daily critical

CTI Daily Brief: 2026-07-06 - BeyondTrust critical auth bypass, Januscape Linux VM escape, China-nexus UAT-7810 ORB expansion

70 reports across 13 sources. Seven criticals dominated by widely-used-software exploitation (BeyondTrust RS/PRA, Januscape Linux kernel, Tenda backdoor, HTTP/3 early data, Siemens SINEC OS, Hydro-Québec EV backend). China-nexus UAT-7810 continues ORB network build-out; UNK_MassTraction hits Roundcube at US/Canadian universities; Akira, Play, Qilin dominate ransomware leak activity.

Reporting Period Classification Generated
2026-07-06 (24h) TLP:CLEAR 2026-07-07

1. Executive Summary

The pipeline ingested 70 reports across 13 sources in the last 24 hours, dominated by high-severity ransomware leak activity (42 reports, mostly RansomLock) and seven criticals concentrated in widely-used software and OT. BeyondTrust disclosed two critical authentication-bypass flaws in Remote Support (RS) and Privileged Remote Access (PRA); a 16-year-old Linux kernel VM-escape flaw dubbed “Januscape” affects Intel and AMD hosts; a hidden authentication backdoor was found in Tenda router firmware; and CISA released five ICS advisories including a CVSS 9.8 issue in the Hydro-Québec Le Circuit Electrique EV charging backend and multiple critical flaws in Siemens SINEC OS. Cisco Talos published new detail on China-nexus APT UAT-7810 building out the LapDogs ORB network with new LONGLEASH/DOGLEASH/JARLEASH malware, and AlienVault reported another suspected China-aligned cluster (UNK_MassTraction) exploiting Roundcube n-days at US and Canadian university physics departments. No new CISA KEV additions were observed in the pipeline for this period, but multiple reported flaws (BeyondTrust, Ruckus n-days used by UAT-7810) are strong candidates for near-term inclusion.

2. Severity Distribution

Severity Count Key Drivers
🔴 CRITICAL 7 BeyondTrust RS/PRA auth bypass; Januscape Linux VM escape; Tenda firmware backdoor; CVE-2026-9545 HTTP/3 early data; Siemens SINEC OS bundle; Hydro-Québec EV charging backend; eBPF kernel rootkit research
🟠 HIGH 42 Ransomware leak-site activity (Akira, Play, Qilin, DragonForce, AiLock, Chaos, Space Bears, Inc Ransom, Krybit, cmd, The Gentlemen); UAT-7810 ORB expansion; UNK_MassTraction Roundcube exploitation; KDDI 12M-email breach; CrySome RAT chain; Salat Stealer; Microsoft MSRC CVE batch (HTTP/2 UAF, STARTTLS reuse, TLS 1.3 DoS, mTLS reuse, ONNX Runtime OOB)
🟡 MEDIUM 7 Spain pro-Russian hacktivist arrest; Google vs. Gemini-abusing Outsider Enterprise; misc. Microsoft MSRC low-impact CVEs; Interlock/Inc Ransom infrastructure updates
🟢 LOW 1 CVE-2026-25681 golang.org/x/net/html DOCTYPE handling
🔵 INFO 13 SANS NIMLOC DNS diary; SCOTUS Texas app age-verification order; UK autonomous AI “Cyber Shield” plan

3. Priority Intelligence Items

3.1 BeyondTrust Remote Support & Privileged Remote Access — critical authentication bypass

Source: BleepingComputer

BeyondTrust disclosed two critical flaws in Remote Support (RS) and Privileged Remote Access (PRA) that allow attackers to bypass authentication and gain unauthorized access to privileged sessions. The vendor attributes the issues to improper access-control checks that permit privilege escalation. BeyondTrust remote-access products have previously been abused in high-impact intrusions (US Treasury OFAC, 2024), so patched status should be treated as urgent for any customer-facing or vendor-facing appliance. Associated ATT&CK techniques: T1078 (Valid Accounts), T1068.001 (Exploitation for Privilege Escalation).

SOC Action: Enumerate all BeyondTrust RS/PRA appliances (on-prem and cloud), confirm patch level against today’s advisory, and rotate all API keys and session tokens. Hunt EDR/authentication logs for anomalous administrative session initiation from BeyondTrust appliance IPs over the last 30 days; treat any unexplained privileged session as a possible bypass event.

