Reading view

Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency

By Saher Naumaan, Carlos Rubio, and the Proofpoint Threat Research Team Key Findings Between April and May 2026, Proofpoint Threat Research observed a likely North Korean threat actor conducting phishing campaigns using developer role recruitment or code review themes to targets in close to 100 organizations in finance, cryptocurrency, education, technology, and several other sectors. Proofpoint clusters this activity under the name UNK_DeadDrop. The infection chain begins with emails containing links to actor-controlled GitHub repositories hosting malicious scripts that result in the execution of cross-platform malware for macOS, Linux, and Windows, including an open-source Go framework named Overlord. The campaigns abused Visual Studio Code workflows and deployed a stealthy new technique using malicious Visual Studio Extensions (VSIX) that requires minimal user interaction. The activity has similarities to another North Korean group called Contagious Interview; however, there is no direct overlap in Proofpoint telemetry so Proofpoint Threat Research tracks this activity as a distinct cluster. Overview Since at least 2022, North Korea-aligned threat actors have made a concerted effort not only to target cryptocurrency and decentralized finance organizations, but specifically to target developers using fake recruiter personas, malicious npm/PyPI packages (TraderTraitor / Jade Sleet), and trojanized cryptocurrency trading applications (AppleJeus / Citrine Sleet). These often masquerade as technical assessments or coding challenges and use techniques such as ClickFix or abusing Visual Studio Code’s features to execute malware. Approaches often occur over LinkedIn, Slack, Telegram, or in a multi-platform manner, with a consistent aim of targeting developer assets such as API tokens, cryptocurrency wallets, and credentials. In April and May 2026, Proofpoint Threat Research observed a new, large wave of this type of activity distinct from known DPRK operations (also recently reported by independent researcher Denys Vitali). Proofpoint tracks this new cluster as UNK_DeadDrop, a very likely North Korea-aligned group that uses broad phishing to target developers. Figure 1. Distribution of UNK_DeadDrop targeting across sector and geography. Over a six-week period, the attackers sent over 250 emails to individuals in almost 100 organizations across several sectors, primarily technology, education, business services, and financial services, specifically organizations in the cryptocurrency industry. Most targeted organizations were in the US, but the distribution of targeted geographies was global. Infection chain The emails contained links to GitHub repositories masquerading as technical assignments or cryptocurrency-related projects. The instructions encouraged the target to clone the repository and open it in an editor such as VS Code or Cursor. A pre-configured task executes silently when the user opens the repository folder in the IDE, triggering platform-specific loaders that decode embedded payloads on Linux, macOS, and Windows. The loader installs a malicious VS Code extension (VSIX) masquerading as a legitimate Google service. The payloads communicate with a hardcoded C&C server, enabling remote command execution, system reconnaissance, followed by exfiltration of browser wallet extensions, decrypted credentials, and desktop wallets. The infection chain finishes by deleting malicious payloads and directories from the cloned repository in an effort to clean up forensic artifacts, while maintaining persistence through the VSIX extension. Lures UNK_DeadDrop activity in late April and early May 2026 masqueraded as companies from various sectors seeking to recruit for software developer roles. The spoofed companies included: Ondo Finance: a decentralized finance (DeFi) platform Empower Pharmacy: a pharmaceutical company NXLog: a log collection and centralization tool OnePlan: a strategic portfolio and work management platform Hypen Connect: a Web3 & AI Talent Agency Valon: a mortgage service provider Nourish: a telehealth company The emails used attacker-owned sender domains and approached targets with job opportunities for “Full-Stack Engineer” or “Agent Lead Developer” positions. Figure 2: UNK_DeadDrop emails containing job offers for developer roles. The emails provided instructions on how to complete a technical assignment that was part of the job application process. The URLs led to attacker-controlled GitHub repositories hosting take-home assessments and coding challenges. Campaigns observed later in May 2026 changed their approach to targets with requests for peer review on open-source projects. The attackers masqueraded as cryptocurrency trading or prediction companies, such as Pulsynk and Trixauvex, to send requests for developer code reviews with the option of a job offer based on the fixes. Figure 3. UNK_DeadDrop emails requesting code reviews. In late May, another UNK_DeadDrop campaign targeted finance and technology organizations requesting targets to test an ERC-4626 vault in Foundry, a toolkit for Ethereum and smart contract development. Figure 4. UNK_DeadDrop emails requesting testing on Foundry tool. The most recently observed iteration of UNK_DeadDrop campaigns used a project for building AI agent-based systems with payment capabilities, similarly including skill requirements and a potential job offer. Figure 5. UNK_DeadDrop emails offering a role building an AI payments project. Analysis of 10 repositories, all hosted by different GitHub accounts, showed four thematic categories: cryptocurrency platforms, exploit archives, Foundry testing, and AI payments. Repo Name GitHub Account Theme Description First Commit Date Repository URL pulsynk Pulsynk Crypto Prediction AI-powered cryptocurrency price prediction platform May 10, 2026 hxxps://github[.]com/Pulsynk/pulsynk trixauvex Trixauvex-org Crypto Trading Cryptocurrency trading engine and analytics platform May 16, 2026 hxxps://github[.]com/Trixauvex-org/trixauvex rekt-db PedrinPY Exploit Archive Cross-chain blockchain exploit archive with runnable PoCs May 19, 2026 hxxps://github[.]com/PedrinPY/rekt-db rekt-db wayout4u Exploit Archive Cross-chain blockchain exploit archive with runnable PoCs May 21, 2026 hxxps://github[.]com/wayout4u/rekt-db rekt-db Stomp47 Exploit Archive Cross-chain blockchain exploit archive with runnable PoCs May 25, 2026 hxxps://github[.]com/Stomp47/rekt-db forge-4626-invariants sr-werney Foundry Testing Drop-in Foundry invariant tests for ERC-4626 vaults May 20, 2026 hxxps://github[.]com/sr-werney/forge-4626-invariants forge-4626-invariants ziobiri Foundry Testing Drop-in Foundry invariant tests for ERC-4626 vaults May 27, 2026 hxxps://github[.]com/ziobiri/forge-4626-invariants forge-4626-invariants mireles343 Foundry Testing Drop-in Foundry invariant tests for ERC-4626 vaults May 26, 2026 hxxps://github[.]com/mireles343/forge-4626-invariants x402-kit skyjum AI Payments HTTP 402 micropayments for AI agents - EVM, Solana, Lightning adapters May 25, 2026 hxxps://github[.]com/skyjum/x402-kit x402-kit rkama411 AI payments HTTP 402 micropayments for AI agents - EVM, Solana, Lightning adapters May 27, 2026 hxxps://github[.]com/rkama411/x402-kit Figure 6. UNK_DeadDrop GitHub repositories and descriptions. The attackers presented Pulsynk and Trixauvex as AI-powered crypto prediction and trading platforms with professional Python project structures, while rekt-db masqueraded as a security research archive with reproducible proof-of-concepts for real high-profile exploits such as Bybit ($1.46B), Wormhole ($325M), and Radiant Capital ($50M). The forge-4626-invariants repository was centered around drop-in Foundry invariant tests for ERC-4626 tokenized vaults. The newest variation, x402-kit, focused on HTTP 402 micropayment infrastructure with multi-chain adapters for EVM, Solana, and Lightning networks. The malicious repositories appeared legitimate, masquerading as open-source projects targeting specific developer niches within the cryptocurrency and blockchain ecosystem: security researchers, DeFi developers, and AI engineers. They had technical credibility, containing realistic directory structures, working npm/forge scripts, and references to real standards and frameworks. Across 10 repositories analyzed, there were roughly six builds containing only minor changes such as binary recompilations, altered naming conventions, and bug fixes. This suggests that the operators are continuing active development. Delivery The emails all contained GitHub or GitLab URLs with instructions to clone the repository and open it in a code editor such as VS Code or Cursor.   Figure 7. Sample attacker-controlled GitHub repository. Inside the hidden vscode folder, there is a file called tasks.json that will execute either a shell script or .cmd file, buried in the src/ folder, when the repository is opened in Cursor or VS Code. This infection chain abuses the IDEs’ task automation as well as VSIX extensions to facilitate further execution, as well as achieve persistence on macOS and Linux devices. Execution The hidden tasks.json file defines a task with runOptions.runOn: "folderOpen", a VS Code feature that executes the task automatically when the folder is opened in the editor. Figure 8. tasks.json file that is run when .vscode folder is opened. The task definition specifies the platform-specific commands that will be executed when the task runs: Linux/macOS: /bin/bash vendor/run-update[.]sh Windows: wscript[.]exe //B //Nologo vendor/run-update-hidden-launch.vbs VS Code requires user interaction before any task can run; additionally, if automatic task execution has never been accepted before, a second prompt is shown. Figure 9. VS Code trust prompt when running malicious repository. By contrast, Cursor does not show any trust dialog. Opening a folder with tasks.json containing runOn: "folderOpen" in Cursor results in immediate silent execution with zero user interaction. The launcher scripts install the VSIX extension to the editor. Every time the user opens VS Code or Cursor on macOS or Linux, the VSIX extension activates, checks whether the subsequent infection portions are already running, and re-launches them if not. On Windows, this persistence mechanism does not apply. The pipeline executes once and terminates; the VSIX remains installed but does not re-execute