Microsoft Defender: RoguePlanet Zero-Day CVE-2026-50656 and Woodgnat Exploitation
The 'Woodgnat' threat actor (KongTuke) is exploiting a critical race condition in the Microsoft Defender quarantine pipeline (CVE-2026-50656) to achieve local privilege escalation (LPE) to SYSTEM on Windows 10 and 11. The attack chain begins with 'ClickFix' social engineering, followed by DLL sideloading through the legitimate MpExtMs.exe binary. The sideloaded DLL then deploys the 'Mistic' backdoor (which uses EndpointDlp.dll) and the Python-based 'ModeloRAT' Trojan. The resulting privileged access is subsequently auctioned to high-impact ransomware groups such as Qilin, Akira, and Black Basta, presenting a significant risk to the insurance, education, and IT services sectors because it provides durable, privileged persistence.
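The sideloading step above is the part of the chain a defender can catch from endpoint telemetry: the legitimate MpExtMs.exe should only ever execute from, and load EndpointDlp.dll from, the Defender platform directory. The following detection logic is an added example for this digest, not code from the advisory, from Microsoft, or from any vendor. It runs over constructed records shaped like Sysmon Event ID 7 (Image Loaded) entries; the trusted directory roots, the signer check, the field names and the sample paths and timestamps are all assumptions to adjust for the environment.

```python
"""Added detection example (not from the original advisory).

Flags image-load events where MpExtMs.exe loads EndpointDlp.dll outside the
expected Defender platform directories, i.e. the DLL sideloading step of the
RoguePlanet/Woodgnat chain. Record shape mimics a Sysmon Event ID 7 entry; all
sample events are constructed and the roots/signer values are assumptions.
"""
from typing import Optional

# Assumption: on a default install the Defender platform binaries live under these roots.
TRUSTED_ROOTS = (
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
    r"C:\Program Files\Windows Defender",
)
HOST_EXE = "mpextms.exe"
SIDELOADED_DLL = "endpointdlp.dll"
# Assumption: a genuine Defender component carries a valid Microsoft signature.
TRUSTED_SIGNER_PREFIX = "microsoft"


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_trusted_root(path: str) -> bool:
    """True when the path sits below one of TRUSTED_ROOTS (case-insensitive)."""
    norm = path.replace("/", "\\").lower()
    return any(norm.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event looks like sideloading, else None."""
    if _basename(event["Image"]) != HOST_EXE or _basename(event["ImageLoaded"]) != SIDELOADED_DLL:
        return None  # not the host/DLL pair this rule covers
    if not _under_trusted_root(event["Image"]):
        return "MpExtMs.exe executing outside the Defender platform directory"
    if not _under_trusted_root(event["ImageLoaded"]):
        return "EndpointDlp.dll loaded from outside the Defender platform directory"
    signer_ok = event.get("Signature", "").lower().startswith(TRUSTED_SIGNER_PREFIX)
    if event.get("SignatureStatus") != "Valid" or not signer_ok:
        return "EndpointDlp.dll in the platform directory is not validly Microsoft-signed"
    return None


def scan(events: list) -> list:
    """Return (UtcTime, reason) tuples for every suspicious event."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["UtcTime"], reason))
    return hits


# Constructed sample events; the platform version folder "0.0.0.0-0" is a placeholder.
SAMPLE_EVENTS = [
    {   # benign: host and DLL both in the platform folder, Microsoft-signed
        "UtcTime": "2026-01-10 09:12:01",
        "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0\MpExtMs.exe",
        "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0\EndpointDlp.dll",
        "SignatureStatus": "Valid",
        "Signature": "Microsoft Windows",
    },
    {   # sideload: a copy of MpExtMs.exe in a user-writable folder loads the DLL beside it
        "UtcTime": "2026-01-10 09:15:44",
        "Image": r"C:\Users\Public\Libraries\MpExtMs.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\EndpointDlp.dll",
        "SignatureStatus": "Unavailable",
        "Signature": "",
    },
    {   # unrelated image load, ignored by the rule
        "UtcTime": "2026-01-10 09:16:02",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "SignatureStatus": "Valid",
        "Signature": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for when, why in scan(SAMPLE_EVENTS):
        print(f"{when}  {why}")
```

The rule deliberately checks the host executable's location before the DLL's, because a relocated copy of the signed binary is the precondition for the sideload; the signature check at the end covers the case where an attacker with write access to the platform directory replaces the DLL in place rather than moving the host.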
Akira Ransomware Breach: Sunrise Company and Associated Luxury Entities
The Akira ransomware group compromised the network of Sunrise Company, a US-based real estate developer, and its associated subsidiaries, Toscana Country Club and Andalusia Country Club. Approximately 13 GB of sensitive data was exfiltrated, including highly sensitive PII of the CEO's family (passports, driver's licenses), corporate financial records, and client contracts. While the specific initial access vector for this incident was not disclosed, Akira typically leverages vulnerabilities in VPN appliances or compromised credentials to gain entry before deploying ransomware and conducting double extortion via their leak site.