{"id":5357,"date":"2026-06-28T16:38:47","date_gmt":"2026-06-28T21:38:47","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5357"},"modified":"2026-06-28T16:38:47","modified_gmt":"2026-06-28T21:38:47","slug":"malware-analysis-weekly-june-28-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5357","title":{"rendered":"Malware Analysis Weekly &mdash; June 28, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"background-color:#f4f5f7;\">\n<tr>\n<td align=\"center\" style=\"padding:24px 12px;\">\n<table role=\"presentation\" width=\"680\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"max-width:680px;width:100%;background-color:#ffffff;border-radius:8px;overflow:hidden;box-shadow:0 1px 3px rgba(0,0,0,0.08);\">\n<tr>\n<td style=\"background-color:#7f1d1d;background:linear-gradient(135deg,#7f1d1d 0%,#b91c1c 100%);padding:32px 28px 24px;color:#ffffff;\">\n<div style=\"font-size:12px;letter-spacing:2px;text-transform:uppercase;opacity:0.75;margin-bottom:8px;color:#ffffff !important;\">Malware Analysis Weekly &middot; June 28, 2026 &middot; Weekly Edition<\/div>\n<h1 style=\"margin:0;font-size:28px;line-height:1.2;font-weight:700;color:#ffffff !important;\">Malware Analysis Weekly<\/h1>\n<p style=\"margin:8px 0 0;font-size:14px;opacity:0.85;color:#ffffff !important;\">Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 4px;\">\n<h2 style=\"margin:0 0 12px;font-size:18px;color:#0f172a;border-bottom:2px solid #b91c1c;padding-bottom:6px;\">At a glance<\/h2>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">This week&rsquo;s threat landscape was shaped by <strong>a wave of new malware families, continued Chinese-nexus APT activity, and two significant law-enforcement and judicial milestones<\/strong>. On the new-family front, <strong>AryStinger<\/strong> &mdash; a router botnet targeting 4,300+ legacy and D-Link devices &mdash; joined <strong>SharkLoader<\/strong> (a loader deploying Cobalt Strike in the StrikeShark campaign), <strong>Mistic<\/strong> and its dropper <strong>WoodGnat<\/strong> (a stealthy multi-sector backdoor surfaced by Help Net Security), and <strong>macOS.Gaslight<\/strong> (a Rust backdoor that inverts the analyst&rsquo;s own AI triage tools against them) as the week&rsquo;s marquee discoveries. The breadth of new tooling &mdash; spanning routers, Windows, and macOS &mdash; reflects an accelerating pace of capability development across criminal and state-linked actors alike.<\/p>\n<p style=\"margin:0 0 12px;font-size:15px;color:#374151;\">APT activity was dominated by two Chinese-nexus groups. <strong>VerdantBamboo<\/strong> deployed <strong>BRICKSTORM<\/strong> and the new <strong>Plenet<\/strong> implant to maintain persistent access to compromised networks, building on the full technical account published by Volexity in early June. Separately, <strong>FishMonger<\/strong>&rsquo;s <strong>SprySOCKS<\/strong> backdoor &mdash; previously Linux-only &mdash; is now confirmed on Windows via a new DLL-sideloading chain, expanding the actor&rsquo;s mixed-OS reach. Defenders tracking Chinese-nexus infrastructure should treat both groups as actively maintaining footholds across government, telecoms, and critical-infrastructure targets, with new implant variants rolling out to maintain access as older IOCs get burned.<\/p>\n<p style=\"margin:0 0 18px;font-size:15px;color:#374151;\">Law enforcement delivered two significant outcomes. <strong>Operation Endgame<\/strong> expanded its mandate to take down <strong>StealC<\/strong> and <strong>Amadey<\/strong> infostealer infrastructure in a joint action coordinated by Microsoft, the FBI, and European partners. In the courts, members of <strong>Scattered Spider<\/strong> were convicted for the <strong>Transport for London<\/strong> cyberattack &mdash; a notable accountability moment for a group that has long operated with apparent impunity. On the vulnerability front, <strong>ShinyHunters<\/strong> exploited <strong>CVE-2026-35273<\/strong>, an Oracle PeopleSoft zero-day, to extort universities, and <strong>CISA<\/strong> added four new entries to KEV, including Lantronix and Ubiquiti UniFi OS flaws with confirmed exploitation. The week closed with confirmation that the Klue supply-chain breach reached <strong>HackerOne, Huntress, and Snyk<\/strong> &mdash; three security vendors &mdash; raising pointed questions about third-party SaaS risk across the security industry itself.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:18px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Topic map &mdash; families, actors, CVEs, and how they intersect<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<p style=\"margin:0 0 8px;font-size:11px;color:#64748b;\">Named entities extracted from this week&rsquo;s 14 malware-analysis articles &mdash; threat actors, malware families, CVEs, vendors, researchers, and the campaigns or themes connecting them.