The Lyceum: Cyber Intelligence Daily — May 24, 2026
Sunday, May 24, 2026
The Big Picture
Today's threat picture has a familiar shape but a sharper edge: the tools defenders trust most — file transfer servers, package registries, antivirus engines, control panels — keep turning into the front door. Microsoft is still actively investigating GoAnywhere MFT exploitation. Over 700 Laravel PHP package versions were poisoned to hunt for cloud keys. APT28 is already weaponizing a Microsoft Office bug patched days ago. And CISA's KEV catalog is expanding into the security stack itself — Drupal, LiteSpeed, Langflow, Trend Micro Apex One. If you ship code, run web infrastructure, or own the tools that protect everything else, today has something for you.
What Just Dropped
- CVE-2026-9082 — Drupal Core SQL injection: actively exploited per CISA KEV (no CVSS in NVD yet), federal patch deadline May 27. Reports cited in the early-signals draft describe roughly 15,000 attack attempts against 6,000 sites since Friday's patch — treat that figure as community-reported until Drupal or a major vendor confirms.
- CVE-2025-34291 — Langflow origin-validation flaw: CVSS 8.8 on the session, on CISA KEV, federal due date June 4.
- CVE-2026-34926 — Trend Micro Apex One on-prem directory traversal: actively exploited (no NVD score yet), federal due date June 4.
- CVE-2026-41091 and CVE-2026-45498 — Microsoft Defender local privilege escalation and denial-of-service: both added to KEV, federal due date June 3. The product designed to stop intrusions is now the intrusion surface.
- CVE-2026-48172 — LiteSpeed User-End cPanel Plugin (v2.3–2.4.4): The Hacker News reports this as CVSS 10.0 with active exploitation; it is not in the NVD/KEV backbone table at time of writing, so treat the score as press-reported. Fix is WHM Plugin 5.3.1.0 with cPanel plugin v2.4.7+. Hunt for cpanel_jsonapi_func=redisAble in logs.
- Laravel Lang supply-chain compromise — 700+ package versions hijacked via rewritten GitHub tags; a Composer post-install script drops a cross-platform PHP stealer hunting .env files, cloud keys, SSH keys, and browser-stored credentials.
Today's Stories
GoAnywhere MFT Is Still Being Robbed — And Microsoft Wants You to Know
Check your GoAnywhere MFT patch status before you finish this paragraph.
CVE-2025-10035 is a CVSS 10.0 deserialization flaw in GoAnywhere MFT's License Servlet — the kind of software that quietly shuttles payroll, legal, and healthcare records between systems. According to Microsoft's investigation, a threat actor with a validly forged license response signature can deserialize an arbitrary object, leading to command injection and remote code execution. An attacker who can reach your admin console can take it over without a username or password. Microsoft Threat Intelligence has attributed observed exploitation to Storm-1175, a group known for deploying Medusa ransomware and abusing public-facing applications for initial access. For persistence, the same actor was seen abusing remote monitoring tools SimpleHelp and MeshAgent.
What changes if defenders move fast: the managed file transfer category avoids becoming MOVEit redux — the 2023 incident where a single MFT bug cascaded into hundreds of downstream breaches. What failure looks like: confirmed bulk data theft incidents start surfacing in regulatory filings over the next two weeks, and the insurance and compliance fallout extends to organizations that didn't even know their vendors were running GoAnywhere. Fortra recommends immediate update to 7.8.4 or sustain release 7.6.3. If you can't patch, restrict external access to the Admin Console and grep your audit logs for SignedObject.getObject — that's the fingerprint of a successful exploit attempt.
Watch the leak sites. The signal that tells you which path this is on is whether Clop or Medusa post a named victim this week.
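Both log hunts above (cpanel_jsonapi_func=redisAble in the LiteSpeed plugin item, and SignedObject.getObject in the GoAnywhere story) come down to the same job: walk the logs, match the fingerprint, report the line. The script below is an added example written for this newsletter, not code from Fortra, LiteSpeed, or any vendor. The sample log lines are constructed; the request path, timestamps, and IPs in them are placeholders and not taken from real telemetry. The cPanel check parses the request's query string rather than substring-matching, so a URL-encoded or reordered parameter still hits.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (placeholders, not real telemetry). Line 0 mimics a
# cPanel access-log entry, line 1 a GoAnywhere MFT application-log stack frame;
# lines 2 and 3 are benign controls.
SAMPLE_LINES = [
    '203.0.113.5 - - [23/May/2026:02:14:07 +0000] "GET /cgi/lsws/?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512',
    '2026-05-23 02:15:11 ERROR [LicenseServlet] java.io.IOException ... at java.security.SignedObject.getObject(SignedObject.java:178)',
    '203.0.113.7 - - [23/May/2026:02:16:30 +0000] "GET /cgi/lsws/?cpanel_jsonapi_func=getStatus HTTP/1.1" 200 118',
    '2026-05-23 02:17:02 INFO  [LicenseServlet] license check ok',
]

# Pulls the request target out of a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def cpanel_redis_hit(line):
    """True when the request's query string calls cpanel_jsonapi_func=redisAble."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    qs = parse_qs(urlparse(m.group(1)).query)
    return "redisAble" in qs.get("cpanel_jsonapi_func", [])


def goanywhere_deser_hit(line):
    """True when the line shows the License Servlet deserialising via SignedObject.getObject."""
    return "SignedObject.getObject" in line


# Indicator name -> predicate. Extend this table with further fingerprints.
INDICATORS = [
    ("cpanel-redisAble", cpanel_redis_hit),
    ("goanywhere-SignedObject.getObject", goanywhere_deser_hit),
]


def scan_logs(lines):
    """Return (line_index, indicator_name) for every line that matches an indicator."""
    hits = []
    for i, line in enumerate(lines):
        for name, predicate in INDICATORS:
            if predicate(line):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in scan_logs(SAMPLE_LINES):
        print(f"line {idx}: {name}: {SAMPLE_LINES[idx][:90]}")
```

Feed it real files with `scan_logs(open(path).read().splitlines())`. A SignedObject.getObject frame only tells you an attempt reached the deserialisation path; pair the hit with the surrounding request's source IP and with any process or file activity on the host around that timestamp before calling it a confirmed compromise.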
700 PHP Packages Just Tried to Steal Your Cloud Keys
If you pulled a PHP dependency update in the last 48 hours, something unwanted may have come along for the ride.
A supply-chain attack hit Laravel Lang — the widely used localization packages for Laravel, the PHP framework powering a large slice of e-commerce and SaaS. According to BleepingComputer, attackers abused GitHub version tags to push malicious code through Composer packages, rewriting tags across laravel-lang/lang, http-statuses, attributes, and possibly actions so the poisoned releases looked indistinguishable from legitimate ones to automated tooling. The Hacker News reports the payload — a cross-platform PHP stealer — auto-runs via a Composer post-install script and targets cloud keys, CI/CD tokens, browser data, crypto wallets, password managers, SSH keys, and .env files. On Windows, it also tries to extract browser encryption keys to decrypt stored credentials. BleepingComputer links the campaign to 777 GitHub-hosted files, including GitHub Actions workflow files, meaning the malicious code could have propagated through automated build pipelines silently.
Every .env file scraped is a potential pivot into Stripe, Twilio, AWS, SendGrid, or any other API the application talks to. That's the secondary-breach wave that follows credential theft campaigns — the part that usually doesn't get reported until weeks later.
Check composer.lock for Laravel Lang installs between roughly May 21 and 23. If your dependencies updated in that window, rotate every secret in your .env file. Treat it as a credential incident, not a code incident.
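One way to do the composer.lock check and to draw up the rotation list, as an added example for this story rather than code from Laravel Lang or Composer: the script flags every laravel-lang/* entry in the lock file and marks whether its release timestamp falls in the May 21 to 23 window the story gives, then lists the variable names (never the values) from a .env file so the rotation can be tracked. The lock excerpt, version strings, and .env contents are constructed sample data; the field names `packages`, `packages-dev`, `name`, `version`, and `time` are the ones a real composer.lock uses.

```python
import json
from datetime import datetime, timezone

VENDOR_PREFIX = "laravel-lang/"
# Window from the story ("roughly May 21 and 23"); end bound is exclusive.
WINDOW_START = datetime(2026, 5, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 24, tzinfo=timezone.utc)

# Constructed composer.lock excerpt. Versions are placeholders, not the
# actually compromised releases.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.9.2",
         "time": "2026-05-22T09:41:13+00:00"},
        {"name": "laravel-lang/attributes", "version": "2.13.0",
         "time": "2026-01-08T12:00:00+00:00"},
        {"name": "laravel/framework", "version": "v12.1.0",
         "time": "2026-03-02T18:20:05+00:00"},
    ],
    "packages-dev": [
        {"name": "laravel-lang/http-statuses", "version": "4.1.1",
         "time": "2026-05-23T22:05:44+00:00"},
    ],
})

# Constructed .env sample.
SAMPLE_ENV = """# app secrets
APP_KEY=base64:placeholder

export AWS_SECRET_ACCESS_KEY=placeholder
STRIPE_SECRET = placeholder
"""


def _parse_time(value):
    """Composer writes ISO 8601 with an offset; tolerate a trailing Z as well."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_laravel_lang(lock_text):
    """Every laravel-lang/* package in the lock, with an in_window flag."""
    data = json.loads(lock_text)
    hits = []
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        name = pkg.get("name", "")
        if not name.startswith(VENDOR_PREFIX):
            continue
        released = _parse_time(pkg.get("time"))
        in_window = released is not None and WINDOW_START <= released < WINDOW_END
        hits.append({"name": name, "version": pkg.get("version"),
                     "time": pkg.get("time"), "in_window": in_window})
    return hits


def names_to_rotate(env_text):
    """Variable names from a .env file; values are deliberately never returned."""
    names = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        names.append(line.split("=", 1)[0].strip())
    return names


if __name__ == "__main__":
    for hit in flag_laravel_lang(SAMPLE_LOCK):
        status = "IN WINDOW" if hit["in_window"] else "older"
        print(f'{hit["name"]} {hit["version"]} ({hit["time"]}): {status}')
    print("rotate:", ", ".join(names_to_rotate(SAMPLE_ENV)))
```

The `time` field is the package's release timestamp, not the moment it was installed on your host, so a package released in the window that was only pulled in later is still in scope; cross-check with your own git history for composer.lock (when the hash for that entry changed) and with CI logs for builds that ran `composer install` or `composer update` in the window. Any hit in that window means the rotation list applies to every environment that built from that lock file, including CI runners.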
APT28 Is Already Exploiting the Office Flaw Microsoft Patched This Month
The window between "Microsoft ships a patch" and "the GRU ships an exploit" used to be measured in weeks. Now it's measured in days.
SecurityWeek reports that APT28 — the Russian military intelligence unit also known as Fancy Bear, tracked by Ukraine's CERT-UA as UAC-0001 — is rapidly weaponizing a Microsoft Office vulnerability patched this month. The pattern is deliberate: APT28 monitors Patch Tuesday releases, reverse-engineers the fixes to understand what was broken, and builds working exploits before most organizations have finished their patch cycles. CERT-UA advisory CERT-UA#19542 documented the same group doing the same thing with CVE-2026-21509 against Ukrainian and EU targets within weeks of disclosure.
If this works, Office clients become a near-zero-day surface on every diplomat, civil servant, and defense-contractor laptop in Europe — and "patched within 30 days" stops being a meaningful posture. The deeper failure: the gap between vendor patch and nation-state exploit collapses far enough that the patch itself becomes the disclosure that lights the fuse.
Watch for a CERT-UA bulletin with UAC-0001 IOCs in the next 24–72 hours. Their advisories typically trail SecurityWeek's initial reporting by a day or two and contain the specific file hashes and network indicators defenders need to build detection rules. In the meantime: apply May's Microsoft patches, particularly if your organization touches government, defense, or critical infrastructure.
Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait
This one hasn't made the rounds in Western security press yet, and it should.
A threat intelligence feed flagged on May 23 that Ghostwriter — the Belarus-linked influence and intrusion cluster running disinformation and credential phishing campaigns against Ukrainian targets since at least 2017 — is back with a new operation. The lure: a Ukrainian educational platform, used to phish government employees. The technique is classic Ghostwriter: impersonate a trusted Ukrainian institution to get targets to click.
What makes this notable is the targeting profile. Ghostwriter has historically blurred the line between influence operations — fake news, document forgeries — and technical intrusions like credential phishing and account takeovers. An educational-platform lure points at government workers who might plausibly receive communications from that platform: teachers, administrators, officials managing wartime education continuity.
Ghostwriter campaigns that start in Ukraine frequently pivot to NATO partner countries within weeks. The group has previously targeted Polish, Lithuanian, and German audiences with similar lures. The failure-to-notice scenario: a Central or Eastern European government worker clicks an "education ministry" email in three weeks' time and hands over credentials that pivot into a defense supply chain. The signal to watch: a formal CERT-UA advisory, which typically lands 24–48 hours after the initial Telegram-channel signal.
⚡ What Most People Missed
- The Salvation Army was claimed by BRAVOX ransomware: The Salvation Army runs social services in dozens of countries — domestic abuse survivors, addiction recovery, homeless services. A ransomware claim against that data class is a meaningfully different category of leak than the usual corporate dumps. No confirmation yet from the organization, but the listing is live.
- Anthropic's Claude Mythos found over 10,000 high-severity flaws in a month: Per The Hacker News, the AI uncovered 1,726 confirmed vulnerabilities, with 1,094 rated high or critical, leading to 97 patches and 88 advisories. One of them — CVE-2026-5194 in wolfSSL — could allow certificate forgery. The implication is structural: vulnerability discovery is about to accelerate dramatically, and patch programs built for the old pace will break.
- npm now requires 2FA approval before staged package releases go live: A direct response to the Laravel Lang–style attacks. New versions uploaded with staged publishing sit in a queue until a maintainer explicitly approves them — even from CI/CD. This is the kind of friction that actually stops the attack class hitting Packagist and npm right now.
- Cisco Talos is tracking active exploitation of CVE-2026-20182 in Catalyst SD-WAN: An authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, confirmed exploited per Talos's own blog index. SD-WAN gear sits where one quiet login becomes route control, policy tampering, or a clean pivot into branch infrastructure. Edge appliances remain the shortest path in.
- A Windows Snipping Tool NTLMv2 hash hijack technique just landed on Exploit-DB: It turns a screenshot workflow into a credential-capture angle — the kind of post-compromise tradecraft that gets lost under bigger CVE headlines but matters in environments where defenders assume built-in utilities are harmless.
From the Foreign Press
CERT-UA Documents an Updated UAC-0057 Toolkit: OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES
Ukraine's national CERT has cataloged three new malware families deployed by the cluster it tracks as UAC-0057 — a group long associated with Belarus-aligned operations against Ukrainian and EU institutions. The advisory describes OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES as an expanded toolkit replacing earlier OYSTER-family variants. For Western defenders, the value is in the IOCs and behavioral indicators CERT-UA publishes that Western press has not yet picked up — and in the signal that UAC-0057 is investing in capability development, not just operational tempo. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0247 Is Targeting Hospitals, Local Government, and FPV Drone Operators
A separate CERT-UA advisory describes UAC-0247 (also tracked as UAC-0244) running a coordinated campaign against Ukrainian hospitals, local government bodies, and operators of FPV drones — the small, cheap quadcopters that have become central to Ukrainian battlefield operations. The infection chain uses password-protected ZIP archives dropping LNK and JavaScript files that invoke PowerShell and mshta, with a lightweight backdoor beaconing via the Telegram API. The targeting profile — emergency services, municipal infrastructure, and drone operators in the same campaign — matches Russian intelligence priorities, though CERT-UA has not made a formal state attribution. Telegram-as-C2 in healthcare environments forces a different detection model: stop looking at where traffic goes, start looking at what processes are initiating it. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
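The detection shift CERT-UA's advisory implies (judge the initiating process, not the destination) can be expressed as an allowlist rule: a Telegram API connection is expected from a browser or the Telegram client and unexpected from a script host, and a script host spawned by another script host is the shape of the LNK/JavaScript to PowerShell/mshta chain described above. The code below is an added example written for this item, not a CERT-UA rule or a Sysmon/Sigma export; the events are constructed, the field names are this example's own (only loosely modelled on Sysmon process-creation and network-connection records), and the lists of expected clients and script hosts are assumptions to be tuned per environment.

```python
import ntpath

# Hosts the backdoor beacons to, per the advisory; add the other Telegram API
# hostnames your proxy logs actually show.
TELEGRAM_HOSTS = {"api.telegram.org"}

# Assumed allowlist: processes from which a Telegram API connection is routine.
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Script hosts whose parent-child chaining is the infection-chain shape.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry). "net" = outbound connection,
# "proc" = process creation.
SAMPLE_EVENTS = [
    {"type": "net", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent": "explorer.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "net", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "mshta.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "proc", "image": "C:\\Windows\\System32\\mshta.exe",
     "parent": "explorer.exe", "cmdline": "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.hta"},
    {"type": "proc", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "mshta.exe", "cmdline": "powershell.exe -w hidden"},
    {"type": "net", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "services.exe", "dest_host": "update.microsoft.com", "dest_port": 443},
]


def _exe(path):
    """Lower-cased file name of a Windows path, regardless of the analysis host OS."""
    return ntpath.basename(path).lower()


def flag_event(event):
    """Return a rule name if the event matches, else None."""
    image = _exe(event["image"])
    parent = _exe(event.get("parent", ""))
    if event["type"] == "net":
        if event["dest_host"].lower() in TELEGRAM_HOSTS and image not in EXPECTED_TELEGRAM_CLIENTS:
            return f"telegram-api-from-{image}"
    elif event["type"] == "proc":
        if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
            return f"script-host-chain-{parent}->{image}"
    return None


def flag_events(events):
    """(index, rule) for every event that trips a rule."""
    return [(i, rule) for i, ev in enumerate(events) if (rule := flag_event(ev)) is not None]


if __name__ == "__main__":
    for idx, rule in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The network rule deliberately says nothing about destination reputation: api.telegram.org is a legitimate host, and blocking it outright breaks the staff who genuinely use it, which is why the process identity carries the decision. The chain rule fires on the parent-child relationship alone; in a hospital fleet it is worth first counting how often mshta.exe ever parents powershell.exe, because in most environments that number should be zero.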
Kaspersky: Cloud Atlas Has Expanded Its Toolkit With PowerCloud, ReverseSocks, and Patched OpenSSH
Kaspersky's Securelist published a fresh research note on the Cloud Atlas espionage cluster, saying the group has been using an expanded toolkit into early 2026 — including PowerCloud, ReverseSocks, a patched OpenSSH build, Tor tunneling, and PowerShell-loader persistence. The victims named are government and commercial organizations in Russia and Belarus. The strategic read: a state-linked actor moving toward living-inside-admin-tools tradecraft that's hard to separate from normal remote administration. When an espionage group starts mixing patched SSH, reverse tunnels, and registry-run persistence, detection has to shift from malware-family names to operator behavior. Source: Kaspersky Securelist — Russian-language research published in English on Securelist; primary Russian-language coverage. No major English-press pickup confirmed at time of publication.
📅 What to Watch
- If Clop's Oracle E-Business Suite breach claim produces named victim disclosures this week, the managed file transfer and enterprise-application categories are entering another MOVEit-scale moment — and the insurance industry will start repricing supply-chain coverage faster than CISOs can update their vendor inventories.
- If CERT-UA publishes a UAC-0001 advisory with IOCs for the newly weaponized Office flaw in the next 72 hours, it will arrive before Microsoft's own threat-intel team confirms the same campaign in English — a recurring pattern that means Ukrainian defenders are operating with better real-time signal than most NATO-aligned SOCs.
- If the Reddit-sourced "Megalodon" GitHub campaign (5,500+ repos) is confirmed by GitHub or a Tier 1 outlet, it means the VSCode-extension breach was the proof of concept, not the campaign — and the trust model under CI/CD pipelines is the next thing to break.
- If the Laravel Lang attack produces confirmed credential theft at a major SaaS provider, expect a secondary breach wave through Stripe, Twilio, AWS, or SendGrid API keys — the kind of pivot that turns one supply-chain incident into a dozen unrelated-looking ones.
- If CVE-2026-9082 (Drupal SQL injection) misses its May 27 KEV deadline at federal agencies, expect CISA to issue an emergency directive — and a follow-on round of state and local government Drupal compromises that nobody will discover for weeks.
The Closer
A Russian intelligence unit reverse-engineering a Microsoft patch over the weekend, a Composer post-install script quietly rifling through your .env file, and the Salvation Army on a ransomware leak site. The software industry's most embarrassing year keeps finding new ways to top itself — and we're still in May. Stay patched, stay paranoid, stay caffeinated.
Forward this to whoever in your life still says "we don't need to patch that, it's internal."