ctipilot.ch
Fri · 17 Jul 2026
All daily briefs ↗
Daily brief · UTC day

Friday, 17 July 2026

8 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01SharePoint RCE CVE-2026-58644 now confirmed exploited in the wild — CISA folds it into its active-exploitation SharePoint alert. CVE-2026-58644 (CVSS 9.8), one of the July 2026 SharePoint deserialization RCEs previously rated only "Exploitation More Likely," is now confirmed actively exploited: CISA added it to the KEV catalog on 2026-07-16 and lists it among four on-prem SharePoint CVEs (with CVE-2026-32201, CVE-2026-45659, CVE-2026-56164) it is aware of being exploited to gain unauthorized access, establish RCE, steal IIS machine keys and deploy malware. The fix shipped in the June 2026 cumulative update, so any on-prem SharePoint estate patched only through May is exposed; SharePoint Online is not in scope.
  2. 02NCSC-CH flags an unauthenticated RCE (CVSS 9.8) in Abacus ERP — reachable endpoint is the only prerequisite. Abacus Research AG shipped a hotfix on 2026-07-15 for an unauthenticated critical RCE (vendor-rated CVSS 9.8, no CVE assigned) in the server-side component of its proprietary client-server protocol, plus an authenticated path-traversal file-read flaw (CVSS 7.7) in the AbaClik / AbaClik.ai mobile-app APIs; NCSC-CH flagged both on 2026-07-16. Abacus is one of the most widely-deployed ERP/accounting/HR platforms across Swiss SMEs, associations and public-sector-adjacent organizations. Every on-prem installation — including End-of-Life V2023 builds — is affected; WebPortal/cloud-hosted deployments are not. No in-the-wild exploitation is known (found via the vendor's bug-bounty program).
  3. 03Talos details UAT-11795 — ClickFix-delivered Starland RAT with a blockchain dead-drop C2 and a bespoke WLDR PowerShell implant. Cisco Talos disclosed UAT-11795, a Russian-speaking, financially motivated actor active since at least June 2025 against victims in the US and Europe (Germany, Romania observed). A ClickFix lure runs mshta.exe to stage a trojanized installer (impersonating MobaXterm, WebEx, Zoom, DBeaver, FACEIT) that XOR-decrypts and runs the in-memory Python "Starland RAT," which persists, harvests crypto-wallet and host data, and — if primary C2 fails — resolves a fallback C2 domain from a Polygon smart contract dead-drop. Starland can inject shellcode (CastleStealer or a Remcos variant) after patching AMSI/ETW, and separately deploys a bespoke PowerShell C2 implant the actor labels "WLDR."
01Active threats, incidents & disclosures2 items
NOTABLENATOA1

Garante fines Wind Tre EUR 1.7M over a vishing-enabled API-enumeration breach that exposed 365,048 telco customers

The Garante's decision gives a rare, fully technical account of a telco breach. Initial access was voice social engineering: attackers phoned staff at two retail points of sale, posed as internal support technicians, and "convinced operators at two retail points of sale to allow access to company systems" (Garante, 2026-07-16). That remote access yielded the point-of-sale device's installed client digital certificate plus login credentials — reportedly recoverable in cleartext from the desktop or browser rather than held in an OS certificate store — which the attackers then used as valid, MFA-satisfied access to a customer-facing web application. In the first incident that access ran 66 targeted lookups (~23 customers). In the second, days later, the attackers pivoted from the primary (protected) search API to an unprotected secondary API invoked by the same search function and "executed about 2 million total requests following an enumeration logic, i.e. progressively incrementing the customer code identifier ('customerId')," compromising 365,048 customers and, for 41,359 of them, payment-instrument data (Garante, 2026-07-16). The Garante rejected Wind Tre's defense that its API design followed OWASP practice, finding the enumeration-reachable secondary endpoints were "reasonably identifiable" by a vulnerability assessment and penetration test scoped to the API surface — not just the primary documented interfaces.

gli hacker, fingendosi tecnici dell'assistenza, hanno convinto gli operatori di due punti vendita a consentire l'accesso ai sistemi aziendali

