Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩 REF6045 Mexican Banking Fraud Operation Deploys SCMBANKER PowerShell Toolkit Via ClickFix Lures to Facilitate Operator-Assisted Account Takeover and Payment Redirection.
Elastic Security Labs disclosed an active banking fraud operation tracked as REF6045 targeting customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges. The operation delivers SCMBANKER, a PowerShell toolkit with components dating to at least October 2025, via fake CAPTCHA pages that trick victims into running a single command. The toolkit is heavily AI-generated, with the operator using large language models to write most functional components and applying light manual obfuscation. REF6045 demonstrates moderate operational security failures including exposed directories, leaked web-root archives, and unauthenticated configuration editors. Exploitation is confirmed in the wild with active victims tracked on operator dashboards.
The attack chain begins with ClickFix fake verification pages presenting Spanish-language CAPTCHA challenges before instructing victims to run a curl command that downloads and pipes a batch script into cmd.exe. The batch script displays a fake Windows Update screen via Microsoft Edge in kiosk mode while performing UAC privilege escalation, confining the mouse cursor to a 1×1 pixel rectangle, and downloading SCMBANKER toolkit components via bitsadmin to C:\Users\Public. Once installed and persisted via Registry Run keys and startup folders, the toolkit enables operator-assisted fraud including banking session monitoring, screenshot capture, vishing overlay deployment, browser redirection to phishing pages, clipboard manipulation for payment redirection, and Remote Utilities RAT installation. The operator manually monitors infected machines and decides actions on a per-victim basis via a live C2 dashboard, with victims labeled and tagged with operator notes.
Impact: Successful exploitation grants operators real-time visibility into banking sessions, with the ability to lock screens behind fake bank warnings, redirect browsers to phishing pages, intercept and replace account and card numbers to redirect payments, capture screenshots, deploy remote-access tools for hands-on control, and maintain persistence across reboots. The targeting of Mexican financial infrastructure including banks, fintechs, payment processors, and cryptocurrency exchanges indicates widespread exposure across the financial ecosystem. The operator’s selective activation of fraud mechanisms by IP address and use of Telegram notifications for phishing confirmation demonstrates operational sophistication despite crude tooling implementation.
Recommendation:
- Block all known REF6045 infrastructure at the network perimeter.
- Implement email filtering and web gateway controls to block access to known ClickFix delivery domains and alert on users accessing fake CAPTCHA verification pages that prompt command execution.
- Educate users that no legitimate verification process requires running commands in the Windows Run dialog or copying commands from web pages into terminal environments.
- Deploy behavioral detection for suspicious bitsadmin activity downloading files from public IP addresses and for PowerShell processes performing network requests to external infrastructure.
- Monitor for the presence of SCMBANKER persistence indicators including run.vbs in startup folders, Registry Run key entries launching hidden PowerShell, and suspicious PowerShell modules in C:\Users\Public.
- Alert on processes attempting UAC privilege escalation via -Verb RunAs and on repeated UAC consent prompt triggers at intervals of 20 seconds, which indicates the UAC consent fatigue attack.
- Monitor for Remote Utilities Host installation and registry modifications to HKLM\SOFTWARE\Usoris\Remote Utilities Host, particularly registry edits setting callback auto-connect parameters and authentication keys.
- Track banking session activity and alert on screenshot capture activity triggered by detection of bank window titles, particularly repeated screenshot capture spawning approximately 42 images per trigger event.
- Audit financial transaction activity for redirected payments to unfamiliar accounts, particularly those matching the attacker-controlled CLABE numbers or card numbers extracted from captured clipboard data.
- Review user system logs for evidence of cursor locking via ClipCursor API calls and fake Windows Update screen displays via fullscreen Edge kiosk mode.
Kernel Vulnerability Januscape Enables Guest-to-Host Escape on KVM Systems
Security researcher Hyunwoo Kim disclosed a 16-year-old Linux kernel vulnerability called Januscape on July 6, warning that attackers with access to a guest virtual machine on Intel or AMD hosts running KVM could crash or, in a more severe case, take over the physical host machine. The flaw, tracked as CVE-2026-53359, is a use-after-free weakness in the shadow memory management unit, or MMU, emulation that KVM/x86 uses to manage nested virtualization, a common feature in multi-tenant public cloud environments.
The vulnerability stems from a shadow page reuse check that examines only the guest frame number and not the page’s role, allowing a shadow page of the wrong type to be reused while the host shadows a nested guest’s memory tables. Guest-side actions alone, without any cooperation from the host, can trigger the flaw and corrupt host kernel memory-tracking structures. Kim published a proof-of-concept exploit that reliably causes a host kernel panic, a denial-of-service condition confirmed to work in practice. Kim said a separate, full guest-to-host escape exploit that would allow code execution as root on the host also exists but is not being released at this time. On distributions where the /dev/kvm device is world-writable, the flaw may also be exploitable without root access inside the guest.
