Skip to content

CyberSecurity Institute

Security News Curated from across the world

Menu
Menu

Malware Analysis Weekly — July 12, 2026

Posted on July 12, 2026 by admini
Malware Analysis Weekly · July 12, 2026 · Weekly Edition

Malware Analysis Weekly

Active-exploit CVEs, fresh nation-state backdoors, and CISA’s own credential-leak postmortem · for malware analysts and IR teams

At a glance

This week was dominated by active exploitation stacking up across edge and AI tooling. Sysdig caught the first in-the-wild probing of a Gitea Docker flaw (CVE-2026-20896, CVSS 9.8) just 13 days after disclosure, and CISA added four more actively exploited bugs to its KEV catalog in a single sweep — Adobe ColdFusion (CVE-2026-48282, CVSS 10.0, exploited within hours of disclosure), two unauthenticated file-upload flaws in Joomla page-builder plugins (both CVSS 10.0), and a Langflow IDOR (CVE-2026-55255) that one operator chained with a Langflow RCE to steal LLM-provider and AWS keys. Microsoft finally shipped a patch for the RoguePlanet Defender race condition, and a novel ‘Ill Bloom’ bug drained over $5 million from crypto wallets.

Ransomware and malware tradecraft kept pace. Dark Reading’s own read on JadePuffer — the first confirmed ransomware run driven start-to-finish by an autonomous LLM agent — digs into the attack mechanics via the same Langflow RCE (CVE-2025-3248) flagged above. RedWing now rents Android bank-fraud capability as a Telegram-built MaaS kit, a new Ghost Phishing wave (EvilTokens) is defeating traditional secure email gateways, and the AI-assisted Avalon framework drops CrownX ransomware after evading nine named EDR vendors. Separately, FortiBleed’s 110-million-credential haul is now confirmed feeding both INC Ransom and Lynx.

On the APT and law-enforcement fronts: Armored Likho is running a Python stealer against government and electric-power targets, China-linked UAT-7810 (LapDogs) expanded its SOHO-router backdoor family with three new ‘Leash’ tools, and Google tied a new .NET backdoor (STOCKSTAY) to Turla’s Ukraine espionage campaigns. Law enforcement had another strong week — a Windows device ID helped the FBI trace an alleged Scattered Spider member while two other members pleaded guilty in the UK, and Google, the FBI, and IRS-CI’s takedown of the NetNut residential-proxy network and Popa botnet continues generating fallout. Most notably, CISA published an unusually candid postmortem on how its own GitHub repository leaked passwords and cloud access keys.

Topic map — families, actors, CVEs, and how they intersect

Named entities extracted from this week’s 21 malware-analysis articles — threat actors, malware families, CVEs, vendors, and the law-enforcement agencies and campaigns connecting them.

Topic map for malware analysis — July 12, 2026

This week clusters around five gravitational centres: active exploitation of edge and AI tooling (Gitea, Adobe ColdFusion, Joomla page builders, and Langflow feeding both CISA’s KEV and JadePuffer’s agentic ransomware run); ransomware tradecraft (RedWing, EvilTokens, Avalon/CrownX, and FortiBleed credentials now confirmed feeding INC Ransom and Lynx); nation-state backdoors (Armored Likho’s BusySnake Stealer, UAT-7810’s Leash family, Turla’s STOCKSTAY); law-enforcement action (the Scattered Spider prosecutions, the NetNut/Popa takedown, Operation Endgame); and CISA’s own GitHub credential leak.

View interactive topic map →

Article index

Active exploitation & CISA KEV activity

Gitea, Adobe ColdFusion, and two Joomla page-builder plugins join a fresh CISA KEV sweep alongside a patched Microsoft Defender flaw and a crypto-draining ‘Ill Bloom’ bug; last cycle’s SharePoint KEV entry rounds out the patch-lag picture.

