NCSA Webboard

    Cyber Threat Intelligence 02 June 2026

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • NVIDIA Goes Open Source With a Big Batch Of Physical AI Agent Tools
        "NVIDIA just dropped a big batch of open-source “physical AI” skills and tools, and they’re designed to make a roboticist’s life a whole lot easier. The idea? Take the messy, complicated work behind robots, self-driving cars, vision AI, and industrial digital twins, and break it into bite-sized tasks that AI agents can actually run themselves. These skills ship as part of the NVIDIA Agent Toolkit, and here’s what makes them handy: they let AI agents tap directly into NVIDIA’s own libraries, models, and frameworks. That means agents can help speed up the whole pipeline, from generating data and running simulations to training models, evaluating results, and finally deploying everything that powers robots, autonomous vehicles, factories, and labs."
        https://www.helpnetsecurity.com/2026/06/01/nvidia-open-source-physical-ai-skills/
        https://github.com/NVIDIA/skills
        https://skills.sh/
      • OWASP Agent Memory Guard: Stop AI Agents From Being Weaponized Through Their Own Memory
        "AI agents keep memory across sessions. Conversation history, vector stores, scratchpads, and RAG indexes persist between runs, and anything written into that store becomes a privileged input the agent reads back later. An attacker who plants text in the wrong field can override an agent’s instructions, pull out user data, or steer future tool calls, and the effect survives across sessions because the memory does. Agent Memory Guard is an open-source runtime defense layer that sits between an agent and its memory store, screening every read and write through a pipeline of detectors and a YAML policy. The project is the OWASP reference implementation for ASI06, Memory Poisoning, one entry in the OWASP Top 10 for Agentic Applications."
        https://www.helpnetsecurity.com/2026/06/01/owasp-agent-memory-guard/
        https://github.com/OWASP/www-project-agent-memory-guard

      Vulnerabilities

      • Critical Windows Netlogon RCE Flaw Now Exploited In Attacks
        "The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks. Netlogon is a remote procedure call (RPC) interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks. Microsoft patched this vulnerability (CVE-2026-41089) during the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that allows attackers without privileges to gain remote code execution on targeted domain controllers."
        https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/
        https://www.securityweek.com/critical-windows-netlogon-vulnerability-in-attackers-crosshairs/
        https://www.helpnetsecurity.com/2026/06/01/windows-netlogon-rce-exploited-cve-2026-41089/
      • CISA Adds One Known Exploited Vulnerability To Catalog
        "CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
        CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability"
        https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog

