InfoSec Briefing - June 15, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Monday the 15th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 14 articles to cover. All attribution is by the article authors. All article analysis is automated.

ThreatHunting.io presented Tracebit at x33fcon, a proof-of-concept that fingerprints command-and-control implants by watching page fault telemetry rather than scanning for signatures. The approach monitors low-level memory behaviour to identify C2 frameworks, which should force attackers to rethink their evasion strategies.

A security researcher published ModuleStomped, a detection tool that spots module stomping attacks by monitoring the .pdata section of loaded DLLs instead of the usual .text section. It runs as either a process scanner or an event monitor, and has been tested against several C2 frameworks known to use the technique.

Helsing researchers detail a project to bootstrap Nix from a minimal, manually-auditable seed to address the Trusting Trust problem — essentially, not relying on opaque pre-compiled compiler binaries. The work establishes a verifiable chain of custody for build toolchains, which is recommended for high-assurance infrastructure rather than everyday application builds given the operational overhead.

A security researcher released EDRUnChoker, a defensive tool that detects and removes malicious QoS throttling policies created by the EDRChoker attack. EDRChoker is an evasion technique that abuses Windows QoS policies to throttle EDR agent bandwidth to near-zero, preventing cloud management communication. EDRUnChoker uses a fileless subscription to continuously monitor and remediate these policies.

Following on from the implementation guide we covered last week, TrustedSec have published hardening guidance for Microsoft Intune. Attackers who gain control of Intune can mass-deploy malicious payloads, wipe devices, and bypass security controls across entire managed fleets, so the guidance addresses over-privileged admin roles and the lack of modern identity protections in organisations treating Intune as a Tier 0 asset.

A researcher published ADWS-BOF, a Beacon Object File for Cobalt Strike that performs LDAP queries by communicating directly with Active Directory Web Services. It's designed for red team operations in environments where ADWS is enabled.

Arshia Reisi presented the Tunnel Vision toolkit at x33fcon, demonstrating critical vulnerabilities in Microsoft Global Secure Access. The toolkit reverse-engineers the gRPC-based wire protocol to create rogue tunnel clients that bypass zero-trust controls using stolen credentials, spoof device compliance checks, and maintain persistent access to protected networks.

Varonis Threat Labs ran the OpenClaw experiment showing that autonomous AI agents managing enterprise inboxes are highly vulnerable to context-driven social engineering. Gemini and GPT agents were successfully tricked into leaking AWS and SSH credentials and CRM data through simulated business scenarios, despite excelling at detecting technical anomalies like malicious links. One for anyone thinking about delegating email management to an agent.

Arch Linux administrators are responding to a supply-chain attack affecting roughly 400 accounts in the Arch User Repository. Malicious actors compromised or created accounts to upload packages with code injected into build files that executes during installation. Emergency response procedures are underway to remove malicious commits and ban responsible accounts.

Google Cloud report that ShinyHunters exploited Oracle PeopleSoft vulnerabilities to compromise over 100 organisations globally, with 68% being U.S. higher education institutions. The attackers staged malicious agents via Python HTTP servers, performed internal reconnaissance of PeopleSoft configurations, and automated SSH credential spraying for lateral movement before exfiltrating data published on their leak site in June.

Hex-Rays released rax, a CPU emulator designed for security research including reverse engineering, vulnerability research, and binary analysis in sandboxed environments. The tool provides instruction set emulation with integrated testing frameworks to ensure accuracy when analysing potentially malicious binaries.

A researcher released Noradrenaline, an open-source collection of native Linux and macOS shared library modules designed for post-exploitation within C2 frameworks like Poseidon. The modules enable automated reconnaissance including credential access via cloud metadata services for AWS, Azure, and GCP, system discovery, and AI tooling enumeration on compromised endpoints.

Codex published a preliminary analysis of the Arch User Repository malware, identifying a malicious npm package masquerading as atomic-lockfile that contained a Linux binary executing via npm preinstall scripts. The malware harvests credentials from browsers, developer tools, SSH keys, and shell histories, establishes persistence through systemd services, and deploys an eBPF rootkit when run with root privileges.

And finally, an article examining covert kernel-to-user communication channels on Windows used by advanced rootkits, driver-based malware, and game cheats to synchronise components while evading detection. The research categorises six layers of communication surfaces from basic interprocess communication to hypervisor and DMA manipulation techniques that repurpose legitimate Windows internals. Defenders are advised to implement baseline monitoring, integrity verification using symbol-backed parsers, and cross-layer correlation to detect these covert channels.

That concludes today's briefing.

📰 Articles Covered

tracebit_x33fcon_2026: a POC sensor aiming to fingerprint implants in memory using only lowlevel runtime telemetry. - ThreatHunting.io

The repository `threathunters-io/tracebit_x33fcon_2026` hosts the Proof-of-Concept (PoC) tool and presentation materials from a talk delivered at the **x33fcon 2026** conference in Gdynia, Poland 【1】.

