Analyst Brief

Analyst Brief β€” 2026-07-06

This page is the output of cyber_threat_pipeline/analysis; the data behind it is the brief_input mart (regenerated weekly by dbt). When a second provider is configured, the side-by-side comparison appears here automatically.

Claude (Anthropic) β€” claude-sonnet-4-6

Threat Intelligence Brief β€” AlienVault OTX

Reporting Period: Last 7 Days | As of: 2026-07-06 16:20 UTC


Headline

A convergence of AI-assisted malware development, aggressive credential-theft campaigns, and multi-vector supply chain compromises defines this week's threat landscape, with ClickFix and SEO poisoning emerging as the dominant initial-access mechanisms across dozens of new pulses.


Emerging Threats

πŸ”΄ Ransomware & Extortion

  • A zero-day kernel exploit (ktapi.sys, Kontron driver) is being weaponized via BYOVD to disable EDR solutions ahead of ransomware deployment ("Not very gentlemanly"). Separately, "Vibe Coded Extortion" documents CrownX, an AI-assisted ransomware with lateral movement and defense-evasion capabilities, signaling a maturing AI-generated malware threat. "Prinz Eugen" introduces a new Go-based encryptor targeting France, the US, Canada, and South Africa.

πŸ”΄ Phishing, Credential Theft & AiTM

  • The Blacksite phishing-as-a-service kit evades URL scanners via Cloaked.gg, combining AiTM reverse-proxy techniques with MFA bypass ("Blacksite: New AiTM Phishing Kit"). A separate Microsoft 365-targeting affiliate panel ("Inside an affiliate panel") abuses device-code phishing and Primary Refresh Tokens via the EvilTokens/ArToken framework. The BabaDeda loader is being distributed through ClickFix lures (38 indicators).

πŸ”΄ APT & Espionage

  • Iran-nexus TAG-182/Ferocious Kitten is distributing MarkiRAT alongside BouldSpy and FurBall surveillance tools targeting Farsi-speaking populations (85 indicators). India's government and energy sectors face active compromise via ZOHOMURK and MINIRECON tooling, with ShadowPad and ToneShell implants suggesting a China-nexus actor. The Armored Likho group deployed BusySnake, a PyArmor-obfuscated stealer with reverse SSH tunneling, targeting Brazil, Kazakhstan, and Russia.

πŸ”΄ Supply Chain & Developer Infrastructure

  • The Mini Shai-Hulud campaign expanded from npm to the Go ecosystem, compromising ImmobiliareLabs and LeoPlatform packages and poisoning GitHub Actions CI/CD pipelines. A separate gaming platform supply-chain attack deployed the BirdCall Android trojan targeting Yanbian users. The node-fetch-utils npm package was flagged for remote tarball dependency resolution enabling fileless persistence.

πŸ”΄ Novel Techniques

  • Indirect Prompt Injection targeting AI agents via web content (11 indicators) and a browser-native ransomware technique exploiting the File System Access API represent emerging proof-of-concept threats with low current indicator volume but high forward risk.

Corpus-Level Shifts

  • ClickFix tag spike: ClickFix appears in 23 tagged pulses corpus-wide and anchors at least three distinct new campaigns this week (BabaDeda, macOS AMOS delivery, ClickFix phishing brief), indicating rapid adoption as a preferred social-engineering delivery mechanism.
  • Broadened geographic targeting: The "Crown Prince / Nezha" pulse lists 50+ targeted countries for a China-nexus GhostRAT/web-shell campaign β€” an unusually wide geographic footprint compared to the corpus norm of regionally scoped pulses.
  • CVE indicator surge: 22 new CVE indicators appeared this week (vs. zero in the stable corpus snapshot), driven by the RustDuck botnet pulse exploiting CVE-2025-29635, CVE-2024-1781, CVE-2017-17215, and others, and the StrikeShark campaign chaining 15+ CVEs against Southeast Asian government targets.

