InfoSec Briefing - May 14, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Thursday, May 14, 2026. Today we're covering 4 articles. All attribution is by the article authors. All article analysis is automated.

HarfangLab reports that the Gamaredon APT group has been actively targeting Ukrainian state institutions since September 2025 using spearphishing emails from spoofed or compromised government accounts. The campaign delivers multi-stage script downloaders that exploit a vulnerability for persistence and system profiling, with primary targets including the Security Service of Ukraine regional directorates across multiple oblasts.

Stream Security reports that TeamPCP has released the full source code of Shai-Hulud, a self-propagating supply chain worm, as an open-source framework on GitHub. The malware compromised over 170 npm and PyPI packages in its latest wave, affecting organizations including TanStack, Mistral AI, and UiPath, using techniques like token exploitation and credential revocation traps. The open-sourcing enables any threat actor to deploy variants, significantly lowering the barrier for supply chain attacks.

The Amnesty International Security Lab highlights that Google has introduced Android Intrusion Logging as part of Android Advanced Protection Mode, marking the first time a major device vendor has released a feature specifically designed to enhance forensic detection capabilities. The feature logs security events including device unlocking, physical access via debugging interfaces, application installations and removals, and network events to aid in investigating sophisticated attacks including spyware and stalkerware.

Microsoft reports on a case where threat actors compromised a third-party IT services provider to gain stealthy access to client organizations by exploiting trusted relationships. They leveraged legitimate administrative tools and deployed malicious components including network providers and password filters to capture credentials and maintain persistence through web shells and covert tunnels.

That concludes today's briefing.

📰 Articles Covered

Gamaredon's infection chain: Spoofed emails, GammaDrop and GammaLoad - HarfangLab

A cybersecurity campaign attributed to the **Gamaredon group** has been actively targeting **Ukrainian state institutions** since at least September 2025. This campaign utilizes **spearphishing emails**, which are either spoofed or sent from compromised government accounts, to deliver multi-stage VBScript downloaders. These downloaders are designed to profile infected systems and establish persistence.

**Who is affected:**
The primary targets are **Ukrainian state institutions** and individuals associated with them, across various sectors including state administration, security, justice, and law enforcement. Specific institutions heavily targeted include regional directorates of the **Security Service of Ukraine (SSU)**. The attacks have been observed in multiple oblasts such as Odesa, Sumy, Kirovohrad, Zaporizhzhia, Khmelnytskyi, Luhansk, Lviv, and Chernivtsi.

**Security Implications:**
The campaign's effectiveness stems from its **relentless operational tempo and scale**, rather than technical sophistication. The use of auto-generated and mutable tooling allows Gamaredon to rapidly adapt to detection techniques. The infection chain, while straightforward, is effective in bypassing authentication checks through spoofed emails and exploiting vulnerabilities like **CVE-2025-8088** to silently install payloads. This persistent access allows for the selective delivery of further malicious payloads.

**Technical Details:**
The infection chain begins with spearphishing emails that bypass authentication due to being spoofed or sent from compromised accounts. These emails deliver a payload that exploits **CVE-2025-8088**, writing a malicious file to the system's Startup folder for persistence. This initial stage involves VBScript downloaders that profile the infected system. The group then uses a tool referred to as **GammaLoad** to selectively serve more guarded payloads to compromised systems.

**What Defenders Should Know:**
Defenders can mitigate a significant portion of these attacks by implementing **strict DMARC enforcement**, which would block many of the spoofed emails. Additionally, blocking the **`194.58.66[.]0/24` subnet** is recommended, as it has been identified as a persistent operational hub for Gamaredon, hosting critical infrastructure like SMTP clients and email relays. The group's strength lies in its high operational tempo and ability to quickly iterate on its tools, making continuous monitoring and rapid response crucial.
Shai-Hulud: Another Wave and Going Open Source - Stream Security

The cybersecurity article details the evolution and open-sourcing of **Shai-Hulud**, a self-propagating supply chain worm that has significantly expanded its reach and capabilities 【1】.

**What Happened:**
Shai-Hulud, initially identified in November 2025, began as a worm compromising around 100 npm packages with a post-install hook for credential theft and GitHub exfiltration 【1】. Subsequent waves escalated to include pre-install execution, harvesting multi-cloud SDKs, establishing GitHub Actions RCE backdoors, and implementing a dead-man's switch to wipe user data 【1】. A notable development was its expansion to PyPI, affecting projects like LiteLLM, and compromising major packages such as `axios` 【1】. The latest wave, in May 2026, impacted over 170 packages across npm and PyPI, affecting organizations like **TanStack, Mistral AI, and UiPath** 【1】. Crucially, the full source code for Shai-Hulud has been **deliberately released on GitHub** by TeamPCP, complete with deployment instructions, effectively turning it into an open-source framework 【1】.

