LodeHQSubscribe →

Rapid7 PAN-OS bugs, Veeam RCE, Seedworm DLL hijacks

Infosec · 2026-06-01

Vulnerabilities & Exploits
Rapid7 Observes Active Exploitation of PAN‑OS GlobalProtect Auth Bypass (CVE‑2026‑0257)9 MIN

Rapid7’s Managed Detection and Response team observed real‑world exploitation of Palo Alto Networks’ PAN‑OS GlobalProtect authentication bypass (CVE‑2026‑0257) across multiple customers as early as May 17, 2026. The vulnerability lets unauthenticated attackers establish VPN connections, prompting Rapid7 to urge urgent patching despite its medium CVSS rating.

Critical RCE flaw in Veeam Service Provider Console fixed in 9.2.11 MIN

Veeam disclosed a critical remote‑code‑execution vulnerability (CVSS 9.4) in Service Provider Console that could be triggered through enabled alarm script execution. The flaw, reported via HackerOne, is mitigated by disabling the script execution flag or upgrading to version 9.2.1 (build 33875). Administrators are urged to patch immediately.

Threats & Malware
Seedworm APT Hijacks Signed Fortemedia and SentinelOne Binaries for Stealthy DLL Sideloading4 MIN

Iran‑linked Seedworm (MuddyWater) ran an espionage campaign in early 2026 against nine organizations across nine countries, abusing legitimate Fortemedia fmapp.exe and SentinelOne sentinelmemoryservice.exe binaries to sideload malicious DLLs. The loaders delivered ChromElevator, stealing browser credentials and data, while a Node.js script orchestrated the attack.

Typosquatted npm Packages Harvest Cloud and CI/CD Secrets, Microsoft Finds11 MIN

Microsoft identified a supply‑chain attack where a threat actor published 14 malicious npm packages that typo‑squat popular OpenSearch and Elastic libraries. The packages execute a preinstall hook to steal AWS credentials, HashiCorp Vault tokens, CI/CD pipeline secrets, and npm publish tokens for further exploitation.

IRGC Front Sabotages Israeli Plants via OT and IT Attacks During Ceasefire14 MIN

Profero researchers uncovered an Iranian state‑directed persona, Cyber Isnaad Front, that reprogrammed industrial control systems and deployed malware to wipe Windows servers in Israeli factories during a cease‑fire, using OT sabotage as a low‑cost continuation of conflict. The campaign shows how cyber attacks fill the gaps between kinetic wars.

Undocumented Lua-wrapped loader drives BoldTealLayer malware campaign55 MIN

A detailed blog post reveals BoldTealLayer’s multi‑stage attack chain, featuring a legitimate signed host that side‑loads a malicious DLL which launches a Lua engine to bypass Windows defenses and inject a .NET payload. The author provides IOCs, YARA rules, and mitigation guidance.

Unidentified RAT Deploys NetSupport RAT in New Malware Delivery Chain1 MIN

SANS ISC reports an unknown RAT infection that delivered NetSupport Manager RAT via the SmartApeSG ClickFix campaign. The initial RAT communicated with a C2 server on TCP 443 and later dropped malicious NetSupport files, establishing persistence on Windows hosts. Indicators include varied domains, hashes, and C2 IPs.

Privacy, Policy & Governance
Encrypted DNS Protocols Compared: DoH, DoT, DoQ, DoH3 Trade‑offs14 MIN

The article benchmarks over 3,000 DNS resolvers to compare DoH, DoT, DoQ, and DoH3, highlighting performance, privacy, and compatibility differences. It explains that while DoH shields queries from ISP snooping, it cannot mitigate attacks from compromised or malicious resolvers. The piece also outlines DNS hijacking risks inherent to unencrypted DNS.

Data Centers Power Modern Surveillance, Raising Privacy Alarms1 MIN

The article explains how data center infrastructure, sold as neutral cloud and AI support, underpins government fusion centers that merge police, immigration and criminal data, effectively creating a digital panopticon. Privacy advocates warn this unremarkable hardware enables mass monitoring with little oversight.

UN Calls for Child‑Safe Design Over Social Media Bans1 MIN

The UN human rights office warns that blocking children from social media is insufficient, urging platforms to embed safety by design, enforce strict age verification, and conduct child‑rights impact assessments. It stresses that bans can be bypassed and push youth toward riskier, unregulated digital spaces.

Research & Tools
Encrypted Reasoning Blobs Offer New Crypto Guarantees for LLM Inference14 MIN

Matthew Green’s blog details a weekend project exploring the signed, encrypted “thinking” blobs returned by Claude and OpenAI APIs. The blobs enable cryptographic verification and secure, privacy‑preserving LLM reasoning, suggesting a path toward auditable AI inference.

MalShark uses AI (MCP) to auto‑analyze malware traffic, benchmarked on real samples6 MIN

MalShark is an MCP‑based server that lets AI clients run tshark analyses on PCAPs via natural‑language prompts, producing structured IOC reports. Its detection rules were tuned and benchmarked against real malware captures from malware‑traffic‑analysis.net, ensuring practical relevance.

NVIDIA Open‑Sources SkillSpector to Scan AI Agent Skills for Vulnerabilities12 MIN

NVIDIA released SkillSpector, an open‑source scanner that analyzes AI agent skill packages for security flaws, malicious patterns, and supply‑chain risks. It supports multiple formats, runs static and LLM‑semantic checks, and outputs reports in JSON, Markdown, SARIF and more, helping developers vet skills before deployment.

Bypassing Modern EDR: BYOVD Drives LSASS Credential Dumping20 MIN

A security researcher shows how to find a vulnerable driver not on Microsoft’s blocklist, use it to strip Protected Process Light from LSASS, and dump its memory while XOR‑obfuscating the dump to evade current EDR solutions. The step‑by‑step guide covers driver selection, exploitation and stealth techniques.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