May 2026 showed how fast routine business activity can turn into real security exposure. ANY.RUN observed phishing campaigns, fileless malware delivery, credential theft, OTP interception, and remote access abuse targeting organizations across industries. 

From fake invitations and banking portals to compromised B2B websites and Word Online lures, the month’s attacks had one thing in common: they were built to look normal long enough to delay detection. 

Here are the major attacks from May and what SOC teams should take away from them. 

Key Business Risks That Stood Out in May Attacks 

The most important lesson from May’s attacks is that many of these campaigns were designed to hide inside normal business activity long enough to create real exposure. 

• Phishing turned into direct access risk: May campaigns did not stop at fake login pages. They led to credential theft, OTP interception, remote access tool installation, and possible account takeover. 
• Trusted workflows became attack paths: Fake invitations, Word Online pages, banking portals, legitimate B2B websites, and RMM tools helped attackers lower suspicion and delay detection. 
• Fileless and browser-based techniques reduced visibility: Blob-generated pages, injected scripts, PowerShell execution, and in-memory payloads made some attacks harder to catch with traditional file or network-based controls. 
• Credential theft created broader business exposure: Stolen email, browser, banking, and session data can open the door to BEC, fraud, SaaS compromise, supplier risk, and lateral movement. 
• Delayed certainty became the biggest SOC problem: When teams cannot quickly confirm whether access was stolen, remote access was installed, or C2 activity happened, response slows and business risk grows. 

Main Targets in May Attacks 

May’s campaigns were concentrated around the business functions and user groups that attackers can use to reach valuable accounts, financial workflows, and internal systems. For CISOs, this helps show where security reviews, detection coverage, and response playbooks should be prioritized first. 

1. Routine Invitations Created High-Impact Access Risk for U.S. Organizations 

In May, ANY.RUN tracked a fake invitation phishing campaign targeting U.S. organizations. The attack used familiar event-style lures to guide users through what looked like a normal invitation flow. Behind that flow, attackers could move victims toward credential theft, OTP interception, and in some cases remote access tool delivery. 

Check detailed breakdown 

This campaign shows how a simple business interaction can turn into an access incident. The user does not need to open an obviously malicious file or interact with a suspicious-looking page. They only need to follow an invitation that feels familiar. From there, the risk can expand from one employee action to exposed credentials, compromised mailboxes, unauthorized remote access, and wider business exposure. 

CISO priority: Security leaders should treat fake invitation flows as more than phishing noise. These attacks test whether the SOC can connect email, browser, identity, and remote access signals fast enough to understand real exposure. ANY.RUN helps teams safely open the full flow, observe credential and OTP collection, identify possible remote access tool delivery, and pivot to related infrastructure before the same campaign reaches more users. 

2. Business Document Lures Put LATAM Enterprises at Credential Theft Risk 

ANY.RUN also analyzed an Agent Tesla campaign targeting enterprises in Latin America. The attack used familiar business-document themes, including purchase orders, invoices, payroll files, and procurement requests, to reach employees who regularly work with external files and supplier communication. 

Check detailed breakdown 

This type of attack goes after the business functions where one stolen credential can quickly create financial and operational exposure. If attackers gain access to email accounts, browser credentials, FTP logins, or other stored data, the risk can move beyond one infected endpoint. It can support BEC, supplier fraud, cloud account compromise, and wider access across company systems. 

Business risk to reduce: Finance, procurement, and payroll inboxes should be treated as high-risk business entry points. A suspicious invoice or purchase order is not only an attachment problem; it may be the first sign of credential theft that can later support fraud or unauthorized access. With behavior-based sandbox analysis, teams can quickly confirm whether a file executed, what data it tried to collect, and which accounts need immediate protection. 

3. Compromised B2B Websites Turned Trusted Browsing into Fileless Malware Risk 

May also showed how legitimate B2B websites can be abused to deliver malware without relying on obvious malicious files. In this activity, attackers used compromised websites and injected scripts to move users toward PowerShell execution, in-memory payload delivery, and outbound C2 communication. 

Check technical details on X 

This is dangerous as the attack starts from a place employees may already trust. The website can look legitimate, the traffic may not stand out at first, and the malicious activity becomes clearer only later in the chain. For enterprises, that means a normal browsing session can turn into fileless execution before the SOC has enough evidence to react. 

