Meet Cyware at Black Hat
Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence - July 13, 2026

shutterstock 1262243092

A single phishing email can now open the door to institutional secrets, as Operation Capsule Vault leverages academic event lures to quietly deploy credential-stealing malware. Cyware spotlights how this campaign’s use of ISO files and cloud-based command-and-control infrastructure puts research and policy organizations at risk of silent compromise.

Critical flaws in widely used platforms are being exploited in real time, with attackers gaining root access to Cisco call servers and planting PHP shells in Joomla sites. With CISA adding new CVEs to its Known Exploited Vulnerabilities catalog and patch guidance rolling out, defenders must move quickly to close gaps before attackers pivot to persistent control.

State-backed groups and extortion gangs are escalating their campaigns, from FSB Center 16 targeting routers in critical infrastructure to WorldLeaks exposing the health data of over 542,000 individuals. These incidents underscore how attackers are exploiting both technical weaknesses and human trust to breach organizations and monetize sensitive information.

Top Malware Reported in the Last 24 Hours

Operation Capsule Vault (RokRAT)

Operation Capsule Vault is a spear-phishing campaign that delivers RokRAT, a remote access trojan, via malicious ISO downloads disguised as academic event invitations. Operation Capsule Vault tricks recipients with a loader masquerading as a PDF, executes code in memory, and injects the payload into explorer.exe while displaying a decoy document. Operation Capsule Vault uses an EMBED_PAYLOAD_v2 marker, a Call-Pop routine, and an XOR key (0x29) to decrypt itself, then profiles victims and enables screen capture and command execution. Operation Capsule Vault delivers the malware through spear-phishing emails and leverages cloud platforms such as pCloud, Dropbox, and Yandex Cloud for command-and-control, including Yandex OAuth tokens and a hardcoded multipart boundary string. Operation Capsule Vault targets research, policy, and academic sectors, where a single compromised inbox can expose sensitive drafts and institutional access. Researchers note infrastructure overlap with APT37.

Krybit Ransomware

Krybit is a ransomware-as-a-service operation that combines data theft with encryption to pressure victims through both exfiltration and locked systems. Krybit emerged in March 2026 and was first detected on April 3, 2026, before a public feud with rival 0APT in mid-April led to mutual breaches and exposure of Krybit’s affiliate panel. Krybit supports Windows, Linux, VMware ESXi, and NAS targets, with affiliates leveraging compromised credentials and RDP for access. Krybit’s activity aligns with MITRE ATT&CK techniques including Valid Accounts (T1078), Command and Scripting Interpreter (T1059), and Inhibit System Recovery (T1490), and it uses Tor for command-and-control and exfiltration. Krybit has impacted businesses in Germany and Spain, resulting in operational downtime and exposure of internal data.

ModHeader Chrome Extension

ModHeader, a popular Chrome extension for modifying HTTP headers, has been reported to exfiltrate user data to api[.]stanfordstudies[.]com. ModHeader hooks into page loads to collect domain activity, stores it locally, and uploads it after 1,000 unique domains are visited or 24 hours pass, using AES-GCM encryption to evade network inspection. ModHeader also reports tracking activity to extensions-hub[.]com and deletes local evidence from IndexedDB after uploading. ModHeader’s behavior was first identified on July 10, 2026, with reverse engineering completed the next day and an abuse report filed on July 12, 2026. ModHeader exposes users to covert leakage of browsing patterns tied to unique installation fingerprints.

Top Vulnerabilities Reported in Last 24 hours

CVE-2026-20230: Cisco CUCM Remote Code Execution

CVE-2026-20230 is a critical remote code execution vulnerability in Cisco Unified Communications Manager (CUCM) that allows unauthenticated attackers to execute code as root. Successful exploitation enables full takeover of voice, voicemail, conferencing, and PSTN routing services. CVE-2026-20230 is actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalog on June 25, 2026. SecureLayer7 identified the attack chain, which involves WebDialer Click-to-Call abuse, arbitrary file writes, and persistent remote code execution via rogue Axis service and webshell deployment. Cisco has released a fix, and all CUCM publishers are at risk until patched.

CVE-2026-48939 & CVE-2026-56291: Joomla Extension Zero-Days

CVE-2026-48939 and CVE-2026-56291 are zero-day remote code execution vulnerabilities in iCagenda and Balbooa Forms Joomla extensions. Exploitation allows unauthenticated attackers to upload malicious PHP files and achieve full website takeover and data theft. Both vulnerabilities are being actively exploited, with CVE-2026-48939 attacks dating to June 15, 2026, and CVE-2026-56291 disclosed on July 8, 2026. CISA and the Australian Cyber Security Centre warn of a broader CMS exploitation campaign targeting multiple platforms. Fixes are available in iCagenda 4.0.8 and 3.9.15, and Balbooa Forms 2.4.1; administrators should check specific upload directories and review accounts for suspicious additions.

CVE-2026-57219 & CVE-2026-57221: RabbitMQ OAuth and Authorization Flaws

CVE-2026-57219 (CVSS 8.7) and CVE-2026-57221 are vulnerabilities in RabbitMQ that can expose OAuth client secrets and allow unauthorized actions. Successful exploitation could let attackers access or alter messages, create users, or change broker configurations. No active exploitation has been reported in the provided source material. Miggo Security discovered the flaws using its VulnHunter platform, and the second issue can help attackers gather intelligence in shared environments. Patches are available in RabbitMQ 3.13.15, 4.0.20, 4.1.11, and 4.2.6; organizations should rotate exposed OAuth secrets and isolate tenants until patching is complete.

