NEW#0834
Recorded Future6 days ago10 min▣LLM reporthigh Recorded Future's Insikt Group evaluates Mexico's newly published 2025-2030 National Cybersecurity Plan, assessing it against the country's actual threat landscape from 2020-2026. Ransomware is the dominant threat with 223 documented incidents across 64 groups, while financial malware (Mispadu, Grandoreiro, Casabaneiro, Fenix botnet), state-sponsored espionage (TAG-141/FamousSparrow, TGR-STA-1030), hacktivism (Chronus Team, Guacamaya), and organized crime-linked money laundering via Chinese networks compound the risk. The 2026 FIFA World Cup will be an early operational test of Mexico's cyber resilience.
NEW#0833
Recorded Future6 days ago14 min▣LLM reporthigh Insikt Group identified new infrastructure used by the TAG-182 threat cluster to disseminate MarkiRAT surveillance malware targeting Farsi-speaking users, particularly Iranians, via fake VPN and media player applications distributed through social media. TAG-182 demonstrates tradecraft overlaps with Ferocious Kitten, including identical BITS job command strings and similar domain naming conventions. The operation supports Iranian government surveillance objectives, with infrastructure spanning multiple hosting providers and dozens of lookalike domains impersonating legitimate services.
NEW#0832
Palo Alto Networks6 days ago13 min▣LLM reporthigh CL-STA-1062, a Chinese-speaking threat cluster assessed to be the same as UAT-7237, has compromised Southeast Asian government and critical energy infrastructure entities throughout 2025 using web shell deployment, MSSQL data exfiltration, and open-source tunneling tools (SoftEther VPN, VNT, yuze). The group has introduced TinyRCT, a previously undocumented .NET backdoor delivered via AppDomainManager Injection (malicious chrome_setup.zip), which uses AES-CBC encrypted HTTP C2, sandbox-evasion path checks, scheduled-task persistence disguised as legitimate updater services, and a self-destruct routine using choice.exe for anti-forensic file deletion.
NEW#0831
Palo Alto Networks6 days ago13 min▣LLM reporthigh Unit 42 researchers identified 'phantom squatting,' a novel supply chain attack vector where adversaries register web domains that LLMs consistently hallucinate for legitimate brands. By proactively mapping LLM hallucination patterns across 913 brands and 2.1 million generated URLs, researchers identified 13,229 confirmed malicious URLs and ~250,000 unregistered phantom domains. Real-world cases — including the Montana Empire phishing kit built with an AI coding assistant — demonstrate that adversaries independently converge on the same hallucinated domains, with detection lead times of 18–51 days. The threat exploits a structural, unpatchable property of LLM architectures and bypasses reputation-based defenses through zero-reputation newly registered domains.
NEW#0830
Microsoft6 days ago12 min▣LLM reporthigh StealC is a C++ malware-as-a-service infostealer that harvests credentials, cookies, and session tokens from browsers, email clients, crypto wallets, and gaming platforms, using APC injection to bypass Chromium App-Bound Encryption. Amadey is a modular MaaS loader that delivers StealC and other payloads through a rich backdoor command set including process injection, SOCKS proxying, RDP enablement, and hidden admin account creation. Microsoft DCU disrupted over 200 C2 domains and IPs associated with both threats in a coordinated action with Europol on June 24, 2026.
NEW#0829
Mandiant6 days ago11 min▣LLM reportcritical Mandiant identified a threat actor exploiting zero-day CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to escalate privileges from a compromised administrative account to root-level access via a malicious CSV file upload. The intrusion began with rogue peering connections, potentially leveraging CVE-2026-20127 or CVE-2026-20182, followed by SSH access using the vmanage-admin account, password manipulation of the admin account, and ultimately root access through a crafted evil_tenant.csv payload that modified /etc/passwd and /etc/shadow. The threat actor employed extensive anti-forensic techniques including file deletion, configuration restoration, and validation script execution to purge indicators.
