Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence - June 30, 2026

shutterstock 2176637153

A ransomware operation is slashing through global networks, locking up nearly 500 organizations and exposing the economics of cybercrime. Cyware tracks how a 90/10 affiliate payout model is fueling The Gentlemen’s rapid rise, with attackers leveraging VPNs and remote gateways to trigger operational shutdowns across Windows, Linux, and ESXi environments.

A critical flaw in SimpleHelp RMM servers is opening the door for attackers to seize control of managed systems. Over 14,000 servers are exposed online, with more than 7% vulnerable, letting intruders create rogue Technician accounts and deploy infostealers that pivot into cloud environments.

A malicious browser extension campaign has quietly siphoned sensitive data from 2.6 million Edge users, chunking clipboard contents and leaking credentials to hardcoded endpoints. Microsoft’s takedown of 119 StegoAd extensions reveals how browser add-ons can become covert infostealer delivery vehicles.

Top Malware Reported in the Last 24 Hours

The Gentlemen ransomware reshapes RaaS economics

The Gentlemen is a ransomware-as-a-service operation that offers affiliates a lucrative 90/10 revenue split to drive rapid adoption. The Gentlemen uses reconnaissance tools such as SharpADWS, NetScan, and Advanced IP Scanner to map networks and escalate privileges. The Gentlemen can encrypt files across Windows, Linux, NAS, and ESXi environments, leveraging a Go-based locker with Curve25519 key exchange and XChaCha20 encryption, and employs BYOVD techniques to disable defenses. The Gentlemen typically gains access through internet-facing infrastructure such as VPNs, firewalls, and remote-access gateways. The Gentlemen targets organizations outside the US, causing operational shutdowns and ransom demands. Researchers at Halcyon documented a backend leak in May 2026, and victim counts have reached nearly 300 (Halcyon), 332-plus (Krebs), and 483 (leak-site monitoring) by mid-2026.

CVE-2026-48558 opens SimpleHelp to hijacking

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp RMM servers that carries a severe risk for managed service providers. CVE-2026-48558 allows attackers to create unauthorized Technician accounts by exploiting improper verification of digital signatures in OpenID Connect authentication tokens. CVE-2026-48558 is being actively exploited, with attackers using forged tokens to seize control and deploy infostealer malware for credential theft and lateral movement into cloud environments. Horizon3.ai disclosed the flaw on June 12, 2026, and both Blackpoint and CISA confirmed active exploitation. Over 14,000 SimpleHelp servers are internet-accessible, with more than 7% vulnerable; a patch is available and organizations are urged to monitor for unusual activity and conduct security audits.

StegoAd extensions quietly siphon user data

StegoAd is a malicious browser-extension campaign that reached 2.6 million Edge users before 119 extensions were removed by Microsoft. StegoAd extensions masqueraded as ad blockers and video downloaders, but a subset later downloaded malware for ad fraud, credential theft, and session hijacking, using steganography to hide code in images. StegoAd relied on broad permissions such as clipboard access, proxy control, and tab access to monitor user activity and capture sensitive data. StegoAd exfiltrated clipboard data in chunks to hardcoded endpoints, leaking passwords, one-time codes, and cryptocurrency addresses. Microsoft reported that only about 10% of installs activated malicious behavior, prolonging the campaign’s evasion of detection.

Top Vulnerabilities Reported in Last 24 hours

CVE-2026-48558: SimpleHelp flaw opens MSPs to infostealers

CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp RMM servers with a patch available as of June 2026. Successful exploitation allows attackers to create unauthorized Technician accounts and seize control of managed environments. CVE-2026-48558 is being actively exploited, with attackers deploying infostealer malware and stealing credentials to pivot into cloud systems. Horizon3.ai disclosed the flaw, while Blackpoint and CISA confirmed real-world exploitation. Over 14,000 servers are internet-accessible, with more than 7% vulnerable; organizations should patch immediately and audit for unauthorized activity.

CVE-2026-46817: Hackers hit Oracle Payments via EBS bug

CVE-2026-46817 is a critical vulnerability in Oracle E-Business Suite (Oracle Payments) with a CVSS 9.8 score. CVE-2026-46817 enables unauthenticated attackers to take control of payment systems, exposing payroll records, bank details, and Social Security numbers. CVE-2026-46817 is under active exploitation, though no public proof-of-concept is available. The cybersecurity firm Defused observed the activity, which echoes prior Oracle EBS exploitation by the Cl0p ransomware group. Oracle released patches on May 28, 2026, and organizations should update immediately to mitigate risk.

CVE-2026-8037: LoadMaster bug enables root command execution

CVE-2026-8037 is a critical command injection vulnerability in Progress Kemp LoadMaster appliances, affecting GA v7.2.63.1 and older and LTSF v7.2.54.17 and older. CVE-2026-8037 allows unauthenticated attackers to execute arbitrary commands as root by exploiting a missing null terminator in the escape_quotes() function, enabling memory manipulation via extra JSON keys. No exploitation has been reported yet, but a working proof of concept is available. Progress’s advisory also addressed CVE-2026-33691 (WAF bypass). Organizations should upgrade to GA v7.2.63.2 or LTSF v7.2.54.18 to mitigate risk.

