Active CMS Exploitation and Targeted Defense Sector Espionage
Critical Ghost CMS and Drupal SQL injection vulnerabilities, alongside actively exploited Microsoft Defender zero days, demand urgent patching of web platforms and Windows endpoints. Simultaneously, organizations must monitor for Screening Serpens espionage campaigns targeting defense sectors and review their exposure to major telecommunications and retail data breaches.
CVSS Score: 9.4
IOC Count: 30
Source Count: 9
Confidence Score: 85
CVEs: CVE-2026-26980, CVE-2026-9082, CVE-2026-41091, CVE-2026-45498
Threat Actors: Screening Serpens, UNC1549, Smoke Sandstorm, Iranian Dream Job, ShinyHunters, Under Attribution
Sectors: Technology, Government, Education, Media and Publishing, Telecommunications, Retail, Fintech, SaaS Platforms, Aerospace, Defense
Regions: North America, Europe, Middle East, Asia Pacific, Global, United States, Israel, UAE
Chapter 01 - Executive Overview
Today's intelligence brief covers critical vulnerabilities, confirmed espionage operations, and major data breaches requiring immediate attention across multiple sectors.
Drupal JSON API SQL Injection (CVE-2026-9082)
An actively exploited, PostgreSQL-specific SQL injection in the Drupal Core database abstraction layer, reachable through JSON API handling, enables unauthenticated attackers to read, modify, or delete all data.
The CISA Known Exploited Vulnerabilities (KEV) catalog remediation deadline for US federal agencies is today, 27 May 2026.
Consulted sources observed over 15,000 attack attempts against nearly 6,000 sites in at least 65 countries.
CISO Risk Decision: Escalate for any Drupal installations using PostgreSQL. Treat as a KEV driven emergency patch and access control exercise.
Ghost CMS ClickFix Poisoning (CVE-2026-26980)
A critical unauthenticated SQL injection in the Ghost Content API allows attackers to steal admin API keys and bulk inject malicious JavaScript.
Attackers have hijacked more than 700 sites for ClickFix fake CAPTCHA malware campaigns targeting site visitors.
CISO Risk Decision: Escalate and treat unpatched Ghost instances as an active web tier compromise risk. Prioritize emergency patching and content integrity reviews.
Microsoft Defender RedSun and UnDefend Zero Days (CVE-2026-41091, CVE-2026-45498)
Two Microsoft Defender engine flaws are being exploited in the wild to obtain SYSTEM level privileges and disable signature updates.
CISA ordered US civilian agencies to remediate by 3 June 2026.
CISO Risk Decision: Escalate and monitor until engine and platform versions are confirmed fleet wide.
Screening Serpens Iran Nexus Espionage
The group is actively targeting aerospace, defense, and technology sectors in the US, Israel, UAE, and the Middle East.
The threat actors deploy MiniUpdate and MiniJunk V2 RATs via tailored recruitment themed spear phishing and advanced defense evasion techniques.
CISO Risk Decision: Aerospace and defense CISOs should brief HR and recruiting teams immediately regarding malicious job seeker lures.
Telecom and Retail Data Breaches
Charter Communications confirmed a data breach following extortion threats from the ShinyHunters group.
ShinyHunters also claimed responsibility for 183,000 compromised records at 7-Eleven.
CISO Risk Decision: Legal and compliance teams must assess regulatory data breach notification timelines and begin evidence preservation immediately.
KnowledgeDeliver LMS Zero Day Web Shell
Attackers exploited an unspecified zero day vulnerability in the KnowledgeDeliver learning management system to deploy persistent Godzilla web shells.
CISO Risk Decision: Isolate internet facing KnowledgeDeliver instances and contact the vendor for emergency guidance pending a formal advisory.
Chapter 02 - Threat & Exposure Analysis
Ghost CMS (CVE-2026-26980)
What is happening: Unauthenticated HTTP GET requests to Ghost Content API endpoints allow attackers to inject SQL into the ORDER BY clause. Attackers extract admin API keys to mass tamper published content by injecting JavaScript loaders that redirect visitors into ClickFix fake CAPTCHA flows.
Strategic risk context: Ghost often fronts blogs and documentation portals. Compromise turns trusted customer facing surfaces into malware delivery channels targeting the readership and expanding the blast radius.
Severity and impact: Assessed at CVSS 9.4 with real world hijack of over 700 sites.
Intelligence confidence: Converging technical detail from consulted sources. No named actor attribution is present.
Drupal Core (CVE-2026-9082)
What is happening: An SQL injection exists in the PostgreSQL EntityQuery condition handler used by JSON API filter parameter keys. Unauthenticated attackers craft requests containing SQL metacharacters.
Strategic risk context: Drupal powers heavily utilized public facing websites and portals. Consulted sources track active exploitation attempts across 65 countries.
Severity and impact: Rated Highly Critical (20 out of 25) by Drupal and CVSS 6.5 by NVD. Successful exploitation permits modification or deletion of arbitrary content. 15,000 attack attempts have been observed.
Intelligence confidence: High confidence picture of active exploitation validated by CISA KEV listing.
Microsoft Defender Zero Days (CVE-2026-41091, CVE-2026-45498)
What is happening: Local privilege escalation flaws allow attackers to abuse link following to escalate to SYSTEM. Standard users can also induce denial of service states by blocking definition updates.
Strategic risk context: These flaws provide attackers with built in pathways to elevate privileges and suppress detection on hosts where they already possess initial access.
Severity and impact: CISA ordered US Federal Civilian agencies to remediate by 3 June 2026.
Intelligence confidence: Consulted sources confirm both vulnerabilities are actively exploited in real world attacks.
KnowledgeDeliver LMS Zero Day
What is happening: Attackers exploited an unspecified zero day vulnerability to deploy the Godzilla web shell framework.
Strategic risk context: Provides persistent interactive remote access to the compromised server.
Severity and impact: Full server compromise potential and data exfiltration risk. No patch confirmed at the time of report.
Intelligence confidence: Low to medium confidence from consulted sources. No CVE assigned.
Screening Serpens Iran Nexus Espionage
What is happening: This advanced persistent threat group deployed six new RAT variants targeting aerospace, defense, and technology sectors. The actor uses AppDomainManager hijacking to disable ETW telemetry before EDR tools initialize.
Strategic risk context: Campaigns align with regional conflict and leverage highly tailored recruitment themed spear phishing.
Severity and impact: Long term espionage risk, intellectual property theft, and credential harvesting.
Intelligence confidence: High for technical analysis based on consulted sources.
Charter Communications and 7-Eleven Data Breaches
What is happening: ShinyHunters is conducting extortion following data theft from Charter and the theft of 183,000 customer records from 7-Eleven. Charter confirmed the breach.
Strategic risk context: Represents an active targeting campaign against major corporations.
Severity and impact: Customer PII exposure and significant regulatory notification obligations.
Intelligence confidence: Medium confidence from consulted sources.
Chapter 03 - Operational Response
Drupal Core (CVE-2026-9082)
Identify all Drupal installations utilizing PostgreSQL backends.
Temporarily restrict public access to JSON API endpoints if immediate patching is not possible.
Apply security updates for all affected versions immediately to meet KEV deadlines.
Review web server access logs for suspicious requests containing SQL metacharacters from 20 May 2026 onward.
Ghost CMS (CVE-2026-26980)
Determine running versions and treat all deployments between 3.24.0 and 6.19.0 as vulnerable.
Upgrade all deployments to version 6.19.1 or later.
Rotate all credentials, admin accounts, API keys, and invalidate existing sessions.
Perform scripted sweeps of all posts to locate and remove injected JavaScript loaders associated with ClickFix.
Microsoft Defender (CVE-2026-41091, CVE-2026-45498)
Inventory Malware Protection Engine and Antimalware Platform versions across all Windows endpoints.
Verify versions meet or exceed 1.1.26040.8 for the engine and 4.18.26040.7 for the platform.
Add hunting queries for signs of Defender tampering or failed definition updates.
KnowledgeDeliver LMS Zero Day
Isolate internet facing instances from the broader network.
Audit web server files for Godzilla web shell artifacts.
Screening Serpens
Block all confirmed C2 domains at DNS proxy and firewall layers.
Brief HR and recruiting teams regarding fake job application archives.
Hunt for scheduled tasks named WindowsSecurityUpdate or Synchronize OS on endpoints.
Charter and 7-Eleven
Verify whether employee credentials or internal systems were part of the breach scope.
Assess contractual data sharing exposure for organizations within the supply chain.
Late 2025: Screening Serpens expands targeting to Western Europe.
17 February 2026: MiniJunk V2 sample uploaded to VirusTotal.
26 February 2026: Consulted sources describe CVE-2026-26980 as a critical unauthenticated SQL injection in the Ghost Content API.
28 February 2026: Regional Middle East conflict begins and Screening Serpens operational tempo increases.
March 2026: MiniUpdate variants compiled and submitted targeting US and Israel entities.
April 2026: The 7-Eleven breach occurs with approximately 183,000 customer records stolen. Screening Serpens rotates C2 domains to impersonate health and financial sectors.
22 April 2026: Deep technical analysis published confirming CVSS 9.4 for the Ghost CMS vulnerability.
20 May 2026: Drupal releases security advisory for CVE-2026-9082. Microsoft begins rolling out engine and platform updates addressing CVE-2026-41091 and CVE-2026-45498.
21 May 2026: Early probing attempts observed against Drupal JSON API endpoints. Consulted sources publish full technical report on Screening Serpens campaigns.
22 May 2026: CISA adds CVE-2026-9082 to the KEV catalog. Consulted sources report 15,000 attack attempts against Drupal sites.
23 May 2026: Consulted sources report large scale campaigns abusing Ghost CMS to inject malicious JavaScript. Active Drupal exploitation confirmed from 68 distinct IP addresses.
24 May 2026: Reports indicate more than 700 Ghost sites hijacked for ClickFix fake CAPTCHA attacks.
25 May 2026: CISA adds Microsoft Defender zero days to the KEV catalog setting a 3 June 2026 remediation deadline.
26 May 2026: Charter Communications confirms data breach after ShinyHunters extortion threat. Exploitation of KnowledgeDeliver LMS zero day reported.
27 May 2026: CISA KEV remediation deadline arrives for US federal agencies regarding Drupal CVE-2026-9082.
Chapter 04 - Detection Intelligence
Drupal Core (CVE-2026-9082)
Attack Vector: Network based unauthenticated remote requests.
Mechanism: Vulnerability resides in the PostgreSQL EntityQuery condition handler. Filter keys containing SQL metacharacters are concatenated directly into queries enabling blind SQL injection and time based inference.
Observed Behavior: Information disclosure, data modification, and potential privilege escalation.
Ghost CMS (CVE-2026-26980)
Attack Vector: Unauthenticated HTTP GET requests to Content API endpoints.
Mechanism: Vulnerable code concatenates user supplied slug values into SQL CASE statements without parameterization. Attackers exfiltrate database values to steal admin keys.
Observed Behavior: Injected JavaScript presents ClickFix overlays instructing visitors to copy and execute PowerShell commands resulting in client side malware delivery.
Microsoft Defender (CVE-2026-41091, CVE-2026-45498)
Attack Vector: Local attackers on Windows systems.
Mechanism: Improper link resolution before file access lets an attacker redirect file operations and gain SYSTEM level privileges. Standard users can manipulate processes to block definition updates.
Observed Behavior: Silently elevates privileges and disables definition updates consistent with defense evasion behavior.
KnowledgeDeliver LMS
Attack Vector: Server side zero day vulnerability.
Mechanism: Enables attackers to upload and execute the Godzilla web shell framework.
Observed Behavior: Provides interactive shell access, file management, and database interaction.
Screening Serpens
Attack Vector: Social engineering via spear phishing links and archives.
Mechanism: A setup executable triggers an AppDomainManager hijack via a configuration file. The configuration disables ETW and bypasses strong name signature validation. The InitInstall DLL is subsequently sideloaded.
Observed Behavior: Drops staged payloads to application data directories and establishes scheduled task persistence. MiniUpdate and MiniJunk V2 RATs communicate via Azure hosted domains using obfuscation and artificial file inflation.
Consulted sources note that Drupal and Ghost CMS incidents lack specific network IOCs in public reporting and recommend reliance on behavioral detection.
Screening Serpens Domains:
Screening Serpens URLs:
Screening Serpens File Hashes (SHA256):
Drupal JSON API SQL Injection Detection
Monitor web server access logs for requests to JSON API endpoints whose filter key parameters contain SQL-indicative characters. Watch for anomalous HTTP 500 or 503 response codes on those requests, which often indicate query errors triggered during blind SQL injection probing.
Monitor database query logs for unusual query patterns originating from the web application user account. Perform focused hunts across web access logs from 20 May 2026 onward for repeated requests from the same IPs.
Deploy WAF block rules for SQL metacharacter patterns in JSON API filter keys immediately.
Ghost CMS ClickFix Detection
Create WAF or reverse proxy rules to flag or block Ghost Content API requests whose filter or order parameters contain SQL keywords like SELECT or UNION.
Alert on spikes of requests to Content API endpoints with complex query strings from single IPs. Compare current and prior versions of Ghost content to identify unexpected JavaScript snippets appended near the end of HTML bodies.
ClickFix delivers payloads via the clipboard and user paste execution, so defenders should hunt for PowerShell processes spawned from browser processes.
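The access-log checks described for both the Drupal JSON API filter-key injection and the Ghost Content API filter/order injection, as one added detection example (not code from the report or from either project). It assumes the default endpoint prefixes /jsonapi/ and /ghost/api/content/, combined log format, and constructed sample lines that stand in for real traffic; the metacharacter and keyword lists are the ones the detection guidance names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in combined log format. They are illustrative
# test strings, not traffic captured from a real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [21/May/2026:10:01:02 +0000] "GET /jsonapi/node/article?filter[title][value]=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [21/May/2026:10:01:05 +0000] "GET /jsonapi/node/article?filter[x%27)%3B--][value]=1 HTTP/1.1" 500 98 "-" "python-requests/2.31"
203.0.113.10 - - [21/May/2026:10:01:09 +0000] "GET /jsonapi/node/article?filter[x%27%20OR%20(1)][value]=1 HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.7 - - [23/May/2026:08:15:44 +0000] "GET /ghost/api/content/posts/?key=k&order=published_at%20DESC HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [23/May/2026:08:15:47 +0000] "GET /ghost/api/content/posts/?key=k&order=x%20UNION%20SELECT%201 HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Metacharacters that have no business inside a JSON API filter *key* (the vulnerable position).
SQL_META = re.compile(r"['\";()]|--|/\*")
# SQL keywords the guidance suggests flagging in Ghost Content API filter/order parameters.
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|CASE|WHEN|SLEEP|PG_SLEEP)\b", re.IGNORECASE)


def classify(line):
    """Return (ip, rule, status) when a line matches a detection rule, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes keys and values
    if url.path.startswith("/jsonapi/"):
        if any(k.startswith("filter[") and SQL_META.search(k) for k, _ in params):
            rule = "drupal-jsonapi-filter-key-sqlmeta"
            # A 5xx on the same request corroborates a blind-injection probe that broke the query.
            if m["status"] in ("500", "503"):
                rule += "+server-error"
            return (m["ip"], rule, m["status"])
    elif url.path.startswith("/ghost/api/content/"):
        if any(k in ("filter", "order") and SQL_KEYWORDS.search(v) for k, v in params):
            return (m["ip"], "ghost-contentapi-sql-keyword", m["status"])
    return None


def scan(log_text):
    """Scan log text; return matched events and a per-IP hit count for repeated-source hunting."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    return hits, Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    events, per_ip = scan(SAMPLE_LOG)
    for ip, rule, status in events:
        print(f"{ip:15} {status} {rule}")
    print("repeat sources:", {ip: n for ip, n in per_ip.items() if n > 1})
```

Feed real logs through scan() and page on repeat sources rather than on single hits; legitimate filter keys such as filter[title][value] contain brackets but none of the listed metacharacters, so they do not fire.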
Microsoft Defender Endpoint Detection
Add monitoring in EDR or SIEM for machines where Defender definition updates repeatedly fail or show long gaps despite the device being online.
Alert on unexpected modifications to Defender configurations initiated by non administrative accounts. Hunt for execution chains where unprivileged processes interact with Defender binaries shortly before a user account gains SYSTEM level access.
Screening Serpens Detection
Monitor for configuration files containing directives that disable Event Tracing for Windows. This is a high fidelity indicator of advanced evasion tradecraft.
Alert on setup executables spawning unexpected child processes or loading DLLs from non standard paths within application data directories.
Alert on scheduled task creation where the task action points to a user writable directory. Deploy DNS and proxy block rules for all known Screening Serpens domains to prevent beaconing.
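The scheduled task hunt described above (task actions pointing at user-writable directories, plus the WindowsSecurityUpdate and Synchronize OS task names from the operational response chapter), as an added example that is not part of the report. It parses task definitions in the XML form that `schtasks /query /xml` exports; the task XML samples are constructed, and the set of user-writable path prefixes is an assumption to tune per environment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task names the brief reports for this campaign, compared case-insensitively.
SUSPECT_NAMES = {"windowssecurityupdate", "synchronize os"}
# Locations an unprivileged user can write to; a scheduled action launched from one is suspect.
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|[A-Za-z]:\\Users\\|[A-Za-z]:\\Windows\\Temp\\)",
    re.IGNORECASE,
)

# Constructed task definitions in the shape produced by `schtasks /query /xml`; not from a real host.
SAMPLE_TASKS = [
    r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\WindowsSecurityUpdate</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\alice\AppData\Roaming\Sync\setup.exe</Command></Exec></Actions>
</Task>""",
    r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Synchronize OS</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>"%APPDATA%\Updater\update.exe"</Command><Arguments>/q</Arguments></Exec></Actions>
</Task>""",
    r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
]


def analyze_task(xml_text):
    """Return (task name, list of reasons it was flagged); an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    reasons = []
    if name.lower() in SUSPECT_NAMES:
        reasons.append(f"task name matches a reported campaign task: {name}")
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        # Strip surrounding quotes so a quoted path still matches the prefix patterns.
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        if USER_WRITABLE.match(cmd):
            reasons.append(f"action launched from user-writable path: {cmd}")
    return name, reasons


def hunt(task_xmls):
    """Run analyze_task over exported task XML documents and keep only flagged tasks."""
    return [(name, reasons) for name, reasons in map(analyze_task, task_xmls) if reasons]


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS):
        print(name, "->", "; ".join(reasons))
```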
T1566.002 Spearphishing Link (Initial Access): Attackers delivered spear phishing links via email and social engineering platforms pointing to attacker controlled document workspaces.
T1574.002 DLL Side-Loading (Defense Evasion, Execution): Attackers placed malicious DLLs alongside legitimate signed executables, causing the legitimate process to sideload the malicious code.
T1562.001 Impair Defenses: Disable or Modify Tools (Defense Evasion): Configuration files used directives to disable Event Tracing for Windows before application code runs, blinding EDR telemetry pipelines.
T1053.005 Scheduled Task (Persistence): Attackers drop payloads and establish scheduled task persistence that triggers daily to maintain access.
T1041 Exfiltration Over C2 Channel (Exfiltration): Remote access trojan variants communicate via Azure hosted domains using obfuscation and artificial file inflation to bypass limits.
T1190 Exploit Public-Facing Application (Initial Access): Directly applicable to the active exploitation of Drupal CVE-2026-9082 and Ghost CMS CVE-2026-26980, based on technical analysis from consulted sources.
Chapter 05 - Governance, Risk & Compliance
Ghost CMS Web Trust and Brand Impact
Compromises turn trusted public facing websites into malware distribution and credential harvesting channels directly impacting customer trust.
Boards and risk committees should treat unpatched Ghost instances as an unacceptable residual risk requiring immediate credential rotation.
Organizations should involve legal and privacy teams early to determine whether local data protection and consumer notification laws are triggered by the compromise.
Drupal KEV Driven Obligations and Business Exposure
Entities subject to KEV driven contractual or regulatory requirements must demonstrate timely patching for CVE-2026-9082 or documented compensating controls.
Risk owners should assume worst case confidentiality and integrity impact in risk registers until logs and forensics can bound actual exposure.
Microsoft Defender Control Efficacy and Assurance
The zero days primarily affect the trustworthiness of the endpoint protection layer which can be turned into a privilege escalation vector if not updated promptly.
Risk and audit teams should treat confirmation of patched engine versions as a control assurance task requiring explicit evidence from endpoint management systems.
Chapter 06 - Adversary Emulation
Consulted sources do not provide authoritative adversary emulation scenarios or complete MITRE mappings for full playbook emulation regarding these specific campaigns.
The final confidence score of 74 reflects strong corroboration from consulted sources including primary threat intelligence providers and federal catalog entries for the Drupal and Microsoft vulnerabilities. This baseline is adjusted downward due to the reliance on single source reporting for the telecommunications and retail data breaches. Further deductions account for unconfirmed severity metrics regarding the Ghost CMS campaign and a lack of named actor attribution across the broader web exploitation clusters.
