⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Active Exploitation of Ivanti and Palo Alto Networks Flaws Joins Linux RAT Emergence in Week of Supply Chain and Credential Theft Campaigns
TL;DR: Ivanti EPMM and Palo Alto Networks PAN-OS vulnerabilities are under active exploitation by attackers. A new Linux RAT called Quasar Linux combines rootkit functionality with peer-to-peer mesh networking to resist takedown attempts. A supply chain compromise of DAEMON Tools, credential-stealing campaigns targeting cloud infrastructure, and the use of legitimate RMM tools as persistence mechanisms round out a week of coordinated and opportunistic attacks across multiple vectors.
What happened
Ivanti warned customers that CVE-2026-6973, an improper input validation defect in Endpoint Manager Mobile (EPMM), has been successfully weaponized by attackers. The vulnerability allows authenticated users with administrative privileges to execute code remotely. Ivanti did not disclose when the first exploitation occurred or how many customers have been impacted.
In parallel, Palo Alto Networks disclosed that a zero-day vulnerability in PAN-OS is under active exploitation. Tracked as CVE-2026-0300, the memory corruption flaw affects the authentication portal and allows unauthenticated attackers to execute code with root privileges on PA-Series and VM-Series firewalls. The company indicated that threat actors may have attempted to exploit a recently disclosed critical flaw as early as April 9, 2026, but did not specify the exact timeline or method of discovery. Censys detected approximately 263,000 Internet-exposed hosts running PAN-OS.
Security researchers have identified a new Linux RAT designated Quasar Linux (QLNX). The malware combines kernel-level rootkit functionality, PAM-based authentication backdoors, and persistence mechanisms. Its defining characteristic is a peer-to-peer mesh capability that creates an interconnected infection network between compromised hosts, reducing reliance on centralized command infrastructure and complicating mitigation efforts.
An unidentified threat actor has launched a campaign dubbed PCPJack that targets cloud secrets and credentials across multiple service categories. Active since late April, the campaign systematically removes competing malware—specifically tools associated with the TeamPCP group—and deploys its own credential harvesters. The actor propagates laterally by targeting open and exploitable cloud infrastructure and uses Common Crawl parquet files for target discovery.
MuddyWater, an Iranian state-sponsored group, disguised an espionage operation as a Chaos ransomware attack. The group used Microsoft Teams social engineering to gain initial access, then conducted reconnaissance, credential harvesting, and data exfiltration. No file-encrypting ransomware was deployed, which is inconsistent with typical Chaos activity. The victim was listed on the Chaos data leak site, likely as misdirection. Rapid7 found no evidence linking MuddyWater to Chaos as an affiliate.
A supply chain compromise affected DAEMON Tools installers in early April, impacting users across more than 100 countries. Malicious versions were distributed to thousands of machines in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Most victims received only a data miner; a select subset of targets in retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand received a more sophisticated shellcode loader. A single educational institution in Russia was identified as receiving QUIC RAT. Kaspersky noted Chinese-language elements in the malicious code but did not attribute the campaign to a specific group.
An active phishing campaign targeting multiple industries has operated since at least April 2025, using legitimate RMM tools—SimpleHelp and ScreenConnect—to establish persistent remote access rather than deploying traditional malware.
Why it matters
The concurrent exploitation of Ivanti and Palo Alto Networks vulnerabilities creates a dual-vector risk for enterprises. Ivanti EPMM requires authenticated access, constraining but not eliminating the attack surface; PAN-OS CVE-2026-0300 requires no authentication, making it a direct and urgent exposure for any organization operating Internet-facing firewalls. With 263,000 exposed hosts detected, the potential scale of compromise is significant.
Quasar Linux represents an evolution in persistence mechanisms. The P2P mesh architecture means that network segmentation and takedown of command servers alone will not disrupt an active campaign; individual infected nodes remain capable of communicating laterally, complicating both detection and remediation. The rootkit and PAM backdoor components allow attackers to maintain access below the visibility of standard process monitoring.
PCPJack's targeting of cloud infrastructure and credentials highlights the shift in attacker focus away from endpoint compromise alone toward identity and secrets as the primary attack objective. The lateral propagation through exploitable cloud resources suggests that defenders relying solely on perimeter security will miss this vector.
The DAEMON Tools supply chain compromise demonstrates the persistent risk of trusted software distribution channels. The selective deployment of advanced implants to high-value targets indicates profiling and curation, not indiscriminate distribution.
The use of legitimate RMM tools bypasses detection signatures and behavioral monitoring designed to flag suspicious binaries. This approach reduces friction for attackers and is difficult to distinguish from legitimate IT operations.
Affected systems and CVEs
- Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-6973
- Palo Alto Networks PAN-OS (PA-Series and VM-Series firewalls) — CVE-2026-0300
- Linux systems (Quasar Linux RAT)
- DAEMON Tools (multiple releases)
What to do
- Apply patches for CVE-2026-0300 starting May 13, 2026, prioritizing Internet-exposed PAN-OS instances.
- Audit Ivanti EPMM logs for evidence of authenticated code execution and review administrative account activity.
- Scan Linux systems for indicators of Quasar Linux infection, including kernel module artifacts and PAM modifications.
- Review cloud infrastructure for open ports, unpatched services, and credential exposure in container and CI/CD environments.
- Monitor RMM tool installations and network egress from SimpleHelp and ScreenConnect processes.
- Validate the integrity of recently installed software, particularly DAEMON Tools, against known-good hashes from official sources.
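Two of the checklist items above (reviewing PAM configuration for unexpected modules, and verifying installers against known-good hashes) can be turned into repeatable checks. The script below is an added example written for this recap, not code from any of the vendors or researchers it cites; it does not contain Quasar Linux indicators, which the recap does not publish. The PAM module baseline, the sample `common-auth` contents and the installer bytes are all constructed for illustration, so the script runs offline; on a real host you would feed it the files under `/etc/pam.d/` and the vendor's published hashes instead.

```python
#!/usr/bin/env python3
"""Added example: defender-side checks for two items in the "What to do" list.

1. parse_pam_config(): flag PAM lines whose module is outside an assumed
   baseline or is loaded from an absolute path. A PAM-based backdoor of the
   kind described for Quasar Linux typically shows up as an extra module
   line or a replaced shared object; this covers the configuration side.
2. verify_hashes(): compare SHA-256 of installer bytes against a list of
   known-good hashes before trusting a downloaded installer.

EXPECTED_PAM_MODULES and all sample data below are assumptions for the
example, not indicators taken from the recap.
"""
import hashlib
import re
from typing import Dict, List

# Assumed baseline: modules a stock Debian/Ubuntu host is expected to load.
# Tune this per distribution, or cross-check ownership with debsums / rpm -V.
EXPECTED_PAM_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
    "pam_faildelay.so", "pam_systemd.so", "pam_limits.so", "pam_motd.so",
    "pam_mail.so", "pam_umask.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_nologin.so", "pam_selinux.so", "pam_sepermit.so", "pam_lastlog.so",
}

# A PAM line is "<type> <control> <module> [args]"; control may be bracketed,
# and a leading "-" on the type marks the module as optional-if-missing.
_PAM_LINE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam_config(text: str, expected=EXPECTED_PAM_MODULES) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: unknown module, absolute
    module path (loaded from outside the default module directory), or a
    line the parser cannot interpret (worth a manual look)."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("@include"):
            continue
        m = _PAM_LINE.match(line)
        if not m:
            findings.append({"line": lineno, "module": line, "reason": "unparseable line"})
            continue
        module = m.group("module")
        name = module.rsplit("/", 1)[-1]
        reasons = []
        if "/" in module:
            reasons.append("absolute module path")
        if name not in expected:
            reasons.append("module not in baseline")
        if reasons:
            findings.append({"line": lineno, "module": module, "reason": "; ".join(reasons)})
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hashes(artifacts: Dict[str, bytes], known_good: Dict[str, str]) -> Dict[str, str]:
    """Map artifact name -> 'ok', 'MISMATCH', or 'no reference hash'."""
    result = {}
    for name, blob in artifacts.items():
        ref = known_good.get(name)
        if ref is None:
            result[name] = "no reference hash"
        elif sha256_hex(blob) == ref.lower():
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    return result


# Constructed sample of /etc/pam.d/common-auth with one planted backdoor line.
SAMPLE_PAM_COMMON_AUTH = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    sufficient                  /tmp/.cache/pam_helper.so
auth    optional                    pam_cap.so
"""

# Constructed installer bytes; the "known-good" hash comes from the clean copy.
GOOD_INSTALLER = b"constructed installer bytes v1"
TAMPERED_INSTALLER = b"constructed installer bytes v1 + injected stub"
KNOWN_GOOD = {"installer.exe": sha256_hex(GOOD_INSTALLER)}


def run_demo():
    pam = parse_pam_config(SAMPLE_PAM_COMMON_AUTH)
    hashes = verify_hashes(
        {"installer.exe": TAMPERED_INSTALLER, "clean.exe": GOOD_INSTALLER}, KNOWN_GOOD
    )
    return pam, hashes


if __name__ == "__main__":
    pam_findings, hash_results = run_demo()
    for f in pam_findings:
        print(f"PAM line {f['line']}: {f['module']} ({f['reason']})")
    for name, status in hash_results.items():
        print(f"{name}: {status}")
```

The sample flags line 5 (a `sufficient` module loaded from `/tmp`, which would grant authentication on its own) and line 6 (`pam_cap.so`, a legitimate module that simply is not in the assumed baseline). The second finding is the point of keeping a baseline per distribution: an allowlist that is too narrow produces noise, so pair this with package-manager verification of the `.so` files themselves.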
Open questions
- When did Ivanti EPMM exploitation begin, and how many customers are confirmed compromised?
- What is the identity of the threat actor behind PCPJack, and what is the relationship to TeamPCP, if any?
- When and how did Palo Alto Networks discover active exploitation of CVE-2026-0300?
- Who is responsible for the DAEMON Tools supply chain compromise, and what were the selection criteria for advanced implant deployment?
- Which specific organizations were targeted by the RMM phishing campaign, and what data was accessed?