ThreatsDay: Pwn2Own 47 Zero-Days, AI-Driven Intrusions, and the OrBit Linux Rootkit Resurfaces
The Hacker News ThreatsDay bulletin covers this week's major stories: Pwn2Own Berlin awarded $1.3M for 47 zero-days, agentic AI intrusions against Latin American governments, the OrBit Linux rootkit's return after four years, and UK NCSC agentic AI security guidance.
Summary
The Hacker News ThreatsDay bulletin for late May 2026 aggregates a wide-ranging set of stories, with the Pwn2Own Berlin 2026 hacking contest standing out as the marquee event. Security researchers earned $1,298,250 in rewards after exploiting 47 zero-day vulnerabilities across Windows, Linux, VMware, and NVIDIA products over three days. DEVCORE won Master of Pwn with 50.5 points and $505,000, landing successful exploits against Microsoft SharePoint, Exchange, Edge, and Windows 11. Disclosing that many vendor-unknown bugs in a single three-day event underscores how many exploitable flaws remain in widely deployed software.
Two emerging intrusion campaigns, tracked as SHADOW-AETHER-040 and SHADOW-AETHER-064, have independently deployed agentic AI with strikingly similar tactics against government and financial organizations in Latin America. Trend Micro's analysis shows that the attackers established encrypted tunnels and had AI agents generate hacking tools on demand rather than relying on pre-built toolkits, which leaves fewer static artifacts for signature-based detection to match. The operators got past the models' safety controls by framing their requests as authorized penetration testing.
The OrBit Linux userland rootkit, first detailed in 2022, has resurfaced with two parallel lineages indicating active development: one analysis shows a full-featured build alongside a leaner fork that drops certain capabilities for a smaller footprint. The rootkit hooks libc functions in userland to hide itself, provides SSH-based remote access, harvests credentials, and logs commands typed at TTYs. It has been deployed by Blockade Spider in Embargo ransomware campaigns.
Why It Matters
The ThreatsDay format captures stories that individually may not dominate headlines but collectively shape the threat landscape. The Pwn2Own results provide a snapshot of where vulnerability research is finding the most impactful bugs. The AI-augmented intrusion campaigns signal an early but worrying trend: attackers using LLMs to generate custom tooling on the fly, bypassing signature-based detection. The OrBit rootkit’s continued evolution demonstrates that well-designed malware persists across years, adapting and forking into new variants.
Defender Takeaways
- Review the Pwn2Own Berlin disclosure list for affected products in your environment; prioritize patches for the exploited SharePoint, Exchange, and Windows components.
- Monitor for signs of AI-augmented intrusion techniques — unexpected SSH tunnels, scripts that appear to have been generated on the fly, and penetration-testing tooling that no authorized engagement accounts for.
- Audit Linux systems for indicators of OrBit rootkit compromise, particularly SSH backdoors, credential harvesting, and TTY logging.
- Evaluate agentic AI deployment controls following NCSC guidance; ensure AI tools in enterprise environments operate with least privilege and have appropriate monitoring.
- Check for exposed network management interfaces that could be targeted by AI-augmented reconnaissance and intrusion campaigns.
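The Linux audit in the takeaways above, worked through as an added example (this is not code from The Hacker News or from the OrBit analyses it summarizes). It assumes the rootkit gets its libc hooks in through the dynamic loader's preload path, /etc/ld.so.preload or an LD_PRELOAD variable in a process environment, which the bulletin summary does not state; the sample preload file and environment blobs are constructed. The pure functions take text so they can be checked offline; `collect_from_proc()` feeds them from the live host.

```python
"""Audit a Linux host for preload-based userland hooking (added example)."""
import os
import re
from dataclasses import dataclass

PRELOAD_FILE = "/etc/ld.so.preload"
# Directories where a legitimately packaged library would normally live.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample inputs, not taken from any real host.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libselinux.so.1\n/dev/shm/.x/libhook.so\n"
SAMPLE_ENVIRONS = {
    4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libdirty.so\0HOME=/root\0",
    4243: b"PATH=/usr/bin\0SHELL=/bin/bash\0",
}


@dataclass
class Finding:
    source: str   # "ld.so.preload" or "pid:<n>"
    library: str
    reason: str


def parse_environ(blob: bytes) -> dict:
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in blob.split(b"\0"):
        if b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def parse_preload_file(text: str) -> list:
    """Return the shared objects listed in ld.so.preload (whitespace-separated, '#' comments)."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def classify(library: str) -> str:
    """Any preloaded object is worth a look; the reason says how suspicious the location is."""
    if not library.startswith("/"):
        return "relative path (resolved through loader search, easy to plant)"
    if any(library.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
        return "in standard library directory (verify against the package manager)"
    return "outside standard library directories"


def scan(preload_text: str, environs: dict) -> list:
    """Core detection logic: environs maps pid -> raw environ bytes."""
    findings = [Finding("ld.so.preload", lib, classify(lib))
                for lib in parse_preload_file(preload_text)]
    for pid, blob in environs.items():
        env = parse_environ(blob)
        if "LD_PRELOAD" in env:
            # glibc accepts a colon- or space-separated list of objects.
            for lib in re.split(r"[:\s]+", env["LD_PRELOAD"].strip()):
                if lib:
                    findings.append(Finding(f"pid:{pid}", lib, classify(lib)))
    return findings


def collect_from_proc(proc_root: str = "/proc", preload_file: str = PRELOAD_FILE):
    """Gather live inputs: the preload file plus every readable /proc/<pid>/environ."""
    try:
        with open(preload_file) as fh:
            preload_text = fh.read()
    except OSError:
        preload_text = ""
    environs = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            try:
                with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                    environs[int(name)] = fh.read()
            except OSError:
                continue  # exited, or owned by another user without root
    return preload_text, environs


def hidden_pids(proc_root: str = "/proc", limit: int = 65536) -> list:
    """Cross-check: pids reachable by direct path but missing from the directory listing.
    A readdir() hook hides entries from listdir; stat() on /proc/<pid> still answers
    unless that is hooked too, so any difference is a strong hooking signal."""
    listed = {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    return [pid for pid in range(1, limit)
            if pid not in listed and os.path.isdir(os.path.join(proc_root, str(pid)))]


if __name__ == "__main__":
    for f in scan(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(f"{f.source:<14} {f.library:<28} {f.reason}")
    if os.path.isdir("/proc"):
        for f in scan(*collect_from_proc()):
            print(f"LIVE {f.source:<14} {f.library:<28} {f.reason}")
        print("hidden pids:", hidden_pids())
```

One caveat a practitioner should keep in mind: the checker itself is a dynamically linked process, so a preload library that hooks `readdir`, `open` or `stat` can lie to it as well. Run the same checks from a statically linked binary (or a busybox copied onto the host) and compare the two outputs; a disagreement between them is itself a finding.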
Source
Title: ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories — The Hacker News
URL: https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html
Related
- Linux Security Fundamentals — detection and response for T1059, T1546, T1548 techniques
- Indicators: IoC, IoA, and TTP — distinguishing indicators of compromise, indicators of attack, and tactics, techniques, and procedures
- Command and Control — detection and response for T1071 techniques
- Cloud Threats — detection and response for T1525, T1552, T1613 techniques
