{"id":5327,"date":"2026-06-06T17:45:39","date_gmt":"2026-06-06T22:45:39","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5327"},"modified":"2026-06-14T17:49:10","modified_gmt":"2026-06-14T22:49:10","slug":"malware-analysis-weekly-june-7-2026-2","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5327","title":{"rendered":"Malware Analysis Weekly &mdash; June 7, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#7f1d1d;background:linear-gradient(135deg,#7f1d1d 0%,#b91c1c 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff;\">Malware Analysis Weekly &middot; June 14, 2026 &middot; Weekly Edition<\/div>\n<h1 style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff;\">Malware Analysis Weekly<\/h1>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff;\">Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #b91c1c;padding-bottom:6px;\">At a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">This week was defined by <strong>actively exploited zero-days stacking up across the edge and the endpoint<\/strong>. Google shipped Chrome 149 to close a V8 out-of-bounds read\/write (<strong>CVE-2026-11645<\/strong>, CVSS 8.8) already exploited in the wild &mdash; the fifth Chrome zero-day of 2026. A critical IKEv1 auth-bypass in <strong>Check Point<\/strong> Remote\/Mobile Access VPN (<strong>CVE-2026-50751<\/strong>, CVSS 9.3) has been abused by a Qilin ransomware affiliate since May 7 and landed in CISA&rsquo;s KEV with a June 11 deadline. Cisco disclosed its <strong>seventh SD-WAN zero-day of 2026<\/strong> (<strong>CVE-2026-20245<\/strong>) &mdash; an unpatched root-privilege flaw in Catalyst SD-WAN Manager with confirmed config-pushing in the wild &mdash; and a public PoC named <strong>RoguePlanet<\/strong> (<strong>CVE-2026-47281<\/strong>, CVSS 9.6) turns a Microsoft Defender race condition into SYSTEM on fully patched Windows.<\/p>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">Law enforcement kept the pressure on ransomware&rsquo;s support economy. Europol&rsquo;s June 10 takedown dismantled <strong>&ldquo;AudiA6,&rdquo;<\/strong> a crypto-laundering service that moved ~&euro;336M through 6,000+ mule accounts and is tied to 15+ ransomware investigations. Separately, Ukrainian national <strong>Oleksii Lytvynenko<\/strong> pleaded guilty to wire-fraud conspiracy for his role in the <strong>Conti<\/strong> operation, with sentencing set for September 10.<\/p>\n<p style=\"margin:0 0 18px;font-size:15px;color:#374151;\">On the delivery side, the <strong>supply-chain and web-delivery<\/strong> threads stayed loud. The <strong>Miasma<\/strong> npm worm (Shai-Hulud lineage) compromised 32 <code>@redhat-cloud-services<\/code> packages via a preinstall hook to sweep cloud and CI\/CD secrets and republish itself, while the new <strong>DriveSurge<\/strong> initial-access-broker operation hijacked thousands of sites and routed victims through a zTDS traffic-distribution system into ClickFix\/FakeUpdates on Windows and macOS. Intel 471 framed a June surge in APT activity against critical sectors. For foundational context this week: Dutch police dismantled a <strong>17-million-device botnet<\/strong> behind the Asocks residential-proxy network, Operation Saffron took down the bulletproof <strong>&ldquo;First VPN&rdquo;<\/strong> used by 25+ ransomware groups, and Unit 42 detailed Iranian APT <strong>Screening Serpens&rsquo;<\/strong> six new RAT variants.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Topic map &mdash; families, actors, CVEs, and how they intersect<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Named entities extracted from this week&rsquo;s 12 malware-analysis articles &mdash; threat actors, malware families, CVEs, vendors, researchers, and the campaigns or themes connecting them.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/06\/topic-map-malware-analysis-2026-06-14.png\" alt=\"Topic map for malware analysis\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" \/>\n<\/div>\n<p style=\"margin:10px 0 0;font-size:12px;color:#64748b;font-style:italic;\">This week clusters around actively exploited zero-days across Chrome (CVE-2026-11645), Check Point VPN (CVE-2026-50751), Cisco SD-WAN (CVE-2026-20245), and Microsoft Defender (RoguePlanet, CVE-2026-47281); ransomware takedowns and prosecutions (Europol&rsquo;s AudiA6 laundering bust, the Conti guilty plea); and supply-chain and web-delivery campaigns (the Miasma npm worm and the DriveSurge ClickFix\/FakeUpdate operation) &mdash; set against an Intel 471-reported surge in APT activity and foundational botnet, bulletproof-VPN, and Iranian-APT takedowns and analysis.