<\/p>\n<div style=\"background-color:#ffffff;border:1px solid #e2e8f0;border-radius:8px;padding:14px;\">\n<img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/06\/topic-map-malware-analysis-2026-06-28.png\" alt=\"Topic map for malware analysis &mdash; June 28, 2026\" style=\"width:100%;max-width:880px;height:auto;display:block;margin:0 auto;\" \/>\n<\/div>\n<p style=\"margin:10px 0 0;font-size:12px;color:#64748b;font-style:italic;\">This week clusters around four gravitational centres: new router and platform malware (AryStinger botnet, SharkLoader\/StrikeShark, Mistic\/WoodGnat, macOS.Gaslight); Chinese-nexus APT persistence (VerdantBamboo\/BRICKSTORM\/Plenet, FishMonger\/SprySOCKS); law-enforcement and judicial actions (Operation Endgame StealC\/Amadey, Scattered Spider TfL conviction); and exploit-driven intrusions and supply-chain impact (ShinyHunters\/CVE-2026-35273, CISA KEV four-pack, Klue breach reaching security vendors).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Article index<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<h3 style=\"margin:14px 0 8px;font-size:15px;color:#ea580c;text-transform:uppercase;letter-spacing:1px;\">New malware families &amp; delivery chains<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">A router botnet infecting 4,300+ legacy devices, a Cobalt Strike loader campaign, a stealthy multi-sector backdoor pair, and a macOS Rust implant that turns prompt injection on the analyst.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">1<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/arystinger-malware-infects-4300-legacy.html\" style=\"color:#1d4ed8;text-decoration:none;\">AryStinger botnet infects 4,300+ legacy\/D-Link routers<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 22<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">2<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-sharkloader-malware-deploys-cobalt.html\" style=\"color:#1d4ed8;text-decoration:none;\">SharkLoader deploys Cobalt Strike in StrikeShark campaign<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Hacker News<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 26<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">3<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/securelist.com\/strikeshark-campaign\/120326\/\" style=\"color:#1d4ed8;text-decoration:none;\">StrikeShark: custom SharkLoader + Cobalt Strike campaign<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Securelist (Kaspersky)<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 24<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">4<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/25\/mistic-backdoor-woodgnat-attacks\/\" style=\"color:#1d4ed8;text-decoration:none;\">Stealthy new backdoor (Mistic\/WoodGnat) surfaces across sectors<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Help Net Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 25<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">5<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.sentinelone.com\/labs\/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox\/\" style=\"color:#1d4ed8;text-decoration:none;\">macOS.Gaslight: Rust backdoor turns prompt injection on the analyst<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">SentinelOne Labs<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 25<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#7c3aed;text-transform:uppercase;letter-spacing:1px;\">APT campaigns &amp; persistent-access implants<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">VerdantBamboo deploying BRICKSTORM and new Plenet implant; FishMonger&rsquo;s SprySOCKS crosses to Windows; FortiBleed credential-harvesting anatomy from Arctic Wolf.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">6<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks\/\" style=\"color:#1d4ed8;text-decoration:none;\">Chinese APT (VerdantBamboo) deploys BRICKSTORM\/Plenet to keep access<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">BleepingComputer<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 24<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">7<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.volexity.com\/blog\/2026\/06\/04\/verdantbamboo-just-another-brickstorm-in-the-firewall\/\" style=\"color:#1d4ed8;text-decoration:none;\">VerdantBamboo: just another BRICKSTORM in the firewall<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Volexity<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 