InfoSec Briefing - June 23, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Tuesday the 23rd of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 22 articles to cover. All attribution is by the article authors. All article analysis is automated.

BushidoToken has tracked a sustained campaign by DragonForce against UK organizations since late 2023, targeting edge devices and remote access points from vendors like Ivanti, Fortinet, and SonicWall. The particularly concerning bit is their compromise of MSP Helix International, which gives them a route into medium and Fortune 500 clients across sensitive sectors.

Sekoia has detailed ErrTraffic, a malware-as-a-service framework that compromises WordPress sites and uses blockchain smart contracts to hide its command infrastructure. It's being sold on Russian forums and delivers a range of payloads including infostealers and remote access tools, largely via ClickFix social engineering aimed at developers and AI platform users.

Bridewell has written up a phishing campaign running since January that targets Booking.com hotel partners. Attackers compromise hotel staff credentials, steal genuine booking details, then use that authentic information to conduct financial fraud against guests over WhatsApp. The use of real reservation data makes it particularly effective.

Permiso Security has identified a rather troubling gap in Google Cloud Platform audit logs. The serviceData field appears in Logs Explorer but gets stripped from exported logs, which means security teams relying on SIEM analysis may have blind spots around IAM policy changes and other critical events. Worth checking if you're exporting GCP logs for monitoring.

Elastic reports that Microsoft has enabled Azure AD Graph Activity Logs, which finally gives visibility into reconnaissance via the legacy graph API. Tools like ROADrecon and AADInternals have been running undetected for years — if you're using Entra ID, this telemetry is now available for ingestion.

The PHP package ecosystem is seeing increased supply chain attacks this year, with notable compromises of intercom and laravel-lang packages. Composer 2.10 has introduced dependency policies and transparency logs to address this, including immutability controls to prevent silent re-tagging of malicious versions.

NVISO has a cost-optimization piece on Microsoft Sentinel that uses Summary Rules to aggregate high-volume logs in cheaper storage tiers while maintaining detection coverage. The approach can reduce storage costs by up to 94 percent, which is worth exploring if your Sentinel bill has become uncomfortable.

Nextron Systems has built a multi-stage pipeline to scan over 100,000 daily open-source artifacts from npm, PyPI, and the VS Code Marketplace. They use deterministic filtering to reduce the dataset by 96 percent, then apply language models for triage, which is a sensible way to address the token budget problem when scanning at scale.

Following on from the story we covered yesterday, Klue has published their own incident disclosure. An attacker used a compromised legacy credential to access their integration infrastructure and obtain OAuth tokens for connected customer environments including Salesforce. The incident affected a subset of customers who used those integrations.

Snyk has a cautionary tale about the Mastra npm package scope. On June 17th, an attacker gained access to a former contributor's account whose credentials hadn't been revoked, then compromised all 142 packages in the scope. The malicious dependency functioned as a trojan dropper targeting cryptocurrency wallets and establishing persistent access.

CloudSEK has analysed the FortiBleed campaign, which targeted Fortinet firewalls using credential brute-forcing and compromised around 148 organizations with Active Directory access. The attackers left their infrastructure exposed, revealing a 45-GPU hash-cracking cluster and an organized database for selling network access — credential-based rather than exploit-driven.

City of London Police has secured a 48-month sentence for someone involved in an SMS blaster fraud operation. The setup used rogue mobile phone mast technology to force nearby devices onto simulated 2G networks, letting them broadcast fraudulent SMS messages that bypassed standard anti-spam protections.

A researcher has released NØW, an open-source tool that encodes shellcode into natural-looking English prose. It's aimed at red-team operations and represents a novel obfuscation technique for evading detection by disguising malicious code as benign text.

Praetorian has introduced WasmForge, which converts C-sharp offensive tools like GhostPack into WebAssembly format. The idea is to evade traditional security controls by leveraging WebAssembly's legitimate enterprise use, obscuring malicious activity that would normally be flagged when running as .NET assemblies.

White Knight Labs has published part three of their series on Cobalt Strike 4.13's Malleable C2 profiles. It examines advanced evasion techniques available through customizable profiles that allow red teams to bypass endpoint detection and response solutions.

Security researchers have disclosed RoguePlanet and GreatXML, two techniques that exploit legitimate Windows mechanisms for local privilege escalation and BitLocker bypass. RoguePlanet leverages Microsoft Defender's remediation workflow combined with file system primitives to let standard users escalate to SYSTEM on fully patched Windows 10 and 11. Worth reviewing if you're responsible for Windows hardening.

Palo Alto Networks is tracking a large-scale credential theft and password spraying campaign by an initial access broker targeting Fortinet devices, MSSQL services, and Sophos devices. The threat actors are using curated password lists from previous breaches and advertising stolen credentials on Russian-language forums.

Netskope has identified an upgraded ClickFix campaign targeting macOS users that deploys a full remote access trojan alongside AppleScript stealers. The social engineering uses fake websites that trick users into executing malicious terminal commands, which is a significant evolution from earlier stealer-only variants.

OA Labs has released ASF Triage, a forensic tool for investigating AI agent session logs from Claude Code and Codex CLI. The browser-based tool lets SOC analysts parse and search AI coding assistant activity while keeping data client-side, with non-destructive redaction for sensitive information like API keys.

Gen Digital has analysed how Vidar infostealer version 2.1 bypasses Application-Bound Encryption in Chromium browsers. The malware targets browser memory rather than encrypted disk artifacts, using process forking and pattern scanning to locate decryption keys. This represents a significant advancement in credential theft capabilities.

Cisco Talos has demonstrated a novel approach to reverse engineering by exposing legacy analysis tools through Windows COM and the Running Object Table. This transforms static disassemblers into data servers that can be scripted by local AI agents, which is particularly useful for analysing legacy formats like VB6 binaries without requiring cloud services.

And finally, Elastic Security Labs has identified OXLOADER, a sophisticated new Windows loader delivering the CASTLESTEALER infostealer through malicious Google Ads campaigns. The loader employs control-flow flattening, anti-VM checks, and geographic filtering that excludes CIS countries, suggesting Russian-speaking, financially motivated operators.

That concludes today's briefing.

📰 Articles Covered

UK Cybercrime Journal: Sustained DragonForce Campaign - BushidoToken

The article outlines a sustained cybercrime campaign by the threat actor **DragonForce**, which has been active since late 2023. Below is a detailed precis of the situation.

### Summary of the DragonForce Campaign

| Category | Details |
| :--- | :--- |
| **What Happened** | A series of targeted cyberattacks against various UK-based organizations across multiple sectors. |
| **Who is Affected** | Diverse industries including: **Professional Services** (Practicus), **Financial/Tax** (WSM), **Infrastructure/Logistics** (ERH, Refreshment Systems), **Heavy Industry** (Arsenal Scaffold), **Technology/IT** (Helix International), and **Luxury Retail** (Cult Wines). |
| **Security Implications** | DragonForce leverages their position as a persistent threat to target key suppliers and service providers. The breach of **Helix International** (an MSP) is particularly significant, as it exposes the broader client base of medium-to-Fortune 500 companies in sensitive sectors like finance and healthcare. |
| **Technical Details** | Affiliates prioritize exploiting edge devices and remote access points (Ivanti Connect Secure, Fortinet FortiOS, SonicWall SSL-VPN). They utilize "Bring Your Own Vulnerable Driver" (BYOVD) tactics to neutralize EDR and Antivirus protections and are actively recruiting on English-speaking cybercrime forums. |
| **What Defenders Should Know** | Defensive priorities include strict **Attack Surface Monitoring** (addressing RDP port 3389 and patching SSL-VPNs), enforcing **Robust Authentication** (MFA, strong passwords, and credential management), and securing **Backup Infrastructure** against tampering—specifically targeting platforms like Veeam. |

***

*Source: [UK Cybercrime Journal: Sustained DragonForce Activity](https://blog.bushidotoken.net/2026/06/uk-cybercrime-journal-sustained.html) 【1】*
Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework - Sekoia.io

The summary provided covers the essential aspects of the ErrTraffic/ClickFix framework as outlined in the source. To provide a comprehensive picture, here is the detailed precis based on the analysis.

