InfoSec Briefing - June 10, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Wednesday the 10th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 10 articles to cover. All attribution is by the article authors. All article analysis is automated.

Palo Alto Networks Unit 42 have confirmed active exploitation of a critical authentication bypass in PAN-OS GlobalProtect components. The flaw lets unauthorised actors bypass authentication entirely and establish VPN connections straight into internal networks. It landed on the CISA known exploited vulnerabilities list on the 29th of May, with widespread scanning observed but so far only limited successful sessions documented.

And another VPN bypass in the wild — this time from Check Point. Two critical flaws in the deprecated version one IKE protocol are being actively exploited by financially motivated actors linked to Qilin ransomware, with attacks running since early May. The authentication bypass scored nine point three out of ten and affects multiple versions going back to R80. The attackers are using dedicated VPS infrastructure and the Tox protocol for command coordination.

Trend Micro report that two Russia-aligned campaigns are still exploiting that year-old WinRAR vulnerability against Ukrainian organisations, nearly twelve months after the patch came out. The lack of centralised patch management for WinRAR continues to provide an opening — malicious archives are being used to deploy malware with persistence established via Windows Startup folders. One for anyone supporting Ukrainian organisations or running legacy WinRAR installs.

Proofpoint have tracked a North Korea-aligned actor called UNK_DeadDrop running a large-scale phishing campaign targeting developers. Between April and May they sent over 250 emails to nearly a hundred organisations, mostly in the US, using recruitment and code review lures to trick targets into cloning malicious GitHub repositories. When opened in IDEs like VS Code or Cursor, the repos automatically execute platform-specific malware — essentially an industrialised attack model aimed squarely at the developer community.

WhatsApp have filed a contempt motion against NSO Group for violating a permanent injunction that barred them from targeting WhatsApp and its users. Despite US court orders and government blacklisting, NSO have been conducting new social engineering attacks using one-click phishing to lure users to malicious domains. WhatsApp released indicators of compromise for three domains tied to the campaign.

France's DINUM have disclosed a security incident on Tchap, the messaging platform used by French government agencies. An unauthorised actor compromised a user account and accessed public forum data and profile information for roughly seventy-three thousand users — about nine percent of the total user base. The attacker ran malicious queries to pull public conversations and metadata including names, email addresses, and organisational affiliations. Private encrypted communications were not affected, and the account was blocked immediately.

BushidoToken report that ShinyHunters carried out a data extortion attack against Instructure, the company behind Canvas learning management system. The attackers exploited a vulnerability in the Free-for-Teacher account creation system, pulled three point six five terabytes of data, and defaced login portals for roughly three hundred and thirty educational institutions. The incident reportedly concluded with a ten million dollar ransom payment from Instructure — exam season timing presumably didn't hurt the leverage.

Researchers have developed QuasarNix, a machine learning framework to detect Linux living-off-the-land reverse shells that evade traditional signatures. Fourteen architectures were tested on over a million synthesised commands, with Gradient Boosted Decision Trees hitting sixty percent detection at a false positive rate of one in a million — significantly better than signature-based methods at three point three seven percent. The framework also showed resilience against adversarial evasion and poisoning attacks, which is worth noting for anyone evaluating ML-based detection tooling.

The Cloud Native Computing Foundation have issued a security notice about baltocdn.com, a domain formerly used as a community APT mirror for Helm. It was decommissioned in September last year and re-registered by a third party in May. Unverified reports now suggest the new owner may be serving malicious content, which creates supply chain risks for anyone whose systems or infrastructure still reference the expired domain.

And finally, Microsoft have introduced a two-hour delay for automatic extension updates in Visual Studio Code version one point one two three. The delay provides a window for community detection of malicious or broken updates before they spread widely — a straightforward supply chain mitigation. Extensions from Microsoft, GitHub, and OpenAI are exempt, and users can still manually update extensions immediately if they choose.

That concludes today's briefing.

📰 Articles Covered

Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 - Palo Alto Networks

Thank you for providing the summary of the article regarding **CVE-2026-0257**. Based on the information provided, here is a detailed precis of the situation:

### **Overview: CVE-2026-0257**
Palo Alto Networks Unit 42 has confirmed active exploitation of a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components within PAN-OS. This vulnerability allows unauthorized actors to circumvent authentication mechanisms and establish unauthorized VPN connections to internal networks.

