{"id":5347,"date":"2026-06-21T14:38:51","date_gmt":"2026-06-21T19:38:51","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5347"},"modified":"2026-06-21T14:38:51","modified_gmt":"2026-06-21T19:38:51","slug":"malware-analysis-weekly-june-21-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5347","title":{"rendered":"Malware Analysis Weekly &mdash; June 21, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#7f1d1d;background:linear-gradient(135deg,#7f1d1d 0%,#b91c1c 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff;\">Malware Analysis Weekly &middot; June 21, 2026 &middot; Weekly Edition<\/div>\n<h1 style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff !important;\">Malware Analysis Weekly<\/h1>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff;\">Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #b91c1c;padding-bottom:6px;\">At a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">This week&rsquo;s threat landscape was shaped by <strong>large-scale law-enforcement takedowns colliding with freshly discovered malware families and an unpatched Windows LPE<\/strong>. The most operationally significant headline: <strong>Operation Endgame<\/strong> partnered with the FBI and Europol to nuke <strong>SocGholish<\/strong> infrastructure across nearly 15,000 compromised sites, simultaneously cutting off <strong>Evil Corp<\/strong>&rsquo;s primary initial-access pipeline. Within hours of that announcement, CISA independently warned that <strong>86,644 FortiGate devices<\/strong> remain exposed to the <strong>FortiBleed<\/strong> heap-overflow (<strong>CVE-2026-27568<\/strong>), with exploitation confirmed in the wild against critical-infrastructure targets. And <strong>CVE-2026-47281<\/strong> &mdash; the <strong>RoguePlanet<\/strong> race condition in Microsoft Defender &mdash; added to KEV this week after a public PoC began circulating, giving post-compromise operators a reliable SYSTEM escalation path on fully patched Windows 10\/11.<\/p>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">On the malware-family front, three distinct campaigns stood out. <strong>DragonForce<\/strong> pivoted to abusing <strong>Microsoft Teams external-relay channels<\/strong> to beacon their <strong>Backdoor.Turn<\/strong> C2 traffic through legitimate Microsoft infrastructure, evading most proxy-based controls. Separately, Microsoft detailed a novel <strong>Windows crypto-clipper<\/strong> that spreads via <strong>USB LNK worm<\/strong> and routes C2 through <strong>Tor hidden services<\/strong>, and researchers at ESET documented <strong>SprySOCKS<\/strong> &mdash; previously Linux-only, tied to Chinese-nexus actor <strong>FishMonger<\/strong> &mdash; now expanded to Windows with a new DLL-sideloading chain. The <strong>Gentlemen RaaS<\/strong> group continued to mature their toolkit, deploying <strong>GentleKiller<\/strong>, an EDR-killer that terminates more than 400 security-product processes before deploying ransomware payloads.<\/p>\n<p style=\"margin:0 0 18px;font-size:15px;color:#374151;\">The week also surfaced important threads in <strong>credential theft, OAuth abuse, and AI-agent exploitation<\/strong>. <strong>Rokarolla<\/strong>, a new Android banking trojan, targets 217 banking and cryptocurrency applications with overlay and keylogger capabilities. The <strong>Icarus<\/strong> campaign leveraged an OAuth token theft at <strong>Klue<\/strong> to pivot into <strong>Salesforce<\/strong> data exfiltration across multiple downstream customers. Microsoft published primary technical research on <strong>AutoJack<\/strong>, a web-page-to-host-RCE attack chain targeting AI agents running on local machines &mdash; a technique that is likely to be operationalized in credential-harvesting and initial-access toolkits. Foundational this week: Check Point&rsquo;s deep DFIR report on <strong>The Gentlemen &amp; SystemBC<\/strong>, and Cisco Talos&rsquo; anatomy of <strong>UAT-8302<\/strong>&rsquo;s sprawling China-nexus toolset.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Topic map &mdash; families, actors, CVEs, and how they intersect<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Named entities extracted from this week&rsquo;s 16 malware-analysis articles &mdash; threat actors, malware families, CVEs, vendors, researchers, and the campaigns or themes connecting them.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/06\/topic-map-malware-analysis-2026-06-21.png\" alt=\"Topic map for malware analysis &mdash; June 21, 2026\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" \/>\n<\/div>\n<p style=\"margin:10px 0 0;font-size:12px;color:#64748b;font-style:italic;\">This week clusters around three gravitational centres: law-enforcement infrastructure takedowns (SocGholish\/Evil Corp via Operation Endgame, FortiBleed KEV pressure); active malware families and EDR evasion (DragonForce\/Backdoor.Turn, SprySOCKS\/FishMonger, GentleKiller\/Gentlemen RaaS, the USB LNK crypto-clipper); and credential theft and lateral-access chains (Rokarolla banking trojan, Icarus\/Klue OAuth pivot, Phantom Stealer, Popa botnet) &mdash; with AI-agent exploitation (AutoJack) and the military-AI verification problem as this week&rsquo;s emerging-vector entries.