InfoSec Briefing - May 25, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Monday the 25th of May 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 7 articles to cover. All attribution is by the article authors. All article analysis is automated.

Europol report on the takedown of First VPN, a criminal infrastructure service that's featured in nearly every major ransomware investigation they've supported. The operation seized 33 servers and obtained the full user database, which should make for some interesting follow-up work.

CrowdStrike have a writeup on Velvet Chollima, a North Korean actor running an infostealer campaign using a fake crypto trading app. The interesting bit: they've exposed hardcoded credentials and SSH keys in the installer that reveal the backend infrastructure and over 90 compromised hosts. Not exactly textbook operational security.

Black Lotus Labs at Lumen have disclosed Showboat, a modular framework targeting Linux systems that's been active since mid-2022. It's been used by multiple China-aligned actors against telecoms and satellite providers across the Middle East, Southeast Asia, the US, and Ukraine. First public disclosure of this particular toolset.

PwC Threat Intelligence found an open directory containing a backdoor used by Red Lamassu, another China-based group. They're targeting telecoms and government entities across Asia Pacific for long-term intelligence collection, using DLL side-loading via legitimate Windows utilities. Worth a look if you're tracking activity in that region.

Microsoft have detailed a multi-stage intrusion that started with an end-of-life F5 appliance and moved laterally through an unpatched Confluence server to Active Directory. It's a useful case study in how perimeter devices become the entry point for identity-focused attacks once you're inside the network.

Nettitude have published CLR-STOMP, a technique for executing .NET assemblies in Cobalt Strike beacons whilst evading detection. It manipulates module loading to bypass monitoring tools and spoof telemetry by overwriting legitimate assemblies in memory. One for red teamers and anyone tracking offensive tooling.

ReliaQuest report on active exploitation of an authentication bypass in SonicWall VPN appliances that allows multi-factor authentication to be sidestepped. The critical detail: applying the vendor patch isn't enough—devices remain exploitable unless you manually reconfigure them afterwards. Attackers are moving fast once they're in, typically within the hour.

That concludes today's briefing.

📰 Articles Covered

Cybercriminal VPN used by ransomware actors dismantled in global crackdown – VPN service featured in almost every major Europol-supported cybercrime investigation | Europol - Europol

This precis outlines the international law enforcement operation that dismantled "First VPN," a service specifically engineered to facilitate cybercriminal activity.

### **What Happened**
Between May 19 and May 20, an international coalition led by France and the Netherlands, with support from Europol and Eurojust, dismantled the infrastructure of "First VPN" 【1】. Authorities seized the service's domain names (including `1vpns.com`, `1vpns.net`, `1vpns.org`, and associated onion domains) and dismantled 33 servers linked to the criminal operation 【1】. Additionally, law enforcement interviewed the service's administrator in Ukraine 【1】.

### **Who Is Affected**
The primary targets were the cybercriminals who relied on the service to mask their identities and infrastructure 【1】. Law enforcement has successfully identified thousands of users linked to the cybercrime ecosystem 【1】. These users have been notified of the shutdown and informed that their identities have been compromised 【1】.

### **Security Implications**
"First VPN" was deeply embedded in the global cybercrime ecosystem, appearing in nearly every major investigation supported by Europol in recent years 【1】. By dismantling this service, law enforcement has disrupted a critical layer of anonymity that protected actors engaged in ransomware, large-scale fraud, and data theft 【1】. The operation has already advanced 21 ongoing investigations and resulted in the dissemination of 83 intelligence packages to international partners 【1】.

### **Technical Details**
* **Service Nature:** The VPN was marketed on Russian-speaking cybercrime forums as a "trusted" tool for evading law enforcement, specifically offering anonymous payment methods and hidden infrastructure 【1】.
* **Law Enforcement Access:** Investigators gained direct access to the service, allowing them to extract the user database and map specific VPN connections to criminal activities 【1】.

### **What Defenders Should Know**
* **Attribution Intelligence:** The intelligence gathered from this operation is currently being used to link specific users to past ransomware attacks and fraud schemes 【1】.
* **Ecosystem Disruption:** The takedown serves as a reminder that even "trusted" criminal infrastructure is vulnerable to international law enforcement cooperation. Defenders should monitor for shifts in how threat actors attempt to re-establish anonymous communication channels following the loss of this widely used service.
VELVET CHOLLIMA Infostealer Campaign Using Trading App as Lure - CrowdStrike

This precis outlines the findings regarding the "Velvet Chollima" infostealer campaign, as detailed in the Hybrid Analysis report.

