Cybersecurity Threat Research ‘Weekly’ Recap. This week covered supply-chain and developer-focused intrusions (Shai-Hulud, Mini Shai-Hulud/Miasma/Hades, UNK_DeadDrop, GoFlateLoader) plus phishing and social-engineering campaigns that targeted Microsoft account tokens, social-media lure downloads, and FIFA/World Cup 2026 fraud kits. It also highlighted cloud/identity abuse and enterprise compromises (Entra Agent ID blueprint abuse, Azure DNS takeover, Duo Auth Proxy exposure, PulseRAT, MLTBackdoor) alongside ransomware/extortion/data theft cases (Tengu/Shisa, ShinyHunters) and defenses tied to flaws like ITScape (CVE-2026-46316).
#Shai-Hulud #Mini Shai-Hulud #Miasma #Hades #UNK_DeadDrop #GoFlateLoader #Vidarstealer #GHOST STADIUM #Pushpaganda #Rock #The Quarry #Entra Agent ID #Azure DNS #Duo Auth Proxy #PulseRAT #MLTBackdoor #Tengu #Shisa #UNC6240 #ShinyHunters #WooCommerce #OpenClaw #APT28 #Khmer Shadow #NIGHTFORGE #KaynLdr #WinRAR #CVE-2026-46316 #ITScape
Supply Chain & Developer Targeting
- Expanded Shai-Hulud campaign targeted npm, PyPI, CI/CD pipelines, IDE configs, and LLM-based scanner defenses, combining token theft with malicious package publishing. Shai-Hulud evolution
- Malicious PyPI wave tied to Mini Shai-Hulud / Miasma / Hades used trojanized wheels, .pth hooks, and loader tricks to steal developer and CI/CD secrets. Mini Shai-Hulud, Miasma, and Hades
- Large npm campaign delivered multi-stage crypto malware via typosquatted packages, stealing wallets and credentials at scale. npm crypto malware campaign
- UNK_DeadDrop used fake recruiter/code-review repos plus VSIX and task automation to infect developers and steal wallets across major OSes. UNK_DeadDrop developer phishing
- GoFlateLoader leveraged oversized Golang binaries and in-memory execution to deliver multiple infostealers from cracked software and TDS traffic. GoFlateLoader infostealer loader
Phishing, Social Engineering & Scams
- Microsoft 365 device code phishing abused the OAuth device flow to trigger real Microsoft logins and capture Entra tokens for account takeover. Device code phishing campaign
- Short-form video lures on TikTok and Instagram Reels pushed fake premium software downloads, including a Vidarstealer delivery path. TikTok/Instagram phishing
- World Cup 2026 phishing and fraud campaigns used typosquats, fake ticketing, and AiTM tactics against fans and Google Workspace users. World Cup 2026 mobile phishing
- GHOST STADIUM operated a FIFA-themed phishing kit with thousands of active domains impersonating ticketing, streaming, and gambling services. GHOST STADIUM kit
- Pushpaganda abused Google Discovery feeds and AI-generated content to spread scareware, fake legal threats, and financial scams to Android and Chrome users. Pushpaganda campaign
- Rock / The Quarry sold phishing-as-a-service tooling with RMM abuse and cloaking for IRS, SSA, Adobe, Dropbox, DocuSign, and Messenger lures. Rock phishing toolkit
Cloud, Identity & Enterprise Abuse
- Microsoft Entra Agent ID blueprint abuse could widen compromise across agent identities and tenants, increasing cross-tenant blast radius. Entra Agent ID risk
- Azure DNS abandonment and cloud delegation hijacking enabled Thai gambling SEO poisoning across 163 organizations in 30+ countries. Cloud DNS takeover abuse
- Duo Auth Proxy and RADIUS exposure showed MFA infrastructure can be abused to decrypt auth traffic and reveal cleartext credentials. Duo Auth Proxy abuse
- PulseRAT used an ISO/LNK chain, WindowsVaultSyncService persistence, and Google Sheets C2 for covert remote access. PulseRAT RAT
- MLTBackdoor emerged as a multi-stage post-exploitation backdoor with obfuscation, DGA C2, and TLS communications. MLTBackdoor analysis
Ransomware, Extortion & Data Theft
- Tengu Ransomware operated as a disciplined RaaS with double extortion, custom tooling, and affiliate management before rebranding as Shisa. Tengu / Shisa profile
- UNC6240 / ShinyHunters used an Oracle PeopleSoft zero-day to compromise education-sector targets and leak stolen data. ShinyHunters PeopleSoft exploit
- WooCommerce checkout skimmers moved from phishing pages to legitimate store backdoors to steal card data and emails in real time. WooCommerce skimmer
- OpenClaw demonstrated that AI agents with inbox access can be phished into leaking credentials, keys, and exports. OpenClaw phishing for secrets
APT, Espionage & Geopolitical Operations
- APT28 evolved toward disposable modules, edge/cloud C2, and even LLM-assisted tooling while targeting NATO, Ukraine, and government victims. APT28 tradecraft evolution
- Khmer Shadow ran targeted espionage against Cambodian government entities using sideloading, NIGHTFORGE, KaynLdr, and Havoc. Khmer Shadow espionage
- Maritime sanctions evasion networks used fake registry and classification sites to generate fraudulent documents for shadow fleet operations. Maritime sanctions evasion
- Russia-aligned campaigns kept exploiting WinRAR CVE-2025-8088 against Ukraine for payload delivery and espionage. WinRAR exploitation in Ukraine
Vulnerabilities, Exploits & Defensive Takeaways
- ITScape (CVE-2026-46316) showed a guest-to-host escape risk in KVM/arm64 vGIC-ITS emulation affecting multi-tenant cloud infrastructure. ITScape cloud escape
- RoguePlanet demonstrated a Windows Defender remediation race that can elevate to SYSTEM via Windows Error Reporting. RoguePlanet LPE
- Vulnerability management remains outpaced by rising vulnerability counts and shrinking weaponization timelines, increasing pressure for automated remediation. Human-scale vuln limits
- A LABScon25 keynote argued that LLMs can help standardize and scale defensive evaluation as cyber systems grow too complex for manual handling. Ecology of cyber keynote