### **Scope and Impact**
* **Affected Components:** GlobalProtect portal and gateway in PAN-OS.
* **Current Status:** The vulnerability was added to the CISA Known Exploited Vulnerability (KEV) catalog on May 29, 2026. While widespread probing has been observed, actual successful unauthorized VPN sessions remain limited to a small number of devices.
* **Security Implications:** The primary risk is unauthorized access to internal network resources. Currently, there is no evidence of post-exploitation activity, such as lateral movement or further malicious behavior, following the initial bypass.

### **Technical Indicators for Defenders**
Defenders should actively monitor their environments for the following indicators of compromise (IoCs):

| Category | Indicators |
| :--- | :--- |
| **Pre-PoC IP Addresses** | 23.128.228.6, 104.207.144.154, 146.19.216.119, 146.19.216.120, 146.19.216.125, 179.43.172.213, 185.195.232.139, 198.12.106.60, 202.144.192.47 |
| **Suspicious Host IDs/Names** | `aa:bb:cc:dd:ee:ff`, `00:11:22:33:44:55`, `WINDOWS-LAPTOP-001`, `DESKTOP-GP01`, `GP-CLIENT` |
| **Post-PoC Patterns** | Gateway-connected events where `endpoint_os_version` is "Microsoft Windows 10 Pro 64-bit" and `source_user_info.domain` is empty |

### **Recommended Actions**
* **Immediate Remediation:** Organizations must prioritize reviewing the official [Palo Alto Networks Security Advisory](https://security.paloaltonetworks.com/CVE-2026-0257) and applying the necessary patches or workarounds immediately.
* **Threat Hunting:** Security teams should scan logs for the listed IP addresses, suspicious host identifiers, and specific connection patterns indicative of exploitation.
* **Exposure Management:** Utilize tools like Cortex Xpanse to identify and secure any publicly exposed PAN-OS gateways or GlobalProtect portals.
* **Leverage Security Stack:** Ensure that security services such as Cortex XDR, XSIAM, and Advanced URL Filtering are active and updated, as these are designed to provide protection against this threat.
Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751) - Check Point Blog - Check Point Software Technologies Ltd.

The provided summary accurately captures the critical details regarding the vulnerabilities in the deprecated IKEv1 VPN protocol as reported by Check Point. To ensure you have the complete picture for your security operations, here is a structured precis based on the information provided:

### **Executive Summary**
Check Point has released urgent hotfixes to address two vulnerabilities (CVE-2026-50751 and CVE-2026-50752) within the deprecated IKEv1 VPN protocol. These flaws present significant risks, including authentication bypass and potential man-in-the-middle (MitM) attacks, with active exploitation already observed in the wild by actors linked to Qilin ransomware 【1】.

### **Vulnerability Details**

| Vulnerability | CVSS | Impact | Status |
| :--- | :--- | :--- | :--- |
| **CVE-2026-50751** | 9.3 | Authentication bypass in Remote/Mobile Access VPNs | Actively exploited |
| **CVE-2026-50752** | 7.4 | Certificate validation flaw in site-to-site VPNs | No active exploitation observed |

### **Key Findings for Defenders**

* **Affected Products & Versions:** The issue impacts a wide range of Check Point deployments, specifically those utilizing the deprecated IKEv1 protocol. Affected versions include R80.20.X (EOS), R80.40 (EOS), R81 (EOS), R81.10 (EOS), R81.10.X, R81.20, R82, R82.00.X, and R82.10 【1】.
* **Threat Actor Profile:** The exploitation of CVE-2026-50751 is attributed to financially motivated actors linked to Qilin ransomware. These actors are known to utilize dedicated VPS infrastructure and the Tox protocol for communications 【1】.
* **Forensic Guidance:** Organizations should conduct thorough log audits and configuration reviews. The earliest observed date of exploitation is May 7, 2026; investigations should prioritize activity from this date forward 【1】.
* **Remediation:** Immediate application of the provided security hotfixes is required. Defenders should consult the official Check Point support articles for specific upgrade paths and technical guidance:
* [sk185033](https://support.checkpoint.com/results/sk/sk185033)
* [sk185035](https://support.checkpoint.com/results/sk/sk185035)
Old WinRAR Flaw Fuels Attacks on Ukraine: Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, - Trend Micro

The provided summary accurately captures the core technical and strategic aspects of the campaigns detailed in the Trend Micro research.

