Cyber Security Week in Review: July 10, 2026

 

Cyber Security Week in Review: July 10, 2026

Threat actors have begun exploiting a recently disclosed Adobe ColdFusion security flaw, tracked as CVE-2026-48282. The vulnerability affects ColdFusion 2025.9, 2023.20, and earlier versions. It allows attackers to run code on vulnerable systems without needing special access.

BeyondTrust has warned users to update its Remote Support (RS) and Privileged Remote Access (PRA) software to fix multiple high-risk security flaws. The vulnerabilities could allow attackers to bypass authentication and gain unauthorized access to vulnerable systems, including accounts with elevated privileges. Affected versions are 25.3.2 and earlier.

Lab52 has detailed a PSYOP structure within the Russian military, including the military unit 67606, aka the 127th Separate Reconnaissance Brigade, a special purpose unit inside the Russian military intelligence whose primary mission is deep reconnaissance behind enemy lines.

SentinelLABS has detailed a series of intrusions where suspected China- and India-linked threat actors targeted Pakistani law enforcement between 2024 and 2026, with both focusing on the Balochistan Police, the principal police force serving the eponymous Pakistani province. The attackers compromised systems containing sensitive police and citizen data and used malware including PlugX, ShadowPad, Cobalt Strike, and Remcos.

A Chinese hacking group tracked as UAT-7810 is evolving its malware toolkit to expand its Operational Relay Box (ORB) network by targeting internet-facing networking devices, mainly unpatched Ruckus routers. The group mainly gains access by exploiting known security flaws in Ruckus routers and ASUS AiCloud routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717).

A suspected China-aligned threat cluster, tracked as UNK_MassTraction, is exploiting vulnerable Roundcube webmail servers at physics and engineering departments across major universities in the US and Canada. The campaign appears focused on institutions involved in astrophysics, particle physics, and research with national security relevance.

On the same note, Taiwanese authorities have charged two local businessmen with helping Chinese cyber spies by supplying LINE instant messaging accounts used in cyber-espionage operations targeting Taiwan's political and academic communities.

A threat actor known as Lurking Lizard has been linked to a large-scale malicious residential proxy operation built on more than 230 lookalike domains. The campaign, active since at least August 2022, uses fake 7zip installers and fake websites to turn victims' devices into proxy nodes.

Researchers at Seqrite have uncovered a targeted spear-phishing campaign orchestrated by the Rare Werewolf threat group aimed at organizations in the Russian aerospace and electronics sectors. The attackers used a portable copy of AnyDesk for access.

An Iranian hacking group linked to Iran's MOIS has been observed using a previously undocumented modular command-and-control (C&C) framework called Cavern (also known as Cav3rn) in attacks targeting Israeli organizations. According to Check Point Research, the campaign has mainly focused on government agencies and IT service providers.

Researchers at Socket have uncovered a new campaign linked to North Korean hackers that targets software developers through malicious open-source packages and browser extensions. The campaign, known as ‘PolinRider,’ has published 108 fake packages and extensions across popular platforms including npm, Packagist, Go, and Google Chrome. In total, researchers found 162 malicious releases designed to infect developers' computers.

JFrog researchers discovered a cluster of malicious npm packages masquerading as Rollup tools. If installed, they could steal personal data and cryptocurrency. The attack appears to be carried out by the North Korean hacking group known as Lazarus.

Threat actors compromised the Injective Labs SDK GitHub repository and uploaded a malicious version of the @injectivelabs/sdk-ts package to npm. The malicious package stole cryptocurrency wallet private keys and seed phrases. The hackers gained access through a contributor's GitHub account and published the infected package after making suspicious changes on June 8.

Researchers at ZeoBec analyzed a new phishing service called Forg365 that targets Microsoft 365 accounts. It uses advanced phishing techniques and AI-generated messages to trick people into giving access to their accounts. It also includes a browser extension that gives attackers persistent access to compromised accounts without the need for logging in every time. Researchers say it has features similar to other phishing platforms like Kali365 and Sneaky2FA, but no direct link has been confirmed.

