2026-07-09T0409Z-intel
One pipeline fire, in full · intel run of 2026-07-09 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-09/2026-07-09T0409Z-intel.md.
Run telemetry
- Items returned
- 4
- Duration
- 13m 15s
- Tool calls
- 20 WebFetch6 WebSearch17 bridge
- Cited sources
- 4 of 25 in slice
- Items returned
- 2
- Duration
- 12m 15s
- Tool calls
- 3 WebFetch9 WebSearch24 bridge
- Cited sources
- 2 of 17 in slice
- Items returned
- 5
- Duration
- 9m 40s
- Tool calls
- 12 WebFetch6 WebSearch24 bridge
- Cited sources
- 4 of 25 in slice
- Items returned
- 1
- Duration
- 6m 38s
- Tool calls
- 7 WebFetch6 WebSearch11 bridge
- Cited sources
- 2 of 10 in slice
Verification
Deep dive
2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery
Entries published (this run)
- Check Point: Iran MOIS-linked "Cavern Manticore" ships a modular .NET C2 that uses three compilation formats as an anti-analysis layer, delivered via SysAid RMM abuse threat notable
- CVE-2026-48614 — Plesk XML API code injection: authenticated low-privilege user to root (CVSS 9.9) vulnerability notable
- CVE-2026-53359 — Linux KVM/x86 "Januscape": shadow-MMU use-after-free enables guest-to-host VM escape on Intel and AMD vulnerability high
- ESET Threat Report H1 2026: first Android malware using generative AI at runtime, ClickFix detections more than double, record QR-phishing, 100+ EDR-killers annual-report notable
- GhostApproval (CVE-2026-12958, CVE-2026-50549) — symlink + confirmation-UI misrepresentation lets a malicious repo write outside six AI coding assistants' workspace sandbox vulnerability notable
- Git commit-signature malleability mints a second "Verified" GitHub commit with a different hash — defeating hash-based blocklists research notable
- Mandiant "Ghost in the Database": recovering an active ADFS token-signing key from Machine DPAPI when the WID/DKM Golden SAML path fails research notable
- Nayax (Bank-of-Lithuania-licensed EEA payment institution) discloses a cloud-account incident; "The Syndicate" claims 1B card records — claim unverified and contradicted by the filing incident notable
- Sygnia: an AI-orchestrated AWS intrusion reached broad compromise in ~72 hours — four keys from four accounts used from one source in the same second research notable
- CERT Polska: UNC1151/Ghostwriter shifts to Gmail with real-time 2FA-relay phishing against officials and public administration threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
1 last_successful_fetch=2026-07-09 (fetched, quiet-but-authoritative) · 1 last_successful_fetch=2026-07-09 (used — GhostApproval) · 1 last_successful_fetch=2026-07-09 (used — Januscape) · 1 last_successful_fetch=2026-07-09 (used — Git malleability) · 1 last_successful_fetch=2026-07-09 (used — UNC1151) · 1 last_successful_fetch=2026-07-09 (used — Plesk) · 1 last_successful_fetch=2026-07-09 (used — ADFS deep dive) · 1 last_successful_fetch=2026-07-09 (used — Cavern Manticore) · 1 last_successful_fetch=2026-07-09 (used — ESET Threat Report H1 2026) · 1 last_successful_fetch=2026-07-09 (used — Nayax 6-K) · 1 last_successful_fetch=2026-07-09 (used — Nayax corroboration) · 1 notes appended — CERT-FR fetch_source feed returns oldest-first; recheck ordering when assessing freshness (self-evolution follow-up).