To ensure you have the complete picture, I have reviewed the full content of the article. There are no additional critical sections or major findings outside of what was already summarized. The report emphasizes that the primary challenge for defenders is not the complexity of the exploit itself, but the **operational difficulty of patching legacy software** that lacks centralized management.

### Key Takeaways for Defenders
Beyond the immediate technical mitigations, the article highlights two strategic points for security teams:

* **The "Update Gap":** Because WinRAR does not support automatic updates or native Group Policy management, it creates a "long-tail" vulnerability risk. Defenders should treat software that lacks centralized update mechanisms as a high-priority asset for manual auditing and automated deployment via third-party patch management tools.
* **Detection Focus:** Since the exploit relies on the victim opening a file, the most effective detection occurs at the **post-exploitation phase**. Specifically, monitoring for suspicious file creation in the Windows Startup folder (`%AppData%\Microsoft\Windows\Start Menu\Programs\Startup`) is a high-fidelity indicator of compromise for these specific campaigns.

If you are managing an environment with a large number of endpoints, it is recommended to prioritize scanning for the WinRAR version number (specifically ensuring all instances are at version 7.13 or higher) as part of your next vulnerability assessment cycle.
Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency - Proofpoint

The "UNK_DeadDrop" campaign represents a sophisticated, evolving threat targeting developers, likely orchestrated by a North Korea-aligned actor 【1】【1】. Below is a detailed precis of the activity.

### What Happened
Between April and May 2026, threat actors conducted a large-scale phishing campaign sending over 250 emails to individuals across nearly 100 organizations 【1】【1】. The emails used recruitment or code review themes, directing targets to GitHub repositories that appeared to be legitimate technical assignments or cryptocurrency projects 【1】. Once a target cloned and opened these repositories in IDEs like VS Code or Cursor, malicious scripts executed automatically, leading to the deployment of platform-specific malware 【1】【1】.

### Who Is Affected
The campaign targeted developers globally, with a primary focus on organizations in the United States 【1】. Affected sectors include:
* Technology
* Education
* Financial services (specifically cryptocurrency)
* Business services

### Security Implications
This campaign demonstrates an industrialization of developer-focused attacks, moving away from labor-intensive social media-based fake interviews toward scalable, automated phishing 【1】. The primary risks include:
* **Credential and Asset Theft:** Exfiltration of browser wallet extensions, decrypted credentials, and desktop wallets 【1】.
* **Remote Command Execution:** Attackers gain the ability to perform system reconnaissance and execute arbitrary commands on the target's machine 【1】.
* **Stealth and Persistence:** The use of malicious VSIX extensions and the abuse of legitimate IDE features allow for stealthy operation and, on macOS/Linux, long-term persistence 【1】【1】.

### Technical Details
* **Infection Vector:** The attack abuses the `tasks.json` file within a repository, specifically the `runOptions.runOn: "folderOpen"` feature, which triggers automatic execution upon opening the folder in an IDE 【1】【1】.
* **Platform Divergence:**
* **Linux/macOS:** Deploys a Go-based binary that acts as a persistent Remote Access Trojan (RAT) 【1】.
* **Windows:** Runs entirely as JavaScript within the editor’s Electron process using `ELECTRON_RUN_AS_NODE=1`, avoiding the need to drop a binary to disk 【1】.
* **Anti-Forensics:** The infection chain attempts to clean up by deleting malicious payloads and directories after execution 【1】.

### What Defenders Should Know
* **IDE Trust Settings:** Be aware that some IDEs, such as Cursor, may execute tasks without a trust dialog, facilitating silent infection 【1】.
* **Monitoring:** Monitor for suspicious `tasks.json` configurations in cloned repositories and unusual child processes spawned by IDEs (e.g., `Code.exe` acting as a Node.js interpreter) 【1】【1】.
* **VSIX Auditing:** Regularly audit installed Visual Studio Extensions (VSIX) for unauthorized or suspicious additions 【1】.
* **Operational Resilience:** The attackers are embedding payloads directly into repositories to increase resilience against infrastructure takedowns, meaning defenders cannot rely solely on blocking external download domains 【1】.
Incident de sécurité sur Tchap : la DINUM sécurise la plateforme et informe les usagers après une intrusion maîtrisée - Security incident on Tchap: DINUM secures the platform and informs users - Direction interministérielle du numérique (DINUM)

Based on the official report regarding the security incident on the Tchap messaging platform, here is a detailed precis of the event.