# Article Source Date
1 Threat actors probe Gitea Docker flaw CVE-2026-20896 13 days after disclosure The Hacker News Jul 6
2 CISA adds 4 actively exploited Adobe, Joomla, and Langflow flaws to KEV The Hacker News Jul 8
3 Microsoft patches RoguePlanet Defender flaw that can grant SYSTEM privileges The Hacker News Jul 9
4 Attackers exploit ‘Ill Bloom’ vulnerability to drain millions from crypto wallets The Hacker News Jul 10
5 SharePoint RCE CVE-2026-45659 added to CISA KEV after active exploitation · FOUNDATIONAL The Hacker News Jul 2

Ransomware tradecraft, malware families & MaaS

JadePuffer’s agentic ransomware run gets a threat-intel re-read; RedWing rents out Android bank fraud on Telegram; a new Ghost Phishing wave bypasses secure email gateways; and FortiBleed’s 110-million-credential haul is now tied to two ransomware gangs while Avalon/CrownX shows AI-assisted malware development in the wild.

# Article Source Date
6 JadePuffer: the first complete LLM-driven ransomware attack Dark Reading Jul 6
7 RedWing MaaS packages Android bank fraud as a Telegram rental service The Hacker News Jul 7
8 New Ghost Phishing wave (EvilTokens) is breaking traditional email security The Hacker News Jul 8
9 FortiBleed credential theft linked to INC and Lynx ransomware operations · FOUNDATIONAL The Hacker News Jul 2
10 New Avalon malware framework packs CrownX ransomware capabilities · FOUNDATIONAL The Hacker News Jul 3

APT campaigns & nation-state backdoors

Armored Likho targets government and electric-power entities with a Python stealer; China-linked UAT-7810 (LapDogs) expands its SOHO-router backdoor family; and Google ties a new .NET backdoor to Turla’s Ukraine espionage campaigns.

# Article Source Date
11 Armored Likho APT targeting government, electric power entities SecurityWeek Jul 6
12 China-linked APT (UAT-7810/LapDogs) expands arsenal with new ‘Leash’ backdoors SecurityWeek Jul 8
13 Google details Turla’s new STOCKSTAY backdoor used in Ukraine espionage attacks · FOUNDATIONAL The Hacker News Jun 26

Law enforcement, takedowns & incident postmortems

A Windows device ID traces an alleged Scattered Spider hacker while two UK members plead guilty; Google, the FBI, and IRS-CI dismantle the NetNut proxy network and Popa botnet; Operation Endgame’s Amadey/StealC takedown and a Pegasus spyware case round out a strong week for law enforcement; and CISA discloses how its own GitHub credentials leaked.

# Article Source Date
14 Court filing reveals Windows device ID helped FBI trace alleged Scattered Spider hacker The Hacker News Jul 7
15 ThreatsDay: cloud bucket hijacking, Windows LPE chain, global fraud bust + 17 more stories The Hacker News Jul 9
16 CISA details security lapses that led to GitHub leak of passwords, cloud access keys Cybersecurity Dive Jul 10
17 Scattered Spider hackers plead guilty on day 1 of trial · FOUNDATIONAL Krebs on Security Jun 23
18 FBI seizes NetNut proxy platform, Popa botnet · FOUNDATIONAL Krebs on Security Jul 2
19 Google disrupts NetNut residential proxy network spanning 2 million home devices · FOUNDATIONAL The Hacker News Jul 2
20 Amadey and StealC malware network disrupted, 27M stolen credentials recovered · FOUNDATIONAL The Hacker News Jun 24
21 European Parliament member investigating spyware was hacked with Pegasus · FOUNDATIONAL The Hacker News Jul 3

