InfoSec Briefing - June 18, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Thursday the 18th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 3 articles to cover. All attribution is by the article authors. All article analysis is automated.

ESET researchers have discovered two new Windows variants of the SprySOCKS backdoor used by the Chinese-linked group FishMonger targeting government organisations in Honduras, Thailand, Taiwan, and Pakistan. These variants come equipped with kernel-level drivers to hide their presence, passive backdoor mechanisms that intercept TCP traffic, and support over thirty commands for data exfiltration — worth flagging if you're tracking Chinese espionage tooling or defending government networks in the regions mentioned.

The Jamestown Foundation reports that Chinese state-owned grid operators State Grid Corporation and China Southern Power Grid are developing offensive cyber capabilities targeting Western power grids. China Southern Power Grid has researched generating attack traffic against Modbus protocol and built sophisticated grid cyber ranges for offensive simulations, with discovered vulnerabilities reportedly shared with government intelligence services — one for critical infrastructure defenders and anyone tracking what China's military-civil fusion strategy looks like in practice.

Socket uncovered trojanised Visual Studio extensions on the Open VSX Registry delivering WebAssembly-based malware called GlassWASM. The malware uses the Solana blockchain as a dead-drop for command and control resolution and executes payloads filelessly in memory with ChaCha20 encryption — particularly relevant if you're managing developer environments or monitoring supply chain attack vectors through extension marketplaces.

That concludes today's briefing.

📰 Articles Covered

Chinese Grid Operators Maintain Offensive Cyber Programs - Jamestown - The Jamestown Foundation

The provided summary effectively encapsulates the key points of the Jamestown Foundation report regarding Chinese state-owned grid operators. To ensure you have the full context, here is a consolidated precis based on that information:

### Overview
Major Chinese state-owned energy companies—specifically the State Grid Corporation of China (SGCC) and China Southern Power Grid (CSG)—are systematically building offensive cyber capabilities. While these activities are framed as internal defensive training, they are deeply integrated into the PRC’s national military–civil fusion strategy and serve as a state-backed platform for developing methods to breach foreign critical infrastructure.

### Who is Affected
The primary targets are international, particularly Western power grids that rely on industrial control system protocols similar to those used in China. Because these operators are mandated to share discovered vulnerabilities with government intelligence services, their research directly supports broader state-sponsored offensive cyber operations.

### Security Implications
* **Dual-Use Threat:** Technologies and attack simulations developed for "internal testing" are effectively target-agnostic, meaning the same tools used to test domestic defenses can be used to attack foreign SCADA systems.
* **Institutionalized Offensive Capacity:** By formalizing the roles of "red and blue team special forces" and budgeting for offensive support services, these companies have integrated cyber-warfare capabilities into their standard institutional operations.
* **Standardization Strategy:** As these operators influence national cybersecurity standards, they are in a unique position to shape the digital environment in ways that may favor future exploitation or facilitate state-level access.

### Technical Details
* **Protocol Research:** Entities linked to CSG have specifically researched how to generate attack traffic against **Modbus**, a communication protocol fundamental to the operation of many power grids in the United States and Europe.
* **Infrastructure Simulation:** CSG has constructed sophisticated grid cyber ranges that function as wargaming platforms. These environments allow for the rehearsal of offensive operations, complete with attack event simulation and network path awareness.
* **Systemic Resource Allocation:** The development of these capabilities is not ad-hoc; it is backed by systemic, recurring budgets that treat offensive technical services as a critical infrastructure requirement.

### What Defenders Should Know
Defenders, particularly those managing industrial control systems (ICS) and SCADA environments, must broaden their threat modeling. It is critical to recognize that:
* **Industry Actors as Threat Agents:** Threats are not limited to traditional intelligence units or known APT groups; major civilian infrastructure operators are themselves active, state-backed research engines for offensive cyber techniques.
* **Counter-Intelligence in Standards:** Security professionals should be skeptical of the provenance of cybersecurity standards or research emanating from these entities, as they may simultaneously be developing the very attack vectors they claim to be mitigating.
* **Visibility into Protocols:** Organizations should increase monitoring for anomalous activity targeting legacy protocols like Modbus, as these are known areas of focus for foreign offensive research programs.
GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions - Socket

The GlassWASM campaign represents a sophisticated evolution in supply chain attacks targeting the Visual Studio (VS) ecosystem. By leveraging WebAssembly (WASM) and blockchain-based infrastructure, attackers have created a highly evasive, modular, and resilient malware delivery system.

### What Happened
Threat actors successfully compromised the **Open VSX Registry** by publishing trojanized versions of legitimate VS extensions. Rather than using traditional typosquatting, the attackers employed identity impersonation, cloning legitimate extensions and utilizing identical publisher IDs, names, and versions to bypass developer trust and security filters.

### Who Is Affected
The primary targets are software developers using extensions from the Open VSX Registry. Specifically, extensions identified as malicious include:
* `exargd.vsblack` (version 0.0.1)
* `noellee-doc.flint-debug` (version 0.1.1)

Any user who installed these packages—or potentially other unauthorized bundles from the same threat actor—is at risk of compromise.

