Iran-nexus APT group newly detailed by Unit 42 (Palo Alto Networks) in a report published May 22, 2026. Between February and April 2026 the group sharply escalated operations in step with the outbreak of the US-Israel-Iran regional conflict on February 28, deploying six new RAT variants across two new malware families (MiniUpdate and MiniJunk V2) against targets in the US, Israel, the UAE, and at least two other Middle Eastern countries. For the first time, researchers observed the group combining its usual DLL sideloading with AppDomainManager hijacking, a .NET technique in which a malicious assembly is registered as the application domain manager (through the host's .exe.config or environment variables) so that attacker code runs before the application's own entry point; the group used this to disable security mechanisms before the application fully starts. The group's campaigns closely track geopolitical escalation, with activity spikes observed within 72–96 hours of kinetic events.
Rapid7's May 6, 2026 report 'Muddying the Tracks' disclosed that MuddyWater, Iran's MOIS-linked APT, conducted a false-flag intrusion in early 2026, masquerading as a Chaos ransomware-as-a-service affiliate to conceal state espionage. The operators used Microsoft Teams social engineering with interactive screen-sharing to harvest VPN credentials and manipulate MFA, then deployed the custom Darkcomp (Game.exe) RAT together with the remote management tools DWAgent and AnyDesk for persistent access. They never deployed file-encrypting ransomware: the intrusion was staged to look financially motivated while long-term espionage access was the real objective. Confirmed victims include a US bank, a US airport, nonprofits, and a defense/aerospace software supplier with Israeli operations, with further targeting of organizations in the MENA region. Attribution rests on the 'Donald Gay' code-signing certificate, C2 infrastructure at moonzonet[.]com, and process injection via pythonw.exe, all previously tied to MuddyWater's 'Operation Olalampo.' The operation follows a late-2025 case in which MuddyWater used Qilin ransomware against an Israeli organization; after that incident was publicly attributed to MOIS, the switch to Chaos branding is assessed as a deliberate move to reduce attribution risk and delay defensive response.
Formally attributed by the US DOJ (March 2026) as an Iranian MOIS 'fake activist persona,' Handala dramatically escalated operations following the Feb 28 US-Israel military strikes on Iran. In March 2026 alone, the group executed a destructive MDM-abuse wiper operation against Stryker Corporation deleting data from 200,000+ devices across 79 countries, compromised FBI Director Kash Patel's personal email, and published PII for 28 Lockheed Martin engineers in Israel. The State Department issued a $10M reward for operator identification; the FBI seized four Handala leak site domains. The group continued operating through Iran's internet blackout by using Starlink VSAT connectivity, and executed a WhatsApp threat campaign against US Marines at Naval Support Activity Bahrain in late April 2026.
First VPN was a criminal VPN service operating since 2014 and marketed exclusively on Russian-speaking cybercrime forums. It served over 5,000 accounts, was used by at least 25 ransomware groups including the Phobos RaaS operation, and was linked to the laundering of more than $70M in illicit proceeds. The service was dismantled on May 19–20, 2026 in Operation Saffron, led by French and Dutch authorities with Europol and Eurojust support and described as one of the first law enforcement takedowns of a VPN anonymization service. Investigators had covert visibility into user traffic before the takedown. Authorities seized 33 servers across 27 countries, took down the 1vpns.com/.net/.org domains and their .onion mirrors, interviewed the service's Ukrainian administrator, and produced 83 intelligence packages covering 506 identified users, which were shared with partner countries for ongoing ransomware and fraud investigations. All users were notified that their identities are now known to law enforcement. The operation removes a significant anonymization layer from the ransomware supply chain.
KimWolf was a large IoT DDoS-for-hire botnet run as a criminal rental service by Jacob Butler (alias 'Dort'), a 23-year-old Ottawa resident arrested by Canadian authorities on May 20 or 21, 2026 (reports differ on the day) under a US extradition warrant and charged in the District of Alaska. Assessed by the DOJ as a variant or successor of the AISURU botnet, KimWolf infected nearly two million devices worldwide, concentrating on weakly secured endpoints such as digital photo frames, web cameras, Android smart TVs and streaming TV boxes, and issued over 25,000 attack commands. Its attack traffic peaked at roughly 30 Tbps (one report cites 31.4 Tbps), the largest DDoS volume publicly disclosed at the time. The DOJ unsealed charges on the day of the arrest and simultaneously disrupted 45 DDoS-for-hire platforms that worked with the KimWolf ecosystem; the botnet's infrastructure had already been seized in a March 2026 multinational operation alongside the related Aisuru, JackSkid, and Mossad botnets.
GopherWhisper is a previously undocumented China-aligned APT group publicly disclosed by ESET Research on April 23, 2026, after being discovered in January 2025 targeting a Mongolian government institution. The group wields a seven-tool Go-based malware suite routing all C2 traffic through legitimate enterprise platforms — Slack, Discord, and Microsoft 365 Outlook — to evade network detection. Analysis of recovered C2 traffic from attacker-controlled Slack and Discord servers indicates dozens of additional victims beyond the confirmed Mongolian target.
APT73, also known as Bashe, is a ransomware group that emerged in mid-April 2024, self-styling as an Advanced Persistent Threat and operating a TOR-based data leak site bearing a striking resemblance to LockBit's infrastructure. The group has surged in activity in May 2026, posting multiple high-profile victims within 48 hours including Turkey's General Directorate of Land Registry (TKGM, a government agency), Thailand's National Astronomical Research Institute (NARIT), and Mexican corn producer Minsa S.A.B. de C.V. — all claimed on May 21–22, 2026. The group previously claimed 50GB stolen from UK investment platform Hargreaves Lansdown in late April 2026.
KryBit is an emerging RaaS operation that launched in late March 2026, offering affiliates an aggressive 80/20 revenue split with cross-platform ransomware builders for Windows, Linux, ESXi, and NAS devices. The group posted 10 legitimate victims within its first two weeks and engaged in a high-profile ransomware turf war with rival group 0APT in April 2026, in which KryBit successfully hacked back, defaced 0APT's infrastructure, and exposed its full operational dataset — revealing that 0APT's 190+ claimed victims were entirely fabricated. Despite active affiliate operations and staged victim data (10–250GB per victim, ransom demands $40K–$100K), KryBit had collected zero ransom payments as of mid-April 2026 per leaked wallet data. The group employs structured double-extortion with shadow copy deletion and TOR-based leak infrastructure.
Silver Fox is a China-linked APT group newly documented by Kaspersky (May 2026) as having significantly expanded its geographic targeting to include Russia and India, using tax-authority impersonation phishing to deploy a newly discovered Python-based backdoor called ABCDoor alongside the established ValleyRAT (Winos 4.0) RAT. The group's technical maturity is growing: ABCDoor features visual remote control via FFmpeg screen-broadcasting, DPAPI-encrypted persistence, and self-updating/self-deletion logic — distinct from traditional shell-based RATs. Over 1,600 malicious emails were recorded in a single month-long period in early 2026.
SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated initial-access broker operating in direct support of Volt Typhoon. The group gains footholds across OT-adjacent organizations in North America, Europe, South Korea, Guam, the Philippines, and Saudi Arabia, then hands off access to Volt Typhoon for deeper persistence and OT reconnaissance. Dragos has attributed several recent high-profile vulnerability exploitation campaigns — including Ivanti and Trimble Cityworks GIS — to SYLVANITE, making it a critical link in China's critical infrastructure pre-positioning strategy.
Coinbase Cartel is a data-extortion-only group active since September 2025, assessed by Halcyon and Fortinet FortiGuard Labs as an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. The group does not deploy ransomware encryption; it steals sensitive data and extorts victims under threat of public disclosure, and has amassed 170+ victims. Between May 15 and 18, 2026 the group claimed Grafana Labs as a victim after exploiting a misconfigured GitHub Actions workflow to exfiltrate Grafana's entire private codebase.
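The page does not say which misconfiguration was exploited at Grafana, so the example below (added here; not Grafana's workflow and not the group's tooling) illustrates the most common class: a workflow triggered by `pull_request_target` or `workflow_run`, which runs with the base repository's secrets and a write-capable `GITHUB_TOKEN`, that checks out and executes code from an untrusted pull request head. Workflows are passed in as already-parsed dicts (the shape `yaml.safe_load` produces); the two sample workflows and their secret names are constructed.

```python
"""Flag 'pwn request' misconfigurations in GitHub Actions workflows given as
parsed dicts. Added example; the sample workflows are constructed."""
import re
from dataclasses import dataclass

# Expressions that resolve to the PR author's code instead of the base branch.
UNTRUSTED_REFS = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"
)
# Triggers that run with secrets and a privileged token even for fork PRs.
DANGEROUS_TRIGGERS = {"pull_request_target", "workflow_run"}


@dataclass
class Risk:
    job: str
    step: int
    reason: str


def _triggers(workflow: dict) -> set[str]:
    # PyYAML parses an unquoted `on:` key as the boolean True; accept both.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def find_pwn_request_risks(workflow: dict) -> list[Risk]:
    """Return one Risk per untrusted checkout, plus one per later run step
    in the same job, when the workflow uses a privileged trigger."""
    if not (_triggers(workflow) & DANGEROUS_TRIGGERS):
        return []
    risks: list[Risk] = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        tainted = False
        for idx, step in enumerate(job.get("steps") or []):
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and UNTRUSTED_REFS.search(ref):
                tainted = True
                risks.append(Risk(job_name, idx,
                                  "checks out untrusted PR head under a privileged trigger"))
            elif tainted and "run" in step:
                risks.append(Risk(job_name, idx,
                                  "runs commands from the untrusted checkout with repo secrets available"))
    return risks


# Constructed: the vulnerable shape. The PR author controls package.json and
# the test scripts, so `npm test` runs their code with NPM_TOKEN in scope.
VULNERABLE = {
    "name": "CI",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test",
         "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
    ]}},
}

# Constructed: the hardened shape. `pull_request` gives fork PRs no secrets
# and a read-only token, so running their code is contained.
HARDENED = {
    "name": "CI",
    "on": {"pull_request": None},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}

if __name__ == "__main__":
    print(find_pwn_request_risks(VULNERABLE))
    print(find_pwn_request_risks(HARDENED))
```

If a workflow genuinely needs `pull_request_target` (for example to label PRs), keep it to steps that never check out or execute PR-controlled content, and give the job an explicit minimal `permissions:` block so that even a compromised step cannot push to the repository or read more than it needs. Running this scanner across every `.github/workflows/*.yml` in an organization is a cheap way to find the pattern before an extortion group does.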
UAT-8616 is a highly sophisticated, assessed China-nexus threat actor designated by Cisco Talos that has persistently exploited Cisco Catalyst SD-WAN infrastructure since at least 2023. On May 14–15, 2026, Talos attributed to the group with high confidence the exploitation of CVE-2026-20182 (CVSS 10.0), the sixth SD-WAN zero-day exploited in 2026, prompting CISA Emergency Directive 26-03, which mandated federal patching by May 17. The actor's infrastructure overlaps with Operational Relay Box (ORB) networks that Mandiant researchers have previously associated with China-nexus espionage operations.
Gunra first emerged in April 2025 targeting South Korean organizations using a Conti-based locker, then evolved into a full RaaS operation by pivoting to a custom-built encryptor. Confirmed at 32 victims as of March 2026 following a late-2025 lull, with activity surging again after new affiliate recruitment. The group is notable for imposing no restrictions on target industries — including hospitals and critical infrastructure — and operating almost exclusively in darkweb forums including RAMP, Rehub, Tierone, and Darkforums.
A previously undocumented threat cluster disclosed by Google Threat Intelligence Group (GTIG) / Mandiant in April 2026. UNC6692 combines email-bombing tactics with Microsoft Teams helpdesk impersonation to deliver the custom 'SNOW' malware suite (SNOWBELT browser extension, SNOWGLAZE Python tunneler, SNOWBASIN persistent backdoor). The group abuses legitimate cloud infrastructure — AWS S3 buckets and Heroku subdomains — for payload delivery and C2, and targets senior-level employees at an elevated rate (77% of observed incidents from March–April 2026). Assessed as financially motivated based on credential-focused post-compromise actions including LSASS dumping, Pass-the-Hash, and Active Directory database exfiltration.
A rapidly maturing ransomware group first observed in February 2025 and strongly assessed as a rebrand of the defunct Rbfs operation, based on overlapping victims, shared infrastructure, and synchronized activity cessation. NightSpire reached 259 claimed victims across 30+ countries by May 2026, posting 74 victims in Q1 2026 alone to rank among the top active groups. In April 2026, the group publicly announced a shift toward a RaaS affiliate model, marking a structural evolution from its closed in-house operation.
DragonForce has evolved from a pro-Palestine hacktivist group into a self-styled ransomware 'cartel' offering a white-label infrastructure model where affiliates operate independent brands using DragonForce encryption, negotiation portals, and leak sites. Ranked 6th by victim volume (426 DLS postings) with 56 victims in March 2026 alone, the group absorbed displaced RansomHub affiliates in April 2025 and formalized a partnership with Scattered Spider. The alliance struck Marks & Spencer (April 2025), Co-op, and Harrods in a coordinated UK retail wave causing over £500M in M&S market cap loss. Law enforcement pressure on Scattered Spider is intensifying: alleged leader Tyler Buchanan pleaded guilty in early April 2026, and member 'Bouquet' (Peter Stokes, 19) was arrested at Helsinki Airport on April 10, 2026 and federally charged on April 28.
Bitdefender Labs disclosed on May 13, 2026 that FamousSparrow conducted a multi-wave intrusion against an unnamed Azerbaijani oil and gas company between December 2025 and February 2026, the first documented FamousSparrow targeting of South Caucasus energy infrastructure. The group entered through the ProxyNotShell Exchange Server chain (CVE-2022-41040 and CVE-2022-41082) and returned to the same entry point across three distinct waves despite remediation attempts, deploying evolved variants of the Deed RAT (a ShadowPad successor) and the TernDoor backdoor via a two-stage DLL sideloading technique designed to evade sandbox analysis. The campaign is assessed as geopolitically driven: Azerbaijan has become a critical supplier of gas to 13 EU nations following the 2024 expiration of Russia's Ukraine gas transit agreement and the 2026 Strait of Hormuz disruptions.
Newly tracked threat actor disclosed in Google/Mandiant's May 2026 GTIG report. In March 2026, TeamPCP (UNC6780) compromised multiple GitHub repositories including LiteLLM (a widely-used AI gateway library) and the Trivy vulnerability scanner, embedding a credential stealer called SANDCLOCK in affected build environments. Stolen AWS keys and GitHub tokens were then provided to ransomware affiliates, marking the first documented AI supply chain attack specifically targeting LLM infrastructure for downstream ransomware operations.
On May 11, 2026, Google's Threat Intelligence Group (GTIG) disclosed the first confirmed in-the-wild case of a threat actor using an AI model to discover and weaponize a zero-day: a 2FA bypass in a popular open-source web-based system administration tool. The model identified a semantic logic flaw, a hard-coded trust assumption in the authentication flow, and produced a Python exploit bearing unmistakable LLM fingerprints (educational docstrings, a hallucinated CVSS score, textbook Pythonic formatting). GTIG assessed with high confidence that the actors planned a mass exploitation event and coordinated a silent patch with the vendor that disrupted the operation before it launched. The case shows how AI assistance can compress the time from a vulnerability's existence to a working exploit from weeks to days.
The Gentlemen is the breakout ransomware group of Q1 2026, climbing to #2 globally with 400+ public victims in under 10 months of operation. Founded by 'hastalamuerte,' a former senior Qilin affiliate who departed after a $48,000 commission dispute, the group arrived with a pre-staged stockpile of approximately 14,700 compromised FortiGate devices (exploited via CVE-2024-55591) and 969 validated brute-forced VPN credentials. On May 4, 2026, the group itself was breached by an anonymous party who exfiltrated its internal database from hosting provider 4VPS, exposing full operational structure, ransom negotiations, and confirmed use of DeepSeek and Qwen AI models to accelerate ransomware development. Chain-victimization — using data from one victim to attack that victim's clients — is a confirmed tactic.
CYFIRMA's Research and Advisory Team discovered Rex Ransomware in underground forums on or before May 15, 2026. The strain encrypts files appending a '.rex48' extension (numeric suffix varies by variant) and drops an HTML ransom note (RANSOM_NOTE.html) claiming to have exfiltrated data for double-extortion leverage. Currently assessed as an early-stage threat with conventional encryption mechanics and no confirmed advanced capabilities, though CYFIRMA assesses it has potential to mature into a more sophisticated operation with expanding cross-platform support and structured extortion methodologies.