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#ea580c;text-transform:uppercase;letter-spacing:1px;\">Actively exploited zero-days &amp; critical CVEs<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">In-the-wild browser RCE, edge-VPN auth bypass tied to a ransomware affiliate, unpatched network-infrastructure exploitation, and a SYSTEM-level local privilege-escalation PoC.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">1<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/chrome-v8-zero-day-cve-2026-11645.html\" style=\"color:#1d4ed8;text-decoration:none;\">Chrome V8 zero-day CVE-2026-11645 exploited in the wild &mdash; patch now<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 9<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks\/\" style=\"color:#1d4ed8;text-decoration:none;\">Check Point VPN zero-day exploited in Qilin ransomware attacks (CVE-2026-50751)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 8<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">3<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/cisco-warns-of-7th-sd-wan-zero-day-exploited-in-2026\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cisco warns of 7th SD-WAN zero-day exploited in 2026 (CVE-2026-20245)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 5<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">4<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/microsoft-defender-rogueplanet-zero-day.html\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Defender &lsquo;RoguePlanet&rsquo; zero-day grants SYSTEM access on patched Windows (CVE-2026-47281)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 10<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#b91c1c;text-transform:uppercase;letter-spacing:1px;\">Ransomware &amp; law-enforcement actions<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Disruption of the criminal financial infrastructure underpinning ransomware, and a prosecution milestone against a major ransomware operation.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">5<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/europol-disrupts-audia6-crypto.html\" style=\"color:#1d4ed8;text-decoration:none;\">Europol disrupts &lsquo;AudiA6&rsquo; crypto-laundering service used by ransomware gangs<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 12<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">6<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation\/\" style=\"color:#1d4ed8;text-decoration:none;\">Ukrainian national pleads guilty to role in Conti ransomware operation<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 12<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#7c3aed;text-transform:uppercase;letter-spacing:1px;\">Supply-chain &amp; web-delivery campaigns<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">A self-propagating npm worm sweeping CI\/CD secrets, an initial-access-broker TDS pushing ClickFix\/FakeUpdates, and a threat-landscape frame tying active APT campaigns together.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">7<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.wiz.io\/blog\/miasma-supply-chain-attack-targeting-redhat-npm-packages\" style=\"color:#1d4ed8;text-decoration:none;\">Miasma: supply-chain worm compromises 32 Red Hat npm packages<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Wiz blog<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 3<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">8<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/drivesurge-hijacks-thousands-sites-clickfix-fakeupdate-attacks\" style=\"color:#1d4ed8;text-decoration:none;\">New DriveSurge threat actor hijacks thousands of sites for ClickFix\/FakeUpdate attacks<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Dark Reading<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 2<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">9<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/industrialcyber.co\/ransomware\/global-cyber-threat-campaigns-escalate-as-apt-groups-target-critical-sectors-intel-471-reports\/\" style=\"color:#1d4ed8;text-decoration:none;\">Global cyber-threat campaigns escalate as APT groups target critical sectors (Intel 471)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Industrial Cyber<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 2026<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#0891b2;text-transform:uppercase;letter-spacing:1px;\">APT &amp; botnet takedowns (foundational)<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Refreshed each week &mdash; a massive residential-proxy botnet seizure, a bulletproof-VPN takedown serving 25+ ransomware groups, and deep Iranian-APT malware-family analysis.