3.2 Januscape — 16-year-old Linux kernel VM escape (Intel & AMD)

Source: BleepingComputer

A newly documented Linux kernel flaw named “Januscape” (present in-tree for 16 years) allows a low-privileged attacker inside a guest VM to break out and execute code on the host on both Intel and AMD hardware. This is a hypervisor-tenancy killer for shared-tenant KVM/QEMU environments and any container platform running on KVM-backed nodes (many managed Kubernetes offerings). Exploitation primitive: privilege escalation via kernel path (T1068). No public exploit yet observed; kernel maintainers’ fix window will define the risk period.

SOC Action: Inventory KVM/QEMU hosts and note kernel versions; subscribe to distro advisories for the CVE assignment and prioritise patching multi-tenant hypervisors and shared-CI/CD build hosts. Until patched, restrict guest-to-host communication channels (virtio, vhost) where operationally possible, and monitor kernel oops/panic telemetry from hypervisor hosts as a weak canary.

3.3 Hidden authentication backdoor in Tenda router firmware

Source: BleepingComputer

Multiple Tenda router firmware versions ship a hidden authentication mechanism that bypasses normal login checks and grants full admin access to the web management panel. An attacker with network reachability can enable new accounts, alter routing/DNS, and pivot into the LAN. Consumer- and SMB-grade Tenda devices are widely deployed at teleworker home offices and small branch sites. Associated techniques: T1078 (Valid Accounts), T1134 (Access Token Manipulation).

SOC Action: Query asset and network-inventory systems for Tenda devices (HTTP banner “Tenda”, DHCP vendor class, common web UI paths /goform/*). Where identified, isolate management interfaces from user VLANs, disable remote/WAN management, and treat any Tenda device as compromised until firmware is confirmed on a patched build. Add DNS egress alerting for teleworker subnets fronted by Tenda devices.

3.4 CISA ICS wave — Hydro-Québec EV charging backend, Siemens SINEC OS, Hitachi Energy, Digi International, Labcenter, Mendix Studio Pro

Sources: ICSA-26-188-01 Hydro-Québec, ICSA-26-188-02 Hitachi PROMOD V, ICSA-26-188-03 Hitachi e-mesh EMS, ICSA-26-188-04 Siemens Mendix Studio Pro, ICSA-26-188-05 Siemens SINEC OS, ICSA-26-188-06 Labcenter Proteus 9, ICSA-26-188-07 Digi International PortServer TS

CISA released seven ICS advisories on 7 July. The critical entries are Hydro-Québec Le Circuit Electrique charging station backend (CVSS 9.8, CVE-2026-20744 unauthenticated websocket, CVE-2026-42952 lack of auth throttling, CVE-2026-44383 duplicate charging-station-ID connections — mitigation is disabling OCPP where possible), and Siemens SINEC OS (RUGGEDCOM RST2428P pre-V4.0, CVSS 9.8, extensive vulnerability class list including buffer/path-traversal/race/auth-bypass — vendor fix in V4.0). High-severity entries cover Hitachi Energy e-mesh EMS (NGINX PCRE buffer overflow), Hitachi Energy PROMOD V (HTTP-in-lieu-of-HTTPS to Digipede), Siemens Mendix Studio Pro (project-file parsing RCE prior to V11.12), Labcenter Proteus 9 (multiple OOB write/UAF: CVE-2026-42953, CVE-2026-49033, CVE-2026-42958), and Digi International PortServer TS (CVE-2026-12352 auth bypass, CVE-2026-12948 script injection). Sectors touched: transportation, critical manufacturing, energy, healthcare, financial services, government.

SOC Action: Cross-reference OT asset inventory against each advisory’s affected-versions list. For SINEC OS RUGGEDCOM RST2428P, schedule the V4.0 upgrade window with OT engineering. For any exposed Hydro-Québec OCPP endpoints, confirm the vendor-side mitigation (OCPP disabled or auth added) has been applied and add IDS signatures for anomalous OCPP websocket connect bursts from the same station ID. Segment engineering workstations running Mendix Studio Pro and Labcenter Proteus and forbid opening untrusted project files.

3.5 UAT-7810 (China-nexus APT) — continued LapDogs ORB network expansion with new malware

Source: Cisco Talos

Cisco Talos published new tracking of UAT-7810, a China-nexus APT that maintains the LapDogs Operational Relay Box (ORB) network first named by SecurityScorecard in 2025. The group provides ORB infrastructure to secondary China-nexus APTs (including UAT-5918) and has iterated its custom malware: the SHORTLEASH backdoor has a new variant tracked as LONGLEASH, plus two newly identified families — DOGLEASH (C-based Linux backdoor executing arbitrary shellcode on compromised devices) and JARLEASH (JAVA JAR admin backdoor: file management, FTP/SFTP, Netcat). Access is gained by exploiting n-day flaws in unpatched Ruckus wireless routers (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717) and — via the shared 217.15.164[.]147 infrastructure — ASUS AiCloud routers (CVE-2025-2492). Associated techniques: T1064 (Lateral Movement), T1071 (Application Layer Protocol).

