Cyber Threat Intelligence 07 July 2026
-
Financial Sector
- The Future Of Payment Fraud Could Be Automated
"Payment fraud is becoming more organized as criminal groups use fake websites, large-scale operations, and, in some cases, forced labor to steal money and personal information. Advances in agentic AI could automate many stages of payment fraud, from collecting and assembling stolen credentials to deploying password-cracking tools. CAPCO’s “US Payment Fraud Survey” found that consumers increasingly value fraud protection when choosing payment providers. Security was one of the most important factors for 63% of respondents, and 50% selected advanced fraud protection. Both ranked ahead of customer service, transaction speed, brand reputation, and rewards."
https://www.helpnetsecurity.com/2026/07/06/key-payment-fraud-trends-report/
New Tooling
- Omnigent: Open-Source AI Agent Framework And Meta-Harness
"Plenty of developers now keep several coding agents close at hand, reaching for Claude Code on one task and Codex or Cursor on the next. Each tool arrives with its own command line, its own handling of credentials, and its own way of running shell commands against a working directory. That spread leaves teams with a governance gap around where agent actions land and how much they cost. Omnigent, an open-source project, sits one level above those tools as a meta-harness. The common layer drives Claude Code, Codex, Cursor, OpenCode, Hermes, Pi, and agents a team writes in YAML, and a user swaps or combines them with one-line changes."
https://www.helpnetsecurity.com/2026/07/06/omnigent-open-source-ai-agent-framework/
https://github.com/omnigent-ai/omnigent
Vulnerabilities
- One Trigram At a Time: XSLeak Via Universal CSS Injection And DoS In Opera (GX)
"This paper focuses on a critical browser vulnerability discovered in Opera GX that allows cross-site data exfiltration simply by visiting an attacker-controlled website, without requiring any user interaction. By abusing the browser’s GX Mods feature, what initially appears to be a harmless customization mechanism can be turned into a universal CSS injection affecting every webpage visited by the user. As we will see, this makes it possible to build a practical XS-Leak capable of exfiltrating sensitive information from arbitrary websites. The same attack vector also enables a denial-of-service attack affecting both Opera GX and Opera."
https://zhero-web-sec.github.io/research-and-things/one-trigram-at-a-time-xsleak-via-universal-css-injection-and-dos-in-opera-(gx)
https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.html
https://www.infosecurity-magazine.com/news/opera-gx-flaw-gx-mods-css/ - SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners With Self-Extracting Packing
"Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the disguised skills the scanners miss."
https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html
https://arxiv.org/abs/2607.02357 - 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape To Host On Intel And AMD x86 Systems
"A use-after-free bug in Linux's KVM hypervisor can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel that runs it. Dubbed 'Januscape' and tracked as CVE-2026-53359, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD. The public proof-of-concept panics the host; the researcher claims that a separate, unreleased exploit turns the same bug into full host code execution. Security researcher Hyunwoo Kim (@v4bel) found and reported the bug. He described Januscape as the first guest-to-host exploit triggerable on both Intel and AMD, to the best of public knowledge. The flaw went unnoticed for roughly 16 years."
https://thehackernews.com/2026/07/16-year-old-linux-kvm-flaw-lets-guest.html
https://github.com/V4bel/Januscape - New TrojPix Attack Leaks Data From Air-Gapped Systems Via Video Cable Emissions
"Researchers at Shandong University have shown a fast new way to pull data off computers that are cut off from every network. The technique, called TrojPix, tweaks on-screen pixels in ways the eye cannot see, so that the video cable carrying them radiates a faint radio signal a nearby receiver can decode. But TrojPix works only once malware is already on the target machine, so it is a way for stolen data to get out, not a way in. In the researchers' tests, TrojPix hit a peak throughput of 8.1 Mbps and reached as far as 208 meters, the two measured separately rather than together."
https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html
Malware
- Max Severity Adobe ColdFusion Flaw Now Exploited In Attacks
"Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel. ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems. Adobe released security updates on Tuesday to address the vulnerability, saying that it posed a high risk of exploitation and urging admins to deploy patches immediately."
https://www.bleepingcomputer.com/news/security/max-severity-adobe-coldfusion-flaw-now-exploited-in-attacks/
https://securityaffairs.com/194837/hacking/adobe-coldfusion-flaw-cve-2026-48282-now-exploited-in-the-wild.html - Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
"Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated access."
https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html - Phishing Poses As Big-Brand Job Interview To Steal Google Accounts
"A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals. The operation is abusing the legitimate cloud-based PeopleForce human resources platform and a domain associated with the Salesforce Marketing Cloud service before redirecting the recipient to a malicious landing page. To further instill trust and increase the chances of success, the threat actor is using the names and pictures of real recruiters at impersonated companies."