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#ea580c;text-transform:uppercase;letter-spacing:1px;\">Active exploits &amp; critical CVEs<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">A mass-exploitation warning on unpatched FortiGate devices and a newly KEV&rsquo;d Windows Defender LPE with a public PoC already circulating.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">1<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/cisa-warns-fortinet-customers-as.html\" style=\"color:#1d4ed8;text-decoration:none;\">FortiBleed: CISA warns as 86,644 FortiGate devices remain exposed to active exploitation<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 19<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.securityweek.com\/new-windows-zero-day-exploit-rogueplanet-released\/\" style=\"color:#1d4ed8;text-decoration:none;\">Windows zero-day &lsquo;RoguePlanet&rsquo; exploit released &mdash; Defender LPE grants SYSTEM (CVE-2026-47281)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SecurityWeek<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 15<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#b91c1c;text-transform:uppercase;letter-spacing:1px;\">Ransomware, EDR evasion &amp; takedowns<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Operation Endgame kills SocGholish across 15,000 sites; GentleKiller terminates 400+ security processes before payload; the Gentlemen group&rsquo;s SystemBC roots.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">3<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites\/\" style=\"color:#1d4ed8;text-decoration:none;\">SocGholish takedown: law enforcement nukes malware from nearly 15,000 sites (Op Endgame, Evil Corp)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 18<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">4<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/the-gentlemen-raas-uses-gentlekiller.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Gentlemen RaaS deploys GentleKiller EDR-killer (terminates 400+ security processes)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 19<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">5<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/research.checkpoint.com\/2026\/dfir-report-the-gentlemen\/\" style=\"color:#1d4ed8;text-decoration:none;\">DFIR report: The Gentlemen &amp; SystemBC &mdash; anatomy of a modern RaaS intrusion chain<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Check Point Research<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 6<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#7c3aed;text-transform:uppercase;letter-spacing:1px;\">APT campaigns &amp; new backdoor families<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Chinese-nexus actors expanding Linux backdoors to Windows, DragonForce hiding C2 in Teams relay traffic, and Talos&rsquo;s deep dive into UAT-8302&rsquo;s multi-tool toolset.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">6<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/dragonforce-hackers-abuse-microsoft.html\" style=\"color:#1d4ed8;text-decoration:none;\">DragonForce hackers abuse Microsoft Teams relay channels to hide Backdoor.Turn C2 traffic<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 18<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">7<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/china-linked-sprysocks-backdoor-expands.html\" style=\"color:#1d4ed8;text-decoration:none;\">China-linked SprySOCKS backdoor expands to Windows (FishMonger\/ESET research)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 16<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">8<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/blog.talosintelligence.com\/uat-8302\/\" style=\"color:#1d4ed8;text-decoration:none;\">UAT-8302: China-nexus APT&rsquo;s box full of malware &mdash; multi-tool campaign anatomy<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Cisco Talos<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">May 13<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#0d9488;text-transform:uppercase;letter-spacing:1px;\">Stealers, botnets &amp; delivery chains<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">New Android banking trojan, a fileless browser-credential stealer, a USB-worm-dropped crypto-clipper with Tor C2, a botnet tied to a listed firm, and Steam Workshop abused as a delivery channel.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">9<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-rokarolla-android-malware-targets-217-banking-crypto-apps\/\" style=\"color:#1d4ed8;text-decoration:none;\">New Rokarolla Android malware targets 217 banking and cryptocurrency applications<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 17<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">10<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/fileless-phantom-stealer-targets-browser-credentials\" style=\"color:#1d4ed8;text-decoration:none;\">Fileless Phantom Stealer targets browser credentials &mdash; lives entirely in memory<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Dark Reading<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 16<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">11<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/microsoft-details-windows-clipper.html\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft details Windows crypto-clipper spread by USB LNK worm with Tor