Issue #007 · May 27, 2026

Cyber Threat Brief — Issue #007

What's active. What matters. What to do about it.

Priority Actions This Week

  1. 01Verify Microsoft Defender Malware Protection Engine has updated to version 1.1.26040.8 or later on all Windows endpoints, especially managed devices, offline systems, and privileged workstations.
  2. 02Apply Microsoft Defender Antimalware Platform update to version 4.18.26040.7 or later and confirm definition updates are flowing correctly.
  3. 03Apply the Microsoft Exchange Server security update addressing CVE-2026-42897 and audit Exchange access logs for anomalous session activity.
  4. 04Audit legacy Windows assets for unpatched vulnerabilities from 2008–2010, particularly any systems running Internet Explorer or older DirectX components.

Active Campaigns

[ ESCALATING ]Microsoft Defender Weaponized Against Itself — Two Zero-Days Actively Exploited
ACTOR: Multiple threat actors — nation-state and financially motivatedTARGETS: Every Windows endpoint running Microsoft Defender — effectively every managed Windows device worldwide

Two Microsoft Defender zero-days, tracked as RedSun and UnDefend by the researcher who discovered them, are being actively exploited in the wild. RedSun allows an authenticated local attacker to escalate to SYSTEM-level privileges by exploiting how Defender's Malware Protection Engine resolves file links before accessing them. UnDefend allows any standard user to block Defender from receiving definition updates, effectively blinding the endpoint protection layer and creating a window for follow-on attacks. Both were added to the CISA KEV catalog on May 20, 2026, with a federal remediation deadline of June 3. The combination is particularly dangerous as a chained attack. UnDefend disables Defender's ability to update its threat definitions. RedSun then elevates the attacker to SYSTEM. The security tool defending the endpoint becomes the attack path into it. Microsoft Defender updates are automatic by default but organizations should manually verify the patch landed, especially on managed devices, offline systems, and privileged workstations.

[ ACTIVE ]MuddyWater Operation Olalampo — Iranian Espionage Campaign Expands Globally
ACTOR: MuddyWater (Mango Sandstorm) — Iranian Ministry of Intelligence and SecurityTARGETS: Government agencies, financial services, industrial manufacturers, airports, and critical infrastructure across MENA, Southeast Asia, South Korea, and Latin America

Operation Olalampo, MuddyWater's 2026 espionage campaign first observed on January 26, has continued to expand in scope and geographic reach through May. New reporting from Symantec and Carbon Black confirms the campaign has hit at least nine organizations across nine countries on four continents in Q1 2026 alone, including a major South Korean electronics manufacturer, an international airport in the Middle East, and a Latin American financial services provider. The campaign deploys four novel malware families — GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor — delivered via spear-phishing emails with malicious Office document attachments tailored to regional themes. The CHAR backdoor is Rust-based, and Group-IB researchers identified evidence of AI-assisted development in the malware construction, consistent with the broader 2026 trend of nation-state actors integrating AI into their development pipelines. MuddyWater's mandate is strategic intelligence collection, not financial theft. The group is patient, maintains long-dwell access, and extracts sensitive communications and intellectual property over extended periods before detection.

[ ACTIVE ]Ancient Windows Bugs Return — 2008-Era Vulnerabilities Back in Active Exploitation
ACTOR: APT groups and ransomware actors — blending legacy exploits with modern payloadsTARGETS: Organizations running unpatched legacy Windows infrastructure, air-gapped environments

CISA's May 20, 2026 KEV catalog update included four Microsoft vulnerabilities from 2008, 2009, and 2010 alongside the two Defender zero-days. CVE-2008-4250, CVE-2009-1537, CVE-2010-0249, and CVE-2010-0806 affect Windows components including Internet Explorer and DirectX. The return of decade-old exploits to active exploitation status is not an anomaly. Threat intelligence firms report that APT groups and ransomware actors are deliberately blending legacy exploits with modern payloads to evade endpoint detection tools trained on contemporary attack patterns. A 2008 Windows buffer overflow paired with a 2026 Defender bypass payload is a combination that legacy-aware EDR tools may not catch. The inclusion of CVE-2010-2568, a Windows LNK file vulnerability historically associated with Stuxnet and air-gap jumping techniques, suggests a possible resurgence of interest in targeting isolated or air-gapped environments.

CVE Watch

CVE-2026-41091CVSS 7.8[ ESCALATING ]

PRODUCT: Microsoft Defender (Malware Protection Engine)

WHAT IT MEANS:

Known as RedSun, this local privilege escalation vulnerability in Microsoft Defender's Malware Protection Engine allows an authenticated local attacker to gain SYSTEM-level privileges by exploiting how the engine resolves file links before accessing them. SYSTEM is the highest privilege level on Windows. An attacker who escalates to SYSTEM can disable security tools, deploy persistent payloads, access all data on the machine, and create new high-privilege accounts. The particular danger here is that Defender, the tool designed to protect the endpoint, becomes the escalation path into it. Active exploitation confirmed. CISA KEV deadline June 3, 2026.