on subsequent editor starts. Once the task is executed, the infection chain diverges by platform. The Linux and macOS chains use a native Go binary that connects to the C&C as a persistent RAT, while Windows runs a Node.js pipeline entirely inside the editor's Electron process. Both paths share the same C&C infrastructure and exfiltration endpoints but differ significantly in their architecture and capabilities. Linux/macOS infection chain The Linux and macOS infection chains use native Go binaries derived from the open-source Overlord C&C framework (github[.]com/vxaboveground/Overlord). Unlike the Windows pipeline (which performs a single stealer operation), these binaries function as full RATs with persistent WebSocket connectivity. Binary Platform google-update-support-linux-amd64 Linux AMD64 google-update-support-darwin-amd64 macOS Intel google-update-support-darwin-arm64 macOS Apple Silicon Figure 10. Binaries built for respective platforms. The threat actor added three custom modules: browserlogin (Chrome and Firefox credential theft), companywallet (crypto wallet stealer with 2-phase ZIP+upload exfiltration), and cleanup (anti-forensic removal of workspace artifacts). The initial launcher (run-update.sh) is a bash script with an embedded Base64-encoded payload. When executed, it installs the VSIX extension in all available editors (Cursor, VS Code, VSCodium), resolves the correct Go binary for the platform, removes macOS quarantine, and launches Overlord fully detached. It also schedules cleanup of vendor/ and .vscode/ via a background subshell that survives editor shutdown. Figure 11. run-update.sh (Base64-decoded). Once Overlord is running, it immediately establishes a persistent WebSocket connection to the C&C server at 23.137.105[.]75:5173. Figure 12. Overlord agent.log. macOS credential theft and exfiltration The credential theft chain then proceeds differently on each platform. Internally, the malware code divides its operation into two phases: Phase 1 (wallet data collection) and Phase 2 (credential theft + exfiltration). Overlord first collects wallet extension data, browser profile artifacts, and standalone wallet directories, packaging them into a ZIP and uploading to the C&C server. The malware waits five minutes before proceeding to credential theft. The credential theft uses a second embedded Mach-O binary named darwin-password-prompt that creates a fake system dialogue to prompt the user to enter their password: Figure 13. darwin-password-prompt app showing the fake prompt. Figure 14. Prompt for the credentials to access the keychain. The credentials are validated by the parent Overlord process. After password validation, the malware modifies Keychain ACLs for the following browsers: Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, and Chromium. Safe Storage keys are then extracted. Following credential gathering, the backdoor re-launches itself as root using the captured password. The elevated instance performs a command to dump the entire login keychain. The collected credentials, Safe Storage keys, and keychain data are then packaged as ZIP files and uploaded to the C&C via the persistent WebSocket connection. Linux credential theft and exfiltration If it is running on Linux, Overlord first collects wallet-related data (browser extension storage, standalone wallet directories) and uploads a ZIP to the C&C before attempting credential theft. After Phase 1 upload, the agent waits five minutes before proceeding to password capture. The Linux backdoor uses Zenity, a standard GTK dialog tool present on most desktop Linux distributions, to create a prompt to collect user credentials. Figure 15. Fake dialog to collect user credentials. This backdoor also attempts to read browser passwords from GNOME Keyring by spawning Python3 processes for each browser, querying chrome_libsecret_os_crypt_password_v2 and v1 schemas. If secret-tool is not installed, the agent falls back to the Python gi.repository.Secret method via D-Bus. Similar to the macOS chain, Overlord re-launches itself as root using the captured password. The elevated instance re-attempts keyring access by impersonating the original user via runuser, since the GNOME Keyring is tied to the user session and not accessible directly as root. Credentials are exported to e_p.txt and uploaded as a _pa.zip to the C&C. Windows infection chain Unlike Linux/macOS, the Windows attack does not deploy a Go binary. It runs entirely as JavaScript inside the editor's Electron process using ELECTRON_RUN_AS_NODE=1, a documented Electron feature that turns the editor into a plain Node.js interpreter. No binary is dropped to disk, the process appears as Code.exe in Task Manager, and the editor itself provides the runtime. As stated before, the VSIX extension does not create persistence in the Windows infection chain. The tasks.json file launches run-update-hidden-launch.vbs via wscript[.]exe //B (hidden window), which calls run-update[.]cmd. Figure 16. run-update.cmd script. The CMD file decodes an embedded script, which installs a VSIX extension. The script then stages three encrypted files into a staging directory and relaunches the editor with ELECTRON_RUN_AS_NODE=1 running gus-node-bootstrap.js. The three encrypted payloads are decrypted at runtime using the hardcoded AES-256-GCM key: 4f7a8c3d2e1b5f9071a6b2c8d4e3f50a92b1c7d6e8f4a30b5c2d9e1f7a6b8c4d. Encrypted file Purpose windows-js-pipeline.js.enc Runs the Node.js agent through both phases, uploads artifacts to the companywallet API, and cleans up Windows runtime files. windows-agent-node.js.enc Wallet stealer + Python setup detect_malware.py.enc DPAPI + App-Bound Encryption bypass for credential stealing Figure 17. Windows encrypted payloads in staging directory. Credential theft and exfiltration The Windows variant first conducts wallet collection and then credential theft. The wallet collection is done by scanning Chromium browser variants for items in Local State, Login Data, and Local Extension Settings/, as well as wallet-specific IndexedDB entries. It targets 35 wallet extension IDs (MetaMask, Phantom, Rabby, Keplr, and others), 18 standalone wallet applications (Exodus, Electrum, Ledger Live, Monero, Solana CLI, Bitcoin, and others), and Firefox profiles. It also enumerates all Windows user profiles via registry, not just the current user. The wallet stealer also looks for Python executables in the victim host and attempts to download Python 3.12.8 embeddable from the C&C, or falls back to system Python. If downloaded, Python is installed inside the browser's application directory (e.g., Program Files\Google\Chrome\Application\python[.]exe) to pass App-Bound Encryption's path validation. Once Python is available, the credential stealer (detect_malware.py) is executed for each browser profile. It performs: Password extraction from Chromium browsers via DPAPI + App-Bound Encryption bypass (COM Elevation Service, IElevator2) Firefox credential extraction via key4.db + logins.json Cookie theft from Chrome/Edge/Brave Five cascade methods for reading locked databases: shutil.copy2 → SQLite backup() → Win32 shared-read → Win32 backup-semantics → Volume Shadow Copy (VSS) For Chrome, Edge, and Brave, elevated privileges are required to access credentials protected by App-Bound Encryption. COM Elevation Moniker is used to elevate privileges silently. If this fails, it falls back to Start-Process -Verb RunAs, which displays the standard Windows UAC dialog. After both phases are complete, the stolen data is uploaded to the C&C server at 23.137.105[.]75:5173 via HTTP POST. Unlike the Linux/macOS agent, the Windows pipeline does not maintain a persistent connection; it uploads the ZIP files, performs cleanup, and terminates. The VSIX package.json contains a reference to a Windows binary (google-update-support-windows-amd64.dat) in its description of the windowsActivationMode setting. While this binary was not found in any of the analyzed repositories, searching VirusTotal for the developer path Yuki/dionbenu2yuki returned Windows samples named google-update-support-windows-amd64[.]exe with the same C&C server and agent token found in the Linux and macOS binaries. This implies the threat actor previously distributed a Windows Go binary (Overlord RAT) but replaced it with the Node.js and Python pipeline in the current campaign, likely to avoid detection. The references to the DAT/EXE binary in the scripts are legacy code that is no longer executed. Infrastructure UNK_DeadDrop campaigns spanned April and May 2026 with related infrastructure created in the same timeframe and emails sent within days of domain registrations. Figure 18. UNK_DeadDrop domain registration timeline (April-May 2026). Most domains were registered using Namecheap, and set MailHostBox mailservers. The domains used slight name variations of fake companies used for recruiting in phishing emails. Some domains used to send phishing emails were also hosting unfinished, likely AI-generated websites to market the projects. These were hosted on Vercel Inc. rather than Namecheap infrastructure. Figure 19. Fake company websites hosted at trixauvexnet[.]ink, trixauvex[.]org, and pulsnyk[.]org. A small subset of domains, including nemesis[.]work, used Advin Services LLC IPs for hosting, which are likely attacker-controlled boxes that were also used as sender IPs in early UNK_DeadDrop campaigns: 170.205.29[.]83 and 170.205.30[.]227. In May, the attackers transitioned to using Mailgun and MailHostBox as email sender services. Figure 20. Fake company website spoofing NEMESIS, a decentralized finance protocol, hosted at nemesis[.]work. Attribution UNK_DeadDrop activity shares several characteristics with previously documented North-Korea-aligned operations, specifically Contagious Interview activity reported by OpenSourceMalware, Microsoft, and JAMF. The campaigns broadly overlap in developer targeting, cryptocurrency and credential theft, GitHub delivery, VS Code workflow abuse, and cross-platform targeting.   