### **Executive Summary: What Happened**
Since June 2025, the threat actor known as Velvet Chollima has been conducting a financially motivated infostealer campaign. The operation centers on the distribution of a fake cryptocurrency trading application called **Tralert FX**. The malware, identified as **MoonPeak** (a custom variant of the open-source XenoRAT), is signed with a valid Extended Validation (EV) code-signing certificate issued to a likely front company, **AgilusTech LLC**. This legitimacy allowed the malware to maintain a low detection rate (3/52 AV engines) 【1】.

### **Who Is Affected**
The campaign primarily targets individuals involved in cryptocurrency trading, including those active on trading platforms, members of Telegram-based crypto signal communities, and users of related financial tooling 【1】. At the time of discovery, researchers identified over 90 compromised hosts, with evidence suggesting the actor manually triages victims to prioritize high-value targets for account takeover 【1】【1】.

### **Technical Details**
* **Malware Kit:** The three-module kit performs system reconnaissance, keylogging, and browser credential theft 【1】.
* **Exfiltration Infrastructure:** The actor uses five GitLab repositories to manage both payload delivery and data exfiltration. Stolen data is pushed via automated git commits on a strict 30-minute cycle, a technique designed to blend malicious traffic with legitimate developer activity 【1】【1】.
* **Critical OPSEC Failure:** The threat actor committed a catastrophic operational security error by hardcoding live production credentials, SSH keys, and GitLab Personal Access Tokens directly into the distributed MSI installer. This provided researchers with full visibility into the backend infrastructure and the history of the operation 【1】【1】.

### **Security Implications**
The campaign demonstrates a sophisticated attempt to bypass perimeter controls by leveraging trusted infrastructure (GitLab) for C2 communication. While the actor shows interest in broader credential harvesting (e.g., professional networking platforms), the primary risk is immediate financial loss through cryptocurrency account takeover. The use of valid EV certificates highlights the ongoing challenge of distinguishing malicious software from legitimate applications 【1】【1】.

### **What Defenders Should Know**
* **Detection Strategy:** Defenders should monitor for unusual outbound traffic to GitLab repositories, particularly automated commits occurring on a 30-minute cadence.
* **Targeting Awareness:** Organizations should be aware that employees involved in cryptocurrency trading or those using Telegram-based financial communities are at elevated risk.
* **Infrastructure Indicators:** The actor relies on a single C2 IP address without proxy or redirector layers, and the operation is linked to ProtonMail-based personas 【1】【1】.
* **Credential Hygiene:** This incident underscores the necessity of scanning distributed binaries for hardcoded secrets, as even sophisticated actors can make critical errors that expose their entire backend 【1】.
Introducing Showboat: A new malware family taunts defenses and targets international telecom firms - Lumen Technologies

This precis summarizes the findings from Black Lotus Labs regarding the "Showboat" malware family.

### What Happened
Black Lotus Labs has identified "Showboat," a modular post-exploitation framework targeting Linux systems that has been active since at least mid-2022 【1】. This is believed to be the first public reporting of this toolset, which is utilized by multiple threat actors aligned with the People's Republic of China (PRC) 【1】【1】.

### Who is Affected
The campaign primarily targets telecommunications and satellite providers, which are considered strategic assets for nation-state actors 【1】. Confirmed and potential victims have been identified in:
* **Middle East:** Telecommunications providers (e.g., Afghanistan) 【1】【1】.
* **Southeast Asia:** Impersonated telecommunications firms 【1】.
* **United States:** Multiple potential compromises 【1】【1】.
* **Ukraine:** Activity detected in disputed territory regions 【1】【1】.

### Technical Details
Showboat is a modular framework designed to establish a persistent foothold and facilitate lateral movement within a network 【1】. Key features include:
* **Core Capabilities:** Spawning remote shells, file transfer, process hiding, and persistence as a service 【1】.
* **Proxy Functions:** Includes `SOCKS5` and `portmap` routines, allowing attackers to interact with non-public, internal machines 【1】.
* **Evasion:** Uses XOR-encrypted configuration files (with the key "look me, AV!") and can utilize "dead drops" (e.g., Pastebin) to retrieve code and hide its presence 【1】【1】.

