|
Malware Analysis Weekly · June 28, 2026 · Weekly Edition
Malware Analysis Weekly
Families, campaigns, TTPs, and IOCs from the field · for malware analysts and IR teams
|
At a glance
This week’s threat landscape was shaped by a wave of new malware families, continued Chinese-nexus APT activity, and two significant law-enforcement and judicial milestones. On the new-family front, AryStinger — a router botnet targeting 4,300+ legacy and D-Link devices — joined SharkLoader (a loader deploying Cobalt Strike in the StrikeShark campaign), Mistic and its dropper WoodGnat (a stealthy multi-sector backdoor surfaced by Help Net Security), and macOS.Gaslight (a Rust backdoor that inverts the analyst’s own AI triage tools against them) as the week’s marquee discoveries. The breadth of new tooling — spanning routers, Windows, and macOS — reflects an accelerating pace of capability development across criminal and state-linked actors alike.
APT activity was dominated by two Chinese-nexus groups. VerdantBamboo deployed BRICKSTORM and the new Plenet implant to maintain persistent access to compromised networks, building on the full technical account published by Volexity in early June. Separately, FishMonger’s SprySOCKS backdoor — previously Linux-only — is now confirmed on Windows via a new DLL-sideloading chain, expanding the actor’s mixed-OS reach. Defenders tracking Chinese-nexus infrastructure should treat both groups as actively maintaining footholds across government, telecoms, and critical-infrastructure targets, with new implant variants rolling out to maintain access as older IOCs get burned.
Law enforcement delivered two significant outcomes. Operation Endgame expanded its mandate to take down StealC and Amadey infostealer infrastructure in a joint action coordinated by Microsoft, the FBI, and European partners. In the courts, members of Scattered Spider were convicted for the Transport for London cyberattack — a notable accountability moment for a group that has long operated with apparent impunity. On the vulnerability front, ShinyHunters exploited CVE-2026-35273, an Oracle PeopleSoft zero-day, to extort universities, and CISA added four new entries to KEV, including Lantronix and Ubiquiti UniFi OS flaws with confirmed exploitation. The week closed with confirmation that the Klue supply-chain breach reached HackerOne, Huntress, and Snyk — three security vendors — raising pointed questions about third-party SaaS risk across the security industry itself.
|
Topic map — families, actors, CVEs, and how they intersect
Named entities extracted from this week’s 14 malware-analysis articles — threat actors, malware families, CVEs, vendors, researchers, and the campaigns or themes connecting them.
This week clusters around four gravitational centres: new router and platform malware (AryStinger botnet, SharkLoader/StrikeShark, Mistic/WoodGnat, macOS.Gaslight); Chinese-nexus APT persistence (VerdantBamboo/BRICKSTORM/Plenet, FishMonger/SprySOCKS); law-enforcement and judicial actions (Operation Endgame StealC/Amadey, Scattered Spider TfL conviction); and exploit-driven intrusions and supply-chain impact (ShinyHunters/CVE-2026-35273, CISA KEV four-pack, Klue breach reaching security vendors).
|
Article index
New malware families & delivery chains
A router botnet infecting 4,300+ legacy devices, a Cobalt Strike loader campaign, a stealthy multi-sector backdoor pair, and a macOS Rust implant that turns prompt injection on the analyst.
APT campaigns & persistent-access implants
VerdantBamboo deploying BRICKSTORM and new Plenet implant; FishMonger’s SprySOCKS crosses to Windows; FortiBleed credential-harvesting anatomy from Arctic Wolf.
Law enforcement, takedowns & convictions
Operation Endgame expands to StealC/Amadey; Scattered Spider members convicted for the TfL attack.
Exploited vulnerabilities & supply-chain impact
ShinyHunters weaponizes Oracle PeopleSoft zero-day against universities; CISA KEV four-pack; and the Klue hack reaches HackerOne, Huntress, and Snyk.
|
Detailed write-ups
1. AryStinger botnet infects 4,300+ legacy/D-Link routers
The Hacker News · Jun 22, 2026
AryStinger is a newly documented router botnet that has compromised more than 4,300 legacy and D-Link devices, exploiting known-unpatched vulnerabilities in end-of-life firmware to establish persistent C2 footholds. Compromised routers are used for traffic proxying, reconnaissance staging, and as launch points for downstream attacks against internal network segments that trust the router as a perimeter device. The botnet follows a well-established playbook for router malware: gain access via a default-credential or unpatched-RCE vector, achieve persistence via cron or init scripts, and join a centrally managed C2 cluster. The long tail of unmanaged, un-updated consumer and SOHO routers in enterprise environments — home-office equipment that routes into corporate VPNs, for instance — represents exactly the attack surface AryStinger is targeting. Defensive priorities: audit your network for EoL D-Link models; replace devices that cannot receive firmware updates; for devices still in service, change default credentials, disable UPnP and remote management, and monitor outbound traffic from router management IPs for anomalous connections.
