Weekly review

ThreatNoir Morning Brief — June 25

2026-06-25Morning4 articles
Audio
Listen to the episode

Morning Review in IT Security — June 25, 2026

The cybersecurity landscape continues to face significant threats as critical vulnerabilities are actively exploited in the wild, law enforcement achieves major wins against malware networks, and new threat actors emerge targeting sensitive sectors. Today's review covers developments ranging from zero-day attacks on networking infrastructure to coordinated takedowns of credential-stealing malware operations.

Mandiant Reveals How Cisco SD-WAN Zero-Day Attacks Gained Root Access

Security researchers at Mandiant have disclosed technical details on how threat actors exploited a critical vulnerability in Cisco Catalyst SD-WAN devices to achieve root access on targeted systems. The vulnerability, tracked as CVE-2026-20245, was leveraged in zero-day attacks to create rogue root accounts through command injection techniques. The attack chain demonstrates how nation-state actors are targeting essential networking infrastructure to establish persistent access within organizational environments. Source: Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

A coordinated international law enforcement operation has successfully dismantled the criminal infrastructure supporting Amadey and StealC malware campaigns, resulting in the recovery of approximately 27 million stolen credentials. The operation involved collaboration between Europol and private sector partners including Bitdefender, Bitsight, ESET, and Microsoft, targeting the malware distribution networks that cybercriminals use to launch ransomware attacks, commit financial fraud, and compromise critical infrastructure. The takedown disrupted the operational capability of these malware families and their associated distribution mechanisms. Source: Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

New GhostShell Hacking Group Targets Ukraine's Drone Defense Sector

A newly identified threat actor group known as GhostShell has launched targeted campaigns against Ukrainian defense organizations involved in drone development and operations. The group employs spear-phishing tactics using fake drone-related documents to deceive defense personnel into compromising their credentials and sensitive data. The campaign leverages the Vidar v2 infostealer malware to exfiltrate passwords and classified information from targeted systems. Source: New GhostShell Hacking Group Targets Ukraine's Drone Defense Sector

CISA Warns of Max Severity Ubiquiti Flaws Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency has issued warnings regarding active exploitation of critical vulnerabilities affecting Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers. Multiple maximum severity flaws tracked as CVE-2025-67038, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 are being actively exploited by threat actors in the wild. CISA has mandated that organizations patch these vulnerabilities within three days to prevent unauthorized access to network infrastructure and connected devices. Source: CISA warns of max severity Ubiquiti flaws exploited in attacks

Organizations should prioritize patching critical infrastructure vulnerabilities, maintain vigilance against targeted phishing campaigns, and monitor for indicators of compromise associated with these active threat campaigns.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
Malware5
  • SmokeLoader
    Loader malware known to propagate Amadey.
  • Amadey
    Malware family disrupted in the operation, functioning as a loader for next-stage malware.
  • StealC
    Malware family disrupted in the operation, equipped to extract sensitive information.
  • SocGholish
    Malware family whose malicious infrastructure was also disrupted shortly before this operation.
  • Emmenhtal
    Loader malware known to propagate Amadey.