Indicators of Compromise

IPv4 (ORB payload hosts):
  194.233.92[.]26
  217.15.160[.]247
  217.15.164[.]147   (dual-use: also AiCloud CVE-2025-2492 exploitation)

TLS server (port 99) certificate:
  fingerprint: c2ab9adaba93ff094b8f3fc37d906014d870582039d276b7bd03e6fd583d8a15
  subject_dn:  C=exploit, ST=exploit, L=exploit, O=exploit, OU=exploit, CN=exploit

Exploited CVEs:
  CVE-2020-22653, CVE-2020-22658, CVE-2023-25717 (Ruckus)
  CVE-2025-2492 (ASUS AiCloud)

Malware families: SHORTLEASH / LONGLEASH / DOGLEASH / JARLEASH / LEASHTEST

SOC Action: Block egress to the three ORB IPs and hunt historical netflow / proxy logs for outbound TLS to port 99 on these hosts. Search NetFlow and TLS metadata for the certificate fingerprint above (unusually specific — high-fidelity IOC). Inventory Ruckus wireless and ASUS AiCloud devices; if any are internet-exposed and unpatched for the listed CVEs, treat as presumed-compromised and reimage.

3.6 UNK_MassTraction (suspected China-aligned) — Roundcube n-day exploitation at US/Canadian universities

Source: AlienVault OTX

Since May 2026, a suspected China-aligned cluster tracked as UNK_MassTraction has been chaining Roundcube n-days (CVE-2024-42009 XSS, CVE-2025-49113 deserialization, plus CVE-2023-2868 in some cases) to steal credentials and deploy SquareShell webshell or the VShell in-memory backdoor on university mail servers. The IceCube stealer is used for credential harvesting; SNOWLIGHT also appears in the toolset. Targets are physics and engineering departments with national-security ties (astrophysics, particle physics) at US and Canadian universities. Attribution hedge preserved: “suspected China-aligned”; not upgraded to confirmed. Associated techniques: T1204 (User Execution), T1218 (Signed Binary Proxy Execution), T1570 (Indicator Removal on Host).

Indicators of Compromise

IPv4:
  194.213.18[.]133
  45.150.109[.]151
  45.86.229[.]111

URLs (sslip.io-fronted staging):
  hxxps[:]//194.213.18.133.sslip[.]io:23088/app/js/jquery.min.js
  hxxps[:]//45.150.109.151.sslip[.]io:23088/app/js/jquery.min.js

SHA-256:
  a02f124c5ce4180bd130a62ee03262f399c33491de3aed36e0b15155ae4926c0

Exploited CVEs: CVE-2024-42009, CVE-2025-49113, CVE-2023-2868

SOC Action: For any Roundcube deployment (higher-ed IT, small ISPs, research groups), confirm patch level for CVE-2024-42009 and CVE-2025-49113 and enable Content Security Policy on the webmail vhost. Block the three IPs and the sslip.io staging URLs at the proxy. Hunt web-server logs for unusual JavaScript loads from *.sslip.io hosts on port 23088. Rotate all Roundcube user credentials as a precaution at institutions with national-security research portfolios.

3.7 CrySome RAT infection chain via freight-rate spear-phishing

Source: AlienVault OTX / LevelBlue SpiderLabs

LevelBlue’s THOR team reversed a full infection chain landing CrySome RAT on a logistics-industry target. Lure: spear-phishing email from loadofferstender@gmail.com subject “DETROIT, MI to DALLAS, TX”, linking to hxxps[:]//signindat[.]com hosting a fake freight rate confirmation. Click delivers Rate_Confirmation_LD-2026-0847.bat which spawns hidden PowerShell with -ExecutionPolicy Bypass, patches AMSI in-memory, and stages ElevatorShellCode.exe to %TEMP%\es.exe. Privilege escalation via ICMLuaUtil COM UAC bypass; defender disruption via WinDefCtl (masquerading as svchost.exe) using Image File Execution Options (IFEO) and the kvckiller.sys kernel driver. CrySome RAT provides hVNC, remote command execution, reconnaissance, and Chromium credential theft via injected abe_decrypt.dll. Techniques: T1566.002 (Spearphishing Link), T1059.001 (PowerShell), T1548.002 (Bypass UAC), T1562.001 (Disable Security Tools), T1555.003 (Chromium credentials).

