Skip to content

CyberSecurity Institute

Security News Curated from across the world

Menu
Menu

Malware Analysis Weekly — June 28, 2026

Posted on June 28, 2026 by admini
Malware Analysis Weekly · June 28, 2026 · Weekly Edition

Malware Analysis Weekly

Families, campaigns, TTPs, and IOCs from the field · for malware analysts and IR teams

At a glance

This week’s threat landscape was shaped by a wave of new malware families, continued Chinese-nexus APT activity, and two significant law-enforcement and judicial milestones. On the new-family front, AryStinger — a router botnet targeting 4,300+ legacy and D-Link devices — joined SharkLoader (a loader deploying Cobalt Strike in the StrikeShark campaign), Mistic and its dropper WoodGnat (a stealthy multi-sector backdoor surfaced by Help Net Security), and macOS.Gaslight (a Rust backdoor that inverts the analyst’s own AI triage tools against them) as the week’s marquee discoveries. The breadth of new tooling — spanning routers, Windows, and macOS — reflects an accelerating pace of capability development across criminal and state-linked actors alike.

APT activity was dominated by two Chinese-nexus groups. VerdantBamboo deployed BRICKSTORM and the new Plenet implant to maintain persistent access to compromised networks, building on the full technical account published by Volexity in early June. Separately, FishMonger’s SprySOCKS backdoor — previously Linux-only — is now confirmed on Windows via a new DLL-sideloading chain, expanding the actor’s mixed-OS reach. Defenders tracking Chinese-nexus infrastructure should treat both groups as actively maintaining footholds across government, telecoms, and critical-infrastructure targets, with new implant variants rolling out to maintain access as older IOCs get burned.

Law enforcement delivered two significant outcomes. Operation Endgame expanded its mandate to take down StealC and Amadey infostealer infrastructure in a joint action coordinated by Microsoft, the FBI, and European partners. In the courts, members of Scattered Spider were convicted for the Transport for London cyberattack — a notable accountability moment for a group that has long operated with apparent impunity. On the vulnerability front, ShinyHunters exploited CVE-2026-35273, an Oracle PeopleSoft zero-day, to extort universities, and CISA added four new entries to KEV, including Lantronix and Ubiquiti UniFi OS flaws with confirmed exploitation. The week closed with confirmation that the Klue supply-chain breach reached HackerOne, Huntress, and Snyk — three security vendors — raising pointed questions about third-party SaaS risk across the security industry itself.

Topic map — families, actors, CVEs, and how they intersect

Named entities extracted from this week’s 14 malware-analysis articles — threat actors, malware families, CVEs, vendors, researchers, and the campaigns or themes connecting them.

Topic map for malware analysis — June 28, 2026

This week clusters around four gravitational centres: new router and platform malware (AryStinger botnet, SharkLoader/StrikeShark, Mistic/WoodGnat, macOS.Gaslight); Chinese-nexus APT persistence (VerdantBamboo/BRICKSTORM/Plenet, FishMonger/SprySOCKS); law-enforcement and judicial actions (Operation Endgame StealC/Amadey, Scattered Spider TfL conviction); and exploit-driven intrusions and supply-chain impact (ShinyHunters/CVE-2026-35273, CISA KEV four-pack, Klue breach reaching security vendors).

Article index

New malware families & delivery chains

A router botnet infecting 4,300+ legacy devices, a Cobalt Strike loader campaign, a stealthy multi-sector backdoor pair, and a macOS Rust implant that turns prompt injection on the analyst.

