Daily summary - 25.06.2026

End-of-Day report

Timeframe: Wednesday 24-06-2026 18:00 - Thursday 25-06-2026 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer

News

Malicious Edge extension abuses Native Messaging as bridge to malware

A malicious Microsoft Edge extension dubbed Edgecution has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor.

https://www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/

Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access

New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices.

https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/

Inside the 2026 SMB threat landscape: From phishing and scams to fake AI tools

In the first four months of 2026, Kaspersky solutions detected over 33,300 cyberattacks on SMBs masquerading as popular artificial intelligence (AI) tools - almost five times more than in 2025 and 39% more than the number of attacks disguised as the office and collaboration tools that Kaspersky's research focuses on.

https://securelist.com/smb-threat-report-2026/120357/

What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th)

For network defenders and analysts, it's important to understand the depth of the noise and how it should be treated. Observing patterns and structural shifts within the static is essential for keeping pace with an automated, multi-directional threat that never stops running. The infrastructure persists, campaigns evolve, payloads update, and the ports keep listening.

https://isc.sans.edu/diary/rss/33104

StealC Historical Bot Infection Special Report

On Wednesday 24th June 2026, international law enforcement partners announced additional successful cyber crime disruption actions as part of the ongoing Operation Endgame initiative. This time the StealC infostealer and Amadey malware-as-a-service families were targeted.

https://www.shadowserver.org/news/stealc-historical-bot-infection-special-report/

Verfassungsschutz on espionage: universities should be more vigilant

Security authorities are warning of Chinese scientific espionage at German universities. Are the research institutions vigilant enough?

https://www.heise.de/news/Verfassungsschutz-zu-Spionage-Unis-sollen-wachsamer-sein-11343924.html

Raiffeisen phishing email asks recipients to activate pushTAN

Criminals are currently sending fraudulent emails in the name of Raiffeisen Bank. The messages ask customers to activate the pushTAN service via a link, which leads to a fake website that harvests account details.

https://www.watchlist-internet.at/news/raiffeisen-phishingmail-fordert-pushtan-aktivierung-auf/

Introduction to COM usage by Windows threats

Component Object Model (COM) is a fundamental Windows technology used by legitimate applications for object activation, inter-process communication, automation and language-independent component reuse. Those same qualities make it useful to threat actors.

https://blog.talosintelligence.com/introduction-to-com-usage-by-windows-threats/

Windows 10: security updates for consumers now extended until October 2027 after all

Microsoft has extended the ESU program for consumers by another year without much advance notice.

https://heise.de/-11344923

Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond

Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes.

https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/

Ignore DNSSEC if you like MITM attacks

It really bothers me that almost all distributions and operating systems don't validate DNSSEC by default. The above attacks are feasible on almost anyone, purely because of lousy defaults.

https://whynothugo.nl/journal/2026/06/24/ignore-dnssec-if-you-like-mitm-attacks/

Vulnerabilities

LWN: Security updates for Thursday

https://lwn.net/Articles/1079551/