| Source | Change | From → To | Reason |
|---|---|---|---|
| cisa-kev | last_successful_fetch=2026-07-09 (fetched, quiet-but-authoritative) | — → — | |
| wiz-blog | last_successful_fetch=2026-07-09 (used — GhostApproval) | — → — | |
| bleepingcomputer | last_successful_fetch=2026-07-09 (used — Januscape) | — → — | |
| hackernews | last_successful_fetch=2026-07-09 (used — Git malleability) | — → — | |
| cert-pl | last_successful_fetch=2026-07-09 (used — UNC1151) | — → — | |
| ccb-belgium | last_successful_fetch=2026-07-09 (used — Plesk) | — → — | |
| mandiant-gtig | last_successful_fetch=2026-07-09 (used — ADFS deep dive) | — → — | |
| checkpoint-research | last_successful_fetch=2026-07-09 (used — Cavern Manticore) | — → — | |
| eset | last_successful_fetch=2026-07-09 (used — ESET Threat Report H1 2026) | — → — | |
| sec-disclosures-edgar | last_successful_fetch=2026-07-09 (used — Nayax 6-K) | — → — | |
| databreaches-net | last_successful_fetch=2026-07-09 (used — Nayax corroboration) | — → — | |
| anssi-fr | notes appended — CERT-FR fetch_source feed returns oldest-first; recheck ordering when assessing freshness (self-evolution follow-up) | — → — |
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| industrialcyber-co | https://industrialcyber.co/ | webfetch → bridge:url → bridge:jina | 403 transport-403 Standing Cloudflare-class block reproduced even via the jina reader proxy (S3). Known recurring transport block, not source death — no demotion (403 rule). | No OT/ICS-specific in-window item confirmed via alternate routes; flagged for a future run to find an alternate OT/ICS source or recipe. Standing recipe gap. |
| cisa-advisories | https://www.cisa.gov/news-events/cybersecurity-advisories | webfetch → bridge:url → bridge:jina | 200 unstructured-listing JS-rendered filter/listing shell returned only the filter UI, no advisory list items, on direct fetch and jina reader (S1). No structured bridge listing endpoin | CISA KEV catalog (structured API) fetched successfully — no new KEV additions since catalogVersion 2026.07.07, so exploitation ground-truth is covered; a non-KE |
| cisa-directives | https://www.cisa.gov/news-events/directives | webfetch → bridge:url → bridge:jina | 200 unstructured-listing Same JS-rendered filter/listing shell as cisa-advisories; no structured bridge endpoint (S1). No in-window directive signal found via cross-checks. | Cross-checked BleepingComputer/Hacker News for any CISA-directive story in-window — none. Recipe gap unchanged. |
Bridge invocations (this run)
5 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- ×5
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #? NEEDS_FIXES · 4 findings (truth=2, editorial=1, advisory=1) · Claude Opus 4.8 · 10m 38s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | evidence[0] quote ('Attackers who obtain the active private key can forge SAML assertions for any user in a federated environment') was not a verbatim substring of the Mandiant page; claim source-accu | Replaced evidence[0] with the verbatim Mandiant string ('Successfully obtaining this active key allows an attacker to forge valid SAML assertions for any user, | |
| F4 hallucinated-fact | — | The Bank-of-Lithuania / EEA / Switzerland nexus facts (the entry's inclusion basis) were absent from all three cited sources, and 'across the EEA, including Switzerland' is geographically wrong (Switz | Main agent re-fetched Nayax's own licensing announcement (nayax.com/news/payment-institute-license/, confirms Bank-of-Lithuania PI licence + '23 million enterpr | |
| F17 ? | — | classification.reliability: A exceeded the source's own tier (mandiant-gtig reliability=B in sources.json). | Set classification.reliability: B to match the mandiant-gtig source tier. | |
| F11 editorial-advisory | — | Workflow-internal policy shorthand leaked into reader-facing text: 'per PD-9 … not a re-summary target' (ESET body) and 'per PD-6' (Nayax sourcing_note). | Reworded both without the PD references ('a single reference entry for ESET's semi-annual H1/H2 report cadence'; 'reported as an attributed claim, not as fact') |
Iteration #? NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Opus 4.8 · 7m 18s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F12 single-source-flag-missing | — | verification: multi-source, but both cited references (WeLiveSecurity report + the GlobeNewswire item, which is ESET's own press release) are ESET's first-hand statement, not independent corroboration | Changed verification to single-source and added a sourcing_note noting both references are ESET's own first-hand statement (expected shape for a named vendor's | |
