Cyber Security Week in Review: July 3, 2026


The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Microsoft SharePoint Server vulnerability (CVE-2026-45659) to its Known Exploited Vulnerabilities (KEV) catalog after confirming it is being actively exploited. The flaw allows remote code execution through unsafe data deserialization and was patched by Microsoft in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The agency didn’t disclose the type of attacks the flaw was exploited in.

Cisco fixed several high-severity vulnerabilities (CVE-2026-20213, CVE-2026-20214, CVE-2026-20215) in its ClamAV engine that could let remote attackers crash the antivirus scanning process, causing a denial-of-service (DoS). The issues affect Windows, Linux, and macOS.

JetBrains has released security updates to address a number of vulnerabilities affecting several on-premises products, including Hub, YouTrack, TeamCity, IntelliJ-based IDEs, Kotlin, and GoLand. The flaws could allow attackers to bypass authentication, take over accounts, or execute remote code.

Citrix NetScaler ADC and NetScaler Gateway received security fixes for multiple vulnerabilities. The flaws could allow attackers to read arbitrary files or cause a denial-of-service (system crash or disruption).

Maintainers of WinRAR released version 7.23 that fixes an out-of-bounds heap write vulnerability in RAR5 recovery volume processing. The bug could be triggered using malicious .rev files and may cause crashes or potentially be exploited for further attacks.

Adobe rolled out security fixes for Adobe ColdFusion and Adobe Campaign Classic that patch nearly a dozen vulnerabilities. Some issues could allow unauthenticated attackers to achieve remote code execution on unpatched systems.

Threat actors behind the Anubis ransomware are using the Citrix Bleed 2 flaw (CVE-2025-5777) to gain initial access to systems. The threat actors leverage legitimate remote administration tools like ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment to stay hidden and maintain control. Threat actors typically target high-value infrastructure such as Microsoft Remote Desktop Services servers, domain controllers, hypervisors, backup-adjacent systems, and Network-Attached Storage (NAS) devices.

Hackers are exploiting a recently disclosed security flaw in the SimpleHelp remote management platform to install a new information-stealing malware called Djinn Stealer. The vulnerability, tracked as CVE-2026-48558, affects SimpleHelp servers using OpenID Connect (OIDC) authentication. Attackers used the flaw to gain technician-level access to a SimpleHelp server before installing the TaskWeaver malware loader and Djinn Stealer.

The Russia-linked state-sponsored hacker group Gamaredon continued expanding its malware toolkit while carrying out cyberattacks against Ukraine throughout 2025. Slovakian cybersecurity vendor ESET said it observed 35 spear-phishing campaigns targeting new victims, mostly during the second half of the year. The main targets were Ukrainian government and military organizations. Gamaredon's main goal remains stealing sensitive information that could support Russian interests in the war against Ukraine.

The Russian state-backed hacking group Turla has spent years developing and deploying a previously undocumented malware strain called 'StockStay' to conduct cyber espionage against Ukrainian government and military organizations. While its primary targets were Ukrainian government and defense entities, malware samples were also identified in Italy, the Netherlands, Poland, and Germany.

The US Department of State is offering a reward of up to $10 million for information that helps identify or locate members of the UNC5792 and UNC4221 hacker groups, which authorities say are linked to Russia's intelligence and military services.

Palo Alto Networks' Unit 42 released a report detailing a China-linked activity cluster targeting government entities and critical infrastructure in Southeast Asia, especially state-owned energy and government organizations. The group, tracked as CL-STA-1062, has been active since at least March 2022 and is believed with high confidence to be the same group previously known as UAT-7237, linked to attacks on web hosting infrastructure in Taiwan in mid-2025. The group's arsenal includes a mix of common open-source tools like SoftEther VPN, Mimikatz, and VNT, as well as a new addition: a custom backdoor called 'TinyRCT.'

Acronis researchers found two cyber-espionage campaigns linked to a China-backed group, known as Mustang Panda, targeting India’s government and hydropower sector. The attackers used phishing emails with ZIP files to deliver malware. The campaigns used the SHARDLOADER loader to start the infection, the MINIRECON backdoor, and the ZOHOMURK tool, which hides communication using Zoho WorkDrive for remote control.

Recorded Future’s Insikt Group found new infrastructure linked to the TAG-182 threat group, which spreads MarkiRAT malware as part of Iranian surveillance operations. The group is likely targeting Iranians inside and outside the country using fake tools and VPN apps as bait, and is actively operating on social media platforms like Instagram.

