Cyware Daily Threat Intelligence - July 06, 2026

A surge in covert data exfiltration techniques is challenging traditional security boundaries, as attackers find new ways to siphon sensitive information from even the most isolated systems. On cyware.com, researchers detail how a single compromised display can become a high-speed radio transmitter, moving data at rates that far outpace previous air-gap bypasses.
Meanwhile, the threat landscape for enterprise defenses is shifting as web application firewalls and administrative consoles face critical vulnerabilities. With CVSS scores reaching 9.3, attackers can hijack sessions or slip malicious payloads past trusted controls, putting business-critical applications and sensitive backend systems at risk.
Threat actors are escalating their campaigns, with cybercriminal groups breaching healthcare giants and exposing millions of records, while state-linked hackers compromise tens of thousands of network devices across nearly 200 countries. Extortion tactics are evolving, as attackers demand million-dollar ransoms and threaten to leak troves of sensitive files if their demands are not met.
Top Malware Reported in the Last 24 Hours
TrojPix
TrojPix is a lab-demonstrated data-theft method classified as a covert exfiltration technique. TrojPix leverages imperceptible pixel modulation to transform on-screen content into faint radio signals emitted from video cables, enabling data transmission to a nearby receiver without administrator rights or hardware modifications. TrojPix achieves a peak throughput of 8.1 Mbps, far surpassing earlier approaches like TEMPEST-LoRa (21.6 kbps and up to 87.5 meters), and can rapidly drain isolated systems once compromised. TrojPix requires malware to be running on the target and capable of drawing to the display, but does not need elevated privileges or hardware changes. TrojPix was tested across multiple monitor brands and video cables, indicating broad applicability in real-world environments, though it has not been observed in the wild. The technique was documented by researchers, who recommend fiber-optic video links, cable or area shielding, robust malware prevention, and periodic security audits to mitigate exposure.
QuimaRAT
QuimaRAT is a Java-based remote access trojan (RAT) offered as malware-as-a-service, providing cross-platform remote control capabilities. QuimaRAT includes a comprehensive toolkit—Quima Control, Builder, Loader, and Dropper—allowing operators to customize payload delivery and expand features with encrypted plugins for credential theft and remote command execution. QuimaRAT employs a browser-cache delivery method to evade Windows protections such as SmartScreen, blending infections into normal user activity. QuimaRAT’s architecture emphasizes stealth and persistence, featuring a Pastebin-based C2 update mechanism and a watchdog to maintain communications. QuimaRAT targets Windows, Linux, and macOS systems, with infection artifacts detectable through threat hunting. Defensive measures include blocking the published SHA256, monitoring for unusual network activity, using application whitelisting, and searching for infection traces.
SkillCloak
SkillCloak is a technique for disguising malicious skills in AI coding agents, enabling them to evade static scanners while executing harmful actions at runtime. SkillCloak uses self-extracting packing to bypass over 90% of scanners (and over 99% on most), while a lighter rewriting approach still evades over 80% of tools and 96% on one. SkillCloak’s risk is amplified by the ClawHavoc campaign, which identified 341 malicious skills hiding payloads in ignored directories like .git/ or using size-padding to evade checks. SkillCloak’s techniques undermine marketplace vetting, making static analysis unreliable. SKILLDETONATE, an OS-level behavioral analysis tool, counters SkillCloak with a 97% detection rate and 2% false alarm rate, though it operates slower than traditional scanning. Recommended mitigations include monitoring ignored directories for large or high-entropy files, using behavioral tools like SKILLDETONATE, and installing skills only from vetted sources.
Top Vulnerabilities Reported in Last 24 hours
CVE-2026-11712, CVE-2026-11708, CVE-2026-11595 (IBM WebSphere Application Server)
CVE-2026-11712 and CVE-2026-11708 are cross-site scripting (XSS) vulnerabilities in the integrated help system of IBM WebSphere Application Server 8.5 and 9.0 (CVSS 9.3), while CVE-2026-11595 is a path traversal flaw (CVSS 4.3). Successful exploitation of the XSS vulnerabilities allows attackers to execute scripts in an administrator’s browser, hijack sessions, or manipulate data. The XSS issues require minimal user interaction, such as opening a crafted link, and can result in compromised administrative access and operational disruption. The vulnerabilities were disclosed in a security report, with fixes available via interim APAR PH71756 or by upgrading to Fix Pack 9.0.5.29 (for 9.0) and 8.5.5.31 (for 8.5). Organizations running business-critical applications on WebSphere are urged to apply the patches to mitigate risk.
CVE-2026-52761, CVE-2026-52747 (ModSecurity)
CVE-2026-52761 and CVE-2026-52747 are vulnerabilities in the ModSecurity web application firewall that allow crafted HTTP requests to bypass WAF rules. CVE-2026-52761 is a transformation bug in utf8toUnicode that can truncate Unicode handling on 32-bit systems, while CVE-2026-52747 is a multipart parser flaw that strips line breaks from non-file form fields, creating a mismatch between WAF inspection and backend processing. No active exploits have been publicly reported for these vulnerabilities. The flaws were disclosed in a security advisory, and a fix is available in ModSecurity 3.0.16. Organizations relying on ModSecurity are advised to update to the latest version to ensure protection against evasive attacks.
