đŸ›Ąïž InfoSec Blue Team Briefing

Monday, July 06, 2026

🎧 Audio Briefing

Download MP3

Cyber security developments for Monday the 6th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 21 articles to cover. All attribution is by the article authors. All article analysis is automated.

GreyNoise reports that CitrixBleed 2 exploitation began on June 23rd, a full two weeks before the public proof-of-concept was released. Targeting appears focused rather than mass scanning, with traffic originating from IP addresses geolocated in China, and the vulnerability has now been added to CISA's Known Exploited catalogue.

Kaspersky describe The Gentlemen, a ransomware-as-a-service operation that emerged earlier this year and has already broken into the top ten, targeting manufacturing, healthcare, and financial services across Brazil, China, Indonesia, Taiwan, and Thailand. The group deploys both Go-based and C-based ransomware variants using bring-your-own-driver techniques and exploits VPN and firewall appliances for initial access.

Expel published analysis of a zero-day exploit used by The Gentlemen in April this year, which relied on a vulnerable Kontron driver to disable multiple EDR solutions including Windows Defender, ESET, Palo Alto Cortex, and SentinelOne. The attack chains kernel-mode operations and bypasses modern mitigations by manipulating physical memory and hijacking kernel function pointers before deploying ransomware.

Staying with The Gentlemen briefly, Sigreturn Labs published details of a cryptographic flaw in Rhysida ransomware that allowed them to break the encryption entirely. The vulnerability stems from predictable random number generation seeded by system timestamps, and a decryption tool has been developed that works across sixteen versions of the ransomware, which has been active since May 2023.

Arctic Wolf have written up attacks by the Anubis ransomware operation, which targets high-value infrastructure through CitrixBleed 2 and stolen VPN credentials. The group uses legitimate remote management tools like ScreenConnect and Zoho Assist alongside cloudflared tunnels to evade detection whilst exfiltrating data before encryption.

Kaspersky have identified a previously unknown APT group they're calling Armored Likho, also known as Eagle Werewolf, which is conducting targeted phishing campaigns against government agencies and electric power sectors in Russia, Kazakhstan, and Brazil. The group deploys BusySnake, a new Python-based infostealer with AI-generated loaders, featuring credential theft, remote command execution, and reverse SSH tunneling with persistence via scheduled tasks.

S2 Grupo published a profile of Russian military unit 67606, the 127th Separate Reconnaissance Brigade, which is a combat-focused unit with organic psychological operations capabilities for the Black Sea Fleet. The unit employs drones and GSM-based electronic warfare tools to conduct traffic interception, communications jamming, and mass SMS delivery for information operations in the Black Sea theatre.

WatchGuard disclosed a critical race condition in Fireware OS that allows remote, unauthenticated attackers to execute arbitrary code via the LDAP authentication mechanism in Mobile VPN with IKEv2. The use-after-free flaw carries a severity score of 9.2 and affects multiple OS versions, with patches now available for most devices though T15 and T35 models running version 12.5 remain unresolved.

A researcher disclosed a high-severity stored cross-site scripting vulnerability in NEX-Forms Express WP Form Builder affecting versions up to 9.1.10. The flaw allows remote attackers to inject malicious JavaScript through public form submissions that executes in administrator contexts when viewing entries, due to insufficient input sanitisation on AJAX endpoints.

A researcher has written up Bad Epoll, a critical use-after-free vulnerability in the Linux kernel's epoll subsystem affecting version 6.4 and newer. The race condition enables highly reliable local privilege escalation to root with 99 percent exploit reliability, and is particularly significant for Android devices and Chrome sandbox escapes, though it was patched in April.

Malwarebytes report on a campaign distributing multiple malware families including HijackLoader, StealC, Remus, and Amatera Stealer through fake Google and Cloudflare verification pages. Victims are tricked into copying and executing malicious PowerShell commands that deploy sophisticated loaders using bring-your-own-driver techniques, with the campaign leveraging compromised websites and Cloudflare Pages infrastructure for payload delivery.

K7 Labs describe a Business Email Compromise campaign that impersonates senior executives to deliver malicious archives containing DLL sideloading payloads. The malware establishes persistence and specifically targets active WhatsApp Web sessions in Chromium-based browsers to facilitate session hijacking and organisational compromise.

Jamf published analysis of PamStealer, a macOS infostealer targeting Apple silicon systems by masquerading as the legitimate Maccy clipboard manager application. The malware uses AppleScript and JXA to steal credentials, browser data, wallet extensions, and clipboard content whilst establishing persistence via C2 infrastructure including Ethereum endpoints, and notably excludes users from Russia, Belarus, and Kazakhstan.

Brian Krebs reports that the FBI and IRS Criminal Investigation have seized the NetNut residential proxy service and dismantled the Popa botnet, which compromised at least two million IoT devices including Android TV boxes and smart televisions. The infrastructure was used by cybercriminals and state-sponsored groups for credential stuffing, account takeovers, advertising fraud, and DDoS attacks by routing malicious traffic through residential IP addresses.

Alex Teixeira highlights a critical blind spot where attackers compromise Microsoft Sentinel infrastructure itself to evade detection before executing broader attacks. The article provides detection engineering guidance using Sentinel's internal telemetry sources and KQL functions to monitor for tampering with detection rules, connectors, and workspace configurations, which is particularly relevant if you're running Sentinel as your primary logging platform.

Praetorian developed Knossos, an automated procedural engine that generates realistic decoy cloud infrastructure environments designed to mirror production systems. These fake environments serve as deception technology to confuse and detect threat actors by creating convincing but non-production targets.

The National Cyber Security Centre consulted professional penetration testers to identify defensive measures that significantly impede attackers targeting Critical National Infrastructure and Operational Technology environments. Key recommendations include secure-by-design principles, rigorous network segmentation between IT and OT systems, implementing clear zones of trust, and deploying Privileged Access Workstations to prevent lateral movement.

Bishop Fox researchers developed an AI-assisted pipeline to fingerprint internet-exposed software using favicon files and hash functions. This passive reconnaissance technique enables large-scale enumeration of software installations and infrastructure attribution without triggering traditional security alerts, allowing attackers and defenders alike to map global technology stacks by analysing static assets.

Security researchers released OpenUDC2, an open-source implementation of Cobalt Strike's User Defined Channel 2 protocol, enabling non-commercial C2 frameworks to use UDC2 modules. The proof-of-concept includes a modified beacon agent and listener but lacks strong encryption, and is intended for penetration testing and security research.

And finally, a researcher published tf-mythic-azure, which provides Terraform templates that automate the deployment of Mythic C2 infrastructure within Microsoft Azure environments. The tool enables red team operators to rapidly stand up multiple Mythic server instances with Azure CDN redirectors using Infrastructure as Code principles, which represents an evolution in adversary infrastructure deployment automation that defenders will need to monitor for in cloud environments.

That concludes today's briefing.

📰 Articles Covered