| F4 hallucinated-fact | — | evidence[2] spliced two source sentences across an inserted ellipsis not present in the original, so it was not a strict verbatim substring (facts accurate). | Main agent re-fetched the Sygnia page and replaced evidence[2] with the exact contiguous verbatim text ('multiple attacker-created artifacts were framed as part |
Iteration #? NEEDS_FIXES · 4 findings (truth=3, editorial=0, advisory=1) · Claude Opus 4.8 · 8m 20s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | — | The stable backport version list (6.1.177/6.6.144/6.12.95/6.18.38/7.1.3) was in no cited source — BleepingComputer lacks it, V4bel gives only the commit range, kernel.org is the mainline commit with n | Main agent re-fetched V4bel repo (gives vulnerable range 2032a93d66fa 2010-08-01 -> fix 81ccda30b4e8 2026-06-16 only). Removed the unsourced version list from f | |
| F3 claim-not-supported | — | CVSS 9.9 + vector attributed to Plesk's advisory, which carries no CVSS — the score is on the co-cited CCB advisory. | Main agent re-fetched both advisories: CCB carries 'CVE-2026-48614: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)'; Plesk carries the version table (affect | |
| F4 hallucinated-fact | — | evidence[2] (SACL/Event-ID-4663 quote) was an ellipsis-splice, not a contiguous verbatim substring. | Replaced with the exact contiguous Mandiant text ('Configure object access auditing via SACLs on C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\ and C:\\ | |
| F11 editorial-advisory | — | Plesk/CCB source-date ambiguity (CCB advisory 2026-07-08 vs Plesk 2026-07-03) — advisory only. | No change needed; both dates are stated correctly on their respective sources and in the entry's sources[] (Plesk 2026-07-03, CCB 2026-07-08); event_date 2026-0 |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-07-09T0409Z-intel · Claude Opus 4.8 · window 24 h · 10 entries published
Verification & coverage notes
Window. Intraday fire, gap 8 h from the previous run (2026-07-08T2009Z-intel). Window held at the 24 h floor (developing window 72 h). Dedup ran against the full 14-day prior_coverage.json (140 records, incl. the 2026-07-08 run and the W27 weekly) plus the store-wide CVE index. No in-window intel/ drops — no S5 spawned. No watchlists configured — no Watchlist: line, product/supplier sweeps are no-ops (S1 products checked=0, S4 suppliers checked=0).
Volume note. 10 entries on an 8 h intraday fire is larger than a typical intraday window, and it reflects genuinely-new, never-before-published signal — not cadence inflation (dedup confirmed every entry is new). Three items are developing-window first-coverage the prior 64 h-window run did not surface: Januscape (source 2026-07-07, ~30 h), the Mandiant ADFS Golden SAML write-up (2026-07-07, ~38 h), and Cavern Manticore (2026-07-06, ~40 h). All three are outside the strict 24 h window but inside the 72 h developing window and were never covered by any prior run; they are published as first-coverage of significant developing stories with event_date set to the true source date, per PD-7. The remaining seven are fresh 2026-07-08 items.
GhostApproval de-duplication. Both S1 and S3 independently surfaced Wiz's GhostApproval. Merged into one entry using S1's richer multi-source corroboration (Wiz + AWS GHSA-6v3r-4p5c-mrp5 + Cursor GHSA-3v8f-48vw-3mjx). Reported faithfully incl. Anthropic Claude Code's "outside our threat model" response and its v2.1.32 symlink warning — no sanitisation of a finding that names the producing vendor's own product.
Deep dive. mandiant-adfs-machine-dpapi-golden-saml-key-recovery (identity-infra) — selection criterion 3 (substantive new technical analysis with actionable public detail). Category rotation-fresh: the last identity-infra deep dive was Keycloak (2026-06-28, >7 days). window24h.deep_dives_today was 0 at run start. One deep dive this fire. Background paragraph (PD-10) cites the 2017 CyberArk Golden SAML disclosure and Mandiant's earlier UNC2452 ADFS work.
Single-source / carve-outs.
- UNC1151/Ghostwriter Gmail 2FA phishing —
single-source-national-cert(CERT Polska / NASK, Admiralty A, for its own jurisdiction). - Sygnia AI-orchestrated AWS intrusion —
single-source(Sygnia, Admiralty B); the AI-orchestration read is Sygnia's assessment from tempo/artefacts, framed as assessed not proven (credibility: 3). - Cavern Manticore —
single-source(Check Point Research, Admiralty B); Israel-targeted, included on transferable technique class (PD-11 d) + same-actor-class relevance (Iran MOIS also targets EU public sector) (credibility: 3). - Nayax — victim's own SEC Form 6-K is the fact base (victim-disclosure carve-out) + DataBreaches.net/Calcalistech corroboration →
multi-source; "The Syndicate"'s 1B-record/100TB/~1yr figures reported as an unverified attributed leak-site claim per PD-6, with the internal contradiction against the "immediately contained" filing surfaced explicitly (credibility: 3).