https://www.bleepingcomputer.com/news/security/phishing-poses-as-big-brand-job-interview-to-steal-google-accounts/
https://gist.github.com/BushidoUK/57c38d5ee75481fb237e968a537de778 - Fake IT Support Calls On Microsoft Teams Push EtherRAT Malware
"Threat actors are abusing Microsoft Teams voice calls by impersonating corporate IT support staff to trick employees into installing the EtherRAT malware, giving attackers initial access to corporate networks. The campaign, reported by Palo Alto Networks' Unit 42, combines phishing emails, Microsoft Teams voice calls, legitimate remote management tools, and a Node.js-based malware loader to compromise victims' computers. According to a report by Unit 42 posted on GitHub, the attack begins with a phishing email containing an "Employee Survey" lure and a malicious PDF attachment."
https://www.bleepingcomputer.com/news/security/fake-it-support-calls-on-microsoft-teams-push-etherrat-malware/
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-28-Fake-IT-support-abuses-Teams-to-deliver-EtherRAT.txt - Cavern Manticore: Exposing Iran-Linked Modular C2 Framework
"Since early 2026, Check Point Research (CPR) has tracked a new modular command-and-control framework used by Cavern Manticore, an Iran-nexus APT group primarily targeting Israeli organizations, with a focus on IT providers, and government sectors. Cavern Manticore is an Iran MOIS (Ministry of Intelligence and Security)-linked actor, with links to the OilRig subgroup named Lyceum. The framework reflects a mature and adaptable toolset built around a shared .NET foundation, while using multiple compilation formats across different components, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT. The compilation format itself becomes the anti-analysis layer that forces reverse engineers into multiple toolsets and metadata-reconstruction workflows."
https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/
https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html
https://www.infosecurity-magazine.com/news/new-iran-hacking-group-targets/ - When Checking The URL Isn’t Enough: a Device Code Phishing Attack Via a Microsoft Website
"One of the most common pieces of anti-phishing advice is to double-check the website’s domain name before providing your credentials. Typically, a fraudulent domain stands out to the trained eye, differing from the official URL by at least a few characters. Recently, however, we encountered a campaign where attackers instruct victims to input data directly into a legitimate, trusted corporate site: the Microsoft Identity Platform, which supports an OAuth 2.0 specification known as the Device Authorization Grant."
https://securelist.com/microsoft-device-code-phishing-attack/120350/ - Operation DragonReturn: China-Nexus Cyber Espionage Campaign Targeting Govt. Of India/MoF Tax Infrastructure Via Multi-Stage DcRAT Deployment
"Seqrite Lab actively tracks and analyse threat actors and their campaigns, focusing on attribution, infrastructure analysis, and adversary tradecraft. Throughout our research, we have attributed numerous operations to China-aligned threat clusters targeting both regional and international entities. As part of our latest investigation, we uncovered a campaign that demonstrates operational and technical similarities to a China-nexus threat cluster. Further analysis revealed overlapping TTPs with a prominent and highly active threat actor known for conducting cyber-espionage operations against Asian countries through the deployment of RAT-based malware."
https://www.seqrite.com/blog/operation-dragonreturn-china-nexus-cyber-espionage-campaign-targeting-govt-of-india-mof-tax-infrastructure-via-multi-stage-dcrat-deployment/
https://thehackernews.com/2026/07/suspected-china-nexus-hackers-use-fake.html - Novel Java-Based QuimaRAT Targets Windows, MacOS, And Linux
"Remote access trojans (RATs) are legacy threats that continue to evolve alongside an expanding and ever-changing threat landscape. Following our recently published articles about novel and notable RATs, including KarstoRAT, the latest version of ClickFix, and ClickFix’s macOS variant, we analyzed QuimaRAT, a novel Java-based RAT that targets Windows, Linux, and macOS environments and is currently being sold on the dark web as a subscription-based RAT platform."
https://www.levelblue.com/blogs/spiderlabs-blog/novel-java-based-quimarat-targets-windows-macos-and-linux
https://thehackernews.com/2026/07/new-java-based-quimarat-maas-built-to.html - Ukrainian Media Outlets Now Among 'priority Targets' For Russian Hackers
"Russia-linked hackers are increasingly targeting Ukrainian media organizations, local officials warned, as news outlets continue to face pressure not only from cyber operations but also Russia's ongoing military attacks. Ukraine's domestic security agency, the SBU, said media organizations have become "one of the priority targets" for Russian hackers. Previous attacks have primarily sought to disrupt broadcasts, spread propaganda and undermine public trust."