### What Happened
ErrTraffic has emerged as a significant Malware-as-a-Service (MaaS) JavaScript framework, identified in late 2025. Operated by an actor dubbed "LenAI," it is sold via the Exploit.IN forum as both a subscription service and licensed source code. The framework functions as a Traffic Distribution System (TDS) injected into compromised WordPress sites. It leverages "EtherHiding"—a technique that embeds C2 infrastructure within blockchain smart contracts—to bypass traditional security controls and evade detection.

### Who Is Affected
* **WordPress Administrators:** Their sites are compromised to serve as infrastructure for the framework, often through stolen credentials or exploitation of vulnerabilities.
* **Web Users:** Visitors to compromised sites are targets for "ClickFix" lures, which present fake errors or security checks.
* **AI Platform & Tech Users:** Specific campaigns target users of popular AI services by directing them to malicious sites to compromise their machines.
* **Software Developers/Researchers:** High-value targets for campaigns designed to steal API tokens, browser data, and credentials.

### Security Implications
The framework's versatility poses a substantial threat because it acts as a delivery vehicle for diverse, high-impact malware, including infostealers (e.g., Vidar, Stealc, Remus, Salat), RATs, and loaders like SmokeLoader. Beyond malware distribution, the threat actors deploy persistent backdoors that allow for data skimming (such as capturing WooCommerce transaction details), unauthorized persistent access to the CMS, and long-term credential harvesting.

### Technical Details
* **Operational Clusters:** The framework utilizes distinct infrastructure clusters, such as the "Analytics" cluster (focusing on the Vidar infostealer and single-contract C2 resolution) and the "Beer" cluster (a more complex, multi-contract architecture using `.beer` TLD domains).
* **Execution Tactics (ClickFix):** The core mechanism is social engineering, where users are prompted to copy and run malicious PowerShell commands under the guise of fixing a "browser error," completing a CAPTCHA, or passing a security check.
* **Persistence:** Attackers use hard-to-remove MU-Plugins (e.g., `session-manager.php`) on compromised WordPress environments, which provide webshell capabilities and maintain the framework's presence even after basic cleanup attempts.

### What Defenders Should Know
* **Detection Patterns:** Security teams should monitor PowerShell `ScriptBlockText` for characteristic obfuscation patterns (e.g., usage of `-bxor`, `-lt`, and `[convert]::ToInt32`).
* **Behavioral Indicators:** A high-confidence alert signal is a chain of activity starting with network traffic directed at blockchain RPC providers, followed immediately by connections to suspicious TLDs, and culminating in the execution of a PowerShell process.
* **Mitigation Strategy:**
* **WordPress Hardening:** Enforce MFA for all administrative accounts, audit and restrict the use of MU-plugins, and maintain integrity checks for core theme files like `functions.php`.
* **Proactive Monitoring:** Specifically track unauthorized modifications to the web root and monitor for unexpected outbound traffic to blockchain-related infrastructure.
The Booking.com Phishing Campaign Targeting Hotels and Customers - Bridewell

The Booking.com phishing campaign (tracked as **BR-UNC-030**) is a sophisticated, multi-stage financial fraud operation that has been active since January 2026. By compromising hotel reservation systems, attackers exploit the trust inherent in legitimate booking communications to defraud hotel guests.

### Summary Table: The BR-UNC-030 Campaign

| Category | Details |
| :--- | :--- |
| **What Happened** | A three-stage attack: (1) Initial phishing of hotel staff, (2) theft of hotel partner credentials, and (3) abuse of legitimate platform access to defraud guests. |
| **Affected Parties** | Hotel reservation/service desk staff (account compromise) and hotel customers (financial data theft). |
| **Security Implications** | High success rate due to the use of authentic booking data; organizations remain compromised until customers report fraud. |
| **Technical Details** | Uses IDN homographs/typosquatting, advanced anti-analysis (fingerprinting), and specific URL patterns. |
| **Defensive Strategy** | Monitor for suspicious Gmail senders, specific URL path patterns, and deploy targeted YARA/detection rules. |

---

### In-Depth Breakdown

#### Security Implications
The campaign’s primary danger lies in its **contextual legitimacy**. Because the attackers operate using genuine booking details—such as specific dates and reference IDs—stolen from compromised hotel back-ends, their outreach to customers via WhatsApp is highly persuasive. This weaponization of internal data makes traditional security awareness training less effective, as the communication appears perfectly valid to the end user.

#### Technical Details
The attackers employ a rigorous infrastructure strategy to maximize longevity and bypass automated defenses:
* **Initial Delivery:** Automated Gmail accounts with a specific naming convention (`[a-z]{7,11}[0-9]{2,3}@gmail.com`) masquerade as Booking.com.
* **Infrastructure:** Domains are newly registered (typically <30 days old) via "Hello Internet Corp" and use techniques like Cyrillic homographs (e.g., swapping "o" for a Cyrillic character) or typosquatting.
* **Evasion Techniques:**
* **User Fingerprinting:** The partner phishing kit checks WebGL, Navigator, and screen resolution to identify security crawlers or VPN subnets. If it detects a potential security researcher, it pivots to a benign "fake company" page.
* **Hosting:** The customer-facing phishing kit is hosted on Dynadot and utilizes Cloudflare for additional protection against automated takedowns.
* **Attribution:** Analysis of the code indicates the involvement of Russian-speaking developers.

#### Advice for Defenders
Defenders should shift from generic brand-impersonation monitoring to specific indicators of compromise (IoCs):
* **Pattern Matching:** Scan email and proxy logs for URL patterns such as `complaint?op_token=`, `sign-in/?tpo_token=`, or 8-character alphanumeric URL strings.
* **Domain Monitoring:** Specifically track domains using "booklng" variants or other typosquatted subdomains.
* **Behavioral Detection:** Implement YARA rules or behavioral analytics designed to detect the specific framework footprints of the identified phishing kits. (Consult the source document's "Detections" section for specific implementation guides).
* **Operational Awareness:** Treat any communication involving hotel staff and WhatsApp as a high-risk vector for this specific campaign.
Mind the Gap: GCP serviceData in Logs Explorer vs. Exported Logs - Permiso Security

Thank you for that detailed breakdown. Your summary accurately captures the core technical risks and operational challenges presented in the Permiso article regarding the `serviceData` field in GCP audit logs.

To complement your précis, here is a consolidated view of the critical takeaways for security practitioners, emphasizing the shift in defensive mindset required when dealing with such data inconsistencies.

### Core Defensive Takeaways

| Focus Area | Strategic Recommendation |
| :--- | :--- |
| **Detection Reliability** | Treat all detection logic that depends on `serviceData` as **unverified** until proven by end-to-end testing in the *exported* environment. |
| **Pipeline Auditing** | Implement "data quality" alerting. If a specific alert rule expects a populated `serviceData` field, create a parallel monitor for the *absence* of that field to detect pipeline-level stripping. |
| **Defense-in-Depth** | Do not rely on a single field or log source. Complement `serviceData`-heavy detections with broader, less granular signals (e.g., general `SetIamPolicy` volume changes) that do not depend on the deprecated field. |
| **Engineering Practice** | When authoring new detections, prioritize the use of the `metadata` field. If legacy reliance on `serviceData` is unavoidable, build in null-checking logic that specifically flags when critical data is expected but missing. |

### Why This Remains a "Hidden" Risk
The danger is not just that the data is missing, but that it fails in a way that provides **zero signal**.

