<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[ETDA Cyber Threat Intelligence 02 July 2026]]></title><description><![CDATA[<p dir="auto"><strong>New Tooling</strong></p>
<ul>
<li><strong>Nika: Open-Source Code Analysis Tool</strong><br />
"Many serious security bugs in web applications sit across several files at once. Request data enters through a controller, moves through data objects and service layers, and turns dangerous only when it reaches a sensitive operation such as a database query or a file action. A scanner that reads one file at a time can miss that path entirely. Nika, an open-source tool from the payments company PhonePe, works on that problem for Java microservices. It performs cross-file taint analysis, tracing attacker-controlled input across application layers to find out whether that input reaches a security-sensitive sink."<br />
<a href="https://www.helpnetsecurity.com/2026/07/01/nika-open-source-code-analysis-tool/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/07/01/nika-open-source-code-analysis-tool/</a><br />
<a href="https://github.com/PhonePe/nika" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/PhonePe/nika</a></li>
</ul>
<p dir="auto"><strong>Vulnerabilities</strong></p>
<ul>
<li><strong>DuneSlide: Two Critical RCE Vulnerabilities Via Zero-Click Prompt Injection In Cursor IDE</strong><br />
"Cato AI Labs has discovered two critical remote code execution (RCE) vulnerabilities in Cursor IDE, the popular development environment which, according to Cursor, is used by over half of the Fortune 500. Both RCE vulnerabilities, which we refer to as “DuneSlide,” achieved a 9.8 CVSS score, and involve breaking out of the IDE’s sandbox environment and were assigned CVE IDs CVE-2026-50548 and CVE-2026-50549. Together, these vulnerabilities show how prompt injection can reach beyond the LLM layer and expose classical vulnerabilities in code paths that were not traditionally considered part of the attack surface."<br />
<a href="https://www.catonetworks.com/blog/duneslide-two-critical-rce-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.catonetworks.com/blog/duneslide-two-critical-rce-vulnerabilities/</a><br />
<a href="https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html</a></li>
<li><strong>Google Patches 382 Chrome Vulnerabilities</strong><br />
"Google on Tuesday announced the release of Chrome 151 with patches for 382 vulnerabilities, the vast majority of which were discovered by the tech giant itself. Of the 382 vulnerabilities, 358 were found by Google. The company has discovered and patched hundreds of Chrome flaws in recent months, a surge likely driven by AI. However, it has shared no details on which specific AI tools are driving the surge. Fifteen of the newly patched vulnerabilities have been assigned a ‘critical’ severity rating, and 67 have been rated ‘high severity’. Of the remaining flaws, 169 have a ‘medium’ and 131 have a ‘low’ severity rating."<br />
<a href="https://www.securityweek.com/google-patches-382-chrome-vulnerabilities/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/google-patches-382-chrome-vulnerabilities/</a><br />
<a href="https://www.malwarebytes.com/blog/bugs/2026/07/chrome-needs-another-whopper-update-to-fix-382-security-fixes" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.malwarebytes.com/blog/bugs/2026/07/chrome-needs-another-whopper-update-to-fix-382-security-fixes</a></li>
<li><strong>Caught In The Octopus Trap: Unauthenticated RCE In Argo CD With CodeQL</strong><br />
"Synacktiv has discovered an unauthenticated arbitrary code execution vulnerability in ArgoCD's repo-server component, potentially allowing full cluster compromise. This article explains how the vulnerability was identified using CodeQL, details the exploitation process to gain control over the underlying Kubernetes cluster, and introduces a tool for automating the attack."<br />
<a href="https://www.synacktiv.com/en/publications/caught-in-the-octopus-trap-unauthenticated-rce-in-argo-cd-with-codeql" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.synacktiv.com/en/publications/caught-in-the-octopus-trap-unauthenticated-rce-in-argo-cd-with-codeql</a><br />
<a href="https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html</a></li>
<li><strong>Over 900 Oracle E-Business Instances Exposed To Ongoing Attacks</strong><br />
"Over 900 Oracle E-Business Suite (EBS) instances have been found exposed online amid ongoing attacks exploiting a critical security flaw. The vulnerability (tracked as CVE-2026-46817) was found in the File Transmission component of EBS's Oracle Payments product and allows malicious actors without privileges and with HTTP network access to take over vulnerable systems through low-complexity attacks. Oracle has patched this flaw with security updates released as part of its May 2026 Critical Security Patch Update and urged customers to patch their systems immediately."<br />
