# CTI Daily Brief — 2026-06-25

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8 (1M context), model ID `claude-opus-4-8[1m]`) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.8 (1M context)) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (1M context) (`claude-opus-4-8[1m]`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8 (1M context), Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.64 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Operation Endgame dismantles Amadey and StealC MaaS infrastructure** — a Europol-coordinated action on 24 June took down 326 servers and 142 domains, recovered ~27 million stolen credentials from 385,000+ systems and froze EUR 41M ([BleepingComputer, 2026-06-24](https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/)); both families are commodity initial-access and credential-theft stages that feed ransomware affiliates active against European targets ([Microsoft, 2026-06-24](https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/)).
- **NCSC-CH flags an active Microsoft 365 "voicemail" phishing wave in Switzerland** — Week 25 review documents dual-path ZIP-borne infostealer / fake-login credential theft against M365 tenants, with downstream BEC and chain-phishing once a mailbox is taken; the ZIP-as-audio lure is the key detection discriminator ([NCSC-CH, 2026-06-23](https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_25.html)).
- **Two new initial-access-broker toolsets surface — Mistic and Edgecution** — Symantec details Mistic, sideloaded via a signed Microsoft Defender binary so its activity reads as legitimate Defender behaviour ([Symantec, 2026-06-24](https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/)); Zscaler details Edgecution, a malicious Edge extension that bridges the browser sandbox to a host Python backdoor via the Native Messaging API (today's deep dive) ([Zscaler, 2026-06-23](https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution)).
- **Patch your own tooling — MISP 2.5.42** closes six CVEs including two site-admin RCE paths (rdkafka plugin-load and ndjson log injection) plus Azure-AD auth and access-control hardening, directly affecting the threat-intel platform most EU CERTs/CSIRTs run ([MISP, 2026-06-22](https://www.misp-project.org/2026/06/22/misp.2.5.42.release.html/)).
- **"Cordyceps" shows the GitHub Actions `pull_request_target` pwn-request class is still widely live** — 300+ of 30,000 scanned high-impact repos were fully exploitable from a single unauthenticated PR, including Microsoft Azure Sentinel and Google's ADK; `actions/checkout` v7 ships safer defaults but pinned older workflows remain exposed ([Novee Security, 2026-06-23](https://novee.security/blog/cordyceps/)).

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### NCSC-CH: active Microsoft 365 "voicemail" phishing wave in Switzerland delivers infostealers and harvests M365 credentials
Switzerland's National Cyber Security Centre reported a higher-than-usual volume of a dual-path Microsoft 365 / OneDrive-for-Business phishing campaign in its Week 25 review ([NCSC-CH, 2026-06-23](https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_25.html)). In the malware-delivery variant the email carries a ZIP "audio" attachment that, when run, installs an infostealer harvesting browser credentials, session cookies and wallet data; in the credential-harvest variant a fake Microsoft login page with a simulated audio player ("Play voicemail as guest") captures the M365 username and password. NCSC-CH notes that a compromised mailbox is then used to read live business email and run chain-phishing and BEC fraud from a recognised sender replying inside an existing thread (`T1114.003`, `T1098`), and that stolen credentials are frequently resold and resurface in targeted follow-up attacks weeks later.
**Why it matters to us:** Swiss public-sector staff are direct recipients. The discriminator is mechanical — legitimate voicemail notifications deliver `.wav`/`.mp3`, never a ZIP. Phishing-resistant MFA (FIDO2 / certificate-based Conditional Access) defeats the credential-theft path even when the lure succeeds; hunt the M365 unified audit log for inbox-rule and forwarding-rule creation within minutes of a sign-in from a country/ASN the user has never signed in from before.
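The audit-log hunt described above, as an added example (not NCSC-CH tooling): it correlates constructed Unified Audit Log records so that an inbox-rule or forwarding change is flagged when it follows, within a short window, a sign-in from a country outside the user's baseline. `GEO_LOOKUP`, `BASELINE` and every record value are assumptions constructed for the example.

```python
"""Correlate Microsoft 365 Unified Audit Log records to surface inbox-rule or
forwarding changes made shortly after a sign-in from a country the user has
never signed in from before (the post-compromise BEC pattern NCSC-CH describes).

Added example, not NCSC-CH tooling. SAMPLE_RECORDS are constructed in the
shape of UAL entries (Operation, UserId, ClientIP, CreationTime, Parameters);
GEO_LOOKUP stands in for a GeoIP/ASN service and BASELINE for the per-user
history of countries seen in earlier sign-ins. All values are made up.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # "within minutes": tune to your tenant

# Exchange Online operations that create or change mail-routing rules.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
# Set-Mailbox is only a rule change when it touches forwarding.
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress",
                     "DeliverToMailboxAndForward"}

# Assumption: stand-in for GeoIP enrichment (constructed documentation IPs).
GEO_LOOKUP = {"203.0.113.7": "CH", "192.0.2.9": "CH", "198.51.100.42": "NG"}

# Assumption: countries each user has previously signed in from.
BASELINE = {"alice@example.ch": {"CH"}, "bob@example.ch": {"CH", "DE"}}

SAMPLE_RECORDS = [  # constructed
    {"CreationTime": "2026-06-23T08:00:05", "Operation": "UserLoggedIn",
     "UserId": "alice@example.ch", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2026-06-23T09:02:11", "Operation": "UserLoggedIn",
     "UserId": "alice@example.ch", "ClientIP": "198.51.100.42"},
    {"CreationTime": "2026-06-23T09:07:40", "Operation": "New-InboxRule",
     "UserId": "alice@example.ch", "ClientIP": "198.51.100.42",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-06-23T09:09:03", "Operation": "Set-Mailbox",
     "UserId": "alice@example.ch", "ClientIP": "198.51.100.42",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:attacker@example.net"}]},
    {"CreationTime": "2026-06-23T11:30:00", "Operation": "Set-Mailbox",  # not forwarding
     "UserId": "alice@example.ch", "ClientIP": "198.51.100.42",
     "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]},
    {"CreationTime": "2026-06-23T10:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.ch", "ClientIP": "192.0.2.9"},
    {"CreationTime": "2026-06-23T10:03:00", "Operation": "New-InboxRule",  # baseline country
     "UserId": "bob@example.ch", "ClientIP": "192.0.2.9",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]


def _params(rec):
    """Flatten the UAL Parameters list [{Name, Value}, ...] into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def is_rule_change(rec):
    op = rec["Operation"]
    if op == "Set-Mailbox":
        return bool(FORWARDING_PARAMS & _params(rec).keys())
    return op in RULE_OPS


def find_suspicious_rules(records, baseline):
    """Return one alert per rule/forwarding change that follows, within WINDOW,
    a sign-in by the same user from a country outside their baseline.
    An IP the lookup cannot place is treated as novel (conservative)."""
    novel = {}   # user -> [(sign-in time, country, ip)]
    alerts = []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        user = rec["UserId"].lower()
        ts = datetime.fromisoformat(rec["CreationTime"])
        if rec["Operation"] == "UserLoggedIn":
            country = GEO_LOOKUP.get(rec.get("ClientIP", ""), "??")
            if country not in baseline.get(user, set()):
                novel.setdefault(user, []).append((ts, country, rec["ClientIP"]))
        elif is_rule_change(rec):
            for s_ts, country, ip in novel.get(user, []):
                if timedelta(0) <= ts - s_ts <= WINDOW:
                    alerts.append({"user": user, "operation": rec["Operation"],
                                   "at": rec["CreationTime"], "params": _params(rec),
                                   "signin_country": country, "signin_ip": ip,
                                   "minutes_after_signin": int((ts - s_ts).total_seconds() // 60)})
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rules(SAMPLE_RECORDS, BASELINE):
        print(alert)
```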

— *Source: [NCSC-CH Wochenrückblick Week 25](https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_25.html) · Tags: phishing, infostealer, identity, eu-nexus · Region: switzerland · Sector: public-sector, finance · Evidence: "In one version of the scam, the attackers try to trick the victim into running malware. The email has a compressed file attached to it, for example a ZIP file called 'audio_Y6CEKNH8OE.zip'." (NCSC-CH); "Stolen Microsoft 365 login details give attackers access to emails, OneDrive, SharePoint and Teams... The compromised mailbox is then often used to send phishing emails to all of the victim's contacts ('chain phishing')." (NCSC-CH)*

### Operation Endgame dismantles the Amadey and StealC malware-as-a-service backbone
A Europol-coordinated law-enforcement and private-sector action on 24 June 2026 took down the shared infrastructure of Amadey and StealC — two of the dominant commodity malware-as-a-service families that form the pre-ransomware infection chain ([Microsoft, 2026-06-24](https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/) · [Europol, 2026-06-24](https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks)). The action seized 326 servers and 142 domains, recovered ~27 million credentials stolen from 385,000+ systems and froze EUR 41M in cryptocurrency ([BleepingComputer, 2026-06-24](https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/)). Amadey (active since 2018) is a modular C++ loader with 29+ commands, scheduled-task persistence and payload staging; StealC is a C++ infostealer sold as MaaS that harvests browser credentials, cookies, wallets and desktop clients over RC4-encrypted HTTP. ESET contributed RC4 keys and clustering that identified 53 Amadey and 73 StealC clusters ([ESET, 2026-06-24](https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/)); Proofpoint and IBM X-Force documented a directory-traversal flaw in StealC's C2 panel (its filename sanitiser failed to strip forward-slashes), and an exploit built on it was used by global law enforcement to map and access affiliate infrastructure ([Proofpoint/IBM X-Force, 2026-06-24](https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame)). This is a distinct action from the SocGholish/TA569 phase covered on 2026-06-19.
**Why it matters to us:** Detecting Amadey delivery (ClickFix fake-CAPTCHA, SEO poisoning) and StealC exfiltration is a real ransomware pre-emption opportunity. Hunt scheduled-task creation (EID 4698) by browser/Office parents from `%APPDATA%` paths, and browser-process → `mshta.exe`/`wscript.exe` chains with temp-path arguments.

— *Source: [Microsoft Threat Intelligence](https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/) · [Europol newsroom](https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks) · Additional source: [ESET WeLiveSecurity](https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/) · Additional source: [Proofpoint / IBM X-Force](https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/) · Tags: law-enforcement, infostealer, botnet, organized-crime, ransomware · Region: europe, global · Sector: public-sector, finance · Evidence: "326 servers and 142 domains while identifying €41 million in cryptocurrency tied to criminal activity. Investigators recovered approximately 27 million credentials stolen from over 385,000 compromised systems" (BleepingComputer); "Amadey has been active in the crimeware ecosystem since 2018 and functions as a modular backdoor with access to more than 29 backdoor commands and a wide variety of plugins" (Microsoft Threat Intelligence)*

### "Mistic" backdoor: signed-Defender DLL sideloading and in-memory tradecraft by access broker Woodgnat/KongTuke
Symantec disclosed Backdoor.Mistic (also tracked as MLTBackdoor), deployed since April 2026 by initial-access broker Woodgnat (a.k.a. KongTuke), which sells footholds to ransomware affiliates including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta ([Symantec, 2026-06-24](https://www.broadcom.com/support/security-center/protection-bulletin/backdoor-mistic-new-backdoor-may-be-linked-to-ransomware-access-broker) · [SecurityWeek, 2026-06-24](https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/)). Mistic achieves DLL sideloading via a digitally signed Microsoft Defender executable (`MpExtMs.exe`) loading a malicious `EndpointDlp.dll` (`T1574.002`, `T1036.005`), so its activity reads as legitimate Defender behaviour to EDR. Per Symantec it also supports in-memory tradecraft, file manipulation and arbitrary code execution, and carries a kill switch for stealth. Delivery uses ClickFix / FileFix / CrashFix lures (fake CAPTCHAs, browser-crash pages, Teams IT-helpdesk impersonation directing victims to run PowerShell).
**Why it matters to us:** The downstream affiliates are all active public-sector ransomware actors. Detection is precise: the legitimate Defender DLP module loads from `%ProgramFiles%\Windows Defender\` under a Microsoft certificate — any `EndpointDlp.dll` loaded from a user-writable path or with a non-Microsoft signature is high-confidence (Sysmon EID 7). Pair with EID 1 parent chains for PowerShell spawned by Teams/Office clients.
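The EID 7 check above, as an added example (not Symantec's detection): it scores constructed Sysmon ImageLoad events for `EndpointDlp.dll` by load path and signer, and also flags the signed host binary itself running outside the Defender directory. The ProgramData Platform path in `ALLOWED_DIRS`, the Microsoft signer string and all sample paths are assumptions.

```python
"""Sysmon Event ID 7 (ImageLoad) check for the Mistic sideloading pattern:
EndpointDlp.dll loaded from anywhere other than the Defender install
directory, or without a valid Microsoft signature, plus the signed Defender
host binary itself running outside that directory.

Added example, not Symantec's detection. SAMPLE_EVENTS are constructed EID 7
records using Sysmon's field names (Image, ImageLoaded, Signed, Signature,
SignatureStatus). The ProgramData Platform directory in ALLOWED_DIRS is an
assumption (Defender platform updates install there); the Program Files path
is the one the brief cites. Take the exact signer string from your own
baseline of legitimate Defender loads.
"""
import ntpath

TARGET_DLL = "endpointdlp.dll"
ALLOWED_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",  # assumption
)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 7, "Computer": "ws01",
     "Image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe",
     "ImageLoaded": "C:\\Program Files\\Windows Defender\\EndpointDlp.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "ws02",  # sideload from a user-writable path
     "Image": "C:\\Users\\j.doe\\AppData\\Roaming\\EdgeUpdate\\MpExtMs.exe",
     "ImageLoaded": "C:\\Users\\j.doe\\AppData\\Roaming\\EdgeUpdate\\EndpointDlp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Computer": "ws02",  # unrelated load, ignored
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Computer": "ws03",  # right path, wrong signer
     "Image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe",
     "ImageLoaded": "C:\\Program Files\\Windows Defender\\EndpointDlp.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid"},
]


def _under_allowed(path):
    p = path.lower()
    return any(p.startswith(d) for d in ALLOWED_DIRS)


def _microsoft_signed(ev):
    return (ev.get("Signed", "").lower() == "true"
            and ev.get("SignatureStatus") == "Valid"
            and ev.get("Signature", "").startswith("Microsoft"))


def check_image_load(ev):
    """Return the reasons an EID 7 event looks like Mistic sideloading
    (empty list = benign). Only EndpointDlp.dll loads are considered."""
    if ev.get("EventID") != 7:
        return []
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != TARGET_DLL:
        return []
    reasons = []
    if not _under_allowed(loaded):
        reasons.append(f"EndpointDlp.dll loaded from non-Defender path: {loaded}")
    if not _microsoft_signed(ev):
        sig = f"{ev.get('Signature') or '<none>'}/{ev.get('SignatureStatus') or '<none>'}"
        reasons.append(f"DLL lacks a valid Microsoft signature: {sig}")
    host = ev.get("Image", "")
    if not _under_allowed(host):
        # A copied MpExtMs.exe beside the rogue DLL is the classic sideload tell.
        reasons.append(f"signed Defender host running from non-Defender path: {host}")
    return reasons


def hunt(events):
    """Return (computer, loaded DLL, reasons) for every event that fires."""
    hits = []
    for ev in events:
        reasons = check_image_load(ev)
        if reasons:
            hits.append((ev.get("Computer", "?"), ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```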

— *Source: [Broadcom/Symantec protection bulletin](https://www.broadcom.com/support/security-center/protection-bulletin/backdoor-mistic-new-backdoor-may-be-linked-to-ransomware-access-broker) · [SecurityWeek](https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/) · Additional source: [CSO Online](https://www.csoonline.com/article/4189132/be-on-the-lookout-for-mistic-a-new-backdoor-used-by-ransomware-broker.html) · Tags: ransomware, organized-crime, infostealer · Region: global · Sector: education, technology, legal-services · Evidence: "Mistic achieves DLL sideloading via a digitally-signed Microsoft Defender executable (MpExtMs.exe) loading a malicious DLL named EndpointDlp.dll" (CSO Online citing Symantec); "Woodgnat maintains relationships with six ransomware families including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta" (SecurityWeek)*

## 2. Trending Vulnerabilities

### CVE-2026-56447, CVE-2026-56446, CVE-2026-56425, CVE-2026-56424, CVE-2026-56423, CVE-2026-56422 — MISP 2.5.42: two site-admin RCE paths plus Azure-AD auth and broken-access-control hardening
MISP 2.5.42 (released 2026-06-22 by the CIRCL-supported project) is a security-hardening release listing six CVEs in the threat-intelligence platform that most EU national CERTs/CSIRTs run ([MISP, 2026-06-22](https://www.misp-project.org/2026/06/22/misp.2.5.42.release.html/) · [GitHub release v2.5.42](https://github.com/MISP/MISP/releases/tag/v2.5.42)). The release fixes two remote-code-execution paths: CVE-2026-56447 (CVSS 9.3 per the GitHub advisory) lets a site administrator point `Kafka_rdkafka_config` at a crafted file that abuses rdkafka's `plugin.library.paths` to load an attacker-supplied shared library under MISP's process privileges ([GHSA-834x-pvxg-xh58](https://github.com/advisories/GHSA-834x-pvxg-xh58)); a second RCE comes from arbitrary NDJSON-log paths, now strictly controlled in 2.5.42 (`T1505.003`). Both require a site-admin account, so the practical risk is post-compromise persistence/lateral movement on a shared instance. The remaining fixes harden Azure-AD authentication and close broken-access-control / mass-assignment issues across MISP's controllers (CVE-2026-56446, CVE-2026-56425, CVE-2026-56424, CVE-2026-56423, CVE-2026-56422); the release notes do not publish per-CVE CVSS scores. A compromised MISP instance exposes a whole community's TLP:AMBER/RED corpus and can be used to inject false indicators — upgrade to 2.5.42, verify file ownership on `APP/tmp/` and the web root, and audit the admin trail for Kafka/log-path changes.

— *Source: [MISP 2.5.42 release notes](https://www.misp-project.org/2026/06/22/misp.2.5.42.release.html/) · [GitHub release v2.5.42](https://github.com/MISP/MISP/releases/tag/v2.5.42) · Additional source: [GitHub Security Advisory GHSA-834x-pvxg-xh58](https://github.com/advisories/GHSA-834x-pvxg-xh58) · Tags: vulnerabilities, rce, identity, patch-available, eu-nexus · Region: europe, global · Sector: public-sector · CVE: CVE-2026-56447, CVE-2026-56446, CVE-2026-56425, CVE-2026-56424, CVE-2026-56423, CVE-2026-56422 · CVSS: 9.3 (CVE-2026-56447), n/a (CVE-2026-56446), n/a (CVE-2026-56425), n/a (CVE-2026-56424), n/a (CVE-2026-56423), n/a (CVE-2026-56422) · Vector: user-interaction · Auth: post-auth · Status: patch-available · Evidence: "A malicious configuration file could exploit rdkafka's plugin.library.paths feature to load external libraries, enabling arbitrary code execution under MISP's process privileges." (GitHub Security Advisory GHSA-834x-pvxg-xh58); "RCE via arbitrary ndjson log paths — the ndjson log file path/name is now strictly controlled." (MISP 2.5.42 release notes)*

## 3. Research & Investigative Reporting

### "Cordyceps" — the GitHub Actions `pull_request_target` pwn-request class is still widely exploitable at scale
Novee Security published "Cordyceps", an empirical study of a long-known but persistently unmitigated class of GitHub Actions CI/CD vulnerabilities ([Novee Security, 2026-06-23](https://novee.security/blog/cordyceps/) · [SecurityWeek, 2026-06-24](https://www.securityweek.com/exploitable-ci-cd-vulnerabilities-expose-millions-of-repositories-to-hijacking/)). The pattern: a `pull_request_target` (or comment-triggered) workflow runs with the base repository's write permissions and secrets while checking out or otherwise consuming untrusted fork-PR content, letting an attacker inject code into a privileged CI context (`T1195.002`). Of ~30,000 high-impact repositories scanned, 654 were flagged and 300+ confirmed fully exploitable — including Microsoft (Azure Sentinel), Google (AI Agent Development Kit), Apache (Doris), Cloudflare (Workers SDK) and the Python Software Foundation (Black) — with exploitation requiring only a free GitHub account and a single PR. Successful exploitation can yield the org's GitHub App key, cloud repository authority, or the ability to publish attacker-controlled packages to trusted registries. GitHub shipped `actions/checkout` v7 on 18 June with safer `pull_request_target` defaults that refuse to fetch fork-PR head commits in unsafe patterns ([GitHub Changelog, 2026-06-18](https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/)), but organisations pinning older action versions or running self-managed Enterprise Server are not yet protected. Audit `.github/workflows/*.yml` for `pull_request_target` triggers that reference any `${{ github.event.pull_request.* }}` context in `run:`/`env:` steps; scope `GITHUB_TOKEN` to `contents: read` by default; and split build/test onto the unprivileged `pull_request` trigger.
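The workflow audit described above, as an added example (not Novee Security's scanner): a line-based check that flags a privileged trigger combined with fork-controlled context, a checkout of the PR head, a pre-v7 `actions/checkout` or a write-scoped token, run against a constructed vulnerable workflow and its hardened counterpart. Treating `issue_comment` as a second privileged trigger and `github.head_ref` as attacker-controlled are additions beyond the brief's text.

```python
"""Line-based audit of GitHub Actions workflow files for the Cordyceps /
pwn-request pattern: a privileged trigger (pull_request_target, or the
comment-driven issue_comment) combined with fork-controlled pull-request
content reaching run:/env: steps, a checkout of the fork's head, a pre-v7
actions/checkout, or write permissions for GITHUB_TOKEN.

Added example, not Novee Security's scanner. It is regex-based so it runs
without a YAML library; a production tool should parse the YAML properly.
Both workflows below are constructed.
"""
import re

PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment")
# Expression contexts a fork author controls (PR title/body, comment, branch name).
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.(event\.pull_request\.|event\.issue\.|event\.comment\.|head_ref)")
CHECKOUT_REF = re.compile(r"^\s*ref:\s*.*(pull_request\.head|head_ref)")
CHECKOUT_USES = re.compile(r"uses:\s*actions/checkout@v(\d+)")
WRITE_PERMISSION = re.compile(
    r"^\s*(permissions:\s*write-all|(contents|packages|id-token|pull-requests|"
    r"actions|deployments|issues|security-events|statuses|checks|pages):\s*write)\s*$")

VULNERABLE = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Show title
        run: echo "Building ${{ github.event.pull_request.title }}"
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: npm ci && npm test
"""

HARDENED = """\
name: PR build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - run: npm ci && npm test
"""


def privileged_triggers(text):
    """Privileged triggers named anywhere in the workflow (heuristic: a bare
    word match, so a trigger mentioned only in a comment would also count)."""
    return [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", text)]


def audit_workflow(text):
    """Return (line_no, finding) pairs; line 0 marks a file-level finding.
    An unprivileged pull_request workflow never sees the base repo's secrets
    or write token, so it is not audited further."""
    triggers = privileged_triggers(text)
    if not triggers:
        return []
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if UNTRUSTED_CONTEXT.search(line):
            findings.append((no, f"fork-controlled context interpolated under {triggers}: {s}"))
        if CHECKOUT_REF.search(line):
            findings.append((no, "checks out the fork's head into a privileged job"))
        m = CHECKOUT_USES.search(line)
        if m and int(m.group(1)) < 7:
            findings.append((no, f"actions/checkout@v{m.group(1)} predates the safer v7 defaults"))
        if WRITE_PERMISSION.search(line):
            findings.append((no, f"write permission granted: {s}"))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "no permissions: block, GITHUB_TOKEN falls back to the repo default"))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```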

— *Source: [Novee Security — Cordyceps](https://novee.security/blog/cordyceps/) · Additional source: [SecurityWeek](https://www.securityweek.com/exploitable-ci-cd-vulnerabilities-expose-millions-of-repositories-to-hijacking/) · Additional source: [GitHub Changelog — actions/checkout safer defaults](https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/) · Tags: supply-chain, cloud, vulnerabilities · Region: global · Sector: technology, public-sector · Evidence: "Scans of 30,000 high-impact repositories flagged 654 vulnerable instances; over 300 were confirmed fully exploitable" (Novee Security); "GitHub updated actions/checkout on June 18 to block common pwn-request patterns" (GitHub Changelog)*

## 4. Updates to Prior Coverage

### UPDATE: Klue/Icarus Salesforce OAuth breach — BeyondTrust and LastPass added to the named-victim list
> **UPDATE (originally covered 2026-06-19):** BeyondTrust and LastPass have both disclosed that business-contact and sales-related data was exfiltrated from their Salesforce environments via the compromised Klue integration, pushing the confirmed named-victim count past 14 ([SecurityWeek, 2026-06-24](https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/) · [Help Net Security, 2026-06-24](https://www.helpnetsecurity.com/2026/06/24/lastpass-klue-data-breach-salesforce-environment/)).
>
> The BeyondTrust exposure is the notable delta: a privileged-access-management vendor losing its CRM contact and support-case data to a SaaS supply-chain compromise illustrates that security-vendor customer lists are a deliberate targeting priority for the Icarus extortion crew. LastPass states customer vaults were not affected. Salesforce had already disabled the Klue Battlecards connection on 17 June ([The Hacker News, 2026-06-19](https://thehackernews.com/2026/06/salesforce-disables-klue-app.html)). Any organisation receiving a Salesforce "Connected App disabled" notice for Klue should treat it as an incident trigger and audit Event Log File `ApiTotalUsage` / `ApiAnomalyEventStore` records for bulk REST API reads in the June 11–17 window (`T1199`, `T1528`, `T1213.003`).
>
> — *Source: [SecurityWeek](https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/) · Additional source: [Help Net Security](https://www.helpnetsecurity.com/2026/06/24/lastpass-klue-data-breach-salesforce-environment/) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/salesforce-disables-klue-app.html) · Tags: data-breach, supply-chain, identity, cloud · Region: global · Sector: technology, finance · Evidence: "BeyondTrust also said business contact and sales-related information was stolen from its Salesforce instance" (SecurityWeek); "an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass" (Help Net Security citing LastPass)*

## 5. Deep Dive — Edgecution: abusing the Chrome/Edge Native Messaging API as a browser-sandbox-to-host bridge

**Background.** Browser-extension-to-host pivoting is not a new idea — the Native Messaging API (the stdio IPC channel that lets a browser extension talk to a registered local executable) has been a documented abuse surface for years, and EDR coverage of browser child-processes remains uneven. What Zscaler ThreatLabz documents in Edgecution is this class turned into a working, in-the-wild initial-access toolset operated by the Payouts Kings group ([Zscaler ThreatLabz, 2026-06-23](https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution) · [BleepingComputer, 2026-06-24](https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/)).

**Initial access.** The chain begins with a Microsoft Teams social-engineering lure: attackers impersonate IT support and direct the victim to a fraudulent Outlook "update" portal (`T1204.002` [User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/), preceded by `T1656` impersonation). The download is a ZIP bundling an embedded Python 3.13.3 runtime, a malicious Edge extension presented as an "Edge Monitoring Agent", and the native-messaging host components that register the extension-to-executable channel.

**Sandbox-to-host bridge.** The extension runs inside a headless (hidden-window) Edge instance invisible to the user (`T1564.003` [Hide Artifacts: Hidden Window](https://attack.mitre.org/techniques/T1564/003/)), beacons to C2 hosted on `cloudfront.net` subdomains over HTTPS (`T1071.001` [Application Layer Protocol: Web Protocols](https://attack.mitre.org/techniques/T1071/001/)), and relays received commands across the Native Messaging stdio channel (`T1559` [Inter-Process Communication](https://attack.mitre.org/techniques/T1559/)) to a Python backdoor running on the host. The design point is evasion: controls that watch the browser process tree but not the native-messaging-host child process never see the host commands cross the boundary.

**On-host capability.** The Python backdoor (`T1059.006` [Command and Scripting Interpreter: Python](https://attack.mitre.org/techniques/T1059/006/)) implements shell and PowerShell command execution, arbitrary code execution, file writes, process enumeration and system reconnaissance — a full IAB foothold from which ransomware affiliates can be sold access. Zscaler reports the observed C2 used `cloudfront.net` subdomains hosted on AWS, which blend with legitimate CDN traffic.

**Hunt and detection concepts.** (1) Process-tree rule: `msedge.exe` spawning a native-messaging host executable followed by a Python interpreter invocation is the kill-chain signature — the host process is registered under `HKCU\Software\Microsoft\Edge\NativeMessagingHosts\`. (2) Registry monitoring: additions under that key by anything other than a legitimate installer (Sysmon EID 13). (3) Process telemetry: a headless/hidden Edge instance launched outside normal user interaction (Sysmon EID 1, command-line flags indicating an automation/headless profile). (4) Network: CloudFront-subdomain beaconing originating from `msedge.exe` or a Python child in an environment that does not normally use those endpoints.
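Concepts (1) to (3) above as executable rules over constructed Sysmon events, added here and not Zscaler's logic: rule 1 walks EID 1 process ancestry from a Python interpreter back to `msedge.exe`, rule 2 flags EID 13 Native Messaging host registrations under a user hive by anything other than an installer, and rule 3 flags Edge launched with headless/automation flags. The flag list, the installer allowlist and every sample path and GUID are assumptions.

```python
"""Sysmon hunt rules for the Edgecution native-messaging bridge:
  1. a Python interpreter whose process ancestry passes through msedge.exe
     (extension -> native-messaging host -> Python backdoor), EID 1;
  2. a Native Messaging host registered under a user hive by something
     other than an installer, EID 13;
  3. an Edge instance started with headless/automation flags, EID 1.

Added example, not Zscaler's detection logic. SAMPLE_EVENTS are constructed
Sysmon EID 1/13 records using Sysmon field names (Image, ParentProcessGuid,
TargetObject, ...). INSTALLER_IMAGES and AUTOMATION_FLAGS are assumptions
to tune per estate.
"""
import ntpath

NM_KEY = "\\software\\microsoft\\edge\\nativemessaginghosts\\"
PYTHON = {"python.exe", "pythonw.exe"}
INSTALLER_IMAGES = {"msiexec.exe", "setup.exe"}                   # assumption
AUTOMATION_FLAGS = ("--headless", "--load-extension",
                    "--remote-debugging-port")                   # assumption
MAX_HOPS = 3   # msedge -> host -> (optional launcher) -> python

EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
EXT_DIR = "C:\\Users\\j.doe\\AppData\\Roaming\\EdgeMonitoringAgent"   # constructed
SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "ProcessGuid": "G1", "ParentProcessGuid": "G0", "Image": EDGE,
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "msedge.exe --headless --load-extension=" + EXT_DIR + "\\ext"},
    {"EventID": 1, "ProcessGuid": "G2", "ParentProcessGuid": "G1",
     "Image": EXT_DIR + "\\agent_host.exe", "ParentImage": EDGE,
     "CommandLine": "agent_host.exe chrome-extension://abcdefghijklmnop/"},
    {"EventID": 1, "ProcessGuid": "G3", "ParentProcessGuid": "G2",
     "Image": EXT_DIR + "\\python\\pythonw.exe", "ParentImage": EXT_DIR + "\\agent_host.exe",
     "CommandLine": "pythonw.exe agent.py"},
    {"EventID": 1, "ProcessGuid": "G4", "ParentProcessGuid": "G9",
     "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessGuid": "G5", "ParentProcessGuid": "G4",           # benign
     "Image": "C:\\Python313\\python.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "python.exe notebook.py"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Edge"
                     "\\NativeMessagingHosts\\com.edgemonitoring.agent",
     "Details": EXT_DIR + "\\host.json"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Edge\\NativeMessagingHosts\\com.vendor.app",
     "Details": "C:\\Program Files\\Vendor\\host.json"},                 # benign installer
]


def _base(path):
    return ntpath.basename(path).lower()


def _edge_ancestry(ev, procs):
    """Return the image chain from a process up to msedge.exe within
    MAX_HOPS, or None if Edge is not an ancestor."""
    chain = [_base(ev["Image"])]
    parent = procs.get(ev.get("ParentProcessGuid"))
    while parent and len(chain) <= MAX_HOPS:
        chain.append(_base(parent["Image"]))
        if chain[-1] == "msedge.exe":
            return chain
        parent = procs.get(parent.get("ParentProcessGuid"))
    return None


def hunt(events):
    """Return (rule, subject, detail) tuples for every event that fires."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] == 1:
            img = _base(e["Image"])
            if img in PYTHON:                                   # rule 1
                chain = _edge_ancestry(e, procs)
                if chain:
                    alerts.append(("nm-bridge-chain", " <- ".join(chain), e["CommandLine"]))
            cmd = e["CommandLine"].lower()
            if img == "msedge.exe" and any(f in cmd for f in AUTOMATION_FLAGS):   # rule 3
                alerts.append(("headless-edge", e["CommandLine"], e["ParentImage"]))
        elif e["EventID"] == 13:                                # rule 2
            target = e["TargetObject"].lower()
            # Sysmon reports HKCU keys as HKU\<SID>\...; HKLM registrations by an
            # installer are the expected legitimate path.
            if (target.startswith("hku\\") and NM_KEY in target
                    and _base(e["Image"]) not in INSTALLER_IMAGES):
                alerts.append(("nm-host-registered", e["TargetObject"], e["Image"]))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```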

**Hardening.** Enterprise browsers should restrict extension installation to approved publisher IDs via Group Policy (`ExtensionInstallAllowlist` and `BlockExternalExtensions`), and allow-list Native Messaging hosts explicitly. Blocking user-profile (`HKCU`) Native Messaging host registration via AppLocker/WDAC removes this persistence and bridging path. Because the entry point is a Teams IT-helpdesk lure, the same control that blunts ClickFix/FileFix — preventing users from running attacker-supplied scripts and constraining who can deliver Teams messages from outside the tenant — applies here too.

— *Source: [Zscaler ThreatLabz — Payouts King / Edgecution](https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/) · Tags: organized-crime, ransomware, identity, phishing · Region: global · Sector: finance, public-sector, technology · Evidence: "Edgecution has two components: a Microsoft Edge browser extension that beacons to a command-and-control (C2) server and relays host-based commands to a Python-based backdoor" (BleepingComputer citing Zscaler ThreatLabz); "the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host" (BleepingComputer citing Zscaler ThreatLabz)*

## 6. Action Items

- **Upgrade MISP to 2.5.42 now** if you run a MISP instance — six CVEs including two site-admin RCE paths (rdkafka plugin-load CVE-2026-56447, CVSS 9.3; and an ndjson log-path RCE). Verify file ownership on `APP/tmp/` and the web root and audit the admin trail for Kafka/log-path changes. (See § 2.)
- **Audit GitHub Actions workflows for the Cordyceps pattern** — flag every `pull_request_target` trigger that consumes `${{ github.event.pull_request.* }}` content; adopt `actions/checkout` v7 or pin a safe configuration; scope `GITHUB_TOKEN` to `contents: read`; rotate secrets in affected repos. (See § 3.)
- **Hunt for signed-Defender DLL sideloading (Mistic)** — alert on `EndpointDlp.dll` loaded from a user-writable path or with a non-Microsoft signature (Sysmon EID 7), and on PowerShell spawned by Teams/Office clients. (See § 1.)
- **Hunt for Native-Messaging bridging (Edgecution)** — `msedge.exe` → native-messaging host → Python interpreter chains, and `HKCU\...\Edge\NativeMessagingHosts\` additions by non-installers; allow-list extensions and native-messaging hosts via Group Policy / WDAC. (See § 5.)
- **Reinforce M365 phishing controls (NCSC-CH wave)** — flag ZIP attachments masquerading as voicemail audio, enforce phishing-resistant MFA via Conditional Access, and hunt inbox-rule / forwarding-rule creation shortly after sign-ins from new countries/ASNs. (See § 1.)
- **Audit Salesforce connected-app OAuth tokens (Klue/Icarus)** — review Event Log File `ApiTotalUsage` / `ApiAnomalyEventStore` for bulk REST reads in the June 11–17 window and minimise token scopes. (See § 4.)

— *Source: [MISP 2.5.42 release notes](https://www.misp-project.org/2026/06/22/misp.2.5.42.release.html/) · [Novee Security — Cordyceps](https://novee.security/blog/cordyceps/) · Tags: vulnerabilities, supply-chain, identity, patch-available · Region: europe, global · Sector: public-sector*

## 7. Verification Notes

- **Items dropped:**
  - **DifyTap (Dify cross-tenant flaws, CVE-2026-41947 / -41948 / -41949 / -41950)** — already evaluated and dropped to § 7 on 2026-06-23; the grounds still hold (all paths require an authenticated editor/tenant account, no in-the-wild exploitation), so it does not clear the § 2 inclusion bar despite a stronger primary (Zafran) now being available.
  - **OXLoader (Elastic Security Labs)** — single-substantive-source and surfaced by two sub-agents with conflicting publication dates (19 vs 23 June) and conflicting technical descriptions (`.reloc`-section shellcode staging + anti-VM checks vs. process-hollowing + clipper); dropped pending a single reconcilable account.
  - **Mini-Shai-Hulud / Miasma / Hades PyPI worm wave (Socket Security)** — the substantive primary is dated 8 June, outside the 36 h window (one sub-agent's 24 June date appears to be the date of a Schneier commentary follow-up, not the primary); the Shai-Hulud family has prior coverage, so this is held for a cleaner in-window development.
  - **DoJ seizure of Huione Group laundering infrastructure ($31B)** — significant law-enforcement action but no patch/hunt/block/detect decision for a public-sector SOC; out of scope under less-is-more.
  - **GhostSender / Ghost-Sender (Exchange Online sender spoofing, InfoGuard / Abnormal)** — strong CH relevance, but the substantive InfoGuard research is dated 9 June (outside the 36 h window) and the two sub-agents returned materially different mechanism descriptions (direct-to-EOP submission bypassing the external MX gateway vs. cross-tenant outbound-relay abuse); dropped rather than publish an unreconciled mechanism. The in-window CH email-threat signal is carried by the NCSC-CH Week 25 item in § 1.
  - **Cacti 1.2.31 (CVE-2026-39893 and the wider 1.2.31 cluster)** — the only citable substantive source (Cacti GHSA-69gg-mjfm-jjpc) is dated 2026-06-19, outside the 36 h window, and covers only CVE-2026-39893; the additional CVEs and the 24-June ENISA EUVD indexing that would anchor it in-window are on a blocked-URL search page that cannot be cited inline. Dropped to avoid both an out-of-window item and over-attribution to a single advisory. Still worth patching: pre-auth SQLi (CVSS 9.8) reachable via default guest graph-viewing.
  - **Arista EOS tunnel-decapsulation flaw (CVE-2026-7473)** — initially drafted as a § 4 UPDATE on the back of an apparently-fresh Eclypsium analysis, but verification established the Eclypsium article is dated 2026-06-16 and the SecurityWeek piece 2026-06-10 — both outside even the 72 h developing window, with no in-window delta. The CVE was already covered on 2026-06-10 (KEV-listed, Arista SA-0137 mitigation); there is no new development this run, so it is dropped rather than recycled. Operators on EOS 4.x should still treat SA-0137 mitigation as permanent (no code fix planned).
- **Single-source (national-CERT carve-out):** NCSC-CH Week 25 voicemail-phishing item (§ 1) rests on the NCSC-CH Wochenrückblick as primary disclosing authority for Switzerland (PD-5 carve-out).
- **Recency edge:** the MISP 2.5.42 item (§ 2, released 2026-06-22) sits just beyond the 36 h standard window but inside the 72 h developing window; retained for its direct relevance to the threat-intel platform CH/EU public-sector SOCs run.
- **Contradiction:** Operation Endgame scale figures differed across sub-agents — one reported 296 servers / 66 domains / 25.6M credentials; the brief uses 326 servers / 142 domains / ~27M credentials / EUR 41M, the figure independently corroborated by Microsoft, ESET and BleepingComputer (the latter quoted verbatim).
- **Verification:** iteration 1 (`cti-verification`, Opus) returned NEEDS_FIXES (truth 6 / editorial 1 / advisory 1) — corrected a "no CVE published" error + dedup miss on the Arista flaw (CVE-2026-7473), narrowed MISP CVSS to the single GHSA-sourced score, dropped the over-attributed Cacti item, softened the Mistic capability framing, fixed the Operation Endgame directory-traversal attribution (researchers documented it; law enforcement used it), and rebound the Edgecution CloudFront quote. Iteration 2 (`cti-verification-alt`, Sonnet, with prior-iteration deltas) returned NEEDS_FIXES (truth 1 / editorial 1 / advisory 1) — removed a residual "in-memory BOF execution" phrase from the Mistic heading, and on finding the Arista sources are dated 06-16 / 06-10 (out of window) dropped the Arista item entirely rather than republish stale coverage. Iteration 3 (`cti-verification`, Opus, cold read) returned CLEAN (truth 0 / editorial 0; two non-blocking F11 advisories on quote-source labelling left as residual).
- **Tooling:** `tools/source_health.py` did not finish within its time budget this run (full-source network probe); the committed `state/source_health.json` is the prior snapshot. No impact on the brief.
- **Coverage gaps:** `databreaches-net` (HTTP 403 on the bridge for a third consecutive run — persistent transport block, not a dead source); `cert-eu`, `cert-fr-avis`, `ncsc-ch-security-hub`, `ncsc-nl`, `cisa-kev`, `msrc` (bridge-reachable but no net-new in-window items); `mandiant-gtig`, `sophos-xops` (feed fetch failures, exit code 1); `inside-it-ch` (Cloudflare-gated); `ico-uk`, `cnil-fr` (no in-window enforcement actions); `broadcom-symantec`, `zscaler-threatlabz` (SPA bodies unreadable from the bridge — content confirmed via corroborating publishers).
