Cyware Daily Threat Intelligence - June 01, 2026

A single click or a rogue USB drive can now trigger a multi-stage breach, as attackers wield the modular Gamma malware ecosystem to quietly plant, steal, and spread inside Windows environments. Cyware spotlights how Gamaredon is leveraging spearphishing and native Windows tricks to escalate from initial access to persistent, organization-wide compromise.
Thousands of attacks per day are slashing through Citrix NetScaler ADC deployments, as a critical memory overread flaw exposes sensitive data directly from device memory. Organizations in Germany, Hong Kong, France, the United States, and Poland face ongoing exploitation, with attackers fueling follow-on intrusions and operational disruptions.
Routine npm installs have become a silent threat for developers, as the codexui-android package siphons OpenAI refresh tokens from a package with over 27,000 weekly downloads. This campaign turns everyday coding into a credential leak, enabling attackers to hijack sessions and access accounts without raising alarms.
Top Malware Reported in the Last 24 Hours
Gamaredon evolves Gamma malware infection chain
The Gamma malware ecosystem, developed by Gamaredon, is a modular toolkit designed for stealthy implant deployment, data theft, and lateral movement within Windows environments. Gamma initiates infections through GammaPhish spearphishing with weaponized xHTML exploiting CVE-2025-8088, and relies on Windows-native techniques for persistence and propagation. GammaWorm spreads via USB and network drives, employing NTFS alternate data streams (ADS) and scheduled tasks to maintain access, and also maintains a backdoor while propagating further. GammaLoad deploys payloads and GammaSteel exfiltrates data. Gamma targets Windows environments across organizations. Researchers analyzing over 70 artifacts from compromised hosts confirmed the distinct roles and early-stage activity of the Gamma toolkit.
SmartApeSG ClickFix drops NetSupport RAT
The SmartApeSG ClickFix campaign deploys an unidentified RAT as a first-stage infection, followed by installation of NetSupport Manager RAT for persistent remote control. SmartApeSG ClickFix uses fake verification pages and encoded traffic over TCP port 443 to evade detection. The infection chain involves a ZIP archive, a script named processor.vbs, a batch file (token.bat), and a CAB file (setup.cab) containing the NetSupport payload. SmartApeSG ClickFix deletes these components after installation to minimize forensic traces. The campaign targets users and businesses, granting attackers hands-on remote access. The activity was detected on May 27, 2026, highlighting the ongoing risk of remote access tool deployment.
codexui-android npm package steals tokens
The malicious npm package codexui-android is designed to steal OpenAI refresh tokens and other credentials, enabling account takeover. codexui-android executes a hidden script (chunk-PUR7OUAG.js) upon loading, extracting access_token, id_token, account ID, and refresh_token from auth.json. codexui-android transmits these values to sentry[.]anyclawstore, masquerading as telemetry. The same infrastructure is linked to Android apps such as codex.app and OpenClaw Codex Claude AI Agent, which unpack a Termux-derived Linux userland to run the npm code. codexui-android targets developers and teams using AI coding tools. Aikido Security identified the package on May 27, 2026, with 27,000 weekly downloads reported.
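A defender-side audit of a node_modules tree for the behaviour described above, added here as an example (not Aikido Security's tooling or code from the report). The package name, file name and exfiltration host come from the item; the behavioural rule (a script that reads auth.json, references token keys and makes an outbound call) and the regexes are assumptions, so treat hits as leads for review rather than proof.

```python
"""Audit a node_modules tree for the codexui-android token-stealing pattern."""
import os
import re
from pathlib import Path

# Indicators taken from the report above; everything else is an assumed heuristic.
KNOWN_BAD_PACKAGES = {"codexui-android"}
KNOWN_BAD_FILES = {"chunk-PUR7OUAG.js"}
KNOWN_BAD_HOSTS = {"sentry.anyclawstore"}  # written sentry[.]anyclawstore in the report

CREDENTIAL_FILE = re.compile(r"auth\.json")
TOKEN_KEYS = re.compile(r"\b(refresh_token|access_token|id_token)\b")
NETWORK_CALL = re.compile(r"\b(fetch|https?\.request|axios|XMLHttpRequest)\b")


def scan_js_source(path: str, source: str) -> list[str]:
    """Return the reasons a single JS file resembles the stealer (empty if clean)."""
    reasons = []
    if Path(path).name in KNOWN_BAD_FILES:
        reasons.append("known malicious filename")
    if any(host in source for host in KNOWN_BAD_HOSTS):
        reasons.append("contacts known exfiltration host")
    # Behavioural rule: touches the CLI credential store, names tokens, and talks out.
    if CREDENTIAL_FILE.search(source) and TOKEN_KEYS.search(source) and NETWORK_CALL.search(source):
        reasons.append("reads auth.json tokens and performs a network call")
    return reasons


def scan_node_modules(root: str) -> dict[str, list[str]]:
    """Walk a node_modules tree and map each suspicious path to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name in KNOWN_BAD_PACKAGES:
            findings[dirpath] = ["known malicious package"]
        for name in files:
            if not name.endswith((".js", ".mjs", ".cjs")):
                continue
            full = os.path.join(dirpath, name)
            try:
                source = Path(full).read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            reasons = scan_js_source(full, source)
            if reasons:
                findings[full] = reasons
    return findings


if __name__ == "__main__":
    for path, why in scan_node_modules("node_modules").items():
        print(path, "->", "; ".join(why))
```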
Top Vulnerabilities Reported in the Last 24 Hours
Palo Alto VPN bug opens networks
CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect (CVSS 7.8), allowing attackers to establish unauthorized VPN sessions and access internal networks. Successful exploitation lets attackers impersonate legitimate users by forging authentication override cookies. CVE-2026-0257 is already being exploited in the wild. Rapid7 reported multiple exploitation waves, though no lateral movement has been observed. The bug was disclosed on May 13 and exploited by May 17. Federal agencies must patch by June 1, and fixes are available.
Citrix NetScaler attacks hit thousands daily
CVE-2026-3055 is a memory overread vulnerability in Citrix NetScaler ADC that allows attackers to read sensitive information directly from device memory. Exploitation of CVE-2026-3055 can lead to follow-on intrusions, outages, account takeovers, and cascading access failures. Attackers are already exploiting this vulnerability at scale, with thousands of attacks daily. watchTowr first reported the issue on March 29, and CISA issued a directive on March 30. Targeting continues across tech, telecom, automotive, managed security service providers, and governments, especially in Germany, Hong Kong, France, the United States, and Poland. Security updates have been available since March 23, 2026.
Windows domain controllers face zero-click RCE
CVE-2026-41089 is a remote code execution vulnerability in Windows Netlogon affecting domain controllers, enabling unauthenticated attackers to execute code and compromise entire Windows domains. Exploitation of CVE-2026-41089 can result in lateral movement, credential theft, ransomware deployment, and broad data exfiltration. Attackers are actively exploiting this vulnerability. Public-sector defenders, including the Center for Cybersecurity Belgium, have issued urgent advisories. The bug affects Windows Server versions from 2012 onward. Microsoft addressed 118 vulnerabilities in May 2026 Patch Tuesday, including 16 rated critical.