TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Patched WinRAR Vulnerability CVE-2025-8088 Continues to Be Exploited by Multiple Russia-Aligned Threat Actors Against Ukrainian Government and Military Organizations

Trend Micro disclosed that CVE-2025-8088, a path traversal vulnerability in WinRAR patched in July 2025, continues to be actively exploited against Ukrainian organizations by two distinct Russia-aligned threat actor groups: SHADOW-EARTH-066 (tracked by CERT-UA as UAC-0226) and Earth Dahu (Gamaredon). Both groups produced new exploit samples through at least April 2026. The vulnerability affects WinRAR versions prior to 7.13 and has also been exploited by Sandworm, Turla, and Void Rabisu. Exploitation is confirmed in the wild and ongoing.

CVE-2025-8088 allows attackers to silently write files outside the intended extraction directory via NTFS Alternate Data Streams embedded in RAR5 archives, placing payloads directly into the Windows Startup folder with no user interaction beyond opening the archive. SHADOW-EARTH-066 uses this entry point to deliver an evolved version of the GIFTEDCROOK information stealer, now operating as an in-memory DLL loaded via direct NT system calls, with dual-layer RC4-encrypted exfiltration over HTTPS to dedicated C2 servers. The stealer harvests browser credentials from Chrome, Edge, Opera, and Firefox (including a bypass of Chrome App-Bound Encryption), collects files matching 35 extensions from the Documents, Downloads, and TEMP directories, and self-deletes all staging artifacts after exfiltration. Earth Dahu uses the same vulnerability to drop malicious HTA or VBS files into the Startup folder, which load VBScript espionage modules through Cloudflare Workers-proxied C2 infrastructure; some variants also deliver a wiper component.

Impact: WinRAR does not support auto-update, Group Policy management, or standard enterprise patch channels such as WSUS, SCCM, or Intune, making it a persistent blind spot in vulnerability management programs. The convergence of multiple Russia-aligned threat actors on a single unpatched entry point indicates deliberate targeting of this gap. Credentials and documents stolen from Ukrainian government and military organizations create downstream risk for allied nations and partner organizations in contact with compromised entities. SHADOW-EARTH-066’s self-delete mechanism means file-based indicators are only present between initial infection and the next user login, reducing the window for detection.

Recommendation:

  • Verify installed WinRAR versions across all endpoints and deploy WinRAR 7.13 or later using software distribution tools such as SCCM, Intune, or PDQ Deploy, prioritizing government, military, and defense-adjacent environments.
  • Hunt for LNK or HTA files with randomized names in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ and short alphanumeric files in C:\ProgramData\ matching the naming patterns published in the Trend Micro advisory.
  • Block SHADOW-EARTH-066 C2 IP addresses 166.0.132.237, 136.0.141.41, 136.0.141.138, 38.225.209.229, 136.0.141.112, 38.225.209.122, and 23.26.237.80 at the network perimeter across all ports.
  • Alert on HTTP and HTTPS traffic with the User-Agent string libcurl/8.14.0-DEV, which is a strong indicator of GIFTEDCROOK C2 communication.
  • Configure endpoint monitoring to alert on cmd.exe launching PowerShell with -ExecutionPolicy Bypass and -WindowStyle Hidden when reading from C:\ProgramData, and on mshta.exe execution originating from the Startup folder.
  • Monitor for PowerShell processes allocating executable memory using kernel-level telemetry such as ETW Threat Intelligence provider or EDR kernel callbacks, as the SHADOW-EARTH-066 loader uses direct NT system calls to bypass user-mode API hooks.
  • Block or quarantine RAR archive attachments at the email gateway where operationally feasible, and consider inspecting RAR5 SERVICE headers for STMz ADS markers in environments where RAR delivery is required.
  • Force credential resets, invalidate active web sessions, and rotate stored tokens and API keys on any system where compromise is confirmed or suspected, and enforce MFA on all critical accounts.
  • Expand third-party application patch management to include utility software such as archiving tools and file viewers that fall outside standard enterprise update channels.
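As an added detection example (not Trend Micro's or SRA's material), the following Python applies the network and endpoint indicators from the recommendations above to constructed proxy and process-creation records. The record field names (dst_ip, user_agent, image, parent_image, command_line) are assumptions about the telemetry schema.

```python
import re

# Network indicators quoted from the bulletin above.
GIFTEDCROOK_C2_IPS = {
    "166.0.132.237", "136.0.141.41", "136.0.141.138", "38.225.209.229",
    "136.0.141.112", "38.225.209.122", "23.26.237.80",
}
GIFTEDCROOK_USER_AGENT = "libcurl/8.14.0-DEV"
# Per-user Startup folder, lower-cased; matched inside the normalized command line.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed sample telemetry (not real logs); file names and internal IPs are invented.
SAMPLE_PROXY = [
    {"src": "10.1.2.3", "dst_ip": "136.0.141.41", "user_agent": "libcurl/8.14.0-DEV"},
    {"src": "10.1.2.4", "dst_ip": "198.51.100.7", "user_agent": "Mozilla/5.0"},
]
SAMPLE_PROCESS = [
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -WindowStyle Hidden  -ExecutionPolicy Bypass -File C:\ProgramData\ab12"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k3x9.hta"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]


def _norm(value):
    """Lower-case and collapse whitespace so flag spacing or case cannot dodge the match."""
    return re.sub(r"\s+", " ", value or "").lower()


def check_proxy_record(rec):
    """Return the GIFTEDCROOK network rules a proxy/firewall record matches."""
    hits = []
    if rec.get("dst_ip") in GIFTEDCROOK_C2_IPS:
        hits.append("giftedcrook-c2-ip")
    if rec.get("user_agent") == GIFTEDCROOK_USER_AGENT:
        hits.append("giftedcrook-user-agent")
    return hits


def check_process_event(ev):
    """Return the endpoint rules a process-creation event matches."""
    hits = []
    image, parent, cmd = (_norm(ev.get(k)) for k in ("image", "parent_image", "command_line"))
    # cmd.exe spawning PowerShell with both evasion flags and a file under C:\ProgramData.
    if parent.endswith("\\cmd.exe") and image.endswith("\\powershell.exe"):
        if ("-executionpolicy bypass" in cmd and "-windowstyle hidden" in cmd
                and "c:\\programdata\\" in cmd):
            hits.append("cmd-powershell-bypass-programdata")
    # mshta.exe launched with an HTA that lives in the per-user Startup folder.
    if image.endswith("\\mshta.exe") and STARTUP_FRAGMENT in cmd:
        hits.append("mshta-from-startup")
    return hits


def scan(proxy_records, process_events):
    """Run every rule over both feeds and return (rule, record) alert pairs."""
    alerts = [(rule, rec) for rec in proxy_records for rule in check_proxy_record(rec)]
    alerts += [(rule, ev) for ev in process_events for rule in check_process_event(ev)]
    return alerts


if __name__ == "__main__":
    for rule, record in scan(SAMPLE_PROXY, SAMPLE_PROCESS):
        print(rule, record)
```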

Critical Veeam Backup & Replication Vulnerability Enables Authenticated RCE on Domain-Joined Backup Servers

Veeam disclosed CVE-2026-44963, a critical vulnerability affecting Veeam Backup & Replication 12.3.2.4465 and earlier version 12 builds. The flaw allows remote code execution on the backup server by an authenticated domain user and carries a CVSS v4 score of 9.4. Veeam noted that the issue only impacts domain-joined backup servers, while version 13.x builds are not affected due to architectural changes introduced in version 13.

The vulnerability was fixed in Veeam Backup & Replication 12.3.2.4854. Veeam warned that once a vulnerability and patch are publicly disclosed, attackers are likely to reverse-engineer the patch and attempt exploitation against unpatched deployments. Because Veeam backup servers often hold highly privileged access to backup infrastructure, production workloads, stored credentials, and recovery data, exposed or delayed patching may create significant ransomware and post-compromise risk.

Impact: Successful exploitation could allow an authenticated domain user to execute code on a vulnerable Veeam Backup & Replication server. Compromise of a backup server can be especially damaging because attackers may attempt to access backup repositories, delete or encrypt backups, steal stored credentials, disrupt recovery operations, or use the backup server as a privileged pivot point into the broader environment. The risk is highest for domain-joined backup servers where broad domain authentication, excessive privileges, or weak segmentation allow more users or compromised accounts to reach the Veeam server.

Recommendation:

  • Upgrade Veeam Backup & Replication to version 12.3.2.4854 or later.
  • Confirm whether any Veeam Backup & Replication 12.x backup servers are domain-joined and treat them as higher priority for remediation.
  • Upgrade to version 13.x where feasible, since Veeam states version 13.x builds are not affected due to architectural changes.
  • Restrict access to the Veeam Backup & Replication server to dedicated backup administrators and approved management hosts.
  • Review domain user access to the backup server and remove unnecessary interactive logon, RDP, WinRM, SMB, and administrative access.
  • Segment backup infrastructure from standard user workstations and production networks where possible.
  • Enforce MFA and privileged access controls for backup administrators and accounts used to manage Veeam.
  • Review Veeam service accounts, stored credentials, repository access, and backup infrastructure permissions for excessive privileges.
  • Monitor the Veeam server for suspicious process creation, unexpected PowerShell or command shell activity, new services, unauthorized login attempts, and unusual connections from domain user workstations.
  • Validate that backup repositories are protected with immutability, hardened access controls, and offline or isolated recovery options.
  • Review logs for signs of attempted backup deletion, job modification, repository tampering, or credential access activity.

🚩 Shai-Hulud/Miasma Supply Chain Campaign Expands to PyPI with 37 Malicious Packages Targeting Developer Credentials, CI/CD Secrets, and Cloud Infrastructure Tokens

Socket disclosed a coordinated PyPI supply chain compromise involving 37 malicious wheel artifacts across 19 packages, linked to the ongoing Mini Shai-Hulud and Miasma campaign family. The affected packages include widely used bioinformatics and research tools such as dynamo-release, spateo-release, and coolbox, with cumulative download totals in the hundreds of thousands. PyPI has quarantined a number of the affected releases and Socket has reported the remainder to the PyPI security team. The broader campaign now encompasses 448 affected artifacts across npm and PyPI. Exploitation is confirmed in the wild.

The malicious wheels include a .pth file that executes automatically during Python interpreter startup, before any application code runs, downloading the Bun JavaScript runtime from GitHub and executing a heavily obfuscated JavaScript credential stealer named _index.js. The payload uses multiple layers of obfuscation including AES-GCM encryption, ROT-style wrappers, and rotated string tables. Once unpacked, it targets a broad range of developer and CI/CD credentials including GitHub tokens, npm and PyPI publishing tokens, AWS, GCP, and Azure credentials, Kubernetes service account tokens, Vault secrets, SSH keys, Docker configs, shell histories, .env files, and Claude/MCP configuration files. Stolen data is exfiltrated via GitHub repository creation using Hades-themed markers, with network traffic to api.anthropic.com used as camouflage. The payload also establishes persistence via systemd user services on Linux and LaunchAgents on macOS, and injects into GitHub Actions workflows and Claude/MCP configurations.

Impact: Because .pth files execute at every Python interpreter startup regardless of whether the compromised package is imported, any developer, CI job, notebook kernel, or package management command that starts Python on an affected system may trigger the stealer. Compromised credentials can unlock package publishing across multiple ecosystems, source control, and cloud infrastructure, enabling the attacker to deepen or propagate compromise through downstream supply chain poisoning. The targeting of Claude/MCP configurations and GitHub Actions workflows indicates the campaign is actively expanding into AI developer toolchains and automated CI/CD environments beyond traditional package manager hooks.

Recommendation:

  • Immediately remove, or pin dependencies away from, all 37 malicious package versions listed in the Socket advisory, and rebuild affected environments where possible.
  • Rotate all credentials accessible from affected developer machines or CI jobs as a priority, including GitHub personal access tokens, GitHub App tokens, and Actions secrets; PyPI, npm, RubyGems, and JFrog publishing tokens; AWS, GCP, Azure, Kubernetes, and Vault credentials; SSH keys, Docker credentials, and cloud CLI profiles; and Anthropic, CircleCI, and Claude/MCP tokens.
  • Search developer machines, CI workers, and GitHub organizations for the published IOCs including the sentinel file .bun_ran, _index.js in site-packages directories, and .pth files containing executable import lines with network retrieval and subprocess execution.
  • Hunt GitHub organizations for repositories with the description “Hades – The End for the Damned”, artifacts named format-results, workflows named Run Copilot, and commit paths matching results/results-*.json as likely exfiltration artifacts.
  • Implement package-level static detection alerting on PyPI wheels containing executable .pth import lines combined with remote runtime download, tempdir binary installation, subprocess execution, and JavaScript payload handoff, as this behavior chain is a strong indicator regardless of filename or Bun version.
  • Review GitHub Actions workflows and Claude/MCP configuration files for unexpected modifications, particularly unexpected codeql.yml changes or new setup.mjs and setup.js files in .claude or .github directories.
  • Enforce software composition analysis and dependency review controls in CI/CD pipelines to detect malicious install-time and startup-time execution patterns before they reach developer environments.
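Added example, not code from Socket or from the campaign write-up: a Python scanner that reads site-packages .pth files the way site.py does (only lines beginning with "import" are executed), flags import lines that combine fetch, staging and execution tokens, and looks for the .bun_ran and _index.js file names quoted above. The token list and the constructed sample files are assumptions.

```python
import site
import tempfile
from pathlib import Path

# Tokens that, combined in one executable .pth line, reproduce the behaviour chain described
# above (remote fetch, temp-dir staging, subprocess handoff). The list is an assumption.
SUSPICIOUS_TOKENS = ("urllib", "requests", "http", "subprocess", "os.system",
                     "tempfile", "exec(", "base64", "github.com", "bun")
# File-name indicators quoted from the bulletin.
IOC_FILENAMES = {".bun_ran", "_index.js"}


def executable_pth_lines(pth_path):
    """Yield (line_no, line) for the lines site.py executes: those beginning with 'import'."""
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if line.startswith(("import ", "import\t")):
                yield no, line


def scan_site_dir(site_dir):
    """Return findings for one site-packages directory as (kind, path, line_no, details)."""
    site_dir = Path(site_dir)
    findings = []
    if not site_dir.is_dir():
        return findings
    for pth in sorted(site_dir.glob("*.pth")):
        for no, line in executable_pth_lines(pth):
            tokens = [t for t in SUSPICIOUS_TOKENS if t in line.lower()]
            # One import line that both fetches and executes is the strong signal; a lone
            # 'import _virtualenv' style line is normal and is left alone.
            if len(tokens) >= 2:
                findings.append(("pth-exec", str(pth), no, tokens))
    for entry in sorted(site_dir.rglob("*")):
        if entry.name in IOC_FILENAMES:
            findings.append(("ioc-file", str(entry), 0, [entry.name]))
    return findings


def scan_interpreter():
    """Scan every site-packages directory of the running interpreter."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [f for d in dirs for f in scan_site_dir(d)]


def build_constructed_sample(root):
    """Write a benign .pth, a suspicious-looking .pth and the two IOC file names under root."""
    root = Path(root)
    (root / "aaa_benign.pth").write_text("/opt/example/src\nimport _virtualenv\n")
    # Constructed: imports only, performs no download or execution; the token pattern is the point.
    (root / "zzz_sample.pth").write_text(
        "import urllib.request, subprocess, tempfile  # constructed sample line\n")
    (root / "pkg").mkdir()
    (root / "pkg" / ".bun_ran").write_text("")
    (root / "pkg" / "_index.js").write_text("// constructed placeholder\n")
    return root


def demo():
    """Build the constructed sample in a temporary directory and return what the scanner finds."""
    return scan_site_dir(build_constructed_sample(tempfile.mkdtemp(prefix="pth-scan-")))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Run scan_interpreter() on a developer machine or CI worker to check the live environment instead of the constructed sample.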

🚩 UNC3753 Targets US Law Firms With Vishing, RMM Tools, Data Theft, and Physical Intrusion Attempts

Mandiant reported an ongoing financially motivated data theft extortion campaign by UNC3753, also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group, targeting dozens of US legal, professional services, and financial services organizations from January through May 2026. The group relies heavily on voice phishing and social engineering, often starting with benign invoice-themed emails before calling targets while impersonating internal IT helpdesk or security staff. During these calls, the actors convince employees to join screen-sharing sessions and install remote access tools such as AnyDesk, Bomgar, or Zoho Assist, and in some cases have attempted to deliver SuperOps RMM payloads.

UNC3753’s operations move quickly, with Mandiant observing some incidents progress from initial contact to data theft and extortion within a single business day, and in some cases data searches and staging beginning in under an hour. The actors use tools such as Zoom, Teams, Quick Assist, Windows 365, Citrix, WinSCP, Rclone, consumer file-sharing accounts, and Privnote to access environments, stage sensitive files, and exfiltrate data. Mandiant also highlighted suspected related physical intrusions where individuals posing as IT technicians attempted to access corporate offices and exfiltrate endpoint data using USB storage media.

Impact: Successful UNC3753 activity can result in rapid theft of sensitive legal, financial, client, and employee data, including proprietary agreements, tax forms, audit records, Social Security numbers, PII, financial records, and document management repository content. Legal firms are especially exposed because they often hold highly sensitive client files and may face reputational, regulatory, and contractual pressure after a breach. The group’s use of legitimate screen-sharing tools, RMM utilities, BYOD access, VDI sessions, consumer cloud storage, and physical access attempts can bypass traditional email filtering, perimeter controls, and some MFA-based defenses.

Recommendation:

  • Require out-of-band verification before employees follow instructions from anyone claiming to be internal IT, security, or third-party technical support.

  • Restrict or block unauthorized RMM and screen-sharing tools, including AnyDesk, Bomgar, Zoho Assist, WinSCP, Rclone, and unapproved remote support utilities.

  • Limit interactive screen-control features in Teams, Zoom, Quick Assist, and other collaboration tools where possible.

  • Enforce conditional access policies that allow VDI and VPN access only from managed corporate devices.

  • Apply MFA and step-up authentication for VDI, VPN, iManage, SharePoint, OneDrive, email, and other sensitive document repositories.

  • Monitor for suspicious use of Privnote, cURL-downloaded MSI installers, portable WinSCP execution, Rclone activity, and large outbound transfers over SSH or cloud storage services.

  • Alert on rapid file searches, keyword spikes, bulk downloads, and unusual access in iManage, SharePoint, OneDrive, and email repositories.

  • Disable or tightly restrict USB mass storage on corporate endpoints and BYOD systems used for VDI access.

  • Require front-desk verification, ID logging, scheduled work-order confirmation, and staff escorting for all onsite technicians and contractors.

  • Treat physical office access controls as part of the cyber defense perimeter, especially for organizations handling sensitive client data.

Critical UniFi OS vulnerability chain enables unauthenticated root access to network, camera, and physical access management systems

Bishop Fox analyzed a critical vulnerability chain affecting UniFi OS Server that allows unauthenticated attackers to achieve full remote code execution with root privileges. The attack combines three vulnerabilities: two authentication bypass issues (CVE-2026-34908 and CVE-2026-34909) and a command injection flaw (CVE-2026-34910). Researchers validated the entire attack path against UniFi OS Server 5.0.6, demonstrating that a single unauthenticated request could bypass the Nginx authentication gateway, reach an internal package update service, and execute attacker-controlled commands without requiring credentials or user interaction. Ubiquiti addressed the issues in UniFi OS Server 5.0.8 and corresponding fixed releases across affected UniFi hardware platforms.

The severity extends far beyond compromise of the management server itself. Once attackers obtain root access, they can extract JWT signing keys, cloud access tokens, Wi-Fi credentials, VPN configurations, RADIUS secrets, TLS private keys, user databases, NFC credentials, and biometric data. Researchers also demonstrated that stolen JWT signing keys could be used to forge administrator sessions that remain valid even after patching. Because UniFi OS serves as the management plane for network infrastructure, cameras, access control systems, and cloud-connected environments, successful exploitation may enable attackers to reconfigure networks, unlock doors, disable surveillance systems, manipulate managed devices, create rogue administrator accounts, and pivot across multiple managed sites.

Impact: Successful exploitation can result in complete compromise of UniFi management infrastructure and all connected systems under its control. Organizations may face unauthorized network reconfiguration, credential theft, persistence through forged administrator sessions, cloud account compromise, surveillance disruption, physical access manipulation, and potential lateral movement into broader enterprise environments. Systems exposed to the internet prior to patching should be treated as potentially compromised.

Recommendation:

  • Upgrade UniFi OS Server to version 5.0.8 or later and apply vendor-recommended updates for all affected UniFi hardware platforms.

  • Restrict access to UniFi management interfaces and remove direct internet exposure wherever possible.

  • Treat previously exposed and unpatched UniFi OS instances as potentially compromised.

  • Rotate all secrets stored within the platform, including JWT signing keys, cloud access tokens, Wi-Fi credentials, VPN secrets, RADIUS credentials, TLS certificates and private keys, and administrative passwords.

  • Force logout of active sessions and invalidate previously issued authentication tokens.

  • Rebuild systems from known-good images if compromise is suspected, since patching alone may not remove persistence mechanisms.

  • Monitor for requests containing /api/auth/validate-sso/, encoded path traversal sequences such as ..%2f or %2e%2e, and access to package update endpoints.

  • Review logs for unexpected administrator creation, SSH enablement, device configuration changes, door access events, and surveillance system modifications.

  • Audit managed devices for unauthorized configuration changes originating from the UniFi controller.
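Added example, not Bishop Fox's or Ubiquiti's code: Python that parses nginx-style access log lines, percent-decodes request paths repeatedly so ..%2f, %2e%2e and double-encoded forms all collapse to a literal "..", and flags traversal or the validate-sso path named above. The log format, the "placeholder" path suffixes and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# nginx/Apache combined-format access line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
WATCHED_PATH = "/api/auth/validate-sso/"  # path quoted in the bulletin

# Constructed sample lines (not captured traffic); client IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /api/auth/validate-sso/..%2f..%2fplaceholder HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/May/2026:12:00:02 +0000] "POST /api/auth/login HTTP/1.1" 200 128',
    '203.0.113.5 - - [10/May/2026:12:00:03 +0000] "GET /proxy/%252e%252e/%252e%252e/placeholder HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/May/2026:12:00:04 +0000] "GET /api/auth/validate-sso/ HTTP/1.1" 302 0',
]


def normalize_path(raw, rounds=3):
    """Percent-decode until stable (bounded), then unify separators, so ..%2f, %2e%2e and
    double-encoded %252e%252e all collapse to a literal '..' segment."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify_path(raw):
    """Return the reasons a request path deserves attention (empty list if none)."""
    reasons = []
    norm = normalize_path(raw)
    if WATCHED_PATH in norm.lower():
        reasons.append("validate-sso-endpoint")   # lower confidence on its own
    if TRAVERSAL_RE.search(norm):
        reasons.append("path-traversal")
        if norm != raw:
            reasons.append("encoded-traversal")   # encoding was needed to hide the '..'
    return reasons


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return one hit per flagged line with the client, raw path, status and reasons."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify_path(rec["path"])
        if reasons:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```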

🚩 C0XMO botnet exploits vulnerable DD-WRT routers to build a cross-platform DDoS army and eliminate competing malware

Fortinet researchers identified C0XMO, a new and significantly more sophisticated variant of the Gafgyt botnet that targets vulnerable DD-WRT routers through exploitation of CVE-2021-27137, a critical unauthenticated buffer overflow vulnerability in the firmware’s UPnP service. Unlike traditional Gafgyt variants, C0XMO separates its scanning and propagation logic into a dedicated Python-based framework, allowing operators to more efficiently target a broad range of devices and architectures. Researchers observed support for ARM, MIPS, PowerPC, SuperH, x86, x86_64, and other Linux-based platforms, along with exploitation capabilities targeting routers, DVRs, Android-based devices, and video management systems.

Once deployed, C0XMO establishes persistence through hidden file copies, cron jobs, shell profile modifications, and self-relaunch mechanisms. The malware aggressively removes competing botnets, red-team tools, network services, and security-related utilities before connecting to its command-and-control infrastructure. To expand infections, it uses a standalone Python scanner that performs internet-wide reconnaissance, brute-forces Telnet and SSH credentials, exploits multiple known vulnerabilities, and abuses exposed Android Debug Bridge (ADB) services. Researchers noted the botnet supports 19 DDoS attack methods, including TCP, UDP, SYN, ICMP, NTP amplification, Memcached amplification, Discord voice floods, Valve Source Engine floods, and Cloudflare-targeted HTTP flooding techniques.

Impact: Successful compromise allows attackers to take control of vulnerable network devices, incorporate them into a botnet, launch large-scale DDoS attacks, and use infected systems as a platform for further propagation. The malware’s modular architecture, broad hardware support, aggressive lateral movement capabilities, and competitor-removal functionality make it more resilient and scalable than many traditional IoT botnets. Organizations with exposed DD-WRT devices, weak SSH/Telnet credentials, or internet-facing IoT infrastructure face elevated risk.

Recommendation:

  • Patch DD-WRT firmware versions affected by CVE-2021-27137.

  • Disable unnecessary remote access services, including Telnet, UPnP, and exposed ADB services.

  • Enforce strong, unique passwords for all administrative accounts and network devices.

  • Monitor for outbound scanning activity targeting ports 22, 23, 80, 443, 7547, 8080, 8443, and 8888.

  • Hunt for hidden binaries and persistence artifacts, including /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys, modified .bashrc or .profile files, and suspicious cron entries.

  • Monitor for communications with known malicious infrastructure associated with the activity.

  • Segment IoT and network infrastructure from critical enterprise assets.

  • Review systems for unauthorized process termination activity that may indicate malware attempting to disable competing botnet infections.


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.