**Who is Affected:**
The worm has affected **hundreds of npm packages and PyPI packages**, with over 800 npm packages compromised in earlier waves 【1】. Organizations like **TanStack, Mistral AI, UiPath, Squawk, and GuardRails AI** have been directly impacted by the latest wave 【1】. With the code now open source, **any individual with a GitHub account** can potentially deploy their own variants, broadening the scope of potential victims to anyone using software supply chains that incorporate these compromised packages or their future derivatives 【1】.

**Security Implications:**
The open-sourcing of Shai-Hulud represents a significant shift in the threat landscape. It transforms the malware from a specific campaign into a **versatile framework**, empowering less sophisticated actors to launch their own attacks 【1】. The exploitation of **OIDC tokens in GitHub Actions** undermines trusted publishing mechanisms, as malicious packages can now be signed with legitimate build pipeline identities 【1】. Furthermore, the malware's ability to monitor for credential revocation and trigger destructive actions acts as a **credential revocation trap**, specifically targeting incident responders attempting to contain breaches 【1】. The inclusion of hooks targeting AI coding assistants like **Claude Code** introduces a new attack vector 【1】.

**Technical Details:**
Newer waves have employed a more subtle execution method using Git-based `optionalDependency` entries that point to an attacker-controlled commit containing a `prepare` script 【1】. This allows the malware to execute during installation, with failures silently ignored by npm due to the optional nature of the dependency 【1】. The malware harvests credentials, including multi-cloud SDK credentials and OIDC tokens from CI/CD environments like GitHub Actions 【1】, 【1】. Persistence mechanisms have included systemd persistence and `.pth` startup hooks on PyPI 【1】. The open-sourced code includes modules for credential harvesting, C2 exfiltration, GitHub repository creation for stolen data, and self-propagation 【1】.

**What Defenders Should Know:**
Defenders must shift their focus from detecting specific Shai-Hulud variants to **detecting the abnormal use of stolen credentials** 【1】, 【1】. The core of the attack, regardless of its specific implementation, is the theft and subsequent misuse of credentials 【1】. Behavioral analysis of credential usage, looking for deviations from normal patterns (e.g., unusual API calls, access from unexpected locations or times), is crucial 【1】. Given the open-source nature of the malware, organizations should assume that **customized variants will emerge**, making signature-based detection insufficient 【1】. Robust monitoring of CI/CD pipelines, especially for OIDC token usage and unusual build activities, is essential 【1】.
Android Intrusion Logging as a new source of data for consensual forensic analysis - Amnesty International Security Lab - Amnesty International Security Lab

Google has introduced a new **Android Intrusion Logging (IL)** feature as part of **Android Advanced Protection Mode (AAPM)**, designed to significantly aid digital forensics researchers in investigating sophisticated attacks on Android devices 【1】. This marks the first time a major device vendor has released a feature specifically to enhance the forensic detection and response capabilities for advanced digital threats 【1】.

**What Happened:**
The Android Intrusion Logging feature records various events on an Android device, providing valuable data for forensic analysis. This includes security events like device unlocking, physical access and abusive interactions (e.g., via ADB), and the installation or removal of applications, including spyware 【1】. It also logs DNS and connection events, offering insights into navigation history and potential communication with malicious websites or command and control servers 【1】.

**Who is Affected:**
This feature is particularly relevant for **digital forensics researchers** and individuals who are at **high risk of sophisticated attacks**. This includes those who might be targeted by spyware, stalkerware, or state-sponsored actors. It is also beneficial in cases involving **police custody or gender-based violence** where physical access to a device might be suspected 【1】.

**Security Implications:**
The IL feature enhances security by providing a detailed audit trail of activities on a device. This can help in:
- **Detecting unauthorized access:** Logs of device unlocking attempts and ADB activity can reveal if a device was accessed physically 【1】.
- **Identifying spyware:** Tracking application installations and process starts can help uncover the presence of malicious monitoring applications 【1】.
- **Exposing malicious network activity:** DNS and connection logs can highlight visits to malicious websites or communication with command and control servers, even if the user was unaware of these actions 【1】.
- **Providing evidence for investigations:** The detailed logs serve as crucial evidence in forensic analysis, especially when malicious activity has been deliberately removed from the device 【1】.

**Technical Details:**
Intrusion Logging records three main categories of events:
- **Security events:** These include `TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT` (for successful unlocks), `TAG_ADB_SHELL_CMD` and `TAG_ADB_SHELL_INTERACTIVE` (for ADB commands), `TAG_SYNC_SEND_FILE` and `TAG_SYNC_RECV_FILE` (for file transfers via ADB), `TAG_PACKAGE_INSTALLED` and `TAG_PACKAGE_UNINSTALLED` (for app installations/removals), and `APP_PROCESS_START` (for launched processes) 【1】.
- **DNS events:** These log DNS lookups, including the hostname, resolved IP addresses, and the package name that initiated the request 【1】.
- **Connection events:** These record connections to IP addresses, also including the originating package name 【1】.

