Weekly review

ThreatNoir Weekend Brief — June 27

2026-06-27Morning8 articles
Audio
Listen to the episode

Morning Review in IT Security — June 27, 2026

The threat landscape continues to intensify as adversaries target both consumer communication platforms and critical infrastructure systems. Today's briefing covers Russian intelligence operations against encrypted messaging, urgent patching deadlines for telecommunications equipment, and a sprawling supply-chain attack affecting developer infrastructure across multiple waves.

FBI: Russian Hackers Now Target Signal Backup Recovery Keys

The FBI and CISA have issued a joint warning regarding an evolving phishing campaign attributed to Russian intelligence services. The threat actors have escalated their tactics to specifically target Signal Backup Recovery Keys, which would allow attackers to access victims' historical encrypted messages if successfully obtained. This represents a significant shift from earlier phishing attempts, as the recovery keys provide a direct pathway to message content that would otherwise remain protected by Signal's end-to-end encryption. Source: FBI: Russian hackers now target Signal backup recovery keys

The campaign demonstrates a sophisticated understanding of Signal's architecture and the critical role backup recovery keys play in account recovery and message access. Organizations and individuals using Signal for sensitive communications should treat any unsolicited requests for backup recovery keys as potential social engineering attempts and implement additional verification procedures before sharing such credentials.

CISA Sets Urgent Deadline to Fix Cisco Flaw Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency has mandated that federal agencies patch a critical vulnerability in Cisco Unified Communications Manager Server by Sunday. The flaw is currently being actively exploited in the wild, creating an immediate risk to government systems and critical infrastructure. Source: CISA sets urgent deadline to fix Cisco flaw exploited in attacks

The compressed timeline reflects the severity of the vulnerability and the active threat posed by threat actors already leveraging the flaw. Federal agencies operating Cisco Unified Communications Manager infrastructure should prioritize patching efforts and verify successful remediation before the deadline to prevent unauthorized access to communications systems.

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

Kaspersky researchers have identified a previously undocumented malware family called SharkLoader that functions as a loader for deploying Cobalt Strike Beacon on compromised systems. The campaign, tracked under the name StrikeShark, has targeted a diplomatic organization in Indonesia and government organizations in Taiwan, indicating a focus on high-value political and governmental targets. Source: New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks

The SharkLoader malware leverages a chain of known vulnerabilities across multiple products including Microsoft Exchange, Cisco systems, and other enterprise software to establish initial access. Once deployed, Cobalt Strike Beacon provides threat actors with command-and-control capabilities and lateral movement tools, enabling further compromise of targeted networks. Organizations in the diplomatic and government sectors should review their patch management practices and monitor for indicators of compromise related to this campaign.

Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

Socket Threat Research has identified a new wave of the ongoing Miasma Mini Shai-Hulud supply-chain attack campaign targeting legitimate npm packages published under the @immobiliarelabs scope. The compromised packages include Backstage plugins for GitLab integration and LDAP authentication, which were maliciously republished on June 26, 2026. Multiple historical versions across both the GitLab and LDAP authentication plugin families were republished with malicious artifacts in a coordinated automated wave designed to maximize exposure. Source: Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

The malicious packages employ sophisticated obfuscation techniques including root-level index.js files that decrypt and execute hidden payloads using Caesar-shift encoding and AES-128-GCM decryption. The payloads execute under Bun and steal developer and CI/CD secrets including npm tokens, GitHub credentials, cloud authentication material, SSH keys, Docker credentials, and Kubernetes configurations. The attack chain includes evidence of compromise through the codfish/semantic-release-action GitHub Action, which was itself compromised on June 24, 2026. The attacker leveraged GitHub Actions deployment-triggered workflows to execute malicious code and publish poisoned package versions. Organizations that installed any affected @immobiliarelabs package version should treat their development environments as compromised and rotate all exposed credentials from clean machines. Recommended response includes identifying all affected systems, removing compromised versions, rotating credentials across all cloud and authentication systems, auditing GitHub Actions workflows for injected steps, and restricting GitHub Actions to immutable commit SHAs with minimal permissions.

Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

A Chinese-speaking advanced persistent threat actor tracked as CL-STA-1062 has deployed a custom backdoor called TinyRCT against government entities and critical infrastructure in Southeast Asia. The campaign specifically targets state-owned enterprises in the energy and government sectors, indicating a focus on strategic national assets. Source: Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign

The TinyRCT backdoor provides remote code execution and command-and-control capabilities to threat actors, enabling persistent access to compromised systems. The infrastructure associated with the campaign includes IP addresses 139.180.134.221 and 45.32.113.172. Government and energy sector organizations in Southeast Asia should implement enhanced network monitoring, review access logs for suspicious command execution, and verify the integrity of critical systems against known indicators of compromise.

Woodgnat Hackers Use Mistic RAT to Broker Access for Ransomware Gangs

Woodgnat hackers are leveraging Backdoor.Mistic, a stealthy remote access trojan, to compromise corporate networks and broker access to ransomware gangs. This access-as-a-service model creates a two-stage attack pattern where initial compromise is followed by sale of network access to ransomware operators. Source: Woodgnat Hackers Use Mistic RAT to Broker Access for Ransomware Gangs

The Mistic RAT operates alongside related malware families including MLTBackdoor and ModeloRAT, providing flexibility in attack execution and persistence mechanisms. Organizations should monitor for signs of initial compromise including unusual outbound connections, suspicious process execution, and lateral movement activity that could indicate Mistic RAT deployment or reconnaissance by access brokers.

Polymarket Customers Lose $3 Million in Supply-Chain Attack

Polymarket has announced that customers lost approximately $3 million following a supply-chain attack in which threat actors injected malicious JavaScript into the platform's frontend. The compromise occurred at a third-party vendor whose code was integrated into Polymarket's web interface, allowing attackers to intercept user interactions and steal funds. Source: Polymarket customers lose $3 million in supply-chain attack

Polymarket has committed to fully reimbursing affected customers for losses resulting from the JavaScript injection attack. This incident underscores the critical importance of supply-chain security in web-based financial platforms and the need for rigorous third-party vendor assessment and runtime monitoring of frontend code.

Cybersecurity Firms Targeted by Fraudulent OpenAI Organization Invites

Threat actors are creating counterfeit OpenAI tenant organizations that impersonate legitimate companies and sending invitations to employees at cybersecurity firms. The fraudulent invites attempt to trick recipients into joining fake OpenAI workspaces where they may submit sensitive company information through chat and project features. Source: Cybersecurity firms targeted by fraudulent OpenAI organization invites

The attack leverages the trust employees place in AI platform communications and the legitimate business use of OpenAI services to lower recipient defenses. Employees should verify the authenticity of OpenAI organization invitations through official OpenAI channels before accepting, avoid sharing sensitive company information in unfamiliar workspaces, and report suspicious invitations to their security teams.

The morning's threat intelligence indicates sustained pressure across multiple attack vectors, from nation-state operations targeting diplomatic and government infrastructure to financially motivated campaigns exploiting supply-chain trust relationships. Organizations should prioritize patch management for known exploited vulnerabilities, implement enhanced monitoring of development infrastructure and third-party integrations, and maintain heightened awareness of social engineering attempts leveraging legitimate platform communications.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
CVE13
Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages
Malware2
  • Phantom Gyp
    Technique using binding.gyp and node-gyp for install-time code execution
  • Miasma Mini Shai-Hulud
    Supply chain attack campaign targeting npm and Go ecosystems
SHA-2563
  • ef641e956f91…
    binding.gyp file used across all 22 malicious packages
  • dfcdec5f43cc…
    @immobiliarelabs/backstage-plugin-gitlab@1.0.1 tarball
  • 1e7b04a9a4a2…
    @immobiliarelabs/backstage-plugin-gitlab@1.0.1 index.js