Analyst Caveats

  • Attribution confidence is low. "China-nexus," "Iran-nexus," and "DPRK" labels in OTX pulses reflect community assessments of varying rigor β€” TTPs may overlap across unrelated actors, and pulse authors are not uniformly vetted. Do not treat these attributions as confirmed without corroborating intelligence.
  • This corpus reflects detection and publication bias, not victim impact or dwell time. Pulses represent what researchers chose to publish; high indicator counts do not imply high victim counts, and the absence of a sector or country from targeting data does not confirm it is unaffected. OTX subscription patterns further skew toward English-language, Western-focused threat reporting.

Prompt context

Show the prompt sent to every model
You are a threat-intelligence analyst. Produce a concise brief on the current
      state of the AlienVault OTX corpus, focusing on **emerging threats from the
      last 7 days**.

      ## Corpus context (as of 2026-07-06 16:20:38.335755+00:00)
      - Total pulses:                 278
      - Total indicators:             11,983
      - Active indicators:            11,983  (active = not expired AND not dropped from its pulse)
      - Expired indicators:           0
      - Top 5 indicator types:        domain: 5287, FileHash-SHA256: 1974, hostname: 1666, FileHash-MD5: 1103, FileHash-SHA1: 812
      - Top 5 targeted countries:     United States of America: 31, British Indian Ocean Territory: 15, India: 15, Brazil: 14, United Kingdom of Great Britain and Northern Ireland: 12
      - Top 5 tags:                   credential theft: 47, social engineering: 29, infostealer: 26, phishing: 24, clickfix: 23
      - Top 5 targeted industries:    Technology: 58, Finance: 54, Government: 53, Education: 24, Defense: 22

