Weekly Threat Intel Report — 2026-W26
TL;DR
Week 26 was about credentials and trust. The FortiBleed campaign continued to dominate the headlines: Recorded Future and Dark Reading reported that attackers built a Golang-based sniffer to harvest valid administrative and VPN credentials at scale, with valid credentials now exposed for roughly 74,000 FortiGate firewalls and approximately 110 million credentials identified globally. CISA set an unusually short deadline for federal agencies to patch an actively exploited Cisco Unified Communications Manager flaw. Turla added a new malware family called StockStay to its long-running espionage operations against Ukraine, and the FBI and CISA warned that Russian-aligned operators are now stealing Signal Backup Recovery Keys, not just live credentials. On the criminal side, a disruption action against SocGholish/TA569 spotlighted the role of traffic distribution systems in feeding access to ransomware crews tied to Evil Corp, and a third-party compromise hit Polymarket customers for roughly $3 million. Finally, AI-specific risks moved from theoretical to operational: Unit 42 documented malicious OpenClaw skills carrying infostealers, and SentinelLabs analyzed a DPRK-linked macOS Rust backdoor that uses prompt-injection content to mislead LLM-assisted triage.
Notable Activity by Actor
Turla (Russia)
The Record, citing Google threat researchers, disclosed a new Turla malware family named StockStay being used in espionage operations against Ukrainian targets (2026-06-26). The report frames StockStay as the latest addition to Turla's already broad implant catalog, consistent with the group's pattern of rotating bespoke backdoors to evade detection while sustaining long-dwell access. Public technical detail at the time of writing is limited; defenders responsible for Ukraine-aligned organizations, or for any target that falls within Russian intelligence tasking, should treat new, low-prevalence Windows backdoors with elevated suspicion.
TA569 / SocGholish & Indrik Spider (Evil Corp)
Dark Reading (2026-06-23) covered a disruption action against SocGholish and used the moment to underline how its traffic distribution system (TDS) sits at the top of a wider criminal supply chain. SocGholish operators monetize compromised legitimate websites by serving fake browser-update lures (T1189 Drive-by Compromise) and selling the resulting access to downstream crews — most notably Evil Corp / Indrik Spider affiliates running ransomware operations. Even with takedown pressure, TDS-style ecosystems are highly resilient, and defenders should assume similar plumbing will re-emerge under new branding.
Gamaredon Group (Russia)
Dark Reading (2026-06-25) reported that Gamaredon has materially improved its loader chains and C2 obfuscation. The FSB-linked group has historically relied on noisy, high-volume tradecraft against Ukrainian targets; the new tooling reduces the efficacy of signature-based detection and shifts more of the detection burden onto behavioral analytics.
Emerging Threats
FortiBleed: an internet-scale credential exposure
Recorded Future (2026-06-24) and Dark Reading (2026-06-23) reported that the FortiBleed campaign has produced a dataset containing valid administrative and VPN credentials for roughly 73,932 FortiGate systems. Downstream reporting indicates the attackers built a Golang-based sniffer aimed at around 430,000 FortiGate firewalls and identified approximately 110 million credentials; the smaller figure is the number of appliances for which valid credentials were confirmed, the larger is the population the sniffer was aimed at. Even if those numbers contain duplicates and stale entries, the operational implication is the same: any organization with internet-facing FortiGate appliances should assume credential exposure and force a rotation, with particular attention to VPN and administrative accounts. Because the attackers are running the sniffer on the firewalls themselves, rotation only helps once the appliance has been patched and verified clean; rotating credentials through a still-compromised device simply hands the new ones to the same collector.
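The post-exposure log review that the rotation advice implies can be scripted. The following is an added example, not code from Recorded Future or Dark Reading: it parses FortiGate-style key=value syslog events and flags two things a responder would want first, successful admin logins from outside an assumed management network and SSL VPN logins for one account from more than one remote address (a common sign of a harvested credential being replayed). The log lines are constructed, the field names (logdesc, user, srcip, remip, action, status) follow the usual FortiOS event layout but should be checked against your own samples, and the management network 10.20.0.0/24 is an assumption.

```python
"""Triage FortiGate admin/VPN authentication events after a credential exposure.

Added example (not from the cited reports). Sample events are constructed to
mirror FortiGate's key=value syslog layout; verify field names against real logs.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events, not real telemetry.
SAMPLE_LOG = """\
date=2026-06-23 time=08:14:02 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success"
date=2026-06-23 time=09:02:41 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="success"
date=2026-06-23 time=09:05:10 logid="0101039424" type="event" subtype="vpn" level="information" logdesc="SSL VPN login" user="jdoe" remip=203.0.113.9 action="ssl-login" status="success"
date=2026-06-23 time=09:07:55 logid="0101039424" type="event" subtype="vpn" level="information" logdesc="SSL VPN login" user="jdoe" remip=198.51.100.77 action="ssl-login" status="success"
date=2026-06-23 time=09:30:00 logid="0101039424" type="event" subtype="vpn" level="information" logdesc="SSL VPN login" user="msmith" remip=203.0.113.40 action="ssl-login" status="success"
"""

# Assumption: administrative access is only legitimate from these networks.
MGMT_NETS = [ip_network("10.20.0.0/24")]

# key=value pairs; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Turn one FortiGate event line into a dict of field -> value."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in KV_RE.finditer(line)
    }


def triage(log_text, mgmt_nets=MGMT_NETS):
    """Return a list of (finding, user, source) tuples for successful logins.

    Findings:
      admin_login_outside_mgmt - admin GUI/CLI login from a non-management IP
      vpn_multi_source         - one VPN account used from >1 remote IP
    """
    findings = []
    vpn_sources = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_fortigate_line(line)
        if ev.get("status") != "success":
            continue  # failed attempts are noise for this pass
        if ev.get("subtype") == "system" and ev.get("action") == "login":
            src = ip_address(ev["srcip"])
            if not any(src in net for net in mgmt_nets):
                findings.append(("admin_login_outside_mgmt", ev["user"], ev["srcip"]))
        elif ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login":
            vpn_sources[ev["user"]].add(ev["remip"])
    for user, ips in sorted(vpn_sources.items()):
        if len(ips) > 1:
            findings.append(("vpn_multi_source", user, ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("%-26s user=%-8s source=%s" % finding)
```

In the constructed data the same address shows up both as an out-of-network admin login and as one of jdoe's VPN sources, which is exactly the pivot to chase next: one stolen credential set usually yields several. Extend the checks with a geolocation lookup or an allowlist of known remote-worker addresses before running this over a week of real logs.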
CISA emergency-style deadline on Cisco CUCM
BleepingComputer (2026-06-26) reported that CISA ordered federal agencies to patch an actively exploited vulnerability in Cisco Unified Communications Manager by the end of the week. Federal-deadline issuance is a useful triage signal for the private sector: this is a flaw worth patching out-of-band rather than waiting for the next maintenance window.
Russia targets Signal backups and messaging accounts
The FBI and CISA, as reported by BleepingComputer (2026-06-26), warned that a phishing operation tied to Russian intelligence services has evolved to steal Signal Backup Recovery Keys, which would allow attackers to read historical messages — not just intercept new ones. In parallel, Ukraine's SBU described a Russian social-engineering campaign in which operators posed as tech-support workers to extract credentials for messaging apps (The Record, 2026-06-26). The takeaway: account-recovery flows and backup material are now first-class targets, not afterthoughts.
Supply-chain compromises: Polymarket and Klue/Salesforce
BleepingComputer (2026-06-26) reported that Polymarket customers lost approximately $3 million after attackers injected a malicious script into the platform's frontend following a breach at a third-party vendor. Dark Reading (2026-06-23) reported that a separate threat actor branded Icarus is leaking data from victims compromised after a breach at application vendor Klue, where stolen OAuth tokens were used to pivot into customer Salesforce environments. Both incidents reinforce that SaaS-to-SaaS trust paths and frontend code paths are increasingly attractive single points of failure.
Hospitality-sector intrusion campaign
Microsoft Threat Intelligence (2026-06-25) detailed a multi-stage campaign against hospitality organizations in Europe and Asia using photo-themed ZIP archives and fake image shortcut files to deliver a persistent Node.js implant. The use of Node.js for implants continues a broader trend of attackers favoring cross-platform scripting runtimes for evasion and developer-friendly tooling.
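A hunt for the relocated-runtime pattern described above can be expressed as a scored rule over process-creation telemetry. The following is an added example and is not Microsoft's detection logic: it scores events for a Node.js binary running from a user-writable path, an unsigned image, a parent that is a shell or script host typical of lure execution, and a script argument under a user profile. The events are constructed in a flattened Sysmon Event ID 1 style (Image, ParentImage, CommandLine, Signed, User); the field names, the path patterns and the threshold of 3 are assumptions to adapt to your EDR schema.

```python
"""Hunt for Node.js runtimes launched from user-writable locations.

Added example, not Microsoft's rule. Events below are constructed and use
Sysmon-style field names; map them to your own telemetry schema.
"""
import ntpath
import re

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # legitimate developer use: system-wide install, signed, project script
        "Image": r"C:\Program Files\nodejs\node.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js',
        "Signed": "true", "User": "CORP\\dev1",
    },
    {   # lure-style: unsigned node.exe dropped under AppData, launched from explorer
        "Image": r"C:\Users\frontdesk\AppData\Roaming\photos\node.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Users\frontdesk\AppData\Roaming\photos\node.exe" C:\Users\frontdesk\AppData\Roaming\photos\p.js',
        "Signed": "false", "User": "CORP\\frontdesk",
    },
    {   # legitimate signed node.exe, but copied to Temp and launched by wscript
        "Image": r"C:\Users\guest1\AppData\Local\Temp\nodejs\node.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"node.exe C:\Users\guest1\AppData\Local\Temp\nodejs\img.js",
        "Signed": "true", "User": "CORP\\guest1",
    },
]

# Assumed user-writable locations; tune for your environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents|pictures)\\"
    r"|^[a-z]:\\(programdata|windows\\temp)\\",
    re.I,
)
# A .js argument sitting under a user profile.
USER_JS = re.compile(r"[a-z]:\\users\\[^\s\"]+\.js\b", re.I)
LURE_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "cmd.exe"}


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() not in {"node.exe", "node"}:
        return 0, []
    score, reasons = 0, []
    if USER_WRITABLE.search(image):
        score += 2
        reasons.append("node runtime under user-writable path")
    if ev.get("Signed", "").lower() != "true":
        score += 2
        reasons.append("binary not signed")
    if ntpath.basename(ev.get("ParentImage", "")).lower() in LURE_PARENTS:
        score += 1
        reasons.append("parent is a shell or script host typical of lure execution")
    if USER_JS.search(ev.get("CommandLine", "")):
        score += 1
        reasons.append("script argument lives under a user profile")
    return score, reasons


def hunt(events, threshold=3):
    """Return events scoring at or above threshold, with their reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"image": ev["Image"], "user": ev.get("User"),
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["user"], hit["image"], "; ".join(hit["reasons"]))
```

The third constructed event is the one worth noticing: a genuinely signed node.exe copied into Temp still scores above threshold, because attackers routinely ship the vendor's own signed runtime and only the script is malicious. A rule keyed on signature status alone would miss it.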
Southeast Asian government targeting: CL-STA-1062
Unit 42 (2026-06-25) disclosed CL-STA-1062, an espionage cluster targeting government and critical infrastructure in Southeast Asia using a hybrid toolkit that includes a custom backdoor named TinyRCT. Attribution remains tentative, but the targeting pattern and toolkit composition are consistent with regional state-aligned activity.
Botnet takedown: Amadey and Stealc
ESET (WeLiveSecurity, 2026-06-24) confirmed participation in an Operation Endgame action disrupting the Amadey botnet and the Stealc infostealer, providing technical analysis and affiliate-level insight. Expect operator migration to alternative loaders and stealers in the coming weeks.
AI-specific threats moving from theory to practice
Unit 42 (2026-06-23) and Dark Reading (2026-06-24) detailed malicious OpenClaw 'skills' distributed via the ClawHub marketplace that bypassed automated scanners to deploy infostealers and execute agentic financial fraud. SentinelLabs (2026-06-23) analyzed macOS.Gaslight, a DPRK-linked Rust backdoor that embeds 38 fabricated system messages designed to spoof an LLM triage harness — a credible early example of an implant trying to fool the analyst's AI, not just the sandbox. Microsoft (2026-06-22) also published research on protecting AI memory from manipulation. AI tooling is now both a target and a vehicle.
Other notable items
- Bluekit phishing-as-a-service adopted browser-in-the-middle (BitM) techniques and added roughly 70 new hostnames in a week (BleepingComputer 2026-06-25).
- Polish authorities arrested four members of a SIM-swapping group tied to millions in cryptocurrency theft, achieved by breaching telecom partners (BleepingComputer 2026-06-25).
- Dark Reading (2026-06-25) reported that Europe is now a preferred ransomware target region, with a notable focus on EU organizations and their suppliers.
Defender Takeaways
- Treat FortiGate credentials as exposed. Patch and verify appliance integrity first, then rotate VPN and administrative credentials on any internet-facing FortiGate; enforce MFA on management interfaces; review logs for admin logins from outside management networks and for VPN logins where one account appears from several remote addresses.
- Patch Cisco CUCM out-of-band. The CISA federal deadline is a strong signal of active exploitation.
- Lock down account-recovery flows. Russian targeting of Signal Backup Recovery Keys is a reminder that recovery-key material, security questions, and backup codes deserve the same protections as primary credentials.
- Audit OAuth trust relationships. The Klue/Salesforce/Icarus chain is a textbook case of SaaS-to-SaaS token abuse. Inventory third-party OAuth grants in Salesforce, Google Workspace, and Microsoft 365, and remove unused integrations.
- Hunt for Node.js implants and ZIP-delivered shortcut chains. Microsoft's hospitality-sector campaign is unlikely to remain sector-bound; treat unsigned Node.js runtimes spawned from user directories as high-fidelity signals.
- Refresh phishing-resistant defenses. Device-code phishing, BitB, BitM, and OAuth-consent attacks (Huntress, BleepingComputer this week) all defeat awareness training that only teaches users to spot fake login pages. Move users toward FIDO2 and conditional-access policies that constrain device and location.
- Govern AI skills and tools as supply chain. OpenClaw/ClawHub-style marketplaces should be treated as software supply-chain risk surfaces; require allowlisting and vetting before deployment.
Sources
- Dark Reading — "SocGholish Takedown Highlights Malicious TDS Threats" (2026-06-23): https://www.darkreading.com/cyber-risk/socgholish-takedown-malicious-tds-threats
- The Record — "Turla group adds more malware to Russia's espionage efforts against Ukraine" (2026-06-26): https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware
- BleepingComputer — "FBI: Russian hackers now target Signal backup recovery keys" (2026-06-26): https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/
- BleepingComputer — "Polymarket customers lose $3 million in supply-chain attack" (2026-06-26): https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/
- BleepingComputer — "CISA sets urgent deadline to fix Cisco flaw exploited in attacks" (2026-06-26): https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/
- BleepingComputer — "Bluekit phishing kit adopts browser-in-the-middle for login theft" (2026-06-25): https://www.bleepingcomputer.com/news/security/bluekit-phishing-kit-adopts-browser-in-the-middle-for-login-theft/
- BleepingComputer — "Poland busts SIM-swapping gang tied to millions in crypto theft" (2026-06-25): https://www.bleepingcomputer.com/news/security/poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft/
- Recorded Future — "FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems" (2026-06-24): https://www.recordedfuture.com/blog/critical-fortibleed-campaign
- Dark Reading — "FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist" (2026-06-23): https://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealers
- Dark Reading — "Scope of Salesforce Attacks Expands as Icarus Leaks Data" (2026-06-23): https://www.darkreading.com/cyberattacks-data-breaches/scope-salesforce-attacks-expands-icarus-leaks-data
- Dark Reading — "Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses" (2026-06-25): https://www.darkreading.com/threat-intelligence/russia-apt-gamaredon-arsenal-defense
- Microsoft Threat Intelligence — "Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access" (2026-06-25): https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/
- Microsoft Threat Intelligence — "Guarding AI memory" (2026-06-22): https://www.microsoft.com/en-us/security/blog/2026/06/22/guarding-ai-memory/
- Unit 42 — "CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure" (2026-06-25): https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor/
- Unit 42 — "OpenClaw's Skill Marketplace and the Emerging AI Supply Chain Threat" (2026-06-23): https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
- SentinelLabs — "macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox" (2026-06-23): https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/
- WeLiveSecurity (ESET) — "ESET takes part in Operation Endgame to disrupt Amadey and Stealc" (2026-06-24): https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/
- The Record — "Russia used social engineering to breach prominent messaging accounts, Ukraine says" (2026-06-26): https://therecord.media/russia-ukraine-social-engineering-messaging-accounts
- Dark Reading — "Europe Evolves Into Ransomware's Favorite Region" (2026-06-25): https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region