Back to Feed
Threat IntelligenceJun 29, 2026

⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More

Weekly recap covers Linux kernel flaw DirtyClone, PTC Windchill RCE, OpenAI GPT models for security, Gaslight macOS

Summary

This week's security roundup highlights critical vulnerabilities including DirtyClone (CVE-2026-43503), a Linux kernel flaw allowing local privilege escalation in multi-tenant and containerized environments, and CVE-2026-12569 affecting PTC Windchill/FlexPLM with active exploitation. OpenAI unveiled GPT-5.6 models (Sol, Terra, Luna) for cybersecurity with dual-use concerns, while researchers discovered Gaslight, a macOS malware that uses prompt injection to evade AI-powered analysis tools.

Full text

⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Ravie LakshmananJun 29, 2026Cybersecurity / Hacking This week was a reminder that attackers do not always need big tricks. One small mistake, one old access path, one missed patch, and suddenly the door is open. The noise is not all noise, either. Forums are talking, researchers are finding easy cracks, and defenders have more cleanup waiting. Here’s the full Monday recap. ⚡ Threat of the Week New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets — Cybersecurity researchers detailed a new variant of the Dirty Frag Linux kernel flaw. Called DirtyClone (aka CVE-2026-43503), it allows local users to gain root privileges via cloned packets. The exploit works successfully on Debian, Ubuntu, and Fedora systems with default namespace configurations. "Any local user on a server or device running a vulnerable kernel who holds or can acquire the CAP_NET_ADMIN capability (frequently obtainable via unprivileged user namespaces) [is exploitable]," JFrog said. "This poses the highest risk to multi-tenant cloud environments, Kubernetes clusters, and containerized workloads where user namespaces are enabled, or privileged containers are deployed." Building Securely with AI: Takeaways from Chainguard Innovation Week Reactive network operations slow teams down and increase business risk. Join Tines and Netskope to discover a practical five-step framework for improving visibility, accelerating response, and creating secure, reliable operations across modern hybrid environments. Explore Innovation Week ➝ 🔔 Top News Critical PTC Windchill PDMlink and PTC FlexPLM Flaw Exploited — A critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software has come under active exploitation in the wild to deploy JSP web shells on susceptible systems. The vulnerability, tracked as CVE-2026-12569, is a case of improper input validation that could allow an attacker to execute arbitrary code by sending a malicious request to the network. Patches for the vulnerability have been released. OpenAI Previews GPT-5.6 Sol, Terra, and Luna — OpenAI officially unveiled GPT-5.6 Sol, Terra, and Luna, with Sol described as the most capable model yet for cybersecurity. The models are being released in a staggered manner with approval from the U.S. government. The release came days after the company released an improved version of its GPT‑5.5‑Cyber model to trusted defenders as part of the Daybreak initiative and launched a new project called Patch the Planet in collaboration with Trail of Bits to help secure open-source projects. OpenAI has also warned about the dual-use nature of the technology, acknowledging that the same capability that helps a red teamer find a zero-day can also assist a bad actor in exploiting one, and that it will prioritize patching jailbreak techniques against the model. In addition, it has framed the effort as getting the tools in the hands of more defenders before attackers gain the same edge. Much of the concern surrounding the frontier models stems from the fact that artificial intelligence can now identify existing bugs within codebases and work towards creating exploits for them. While the automation of cybercrime is not new, these tools undoubtedly have the potential to further lower the barrier to entry for bad actors. New Gaslight macOS Malware Discovered — A newly discovered macOS malware dubbed Gaslight is designed to confuse AI-assisted malware analysis tools through embedded prompt injection strings and fake debugging data within the executable. With cybersecurity researchers using AI-powered tools to assist with malware analysis and reverse engineering, the malware attempts to gaslight such tools into thinking there is some issue, potentially causing them to abort, truncate, or refuse an analysis of the artifact. Gaslight has been attributed with high confidence to a North Korean-linked threat actor. The malware itself is a Rust binary with backdoor and information-stealing functionality, enabling the operator to gain a persistent foothold over the infected host. The findings highlight how threat actors are experimenting with anti-analysis methods designed specifically to bypass AI-assisted security platforms. Turla Uses STOCKSTAY Backdoor in Ukraine Attacks — The Russian state-sponsored threat actor known as Turla has leveraged a previously undocumented .NET backdoor called STOCKSTAY in attacks targeting government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy. STOCKSTAY shares significant code and functional overlaps with Kazuar, a staple implant put to use by the adversary since 2017. Suspected development activity of malware dates back to December 2022. Amadey, StealC Malware Operations Disrupted in Operation Endgame — A coordinated law enforcement operation, in partnership with private sector companies, dismantled criminal infrastructure powering Amadey and StealC. According to Europol, the operation led to the disruption of 326 servers and 142 domains, the identification of more than €41 million ($47 million) in cryptocurrency linked to criminal activity, and the recovery of approximately 27 million credentials stolen from over 385k compromised systems. Amadey and StealC are sold to cybercriminals under a malware-as-a-service (MaaS) model. Microsoft said criminals use Amadey to gain an initial foothold on victim devices to deploy additional malware, such as StealC, which then steals credentials, cryptocurrency wallets, and other sensitive information that can later be sold or leveraged in follow-on attacks. The two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone. That said, no arrests were announced as part of the operation. ‎️‍🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-47729 aka Squidbleed (Squid), CVE-2026-12957 (Amazon Q Developer), CVE-2026-12569 (PTC Windchill PDMlink and PTC FlexPLM), CVE-2026-43503 aka DirtyClone, CVE-2026-46331 aka pedit COW (Linux Kernel), CVE-2026-30040, CVE-2026-30041 (FastStone Image Viewer), CVE-2026-45585 (Microsoft WinRE), CVE-2026-8461 aka PixelSmash (FFmpeg), CVE-2026-55200 (libssh2), CVE‑2026‑20971 (Samsung KNOX kernel), CVE-2026-10086, CVE-2026-10712, CVE-2026-12053 (GitLab CE and EE), CVE-2026-13028, CVE-2026-13032, CVE-2026-13033, CVE-2026-13038 (Google Chrome), CVE-2026-53605 (Reachy Mini Wireless image), CVE-2026-13136, CVE-2025-15660, CVE-2026-13135 (Synology MailPlus Server), CVE-2026-11374 (ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus and ADAudit Plus), and a critical Infoblox NIOS privilege escalation vulnerability (no CVE). 🎥 Cybersecurity Webinars Stop AI-Driven Cyberattacks Before They Stop Your Business → Hackers are now using AI to launch cyberattacks at machine speed. If your defenses are built for human-speed threats, you are at risk. Join this webinar to get a step-by-step blueprint to fight back. Learn exactly how to block AI-driven attacks and protect your company before a crisis hits. When AI Goes Rogue: How to Secure the New Cyber Attack Surface → As companies rush to adopt AI, hackers are turning these tools into a massive liability by hijacking AI agents and leaking trade secrets. Join this urgent webinar to see exactly how attackers weaponize AI against businesses. You'll get a practical blueprint to lock down your setups, fix risky configurations, and stop your own tech from going rogue. Building at Machine Speed: How to Secure AI Software Delivery → AI tools are generating code faster t

Indicators of Compromise

  • cve — CVE-2026-43503
  • cve — CVE-2026-12569
  • malware — DirtyClone
  • malware — Gaslight

Entities

Linux Kernel (product)PTC Windchill PDMlink (product)PTC FlexPLM (product)GPT-5.6 Sol (product)OpenAI (vendor)PTC (vendor)