|
Malware Analysis Weekly · July 12, 2026 · Weekly Edition
Malware Analysis Weekly
Active-exploit CVEs, fresh nation-state backdoors, and CISA’s own credential-leak postmortem · for malware analysts and IR teams
|
At a glance
This week was dominated by active exploitation stacking up across edge and AI tooling. Sysdig caught the first in-the-wild probing of a Gitea Docker flaw (CVE-2026-20896, CVSS 9.8) just 13 days after disclosure, and CISA added four more actively exploited bugs to its KEV catalog in a single sweep — Adobe ColdFusion (CVE-2026-48282, CVSS 10.0, exploited within hours of disclosure), two unauthenticated file-upload flaws in Joomla page-builder plugins (both CVSS 10.0), and a Langflow IDOR (CVE-2026-55255) that one operator chained with a Langflow RCE to steal LLM-provider and AWS keys. Microsoft finally shipped a patch for the RoguePlanet Defender race condition, and a novel ‘Ill Bloom’ bug drained over $5 million from crypto wallets.
Ransomware and malware tradecraft kept pace. Dark Reading’s own read on JadePuffer — the first confirmed ransomware run driven start-to-finish by an autonomous LLM agent — digs into the attack mechanics via the same Langflow RCE (CVE-2025-3248) flagged above. RedWing now rents Android bank-fraud capability as a Telegram-built MaaS kit, a new Ghost Phishing wave (EvilTokens) is defeating traditional secure email gateways, and the AI-assisted Avalon framework drops CrownX ransomware after evading nine named EDR vendors. Separately, FortiBleed’s 110-million-credential haul is now confirmed feeding both INC Ransom and Lynx.
On the APT and law-enforcement fronts: Armored Likho is running a Python stealer against government and electric-power targets, China-linked UAT-7810 (LapDogs) expanded its SOHO-router backdoor family with three new ‘Leash’ tools, and Google tied a new .NET backdoor (STOCKSTAY) to Turla’s Ukraine espionage campaigns. Law enforcement had another strong week — a Windows device ID helped the FBI trace an alleged Scattered Spider member while two other members pleaded guilty in the UK, and Google, the FBI, and IRS-CI’s takedown of the NetNut residential-proxy network and Popa botnet continues generating fallout. Most notably, CISA published an unusually candid postmortem on how its own GitHub repository leaked passwords and cloud access keys.
|
Topic map — families, actors, CVEs, and how they intersect
Named entities extracted from this week’s 21 malware-analysis articles — threat actors, malware families, CVEs, vendors, and the law-enforcement agencies and campaigns connecting them.
This week clusters around five gravitational centres: active exploitation of edge and AI tooling (Gitea, Adobe ColdFusion, Joomla page builders, and Langflow feeding both CISA’s KEV and JadePuffer’s agentic ransomware run); ransomware tradecraft (RedWing, EvilTokens, Avalon/CrownX, and FortiBleed credentials now confirmed feeding INC Ransom and Lynx); nation-state backdoors (Armored Likho’s BusySnake Stealer, UAT-7810’s Leash family, Turla’s STOCKSTAY); law-enforcement action (the Scattered Spider prosecutions, the NetNut/Popa takedown, Operation Endgame); and CISA’s own GitHub credential leak.
View interactive topic map →
|
Article index
Active exploitation & CISA KEV activity
Gitea, Adobe ColdFusion, and two Joomla page-builder plugins join a fresh CISA KEV sweep alongside a patched Microsoft Defender flaw and a crypto-draining ‘Ill Bloom’ bug; last cycle’s SharePoint KEV entry rounds out the patch-lag picture.
Ransomware tradecraft, malware families & MaaS
JadePuffer’s agentic ransomware run gets a threat-intel re-read; RedWing rents out Android bank fraud on Telegram; a new Ghost Phishing wave bypasses secure email gateways; and FortiBleed’s 110-million-credential haul is now tied to two ransomware gangs while Avalon/CrownX shows AI-assisted malware development in the wild.
APT campaigns & nation-state backdoors
Armored Likho targets government and electric-power entities with a Python stealer; China-linked UAT-7810 (LapDogs) expands its SOHO-router backdoor family; and Google ties a new .NET backdoor to Turla’s Ukraine espionage campaigns.
Law enforcement, takedowns & incident postmortems
A Windows device ID traces an alleged Scattered Spider hacker while two UK members plead guilty; Google, the FBI, and IRS-CI dismantle the NetNut proxy network and Popa botnet; Operation Endgame’s Amadey/StealC takedown and a Pegasus spyware case round out a strong week for law enforcement; and CISA discloses how its own GitHub credentials leaked.