      Malware

      • Red Hat Npm Packages Compromised To Spread a Credential-Stealing Worm
        "On June 1, 2026, we detected multiple official packages from the @redhat-cloud-services scope on npm were compromised with a credential-stealing worm. In total, 96 versions across 32 packages have been compromised, cumulatively downloaded 116,991 times per week. The malware appears similar to the Mini Shai-Hulud malware that was recently open-sourced by TeamPCP. Since the tooling was made publicly available, other threat actors now have access to the same techniques and can replicate or adapt them. The packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised rather than an npm token. If you have installed any affected package versions since June 1, 2026, treat all CI secrets, cloud credentials, SSH keys, and npm tokens as compromised and rotate them immediately."
        https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
        https://www.ox.security/blog/new-npm-supply-chain-attack-redhat-cloud-services-compromised/
        https://socket.dev/blog/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages
        https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/
        https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html
        https://www.theregister.com/security/2026/06/01/shai-hulud-malware-infects-red-hat-npm-packages-downloaded-80k-times-weekly/5249803
      • The Server Seizure That Affects Also Iran’s Cyber Operations
        "On May 22, 2026, Dutch financial-crime investigators walked into data centers in Dronten and Schiphol-Rijk and seized approximately 800 servers. The target was WorkTitans B.V., a hosting provider that, on the surface, looked like any other internet infrastructure company. What investigators uncovered, however, was something far more significant: a ghost operation built on sanctioned infrastructure, quietly serving as the backbone for some of Iran’s most active cyber espionage campaigns."
        https://blog.checkpoint.com/security/the-server-seizure-that-affects-also-irans-cyber-operations/
      • Cryptocurrency Scams: The 10 Most Common Types And How They Work
        "A crypto scam is a type of fraud that exploits the unique characteristics of cryptocurrency, such as its decentralized and pseudonymous nature, as well as the irreversible nature of crypto transactions, to steal funds from victims. Crypto scams are expected to cost victims an estimated $17 billion in 2025, driven by AI-enabled fraud, industrialized scam operations, and new impersonation tactics. Financial institutions sit on the front lines of this exposure because stolen funds flow through their platforms before reaching attacker-controlled wallets."
        https://www.group-ib.com/blog/cryptocurrency-scams/
      • Containers On Fire: From Container Escapes To Supply Chain Attacks
        "Modern infrastructures universally rely on containerization to deploy applications, scale services, and build cloud platforms. The use of Docker, Kubernetes, and similar technologies has become the corporate standard for efficient automation. However, as containers grow in popularity, so does the interest of malicious actors — a trend we actively track in our research into advanced cyberthreats. For instance, in one of its recent attacks, the APT group TeamPCP compromised Checkmarx KICS across multiple attack chains for different vectors. This included poisoning a Docker Hub repository to later steal Kubernetes secrets and other sensitive data. The tainted images distributed a stealer that was loaded during the KICS scanning process."
        https://securelist.com/container-attack-vectors/120010/
      • The 2026 U.S. Midterms Have a Cyber Problem, But It’s Not At The Ballot Box
        "As the U.S. approaches the 2026 elections in November, the greatest threat to voting integrity will likely not be from hackers targeting voting machines or altering ballots, but from a growing war over reality itself. Voter influence operations are increasingly focused on manipulating the information environment surrounding voters, flooding social media and search results with misleading narratives and fake content, and impersonated news sources designed to erode trust in what people see and hear online. Sophisticated operators have already cloned major media brands like Reuters, The Washington Post, and Fox News using look-alike domains that can fool even attentive readers at a glance. In this new era of AI-powered disinformation, the goal is often not to change vote counts directly, but to convince voters that truth itself is difficult to verify."
        https://blog.checkpoint.com/exposure-management/the-2026-u-s-midterms-have-a-cyber-problem-but-its-not-at-the-ballot-box/
        https://checkpoint.cyberint.com/hubfs/2026 U.S. Midterm Election Threat Outlook.pdf
        https://cyberscoop.com/2026-election-cyber-threats-campaign-systems/
        https://www.theregister.com/security/2026/06/01/5k-election-domains-registered-ahead-of-us-midterms/5249764
      • Meet DriveSurge: A New Threat Actor Using ClickFix And Fake Update Drive-By Attacks In Thousands Of Compromised Sites
        "What makes DriveSurge notable isn’t just the volume of its activity; it’s the sophistication of its infrastructure, the breadth of its targets, and the fact that it has been operating largely undetected until now. Its primary weapon is a technique known as a Traffic Distribution System (TDS), and it specifically uses an open-source variant called zTDS, which has been in use since at least 2015, and is publicly available at ztds[.]info. Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors. Based on our research, we suspect DriveSurge uses a Pay-Per-Install (PPI) model, where it is paid each time a victim’s device is successfully infected, with those leads then sold downstream to other threat actors."
        https://www.silentpush.com/blog/drivesurge/
        https://www.bleepingcomputer.com/news/security/hackers-hijack-thousands-of-sites-for-clickfix-and-fakeupdate-attacks/
