The Y2K Operators are running a social-engineering distribution campaign that spreads Millenium RAT through booby-trapped downloads, exposing users to remote compromise and data theft. The operation has already reached over 60,000 Windows devices in more than 160 countries, with most infections concentrated in the first three months of 2026. Its lure set of game cheats, cracked software, and hacking tools gives the campaign broad reach across user communities. The low-cost malware-as-a-service model makes the operation accessible to less-skilled attackers and increases downstream abuse risk.

The Millenium RAT malware activity is spreading across Windows systems, with 60,000+ infections in 160+ countries and a newer native C++ build that helps it evade weaker detection tools.

Straiker raised $64 million in a Series A round, increasing total funding to $85 million and expanding support for its AI security platform. The new capital strengthens a product focused on discovering AI agents, testing them before deployment, and protecting them at runtime. The round signals continued investor backing for cybersecurity tools aimed at autonomous AI risks.

A critical CVE-2026-48558 in SimpleHelp remote management software lets unauthenticated attackers create privileged Technician accounts when OIDC is enabled, putting remote administration access at risk. The flaw affects 5.5.15 and older and 6.0 pre-release versions. SimpleHelp released 5.5.16 and 6.0RC2 on June 9 to fix the issue. No evidence of active exploitation was reported.

SimpleHelp released 5.5.16 and 6.0RC2 on June 9 to fix CVE-2026-48558, a critical OIDC authentication flaw that could let unauthenticated attackers create privileged Technician accounts. The update matters for deployments that rely on OIDC because the bug could bypass MFA and grant remote-management access. The patch narrows exposure for affected SimpleHelp 5.5.15 and older installations and 6.0 pre-release builds. Active exploitation reported on 2026-06-29 shows the same flaw being used to deploy TaskWeaver and Djinn Stealer through an internet-facing SimpleHelp server.

Oracle's May 2026 Critical Security Patch Update addressed CVE-2026-46817 in Oracle E-Business Suite, and customers were urged to patch immediately as exposed systems faced takeover risk. The update covered a flaw in the File Transmission component of Oracle Payments that could enable unauthenticated compromise over HTTP network access.

Oracle E-Business Suite (EBS) CVE-2026-46817 is under active exploitation, putting Oracle Payments File Transmission deployments at takeover risk. The flaw allows unauthenticated HTTP access to compromise vulnerable systems through a low-complexity attack path. Oracle says it addressed the issue in the May 2026 Critical Security Patch Update, and exposed EBS instances remain at risk until patched.

The DCloud Uni-App scam-site campaign has grown into a 236,493-domain fraud network that steals credentials, drains crypto wallets, and impersonates major brands. The sites run bogus exchanges, WhatsApp phishing pages, fake gambling platforms, and other victim-facing lures, with activity ongoing since mid-2022. Some operators appear to reuse the same playbook across regions and languages, while others strip template fingerprints to evade detection. The scale and persistence make the network harder to take down and expand the pool of exposed victims.

In November 2025, Keeper client applications began rolling out quantum-resistant cryptography, adding Kyber Hybrid KEM to protect vault data against Harvest Now, Decrypt Later capture and future quantum decryption.

The Gamaredon campaign expanded across Ukraine in 2025, hitting governmental and military institutions with 35 spear-phishing campaigns and raising the risk of sensitive-data theft. The operation used archive attachments, XHTML files, and HTML smuggling to deliver HTA downloaders and follow-on payloads. It also abused legitimate cloud and paste services to hide infrastructure and support exfiltration.

The U.S. Justice Department's Criminal Division seized nearly 400 web domains tied to illegal FIFA World Cup streaming, disrupting a piracy operation built on domain infrastructure. The action was part of Operation Offsides and was coordinated with international partners through the ICHIP Network. Authorities said the domains offered unauthorized real-time streams of 2026 World Cup matches. Officials also warned that similar streaming sites can expose users to malware attacks and unsecure connections that may compromise personal and financial data.

A broad PeopleSoft zero-day exploitation campaign exposed multiple organizations to compromise after attackers abused a previously unknown Oracle PeopleSoft vulnerability. The wave widened risk for organizations running the platform, including internal reporting environments. NAIC tied its own breach to the same campaign after an unauthorized actor reached part of its PeopleSoft environment.

NAIC disclosed a security breach that exposed US citizens’ credit rating data and briefly disrupted operations tied to Oracle PeopleSoft. The breach was detected on June 11 and publicly disclosed on June 17, with a later update confirming unauthorized access through a zero-day vulnerability. Some accessed data was published, and the association temporarily suspended insurer-investment designations while containment and recovery work continued. Most operations have returned to normal, but online invoice payment via PeopleSoft remains unavailable.

The StegoAd operation was removed from the Edge Add-ons store after hiding payloads in images and fonts, stealing credentials, and driving ad fraud across installs that reached up to 2.6 million users. The extensions stayed dormant for days, evaded analysis checks, and expanded into session hijacking and covert telemetry.

An active Russian intelligence phishing campaign is impersonating Signal support to steal Backup Recovery Keys, verification codes, and account PINs, putting high-risk users at risk of account takeover. The targets include US and international government officials, military personnel, political figures, journalists, and Ukrainian officials. A June 26 PSA says the same access can expose historical private and group messages and let attackers take over the account.

