Cybersecurity Incidents and Alerts: A Roundup of Major Threats from May 6–7, 2026

Cybersecurity incidents escalated in early May 2026, impacting critical infrastructure and organizations worldwide. This roundup explores significant threats, including ransomware, state-sponsored espionage, and sophisticated phishing campaigns, offering insights and actionable recommendations.

Ransomware and Double Extortion Attacks

The Qilin ransomware group targeted Ahorramas, a major Spanish supermarket chain, in a double extortion attack. The group leaked sensitive data, including employee DNIs and financial records. Ahorramas confirmed the breach but stated that customer data was not compromised.

Ransomware attacks have become more sophisticated, targeting critical sectors such as healthcare, finance, and retail. These attacks often involve double extortion, where data is both encrypted and leaked, increasing pressure on victims to pay. The Qilin group, known for its aggressive tactics, has ramped up operations, conducting over 700 attacks in 2025 alone, and has targeted other Spanish entities, showing a persistent threat to the region.

The attack on Ahorramas underscores the need for robust cybersecurity measures and incident response plans. Organizations must segment sensitive data and deploy advanced detection systems to mitigate such threats. The incident also highlights the importance of reporting breaches to authorities such as the National Cybersecurity Institute (INCIBE) and the Spanish Data Protection Agency (AEPD) to strengthen collective defense.

State-Sponsored Cyber Espionage: Russia’s GRU Training Pipeline

An investigative consortium uncovered Russia’s covert cyber warfare training program at Bauman Moscow State Technical University. The program, linked to the GRU, trains students in hacking, disinformation, and election interference. This revelation underscores the escalating threat of state-sponsored cyber espionage.

The secret faculty, Department 4 (Special Training), operates under the GRU (Russian military intelligence), recruiting top students for careers in hacking, disinformation, and election interference. Leaked documents reveal a systematic pipeline where students are trained in password attacks, trojan deployment, and psychological manipulation before being assigned to notorious units like Fancy Bear (Unit 26165) and Sandworm (Unit 74455).

Key findings include:

  • Curriculum Highlights: Courses on ‘Defence against Technical Reconnaissance’ (144 hours), disinformation campaign development, and hacking US/UK military intelligence structures. Students must create custom computer viruses and social media manipulation videos as part of assessments.
  • Notable Instructors: Lt. Col. Kirill Stupakov (signals intelligence, GRU Unit 45807) and Maj. Gen. Viktor Netyksho (sanctioned commander of Fancy Bear, indicted for 2016 US election interference).
  • Graduate Placements: The 2024 cohort included Daniil Porshin, assigned to Fancy Bear, and others deployed to Sandworm (linked to attacks on Ukraine’s power grid, the 2017 Macron campaign, and the 2018 Winter Olympics).
  • Kremlin Narrative Integration: Teaching materials propagate pro-war propaganda, framing Ukraine’s conflict as a ‘genocide’ against Russians and justifying cyber operations as defensive measures.

The revelation aligns with warnings from Western intelligence agencies about Russia’s escalating hybrid warfare, combining cyberattacks, sabotage, and influence operations to destabilize Europe. The Dutch intelligence service and Sweden’s civil defense minister have recently accused Russia of targeting EU critical infrastructure with destructive cyberattacks.

Phishing and Social Engineering Campaigns

Cybercriminals are leveraging AI tools to create hyper-personalized phishing messages. Traditional red flags are disappearing, making these scams harder to spot. Organizations must implement behavioral analytics and real-time URL scanning to combat these threats. AI-driven scams require deep scrutiny, as attackers tailor messages to victims’ roles or recent activities.

The St. Lucie County Sheriff’s Office (Florida) issued an alert about fake UPS delivery failure texts and emails that trick recipients into clicking malicious links or paying ‘redelivery fees’. The scam aims to steal credit card details or install malware. The Sheriff’s Office emphasizes: ‘DO NOT CLICK’ on unexpected delivery notifications, underlining the importance of user awareness.

Microsoft exposed a large-scale phishing operation targeting 35,000+ users across 26 countries, with 13,000+ organizations in healthcare, finance, and technology sectors at risk. Attackers used fake compliance warnings and urgent workplace updates to lure victims into downloading malicious PDFs, which redirected to cloned login pages. Advanced tactics included:

  • Adversary-in-the-Middle (AiTM): Real-time MFA bypass by intercepting authentication tokens.
  • CAPTCHA and QR Codes: Added layers to evade automated detection and appear legitimate.
  • Polished Lures: Emails mimicked corporate branding, with no obvious errors.

Microsoft warned that remote work trends have amplified phishing risks, as employees are more susceptible to urgency-based social engineering. Experts recommend multi-layered defenses, including email authentication protocols (DMARC/DKIM) and user training on QR code and PDF risks. Microsoft’s analysis details the multi-stage setup the campaign used to bypass security measures.

Supply Chain and Credential Theft: Microsoft Teams Exploited

Researchers at Rapid7 uncovered an Iranian state-sponsored APT group using Microsoft Teams as a phishing vector to steal credentials and bypass multi-factor authentication (MFA). The group, linked to Iran’s Ministry of Intelligence (MOIS), disguised their espionage operation as a ransomware attack. This incident highlights the dual-use risk of collaboration platforms like Teams for both legitimate and malicious purposes.

The attack flow involved several sophisticated steps:

  • Social Engineering: Threat actors sent external Teams chat requests to employees, initiating screen-sharing sessions.
  • Credential Harvesting: Victims were instructed to save passwords in ‘credentials.txt’ files and add attacker devices to their MFA configurations.
  • Phishing Page: A fake Microsoft Quick Assist portal captured additional credentials.
  • Lateral Movement: Using stolen credentials, attackers accessed Domain Controllers, deployed DWAgent/AnyDesk for persistence, and avoided ransomware encryption, indicating espionage motives.

The malware chain included:

  • ms_upd.exe: Downloader fetching WebView2Loader.dll (legitimate Microsoft DLL), an encrypted config (visualwincomp.txt), and Game.exe (a custom RAT with 12 commands, including C2 communication via uploadfiler[.]com:443).
  • Anti-Analysis: Sandbox/VM detection, XOR-encoded strings, and dynamic API resolution.

Attribution clues included:

  • Code-signing certificate: Signed with ‘Donald Gay’, tied to prior MuddyWater operations (Operation Olalampo).
  • C2 Domain: moonzonet[.]com linked to MuddyWater in early 2026.
  • Tactics: Use of pythonw.exe for injection and ‘IT Support’ persona on Teams, consistent with past campaigns.

Organizations are advised to:

  • Restrict external Teams messages and monitor unsolicited screen-sharing requests.
  • Audit MFA configurations for unauthorized devices.
  • Detect unusual RDP/DWAgent/AnyDesk activity on critical systems.

Reference: Hackers Exploit Microsoft Teams to Steal Credentials and Bypass MFA.
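As an added example (not code from this article or from Rapid7), the following Python script turns the indicators and recommendations above into a small hunt over constructed Sysmon-style JSON-lines telemetry: it flags the ms_upd.exe/Game.exe stagers, connections to the named C2 domains on 443, DWAgent/AnyDesk appearing on a domain controller, and pythonw.exe parenting a non-Python binary. The event field names, the DWAgent/AnyDesk binary names, the host inventory and the pythonw.exe heuristic are assumptions; the sample events are constructed.

```python
"""Hunt over constructed Sysmon-style JSON-lines telemetry for the Teams/MuddyWater
indicators named in this roundup. Field names, DWAgent/AnyDesk binary names and the
host inventory are assumptions; the sample events below are constructed."""
import json

C2_DOMAINS = {"uploadfiler.com", "moonzonet.com"}     # defanged in the report
STAGER_IMAGES = {"ms_upd.exe", "game.exe"}            # downloader and custom RAT
RAT_TOOLS = {"dwagent.exe", "anydesk.exe"}            # assumed binary names
DOMAIN_CONTROLLERS = {"dc01"}                         # constructed inventory

def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list:
    """Return the indicator names an event matches (empty list if benign)."""
    hits = []
    if event.get("event_id") == 1:                    # process creation
        image = image_name(event.get("image", ""))
        parent = image_name(event.get("parent_image", ""))
        if image in STAGER_IMAGES:
            hits.append("stager_binary")
        if image in RAT_TOOLS and event.get("host", "").lower() in DOMAIN_CONTROLLERS:
            hits.append("remote_tool_on_dc")
        # Heuristic (assumption): pythonw.exe parenting a non-Python binary.
        if parent == "pythonw.exe" and not image.startswith("python"):
            hits.append("pythonw_injection_host")
    elif event.get("event_id") == 3:                  # network connection
        dest = event.get("dest_host", "").lower().rstrip(".")
        if dest in C2_DOMAINS and int(event.get("dest_port", 0)) == 443:
            hits.append("known_c2_domain")
    return hits

def hunt(lines: list) -> list:
    findings = []                                     # (host, hits) per match
    for line in lines:
        ev = json.loads(line)
        hits = evaluate(ev)
        if hits:
            findings.append((ev.get("host", "?"), hits))
    return findings

SAMPLE_LOGS = [  # constructed, not real telemetry
    r'{"event_id":1,"host":"ws-17","image":"C:\\Temp\\ms_upd.exe","parent_image":"C:\\Windows\\explorer.exe"}',
    r'{"event_id":3,"host":"ws-17","image":"C:\\Temp\\Game.exe","dest_host":"uploadfiler.com","dest_port":443}',
    r'{"event_id":1,"host":"dc01","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe","parent_image":"C:\\Windows\\System32\\services.exe"}',
    r'{"event_id":1,"host":"ws-17","image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Python311\\pythonw.exe"}',
    r'{"event_id":1,"host":"ws-02","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe"}',
    r'{"event_id":3,"host":"ws-02","image":"C:\\Program Files\\Teams\\Teams.exe","dest_host":"login.microsoftonline.com","dest_port":443}',
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOGS))
```

Feed real process-creation and network events in the same shape (or adapt the field names) and extend the indicator sets as attribution matures; the two benign sample events show the rules stay quiet on ordinary activity.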

Final words

The cybersecurity landscape in May 2026 highlights the need for robust defenses against evolving threats. Organizations must prioritize incident response planning, threat intelligence sharing, and user training to mitigate risks. Stay vigilant against emerging threats and prepare for future challenges.