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">10<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/dutch-police-dismantle-massive-17-million-device-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">Dutch police dismantle 17-million-device botnet (Asocks residential proxy)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 28<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">11<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/05\/first-vpn-dismantled-in-global-takedown.html\" style=\"color:#1d4ed8;text-decoration:none;\">First VPN dismantled in global takedown over use by 25 ransomware groups (Operation Saffron)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 19<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">12<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/tracking-iran-apt-screening-serpens\/\" style=\"color:#1d4ed8;text-decoration:none;\">Tracking Iranian APT Screening Serpens&rsquo; 2026 espionage campaigns<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Unit 42<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 22<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">1. Chrome V8 zero-day CVE-2026-11645 exploited in the wild &mdash; patch now<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Google patched a <strong>V8 out-of-bounds read\/write<\/strong> zero-day (<strong>CVE-2026-11645<\/strong>, CVSS 8.8) that is being actively exploited in the wild &mdash; the <strong>fifth Chrome zero-day of 2026<\/strong>. The fix shipped in <strong>Chrome 149 stable on June 8<\/strong>. This is an in-the-wild browser RCE primitive, so it&rsquo;s a confirm-the-rollout item first: validate that managed fleets have moved to 149, force-restart browsers to apply the update, and don&rsquo;t forget Chromium-based downstreams. Then hunt for exploitation artifacts &mdash; renderer crashes, unexpected child processes spawned from <code>chrome.exe<\/code>, and post-exploitation download\/execute chains following web visits.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/06\/chrome-v8-zero-day-cve-2026-11645.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/06\/chrome-v8-zero-day-cve-2026-11645.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">2. Check Point VPN zero-day exploited in Qilin ransomware attacks (CVE-2026-50751)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A critical <strong>IKEv1 authentication bypass<\/strong> (<strong>CVE-2026-50751<\/strong>, CVSS 9.3) in <strong>Check Point Remote\/Mobile Access VPN<\/strong> has been exploited since <strong>May 7 by a Qilin ransomware affiliate<\/strong>. CISA added it to KEV on <strong>June 9 with a June 11 patch deadline<\/strong>. This is an active-exploit CVE tied directly into a ransomware intrusion chain, so treat exposed gateways as priority-zero: apply the vendor fix immediately, review remote-access logs for anomalous IKEv1 negotiations and authentications back to May 7, and assume any session established during the window is suspect. Pivot from VPN access into lateral-movement and pre-encryption staging hunts given the Qilin linkage.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/www.securityweek.com\/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.securityweek.com\/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">3. Cisco warns of 7th SD-WAN zero-day exploited in 2026 (CVE-2026-20245)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Cisco disclosed an <strong>actively exploited, unpatched root-privilege flaw<\/strong> in <strong>Catalyst SD-WAN Manager<\/strong> (<strong>CVE-2026-20245<\/strong>), reported by <strong>Mandiant<\/strong>, with confirmed cases of attackers <strong>pushing config changes to edge devices<\/strong>. This is in-the-wild network-infrastructure exploitation with no patch available &mdash; the worst combination for IR teams. Until a fix lands, restrict management-plane access, watch SD-WAN Manager for unexpected configuration deployments and template changes, and audit edge-device configs against known-good baselines. Treat any unexplained config push during the exposure window as a potential compromise and validate device integrity downstream.