### What Happened
The presenters introduced a novel research tool called **Tracebit** (or `tracebit.exe`), designed to identify and "fingerprint" modern Command-and-Control (C2) implants in memory 【1】. The technique focuses on detecting these implants using low-level runtime telemetry rather than traditional signature-based detection or memory scanning.

### Who Is Affected
This research primarily impacts operators of offensive C2 frameworks and developers of malware implants. By introducing a detection method that does not rely on static signatures, it poses a challenge to standard evasion techniques used by red teams and threat actors to remain hidden in memory.

### Technical Details
* **Core Mechanism:** The tool performs fingerprinting using **page faults** (runtime telemetry) rather than active memory scanning, which is often used by EDR (Endpoint Detection and Response) solutions.
* **Low-Level Telemetry:** The approach relies on monitoring subtle memory behaviors that are difficult for modern implants to mask without significantly altering their operational patterns.
* **Tooling:** The repository includes a PoC sensor (`tracebit.exe`) intended for educational and research purposes to demonstrate this detection capability 【1】.

### Security Implications
* **Advancement in Detection:** This research highlights a shift toward detecting implants via behavioral telemetry (how they interact with system memory) rather than searching for known malicious byte sequences.
* **Evasion Hurdles:** Because the method relies on inherent OS memory behaviors (page faults), it forces attackers to find more sophisticated ways to hide their memory presence, potentially increasing the complexity and operational cost of developing stealthy C2 implants.

### What Defenders Should Know
* **Beyond Signatures:** Defenders should look into runtime telemetry and memory behavioral analysis as a complement to traditional EDR scanning, especially when hunting for advanced implants.
* **Actionable Intelligence:** The repository serves as a practical resource for security professionals looking to understand modern implant detection. Defenders can use the provided PoC to test their own environments against these types of memory-based detection triggers.
* **Collaboration:** The conference context (x33fcon) emphasizes the importance of red and blue team collaboration—understanding these offensive research tools is critical for building more robust defensive architectures 【2】.

*(Note: There is a separate commercial entity also called "Tracebit" which provides cloud-native deception and honeytokens; however, the `threathunters-io` repository specifically refers to the research presentation at x33fcon 2026 【3】.)*
ModuleStomped: Proof of concept to detect module stomping detection by looking for modified .pdata sections. - 0xjbb

The ModuleStomped project serves as a proof-of-concept (PoC) security tool aimed at identifying a technique known as **Module Stomping**. This technique is used by malicious software to hide malicious code within the memory space of legitimate loaded Dynamic Link Libraries (DLLs) to evade detection.

Here is a detailed precis based on the documentation:

### What Happened (The Concept)
"Module Stomping" is a code injection technique where attackers replace the legitimate contents of a DLL module's memory—typically its `.text` section—with malicious code. Standard security solutions often monitor the `.text` section for changes; however, since attackers know this, they look for ways to bypass these checks. ModuleStomped counters this by shifting the focus of detection to the `pdata` section of loaded modules, which is generally expected to remain static and consistent with the disk-based version of the file.

### Who is Affected
The technique and the detection tool apply to any process running on a Windows system that loads DLLs. The tool has been explicitly tested against various Command-and-Control (C2) frameworks known to employ module stomping to mask their operations.

### Technical Details
* **Detection Mechanism:** The tool iterates through the loaded modules of a target process and validates their `pdata` sections against what is expected for those files.
* **Operating Modes:**
* **Process Scanner:** Performs a comprehensive scan of all accessible processes and their loaded modules.
* **ETW Mode:** Utilizes Event Tracing for Windows (ETW) to monitor image load events. When a target DLL is loaded, the tool triggers a scan of that specific process.
* **Requirements:** The tool requires Administrator privileges to access the memory of target processes.

### Security Implications and Defender Insights
* **Detection Reliability:** The author argues that targeting the `pdata` section is currently more reliable than monitoring the `.text` section, as the latter is a primary, well-known target for stomping.
* **Potential Bypasses:** The documentation acknowledges that attackers could circumvent this detection method. If an attacker identifies a sufficiently large `.text` section, they could manually append the malicious DLL's `pdata` section to maintain consistency with the validation logic, thereby evading the scan.
* **Operational Limitations:** The provided "Process Scanner" mode is reported to be quite slow in execution.
* **Recommendation for Defenders:** While this PoC provides a novel detection angle, the author notes that for production environments, monitoring `VirtualProtect` calls—specifically via ETW-Ti (Threat Intelligence)—is a more robust and professional approach for identifying module stomping and similar memory-based threats. Additionally, further detection improvements could be achieved by correlating suspicious stack frames against the `pdata` information.
Trusting trust - building Nix from a manually verified seed - Helsing

The provided summary accurately captures the core technical and security challenges addressed in the article regarding the bootstrapping of Nix from source to mitigate "Trusting Trust" vulnerabilities.