4<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">8<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/fishmongers-arsenal-upgraded-sprysocks-windows\/\" style=\"color:#1d4ed8;text-decoration:none;\">FishMonger&rsquo;s arsenal upgraded: SprySOCKS for Windows<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">ESET<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 16<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">9<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/arcticwolf.com\/resources\/blog\/inside-fortibleed-reverse-engineering-the-cyberstrike-harvester-behind-a-global-fortigate-credential-factory\/\" style=\"color:#1d4ed8;text-decoration:none;\">Inside FortiBleed: reverse-engineering the credential-harvester<\/a> <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Arctic Wolf<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#b91c1c;text-transform:uppercase;letter-spacing:1px;\">Law enforcement, takedowns &amp; convictions<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">Operation Endgame expands to StealC\/Amadey; Scattered Spider members convicted for the TfL attack.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">10<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/24\/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them\/\" style=\"color:#1d4ed8;text-decoration:none;\">Operation Endgame takes down StealC &amp; Amadey infostealers<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Microsoft Security<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 24<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">11<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/therecord.media\/guilty-plea-tfl-cyberattack-scattered-spider-members\" style=\"color:#1d4ed8;text-decoration:none;\">Scattered Spider teens convicted over TfL cyber-attack<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">The Record<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 23<\/td>\n<\/tr>\n<\/table>\n<h3 style=\"margin:22px 0 8px;font-size:15px;color:#0d9488;text-transform:uppercase;letter-spacing:1px;\">Exploited vulnerabilities &amp; supply-chain impact<\/h3>\n<p style=\"margin:0 0 8px;font-size:13px;color:#475569;\">ShinyHunters weaponizes Oracle PeopleSoft zero-day against universities; CISA KEV four-pack; and the Klue hack reaches HackerOne, Huntress, and Snyk.<\/p>\n<table role=\"presentation\" width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" style=\"font-size:13px;border-collapse:collapse;\">\n<tr style=\"background-color:#f8fafc;\">\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:8%;\">#<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:62%;\">Article<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:20%;\">Source<\/th>\n<th align=\"left\" style=\"padding:8px 6px;border-bottom:1px solid #e2e8f0;color:#475569;font-weight:600;width:10%;\">Date<\/th>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">12<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/shinyhunters-targets-education-sector-oracle-exploit\" style=\"color:#1d4ed8;text-decoration:none;\">ShinyHunters exploits Oracle PeopleSoft zero-day (CVE-2026-35273), extorts universities<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Mandiant \/ Google Cloud<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 23<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">13<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/06\/23\/cisa-adds-four-known-exploited-vulnerabilities-catalog\" style=\"color:#1d4ed8;text-decoration:none;\">CISA adds four KEVs (Lantronix EDS5000, Ubiquiti UniFi OS)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">CISA<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 23<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">14<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;\"><a href=\"https:\/\/techcrunch.com\/2026\/06\/22\/klue-hack-results-in-data-breach-at-several-cybersecurity-firms\/\" style=\"color:#1d4ed8;text-decoration:none;\">Klue hack breaches several security firms (HackerOne, Huntress, Snyk)<\/a><\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">TechCrunch<\/td>\n<td style=\"padding:8px 6px;border-bottom:1px solid #f1f5f9;color:#475569;\">Jun 22<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">Detailed write-ups<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<div class=\"article\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">1. AryStinger botnet infects 4,300+ legacy\/D-Link routers<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jun 22, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>AryStinger<\/strong> is a newly documented router botnet that has compromised more than <strong>4,300 legacy and D-Link