17 verified findings from 2 runs · the settled record for this UTC day, in the classic brief order.
Criticality
Kind
Topic
Region
TL;DR · the day in one read
01Balbooa patches an actively-exploited unauthenticated file-upload RCE in its Joomla Forms extension — the third such flaw in the ecosystem in two weeks. Balbooa Forms (the com_baforms Joomla component) up to and including 2.4.0 exposed its frontend attachment-upload handler to any anonymous visitor with no authentication, no CSRF token, and no file-extension allow-list, allowing a .php upload to be written into a web-served directory and executed — unauthenticated RCE (CWE-434). It was exploited as a zero-day before the 2.4.1 fix (9 July 2026) and attacks continue against unpatched sites. Anyone running Joomla with Balbooa Forms should update to 2.4.1 now and check for tampering. →
02CERT-PL: Ghostwriter/UNC1151 now phishes Gmail with a live 2FA-relay panel that defeats TOTP and SMS. CERT Polska reports that the Belarus-linked UNC1151/Ghostwriter group has, since March 2026, run a high-intensity Gmail phishing campaign against political and public-life figures, senior officials, researchers, journalists, and public-administration and law-enforcement staff. The fake login panel relays the second factor in real time — harvesting the password then requesting the TOTP/SMS code for an immediate automated login — defeating both app-based and SMS 2FA. Push FIDO2/WebAuthn for exposed EU/CH public-sector Gmail identities; TOTP and SMS are not sufficient against this design. →
03Januscape (CVE-2026-53359): 16-year-old KVM shadow-MMU UAF gives a guest root a host escape on both Intel and AMD. Januscape (CVE-2026-53359) is a use-after-free in the KVM/x86 shadow-MMU emulation (arch/x86/kvm/mmu/mmu.c) that lay dormant in the Linux kernel for ~16 years and lets a root user inside any KVM guest escape to the host on both Intel and AMD. A public PoC panics the host kernel (DoS against every co-tenant); a working host-RCE exploit exists but is withheld. Fixed upstream 2026-06-16 — patch KVM host kernels to the fixed trains now; there is no guest-side mitigation. →
CERT Polska (NASK) reports that UNC1151/Ghostwriter — the Belarus-linked cluster that for years phished Polish-provider webmail (Onet, WP, Interia) — has since March 2026 shifted at high, near-daily intensity to Gmail accounts, with new phishing domains appearing almost daily (CERT Polska, 2026-07-08). The lure imitates a Gmail security/administrator notice ("suspicious activity", "account may be blocked") written in error-free Polish and sent from purpose-created Gmail accounts or compromised mailboxes with a spoofed display name, frequently via BCC to obscure the target list. Targeting is broad — political and public-life figures, senior officials, researchers, journalists, public-administration and law-enforcement staff, and their family and social contacts — with some campaigns narrowed to specific professional groups such as translators and court experts.
The core technical escalation over prior campaigns is a real-time second-factor relay: after harvesting the password, the fake login panel displays a second form requesting the TOTP/SMS code, which the operators feed into an automated login against the real account, defeating both app-based (Google Authenticator) and SMS-based factors (CERT Polska, 2026-07-08). Infrastructure mixes dedicated phishing domains on .icu/.digital/.top TLDs with abuse of *.netlify.app subdomains, plus fake panels planted on compromised Polish websites whose main pages are left untouched to avoid tipping off the site owner. The initial lure maps to T1566.002 Phishing: Spearphishing Link; the live-relay capture is best described qualitatively (CERT Polska does not name specific AitM tooling).
Since March 2026, however, the group has been running phishing campaigns targeting Gmail users. These campaigns are carried out with high intensity, mainly on weekdays. Notably, they enable the theft of two-factor authentication (2FA) credentials.
If a second factor is required, the phishing page displays an additional form requesting the code. This allows attackers to capture both SMS-based codes and those generated by applications such as Google Authenticator.
CERT Polska
threat09 Jul 04:32Zsingle-source · national CERTOpen finding ↗
The ransomware/extortion group "Unsafe" listed Deutsche Bank on its dark-web leak site and published screenshots of alleged database exports, terminal commands and employee records — email addresses, password hashes, physical addresses — as proof of a claimed breach of the bank's "internal systems" (Cybernews, 2026-07-07; Cybersecurity Insiders, 2026-07-08). Deutsche Bank's own spokesperson, in a statement carried on 2026-07-08/09, said the incident did not involve the bank's own network but instead affected a third-party company in Germany that runs a marketing and incentive platform for the bank's sales partners, with "no indication that Deutsche Bank's internal systems or networks were or are affected" (Computing UK, 2026-07-09). Researchers assessing the leaked samples said the data appears to relate to bank employees but that they could not determine whether any customer information was included.
Unsafe operates a ransomware-as-a-service, double-extortion model; after a relatively quiet 2024–2025 it re-emerged in 2026 with reported targets in Germany, the United States, Switzerland and France — the same-actor reach into this constituency's home region being the reason the item is in scope rather than the victim's name. The actual initial-access vector into the German vendor has not been disclosed by any party, and generic secondary profiling of Unsafe's tooling should be treated as unverified for this specific intrusion.
"We have been informed of a cybersecurity incident at an external service provider," the spokesperson said, adding that there was "no indication that Deutsche Bank's internal systems or networks were or are affected" and no evidence of unauthorised access to the bank's network.
Psychiatrische Dienste Aargau AG (PDAG), a Swiss cantonal psychiatric-care provider, disclosed that unauthorised parties gained access to individual @pdag.ch email accounts and abused them to send spam and phishing messages to external recipients (SwissCybersecurity.net, 2026-07-09; Inside IT, 2026-07-08). On discovery, PDAG locked the affected accounts immediately, reset passwords for all employees as a precaution, notified the competent cantonal and national authorities, and engaged internal and external IT-security experts plus its external ICT service provider to analyse and harden. By its current assessment the incident is limited to account misuse for outbound spam/phishing, with no indication that patient data was accessed or exfiltrated; the organisation is warning recipients about suspicious mail purporting to come from its domain.
No technical root cause — the initial-access vector into the mailboxes, whether MFA was enforced, or whether the takeover was via credential phishing or an OAuth consent grant — was disclosed, so the mechanism is unknown rather than assumed. The pattern maps to T1566 Phishing for the initial access and T1586.002 Compromise Accounts: Email Accounts for the takeover and downstream abuse.
Nayax Ltd. — an Israeli-headquartered fintech (Nasdaq/Tel Aviv-listed) providing cashless payment terminals and management platforms, and, through Nayax Europe UAB, a Bank-of-Lithuania-licensed payment institution serving more than 23 million enterprises across the EEA (Nayax, 2018-07-17) — filed a Form 6-K with the SEC on 2026-07-08 disclosing that it detected "unusual activity" in a cloud account belonging to one of its subsidiaries, which it "immediately blocked and contained" (Nayax SEC Form 6-K, 2026-07-08). Nayax states its production environment and core payment-processing systems were unaffected and business operations continue normally, with the scope still under investigation alongside Israeli and US law enforcement (DataBreaches.net, 2026-07-08).