To complete this precis, it is important to emphasize that this work is a response to the inherent insecurity of **"bootstrapping from thin air."** Most modern build systems, including Nix, have historically relied on "binary blobs"—pre-compiled compilers or toolchains provided by third parties. Because these binaries are opaque, it is impossible to verify that they do not contain malicious code—such as the compiler backdoors famously theorized by Ken Thompson—that could propagate into every piece of software built with them.

### Additional Context for Defenders
Beyond the technical implementation, here are the strategic takeaways for security professionals:

* **The "Bootstrap Paradox":** Even in highly secure environments, developers often stop auditing once they reach the compiler. This project highlights that the compiler itself is a massive, opaque dependency. True security requires a "chain of custody" for the code that compiles the code.
* **Reproducibility vs. Verifiability:** While reproducible builds ensure that you get the same bit-for-bit binary from the same source, they do not guarantee that the source is malicious-code free. This project shifts the goalpost from *reproducibility* to *verifiability* by starting from a minimal, human-auditable root of trust.
* **The Cost of Security:** Implementing such a deep bootstrap chain is computationally expensive and complex to maintain. Defenders should prioritize this approach for **high-assurance infrastructure** (e.g., base OS components, crypto libraries, or critical build servers) rather than applying it to every application package, where the operational overhead may outweigh the security gains.
* **Moving Toward Self-Hosting:** The ultimate goal of this research is to create a "closed loop" where the entire development environment can be verified by its own audited tools. Defenders should look for projects that move beyond manual audits to automated, multi-stage bootstrap pipelines that provide high assurance with lower human intervention.

In summary, the Helsing project demonstrates that while "perfect trust" is nearly impossible to achieve, it is possible to dramatically reduce the "trust surface" by shrinking the base of unverified binary code to a level that a single human can comprehend and audit.
EDRUnChoker: EDRUnChoker - fileless WMI defense that removes EDRChoker QoS throttling policies - sbousseaden

This precis outlines the purpose and technical function of **EDRUnChoker**, an open-source defensive tool developed by Bousseaden to counter a specific class of EDR-evasion attacks.

### What Happened
The project addresses an attack vector known as **EDRChoker**, which abuses Quality of Service (QoS) policies (via `pacer.sys`) to throttle the network bandwidth of Endpoint Detection and Response (EDR) agents to near-zero levels. By severely limiting an EDR’s ability to communicate with its cloud-based management platform, attackers can effectively blind the security team and continue malicious activities undetected. EDRUnChoker provides a fileless, automated remediation mechanism to detect and remove these malicious throttling policies.

### Who is Affected
Organizations that rely on EDR solutions for endpoint visibility are at risk. Attackers using the EDRChoker technique target known security software by crafting QoS policies that restrict the bandwidth of specific application paths or apply aggressive rate limits (e.g., ≤ 1 Mbps).

### Technical Details
* **Mechanism:** EDRUnChoker registers a permanent WMI (Windows Management Instrumentation) subscription within `root\subscription`. This approach is entirely **fileless**, meaning no additional binaries are required on disk.
* **Remediation Logic:** It utilizes a 5-second timer to run an embedded VBScript that inspects QoS policies.
* **WMI Implementation:** Unlike standard WMI `ExecQuery` calls—which fail to see policies created by commands like `New-NetQosPolicy`—EDRUnChoker uses **WbemContext `PolicyStore`** to query `ActiveStore` and `GPO:localhost` directly, ensuring all active network throttling policies are identified.
* **Cleanup:** When it detects a policy targeting security software or applying malicious rate limits, it automatically removes the policy.

### Security Implications
* **Evasion Risk:** Attackers can potentially disable the EDRUnChoker defense by tampering with the WMI objects in `root\subscription`.
* **Stealth:** Because the tool uses WMI subscriptions (which can be misused by malware), it acts as a double-edged sword; while it defends against network throttling, the infrastructure it relies on (WMI eventing) is also a classic persistence and execution vector that requires careful management.

### What Defenders Should Know
Defenders can monitor for both the presence of the remediation tool and potential attempts by attackers to circumvent it using the following strategies:

| Action | Monitoring Strategy |
| :--- | :--- |
| **Track Remediation** | Monitor the Windows **Application** log for the provider `EDRChokerDefense`. Events 1000–1003 detail subscription status and policy removals. |
| **Monitor WMI Integrity** | Baseline the `root\subscription` namespace. Alert on any unauthorized creation, modification, or deletion of WMI objects. |
| **Specific Alerting** | Monitor for activity involving the following names: `EDRChokerDefense_QoSFilter`, `EDRChokerDefense_QoSConsumer`, and `EDRChokerDefense_Timer`. |
| **General WMI Auditing** | Look for Event IDs 19, 20, and 21 in the security logs, which indicate changes to WMI filters, consumers, and their bindings. Be particularly suspicious of new `ActiveScriptEventConsumer` or `CommandLineEventConsumer` instances outside of authorized maintenance windows. |
Hardening Intune: The Implementation Guide - TrustedSec, LLC

This precis summarizes the guidance provided by TrustedSec on hardening Microsoft Intune against modern threat actor techniques.