C2<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 20<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">12<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/krebsonsecurity.com\/2026\/06\/popa-botnet-linked-to-publicly-traded-israeli-firm\/\" style=\"color:#1d4ed8;text-decoration:none;\">&lsquo;Popa&rsquo; botnet linked to a publicly traded Israeli firm (Krebs investigation)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Krebs on Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 18<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">13<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/steam-workshop-abused-to-spread-malware-via-wallpaper-engine-app\/\" style=\"color:#1d4ed8;text-decoration:none;\">Steam Workshop abused to spread malware via Wallpaper Engine app<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 16<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#0891b2;text-transform:uppercase;letter-spacing:1px;\">OAuth abuse, AI-agent exploitation &amp; emerging vectors<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">OAuth token theft pivoting to Salesforce data exfiltration, a single web page triggering host-level RCE via AI agents, and the unsolved problem of verifying military AI behavior.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">14<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/\" style=\"color:#1d4ed8;text-decoration:none;\">Klue OAuth breach linked to &lsquo;Icarus&rsquo; Salesforce data-theft attacks<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 18<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">15<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/18\/autojack-single-page-rce-host-running-ai-agent\/\" style=\"color:#1d4ed8;text-decoration:none;\">AutoJack: how a single web page achieves RCE on the host running an AI agent<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Microsoft Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 18<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">16<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/15\/military-ai-verification-problem\/\" style=\"color:#1d4ed8;text-decoration:none;\">Proving what a military AI model will actually do is the real problem<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 15<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">1. FortiBleed: CISA warns as 86,644 FortiGate devices remain exposed to active exploitation<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jun 19, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">CISA issued an emergency warning confirming that <strong>86,644 FortiGate VPN and firewall appliances<\/strong> remain internet-exposed and unpatched against <strong>FortiBleed<\/strong> (<strong>CVE-2026-27568<\/strong>), a heap-buffer-overflow in <strong>FortiOS SSL-VPN<\/strong> that has seen confirmed exploitation against critical-infrastructure targets. The vulnerability enables unauthenticated remote code execution by sending a crafted HTTP request to the management interface. Exposure at this scale &mdash; tens of thousands of perimeter devices with a public RCE &mdash; provides ransomware affiliates and nation-state actors a large, reliable initial-access surface. Immediate actions: pull your exposed FortiGate inventory from Shodan or FOFA, patch to the fixed FortiOS version, enforce management-interface ACLs to restrict access to internal networks only, and hunt for evidence of pre-patch exploitation including unusual admin account creation, config changes, and outbound tunneling from FortiGate hosts. CISA KEV status means federal agencies face a hard patch deadline.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/cisa-warns-fortinet-customers-as.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">2. Windows zero-day &lsquo;RoguePlanet&rsquo; exploit released &mdash; Defender LPE grants SYSTEM (CVE-2026-47281)<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">SecurityWeek &middot; Jun 15, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">A public proof-of-concept named <strong>RoguePlanet<\/strong> weaponizes <strong>CVE-2026-47281<\/strong> (CVSS 9.6), a race condition in the <strong>Microsoft Defender<\/strong> scanning engine, to obtain a <strong>SYSTEM-level shell on fully patched Windows 10\/11<\/strong>. CISA added the CVE to KEV this week following confirmed in-the-wild exploitation. The PoC availability means any threat actor with an existing foothold can now trivially escalate to SYSTEM &mdash; dramatically lowering the skill bar for post-exploitation. No patch is available yet. Defensive priorities: build behavioral detections for anomalous SYSTEM-context process launches descended from Defender service paths, monitor for token-manipulation primitives (SetThreadToken, ImpersonateNamedPipeClient) invoked from unexpected parent processes, and treat every existing low-privilege foothold in your environment as SYSTEM-capable until Microsoft ships a fix. Prioritize endpoints that are exposed to untrusted code execution.