Daily Digest

Gamaredon Evolves, SimpleHelp Flaw Exploited, StegoAd Dismantled

Gamaredon Evolves, SimpleHelp Flaw Exploited, StegoAd Dismantled

June 30, 2026
8 articles (7 new, 1 updated)
24 min read

Summary

Today's cybersecurity landscape features significant updates and new threats. The Russian APT Gamaredon has enhanced its cyber-espionage against Ukraine, now extensively abusing legitimate cloud services like Dropbox and Amazon S3 for command-and-control (C2) infrastructure, making detection harder. They've also introduced PteroPaste malware, leveraging malicious LNK files for initial access and lateral movement, and continue to collaborate with Turla.

A critical authentication bypass vulnerability (CVE-2026-48558) in SimpleHelp remote support software is being actively exploited, allowing attackers to deploy the new Djinn Stealer. This flaw, rated 10.0 CVSS, enables attackers to bypass MFA and compromise connected endpoints, leading CISA to add it to its Known Exploited Vulnerabilities catalog.

Microsoft has dismantled 'StegoAd,' a malicious Edge extension campaign that operated for over two years. The campaign involved 119 extensions, downloaded by up to 2.6 million users, which used steganography to hide malicious JavaScript. These extensions performed ad fraud and had backdoor capabilities to steal credentials and exfiltrate browser cookies, linked to Chinese actor DarkSpectre.

A new class of vulnerability, 'GuardFall,' affects AI coding agents, allowing old Bash tricks to bypass modern security. This exposes developers to supply chain attacks and credential theft. Additionally, a critical pre-authentication RCE flaw (CVE-2026-55200) in the widely used libssh2 library poses a widespread risk due to its embedding in numerous software products.

In regulatory news, the EDPB has adopted a common template for GDPR data breach notifications to simplify compliance. Meanwhile, new email attacks are using real Microsoft login pages to bypass MFA through adversary-in-the-middle techniques. Finally, TUANZ in New Zealand is calling for 'security by design' in the nation's digital future, advocating for stronger accountability from technology providers.

Filter by Category

New Articles (7)

SimpleHelp RMM Flaw Actively Exploited to Deploy Novel Djinn Stealer

CRITICAL

Critical SimpleHelp RMM Flaw (CVE-2026-48558) Under Active Exploitation to Distribute Djinn Stealer Malware

A critical authentication bypass vulnerability, CVE-2026-48558, in SimpleHelp remote support software is being actively exploited to gain administrative access to servers. Attackers are leveraging this 10.0 CVSS flaw to deploy a new, cross-platform information stealer called Djinn Stealer via a loader named TaskWeaver. The vulnerability allows attackers to create privileged accounts, bypassing MFA, and use the RMM's trusted channels to compromise all connected endpoints. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating urgent mitigation for federal agencies.

June 30, 2026
6 min read
RMMCVE-2026-48558Djinn StealerAuthentication BypassKEV +2 more
SimpleHelp RMM Flaw Actively Exploited to Deploy Novel Djinn Stealer

Microsoft Dismantles "StegoAd," a Malicious Edge Extension Campaign Using Steganography

HIGH

Microsoft Removes 119 Malicious Edge Extensions from 'StegoAd' Campaign with 2.6 Million Installs

Microsoft has disrupted a major malicious browser extension campaign named 'StegoAd' that affected its Edge Add-ons store for over two years. The operation involved 119 extensions, downloaded by up to 2.6 million users, which used steganography to hide malicious JavaScript payloads within image and font files. Initially performing ad fraud, the malware also had backdoor capabilities to steal credentials from Google and WordPress, as well as exfiltrate browser cookies for session hijacking. The campaign is linked to a Chinese threat actor known as DarkSpectre.

June 30, 2026
6 min read
StegoAdMicrosoft EdgeBrowser ExtensionMalwareSteganography +2 more
Microsoft Dismantles "StegoAd," a Malicious Edge Extension Campaign Using Steganography

"GuardFall" Flaw Lets Old Bash Tricks Bypass Modern AI Agent Security

HIGH

GuardFall: Decades-Old Bash Tricks Expose Open-Source AI Coding Agents to Supply Chain Attacks

A new class of vulnerability named 'GuardFall' has been discovered, affecting ten out of eleven popular open-source AI coding agents. The flaw allows attackers to bypass the agents' security guards using decades-old Bash shell obfuscation tricks. By crafting malicious text in a file like a README, an attacker can trick the AI agent into executing destructive or data-stealing commands with the developer's full permissions. This exposes developers to severe supply chain attacks, credential theft, and environment destruction, highlighting a fundamental design flaw in how these agents validate commands.