Cisco Talos discovered a new phishing-as-a-service service, called ‘ARToken,’ which is providing advanced tools designed to target Microsoft 365 accounts. ARToken can steal authentication tokens, maintain long-term access to accounts, and give attackers access to Outlook, SharePoint, and OneDrive data.

Microsoft released a report on GigaWiper, a versatile implant that combines command-and-control capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. Researchers say that GigaWiper is a mix of separate malware families that were folded into GigaWiper as on-demand backdoor commands.

Datadog Security Labs says it detected a series of coordinated campaigns that scan and collect information from enterprize GitHub accounts, repositories, and users. They use automated tools, fake or trusted-looking accounts, and stolen access tokens to collect data and potentially gain access to organizations.

A new ransomware family called GodDamn has been observed using the PoisonX kernel driver to disable security solutions and evade detection. First seen in May, it is believed to be a rebrand of Beast ransomware, which evolved from Monster ransomware. In a June 2026 attack, the operators used AnyDesk and a credential-stealing toolkit to collect sensitive data before deploying the ransomware. It’s unclear, how the threat actors gained initial access.

Researchers at Zscaler ThreatLabz have uncovered two campaigns that use hidden prompt injection attacks to trick AI agents into making cryptocurrency payments or trusting fake websites. Attackers created fake websites that appeared high in search results using SEO poisoning. One fake site pretended to be a Python library page and included hidden instructions to trick AI agents into paying for a fake API key and sending cryptocurrency to the attackers. Another fake site impersonated the DeBank platform and used hidden prompts and SEO tricks to convince AI agents and users it was legitimate.

Researchers from Shandong University detailed a technique for stealing data from air-gapped computers by combining pre-installed malware with software-defined radio (SDR) equipment. The malware uses the computer's HDMI cable as an antenna, encoding data through changes to a single pixel on the monitor. During experiments, researchers received transmissions from up to 210 meters away.

Another study from researchers at the Hong Kong University of Science and Technology showed that security scanners for AI coding agent add-on "skills" can be easily bypassed. They created a tool named SKILLCLOAK that makes small changes that disguise malicious skills as safe while keeping original malicious behavior.

Spain's National Police have arrested a man in Palencia suspected of supporting two pro-Russian hacktivist groups - CyberArmy of Russia Reborn (CARR) and Z-Pentest. Authorities allege the suspect provided logistical and operational assistance to a Ukrainian hacker linked to CARR and helped plan an escape route to Russia through Poland and Belarus.

A Ryuk ransomware affiliate extradited from Ukraine to the United States has pleaded guilty to conspiracy and computer fraud for his role in deploying ransomware against American companies between 2019 and 2020. Karen Serobovich Vardanyan, an Armenian national, faces up to 15 years in prison and is scheduled to be sentenced on September 22, 2026.

A ransomware negotiator was sentenced to 70 months in prison for helping the BlackCat/ALPHV ransomware group extort victims. Angelo Martino shared confidential client information with the hackers to help them demand higher ransom payments. Martino also worked with former cybersecurity professionals Kevin Martin and Ryan Goldberg to carry out additional ransomware attacks in 2023. Martino pleaded guilty in April, and Martin and Goldberg were each sentenced to 48 months in prison the same month.

Interpol-coordinated Operation First Light 2026 led to the arrest of 5,811 suspects and the seizure of $293 million in illicit assets across 97 countries. The operation targeted social engineering scams and money laundering networks. Police analyzed over 152,000 cases, identified more than 142,000 victims and 15,606 suspects, and blocked 31,014 bank accounts.

Belgian federal police have arrested a 19-year-old man from Antwerp suspected of leading a Belgium- and Netherlands-based phishing network that targeted victims across Europe. Authorities allege the group impersonated bank employees to trick victims into installing remote access software, enabling access to bank accounts. The scheme reportedly stole more than €500,000 from dozens of victims, with the proceeds laundered through money mules, cashers, and cryptocurrency.

Japanese police have apprehended a 15-year-old high school student for allegedly carrying out cyberattacks on a Bandai Namco Holdings subsidiary using a custom-built software tool. Police say the boy targeted the company's Bandai Channel streaming service. The attacks reportedly caused more than 46,000 memberships to be canceled without customers' permission, disrupting the company's operations.

Back to the list