Detailed write-ups

1. Threat actors probe a Gitea Docker flaw as CISA adds four more actively exploited bugs to KEV

The Hacker News · Jul 6, 2026  |  The Hacker News · Jul 8, 2026

Cloud security firm Sysdig detected the first in-the-wild probing of CVE-2026-20896 (CVSS 9.8) just 13 days after disclosure: the official Gitea Docker image hard-codes REVERSE_PROXY_TRUSTED_PROXIES = *, so once an admin enables reverse-proxy authentication, anyone who can reach the container’s HTTP port can forge an X-WEBAUTH-USER header and log in as any known or guessable username — admin accounts included — with no password. Roughly 6,200 Gitea instances are internet-facing; the fix ships in version 1.26.3. Days later, CISA added four more actively exploited flaws to its KEV catalog in a single sweep: Adobe ColdFusion path traversal CVE-2026-48282 (CVSS 10.0, exploited within hours of disclosure), two unauthenticated file-upload flaws in Joomla page-builder plugins (CVE-2026-56290 and CVE-2026-48908, both CVSS 10.0 and already dropping web shells), and a Langflow IDOR (CVE-2026-55255) that Sysdig separately caught one operator chaining with a Langflow RCE to steal LLM-provider and AWS keys from other tenants’ flows — the same underlying platform later abused in this week’s JadePuffer case. Treat internet-facing Gitea, ColdFusion, Joomla page builders, and Langflow instances as emergency-patch items regardless of the July 10 federal deadline.

Read the article

Sources: The Hacker News — Gitea Docker flaw · The Hacker News — CISA KEV additions

6. JadePuffer: the first complete LLM-driven ransomware attack

Dark Reading · Jul 6, 2026

Dark Reading’s threat-intel take on JadePuffer digs into the mechanics Sysdig first documented: a human operator pointed an autonomous LLM agent at an internet-facing Langflow instance, exploited the unauthenticated CVE-2025-3248 RCE, and let the agent run the entire intrusion — reconnaissance, credential harvesting (LLM API keys and default MinIO credentials), lateral movement to a separate MySQL/Nacos production server via a 2021 Nacos auth-bypass paired with its known default JWT signing key, and a database-extortion finish — without further human input. The agent self-corrected a failed backdoor-login attempt within 31 seconds, encrypted 1,342 Nacos configuration items using MySQL’s AES_ENCRYPT function, and dropped a ransom note with a Bitcoin address and ProtonMail contact; because the encryption key was never stored or transmitted, victims cannot recover data even by paying. (This week’s AI-ML bulletin covers the same operation from BleepingComputer’s AI-adoption angle; here the read is pure attack mechanics.) The skill floor for running ransomware now sits at whatever it costs to rent an agent — treat any exposed low-code AI/orchestration platform as a ransomware entry point, not just a data-leakage risk.

Read the article

Sources: Dark Reading

11. Armored Likho APT targeting government, electric-power entities

SecurityWeek · Jul 6, 2026

Kaspersky documented Armored Likho, an APT running both financially motivated attacks on individuals and cyber-espionage against government and electric-power organizations in Russia, Brazil, and Kazakhstan. Spear-phishing archives carry LNK files that display a decoy document while quietly fetching a Python 3.12 interpreter and a loader that installs the group’s Python-based BusySnake Stealer from GitHub-hosted development builds. BusySnake dynamically decrypts and re-encrypts its own bytecode at each function call to frustrate static analysis, runs without a console window, and can capture screenshots and keystrokes, decrypt saved Chromium/Firefox passwords, pull browser cookies, scrape for OTP seeds and crypto wallets, harvest Telegram sessions, and open a reverse SSH tunnel via Go2Tunnel — functionality Kaspersky says is being folded directly into BusySnake going forward. The group’s tooling and persistence mechanism overlap with Eagle Werewolf’s AquilaRAT. Hunt for unexpected Python 3.12 runtimes appearing alongside LNK execution, and for RustDesk credential-capture behavior tied to reverse-tunnel activity.

Read the article

Sources: SecurityWeek

12. China-linked APT expands its SOHO-router arsenal with new ‘Leash’ backdoors

SecurityWeek · Jul 8, 2026

Cisco Talos reports that UAT-7810, the China-linked actor behind the LapDogs operational-relay-box (ORB) campaign that infected over 1,000 SOHO routers with the ShortLeash backdoor, has expanded its toolkit with three new families: LongLeash, a next-generation version of ShortLeash built on the Nanopb and MbedTLS libraries that can act as either C2 or client and relay traffic between peers; DogLeash, a C-based passive backdoor deployed via a shell script that opens iptables rules and executes commands, reads/renames files, and gathers OS information on demand; and JarLeash, a Java-based backdoor offering a web-based file manager plus FTP/SFTP and netcat servers. UAT-7810 targets known flaws in Ruckus wireless routers across MIPS, ARM, and x64 architectures, and Talos ties one of its VPS IPs to the separate Asus-router Operation WrtHug ORB campaign; the group also supplies infrastructure to a second China-linked actor, UAT-5918. A newly spotted testing binary, LeashTest, suggests the group is still hardening MIPS support — treat any of these strings appearing on SOHO or edge devices as an indicator of an active ORB relay, not just a curiosity.