### Security Implications
Showboat underscores the trend of threat actors targeting Linux-based systems and routers, which frequently lack Endpoint Detection and Response (EDR) coverage 【1】. Furthermore, the use of shared frameworks among PRC-aligned clusters reflects a "resource-pooling" strategy that complicates attribution, as tooling is no longer a reliable indicator of a specific actor group 【1】.

### What Defenders Should Know
* **Monitor Traffic:** Organizations should be vigilant regarding "east-west" traffic (internal network traffic) originating from servers that do not map to known, legitimate business processes @https://www.lumen.com/blog/en-us/introducing-showboat-a-new-malware-tand-targets-international-telecom-firms#360-362.
* **Utilize IOCs:** Defenders are encouraged to monitor for and alert on Indicators of Compromise (IOCs) associated with Showboat, which are maintained on the [Black Lotus Labs GitHub page](https://github.com/blacklotuslabs) 【1】.
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence - Microsoft Defender Security Research Team

This precis outlines the multi-stage Linux intrusion detailed in the Microsoft Security blog post regarding a sophisticated attack chain that leveraged edge appliance vulnerabilities to compromise enterprise infrastructure 【1】.

### What Happened
The threat actor executed a multi-stage attack beginning with the compromise of an internet-facing edge appliance. After gaining an initial foothold, the actor performed extensive internal reconnaissance, moved laterally to an internal Atlassian Confluence server, harvested credentials, and ultimately launched relay-style authentication attacks against the organization's Active Directory infrastructure 【1】.

### Who Is Affected
Organizations utilizing internet-facing edge appliances (specifically older, end-of-life versions) and those with internal web applications that are not hardened or patched with the same rigor as external-facing services are at risk 【1】.

### Security Implications
This incident highlights a shift toward identity-centric, multi-domain attack chains. By compromising a "trusted" edge device, the attacker bypassed traditional perimeter controls. The subsequent lateral movement demonstrated that internal services—even those without direct internet exposure—are critical attack surfaces that can be exploited once an initial foothold is established. The use of stolen credentials to conduct relay attacks against domain infrastructure underscores the danger of over-privileged accounts and the necessity of robust identity hardening 【1】.

### Technical Details
* **Initial Access:** The actor exploited an end-of-life (EOL) F5 BIG-IP Virtual Edition appliance (version 15.1.201000) to establish SSH access 【1】.
* **Reconnaissance:** The actor used automated shell scripts, `Nmap`, and `gowitness` to map the internal network and identify HTTP/HTTPS services 【1】.
* **Lateral Movement:** After identifying an unpatched internal Confluence server, the actor used it as a target for remote code execution. They bypassed network-level blocking by setting up an FTP server on the initial Linux host to transfer custom scanning tools 【1】.
* **Credential & Identity Abuse:** The actor extracted credentials from Confluence configuration files and utilized them for Kerberos relay attacks and exploitation of CVE-2025-33073 against Windows infrastructure 【1】.

### What Defenders Should Know
* **Edge Governance:** Treat internet-facing appliances as Tier-0 assets. Maintain accurate inventories, track end-of-support dates, and prioritize rapid patching 【1】.
* **Internal Hardening:** Patch internal web applications with the same urgency as internet-facing services, as they are reachable once an attacker gains an internal foothold 【1】.
* **Identity Security:** Reduce the blast radius of relay attacks by disabling NTLM where possible, enforcing SMB/LDAP signing, and using Extended Protection for Authentication (EPA) 【1】.
* **Endpoint Protection:** Consistently enable real-time protection (e.g., Microsoft Defender in block mode) across all Linux servers to prevent the execution of malicious ELF binaries and commodity lateral movement tools 【1】.
CLR-Stomp: .NET CLR-Stomping - Nettitude

CLR-STOMP is a sophisticated post-exploitation technique designed to execute .NET assemblies within a Cobalt Strike (or compatible) beacon while evading traditional security telemetry and detection mechanisms.

### What Happened
CLR-STOMP was developed as a Beacon Object File (BOF) to facilitate the stealthy loading of .NET assemblies. By manipulating how the Common Language Runtime (CLR) loads modules, it allows an attacker to execute arbitrary code while masquerading as a legitimate, trusted assembly residing in the Global Assembly Cache (GAC) 【1】.

### Who is Affected
Any environment utilizing Windows systems where .NET applications are present is theoretically susceptible. Specifically, security operations centers (SOCs) and defenders monitoring for malicious .NET execution are affected, as this technique is designed to bypass standard detection methods that rely on monitoring assembly loads or scanning memory for malicious payloads 【1】.

