Articles

CMD Organization – New Ransomware Operator Moves to Place Public Bidding Wars on Ransomed Data

In April, Beazley Security’s incident response team was called in after a newly surfaced affiliate calling itself CMD Organization deployed ransomware and exfiltrated data from a victim organization. By adding a bidding platform to its leak site, the group lets potential buyers participate directly in the extortion process. In this post, we document what our responders uncovered about CMD Organization and explore their leak site.

May 14 - 11 Min Read

Vect 2.0: An Insider Perspective On The New Ransomware Variant

An insider look at Vect 2.0, a rapidly emerging ransomware-as-a-service operation that has gone from forum post to full-fledged platform in a matter of months. We walk through the affiliate panel, commission structure, and the technical capabilities of its Windows and ESXi lockers.

Apr 24 - 18 Min Read

Pay2Key Iranian-Linked Ransomware is Back, Back Again

In late February, Beazley Security's Incident Response team responded to a ransomware intrusion at a U.S. healthcare organization attributed to Pay2Key, an Iranian government-linked threat actor that has operated since 2020. Investigation showed that the attacker had maintained access to a compromised admin account for several days before deploying ransomware and encrypting the environment within three hours.

Mar 24 - 25 Min Read

Chasing a Ghost: PXA Stealer Part 2

A follow-up to our previous article on LoneNone and his PXA Stealer malware, in which we detail some rare insights into the malware author's back-end operations and the evolution of their capabilities.

Oct 30 - 17 Min Read

Quantum Redirect: Offense by Vibes

When you send phishing campaigns to a security company, you really shouldn't ask LLMs to build your infrastructure.

Oct 27 - 26 Min Read

Advisories

Critical Vulnerability in Cisco Catalyst SD-WAN Controller Under Active Exploitation (CVE-2026-20182)

On May 14th, Cisco published an advisory detailing a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN controller infrastructure. The vulnerability, tracked as CVE-2026-20182, is a peering authentication bypass between SD-WAN infrastructure components and is similar to a vulnerability disclosed three months earlier. Active exploitation has been confirmed in the wild, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Like the vulnerability reported in late February, this flaw allows an unauthenticated attacker to bypass authentication and create a rogue peer to a victim’s SD-WAN controller. By creating a rogue peer, an attacker can escalate to highly privileged access within the SD-WAN ecosystem and manipulate configurations via NETCONF.

May 14 - 4 Min Read

Critical 18-Year-Old RCE Vulnerability in NGINX aka “NGINX Rift” (CVE-2026-42945)

On May 13th, 2026, F5 released an advisory regarding a flaw that, under specific non-default conditions, could allow unauthenticated remote code execution (RCE) in NGINX Open Source and NGINX Plus. Tracked as CVE-2026-42945 and nicknamed “NGINX Rift”, the vulnerability stems from a heap buffer overflow in the ‘ngx_http_rewrite_module’ that has been present in the codebase since 2008.

May 14 - 4 Min Read

Critical Auth Bypass Vulnerability in FortiAuthenticator (CVE-2026-44277)

On May 12th, Fortinet publicly disclosed a critical vulnerability affecting Fortinet FortiAuthenticator, which handles Identity and Access Management (IAM) within some Fortinet architectures. The flaw is tracked as CVE-2026-44277 and classified as an improper access control vulnerability that allows unauthenticated attackers to execute unauthorized code remotely.

May 12 - 2 Min Read

Critical Supply Chain Attack Targeting TanStack Affecting Multiple NPM & PyPI Packages

Another TeamPCP NPM supply-chain attack, this one hitting TanStack and worming into other dependencies across NPM and other package managers, affecting over 200 versions of widely distributed packages.

May 11 - 7 Min Read

Critical Vulnerability in Palo Alto PAN-OS Authentication Portal (CVE-2026-0300)

On May 6th, Palo Alto Networks announced CVE-2026-0300, an authentication bypass vulnerability in PAN-OS that allows an unauthenticated attacker to bypass authentication and remotely execute code as root on PAN-OS PA-Series and VM-Series firewalls.

May 5 - 4 Min Read