
A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Wednesday, May 27, 2026. I'm Rich Stroffolino.

Nimbus Manticore learning new tricks
This Iranian-backed APT with ties to the Islamic Revolutionary Guard Corps, also known as Smoke Sandstorm and Boherium, has been active online since at least 2022. It's known for targeting sophisticated actors in the aerospace, aviation and defense sectors across the Middle East and Europe. Researchers at Check Point recently found that the group is changing tactics and expanding targets to the US. This has seen them switching from tried-and-true DLL sideloading to AppDomain hijacking, using trojanized installers for legitimate apps like Zoom and OnlyOffice to install an updated version of its MiniJunk backdoor. Check Point notes the group shows the ability to rapidly adapt to new approaches, use new tooling and maintain infrastructure for persistence.

Phishing moves to real-time credential harvesting
Researchers at Google's Threat Intelligence Group warned that it's seen increasing sophistication from phishing-as-a-service operators. Within the broader Asian cybercriminal ecosystem, there's been a shift from static password harvesting to real-time interception. These operations target the general public with phishing lures that spoof non-Chinese entities. These use encrypted RCS and iMessage channels to deliver phishing messages, making it harder for infrastructure-layer blockers to be effective. Operators then seek to capture one-time passcodes in real time to bypass MFA and ultimately get victims' payment cards linked to an attacker's virtual wallet. It's believed many of these efforts are aided by AI automation, as many providers show a lack of usual operational security and cyber hygiene when advertising these schemes.

Iran says it will reopen Internet access
According to state media reports, Iran's President Masoud Pezeshkian issued an order to restore Internet access nationwide. According to NetBlocks, Iran cut off international Internet access 87 days ago after initial strikes were made by US and Israeli forces on February 28. This followed another multi-week Internet blackout that started on July 8th following massive anti-government protests. It's unclear how and when Iran will restore access or if the country will change its existing censorship policies.

India wants 12-hour patches
This comes from new guidance from the Indian Computer Emergency Response Team, or CERT-In, which urges organizations to meet this timeline for actively exploited Internet-facing vulnerabilities. The guidance lays out a further triage timeline for less severe vulnerabilities, ranging from one to five days. This guidance was developed in response to AI-enhanced exploitation and also includes a framework for zero trust architecture, and encourages the use of AI bills of materials and other best practices. India has had a requirement to report cyber incidents to CERT-In within six hours of detection since 2022.

And now a huge thanks to our sponsor, GuardSquare. Is your mobile app truly protected? Relying on the OS isn't enough. A global study of 1,300 security and developer leaders found that 96% of teams using layered protection reported significantly fewer security incidents. Don't wait for a breach to harden your defenses. Get the protection needed for modern security risks. Learn more at guardsquare.com.

Knowledge Deliver delivers backdoors
Researchers at Mandiant discovered a campaign impacting Digital Knowledge's Knowledge Deliver eLearning platform, which is particularly popular in Japan. This exploited a zero-day that was able to exploit known hard-coded values in the platform's web.config file, allowing for deserialization attacks against other deployments. The attackers used Godzilla web shells to pull down further payloads to the machine, ultimately infecting with a Cobalt Strike backdoor. All Knowledge Deliver deployments prior to February 24, 2026 are vulnerable.

No-code comes to malware
ESET researchers published details on an Android remote access trojan called BTMob, which ships with commercial-style packaging and includes an APK builder to let buyers generate new payloads and reconfigure phishing lures without any coding. Ultimately, BTMob is capable of full device takeover by abusing Android's accessibility services. This malware-as-a-service operation is sold through Telegram channels as well as X and Instagram accounts, offering a $5,000 lifetime license plus additional monthly support fees. Researchers saw this operating mostly in Brazil and Argentina, with operators posing as streaming services, major brands or tax authorities.

Microsoft testing automated endpoint isolation
Microsoft released a preview for Defender for Endpoint that can automatically isolate compromised endpoints. This is designed to limit lateral movement across the network by attackers. While cut off from the network, endpoints will still retain connectivity to the Microsoft Defender for Endpoint service for monitoring. Admins will also be able to release devices from this automated isolation at any time. Microsoft introduced manual endpoint isolation for Defender back in June 2022.

Netherlands blocks the sale of authentication tech to US
In November, the US firm Kyndryl announced it would acquire the Dutch company Solvinity, which operates the DigiD platform that citizens use to authenticate identities with public authorities. In a letter to the national parliament, the Dutch government said that the national authority that screens investments had advised the government to block the acquisition as it posed a possible risk to the public interest. This announcement comes a week before the European Commission releases a tech sovereignty policy proposal to reduce EU reliance on foreign technology, particularly for the cloud and AI. A statement from Kyndryl said it was extremely disappointed about the politicization of this process.

Join us this Friday for Hacking Pen Testing in the Age of Agentic AI on Super Cyber Friday. It starts at 1pm Eastern. You can join our chat or play some games, learn how pen testing is evolving, and even win some free CISO Series swag. Go to the events page at cisoseries.com to register. See you there. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffolino
Theme: Key developments in cyber threats, attacker tactics, regulatory moves, and defensive innovations.
This episode covers significant global cybersecurity events and trends, with a focus on emerging threats and regulatory responses. Highlighted topics include new tactics from Iranian APT group “Nimbus Manticore,” advances in phishing credential theft, India’s aggressive patch response requirements, critical software vulnerabilities, automation in malware deployment, and regulatory blocks on tech acquisitions.
Summary by CISO Series, hosted by Rich Stroffolino. For in-depth stories, visit cisoseries.com.