Weekly Recap: Ivanti and PAN-OS Zero-Days Under Active Exploitation, New Linux RAT Emerges
Ivanti EPMM CVE-2026-6973 and Palo Alto Networks PAN-OS CVE-2026-0300 are under active attack, while a new Linux RAT called Quasar Linux uses P2P mesh networking and kernel rootkits.

This week's cybersecurity landscape is dominated by two actively exploited zero-day vulnerabilities and the emergence of a sophisticated Linux remote access trojan. Ivanti warned that attackers have weaponized CVE-2026-6973, an improper input validation flaw in Endpoint Manager Mobile (EPMM) that allows authenticated administrators to execute remote code. Separately, Palo Alto Networks disclosed that CVE-2026-0300, a memory corruption vulnerability in the PAN-OS authentication portal, is being exploited in the wild, enabling unauthenticated attackers to gain root privileges on PA-Series and VM-Series firewalls. Censys has identified approximately 263,000 internet-exposed PAN-OS hosts. Patches for PAN-OS are expected to be released starting May 13, 2026.
In parallel, researchers at Trend Micro have uncovered a new Linux remote access trojan dubbed Quasar Linux (QLNX). This modular RAT distinguishes itself through its use of a peer-to-peer (P2P) mesh network, allowing infected hosts to communicate directly rather than relying on centralized command-and-control servers. This architecture makes the botnet resilient to takedowns. QLNX also incorporates kernel-level rootkits, PAM-based authentication backdoors, and persistence mechanisms that hide malicious processes under names mimicking legitimate Linux services. The malware carries embedded C source code for its rootkit and PAM backdoor as string literals within the binary.
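One defensive angle the recap's last sentence suggests is that compiled malware rarely carries C source as plain text, so the presence of PAM-module or kernel-module source markers inside a binary is a cheap triage signal. The following is an added example, not code from Trend Micro or from the QLNX analysis; the markers are public PAM and kernel API names (assumed to be what such embedded source would contain), and the sample bytes are constructed, not taken from the real malware.

```python
import re
from typing import Dict, List

# Markers of C source for a PAM module or a Linux kernel module. These are
# real API names from the PAM and kernel headers; they are NOT indicators
# extracted from QLNX (the recap does not publish any), only an assumption
# about what embedded source for such components would look like.
PAM_SOURCE_MARKERS = [
    rb"#include\s*<security/pam_modules\.h>",
    rb"\bpam_sm_authenticate\s*\(",
    rb"\bpam_get_user\s*\(",
]
KMOD_SOURCE_MARKERS = [
    rb"#include\s*<linux/module\.h>",
    rb"\bmodule_init\s*\(",
    rb"\bMODULE_LICENSE\s*\(",
]

def find_embedded_c_source(data: bytes) -> Dict[str, List[str]]:
    """Return which PAM / kernel-module source markers occur in a binary blob."""
    hits: Dict[str, List[str]] = {"pam": [], "kmod": []}
    for kind, patterns in (("pam", PAM_SOURCE_MARKERS), ("kmod", KMOD_SOURCE_MARKERS)):
        for pat in patterns:
            if re.search(pat, data):
                hits[kind].append(pat.decode())
    return hits

def is_suspicious(data: bytes, min_hits: int = 2) -> bool:
    """Flag a blob that embeds enough source markers of one kind.
    A lone #include can show up in legitimate debug strings, so require at
    least two markers of the same kind before raising an alert."""
    return any(len(v) >= min_hits for v in find_embedded_c_source(data).values())

def scan_file(path: str) -> bool:
    """Apply the heuristic to a file on disk (e.g. a dropper under analysis)."""
    with open(path, "rb") as fh:
        return is_suspicious(fh.read())

# Constructed sample: a fake ELF fragment that embeds a PAM module's source
# as a string literal, mirroring the behaviour the recap attributes to QLNX.
CONSTRUCTED_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
    b"#include <security/pam_modules.h>\n"
    b"int pam_sm_authenticate(pam_handle_t *h, int flags, int argc, const char **argv) {\n"
    b"  const char *user; pam_get_user(h, &user, NULL); /* ... */ }\n"
)
# Constructed benign blob: ordinary usage strings, no source markers.
CONSTRUCTED_BENIGN = b"\x7fELF\x02\x01\x01\x00" + b"usage: tool [--help]\x00" * 4
```

Run `is_suspicious` over unpacked samples or dropped files; a positive result is a reason to look closer, not proof of infection on its own.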
The weekly recap also highlights a supply chain attack on DAEMON Tools, where malicious installers compromised users in over 100 countries, primarily in Russia, Brazil, Turkey, and several European nations. The attack delivered a QUIC-based RAT. Additionally, the Iranian state-sponsored group MuddyWater was observed masquerading as a Chaos ransomware operation, using Microsoft Teams social engineering to gain access and exfiltrate data without deploying file-encrypting malware, likely to mask espionage activities.
Another notable campaign involves PCPJack, a new malware that systematically removes artifacts of the TeamPCP hacking group and steals credentials from cloud, container, and financial services. The malware propagates laterally within networks and externally by scanning Common Crawl parquet files for vulnerable targets. This worm-like behavior and the targeted removal of competing malware suggest a possible rivalry or a third-party mimicking TeamPCP's tactics.
These incidents underscore the persistent threat from both state-sponsored actors and cybercriminal groups exploiting known vulnerabilities and supply chain weaknesses. Organizations are urged to apply patches promptly, monitor for indicators of compromise, and implement robust network segmentation and access controls.