πŸ›‘οΈ InfoSec Blue Team Briefing

Thursday, July 16, 2026

🎧 Audio Briefing

Download MP3

Cyber security developments for Thursday the 16th of July 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 15 articles to cover. All attribution is by the article authors. All article analysis is automated.

Following on from yesterday's story about a Russian national pleading not guilty, the FBI has arrested Denis Obrezko, a member of the Void Blizzard group. Hunt.io's analysis links him to Russia's Ministry of Emergency Situations and Yutek-NN, a firm with FSB surveillance licenses that appears to operate as a front organisation. The group has been running spear-phishing campaigns against NATO members and Ukraine since at least April last year.

The US Attorney's Office for the Northern District of Ohio has indicted three Russian nationals who ran Media Land LLC and ML.Cloud from St Petersburg. They provided bulletproof hosting services that enabled cybercrimes causing over sixty-two million dollars in losses to victims.

Hunt Intelligence reports that China-linked operators have breached government systems in Afghanistan, Thailand, and Taiwan, along with financial organisations across Europe, Australia, and Asia. Notably, the attackers integrated large language models β€” Claude Code and DeepSeek β€” directly into their operations for reconnaissance, exploit development, and tactical decision-making, using Hong Kong-based infrastructure.

JPCERT reports that APT-C-60 continues targeting Japanese organisations with SpyGlace malware, now up to version 3.1.18. They're using spear-phishing with malicious LNK files and abusing legitimate platforms like GitHub, GitLab, and Proton Drive for command-and-control to evade network detection.

Ukraine's CERT-UA handled three thousand three hundred and nine cyber incidents in the first half of this year, up nearly ten percent on the same period last year. Local government bodies were disproportionately targeted, and threat actors have been impersonating CERT-UA itself to distribute malware including the AGEWHEEZE remote access trojan.

Arctic Wolf has uncovered a financially motivated campaign using two hundred and ninety-two fake GitHub repositories to distribute an info-stealer. The operation has been running since June 2024, impersonating security vendors, cryptocurrency tools, gaming software, and productivity apps, using DLL side-loading to steal credentials and cryptocurrency wallets. Command-and-control is hosted on a Russian IP.

DomainTools reports on a decentralised pro-Iran hacktivist ecosystem that activates during geopolitical crises. The actors use high-volume DDoS, website defacements, and hack-and-leak operations coordinated via Telegram, targeting government, telecoms, finance, and healthcare sectors. Notably, they went after Canonical's Ubuntu infrastructure in May this year.

The BBC reports that the UK government has released an updated national resilience strategy covering ninety-five distinct risks. Cyber-attacks on water infrastructure and digital resilience failures are now elevated concerns, and the initiative includes a public awareness campaign, large-scale defensive drills, and classified crisis response plans for hybrid threats.

ESET researchers have identified eleven obsolete Microsoft-signed UEFI shim applications containing known vulnerabilities that allow attackers to bypass Secure Boot protections. The forgotten binaries enable bootkit deployment if an attacker has sufficient privileges. Microsoft revoked them in the June Patch Tuesday, addressing issues including one tracked as CVE-2026-10797.

A researcher has disclosed an elevation of privilege vulnerability in the Windows User Profile Service that allows arbitrary registry hive loading. The proof-of-concept works on all currently supported Windows versions, including those with July patches, enabling attackers to mount target users' registry hives into their own session.

SonicWall has disclosed two critical vulnerabilities in SMA1000 series appliances that are being actively exploited. The first is an unauthenticated server-side request forgery with a CVSS score of ten, the second is a post-authentication code injection flaw. Immediate patching is required for affected models.

JFrog reports that the Miasma worm has returned via a supply chain attack targeting AsyncAPI packages on npm. It exploited legitimate release infrastructure to publish malicious versions with valid signed attestations, operating as a remote access trojan that executes on import and uses a hardcoded IP, IPFS gateways, and Ethereum contracts for decentralised command-and-control fallback.

And another npm campaign from JFrog β€” this one involving one hundred and forty-eight malicious packages disguised as student web proxies. The packages weaponised visitors' browsers into DDoS bots, performing HTTP floods and WebSocket attacks. Peak activity in May generated approximately two gigabits per second of attack traffic from a thousand active users.

Proofpoint details how threat actors are exploiting Microsoft Entra ID's OAuth 2.0 implementation to conduct stealthy, large-scale account enumeration and credential validation. Attackers issue token requests while spoofing or randomising client IDs to evade detection during authentication attempts.

TrustedSec has detailed offensive techniques for exploiting Azure container environments through Managed Identity abuse and Azure Container Registry Tasks manipulation. Attackers can pivot from compromised containers to access Key Vault and other services, with demonstrations of container image backdooring and persistence methods across Container Instances and Container Apps.

That concludes today's briefing.

πŸ“° Articles Covered