June 6, 2026

01 · CVE-2026-41089 — Netlogon pre-auth RCE under active exploitation; patch all DCs this weekend

#vuln · Confidence: multi-source corroborated

Belgium's Centre for Cybersecurity (CCB) confirmed on May 29 that attackers are actively exploiting this CVSS 9.8 stack-based buffer overflow in the Windows Netlogon Remote Protocol against unpatched domain controllers. The flaw requires no credentials, no user interaction, and no local access — a specially crafted network packet is enough to execute arbitrary code on any supported Windows Server acting as a DC. Microsoft's WARP team discovered it and shipped a fix in the May 12 Patch Tuesday release, initially rating exploitation as "less likely." PoC code has been shared publicly by security researchers. CCB has not attributed in-the-wild activity to a specific threat actor, and Microsoft's MSRC advisory had not been updated to reflect active-exploitation status as of this writing. CVE-2026-41089 has not been added to the CISA KEV catalog as of publication — several aggregator sources reported this incorrectly. The rapid weaponization of ZeroLogon (CVE-2020-1472) provides a useful historical comparison — that Netlogon flaw moved from disclosure to ransomware deployment within days.

Defender action: Patch all DCs in a single maintenance window — half-patched forests are not a defensible posture for a pre-auth DC bug. Restrict Netlogon RPC at the network layer; monitor for unexpected service restarts, authentication anomalies, and LSASS-related events.

Sources: Help Net Security · primary analysis · MSRC advisory (not yet updated to reflect active exploitation)


02 · Miasma — self-propagating npm worm hits 32 official @redhat-cloud-services packages; CI/CD pipeline the trust path

#malware #supply-chain · Confidence: multi-source corroborated (Wiz, Snyk, Aikido)

On June 1, a compromised Red Hat employee's GitHub account was used to publish backdoored versions of 32 packages in the @redhat-cloud-services namespace — the frontend and API libraries that power Red Hat's Hybrid Cloud Console. The malware, dubbed Miasma and tracked independently by Wiz, Snyk, and Aikido, is a variant of TeamPCP's Mini Shai-Hulud worm. It executes a 4.2 MB obfuscated payload via an npm preinstall hook at install time, harvesting GitHub tokens, cloud credentials, and CI/CD secrets, then republishes itself to other packages the victim account can reach. The attack vector was OIDC tokens from GitHub Actions. The pipeline functioned as intended — the credentials inside it had already been compromised months before they were used. Dark web monitoring firm Whiteintel found the employee's GitHub credentials and active session cookie in infostealer logs dated April 13 and May 15, 2026. Wiz issued a follow-on advisory June 4 covering a second wave using binding.gyp to execute code at install. Combined weekly download exposure: approximately 80,000–117,000 across the affected scope.

Defender action: Any environment that ran npm install against affected @redhat-cloud-services versions should treat all reachable secrets as exposed and rotate immediately. The attack pattern to internalize: corporate device infection → stealer log → credential marketplace → trusted namespace hijack. The open-sourcing of Mini Shai-Hulud means other actors can now replicate or adapt this technique with minimal effort.

Sources: Wiz (primary) · Snyk · Aikido · CybelAngel — infostealer trail


03 · CVE-2026-3055 — Citrix NetScaler SAML IDP memory overread; active exploitation reported by Fortinet

#vuln CISA KEV · Confidence: multi-source corroborated

Originally disclosed in late March, CVE-2026-3055 is an out-of-bounds read in NetScaler ADC and Gateway triggered by sending crafted SAMLRequest payloads to the /saml/login endpoint with the AssertionConsumerServiceURL field omitted — causing the appliance to leak memory contents via the NSC_TASS cookie. The precondition is SAML IDP configuration, common in enterprise SSO deployments. Fortinet's threat intelligence team has reported active exploitation against internet-facing instances. A Metasploit module is available. This resembles previous NetScaler vulnerabilities — including Citrix Bleed (CVE-2023-4966) and Citrix Bleed 2 (CVE-2025-5777) — that were rapidly weaponized after disclosure.

Defender action: Apply vendor-confirmed patch versions immediately. Verify SAML IDP configuration explicitly — it may be enabled inadvertently through configuration templates. Monitor for suspicious probes against /cgi/GetAuthMethods.