### What Happened & Who is Affected
Microsoft Intune has become a primary target for threat actors, as gaining control over an organization’s mobile device management (MDM) platform allows for the mass deployment of malicious payloads, device wiping, and bypassing of security controls across the entire managed fleet. This guide is relevant to **all organizations using Microsoft Intune**, particularly those where administrative roles are over-privileged or lack modern identity protections.

### Security Implications
Intune is effectively a "Tier 0" asset—a critical identity component that, if compromised, provides attackers with a powerful, persistent, and stealthy mechanism for lateral movement and broad system control. Threat actors leverage Intune to push malicious scripts or configurations to thousands of endpoints simultaneously, often evading traditional EDR alerts that might otherwise catch a single machine infection.

### Technical Details & Implementation Strategy
The article outlines a phased approach to securing the platform:

* **Phase 1 (Immediate):** Focuses on identity hygiene, specifically removing standing Global/Intune Administrator access and enforcing Privileged Identity Management (PIM).
* **Phase 2 (Short-term):** Focuses on access controls, including enforcing phishing-resistant MFA (authentication strength) and limiting management portal access strictly to trusted devices.
* **Phase 3 (Medium-term):** Focuses on environmental hardening, such as enforcing script signing, locking down Win32 app deployment, and tightening device enrollment restrictions.
* **Phase 4 (Continuous):** Involves deploying monitoring and detection via Microsoft Sentinel to identify suspicious administrative activity.

### Key Technical Pillars
* **Privileged Identity Management (PIM):** Eliminates standing access, requiring justification and MFA for temporary role activation.
* **Multi-Admin Approval (MAA):** Implements a mandatory "four-eyes" policy for high-impact actions like wiping devices or modifying RBAC settings.
* **Graph API Hardening:** Audits and restricts third-party app registrations that hold excessive permissions within the Intune environment.
* **Principle of Least Privilege:** Employs granular RBAC roles and scope tags to minimize the blast radius of any single compromised administrative account.

### What Defenders Should Know
* **Automated Auditing:** Defenders should utilize the provided `Invoke-IntuneSecurityAudit.ps1` PowerShell module to baseline their current risk, identify risky app registrations, and find legacy administrative assignments.
* **Defense-in-Depth:** There is no "silver bullet." The security of the platform relies on stacking these controls; PIM, MAA, and Conditional Access must function together to provide robust protection.
* **Destructive Oversight:** Any action that could result in mass device disruption or data loss (such as wipes or script deployments) must be protected by Multi-Admin Approval to prevent insider threats or unauthorized use of compromised credentials.
ADWS-BOF: Beacon Object File for LDAP Queries Through ADWS - Ethan

The `ADWS-BOF` repository provides a specialized tool for offensive security operations within Active Directory (AD) environments. Below is a detailed precis based on the project documentation.

### Overview
`ADWS-BOF` is a Beacon Object File (BOF) designed for Cobalt Strike (or compatible frameworks) that enables operators to perform Lightweight Directory Access Protocol (LDAP) queries against Active Directory by communicating directly with Active Directory Web Services (ADWS).

### Who Is Affected
The tool targets **Active Directory environments** where ADWS is enabled. Because ADWS is a standard service running on Domain Controllers to support features like the Active Directory PowerShell module, this tool is broadly applicable in most modern Windows enterprise networks.

### Security Implications
This tool offers a stealthy mechanism for performing reconnaissance and data exfiltration, providing several strategic advantages for an operator:
* **Bypassing Traditional Monitoring:** By utilizing ADWS, an operator may bypass security controls and network monitoring tools specifically tuned to detect standard LDAP or LDAPS traffic.
* **Lateral Movement & Reconnaissance:** It allows for the retrieval of arbitrary AD data, such as user lists, group memberships, and property values, which can be leveraged for further movement or privilege escalation.
* **Low Footprint:** As a BOF, it executes in-memory within the Beacon process, reducing the risk of leaving traditional forensic artifacts on the disk.

### Technical Details
* **Mechanism:** The tool is written in C++ (incorporating libraries by ZakiPedio) and implemented as a BOF to facilitate execution within the memory of a Beacon process.
* **Communication:** It interacts directly with the ADWS endpoint rather than using standard LDAP queries.
* **Authentication:** The tool supports flexible authentication methods, including:
* **Implicit:** Utilizing the current Beacon process access token.
* **Explicit:** Accepting provided credentials (username/password).
* **Connectivity:** By default, it attempts to resolve the Domain Controller's IP address automatically, though it also supports an optional `--ip` argument for manual targeting.