Garante per la protezione dei dati personali (Newsletter n.549) 2026-07-16

gli attaccanti sono riusciti ad eseguire circa 2 milioni di richieste totali seguendo una logica di enumeration, ovvero andando ad aumentare progressivamente l'identificativo del codice cliente (c.d. "customerId") violando i dati personali di 365.048 clienti

Garante per la protezione dei dati personali (Provvedimento n.348, 14 May 2026) 2026-07-16
incident17 Jul 04:35Zmulti-sourceOpen finding ↗
NOTABLENATOB2

Cisco Talos: UAT-11795 deploys the Python-based Starland RAT and a bespoke PowerShell C2 implant (WLDR), resolving fallback C2 through a Polygon blockchain dead-drop

Cisco Talos documented UAT-11795, a financially motivated actor whose intrusions begin with a ClickFix lure: a clipboard-pasted command invokes mshta.exe to fetch a weaponized HTA, whose VBScript drops a batch file that stages an NSIS-packaged installer masquerading as a legitimate IT/collaboration tool (MobaXterm, Cisco WebEx, Zoom, DBeaver, the FACEIT client) and writes a HKCU\...\Run\MyApp value pointing back at mshta.exe (Cisco Talos, 2026-07-16). The installer bundles pythonw.exe plus a compiled Python loader disguised as LICENSE.txt that XOR-decrypts and runs "Starland RAT" entirely in memory. Starland checks for sandbox usernames/hostnames and a Downloads Zone.Identifier ADS before proceeding, persists via a scheduled task named PythonLauncher-{3 random chars} (AtLogOn, RunLevel Highest) plus a Startup-folder LNK, enumerates 40+ desktop and browser-extension crypto wallets, and beacons a Telegram bot before registering to its primary C2. If that registration fails it calls a Polygon smart contract via eth_call/JSON-RPC and XOR-decrypts the returned string to recover a fallback C2 domain — a blockchain dead-drop resolver that survives conventional domain/IP takedown (Cisco Talos, 2026-07-16). On command, Starland fetches shellcode via APC-based injection that first patches AMSI/ETW in memory (hash-resolved AmsiScanBuffer/EtwEventWrite overwritten, with a VirtualProtect fallback) and reflectively loads either CastleStealer (.NET credential/wallet stealer, x64 path) or a Remcos variant (x32). Separately it has been seen shell-executing a curl download of a bespoke PowerShell C2 framework the actor's own scripts label "WLDR" — HWID-bound, AES-encrypted 10-second beaconing with a Chrome-124 User-Agent, executing operator PowerShell through a 10-thread RunspacePool.

Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025.

Cisco Talos 2026-07-16
threat17 Jul 04:35Zsingle-sourceOpen finding ↗
Sources: Cisco Talos
HIGHNATOA2

Abacus ERP: unauthenticated RCE (CVSS 9.8, no CVE) and authenticated path traversal in a widely-deployed Swiss ERP platform — flagged by NCSC-CH

Abacus Research AG (Wittenbach, SG) patched two unrelated flaws on 2026-07-15 that NCSC-CH surfaced the following day (NCSC-CH, 2026-07-16). The critical one is an unauthenticated remote code execution in the server-side handler of the proprietary Abacus client-server communication protocol: "the vulnerability allows remote code execution on the abacus server without user authentication," and "reachable Abacus Endpoints are the only prerequisite for an attack" — no credentials, no user interaction (Abacus Research AG, 2026-07-15). The vendor states the flaw is not limited by license or option: every on-prem Abacus ERP installation is affected, and End-of-Life V2023-and-earlier builds remain vulnerable with no fix planned. The second flaw (CVSS 7.7) is a path traversal in two APIs tied to the AbaClik / AbaClik.ai mobile companion apps that lets an authenticated caller read a subset of server files outside the application's security realm; NCSC-CH's load-bearing point is that these APIs are network-exposed by default even for customers who do not use the mobile apps (Abacus Research AG, 2026-07-15).

Both were found through Abacus's own bug-bounty program and the vendor reports no indication of exploitation in the wild. Internet-facing on-prem deployments are the acute case; an internal-only Abacus still carries the flaw but with the attack surface reduced to the internal network.

If successfully exploited, the vulnerability allows remote code execution on the abacus server without user authentication.

Reachable Abacus Endpoints are the only prerequisite for an attack.