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/www.securityweek.com\/cisco-warns-of-7th-sd-wan-zero-day-exploited-in-2026\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.securityweek.com\/cisco-warns-of-7th-sd-wan-zero-day-exploited-in-2026\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">4. Microsoft Defender &lsquo;RoguePlanet&rsquo; zero-day grants SYSTEM access on patched Windows (CVE-2026-47281)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A public PoC dubbed <strong>&ldquo;RoguePlanet&rdquo;<\/strong> (<strong>CVE-2026-47281<\/strong>, CVSS 9.6) exploits a <strong>Microsoft Defender race condition<\/strong> to obtain a <strong>SYSTEM-level shell on fully patched Windows 10\/11<\/strong>, and is reported to be actively exploited. This is an unpatched local privilege-escalation primitive that slots neatly into post-compromise chains &mdash; assume any foothold an attacker already has can be escalated to SYSTEM. Hunt for anomalous child processes and token manipulation around the Defender service, unexpected SYSTEM-context shells, and race-condition exploitation patterns. Prioritize detection on the escalation step since there is no patch to lean on yet.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/06\/microsoft-defender-rogueplanet-zero-day.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/06\/microsoft-defender-rogueplanet-zero-day.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">5. Europol disrupts &lsquo;AudiA6&rsquo; crypto-laundering service used by ransomware gangs<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A <strong>June 10 international takedown<\/strong> dismantled <strong>&ldquo;AudiA6,&rdquo;<\/strong> a crypto-laundering service that moved <strong>~&euro;336M<\/strong> for cybercriminals through <strong>6,000+ mule accounts<\/strong>. Two administrators were arrested in <strong>Georgia<\/strong>, and the service is linked to <strong>15+ ransomware investigations<\/strong>. This is a law-enforcement strike against the criminal financial infrastructure that underpins ransomware monetization &mdash; cutting off cash-out capacity raises operating costs across multiple affiliates at once. For analysts, the value is in the downstream intelligence: expect investigative pivots from the seized mule-account network into the ransomware crews it serviced.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/06\/europol-disrupts-audia6-crypto.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/06\/europol-disrupts-audia6-crypto.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">6. Ukrainian national pleads guilty to role in Conti ransomware operation<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\"><strong>Oleksii Lytvynenko<\/strong>, extradited from Ireland, <strong>pleaded guilty to wire-fraud conspiracy<\/strong> tied to <strong>Conti<\/strong> attacks during <strong>2021&ndash;2022<\/strong> that affected <strong>1,000+ systems<\/strong>; sentencing is set for <strong>September 10<\/strong>. This is a prosecution milestone against one of the most consequential ransomware operations of the era. While it doesn&rsquo;t change today&rsquo;s detection posture, it reinforces the attribution and tooling lineage that flowed out of Conti into successor crews &mdash; useful context when triaging TTPs that trace back to the original playbook.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ukrainian-national-pleads-guilty-to-role-in-conti-ransomware-operation\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">7. Miasma: supply-chain worm compromises 32 Red Hat npm packages<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">Wiz details <strong>Miasma<\/strong>, a self-propagating credential-harvesting <strong>npm worm<\/strong> of the <strong>Shai-Hulud lineage<\/strong> that compromised <strong>32 <code>@redhat-cloud-services<\/code> packages<\/strong> via a <strong>preinstall hook<\/strong>, sweeping cloud and CI\/CD secrets before <strong>republishing itself<\/strong>. This is an active supply-chain compromise that comes with IOCs and remediation guidance. IR teams should rotate any credentials and tokens exposed to affected build environments, audit recent <code>@redhat-cloud-services<\/code> installs across CI\/CD and developer machines, block the worm&rsquo;s egress, and review npm publish history on org-owned scopes for unexpected version bumps that signal recursive republishing.