InfoSec Briefing - June 29, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Monday the 29th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 8 articles to cover. All attribution is by the article authors. All article analysis is automated.

The Internet Crime Complaint Center has issued an alert about Russian intelligence services running targeted phishing campaigns against high-value individuals — government officials, military personnel, journalists — by impersonating support accounts within messaging apps. The real concern here is they're after Backup Recovery Keys, which let them maintain persistent access even after you've deleted and re-registered your account.

Internet Initiative Japan has tracked a May 2026 campaign by the North Korean group Kimsuky distributing KimJongRAT malware through shortened URLs leading to GitHub-hosted payloads. They're using Living Off Trusted Sites techniques — Google Drive for dynamic command and control retrieval, MeshAgent for backup access — and they're quick to spin up new infrastructure when repositories get taken down. One for anyone monitoring North Korean tradecraft.

Cloudflare has released an open-source framework called security-audit-skill that lets autonomous AI agents audit code for security vulnerabilities. It uses a multi-stage pipeline with adversarial validation, where independent agents try to disprove findings to cut down false positives. Worth a look if you're curious about where automated vulnerability discovery is heading.

The curl project has successfully disputed a CVE request for a certificate validation bug. MITRE agreed the wildcard certificate matching flaw doesn't constitute a vulnerability because the exploit chain is vanishingly unlikely and would require local attacker privileges anyway. Adds useful context to how CVE disputes actually work when you're the numbering authority.

Hawktrace have disclosed CVE-2026-45504, a critical arbitrary file read vulnerability in Microsoft Exchange Server 2019 that lets authenticated low-privileged users read sensitive files via the web services API. The exploit leverages improper input validation in WOPI endpoints and uses a fragment marker trick to bypass URI parsing. One to flag if you're running Exchange.

A security researcher has demonstrated six techniques to bypass Windows Anti-Malware Scan Interface by exploiting a fundamental design flaw: AMSI runs in the same process memory space as the code it's scanning, with no privilege boundary. It's a fail-open design that lets attackers disable detection in PowerShell environments. Worth understanding if you're relying on AMSI for telemetry.

Security researchers have released GlueGate, a proof of concept that proxies memory operations through Mozilla's signed library to evade detection. The technique exploits kernel callback inspection by making malicious memory allocations appear to originate from trusted Mozilla code rather than unsigned processes. Particularly relevant if your detection logic relies on call-stack inspection for memory telemetry.

And finally, researchers have released heavener, an open-source EDR emulation engine that lets you test attack payloads against extracted detection logic from commercial platforms — SentinelOne, Cortex, CrowdStrike, Sophos — without deploying actual vendor agents. It uses a six-layer architecture including kernel drivers to simulate real EDR behaviour in offline environments, which is either very useful for red teams or mildly terrifying for vendors, depending on your perspective.

That concludes today's briefing.

📰 Articles Covered

Internet Crime Complaint Center (IC3) | Russian Intelligence Services Continue to Target Commercial Messaging Applications - Internet Crime Complaint Center (IC3)

This precis summarizes the Public Service Announcement issued by the IC3 regarding a persistent phishing campaign conducted by Russian Intelligence Services (RIS).

### Overview of the Incident
Russian Intelligence Services are executing a highly targeted phishing campaign, tracked as **UNC5792** and **UNC4221**. Threat actors are masquerading as official, automated support accounts within commercial messaging applications (CMAs) to deceive users into disclosing sensitive security credentials.

### Affected Parties
The campaign is narrowly focused on individuals of high intelligence value, specifically:
* Current and former U.S. and international government officials.
* Military personnel and political figures.
* Journalists.
* Key officials located in Ukraine.

### Security Implications and Technical Details
The attackers have **not** breached the underlying encryption or the core infrastructure of the messaging applications themselves. Instead, they leverage social engineering to compromise individual accounts.

* **Mechanism:** Attackers manipulate victims into providing verification codes, account PINs, and—most critically—**Backup Recovery Keys**.
* **Impact:** Upon obtaining these credentials, actors can gain full access to the victim’s private, group, and historical messages, effectively hijacking the account.
* **Persistence:** A unique danger of this campaign is that if a victim’s Backup Recovery Key is compromised, that key remains valid even if the victim deletes their account and registers a new one using the same phone number. This enables the actors to hijack the new account as well.