https://therecord.media/ukraine-media-organizations-priority-hacking-targets-russia
Breaches/Hacks/Leaks
- US Army Websites Defaced With Pro-Kurdish Sentiments, Insults To Trump
"Multiple U.S. Army internet subdomains were defaced in a 404 hijacking campaign, CyberScoop has confirmed. As of Monday morning, error pages on two U.S. Army websites – oil.army.mil and ai2c.army.mil – displayed defacement messages visible to users. The messages denigrated President Donald Trump and United States Ambassador to Türkiye Tom Barrack, called to “FREE KURDISTAN,” And included another line reading “Kurdish sr was here.”"
https://cyberscoop.com/us-army-websites-defaced-404-hijacking-kurdistan/
General News
- How To Prioritize AI Agent Security By Business Impact
"Your CEO calls about an AI agent security incident in finance. He wants to know whether money moved, whether financial data was exposed, who owned the agent and why it had this level of access. The agent was connected to a spend management application to reconcile invoices, summarize vendor contracts and flag unusual payment activity. The breakdown occurred when the employee who configured it left and the OAuth grant remained active, allowing the agent to continue accessing vendor banking details, contract terms and internal approval notes even though its ownership and business purpose had changed."
https://www.helpnetsecurity.com/2026/07/06/prioritize-ai-agent-security-business-impact/ - OAuth, Guest Accounts, And Weak MFA Drive SaaS Risk
"Organizations often create guest accounts to give contractors, suppliers, and partners temporary access to files and SaaS applications. Many of these accounts remain active long after they are needed, creating overlooked access paths to corporate data. Guest accounts accounted for 69% of monitored SaaS accounts in 2025, an increase of more than 1.9 million compared with the previous year, according to Kaseya’s 2026 SaaS Security Report: Closing the Unmanaged Trust Gap."
https://www.helpnetsecurity.com/2026/07/06/saas-environments-security-risks-report/ - Finding Vulnerabilities Was Never The Hard Part
"I keep hearing the same frustration when I talk with security leaders. The real problem sitting on their desk isn’t finding vulnerabilities. It’s deciding which ones actually matter. The industry has spent billions on better visibility. We’ve convinced ourselves that if we could just discover more vulnerabilities, collect more data, and ingest more threat intelligence, we’d become more secure. But look around. Organizations still aren’t more secure. They’re just overwhelmed."
https://cyberscoop.com/ai-cybersecurity-vulnerability-prioritization-op-ed/ - Mid-Year Threat Trends: What H1 2026 Signals For The Rest Of The Year
"The first half of 2026 has given security teams little room to breathe. Ransomware operators kept up a punishing pace. If that wasn’t enough, access brokers turned network intrusions into a marketplace, and nation-state activity blurred further into hacktivism and organized cybercrime. Taken together, the numbers point to a threat landscape that isn’t just growing louder; it’s becoming faster, more coordinated, and harder to attribute."
https://cyble.com/blog/2026-threat-intelligence-trends/ - It Might Feel Like We’ve Been Here Before, But We Haven’t
"As artificial intelligence (AI) adoption surges and organisations move from the ‘should we?’ phase to the ‘how do we?’ phase, it’s natural to evaluate the likelihood of positive returns on AI investments. That’s always been the case with the onset of each new technology paradigm: C-suite executives, guided by their boards and aided by technical and business teams, remain keenly focused on traditional metrics such as return on investment, shareholder equity, developing and extending competitive advantage, and ensuring superior customer relationships."
https://www.paloaltonetworks.com/blog/2026/07/it-might-feel-like-weve-been-here-before-but-we-havent/
https://www.paloaltonetworks.com/resources/ebooks/executive-edge-peer-insights-governing-ai-and-agentic-systems-at-enterprise-scale - The Shift Toward Business-Aligned Risk Management
"In the movie Moneyball, the Oakland A’s didn’t need more data; they needed to know which data actually won games. Risk assessment data has the same problem. A CVSS score of 9.1 might mean little to a CFO; the fact that it represents a vulnerability in a payment system processing $2 million daily means a great deal. This data must therefore link to information about operational disruptions that can cause financial loss, product delays, or draw the ire of regulatory authorities, for it to become more actionable."
https://www.securityweek.com/the-shift-toward-business-aligned-risk-management/ - FBI And Spanish Police Arrest Alleged Cyber Army Of Russia Reborn Member
"Spanish police have arrested an alleged member of the pro-Russia hacktivist group Cyber Army of Russia Reborn, also known as Z-Pentest, in an operation carried out with support from the FBI. The arrest forms part of ongoing measures to identify and disrupt people involved in cyberattacks targeting critical infrastructure. The FBI confirmed that its Los Angeles field office worked with Spain’s National Police to coordinate the arrest. US authorities said the action falls under Operation Riptide, an international effort aimed at disrupting malicious cyber activity and holding those responsible accountable."
https://hackread.com/fbi-spanish-police-arrest-cyber-army-russia-reborn-member/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- The Future Of Payment Fraud Could Be Automated