InfoSec Briefing - June 21, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Sunday the 21st of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 9 articles to cover. All attribution is by the article authors. All article analysis is automated.

NSFOCUS and Guangzhou University have published their 2026 APT organisation research yearbook. It's an annual reference compendium tracking nation-state threat actors, their campaigns, attribution patterns, and operational characteristics through the year. One for threat intelligence teams who need a comprehensive overview of the APT landscape.

Huntress have disclosed a breach at Klue, a market intelligence platform. The Icarus threat group compromised the service using a dormant credential, pushed malicious code to harvest OAuth tokens, then used those to exfiltrate CRM data from Salesforce and Gong across multiple customer organisations. Extortion emails started going out on the 16th of June, affecting firms including Huntress themselves, Recorded Future, Tanium, and Jamf.

IBM X-Force have documented a technique for bypassing Windows Defender Application Control by exploiting trusted Electron applications. The method abuses known V8 engine vulnerabilities through modified main.js files and argument smuggling to execute arbitrary code within whitelisted processes. Particularly relevant if you're relying on WDAC as part of your endpoint hardening posture.

Security researchers have released RawHive, a Cobalt Strike tool that extracts registry hives and ntds.dit by directly parsing NTFS metadata and reading raw disk clusters. It bypasses standard file access controls by opening handles to raw volume devices. Defenders should watch for processes accessing raw volume handles — it's highly anomalous behaviour for anything that isn't a system process.

And another evasion tool in the wild. PhantomCtx automates Activation Context hijacking to force signed Windows executables to load malicious DLLs. It uses section unmapping and remapping to evade EDR detection, achieving code execution within trusted processes by abusing the Windows dependency resolution mechanism without needing vulnerable binaries.

Security researchers have documented a novel command-and-control technique that exploits Slack's server-side link preview functionality. The method embeds C2 instructions in HTML metadata tags which Slack's backend fetches and renders, bypassing network egress filtering since the malicious requests originate from Slack's own infrastructure. This class of vulnerability affects most collaboration platforms with similar preview features.

Security researchers have published a proof-of-concept for remote code execution via Git's clean filter mechanism. The technique weaponises legitimate Git filtering by binding malicious scripts through config and attributes files, which execute automatically when IDEs perform diff operations. It targets development environments with automatic Git integration, particularly those using libgit2.

The FBI have issued a warning about cybercriminals using Traffic Distribution Systems to redirect users to malicious sites. The platforms work by compromising legitimate websites, using SEO poisoning and phishing, then filtering victims by metadata and cloaking infrastructure to evade detection. Payloads include ransomware, phishing pages, and financial fraud sites — both individuals and businesses are being targeted.

And finally, an article from Gianni Castaldi on building a modern detection pipeline using the ContentOps framework for Microsoft Sentinel and Defender. The methodology treats detection rules with the same rigour as application code, using CI/CD pipelines with drift detection, automated linting, and safeguards like circuit breakers to prevent mass deletion during deployment. Worth a look if you're trying to move from reactive manual processes to managed detection engineering.

That concludes today's briefing.

📰 Articles Covered

APT Organization Research Yearbook (2026 Edition) - Chinese - 绿盟科技、广州大学网络空间安全学院

I have thoroughly examined the provided link to the "APT Organization Research Yearbook (2026 Edition)." As noted in the previous analysis, the source provided is a digital wrapper (a viewer interface) designed to display the book's content as a series of images rather than as extractable text or structured data.

Because the document does not contain raw text, and my current capabilities do not support the automated optical character recognition (OCR) or direct image-to-text conversion necessary to read the visual pages of this specific viewer, I am unable to summarize its content.

If you are looking for specific information regarding a particular APT organization or a specific 2026 cybersecurity event, please let me know. I can use search tools to find detailed, text-based reports and analyses from cybersecurity researchers and organizations that cover those topics.
Cybercrime Breaches Klue: Salesforce Data Impacted for Many Victims, including Huntress | Huntress - Huntress

This precis summarizes the investigation into the breach of the market intelligence platform **Klue**, as detailed by Huntress.