The feature requires **Android Advanced Protection Mode (AAPM)** to be enabled, and then Intrusion Logging must be activated within AAPM settings 【1】. Logs can be accessed and downloaded manually from the device or acquired using tools like **AndroidQF** 【1】. The **Mobile Verification Toolkit (MVT)** has a new module, `check-advanced-logs`, designed to parse these IL logs for forensic analysis 【1】.

**What Defenders Should Know:**
- **Enable AAPM and IL proactively:** Intrusion Logging must be enabled *before* an incident occurs for logs to be generated 【1】. This should be considered as part of a risk management strategy for individuals with high exposure profiles 【1】.
- **Secure log export:** Logs should be exported and shared securely with forensic analysts, preferably using end-to-end encrypted methods or automated tools like AndroidQF 【1】.
- **Utilize MVT for analysis:** The MVT `check-advanced-logs` module can parse IL logs, and the `check-androidqf` module automatically analyzes them when acquired via AndroidQF. These tools help in identifying suspicious activities and creating comprehensive timelines 【1】.
- **Combine with other data:** IL logs can be combined with other forensic artifacts, such as bug reports, to create a more complete picture of events on the device 【1】.
Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise - Microsoft

A sophisticated intrusion campaign has been uncovered, characterized by its stealthy approach and the exploitation of trusted relationships to gain and maintain access within an organization's environment 【1】.

**What Happened:**
The threat actor gained an initial foothold by compromising a **third-party IT services provider**. Instead of using overt exploits or malware, they leveraged legitimate and trusted administrative tools, specifically the **HPE Operations Agent (OA)**, to execute their malicious activities. This allowed them to operate undetected for an extended period. The campaign focused on establishing long-term access, stealing credentials, and creating a persistent presence. This involved registering malicious components like network providers (_mslogon.dll_) and password filters (_passms.dll_) to hijack authentication processes and capture credentials in cleartext or encoded formats. Persistence was further established through web shells on internet-facing servers and by using tools like `ngrok` to create covert tunnels for remote access 【1】.

**Who is Affected:**
The primary targets are organizations that rely on **third-party IT service providers** for managing their IT infrastructure. The attack specifically targeted the trust established between the organization and its IT service provider, demonstrating how a compromise at the provider level can directly impact their clients 【1】.

**Security Implications:**
The core security implication is the **undermining of the trust boundary**. Threat actors can exploit legitimate operational relationships and tools to bypass traditional security measures. This stealthy approach makes detection extremely difficult, as malicious activities appear as routine administrative tasks. The campaign highlights the risks associated with implicit trust in third-party vendors and the potential for these relationships to become attack vectors 【1】.

**Technical Details:**
- **Delivery Mechanism:** Abuse of the **HPE Operations Agent (OA)**, a legitimate enterprise management tool, without exploiting any vulnerabilities in the tool itself 【1】.
- **Credential Access:**
- Registration of a network provider (_mslogon.dll_) to hijack authentication and capture credentials via `NPLogonNotify` and `NPPasswordChangeNotify` APIs, storing them in cleartext 【1】.
- Deployment of a malicious password filter (_passms.dll_) to the Local Security Authority (LSA) notification package on domain controllers, capturing credentials during password changes. This data was double-encoded (Base64 and custom routine) before exfiltration 【1】.
- A secondary module (_msupdate.dll_) read encoded data and transferred it via SMB to remote shares or exfiltrated it via SMTP 【1】.
- **Persistence:**
- Web shells (_Errors.aspx_ and _ghost.inc_) deployed on web servers, modifying legitimate application files to maintain access 【1】.
- Use of `ngrok` to create encrypted tunnels for inbound RDP access, bypassing firewall restrictions 【1】.
- Reinforcement of persistence through malicious authentication components on domain controllers 【1】.
- **Lateral Movement:** Achieved by leveraging harvested credentials and covert connectivity 【1】.

**What Defenders Should Know:**
Defenders need to adopt a posture of **deliberate verification**, trusting vendors and tools but actively validating their behavior within the organization's environment 【1】. Key recommendations include:
- **Enable cloud-delivered protection** for antivirus solutions to detect evolving threats 【1】.
- **Deploy Endpoint Detection and Response (EDR)** across all endpoints for enhanced visibility and faster detection 【1】.
- Implement a **default-deny egress filtering model** to restrict outbound traffic to only approved destinations 【1】.
- **Remove unnecessary software and tools** to reduce the attack surface 【1】.
- Enable **detailed logging and monitoring** on web servers, actively watching for anomalies 【1】.
- Implement the **enterprise access model** to control privilege escalation and enforce strong access controls 【1】.
- **Strengthen SOC monitoring and incident response capabilities**, addressing identified detection and response gaps 【1】. Organizations in sensitive sectors should anticipate continued refinement of third-party abuse, credential interception, and stealthy persistence techniques by sophisticated threat actors 【1】.