Cyware Daily Threat Intelligence - June 16, 2026

A single poisoned web visit can now trigger a full-scale compromise, as attackers leverage GULoader to slip past filters and deliver in-memory payloads directly to Windows desktops. Cyware spotlights how defenders reconstructed the attack chain using ANY.RUN and EDR telemetry, revealing how quickly a compromised WordPress site can escalate into a business workstation breach.
Ransomware operators are blending into enterprise collaboration traffic, with DragonForce abusing Microsoft Teams’ TURN relay to mask command-and-control during a December 2025 attack. The operation paired custom Go-based tooling and BYOVD exploits, making malicious activity nearly indistinguishable from routine Teams usage.
Critical infrastructure faces new risks as attackers exploit CVE-2026-20262 in Cisco Catalyst SD-WAN Manager, granting root access and enabling device takeover. Rapid7 warns that attackers are actively exploiting exposed ports, with fixes now available for multiple vulnerable versions.
Extortion groups are targeting sensitive sectors, as iRhythm Technologies confirmed a breach involving protected health information and proprietary data. The incident, traced to social engineering against third-party business apps, triggered a threat actor demand and exposed patient details, though clinical systems remained unaffected.
Top Malware Reported in the Last 24 Hours
GULoader web-to-desktop infection chain
GULoader is a malware loader that delivers infostealer and RAT payloads through a compromised WordPress-to-Windows infection chain. GULoader uses an EtherHiding-style delivery path, displaying malicious overlays only to desktop browsers and launching via rundll32.exe to evade simple filters. GULoader initializes an in-memory shellcode downloader linked to multiple malware families. GULoader is delivered after initial site compromise, targeting Windows desktops through poisoned web visits. GULoader has been observed in active intrusions, with incident responders using ANY.RUN and EDR telemetry to reconstruct the attack chain. Elastic Defend’s behavioral rule successfully blocked GULoader before full execution.
DragonForce ransomware leverages Teams relay
DragonForce is a ransomware operation associated with the Scattered Spider ecosystem, specializing in stealthy command-and-control. DragonForce abuses Microsoft Teams’ TURN relay infrastructure to blend malicious traffic with legitimate collaboration data. DragonForce employs custom Go-based tooling and Bring Your Own Vulnerable Driver (BYOVD) techniques, exploiting drivers tied to CVE-2023-52271, CVE-2025-61155, and CVE-2025-1055. DragonForce targets major U.S. services companies, using Backdoor.Turn RAT to maintain access. Symantec and Praetorian’s “Ghost Calls” research linked DragonForce to advanced relay abuse, complicating detection in enterprise environments.
UNC6508 targets REDCap medical research
UNC6508 is a China-linked espionage cluster that deploys the InfiniteRed backdoor to exfiltrate sensitive research data from REDCap servers. UNC6508 uses credential-harvesting components and a backdoor supporting remote commands, file transfers, and SQL queries. UNC6508 leverages residential proxies and compromised routers to complicate attribution. UNC6508 targets North American medical institutions, focusing on molecular discovery, clinical drug trials, public health policy, and military readiness. Google Threat Intelligence Group (GTIG) tracked UNC6508’s activity for over a year and notified multiple U.S. and Canadian organizations.
Top Vulnerabilities Reported in the Last 24 Hours
CVE-2026-20262: Cisco SD-WAN root access flaw
CVE-2026-20262 is a file upload vulnerability in Cisco Catalyst SD-WAN Manager that enables authenticated attackers to gain root access. Successful exploitation allows attackers to overwrite or create files on the underlying OS, leading to device takeover and configuration tampering. CVE-2026-20262 is actively exploited in the wild, with reports describing limited but real-world abuse. Rapid7 identified SD-WAN platforms as high-value targets because of their role in traffic rerouting and interception. Cisco has released security updates for the affected release trains: 20.12.7 and earlier (fixed in 20.12.7.2), 20.15.4 and earlier (fixed in 20.15.4.5), 20.15.5 and earlier (fixed in 20.15.5.3), 20.18.3 and earlier (fixed in 20.18.3.1), 26.1.1 and earlier (fixed in 26.1.1.2), and versions earlier than 20.9.9.2.
CVE-2026-54420: LiteSpeed cPanel privilege escalation
CVE-2026-54420 is a privilege escalation vulnerability in the LiteSpeed cPanel Plugin (CVSS 8.5) affecting CloudLinux and CageFS shared hosting servers. Exploitation allows users with FTP or web shell access to escalate privileges to root, risking full server compromise and exposure of neighboring customer data. CVE-2026-54420 is actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalog. Namecheap reported the flaw, attributing it to symlink handling weaknesses. Mitigation involves checking logs for suspicious activity using the provided grep command and monitoring for indicators such as “generateEcCert immediately followed by packageUserSize” and “7-10 concurrent calls per attempt.”
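Added detection example, not from Cyware or Namecheap: it scans plugin log lines for the two indicators quoted above, generateEcCert immediately followed by packageUserSize for the same account, and a burst of 7-10 calls in one second (same-second grouping stands in for "concurrent"). The real LiteSpeed plugin log layout is not on this page, so the sample lines and LINE_RE are constructed and must be adapted to the actual format.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical "<timestamp> user=<acct> call=<fn>"
# format. It is NOT the real LiteSpeed plugin log layout; adapt LINE_RE to yours.
SAMPLE_LOG = [
    "2026-06-15T10:00:00 user=site1 call=listDomains",
    "2026-06-15T10:00:01 user=site1 call=generateEcCert",
    "2026-06-15T10:00:03 user=site1 call=listDomains",
    "2026-06-15T10:00:01 user=site2 call=generateEcCert",
    "2026-06-15T10:00:01 user=site2 call=packageUserSize",
] + [
    f"2026-06-15T10:00:02 user=site2 call={fn}"
    for _ in range(4) for fn in ("generateEcCert", "packageUserSize")
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) call=(?P<call>\S+)$")

def parse(lines):
    """Return (timestamp, user, call) tuples in log order; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["user"], m["call"]))
    return events

def sequence_hits(events):
    """Per account, flag each generateEcCert immediately followed by packageUserSize."""
    hits, last_call = [], {}
    for ts, user, call in events:
        if call == "packageUserSize" and last_call.get(user) == "generateEcCert":
            hits.append((user, ts))
        last_call[user] = call
    return hits

def burst_hits(events, low=7, high=10):
    """Per account and second, flag 7-10 calls landing in the same second."""
    per_second = Counter((user, ts) for ts, user, _ in events)
    return sorted((user, ts, n) for (user, ts), n in per_second.items() if low <= n <= high)

def suspicious_users(lines):
    """Accounts showing both indicators; review these first."""
    events = parse(lines)
    seq = {user for user, _ in sequence_hits(events)}
    burst = {user for user, _, _ in burst_hits(events)}
    return sorted(seq & burst)
```

Accounts matching only one indicator are still worth a look; the intersection just orders the triage.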
CVE-2026-48558: SimpleHelp rogue technician account creation
CVE-2026-48558 is an authentication bypass vulnerability in SimpleHelp remote management software that allows unauthenticated attackers to create new privileged technician accounts. Exploitation grants attackers control over managed endpoints, bypassing multi-factor authentication in OIDC-enabled deployments. No active exploitation has been reported for CVE-2026-48558. BleepingComputer highlighted that only servers with OIDC enabled, a Technician Group linked to the OIDC provider, and “Allow group authenticated logins” enabled are vulnerable, with about 7.2% of SimpleHelp servers affected. Mitigation includes reviewing logs at /opt/SimpleHelp/logs/server.log and /opt/SimpleHelp/logs/<yyyymmdd-hhmmss>/server.log for unauthorized account creation.
Top Threat Actors Reported in the Last 24 Hours
iRhythm Technologies breach and PHI extortion
iRhythm Technologies is a U.S. medical device company targeted by a threat actor of unknown origin, with financial extortion as the primary motive. iRhythm Technologies suffered a breach involving the theft of protected health information (PHI) and proprietary data, following a social engineering attack against third-party-hosted business applications. iRhythm Technologies confirmed data exfiltration and received a payment demand from the threat actor. iRhythm Technologies reported that clinical systems and financial data were not affected. iRhythm Technologies faces immediate risk of PHI exposure and extortion pressure, but found no evidence of ongoing unauthorized access. iRhythm Technologies disclosed the incident after detecting suspicious activity on June 8 and confirming exfiltration on June 10.
ShinyHunters breach at Infinite Campus
ShinyHunters is an extortion group suspected to originate from Eastern Europe, with a focus on data theft and resale. ShinyHunters targets Salesforce customers and exploits zero-days in Oracle PeopleSoft, compromising personal details of school staff at Infinite Campus. ShinyHunters uses phishing and credential theft to access staff accounts, exposing names, emails, and phone numbers. ShinyHunters targets over 3,200 U.S. school districts and 11 million students, raising risks of follow-on phishing and account takeover. ShinyHunters’ campaign resulted in exposure of 137,100 accounts, as confirmed by Have I Been Pwned. ShinyHunters has previously targeted more than 100 organizations using Oracle PeopleSoft vulnerabilities.
GhostWriter phishing campaign against Polish public figures
GhostWriter (also tracked as UNC1151) is a Belarus-linked hacker group suspected of espionage and influence operations. GhostWriter uses phishing campaigns to steal Gmail credentials and two-factor authentication codes from Polish public figures and their families. GhostWriter leverages a steady stream of new domains hosting phishing pages, with infrastructure changing almost daily. GhostWriter targets government officials, researchers, journalists, public administration employees, law enforcement, translators, and court experts in Poland. GhostWriter’s recent campaign threatens surveillance, document leaks, and pressure tactics against individuals and institutions. GhostWriter’s activity has been observed by multiple security researchers tracking daily infrastructure changes.
Frequently Asked Questions
What is GULoader? GULoader surfaced in April 2026 as the intended payload in a chain that starts with compromised WordPress sites and ends on Windows desktops, using an EtherHiding-style delivery path that only shows malicious overlays to desktop browsers. After the initial site compromise, it attempts to launch via rundll32.exe in a way that helps it slip past simple filters, aiming to initialize an in-memory shellcode downloader that has been linked to infostealer and RAT families.
What is DragonForce? DragonForce, a ransomware operation linked to the Scattered Spider ecosystem, masked its command-and-control by abusing Microsoft Teams’ TURN relay infrastructure during a December 2025 intrusion at a major U.S. services company. In that incident, it paired custom Go-based tooling with tactics designed to blend malicious traffic into normal collaboration-platform noise, making the attack harder to spot in busy enterprise networks.
What is UNC6508? UNC6508, a China-linked espionage cluster tracked by Google Threat Intelligence Group (GTIG), targeted REDCap servers to deploy InfiniteRed and siphon sensitive research data from a North American medical institution. Once inside, it uses a credential-harvesting component and a backdoor that supports remote commands, file transfers, and SQL queries—capabilities that can quietly expose study data and internal systems over long periods.
What is CVE-2026-20262? A flaw in Cisco Catalyst SD-WAN Manager lets an authenticated attacker reach root access by abusing file uploads to overwrite or create files on the underlying operating system (CVE-2026-20262). In plain terms, that can let an intruder take over the device and alter configurations or data in ways that undermine trust in what the network is doing.
What is CVE-2026-54420? A privilege-escalation flaw in the LiteSpeed cPanel Plugin can let a user with only FTP or web shell access jump to root on shared hosting servers running CloudLinux or CageFS (CVE-2026-54420, CVSS 8.5). The consequence for hosting providers is stark: one compromised site could become a stepping-stone to seize broader control of the server and neighboring customer data.
What is CVE-2026-48558? A bug in SimpleHelp remote management software allows unauthenticated attackers to create new privileged technician accounts, effectively granting themselves a foothold to control managed endpoints (CVE-2026-48558). The weakness is tied to OpenID Connect (OIDC): in affected deployments, an attacker can create and log in as a new Technician user without multi-factor authentication, turning a remote support tool into an access path.
What is iRhythm Technologies? iRhythm Technologies disclosed a breach after spotting suspicious activity on June 8, then receiving a threat actor claim on June 9 that sensitive data—including protected health information (PHI) and proprietary information—had been stolen in exchange for a payoff. They confirmed data exfiltration on June 10 and said the incident was material due to the volume of information involved.
What is ShinyHunters? ShinyHunters, an extortion group known for targeting Salesforce customers, has been blamed for a breach at Infinite Campus, a widely used K‑12 student information system provider. The incident compromised personal details tied to school staff accounts, including names, email addresses, phone numbers, and other information.
What is GhostWriter? GhostWriter, a Belarus-linked hacker group, has expanded phishing operations to target Gmail accounts belonging to Polish public figures and their families. They aim to steal login credentials and two-factor authentication codes, a combination that can grant access to private communications and sensitive files.