← Back to Blog
Security Briefing5 min read2026-05-04

Security Briefing, May 4 2026: cPanel Ransomware, Instructure Breach, Telegram Mini App Scams, and Microsoft Defender Certificate Chaos

The ugly pattern this morning is trust under pressure: hosting panels, education platforms, chat-native apps, and endpoint protection all became leverage points once defenders assumed the familiar path was the safe path.


Top line: Patch cPanel fast, treat Instructure-linked data as exposed until institutions prove otherwise, stop trusting Telegram Mini Apps that ask for deposits or APK installs, and verify Defender certificate health if May 3 alerts hit your Windows fleet.


1. cPanel moved from critical bug to live Linux ransomware fast

CVE-2026-41940 in cPanel and WHM is already being mass-exploited. BleepingComputer reports at least 44,000 cPanel IPs were compromised in ongoing attacks, with intrusions quickly turning into deployments of the Go-based Linux "Sorry" ransomware that appends .sorry to encrypted files.


2. Instructure is now a real education-sector breach story, not just an incident notice

Instructure confirmed that user data was stolen in the cyberattack it disclosed on Friday. The company says exposed information includes names, email addresses, student ID numbers, and messages among users at affected institutions. Passwords, dates of birth, government identifiers, and financial data have not been found in scope so far, but the blast radius may still be enormous if the ShinyHunters claims are even partly right.


3. Telegram Mini Apps are being used as scam UX and Android malware delivery rails

Researchers at CTM360 say the FEMITBOT operation uses Telegram bots plus Mini Apps to impersonate brands, fake balances, pressure victims into deposits, and in some cases push Android APKs posing as legitimate apps. The trick works because the phishing flow stays inside Telegram’s own interface, which makes it feel normal to the victim.


4. Microsoft Defender false positives turned trusted DigiCert roots into an outage risk

A Defender signature update wrongly flagged legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha and, on some systems, removed them from the Windows trust store. Microsoft says the issue is fixed in Security Intelligence version 1.449.430.0 or later, but this is the kind of defensive mistake that quietly breaks trust chains while teams waste time hunting ghosts.


What security teams should do today

  1. Patch cPanel and WHM first if any exposed hosting panel is still unpatched.
  2. Assess whether your institution, customer base, or vendors rely on Instructure or Canvas and plan comms now.
  3. Push a user warning on Telegram investment scams and block sideloaded APK paths where you can.
  4. Audit Windows endpoints for Defender certificate false positives before broken trust chains surface as bigger outages.

Sources


Bottom line: The common failure mode today is misplaced trust in familiar infrastructure. Attackers exploited it in cPanel and Telegram, and defenders tripped over it in certificate handling. Either way, the teams that verify assumptions fastest will have the least damage.

Find the exposed trust paths before attackers or broken tooling do

KENSAI helps teams map risky internet-facing panels, SaaS dependencies, phishing surfaces, and trust-chain blind spots before they become incidents.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team