UNK_DeadDrop Contagious Interview Targeting Software developers, security researchers, AI engineers in cryptocurrency Developers in cryptocurrency and AI Target platforms macOS, Windows, Linux macOS, Windows, Linux Initial access Phishing over email Phishing over social media Lures Job recruitment, code reviews Job recruitment Delivery GitHub, GitLab GitHub, GitLab, BitBucket Repositories Professional structure, legitimate references, industrialized creation, iterative builds, consistent obfuscation Possibly AI-assisted generation, less polished code, tutorial comments, emoji logging Installation VS Code tasks.json auto-execution abuse (silent) VS Code tasks.json npm installation abuse (visible) Execution Malicious VSIX extension and self-contained payloads Remote fetch from Vercel or external hosting Payload Overlord (Go binaries) OtterCookie (JavaScript), Invisible Ferret (Python), FlexibleFerret (Go/Python) C&C protocol WebSocket Secure (WSS) HTTP/HTTPS Exfiltration Cryptocurrency wallets, browser credentials, system keychains Cryptocurrency wallets, API tokens, credentials, source code, password managers Anti-forensics Removes payload and malicious artifacts from directories Self-cleanup capability Figure 20. Comparison of UNK_DeadDrop and Contagious Interview campaigns and TTPs. However, there are several differences between the activity sets, such as the shift in social engineering from arranging fake interviews to unsolicited job offer or code review approaches as well as the move from delivery platforms such as LinkedIn to email. UNK_DeadDrop campaigns use the Overlord framework as a payload instead of custom malware, and it is contained within the repository rather than hosted remotely. The VS Code auto-execution approach exploits trust in standard developer workflows similar to malicious npm packages and previous VS code abuse, but requires less user interaction, executes silently without output, and doesn’t rely on external infrastructure that can be taken down. It is possible, or even likely, that the overlaps between UNK_DeadDrop and Contagious Interview demonstrate an operational evolution to include more mature techniques rather than distinct but related groups. However, based on the use of email for initial access, the high volume of emails, industrialization and scale of repository creation, a new self-contained payload, and distinct infrastructure from previous Proofpoint observations of Contagious Interview campaigns, Proofpoint Threat Research continues to track UNK_DeadDrop activity as an independent cluster. Conclusion UNK_DeadDrop activity suggests North Korea-aligned operations targeting developers for financial gain are maturing and evolving. The shift from active social engineering over social media platforms to conduct fake interviews to large campaigns of recruitment-themed phishing emails distributing links to malicious repositories could indicate an actor industrializing and scaling operations. The consistent creation of new GitHub repositories as well as a new malware framework with iterative builds and a stealthy new execution and persistence technique through VSIX extensions demonstrates dedicated resourcing and active development of tooling. The attackers have likely also adapted by embedding payloads rather than hosting them externally, potentially increasing operational resilience and avoiding the effects of infrastructure takedowns. UNK_DeadDrop bears many similarities to Contagious Interview activity and may be an improved and more professional iteration of previous operations as attackers adapt to defenders and adopt new techniques. However, the TTP and infection chain differences could also suggest another actor leveraging previously disclosed techniques or a subgroup incorporating various types of tradecraft into one operation. While attribution to a known actor remains unconfirmed, Proofpoint continues to track this ongoing activity as an independent cluster. Indicators Indicator Type Description First Seen alex@contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 alex@mailpredicttogether[.]ink Email address Attacker-controlled email address May 2026 alex@predicttocareer[.]space Email address Attacker-controlled email address May 2026 alex@pulsynk[.]org Email address Attacker-controlled email address May 2026 alex@trixauvexnet[.]ink Email address Attacker-controlled email address May 2026 alexsnow@hr.onoplanoai[.]ink] Email address Attacker-controlled email address May 2026 alexsnow@hr.predicttocareer[.]space Email address Attacker-controlled email address May 2026 alexstone@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 carissae@hr.mailpulsynk[.]xyz Email address Attacker-controlled email address May 2026 christopher@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 chrisyan@hr.pulsynk[.]org Email address Attacker-controlled email address May 2026 emmaparker@hr.recruitvex[.]us Email address Attacker-controlled email address May 2026 faithtedesco@hr.mailtrixauvex[.]ink Email address Attacker-controlled email address May 2026 frankbloch@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 jamesrock@hr.trixauvexnet[.]ink Email address Attacker-controlled email address May 2026 jamierain@hr.contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 jamierain@hr.onoplanoai[.]ink Email address Attacker-controlled email address May 2026 jamiereed@hr.mailpredicttogether[.]ink Email address Attacker-controlled email address May 2026 jamiereed@hr.predicttocareer[.]space Email address Attacker-controlled email address May 2026 joshn@hr.recruitvex[.]us Email address Attacker-controlled email address May 2026 justinstone@hr.trixauvex[.]org Email address Attacker-controlled email address May 2026 nicoupdyke@hr.trixauvexnet[.]ink Email address Attacker-controlled email address May 2026 oliviaben@hr.pulsynk[.]org Email address Attacker-controlled email address May 2026 sam@hr.pulsynk[.]org Email address Attacker-controlled email address May 2026 samalt@hr.contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 samalt@hr.onoplanoai[.]ink Email address Attacker-controlled email address May 2026 samalt@hr.predicttocareer[.]space Email address Attacker-controlled email address May 2026 shelbysturm@hr.mailtrixauvex[.]ink Email address Attacker-controlled email address May 2026 sophiareed@hr.contacttrixauvex[.]ink Email address Attacker-controlled email address May 2026 sophiareed@hr.onoplanoai[.]ink Email address Attacker-controlled email address May 2026 taylorzhang@hr.pulsynk[.]org] Email address Attacker-controlled email address May 2026 dalbir@empowerpharmacy[.]space Email address Attacker-controlled email address April 2026 dianaberendi@nxlog[.]tech Email address Attacker-controlled email address April 2026 gusb@ondofinance[.]tech Email address Attacker-controlled email address April 2026 jasen@empowerpharmacy[.]space Email address Attacker-controlled email address April 2026 joshc@ondofinance[.]tech Email address Attacker-controlled email address April 2026 jovanav@nxlog[.]tech Email address Attacker-controlled email address April 2026 michaelw@ondofinance[.]tech Email address Attacker-controlled email address April 2026 neila@ondofinance[.]tech Email address Attacker-controlled email address April 2026 oladotuna@ondofinance[.]tech Email address Attacker-controlled email address April 2026 sarikasinha@nxlog[.]tech Email address Attacker-controlled email address April 2026 sladjanas@nxlog[.]tech Email address Attacker-controlled email address April 2026 valerie@empowerpharmacy[.]space Email address Attacker-controlled email address April 2026 vanjamirkovic@nxlog[.]tech Email address Attacker-controlled email address April 2026 nemesistrade[.]work Domain Related infrastructure May 2026 ceronet[.]work Domain Related infrastructure May 2026 deep-ai-guard[.]store Domain Related infrastructure May 2026 ceronetwork[.]org Domain Related infrastructure May 2026 culyrax[.]us Domain Related infrastructure May 2026 elsavora[.]us Domain Related infrastructure May 2026 optixauvex[.]us Domain Related infrastructure May 2026 recruitvex[.]us Domain Sender domain May 2026 talentnexhr[.]ink Domain Related infrastructure May 2026 onoplanoai[.]ink Domain Sender domain May 2026 trixauvexnet[.]ink Domain Sender domain May 2026 recruitptogether[.]xyz Domain Related infrastructure May 2026 contactpredicttogether[.]ink Domain Related infrastructure May 2026 connectptogether[.]ink Domain Related infrastructure May 2026 notifypulsynk[.]ink Domain Related infrastructure May 2026 contactpulsynk[.]ink Domain Related infrastructure May 2026 contacttrixauvex[.]ink Domain Sender domain May 2026 trixauvex[.]org Domain Sender domain May 2026 careertrixauvex[.]ink Domain Related infrastructure May 2026 cotrixauvex[.]ink Domain Related infrastructure May 2026 pulsynk[.]org Domain Sender domain May 2026 mailtrixauvex[.]ink Domain Sender domain May 2026 teampulsynk[.]team Domain Related infrastructure May 2026 careerpulsynk[.]xyz Domain Related infrastructure May 2026 mailpulsynk[.]xyz Domain Sender domain May 2026 mailpredicttogether[.]ink Domain Sender domain May 2026 predicttogetherrecruit[.]store Domain Related infrastructure May 2026 predicttogerecruit[.]store Domain Related infrastructure May 2026 predicttogether[.]ink Domain Related infrastructure May 2026 careerpredictto[.]space Domain Related infrastructure May 2026 togetherhire[.]fun Domain Related infrastructure May 2026 predictcareertogether[.]space Domain Related infrastructure May 2026 predicttocareer[.]space Domain Sender domain May 2026 nowurisch[.]fit Domain Sender domain May 2026 hyperdevpipline[.]org Domain Sender domain May 2026 asteara[.]org Domain Related infrastructure April 2026 doxxela[.]ink Domain Related infrastructure April 2026 coslyintra[.]online Domain Related infrastructure April 2026 valorecuiting[.]online Domain Sender domain April 2026 onoplainai[.]ink Domain Related infrastructure April 2026 raxvatange[.]ink Domain Related infrastructure April 2026 alphanonega[.]org Domain Related infrastructure April 2026 domatisc[.]ink Domain Related infrastructure April 2026 migadyn[.]info Domain Sender domain April 2026 empowerpharmacy[.]space Domain Sender domain April 2026 nxlog[.]tech Domain Sender domain April 2026 ondofinance[.]tech Domain Sender domain April 2026 170.205.29[.]83 IP address Sender IP April 2026 170.205.30[.]227 IP address Sender IP April 2026 hxxps://github[.]com/Pulsynk/pulsynk URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/Trixauvex-org/trixauvex URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/PedrinPY/rekt-db URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/sr-werney/forge-4626invariants URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/wayout4u/rekt-db URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/ziobiri/forge-4626-invariants URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/skyjum/x402-kit URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/Stomp47/rekt-db URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/mireles343/forge-4626invariants URL Attacker-controlled GitHub repository May 2026 hxxps://gitlab[.]com/pulsynk-org/rekt-db.git URL Attacker-controlled GitHub repository May 2026 hxxps://gitlab[.]com/trixauvex-org/x402-kit.git URL Attacker-controlled GitHub repository May 2026 hxxps://gitlab[.]com/predict-together/forge-4626invariants.git URL Attacker-controlled GitHub repository May 2026 hxxps://github[.]com/rkama411/x402-kit URL Attacker-controlled GitHub repository May 2026 23.137.105[.]75 IP address C&C IP May 2026 35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e SHA256 settings.json May 2026 c935808147f0236c81483d7bbeda4b9d602f3595d5d4057f8115d39e222d1c4b SHA256 tasks.json May 2026 4c0d9b802c075be79e9edb52d88f8dd72e6904f5c58267213745818470945c78 SHA256 run-update-hidden-launch.vbs May 2026 62761f38ed194c59abe15c49f09f0ebc431ac852c965180c9327ed84d3a454fb SHA256 run-update.cmd May 2026 d3ebce2f05fe91a8260e87fd11a6ea17c156703d081b3f91d9bbe5fd6aeedc10 SHA256 gus-node-bootstrap.js May 2026 91b9381d19b2e6a2db5cc0307167979b502731cb3fb50da684479e9ed35261aa SHA256 windows-agent-node.js.enc May 2026 6cf9f7b2aa456a0b438600588df869b38d8007e28f01fa96022f9d8059f120b0 SHA256 windows-js-pipeline.js.enc May 2026 2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f SHA256 detect_malware.py.enc May 2026 52886aab179f26421678ff23af1b0fabf0a17ffbb534369cdbbac8008cbed8e7 SHA256 google-update-support.vsix May 2026 d5e9288693aa745dc89368deac677e7ea1ec81e663283af30838cdae189b7a7e SHA256 extension.js May 2026 734699773e53d995f20d485eb61261033d9d00b4332b39ca26071bcd60cd352f SHA256 run-update.sh May 2026 e1bf1b29e6fa3525d7f32f429290a88d6ea2890e61c06574b8ff6372aa5d0667 SHA256 google-update-support-agent.zip May 2026 a2b9a769df84d9d3a4694bb0252a2c6a5e5f5d1a85a04565362737092bbb3a86 SHA256 google-update-support-linux-amd64 May 2026 bb10adac5b0124efedfe71102c1d5638135ec9e1cde8c8cb3353c5ed91bb9f81 SHA256 google-update-support-darwin-amd64 May 2026 339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943 SHA256 google-update-support-darwin-arm64 May 2026 808e7154b7af2bc7a4b28d577297c55f77221c355191cbe00f9f1810b6d4a619 SHA256 darwin-password-prompt May 2026
  •  

TA4922: The Suspected Chinese Crime Group is Going Global

Key Findings:  TA4922 is a highly sophisticated threat actor demonstrating a rapid operational tempo and continually evolving malware arsenal.  The group has been observed using multiple malware families including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0), among others.  TA4922 relies on localized lures often themed around HR, payroll, tax, and invoicing to convince targets across multiple regions. In recent months, the actor’s activity has spread to more countries globally, including in Europe and Africa.  The actor combines malicious activity with legitimate tools, trusted software, and cloud hosting services, making detection and defense more challenging.  Overview  The Chinese-speaking cybercriminal ecosystem has grown dramatically in recent years. Many of the threats observed in the landscape are descendants of malware first used by Chinese espionage threat actors, namely Gh0stRAT and related payloads, and frequently targeted Chinese-speaking users. But as Chinese-speaking cybercriminals develop better capabilities in malware, social engineering, and global targeting, their footprint is expanding, and more actor clusters are emerging. In this report, we’ll dive into TA4922, a newly designated Chinese-speaking threat actor largely targeting East Asia.   This actor is unique due to its wide variety of lure themes, targeting, and objectives. TA4922 distributes malware, credential phishing, and attempts fraud like credit card theft. Cybercriminals will sometimes display multiple objectives (using credential phishing to enable fraud, for example), but TA4922’s consistency with disparate campaigns, payloads, and goals makes it one of the most unique actors tracked by Proofpoint.   TA4922 activity shows overlap in tooling, infrastructure, and social engineering themes with activity reported by other researchers as Silver Fox or Void Arachne. While those clusters are sometimes characterized as espionage oriented, Proofpoint assesses that the campaigns attributed to TA4922 align more closely with cybercriminal objectives despite the actor’s advanced tradecraft. The activities described in this report do not overlap one to one with Silver Fox/Void Arachne, and Proofpoint tracks this actor as a distinct threat cluster.   Beginning in spring 2025, Proofpoint tracked malicious email campaigns associated with TA4922. Based on Proofpoint’s analysis of the emails, targeting, and payloads, the actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain such as data theft, fraud, access resale, or persistent access.  In March and April 2026, Proofpoint identified a series of campaigns that demonstrate TA4922’s evolution in malware tooling. The actor’s operational tempo increased dramatically in March and into April 2026. Across these observed campaigns, the actor relied on mostly human resources and business themed lures in attempts to deliver credential phishing, fraud, and malware payloads including the newly identified Atlas RAT. Campaigns also leveraged new loader families Proofpoint designated as RomulusLoader and SilentRunLoader. RomulusLoader is used to stage additional tooling including legitimate remote management software (RMM) such as AnyDesk and SyncFuture. The diverse payloads observed in recent months is a significant change in the actor’s tactics, techniques, and procedures (TTPs).   This report focuses on the newly identified payloads and related notable campaigns.  Actor Details  TA4922 relies on social engineering to convince recipients to click malicious links, download payloads hosted on third party services, steal credentials, or direct communications from email to messaging applications. The actor has been historically associated with malware families including Winos4.0 (sometimes referred to as ValleyRAT) and HoldingHands. The actor increased its malware arsenal in recent months, which we describe below.   Campaigns are typically small to medium in size, ranging from a few hundred to a few thousand, and the messages are tailored to specific regions or business functions. Campaigns mostly target organizations in Japan, with additional targeting in Asia including Taiwan, Korea, Singapore, and India. In recent months, the actor expanded global targeting to include European organizations in the U.K., Germany, Italy, and South Africa.  Figure 1: Targeted country assessment.  In addition to malware delivery, TA4922 has conducted credential phishing and imposter campaigns that attempt to shift interactions out of email and into out-of-band communication channels. These messages impersonate trusted authorities or internal contacts and request that recipients continue conversations via messaging platforms such as LINE, WhatsApp, or Microsoft Teams. Once communication moves to those platforms, the actor is better positioned to extend social engineering, harvest contact information, or deliver malware beyond traditional email security visibility.    Figure 2: Social engineering email instructing recipients to create a new LINE messaging group.  Figure 3: Variation in campaign objectives, January – May 2026.  Proofpoint assesses that TA4922 is likely based in East Asia and is Chinese speaking. Chinese language metadata in malware samples, frequent use of infrastructure tied to Chinese providers and overlap with the Silver Fox and Void Arachne ecosystem help support this assessment.   Geographic targeting is highly regionalized. TA4922 most frequently targets organizations in Japan, Taiwan, India, Malaysia, Singapore, Indonesia, and occasionally European countries such as Germany and the United Kingdom. Lures commonly impersonate tax authorities, finance departments, or human resources teams and are written to closely match local language norms.  Campaign Details  To better understand the diverse nature of targeting, lure themes, and payloads, we’re highlighting a handful of recently observed campaigns from TA4922. These campaigns represent a small part of the actor’s overall activity but are illustrative of typical behaviors from this group. The new malware also shows that while the group’s techniques remain relatively consistent, their payloads can change rapidly between campaigns.  Atlas RAT Campaign 1  On 6 March 2026, Proofpoint observed a TA4922 campaign targeting organizations in Japan using human resources themed messages. The emails were designed to resemble internal HR notifications and claimed to inform recipients of personnel-related changes and compensation.  Email Body Translation:  The language is formal and intentionally vague. It avoids specific figures while creating urgency around compensation which is a tactic to increase the chances of the recipient acting quickly without verifying the message.  The email contained a GoFile URL linking to a ZIP file, “【給与調整のお知らせ】.zip” which translates to [Notice of salary adjustment]. zip. The ZIP contained an executable along with a malicious DLL. Upon execution, the Atlas RAT payload is installed via DLL sideloading which is configured to communicate with IP 206[.]238[.]115[.]58 over TCP port 886.  Figure 4: HR-themed salary adjustment email lure used in the March 2026 campaign.  Atlas RAT Campaign 2  On 2 April 2026, Proofpoint identified a second TA4922 campaign leading to Atlas RAT against targets in the United Kingdom and Germany. The social engineering and delivery infrastructure were mostly unchanged from the March activity.  Emails in this campaign again impersonated internal human resources communications and instructed recipients to review routine paperwork. In some cases, the messages suggested that documents required confirmation or acknowledgment.   The URLs led to ZIP files hosted on GoFile with filenames such as “Paperwork.zip” and “HR (2).zip”. They contained an executable with a malicious DLL file, libcef.dll. Execution triggered DLL sideloading and resulted in the deployment of Atlas RAT, configured to communicate to C2 IP 154[.]211[.]86[.]110 over TCP port 886.  Figure 5: HR themed email lures in April 2026.  