<![CDATA[Cyber Threat Intelligence 04 June 2026]]>Vulnerabilities

Malware

  • TA4922: The Suspected Chinese Crime Group Is Going Global
    "The Chinese-speaking cybercriminal ecosystem has grown dramatically in recent years. Many of the threats observed in the landscape are descendants of malware first used by Chinese espionage threat actors, namely Gh0stRAT and related payloads, and frequently targeted Chinese-speaking users. But as Chinese-speaking cybercriminals develop better capabilities in malware, social engineering, and global targeting, their footprint is expanding, and more actor clusters are emerging. In this report, we’ll dive into TA4922, a newly designated Chinese-speaking threat actor largely targeting East Asia."
    https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global
    https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/
    https://hackread.com/china-ta4922-hackers-uk-europe-silentrunloader-malware/
  • CISA Warns Of Cyberattacks Targeting Fuel Tank Monitoring Systems
    "CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors. The cybersecurity agency says that ATG systems are commonly used in the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors to remotely monitor storage tank levels, temperatures, and potential leaks. The US government says threat actors are targeting exposed devices and modifying system settings through command execution."
    https://www.bleepingcomputer.com/news/security/cisa-warns-of-cyberattacks-targeting-fuel-tank-monitoring-systems/
    https://www.ic3.gov/CSA/2026/260602.pdf
  • Inside The Cross-Platform Propagation Of a New Gafgyt Variant C0XMO
    "This past March, FortiGuard Labs discovered a new Gafgyt botnet variant, C0XMO, that spreads by exploiting CVE-2021-27137. Our analysis revealed that, unlike earlier versions, this malware separates its lateral movement into a standalone Python script. This approach helps the attacker target various system architectures and device types more efficiently. Below is a detailed technical overview of its structure, propagation methods, and attack features. The threat actor delivered the malware by exploiting CVE-2021-27137, a stack buffer overflow in the UPnP service of vulnerable DD-WRT router firmware versions. The vulnerability occurs when the SSDP parser mishandles oversized ST:uuid: values in specially crafted M-SEARCH requests sent via UDP port 1900."
    https://www.fortinet.com/blog/threat-research/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo
  • Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
    "Latin America, characterized by high mobile penetration and uneven SMS anti-spoofing controls, is often exploited by fraud operators. Group-IB researchers have identified a sophisticated, large-scale smishing and phishing operation, active since the second half of 2025, that uses the region as its primary theater and has expanded to 72 countries across the globe. This campaign has impersonated over 267 unique brands across sectors like telecommunications and financial services, successfully generating thousands of phishing domain instances aimed at harvesting full credit card credentials and personal identifiers."
    https://www.group-ib.com/blog/error-524-decoy-smishing/
  • How Attackers Are Gaining Access To LLM Inference
    "The most capable commercial AI models are now useful enough to attackers that they have become an integral part of their kill chain, in multiple steps. The Cybench benchmark tests models on offensive cyber tasks. Its current top performers (Claude Opus 4.6, Claude Sonnet 4.5, Grok 4) can write functional exploit code, reason through credential chains, and sustain complex reconnaissance workflows: multi-step offensive work that previously required human expertise. Malware families are already using this. Instead of generating a payload offline and shipping it, they wire a live LLM API into the malware itself so it can adapt its behavior at runtime on the infected host."
    https://intezer.com/blog/how-attackers-access-llm-inference/
  • We Found This Fake-Invoice Campaign While Scammers Were Still Building It
    "A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, and Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake “support agent” is waiting. What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout."
    https://www.malwarebytes.com/blog/threat-intel/2026/06/we-found-this-fake-invoice-campaign-while-scammers-were-still-building-it
  • Argamal: Malware Hidden In Hentai Games
    "In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities for the attackers. We dubbed this malware family “Argamal”. The malware uses COM hijacking to persist on the victim’s machine, replacing the InprocServer32 entry for Windows Color System Calibration Loader DLL. This task is triggered when the user logs in, effectively allowing the malware to run at startup."
    https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
  • Espionage Campaign Targeted Stock Exchange Executive For Five Months
    "A five-month espionage campaign targeted the email account of a senior figure at a major global stock exchange. For an espionage actor, a senior executive's mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive's calendar, travel pattern, and their contacts. Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions and market-moving events. Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target's working life and the organization's near-term direction without ever having to move laterally elsewhere on the network."
    https://www.security.com/threat-intelligence/stock-exchange-espionage
    https://www.securityweek.com/hackers-target-global-stock-exchange-in-espionage-operation/
    https://securityaffairs.com/193086/intelligence/cyber-espionage-campaign-targeted-stock-exchange-executives-outlook-account.html
  • From Malspam To DesckVB RAT Deployment
    "In May 2026, the Huntress SOC responded to a DesckVB RAT infection that began with a malspam. Short for “malicious spam,” malspam is email crafted to deliver malware or trick a user into taking an action that starts the infection chain, whether that is opening a booby-trapped attachment, clicking a malicious link, or handing over credentials on a fake login page. Still to this day, malspam remains one of the most prolific initial access vectors for attackers. At first glance, this case could be mistaken for just another malspam infection, but the delivery chain tells a more interesting story."
    https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis
    https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html
  • When "Moderate" Means "Sometimes"
    "On April 14, 2026, Microsoft patched CVE-2026-33829, an NTLM credential leakage bug in the Windows Snipping Tool with a CVSS score of 4.3. The issue lived in the Snipping Tool’s ms-screensketch: URI handler, the part of Windows that decides what to do when someone clicks a special kind of link. Technically, the Snipping Tool’s URI handler accepted a filePath parameter, didn't validate it, and would happily reach out to whatever UNC path you handed it. That connection could trigger NTLM authentication and expose the victim’s Net-NTLMv2 hash. In plain English: a user could be tricked into clicking what looks like an ordinary link, and their computer would automatically try to “check in” with a server controlled by the attacker."
    https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler
    https://thehackernews.com/2026/06/unpatched-windows-search-uri.html