      • Dashlane Password Manager Users Locked Out By Brute Force Attacks
        "Multiple Dashlane users have been locked out of their accounts following brute-force attacks that attempted logins from distant locations and unknown devices. In a statement to BleepingComputer, the password management service confirmed that the suspensions were part of an automated security response designed to protect against account hijacking. “We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security controls. The affected accounts have now been unsuspended,” stated Jordan Fylolenko, Dashlane Senior Director of Corporate Communications."
        https://www.bleepingcomputer.com/news/security/dashlane-password-manager-users-locked-out-by-brute-force-attacks/
        https://status.dashlane.com/pages/5aabcb89fccc4b04d3774443
        https://www.theregister.com/security/2026/06/01/password-manager-dashlane-suspends-customer-accounts-amid-brute-force-attacks/5248991
        https://www.helpnetsecurity.com/2026/06/01/dashlane-brute-force-attack-user-accounts/
      • Malware Targeting WordPress Abuses Steam Community Profiles For Command & Control Operations
        "GoDaddy Security researchers have identified malware that uses Steam Community profile comments to host encoded command and control data, hiding malicious infrastructure behind Valve's legitimate platform. The malware employs invisible Unicode characters to conceal payloads within Steam profile comments, enabling steganographic data encoding that evades traditional text-based detection methods. Technical implementation includes AES-256-CTR encryption with PBKDF2 key derivation and HMAC authentication to protect command and control communications."
        https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles
        https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/
      • FSB’s Matryoshka #1/3 – Gamaredon’s Gifts That Keeps Unpacking – GammaPhish And GammaWorm
        "Sekoia.io’s Threat Detection & Research (TDR) team closely monitors the activities of Russian Advanced Persistent Threats (APT). In late December 2025, we deployed an opportunistic YARA rule designed to uncover novel initial access vectors. By January 2026, this rule had generated a dozen hits, prompting an in-depth investigation. While we successfully identified the early stages of a Gamaredon infection chain, unknown restrictions prevented us from fully detonating the sequence to observe the final payloads. To overcome this, we collaborated with a trusted partner who provided over 70 artifacts retrieved directly from compromised hosts. These artifacts not only corroborated the initial attack stages we observed in December but also contained several distinct malware families historically attributed to Gamaredon: a worm, loaders and a stealer, widely tracked by the community as Pteranodon, GammaLoad, and GammaSteel."
        https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/
        https://www.infosecurity-magazine.com/news/gamaredon-worm-ntfs-data-streams/
      • Fake BlueWallet Steals Passwords, Accounts, And Crypto From Macs
        "A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the name and branding of the legitimate Bitcoin wallet to make a malicious download appear trustworthy. If you went looking for a cryptocurrency wallet and landed on one of these fake BlueWallet download pages, the site tried to trick you into opening a downloaded file in a built-in macOS tool and pressing “Run.”"
        https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-bluewallet-steals-passwords-accounts-and-crypto-from-macs
      • Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic And Taiwan Using Azure Cloud C2
        "The Seqrite APT Team has been actively tracking threats across the globe. During our recent analysis, we identified a spearphishing campaign targeting officials and citizens in the Czech Republic and Taiwan. We observed a single lure document along with multiple supporting artifacts that strongly suggest the campaign is specifically targeting these regions, as the files closely mimic official communications. The attack begins with a ZIP attachment. When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background."
        https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
        https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html
      • Operation XENOFISCAL: SideCopy Deploying Persistent XenoRAT Targeting The MoF, Afghanistan
        "Seqrite Labs has been actively monitoring spear phishing campaigns across the globe and has a well-established history of tracking the SideCopy APT cluster — a Pakistan-linked threat group operating under the broader Transparent Tribe / APT36 umbrella. In continuation of that tracking effort, we identified a targeted campaign directed at the Ministry of Finance, Afghanistan, with TTPs that overlap with SideCopy at medium-to-high confidence. The campaign opens with a spear phishing delivery — a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename:"
        https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
        https://therecord.media/afghan-officials-targeted-by-sidecopy
      • Unknown Hacker Group Targeted Russian Maritime Universities, Diplomats For Nearly Two Years
        "A previously unknown hacking group has spent nearly two years quietly targeting Russian maritime universities, energy facilities, diplomatic missions and government agencies, according to new research. The campaign, which researchers at Russian cybersecurity firm Kaspersky said dates back to at least 2024, remained undetected for years and featured long periods of inactivity that helped conceal the group's operations. Kaspersky said the hackers would sometimes go dormant for three to four months before launching bursts of activity that included up to 10 attacks in a single month. The company did not describe what post-compromise activity was observed after these attacks."
        https://therecord.media/unknown-hacking-group-targeting-russia-for-nearly-two-years

