Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence - July 03, 2026

shutterstock 2277664453

A single click on a lookalike download page can turn a routine software update into a full credential heist. Cyware highlights how PamStealer is targeting macOS users with fake sites like maccyapp[.]com, using environment-aware fingerprinting and PAM API abuse to steal passwords and persist as a system imposter.

Attackers are racing to exploit newly disclosed vulnerabilities, with CVE-2026-8451 in Citrix NetScaler seeing coordinated exploitation within 24 hours. Memory disclosure flaws and unquoted XML attributes are letting intruders leak secrets and escalate attacks before many organizations can patch.

Ransomware crews are scaling up supply-chain attacks and credential theft, with campaigns like FortiBleed targeting over 430,000 FortiGate firewalls and Vect and TeamPCP leveraging poisoned updates and AI-driven social engineering to paralyze operations across North America.

Top Malware Reported in the Last 24 Hours

PamStealer tricks macOS users with fake Maccy

PamStealer is a newly identified macOS infostealer designed to harvest credentials and sensitive data. PamStealer uses environment-aware fingerprinting—such as CPU architecture, locale, keyboard layout, and time zone—to derive a decryption key for its next-stage payload. PamStealer captures the victim’s login password via the PAM API, displays a decoy Gatekeeper-style alert, and establishes persistence by impersonating macOS System Settings. PamStealer spreads through fake download sites including maccyapp[.]com and maccyapp[.]net, tricking users into installing the malware. PamStealer targets macOS users searching for legitimate software, with the real Maccy app developer warning about these impersonation sites. The report recommends blocking access to the known malicious domains and monitoring for unusual outbound network activity.

JadePuffer brings LLM-driven agentic ransomware

JadePuffer is a ransomware operation classified as the first documented “agentic” infection, where an LLM-driven agent automates extortion from initial access through destructive actions. JadePuffer exploits CVE-2025-3248 in Langflow to harvest secrets, including LLM provider API keys and cloud credentials for Alibaba, Tencent, Huawei, AWS, Azure, and GCP. JadePuffer maintains persistence with a crontab that calls back every 30 minutes, allowing the agent to continue operating after initial activity. JadePuffer demonstrates “self-narrating” behavior and rapid adaptation, enabling the operator to iterate quickly within victim environments. JadePuffer targets cloud environments and LLM-integrated platforms, with Sysdig credited for discovery. The report advises patching CVE-2025-3248 and revoking any compromised API keys and cloud credentials.

SharkLoader delivers Cobalt Strike via exploits

SharkLoader is a newly identified malware loader associated with the StrikeShark intrusion cluster, delivering Cobalt Strike Beacon into compromised environments. SharkLoader uses signed Windows executables for DLL side-loading, layered encryption, reflective loading, and API hooking to evade detection. SharkLoader interferes with ETW logging and modifies memory protections during sleep intervals to reduce visibility. SharkLoader is distributed via droppers disguised as legitimate software, such as Cisco AnyConnect and Google Update, and targets vulnerable internet-facing systems including Openfire, GeoServer, Fortinet, Cisco IOS XE, Apache Shiro, F5 BIG-IP, Hikvision, and Zimbra. SharkLoader has impacted government organizations, diplomatic entities, and software development companies. The report recommends monitoring for memory-protection modifications and blocking the hash 6a5f9bd0e4a0c385b98cc7b528be53a95ff9c4ccffa8c1f65448ab792a46186c.

Top Vulnerabilities Reported in Last 24 hours

Citrix NetScaler bug exploited within a day

CVE-2026-8451 is a memory-disclosure vulnerability in Citrix NetScaler ADC and Gateway (CVSS not specified) that allows attackers to expose sensitive data from device memory without authentication. Successful exploitation of CVE-2026-8451 can leak secrets and enable further escalation. Attackers are already exploiting this vulnerability in the wild, with Lupovis reporting coordinated scanning and exploitation within 24 hours of disclosure. Researchers at watchTowr discovered the flaw, and Lupovis documented real-world exploitation targeting NetScaler devices configured as SAML Identity Providers. Citrix advises reviewing logs for suspicious requests, patching to 14.1-72.61 or 13.1-63.18, and disabling SAML IdP functionality if patching is not feasible.

