
A Day In Cybercrime: May 30, 2026

Kirk
8 min read
Tags: threat-intel, c2, ransomware, infrastructure, dns, supply-chain

A Day In Cybercrime with DERP delivers a daily cybercrime and threat intelligence overview: news, package manager malware, ransomware claims, C2 observations, and infrastructure.

News

Hackers exploit FortiClient EMS flaw to push infostealer malware

Bleeping Computer | today at 6:02 AM Eastern

Attackers are exploiting an authentication bypass (CVE-2026-35616) in FortiClient EMS to push a previously undocumented infostealer, disguised as a Fortinet update, to endpoints through EMS's VPN scripting workflows. Operators should confirm their FortiClient EMS version is patched and review the VPN scripts EMS currently distributes for anything they did not author.

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

The Hacker News | today at 3:02 AM Eastern

Palo Alto Networks warned that CVE-2026-0257, an authentication bypass in PAN-OS GlobalProtect, is under active exploitation to establish unauthorized VPN connections. The advisory was updated on May 29 with confirmation of limited exploit attempts on unpatched devices.

Bleeping Computer | May 29 at 3:02 PM Eastern

The LLMShare campaign abuses ChatGPT share links hosted on chatgpt.com to display fake OpenAI outage pages that send users, arriving via Google ads, to a malware download. Because the lure sits on a legitimate OpenAI domain, domain reputation alone will not catch it; detection has to key on the specific share-link URLs and on the ad click and download that follow.

California AG sues 23andMe over 2023 breach exposing health data

Bleeping Computer | May 29 at 3:02 PM Eastern

California AG Rob Bonta sued 23andMe (now Chrome Holding Co.) over the 2023 breach that exposed sensitive data of nearly 7 million customers, including 855,541 Californians. The lawsuit highlights regulatory consequences of inadequate security for genetic and health data.

New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

The Hacker News | May 29 at 8:02 AM Eastern

A new Russia-linked threat actor, GREYVIBE, targets Ukraine with AI-powered cyberattacks, using spear-phishing, fake CAPTCHA pages, and fraudulent adult websites to deliver custom malware. The group's victimology spans military, government, civilian, and business organizations, with ties to the broader Russian cybercrime ecosystem.

Package Manager Malware

OSV reported 319 MAL advisories across repositories: PyPI: 1, npm: 318.

That covers 319 packages across 2 repositories.

5 promoted hosts were present in the OSV data.

npm dominates with 318 of 319 MAL advisories, including two malware_infra packages sharing four hosts and a large c2_config campaign pointing to a single host.

| OSV ID | Repository | Package | Feed Classes | Roles | Hosts |
|---|---|---|---|---|---|
| MAL-2026-3433 | npm | @beproduct/nestjs-auth | malware_infra | malware_infra | api[.]masscan.cloud, filev2[.]getsession.org, git-tanstack[.]com, seed1[.]getsession.org |
| MAL-2026-4863 | npm | @car-loans/applicaion-aff | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4864 | npm | @car-loans/application-aff | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4865 | npm | @car-loans/close-flow-module | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4866 | npm | @car-loans/deal | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4867 | npm | @car-loans/deal-aff | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4868 | npm | @car-loans/desktop-car-loans-application | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4869 | npm | @car-loans/feature-toggles-module | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4870 | npm | @car-loans/general-analytics | c2_config | config_or_webhook | oob[.]moika.tech |
| MAL-2026-4871 | npm | @car-loans/general-feature-toggles | c2_config | config_or_webhook | oob[.]moika.tech |
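The two checks a practitioner wants from this table are "which hosts tie these packages into one campaign" and "is any of them in my dependency tree". The script below is an added example, not DERP's or OSV's own tooling: it embeds the rows above, refangs the `[.]` hosts, clusters packages by the host they contact, and scans a package-lock.json (v2/v3 `packages` map, so nested copies are found too). The lockfile fragment is constructed for the demonstration.

```python
"""Triage the OSV MAL advisories in the table above: refang the defanged hosts,
cluster packages by the infrastructure they share, and check an npm lockfile
for any flagged package. Added example, not DERP's or OSV's own tooling."""
import json
from collections import defaultdict

# (OSV ID, package, feed class, hosts) copied from the table above.
ADVISORIES = [
    ("MAL-2026-3433", "@beproduct/nestjs-auth", "malware_infra",
     "api[.]masscan.cloud, filev2[.]getsession.org, git-tanstack[.]com, seed1[.]getsession.org"),
    ("MAL-2026-4863", "@car-loans/applicaion-aff", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4864", "@car-loans/application-aff", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4865", "@car-loans/close-flow-module", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4866", "@car-loans/deal", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4867", "@car-loans/deal-aff", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4868", "@car-loans/desktop-car-loans-application", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4869", "@car-loans/feature-toggles-module", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4870", "@car-loans/general-analytics", "c2_config", "oob[.]moika.tech"),
    ("MAL-2026-4871", "@car-loans/general-feature-toggles", "c2_config", "oob[.]moika.tech"),
]


def refang(host: str) -> str:
    """Undo the [.] defanging used in reports so hosts match proxy/DNS logs."""
    return host.strip().replace("[.]", ".")


def cluster_by_host(advisories):
    """Map each refanged host to the set of packages that contact it. One host
    with many packages is one campaign; one package with many hosts is shared infra."""
    clusters = defaultdict(set)
    for _osv_id, pkg, _feed_class, hosts in advisories:
        for host in hosts.split(","):
            clusters[refang(host)].add(pkg)
    return clusters


def campaigns(advisories, min_packages=2):
    """Hosts shared by at least min_packages packages, largest cluster first."""
    clusters = cluster_by_host(advisories)
    return sorted(((h, sorted(p)) for h, p in clusters.items() if len(p) >= min_packages),
                  key=lambda item: -len(item[1]))


def flagged_in_lockfile(lock_json: str, advisories):
    """Return {package: (installed version, OSV ID)} for flagged packages found in a
    package-lock.json (lockfileVersion 2 or 3). The "packages" map is keyed by install
    path, so nested copies (node_modules/a/node_modules/b) are found as well."""
    lock = json.loads(lock_json)
    flagged = {pkg: osv_id for osv_id, pkg, _c, _h in advisories}
    hits = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in flagged:
            hits[name] = (meta.get("version"), flagged[name])
    return hits


# Constructed lockfile fragment for the demonstration; not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/@car-loans/deal": {"version": "1.0.3"},
        "node_modules/express/node_modules/@beproduct/nestjs-auth": {"version": "0.2.1"},
    },
})

if __name__ == "__main__":
    for host, pkgs in campaigns(ADVISORIES):
        print(f"{host}: {len(pkgs)} packages")
    for pkg, (version, osv_id) in flagged_in_lockfile(SAMPLE_LOCK, ADVISORIES).items():
        print(f"FLAGGED {pkg}@{version} ({osv_id})")
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file contents; a hit means the package is installed, which is worth treating as an incident rather than a dependency bump, since the `c2_config` rows describe code that phones home at install or import time.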

Ransomware Claims

23 ransomware claims posted across 16 groups, 9 countries, and 12 sectors in the past 24 hours.

Akira leads with 3 claims among 16 active groups, while the US accounts for 10 of 23 total claims across 9 countries.

Group Claims
Akira 3
Dragonforce 2
Genesis 2
Nova 2
Shinyhunters 2
Titan 2
0day syndicate 1
Bravox 1
Cmdorganization 1
Gunra 1
Incransom 1
Kairos 1
Krybit 1
Lamashtu 1
Lapsus$ 1
Pure Extraction And Ransom 1

Countries hit: US (10), KR (2), FR (2), LK (1), IT (1), DE (1), ID (1), NL (1), IN (1).

Targeted sectors: Business Services (5), Healthcare (3), Agriculture and Food Production (2), Manufacturing (2), Transportation/Logistics (1), Education (1), Telecommunication (1), Hospitality and Tourism (1), Public Sector (1), Technology (1).

C2 Observations

370 C2 observations landed across 65 malware families, with 265 unique hosts and 21 shared hosts.

Clearfake dominates with 107 of 370 C2 observations, followed by AsyncRAT and Quasar; 21 shared hosts indicate multi-family infrastructure reuse.

Family C2s
clearfake 107
asyncrat 40
quasar 25
vidar 19
cobaltstrike 17
vshell 16
remcos 15
nanocore 13
xworm 8
meshagent 5
adaptixc2 4
njrat 4

Shared Hosts

Shared hosts like xboxtelemetry-defender[.]cc and 3[.]36.173.8 carry 34 families each, concentrated on Amazon infrastructure. Their family lists are identical, so the domain almost certainly resolves to that IP and the two rows describe one server, not two; a single host tagged with this many unrelated families should also be checked for sinkhole or shared-hosting effects before it is read as one operator's consolidated C2. The *.gl.at.ply.gg entries are tunnel-service hostnames (the AS owner, Developed Methods LLC, appears to be the playit.gg tunnel provider), so blocking the specific label buys little once the operator rotates to a new one.

| Host | Family Count | Selected Families | AS / Country |
|---|---|---|---|
| xboxtelemetry-defender[.]cc | 34 | ades_stealer, amadey, chaos, cobaltstrike, dcrat, discordrat, dragonforce, emotet, gcleaner, gh0strat, hiddentear, hijackloader | Amazon.com, Inc. / US |
| 3[.]36.173.8 | 34 | ades_stealer, amadey, chaos, cobaltstrike, dcrat, discordrat, dragonforce, emotet, gcleaner, gh0strat, hiddentear, hijackloader | Amazon.com, Inc. / US |
| president-rogers[.]gl.at.ply.gg | 21 | 44caliber, ammyyadmin, blankgrabber, donutloader, formbook, lockbit, lumma, mimikatz, neshta, njrat, quasar, redline | Developed Methods LLC / US |
| talk-chief[.]gl.at.ply.gg | 3 | asyncrat, njrat, xworm | Developed Methods LLC / US |
| zsf168[.]com | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| seomf168[.]com | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| qhcf168[.]com | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| f168csn[.]com | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| f168-t1[.]com | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| chief168[.]com | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| nf168[.]net | 2 | asyncrat, quasar | Cloudflare, Inc. / US |
| mcf168[.]com | 2 | asyncrat, quasar | Cloudflare, Inc. / US |

Quad9 DNS Activity

Vidar hosts mub.matriculaflix.com and mub.depansm188.top generated the most resolver blocks, with clearfake hosts also prominent in the top blocked list.

Top 10 New Quad9 C2 Blocks (24 hours)

| Host | Families | Blocked Events | Top Countries |
|---|---|---|---|
| mub[.]matriculaflix.com | vidar | 794 | VE, IN, ZA |
| mub[.]depansm188.top | vidar | 641 | VE, IN, ZA, DE, PK |
| mjugj[.]sm188dvlv.hair | clearfake | 191 | DE, US, CH, EE, NL |
| ultraviolence[.]buzz | - | 139 | DE, RU, US, IL, NL |
| phimsexhayho[.]com | asyncrat | 109 | VN, US, DE |
| mfrpd[.]sm188daftar.cfd | clearfake | 102 | DE, EE, US, CH, CO |
| tohiels[.]payestation.com | clearfake | 63 | DE, US |
| advbc[.]sm188dvlv.hair | clearfake | 47 | DE, CO, EE, US, CH |
| tooca[.]sm188daftar.skin | clearfake | 46 | DE, NL, US, CH, FR |
| zzksh[.]sm188dvlv.rest | clearfake | 36 | DE, NL, CH, CO |

Top 10 Quad9 C2 Blocks Across the Full C2 Database (24 hours)

| Host | Blocked Events | Top Countries |
|---|---|---|
| ff[.]nnmm234.com | 277,124 | DE, US |
| ff[.]vvbb321.com | 277,085 | DE |
| ff[.]jjkk567.com | 277,075 | DE |
| ff[.]xxcc789.com | 277,035 | DE |
| ff[.]aass654.com | 276,982 | DE |
| hh[.]nnmm234.com | 162,577 | LK, TH, US |
| hh[.]aass654.com | 162,557 | LK, US |
| hh[.]xxcc789.com | 162,477 | LK, US |
| hh[.]jjkk567.com | 162,422 | LK, US |
| topbannersun[.]com | 153,466 | ID, ET, MU, BD, BR |
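Two things a resolver operator would do with the Shared Hosts table and the two Quad9 block tables above: de-duplicate hosts that are really one server seen by name and by IP (identical family sets), and turn the remaining names into a response policy zone, collapsing siblings such as ff[.]nnmm234.com and hh[.]nnmm234.com to their apex. The script below is an added example, not DERP's or Quad9's own tooling. The sample rows are copied from the tables (family lists abbreviated); the RPZ record forms (`name CNAME .` for NXDOMAIN, `<prefix>.<reversed-octets>.rpz-ip` for an IP trigger) are standard. Two assumptions are labelled in the code: the apex is approximated as the last two labels rather than via the public suffix list, and `gl.at.ply.gg` is treated as a tunnel-service suffix whose shared apex must never be blocked.

```python
"""Resolver-side handling of the host tables above: refang, flag hosts whose
family sets are identical (likely one server seen by name and by IP), and emit
an RPZ zone that blocks them, collapsing sibling subdomains to their apex.
Added example; not DERP's or Quad9's own tooling."""
import re
from collections import defaultdict

# Rows copied from the Shared Hosts table above (family lists abbreviated).
SHARED_HOSTS = [
    ("xboxtelemetry-defender[.]cc", {"ades_stealer", "amadey", "chaos", "cobaltstrike", "dcrat"}),
    ("3[.]36.173.8", {"ades_stealer", "amadey", "chaos", "cobaltstrike", "dcrat"}),
    ("president-rogers[.]gl.at.ply.gg", {"lumma", "quasar", "redline"}),
    ("talk-chief[.]gl.at.ply.gg", {"asyncrat", "njrat", "xworm"}),
    ("zsf168[.]com", {"asyncrat", "quasar"}),
    ("seomf168[.]com", {"asyncrat", "quasar"}),
]
# Hosts copied from the Quad9 block tables above, plus the shared IP.
BLOCKED = ["mub[.]matriculaflix.com", "mub[.]depansm188.top", "ff[.]nnmm234.com",
           "hh[.]nnmm234.com", "ff[.]vvbb321.com", "phimsexhayho[.]com", "3[.]36.173.8"]

# Tunnel-service suffixes: the leading label is the operator's choice, so block the
# exact host and never the shared apex. Assumption: ply.gg is the playit.gg tunnel
# service (Developed Methods LLC in the table above).
TUNNEL_SUFFIXES = ("gl.at.ply.gg",)

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(host: str) -> str:
    """Undo the [.] defanging used in the tables so hosts match resolver logs."""
    return host.strip().replace("[.]", ".")


def apex(host: str) -> str:
    """Registrable domain approximated as the last two labels. Assumption: no
    multi-label public suffix (co.uk etc.) in the input; use the PSL in production.
    Tunnel hostnames are returned unchanged so the provider apex is never blocked."""
    if host.endswith(TUNNEL_SUFFIXES):
        return host
    return ".".join(host.split(".")[-2:])


def ip_rpz_name(ip: str) -> str:
    """RPZ IP trigger: <prefix-length>.<reversed octets>.rpz-ip (here a /32)."""
    return "32." + ".".join(reversed(ip.split("."))) + ".rpz-ip"


def identical_family_sets(rows):
    """Group hosts carrying exactly the same family set. A name and an IP with the
    same 34 families, as in the table above, is almost certainly one server counted
    twice and should be merged before host counts are reported."""
    by_families = defaultdict(list)
    for host, families in rows:
        by_families[frozenset(families)].append(refang(host))
    return [set(hosts) for hosts in by_families.values() if len(hosts) > 1]


def rpz_records(hosts):
    """Sorted RPZ records. Two or more sibling hosts under one apex collapse to the
    apex plus a wildcard; a lone host gets its exact name plus a wildcard beneath it."""
    names = sorted({refang(h) for h in hosts})
    per_apex = defaultdict(set)
    records = set()
    for name in names:
        if IPV4.match(name):
            records.add(f"{ip_rpz_name(name)} CNAME .")
        else:
            per_apex[apex(name)].add(name)
    for ap, members in per_apex.items():
        targets = {ap} if len(members) > 1 else members
        for t in targets:
            records.add(f"{t} CNAME .")    # NXDOMAIN for the name itself
            records.add(f"*.{t} CNAME .")  # and for anything beneath it
    return sorted(records)


def rpz_zone(hosts, origin="c2.rpz"):
    """Render a minimal zone file loadable as a response policy zone (BIND, Unbound)."""
    header = [f"$ORIGIN {origin}.", "$TTL 300",
              "@ SOA localhost. root.localhost. 2026053001 3600 900 604800 300",
              "@ NS localhost."]
    return "\n".join(header + rpz_records(hosts)) + "\n"


if __name__ == "__main__":
    print(identical_family_sets(SHARED_HOSTS))
    print(rpz_zone(BLOCKED))
```

Collapsing to the apex is deliberately aggressive: it is right for throwaway domains like the `*168.com` and `nnmm234.com` families, and wrong for a compromised subdomain of a legitimate site, so review the apex list before loading the zone.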

Infrastructure

Download-host infrastructure covered 278 hosts across 25 countries, 62 providers, and 5 infrastructure types.

Cloudflare fronts 161 of the 278 download hosts, with the US as the top country; Hetzner and Tencent follow distantly. A Cloudflare count says where the hosts are proxied, not where the origin servers sit, so the country split should be read with that in mind.

Provider Download Hosts
Cloudflare 161
Hetzner Online GmbH 12
Shenzhen Tencent Computer Systems Company 11
Amazon.com 6
Datacamp 6
Hangzhou Alibaba Advertising Co.,Ltd. 6
OVH SAS 6
DigitalOcean 4
HostPapa 3
China Telecom (Group) 2