Atlas RAT Campaign 3  On 7 April 2026, Proofpoint observed a third TA4922 campaign that introduced a different lure theme while maintaining familiar delivery techniques. Unlike the prior HR-themed activity, this campaign appeared to impersonate customer service communications related to invoicing. The emails claimed to deliver an electronic invoice in PDF format.  Email Body Translation:  The email attachment was a ZIP archive named “電子請求書発行のお知らせ.zip”, which contained a compressed IMG file. When mounted, the IMG file included an executable that relied on DLL sideloading to install Atlas RAT. Once executed, the payload established C2 communication with the same infrastructure observed in prior campaign, IP 154[.]211[.]86[.]110 over TCP port 886.  Figure 6: Electronic invoicing email lure delivering Atlas RAT via compressed IMG attachment.  RomulusLoader Campaign 1 – Initial activity   On 23 March 2026, Proofpoint observed TA4922 campaigns that marked the first identified use of a new loader family Proofpoint named RomulusLoader. The emails primarily targeted organizations in Japan and used corporate and human resources–themed lures.  The messages impersonated internal company communications and urged recipients to review business documents. URLs embedded in the email body redirected users to file sharing services (LimeWire) where a ZIP archive was hosted.  Email Body Translation:  The archive contained an executable paired with a malicious DLL. Upon execution, the payload leveraged DLL sideloading to install RomulusLoader. The loader subsequently attempted to retrieve and execute additional payloads, although the final stage was not identified during initial analysis. Observed network traffic showed communications with C2 infrastructure at 43[.]156[.]77[.]97 over TCP port 1234.  Figure 7: Corporate/HR-themed lure with LimeWire URL.  Figure 8: LimeWire hosting RomulusLoader payload.  RomulusLoader Campaign 2 – RMMs  Remote Monitoring and Management (RMM) payloads are very popular across the cybercriminal threat landscape currently, in part because abusing legitimate services can enable threat actors to “hide” in networks masquerading as authentically used software. However, Proofpoint typically observes threat actors deliver an RMM as a first-stage payload for initial access, then will drop follow-on payloads (like more RMMs or malware) once they’ve gained a foothold. TA4922 switches things up, using the newly identified RomulusLoader as a first stage to drop RMMs.  In mid‑April 2026, Proofpoint identified multiple TA4922 campaigns that leveraged RomulusLoader to deploy legitimate RMM software, AnyDesk and the Chinese RMM SyncFuture.  The emails used business and tax‑related themes which targeted organizations in Japan and Germany. Similar to the prior campaign, emails contained embedded URLs which led to ZIP archives containing an executable and a malicious DLL. Execution triggered DLL sideloading, resulting in the installation of RomulusLoader.  Following initial execution, RomulusLoader retrieved an additional component that installed RMM software, either SyncFuture or AnyDesk. First‑stage infrastructure in these campaigns overlapped, leveraging IP address 103[.]214[.]172[.]33 to host the subsequent payload.   Notably, TA4922 was last observed deploying SyncFuture in a campaign in December 2025 with subsequent activity shifting away from its use. However, recent campaigns indicate it is still part of this actor’s malware arsenal.   The SyncFuture campaign targeted organizations in Germany and impersonated the Munich tax authority (Finanzamt München). Messages purported to claim the target was receiving a tax audit.   Figure 9: Tax audit–themed email to lure recipients into downloading audit documentation.  URLs in the email led to a landing page impersonating a tax portal.   Figure 10: Fraudulent German‑language tax portal landing page.  The AnyDesk campaign targeted companies in Germany using payroll and salary themed lures. Emails contained URLs leading to a ZIP file and claimed to share pay slip and expense information in a zipped PDF. The file contained the EXE and DLL leading to the malware.  Figure 11: Payroll‑themed lure impersonating an internal salary and expense notification system to prompt victims to download a purported PDF document.  Figure 12: CAPTCHA‑style verification gate presented on the initial landing page. Figure 13: Payroll‑themed landing page impersonating an internal salary notification system and providing a button to download purported PDF pay statements.  SilentRunLoader Campaign 1 – Initial activity  Proofpoint first identified the campaign leading to the Python‑based loader and stealer tracked as SilentRunLoader on 30 March 2026. This campaign primarily targeted organizations in the United Kingdom and impersonated tax authorities with references to VAT filings, payroll tax documentation, and regulatory compliance requirements. Embedded URLs directed recipients to the file‑hosting service, MediaFire, where the executable was hosted. Upon execution, the payload installed SilentRunLoader which harvested sensitive data from Google Chrome including stored credentials, cookies, and browsing information. Collected data was exfiltrated via HTTP POST requests to C2 infrastructure hosted at “ws[.]ztts88[.]cyou” which resolved to IP address 18[.]139[.]83[.]110.  Figure 14: Tax‑themed email lure impersonating the UK government tax authority HMRC and directing recipients to the SilentRunLoader payload hosted on MediaFire.  SilentRunLoader Campaign 2  Proofpoint identified another TA4922 campaign delivering SilentRunLoader on 10 April 2026. The campaign targeted recipients across Southeast Asia and the United Kingdom using benefits and compliance‑themed lures. The lures impersonated government and universal benefits services.  Emails contained embedded srt.tw URLs, a URL shortening service, which redirected to ZIP or RAR archive files hosted on MediaFire. SilentRunLoader was installed via DLL sideloading and exfiltrated Chrome data to previously observed C2 infrastructure hosted at “ws[.]ztts88[.]cyou” which resolved to IP address 18[.]139[.]83[.]110.  Figure 15: Benefits‑themed email lure using a shortened URL to deliver the SilentRunLoader payload.  Now let’s examine the malware TA4922 is using in greater technical detail.  Malware Analysis  RomulusLoader  RomulusLoader is a unique loader malware written in C, designed to download and execute additional payloads from a C2. It features:  A Custom PE loader with section mapping and relocation processing  Dynamic API resolution using PEB/TEB walking and ROR13 hashing  RC4 encryption for an embedded payload (the RomulusLoader PE file)  In campaigns observed within Proofpoint data, RomulusLoader was delivered inside a ZIP archive containing a legitimate executable and DLL related to the Vulkan Graphics API. Vulkan is a low-level, cross-platform graphics and compute API designed for high performance and control over GPU operations. Specifically, the RomulusLoader samples Proofpoint researchers analyzed were masquerading as a component of Vulkan Loader, a sub-component of Vulkan. The metadata of the executable file can be seen in the below image:  Figure 16: Metadata seen in the legitimate Vulkan Loader component abused by RomulusLoader.  The EXE also included this PDB path:            j\msdk\build\Khronos-Tools\repo\build\vulkaninfo\RelWithDebInfo\vulkaninfo.pdb  The DLL has this metadata:  Figure 17: Metadata of a RomulusLoader DLL.  We assess that this DLL file contains legitimate code related to either Vulkan or AnyDesk, but is used primarily to execute RomulusLoader. This is as follows:  1. When the target user executes the legitimate executable, it sideloads the DLL (in our case, “vulkan-1.dll”) as well as a malicious .bin file (in our case, “vulkan-1.bin”). The .bin file contains a shellcode stub and an encrypted blob of data that will eventually result in RomulusLoader itself.  2. The shellcode stub resolves its required Windows function addresses. It also resolves several native API functions like ZwAllocateVirtualMemory, which will be used to load and execute code.  3. The shellcode then locates the embedded payload, which is in the following structure:  Offset 0x00: [4 bytes] PE size (metadata)                     Offset 0x04: [4 bytes] Encrypted payload size                 Offset 0x08: [1 byte]  RC4 key length  Offset 0x09: [N bytes] RC4 key  Offset 0x09+N: Encrypted PE                    4. The shellcode decrypts the embedded PE file, maps it into memory, and executes it as a DLL (starting at the DllMain function).  5. Once the RomulusLoader executable runs, it checks if it is running with Administrator user privileges and copies the original executable (the Vulkan Loader binary) as well as the DLL and malicious .bin file, to the directory “C:\Program Files\Common Files” as a sort of persistence directory.  6. RomulusLoader starts one or more “workers”, which are effectively copies of its code that are injected into other processes (such as svchost[.]exe and dllhost[.]exe). These processes may be started by RomulusLoader, or alternatively, the OpenProcess function can be called to inject into a running process. Once this occurs, RomulusLoader terminates its original process, and the workers continue to execute. This code can be seen in the below example:  Figure 18: Code snippet of RomulusLoader’s start_worker loop.   These worker processes, as well as the termination of the original parent process, are likely used as a technique to attempt to evade endpoint defenses and establish a persistent connection to the C2.   7. The “worker” processes execute the C2 communications routine in a loop. This involves a check-in to the C2 (over HTTP), at which point the C2 server may respond with a payload. Payload delivery seems selective based on targeting. Based on analysis of the C2 communications functions, the payload can take different forms, with support for the following payload execution options (among others):  Shellcode injection, by writing a shellcode payload into a running process (WriteProcessMemory) and executing it (CreateRemoteThread)  Creation of a suspended process, followed by injection (Process Hollowing)  Download (drop to disk) and execute (via a provided URL)  8. When RomulusLoader receives a payload, it decrypts (XOR) and decompresses it (ZLib) and writes the payload to disk (or executes it directly in memory in the case of shellcode). In one instance, the payload was written to the C:\ directory (C:\112[.]121[.]183[.]202ClientSetup.exe).  