Impact: The confirmed proof-of-concept exploit can crash a host kernel, taking down every virtual machine running on that physical server, a significant availability risk for multi-tenant cloud environments. Kim said a related exploit capable of achieving root code execution on the host has also been demonstrated but has not been released publicly. If released or independently developed, such an exploit would allow full takeover of a host and every guest running on it.
Recommendation:
- Confirm that host kernels have applied patch commit 81ccda30b4e8 or the equivalent fix shipped by your Linux distribution vendor.
- Where nested virtualization is not required, disable it for guest workloads to remove the exploit path.
- Audit /dev/kvm permissions on Linux hosts, since some distributions may configure it as world-writable, which can allow exploitation without root access inside the guest.
- Monitor host kernel logs for KVM-related BUG or WARNING messages referencing gfn mismatches or data corruption, which may indicate exploitation attempts.
Writer AI Sandbox Isolation Vulnerability Allows Account Takeover via Malicious Agent Preview Links, Exposing Organizational Data and Administrative Controls.
SAND Security disclosed WriteOut, a critical session isolation vulnerability in Writer AI, an enterprise platform for building and running AI agents on proprietary data. The vulnerability was discovered by SAND Security and responsibly disclosed; Writer has since patched the issue. The vulnerability allowed attackers with minimal effort to take over any authenticated Writer user’s account by distributing a malicious agent preview link, with no prior access, no password, and no MFA bypass required.
The vulnerability exploited a design decision in which Writer served agent live previews from the same origin as the main application to solve cookie and routing problems with embedded previews. When an authenticated Writer user opened an attacker-controlled malicious agent preview link, their browser automatically attached their Writer session cookie to the request. The preview proxy then forwarded that session cookie into the attacker’s managed sandbox environment. Code running inside the attacker-controlled sandbox could read the victim’s session token from process memory and exfiltrate it to an attacker-controlled server. The attacker could then replay the stolen session token to gain full account takeover. Writer’s input-side filtering intended to block malicious code inspected instructions rather than runtime behavior, allowing attackers to bypass guardrails by fetching and executing remote scripts instead of embedding payloads inline. Exploitation has not been confirmed in the wild, but the vulnerability affected all Writer AI users across Fortune 500 and Global 2000 organizations in banking, insurance, pharmaceuticals, retail, and technology sectors.
Impact: Successful exploitation grants attackers full dashboard access with the victim’s privileges, including read and write access to all private chats, proprietary documents, agent configurations, system prompts, model settings, LLM credentials, data connectors, sensitive organizational settings, and administrative controls depending on the victim’s role. Because the attacker’s malicious agent could be distributed to users across different organizations with no prior foothold, a single shared malicious agent preview link could compromise hundreds or thousands of high-value targets across separate enterprises. The vulnerability undermines the primary security claim used to justify sandboxed AI execution and demonstrates that sandbox isolation is not itself a security control but requires additional defensive layers.
Recommendation:
- Verify that Writer AI instances have been patched and that session cookies are no longer forwarded into sandbox preview environments by confirming preview isolation is implemented on separate origins from the main application.
- Audit Writer AI agent configurations and review the list of shared agents, particularly any with public preview links distributed externally or to users outside the immediate team.
- Review Writer AI access logs and session history for any unusual or suspicious account activity, particularly logins from unexpected IP addresses or locations during the vulnerability window.
- Rotate all LLM API credentials, data connector credentials, and sensitive authentication tokens configured within Writer AI agents, as compromised accounts could have accessed these credentials.
- Review administrative access granted through Writer AI organizational settings and audit user privilege assignments to ensure least-privilege access is enforced.
- Disable public preview links for all agents handling sensitive data or proprietary information, and restrict preview access to authenticated internal users only.
- Implement monitoring and alerts for unusual agent creation, preview link generation, and access patterns that may indicate account compromise.
- Educate users against opening suspicious agent preview links received from external sources, particularly those requesting account access or claiming to demonstrate new features.
Google Dialogflow CX Code Blocks Vulnerability Allows Attackers to Inject Persistent Malicious Code, Exfiltrate Conversations, and Bypass VPC Service Controls.