### **What Happened**
Beginning on June 11, 2026, a threat actor (identified as the "Icarus" group) compromised Klue's infrastructure. The attackers pushed a malicious code update to a system managing software integrations, which allowed them to harvest OAuth tokens used by Klue’s customers to connect their own internal systems to the Klue platform. The attackers then used these stolen credentials to query and exfiltrate data directly from the customers' connected CRM tools, such as Salesforce and Gong. On June 16, affected organizations began receiving extortion emails from the attackers.

### **Who is Affected**
The breach primarily affected organizations that used Klue’s integrations with third-party software. Known impacted companies that have publicly confirmed the incident include **Huntress**, **Recorded Future**, **Tanium**, and **Jamf**. Other undisclosed customers of Klue may also be affected.

### **Security Implications**
* **Data Impact:** The incident resulted in the exfiltration of CRM data, including business contacts, price quotes, sales-related communications, and competitive market reports.
* **Non-Impacted Systems:** Huntress and other victims have confirmed that no internal products, core infrastructure, security telemetry, passwords, payment information (PCI data), or threat intelligence data were compromised. The breach was confined to the data accessible via the hijacked CRM integrations.

### **Technical Details**
* **Initial Access:** The attackers leveraged a long-disused but still active credential that Klue had originally created for an abandoned prototype integration.
* **Methodology:** After pivoting into Klue’s infrastructure, the attackers used stolen OAuth tokens to query CRM APIs.
* **Indicators of Compromise (IOCs):** Malicious requests frequently targeted `/services/data/v59.0/query/` endpoints. Observed `User-Agent` strings included "Python-urllib/3.12", "Python-urllib/3.14", or blank values.

### **What Defenders Should Know**
To manage potential exposure, organizations should take the following steps:

| Action | Description |
| :--- | :--- |
| **Review Logs** | Cross-reference Salesforce, Klue, and other OAuth application logs against known IOCs. |
| **Request Data** | If API or access logs are missing, contact vendors immediately to request them for forensic investigation. |
| **Revoke Sessions** | Simply disabling integrations may not be enough; revoke all active sessions for affected services to ensure the invalidation of any compromised session tokens. |
| **Monitor Emails** | Scour inboxes and spam folders for extortion attempts related to the breach. Preserve these emails for forensic analysis. |
| **Engage Experts** | If exposure is suspected, consider involving cyber insurance providers to assist with the scope, remediation, and legal response. |
Operationalizing browser exploits to bypass Windows Defender Application Control (WDAC) - IBM

The provided overview serves as a comprehensive precis of the IBM X-Force research. Below is the detailed breakdown of the findings:

### **Summary of the WDAC Bypass Technique**

| Category | Details |
| :--- | :--- |
| **What happened** | IBM X-Force researchers developed a method to bypass Windows Defender Application Control (WDAC) by hijacking trusted Electron applications, using N-day V8 JavaScript engine exploits to execute arbitrary native code. |
| **Who is affected** | Organizations using strict WDAC policies, specifically those running signed/trusted Electron-based applications that lack modern runtime integrity protections. |
| **Security Implications** | Enables native code execution within the context of trusted, whitelisted processes. This allows attackers to evade WDAC restrictions and potentially bypass security software (EDR) by leveraging the application's legitimate process behavior. |
| **Technical Details** | Researchers replaced an application's `main.js` with exploit code. They utilized "argument smuggling" to pass payloads, developed custom bootstrapping to handle large C2 payloads, and used an iterative process-launching technique to overcome inconsistent function offsets across different Windows environments. |
| **Defender Guidance** | Implement application integrity features (e.g., runtime file verification), audit and patch legacy Electron versions, and monitor for anomalous behavior, such as the rapid, iterative spawning of child processes. |

***

### **Deep Dive into Technical Findings**
The researchers highlighted several critical technical hurdles overcome during the development of this attack:

* **V8 Sandbox & Versioning:** Public exploits often fail due to minor version discrepancies. The team had to manually reconcile differences between standard V8 builds and the specific, often modified, versions found in Electron/Node.js, including accounting for backported security patches.
* **Payload Delivery (Argument Smuggling):** Because payloads (like C2 agents) can be large and easily detected in memory, the team injected a small bootstrap shellcode. They used a technique called "argument smuggling" to safely pass the memory address of the larger, final-stage payload to the bootstrap shellcode without triggering simple signature-based alerts.
* **Offset Discovery:** Since function offsets in the V8 engine vary across different Windows builds and memory states, the exploit was designed to "fuzz" these offsets by iteratively launching child processes until one landed on the correct execution path. This behavior, while effective, creates a "noisy" footprint that defenders can utilize for detection.
* **CI/CD Injection:** To minimize the risk of being caught by static file scanners or endpoint security, the malicious payload was injected into the application via the CI/CD pipeline, ensuring the modified executable maintained valid signatures while being deployed to endpoints.
RawHive: Cobalt Strike BOF that extracts selected Windows registry hives directly from a raw NTFS volume by parsing NTFS metadata and reading file data straight from disk. - nmht3t

Based on the repository documentation, here is a detailed precis of **RawHive**, an offensive security tool.

### Overview
RawHive is a Beacon Object File (BOF) designed for the Cobalt Strike framework. Its primary purpose is to facilitate the extraction of sensitive Windows registry hives (`SAM`, `SYSTEM`, `SECURITY`) and the Active Directory database (`ntds.dit`) directly from a raw NTFS volume, rather than utilizing standard Windows APIs.

### Technical Details
RawHive operates by interacting directly with the disk structure rather than the file system abstraction layer typically used by operating system APIs.
* **Mechanism:** The tool opens a handle to the local volume (e.g., `\\.\C:`). It parses the NTFS boot sector to identify the Master File Table (`$MFT`), traverses the directory indexes, and reads the raw data clusters corresponding to the target files.
* **Integrity Checks:** The tool includes safety mechanisms; it performs validation on NTFS structures and will fail rather than outputting incomplete or corrupted data if it encounters complex file fragmentation.
* **Execution:** It requires a 64-bit Cobalt Strike Beacon running with elevated privileges (Local Administrator or `SYSTEM`). Extracted files are saved to a specified directory as `.tmp` files.

### Security Implications
The primary security implication is the ability to bypass file-based security controls and standard access locks enforced by the Windows API. Because the tool reads data directly from the disk, it can potentially circumvent security software that monitors or restricts access to sensitive system files at the API level.

### Recommendations for Defenders
Defenders should focus on detection and hardening strategies that address low-level disk access:
* **Monitor Raw Disk Access:** Implement monitoring for processes attempting to open handles to raw volume devices (e.g., `\\.\C:`). Such activity from non-system or unauthorized processes is highly anomalous.
* **Restrict Privileges:** Since RawHive requires high-level privileges to function, minimizing the number of accounts and processes with local administrative or `SYSTEM` rights reduces the attack surface.
* **Hardening:** Utilize security configurations or endpoint protection policies that specifically restrict or block raw volume access to prevent unauthorized tools from bypassing the file system layer.
PhantomCtx: Activation Context Hijacking Evasion Tool - r3xmax

The information provided in your previous message effectively captures the core components of the **PhantomCtx** research. Here is the detailed precis based on that source:

### **PhantomCtx: Executive Summary**
PhantomCtx is a specialized offensive security tool designed to automate **Activation Context (SxS) hijacking**. It enables an attacker to force signed, trusted executables to load arbitrary, malicious DLLs by abusing how the Windows Loader resolves dependencies. By manipulating SxS manifests, it achieves code execution without needing vulnerable binaries, relying instead on standard Windows dependency resolution behavior.

### **Affected Parties**
- **Broad Impact:** Any system relying on signed executables (e.g., software from Microsoft, Adobe, or Mozilla) is potentially vulnerable if those executables resolve DLLs via the Import Address Table (IAT) or use `LoadLibrary` without absolute paths.
- **Environment:** The technique is highly effective on modern platforms like Windows 11 and is specifically engineered to circumvent contemporary Endpoint Detection and Response (EDR) solutions.