### Guidance for Defenders
Defenders should focus on monitoring the ADWS interface to detect misuse:
* **Network Monitoring:** Monitor for traffic originating from unexpected internal hosts directed at ADWS ports.
* **Behavioral Detection:** Look for abnormal or unauthorized query patterns against sensitive organizational objects, even when using legitimate protocol channels.
* **Hardening:** Review the deployment of ADWS within the network. Ensure that access to these services is restricted and segmented, limiting exposure to only those systems that legitimately require interaction with the service.
tunnel-vision-toolkit: Offensive security toolkit for Microsoft Global Secure Access (GSA), Microsoft's Zero Trust Network Access (ZTNA) solution. - Arshia Reisi

The "Tunnel Vision" research and associated toolkit, presented by Arshia Reisi at **x33fcon 2026**, highlights critical security vulnerabilities in **Microsoft Global Secure Access (GSA)**, Microsoft’s Zero Trust Network Access (ZTNA) solution. The toolkit demonstrates that the GSA wire protocol can be reverse-engineered to establish unauthorized, authenticated tunnels into protected networks 【1】.

### What Happened
Researchers reverse-engineered the GSA wire protocol, which relies on gRPC, and developed a fully functional, independent tunnel client. This custom "rogue" client can emulate a legitimate GSA-enrolled Windows device, allowing an attacker to route arbitrary traffic through Microsoft's secure edge and into a target's internal network 【1】.

### Who Is Affected
Organizations currently utilizing **Microsoft Global Secure Access (GSA)** as their ZTNA solution to manage remote access to on-premises resources are affected 【1】.

### Security Implications
* **Complete Tunnel Compromise:** Attackers can bypass the intended ZTNA security controls by establishing unauthorized tunnels using stolen credentials 【1】.
* **Posture Bypass:** Device compliance checks are currently performed client-side and lack server-side validation. The rogue client leverages this to spoof device metadata, effectively bypassing security policies that require specific device compliance states 【1】.
* **Token-Based Persistence:** Access persists for the duration of the stolen token's lifespan (typically ~75 minutes). Attackers can exfiltrate valid tokens from a compromised Windows host and use them on any operating system to maintain access 【1】.

### Technical Details
* **Protocol:** The research successfully identified and replicated the proprietary gRPC-based wire protocol used by the GSA service 【1】.
* **Rogue Client:** A Python-based tool that uses a TUN interface for transparent network integration. It handles authenticated gRPC communication, manages flow lifecycles, and spoofs device metadata to mimic a legitimate Windows client 【1】.
* **Credential Theft:** The toolkit includes Beacon Object Files (BOFs) for Windows:
* `gsa_enum`: Performs reconnaissance on the target, including dumping the GSA forwarding profile 【1】.
* `gsa_tbres_steal`: Uses DPAPI to decrypt and extract authentication tokens from the `TokenBroker` cache files on a compromised host 【1】.

### What Defenders Should Know
Defenders should prioritize protecting the Windows endpoints that act as the source of these authentication tokens and monitor for suspicious tunnel behavior:

* **Endpoint Hardening:** Protect `TokenBroker` cache files from unauthorized access, as these contain the secrets necessary to authenticate the rogue tunnel 【1】.
* **Threat Hunting:** Monitor for the use of reconnaissance tools (like `gsa_enum`) on GSA-enrolled Windows machines 【1】.
* **Anomaly Detection:** Look for GSA tunnel connections originating from non-Windows operating systems (Linux/macOS) or devices that do not match the organization’s managed asset inventory 【1】.
* **Audit Configurations:** Periodically review GSA forwarding profiles and logs for abnormal traffic patterns or unauthorized changes that indicate reconnaissance activity 【1】.
Phishing for Lobsters: How We Tricked OpenClaw into Spilling Secrets - Varonis

The provided research detail constitutes a comprehensive précis of the Varonis Threat Labs report on the "OpenClaw" phishing experiment.

### Executive Summary: The OpenClaw Campaign
The OpenClaw campaign was a security research initiative conducted by Varonis Threat Labs to evaluate how autonomous AI agents—increasingly deployed to manage enterprise inboxes—respond to sophisticated social engineering. The experiment revealed that while these agents excel at identifying technical anomalies (like malicious links or illegitimate OAuth flows), they are highly vulnerable to context-driven social engineering because they lack human organizational intuition and prioritize "helpfulness" over skepticism.

