Weekly Threat Intel Report — 2026-W18
TL;DR
Week 18 of 2026 (Apr 27 – May 3) was defined by two high-impact vulnerabilities reaching mass-exploitation status, North Korean cybercrime continuing to set records, and the slow but steady arrival of AI-enabled phishing kits and AI-assisted vulnerability discovery.
- CVE-2026-31431 ('Copy Fail') — a Linux kernel privilege-escalation flaw — was added to CISA's Known Exploited Vulnerabilities catalog on May 1 with a public proof-of-concept and active exploitation reported by Microsoft and Sophos.
- CVE-2026-41940 — a missing-authentication flaw in WebPros' cPanel & WHM and WP2 — is being mass-exploited to deploy 'Sorry' ransomware on hosted websites. CISA gave federal agencies until Sunday to patch.
- APT38 / BlueNoroff is reportedly using AI-generated avatars and recycled victim footage in fake Zoom calls to scale attacks against cryptocurrency executives, and DPRK actors collectively now account for ~76% of all crypto stolen in 2026.
- VECT ransomware turned out to behave like a wiper due to broken cryptography, and a new phishing-as-a-service kit, Bluekit, launched with 40+ templates and an AI assistant.
- CISA, NSA, and partners published joint guidance on Zero Trust for OT and on agentic AI adoption, while the UK NCSC warned defenders to brace for an AI-accelerated 'patch wave.'
Notable Activity by Actor
APT38 (BlueNoroff / Sapphire Sleet) — DPRK
Dark Reading reported on April 28 that BlueNoroff is industrializing its social-engineering pipeline against cryptocurrency executives. Operators stage fake Zoom meetings featuring AI-generated avatars and, more strikingly, repurposed video footage of previous victims to make calls feel real to new targets. During the call, the victim is steered to run an attacker-supplied file under the pretense of fixing audio or camera issues — a technique that maps closely to MITRE T1566.003 (Spearphishing via Service) and T1204.002 (User Execution: Malicious File).
This fits the broader pattern Recorded Future and Dark Reading both highlighted this week: by May 1, roughly 76% of all cryptocurrency stolen so far in 2026 traces to North Korean operators. Recorded Future's 'Lazarus Doesn't Need AGI' analysis argues that current LLMs and image/voice models are already sufficient to scale DPRK theft pipelines — no science-fiction AI required. Defenders in any sector that handles cryptocurrency, custody keys, or wallet infrastructure should treat unsolicited video meetings — especially ones that demand a 'plug-in' or 'updater' — as an active intrusion vector.
UNC6692 (newly tracked, attribution unclear)
A newly designated cluster, UNC6692, was reported on April 27 combining Microsoft Teams-based social engineering, AWS S3 buckets for staging, and a custom malware family called Snow. Public reporting does not yet attribute UNC6692 to a known group or nation-state. The choice of Teams as a delivery channel — and the use of a major cloud provider's storage as both lure host and exfil endpoint — continues a trend of attackers blending into trusted SaaS to dodge perimeter controls.
VECT (ransomware-as-a-service)
Check Point and Dark Reading detailed VECT, a Russian-language RaaS first advertised in December 2025 and now partnered with the supply-chain actor 'TeamPCP.' The headline finding: VECT 2.0's encryption is broken in a way that destroys data even when victims pay for a decryptor. In other words, victims face a destructive incident regardless of payment posture. This is a useful talking point for any organization still using 'we'll just pay' as an implicit recovery plan.
Emerging Threats
'Copy Fail' — Linux kernel privilege escalation (CVE-2026-31431)
Microsoft disclosed CVE-2026-31431 on May 1, describing it as a high-severity Linux kernel flaw that enables local root privilege escalation across cloud environments and Kubernetes workloads. Sophos published a proof-of-concept the same day, and CISA added the CVE to KEV with confirmation of in-the-wild exploitation. Any Linux fleet — bare metal, VM, or container host — should treat this as a top-priority patch this week. Cloud and Kubernetes operators should additionally review pod security profiles, restrictions on CAP_SYS_ADMIN, and runtime detections for suspicious setuid/capabilities transitions.
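One way to carry out the pod-security review suggested above, as an added example that is not from Microsoft, Sophos or this report: an audit over the JSON that `kubectl get pods -A -o json` emits, flagging privileged containers, CAP_SYS_ADMIN grants, hostPID and an unset allowPrivilegeEscalation. The pod specs are constructed.

```python
"""Audit Kubernetes pod specs for settings that widen the blast radius of a
kernel LPE such as CVE-2026-31431: privileged containers, CAP_SYS_ADMIN added,
host PID namespace, and allowPrivilegeEscalation left at its default.
Added example, not from the report or any vendor; input is the JSON shape of
`kubectl get pods -A -o json`, and the sample below is constructed."""
import json

# Constructed sample: one locked-down pod and one over-privileged pod.
SAMPLE_PODS_JSON = """{"items": [
  {"metadata": {"name": "api-7f9", "namespace": "prod"},
   "spec": {"containers": [{"name": "api", "securityContext": {
       "allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}}}]}},
  {"metadata": {"name": "node-agent-x1", "namespace": "ops"},
   "spec": {"hostPID": true, "containers": [{"name": "agent", "securityContext": {
       "privileged": true, "capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}}}]}}
]}"""


def audit_pods(pod_list: dict) -> list[dict]:
    """Return one finding per risky container: ns, pod, container, reasons."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_reasons = ["hostPID"] if spec.get("hostPID") else []
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext") or {}
            reasons = list(pod_reasons)
            if sc.get("privileged"):
                reasons.append("privileged")
            if "SYS_ADMIN" in ((sc.get("capabilities") or {}).get("add") or []):
                reasons.append("CAP_SYS_ADMIN")
            # Kubernetes treats an unset allowPrivilegeEscalation as true.
            if sc.get("allowPrivilegeEscalation") is not False:
                reasons.append("allowPrivilegeEscalation")
            if reasons:
                findings.append({"ns": meta["namespace"], "pod": meta["name"],
                                 "container": c["name"], "reasons": reasons})
    return findings


def audit_json(text: str) -> list[dict]:
    """Convenience wrapper for raw kubectl output."""
    return audit_pods(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_PODS_JSON):
        print(f"{f['ns']}/{f['pod']}:{f['container']} -> {', '.join(f['reasons'])}")
```

Pipe real `kubectl get pods -A -o json` output into `audit_json` to get the list of pods whose specs deserve a second look before the kernel fix lands.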
cPanel & WHM 'Sorry' ransomware (CVE-2026-41940)
BleepingComputer and The Record reported that CVE-2026-41940 — a missing-authentication-for-critical-function flaw in WebPros cPanel & WHM and WP2 — is being mass-exploited to deploy 'Sorry' ransomware on customer websites. Rapid7 noted that successful exploitation grants attackers control over the cPanel host, its configurations and databases, and every site it manages. CISA added the CVE to KEV on April 30 and ordered federal civilian agencies to patch by Sunday. Hosting providers, MSPs, and any SMB running self-managed cPanel are in scope.
Bluekit phishing-as-a-service
A new phishing kit, Bluekit, launched with 40+ ready-made templates targeting popular services and a built-in AI assistant for drafting campaigns (BleepingComputer, April 30). The barrier to launching a credible phishing campaign keeps dropping. Combine this with the ClickFix variant BackgroundFix that Huntress documented on April 30 — which removes a victim's video-call background while quietly installing CastleLoader, NetSupport RAT, and CastleStealer — and the takeaway is consistent: 2026's commodity phishing increasingly looks like spear-phishing did three years ago.
Microsoft email-threat trends, Q1 2026
Microsoft's Q1 2026 email-threat report (April 30) noted credential phishing, QR-code phishing, and CAPTCHA-gated lures all rising. The takedown of the Tycoon2FA phishing platform produced a measurable ~15% drop in overall volume and forced operators to rework infrastructure. CAPTCHA gating and QR codes continue to evade traditional URL inspection, so detection programs should weight client-side telemetry and not just gateway scanning.
Russian aviation espionage
The Record reported on May 1 that a cyber-espionage cluster is targeting Russian government bodies and aviation firms to exfiltrate satellite and GPS data. Public reporting does not yet attribute the activity, but it is a reminder that geospatial and PNT (positioning, navigation, timing) data remain a valuable espionage target globally.
AI is now both attacker and auditor
- The UK NCSC warned on May 1 that organizations should prepare for a 'patch wave' as AI accelerates flaw discovery in legacy code.
- Dark Reading reported AI tooling found 38 security flaws in OpenEMR, an electronic-health-records platform used by 100,000+ providers, including paths to RCE and database compromise.
- Microsoft made Agent 365 generally available with new shadow-AI-agent discovery capabilities, signaling that 'unmanaged AI agents inside the enterprise' is the next visibility problem.
- Unit 42 published research on high-risk generative-AI browser extensions that disguise themselves as productivity tools while reading email content and exfiltrating credentials.
Defender Takeaways
- Patch the two big ones now. CVE-2026-31431 (Linux kernel, KEV, working exploit) and CVE-2026-41940 (cPanel/WHM, KEV, mass-exploited). Confirm coverage across cloud images, Kubernetes node OSes, and any hosted/cPanel infrastructure.
- Treat unsolicited video calls as a delivery vector. BlueNoroff's fake-Zoom playbook is the canonical example. Block inbound 'updater' downloads from meeting participants; require finance and crypto staff to verify identities out-of-band.
- Re-baseline phishing detection for the AI-kit era. Bluekit, ClickFix/BackgroundFix, QR-code phishing, and CAPTCHA-gated landers all bypass traditional URL scanning. Lean on client-side EDR telemetry, browser isolation, and DNS-layer detection.
- Don't assume 'we'll pay' is a recovery plan. VECT 2.0's broken encryption destroys data regardless of payment. Test offline backup restoration this quarter.
- Inventory AI agents and AI browser extensions. Both can read email, prompts, and credentials. Apply the same governance you apply to any data-processing third party — and review CISA's new agentic-AI guidance.
- Prepare for the patch wave. NCSC's warning is operational, not theoretical. Pre-stage emergency change windows now while things are quiet.
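Turning the first takeaway into a ranked work list, as an added example that is not from the report or CISA: the script cross-references a constructed excerpt in the shape of CISA's KEV JSON feed against a constructed asset inventory, putting ransomware-linked and nearest-deadline items first. The dueDate values in the excerpt are placeholders, not CISA's published deadlines.

```python
"""Cross-reference CISA's KEV feed with an internal exposure inventory so the
report's 'patch the two big ones' becomes a ranked work list with deadlines.
Added example, not from the report or CISA. Field names follow CISA's KEV JSON
(cveID, dateAdded, dueDate, knownRansomwareCampaignUse); the excerpt and the
inventory are constructed, and the dueDate values are placeholders."""
from datetime import date

KEV_EXCERPT = {"vulnerabilities": [
    {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2026-05-01", "dueDate": "2026-05-22",        # placeholder
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41940", "vendorProject": "WebPros", "product": "cPanel & WHM",
     "dateAdded": "2026-04-30", "dueDate": "2026-05-03",        # placeholder ("Sunday")
     "knownRansomwareCampaignUse": "Known"},
]}

# Constructed inventory: open CVEs per asset as a scanner or SBOM tool would
# report them. CVE-0000-00000 is a dummy ID standing for any non-KEV finding.
INVENTORY = [
    {"asset": "k8s-node-pool-a", "open_cves": ["CVE-2026-31431"]},
    {"asset": "cpanel-shared-03", "open_cves": ["CVE-2026-41940"]},
    {"asset": "cpanel-shared-04", "open_cves": []},
    {"asset": "golden-ami-2026.04", "open_cves": ["CVE-2026-31431", "CVE-0000-00000"]},
]


def kev_worklist(kev: dict, inventory: list[dict], today_iso: str) -> list[dict]:
    """Return exposed (asset, CVE) pairs, most urgent first: ransomware-linked
    KEV entries, then the fewest days left until the KEV due date."""
    today = date.fromisoformat(today_iso)
    by_cve = {v["cveID"]: v for v in kev["vulnerabilities"]}
    rows = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = by_cve.get(cve)
            if entry is None:
                continue  # open but not in KEV: falls under the normal patch SLA
            due = date.fromisoformat(entry["dueDate"])
            rows.append({"asset": asset["asset"], "cve": cve,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "days_left": (due - today).days})
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return rows


if __name__ == "__main__":
    for r in kev_worklist(KEV_EXCERPT, INVENTORY, "2026-05-01"):
        flag = "  RANSOMWARE" if r["ransomware"] else ""
        print(f"{r['asset']:20} {r['cve']}  due in {r['days_left']:>3}d{flag}")
```

A negative days_left marks an asset already past its KEV deadline; feeding the live feed and a real scanner export into `kev_worklist` gives the same ordering for the whole estate.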
Sources
- Dark Reading — BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures (2026-04-28): https://www.darkreading.com/cyberattacks-data-breaches/bluenoroff-turns-victims-into-new-attack-lures
- Dark Reading — 76% of All Crypto Stolen in 2026 Is Now in North Korea (2026-05-01): https://www.darkreading.com/cybersecurity-analytics/crypto-stolen-2026-north-korea
- Dark Reading — UNC6692 Combines Social Engineering, Malware, Cloud Abuse (2026-04-27): https://www.darkreading.com/cloud-security/unc6692-social-engineering-malware-cloud-abuse
- Dark Reading — Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error (2026-04-29): https://www.darkreading.com/threat-intelligence/vect-ransomware-wiper-design-error
- Dark Reading — Feuding Ransomware Groups Leak Each Other's Data (2026-04-28): https://www.darkreading.com/threat-intelligence/feuding-ransomware-groups-leak-data
- Dark Reading — AI Finds 38 Security Flaws in Electronic Health Record Platform (2026-04-29): https://www.darkreading.com/vulnerabilities-threats/ai-finds-38-security-flaws-openemr
- Check Point Research — VECT: Ransomware by design, Wiper by accident (2026-04-28): https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
- Microsoft Threat Intel — CVE-2026-31431: Copy Fail vulnerability (2026-05-01): https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
- Microsoft Threat Intel — Email threat landscape: Q1 2026 trends and insights (2026-04-30): https://www.microsoft.com/en-us/security/blog/2026/04/30/email-threat-landscape-q1-2026-trends-and-insights/
- Sophos — PoC exploit for Linux 'Copy Fail' (CVE-2026-31431) (2026-05-01): https://www.sophos.com/en-us/blog/proof-of-concept-exploit-available-for-linux-copy-fail-cve-2026-31431
- CISA — KEV addition: CVE-2026-31431 (2026-05-01): https://www.cisa.gov/news-events/alerts/2026/05/01/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA — KEV addition: CVE-2026-41940 (cPanel) (2026-04-30): https://www.cisa.gov/news-events/alerts/2026/04/30/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA — Adapting Zero Trust Principles to Operational Technology (2026-04-29): https://www.cisa.gov/resources-tools/resources/adapting-zero-trust-principles-operational-technology
- CISA — Careful Adoption of Agentic AI Services (2026-05-01): https://www.cisa.gov/resources-tools/resources/careful-adoption-agentic-ai-services
- BleepingComputer — Critical cPanel flaw mass-exploited in 'Sorry' ransomware attacks (2026-05-02): https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
- BleepingComputer — New Bluekit phishing service (2026-04-30): https://www.bleepingcomputer.com/news/security/new-bluekit-phishing-service-includes-an-ai-assistant-40-templates/
- The Record — Federal agencies must patch cPanel bug by Sunday (2026-05-01): https://therecord.media/cisa-orders-federal-agencies-to-patch-cpanel-bug
- The Record — Cyber spies target Russian aviation firms (2026-05-01): https://therecord.media/russia-cyber-espionage-aviation
- Recorded Future — Lazarus Doesn't Need AGI (2026-04-28): https://www.recordedfuture.com/blog/lazarus-does-not-need-agi
- Huntress — ClickFix Removes Your Background but Leaves the Malware (2026-04-30): https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
- Unit 42 — High-Risk Gen-AI Browser Extensions (2026-04-30): https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/
- Unit 42 — The npm Threat Landscape (Updated May 1) (2026-05-02): https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
- UK NCSC — Preparing for a 'vulnerability patch wave' (2026-05-01): https://www.ncsc.gov.uk/blogs/prepare-for-vulnerability-patch-wave