InfoSec Briefing - June 12, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Friday the 12th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 2 articles to cover. All attribution is by the article authors. All article analysis is automated.

MalBeacon have written up a multi-stage intrusion using SSA-themed phishing to drop a collection of commodity remote access tools — AdaptixC2, XWorm, and ScreenConnect — all coordinated through Telegram infrastructure. The attacker used Registry Run-keys for persistence and certutil for payload staging, demonstrating how disparate malware families can be orchestrated through shared command channels.

Arista Networks have disclosed a vulnerability in their EOS switches configured for tunnel decapsulation — VXLAN, GRE, that sort of thing. The flaw allows attackers to bypass network segmentation by sending encapsulated packets that aren't properly validated, and it's being exploited in the wild. The interesting bit: Arista won't be patching it due to operational concerns, so defenders are left implementing manual mitigations. Worth flagging if you're running affected kit.

That concludes today's briefing.

📰 Articles Covered

[Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion - MalBeacon

This report summarizes the multi-stage intrusion documented by Deception.pro regarding a campaign observed between May 19 and May 24, 2026.

### Executive Summary
The operation involved an adversary utilizing a Social Security Administration (SSA)-themed phishing campaign to compromise a target workstation. Once the initial foothold was established, the attacker deployed a suite of commodity Remote Access Trojans (RATs) and remote management tools to ensure persistence, maintain redundant control, and perform reconnaissance within a simulated healthcare environment.

### Target and Impact
* **Target:** A replica environment simulating a Healthcare organization. The environment comprised a Microsoft Active Directory structure with over 1,000 endpoints and 500+ users.
* **Persona:** The attack specifically targeted a "Clinical Quality Analyst" persona based in the United States.

### Technical Breakdown
The intrusion followed a sophisticated, multi-stage kill chain:
* **Initial Access:** Victims received a phishing email containing a link to a RAR archive hosted on a compromised WordPress site. The domain used was a typosquatted variant (`1omlinemailserver[.]work`).
* **Execution:** The malware used a Right-to-Left Override (RTLO) trick to disguise a `.exe` file as a PDF (e.g., `.fdp.exe`), enticing the user to execute it.
* **Staging:** The attacker utilized `certutil` to download secondary payloads from a malicious domain (`cloudpre-005[.]online`).
* **Persistence:** The threat actor achieved persistence by modifying Registry Run-keys, camouflaging malicious processes as legitimate software updaters (e.g., `JavaUpdater`, `PayloadService`).
* **C2 Frameworks & Tools:**
* **AdaptixC2:** Used as the primary C2 channel, beaconing over HTTPS on port 443 with a static `Firefox/20.0` user agent.
* **XWorm:** Used for redundant access and data exfiltration via Telegram. It beaconed to `gatuso[.]duckdns[.]org:5111`.
* **ScreenConnect:** Deployed via `msiexec` from external domains (`nextleveldigitalinnovationx[.]com` and `fragment-sales[.]store`) on port 8041 to provide interactive remote control.

### Security Implications
The primary implication is the adversary's ability to unify disparate commodity malware families (AdaptixC2, XWorm, and Phantom Stealer) under a shared Telegram infrastructure. This indicates a coordinated, "hands-on-keyboard" operator. The attacker successfully performed domain reconnaissance using SAMR/LSAD enumeration techniques, signaling an intent to move laterally within the network.

### Recommendations for Defenders
* **Prioritize Behavioral Detection:** Since commodity tools change rapidly, focus on behavioral and network patterns (e.g., specific beaconing profiles) rather than static file hashes.
* **Network Monitoring:** Monitor for suspicious HTTPS traffic associated with AdaptixC2, specifically POST requests to endpoints such as `/updates/check.php`, `/api/v1/status`, and `/content.html`.
* **Tooling Oversight:** Treat `msiexec` installations initiated from external URLs as high-signal alerts, particularly for remote access tools like ScreenConnect.
* **Reconnaissance Alerts:** Detect anomalous bursts of `Samr*` and `Lsar*` RPC calls, which indicate domain account and trust enumeration.
* **Registry Hygiene:** Regularly audit Registry Run-keys for suspicious entries, especially those masquerading as legitimate vendors or located in writable user directories like `C:\Users\Public\`.

【1】
On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface) - Arista Networks

This précis summarizes Security Advisory 0137 regarding a vulnerability in Arista EOS (CVE-2026-7473), which is currently known to be exploited in the wild.

### What Happened
A vulnerability exists in Arista EOS switches configured for tunnel decapsulation (such as VXLAN, GRE, or decap-groups). The switch fails to verify the protocol type of incoming encapsulated traffic. As a result, if a packet matches the device's configured decapsulation IP address, the switch will attempt to decapsulate and forward it, even if the packet's tunnel protocol does not match the expected configuration.

### Who is Affected
* **Software:** The vulnerability affects all releases across all EOS software trains.
* **Platforms:**
* **Fully Impacted:** 7020R, 7280R/R2, and 7500R/R2 series.
* **Limited Exposure:** 7280R3, 7500R3, and 7800R3 series (restricted to specific cases involving IP-in-IPv6 and GUEv6).
* **Not Affected:** Any device that does not have active tunnel endpoint configurations (e.g., `vxlan`, `Tunnel0`, or `decap-group`) is not exposed.

### Security Implications
This flaw allows for the unauthorized processing and forwarding of traffic. Attackers can leverage this to bypass intended network segmentation, potentially gaining access to internal network segments by sending tunneled traffic that should have been rejected by the switch.

### Technical Details
The root cause is classified as an "Incomplete Comparison with Missing Factors" (CWE-1023). Because the system lacks a validation check for the protocol type, the device blindly accepts any packet directed to the decapsulation IP address, regardless of whether the packet's encapsulation method aligns with the service configured on the switch.

### Defender Guidance
Arista has indicated there will be no software patch for this issue, as doing so could disrupt existing network deployments. Defenders must implement mitigation strategies manually:

* **Detection:** Monitor for unusual traffic patterns on internal segments. Utilize ACL per-entry counters to identify if tunneled traffic of unauthorized protocols is being processed.
* **Configuration Review:** Use commands such as `show interfaces vxlan`, `show interfaces Tunnel0`, or `show ip decap-group` to determine if your devices have active tunnel endpoint configurations.
* **Mitigation Options:**
* **Upstream Filtering:** Apply Access Control Lists (ACLs) on devices upstream from the decapsulation switch to permit only legitimate tunnel traffic and drop unauthorized packets.
* **Local Filtering:** Apply ACLs directly to the decapsulation switch. Note that this approach is more complex and may require a disruptive update to the TCAM profile to support necessary UDF (User Defined Field) qualifiers or IPv6 PACL configurations.