Meet Cyware at Black Hat
Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence - July 15, 2026

shutterstock 2605380779

Attackers are hijacking trusted network channels and leveraging stealthy backdoors to maintain persistent access inside high-value organizations. In a recent case tracked by cyware.com, a Taiwan-based subsidiary of a global manufacturer discovered Daxin and a new Stupig backdoor operating undetected for years, highlighting the long-term espionage risk posed by advanced malware.

Critical vulnerabilities in enterprise appliances and collaboration platforms are being exploited in the wild, with SonicWall SMA1000 flaws rated as high as CVSS 10.0. Microsoft’s July 2026 Patch Tuesday addressed up to 622 vulnerabilities, including actively exploited bugs in identity and collaboration services, underscoring the scale and urgency of patch management.

Threat actors are weaponizing AI and abusing SaaS trust to accelerate data theft and extortion. China-linked hackers have operationalized tools like Claude Code and DeepSeek in live attacks, while the ShinyHunters group compromised up to 700 Salesforce tenants and leaked 40GB of university data, demonstrating the evolving tactics and scale of modern cyber campaigns.

Top Malware Reported in the Last 24 Hours

Daxin resurfaces with Stupig backdoor

Daxin is a sophisticated malware classified as an espionage platform, recently resurfacing alongside a new backdoor called Stupig. Daxin hijacks legitimate TCP traffic for stealthy command-and-control, blending encrypted communications into normal network activity. Daxin can persist for years undetected, as compile timestamps from 2013 were found on a host only discovered in May 2026. Stupig uses a Trojanized DLL for pre-authentication code execution and persists as a keyboard-layout provider, enabling SYSTEM-level command execution from the Windows logon screen. Daxin and Stupig were delivered to a Taiwan-based subsidiary of a multinational high-tech manufacturer. The intrusion was detected by internal security teams, highlighting the risk of long-term espionage and monitoring of sensitive operations.

OkoBot framework hunts crypto seed phrases

OkoBot is a modular malware framework designed to siphon cryptocurrency secrets from users. OkoBot expands from an initial TookPS infection into plugins that collect wallet seed phrases, log keystrokes and clipboard data, and capture video streams. OkoBot uses a UAC bypass technique involving Windows RPC and msconfig.exe, and its browser implant loader relies on YARA-style syntax for function resolution before injecting into Chromium-based browsers. OkoBot is distributed via ClickFix lures and fake SQL Server Management Studio packages on GitHub. OkoBot targets both individual traders and businesses holding crypto assets, with victims detected in over 25 countries including Brazil, Vietnam, Canada, Mexico, and Türkiye. Researchers have tracked OkoBot’s campaign since March 2025, noting ongoing evolution and distribution.

Jalisco phishing kit bypasses Microsoft 365 MFA

Jalisco is a phishing kit targeting Microsoft 365 accounts by abusing the OAuth 2.0 Device Authorization Grant flow. Jalisco generates fresh OAuth device codes in real time to bypass Microsoft’s 15-minute validity window and uses captured sessions to quickly access accounts. Jalisco presents benign device names during sign-in and manages stolen sessions through a web portal. Jalisco is delivered via phishing campaigns and often exfiltrates PII, financial records, and internal communications within six minutes, then pivots to extortion. Jalisco targets Microsoft 365 users globally, with parallel campaigns using OmegaLord, which masquerades as a PDF reader to collect credentials. Reporting highlights the speed and efficiency of these phishing operations.

Top Vulnerabilities Reported in Last 24 hours

Hackers seize SonicWall SMA1000 gateways

CVE-2026-15409 (server-side request forgery, CVSS 10.0) and CVE-2026-15410 (code injection, CVSS 7.2) are critical vulnerabilities in SonicWall SMA1000 appliances. Successful exploitation allows unauthorized actions and remote command execution. Attackers are already exploiting these flaws in the wild. Adam Babis of SonicWall’s PSIRT discovered and reported the issues internally. Organizations must apply patches by July 17, 2026, as set by CISA, to prevent credential theft, downstream network access, and business disruption. All internet-facing SMA1000 gateways are at risk until patched.

Actively exploited Microsoft ADFS and SharePoint bugs

CVE-2026-56155 (insufficient access control in Active Directory Federation Services) and CVE-2026-56164 (missing authentication in SharePoint Server) are server-side vulnerabilities with active exploitation. Successful exploitation can grant attackers elevated access, leading to unauthorized data exposure and follow-on compromise. Attackers are already exploiting these bugs in the wild. CISA added both CVEs to its KEV catalog, and Microsoft addressed them in the July 2026 Patch Tuesday updates. Organizations must apply the July 2026 updates, with a federal deadline of July 28, 2026, for CVE-2026-56155. All environments running affected Microsoft services are at risk until patched.

Microsoft Patch Tuesday swells as AI finds more

Microsoft’s July 2026 Patch Tuesday addressed 570 vulnerabilities, including 57 critical issues, with some reports citing a total of 622 vulnerabilities as AI accelerates discovery. Successful exploitation of these vulnerabilities can lead to administrator-level control and data access. Attackers are already exploiting some of these bugs in the wild. Researcher Chaotic Eclipse released a proof-of-concept called LegacyHive for the Windows User Profile Service, claiming it works across supported Windows versions even when fully patched. Fixes are included in the July 2026 security updates, and IT leaders must prioritize patching identity, collaboration, and endpoint components to mitigate risk.

