🛡️ InfoSec Blue Team Briefing

Friday, July 03, 2026

Cyber security developments for Friday the 3rd of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 13 articles to cover. All attribution is by the article authors. All article analysis is automated.

Kaspersky Lab has detailed how the ToddyCat APT group uses a tool called Umbrij to gain unauthorised access to Gmail accounts as part of their espionage operations. The write-up covers the technical operations and includes defensive recommendations.

The US Department of Justice has announced the arrest and extradition of Tyler Robert Buchanan, a 22-year-old UK national allegedly involved with Scattered Spider. He faces federal charges for unauthorised network access, data exfiltration, and cryptocurrency extortion as part of FBI Operation Riptide targeting the group's infrastructure.

JFrog Security has uncovered six malicious npm packages masquerading as Rollup polyfill tools with similarities to Lazarus group tactics. The malware targets JavaScript build pipelines and continuous integration environments, deploying a multi-stage infection chain for remote access and credential theft with sandbox detection capabilities.

NSFOCUS has documented the Miasma worm attack against Microsoft's GitHub repositories on the 5th of June. TeamPCP deployed a self-replicating worm that compromised 73 repositories across Azure and MicrosoftDocs in 105 seconds by exploiting AI-integrated development environments — specifically, the automatic execution of repository configuration files when developers opened contaminated project folders.

Sysdig has identified JADEPUFFER, which they're calling the first documented agentic ransomware campaign where an AI agent autonomously conducted end-to-end extortion. The agent exploited a vulnerability in Langflow instances, then performed reconnaissance, lateral movement, and targeted MySQL and Nacos servers, encrypting configurations with unrecoverable keys.

Security researcher Keanu Nys has released CredSpy, a reconnaissance tool that leverages Microsoft's public GetCredentialType API to enumerate Entra ID user accounts and discover their authentication methods without requiring authentication. It reveals whether accounts exist and which methods they use — passwords, FIDO2, certificates, passwordless — allowing attackers to tailor phishing campaigns accordingly.

Blackpoint Cyber has identified active exploitation of an authentication bypass in SimpleHelp remote management software. Attackers deployed two previously undocumented malware families — TaskWeaver, a Node.js loader, and Djinn Stealer, which targets credentials — impacting managed service providers and their downstream customers.

eSentire has documented exploitation of an improper access control flaw in Fortinet EMS versions 7.4.5 through 7.4.6 to deploy EKZ Stealer malware disguised as a FortiEndpoint patch. The malware harvests credentials from Chromium-based browsers and Firefox, with an observed attack targeting the Energy, Utilities, and Waste sector in May.

Cisco Talos has uncovered ARToken, a phishing-as-a-service platform within the EvilTokens ecosystem targeting Microsoft 365 environments. It abuses OAuth 2.0 Device Authorization Grant to bypass multi-factor authentication, steals Primary Refresh Tokens for persistent access, and includes AI-augmented features for automated email translation and lure generation. Particularly relevant if you're supporting finance, HR, or logistics teams.

ExtraHop has analysed VIPERTUNNEL, a sophisticated Python-based backdoor linked to UNC2165 that is deployed prior to DragonForce ransomware. The malware disguises a Python script as a DLL, employs three layers of obfuscation, and establishes a SOCKS5 proxy tunnel over port 443 for lateral movement whilst operating entirely in memory.

Researchers have released Hollow, an open-source shellcode loader generator that automates creation of Windows PE loaders with encrypted shellcode. It supports six process injection techniques including Classic Remote Thread Injection and Early Bird APC injection, with several templates utilising direct syscall techniques to evade endpoint detection.

Security researchers have demonstrated SpotifyC2, a proof-of-concept framework showing how adversaries can leverage Spotify's oEmbed API and Telegram as covert command and control channels. The technique evades traditional security controls by blending malicious traffic with trusted, high-reputation SaaS domains. One for threat emulation teams and detection engineering.

And finally, Qianxin XLAB has analysed RustDuck, a sophisticated two-stage botnet written in Rust that's been active since February, designed for large-scale distributed denial-of-service attacks. It targets IoT devices, routers, and servers by exploiting vulnerabilities in Android ADB, TVT API, and various router platforms, alongside credential brute-forcing, and features advanced cryptography and anti-analysis mechanisms to evade detection.

That concludes today's briefing.

📰 Articles Covered