Sources: Fortinet / Threat-Modeling.com · Rapid7 ETR · The Hacker News


04 · CVE-2025-48595 — Android Framework integer overflow; actively exploited zero-day in June 2026 patch bundle

#vuln CISA KEV · Confidence: vendor-confirmed (Google)

Google's June 2026 Android Security Bulletin patches 124 vulnerabilities, with one actively exploited: CVE-2025-48595, a CVSS 8.4 integer overflow in the Android Framework (CWE-190). The flaw allows a local attacker with basic app permissions to escalate privileges without user interaction, potentially gaining full device control. It potentially affects devices running Android 14, 15, 16, and 16-QPR2 until their OEM ships the patch. Google describes exploitation as "limited, targeted" — language that has historically appeared in connection with commercial spyware vendor activity, though Google has not stated that publicly here. This is the fourth Android zero-day confirmed under active exploitation and patched since December 2025. CISA added it to KEV on June 2 with a federal deadline of June 5.

Defender action: Enterprise Android fleets are silently exposed until OEMs ship the update. The most likely delivery path is a malicious application; tighten sideloading controls and enforce managed app sources. A critical Media Framework RCE is also patched in this bulletin; paired with this local privilege escalation, it is the exploit-chain threat model for targeted attacks.

Sources: SOCRadar · Help Net Security · Security Affairs


05 · CVE-2026-45659 — SharePoint Server deserialization RCE; any authenticated site member can trigger it

#vuln · Confidence: vendor-confirmed (Microsoft)

Patched in the most recent Patch Tuesday, CVE-2026-45659 is a CVSS 8.8 unsafe deserialization flaw in SharePoint Server Subscription Edition, 2019, and 2016 — not SharePoint Online or Microsoft 365. An attacker with minimum site-member permissions can execute code on the server over the network with no admin rights and no user interaction. Researcher "MEOW" is credited with the discovery. Microsoft assesses exploitation as less likely. Historical exploitation patterns for deserialization vulnerabilities in Microsoft products suggest that assessment should be interpreted cautiously — prior SharePoint and Exchange deserialization flaws have drawn attacker attention after disclosure, and a separate SharePoint spoofing flaw (CVE-2026-32201) was confirmed exploited in the wild last month.

Defender action: Patch on-premises SharePoint deployments promptly. Any compromised employee account is a vector for full server code execution — monitor for unusual PowerShell, scripting activity, or scheduled task creation on SharePoint hosts.

Sources: The Hacker News · Security Affairs


06 · SafeBreach: Gemini's Android notification reader treated hostile push notifications as executable instructions

#AI-security · Confidence: primary research (SafeBreach), vendor-confirmed patch

SafeBreach researcher Or Yair published findings on June 3 showing that Gemini's Utilities agent on Android — the feature that reads incoming notifications — would ingest notification text as actionable context. A crafted push message from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could direct the assistant to open connected windows, fake messages from trusted contacts, push the device into a Zoom call, or poison Gemini's long-term memory. No malicious app installation required; no user interaction beyond asking Gemini to read notifications. The technique is Android-only — the Utilities feature does not exist on iOS or web. This research extends SafeBreach's earlier "Invitation Is All You Need" work on Calendar-based injection; Google had hardened defenses after that disclosure and Yair found a bypass. The "Fake Context Alignment" technique can embed multilingual hidden commands — a benign English surface question masking a malicious Chinese-language instruction requiring only secondary user approval. Google confirmed mitigation via server-side classifier updates on November 14, 2025. No CVE assigned; no evidence of in-the-wild use.

Analysis: The bypass is patched, but the structural problem persists: AI agents that ingest ambient text still struggle to distinguish data from instructions in adversarial contexts. The notification attack surface — any app that can push to a device — is broad enough to warrant attention from organizations deploying Android-based AI assistants in enterprise settings.

Sources: SafeBreach (primary) · The Hacker News


#APT #DFIR · Confidence: single-firm attribution assessment (Gambit Security), corroborated by SecurityWeek and NBC News; MOIS link not independently confirmed by US government