borderline-drop: CVE-2026-11405 (Tenda router httpd hidden backdoor) — CVSS 9.8, CERT/CC VU#213560, but Tenda is a consumer/SMB router brand with no Swiss/EU public-sector or critical-infrastructure nexus; generic hardcoded-backdoor lesson, not a product the constituency runs, no novel transferable TTP. Out of scope per the PD-11 scope gate (doubt about relevance-to-constituency resolves to drop). Recoverable if it turns up in a constituency estate.
borderline-drop: PDAG (Psychiatrische Dienste Aargau) cantonal-healthcare mailbox-takeover / phishing-relay — a real Swiss home-region public-sector/healthcare incident (S2 lead; main-agent spot-check confirmed the inside-it.ch RSS lead but the article URL 403'd on direct, jina and bridge transports, and no PDAG statement URL or second source surfaced). Dropped on two grounds: single-source (inside-it.ch, Admiralty C news) with no independently-fetchable victim/CERT primary to satisfy two-source or a carve-out, and modest technical depth — generic BEC mailbox-takeover → spam/phishing relay with no root cause, TTP, or new action beyond the already-covered M365 mailbox-takeover pattern. Recoverable if a fuller disclosure (PDAG statement / NCSC-CH pickup) lands.
out-of-window drops (S-agent level). S3: CrowdStrike prompt-injection post and Seqrite Operation DragonReturn — listing-page dates misaligned with true Published-Time metadata (2026-05-20 and 2026-06-26 respectively); excluded once confirmed out of window. S2: a "Swiss federal administration DDoS" WebSearch lead was recycled Jan-2025 news (radiolac.ch) — discarded as a recency trap. S1: Exodus msi.dll LPE write-up covers CVE-2025-27727 (patched April 2025) — retrospective, low current urgency, dropped.
Coverage gaps: cisa-advisories, cisa-directives, cisa-news (JS-shell listing pages; no structured bridge endpoint — KEV API covered exploitation ground-truth, a non-KEV in-window advisory may have been missed); cert-eu (feed stale to 2026-06-10, 200 OK not a transport failure); industrialcyber-co (standing 403/Cloudflare block, jina reader also blocked — no demotion); zimperium-zlabs, aikido-security (SPA nav-chrome only via jina — need a structured listing/sitemap recipe); jpcert (not fetched — time budget, no evidence of a missed in-window item); calif-codex, vulncheck, socket-dev-blog RSS empty via jina (HTML fallback showed nothing newer in-window / cross-domain items left to S3/S4).
Essential-coverage: missed=cisa-advisories, cisa-directives (JS-shell listing pages unreadable via current bridge recipes; KEV API — the exploitation ground-truth for both — fetched successfully, so no new exploited-flaw signal was missed).
Verification loop: 4 iterations (1 Opus, 2 alt-slot, 3 Opus, 4 alt-slot) → CLEAN on iteration 4. Iteration 1 found 4 (2 truth incl. 2 F4, 1 editorial F17, 1 advisory); iteration 2 found 2 (1 F12 editorial, 1 F4 truth); iteration 3 found 4 (3 truth: F4 Januscape version list, F3 Plesk CVSS attribution, F4 Mandiant quote-splice; 1 advisory); iteration 4 CLEAN. All remediations traced to sources re-fetched during the fix cycle. No entries dropped by verification.
AI-content transparency — verifier model rotation did NOT take effect this run. The prompt rotates verifiers Opus (odd) / Sonnet (even, cti-verification-alt). All four verifier spawns — including iterations 2 and 4, the alt-slot Sonnet-pin — reported **Model:** Claude Opus 4.8 (claude-opus-4-8) from the authoritative CLAUDE_FRIENDLY_NAME/CLAUDE_MODEL_ID env vars. The iteration 4 verifier explicitly flagged the discrepancy. In this cloud container the env vars appear to pin every spawn to Opus 4.8 regardless of the agent definition's model: frontmatter, so model diversity across iterations was not achieved (iteration 2 was recorded verbatim as Opus 4.8, corrected from an initial mis-assumption of Sonnet). Operator follow-up: confirm whether the routine container is meant to honour per-agent model frontmatter or whether the Opus pin is intentional; the rotation's blind-spot-catching benefit is currently a no-op.
Self-evolution follow-up (noted, not actioned this run): CERT-FR (anssi-fr) fetch_source.py feed returns items oldest-first; a default N=20 surfaces stale entries instead of the latest bulletin. Note appended to the source record; a bridge-tooling fix (reverse/most-recent-first ordering for CERT-FR feeds) is a candidate for a future run.
← Operations dashboard · day page 2026-07-09 · run-record contract: docs/pipeline.md