Dark Storm Team Hits 11 Israeli Government Portals; PAN-OS Auth Bypass CVE-2026-0257 Exploited | June 5 CTI Brief
Summary
June 5 was a heavy day: 177 events spanning DDoS, ransomware, and data exposure operations. The most tactically significant development is Dark Storm Team's coordinated hit on eleven Israeli government portals in a single-day campaign, alongside a DieNet operation against eight Dutch public services. A Palo Alto Networks advisory confirmed active exploitation of CVE-2026-0257, a CVSS 7.8 authentication bypass in PAN-OS GlobalProtect. Qilin ransomware posted nine new victims across six countries. Google Threat Intelligence published a detailed report on UNC3753's targeted vishing campaign against US law firms, now confirmed as an ongoing operation through May 2026.
Key developments
Dark Storm Team: coordinated Israeli government DDoS campaign
Dark Storm Team posted eleven DDoS attacks against Israeli government infrastructure in a single day: Ministry of Finance, Ministry of Justice, Government Chief Information Officer, Israel National Cyber Directorate portal, Prime Minister's Office, Ministry of Foreign Affairs, Israeli Security Agency, Ministry of Education, Employment Service, Israel Tax Authority, and the Presidency of Ecuador. The campaign is the group's most comprehensive single-day government-targeting operation in recent months. Dark Storm Team, a pro-Palestinian hacktivist group, has been active since the Gaza conflict and significantly escalated activity during the Iran war. The simultaneous targeting of INCD (the Israeli equivalent of CISA), the PM's Office, and major revenue agencies suggests deliberate selection of high-visibility symbolic targets rather than a random spray. Ecuador's Presidency was also hit; no public reason for that target was given.
CVE-2026-0257: PAN-OS GlobalProtect authentication bypass under active exploitation
Palo Alto Networks confirmed that CVE-2026-0257 (CVSS 7.8), an authentication bypass in the PAN-OS GlobalProtect portal and gateway, is being actively exploited in the wild. The vulnerability allows attackers to bypass security restrictions and establish unauthorized VPN connections without valid credentials. Unit 42 published a threat brief noting exploitation activity. Organizations using PAN-OS should apply the available patch immediately; GlobalProtect is widely deployed as a remote access VPN in enterprise environments, making this a high-priority remediation item. The vulnerability is rated medium-severity, but the active exploitation status upgrades its effective risk profile.
Qilin ransomware: nine targets in six countries
Qilin posted nine new victims on June 5: Trican Well Service Ltd. (Canada, oil and gas), Don Don d.o.o. (Slovenia, food production), AvCon Jet (Austria, aviation), Ontario Home Builders' Association (Canada, real estate), Interspa-Gruppe (Germany, recreational facilities), Swim-Mor Pools and Spas (US, construction), Pro-Mec Engineering Services (US, mechanical engineering), Jay's Catering (US, events services), and Central Florida Cosmetic and Family Dentistry (US, healthcare). Qilin continues its cross-sector campaign pattern, with no apparent industry focus; the victim list spans five sectors across three continents. Healthcare remains in the target pool.
DieNet: coordinated Dutch public services campaign
DieNet launched eight DDoS attacks against Dutch public services and infrastructure: iDEAL (digital payment system), UWV (national unemployment benefits agency), MijnOverheid (citizen government portal), Netherlands Enterprise Agency (RVO), 9292 (public transport route planner), Nederlandse Spoorwegen (national railways), Telecom-NL, and Living in Holland. The coordinated targeting of iDEAL (the primary Dutch online payment method) alongside the railways and the government citizen portal suggests an attempt to disrupt daily-life digital infrastructure. DieNet has previously targeted German and Belgian infrastructure; the Netherlands campaign is an escalation in scope.
UNC3753 / Luna Moth: targeted vishing campaign against US law firms
Google Threat Intelligence published a detailed report on UNC3753 (also tracked as Luna Moth / Silent Ransom Group), a financially motivated threat cluster that has targeted dozens of US law firms in a data theft extortion campaign from January through May 2026. The primary vector is voice phishing (vishing): actors impersonate internal IT helpdesk staff and convince employees to install remote monitoring and management (RMM) software. In several confirmed incidents, individuals physically entered corporate offices posing as IT contractors to establish persistent access. Law firms are targeted for the high value of privileged client data, including M&A intelligence and attorney-client communications. Google assessed UNC3753 as distinct from but operationally similar to Scattered Spider; the vishing-to-physical-infiltration escalation represents a new operational tier.
Android spyware Asin: Arabic-language targeting with war-themed lures
HackerNews reported on Android spyware designated Asin, targeting Arabic-language users via fake news applications, PDF readers and war map applications. The apps mimic legitimate tools users would install to follow the Iran-Israel conflict, delivering persistent spyware once installed. Asin exfiltrates contacts, SMS messages, call logs and location data. Distribution appears to be via third-party app stores and social media direct messages. The use of war-themed lures is consistent with conflict-opportunistic mobile malware deployment patterns observed since February 2026.
Additional noteworthy events
- LOCKBIT 5.0: Sierra Vista Hospital (United States) — healthcare ransomware; patient data exposure likely
- PLAY ransomware: 4 additional victims across the US and Europe
- 0xulnar: Alleged data breach of Nasdaq (US) — claim details unverified; Nasdaq has not confirmed
- The BlackH4t MD-Ghost: Alleged data breach of Qatar National Bank — financial sector, unverified
- Armenian code: DDoS against Armenia's Ministry of Defense and Government — likely Azerbaijani-linked hacktivist activity
- NoName057(16): 7 DDoS events targeting European infrastructure — ongoing Russian-linked hacktivist campaign
- OP-512: New threat cluster targeting Microsoft IIS servers with custom web shell frameworks (HackerNews report)
- Chrome 149: Patches 429 vulnerabilities — high-priority browser update for enterprise fleets