ZeroFox Weekly Intelligence Brief – May 9, 2026

by Alpha Team

ZeroFox’s Weekly Intelligence Briefing highlights the major developments and trends across the threat landscape, including digital, cyber, and physical threats. ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 6:00 AM (EST) on May 7, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

Critical cPanel Zero-Day

What we know:

  • A critical authentication bypass vulnerability (CVE-2026-41940) affecting web server management software cPanel is being actively exploited.
  • Approximately 1.5 million cPanel instances are exposed online, with over 40,000 servers compromised worldwide.
  • Since the initial patch release on April 28, 2026, attackers have ramped up efforts, targeting government and military entities in Southeast Asia using public proofs of concept.

DAEMON Tools Compromised in Supply Chain Attack

What we know:

  • Threat actors have compromised installers for the popular DAEMON Tools virtual drive software, embedding a backdoor that has infected thousands of systems across more than 100 countries.
  • The attack targets versions 12.5.0.2421 through 12.5.0.2434, with infections reported since April 8.

Fragmented Botnet Infrastructure Fuels Stealthy DDoS Campaign

What we know:

  • In mid-April, threat actors launched 2.45 billion malicious requests against a major platform within five hours, in a “low and slow” distributed denial-of-service (DDoS) campaign.
  • The attack reportedly peaked at 205,344 requests per second, while evading standard rate-limiting defenses.

Tags: tlp:green