Skip to content

CyberSecurity Institute

Security News Curated from across the world

Menu
Menu

Malware Analysis Weekly — June 7, 2026

Posted on June 6, 2026June 14, 2026 by admini
Malware Analysis Weekly · June 14, 2026 · Weekly Edition

Malware Analysis Weekly

Families, campaigns, TTPs, and IOCs from the field · for malware analysts and IR teams

At a glance

This week was defined by actively exploited zero-days stacking up across the edge and the endpoint. Google shipped Chrome 149 to close a V8 out-of-bounds read/write (CVE-2026-11645, CVSS 8.8) already exploited in the wild — the fifth Chrome zero-day of 2026. A critical IKEv1 auth-bypass in Check Point Remote/Mobile Access VPN (CVE-2026-50751, CVSS 9.3) has been abused by a Qilin ransomware affiliate since May 7 and landed in CISA’s KEV with a June 11 deadline. Cisco disclosed its seventh SD-WAN zero-day of 2026 (CVE-2026-20245) — an unpatched root-privilege flaw in Catalyst SD-WAN Manager with confirmed config-pushing in the wild — and a public PoC named RoguePlanet (CVE-2026-47281, CVSS 9.6) turns a Microsoft Defender race condition into SYSTEM on fully patched Windows.

Law enforcement kept the pressure on ransomware’s support economy. Europol’s June 10 takedown dismantled “AudiA6,” a crypto-laundering service that moved ~€336M through 6,000+ mule accounts and is tied to 15+ ransomware investigations. Separately, Ukrainian national Oleksii Lytvynenko pleaded guilty to wire-fraud conspiracy for his role in the Conti operation, with sentencing set for September 10.

On the delivery side, the supply-chain and web-delivery threads stayed loud. The Miasma npm worm (Shai-Hulud lineage) compromised 32 @redhat-cloud-services packages via a preinstall hook to sweep cloud and CI/CD secrets and republish itself, while the new DriveSurge initial-access-broker operation hijacked thousands of sites and routed victims through a zTDS traffic-distribution system into ClickFix/FakeUpdates on Windows and macOS. Intel 471 framed a June surge in APT activity against critical sectors. For foundational context this week: Dutch police dismantled a 17-million-device botnet behind the Asocks residential-proxy network, Operation Saffron took down the bulletproof “First VPN” used by 25+ ransomware groups, and Unit 42 detailed Iranian APT Screening Serpens’ six new RAT variants.

Topic map — families, actors, CVEs, and how they intersect

Named entities extracted from this week’s 12 malware-analysis articles — threat actors, malware families, CVEs, vendors, researchers, and the campaigns or themes connecting them.

Topic map for malware analysis

This week clusters around actively exploited zero-days across Chrome (CVE-2026-11645), Check Point VPN (CVE-2026-50751), Cisco SD-WAN (CVE-2026-20245), and Microsoft Defender (RoguePlanet, CVE-2026-47281); ransomware takedowns and prosecutions (Europol’s AudiA6 laundering bust, the Conti guilty plea); and supply-chain and web-delivery campaigns (the Miasma npm worm and the DriveSurge ClickFix/FakeUpdate operation) — set against an Intel 471-reported surge in APT activity and foundational botnet, bulletproof-VPN, and Iranian-APT takedowns and analysis.

Article index

Actively exploited zero-days & critical CVEs

In-the-wild browser RCE, edge-VPN auth bypass tied to a ransomware affiliate, unpatched network-infrastructure exploitation, and a SYSTEM-level local privilege-escalation PoC.

# Article Source Date
1 Chrome V8 zero-day CVE-2026-11645 exploited in the wild — patch now The Hacker News Jun 9
2 Check Point VPN zero-day exploited in Qilin ransomware attacks (CVE-2026-50751) SecurityWeek Jun 8
3 Cisco warns of 7th SD-WAN zero-day exploited in 2026 (CVE-2026-20245) SecurityWeek Jun 5
4 Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM access on patched Windows (CVE-2026-47281) The Hacker News Jun 10

Ransomware & law-enforcement actions

Disruption of the criminal financial infrastructure underpinning ransomware, and a prosecution milestone against a major ransomware operation.

# Article Source Date
5 Europol disrupts ‘AudiA6’ crypto-laundering service used by ransomware gangs The Hacker News Jun 12
6 Ukrainian national pleads guilty to role in Conti ransomware operation BleepingComputer Jun 12

Supply-chain & web-delivery campaigns

A self-propagating npm worm sweeping CI/CD secrets, an initial-access-broker TDS pushing ClickFix/FakeUpdates, and a threat-landscape frame tying active APT campaigns together.

