#0677
Sekoia.ioabout 1 month ago6 min▣LLM reporthigh Gamaredon, a Russia-nexus threat actor, utilizes a multi-stage VBScript loader framework named GammaLoad to establish persistent access and deploy subsequent payloads like GammaSteel. The infection chain leverages Dead Drop Resolvers on legitimate platforms, stores C2 configurations in the Windows Registry, and uses Alternate Data Streams (ADS) combined with Scheduled Tasks for stealthy execution.
#0676KKasperskyabout 1 month ago7 min▣LLM reporthigh A newly discovered malware campaign dubbed Argamal targets users downloading adult games, utilizing DLL sideloading and COM hijacking to deploy a sophisticated Remote Access Trojan (RAT). The malware establishes persistence by hijacking the Windows Color System Calibration Loader and grants attackers full system control, including surveillance, file exfiltration, and arbitrary command execution.
#0675
Socketabout 1 month ago7 min▣LLM reporthigh A targeted supply chain attack attributed to Famous Chollima compromised a development branch of the legitimate PHP package 'roberts/leads' on Packagist. The attackers injected an obfuscated JavaScript loader into a tailwind.js configuration file, which utilizes blockchain RPC infrastructure as a dead drop to retrieve and execute secondary payloads like DEV#POPPER RAT, likely as part of a Contagious Interview developer lure.
#0674
Huntressabout 1 month ago5 min▣LLM reportmedium Researchers disclosed an unpatched NTLM coercion vulnerability in the Windows search: URI handler that allows attackers to steal Net-NTLMv2 hashes via a malicious link or command execution. Despite sharing the same severity and underlying mechanism as a recently patched Snipping Tool vulnerability (CVE-2026-33829), Microsoft declined to service this flaw. Defenders must rely on environmental mitigations like blocking outbound SMB and restricting NTLM traffic to prevent exploitation.
#0673
CISAabout 1 month ago3 min▣LLM reporthigh CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include CVE-2022-0492, a Linux Kernel improper authentication vulnerability, and CVE-2025-48595, an Android Framework integer overflow vulnerability, citing evidence of active exploitation in the wild.
#0672
CISAabout 1 month ago4 min▣LLM reporthigh CISA and partner agencies have observed unattributed malicious cyber activity targeting internet-exposed Automatic Tank Gauge (ATG) systems across multiple U.S. critical infrastructure sectors. Threat actors are leveraging authentication bypass, hardcoded credentials, and command execution vulnerabilities to gain administrative control, enabling them to manipulate tank parameters, disable safety alerts, and create denial-of-view conditions.
#0671
SentinelOneabout 1 month ago4 min▣LLM reporthigh ESET researchers presented evidence of a 2025 espionage alliance between Russian state-aligned actors Gamaredon and Turla targeting Ukraine. Gamaredon utilized its lightweight custom tooling, including PteroGraphin and PteroOdd, to deploy Turla's Kazuar backdoor and maintain persistence for Turla's advanced espionage operations.
#0670
Recorded Futureabout 1 month ago6 min▣LLM reporthigh Iran's Ministry of Intelligence (MOIS) has expanded its 'Handala' operational brand to encompass physical threats and influence operations alongside its established cyber hacktivism. By coordinating personas like Handala Hack Team, HPRF, and VIPEmployment, MOIS leverages global brand recognition to solicit proxies via Telegram for espionage, sabotage, and physical attacks against US and Israeli interests. This multidomain approach combines cyber intrusions with real-world intimidation tactics.
#0669
Canadian Centre for Cyber Securityabout 1 month ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest highlighting security updates for Samsung mobile devices, Android devices, and HP Poly voice products. Notably, the Android June 2026 monthly rollup addresses CVE-2025-48595, which is reportedly under limited, targeted exploitation.
#0668
Arctic Wolfabout 1 month ago6 min▣LLM reporthigh The operators behind the Kali365 Phishing-as-a-Service (PhaaS) kit have expanded their infrastructure to target a wider array of services, including Microsoft 365, Okta, and Russia's MAX Messenger. The threat actors utilize OAuth 2.0 device authorization grant abuse and fake prize-claim lures to bypass MFA and exfiltrate credentials via Telegram.
