What Business Owners Need to Know This Week
Week 22 (17–24 May 2026) was dominated by infrastructure-targeting activity, not ransomware encryption. A coordinated ransom-DDoS (RDoS) campaign struck five South African internet infrastructure providers across 18–20 May: 1-Grid (>100 Gbit/s; 32,000 customers), Xneelo (KonsoleH disrupted), Network Platforms (>300 Gbit/s; ransom refused), Domains.co.za (impacted), and Seacom (downstream disruption). Extortion emails signed “BlackMatter” demanded ~R16,000 (2.5 XMR). Attribution is disputed — experts cite inconsistency with BlackMatter’s historical US$80k–$15M demand range; a nation-state reconnaissance theory has been raised. Microsoft released out-of-band patches on 21 May for the long-running Defender RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) zero-days after 7+ weeks. A new CVSS 10.0 cPanel/LiteSpeed vulnerability (CVE-2026-48172) is in-the-wild and directly compounds the SA hosting wave. South Africa has been newly added to Lazarus Group’s (DPRK) confirmed APT target geography by CYFIRMA.
The Bottom Line: The flat ransomware count (111) should not be read as reduced threat — the threat actor mix is shifting toward DDoS extortion, hacktivism, and espionage-adjacent reconnaissance. Five SA internet providers demonstrated that refusing to pay DDoS extortion is viable, but the campaign showed >1 Tbps capability against SA infrastructure. CYFIRMA’s addition of SA to Lazarus APT target geography is a significant new signal for financial services, crypto, and defence-adjacent sectors. The cPanel CVSS 10.0 vulnerability is in-the-wild on hosting infrastructure already under DDoS pressure — a dangerous combination.
The Week in Numbers
- 111 cumulative SA ransomware victims — FLAT for the second consecutive week; no new ransomware.live listings in W22.
- 5 SA ISPs/hosting providers hit by coordinated ransom-DDoS: 1-Grid, Xneelo, Network Platforms, Domains.co.za, Seacom.
- 676 Gbit/s peak DDoS traffic on individual providers; >1 Tbps in the wider campaign (SSS measurement).
- ~R16,000 (2.5 XMR) — extortion demand; inconsistent with BlackMatter’s historical US$80k–$15M range, raising attribution doubt.
- 13 minutes — time taken by SSS to neutralise a concurrent data-exfil attempt during the campaign.
- 11 new CISA KEV entries including 5 legacy 2008–2010 CVEs re-weaponised in 2026 campaigns.
- CVSS 10.0 — severity of new cPanel/LiteSpeed CVE-2026-48172; in-the-wild exploitation confirmed.
- SA newly added to Lazarus Group (DPRK) confirmed APT target geography — 3 SA finance sector victims in 90 days (CYFIRMA).
- +40% YoY — POPIA breach notifications growth rate (IR APP figure, W22).
Major Incidents: Who Was Hit and How
SA ISP/Hosting Ransom-DDoS Wave — 18–20 May
A coordinated carpet-bombing RDoS campaign struck five South African internet infrastructure providers across 18–20 May 2026:
| Date | Provider | Peak / Impact | Outcome |
|---|---|---|---|
| 18 May | 1-Grid | >100 Gbit/s; 32,000 customers; 77,000 hosted sites | Disrupted |
| 18–19 May | Xneelo | KonsoleH control panel disrupted | Disrupted |
| 19 May | Network Platforms | >300 Gbit/s peak | Ransom REFUSED |
| 19–20 May | Domains.co.za | Customer-facing services impacted | Disrupted |
| 20 May | Seacom | Downstream connectivity disruption | Disrupted |
| 22 May | SSS | Concurrent data-exfil attempt during DDoS | NEUTRALISED (13 min) |
Attribution to BlackMatter is disputed by security experts. The R16,000 (2.5 XMR) demand is inconsistent with BlackMatter’s historical US$80k–$15M range. Dr Manny Corregedor (Telspace Africa) raised a nation-state reconnaissance theory — that the DDoS may be cover for infrastructure mapping. No payments were confirmed. All five providers refused extortion demands where disclosed.
Microsoft Defender OOB Patches — RedSun & UnDefend Finally Fixed
On 21 May, Microsoft released out-of-band patches for the two long-running Defender zero-days: CVE-2026-41091 (Defender Engine RedSun, CVSS 7.8 — privilege escalation to SYSTEM) and CVE-2026-45498 (Defender Platform UnDefend, CVSS 4.0 — disables AV protection). These had been unpatched for 7+ weeks. Huntress confirmed live intrusions via FortiGate VPN entry followed by the UnDefend/RedSun chain. Patch Defender Engine to 1.1.26040.8 and Platform to 4.18.26040.7 (distributed via Windows Update/WSUS automatically, but verify deployment across all endpoints).
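One way to find the stragglers the paragraph above (and the action list later on the page) asks for, as an added example rather than Microsoft tooling: compare each endpoint's reported Defender versions numerically against the two OOB fix levels. The inventory below is a constructed sample in the shape of a Get-MpComputerStatus export (AMEngineVersion / AMProductVersion fields); hostnames and pre-patch version strings are made up.

```python
"""Flag endpoints still below the 21 May Defender OOB fix levels.
Added example; the inventory is constructed, not a real export."""

REQUIRED_ENGINE = "1.1.26040.8"      # Defender Engine fix (RedSun, CVE-2026-41091)
REQUIRED_PLATFORM = "4.18.26040.7"   # Defender Platform fix (UnDefend, CVE-2026-45498)


def parse_version(v):
    """'1.1.26040.8' -> (1, 1, 26040, 8). Comparing as strings would rank
    '1.1.26040.10' below '1.1.26040.8'; tuples of ints compare correctly."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(engine, platform):
    """True only when both Engine and Platform meet the OOB fix levels."""
    return (parse_version(engine) >= parse_version(REQUIRED_ENGINE)
            and parse_version(platform) >= parse_version(REQUIRED_PLATFORM))


def find_stragglers(inventory):
    """Return (hostname, reason) for every endpoint missing either fix."""
    stragglers = []
    for host in inventory:
        reasons = []
        if parse_version(host["AMEngineVersion"]) < parse_version(REQUIRED_ENGINE):
            reasons.append(f"engine {host['AMEngineVersion']} < {REQUIRED_ENGINE}")
        if parse_version(host["AMProductVersion"]) < parse_version(REQUIRED_PLATFORM):
            reasons.append(f"platform {host['AMProductVersion']} < {REQUIRED_PLATFORM}")
        if reasons:
            stragglers.append((host["ComputerName"], "; ".join(reasons)))
    return stragglers


# Constructed sample inventory (hostnames and old versions are invented).
SAMPLE_INVENTORY = [
    {"ComputerName": "FIN-WS-01", "AMEngineVersion": "1.1.26040.8",  "AMProductVersion": "4.18.26040.7"},
    {"ComputerName": "FIN-WS-02", "AMEngineVersion": "1.1.26030.2",  "AMProductVersion": "4.18.26040.7"},
    {"ComputerName": "HR-LT-07",  "AMEngineVersion": "1.1.26040.8",  "AMProductVersion": "4.18.26030.5"},
    {"ComputerName": "DC-01",     "AMEngineVersion": "1.1.26040.10", "AMProductVersion": "4.18.26041.1"},
]

if __name__ == "__main__":
    for name, why in find_stragglers(SAMPLE_INVENTORY):
        print(f"{name}: {why}")
```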
cPanel/LiteSpeed — CVE-2026-48172 (CVSS 10.0) In-the-Wild
A new CVSS 10.0 vulnerability in the LiteSpeed cPanel plugin (CVE-2026-48172) is confirmed in-the-wild. The vulnerability allows unauthenticated remote code execution on any cPanel server running the LiteSpeed plugin. This directly compounds the SA hosting wave: five ISPs already under DDoS pressure are simultaneously exposed to a CVSS 10.0 RCE on their hosting infrastructure. Update the LiteSpeed cPanel plugin to version 2.4.7 immediately. Hunt cPanel IOCs: grep for cpanel_jsonapi_func=redisAble in /var/cpanel/logs/; check for .sorry files, hasroot=1 sessions, and root password 123Qwe123C.
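The IOC hunt just described (and repeated in the action list at the end of the page) scripted as an added example, not cPanel's own tooling: scan cPanel access-log lines for the redisAble JSON-API call and hasroot=1 session markers, and walk a tree for .sorry files. The log lines and the directory tree are constructed samples; the log format is assumed to be a typical combined-style access log and is not taken from the newsletter.

```python
"""Hunt the CVE-2026-48172 cPanel indicators over log lines and a file tree.
Added example; SAMPLE_LOG and demo_tree() are constructed, not real data."""
import os
import re
import tempfile

# Indicator 1: the LiteSpeed plugin JSON-API function named in the newsletter,
# expected in access logs under /var/cpanel/logs/.
REDISABLE = re.compile(r"cpanel_jsonapi_func=redisAble")
# Indicator 2: sessions carrying hasroot=1.
HASROOT = re.compile(r"\bhasroot=1\b")


def scan_log_lines(lines):
    """Return (line_no, indicator, line) for every line matching an IOC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if REDISABLE.search(line):
            hits.append((n, "redisAble", line.rstrip()))
        if HASROOT.search(line):
            hits.append((n, "hasroot=1", line.rstrip()))
    return hits


def find_sorry_files(root):
    """Walk a tree and return every path ending in .sorry, sorted."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if f.endswith(".sorry"))
    return sorted(found)


# Constructed sample log (documentation IP ranges, invented users and times).
SAMPLE_LOG = [
    '203.0.113.7 - user1 [19/May/2026:11:02:14 +0200] "GET /json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200',
    '198.51.100.9 - user2 [19/May/2026:11:03:02 +0200] "GET /frontend/jupiter/index.html HTTP/1.1" 200',
    '203.0.113.7 - user1 [19/May/2026:11:03:40 +0200] "POST /login/?login_only=1 HTTP/1.1" 302 session=abc123:hasroot=1',
]


def demo_tree():
    """Build a throwaway tree with one .sorry file so find_sorry_files() runs offline."""
    root = tempfile.mkdtemp(prefix="cpanel-hunt-")
    os.makedirs(os.path.join(root, "home", "user1", "public_html"))
    open(os.path.join(root, "home", "user1", "public_html", "index.html"), "w").close()
    open(os.path.join(root, "home", "user1", ".sorry"), "w").close()
    return root


if __name__ == "__main__":
    for n, ioc, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {ioc}: {line}")
    print(find_sorry_files(demo_tree()))
```

On a real host, point scan_log_lines() at each file under /var/cpanel/logs/ and find_sorry_files() at the home directories; the root-password indicator from the paragraph is a credential check, not something this log scan can confirm.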
Lazarus Group (DPRK) — SA Added to APT Target Geography
CYFIRMA confirmed in Week 22 that South Africa has been newly added to Lazarus Group’s (North Korea / DPRK) confirmed APT target geography, with 3 SA finance sector victims identified in the preceding 90 days. Lazarus Group targets financial institutions, cryptocurrency exchanges, and defence-adjacent organisations for direct financial theft (estimated US$3B+ stolen globally) and intelligence collection. SA financial institutions, crypto exchanges, and any organisation with SWIFT connectivity should treat Lazarus as an active threat and brief boards accordingly.
Legacy CVEs Re-weaponised — 2008–2010 Vulns in 2026 Campaigns
Among the 11 CISA KEV additions in Week 22, 5 are legacy CVEs from 2008–2010 that have been re-weaponised in active 2026 campaigns. This confirms that threat actors are successfully exploiting decade-old vulnerabilities in SA environments where patch discipline has lapsed. Organisations should audit legacy Windows, Office, and network device firmware for CVEs older than 5 years that remain unpatched.
POPIA and Regulatory
POPIA breach notifications are growing at +40% year-on-year (IR APP figure, W22) — the accelerating notification rate reflects both improved compliance awareness and escalating incident frequency. The #OpSouthAfrica hacktivist wave targeting government systems adds to the public-sector POPIA notification burden. Three active KEV deadlines remain: Drupal (27 May), Exchange OWA CVE-2026-42897 (29 May, no permanent patch), and Ivanti (27 May). Financial sector entities must document all KEV remediation timelines under SARB Joint Standard 2/2024.
Full Intelligence Report
The complete Week 22 technical report covers the SA ISP RDoS wave with full timeline and provider impact assessment, BlackMatter attribution analysis, Defender OOB patch deployment guide, cPanel CVE-2026-48172 IOC hunt playbook, Lazarus Group SA campaign profile, legacy CVE re-weaponisation analysis, Exchange OWA EEMS M2 status, and structured hunt missions (TH-2026-W22-01 to -04) with full IOC tables.
What Your Business Should Do Right Now
- Validate DDoS scrubbing and CDN protection immediately: The SA ISP campaign demonstrated >1 Tbps capability. Confirm Anycast routing, upstream cooperative mitigation agreements with your ISP, and that outage communications templates are ready. Do not engage with extortion emails referencing “BlackMatter” or any variant — refuse and report. SSS neutralised a concurrent exfil attempt in 13 minutes; know your IR timing.
- Patch Defender OOB + verify auto-deployment: Confirm Defender Engine 1.1.26040.8 and Platform 4.18.26040.7 are deployed on every endpoint (auto via Windows Update/WSUS, but verify). These patches address 7+ weeks of active zero-day exploitation. Run endpoint coverage reports to identify any stragglers.
- Patch LiteSpeed cPanel plugin to 2.4.7 (CVE-2026-48172, CVSS 10.0): If you run any cPanel hosting infrastructure, update immediately. Hunt IOCs: grep for cpanel_jsonapi_func=redisAble in /var/cpanel/logs/; check for .sorry files, hasroot=1 sessions, and root password reset to 123Qwe123C.
- Verify Exchange OWA EEMS Mitigation ID M2 (KEV due 29 May): Run Exchange Health Checker to confirm M2 is applied on all Exchange servers. No permanent patch exists. Any unprotected OWA instance can be hijacked to send spearphishing from legitimate organisational addresses.
- Initiate Lazarus Group threat hunt for financial sector organisations: CYFIRMA confirms SA is in Lazarus’ active target geography. Focus hunt on SWIFT operator workstations, crypto wallet infrastructure, and anomalous outbound connections to DPRK-linked IP ranges. Any confirmed Lazarus activity is a Board-level and regulatory notification event.
- Audit legacy CVE patch status: Five 2008–2010 CVEs are being actively exploited in 2026. Run a vulnerability scan specifically filtering for CVEs older than 5 years across all Windows, Office, and network device estate. Treat any finding as critical-priority remediation.