      ## Emerging in the last 7 days
      Indicator types newly seen:     domain: 642, FileHash-SHA256: 477, FileHash-MD5: 248, FileHash-SHA1: 155, hostname: 118, IPv4: 105, URL: 101, CVE: 22, email: 7, BitcoinAddress: 1
      New pulses (first_seen_at within 7d):
        - [WHITE] How a single ScreenConnect incident exposed a massive campaign (id=6a4545dbc77aff75fe16cee7, indicators=134, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: remote access trojan, fake software, c2 infrastructure, process hollowing, screenconnect, powershell loader, typosquatting, seo poisoning, dll sideloading, asyncrat
    countries: β€”
- [WHITE] Indirect Prompt Injection in Web Content Targets AI Agents (id=6a46cc8d21232689c52266a2, indicators=11, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: llm manipulation, typosquatting, seo poisoning, indirect prompt injection, payment fraud, ipi, cryptocurrency scam, ai agents
    countries: β€”
- [WHITE] How access to Gmail accounts is gained (id=6a43aeed1ecda1a314aec59e, indicators=11, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: tomberbil, remote debugging, corporate espionage, oauth token theft, chromium exploitation, dll sideloading, toddycat, umbrij, gmail compromise
    countries: β€”
- [WHITE] A single RedLine C2 pivots into a maritime spear-phishing cluster and attacker-owned infrastructure. (id=6a464b96bef17724be5668a0, indicators=27, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: spear-phishing, south korean victims, business email compromise, infrastructure pivoting, maritime sector targeting, formbook, metamorfo, redline stealer, domain impersonation, casbaneiro, xloader
    countries: β€”
- [WHITE] Phishing in the Balkans: Fake Traffic Fines, Real Losses (id=6a4545d3f23bbaf07db98a73, indicators=25, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: phoenix, government impersonation, darcula, smishing, phaas, traffic fines, payment card theft, serbia, balkans
    countries: Serbia
- [WHITE] Vibe Coded Extortion: Path from Legal Lure to CrownX Ransom Capabilities (id=6a46d120d41fcc87a8a52932, indicators=10, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: ransomware, credential theft, lateral movement, avalon, defense evasion, phishing, crownx, ai-assisted development
    countries: β€”
- [WHITE] RustDuck: An In-Depth Analysis of a Two-Stage Botnet (id=6a4635e7998db450b0ccdee2, indicators=23, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: two-stage loader, ddos botnet, cve-2025-29635, iot compromise, cve-2018-8007, weak password attacks, encrypted c2, cross-platform, cve-2017-17215, cve-2024-1781, anti-debugging, rustduck
    countries: β€”
- [WHITE] Defence Impairment Olympics (id=6a4323652af5f050747cd53a, indicators=9, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: cve-2023-29298, wdigest, cve-2023-26360, coldfusion exploitation, defence evasion, credential dumping, steganography, mimikatz, defence impairment, timestomping, webshell, iis server, cve-2023-29300
    countries: β€”
- [WHITE] Blacksite: New AiTM Phishing Kit Evades URL Scanners via Cloaked.gg (id=6a463469f06125cbab68ef8c, indicators=8, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: credential-theft, url-evasion, aitm, mfa-bypass, blacksite, session-hijacking, cloaking, reverse-proxy, tycoon 2fa, phishing-as-a-service
    countries: β€”
- [WHITE] From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (id=6a429369377f216bcfbdda03, indicators=22, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: rustdesk, trojanized installer, lateral movement, adaptixc2, akira, credential dumping, bumblebee, seo poisoning
    countries: β€”
- [WHITE] AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign (id=6a471de4dcdacfc396979ab8, indicators=21, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: formbook, steganography, asyncrat, remcos, vba macros, url shorteners, lumma, multi-stage infection, cloudflare workers, hta payload, phishing campaign, spreadsheet dropper
    countries: β€”
- [WHITE] Chromium extension uses AI‑related branding to redirect browser search (id=6a42d0b89159dccad1ff7879, indicators=7, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: keystroke capture, typosquatting, browser extension, declarativenetrequest, perplexity ai spoofing, data interception, search hijacking, chrome extension
    countries: β€”
- [WHITE] GitHub Impersonation Deploys Information Stealer (id=6a468e99941f9e2f4d672d80, indicators=6, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: information stealer, dll side-loading, social engineering, github impersonation, boryptgrab stealer, boryptgrab, seo poisoning, fake repositories
    countries: β€”
- [WHITE] An Analysis of ValleyRAT Infection Campaigns from Fake Installers, Japanese Malicious Emails (id=6a446c5df8b0ab9d5af62b64, indicators=6, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: phishing emails, process injection, fake installers, donut shellcode, japanese targets, dll sideloading, chinese targets, valleyrat
