Weekly review

ThreatNoir Afternoon Brief — June 29

2026-06-29Afternoon4 articles
Audio
Listen to the episode

Afternoon Review in IT Security — June 29, 2026

The cybersecurity landscape continues to evolve with significant threats emerging across multiple vectors. Today's review highlights persistent nation-state activity targeting Ukraine, critical kernel vulnerabilities affecting Linux systems, ransomware-as-a-service operations, and a dangerous SSH library flaw now publicly exploitable.

Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse

Russian advanced persistent threat group Gamaredon has significantly escalated its cyber operations against Ukraine throughout 2025 with an expanding malware arsenal and sophisticated attack techniques. Slovakian cybersecurity company ESET documented 35 distinct spear-phishing campaigns mounted by the group against new targets, with the majority occurring in the second half of the year. The threat actor has developed multiple new malware variants including PteroCache, PteroDee, PteroDum, PteroEffigy, PteroLNK, PteroOdd, PteroPaste, PteroSetup, and others as part of its ongoing campaign infrastructure.

The group has demonstrated a particular affinity for abusing legitimate cloud services and file-sharing platforms to host command and control infrastructure and exfiltrate data. Observed domains include Dropbox, Gofile, Mastodon Social, Nopaste, Paste.ee, Telegra.ph, and Wasabisys. The campaign also exploits CVE-2025-8088, indicating the group's continued reliance on known vulnerabilities to establish initial access. Source: The Hacker News

DirtyClone Linux Kernel Vulnerability Leads to Root Access

A critical Linux kernel vulnerability designated DirtyClone has emerged as a significant privilege escalation threat affecting systems across the Linux ecosystem. The flaw represents a variant of the previously disclosed DirtyFrag vulnerability and permits unprivileged local users to manipulate the Linux page cache in ways that grant root-level access to compromised systems. Multiple related CVEs have been assigned to this vulnerability family, including CVE-2026-43284, CVE-2026-43500, CVE-2026-43503, and CVE-2026-46300.

The vulnerability's severity lies in its ability to be exploited by any unprivileged user with local system access, requiring no special credentials or elevated privileges to initiate the attack. Organizations running vulnerable Linux kernels should prioritize patching efforts to prevent unauthorized privilege escalation. Source: SecurityWeek

The Gentlemen Ransomware-as-a-Service Group Escalates Operations

Kaspersky researchers have analyzed recent incidents involving The Gentlemen ransomware-as-a-service group and uncovered evolving tactics, custom backdoor tools, and a newly discovered ransomware variant. The group demonstrates sophisticated operational security practices and leverages both commercial and custom-developed tools to compromise target networks. Tools associated with the group include Advanced IP Scanner, NetScan, SharpADWS, and proprietary backdoor implants.

The Gentlemen group has been observed exploiting vulnerabilities in VPN and firewall appliances to establish initial network access, subsequently deploying custom backdoors for persistent access and lateral movement. The discovery of new ransomware variants indicates the group continues to refine its attack capabilities and monetization strategies. Source: Securelist

Public Proof-of-Concept Released for Critical libssh2 SSH Vulnerability

A critical vulnerability in the libssh2 SSH client library has transitioned from theoretical threat to active exploitation risk following the public release of a proof-of-concept exploit. CVE-2026-55200 affects all libssh2 releases up to and including version 1.11.1 and carries a CVSS score of 9.2, indicating critical severity. The vulnerability allows a malicious or compromised SSH server to trigger memory corruption on connecting clients, potentially enabling arbitrary code execution without requiring user credentials or interaction.

The client-side nature of this vulnerability means that any system using libssh2 to connect to SSH servers faces exposure if those servers are compromised or malicious. The availability of public exploit code significantly increases the risk of widespread exploitation. Organizations should prioritize updating libssh2 to patched versions and consider implementing network-level controls to restrict SSH connections to trusted servers. Related CVEs in the libssh2 ecosystem include CVE-2019-3855, CVE-2025-15661, and CVE-2026-55199. Source: The Hacker News


The convergence of nation-state operations, kernel-level vulnerabilities, ransomware-as-a-service activities, and publicly exploitable library flaws underscores the multifaceted threat environment facing organizations today. Immediate patching, threat intelligence integration, and enhanced monitoring capabilities remain essential defensive priorities.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse
CVE1
Malware9
  • PteroDee
    New PowerShell tool for fetching/executing payloads
  • PteroCache
    New PowerShell tool for fetching/executing payloads
  • PteroDum
    New PowerShell tool for fetching VBScript payloads
  • PteroOdd
    New PowerShell tool using Telegra.ph API
  • PteroEffigy
    New PowerShell tool fetching C2 via GoFile
  • PteroSand
    Payload dropped by HTA downloaders
  • PteroLNK
    Weaponizer used for lateral movement via USB/network drives
  • PteroPaste
    Weaponizer used for USB drives and downloading payloads
  • PteroSetup
    VBScript weaponizer replacing legitimate installers
Domain8
  • wasabisys.com
    Legitimate service used for data exfiltration and C2 resolution
  • telegra.ph
    Legitimate service used for data exfiltration and C2 resolution
  • gofile.io
    Cloud storage service used for C2 communication
  • dropbox.com
    Legitimate service used for data exfiltration and C2 resolution
  • dev.to
    Legitimate service used for data exfiltration and C2 resolution
  • mastodon.social
    Legitimate service used for data exfiltration and C2 resolution
  • nopaste.net
    Legitimate service used for data exfiltration and C2 resolution
  • paste.ee
    Legitimate service used for data exfiltration and C2 resolution
The Gentlemen are knocking: сustom backdoors and evolving tactics
Malware4
  • SharpADWS
    Custom reconnaissance tool used to gather Active Directory information via LDAP/SOAP queries
  • NetScan
    Network scanning tool used for reconnaissance and vulnerability discovery
  • Advanced IP Scanner
    Network reconnaissance tool used to identify active ports, services, and vulnerabilities
  • The Gentlemen
    RaaS group operating custom Go and C-based ransomware variants