<a href="https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-instances-exposed-to-ongoing-attacks/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-instances-exposed-to-ongoing-attacks/</a><br />
<a href="https://cyberscoop.com/oracle-ebs-critical-vulnerability-exploited/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/oracle-ebs-critical-vulnerability-exploited/</a><br />
<a href="https://securityaffairs.com/194599/security/oracle-e-business-suite-flaw-under-active-attack-950-systems-exposed.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194599/security/oracle-e-business-suite-flaw-under-active-attack-950-systems-exposed.html</a></li>
<li><strong>Progress Kemp LoadMaster Vulnerability Targeted (CVE-2026-8037)</strong><br />
"Beginning on June 29th, 2026, eSentire’s Threat Response Unit (TRU) identified exploitation attempts targeting the critical Progress Kemp LoadMaster vulnerability CVE-2026-8037. The vulnerability was initially disclosed on June 4th and functional Proof-of-Concept (PoC) exploit code was released on June 29th. CVE-2026-8037 (CVSS: 9.8) is an OS Command Injection Remote Code Execution (RCE) vulnerability which allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance. As active exploitation attempts have been identified, it is critical that organizations apply the relevant security patches immediately."<br />
<a href="https://www.esentire.com/security-advisories/progress-kemp-loadmaster-vulnerability-targeted-cve-2026-8037" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.esentire.com/security-advisories/progress-kemp-loadmaster-vulnerability-targeted-cve-2026-8037</a><br />
<a href="https://thehackernews.com/2026/07/latest-progress-kemp-loadmaster-pre.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/latest-progress-kemp-loadmaster-pre.html</a></li>
</ul>
<p dir="auto"><strong>Malware</strong></p>
<ul>
<li><strong>No (Bad) CAP: Inside An Ongoing LSHIY Password Spray Attack</strong><br />
"Huntress is observing a massive, ongoing, automated password spray attack against Microsoft's Azure command-line interface (CLI), originating from an IPv6 address range controlled by internet infrastructure provider LSHIY LLC, AS32167. From June 12 through June 26, the threat actor made more than 81 million login attempts against Huntress customer accounts and successfully compromised at least 78 Microsoft accounts. Last week, the number and effectiveness of the compromises surged, continuing a concerning trend in the rapid expansion of these types of attacks. Notably, many of these organizations had Conditional Access policies, but the way they were configured didn't cover the techniques used by the threat actors in this campaign."<br />
<a href="https://www.huntress.com/blog/lshiy-password-spray-attack" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.huntress.com/blog/lshiy-password-spray-attack</a><br />
<a href="https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html</a><br />
<a href="https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-365-accounts-with-81-million-login-attempts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-365-accounts-with-81-million-login-attempts/</a><br />
<a href="https://www.securityweek.com/massive-password-spray-campaign-targeting-azure-cli/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securityweek.com/massive-password-spray-campaign-targeting-azure-cli/</a><br />
<a href="https://www.bankinfosecurity.com/azure-password-spraying-attack-bypasses-mfa-defenses-a-32128" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bankinfosecurity.com/azure-password-spraying-attack-bypasses-mfa-defenses-a-32128</a><br />
<a href="https://securityaffairs.com/194588/uncategorized/azure-cli-targeted-in-lshiy-password-spray-campaign-across-64-orgs.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://securityaffairs.com/194588/uncategorized/azure-cli-targeted-in-lshiy-password-spray-campaign-across-64-orgs.html</a></li>
<li><strong>Phantom Squatting: AI-Hallucinated Domains As a Software Supply Chain Vector</strong><br />
"Unit 42 researchers found that large language models (LLMs) consistently hallucinate web domains for legitimate brands. Adversaries are actively weaponizing this vector by registering these nonexistent domains to intercept traffic generated by AI systems. We call this phenomenon phantom squatting, and it poses a significant risk to the software supply chain. Our proactive monitoring of registration for high-priority hallucinated domains yielded real-world detections across multiple sectors. We were able to predict use of these domains from 18–51 days ahead of adversary registration."<br />
