Cybersecurity Radar — 2026-05-15
Two unpatched Windows zero-days dubbed "YellowKey" and "GreenPlasma", enabling BitLocker bypass and privilege escalation respectively, were publicly dropped by an angry researcher just hours after Microsoft's May Patch Tuesday, putting Windows 11 and Windows Server systems at immediate risk. Meanwhile, Foxconn confirmed a ransomware attack affecting North American facilities, and the broader threat landscape continues to consolidate around fewer, higher-impact groups: the top ten ransomware operations accounted for 71% of the 2,122 victims recorded in Q1 2026.
🔴 Critical Alerts
YellowKey & GreenPlasma: Unpatched Windows Zero-Days Go Public
A security researcher, described as "angry", publicly released proof-of-concept exploit code for two unpatched Microsoft Windows vulnerabilities, YellowKey and GreenPlasma, within hours of Microsoft's May 2026 Patch Tuesday rollout. YellowKey abuses Windows Recovery Environment (WinRE) USB FsTx files to bypass BitLocker disk encryption and affects Windows 11 and Windows Server 2022/2025; a bypass of this kind presupposes physical access to the device, since the attacker must boot it from external media. GreenPlasma is a privilege-escalation flaw in CTFMON (ctfmon.exe, the Text Services Framework input process). Neither vulnerability has a patch or a CVE identifier at time of writing. Security teams should monitor for exploitation in the wild and tighten physical security controls for BitLocker-protected devices.

Foxconn Confirms Ransomware Attack on North American Facilities
Electronics manufacturing giant Foxconn — a key supplier for Apple, Google, and Nvidia — confirmed a cyberattack affecting some of its North American facilities. A ransomware group has claimed responsibility and is actively attempting to extort the company. Foxconn has taken systems offline in the affected regions, causing operational disruption. The attack highlights ongoing targeting of Tier-1 supply chain manufacturers. Organizations with supply chain dependencies on Foxconn should assess potential downstream risk.

Threat Landscape
Ransomware Oligopoly: Top 10 Groups Now Control 71% of Victims
Check Point's Q1 2026 ransomware analysis reveals a stark consolidation: the top 10 ransomware groups accounted for 71% of all 2,122 confirmed victims in the quarter. Threat actor "The Gentlemen" stands out for scaling attacks using a pre-built network of 14,700 pre-exploited FortiGate devices — a ready-made access infrastructure enabling rapid deployment. The threat landscape is shifting from a chaotic swarm of opportunistic actors into a "highly organized, heavily armed oligopoly," according to researchers.
Global Cyberattacks Rebounded Sharply in April 2026
Following a brief moderation period, global cyberattack volumes climbed 10% in April 2026, according to Check Point Research. Every major region recorded higher attack volumes. Ransomware expanded its footprint across new sectors, and risks from generative AI-assisted attacks persisted as a compounding factor. Education, healthcare, and critical infrastructure remain the most heavily targeted verticals.
HoneyMyte APT Updates CoolClient Backdoor, Deploys Browser Stealers
Kaspersky researchers tracking HoneyMyte (also tracked as Mustang Panda or Bronze President), a Chinese-linked APT, have identified an updated CoolClient backdoor along with new tools and scripts, including three variants of a browser data stealer. The group continues to evolve its tooling in active campaigns consistent with long-term espionage objectives. Government, defense, and research organizations, particularly those in regions this group has historically targeted, should review endpoint detections for CoolClient indicators and for browser credential-store access by unexpected processes.
Vulnerabilities & Patches
Microsoft May 2026 Patch Tuesday: 120+ Flaws, But No Zero-Days (Until After)
Microsoft's May 2026 Patch Tuesday addressed some 120 vulnerabilities, roughly 30 of them rated Critical, including four remote code execution flaws in Microsoft Word. It was the first Patch Tuesday without a zero-day since June 2024, a distinction that lasted only hours: the YellowKey and GreenPlasma PoCs published afterwards are not covered by this release (see Critical Alerts above). Admins should deploy the May updates immediately, prioritizing the Critical-rated CVEs, and should not hold the rollout while waiting for an out-of-band fix for the two new flaws.