### **Security Implications**
- **Sophisticated EDR Evasion:** The tool utilizes advanced memory manipulation techniques to avoid triggering traditional alerts. By unmapping the original Activation Context section and mapping a malicious one at the exact same address, it avoids modifying the `PEB.ActivationContextData` directly. This bypasses common EDR detection rules triggered by standard remote process memory write APIs (such as `NtWriteVirtualMemory`).
- **Trusted Process Execution:** Attackers can execute arbitrary code within the memory space of legitimate, signed processes, effectively masking their activity as benign system or application behavior.

### **Technical Details**
- **Mechanism:** The tool manipulates the Activation Context (SxS) structure. If a target lacks a suitable context, the tool can "steal" a valid one from a system process like `explorer.exe`.
- **Memory Manipulation:** Instead of traditional process injection (which often triggers memory-write alerts), it leverages section mapping:
1. It uses an unmapping technique (`NtUnmapViewOfSection`) on the target's Activation Context.
2. It remaps a crafted, malicious Activation Context to the identical base address.
- **Stability:** To ensure the target application does not crash, the tool typically uses **DLL proxying**, where the malicious DLL forwards legitimate function calls to the actual library, preserving application functionality while executing the injected code.
- **Operational Modes:** The tool is modular, supporting:
- `recon`: Analyzing the target's context.
- `spawn`/`runtime`: Injecting/patching the redirection entry.

### **Guidance for Defenders**
Because PhantomCtx specifically aims to evade standard memory-based detections, defenders should pivot to behavioral and integrity-based monitoring:
- **Detection Focus:**
- Monitor for processes performing an unusual sequence of `NtUnmapViewOfSection` followed immediately by remapping to the same address.
- Watch for signed executables loading DLLs from non-standard or user-writable file paths.
- Audit the integrity of Activation Context structures within high-value processes.
- **Hunting/IoC:**
- Use `Procmon` to capture and baseline legitimate DLL resolution patterns.
- Identify anomalous process access rights: The tool requires specific handles on the target process, including `PROCESS_VM_READ`, `PROCESS_QUERY_INFORMATION`, and `PROCESS_VM_OPERATION`.
Using Slack links-preview to smuggle C2 in locked-down environments. - RWXstoned

The provided summary accurately captures the core technical concepts and security implications discussed in the article regarding the use of Slack's link preview feature for Command and Control (C2) operations. To ensure a complete and detailed précis as requested, here is a consolidated overview:

### Executive Summary: Slack Link Preview C2 Technique
This technique exploits the server-side "link preview" functionality inherent in collaboration platforms like Slack to establish a covert C2 channel. Instead of the compromised host communicating directly with an attacker's infrastructure—which would be easily detected by perimeter security—the host triggers Slack to perform the request on its behalf.

### Detailed Breakdown

| Category | Description |
| :--- | :--- |
| **What Happened** | Researchers identified a method where attackers can embed C2 instructions within metadata (specifically the `description` tag) of an HTML page served at a controlled URL. |
| **Who is Affected** | Any organization relying on Slack (or similar collaboration tools with link preview features) where endpoint monitoring is focused on direct outbound traffic rather than application-layer behavior. |
| **Security Implications** | The technique effectively "tunnels" C2 traffic through legitimate, trusted SaaS infrastructure. This renders traditional network egress filtering and reputation-based blocking largely ineffective, as the malicious request originates from the trusted SaaS platform, not the infected host. |
| **Technical Details** | When a user posts a URL, Slack’s backend performs an HTTP GET request to fetch page metadata for the preview. Attackers manipulate this response, placing commands inside the `content` attribute of a `<meta name="description">` tag. The payload is subsequently rendered in the chat interface, and the command is executed on the endpoint. |
| **Defensive Guidance** | Defenders should not rely on network-layer monitoring for this activity. Instead, they should: 1) Whitelist/Restrict the attacker's listener infrastructure to accept incoming requests *only* from known Slack IP addresses and User-Agents. 2) Monitor for anomalous API behavior, such as highly repetitive or programmatic patterns of message posting and immediate deletion by users. 3) Recognize that this is a class of vulnerability—not limited to Slack—that affects most enterprise collaboration software. |