devices<\/strong>, exploiting known-unpatched vulnerabilities in end-of-life firmware to establish persistent C2 footholds. Compromised routers are used for traffic proxying, reconnaissance staging, and as launch points for downstream attacks against internal network segments that trust the router as a perimeter device. The botnet follows a well-established playbook for router malware: gain access via a default-credential or unpatched-RCE vector, achieve persistence via cron or init scripts, and join a centrally managed C2 cluster. The long tail of unmanaged, un-updated consumer and SOHO routers in enterprise environments &mdash; home-office equipment that routes into corporate VPNs, for instance &mdash; represents exactly the attack surface AryStinger is targeting. Defensive priorities: audit your network for EoL D-Link models; replace devices that cannot receive firmware updates; for devices still in service, change default credentials, disable UPnP and remote management, and monitor outbound traffic from router management IPs for anomalous connections.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/arystinger-malware-infects-4300-legacy.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/06\/arystinger-malware-infects-4300-legacy.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">2. SharkLoader deploys Cobalt Strike in StrikeShark campaign <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; + FOUNDATIONAL<\/span><\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Hacker News &middot; Jun 26, 2026 &nbsp;|&nbsp; Securelist (Kaspersky) &middot; Jun 24, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>SharkLoader<\/strong> is a new malware loader, detailed in the <strong>StrikeShark<\/strong> campaign reporting from Kaspersky&rsquo;s Securelist, that functions as an initial-access-to-post-exploitation bridge: it delivers a <strong>Cobalt Strike beacon<\/strong> after bypassing common defenses through a multi-stage obfuscated loading chain. The Securelist foundational report provides the full technical anatomy, including the loader&rsquo;s anti-analysis features, network communication patterns, and the Cobalt Strike watermark that can be used to cluster infrastructure across StrikeShark operations. SharkLoader represents the continued professionalization of loader-as-a-service tooling: purpose-built, evasion-hardened, and sold or rented to threat actors who then select their own post-exploitation framework. Detection engineering priorities: build coverage on the loader&rsquo;s process injection behavior and the specific shellcode decryption routines documented by Kaspersky, and pivot on the Cobalt Strike watermark to identify additional infrastructure. The combination of a fresh loader with a well-known post-exploitation framework makes this campaign accessible to a wide range of threat actors.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-sharkloader-malware-deploys-cobalt.html\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/06\/new-sharkloader-malware-deploys-cobalt.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a> &middot; <a href=\"https:\/\/securelist.com\/strikeshark-campaign\/120326\/\" style=\"color:#1d4ed8;text-decoration:none;\">Securelist (Kaspersky) &mdash; full technical analysis<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">3. macOS.Gaslight: Rust backdoor turns prompt injection on the analyst <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; FOUNDATIONAL<\/span><\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">SentinelOne Labs &middot; Jun 25, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>macOS.Gaslight<\/strong> is a <strong>Rust-based macOS backdoor<\/strong> with an unusual adversarial twist: it embeds crafted prompt-injection payloads in artefacts likely to be examined by AI-assisted malware-analysis tools, attempting to manipulate the analyst&rsquo;s AI triage pipeline rather than evading the sandbox directly. SentinelOne&rsquo;s detailed write-up documents how the backdoor plants misleading or neutralizing instructions within strings, metadata, and file structures that AI analysis tools commonly ingest, aiming to produce incorrect classification or suppressed alerting in AI-assisted workflows. Beyond the prompt-injection novelty, the underlying implant is a capable Rust backdoor with standard C2 capabilities. This is a significant defensive-tooling threat: teams that rely on AI-assisted initial triage &mdash; including SOAR playbooks that feed artefacts to LLM analysis steps &mdash; should review whether those pipelines can be manipulated via malicious content. The Gaslight technique is likely to be replicated in other families as the attack surface of AI-assisted analysis grows.