Read the article
Sources: The Hacker News
2. SharkLoader deploys Cobalt Strike in StrikeShark campaign · + FOUNDATIONAL
The Hacker News · Jun 26, 2026 | Securelist (Kaspersky) · Jun 24, 2026
SharkLoader is a new malware loader, detailed in the StrikeShark campaign reporting from Kaspersky’s Securelist, that functions as an initial-access-to-post-exploitation bridge: it delivers a Cobalt Strike beacon after bypassing common defenses through a multi-stage obfuscated loading chain. The Securelist foundational report provides the full technical anatomy, including the loader’s anti-analysis features, network communication patterns, and the Cobalt Strike watermark that can be used to cluster infrastructure across StrikeShark operations. SharkLoader represents the continued professionalization of loader-as-a-service tooling: purpose-built, evasion-hardened, and sold or rented to threat actors who then select their own post-exploitation framework. Detection engineering priorities: build coverage on the loader’s process injection behavior and the specific shellcode decryption routines documented by Kaspersky, and pivot on the Cobalt Strike watermark to identify additional infrastructure. The combination of a fresh loader with a well-known post-exploitation framework makes this campaign accessible to a wide range of threat actors.
Read the article
Sources: The Hacker News · Securelist (Kaspersky) — full technical analysis
3. macOS.Gaslight: Rust backdoor turns prompt injection on the analyst · FOUNDATIONAL
SentinelOne Labs · Jun 25, 2026
macOS.Gaslight is a Rust-based macOS backdoor with an unusual adversarial twist: it embeds crafted prompt-injection payloads in artefacts likely to be examined by AI-assisted malware-analysis tools, attempting to manipulate the analyst’s AI triage pipeline rather than evading the sandbox directly. SentinelOne’s detailed write-up documents how the backdoor plants misleading or neutralizing instructions within strings, metadata, and file structures that AI analysis tools commonly ingest, aiming to produce incorrect classification or suppressed alerting in AI-assisted workflows. Beyond the prompt-injection novelty, the underlying implant is a capable Rust backdoor with standard C2 capabilities. This is a significant defensive-tooling threat: teams that rely on AI-assisted initial triage — including SOAR playbooks that feed artefacts to LLM analysis steps — should review whether those pipelines can be manipulated via malicious content. The Gaslight technique is likely to be replicated in other families as the attack surface of AI-assisted analysis grows.
Read the article
Sources: SentinelOne Labs
4. Chinese APT (VerdantBamboo) deploys BRICKSTORM/Plenet to keep access · + FOUNDATIONAL
BleepingComputer · Jun 24, 2026 | Volexity · Jun 4, 2026
VerdantBamboo, a Chinese-nexus APT group tracked since at least 2024, is deploying BRICKSTORM — a cross-platform backdoor documented by Volexity in their foundational June 4 report — alongside a newly identified implant named Plenet to maintain persistent access to compromised networks even as defenders work to evict them. The dual-implant strategy is deliberate: BRICKSTORM and Plenet use different C2 channels and persistence mechanisms, so burning one set of IOCs does not dislodge the actor from the environment. Volexity’s foundational report provides the full BRICKSTORM reverse-engineering, C2 protocol specification, and persistence mechanism details that are essential reading for IR teams responding to VerdantBamboo intrusions. Defenders should treat any confirmed BRICKSTORM finding as indicative of a parallel, distinct implant potentially still present, and pursue full network-level threat hunting rather than artifact-based remediation. The actor’s targeting profile emphasizes government networks, critical infrastructure, and technology companies in Western Europe and Asia-Pacific.
Read the article
Sources: BleepingComputer · Volexity — BRICKSTORM deep dive
5. Operation Endgame takes down StealC & Amadey infostealers
Microsoft Security · Jun 24, 2026
Operation Endgame continued its expansion this week with a coordinated action — led by Microsoft in partnership with the FBI and European law-enforcement partners — targeting the infrastructure behind StealC and Amadey, two of the most prolific infostealer families in active distribution. Microsoft’s accompanying technical report breaks down both families’ delivery mechanisms (malvertising, pay-per-install, phishing), the cybercrime-as-a-service ecosystem that distributes them, and the credential-theft, cookie-theft, and cryptocurrency-wallet-harvesting capabilities that make them staple tools for initial-access brokers. The takedown disrupts the current C2 infrastructure but not the malware code itself, which is freely circulated and will spawn successor campaigns quickly. Threat-intelligence teams should pull the updated IOC set from the Microsoft report, but also update detection logic to catch Amadey and StealC behavior patterns rather than relying solely on infrastructure indicators. The report’s ecosystem mapping — showing the distribution-service relationships between these stealers and other crimeware families — is particularly valuable for understanding downstream ransomware risk.
