Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Speak with an ExpertGigaWiper Combines Espionage and Destructive Capabilities in a Modular Backdoor
GigaWiper is a Golang-based Windows backdoor that combines persistent remote access, espionage, and destructive functionality within a single implant. Unlike traditional wipers that focus solely on data destruction, GigaWiper enables attackers to maintain access to compromised systems, conduct reconnaissance, and execute destructive actions without deploying separate tooling. The malware supports capabilities including remote command execution, screenshot capture, screen recording, hidden VNC sessions, and system manipulation.
When instructed by the operator, GigaWiper can execute multiple destructive routines, including raw disk wiping, partition deletion, and a ransomware-like encryption mechanism that permanently encrypts files without retaining decryption keys. Persistence is established through scheduled tasks and registry modifications, while command-and-control communications leverage RabbitMQ and Redis. The combination of long-term access, reconnaissance, and irreversible destructive capabilities allows attackers to transition rapidly from post-compromise activity to impact operations from a single implant.
Pre-Auth Bypass in BeyondTrust RS and PRA
BeyondTrust has disclosed multiple vulnerabilities affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. The most severe issue could allow unauthenticated attackers to bypass authentication and gain unauthorized access to vulnerable appliances, potentially leading to compromise of privileged environments.
The advisory addresses a critical pre-authentication authentication bypass vulnerability, tracked as CVE-2026-40138 (CVSS Score 9.2), which impacts specific authentication configurations and may enable remote attackers to gain elevated access without valid credentials. A second high-severity vulnerability, CVE-2026-40140 (CVSS Score 8.7), could be exploited to trigger a denial-of-service condition through improper handling of network input.
GodDamn Ransomware Uses Signed Malicious Kernel Driver
GodDamn is a rebranded ransomware that uses a signed malicious kernel driver to disable endpoint defenses, enabling credential theft, lateral movement, and widespread file encryption. Targets face data loss, operational disruption, and extended recovery time.
In the observed campaign the initial access vector was not identified; early activity showed a remoteโaccess application placed in a user profile folder. Operators deployed a fake security tool that dropped a signed kernel driver into the driver store, then ran a large credentialโharvesting toolkit (including Mimikatz and multiple browser/credential utilities). They used remote execution to move laterally, mounted administrative shares with stolen credentials, configured unattended remote access, established persistence via services and startup, and finally deployed the ransomware after a multiโday dwell period. Encrypted files were sometimes given a unique extension or renamed using the victim organization name.
The signed kernel driver can terminate security processes and remove userโmode hooks, allowing the ransomware to operate with limited endpoint visibility. The campaign shows a clear escalation in defenseโevasion techniques and reuses a consistent toolset for credential theft, network mapping, and remote access.
Oracle E-Business Suite CVE-2026-46817 Actively Exploited
A critical vulnerability in Oracle E-Business Suite (EBS) is being actively exploited in the wild, increasing the risk to organizations relying on Oracle Payments for business-critical operations. Tracked as CVE-2026-46817 (CVSS 9.8), the flaw affects the Oracle Payments File Transmission component and allows unauthenticated attackers with network access over HTTP to fully compromise vulnerable systems. Active exploitation has been observed despite the absence of a public proof-of-concept, suggesting the use of privately developed exploit tooling.
The vulnerability stems from missing authentication and improper privilege management within the File Transmission component. Successful exploitation enables remote attackers to compromise the confidentiality, integrity, and availability of affected Oracle Payments instances, potentially resulting in complete system takeover. Recent observations indicate attackers issuing crafted HTTP POST requests to the /OA_HTML/ibytransmit endpoint with malicious XML payloads, including attempts to access sensitive local files, although the full exploitation chain has not been publicly disclosed. Previous Oracle E-Business Suite vulnerabilities have been leveraged by the Cl0p ransomware group to conduct large-scale data theft and extortion campaigns, highlighting the platform’s continued value as a target for financially motivated threat actors.
Active Exploitation of Citrix NetScaler “CitrixBleed 2” Vulnerability CVE-2026-8451
Citrix has released security updates for multiple vulnerabilities affecting NetScaler ADC and NetScaler Gateway that could allow unauthenticated attackers to read arbitrary files, disclose sensitive memory contents, or trigger denial-of-service (DoS) conditions under specific configurations. The flaws affect enterprise application delivery and remote access infrastructure commonly deployed at the network edge, making them attractive targets for threat actors seeking initial access or service disruption. Following public disclosure, active exploitation of CVE-2026-8451 has been observed in the wild, with attacks reported less than 24 hours after technical details and proof-of-concept (PoC) code became publicly available.
The most critical issue, CVE-2026-8451 (CVSS 8.8), is an insufficient input validation vulnerability that can disclose sensitive memory contents when NetScaler is configured as a SAML Identity Provider. The flaw belongs to the same class of memory disclosure vulnerabilities as the 2023 CitrixBleed attacks and has been dubbed “CitrixBleed 2” by security researchers. Observed exploitation involves attackers leveraging publicly available PoC code to retrieve sensitive information from vulnerable appliances. Additional vulnerabilities addressed by Citrix include CVE-2026-8452 (CVSS 8.8), which can trigger denial-of-service through insufficient input validation; CVE-2026-8655 (CVSS 8.8), involving multiple memory overflow vulnerabilities that can result in unpredictable behavior or DoS in Oracle load balancer and DNS deployments; CVE-2026-10816 (CVSS 7.7), an external control of file path vulnerability enabling unauthenticated arbitrary file reads when management interfaces are exposed; and CVE-2026-13474 (CVSS 8.7), which enables HTTP/2-based denial-of-service attacks.
Linux Kernel Privilege Escalation Exploited
An actively exploited local privilege escalation vulnerability in the Linux kernel, CVE-2026-43456 (CVSS 7.8), allows an attacker with local access to gain root under specific conditions. Multiple kernel versions are affected and patches have been published.
The flaw results from improper handling of kernel interfaces that permits escalation from a local session to root when certain conditions are met. Observed exploitation chains begin with a local foothold or access to an untrusted service/container, then leverage the kernel flaw to obtain elevated privileges and perform persistent actions as root. Remediation updates addressing the underlying code paths are available.
This vulnerability has been entered into CISA KEV, indicating active use in the wild. Organizations with multi-tenant hosts, developer workstations, containers, or systems allowing local user access should treat this as high priority. Forensic review of suspected hosts can confirm exploitation timelines and guide containment and recovery.
NEWS AND RESOURCES
Whatโs on at CyberProof
Speak with an expert
Explore how CyberProof can help you anticipate, prevent, and mitigate ever-evolving cyberattacks in hybrid and cloud-native environments.
SPEAK WITH AN EXPERT