No, the vulnerability was found in our bugbounty program. We have no indications of a successful attack in the wild.

Abacus Research AG
vulnerability17 Jul 04:35Zmulti-sourceOpen finding ↗
NOTABLECVE-2026-15718 +1NATOA2

Firefox 152.0.6 — chained WebAssembly memory-safety and DOM-navigation site-isolation flaws with public exploit code (CVE-2026-15718, CVE-2026-15719)

Mozilla released Firefox 152.0.6 on 2026-07-14 to fix two flaws NCSC-NL flagged on 2026-07-16 specifically because exploit code is public, which raises the likelihood of abuse (NCSC-NL, 2026-07-16). CVE-2026-15718 is an invalid-pointer memory-safety bug in the JavaScript engine's WebAssembly component; CVE-2026-15719 is a site-isolation bypass in the DOM Navigation component (Mozilla, 2026-07-14). The pairing matches the classic browser-exploit shape where a site-isolation bypass turns a memory-safety bug into cross-origin/sandbox-relevant code execution, needing only that a victim load a malicious page or a legitimate page serving a malicious ad. Severity ratings diverge across the primaries: Mozilla labels both flaws "Critical" impact, while NCSC-NL's CSAF record scores them CVSS 3.1 MEDIUM (CVE-2026-15718 base 4.3, CVE-2026-15719 base 5.4) — the individual base scores are moderate, and the operational concern is the chained code-execution potential plus the public exploit code, not a high CVSS. Crucially, Mozilla's own advisory text for both CVEs is explicit: "we are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw" — so the accurate status is public PoC, not confirmed exploitation, and the "zero-day exploited in attacks" framing carried by at least one vulnerability-scanner blog overstates the primary source.

We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw.

Mozilla Foundation Security Advisory mfsa2026-67

Mozilla geeft aan dat exploitcode voor de kwetsbaarheden publiek beschikbaar is. Dit vergroot de kans op misbruik.

NCSC-NL (NCSC-2026-0242)
vulnerability17 Jul 04:35Zmulti-sourceOpen finding ↗
03Research & investigative reporting2 items
NOTABLENATOB2

Kaspersky: the HelloNet campaign blinds user-mode security tools by hooking raw AFD IOCTLs, persisting via DLL-sideload into a secure-network product's own auto-updater

Kaspersky's GReAT team detailed "HelloNet," an APT campaign (active since at least May 2026) that abuses the update mechanism of ViPNet — a Russian GOST-certified secure-networking suite — to persist inside targeted Russian government, energy, transport, education, logistics and industrial organizations (Kaspersky Securelist, 2026-07-16). The attackers drop a malicious wtsapi32.dll into the ViPNet update directory that the OS-start-launched updater itcsrvup64.exe sideloads. That loader ("HelloInjector") injects a second stage ("HelloProxy") into svchost.exe — but only after verifying the target's name is svchost.exe and its command line carries netsvcs. HelloProxy's distinguishing move is defense evasion at the socket layer: it uses the Microsoft Detours library to hook NtDeviceIoControlFile, closesocket and shutdown, intercepting the raw AFD IOCTL codes AFD_RECV (0x12017) and AFD_GET_TDI_HANDLES (0x12037) so that, in Kaspersky's words, it can "hinder security solutions operating in user mode for filtering network connections." It then acts as a traffic proxy or in-memory loader for further modules — recovered examples include "HelloExecutor" (shell-command execution) and "HelloCleaner" (deletes ViPNet log files to hide activity) — and on one host the operators opened an SSH reverse tunnel using a legitimate Plink binary renamed frontpage.exe.

By placing the file in this directory, the attackers implement the DLL Sideloading technique — the ViPNet update system executable file itcsrvup64.exe, which is launched at OS startup, is susceptible to it.

These codes are used during socket operations — their interception allows the malware to hinder security solutions operating in user mode for filtering network connections.

At present, we link this campaign to the activities of an unknown Chinese-speaking APT group with a low degree of confidence.