Separately, an extortion group calling itself "The Syndicate" posted leak-site claims — surfaced by DataBreaches.net on 2026-07-08 — asserting it acquired more than 1 billion card records, had been inside Nayax's infrastructure for "almost a year", and exfiltrated over 100 TB, with a threatened ~11-day countdown to a public data portal. No evidence has been published for any of these figures, and DataBreaches.net notes the claims are internally inconsistent with Nayax's "immediately blocked and contained" characterisation — a familiar extortion pattern of inflating scope for leverage. Nayax's stock reportedly fell after the claims surfaced, but the company has not confirmed the attacker's figures (Calcalistech, 2026-07-08). The filing does not disclose the initial-access vector, the cloud provider, or which subsidiary was involved — a material gap for deriving any concrete detection lever from the disclosure alone.
As part of the company's ongoing monitoring, an unusual activity was detected in relation to one of Nayax's subsidiaries, in one of the company's cloud accounts, which was immediately blocked and contained.
The company's production environment and its core systems have not been affected by the event. The company's business activity continues as normal, without impact to the company's business operations.
One claim is that they have acquired over 1 billion card records. Another claim is that they have been inside Nayax's servers for almost a year, and have exfiltrated more than 100 TB of data. That claim appears to conflict with a claim that something was immediately blocked and contained or that it was detected quickly.
Nozomi Networks Labs' AI-assisted honeypot triage flagged two Golang-based DDoS botnet samples this spring that stand out from the routine volume of Mirai-derived variants: Apex2 and c2c (distributed under the filename "meow") (Nozomi Networks Labs, 2026-07-06). Apex2 is a direct structural evolution of the earlier Apex botnet: infection begins with Telnet connections and credential brute-forcing, followed by download-and-execute of the Golang payload, which registers with its C2 over a plaintext protocol (host OS/architecture) and ships builds for Linux (arm, arm64, mipsle, ppc64) and Windows (386, amd64). Its named flood commands include cf (an HTTP(S) flood specifically tuned to bypass Cloudflare via randomized User-Agent lists and long keep-alive timeouts), udp/pps, discord/game UDP floods, and three TLS-flood variants (tls, tlsplus, tlsplusbypass). c2c/meow is architecturally simpler — a Golang flooder with no built-in propagation (a separate SSH scanner handles brute-forcing and delivery) that authenticates to a hardcoded C2 over plaintext JSON-over-TCP, checks for passwordless sudo (sudo -n true) to self-escalate, then persists by copying itself to /usr/local/bin/cpufreqd and registering a fake systemd unit masquerading as a "CPU Frequency Daemon" — supporting ten flood-module types (icmp, dnsudp, udp, http, directhttp, fasthttp, betterhttp, tcp, tcphandshake, dnstcp).
Nozomi's stated point for defenders is that neither family is sophisticated — both lean on commodity Golang tooling, weak/default credentials and exposed Telnet/SSH interfaces rather than novel exploitation — and that the lack of sophistication does not reduce the risk at scale, because the build-and-deploy cycle for such botnets is getting faster. ATT&CK mapping: T1110 Brute Force (Telnet/SSH), T1105 Ingress Tool Transfer, T1548.003 Abuse Elevation Control Mechanism: Sudo (c2c's passwordless-sudo self-escalation), T1543.002 Create or Modify System Process: Systemd Service with T1036.005 Masquerading (the fake cpufreqd unit), and T1498 Network Denial of Service for the flood modules.
It checks whether passwordless sudo is available by running sudo -n true and evaluating the return value. If successful, it relaunches itself with increased privileges, copies to /usr/local/bin/cpufreqd, and creates a fake systemd service named "CPU Frequency Daemon"
In both cases, the emphasis is not on sophistication, but on speed, reuse and scalability.
Group-IB documents a significantly upgraded variant of RedHook, an Android RAT first described by Cyble in July 2025 and previously focused on Vietnamese banking users (Group-IB, 2026-07-09). The notable new capability is self-service privilege abuse over ADB Wireless Debugging with no exploit involved. After the victim is socially engineered — via impersonation calls/messages and a fake Play-Store-styled site — into installing the APK and granting Accessibility through a "required setup" walkthrough, the malware uses Accessibility-driven UI automation to silently navigate Settings, enable Developer Options and Wireless Debugging, then embeds its own ADB client to connect to the device's own ADB daemon over the loopback interface (127.0.0.1) — no PC or USB cable needed. It launches a Shizuku-derived privileged helper that runs under shell uid 2000, from which it grants itself runtime permissions, sets WRITE_SECURE_SETTINGS, installs/uninstalls apps and executes shell commands with no user-facing confirmation dialogs. Group-IB states plainly that "there is no exploit here" — this is abuse of a legitimate developer feature, the same primitive tools like Shizuku have long used, weaponised for the first time by malware.
Persistence is layered: a 1×1-pixel foreground activity, silent MediaSession audio, a foreground-service WakeLock, two mutually cross-rebinding services (bindService with BIND_AUTO_CREATE) that resurrect each other, oom_score_adj tuning to -1000, mlock() memory pinning, and a BOOT_COMPLETED receiver that re-establishes Wireless ADB and the helper on every reboot; screen streaming runs over WebSocket with a parallel RTMP stream once shell privileges exist, bypassing the MediaProjection consent dialog. The command set has grown to 53 server-issued commands, APK payloads are hosted on GitHub and AWS S3 for delivery reliability, and OEM-specific UI-automation routines (Google, Huawei, Meizu, Oppo, Samsung, Vivo, Xiaomi) are present but not yet invoked — suggesting planned device-coverage expansion. Mapped for mobile defenders to T1453 Abuse Accessibility Features, T1541 Foreground Persistence, T1512 Video Capture, T1417 Input Capture, and — closest available mapping for the shell-uid grab — T1626 Abuse Elevation Control Mechanism.
This, however, is the first time we have seen it used by a malware to abuse privileges on a victim's device.
There is no exploit here, "merely" turning a debugging interface into a path to shell-level privileges.
Check Point Research documented Cavern Manticore, an Iran MOIS-linked APT it assesses shares technical and infrastructure overlap with MuddyWater and OilRig's Lyceum subgroup, targeting Israeli government and IT-sector organisations (Check Point Research, 2026-07-06). Its namesake framework, Cavern, is a modular post-exploitation .NET C2 whose components are deliberately compiled into three different binary formats: pure IL-only .NET (the mhm.dll file-ops/DPAPI-decrypt module, db.dll SQL browser, ode.dll LDAP/AD-recon module), Mixed-Mode C++/CLI IL+native (the uxtheme.dll Cavern Agent core), and .NET 8 NativeAOT native-only (n-HTCommp.dll HTTPS/WebSocket transport, n-ten.dll network recon/SMB brute-force, n-sws.dll SOCKS5/WSS tunnel). The compilation-format diversity is itself the anti-analysis layer: each format demands a different reverse-engineering toolchain, and NativeAOT strips framework symbols and resolves security-sensitive P/Invoke calls (WNetAddConnection2, NetShareEnum, NetLocalGroupGetMembers) through runtime descriptor tables rather than the PE import table, hiding capability from import-based triage (Check Point Research, 2026-07-06).