### Security Implications
The primary security implication is the **evasion of security controls**:
* **AMSI Bypass:** Because the assembly is loaded via strong-name identity rather than as a raw byte array, the Antimalware Scan Interface (AMSI) managed assembly scan is never presented with the malicious payload bytes 【1】.
* **Telemetry Spoofing:** Event Tracing for Windows (ETW) CLR loader events record the path of the legitimate GAC assembly rather than the malicious in-memory payload, causing security tools to report a benign module load 【1】.

### Technical Details
The technique relies on "module stomping" during the CLR initialization process:
1. **Environment Setup:** The BOF sets two environment variables, `COMPLUS_ZapDisable=1` (to force the MSIL load path) and `COMPLUS_AllowStrongNameBypass=1` (to prevent re-verification after the image is swapped) 【1】.
2. **Mapping:** The CLR is instructed to resolve and map a legitimate assembly from the GAC.
3. **Stomping:** Before the CLR parses the .NET metadata, a custom memory manager overwrites the mapped image in memory with the attacker's payload (PE headers and sections).
4. **Execution:** The CLR proceeds, believing it has loaded the legitimate GAC assembly, while it actually executes the attacker's code 【1】.

### What Defenders Should Know
Defenders should move beyond simple string matching and focus on behavioral correlation. Key indicators and detection strategies include:

| Detection Category | Indicators |
| :--- | :--- |
| **Process Behavior** | Native or unmanaged processes unexpectedly loading `mscoree.dll`, `clr.dll`, or `mscorwks.dll`. |
| **Memory Integrity** | GAC assembly loads where the recorded module path is legitimate, but the in-memory image does not match the backing file on disk. |
| **Environment IOCs** | Presence of `COMPLUS_ZapDisable=1` or `COMPLUS_AllowStrongNameBypass=1` in process environment variables. |
| **Artifacts** | Named pipes matching `\\.\pipe\clr????????` or named file mappings like `Local\CLRBofState_v6_<pid>`. |
| **Output Strings** | Distinctive strings in beacon output such as `[*] Initialising CLR` or `[+] Load_2 succeeded (stomped)`. |

【1】
VPN Exploitation When Patched Doesn't Mean Protected - ReliaQuest

This precis outlines the critical findings from the ReliaQuest threat spotlight regarding the exploitation of SonicWall SSL VPN appliances, highlighting a dangerous gap between patching and actual remediation.

### What Happened
Threat actors have been actively exploiting **CVE-2024-12802**, an authentication bypass vulnerability in SonicWall SSL VPN appliances. The investigation revealed that simply applying the vendor-provided firmware patch is insufficient for Gen6 devices. Because the patch does not automatically remove the vulnerable configuration, devices that appear "patched" based on firmware version remain fully exploitable 【1】【1】.

### Who Is Affected
Organizations utilizing **SonicWall Gen6 SSL VPN appliances** are specifically at risk if they have applied the firmware update but failed to perform the additional, mandatory manual reconfiguration steps documented in SonicWall advisory **SNWLID-2025-0001** 【1】【1】.

### Security Implications
* **Silent Bypass:** The vulnerability allows attackers to bypass Multi-Factor Authentication (MFA). Because the system may still issue an MFA request that is subsequently ignored or bypassed, the login appears legitimate in logs, leaving no traditional "failed MFA" alerts 【1】.
* **Rapid Compromise:** Attackers move quickly, often transitioning from initial VPN access to internal network compromise within 30 to 60 minutes. This speed often outpaces manual SOC triage 【1】【1】.
* **Lateral Movement & Persistence:** Attackers use brute-forced credentials to sweep networks and exploit credential reuse. In escalated cases, they deploy "EDR killers" (via Bring Your Own Vulnerable Driver/BYOVD attacks) to disable security tools and establish command-and-control (C2) beacons 【1】【1】.

### Technical Details
* **The Vulnerability:** The issue stems from how MFA is enforced on the User Principal Name (UPN) authentication path. The existing LDAP configuration remains vulnerable even after the firmware update 【1】.
* **Log Indicators:**
* **`sess="CLI"`:** This session type indicates automated, scripted authentication rather than an interactive user login.
* **Transition to `GMS`:** A change from `sess="CLI"` to `GMS` in logs indicates the attacker has successfully authenticated and is actively connecting to internal resources 【1】.
* **Remediation Gap:** Standard patch management workflows verify firmware versions but fail to verify the six required manual LDAP reconfiguration steps, creating a significant security blind spot 【1】.

