Malware Activity
How Modern Cybercriminals Are Blending Social Engineering with Advanced Malware to Expand Financial Attacks
Recent threat activity shows a clear shift in how cybercriminals are targeting organizations and individuals, combining highly convincing social engineering with increasingly advanced malware across multiple platforms. A group known as JINX‑0164 is focusing on cryptocurrency companies by impersonating recruiters and luring developers into fake meetings, where victims unknowingly install macOS malware that steals credentials, wallet data, and access to collaboration tools. Once inside, attackers move deeper into development environments and even manipulate code pipelines, sometimes escalating into supply chain attacks that spread infections further. At the same time, separate campaigns involving Grandoreiro and BTMOB are targeting financial institutions and users in Latin America and Europe, using phishing emails and fake applications to infect both Windows and Android devices. Grandoreiro focuses on stealing banking credentials through sophisticated evasion techniques, while BTMOB enables attackers to gain remote control over mobile devices and access sensitive data. Together, these campaigns highlight how financially motivated actors are expanding their reach by targeting multiple entry points, including employees, devices, and software ecosystems, while blending human manipulation with technical precision to drive larger and more scalable cyberattacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware article
- TheHackerNews: Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users article
Threat Actor Activity
MuddyWater Global Espionage Campaign with New Attack Techniques and Upgrades
The Iranian state-linked group MuddyWater has launched a new espionage campaign impacting at least nine (9) organizations across nine (9) countries and four (4) continents in early 2026. Targets include a major South Korean electronics manufacturer, a Middle Eastern international airport, Southeast Asian industrial firms, and a Latin American financial-services provider, as well as education and public-sector bodies. The attackers rely heavily on DLL sideloading with legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to execute malicious DLLs (fmapp.dll and sentinelagentcore.dll) while appearing benign. These DLLs embed the open-source ChromElevator tool to steal passwords, cookies, and payment card data from Chromium-based browsers, bypassing App-Bound Encryption protections. MuddyWater also uses a Node.js–to–PowerShell implant chain to perform reconnaissance, screenshot capture, SAM hive theft, privilege escalation, SOCKS5 reverse-proxy tunneling, and staging of stolen data on public file-transfer services like
. In the South Korean case, they repeatedly re-executed the binaries to maintain access. While none of the techniques are new individually, Symantec and Carbon Black note a clear shift toward quieter, more disciplined, implant-driven operations compared to MuddyWater’s earlier activity.
Vulnerabilities
CISA Orders Emergency Patching for Actively Exploited LiteSpeed cPanel Root-Level Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive mandating affected agencies to remediate a critical LiteSpeed cPanel User-End Plugin vulnerability that is actively being exploited in the wild and has now been added to the agency’s Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2026-48172, carries a maximum CVSS score of 10/10, affects LiteSpeed cPanel plugin versions prior to 2.4.5, and stems from improper handling of the Redis enable/disable functionality within the lsws.redisAble function. The vulnerability allows any cPanel user, including compromised or low-privileged accounts, to execute arbitrary scripts with root privileges, creating a severe privilege escalation and remote code execution risk on internet-facing servers. In response, LiteSpeed released emergency patches and urged administrators to immediately upgrade to at least version 2.4.7, while also reviewing cPanel logs for suspicious redisAble API activity using a provided grep command to identify potentially malicious IP addresses and signs of compromise. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies have until May 29, 2026 to secure affected systems, though CISA strongly encouraged private-sector organizations to prioritize patching and mitigation as well, warning that vulnerabilities enabling root-level access on exposed infrastructure remain one of the most common and dangerous attack vectors leveraged by cyber threat actors. CTIX analysts strongly urge administrators to follow the CISA guidance immediately to identify any signs of exploitation and prevent future exploitation.
- Bleeping Computer: CVE-2026-48172 Article
- Security Affairs: CVE-2026-48172 Article
- CISA: CVE-2026-48172 Advisory
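As an added example (not taken from the CISA advisory, LiteSpeed, or the articles above), the following POSIX shell script performs the kind of log review described for CVE-2026-48172: it counts redisAble API calls per source IP and cPanel user in an access log and flags an installed plugin version below the recommended 2.4.7. The log lines and the lsws request path are constructed to approximate cPanel's Apache-style access_log and are assumptions, not the real plugin URL.

```shell
#!/bin/sh
# Added example (not the advisory's own grep command): review a cPanel access
# log for redisAble API calls and compare the plugin version with 2.4.7.
# The log format and request path below are CONSTRUCTED approximations of
# cPanel's Apache-style access_log; no real data or real plugin URL is used.

# Emit constructed sample log lines (ip - user [time] "request" status bytes).
make_sample_log() {
  cat <<'EOF'
203.0.113.10 - alice [15/May/2026:10:01:02 +0000] "GET /cpsess1111/frontend/jupiter/index.html HTTP/1.1" 200 512
198.51.100.7 - bob [15/May/2026:10:05:44 +0000] "POST /cpsess2222/frontend/jupiter/lsws/index.cgi?fn=lsws.redisAble&enable=1 HTTP/1.1" 200 88
198.51.100.7 - bob [15/May/2026:10:05:51 +0000] "POST /cpsess2222/frontend/jupiter/lsws/index.cgi?fn=lsws.redisAble&enable=0 HTTP/1.1" 200 88
192.0.2.55 - dave [15/May/2026:11:20:09 +0000] "POST /cpsess3333/frontend/jupiter/lsws/index.cgi?fn=LSWS.REDISABLE HTTP/1.1" 200 90
203.0.113.10 - alice [15/May/2026:11:30:00 +0000] "GET /cpsess1111/frontend/jupiter/lsws/index.cgi?fn=lsws.status HTTP/1.1" 200 300
EOF
}

# Print "ip user count" for every ip/user pair that called redisAble
# (case-insensitive, so unusual casing in the request is still counted).
redisable_hits() {
  grep -i 'redisable' "$1" | awk '{print $1, $3}' | sort | uniq -c |
    awk '{print $2, $3, $1}'
}

# Return 0 when dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= (n > m ? n : m); i++) {
      xi = (i <= n ? x[i] : 0) + 0; yi = (i <= m ? y[i] : 0) + 0;
      if (xi < yi) exit 0; if (xi > yi) exit 1;
    }
    exit 1 }'
}

# Combined review: version status first, then per-source redisAble hit counts.
review() {  # $1 = installed plugin version, $2 = access log path
  if version_lt "$1" 2.4.7; then
    echo "plugin $1 is below 2.4.7: upgrade required"
  else
    echo "plugin $1 is at or above 2.4.7"
  fi
  redisable_hits "$2"
}

log=$(mktemp); make_sample_log > "$log"
review 2.4.5 "$log"
rm -f "$log"
```

Hits from an IP or user that has no business toggling Redis, or bursts of enable/disable calls, are the lines worth correlating with the rest of the advisory's indicators.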