the threat gazette
Morning Edition
Malware

Mirai-Family Botnet Actively Mass-Scanning EOL TP-Link Routers with No Patch Path Available

CVE-2023-33538 Ninja UPPERCUT

Unit 42 documents active, automated exploitation of CVE-2023-33538 across end-of-life TP-Link models (TL-WR940N v2/v4, TL-WR740N v1/v2, TL-WR841N v8/v10), with payloads consistent with Mirai-family botnet malware attempting download-and-execute on vulnerable devices. The EPSS score of 0.915 accurately reflects real-world exploitation pressure, and the KEV entry — originally due 2025-07-07 — confirms this vulnerability has been weaponized for at least nine months with no sign of scanning volume declining. Because all affected models are end-of-life, there is no vendor patch path: the only remediation is device replacement, which historically produces slow compliance even in managed environments. The continued mass scanning nearly a year past the KEV due date is a reliable indicator that a substantial unpatched population persists globally.

The past-due KEV date (July 2025) combined with active automated scanning in April 2026 points directly at unmanaged or forgotten IoT sitting on inadequately segmented networks. For a financial institution the primary risk surface isn't enterprise gear — it's vendor and third-party exposure: suppliers and service partners with poorly maintained network infrastructure running consumer-grade EOL routers. Worth running your external attack surface inventory and third-party questionnaire program against these specific model strings, and flagging any that show up in network visibility tooling.

Classic long-tail IoT exposure story: KEV since mid-2025, nine months of sustained scanning, affected models unpatchable by design. For a bank the relevance is entirely indirect — this is a supplier-side and vendor-network problem, and it pairs naturally with ongoing third-party risk reviews. Expect this scanner chatter to persist as background radiation for years, same shape as the Mirai/GPON and Realtek SDK tails.
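Running an asset export or third-party questionnaire response against the affected model strings is the one concrete action the item above calls for. The script below is an added example written for this digest, not code from Unit 42 or TP-Link: it classifies free-text inventory lines against the models and hardware revisions the item lists, and deliberately routes a listed model whose revision is missing or not in the set to a "review" bucket rather than declaring it clear. The inventory line format and host values are constructed.

```python
import re

# Affected models and hardware revisions as listed in the Unit 42 item above.
# Any other revision of these models is "review", never "clear", because the
# item only tells us which revisions are confirmed, not which are safe.
AFFECTED_REVISIONS = {
    "TL-WR940N": {2, 4},
    "TL-WR740N": {1, 2},
    "TL-WR841N": {8, 10},
}

_MODEL_RE = re.compile(r"\b(TL-WR\d{3}N)\b", re.IGNORECASE)
_HW_RE = re.compile(r"\bv\.?\s*(\d+)\b", re.IGNORECASE)


def classify(description: str):
    """Classify one free-text inventory or questionnaire line.

    Returns (status, model, hw_revision) where status is one of:
      "affected" - listed model and listed revision
      "review"   - listed model, revision missing or not in the listed set
      "clear"    - not one of the listed models
    """
    m = _MODEL_RE.search(description)
    if not m:
        return ("clear", None, None)
    model = m.group(1).upper()
    if model not in AFFECTED_REVISIONS:
        return ("clear", model, None)
    # Only look for the hardware revision after the model token, so a stray
    # "v<digits>" elsewhere on the line (firmware strings, tags) is ignored.
    hw = _HW_RE.search(description, m.end())
    if hw is None:
        return ("review", model, None)
    rev = int(hw.group(1))
    if rev in AFFECTED_REVISIONS[model]:
        return ("affected", model, rev)
    return ("review", model, rev)


def scan_inventory(lines):
    """Return every non-clear line with its classification, affected first."""
    order = {"affected": 0, "review": 1}
    hits = []
    for line in lines:
        status, model, rev = classify(line)
        if status != "clear":
            hits.append({"line": line, "status": status, "model": model, "hw": rev})
    hits.sort(key=lambda h: order[h["status"]])  # stable sort keeps input order within a bucket
    return hits


# Constructed sample of what an asset export or supplier questionnaire might
# contain. Hosts and site names are made up.
SAMPLE_INVENTORY = [
    "host=10.0.5.1 vendor=TP-Link model=TL-WR841N hw=v10 site=supplier-A",
    "host=10.0.5.2 vendor=TP-Link model=TL-WR841N hw=v11 site=supplier-A",
    "host=10.0.6.1 vendor=TP-LINK model=tl-wr740n (v1) site=supplier-B",
    "host=10.0.6.2 vendor=TP-Link model=TL-WR940N site=supplier-B",
    "host=10.0.7.1 vendor=Other model=XYZ-1000 v2 site=supplier-C",
]

if __name__ == "__main__":
    for h in scan_inventory(SAMPLE_INVENTORY):
        rev = f'v{h["hw"]}' if h["hw"] is not None else "revision unknown"
        print(f'{h["status"]:8} {h["model"]} {rev}: {h["line"]}')
```

The "review" bucket is the useful part: a supplier that reports the model but not the hardware revision has not answered the question, and a revision outside the listed set is unknown, not safe, until checked against the vendor's own EOL list.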

2026-04-16
1 source
+ CVE-2023-33538

Editorial

The Amtrak disclosure is the load-bearing item today, but only if you read it against Wednesday's McGraw Hill breach: ShinyHunters has now executed two Salesforce smash-and-grabs inside 48 hours (13.5M records, then 2.1M), which is operational tempo, not opportunism. The trust-layer thread we've tracked all week has narrowed to a specific, repeatable playbook against a single SaaS platform, and the control surface that actually matters is no longer "did we patch" but OAuth grant inventory, admin session lifetimes, and service-account scoping on Salesforce itself — the same hygiene questions the broader Scattered Spider/ShinyHunters cohort keeps answering for us in public. Assume the same crew is mid-campaign and that fresh disclosures land before the weekend.

NIST's 263% submission-surge framing today completes the pincer movement on vulnerability management: yesterday's confirmation that pre-March-2026 CVEs will never be enriched, plus today's explicit forward-looking capacity cap, means the NVD pipeline is now structurally degraded in both temporal directions at once. Unit 42's Mirai-on-EOL-TP-Link write-up (CVE-2023-33538, no patch path) is the tactical illustration — the risk is not on our estate but in supplier and third-party networks where unpatchable gear accumulates, and that exposure class is exactly what a diminished NVD is worst at characterising. Strategic implication for this readership: vendor-risk and external-attack-surface inventories are becoming the authoritative vulnerability dataset by default, and they need to be resourced as such rather than treated as a compliance artefact.

Notable

Ransomware

ShinyHunters Claims Amtrak Breach via Salesforce Compromise, 2.1M Customer Records Exposed

Scattered Spider

ShinyHunters — not Scattered Spider, despite the actor attribution in the story metadata — claims responsibility for a breach of Amtrak affecting approximately 2.1 million customer accounts, with exposed data including email addresses, names, physical addresses, and customer support records. The claimed vector is compromise of Amtrak's Salesforce instance, consistent with ShinyHunters' documented pattern of targeting SaaS CRM platforms prior to ransom demand and subsequent data publication. The source here is a HIBP breach listing with null authority, meaning technical details are unverified and the breach timeline is unconfirmed. No IOCs are available from this entry.

The actor tag conflates ShinyHunters with Scattered Spider, which are distinct groups despite prior operational overlap — the article content specifically names ShinyHunters. The more actionable signal is the Salesforce vector: ShinyHunters has a consistent and documented pattern of SaaS CRM targeting, and if your organization holds customer PII in Salesforce, a review of OAuth app grants, third-party data access permissions, and admin session controls is warranted independently of this specific breach. The transportation sector targeting is also a useful data point for understanding ShinyHunters' current victim selection criteria.

Second ShinyHunters-via-Salesforce disclosure in as many days after the 13.5M McGraw Hill dump covered yesterday — the SaaS-CRM lane is clearly the current operational focus, and the actor-metadata conflation with Scattered Spider is the usual noise around this cluster. Watch for the public dump to materialize on their preferred leak channel within weeks if the extortion demand goes unpaid; the Amtrak records are thin PII but useful for pretexting against the customer base.

Vulnerabilities

NIST Halts Comprehensive CVE Enrichment After 263% Submission Volume Surge

NIST has announced it will restrict detailed CVE enrichment — including CVSS scoring, CWE assignment, and CPE product mapping — in response to a 263% increase in vulnerability submissions that has overwhelmed NVD processing capacity. This creates a structural gap in the vulnerability intelligence ecosystem: tools and workflows that depend on NVD-provided CVSS scores or CPE matching for newly reported CVEs will receive degraded or absent metadata for an indeterminate period. EPSS remains independently maintained by FIRST and is unaffected; CISA's KEV remains authoritative for exploitation-confirmed tracking. The same announcement is covered in newsletter context within sibling story 5410.

This is an operational problem for vulnerability management programs that use NVD CVSS as the primary triage signal for patch prioritization — and that is most of them. The gap is specifically in severity scoring and product-to-CVE mapping, which directly impacts automated vulnerability management pipeline logic. Worth auditing your vuln management stack's data dependency chain now to identify where NVD enrichment is load-bearing: teams that have already shifted to EPSS-primary triage are better positioned, while CVSS-threshold-based SLA programs will need an interim data source strategy.

Same announcement as yesterday's VulnCon26 readout (story 5165), now re-framed around raw submission volume rather than a deliberate line-in-the-sand at March 2026 — the two explanations aren't mutually exclusive, and the practical effect is identical: CVSS-threshold SLA programs need an interim data source. EPSS-primary triage shops are fine; the pain falls on anyone whose vuln-mgmt logic is load-bearing on NVD CPE matching.
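The failure mode the two paragraphs above describe is easy to show in code: a CVSS-threshold SLA rule with a silent default quietly parks every unenriched CVE in the slowest bucket. The snippet below is an added example for this digest, not NIST's, FIRST's or any vendor's code. It puts the naive rule beside a triage order that consults KEV first, EPSS second, NVD CVSS third, and otherwise returns an explicit "unscored" state. The record shape, the 7.0 CVSS and 0.5 EPSS thresholds, and the priority labels are assumptions; CVE-2023-33538's KEV listing and 0.915 EPSS come from the Malware item above, and the CVE-0000-* identifiers are placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class VulnRecord:
    cve: str
    nvd_cvss: Optional[float]   # None while NVD enrichment is delayed or absent
    epss: Optional[float]       # FIRST EPSS probability, 0..1, maintained independently of NVD
    in_kev: bool                # listed in CISA KEV
    internet_facing: bool       # from your own asset inventory


def naive_sla_bucket(v: VulnRecord) -> str:
    """The pattern the item warns about: a CVSS threshold with a silent default.

    A missing NVD score is treated as 0.0, so an unenriched CVE lands in the
    slowest SLA bucket without anyone noticing.
    """
    score = v.nvd_cvss if v.nvd_cvss is not None else 0.0
    return "SLA-7d" if score >= 7.0 else "SLA-30d"


def triage(v: VulnRecord, cvss_threshold: float = 7.0, epss_threshold: float = 0.5):
    """Precedence: KEV, then EPSS, then NVD CVSS, then an explicit unscored state.

    Returns (priority, reason). Thresholds and labels are assumptions for the example.
    """
    if v.in_kev:
        return ("P1", "CISA KEV: exploitation confirmed")
    if v.epss is not None and v.epss >= epss_threshold:
        pri = "P1" if v.internet_facing else "P2"
        return (pri, f"EPSS {v.epss:.3f} >= {epss_threshold}")
    if v.nvd_cvss is not None:
        if v.nvd_cvss >= cvss_threshold:
            return ("P2", f"NVD CVSS {v.nvd_cvss} >= {cvss_threshold}")
        return ("P3", f"NVD CVSS {v.nvd_cvss} below threshold")
    # No NVD score and no strong EPSS signal: keep the item visible in a
    # review queue instead of letting it default into the lowest bucket.
    pri = "P2-UNSCORED" if v.internet_facing else "P3-UNSCORED"
    return (pri, "NVD enrichment missing; needs vendor-advisory or manual scoring")


def unscored_drift(records):
    """CVEs the naive rule would silently put on the 30-day clock because they
    have no NVD score, i.e. the population an interim data source must cover."""
    return [
        r.cve for r in records
        if naive_sla_bucket(r) == "SLA-30d" and triage(r)[0].endswith("UNSCORED")
    ]


# Constructed sample. CVE-2023-33538's CVSS is left None because the item above
# does not state it; KEV membership and EPSS 0.915 are from the item.
SAMPLE = [
    VulnRecord("CVE-2023-33538", nvd_cvss=None, epss=0.915, in_kev=True, internet_facing=True),
    VulnRecord("CVE-0000-0001", nvd_cvss=None, epss=None, in_kev=False, internet_facing=True),
    VulnRecord("CVE-0000-0002", nvd_cvss=None, epss=0.71, in_kev=False, internet_facing=False),
    VulnRecord("CVE-0000-0003", nvd_cvss=5.3, epss=0.02, in_kev=False, internet_facing=False),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.cve}: naive={naive_sla_bucket(r)} triage={triage(r)}")
    print("would drift to 30d unscored:", unscored_drift(SAMPLE))
```

Running it shows the placeholder CVE with neither an NVD score nor an EPSS value going to SLA-30d under the naive rule while the layered order holds it as P2-UNSCORED; that list is the audit question for any pipeline where NVD CVSS is load-bearing.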

Briefs

Geopolitical

Risky Biz newsletter roundup — NIST CVE item is the only signal, covered elsewhere

Policy briefing on NIST CVE enrichment restrictions explicitly names Scattered Spider, APT28, and five other tracked threat actors in the context of vulnerability exploitation.

CVE-2026-22666 CVE-2026-33032 CVE-2026-40478 APT28 Black Basta Lazarus Group Qilin Scattered Spider UAC-0247 UNC2465 Black Basta Conficker Milan Qilin SMOKEDHAM UPPERCUT