    countries: β€”
- [WHITE] Armored Likho's new weapon: BusySnake Stealer (id=6a47a77e01d1e457798b3a33, indicators=46, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: busysnake stealer, pyarmor obfuscation, credential theft, electric power sector, go2tunnel, reverse ssh tunnel, aquilarat, spear-phishing, browser password extraction, government targeting
    countries: Brazil, Kazakhstan, Russian Federation
- [WHITE] Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates (id=6a43b188e88186c48de04785, indicators=19, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: vpn impersonation, firefox add-ons, free vpn by vpn go, staged updates, supply chain, credential theft, chrome web store, clipboard stealer, vpn go: free vpn, browser extension
    countries: β€”
- [WHITE] A Djinn in the Machine: TaskWeaver's Node.js Intrusion Chain (id=6a432365e2207bde8681b975, indicators=5, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: ai development tools, cve-2026-48558, taskweaver, supply chain risk, credential theft, node.js, djinn stealer, simplehelp, rmm exploitation
    countries: β€”
- [WHITE] Roblox, Minecraft, and the Insidious Internet for Children (id=6a47950711440db76d84e5de, indicators=55, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: minecraft, gaming platforms, roblox, children targeting, offerwall schemes, subscription traps, disposable domains, data harvesting, credential phishing
    countries: β€”
- [WHITE] Inside an affiliate panel targeting Microsoft 365 (id=6a4500fd1580f75d3cf32d5e, indicators=5, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: oauth abuse, phishing-as-a-service, eviltokens, business email compromise, microsoft 365, artoken, device code phishing, primary refresh token
    countries: β€”
- [WHITE] What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign. (id=6a47b2cc64d3d9241377df01, indicators=38, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: BabaDeda, ClickFix
    countries: β€”
- [WHITE] A rigged game: compromises gaming platform in a supply-chain attack (id=69f9c539da459757922d22d8, indicators=38, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: supply-chain attack, birdcall, android trojan, yanbian targeting, gaming platform compromise
    countries: β€”
- [WHITE] India's government and energy sectors targeted with ZOHOMURK and MINIRECON (id=6a42d4a95543681c96ad0e57, indicators=17, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: india, government targeting, websocket, minirecon, zohomurk, shadowpad, cloud c2, hydropower, espionage, pubload, shardloader, toneshell, zoho workdrive, dll sideloading
    countries: British Indian Ocean Territory, India
- [WHITE] Not very gentlemanly: Analyzing a zero-day exploit used to disable targets' EDRs (id=6a43f039e387ddd12ed0896c, indicators=3, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: the gentlemen, edr killer, byovd, ransomware, kontron driver, zero-day, endpoint protection bypass, ktapi.sys, kernel exploit
    countries: β€”
- [WHITE] Iran-Nexus Disseminates MarkiRAT Surveillance Tool (id=6a45471afccee96152675f88, indicators=85, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: ferocious kitten, irgc, furball, surveillance, iran, fake vpn, bouldspy, markirat, tag-182, dchspy, farsi-speaking targets
    countries: Iran, Islamic Republic of
- [WHITE] Branded Gambling Campaigns: How Scammers Are Exploiting Trusted Brand Names to Drive Casino Traffic (id=6a46d12100d65a16f173e8a4, indicators=14, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: fake app stores, online gambling scams, casino redirection, brand impersonation, affiliate fraud, social media advertising, progressive web apps, pwa
    countries: Canada, Germany, Spain, United Kingdom of Great Britain and Northern Ireland
- [WHITE] The Crown Prince, Nezha (id=6a4828eab61bec7567ac88b1, indicators=14, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: phpmyadmin, gh0st rat, china-nexus, nezha, ghost rat, china chopper, web compromise, antsword, log poisoning, web shell
    countries: United States of America, Angola, Argentina, Australia, Bangladesh, Belgium, Bosnia and Herzegovina, Brazil, British Indian Ocean Territory, Canada, Chile, Colombia, Finland, France, Georgia, Germany, Greece, Guatemala, Hong Kong, India, Indonesia, Ireland, Japan, Kazakhstan, Kenya, Macao, Malaysia, Mexico, Mongolia, Morocco, Nepal, Nigeria, Pakistan, Peru, Philippines, Portugal, Russian Federation, Saudi Arabia, Serbia, Singapore, Slovakia, South Georgia and the South Sandwich Islands, Sri Lanka, Taiwan, Tanzania, United Republic of, Thailand, Trinidad and Tobago, United Arab Emirates, United Kingdom of Great Britain and Northern Ireland, Zambia
- [WHITE] Analysis of Ongoing Ousaban Attacks Targeting the Iberian Peninsula (id=6a45880f3df872860c77a553, indicators=36, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: credential theft, phishing, portugal, iberian peninsula, ousaban, geofencing, casbaneiro, spain, banking trojan
    countries: Portugal, Spain