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.sentinelone.com\/labs\/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.sentinelone.com\/labs\/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox\/\" style=\"color:#1d4ed8;text-decoration:none;\">SentinelOne Labs<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">4. Chinese APT (VerdantBamboo) deploys BRICKSTORM\/Plenet to keep access <span style=\"font-size:11px;color:#0891b2;font-weight:600;\">&middot; + FOUNDATIONAL<\/span><\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">BleepingComputer &middot; Jun 24, 2026 &nbsp;|&nbsp; Volexity &middot; Jun 4, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>VerdantBamboo<\/strong>, a Chinese-nexus APT group tracked since at least 2024, is deploying <strong>BRICKSTORM<\/strong> &mdash; a cross-platform backdoor documented by Volexity in their foundational June 4 report &mdash; alongside a newly identified implant named <strong>Plenet<\/strong> to maintain persistent access to compromised networks even as defenders work to evict them. The dual-implant strategy is deliberate: BRICKSTORM and Plenet use different C2 channels and persistence mechanisms, so burning one set of IOCs does not dislodge the actor from the environment. Volexity&rsquo;s foundational report provides the full BRICKSTORM reverse-engineering, C2 protocol specification, and persistence mechanism details that are essential reading for IR teams responding to VerdantBamboo intrusions. Defenders should treat any confirmed BRICKSTORM finding as indicative of a parallel, distinct implant potentially still present, and pursue full network-level threat hunting rather than artifact-based remediation. The actor&rsquo;s targeting profile emphasizes government networks, critical infrastructure, and technology companies in Western Europe and Asia-Pacific.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks\/\" style=\"color:#1d4ed8;text-decoration:none;\">BleepingComputer<\/a> &middot; <a href=\"https:\/\/www.volexity.com\/blog\/2026\/06\/04\/verdantbamboo-just-another-brickstorm-in-the-firewall\/\" style=\"color:#1d4ed8;text-decoration:none;\">Volexity &mdash; BRICKSTORM deep dive<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">5. Operation Endgame takes down StealC &amp; Amadey infostealers<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Microsoft Security &middot; Jun 24, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>Operation Endgame<\/strong> continued its expansion this week with a coordinated action &mdash; led by Microsoft in partnership with the FBI and European law-enforcement partners &mdash; targeting the infrastructure behind <strong>StealC<\/strong> and <strong>Amadey<\/strong>, two of the most prolific infostealer families in active distribution. Microsoft&rsquo;s accompanying technical report breaks down both families&rsquo; delivery mechanisms (malvertising, pay-per-install, phishing), the <strong>cybercrime-as-a-service ecosystem<\/strong> that distributes them, and the credential-theft, cookie-theft, and cryptocurrency-wallet-harvesting capabilities that make them staple tools for initial-access brokers. The takedown disrupts the current C2 infrastructure but not the malware code itself, which is freely circulated and will spawn successor campaigns quickly. Threat-intelligence teams should pull the updated IOC set from the Microsoft report, but also update detection logic to catch Amadey and StealC behavior patterns rather than relying solely on infrastructure indicators. The report&rsquo;s ecosystem mapping &mdash; showing the distribution-service relationships between these stealers and other crimeware families &mdash; is particularly valuable for understanding downstream ransomware risk.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/24\/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/24\/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them\/\" style=\"color:#1d4ed8;text-decoration:none;\">Microsoft Security<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">6. ShinyHunters exploits Oracle PeopleSoft zero-day (CVE-2026-35273), extorts universities<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">Mandiant \/ Google Cloud Threat Intelligence &middot; Jun 23, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\"><strong>ShinyHunters<\/strong>, a financially motivated threat actor with a long history of large-scale data-theft extortion, exploited <strong>CVE-2026-35273<\/strong> &mdash; a zero-day in <strong>Oracle PeopleSoft<\/strong> &mdash; to breach multiple university and higher-education targets, exfiltrating student and staff records before