In most security information and event management (SIEM) systems, a query like `... WHERE serviceData.policyDelta.action = 'REMOVE'` will return zero results if the field is stripped, rather than an error. This creates a dangerous "blind spot" where security teams assume a lack of alerts means a lack of attacker activity, when in reality, the monitoring infrastructure has effectively been blinded.

Defenders should view the `serviceData` deprecation lifecycle not just as a documentation issue, but as an **integrity challenge** in their data pipeline. If your organization's security posture relies on granular policy change detection, validating that your export process preserves these specific JSON structures is a mandatory maintenance task.
Azure AD Graph Activity Logs: detecting directory enumeration - Elastic

The availability of Azure AD (AAD) Graph Activity Logs marks a significant shift in cloud security visibility. For nearly a decade, attackers have exploited the `graph.windows.net` API surface to conduct reconnaissance and bulk enumeration—activities that remained entirely invisible to defenders because the corresponding telemetry was not exposed as a customer-accessible log stream 【1】.

### What Happened
Microsoft has recently enabled access to AAD Graph Activity Logs, allowing organizations to ingest this previously "dark" telemetry into SIEM/XDR solutions. Because adversary tools—such as **ROADrecon**, **AADInternals**, **MSOLSpray**, and **Microburst**—rely heavily on the legacy AAD Graph surface rather than the modern Microsoft Graph, this logging update finally provides the visibility needed to detect these long-standing enumeration techniques 【1】.

### Who is Affected
Organizations using Entra ID (formerly Azure AD) are affected, particularly those that have not yet enabled the new diagnostic setting for AAD Graph activity. Even tenants with existing diagnostic logging must explicitly "tick" the new category to begin receiving this data; otherwise, these logs remain confined within Microsoft's tenant boundary 【1】.

### Security Implications
* **Enumeration Asymmetry:** Adversary tooling exploits the fact that the legacy `1.61-internal` API version returns more sensitive data (such as `strongAuthenticationDetail` during a directory walk) than the modern Microsoft Graph, which hides such details behind gated endpoints 【1】.
* **Visibility Gap Closure:** SOCs now have the ability to attribute malicious directory walks to specific identities, applications, and IP addresses, allowing for the detection of credential probing, bulk resource discovery, and token abuse that were previously "silent" 【1】.

### Technical Details
* **Ingestion:** Logs can be ingested into Elastic via the Azure integration and are available in the `logs-azure.aadgraphactivitylogs-*` index, utilizing the Elastic Common Schema (ECS) 【1】.
* **Key Fields:** Defenders should focus on `event.action` (the intent), `user_agent.original` (identifying offensive tooling), `url.path` (detecting breadth of enumeration), and `azure.aadgraphactivitylogs.properties.api_version` (detecting use of internal, more verbose API versions) 【1】.

### What Defenders Should Know
* **Enable Logging Immediately:** Ensure the `AzureADGraphActivityLogs` category is enabled in your diagnostic settings 【1】.
* **Detection Strategies:** Defenders can hunt for suspicious activity by monitoring for:
* **Tooling User-Agents:** Identifying offensive libraries (e.g., Python `aiohttp`, `curl`) 【1】.
* **API Misuse:** Flagging calls to `1.61-internal` versions 【1】.
* **Error Bursts:** A high ratio of 4xx status codes often indicates permission-probing or brute-forcing 【1】.
* **Device-Code Sign-ins:** Detecting rapid enumeration following a device-code login is a high-fidelity signal of phished tokens 【1】.
* **Mitigation:** Beyond detection, organizations can restrict AAD Graph access by setting application-specific `blockAzureADGraphAccess` properties or applying Conditional Access policies targeting the Azure AD Graph service principal (`00000002-0000-0000-c000-000000000000`) 【1】.
Reduce Microsoft Sentinel Costs with Summary Rules - NVISO

Thank you for the detailed precis. Based on the article provided, here is the synthesis of the information:

### **Executive Summary**
Organizations heavily reliant on Microsoft Sentinel often face unsustainable ingestion costs due to the high price of the "Analytics" tier. The article introduces a cost-optimization strategy that shifts high-volume log data to lower-cost storage tiers (Data Lake or Auxiliary) while utilizing "Summary Rules" to ensure that security detection capabilities remain intact.

### **What Happened and Who is Affected**
* **The Problem:** High-volume log sources (such as firewall traffic and DNS logs) drive up SIEM costs when stored in the default, high-performance Analytics tier.
* **Target Audience:** Security Operations Center (SOC) managers, SIEM engineers, and cloud security architects who need to manage growing log volumes without compromising their organization's threat detection posture.

### **Technical Implementation**
The strategy relies on a structural shift in how data is ingested and processed:
* **Split Transformation:** Organizations implement transformation rules at ingestion to route high-volume, low-context logs directly to the cheaper Data Lake tier.
* **Summary Rules:** Instead of querying massive raw datasets, engineers use Summary Rules to execute scheduled KQL queries against the Data Lake. These rules aggregate the data and push the meaningful, summarized results into a custom table within the more expensive Analytics tier.
* **Alerting Integration:** Because Summary Rules are essentially data-prep tools, they are paired with standard Analytic Rules. These Analytic Rules monitor the summarized data in the Analytics tier, allowing for continuous detection and alerting on a fraction of the original data volume.

### **Security Implications**
* **Significant Cost Savings:** By leveraging lower-cost storage tiers, organizations can realize substantial financial savings—potentially up to 94% cheaper than raw storage in the Analytics tier.
* **Improved Investigative Performance:** Analytic rules and manual investigations become faster and more efficient, as they process pre-aggregated, smaller datasets rather than raw log dumps.
* **Operational Visibility:** The process includes mandatory "Diagnostic Settings," which provide health telemetry. This allows teams to track the success or failure of Summary Rules, ensuring no blind spots are created during the aggregation process.

### **Key Takeaways for Defenders**
* **Summary Rules vs. KQL Jobs:** The article highlights that Summary Rules are superior to KQL jobs for routine, continuous monitoring due to better scheduling and native health monitoring features. KQL jobs, however, remain appropriate for infrequent, long-tail threat hunting.
* **Critical Limitations:** The Data Lake tier restricts users to single-table KQL queries. This necessitates careful planning to determine which data is safe to offload and which requires the depth of the Analytics tier for forensic investigation.
* **Strategic Caution:** The approach requires a balance between cost reduction and the level of granularity required for incident response. Future installments of this blog series are expected to provide specific guidance for Firewall and Microsoft DNS logs, as well as more advanced health monitoring techniques.
OSS Artifact Scanning at Scale Without Burning Your Token Budget - Nextron Systems

This precis summarizes the findings from the Nextron Systems article regarding the scale and methodology of modern open-source software (OSS) artifact scanning.

### What Happened
To address the overwhelming volume of OSS ecosystem growth—with over 100,000 new artifacts appearing daily on registries like npm, PyPI, and the VS Code Marketplace—Nextron Systems implemented a high-throughput, multi-stage security pipeline. This architecture was designed specifically to bridge the gap between massive artifact velocity and the need for rigorous security analysis.

### Who Is Affected
The primary targets of these security threats are developers, software engineering teams, and the downstream infrastructure that consumes third-party packages. Because malicious actors increasingly utilize self-propagating worms and sophisticated injection techniques, any organization relying on open-source dependencies is potentially vulnerable.

### Security Implications
The core risk identified is the surge in OSS supply-chain attacks, specifically:
* **Malicious Code Injection:** Hidden payloads designed to execute during package installation or runtime.
* **Typosquatting:** Creating packages with names similar to popular libraries to trick developers.
* **Evasion:** Attackers are moving beyond simple obfuscation, utilizing complex cross-platform implants that are specifically designed to bypass standard, metadata-only security checks.

