This week’s threat landscape reveals an aggressive tactical pivot across multiple threat boundaries. Attackers are moving past simple exploits to execute deep infrastructure abuse—tunneling ransomware command-and-control traffic through legitimate Microsoft Teams relay servers and exploiting authentication chains inside Microsoft 365 Copilot. Simultaneously, a massive global perimeter crisis has left tens of thousands of edge firewalls exposed, while ransomware cartels are weaponizing centralized EDR-killing frameworks to systematically blind corporate defenders.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
Perimeter Collapse and Edge Infrastructure Exploitation
The enterprise perimeter is under unprecedented strain from automated credential-harvesting campaigns and high-severity data plane vulnerabilities targeting edge routing and security appliances.
- Massive "FortiBleed" Operation & FortiSandbox Flaws — A massive, highly automated cyber-espionage campaign has compromised between 30,000 and 75,000 internet-facing FortiGate firewalls globally. Threat actors are extracting legacy SHA-256 configuration hashes and using a 45-GPU cluster to crack passwords offline, turning appliances into credential-harvesting listening posts. Concurrently, unauthenticated remote command execution flaws in FortiSandbox (CVE-2026-39808, -39813, -25089) are being actively exploited in the wild.
- Systemic Fortinet Ecosystem Exploitation (H1 2026) — Aggregated threat telemetry from the first half of 2026 highlights a severe vulnerability surge across the Fortinet suite. Threat actors are prioritizing pre-authentication remote code execution (RCE) and cross-tenant Single Sign-On (SSO) bypasses (CVE-2026-24858) to target core identity proxies, underscoring that edge architecture must immediately be isolated from public exposure.
- F5 NGINX Data Plane Vulnerabilities — F5 issued an out-of-band security advisory addressing critical memory-handling flaws (CVE-2026-42530 and CVE-2026-42055) in NGINX Open Source, Plus, and Gateway Fabric. Unauthenticated remote attackers can send crafted HTTP/2, HTTP/3, or gRPC traffic to trigger heap-based buffer overflows or Use-After-Free conditions, leading to persistent worker process crashes or arbitrary code execution.
Stealth Infiltration and Supply Chain Injections
Adversaries are targeting the software delivery pipelines and AI productivity environments that organizations inherently trust, embedding malicious logic directly into daily engineering workflows.
- M365 Copilot Enterprise "SearchLeak" (CVE-2026-42824) — A critical three-stage vulnerability chain allows unauthenticated external attackers to steal highly sensitive emails, private organizational files, and MFA codes with a single click. The attack combines a Parameter-to-Prompt (P2P) injection via trusted Microsoft links with an output streaming race condition, bypassing Content Security Policies (CSP) via Bing Server-Side Request Forgery (SSRF) to leak data into attacker server logs.
- WordPress Supply Chain CDN Hijack — A sophisticated campaign has backdoored over 1.2 million websites by tampering with JavaScript SDK files hosted on official plugin CDNs (including OptinMonster, TrustPulse, and PushEngage). When a logged-in site administrator loads the altered scripts, the malware automatically executes backend requests to create rogue administrator accounts and deploy persistent web shells.
- Mastra npm Ecosystem Compromise — Over 140 npm packages published under the Mastra namespace were poisoned via a malicious transitive dependency named `easy-day-js` (a typosquat of the popular `dayjs` library). The package utilizes an obfuscated postinstall hook that explicitly disables TLS certificate validation to download a cross-platform implant capable of siphoning cryptocurrency wallets and local browser databases.
- Crypto Clipper Worm Utilizing Tor Network — Distributed via malicious Windows Shortcut (.lnk) files on removable USB media, this worm aggressively replicates across host drives and connected systems. The malware establishes system persistence, disables Windows Defender via forced exclusions, and spawns a hidden, bundled Tor client (`ugate.exe`) to securely route hijacked clipboard data and environment logs out-of-band to hidden onion domains.
Destructive Evasion and Ransomware Cartels
Ransomware cartels are rapidly modernizing their toolkits, transitioning to "hands-on-keyboard" execution models designed to destroy visibility before launching encryption routines.
- DragonForce Cartel Weaponizes Microsoft Teams Relays — In a highly sophisticated evasion play, the DragonForce ransomware cartel is deploying a custom Go-based RAT (`Backdoor.Turn`) that tunnels command-and-control traffic directly through Microsoft Teams' legitimate STUN/TURN relay servers. This masks outbound malicious communication as standard corporate collaboration traffic. The group pairs this with Bring Your Own Vulnerable Driver (BYOVD) tactics to aggressively terminate endpoint security agents.
- The Gentlemen RaaS "GentleKiller" Framework — The Gentlemen ransomware group has introduced `GentleKiller`, a centralized, modular EDR-killing framework designed to aggressively disable roughly 400 unique processes across 48 security applications. The framework utilizes obfuscation wrappers (Enigma/Themida) and exploits vendor-signed UEFI applications (VU#457458) to execute pre-boot code, bypassing Secure Boot entirely to blind the OS-level security stack.
- Prinz Eugen Ransomware Targets Financial Sectors — A new Go-based ransomware strain executed a massive 1.2 TB data exfiltration breach against the Standard Bank Group. Operating "hands-on-keyboard" under a double-extortion model, the malware features an innovative prioritization engine that aggressively encrypts the most recently modified files first to cause immediate operational paralysis. It executes entirely out-of-band without dropping a traditional text ransom note and automatically wipes itself from disk post-encryption.
- GORZ ROSTAM DDoS Campaigns (Operation Haft Khan) — Shifting from localized website defacements, the hacktivist actor "GORZ ROSTAM" has launched coordinated, application-layer Distributed Denial of Service (DDoS) campaigns targeting the Middle Eastern financial sector. High-profile victims include major institutions in Bahrain (Bank ABC) and the UAE (Mashreq Bank) under the banner of "Operation Haft Khan."
Proactive Steps for the Week
- Upgrade Hashing Frameworks & Rotate Perimeter Keys: Immediately update all FortiGate appliances to enforce modern PBKDF2 configuration password hashing. Force a global password rotation and terminate all active administrative and SSL VPN sessions to invalidate potentially cracked legacy hashes.
- Harden Microsoft Collaboration Infrastructure: Configure Microsoft Teams tenant parameters to block anonymous users or unverified external guests from generating guest session tokens. Review enterprise Microsoft 365 configurations to ensure server-side mitigations for the Copilot "SearchLeak" (CVE-2026-42824) are fully active.
- Deploy Ingress and Edge Protections: Prioritize updates for F5 NGINX and FortiSandbox (remediating CVE-2026-25089). Ensure the NGINX `large_client_header_buffers` directive is kept strictly below 2MB and `ignore_invalid_headers` is set to `on`.
- Harden UEFI and Kernel Boundaries: Implement Microsoft's Recommended Driver Block Rules or WDAC policies to actively prevent known vulnerable third-party drivers (BYOVD) from loading into kernel space. Apply latest vendor BIOS/UEFI patches to refresh the Secure Boot Forbidden Signature Database (DBX) to neutralize pre-boot bypass tools.
- Sanitize Open-Source Ingestion Paths: Conduct automated audits of project manifests and lockfiles for references to the malicious `easy-day-js` dependency. Enforce `npm config set ignore-scripts true` globally across developer workstations and CI/CD runners to block postinstall payload hooks.
- Audit WordPress User Registries: For enterprise WordPress environments, retroactively scan the `wp_users` database for rogue accounts matching `developer_api1` or `dev_` naming structures. Immediately delete unauthorized directories under `wp-content/plugins/`.
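One way to carry out the lockfile audit recommended above, as an added example that is not part of this advisory: the script walks a `package-lock.json` (both the v2/v3 flat `packages` map and the v1 nested `dependencies` tree), reports any occurrence of `easy-day-js` wherever it sits in the tree, and also lists every package the lockfile marks as carrying an install script, since a postinstall hook is the delivery mechanism described above. The two sample lockfiles are constructed here for illustration.

```python
import json
from typing import Iterator

# Constructed lockfileVersion 3 sample: easy-day-js pulled in transitively.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@mastra/core": "^0.1.0"}},
        "node_modules/@mastra/core": {"version": "0.1.0",
                                      "dependencies": {"easy-day-js": "^1.0.0"}},
        "node_modules/easy-day-js": {"version": "1.0.0", "hasInstallScript": True},
        "node_modules/dayjs": {"version": "1.11.0"},
    },
})

# Constructed lockfileVersion 1 sample: same package nested under another dependency.
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"easy-day-js": {"version": "0.9.0"}}},
    },
})

BLOCKLIST = {"easy-day-js"}  # package name taken from this advisory


def iter_packages(lock: dict) -> Iterator[tuple[str, dict]]:
    """Yield (name, entry) for every installed package, whatever the lockfile version."""
    if "packages" in lock:  # lockfileVersion 2/3: keys are node_modules paths
        for path, entry in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                yield path.rsplit("node_modules/", 1)[-1], entry  # keeps @scope/name
        return

    def walk(deps: dict):  # lockfileVersion 1: nested name -> entry tree
        for name, entry in deps.items():
            yield name, entry
            yield from walk(entry.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(text: str) -> dict:
    """Return blocklisted packages (name@version) and packages with install scripts."""
    findings = {"blocklisted": [], "install_scripts": []}
    for name, entry in iter_packages(json.loads(text)):
        if name in BLOCKLIST:
            findings["blocklisted"].append(f"{name}@{entry.get('version', '?')}")
        if entry.get("hasInstallScript"):
            findings["install_scripts"].append(name)
    return findings
```

Point `audit_lockfile` at the contents of each lockfile found by a repository walk; a non-empty `blocklisted` list is the signal to quarantine that checkout.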
To Know More
Explore our DFIR Solutions to discover how our advanced incident response support, threat hunting frameworks, and compromise assessments can insulate your enterprise infrastructure against these emerging campaigns.