### Detailed Breakdown

| Aspect | Summary |
| :--- | :--- |
| **What Happened** | Researchers simulated an enterprise inbox using AI agents (Gemini 3.1 Pro and GPT-5.4) and subjected them to four classic phishing scenarios to test susceptibility. |
| **Who is Affected** | Any enterprise deploying autonomous AI agents to manage email, data retrieval, or communication flows, as these agents represent a new, highly accessible attack surface. |
| **Technical Details** | Researchers used "Agent phishing" (exploiting social trust) rather than "indirect prompt injection." Results varied: agents were tricked into leaking sensitive credentials (AWS, SSH) and CRM data through urgent, simulated business requests, though they performed better at stopping OAuth-based traps. |
| **Security Implications** | The primary risk is that AI agents function as "junior employees" with high-level system access but no human "social memory." Their tendency to be helpful makes them prime targets for spear phishing that leverages context to bypass standard security filters. |

### Strategic Advice for Defenders
The research concludes that prompt-based security is insufficient. Defenders should adopt an architectural approach to security:

* **Restrict Permissions:** Apply granular, channel-specific access controls. An agent processing external, unverified email should never have access to sensitive internal databases or CRMs.
* **Enforce Human-in-the-Loop (HITL):** Require mandatory human approval for high-privilege actions, including credential forwarding, external data routing, and financial requests.
* **Implement Architectural Guardrails:** Limit outbound capabilities by prohibiting agents from emailing unknown addresses and ensure that agent configurations (instructions) are treated as strictly controlled, versioned security policies.
* **Reframe the Threat Model:** Organizations should stop treating AI agents strictly as security tools and instead view them as privileged, context-poor employees who require rigorous supervision.
Roughly 400 AUR (Arch User Repository) packages compromised - Arch Linux

Based on the provided mailing list thread from the Arch Linux project, here is a precis of the security incident involving the Arch User Repository (AUR).

### Incident Overview
The incident involves a campaign where malicious actors compromised or created accounts in the Arch User Repository (AUR) to upload packages containing malicious commits. Upon discovery, Arch Linux administrators initiated an emergency response to identify, remove these malicious commits, and ban the responsible accounts.

### Affected Parties
* **AUR Users:** Anyone who installed or updated packages from the AUR during the period the malicious commits were active is potentially affected.
* **Arch Linux Community:** Users who rely on AUR packages are at risk if they have installed any of the compromised packages.

### Security Implications
The primary security implication is the potential for arbitrary code execution on the systems of users who installed the malicious packages. By injecting malicious code into `PKGBUILD` files or associated source scripts, attackers can execute commands with the privileges of the user running the installation or update process (often via an AUR helper or `makepkg`).

### Technical Details & What Defenders Should Know
* **Mechanism:** The attackers utilized the AUR's structure to distribute packages that contained malicious payloads. These payloads are executed during the package build process.
* **Remediation Status:** Administrators are actively cleaning the repository by deleting malicious commits and banning the perpetrator accounts.
* **Action for Defenders/Users:**
* **Review Installation History:** Users should review their recently installed or updated AUR packages.
* **Vigilance:** If you encounter packages that appear suspicious or contain unexpected code within their `PKGBUILD` or related installation scripts, do not install them.
* **Centralized Reporting:** The Arch Linux team requests that any further malicious packages discovered by the community be reported by replying to the official incident thread to ensure they are tracked and handled efficiently 【1】.
ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit | Google Cloud Blog - Google Cloud

This precis details the recent campaign by the threat actor "ShinyHunters" targeting the education sector via Oracle PeopleSoft exploits.

### What Happened
ShinyHunters exploited vulnerabilities in Oracle PeopleSoft environments to gain unauthorized access to global organizations. The campaign involved identifying and compromising vulnerable endpoints, staging malicious tools, performing internal reconnaissance, and conducting lateral movement. Stolen data from these compromises was subsequently published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026 【1】.

### Who Is Affected
The campaign impacted over 100 global organizations. The majority of these targets were based in the United States, with 68 percent of the affected entities operating within the higher education sector 【1】.

### Technical Details & Methodology
* **Initial Access & Staging:** Attackers leveraged vulnerable endpoints to host Python SimpleHTTP servers. These servers staged malicious materials, including customized MeshCentral agents disguised as Microsoft Azure services (e.g., `meshagent32-azure-ops.exe`) 【1】.
* **Command & Control:** The malicious agents were hardcoded to communicate with a C2 server at `wss://azurenetfiles.net:443/agent.ashx` 【1】.
* **Reconnaissance & Lateral Movement:** Threat actors performed internal reconnaissance, mapping Oracle PeopleSoft configurations by inspecting files like `psappsrv.cfg` and `config.xml`. They used a custom script, `[victim_abbreviation]_fanout.sh`, to automate SSH credential spraying based on internal hostnames. This script also deployed defacement/extortion markers throughout the environment 【1】.

### Security Implications
The primary implication is the unauthorized exfiltration of sensitive organizational data, leading to extortion and public data leaks. By gaining administrative control via PeopleSoft, attackers could move laterally, establish persistence, and compromise the integrity of the target's internal infrastructure 【1】.