SharePoint server bug enables remote code execution

CVE-2026-45659 is a deserialization of untrusted data vulnerability in Microsoft SharePoint Server (CVSS not specified) that enables remote code execution on vulnerable on-premises deployments. Exploitation of CVE-2026-45659 allows attackers to execute arbitrary code by feeding SharePoint data it incorrectly treats as safe. Attackers are already exploiting this vulnerability in the wild, as confirmed by its inclusion in the CISA KEV catalog and Canada’s cyber agency. The alert covers SharePoint Enterprise Server 2016 (before 16.0.5552.1002), SharePoint Server 2019 (before 16.0.10417.20128), and SharePoint Server Subscription Edition (before 16.0.19725.20280). The agency recommends identifying all on-premises SharePoint instances and applying the latest security updates, especially with SharePoint 2016 and 2019 reaching end-of-life on July 14, 2026.

WinRAR .rev files can trigger code execution

CVE-2026-14191 is a memory corruption vulnerability in WinRAR and UnRAR (CVSS not specified) that allows remote code execution via crafted .rev (RAR recovery volume) files. Exploitation of CVE-2026-14191 can cause WinRAR or UnRAR to write data outside allocated memory, enabling arbitrary code execution. No active exploitation was reported in the provided source, but similar WinRAR bugs have been used in targeted campaigns previously. The affected products are WinRAR and UnRAR, with risk highest in environments where users open compressed attachments from email or chat. Users must manually update to WinRAR 7.23, as automatic updates are not provided, and should keep anti-malware protections current.

Top Threat Actors Reported in Last 24 hours

FortiBleed feeds INC and Lynx ransomware

FortiBleed is a cybercriminal campaign of suspected criminal origin, tied to ransomware crews INC Ransom and Lynx, with a primary motive of credential theft and ransomware deployment. FortiBleed uses compromised FortiGate firewalls to run FortiGate Sniffer, intercept VPN login credentials, dump firewall configurations, and crack password hashes. FortiBleed maintains persistent backdoor accounts and sniffers to eavesdrop on network traffic, and may have abused a suspected zero-day in Nextcloud to expand access. FortiBleed targets organizations with exposed edge devices, leading to widespread disruption across hundreds of systems. The campaign reportedly targeted over 430,000 FortiGate firewalls using roughly 500 servers, with at least twelve organizations cited as having systems encrypted.

Vect and TeamPCP scale supply-chain ransomware

Vect and TeamPCP are threat actors of suspected criminal origin, focused on ransomware deployment, supply-chain compromise, and credential harvesting. Vect and TeamPCP exploit React2Shell (CVE-2025-55182) and use AI agents for social engineering, while also targeting vulnerabilities in Docker APIs and Kubernetes clusters. Vect and TeamPCP leverage poisoned updates and compromised build pipelines to enable broad credential theft and ransomware deployment. Vect and TeamPCP target technology, finance, healthcare, and government sectors in Canada and the United States, among other countries. The campaign has been linked to incidents involving Trivy and Checkmarx, with network activity observed using outbound port 666. Sophos reported the activity and its impact on operational continuity and data exposure.

StrikeShark deploys SharkLoader for intrusions

StrikeShark is an intrusion cluster of suspected criminal origin, focused on follow-on compromise using SharkLoader. StrikeShark targets vulnerable internet-facing applications including Openfire, GeoServer, Fortinet, Cisco IOS XE, Apache Shiro, F5 BIG-IP, Hikvision, and Zimbra. StrikeShark uses droppers disguised as legitimate tools such as Cisco AnyConnect and Google Update, and employs layered encryption, reflective loading, and API hooking to evade detection. StrikeShark interferes with ETW logging and leverages techniques that reduce visibility during execution. StrikeShark targets government organizations, diplomatic entities, and software development companies, exposing sensitive communications and intellectual property. PolySwarm reported StrikeShark as a delivery framework designed to keep access durable and hard to audit.