Detection gap to close: This is where reputation-based controls are not enough. A known business website can still become part of the attack chain, and fileless execution may leave fewer obvious artifacts for Tier 1 teams to catch. ANY.RUN gives analysts a way to see what happens after the page loads: script behavior, PowerShell activity, memory execution, process injection, and C2 communication. That turns a suspicious browsing event into a response-ready case. 

4. OTP Phishing Showed How Fast Financial Access Can Be Weaponized 

ANY.RUN tracked a large-scale phishing campaign impersonating a U.S. financial institution. The campaign used a multi-step flow to collect usernames, passwords, OTP codes, and email verification data. Its infrastructure was also highly reusable, with hundreds of related phishing domains already identified. 

Check technical details on X 

This attack highlights a dangerous shift: MFA does not remove phishing risk when attackers can intercept OTPs in real time. Once users submit credentials and verification codes, attackers can move closer to account takeover, fraud, and unauthorized access before security teams have a clear picture of what happened. 

For enterprises, the lesson goes beyond one banking-themed campaign. Any organization that relies on login codes, email verification, or user-driven authentication flows needs to understand where those flows can be copied, replayed, or abused. 

MSSP priority: The priority is to move from single-alert handling to campaign-level detection. Blocking one domain will not stop an operation built on reusable templates and rotating infrastructure. ANY.RUN Threat Intelligence helps MSSPs connect related phishing pages, infrastructure, and recurring artifacts, so teams can prove whether authentication data was exposed and help clients act before stolen access becomes fraud or account takeover. 

5. Fake Word Online Lures Turned Document Access into Remote Control 

Another May attack started with an Outlook email and redirected users to a fake Word Online / OneDrive-style page. Instead of pushing an obvious malware download, the chain moved through software installation stages and eventually led to remote access through ScreenConnect, with additional activity used to hide the installed tools. 

Check technical details on X 

This is the kind of attack that creates real confusion inside security operations. On the surface, the user is trying to open a business document. Deeper in the chain, the attacker is setting up remote access through tools that may look similar to normal IT or support activity. 

For MSSPs, this is especially dangerous as one alert may not immediately look like a full compromise. A fake document page, a silent installer, an RMM tool, and concealment activity may appear as separate weak signals unless the team can connect them fast. 

Access question for leaders: This attack should push CISOs and MSSPs to ask a harder question: not “Did malware run?” but “Did someone gain hands-on access to the environment?” Remote access abuse is dangerous because it can look close to legitimate IT activity while giving attackers a path back into the network. Teams should expose the full chain from phishing page to installer behavior, RMM deployment, concealment activity, and follow-on access signals to can contain the access path before it becomes persistence. 

6. BlobPhish Exposed a Blind Spot in Browser-Based Credential Theft 

May also brought attention to BlobPhish, a credential-phishing campaign targeting Microsoft 365, major U.S. financial institutions, and webmail services. Instead of loading a phishing page in the usual way, the attack generated the page directly inside the browser using blob objects, keeping the malicious content in memory. 

Check technical details on X

 This matters as many phishing defenses still depend on what can be seen in the email, URL, or network request. BlobPhish weakens that visibility. The page can appear after the browser builds it locally, which makes the attack harder to judge using traditional signals alone. 

For CISOs, this creates a dangerous gap between what the user experiences and what the security stack can clearly prove. For MSSPs, it raises the investigation burden across clients: teams need to understand not only where the user clicked, but what the browser created after the click. 

Visibility gap to close: BlobPhish shows why phishing response cannot stop at URL checks. The real danger is the gap between what the user sees in the browser and what security teams can prove afterward. ANY.RUN allows teams to reproduce the browser-side flow safely, observe how the phishing page is generated, and capture the credential-theft behavior that may not be visible through standard inspection alone. For CISOs and MSSPs, this closes a critical evidence gap before stolen accounts turn into BEC, SaaS compromise, or client-wide exposure. 

Give Your SOC the Visibility May’s Attacks Demand with Enterprise Suite 

May’s attacks made one thing clear: the earliest signs of compromise are often hidden inside normal workflows. A user follows an invitation, opens a supplier file, visits a trusted website, enters an OTP, or previews a document, and the SOC may only see scattered signals until the risk has already moved forward. 

That is where ANY.RUN Enterprise Suite gives security leaders stronger control. Teams get full sandbox functionality, private analyses, multi-platform analysis across Windows, macOS, Linux, and Android, advanced privacy controls, SSO, team management, API access, workspace analytics, and TI Lookup & YARA Premium to validate threats faster and investigate sensitive cases without losing visibility or control. 