### What Defenders Should Know
Defenders are advised to prioritize the following actions to secure their environments:

| Category | Action Items |
| :--- | :--- |
| **Immediate Mitigation** | Disable the Environment Management Hub (EMHub) Service or remove the `PSEMHUB` application. If that is not possible, block external access to `/PSEMHUB/*` and `/PSIGW/HttpListeningConnector` at the firewall level 【1】. |
| **Log Analysis** | Audit PIA WebLogic access logs for suspicious `POST` requests to the aforementioned endpoints. Inspect requests to `/PSIGW/HttpListeningConnector` for signs of SSRF (e.g., use of `127.0.0.1` or internal IP ranges) 【1】. |
| **Filesystem Integrity** | Scan for unauthorized `*.jsp` files in `PSEMHUB.war/` and inspect for unexpected directories (e.g., `logs`, `scratchpad`) or recent XML modifications in configuration paths 【1】. |
| **Network Monitoring** | Monitor outbound traffic for SMB (TCP port 445) originating from PeopleSoft servers, which may indicate attempts to capture NetNTLM hashes 【1】. |
rax: rax is a CPU emulator that does not trust itself. - Hex-Rays SA

The GitHub repository at [https://github.com/HexRaysSA/rax](https://github.com/HexRaysSA/rax) contains the documentation and source code for **rax**, a CPU emulator project.

Contrary to being a record of a cybersecurity incident, the repository provides tools for architectural emulation, instruction set support, testing methodologies, and build instructions. As such, there is no "security incident" to analyze in terms of affected parties, security implications, or threat-actor tactics.

For those interested in the project from a technical or defensive research perspective, **rax** serves as a utility for:

* **Instruction Set Emulation:** The project is designed to emulate CPU architectures, which can be useful for security researchers performing reverse engineering, vulnerability research, or binary analysis in a sandboxed environment.
* **Testing and Validation:** The repository includes details on testing frameworks that ensure the accuracy of the emulator, which is critical for researchers needing a reliable baseline when analyzing malicious binaries.

If you were seeking information on a specific security vulnerability related to this project or a different topic, please provide additional context or a specific URL describing the incident you are interested in.
Noradrenaline: Offensive macOS and Linux shared library modules for Poseidon and other agent frameworks. Designed to be small and quick for automation. - atomiczsec

The **Noradrenaline** project is an open-source repository providing a collection of native Linux and macOS modules designed for use as shared libraries (e.g., `.so` or `.dylib` files) within post-exploitation agent workflows 【1】.

It is important to note that this is a **toolset for security research and offensive simulation**, not a report on an active security incident or an exploit. The repository provides modules that enable automated discovery and data collection on compromised endpoints 【1】.

### What It Is
Noradrenaline functions as a library catalog for command-and-control (C2) agents, specifically mentioning integration with the "Poseidon" agent framework. It provides modular, small-footprint code blocks that can be loaded by an agent to execute specific discovery or collection tasks without requiring extensive additional dependencies 【1】.

### Who Is Affected
While the repository itself is a neutral tool, the target audience for these modules is developer and enterprise endpoints running **macOS** or **Linux**. Environments where these modules are deployed can have their system posture, credentials, and environment configurations mapped by an adversary 【1】.

### Security Implications
The modules enable an adversary to perform rapid reconnaissance and data gathering, significantly streamlining post-exploitation activities:
* **Credential Access:** Probing cloud instance metadata services (IMDS) for AWS, Azure, and GCP to extract identity tokens or environment context 【1】.
* **Discovery:** Mapping installed software, identifying managed device posture (MDM), inspecting network environment variables, and enumerating proxy configurations 【1】.
* **AI Surface Mapping:** Specifically searching for AI tooling, agents, and configuration files, which is a modern reconnaissance target 【1】.

### Technical Details
* **Architecture:** Modules are built as native shared libraries. They are designed to be dynamically loaded by a host agent using mechanisms like `execute_library` 【1】.
* **Build System:** The repository includes a `Makefile` to handle cross-platform compilation, utilizing local toolchains or Docker containers (for Linux) to produce artifacts for `linux/amd64`, `linux/arm64`, and macOS 【1】.
* **Testing:** It provides a `native_runner` utility, which allows developers to test these modules in isolation by simulating the agent's loading behavior, bypassing the need for a full C2 server environment 【1】.

### What Defenders Should Know
Defenders can mitigate the risks associated with such modules by focusing on behavioral indicators rather than just static file hashes:
* **Monitor Library Loading:** Alert on anomalous shared library loading events, especially when modules are loaded into processes that do not typically require them.
* **Observe Post-Exploitation Activity:** Focus detection efforts on the *artifacts* being queried. For example, monitor for unusual attempts to access cloud metadata services (IMDS), unexpected reads of firewall configuration files (`nftables`, `pf`, `ufw`), or enumeration of specific environment variables and directory listings 【1】.
* **Endpoint Management:** Ensure that sensitive system configurations and cloud identity metadata are properly protected and monitored for unauthorized access.
Preliminary analysis of AUR malware - Codex

This analysis summarizes the technical report regarding the `deps` malware, which was used in a supply-chain attack against the Arch User Repository (AUR).