Varonis Threat Labs disclosed a critical vulnerability in Google Cloud Platform’s Dialogflow CX service, designated Rogue Agent, that allows attackers with a single dialogflow.playbooks.update permission to inject persistent malicious code into the conversational AI pipeline. Varonis initially discovered the vulnerability in November 2025; Google issued an initial security update in April 2026 and fully resolved the issue in June 2026. All affected components have been remediated and Varonis is not aware of any exploitation in the wild prior to the patch.
The vulnerability exploits a fundamental architectural weakness in Dialogflow CX’s Playbook Code Blocks feature. Code Blocks execute inside a Google-managed Cloud Run service that is shared across all agents in the same GCP project, with public network egress enabled by default and unrestricted write access to the filesystem. By modifying the code_execution_env.py file responsible for executing Code Blocks, attackers can intercept conversation execution, exfiltrate full conversation history including user utterances and session parameters, and inject malicious prompts using the internal respond() function to impersonate the agent and conduct phishing attacks. The malicious code persists in the Cloud Run environment while the attacker can restore the original Code Block configuration in the Dialogflow console to avoid detection, making the attack virtually invisible to both Cloud Logging and the victim organization. Exploitation has not been confirmed in the wild, but the vulnerability affected all GCP organizations using Dialogflow CX agents with Playbook Code Blocks prior to patching.
Impact: Successful exploitation provides attackers with the ability to silently take control of all agents in the same GCP project, exfiltrate sensitive data handled by customer support systems, financial services bots, and healthcare assistants without detection, and conduct phishing campaigns and social engineering attacks by impersonating legitimate bot responses. The vulnerability bypasses VPC Service Controls by placing the Code Block execution environment outside the project’s VPC-SC perimeter. Exposed IMDS credentials and architectural flaws in isolation principles create systemic risks for privilege escalation within Google’s own infrastructure. Organizations relying on Dialogflow CX for handling sensitive customer data, payment details, and PII face catastrophic breach of trust and potential regulatory violations.
Recommendation:
- Verify that all Dialogflow CX agents have been patched to versions released after June 2026 and that no older vulnerable versions remain in use across GCP projects.
- Enable DATA_WRITE Audit Logs for the Dialogflow API and review logs for successful playbook update events, correlating them with rare API access by users, unusual IP addresses, and atypical access times.
- Run Cloud Logging queries to identify failed user requests and review protoPayload.status.message fields for exceptions that may indicate malicious Code Block execution.
- Manually review all Code Blocks in each Dialogflow CX agent Playbook configuration and confirm that all configured Code Blocks are whitelisted and approved by authorized personnel.
- Audit IAM permissions to ensure dialogflow.playbooks.update is granted only to trusted administrative users and scoped to specific agents rather than at the project level where possible.
- Review VPC Service Controls configurations and recognize that Code Block execution environments operate outside VPC-SC perimeter boundaries; implement additional monitoring and controls for Cloud Run services used by Dialogflow.
- Monitor for suspicious outbound HTTPS connections from Cloud Run services and alert on any requests to unusual external domains from Dialogflow execution environments.
- Implement user behavior analytics and posture management solutions to detect unauthorized configuration changes and detect anomalous access patterns within Dialogflow environments.
- Rotate any credentials or service account tokens that may have been extracted via IMDS exposure, and audit service account permission grants to ensure minimal necessary privileges are assigned.
🚩 China-Aligned Threat Cluster UNK_MassTraction Exploits Roundcube Vulnerabilities to Compromise University Mail Servers and Pivot into Academic Networks.
Proofpoint disclosed an active campaign by a suspected China-aligned threat cluster designated UNK_MassTraction targeting physics and engineering departments at major US and Canadian universities. The campaign has been active since May 2026 and exploits multiple n-day vulnerabilities in Roundcube webmail servers to steal credentials, deploy webshells, and execute the VShell backdoor in memory. The cluster demonstrates moderate operational security awareness and prior reconnaissance of target environments.
The campaign uses spearphishing emails delivered via compromised senders or domains with lax DMARC policies, exploiting CVE-2024-42009, a cross-site scripting vulnerability in Roundcube that fails to sanitize JavaScript in HTML. When victims open the email in Roundcube, embedded JavaScript executes via the onanimationstart function, loading a remotely hosted stealer payload. The stealer, designated IceCube, is a fully-featured JavaScript payload that escapes Roundcube’s iFrame instantiation to access the full DOM and authentication session. IceCube steals usernames, passwords, two-factor authentication material, cookies, and browser reconnaissance data, then exploits a second vulnerability, CVE-2025-49113, a deserialization flaw in Roundcube’s Crypt_GPG_Engine handling, to deploy a PHP webshell designated SquareShell. If webshell deployment fails, IceCube downloads a shell script that retrieves and executes a VShell loader from C2 infrastructure, which then loads the VShell backdoor into memory under a spoofed process name [kworker/0:2]. VShell is a fully featured Go-based implant with interactive shell and port-forwarding capabilities used by multiple China-aligned threat actors. Exploitation is confirmed in the wild.
