Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning
Researchers tied a fresh Nimbus Manticore campaign to phishing and SEO poisoning targeting aviation, software, telecom, and oil and gas organizations across the U.S., Europe, and the Middle East. The operation used fake career lures, trojanized Zoom and SQL Developer installers, and new backdoors called MiniFast and MiniJunk V2, with evidence suggesting AI assisted some malware development. The campaign is notable for its move beyond direct phishing into search-driven software impersonation — a technique that can catch developers and technical users during routine work rather than requiring a targeted spear-phish. Organizations in the targeted sectors should scrutinize software downloads from search results, particularly installer packages for common developer and collaboration tools.
Ghost CMS Flaw Abused to Push ClickFix Attacks on Hundreds of Sites
Attackers are exploiting CVE-2026-26980, a patched Ghost CMS SQL injection flaw, to compromise more than 700 unpatched websites — including university sites — by exposing the Admin API key and using it to inject malicious JavaScript that redirects visitors into ClickFix-style malware execution flows. The attack chain is particularly effective because compromised sites appear legitimate, and visitors have no obvious reason to distrust content on a university or established organization’s domain. Site owners running Ghost should patch immediately, rotate any exposed Admin API keys, review recent content changes, and inspect published pages for injected scripts.
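The last recommendation above, inspecting published pages for injected scripts, is easy to automate. The following is an added example (not Ghost's code and not from the researchers' report): it parses a page's HTML with the standard library, flags every external script whose host is outside a site-specific allowlist, and flags inline scripts that show the clipboard-write and decode-then-run patterns that ClickFix lures rely on. The allowlist, the site hostname, and the sample page (with an obviously placeholder attacker domain and a base64 string that decodes to "PLACEHOLDER") are all constructed for the example.

```python
"""Audit published HTML for script elements that do not belong on the site.

Added example, not part of Ghost or the original research. Hosts, the sample
page and the attacker placeholder domain are constructed. A finding means
"review this page", not confirmed compromise.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"university.example", "cdn.jsdelivr.net"}

# Inline-script indicators worth a second look; order determines report order.
SUSPICIOUS_INLINE = [
    (re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy"), "clipboard write"),
    (re.compile(r"\batob\s*\("), "base64 decode"),
    (re.compile(r"\beval\s*\(|new\s+Function\s*\("), "dynamic code execution"),
]


class ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._current_src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._current_src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; buffer them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._current_src, "".join(self._buf)))
            self._in_script = False


def audit_page(html, site_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for one rendered page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname
            # A relative src (no host) is served by the site itself.
            if host and host != site_host and host not in allowed_hosts:
                findings.append(("external_script", src))
        else:
            hits = [label for pattern, label in SUSPICIOUS_INLINE if pattern.search(body)]
            if hits:
                findings.append(("inline_script", ", ".join(hits)))
    return findings


# Constructed sample page: a theme script and an allowlisted CDN script are
# expected; the two script elements at the end of <body> are the injected ones.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Department news</title>
<script src="/assets/built/theme.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib@1/lib.min.js"></script>
</head><body>
<article>Welcome week schedule...</article>
<script src="https://static.attacker-placeholder.invalid/loader.js"></script>
<script>
  var p = atob("UExBQ0VIT0xERVI=");
  navigator.clipboard.writeText(p);
  document.body.innerHTML += '<div>Paste to continue</div>';
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, "university.example"):
        print(f"{kind}: {detail}")
```

Run it against pages fetched from your own site (the published HTML, not the editor view, since the injection happens at the API layer) and diff the allowlist findings over time; a new external host appearing on many pages at once is the signal the Ghost compromises above would produce.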
NIST Publishes SP 1800-41 Draft to Focus on Ransomware Response and Operational Recovery in Manufacturing Networks
NIST released a draft practice guide aimed at helping manufacturers respond to and recover from cyberattacks affecting ICS and OT environments, with guidance covering ransomware response, operational recovery, log review, event analysis, restoration planning, and continuity for industrial processes. The guide is notable for treating recovery as an operational requirement rather than a post-incident IT task, which better reflects the reality that production downtime carries direct financial and safety consequences in manufacturing environments. Critical infrastructure and manufacturing security teams should review the draft and use the comment period to shape guidance that reflects real-world constraints.
‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains
Researchers described Underminr, a CDN and shared-hosting abuse technique that makes malicious traffic appear to connect to trusted domains while actually reaching attacker-controlled infrastructure, exploiting the gap that arises when defenders don’t correlate DNS decisions, edge IPs, SNI, Host headers, and CDN tenant routing together. The technique can bypass DNS filtering and protective DNS controls that operate in isolation, which is a meaningful gap in environments where those tools are treated as a primary egress control. High-risk environments should complement DNS filtering with full egress inspection that accounts for CDN routing behavior, and detection engineers should review whether their C2 detection logic accounts for this class of traffic blending.
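The correlation the researchers say defenders skip (DNS answers against the IP actually connected to, and the TLS SNI against the HTTP Host header inside the tunnel) can be expressed as a short join over two log sources. The following is an added example, not code from the Underminr research: the log formats, field names, and every record are constructed, it assumes an egress proxy that records SNI and Host (which requires TLS inspection), and it ignores timing and TTLs, which a production version would have to honour.

```python
"""Correlate resolver answers with egress TLS/HTTP metadata to surface
connections whose trusted-looking name does not match where they go.

Added example, not from the original research. Log formats, field names and
sample records are constructed. Each finding is a lead for review, not proof
of command-and-control traffic.
"""
from collections import defaultdict

# Constructed resolver log: which IPs each internal client was told a name
# resolves to. A real pipeline would also carry timestamps and TTLs.
DNS_LOG = [
    {"client": "10.0.0.5", "qname": "trusted.example", "answers": ["203.0.113.10", "203.0.113.11"]},
    {"client": "10.0.0.7", "qname": "trusted.example", "answers": ["203.0.113.10"]},
]

# Constructed egress log from a TLS-inspecting proxy: destination IP, the SNI
# the client offered in the handshake, and the Host header seen inside.
EGRESS_LOG = [
    {"client": "10.0.0.5", "dst_ip": "203.0.113.10", "sni": "trusted.example", "host": "trusted.example"},
    {"client": "10.0.0.5", "dst_ip": "203.0.113.11", "sni": "trusted.example", "host": "other-tenant.example"},
    {"client": "10.0.0.7", "dst_ip": "198.51.100.7", "sni": "trusted.example", "host": "trusted.example"},
    {"client": "10.0.0.9", "dst_ip": "203.0.113.10", "sni": "trusted.example", "host": "trusted.example"},
]


def build_dns_index(dns_log):
    """Map (client, qname) -> set of IPs the resolver returned to that client."""
    index = defaultdict(set)
    for rec in dns_log:
        index[(rec["client"], rec["qname"].lower())].update(rec["answers"])
    return index


def correlate(dns_log, egress_log):
    """Return (client, dst_ip, sni, reason) for connections that do not line up.

    Reasons:
      host_sni_mismatch    - the CDN routes on Host, so the name visible in TLS
                             is not the tenant actually reached
      no_dns_for_sni       - the client connected to a name it never resolved
                             through the monitored resolver
      ip_not_in_dns_answer - the client reached an IP the resolver never gave
                             it for that name
    """
    index = build_dns_index(dns_log)
    findings = []
    for conn in egress_log:
        sni = conn["sni"].lower()
        host = conn["host"].lower()
        key = (conn["client"], sni)
        if host != sni:
            findings.append((conn["client"], conn["dst_ip"], sni, "host_sni_mismatch"))
        if key not in index:
            findings.append((conn["client"], conn["dst_ip"], sni, "no_dns_for_sni"))
        elif conn["dst_ip"] not in index[key]:
            findings.append((conn["client"], conn["dst_ip"], sni, "ip_not_in_dns_answer"))
    return findings


if __name__ == "__main__":
    for client, dst_ip, sni, reason in correlate(DNS_LOG, EGRESS_LOG):
        print(f"{client} -> {dst_ip} (sni={sni}): {reason}")
```

The first two reasons are the ones a DNS-only control cannot see at all, which is the gap the article describes: protective DNS approved the name, but the bytes went to a different tenant or a different edge. Expect benign noise from clients that resolve over DoH or from CDN edges whose answers rotate faster than your log window, and tune on that before alerting.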
Suspected KimWolf Botnet Admin Arrested Over DDoS-for-Hire Operation
U.S. and Canadian authorities arrested a Canadian man accused of operating the KimWolf DDoS botnet. The botnet infected more than one million IoT devices, including digital photo frames and web cameras, and rented them out through a cybercrime-as-a-service model to carry out attacks against victims worldwide, including Department of Defense network addresses. The case is a reminder that unmanaged and poorly secured consumer IoT devices remain a reliable recruitment pool for large-scale criminal services, even when they sit behind home or small-business networks with no visibility or logging. Organizations with IoT exposure — whether through employee devices, facility equipment, or supply chain connections — should treat unmanaged endpoints as potential botnet infrastructure rather than low-risk background noise.
The post InfoSec News Nuggets 05/26/2026 appeared first on AboutDFIR – The Definitive Compendium Project.