      Breaches/Hacks/Leaks

      • GTA Cheat Service Atlas Menu Hacked As Attacker Alleges Screenshot Spying
        "Grand Theft Auto cheat users have discovered that even the people selling ways around the rules struggle to follow some basic security ones. According to breach notification site Have I Been Pwned, the operators of Atlas Menu, a cheat service for Grand Theft Auto V and Counter-Strike 2, suffered a data breach in May that exposed information belonging to tens of thousands of users after an attacker allegedly gained access to the service's systems and dumped its database online. The breach exposed 64,000 unique email addresses, according to HIBP. The leaked data also included usernames, IP addresses, support tickets, and passwords stored as bcrypt hashes."
        https://www.theregister.com/security/2026/06/01/gta-cheat-service-atlas-menu-hacked-as-attacker-alleges-screenshot-spying/5249192

      General News

      • Data Discovery Gaps That Catch Enterprises Off Guard
        "In this interview with Help Net Security, Avani Desai, CEO at Schellman, talks about the gap between what organizations think they know about their data and what discovery scans turn up. She shares stories of shadow data in abandoned cloud storage, post-merger surprises where duplicated datasets slowed integration, and why synthetic data is overmarketed while confidential computing stays underappreciated. Desai also explains why smaller companies often beat large enterprises on compliance, and the one question that gets executives to admit their data map is out of date."
        https://www.helpnetsecurity.com/2026/06/01/avani-desai-schellman-data-discovery-gaps/
      • EU Organizations Buckle Under Rising Compliance Pressure
        "Cybersecurity governance in the EU is shifting under expanding frameworks such as NIS2 and DORA, while AI raises new questions for security teams. What the future brings is hard to predict, and organizations must find a way to cope. Antonija Vojnović, Governance, Risk and Compliance Department Manager at Span, spoke with Help Net Security at the Span Cyber Security Arena conference about how these regulatory frameworks are shaping compliance priorities and day-to-day decision-making."
        https://www.helpnetsecurity.com/2026/06/01/antonija-vojnovic-span-cybersecurity-governance-challenges/
      • Spain Arrests Doxer Leaking Sensitive Data Of Govt Employees
        "The Spanish National Police has arrested an individual for leaking sensitive information related to members of various key state organizations, including the National Cybersecurity Institute (INCIBE). According to authorities, the individual is responsible for a massive leak of personal data, which carried national security risks because of the people exposed. The police notes that the published data was from the State Attorney General's Office, INCIBE, the National Police, the Civil Guard, and the National Security Council, all critical entities in the country."
        https://www.bleepingcomputer.com/news/security/spain-arrests-doxer-leaking-sensitive-data-of-govt-employees/
      • Inspector General Finds NIST Mistakes Have Made Vulnerability Database Ineffective
        "A key cybersecurity vulnerability database run by the National Institute of Standards and Technology (NIST) has been crippled by mismanagement and other strategic failings, leading to an extreme backlog, according to a new internal watchdog report. NIST’s National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, “undermining the NVD’s utility and public trust,” according to a report published by the inspector general of the Department of Commerce Tuesday. The NVD is a critical tool that industry and government cybersecurity workers use to prioritize which cybersecurity vulnerabilities need to be addressed in what order. The worsening backlog first became a serious issue in February 2024 when NIST stopped paying the contractors who process the security flaws."
        https://therecord.media/nist-mistakes-vulnerability-database-inspector-general
        https://www.oig.doc.gov/wp-content/OIGPublications/OIG-26-020-I-SECURED.pdf
        https://www.helpnetsecurity.com/2026/06/01/nist-nvd-management-problems/
      • Microsoft Says It Will Not Pursue Security Researchers After Zero-Day Backlash
        "Microsoft said Monday it has “no intention to pursue action” against security researchers who uncover vulnerabilities and publish their findings, days after an official blog post sparked a backlash from the security community. The post had condemned a recent series of uncoordinated Windows zero-day releases as “never justifiable” and said the company's Digital Crimes Unit would “continue bringing cases against” those enabling criminal actors. While Microsoft stopped short of naming or directly threatening Nightmare Eclipse — the pseudonymous researcher behind the disclosures — the disclosures themselves were described as having created “unnecessary risk,” and Microsoft’s language was perceived as a threat."
        https://therecord.media/microsoft-says-it-will-not-pursue-security-researchers-disclosure
        https://www.darkreading.com/application-security/microsoft-zero-day-legal-threats-backlash
      • Ransomware Runs Office Hours: What 16,699 Leak Posts Reveal
        "We pulled every ransomware leak-site post we could observe over the past 24 months. The corpus came in at 16,699 distinct victim listings from 200 groups. We then asked the obvious question almost nobody answers with real data: when does ransomware actually fire? The picture is clean. Ransomware runs on office hours. 84% of leak posts land Monday through Friday. Half of all activity happens in just 8 UTC hours, centred on the European afternoon and US morning. October is open season every year. And the operator population is still growing, not consolidating."
        https://ransomnews.com/ransomware-office-hours-timing-2026/
        https://securityaffairs.com/192969/cyber-crime/ransomware-operators-keep-business-hours-the-data-proves-it.html

      References
      Electronic Transactions Development Agency (ETDA)