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/www.wiz.io\/blog\/miasma-supply-chain-attack-targeting-redhat-npm-packages\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.wiz.io\/blog\/miasma-supply-chain-attack-targeting-redhat-npm-packages\" style=\"color:#1d4ed8;text-decoration:none;\">Wiz blog<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">8. New DriveSurge threat actor hijacks thousands of sites for ClickFix\/FakeUpdate attacks<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\"><strong>Silent Push<\/strong> detailed <strong>&ldquo;DriveSurge,&rdquo;<\/strong> an <strong>initial-access-broker operation<\/strong> using a <strong>zTDS traffic-distribution system<\/strong> across <strong>thousands of compromised sites<\/strong> to deliver <strong>ClickFix\/FakeUpdates<\/strong> to both <strong>Windows and macOS<\/strong> victims. This is an active malware-delivery campaign with IAB-infrastructure analysis and TDS tradecraft analysts can hunt on. Detection focus: injected redirect\/JavaScript on compromised web properties, traffic flowing through the zTDS, ClickFix fake-CAPTCHA prompts that coax users into pasting clipboard commands, and the resulting <code>mshta<\/code>\/shell launches. Cross-platform targeting means macOS endpoints belong in the hunt too.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/drivesurge-hijacks-thousands-sites-clickfix-fakeupdate-attacks\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/drivesurge-hijacks-thousands-sites-clickfix-fakeupdate-attacks\" style=\"color:#1d4ed8;text-decoration:none;\">Dark Reading<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">9. Global cyber-threat campaigns escalate as APT groups target critical sectors (Intel 471)<\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\"><strong>Intel 471<\/strong> reports a <strong>June surge in APT operations against critical sectors<\/strong>, with both <strong>espionage and disruptive activity growing in scale<\/strong>. This is a threat-landscape framing piece that ties several active APT campaigns together rather than a single-family writeup &mdash; useful for setting hunting priorities and briefing stakeholders on where state-aligned pressure is concentrating. Pair it with the foundational APT analysis below (Screening Serpens) to map specific malware families and TTPs onto the broader trend.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/industrialcyber.co\/ransomware\/global-cyber-threat-campaigns-escalate-as-apt-groups-target-critical-sectors-intel-471-reports\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/industrialcyber.co\/ransomware\/global-cyber-threat-campaigns-escalate-as-apt-groups-target-critical-sectors-intel-471-reports\/\" style=\"color:#1d4ed8;text-decoration:none;\">Industrial Cyber<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">10. Dutch police dismantle 17-million-device botnet (Asocks residential proxy) <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">NCSC and Dutch police <strong>seized 200+ C2 servers<\/strong> behind a <strong>17-million-device botnet<\/strong> powering the <strong>Asocks residential-proxy network<\/strong> used for <strong>DDoS, phishing, credential stuffing, and malware distribution<\/strong>. A botnet and criminal-infrastructure takedown of this scale matters to IR teams well beyond the headline: residential-proxy abuse is a recurring problem because malicious traffic blends into legitimate ISP space and defeats simple IP reputation. Use this as a prompt to revisit detections that assume datacenter-ASN signals, and to harden against credential-stuffing routed through residential exit nodes.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/www.securityweek.com\/dutch-police-dismantle-massive-17-million-device-botnet\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/www.securityweek.com\/dutch-police-dismantle-massive-17-million-device-botnet\/\" style=\"color:#1d4ed8;text-decoration:none;\">SecurityWeek<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">11. First VPN dismantled in global takedown over use by 25 ransomware groups (Operation Saffron) <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\">A France\/Netherlands-led <strong>Operation Saffron<\/strong> seized <strong>33 bulletproof-VPN servers across 27 countries<\/strong> and arrested the administrator in <strong>Ukraine<\/strong>; <strong>&ldquo;First VPN&rdquo;<\/strong> had served <strong>25+ ransomware groups since 2014<\/strong>. This is a law-enforcement disruption of the anonymization infrastructure central to ransomware operations &mdash; the kind of upstream takedown that degrades many crews&rsquo; OPSEC at once. For analysts, the seized server set is a likely source of attribution pivots; expect follow-on intelligence linking infrastructure to specific ransomware operations over the coming weeks.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/05\/first-vpn-dismantled-in-global-takedown.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/05\/first-vpn-dismantled-in-global-takedown.