Impact: Successful exploitation grants attackers full mail server compromise including read access to sensitive faculty and student communications, administrative credentials for campus infrastructure, and a pivot point into target networks via port-forwarding and lateral movement. The targeting of physics and engineering departments with national security ties and astrophysics and particle physics research capabilities indicates espionage motivation. Mail servers are treated as edge devices for network access rather than as primary targets for communication interception, suggesting the threat actor intends to use compromised mail servers as beachheads for deeper network compromise. Cleanup mechanisms including session destruction, local storage removal, and evidence removal reduce forensic artifacts and complicate incident detection and response.
Recommendation:
- Audit all Roundcube instances for vulnerable versions and prioritize patching CVE-2024-42009 and CVE-2025-49113 across all mail servers, particularly those in academic, research, and government-connected environments.
- Scan Roundcube servers for the presence of SquareShell webshells at the endpoint plugins/newmail_notifier/mail_preview.php using the SHA256 hash provided in the Proofpoint advisory.
- Monitor for the presence of VShell loader files including /tmp/log_de.log and suspicious process executions under the name [kworker/0:2], which is a known VShell spoofed process name.
- Block all IOCs mentioned in source article.
- Treat mail servers with the same defensive priority as VPN concentrators and other remote access nodes, implementing network segmentation, EDR monitoring, and behavioral detection of lateral movement.
- Force password resets and disable active sessions on all mail server accounts that may have been compromised, and rotate credentials for any administrative accounts that accessed the affected mail servers.
🚩 Attackers Abuse Microsoft’s Legitimate Device Code Flow Login Page to Hijack Accounts Through Phishing Campaigns.
Kaspersky disclosed a phishing technique that abuses the Device Authorization Grant flow (also known as Device Code Flow), an OAuth 2.0 extension used by Microsoft Entra ID for input constrained devices such as smart TVs and IoT hardware. The campaigns observed target organizations broadly, with a variant specifically focused on users in Brazil, and abuse Microsoft 365 accounts including email, OneDrive, and Teams.
In the attacks, victims receive phishing emails containing either a password protected PDF or a link hosted on a legitimate third-party site that acts as an open redirect. Both paths lead to a phishing page that displays a onetime device code already retrieved by the attacker from Microsoft’s own device code endpoint. The victim copies this code and is redirected to Microsoft’s real authentication page, where they enter the code and complete MFA normally. Because the login page and MFA prompt are genuine, the victim has no visual indication of compromise. Once authentication succeeds, the attacker captures the resulting access token, refresh token, and ID token, granting persistent account access. Kaspersky confirms this technique has been used in the wild across at least two observed campaign waves.
Impact: This technique bypasses traditional phishing defenses because the victim interacts only with authentic Microsoft infrastructure and completes real MFA. The stolen refresh token allows attackers to maintain long term access to email, OneDrive, and Teams without needing the user’s password again, and without triggering typical suspicious login alerts tied to credential theft. Organizations that have not restricted or monitored the Device Code Flow are exposed to this abuse regardless of how strong their credential hygiene or MFA enforcement otherwise is.
Recommendation:
Organizations should review this reporting and assess whether Device Code Flow is required in their environment. Additional recommendations include:
- Disable the Device Authorization Grant flow globally via Conditional Access Policies in Microsoft Entra ID if it is not required for business operations.
- If Device Code Flow must remain enabled, restrict it to specific named users, groups, or applications rather than allowing it tenant wide.
- Configure monitoring and alerting for DeviceCodeSignIn events in Entra ID sign in logs, especially from unfamiliar locations or devices.
- Enforce device compliance policies to prevent tokens issued through Device Code Flow from being used on unmanaged or non-compliant devices.
- Educate users not to enter authorization codes received from unsolicited emails or messages, even when the link leads to a genuine Microsoft domain.
- Inform users not to approve any unexpected authorization request, particularly when the users themselves did not personally initiate a login request on an external device using the Microsoft Device Authorization Grant.
Sign up here!
To receive the TIGR Threat Watch email bulletin and critical vulnerability notifications, simply complete the form below.
Follow on Twitter
@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.
Subscribe to the RSS
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/category/tigr/feed
(click here for detailed instructions and additional options for Outlook)
Popular mobile RSS reader apps include:
- Feedly
- NewsBlur
- RSS Reader
- Inoreader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/category/tigr/feed
Threat Bulletin Archive
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.




