May 26, 2026 by sig9
Hacker Wars - May 26, 2026
Your daily dose of infosec chaos
Retail breaches, Iranian APTs still hunting after military strikes, and LMS zero-days getting exploited in the wild. Another Monday in infosec where “patch everything” is starting to sound less like advice and more like a survival strategy.
7-Eleven Breach Hits 185,000 Customers
ShinyHunters leaked data from 7-Eleven, exposing names, email addresses, physical addresses, and dates of birth of roughly 185,000 people. The breach came through a third-party partner repository, which is corporate-speak for “our vendor got popped and we inherited the mess.” If you have a 7-Eleven account, assume your PII is out there.
What to do: Change passwords on any 7-Eleven-linked accounts and watch for targeted phishing that uses your leaked personal details.
Iranian APT Nimbus Manticore Hits Aviation and Software
The Iranian threat group Nimbus Manticore has been quietly targeting aviation and software companies with refreshed tooling, and notably kept operating through and after the US military campaign against Iran. These folks don’t take days off, apparently. The updated toolkit suggests they’re investing in staying ahead of detection.
What to do: If you’re in aviation or defense-adjacent software, review your network segmentation and check IOCs from recent Nimbus Manticore reports.
Microsoft Defender Gets Auto-Isolation for Compromised Endpoints
Microsoft is rolling out a feature in Defender for Endpoint that automatically isolates compromised machines from the network. The idea is to cut off lateral movement before attackers can pivot, essentially giving your SOC a robot that slams the network door shut without waiting for a human to approve the JIRA ticket.
What to do: Evaluate this capability in your Defender for Endpoint deployment and plan your isolation policies before enabling it in production.
KnowledgeDeliver Zero-Day Leads to Godzilla Web Shells
Attackers exploited a zero-day in KnowledgeDeliver LMS to deploy Godzilla web shells and Cobalt Strike beacons on vulnerable servers. LMS platforms are often overlooked in patch cycles because nobody thinks the training portal is interesting to attackers. Spoiler: they’re wrong.
What to do: Audit your KnowledgeDeliver deployments immediately, check for unexpected web shells, and restrict internet-facing LMS instances.
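One concrete way to do the "check for unexpected web shells" step is a baseline diff of the web root: hash every server-side script file at deploy time, then re-walk the tree and flag anything new or changed. This is an added example for this bulletin, not KnowledgeDeliver's own tooling; the web-root layout, the extension list and the sample files are assumptions constructed here.

```python
"""Baseline-diff a web root to surface server-side script files that were not
there when the known-good manifest was taken. Added example for this bulletin;
not KnowledgeDeliver's own tooling. Web-root layout, extension list and the
sample files below are assumptions constructed for the demo."""
import hashlib
import os
import tempfile

# Extensions a dropped web shell would typically use on a Java or PHP stack.
SCRIPT_EXTS = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(webroot):
    """Map relative path -> sha256 for every script file under webroot."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest

def find_unexpected(webroot, baseline):
    """Return (new_files, modified_files) relative to a known-good baseline."""
    current = build_manifest(webroot)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, modified

def demo():
    # Constructed sample: a clean deploy, then a file dropped and one altered later.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "login.jsp"), "w") as f:
        f.write("<%-- legitimate page --%>")
    baseline = build_manifest(root)  # taken at deploy time, stored off-box
    with open(os.path.join(root, "app", "help.jsp"), "w") as f:
        f.write("<%-- not part of the deploy --%>")
    with open(os.path.join(root, "app", "login.jsp"), "a") as f:
        f.write("<%-- appended after deploy --%>")
    return find_unexpected(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest off the host, since an attacker with write access to the web root can rewrite a manifest kept beside it.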
Dutch Police Seize 800 Servers From Bulletproof Hosting Providers
Netherlands law enforcement arrested two administrators and seized 800 servers from a bulletproof hosting operation that had been providing infrastructure to Russian cybercriminal groups. The service was essentially an Airbnb for malware operators. This won’t stop the threat actors, but it does mean they need to find new real estate.
What to do: Check if any of your threat intel feeds have updated blocklists with the seized infrastructure and update your defenses accordingly.
That’s the chaos for today. Stay sharp out there.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown
This bulletin is provided for informational purposes. Contact us for tailored security analysis.