# Article Source Date
7 Miasma: supply-chain worm compromises 32 Red Hat npm packages Wiz blog Jun 3
8 New DriveSurge threat actor hijacks thousands of sites for ClickFix/FakeUpdate attacks Dark Reading Jun 2
9 Global cyber-threat campaigns escalate as APT groups target critical sectors (Intel 471) Industrial Cyber Jun 2026

APT & botnet takedowns (foundational)

Refreshed each week — a massive residential-proxy botnet seizure, a bulletproof-VPN takedown serving 25+ ransomware groups, and deep Iranian-APT malware-family analysis.

# Article Source Date
10 Dutch police dismantle 17-million-device botnet (Asocks residential proxy) SecurityWeek May 28
11 First VPN dismantled in global takedown over use by 25 ransomware groups (Operation Saffron) The Hacker News May 19
12 Tracking Iranian APT Screening Serpens’ 2026 espionage campaigns Unit 42 May 22

Detailed write-ups

1. Chrome V8 zero-day CVE-2026-11645 exploited in the wild — patch now

Google patched a V8 out-of-bounds read/write zero-day (CVE-2026-11645, CVSS 8.8) that is being actively exploited in the wild — the fifth Chrome zero-day of 2026. The fix shipped in Chrome 149 stable on June 8. This is an in-the-wild browser RCE primitive, so it’s a confirm-the-rollout item first: validate that managed fleets have moved to 149, force-restart browsers to apply the update, and don’t forget Chromium-based downstreams. Then hunt for exploitation artifacts — renderer crashes, unexpected child processes spawned from chrome.exe, and post-exploitation download/execute chains following web visits.

Read the article

Sources: The Hacker News

2. Check Point VPN zero-day exploited in Qilin ransomware attacks (CVE-2026-50751)

A critical IKEv1 authentication bypass (CVE-2026-50751, CVSS 9.3) in Check Point Remote/Mobile Access VPN has been exploited since May 7 by a Qilin ransomware affiliate. CISA added it to KEV on June 9 with a June 11 patch deadline. This is an active-exploit CVE tied directly into a ransomware intrusion chain, so treat exposed gateways as priority-zero: apply the vendor fix immediately, review remote-access logs for anomalous IKEv1 negotiations and authentications back to May 7, and assume any session established during the window is suspect. Pivot from VPN access into lateral-movement and pre-encryption staging hunts given the Qilin linkage.

Read the article

Sources: SecurityWeek

3. Cisco warns of 7th SD-WAN zero-day exploited in 2026 (CVE-2026-20245)

Cisco disclosed an actively exploited, unpatched root-privilege flaw in Catalyst SD-WAN Manager (CVE-2026-20245), reported by Mandiant, with confirmed cases of attackers pushing config changes to edge devices. This is in-the-wild network-infrastructure exploitation with no patch available — the worst combination for IR teams. Until a fix lands, restrict management-plane access, watch SD-WAN Manager for unexpected configuration deployments and template changes, and audit edge-device configs against known-good baselines. Treat any unexplained config push during the exposure window as a potential compromise and validate device integrity downstream.

Read the article

Sources: SecurityWeek

4. Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM access on patched Windows (CVE-2026-47281)

A public PoC dubbed “RoguePlanet” (CVE-2026-47281, CVSS 9.6) exploits a Microsoft Defender race condition to obtain a SYSTEM-level shell on fully patched Windows 10/11, and is reported to be actively exploited. This is an unpatched local privilege-escalation primitive that slots neatly into post-compromise chains — assume any foothold an attacker already has can be escalated to SYSTEM. Hunt for anomalous child processes and token manipulation around the Defender service, unexpected SYSTEM-context shells, and race-condition exploitation patterns. Prioritize detection on the escalation step since there is no patch to lean on yet.

Read the article

Sources: The Hacker News

5. Europol disrupts ‘AudiA6’ crypto-laundering service used by ransomware gangs

A June 10 international takedown dismantled “AudiA6,” a crypto-laundering service that moved ~€336M for cybercriminals through 6,000+ mule accounts. Two administrators were arrested in Georgia, and the service is linked to 15+ ransomware investigations. This is a law-enforcement strike against the criminal financial infrastructure that underpins ransomware monetization — cutting off cash-out capacity raises operating costs across multiple affiliates at once. For analysts, the value is in the downstream intelligence: expect investigative pivots from the seized mule-account network into the ransomware crews it serviced.

