ctipilot.ch

Today's daily brief

CTI Daily Brief — 2026-06-22

Published 2026-06-22

• A previously-undocumented botnet, AryStinger, has conscripted 4,300+ end-of-life D-Link routers (DIR-850L, DIR-818LW) and QNAP NAS devices into a distributed reconnaissance-and-proxy network — and Sweden is its third-largest victim pool at 6.4%. Initial access is three public CVEs (two decade-old D-Link RCEs plus a 2025 QNAP code-injection), after which each node gets a Dropbear SSH backdoor and is tasked with distributed DNS brute-forcing and traffic tunnelling that launders the operator's attack traffic (QiAnXin XLab, 2026-06-17). EoL D-Link models have no patch path — replacement is the only fix. See § 5.
• Switzerland's Federal Audit Office (EFK) found that the two-year-old federal cyber-governance split leaves the strategic-oversight body (FS BIS/SEPOS) without a complete picture of incidents in federal systems, because BACS has no legal authority to forward incident reports independently and agencies must opt in to sharing via the Cyber Security Hub (SwissCybersecurity.net, 2026-06-19). The operational consequence: SEPOS-level threat analysis may be blind to incidents BACS already holds. See § 1.
• Brazil's national Cell Broadcast emergency-alert platform was hijacked overnight 19–20 June to push fake "Extreme Alert" notifications to ~30M phones across seven states, forcing the system offline. Cell Broadcast deliberately bypasses opt-outs and silent mode, so an administrative-plane compromise is a high-impact leverage point — the same EU-mandated technology underpins Switzerland's ALERTSWISS (The Next Web, 2026-06-20). See § 1.
• A live eBanking phishing campaign against a Belgian bank hides its landing-page address in IPv4-mapped IPv6 notation ([::ffff:…]), which browsers resolve normally but regex-based URL scanners and DNS-reputation lookups miss entirely (SANS ISC, 2026-06-19). Email-gateway and proxy teams should test whether their URL extractors handle the [::ffff:…] form. See § 3.

Read the full brief →