### Key Guidance for Defenders and Users
* **Verify Communication Channels:** Legitimate CMA support services will **only** contact users via official company email addresses. They will never send in-app requests for verification codes or links to "verify" or "restore" accounts.
* **Credential Discipline:** Users must never share verification codes or Backup Recovery Keys through in-app chats or unsolicited support prompts.
* **Remediation:** If a user suspects their Backup Recovery Key has been compromised, they should immediately generate a new one within the application's settings. While this invalidates the stolen key for future backups, it does not revoke the attacker's access to data they have already downloaded.
* **Incident Reporting:** Any suspected compromise should be reported promptly to the [IC3](https://www.ic3.gov/), a local FBI field office, or CISA.
LOTSを活用して進化を続けるKimJongRAT – KimJongRAT continues to evolve by utilizing LOTS - Internet Initiative Japan Inc. (IIJ)

Based on the report from IIJ, here is a detailed precis regarding the May 2026 campaign involving KimJongRAT.

### Overview: What Happened
In May 2026, IIJ observed a new, sophisticated attack campaign distributing **KimJongRAT**, a dual-purpose malware acting as both an InfoStealer and a Remote Access Trojan (RAT). Attributed to the North Korean-linked threat actor **Kimsuky** (also known as Earth Kumiho), this campaign leverages "Living Off Trusted Sites" (LOTS) techniques to abuse legitimate infrastructure for malicious purposes, including payload hosting, C2 communication, and infrastructure resilience.

### Who is Affected
The campaign primarily targets users through malicious emails containing shortened URLs. These URLs lead victims to download ZIP files hosted on **GitHub Releases**. Any organization or individual susceptible to spear-phishing attempts that leverage trusted cloud platforms for malware delivery is at risk.

### Security Implications
* **Rapid Infrastructure Adaptation:** The attackers have demonstrated a high level of agility. Even when repositories are taken down, they rapidly re-establish their infrastructure, rendering single-instance takedowns only temporarily effective.
* **Abuse of Trusted Services:** The heavy reliance on services like GitHub and Google Drive complicates traditional perimeter defense, as traffic to these legitimate sites is often permitted by default in many enterprise environments.
* **Increased Resilience:** By combining proprietary malware with legitimate RMM (Remote Monitoring and Management) tools, the threat actors ensure persistent access even if their primary RAT is detected or quarantined by security software.

### Technical Details
* **Dynamic C2:** Recent iterations have abandoned hardcoded C2 addresses in favor of dynamically retrieving encrypted C2 information from **Google Drive**, allowing attackers to pivot infrastructure without re-compiling the malware.
* **Persistence Mechanism:** The malware includes the ability to install **MeshAgent**, a legitimate RMM tool, into a temporary directory to serve as a robust backup access method.
* **Infection Chain:** The multi-stage execution flow typically begins with an LNK file, which triggers `mshta` to download an HTA file. This initiates a series of PowerShell scripts that perform environment checks (specifically for Windows Defender) to tailor the deployment of the final payload.

### Guidance for Defenders
* **Proactive Monitoring:** Defenders should actively hunt for anomalous use of built-in system tools, specifically:
* `mshta` executing files downloaded from cloud providers.
* Suspicious PowerShell commands involved in downloading or decrypting payloads from Google Drive.
* **Behavioral Detection:** Implement strict application control policies. Because the actors use legitimate RMM tools (MeshAgent), monitoring for the unauthorized deployment or execution of such tools is critical.
* **Threat Intelligence:** Continuously track and update security systems with known Indicators of Compromise (IoCs), including the identified C2 domains (e.g., `corpsecs[.]com`) and observed file hash patterns, while maintaining visibility into network traffic directed at commonly abused cloud storage services.
security-audit-skill: A coding-agent skill for multi-phase security audits with independently verified, machine-readable findings - Cloudflare

It appears there is a misunderstanding regarding the nature of the repository at `https://github.com/cloudflare/security-audit-skill`.

