Threat activity in early June picked up across the board, with new malware families, faster cloud-pivoting intrusions, and a fresh wave of actively exploited vulnerabilities driving most of the noise. DeadLock's sudden rise, Shadow-Earth-066's automation push, and widespread credential-theft campaigns all signaled a shift toward speed and stealth. Meanwhile, zero-days in WebLogic, Android, and Cisco SD-WAN kept pressure on defenders to patch fast and watch identity systems closely.

Report Links

Download Threat Brief For June 1-15 2026

Byer-Nichols Threat Brief Podcast June 1-15 2026

Ransomware Actors

Ransomware       Percentage   Rank last period   Rank two periods ago
DeadLock         21.16%       N/A                N/A
The Gentlemen    12.09%       3                  2
Qilin            11.08%       2                  1
DragonForce       4.79%       1                  12
LockBit           4.53%       8                  7

DeadLock dominated early June with a sharp debut, driving over a fifth of observed activity and drawing attention for its fast-moving double-extortion playbook. The Gentlemen and Qilin continued their steady climb, each expanding victim lists through tailored phishing and opportunistic exploitation. DragonForce surged back into relevance after months of quiet, pairing data-leak pressure with noisy DDoS-style harassment. LockBit, though diminished, still surfaced in several opportunistic hits, showing the brand's resilience despite sustained law-enforcement pressure.

Victim Sector

Sector              Percentage   Rank last period   Movement
Manufacturing       16.88%       1                  same
Retail              14.36%       4                  4 -> 2
Technology          12.59%       2                  2 -> 3
Construction        11.34%       3                  3 -> 4
Financial Services  10.08%       5                  same

Victim Location

Country   Percentage   Rank last period   Movement
USA       33.50%       1                  same
Germany    4.28%       2                  same
Italy      4.28%       new                new
Canada     4.03%       4                  3 -> 4
Spain      2.77%       5                  same

Victim Org Size

Size                          This period   Last period   Relative change
Small Business (500 or less)  78.43%        82.79%        -5.27%
Mid-Market (501-5000)         18.02%        13.06%        +37.98%
Large Enterprise (5000+)       3.55%         4.15%        -14.46%

Trending Adversaries

CL-CRI-1089, DriveSurge, Shadow-Earth-066, TA4922, UNC3753, and Velvet Ant all pushed more aggressive credential-theft and cloud-pivoting activity this period, with most leaning on living-off-the-land techniques to stay quiet once inside. Several groups mixed commodity loaders with bespoke post-exploitation tooling, blurring attribution and speeding up lateral movement. TA4922 and UNC3753 stood out for targeting identity providers directly, while Velvet Ant kept refining its long-haul persistence in hybrid environments. The most concerning is Shadow-Earth-066, whose rapid shift to automation-driven reconnaissance suggests it's gearing up for broader, faster intrusions that defenders will need to detect early.

  • CL-CRI-1089
  • DriveSurge
  • Shadow-Earth-066
  • TA4922
  • UNC3753
  • Velvet Ant

Trending & Actively Exploited Vulnerabilities

Early June saw active exploitation span legacy middleware, mobile, network edge, and even AI tooling. WebLogic CVE-2024-21182 and Android CVE-2025-48595 are confirmed exploited in the wild, enabling unauthenticated or elevated access, while fresh bugs in Ivanti Sentry, Chromium V8, Cisco SD-WAN, Serv-U, PeopleSoft, LiteLLM, and Check Point gateways widen the attack surface for RCE and tenant escape. Defenders should prioritize KEV-listed flaws, patch internet-facing services first, lock down management ports, and hunt for post-compromise activity in logs and EDR.

CVE             Vendor       Product
CVE-2024-21182  Oracle       WebLogic Server
CVE-2025-48595  Android      Framework
CVE-2026-10520  Ivanti       Sentry
CVE-2026-11645  Google       Chromium V8
CVE-2026-20245  Cisco        Catalyst SD-WAN Manager
CVE-2026-20262  Cisco        Catalyst SD-WAN Manager
CVE-2026-28318  SolarWinds   Serv-U
CVE-2026-35273  Oracle       PeopleSoft Enterprise PeopleTools
CVE-2026-42271  BerriAI      LiteLLM
CVE-2026-50751  CheckPoint   Security Gateway
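One way to turn the advice above (KEV-listed first, internet-facing next, soonest deadline as tie-breaker) into a repeatable ranking of the CVE table. This is an added example, not code from the brief or its authors. The KEV fragment is a constructed sample that only borrows the field names of the public CISA KEV JSON feed (cveID, dueDate, knownRansomwareCampaignUse); which CVEs it lists and their dates are assumptions for illustration, not a claim about the real catalog, and the exposure inventory is likewise made up.

```python
"""Rank the brief's CVE list: KEV-listed first, internet-facing next,
nearest remediation deadline as a tie-breaker.

Added example, not part of the original brief. SAMPLE_KEV is a constructed
fragment using the CISA KEV JSON field names; membership and dates are
assumptions. INTERNET_FACING is a made-up asset inventory.
"""
from datetime import date

# CVE table from the brief, keyed by CVE with (vendor, product).
BRIEF_CVES = {
    "CVE-2024-21182": ("Oracle", "WebLogic Server"),
    "CVE-2025-48595": ("Android", "Framework"),
    "CVE-2026-10520": ("Ivanti", "Sentry"),
    "CVE-2026-11645": ("Google", "Chromium V8"),
    "CVE-2026-20245": ("Cisco", "Catalyst SD-WAN Manager"),
    "CVE-2026-20262": ("Cisco", "Catalyst SD-WAN Manager"),
    "CVE-2026-28318": ("SolarWinds", "Serv-U"),
    "CVE-2026-35273": ("Oracle", "PeopleSoft Enterprise PeopleTools"),
    "CVE-2026-42271": ("BerriAI", "LiteLLM"),
    "CVE-2026-50751": ("CheckPoint", "Security Gateway"),
}

# Constructed KEV-style fragment (assumption: membership and dates invented).
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-21182", "dueDate": "2026-06-20",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-48595", "dueDate": "2026-06-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20245", "dueDate": "2026-07-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory: products this org exposes to the internet.
INTERNET_FACING = {"WebLogic Server", "Catalyst SD-WAN Manager", "Serv-U",
                   "Security Gateway", "Sentry"}


def prioritize(cves, kev, exposed_products, today):
    """Return the CVEs as dicts sorted by an additive score, highest first.

    today is an ISO date string so callers need no datetime import.
    """
    today = date.fromisoformat(today)
    kev_index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    rows = []
    for cve, (vendor, product) in cves.items():
        entry = kev_index.get(cve)
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        exposed = product in exposed_products
        days_left = None
        if in_kev:
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        score = 0
        if in_kev:
            score += 100                      # confirmed exploited: always first
        if ransomware:
            score += 50                       # KEV flags ransomware use
        if exposed:
            score += 25                       # internet-facing, per the brief's advice
        if days_left is not None:
            score += max(0, 30 - days_left)   # nearer deadline, higher score
        rows.append({"cve": cve, "vendor": vendor, "product": product,
                     "in_kev": in_kev, "ransomware": ransomware,
                     "exposed": exposed, "days_left": days_left,
                     "score": score})
    rows.sort(key=lambda r: (-r["score"], r["cve"]))
    return rows


def run_example(today="2026-06-15"):
    """Rank the brief's table against the constructed sample data."""
    return prioritize(BRIEF_CVES, SAMPLE_KEV, INTERNET_FACING, today)


if __name__ == "__main__":
    for r in run_example():
        flags = ",".join(k for k in ("in_kev", "ransomware", "exposed") if r[k])
        print(f"{r['score']:>4}  {r['cve']}  {r['vendor']} {r['product']}  [{flags}]")
```

Swapping SAMPLE_KEV for the downloaded feed and INTERNET_FACING for a CMDB export is the only change needed to run this against a real estate; the weights are deliberately simple so that a KEV entry always outranks any number of non-KEV exposure points.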

Trending Malware

Argamal RAT
A stealthy Windows RAT delivered through trojanized game installers that uses COM hijacking and sandbox-aware loaders to maintain long-term remote access. Argamal is a stealthy Remote Access Trojan delivered through trojanized adult-game installers circulating on torrent and file-sharing sites. Once launched, a tampered game library quietly loads a hidden shellcode module that decrypts and deploys the RAT. It establishes persistence through COM search-order hijacking, allowing it to run without admin prompts or obvious system changes. The malware's multi-stage, sandbox-aware loader helps it evade detection, giving attackers long-term remote control over compromised Windows systems.

Azureveil
A cloud-blending espionage backdoor that uses Azure Blob Storage dead-drops and Rust-based loaders to quietly exfiltrate data from targeted government networks. Azureveil is a cloud-blending C2 agent dropped via a targeted spearphishing campaign against government and research sectors in Taiwan and the Czech Republic. Victims receive ZIP archives containing decoy documents and dual-path loaders that ultimately hand off execution to a Rust-based loader called RUSTCLOAK. The final payload communicates exclusively through Azure Blob Storage using a dead-drop model, making its traffic nearly indistinguishable from legitimate enterprise cloud activity. This design gives attackers a durable, low-visibility foothold ideal for espionage operations.

FlutterShell
A cross-platform Flutter-based backdoor deployed via the FlutterBridge loader that enables covert command execution and file operations across major OS platforms. FlutterShell is a cross-platform backdoor built with Google's Flutter framework and deployed through the FlutterBridge loader, which disguises itself as a legitimate Windows utility. Once executed, FlutterBridge decrypts and launches the FlutterShell payload, giving attackers a flexible command channel that works across Windows, Linux, and macOS. The backdoor supports file operations, command execution, and dynamic module loading, all wrapped in a UI-framework runtime that blends in with normal application behavior. Its cross-platform design and unusual use of Flutter make it harder for traditional endpoint tools to detect, giving operators a quiet, persistent foothold.

GiftedCrook
A credential-stealing malware spread through CVE-2023-38831 WinRAR exploits that harvests browser data and messaging credentials for follow-on intrusion activity. GiftedCrook is a credential-stealing malware family deployed in campaigns exploiting the long-patched WinRAR vulnerability CVE-2023-38831, which remains effective due to slow update cycles. Attackers weaponize ZIP archives containing malicious script files that execute when a victim attempts to open a seemingly harmless document inside the archive. Once triggered, GiftedCrook steals browser-stored credentials, session cookies, and messaging-app data, then exfiltrates them to attacker-controlled servers. The malware has been heavily used against Ukrainian organizations, where stolen accounts are leveraged for follow-on espionage and lateral movement.

Miasma
A rapid-propagation supply-chain worm that compromises GitHub repositories and CI/CD pipelines by injecting malicious commits and stealing developer credentials. Miasma is a fast-spreading supply-chain worm that compromised 73 Microsoft GitHub repositories in early June 2026. It propagates by injecting malicious commits into open-source projects and developer tooling, stealing cloud and GitHub credentials to replicate itself across CI/CD pipelines. The worm abuses package registries like PyPI and npm, embedding credential-harvesting hooks into widely used libraries. Its speed, taking down dozens of repositories in just 105 seconds, highlights how deeply it can disrupt developer ecosystems and cloud workflows.

NFCShare
An Android malware family that abuses NFC-based file-sharing prompts to install trojanized apps that exfiltrate device data and enroll victims into mobile botnets. NFCShare is an Android malware family that spreads through malicious NFC file-sharing prompts, often triggered when a victim brings their device near a compromised kiosk, poster, or embedded NFC tag. The malware abuses Android's "beam-style" sharing workflow to trick users into approving the installation of a trojanized APK that appears to be a legitimate sharing or system app. Once installed, NFCShare can harvest contacts, SMS messages, call logs, and device identifiers, and in some variants, enroll the device into a broader botnet. Recent reporting shows it being used in proximity-based credential-harvesting campaigns targeting public venues, making it a high-risk threat for mobile-heavy environments.
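The Argamal entry above leans on COM search-order hijacking for persistence, which leaves a registry footprint: a per-user CLSID server registration (InprocServer32, LocalServer32 or TreatAs under HKCU\Software\Classes\CLSID) that points at a user-writable path. The detection below is an added example written for this brief, not code from the report's authors and not specific to Argamal. It consumes a constructed, flattened rendering of Sysmon Event ID 13 (RegistryEvent, value set) records as pipe-separated key=value fields; real Sysmon output is XML/EVTX and needs a proper parser, and every SID, CLSID, image and payload path here is invented.

```python
"""Flag per-user COM server registrations pointing at user-writable paths,
the registry shape left by COM search-order hijacking.

Added example, not part of the original brief. SAMPLE_EVENTS is a constructed
flattening of Sysmon Event ID 13 records; the hive prefixes (HKU\\<SID>,
HKLM) follow Sysmon's rendering but all values are made up.
"""
import re

SAMPLE_EVENTS = [
    # per-user InprocServer32 pointing into AppData: the hijack shape
    "EventID=13|Image=C:\\Games\\Installer\\setup.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID"
    "\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)"
    "|Details=C:\\Users\\alice\\AppData\\Roaming\\gamelib\\helper.dll",
    # machine-wide registration by an installer: outside the rule's scope
    "EventID=13|Image=C:\\Windows\\System32\\msiexec.exe"
    "|TargetObject=HKLM\\SOFTWARE\\Classes\\CLSID"
    "\\{66666666-7777-8888-9999-000000000000}\\InprocServer32\\(Default)"
    "|Details=C:\\Program Files\\Vendor\\vendor.dll",
    # per-user override that points at a system DLL: review, lower priority
    "EventID=13|Image=C:\\Users\\alice\\AppData\\Local\\SomeApp\\app.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID"
    "\\{22222222-3333-4444-5555-666666666666}\\InprocServer32\\(Default)"
    "|Details=C:\\Windows\\System32\\shell32.dll",
    # key creation (Event 12) carries no value and is ignored here
    "EventID=12|Image=C:\\Games\\Installer\\setup.exe"
    "|TargetObject=HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID"
    "\\{11111111-2222-3333-4444-555555555555}|Details=",
]

# CLSID server subkeys that decide which binary COM loads for a class.
COM_SERVER_KEY = re.compile(
    r"\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\"
    r"(InprocServer32|LocalServer32|TreatAs)",
    re.IGNORECASE)
# Per-user hives: HKU\<user SID> in Sysmon's rendering, or HKCU in exports.
USER_HIVE = re.compile(r"^(HKU\\S-1-5-21-[\d-]+|HKCU)\\", re.IGNORECASE)
# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\"
    r"|\\Temp\\|\\Downloads\\",
    re.IGNORECASE)


def parse_event(line):
    """Split one constructed 'k=v|k=v' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def detect_com_hijack(lines):
    """Return findings for per-user COM server writes, high severity when
    the registered path is user-writable or the write is a TreatAs redirect."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        match = COM_SERVER_KEY.search(target)
        if not match or not USER_HIVE.match(target):
            continue
        clsid, subkey = match.group(1), match.group(2)
        payload = ev.get("Details", "")
        high = subkey.lower() == "treatas" or bool(USER_WRITABLE.search(payload))
        findings.append({
            "severity": "high" if high else "medium",
            "clsid": clsid,
            "subkey": subkey,
            "image": ev.get("Image", ""),
            "payload": payload,
        })
    return findings


if __name__ == "__main__":
    for f in detect_com_hijack(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['clsid']}\\{f['subkey']} <- {f['payload']}"
              f"  (written by {f['image']})")
```

The medium tier exists because legitimate per-user software does register COM servers under HKCU; triaging those by the writing process and the target binary's signature is the follow-up step. Machine-wide (HKLM) registrations are deliberately out of scope since they require elevation, which the Argamal description says the technique avoids.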

Top News

  • Compromised Red Hat employee GitHub account leveraged in npm supply chain attack
  • Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover
  • FBI dismantled a massive Chinese phishing-as-a-service operation called Outsider Enterprise
  • Microsoft Exchange "Ghost-Sender" Flaw Lets Attackers Spoof Any Email Address
  • Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges
  • Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
  • Over 116,000 Minecraft systems infected in WeedHack malware campaign
  • US government asks Anthropic to ban 'foreign national' access to Fable, Mythos
  • VS Code zero-day lets hackers steal GitHub tokens in one click
  • Copilot 'SearchLeak' Attack Allows 1-Click Data Theft

Listen to the podcast episode: Byer-Nichols Threat Brief for June 1-15 2026 on Digital Rage.

Contributors

Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed by Phish Tank Digital