🛡️ InfoSec Blue Team Briefing

Tuesday, July 07, 2026

🎧 Audio Briefing

Download MP3

Cyber security developments for Tuesday the 7th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 17 articles to cover. All attribution is by the article authors. All article analysis is automated.

Kim Zetter reports on the arrest of an Iranian-Turkish national in Montenegro at the FBI's request. The campaign he's accused of running compromised over 150 US universities and 176 institutions across 24 countries, exfiltrating 31 terabytes of intellectual property. It's being described as a strategic shift by Iran from disruptive operations toward sustained economic espionage.

Trend Micro have written up TONResolver RAT, which targets Japanese hotels using fake guest complaint emails. The interesting bit here is that it uses the TON blockchain as a dead drop resolver for command and control infrastructure, which is a fairly novel evasion approach.

A researcher tested whether GitHub Actions workflows using federated authentication could be exploited through malicious fork pull requests to obtain cloud credentials. The short answer is no — GitHub doesn't expose those tokens to untrusted workflows, and Azure's subject matching provides additional protection. One for anyone evaluating federated auth versus static secrets.

Three local privilege escalation vulnerabilities have been disclosed in a driver bundled with Little Orbit games. The flaws include a NULL pointer dereference, improper access control, and arbitrary kernel memory write capabilities, which can be chained to escalate to SYSTEM level.

Researchers from AsiaCCS 2026 have identified critical vulnerabilities in attested TLS protocols used in Confidential Computing environments. The core issue is an identity crisis where protocols fail to correctly bind enclave identity to TLS sessions, affecting Intel TDX, Arm CCA, and other trusted execution environments. The Confidential Computing Consortium and TLS working group have both acknowledged the findings.

Synaptic Systems detail a multi-stage infection chain from North Korean APT group Kimsuky using compiled HTML Help files to deliver malicious payloads. The campaign targeted Korean-speaking individuals interested in North Korean affairs and used living-off-the-land techniques with server-side gating to evade sandbox detection.

Practical Security Analytics have published an improved version of the RpcGhosting AMSI bypass technique. The refinement uses selective trampolining to hook a specific function in rpcrt4, suppressing only AMSI-originated RPC calls while allowing legitimate system calls through. That makes it more reliable than the original broad-spectrum approach, which had stability issues.

SVA System Vertrieb Alexander describe a sophisticated attack chain that escalates from on-premises Active Directory to Microsoft Entra ID through man-in-the-middle attacks on HTTPS traffic. Attackers exploit certificate services misconfigurations to obtain trusted TLS certificates, manipulate DNS, and intercept authentication flows to capture session cookies and credentials for cloud access.

Synacktiv have developed advanced techniques for exploiting Resource-Based Constrained Delegation to achieve cross-domain and cross-forest privilege escalation. The research extends Impacket tooling to perform recursive Kerberos delegation attacks, enabling attackers to impersonate users across trust boundaries, including so-called SPN-less RBCD attacks that bypass traditional requirements.

Safedep report on the Marketfront campaign, which is a dependency confusion supply-chain attack exploiting npm package resolution. Attackers registered malicious scoped packages on the public registry that mimic internal corporate naming conventions. The packages execute post-install scripts that exfiltrate credentials and environment variables via obfuscated, gzip-compressed HTTPS requests.

Researchers have discovered a sophisticated Linux backdoor targeting iKuai routers popular in China. The malware masquerades as a legitimate OpenWrt library, establishes persistence, and provides full remote access capabilities including payload execution, file exfiltration, and shell command execution.

NebulaPulsar is an open-source proof-of-concept in-memory implant framework supporting Java and .NET webshells. Originally developed as part of the Alien project for security research, it demonstrates advanced techniques including memory-resident execution, AES-encrypted communications, and dynamic payload loading. One for defenders looking to understand modern webshell tradecraft.

A Beacon Object File for Cobalt Strike has been released that extracts geographic location data from compromised Windows systems. The tool operates in-memory to avoid spawning external processes but requires registry modifications and service interactions that are detectable. Defenders should monitor for unauthorised changes to location-related registry paths and forced starting of the location service.

Russell Allen covers advanced sleep obfuscation techniques used in C2 frameworks like Cobalt Strike. Methods including FOLIAGE and Ekko encrypt shellcode and manipulate memory permissions to evade traditional memory scanning tools, rendering signature-based detection and basic heuristic analysis ineffective by hiding malicious implants during their dormant states.

A bare-metal utility has been released that performs cold boot attacks by directly dumping physical RAM to disk. The tool boots from USB in Legacy BIOS mode, uses unreal mode to access physical memory, and writes RAM contents in chunks to extract sensitive data like encryption keys from frozen memory modules.

NOX is a modular Go-based framework featuring over 300 built-in modules for attack surface management, reconnaissance, and vulnerability scanning. The tool automates stages of the reconnaissance and exploitation lifecycle, including subdomain enumeration, vulnerability detection, and cloud misconfiguration assessment. It's designed for authorised security assessments and leaves network footprints in logs when performing active scanning.

And finally, T3MP3ST is an open-source multi-agent framework that automates offensive security operations through an eight-operator kill chain. It transforms AI coding agents into automated vulnerability hunters, targeting web applications, CTF challenges, DeFi smart contracts, and embedded systems, with scope containment and egress controls to prevent unauthorised lateral movement.

That concludes today's briefing.

📰 Articles Covered