|
Detailed write-ups
1. Threat actors probe a Gitea Docker flaw as CISA adds four more actively exploited bugs to KEV
The Hacker News · Jul 6, 2026 | The Hacker News · Jul 8, 2026
Cloud security firm Sysdig detected the first in-the-wild probing of CVE-2026-20896 (CVSS 9.8) just 13 days after disclosure: the official Gitea Docker image hard-codes REVERSE_PROXY_TRUSTED_PROXIES = *, so once an admin enables reverse-proxy authentication, anyone who can reach the container’s HTTP port can forge an X-WEBAUTH-USER header and log in as any known or guessable username — admin accounts included — with no password. Roughly 6,200 Gitea instances are internet-facing; the fix ships in version 1.26.3. Days later, CISA added four more actively exploited flaws to its KEV catalog in a single sweep: Adobe ColdFusion path traversal CVE-2026-48282 (CVSS 10.0, exploited within hours of disclosure), two unauthenticated file-upload flaws in Joomla page-builder plugins (CVE-2026-56290 and CVE-2026-48908, both CVSS 10.0 and already dropping web shells), and a Langflow IDOR (CVE-2026-55255) that Sysdig separately caught one operator chaining with a Langflow RCE to steal LLM-provider and AWS keys from other tenants’ flows — the same underlying platform later abused in this week’s JadePuffer case. Treat internet-facing Gitea, ColdFusion, Joomla page builders, and Langflow instances as emergency-patch items regardless of the July 10 federal deadline.
Read the article
Sources: The Hacker News — Gitea Docker flaw · The Hacker News — CISA KEV additions
6. JadePuffer: the first complete LLM-driven ransomware attack
Dark Reading · Jul 6, 2026
Dark Reading’s threat-intel take on JadePuffer digs into the mechanics Sysdig first documented: a human operator pointed an autonomous LLM agent at an internet-facing Langflow instance, exploited the unauthenticated CVE-2025-3248 RCE, and let the agent run the entire intrusion — reconnaissance, credential harvesting (LLM API keys and default MinIO credentials), lateral movement to a separate MySQL/Nacos production server via a 2021 Nacos auth-bypass paired with its known default JWT signing key, and a database-extortion finish — without further human input. The agent self-corrected a failed backdoor-login attempt within 31 seconds, encrypted 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT function, and dropped a ransom note with a Bitcoin address and ProtonMail contact; because the encryption key was never stored or transmitted, victims cannot recover data even by paying. (This week’s AI-ML bulletin covers the same operation from BleepingComputer’s AI-adoption angle; here the read is pure attack mechanics.) The skill floor for running ransomware now sits at whatever it costs to rent an agent — treat any exposed low-code AI/orchestration platform as a ransomware entry point, not just a data-leakage risk.
Read the article
Sources: Dark Reading
11. Armored Likho APT targeting government, electric-power entities
SecurityWeek · Jul 6, 2026
Kaspersky documented Armored Likho, an APT running both financially motivated attacks on individuals and cyber-espionage against government and electric-power organizations in Russia, Brazil, and Kazakhstan. Spear-phishing archives carry LNK files that display a decoy document while quietly fetching a Python 3.12 interpreter and a loader that installs the group’s Python-based BusySnake Stealer from GitHub-hosted development builds. BusySnake dynamically decrypts and re-encrypts its own bytecode at each function call to frustrate static analysis, runs without a console window, and can capture screenshots and keystrokes, decrypt saved Chromium/Firefox passwords, pull browser cookies, scrape for OTP seeds and crypto wallets, harvest Telegram sessions, and open a reverse SSH tunnel via Go2Tunnel — functionality Kaspersky says is being folded directly into BusySnake going forward. The group’s tooling and persistence mechanism overlap with Eagle Werewolf’s AquilaRAT. Hunt for unexpected Python 3.12 runtimes appearing alongside LNK execution, and for RustDesk credential-capture behavior tied to reverse-tunnel activity.
Read the article
Sources: SecurityWeek
12. China-linked APT expands its SOHO-router arsenal with new ‘Leash’ backdoors
SecurityWeek · Jul 8, 2026
Cisco Talos reports that UAT-7810, the China-linked actor behind the LapDogs operational-relay-box (ORB) campaign that infected over 1,000 SOHO routers with the ShortLeash backdoor, has expanded its toolkit with three new families: LongLeash, a next-generation version of ShortLeash built on the Nanopb and MbedTLS libraries that can act as either C2 or client and relay traffic between peers; DogLeash, a C-based passive backdoor deployed via a shell script that opens iptables rules and executes commands, reads/renames files, and gathers OS information on demand; and JarLeash, a Java-based backdoor offering a web-based file manager plus FTP/SFTP and netcat servers. UAT-7810 targets known flaws in Ruckus wireless routers across MIPS, ARM, and x64 architectures, and Talos ties one of its VPS IPs to the separate Asus-router Operation WrtHug ORB campaign; the group also supplies infrastructure to a second China-linked actor, UAT-5918. A newly spotted testing binary, LeashTest, suggests the group is still hardening MIPS support — treat any of these strings appearing on SOHO or edge devices as an indicator of an active ORB relay, not just a curiosity.
