Detailed write-ups
1. Miasma Supply Chain Attack Compromises Red Hat npm Packages
A new Mini Shai-Hulud variant dubbed Miasma compromised 32+ @redhat-cloud-services npm versions on June 1 after a hijacked GitHub account pushed orphan commits that triggered OIDC-backed GitHub Actions publishing. Once installed, the worm sweeps GITHUB_TOKEN, AWS/GCP/Azure credentials, Vault and Kubernetes service-account tokens, then republishes backdoored versions across every package the compromised identity has rights to. Concrete TTPs: orphan-commit triggering of trusted-publishing workflows, OIDC token theft from runner memory, recursive republish to multiply the blast radius. IR teams should rotate any token issued from impacted publishing workflows, audit recent @redhat-cloud-services installs, and block downstream egress.
Sources: The Hacker News
2. AI-built ransomware toolkit automates EDR evasion, AD discovery
Sophos uncovered an AI-orchestrated malware lab built around a Claude Opus 4.5 coordinator agent driving Cursor IDE to generate roughly 80 Rust and Go modules, then test each against Sophos, CrowdStrike, and Microsoft Defender EDRs. Operational infra: Sliver C2, Cobalt Strike beacons disguised as web traffic, Telegram-based C2, and Cloudflare Worker proxies. The orchestration loop iterated until samples evaded the target stack, with a human-in-the-loop hardening pass at the end. Defenders should treat the toolkit as a template — expect rapid module turnover, Rust/Go-leaning binaries, and Telegram or Cloudflare Worker C2 fronts.
Sources: BleepingComputer
3. Sophos uncovers AI-powered malware lab built for EDR evasion
Companion coverage filling in the operational detail: a Ludus virtualization lab mirrors target estates, Russian-language Python orchestration scripts drive Cursor sessions, and an automated Active Directory discovery panel enumerates trusts and high-value identities before payload selection. Each generated module is funneled through a human-in-the-loop hardening workflow so the operator can promote, reject, or re-prompt. The pipeline turns frontier-model output into ready-to-deploy tooling at a pace that strains signature- and behavior-rule cadences. Hunt for Cursor or Ludus artifacts in suspected staging hosts, and look for Russian-language Python in dev-environment forensics.
Sources: Help Net Security
4. Over 116,000 Minecraft systems infected in WeedHack malware campaign
McAfee exposed WeedHack, a malware-as-a-service infostealer distributed via YouTube videos and SEO-poisoned Minecraft mods. The campaign spans 240+ URLs and 3,820 malicious JARs. The free tier steals session IDs and cookies across 36 browsers, 56 crypto add-ons, and 12 wallets; the premium tier layers a RAT with keylogger, webcam capture, and remote shell. JAR delivery, gaming-mod lure, and tiered MaaS pricing mark this as both a credential-harvest engine and a foothold for downstream operators. IR teams: hunt for unsigned Java processes spawned from user-mod directories and outbound to recently registered mod-hosting infrastructure.
Sources: BleepingComputer
5. Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android
WatchGuard and ESET document parallel campaigns. Grandoreiro (Windows banking trojan) uses DLL side-loading via four legitimate apps to target Portuguese banks; victims sit across Spain, Portugal, Mexico, and Brazil. BTMOB v4.5.5 — an Android RAT pitched as the successor to CraxsRAT/CypherRAT/SpySolr at $700/month — rides the same regions and overlaps in some lure infrastructure. Two named families, current pricing, side-loading TTPs — everything an IR or malware-analysis team needs to build YARA rules, EDR detection content, and customer-comms templates for LATAM/Iberia exposure.
Sources: The Hacker News
6. WordPress malware campaign hides payloads in Steam profiles
GoDaddy found ~1,980 WordPress sites running malware that encodes next-stage URLs into Steam Community profile comments using invisible Unicode characters. The chain is two-stage: front-end JavaScript injection retrieves the encoded URL from a chosen Steam profile, then a server-side PHP backdoor renders payloads on demand. Steam Community is a perfect dead drop — high reputation, never blocked, and trivially mutable by the actor. Detection content: outbound requests from PHP processes to steamcommunity.com profile pages, and Unicode-rich strings in WordPress option tables. Pair with #10 below for the encoding scheme and primary IOCs.
Sources: BleepingComputer
7. DAEMON Tools trojanized in supply-chain attack
Kaspersky disclosed that DAEMON Tools installers (versions 12.5.0.2421–12.5.0.2434) distributed from the legitimate signed website since April 8 carry a CRT-init backdoor. Thousands of infections span 100+ countries; forensic artifacts point to a Chinese-speaking actor. CRT-init persistence runs the backdoor inside the C runtime initialization path before main(), evading import-table and entry-point-based static checks. IR: pull installer hashes and check against the affected version band, dust off process-creation telemetry for legitimate DAEMON Tools binaries spawning unusual child processes, and treat any signed software installed in that window as suspect until validated.
Sources: BleepingComputer
8. CrowdStrike, Google, and Shadowserver dismantle GlassWorm botnet
A May 26 joint operation dismantled GlassWorm, a developer-targeting botnet running four parallel C2 channels: Solana memo transactions, BitTorrent DHT lookups, Google Calendar dead-drops, and conventional VPS infrastructure. Propagation rode trojanized OpenVSX extensions, poisoned npm and Python packages, and 300+ compromised GitHub repos. The CrowdStrike postmortem documents both the joint operation and the resilience design — multiple, fundamentally different lookup paths so seizing any one doesn’t kill the botnet. Useful as a reference architecture for the next campaign: expect Calendar, blockchain, and DHT dead-drops to keep showing up.
Sources: CrowdStrike Blog
9. New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots
ThreatFabric documents a TrickMo variant that routes C2 over TON (The Open Network), resolving .adnl endpoints through an embedded proxy. A new SOCKS5 module turns infected Android devices into fraud-traffic exit nodes, monetizing the foothold even when banking-overlay theft fails. The blockchain-network C2 path is the headline: classic DNS/IP takedowns don’t reach it, and TON addresses are cheap to rotate. Detection focus: outbound traffic to TON proxies, anomalous Android SOCKS5 listeners, and unusual mobile-device patterns in fraud-network exit logs. Expect the TON C2 pattern to spread beyond TrickMo.
Sources: Security Affairs
10. WordPress Malware Abuses Steam Community Profiles for C2 (technical writeup)
GoDaddy’s primary-source analysis on the Steam-profile dead-drop campaign — full IOCs, the invisible-Unicode encoding scheme mapping zero-width characters to URL bytes, the hello-mywordl[.]info delivery domain, and the PHP backdoor artifacts. The encoding makes manual triage hard (the comments look empty) but it’s deterministic: a small regex on zero-width spaces, joiners, and direction marks decodes the C2 URL. Pair with #6 above; use this writeup to build the parser, then sweep WordPress fleets for the backdoor artifacts.
Sources: GoDaddy Security Blog
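Triage logic of the kind items #6 and #10 call for, as an added example that is not GoDaddy's parser or the campaign's real scheme: it finds runs of zero-width/direction-mark characters in scraped text and decodes them under an assumed 2-bit mapping (ZWSP/ZWNJ/ZWJ/LRM), so the mapping, the `dead-drop.invalid` URL and the sample comment are all constructed for illustration.

```python
import re

# Assumed 2-bit alphabet for the constructed sample. This is NOT the campaign's
# documented scheme; swap in the mapping from GoDaddy's writeup before real use.
ZW_ALPHABET = {"\u200b": 0, "\u200c": 1, "\u200d": 2, "\u200e": 3}  # ZWSP, ZWNJ, ZWJ, LRM
ZW_CLASS = "[\u200b-\u200f\u2060\ufeff]"  # zero-width spaces/joiners, direction marks, BOM
ZW_RUN = re.compile(ZW_CLASS + "{8,}")     # long enough to carry at least two bytes


def find_zero_width_runs(text):
    """Return (offset, run) for every suspicious run of invisible characters."""
    return [(m.start(), m.group()) for m in ZW_RUN.finditer(text)]


def decode_run(run):
    """Decode a run under the assumed mapping: four symbols -> one byte, MSB first."""
    digits = [ZW_ALPHABET[c] for c in run if c in ZW_ALPHABET]
    digits = digits[: len(digits) - len(digits) % 4]  # drop a trailing partial byte
    out = bytearray()
    for i in range(0, len(digits), 4):
        out.append((digits[i] << 6) | (digits[i + 1] << 4) | (digits[i + 2] << 2) | digits[i + 3])
    return out.decode("utf-8", errors="replace")


def triage_comment(text):
    """Return (offset, url) for every invisible run that decodes to an http(s) URL."""
    hits = []
    for offset, run in find_zero_width_runs(text):
        decoded = decode_run(run)
        if re.match(r"https?://", decoded):
            hits.append((offset, decoded))
    return hits


def build_constructed_sample(url):
    """Build a test comment carrying `url` in invisible characters (constructed input only)."""
    inv = {v: k for k, v in ZW_ALPHABET.items()}
    payload = "".join(inv[(b >> s) & 3] for b in url.encode() for s in (6, 4, 2, 0))
    return "gg ez" + payload + " :)"


if __name__ == "__main__":
    sample = build_constructed_sample("http://dead-drop.invalid/s")
    print(repr(sample))          # the comment "looks" empty apart from "gg ez :)"
    print(triage_comment(sample))
```

Run the same `triage_comment` over `wp_options` values and scraped profile comments; any run that decodes to a URL is worth a closer look even if the visible text is innocuous.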
11. PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
A critical authentication bypass in Palo Alto PAN-OS GlobalProtect lets unauthenticated attackers forge auth cookies to obtain VPN access. Rapid7 MDR reports in-the-wild exploitation from May 17 onward. Hunt for “Cookie” auth-method logins from previously unseen IPs, anomalous geos for known users, and rapid session creation followed by lateral RDP/SSH. See item 16 for log-line examples (spoofed MAC, GP-CLIENT user agent) and concrete SIEM search strings. Patch and rotate any sessions established during the exposure window.
Sources: The Hacker News
12. Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation
CISA added CVE-2026-6973 (Ivanti Endpoint Manager Mobile authenticated RCE) to the KEV catalog with a 3-day remediation deadline. Harvested admin credentials link this campaign to the earlier CVE-2026-1340 activity, suggesting the same actor cluster is pivoting through stale EPMM admin sessions. No reliable atomic IOCs — build behavioral analytics around EPMM admin actions: bulk policy edits, unexpected MDM-payload pushes, and command shells spawned from EPMM service accounts. Treat EPMM admin credentials issued during the exposure window as compromised.
Sources: Help Net Security
13. How Storm-2949 turned a compromised identity into a cloud-wide breach
Microsoft Threat Intelligence details a no-malware identity-driven campaign by Storm-2949. The chain abuses Entra ID Self-Service Password Reset and MFA fatigue to take over identities, then pivots across M365, OneDrive, SharePoint, and Azure resources. There is no implant to find — only behavior. KQL content priorities: SSPR events from unusual networks, MFA prompt bursts, post-authentication enumeration of OneDrive/SharePoint, and Azure portal sessions from non-standard ASNs. Conditional Access policies covering SSPR risk and impossible travel are the structural fixes.
Sources: Microsoft Security
14. Drupal Core SQL Injection (CVE-2026-9082) Actively Exploited, Added to KEV
A critical PostgreSQL-specific SQLi in Drupal Core was added to KEV in under two days. Imperva observed 15,000+ attack attempts against ~6,000 sites in 65 countries. Mass-exploitation against a public-facing CMS implies many low-effort foothold opportunities for opportunistic actors and follow-on web-shell drops. Defenders: confirm patch level on every Drupal property, audit recent database errors and unusual queries against PostgreSQL backends, and watch for newly created admin accounts or modified node/users_field_data rows.
Sources: The Hacker News
15. Unidentified RAT pushes NetSupport RAT (SmartApeSG ClickFix)
SANS ISC reports a May 27 infection where an unidentified RAT (C2 at 89.110.110.119:443) delivered a NetSupport Manager RAT package via a SmartApeSG ClickFix fake-CAPTCHA chain. The TTP analysts should pull out: mshta invoked from clipboard contents the user pasted after a ClickFix prompt. Detection content: mshta.exe with non-file arguments, suspicious clipboard-write events followed by mshta or wscript launches, and outbound to the listed IP. The ClickFix lure remains one of the most productive initial-access patterns going into Q3.
Sources: SANS ISC Diary
16. Hackers exploiting Palo Alto GlobalProtect VPN authentication bypass (CVE-2026-0257)
Companion to #11 with the operational SIEM/EDR content: Rapid7 MDR observations and concrete log-line examples showing the Cookie auth method, a spoofed MAC address, and the GP-CLIENT user agent on forged sessions. Plug these into your hunt queries directly — particularly anything that pairs auth-method="Cookie" with first-time-seen client IPs or unusual GP-CLIENT versions. Detection should also alert on Cookie-auth sessions arriving from countries or ASNs outside the user’s baseline.
Sources: Help Net Security
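The hunt described in #11 and #16 as an added example, not Rapid7's or Palo Alto's own content: it baselines each user's seen source IPs and countries from older events, then flags Cookie-auth logins that pair with a first-seen IP, an out-of-baseline country, or the GP-CLIENT user agent. The key=value line format, field names and all IPs/users are constructed; map real PAN-OS GlobalProtect fields into `parse_event` before use.

```python
import re
from collections import defaultdict

# Constructed events in an assumed key=value layout (real GlobalProtect logs differ).
HISTORY = [
    "ts=2026-05-10T08:01:00Z user=alice auth_method=LDAP src_ip=203.0.113.10 country=DE ua=PanGPS/6.2.0",
    "ts=2026-05-11T08:03:00Z user=alice auth_method=LDAP src_ip=203.0.113.10 country=DE ua=PanGPS/6.2.0",
    "ts=2026-05-12T07:55:00Z user=bob auth_method=LDAP src_ip=198.51.100.7 country=DE ua=PanGPS/6.2.0",
]
NEW_EVENTS = [
    "ts=2026-05-18T02:14:00Z user=alice auth_method=Cookie src_ip=192.0.2.55 country=RU ua=GP-CLIENT/1.0",
    "ts=2026-05-18T09:00:00Z user=bob auth_method=Cookie src_ip=198.51.100.7 country=DE ua=PanGPS/6.2.0",
    "ts=2026-05-18T09:10:00Z user=bob auth_method=LDAP src_ip=192.0.2.9 country=FR ua=PanGPS/6.2.0",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    return dict(KV.findall(line))


def build_baseline(lines):
    """Per-user sets of previously seen source IPs and countries."""
    ips, countries = defaultdict(set), defaultdict(set)
    for ev in map(parse_event, lines):
        ips[ev["user"]].add(ev["src_ip"])
        countries[ev["user"]].add(ev["country"])
    return ips, countries


def hunt_cookie_auth(lines, baseline):
    """Flag Cookie-auth logins; legitimate cookie re-auth from a known IP/country is left alone."""
    ips, countries = baseline
    findings = []
    for ev in map(parse_event, lines):
        if ev.get("auth_method") != "Cookie":
            continue
        reasons = []
        if ev["src_ip"] not in ips[ev["user"]]:
            reasons.append("first-seen src_ip")
        if ev["country"] not in countries[ev["user"]]:
            reasons.append("country outside baseline")
        if ev["ua"].startswith("GP-CLIENT"):
            reasons.append("GP-CLIENT user agent")
        if reasons:
            findings.append((ev["user"], ev["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for finding in hunt_cookie_auth(NEW_EVENTS, build_baseline(HISTORY)):
        print(finding)
```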
17. As AI speeds coding, CVE Lite CLI keeps security deliberately AI-free
CSO profiles CVE Lite CLI, a new analyst tool that takes a deliberately AI-free stance, citing reliability and trust concerns — specifically the cost of hallucinated CVE detail in a workflow where ground truth matters. The piece is useful as a counter-current reference point for malware analysts whose toolchain is otherwise going agentic: deterministic, signal-stable CVE handling at the CLI is still a viable choice and worth citing when asked to justify model-free links in the analysis pipeline.
Sources: CSO Online
18. Russia-aligned crime group Greyvibe extensively uses AI in attacks
CSO covers Greyvibe, a Russia-aligned crime crew making extensive use of AI across attack tradecraft — phishing generation, credential-theft staging, and translation/localization. The piece highlights operational shortcuts that produce traceable telltale signatures — reused prompt-shaped phrasing, consistent translation artifacts, and timestamp/locale slips that betray the toolchain. Threat-hunters can build clustering on the language artifacts even before binary IOCs land. Useful actor profile to pair with the Sophos lab finding: AI-assisted offensive operations leave fingerprints when the operator skips OPSEC.
Sources: CSO Online
19. The Gentlemen are coming for your files — and then your network
CSO profiles The Gentlemen, a ransomware group running a textbook double-extortion playbook — data theft first, then lateral movement to network-wide encryption. Victim profile and TTPs are conventional but well-executed: phishing or stolen creds for initial access, off-the-shelf RMM for persistence, AD enumeration, archive-and-exfil before locker detonation. IR teams should treat the group as a likely customer of initial-access brokers; once The Gentlemen surface in the environment, the original initial-access compromise is likely several weeks old. Hunt for archive utilities running on unexpected hosts, unusual outbound to cloud storage, and the RMM tools commonly chosen by the cluster.
Sources: CSO Online
20. Meet Greyvibe, the Russia-linked group using AI to target Ukraine
Security Affairs companion to #18 with Ukraine-focused detail: AI-assisted phishing and credential theft, but also explicit rookie OPSEC mistakes — reused infrastructure, leaked development artifacts, and language slips that ease attribution. The piece is particularly useful for hunters building “cheap and dirty” clustering rules: when AI accelerates an operator who lacks discipline, telltale infrastructure reuse is the soft spot. Combine with the CSO write-up (#18) and the Sophos lab finding (#2/#3) for a full picture of AI-in-the-loop crime tradecraft going into Q3.
Sources: Security Affairs