### Incident Overview
The incident involved an unauthorized actor who gained access to the Tchap platform by exploiting a user account. The attacker used this compromised account to perform malicious queries, allowing them to access data from public forums within the application 【1】.

### Scope and Affected Users
* **Affected Population:** Approximately 73,467 agents were impacted, representing less than 9% of the total 825,000 registered users 【1】.
* **Exposed Data:** The attacker potentially accessed user profile information, including names, surnames, email addresses, organizational affiliations, and avatars 【1】.
* **Content Exposure:** The exposure was limited to the content of **public conversations**. By design, these forums are open to all users, and their messages are not encrypted 【1】.

### Security Implications
* **Integrity of Private Communications:** The incident did not compromise private, encrypted conversations. Tchap’s architecture ensures that even if an account is usurped, the history of private, end-to-end encrypted exchanges remains inaccessible to the attacker 【1】.
* **Response Actions:** The account responsible for the malicious activity was identified and immediately blocked to terminate the attacker's persistent access and facilitate a forensic analysis of the accessed data 【1】.
* **Ongoing Investigation:** Authorities are currently analyzing event logs to determine the exact scope of the conversations accessed and the specific nature of any data that may have been exfiltrated 【1】.

### Key Takeaways for Defenders and Users
* **Platform Security:** Tchap remains a secure tool for professional exchanges, provided that users adhere strictly to established usage guidelines 【1】.
* **Public vs. Private Channels:** Users must be reminded that public forums are not encrypted and are inherently less secure.
* **Data Sensitivity:** No personal, sensitive, or information covered by professional secrecy should ever be shared in public conversations. Such sensitive exchanges must be strictly reserved for private, encrypted channels 【1】.
UK Cybercrime Journal: British Universities Struck by ShinyHunters Before Exam Season - BushidoToken

This precis outlines the major data extortion incident involving the educational technology company Instructure and the threat actor group ShinyHunters.

### What Happened
The threat actor group ShinyHunters conducted a massive data extortion attack against Instructure, the company behind the widely used Canvas learning management system. After exfiltrating approximately 3.65 terabytes of data, the attackers escalated their campaign by defacing the login portals of roughly 330 educational institutions and engaging in direct extortion attempts against individual schools 【1】【1】. To prevent the public release of the stolen information, Instructure reached an agreement with the attackers, reportedly paying a ransom estimated at $10 million USD 【1】.

### Who Is Affected
* **Instructure:** The primary target, which suffered significant data loss and operational disruption.
* **Educational Institutions:** Approximately 330 institutions faced portal defacements and direct extortion threats.
* **Users:** Students, faculty, and staff whose data was contained within the 3.65 terabytes of exfiltrated information.

### Security Implications
ShinyHunters is a financially motivated collective active since 2019 that focuses on data theft for extortion rather than traditional ransomware deployment 【1】. This incident underscores the risks of large-scale data exfiltration and the unreliability of "proof of destruction" provided by criminals, as digital shred logs or videos can be easily fabricated 【1】.

### Technical Details
The breach originated from an exploited vulnerability within Instructure’s "Free-for-Teacher" account creation system 【1】. This vulnerability allowed the attackers to gain unauthorized access and exfiltrate a massive volume of data (3.65 TB) to unknown IP addresses 【1】.

### What Defenders Should Know
Defenders should prioritize the following strategies based on the lessons from this incident 【1】:

| Strategy | Defensive Action |
| :--- | :--- |
| **Platform Security** | Conduct identity security audits in addition to standard application penetration testing. |
| **Monitoring** | Implement 24/7 SOC monitoring to detect anomalous login patterns and large-scale data exfiltration. |
| **Business Continuity** | Develop, update, and regularly test Business Continuity Plans (BCPs) to maintain operations during system outages. |
| **Post-Breach Vigilance** | Prepare for "second-order effects" such as increased phishing, brute-force attacks, and account takeovers using the stolen data. |
| **Threat Intelligence** | Maintain a zero-trust stance toward cybercriminals; never assume that "proof of data destruction" is genuine. |
QuasarNix: Reverse Shell Detection with Machine Learning - Dmitrijs Trizna

The QuasarNix project is a research initiative focused on enhancing the detection of Linux *living-off-the-land* (LOTL) reverse shells—covert outbound connections established by attackers using legitimate system binaries like `bash`, `python`, or `nc` 【1】.

