A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Wednesday, May 27, 2026. I'm Rich Stroffolino.

Nimbus Manticore learning new tricks
This Iranian-backed APT with ties to the Islamic Revolutionary Guard Corps, also known as Smoke Sandstorm and Boherium, has been active online since at least 2022. It's known for targeting sophisticated actors in the aerospace, aviation and defense sectors across the Middle East and Europe. Researchers at Check Point recently found that the group is changing tactics and expanding targets to the US. This has seen them switching from tried-and-true DLL sideloading to AppDomain hijacking, using Trojanized installers for legitimate apps like Zoom and OnlyOffice to install an updated version of its MiniJunk backdoor. Check Point notes the group shows the ability to rapidly adapt to new approaches, use new tooling and maintain infrastructure for persistence.

Phishing moves to real-time credential harvesting
Researchers at Google's Threat Intelligence Group warned that it's seen increasing sophistication from phishing-as-a-service operators. Within the broader Asian cybercriminal ecosystem, there's been a shift from static password harvesting to real-time interception. These operations target the general public with phishing lures that spoof non-Chinese entities. These use encrypted RCS and iMessage channels to deliver phishing messages, making it harder for infrastructure-layer blockers to be effective. Operators then seek to capture one-time passcodes in real time to bypass MFA and ultimately get victims' payment cards linked to an attacker's virtual wallet. It's believed many of these efforts are aided by AI automation, as many providers show a lack of usual operational security and cyber hygiene when advertising these schemes.

Mythos found over 10,000 vulnerabilities in a month
That finding comes from a new Anthropic report on the initial results of Project Glasswing. These high- or critical-severity vulnerabilities appeared across systemically important code. One testing partner, Cloudflare, identified 2,000 bugs in its critical-path systems, with about 20% rated as high or critical. It also reported a better false positive rate than human testers. Scans of over 1,000 open source projects found over 23,000 vulnerabilities. Of those, over 1,000 were confirmed by researchers as valid high or critical security vulnerabilities. Anthropic said it continues to add more partners to Project Glasswing, including more government agencies, but said it had no timeline for a general release, citing a lack of adequate safeguards.

India wants 12-hour patches
This comes from new guidance from the Indian Computer Emergency Response Team, or CERT-In, which urges organizations to meet this timeline for actively exploited Internet-facing vulnerabilities. The guidance lays out a further triage timeline for less severe vulnerabilities, ranging from one to five days. This guidance was developed in response to AI-enhanced exploitation and also includes a framework for zero trust architecture, and encourages the use of AI bills of materials and other best practices. India has had a requirement to report cyber incidents to CERT-In within six hours of detection since 2022.

And now a huge thanks to our sponsor, GuardSquare. Is your mobile app truly protected? Relying on the OS isn't enough. A global study of 1,300 security and developer leaders found that 96% of teams using layered protection reported significantly fewer security incidents. Don't wait for a breach to harden your defenses. Get the protection needed for modern security risks. Learn more at guardsquare.com.

Iran says it will reopen Internet access
According to state media reports, Iran's President Masoud Pezeshkian issued an order to restore Internet access nationwide. According to NetBlocks, Iran cut off international Internet access 87 days ago after initial strikes were made by US and Israeli forces on February 28. This followed another multi-week Internet blackout that started on July 8th following massive anti-government protests. It's unclear how and when Iran will restore access, or if the country will change its existing censorship policies.

KnowledgeDeliver delivers backdoors
Researchers at Mandiant discovered a campaign impacting Digital Knowledge's KnowledgeDeliver eLearning platform, which is particularly popular in Japan. This exploited a zero-day that was able to exploit known hard-coded values in the platform's web config file, allowing for deserialization attacks against other deployments. The attackers use Godzilla web shells to pull down further payloads to the machine, ultimately infecting it with a Cobalt Strike backdoor. All KnowledgeDeliver deployments prior to February 24, 2026 are vulnerable.

No-code comes to malware
ESET researchers published details on an Android remote access Trojan called BTMob, which ships with commercial-style packaging and includes an APK builder to let buyers generate new payloads and reconfigure phishing lures without any coding. Ultimately, BTMob is capable of full device takeover by abusing Android's accessibility services. This malware-as-a-service operation is sold through Telegram channels as well as X and Instagram accounts, offering a $5,000 lifetime license plus additional monthly support fees. Researchers saw this operating mostly in Brazil and Argentina, with operators posing as streaming services, major brands or tax authorities.

Microsoft testing automated endpoint isolation
Microsoft released a preview for Defender for Endpoint that can automatically isolate compromised endpoints. This is designed to limit lateral movement across the network by attackers. While cut off from the network, endpoints will still retain connectivity to the Microsoft Defender for Endpoint service for monitoring. Admins will also be able to release devices from this automated isolation at any time. Microsoft introduced manual endpoint isolation for Defender back in June 2022.

Netherlands blocks the sale of authentication tech to US
In November, the US firm Kyndryl announced it would acquire the Dutch company Solvinity, which operates the DigiD app platform that citizens use to authenticate identities with public authorities. In a letter to the national parliament, the Dutch government said that the national authority that screens investments had advised the government to block the acquisition, as it posed a possible risk to the public interest. This announcement comes a week before the European Commission releases a tech sovereignty policy proposal to reduce EU reliance on foreign technology, particularly for the cloud and AI. A statement from Kyndryl said it was extremely disappointed about the politicization of this process.

Join us this Friday for "Hacking Pen Testing in the Age of Agentic AI" on Super Cyber Friday. It starts at 1pm Eastern. You can join our chat, play some games, learn how pen testing is evolving, and even win some free CISO Series swag. Go to the events page at cisoseries.com to register. See you there. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: May 27, 2026
Host: Rich Stroffolino
This episode presents the latest developments and emerging trends in the cybersecurity landscape, highlighting active threats, evolving attack tactics, regulatory shifts, and key industry research. Topics include Iranian APT group activity expanding to the US, sophisticated real-time credential harvesting, India's aggressive vulnerability patching mandate, the use of AI in vulnerability detection, key malware campaigns, and noteworthy developments in endpoint defense and international tech sovereignty.
This concise, information-dense episode underscores how quickly threat actors are adapting, the impact of AI in both offense and defense, and how organizations and governments are stepping up requirements for cyber resiliency. Developments like real-time phishing, AI-powered vulnerability discovery, aggressive patching mandates, and geopolitical control of key authentication infrastructure all point to a security landscape in persistent flux—demanding vigilance, speed, and continuous adaptation.