<a href="https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-domains/" target="_blank" rel="noopener noreferrer nofollow ugc">https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-domains/</a><br />
<a href="https://thehackernews.com/2026/07/phantom-squatting-uses-ai-hallucinated.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/phantom-squatting-uses-ai-hallucinated.html</a><br />
<a href="https://www.darkreading.com/endpoint-security/phantom-squatting-ai-driven-supply-chain-threat" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/endpoint-security/phantom-squatting-ai-driven-supply-chain-threat</a></li>
<li><strong>ClickFix: The Gift That Keeps On Giving</strong><br />
"In the beginning of June I presented the session ClickFix: The Gift That Keeps On Giving at OrangeCon. ClickFix emerged around 2024 and saw a 517% increase in 2025 as described by SANS; the effectiveness of this technique is something we will have to deal with for the upcoming years. Before diving into technical details, it’s important to understand why ClickFix is so effective. The attack exploits fundamental user behaviors and training:"<br />
<a href="https://kqlquery.com/posts/clickfix-gift-that-keeps-on-giving/" target="_blank" rel="noopener noreferrer nofollow ugc">https://kqlquery.com/posts/clickfix-gift-that-keeps-on-giving/</a><br />
<a href="https://thehackernews.com/2026/07/researcher-analyzes-3000-live-clickfix.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/researcher-analyzes-3000-live-clickfix.html</a></li>
<li><strong>SOCRadar Links FortiBleed Campaign To INC And Lynx Ransomware Operations</strong><br />
"SOCRadar’s Threat Research Unit (STRU) has linked the FortiBleed credential-harvesting campaign to two active ransomware-as-a-service operations, INC Ransom and Lynx. An operator tied to FortiBleed’s infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time."<br />
<a href="https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/" target="_blank" rel="noopener noreferrer nofollow ugc">https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/</a></li>
<li><strong>Don’t Eat The ChocoPoCs! How Vulnerability Researchers Were Repeatedly Targeted By Trojanised Exploits</strong><br />
"This blogpost is a collaboration between YesWeHack and Sekoia TDR, analysing an undocumented supply chain attack that targets vulnerability researchers and pentesters via lure CVE PoC repositories. Our analysis shows that this vector has already been used in malicious PoCs, seeking to compromise pentesting tools, since late 2025. Because the malware and its C2 infrastructure are still active, we strongly advise against running any of the PoCs code or installing the malicious packages."<br />
<a href="https://www.sekoia.com/blog/dont-eat-the-chocopocs-how-vulnerability-researchers-were-repeatedly-targeted-by-trojanised-exploits" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.sekoia.com/blog/dont-eat-the-chocopocs-how-vulnerability-researchers-were-repeatedly-targeted-by-trojanised-exploits</a><br />
<a href="https://www.bleepingcomputer.com/news/security/new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits/</a></li>
<li><strong>When AI Invents The Attack: Browser-Native Ransomware</strong><br />
"Check Point Research recently uncovered something that changes how we think about AI-assisted threats: a malware sample in which an AI model independently connected a theoretical browser risk to a working ransomware technique, with no exploit, no app installation, and no technical expertise required from the attacker."<br />
<a href="https://blog.checkpoint.com/research/when-ai-invents-the-attack-browser-native-ransomware/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.checkpoint.com/research/when-ai-invents-the-attack-browser-native-ransomware/</a><br />
<a href="https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique/" target="_blank" rel="noopener noreferrer nofollow ugc">https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique/</a><br />
<a href="https://thehackernews.com/2026/07/ai-generated-browser-ransomware-abuses.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/ai-generated-browser-ransomware-abuses.html</a><br />
<a href="https://www.theregister.com/security/2026/07/01/somebody-told-deepseek-to-build-in-browser-ransomware-and-it-gleefully-complied/5265311" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/security/2026/07/01/somebody-told-deepseek-to-build-in-browser-ransomware-and-it-gleefully-complied/5265311</a></li>