Delivery is the transferable part: the actor abused SysAid's legitimate software-update/deployment feature — not a SysAid vulnerability — to push a WinDirStat DLL-sideloading package that loads the trojanized uxtheme.dll as the Cavern Agent, which exports 83 functions mimicking the real Windows theming library (82 empty stubs; the one live export, EnableThemeDialogTexture, is the C2 entry point) — a sandbox trap for automated analysis that only invokes default exports. Each loaded module is isolated in its own .NET AppDomain via a MarshalByRefObject proxy so modules can be unloaded cleanly after use, leaving minimal forensic residue; most samples score zero or near-zero on VirusTotal. ATT&CK: T1574.002 DLL Side-Loading, T1027 Obfuscated Files or Information (via compilation-format diversity), T1620 Reflective Code Loading (AppDomain-isolated modules), T1219 Remote Access Software (SysAid deployment abuse).
Cavern Manticore is an Iran MOIS (Ministry of Intelligence and Security)-linked actor, with links to the OilRig subgroup named Lyceum
the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain
SysAid was not compromised, and no SysAid vulnerability was involved. The attacker had already gained access to the victim environment and abused a legitimate software-deployment feature
The Centre for Cybersecurity Belgium (CCB) published a standalone "patch immediately" advisory on 8 July for CVE-2026-48614, a CWE-94 (improper control of code generation / code injection) flaw in Plesk's XML API (CCB, 2026-07-08). An authenticated, low-privilege panel user can send a crafted XML-API request that bypasses the intended authorization boundary and injects arbitrary configuration directives into upstream config generation; because input neutralisation is broken, this yields an arbitrary file write performed as root, i.e. local privilege escalation from any authenticated panel account to full root on the hosting server. CCB scores it CVSS 3.1 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) (CCB, 2026-07-08). Plesk's own advisory confirms the CVE and the LPE impact, thanks independent researcher Georgii Shutiaev for the disclosure, and lists affected versions below 18.0.30, patched in 18.0.30 through 18.0.78.4, with 18.0.79 and later unaffected (Plesk, 2026-07-03). Neither CCB nor Plesk reports in-the-wild exploitation at publication. Mapped to T1068 Exploitation for Privilege Escalation.
The prerequisite is only a valid low-privilege authenticated session — and that is the point for defenders: on multi-tenant shared-hosting Plesk installs, every hosting customer already holds such an account, so the flaw collapses tenant isolation and turns any customer into a path to root on the shared server and thus to every co-tenant's sites and data. Plesk is broadly deployed across Swiss and EU web-hosting providers and public-sector/SME web infrastructure, which is why CCB — a national authority (Admiralty A) — escalated it rather than leaving it to routine patching.
An improper authorization vulnerability in the Plesk XML API allows an authenticated user to inject arbitrary configuration directives.
The exploitation of this flaw can result in an arbitrary file write as the root user, leading to local privilege escalation (LPE).
Balbooa Forms is a widely deployed drag-and-drop form builder for Joomla, installed as the com_baforms component for contact, registration and survey forms on thousands of sites, including the SME and municipal/public-sector Joomla estates common across Switzerland and Europe. Up to and including version 2.4.0, its frontend attachment-upload task — reached at index.php?option=com_baforms&task=form.uploadAttachmentFile — ran for any anonymous visitor with no authentication check, no Session::checkToken() CSRF validation, and no allow-list on the uploaded file's extension (mySites.guru, 2026-07-08). The write routine (FormModel::uploadAttachmentFile, around line 122 of the frontend FormModel.php) took the extension from the attacker-supplied filename and sanitised only the name portion with Joomla's File::makeSafe() — which strips dangerous characters but does not reject a .php extension — then rejoined the cleaned name with the untouched extension and wrote the file under images/baforms/uploads/form-<id>/, a directory that is served directly and executes PHP. The result is unauthenticated arbitrary-file-upload-to-RCE (CWE-434), the highest-severity web outcome, requiring no account of any kind; Joomla's CNA scored it CVSS 4.0 base 10.0 (AV:N/AC:L/AT:N/PR:N/UI:N).
This was a genuine zero-day: it surfaced when a mySites.guru customer brought in a raw web-server access log after a Hetzner hosting-abuse report, showing a successful exploit attempt before any patch existed, and the researchers state the same attacks continue against unpatched sites, with no public proof-of-concept released (mySites.guru, 2026-07-08). Balbooa fixed it the same day it was disclosed, shipping 2.4.1 on 9 July 2026 with four layered changes — a server-side extension allow-list per upload field, an optional MIME-type check, a server-generated stored filename (defeating double-extension tricks), and a CSRF token check (Balbooa changelog, 2026-07-09); the flaw is tracked as CVE-2026-56291 (CWE-434, CVSS 4.0 base 10.0). Notably, the changelog lists these as ordinary "Fixed" items — one bullet mentions improving upload security — but nowhere flags that they close an actively-exploited remote code execution flaw or references the CVE, so update-triage that waits for an explicit severity or exploitation signal would leave the door open.
This is the third unrelated Joomla third-party extension disclosed with the identical unauthenticated file-upload-to-RCE class in roughly two weeks — following JoomShaper SP Page Builder (CVE-2026-48908) and Joomlack Page Builder CK (CVE-2026-56290), both added to CISA KEV on 7 July and both covered by this pipeline on 2026-07-08 — and all three were surfaced by the same research outfit. The pattern is now a defender action in its own right: the exposure is not one named component but the class of anonymous-facing upload endpoints across a Joomla estate's third-party extensions. Mapped to T1190 Exploit Public-Facing Application for the upload/execution and T1505.003 Web Shell once the uploaded file is used for persistence.
This was a zero-day: it was already being exploited in the wild when we found it, before any patch existed, and those attacks are still going on now against sites that have not updated.
The flaw was an unauthenticated file upload with no file-type allow-list.
Researcher Hyunwoo Kim (V4bel) disclosed Januscape (CVE-2026-53359), a use-after-free in the shadow-MMU emulation of KVM/x86 (arch/x86/kvm/mmu/mmu.c) whose root cause traces to a 2010 commit — roughly 16 years dormant before the fix landed upstream on 16 June 2026 (BleepingComputer, 2026-07-07). The bug fires when kvm_mmu_get_child_sp() reuses a shadow page without comparing its role, producing a mismatched direct/indirect flag and an incorrect GFN computation; orphaned rmap entries survive memslot deletion and are later dereferenced after the backing memory is freed (V4bel, 2026-07-07). The upstream fix is commit 81ccda30b4e8 (16 June 2026); the researcher gives the vulnerable range as commit 2032a93d66fa (2010-08-01) through that fix (kernel.org, 2026-06-16; V4bel, 2026-07-07).
This is a genuine guest-to-host escape: a root user inside a KVM guest can trigger the UAF from purely guest-side actions, on both Intel and AMD hosts — the researcher calls it "the first guest-to-host exploit research triggerable on both" vendors (V4bel, 2026-07-07). Januscape was submitted as a live 0-day against Google's kvmCTF program. A public PoC that panics the host kernel — a denial of service against every co-tenant on the same physical host — is released; a full working host-compromise/RCE exploit exists but the researcher is deliberately withholding it (BleepingComputer, 2026-07-07). Mapped to T1611 Escape to Host.
With guest-side actions alone, an attacker can compromise the host that runs their VM. For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).