- [WHITE] The Gentlemen are knocking: сustom backdoors and evolving tactics (id=6a42506c95cc259404196a5b, indicators=48, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: vulnerable drivers, sharkloader, zichatbot, coolclient, gpo deployment, ransomware-as-a-service, powercloud, appleseed, mgbot, encryption tactics, byovd, reversesocks, cobalt strike, network reconnaissance, custom backdoor, lateral movement
    countries: Brazil, China, Indonesia, Taiwan, Thailand
- [WHITE] Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique (id=6a4500ffd044499efcd70db1, indicators=1, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: infernograbber, llm-generated malware, android chrome exploitation, social engineering, deepseek, voidlink, ai-assisted attacks, phishing lures, file system access api, browser-native ransomware
    countries: β€”
- [WHITE] PamStealer: a Rust-based macOS infostealer that validates credentials through PAM (id=6a471de6cf9848f2ef9503c0, indicators=28, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: clipboard stealer, applescript dropper, fake maccy, pam authentication, jxa downloader, browser data theft, pamstealer, rust-based, macos infostealer, credential theft
    countries: β€”
- [WHITE] RAT Abuses TON Blockchain to Target Japan's Hotel Industry (id=6a42d46fe5317e409adbaaa3, indicators=142, first_seen=2026-07-06T16:20:20.140339+00:00)
    tags: ton blockchain, dead drop resolver, node.js abuse, japan targeting, hotel industry, booking.com, credential theft, tonresolver, phishing campaign
    countries: Japan
- [WHITE] Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond (id=6a3d48ab212d2dc37bad0d1b, indicators=4, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: sendgrid, mfa bypass, aws, cloudflare, phishing
    countries: United States of America
- [WHITE] New customs charges for online orders outside the EU (id=6a4292045a662553c3583b0a, indicators=3, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: customs, taxes, smishing, eu, email, phishing, impersonating, postal services, payment, scam, fraud
    countries: Ireland
- [WHITE] Observed phishing URLs delivering RMM payload (id=6a3ae5bf02925732fd075068, indicators=3, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: phishing, screenconnect, rmm, docusign
    countries: β€”
- [WHITE] Detecting the Klue supply chain attack in Salesforce instances (id=6a3999371eb0f2f2e3fb7f08, indicators=3, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: klue compromise, extortion campaign, crm data theft, salesforce, supply chain attack, oauth abuse
    countries: β€”
- [WHITE] Understanding Langflow CVE-2026-55255, and why higher CVSS vulnerabilities aren't always the most exploited (id=6a3eefb892e3d749bcf92233, indicators=3, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: multi-tenant, cve-2026-33017, ai pipeline exploitation, cve-2026-55255, botnet deployment, langflow, rce, idor, credential theft, cvss paradox
    countries: β€”
- [WHITE] Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware (id=6a3ab74e2728d85de0799971, indicators=2, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: browser extension, social engineering, python backdoor, initial access broker, edgecution
    countries: β€”
- [WHITE] Customer CRM Data Accessed in Supply Chain Incident (id=6a3ab4c93adb7c2764a5fa23, indicators=1, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: salesforce, phishing risk, supply chain attack, lastpass, third-party vendor compromise, oauth tokens, crm data breach, klue
    countries: β€”
- [WHITE] "Ghost" Code Phishing Analysis (id=6a3b02a43a7a626b53174466, indicators=1, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: oauth device-code phishing, dom manipulation, microsoft 365 compromise, phishing kit, browser-based attack, aes-gcm encryption, eviltokens
    countries: United States of America
- [WHITE] Observed activity associated with Sidewinder APT. Lure document: No.9374.docx, 64f2681ad0940e6c2c9c76e6834117bf. Observed C2 infrastructure: update[.]ms-office[.]app (id=6a3b4e5dc7cef5136c49c364, indicators=1, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: c2 infrastructure, sidewinder, apt, malicious document, phishing, command and control, social engineering
    countries: β€”
- [WHITE] Phishing Campaign PasasteSinTAG - New domain rotation identified associated with the campaign impersonating the PasasteSinTAG portal (id=6a42124a18e7d2cb639c06dd, indicators=108, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: brand impersonation, credential harvesting, pasastesintag, infrastructure, domain rotation, phishing, chile
    countries: Chile
- [WHITE] Millenium: A RAT Rewritten, A Threat Multiplied (id=6a3d76e592eaea08a66ad337, indicators=102, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: y2k operators, shinyenigma, millenium rat, njrat, asyncrat, xworm
    countries: β€”
- [WHITE] Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access (id=6a3df8979895cc716bfbf931, indicators=93, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: authentication laundering, wacatac, purerat, tonrat