Kaspersky Securelist (GReAT) 2026-07-16
research17 Jul 04:35Zsingle-sourceOpen finding ↗
NOTABLENATOB2

Microsoft: two parallel ACR Stealer intrusion chains — WebDAV/rundll32/Python with blockchain dead-drop C2, and a fileless MSHTA/steganography chain — both rooted in ClickFix

Microsoft Defender Experts documented two ACR Stealer delivery campaigns observed across customer environments from late April to mid-June 2026; ACR Stealer is a malware-as-a-service infostealer Microsoft states is "reportedly ... associated with the rebranding of Amatera Stealer" (Microsoft Threat Intelligence, 2026-07-16). Both begin with the same ClickFix lure (malvertising/SEO poisoning) but diverge sharply. In Chain 1 the ClickFix command spawns cmd.exe, which invokes rundll32.exe to load a DLL from a remote WebDAV share over HTTPS using a GUID-based directory structure disguised as legitimate resources; the most evasive variant launches through conhost.exe --headless with delayed-expansion obfuscation. A heavily obfuscated PowerShell stage downloads a ZIP into a masqueraded %LocalAppData%\Temp directory (e.g. "LogiOptionsPlus"), runs a bundled pythonw.exe, persists via a hidden scheduled task disguised as a software update, timestomps against notepad.exe and clears PowerShell history; a subset adds an "EtherHiding" loader that queries public blockchain RPC endpoints as a dead-drop resolver so infrastructure can rotate without redeploying malware. Chain 2 is fileless throughout: mshta.exe fetches remote HTA content whose VBScript decodes and launches in-memory PowerShell, and its distinguishing technique is steganographic delivery — a JPEG pulled from an image host carries an encrypted payload in its pixel data, decrypted and executed in memory via runtime-resolved LoadLibrary/VirtualAlloc/CreateThread. Both chains converge on DPAPI-based decryption of Chromium-based browser credential stores (passwords, cookies, auth tokens) plus enumeration of PDFs, M365 documents and OneDrive/SharePoint-synced data for exfiltration.

ACR Stealer is an information-stealing malware family reportedly offered through a malware-as-a-service (MaaS) model and associated with the rebranding of Amatera Stealer.

A notable variation in this campaign is the use of blockchain services for C2 resolution, utilizing a technique known as EtherHiding.

The malware (injected code) aggressively harvests information from browser credential stores. It invokes Windows Data Protection API (DPAPI) routines to decrypt locally stored browser passwords, cookies, and authentication tokens.

Microsoft Threat Intelligence
research17 Jul 04:35Zsingle-sourceOpen finding ↗
04Updates to prior coverage2 items
HIGHCVE-2026-58644exploitedupdateNATOA1

CVE-2026-58644 — SharePoint Server deserialization RCE moves from 'Exploitation More Likely' to confirmed exploited and CISA KEV-listed

UPDATE · originally covered July Patch Tuesday follow-through: a SharePoint pre-auth JWT bypass from a Pwn2Own chain (CVE-2026-55040) and a pre-auth Dynamics 365 RCE Microsoft expects to be exploited (CVE-2026-55944) (2026-07-15)

the 2026-07-15 entry carried CVE-2026-58644 as a CVSS 9.8 SharePoint deserialization RCE rated only "Exploitation More Likely," with its patch noted as having shipped in the June 2026 cumulative update. CISA has now confirmed it is being exploited in the wild: its SharePoint alert, updated 2026-07-16, states CISA "is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances," and CISA added CVE-2026-58644 to the KEV catalog the same day (CISA, 2026-07-16). The alert describes the cluster's post-exploitation as stealing IIS machine keys — the ASP.NET view-state signing/encryption keys — and using deserialization techniques to gain persistence and deploy malware, so the machine key, not the single CVE, is the durable foothold once any of the four is exploited.

CISA is aware of active exploitation of vulnerabilities CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, and CVE-2026-58644, enabling cyber threat actors to gain unauthorized access to on-premises SharePoint Server instances.

CISA has updated this Alert to reflect the addition of CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) Catalog on July 16, 2026.