Top Threat Actors Reported in Last 24 hours

FSB Center 16 (Russian State Hackers)

FSB Center 16, described as Russian state hackers, is suspected to originate from Russia and is primarily motivated by espionage and disruption. FSB Center 16 scans for internet-facing routers using default SNMP authentication strings and exploits Cisco’s Smart Install feature, including CVE-2018-0171, to pull configuration files from Cisco IOS and IOS XE software. FSB Center 16 leverages router-level access to gain upstream control over energy, communications, defense, healthcare, and financial services sectors. FSB Center 16 has been linked to the “FrostArmada” campaign, which used DNS hijacking to steal Microsoft 365 logins by tampering with SOHO routers. Authorities recommend upgrading to SNMPv3, disabling Cisco Smart Install, enforcing strong passwords, and blocking TFTP and SNMP traffic at edge firewalls.

Operation Capsule Vault (APT37 Overlap)

Operation Capsule Vault, with suspected links to APT37, is believed to originate from North Korea and is motivated by intelligence collection. Operation Capsule Vault uses spear-phishing emails crafted as academic event invitations to deliver RokRAT malware, employing ISO downloads and loaders disguised as documents. Operation Capsule Vault decrypts payloads using an EMBED_PAYLOAD_v2 marker, a Call-Pop routine, and an XOR key of 0x29, then profiles victims and enables screen capture and remote command execution. Operation Capsule Vault targets universities, think tanks, and policy teams in research and academic sectors. The campaign’s command-and-control infrastructure leverages pCloud, Dropbox, and Yandex Cloud, with analysts noting overlaps with APT37 infrastructure.

WorldLeaks

WorldLeaks, an extortion-focused group suspected to have emerged after the Hunters International ransomware shutdown, is believed to operate for financial gain. WorldLeaks uses unauthorized access and data theft as primary tactics, with a focus on pressuring victims through exposure of sensitive information. WorldLeaks targeted Centers Laboratory in New Jersey, breaching systems between August 9 and August 14, 2025, and exposing personal and health data of 542,377 individuals. WorldLeaks has previously targeted major organizations including Nike and Dell. SecurityWeek and the US HHS healthcare breach tracker reported on the incident, highlighting the long-term privacy and fraud risks for affected patients.

Frequently Asked Questions

  1. What is Operation Capsule Vault? Operation Capsule Vault is a spear-phishing campaign that uses malicious ISO downloads to deliver RokRAT while posing as an academic event invitation. It tricks recipients with a loader disguised as a PDF, then runs code in memory and injects the payload into explorer.exe so the victim sees a decoy while the infection proceeds.

  2. What is Krybit? Krybit is a ransomware-as-a-service operation that combines data theft with encryption, pressuring victims twice—first through exfiltration, then through locked systems. It emerged in March 2026 and was first detected on April 3, 2026, before a mid-April public feud with rival 0APT escalated into mutual breaches that exposed Krybit’s affiliate panel.

  3. What is ModHeader? ModHeader, a popular Chrome extension for modifying HTTP headers, has been reported to exfiltrate user data to api[.]stanfordstudies[.]com. The extension hooks into page loads to collect domain activity, stores it locally, then uploads it after either 1,000 unique domains are visited or 24 hours pass, using AES-GCM encryption to blunt network inspection.

  4. What is CVE-2026-20230? A critical flaw in Cisco Unified Communications Manager (CUCM) (CVE-2026-20230) lets unauthenticated attackers execute code as root on the CUCM publisher, opening the door to takeover of voice, voicemail, conferencing, and PSTN routing. SecureLayer7 reports the path to compromise runs through CUCM’s WebDialer Click-to-Call service, where attackers can pivot from server-side request abuse into arbitrary file writes and then remote code execution that can persist across reboots.

  5. What is CVE-2026-48939? Two zero-day vulnerabilities in Joomla extensions iCagenda and Balbooa Forms (CVE-2026-48939 and CVE-2026-56291) are being used to achieve remote code execution by uploading malicious files, according to CISA. In plain terms, an unauthenticated attacker can plant PHP code on a vulnerable site and run it, which can lead to full website takeover and downstream data theft.

  6. What is CVE-2026-57219? Two newly disclosed RabbitMQ vulnerabilities could hand attackers the keys to enterprise messaging environments by exposing OAuth client secrets and enabling unauthorized actions (CVE-2026-57219, CVSS 8.7; and CVE-2026-57221). CSO Online reports that one issue can leak OAuth configurations tied to common identity providers, while the other can bypass authorization checks during certain queue and exchange operations—potentially letting attackers access or alter messages, create users, or change broker configurations.

  7. What is FSB Center 16? FSB Center 16, described in a joint advisory as Russian state hackers, has been linked to a long-running effort to break into critical infrastructure by abusing weaknesses in internet-facing routers. Authorities say they have scanned for devices using default SNMP authentication strings and exploited Cisco’s Smart Install feature, including abusing CVE-2018-0171 to pull configuration files from Cisco IOS and IOS XE software.

  8. What is WorldLeaks? WorldLeaks, an extortion-focused group, was blamed for a data breach at New Jersey-based Centers Laboratory that exposed personal and health information tied to 542,377 individuals. The incident involved unauthorized access to the company’s systems between August 9 and August 14, 2025, according to reporting that cited the US HHS healthcare breach tracker.

Discover Related Resources