This repository is **not a report of a specific cybersecurity incident, breach, or vulnerability disclosure.** Rather, it is a technical project—a **"skill" or template**—developed by Cloudflare to help users build their own AI-driven vulnerability discovery harness. It provides a framework and methodology for using AI agents to audit source code for security flaws.

Below is the precis based on the nature of this project:

### What This Project Is
This is an open-source framework released by Cloudflare designed to automate the process of auditing codebases for security vulnerabilities using autonomous AI agents. It serves as a foundational "seed" for a multi-stage, fleet-wide vulnerability discovery harness.

### Who Is Affected
There are no victims; this is a **tool for security professionals, developers, and researchers**. It is intended to be used *by* defenders to analyze their own applications, not an exploit used *against* them.

### Security Implications (As a Methodology)
By shifting vulnerability discovery to an automated, agent-based model, this tool aims to:
* **Scale Auditing:** Reduce the manual burden on security teams by parallelizing reconnaissance and attack surface analysis.
* **Reduce Noise:** By requiring "adversarial validation" (where an independent agent attempts to disprove a finding), it aims to lower the false-positive rate compared to traditional static analysis tools.
* **Focus on Exploitable Risk:** The framework discourages "theoretical" vulnerabilities, mandating that every finding must be accompanied by a concrete attack scenario to be considered valid.

### Technical Details
The process follows a six-stage pipeline managed by specialized AI agents:
1. **Recon:** Mapping architecture, trust boundaries, and input surfaces.
2. **Hunt:** Parallel agents attacking the codebase (e.g., injection, access control, cryptography).
3. **Validate:** Adversarial agents attempt to disprove findings to eliminate false positives.
4. **Report:** Generating structured (`findings.json`) and human-readable (`REPORT.md`) output.
5. **Structured Output:** Standardized reporting conforming to a specific schema.
6. **Independent Verification:** Fresh agents verify the factual claims of the findings against the source code.

### What Defenders Should Know
* **Shift in Perspective:** The framework explicitly distinguishes between "vulnerabilities" and "hardening notes." If defense-in-depth is working (i.e., Layer A prevents an attack, even if Layer B is absent), it is not classified as a vulnerability.
* **Iterative Nature:** The authors emphasize that a single run of the tool typically only identifies about half of the total vulnerabilities. Continuous, additive runs are necessary to improve coverage.
* **Proof over Theory:** Security teams adopting this methodology should prioritize findings that include a working exploit path, rather than chasing hypothetical risks.
* **Origin:** The tool is derived from Cloudflare’s internal efforts to automate vulnerability research, as detailed in their blog post: [Build your own vulnerability harness](https://blog.cloudflare.com/build-your-own-vulnerability-harness).
a CVE dispute - Daniel Stenberg

The curl project recently navigated its first-ever CVE dispute, which clarifies how the project manages security reporting now that it acts as a CVE Numbering Authority (CNA).

### What Happened
In December 2025, a reporter submitted a bug report concerning a certificate validation flaw in `curl`. The curl team evaluated the report and concluded it did not warrant a CVE. The reporter disagreed and escalated the case to MITRE in February 2026 to force a CVE assignment. On June 24, 2026, MITRE concluded its review, siding with the curl project's original determination that the bug is not a security vulnerability and therefore does not require a CVE ID 【1】.

### Technical Details
The issue stemmed from a bug in the `Curl_cert_hostcheck()` function, which is responsible for verifying if a hostname matches a wildcard certificate (e.g., `*.example.com`). Under specific circumstances, the function incorrectly identified a hostname with a leading dot—such as `https://.example.com/`—as a valid match for a wildcard certificate, which violates the specification 【1】.

### Security Implications and Vulnerability Context
The curl project and MITRE determined that the issue does not pose a realistic security threat. For the flaw to be exploitable, a complex and highly unlikely chain of conditions must be met 【1】:
* **Illegal Hostnames:** The user must utilize a hostname with a leading dot, which is not supported by DNS.
* **Local Manipulation:** An attacker would likely need local privileges to manually define the address for such a hostname (e.g., via `/etc/hosts`).
* **Imposter Host:** An attacker would need to successfully run an imposter host that holds a matching wildcard certificate to serve malicious data.