With these capabilities, enterprise teams can: 

• Reduce investigation delays by safely analyzing suspicious files, URLs, scripts, and phishing flows in real time. 
• Confirm business exposure faster by seeing whether credentials, OTPs, remote access tools, C2 traffic, or fileless execution were involved. 
• Protect sensitive investigations with private analyses, advanced privacy controls, SSO, and team-based access. 
• Improve SOC efficiency with shared workflows, workspace analytics, API access, and full task history. 
• Strengthen detection coverage with TI Lookup & YARA Premium to connect related infrastructure, IOCs, and attack patterns. 
• Support enterprise-scale response with longer VM timeout and analysis across major operating systems. 

ANY.RUN’s 10th-anniversary special offers are available until May 31, making this a timely opportunity for SOCs, MSSPs, and enterprise security teams to expand threat analysis and intelligence capabilities, reduce investigation delays, and respond with more confidence.

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps SOC, MSSP, and enterprise security teams detect threats earlier, and investigate incidents faster. 

With its Interactive Sandbox, Threat Intelligence Lookup, TI Feeds, and YARA Search, ANY.RUN gives teams the visibility they need to analyze suspicious files, URLs, scripts, phishing pages, and malware behavior in real time. Security teams can safely observe full attack chains, extract IOCs, investigate related infrastructure, and turn unclear alerts into evidence they can act on. 

Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN supports faster triage, stronger threat visibility, and more confident response across modern SOC workflows. 

The post Major Cyber Attacks in May 2026: Fake Invitations, Agent Tesla, BlobPhish, and More appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Imagine handing your smartphone over for repair. A couple of days later, you pick it up — and great, it’s working again! But you won’t even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when it’s locked.

This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the Black Hat Asia 2026 conference. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.

What is BootROM?

To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation — the most trusted layer of them all — is the BootROM, a read-only memory baked directly into the silicon that can’t be modified once it comes off the fab.

The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, it’s game over: the malicious code will execute before the main operating system even has a chance to load.

This is exactly what attackers can do by exploiting the CVE-2026-25262 vulnerability discovered by Kaspersky ICS CERT researchers.

Emergency Download Mode as an entry point

The research began with a protocol called Sahara. This is a component of Emergency Download Mode (EDL). Manufacturers and service centers use it to revive bricked devices: the phone is connected to a computer via USB, and a special utility program signed by the manufacturer (in this case, Qualcomm) is uploaded to it.

Sahara is implemented directly within the ARM PBL (Primary Boot Loader) — the BootROM itself. This means the protocol runs before any operating system boots, before any user access privileges are checked, and before any security controls are activated. The device simply waits for a USB connection, ready to accept data.

The communication scheme looks simple: the device sends a handshake (HELLO) to the computer, the computer selects the mode, a cycle begins to upload the utility program in chunks, and finally, the device executes the uploaded code. And it was within the verification logic of these very file chunks that the vulnerability was identified.

Write-what-where: the core of the vulnerability

In technical terms, the bug introduced by the developers is classified as CWE-123: Write-What-Where Condition. This is about as bad as it gets when it comes to flaws in low-level programming. An attacker can write arbitrary data to an arbitrary address in the device memory.

Without diving too deep into the technical weeds, suffice it to say that by exploiting the discovered vulnerability, attackers can gain access to any data on the device, including user-entered passwords, files, contacts, geolocation data, as well as the hardware sensors like the camera and microphone. In certain scenarios, complete control over the device is possible. Just a few minutes of physical access to the device via a cable connection, and the gadget has been compromised. This creates a risk if you hand your smartphone over to a repair shop, pass it to someone else to set up and install apps on, or just leave it unattended.

Which devices are affected

The CVE-2026-25262 vulnerability affects the following Qualcomm chip series: MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 — every single version released to date, until the vulnerability is patched by the manufacturer.

These are no obsolete museum pieces. The MDM9207, which we used for the bulk of our research, is integrated into modem modules for the internet of things (IoT), industrial equipment, smart home devices, healthcare monitoring systems, logistics trackers, and banking terminals. The MSM8916 powers many budget smartphones, while the SDX50 is used in automotive control units.