<li><strong>ARToken: Inside An EvilTokens Affiliate Panel Targeting Microsoft 365</strong><br />
"Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC) operations, and SharePoint exfiltration — all accessible to operators through a React-based dashboard."<br />
<a href="https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/</a><br />
<a href="https://cyberscoop.com/artoken-bec-platform-cisco-talos/" target="_blank" rel="noopener noreferrer nofollow ugc">https://cyberscoop.com/artoken-bec-platform-cisco-talos/</a><br />
<a href="https://www.theregister.com/cyber-crime/2026/07/01/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought/5265409" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/cyber-crime/2026/07/01/eviltokens-device-code-phishing-kit-totally-more-evil-than-we-all-thought/5265409</a><br />
<a href="https://www.helpnetsecurity.com/2026/07/01/artoken-phishing-panel-microsoft-365-accounts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/07/01/artoken-phishing-panel-microsoft-365-accounts/</a></li>
<li><strong>Analysis Of Ongoing Ousaban Attacks Targeting The Iberian Peninsula</strong><br />
"In May 2026, FortiGuard Labs identified an attack targeting users in Spain and Portugal involving the banking Trojan Ousaban. This malware has been active in Brazil and is spread through an MSI downloader. The malicious payload involves a DLL file that is run via DLL side-loading or process injection. In this campaign, the threat actor primarily targets users in Spain and Portugal. Figure 1 shows how the attack unfolds. The phishing PDF tricks victims into visiting a malicious webpage that scans the user's environment. If they are in Spain or Portugal, the webpage downloads a VBS file to kickstart the next part of the attack. The final payload is an EXE file that is dropped onto the victim’s computer and executed by the VBS script."<br />
<a href="https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.fortinet.com/blog/threat-research/analysis-of-ongoing-ousaban-attacks-targeting-the-iberian-peninsula</a><br />
<a href="https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html</a><br />
<a href="https://www.infosecurity-magazine.com/news/ousaban-banking-trojan-spain/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/ousaban-banking-trojan-spain/</a></li>
<li><strong>Phishing In The Balkans: Fake Traffic Fines, Real Losses</strong><br />
"Government services are increasingly relying on SMS as a channel to send notifications such as fines, toll reminders and payment alerts. It is fast, convenient, and the general public tends to trust a text from an official sender. This trust is what scammers are looking to take advantage of. Group-IB researchers have been tracking a smishing campaign that is impersonating the identity of Putevi Srbije, Serbia’s state road authority. Victims get a text claiming they have an unpaid traffic fine. They click a link. They land on a fake government website that looks real enough to fool most people. They enter their card details. And then the money is gone."<br />
<a href="https://www.group-ib.com/blog/balkans-fake-traffic-fines-phishing/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.group-ib.com/blog/balkans-fake-traffic-fines-phishing/</a></li>
<li><strong>Fake Interpol Investigation Emails Target Small Businesses With Ransomware</strong><br />
"Think your small business is too small to be targeted by ransomware? That's precisely the assumption cybercriminals hope you'll make. Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials. The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware."<br />
<a href="https://www.bitdefender.com/en-us/blog/hotforsecurity/fake-interpol-emails-serve-ransomware" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bitdefender.com/en-us/blog/hotforsecurity/fake-interpol-emails-serve-ransomware</a><br />
<a href="https://hackread.com/fake-interpol-investigation-emails-ransomware-small-businesses/" target="_blank" rel="noopener noreferrer nofollow ugc">https://hackread.com/fake-interpol-investigation-emails-ransomware-small-businesses/</a></li>
<li><strong>The SOC Files: ScreenConnect Masked As Freeware. An Inside Look At a Large-Scale Campaign</strong><br />
"To access compromised systems, threat actors frequently abuse legitimate remote monitoring tools. At first glance, these utilities rarely raise red flags: they are signed with valid digital certificates, often allowlisted under corporate IT policies, and fully supported by OS vendors. However, they grant attackers the ability to harvest data from target devices, drop malware, and move laterally across the network."<br />
