Cyber Threat Brief — May 30 2026
1. PAN-OS GlobalProtect Auth Bypass — CVE-2026-0257
TL;DR: CVSS 7.8 authentication bypass lets unauthenticated attackers forge GlobalProtect VPN cookies and tunnel into internal networks. CISA KEV added May 29; Rapid7 confirmed two exploitation waves from a single threat actor.
What’s New:
- Forged authentication override cookies bypass GlobalProtect gateway auth when the portal/gateway certificate is reused for HTTPS service
- Rapid7 MDR observed Wave 1 (May 17, Vultr IPs) and Wave 2 (May 21, Dromatics Systems) — same spoofed MAC aa:bb:cc:dd:ee:ff links both
- Wave 2 achieved full VPN IP assignment granting direct internal network access
- CISA KEV added May 29 with federal deadline June 19
- Affects PAN-OS with GlobalProtect portal/gateway + authentication override cookies enabled
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| MAC address aa:bb:cc:dd:ee:ff | Attacker fingerprint | T1078.004 | GlobalProtect logs | Hunt for this exact spoofed MAC in GP auth logs |
| Machine names GP-CLIENT, DESKTOP-GP01 | Attacker fingerprint | T1078.004 | GlobalProtect logs | Alert on these machine names in VPN auth events |
| Cookie-based auth to local admin accounts | Exploitation indicator | T1550.004 | GlobalProtect system logs | Alert on cookie auth (vs. credential auth) to admin accounts |
| Vultr / Dromatics Systems source IPs | Attacker infra | T1133 | Firewall logs | Baseline VPN source IPs; alert on hosting provider origins |
| VPN IP assignment following cookie auth | Post-exploitation | T1133 | GlobalProtect logs | Correlate cookie auth events with subsequent IP pool assignments |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No GlobalProtect cookie auth bypass detection; need SPL for cookie-based admin auth from hosting provider IPs |
| Elastic | None | No specific rule; need alert on GP VPN auth with spoofed/default MAC addresses |
| Sigma | None | No rule; need GP log parsing for authentication override cookie usage patterns |
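As an added example (not from the brief, Rapid7 or Palo Alto), the correlation the tables above ask for: cookie-based auth to a local admin account, checked against the brief's fingerprints and a source-IP baseline, then escalated when a VPN IP assignment follows. The key=value record shape, field names, baseline range and sample records are constructed assumptions, not the PAN-OS log format.

```python
"""Correlate GlobalProtect cookie-based auth with a following VPN IP assignment.
Constructed example for the CVE-2026-0257 brief: the key=value record shape, the
field names and the baseline range are assumptions, not the PAN-OS log format."""
import ipaddress
from datetime import datetime, timedelta

LOCAL_ADMINS = {"admin"}                                   # assumed local admin accounts
ATTACKER_FINGERPRINTS = {"GP-CLIENT", "DESKTOP-GP01", "aa:bb:cc:dd:ee:ff"}  # from the brief
BASELINE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed normal VPN client range

def parse(line):  # 'k=v k=v ...' -> dict, with 'ts' converted to a datetime
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def auth_reasons(rec):
    """Reasons a gateway-auth event matches the brief's indicators (empty if none)."""
    reasons = []
    if rec["event"] != "gateway-auth" or rec["auth_method"] != "cookie":
        return reasons
    if rec["user"] in LOCAL_ADMINS:
        reasons.append("cookie auth to local admin account")
    if {rec["machine"], rec["mac"]} & ATTACKER_FINGERPRINTS:
        reasons.append("known attacker fingerprint")
    if not any(ipaddress.ip_address(rec["public_ip"]) in net for net in BASELINE_NETS):
        reasons.append("source outside VPN baseline")
    return reasons

def correlate(lines, window=timedelta(minutes=10)):
    """One alert per suspicious cookie auth; severity rises if an IP is assigned within window."""
    alerts, pending = [], {}
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        key = (rec["user"], rec["public_ip"])
        reasons = auth_reasons(rec)
        if reasons:
            alert = {"severity": "medium", "user": rec["user"], "public_ip": rec["public_ip"],
                     "reasons": reasons, "private_ip": None, "ts": rec["ts"]}
            alerts.append(alert)
            pending[key] = alert
        elif rec["event"] == "gateway-config-release" and (alert := pending.pop(key, None)):
            if rec["ts"] - alert["ts"] <= window:       # tunnel up: direct internal access
                alert["severity"], alert["private_ip"] = "high", rec["private_ip"]
                alert["reasons"].append("VPN IP assigned after cookie auth")
    return alerts

SAMPLE_LOGS = """\
ts=2026-05-21T10:00:00 event=gateway-auth auth_method=ldap user=jdoe public_ip=203.0.113.20 private_ip=- machine=LAPTOP-JD mac=00:11:22:33:44:55
ts=2026-05-21T10:01:00 event=gateway-auth auth_method=cookie user=admin public_ip=198.51.100.7 private_ip=- machine=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff
ts=2026-05-21T10:01:05 event=gateway-config-release auth_method=- user=admin public_ip=198.51.100.7 private_ip=10.20.0.55 machine=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff
""".splitlines()   # constructed records, not real GlobalProtect output
```

`correlate(SAMPLE_LOGS)` yields a single high-severity alert carrying all three auth reasons plus the assigned 10.20.0.55, while the LDAP login from the baseline range produces nothing.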
Sources: Rapid7 ETR Blog (May 29), Palo Alto Advisory, CISA KEV
2. Kimsuky Deploys HTTPSpy + HelloDoor with VS Code Tunnel Persistence
TL;DR: DPRK-linked Kimsuky targeted South Korean military and corporate entities (March–April 2026) using spoofed security software installers delivering HTTPSpy and the new Rust-based HelloDoor backdoor, with VS Code tunnels for persistent access.
What’s New:
- HTTPSpy delivered via fake South Korean security software installers (JSE/PIF/SCR/EXE droppers)
- HelloDoor: Rust-based PebbleDash variant (first seen Aug 2025, likely LLM-developed), delivered alongside httpMalice, MemLoad, httpTroy, AppleSeed, HappyDoor
- VS Code tunnel persistence via GitHub authentication + DWAgent RMM + Cloudflare Quick Tunnels
- Fake Webex meeting pages using legitimate meeting schedules as lures
- Targets: South Korean military, defense, corporate sectors
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| female-disorder-beta-metropolitan.trycloudflare[.]com | C2 (HelloDoor) | T1071.001 | DNS / proxy logs | Block and hunt |
| hxxps://www.pyrotech.co[.]kr/common/include/tech/default.php | C2 (httpMalice) | T1071.001 | Proxy logs | Block domain |
| hxxp://newjo-imd[.]com/common/include/library/default.php | C2 (httpMalice) | T1071.001 | Proxy logs | Block domain |
| hxxps://www.yespp.co[.]kr/common/include/code/out.php | C2 | T1071.001 | Proxy logs | Block domain |
| VS Code tunnel + GitHub auth from non-developer endpoints | Persistence | T1219 | EDR / process logs | Alert on code tunnel or VS Code Remote processes on non-dev machines |
| DWAgent RMM installation | Post-exploitation | T1219 | EDR / software inventory | Alert on DWAgent installation outside change windows |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None for HTTPSpy/HelloDoor | Need rule for VS Code tunnel process spawned from non-standard parent; need Cloudflare Quick Tunnel detection |
| Elastic | Suspicious VS Code Tunnel Connection (partial) | Gap: no HelloDoor/HTTPSpy-specific process detection |
| Sigma | proc_creation_win_vscode_tunnel.yml (partial) | Gap: no Kimsuky-specific dropper chain (JSE→PIF→SCR execution) detection |
Sources: The Hacker News (May 29), SC Media
3. LLM Agent Used for Autonomous Post-Exploitation — CVE-2026-39987 Update
TL;DR: First documented case of an LLM agent conducting autonomous post-exploitation: attacker exploited Marimo CVE-2026-39987, then an LLM agent extracted cloud credentials, pivoted to AWS Secrets Manager for SSH keys, and exfiltrated a full PostgreSQL database — end-to-end in under one hour.
What’s New:
- LLM agent (not human operator) performed the entire post-exploitation chain autonomously
- Attack chain: CVE-2026-39987 RCE → credential extraction → AWS Secrets Manager SSH key retrieval → 8 SSH sessions to bastion → full PostgreSQL schema + data exfiltration in <2 minutes
- Credentials replayed through fanned-out egress pool to obscure origin
- Recorded May 10 by Sysdig, disclosed May 29
- Represents a new TTP class: autonomous AI-driven lateral movement (T1557-adjacent)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Rapid sequential AWS API calls (GetSecretValue) from compromised Marimo host | AI-driven recon | T1552.005 | CloudTrail | Alert on GetSecretValue calls from notebook/web app instance roles |
| 8 SSH sessions in rapid succession to bastion from single source | AI-driven lateral movement | T1021.004 | SSH auth logs / VPC Flow Logs | Alert on burst SSH connection patterns from non-jump-box sources |
| Full pg_dump execution in <2 min window | Data exfiltration | T1005 | PostgreSQL logs | Alert on pg_dump from non-scheduled/non-DBA sources |
| Internet-exposed Marimo notebooks | Attack surface | T1190 | Asset inventory | Remove from internet; require auth proxy |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | AWS Credential Access GetSecretValue (partial) | Gap: no correlation with web-app-origin + rapid sequential API pattern |
| Elastic | None specific | Gap: no LLM-speed lateral movement detection (need burst-pattern SSH + API sequencing rules) |
| Sigma | None specific | Gap: no rule for autonomous post-exploitation velocity patterns |
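An added example (not from the brief or Sysdig) of the burst-pattern logic the gap column above calls for: a sliding-window counter over rapid GetSecretValue calls from a web-app instance role and rapid SSH sessions to a bastion, with exemptions for roles and jump boxes expected to behave that way. The CloudTrail-like and SSH-like record shapes, the role name, the jump-box address and the timestamps are constructed assumptions.

```python
"""Burst detection for the Marimo CVE-2026-39987 post-exploitation pattern.
Constructed example: the CloudTrail-like and SSH-like dicts, the role name
'marimo-notebook-role' and all timestamps are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WEB_APP_ROLES = {"marimo-notebook-role"}  # assumed: notebook roles never bulk-read secrets
JUMP_BOXES = {"10.0.0.5"}                 # assumed: hosts allowed many bastion SSH sessions

def normalise(raw):
    """Map a CloudTrail-like or SSH-like record to (ts, source, kind, exempt), else None."""
    ts = datetime.fromisoformat(raw["time"])
    if raw.get("eventName") == "GetSecretValue":
        role = raw["userIdentity"]["arn"].split("/")[1]   # assumed-role/<role>/<session>
        return {"ts": ts, "source": role, "kind": "secrets-read",
                "exempt": role not in WEB_APP_ROLES}
    if raw.get("msg") == "ssh-session-open":
        return {"ts": ts, "source": raw["src"], "kind": "ssh-to-bastion",
                "exempt": raw["src"] in JUMP_BOXES}
    return None

def detect_bursts(raw_events, window_s=120, threshold=5):
    """Alert once per (source, kind) when >= threshold events land within window_s seconds."""
    recent, fired, alerts = defaultdict(deque), set(), []
    events = [e for e in map(normalise, raw_events) if e and not e["exempt"]]
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["source"], ev["kind"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > timedelta(seconds=window_s):   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"source": ev["source"], "kind": ev["kind"], "count": len(q),
                           "span_s": (q[-1] - q[0]).total_seconds()})
    return alerts

def constructed_events():
    """Six secret reads 10 s apart from the notebook role, then eight SSH sessions in 70 s."""
    base = datetime(2026, 5, 10, 3, 0, 0)
    arn = "arn:aws:sts::123456789012:assumed-role/marimo-notebook-role/i-0abc"
    evs = [{"time": (base + timedelta(seconds=10 * i)).isoformat(),
            "eventName": "GetSecretValue", "userIdentity": {"arn": arn}} for i in range(6)]
    evs += [{"time": (base + timedelta(seconds=120 + 10 * i)).isoformat(),
             "msg": "ssh-session-open", "src": src}
            for i in range(8) for src in ("10.0.1.15", "10.0.0.5")]  # second host is a jump box
    return evs
```

Tune `window_s` and `threshold` against your own baseline; the jump-box sessions in the sample never alert because they are exempted before counting.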
Sources: The Hacker News (May 29), Sysdig Blog
Status Updates
- CVE-2026-42945 (NGINX Rift): ITW exploitation ongoing since May 16; 5.7M exposed instances. May 29 brief.
- CVE-2026-42897 (Exchange OWA XSS): FCEB deadline was May 29; no permanent patch yet (expected June 10). May 28 brief.
- CVE-2026-41091/CVE-2026-45498 (RedSun/UnDefend): CISA KEV federal deadline June 3; patched May 19-21. May 28 brief.
- CVE-2026-48172 (LiteSpeed cPanel): FCEB deadline was May 29; mass exploitation continues. May 28 brief.