Oracle Patch, OceanLotus Campaigns, OnyxC2 Stealer Hit Headlines

Events tracked: 0
Critical exposure: 0

Summary

Today's intelligence landscape is defined by a convergence of established threats and emerging capabilities. While no new critical data exposures were recorded, the operational tempo remains high with a confirmed zero-day exploitation, a sophisticated state-aligned espionage campaign, and a new commercial malware strain that lowers the barrier for credential theft. Defenders should focus on patching known exploited vulnerabilities, scrutinizing AI agent supply chains, and preparing for an increase in targeted, low-cost infostealer operations.

Today's developments

Oracle Patch and Zero-Day Exploitation: Oracle has released a patch for CVE-2026-35273, a PeopleSoft vulnerability that security reporters note is being actively exploited. The company has not confirmed whether this is the zero-day allegedly used by the ShinyHunters group in recent attacks. Separately, ShinyHunters has claimed responsibility for a breach at the University of Nottingham, allegedly leaking over 450,000 email addresses. The university has confirmed the incident.

State-Aligned Espionage: Industry researchers have attributed two distinct campaigns to the Vietnam-aligned threat actor OceanLotus. The campaigns, which ran from mid-2024 to February 2026, targeted a Vietnamese infrastructure and transport construction corporation and stock investors using a backdoor known as SPECTRALVIPER. The supply chain attack component highlights the group's evolving tradecraft.

Emerging Malware and Exploit Kits: A new malware-as-a-service offering called OnyxC2 is being marketed to cybercriminals for $250 a month. Researchers describe it as an enterprise-grade stealer that targets over 200 applications and extensions, using encrypted payloads and DLL sideloading to evade detection. Separately, a proof-of-concept exploit dubbed "GreatXML" has been published that bypasses Microsoft's BitLocker encryption by abusing Defender's offline scan to spawn a SYSTEM shell during recovery mode.

Vulnerability and Policy Updates: CISA has issued Binding Operational Directive (BOD) 26-04, requiring federal agencies to prioritize patching based on risk, with a focus on the Known Exploited Vulnerabilities (KEV) catalog. Splunk and Palo Alto Networks have both released patches for severe vulnerabilities that could allow arbitrary file manipulation. Hackers are also actively exploiting a previously disclosed Langflow vulnerability for remote code execution.
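Risk-based prioritization against the KEV catalog is the one item in this edition a defender can operationalize directly. The following is an added example, not code from the page, CISA, or any vendor named here: it takes a constructed scanner inventory and a constructed KEV-style snapshot and orders findings by KEV membership, ransomware use, remediation due date, exposure, and CVSS. The field names `cveID`, `dueDate`, and `knownRansomwareCampaignUse` follow the CISA KEV JSON feed's schema as an assumption; all CVE identifiers below are placeholders, and the tiering rules are a sample policy, not the text of BOD 26-04.

```python
"""Order a vulnerability inventory by a KEV-first, risk-based policy.

Added example with constructed data. The KEV_SNAPSHOT records mimic the
field names of the CISA KEV feed (assumption); CVE numbers are placeholders.
"""
from datetime import date
from typing import Dict, List, Optional

# Constructed snapshot shaped like the KEV feed's "vulnerabilities" array.
KEV_SNAPSHOT: List[Dict[str, str]] = [
    {"cveID": "CVE-0000-00001", "dueDate": "2026-05-01",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "dueDate": "2026-05-15",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed scanner output: one row per (host, CVE) finding.
FINDINGS: List[Dict] = [
    {"host": "app-01", "cve": "CVE-0000-00003", "cvss": 9.8, "internet_facing": False},
    {"host": "erp-01", "cve": "CVE-0000-00001", "cvss": 7.5, "internet_facing": True},
    {"host": "db-02",  "cve": "CVE-0000-00002", "cvss": 6.5, "internet_facing": False},
    {"host": "web-03", "cve": "CVE-0000-00004", "cvss": 5.3, "internet_facing": True},
]

FAR_FUTURE = 10**6  # sort sentinel for findings with no KEV due date


def prioritize(findings: List[Dict], kev_records: List[Dict[str, str]],
               today: date) -> List[Dict]:
    """Return findings annotated with a tier and sorted highest priority first.

    Tier 1: in KEV with known ransomware campaign use.
    Tier 2: in KEV (due date drives the order within the tier).
    Tier 3: not in KEV; internet-facing hosts first, then descending CVSS.
    """
    kev = {r["cveID"]: r for r in kev_records}
    ranked: List[Dict] = []
    for f in findings:
        entry = kev.get(f["cve"])
        days_to_due: Optional[int] = None
        if entry is None:
            tier = 3
        else:
            days_to_due = (date.fromisoformat(entry["dueDate"]) - today).days
            tier = 1 if entry.get("knownRansomwareCampaignUse") == "Known" else 2
        ranked.append({
            **f,
            "tier": tier,
            "days_to_due": days_to_due,
            # A negative day count means the KEV remediation deadline has passed.
            "overdue": days_to_due is not None and days_to_due < 0,
        })
    ranked.sort(key=lambda r: (
        r["tier"],
        r["days_to_due"] if r["days_to_due"] is not None else FAR_FUTURE,
        not r["internet_facing"],   # exposed hosts sort before internal ones
        -r["cvss"],                 # then by severity, highest first
    ))
    return ranked


def overdue_hosts(ranked: List[Dict]) -> List[str]:
    """Hosts carrying a KEV item whose due date has already passed."""
    return [r["host"] for r in ranked if r["overdue"]]


if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_SNAPSHOT, date(2026, 4, 20)):
        print(f"T{r['tier']} {r['host']:7} {r['cve']} cvss={r['cvss']} "
              f"due_in={r['days_to_due']} overdue={r['overdue']}")
```

In practice the snapshot would be replaced by the downloaded KEV feed and the findings by the scanner export; the point of the ordering is that a CVSS 9.8 on an internal host still queues behind a lower-scored CVE that is confirmed exploited in the wild, which is the behaviour the directive's KEV focus is meant to produce.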

AI Agent Security: Researchers from Unit 42 have published guidance on verifying the integrity of third-party skills in enterprise AI agent supply chains, warning of hidden vulnerabilities and multi-stage attack chains. This follows reports that AI agents can be tricked into leaking real credentials.

Threat landscape signals

The absence of new large-scale data breaches today is notable, but it masks a high level of targeted activity. The OceanLotus campaigns demonstrate that state-aligned actors are investing in long-term, supply-chain-focused operations against specific sectors. Meanwhile, the emergence of OnyxC2 as a low-cost, high-capability stealer signals a democratization of credential theft that will likely increase the volume of targeted intrusions against mid-market organizations. The CISA BOD 26-04 reinforces a shift toward risk-based prioritization, a necessary response to the shrinking patch window driven by AI-accelerated exploit development.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