### Detailed Precis

| Category | Details |
| :--- | :--- |
| **What Happened** | Researchers developed a framework to address the failure of traditional signature-based detection methods against modern, evasive LOTL reverse shells. They created a large-scale, synthesized training corpus of over 1 million commands and evaluated 14 different machine learning architectures to identify effective detection methods for real-world SIEM environments 【1】. |
| **Who is Affected** | Organizations relying on Linux infrastructure are the primary beneficiaries, particularly those struggling with high alert fatigue in their Security Information and Event Management (SIEM) systems due to ineffective signature-based detection 【1】. |
| **Security Implications** | The project highlights the fragility of existing detection mechanisms against adversarial evasion and poisoning. It provides a path toward more resilient, ML-driven detection that maintains high performance even when attackers attempt to bypass or manipulate security models 【1】. |
| **Technical Details** | The framework targets an operating point of a False Positive Rate (FPR) of $10^{-6}$ to minimize alert fatigue. It utilizes a dataset synthesized from 34 reverse-shell templates. Gradient Boosted Decision Trees (GBDT/XGBoost) were found to be the most effective, achieving a 60% True Positive Rate (TPR) at the target FPR, significantly outperforming traditional signature-based methods (3.37%) 【1】. |
| **What Defenders Should Know** | GBDT models offer superior performance and inherent resistance to training-time poisoning attacks (e.g., label-flipping or backdoors) due to their ensemble voting mechanism. While neural models are more susceptible to evasion, they can be secured through adversarial training. The effectiveness of this hybrid ML-for-SIEM approach has been validated at an industrial scale by organizations like Google 【1】. |

Defenders can access the research dataset and pre-trained models via the project's Hugging Face repositories, and further technical details are available in the associated publication, *Robust Large-Scale Detection of Living-Off-the-Land Reverse Shells via Data Synthesis* (ACM Transactions on Privacy and Security, 2025) 【1】.
Security Notice: Former Helm APT Mirror Domain `baltocdn.com` Statement | Helm - Cloud Native Computing Foundation

This precis outlines the security notice regarding the domain `baltocdn.com`, which was formerly used as an APT mirror for Helm.

### What Happened
The domain `baltocdn.com`, previously used as a community-maintained APT mirror for Helm, was decommissioned in September 2025 【1】. Following the expiration of its registration, a third party re-registered the domain on May 19, 2026 【1】. The Helm Security Team has received reports—though not independently verified—that the new owner may be using the domain to serve malicious content 【1】.

### Who Is Affected
Users are affected if they maintain any Debian or Ubuntu-based systems, CI/CD pipelines, container images, bootstrap scripts, configuration management templates, or internal documentation that still reference `baltocdn.com` 【1】.

### Security Implications
Any continued use of `baltocdn.com` poses a significant supply chain risk 【1】. Specifically, any system that attempted to download or execute binaries from this domain after May 19, 2026, should be considered potentially compromised and subjected to standard incident response procedures 【1】.

### Technical Details
* **Decommissioning:** The domain ceased to be a valid Helm distribution endpoint in September 2025 【1】.
* **Domain Hijacking/Repurposing:** Because the domain registration lapsed and was acquired by an unauthorized third party, any automated systems or manual configurations still pointing to it may now be directed to malicious infrastructure 【1】.
* **Current Repository:** Helm now utilizes `https://packages.buildkite.com/helm-linux/helm-debian` for Debian/Ubuntu APT-based installations 【1】.

### What Defenders Should Know
Defenders should take the following immediate actions to secure their environments:
* **Audit and Remove:** Scan all infrastructure—including CI/CD pipelines, Dockerfiles, and configuration management tools—for any references to `baltocdn.com` and remove them 【1】.
* **Update Configurations:** Point all Debian/Ubuntu APT-based Helm installations to the official repository: `https://packages.buildkite.com/helm-linux/helm-debian` 【1】.
* **Network Blocking:** Disable access to `baltocdn.com` at the network level (e.g., via corporate proxies or firewalls) to prevent accidental connections 【1】.
* **Incident Response:** If a system is identified as having interacted with the domain after May 19, 2026, treat it as compromised and initiate internal incident response protocols 【1】.
Visual Studio Code 1.123: Delayed extension auto-updates - Microsoft

The following is a precis regarding the "Delayed extension auto-updates" security feature introduced in VS Code version 1.123.