#0667
Sophosabout 1 month ago5 min▣LLM reporthigh Sophos researchers uncovered a threat actor utilizing AI-native development tools, specifically the Cursor IDE and Claude Opus, to build and iteratively test a post-exploitation framework designed to evade major EDR solutions. The framework automates the ingestion of public security research to generate and refine custom Rust and Go payloads, ultimately supporting ransomware and data theft operations.
#0666
Palo Alto Networksabout 1 month ago7 min▣LLM reporthigh Operation FlutterBridge is a widespread macOS malvertising campaign operated by the CL-CRI-1089 threat cluster, delivering a novel Flutter-based backdoor dubbed FlutterShell. The malware utilizes a dynamic WebView-based JavaScript-to-native bridge to execute arbitrary commands, hijack Google Chrome for adware revenue, and exfiltrate data, all while masquerading as legitimate, Apple-notarized applications.
#0665KKasperskyabout 1 month ago4 min▣LLM reportmedium A wardriving assessment across three Mexican host cities for the 2026 World Cup revealed significant wireless security risks, including high rates of vulnerable WPS configurations on otherwise secure WPA2/WPA3 networks. The prevalence of open networks, default SSID naming conventions, and BSSID exposure increases the attack surface for passive reconnaissance, rogue access point deployment, and adversary-in-the-middle attacks.
#0664
ANY.RUNabout 1 month ago6 min▣LLM reporthigh JS.MonoGlyphRAT is a newly identified, highly obfuscated JavaScript backdoor targeting US enterprises via phishing. It establishes persistence, communicates over HTTP using custom headers, and acts as a loader capable of executing AES-encrypted payloads, PowerShell commands, and in-memory .NET assemblies while bypassing AMSI.
#0663RReversinglabsabout 1 month ago9 min▣LLM reportcritical A coordinated supply chain attack compromised the @redhat-cloud-services npm scope, resulting in the automated publication of 32 backdoored packages. The malware utilizes a sophisticated three-layer obfuscation pipeline to drop a credential stealer that targets cloud and CI/CD secrets, exfiltrates data via the GitHub API, and possesses worm-like self-propagation capabilities.
#0662
CISAabout 1 month ago4 min▣LLM reporthigh CISA released an advisory detailing multiple vulnerabilities in Danelec's MacGregor Voyage Data Recorder (VDR) G4e devices, including default and hard-coded credentials, weak password hashing, and insecure file access. Exploitation of these flaws could allow an attacker on an adjacent network to gain full administrator access to the affected transportation sector devices. Danelec has released firmware version V5.250 to address these vulnerabilities.
#0661
CISAabout 1 month ago3 min▣LLM reporthigh CISA has added CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.
#0660
Trend Microabout 1 month ago5 min▣LLM reportcritical At Pwn2Own Berlin 2026, security researchers demonstrated 47 unique zero-day vulnerabilities across AI platforms and traditional enterprise software. Notable exploits included root-level code execution in AI agents via trust boundary failures, a SYSTEM-level RCE in Microsoft Exchange, a pre-authentication RCE in SharePoint, and a cross-tenant guest-to-host escape in VMware ESXi.
#0659
Elastic Security Labsabout 1 month ago6 min▣LLM reporthigh PHANTOMPULSE is a sophisticated RAT attributed to DPRK-aligned actors that utilizes hardware breakpoints to bypass AMSI, WLDP, and ETW. It establishes a resilient, sinkhole-able command and control channel by resolving C2 URLs from blockchain transaction inputs and employs multiple process injection and UAC bypass techniques.
#0658
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security published a daily digest of nine security advisories covering critical updates for major vendors including Microsoft, IBM, Dell, Ubuntu, Red Hat, Ivanti, and Plesk. Notably, the digest highlights that CVE-2026-41089, a Windows Netlogon Remote Code Execution vulnerability, is actively being exploited in the wild.