### Key Takeaways for Defenders
Because the traffic from the compromised endpoint is directed toward the legitimate Slack platform, standard network-based detection systems will see only authorized communication. The most effective mitigation strategy is to harden the attacker's listener infrastructure to ensure it is unreachable to the general internet and to implement robust monitoring of internal API usage patterns, rather than looking for traditional C2 beaconing signatures on the network. Organizations should also extend this threat modeling to other communication platforms (e.g., Microsoft Teams) that share similar preview functionality.
git-clean-filter: This is a proof-of-work for abusing git's clean filter against IDEs & Sublime. - RootUp

The `git-clean-filter` repository details a technique for achieving remote code execution (RCE) by weaponizing Git's built-in filtering mechanisms. This attack leverages the trust users place in development environments and the common behavior of editors that automatically invoke Git operations.

### What Happened
The attack uses Git’s `clean` filter directive—normally intended for normalizing files during staging—to execute arbitrary code. By defining a malicious script in the local `.git/config` file and binding it to a tracked file via `.gitattributes`, an attacker can ensure that their code runs whenever a victim performs a `git diff` on that file. The proof-of-concept provided demonstrates this by launching the Calculator application on macOS without corrupting the repository's contents.

### Who is Affected
Developers and users who clone and open repositories from untrusted sources are vulnerable. Specifically, individuals who use IDEs or text editors that automatically run `git diff` (to populate gutter annotations or SCM panels) upon interacting with a repository are at high risk.

### Security Implications
* **Arbitrary Code Execution:** The mechanism allows for the execution of arbitrary commands with the privileges of the user running the IDE or Git binary.
* **Automatic Trigger:** Because the `clean` filter is triggered by IDEs "in-process" (e.g., via `libgit2` in Sublime Text), the malicious payload is executed seamlessly as part of standard file inspection, often without the user explicitly typing a Git command.
* **Evasion:** The payload can be designed to pass content through unchanged, ensuring that the file in the working tree remains functional and the victim remains unaware that a trigger has occurred.

### Technical Details
1. **Configuration:** The attacker defines a filter in `.git/config` pointing to a local script:
```git
[filter "poc"]
clean = ./icons/clean.sh
smudge = cat
```
2. **Binding:** The filter is applied to a specific file using a `.gitattributes` file:
```
sample.txt filter=poc
```
3. **Execution:** When a Git client (or an IDE using `libgit2`) attempts to diff `sample.txt`, it automatically executes the script defined in `clean` to process the file's contents before displaying the difference.
4. **Process Context:** In some cases, the payload is executed as a child process of the editor itself, potentially bypassing security tools that monitor only for standard `git` command-line invocations.

### What Defenders Should Know
* **Workspace Trust:** This attack relies on the victim trusting the repository. Editors that implement "Workspace Trust" features are the primary defense; users should never trust repositories located in directories like `~/Downloads` or from untrusted sources.
* **Monitoring Configurations:** Defenders should be vigilant for unexpected configurations within `.git/config` and `.gitattributes` files, particularly in cloned repositories.
* **IDE Security:** Be aware that "trusting" a workspace often grants the repository permission to execute environment-specific configuration hooks. If an IDE prompts for folder trust, treat it as a significant security decision.
* **Git Documentation:** Familiarize yourself with the security considerations of Git hooks and filters as documented in the official [Git Attributes documentation](https://git-scm.com/docs/gitattributes).
Internet Crime Complaint Center (IC3) | Cyber Criminals Redirecting Users to Fraudulent Websites with Malicious Traffic Distribution Systems - Federal Bureau of Investigation (FBI)

The FBI has issued a public warning regarding the rise of cybercriminal activity involving **Traffic Distribution Systems (TDSs)** 【1】. These systems act as sophisticated routing engines that redirect internet traffic to malicious destinations, facilitating financial fraud, phishing, and malware distribution (including ransomware) 【1】.