initiating extortion demands. Mandiant&rsquo;s report provides the vulnerability details, the actor&rsquo;s exploitation methodology, and the data exfiltration techniques observed in victim environments. Oracle PeopleSoft is widely deployed in the education sector for HR, financial, and student-records management, making this zero-day particularly high-value for targeting student data at scale. Immediate actions for PeopleSoft operators: apply Oracle&rsquo;s emergency patch if available; audit PeopleSoft access logs for anomalous query patterns, bulk-export activity, and service-account abuse in the exposure window; and treat any institution running internet-facing PeopleSoft as a potential victim regardless of whether an intrusion has been confirmed yet. The education sector&rsquo;s historically under-resourced security posture makes it a preferred target for extortion actors.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/shinyhunters-targets-education-sector-oracle-exploit\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/shinyhunters-targets-education-sector-oracle-exploit\" style=\"color:#1d4ed8;text-decoration:none;\">Mandiant \/ Google Cloud Threat Intelligence<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">7. Klue hack breaches several security firms (HackerOne, Huntress, Snyk)<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">TechCrunch &middot; Jun 22, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">The <strong>Klue<\/strong> supply-chain breach &mdash; initially disclosed the previous week as an OAuth token compromise &mdash; has now been confirmed to have resulted in data breaches at downstream customers including <strong>HackerOne<\/strong>, <strong>Huntress<\/strong>, and <strong>Snyk<\/strong>: three organizations whose businesses are, in part, securing other companies. The irony is operationally significant beyond the obvious: these breaches expose the data that security vendors hold on behalf of their customers, potentially including vulnerability research, penetration-test findings, and threat-detection telemetry. The Klue incident is a textbook illustration of the SaaS transitive-trust risk: a breach at a smaller, less-scrutinized SaaS vendor with OAuth delegations into high-value downstream platforms can compromise the downstream orgs at scale with minimal attacker effort. For defenders: review every third-party SaaS integration in your environment for OAuth scopes granted, data residency, and the vendor&rsquo;s own security posture. The Klue breach should prompt immediate revocation of Klue OAuth tokens across all connected platforms and a full audit of data accessible through those integrations.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/techcrunch.com\/2026\/06\/22\/klue-hack-results-in-data-breach-at-several-cybersecurity-firms\/\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/techcrunch.com\/2026\/06\/22\/klue-hack-results-in-data-breach-at-several-cybersecurity-firms\/\" style=\"color:#1d4ed8;text-decoration:none;\">TechCrunch<\/a><\/p>\n<\/div>\n<div class=\"article\" style=\"margin-top:20px;\">\n<h4 style=\"margin:0 0 4px;font-size:16px;color:#111827;\">8. Scattered Spider teens convicted over TfL cyber-attack<\/h4>\n<p class=\"meta\" style=\"margin:0 0 6px;font-size:12.5px;color:#475569;\">The Record &middot; Jun 23, 2026<\/p>\n<p style=\"margin:0 0 10px;font-size:14px;color:#374151;\">Members of <strong>Scattered Spider<\/strong> have been convicted in connection with the <strong>Transport for London<\/strong> cyberattack, marking a significant accountability milestone for a group that has operated with apparent impunity despite repeated, high-profile intrusions against major Western organizations. Scattered Spider is notable for its social-engineering sophistication &mdash; particularly its use of <strong>vishing and MFA fatigue attacks<\/strong> against helpdesk staff &mdash; and for recruiting young English-speaking members who can blend into corporate communications to conduct LAPSUS$-style insider-access abuse. The TfL attack disrupted passenger services and resulted in the exfiltration of customer data. The convictions matter beyond this specific case: they demonstrate that English-speaking financially motivated hackers operating in Western jurisdictions are not beyond the reach of law enforcement, and they may deter recruitment into similar groups. For defenders: Scattered Spider TTPs center on identity and helpdesk abuse; ensure your helpdesk staff have clear protocols for identity verification before any privileged account action, and treat vishing-resistant MFA as a baseline control.