Monthly Cyber Threat Intelligence Report: May 2026
May 2026 monthly cyber threat intelligence summary from System Force IT: critical CVEs across edge devices and domain controllers, supply-chain industrialisation via the TeamPCP contest, the GitHub repository breach, and 704 ransomware victims led by Qilin, The Gentlemen and DragonForce. Includes deep dives on M3RX ransomware, Evelyn Stealer and Aur0ra ransomware, plus the Gentlemen RaaS infrastructure breach.
What's inside
- Software supply-chain attacks have industrialised, with the TeamPCP Monero-bounty contest and mandatory worm tooling lowering the barrier for criminal participation in open-source ecosystem compromise.
- Critical CVEs across internet-facing edge devices (Palo Alto PAN-OS, Cisco SD-WAN, Fortinet FortiAuthenticator) and domain controllers (Windows Netlogon, Windows DNS) demand immediate patching priority.
- Ransomware claimed 704 victims in May, with Qilin (110), The Gentlemen (77) and DragonForce (55) the most active groups; business services and the United States remained the most-targeted sector and country.
- The Gentlemen ransomware-as-a-service group's own backend was breached in May, exposing affiliate rosters, negotiation transcripts and tooling discussions, and underlining instability in the criminal ecosystem.
- The Linux kernel Copy Fail flaw (CVE-2026-31431) is a high-severity local privilege escalation listed in the CISA Known Exploited Vulnerabilities catalogue, affecting kernels 4.14 through 6.19.12 across mainstream distributions.
The May 2026 edition of the System Force IT Monthly Cyber Threat Intelligence Report covers the most significant cyber incidents, emerging malware families, vulnerability disclosures and ransomware activity observed during the month. The report is intended for business owners, IT leaders and risk managers who need a concise monthly briefing without wading through fragmented vendor advisories.
May was dominated by software supply-chain compromise and the continued professionalisation of ransomware. The TeamPCP group launched a Monero-bounty contest with mandatory worm tooling, effectively industrialising open-source package attacks. Roughly 3,800 private GitHub repositories were exposed via a trojanised Nx Console extension. A CISA contractor left AWS GovCloud credentials in a public repository for an extended period. Foxconn’s North American manufacturing sites were briefly disrupted by the Nitrogen ransomware group, which claimed 8 TB of stolen drawings and project material.
On the technical side, eight high-severity CVEs were disclosed across Palo Alto, Cisco SD-WAN, Microsoft Windows DNS, Fortinet, Apache, Drupal and Windows Netlogon, most scoring 9.8 or higher on CVSS. The Linux kernel Copy Fail flaw (CVE-2026-31431) entered the CISA Known Exploited Vulnerabilities catalogue. Ransomware claimed 704 victims in the month, with Qilin (110), The Gentlemen (77) and DragonForce (55) leading. In an unusual development, The Gentlemen RaaS group’s own backend was breached, exposing affiliate operations and operational data. Priority actions remain consistent: patch edge devices and domain controllers urgently, treat low-priority alerts as potential precursors, harden the software supply chain, and maintain tested offline backups.