### What Happened
Criminals utilize TDS technology to curate victim traffic. Users are funneled into these systems via social engineering (phishing emails), Search Engine Optimization (SEO) poisoning, or by visiting legitimate websites that have been compromised by attackers who edited the site's code 【1】.

### Who is Affected
* **Individuals:** Often the end targets of phishing, financial scams, and malware delivered via redirected web traffic 【1】.
* **Businesses:** Frequently targeted for website compromise. Attackers exploit weak administrative passwords or vulnerabilities in outdated website plugins and themes to gain unauthorized access and turn these sites into TDS redirection points 【1】.

### Technical Details & Security Implications
The primary danger of a TDS lies in its ability to selectively target and hide malicious infrastructure:
* **Visitor Filtering:** The TDS collects and analyzes metadata—including IP address, location, browser, OS, and device type. This allows attackers to tailor payloads to specific targets and "cloak" the campaign by displaying benign content to security researchers or users in regions outside their target demographic 【1】.
* **Evasion:** By utilizing complex chains of intermediate nodes, the TDS can bypass traditional firewall rules that would otherwise block connections to known malicious domains 【1】.
* **Network Access:** Malware delivered at the end of a redirection chain can grant attackers persistent access to a network. This access is sometimes sold as a commodity to other actors, including ransomware groups 【1】.

### What Defenders Should Know
The FBI recommends a proactive defense strategy for both individuals and businesses:

| Target Group | Recommended Defensive Actions |
| :--- | :--- |
| **Individuals** | Exercise caution with advertisement URLs; enforce strong passwords and 2FA; keep software/plugins updated; use reputable WAFs and security plugins 【1】. |
| **Businesses** | Audit/patch CMS, database, and hosting accounts; change default `.js` file associations; monitor endpoints for suspicious script execution (`wscript.exe`, `cscript.exe`, PowerShell); conduct user security training 【1】. |
Building a Modern Detection Pipeline with ContentOps - Gianni Castaldi

The summary provided covers the core aspects of the **ContentOps** framework described in the article. To supplement those points with further technical nuances found in the full text, here is additional context on the operational mechanics and safeguards mentioned:

### Additional Technical and Operational Insights

* **Detection Lifecycle Phases**: The article categorizes the management process into specific phases, emphasizing that "ContentOps" is a methodology rather than just a tool. It moves security teams from a "Reactive/Manual" state to a "Proactive/Managed" state where detection code is treated with the same rigor as application code.
* **The "Safeguard Triple" in Practice**: The author emphasizes that while CI/CD automation accelerates deployment, it also introduces the risk of mass deletion or misconfiguration. The defined safeguards (`writeAllowed`, `purgeAllowed`, and `maxDelete`) act as "circuit breakers":
* `maxDelete` is particularly critical; it prevents the pipeline from executing if a deployment would remove more rules than a specified threshold, protecting against catastrophic configuration drift or accidental repository-side deletions.
* **Drift Detection Mechanics**: Rather than simply overwriting the tenant, the tool calculates a diff. This allows defenders to run a "plan" phase that outputs exactly what *would* happen (e.g., "3 rules to update, 0 to create, 0 to delete") before any changes are committed to the production environment.
* **KQL Linting and Validation**: The CI pipeline includes automated linting to check for KQL syntax errors *before* the code is deployed to the production Log Analytics workspace. This prevents the common scenario where an invalid query is saved to a rule, causing the alert to stop firing silently.
* **Integration with Microsoft Defender XDR**: While the tool is heavily optimized for Microsoft Sentinel, it explicitly includes support for custom detections within Microsoft Defender XDR. This is handled via Graph API interactions, requiring appropriate Graph permissions, which is managed through the same OIDC authentication flow used for Sentinel.

### Key Takeaway for Defenders
The transition to a ContentOps model is primarily a shift in **operational culture**. Defenders should recognize that the initial investment involves mapping existing manual detections into the YAML-based structure required by the tool. Once implemented, however, it allows for a "source of truth" audit trail—where the repository history serves as an immutable log of who changed what detection, when they changed it, and who approved that change.