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.securityweek.com\/new-windows-zero-day-exploit-rogueplanet-released\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">3. SocGholish takedown: law enforcement nukes malware from nearly 15,000 sites (Op Endgame, Evil Corp)<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">BleepingComputer &middot; Jun 18, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>Operation Endgame<\/strong> &mdash; the same multi-nation joint action that targeted <strong>Smokeloader<\/strong> and <strong>IcedID<\/strong> infrastructure last year &mdash; expanded this week with an FBI\/Europol operation that sanitized <strong>SocGholish<\/strong> JavaScript injection code from <strong>nearly 15,000 compromised websites<\/strong>, cutting off <strong>Evil Corp<\/strong>&rsquo;s primary drive-by initial-access pipeline. SocGholish had operated as a major initial-access broker for over five years, delivering fake browser-update overlays that dropped <strong>NetSupport RAT<\/strong>, <strong>Cobalt Strike<\/strong>, and ransomware precursors. The takedown removes a high-volume first-stage loader but does not eliminate Evil Corp or its affiliate relationships. For defenders: remove SocGholish IOCs from your block lists as live infrastructure, but retain detection logic for the fake-update social-engineering template &mdash; successor campaigns will reuse the pattern. Review web filtering logs retroactively for SocGholish domain hits that may indicate unresolved compromises.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">4. The Gentlemen RaaS deploys GentleKiller EDR-killer (terminates 400+ security processes)<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jun 19, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">The <strong>Gentlemen RaaS<\/strong> operation has introduced <strong>GentleKiller<\/strong>, a dedicated EDR-disabling tool that systematically terminates processes matching a hardcoded list of <strong>more than 400 security products<\/strong> &mdash; including EDR agents, AV engines, logging forwarders, and forensic tools &mdash; before deploying their ransomware payload. The technique relies on a combination of a <strong>vulnerable signed driver<\/strong> for kernel-level process termination and a user-mode enumeration loop. This is a notable capability uplift from the group&rsquo;s earlier reliance on commodity BYOVD tooling. YARA and Sigma rules for GentleKiller&rsquo;s driver load and process-kill patterns are the priority detection artifacts. Also pair with the Check Point DFIR report (article 5) for the broader Gentlemen intrusion chain, which includes <strong>SystemBC<\/strong> for proxy\/C2 persistence before the EDR-kill and encryption steps.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/the-gentlemen-raas-uses-gentlekiller.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">5. DFIR report: The Gentlemen &amp; SystemBC &mdash; anatomy of a modern RaaS intrusion chain <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Check Point Research &middot; May 6, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Check Point&rsquo;s DFIR team reconstructs a full <strong>Gentlemen RaaS intrusion<\/strong> from initial access through encryption, detailing the role of <strong>SystemBC<\/strong> as the persistent SOCKS5-proxy implant that maintains covert operator access throughout the dwell time. The report maps the full kill chain: phishing lure delivering a dropper, SystemBC installation for C2, <strong>Cobalt Strike<\/strong> beacon for interactive operations, credential dumping via <strong>Mimikatz<\/strong>, lateral movement via RDP and WMI, and eventual GentleKiller deployment before file encryption. This is the technical foundation for building detection coverage across the entire Gentlemen chain rather than just the ransomware payload. Timeline correlation and the Cobalt Strike watermarks extracted by the team provide pivot points for retrospective threat hunting in EDR and SIEM telemetry.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/research.checkpoint.com\/2026\/dfir-report-the-gentlemen\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">6. DragonForce hackers abuse Microsoft Teams relay channels to hide Backdoor.Turn C2 traffic<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jun 18, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>DragonForce<\/strong>, a threat group with ties to both ransomware deployment and hacktivist operations, has adopted a new C2 evasion technique: routing <strong>Backdoor.Turn<\/strong> command-and-control traffic through <strong>Microsoft Teams external-relay channels<\/strong>. By abusing legitimate Teams infrastructure to tunnel implant communications, the group blends malicious traffic into TLS-encrypted Microsoft service flows that most proxy and DLP controls permit unconditionally. This renders IP-reputation and domain-block approaches ineffective. Detection must shift to behavioral signals: anomalous Teams process network activity outside normal communication patterns, unexpected Teams API calls from non-human accounts, and Backdoor.Turn implant artefacts on disk. Organizations running Teams should review external-access and relay policies and restrict guest\/external federation to approved tenants only.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/dragonforce-hackers-abuse-microsoft.