Top Threat Actors Reported in Last 24 hours

The Gentlemen RaaS scales via affiliate payouts

The Gentlemen is a ransomware-as-a-service (RaaS) operation of suspected criminal origin, motivated by profit. The Gentlemen uses a 90/10 revenue split to attract affiliates and leverages internet-facing infrastructure, reconnaissance tools, and BYOVD techniques to disable defenses. The Gentlemen deploys multiple encryptor variants, including a Go-based locker, to target Windows, Linux, NAS, and ESXi environments. The Gentlemen targets organizations globally, with a notable presence outside the US. In May 2026, a backend leak exposed infrastructure and victim data, but The Gentlemen continued operations and partnered with BreachForums. Leak-site tracking attributed 483 victims to the group.

ToddyCat steals Gmail access via OAuth

ToddyCat is an APT group of suspected foreign origin, focused on espionage. ToddyCat uses a new tool called Umbrij to abuse OAuth tokens and automate Shadow Token via Remote Debug (STRD) attacks. ToddyCat deploys Umbrij, a .NET DLL obfuscated with ConfuserEx, to launch Chromium-based browsers in headless mode and extract authorization codes using Puppeteer Sharp. ToddyCat targets corporate Gmail accounts and connected Google services, bypassing typical suspicious login alerts. Kaspersky’s Securelist discovered the campaign and recommends monitoring for DLL sideloading and browser launches with --remote-debugging-port and --headless arguments.

FSB-linked actors phish messaging accounts

A Russian cyber espionage operation linked to FSB-associated groups UNC5792, UNC4221, and Star Blizzard is suspected of targeting officials, military personnel, and activists across Ukraine, Europe, and the United States for intelligence collection. The actors use a tiered playbook, with high-value targets facing tailored techniques and ordinary citizens receiving SMS phishing and impersonated platform support bots. The actors rotate techniques and target lists, timing outreach in morning hours to increase success. The actors compromise messaging accounts, exposing operations, contacts, and safety-sensitive details. A joint SSU and FBI investigation publicized the campaign and recommended enabling two-factor authentication with a complex alphanumeric PIN and avoiding QR codes from unknown sources.

Frequently Asked Questions

  1. What is The Gentlemen? The Gentlemen is a ransomware-as-a-service operation that has climbed fast by offering affiliates a lucrative 90/10 revenue split, helping it rack up hundreds of claimed victims by mid-2026. It typically gets in through internet-facing infrastructure such as VPNs, firewalls, and remote-access gateways, then uses reconnaissance tools including SharpADWS, NetScan, and Advanced IP Scanner to map networks and move deeper.

  2. What is CVE-2026-48558? CVE-2026-48558 is a critical SimpleHelp RMM server flaw now being exploited to create unauthorized Technician accounts and seize control of managed systems. The weakness stems from improper verification of digital signatures in OpenID Connect authentication tokens, enabling attackers to use forged OpenID Connect tokens to bypass authentication.

  3. What is StegoAd? StegoAd is a malicious browser-extension campaign that Microsoft says reached 2.6 million users in the Edge add-on store before 119 extensions were removed. The add-ons posed as everyday tools like ad blockers and video downloaders, but a subset later turned rogue and pulled down malware for ad fraud, credential theft, and session hijacking, using steganography to hide code inside images.

  4. What is CVE-2026-46817? A critical Oracle E-Business Suite flaw in Oracle Payments (CVE-2026-46817, CVSS 9.8) is under active exploitation, enabling unauthenticated attackers to take control of a system many organizations use to run payment-related workflows. In practical terms, a compromise here can expose high-value financial and identity data handled by back-office systems, potentially including payroll records, bank details, and Social Security numbers.

  5. What is CVE-2026-8037? A critical Progress Kemp LoadMaster vulnerability (CVE-2026-8037) lets unauthenticated attackers execute arbitrary commands as root, putting an edge-deployed load balancer in a position to become an entry point into internal networks. The flaw sits in the escape_quotes() function, where a missing null terminator can leave input improperly sanitized and enable command injection by manipulating memory with extra JSON keys.

  6. What is ToddyCat? ToddyCat, an APT group, is targeting corporate email hosted on Gmail by using a new tool called Umbrij to abuse OAuth tokens and quietly gain access to Google services. Rather than relying on obvious password theft alone, they automate an attack flow described as Shadow Token via Remote Debug (STRD), helping them stay under the radar of typical monitoring.

  7. What is UNC5792? A Russian cyber espionage operation linked to FSB-associated groups UNC5792, UNC4221, and Star Blizzard is targeting messaging accounts of officials, military personnel, and activists across Ukraine, Europe, and the United States to collect intelligence rather than cause disruption. They use a tiered playbook: high-value targets face more tailored techniques, while ordinary citizens are hit with SMS phishing and impersonated “platform support” bots designed to trick victims into handing over credentials and recovery keys.

Discover Related Resources