The second half of June remained active, with a few notable developments rather than any major shifts. SETTRA ransomware quickly climbed into the top five after posting 22 victims in a single week, while FortiBleed dominated vulnerability discussions as organizations continued responding to widespread exploitation. Technology moved to the top victim sector, large enterprises saw a sharp increase in targeting, and victim disclosures were spread across a broader range of countries this reporting period.
Report Links
Download Threat Brief For June 16-30 2026
Byer-Nichols Threat Brief Podcast June 16-30 2026
Ransomware Actors
| Ransomware | Percentage | Rank Last Period | Rank Two Periods Ago |
|---|---|---|---|
| The Gentlemen | 15.49% | 2 | 3 |
| Qilin | 9.86% | 3 | 2 |
| LockBit | 8.73% | 5 | 8 |
| SETTRA | 6.20% | N/A | N/A |
| RALord (Nova) | 4.51% | N/A | N/A |
SETTRA was the standout this reporting period, rapidly entering the top five after listing 22 victims in a single week. The Gentlemen climbed to the top spot after a strong early June showing, while Qilin and LockBit continued their steady presence. RALord, also known as Nova, appeared for the first time alongside SETTRA as new entrants. The remaining groups continue to be familiar operators that have consistently appeared in recent reporting.
Victim Sector
| Sector | Percentage | Rank Last Period | Movement |
|---|---|---|---|
| Technology | 17.46% | 3 | 3 -> 1 |
| Construction | 13.52% | 4 | 4 -> 2 |
| Retail | 12.96% | 2 | 2 -> 3 |
| Manufacturing | 12.11% | 1 | 1 -> 4 |
| Financial Services | 10.99% | 5 | same |
Victim Location
| Country | Percentage | Rank Last Period | Movement |
|---|---|---|---|
| USA | 37.75% | 1 | same |
| Germany | 6.20% | 2 | same |
| Canada | 5.35% | 4 | 4 -> 3 |
| France | 3.38% | new | new |
| Taiwan | 2.82% | new | new |
Victim Org Size
| Size | Percentage | Last Period | Relative Change |
|---|---|---|---|
| Small Business (500 or less) | 74.64% | 78.43% | -4.83% |
| Mid-Market (501-5000) | 17.66% | 18.02% | -2.00% |
| Large Enterprise (5000+) | 7.69% | 3.55% | +116.62% |
Trending Adversaries
This reporting period featured a mix of financially motivated cybercriminals and state-sponsored threat actors. While several familiar groups remained active, the focus shifted toward emerging campaigns and newly observed activity rather than previously documented operations.
- CL-STA-1062
- FishMonger
- Icarus
- ToddyCat
- UNC4221
- UNC5792
Trending & Actively Exploited Vulnerabilities
Nine Known Exploited Vulnerabilities (KEVs) were tracked this reporting period, alongside a critical Oracle E-Business Suite vulnerability reported as exploited in the wild but not yet added to CISA's KEV catalog. FortiBleed continued to dominate headlines as organizations responded to the widespread impact of the vulnerability.
| CVE | Vendor | Product | Status |
|---|---|---|---|
| CVE-2026-48558 | SimpleHelp | SimpleHelp | CISA KEV |
| CVE-2026-12569 | PTC | Windchill and FlexPLM | CISA KEV |
| CVE-2026-20230 | Cisco | Unified Communications Manager | CISA KEV |
| CVE-2025-67038 | Lantronix | EDS5000 | CISA KEV |
| CVE-2026-34910 | Ubiquiti | UniFi OS | CISA KEV |
| CVE-2026-34909 | Ubiquiti | UniFi OS | CISA KEV |
| CVE-2026-34908 | Ubiquiti | UniFi OS | CISA KEV |
| CVE-2026-20253 | Splunk | Enterprise | CISA KEV |
| CVE-2026-48907 | Widget Factory | Joomla Content Editor | CISA KEV |
| CVE-2026-46817 | Oracle | E-Business Suite | Exploited in the wild; not yet in CISA KEV |
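The distinction the brief draws, nine CVEs in CISA's KEV catalog plus one that is exploited but not yet listed, is worth making machine-checkable, because KEV membership is what drives BOD 22-01 remediation deadlines and an exploited-but-unlisted CVE has no deadline unless you assign one. The following is an added example, not code from the brief or its authors: it reconciles the CVE list above against a KEV-format catalog and reports which listed entries come due within a window. The field names (cveID, vendorProject, product, dateAdded, dueDate) are those of the real feed at the URL in the code; the catalog embedded here is a constructed stand-in whose dates are placeholders, not CISA's published values, and fetch_catalog is provided but not called so the example runs offline.

```python
"""Reconcile a threat-brief CVE list against a CISA KEV catalog (added example)."""
import json
import urllib.request
from datetime import date, timedelta

# Real feed location; not fetched when this module runs stand-alone.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# CVEs from this brief's vulnerability table, with vendor and product as tabulated.
BRIEF_CVES = {
    "CVE-2026-48558": ("SimpleHelp", "SimpleHelp"),
    "CVE-2026-12569": ("PTC", "Windchill and FlexPLM"),
    "CVE-2026-20230": ("Cisco", "Unified Communications Manager"),
    "CVE-2025-67038": ("Lantronix", "EDS5000"),
    "CVE-2026-34910": ("Ubiquiti", "UniFi OS"),
    "CVE-2026-34909": ("Ubiquiti", "UniFi OS"),
    "CVE-2026-34908": ("Ubiquiti", "UniFi OS"),
    "CVE-2026-20253": ("Splunk", "Enterprise"),
    "CVE-2026-48907": ("Widget Factory", "Joomla Content Editor"),
    "CVE-2026-46817": ("Oracle", "E-Business Suite"),
}


def _entry(cve, added, due):
    """Build one record in the KEV feed's schema; the dates are placeholders."""
    vendor, product = BRIEF_CVES[cve]
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": added, "dueDate": due}


# Constructed stand-in for the feed: the nine KEVs from the brief with made-up
# dateAdded/dueDate values. Oracle CVE-2026-46817 is deliberately absent.
SAMPLE_CATALOG_JSON = json.dumps({
    "title": "constructed KEV sample for this example",
    "vulnerabilities": [
        _entry("CVE-2026-48558", "2026-06-17", "2026-07-08"),
        _entry("CVE-2026-12569", "2026-06-17", "2026-07-08"),
        _entry("CVE-2026-20230", "2026-06-09", "2026-06-30"),
        _entry("CVE-2025-67038", "2026-06-02", "2026-06-23"),
        _entry("CVE-2026-34910", "2026-06-24", "2026-07-15"),
        _entry("CVE-2026-34909", "2026-06-24", "2026-07-15"),
        _entry("CVE-2026-34908", "2026-06-24", "2026-07-15"),
        _entry("CVE-2026-20253", "2026-06-19", "2026-07-10"),
        _entry("CVE-2026-48907", "2026-06-26", "2026-07-17"),
    ],
})


def load_catalog(text):
    """Parse KEV feed JSON into a dict keyed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def fetch_catalog(url=KEV_FEED_URL, timeout=30):
    """Download the live feed. Not called by default; swap it in for real use."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_catalog(resp.read().decode("utf-8"))


def reconcile(brief_cves, catalog):
    """Split the brief's CVEs into those present in KEV and those that are not.

    A CVE reported as exploited but absent from KEV carries no BOD 22-01 due
    date, so it needs a locally assigned deadline rather than being dropped.
    """
    in_kev = sorted(c for c in brief_cves if c in catalog)
    not_in_kev = sorted(c for c in brief_cves if c not in catalog)
    return in_kev, not_in_kev


def due_within(catalog, cves, today_iso, days):
    """Return (cve, dueDate) pairs whose KEV due date is on or before today+days."""
    horizon = date.fromisoformat(today_iso) + timedelta(days=days)
    hits = [(c, catalog[c]["dueDate"]) for c in cves
            if date.fromisoformat(catalog[c]["dueDate"]) <= horizon]
    return sorted(hits, key=lambda pair: pair[1])


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_CATALOG_JSON)
    tracked, gap = reconcile(BRIEF_CVES, cat)
    print(f"{len(tracked)} in KEV, {len(gap)} exploited but not in KEV: {gap}")
    for cve, due in due_within(cat, tracked, "2026-06-30", 7):
        print(f"  {cve} ({BRIEF_CVES[cve][0]}) due {due}")
```

Against the real feed, run load_catalog on the downloaded JSON instead of the sample; the Oracle CVE will move from the gap list to the tracked list once CISA adds it, which is the change a weekly job should alert on.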
Trending Malware
| Trending Malware | Details |
|---|---|
| Backdoor.Turn | A Go-based backdoor that abuses Microsoft Teams' TURN relay servers to hide command-and-control traffic within legitimate Teams communications, helping attackers evade detection. Backdoor.Turn routes its C2 channel through Teams' TURN infrastructure, making malicious traffic appear as normal real-time communications. Built in Go for cross-platform portability, it provides remote access while blending into expected network patterns that most security tools allow by default. |
| Djinn Stealer | A newly discovered cross-platform infostealer that targets cloud, AI, browser, and administrative credentials to enable follow-on attacks. Djinn Stealer sweeps credentials from cloud provider configs, AI platform tokens, browser password stores, and administrative tools in a single pass, then exfiltrates them for use in broader intrusion campaigns. Its cross-platform design lets operators hit Windows, Linux, and macOS endpoints with the same tooling. |
| Mistic Backdoor | A stealthy backdoor linked to an initial access broker, providing persistent enterprise access that can be sold to ransomware operators. Mistic Backdoor establishes a quiet foothold in enterprise networks through encrypted channels and low-frequency beaconing, making it difficult to spot with standard network monitoring. Its association with initial access brokers means compromised organizations may face follow-on ransomware deployment weeks or months after the initial breach. |
| OXLOADER | A malware loader designed to quietly deliver additional payloads, often serving as the initial stage of larger malware infections. OXLOADER uses multi-stage unpacking and anti-analysis checks to evade sandbox detection before pulling its next-stage payload. It has been observed delivering both infostealers and ransomware precursors, making it a versatile first-stage component in multi-phase attack chains. |
| Rokarolla | A newly observed malware family used to establish persistence and provide remote access for follow-on malicious activity. Rokarolla installs itself through DLL side-loading into legitimate application paths and maintains persistence via scheduled tasks. Once active, it provides attackers with remote shell access, file transfer capabilities, and the ability to deploy additional tooling as needed. |
| STOCKSTAY | A stealth-focused malware family that enables long-term access while attempting to avoid detection during enterprise intrusions. STOCKSTAY uses memory-resident execution and process hollowing to minimize its on-disk footprint, making it difficult for endpoint detection tools to flag. Designed for extended dwell times, it supports periodic check-ins and selective data exfiltration, allowing operators to maintain access for weeks without triggering alerts. |
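Backdoor.Turn's value to an attacker is that TURN traffic toward Microsoft's relays is allowed almost everywhere; the defender's lever is that on a workstation only the Teams client should be sending it, so process-to-socket attribution separates the two where the payload cannot. The block below is an added example, not code from the brief: it decodes the STUN/TURN header (RFC 5389 and RFC 5766 field layout) from captured UDP payloads and flags relay messages (Allocate, Send, ChannelData and the other TURN methods, but not a plain STUN Binding, which browsers also send) to the standard TURN ports when they originate from a process other than the Teams client. It assumes flow telemetry that records the sending process, such as Sysmon Event ID 3 or an EDR network event; the process names, the allowlist, the RFC 5737 placeholder addresses and the sample flows are constructed for the example and are not published indicators for the malware.

```python
"""Flag TURN signalling from non-Teams processes (added example, constructed data)."""
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442
# STUN/TURN method numbers from RFC 5389 and RFC 5766.
METHOD_NAMES = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
                0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASS_NAMES = {0: "request", 1: "indication", 2: "success", 3: "error"}
# 3478 = STUN/TURN, 5349 = TURN over TLS; 3479-3481 are Teams' documented media ports.
TURN_PORTS = {3478, 3479, 3480, 3481, 5349}
# Relay-only methods; a bare Binding request is ordinary STUN and is not flagged.
RELAY_METHODS = {"Allocate", "Refresh", "Send", "Data", "CreatePermission",
                 "ChannelBind", "ChannelData"}


@dataclass
class Flow:
    ts: str
    process: str     # image name recorded by the sensor (assumed available)
    dst_ip: str
    dst_port: int
    payload: bytes   # leading bytes of the UDP datagram


def parse_turn(payload):
    """Decode a STUN/TURN header; return (class, method) or None if not STUN/TURN."""
    if len(payload) < 4:
        return None
    first_two_bits = payload[0] >> 6
    if first_two_bits == 0b01:              # ChannelData: channel number 0x4000-0x7FFF
        return ("channeldata", "ChannelData")
    if first_two_bits != 0b00 or len(payload) < 20:
        return None
    msg_type, _length, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != STUN_MAGIC_COOKIE:
        return None
    # Class bits are at positions 4 and 8 of the type; the rest are method bits.
    cls = ((msg_type >> 4) & 1) | (((msg_type >> 8) & 1) << 1)
    method = (msg_type & 0x000F) | ((msg_type >> 1) & 0x0070) | ((msg_type >> 2) & 0x0F80)
    return (CLASS_NAMES[cls], METHOD_NAMES.get(method, f"0x{method:03x}"))


def flag_non_teams_turn(flows, allowed_processes):
    """Return flows carrying relay methods to TURN ports from a non-allowlisted process."""
    hits = []
    for f in flows:
        if f.dst_port not in TURN_PORTS:
            continue
        decoded = parse_turn(f.payload)
        if decoded is None or decoded[1] not in RELAY_METHODS:
            continue
        if f.process.lower() in allowed_processes:
            continue
        hits.append((f.ts, f.process, f.dst_ip, f.dst_port, decoded[0], decoded[1]))
    return hits


def stun_message(msg_type, txid=b"\x00" * 12):
    """Build a header-only STUN message for the constructed sample flows."""
    return struct.pack("!HHI", msg_type, 0, STUN_MAGIC_COOKIE) + txid


# Allowlist and flows are constructed; 203.0.113.0/24 is RFC 5737 documentation space.
ALLOWED_PROCESSES = {"ms-teams.exe", "teams.exe"}
SAMPLE_FLOWS = [
    Flow("2026-06-21T09:02:11Z", "ms-teams.exe", "203.0.113.10", 3478, stun_message(0x0003)),
    Flow("2026-06-21T09:02:12Z", "chrome.exe", "203.0.113.20", 3478, stun_message(0x0001)),
    Flow("2026-06-21T09:05:40Z", "updater.exe", "203.0.113.10", 3478, stun_message(0x0003)),
    Flow("2026-06-21T09:05:41Z", "updater.exe", "203.0.113.10", 3478, stun_message(0x0016)),
    Flow("2026-06-21T09:06:02Z", "updater.exe", "203.0.113.10", 3478, b"\x40\x01\x00\x04C2!!"),
    Flow("2026-06-21T09:07:00Z", "updater.exe", "203.0.113.30", 443, b"\x16\x03\x01\x00\xa5"),
]

if __name__ == "__main__":
    for hit in flag_non_teams_turn(SAMPLE_FLOWS, ALLOWED_PROCESSES):
        print("suspect TURN:", *hit)
```

The process allowlist is the weak point of this rule: a backdoor injected into the Teams process itself would pass it, so pair the check with a per-process baseline of allocation frequency and destination relays rather than relying on the image name alone. TURN over TLS on 5349 only yields the process and port, not the decoded method, unless the sensor sees the plaintext.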
Top News
- Amadey, StealC malware operations disrupted in Operation Endgame action
- DraftKings hacker 'Snoopy' sentenced to 18 months in prison
- FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices, heist persists
- FTC warns of record $3.5 billion losses to imposter scams in 2025
- Klue OAuth breach victim list grows as Icarus hackers claim attack
- Police clean nearly 15,000 SocGholish-infected sites tied to Evil Corp
- Security community slams US ban on exporting Mythos, Fable
- US offers $10 million for hackers targeting WhatsApp, Signal users
Contributors
Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed by Phish Tank Digital