Read the article

Sources: SecurityWeek

14. Scattered Spider: a Windows device ID traces a suspect, while two UK members plead guilty

The Hacker News · Jul 7, 2026  |  Krebs on Security · Jun 23, 2026

A newly unsealed federal complaint shows how a persistent Windows Global Device Identifier tied a 19-year-old dual US-Estonian citizen, Peter Stokes (“Bouquet”), to a May 2025 breach of a luxury jewelry retailer that netted 77GB of data and an $8 million ransom demand. Investigators traced the GDID from the account used to register an ngrok tunnel during the intrusion to Snapchat, Apple, and Facebook accounts prosecutors attribute to Stokes, cross-referenced against his travel through Tallinn, New York, and Thailand. The break-in itself required no exploit — attackers phoned the retailer’s help desk, posed as locked-out staff, and talked administrators into resetting passwords and MFA devices. Group-IB argues in separate research that Scattered Spider isn’t a single gang but a loose, Anonymous-like collective, which is why arrests keep coming one member at a time without stopping the activity: this cycle also saw Thalha Jubair and Owen Flowers plead guilty in the UK to the August 2024 Transport for London hack, with Jubair separately linked by US prosecutors to over 120 intrusions and $115 million in ransom payments via his “Star Chat” SIM-swapping channel. Callback verification and phishing-resistant MFA for any help-desk password or device reset remain the highest-leverage controls against this group’s playbook.

Read the article

Sources: The Hacker News — court filing · Krebs on Security — guilty pleas

16. CISA details the security lapses that led to its own GitHub credential leak

Cybersecurity Dive · Jul 10, 2026

In an unusually candid disclosure, CISA published a postmortem detailing how passwords and cloud access keys tied to the agency ended up exposed through a GitHub repository — the same class of hard-coded-secret and over-permissioned-repository mistakes CISA routinely warns other organizations about. The agency’s account traces the exposure to credentials embedded in code and configuration that were committed to a repository without adequate secret-scanning or access controls catching it before the material became reachable, and lays out the remediation steps taken: rotating the exposed credentials, tightening repository permissions and branch protections, and expanding automated secret-scanning coverage across its own development pipelines. Coming in the same week CISA added four more actively exploited flaws to KEV, the disclosure is a reminder that credential-hygiene failures aren’t a vendor-only problem — any organization, including the one setting federal patch deadlines, can leak secrets into source control. Audit your own repositories for hard-coded credentials and cloud keys now rather than after a similar disclosure.

Read the article

Sources: Cybersecurity Dive

18. FBI and Google dismantle the NetNut residential proxy network and the Popa botnet · FOUNDATIONAL

Krebs on Security · Jul 2, 2026  |  The Hacker News · Jul 2, 2026

Google’s Threat Intelligence Group, the FBI, and IRS Criminal Investigation jointly took down NetNut, a residential proxy network built on an estimated 2 million compromised Android devices, smart TVs, and streaming boxes, also tied to a botnet tracked as Popa. Google logged 316 distinct threat clusters — spanning both cybercriminal and espionage activity — riding suspected NetNut exit nodes in a single week of monitoring, underscoring how central residential-proxy infrastructure has become to obscuring attacker traffic. Krebs on Security, whose earlier reporting reportedly helped trigger the action, identifies the operator as Alarum Technologies, a publicly traded Israeli firm, and notes NetNut was widely white-labeled and resold under other proxy brand names — meaning additional rebranded services riding the same seized infrastructure are likely to surface. The FBI seized hundreds of domains, including netnut.com, replacing them with a seizure notice. Any traffic-anomaly or fraud-detection program that whitelists residential IP ranges by reputation alone should revisit that assumption now that a network this size has been shown to be entirely hijacked infrastructure.

