Cyber Threat Brief — June 2 2026
1. Oracle WebLogic T3/IIOP Exploitation — CVE-2024-21182
TL;DR: CISA added CVE-2024-21182 to KEV on June 1 after confirmed ITW exploitation via T3/IIOP protocols delivering Cobalt Strike and Sodinokibi ransomware to unpatched WebLogic instances. Federal deadline June 22.
What’s New:
- CISA KEV addition June 1; federal remediation deadline June 22
- Honeypots recording exploitation surge since mid-May targeting ports 7001/7002
- Payloads: cryptocurrency miners, Cobalt Strike beacons, Sodinokibi ransomware
- Public PoC available since December 2024; exploitation ramping now
- Affects WebLogic 12.2.1.4.0 and 14.1.1.0.0
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| TCP 7001, 7002 (T3/IIOP) | Port | T1190 | Firewall/IDS | Block external access to WebLogic admin/T3 ports |
| -Dweblogic.t3.enabled=false | Config | T1190 | WebLogic config | Disable T3 if unused |
| Cobalt Strike beacon delivery | Payload | T1059.001 | EDR/Sysmon | Hunt for post-exploitation beacons on WebLogic hosts |
| Sodinokibi/REvil artifacts | Ransomware | T1486 | EDR | Alert on ransomware indicators post-WebLogic compromise |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific to CVE-2024-21182 | Need T3 deserialization payload detection; Java process spawning shell from WebLogic |
| Elastic | None specific | Need rule for suspicious java process activity on WebLogic servers |
| Sigma | None specific | Need WebLogic exploitation detection via T3 protocol anomalies |
Sources: CISA KEV Alert, CyberSecurityNews, WindowsNews
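The Detection table above notes that none of the three rule sets cover a Java process spawning a shell from WebLogic. The script below is an added example (not from the brief or from any of the cited vendors) of that detection over process-creation telemetry: it flags any event whose parent is a java/java.exe process identifying itself as WebLogic and whose child is a shell or script host. The event dictionaries are constructed in the shape of Sysmon Event ID 1 fields; field names, hostnames and paths are assumptions for illustration.

```python
"""Flag a WebLogic JVM spawning a command shell from process-creation telemetry.

Added example: events are constructed with Sysmon Event ID 1 style field names
(Image, CommandLine, ParentImage, ParentCommandLine, Computer).
"""
import re

# Shells and script hosts a WebLogic server process has no normal reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "ksh", "zsh"}


def basename(path: str) -> str:
    """Last path component, tolerant of Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_weblogic_jvm(image: str, cmdline: str) -> bool:
    """True for a java/java.exe process whose command line identifies WebLogic
    (weblogic.Server main class or -Dweblogic.* system properties)."""
    return basename(image) in {"java", "java.exe"} and "weblogic" in cmdline.lower()


def detect_weblogic_shell_spawn(events):
    """Return one alert per event in which a WebLogic JVM is the parent of a shell."""
    alerts = []
    for ev in events:
        if not is_weblogic_jvm(ev.get("ParentImage", ""), ev.get("ParentCommandLine", "")):
            continue
        child = basename(ev.get("Image", ""))
        if child in SHELLS:
            alerts.append({
                "host": ev.get("Computer", "?"),
                "child": child,
                "cmdline": ev.get("CommandLine", ""),
                "technique": "T1190 -> T1059",
            })
    return alerts


# Constructed sample telemetry: two suspicious spawns (Windows and Linux hosts),
# one benign JVM child process, and one shell unrelated to WebLogic.
SAMPLE_EVENTS = [
    {"Computer": "WLS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "ParentCommandLine": "java.exe -Dweblogic.Name=AdminServer weblogic.Server"},
    {"Computer": "wls02",
     "Image": "/bin/sh",
     "CommandLine": "sh -c id",
     "ParentImage": "/opt/oracle/jdk/bin/java",
     "ParentCommandLine": "java -Dweblogic.Name=ManagedServer1 weblogic.Server"},
    {"Computer": "wls02",
     "Image": "/opt/oracle/jdk/bin/java",
     "CommandLine": "java -version",
     "ParentImage": "/opt/oracle/jdk/bin/java",
     "ParentCommandLine": "java -Dweblogic.Name=ManagedServer1 weblogic.Server"},
    {"Computer": "WS-ALICE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect_weblogic_shell_spawn(SAMPLE_EVENTS):
        print(alert)
```

The parent-command-line check is what keeps this from firing on every JVM in the estate; tune `SHELLS` to the hosts you run (add `wscript.exe`/`cscript.exe` on Windows if your WebLogic servers never use them legitimately).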
2. WP Maps Pro Rogue Admin Creation — CVE-2026-8732
TL;DR: Unauthenticated attackers are mass-exploiting CVE-2026-8732 (CVSS 9.8) in WP Maps Pro to create admin accounts via a broken nonce check, with 2,858 attacks blocked by Wordfence in 24 hours. Patch to 6.1.1.
What’s New:
- Active exploitation confirmed; Wordfence blocked 2,858 attacks in 24 hours
- wpgmp_temp_access_ajax AJAX action accessible to unauthenticated users
- Nonce embedded in frontend JS (wpgmp_local.nonce), defeating access control
- Exploit creates admin user + passwordless magic login URL in one request
- Fixed in WP Maps Pro 6.1.1 (released May 20); affects <= 6.1.0
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /?action=wpgmp_temp_access_ajax | URI | T1190 | WAF/proxy | Block unauthenticated requests to this endpoint |
| check_temp=false parameter | Payload | T1078.001 | WAF | Alert on this parameter in POST body |
| fc-call-nonce in request body | IOC pattern | T1078 | WAF/proxy | Correlate with admin creation events |
| New admin users with wp_set_auth_cookie | Indicator | T1136.001 | WordPress audit log | Alert on unexpected admin account creation |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need WordPress admin creation anomaly detection |
| Elastic | None | Need WordPress AJAX endpoint abuse detection |
| Sigma | None | Need rule for wpgmp_temp_access_ajax exploitation pattern |
Sources: TheHackerNews, Threat-Modeling.com, GitHub PoC
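The Actionable Intel table asks for two things a WAF or proxy can do: alert on unauthenticated POSTs to the wpgmp_temp_access_ajax action (raising severity when check_temp=false is present) and correlate them with administrator creation in the WordPress audit log. The script below is an added example of both steps, not code from Wordfence or the plugin; the request and audit records are constructed, the field names (ts, src_ip, url, body, cookies, event, role) are assumptions about whatever your WAF and audit plugin emit, and the nonce value is a placeholder. It treats the presence of a wordpress_logged_in_ cookie as the authenticated/unauthenticated split.

```python
"""Flag unauthenticated use of the WP Maps Pro temp-access AJAX action and
correlate it with administrator creation (added example; constructed data)."""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "wpgmp_temp_access_ajax"


def request_params(req):
    """Merge query-string and form-body parameters into one dict of value lists,
    so the action is found whether it sits in the URL or the POST body."""
    params = parse_qs(urlsplit(req["url"]).query)
    params.update(parse_qs(req.get("body", "")))
    return params


def is_logged_in(req):
    """WordPress sets a wordpress_logged_in_<hash> cookie for authenticated sessions."""
    return any(c.startswith("wordpress_logged_in_") for c in req.get("cookies", []))


def flag_requests(requests):
    """Return hits for unauthenticated POSTs to the vulnerable action."""
    hits = []
    for req in requests:
        if req["method"] != "POST":
            continue
        params = request_params(req)
        if VULN_ACTION not in params.get("action", []):
            continue
        if is_logged_in(req):
            continue  # the action used by a logged-in user is not this pattern
        severity = "high" if "false" in params.get("check_temp", []) else "medium"
        hits.append({"ts": req["ts"], "src_ip": req["src_ip"], "severity": severity})
    return hits


def correlate_admin_creation(hits, audit_events, window=timedelta(minutes=10)):
    """Pair each administrator-role user_register event with a hit from the same
    source IP that preceded it within the window."""
    pairs = []
    for ev in audit_events:
        if ev["event"] != "user_register" or ev["role"] != "administrator":
            continue
        for hit in hits:
            delta = ev["ts"] - hit["ts"]
            if hit["src_ip"] == ev["src_ip"] and timedelta(0) <= delta <= window:
                pairs.append((hit, ev))
    return pairs


# Constructed sample data. Cookie hash, nonce and usernames are placeholders.
T0 = datetime(2026, 6, 1, 12, 0, 0)
SAMPLE_REQUESTS = [
    {"ts": T0, "method": "POST", "src_ip": "203.0.113.10",
     "url": "/?action=wpgmp_temp_access_ajax",
     "body": "check_temp=false&fc-call-nonce=PLACEHOLDER_NONCE",
     "cookies": []},
    {"ts": T0 + timedelta(minutes=5), "method": "POST", "src_ip": "198.51.100.7",
     "url": "/wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax",
     "body": "check_temp=true",
     "cookies": ["wordpress_logged_in_PLACEHOLDERHASH=editor%7Cexample"]},
    {"ts": T0 + timedelta(minutes=6), "method": "GET", "src_ip": "192.0.2.44",
     "url": "/?page_id=2", "body": "", "cookies": []},
]
SAMPLE_AUDIT = [
    {"ts": T0 + timedelta(seconds=45), "event": "user_register", "role": "administrator",
     "user": "maintenance", "src_ip": "203.0.113.10"},
    {"ts": T0 + timedelta(minutes=30), "event": "user_register", "role": "subscriber",
     "user": "newreader", "src_ip": "192.0.2.44"},
]

if __name__ == "__main__":
    hits = flag_requests(SAMPLE_REQUESTS)
    for hit, ev in correlate_admin_creation(hits, SAMPLE_AUDIT):
        print(f"{ev['ts']} admin '{ev['user']}' created {ev['ts'] - hit['ts']} "
              f"after {hit['severity']}-severity hit from {hit['src_ip']}")
```

Because the nonce is readable from the page's frontend JS, a valid fc-call-nonce in the body is not evidence of authorization; the cookie check and the admin-creation correlation carry the signal, which is why the script keys on those rather than on the nonce value.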
3. Operation Dragon Weave — Azure Blob C2 Espionage
TL;DR: Seqrite disclosed a China-linked espionage campaign using spear-phishing to deliver AZUREVEIL, an AdaptixC2 agent that uses Azure Blob Storage as a dead-drop C2 channel, targeting Czech and Taiwanese government/research sectors.
What’s New:
- Published May 29 by Seqrite Labs; amplified June 1
- AZUREVEIL: 36-command AdaptixC2 agent using Azure Blob Storage dead-drop C2
- RUSTCLOAK: Rust-based loader stage preceding AZUREVEIL deployment
- Two delivery paths: LNK-based execution and executable-based delivery via ZIP
- Targets: government, research, academic, technology, financial services in Czech Republic and Taiwan
- Region-specific lure documents indicate targeted operation
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Azure Blob Storage C2 (*.blob.core.windows.net) | C2 channel | T1102.002 | Proxy/CASB | Monitor anomalous Azure Blob traffic from non-cloud endpoints |
| LNK files masquerading as PDF in ZIP | Delivery | T1566.001, T1204.002 | Email gateway/EDR | Block LNK in ZIP attachments |
| RUSTCLOAK Rust loader | Malware | T1059 | EDR/Sysmon | Hunt for unsigned Rust binaries with Azure Blob callbacks |
| AdaptixC2 framework indicators | C2 | T1071.001 | EDR/NDR | Profile AdaptixC2 beacon patterns |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need Azure Blob dead-drop C2 traffic anomaly detection |
| Elastic | Suspicious LNK File Execution (partial) | Need AZUREVEIL/AdaptixC2 behavioral signatures |
| Sigma | proc_creation_win_lnk_susp_execution.yml (partial) | Need Rust loader + Azure Blob exfil chain rule |
Sources: Seqrite Labs, TheHackerNews
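The Actionable Intel row for Azure Blob Storage asks for monitoring of anomalous *.blob.core.windows.net traffic from non-cloud endpoints, and the Detection table records that no rule set covers the dead-drop pattern. The script below is an added example (not Seqrite's code or an AdaptixC2 signature) of one way to surface that pattern from proxy logs: it groups Blob requests by source and storage account, skips an allowlist of hosts that legitimately use Blob Storage, and flags sessions whose GET polling interval is nearly constant, which is what a tasking-channel poll looks like regardless of the agent. The log lines, their column layout, the storage account name and the allowlist are all constructed for the example.

```python
"""Surface beacon-like polling of Azure Blob Storage from endpoints that should
not be talking to it (added example; constructed proxy log lines)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

BLOB_SUFFIX = ".blob.core.windows.net"
# Hosts with a legitimate reason to reach Blob Storage (backup, CI). Constructed.
ALLOWLIST = {"10.1.9.5"}

# Assumed proxy log layout: "YYYY-MM-DD HH:MM:SS src_ip method host path bytes"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, nbytes = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "method": method.upper(), "host": host.lower(), "path": path,
            "bytes": int(nbytes)}


def find_blob_beacons(lines, min_polls=5, max_cv=0.25):
    """Group Blob requests by (src, host); flag sessions whose GET inter-request
    intervals have a low coefficient of variation (near-constant polling)."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["host"].endswith(BLOB_SUFFIX) or rec["src"] in ALLOWLIST:
            continue
        sessions[(rec["src"], rec["host"])].append(rec)

    findings = []
    for (src, host), recs in sessions.items():
        polls = sorted(r["ts"] for r in recs if r["method"] == "GET")
        if len(polls) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            # Uploads alongside periodic polling is the two-way dead-drop shape.
            uploads = sum(1 for r in recs if r["method"] in ("PUT", "POST"))
            findings.append({"src": src, "host": host, "polls": len(polls),
                             "uploads": uploads, "mean_interval_s": round(mean, 1),
                             "cv": round(cv, 3)})
    return findings


# Constructed proxy log: a workstation polling one container every ~60 s plus one
# upload, an allowlisted CI server, one-off browsing, and non-Blob traffic.
SAMPLE_LOG = """
2026-06-01 10:00:00 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:01:02 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:01:59 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:02:30 10.1.2.34 PUT acme-dropbox-01.blob.core.windows.net /results/host1 4096
2026-06-01 10:03:01 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:04:00 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:05:03 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:05:58 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:07:01 10.1.2.34 GET acme-dropbox-01.blob.core.windows.net /tasks/host1 312
2026-06-01 10:00:10 10.1.9.5 PUT ci-artifacts.blob.core.windows.net /builds/123 917504
2026-06-01 10:01:10 10.1.9.5 PUT ci-artifacts.blob.core.windows.net /builds/124 917504
2026-06-01 10:02:10 10.1.9.5 PUT ci-artifacts.blob.core.windows.net /builds/125 917504
2026-06-01 10:03:10 10.1.9.5 PUT ci-artifacts.blob.core.windows.net /builds/126 917504
2026-06-01 10:04:10 10.1.9.5 PUT ci-artifacts.blob.core.windows.net /builds/127 917504
2026-06-01 10:02:44 10.1.2.50 GET publicdocs.blob.core.windows.net /brochure.pdf 204800
2026-06-01 10:03:15 10.1.2.34 GET www.example.com /index.html 1024
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_blob_beacons(SAMPLE_LOG):
        print(finding)
```

The interval test is deliberately agent-agnostic: it will also catch a sync client polling a private container on a fixed timer, so treat a finding as a lead to check against the endpoint's installed software and the storage account's owner (Azure tenant, or an unknown third party) rather than as a verdict.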
Status Updates
- CVE-2026-41091/CVE-2026-45498 (Windows Defender RedSun/UnDefend): CISA KEV federal deadline TOMORROW June 3. Patch to Engine 1.1.26040.8 / Platform 4.18.26040.7. ITW chained exploitation confirmed by Huntress. Original brief.
- CVE-2026-41089 (Windows Netlogon DC RCE): ITW exploitation ongoing via CLDAP to UDP/389. Patch from May 13 Patch Tuesday. 0patch available for EOL Server 2012/R2. Original brief.