Because the exploit requires a local attacker with specific privileges to facilitate what is essentially a niche configuration, it was deemed "lower than LOW" risk 【1】.

### What Defenders Should Know
* **Fixed in Master:** Although the issue is not considered a security vulnerability, the underlying bug has already been fixed in the `curl` master branch 【1】.
* **CNA Authority:** As a CNA, the `curl` project maintains autonomy over its security disclosures. This case demonstrates that the project applies strict criteria for CVE assignment, prioritizing actual security impact over the mere presence of a bug in complex or theoretical scenarios 【1】.
CVE-2026-45504: CVE-2026-45504 Microsoft Exchange File Read - allows an authenticated low-privileged user to read arbitrary local files from the Exchange server by creating an EWS ReferenceAttachment - Hawktrace

CVE-2026-45504 is a critical arbitrary file read vulnerability affecting Microsoft Exchange Server 2019. It allows an authenticated, low-privileged user to read sensitive files from the server's filesystem without authorization 【1】.

### Technical Details
The vulnerability stems from improper input validation regarding the `WebApplicationUrl` field in Microsoft Exchange’s implementation of Web Application Open Platform Interface (WOPI) endpoints.

1. **Exploitation Workflow**: An authenticated low-privileged user creates an EWS (Exchange Web Services) `ReferenceAttachment` where the `ProviderEndpointUrl` is directed to a server controlled by the attacker.
2. **SSRF Trigger**: When a victim attempts to preview this attachment, the Exchange server initiates a Server-Side Request Forgery (SSRF) call to the attacker’s malicious server.
3. **The "Fragment" Trick**: The attacker's server responds with a `WebApplicationUrl` containing the target local file path formatted as `file:///C:/path/to/file#`.
4. **Bypassing Parsers**: By utilizing the `#` fragment marker, the attacker forces the Exchange server to ignore appended OAuth parameters that would otherwise be attached by the URI parser. This allows the request to be processed by `FileWebRequest`, which subsequently reads the contents of the local file and exposes them to the attacker 【1】.

### Security Implications
Because this vulnerability allows for the reading of arbitrary files on the system, it represents a significant risk to the confidentiality of the Exchange environment. An attacker could potentially harvest configuration files, sensitive system files, or other data stored on the host, which could lead to further exploitation, privilege escalation, or full system compromise.

### What Defenders Should Know
* **Mitigation**: The core issue is the lack of scheme validation for `WebApplicationUrl` values. Administrators should ensure their systems are patched according to the vendor's guidance. The permanent fix requires that Exchange validates the scheme of these URLs to explicitly block `file://` and other non-HTTP schemes before the application processes them via `WebClient.OpenRead()` 【1】.
* **Detection/Monitoring**: Monitor for anomalous EWS traffic or requests involving `ReferenceAttachment` that point to suspicious external endpoints.
* **Tooling**: A demonstration script for this vulnerability has been identified, which allows specifying an attacker-controlled IP/port, user credentials, and a target file path to perform the read 【2】.
gluegate: Memory API proxy via signed mozglue.dll - Detection research PoC: proxy memory operations (memory mapping, local memory allocation) through Mozilla's signed mozglue.dll - sbousseaden

GlueGate is a detection research Proof-of-Concept (PoC) designed to demonstrate a technique for bypassing security monitoring by leveraging trusted, signed software to perform sensitive operations.

The following precis outlines the details of this technique.

### What Happened
The GlueGate research demonstrates a method for an attacker to perform memory operations—specifically memory mapping and local memory allocation—by proxying them through `mozglue.dll`, a legitimate, digitally signed DLL belonging to Mozilla (Firefox). By forcing a trusted module to perform these actions, the attacker attempts to deceive kernel callbacks, which then attribute the memory activity to the signed Mozilla library rather than the malicious or unsigned code actually initiating the operation.

### Who Is Affected
* **Security Teams and Defenders:** Organizations relying on Endpoint Detection and Response (EDR) solutions that depend on call-stack inspection for memory allocation or mapping telemetry.
* **Users/Systems with Firefox Installed:** The PoC requires an existing installation of Firefox on the target system to access the `mozglue.dll` file.