Read the article
Sources: Microsoft Security
6. ShinyHunters exploits Oracle PeopleSoft zero-day (CVE-2026-35273), extorts universities
Mandiant / Google Cloud Threat Intelligence · Jun 23, 2026
ShinyHunters, a financially motivated threat actor with a long history of large-scale data-theft extortion, exploited CVE-2026-35273 — a zero-day in Oracle PeopleSoft — to breach multiple university and higher-education targets, exfiltrating student and staff records before initiating extortion demands. Mandiant’s report provides the vulnerability details, the actor’s exploitation methodology, and the data exfiltration techniques observed in victim environments. Oracle PeopleSoft is widely deployed in the education sector for HR, financial, and student-records management, making this zero-day particularly high-value for targeting student data at scale. Immediate actions for PeopleSoft operators: apply Oracle’s emergency patch if available; audit PeopleSoft access logs for anomalous query patterns, bulk-export activity, and service-account abuse in the exposure window; and treat any institution running internet-facing PeopleSoft as a potential victim regardless of whether an intrusion has been confirmed yet. The education sector’s historically under-resourced security posture makes it a preferred target for extortion actors.
Read the article
Sources: Mandiant / Google Cloud Threat Intelligence
7. Klue hack breaches several security firms (HackerOne, Huntress, Snyk)
TechCrunch · Jun 22, 2026
The Klue supply-chain breach — initially disclosed the previous week as an OAuth token compromise — has now been confirmed to have resulted in data breaches at downstream customers including HackerOne, Huntress, and Snyk: three organizations whose businesses are, in part, securing other companies. The irony is operationally significant beyond the obvious: these breaches expose the data that security vendors hold on behalf of their customers, potentially including vulnerability research, penetration-test findings, and threat-detection telemetry. The Klue incident is a textbook illustration of the SaaS transitive-trust risk: a breach at a smaller, less-scrutinized SaaS vendor with OAuth delegations into high-value downstream platforms can compromise the downstream orgs at scale with minimal attacker effort. For defenders: review every third-party SaaS integration in your environment for OAuth scopes granted, data residency, and the vendor’s own security posture. The Klue breach should prompt immediate revocation of Klue OAuth tokens across all connected platforms and a full audit of data accessible through those integrations.
Read the article
Sources: TechCrunch
8. Scattered Spider teens convicted over TfL cyber-attack
The Record · Jun 23, 2026
Members of Scattered Spider have been convicted in connection with the Transport for London cyberattack, marking a significant accountability milestone for a group that has operated with apparent impunity despite repeated, high-profile intrusions against major Western organizations. Scattered Spider is notable for its social-engineering sophistication — particularly its use of vishing and MFA fatigue attacks against helpdesk staff — and for recruiting young English-speaking members who can blend into corporate communications to conduct LAPSUS$-style insider-access abuse. The TfL attack disrupted passenger services and resulted in the exfiltration of customer data. The convictions matter beyond this specific case: they demonstrate that English-speaking financially motivated hackers operating in Western jurisdictions are not beyond the reach of law enforcement, and they may deter recruitment into similar groups. For defenders: Scattered Spider TTPs center on identity and helpdesk abuse; ensure your helpdesk staff have clear protocols for identity verification before any privileged account action, and treat vishing-resistant MFA as a baseline control.
Read the article
Sources: The Record
|
On our watch list
- AryStinger botnet growth. The 4,300-device figure reflects discovered compromises, not the full potential scale. EoL D-Link and legacy SOHO devices number in the millions globally. Watch for expanded AryStinger IOC sets and secondary-use reports as researchers continue sinkholing and mapping the botnet’s C2 infrastructure. Organizations running hybrid home/office environments should treat unmanaged home routers accessing corporate VPNs as an elevated-risk entry point.
- macOS.Gaslight and the AI-triage arms race. The Gaslight technique of embedding prompt-injection payloads into malware artefacts is novel but conceptually straightforward to replicate. Expect this pattern to appear in other macOS and Windows families within weeks. AI-assisted triage and SOAR playbooks that ingest raw malware artefacts or strings without prompt-injection controls are now a viable attack surface. Track SentinelOne, CrowdStrike, and Microsoft Defender for Endpoint advisories for updated AI-triage safeguards.
- CVE-2026-35273 / Oracle PeopleSoft patch and exploitation spread. ShinyHunters’ active exploitation of this zero-day in the education sector is likely to expand to other PeopleSoft verticals as the vulnerability and exploitation methodology become more widely known. Higher education, healthcare, and government organizations running PeopleSoft should treat patch application as urgent and monitor for IOCs published in the Mandiant report.
- Klue breach downstream disclosure. Three named security vendors is likely not the complete downstream victim list. Monitor for further breach notifications from Klue customers over the coming week. The event is also likely to prompt regulatory and client scrutiny of OAuth-delegation risk management across the SaaS security vendor space more broadly.
|
|
Malware Analysis Weekly · a weekly intelligence bulletin from Security Radar LLC
Curated by Paul Davis (paul.davis@security-radar.com)
Weekly news items are from the previous seven days. Foundational reading is refreshed each week.
*|LIST:ADDRESS|*
View this email in your browser · Unsubscribe
© 2026 Security Radar LLC. All rights reserved.
Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.
|
|