Frequently Asked Questions

Cyberattack Trends & Threat Intelligence

What were the most significant cyberattacks in May 2022?

May 2022 saw a range of high-profile cyberattacks, including spear-phishing campaigns by the Lotus Panda APT group using Viper and ARL tools, exploitation of the Microsoft Office Follina zero-day vulnerability, Magecart skimming attacks on e-commerce sites, the Sysrv-K cryptomining worm, the Nerbian RAT targeting organizations in Europe, ZIP bomb tactics, and new Mirai botnet variants targeting IoT devices. These attacks highlight the evolving tactics of cybercriminals and the importance of continuous threat validation. Source

How did the Lotus Panda APT group conduct their attacks in May 2022?

The Lotus Panda group launched spear-phishing attacks using two tools, Viper and ARL (Asset Reconnaissance Lighthouse). The attack began with a malicious Word document whose macro code extracted embedded data from the document properties, loaded shellcode, and injected a beacon into svchost.exe. The C2 server hosted the Viper framework and ARL dashboards for asset discovery and exploitation. Source

What is the Follina vulnerability and how was it exploited?

The Follina vulnerability (CVE-2022-30190) is a remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT). In May 2022, Chinese-linked threat actors exploited this zero-day to execute malicious code on Windows systems via Office documents, impacting all supported Windows client and server platforms. Source

How did Magecart hackers target e-commerce sites in May 2022?

Magecart hackers injected JavaScript skimmers on checkout pages of e-commerce sites, including Germany-based Emma – The Sleep Company, to steal credit and debit card data. They also infiltrated site vendors, allowing them to compromise thousands of sites through a single vendor breach. Source

What is the Sysrv-K malware and how does it operate?

Sysrv-K is a worm and cryptocurrency miner that scans for vulnerable Tomcat, WebLogic, and MySQL services, exploits them with hard-coded password attacks, and deploys a Monero miner. It also searches WordPress files to take control of web servers and uses Telegram bots for communication. Source

How did the Nerbian RAT target organizations in May 2022?

The Nerbian RAT was distributed via COVID-19-themed phishing emails, primarily targeting organizations in Italy, Spain, and the UK. The malware used anti-VM techniques to evade detection, logged keystrokes, captured screenshots, and exfiltrated data to remote servers. Source

What is a ZIP bomb and how is it used by attackers?

A ZIP bomb is a maliciously crafted archive file that, when decompressed, consumes excessive system resources, potentially bypassing security controls and causing denial of service. Attackers deliver ZIP bombs via email to overwhelm victim systems. Source

How did the Mirai botnet evolve in May 2022?

In May 2022, Mirai botnet operators added new vulnerabilities and expanded support for hardware architectures, targeting IoT devices with ARM, x86, MIPS, Motorola 68K, Sparc, and PowerPC CPUs. 32-bit x86 variants became more common on Linux servers and networking equipment. Source

How can organizations test their exposure to recent cyberattacks?

Organizations can use Cymulate’s Immediate Threats assessment to test and verify exposure to the latest attacks. The platform provides actionable mitigation suggestions and indicators of compromise (IOCs) directly in the Cymulate UI. Source

What resources does Cymulate offer for staying updated on cyber threats?

Cymulate provides a regularly updated blog, a resource hub with whitepapers, guides, and data sheets, and a newsroom for media mentions. These resources help organizations stay informed about the latest threats and security trends. Blog | Resource Hub | Newsroom

Features & Capabilities

What is Cymulate’s Exposure Management Platform?

Cymulate’s Exposure Management Platform is a unified solution that integrates Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It enables organizations to proactively validate security controls, prioritize vulnerabilities, and optimize defenses against real-world threats. Learn more

What are the key features of Cymulate?

Key features include continuous threat validation, unified platform for BAS, CART, and Exposure Analytics, AI-powered optimization, complete kill chain coverage, attack path discovery, automated mitigation, cloud validation, and an intuitive, user-friendly interface. Source

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with numerous security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, CrowdStrike Falcon LogScale, and Cybereason. For a full list, visit the Partnerships and Integrations page.

How does Cymulate help organizations prioritize vulnerabilities?

Cymulate ranks vulnerabilities based on exploitability, business context, and threat intelligence, enabling organizations to focus remediation efforts on the most critical exposures. This evidence-based prioritization improves operational efficiency and risk reduction. Learn more

What is Cymulate’s Immediate Threats assessment?

The Immediate Threats assessment allows organizations to test their exposure to the latest cyberattacks, verify defenses, and receive actionable mitigation suggestions. Indicators of compromise (IOCs) are available directly in the Cymulate UI. Source

How often is Cymulate’s threat library updated?

Cymulate provides the most advanced library of attack simulations with daily updates, ensuring customers stay ahead of emerging threats. Source

What technical documentation is available for Cymulate?

Cymulate offers whitepapers, guides, solution briefs, data sheets, and e-books covering its Exposure Management Platform, CTEM, detection engineering, and more. Access these resources in the Resource Hub.

How easy is Cymulate to use and implement?

Cymulate is praised for its intuitive, user-friendly interface and fast implementation. Customers report being able to deploy and start running simulations quickly, with minimal resources or technical expertise required. Customer quotes

What customer feedback has Cymulate received about ease of use?

Customers consistently highlight Cymulate’s ease of use, intuitive dashboard, and excellent support. For example, a Security Consultant described it as "very easy to understand," and a Cybersecurity Manager said, "All you need to do is click a few buttons, and you receive a lot of practical insights." Read more testimonials

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as finance, healthcare, retail, and more. It is suitable for organizations of all sizes, from small businesses to large enterprises. Learn more

What business impact can customers expect from Cymulate?

Customers typically see a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. These metrics are based on real customer outcomes. Source

What core problems does Cymulate solve?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers for CISOs. It provides continuous threat validation, actionable insights, and unified exposure management. Source

How does Cymulate address persona-specific pain points?

Cymulate tailors solutions for CISOs (visibility, metrics), SecOps (efficiency, automation), red teams (scalable offensive testing), and vulnerability management (prioritization, resource constraints). Each persona benefits from features aligned to their unique challenges. Learn more

What is the primary purpose of Cymulate’s platform?

The primary purpose is to harden defenses and optimize security controls by proactively validating controls, threats, and response capabilities. Cymulate helps organizations focus on exploitable exposures and strengthen their overall security posture. Source

How does Cymulate help with lateral movement attack prevention?

Cymulate’s Attack Path Discovery automates testing for lateral movement, helping organizations identify and mitigate threats related to privilege escalation and lateral movement. For more, see the blog post Stopping Attackers in Their Tracks.

How does Cymulate support cloud security validation?

Cymulate provides dedicated validation features for hybrid and cloud environments, including integrations with AWS GuardDuty and Check Point CloudGuard, to ensure comprehensive cloud security validation. Learn more

What is Cymulate’s approach to continuous threat exposure management (CTEM)?

Cymulate evolves security practices into CTEM by integrating validation, prioritization, and mobilization with collaboration across teams, ensuring measurable improvements in threat resilience and operational efficiency. Learn more

Pricing & Plans

What is Cymulate’s pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization’s needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a personalized quote, schedule a demo.

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate offers an industry-leading threat scenario library and AI-powered capabilities for streamlined workflows and accelerated security posture improvement. AttackIQ focuses on automated security validation but lacks Cymulate’s innovation, threat coverage, and ease of use. Read more

How does Cymulate compare to Mandiant Security Validation?

Mandiant is one of the original BAS platforms but has seen little innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader. Read more

How does Cymulate compare to Pentera?

Pentera is useful for attack path validation but lacks the depth Cymulate provides for fully assessing and strengthening defenses. Cymulate optimizes defense, scales offensive testing, and increases exposure awareness. Read more

How does Cymulate compare to Picus Security?

Picus may suit organizations seeking a BAS vendor with an on-prem option. Cymulate offers a more complete exposure validation platform covering the full kill chain and cloud control validation. Read more

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation. It features the industry’s largest attack library, a full CTEM solution, and comprehensive exposure validation. Read more

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams building custom attack campaigns. Cymulate provides a more comprehensive exposure validation platform with actionable remediation and automated mitigation. Read more

How does Cymulate compare to NetSPI?

NetSPI excels in penetration testing as a service (PTaaS). Cymulate is designed for continuous, independent assessment and strengthening of defenses, recognized as a leader in exposure validation by Gartner and G2. Read more

Security, Compliance & Company Information

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating its commitment to security, privacy, and cloud service best practices. Learn more

How does Cymulate ensure product security and compliance?

Cymulate employs secure AWS data centers, strong encryption (TLS 1.2+ and AES-256), a robust SDLC, continuous vulnerability scanning, annual penetration tests, and ongoing employee security training. It is GDPR-compliant and has a dedicated privacy and security team. Learn more

What is Cymulate’s company background?

Founded in 2016, Cymulate has a presence in 8 global locations, serves customers in 50 countries, and is trusted by over 1,000 organizations. The company is recognized for continuous innovation and measurable impact in cybersecurity. About Us

What is Cymulate’s vision and mission?

Cymulate’s mission is to revolutionize cybersecurity by fostering a proactive approach to managing threats, empowering organizations to improve resilience and manage their security posture effectively. Learn more

Support & Resources

Where can I find Cymulate’s blog?

You can stay updated on the latest threats, new Cymulate research, and more on our blog. Recent topics include CVE-2026-20965 and steps to become ransomware resilient.

How can I subscribe to the Cymulate blog?

To subscribe, you need to provide your full name, email address, and country of residence. Privacy Policy

Where can I find Cymulate’s newsroom?

Cymulate’s media mentions and bylines in leading publications are available in our newsroom.

Where can I find Cymulate’s resource hub?

All resources, including insights, thought leadership, and product information, are available in our Resource Hub.

How can I stay updated with the latest news and research from Cymulate?

Visit the company blog for the latest threats and research, and check the Newsroom for media mentions and press releases.


Cymulate’s May 2022 Cyberattacks Wrap-up

Last Updated: September 15, 2025


Cyberattacks never take a day off, as May 2022 has shown us once again. As we mentioned before, cybercrime gangs keep stepping up their game. For instance, Wizard Spider, the Russia-linked crew behind the high-profile malware Conti, Ryuk, and Trickbot, has grown into a multimillion-dollar organization operating much like a regular corporation.

This Panda's Not Cute

Another well-known threat group made a comeback: Lotus Panda, the Chinese APT. This time, it launched spear-phishing attacks using two tools, Viper and ARL (Asset Reconnaissance Lighthouse). Viper is a penetration-testing framework that integrates numerous attack modules covering the tactics and techniques commonly used in attackers’ workflows. ARL helps security teams and penetration testers perform reconnaissance, enumerate assets, and discover existing weak points and attack surfaces.

  1. The attack started with a spear-phishing email containing a malicious Word document titled "Tender Documents for Centralized Procurement of Web Application Firewall (WAF) Equipment of China Mobile from 2022 to 2024".
  2. Once the document was opened, its macro code extracted the embedded data from the Comments and Subject document properties and wrote it to the file system.
  3. The small HexINI executable acted as a loader for the shellcode: it opened and read the dropped data, converted the hexadecimal string to a byte array, and copied that array into the process's memory space using VirtualAlloc and memcpy.
  4. The code was executed on a new thread through the CreateThread function.
  5. Once the shellcode ran, it created a suspended svchost.exe process to host the final beacon.
  6. The injection used the classic flow of the VirtualAllocEx, WriteProcessMemory, and CreateRemoteThreadEx Win32 API functions.
  7. The HTTP beacon used an embedded user-agent string and fetched new commands for execution.
  8. The C2 server hosted the Viper framework and ARL dashboards.
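The chain above hides its payload in the Comments and Subject properties of the Word document. As an added example (not Cymulate's code and not part of the original post), the script below inspects a .docx's docProps/core.xml, where Office stores Comments as dc:description and Subject as dc:subject, and flags values that are unusually long or look like a hex-encoded blob; the thresholds and the sample documents it builds are assumptions for illustration.

```python
"""Flag Office documents whose metadata properties carry hidden payload data.

Added example, not Cymulate's code. In OOXML the Word "Comments" property is
stored as dc:description and "Subject" as dc:subject in docProps/core.xml.
Thresholds and the constructed sample documents are assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
WATCHED = {"Comments": "dc:description", "Subject": "dc:subject"}
MAX_LEN = 200                                 # benign metadata is short
HEX_BLOB = re.compile(r"^[0-9A-Fa-f]{64,}$")  # long run of hex digits only


def suspicious_properties(docx_bytes: bytes) -> dict:
    """Return {property: reason} for metadata fields that look like carriers."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for label, path in WATCHED.items():
        node = root.find(path, NS)
        text = (node.text or "").strip() if node is not None else ""
        if HEX_BLOB.match(text):
            findings[label] = "hex-encoded blob (%d chars)" % len(text)
        elif len(text) > MAX_LEN:
            findings[label] = "oversized value (%d chars)" % len(text)
    return findings


def build_docx(subject: str, comments: str) -> bytes:
    """Constructed minimal .docx (core.xml only) used as sample input."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:title>Tender</dc:title><dc:subject>%s</dc:subject>"
        "<dc:description>%s</dc:description></cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], subject, comments)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_docx("Procurement", "Reviewed by legal")
    carrier = build_docx("4d5a90" * 40, "zz" * 300)  # constructed samples
    print(suspicious_properties(benign))   # {}
    print(suspicious_properties(carrier))  # Subject: hex blob, Comments: oversized
```

A real triage pipeline would run the same check over every part of the package (custom.xml, app.xml), since any string-valued property can be used as a carrier.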

Check Your Windows

Chinese-linked threat actors also actively exploited Follina (CVE-2022-30190), a Microsoft Office zero-day vulnerability, to execute malicious code remotely on Windows systems. This remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) affected all Windows client and server platforms still receiving security updates (Windows 7 or later and Windows Server 2008 or later).

No Rest for the Wicked

The Magecart hackers attacked Germany-based mattress giant Emma – The Sleep Company. Magecart used online skimming techniques to steal data from customers entering credit or debit card information on e-commerce websites: JavaScript skimmers injected on checkout pages captured the data regardless of whether the customer completed the online transaction. Magecart also breached other sites by infiltrating site vendors and, through them, the e-commerce sites that use those vendors, which allowed it to reach thousands of sites with a single vendor compromise.

Mail-ware

Malware keeps being updated for maximum impact, and in May 2022 we saw the range of vulnerabilities it exploits continue to expand. For instance, the new Sysrv-K variant deployed a Monero cryptocurrency miner on infected machines, abusing their computing resources to generate digital currency. Sysrv-K was also observed searching through WordPress files on compromised machines to take control of the web server software, using a Telegram bot as a communications channel. Written in Go, Sysrv is essentially a worm and cryptocurrency miner: it port-scans random IPs to find vulnerable Tomcat, WebLogic, and MySQL services and infiltrates those servers with hard-coded password dictionary attacks.

A RAT in the Org

Another type of malware rearing its ugly head in May 2022 is the Remote Access Trojan Nerbian RAT, which targeted organizations in Italy, Spain, and the United Kingdom. The malware was distributed via COVID-19-themed phishing emails claiming to be sent by the World Health Organization. 

  1. Once the victims opened the email, they were duped into opening the malicious Word document titled the "latest health advice."
  2. At first glance, the macros displayed COVID-19 guidance, including steps for self-isolation.
  3. In the background, the same macros triggered an infection chain.
  4. The "UpdateUAV.exe" payload was delivered to drop the Nerbian RAT from a remote server.
  5. The dropper also used the open-source Chacal "anti-VM framework" to hinder reverse engineering by carrying out anti-reversing checks.
  6. Once it detected a debugger or memory analysis program, it terminated itself.
  7. The RAT logged keystrokes, captured screenshots, and executed arbitrary commands before exfiltrating the results back to the server.


Skip this ZIP

Threat actors are always finding ways to stay hidden. One of them is the so-called “ZIP bomb” tactic: a malicious archive (ZIP file) is delivered to a victim's mailbox, and although the archive itself is very small, decompressing it consumes a large amount of resources. This makes it a highly efficient way to bypass security controls.
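The check a mail gateway or sandbox needs against this tactic is to size up an archive before inflating it. The following is an added example (not Cymulate's code and not from the original post): it rejects a ZIP whose central directory declares an extreme compression ratio or total size, and then inflates the remaining entries under a hard byte budget so the decision does not rest on header fields alone; the limits and the constructed sample archives are assumptions.

```python
"""Refuse to extract archives that behave like ZIP bombs.

Added example, not Cymulate's code. MAX_TOTAL_BYTES and MAX_RATIO are
assumed limits; tune them to the attachment sizes your environment expects.
"""
import io
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024   # never inflate more than 50 MiB
MAX_RATIO = 100                      # uncompressed / compressed, per entry


def check_archive(data: bytes):
    """Return (safe, reason); safe is False when the archive should be dropped."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, "not a valid ZIP: %s" % exc
    with zf:
        total_declared = 0
        for info in zf.infolist():
            total_declared += info.file_size
            # First gate: ratio computed from sizes declared in the central directory.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return False, "%s: ratio %d exceeds %d" % (
                    info.filename, info.file_size // info.compress_size, MAX_RATIO)
        if total_declared > MAX_TOTAL_BYTES:
            return False, "declared total %d bytes exceeds budget" % total_declared
        # Second gate: inflate in chunks under a hard budget instead of trusting
        # the headers alone; abort as soon as the budget is exceeded.
        inflated = 0
        for info in zf.infolist():
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    inflated += len(chunk)
                    if inflated > MAX_TOTAL_BYTES:
                        return False, "inflated more than %d bytes" % MAX_TOTAL_BYTES
    return True, "ok (%d bytes inflated)" % inflated


def make_zip(entries: dict) -> bytes:
    """Constructed sample archive from {name: payload bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    normal = b"Dear customer, your May 2022 invoice is attached. " + bytes(range(256))
    print(check_archive(make_zip({"invoice.txt": normal})))
    # 4 MiB of zeros deflates to a few KiB, a ratio in the hundreds or more.
    print(check_archive(make_zip({"bomb.bin": b"\x00" * (4 * 1024 * 1024)})))
```

Nested archives need the same check applied recursively to any entry that is itself a ZIP, since a layered bomb keeps each individual layer's ratio modest.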

IoT Tales

In May 2022, the Mirai botnet operators incorporated new vulnerabilities and support for additional hardware architectures to target IoT devices built on x86 (32- and 64-bit), ARM, MIPS, Motorola 68K, SPARC, and PowerPC. We saw that, although the ARM CPU architecture (used in most mobile and IoT devices) remained the favorite, 32-bit x86 Mirai variants aimed at Linux servers and networking equipment are becoming more popular.

To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions if your organization turns out to be vulnerable. IOCs are also available in the Cymulate UI!

Stay cyber safe! 