# Article Source Date
1 AryStinger botnet infects 4,300+ legacy/D-Link routers The Hacker News Jun 22
2 SharkLoader deploys Cobalt Strike in StrikeShark campaign The Hacker News Jun 26
3 StrikeShark: custom SharkLoader + Cobalt Strike campaign · FOUNDATIONAL Securelist (Kaspersky) Jun 24
4 Stealthy new backdoor (Mistic/WoodGnat) surfaces across sectors Help Net Security Jun 25
5 macOS.Gaslight: Rust backdoor turns prompt injection on the analyst · FOUNDATIONAL SentinelOne Labs Jun 25

APT campaigns & persistent-access implants

VerdantBamboo deploying BRICKSTORM and new Plenet implant; FishMonger’s SprySOCKS crosses to Windows; FortiBleed credential-harvesting anatomy from Arctic Wolf.

# Article Source Date
6 Chinese APT (VerdantBamboo) deploys BRICKSTORM/Plenet to keep access BleepingComputer Jun 24
7 VerdantBamboo: just another BRICKSTORM in the firewall · FOUNDATIONAL Volexity Jun 4
8 FishMonger’s arsenal upgraded: SprySOCKS for Windows · FOUNDATIONAL ESET Jun 16
9 Inside FortiBleed: reverse-engineering the credential-harvester · FOUNDATIONAL Arctic Wolf Jun

Law enforcement, takedowns & convictions

Operation Endgame expands to StealC/Amadey; Scattered Spider members convicted for the TfL attack.

# Article Source Date
10 Operation Endgame takes down StealC & Amadey infostealers Microsoft Security Jun 24
11 Scattered Spider teens convicted over TfL cyber-attack The Record Jun 23

Exploited vulnerabilities & supply-chain impact

ShinyHunters weaponizes Oracle PeopleSoft zero-day against universities; CISA KEV four-pack; and the Klue hack reaches HackerOne, Huntress, and Snyk.

# Article Source Date
12 ShinyHunters exploits Oracle PeopleSoft zero-day (CVE-2026-35273), extorts universities Mandiant / Google Cloud Jun 23
13 CISA adds four KEVs (Lantronix EDS5000, Ubiquiti UniFi OS) CISA Jun 23
14 Klue hack breaches several security firms (HackerOne, Huntress, Snyk) TechCrunch Jun 22

Detailed write-ups

1. AryStinger botnet infects 4,300+ legacy/D-Link routers

The Hacker News · Jun 22, 2026

AryStinger is a newly documented router botnet that has compromised more than 4,300 legacy and D-Link devices, exploiting known-unpatched vulnerabilities in end-of-life firmware to establish persistent C2 footholds. Compromised routers are used for traffic proxying, reconnaissance staging, and as launch points for downstream attacks against internal network segments that trust the router as a perimeter device. The botnet follows a well-established playbook for router malware: gain access via a default-credential or unpatched-RCE vector, achieve persistence via cron or init scripts, and join a centrally managed C2 cluster. The long tail of unmanaged, un-updated consumer and SOHO routers in enterprise environments — home-office equipment that routes into corporate VPNs, for instance — represents exactly the attack surface AryStinger is targeting. Defensive priorities: audit your network for EoL D-Link models; replace devices that cannot receive firmware updates; for devices still in service, change default credentials, disable UPnP and remote management, and monitor outbound traffic from router management IPs for anomalous connections.

Read the article

Sources: The Hacker News

2. SharkLoader deploys Cobalt Strike in StrikeShark campaign · + FOUNDATIONAL

The Hacker News · Jun 26, 2026  |  Securelist (Kaspersky) · Jun 24, 2026

SharkLoader is a new malware loader, detailed in the StrikeShark campaign reporting from Kaspersky’s Securelist, that functions as an initial-access-to-post-exploitation bridge: it delivers a Cobalt Strike beacon after bypassing common defenses through a multi-stage obfuscated loading chain. The Securelist foundational report provides the full technical anatomy, including the loader’s anti-analysis features, network communication patterns, and the Cobalt Strike watermark that can be used to cluster infrastructure across StrikeShark operations. SharkLoader represents the continued professionalization of loader-as-a-service tooling: purpose-built, evasion-hardened, and sold or rented to threat actors who then select their own post-exploitation framework. Detection engineering priorities: build coverage on the loader’s process injection behavior and the specific shellcode decryption routines documented by Kaspersky, and pivot on the Cobalt Strike watermark to identify additional infrastructure. The combination of a fresh loader with a well-known post-exploitation framework makes this campaign accessible to a wide range of threat actors.

