Global threats decoded for Indian defenders, plus the India-targeted picture. Week of 25–29 May 2026.
A consequential week for defenders in India: the national CERT redrew the patching clock, an enterprise security agent became the delivery vehicle for an infostealer, and credential-theft kits and overlay banking malware kept the human and the handset firmly in the crosshairs. Five items that matter.
1. CERT-In sets a 12-hour patch clock for AI-accelerated exploitation
CERT-In published a blueprint warning that adversaries are using AI and large language models to compress the gap between disclosure and weaponisation, and recommending that internet-facing known-exploited flaws and critical externally-exposed flaws be remediated within 12 hours to 1 day, and high-severity issues within 5 days.
- India exposure: This is the national authority resetting expectations for every regulated entity here — government, BFSI, defence and critical infrastructure — not a foreign guideline.
- Action: Map your internet-facing assets now and rehearse an emergency-patch path; if you cannot patch a known-exploited flaw within a day, have a documented compensating mitigation ready.
- Source: The Hacker News, "CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks," 26 May 2026.
2. Critical (CVSS 9.1): FortiClient EMS abused to push an infostealer disguised as a Fortinet patch (CVE-2026-35616)
Arctic Wolf observed threat actors exploiting the unauthenticated RCE flaw (CVSS 9.1) in FortiClient EMS to distribute a credential stealer (tracked as EKZ) as a fake endpoint update, FortiEndpoint_Patch.exe. The payload was executed via PowerShell: the attackers tampered with Remote Access Profile and endpoint policy configurations so that it ran through FortiClient-managed VPN scripting workflows. It harvests credentials from Chromium-based browsers and Firefox. Fixed in FortiClient EMS 7.4.7.
- India exposure: Fortinet is heavily deployed across Indian enterprise and government estates; a compromise of the management server turns your own software-distribution channel into a malware delivery pipe.
- Action: Confirm FortiClient EMS is on 7.4.7 or later; hunt for FortiEndpoint_Patch.exe/p.exe and unexpected PowerShell-spawned executables pushed via EMS.
- Source: Arctic Wolf, "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch," 27 May 2026; Help Net Security, 29 May 2026.
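One way to run the hunt in the action item above, as an added example for this brief (not Arctic Wolf's or Fortinet's code): it scans constructed Sysmon-style process-creation events for the two filenames the report names and for any executable launched by PowerShell from outside the directories a pushed installer would normally use. The event lines and the EXPECTED_DIRS allow-list are constructed assumptions to be tuned to your own estate.

```python
# Added example for this brief (not Arctic Wolf's or Fortinet's code): a hunt over
# constructed Sysmon-style process-creation events for the indicators in item 2,
# the fake-patch filenames and executables launched through PowerShell.
import json
import ntpath
from typing import List, Optional, Tuple

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Directories a legitimately pushed installer is expected to run from. Assumption:
# tune to your estate before relying on this.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample events with Sysmon Event ID 1 field names, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
                "ParentImage": r"C:\Windows\System32\services.exe"}),
    json.dumps({"Computer": "WS02", "Image": r"C:\Users\Public\FortiEndpoint_Patch.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"Computer": "WS03", "Image": r"C:\ProgramData\p.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"Computer": "WS04", "Image": r"C:\Users\a\AppData\Local\Temp\update.exe",
                "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe"}),
    json.dumps({"Computer": "WS05", "Image": r"C:\Windows\System32\whoami.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
]

def classify(event: dict) -> Optional[str]:
    """Return a verdict for one process-creation event, or None if it looks benign."""
    image = event["Image"].lower()
    name = ntpath.basename(image)
    from_powershell = ntpath.basename(event["ParentImage"].lower()) in POWERSHELL
    # FortiEndpoint_Patch.exe is flagged anywhere; p.exe is too generic a name, so it
    # only counts when PowerShell launched it.
    if name == "fortiendpoint_patch.exe" or (from_powershell and name == "p.exe"):
        return "named-ioc"
    if from_powershell and not image.startswith(EXPECTED_DIRS):
        return "powershell-spawned-exe"
    return None

def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse JSON event lines and return (host, verdict, image) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        verdict = classify(event)
        if verdict is not None:
            hits.append((event["Computer"], verdict, event["Image"]))
    return hits
```

Feed it your own exported process-creation events one JSON object per line; the location check is what catches renamed payloads that the filename indicators miss.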
3. OverlayPhantom Android banking trojan steals via fake overlay screens
Cyble's research lab detailed OverlayPhantom, an Android trojan that abuses Accessibility services, hides as "Google Play Services," and overlays HTML phishing pages on roughly 180 banking, finance and crypto apps to capture PINs and take over accounts, with screen-streaming and 30-plus remote commands.
- India exposure: Cyble's documented target list names ten countries and does not include India; the relevance here is the technique and distribution model — sideloaded droppers impersonating government identity and social apps — which maps directly onto India's high-volume mobile-banking and UPI user base.
- Action: Enforce Play Protect and block sideloading on managed devices; brief retail-banking customers that no legitimate app requests Accessibility permission to "view your screen."
- Source: Cyble (CRIL), "OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight," 27 May 2026.
4. Kali365 phishing-as-a-service bypasses MFA on Microsoft 365
Check Point's weekly report carried an FBI warning on Kali365, a phishing kit sold via Telegram that targets Microsoft 365 users with device-code phishing and is built to bypass multi-factor authentication.
- India exposure: Microsoft 365 is the default productivity stack across Indian enterprises and government; device-code phishing defeats the SMS/OTP MFA many organisations still rely on.
- Action: Move high-value accounts to phishing-resistant authentication (FIDO2/passkeys or certificate-based), and restrict the device-code authentication flow in Entra ID where it is not operationally required.
- Source: Check Point Research, "25th May – Threat Intelligence Report," 25 May 2026.
5. Two actively exploited Windows Defender flaws patched (CVE-2026-41091, CVE-2026-45498)
The same Check Point report flagged Microsoft's fix for two Windows Defender vulnerabilities under active exploitation, enabling local privilege escalation and denial of service.
- India exposure: Windows endpoints dominate the Indian corporate and public-sector desktop fleet; a privilege-escalation bug in the bundled defender is a clean post-access step for an intruder.
- Action: Confirm the May Windows security updates have rolled out to all endpoints and verify Defender platform versions on stragglers.
- Source: Check Point Research, "25th May – Threat Intelligence Report," 25 May 2026.
The takeaway: This week's thread is trust being turned against defenders — your CERT shortening the clock, your endpoint-management console, your MFA, and your own Android users' instinct to trust a familiar screen. Patch the named flaws inside CERT-In's new windows, treat your software-distribution channels as a privileged attack surface, and move authentication beyond OTP.
Nirad Bharat Threat Feed | Bharat-first threat intelligence