This pack covers four intelligence items spanning three distinct attack patterns: a large-scale Chinese-language phishing-as-a-service operation (Darcula/UNC5814) actively bypassing MFA and tokenizing stolen payment cards across 119 countries; an actively exploited unauthenticated RCE in KnowledgeDeliver LMS via hardcoded ASP.NET machine keys with confirmed web shell and Cobalt Strike deployment in the wild; and two access control failures, a credential-compromise-driven healthcare data breach and a critical Linux kernel use-after-free (CVE-2026-43414) targeting Azure Linux 3.0 Fibre Channel infrastructure. Immediate attention is required for the KnowledgeDeliver RCE (treat as active compromise) and the Darcula PhaaS campaign (any organization with consumer-facing authentication or payment services is in scope). The credential abuse pattern appearing in both the Darcula campaign and the Hartford HealthCare breach underscores a systemic gap in phishing-resistant authentication adoption across financial and healthcare sectors.