Cyware Daily Threat Intelligence - July 16, 2026

A single PowerShell command can now open the door to a modular malware platform that adapts on the fly, as TELEPUZ rides the CLICKFIX-VIDAR chain to quietly establish a durable foothold. Cyware highlights how attackers leverage anti-analysis tricks and evolving payloads to turn one misstep into credential theft and persistent compromise, with Elastic Security Labs tracking infrastructure like memshowblob[.]forum and hurgadatour[.]shop.
Attackers are actively exploiting critical flaws in enterprise staples, with CVE-2026-46817 threatening Oracle Payments and two SonicWall zero-days giving intruders root-level access. Nearly 10,000 SharePoint servers are exposed online, and over 800 remain unpatched against recent CVEs, putting sensitive financial and internal documents at risk across sectors.
AI is accelerating cybercrime, as a China-linked espionage group automates phishing and exploit development using Claude Code and DeepSeek, while Russian-speaking actors like bandcampro use Gemini CLI to migrate botnet infrastructure in just six minutes. These shifts compress the time and skill needed for attacks, with 89% of C2 migration text generated by AI and campaigns targeting government, supply chain, and elderly victims in the U.S. and Canada.
Top Malware Reported in the Last 24 Hours
TELEPUZ MaaS rides CLICKFIX-VIDAR chains
TELEPUZ is a modular Malware-as-a-Service payload designed for flexible credential theft and follow-on compromise. TELEPUZ delivers additional components after initial infection, allowing operators to evolve the attack’s capabilities. TELEPUZ employs anti-analysis features such as anti-VM checks, debugger detection, indirect syscalls, and string encryption to evade detection. TELEPUZ arrives via a VIDAR variant after victims execute a PowerShell command, with distribution tracked through CLICKFIX-VIDAR infection chains. TELEPUZ targets businesses and organizations, providing attackers with a persistent foothold on compromised systems. Elastic Security Labs identified delivery infrastructure including memshowblob[.]forum and hurgadatour[.]shop.
UAT-11795 pushes Starland RAT via installers
UAT-11795 is a financially motivated, Russian-speaking threat actor distributing Starland RAT through trojanized software installers. UAT-11795 initiates attacks with an HTA file that downloads a trojanized NSIS installer, which then establishes persistence and steals browser data, cryptocurrency wallet information, system details, and Active Directory data. UAT-11795 uses a PowerShell framework called WLDR for encrypted command-and-control, enabling remote commands and delivery of additional malware such as CastleStealer and Remcos RAT. UAT-11795 leverages infrastructure including eorthopaedics[.]com and sastoro[.]com for staging and C2 operations. UAT-11795 primarily targets victims in the U.S., Germany, Romania, and Venezuela, where a single fake installer can result in account takeover and direct financial theft. Cisco Talos and BleepingComputer have documented the campaign’s infrastructure and tactics.
ClickLock Stealer tricks macOS users
ClickLock Stealer is a newly identified macOS infostealer that exfiltrates credentials, Keychain data, and cryptocurrency information while establishing a persistent backdoor. ClickLock Stealer lures victims with a fake Cloudflare CAPTCHA and a deceptive macOS password dialog to simulate a legitimate security check. ClickLock Stealer employs a kill-loop technique to keep victims engaged during data collection. ClickLock Stealer is distributed via compromised WordPress sites and uses Telegram for exfiltration, with observed domains including panalobet[.]ph, store.grafsynergy[.]com, and cottonbox[.]co[.]il. ClickLock Stealer targets macOS users, leading to stolen Keychain secrets, account lockouts, and financial fraud. Group-IB reported the campaign and its distribution infrastructure.
Top Vulnerabilities Reported in Last 24 hours
Oracle Payments bug risks financial takeover (CVE-2026-46817)
CVE-2026-46817 is a vulnerability in the Oracle Payments component of Oracle E-Business Suite that allows unauthenticated attackers to take over the application and access sensitive finance data. Successful exploitation of CVE-2026-46817 can compromise payment workflows and financial records tied to ERP systems. CVE-2026-46817 is actively exploited in the wild. CISA has not attributed the attacks or released technical details or IOCs. CISA set a remediation deadline of July 18, 2026 for federal agencies, urging private-sector organizations to follow suit. The advisory recommends reviewing logs for unusual activity and securing all affected Oracle Payments deployments.
SonicWall SMA1000 zero-days fuel break-ins (CVE-2026-15409, CVE-2026-15410)
CVE-2026-15409 and CVE-2026-15410 are zero-day vulnerabilities in SonicWall SMA1000 Series appliances that enable attackers to gain unauthorized access to internal services and root-level control. Exploitation of these flaws allows attackers to establish backdoors, extract credentials, and trigger anomalous Active Directory authentications. Both CVEs are being actively exploited in the wild. Rapid7 reported a public proof-of-concept for CVE-2026-15409 and noted a Metasploit module is in development. SonicWall released hotfixes in platform versions 12.4.3-03453 and 12.5.0-02835 or later, and recommends forensic reviews, password changes, and TOTP token resets after compromise.