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<h3 style=\"margin:0 0 6px;font-size:16px;color:#111827;\">12. Tracking Iranian APT Screening Serpens&rsquo; 2026 espionage campaigns <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/h3>\n<p style=\"margin:0 0 6px;font-size:14px;color:#374151;\"><strong>Unit 42<\/strong> details <strong>six new RAT variants<\/strong> (including <strong>two new families<\/strong>) deployed <strong>February&ndash;April 2026<\/strong> against targets in the <strong>US, Israel, and UAE<\/strong>, using <strong>AppDomainManager hijacking<\/strong> and <strong>air-carrier impersonation lures<\/strong>. This is deep APT malware-family analysis with new RAT TTPs and IOCs ready for detection content. Build coverage around AppDomainManager hijacking (anomalous .NET config files redirecting managed processes to attacker DLLs), and feed the published RAT indicators into Sigma\/YARA. Pair with the Intel 471 trend piece above to connect this family-level detail to the broader surge in APT activity against critical sectors.<\/p>\n<p style=\"margin:0 0 6px;\"><a class=\"button\" href=\"https:\/\/unit42.paloaltonetworks.com\/tracking-iran-apt-screening-serpens\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"margin:0 0 18px;font-size:12.5px;color:#475569;\">Sources: <a href=\"https:\/\/unit42.paloaltonetworks.com\/tracking-iran-apt-screening-serpens\/\" style=\"color:#1d4ed8;text-decoration:none;\">Unit 42<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">On our watch list<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li style=\"margin-bottom:8px;\"><strong>Cisco SD-WAN patch and active exploitation.<\/strong> CVE-2026-20245 is the seventh SD-WAN zero-day of 2026 and remains unpatched while attackers push config changes to edge devices. Watch for the Cisco fix and Mandiant follow-up IOCs, and keep management-plane restrictions and config-baseline diffs in place until a patch is validated in your fleet.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>RoguePlanet weaponization in real chains.<\/strong> A public PoC plus reported active exploitation of the Defender race condition (CVE-2026-47281) means we expect it folded into post-compromise toolkits quickly. Watch for a Microsoft mitigation or out-of-band patch, and prioritize behavioral detection on SYSTEM-context shells around Defender until one ships.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Fallout from the AudiA6 and First VPN takedowns.<\/strong> Both seized infrastructure servicing many ransomware crews. We expect attribution pivots and follow-on indictments as investigators work the mule-account network and bulletproof-VPN server set &mdash; useful upstream intelligence to map onto active intrusions.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>More Shai-Hulud-lineage npm worms.<\/strong> Miasma&rsquo;s preinstall-hook, secret-sweeping, self-republishing pattern is repeatable against any high-trust scope. We expect at least one more variant targeting a different org-owned npm scope; watch for unexpected version bumps and CI\/CD credential exposure across your dependency graph.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">Malware Analysis Weekly &middot; a Newshunter publication<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven to ten days. Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:0 0 10px;color:#6b7280;\"><a href=\"*|UNSUB|*\" style=\"color:#1d4ed8;text-decoration:none;\">Unsubscribe<\/a> &middot; <a href=\"*|ARCHIVE|*\" style=\"color:#1d4ed8;text-decoration:none;\">View in browser<\/a><\/p>\n<p style=\"margin:0 0 10px;color:#9ca3af;font-size:11px;\">*|LIST:ADDRESS|*<\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">Curated by the Security Radar threat-intelligence team.<\/p>\n<p style=\"margin:0 0 4px;font-size:11px;color:#9ca3af;\">Newsletter design, layout, and editorial curation &copy; 2026 Security Radar. All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Malware Analysis Weekly &middot; June 14, 2026 &middot; Weekly Edition Malware Analysis Weekly Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams At a glance This week was defined by actively exploited zero-days stacking up across the edge and the endpoint. Google shipped Chrome&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47],"tags":[],"class_list":["post-5327","post","type-post","status-publish","format-standard","hentry","category-malware","category-threat_intel"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5327","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5327"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5327\/revisions"}],"predecessor-version":[{"id":5331,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5327\/revisions\/5331"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}