June 30, 2026
6 min read
GuardFallAI SecurityDevSecOpsBashShell Injection +2 more
"GuardFall" Flaw Lets Old Bash Tricks Bypass Modern AI Agent Security

Critical Pre-Auth RCE Flaw in libssh2 Library Poses Widespread Risk

CRITICAL

Critical Pre-Authentication RCE Vulnerability (CVE-2026-55200) in libssh2 Puts Countless Applications at Risk

A critical remote code execution (RCE) vulnerability, CVE-2026-55200, has been disclosed in libssh2, a widely used open-source SSH client library. The flaw, rated 9.8 on the CVSS scale, is a pre-authentication heap buffer overflow that can be triggered by a malicious SSH server. Because libssh2 is embedded in countless software products—including curl, Git clients, and IoT devices—the vulnerability represents a massive supply chain risk. Public proof-of-concept code is available, increasing the likelihood of mass exploitation.

June 30, 2026
5 min read
libssh2CVE-2026-55200RCEVulnerabilitySupply Chain Attack +3 more
Critical Pre-Auth RCE Flaw in libssh2 Library Poses Widespread Risk

EDPB Adopts Common Template for GDPR Data Breach Notifications

INFORMATIONAL

European Data Protection Board Adopts Standardized Template for GDPR Data Breach Notifications to Harmonize Reporting

The European Data Protection Board (EDPB) has adopted a common, standardized template for organizations to use when notifying supervisory authorities of a personal data breach under the GDPR. This initiative aims to simplify the compliance process and harmonize the currently fragmented reporting requirements across different EU member states. The unified form is expected to reduce administrative burdens, especially for smaller organizations, by providing a clear structure and predefined values. The template is now open for public consultation until August 5, 2026.

June 30, 2026
5 min read
EDPBGDPRData BreachComplianceRegulation +2 more
EDPB Adopts Common Template for GDPR Data Breach Notifications

New Email Attacks Use Real Microsoft Login Pages to Bypass MFA

HIGH

Tycoon 2FA Phishing-as-a-Service Platform Bypasses MFA Using Real Microsoft Login Pages

Security researchers are warning about increasingly sophisticated email attacks, including the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform. This adversary-in-the-middle (AiTM) attack uses a reverse proxy to present the victim with a real Microsoft login page. When the user authenticates and completes the MFA challenge, the platform intercepts the session token, allowing the attacker to gain full access to the user's Microsoft 365 account, completely bypassing conventional MFA protection. The attack highlights the growing threat of PhaaS and the need for phishing-resistant MFA.

June 30, 2026
6 min read
PhishingMFATycoon 2FAAdversary-in-the-MiddleAiTM +3 more
New Email Attacks Use Real Microsoft Login Pages to Bypass MFA

TUANZ Calls for "Security by Design" in New Zealand's Digital Future

INFORMATIONAL

New Zealand Tech Users Association Calls for Shift to 'Security by Design' and Stronger System Accountability

The Tech Users Association of New Zealand (TUANZ) has published a new position paper urging a fundamental shift in the nation's cybersecurity strategy. The group is calling for a move away from the current 'user beware' model, which places a heavy burden on individuals and SMEs. Instead, TUANZ advocates for embedding 'security by design' principles into all digital systems and establishing stronger accountability for technology providers. The paper warns that the growing complexity of cyber threats is creating an 'equity gap,' leaving those without resources dangerously exposed.

June 30, 2026
4 min read
Security by DesignPolicyNew ZealandTUANZCybersecurity Strategy +1 more
TUANZ Calls for "Security by Design" in New Zealand's Digital Future

Updated Articles (1)

Russian APT Gamaredon Enhances Malware and Evasion Techniques in Ukraine War

HIGH

Russian APT Gamaredon Evolves Tactics in Attacks on Ukraine

Update:

The Russian APT Gamaredon has further evolved its cyber-espionage campaign against Ukraine. Beyond Cloudflare, the group now extensively abuses legitimate cloud services like Dropbox and Amazon S3 for command-and-control (C2) infrastructure, making its malicious traffic even harder to detect and block. This expansion of C2 channels significantly increases their resilience and evasion capabilities. Additionally, Gamaredon has introduced a new malware variant, PteroPaste, which leverages malicious LNK files on USB drives for initial access and lateral movement, particularly effective in air-gapped or segmented networks. The collaboration with Turla continues, with Gamaredon acting as an initial access broker for Turla's sophisticated Kazuar backdoor. These developments indicate a heightened level of sophistication and a broader attack surface for Gamaredon's operations.

June 29, 2026
Updated: June 30, 2026
4 min read
GamaredonAPT28TurlaRussiaUkraine +4 more
Russian APT Gamaredon Enhances Malware and Evasion Techniques in Ukraine War

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.