<a href="https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/</a><br />
<a href="https://thehackernews.com/2026/07/seo-poisoned-software-sites-abuse.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/seo-poisoned-software-sites-abuse.html</a></li>
<li><strong>Veil#Drop: Blogspot-Hosted PowerShell Loader Delivers PureLog Stealer Through XOR-Encoded In-Memory .NET Payloads</strong><br />
"Veil#Drop is a sophisticated multi-stage malware delivery framework that combines social engineering, compromised websites, malicious JavaScript launchers, PowerShell download cradles, and trusted cloud-hosted infrastructure to deploy PureLog Stealer entirely in memory. The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled. PowerShell then retrieves additional stages from attacker-controlled Blogspot pages, abusing Google’s trusted infrastructure to blend malicious traffic with legitimate web activity and evade reputation-based security controls."<br />
<a href="https://www.securonix.com/blog/veildrop-blogspot-hosted-powershell-loader/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.securonix.com/blog/veildrop-blogspot-hosted-powershell-loader/</a><br />
<a href="https://thehackernews.com/2026/07/veildrop-malware-chain-uses-blogger.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/veildrop-malware-chain-uses-blogger.html</a><br />
<a href="https://www.infosecurity-magazine.com/news/veil-drop-blogspot-purelog-stealer/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.infosecurity-magazine.com/news/veil-drop-blogspot-purelog-stealer/</a></li>
<li><strong>UNC1151 Phishing Email Targeting Belarusian Politician Points To Multi-National Campaign</strong><br />
"UNC1151, also referred to as Ghostwriter and various other names, is a threat actor whose interests align with those of the government of Belarus (and, by extension, Russia, due to Russia and Belarus’s frequently aligned interests). The group first rose to prominence in 2020 when it hacked into legitimate media sites to publish fake stories (which earned it the name ‘Ghostwriter’). Since then it has remained very active, mostly in spear-phishing campaigns targeting individuals in Poland and Ukraine."<br />
<a href="https://censys.com/blog/unc1151-phishing-email-campaign/" target="_blank" rel="noopener noreferrer nofollow ugc">https://censys.com/blog/unc1151-phishing-email-campaign/</a></li>
</ul>
<p dir="auto"><strong>Breaches/Hacks/Leaks</strong></p>
<ul>
<li><strong>Kubota Says Hackers Had Month-Long Access To Network Systems</strong><br />
"Kubota North America Corporation disclosed that hackers had access to some of its network systems for more than a month earlier this year. Following an investigation into the incident, the company determined that between March 16 and April 20 the threat actor accessed files with personal information for employees and their dependents. Kubota is a Japanese industrial manufacturer known for its agricultural and construction equipment. It operates in 120 countries, employs more than 52,000 people, and has a reported annual revenue of $20 billion."<br />
<a href="https://www.bleepingcomputer.com/news/security/kubota-says-hackers-had-month-long-access-to-network-systems/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/kubota-says-hackers-had-month-long-access-to-network-systems/</a></li>
<li><strong>Hackers Breached DHS Information-Sharing Network, People Familiar Say</strong><br />
"A key Department of Homeland Security information-sharing database was accessed by an unknown threat actor in recent weeks, potentially exposing sensitive data exchanged between federal, state, local and industry partners, according to two people familiar with the matter. DHS investigators are probing the intrusion of the Homeland Security Information Network, said both people, who spoke on the condition of anonymity because the incident is sensitive. The hackers’ affiliation and whether any documentation was pilfered from the system are both unclear."<br />
<a href="https://www.nextgov.com/cybersecurity/2026/06/hackers-breached-dhs-information-sharing-network-people-familiar-say/414534/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.nextgov.com/cybersecurity/2026/06/hackers-breached-dhs-information-sharing-network-people-familiar-say/414534/</a><br />
<a href="https://www.bleepingcomputer.com/news/security/dhs-confirms-hackers-breached-hsin-info-sharing-platform/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.bleepingcomputer.com/news/security/dhs-confirms-hackers-breached-hsin-info-sharing-platform/</a></li>
