Front Page

Takedown

Endgame Strikes Again: A Global Operation Rips Out the SocGholish, Amadey and StealC Stealer-Loader Backbone

In coordinated action carried out June 15–19 and announced this week, Operation Endgame — led by Europol and Eurojust with law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States — dismantled the infrastructure behind three malware families that sit at the heart of the cybercrime economy. SocGholish pushes fake browser-update lures through compromised websites; Amadey is a downloader-and-stealer hybrid; StealC harvests passwords and authentication tokens while doubling as a loader. The strike disrupted 326 servers and 142 domains, flagged more than €41 million in criminal cryptocurrency, and recovered roughly 27 million credentials stolen from over 385,000 compromised systems.

These loaders and stealers are the initial-access and credential-theft layer that precedes ransomware and fraud, so the seized command panels and loader-to-victim mappings — bolstered by private-sector help from Microsoft, ESET, Proofpoint, IBM X-Force, Shadowserver, Have I Been Pwned, and Spamhaus — are an evidentiary goldmine for scoping who was infected and what was taken. Forensic priority: ingest the released IOCs and recovered-credential sets, hunt SocGholish fake-update injects and Amadey/StealC staging and persistence on suspect hosts, and treat any credential that touched an infected machine as burned. The caveat that always applies: takedowns disrupt, they rarely eradicate — expect rebrands and rebuilt infrastructure.

Financial Crackdown

Cutting Off the Cash-Out: DOJ Seizes Huione's Cloud Infrastructure as Treasury Targets a Laundering Hub

On June 23, the U.S. Justice Department seized a cloud account allegedly supporting the Huione Group, the Southeast Asian conglomerate long tied to laundering proceeds from "pig-butchering" crypto-investment scams and other cyber-enabled fraud, while the Treasury pressed sanctions citing alleged North Korean laundering links. Where Operation Endgame went after the malware that steals, this action goes after the financial plumbing that launders — the cash-out layer that turns stolen value into clean money.

For investigators, the prize is the linkage data: cloud-account metadata, domain mappings, and on-chain payment flows are what connect scam infrastructure to its banking conversion and, in turn, to state actors. The two operations are a matched pair — one severs the supply of stolen credentials, the other the demand-side laundering rails. Forensic priority: preserve cloud-account metadata and access logs before disruption scatters them, trace cryptocurrency through mixers and exchanges to identify off-ramps, and correlate scam-victim payment rails against the seized infrastructure to map the full money cycle.

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-20230

Cisco Unified Communications Manager (and Session Management Edition) — a server-side request forgery from improper input validation lets an attacker send a crafted HTTP request to write files to the underlying OS, a foothold that can later be escalated to root; CVSS 8.6. Exploitation (which requires the WebDialer service to be enabled) was observed from the weekend of June 21–22, with public exploit code available; CISA added it to the KEV on June 25 with a three-day BOD 26-04 remediation deadline of June 28. Forensic Note: Confirm whether WebDialer is enabled, hunt attacker-written files and anomalous outbound SSRF requests in CUCM logs, and watch for follow-on root-escalation activity.

CRITICAL
CVE-2026-12569

PTC Windchill & FlexPLM — an unauthenticated remote code execution flaw caused by insecure deserialization of untrusted data; CVSS 9.3. Attackers are actively dropping persistent JSP web shells under /Windchill/login/ for command execution and data theft, making this the first PTC product ever added to the KEV (June 25, fix by June 28). Because PLM systems hold CAD, BOM, and engineering IP, the blast radius is intellectual property. Forensic Note: Hunt JSP web shells under /Windchill/login/, review the deserialization endpoints for crafted payloads, and treat engineering and manufacturing data as exfiltration targets.
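The web-shell hunt in the Forensic Note above, as an added example that is not part of the bulletin or of any PTC tooling: it walks a web root (the /Windchill/login/ path named above is the obvious target), scores every .jsp/.jspx file on static indicators, and reports files that pair a command-execution primitive with request-controlled input or that were modified after a baseline timestamp. The indicator patterns, the baseline value and the two sample files are assumptions constructed for the demonstration; tune the patterns against a known-good deployment before relying on them.

```python
"""Hunt for web-shell-like JSP files dropped into a web root (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicator classes (assumed heuristics). A file is flagged when it contains
# an execution primitive together with either request-controlled input or a
# modification time newer than the baseline the deployment was installed at.
EXEC_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec"),
    "process_builder": re.compile(r"\bProcessBuilder\b"),
    "reflection_invoke": re.compile(r"\.invoke\s*\("),
}
INPUT_PATTERNS = {
    "request_param": re.compile(r"request\.getParameter\s*\("),
    "request_header": re.compile(r"request\.getHeader\s*\("),
    "base64_decode": re.compile(r"Base64\.getDecoder\(\)"),
}


@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    modified_after_baseline: bool = False

    @property
    def suspicious(self) -> bool:
        has_exec = any(i in EXEC_PATTERNS for i in self.indicators)
        has_input = any(i in INPUT_PATTERNS for i in self.indicators)
        return has_exec and (has_input or self.modified_after_baseline)


def scan_jsp_tree(root: str, baseline_mtime: float = 0.0) -> list:
    """Return a Finding for every .jsp/.jspx under root that looks shell-like."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            finding = Finding(path=path)
            for label, pattern in {**EXEC_PATTERNS, **INPUT_PATTERNS}.items():
                if pattern.search(text):
                    finding.indicators.append(label)
            finding.modified_after_baseline = os.path.getmtime(path) > baseline_mtime
            if finding.suspicious:
                findings.append(finding)
    return findings


def build_constructed_webroot() -> str:
    """Create a temp directory holding one benign and one indicator-bearing JSP.

    Both files are constructed samples for this example; the second one is
    deliberately non-functional and only carries the tokens a hunter keys on.
    """
    root = tempfile.mkdtemp(prefix="windchill_login_")
    benign = os.path.join(root, "login.jsp")
    with open(benign, "w") as fh:
        fh.write('<%@ page language="java" %><html><body>Sign in</body></html>\n')
    # Pretend the legitimate page shipped with the product long before the baseline.
    os.utime(benign, (1_600_000_000, 1_600_000_000))
    shell_like = os.path.join(root, "x.jsp")
    with open(shell_like, "w") as fh:
        fh.write('<%@ page import="java.io.*" %>\n'
                 '<% String c = request.getParameter("c"); ProcessBuilder pb = null; %>\n')
    return root


if __name__ == "__main__":
    webroot = build_constructed_webroot()
    for f in scan_jsp_tree(webroot, baseline_mtime=1_650_000_000):
        print(f.path, f.indicators, "modified-after-baseline" if f.modified_after_baseline else "")
```

Run it against a real host as `scan_jsp_tree("/path/to/Windchill/login", baseline_mtime=<install or last-patch time>)`; the baseline catches freshly dropped files even when an attacker obfuscates the code enough to dodge the token patterns, and the token pairing catches files whose timestamps were reset.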

Malware Spotlight

CryptoBandits — Stealer-Backdoor With Tor-Hidden C2

A newly profiled threat, CryptoBandits operates as both an information stealer and a backdoor, abusing the Tor network and local proxying to conceal its command-and-control while it targets cryptocurrency wallets, stages additional payloads, and plants persistence keys for long-term access. Its reliance on anonymized C2 mirrors the same evasion-through-legitimate-infrastructure playbook investigators keep meeting. Forensic Note: Hunt Tor process artifacts and local proxy listeners, audit wallet-file and keystore access, enumerate Run/registry and scheduled-task persistence, and recover staged payloads from temp and profile directories.
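The Run-key persistence sweep from the Forensic Note above, as an added example that is not part of the CryptoBandits analysis: it parses the text that `reg export` produces for the HKCU and HKLM Run/RunOnce keys and flags entries whose launch target sits in a user-writable staging location (AppData, Temp, Public, Downloads), that go through a script host or LOLBin, or that reuse a system-binary name outside System32. The staging-directory and launcher lists are assumed heuristics, and the embedded export is a constructed sample rather than a capture from an infected host.

```python
"""Triage Windows Run-key persistence from an exported .reg file (added example)."""
import re
from typing import List, Tuple

# Constructed sample of `reg export` output for the two autorun keys. Real exports
# are UTF-16; read them with encoding="utf-16" before passing the text in.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Helper"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\h.vbs\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

# Assumed heuristics: places malware commonly stages payloads, and hosts that
# let a registry value run a script or DLL without a dedicated binary.
STAGING_DIRS = re.compile(r"\\(AppData|Temp|Tmp|Users\\Public|ProgramData|Downloads)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32)(\.exe)?\b", re.I)
RUN_KEY = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(Once)?)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for every string value under a Run/RunOnce key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = RUN_KEY.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if line.startswith("["):
            current_key = None  # some other key: ignore its values
            continue
        if current_key:
            value = VALUE_LINE.match(line)
            if value:
                # .reg files escape quotes and double every backslash; unescape for path checks.
                command = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
                entries.append((current_key, value.group(1), command))
    return entries


def triage(reg_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Flag Run entries that match any of the persistence heuristics, with reasons."""
    flagged = []
    for key, name, command in parse_run_values(reg_text):
        reasons = []
        if STAGING_DIRS.search(command):
            reasons.append("target in user-writable staging dir")
        if SCRIPT_HOSTS.search(command):
            reasons.append("script/LOLBin host launcher")
        if re.search(r"\\svchost\.exe", command, re.I) and not re.search(r"system32", command, re.I):
            reasons.append("system-binary name outside System32")
        if reasons:
            flagged.append((key, name, command, reasons))
    return flagged


if __name__ == "__main__":
    for key, name, command, reasons in triage(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {command}\n    -> {'; '.join(reasons)}")
```

Anything this flags is a lead, not a verdict: follow the target path, hash the file, and recover it from the Temp or profile directory for analysis, which is exactly the staged-payload recovery the note calls for.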