Indicators of Compromise

Sender:  loadofferstender@gmail[.]com
Staging domain:  signindat[.]com

URLs:
  hxxps[:]//signindat[.]com/ElevatorShellCode.exe
  hxxps[:]//signindat[.]com/Rate_Confirmation_LD-2026-0847.pdf
  hxxps[:]//signindat[.]com/patch.exe
  hxxps[:]//signindat[.]com/stage.ps1
  hxxps[:]//signindat[.]com/update.exe

SHA-256:
  53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff
  b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3
  c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a
  ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd
  ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4
  ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8

SOC Action: Block signindat[.]com and the sender at the mail gateway. Query EDR for .bat files in user Download/%TEMP% spawning powershell.exe -ExecutionPolicy Bypass, and for any process named svchost.exe executing from %TEMP%. Alert on kernel driver load of kvckiller.sys. Distribute the six SHA-256s to endpoint agents. Review Chromium browser process-kill events followed by DLL injection to chrome.exe / msedge.exe.

3.8 KDDI (Japan) — third-party email platform breach exposes 12.2M addresses and 7.6M passwords

Source: The Record (Recorded Future News)

KDDI, Japan’s second-largest mobile operator, confirmed that a June intrusion into an email platform it operates for five Japanese ISPs exposed 12.2 million customer email addresses and 7.6 million passwords. Attackers exploited an unnamed vulnerability in a third-party software component; the flaw was patched post-detection and KDDI states no other systems were compromised. Password resets are being enforced by the affected ISPs. KDDI’s own consumer email services run on separate infrastructure and were not affected. The disclosure sits alongside recent breaches at Aflac Japan, Nidec, and Sapporo Holdings — no linkage established.

SOC Action: Treat the KDDI-hosted address list as future credential-stuffing feedstock. Ingest any published address lists into your credential-monitoring service, alert on employee/customer overlap, and force password rotation plus MFA re-enrolment for any user whose personal address appears in the leak. Increase login-anomaly weighting on Japanese ISP source ASNs for two weeks.

Risk Trend Supporting Evidence
🔴 CRITICAL Exploitation of vulnerabilities in widely used software and hardware, posing significant risks to global IT infrastructure Januscape Linux kernel VM escape; CVE-2026-10536 HTTP/2 stream-dependency tree UAF
🟠 HIGH Increased ransomware activity targeting critical infrastructure and manufacturing sectors United Infrastructure (Play); RISE Architecture & Excalibur Rentals (Akira); Siemens SINEC OS; Siemens Mendix Studio Pro
🟠 HIGH Growing use of phishing as a primary attack vector across ransomware campaigns Preneed Funeral Programs (Play); Chisholm Persson & Ball (Akira); Excalibur Rentals (Akira); CrySome RAT chain
🟠 HIGH Increased ransomware activity by Qilin across multiple sectors Next Clinics, Accelirate (this cycle); Precision Steel Services, Answer Precision Tool, Keystone Homes (previous cycle)
🟠 HIGH Phishing campaigns targeting media and government sectors Ukrainian media outlets among “priority targets” for Russian hackers (prior cycle); Phishing in the Balkans: Fake Traffic Fines
🟡 MEDIUM Eraleign (APT73) fabricating data-breach narratives across multiple regions Multiple RansomLook attributions in prior batches

Correlation batch 216 (72 reports, 7 entries, 3 trends) identified an Akira “actor cluster” of 4 related leak-site posts (0.95 confidence), a Play “malware cluster” of 2 posts (0.90), a DragonForce cluster (0.85), a Siemens ICS “sector cluster” (0.85), and a T1486 “TTP cluster” spanning Play + Akira posts (0.75).

Threat Actors

  • The Gentlemen (113 reports) — RaaS actor active since June, targeting food services, IT solutions, and engineering research across AU, Asia, NA
  • Qilin (82 reports) — most active ransomware actor of the day; Next Clinics and Accelirate added this cycle
  • Deadlock (55 reports) — burst of activity mid-June, quiet since
  • Lockbit5 (39 reports) — steady long-tail leak activity
  • Akira (29 reports) — four new victims today: RISE Architecture, Excalibur Rentals, Chisholm Persson & Ball, Edge Solutions Stone Ridge Payments
  • DragonForce (26 reports) — RaaS with strategic-branding-flexibility model; hive360.com and amplesurveyor.com added today
  • Shinyhunters / ShinyHunters (20 / 19 reports) — persistent double-count in the entity index; single actor cluster in practice
  • Stormous (17 reports) — active early-July
  • Nova (17 reports) — quiet since late June