Below is a diagram of the malware attack chain:  Figure 19: Diagram of RomulusLoader’s behaviors.  A Yara rule to detect or hunt for RomulusLoader shellcode is available here.   SilentRunLoader (a Vibe-Coded Python Stealer/Loader)  Proofpoint has also seen TA4922 using a new compiled Python stealer/loader we call SilentRunLoader, due to its internal naming “silent_run_and_upload.py”. SilentRunLoader is designed to silently download and execute an additional payload, then separately upload sensitive Chrome backup files to a command and control (C2) server.   A few snippets from the decompiled Python code can be seen below.  Figure 20: Screenshot of the beginning of SilentRunLoader’s Python code.  Figure 21: Screenshot of SilentRunLoader’s code, showing the malware’s configuration and other key functions.  The Python code is quite basic and serves two purposes: to download a next-stage payload (cg[.]exe, in this case) and exfiltrate a backup of Chrome browser user data to an actor-controlled server. The downloaded executable (cg[.]exe) is another compiled Python executable and is responsible for gathering Chrome data and packing it into an archive, at which point the main Python code (SilentRunLoader) executes.  In the malware’s configuration, there is an API key “your_secret_key_here”, which the actor didn’t change. This appears to be a placeholder generated by an LLM. Proofpoint has witnessed TA4922 using a few similar Python loader/stealers. Given the comments, strings, and unchanged, hardcoded constants in the code, we assess with high confidence that this group is likely using LLM’s to rapidly develop new Python-based malware. TA4922 seems to be deploying “new” malware at a very fast rate, also leading us to believe that much of it is vibe-coded.    Atlas RAT   Atlas RAT is a fully featured backdoor consisting of multiple stages with a final download of a “core” module, and one or more auxiliary plugins that can be requested and downloaded from the C2. Atlas RAT shares similarities with the Winos4.0 C2 framework in its modular nature and seeming alignment with Chinese-speaking groups.   Given that Atlas RAT was recently documented in detail by researchers at Hexastrike, Proofpoint will provide only a high-level overview of the malware here and highlight techniques or behaviors of interest.   Atlas RAT has the following capabilities:  Gather system information and forward it to the C2, likely for reconnaissance and target selection  List and upload files to the C2 server (data exfiltration)  Load additional plugins, modules, and/or payloads  Surveillance capabilities, such as:  Record audio and video (webcam)  Start a keylogger  Capture clipboard and screenshot data  Shutdown and reboot the system  Atlas RAT consists of multiple stages:  1. The target receives a legitimate executable file and a malicious DLL (the Atlas RAT loader) that is sideloaded into the executable’s process. We have observed that sometimes the malicious DLL copies itself (along with the original executable) to a temporary directory in the user’s path and re-executes itself from there, likely to be a bit stealthier. This can be observed in the following screenshot:  Figure 22: Screenshot of part of Atlas RAT’s loader code.  2. The Atlas RAT loader DLL runs several interesting anti-sandbox and anti-analysis checks, such as:  Checks if the active username is “WDAGUtilityAccount”, which is a built-in account for the Microsoft Defender Application Guard sandbox environment.   Checks if the “CExecSvc” service is running. CExecSvc (Container Execution Service) is a Windows service that acts as the container execution agent, enabling the management and execution of processes inside Windows containers. If this service exists, the malware assumes it is running in a containerized environment.  Checks if the network adapter DNS suffix is “mshome”, which is a default suffix that may be used in Hyper-V and other virtual environments.  Checks if the “vmsmb” device exists on the system, which could indicate to the malware that it is running in a VM.  Checks the UUID of the Windows operating system, which can help determine if the Windows operating system is activated. Many sandboxes and analysis environments don’t have an activated Windows environment.  Checks for the existence of the “WDAG” RunOnce registry key, a registry key associated with Windows Defender Application Guard (WDAG).  If any of these checks fail, the malware assumes it’s running in a hostile environment and terminates itself. After the anti-sandbox checks, the malware loads shellcode into memory:  Figure 23: Screenshot of Atlas RAT’s loader functionalities.  3. The malware uses direct syscalls via SysWhispers to allocate memory for the shellcode and execute it. The shellcode is a small, encrypted blob in the DLL which resolves Windows API function addresses it requires to download the next stage of the malware (such as the WSAStartup, socket, connect, send, and receive functions). The last ~329 bytes of the shellcode contain a multi-stage XOR decoding routine which decodes the C2 address where the Atlas RAT core module will be downloaded.   Figure 24: Snippet of Atlas RAT’s XOR-decryption routine in its shellcode.  4. The Atlas RAT loader DLL then connects to the C2 to download the next stage. The loader issues a very specific check-in consisting of the string “SFuck” followed by 3 null bytes.   Figure 25: Snippet from a malware sandbox of the Send call buffer containing the unique string.  If successful, the C2 responds with the next stage: The Atlas RAT core module.  5. The Atlas RAT core module consists of another DLL with a specific export address of “AtlasInfo” (at least in the samples we observed). Once the AtlasInfo exported function is executed, the core module parses its config structure and writes it to disk in the user’s Documents directory. The config is as follows:  [Setting]  LoginAddress=3200300036002e003200330038002e003100310035002e0035003800 LoginPort=380038003600 REMARK=d89ea48b0759e86c GROUPS=d89ea48b0652c47e Time=32003000320036002d0033002d0036002000310032003a0032003800 SIGN=660035003500630039003600370065002d0066003200370034002d0034006400340066002d0062006100300064002d00660035003500330064003200350032003900640064003100  The config is hex-encoded, and once decoded, results in the following data (example):  Config Value  Description  206[.]238[.]115[.]58  LoginAddress (C2 IP)  886  LoginPort (C2 port)  ؤYèl  GROUPS (likely a build id or affiliate id)  ؤRÄ~  REMARK (likely a sort of campaign id)  2026-3-6 12:28  Time (Time of infection)  f55c967e-f274-4d4f-ba0d-f553d2529dd1  SIGN (used as a unique victim id)  6. Atlas RAT then attempts to connect to its C2 server. Upon successful connection, the malware collects system information and sends it to the C2 encrypted with the ChaCha encryption algorithm. The sysinfo struct looks as follows (example data):  Figure 26: Atlas RAT’s sysinfo struct it sends to its C2 (example only).  The malware also checks for a camera as well as the audio (recording and output) devices on the endpoint and sends this data to the C2.  Figure 27: Screenshot of Atlas RAT’s audio input/output device check code.  7. Atlas RAT maintains its connection state to the C2. It continually checks if the user is actively using their system (via a GetLastInputInfo call), and if this status changes, it sends the current status to the C2:  Figure 28: Screenshot of Atlas RAT’s user activity check code.  8. Atlas RAT continues to execute the above in a loop. The malware client waits for instructions or data from its C2. Based on code analysis of the samples we observed, we assess that these are the commands supported by the malware client and C2 panel (this is subject to change among versions and variants):  Command Code  Description  0x11  Heartbeat / timing synchronization  0x12  Load and execute a plugin DLL  0x13  Payload DLL injection (in our case, injects DLL into WeChat.exe)  0x14  Payload DLL unload  0x15 & 0x16  Update configuration  0x17  Uninstall malware  0x18  Process check (checks if named process is running)  0x19  Window check (checks if window with given title exists)  0x1A  Shutdown/reboot  0x1D  Download payload from URL  0xC8 & 0xC9  Unclear, but possibly related to download and verification of plugin modules  We did not observe follow-on payloads from the C2 during our analysis. However, there is evidence in the code that shows that Atlas RAT is modular in nature, so we suspect additional modules may be downloaded.  Winos4.0 Analysis  Winos4.0 is a well-documented C2 framework. The payloads generated by this framework are referred to by Proofpoint as ValleyRAT, although the terms are sometimes used interchangeably in public reporting. It is a modular, full-featured remote access trojan that has many capabilities, including:  The ability to download additional modules and payloads  File management (read, delete, create files on disk)  Webcam and microphone control  Remote shell access and command execution  Keylogging  DDoS attack support (via a “stress testing” module)  As there are versions of Winos4.0 on GitHub, it is largely open source and could be used by anyone. Due to this, researchers tend to observe different variants and versions of Winos4.0, with slightly different configurations. We have even observed different variations of Winos4.0 being used by TA4922. As an example, in early 2026, we saw a new variation of the standard Winos4.0 malware being used by this group. The malware’s configuration, once decrypted, is as follows:  |A16A6736FB5DC030EF3|A1:aeya388[.]club|o1:7880|t1:1|S2:aeya388[.]club|o2:7881|t2:1|p3:aeya388[.]club|o3:7881|t3:0|dd:10|cl:30|fz:̄ψ|bb:11171030|bz:2025.11.20|jp:0|bh:0|ll:0|dl:0|sh:0|kl:0|bd:0|  This configuration is largely similar to other Winos4.0 configurations with one notable detail: the addition of a string that prefixes the C2 list. This string (“A16A6736FB5DC030EF3”, in one case) is an RC4 key that decrypts the configuration stored in the binary and is possibly used as a campaign identifier.   The malware binary contains a hexadecimal data blob:  3FE030CD5BF6376A61A184A6DC6007584E2F61DCC0C5E44159C45EBF60E3C41F47FA4CD320ADEB17E619A1B593A541B72CC87E261BA9E9C3ECE124B32D4520172C23EACC15C68CDE848DAD61D8A7048413E6A7D51301DD8D4BB661D3E22F0D2BCD3208FECC11AF193C07A2F7BB42324F4F380B8FAE032C6A358AECC87EA5A3035138D26DFEE743A94908979E0E4E21DB6F81E0E3BE12F323D599393BC496FAE730D8154619B79CDF0ADC55C0B6CA68EC8954F0DE88A864A618294F02D895398A486AD0C1E879A  The first 19 characters are an RC4 key that decrypts the config data (starting at the bytes “184A...”