APAC Weekly Threat Brief (2026-05-05 to 2026-05-12): High-risk week driven by ACSC ClickFix/Vidar Stealer campaign, May 2026 Microsoft RCEs, and sustained APT/eCrime pressure across healthcare, finance, and critical infrastructure.
| Attribute | Value |
|---|---|
| Reporting Window | 2026-05-05 to 2026-05-12 |
| Sectors Covered | Healthcare, Finance, Critical Infrastructure — APAC |
| Total Findings | 6 (1 Critical, 4 High, 1 Medium) |
| Most Urgent | ACSC ClickFix → Vidar Stealer campaign — Healthcare/All-sectors |
| Risk Verdict | HIGH — Actionable credential-theft campaigns, multiple high-severity Microsoft RCEs, persistent APT/eCrime pressure |
| Recommended Posture | Elevate monitoring · Ingest ACSC IOCs · Prioritise Microsoft May 2026 patches |
This Weekly Threat Brief covers the reporting window 2026-05-05 to 2026-05-12 for APAC Healthcare, Finance, and Critical Infrastructure sectors. The dominant in-window signal was a high-confidence advisory from the Australian Cyber Security Centre (ACSC) describing a ClickFix social-engineering campaign delivering Vidar Stealer. Across sectors, the week featured urgent patching requirements from the May 2026 Microsoft cycle, sustained state-linked and eCrime pressure against finance and telecom targets, and an elevated emphasis on resilience and third-party risk rather than newly disclosed mass-casualty breaches. C1 C2
Available reporting indicates no large, newly disclosed APAC-wide healthcare breach was first published inside the window; instead reporting emphasised sector resilience, third-party risk, and targeted credential-theft campaigns. Finance organisations face concurrent DPRK-linked, China-nexus, and eCrime pressure alongside urgent Microsoft patch requirements. Critical infrastructure risk remained elevated with telecom-focused APT tooling and continued rapid exploit attempts against unpatched components. C4 C7
| Scope Item | Details |
|---|---|
| Time Window | 2026-05-05 to 2026-05-12 |
| Geography | Asia-Pacific (APAC) |
| Sectors | Healthcare · Finance · Critical Infrastructure (Telecom, Energy, Transportation) |
| Classification | TLP:AMBER |
| Analyst | Protos AI Threat Intelligence |
| Key Sources | ACSC Advisory, Health-ISAC, CrowdStrike, Cisco Talos, Microsoft MSRC, Group-IB, IMDA |
No large, newly disclosed APAC-wide healthcare breach was first published inside the 2026-05-05 to 2026-05-12 window; instead reporting emphasised sector resilience, third-party risk, and targeted credential-theft campaigns. C1 The ACSC published a detailed advisory on 07 May describing the ClickFix social-engineering workflow delivering Vidar Stealer via compromised WordPress sites and clipboard-paste PowerShell execution. C2
In-window sources did not identify new healthcare-specific zero-days exploited across APAC; attention in the sector should remain on credential-theft and web compromise vectors (WordPress, admin consoles). Clipboard-paste social engineering that induces execution of obfuscated PowerShell (ClickFix → Vidar) is operationally significant for healthcare staff who may run administrative commands. C2
APAC finance continues to face a mixture of DPRK-linked actors targeting crypto and fintech, China-nexus espionage actors, and prolific eCrime groups monetising access and extortion. C4 The May 2026 Microsoft patch cycle introduced several high-severity RCEs affecting SharePoint, Office, Netlogon, and the DNS Client. C5 AI-enabled fraud, deepfake social engineering, and agentic automation abuse are emerging as material risks — particularly where automated workflows or AI agents can initiate payments. C6
Critical infrastructure actors focused on telecom-targeting implants, GitHub-hosted C2, LNK-based phishing, and operational relay networks. C7 C8 Cisco Talos documented UAT-9244 tooling (TernDoor, PeerTime, BruteEntry) targeting carrier edge devices with P2P/BitTorrent-style C2. C7 No new APAC-wide energy or transportation incidents were confirmed in-window, but shared infrastructure exposure remained elevated.
What: Present, actionable credential-theft campaign targeting APAC healthcare via compromised WordPress sites. Clipboard-paste PowerShell executes Vidar Stealer; dead-drops via Telegram and Steam. C2
Impact: Credential theft, session token exfiltration, potential follow-on ransomware. · Detection Priority: HIGH · Confidence: High
SharePoint (CVE-2026-40365, 8.8), Office (CVE-2026-40363, 8.4), Word (CVE-2026-40364, 8.4), Netlogon (CVE-2026-41089, 9.8), DNS Client (CVE-2026-41096, 9.8). Not exploited in-window but technically severe. C5 · Detection Priority: HIGH
Overlapping actor clusters targeting APAC finance with credential theft, API abuse, and access monetisation. C4 · Confidence: Medium-High
P2P backdoors relevant to carrier edge devices. Hunt for PeerTime/TernDoor indicators; coordinate IOC sharing with national CERTs. C7 · Confidence: Medium-High
APRA, MAS, RBI pushing for stronger resilience and board-level governance across APAC sectors. C9 · Confidence: Medium
| Type | Indicator (defanged) | Context |
|---|---|---|
| SHA256 | 4162dfc4...bd954 | Vidar payload — ACSC CSV |
| SHA256 | 117bfb53...900d1 | Vidar payload — ACSC CSV |
| SHA256 | 3292e709...bb335 | Vidar payload — ACSC CSV |
| Domain | ggl[.]expertcs[.]au | Observed C2 infrastructure |
| Domain | gy4q[.]supportly[.]au | Observed C2 infrastructure |
| Domain | plh[.]bespokedigital[.]au | Observed C2 infrastructure |
| IP (dst) | 135[.]181[.]233[.]225 | C2 IP observed in campaign |
| IP (dst) | 138[.]199[.]160[.]74 | C2 IP observed in campaign |
| URL | hxxps://telegram[.]me/mm8hyx | Telegram dead-drop resolver |
| URL | hxxps://steamcommunity[.]com/profiles/76561198728266687 | Steam dead-drop resolver |
| Tactic | Technique ID | Technique Name | Notes |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | Compromised WordPress sites serve ClickFix lure page |
| Execution | T1059.001 | PowerShell | Clipboard-paste PowerShell executes Vidar Stealer loader |
| Credential Access | T1555 | Credentials from Password Stores | Vidar Stealer exfiltrates browser credentials and session tokens |
| Command & Control | T1102 | Web Service | Telegram and Steam profiles used as dead-drop C2 resolvers |
| Lateral Movement | T1078 | Valid Accounts | Stolen credentials enable post-compromise lateral movement |
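As an added example (not code from the brief or the ACSC advisory), the Python below refangs the indicators from the IOC table above and checks constructed proxy/DNS lines and process-creation events for those indicators and for the clipboard-paste PowerShell execution pattern described in the healthcare section. The log formats, the Sysmon-style field names (Image, ParentImage, CommandLine) and the command-line heuristic are this example's assumptions, not the advisory's detection logic.

```python
import re
# Indicators as they appear in the brief's IOC table, still defanged.
DEFANGED_IOCS = {
    "domain": ["ggl[.]expertcs[.]au", "gy4q[.]supportly[.]au", "plh[.]bespokedigital[.]au"],
    "ip": ["135[.]181[.]233[.]225", "138[.]199[.]160[.]74"],
    "url": ["hxxps://telegram[.]me/mm8hyx",
            "hxxps://steamcommunity[.]com/profiles/76561198728266687"],
}

def refang(value: str) -> str:
    """Turn a defanged indicator back into the form it takes in real logs."""
    return (value.replace("[.]", ".").replace("hxxps://", "https://")
            .replace("hxxp://", "http://").lower())

# Boundaries stop 138.199.160.74 matching inside 138.199.160.745 or 1138.199.160.74.
IOC_PATTERNS = [(kind, refang(v), re.compile(r"(?<![\w.-])" + re.escape(refang(v)) + r"(?![\w.-])"))
                for kind, values in DEFANGED_IOCS.items() for v in values]

# ClickFix-style execution: powershell.exe started by explorer.exe (Run dialog) with a
# hidden window, an encoded command or a download cradle. Sysmon Event ID 1 field names assumed.
PARENT_RE = re.compile(r"\\explorer\.exe$", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|downloadstring|invoke-webrequest|\biwr\b|\biex\b", re.I)

def match_iocs(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs from the IOC table found in a proxy/DNS log line."""
    low = line.lower()
    return [(kind, ioc) for kind, ioc, pat in IOC_PATTERNS if pat.search(low)]

def is_clickfix_like(event: dict) -> bool:
    """True when a process-creation event matches the ClickFix -> Vidar execution pattern."""
    return (event.get("Image", "").lower().endswith("powershell.exe")
            and PARENT_RE.search(event.get("ParentImage", "")) is not None
            and SUSPICIOUS_ARGS.search(event.get("CommandLine", "")) is not None)
# Constructed sample telemetry for this example, not data from the ACSC advisory.
SAMPLE_PROXY_LOGS = [
    "2026-05-08T02:14:09Z host=WS-0142 dst=ggl.expertcs.au:443 action=allowed",
    "2026-05-08T02:14:11Z host=WS-0142 dst=138.199.160.74:443 action=allowed",
    "2026-05-08T02:15:00Z host=WS-0142 url=https://steamcommunity.com/profiles/76561198728266687",
]
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc " + "QQBB" * 8},  # placeholder, not a real payload
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Monitoring\agent.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]
```

Feed real proxy lines to `match_iocs` and Sysmon process-creation events to `is_clickfix_like`; the second event shows that a scheduled script launched by an agent does not trip the ClickFix heuristic.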