Wiz Research published GhostApproval on 8 July, a systematic vulnerability pattern combining CWE-61 (symbolic-link following) with CWE-451 (UI misrepresentation of critical information) found, in varying severity, across six AI coding assistants: Amazon Q Developer, Cursor, Google Antigravity, Augment, Cognition Labs' Windsurf and Anthropic's Claude Code (Wiz Research, 2026-07-08). A malicious repository plants a symlink inside the workspace that resolves to a sensitive path outside it — e.g. a file named project_settings.json that is actually a link to ~/.ssh/authorized_keys — then a README or prompt instructs the agent to "update" the file. In several tools the agent's own reasoning identifies the true target, yet the confirmation dialog still shows the harmless in-workspace name, so the user rubber-stamps a write to the real target, enabling persistent passwordless SSH access or other host compromise. Windsurf exhibited a pre-authorization write — the file was modified on disk before the Accept/Reject buttons even rendered, making the prompt an "undo" button rather than a gate.
AWS assigned CVE-2026-12958 (missing symlink validation in Language Servers for AWS, CVSS 8.5, fixed in language-servers 1.69.0 / @aws/lsp-codewhisperer 0.0.117) and Cursor assigned CVE-2026-50549 (sandbox escape via symlink + failed path canonicalization, fixed in Cursor 3.0), both confirming arbitrary out-of-workspace file write as the impact (AWS GHSA-6v3r-4p5c-mrp5, 2026-06-23; Cursor GHSA-3v8f-48vw-3mjx, 2026-06-05). Google fixed Antigravity (CVE pending at publication). Augment and Windsurf acknowledged the report but were still testable-vulnerable at disclosure (Wiz Research, 2026-07-08). Anthropic assessed the report as outside its threat model for Claude Code — its stated rationale is that a user who starts a session in a directory has already extended trust to it — while noting it had shipped a symlink warning in the Edit/Write permission dialog in v2.1.32 (5 Feb 2026) as unrelated proactive hardening (Wiz Research, 2026-07-08). Mapped to T1195.002 Compromise Software Supply Chain, T1222 File and Directory Permissions Modification (via symlink) and T1552.004 Unsecured Credentials (authorized_keys write).
The user approves what they believe is a harmless local edit; the agent writes to a sensitive file outside of the project workspace.
First, ESET analysed roughly 900,000 "AI skills" — small functional components used by AI agents — and found tens of thousands suspicious and thousands outright malicious, an expanding attack surface in the emerging agentic-AI ecosystem. Second, it identified PromptSpy, described as the first known Android malware to use generative AI (specifically Google's Gemini) inside its own execution flow to interpret UI elements and adapt behaviour across devices at runtime rather than relying on hardcoded logic — following the first AI-powered ransomware disclosed in 2025 (ESET, 2026-07-08). Third, ClickFix (the fake-error social-engineering technique) has expanded beyond fake CAPTCHA prompts into AI-themed help pages, browser extensions and cloud-authentication scenarios, with ESET detections more than doubling between H2 2025 and H1 2026. Fourth, QR-code phishing ("quishing") reached record levels, with roughly 11% of all ESET-detected phishing emails in H1 2026 using QR codes to move victim interaction onto mobile devices and evade cursory inspection. Ransomware activity continued unabated with over 100 distinct EDR-killer tools now catalogued by ESET, though a declining share of victims are reportedly paying.
ESET researchers identified PromptSpy, the first known Android malware to use generative AI in its execution flow
ESET detections of this vector more than doubled between H2 2025 and H1 2026
ESET Research has documented over 100 EDR killers used in the wild, with new variants appearing regularly
Jacob Ginesin (Carnegie Mellon PhD student, Cure53 auditor) published research on 2 July, amplified by The Hacker News on 8 July, showing that Git/GitHub's "Verified" commit badge is not a unique identifier: given any signed commit, an attacker without the signing key can mint a second, distinct commit with an identical tree, identical author/date metadata, and a valid signature that still shows "Verified" — differing only in its resulting hash (The Hacker News, 2026-07-08; Ginesin, arXiv, 2026-07-02). The root cause is signature malleability, not a hash collision. A commit's SHA is computed over everything inside it, including the raw signature bytes in its header, and many signatures can be rewritten into a different-but-valid form.
Three malleation routes are demonstrated: (1) for ECDSA, the classical algebraic symmetry that turns a valid pair (r,s) into (r, n−s) using only public curve parameters, producing a second equally-valid signature over the same payload with different bytes and therefore a different commit hash; (2) for RSA and EdDSA under OpenPGP, appending an ignorable experimental subpacket in the unhashed subpacket region defined in RFC 4880 §5.2.3; (3) an analogous X.509/S-MIME path. GitHub does not normalize or canonicalize a signature before verifying it — no strict encoding enforcement on S/MIME, no stripping of the manipulable OpenPGP fields, and non-canonical ECDSA values accepted as-is (The Hacker News, 2026-07-08). A public exploitation tool implementing all three attacks, plus demo repos where the malleated commits still show "Verified", is released (Ginesin, git-chain-malleator). Ginesin reported to GNU/Git in January and GitHub in March 2026; neither had shipped a fix at publication, and no CVE is assigned. Maps to T1195.002 Compromise Software Supply Chain as a control-bypass primitive.
Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps 'Verified.'
GitHub does not normalize a signature before checking it. No strict encoding on S/MIME, no stripping of those OpenPGP fields, and non-canonical ECDSA values accepted as-is.
The Hacker News, summarising Jacob Ginesin's research
Sygnia's incident-response investigation of a financially-motivated AWS cloud intrusion found no novel malware or zero-day — every individual technique maps to a long-tracked MITRE ATT&CK ID — but the operationalisation was materially faster than typical manual intrusions, which Sygnia attributes to AI-assisted or agentic tooling (Sygnia, 2026-07-08). After obtaining an initial access key via a weakness in an internet-facing application, the actor ran four workstreams in parallel — secrets theft (ECS/EC2 environment variables, GitHub/Bitbucket CI/CD runner env vars, S3 plaintext secrets, Secrets Manager, SSM Parameter Store); persistence (new IAM users, EC2/ECS reverse shells, modified deployment files); RDS exfiltration via several hundred distinct SQL queries across dozens of databases; and reversible impact (S3 access denial, ECS scaled to zero, SQS purges) used purely as extortion leverage — and repeated the full playbook on every newly obtained credential rather than progressing linearly. The most striking artefact: four different AWS access keys from four separate accounts were used from the same source IP and user-agent within a single observed second, which Sygnia assesses is very hard to explain as manual operation (Sygnia, 2026-07-08).
Scripts, structured reporting output, and commit messages/branch names framing the activity as an authorized "pentest"/"red team" with a fabricated CEO sign-off are consistent with LLM-generated tooling — possibly including prompt-framing meant to reduce refusal from AI assistants being abused by the operator. Sygnia maps the case onto the same tactic distribution (Execution, Discovery, Credential Access, Collection, Defense Evasion) that Anthropic's June 2026 LLM ATT&CK research found concentrated in banned AI-abuse accounts. Relevant IDs per Sygnia include T1651 Cloud Administration Command, T1552/T1528 (credential/token harvesting), T1087/T1580/T1619 (account/cloud-infra/storage discovery re-run per key), T1578 (modify cloud compute infra) and T1078 Valid Accounts.