. Here is a Cyberchef recipe that can be used to decrypt this config:  Figure 29: Cyberchef recipe for decrypting the config of this Winos4.0 variant.  In addition to this code change, Proofpoint researchers observed some other key code differences between this newer variant of Winos4.0 and other variants. Some notable differences are:  Significantly more complex codebase (71 times larger than other Winos4.0 samples we’ve looked at). Much of this is likely bloat, junk or unused code, however. It’s likely the actor purposefully bloated the code to help evade basic endpoint defense scanning.  Configuration is completely encrypted in binary (using RC4). In many other Winos4.0 samples, config struct is only partially encrypted.   Some differences in module download and implant injection and C2 communications, but many other behaviors are similar.   Proofpoint does not observe this version of Winos4.0 often. Because Winos4.0 has been documented by many other research organizations, we won’t delve into more details of Winos4.0 in this blog post. We highlighted this simply to further demonstrate the number of malware variations used by this group.  Recommendations  To defend against TA4922 and malware described in this report, Proofpoint recommends the following:  Enforce application allowlisting on trusted directories  Prevent or monitor execution from temporary user-path directories such as %TEMP%, %APPDATA%  Monitor for executable files written to system paths or root directories like “C:\”  Prevent or monitor network traffic destined to non-standard or unnecessary ports (such as “1234”), at least for processes that are not allowlisted  Enforce least-privilege principles and limit local admin rights  Conclusion  TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives. While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance which could be used by or sold to espionage groups.   Proofpoint initially observed the actor targeting organizations in East Asia but has since expanded its scope to include many European countries, particularly in 2026. The actor appears well-organized, using highly targeted lures, and rarely mistakenly distributes campaigns (for example, we don’t see them using Italian language lures to target people in Japan).   The global nature of this actor shows how organizations should be aware of emerging and complex threats, regardless of geographic targeting. These types of actors can quickly expand and scale their tactics to include more targets at any time.   IOCs  Indicator  Description  First Seen  206.238.115.58  Atlas RAT C2  6 March 2026  a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295  ZIP archive (【給与調整のお知らせ】.zip) delivering Atlas RAT  6 March 2026  584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8  Atlas RAT DLL (libcef.dll)  6 March 2026    154.211.86.110  Atlas RAT C2  2 April 2026  66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d  ZIP archive (Paperwork.zip) delivering Atlas RAT  2 April 2026  4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d  ZIP archive (HR (2).zip) delivering Atlas RAT  2 April 2026  a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad  Atlas RAT DLL (libcef.dll)    2 April 2026  43.156.77.97  RomulusLoader C2  23 March 2026  40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5  RAR archive (会社文書.rar) delivering RomulusLoader  23 March 2026    8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0  RomulusLoader DLL (vulkan-1.dll)  23 March 2026  3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d  RomulusLoader component (vulkan-1.bin)  23 March 2026  https://nwphotoblog[.]com  URL used in RomulusLoader / SyncFuture campaign which hosted a landing page with download button  16 April 2026  103.214.172.33  RomulusLoader First-stage C2  16 April 2026  314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef  RomulusLoader / SyncFuture ZIP (Alles in dem schuppen.zip)  16 April 2026  2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d  RomulusLoader / SyncFuture executable (Alles in dem schuppen.exe)  16 April 2026  0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8  RomulusLoader / SyncFuture DLL (teamspeak_control.dll)  16 April 2026  https://ws.ztts88[.]cyou/file/cg[.]exe  SilentRunLoader download URL  30 March 2026  https://ws.ztts88[.]cyou/upload[.]php  SilentRunLoader data exfiltration URL  30 March 2026  e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c  SilentRunLoader Executable SHA256  30 March 2026  18[.]139[.]83[.]110  SilentRunLoader data exfiltration IP  30 March 2026  de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2  SilentRunLoader ZIP SHA256    10 April 2026  9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73  SilentRunLoader Executable SHA256  10 April 2026 
  •  

More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild

Executive Summary The CVE Landscape Has Changed. The Threat Actors Haven't.  Proofpoint's dual telemetry streams — targeted attack visibility covering hundreds of millions of messages daily, and a global network sensor array that generated over 3 million alerts and identified four undisclosed CVEs in 2026 to date — present a consistent picture: attackers are opportunistic. They grab newly published CVEs when public proof-of-concept code appears, chain them with established techniques, and move on.  What has changed is the volume of vulnerabilities feeding that pipeline. NIST reported that CVE submissions in Q1 2026 were nearly one-third higher than the same quarter last year, and that the National Vulnerability Database still cannot keep pace with enrichment. The widely-cited driver is AI-assisted vulnerability discovery: frontier models are enabling both defenders and researchers — and, increasingly, anyone with access to an open-weights model — to surface bugs at machine speed. The exploit window is narrowing, but the exploitation pattern remains recognizable.  KEY TAKEAWAY  Proofpoint telemetry shows 12 distinct 2026 CVEs being actively exploited in network-facing attacks, compared to the 8 currently listed on the CISA KEV catalog. The four-CVE gap represents real-world exploitation that CISA has not yet formally catalogued — a visibility problem that defenders cannot afford to ignore. Targeted Email Telemetry Three 2026 CVEs in Targeted Email: Old Tricks, New Vulnerabilities  Proofpoint's email telemetry — which covers organizations across the globe — has identified two 2026 CVEs being actively weaponized in targeted attack campaigns this year. Neither represents a fundamental shift in tradecraft. Both fit cleanly into attacker playbooks that Proofpoint has tracked for years.  CVE-2026-21509 — Microsoft Office (RTF/OLE Code Execution)  The more prominent of the two is CVE-2026-21509, a remote code execution vulnerability in Microsoft Office affecting RTF and OLE document processing. Within 24 hours of public disclosure in January 2026, Russia-linked TA422 (APT28) weaponized the flaw in malicious RTF files targeting Ukrainian government agencies and European defense, transportation, and diplomatic entities — behavior consistent with the group's well-documented practice of rapidly adopting newly disclosed Office vulnerabilities for email-borne initial access.  Proofpoint telemetry observed CVE-2026-21509 in targeted spear-phishing campaigns delivering weaponized document attachments with high-fidelity institutional lures — official letterheads, bilingual formatting, ministerial seals. The exploitation delivers a multi-stage infection chain culminating in the NotDoor Outlook backdoor and Covenant Grunt implants. Cloud storage services (notably filen.io) serve as C2 infrastructure, blending malicious traffic with normal enterprise activity.  CVE-2026-21510 — Windows Shell Protection Mechanism Failure  In two separate campaigns observed by Proofpoint in March and April 2026, DPRK-aligned threat actor TA406 (Opal Sleet) chained CVE-2026-21509 and CVE-2026-21510 within a single attack sequence. Social engineering lures themed around visa processing and diplomatic initiatives delivered RTF attachments weaponizing CVE-2026-21509 for initial code execution.  The use of the same CVE pair previously documented in TA422's campaigns is a textbook illustration of the delayed-remediation risk: once a vulnerability with reliable code execution is demonstrated in the wild, additional threat actors will adopt it opportunistically, regardless of patch availability. Disclosure and exploitation are no longer sequential.  In both TA406 campaigns, the OLE objects embedded in the RTF attachments were LNK files. Upon execution, these initiated a WebDAV connection to download secondary LNK files, which then invoked CVE-2026-21510 to bypass Windows Shell security controls and execute a DLL payload. It is at this stage that TA406's chain diverges from TA422's — the downstream payloads and post-exploitation behavior reflect distinct operational infrastructure and tradecraft between the two threat actors.  PROOFPOINT OBSERVED  All CVE-2026-21509 and CVE-2026-21510 messages targeting Proofpoint customers were blocked at delivery. Indicators of compromise for the associated campaign are available to Proofpoint Threat Intelligence subscribers.  CVE-2026-32202 — Windows (Incomplete Patch Bypass)  The third (targeted) email-weaponized CVE of 2026 is CVE-2026-32202, a Windows vulnerability stemming from an incomplete patch for earlier CVE-2026-21510. The flaw was exploited as a zero-day alongside CVE-2026-21513 by TA422 in attacks targeting Ukraine and EU member states beginning in late 2025. Microsoft added CVE-2026-32202 to the CISA KEV catalog after acknowledging active exploitation in April 2026.  The exploitation chain is notable for its stability: the two CVEs are being chained to achieve reliable initial access via email-delivered lures, reinforcing a recurring Proofpoint observation that incomplete patches create a secondary exploitation window that sophisticated actors actively monitor and capitalize on.  FINDING #1  Both 2026 CVEs observed in targeted email campaigns are Microsoft-ecosystem vulnerabilities exploited by a single, state-sponsored actor (TA422) via highly targeted spear-phishing. The technique — weaponized Office documents with institutional lures — is unchanged from campaigns Proofpoint tracked years prior. The CVEs are new. The behavior is not.  