### Security Implications
* **Identity Impersonation:** By perfectly mimicking legitimate extensions, the attackers effectively bypass human-centric trust mechanisms.
* **Takedown-Resistant C2:** The malware uses the Solana blockchain as a "dead-drop" mechanism to resolve its Command and Control (C2) infrastructure. Because the malware polls legitimate public Solana RPC nodes (e.g., `api.mainnet.solana.com`), it is exceptionally difficult for defenders to block the communication channel without inadvertently disrupting legitimate blockchain-related traffic.
* **Fileless Execution:** The infection chain avoids writing malicious binaries to the disk. Once the C2 host is resolved from the blockchain, subsequent payloads are fetched and executed directly in memory, making forensic analysis significantly more difficult.

### Technical Details
* **Payload Construction:** The malware core is a WebAssembly module compiled from Go via TinyGo. To evade static analysis, all sensitive strings—including C2 URLs and command strings—are encrypted using ChaCha20 and are only decrypted in memory at runtime.
* **C2 Mechanism:** The module polls a hardcoded Solana wallet address (`6ExrZayPZzMMSnszc42cH81DpuKT8FhCX9H6Sesn6rpz`) for transactions. It inspects the "SPL Memo" field of these transactions to retrieve instructions, which provide the hostname for the next stage of the attack.
* **Command Execution:** The malware uses Node’s `child_process.execSync` to run commands. It utilizes platform-specific delivery templates (e.g., `curl | bash` for Unix-based systems and `irm | iex` for Windows) and sets `windowsHide:true` to ensure the malicious activity remains invisible to the user.
* **Attribution:** While this campaign demonstrates distinct tradecraft, it shows clear overlaps with the "GlassWorm" developer in terms of registry abuse and infrastructure-rotation patterns.

### What Defenders Should Know
* **Detection Strategy:** Static file scanning is ineffective due to the fileless nature of the attack. Focus instead on behavioral patterns:
* **Network Activity:** Monitor Node.js processes making JSON-RPC calls to Solana API endpoints (specifically `getSignaturesForAddress` and `getTransaction`).
* **Process Spawning:** Monitor for Node.js processes that spawn shell interpreters (e.g., `bash`, `sh`, `powershell`) via `execSync` or that utilize window-hiding flags.
* **Package Analysis:** Closely audit any extensions that bundle `.wasm` files alongside JavaScript shims, as these are increasingly used to hide malicious logic.
* **Remediation:** If these extensions are found, they should be immediately removed from the environment. Because the malware grants the attacker significant control, any machine that executed these extensions should be treated as fully compromised. Immediate action should include rotating credentials and auditing the host for secondary payloads.
FishMonger’s arsenal upgraded: SprySOCKS for Windows - ESET

This precis summarizes the ESET research into the newly discovered Windows variants of the SprySOCKS backdoor.

### **What Happened**
ESET researchers identified two previously undocumented Windows-based variants of the SprySOCKS backdoor, a tool historically associated exclusively with Linux environments. These variants demonstrate a significant expansion of the arsenal used by the cyberespionage group FishMonger (also tracked as Earth Lusca, which is believed to have ties to the Chinese contractor I-SOON). The malware was active between 2023 and 2024.

### **Who Is Affected**
The campaign specifically targeted government organizations in several countries, including:
* Honduras
* Thailand
* Taiwan
* Pakistan

### **Security Implications**
The emergence of Windows-based SprySOCKS variants allows threat actors to maintain persistent, stealthy access across diverse IT environments. The sophisticated capabilities—particularly the use of kernel-level drivers for evasion and passive backdoor mechanisms—pose a severe risk for long-term data exfiltration and covert espionage. Furthermore, the potential utilization of a UEFI bootkit highlights the actors' ability to operate at a deep level of system compromise, making remediation difficult.

### **Technical Details**
Both Windows variants (`WIN_DRV` and `WIN_PLUS`) share core architectural traits with the original Linux version, such as identical encryption keys, C&C communication formats, and the use of the HP-Socket library. They support over 30 commands, including keylogging, file management, and system data collection.

* **WIN_DRV (High Stealth):** Utilizes a kernel driver named `RawWNPF` to hide malicious artifacts (files, processes, registry keys, and network connections). It also provides a "passive" backdoor functionality that intercepts TCP traffic on open ports, allowing operators to trigger commands without needing an active listening port.
* **WIN_PLUS:** Functions similarly to `WIN_DRV` but lacks the `RawWNPF` kernel driver. It achieves persistence by registering as a print processor.
* **Common Techniques:** Both rely on DLL side-loading for execution. There is evidence suggesting the potential use of a UEFI bootkit component exploiting **CVE-2023-24932** in certain attack chains.

### **What Defenders Should Know**
* **Attribution:** FishMonger (Earth Lusca) is the threat actor behind these tools.
* **Detection Evasion:** Because `WIN_DRV` uses a rootkit-like driver, standard diagnostic tools like `netstat.exe` may fail to show malicious network activity.
* **Persistence Mechanisms:** Monitor for unauthorized scheduled tasks or malicious print processors. Specific registry keys, such as `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\VSPMsg`, should be audited.
* **Networking:** Malicious traffic may use TCP, UDP, or WebSocket protocols. Network security teams should inspect traffic for specific "magic" header values (e.g., `0xACACBCBC` for TCP).
* **Actionable Indicators:** Defenders should scan for suspicious driver loads, DLL side-loading patterns, and the presence of associated files (e.g., `tpsvcloc.dll`, `VSPMsg.dll`, and various `.dat` containers). The full ESET research report provides specific SHA-1 hashes to aid in hunting.