The second half of June remained active, with a few notable developments rather than any major shifts. SETTRA ransomware quickly climbed into the top five after posting 22 victims in a single week, while FortiBleed dominated vulnerability discussions as organizations continued responding to widespread exploitation. Technology moved to the top victim sector, large enterprises saw a sharp increase in targeting, and victim disclosures were spread across a broader range of countries this reporting period.

Report Links

Download Threat Brief For June 16-30 2026

Byer-Nichols Threat Brief Podcast June 16-30 2026

Ransomware Actors

Ransomware      Percentage   Rank Last Period   Rank Two Periods Ago
The Gentlemen   15.49%       2                  3
Qilin            9.86%       3                  2
LockBit          8.73%       5                  8
SETTRA           6.20%       N/A                N/A
RALord (Nova)    4.51%       N/A                N/A

SETTRA was the standout this reporting period, rapidly entering the top five after listing 22 victims in a single week. The Gentlemen climbed to the top spot after a strong early June showing, while Qilin and LockBit continued their steady presence. RALord, also known as Nova, appeared for the first time alongside SETTRA as new entrants. The remaining groups continue to be familiar operators that have consistently appeared in recent reporting.

Victim Sector

Sector               Percentage   Rank Last Period   Rank Movement
Technology           17.46%       3                  3 -> 1
Construction         13.52%       4                  4 -> 2
Retail               12.96%       2                  2 -> 3
Manufacturing        12.11%       1                  1 -> 4
Financial Services   10.99%       5                  same

Victim Location

Country   Percentage   Rank Last Period   Rank Movement
USA       37.75%       1                  same
Germany    6.20%       2                  same
Canada     5.35%       4                  4 -> 3
France     3.38%       new                new
Taiwan     2.82%       new                new

Victim Org Size

Size                           This Period   Last Period   Relative Change
Small Business (500 or less)   74.64%        78.43%        -4.83%
Mid-Market (501-5000)          17.66%        18.02%        -2.00%
Large Enterprise (5000+)        7.69%         3.55%        +116.62%

Trending Adversaries

This reporting period featured a mix of financially motivated cybercriminals and state-sponsored threat actors. While several familiar groups remained active, the focus shifted toward emerging campaigns and newly observed activity rather than previously documented operations.

  • CL-STA-1062
  • FishMonger
  • Icarus
  • ToddyCat
  • UNC4221
  • UNC5792

Trending & Actively Exploited Vulnerabilities

Nine Known Exploited Vulnerabilities (KEVs) were tracked this reporting period, alongside a critical Oracle E-Business Suite vulnerability reported as exploited in the wild but not yet added to CISA's KEV catalog. FortiBleed continued to dominate headlines as organizations responded to the widespread impact of the vulnerability.

CVE              Vendor           Product
CVE-2026-48558   SimpleHelp       SimpleHelp
CVE-2026-12569   PTC              Windchill and FlexPLM
CVE-2026-20230   Cisco            Unified Communications Manager
CVE-2025-67038   Lantronix        EDS5000
CVE-2026-34910   Ubiquiti         UniFi OS
CVE-2026-34909   Ubiquiti         UniFi OS
CVE-2026-34908   Ubiquiti         UniFi OS
CVE-2026-20253   Splunk           Enterprise
CVE-2026-48907   Widget Factory   Joomla Content Editor
CVE-2026-46817   Oracle           E-Business Suite
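As an added example (not part of the brief or its authors' tooling), a short Python triage script that reconciles the CVEs in the table above against a CISA KEV catalog feed: KEV-listed CVEs come back ordered by their remediation due date, and anything the catalog does not contain is flagged for a vendor-advisory check, which is the situation the brief describes for the Oracle E-Business Suite CVE. The KEV feed here is a constructed stand-in using the real catalog's field names; its dates are placeholders, not actual catalog values.

```python
import json
from datetime import date
BRIEF_CVES = {  # CVE -> vendor, from the table in this brief
    "CVE-2026-48558": "SimpleHelp", "CVE-2026-12569": "PTC",
    "CVE-2026-20230": "Cisco", "CVE-2025-67038": "Lantronix",
    "CVE-2026-34910": "Ubiquiti", "CVE-2026-34909": "Ubiquiti",
    "CVE-2026-34908": "Ubiquiti", "CVE-2026-20253": "Splunk",
    "CVE-2026-48907": "Widget Factory", "CVE-2026-46817": "Oracle",
}
def _kev(cve, added, due):  # minimal record using the real feed's field names
    return {"cveID": cve, "dateAdded": added, "dueDate": due}

# Constructed stand-in for CISA's KEV feed: the real top-level layout and field
# names, but placeholder dates. Nine of the ten brief CVEs are present, as the
# brief states; the Oracle E-Business Suite CVE is deliberately absent.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    _kev("CVE-2026-48558", "2026-06-17", "2026-07-08"),
    _kev("CVE-2026-12569", "2026-06-18", "2026-07-09"),
    _kev("CVE-2026-20230", "2026-06-19", "2026-07-10"),
    _kev("CVE-2025-67038", "2026-06-22", "2026-07-13"),
    _kev("CVE-2026-34910", "2026-06-23", "2026-07-14"),
    _kev("CVE-2026-34909", "2026-06-23", "2026-07-14"),
    _kev("CVE-2026-34908", "2026-06-23", "2026-07-14"),
    _kev("CVE-2026-20253", "2026-06-25", "2026-07-16"),
    _kev("CVE-2026-48907", "2026-06-26", "2026-07-17"),
]})

def triage(kev_json, brief_cves, today_iso):
    """Split the brief's CVEs into KEV-listed (sorted by days to the catalog
    due date, overdue first) and ones the catalog does not yet contain."""
    today = date.fromisoformat(today_iso)
    by_id = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    listed, unlisted = [], []
    for cve, vendor in brief_cves.items():
        rec = by_id.get(cve)
        if rec is None:  # exploited per the brief, but no catalog deadline yet
            unlisted.append((cve, vendor))
            continue
        due = date.fromisoformat(rec["dueDate"])
        listed.append({"cve": cve, "vendor": vendor, "due": rec["dueDate"],
                       "days_left": (due - today).days})
    listed.sort(key=lambda r: r["days_left"])  # stable: ties keep brief order
    return listed, unlisted

if __name__ == "__main__":
    listed, unlisted = triage(SAMPLE_KEV_JSON, BRIEF_CVES, "2026-07-10")
    for r in listed:
        print(f'{r["cve"]:15} {r["vendor"]:15} due {r["due"]} ({r["days_left"]:+d} days)')
    print("Exploited but not yet in KEV, check vendor advisory:", unlisted)
```

Point it at the live catalog by replacing SAMPLE_KEV_JSON with the downloaded KEV JSON and the placeholder date with today's date.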

Trending Malware

Backdoor.Turn: A Go-based backdoor that abuses Microsoft Teams' TURN relay servers to hide command-and-control traffic within legitimate Teams communications, helping attackers evade detection. Backdoor.Turn routes its C2 channel through Teams' TURN infrastructure, making malicious traffic appear as normal real-time communications. Built in Go for cross-platform portability, it provides remote access while blending into expected network patterns that most security tools allow by default.

Djinn Stealer: A newly discovered cross-platform infostealer that targets cloud, AI, browser, and administrative credentials to enable follow-on attacks. Djinn Stealer sweeps credentials from cloud provider configs, AI platform tokens, browser password stores, and administrative tools in a single pass, then exfiltrates them for use in broader intrusion campaigns. Its cross-platform design lets operators hit Windows, Linux, and macOS endpoints with the same tooling.

Mistic Backdoor: A stealthy backdoor linked to an initial access broker, providing persistent enterprise access that can be sold to ransomware operators. Mistic Backdoor establishes a quiet foothold in enterprise networks through encrypted channels and low-frequency beaconing, making it difficult to spot with standard network monitoring. Its association with initial access brokers means compromised organizations may face follow-on ransomware deployment weeks or months after the initial breach.

OXLOADER: A malware loader designed to quietly deliver additional payloads, often serving as the initial stage of larger malware infections. OXLOADER uses multi-stage unpacking and anti-analysis checks to evade sandbox detection before pulling its next-stage payload. It has been observed delivering both infostealers and ransomware precursors, making it a versatile first-stage component in multi-phase attack chains.

Rokarolla: A newly observed malware family used to establish persistence and provide remote access for follow-on malicious activity. Rokarolla installs itself through DLL side-loading into legitimate application paths and maintains persistence via scheduled tasks. Once active, it provides attackers with remote shell access, file transfer capabilities, and the ability to deploy additional tooling as needed.

STOCKSTAY: A stealth-focused malware family that enables long-term access while attempting to avoid detection during enterprise intrusions. STOCKSTAY uses memory-resident execution and process hollowing to minimize its on-disk footprint, making it difficult for endpoint detection tools to flag. Designed for extended dwell times, it supports periodic check-ins and selective data exfiltration, allowing operators to maintain access for weeks without triggering alerts.

Top News

  • Amadey, StealC malware operations disrupted in Operation Endgame action
  • DraftKings hacker 'Snoopy' sentenced to 18 months in prison
  • FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices, heist persists
  • FTC warns of record $3.5 billion losses to imposter scams in 2025
  • Klue OAuth breach victim list grows as Icarus hackers claim attack
  • Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp
  • Security community slams US ban on exporting Mythos, Fable
  • US offers $10 million for hackers targeting WhatsApp, Signal users

Contributors

Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky

Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect

Produced & Distributed by Phish Tank Digital