CVE-2026-40361: Critical Zero-Click Outlook Vulnerability Patched
Among the May Patch Tuesday fixes, CVE-2026-40361 stands out as a critical zero-click vulnerability in Microsoft Outlook described as similar to the historic "BadWinmail" bug — dubbed at the time an "enterprise killer." The flaw requires no user interaction and can be triggered remotely, threatening enterprise environments at scale. SecurityWeek notes that this class of vulnerability poses severe risk to organizations relying on Outlook for communications. Apply the May Patch Tuesday update immediately.
Windows BitLocker Zero-Day PoC Released (YellowKey)
As noted in Critical Alerts, a researcher published working proof-of-concept code for YellowKey — a BitLocker bypass — and GreenPlasma — a Windows privilege escalation flaw via CTFMON. Both remain unpatched as of publication. YellowKey specifically targets Windows 11 and Server 2022/2025 systems via WinRE USB FsTx files. No CVE identifiers have been officially assigned yet. Security teams should treat these as active, unmitigated risks.
Breaches & Incidents
Foxconn Ransomware Attack Disrupts North American Operations
As noted above, Foxconn confirmed the attack is affecting North American facilities, forcing systems offline. The responsible ransomware group has not been officially named by the company. Given Foxconn's role as a critical supplier in global electronics supply chains, the incident has raised concerns about cascading operational impacts for downstream customers including major tech firms.
Silent Ransomware Group Breaches Law Firm Orrick, Herrington & Sutcliffe
Reports emerging this week indicate the Silent ransomware group breached international law firm Orrick, Herrington & Sutcliffe in an attack that began in January 2026, with attackers maintaining persistent access to the firm's network for several days before detection. The breach has been documented in BlackFog's running 2026 state-of-ransomware tracker. Law firms, which hold highly sensitive client data, remain high-value targets for ransomware actors seeking both ransom payments and leverage via data exposure threats.
Industry & Policy
CISA Advisories: Watch for Emergency Directives
With two unpatched Windows zero-days (YellowKey/GreenPlasma) now public, readers should watch CISA's Cybersecurity Alerts & Advisories feed and the Known Exploited Vulnerabilities (KEV) catalog directly for any emergency directive or KEV entry tied to these flaws; federal agencies and critical infrastructure operators in particular will be bound by any such directive. Note that KEV entries are keyed by CVE identifier, and neither flaw has one yet, so a KEV listing cannot appear before a CVE is assigned.
Note: Specific advisory content from the CISA page could not be fully extracted at time of publication; verify directly on the CISA site.
Nation-State and Criminal Actor Lines Continue to Blur
Analysis published around this week's threat reporting underscores a persistent structural trend: the distinction between nation-state cyberattacks and criminal ransomware operations is collapsing in practice. Ransomware groups operating with state approval — particularly Russian-linked actors targeting defense contractors — simultaneously pursue profit and geopolitical objectives. This "criminal-state hybrid" model complicates attribution and policy response, as noted in recent SecurityWeek analysis of the 2026 cyberwar landscape.
What to Watch
- YellowKey/GreenPlasma patch timeline: Microsoft has not yet acknowledged or committed to an emergency out-of-band patch for the two newly disclosed Windows zero-days. Watch for MSRC advisories and potential exploits appearing in commodity crimeware toolkits within days.
- Foxconn attribution: The ransomware group responsible for the Foxconn breach has not been publicly confirmed. Attribution will clarify whether this is a consolidating top-10 group and signal potential follow-on targeting of other supply chain manufacturers.
- AI-assisted attack acceleration: Check Point data flags GenAI-assisted attack tooling as a persistent and growing risk factor alongside the April volume spike — expect this to increasingly lower the technical bar for mid-tier threat actors in Q2 2026.
Reader Action Items
- Patch immediately and harden BitLocker: Deploy Microsoft's May 2026 Patch Tuesday updates, particularly CVE-2026-40361 (the Outlook zero-click flaw), and apply compensating controls for BitLocker until YellowKey and GreenPlasma are fixed. The standard countermeasures for physical-access attacks on BitLocker are to restrict physical access, lock the firmware boot order and set a firmware password so a device cannot be booted from external media such as a USB stick, and require TPM plus PIN pre-boot authentication rather than TPM-only unlock. Whether these controls block YellowKey specifically is not yet established, but they raise the bar for any attack that starts by booting the machine into WinRE from USB.
- Audit FortiGate device exposure: The Gentlemen ransomware group's use of 14,700 pre-exploited FortiGate devices as standing attack infrastructure means any unpatched or internet-facing FortiGate remains a high-risk initial access vector. Run immediate inventory and patching checks on all FortiGate appliances, and treat any appliance that was reachable from the internet while unpatched as potentially already compromised: patching does not evict an attacker who has already planted persistence, so review local administrator accounts and configuration changes as well.
- Review supply chain and law firm data exposure: Given the Foxconn and Orrick breaches, organizations with supply chain dependencies or legal engagements with recently breached firms should assess what sensitive data may have been exposed and consider proactive notification protocols.
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.