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">7. China-linked SprySOCKS backdoor expands to Windows (FishMonger\/ESET research)<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jun 16, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>ESET<\/strong> researchers document a cross-platform expansion of <strong>SprySOCKS<\/strong>, a backdoor previously observed only on Linux systems and attributed to the Chinese-nexus actor <strong>FishMonger<\/strong> (also tracked as <strong>Earth Lusca<\/strong>). The new Windows variant uses a <strong>DLL sideloading<\/strong> chain to establish persistence, implements the same SOCKS5-proxy C2 protocol as its Linux counterpart, and targets government and research institutions across Southeast Asia and Europe. Having the same C2 protocol on both platforms enables unified operator tooling across mixed-OS environments &mdash; a significant capability maturation. Detection: hunt for unsigned DLLs sideloaded by signed Microsoft binaries in non-standard paths, anomalous SOCKS5 tunnel establishment from workstation processes, and SprySOCKS network indicators published with the ESET report.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/china-linked-sprysocks-backdoor-expands.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">8. UAT-8302: China-nexus APT&rsquo;s box full of malware &mdash; multi-tool campaign anatomy <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Cisco Talos &middot; May 13, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>Cisco Talos<\/strong> profiles <strong>UAT-8302<\/strong>, a China-nexus threat actor deploying an unusually broad set of custom and commodity malware families within single intrusion chains &mdash; including <strong>PlugX<\/strong>, <strong>ShadowPad<\/strong>, a custom keylogger, a bespoke data-staging tool, and multiple living-off-the-land binaries &mdash; against government, telecoms, and critical-infrastructure targets in Asia and the Middle East. The report&rsquo;s value for detection engineering is the multi-stage correlation: UAT-8302 is not a one-tool actor, and endpoint detections that focus only on individual family signatures will miss intrusions where one family is swapped for another. Build coverage on the group&rsquo;s behavioral patterns &mdash; specific WMI lateral-movement commands, staging directory paths, and encrypted archive exfil over WebDAV &mdash; rather than relying solely on family-specific YARA.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/blog.talosintelligence.com\/uat-8302\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">9. New Rokarolla Android malware targets 217 banking and cryptocurrency applications<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">BleepingComputer &middot; Jun 17, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>Rokarolla<\/strong> is a newly documented Android banking trojan targeting <strong>217 banking, payment, and cryptocurrency applications<\/strong> across multiple geographies. It combines <strong>overlay attacks<\/strong> (rendering fake login screens over legitimate apps to harvest credentials), <strong>keylogging<\/strong>, and <strong>SMS interception<\/strong> to bypass 2FA &mdash; a standard but highly effective capability stack for financial-fraud trojans. Distribution leverages sideloaded APKs delivered through phishing SMS and social-engineering lures. For analysts supporting mobile-threat intelligence: pull the published package names and certificate hashes to build detection content for MDM policies, and add the C2 domains to threat-intel blocklists. The breadth of 217 targeted apps suggests a commodity toolkit for sale rather than a purpose-built tool, meaning variants targeting additional app sets are likely.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-rokarolla-android-malware-targets-217-banking-crypto-apps\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">10. Fileless Phantom Stealer targets browser credentials &mdash; lives entirely in memory<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Dark Reading &middot; Jun 16, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>Phantom Stealer<\/strong> is a fileless credential-theft tool designed to extract saved passwords, session cookies, and autofill data from <strong>Chrome, Edge, Firefox, and Brave<\/strong> without writing executable artifacts to disk. The stealer runs entirely in memory via a <strong>reflective DLL injection<\/strong> chain, making traditional file-hash-based AV detection ineffective and complicating forensic recovery. Exfiltration routes stolen data over encrypted HTTPS to an attacker-controlled endpoint. Detection must rely on behavioral signals: process memory writes into browser process space from unexpected parent processes, <code>ReadProcessMemory<\/code> calls targeting browser PID profiles, and anomalous HTTPS POSTs of compressed browser-profile data. Teams relying solely on endpoint AV without memory-inspection capabilities are blind to this family.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/fileless-phantom-stealer-targets-browser-credentials\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">11. Microsoft details Windows crypto-clipper spread by USB LNK worm with Tor C2<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jun 20, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Microsoft Threat Intelligence details a <strong>cryptocurrency clipboard-hijacker<\/strong> with an unusual propagation mechanism: it spreads as a <strong>malicious LNK file via USB drives<\/strong>, silently replaces cryptocurrency wallet addresses in clipboard contents, and routes C2 traffic through <strong>Tor hidden services<\/strong> to obstruct takedowns and infrastructure tracking. The USB-worm vector is a deliberate choice &mdash; it reaches air-gapped or corporate machines that never touch phishing email, and LNK auto-execution via Windows Explorer requires no user elevation. Detection priorities: monitor for LNK files created on removable drives, clipboard-access API calls from processes without a UI window, and Tor-binary execution or connections to known Tor guard nodes. The Tor C2 channel also signals that the operator is resilient to domain-based takedown.