
In this week's roundup, we feature our breakdown of the ESXi VM escape demonstrated at Pwn2Own Berlin 2026, a memory corruption flaw with no patch and no CVE that allows an attacker inside a guest VM to break isolation, execute code on the underlying hypervisor, and reach every other tenant on the host, and how ZeroLock's VMX Lockdown rule mitigates the exploit class today. Elsewhere in the threat landscape, The Gentlemen ransomware group claims 73 attacks in April alone, cementing itself as the second most active RaaS operation globally; AI chatbot responses are being weaponized as a delivery mechanism to direct users to attacker-controlled cryptojacking sites; the Silent Ransom Group escalates its targeting of law firms by dispatching threat actors in person to physically insert storage devices into victim computers; and a coordinated takedown dismantles GlassWorm, a software supply chain campaign that poisoned over 300 GitHub repositories using blockchain-based C2 infrastructure. Read on!


PWN2OWN Berlin 2026: ESXi VM Escape

At Pwn2Own Berlin 2026, a security researcher demonstrated a working memory corruption exploit against VMware ESXi that achieved something every hypervisor defender dreads — a full VM escape with cross-tenant code execution. That means an attacker with admin access inside one guest VM could break out of isolation entirely, land on the underlying ESXi host, and reach other tenants' virtual machines without ever touching the network. No patch exists yet, and no CVE has been assigned. This is what makes VM escapes categorically different from a typical vulnerability: you're not compromising one workload, you're compromising the foundation everything runs on. Traditional security tools running inside guest VMs are completely blind to this class of attack, and detect-and-respond has nothing to detect until it's already too late. ZeroLock addresses this by constraining what the VMX process — the specific choke point any VM escape must transit — is permitted to do on the host, blocking the attack behavior in real time regardless of whether a patch exists.


Nathan Montierth, Solutions Engineer & Threat Intelligence Lead:

"Rising AI usage is getting a lot of press, especially around vulnerability discovery and automated attacks. We should also be paying attention to the new and interesting cybersecurity challenges sophisticated AI models bring. Hallucinations and bad recommendations are fairly well-known issues with LLMs at this point, but malware recommendations are a new issue. AI is not at all foolproof, and using software recommended by your favorite chatbot without doing due diligence is a recipe for disaster. Don't get cryptojacked! Check your downloads."

On AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

Joseph Comps, Threat Intelligence Analyst:

"VM escapes are particularly scary because many workloads are exposed to the public by nature (such as web servers, email servers, etc.). So even if you've done all the proper hardening and segmentation steps to protect your hypervisor, all an attacker has to do is compromise one of these VMs and escape to the host, gaining remote code execution and resulting in a very bad day for the affected organization."

On PWN2OWN Berlin 2026: ESXi VM Escape


The Gentlemen emerging as key ransomware player

The Gentlemen ransomware group is rapidly cementing itself as one of the most active extortion operations in the ecosystem, claiming 73 attacks in April alone — 10% of all recorded ransomware activity that month — and over 230 victims so far this year. Operating as a RaaS with advanced tooling across Windows, Linux, NAS, BSD, and VMware ESXi, affiliates are leveraging SystemBC proxy malware to tunnel C2 traffic through compromised hosts, shrinking the window defenders have to detect and respond before encryption begins. Analysts describe the group as a sophisticated, established actor with industrialized intrusion capabilities.


AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

Researchers have warned of an active cryptojacking campaign using AI chatbot responses as a delivery mechanism. Users querying AI tools for software download recommendations are being served links to attacker-controlled domains impersonating legitimate system utilities, with attackers deliberately targeting high-performance GPU systems to maximize mining yield. Once installed, the malware establishes persistent access via ScreenConnect, deploys GPU miners, and configures Defender exclusions — while leaving the door open for follow-on ransomware or data theft.


Ransomware Actors Show Up In Person to Steal Law Firm Data

The Silent Ransom Group is escalating its targeting of law firms with a particularly brazen evolution in social engineering tactics — in some cases dispatching threat actors in person to physically insert storage devices into victim computers after posing as IT support staff. Operating without encryption, the group focuses purely on data theft and extortion, exfiltrating sensitive files via tools like Rclone and WinSCP before threatening to leak or sell stolen data. The FBI has issued a formal warning, noting the group has faced no arrests or infrastructure disruptions to date and is believed to operate out of Russia.


GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure

A coordinated takedown led by security researchers has simultaneously disrupted all four command-and-control channels used by GlassWorm, a persistent software supply chain campaign targeting developers through trojanized VS Code extensions and malicious npm and Python packages. Active since early 2025, the operation poisoned over 300 GitHub repositories using stolen developer credentials and converted infected hosts into covert SOCKS proxies and remote execution nodes. Notably, the campaign used the Solana blockchain, BitTorrent DHT, and Google Calendar as resilient dead drop resolvers to evade takedown attempts.


Thanks for reading! Feel free to share this email with your network, and for more hypervisor and Linux cybersecurity updates, visit valicyber.com.


Vali Cyber, Inc., 529 Rookwood Place, Charlottesville, VA 22903, USA