Malware Families

  • RansomLook (157 reports) — leak-site aggregator artifact rather than a family; indicates volume of leak-site scraping
  • Tox1 / Tox (82 / 42 reports) — encrypted-messaging identifiers associated primarily with The Gentlemen
  • Akira ransomware (14 reports) — matches actor volume; Windows CryptoAPI + intermittent encryption
  • Lockbit5 (14 reports)
  • Qilin (12 reports)
  • The Gentlemen ransomware / Ransomware (11 / 10 reports) — capitalisation-collision duplicates
  • Anubis ransomware (11 reports) — steady mid-June activity

6. Source Distribution

Source Reports URL Notes
RansomLock 22 ransomlook.io Leak-site scraping; Akira, Play, Qilin, DragonForce, AiLock dominate
Microsoft 16 msrc.microsoft.com MSRC daily CVE ingest — HTTP/3, HTTP/2 UAF, STARTTLS, TLS 1.3, mTLS, ONNX Runtime
BleepingComputer 8 bleepingcomputer.com Primary coverage of BeyondTrust, Januscape, Tenda criticals
CISA 7 cisa.gov ICS advisory bundle ICSA-26-188-01 through -07
RecordedFutures 5 therecord.media KDDI breach; Canadian CSE cyber-ops; SCOTUS Texas ruling
AlienVault 3 otx.alienvault.com UNK_MassTraction; CrySome RAT; Salat Stealer
SANS 2 isc.sans.edu NIMLOC DNS diary
Cisco Talos 1 blog.talosintelligence.com UAT-7810 ORB network deep-dive
Schneier 1 schneier.com Google suit vs. Gemini-abusing Outsider Enterprise
Sysdig 1 webflow.sysdig.com June 2026 cloud-security briefing (Tchap, Novo Nordisk, marimo CVE-2026-39987)
BellingCat 1 bellingcat.com OSINT reporting
Upwind 1 upwind.io Cloud runtime security
Unknown / Telegram 2 Telegram (channel name redacted); TLP:AMBER+STRICT eBPF rootkit research and unrelated exploit-tool solicitation

7. Consolidated Recommendations

  • 🔴 IMMEDIATE: Patch BeyondTrust Remote Support and Privileged Remote Access appliances today; rotate all associated API keys and audit the last 30 days of privileged sessions for anomalous initiation — historical precedent for state-actor abuse of BeyondTrust remote-access products makes this the single highest-priority action of the day (§3.1).
  • 🔴 IMMEDIATE: Block the three UAT-7810 ORB IPs (194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147) at perimeter egress and hunt historical TLS metadata for the c2ab9ad…8a15 certificate fingerprint; audit any internet-exposed Ruckus wireless or ASUS AiCloud routers for the listed n-day CVEs (§3.5).
  • 🟠 SHORT-TERM: Cross-reference OT inventory against CISA ICSA-26-188-01 through -07, prioritising Siemens SINEC OS (RUGGEDCOM RST2428P V4.0 upgrade) and Hydro-Québec charging-station OCPP mitigation; add IDS coverage for anomalous OCPP websocket bursts and untrusted Mendix/Proteus project files (§3.4).
  • 🟠 SHORT-TERM: Confirm Roundcube patch level (CVE-2024-42009, CVE-2025-49113) for any webmail deployment, especially at higher-ed and research organisations; block UNK_MassTraction IOCs and rotate Roundcube credentials in national-security-adjacent departments (§3.6).
  • 🟠 SHORT-TERM: Block signindat[.]com and the CrySome RAT SHA-256s at mail/EDR; hunt for .bat-initiated PowerShell with -ExecutionPolicy Bypass and any svchost.exe executing from %TEMP% (§3.7).
  • 🟡 AWARENESS: Kernel/hypervisor teams should track the Januscape CVE assignment and prepare patch windows for KVM/QEMU hosts; multi-tenant environments are the highest-value targets (§3.2).
  • 🟡 AWARENESS: Ingest the KDDI-leaked address set (once published) into credential-monitoring; increase login-anomaly weighting on Japanese ISP source ASNs for two weeks (§3.8).
  • 🟢 STRATEGIC: The three parallel China-nexus stories today (UAT-7810 ORB build-out, UNK_MassTraction university targeting, and prior LapDogs reporting) suggest sustained infrastructure-preparation activity — worth a quarterly review of how your organisation attributes and blocks ORB-style relay infrastructure and whether academic-research partners are within your monitored perimeter.

This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 70 reports processed across 3 correlation batches. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.