Frequently Asked Questions

  1. What is PamStealer? PamStealer is a newly identified macOS infostealer that hides behind lookalike download pages to convince users they’re installing a legitimate app, then steals credentials and other sensitive data. It spreads through fake sites including maccyapp[.]com and maccyapp[.]net, and it uses environment-aware fingerprinting—such as CPU architecture, locale, keyboard layout, and time zone—to derive a decryption key that unlocks the next-stage payload.

  2. What is JadePuffer? JadePuffer is a ransomware operation that Sysdig says is the first documented case of an “agentic” infection, where an LLM-driven agent automates the extortion workflow from initial access through destructive actions. It broke in by exploiting CVE-2025-3248 in Langflow, then harvested secrets including LLM provider API keys and cloud credentials tied to Alibaba, Tencent, Huawei, AWS, Azure, and GCP.

  3. What is SharkLoader? SharkLoader is a newly identified malware loader tied to the StrikeShark intrusion cluster, used to deliver Cobalt Strike Beacon into compromised environments. It targets vulnerable internet-facing systems in products including Openfire, GeoServer, Fortinet, Cisco IOS XE, Apache Shiro, F5 BIG-IP, Hikvision, and Zimbra, while also using droppers disguised as legitimate software such as Cisco AnyConnect and Google Update.

  4. What is CVE-2026-8451? Attackers are moving fast on a Citrix NetScaler memory-disclosure flaw that can expose sensitive data straight from device memory without authentication (CVE-2026-8451). The abuse path hinges on improper handling of unquoted XML attribute values inside SAML AuthnRequest messages sent to the /saml/login endpoint, which can trigger a memory overread and leak secrets that help intruders escalate further.

  5. What is CVE-2026-45659? A Microsoft SharePoint Server vulnerability now listed as actively exploited can let attackers execute code remotely on vulnerable on-prem deployments (CVE-2026-45659). The issue stems from deserialization of untrusted data, meaning an attacker can feed SharePoint data it incorrectly treats as safe and turn that into code execution under the right conditions.

  6. What is CVE-2026-14191? A WinRAR flaw shows how a single booby-trapped file can become a takeover moment: crafted .rev (RAR recovery volume) files can lead to remote code execution (CVE-2026-14191). The attack works by causing memory corruption—a malicious .rev file can make WinRAR (or UnRAR) write data outside allocated memory, opening the door to arbitrary code running on the victim machine.

  7. What is FortiBleed? FortiBleed, a cybercriminal campaign tied to ransomware crews INC Ransom and Lynx, is turning perimeter devices into silent credential traps that can lead straight to network-wide encryption events. Investigators say they used compromised FortiGate firewalls to run FortiGate Sniffer, intercepting VPN login credentials and then pivoting deeper by dumping firewall configurations and cracking password hashes.

  8. What is Vect? Vect and TeamPCP have teamed up in a partnership that blends ransomware deployment with supply-chain compromise and credential harvesting, raising the odds that a single poisoned update or build pipeline can cascade into many victims. They have been linked to high-profile incidents including Trivy and Checkmarx, with TeamPCP exploiting React2Shell (CVE-2025-55182) and using AI agents for social engineering to widen access.

  9. What is StrikeShark? StrikeShark, an intrusion cluster using the newly identified SharkLoader, is focused on turning widely deployed enterprise software flaws into fast lanes for follow-on compromise using Cobalt Strike Beacon. They target vulnerable internet-facing applications including Openfire, GeoServer, Fortinet, Cisco IOS XE, Apache Shiro, F5 BIG-IP, Hikvision, and Zimbra, then use droppers disguised as legitimate tools such as Cisco AnyConnect and Google Update to blend into normal IT activity.

Discover Related Resources