In one observed second, four different access keys belonging to four separate accounts were used from the same source IP address and the same user-agent
The intrusion progressed from initial access to broad cloud compromise within approximately 72 hours.
multiple attacker-created artifacts were framed as part of a 'pentest' or a 'red team'. This framing appeared in branch names, commit messages, and other artifacts, including references suggesting the activity was approved by a non-existent CEO.
Groupe 3R (Réseau Radiologique Romand), the network of 20 medical-imaging centres across seven Romandie cantons (Geneva, Vaud, Valais, Fribourg, Neuchâtel, Berne), has now confirmed through its own forensic investigation — not merely the attacker's leak-site claim — that the 30 April 2026 ransomware attack was carried out by Akira, and that stolen corporate and administrative documents have since been published on the darknet (SwissCybersecurity.net, 2026-07-07; ICTjournal.ch, 2026-07-06). This closes the attribution gap left open when Akira first listed the victim on 2026-05-08. The operator states medical data was encrypted (disrupting availability) but that no publication of medical data has been observed to date, while candidly acknowledging that whether medical data was also exfiltrated "may never be clarified with absolute certainty" — an unusually frank admission of incomplete forensic visibility that is itself the transferable lesson here.
Groupe 3R refused to pay the ransom, filed a criminal complaint with cantonal police on the attack date (forwarded to the Federal Public Prosecutor on 2026-05-12) and notified the Federal Office for Cybersecurity (BACS). As of this update all 20 centres are running on rebuilt, ISO-27001-partner infrastructure (RIS, PACS, telephony and teleradiology restored) but the referring-physician portal remained in security testing before redeployment — over two months post-incident. The activity is consistent with Akira's documented playbook: T1486 Data Encrypted for Impact (medical-data encryption), T1567 Exfiltration Over Web Service (darknet publication), typically preceded by edge-device / external-remote-service initial access.
KDDI's 6 July update — reported by BleepingComputer on 8 July — discloses the confirmed root cause and exact scale of the breach of the shared email platform serving STNet, JCOM, Chubu Telecommunications, NIFTY and BIGLOBE. The platform was compromised on 16 May 2026 via a zero-day vulnerability in an (still unnamed) third-party software component — a flaw that, per KDDI, "was not recognized by the software vendor" as of KDDI's 17 June confirmation date and which the vendor is now reporting to public authorities (BleepingComputer, 2026-07-08). KDDI confirmed final counts of 12,233,087 exposed email addresses and 7,616,173 exposed passwords — down from the earlier "up to 14.22 million" estimate (BleepingComputer, 2026-06-28) — deployed EDR post-incident, completed a forensic audit on 23 June confirming the flaw was patched with no other issues remaining, and notified Japan's Personal Information Protection Commission and the Ministry of Internal Affairs and Communications.
Neither report names the exploited third-party product; KDDI has stated only "third-party software", and that ambiguity is in the source, not omitted here.
"As a result of our investigation, as of June 17, 2026, the date of our confirmation, this vulnerability was not recognized by the software vendor," KDDI said.
Background. Golden SAML — forging SAML assertions by stealing an identity provider's token-signing key — has been public tradecraft since CyberArk's 2017 disclosure (CyberArk, 2017), and Mandiant previously documented network-based extraction of ADFS secrets during the UNC2452/SolarWinds intrusions (Mandiant). The standard extraction path pulls the encrypted signing key from the ADFS Windows Internal Database (WID) and decrypts it with Distributed Key Manager (DKM) material stored in Active Directory. This new Mandiant write-up documents a variant that defeats that assumption when ADFS configuration has drifted.
During a red-team engagement, Mandiant found that ADFS deployments with AutoCertificateRollover disabled (Get-AdfsProperties → AutoCertificateRollover: False) and certificates rotated manually can leave the WID configuration database holding only a stale "ghost" certificate record, while the ADFS service actually signs tokens with a newer certificate whose private key lives in the machine CAPI store (Mandiant, 2026-07-07). In that state the classic path still "works" mechanically — the WID blob decrypts via DKM — but Entra ID rejects the resulting token with AADSTS500172 because the key is no longer the one in use.
The key's real location and protection. The active private key sits under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\, with the certificate enrolled in the LocalMachine\My store. It is protected by Machine DPAPI (not user-bound DPAPI): the DPAPI_SYSTEM LSA secret plus machine masterkeys under the S-1-5-18 (SYSTEM) context at C:\Windows\System32\Microsoft\Protect\S-1-5-18\. Machine-scoping is deliberate — it keeps the key usable across service-account password changes, gMSA rotations and reboots — but it also means a SYSTEM-level actor can recover the key entirely from the host. Mandiant confirmed recovery with SharpDPAPI /machine, which enumerated the active key material under that path (the CNG Crypto\Keys store was not in use in the assessed environment) — no interaction with the live ADFS process or LSASS is required, reducing visibility for defenses that watch only credential-dumping/process-memory access (Mandiant, 2026-07-07).
Kill chain (ATT&CK). SYSTEM-level foothold on the ADFS host → recover Machine-DPAPI-protected masterkeys and the CAPI signing key (T1552 Unsecured Credentials, via SharpDPAPI /machine) → forge a SAML assertion impersonating a Global Administrator (T1606.002 Forge Web Credentials: SAML Tokens) → Entra ID accepts it as a valid federated authentication assertion, yielding Global Administrator access to the Microsoft 365 tenant with MFA and conditional access fully bypassed (T1078.004 Valid Accounts: Cloud Accounts). Because the forged assertion is honoured for all SAML relying-party trusts, the blast radius extends to every SaaS platform federated through the same ADFS, not just Microsoft services.
Hunt and detection. The drift condition itself is observable: ADFS Event ID 385 fires when the WID record and the actively-used signing certificate diverge, and self-resolves only once AutoCertificateRollover is re-enabled and a rollover runs. For key-theft detection, Mandiant recommends SACL-based object-access auditing (Security Event ID 4663) on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ and C:\Windows\System32\Microsoft\Protect\S-1-5-18\, treated as correlation evidence rather than a standalone signal. The strongest analytic is cross-source: correlate ADFS token-issuance/claims events (Event IDs 299 and the 1200-series, version-dependent) against Entra ID sign-in logs to surface federated sign-ins with no matching upstream authentication context, baselining claim sets, IP ranges and user-agents per relying-party trust for privileged accounts — neither log source alone is sufficient (Mandiant, 2026-07-07).
Hardening. Migrate token-signing certificates to an HSM to eliminate the software-accessible key and thus the Machine DPAPI extraction path entirely; run ADFS under gMSA to reduce manual-rotation drift; govern ADFS servers as Tier 0 (restricted admin paths, dedicated PAWs, separation from general server administration). When AutoCertificateRollover is disabled, a manual rotation must include Set-AdfsCertificate — installing the certificate alone is insufficient — and be validated with Get-AdfsCertificate; a subsequent Event ID 385 signals lingering inconsistency. Organisations migrating to native OIDC federation remove this attack path altogether (Mandiant, 2026-07-07). ADFS remains widely deployed for on-prem/hybrid identity across Swiss and EU public-sector estates mid-migration to Entra ID, making this a direct Tier 0 hardening item for the constituency.
