This briefing covers threat activity observed on May 20, 2026. The primary threats identified include a widespread SSHDKit backdoor campaign targeting Linux systems globally, seven critical vulnerabilities added to CISA's Known Exploited Vulnerabilities catalog (including legacy Microsoft products and two current Microsoft Defender flaws), and active ClearFake malware distribution. The SSHDKit campaign shows significant scale with 49 distinct distribution URLs across multiple continents, indicating an active botnet operation targeting SSH infrastructure. Organizations should prioritize patching the two newly identified Microsoft Defender vulnerabilities (CVE-2026-45498 and CVE-2026-41091) immediately, as these affect currently supported products. The legacy CVEs added to the KEV catalog, while affecting end-of-life products, suggest active exploitation of unpatched systems and underscore the importance of asset lifecycle management.
CISA added seven vulnerabilities to the KEV catalog, including two current Microsoft Defender flaws and five legacy vulnerabilities affecting end-of-life products that remain actively exploited.
Critical buffer overflow in the Windows Server Service allowing remote code execution via a crafted RPC request. This long-known vulnerability (MS08-067) is still being exploited against unpatched legacy systems.
Microsoft Defender contains an unspecified denial of service vulnerability. This affects currently supported products and requires immediate patching.
Microsoft Defender contains a link following vulnerability allowing authorized attackers to elevate privileges locally. Represents a post-compromise persistence and privilege escalation risk.
Use-after-free vulnerability in end-of-life Internet Explorer allowing remote code execution. Indicates continued targeting of legacy browser environments.
Heap-based buffer overflow in legacy Adobe Acrobat and Reader versions enabling arbitrary code execution via crafted PDF files.
Observed large-scale SSHDKit backdoor distribution campaign with 49 active distribution URLs, plus ClearFake social engineering malware continuing operations.
49 active URLs distributing the SSHDKit ELF backdoor, which targets Linux systems globally. Distribution infrastructure spans Asia-Pacific, Europe, the Middle East, and Africa. SSHDKit typically replaces the legitimate SSH daemon to provide persistent remote access while preserving normal SSH functionality. Indicators suggest a botnet-scale operation.
ClearFake malware campaign using social engineering through compromised legitimate websites (meadowprocessingframework.garden). ClearFake typically impersonates browser update prompts to deliver malware payloads.
Active Mozi botnet distribution targeting MIPS-based IoT devices via shell script dropper. Mozi is a peer-to-peer botnet known for DDoS capabilities and cryptocurrency mining.
Analysis of attack techniques observed across malware campaigns and exploitation activity.
SSHDKit campaign demonstrates sophisticated persistence through SSH daemon replacement, allowing threat actors to maintain access while preserving legitimate SSH service functionality. This technique evades basic integrity monitoring.
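Because a replaced sshd keeps working normally, the practical detection is to stop trusting the service's behaviour and compare the binary itself against a known-good baseline, both on disk and for the processes actually running. The script below is an added example written for this briefing, not tooling from the campaign analysis or from any vendor: it parses a manifest in the format dpkg records under /var/lib/dpkg/info/<package>.md5sums, hashes the on-disk sshd against it, and walks /proc to flag an sshd process whose backing executable has been unlinked or swapped since it started. The manifest text, the "binary" contents, and the fake /proc tree in demo() are all constructed fixtures so the example runs offline; on a real host you would point it at the actual manifest and the real /proc.

```python
#!/usr/bin/env python3
"""Baseline integrity check for SSH daemon replacement (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse dpkg-style '<md5hex>  <relative path>' lines into {path: md5}."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 32 or not rel:
            continue  # skip malformed lines rather than trusting them
        baseline[rel.strip().lstrip("/")] = digest.lower()
    return baseline


def md5_file(path):
    """Hash a file in chunks; md5 only because that is what the manifest stores."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binary(rel_path, baseline, root="/"):
    """Return (status, detail): 'ok', 'modified', 'missing' or 'unlisted'."""
    expected = baseline.get(rel_path)
    if expected is None:
        return "unlisted", "no baseline entry for this path"
    full = os.path.join(root, rel_path)
    if not os.path.isfile(full):
        return "missing", "file not present on disk"
    actual = md5_file(full)
    if actual != expected:
        return "modified", f"expected {expected} got {actual}"
    return "ok", actual


def running_exe_findings(proc_root="/proc", name="sshd"):
    """For each process whose comm is `name`, resolve /proc/<pid>/exe.
    Returns (pid, exe_target, replaced) where replaced is True when the
    kernel reports the backing file as ' (deleted)', i.e. the inode the
    process runs from is no longer the file at that path."""
    findings = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            continue  # process exited or not ours to inspect
        if comm != name:
            continue
        findings.append((int(pid), target, target.endswith(" (deleted)")))
    return findings


def demo():
    """Constructed fixture: a known-good sshd, a swapped-in replacement,
    and a fake /proc with one sshd running from an unlinked file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = b"\x7fELF constructed known-good sshd"
        bad = b"\x7fELF constructed replacement sshd"
        sshd = root / "usr" / "sbin" / "sshd"
        sshd.parent.mkdir(parents=True)
        sshd.write_bytes(good)
        manifest = (
            "# constructed sample in dpkg md5sums format\n"
            f"{hashlib.md5(good).hexdigest()}  usr/sbin/sshd\n"
        )
        baseline = parse_md5sums(manifest)
        before = check_binary("usr/sbin/sshd", baseline, root=str(root))[0]
        sshd.write_bytes(bad)  # simulate the daemon binary being replaced
        after = check_binary("usr/sbin/sshd", baseline, root=str(root))[0]

        proc = root / "proc"
        (proc / "4242").mkdir(parents=True)
        (proc / "4242" / "comm").write_text("sshd\n")
        os.symlink("/usr/sbin/sshd (deleted)", proc / "4242" / "exe")
        (proc / "4243").mkdir()
        (proc / "4243" / "comm").write_text("bash\n")
        os.symlink("/usr/bin/bash", proc / "4243" / "exe")
        flagged = [pid for pid, _, replaced in running_exe_findings(str(proc)) if replaced]
        return {"before": before, "after": after, "flagged_pids": flagged}


if __name__ == "__main__":
    print(demo())  # {'before': 'ok', 'after': 'modified', 'flagged_pids': [4242]}
```

On Debian-family hosts the same on-disk comparison is what `dpkg -V openssh-server` performs, and `rpm -V openssh-server` on RPM-based systems; the value of the /proc pass is that it catches a daemon that was replaced without a restart. Treat a " (deleted)" sshd as a lead rather than a verdict: a routine package upgrade produces the same state until the service is restarted, so correlate it with package manager logs and the on-disk hash result before escalating.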