Read the article

Sources: The Hacker News

6. Ukrainian national pleads guilty to role in Conti ransomware operation

Oleksii Lytvynenko, extradited from Ireland, pleaded guilty to wire-fraud conspiracy tied to Conti attacks during 2021–2022 that affected 1,000+ systems; sentencing is set for September 10. This is a prosecution milestone against one of the most consequential ransomware operations of the era. While it doesn’t change today’s detection posture, it reinforces the attribution and tooling lineage that flowed out of Conti into successor crews — useful context when triaging TTPs that trace back to the original playbook.

Read the article

Sources: BleepingComputer

7. Miasma: supply-chain worm compromises 32 Red Hat npm packages

Wiz details Miasma, a self-propagating credential-harvesting npm worm of the Shai-Hulud lineage that compromised 32 @redhat-cloud-services packages via a preinstall hook, sweeping cloud and CI/CD secrets before republishing itself. This is an active supply-chain compromise that comes with IOCs and remediation guidance. IR teams should rotate any credentials and tokens exposed to affected build environments, audit recent @redhat-cloud-services installs across CI/CD and developer machines, block the worm’s egress, and review npm publish history on org-owned scopes for unexpected version bumps that signal recursive republishing.

Read the article

Sources: Wiz blog

8. New DriveSurge threat actor hijacks thousands of sites for ClickFix/FakeUpdate attacks

Silent Push detailed “DriveSurge,” an initial-access-broker operation using a zTDS traffic-distribution system across thousands of compromised sites to deliver ClickFix/FakeUpdates to both Windows and macOS victims. This is an active malware-delivery campaign with IAB-infrastructure analysis and TDS tradecraft analysts can hunt on. Detection focus: injected redirect/JavaScript on compromised web properties, traffic flowing through the zTDS, ClickFix fake-CAPTCHA prompts that coax users into pasting clipboard commands, and the resulting mshta/shell launches. Cross-platform targeting means macOS endpoints belong in the hunt too.

Read the article

Sources: Dark Reading

9. Global cyber-threat campaigns escalate as APT groups target critical sectors (Intel 471)

Intel 471 reports a June surge in APT operations against critical sectors, with both espionage and disruptive activity growing in scale. This is a threat-landscape framing piece that ties several active APT campaigns together rather than a single-family writeup — useful for setting hunting priorities and briefing stakeholders on where state-aligned pressure is concentrating. Pair it with the foundational APT analysis below (Screening Serpens) to map specific malware families and TTPs onto the broader trend.

Read the article

Sources: Industrial Cyber

10. Dutch police dismantle 17-million-device botnet (Asocks residential proxy) · FOUNDATIONAL

NCSC and Dutch police seized 200+ C2 servers behind a 17-million-device botnet powering the Asocks residential-proxy network used for DDoS, phishing, credential stuffing, and malware distribution. A botnet and criminal-infrastructure takedown of this scale matters to IR teams well beyond the headline: residential-proxy abuse is a recurring problem because malicious traffic blends into legitimate ISP space and defeats simple IP reputation. Use this as a prompt to revisit detections that assume datacenter-ASN signals, and to harden against credential-stuffing routed through residential exit nodes.

Read the article

Sources: SecurityWeek

11. First VPN dismantled in global takedown over use by 25 ransomware groups (Operation Saffron) · FOUNDATIONAL

A France/Netherlands-led Operation Saffron seized 33 bulletproof-VPN servers across 27 countries and arrested the administrator in Ukraine; “First VPN” had served 25+ ransomware groups since 2014. This is a law-enforcement disruption of the anonymization infrastructure central to ransomware operations — the kind of upstream takedown that degrades many crews’ OPSEC at once. For analysts, the seized server set is a likely source of attribution pivots; expect follow-on intelligence linking infrastructure to specific ransomware operations over the coming weeks.

Read the article

Sources: The Hacker News

12. Tracking Iranian APT Screening Serpens’ 2026 espionage campaigns · FOUNDATIONAL

Unit 42 details six new RAT variants (including two new families) deployed February–April 2026 against targets in the US, Israel, and UAE, using AppDomainManager hijacking and air-carrier impersonation lures. This is deep APT malware-family analysis with new RAT TTPs and IOCs ready for detection content. Build coverage around AppDomainManager hijacking (anomalous .NET config files redirecting managed processes to attacker DLLs), and feed the published RAT indicators into Sigma/YARA. Pair with the Intel 471 trend piece above to connect this family-level detail to the broader surge in APT activity against critical sectors.