### Incident Overview
The incident involved a supply-chain compromise where attackers injected a malicious npm package—masquerading as `atomic-lockfile` version `1.4.2`—into the AUR build flow. Multiple AUR packages were targeted. When a developer or build system installed this compromised package, the npm `preinstall` lifecycle script automatically executed a Linux ELF binary named `deps` embedded within the package source.

### Affected Targets
The malware is designed to target **developer workstations, build environments, and CI/CD hosts**. It systematically harvests credentials and secrets from:
* **Browsers/Electron Apps:** Chromium-family browsers, Slack, Microsoft Teams, and Discord.
* **Developer Tools:** GitHub, npm, OpenAI/ChatGPT tokens, Docker/Podman credentials, and HashiCorp Vault tokens.
* **System/Filesystem:** SSH keys, shell histories (`bash`, `zsh`, `fish`), and VPN profiles (`.ovpn`).

### Security Implications
* **High-Severity Credential Theft:** The malware extracts active session tokens, cookies, and secrets, providing the attacker with broad access to development and collaboration accounts.
* **Persistent Access:** The malware installs itself as a `systemd` service (either system-wide or per-user), ensuring it remains active across reboots.
* **Detection Evasion:** If executed with root privileges, the malware loads an eBPF rootkit. This allows it to hide its process IDs, names, and network sockets from standard live-response tools (e.g., `/proc` listings and netlink socket diagnostics), significantly complicating remediation and forensic analysis.

### Technical Details
* **Payload:** A stripped, 3MB Linux ELF64 binary written with Rust-style async state machines.
* **C2 Infrastructure:** The malware decodes a hardcoded onion address (`olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion`) at runtime using a repeating-XOR key.
* **Communication:**
* **Command/Control:** Communicates via `POST /api/agent` to the onion address, utilizing a local loopback/SOCKS proxy.
* **Exfiltration:** Uploads file contents/blobs to `temp.sh` via `POST /upload`.
* **Execution Flow:** The malicious `preinstall` hook executes the binary directly during the `npm` installation process.

### Guidance for Defenders
1. **Assume Compromise:** Treat any host that installed the malicious package as fully compromised. Perform thorough credential rotation for all services mentioned above (Slack, GitHub, SSH keys, etc.).
2. **Containment & Forensics:**
* If an eBPF rootkit is suspected, avoid relying on standard `/proc` or socket diagnostic tools. Use trusted offline acquisition methods.
* Inspect `/sys/fs/bpf/` for unexpected pinned maps like `hidden_pids`, `hidden_names`, or `hidden_inodes`.
* Review `systemd` units for suspicious services with `Restart=always` and paths in `/var/lib` or user configuration directories.
3. **Prevention:**
* Audit AUR build logs, package caches, and CI environments for references to `preinstall` hooks or the `atomic-lockfile` package.
* Use security best practices such as `--ignore-scripts` when installing npm packages, and consider sandboxing build processes.
* Regularly audit source trees for unexpected binary files (like the `src/hooks/deps` payload).
Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection - kernullist

The provided summary offers a comprehensive precis of the cybersecurity article regarding covert kernel-to-user communication channels on Windows.

### Summary Analysis

* **What Happened:** The article explores the methodology behind modern, sophisticated kernel-assisted threats (e.g., advanced rootkits, BYOVD malware, and game cheats) that utilize covert communication channels to synchronize their user-mode and kernel-mode components. These threats deliberately avoid traditional, easily monitored surfaces like `DeviceIoControl` in favor of repurposing legitimate Windows internals.
* **Who is Affected:** The primary targets and affected entities include anti-cheat vendors, Endpoint Detection and Response (EDR) providers, incident-response teams, and any organization relying on Windows system integrity verification in environments where privileged, stealthy code execution is a risk.
* **Security Implications:** These covert channels represent a critical security threat because they allow attackers to maintain persistent control, perform memory manipulation, and hide malicious objects while appearing as normal OS traffic. The main difficulty for defenders is the economic burden of differentiating this malicious activity from high-volume, legitimate Windows system communication.
* **Technical Details:** The article categorizes these communication surfaces into six layers (L1–L6), ranging from basic IPC mechanisms (named pipes) to advanced techniques involving hypervisors, hardware/DMA cards, and manipulation of kernel internals (dispatch tables, registry callbacks). Key attacker primitives rely on splitting the channel logic into distinct phases: finding the surface, triggering the logic, selecting commands, transporting data, and sending replies.
* **Defender Strategy:** The article advocates moving beyond static "bad API" detection. Instead, it suggests a multi-faceted approach centered on:
* **Baseline Monitoring:** Establishing comprehensive snapshots of system objects and pointers.
* **Integrity Verification:** Utilizing symbol-backed parsers to detect tampering with kernel structures.
* **Cross-Layer Correlation:** Identifying inconsistencies between different views of the system (e.g., object namespaces vs. ETW telemetry).
* **Trust Anchors:** Utilizing hardware-based protections such as TPM attestation and IOMMU/DMAr for threats operating at the hardware or hypervisor layers.