NEW#0828
Mandiant6 days ago14 min▣LLM reporthigh Google Threat Intelligence Group analyzed STOCKSTAY, a modular .NET backdoor developed and operated by Turla since late 2022, which uses a WebSocket-based C2 channel, RSA/AES encrypted communications, and IPC via WM_COPYDATA between its downloader, orchestrator, tunneler, and backdoor components. STOCKSTAY exhibits strong code, architectural, and obfuscation (K1MORPHER) overlaps with KAZUAR, suggesting a shared development team, and has been deployed via phishing (malicious RDP files, HTA lures) and, most recently, exploitation of CVE-2025-8088 in WinRAR to target Ukrainian military personnel. The actor leverages legitimate hosting platforms (Render, Glitch, GitHub) and compromised third-party/government infrastructure to obscure C2 infrastructure and complicate attribution.
NEW#0827
Mandiant6 days ago11 min▣LLM reportmedium Google Threat Intelligence Group analyzes the evolution of the pro-Russia influence ecosystem four years into the full-scale invasion of Ukraine, identifying a pivot from war-focused operations back to global strategic objectives targeting the West, NATO, and the EU. The ecosystem comprises six interconnected components — overt media, covert IO campaigns, hacktivism, cyber espionage, government direction, and outsourced proxies — that cross-promote and amplify narratives. Key trends include the increasing use of generative AI for content creation, the blending of cyber espionage with influence operations via hack-and-leak tactics, and the outsourcing of capability development to contractors like NTC Vulkan for plausible deniability.
NEW#0826KKaspersky6 days ago12 min▣LLM reporthigh ToddyCat APT developed a tool called Umbrij that automates the theft of Google OAuth authorization codes by launching Chromium-based browsers in headless mode with remote debugging ports enabled. The tool copies the victim's browser profile to a backup directory, launches the browser invisibly with the stolen session, and uses Puppeteer Sharp to automate the Google OAuth consent flow using legitimate Google Workspace Migration/Sync client IDs. The resulting authorization code is exfiltrated and exchanged for an access token, enabling API-level access to the victim's Gmail, Drive, Calendar, and Contacts without traditional credential theft.
NEW#0825KKaspersky6 days ago11 min▣LLM reporthigh OpenClaw, a widely adopted AI agent ecosystem with a skill marketplace called ClawHub, is being actively abused by attackers who publish malicious skills containing embedded shell commands or harmful natural-language instructions. Approximately 530 vulnerabilities have been discovered in OpenClaw and its underlying technologies, many involving sensitive data storage and excessive privileges. Kaspersky identified over 600 malicious skills from 24 accounts in April, with 1,100+ malicious accounts created since January. Malicious skills observed include macOS payloads using base64-encoded curl-pipe-to-bash execution and Windows MSI installers distributed via password-protected ZIP archives.
NEW#0824KKaspersky6 days ago14 min▣LLM reporthigh A large-scale campaign abuses the legitimate ScreenConnect remote management tool, distributed via 90+ spoofed freeware download sites using SEO poisoning, to silently deploy AsyncRAT. The attack uses DLL sideloading via a Microsoft-signed install.exe binary, followed by a multi-stage loader chain involving PowerShell and VBScript scripts that disable Defender, bypass UAC, and ultimately inject AsyncRAT into RegAsm.exe via process hollowing. The campaign targets both consumers and corporate networks across multiple languages and regions.
NEW#0823
Infoblox6 days ago14 min▣LLM reporthigh Infoblox Threat Intel has identified over 236,000 scam domains built on the Chinese open-source DCloud Uni-App framework, constituting a massive decentralized scam economy spanning fake crypto exchanges, wallet drainers, gambling sites, and investment frauds. The framework's default build fingerprints enable large-scale identification of malicious sites, though sophisticated operators strip these signatures and migrate to bulletproof hosting (primarily AS152194 CTG Server). Active scams like Yuechi Sharing Technology Ltd. demonstrate evolution toward weaponizing genuine government registrations (FinCEN MSB, Hong Kong Companies Registry) as legitimacy props. Enterprise exposure is substantial, with 985 customers generating 5M+ DNS queries to scam infrastructure, primarily through employee personal device usage.
NEW#0822
Huntress6 days ago9 min▣LLM reporthigh The article details two evolving social engineering techniques: ClickFix, which tricks users into pasting and executing attacker-supplied PowerShell commands via fake prompts, and ConsentFix, which abuses Microsoft 365 OAuth consent flows by manipulating users into dragging a localhost callback link into the browser to capture session tokens. A complete ConsentFix playbook with working code was publicly shared on a Russian cybercrime forum, enabling widespread adoption. Both techniques bypass traditional security controls by exploiting user muscle memory and legitimate platform infrastructure.