### Security Implications
This technique represents an evasion strategy against behavioral monitoring. Many modern security tools use kernel-level callbacks (such as those provided by Microsoft’s Windows Filtering Platform or ETW-TI) to inspect the call stack of processes requesting memory allocations. If the call stack appears to originate from a reputable, signed vendor, the activity is more likely to be marked as benign or ignored, whereas activity from an unsigned or unknown process would typically trigger an alert. GlueGate attempts to poison this attribution by "cloaking" the malicious process behind the Mozilla signature.

### Technical Details
* **Mechanism:** The PoC utilizes specific `MFBT_API` exports from `mozglue.dll`: `MozVirtualAlloc` and `?MapRemoteViewOfFile`.
* **Operation:** By calling these exported functions, the attacker offloads memory operations to the signed DLL.
* **Telemetry Manipulation:** The primary goal is to ensure that the "final user module" identified by kernel telemetry is reported as being signed and trusted by the Mozilla Corporation, bypassing heuristics that flag unsigned memory modifications.

### What Defenders Should Know
Defenders can adjust their detection logic to identify the use of this proxy technique by monitoring for the following indicators:

* **Suspicious Call Stacks:** Monitor for the presence of `mozglue.dll!MozVirtualAlloc` or `mozglue.dll!?MapRemoteViewOfFile` in the call stack when the calling process is unsigned or not digitally signed by Mozilla.
* **Unusual Process Behavior:** Flag instances where processes that do not normally interact with Firefox or Mozilla software are loading `mozglue.dll`.
* **Context Awareness:** Security solutions should implement "context-aware" memory monitoring that looks deeper than just the immediate module name in the call stack to determine the true origin of an API call.
heavener: This is what happens when you can't afford EDR licenses - Otter

This precis summarizes the capabilities and security context of **heavener**, a modular EDR (Endpoint Detection and Response) emulation engine designed to simulate local security agent behavior on Windows.

### Executive Summary
heavener is an open-source project that allows security researchers and defenders to emulate the detection logic of prominent commercial EDR platforms (SentinelOne, Cortex XDR, CrowdStrike, and Sophos) without running the actual vendor agents. By extracting and running native detection artifacts—such as machine learning models, YARA rules, and behavioral scripts—it enables high-fidelity testing of attack telemetry against "real" detection engines in an offline, controlled environment.

### Who is Affected
* **Security Researchers & Red Teams:** Beneficiaries who need to validate payloads against EDR detection logic without the overhead of deploying full vendor agents.
* **Defenders & Security Operations (SecOps):** Professionals who can use the tool to audit their detection coverage and understand why specific attacks are (or are not) flagged by their installed EDR.
* **EDR Vendors:** While heavener uses reverse-engineered artifacts, it highlights the increasing transparency of local agent logic, potentially impacting vendor "security through obscurity" strategies.

### Technical Architecture
heavener operates through a six-layer architecture designed to mimic the telemetry gathering and analysis process of an EDR:
1. **Kernel Minifilter Driver:** Monitors system-level activities.
2. **ETW Consumers:** Ingests Event Tracing for Windows data.
3. **EventPipeline:** Centralizes and processes captured events.
4. **ProcessModel:** Maintains the state of system processes.
5. **Detection Engines:** Modular components tailored to specific vendors.
6. **Alert Output System:** Reports findings based on the triggered logic.

**Vendor-Specific Approaches:**
* **SentinelOne:** Utilizes Lua-based behavioral scripts and static machine learning.
* **Cortex XDR:** Employs a sophisticated triple-layer analysis involving YARA, static ML, and a CLIPS-based expert system containing nearly 8,000 production rules.
* **CrowdStrike/Sophos:** Focuses on static ML and signature-based scanning, with active development on parsing proprietary channel files.

### Security Implications
* **Detection Transparency:** The tool transforms "black box" EDRs into inspectable systems, allowing defenders to see exactly which rules and event types trigger alerts.
* **Safe Payload Testing:** Enables the iteration of attack chains and detection bypass research offline, significantly reducing the risk of accidental deployment or environment disruption.
* **Limitations:** The tool is limited to **local agent emulation**. It cannot simulate cloud-side components—such as reputation-based lookups, global threat intelligence correlation, or complex cloud-based heuristic analysis—which are critical components of modern EDR efficacy.