Read the article

Sources: The Hacker News · Securelist (Kaspersky) — full technical analysis

3. macOS.Gaslight: Rust backdoor turns prompt injection on the analyst · FOUNDATIONAL

SentinelOne Labs · Jun 25, 2026

macOS.Gaslight is a Rust-based macOS backdoor with an unusual adversarial twist: it embeds crafted prompt-injection payloads in artefacts likely to be examined by AI-assisted malware-analysis tools, attempting to manipulate the analyst’s AI triage pipeline rather than evading the sandbox directly. SentinelOne’s detailed write-up documents how the backdoor plants misleading or neutralizing instructions within strings, metadata, and file structures that AI analysis tools commonly ingest, aiming to produce incorrect classification or suppressed alerting in AI-assisted workflows. Beyond the prompt-injection novelty, the underlying implant is a capable Rust backdoor with standard C2 capabilities. This is a significant defensive-tooling threat: teams that rely on AI-assisted initial triage — including SOAR playbooks that feed artefacts to LLM analysis steps — should review whether those pipelines can be manipulated via malicious content. The Gaslight technique is likely to be replicated in other families as the attack surface of AI-assisted analysis grows.

Read the article

Sources: SentinelOne Labs

4. Chinese APT (VerdantBamboo) deploys BRICKSTORM/Plenet to keep access · + FOUNDATIONAL

BleepingComputer · Jun 24, 2026  |  Volexity · Jun 4, 2026

VerdantBamboo, a Chinese-nexus APT group tracked since at least 2024, is deploying BRICKSTORM — a cross-platform backdoor documented by Volexity in their foundational June 4 report — alongside a newly identified implant named Plenet to maintain persistent access to compromised networks even as defenders work to evict them. The dual-implant strategy is deliberate: BRICKSTORM and Plenet use different C2 channels and persistence mechanisms, so burning one set of IOCs does not dislodge the actor from the environment. Volexity’s foundational report provides the full BRICKSTORM reverse-engineering, C2 protocol specification, and persistence mechanism details that are essential reading for IR teams responding to VerdantBamboo intrusions. Defenders should treat any confirmed BRICKSTORM finding as indicative of a parallel, distinct implant potentially still present, and pursue full network-level threat hunting rather than artifact-based remediation. The actor’s targeting profile emphasizes government networks, critical infrastructure, and technology companies in Western Europe and Asia-Pacific.

Read the article

Sources: BleepingComputer · Volexity — BRICKSTORM deep dive

5. Operation Endgame takes down StealC & Amadey infostealers

Microsoft Security · Jun 24, 2026

Operation Endgame continued its expansion this week with a coordinated action — led by Microsoft in partnership with the FBI and European law-enforcement partners — targeting the infrastructure behind StealC and Amadey, two of the most prolific infostealer families in active distribution. Microsoft’s accompanying technical report breaks down both families’ delivery mechanisms (malvertising, pay-per-install, phishing), the cybercrime-as-a-service ecosystem that distributes them, and the credential-theft, cookie-theft, and cryptocurrency-wallet-harvesting capabilities that make them staple tools for initial-access brokers. The takedown disrupts the current C2 infrastructure but not the malware code itself, which is freely circulated and will spawn successor campaigns quickly. Threat-intelligence teams should pull the updated IOC set from the Microsoft report, but also update detection logic to catch Amadey and StealC behavior patterns rather than relying solely on infrastructure indicators. The report’s ecosystem mapping — showing the distribution-service relationships between these stealers and other crimeware families — is particularly valuable for understanding downstream ransomware risk.

