Threat Research | Weekly Recap [28 Jun 2026]

Cybersecurity Threat Research ‘Weekly’ Recap. This week’s coverage spans supply-chain and DevOps attacks, credential-harvesting phishing, and exploitation of widely used software to steal tokens, deploy backdoors, or monetize access. It also highlights nation-state and fraud ecosystems, alongside Windows and macOS tradecraft that focus on evasion, persistence, and stealthy command-and-control.

#MiasmaMiniShaiHulud #GuardDog3 #Klue #Salesforce #Gong #OpenClaw #OperationDragonReturn #DcRAT #STOCKSTAY #Turla #Gamaredon #CLSTA1062 #TinyRCT #AWSConsoleAiTM #EvilTokens #DCloudUniApp #GhostStadium #BackdoorMistic #Edgecution #StrikeShark #SharkLoader #OXLOADER #CASTLESTEALER #QuimaRAT #COMAbuse #Qakbot #Attor #macOSGaslight #AsynRAT #OperationEndgame #StealC #Amadey #MicrosoftEntra #NestedAppAuthentication

Supply Chain, Package Poisoning, and DevOps Theft

  • Miasma Mini Shai-Hulud compromised npm and Go packages to steal developer and CI/CD secrets via GitHub Actions abuse and hidden payloads.
  • GuardDog 3.0 revamped package malware detection with YARA, sandboxing, and broader support for npm, PyPI, and Go scanning.
  • Klue supply chain compromise exposed Salesforce and Gong tokens, enabling CRM data theft and extortion.
  • OpenClaw AI marketplace abuse showed that malicious skills can become a new supply chain vector for infostealers and financial fraud.

Espionage, APTs, and Nation-State Operations

  • Operation DragonReturn used a fake Indian tax utility and DcRAT to spy on finance and tax targets in India.
  • STOCKSTAY expanded Turla's espionage toolkit with a .NET backdoor aimed at Ukraine and Europe.
  • Gamaredon remained aggressive against Ukrainian government and military targets, increasingly using legitimate services and cloud storage for C2 and exfiltration.
  • CL-STA-1062 targeted Southeast Asian governments and critical infrastructure with web shells, open-source tools, and the TinyRCT backdoor.
  • Nation-state activity against water and wastewater systems highlighted OT exposure, weak credentials, and IT/OT segmentation gaps as persistent strategic risks.

Phishing, Credential Theft, and Account Takeover

  • AWS console AiTM phishing harvested credentials and MFA codes in real time, with SendGrid-themed lures and gated targeting logic.
  • EvilTokens hid Microsoft 365 takeover flows behind browser-side AES-GCM decryption to evade static analysis.
  • Fake domain renewal emails used countdown pressure and redirect chains to trick site owners into paying scammers.
  • Income-tax-themed phishing pushed staged malware through fake government portals and archive-based payloads.
  • WhatsApp VBScript lures silently installed ManageEngine Endpoint Central for remote access across multiple countries.

Exploitation, Backdoors, and Ransomware Access

  • Langflow CVE-2026-55255 was actively exploited for IDOR-based token theft, while CVE-2026-33017 drove the main monetization path.
  • Langflow CVE-2026-33017 was also used to deploy a cryptomining toolchain that disabled defenses and spread via reused SSH keys.
  • Cisco Catalyst SD-WAN Manager CVE-2026-20245 was exploited for root access after rogue peering and password manipulation, followed by heavy cleanup.
  • Backdoor.Mistic emerged as a stealthy backdoor tied to broader access-broker activity and opportunistic multi-sector intrusions.
  • Payouts King-linked actors used the Edgecution browser extension to deliver a Python backdoor via Microsoft Edge native messaging.
  • StrikeShark used SharkLoader to deliver Cobalt Strike Beacon through public-facing app exploitation and DLL sideloading.
  • OXLOADER distributed CASTLESTEALER via malicious Google Ads and staged files with strong anti-analysis features.
  • QuimaRAT surfaced as a cross-platform Java-based MaaS RAT for Windows, macOS, and Linux.

Scams, Fraud, and Fake Ecosystems

  • DCloud Uni-App powered a massive scam ecosystem with fake exchanges, wallet drainers, and phishing domains tied to multiple shell companies.
  • GHOST STADIUM built a FIFA 2026 ticket-fraud phishing network using more than 300 domains and a pixel-perfect fake site.

Windows and macOS Tradecraft and Analyst Evasion

  • COM abuse remains a core Windows technique for execution, persistence, WMI access, and BITS transfers, with malware families like Qakbot and Attor using it heavily.
  • macOS.Gaslight used a Rust backdoor, Telegram C2, and a prompt-injection payload to mislead LLM-assisted analysis.
  • AsynRAT was deployed in an AI-hype lure campaign using staged scripts, scheduled tasks, and disguised system artifacts.

Operations, Disruption, and Defense Research

  • Operation Endgame disruptions hit the StealC ecosystem, seizing millions of credentials and impacting infrastructure tied to StealC and Amadey.
  • Microsoft Entra Conditional Access bypass research showed that Nested App Authentication could mint Graph tokens, an issue later patched by Microsoft.

Threat Research | Weekly Recap – hendryadrian.com