### What Defenders Should Know
* **Verify Remediation:** Do not rely on firmware version alone. Audit all Gen6 devices to ensure the six manual LDAP reconfiguration steps from SNWLID-2025-0001 have been completed 【1】.
* **Monitor Logs:** Treat `sess="CLI"` entries as high-priority indicators of automated authentication, especially when correlated with Event ID 238 (failed logins) or Event ID 1080 (successful logins) 【1】.
* **Harden Infrastructure:**
* Implement unique, rotated local administrator passwords (e.g., via LAPS).
* Restrict VPN account privileges and block VPN-assigned IPs from accessing sensitive server tiers directly.
* Deploy block rules for known vulnerable drivers to prevent BYOVD attacks 【1】.
* **Broader Lesson:** This is a systemic issue with edge devices (similar to "Citrix Bleed"). Always review vendor advisories for post-patch configuration requirements and track these as separate, mandatory tasks 【1】.
Open Directory, Open Season: Inside Red Lamassu’s JFMBackdoor - PwC

This precis summarizes the findings from PwC Threat Intelligence regarding the China-based threat actor **Red Lamassu** (also known as Calypso) and their use of the **JFMBackdoor**.

### What Happened
PwC Threat Intelligence has been tracking Red Lamassu since 2019. During recent hunting operations, researchers discovered an open directory containing a sophisticated Windows-oriented backdoor, which they named **JFMBackdoor**, alongside other malicious tools. This discovery provides insight into the actor's Windows-based operations, which complement their previously identified Linux-based tooling (such as the "kworker" or "Showboat" ELF binary).

### Who Is Affected
Red Lamassu primarily targets **telecommunications and government entities** across the Asia Pacific region. Specific evidence identified in the open directory linked the activity to a telecommunications provider in Afghanistan. The actor has also been observed targeting similar sectors in Kazakhstan, Thailand, and India.

### Security Implications
Red Lamassu is a persistent threat actor focused on **long-term intelligence collection**. The use of JFMBackdoor allows the actor to maintain a deep, stealthy foothold within victim environments. The backdoor’s extensive capabilities—ranging from remote shell access and file system manipulation to network proxying and screenshot capture—enable the actor to conduct comprehensive espionage, exfiltrate sensitive data, and move laterally within compromised networks.

### Technical Details
The infection chain typically involves a script (e.g., `1.bat`) that downloads several files into the `%TEMP%` directory, including a legitimate executable (`fltMC.exe`) and a malicious DLL (`FLTLIB.dll`).
* **DLL Side-Loading:** The legitimate `fltMC.exe` is used to side-load the malicious `FLTLIB.dll`.
* **Decryption & Execution:** `FLTLIB.dll` decrypts configuration data from `scr.mui` using a hardcoded XOR key (`Zs0@31=KDw.*7ev`). It then loads a shellcode stub (`flt.bin`) into memory, which decodes and executes the final JFMBackdoor payload.
* **Command & Control (C2):** The backdoor communicates with its C2 server, `namefuture[.]site`, using `CppServer` library classes (`TCPSession`, `WSSession`, and `WSSSession`).
* **Functionality:** JFMBackdoor is a fully featured toolset supporting:
* **Remote Shells:** Includes variants designed to evade process inspection.
* **File System Operations:** Full management capabilities, including timestomping to hide malicious activity.
* **Reconnaissance:** Network enumeration and screenshot capture (Base64-encoded and XOR-encrypted).
* **Persistence & Anti-Forensics:** Ability to manage services, registry keys, and self-uninstall.

### What Defenders Should Know
* **Detection:** Defenders should monitor for the presence of the identified files in `%TEMP%` and the execution of `fltMC.exe` loading `FLTLIB.dll`.
* **IOCs:** PwC has provided Indicators of Compromise (IOCs) on their [GitHub page](https://github.com/pwc-threat-intelligence).
* **Command Analysis:** Security teams should review the detailed command codes provided in the article's Appendix B to understand the specific actions the malware can perform, which can assist in creating targeted detection rules for behavioral analysis.
* **Infrastructure:** The actor utilizes various C2 domains and infrastructure, and defenders should be aware that the actor's operational goals are consistent with long-term intelligence gathering in the telecommunications sector.