### Technical Details
The system utilizes a "funnel" architecture to manage costs and technical debt while maintaining high detection efficacy:
* **Deterministic Filtering (Stages 1 & 2):** Uses indexing and THOR Thunderstorm (applying YARA, Sigma, and IOC rules) to scan everything. This initial pass reduces the total dataset to approximately 4% of all ingested artifacts.
* **LLM Triage (Stage 3):** Rather than full-file analysis, the pipeline sends only the relevant context (the matched string and 2,048 bytes of surrounding code) to an LLM. This successfully resolves 98% of flagged artifacts without human intervention.
* **Analyst Review (Stages 4 & 5):** The remaining ~100 artifacts per day are escalated to human analysts, who utilize "RuneAI" (agentic, deep-dive inspection) to perform final verification.

### What Defenders Should Know
* **Rule-First Strategy:** You must combine deterministic, rule-based prefiltering with LLM-based intent analysis. Rules effectively handle known tradecraft, while LLMs provide the necessary judgment to evaluate context.
* **Accepting Trade-offs:** This architecture prioritizes throughput; artifacts that bypass the deterministic rule set are not analyzed by the LLM. Defenders must be aware that this creates a reliance on the quality and comprehensiveness of their initial ruleset.
* **Operational Requirements:** Monitoring at this scale requires distributed, high-throughput infrastructure. The study demonstrated that this model is economically viable, costing roughly $2.88/day in compute to secure over 114,000 artifacts daily.
An Update on the Recent Klue Security Incident - Klue - Klue

This precis outlines the security incident reported by Klue regarding unauthorized access to their integration infrastructure.

### Incident Overview
On June 12, Klue identified unauthorized activity targeting a segment of their integration infrastructure. The incident was the result of a deliberate criminal act where an attacker gained access via a compromised legacy credential associated with an integration service. This access allowed the attacker to obtain OAuth tokens used to connect Klue with third-party platforms, subsequently enabling them to access data within a number of connected customer environments.

### Affected Parties and Impact
* **Affected Entities:** A subset of Klue’s customers who utilized the compromised integrations were affected.
* **Impact Scope:** The incident was limited to data within affected third-party platforms (including Salesforce).
* **Klue Platform:** There is currently no evidence that customer content stored directly within the core Klue platform was impacted.

### Security Implications
The incident highlights the risks inherent in interconnected software environments, where a compromise in one service can have a "ripple effect" across multiple organizations. Klue emphasized their accountability for maintaining secure connections to customer systems.

### Technical Details and Remediation
Upon discovery, Klue initiated several immediate containment and remediation efforts:
* **Credential/Token Revocation:** All affected credentials and OAuth tokens were revoked.
* **Unauthorized Code Removal:** Malicious or unauthorized code identified during the investigation was removed.
* **Integration Controls:** Potentially impacted integrations were disabled.
* **Expert Engagement:** CrowdStrike was engaged to support the investigation and validate response efforts.
* **Law Enforcement:** The incident was reported to law enforcement.
* **Security Review:** Klue is conducting a comprehensive review of their security controls, specifically focusing on credential management, monitoring capabilities, and deployment processes.

### What Defenders Should Know
For organizations relying on third-party integrations, this incident serves as a reminder of the following:
* **Legacy Credentials:** Maintaining unused or outdated credentials (legacy accounts) creates significant security blind spots and potential entry points for attackers.
* **OAuth Token Management:** Monitoring and rotating OAuth tokens used for third-party integrations is critical.
* **Supply Chain Risks:** Interconnected environments require robust security oversight of all integrations, as a vendor's infrastructure compromise can lead to lateral movement into your own environment.
* **Proactive Communication:** Klue is handling direct notification and specific remediation guidance for impacted customers. If you are a Klue customer, you should reach out to your Customer Success Manager or their security team at `security@klue.com` if you have concerns or have not been contacted.
A Forgotten Contributor Account Compromised the Entire Mastra npm Package Scope - Snyk

The summary you provided accurately captures the core technical findings and security implications of the `@mastra` npm scope compromise. Based on the article from Snyk, here is a consolidated precis covering the event:

### What Happened
On June 17, 2026, the entire `@mastra` npm scope was compromised. An attacker gained unauthorized access to the publisher account of a former contributor, `ehindero`, whose credentials had not been revoked. Using this access, the attacker republished 142 packages within the `@mastra` scope, injecting a malicious dependency named `easy-day-js` into the `package.json` of each.

### Who is Affected
The compromise impacts any developer, CI/CD pipeline, or automated system that performed a fresh installation or regenerated their lockfile between June 17, 2026, and the time the malicious versions were identified and remediated. Although `@mastra/core` sees high traffic, the actual impact is restricted to users who pulled the specific malicious versions during that window.

### Security Implications
The malicious package functions as a trojan dropper designed to achieve full system compromise. By leveraging a `postinstall` hook, it bypasses TLS verification to download a second-stage payload. This payload acts as a credential harvester and Remote Access Trojan (RAT), capable of:
* Stealing cryptocurrency from browser-based wallets (e.g., MetaMask, Phantom).
* Exfiltrating sensitive environment data, browser history, and API keys.
* Establishing long-term persistence on the host machine.

### Technical Details
* **Vector:** The attacker added `easy-day-js` (a malicious package masquerading as the legitimate `dayjs` library) to the `package.json` dependencies.
* **Execution:** The payload is triggered automatically upon installation. It uses a TLS-bypass technique to download a secondary executable from a remote server.
* **Persistence Mechanisms:** The malware installs itself across different operating systems:
* **macOS:** Via `LaunchAgents`.
* **Linux:** Using `systemd` user services.
* **Windows:** Through persistent PowerShell execution.
* **Stealth:** The dropper is designed to be ephemeral, often self-deleting after executing the secondary payload to reduce its forensic footprint.

### What Defenders Should Know
* **Detection:** Organizations should scan dependency lockfiles for the presence of `easy-day-js`. Defenders should hunt for specific artifacts, such as the files `~/.pkg_history` or `~/.pkg_logs`, and monitor for persistence mechanisms like `com.nvm.protocal.plist` or `nvmconf.service`. Egress traffic to suspicious raw IP addresses should be treated as a potential indicator of compromise.
* **Remediation:** Compromised machines should be considered fully untrusted. Security teams should perform a total rotation of all credentials (including cloud secrets and tokens), move cryptocurrency assets to secure hardware, and initiate a full re-imaging of the affected systems. Updates to clean versions of Mastra packages are necessary.
* **Prevention:** To harden supply chains against similar attacks, teams should:
* **Disable Lifecycle Scripts:** Use `npm config set ignore-scripts true` where possible.
* **Strict Build Processes:** Always commit lockfiles and use `npm ci` for builds to ensure reproducible, deterministic environments.
* **Provenance:** Explore the use of SLSA (Supply chain Levels for Software Artifacts) to verify the origin and integrity of packages.
* **Access Management:** Maintain strict audit logs of contributor access and promptly revoke credentials for former employees or contributors 【1】.
Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind - CloudSEK

The "FortiBleed" campaign refers to a large-scale, credential-compromise operation targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways 【1】.

### What Happened
FortiBleed is not a software vulnerability or a zero-day exploit; rather, it is a focused campaign that used brute force, credential reuse, and offline hash cracking to gain unauthorized access to exposed Fortinet devices 【1】. The campaign was discovered because the attackers inadvertently left their own back-end server exposed to the internet with an open, browsable directory containing their entire operation's data, including databases of validated credentials, tooling, automation scripts, and command histories 【1】.