Successfully obtaining this active key allows an attacker to forge valid SAML assertions for any user, bypassing the need for user credentials and multi-factor authentication
The recovered key was used to forge a SAML assertion impersonating a Global Administrator identity, which Entra ID accepted as a valid authentication assertion
Configure object access auditing via SACLs on C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\ and C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\. When configured correctly, this generates Security Event ID 4663 for file access attempts.
Enforce FIDO2/WebAuthn hardware-bound second factors for any staff whose Google/Gmail identity intersects public-administration, law-enforcement or watchlisted-profession status — real-time relay defeats TOTP and SMS OTP.
Hunt mail-gateway logs for Gmail-lookalike sender display names on newly-registered .icu/.digital/.top domains and *.netlify.app subdomains; alert on a login to a user's account from an unfamiliar ASN occurring seconds after that user visits a flagged phishing URL.
Treat leaked employee directories (email + password hashes + physical addresses) from any vendor compromise as an active spear-phishing and credential-stuffing target list: force password resets and step up MFA/phishing-resistant auth for named employees, and brief them on tailored social-engineering attempts.
Inventory outsourced marketing/incentive/HR SaaS platforms that hold employee PII and confirm your incident-response and breach-notification obligations account for vendor-side compromises that surface under your brand — Deutsche Bank has now been hit through third parties repeatedly.
Track 'Unsafe' as an actor with reported 2026 targets in Germany, Switzerland and France when scoping RaaS/double-extortion threat models for EU financial and public-sector bodies.
Any Swiss public-sector or health body operating an @<domain>.ch mail estate should implement per-mailbox outbound-volume anomaly detection: a legitimate mailbox suddenly sending bulk external mail is an earlier and stronger compromise signal than waiting for external abuse reports.
Monitor DMARC/DKIM alignment reporting for your own domain to catch when it starts being used as a relay (authenticated sending from compromised accounts) rather than merely spoofed, and enforce MFA plus conditional-access on all mailboxes.
Swiss/EU healthcare operators previously targeted should not treat a single successful defence as retiring the threat model: Groupe 3R has now been hit twice inside twelve months — by different attackers in April 2025 and by Akira in April 2026 — so budget for recurring hardening reviews of edge/remote-access exposure rather than assuming one incident closes the risk.
Ensure egress monitoring and object-level access logging on PACS/RIS/backup infrastructure are in place now: Groupe 3R's admission that exfiltration scope may be structurally unknowable after the fact shows post-hoc forensics cannot substitute for pre-existing telemetry.
Patch Plesk to 18.0.30+ (or 18.0.79+ for the fully unaffected line) now; if patching is delayed, disable or access-restrict the XML API per CCB/Plesk guidance.
On multi-tenant Plesk installs, monitor XML-API access logs for authenticated accounts issuing calls outside their normal automation pattern, and alert on unexpected root-owned file writes under Plesk config directories immediately after such calls.
Treat QR codes in email bodies as first-class phishing indicators requiring the same scrutiny as embedded URLs, and add 'AI help page' / browser-extension-install ClickFix lures to user-awareness material alongside the fake-CAPTCHA variant.
Inventory ADFS: run Get-AdfsProperties for AutoCertificateRollover:False and Get-AdfsCertificate to confirm the WID record matches the active token-signing certificate; any Event ID 385 is a drift indicator to investigate.
Migrate ADFS token-signing certificates to an HSM (removes the Machine DPAPI extraction path entirely), run ADFS under gMSA, and govern ADFS hosts as Tier 0 with PAWs; when rotating manually, always run Set-AdfsCertificate, not certificate install alone.
Deploy SACLs (Event ID 4663) on C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\ and C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\, and correlate Entra ID federated sign-ins against ADFS issuance events (299 / 1200-series) to find tokens with no matching upstream authentication.
If you operate or integrate with Nayax terminals/APIs, watch for a material update to the 6-K (initial-access vector, affected cloud provider, and subsidiary are all undisclosed) before drawing conclusions about card-data exposure.
Audit subsidiary and third-party cloud accounts with access to card-processing data pipelines for anomalous authentication and bulk-export activity (cloud IAM sign-in review, DLP egress alerting on payment-data stores).
Inventory every Joomla site running Balbooa Forms and update all installs to 2.4.1 or later immediately — do not wait for a maintenance window; the flaw is being actively exploited.
Treat any site that ran 2.4.0 or earlier while exposed as possibly compromised: check images/baforms/uploads/ (and other per-component upload folders) for unexpected .php/.phtml files and check Joomla for unexpected Super User accounts.
At the web-server layer, deny PHP execution inside upload-only directories (nginx location block / Apache php_admin_flag engine off on images/ and media/ subpaths) regardless of vendor patch status — this closes the whole recurring bug class, not one component.
Hunt access logs for POST requests to index.php?option=com_baforms&task=form.uploadAttachmentFile returning HTTP 200 followed by a GET to a newly created executable file under the upload directory.
Patch KVM host kernels so they carry upstream commit 81ccda30b4e8 (2026-06-16) — confirm your distro's stable kernel includes the backport; this is a host-kernel fix with no guest-side workaround or config toggle.
On multi-tenant KVM estates, treat any unexplained host kernel panic/reboot that co-occurs with a single tenant's VM activity as a possible exploitation signal and preserve the host for forensics.
Remove Telnet and SSH management-interface exposure from internet-facing IoT and embedded-Linux devices (the initial-access vector for both families) and eliminate default/weak credentials — both botnets rely entirely on credential brute-force, not exploitation.
Hunt for the c2c/meow persistence and escalation markers: systemd unit files created outside package-manager/config-management workflows (auditd on unit-file writes), a binary at /usr/local/bin/cpufreqd or a 'CPU Frequency Daemon' unit, and processes probing passwordless sudo via 'sudo -n true'.
Alert on outbound plaintext-TCP-carrying-JSON to non-standard ports (the C2 channel) and segment OT-adjacent Linux systems from business-critical networks with restricted outbound connectivity to limit both C2 reach and DDoS participation.
On MDM/Android-Enterprise-managed fleets, disable Developer Options and USB/Wireless debugging by default (DevicePolicyManager setDebuggingFeaturesAllowed or equivalent restriction) so an app cannot self-enable the ADB path.
Hunt for the abuse pattern: any non-system app programmatically flipping Settings.Global adb_wifi_enabled / enabling Developer Options without an IT-initiated pairing flow, or a non-ADB process binding a loopback (127.0.0.1) ADB connection, is anomalous on a managed device and should alert.
Gate BIND_ACCESSIBILITY_SERVICE to an approved allowlist and treat off-store APKs delivered via 'required setup' walkthroughs on spoofed government/financial sites as the initial-access vector to block.
Hunt for uxtheme.dll loaded outside its legitimate System32 location, especially by non-standard parents (e.g. WinDirStat.exe), and for RMM/software-deployment tools (SysAid and equivalents) pushing executables to non-standard ProgramData paths.
For reverse engineers, resource NativeAOT-capable tooling (e.g. ghidra-nativeaot / ida-nativeaot metadata recovery) — standard .NET decompilers do not handle Native-only compiled output, so import-table triage misses the capability.