<\/p>\n<p style=\"margin:0 0 18px;\"><a href=\"https:\/\/therecord.media\/guilty-plea-tfl-cyberattack-scattered-spider-members\" style=\"display:inline-block;background-color:#b91c1c;color:#ffffff;text-decoration:none;font-size:13px;font-weight:600;padding:9px 16px;border-radius:6px;\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/therecord.media\/guilty-plea-tfl-cyberattack-scattered-spider-members\" style=\"color:#1d4ed8;text-decoration:none;\">The Record<\/a><\/p>\n<\/div>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:24px 28px 4px;\">\n<h2 style=\"margin:0 0 4px;font-size:20px;color:#0f172a;\">On our watch list<\/h2>\n<div style=\"height:3px;width:48px;background-color:#b91c1c;margin-bottom:14px;\"><\/div>\n<ol style=\"margin:0 0 12px 18px;padding:0;font-size:14px;color:#374151;\">\n<li style=\"margin-bottom:8px;\"><strong>AryStinger botnet growth.<\/strong> The 4,300-device figure reflects discovered compromises, not the full potential scale. EoL D-Link and legacy SOHO devices number in the millions globally. Watch for expanded AryStinger IOC sets and secondary-use reports as researchers continue sinkholing and mapping the botnet&rsquo;s C2 infrastructure. Organizations running hybrid home\/office environments should treat unmanaged home routers accessing corporate VPNs as an elevated-risk entry point.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>macOS.Gaslight and the AI-triage arms race.<\/strong> The Gaslight technique of embedding prompt-injection payloads into malware artefacts is novel but conceptually straightforward to replicate. Expect this pattern to appear in other macOS and Windows families within weeks. AI-assisted triage and SOAR playbooks that ingest raw malware artefacts or strings without prompt-injection controls are now a viable attack surface. Track SentinelOne, CrowdStrike, and Microsoft Defender for Endpoint advisories for updated AI-triage safeguards.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>CVE-2026-35273 \/ Oracle PeopleSoft patch and exploitation spread.<\/strong> ShinyHunters&rsquo; active exploitation of this zero-day in the education sector is likely to expand to other PeopleSoft verticals as the vulnerability and exploitation methodology become more widely known. Higher education, healthcare, and government organizations running PeopleSoft should treat patch application as urgent and monitor for IOCs published in the Mandiant report.<\/li>\n<li style=\"margin-bottom:8px;\"><strong>Klue breach downstream disclosure.<\/strong> Three named security vendors is likely not the complete downstream victim list. Monitor for further breach notifications from Klue customers over the coming week. The event is also likely to prompt regulatory and client scrutiny of OAuth-delegation risk management across the SaaS security vendor space more broadly.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding:28px 28px 32px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:12px;text-align:center;\">\n<p style=\"margin:0 0 6px;color:#6b7280;\">Malware Analysis Weekly &middot; a weekly intelligence bulletin from Security Radar LLC<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Curated by Paul Davis (<a href=\"mailto:paul.davis@security-radar.com\" style=\"color:#1d4ed8;text-decoration:none;\">paul.davis@security-radar.com<\/a>)<\/p>\n<p style=\"margin:0 0 6px;color:#6b7280;\">Weekly news items are from the previous seven days. Foundational reading is refreshed each week.<\/p>\n<p style=\"margin:0 0 10px;color:#9ca3af;font-size:11px;\">*|LIST:ADDRESS|*<\/p>\n<p style=\"margin:0 0 10px;color:#6b7280;\"><a href=\"*|ARCHIVE|*\" style=\"color:#1d4ed8;text-decoration:none;\">View this email in your browser<\/a> &middot; <a href=\"*|UNSUB|*\" style=\"color:#1d4ed8;text-decoration:none;\">Unsubscribe<\/a><\/p>\n<p style=\"margin:14px 0 4px;font-size:11px;color:#9ca3af;\">&copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p style=\"margin:0;font-size:11px;color:#9ca3af;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Malware Analysis Weekly &middot; June 28, 2026 &middot; Weekly Edition Malware Analysis Weekly Families, campaigns, TTPs, and IOCs from the field &middot; for malware analysts and IR teams At a glance This week&rsquo;s threat landscape was shaped by a wave of new malware families, continued Chinese-nexus APT activity, and two&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,47],"tags":[],"class_list":["post-5357","post","type-post","status-publish","format-standard","hentry","category-malware","category-threat_intel"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5357"}],"version-history":[{"count":0,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5357\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}