Gambit Security published a threat intelligence report this week forensically linking "Ababil of Minab" — the group that claimed responsibility for the March 2026 LA Metro intrusion — to Black Shadow, a threat actor previously attributed by Israel's National Cyber Directorate (INCD) to Iran's Ministry of Intelligence and Security. LA Metro confirmed the breach on April 2; the attack deleted virtual machines from inside the agency's management console and disabled the TAP Mobile App fare system. Gambit's analysis shows the operation extends to victims in the US, Israel, Saudi Arabia, and Turkey, with exfiltration across all targets and destructive operations at a subset. The destruction methodology is operationally notable: at Vyncs, a custom Python script iterated through 58 SQL Server targets and dropped every database with zero failures, followed by manual deletion of 16 daily backup files and destruction of core Windows system folders. At the South Florida Regional Transportation Authority, attackers used a secure deletion tool to overwrite the web hosting directory including dedicated SQL backup folders. The timing coincides with Los Angeles' role as a 2026 FIFA World Cup host city, though no evidence currently establishes a connection between the intrusion and tournament-related objectives. Separately, a joint CISA/FBI/NSA/Department of Energy advisory from April 2026 warned that Iranian actors were targeting US critical infrastructure via operational technology devices — consistent with this campaign's profile, though that advisory does not name Ababil of Minab or the LA Metro attack specifically.

Attribution note: The Ababil → Black Shadow → MOIS chain rests on Gambit's forensic infrastructure analysis and the INCD's prior Black Shadow attribution. SecurityWeek and NBC News have both reported the Gambit findings; no US government agency has publicly attributed the LA Metro attack to Iran or MOIS by name. Publish the attribution as Gambit's assessment, not as confirmed fact.

Defender action: This campaign is a case study in attacking the recovery layer, not just the data layer — backup deletion preceded system destruction at multiple victims. IR readiness requires validated offline immutable backups and tested recovery runbooks, not just perimeter controls.

Sources: Gambit Security (primary) · SecurityWeek · NBC News · Security Affairs


08 · GHOST STADIUM: 4,300+ fraudulent FIFA domains, Chinese-speaking TA, PingIdentity SSO clone; FBI confirms threat

#fraud #threat-intel · Confidence: multi-source corroborated (Group-IB, FBI IC3)

Group-IB published detailed research on GHOST STADIUM, a Chinese-speaking, financially motivated threat actor running over 300 phishing domains built on a single kit that pixel-perfectly clones fifa.com — including FIFA's actual PingIdentity SSO flow, using legitimate client IDs. Branding assets are loaded directly from FIFA's own CDN to evade image-matching detection. The kit can authorize password resets, enabling full account takeover and ticket theft. Three Meta Pixel IDs are embedded across the cluster, suggesting the operators may be tracking or acquiring traffic through Meta's advertising ecosystem. Group-IB identified more than 4,300 fraudulent FIFA domains registered since August 2025, with many held dormant until tournament week. A broader ecosystem includes four independent threat actors running six parallel fraud schemes: credential phishing, fake ticket sales, counterfeit merchandise, fake streaming platforms, fraudulent betting sites, and infostealer-driven mass credential harvesting. Over 2,500 FIFA account credential pairs are already circulating on dark-web markets. FBI IC3 issued a parallel warning identifying 36 known spoofed domains. Tournament kickoff: June 11.

Defender action: Traditional URL-based detection will not catch domains serving legitimate branding content from FIFA's own CDN. For SOC and fraud teams, monitor for SSO abuse using legitimate client IDs. Employee and customer awareness is a reasonable secondary control given the volume of credential circulation already underway.

Sources: Group-IB (primary) · FBI IC3 / Cybernews


09 · Grandoreiro banking trojan resurfaces across Portugal, Spain, Mexico, and Latin America; new DLL side-loading delivery

#malware · Confidence: single-source reporting (Check Point) — seek corroboration before publishing

Check Point's June 1 Threat Intelligence Report flags renewed Grandoreiro campaigns targeting Portuguese banks and organizations across Spain, Mexico, and Latin America. The attacks begin with phishing, then use DLL side-loading or malicious scripts for execution, abuse cloud services to mask C2 traffic, steal credentials, and display fake banking overlays to capture OTP codes. Grandoreiro has been a persistent threat against Iberian and Latin American financial institutions. The reemergence following a 2024 Europol-coordinated infrastructure takedown suggests either surviving operators or successor actors may have rebuilt capabilities.

Defender action: Organizations with operations or customers in Portuguese- or Spanish-speaking markets should review detections for DLL side-loading from Office applications and unusual cloud-service traffic patterns consistent with C2 masking.

Sources: Check Point Research (primary)


BORDER CYBER GROUP — original analysis and synthesis. All claims attributed and linked to primary sources.

Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — buy us a coffee: https://bordercybergroup.com/#/portal/support