Read the article

Sources: Microsoft Security

6. ShinyHunters exploits Oracle PeopleSoft zero-day (CVE-2026-35273), extorts universities

Mandiant / Google Cloud Threat Intelligence · Jun 23, 2026

ShinyHunters, a financially motivated threat actor with a long history of large-scale data-theft extortion, exploited CVE-2026-35273 — a zero-day in Oracle PeopleSoft — to breach multiple university and higher-education targets, exfiltrating student and staff records before initiating extortion demands. Mandiant’s report provides the vulnerability details, the actor’s exploitation methodology, and the data exfiltration techniques observed in victim environments. Oracle PeopleSoft is widely deployed in the education sector for HR, financial, and student-records management, making this zero-day particularly high-value for targeting student data at scale. Immediate actions for PeopleSoft operators: apply Oracle’s emergency patch if available; audit PeopleSoft access logs for anomalous query patterns, bulk-export activity, and service-account abuse in the exposure window; and treat any institution running internet-facing PeopleSoft as a potential victim regardless of whether an intrusion has been confirmed yet. The education sector’s historically under-resourced security posture makes it a preferred target for extortion actors.

Read the article

Sources: Mandiant / Google Cloud Threat Intelligence

7. Klue hack breaches several security firms (HackerOne, Huntress, Snyk)

TechCrunch · Jun 22, 2026

The Klue supply-chain breach — initially disclosed the previous week as an OAuth token compromise — has now been confirmed to have resulted in data breaches at downstream customers including HackerOne, Huntress, and Snyk: three organizations whose businesses are, in part, securing other companies. The irony is operationally significant beyond the obvious: these breaches expose the data that security vendors hold on behalf of their customers, potentially including vulnerability research, penetration-test findings, and threat-detection telemetry. The Klue incident is a textbook illustration of the SaaS transitive-trust risk: a breach at a smaller, less-scrutinized SaaS vendor with OAuth delegations into high-value downstream platforms can compromise the downstream orgs at scale with minimal attacker effort. For defenders: review every third-party SaaS integration in your environment for OAuth scopes granted, data residency, and the vendor’s own security posture. The Klue breach should prompt immediate revocation of Klue OAuth tokens across all connected platforms and a full audit of data accessible through those integrations.

Read the article

Sources: TechCrunch

8. Scattered Spider teens convicted over TfL cyber-attack

The Record · Jun 23, 2026

Members of Scattered Spider have been convicted in connection with the Transport for London cyberattack, marking a significant accountability milestone for a group that has operated with apparent impunity despite repeated, high-profile intrusions against major Western organizations. Scattered Spider is notable for its social-engineering sophistication — particularly its use of vishing and MFA fatigue attacks against helpdesk staff — and for recruiting young English-speaking members who can blend into corporate communications to conduct LAPSUS$-style insider-access abuse. The TfL attack disrupted passenger services and resulted in the exfiltration of customer data. The convictions matter beyond this specific case: they demonstrate that English-speaking financially motivated hackers operating in Western jurisdictions are not beyond the reach of law enforcement, and they may deter recruitment into similar groups. For defenders: Scattered Spider TTPs center on identity and helpdesk abuse; ensure your helpdesk staff have clear protocols for identity verification before any privileged account action, and treat vishing-resistant MFA as a baseline control.