SharePoint bugs let hackers breach servers (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164)
CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 are vulnerabilities in Microsoft SharePoint Server that allow attackers to bypass authentication, execute code remotely, and maintain persistence. Exploitation of these CVEs can result in data theft, unauthorized access, and malware deployment on high-value document repositories. Attackers are actively exploiting these vulnerabilities in the wild. CISA added the CVEs to its Known Exploited Vulnerabilities Catalog on April 14, July 1, and July 14, and Shadowserver reports nearly 10,000 internet-exposed SharePoint servers, with over 800 unpatched against CVE-2026-32201 and CVE-2026-45659. Microsoft has released patches and recommends enabling AMSI integration and Microsoft Defender Antivirus detections; federal agencies must secure affected servers by July 17 under Binding Operational Directive 26-04.
Top Threat Actors Reported in Last 24 hours
China-linked spies automate intrusions with AI
A China-linked cyber espionage campaign is suspected to originate from China and is motivated by intelligence collection. A China-linked cyber espionage campaign uses Claude Code and DeepSeek to automate phishing-page creation and exploit reworking. A China-linked cyber espionage campaign leverages a network of 13 Hong Kong-based servers to break into government systems in Thailand via SQL injection and compromise a government web app in Afghanistan, while also targeting supply chain and defense-linked organizations in Taiwan. A China-linked cyber espionage campaign deploys malware communicating over WebSocket and employs a Go obfuscation tool to hinder analysis. Researchers identified a shared 80-byte encryption key across the campaign, indicating a common codebase and intermediate-to-advanced capability.
Bandcampro uses Gemini CLI to run botnet
bandcampro (a Russian-speaking hacker) is suspected to originate from Russia and is motivated by financial crime. bandcampro uses Gemini CLI to rapidly set up and migrate command-and-control infrastructure for a botnet, completing the process in six minutes. bandcampro leverages AI to generate 89% of the text in a C2 migration session, supporting architecture, code generation, troubleshooting, credential mutation, and WordPress administrator password attacks. bandcampro targets individuals and small organizations, accelerating brute-force and account takeover operations. bandcampro’s campaign includes AI-facilitated planning for cryptocurrency fraud targeting elderly victims in the United States and Canada, as documented in logs from March 19 through April 21, 2026.
Frequently Asked Questions
What is TELEPUZ? TELEPUZ is a modular Malware-as-a-Service payload that’s spreading through CLICKFIX-VIDAR infection chains and rapidly expanding since early June 2026. After victims are tricked into running a PowerShell command, it arrives via a VIDAR variant that pulls down additional components, giving operators flexibility to evolve what the infection does next.
What is UAT-11795? UAT-11795 is a financially motivated, Russian-speaking threat actor distributing Starland RAT through trojanized software installers in a volume-driven campaign observed since June 2025. It typically starts with an HTA file that fetches a trojanized NSIS installer, then the payload establishes persistence and begins stealing browser data, cryptocurrency wallet information, system details, and even Active Directory data.
What is ClickLock Stealer? ClickLock Stealer is a newly identified macOS infostealer that targets credentials, Keychain data, and cryptocurrency information, then plants a persistent backdoor for repeat access. It lures victims with a fake Cloudflare CAPTCHA and follows up with a fake macOS password dialog, aiming to make the theft feel like a routine security check.
What is CVE-2026-46817? CISA says attackers are actively exploiting a flaw in Oracle E-Business Suite’s Oracle Payments component that could let an unauthenticated intruder take over the application and reach sensitive finance data (CVE-2026-46817). In plain terms, this puts payment workflows and the financial records tied to ERP systems at risk, with potential fallout that can spread beyond a single app into connected enterprise systems.
What is CVE-2026-15409? Two newly disclosed SonicWall SMA1000 Series flaws are being used to break into perimeter appliances, giving attackers a path to unauthorized access to internal services and even root-level control (CVE-2026-15409, CVE-2026-15410). Rapid7 reports intruders chaining the issues to establish backdoors, extract credentials, and trigger anomalous Active Directory authentications—an entry point that can quickly turn into broader network compromise.
What is CVE-2026-32201? CISA is warning that attackers are actively exploiting multiple Microsoft SharePoint Server vulnerabilities that can be used to bypass authentication, execute code remotely, and maintain persistence (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164). For organizations, that combination can translate into data theft, long-term unauthorized access, and potential malware deployment on systems that often store high-value internal documents.
What is A China-linked cyber espionage campaign? A China-linked cyber espionage campaign has been caught using Claude Code and DeepSeek to speed up real-world intrusions, turning routine tasks like phishing-page creation and exploit reworking into something closer to an assembly line. They used a network of 13 Hong Kong-based servers and were observed breaking into government systems in Thailand via SQL injection and compromising a government web app in Afghanistan, while also mapping and exploiting supply chain and defense-linked organizations in Taiwan.
What is bandcampro? bandcampro, a Russian-speaking hacker, showed how quickly AI assistants can compress criminal workflows by using Gemini CLI to stand up and migrate command-and-control infrastructure for a botnet in six minutes. Logs analyzed from March 19 through April 21, 2026 show the AI generating 89% of the text in a C2 migration session, with the tool helping with architecture, code generation, and troubleshooting.