Patch AWS language-servers to ≥ 1.69.0 (@aws/lsp-codewhisperer ≥ 0.0.117) and Cursor to ≥ 3.0 now; for Augment and Windsurf, restrict use against untrusted/external repositories until a fix ships.
Alert on any AI-coding-assistant agent process writing to credential/dotfile paths (~/.ssh/*, shell rc files, cloud-credential files) and on git-clone operations that create symlinks resolving outside the repository root.
Do not rely on commit-hash (SHA) allow/deny-listing alone for supply-chain integrity — after a known-bad-commit takedown, hunt for repeat pushes of content-identical trees under new commit hashes.
Alert on a single source IP/user-agent authenticating with multiple distinct IAM access keys or accounts within seconds, and on repeated re-execution of the same discovery/secrets-harvesting sequence triggered by newly-created credentials.
Assume any exposed credential is used immediately and at scale: automate secrets rotation, IP-allowlist cloud management planes, enforce MFA on privileged/external access, and pre-build containment playbooks (isolation + rotation + session revocation) that execute in minutes.
Where you host third-party software components on infrastructure holding subscriber or credential data, prioritise behavioural/EDR detection and egress monitoring over patch-management alone — the exploited flaw here was a zero-day the software vendor itself had not recognised, so no patch cadence would have closed it.
Confirm your incident-response playbook includes rapid regulator notification once exploitation is confirmed (KDDI notified Japan's PPC and MIC and completed a forensic audit), and account for multi-tenant platform compromises that cascade across several downstream brands.
2026-07-09T1211Z-intel· Claude Opus 4.8 · window 24 h · 7 entries published
Verification & coverage notes
Coverage window: intraday fire, gap 8 h since the previous run (2026-07-09T04:09Z); window_hours held at the 24 h floor, developing_window 72 h. New signal tracks the ~8 h gap; every candidate deduped against the full 14-day prior-coverage index (150 records) including today's 04:09Z run.
Volume: 5 new + 2 updates. Above a typical intraday count but each entry independently clears the PD-11 gate; dedup dropped the largest chunk of would-be duplicates (below). No count target/ceiling applied.
Deep dive: none. window24h.deep_dives_today=1 (the 04:09Z Mandiant AD FS DPAPI deep dive). No new candidate independently earned a second deep dive today — the Balbooa zero-day is served by a high-priority vulnerability entry with wave context (narrow single-extension exposure, website-level compromise, no public PoC); the Joomla wave itself was already covered 2026-07-08.
Criticals: none. No candidate cleared the extreme critical bar. Balbooa is actively-exploited pre-auth RCE but with narrow extension-level exposure (not exposed enterprise edge), no public PoC — rated high, not critical.
Single-source (with carve-out/other): RedHook (tool) — Group-IB original lab research, no in-window independent corroboration (verification: single-source, credibility 2). Nozomi Apex2/c2c (tool) — Nozomi Labs original research; the Industrial Cyber and IT-language items are re-reports of the same post, not independent corroboration (single-source, credibility 2). KDDI update — only BleepingComputer carries the 6-July specifics, citing KDDI's own JP-language notice (single-source-other).
Recency edges (kept as updates / developing-window): Groupe 3R Akira — sources 2026-07-06/07 (~53 h, within the 72 h developing window); shipped as update_of the 2026-05-10 entry with the delta (victim forensic confirmation of Akira + darknet publication), event_date 2026-07-07. Nozomi Apex2/c2c — primary dated 2026-07-06 (within developing window), surfaced into the window via the rotation-priority source industrialcyber.co on 2026-07-09; event_date 2026-07-06. KDDI — update primary 2026-07-08 (in-window), underlying event_date 2026-07-06.
Dedup drops (candidate matched already-covered ground; not re-surfaced): CVE-2026-53359 Linux KVM "Januscape" VM escape (covered by 04:09Z run today); CVE-2026-40138/-40139 BeyondTrust RS/PRA pre-auth bypass (covered 2026-07-08); Sygnia "AI-Assisted Cloud Attack" (covered by 04:09Z run); Swiss Post threat-landscape 71%-stat pickup (June report, covered 06-24/06-29); UNC1151/Ghostwriter (covered by 04:09Z run).
borderline-drop: OneConsult "false trust in confidential computing" (S2) — single-source conceptual/methodology research, no named product/CVE, no near-term patch/hunt/block decision, weak CH/EU nexus (Swiss firm but generic content); doubt about relevance-to-constituency resolves to drop (PD-11). Better fit for a weekly/research lens if it recurs.
borderline-drop: INTERPOL Operation First Light 2026 (S4) — global LE fraud-bust roundup (BEC/romance/investment scams); no TTP / detection / hunt content for a Tier 2/3 detection-engineering audience, and the arrest/asset-seizure figures are vanity metrics for this constituency (PD-4). Newsworthy, not operational CTI.
S4 breach-gate exclusions (out-of-nexus, logged by the sub-agent): PB Fiduciaire SA (CH, leak-site claim only, no victim confirmation/journalism — fake-news scrutiny); AssuranceAmerica, Washington DSHS, Bojangles, Mount Royal University, Alberta/Centurion voter suit, River Financial Corp (all US/CA-only, no CH/EU nexus, no new transferable TTP, no named actor plausibly targeting the constituency).
ChocoPoC (Sekoia/YesWeHack trojanised CVE-PoC repos) — dropped by S3 on recency (own page metadata: published 2026-07-01, 8 days stale); flagged for the next weekly (W1) if it stays uncovered.
Coverage gaps: cisa-advisories, cisa-directives (JS-rendered listing shells; no structured endpoint — KEV/CSAF cover exploitation ground-truth); ncsc-uk (Cookiebot consent-shell blocks the advisory listing on WebFetch+jina — recipe gap); cert-eu (no advisory since 2026-06-10, normal low cadence); sonatype, calif-codex (RSS URLs are landing pages, not feeds — recipe gap flagged); keycloak (URL points at disclosure-policy page, not an advisories index — recipe gap). No essential source missed for content this run.
Watchlist: products checked=0, hits=0; suppliers checked=0, hits=0 (org profile configures no product/supplier watchlist — sweeps are documented no-ops).
source_health.py: probe exceeded its wall-clock budget (>7 min over all ~150 sources) and did not write a fresh state/source_health.json this run (last snapshot remains 2026-07-09T04:44Z from the 04:09Z fire) — script-level timeout, not a source failure; not retried (bounded-retry rule). Standing-repair actions were still taken manually this run: industrialcyber-co recipe repaired (webfetch->rss), group-ib switched to the working jina transport, sonatype/calif-codex broken-feed recipes flagged in notes for the next probe.
Self-ID caveat: all sub-agents reported "Claude Opus 4.8" (env-derived); the research definition's model pin is not independently verifiable at runtime — a measurement limitation, not evidence of a pinning failure.
2026-07-09T0409Z-intel· Claude Opus 4.8 · window 24 h · 10 entries published
Verification & coverage notes
Window. Intraday fire, gap 8 h from the previous run (2026-07-08T2009Z-intel). Window held at the 24 h floor (developing window 72 h). Dedup ran against the full 14-day prior_coverage.json (140 records, incl. the 2026-07-08 run and the W27 weekly) plus the store-wide CVE index. No in-window intel/ drops — no S5 spawned. No watchlists configured — no Watchlist: line, product/supplier sweeps are no-ops (S1 products checked=0, S4 suppliers checked=0).
