
Cyware Daily Threat Intelligence - June 26, 2026


A single click on a booby-trapped WinRAR archive can now hand over persistent access to attackers, as campaigns exploiting CVE-2025-8088 use stealthy shortcuts and PowerShell loaders to quietly steal credentials and documents. Cyware highlights how this operation leverages NTFS Alternate Data Streams and infrastructure like evoxt[.]com to evade detection, putting users at risk of account takeover and data loss that can persist beyond the initial compromise.

Industrial supply chains face immediate risk as attackers actively exploit a remote code execution flaw in PTC Windchill and FlexPLM (CVE-2026-12569). With federal agencies required to patch by June 28 and persistent webshells already reported, organizations must move quickly to prevent attackers from taking control of critical product lifecycle systems.

A massive data breach at Madison Square Garden has exposed 26 million records, including 10 million email addresses, after ShinyHunters published a 42GB dataset online. The fallout extends beyond headlines, as exposed contact details can fuel targeted scams and account takeovers, with legal action now underway in the United States.

Top Malware Reported in the Last 24 Hours

CVE-2025-8088 turns WinRAR into malware

CVE-2025-8088 is a WinRAR vulnerability that is being exploited to turn a simple archive open into persistent malware. Exploiting it lets attackers write a startup shortcut that executes at every user login; the shortcut is hidden using NTFS Alternate Data Streams and launches a multi-stage PowerShell loader padded with junk functions and random identifiers to hinder analysis. The loader decodes a large, headerless PE image in memory, and the resulting payload targets data such as Chromium and Firefox credentials, documents, and VPN configurations for exfiltration. The campaign leverages a Ukrainian reconnaissance-themed lure previously linked to UAC-0226 and GIFTEDCROOK, and it targets users globally, with infrastructure such as evoxt[.]com and 142[.]111[.]194[.]73 used to evade detection. Its impact is persistent account takeover and data loss, and the lure ties it to prior reconnaissance operations.
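A defender-side check for the persistence mechanism described above, added here as an example and not taken from the briefing or any vendor report: it lists alternate data streams on Startup-folder items and resolves any shortcut whose target invokes PowerShell. The Startup locations are the standard Windows special folders; the shortcut argument patterns it flags are my assumptions.

```powershell
# Added example, not code from the Cyware briefing or any vendor report.
# Audits the per-user and all-users Startup folders for the persistence
# pattern described above: a login shortcut hidden with NTFS Alternate
# Data Streams that launches a PowerShell loader. Folder paths come from
# the standard Windows special-folder lookup; the flagged argument
# patterns are assumptions about typical loader command lines.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($dir in $startupDirs) {
    # Check the folder itself plus every file in it; an ADS can hang off either.
    $items = @(Get-Item -LiteralPath $dir -Force) +
             @(Get-ChildItem -LiteralPath $dir -Force -File)
    foreach ($item in $items) {
        # Every file carries the default ':$DATA' stream; anything else is an ADS.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Reason = "alternate data stream '$($_.Stream)' ($($_.Length) bytes)"
                }
            }
        # Resolve .lnk targets and flag ones that invoke PowerShell or pass
        # arguments typical of loaders (encoded command, hidden window, bypass).
        if ($item.Extension -eq '.lnk') {
            $sc = $shell.CreateShortcut($item.FullName)
            if ($sc.TargetPath -match 'powershell|pwsh' -or
                $sc.Arguments -match '-e(nc|ncodedcommand)?\b|-w(indowstyle)? +hidden|bypass') {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Reason = "shortcut runs $($sc.TargetPath) $($sc.Arguments)"
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No alternate data streams or PowerShell shortcuts found in Startup folders.' }
```

Run it as the affected user for the per-user folder and elevated for the all-users folder; any hit is a lead to triage, not proof of compromise, since legitimate software occasionally drops Startup shortcuts.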

Photo ZIP phish plants Node implant

Photo ZIP is a phishing campaign targeting the hospitality sector with photo-themed ZIP attachments that masquerade as images but trigger a malware chain via shortcut files. Photo ZIP employs multilingual phishing lures in Japanese, Danish, and Dutch, and since April 2026, Photo ZIP has targeted organizations across Europe and Asia in two evolving waves. Photo ZIP moves through obfuscated PowerShell and dynamic .NET DLL compilation before deploying a Node.js implant for persistent access via registry-based persistence. Microsoft reports Photo ZIP’s obfuscation has progressed through seven phases, indicating active adaptation. Photo ZIP communicates over non-standard ports to infrastructure including safedocphoto[.]info and 178.16.54[.]27, leaving hotel and travel organizations vulnerable to prolonged unauthorized access.

StealC infostealer hits 385,000 PCs

StealC is an infostealer that has infected approximately 385,000 Windows computers globally, including 3,000 in the Netherlands and 8,200 in Germany. StealC spreads via the Amadey loader and is distributed through phishing and ClickFix-style attacks that trick users into executing the infection chain. StealC steals passwords and login data at scale, with investigators uncovering 9.9 million unique login credentials and 9.6 million password hashes. StealC’s dataset includes accounts from major email services such as Gmail (1.5 million), Hotmail (138,000), Outlook (72,000), Yahoo (68,000), and iCloud (24,000). StealC’s impact is widespread account takeover risk, and authorities urge victims to change credentials and enable two-factor authentication where possible.

Top Vulnerabilities Reported in the Last 24 Hours

Amazon Q bug turns repos into traps

A critical flaw in the Amazon Q Developer Extension for Visual Studio Code allowed attackers to execute arbitrary code by getting a developer to open a malicious project. The vulnerability enabled exposure of cloud credentials, API keys, and internal access by automatically loading Model Context Protocol (MCP) server configurations from workspace files without user consent. Attackers could leverage this to pivot from a developer laptop into cloud environments, escalating a routine code review into a broader compromise. Researchers at Wiz discovered the issue and identified it as a systemic risk for AI coding tools that auto-execute context. A fix is available in language server version 1.65.0 or later, and all users should update immediately.

Active attacks hit PTC Windchill servers

CVE-2026-12569 is a remote code execution vulnerability in PTC Windchill and FlexPLM that is being actively exploited, allowing remote, unauthenticated attackers to run code and take control of product lifecycle systems. The flaw stems from improper handling of user input, and attackers have used it to deploy persistent webshells for ongoing access and data theft. PTC issued warnings and released patches starting June 17, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to address it by June 28. German police had previously issued proactive warnings to PTC customers about similar risks.

Synology MailPlus bugs expose private email

CVE-2026-13136, CVE-2026-13135, and CVE-2025-15660 are vulnerabilities in Synology MailPlus Server that could enable unauthorized access and denial-of-service attacks on NAS-based private email systems. Together they allow remote file access and exposure of internal services, and, for attackers on an adjacent network, exploitation of a weak pseudo-random number generator. No active exploitation has been reported, but Bitsight’s Groma Explorer identified over 2,100 internet-facing deployments, with concentrations in Germany, the US, and parts of Asia. Synology has released a fix in MailPlus Server 4.0.1-31663, and organizations should update to prevent unauthorized email access, service outages, and business disruption.

Top Threat Actors Reported in the Last 24 Hours

Turla uses STOCKSTAY in Ukraine

Turla is a Russia-linked cyber-espionage group and suspected state-sponsored actor focused on intelligence collection. Turla recently deployed a .NET backdoor called STOCKSTAY in intrusions targeting government and military networks, especially in Ukraine. Turla uses a multi-part toolset in which STOCKSTAY.STOCKMARKET orchestrates activity and STOCKSTAY.STOCKBROKER manages communications over secure WebSocket connections. The backdoor employs environmental keying and Windows-1251 encoding, and code overlaps with the KAZUAR toolkit reinforce the attribution to Turla. Turla targets public-sector and defense organizations, establishing persistent access for long-term intelligence collection. Google’s Threat Intelligence team reported that STOCKSTAY has been in development since December 2022, with ongoing updates and evolving infrastructure, and defenders are advised to monitor for published YARA rules and block known C2 channels.

ShinyHunters leaks Madison Square Garden data

ShinyHunters is a financially motivated data-extortion group suspected to operate globally. ShinyHunters recently published a 42GB dataset containing 26 million records tied to Madison Square Garden after a ransom demand was not met. ShinyHunters’ leak includes internal business data and personal details such as names, addresses, phone numbers, and about 10 million email addresses. ShinyHunters targets high-profile organizations, exposing visitors to targeted scams and account-takeover attempts. The stolen email addresses have been added to Have I Been Pwned, and legal actions have been initiated in the United States against Madison Square Garden’s operators.

Akira ransomware stages attack via hypervisor

Akira ransomware is a financially motivated extortion operation. Akira was recently observed accessing a hypervisor and creating a new virtual machine to stage and launch its encryption run. Its pre-attack discovery included opening files such as AdUsers.txt and AdComp.txt with Notepad for Active Directory enumeration, and it staged and exfiltrated data using tools like WinSCP and Easyupload[.]io. By operating from the virtualization layer, Akira complicates incident response, since key activity occurs inside a freshly created VM that existing endpoint tooling may not cover. Huntress reported rapid progression in the attack, including attempts to disable Microsoft Defender and the use of WinRAR for staging.

Frequently Asked Questions

  1. What is CVE-2025-8088? CVE-2025-8088 is being exploited to turn a WinRAR file open into persistence: attackers write a startup shortcut that runs every time the user logs in. Instead of dropping an obvious executable, the campaign hides its shortcut using NTFS Alternate Data Streams and then runs a multi-stage PowerShell loader that’s padded with junk functions and random identifiers to slow analysis.

  2. What is Photo ZIP? Microsoft says the Photo ZIP campaign is hitting the hospitality industry with photo-themed ZIP attachments that masquerade as images but trigger a malware chain through shortcut files. It uses multilingual phishing lures in Japanese, Danish, and Dutch, and since April 2026 it has targeted organizations across Europe and Asia in two evolving waves.

  3. What is StealC? StealC has infected about 385,000 Windows computers globally, including 3,000 in the Netherlands and 8,200 in Germany, according to reporting on a police-led disruption. It spreads via the Amadey loader and is pushed through phishing and ClickFix-style attacks that trick users into running the infection chain.

  4. What is CVE-2026-12569? A remote code execution flaw in PTC Windchill and FlexPLM (CVE-2026-12569) is being actively exploited, giving remote, unauthenticated attackers a path to run code and take control of product lifecycle systems used across industrial supply chains. The bug stems from improper handling of user input, enabling specially crafted requests to execute attacker-controlled code and, in reported cases, deploy persistent webshells for ongoing access and data theft.

  5. What is CVE-2026-13136? Synology patched three vulnerabilities in MailPlus Server that could enable unauthorized access and denial-of-service attacks on organizations running private email on NAS infrastructure. The issues include CVE-2026-13136 (faulty authorization checks that can allow remote file access and DoS), CVE-2026-13135 (improper restriction of communication channels that could expose internal services), and CVE-2025-15660 (a weak pseudo-random number generator that could help adjacent attackers access files and trigger DoS).

  6. What is Turla? Turla, a Russia-linked cyber-espionage group, has been tied to a .NET backdoor called STOCKSTAY, used in intrusions targeting government and military networks with a focus on Ukraine. After initial access, they deploy a multi-part toolset in which STOCKSTAY.STOCKMARKET orchestrates activity and STOCKSTAY.STOCKBROKER handles communications over secure WebSocket connections.

  7. What is ShinyHunters? ShinyHunters, a financially motivated data-extortion group, has published a large tranche of stolen information tied to Madison Square Garden after a ransom demand was not met. They announced the breach on June 12, claiming 26 million records in a 42GB dataset that includes internal business data and personal details such as names, addresses, phone numbers, and roughly 10 million email addresses.

  8. What is Akira ransomware? The Akira ransomware operation, a financially motivated extortion crew, was recently documented using an unusual staging method: they accessed a hypervisor and created a new virtual machine to prepare and launch the encryption run. From there, they moved quickly through pre-attack discovery, including using Notepad to open files such as AdUsers.txt and AdComp.txt for Active Directory enumeration.
