Weekly review

ThreatNoir Afternoon Brief — June 26

2026-06-26Afternoon4 articles
Audio
Listen to the episode

Afternoon Review in IT Security — June 26, 2026

The threat landscape continues to evolve across multiple vectors on June 26, 2026, with supply chain attacks intensifying, forensic tool misuse emerging in geopolitical contexts, industrial systems facing active exploitation, and hospitality organizations becoming targets of sophisticated phishing campaigns.

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Cybersecurity researchers have identified a new wave of supply chain attacks linked to the Mini Shai-Hulud, Miasma, and Hades malware family. The latest activity demonstrates the threat actors' expanding reach, with malicious npm releases affecting LeoPlatform and RStreams packages while simultaneously propagating to the Go ecosystem. The attackers have also abused GitHub Actions workflows as part of their distribution strategy, highlighting the vulnerability of development infrastructure to compromise. Source: Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff

Research published by the Citizen Lab on June 25 reveals that Russian authorities deployed Cellebrite's UFED forensic tools against the iPhone of detained opposition activist Andrey Pivovarov in June 2021. This discovery is particularly significant because it occurred three months after Cellebrite announced it would cease selling its tools and services to Russia and Belarus. The evidence comes from forensic traces found on the device itself combined with official Russian documentation, demonstrating that the sales cutoff did not prevent continued use of the technology. Source: Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff

First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild

CISA has added the remote code execution vulnerability CVE-2026-12569 affecting PTC Windchill to its Known Exploited Vulnerabilities catalog, marking the first documented exploitation of this flaw in active attacks. This development underscores the urgency for organizations relying on industrial and product lifecycle management software to prioritize patching efforts. The vulnerability's exploitation in the wild represents a significant risk to manufacturing and engineering environments. Source: First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild

Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant

Microsoft has disclosed an active phishing campaign that has been targeting hotel and hospitality organizations across Europe and Asia since April 2026. The campaign employs photo-themed ZIP files as lures to deliver a Node.js implant designed to compromise front-desk systems and establish persistence within hotel networks. While the threat actors remain unattributed and their ultimate objectives unclear, the campaign demonstrates a sophisticated understanding of hospitality operations and supply chain vulnerabilities. Source: Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant

The convergence of these threats—from developer ecosystem poisoning to industrial system exploitation to targeted hospitality attacks—reinforces the critical importance of defense-in-depth strategies across all organizational layers and sectors.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant
MITRE ATT&CK9
  • Signed Binary Proxy Execution: Rundll32 (implied by LNK execution).
  • Non-standard Port for C2 communication.
  • Ingress Tool Transfer (downloading implant).
  • File Deletion (implied by cleanup difficulty).
  • Registry Run Keys / Startup Folder for persistence.
  • PowerShell used to decode URL and download payload.
  • Deobfuscate/decode files or information.
  • Encrypted WebSocket channel for C2.
  • Web Protocols (HTTP/HTTPS) used for C2 communication.
Malware1
  • TonRAT
    Name of the Node.js implant used in the campaign.
IP Address7
  • 8443
    Non-standard port used for C2 communication by the TonRAT implant.
  • 8445
    Non-standard port used for C2 communication by the TonRAT implant.
  • 8453
    Non-standard port used for C2 communication by the TonRAT implant.
  • 5555
    Non-standard port used for C2 communication by the TonRAT implant.
  • 56001
    Non-standard port used for C2 communication by the TonRAT implant.
  • 56002
    Non-standard port used for C2 communication by the TonRAT implant.
  • 56003
    Non-standard port used for C2 communication by the TonRAT implant.