- PCAP Deep Analysis ToolkitPython-based toolkit for extracting credentials and hashes from PCAP files
- FortigateSnifferGolang-based tool used for credential harvesting
- SNIFTRANComponent used to reconstruct captured traffic into PCAP files
ThreatNoir Morning Brief — June 23
Morning Review in IT Security — June 23, 2026
The threat landscape continues to evolve with sophisticated supply chain attacks, credential harvesting campaigns, and critical vulnerabilities in widely deployed software. Today's security briefing covers four significant incidents affecting enterprise infrastructure, content management systems, messaging platforms, and media processing tools.
FortiBleed Campaign Used Custom FortiGate Sniffer to Steal Credentials
Security firm SOCRadar has disclosed details of the large-scale FortiBleed campaign targeting Fortinet FortiGate devices through custom-built sniffers designed to harvest authentication secrets from compromised firewalls. The attackers leveraged diagnostic features within FortiGate appliances to extract credentials at scale, demonstrating a sophisticated understanding of the target infrastructure. The campaign identified three distinct malware variants: FortigateSniffer, PCAP Deep Analysis Toolkit, and SNIFTRAN. Source: Bleeping Computer
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
Multiple WordPress plugins from ShapedPlugin fell victim to a supply chain attack when threat actors compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases. The attackers gained access to official licensed update channels, allowing them to distribute compromised versions to legitimate users. The incident involves CVE-2026-10735 and CVE-2026-49777, with indicators of compromise including the domain account.shapedplugin.com and IP address 194.76.217.28. Source: The Hacker News
WhatsApp Phishing Attack Uses Fake Business Documents to Hack PCs
An ongoing malware campaign is targeting WhatsApp users across multiple countries with deceptive messages containing fake business documents that distribute VBScript files. Once executed, these scripts provide remote system access to attackers, with the campaign leveraging both Gh0st RAT and ValleyRAT for post-exploitation activities. The attack demonstrates the continued effectiveness of social engineering tactics delivered through trusted communication platforms. Source: Bleeping Computer
FFmpeg Fixes PixelSmash Flaw in Widely Used Video Decoder
FFmpeg has addressed a critical vulnerability dubbed PixelSmash that could enable remote code execution on Jellyfin servers and trigger denial-of-service conditions across multiple applications. The flaw, tracked as CVE-2026-8461, affects widely deployed media software including Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The vulnerability can be exploited through maliciously crafted video files, presenting a significant risk to organizations relying on these platforms for content delivery and media processing. Source: Bleeping Computer
Organizations should prioritize patching the FFmpeg vulnerability, securing FortiGate devices against credential harvesting, reviewing WordPress plugin integrity, and implementing email and messaging security controls to defend against phishing campaigns leveraging social engineering tactics.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- Product Slider Pro for WooCommerce supply chain compromise, CVSS 10.0
- Entire ShapedPlugin incident, CVSS 9.8
194.76.217.28C2 server receiving loader callback and hosting remote payloads
account.shapedplugin.comLegitimate vendor EDD infrastructure distributing compromised Pro plugin versions
- Gh0st RATPotential overlap with past threat actor activity.
- VBScriptMalicious script used in the phishing campaign.
- ValleyRATPotential overlap with past threat actor activity.
- PixelSmash vulnerability in FFmpeg's MagicYUV decoder