Cyber security developments for Tuesday the 30th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 13 articles to cover. All attribution is by the article authors. All article analysis is automated.
Research into over a thousand insider threat cases reveals some patterns worth noting. The analysis found that 87% of malicious insiders were full-time employees, a quarter of them executives, and over 20% had recently been promoted high performers. Resignation-based monitoring turns out to be fairly ineffective, with malicious activity typically running for about 228 days before detection.
Seqrite have written up Operation DragonReturn, a China-nexus campaign targeting India's government financial infrastructure and tax systems. The attackers are using spear-phishing emails that impersonate the Income Tax Department to deploy DcRAT through a multi-stage chain involving fileless execution, steganography, and bypass techniques. One for those tracking activity around financial sector infrastructure in the region.
Censys have published an overview of the AsyncRAT family, which has spawned around 40 named variants since the original was released in 2019. As of this month, over a dozen variants are still maintaining active command and control infrastructure globally, and many inherit certificate structures from their parent forks, which creates fairly persistent technical fingerprints. Useful reference if you're tracking remote access trojans in the wild.
A write-up on adversary techniques in Proxmox virtualisation environments. Attackers are leveraging native Linux utilities and built-in management tools like pvesh and qm to evade detection, and exploiting unauthenticated API endpoints for enumeration. The piece flags a particular risk: organisations relying only on application-level logs rather than host-level telemetry can develop significant blind spots when adversaries manipulate firewall configs to lock out responders.
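As an added illustration of the host-level telemetry the write-up argues for (this is example code, not the article's or Proxmox's own tooling), the following scans auditd EXECVE records for built-in management CLIs and for changes to firewall configuration; the log lines and the tool/path lists are constructed assumptions for the example.

```python
import re
from posixpath import basename

# Assumed watchlist: Proxmox CLIs and the firewall config tree an intruder might touch.
MGMT_TOOLS = {"pvesh", "qm", "pct"}
FW_CONFIG_DIR = "/etc/pve/firewall/"

# Constructed auditd EXECVE records standing in for host-level process telemetry.
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1782800001.101:201): argc=3 a0="qm" a1="list" a2="--full"
type=EXECVE msg=audit(1782800002.102:202): argc=3 a0="pvesh" a1="get" a2="/cluster/resources"
type=EXECVE msg=audit(1782800003.103:203): argc=2 a0="/usr/bin/pve-firewall" a1="stop"
type=EXECVE msg=audit(1782800004.104:204): argc=4 a0="sed" a1="-i" a2="s/enable:1/enable:0/" a3="/etc/pve/firewall/cluster.fw"
type=EXECVE msg=audit(1782800005.105:205): argc=2 a0="ls" a1="/var/log"
"""

EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\)")
ARG_RE = re.compile(r'a(\d+)="([^"]*)"')

def parse_execve(line):
    """Return (event_id, argv) for an auditd EXECVE record, or None for other record types."""
    if not line.startswith("type=EXECVE"):
        return None
    m = EVENT_RE.search(line)
    if not m:
        return None
    args = sorted(((int(i), v) for i, v in ARG_RE.findall(line)), key=lambda x: x[0])
    return int(m.group("id")), [v for _, v in args]

def classify(argv):
    """Label an argv by the risk it represents, most severe rule first; None if uninteresting."""
    if not argv:
        return None
    tool = basename(argv[0])
    if tool == "pve-firewall" and "stop" in argv[1:]:
        return "firewall-disabled"          # responders may be locked out next
    if any(a.startswith(FW_CONFIG_DIR) for a in argv[1:]):
        return "firewall-config-touched"    # direct edit bypasses the API audit trail
    if tool in MGMT_TOOLS:
        return "mgmt-tool-used"             # enumeration via native tools
    return None

def scan_audit(text):
    """Return (event_id, label, command line) for every flagged EXECVE record."""
    findings = []
    for line in text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, argv = parsed
        label = classify(argv)
        if label:
            findings.append((event_id, label, " ".join(argv)))
    return findings
```

Real auditd hex-encodes arguments containing spaces, so a production version needs that decoding step; a rule like this belongs alongside, not instead of, the application-level logs.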
GitHub have introduced workflow execution protections in public preview, allowing admins to centrally control who can trigger Actions workflows and which events can start them. This addresses Poisoned Pipeline Execution attacks, where someone with write access could modify workflow files to run malicious code. The security rules are now evaluated before the workflow executes rather than during.
Microsoft have disrupted the StegoAd campaign by pulling 119 malicious browser extensions from the Edge Add-ons store, affecting 2.6 million users. The threat actor hid payloads inside image files using steganography and employed a five-stage attack chain with deferred execution, which let them evade detection for years. Primary objectives appear to have been ad fraud monetisation and credential theft.
Following on from the supply chain stories we've covered recently, Fortinet have detailed how the Shai Hulud campaign by TeamPCP targets pipelines in Jenkins and GitHub Actions using poisoned build dependencies. Attackers steal runner credentials to pivot into AWS production environments, culminating in a May breach involving privilege escalation and Redshift data exfiltration. Worth flagging if you're responsible for pipeline security.
ManageEngine have disclosed a critical account takeover vulnerability, CVE-2026-11374, affecting multiple products when integrated with their AD360 platform. The flaw allows unauthenticated attackers to predict single sign-on tickets due to insufficient entropy, enabling session hijacking and full account takeover. Patches are available for all affected versions of ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus.
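To show what "insufficient entropy" looks like when auditing session or SSO tickets, here is an added example (not ManageEngine's code, and not the actual flaw) that estimates the empirical entropy of a token sample and flags duplicates; the sequential weak_ticket generator is a constructed stand-in for a predictable scheme.

```python
import math
import secrets
from collections import Counter

def shannon_bits(tokens):
    """Sum of per-position Shannon entropy (bits) over equal-length tokens.
    Empirical estimate only: it cannot exceed log2(len(tokens)) per position."""
    n = len(tokens)
    if n == 0:
        return 0.0
    width = len(tokens[0])
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total

def duplicate_rate(tokens):
    """Fraction of tokens repeating an earlier one; any repeat in a modest sample is a red flag."""
    return 1 - len(set(tokens)) / len(tokens) if tokens else 0.0

def weak_ticket(counter):
    """Constructed predictable ticket: a zero-padded sequence number (assumption for the example)."""
    return f"{counter:08d}"

def strong_ticket():
    """Ticket drawn from the OS CSPRNG: 256 bits of entropy, URL-safe encoded."""
    return secrets.token_urlsafe(32)

def audit(tokens, min_bits=128):
    """Pass only if the sample shows no duplicates and at least min_bits of estimated entropy."""
    bits = shannon_bits(tokens)
    dupes = duplicate_rate(tokens)
    return {"bits": round(bits, 2), "dupes": dupes, "ok": dupes == 0 and bits >= min_bits}
```

Because the per-position estimate is capped by the sample size, a sample of a few thousand tickets can confirm a weak generator but only bounds a strong one from below.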
And another exploit in the wild. PTC have disclosed CVE-2026-12569, a critical remote code execution vulnerability in Windchill and FlexPLM software that's been actively exploited since mid-June. Attackers are deploying webshells to the application's login directory to execute arbitrary code and potentially exfiltrate sensitive data. Patches are out for versions 11.0 through 13.1.1.
Researchers have released CrystalSliver, which ports the Crystal Palace evasion framework from Cobalt Strike to the Sliver C2 platform. The kit uses AES-256 encryption, in-memory obfuscation, sleep masking, and call stack spoofing to evade endpoint detection on Windows 64-bit systems. One for red teamers looking at Sliver tooling.
Researchers have released KHAØS, a new post-exploitation C2 framework that routes agent traffic through trusted cloud services like Microsoft Teams and GitHub. It employs indirect syscalls, NTDLL unhooking, hardware breakpoints to bypass security controls, and polymorphic compilation to evade signatures. The framework supports credential theft, lateral movement, and persistence mechanisms, and is intended for authorised red team operations.
SpecterOps have demonstrated a novel malware analysis approach that integrates AI with Time Travel Debugging technology. The methodology uses tooling to query actual program execution history, allowing the AI to work from factual runtime data rather than static code analysis. This appears to significantly improve analysis of obfuscated malware, which is notable given how much effort goes into reversing heavily packed samples.
And finally, a methodology piece on applying large language models to offensive security research through structured orchestration layers. The approach moves from ad-hoc prompting to multi-stage pipelines that automate vulnerability discovery, code analysis, and exploit generation with improved reliability and validation. Adds useful context to the conversation around AI in security tooling.
That concludes today's briefing.