Read the article

Sources: Krebs on Security · The Hacker News

On our watch list

  1. Langflow exploitation spread. Two separate Langflow CVEs (the CVE-2026-55255 IDOR and the CVE-2025-3248 RCE) were both actively exploited this week — one for credential theft, one to launch JadePuffer’s agentic ransomware run. Expect further Langflow-focused attacks given how many low-code AI deployments remain internet-facing.
  2. CISA’s own remediation follow-through. With the agency disclosing its own GitHub credential leak the same week it added four flaws to KEV, watch for whether CISA publishes broader secrets-hygiene guidance drawing on its own incident.
  3. Leash backdoor family growth. UAT-7810 is still testing new functionality (LeashTest on MIPS); expect additional named variants and possibly a formal joint advisory if targeting expands beyond SOHO routers.
  4. NetNut’s white-labeled resellers. As flagged previously, expect additional takedown or disclosure activity as investigators map services reselling the same seized infrastructure under different brand names.
  5. JadePuffer copycat activity. The first fully agentic ransomware attack sets a low-friction precedent; watch for follow-on incidents against other exposed AI/orchestration platforms beyond Langflow.

Malware Analysis Weekly · a weekly intelligence bulletin from Security Radar LLC

Curated by Paul Davis (paul.davis@security-radar.com)

Weekly news items are from the previous seven days. Foundational reading is refreshed each week.

*|LIST:ADDRESS|*

View this email in your browser · Unsubscribe

© 2026 Security Radar LLC. All rights reserved.

Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.

Recent Posts

  • DevSecOps Weekly — July 12, 2026
  • DevSecOps Weekly — July 12, 2026 — Interactive Topic Map
  • Malware Analysis Weekly — July 12, 2026
  • Malware Analysis Weekly — July 12, 2026 — Interactive Topic Map
  • AI & ML in Security — July 12, 2026

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • November 2025
  • April 2024
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • April 2023
  • March 2023
  • February 2022
  • January 2022
  • December 2021
  • September 2020
  • October 2019
  • August 2019
  • July 2019
  • December 2018
  • April 2018
  • December 2016
  • September 2016
  • August 2016
  • July 2016
  • April 2015
  • March 2015
  • August 2014
  • March 2014
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • October 2012
  • September 2012
  • August 2012
  • February 2012
  • October 2011
  • August 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • November 2010
  • October 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • June 2009
  • May 2009
  • March 2009
  • February 2009
  • January 2009
  • December 2008
  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008
  • March 2008
  • February 2008
  • January 2008
  • December 2007
  • November 2007
  • October 2007
  • September 2007
  • August 2007
  • July 2007
  • June 2007
  • May 2007
  • April 2007
  • March 2007
  • February 2007
  • January 2007
  • December 2006
  • November 2006
  • October 2006
  • September 2006
  • August 2006
  • July 2006
  • June 2006
  • May 2006
  • April 2006
  • March 2006
  • February 2006
  • January 2006
  • December 2005
  • November 2005
  • October 2005
  • September 2005
  • August 2005
  • July 2005
  • June 2005
  • May 2005
  • April 2005
  • March 2005
  • February 2005
  • January 2005
  • December 2004
  • November 2004
  • October 2004
  • September 2004
  • August 2004
  • July 2004
  • June 2004
  • May 2004
  • April 2004
  • March 2004
  • February 2004
  • January 2004
  • December 2003
  • November 2003
  • October 2003
  • September 2003

Categories

  • AI-ML
  • Augment / Virtual Reality
  • Blogging
  • Cloud
  • DR/Crisis Response/Crisis Management
  • Editorial
  • Financial
  • Make You Smile
  • Malware
  • Mobility
  • Motor Industry
  • News
  • OTT Video
  • Pending Review
  • Personal
  • Product
  • Regulations
  • Secure
  • Security Industry News
  • Security Operations
  • Statistics
  • Threat Intel
  • Trends
  • Uncategorized
  • Warnings
  • WebSite News
  • Zero Trust

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
© 2026 CyberSecurity Institute | Powered by Superbs Personal Blog theme