    countries: β€”
- [WHITE] AsyncRAT and Remcos delivered in an optimistic campaign (id=6a3ba45b3fef31b3a05d9cb0, indicators=84, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: Steganography, phishing, AsyncRAT, Remcos, Heavy obfuscation
    countries: β€”
- [WHITE] STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus (id=6a3db99d3f27ba984f5154ff, indicators=76, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: stockstay, diamondback, turla, kazuar, wildday, k1morpher
    countries: Italy, Ukraine
- [WHITE] An unknown actor distributes malicious VBS scripts via WhatsApp (id=6a3915eddc5c22f4421f124e, indicators=56, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: uac bypass, valleyrat, gh0st rat, rmm abuse, multi-stage infection, social engineering, whatsapp, manageengine endpoint central, vbscript, chinese-speaking operator
    countries: Australia, Brazil, British Indian Ocean Territory, India, Malaysia, Mexico, Russian Federation, Singapore, Spain, Taiwan, United Kingdom of Great Britain and Northern Ireland
- [WHITE] From San Pedro to Salinas: How a Chinese Framework β€œDCloud Uni-App” Powers a Global Scam Economy (id=6a3d76e5578987f6ddf8979f, indicators=49, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: dcloud, uni-app, lssc, bulletproof hosting, investment fraud, cryptocurrency scam, rainbowex
    countries: United States of America, Argentina, Australia, Canada, New Zealand
- [WHITE] StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them (id=6a3bde31cd05f010063a2224, indicators=47, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: lumma stealer, redline, vidar, access broker, session token, stealc, amadey, credential theft, cybercrime, infostealer, malware-as-a-service, raccoon
    countries: β€”
- [WHITE] Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages (id=6a3f2df93c2f6387d1b27726, indicators=45, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: backstage plugins, ci/cd compromise, supply chain attack, github actions, miasma mini shai-hulud, npm compromise, credential theft, immobiliarelabs, developer infrastructure
    countries: β€”
- [WHITE] New Backdoor May be Linked to Ransomware Access Broker (id=6a3bde32e46aafdb90f9593b, indicators=38, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: initial access broker, sideloading, social-engineering, nexshield, credential stealer, qilin, d3f@ck loader, ransomware, mintsloader, gatekeeper, backdoor.mistic, modelorat
    countries: β€”
- [WHITE] Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. of India/MoF Tax Infrastructure via Multi-Stage DcRAT Deployment (id=6a3e75975494e990e7421b4d, indicators=35, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: china-nexus, income tax impersonation, spear-phishing, steganography, tax infrastructure, fileless execution, operation dragonreturn, dcrat, india targeting
    countries: British Indian Ocean Territory, India
- [WHITE] StrikeShark: a new campaign involving a custom SharkLoader and Cobalt Strike Beacon (id=6a3bddeff7731f4be214a16d, indicators=28, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: searchall, cve-2025-55182, software development, cve-2021-36260, sharkloader, sharpgpoabuse, cve-2023-20198, cve-2022-40684, cve-2024-36401, fscan, api hooking, credential dumping, cve-2024-21762, pillager, cve-2023-46747, cve-2022-41082, southeast asia, cve-2021-26855, dll hijacking, cobalt strike, cve-2021-27076, government targeting, cve-2023-32315, cve-2016-4437, cve-2022-27925
    countries: Colombia, Hong Kong, Indonesia, Lebanon, North Macedonia, Nepal, Serbia, Syrian Arab Republic, Taiwan
- [WHITE] Mini Shai-Hulud Hits LeoPlatform npm Packages and GitHub Actions, Expands to the Go Ecosystem (id=6a3df898a72c3bb83671b47b, indicators=20, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: miasma, mini shai-hulud, supply chain attack, npm packages, bun runtime, leoplatform, hades
    countries: β€”
- [WHITE] Operation Endgame disrupts Amadey and Stealc (id=6a3c278cadbc5a0ba0a18ce3, indicators=19, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: stealc, botnet disruption, danabot, operation endgame, lumma stealer, infostealer, amadey
    countries: β€”
- [WHITE] From PostCSS Masquerading to Windows RAT (id=6a3ac05e2137f66d3a690558, indicators=19, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: rat, multistage, supply chain, python, typosquatting, postcss, nuitka, credential theft, npm
    countries: β€”
- [WHITE] Prinz Eugen ransomware: a deep dive into a new Go-based encryptor (id=6a3d416ff54ce39010db1033, indicators=18, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: prinz eugen, rootboy, go-based, remotepc rmm
    countries: South Africa, France, United States of America, Canada
- [WHITE] LokiBot After a Decade: An Analysis of a Recent LokiBot Campaign (id=6a3c6b9416a51c4cdec616c4, indicators=17, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: credential theft, malspam, infostealer, lokibot, multi-stage
