cPanel Zero-Day Exploits, AI-Assisted Attacks, and Global Breach Surge
Summary
Today's threat landscape is defined by a convergence of high-volume, opportunistic exploitation and targeted, high-impact breaches. The ongoing cPanel zero-day campaign, compromising over 40,000 servers, represents a critical infrastructure-level event that demands immediate patching. Simultaneously, a wave of 43 alleged data exposures -- spanning financial services, defense, and government sectors across 20+ countries -- signals that threat actors are aggressively monetizing access and data. Defenders should prioritize patching known vulnerabilities, scrutinizing email security, and preparing for AI-enhanced phishing campaigns.
Today's developments
The most significant operational security event today is the widespread exploitation of CVE-2026-41940, a critical cPanel zero-day. Industry researchers report that over 40,000 servers have been compromised, with a previously unknown threat actor targeting government and military entities in Southeast Asia, as well as managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and Microsoft has observed limited exploitation, primarily associated with proof-of-concept testing. This campaign underscores the risk of unpatched web hosting infrastructure and the cascading impact on downstream customers.
In parallel, a high volume of alleged data breaches and leaks was reported today, with 43 critical events tracked. Notable incidents include:
- Rheinmetall (Germany / Defense & Space): The actor "Infrastructure Destruction Squad" claims to have breached the German defense contractor. This is a high-priority incident given the sensitivity of the sector.
- Trustpilot (Denmark / IT Services): The actor "MDGhost" claims to have breached the review platform, potentially exposing user and business data.
- Crocs (Israel / Retail): The actor "campfire" claims to have breached the footwear retailer, adding to a pattern of retail sector targeting.
- Punjab National Bank (India / Banking): The actor "Neffex THe BlackHat" claims to have breached one of India's largest public sector banks.
- Government of Pakistan (Pakistan / Government Administration): The actor "shalimaar13" claims to have breached government systems, while another actor, "RubiconH4CK," claims to have obtained defense documents.
- WhatsApp (Global / Social Media): The actor "x0ghost" claims to have breached the messaging platform. This claim requires verification given the platform's scale and security posture.
- Banco de Machala (Ecuador / Financial Services): The actor "GondorPe" claims to have leaked data from the Ecuadorian bank.
- Multiple French Sports Federations (France / Sports): The actor "selluk" claims to have breached multiple sports bodies, alongside a separate claim against insurer Malakoff Humanis.
The external analysis landscape highlights several key trends. SecurityWeek reports that DigiCert revoked certificates after a support portal hack in which attackers delivered malware via a customer chat channel. This incident demonstrates the risk of social engineering and supply chain attacks targeting certificate authorities. The Hacker News notes that 2026 is being characterized as "The Year of AI-Assisted Attacks," citing a case in which a 17-year-old used AI to extract data from a major Japanese internet cafe chain. Kaspersky's Securelist details a new phishing scheme weaponizing Amazon SES to bypass email security, a technique that defenders must now account for. Finally, edtech firm Instructure disclosed a data breach amid hacker leak threats, affecting names, email addresses, and student IDs.
Threat landscape signals
The data reveals a clear concentration of activity against the United States and France, each with 9 events, followed by Israel (7), Indonesia (6), and Venezuela (5). This suggests a broad, opportunistic targeting pattern rather than a single geopolitical campaign. The Financial Services and Banking & Mortgage sectors remain the most targeted, with 8 combined events, followed by Government Administration and Higher Education.
Actor concentration is notable, with BABAYO EROR SYSTEM (7 events) and Order403 (5 events) leading in volume, primarily associated with defacement and DDoS activity. However, the most impactful breaches are attributed to a diverse set of actors, including Neffex THe BlackHat, Infrastructure Destruction Squad, and MDGhost. The presence of actors like NoName057(16) (4 events) indicates continued hacktivist activity, likely targeting geopolitical adversaries.
The Ransomware category is relatively low today (4 events), but the Data Breach (33) and Data Leak (10) categories dominate. This suggests that threat actors are prioritizing data exfiltration and extortion over encryption, a trend consistent with the "big game hunting" ransomware model. The cPanel exploitation campaign, while not a ransomware event, is a critical precursor that could enable future ransomware deployments. Defenders should treat any unpatched cPanel instance as a high-risk asset and prioritize incident response for any signs of compromise.