Cybersecurity Weekly Briefing, 23-29 May
Public exploit for a vulnerability in the Windows 11 kernel that allows escalation to SYSTEM
The vulnerability CVE-2026-40369 (CVSSv3 7.8 according to the vendor) affects the Windows 11 kernel and allows an unprivileged process to modify kernel memory to escalate privileges to SYSTEM. The flaw lies in an untrusted pointer dereference in ExpGetProcessInformation, exploitable via a call to NtQuerySystemInformation. The flaw is accessible from highly restricted environments such as browser sandboxes, allowing it to be chained with remote code execution exploits to gain full control of the system.
Researcher Ori Nimron has published a complete exploit for this flaw. Because NtQuerySystemInformation is a core NT syscall rather than a win32k call, the win32k lockdown in Chrome, Edge and Firefox does not apply, so any code execution vulnerability in the browser renderer can be chained with CVE-2026-40369 to escalate from sandboxed code to SYSTEM privileges, with 100% reliability when combined with a KASLR bypass.
The exploit is public and available in open-source repositories. Microsoft shipped a fix in the May 2026 cumulative updates for Windows 11 (versions 24H2 and 25H2 are affected); there is no alternative configuration-based mitigation, so applying the patch should be treated as urgent.
Screening Serpens espionage campaign featuring six new RAT variants
Palo Alto Networks’ Unit 42 has documented an intense campaign by the Iranian APT group Screening Serpens, also known as UNC1549 or Smoke Sandstorm, which between February and April 2026 deployed six new RAT variants against entities in the United States, Israel, the United Arab Emirates and at least two additional targets in the Middle East. The group, active since 2022 and having expanded into Western Europe in 2025, operated at a sustained high pace, timing its attacks to coincide with the start of the regional conflict on 28 February 2026.
The two new malware families identified, MiniUpdate and MiniJunk V2, are distributed via spear phishing using job offer lures that impersonate airlines, video conferencing platforms and recruitment portals, specifically targeting the aerospace, defence and telecommunications sectors. The most sophisticated technique documented is AppDomainManager hijacking: using a legitimate XML configuration file, the actor natively disables Event Tracing for Windows (ETW) prior to payload execution, depriving EDR solutions of their primary source of .NET telemetry without resorting to memory patching or API hooking. Indicators of compromise include C2 domains hosted on Azure that impersonate entities in the healthcare and financial sectors in the April campaigns targeting the Middle East.
Security teams should prioritise the detection of anomalous .NET configurations that disable ETW and monitor the creation of scheduled tasks with names such as WindowsSecurityUpdate.
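As an added illustration of the detection advice above (not code from the Unit 42 report), the following scanner flags .NET application config files whose runtime section switches ETW off or redirects the AppDomainManager. The element names etwEnable, appDomainManagerAssembly and appDomainManagerType are standard .NET Framework runtime settings known to the author of this example; the report summarised here does not name them, and the sample configs are constructed.

```python
"""Triage .NET *.exe.config files for the ETW-off + AppDomainManager pattern."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed benign sample: only an ordinary assembly binding redirect.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="ExampleLib" publicKeyToken="PLACEHOLDER" />
        <bindingRedirect oldVersion="0.0.0.0-2.0.0.0" newVersion="2.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed suspicious sample modelled on the technique: ETW disabled and the
# AppDomainManager pointed at a non-standard assembly (placeholder names).
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <etwEnable enabled="false" />
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>"""

def scan_config(xml_text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for runtime settings worth reviewing."""
    findings: List[Tuple[str, str]] = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    etw = runtime.find("etwEnable")  # <etwEnable enabled="false"/> silences CLR ETW events
    if etw is not None and etw.get("enabled", "true").lower() == "false":
        findings.append(("etw_disabled", "runtime/etwEnable enabled=false"))
    for tag in ("appDomainManagerAssembly", "appDomainManagerType"):
        el = runtime.find(tag)  # either element makes the CLR load a custom manager at start-up
        if el is not None:
            findings.append(("appdomainmanager_override", f"{tag}={el.get('value')}"))
    return findings

def severity(findings: List[Tuple[str, str]]) -> str:
    """Both settings together match the documented chain; one alone is still unusual."""
    kinds = {kind for kind, _ in findings}
    if {"etw_disabled", "appdomainmanager_override"} <= kinds:
        return "high"
    return "medium" if kinds else "none"
```

Run it over every *.exe.config next to recently created executables (and against the files referenced by the WindowsSecurityUpdate scheduled task, if present) and escalate anything rated high.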
Payload consolidates a ransomware operation using ChaCha20 and Curve25519
Dark Atlas has published a report on the Payload ransomware, which emerged in February 2026, adopting a double extortion model from day one and demonstrating immediate global reach. As of 24 March, its leak site already listed 50 compromised organisations, with a notable presence in logistics, real estate (particularly in Egypt and the MENA region), manufacturing and professional services.
Technically, the Payload binary is a PE32 executable for Windows that encrypts files with ChaCha20, deriving a unique key per file via an ECDH key exchange over Curve25519: for each file it generates a 32-byte ephemeral private key and a 12-byte nonce via CryptGenRandom, computes the shared secret against the operator’s embedded public key, and uses that secret directly as the ChaCha20 key without a KDF. The ephemeral key is wiped from memory and the shared secret is never written to disk, making recovery without the attacker’s private key computationally infeasible.
The binary exposes 14 command-line flags to customise behaviour, deletes VSS snapshots using vssadmin, patches the ETW routines in ntdll, clears Windows Event Log channels, and uses direct NT APIs with IOCP-based multithreading for parallel encryption while terminating database, backup and security processes. A mutex named MakeAmericaGreatAgain ensures single-instance execution.
Ubiquiti patches three CVSS 10.0 vulnerabilities in UniFi OS
Ubiquiti has released emergency patches for five critical vulnerabilities in UniFi OS that affect a very wide range of devices: Dream Machines, network video recorders, industrial gateways and NAS systems. Three of the five flaws, CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910, have a vendor-assigned CVSSv3 score of 10.0, do not require authentication and allow an attacker on the adjacent network to make unauthorised changes to the system, manipulate underlying account files or execute arbitrary commands remotely.
The simultaneous presence of three maximum-scoring vulnerabilities with no credential requirement makes these devices very high-value targets, particularly in enterprise environments where UniFi devices act as network gateways or video surveillance aggregation points.
Administrators should update most devices to UniFi OS Server 5.1.12 or later, or to 4.0.14 for UniFi Express, and restrict access to management interfaces to trusted networks or VPNs.
NightSpire ransomware has compromised 64 organisations across 33 countries, including Spain
Picus Security has published a report on the NightSpire ransomware group, which has targeted 64 victims across 33 countries, including Spain, from the government, healthcare, financial and transport sectors. The group uses Chrome Remote Desktop and AnyDesk for covert persistence, exfiltrates data via MEGAsync to MEGA, and encrypts both local storage and files synchronised with OneDrive. The encryptor is written in Go for cross-platform compatibility.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.