### Who Is Affected
While initial reporting suggested a massive number of major brands were compromised, CloudSEK’s technical analysis clarified that the headline figure of ~21,632 entries is a count of device-registration records, not verified breaches 【1】.
* **Confirmed Compromise:** Analysis of the attacker's own tools shows that fewer than 5% (918) of the targeted entities had internal network traffic captured, and only 148 (approximately 0.68% of the headline figure) represent confirmed compromises where Active Directory (AD) credentials were successfully verified 【1】.
* **Attribution Challenges:** Many "targeted" entities in the list are not the actual device owners but third-party contractors, resellers, or service providers identified through registration emails or IP matching, which lack domain-ownership verification 【1】.

### Technical Details
The attackers utilized a sophisticated, end-to-end toolchain:
* **Layer 1 (FortiOS):** Credential data was extracted from configuration files pulled off exposed management interfaces. These contained either legacy salted-SHA256 or newer PBKDF2 hashes 【1】.
* **Layer 2 (Internal Pivot):** Once inside a network, the attackers deployed sniffers to capture Kerberos pre-authentication data (e.g., `krb5pa`), which revealed internal AD domain names 【1】.
* **Infrastructure:** The attackers utilized a ~45-GPU cluster for offline hash cracking and maintained an organized, revenue-sorted database to sell access to the compromised environments 【1】.

### Security Implications
The primary danger is unauthorized persistent access to internal infrastructure. While not every organization in the attacker's database was compromised, the threat group was actively using validated credentials to move laterally into Active Directory environments 【1】. The reliance on credentials stolen from perimeter hardware means that even if a firewall is secure, the internal network it protects may be vulnerable to compromised admin accounts 【1】.

### What Defenders Should Know
* **Investigation, Not Proof:** Appearing in the dataset is a call for investigation, not automatic proof of compromise 【1】.
* **Immediate Actions:**
* **Restrict Access:** Remove all management interfaces (Firewall/VPN) from the public internet.
* **Credential Hygiene:** Rotate all admin and VPN credentials, and enforce Multi-Factor Authentication (MFA) everywhere.
* **Update Hardening:** Upgrade FortiOS to versions supporting PBKDF2 and force a password change to ensure legacy SHA-256 hashes are removed 【1】.
* **Audit:** Check devices for unauthorized accounts, backdoors, or altered configurations, and rotate any internal service account credentials (LDAP/RADIUS) that might have been stored in configuration exports 【1】.
NOW: NØW is a word-based shellcode encoding and obfuscation tool that transforms raw shellcode bytes into natural-looking English prose. - Nirvana

The **NirvanaOn/NOW (Natural Output Words)** project is an open-source security research utility designed for red-team operations, malware analysis, and CTF (Capture The Flag) challenges. It is not a vulnerability or a security incident, but rather a tool used to demonstrate and implement advanced shellcode obfuscation techniques.

Below is a detailed précis of the project based on its documentation:

### What Happened
NØW is a utility written in C that transforms raw shellcode into seemingly benign, readable English prose. By encoding shellcode into text, it aims to bypass static analysis mechanisms that typically trigger on suspicious patterns like hex dumps, Base64 strings, or common opcodes.

### Who is Affected
This tool is intended for security professionals, including:
* **Security Researchers:** For testing detection capabilities.
* **Malware Analysts:** For studying obfuscation methods.
* **Red-Team Professionals:** For simulated payload delivery.

### Security Implications
* **Static Analysis Evasion:** By masking shellcode as natural language, it renders traditional signature-based detection ineffective.
* **Execution Mechanism:** The tool includes capabilities to execute the decoded payload directly in memory on Windows systems.
* **Dependency on Secrecy:** The effectiveness of the obfuscation is entirely dependent on the secrecy of the user-provided "secret sentence" and password, which are required to reconstruct the original shellcode.

### Technical Details
* **Encryption:** The tool utilizes stream ciphers (RC4 or AES-256-CTR) to shuffle byte-to-word mappings.
* **Mapping Logic:** It employs a codebook that maps every possible byte value ($0x00$–$0xFF$) to a specific word derived from a user-supplied sentence.
* **Output Variability:** It can generate output ranging from simple word lists to complex "natural" sentences, complete with filler words and punctuation to increase the likelihood of bypassing automated content filters.
* **Windows APIs:** The included execution functionality relies on standard memory manipulation and threading APIs, specifically `VirtualAlloc` and `CreateThread`.

### Advice for Defenders
Because this tool demonstrates how payloads can be hidden in seemingly benign communications, defenders should move beyond static signature-based detection:
* **Behavioral Monitoring:** Since static analysis may fail, focus on detecting the shellcode *after* it has been decoded and resides in memory.
* **Endpoint API Monitoring:** Monitor for the use of common Windows memory allocation and execution APIs, such as `VirtualAlloc`, `VirtualProtect`, and `CreateThread`, which are required to run the decoded payload.
* **Heuristic Analysis:** Be aware that suspicious "natural language" documents or data blobs containing high-entropy or unusual word frequencies might be vehicles for hidden shellcode.
GhostPack Necromancy: Reforging C# Tools with WasmForge - Praetorian

It appears my previous response provided a comprehensive precis of the WasmForge article based on the librarian's analysis. As the article's content has already been summarized, no further research or text editor interaction is required.

If you have additional questions about the implications of WasmForge, specific components of the toolchain, or further defensive strategies against WASM-based evasion, feel free to ask!
Harnessing the Power of Cobalt Strike Profiles for EDR Evasion – Part 3 - White Knight Labs

Thank you for the detailed précis of the article regarding the new Cobalt Strike 4.13 Malleable C2 profile capabilities. Your summary accurately captures the essential elements regarding the evasion techniques, their security implications, and the necessary defensive considerations.

Since you have already provided a comprehensive overview of the article, I have no further questions regarding its content at this time. If you need any additional analysis or have questions about other cybersecurity topics, please feel free to ask.
RoguePlanet and GreatXML: Detecting Local Privilege Escalation and BitLocker Security Boundary Abuse - LevelBlue

The article details two sophisticated techniques, **RoguePlanet** and **GreatXML**, that exploit legitimate Windows mechanisms to achieve local privilege escalation and bypass security boundaries like BitLocker. Below is a detailed precis of the findings.

### RoguePlanet: Local Privilege Escalation (LPE)
* **What happened:** Researchers discovered a method allowing standard users to elevate privileges to `SYSTEM` without needing memory corruption or kernel exploits. It exploits the remediation workflow of Microsoft Defender.
* **Who is affected:** All fully patched versions of Windows 10 and Windows 11.
* **Security Implications:** This allows a low-privileged user to gain full control over the operating system, bypassing security controls by leveraging a trusted component (Defender) to execute malicious code.
* **Technical Details:** The technique involves a complex orchestration of Windows components:
* **Components:** NTFS reparse points (junctions), opportunistic locks (oplocks), and Windows Error Reporting (WER).
* **Mechanism:** It uses a "dual-mode" binary for staging, then forces Defender to interact with attacker-controlled files. By manipulating file system structures, the attacker injects code into a file subsequently quarantined by Defender; this code is later triggered via a malicious scheduled task created during the remediation process.
* **Defensive Guidance:** Defenders should shift from signature-based detection to behavioral analysis:
* **Indicators:** Monitor for anomalous directory creation in `%TEMP%` that mimics `System32` structures.
* **Activity:** Look for deterministic creation of Alternate Data Streams (specifically `wermgr.exe:WDFOO`) and high-frequency file churn within temporary directories named with UUIDs.
* **Context:** Flag instances where `SYSTEM` processes unexpectedly interact with user-controlled temporary file paths or perform heavy junction manipulations.