ACTION:Verify Microsoft Defender Malware Protection Engine has updated to version 1.1.26040.8 or later on all Windows endpoints, particularly managed devices, offline systems, and privileged workstations where automatic updates may not have applied.

CVE-2026-45498CVSS 4[ ESCALATING ]

PRODUCT: Microsoft Defender Antimalware Platform (UnDefend)

WHAT IT MEANS:

Known as UnDefend, this denial-of-service vulnerability in the Microsoft Defender Antimalware Platform allows any standard user — no administrator privileges required — to block Defender from receiving threat definition updates. An attacker who triggers UnDefend creates a window where Defender cannot recognize new threats, effectively blinding the endpoint protection layer. When chained with RedSun, the combination allows an attacker to first blind Defender, then use Defender itself to escalate to SYSTEM. The CVSS score of 4.0 understates the real-world risk because it does not account for chaining. Active exploitation confirmed. CISA KEV deadline June 3, 2026.

ACTION:Apply Microsoft Defender Antimalware Platform update to version 4.18.26040.7 or later and verify Defender definition updates are flowing correctly on all endpoints after patching.

CVE-2026-42897CVSS 8.1[ ACTIVE ]

PRODUCT: Microsoft Exchange Server (on-premise)

WHAT IT MEANS:

A cross-site scripting vulnerability in on-premise Microsoft Exchange Server has been confirmed as actively exploited in real-world attacks. Exchange Server is a high-value target because it holds the email communications of entire organizations and often has broad network access. Cross-site scripting in Exchange can be used to steal session tokens, impersonate users, and pivot into connected systems. CISA added CVE-2026-42897 to the KEV catalog on May 15, 2026. Organizations still running on-premise Exchange rather than Exchange Online should treat this as an urgent remediation, as on-premise Exchange has been a persistent high-priority target for both nation-state and ransomware actors throughout 2025 and 2026.

ACTION:Apply the Microsoft Exchange Server security update addressing CVE-2026-42897 immediately and audit Exchange access logs for anomalous session activity or unauthorized mailbox access.

Threat Actor Activity

MuddyWater (Mango Sandstorm)[ ACTIVE ]

Operation Olalampo confirmed hitting nine organizations across nine countries on four continents in Q1 2026. New victims include a South Korean electronics manufacturer, a Middle Eastern airport, and a Latin American financial services provider. The campaign deploys AI-assisted Rust malware and uses Telegram as a command-and-control channel.

TeamPCP (UNC6780)[ ACTIVE ]

No new confirmed campaigns since the GitHub breach on May 19. The Mini Shai-Hulud campaign remains active and the group retains capability for further developer tooling attacks. GitHub's investigation into the extent of the breach is ongoing.

Coinbase Cartel (SLSH cluster)[ ACTIVE ]

Grafana ransom refusal stands. No confirmed data leak as of publication. The group's 170-victim leak site remains active. Repeat extortion of prior victims remains a documented risk.

APT28 / Forest Blizzard[ ACTIVE ]

CVE-2026-32202, the Windows Shell spoofing flaw enabling zero-click NTLM credential theft via LNK files, remains actively exploited by APT28 against government and diplomatic targets. Patch Tuesday fixes are available and should be applied across all Windows systems.

Salt Typhoon[ MONITORING ]

No new confirmed activity. Full eviction from US telecommunications infrastructure remains unconfirmed by independent sources. Congressional oversight continues.

Volt Typhoon[ MONITORING ]

No new confirmed activity. Pre-positioning in US critical infrastructure from prior periods remains unresolved. Operational silence consistent with established long-dwell pattern.

Key Takeaway

This issue centers on a category of attack that deserves its own name: security tool inversion. Two of the three CVEs covered this week involve Microsoft Defender being used against the endpoints it protects. RedSun turns Defender's own scanning engine into a privilege escalation path to SYSTEM. UnDefend turns off Defender's ability to recognize new threats, creating the window RedSun needs. The security layer designed to catch attackers becomes the attack surface. This is not a new concept — attackers have targeted endpoint protection tools for years precisely because they run with elevated privileges and broad file system access. What is new is the pace at which these vulnerabilities are being found, disclosed, and immediately weaponized. Both Defender flaws were publicly disclosed and confirmed as actively exploited within eight days of Patch Tuesday. Separately, the return of 2008-era Windows vulnerabilities to CISA's active exploitation list is a reminder that the threat landscape does not retire old techniques. It stacks them. A 2008 buffer overflow paired with a 2026 Defender bypass is a combination that many modern detection stacks will not recognize. Patch what is old. Patch what is new. The distinction matters less than the patching.

Sources

  • CISA Known Exploited Vulnerabilities Catalog
  • Microsoft Security Response Center
  • Help Net Security
  • The Hacker News
  • BleepingComputer
  • Symantec Threat Hunter Team
  • Carbon Black
  • Group-IB Threat Intelligence
  • Cybersecurity News