Top Threat Actors Reported in Last 24 hours
ShinyHunters
ShinyHunters is a cybercriminal group of suspected international origin focused on data theft and extortion. ShinyHunters orchestrated a breach at Medtronic, exposing personal data tied to over 3.8 million individuals and claiming theft of more than nine million records. ShinyHunters threatened to leak the data if a ransom was not paid by April 21, following unauthorized access detected between April 13 and April 19, 2026. ShinyHunters’ breach exposed names, contact information, dates of birth, Social Security numbers, and unspecified health information. ShinyHunters’ actions have raised public concerns about the storage and security of sensitive patient data by device manufacturers. Affected individuals are advised to monitor their credit and seek clarification on the specific health information compromised.
Russian hackers (FortiBleed campaign)
A set of Russian hackers, suspected to be state-linked, are conducting the FortiBleed campaign with a primary motive of credential theft and espionage. The Russian hackers have compromised more than 80,000 Fortinet firewalls across 194 countries since at least February 2026, surfacing a cache of working credentials including logins for government-linked staff. The Russian hackers use perimeter device exploitation and credential harvesting as key TTPs, exposing IT personnel at British embassies in Thailand and Mauritius, as well as local government workers in Derbyshire and Waltham Forest, UK. The campaign leverages vulnerable Fortinet devices as a direct path to sensitive government data and internal systems. SOCRadar verified a database containing 86,644 working login credentials, highlighting the scale of the exposure.
Kairos
Kairos is a data extortion group of suspected international origin, focused on stealing files and pressuring victims through publication threats rather than ransomware deployment. Kairos targeted a U.S. government agency, claiming theft of 1,602,775 files totaling 2 TB, and used a 28-day negotiation to extract a $1 million Bitcoin ransom. Kairos threatened to publish sensitive folders, including one labeled “prosecutors office,” to increase pressure during negotiations. Kairos reportedly gained initial access through brute-force credential attacks and operates via Tor and email, listing victims on a leak site. Public-sector organizations are advised to establish pre-approved escalation paths for negotiation support and to recognize that attackers’ deletion claims cannot be verified.
Frequently Asked Questions
What is TrojPix? <b>TrojPix</b> is a lab-demonstrated data-theft method that can pull files from air-gapped computers by turning what’s on the screen into faint radio signals emitted from video cables. It uses imperceptible pixel modulation to transmit data to a nearby receiver without administrator rights or any hardware changes, as long as malware is already running on the machine and can draw to the display.
What is QuimaRAT? <b>QuimaRAT</b> is a Java-based remote access trojan sold as malware-as-a-service that aims to give buyers hands-on control of Windows, Linux, and macOS systems. It packages a full toolkit—Quima Control, Builder, Loader, and Dropper—so operators can tailor how the payload lands and then expand capabilities with encrypted plugins, including credential theft and remote command execution.
What is SkillCloak? <b>SkillCloak</b> is a technique for disguising malicious “skills” for AI coding agents so they look harmless to static scanners while still executing harmful behavior at runtime. Using self-extracting packing, it was shown to bypass over <b>90%</b> of scanners (and over <b>99%</b> on most), while a lighter rewriting approach still cleared over <b>80%</b> on most tools and <b>96%</b> on one—making marketplace vetting far less reliable.
What is CVE-2026-11712? IBM WebSphere Application Server 8.5 and 9.0 are affected by multiple flaws in the administrative console’s integrated help system, including two XSS issues (<b>CVE-2026-11712</b> and <b>CVE-2026-11708</b>, CVSS <b>9.3</b>) that can let attackers run script in an admin’s browser and take over sessions or manipulate data. The same area also contains a path traversal bug (<b>CVE-2026-11595</b>, CVSS <b>4.3</b>) that could allow unauthorized access to sensitive files if the interface is exposed.
What is CVE-2026-52761? Two vulnerabilities in the ModSecurity web application firewall can allow crafted HTTP requests to bypass WAF rules, weakening a control many organizations rely on to block malicious payloads (<b>CVE-2026-52761</b> and <b>CVE-2026-52747</b>). One issue is a transformation bug in <i>utf8toUnicode</i> that can truncate Unicode handling on 32-bit systems, while the other is a multipart parser flaw that strips line breaks from non-file form fields—creating a mismatch between what the WAF inspects and what a backend may actually process.
What is ShinyHunters? <b>ShinyHunters</b>, a cybercriminal group, is behind a breach at medical device giant Medtronic that exposed personal data tied to <b>over 3.8 million</b> people. They claimed to have stolen more than nine million records and threatened to leak the data if a ransom was not paid by April 21, after Medtronic detected unauthorized access between April 13 and April 19, 2026.
What is Russian hackers? A set of <b>Russian hackers</b> is being blamed for the “FortiBleed” campaign, which has compromised more than <b>80,000</b> Fortinet firewalls across <b>194 countries</b> since at least February 2026. They surfaced a cache of working credentials that includes logins tied to government-linked staff, such as IT personnel at British embassies in Thailand and Mauritius.
What is Kairos? <b>Kairos</b> is a data extortion group that pressures victims by stealing files and threatening publication, rather than deploying ransomware. They targeted a U.S. government agency, claimed to have stolen <b>1,602,775 files</b> totaling <b>2 TB</b>, and used a 28-day negotiation to push the agency into paying <b>$1 million</b> in Bitcoin.