# CTI Daily Brief — 2026-06-06

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8, model ID `claude-opus-4-8`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (`claude-opus-4-8`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Second Cisco Catalyst SD-WAN Manager zero-day under active exploitation (CVE-2026-20245)** — a post-authentication command-injection that yields root on the appliance; Cisco confirms limited in-the-wild use pushing configuration changes to managed edge devices, and there is **no patch**. Reachable to netadmin attackers directly or by chaining the earlier pre-auth bypass CVE-2026-20182 ([NCSC-CH GovCERT, 2026-06-05](https://security-hub.ncsc.admin.ch/#/posts/12579)). See § 2.
- **Two distinct self-propagating npm worms hit the JavaScript supply chain in the same window** — the new Rust-built **IronWorm** (eBPF kernel rootkit + Tor C2, ~36 packages, cloud/AI-key sweep) ([JFrog, 2026-06-03](https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/)), and a fresh **Miasma** variant that reached **73 Microsoft GitHub repositories** including the Azure Durable Task ecosystem (§ 4). Both abuse install-time scripts and stolen publishing credentials.
- **Luna Moth / Silent Ransom Group (UNC3753) escalates to sending operatives into victim offices with USB drives** — Mandiant documents a Jan–May 2026 vishing-to-data-theft extortion campaign against legal/financial firms with sub-one-hour exfiltration; one victim reportedly paid ~$20 M ([Mandiant, 2026-06-05](https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/)). Deep dive in § 5.
- **SolarWinds Serv-U DoS zero-day added to CISA KEV (CVE-2026-28318)** — an unauthenticated `Content-Encoding: deflate` POST crashes the SFTP/FTP service; fixed in Serv-U 15.5.4 Hotfix 1 ([SolarWinds, 2026-06-04](https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318)). See § 2.
- **Critical account-takeover flaw in MISP (CVE-2026-10868, CVSS 9.0)** — the threat-intel platform that underpins CERT-EU, GovCERT.ch and most EU national-CERT sharing; a mass-assignment bug lets an authenticated user edit another account ([GitHub Security Advisory, 2026-06-04](https://github.com/advisories/GHSA-h7wj-m45x-884x)). Patched. See § 2.
- **Five Eyes issue a rare joint bulletin on Chinese intelligence recruiting via LinkedIn and job platforms** — targeting cleared personnel, researchers and policy staff; directly relevant to Swiss/EU public-sector personnel security ([The Record, 2026-06-03](https://therecord.media/five-eyes-warns-chinese-spies-are-using-job-sites-to-recruit-insiders)). See § 1.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Five Eyes joint bulletin: Chinese military intelligence recruiting cleared personnel through LinkedIn and job platforms

On 2026-06-03 the domestic-intelligence services of the five Five Eyes nations (ASIO, CSIS, FBI, MI5, NZSIS) released an unusual joint bulletin, *Safeguarding Our Secrets*, warning that China's military-intelligence apparatus is systematically using professional-networking and freelance-work platforms — LinkedIn, Indeed, Upwork — to identify and cultivate people with access to classified or otherwise privileged information ([MI5, 2026-06-03](https://www.mi5.gov.uk/five-eyes-joint-bulletin-safeguarding-our-secrets); [The Record, 2026-06-03](https://therecord.media/five-eyes-warns-chinese-spies-are-using-job-sites-to-recruit-insiders)). Operatives pose as recruiters, consultants, HR representatives or think-tank staff for fabricated cover companies outside China, open with benign foreign-policy / defence / trade research commissions paying hundreds to a few thousand dollars per deliverable, then escalate toward sensitive material and migrate the relationship to encrypted messaging to reduce platform visibility. Named target categories include security-clearance holders, military personnel, academics, researchers and journalists.

**Why it matters to us:** This is a human-intelligence tradecraft advisory rather than a technical-intrusion one, and Switzerland — outside Five Eyes but a hub for international organisations, financial regulation and dual-use research — is squarely in the target set. The defensible surface is personnel-security, not EDR: brief cleared and research staff on the innocuous-task-to-sensitive-request progression, give them a low-friction route to report unsolicited foreign-recruitment contact, and treat unsolicited "paid policy paper" approaches to staff with administrative or network access as a counter-intelligence signal, not a side gig.

— *Source: [MI5 — Five Eyes joint bulletin "Safeguarding Our Secrets"](https://www.mi5.gov.uk/five-eyes-joint-bulletin-safeguarding-our-secrets) · Additional source: [The Record, 2026-06-03](https://therecord.media/five-eyes-warns-chinese-spies-are-using-job-sites-to-recruit-insiders) · Tags: nation-state, espionage, china-nexus · Region: global, uk · Sector: public-sector, defense*

### IronWorm: Rust-built npm worm ships an eBPF kernel rootkit, Tor C2 and a cloud/AI-credential sweep

JFrog Security Research disclosed **IronWorm**, a self-propagating npm supply-chain worm distributed across roughly 36 packages from a compromised publisher account ([JFrog, 2026-06-03](https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/); [BleepingComputer, 2026-06-04](https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/)). Unlike the JavaScript-stager Shai-Hulud lineage, IronWorm executes a Rust ELF payload through an install-time `preinstall` hook and carries an embedded eBPF object (`T1195.002` Compromise Software Supply Chain, `T1059.004` Unix Shell via lifecycle script). JFrog reports the eBPF component provides kernel-level process, socket and anti-debug concealment — hiding the implant from procfs-based enumeration and many EDR agents — while the command channel runs over Tor: the malware downloads the Tor expert bundle, writes its own `torrc`, and beacons to a hidden service. The stealer sweeps dozens of environment variables and credential paths spanning AWS, GCP, Azure, HashiCorp Vault, Kubernetes, Docker, GitHub and npm tokens, and the 2026 generation of AI-provider API keys (Anthropic, OpenAI, Gemini and others). Self-propagation reuses stolen npm credentials — including npm Trusted Publishing secrets — to publish trojanised versions of the victim's own packages.

**Why it matters to us:** The eBPF rootkit moves npm-worm tradecraft below the userland telemetry most pipelines rely on, so process-tree hunting on the build host is no longer sufficient. Detection concepts: alert on `node`/`npm`/`npx` parent processes spawning `sh`/`bash` during `preinstall`/`postinstall` (Sysmon-for-Linux EID 1), audit `bpf()` syscalls from non-privileged processes via `auditd`, and watch CI/CD egress for Tor bootstrap traffic. Hardening: run `npm install --ignore-scripts` in CI, pin lockfile integrity, and scope/rotate npm publish tokens — Trusted Publishing credentials are now an explicit propagation target.

— *Source: [JFrog Security Research — IronWorm: Shai-Hulud's rustier cousin](https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/) · Additional source: [BleepingComputer, 2026-06-04](https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/) · Tags: supply-chain, infostealer, cloud · Region: global · Sector: technology*
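The `bpf()` audit from the detection concepts above, as an added example that is not JFrog's or npm's code: the auditctl rule that records bpf calls, and a Python parser that flags calls made without root, treating a program load (`a0` = `BPF_PROG_LOAD`) from any process, and any bpf call at all from a build-tool process, as suspicious. The syscall number assumes x86_64, the build-tool process names are an assumed list, and the audit records are constructed rather than captured.

```python
"""Flag bpf() syscalls from unprivileged processes in auditd SYSCALL records.

Added example, not JFrog's or npm's code. Assumes x86_64 hosts (bpf is syscall
321, arch=c000003e) running auditd with the rule in AUDIT_RULE; the sample
records below are constructed, not captured from a real host.
"""
import re

# auditctl rule that produces the SYSCALL records parsed here
AUDIT_RULE = "-a always,exit -F arch=b64 -S bpf -k bpf_syscall"

BPF_SYSCALL_X86_64 = 321      # bpf(2) syscall number on x86_64
BPF_PROG_LOAD = 5             # bpf_cmd value carried in a0 when a program is loaded
BUILD_TOOL_COMMS = {"node", "npm", "npx", "sh", "bash"}   # assumed set of CI build-tool process names

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Split one auditd record into key=value pairs, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in _TOKEN.findall(line)}


def is_suspicious_bpf(rec: dict) -> bool:
    """A bpf() call is suspicious when made without root and it either loads a
    program (the rootkit case) or comes from a build-tool process at all."""
    if rec.get("type") != "SYSCALL":
        return False
    if int(rec.get("syscall", -1)) != BPF_SYSCALL_X86_64:
        return False
    if rec.get("euid") == "0":
        return False                          # root tooling (EDR sensors, tc) is expected to use bpf
    bpf_cmd = int(rec.get("a0", "-1"), 16)    # audit logs syscall arguments as hex without 0x
    return bpf_cmd == BPF_PROG_LOAD or rec.get("comm") in BUILD_TOOL_COMMS


def find_suspicious_bpf(lines):
    """Return (pid, comm, exe) for every record that trips the rule."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if is_suspicious_bpf(rec):
            hits.append((rec["pid"], rec["comm"], rec.get("exe", "")))
    return hits


# Constructed sample records: a program load from an npm lifecycle script run by
# node, a root-owned sensor creating a map, and an unprivileged map lookup.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1780000000.101:9001): arch=c000003e syscall=321 success=yes exit=4 '
    'a0=5 a1=7ffd1a2b3c40 a2=90 a3=0 items=0 ppid=2101 pid=2140 auid=1000 uid=1000 gid=1000 '
    'euid=1000 comm="node" exe="/usr/bin/node" key="bpf_syscall"',
    'type=SYSCALL msg=audit(1780000000.102:9002): arch=c000003e syscall=321 success=yes exit=3 '
    'a0=0 a1=7ffd1a2b3d00 a2=48 a3=0 items=0 ppid=1 pid=987 auid=4294967295 uid=0 gid=0 '
    'euid=0 comm="falco" exe="/usr/bin/falco" key="bpf_syscall"',
    'type=SYSCALL msg=audit(1780000000.103:9003): arch=c000003e syscall=321 success=yes exit=0 '
    'a0=1 a1=7ffd1a2b3e20 a2=48 a3=0 items=0 ppid=3100 pid=3122 auid=1000 uid=1000 gid=1000 '
    'euid=1000 comm="python3" exe="/usr/bin/python3.12" key="bpf_syscall"',
]

if __name__ == "__main__":
    for pid, comm, exe in find_suspicious_bpf(SAMPLE_AUDIT_LOG):
        print(f"suspicious bpf() from pid={pid} comm={comm} exe={exe}")
```

The `euid` exemption keeps root-owned sensors quiet; an npm lifecycle script running as the CI user has no legitimate reason to load eBPF programs, which is why a program load is flagged regardless of the process name.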

## 2. Trending Vulnerabilities

### CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch)

Cisco has confirmed a second actively-exploited zero-day in Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20245 ([Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx); [NCSC-CH GovCERT, 2026-06-05](https://security-hub.ncsc.admin.ch/#/posts/12579)). It is a command-injection flaw: an attacker with `netadmin` privileges can inject arbitrary OS commands that execute as **root** on the underlying appliance (`T1059.004` Unix Shell, following `T1078` Valid Accounts). Per Cisco, exploitation requires either valid netadmin credentials or prior exploitation of the pre-auth bypass CVE-2026-20182 (covered in weekly W22) or CVE-2026-20127 — making the realistic path an unauthenticated-to-root chain against an internet-exposed Manager. Cisco states it has "observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices," i.e. the blast radius extends from the management plane to every managed edge router. **No fixed release is available**; Cisco's only guidance is to restrict management-plane access to trusted hosts and verify edge-device configuration. Detection concepts: review the SD-WAN Manager CLI audit log for unexpected command execution and EDR/host telemetry for shells spawned under the management daemon's service account; treat any unplanned config push to edge devices as a hunting trigger. Hardening: ACL the management interface to a dedicated management VLAN, enforce MFA for netadmin, and rotate Manager credentials given confirmed in-the-wild use.

— *Source: [Cisco PSIRT advisory cisco-sa-sdwan-privesc-4uxFrdzx](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx) · Additional source: [NCSC-CH GovCERT advisory 12579](https://security-hub.ncsc.admin.ch/#/posts/12579) · Tags: vulnerabilities, actively-exploited, rce, priv-esc · Region: global · Sector: public-sector, telco · CVE: CVE-2026-20245 · CVSS: n/a · Vector: local · Auth: post-auth · Status: exploited, no-patch, mitigation-only*

### CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV

CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on 2026-06-05, confirming active exploitation ([SolarWinds, 2026-06-04](https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318); [ENISA EUVD](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-34268)). The flaw is an uncontrolled-resource-consumption issue (CWE-400): an unauthenticated remote attacker sends a crafted HTTP POST carrying `Content-Encoding: deflate`, triggering decompression memory exhaustion that crashes the Serv-U SFTP/FTP service (`T1499.003` Application Exhaustion Flood). On default configurations the service does not auto-restart, so a single request causes a sustained availability outage of the managed-file-transfer endpoint. Fixed in **Serv-U 15.5.4 Hotfix 1**. Per PD-13, the operational driver here is the confirmed exploitation, not the US BOD 22-01 remediation date: managed-file-transfer appliances are recurrent ransomware-adjacent targets, and an internet-exposed Serv-U that can be knocked offline by one packet is a denial-of-service risk to any process that depends on it. Detection concepts: monitor Serv-U service-process restart/crash events and web-access logs for POST requests with unusual `Content-Encoding` values.

— *Source: [SolarWinds Trust Center advisory CVE-2026-28318](https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318) · Additional source: [ENISA EUVD EUVD-2026-34268](https://euvd.enisa.europa.eu/enisa/eu_vulnerability_database/EUVD-2026-34268) · Tags: vulnerabilities, actively-exploited, dos, pre-auth, cisa-kev, patch-available · Region: global · Sector: public-sector, finance · CVE: CVE-2026-28318 · CVSS: 7.5 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
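The defensive pattern for this bug class, as an added example that is not SolarWinds or Serv-U code: a request-body decoder that allowlists `Content-Encoding` and inflates a deflate body through `zlib.decompressobj` with an output cap, so a small body that expands without bound is rejected before it consumes memory. The allowlist, the 1 MiB limit and the sample bodies (a deflate bomb among them) are assumptions constructed for the example.

```python
"""Bounded decoding of a Content-Encoding: deflate request body (CWE-400 guard).

Added example, not Serv-U or SolarWinds code: it shows the defensive pattern for
the bug class, a body whose inflated size is unbounded. The allowlist, the 1 MiB
default limit and the sample bodies are assumptions made for the example.
"""
import zlib

# Assumed policy: only identity and deflate are accepted on this endpoint
ALLOWED_ENCODINGS = {"identity", "deflate"}


def bounded_inflate(body: bytes, max_output: int) -> bytes:
    """Inflate `body`, refusing to produce more than `max_output` bytes.

    zlib is asked for at most max_output + 1 bytes; receiving that many proves the
    stream expands past the limit, so it is rejected before the rest is inflated.
    """
    d = zlib.decompressobj()              # HTTP "deflate" is the zlib (RFC 1950) container
    try:
        out = d.decompress(body, max_output + 1)
    except zlib.error as exc:
        raise ValueError(f"malformed deflate stream: {exc}") from None
    if len(out) > max_output:
        raise ValueError(f"decompressed body exceeds {max_output} bytes")
    if not d.eof:
        raise ValueError("truncated deflate stream")
    return out


def decode_request_body(headers: dict, body: bytes, max_output: int = 1 << 20):
    """Return ('ok', decoded_body) or ('rejected', reason) for one request."""
    encoding = headers.get("Content-Encoding", "identity").strip().lower()
    if encoding not in ALLOWED_ENCODINGS:
        return "rejected", f"unsupported Content-Encoding: {encoding}"
    if encoding == "identity":
        if len(body) > max_output:
            return "rejected", "body too large"
        return "ok", body
    try:
        return "ok", bounded_inflate(body, max_output)
    except ValueError as exc:
        return "rejected", str(exc)


# Constructed sample bodies: a small legitimate request, a deflate bomb that is
# about 16 KiB on the wire but 16 MiB inflated, and a truncated stream.
SAMPLE_BENIGN = zlib.compress(b'{"user":"alice","op":"list"}')
SAMPLE_BOMB = zlib.compress(b"\0" * (16 * 1024 * 1024))
SAMPLE_TRUNCATED = zlib.compress(b"x" * 4096)[:-6]
DEFLATE = {"Content-Encoding": "deflate"}

if __name__ == "__main__":
    for name, body in [("benign", SAMPLE_BENIGN), ("bomb", SAMPLE_BOMB), ("truncated", SAMPLE_TRUNCATED)]:
        print(name, len(body), "bytes on the wire ->", decode_request_body(DEFLATE, body))
```

The cap is enforced inside the zlib call rather than by checking the output afterwards: `decompress(body, max_output + 1)` stops inflating as soon as the limit is crossed, so the bomb never materialises in memory.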

### CVE-2026-10868 — MISP: critical mass-assignment account-takeover in the EU threat-sharing platform

BSI published WID-SEC-2026-1800 covering seven vulnerabilities in MISP, the open-source threat-intelligence sharing platform that underpins CERT-EU, GovCERT.ch, CIRCL.lu and most EU national-CERT and ISAC feeds ([BSI CERT-Bund, 2026-06-04](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1800); [GitHub Security Advisory, 2026-06-04](https://github.com/advisories/GHSA-h7wj-m45x-884x)). The most severe, CVE-2026-10868 (CVSS 9.0), is a mass-assignment bug in `UsersController::edit()`: insufficient field filtering lets an authenticated user inject another account's identifier into the edit request, so the update is applied to an unintended account (`T1078` Valid Accounts / account manipulation) — an authenticated account-takeover and privilege-manipulation primitive. The other six (CVE-2026-10854/10855/10856/10860/10861/10864) cover access-control bypass on private galaxy metadata, an org-crossing event-template overwrite, and an open redirect. In a multi-organisation sharing hub the account-takeover combined with the cross-org template overwrite enables manipulation of the shared indicator pool itself. Patches shipped 2026-06-04; the CVE-2026-10868 fix explicitly strips the `User.id` field before edit processing. Detection concepts: review MISP access logs for `UsersController::edit` POSTs where the posted user id differs from the session user id, and audit user accounts for unexpected role/group attribute changes.

— *Source: [GitHub Security Advisory GHSA-h7wj-m45x-884x](https://github.com/advisories/GHSA-h7wj-m45x-884x) · Additional source: [BSI CERT-Bund WID-SEC-2026-1800](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1800) · Tags: vulnerabilities, identity, auth-bypass · Region: europe, global · Sector: public-sector · CVE: CVE-2026-10868 · CVSS: 9.0 · Vector: local · Auth: post-auth · Status: patch-available*
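The mass-assignment shape behind CVE-2026-10868, as an added example written in Python rather than MISP's PHP: the vulnerable edit that trusts a client-supplied record id, beside the hardened edit that binds to the session user and applies only allowlisted fields, plus the log check from the detection concept above. The user table, field names, request-log schema and `/users/edit` path are assumptions, not MISP's actual code.

```python
"""Mass-assignment on a user-edit action: the vulnerable shape beside a hardened
one, plus a log check for edit requests that target a different account.

Added example written in Python, not MISP's PHP code. The record layout, the
editable-field allowlist, the request-log schema and the /users/edit path are
assumptions chosen to mirror the bug class the advisory describes.
"""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    role_id: int


def make_users() -> dict:
    """Constructed user table: an ordinary user (7) and an org admin (1)."""
    return {
        7: User(7, "alice@example.org", role_id=3),
        1: User(1, "admin@example.org", role_id=1),
    }


EDITABLE_FIELDS = {"email", "gpgkey", "nids_sid"}   # assumed allowlist; id and role_id never come from the client


def edit_user_vulnerable(session_user_id: int, posted: dict, users: dict) -> User:
    """Applies every posted field to whichever record the client names."""
    target_id = int(posted.get("id", session_user_id))   # the client picks the row
    user = users[target_id]
    for key, value in posted.items():
        if key != "id":
            setattr(user, key, value)                     # role_id is writable too
    return user


def edit_user_hardened(session_user_id: int, posted: dict, users: dict) -> User:
    """Binds the edit to the session user and applies only allowlisted fields."""
    user = users[session_user_id]
    for key, value in posted.items():
        if key in EDITABLE_FIELDS:                        # id and role_id are dropped here
            setattr(user, key, value)
    return user


def find_cross_user_edits(requests):
    """Flag POSTs to the user-edit action whose posted id differs from the session user."""
    hits = []
    for req in requests:
        if req["method"] != "POST" or not req["path"].startswith("/users/edit"):
            continue
        posted_id = req["posted"].get("id")
        if posted_id is not None and int(posted_id) != req["session_user"]:
            hits.append(req)
    return hits


# Constructed request-log records in the assumed schema
HIJACK_POST = {"id": "1", "email": "mallory@example.net", "role_id": "1"}
SAMPLE_REQUESTS = [
    {"session_user": 7, "method": "POST", "path": "/users/edit", "posted": {"email": "alice@example.org"}},
    {"session_user": 7, "method": "POST", "path": "/users/edit", "posted": HIJACK_POST},
    {"session_user": 1, "method": "GET", "path": "/users/edit", "posted": {}},
]

if __name__ == "__main__":
    vulnerable, hardened = make_users(), make_users()
    edit_user_vulnerable(7, HIJACK_POST, vulnerable)
    edit_user_hardened(7, HIJACK_POST, hardened)
    print("vulnerable: admin record now", vulnerable[1])
    print("hardened:   admin record still", hardened[1], "| user 7:", hardened[7])
    print("flagged requests:", len(find_cross_user_edits(SAMPLE_REQUESTS)))
```

The hardened version makes two independent changes: the row is chosen from the session, never from the request, and the field set is an allowlist rather than "everything except id", so a future privileged attribute cannot leak into the writable set by omission.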

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | n/a | n/a | No | Yes | None (mitigation only) | [Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx) |
| CVE-2026-28318 | SolarWinds Serv-U (≤ 15.5.4) | 7.5 | n/a | Yes | Yes | 15.5.4 Hotfix 1 | [SolarWinds](https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318) |
| CVE-2026-10868 | MISP | 9.0 | n/a | No | No | Patched 2026-06-04 | [GHSA](https://github.com/advisories/GHSA-h7wj-m45x-884x) |

## 3. Research & Investigative Reporting

### OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers [SINGLE-SOURCE]

ReliaQuest documented **OP-512**, a previously-unreported China-linked espionage cluster targeting internet-facing Microsoft IIS servers running end-of-life .NET Framework 4.0 ([ReliaQuest, 2026-06-05](https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512)) `[SINGLE-SOURCE — ReliaQuest original disclosure]`. The framework is a three-component web shell — one `.aspx` file manager plus two `.ashx` command handlers — that is **per-deployment cryptographically unique** (RSA signatures and RC4 keys differ per installation), defeating signature-based detection. It carries a timestomping module that matches shell file timestamps to surrounding legitimate IIS artefacts (`T1070.006` Timestomp), uses reflective .NET assembly loading to bypass static scanning (`T1620`), and implements a novel self-reporting beacon: the deployed shell's URL is hex-encoded into a DNS subdomain query issued from `w3wp.exe`, so the operator is notified of a live shell without actively scanning for it. ReliaQuest found initial access roughly **75 days** before the shell was deployed, consistent with patient espionage tradecraft, and notes overlap with the hex-encoded-DNS technique seen in CL-STA-0048 while assessing OP-512 as a separate cluster.

**Why it matters to us:** Many Swiss and EU public-sector estates still run legacy IIS/ASP.NET portals and intranet apps on .NET 4.0 — exactly OP-512's stated footprint. The detection lesson is concrete: filesystem timestamps are useless for triage here (timestomped), so hunt on behaviour instead — `w3wp.exe` issuing long hex-string DNS subdomain queries, `w3wp.exe` spawning `cmd.exe`/`powershell.exe`/`csc.exe` (Sysmon EID 1), reflective-assembly loads, and `.aspx`/`.ashx` writes into web roots (Windows Security EID 4663 on `inetsrv` paths). Hardening: isolate or retire .NET 4.0 servers and apply WDAC/AppLocker to block execution of unsigned web-root artefacts.

— *Source: [ReliaQuest — OP-512 threat spotlight](https://reliaquest.com/blog/threat-spotlight-reliaquests-agentic-ai-uncovers-new-china-linked-cluster-op-512) · Tags: espionage, nation-state, china-nexus · Region: global, europe · Sector: public-sector*
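The hex-encoded-subdomain beacon turned into a detection, added here and not taken from ReliaQuest: over Sysmon event ID 22 (`DnsQuery`) records it keeps queries issued by `w3wp.exe`, concatenates the leading pure-hex labels, and decodes them so the analyst can see what the query carried. The 32-character threshold, the sample URL and the `.invalid` placeholder domain are constructed for the example.

```python
"""Spot hex-encoded subdomain DNS queries issued by the IIS worker process.

Added example, not ReliaQuest's detection content. Uses Sysmon event ID 22
(DnsQuery) fields Image and QueryName; the 32-hex-character threshold, the sample
URL and the placeholder domain under .invalid are assumptions made for the example.
"""
import re

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
MIN_HEX_CHARS = 32   # assumed: ordinary hostnames rarely begin with 32+ hex characters of labels


def leading_hex_run(query_name: str) -> str:
    """Concatenate the leading labels that are pure hex (payloads are split across
    labels because a DNS label holds at most 63 characters)."""
    run = []
    for label in query_name.rstrip(".").split("."):
        if HEX_LABEL.match(label):
            run.append(label)
        else:
            break
    return "".join(run)


def decode_hex_payload(hexstr: str):
    """Decode the hex run as text if it is well-formed and printable, else None."""
    if len(hexstr) % 2:
        return None
    text = bytes.fromhex(hexstr).decode("ascii", errors="replace")
    return text if text.isprintable() else None


def image_basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hex_dns_beacons(events):
    """Return the w3wp.exe DNS queries carrying a long hex payload, with the payload decoded."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 22 or image_basename(ev.get("Image", "")) != "w3wp.exe":
            continue
        hexstr = leading_hex_run(ev["QueryName"])
        if len(hexstr) >= MIN_HEX_CHARS:
            hits.append({"QueryName": ev["QueryName"], "decoded": decode_hex_payload(hexstr)})
    return hits


def hex_to_labels(text: str, width: int = 60) -> str:
    """Used only to build the constructed sample: hex-encode text and split it into labels."""
    h = text.encode().hex()
    return ".".join(h[i:i + width] for i in range(0, len(h), width))


# Constructed sample: one beacon-style query from w3wp.exe, one benign w3wp.exe
# lookup, a long hex label from a browser (ignored by the image filter), and a
# non-DNS event.
SAMPLE_URL = "https://intranet.example.gov/img/u.aspx"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": W3WP, "QueryName": hex_to_labels(SAMPLE_URL) + ".c2-placeholder.invalid"},
    {"EventID": 22, "Image": W3WP, "QueryName": "sql01.intranet.example.gov"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4.cdn.example.net"},
    {"EventID": 1, "Image": W3WP, "QueryName": ""},
]

if __name__ == "__main__":
    for hit in find_hex_dns_beacons(SAMPLE_EVENTS):
        print(hit["QueryName"], "->", hit["decoded"])
```

Decoding the payload is what separates a triage signal from noise: a CDN cache key is also a long hex label, but it does not decode to a printable URL on the server's own web root.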

## 4. Updates to Prior Coverage

### UPDATE: Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors

> **UPDATE (originally covered 2026-06-02):** The Miasma worm — the TeamPCP-spawned descendant of the Mini Shai-Hulud lineage first covered against the Red Hat `@redhat-cloud-services` npm namespace — recompromised the `durabletask` package and propagated into the Microsoft GitHub estate. On 2026-06-05 GitHub disabled **73 repositories** across the Azure, Azure-Samples, Microsoft and MicrosoftDocs organisations in a 105-second automated terms-of-service sweep, taking the entire Azure Durable Task family (.NET, Go, Java, JS, MSSQL, Netherite, protobuf) offline ([OpenSourceMalware, 2026-06-05](https://opensourcemalware.com/blog/miasma-reaches-azure); [The Hacker News, 2026-06-06](https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html)).
>
> The material delta from the 2026-06-02 coverage: the variant adds **Azure CLI auth-cache and managed-identity token collectors** (earlier Shai-Hulud strains targeted AWS and GitHub), and the recompromise traces to the same `durabletask` credential foothold from the May TeamPCP incident — i.e. credentials taken in May were never fully revoked. Azure Durable Task is a foundational dependency for Azure Functions / serverless workflows widely consumed in EU public-sector cloud deployments, so the downstream exposure is cloud infrastructure, not just developer machines.
>
> Defender takeaway: audit `~/.azure/` credential stores on developer workstations and CI/CD runners that installed any affected `@azure/*` package; rotate Azure managed-identity tokens and Kubernetes service-account tokens on those systems; monitor GitHub audit logs for unexpected public-repo creation (the worm's secret-exfil-as-public-repo behaviour is what trips GitHub's automated sweep). Note the worm-vs-defender naming overlap is real here — "Miasma" is the attacker worm, not a tool.
>
> — *Source: [OpenSourceMalware — The Blight Reaches Microsoft](https://opensourcemalware.com/blog/miasma-reaches-azure) · Additional source: [The Hacker News, 2026-06-06](https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html) · Tags: supply-chain, cloud, infostealer · Region: global · Sector: technology, public-sector*

## 5. Deep Dive — Luna Moth / Silent Ransom Group (UNC3753): vishing-to-physical-access data-theft extortion against legal and professional services

**Background and why this is a deep dive now.** Luna Moth (also Silent Ransom Group / SRG, Chatty Spider, UNC3753) is a financially-motivated data-theft-and-extortion crew that has operated since 2022, originally tied to the BazarCall callback-phishing ecosystem. Its defining trait is the absence of ransomware: it does not encrypt, it steals and threatens publication. In May 2025 the FBI publicly warned that the group had spent roughly two years targeting US law firms via callback phishing ([BleepingComputer, 2025-05-23](https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extortion-attacks-targeting-law-firms/)). This brief covered the group's **physical-intrusion escalation** on 2026-05-28, when the FBI's 2026-05-26 Cyber FLASH (CSA 260526) reported operatives entering law-firm offices to insert USB exfiltration devices when remote social engineering failed. The reason for a fuller treatment now is three genuinely-new in-window developments: (1) Mandiant published a comprehensive primary forensic analysis on 2026-06-05 that supplies the kill-chain and ATT&CK detail the earlier news-only FBI-FLASH coverage lacked; (2) a major law firm reportedly paid ~$20 M in a suppression payment; and (3) the group moved its C2 onto DNS fast-flux infrastructure. The deep dive consolidates these into the actionable picture a defender needs — it does not re-report the physical-USB tactic as novel.

**The 2026 campaign.** Mandiant attributes a January-through-May 2026 data-theft extortion campaign against dozens of US professional-, legal- and financial-services organisations to UNC3753 ([Mandiant, 2026-06-05](https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/)). The intrusion is entirely social-engineered — there is no exploit in the chain. A benign invoice- or subscription-themed email establishes pretext; a follow-up vishing call impersonating internal IT support walks the target into hosting a screen-share session and installing a remote-access tool. Mandiant observed the actor convincing victims to install AnyDesk, Bomgar or Zoho Assist, and in one engagement to execute a "SuperOps RMM agent" via a cURL command. From there the actor pivots through BYOD or virtual desktops, enumerates file shares and document-management systems, then stages and exfiltrates using portable WinSCP or Rclone. The compression of the timeline is the operational headline: Mandiant notes that in many incidents the full sequence from first contact to data theft occurred within a single business day, and "Recently, Mandiant observed data searches, staging, and theft initiated in under an hour." Extortion follows by unbranded email, typically with a short deadline and a threat to publish on the actor's leak site.

**The physical-access escalation (first flagged 2026-05-28, now forensically confirmed).** The off-network tactic the FBI FLASH warned about is now corroborated in Mandiant's primary reporting: "individuals posing as IT technicians entered corporate offices to attempt direct exfiltration of data from an endpoint using USB storage media" (`T1052.001` Exfiltration over Physical Medium). This bypasses every network-side control — egress filtering, RMM-installer detection, cloud-upload DLP — because the data never crosses the network perimeter. Visitor management and physical-security posture become a detection surface that EDR and log telemetry cannot cover.

**Kill chain and ATT&CK mapping.** Initial access via [`T1566.004` Spearphishing Voice](https://attack.mitre.org/techniques/T1566/004/) and [`T1204.002` User Execution](https://attack.mitre.org/techniques/T1204/002/); remote access established through [`T1219` Remote Access Software](https://attack.mitre.org/techniques/T1219/); discovery via [`T1083` File and Directory Discovery](https://attack.mitre.org/techniques/T1083/) and [`T1135` Network Share Discovery](https://attack.mitre.org/techniques/T1135/); collection and exfiltration via [`T1074` Data Staged](https://attack.mitre.org/techniques/T1074/), [`T1567.002` Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/) and, in the physical variant, [`T1052.001`](https://attack.mitre.org/techniques/T1052/001/). The FBI's 2026-05-26 Cyber FLASH independently corroborates the campaign and underscores that, because no encryption is used and only legitimate remote-access and file-transfer tooling appears, conventional ransomware detections do not fire and few host artefacts remain ([Help Net Security, 2026-05-27](https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/)).

**Why this run.** Two in-window developments make this current rather than a recap of the 2025 FBI warning. First, a major US law firm, Weil, Gotshal & Manges, reportedly paid an estimated ~$20 M suppression payment after client data was stolen from an external cloud-storage site — an unusually large, fast (reportedly within days) payout that signals how high the leverage is when the stolen material is privileged legal data ([Legal Cheek, 2026-06-03](https://www.legalcheek.com/2026/06/weil-reportedly-pays-up-to-20-million-after-hackers-steal-client-data/)). Second, the group is hardening its operational infrastructure: a 2026-06-05 report documents SRG moving its command-and-control onto **DNS fast-flux** infrastructure, improving resilience against takedown and static-indicator blocking ([Security Affairs, 2026-06-05](https://securityaffairs.com/193215/cyber-crime/silent-ransom-group-srg-switching-to-dns-fast-flux-infrastructure.html)).

**Detection and hardening (no IOCs).** Behavioural pivots: alert on RMM-agent installation (AnyDesk/Bomgar/Zoho/SuperOps) initiated from `cmd.exe`/`powershell.exe` or a cURL one-liner (Sysmon EID 1 with parent-process anomalies); flag portable WinSCP/Rclone execution from user-profile paths and high-volume outbound SSH/cloud-storage transfer sessions; watch document-management systems (e.g. iManage/SharePoint) for sudden keyword-search spikes and bulk downloads from VDI sessions. Hardening: block unauthorised RMM agents via WDAC/application control; restrict VDI/VPN authentication to corporate-managed devices with step-up MFA on BYOD; disable USB mass-storage write via GPO on sensitive endpoints; and — uniquely relevant given the in-person vector — enforce visitor credentialing and escort policies, and have help-desk staff verify any "IT support" callback against an out-of-band internal directory before granting remote or physical access. For Swiss and European legal and professional-services firms the campaign is directly transferable: the IT-helpdesk-impersonation vector is identical to the social-engineering pressure already seen across European corporate intrusions, and the physical-intrusion escalation raises a duty-of-care question that is squarely a physical-security, not just a SOC, problem.

— *Source: [Mandiant / Google Cloud GTIG — targeted campaign against US law firms](https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/) · Additional source: [Help Net Security — FBI Silent Ransom Group alert, 2026-05-27](https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/) · Additional source: [Legal Cheek, 2026-06-03](https://www.legalcheek.com/2026/06/weil-reportedly-pays-up-to-20-million-after-hackers-steal-client-data/) · Additional source: [Security Affairs, 2026-06-05](https://securityaffairs.com/193215/cyber-crime/silent-ransom-group-srg-switching-to-dns-fast-flux-infrastructure.html) · Tags: organized-crime, data-breach, phishing · Region: us, global · Sector: legal-services, finance*
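Two of the behavioural pivots above expressed as Sysmon EID 1 rules, an added example rather than Mandiant's or the FBI's detection content: an RMM product launched by a shell or cURL parent, and WinSCP/Rclone executing from a user-profile path. Product-name substring matching and the profile root in `USER_PROFILE_ROOT` are assumptions; the events are constructed.

```python
"""Process-creation rules for the Luna Moth / SRG tradecraft described above:
an RMM agent installed from a shell or cURL one-liner, and portable WinSCP or
Rclone launched from a user-profile path.

Added example, not Mandiant's or the FBI's detection content. Uses Sysmon event
ID 1 fields (Image, ParentImage, CommandLine); matching RMM products by name
substring and the profile root in USER_PROFILE_ROOT are assumptions.
"""

RMM_PRODUCTS = ("anydesk", "bomgar", "zoho", "superops")   # matched case-insensitively in image name or command line
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe"}
PORTABLE_TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
USER_PROFILE_ROOT = "c:\\users\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_rmm_from_shell(ev: dict):
    """RMM product started by a shell/cURL parent rather than from the user's desktop."""
    haystack = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
    if basename(ev.get("ParentImage", "")) in SHELL_PARENTS and any(p in haystack for p in RMM_PRODUCTS):
        return "rmm-install-from-shell"
    return None


def rule_portable_transfer_tool(ev: dict):
    """WinSCP/Rclone running out of a profile directory instead of an installed location."""
    image = ev.get("Image", "")
    if basename(image) in PORTABLE_TRANSFER_TOOLS and image.lower().startswith(USER_PROFILE_ROOT):
        return "portable-transfer-tool"
    return None


def evaluate(events):
    """Return (rule, image) for every EID 1 event that trips a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        for rule in (rule_rmm_from_shell, rule_portable_transfer_tool):
            name = rule(ev)
            if name:
                hits.append((name, ev["Image"]))
    return hits


# Constructed sample events in the Sysmon EID 1 shape: an RMM binary run from
# cmd.exe, rclone from a Temp directory, and two benign launches of installed tools.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "rclone.exe copy"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WinSCP.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "AnyDesk.exe"},
]

if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Both rules key on context rather than on the tool itself, since every binary involved is legitimate software: an installed AnyDesk started from the desktop is normal, the same product started from a shell during a "support" call is the campaign's first host artefact.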

## 6. Action Items

- **Mitigate Cisco Catalyst SD-WAN Manager now — no patch exists** (see [§ 2 CVE-2026-20245](#cve-2026-20245-cisco-catalyst-sd-wan-manager-actively-exploited-command-injection-to-root-no-patch)). Actively exploited to root; ACL the management plane to a dedicated management VLAN, enforce MFA for netadmin, rotate Manager credentials, and confirm the earlier pre-auth bypass CVE-2026-20182 is remediated so the unauth-to-root chain is broken. Hunt the CLI audit log and edge-device config-push events.
- **Patch SolarWinds Serv-U to 15.5.4 Hotfix 1** if you run it internet-exposed (see [§ 2 CVE-2026-28318](#cve-2026-28318-solarwinds-serv-u-unauthenticated-dos-added-to-cisa-kev)). Unauthenticated single-request DoS, confirmed exploited; until patched, restrict the SFTP/FTP/HTTP interface exposure.
- **Patch MISP instances to the 2026-06-04 release** (see [§ 2 CVE-2026-10868](#cve-2026-10868-misp-critical-mass-assignment-account-takeover-in-the-eu-threat-sharing-platform)). Multi-org sharing hubs are highest-priority given the account-takeover + cross-org template-overwrite combination. Pre-patch, monitor `UsersController::edit` requests where the posted user id ≠ session user id.
- **Lock down npm build pipelines against IronWorm and Miasma** (see [§ 1](#ironworm-rust-built-npm-worm-ships-an-ebpf-kernel-rootkit-tor-c2-and-a-cloud-ai-credential-sweep) and [§ 4](#update-miasma-supply-chain-worm-reaches-73-microsoft-github-repositories-adds-azure-credential-collectors)). Enforce `npm install --ignore-scripts` in CI, pin lockfile integrity, rotate/scope npm publish (incl. Trusted Publishing) tokens, and rotate Azure managed-identity / `~/.azure` credentials on any runner that installed an affected `@azure/*` package. Add `bpf()`-syscall and Tor-bootstrap egress monitoring on build hosts.
- **Hunt legacy IIS / .NET 4.0 servers for OP-512 behaviourally, not by timestamp** (see [§ 3](#op-512-china-linked-cluster-runs-a-cryptographically-unique-self-reporting-iis-web-shell-framework-against-legacy-net-servers-single-source)). Look for `w3wp.exe` issuing long hex-string DNS subdomain queries and spawning `cmd`/`powershell`/`csc`; isolate or retire EOL .NET 4.0 hosts.
- **Harden against Luna Moth helpdesk-impersonation and physical intrusion** (see [§ 5](#5-deep-dive-luna-moth-silent-ransom-group-unc3753-vishing-to-physical-access-data-theft-extortion-against-legal-and-professional-services)). Block unauthorised RMM agents via application control, require out-of-band verification of "IT support" callbacks, restrict VDI/VPN to managed devices, and — given the in-person USB vector — review visitor-credentialing/escort policy and USB-write GPO on sensitive endpoints. Brief cleared/research staff on the LinkedIn/job-platform recruitment tradecraft in [§ 1](#five-eyes-joint-bulletin-chinese-military-intelligence-recruiting-cleared-personnel-through-linkedin-and-job-platforms).

— *Source: [Cisco PSIRT advisory cisco-sa-sdwan-privesc-4uxFrdzx](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx) · Additional source: [Mandiant, 2026-06-05](https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/) · Tags: actively-exploited, vulnerabilities, supply-chain · Region: global, europe · Sector: public-sector*

## 7. Verification Notes

- **Items dropped:**
  - *CVE-2026-49975 (HTTP/2 Bomb)* — surfaced by S1 and S2 but already covered as the full deep dive on 2026-06-04; the in-window BSI WID-SEC-2026-1791 and NCSC-CH advisory 12610 are national-CERT pickup, not a material new development (no new exploitation, no new patch beyond what was already reported), so it is not re-reported under PD-8.
  - *Chrome 149 ANGLE sandbox-escape (reported CVSS 9.6)* — does not clear a § 2 inclusion gate (no in-the-wild exploitation, no public PoC); the "record 429 vulnerabilities" framing is a vendor-release count, not threat signal. The single sub-agent that surfaced it (S1) had unreliable sourcing (below); the bare CVE id is therefore omitted from this note rather than recorded as fact. Apply Chrome auto-update via MDM as routine.
  - *Everest Forms Pro WordPress unauthenticated RCE (reported CVSS 9.8)* — only an NVD page (a hard-blocked source) and a single aggregator carried it; no acceptable vendor/research primary was reachable and the exploitation claim was single-source. Dropped pending a verifiable advisory; CVE id omitted as unverified.
  - *Altium Enterprise Server path-traversal cluster (reported CVSS up to 10.0, unauth file write)* — would clear the CVSS gate but is a niche electronics/defence-engineering product with no observed exploitation and low CH/EU public-sector nexus; the only sourcing was a single sub-agent whose URL ledger proved unreliable (below). CVE ids omitted as unverified.
  - *ESET BTMOB Android RAT-as-a-service* — primary source dated 2026-05-26 (well outside the 36 h window, and outside the 72 h developing window); Latin-America targeting with low CH/EU nexus.
  - *Red Canary "Entra Agent ID → Teams" identity-abuse research* — primary dated 2026-06-01, outside the 36 h window; genuinely relevant to CH/EU Copilot/M365 deployments and flagged here for possible pickup if a fresh development lands.
  - *Hola Browser update-pipeline cryptominer compromise* — real (Sophos/BleepingComputer) but lower operational signal (≈0.1 % of users, cryptominer payload); omitted for focus.
- **Single-source / reduced-confidence:**
  - *OP-512 (§ 3)* is a single-source original disclosure by ReliaQuest; included as research with the lab named, per the PD-5 carve-out for primary research.
  - *InfoGuard Q2 2026 Threat Intelligence Report* (Iran-resumes / Rockwell FactoryTalk ICS pivot / Russia OT probing) — the InfoGuard primary blog was unreachable and only a German press relay (itiko.de) carried the specific findings; the FactoryTalk-pivot claim could not be independently corroborated, so it is logged here rather than reported as fact.
- **Data-quality note (research sub-agent reliability):** S1 returned several fabricated or guessed Source URLs — its JFrog IronWorm URL returned HTTP 404, its OP-512 ReliaQuest URL and several The-Hacker-News slugs were incorrect, and it recorded false `200` statuses for those URLs in the run's URL-liveness ledger (`work/<run-id>/url-liveness.tsv`). Every S1-derived item retained in this brief (Cisco SD-WAN, SolarWinds Serv-U, IronWorm, Miasma, OP-512) was re-verified against independently-confirmed primaries (NCSC-CH / CISA-KEV bridge, ReliaQuest's correct URL, JFrog Research's correct URL) before inclusion; affected items were dropped.
- **Contradictions:** S1 and S3 reported OP-512 with conflicting URLs and differing web-shell detail (S1: three role-specific shells; S3/ReliaQuest: one `.aspx` + two `.ashx` with RSA/RC4 per-deployment keying). Resolved in favour of the ReliaQuest source text, which was fetched and verified directly.
- **Coverage gaps:** sec-disclosures-edgar (no Item 1.05 8-K filings in window); databreaches-net (HTTP 403, Cloudflare); inside-it-ch (HTTP 403 / empty feed across direct, RSS and Wayback — unreachable this run); sophos-xops (HTTP 503, sixth consecutive run); zdi, recordedfuture-insikt (RSS feed 404); cnil-fr, edpb (no in-window enforcement notices); sekoia (not fetched — time).