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/microsoft-details-windows-clipper.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">12. &lsquo;Popa&rsquo; botnet linked to a publicly traded Israeli firm (Krebs investigation)<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Krebs on Security &middot; Jun 18, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Brian Krebs documents infrastructure and corporate-registration evidence linking the <strong>Popa botnet<\/strong> &mdash; a residential-proxy and click-fraud operation built on compromised consumer devices &mdash; to a <strong>publicly traded Israeli technology company<\/strong>. The investigation traces Popa&rsquo;s C2 infrastructure, software distribution chains, and WHOIS history to entities connected to the firm. Corporate-linked botnets occupy an unusual legal gray zone and rarely face the rapid takedown pressure applied to purely criminal operations, giving them extended operational lifespans. For threat intelligence teams, the registration and infrastructure pivots detailed in the Krebs report provide enrichment anchors for hunting Popa implants, and the residential-proxy node set is relevant to any organization tracking anomalous authentication traffic from residential IP ranges.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/krebsonsecurity.com\/2026\/06\/popa-botnet-linked-to-publicly-traded-israeli-firm\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">13. Steam Workshop abused to spread malware via Wallpaper Engine app<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">BleepingComputer &middot; Jun 16, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Attackers have abused <strong>Steam Workshop<\/strong> &mdash; Valve&rsquo;s user-generated content platform &mdash; to distribute malware-laced packages disguised as legitimate <strong>Wallpaper Engine<\/strong> themes and assets. Because Steam Workshop content is downloaded and executed by a trusted, signed application already present on the endpoint, many security controls do not flag the execution chain. The abuse pattern mirrors earlier attacks against game-mod platforms and highlights the risk of any trusted software update or user-content delivery channel that bypasses standard download-reputation checks. Endpoint detection should monitor for unusual child process launches from <code>wallpaper32.exe<\/code> or <code>wallpaper64.exe<\/code>, script execution or binary drops from Steam Workshop content directories, and outbound connections from those processes to non-Valve infrastructure.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/steam-workshop-abused-to-spread-malware-via-wallpaper-engine-app\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">14. Klue OAuth breach linked to &lsquo;Icarus&rsquo; Salesforce data-theft attacks<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">BleepingComputer &middot; Jun 18, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">The <strong>Icarus<\/strong> threat actor exploited an OAuth misconfiguration at <strong>Klue<\/strong> (a competitive-intelligence SaaS platform) to obtain long-lived access tokens, then pivoted those credentials into <strong>Salesforce<\/strong> environments at downstream Klue customers to exfiltrate CRM data. The attack chain illustrates a recurring SaaS-to-SaaS lateral-movement pattern: compromise a smaller, less-hardened OAuth app that holds delegated permissions into a high-value platform, then exploit the transitive trust. Defender priorities: audit OAuth application grants across your Salesforce org for third-party apps with excessive scopes, review Salesforce data-access logs for anomalous bulk export activity in the breach window, and rotate any tokens issued to Klue integrations. The incident is also a prompt to enforce the principle of least privilege on all SaaS OAuth integrations.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">15. AutoJack: how a single web page achieves RCE on the host running an AI agent<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Microsoft Security Blog &middot; Jun 18, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>Microsoft&rsquo;s<\/strong> primary technical analysis of <strong>AutoJack<\/strong> details how a single maliciously crafted web page can achieve <strong>remote code execution on the host machine running an AI coding or browser agent<\/strong>. The attack exploits the agent&rsquo;s willingness to act on instructions embedded in web content &mdash; a prompt-injection variant &mdash; chaining page-level JavaScript execution into agent-tool-call abuse to write and execute arbitrary files on the host filesystem. This is a significant threat-surface expansion: any developer or analyst running an AI agent that browses the web or processes untrusted URLs becomes a target. Microsoft documents the specific tool-call sequences that constitute exploitation and provides detection guidance. Security teams should treat AI-agent processes as high-risk execution contexts, monitor for unexpected file writes and process launches from agent processes, and follow mitigations outlined in the report.