NHS England Digital has issued an update advisory for libssh2 after a public proof-of-concept surfaced for CVE-2026-55200. The flaw can let a malicious or compromised SSH server corrupt memory on a connecting client and potentially achieve code execution. The advisory covers organizations running affected libssh2 builds, including bundled or static copies that may not be obvious in package inventories. Until patched builds are deployed, the guidance also points teams to restrict outbound SSH connections and verify host keys.

A public proof-of-concept for CVE-2026-55200 exposes libssh2 clients to memory corruption and possible code execution when they connect to a malicious SSH server. The flaw affects releases through 1.11.1 and is already paired with a published fix path.

Hijacked npm and Go packages now deliver a Python infostealer through a hidden VS Code auto-run task, putting developer machines and credentials at risk across Windows, Linux, and macOS. The payload chain also establishes a socket.io backdoor and uses blockchain-based dead drops to fetch later stages. The activity broadens supply-chain exposure beyond a single package ecosystem and increases the chance of credential, wallet, and developer-data theft.

KDDI Corporation confirmed an email-system breach that exposed customer credentials across six Japanese ISPs, putting account access at risk. The intrusion was detected on June 17 and publicly disclosed on June 23. KDDI said as many as 14.22 million email addresses and passwords were likely compromised, making password resets urgent.

A KDDI email-system breach exposed customer credentials across six Japanese ISPs, putting up to 14.22 million email addresses and passwords at risk. The compromise was detected on June 17 and publicly disclosed on June 23, making this a large-scale credential-exposure event. KDDI says it has modified the system and is urging affected customers to change passwords.

KDDI disclosed unauthorized access to its email system used by six Japanese ISPs after detecting the intrusion on June 17. The company said an actor exploited a vulnerability in third-party software and that up to 14.22 million email addresses and passwords were likely compromised, creating immediate account-security risk for customers of the affected providers. KDDI says it has modified the system, applied technical countermeasures, notified Japanese authorities, and urged affected users to change passwords. Public details still do not identify the vulnerable software, a CVE, or the intrusion actor, so response is focused on credential hygiene and containment rather than product-specific patch tracking.

The OYSTERBLUES malware activity used compromised accounts and spear-phishing to reach government organizations, increasing the risk of credential theft and follow-on account abuse. The payload was an information stealer, making the delivery chain especially relevant for sensitive-data collection. The activity was reported in late last month and was linked to UNC1151 in the source reporting.

A long-running phishing campaign by Russian intelligence services is stealing messaging-account credentials from officials, military personnel, politicians, and activists across Ukraine, Europe, and the U.S. The operation uses fake support SMS that impersonate a messaging platform's support bot to trick recipients into revealing access details. The activity threatens sensitive military and political communications and extends to Ukrainian personal accounts.

The FBI and CISA updated mitigation guidance for Signal users after a phishing operation began targeting Backup Recovery Keys, which can expose historical messages on compromised accounts. The advisory says legitimate support communicates only through official company email addresses, never asks for verification codes in the app, and does not send links to verify or restore accounts. Users who may have shared a key are told to create a new Backup Recovery Key so the old one no longer works for future backup downloads, although already stolen backups can still remain accessible.

CISA ordered federal agencies to patch CVE-2026-20230 in Cisco Unified Communications Manager Server by June 28, tightening exposure around an actively exploited SSRF flaw. The vulnerability was added to CISA's KEV catalog under BOD 26-04, making remediation urgent for covered agencies. Cisco had already labeled the bug critical and warned it could be exploited remotely without authentication.

A newly observed SharkLoader malware operation is staging Cobalt Strike Beacon on compromised Windows hosts, expanding post-compromise control and persistence risk. The loader reaches systems through DLL sideloading and malicious installers, including a `SystemSettings.exe` / `SystemSettings.dll` chain. Some samples use decoy PDF lures and staged components to unpack and launch the beacon. The activity raises exposure for organizations hit through public-facing application exploits and installer-based delivery.

The StrikeShark campaign is deploying SharkLoader to load Cobalt Strike Beacon on compromised hosts, raising the risk of broader follow-on intrusion activity. It has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies, and other entities across multiple countries. The operation combines exploit-driven initial access with post-compromise tooling and persistence, making it a sustained, multi-sector campaign.

Polymarket’s frontend integrity was disrupted when malicious JavaScript reached the live site through a third-party vendor, triggering fraudulent transactions and about $3 million in losses across fewer than 15 accounts. The platform said its own servers and backend infrastructure were not impacted. Polymarket also said it would fully reimburse affected customers. Independent blockchain analysis later traced the stolen funds across Polygon and Ethereum.

The Poisoned Tenant campaign is using fraudulent OpenAI organizations to lure targeted employees into shared ChatGPT workspaces, creating a risk of sensitive company data exposure. The fake invites arrived from [email protected] and passed authentication, making them look legitimate. Attackers also created tenants impersonating real companies and even attached a Visa credit card to improve credibility. The targets were mainly employees in cybersecurity and technology companies.

The newly documented TinyRCT backdoor gives CL-STA-1062 a custom remote-access payload for government and critical-infrastructure targets in Southeast Asia, expanding the operator’s ability to steal data and control compromised hosts. TinyRCT can run commands, exfiltrate files, capture screenshots, and self-delete after use. It is delivered through a malicious archive and AppDomainManager injection chain that retrieves the payload from attacker infrastructure. The activity is tied to operations that included a September 2025 government intrusion and the compromise of at least 10 organizations between October and December 2025.