</ul>
<p dir="auto"><strong>General News</strong></p>
<ul>
<li><strong>What a Financial Planner Taught Me About Cybersecurity</strong><br />
"When I spoke at a recent cybersecurity awareness event for financial planners and tax advisors, the audience really engaged with the subject. As happens at conferences the world over, people often come up to speakers to ask follow-up questions, or just give their feedback about points made during the presentation. This time, it struck me how many of them said they had been scared by what they heard during my talk."<br />
<a href="https://www.helpnetsecurity.com/2026/07/01/raising-cybersecurity-awareness-for-non-experts/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/07/01/raising-cybersecurity-awareness-for-non-experts/</a></li>
<li><strong>This Supercomputer Encrypts Your Data Even While It’s Running It</strong><br />
"Most people who handle sensitive data already encrypt it in two places. They lock it down when it sits on a hard drive, and they lock it down when it moves across a network. There has always been a third moment that stayed open. The instant a computer pulls that data into memory to work on it, the protection drops away. For a few seconds or a few hours, the information sits in the open, readable by anyone with deep enough access to the machine. A research team at the University of Cologne built a supercomputer that closes that gap. The system is called RAMSES, and it keeps data scrambled even during the moment of processing."<br />
<a href="https://www.helpnetsecurity.com/2026/07/01/confidential-computing-hpc-research/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/07/01/confidential-computing-hpc-research/</a><br />
<a href="https://arxiv.org/pdf/2606.27919" target="_blank" rel="noopener noreferrer nofollow ugc">https://arxiv.org/pdf/2606.27919</a></li>
<li><strong>AI-Generated Code Risks Reach Security, Legal, And Compliance Teams</strong><br />
"Most engineering organizations write code with AI, and a good number of them keep that code away from customers. A Flux survey of engineering leaders and practitioners found that nearly half run AI-generated code in production. Almost every company in the sample uses AI somewhere in development, with under 5% reporting no plans to adopt it within a year. Teams reach for AI on repetitive work first. It writes documentation, fills out unit tests, and handles simple functions, the kind of tasks where a mistake stays small and easy to catch. Adoption thins out as the stakes rise."<br />
<a href="https://www.helpnetsecurity.com/2026/07/01/ai-generated-code-risks-security/" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.helpnetsecurity.com/2026/07/01/ai-generated-code-risks-security/</a></li>
<li><strong>The Near Real-Time Patching Era Has Arrived</strong><br />
"Cybersecurity teams need to prepare now for a forthcoming onslaught of vulnerabilities that will need to be remediated much faster than ever before. The number of vulnerabilities being discovered and reported has already been steadily increasing over the last few months. However, with further advances in artificial intelligence (AI), most notably in the form of Mythos and ChatGPT 5.6 models from Anthropic and OpenAI, the overall number of vulnerabilities is only going to increase. Right now, however, not all the vulnerabilities being remediated lately have actually been formally reported, so limited access to the latest AI models might be working in favor of cybersecurity teams."<br />
<a href="https://blog.barracuda.com/2026/06/30/near-real-time-patching-ai-application-security" target="_blank" rel="noopener noreferrer nofollow ugc">https://blog.barracuda.com/2026/06/30/near-real-time-patching-ai-application-security</a></li>
<li><strong>The Platform You Trust Is The Platform They Target</strong><br />
"Cofense Intelligence is observing a clear shift in phishing operations: threat actors are moving beyond broad, one-size-fits-all campaigns and adopting platform-aware delivery that adapts to the victim’s device, browser, and environment. What began as simple Windows-focused malware distribution campaigns has evolved into more sophisticated campaigns that can selectively deliver credential phishing, remote access tools, or malware across Windows, MacOS, and Android. This trend reflects a broader strategic change in the threat landscape, one that is designed to increase the likelihood of compromise, expand target coverage, and improve threat actor return on investment."<br />