### GreatXML: BitLocker Boundary Abuse
* **What happened:** A technique that abuses the Windows Recovery Environment (WinRE) to bypass BitLocker encryption protections.
* **Who is affected:** Systems utilizing BitLocker for disk encryption.
* **Security Implications:** While requiring initial administrative access to plant, this creates a persistent "time bomb." An attacker can later gain access to encrypted data from the login screen (e.g., via "Shift+Restart") without needing recovery keys or PINs. This persistence survives typical credential resets or standard incident response actions.
* **Technical Details:**
* **Mechanism:** Attackers modify the hidden recovery partition by planting a malicious `unattend.xml` file and altered WinRE configuration files.
* **Execution:** By forcing the system into WinRE (e.g., by triggering a Defender offline scan), the system executes the attacker’s answer file during the `windowsPE` pass. This spawns a command console with administrative access to the decrypted volume before full authentication.
* **Defensive Guidance:**
* **Detection:** Focus on the initial placement of files in the hidden recovery partition, which requires elevated privileges.
* **Monitoring:** Implement monitoring for unauthorized attempts to mount or assign drive letters to the hidden recovery partition (e.g., via `diskpart` or WMI).
* **Integrity:** Validate the integrity of the recovery partition and scrutinize the manual triggering of Defender offline scans.
Threat Brief: Mitigating Large-Scale Credential Attacks - Palo Alto Networks

This precis summarizes the findings from the Unit 42 report regarding a large-scale credential theft campaign.

### **What Happened**
A large-scale, internet-wide credential theft and password spraying campaign is underway, targeting edge services exposed to the public internet 【1】. An initial access broker (IAB) claiming responsibility for this activity—dubbed "FortiBleed"—advertised harvested credentials for sale on the Russian-language cybercrime forum *Exploit.in* on June 16, 2026 【1】.

### **Who Is Affected**
The primary targets of this campaign are **Fortinet devices** 【1】. Additionally, the threat actors have been observed targeting **MSSQL services** and reportedly targeting **Sophos devices** 【1】. While Palo Alto Networks devices are not the target, the company has observed suspicious login activity in customer telemetry and issued this advisory as a precautionary measure 【1】.

### **Security Implications**
The campaign is designed to establish persistent, high-privilege access to critical infrastructure. By successfully compromising these edge devices, threat actors can gain unauthorized control, extract sensitive configuration files (which may include further credentials), and use those stolen assets to fuel future attacks or sell access to other malicious actors 【1】.

### **Technical Details**
The threat actors utilize a sophisticated, multi-stage attack lifecycle:
1. **Initial Access:** Massive internet-wide scanning and password spraying are performed against exposed services using a curated list of passwords derived from previous data breaches and successful vulnerability exploits 【1】.
2. **Privilege Escalation & Extraction:** Once initial access is obtained, attackers may exploit privilege escalation vulnerabilities to extract device configuration files containing sensitive data 【1】.
3. **Persistence & Expansion:** Stolen credentials undergo offline cracking. These newly harvested, high-value credentials are then added to the attacker’s master password list for subsequent targeting and to establish persistent administrative access on compromised devices 【1】.

### **What Defenders Should Know**
Unit 42 advises organizations to adopt a proactive security stance to defend against this campaign:
* **Audit Logs:** Review remote access logs for successful logins that occur immediately following high-volume password failure events 【1】.
* **Implement Hardening Measures:**
* **Require Multi-Factor Authentication (MFA):** Essential for all remote services 【1】.
* **Adopt Zero Trust:** Use "jump boxes" and Zero Trust Network Access (ZTNA) policies so that management interfaces are not directly exposed to the internet 【1】.
* **Manage Credentials & Accounts:** Update default credentials to strong, complex passwords and disable all unused accounts 【1】.
* **Patch Management:** Maintain current software versions to mitigate known vulnerabilities, specifically those allowing local privilege escalation 【1】.

Organizations suspecting a compromise can reach out to the Unit 42 Incident Response team for assistance 【1】.
macOS ClickFix Lures Deploy AppleScript Stealer & Persistent RAT - Netskope

In May 2026, researchers identified an upgraded "ClickFix" campaign targeting macOS users with a full-featured remote access trojan (RAT), a significant evolution from previous stealer-only variants 【1】.

### What Happened
The campaign employs a social engineering framework where victims are lured to malicious websites (e.g., masquerading as "StellarScan Solutions") that trick them into copying and executing a terminal command 【1】. This command fetches a gzip-compressed, base64-encoded stager that runs entirely in memory, bypassing disk-based detection until persistence is established 【1】.

### Affected Targets
* **Geography:** Primarily Asia, North America, and Oceania 【1】.
* **Sectors:** Technology, media, and business services 【1】.
* **Exclusion:** The loader includes a check for Russian keyboard layouts and exits silently if detected, indicating the attacker likely originates from the CIS region and seeks to avoid local scrutiny 【1】.

### Security Implications
Beyond traditional credential and browser data theft, this variant performs invasive post-compromise actions:
* **Crypto Wallet Hijacking:** It replaces core files of popular desktop wallets (Exodus, Atomic, Ledger, Trezor) with trojanized versions 【1】.
* **Interactive Control:** A persistent C2 beacon allows the operator to execute arbitrary commands, making it a fully functional RAT 【1】.
* **Persistence:** It establishes long-term access by creating fake system accounts disguised as legitimate Apple processes 【1】.

### Technical Details
* **Fileless Execution:** The infection chain relies on memory-only execution (`osascript`), leaving minimal disk artifacts until persistence mechanisms (LaunchDaemons/Agents) are written 【1】.
* **Code-Signing Bypass:** After injecting malicious code into wallet applications, the malware uses `codesign -f -d -s` to apply an ad-hoc signature, preventing macOS Gatekeeper from triggering warnings on launch 【1】.
* **Persistence Label:** The malware uses `com.apple.accountsd` for its LaunchDaemon/Agent to blend in with legitimate Apple sync daemons 【1】.

### Recommendations for Defenders
* **Delivery Layer:** Focus on blocking the lure domains and associated scripts before the user executes any commands 【1】.
* **Forensic Indicators:** Search for the label `com.apple.accountsd` in LaunchAgents/Daemons, the directory `/Library/Application Support/.com.apple.accountsd/`, and the file path pattern `/tmp/shub_` 【1】.
* **Remediation:** If a system is compromised, assume all desktop wallet installations are untrusted; these should be fully removed and reinstalled from verified, official sources 【1】.
asftriage: LLM Agent Session Forensics Tool - A forensic investigation tool for AI agent session logs (Claude Code and Codex CLI). - OA Labs

ASF Triage is not a report of a security incident itself, but rather a specialized **forensic investigation tool** developed by OA Labs for analyzing AI agent session logs. It is designed to assist security teams in investigating potential insider threats or malicious activity occurring within AI-powered development environments, such as Claude Code and Codex CLI.

### What Happened
As AI agents (like Claude Code and Codex CLI) become integrated into developer workflows, they generate detailed logs of their interactions, including code changes, internal reasoning, and tool executions. OA Labs released **ASF Triage** as an open-source, client-side utility to make this forensic data searchable, navigable, and analyzable for security analysts.

### Who is Affected
This tool is intended for use by **Security Operations Center (SOC) analysts, digital forensics and incident response (DFIR) teams, and security engineers** who need to audit the behavior of AI coding assistants within their organization.

### Security Implications
- **Visibility:** AI agents act as powerful, privileged users within a developer's environment. Without specialized tools, their logs are difficult to parse, leaving a blind spot for security teams.
- **Data Privacy:** ASF Triage is built to run entirely in the analyst's browser. This is critical for security, as it ensures that sensitive proprietary code or credentials contained within session logs do not leave the analyst’s controlled environment during the investigation.
- **Redaction:** The tool provides non-destructive, reversible masking of sensitive information (e.g., PII, API keys, credentials) within the logs, allowing analysts to safely collaborate or present findings without exposing secrets.

