This pack covers three active threat scenarios dominating the 2026-05-26 threat landscape: a disrupted but not eradicated developer-targeting botnet supply chain campaign (Glassworm), an ongoing Iran-linked espionage operation abusing legitimately signed binaries against critical infrastructure (MuddyWater), and an actively exploited ASP.NET hard-coded key vulnerability enabling unauthenticated RCE on KnowledgeDeliver LMS deployments. Immediate attention is required for any organization running KnowledgeDeliver LMS (unauthenticated RCE with confirmed web shell and Cobalt Strike delivery in the wild) and for any organization employing software developers who may have installed VSCode-family extensions or open-source packages during the Glassworm campaign window (early 2025 through May 26, 2026). The MuddyWater DLL sideloading campaign presents an elevated detection gap for organizations running SentinelOne or Fortemedia software, with no vendor patch currently available and behavior-based detection as the primary mitigation.