The CyberWire Daily Podcast 5.6.26
Ep 2546 | 5.6.26

The exploit that writes its own story.

Transcript

CISA warns CopyFail is under active exploitation. Attackers compromise installers for a widely used disk imaging utility. MuddyWater masks cyberespionage as ransomware. Attackers spread malware through a fake OpenClaw plugin. Researchers ID a new Linux RAT. Vimeo blames a third-party provider for a recent breach. Palo Alto’s Captive Portal is under attack. The FTC settles with a data broker over location sharing. A former Conti gang member gets jail time. Our guest is Dov Yoran, CEO of Command Zero, discussing how cybersecurity teams are fighting AI with AI. Geotargeting turns creepy.

Today is Wednesday, May 6th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA warns CopyFail is under active exploitation. 

CISA is warning that a newly disclosed Linux kernel flaw called “CopyFail” is already being exploited, days after researchers released a working root-level exploit.

Tracked as CVE-2026-31431, the bug allows low-privileged users to gain full root access on vulnerable Linux systems. Cybersecurity consultancy Theori says its AI-powered testing platform, Xint, discovered the flaw and reported it in March. The company later released a proof-of-concept exploit that works against Ubuntu, Amazon Linux, Red Hat Enterprise Linux, and SUSE systems. Researchers warned most mainstream Linux kernels released since 2017 may be vulnerable.

The attack requires minimal access and no user interaction, making it useful for attackers who already have an initial foothold. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by May 15. Microsoft says it is already observing early exploitation activity following the exploit’s release.
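The KEV listing carries a federal remediation deadline, and the practical defender task is to line up the CVEs your own scanner reports against that deadline. The following is an added example (not from the podcast, CISA, or Theori): a small Python triage that indexes a KEV-shaped catalog export and classifies each inventoried CVE as overdue, due soon, on track, or not in KEV. The field names match CISA's public KEV JSON feed; the catalog contents and the scanner inventory are constructed sample data (only the CopyFail CVE id and its May 15 due date come from the story), and the `load_kev`, `due_status` and `triage` functions are this example's own.

```python
"""Triage a vulnerability inventory against a CISA KEV catalog export by
remediation due date. Added example, not from the podcast or CISA: field
names follow the public KEV JSON feed; the data below is CONSTRUCTED."""
import json
from datetime import date, timedelta

# CONSTRUCTED sample catalog in the shape of the KEV JSON feed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-31431",            # CopyFail, id from the story
            "vendorProject": "Linux", "product": "Kernel",
            "dateAdded": "2026-05-04",            # placeholder date
            "dueDate": "2026-05-15",              # due date from the story
        },
        {
            "cveID": "CVE-0000-00001",            # placeholder entry
            "vendorProject": "ExampleVendor", "product": "ExampleProduct",
            "dateAdded": "2026-04-01", "dueDate": "2026-04-22",
        },
        {
            "cveID": "CVE-0000-00002",            # placeholder entry
            "vendorProject": "ExampleVendor", "product": "OtherProduct",
            "dateAdded": "2026-05-01", "dueDate": "2026-06-30",
        },
    ],
})


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index KEV entries by CVE id. A real deployment reads the downloaded
    feed file instead of the sample string."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return {e["cveID"]: e for e in entries}


def due_status(entry: dict, today: date, warn_days: int) -> str:
    """Classify one KEV entry relative to today's date."""
    due = date.fromisoformat(entry["dueDate"])
    if due < today:
        return "overdue"
    if due - today <= timedelta(days=warn_days):
        return "due_soon"
    return "ok"


def triage(kev_json: str, inventory_cves, today_iso: str,
           warn_days: int = 14) -> dict[str, str]:
    """Map each CVE your scanner found to overdue / due_soon / ok / not_in_kev.
    CVEs absent from KEV still need fixing, just without a KEV-driven
    deadline, so they are reported rather than silently dropped."""
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    result = {}
    for cve in inventory_cves:
        entry = kev.get(cve)
        result[cve] = due_status(entry, today, warn_days) if entry else "not_in_kev"
    return result


if __name__ == "__main__":
    # Constructed scanner output for a fleet, run on the episode's date.
    inventory = ["CVE-2026-31431", "CVE-0000-00001", "CVE-0000-00002", "CVE-0000-99999"]
    order = ("overdue", "due_soon", "ok", "not_in_kev")
    report = triage(SAMPLE_KEV_JSON, inventory, "2026-05-06")
    for cve, status in sorted(report.items(), key=lambda kv: order.index(kv[1])):
        print(f"{status:11} {cve}")
```

Run on the episode's date with the default 14-day warning window, CopyFail lands in `due_soon`; the `warn_days` threshold is the knob to tune to your own patch cadence, and feeding the function the real downloaded feed plus your scanner's CVE list is the only change needed to use it for real.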

Attackers compromise installers for a widely used disk imaging utility. 

Researchers at Kaspersky say attackers compromised installers for Daemon Tools, a widely used disk imaging utility, and distributed malware through the software’s official website in a global supply-chain attack.

The malicious installers affected versions 12.5.0.2421 through 12.5.0.2434 and were first observed in early April. Kaspersky says thousands of infection attempts have been recorded across more than 100 countries. Most victims received a basic information-stealing payload, while a smaller number of targets in government, science, manufacturing, and retail sectors received more advanced malware, including a backdoor linked to Quic RAT.

Trusted software distribution channels remain a high-value target for attackers. Supply-chain compromises can bypass traditional trust controls and quickly scale across organizations using legitimate software updates. Disc Soft, the Latvia-based developer behind Daemon Tools, says it is investigating.

MuddyWater masks cyberespionage as ransomware. 

Researchers at Rapid7 say the Iran-linked threat group MuddyWater conducted an intrusion that appeared to be ransomware, but operated more like a cyberespionage campaign.

The attackers reportedly used Microsoft Teams social engineering to gain access through screen-sharing sessions, then harvested credentials, manipulated multi-factor authentication protections, and deployed remote access tools including AnyDesk and DWAgent. Rapid7 says the group conducted reconnaissance, moved laterally, and exfiltrated data, but never deployed file-encrypting ransomware. Instead, the attackers used Chaos ransomware branding and extortion emails as apparent false flags while maintaining persistence in the victim environment.

The operation blurred the line between espionage and financially motivated cybercrime, potentially delaying incident response and attribution efforts. Rapid7 linked the activity to MuddyWater with moderate confidence based on infrastructure, malware, and operational patterns associated with previous campaigns tied to Iran’s Ministry of Intelligence and Security.

Attackers spread malware through a fake OpenClaw plugin. 

Researchers at Zscaler ThreatLabz say attackers are abusing the OpenClaw AI automation framework to distribute malware through a fake plugin called “DeepSeek-Claw.”

The campaign targeted developers and autonomous AI agents by embedding malicious instructions into plugin files downloaded from public repositories. On Windows systems, the malware chain deployed the Remcos remote access trojan using DLL side-loading with a legitimate GoToMeeting executable. On macOS and Linux, attackers used obfuscated Node.js scripts and fake password prompts to steal credentials, SSH keys, cryptocurrency wallets, and cloud API tokens. Zscaler says the campaign also delivered the GhostLoader information stealer.

The operation highlights growing risks tied to high-privilege AI tools and third-party AI plugins. Researchers warn that autonomous AI agents introduce new attack surfaces with broad system access, making supply-chain vetting and behavioral monitoring increasingly important for enterprise defenders.

Researchers ID a new Linux RAT. 

Researchers at Trend Micro have identified a Linux remote access trojan called QLNX that appears designed to steal developer credentials and compromise software supply chains.

The malware targets Amazon Web Services credentials, Kubernetes tokens, Docker Hub logins, Git access tokens, NPM authentication tokens, and PyPI API keys. Trend Micro says attackers could use the stolen credentials to publish malicious software updates or pivot into cloud environments. QLNX includes multiple stealth features, including memory-only execution, rootkit functionality, log clearing, and six separate persistence mechanisms. The malware also deploys Pluggable Authentication Module backdoors to harvest credentials and supports dozens of commands for remote control, file manipulation, and data theft.

Researchers warn the malware’s danger comes from how its capabilities work together to establish long-term stealth and persistent access inside developer environments. A successful compromise of a software maintainer could expose downstream users through poisoned packages and altered build pipelines.
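Two of the capabilities described above map directly onto checks a defender can run on a developer host: which of the named credential stores are present and readable by other local accounts, and which modules the PAM configuration actually loads. The following is an added example, not from the podcast or Trend Micro: a Python audit of the AWS, Kubernetes, Docker, Git, npm and PyPI credential files at their tools' conventional default paths, plus a parser that lists every module referenced under a pam.d directory so the list can be diffed against a baseline from a clean host. The sample home directory and pam.d file are constructed for the demo, and the function names are this example's own.

```python
"""Defender-side audit for the developer secrets and PAM configuration that
the reported QLNX RAT goes after. Added example, not from the podcast or
Trend Micro; credential paths are the tools' conventional defaults, and the
sample home directory and pam.d file are CONSTRUCTED for the demo."""
import os
import stat
import tempfile
from pathlib import Path

# Conventional default locations of the credential stores named in the story.
CREDENTIAL_STORES = {
    "aws": ".aws/credentials",
    "kubernetes": ".kube/config",
    "docker": ".docker/config.json",
    "git": ".git-credentials",
    "npm": ".npmrc",
    "pypi": ".pypirc",
}


def audit_home(home: Path) -> list[dict]:
    """Report which credential stores exist and whether group/other permission
    bits let another local account read them."""
    findings = []
    for name, rel in CREDENTIAL_STORES.items():
        path = home / rel
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({"store": name, "mode": oct(mode),
                         "exposed": bool(mode & (stat.S_IRWXG | stat.S_IRWXO))})
    return findings


def exposed_stores(home: Path) -> list[str]:
    """Names of credential stores present and readable beyond the owner."""
    return sorted(f["store"] for f in audit_home(home) if f["exposed"])


def pam_modules(pam_dir: Path) -> dict[str, set[str]]:
    """Map every PAM module referenced under pam_dir to the files that load
    it. Diff against a baseline from a clean host; an unrecognised module
    name is the thing to look at."""
    seen: dict[str, set[str]] = {}
    for cfg in sorted(p for p in pam_dir.iterdir() if p.is_file()):
        for raw in cfg.read_text(errors="replace").splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("@include"):
                continue
            tokens = line.split()
            # The control field may be a bracketed list such as
            # "[success=1 default=ignore]" spanning several tokens.
            idx = 1
            if len(tokens) > 1 and tokens[1].startswith("["):
                while idx < len(tokens) and not tokens[idx].endswith("]"):
                    idx += 1
            module_idx = idx + 1
            if module_idx >= len(tokens):
                continue
            module = os.path.basename(tokens[module_idx])
            seen.setdefault(module, set()).add(cfg.name)
    return seen


def build_sample_environment(base: Path) -> tuple[Path, Path]:
    """CONSTRUCTED sample: one world-readable and one owner-only credential
    file, and a pam.d with two module references."""
    home = base / "home"
    (home / ".aws").mkdir(parents=True)
    creds = home / ".aws" / "credentials"
    creds.write_text("[default]\naws_access_key_id = PLACEHOLDER\n")
    os.chmod(creds, 0o644)          # readable by every local user: flagged
    npmrc = home / ".npmrc"
    npmrc.write_text("//registry.example/:_authToken=PLACEHOLDER\n")
    os.chmod(npmrc, 0o600)          # owner-only: not flagged
    pam_dir = base / "pam.d"
    pam_dir.mkdir()
    (pam_dir / "sshd").write_text(
        "# constructed sample pam.d file\n"
        "auth required pam_unix.so nullok\n"
        "auth [success=1 default=ignore] pam_example_extra.so\n"
        "@include common-auth\n")
    return home, pam_dir


def demo() -> tuple[list[str], dict[str, set[str]]]:
    """Run both checks against the constructed sample in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        home, pam_dir = build_sample_environment(Path(tmp))
        return exposed_stores(home), pam_modules(pam_dir)


if __name__ == "__main__":
    exposed, modules = demo()
    print("exposed credential stores:", exposed)
    for module, files in sorted(modules.items()):
        print(f"{module:24} referenced by {sorted(files)}")
```

Pointing `audit_home` at `Path.home()` and `pam_modules` at `Path("/etc/pam.d")` turns this into a real host check; the PAM list is only useful when compared against a baseline captured before the host was in question, and a memory-only implant will not show up in either check, so treat them as one input to detection rather than proof of a clean system.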

Vimeo blames a third-party provider for a recent breach.

Vimeo says a breach affecting more than 119,000 users originated through third-party analytics provider Anodot, not Vimeo’s own systems.

According to Have I Been Pwned, attackers accessed customer email addresses and some associated names. Vimeo says the stolen data also included video titles and metadata, but not video content, login credentials, or payment card information. The company linked the incident to compromised Anodot integrations and says it has since disabled the connection, revoked credentials, and launched an investigation with outside security support.

Researchers and breach analysts warn that exposed email lists tied to contextual account data can fuel targeted phishing campaigns for years after a breach.

Palo Alto’s Captive Portal is under attack. 

Palo Alto Networks is warning customers that attackers are exploiting a critical zero-day flaw in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal.

Tracked as CVE-2026-0300, the buffer overflow vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on exposed PA-Series and VM-Series firewalls. Palo Alto says limited exploitation has already been observed against internet-facing systems. The company has not yet released a patch and is urging customers to restrict portal access to trusted internal networks or disable the feature entirely.

Shadowserver says more than 5,800 vulnerable VM-Series firewalls remain exposed online.

The FTC settles with a data broker over location sharing. 

The Federal Trade Commission and data broker Kochava have reached a proposed settlement that would bar the company from selling or sharing sensitive location data without explicit consumer consent.

The FTC accused Kochava in a 2023 complaint of collecting and selling detailed geolocation data, mobile device identifiers, app usage information, and income data. Regulators said the company’s data could reveal visits to places like health clinics and houses of worship without users’ knowledge. Under the agreement, Kochava must implement programs to track sensitive locations, verify consent from data suppliers, limit data retention, and allow consumers to withdraw consent or request information about data sales.

The case highlights growing regulatory pressure on the location data industry and the risks tied to large-scale collection of precise consumer movement data. Kochava says the settlement reflects its commitment to privacy and responsible data practices.

A former Conti gang member gets jail time. 

A Latvian national accused of working with former members of the Conti ransomware group has been sentenced to 102 months in prison for conspiracy involving wire fraud and money laundering.

U.S. authorities say Deniss Zolotarjovs participated in ransomware operations between 2021 and 2023 that targeted more than 54 organizations using malware families including Conti, Akira, Royal, and Karakurt. Investigators say the attacks caused hundreds of millions of dollars in losses and involved the theft of sensitive personal and health information. Zolotarjovs was arrested in Georgia in 2023, extradited to the United States in 2024, and pleaded guilty last year.

The case underscores continued international cooperation against ransomware operators and highlights how former Conti affiliates continue to appear across multiple ransomware-as-a-service operations years after the group’s original disruption.

Geotargeting turns creepy. 

A 19-year-old University of Tennessee student is suing the makers of the dating app Meete, alleging the company turned a harmless TikTok graduation video into an ad suggesting she was looking for “friends with benefits,” then geotargeted the promotion to people near her dorm. Few college introductions are awkward enough to begin with, “Hey, I keep seeing your dating app ad on Snapchat,” but according to the lawsuit, that is exactly how she discovered it.

The complaint alleges Meete edited her video, added graphics and a voiceover, and used location-based targeting to serve the ads to nearby men without her consent. Her attorney says the campaign damaged her reputation and created real safety concerns by falsely implying she endorsed the app and was soliciting hookups.

The case highlights how simple editing tools and ad-targeting systems can weaponize someone’s likeness without sophisticated artificial intelligence. Snap says it is investigating, while Meete’s listed publisher, which advertises “safety and respect first,” has not publicly responded.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.