Read the article

Sources: Unit 42

On our watch list

  1. Cisco SD-WAN patch and active exploitation. CVE-2026-20245 is the seventh SD-WAN zero-day of 2026 and remains unpatched while attackers push config changes to edge devices. Watch for the Cisco fix and Mandiant follow-up IOCs, and keep management-plane restrictions and config-baseline diffs in place until a patch is validated in your fleet.
  2. RoguePlanet weaponization in real chains. A public PoC plus reported active exploitation of the Defender race condition (CVE-2026-47281) means we expect it folded into post-compromise toolkits quickly. Watch for a Microsoft mitigation or out-of-band patch, and prioritize behavioral detection on SYSTEM-context shells around Defender until one ships.
  3. Fallout from the AudiA6 and First VPN takedowns. Both seized infrastructure servicing many ransomware crews. We expect attribution pivots and follow-on indictments as investigators work the mule-account network and bulletproof-VPN server set — useful upstream intelligence to map onto active intrusions.
  4. More Shai-Hulud-lineage npm worms. Miasma’s preinstall-hook, secret-sweeping, self-republishing pattern is repeatable against any high-trust scope. We expect at least one more variant targeting a different org-owned npm scope; watch for unexpected version bumps and CI/CD credential exposure across your dependency graph.

Malware Analysis Weekly · a Newshunter publication

Weekly news items are from the previous seven to ten days. Foundational reading is refreshed each week.

Unsubscribe · View in browser

*|LIST:ADDRESS|*

Curated by the Security Radar threat-intelligence team.

Newsletter design, layout, and editorial curation © 2026 Security Radar. All rights reserved.

Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.

Recent Posts

  • DevSecOps Weekly — July 12, 2026
  • DevSecOps Weekly — July 12, 2026 — Interactive Topic Map
  • Malware Analysis Weekly — July 12, 2026
  • Malware Analysis Weekly — July 12, 2026 — Interactive Topic Map
  • AI & ML in Security — July 12, 2026

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • November 2025
  • April 2024
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • April 2023
  • March 2023
  • February 2022
  • January 2022
  • December 2021
  • September 2020
  • October 2019
  • August 2019
  • July 2019
  • December 2018
  • April 2018
  • December 2016
  • September 2016
  • August 2016
  • July 2016
  • April 2015
  • March 2015
  • August 2014
  • March 2014
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • October 2012
  • September 2012
  • August 2012
  • February 2012
  • October 2011
  • August 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • November 2010
  • October 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • June 2009
  • May 2009
  • March 2009
  • February 2009
  • January 2009
  • December 2008
  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008
  • March 2008
  • February 2008
  • January 2008
  • December 2007
  • November 2007
  • October 2007
  • September 2007
  • August 2007
  • July 2007
  • June 2007
  • May 2007
  • April 2007
  • March 2007
  • February 2007
  • January 2007
  • December 2006
  • November 2006
  • October 2006
  • September 2006
  • August 2006
  • July 2006
  • June 2006
  • May 2006
  • April 2006
  • March 2006
  • February 2006
  • January 2006
  • December 2005
  • November 2005
  • October 2005
  • September 2005
  • August 2005
  • July 2005
  • June 2005
  • May 2005
  • April 2005
  • March 2005
  • February 2005
  • January 2005
  • December 2004
  • November 2004
  • October 2004
  • September 2004
  • August 2004
  • July 2004
  • June 2004
  • May 2004
  • April 2004
  • March 2004
  • February 2004
  • January 2004
  • December 2003
  • November 2003
  • October 2003
  • September 2003

Categories

  • AI-ML
  • Augment / Virtual Reality
  • Blogging
  • Cloud
  • DR/Crisis Response/Crisis Management
  • Editorial
  • Financial
  • Make You Smile
  • Malware
  • Mobility
  • Motor Industry
  • News
  • OTT Video
  • Pending Review
  • Personal
  • Product
  • Regulations
  • Secure
  • Security Industry News
  • Security Operations
  • Statistics
  • Threat Intel
  • Trends
  • Uncategorized
  • Warnings
  • WebSite News
  • Zero Trust

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
© 2026 CyberSecurity Institute | Powered by Superbs Personal Blog theme