Top Threat Actors Reported in Last 24 hours

China-linked hackers weaponize Claude and DeepSeek

China-linked hackers (suspected Chinese origin) are motivated by espionage and have operationalized AI tools in live intrusion campaigns. China-linked hackers use Claude Code and DeepSeek as part of their attack loop, running infrastructure hosting tools such as ARL (port 5003), DeepAudit (port 3000), and Vshell (port 8084) alongside stolen data and other attack tooling. China-linked hackers deploy the HSEWH-Ur malware family to steal QQ and enterprise messaging credentials, cloud-service keys, and files. China-linked hackers target government agencies and high-tech supply chains in Afghanistan, Thailand, Taiwan, and the U.S. In recent campaigns, China-linked hackers used SQL injection against a Thai government administrative system and a custom deserialization exploit for remote code execution in a Laravel application in Afghanistan. Researchers observed that routine web-application weaknesses are now paired with AI-assisted iteration to speed up exploit adaptation and phishing-page development.

Russian intelligence hacks cameras for logistics

Russian intelligence services (suspected Russian origin) are focused on military intelligence collection. Russian intelligence services target internet-connected security cameras across Europe and Ukraine, abusing weak protections like default passwords and outdated firmware. Russian intelligence services pull live video feeds and use image-recognition software to automatically spot military vehicles and cargo. Russian intelligence services have compromised cameras along military logistics routes in the Netherlands, highlighting the country’s role as a strategic transit hub. In recent campaigns, Russian intelligence services have not been observed attacking outside Ukraine, but the advisory frames the activity as proof of Russia’s capability to scale this collection method. The Netherlands’ AIVD and MIVD issued the advisory, emphasizing the risk to NATO and EU member states.

ShinyHunters hits universities and Salesforce tenants

ShinyHunters (cybercrime group, suspected financially motivated) blend SaaS account access with extortion. ShinyHunters abuse OAuth trust to pull data from corporate Salesforce environments and run high-profile leak-site pressure campaigns. ShinyHunters trick users into authorizing a malicious Salesforce Data Loader app, accessing data through legitimate APIs, impacting up to 700 victims over a year. ShinyHunters target education and SaaS sectors, with a notable breach at the University of Nottingham resulting in the leak of 40GB of data affecting 455,000 unique email addresses. ShinyHunters have also targeted Instructure Canvas and multiple UK universities. Reporting recommends patching Oracle PeopleSoft and conducting penetration tests to mitigate risk.

Frequently Asked Questions

  1. What is Daxin? Daxin, a sophisticated malware linked to Chinese espionage, has resurfaced on a compromised host inside a Taiwan-based subsidiary of a multinational high-tech manufacturer, alongside a newly identified backdoor called Stupig. It stands out for stealthy command-and-control that hijacks legitimate TCP traffic, helping attackers blend encrypted communications into normal network activity.

  2. What is OkoBot? OkoBot is a modular malware framework built to siphon cryptocurrency secrets from users through ClickFix lures and fake SQL Server Management Studio packages distributed via GitHub. Once it lands, it expands from an initial TookPS infection into plugins that collect wallet seed phrases, log keystrokes and clipboard data, and even capture video streams, turning a single compromise into a full account-drain scenario.

  3. What is Jalisco? Jalisco is a phishing kit targeting Microsoft 365 accounts by abusing the OAuth 2.0 Device Authorization Grant flow, a method that can hand attackers access without the traditional “enter your password” experience. It generates fresh OAuth device codes in real time to stay ahead of Microsoft’s 15-minute validity window, then uses captured sessions to move quickly through accounts.

  4. What is CVE-2026-15409? Attackers are actively exploiting two SonicWall SMA1000 appliance flaws that can enable unauthorized actions and remote command execution: CVE-2026-15409 (CVSS 10.0) and CVE-2026-15410 (CVSS 7.2). SonicWall says the bugs can be abused via server-side request forgery and code injection, turning an internet-facing access gateway into a foothold for broader intrusion.

  5. What is CVE-2026-56155? Two Microsoft server-side vulnerabilities now listed by CISA as known-exploited can let attackers gain elevated access in core enterprise systems: CVE-2026-56155 in Active Directory Federation Services and CVE-2026-56164 in SharePoint Server. The reported exploitation paths include insufficient access control and missing authentication, raising the risk of unauthorized access, data exposure, and follow-on compromise in environments where identity and collaboration services sit at the center of daily operations.

  6. What is Microsoft’s July 2026 Patch Tuesday? Microsoft’s July 2026 Patch Tuesday landed as one of its largest yet, with one breakdown citing 570 vulnerabilities fixed, including 57 critical issues, and another report putting the total at 622 vulnerabilities as discovery accelerates with AI. Beyond the headline volume, the update includes fixes tied to real-world break-ins, including actively exploited issues affecting Active Directory Federation Services (CVE-2026-56155) and SharePoint Server (CVE-2026-56164).

  7. What is HSEWH-Ur? The campaign also involved a malware family called HSEWH-Ur, which can steal QQ and enterprise messaging credentials, cloud-service keys, and files. Targets spanned Afghanistan, Thailand, Taiwan, and the U.S., with intrusions including SQL injection against a Thai government administrative system and a custom deserialization exploit used for remote code execution in a Laravel application in Afghanistan.

  8. What is ShinyHunters? ShinyHunters, a cybercrime group, has blended quiet SaaS account access with loud extortion—abusing OAuth trust to pull data from corporate Salesforce environments while also running high-profile leak-site pressure campaigns. In one track, they tricked users into authorizing a malicious Salesforce Data Loader app and then accessed data through legitimate APIs, a campaign that reportedly impacted up to 700 victims over a year; they also expanded by compromising third-party SaaS providers integrated with Salesforce to reach downstream customers.

Discover Related Resources