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/18\/autojack-single-page-rce-host-running-ai-agent\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">16. Proving what a military AI model will actually do is the real problem<\/h4>\n<p style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Help Net Security &middot; Jun 15, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">This piece examines the unsolved <strong>verification and validation problem for AI systems deployed in military and government security-critical contexts<\/strong>: even with full model access, proving that a model will behave as intended across all operational inputs remains computationally intractable with current techniques. The implications for malware analysts and IR teams extend beyond military settings &mdash; the same verification gap applies to any AI system used in security tooling, SOAR orchestration, or autonomous response. An adversary who understands a model&rsquo;s failure modes can engineer inputs that cause it to mis-triage, mis-classify, or take unintended autonomous actions. The article frames the problem rigorously and is relevant context for any team evaluating AI-assisted detection systems or automated response capabilities where incorrect behavior has high-consequence outcomes.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/15\/military-ai-verification-problem\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">On our watch list<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li style=\"margin-bottom:8px;\"><strong>RoguePlanet patch timeline.<\/strong> CVE-2026-47281 remains unpatched with a public PoC and confirmed in-the-wild exploitation. Microsoft has not published a mitigation or out-of-band fix as of this edition. Watch for an emergency patch or official mitigation guidance; until one ships, treat every low-privilege foothold in your environment as SYSTEM-capable and prioritize behavioral detection on Defender-adjacent process launches.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Post-takedown Evil Corp activity.<\/strong> The SocGholish infrastructure seizure removes a major initial-access pipeline but not the organization behind it. Expect Evil Corp affiliates to accelerate deployment of backup loaders (historically SocGholish has run alongside Gootloader and FakeUpdates). Track for new drive-by delivery campaigns adopting similar social-engineering templates within the next two to four weeks.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>AutoJack operationalization.<\/strong> The publication of Microsoft&rsquo;s technical AutoJack writeup alongside The Hacker News&rsquo; coverage of the attack concept gives threat actors a clear blueprint. We expect AutoJack-style prompt-injection-to-RCE chains to appear in commodity attack toolkits and criminal forums within weeks, targeting developers and analysts running local AI agents. Monitor vendor advisories from AI agent framework maintainers for sandbox and tool-call restriction updates.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>GentleKiller BYOVD driver tracking.<\/strong> The specific vulnerable signed driver deployed by GentleKiller is likely to be rotated as signature-based detection matures. Track Microsoft&rsquo;s vulnerable driver blocklist updates and LOLBAS additions; any new entry tied to kernel-level process termination is likely a GentleKiller variant or successor adopting a freshly abused driver.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">Malware Analysis Weekly &middot; a Newshunter publication<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven to ten days. Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:0 0 10px;color:#6b7280;\"><a href=\"*|UNSUB|*\" style=\"color:#1d4ed8;text-decoration:none;\">Unsubscribe<\/a> &middot; <a href=\"*|ARCHIVE|*\" style=\"color:#1d4ed8;text-decoration:none;\">View in browser<\/a><\/p>\n<p style=\"margin:0 0 10px;color:#9ca3af;font-size:11px;\">*|LIST:ADDRESS|*<\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">Curated by the Security Radar threat-intelligence team.<\/p>\n<p style=\"margin:0 0 4px;font-size:11px;color:#9ca3af;\">Newsletter design, layout, and editorial curation &copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Malware Analysis Weekly &middot; June 21, 2026 &middot; Weekly Edition Malware Analysis Weekly Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams At a glance This week&rsquo;s threat landscape was shaped by large-scale law-enforcement takedowns colliding with freshly discovered malware families and an unpatched&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47],"tags":[],"class_list":["post-5347","post","type-post","status-publish","format-standard","hentry","category-malware","category-threat_intel"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5347"}],"version-history":[{"count":0,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5347\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}