🛡️ InfoSec Blue Team Briefing

Thursday, July 09, 2026

🎧 Audio Briefing

Download MP3

Cyber security developments for Thursday the 9th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 10 articles to cover. All attribution is by the article authors. All article analysis is automated.

Taiwan's Investigation Bureau disrupted a Chinese state-backed social engineering campaign where threat actors compromised LINE accounts and used a domestic company to impersonate international journalists. The attackers targeted Taiwanese political and academic figures, delivering fake encrypted communication tools that were actually malware designed to exfiltrate sensitive information.

Check Point Research have identified Cavern Manticore, an Iran-linked threat actor targeting Israeli government and IT organisations with a sophisticated modular framework called Cavern. It's built on .NET with multi-layered compilation strategies designed for evasion and long-term persistence — one for those tracking Middle Eastern espionage operations.

Spain's National Police arrested a suspected collaborator of the pro-Russian hacktivist groups CyberArmy of Russia Reborn and Z-Pentest, though the original source doesn't provide much detail beyond the arrest itself.

Cisco Systems report that a China-nexus actor active since 2025 is building proxy networks by compromising edge devices and routers through known vulnerabilities. The group deploys modular backdoors to create infrastructure that's then leased to other threat actors for obfuscated attacks — essentially turning compromised SOHO kit into a criminal service provider.

And Proofpoint have tracked a China-aligned cluster targeting physics and engineering departments at US and Canadian universities since May. The attackers exploit vulnerabilities in Roundcube mail servers to deploy credential harvesters and then install webshells or backdoors for espionage — which is particularly relevant if you run academic research infrastructure.

AlloySecureGroup have released PhantomFS, a Windows honeypot that uses the Projected File System to create virtual decoy files — credentials, SSH keys, financials — that only materialise when accessed. When someone touches them, the system fires instant alerts via Event Log and captures forensic data including process details, which is a useful addition to the deception toolkit.

Semperis have written up how attackers exploit legitimate Windows privileges to escalate from low-privileged accounts to full system control, enabling Active Directory compromise. These techniques abuse intended features rather than vulnerabilities, which means patching won't help — particularly risky in shared environments like RDP servers and jump hosts.

Mandiant detail how attackers can recover Active Directory Federation Services signing keys using Machine DPAPI, enabling Golden SAML attacks that allow forging authentication tokens for federated environments. The technique exploits configuration drift between ADFS servers and domain controllers to extract keys that grant persistent access to cloud services — one to flag if you run federated identity.

Researchers have fully reverse engineered Windows GDID, the Global Device Identifier, correcting misconceptions from a 2026 federal complaint. Turns out it's a server-assigned identifier stored in the registry, not a hardware-based hash, generated during Microsoft Account provisioning — useful context if you're looking at Windows privacy mechanisms.

And finally, a PowerShell utility that disables Windows Global Device Identifier tracking and telemetry by stopping Connected Devices Platform services, blocking Microsoft domains via hosts file manipulation, and modifying registry keys. Targets Windows 10 and 11 systems to reduce data collection around cross-device sync and activity history.

That concludes today's briefing.

📰 Articles Covered