Cyber security developments for Wednesday the 1st of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 12 articles to cover. All attribution is by the article authors. All article analysis is automated.
Acronis report a campaign by Mustang Panda targeting Indian government and energy sectors throughout June using lures focused on India-Taiwan relations. The attackers deployed multiple custom malware families and abused Zoho WorkDrive's API for command and control to blend in with legitimate cloud traffic.
SOCRadar attribute the FortiBleed campaign to the Lynx ransomware group. It is an automated credential harvesting operation that has been running since February: the attackers use credentials from breach dumps to log in to Fortinet firewalls and VPN appliances, then turn the devices themselves into listening posts that scrape further credentials from the traffic they handle. Over 86,000 devices across 194 countries are reported compromised.
The DFIR Report detail a ransomware intrusion that started with poisoned Bing search results delivering BumbleBee malware. From there, the attackers deployed AdaptixC2, moved laterally, exfiltrated data, and eventually deployed Akira ransomware: a fairly textbook chain from search result to encryption.
JFrog discovered attackers hijacking legitimate npm and Go packages to deploy credential and cryptocurrency stealers. Notably, the malware abuses VS Code's automatic task feature: a malicious task file in the repository executes as soon as you open the folder, with no install hook required. It also uses blockchain networks as dead drops to fetch encrypted payloads.
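The folder-open trigger is easy to check for before you open an untrusted checkout. The script below is an added example for this briefing, not code from the JFrog write-up or from either package ecosystem: it walks a directory tree, parses each .vscode/tasks.json (which is JSONC, so comments and trailing commas have to be stripped first) and reports every task whose runOptions.runOn is "folderOpen", along with the command it would run. The tasks.json it scans is constructed inline for the demo; the task labels, command and script path in it are invented.

```python
"""Flag VS Code tasks that run automatically when a folder is opened.

Added example for this briefing; not code from JFrog or from VS Code.
tasks.json is JSONC, so comments and trailing commas are removed before
json.loads. The SAMPLE_TASKS_JSON document below is constructed.
"""
import json
import re
import tempfile
from pathlib import Path


def _drop_outside_strings(pattern: str, text: str) -> str:
    """Delete matches of `pattern` that fall outside JSON string literals."""
    tok = re.compile(r'"(?:\\.|[^"\\])*"|' + pattern, re.S)
    return tok.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def strip_jsonc(text: str) -> str:
    """Turn a JSONC document into strict JSON: drop // and /* */ comments, then trailing commas."""
    text = _drop_outside_strings(r"//[^\n]*|/\*.*?\*/", text)
    return _drop_outside_strings(r",(?=\s*[}\]])", text)


def folder_open_tasks(tasks_json: str) -> list[dict]:
    """Return the tasks in a tasks.json document that auto-run on folder open."""
    doc = json.loads(strip_jsonc(tasks_json))
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({
                "label": task.get("label", "<unnamed>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return hits


def scan_tree(root: str) -> dict[str, list[dict]]:
    """Map each .vscode/tasks.json under root to its folderOpen tasks.

    A file that fails to parse is still reported so it gets a manual look."""
    findings = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        try:
            hits = folder_open_tasks(path.read_text(encoding="utf-8-sig"))
        except (json.JSONDecodeError, OSError) as exc:
            hits = [{"error": str(exc)}]
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: the first task is innocuous, the second auto-runs on folder open.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample for the demo; names and paths are invented
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "Setup",
      "type": "shell",
      "command": "node",
      "args": ["./.vscode/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" } /* keeps the terminal hidden */
    },
  ]
}'''


def demo() -> dict[str, list[dict]]:
    """Write the constructed sample into a temporary repo and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode_dir = Path(tmp, "repo", ".vscode")
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, tasks in demo().items():
        print(path)
        for task in tasks:
            print("   ", task)
```

Run it against a checkout directory before opening that directory in the editor. VS Code only honours folderOpen tasks in a trusted workspace, so keeping unfamiliar repositories in Restricted Mode until they have been reviewed is the complementary control.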
DARKNAVY researchers found critical flaws in Android's biometric authentication architecture that allow authentication tokens to be forged and PIN requirements to be bypassed. The attack was validated on eight devices from seven manufacturers and enables offline PIN brute-forcing plus decryption of protected credentials, including in the before-first-unlock state on six of those devices.
Two local privilege escalation vulnerabilities in Linux kernel page-cache management allow unprivileged users to gain root by corrupting setuid binaries in memory without touching disk. A defensive containment kit from researchers provides hardening guidance, including namespace restrictions and module blacklisting, though patching remains the only definitive fix: fixes are in kernel 6.12.91 and later, 7.0.10 and later, and mainline 7.1.
On a similar note, researchers documented a Linux kernel privilege escalation in IPv6 fragmentation handling affecting CentOS and Red Hat Enterprise Linux 10. The exploit chain enables reliable container escape via use-after-free and arbitrary kernel memory access, defeating address randomisation and SELinux to achieve root on the host.
NetSPI researchers Karl Fosaaen and Thomas Elling analysed privilege escalation paths in Microsoft Azure, showing how attackers can chain seemingly benign permissions to gain administrative control. The research focuses on the complexity of Azure's role-based access control, on managed identities, and on compute services as the means of escalating from limited initial access.
Maxim Suhanov points out that Microsoft updated Windows Mark-of-the-Web logic back in 2022 to check parent containers when extracted files lack zone identifiers, but third-party tools like 7-Zip and WinRAR never implemented this. The result is a bypass vector where malicious files from disk images evade the security warnings that would otherwise flag them as untrusted.
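To make the gap concrete, here is a small model of the inheritance rule, added for this briefing and not code from Suhanov's post, Microsoft, 7-Zip or WinRAR. It parses the INI-style text that Windows stores in a file's Zone.Identifier alternate data stream and compares two policies for a file extracted from a container such as an ISO: the 2022 Windows behaviour, which falls back to the container's zone when the extracted file carries no stream of its own, and a legacy extractor that neither writes the stream nor consults the parent. The stream contents and URLs are constructed; the treatment of a missing stream as Local Machine and of zones 3 and 4 as warning-worthy is the simplified rule this model assumes.

```python
"""Model Mark-of-the-Web inheritance from a container to an extracted file.

Added example; not code from Maxim Suhanov, Microsoft, 7-Zip or WinRAR.
The Zone.Identifier stream is an INI-style [ZoneTransfer] section; the
stream bodies below are constructed rather than read from disk.
"""
import configparser
from typing import Optional

# URLMON security zone identifiers as stored in ZoneId=
URLZONE_LOCAL_MACHINE, URLZONE_INTRANET, URLZONE_TRUSTED, URLZONE_INTERNET, URLZONE_UNTRUSTED = range(5)


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent or unparseable."""
    if not stream:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream.replace("\r\n", "\n"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def effective_zone(file_stream: Optional[str], container_stream: Optional[str],
                   inherit_from_container: bool) -> int:
    """Zone a consumer assigns to an extracted file.

    inherit_from_container=True models the 2022 Windows logic (check the
    parent container when the file has no stream); False models a
    third-party extractor that leaves the file unmarked. A file with no
    zone anywhere is treated as Local Machine, i.e. trusted (assumption)."""
    zone = parse_zone_identifier(file_stream)
    if zone is None and inherit_from_container:
        zone = parse_zone_identifier(container_stream)
    return URLZONE_LOCAL_MACHINE if zone is None else zone


def warns_before_run(zone: int) -> bool:
    """Simplified rule: Internet and Restricted zones trigger MOTW warnings."""
    return zone >= URLZONE_INTERNET


# Constructed stream as a browser would write it on a downloaded disk image.
ISO_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/lure.iso\r\n"
)


def compare_policies() -> dict[str, bool]:
    """Does a file extracted from ISO_STREAM's container get a warning under each policy?"""
    # The extracted file itself carries no Zone.Identifier stream.
    return {
        "windows_2022_inherits": warns_before_run(effective_zone(None, ISO_STREAM, True)),
        "legacy_extractor": warns_before_run(effective_zone(None, ISO_STREAM, False)),
    }


if __name__ == "__main__":
    for policy, warns in compare_policies().items():
        print(f"{policy}: {'warning shown' if warns else 'no warning'}")
```

The practical check is the same on a real system: after extracting from a downloaded archive or image with a third-party tool, confirm whether the output files actually carry a Zone.Identifier stream, because a consumer that does not look at the parent will treat an unmarked file as local.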
Practical Security Analytics enhanced ShadowDumper, a tool for taking in-memory dumps of the Windows credential store without writing them to disk, designed to evade endpoint detection. The improved version uses direct system call resolution, memory-resident operations, and custom encryption to extract credentials without leaving forensic artifacts on disk.
Kernullist examine how hypervisor memory translation mechanisms can be exploited to create split views, where different observers see different memory contents at the same address. The technique was originally used in game cheats to evade anti-cheat systems, but it has broader implications for stealth malware that wants to hide its modifications at the hypervisor level.
And finally, Nextron detail a kernel-mode backdoor discovered in June that carries a legitimate Windows Hardware Quality Labs signature associated with a Shenzhen security firm. The malware operates in kernel space, using the Windows Filtering Platform to watch network traffic for magic byte sequences, and communicates without any traditional user-mode component. Depending on your perspective, that is either impressive tradecraft or a concerning supply chain issue.
That concludes today's briefing.