### Technical Details
- **Architecture:** The tool is a web application built with Vue 3, Pinia, and Tailwind v4. Parsing is handled by a Web Worker to ensure smooth performance when analyzing large log files (e.g., hundreds of megabytes).
- **Functionality:**
- **Log Ingestion:** Supports `.jsonl` transcripts, `history.jsonl` files, or entire directory structures.
- **Visualization:** Includes a global activity timeline, a "supertimeline" for sequential analysis, and a VSCode-style minimap for navigating massive logs.
- **Investigation:** Offers features such as cross-session flagging/tagging, timezone conversion, and context-aware searching.
- **Case Management:** Analysts can export or save the entire workspace as a self-contained case file, including all notes and redactions.

### What Defenders Should Know
- **Where to Find Logs:**
- **Claude Code:** Found in `~/.claude/projects/<encoded-cwd>/<session-id>.jsonl` and `~/.claude/history.jsonl`.
- **Codex CLI:** Found in `~/.codex/sessions/YYYY/MM/DD/rollout-<timestamp>-<uuid>.jsonl` and `~/.codex/history.jsonl`.
- **Log Collection Strategy:** Because a single `sessionId` can span several days through session resumes, it is vital to collect the **entire** `projects/` or `sessions/` directory, rather than just the most recent files.
- **Persistence:** These tools maintain append-only transcripts that capture the complete lifecycle of a session—including user prompts, model responses, internal reasoning steps, and every tool output—providing a high-fidelity audit trail for incident response.
OXLOADER: new loader evading detection to drop infostealer - Elastic

OXLOADER is a sophisticated, previously undocumented Windows malware loader identified by Elastic Security Labs. It is currently being used in active campaigns to deliver the CASTLESTEALER infostealer 【1】.

### What Happened
The attack chain begins with malicious Google Ads impersonating legitimate software (e.g., Node.js). Victims searching for software versions (such as an "lts version of node.js") are served sponsored search results that direct them through an intermediary domain to a Storj-hosted batch script. Executing this script triggers the download and execution of OXLOADER 【1】.

### Who is Affected
While the loader has been observed in campaigns targeting Elastic customers, its geographic and language-based filtering—which specifically excludes CIS-region countries and systems configured for the Russian language—points to a Russian-speaking, financially motivated threat actor 【1】.

### Security Implications
OXLOADER is in an early operational phase, but its design reflects deliberate engineering choices intended to maximize its "dwell time" by evading detection. It successfully bypasses many static analysis engines and sandbox environments through a combination of code obfuscation, anti-VM checks, and unique staging techniques. This high level of sophistication suggests the malware family is a significant threat that is likely to evolve 【1】.

### Technical Details
OXLOADER employs several advanced tactics to remain stealthy and ensure it is executing on a target system rather than in an analysis environment:

* **Obfuscation:** Uses control-flow flattening, mixed Boolean-Arithmetic (MBA), opaque predicates, and function chunking to intentionally break automated function-boundary detection in tools like IDA Pro 【1】.
* **Anti-VM/Sandbox Environment Checks:**
* **Emulation Detection:** Attempts to connect to a malformed network resource to verify how the environment handles specific error codes (【1】).
* **Hardware Thresholds:** Requires at least 3 CPUs, 3 GB of RAM, and a display refresh rate of at least 20 Hz, which effectively filters out many lightweight analysis VMs 【1】.
* **Staging & Execution:** The loader copies a legitimate Windows DLL (`dui70.dll`), renames it with an `.ocx` extension (the source of the name "OXLOADER"), and creates a new RWX section within it. It abuses the Windows `.reloc` section to hide and stage malicious shellcode, which is then moved to the new section and executed via `LoadLibraryA` 【1】.
* **Payload Delivery:** The final stage uses DonutLoader to execute a .NET assembly for the CASTLESTEALER infostealer in memory 【1】.

### What Defenders Should Know
Defenders should monitor for the specific behaviors and techniques outlined above. Elastic Security Labs recommends focusing on the following areas for detection and prevention:

* **Behavioral Monitoring:** Look for suspicious browser information discovery, unusual thread context manipulation, module stomping from copied libraries, and the loading of the Microsoft Common Language Runtime (CLR) from suspicious memory locations 【1】.
* **Static Analysis Red Flags:** The use of the `.reloc` section to host code is a major red flag, as legitimate software does not emit code into this section 【1】.
* **Detection Rules:** Elastic has published specific YARA rules to identify both `Windows.Trojan.OxLoader` and `Windows.Trojan.CastleStealer` to assist in hunting for these threats 【1】.
Composer & Packagist Supply Chain Security in 2026 - Nils Adermann

This summary provides a detailed overview of the supply chain security landscape in the PHP ecosystem as of June 2026, based on the presentation by Nils Aderman.

### **What Happened & Who is Affected**
The PHP package ecosystem has become a primary target for supply chain attacks. Recent notable compromises, such as the incidents involving `intercom/intercom-php` and `laravel-lang` in 2026, demonstrate that attackers are actively exploiting weaknesses in development infrastructure. **Package maintainers, open-source consumers, and enterprise infrastructure teams** are all directly affected. Attackers typically gain unauthorized access to GitHub repositories through:
* Compromised developer machines.
* Insecure or malicious dependencies.
* Misconfigured or exploited GitHub Actions.

### **Security Implications**
* **Targeted Exploitation:** AI is accelerating the speed and scale at which attackers can identify vulnerabilities and deploy malicious package updates.
* **The Trust Gap:** While PHP’s Composer traditionally relied on a direct source-to-consumer model, it now faces pressure to implement modern security standards like OIDC and build attestations, which are already maturing in ecosystems like npm and PyPI.
* **Structural Risks:** A major vulnerability is the common practice of "re-tagging" Git versions. Because Composer often generates zip files dynamically from these tags, there are no stable, pre-signed artifacts to verify against, allowing backdoors to be pushed to end-users silently.

### **Technical Details & Mitigations**
Composer and Packagist have implemented several technical defenses to mitigate these risks:

| Mitigation Strategy | Technical Description |
| :--- | :--- |
| **Dependency Policies** | Introduced in Composer 2.10, `config.policy` allows users to define rules to automatically block or audit packages based on malware reports, security advisories, or "abandoned" status. |
| **Transparency Log** | A public ledger that tracks maintainer changes, modifications to version references, and critical account events to provide auditability. |
| **Immutability** | Packagist.org has been updated to reject silent overwrites of stable version tags, preventing attackers from re-tagging existing versions with malicious code. |
| **Source Fallback Disabled** | The system no longer automatically falls back to source checkouts when dist downloads fail, preventing the installation of unverified, potentially compromised tags. |

**Roadmap for Future Security:** The project is prioritizing "staged publishing" (requiring pre-release verification), stricter organizational package ownership models, and the enforcement of mandatory Multi-Factor Authentication (MFA).

### **What Defenders Should Know**
* **For Maintainers:** Immediate security hardening is required. This includes enabling MFA, migrating away from shared/service accounts, upgrading to Composer 2.10, and utilizing automated security scanning tools (e.g., `zizmor` for GitHub Actions).
* **For Enterprise Users:** Developers should not rely solely on public repositories. Adopting **Private Packagist** is recommended to enforce organization-wide policies, such as plugin allow-listing and centralized security configuration that cannot be overridden by individual developers.
* **Sustainability Note:** The critical infrastructure powering these security improvements is currently under-funded and relies heavily on subsidies from Private Packagist and a small group of sponsors.
Man jailed for role in “SMS Blaster” fraud operation following City of London Police investigation - City of London Police

Based on the City of London Police investigation, here is a detailed precis regarding the recent conviction related to "SMS blaster" fraud.

### What Happened
On June 3, 2026, a man (identified in reports as Li) was sentenced to 48 months in prison following a conviction at Inner London Crown Court on March 27, 2026 【5】. The investigation, led by the City of London Police’s Dedicated Card and Payment Crime Unit (DCPCU), established that the defendant was involved in an organized criminal operation using a sophisticated "SMS blaster" device to transmit fraudulent text messages 【3】.