CISA 2026-07-16
vulnerability17 Jul 04:35Zmulti-sourceOpen finding ↗
Sources: CISA · Microsoft MSRC
NOTABLEupdateNATOA1

Scattered Spider duo sentenced to 5.5 years each over the 2024 Transport for London intrusion — court evidence details the helpdesk-vishing/MFA-reset chain

UPDATE · originally covered Two Scattered Spider members plead guilty over the 2024 Transport for London intrusion (2026-06-23)

the guilty-plea entry recorded that two Scattered Spider members admitted the 2024 TfL intrusion but did not carry the access mechanics. The 2026-07-16 sentencing (five years six months each, at Woolwich Crown Court) put the chain on the court record, and it is the reason to revisit this. The pair bought partial TfL employee credentials from criminal forums, then "impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account" and, over multiple attempts, reset the account's 2FA, using the reset credentials for initial and sustained access (The Register, 2026-07-16). The NCA confirmed the impact scale — "a total of 148 systems became inoperable, including critical ones that required significant manual workarounds and delays" (NCA, 2026-07-16) — and TfL later established that data on roughly 7 million users had been accessible, far beyond the ~5,000 initially believed (The Register, 2026-07-16). The CPS put the remediation cost at £29 million (CPS, 2026-07-16).

a total of 148 systems became inoperable, including critical ones that required significant manual workarounds and delays.

UK National Crime Agency

Flowers and Jubair purchased partial TfL credentials from "well-known criminal forums" and used those to reset the 2FA on employee accounts, a process that took multiple attempts.

Woolwich Crown Court heard that the pair impersonated an employee and socially engineered a TfL helpdesk worker into resetting the password for their account.

The Register 2026-07-16
incident17 Jul 04:35Zmulti-sourceOpen finding ↗
05Action items5 items
Verification & coverage notes1 run

2026-07-17T0409Z-intel · Claude Opus 4.8 · window 26 h · 8 entries published

Verification & coverage notes

Verification. Five iterations (Opus/Sonnet rotation). All defects were minor and each was remediated: iter1 (Opus) — TfL figure misattribution (F3) + spliced Register evidence quote (F4); iter2 (Sonnet) — CLEAN; iter3 (Opus) — ACR Stealer "Firefox" overclaim (F4, Firefox does not use DPAPI) + Talos Polygon-address-in-evidence (F11 advisory, removed for no-IOC); iter4 (Sonnet) — TfL NCA quote truncation (F4) + Firefox Mozilla-Critical/NCSC-NL-MEDIUM severity divergence (F9, surfaced); iter5 (Opus) — CLEAN. Published fail-open on the single final CLEAN at the cap (iter4 was NEEDS_FIXES, leaving no room for a confirming pass) — see verification.confirmation_waived. No broken URL and no unresolved hallucinated fact remained; entries_dropped_by_verification: 0.

Window. Standard 26 h window (gap 24 h since the previous run 2026-07-16T0409Z-intel). No scheduler outage; no closed-source intel drops (no S5). All four research sub-agents returned within cap (longest S2 at 857 s). Main run 38 min — well inside the watchdog budget.

Published (8): 6 new + 2 updates.

  • abacus-erp-unauth-rce-path-traversal-ncsc-ch (vuln, high) — Swiss home-region flagship: unauthenticated RCE (vendor-rated CVSS 9.8, no CVE assigned) in the Abacus client-server protocol, plus an authenticated path traversal in the AbaClik/AbaClik.ai APIs; NCSC-CH flagged both 2026-07-16. Included on the strong Switzerland/public-sector nexus + pre-auth severity + national-CERT flag despite no confirmed exploitation.
  • cve-2026-58644-sharepoint-confirmed-exploited-kev (vuln, high, update_of 2026-07-15) — exploitation-status delta: CISA now lists CVE-2026-58644 among actively-exploited on-prem SharePoint CVEs and KEV-listed it 2026-07-16. Framed around the exploitation confirmation, not the US FCEB deadline (PD-13).
  • firefox-152-0-6-wasm-site-isolation-public-exploit (vuln, notable) — CVE-2026-15718/-15719 chained WASM/site-isolation flaws, public exploit code, no confirmed ITW; NCSC-NL flag 2026-07-16.
  • talos-uat-11795-starland-rat-wldr-c2 (threat, notable) — new actor UAT-11795; Starland RAT + Polygon blockchain dead-drop + bespoke WLDR PowerShell C2.
  • kaspersky-hellonet-vipnet-updater-sideload-afd-ioctl (research, notable) — transferable technique (trusted-updater DLL sideload + AFD-IOCTL interception blinding user-mode EDR); framed around the technique, not the Russian victimology.
  • microsoft-acr-stealer-two-clickfix-intrusion-chains (research, notable) — two ClickFix chains (WebDAV/EtherHiding + fileless MSHTA/steganography), reusable discriminators.
  • garante-wind-tre-vishing-api-enumeration-fine (incident, notable) — EU/telco DPA enforcement; transferable vishing→cert-theft→unprotected-secondary-API enumeration TTP.
  • scattered-spider-tfl-sentencing-helpdesk-vishing (incident, notable, update_of 2026-06-23) — sentencing + court-record helpdesk-vishing/MFA-reset chain detail.

