May 5, 2026 Emerging Threats Weekly

May 5, 2026

This week’s briefing covers:

00:00 – Intro

03:05 [INSIDER] LAPSUS$ Revives Insider-Access Recruitment
LAPSUS$ has reportedly reactivated an insider recruitment campaign focused on obtaining direct access into the environments of telecoms, technology and AI organizations. Rather than prioritizing stolen datasets or conventional external exploitation, the group is seeking employees willing to provide operational access into corporate networks, including VPN and VDI credentials, Citrix sessions, remote administration tools (such as AnyDesk) or other internal footholds.

04:52 [VULNERABILITY] LiteLLM Pre-auth SQL Injection CVE-2026-42208 Exploitation
A critical pre-authentication SQL injection flaw in LiteLLM, CVE-2026-42208, is already seeing exploitation attempts, according to reporting. The bug affects an open-source gateway commonly used to broker access to major AI providers, making it a high-value target because it centralizes credentials and model-access tokens.

06:04 [SOCIAL ENGINEERING] BlueNoroff Revives Fake Zoom Meetings With Deepfake-Enhanced Tradecraft
Arctic Wolf Labs has identified a campaign attributed with high likelihood to BlueNoroff, the financially motivated Lazarus subgroup, targeting a North American Web3 and cryptocurrency firm. The campaign uses fake Zoom and Teams meetings as the lure, but the notable change is the apparent use of AI-generated imagery, recycled webcam footage and pre-recorded content to make the calls more convincing.

08:14 [SUPPLY CHAIN] GlassWorm Expands With 73 Sleeper Open VSX Extensions
Recent reporting on The Gentlemen Ransomware-as-a-Service operation shows a more mature affiliate model than many newer brands. A DFIR write-up says an affiliate already holding domain administrator access used layered tooling including Cobalt Strike, attempted SystemBC proxy deployment, and then distributed the encryptor through group policy for near-simultaneous execution across the domain.

10:14 [CAMPAIGN] BlackFile Ties Vishing-Led Extortion to Retail and Hospitality Data Theft
BlackFile is a newly emerged threat group responsible for the early 2026 surge of vishing-led data theft in retail and hospitality. The group has been observed gaining valid credentials through corporate help desk impersonation attacks.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder

#krollcyber #threatintelligence #cyberthreats