Network Sensor Telemetry  Twelve 2026 CVEs Across 5,000+ Sensors — Four Ahead of CISA  Proofpoint's network sensor infrastructure — spanning over 5,000 sensors globally with more than 3 million alerts analyzed in 2026 — has detected active exploitation attempts for 12 distinct 2026 CVEs. The CISA KEV catalog, as of this writing, lists 8 CVEs from 2026. The four-CVE gap reflects a structural reality: CISA's KEV process is necessarily reactive and evidence-based, while internet-scale sensor telemetry captures exploitation activity earlier and more broadly.  The 12 CVEs observed span a predictable set of target categories: network perimeter devices, enterprise web infrastructure, collaboration and mail platforms, and remote access management systems. This distribution reflects attacker prioritization of internet-exposed attack surface.  CVES SEEN IN NETWORK TELEMETRY (PROOFPOINT OBSERVED VS. CISA KEV)  CVE  Affected Product  Vulnerability Type  Vector  KEV Listed  CVE-2026-20122  Cisco Catalyst SD-WAN  Authentication Bypass  Network  Yes  CVE-2026-20128  Cisco Catalyst SD-WAN  Authentication Bypass  Network  Yes  CVE-2026-20133  Cisco Catalyst SD-WAN Manager  Info Disclosure  Network  Yes  CVE-2026-0300  Palo Alto PAN-OS  Out-of-bounds Write / RCE  Network  Yes  CVE-2026-6973  Ivanti EPMM  Authentication Bypass  Network  Yes  CVE-2026-41940  WebPros cPanel & WHM / WP2  Missing Auth — Critical Function  Network  Yes  CVE-2026-42897  Microsoft Exchange Server  Cross-Site Scripting (OWA)  Network  Yes  CVE-2026-39987  Marimo (Python notebooks)  Remote Code Execution  Network  Yes  CVE-2026-1281  Ivanti EPMM  Zero-day / Auth Bypass  Network  No *  CVE-2026-1340  Ivanti EPMM  Zero-day / Auth Bypass  Network  No *  CVE-2026-20182  Cisco Catalyst SD-WAN  Authentication Bypass  Network  No *  CVE-2026-31431  Linux Kernel  Incorrect Resource Transfer / Priv-Esc  Network  No *  * Not on CISA KEV list as of May 15, 2026, but active exploitation confirmed in Proofpoint telemetry.  The cPanel Cluster: Mass Exploitation at Scale  CVE-2026-41940, the cPanel authentication bypass, illustrates the opportunistic mass-exploitation pattern most clearly. What began as exploratory probing evolved into a multi-actor campaign combining ransomware deployment, website defacement, and — in at least one documented case — targeted cyber-espionage. We also now increasingly observe this vulnerability within attack chains of threat actors that rely on compromising legitimate websites via web inject, such as TA569 (SocGholish). As these campaigns generally leverage non-malicious email communications to drive intended victims to the compromised assets, we have not included this activity in the “targeted” email section of this report.  Proofpoint sensor data observed automated scanning traffic targeting cPanel instances within days of public proof-of-concept code availability, consistent with how financially motivated actors typically operationalize newly published vulnerabilities.  Cisco SD-WAN: A Persistent Perimeter Target  Three CVEs in our network telemetry affect Cisco Catalyst SD-WAN infrastructure: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. The first two are authentication bypass vulnerabilities; the third exposes sensitive configuration data. CISA issued Emergency Directive ED 26-03 specifically covering these flaws. Proofpoint sensor data shows exploitation attempts against exposed SD-WAN management interfaces across multiple verticals, consistent with reconnaissance-phase activity by both nation-state and financially motivated actors.  FINDING #2  Four of the 12 2026 CVEs seen in Proofpoint's network telemetry are not yet on the CISA KEV list. Organizations relying solely on KEV for prioritization are operating with an incomplete picture. Network-scale telemetry is consistently 2–4 weeks ahead of formal KEV inclusion for perimeter vulnerability classes.  Structural Context AI Is Discovering More Vulnerabilities. It Isn't (Yet) Changing How They're Exploited.  The macro context behind the 2026 CVE surge deserves careful framing. There is credible, growing evidence that frontier AI models are materially accelerating vulnerability discovery. Mozilla's Firefox team, working with frontier models, released 61 patches in February and 76 in March. Apache is experiencing a 170%+ increase in published CVEs. NIST CVE submissions in Q1 2026 ran nearly one-third above the same period last year. By one estimate, 55,000 to 60,000 CVEs will be published across all of 2026.  Critically, these discoveries are being made primarily by defenders and researchers — the intent is patching, not exploitation. The early 2026 surge was initially noisy, with a flood of low-quality AI-assisted submissions, but quality has improved markedly since April as tooling matures.  What Proofpoint's telemetry does not show is a corresponding transformation in attacker behavior. The threat actors exploiting 2026 CVEs in our email and network data are using them the same way they've used newly disclosed vulnerabilities for years: grab the public PoC, adapt it to existing delivery infrastructure, target exposed attack surface opportunistically. APT28 weaponized CVE-2026-21509 within 24 hours — but delivered it via the same spear-phishing RTF/OLE chain the group has used since at least 2022.  THE NUANCE THAT MATTERS  Frontier AI is almost certainly shrinking the window between vulnerability discovery and exploit availability, even if it hasn't yet transformed attacker tradecraft at scale. The 42% year-over-year increase in zero-days exploited before public disclosure (CrowdStrike 2026 Global Threat Report) is a leading indicator worth watching. The story may look different by year-end.  The NIST Gap Problem  One structural consequence of the CVE volume surge deserves particular attention for defenders. NIST has formally acknowledged that the National Vulnerability Database can no longer enrich every new CVE submission at the same speed or depth as before. Backlogged CVEs published before March 1, 2026 are being moved to a "Not Scheduled" enrichment category. For security teams relying on NVD CVSS scores and metadata to drive patch prioritization queues, this creates a systematic blind spot. Threat-intelligence-driven prioritization — using data like Proofpoint's sensor telemetry to identify what is actually being exploited — becomes more important, not less, as the vulnerability catalog scales.  FINDING #3  The surge in 2026 CVE volume is a consequence of AI-assisted vulnerability discovery by defenders, not offensive AI capability deployed at scale. Attacker behavior in Proofpoint telemetry remains opportunistic and technique-stable. The risk is not that AI has transformed the threat actor, but that a higher-volume CVE pipeline will strain patch prioritization processes — particularly as NIST NVD enrichment coverage thins out.  Defensive Guidance Recommendations for Security Teams  The patterns in Proofpoint's 2026 telemetry translate into several concrete defensive priorities:  1. Don't Wait for KEV to Prioritize Network-Facing CVEs  Four of the 12 2026 CVEs Proofpoint has observed being actively exploited are not yet on the CISA KEV list. For internet-exposed infrastructure — network perimeter devices, mail servers, VPN and remote access management platforms — treat newly disclosed authentication bypass and RCE vulnerabilities as high priority immediately upon disclosure, particularly when public PoC code is available. Prevention via an IPS ruleset will likely be the only option for certain exploits.  2. Patch Microsoft Office and Windows With Urgency  Both 2026 CVEs observed in targeted email campaigns are Microsoft-ecosystem vulnerabilities. CVE-2026-21509 and CVE-2026-32202 were exploited by APT28 within days of disclosure. Organizations in government, defense, transportation, and European critical infrastructure should treat Microsoft's monthly patches — especially for Office and Windows zero-days — as emergency items. Apply Microsoft's registry hardening guidance alongside patches.  3. Rebuild Patch Prioritization Workflows for Higher Volume  With 55,000–60,000 CVEs projected for 2026 and NVD enrichment coverage declining, CVSS-score-driven prioritization is increasingly inadequate. Teams should augment or replace CVSS-centric workflows with exploitation-signal-based prioritization: which vulnerabilities are generating actual exploit traffic in telemetry right now?  4. Monitor AI Developer Tooling as an Emerging Attack Surface  CVE-2026-39987 (Marimo RCE) and the BerriAI LiteLLM SQL injection vulnerability represent a newly emerging class of AI developer tooling targets on the KEV list. As AI infrastructure proliferates in enterprise environments — often with broad network access and sensitive credential stores — treat these platforms with the same exposure scrutiny applied to traditional web application infrastructure.  5. Assume the Window Is Narrower Than It Was  TA422’s sub-24-hour weaponization of CVE-2026-21509 is consistent with a structural trend: the time between vulnerability disclosure and exploit availability is compressing. Assume that a high-severity, remotely exploitable vulnerability with public PoC is being actively attempted within 48–72 hours of disclosure, and size response SLAs accordingly.  Methodology Data Sources and Scope  Email telemetry in this report covers Proofpoint's global email security platform, which analyzes hundreds of millions of messages daily across enterprise customers in AMER, EMEA, and APJ. Targeted attack data reflects campaigns observed by the Proofpoint Emerging Threats team in which CVE-year-2026 vulnerabilities appeared as the initial access vector.  Network telemetry is sourced from Proofpoint's distributed sensor infrastructure: more than 5,000 passive network sensors generating over 3 million alerts in 2026 year-to-date. CVE observation in this context reflects detected exploitation attempts or successful exploitation events, not theoretical exposure. The CISA KEV catalog figures cited reflect the catalog's state as of May 15, 2026.  CVE background information and campaign attribution details draw on public reporting from CISA, CERT-UA, Trellix, Securelist, Recorded Future, and other sources, corroborated against Proofpoint telemetry. 
  •  
❌