
Monthly Threat Report May 2026
Supply Chains, Kernel Flaws, and the AI Security Gap
Introduction
The Monthly Threat Report from Hornetsecurity by Proofpoint brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on industry events from the month of April 2026. As a news and commentary edition, this month’s report prioritizes depth on emerging threats and industry research over statistical data sections.
Executive Summary
- New research from our parent company Proofpoint reveals that half of global organizations have experienced a confirmed or suspected AI-related security incident, including among the 63% that report having AI security controls in place. The finding signals a widening gap between AI deployment velocity and the maturity of controls designed to govern it.
- CVE-2026-31431, known as “Copy Fail,” allows any unprivileged local user to obtain root access on virtually every major Linux distribution running kernels from 2017 onward, via a 732-byte Python exploit with claimed 100% reliability across affected distributions. Patches are available and should be applied immediately.
- OpenAI disclosed that a GitHub Actions misconfiguration exposed its code-signing certificate infrastructure to the March 31 Axios npm supply chain attack, though no user data, systems, or intellectual property was confirmed compromised. Older macOS OpenAI desktop applications will stop functioning after May 8, 2026.
- Our Threat Intelligence Lab documented a sustained Remcos RAT delivery campaign active since at least November 2025, using purchase-order phishing lures and a layered, fileless execution chain designed to evade detection tools that rely on scanning for dropped binaries.
- Email remains the dominant threat vector, cited by 63% of respondents in Proofpoint’s 2026 AI and Human Risk Landscape report as the most common attack entry point. Among organizations that experienced incidents, 67% involved email as the channel of compromise.
- Only one-third of organizations say they are fully prepared to investigate an AI-related security incident, revealing a critical gap not just in prevention controls but in incident response capability as AI-driven threats mature.
Threat Overview
Remcos RAT Returns: A Layered, Fileless Attack Chain Built to Evade Detection
Our Threat Intelligence Lab has documented a sustained phishing campaign delivering Remcos RAT through a multi-stage, fileless execution chain observed repeatedly since November 2025. The full technical analysis is available on the Hornetsecurity security blog.
The campaign opens with a deceptive email impersonating a purchase-order workflow. Subject lines follow the pattern of legitimate procurement communications (“Order Request: UAB Sarens – PO #SB-0407026-001” in the observed example). The attachment uses double-extension masquerading: a file named with a .txz extension that appears to be a document but is a compressed archive containing an executable payload.
From that initial deception, the attack proceeds through four stages designed to minimize disk artifacts and evade detection:
Stage 1: A Visual Basic Script (VBS) executes via wscript.exe, invoking PowerShell with an execution-policy bypass flag to reduce visibility.
Stage 2: The PowerShell stage downloads what appears to be a PNG image from a remote server. The image contains hidden encoded content appended after legitimate image data, reducing the number of obvious intermediary files written to disk and contributing to a more fileless overall execution chain.
Stage 3: Multiple deobfuscation layers process the hidden content: character substitution, base64 reversal and decoding, and reconstruction of a .NET executable with a valid MZ header.
Stage 4: The .NET assembly loads directly into memory via the AppDomain.Load method, bypassing disk entirely. Multiple indicators confirm the payload as Remcos RAT: Remcos-specific mutex artifacts, registry keys under HKCU\SOFTWARE\Rmc-HQO1B7, and encrypted TLS communication patterns matching Remcos 3.x/4.x JA3 fingerprints.
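One defensive check against the Stage 2 carrier described above, added here as an example and not taken from the Hornetsecurity analysis: a structurally valid PNG ends at its IEND chunk, so any bytes after it are appended content worth triaging. The function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow IEND.

    Raises ValueError when the data is not a structurally valid PNG, so a
    caller can tell "clean image" from "could not parse".
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    offset = len(PNG_SIGNATURE)
    while True:
        header = data[offset:offset + 8]
        if len(header) < 8:
            raise ValueError("ran out of data before an IEND chunk")
        length, ctype = struct.unpack(">I4s", header)
        end = offset + 8 + length + 4  # header + body + CRC
        if end > len(data):
            raise ValueError("chunk length runs past end of data")
        body = data[offset + 8:end - 4]
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != stored_crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        offset = end
        if ctype == b"IEND":
            return len(data) - offset


def triage_png(data: bytes) -> str:
    """Classify a downloaded image for an analyst queue."""
    try:
        extra = png_trailing_bytes(data)
    except ValueError as exc:
        return f"invalid: {exc}"
    return "clean" if extra == 0 else f"appended-data: {extra} bytes after IEND"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as test input (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = build_sample_png()
    print(triage_png(clean))
    print(triage_png(clean + b"QUJD" * 64))  # constructed trailing blob
```

Run over images fetched by script hosts or pulled from proxy captures, the "appended-data" verdict is a lead for analysis rather than proof of malice, since some benign tools also write data after IEND.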
Why It Matters
No single technique in this chain is novel. The effectiveness comes from the orchestration: each stage hands off cleanly to the next in a way that keeps detection surfaces small. Antivirus tools scanning for dropped binaries will not typically catch a payload loaded directly into memory. Some legacy email security filters may pass an archive containing a VBS loader when no obvious executable is present. Organizations relying on perimeter detection alone, without endpoint-level behavioral monitoring, are well-positioned to miss this chain entirely.
The sustained nature of this campaign also warrants attention. Active since at least November 2025, this is not an opportunistic one-off. The consistency of the purchase-order lure and the technical sophistication of the delivery chain point to an operator who has refined this approach over time and found it productive.
We recommend treating all email-borne business communication attachments as potential full execution chains rather than individual files. Security controls that evaluate delivery chains as a whole rather than individual stages are significantly more likely to surface campaigns of this type.
Indicators of Compromise (IOCs)
Domains:
- nrmlogistics[.]ro
- dentalux202[.]ydns[.]eu
IP Addresses:
- 107.172.139.23
- 193.230.215.22
- 94.198.96.165
File Hashes (SHA-256):
- 95e6c6c13f65217f41c371abf6d03594b2bfed2259a1813bb4222fb2d3c32745 (PNG with hidden payload)
- 53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b (Payload)
- bd835498f0526e2a80da2efc58cddf96834dbfe9924e4465130602bce7a3314a (Archive)
- 5bd356b14a0647170924904f7c0411d62ca79733594fe6f7d8277dd68c1ca217 (VBS loader)
Proofpoint Research: Half of Global Organizations Have Already Experienced an AI-Related Security Incident
Proofpoint’s 2026 AI and Human Risk Landscape report, published April 28, 2026 and drawing on a survey of more than 1,400 security professionals across 12 countries and 20 industries, delivers a finding that should recalibrate how organizations assess their AI security posture: half of all global organizations have experienced a confirmed or suspected AI-related security incident, including among those that already have AI security controls in place.
The deployment context matters here. 87% of organizations have moved AI assistants beyond the pilot stage, and 76% are actively piloting or rolling out autonomous agents. That velocity has clearly outpaced security maturity: 42% of organizations reported a suspicious or confirmed AI-related incident, and among the 63% that report having AI security coverage in place, fully half still experienced an incident. Controls are present but not sufficient.
Several data points from the report deserve particular attention:
- Email remains the dominant attack vector. 63% of respondents cited email as the most common threat vector, and among organizations that experienced incidents, 67% involved email as the channel of compromise.
- AI systems are now incident surfaces themselves. 36% of organizations report facing threats that specifically involve AI assistants or agents. Among incident victims, 53% said an AI system was directly involved.
- Investigation readiness is dangerously low. Only one-third of organizations say they are fully prepared to investigate an AI-related security incident. 41% struggle to correlate threats across channels, which is precisely the cross-channel visibility required when an AI agent is a compromised component.
- Tool fragmentation is compounding the problem. 94% of respondents find managing multiple security tools at least moderately challenging, and more than half describe it as very or extremely difficult. That operational overhead degrades both response speed and the visibility organizations need when something goes wrong.
Why It Matters
The security industry has spent years calibrating defenses against human threat actors exploiting human users. AI systems introduce a third variable: an automated, trusted, privileged entity operating at machine speed that may be manipulated, misconfigured, or directly compromised. The challenge is compounded by the fact that few organizations have developed the incident response playbooks, logging coverage, or forensic tooling needed to investigate a compromised or abused AI agent.
The data suggests the current approach, deploying AI broadly while layering conventional security controls around it, is not working. Half of organizations with controls in place experienced incidents anyway. That is not a baseline worth accepting.
Proofpoint’s findings point toward three concrete gaps worth addressing first: training coverage (47% of respondents lack adequate AI security training), visibility into AI and agent activity (42% report gaps here), and governance alignment across teams (41% report misalignment). These are not exotic security engineering problems. They are organizational and process gaps that can be addressed without waiting for the tooling market to mature.
Major Incidents and Industry Events
“Copy Fail” (CVE-2026-31431): A Nine-Year-Old Linux Kernel Bug Grants Any Local User Root Access
On April 29, 2026, security firm Theori publicly disclosed CVE-2026-31431, a local privilege escalation vulnerability in the Linux kernel now known as “Copy Fail.” The flaw had been reported to the Linux kernel security team five weeks earlier on March 23, with patches available within one week of that disclosure and upstream fixes merged April 1. Bleeping Computer covered the public disclosure, and The Hacker News independently confirmed the scope and severity.
The vulnerability carries a CVSS score of 7.8 and affects virtually every major Linux distribution running kernels released since 2017, up to and including 6.19.12. Confirmed affected distributions include Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Arch, AlmaLinux, and others across the broader Linux ecosystem. The scope is wide.
The root cause is a logic bug in the Linux kernel’s authencesn cryptographic template, introduced when an in-place buffer optimization was added to the kernel’s AEAD (Authenticated Encryption with Associated Data) encryption routines in 2017. By combining the AF_ALG socket interface with the splice() system call, an unprivileged local user can trigger a controlled 4-byte write into the page cache of any readable file on the system. When directed at a setuid-root binary, the result is root access. Theori demonstrated this with a 732-byte Python script, claiming 100% exploit reliability across affected distributions.
Patched kernel versions are 6.18.22, 6.19.12, and 7.0. Ubuntu 26.04 (Resolute) and later are not affected. For systems where an immediate kernel upgrade is not possible, disabling the algif_aead kernel module persistently is the recommended interim mitigation. CISA has added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild and setting a May 15, 2026 remediation deadline for federal systems.
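A way to audit the interim mitigation on a host, added here as an example and not taken from Theori's or any distribution's advisory. It assumes the persistent disable is done with a modprobe.d "install" override, and it reads the text of /proc/modules and the modprobe configuration; the sample inputs are constructed. It cannot see code compiled into the kernel itself, which modprobe settings do not affect.

```python
MODULE = "algif_aead"
NOOP_COMMANDS = {"true", "false"}  # e.g. /bin/false, /usr/bin/true


def _norm(name: str) -> str:
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.replace("-", "_")


def module_loaded(proc_modules: str) -> bool:
    """True if the module appears in the text of /proc/modules."""
    for line in proc_modules.splitlines():
        fields = line.split()
        if fields and fields[0] == MODULE:
            return True
    return False


def load_blocked(modprobe_conf: str) -> bool:
    """True if an `install algif_aead <no-op>` override is configured.

    A `blacklist` line is deliberately not counted: it only suppresses a
    module's internal aliases and does not stop a load requested by name.
    """
    for line in modprobe_conf.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "install":
            continue  # also skips blank lines and '#' comments
        command = fields[2].rsplit("/", 1)[-1]
        if _norm(fields[1]) == MODULE and command in NOOP_COMMANDS:
            return True
    return False


def assess(proc_modules: str, modprobe_conf: str) -> str:
    loaded = module_loaded(proc_modules)
    blocked = load_blocked(modprobe_conf)
    if blocked and not loaded:
        return "mitigated"
    if blocked:
        return "blocked-but-loaded"  # unload the module or reboot
    return "exposed-loaded" if loaded else "exposed-loadable"


# Constructed sample inputs.
PROC_LOADED = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n"
)
CONF_BLACKLIST = "blacklist algif_aead\n"
CONF_INSTALL = "# interim mitigation\ninstall algif_aead /bin/false\n"

if __name__ == "__main__":
    for proc, conf in [(PROC_LOADED, ""), ("", CONF_BLACKLIST),
                       (PROC_LOADED, CONF_INSTALL), ("", CONF_INSTALL)]:
        print(assess(proc, conf))
```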
Why It Matters
Local privilege escalation vulnerabilities are often treated as lower priority than remote code execution because they require some level of existing access. In practice, that framing consistently underestimates their real-world significance. In cloud environments, containerized infrastructure, and shared hosting scenarios, the barrier to “local” access is frequently lower than it appears: a compromised web application, a phished low-privileged account, or a container escape can all provide the foothold from which a local privilege escalation becomes root.
This flaw has the additional distinction of having existed in production Linux kernels since 2017. Nine years of stable, widely deployed infrastructure carrying a reliable and now-public path to root is a meaningful exposure window. Organizations should treat this as a high-priority patching item regardless of the local-only framing in the CVSS score, particularly across cloud workloads, developer systems, and any environment where multiple users or services share underlying kernel access.
OpenAI Discloses Limited Exposure from the Axios npm Supply Chain Attack
As we covered in the April edition of this report, on March 31, 2026, North Korean threat actors published malicious versions of the Axios npm package to the registry, with the packages live for approximately three hours before detection and removal. OpenAI has since disclosed that its own infrastructure was among those exposed. OpenAI’s statement details the incident and the company’s response.
The malicious Axios version (1.14.1) executed within a GitHub Actions workflow at OpenAI on March 31. That workflow was tied to the code-signing certificates used to authenticate OpenAI’s desktop applications. OpenAI states it found no evidence that user data was accessed, that its systems or intellectual property were compromised, or that its published software was altered. The exposure was limited to the certificate infrastructure that the affected workflow touched.
OpenAI’s response has centered on rotating the affected certificates. As a consequence, older versions of OpenAI’s macOS desktop applications will stop receiving updates and may stop functioning entirely as of May 8, 2026. Users running older versions need to update.
According to OpenAI’s own disclosure, the root cause was a misconfiguration in the GitHub Actions workflow: the workflow referenced a floating tag rather than a specific commit hash, and had no minimumReleaseAge policy configured for incoming package versions. Pinning to a commit hash and enforcing a minimum release age are both standard supply chain hardening practices that would have prevented the malicious package from executing in this pipeline.
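The floating-tag half of that root cause can be audited mechanically. The following is an added example, not OpenAI's or GitHub's tooling: it flags every "uses:" reference in a workflow file that is not pinned to a full 40-character commit SHA (or, for docker:// images, a sha256 digest). The example-org action names and the SHA in the sample workflow are constructed.

```python
import re

# `uses:` as a step or as a job-level reusable-workflow reference.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, reason) for every mutable `uses:` ref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./"):
            continue  # local action, versioned with the repository itself
        if target.startswith("docker://"):
            if not DIGEST_RE.search(target):
                findings.append((lineno, target, "image not pinned by digest"))
            continue
        _, sep, ref = target.rpartition("@")
        if not sep:
            findings.append((lineno, target, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(ref):
            findings.append((lineno, target, "tag or branch, not a commit SHA"))
    return findings


# Constructed workflow: one tag, one pinned SHA, one branch, one local action.
SAMPLE_WORKFLOW = """\
name: release
on: push
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: example-org/sign-action@main
      - uses: ./.github/actions/local-step
      - name: build
        run: npm ci
"""

if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

A version tag such as v4 is reported alongside a branch such as main because both can be moved to a different commit after the workflow was reviewed.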
Why It Matters
OpenAI’s disclosure is worth examining beyond its limited-exposure headline for a few reasons.
First, it illustrates the real-world blast radius of the Axios attack in concrete terms. OpenAI’s code-signing certificates are not peripheral infrastructure. If those certificates had been silently replaced with attacker-controlled values, the downstream capability would have included distributing malicious software updates appearing to be legitimately signed OpenAI applications. That is a significant capability to briefly hold, even if OpenAI’s investigation found no evidence of exploitation.
Second, the root cause is entirely preventable and common. Referencing floating tags rather than pinning specific commit hashes in CI/CD pipelines is a widely documented supply chain risk. The fact that an organization of OpenAI’s resources and security focus had this misconfiguration in a sensitive, certificate-adjacent workflow is a useful reminder that supply chain hygiene gaps are not a problem exclusive to under-resourced teams.
Third, the May 8 end-of-support deadline for older macOS app versions is a meaningful and time-sensitive consequence. Organizations with OpenAI desktop tooling in their environment should treat this as an immediate software update item, both to maintain functionality and to confirm they are running software signed by the rotated, clean certificate chain.
Predictions for the Coming Months
- AI-related incidents will increase in frequency as agentic deployments scale. Proofpoint’s data shows that organizations furthest along in AI deployment are already experiencing incidents at higher rates. As autonomous agent adoption moves from 76% piloting toward broader production rollout, the attack surface will grow accordingly. Expect both opportunistic abuse of AI-accessible data and more deliberate targeting of AI agent credentials and API access.
- The Copy Fail vulnerability will appear in post-compromise activity reports. Kernel upgrades require planned maintenance windows across cloud and on-premise infrastructure, meaning many systems will remain vulnerable for weeks. A public, 732-byte proof-of-concept with claimed 100% reliability is an attractive post-exploitation tool. Expect CVE-2026-31431 to surface in incident investigations over the coming months.
- North Korean supply chain operations will continue to escalate. The Axios attack demonstrates a willingness to target foundational developer infrastructure with broad reach. The pattern of Contagious Interview followed by the Axios attack reflects a deliberate progression toward higher-impact targets. Further attacks against widely used open-source packages, CI/CD tooling, or developer credential infrastructure are a logical continuation.
- CI/CD pipeline security will receive increased organizational attention. OpenAI’s disclosure of the floating tag misconfiguration is the kind of concrete, named-company example that drives internal security reviews. Expect security teams to queue pipeline hardening audits in the coming months, with particular focus on supply chain controls for sensitive workflows involving code signing and release publishing.
- Fileless and memory-resident malware delivery will continue to grow. The Remcos RAT campaign we documented shows that effective campaigns do not require novel techniques. Layered fileless execution chains are increasingly the baseline, not the exception. Detection strategies that rely on scanning for dropped files will continue to fall behind as operators refine approaches like the one we observed.
Monthly Recommendations
- Patch CVE-2026-31431 (Copy Fail) immediately across all affected Linux systems. Prioritize cloud workloads, developer systems, and any environment where shared kernel access exists. For systems that cannot be patched immediately, disable the algif_aead kernel module as an interim mitigation. Do not treat the local-only attack vector as justification for delayed patching: the blast radius of a local privilege escalation is determined by what an attacker already has access to, not by the vulnerability’s classification.
- Update all OpenAI macOS desktop applications. Older versions will stop receiving updates and may cease to function. Organizations with OpenAI tooling in their environment should treat this as an urgent software update item and verify that updated versions are running software signed by the rotated certificate chain.
- Audit CI/CD pipelines for floating tag usage and missing package age policies. The OpenAI incident root cause, a sensitive GitHub Actions workflow referencing a floating tag rather than pinning a specific commit hash, is a common and correctable misconfiguration. Review all pipelines handling sensitive operations (code signing, release publishing, credential access) for this pattern. Be sure to configure minimumReleaseAge policies for npm package consumption where available.
- Deploy Security Awareness Training that covers fileless phishing chains. The Remcos RAT campaign documented by our Threat Intelligence Lab bypasses conventional attachment scanning by delivering execution chains rather than payloads. Employees should understand that a business-formatted email with an archive attachment is not necessarily safe even when no obvious executable is present. Training on recognizing purchase-order lures and unexpected archive attachments from unknown senders is a meaningful and actionable control.
- Conduct a structured AI security audit covering training, visibility, and governance gaps. Proofpoint’s research identified three addressable gaps common across organizations experiencing AI incidents: inadequate training (47%), visibility gaps into AI and agent activity (42%), and governance misalignment across teams (41%). Each can be addressed without waiting for purpose-built AI security tooling to mature. A structured review of who is using AI tools, what access those tools have, how their activity is logged, and what policies govern their use is a reasonable and achievable starting point for most organizations.