How vulnerable devices get attacked

The catch is that the attacker needs physical access to the device to pull this off. In the real world, this translates to:

• Smartphone repairs at third-party repair shops, where the phone is left for several hours
• Customs checkpoints in certain countries, where devices are withheld, inspected, and then returned
• Lost and found scams, where your phone is stolen, tampered with, and then mysteriously found
• Corporate espionage via an insider or a rogue employee

With just a few minutes of physical access to the device an attacker can plant a backdoor so deep inside that standard research tools won’t even detect it in most cases.

Why there’s no patch — and what to do

Qualcomm was notified of the discovery in March 2025 and confirmed the vulnerability in its chips. To identify it, the vendor reserved CVE-2026-25262, and on April 20, 2026, Kaspersky ICS CERT published technical information on the vulnerability and recommendations for users.

Qualcomm included this vulnerability in its May security bulletin. While fixing already-made devices is fundamentally impossible, the company promised to make all future chips without this vulnerability.

If you currently own a device with an affected chip, use our recommendations below to help mitigate the risk of infection.

• Enforce strict physical control: don’t leave your devices unattended, especially when traveling or on business trips.
• Choose only authorized service centers for repairs and maintenance.
• Regularly update your firmware — this won’t patch the BootROM vulnerability, but it can eliminate many related vulnerabilities at higher levels.
• Use a Kaspersky for Android on your device. This will safeguard your gadget from other threats that, combined with this vulnerability, could lead to unpredictable consequences.

If you notice that your gadget with a vulnerable Qualcomm chip starts acting up — overheating when idle, reporting unexpected spikes in network traffic, or exhibiting strange app behavior — you may have fallen victim to this vulnerability. You can wipe the malicious code and reset your device to its baseline state simply by completely cutting its power. This means either pulling the battery or letting it drain all the way to zero until the gadget shuts down entirely. In this case, the malicious code will most likely not persist on the device — during our research, we were unable to confirm that it could achieve persistence in non-volatile memory.

Want to learn more about severe vulnerabilities in Android phones? Check out these posts:

• Attacks on 5G networks: the arms race continues
• Are geolocation services spying on you?
• Pixnapping vulnerability: unblockable screenshots of your Android phone
• Data theft during smartphone charging
• Trojan embedded in fake Android smartphones

Kaspersky official blog – ​Read More

Netflix, Apple TV+, Disney+, Hulu, Amazon Prime, YouTube Premium… The average law-abiding family today pays for five to 10 subscriptions just to watch their shows of choice, with the monthly bill easily crossing the hundred-dollar mark. It’s no surprise, then, that social media and online marketplaces are seeing a surge in demand for the “magic boxes” that popped up at the end of 2025: Android-powered TV boxes that promise to unlock thousands of channels and every streaming service subscription-free for a one-time purchase.

Ads for these devices are flooding TikTok and Instagram: smiling influencers unbox the SuperBoxes, plug them into a TV, and browse endlessly through channels. It looks like the ultimate life hack against subscription fatigue, right? In reality, it’s one of the easiest ways to invite a botnet into your home network.

What’s wrong with these cheap TV boxes?

Stories about malicious TV boxes have surfaced before, but right now, their marketing has reached a truly alarming scale.

At the end of 2025, analysts examined several models of the popular SuperBox device available from major retail stores and online marketplaces. The findings were deeply concerning: immediately upon powering up, the devices began pinging the servers of the Chinese messaging app Tencent QQ, as well as the Grass proxy service — effectively renting out the owner’s internet bandwidth to third parties.

Inside the firmware, researchers discovered applications completely uncharacteristic of a media player: a network scanner, a traffic analyzer, and tools for DNS hijacking. Consequently, the device not only streams pirated content but also scans the local network for other targets (including industrial SCADA interfaces), and stands ready to participate in DDoS attacks. The SuperBoxes were also found to contain folders with the telltale name “secondstage”, a textbook indication of multi-stage malware.

More recently, in April 2026, the Darknet Diaries podcast featured an interview with a security researcher known by the alias D3ada55, who shared plenty of intriguing details about these boxes — including the fact that they were still openly sold on major platforms like Amazon, Walmart, and Best Buy.

