Cyber security developments for Monday the 13th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 12 articles to cover. All attribution is by the article authors. All article analysis is automated.
Webamon identified a massive phishing infrastructure spanning over 10,000 domains across 36 IP addresses, all targeting Chinese users with fake K8-branded gambling sites. The operation uses sophisticated technical fingerprinting and rotates detection signatures to evade scanning tools — one for threat intelligence teams tracking large-scale credential harvesting campaigns.
Broadcom have written up GodDamn ransomware, a rebrand of Beast ransomware seen in May 2026. The attack chain deploys a signed malicious kernel driver to terminate security products and remove API hooks, combined with AnyDesk for persistence and a four-day dwell period before encryption. Worth flagging if you're tracking ransomware evolution and bring-your-own-vulnerable-driver techniques.
AmberWolf disclosed a Dell BIOS vulnerability where passwords are protected with weak XOR encryption that can be extracted and recovered from SPI flash memory with physical access. Assigned as CVE-2026-40639, this one matters if your threat model includes physical access scenarios or supply chain tampering.
Zimperium are tracking RedWing, a malware-as-a-service operation targeting Android devices with capabilities for financial data compromise and remote control. The commercialised threat model lowers the barrier for financially motivated actors looking to conduct fraud or surveillance operations on mobile platforms.
Following on from the malicious package stories we've been covering, SafeDep identified another npm backdoor called nodemon-sudo that bypasses traditional supply chain defences by avoiding install scripts entirely. The malware only activates at runtime, fetches second-stage payloads from IPFS gateways, and exfiltrates credentials via dead drop communication. This one's particularly relevant if you're relying on install script detection as your primary defence.
A researcher demonstrated that uncensored local language models can autonomously develop and execute sophisticated malware attacks without human intervention. The system created a modular malware framework and successfully performed reconnaissance and exploitation against a Windows target, which rather dramatically lowers the technical barrier to conducting advanced attacks.
Security researcher Jake Otte discovered that Windows klist can extract Ticket Granting Ticket session keys from other logon sessions using only Administrator privileges, not the higher-level system privilege previously assumed. Attackers can leverage this via remote management tools like WinRM for file-less credential theft by targeting different session IDs — one to flag if you're building detection for Kerberos-based lateral movement.
On the tooling front, a security researcher published NimCrypt, a Nim-based tool for evading Windows Defender and endpoint detection through indirect syscalls and memory evasion techniques. It's designed specifically for delivering Sliver beacons, which adds useful context if you're building detection coverage for modern offensive frameworks.
Also on tooling, a researcher released klist2ccache, which converts Windows Kerberos tickets into Linux ccache format for use with tools like Impacket. The utility facilitates cross-platform pass-the-ticket attacks and explicitly fails when Credential Guard is enabled, since session keys can't be extracted from the protected enclave.
A researcher published ida_rpc, an IDA Pro plugin that exposes reverse engineering functions via Unix socket for integration with external tools including language model agents and automation pipelines. The tool provides JSON-based access to decompilation, disassembly, and database manipulation, which is particularly relevant if you're exploring agent-based workflows for malware analysis.
Researchers evaluated large language models for automating network intrusion detection rule creation and found what they're calling a syntax-semantics paradox. The models produce syntactically correct Snort rules that are semantically flawed with high false-positive rates, requiring human validation before production use — useful background if you're assessing automation claims in security tooling.
And finally, Corgea released Sighthound, an open-source static analysis tool written in Rust. It's designed for integration into development workflows to identify security vulnerabilities before deployment, adding another option to the growing ecosystem of developer-focused security tooling.
That concludes today's briefing.