Cybersecurity Weekly Briefing, 2-8 May

May 8, 2026

Apache patches CVE-2026-23918 vulnerability that allows remote code execution

The Apache Software Foundation has released a patch for the CVE-2026-23918 vulnerability (CVSSv3 8.8). This is a severe memory corruption vulnerability that can lead to anything from a denial of service (DoS) to remote code execution (RCE).

The flaw is a double free triggered by an early stream reset in HTTP/2. It can cause a DoS or lead to remote code execution, which in turn allows total control of the system, data theft or the deployment of ransomware. No public PoCs have been reported, but the patch is already available in version 2.4.67; it is recommended to update immediately, monitor logs, temporarily disable HTTP/2 until the update is applied, and strengthen network security measures.
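As an added example (not from the briefing), a POSIX shell check that parses an httpd version banner, compares it against the patched release 2.4.67 and reports whether the HTTP/2 module is loaded. The banner and module-list lines are constructed samples; on a real host the same functions would be fed the output of `httpd -v` and `httpd -M`, which are assumed to be available.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2026-23918 (Apache httpd, fixed in 2.4.67).
# Not part of the briefing or of the Apache project.

PATCHED="2.4.67"

# Return 0 (true) if version $1 is older than version $2, comparing each
# dotted field numerically; missing trailing fields count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a="" || a=${a#*.}
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Extract "2.4.66" from a "Server version: Apache/2.4.66 (Unix)" banner line.
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the banner shows a release that still needs the CVE-2026-23918 patch.
needs_patch() {
    v=$(httpd_version_from_banner "$1")
    [ -n "$v" ] && version_lt "$v" "$PATCHED"
}

# Return 0 if mod_http2 appears in `httpd -M` style output (one module per line).
h2_loaded() {
    printf '%s\n' "$1" | grep -q 'http2_module'
}

# Constructed sample inputs so the script runs offline.
SAMPLE_OLD="Server version: Apache/2.4.66 (Unix)"
SAMPLE_NEW="Server version: Apache/2.4.67 (Unix)"
SAMPLE_MODULES=" ssl_module (shared)
 http2_module (shared)"

if needs_patch "$SAMPLE_OLD"; then echo "sample 1: update required"; fi
if needs_patch "$SAMPLE_NEW"; then :; else echo "sample 2: patched"; fi
if h2_loaded "$SAMPLE_MODULES"; then echo "HTTP/2 enabled: disable until patched"; fi
```

On a live host, replace the samples with `"$(httpd -v)"` and `"$(httpd -M 2>/dev/null)"` (or the `apache2ctl` equivalents on Debian-based systems).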


UAT-8302, a new China-linked APT group, reuses malware from various groups to target government entities

Cisco Talos attributes, with high confidence, campaigns targeting government entities in South America since at least late 2024 and agencies in south-eastern Europe in 2025 to UAT-8302, a China-linked APT group. Following the initial compromise, the actor conducts extensive reconnaissance, credential harvesting, Active Directory information gathering and lateral movement using tools such as Impacket, WMI, Stowaway, SoftEther VPN, QScan and PortQry.

UAT-8302 deploys several malware families previously associated with Chinese actors, including NetDraft (NosyDoor), a .NET backdoor derived from FinalDraft/SquidDoor, and CloudSorcerer v3, previously observed in attacks against Russian government entities, which obtains C2 infrastructure from legitimate services such as GitHub or GameSpot.

UAT-8302 operates using the VSHELL framework, employing the SNOWLIGHT stagers and their Rust variant SNOWRUST to download obfuscated payloads.

The primary objective is to maintain long-term persistent access, exfiltrate credentials and Active Directory information, and establish multiple backdoor channels via proxies (Stowaway, SoftEther VPN).


DAEMON Tools supply chain attack active for a month compromises hundreds of countries

Kaspersky researchers have discovered that the official DAEMON Tools installers for Windows, distributed with a legitimate digital signature from AVB Disc Soft, had been trojanised since 8 April 2026, with versions between 12.5.0.2421 and 12.5.0.2434 compromised.

The tampered binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) activate an implant on every system boot, which contacts a domain registered on 27 March (env-check.daemontools[.]cc) to receive shell commands and download chained payloads: a system information collector, a shellcode loader and a minimalist backdoor with support for multiple C2 protocols (HTTP, UDP, TCP, WSS, QUIC, DNS, HTTP/3).

The backdoor includes code injection into legitimate processes such as notepad.exe and conhost.exe, and in selected victims (a dozen organisations in Russia, Belarus and Thailand across the retail, public administration and manufacturing sectors), QUIC RAT was also deployed. Kaspersky recorded several thousand infection attempts in over 100 countries, including Spain, Germany, France and Italy, although the secondary backdoor was delivered selectively. Forensic evidence points to a Chinese-speaking actor.

It is recommended that computers with DAEMON Tools installed be isolated immediately and that thorough security sweeps be carried out.


KidsProtect: stalkerware for Android marketed as parental control

Researchers at Certo have uncovered a new piece of spyware called KidsProtect. It is a remote access trojan (RAT) for Android that operates in the background and can only be removed via the operator’s control panel.

Via a web interface, the attacker can carry out multiple surveillance actions, such as secretly recording calls, streaming live audio from the device’s microphone, tracking real-time GPS location, reading SMS messages and notifications from apps such as WhatsApp and Viber, logging keystrokes, accessing contacts and photos, and remotely activating the front and rear cameras. Another notable feature is that it allows buyers to create their own variants.

Labelling this type of spyware as a child protection tool helps to give it a false sense of legitimacy and makes it harder to detect. The tool is sold via a subscription model starting at $60.


The FBI has alerted the transport sector to a sharp rise in cargo theft via cyberattacks

The FBI is warning the logistics and transport sectors of a rise in cargo theft, with estimated losses in the United States and Canada set to reach nearly $725 million by 2025.

Since at least 2024, attackers have compromised freight broker and carrier systems through phishing: fake emails from intermediaries carry malicious links disguised as transport agreements, which redirect users to sites that download malicious executables and remote administration software.

Once inside, they use stolen accounts to post fraudulent freight offers on industry platforms, impersonate legitimate companies, spread to other systems, and redirect genuine shipments for theft and subsequent illegal resale.

It is recommended to strengthen identity verification, implement multi-factor authentication, improve email security and exercise extreme caution with links and attachments to reduce the risk of intrusion and cargo theft.
