Weekly Recap — 2026-06-22 -> 2026-06-29
Legitimate Tools Hijacked as AI Becomes the New Battleground The most damaging intrusions this week didn't rely on custom malware — they hijacked the legitimate tools and protocols organizations already trust. FortiBleed harvested real credentials from FortiGate firewall configurations worldwide, EvilTokens bypassed multi-factor authentication by abusing Microsoft's own device login flow, and a WhatsApp campaign installed legitimate ManageEngine remote management software to maintain persistent access. Simultaneously, attackers are learning to manipulate the AI systems defenders increasingly depend on. The macOS.Gaslight malware feeds fake error messages to AI analysis tools to blind security analysts, malicious skills on the OpenClaw marketplace trick AI assistants into executing harmful commands, and researchers demonstrated that chatbot reconnaissance can map an organization's defenses through casual conversation. Reset all FortiGate and VPN credentials immediately, scrutinize AI marketplace add-ons before installation, and assume that any legitimate-looking login prompt or remote management tool could be an attacker wearing a trusted disguise.
Detection / Hunteropenrouter
By the Numbers
- Total articles: 12
- By severity: Critical: 2, High: 7, Informational: 1, Medium: 2
- By category: general security news: 2, malware: 6, phishing/social engineering: 2, threat actor: 1, vulnerability: 1
Top Threats
Trusted Systems and Protocols Weaponized
Attackers bypassed security controls this week by operating inside legitimate channels rather than breaking them. FortiBleed extracted real credentials from FortiGate configurations to pivot into internal networks, EvilTokens abused Microsoft's device-code authentication flow to bypass MFA, and the Edgecution extension exploited Chrome's native messaging protocol to escape browser sandboxes. When attackers use legitimate mechanisms, traditional detection based on spotting anomalous behavior fails entirely.
- https://securelist.com/whatsapp-vbs-rmm-campaign/120290/
- https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution
- https://any.run/cybersecurity-blog/eviltokens-ghost-code-analysis/
- https://arcticwolf.com/resources/blog/inside-fortibleed-reverse-engineering-the-cyberstrike-harvester-behind-a-global-fortigate-credential-factory/
AI Under Attack and Turned Against Defenders
AI systems emerged as both target and weapon this week. macOS.Gaslight embeds prompt-injection payloads designed to confuse LLM-assisted analysis tools, OpenClaw's marketplace distributes malicious skills that hijack AI agents through semantic instruction manipulation, and chatbot reconnaissance reveals that AI assistants leak operational context to attackers probing for weaknesses. As organizations rush to adopt AI, they are deploying systems that attackers can interrogate, deceive, and corrupt faster than they can secure them.
- https://blog.trailofbits.com/2026/06/22/introducing-patch-the-planet/
- https://www.akamai.com/blog/security/2026/jun/ai-reconnaissance-missing-layer-chatbot-security
- https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/
- https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
Infrastructure Exploitation and Industrialized Fraud
Public-facing servers remain the primary entry point for network compromise, while consumer fraud scales through compromised platforms. StrikeShark exploits a catalog of unpatched server vulnerabilities to deploy Cobalt Strike, the Langflow cryptominer leverages CVE-2026-33017 to hijack exposed AI infrastructure, and Broadcom's critical VMware Tanzu patches underscore how often essential infrastructure is left unpatched. Meanwhile, the AEGIR cluster poisoned search results on compromised websites to redirect 26 million visitors to World Cup merchandise scams.
- https://cyber.gc.ca/en/daily-digest/2026-06-23
- https://www.trendmicro.com/en_us/research/26/f/from-langflow-to-monero-inside-cve-2026-33017-cryptominer.html
- https://www.recordedfuture.com/blog/world-cup-purchase-scam-tactics
- https://securelist.com/strikeshark-campaign/120326/
Trending CVEs
- CVE-2026-33017 (1 mentions) — Unauthenticated RCE in Langflow exploited to deploy cryptocurrency miners and establish SSH-based lateral movement Sources: 1
- CVE-2021-26855 (1 mentions) — Exchange Server ProxyShell vulnerability among multiple exploited by StrikeShark for initial access Sources: 1
- CVE-2023-32315 (1 mentions) — Openfire authentication bypass exploited by StrikeShark campaign for initial access Sources: 1
- CVE-2022-40684 (1 mentions) — FortiGate authentication bypass among vulnerabilities exploited by StrikeShark for initial access Sources: 1
- CVE-2023-20198 (1 mentions) — Cisco IOS XE web UI privilege escalation exploited by StrikeShark for initial access Sources: 1
Sector Trends
- Technology — AI tools and infrastructure emerged as a primary attack surface this week, with Langflow servers mined for cryptocurrency, OpenClaw marketplace skills hijacking AI agents, chatbots leaking operational context to reconnaissance, and malware specifically designed to deceive AI analysis tools. Sources: 1, 2, 3, 4, 5
- Financial Services — Financial fraud scaled through platform compromise this week, with AEGIR redirecting 26 million search visits to fake merchandise sites and EvilTokens bypassing MFA to harvest Microsoft 365 credentials, both abusing legitimate platforms rather than building their own infrastructure. Sources: 1, 2, 3
- Government — Government organizations were among the targets of StrikeShark's exploitation of public-facing servers, reinforcing that unpatched perimeter infrastructure remains a persistent entry point for state-aligned actors. Sources: 1
Notable Incidents
- FortiBleed Global Credential Harvesting Campaign — Represents a shift from malware-based intrusion to credential pipeline attacks, harvesting real FortiGate configuration files and network captures to crack passwords and pivot into internal networks at global scale
- macOS.Gaslight Prompt-Injection Backdoor — First observed malware that embeds prompt-injection payloads specifically designed to deceive and disable LLM-assisted malware analysis tools, marking a new offensive technique against AI-augmented defenders
- OpenClaw AI Marketplace Supply Chain Attack — Demonstrates that AI agent ecosystems are now viable attack surfaces, with malicious skills using semantic instruction hijacking to bypass constraints and deploy infostealers through a trusted marketplace
- Langflow CVE-2026-33017 Cryptominer — Shows that exposed AI development infrastructure is being actively targeted, with attackers using a single RCE vulnerability to disable security controls, spread via SSH, and mine cryptocurrency