The infection chronicles: BADBOX to Keenadu

The SuperBox case is far from the only instance where Android devices have been turned into botnet nodes — or sold infected right out of the box. Here’s a look at the most recent cases:

• BADBOX 2.0. In July 2025, Google filed a lawsuit against the operators of a botnet that compromised over 10 million Android devices — mostly cheap TV boxes, tablets, and projectors lacking Google Play Protect certification. As we reported earlier, BADBOX 2.0 specifically targets TV boxes, operating simultaneously as a proxy network and an ad fraud engine.
• Kimwolf. In December 2025, the QiAnXin XLab team uncovered a DDoS botnet that had hijacked around 1.8 million Android devices. The infected hardware included generic models from off-brand manufacturers sporting high-profile names like TV BOX, SuperBox, XBOX, SmartTV, and others. The infection footprint was massive, with compromised devices shipped worldwide. Among the hardest-hit countries were Brazil, India, the U.S., Argentina, South Africa, the Philippines, and Mexico.
• Keenadu. Our experts discovered this malware lurking in the firmware of brand-new devices back November 2025, though it didn’t gain widespread attention until after we published a study about it in February 2026. Keenadu masquerades as legitimate system components, embedding itself even into facial-recognition unlock apps, potentially granting attackers access to biometrics, banking data, and personal messages.

All of these stories share the same origin: the Triada Trojan, first documented by our researchers back in 2016 and dubbed at the time “one of the most advanced mobile Trojans”. Over the past decade it has evolved from a standard piece of malware into a modular backdoor baked directly into firmware during manufacturing.

How the infection scheme works

Manufacturers of cheap TV boxes cut corners on absolutely everything: Google Play Protect certification, firmware audits, and security updates. Many of these devices run on the Android Open Source Project without any security guarantees whatsoever. Somewhere along the supply chain — whether at the factory, through a middleman, or at a distributor — a backdoor gets injected into the firmware image. Our experts suspect that the manufacturer itself might not even be aware of the compromise.

The sheer scale of the infection turns millions of identical boxes into the perfect foundation for a botnet: every compromised device represents a unique IP address that can be rented out to anyone. Botnet operators like Kimwolf monetize this not only through distributed DDoS attacks but also by reselling the bandwidth of infected smart TVs and streaming boxes.

What this means for you

An infected TV box sits right in your living room, connected to your home Wi-Fi. That means it can see smartphones running banking apps, network-attached storage (NAS) units holding family archives, IP cameras, smart locks, work laptops, and any other the devices connected to your Wi-Fi network.

With this kind of beachhead inside your home network, an attacker can intercept unencrypted traffic, spoof DNS requests, scan ports, and hunt for vulnerabilities on neighboring devices. On top of that, they can use your IP address for fraudulent activity. As a result, in the best-case scenario, your IP will end up blacklisted, and legitimate services will start blocking you for suspicious activity; in the worst-case scenario, law enforcement could come knocking on your door.

How to spot a potentially dangerous gadget

You should be on alert if a device:

• Is sold under a no-name brand like T95, X96Q, MX10, TV BOX, SuperBox, or some such
• Promises free lifetime access to paid premium services for a one-time fee
• Requires you to disable Google Play Protect, or install third-party APK files during the initial setup
• Lacks Play Protect certification entirely
• Is promoted through aggressive spam campaigns on social media

How to avoid hosting a botnet node

• Buy certified TV boxes that feature Google Play Protect, or purchase devices directly from reputable telecom operators and internet service providers.
• Isolate all smart home devices. Set up a separate Wi-Fi network on your home router for TV boxes, cameras, smart speakers, robot vacuums, and similar gear, while keeping smartphones, NAS units, and computers on the main network. This prevents malware from spreading to your critical gadgets.
• Regularly update the firmware on all your devices, and don’t forget about your router — it’s another vulnerable link in the chain.
• Remove any applications from your Android TV box that you didn’t install yourself, especially alternative app stores, Wi-Fi “boosters”, and “system cleaners”.
• Monitor your traffic. Modern routers and Kaspersky Premium can display which devices are connecting to where. Frequent connections from a media player to servers in China are a major security red flag.
• Install Kaspersky Premiumon all your devices — it protects against Trojans, and blocks the phishing pages often used to distribute infected APK files.
• Don’t disable Google Play Protect, and avoid installing APKs from shady sources — this is the primary infection vector that bypasses the official app store.
• If in doubt, return the TV box. A cheap streaming device isn’t worth risking your biometrics, banking data, or the reputation of your IP address.

Want to know how else to protect your smart home devices? Read more in our related posts:

• Are your TV, smartphone, and smart speakers eavesdropping on you?
• Is your router secretly working for foreign intelligence?
• Vulnerability in the Rubetek Home smart-home app
• Best smart home standards and how to implement them
• How to secure your smart home

Kaspersky official blog – ​Read More