TTPwire Vol. 1 · MITRE ATT&CK · Tagged

F5 Labs

Weekly Threat Bulletin – May 6th, 2026


ATT&CK techniques detected

25 predictions (technique, confidence, evidence snippet)

T1190 Exploit Public-Facing Application (99%)
“…ositories. - Implement a network egress filtering policy on firewalls that denies outbound traffic by default from developer environments and allows only necessary protocols and destinations required for business operations. What type of 'C2 on a sleep cycle' do they leave be…”

T1190 Exploit Public-Facing Application (97%)
“servers using vulnerable React Server Components and apply the security patch for the React2Shell vulnerability (CVE-2025-55182). - Scan the file systems of all public-facing web servers, especially Microsoft Exchange, for known web shells like Godzilla and for any recent…”

T1068 Exploitation for Privilege Escalation (96%)
“-all-linux-systems-via-732-byte-exploit/ https://cyberpress.org/linux-kernel-0-day-copy-fail/ https://cyberveille.esante.gouv.fr/alertes/linux-cve-2026-31431-2026-04-30 https://gbhackers.com/linux-kernel-0-day-…”

T1505.003 Web Shell (95%)
“deploy web shells like Godzilla and the custom ShadowPad backdoor, sometimes delivering it via legitimate tools such as AnyDesk. To evade detection, they utilize tools like RingQ to pack malicious binaries, rename legitimate Windows system binaries, and use domain names impersona…”

T1068 Exploitation for Privilege Escalation (94%)
“cve-2026-31431-linux-kernel-copy-fail-privilege-escalation/ https://securityonline.info/linux-kernel-copy-fail-root-exploit-poc-public-disclosure/ https://sploitus.com/exploit?id=2701b38e-308b-578e-a22d-1538782b2a0c https…”

T1190 Exploit Public-Facing Application (93%)
“-bypass-was.html https://www.esecurityplanet.com/threats/cpanel-vulnerability-exposes-servers-to-takeover/ https://www.hendryadrian.com/cpanel-whm-emergency-update-fixes-critical-auth-bypass-bug/ https://www.securityweek.com…”

T1195.001 Compromise Software Dependencies and Development Tools (90%)
“attackers via Telegram or Slack. These campaigns demonstrate a continuous evolution in techniques, including the "matryoshka doll approach" for malware delivery, to compromise developer environments and exfiltrate sensitive data. Severity: Critical. Threat details and IOCs. Miti…”

T1195.001 Compromise Software Dependencies and Development Tools (84%)
“- Implement a network segmentation strategy to isolate critical servers like MOVEit Automation into a secure enclave, with strict ingress and egress filtering rules that only permit traffic required for business functions. - Establish a formal vulnerability management program tha…”

T1068 Exploitation for Privilege Escalation (81%)
“Weekly Threat Bulletin – May 6th, 2026. Linux cryptographic code flaw offers fast route to root. A local privilege escalation (LPE) vulnerability, dubbed Copy Fail (CVE-2026-31431), has been identified in the Linux kernel's `authencesn` cryptographic template. This logi…”

T1190 Exploit Public-Facing Application (80%)
“…d.io/blog/linux-copy-fail-lpe-cve-2026-31431/ https://www.openwall.com/lists/oss-security/2026/04/30/10 https://www.securityweek.com/copy-fail-logic-flaw-in-linux-kernel-enables-system-takeover/ https://www.t…”

T1190 Exploit Public-Facing Application (71%)
“redirecting users to malicious sites, data theft, sending spam, or establishing persistent server access for various illicit activities. Patched versions include 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, and 11.134.0.20. Administrators are…”

T1190 Exploit Public-Facing Application (70%)
“2096 on all servers running cPanel and WHM. - Review cPanel, WHM, and server authentication logs for any unexpected or unauthorized logins, especially from unfamiliar IP addresses, that occurred before the patch was applied. - Scan all web-accessible directories on cPanel and W…”

T1176.001 Browser Extensions (58%)
“-sdk/v2" and "@hash-validator/v2," to steal credentials and crypto-wallet information, employing layered dependencies, typosquatting, and Vercel-hosted command-and-control infrastructure. This malware has evolved from JavaScript to Rust-based binaries, target…”

T1587 Develop Capabilities (58%)
“- Implement a network segmentation strategy to isolate critical servers like MOVEit Automation into a secure enclave, with strict ingress and egress filtering rules that only permit traffic required for business functions. - Establish a formal vulnerability management program tha…”

T1588.006 Vulnerabilities (57%)
“assets, including details on software versions like cPanel/WHM, to quickly identify systems affected by future vulnerabilities. - Implement network segmentation to isolate web hosting environments from internal corporate networks and to separate different hosting clients from e…”

T1587.004 Exploits (55%)
“2026-04-30 https://exploit-intel.com/vuln/cve-2026-41940 https://gbhackers.com/attackers-exploit-cpanel-authentication-bypass-0-day/ https://horizon3.ai/attack-research/vulnerabilities/cve-2026-41940/ https://sploitus.…”

T1566.001 Spearphishing Attachment (48%)
“-sdk/v2" and "@hash-validator/v2," to steal credentials and crypto-wallet information, employing layered dependencies, typosquatting, and Vercel-hosted command-and-control infrastructure. This malware has evolved from JavaScript to Rust-based binaries, target…”

T1190 Exploit Public-Facing Application (43%)
“2026-04-30 https://exploit-intel.com/vuln/cve-2026-41940 https://gbhackers.com/attackers-exploit-cpanel-authentication-bypass-0-day/ https://horizon3.ai/attack-research/vulnerabilities/cve-2026-41940/ https://sploitus.…”

T1190 Exploit Public-Facing Application (43%)
“deploy web shells like Godzilla and the custom ShadowPad backdoor, sometimes delivering it via legitimate tools such as AnyDesk. To evade detection, they utilize tools like RingQ to pack malicious binaries, rename legitimate Windows system binaries, and use domain names impersona…”

T1587 Develop Capabilities (42%)
“attackers via Telegram or Slack. These campaigns demonstrate a continuous evolution in techniques, including the "matryoshka doll approach" for malware delivery, to compromise developer environments and exfiltrate sensitive data. Severity: Critical. Threat details and IOCs. Miti…”

T1555.003 Credentials from Web Browsers (41%)
“-sdk/v2" and "@hash-validator/v2," to steal credentials and crypto-wallet information, employing layered dependencies, typosquatting, and Vercel-hosted command-and-control infrastructure. This malware has evolved from JavaScript to Rust-based binaries, target…”

T1190 Exploit Public-Facing Application (40%)
“score of 9.8, this vulnerability is remotely exploitable without requiring authentication or user interaction (AV:N/AC:L/PR:N/UI:N), and can lead to complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The issue is catego…”

T1566.002 Spearphishing Link (39%)
“-sdk/v2" and "@hash-validator/v2," to steal credentials and crypto-wallet information, employing layered dependencies, typosquatting, and Vercel-hosted command-and-control infrastructure. This malware has evolved from JavaScript to Rust-based binaries, target…”

T1195.002 Compromise Software Supply Chain (39%)
“redirecting users to malicious sites, data theft, sending spam, or establishing persistent server access for various illicit activities. Patched versions include 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, and 11.134.0.20. Administrators are…”

T1059.006 Python (36%)
“deploy web shells like Godzilla and the custom ShadowPad backdoor, sometimes delivering it via legitimate tools such as AnyDesk. To evade detection, they utilize tools like RingQ to pack malicious binaries, rename legitimate Windows system binaries, and use domain names impersona…”

Summary

These are the top threats you should know about this week.