Breaches/Hacks/Leaks

  • IMA Diligence Services Data Breach Impacts 525,000 People
    "IMA Diligence Services is notifying over 525,000 individuals that their personal information was stolen in a data breach. The incident, the company says, was identified in mid-December after a legacy server managed by a third party became inaccessible. “Upon discovery, we notified law enforcement and promptly commenced an investigation to confirm the nature and scope of this incident,” an incident notice on the company’s website reads."
    https://www.securityweek.com/ima-diligence-services-data-breach-impacts-525000-people/

General News

  • Economic Fury Targets Iran’s Largest Digital Asset Exchange For Terror Finance And Sanctions Evasion
    "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated Nobitex, Iran’s largest digital asset exchange, along with three other Iranian digital asset exchanges, as part of Economic Fury and the Trump Administration’s efforts to eliminate the threat posed by the Iranian regime. “While Iran’s economy is in free fall, the regime has chosen to co-opt digital asset technologies for its own corrupt agenda, including evading sanctions and transferring wealth out of the country. Iran’s current economic chaos is proof that President Trump’s maximum pressure campaign has been a success,” said Secretary of the Treasury Scott Bessent."
    https://home.treasury.gov/news/press-releases/sb0519
    https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/
  • Embedded Threats: How Attackers Weaponize Legitimate Emails
    "Cofense Intelligence has been tracking how threat actors abuse various legitimate online services to deliver malicious content embedded in legitimate business emails via arbitrary text fields. Legitimate websites often need to collect arbitrary text input from users to fill out usernames, meeting descriptions, or similar kinds of information. This text is often embedded within legitimate emails when the user performs actions such as sending meeting invitations, sharing documents, or resetting passwords."
    https://cofense.com/blog/embedded-threats-how-attackers-weaponize-legitimate-emails
  • Autonomous AI-Driven Worm Can Reason Its Way Through Corporate Networks
    "Researchers at the University of Toronto, the Vector Institute, and the University of Cambridge have built and tested a proof-of-concept AI-driven worm that does not operate on a fixed list of exploits. Instead, it analyzes each target it encounters, reasons about how to attack it, and creates a strategy on the fly, all with the help of a small, free large language model (LLM) running directly on machines it has already compromised."
    https://www.helpnetsecurity.com/2026/06/03/autonomous-ai-worm-prototype/
    https://arxiv.org/pdf/2606.03811
  • Security Of 100 AI Agents Tested And Ranked – What You Need To Know
    "AI is our new leader. We just accept and do what it tells us. Maybe we should be a bit more circumspect. Concern over the performance of AI agents has been constant, ranging from ‘leaky’ to just plain wrong decision-making. Since the pressure to use more agents more autonomously because of supercharged AI-assisted attacks is now constant, Adversa AI’s decision to measure and compare the performance and security of 100 agents across ten categories is welcome. But the results are not. Of the 100 agents tested, and positioned within a new AI Risk Quadrant, only 11 are categorized as ‘capable well-defended’."
    https://www.securityweek.com/security-of-100-ai-agents-tested-and-ranked-what-you-need-to-know/
    https://www.helpnetsecurity.com/2026/06/03/research-ai-agent-security-capability/
  • A Small Slovenian Team Handles 6,000 Cyber Incidents a Year
    "Online fraud complaints, ransomware cases, and phishing tips reach Slovenia’s national cyber response center in steady volume, and a team of around a dozen analysts sorts through them. Gorazd Božič, who manages SI-CERT at the public agency ARNES, described that work in an interview conducted in person at the Span Cyber Security Arena conference. He put the original proposal for a Slovenian CERT to ARNES leadership in 1994, and the center now records about 6,000 incidents a year, up from roughly 300 ten to fifteen years earlier."
    https://www.helpnetsecurity.com/2026/06/03/gorazd-bozic-si-cert-cyber-incident-response/
  • Known Vulnerabilities Behind Most Application Security Incidents
    "Eight in ten organizations took an application security hit during the past year tied to a vulnerability their team had already cataloged, according to a survey of 902 IT and security professionals conducted by the Cloud Security Alliance. The pattern points to a structural condition across the industry, where the window between identifying a flaw and closing it in production stays open long enough for attackers to act. The National Vulnerability Database logged more than 40,000 CVEs in 2025, and VulnCheck recorded exploitation activity following disclosure within days. Frontier AI systems capable of generating working exploits at machine speed, including one called Mythos, have compressed that window further, raising the operational stakes for any organization carrying unresolved findings in live environments."
    https://www.helpnetsecurity.com/2026/06/03/csa-application-security-incidents/

อ้างอิง
Electronic Transactions Development Agency (ETDA) c7ef67cc-aecc-42bb-ad62-9d6b4f551c27-image.png

]]>https://webboard-nsoc.ncsa.or.th/topic/2952/cyber-threat-intelligence-04-june-2026RSS for NodeFri, 05 Jun 2026 14:54:34 GMTFri, 05 Jun 2026 06:36:25 GMT60