    countries: β€”
- [WHITE] Inside FortiBleed: Reverse Engineering the CyberStrike Harvester Behind a Global FortiGate Credential Factory (id=6a3b512cc6365025ee5f1d3e, indicators=13, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: kerberos, password spraying, ekz infostealer, credential harvesting, fortigate, file exfiltration, hashcat, fortibleed, credential stuffing, ssl vpn, cyberstrike harvester
    countries: β€”
- [WHITE] PHISH ALERT: From a Simple Phishing Email to a Full Attack Arsenal: The Evolution of "ClickFix" (id=6a3a7809c43cfba36348ed9d, indicators=12, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: credential harvesting, clickfix, phishing campaign, dns txt staging, rmm tools, powershell, spyware, social engineering
    countries: β€”
- [WHITE] KimJongRAT Continues to Evolve by Leveraging LOTS (id=6a3cb7a3c8dfa3feec75cb80, indicators=11, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: kimsuky, lots, infostealer, meshagent, kimjongrat
    countries: Japan
- [WHITE] Skill Marketplace and the Emerging AI Supply Chain Threat (id=6a3b512e73c8b7fb25b84c38, indicators=11, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: infostealer, affiliate injection, defense evasion, openclaw, amos, cluw, ai supply chain, agentic threats, clawhub, front-running, clawhavoc
    countries: β€”
- [WHITE] Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager (id=6a3d476551c12310394b4adc, indicators=11, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: credential manipulation, cve-2026-20245, sd-wan, zero-day, cisco catalyst
    countries: β€”
- [WHITE] ClickFix campaign delivers macOS infostealer via DMG (id=6a3d42cc11f8fec9a3aab237, indicators=10, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: browser-theft, atomic macos stealer, clickfix, macos, credential-phishing, amos, odyssey, infostealer
    countries: β€”
- [WHITE] Ukraine's UAV Supply Chain Targeted With Besomar-Themed Malware Chain (id=6a3b9d601cf5ebad8e7b3d3b, indicators=9, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: ghostshell, uav, ukraine, drones, defense, supply chain, vidar, besomar
    countries: Ukraine
- [WHITE] CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure (id=6a3db58dcad7fa34b60b3689, indicators=8, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: energy sector, cl-sta-1062, mimikatz, tinyrct, juicypotato, softether vpn
    countries: Taiwan
- [WHITE] A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally (id=6a3ac3d87dd519f2fec1d2ea, indicators=7, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: fileless, loader-as-a-service, steganography, phantom stealer, formbook, masslogger, infostealer, dark cloud, remcos rat, phishing campaign, red line stealer, xworm, snake, process hollowing, agent tesla, credential theft
    countries: British Indian Ocean Territory, India
- [WHITE] macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox (id=6a3b512d529a1b06d095af2b, indicators=5, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: browser data theft, credential stealer, dprk, prompt injection, macos.gaslight, telegram c2, macos, rust backdoor, persistence, llm evasion, airpipe, bonzai
    countries: β€”
- [WHITE] The #APT36 cluster can't stop, won't stop (id=6a3add255a93c4e851962479, indicators=5, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: apt36, turkey, firepower, lnk, rtf, crystalshell
    countries: TΓΌrkiye
- [WHITE] FIFA 2026 Security Alert: Cybercriminals Exploit Fan Excitement with Mass Phishing (id=6a3d36251ae1eb075bc13b90, indicators=5, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: payment fraud, ticket fraud, mobile targeting, gambling redirect, fifa 2026, social engineering, phishing campaign, credential harvesting
    countries: β€”
- [WHITE] Artifact scanner detects npm package 'node-fetch-utils' using external dependency resolution with remote tarball dependency from GitHub (id=6a3a780ee89db8a716522418, indicators=4, first_seen=2026-06-29T16:38:42.249799+00:00)
    tags: python implant, obfuscated script, node-fetch-utils, javascript dropper, dependency confusion, supply chain attack, node-fetch-core, npm, persistence, fileless malware
    countries: β€”

      ## What to produce
      Write a 250-400-word brief with:
      1. **Headline** (one sentence on the week's most notable signal).
      2. **Emerging threats** (3-5 bullets on the new pulses β€” group by theme: ransomware,
         phishing, APT, supply chain, etc. β€” and cite pulse names).
      3. **Corpus-level shifts** (1-3 bullets on changes from the stable picture: a
         newly-targeted country, a TLP-distribution shift, a tag spike).
      4. **Analyst caveats** (1-2 bullets on what this data can NOT tell us:
         attribution confidence, victim impact, dwell time, sampling bias from OTX
         subscriptions).

      Use markdown. Do not invent indicators, pulse names, or numbers β€” work strictly
      from what's above.