### **What Happened**
Visual Studio Code has implemented a mandatory two-hour "buffer" period for automatic extension updates. Instead of updating immediately upon the release of a new version, the IDE will now wait two hours after a publisher pushes an update before applying it automatically.

### **Who Is Affected**
* **Users:** All VS Code users who have automatic extension updates enabled.
* **Extensions:** Most third-party extensions are subject to this delay.
* **Exemptions:** Extensions from "trusted publishers"—specifically identified as Microsoft, GitHub, and OpenAI—are exempt from this policy and will continue to update immediately.

### **Security Implications**
This feature serves as a defensive measure against "supply chain attacks" or accidental "bad releases." By introducing a delay, the development team provides a window of time for:
* **Community Detection:** If a malicious or broken update is published, the two-hour window increases the likelihood that the issue is identified, reported, or retracted by the publisher before it reaches the majority of the user base.
* **Risk Mitigation:** It limits the "blast radius" of compromised extensions, preventing widespread, instantaneous impact across the user ecosystem.

### **Technical Details**
* **Mechanism:** The IDE tracks the publication timestamp of extension updates. The automatic update process is gated by a two-hour timer relative to that publication time.
* **User Control:** The delay is not a hard block; users retain full control. A manual "Update" button remains available, allowing users to bypass the delay if they choose to update immediately.
* **Transparency:** When an update is pending due to this delay, the extension's details view provides clear feedback, informing the user why the update is currently held and providing the specific time at which the automatic update will trigger.

### **What Defenders Should Know**
* **Defense-in-Depth:** This is a proactive security control designed to mitigate risks where a publisher's account might be compromised or where a CI/CD pipeline is poisoned.
* **Operational Awareness:** Defenders and system administrators should be aware that their environments will not be running the "latest" version of third-party extensions immediately upon release. This is an intentional security trade-off.
* **Incident Response:** During an active incident involving a malicious extension, defenders should note that the two-hour delay may have prevented some endpoints from receiving the malicious payload, potentially simplifying containment efforts.
Fighting Spyware: An Update From WhatsApp: Today, we’re asking the court to hold NSO in contempt for violating a permanent injunction that barred them from ever targeting WhatsApp and its users. - Meta

WhatsApp has recently taken further action against the NSO Group, a spyware firm previously blacklisted by the U.S. government, by asking a court to hold the company in contempt for violating a permanent injunction that prohibited them from targeting WhatsApp and its users 【1】.

### What Happened
WhatsApp successfully identified and disrupted new social engineering attempts linked to NSO Group. These attempts involved tricking users into clicking malicious links that directed them to external websites, as well as the creation of unauthorized test accounts and groups on the platform 【1】.

### Who Is Affected
While WhatsApp did not specify a particular demographic, it noted that surveillance-for-hire firms historically target a wide range of individuals, including journalists, government officials, military personnel, and humanitarian organizations 【1】.

### Security Implications
* **National Security Threat:** WhatsApp characterizes spyware as a significant national security threat, noting that NSO continues to develop tools to exploit vulnerabilities in browsers, operating systems, and various applications beyond just WhatsApp 【1】.
* **Defiance of Legal Orders:** The ongoing activity suggests that NSO continues to defy U.S. court orders, which WhatsApp argues undermines national security and puts global users at risk 【1】.

### Technical Details
The attack vector identified in this instance was 1-click phishing, where users were lured to external malicious domains. WhatsApp has released the following indicators of compromise (IOCs) associated with these domains:
* `hxxps://ikhwancast[.]com`
* `hxxps://ghazacast[.]com`
* `hxxps://fr24cast[.]com`

### What Defenders Should Know
* **Threat Intelligence:** WhatsApp is sharing these indicators to help users and security professionals identify if they have been targeted across any platform, including email, text, or other messaging services 【1】.
* **Protective Measures:** Users are urged to keep their applications and devices updated, report suspicious activity, and enable "strict account settings" to harden their WhatsApp accounts against sophisticated attacks 【1】.
* **Support for Defense:** WhatsApp is actively supporting the Spyware Accountability Initiative (SAI), which provides resources to organizations focused on forensic research, user support, and advocacy against spyware firms 【1】.