📋 Top Headlines at a Glance

  1. Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack
  2. Inside GentleKiller: The EDR-Killer Powering The Gentlemen
  3. Microsoft links Mastra AI supply chain attack to North Korean hackers
  4. Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
  5. French President Urges US to Share Cutting-Edge AI and Democracies to Cooperate on Regulation

Executive Summary: Today’s intelligence highlights a multi-faceted threat landscape marked by significant credential theft impacting Fortinet firewalls and active exploitation of Splunk Enterprise RCE. A new EDR-killer, GentleKiller, is enabling ransomware groups like The Gentlemen to bypass security controls. Simultaneously, state-sponsored actors are leveraging sophisticated supply chain attacks targeting AI components via npm packages. These technical threats are juxtaposed with critical discussions on international AI regulation, underscoring the growing complexity of securing digital and emerging technology infrastructures.

🌍 Technical Intelligence Breakdown

🚨 Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack

This past week saw several critical security incidents and emerging threats:

  • Credential Theft: Over 74,000 Fortinet firewall credentials have reportedly been stolen, posing a significant risk of unauthorized network access.
    • Defensive Action: Organizations using Fortinet products should immediately review logs for suspicious access attempts, enforce strong multi-factor authentication (MFA), and initiate password resets for all administrative and user accounts.
  • Active Exploitation: A Remote Code Execution (RCE) vulnerability in Splunk Enterprise is under active attack.
    • Defensive Action: Prioritize patching Splunk Enterprise instances to the latest secure version. Implement intrusion detection/prevention systems (IDS/IPS) to monitor for exploitation attempts and ensure robust logging is enabled for forensic analysis.
  • Hardware Supply Chain Risk: Researchers unveiled HAMLOCK, a novel backdoor attack method that splits malicious functionality between hardware (FPGAs and ASICs) and software. This technique complicates detection and introduces significant supply chain risks for deep learning systems on edge devices.
    • Defensive Action: Implement rigorous hardware and software supply chain verification processes. Monitor for unusual behavior in edge devices and deep learning systems, focusing on runtime integrity and unexpected resource utilization.

🔪 Inside GentleKiller: The EDR-Killer Powering The Gentlemen

The GentleKiller suite has emerged as a significant enabler for ransomware operations, specifically utilized by the group known as The Gentlemen.

  • EDR Evasion: GentleKiller is a centralized EDR-killer suite designed to rapidly disable security tools.
  • Exploitation Method: It weaponizes Bring Your Own Vulnerable Driver (BYOVD) exploits to achieve its objectives, effectively neutralizing endpoint detection and response capabilities.
  • Attack Chain Impact: This EDR-killer functionality precedes ransomware attacks, allowing threat actors to operate with reduced detection risk.
  • Intelligence Source: ESET’s detailed breakdown, corroborated by an internal data leak from May 2026, provides deep insight into The Gentlemen’s technical infrastructure.
  • Defensive Action: Implement robust application control to prevent the execution of unauthorized drivers. Enhance behavioral monitoring beyond signature-based EDR, focusing on process injection, unusual system calls, and attempts to disable security services. Regularly review and update EDR configurations to detect BYOVD patterns.

Microsoft has formally attributed the Mastra AI supply chain attack to a North Korean state-sponsored hacking group.

  • Attack Target: The Mastra AI supply chain attack compromised over 140 npm packages.
  • Attribution: Microsoft links this activity to Sapphire Sleet, also known as BlueNoroff, a known North Korean threat actor.
  • Impact: Compromised npm packages can lead to widespread infection across development pipelines and applications that depend on them.
  • Defensive Action: Implement strict software supply chain security practices, including dependency scanning, integrity checks for npm packages, and source code verification. Developers should exercise caution when integrating third-party libraries and ensure robust sandboxing for build environments.

🔑 Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

A recently patched vulnerability in the Gravity SMTP WordPress plugin is being actively exploited by threat actors.

  • Affected Plugin: Gravity SMTP, installed on approximately 100,000 WordPress sites.
  • Vulnerability Details: Tracked as CVE-2026-4020 (CVSS score: 5.3), this is a medium-severity information disclosure flaw.
  • Attack Path: Unauthenticated attackers can exploit this flaw to extract sensitive data.
  • Exposed Data: Configuration data, API keys, secrets, and OAuth tokens are at risk of exposure.
  • Defensive Action: Immediately update the Gravity SMTP WordPress plugin to the latest patched version. Review WordPress site logs for signs of exploitation. Rotate all API keys, secrets, and OAuth tokens that may have been exposed. Implement Web Application Firewalls (WAFs) to help detect and block exploitation attempts.

⚖️ French President Urges US to Share Cutting-Edge AI and Democracies to Cooperate on Regulation

French President Emmanuel Macron has called for increased international cooperation on the governance and regulation of advanced AI systems.

  • Key Call: Macron urged the United States to share cutting-edge AI technologies.
  • Strategic Objective: He emphasized the need for democracies to collaborate on establishing regulatory frameworks for advanced AI.
  • Implication: This highlights the growing global concern over the ethical, security, and societal implications of rapidly advancing AI, necessitating a coordinated international response.
  • Strategic Takeaway: While not a direct cyber threat, this policy discussion underscores the future landscape of AI security. Organizations leveraging AI must anticipate evolving regulatory requirements and integrate ethical AI principles into their development and deployment strategies.

📉 Threat Landscape & Trends

  • Escalating Supply Chain Attacks: Both hardware (HAMLOCK) and software (Mastra AI via npm) supply chains are under active targeting, indicating a shift towards upstream compromise for broader impact.
  • Advanced Evasion Techniques: The emergence of EDR-killers like GentleKiller leveraging BYOVD exploits signifies a sophisticated effort by threat actors to neutralize endpoint security, paving the way for more destructive attacks like ransomware.
  • Persistent Credential & Vulnerability Exploitation: Large-scale credential theft (Fortinet) and active exploitation of known vulnerabilities (Splunk RCE, Gravity SMTP) remain foundational attack vectors, emphasizing the need for basic cyber hygiene and rapid patching.
  • AI as a Dual-Use Technology: The Mastra AI attack demonstrates AI’s role as a target in supply chain attacks, while international calls for AI regulation highlight its strategic importance and potential for misuse.

📌 Strategic Takeaway

Organizations must adopt a holistic, defense-in-depth strategy that extends beyond traditional perimeter security, focusing on supply chain integrity, advanced endpoint protection against evasion techniques, rigorous credential management, and proactive vulnerability patching, all while preparing for the evolving regulatory landscape of AI.

🔗 References

  1. Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack
  2. Inside GentleKiller: The EDR-Killer Powering The Gentlemen
  3. Microsoft links Mastra AI supply chain attack to North Korean hackers
  4. Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
  5. French President Urges US to Share Cutting-Edge AI and Democracies to Cooperate on Regulation