### Who Is Affected
The victims are members of the general public whose mobile devices fall within range of the device. Because the technology forces connections from nearby phones, targeted individuals do not need to have been specifically selected by the criminals, nor does the operation require the fraudsters to have previously obtained the victims' phone numbers 【2】.

### Technical Details
An "SMS blaster" functions as an illegitimate, rogue mobile phone mast (often referred to as an IMSI-catcher or cell-site simulator).
* **Mechanism:** The device tricks nearby mobile devices into connecting to it by simulating a legitimate 2G network signal 【2】.
* **Capabilities:** By forcing this connection, the device bypasses standard mobile network anti-spam and filtering measures, allowing criminals to mass-broadcast fraudulent SMS messages (smishing) to thousands of devices simultaneously in a specific area 【2】【4】.

### Security Implications
* **Circumvention of Protections:** Traditional network-level security controls designed to stop spam and phishing are ineffective against this method because the messages are injected directly into the devices from a local, rogue source.
* **High Success Rate:** Because the messages appear to be delivered via the network, users are more likely to trust them. The messages typically contain links directing victims to fraudulent sites designed to steal personal or financial information 【1】.

### What Defenders Should Know
* **Device Awareness:** Security teams and the public should be aware that SMS messages can be delivered via rogue hardware that operates entirely outside of traditional cellular carrier infrastructure.
* **User Vigilance:** Since these attacks are often location-based (e.g., in transit hubs or densely populated areas), users should remain suspicious of any unexpected "urgent" texts requesting personal information or clicks on links, even if the SMS appears to be from a legitimate service (like a delivery company) 【1】.
* **Device Settings:** While difficult to mitigate completely at a user level, some modern mobile devices offer settings to disable 2G network connections, which can potentially reduce the risk of falling victim to older-style cell-site simulators that rely on downgrading connections to 2G.
Inside Vidar’s ABE Bypass: From Memory Scanning to APC Injections - Gen Digital

The following precis details the recent evolution of the Vidar infostealer, which has introduced a sophisticated method to bypass Application-Bound Encryption (ABE) in modern web browsers.

### **What Happened**
Vidar infostealer (specifically version 2.1) has implemented a new technique to bypass ABE—a security feature designed to protect browser data (like cookies and passwords) by binding them to the application. Instead of attempting to extract the `v20_master_key` from disk, where it is heavily encrypted, Vidar now targets the browser's memory, where the key is protected by `CryptProtectMemory`. The malware identifies, decrypts, and extracts this key to decrypt ABE-protected data.

### **Who Is Affected**
Users of modern Chromium-based browsers on Windows systems are the primary targets. The malware enumerates running browser processes or launches isolated instances to perform its memory-based attacks.

### **Technical Details**
Vidar employs a multi-stage approach to acquire the `v20_master_key`:
* **Memory Snapshotting:** The malware uses `NtCreateProcessEx` to fork existing browser processes, creating a static, threadless copy for memory analysis without interrupting the live process. If no browser is running, it launches a new instance on an isolated desktop.
* **Pattern Scanning:** It scans the virtual memory of these forked processes for a specific 32-byte signature that corresponds to Chromium’s `Encryptor::KeyRing` structure. The malware uses parallel worker threads to scan memory regions, validating candidates that likely hold the encrypted `v20_master_key`.
* **APC Injection for Decryption:** Since the key is protected by `CRYPTPROTECTMEMORY_SAME_PROCESS`, Vidar cannot decrypt it externally. Instead, it injects Asynchronous Procedure Calls (APCs) into the live browser process to force it to run `CryptUnprotectMemory` on the target address.
* **Injection Methods:**
* **"Classic" Method:** Used when ESET or Bitdefender is detected; it creates a suspended thread, queues an APC, and resumes the thread to trigger execution via `NtTestAlert`.
* **"Special" Method:** Used otherwise; it utilizes `NtQueueApcThreadEx2` with the `QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC` flag, allowing immediate execution without requiring the target thread to be in an alertable state.
* **Verification & Cleanup:** Vidar verifies the decrypted key by attempting to decrypt GCM-encrypted data. Once finished, it re-encrypts the key in the browser's memory using another APC to maintain system stability.

### **Security Implications**
This technique demonstrates that even robust, OS-level protections (like ABE and `CryptProtectMemory`) can be circumvented through process memory manipulation and APC injection. By abusing these system features, Vidar avoids traditional code-injection methods, potentially bypassing some signature-based security products while successfully exfiltrating sensitive credentials and session data.

### **What Defenders Should Know**
* **Detection Focus:** Defenders should monitor for suspicious use of APC injection techniques and processes that frequently fork other applications (especially web browsers) using `NtCreateProcessEx`.
* **Process Monitoring:** Unusual browser command-line arguments (e.g., `--no-first-run --disable-gpu about:blank`) or the creation of isolated desktops for browser processes are indicators of potential malicious activity.
* **Endpoint Security:** Since Vidar adapts its injection strategy based on detected security products, defensive solutions should focus on behavioral monitoring of `NtQueueApcThread` and `NtQueueApcThreadEx2` calls, particularly those targeting browser process memory.

**Indicator of Compromise (IoC):**
* `459daa809751e73f60fbbe4384a7d1653c36bb06945e4eb3635270924241100a` (Vidar 2.1)
Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model - Cisco Talos

The provided summary effectively encapsulates the technical approach and implications outlined in the Cisco Talos blog post, "Scripting the Disassembler." Here is a refined precis incorporating the requested structure:

### **Executive Summary: What Happened**
The article introduces a novel methodology for enhancing reverse engineering workflows by transforming existing, static analysis tools into "data servers." By exposing a tool’s internal object model to the Windows environment, researchers can leverage external AI agents to perform complex, automated analysis without requiring the analysis software itself to have native AI capabilities.

### **Who is Affected**
* **Primary Users:** Reverse engineers and security analysts who deal with complex or legacy binaries (such as those written in VB6).
* **Scope:** The approach is highly generalizable, benefiting any professional seeking to automate tedious manual analysis tasks or extend the functionality of legacy software that lacks modern developer APIs.

### **Security Implications**
* **Privacy and Data Sovereignty:** Because the analysis engine functions as a local server, sensitive binaries and reverse-engineered data do not need to be uploaded to cloud-based AI services, maintaining strict local control.
* **Tool Agnostic Capability:** This model effectively decouples an analysis tool's utility from its hardcoded feature set, allowing analysts to overcome limitations in aging or "abandonware" tools.
* **Operational Efficiency:** By reducing the friction involved in writing traditional, complex plugins, this approach enables rapid, ad-hoc automation of repetitive tasks, such as systematic metadata extraction.

### **Technical Details**
* **Mechanism:** The technique utilizes the **Windows Running Object Table (ROT)**. In the specific case of `vbdec` (a VB6 disassembler), the tool registers its live COM objects within the ROT, rendering them accessible to other local processes.
* **The "Contract":** Rather than modifying the disassembler source code, the developer provides the AI agent with a "contract" comprised of a markdown-based operator briefing and auto-generated prototype class definitions.
* **Agentic Execution:** External AI agents utilize these prototypes to interact with the disassembler via VBScript or `cscript`, performing live queries, navigating code structures, or automating data exports (e.g., to SQL databases) in real-time.

### **What Defenders Should Know**
* **Modular Pipeline Construction:** Defenders can apply this design pattern to build customized, scalable analysis pipelines. Instead of learning disparate, tool-specific plugin architectures, they can use this universal method to integrate disparate tools into a unified, AI-driven workflow.
* **Future-Proofing Legacy Tools:** Analysts do not need to abandon effective but outdated tools. Exposing internal models via IPC or COM allows legacy software to remain central to modern, AI-augmented analysis environments.