SocRadar has linked a financially motivated campaign called FortiBleed to the INC and Lynx ransomware groups. Attackers scanned over 11,000 FortiGate portals worldwide, gained admin access to 409 systems, and fully compromised 354 of them. The stolen access was then used to deploy ransomware at least 12 times, encrypting hundreds of endpoints across different organizations, according to the researchers. Tooling, activity logs, and working patterns suggest the operation is carried out by a Russian-speaking threat actor likely acting as an initial access broker. The campaign has mainly targeted manufacturing, technology, and logistics organizations, especially in Latin America and the Asia-Pacific region.

The Sysdig Threat Research Team discovered what they believe is the first known case of AI-powered (agentic) ransomware. The attacker, called Jadepuffer, used a security flaw (CVE-2025-3248) to break into a Langflow server, then automatically carried out an attack using a large language model (LLM). The attack eventually reached the victim's production database, where the attacker encrypted or destroyed data and demanded payment.

Separately, security researchers at Trend Micro have discovered and analyzed a cryptocurrency-mining campaign exploiting CVE-2026-33017, an unauthenticated remote code execution (RCE) vulnerability in the Langflow AI application framework.

Google has published a comprehensive report examining Russia's current influence operations, their objectives, and the key actors involved. Despite the Trump administration's comparatively friendly stance toward the Kremlin, Russia's information operations continue to pursue their longstanding goal of undermining US and European influence around the world.

A Russian influence operation, dubbed ‘Roska Bridge,’ spreads coordinated anti-Western and anti-Ukrainian propaganda by exploiting decentralized social media platforms like Mastodon and cross-posting content to Bluesky using Brid.gy. It targets audiences in Ukraine, France, Germany, the United States, and Russia and also promotes the Russian state-backed messaging app Max.

In coordination with the FBI, Lumen, and other partners, Google took action against the NetNut residential proxy network, also known as Popa. As part of the operation, Google disabled accounts and services used by NetNut for malware command-and-control (C&C) activities. Google also believes that many well-known residential proxy brands are actually reselling or white-labeling access to the NetNut botnet.

Huntress detected a large automated password spray attack targeting Microsoft's Azure CLI. Attackers made over 81 million login attempts and successfully compromised at least 78 Microsoft accounts by using old, previously leaked usernames and passwords that had not been changed.

The company also spotted another attack, where threat actors used various techniques, including steganography and timestomping, to hide their activity. The attacker attempted to disable Microsoft Defender, stop Sysmon and Filebeat logging, uninstall the ModSecurity WAF, and weaken WDigest credential protection. The attacker then ran Mimikatz to dump credentials.

Microsoft has removed 119 malicious extensions from the Edge Add-ons store after uncovering a long-running campaign that used hidden code to steal user data and carry out ad fraud. The campaign, called ‘StegoAd,’ had been active since at least 2021. The extensions were disguised as popular tools such as ad blockers, VPNs, translators, and video downloaders.

A malicious campaign, dubbed 'Operation Navy Ghost,' has been observed targeting Python developers building Telegram bots by publishing malicious versions of the popular Pyrogram library to the Python Package Index (PyPI). Attackers published at least eight fake Pyrogram packages that included the original code along with a hidden backdoor (secret.py). All of the packages were forks of the legitimate Pyrogram project, the researchers said.

Security researchers at LayerX have detailed a new technique, called ‘BioShocking,’ that can trick AI-powered browsers into ignoring built-in safety rules. The attack affects AI browsers and assistants that can perform actions on a user's behalf, such as clicking links, filling out forms, and accessing signed-in accounts.

On the same note, new research from Microsoft shows that AI agents can be tricked into sharing sensitive information without breaking any rules.

Montenegrin authorities have arrested an Iranian-Turkish dual national wanted by the US on charges related to a long-running cybercrime campaign that allegedly caused more than $3.4 billion (€2.98 billion) in damages. Officials said the attacks targeted more than 150 US universities, from which the threat actors stole academic research and data.

A 19-year-old dual US and Estonian citizen was extradited to the United States to face charges linked to the Scattered Spider hacking group. Peter Stokes was arrested in Finland in April while trying to board a flight to Japan. US prosecutors say he helped carry out cyberattacks that targeted several major companies and led to ransom demands worth millions of dollars.

Ukrainian cyber police dismantled a scam call center that defrauded US citizens of over $500,000. The group ran fake investment schemes, posing as financial advisors and convincing victims to invest in cryptocurrency and stocks through fraudulent platforms. They used English-speaking operators from different regions to contact victims and then transferred the stolen money through crypto wallets.