Read the article

Sources: The Record

On our watch list

  1. AryStinger botnet growth. The 4,300-device figure reflects discovered compromises, not the full potential scale. EoL D-Link and legacy SOHO devices number in the millions globally. Watch for expanded AryStinger IOC sets and secondary-use reports as researchers continue sinkholing and mapping the botnet’s C2 infrastructure. Organizations running hybrid home/office environments should treat unmanaged home routers accessing corporate VPNs as an elevated-risk entry point.
  2. macOS.Gaslight and the AI-triage arms race. The Gaslight technique of embedding prompt-injection payloads into malware artefacts is novel but conceptually straightforward to replicate. Expect this pattern to appear in other macOS and Windows families within weeks. AI-assisted triage and SOAR playbooks that ingest raw malware artefacts or strings without prompt-injection controls are now a viable attack surface. Track SentinelOne, CrowdStrike, and Microsoft Defender for Endpoint advisories for updated AI-triage safeguards.
  3. CVE-2026-35273 / Oracle PeopleSoft patch and exploitation spread. ShinyHunters’ active exploitation of this zero-day in the education sector is likely to expand to other PeopleSoft verticals as the vulnerability and exploitation methodology become more widely known. Higher education, healthcare, and government organizations running PeopleSoft should treat patch application as urgent and monitor for IOCs published in the Mandiant report.
  4. Klue breach downstream disclosure. Three named security vendors is likely not the complete downstream victim list. Monitor for further breach notifications from Klue customers over the coming week. The event is also likely to prompt regulatory and client scrutiny of OAuth-delegation risk management across the SaaS security vendor space more broadly.

Malware Analysis Weekly · a weekly intelligence bulletin from Security Radar LLC

Curated by Paul Davis (paul.davis@security-radar.com)

Weekly news items are from the previous seven days. Foundational reading is refreshed each week.

*|LIST:ADDRESS|*

View this email in your browser · Unsubscribe

© 2026 Security Radar LLC. All rights reserved.

Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.

Recent Posts

  • DevSecOps Weekly — July 12, 2026
  • DevSecOps Weekly — July 12, 2026 — Interactive Topic Map
  • Malware Analysis Weekly — July 12, 2026
  • Malware Analysis Weekly — July 12, 2026 — Interactive Topic Map
  • AI & ML in Security — July 12, 2026

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • November 2025
  • April 2024
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • April 2023
  • March 2023
  • February 2022
  • January 2022
  • December 2021
  • September 2020
  • October 2019
  • August 2019
  • July 2019
  • December 2018
  • April 2018
  • December 2016
  • September 2016
  • August 2016
  • July 2016
  • April 2015
  • March 2015
  • August 2014
  • March 2014
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • October 2012
  • September 2012
  • August 2012
  • February 2012
  • October 2011
  • August 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • November 2010
  • October 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • June 2009
  • May 2009
  • March 2009
  • February 2009
  • January 2009
  • December 2008
  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008
  • March 2008
  • February 2008
  • January 2008
  • December 2007
  • November 2007
  • October 2007
  • September 2007
  • August 2007
  • July 2007
  • June 2007
  • May 2007
  • April 2007
  • March 2007
  • February 2007
  • January 2007
  • December 2006
  • November 2006
  • October 2006
  • September 2006
  • August 2006
  • July 2006
  • June 2006
  • May 2006
  • April 2006
  • March 2006
  • February 2006
  • January 2006
  • December 2005
  • November 2005
  • October 2005
  • September 2005
  • August 2005
  • July 2005
  • June 2005
  • May 2005
  • April 2005
  • March 2005
  • February 2005
  • January 2005
  • December 2004
  • November 2004
  • October 2004
  • September 2004
  • August 2004
  • July 2004
  • June 2004
  • May 2004
  • April 2004
  • March 2004
  • February 2004
  • January 2004
  • December 2003
  • November 2003
  • October 2003
  • September 2003

Categories

  • AI-ML
  • Augment / Virtual Reality
  • Blogging
  • Cloud
  • DR/Crisis Response/Crisis Management
  • Editorial
  • Financial
  • Make You Smile
  • Malware
  • Mobility
  • Motor Industry
  • News
  • OTT Video
  • Pending Review
  • Personal
  • Product
  • Regulations
  • Secure
  • Security Industry News
  • Security Operations
  • Statistics
  • Threat Intel
  • Trends
  • Uncategorized
  • Warnings
  • WebSite News
  • Zero Trust

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
© 2026 CyberSecurity Institute | Powered by Superbs Personal Blog theme