<a href="https://cofense.com/blog/the-platform-you-trust-is-the-platform-they-target" target="_blank" rel="noopener noreferrer nofollow ugc">https://cofense.com/blog/the-platform-you-trust-is-the-platform-they-target</a><br />
<a href="https://www.darkreading.com/application-security/phishing-campaigns-auto-adapt-victims-device-os" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.darkreading.com/application-security/phishing-campaigns-auto-adapt-victims-device-os</a></li>
<li><strong>OpenClaw: Risks For The Users And How To Mitigate Them</strong><br />
"OpenClaw, which was previously known as Clawdbot and Moltbot, is today one of the most successful and fast‑growing ecosystems for AI agents, recognized worldwide. The project quickly became popular with users because of its flexibility and ability to solve fairly complex tasks that previously required a lot of time for automation and execution. A dedicated marketplace appeared quickly after the project started gaining traction, where developers and users began publishing tools that integrate with OpenClaw. Currently, employees all over the world use OpenClaw to automate their tasks, often unaware of risks this practice introduces to them and their employers."<br />
<a href="https://securelist.com/openclaw-security/120484/" target="_blank" rel="noopener noreferrer nofollow ugc">https://securelist.com/openclaw-security/120484/</a></li>
<li><strong>Alleged Member Of Criminal Cyber Hacking Group “Scattered Spider” Arrested In Finland And Extradited To The United States</strong><br />
"An alleged member of the criminal cyber hacking group Scattered Spider has been arrested in Finland and extradited to the United States to face federal criminal conspiracy charges in the Northern District of Illinois. A criminal complaint unsealed Tuesday charges Peter Stokes, 19, a dual citizen of the United States and Estonia, with conspiracy, computer intrusion, and fraud. Stokes was arrested by Finnish authorities in April pursuant to an Interpol Red Notice and extradited to the United States last week. He made an initial appearance on Tuesday in federal court in Chicago and was ordered to remain in law enforcement custody."<br />
<a href="https://www.justice.gov/opa/pr/alleged-member-criminal-cyber-hacking-group-scattered-spider-arrested-finland-and-extradited" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.justice.gov/opa/pr/alleged-member-criminal-cyber-hacking-group-scattered-spider-arrested-finland-and-extradited</a><br />
<a href="https://thehackernews.com/2026/07/19-year-old-scattered-spider-suspect.html" target="_blank" rel="noopener noreferrer nofollow ugc">https://thehackernews.com/2026/07/19-year-old-scattered-spider-suspect.html</a><br />
<a href="https://therecord.media/teen-suspect-in-scattered-spider-hacks-extradited-to-us" target="_blank" rel="noopener noreferrer nofollow ugc">https://therecord.media/teen-suspect-in-scattered-spider-hacks-extradited-to-us</a></li>
<li><strong>Huntress CEO Says Threat Hunter Used 'poor Judgment' In Alerting Ransomware Crim About Law Enforcement Probe</strong><br />
"Huntress CEO Kyle Hanslovan said he is aware of “questionable, long-term threat actor communications” between a threat hunter who is still employed with the security firm and a cybercriminal, and called this “poor judgment.” “In one particular exchange, our current teammate disclosed to a threat actor that law enforcement had reached out to them about the threat actor,” Hanslovan said in a blog post, addressing a former employee’s accusations that the current Huntress analyst is an insider threat to the company. “While this disclosure was not illegal, it reflected poor judgment,” he wrote."<br />
<a href="https://www.theregister.com/security/2026/06/30/huntress-ceo-says-threat-hunter-used-poor-judgment-in-alerting-ransomware-crim-about-law-enforcement-probe/5264532" target="_blank" rel="noopener noreferrer nofollow ugc">https://www.theregister.com/security/2026/06/30/huntress-ceo-says-threat-hunter-used-poor-judgment-in-alerting-ransomware-crim-about-law-enforcement-probe/5264532</a></li>
</ul>
<p dir="auto"><strong>Reference</strong></p>
<p dir="auto">Electronic Transactions Development Agency (ETDA) <img src="/assets/uploads/files/1782976288313-14bace64-e6e7-44bf-be79-24a751021c1c-image.png" alt="14bace64-e6e7-44bf-be79-24a751021c1c-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://webboard-nsoc.ncsa.or.th/topic/3049/etda-cyber-threat-intelligence-02-july-2026</link><generator>RSS for Node</generator><lastBuildDate>Thu, 02 Jul 2026 11:30:14 GMT</lastBuildDate><atom:link href="https://webboard-nsoc.ncsa.or.th/topic/3049.rss" rel="self" type="application/rss+xml"/><pubDate>Thu, 02 Jul 2026 07:11:37 GMT</pubDate><ttl>60</ttl></channel></rss>