Threat View from the Lens of Huntress Adversary Tactics: May 2026

Threats Seen in the SOC

Adversary Tactics documents, makes sense of, and informs the broader community about interesting threats that surface from our SOC. Here are some examples of standout trends we’ve seen in the last few weeks.

cPanel (CVE-2026-41940) Exploitation

Our SOC has seen exploitation of a nasty authentication bypass flaw (CVE-2026-41940) in the popular web server management software cPanel and WebHost Manager (WHM). cPanel is a web-based web hosting control panel that’s widely used by hosting providers and companies that want to manage websites or public-facing resource portals. That means there’s potentially a pretty big attack surface for this bug - and threat actors are already taking advantage.

The vulnerability, which was disclosed and patched in April, could allow threat actors to remotely bypass cPanel’s login screen and access its administration panel. What we saw: On May 1, we detected malicious activity after two sets of attackers (coming from two different IP addresses) exploited the cPanel flaw on a Linux host. Here are some of the things the threat actors did:

  • Executed reconnaissance commands via the cPanel API
  • Set up persistence by adding an SSH public key to /root/.ssh/authorized_keys – before modifying SSH configuration files to enable password authentication and changing the root password
  • Created two rogue WHM reseller accounts with full administrative privileges
  • Used wget to download a malicious script, which was saved as /tmp/a.sh
  • Deployed XMRig cryptocurrency mining malware (/root/.rsyslogd)

Luckily, the malicious activity was caught and remediated by our SOC. Shout out to Tanner Filip for his investigation into this incident!
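As an added triage example (not Huntress code or tooling), the script below checks a Linux host for the three persistence changes listed above: password authentication re-enabled in sshd_config, an SSH key in authorized_keys that is not on an allow-list, and the dropped-file paths the SOC observed. The allow-list, the sample config and the key blobs are constructed placeholders; point `present_dropped_files` at "/" to run it on a live host.

```python
import os
import tempfile

# Dropped-file paths reported in the incident above.
DROPPED_FILES = ["/tmp/a.sh", "/root/.rsyslogd"]
RISKY = {("passwordauthentication", "yes"), ("permitrootlogin", "yes")}

def risky_sshd_settings(config_text):
    """Global sshd directives matching the attacker's changes. sshd honours the
    FIRST occurrence of a directive; Match blocks are skipped (assumption: no scoped overrides)."""
    first = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            first.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {k: v for k, v in first.items() if (k, v) in RISKY}

def unknown_authorized_keys(keys_text, trusted):
    """authorized_keys lines whose (type, key) pair is not in `trusted`; leading
    key options are tolerated as long as they contain no spaces."""
    unknown = []
    for raw in keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        idx = next((i for i, t in enumerate(toks) if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(toks) or (toks[idx], toks[idx + 1]) not in trusted:
            unknown.append(line)
    return unknown

def present_dropped_files(root="/"):
    """Which of the incident's dropped-file paths exist under `root` ("/" on a live host)."""
    return [p for p in DROPPED_FILES if os.path.exists(os.path.join(root, p.lstrip("/")))]

# Constructed sample inputs; the key blobs are placeholders, not real keys.
SAMPLE_SSHD_CONFIG = "Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication no\n"
SAMPLE_KEYS = "ssh-ed25519 AAAAC3EXAMPLEADMIN admin@corp\nssh-rsa AAAAB3EXAMPLEATTACKER\n"
TRUSTED = {("ssh-ed25519", "AAAAC3EXAMPLEADMIN")}

def demo():
    with tempfile.TemporaryDirectory() as root:  # throwaway root so the demo never touches /
        os.makedirs(os.path.join(root, "tmp"))
        open(os.path.join(root, "tmp", "a.sh"), "w").close()  # stand-in for the dropped script
        return {"sshd": risky_sshd_settings(SAMPLE_SSHD_CONFIG),
                "unknown_keys": unknown_authorized_keys(SAMPLE_KEYS, TRUSTED),
                "dropped": present_dropped_files(root)}
```

Note that the sample config lists `PasswordAuthentication` twice; the check still reports `yes` because sshd applies the first occurrence, which is exactly the kind of edit that an eyeball review of the file's tail would miss.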


The Gentlemen Ransomware

Earlier in May, the administrator of The Gentlemen RaaS operation acknowledged that an internal backend database had been leaked, exposing the accounts of the ransomware’s operator, who runs its infrastructure and builds the locker. The leaks gave end-to-end views of the operation of the group behind the ransomware, which has been deployed in an increasing number of attacks in 2026.

Microsoft Defender alert for The Gentlemen ransomware

Huntress has seen The Gentlemen ransomware in several incidents in May. In two of the incidents, we observed the use of Scheduled Tasks and PowerShell. We also saw the threat actors use defense evasion or impairment tactics, like clearing the Security, System, and Application Event Logs, and using PowerShell commands to disable Microsoft Defender and add antivirus exclusions. You can read our full analysis of the ransomware and related incidents here. Shout out to SOC analysts Nick Roddy and Dani Lopez for their investigations and analysis into these incidents!


Triple Tiflux Threat

Since February, the SOC has observed a growing number of incidents involving Tiflux, a relatively obscure RMM tool. While public documentation on Tiflux remains sparse, its adoption fits a broader pattern we've tracked: threat actors routinely experiment with lesser-known RMMs to gain footholds and maintain persistence in victim environments.

The Tiflux attack chain started with malspam emails

Many of the Tiflux-related incidents shared common elements, including the use of multiple RMMs alongside vulnerable kernel drivers — and in some cases, these intrusions resulted in unauthorized access and credential theft. A deeper dive into one such incident uncovered an infrastructure threat actors had built out for persistence, system reconnaissance, and screenshot exfiltration. Read more here.

Tactical Response

Our Tactical Response team was developed as a separate function within our SOC for deep dives into intrusions and to answer partners’ questions outside the scope of 24x7 SOC operations. It helps bridge the gap between routine SOC operations and formal incident response. Our Tactical Response findings also give us a lot of clues about how intrusions play out.

Uptick in SonicWall SSLVPN Compromises

In the wake of GreyNoise Intelligence's report on widespread SonicWall scanning activity, Huntress continued to detect a significant uptick in SonicWall SSLVPN device compromises throughout May, which originated from two IP addresses: 173.208.148[.]250 (WholeSale Internet) and 45.86.230[.]72 (Clouvider).

In one cluster of attacks on May 22, threat actors operating from these addresses launched brute force attacks over the course of 24 hours, targeting 58 distinct organizations and successfully gaining access to multiple devices across six of them. The attacks continued in the weeks after this cluster as well.

The attackers appear to be working from a pre-existing list of credentials, as several accounts were compromised on the very first attempt, suggesting the adversary may have already possessed valid username and password combinations before initiating their campaign. Shout out to Dray Agha and Michael Tigges for their investigation into this activity!

Detection for SonicWall VPN malicious authentication
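The "success on the very first attempt" signal described above can be pulled out of VPN authentication logs programmatically. The following is an added example, not Huntress's detection or SonicWall's log format: it uses a constructed line format (`<timestamp> src=<ip> user=<name> result=<success|failure>`) and RFC 5737 documentation addresses, and flags a login that succeeded with no prior failure for that account from a source that is also spraying many accounts.

```python
import re
from collections import defaultdict

# Constructed line format for this example; real SonicWall syslog fields differ.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$")

def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def first_attempt_successes(events, min_users=5):
    """Logins that succeeded with no earlier failure for that user from the same
    source, where that source also tried at least `min_users` accounts. A success
    after failures looks like ordinary guessing; a first-try success from a source
    that is spraying many accounts points to a pre-existing credential list.
    Events must be in time order."""
    tried = defaultdict(set)   # src -> every user attempted
    failed = defaultdict(set)  # src -> users with a prior failure
    hits = []
    for e in events:
        src, user = e["src"], e["user"]
        tried[src].add(user)
        if e["result"] == "failure":
            failed[src].add(user)
        elif user not in failed[src]:
            hits.append((src, user, e["ts"]))
    return [h for h in hits if len(tried[h[0]]) >= min_users]

# Constructed sample using RFC 5737 documentation addresses, not the IPs named above.
SAMPLE_LOG = """\
2026-05-22T01:00:00Z src=203.0.113.10 user=alice result=failure
2026-05-22T01:00:01Z src=203.0.113.10 user=alice result=failure
2026-05-22T01:00:02Z src=203.0.113.10 user=bob result=success
2026-05-22T01:00:03Z src=203.0.113.10 user=carol result=failure
2026-05-22T01:00:04Z src=203.0.113.10 user=dave result=failure
2026-05-22T01:00:05Z src=203.0.113.10 user=erin result=success
2026-05-22T01:00:06Z src=203.0.113.10 user=alice result=success
2026-05-22T02:00:00Z src=198.51.100.7 user=frank result=failure
2026-05-22T02:00:05Z src=198.51.100.7 user=frank result=success
not a login line
""".splitlines()
```

Against the sample, `first_attempt_successes(parse(SAMPLE_LOG))` returns the `bob` and `erin` logins from 203.0.113.10 and ignores both `alice` (succeeded only after failures) and `frank` (single account, not spraying).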

The Takeaway

Huntress is continuing to track this spike in SSLVPN compromises that we have observed across our customer base. If you’re a Huntress partner, please make sure you’ve deployed SIEM and are exporting your SonicWall logs for additional security visibility.

Threats Around the World

Linux Privilege Escalation Bugs

In May, three easy-to-exploit Linux privilege escalation vulnerabilities were disclosed: CopyFail, Dirty Frag, and Fragnesia. They do not provide remote code execution on their own, but an attacker with an existing foothold can abuse them to quickly gain root access on affected systems. Check out this blog post by Chris Ryan and Uttie Gumbula to learn how these three newly discovered Linux kernel vulnerabilities let an attacker with a foothold trivially escalate to root, and what your team can do right now to patch or mitigate the risk.


Canvas ShinyHunters Extortion Attack

In early May 2026, the hacking group ShinyHunters breached Instructure, the company behind Canvas LMS, stealing 3.65TB of data from nearly 9,000 organizations. Stolen data included names, email addresses, student ID numbers, and private messages, but not passwords or financial information.

On May 7, a second attack defaced Canvas login pages at around 330 institutions, with a ransom deadline of May 12. The breach affected 275 million users across 8,809 institutions worldwide, making it the largest educational data breach on record. On May 11, Instructure said it had “reached an agreement” with the unauthorized actor (reading between the lines, that means the company paid the ransom). The incident shows the real-life impact of cyberattacks: the coursework and exams for many students across the US were disrupted on May 7.


More Mini Shai-Hulud

Mini Shai-Hulud is a major software supply chain attack that continued to make headlines in mid-May 2026. The campaign, linked to the threat group TeamPCP, involved compromises of npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. Over a 48-hour window from May 11 to 12, attackers compromised 172 unique packages across 403 malicious versions. The self-propagating malware spread by stealing CI/CD secrets and hijacking GitHub Actions OIDC tokens to publish malicious versions through projects' own release pipelines, bypassing modern safeguards by turning developers' own automated systems against them. Stolen credentials were exfiltrated via three channels, including the decentralized Session messenger network, making takedown difficult.

Relevant Product Updates

While not a direct product of the Adversary Tactics team, we’d like to highlight some killer new capabilities that our partners in Product Research and Product have released to help mess up attackers. We can’t wait to start using this data to expand our understanding of the threat actors our customers face.

Check out this month’s Product Lab, where Huntress CTO and Co-Founder Chris Bisnett and Principal Product Researcher Jonathan Johnson talked about macOS deceptive installers and more.

May 2026 Product Lab

Managed EDR

  • Improved visibility into Windows logon events: Managed EDR now surfaces successful Windows logon events in the portal, including logon type, username, domain, and SID, to help distinguish normal access from suspicious remote sessions.
  • macOS infostealer / deceptive installer detection: Managed EDR now detects macOS infostealers that use social engineering to trick users into bypassing Gatekeeper, with the agent scanning files at open time and flagging deceptive icons/instructions for SOC triage.

Managed ITDR

  • Incident Report Timeline PDF export: The ITDR Incident Report Timeline, which provides you with a quick and accurate snapshot of malicious activity that occurred during an identity-based attack, is now available in a PDF version. Read more here.
  • Re-authorize to version 6 to get the latest ITDR functionalities: Doing this will make sure you’re prepared to get access to the latest and greatest functionality coming out of ITDR. You can find the re-auth steps here.

Managed SIEM

  • Okta integration with new detections: Managed SIEM expanded Okta support with new detections/use cases for risky authentication patterns and potential account compromise.
  • SIEM via macOS agent: Managed SIEM is now available through the Huntress macOS agent for broader Mac visibility.
  • Public syslog collector: Managed SIEM now supports a public syslog collector so syslog-capable devices can send data directly into Huntress without a custom integration path.
  • Check out this blog post by Cody Staley to learn how Huntress's internal security teams use Managed SIEM in a tight feedback loop with the product team, so every feature you get is battle-tested to help you detect threats faster, correlate signals across endpoints and identities, and catch complex attacks that single-event tools would miss.

Managed SAT

  • Check out SAT’s new Phishing Simulation Demo: This phishing scenario shows a type of attack we’ve seen in the wild, where victims receive a fake Microsoft Teams meeting invite, and are asked to join a real call with an AI-generated person. The audio cuts in and out, which prompts them to update the Teams driver - which in actual incidents has paved the way for the attack.
  • ScalePad's Lifecycle Manager now pulls in SAT data alongside its existing EDR integration, so MSPs can report on both endpoint threats and human risk (phishing simulation results, training completion, user behavior) in one consolidated, client-ready report instead of jumping between tools.
  • Custom content from PDF imports: SAT’s Custom Content Creator can now import a PDF of PowerPoint or Google Slides and turn it into custom training content.
  • New Assignment PDF Summary Report: The assignment PDF summary report was redesigned to include richer learner completion/incompletion data and session-count detail.
  • New SAT episodes: The May materials call out Secure Browsing 2 and Insider Threat (2026) as new episode content.

Highlights

Tradecraft Tuesday

During this month’s Tradecraft Tuesday, Huntress’ Harlan Carvey, Principal Threat Intelligence Analyst, and Lindsey O’Donnell-Welch, Principal Technical Community Engagement Writer, explained how the RaaS economy plays out in attacker tradecraft during on-the-ground incidents. Check out the replay (and recap blog).

May 2026 Tradecraft Tuesday


Notable External Media

Andrew Brandt, principal threat intelligence incident commander, recently went on Darknet Diaries to talk about Pacific Rim, Sophos’ defensive and counter-offensive operation with nation-state adversaries in China. Give it a listen!