Volume note. 10 entries on an 8 h intraday fire is larger than a typical intraday window, and it reflects genuinely-new, never-before-published signal — not cadence inflation (dedup confirmed every entry is new). Three items are developing-window first-coverage the prior 64 h-window run did not surface: Januscape (source 2026-07-07, ~30 h), the Mandiant ADFS Golden SAML write-up (2026-07-07, ~38 h), and Cavern Manticore (2026-07-06, ~40 h). All three are outside the strict 24 h window but inside the 72 h developing window and were never covered by any prior run; they are published as first-coverage of significant developing stories with event_date set to the true source date, per PD-7. The remaining seven are fresh 2026-07-08 items.
GhostApproval de-duplication. Both S1 and S3 independently surfaced Wiz's GhostApproval. Merged into one entry using S1's richer multi-source corroboration (Wiz + AWS GHSA-6v3r-4p5c-mrp5 + Cursor GHSA-3v8f-48vw-3mjx). Reported faithfully incl. Anthropic Claude Code's "outside our threat model" response and its v2.1.32 symlink warning — no sanitisation of a finding that names the producing vendor's own product.
Deep dive.mandiant-adfs-machine-dpapi-golden-saml-key-recovery (identity-infra) — selection criterion 3 (substantive new technical analysis with actionable public detail). Category rotation-fresh: the last identity-infra deep dive was Keycloak (2026-06-28, >7 days). window24h.deep_dives_today was 0 at run start. One deep dive this fire. Background paragraph (PD-10) cites the 2017 CyberArk Golden SAML disclosure and Mandiant's earlier UNC2452 ADFS work.
Single-source / carve-outs.
UNC1151/Ghostwriter Gmail 2FA phishing — single-source-national-cert (CERT Polska / NASK, Admiralty A, for its own jurisdiction).
Sygnia AI-orchestrated AWS intrusion — single-source (Sygnia, Admiralty B); the AI-orchestration read is Sygnia's assessment from tempo/artefacts, framed as assessed not proven (credibility: 3).
Cavern Manticore — single-source (Check Point Research, Admiralty B); Israel-targeted, included on transferable technique class (PD-11 d) + same-actor-class relevance (Iran MOIS also targets EU public sector) (credibility: 3).
Nayax — victim's own SEC Form 6-K is the fact base (victim-disclosure carve-out) + DataBreaches.net/Calcalistech corroboration → multi-source; "The Syndicate"'s 1B-record/100TB/~1yr figures reported as an unverified attributed leak-site claim per PD-6, with the internal contradiction against the "immediately contained" filing surfaced explicitly (credibility: 3).
borderline-drop: CVE-2026-11405 (Tenda router httpd hidden backdoor) — CVSS 9.8, CERT/CC VU#213560, but Tenda is a consumer/SMB router brand with no Swiss/EU public-sector or critical-infrastructure nexus; generic hardcoded-backdoor lesson, not a product the constituency runs, no novel transferable TTP. Out of scope per the PD-11 scope gate (doubt about relevance-to-constituency resolves to drop). Recoverable if it turns up in a constituency estate.
borderline-drop: PDAG (Psychiatrische Dienste Aargau) cantonal-healthcare mailbox-takeover / phishing-relay — a real Swiss home-region public-sector/healthcare incident (S2 lead; main-agent spot-check confirmed the inside-it.ch RSS lead but the article URL 403'd on direct, jina and bridge transports, and no PDAG statement URL or second source surfaced). Dropped on two grounds: single-source (inside-it.ch, Admiralty C news) with no independently-fetchable victim/CERT primary to satisfy two-source or a carve-out, and modest technical depth — generic BEC mailbox-takeover → spam/phishing relay with no root cause, TTP, or new action beyond the already-covered M365 mailbox-takeover pattern. Recoverable if a fuller disclosure (PDAG statement / NCSC-CH pickup) lands.
out-of-window drops (S-agent level). S3: CrowdStrike prompt-injection post and Seqrite Operation DragonReturn — listing-page dates misaligned with true Published-Time metadata (2026-05-20 and 2026-06-26 respectively); excluded once confirmed out of window. S2: a "Swiss federal administration DDoS" WebSearch lead was recycled Jan-2025 news (radiolac.ch) — discarded as a recency trap. S1: Exodus msi.dll LPE write-up covers CVE-2025-27727 (patched April 2025) — retrospective, low current urgency, dropped.
Coverage gaps: cisa-advisories, cisa-directives, cisa-news (JS-shell listing pages; no structured bridge endpoint — KEV API covered exploitation ground-truth, a non-KEV in-window advisory may have been missed); cert-eu (feed stale to 2026-06-10, 200 OK not a transport failure); industrialcyber-co (standing 403/Cloudflare block, jina reader also blocked — no demotion); zimperium-zlabs, aikido-security (SPA nav-chrome only via jina — need a structured listing/sitemap recipe); jpcert (not fetched — time budget, no evidence of a missed in-window item); calif-codex, vulncheck, socket-dev-blog RSS empty via jina (HTML fallback showed nothing newer in-window / cross-domain items left to S3/S4).
Essential-coverage: missed=cisa-advisories, cisa-directives (JS-shell listing pages unreadable via current bridge recipes; KEV API — the exploitation ground-truth for both — fetched successfully, so no new exploited-flaw signal was missed).
Verification loop: 4 iterations (1 Opus, 2 alt-slot, 3 Opus, 4 alt-slot) → CLEAN on iteration 4. Iteration 1 found 4 (2 truth incl. 2 F4, 1 editorial F17, 1 advisory); iteration 2 found 2 (1 F12 editorial, 1 F4 truth); iteration 3 found 4 (3 truth: F4 Januscape version list, F3 Plesk CVSS attribution, F4 Mandiant quote-splice; 1 advisory); iteration 4 CLEAN. All remediations traced to sources re-fetched during the fix cycle. No entries dropped by verification.
AI-content transparency — verifier model rotation did NOT take effect this run. The prompt rotates verifiers Opus (odd) / Sonnet (even, cti-verification-alt). All four verifier spawns — including iterations 2 and 4, the alt-slot Sonnet-pin — reported **Model:** Claude Opus 4.8 (claude-opus-4-8) from the authoritative CLAUDE_FRIENDLY_NAME/CLAUDE_MODEL_ID env vars. The iteration 4 verifier explicitly flagged the discrepancy. In this cloud container the env vars appear to pin every spawn to Opus 4.8 regardless of the agent definition's model: frontmatter, so model diversity across iterations was not achieved (iteration 2 was recorded verbatim as Opus 4.8, corrected from an initial mis-assumption of Sonnet). Operator follow-up: confirm whether the routine container is meant to honour per-agent model frontmatter or whether the Opus pin is intentional; the rotation's blind-spot-catching benefit is currently a no-op.
Self-evolution follow-up (noted, not actioned this run): CERT-FR (anssi-fr) fetch_source.py feed returns items oldest-first; a default N=20 surfaces stale entries instead of the latest bulletin. Note appended to the source record; a bridge-tooling fix (reverse/most-recent-first ordering for CERT-FR feeds) is a candidate for a future run.