Dropped — duplicate coverage (dedup):

  • FortiSandbox CVE-2026-25089/-39808 KEV addition — the CVEs and campaign (campaign:fortisandbox-triple-active-exploitation) are already covered by existing entries; today's only delta is the KEV listing, which per policy never opens an update entry (exploitation already confirmed and published ~2026-06-17).
  • Siemens SICAM 8 CISA ICSA-26-197-05 — CVE-2026-54798/-54799/-54800/-54801 already covered by entries/2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass.md; the CISA advisory is the US relay of the same Siemens SSA-229470 disclosure.

borderline-drop: Unit 42 AI-lens IR-report revisit — low technical/detection depth; a strategic-horizon trend synthesis revisiting a 5-month-old (Feb 2026) report, which belongs to the weekly run, not an operational intel fire; cites JADEPUFFER already covered.

Out-of-window / not-established (logged for the next run):

  • Hoymiles solar-inverter DTU-protocol flaw (CCC) and BSI Windows Hello for Business analysis — primary publications 2026-07-15, before the 26 h cutoff; energy-CI-relevant Hoymiles item re-enters if exploitation or a fresher advisory lands.
  • Cursor IDE git.exe auto-execution zero-day (Mindgard) — out-of-window (2026-07-14), dev-tooling.
  • borderline-drop: Zoom Windows-client account-takeover CVE-2026-53412 — single trade-press (heise) mention 2026-07-16; no confirmed exploitation, no public PoC, no pre-auth detail establishing out-of-band urgency, so not established as beyond the regular patch cycle.

Single-source / carve-outs. Abacus is carried as multi-source (vendor PSIRT for its own product + NCSC-CH national relay, both Admiralty A). UAT-11795 (Talos), HelloNet (Kaspersky) and ACR Stealer (Microsoft TI) are single-source — each a high-reliability research lab reporting its own investigation, with sourcing_note stating so. Firefox is multi-source (Mozilla MFSA + NCSC-NL). SharePoint update, Wind Tre and TfL are multi-source.

Source-quality flag carried into composition. At least one aggregator (Qualys ThreatPROTECT) headlined the Firefox CVEs as an exploited zero-day, contradicting Mozilla's own advisory ("exploit code is public … not aware of any attacks in the wild"). The entry carries Mozilla's primary-source status and explicitly does not carry the aggregator over-claim.

Attribution discipline. HelloNet's Chinese-speaking attribution is Kaspersky's own low-confidence assessment on artifacts it flags as possibly unintentional/false-flag; no nexus tag is asserted on the entry or the registry record.

Deep dive: none. No candidate cleared the reserved bar — no item combined active in-the-wild exploitation with constituency exposure or a home-region nexus (criteria 1–2); the strongest technical items (UAT-11795, ACR Stealer) are cross-sector opportunistic crimeware, covered adequately as standard entries. deep_dives_today was 0 before this run.

Watchlist: not applicable — no product or supplier watchlist configured for this deployment (S1 products checked=0, S4 suppliers checked=0).

Essential-coverage: missed=cisa-directives (not attempted this run; CISA binding operational directives are low-frequency and none is in-window — attempt restored to S1's allocation next run).

Coverage gaps: censys-blog (empty feed at research time; probed OK in Phase 5 health sweep); govcert-at (RSS empty/possibly-stale — CERT.at EN blog checked directly, newest post 1 June, no in-window item); cnil-fr, edpb (SPA/JS-rendered listings returned navigation chrome only via the reader — recommend a structured-endpoint recipe); group-ib, sophos-threat-research, nozomi-networks (JS-only listings with no visible dates — no confirmed in-window item, treated as unconfirmed not empty).