Read the article
Sources: SecurityWeek
14. Scattered Spider: a Windows device ID traces a suspect, while two UK members plead guilty
The Hacker News · Jul 7, 2026 | Krebs on Security · Jun 23, 2026
A newly unsealed federal complaint shows how a persistent Windows Global Device Identifier tied a 19-year-old dual US-Estonian citizen, Peter Stokes (“Bouquet”), to a May 2025 breach of a luxury jewelry retailer that netted 77GB of data and an $8 million ransom demand. Investigators traced the GDID from the account used to register an ngrok tunnel during the intrusion to Snapchat, Apple, and Facebook accounts prosecutors attribute to Stokes, cross-referenced against his travel through Tallinn, New York, and Thailand. The break-in itself required no exploit — attackers phoned the retailer’s help desk, posed as locked-out staff, and talked administrators into resetting passwords and MFA devices. Group-IB argues in separate research that Scattered Spider isn’t a single gang but a loose, Anonymous-like collective, which is why arrests keep coming one member at a time without stopping the activity: this cycle also saw Thalha Jubair and Owen Flowers plead guilty in the UK to the August 2024 Transport for London hack, with Jubair separately linked by US prosecutors to over 120 intrusions and $115 million in ransom payments via his “Star Chat” SIM-swapping channel. Callback verification and phishing-resistant MFA for any help-desk password or device reset remain the highest-leverage controls against this group’s playbook.
Read the article
Sources: The Hacker News — court filing · Krebs on Security — guilty pleas
16. CISA details the security lapses that led to its own GitHub credential leak
Cybersecurity Dive · Jul 10, 2026
In an unusually candid disclosure, CISA published a postmortem detailing how passwords and cloud access keys tied to the agency ended up exposed through a GitHub repository — the same class of hard-coded-secret and over-permissioned-repository mistakes CISA routinely warns other organizations about. The agency’s account traces the exposure to credentials embedded in code and configuration that were committed to a repository without adequate secret-scanning or access controls catching it before the material became reachable, and lays out the remediation steps taken: rotating the exposed credentials, tightening repository permissions and branch protections, and expanding automated secret-scanning coverage across its own development pipelines. Coming in the same week CISA added four more actively exploited flaws to KEV, the disclosure is a reminder that credential-hygiene failures aren’t a vendor-only problem — any organization, including the one setting federal patch deadlines, can leak secrets into source control. Audit your own repositories for hard-coded credentials and cloud keys now rather than after a similar disclosure.
Read the article
Sources: Cybersecurity Dive
18. FBI and Google dismantle the NetNut residential proxy network and the Popa botnet · FOUNDATIONAL
Krebs on Security · Jul 2, 2026 | The Hacker News · Jul 2, 2026
Google’s Threat Intelligence Group, the FBI, and IRS Criminal Investigation jointly took down NetNut, a residential proxy network built on an estimated 2 million compromised Android devices, smart TVs, and streaming boxes, also tied to a botnet tracked as Popa. Google logged 316 distinct threat clusters — spanning both cybercriminal and espionage activity — riding suspected NetNut exit nodes in a single week of monitoring, underscoring how central residential-proxy infrastructure has become to obscuring attacker traffic. Krebs on Security, whose earlier reporting reportedly helped trigger the action, identifies the operator as Alarum Technologies, a publicly traded Israeli firm, and notes NetNut was widely white-labeled and resold under other proxy brand names — meaning additional rebranded services riding the same seized infrastructure are likely to surface. The FBI seized hundreds of domains, including netnut.com, replacing them with a seizure notice. Any traffic-anomaly or fraud-detection program that whitelists residential IP ranges by reputation alone should revisit that assumption now that a network this size has been shown to be entirely hijacked infrastructure.
Read the article
Sources: Krebs on Security · The Hacker News
|
On our watch list
- Langflow exploitation spread. Two separate Langflow CVEs (the CVE-2026-55255 IDOR and the CVE-2025-3248 RCE) were both actively exploited this week — one for credential theft, one to launch JadePuffer’s agentic ransomware run. Expect further Langflow-focused attacks given how many low-code AI deployments remain internet-facing.
- CISA’s own remediation follow-through. With the agency disclosing its own GitHub credential leak the same week it added four flaws to KEV, watch for whether CISA publishes broader secrets-hygiene guidance drawing on its own incident.
- Leash backdoor family growth. UAT-7810 is still testing new functionality (LeashTest on MIPS); expect additional named variants and possibly a formal joint advisory if targeting expands beyond SOHO routers.
- NetNut’s white-labeled resellers. As flagged previously, expect additional takedown or disclosure activity as investigators map services reselling the same seized infrastructure under different brand names.
- JadePuffer copycat activity. The first fully agentic ransomware attack sets a low-friction precedent; watch for follow-on incidents against other exposed AI/orchestration platforms beyond Langflow.
|
|
Malware Analysis Weekly · a weekly intelligence bulletin from Security Radar LLC
Curated by Paul Davis (paul.davis@security-radar.com)
Weekly news items are from the previous seven days. Foundational reading is refreshed each week.
*|LIST:ADDRESS|*
View this email in your browser · Unsubscribe
© 2026 Security Radar LLC. All rights reserved.
Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.
|
|