CTI Daily Brief: 2026-05-07

Events tracked: 132 | Critical exposure: 32

Title: Data Leak Surge Targets Telecoms, Government; Cisco Patches Critical Flaws
Description: 32 critical data exposure events today, led by telecom and government leaks in France, Canada, and Israel. Patching the actively exploited PAN-OS zero-day and the newly fixed Cisco flaws is urgent. The PCPJack cloud worm is stealing credentials at scale.
Keywords: data leak, ransomware, DDoS, Cisco, PAN-OS, cloud worm, threat actors



Summary

Today's threat landscape is defined by a high volume of alleged data leaks and breaches targeting telecommunications providers and government entities across multiple continents, with France, Canada, and Israel as primary victims. While DDoS and defacement events remain numerically dominant, the critical exposures signal a shift toward data theft as a primary objective for actors like courtika and KARAWANG ERROR SYSTEM. Defenders should prioritize patching newly disclosed vulnerabilities in Cisco enterprise products and PAN-OS, as well as monitoring for the PCPJack cloud worm, which is actively harvesting credentials at scale.

Today's developments

The most concentrated activity today comes from actor courtika, who allegedly leaked a Canadian phone number dataset and two separate French databases -- one government-related and one B2B commercial dataset. These incidents underscore persistent targeting of telecom and public sector data in Western nations. Separately, actor dumpzeta claims to have leaked a United Kingdom citizens database, while Xyph0rix allegedly leaked data on Israeli citizens from a government source. The breadth of these claims, coming from several unrelated actors, points to sustained demand for personally identifiable information (PII) on underground markets.

In the breach category, several high-profile entities are implicated. Actor KARAWANG ERROR SYSTEM claims to have breached Forbes (United States, publishing), while MDGhost alleges a breach of Clark International Airport in the Philippines. The education sector is also heavily targeted: fuckiewuckie claims a breach of moreideas.ae involving 787,000 student records in Saudi Arabia, and rutify alleges a breach of Chile's Tarjeta Nacional Estudiantil (TNE). These incidents highlight the persistent value of student and employee data for credential stuffing and identity fraud.

Industry researchers at Unit 42 have detailed a zero-day vulnerability (CVE-2026-0300) in PAN-OS Captive Portal that enables unauthenticated remote code execution, with active exploitation observed. Separately, Cisco has patched high-severity flaws in enterprise products that could lead to code execution and denial-of-service. SentinelOne reports on PCPJack, a cloud worm that evicts existing cryptominers and steals financial, messaging, and enterprise credentials at scale, shifting from resource theft to credential harvesting for fraud and extortion. Additionally, Kaspersky researchers identified three malicious PyPI packages delivering ZiChatBot malware via Zulip APIs on both Windows and Linux.

Threat landscape signals

The top threat actors by event volume -- Hider_Nex (10), DieNet (9), SAFEPAY (9), Dark Storm Team (8), and NoName057(16) (7) -- are primarily associated with DDoS and defacement operations, not data theft. This suggests a bifurcated threat landscape in which high-volume nuisance attacks mask a smaller but more dangerous set of actors focused on data exfiltration. By victim country, the United States leads (14 events) and remains the top target across all categories, closely followed by Egypt (13) and Israel (12), where the concentration likely reflects hacktivist and geopolitical motivations.

The emergence of PCPJack as a credential-stealing cloud worm represents a tactical evolution in cloud-native attacks. Rather than simply mining cryptocurrency, adversaries are now prioritizing credential theft for lateral movement and data exfiltration. Taken together with the PAN-OS zero-day and the PyPI malware campaign, this argues for prioritizing patch management for edge devices and cloud infrastructure, enforcing multi-factor authentication on all externally facing services, and vetting third-party packages (pinned versions and hashes) before they are installed.
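The PyPI finding above is a reminder that version pins alone do not stop a malicious or substituted package; only a hash pin does. The following is an added example, not code from this brief or from Kaspersky, PyPI, or pip, that reimplements the check `pip install --require-hashes` performs so the logic is visible: it parses a requirements file with `--hash=` pins (including backslash continuation lines and comments), then verifies downloaded artifacts against them. The project names, file contents, and the tampered artifact are all constructed for the example.

```python
"""Hash-pinned dependency verification (the check behind pip's --require-hashes).

Added example, not code from the page or from any project it names. Project
names, artifact bytes, and the tampering below are constructed for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# pip accepts only these algorithms for --hash pins; weaker ones are ignored.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}

_HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text):
    """Map project name -> list of (algorithm, hex digest) pins.

    Handles '#' comments and backslash continuation lines, the layout
    pip-compile --generate-hashes emits. A project pinned without any
    --hash entry maps to an empty list so callers can reject it.
    """
    pins = {}
    logical = ""
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].rstrip()
        if raw.endswith("\\"):
            logical += raw[:-1] + " "
            continue
        line = (logical + raw).strip()
        logical = ""
        if not line:
            continue
        match = _NAME_RE.match(line)
        if not match:
            raise ValueError(f"unparseable requirement line: {line!r}")
        pins[normalize(match.group(1))] = [
            (h.group("alg"), h.group("digest").lower())
            for h in _HASH_RE.finditer(line)
        ]
    return pins


def project_from_filename(filename):
    """Project name from a wheel (PEP 427) or sdist filename."""
    stem = filename
    for suffix in (".whl", ".tar.gz", ".zip"):
        if stem.endswith(suffix):
            stem = stem[: -len(suffix)]
            break
    return normalize(stem.split("-", 1)[0])


def verify_artifact(path, pins):
    """Return (ok, reason) for one downloaded artifact.

    Rejects artifacts whose project is not pinned at all, is pinned without a
    usable hash, or whose bytes match none of the pinned digests.
    """
    path = Path(path)
    project = project_from_filename(path.name)
    if project not in pins:
        return False, f"{path.name}: project {project!r} is not in the pinned set"
    expected = [(a, d) for a, d in pins[project] if a in ALLOWED_ALGORITHMS]
    if not expected:
        return False, f"{path.name}: {project!r} has no usable --hash pin"
    data = path.read_bytes()
    for alg, digest in expected:
        if hashlib.new(alg, data).hexdigest() == digest:
            return True, f"{path.name}: {alg} digest matches pin"
    return False, f"{path.name}: digest matches no pinned hash"


def demo():
    """Constructed scenario: two hypothetical projects, one pinned with a hash
    and one by version only, plus an artifact that is tampered with after pinning."""
    genuine = b"PK\x03\x04 constructed wheel contents for the example\n"
    requirements = (
        "examplepkg==1.0.0 \\\n"
        f"    --hash=sha256:{hashlib.sha256(genuine).hexdigest()}\n"
        "otherpkg==0.8.2    # pinned by version only: must be rejected\n"
    )
    pins = parse_pinned_requirements(requirements)
    outcomes = []
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "examplepkg-1.0.0-py3-none-any.whl"
        wheel.write_bytes(genuine)
        outcomes.append(verify_artifact(wheel, pins)[0])   # True: matches pin
        wheel.write_bytes(genuine + b"# injected install hook\n")
        outcomes.append(verify_artifact(wheel, pins)[0])   # False: tampered bytes
        sdist = Path(tmp) / "otherpkg-0.8.2.tar.gz"
        sdist.write_bytes(b"irrelevant")
        outcomes.append(verify_artifact(sdist, pins)[0])   # False: no hash pin
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The second rejection is the one that matters for the campaign described above: a package pinned only by version is accepted by a plain `pip install -r`, whereas with hash pins a republished or substituted build with the same version string fails closed. In practice the pins are generated once from a vetted download (for example with `pip-compile --generate-hashes`) and reviewed on every change.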

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