NEW#0821
Huntress6 days ago10 min▣LLM reporthigh Huntress demonstrated that a standard Microsoft 365 user with no admin privileges can be escalated to Global Administrator in under six minutes by exploiting common identity misconfigurations — specifically, an over-privileged service account owning an enterprise application, lack of MFA enforcement, and standard users being permitted to access the Azure portal. Analysis of 12,000+ M365 tenants revealed that over 60% were missing at least half of recommended security controls, with MFA gaps, over-privileged accounts, and admin restriction failures being the most prevalent issues. The article argues that continuous, automated identity posture management is essential because configuration drift creates exploitable windows far shorter than the 24-hour scan cycles of traditional tools.
NEW#0820
ESET6 days ago16 min▣LLM reporthigh ESET Research contributed to Operation Endgame, a coordinated global disruption targeting the Amadey botnet and Stealc infostealer MaaS ecosystems. The operation seized or rendered inoperative approximately 50 domains and nearly 200 active IP-based C&C servers. ESET provided technical analysis, C&C server lists, RC4 encryption keys, campaign/build identifiers, and clustering methodology based on long-term tracking of both malware families. The fragmented, affiliate-operated infrastructure model used by both services required advanced graph-based clustering of RC4 keys, build IDs, and C&C URL paths to identify high-priority targets for disruption.
NEW#0819
ESET6 days ago12 min▣LLM reporthigh Gamaredon, a Russia-aligned APT group attributed to the FSB, maintained high operational tempo throughout 2025 with 35 spearphishing campaigns exclusively targeting Ukrainian government and military institutions. The group introduced six new PowerShell tools, resurrected the PteroSetup VBScript weaponizer for lateral movement, and began abusing CVE-2025-8088 (WinRAR) for persistence via the Startup folder. A significant infrastructure evolution occurred: C&C servers are now hidden behind tunnel services (Cloudflare tunnels, Cloudflare workers, Microsoft devtunnels, Loophole) and dead-drop resolutions on legitimate platforms (Telegram, Telegra.ph, Rentry, GoFile, Dropbox, and others), while stolen data is exfiltrated to S3-compatible cloud storage (Wasabi, Tebi, Intercolo) rather than attacker-owned servers.
NEW#0818
Canadian Centre for Cyber Security6 days ago6 min▣LLM reportcritical The Canadian Centre for Cyber Security published a daily advisory digest on 2026-06-30 covering four security advisories for SimpleHelp, wolfSSL, Mozilla Firefox, and Citrix NetScaler ADC/Gateway. The most urgent item is CVE-2026-48558 in SimpleHelp, which has been added to CISA's KEV Database, indicating active exploitation. Citrix NetScaler ADC and Gateway also have multiple critical vulnerabilities across versions 13.1 and 14.1 that require immediate attention.
NEW#0817
Canadian Centre for Cyber Security6 days ago7 min▣LLM reporthigh The Canadian Centre for Cyber Security published a daily advisory digest on 2026-06-29 containing 8 security advisories covering Ubuntu, Red Hat, CISA ICS, Dell, IBM, Microsoft Edge, Oracle, and Apple products. The most critical item is Oracle CVE-2026-46817, which open-source reporting indicates is being actively exploited, affecting Oracle Database Server, E-Business Suite, Communications Unified Assurance, Hospitality OPERA 5, and REST Data Services. Organizations should prioritize patching Oracle products and review all applicable advisories for their environment.
NEW#0816
CrowdStrike6 days ago7 min▣LLM reportmedium The rapid deployment of AI agents in enterprises creates an identity problem: OAuth access tokens (RFC 9068) lack standardized fields to represent agent instance identity, the user on whose behalf an agent acts, and the delegation relationship between them. This gap can lead to coarse-grained authorization, over-privileged access, and the confused deputy problem in transitive agent call chains. The article calls for industry standardization of this identity context within or adjacent to OAuth tokens.
NEW#0815
Canadian Centre for Cyber Security6 days ago4 min▣LLM reportmedium The Canadian Centre for Cyber Security issued advisory AV26-634 referencing a Google Chrome security advisory published on June 25, 2026. The advisory addresses vulnerabilities in Chrome for Desktop Stable Channel on Windows, Mac, and Linux. No specific CVE IDs, exploit details, or threat actor attribution were included in the digest; the primary action is to apply Chrome updates when available.