### Key Takeaways for Defenders
* **Auditing Coverage:** Use the "Rule Atlas" functionality to audit your environment’s detection surface and identify blind spots in your current EDR deployment.
* **Continuous Testing:** Integrate heavener into CI/CD or security testing workflows to gain immediate, high-fidelity feedback on how new attack techniques would be classified locally.
* **Manage Expectations:** Remember that success in bypassing *heavener* does not guarantee success against the production product, as cloud-based verdicting and external intelligence may still catch the attack in a live environment.
One Bool. Six Shells. AMSI’s Design Problem. - Evariste (bl4ckarch)

The provided summary accurately captures the core technical findings and security implications of the article. To build on this, here is a consolidated breakdown of the critical takeaways for defenders and security professionals.

### Detailed Precis

#### What Happened
The author conducted an analysis of the Windows Anti-Malware Scan Interface (AMSI) and identified six distinct bypass techniques. These techniques allow an attacker to disable or render AMSI ineffective within the memory space of the target process (specifically PowerShell). By exploiting the shared memory space and lack of isolation between the scanner and the application, the author proved that AMSI—when deployed in its current architecture—can be reliably circumvented, allowing malicious code to run undetected even with security products active.

#### Who is Affected
* **Systems:** Any environment running Windows with PowerShell 5.1 (.NET Framework) or PowerShell 7 (CoreCLR).
* **Users:** Organizations relying solely on AMSI for script-based detection or as a primary security boundary for script execution.

#### Security Implications
* **Design Flaw:** The core issue is the lack of a privilege boundary. Because AMSI functions within the same process and runtime as the code it is intended to scan, the "scanner" and the "scanned" share the same access level.
* **Fail-Open Design:** AMSI is designed such that if a scan fails or encounters an error, it defaults to a state of "not detected," allowing execution to continue rather than blocking it. This behavior is actively exploited by the bypasses.
* **Trust Model:** The research establishes that AMSI should be treated as a **detection aid** rather than a hardened security boundary or an immutable policy enforcer.

#### Technical Details
The research identifies two primary interaction paths (Path A and Path B) used by PowerShell to interface with AMSI. The documented bypasses exploit these paths through:
* **Field Manipulation:** Using .NET reflection to toggle internal flags (like `amsiInitFailed`) to true, signaling to the application that AMSI is unavailable or broken.
* **IL Injection:** Using `DynamicMethod` to emit Intermediate Language (IL) opcodes that bypass the `initonly` security constraints introduced in later versions of PowerShell.
* **JIT Heap Patching:** Modifying the JIT-compiled code in memory to force specific functions (like `WinScanContent`) to return a value indicating the content is clean.
* **Structural Tampering:** Directly modifying internal structures like `AMSI_CONTEXT_INTERNAL` to cause failure states that the runtime interprets as successful, clean scans.

#### What Defenders Should Know
Defenders should move away from relying on AMSI as an absolute block and focus on multi-layered visibility:

| Detection / Mitigation Strategy | Why it is Recommended |
| :--- | :--- |
| **Script Block Logging (Event ID 4104)** | Acts independently of the AMSI/ETW chain; logging captures the script content before it reaches the vulnerable scanning interface. |
| **Behavioral Monitoring** | Monitor for the "how" (e.g., heavy use of Reflection, `DynamicMethod`, `Marshal`, or `WriteInt64` in scripts) rather than the "what" (static signatures). |
| **Memory Inspection** | Periodically audit the managed heap for unauthorized modifications to `amsiInitFailed` or `amsiNotifyFailed`. |
| **Integrity Checks** | Verify vtable integrity and function bodies for `InternalScan` and `InternalNotify` to detect unauthorized native patches. |
| **Stronger Hardening** | Implement **Constrained Language Mode (CLM)**, **AppLocker**, or **WDAC** to prevent the execution of the primitives required to perform these bypasses in the first place. |
| **Kernel-Mode Consumers** | Where possible, leverage kernel-mode AMSI consumers or hardware-backed protections like **Hypervisor Protected Code Integrity (HVCI)** to create a more resilient security boundary. |