Cyber Threat Brief — June 23 2026
1. Prinz Eugen Ransomware — No CVE
TL;DR: New Go-based ransomware group disclosed today by Threatdown/Malwarebytes. Uses RemotePC RMM for persistence, prioritizes recently modified files, and leaves no ransom note — complicating attribution and response.
What’s New:
- BleepingComputer and Threatdown published full analysis June 22-23
- Initial access via stolen RDP credentials, manual servertool.exe deployment
- RemotePC RMM tool + backdoor admin account for persistence
- ChaCha20-Poly1305 encryption with Argon2id/SHA-256/HKDF key derivation
- Prioritizes recently modified files (most business-critical), then alphabetical
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| servertool.exe | Payload binary | T1486 | EDR / Sysmon EID 1 | Alert on unknown servertool.exe execution |
| RemotePC RMM installation | Persistence tool | T1219 | EDR / AppLocker / Software inventory | Hunt for unauthorized RemotePC installs |
| Backdoor admin account creation | Persistence | T1136.001 | Windows Security EID 4720 | Alert on unexpected local admin creation |
| RDP brute-force / credential stuffing | Initial access | T1078 | Windows Security EID 4625/4624 | Monitor failed RDP logons |
| ChaCha20-Poly1305 encrypted files | Encryption | T1486 | File integrity monitoring | Alert on mass file modification patterns |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Remote Desktop Process Running On System (generic) | No Prinz Eugen-specific rule; need servertool.exe + RemotePC correlation |
| Elastic | Unauthorized RMM Tool Installation (generic) | No RemotePC-specific rule |
| Sigma | proc_creation_win_susp_remote_desktop_tools.yml (partial) | Need rule for servertool.exe process with ChaCha20 file I/O pattern |
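The Detection table above notes the missing correlation between the RDP brute-force, the backdoor account and the servertool.exe execution. The script below is an added example of that correlation, written for this brief and not taken from Threatdown, BleepingComputer or any SIEM vendor. It runs over constructed event records (simplified dicts with the Security/Sysmon fields the rule needs, not real EVTX output); the 30-minute window, the five-failure threshold and the host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Payload name from the brief; compared case-insensitively.
SUSPECT_IMAGES = {"servertool.exe"}

# Constructed sample telemetry (not real EVTX output): each record is one
# Windows Security or Sysmon event reduced to the fields the rule needs.
SAMPLE_EVENTS = [
    # six failed RDP logons (LogonType 10) from one source within a minute
    *[{"ts": f"2026-06-22T01:00:{s:02d}", "host": "FS01", "EventID": 4625,
       "LogonType": 10, "IpAddress": "203.0.113.9"} for s in range(0, 60, 10)],
    # a successful RDP logon from the same source shortly after
    {"ts": "2026-06-22T01:02:00", "host": "FS01", "EventID": 4624,
     "LogonType": 10, "IpAddress": "203.0.113.9", "TargetUserName": "svc_backup"},
    # a new local account created by that session (the backdoor admin)
    {"ts": "2026-06-22T01:05:00", "host": "FS01", "EventID": 4720,
     "TargetUserName": "support", "SubjectUserName": "svc_backup"},
    # Sysmon process creation of the payload from a user-writable path
    {"ts": "2026-06-22T01:07:00", "host": "FS01", "EventID": 1,
     "Image": r"C:\Users\svc_backup\Downloads\servertool.exe"},
    # a clean host with a single ordinary RDP logon
    {"ts": "2026-06-22T01:00:00", "host": "WS22", "EventID": 4624,
     "LogonType": 10, "IpAddress": "10.0.5.14", "TargetUserName": "alice"},
]


def correlate(events, threshold=5, window=timedelta(minutes=30)):
    """Return {host: [stages seen]} for hosts matching the chain.

    Stages 3 and 4 are only evaluated after a successful logon from a
    bursting IP, which keeps a lone 4720 (routine admin work) from firing
    here; the standalone 4720 alert in the table covers that case.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, _ts=datetime.fromisoformat(e["ts"])))

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["_ts"])
        stages = []

        # Stage 1: a burst of failed RDP logons from a single source IP
        failed = defaultdict(list)
        for e in evs:
            if e["EventID"] == 4625 and e.get("LogonType") == 10:
                failed[e["IpAddress"]].append(e["_ts"])
        burst_ips = {ip for ip, ts in failed.items()
                     if len(ts) >= threshold and ts[-1] - ts[0] <= window}
        if burst_ips:
            stages.append("rdp_bruteforce")

        # Stage 2: a successful RDP logon from one of those IPs
        successes = [e["_ts"] for e in evs
                     if e["EventID"] == 4624 and e.get("LogonType") == 10
                     and e.get("IpAddress") in burst_ips]
        if successes:
            stages.append("rdp_success_after_failures")
            t0 = successes[0]
            later = [e for e in evs if t0 <= e["_ts"] <= t0 + window]

            # Stage 3: a local account created within the window
            if any(e["EventID"] == 4720 for e in later):
                stages.append("local_account_created")

            # Stage 4: Sysmon EID 1 for a known payload name within the window
            if any(e["EventID"] == 1 and
                   ntpath.basename(e.get("Image", "")).lower() in SUSPECT_IMAGES
                   for e in later):
                stages.append("suspect_process")

        if stages:
            findings[host] = stages
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Each stage maps to one row of the Actionable Intel table (EID 4625/4624, EID 4720, Sysmon EID 1), so a host reaching all four is the correlation the Splunk and Sigma gaps describe; in a SIEM the same logic would be a join on host and source IP over the window rather than an in-memory pass.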
Sources: BleepingComputer, Threatdown
2. AryStinger Botnet — 4,300+ Routers Compromised
TL;DR: QiAnXin XLab disclosed a new botnet hijacking legacy D-Link and QNAP devices via Realtek RTL819X chip vulnerabilities. Infected routers serve as recon proxies — scanning, fingerprinting, and tunneling attack traffic.
What’s New:
- 4,300+ confirmed infections, count rising; 48.5% South Korea, 31.8% China
- Two variants: C-based (routers) and Go-based (NAS)
- Exploits CVE-2013-3307, CVE-2016-5681, CVE-2025-11837 (QNAP code injection)
- Recon capabilities: internet scanning, subdomain enumeration, traffic tunneling, command execution
- All targeted devices are EoL with no vendor patches forthcoming
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ajb8.com and related subdomains | C2 domain | T1071.001 | DNS logs / proxy | Block and hunt |
| syswapd0h | Process name (C variant) | T1059 | Router/NAS process monitoring | Hunt on managed network devices |
| syswapd0w | Process name (Go variant) | T1059 | Router/NAS process monitoring | Hunt on managed network devices |
| /tmp/bin/* | Implant directory | T1105 | File integrity monitoring | Alert on binaries in /tmp/bin on routers |
| Outbound scanning from internal routers | Lateral recon | T1046 | NetFlow / firewall logs | Alert on router IPs initiating port scans |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for IoT/router botnet C2 patterns; need DNS query alert for ajb8.com |
| Elastic | None | No coverage for router-sourced scanning activity |
| Sigma | None | No IoT botnet process detection rules |
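Two of the hunts above (the ajb8.com DNS query alert and router IPs initiating port scans) have no vendor rule. The block below is an added example of both, written for this brief rather than taken from XLab or any detection vendor. The C2 domain comes from the brief; the managed-router addresses, the NetFlow-style records, the fan-out thresholds and the 60-second window are constructed assumptions.

```python
from collections import defaultdict

# Indicator from the brief; queries are suffix-matched so subdomains hit too.
C2_DOMAINS = {"ajb8.com"}

# Router/NAS addresses under management: an assumption for the example.
MANAGED_ROUTERS = {"10.0.0.1", "10.0.0.2"}


def matches_c2(qname, domains=C2_DOMAINS):
    """True if a DNS query name is a C2 domain or any subdomain of one.
    Matching on the label boundary avoids a 'notajb8.com' false hit."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def detect_router_scans(flows, router_ips, port_threshold=20,
                        host_threshold=20, window_s=60):
    """Flag managed routers whose outbound flows fan out like a scanner.

    flows: iterable of (ts_seconds, src_ip, dst_ip, dst_port).
    Returns {router_ip: [finding, ...]}. Uses tumbling windows of window_s
    seconds; a sliding window would also catch scans straddling a boundary.
    """
    ports_by = defaultdict(set)   # (src, window, dst)  -> distinct dst ports
    hosts_by = defaultdict(set)   # (src, window, port) -> distinct dst hosts
    for ts, src, dst, port in flows:
        if src not in router_ips:      # rule scope: router-sourced traffic only
            continue
        w = ts // window_s
        ports_by[(src, w, dst)].add(port)
        hosts_by[(src, w, port)].add(dst)

    findings = defaultdict(list)
    for (src, w, dst), ports in ports_by.items():
        if len(ports) >= port_threshold:
            findings[src].append(
                f"vertical scan: {len(ports)} ports on {dst} (window {w})")
    for (src, w, port), dsts in hosts_by.items():
        if len(dsts) >= host_threshold:
            findings[src].append(
                f"horizontal scan: {len(dsts)} hosts on port {port} (window {w})")
    return dict(findings)


def _sample_flows():
    """Constructed NetFlow-style records (RFC 1918 and documentation ranges)."""
    flows = []
    # router 10.0.0.1 walks 30 ports on one internal host within one window
    flows += [(1020 + i, "10.0.0.1", "10.0.1.5", port)
              for i, port in enumerate(range(1, 31))]
    # the same router then probes port 22 on 25 different hosts
    flows += [(1080 + i, "10.0.0.1", f"10.0.2.{i + 1}", 22) for i in range(25)]
    # router 10.0.0.2 only talks DNS and NTP upstream: benign
    flows += [(1020, "10.0.0.2", "198.51.100.53", 53),
              (1025, "10.0.0.2", "198.51.100.53", 53),
              (1030, "10.0.0.2", "198.51.100.123", 123)]
    # a workstation scanning is out of scope for this rule (not a router)
    flows += [(1020, "10.0.5.20", "10.0.1.5", port) for port in range(1, 31)]
    return flows


SAMPLE_FLOWS = _sample_flows()
SAMPLE_DNS = ["update.ajb8.com.", "cdn.ajb8.com", "notajb8.com", "example.org"]

if __name__ == "__main__":
    print([q for q in SAMPLE_DNS if matches_c2(q)])
    for router, hits in detect_router_scans(SAMPLE_FLOWS, MANAGED_ROUTERS).items():
        print(router, hits)
```

The scan rule keys on the source being a router: an EoL D-Link or QNAP device should never originate wide port or host fan-out, so the thresholds can be far lower than for a general-purpose scan detector and still stay quiet on upstream DNS/NTP traffic.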
Sources: The Hacker News, BleepingComputer, Malwarebytes
3. libssh2 Pre-Auth RCE — CVE-2026-55200
TL;DR: CVSS 9.2 heap overflow in libssh2’s ssh2_transport_read() enables pre-auth RCE on all versions through 1.11.1. No official patched release yet — only commit-level fixes on GitHub master. Millions of systems potentially affected.
What’s New:
- Disclosed June 17 by Tristan Madani; fix commits merged but no release cut
- Companion CVE-2026-55199 (CVSS 8.2 DoS) affects same key-exchange phase
- Out-of-bounds write triggered by oversized packet_length field in SSH transport layer
- Low complexity, no auth required, no user interaction — network-reachable SSH is the only prerequisite
- Embedded in curl, libgit2, Ansible, WinSCP, and countless enterprise tools
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| libssh2 <= 1.11.1 | Vulnerable version | T1190 | Software inventory / SBOM | Identify and prioritize patching |
| Oversized SSH_MSG_KEXINIT packets | Exploit trigger | T1190 | Network IDS (Suricata/Zeek) | Alert on abnormally large SSH handshake packets |
| SSH connections to non-standard ports | Recon/exploit delivery | T1190 | NetFlow / firewall logs | Baseline SSH traffic patterns |
| Commit 97acf3d (CVE-2026-55200 fix) | Patch reference | — | — | Apply from source if vendor release unavailable |
| Commit 1762685 (CVE-2026-55199 fix) | Patch reference | — | — | Apply from source if vendor release unavailable |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No libssh2 version detection or SSH protocol anomaly rules |
| Elastic | None | No coverage for SSH handshake anomalies |
| Sigma | None | Need Suricata/Zeek rule for oversized SSH_MSG_KEXINIT |
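The Sigma gap asks for a rule on oversized handshake packets. The block below is an added example, not libssh2 code and not the fix commits, of the bounds a transport reader or a Suricata/Zeek-style sensor should enforce on the SSH binary packet header (RFC 4253 §6) before trusting packet_length. The 35000-byte cap is taken from the size RFC 4253 §6.1 requires implementations to handle and is used as a hard limit here as an assumption; the sample packets are constructed, with zeroed rather than random padding.

```python
import struct

# RFC 4253 §6.1 requires every implementation to handle packets up to 35000
# bytes; treating it as a hard cap is this example's assumption. Real
# implementations pick their own (often larger) limit but must enforce one.
MAX_PACKET_LEN = 35000
MIN_PADDING, MAX_PADDING = 4, 255   # RFC 4253 §6


class SSHPacketError(ValueError):
    """Malformed or out-of-bounds SSH binary packet header."""


def validate_header(header, block_size=8):
    """Check the 5-byte header (uint32 packet_length, byte padding_length)
    before anything is allocated or copied on its basis."""
    if len(header) < 5:
        raise SSHPacketError("header too short")
    packet_length, padding_length = struct.unpack("!IB", header[:5])
    if packet_length > MAX_PACKET_LEN:
        raise SSHPacketError(
            f"packet_length {packet_length} exceeds limit {MAX_PACKET_LEN}")
    if not MIN_PADDING <= padding_length <= MAX_PADDING:
        raise SSHPacketError(f"padding_length {padding_length} out of range")
    if packet_length < padding_length + 1:
        raise SSHPacketError("packet_length smaller than padding_length + 1")
    if (packet_length + 4) % block_size:
        raise SSHPacketError("packet length not a multiple of the block size")
    return packet_length, padding_length


def read_packet(buf, block_size=8):
    """Return (payload, bytes_consumed) for one unencrypted pre-KEX packet,
    or None if the buffer does not yet hold the whole packet. No MAC is
    present before keys are established, so none is read."""
    if len(buf) < 5:
        return None
    packet_length, padding_length = validate_header(buf, block_size)
    total = 4 + packet_length
    if len(buf) < total:
        return None                      # wait for more data, never over-read
    payload = buf[5:5 + packet_length - 1 - padding_length]
    return payload, total


def build_packet(payload, block_size=8):
    """Frame a payload per RFC 4253 §6 with the minimum compliant padding
    (zeroed here for reproducibility; real padding is random)."""
    padding = block_size - (5 + len(payload)) % block_size
    if padding < MIN_PADDING:
        padding += block_size
    packet_length = 1 + len(payload) + padding
    return struct.pack("!IB", packet_length, padding) + payload + bytes(padding)


def triage(packets):
    """Classify raw packets as a sensor would: 'ok', 'incomplete', or 'reject: <why>'."""
    results = []
    for raw in packets:
        try:
            results.append("ok" if read_packet(raw) else "incomplete")
        except SSHPacketError as exc:
            results.append(f"reject: {exc}")
    return results


# Constructed samples: a KEXINIT-shaped payload (msg 20, 16-byte cookie, ten
# empty name-lists, first_kex_packet_follows, reserved), a header claiming a
# 4 GiB packet_length, and a valid packet cut off mid-way.
SSH_MSG_KEXINIT = 20
KEXINIT_PAYLOAD = (bytes([SSH_MSG_KEXINIT]) + bytes(16)
                   + struct.pack("!I", 0) * 10 + b"\x00" + struct.pack("!I", 0))
GOOD = build_packet(KEXINIT_PAYLOAD)
OVERSIZED = struct.pack("!IB", 0xFFFFFFFF, MIN_PADDING) + bytes(16)
TRUNCATED = GOOD[:20]
SAMPLES = [GOOD, OVERSIZED, TRUNCATED]

if __name__ == "__main__":
    for verdict in triage(SAMPLES):
        print(verdict)
```

The point of the three checks before any copy is that a reader which sizes a buffer from packet_length and then reads is exactly the pattern an oversized field abuses; a sensor rule for the Suricata/Zeek gap only needs the first comparison (packet_length against the cap) on the first packet after the version exchange.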
Sources: GBHackers, CyberPress, GitHub Advisory GHSA-r8mh-x5qv-7gg2
4. Squidbleed Proxy Memory Leak — CVE-2026-47729
TL;DR: Heartbleed-style heap overread in Squid’s FTP gateway leaks other users’ HTTP headers, cookies, and credentials to any trusted proxy client. Bug is 29 years old, affects all versions in default config, and the fix hasn’t shipped yet (scheduled for 7.7).
What’s New:
- Calif.io disclosure this week; named “Squidbleed” after Heartbleed parallel
- Bug traces to January 1997 commit in FTP directory listing parser
- Squid 7.6 did NOT include the fix despite initial claims — real patch in 7.7
- Attacker needs proxy access + controlled FTP server to trigger heap read
- Only cleartext HTTP and TLS-terminating configs exposed (HTTPS CONNECT tunnels safe)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| FTP gateway traffic through Squid | Attack vector | T1557 | Squid access logs | Audit FTP PASV/LIST requests through proxy |
| ftp:// URLs in proxy logs | Trigger indicator | T1557 | Squid access logs / proxy | Hunt for unexpected FTP requests |
| Squid versions < 7.7 | Vulnerable software | T1190 | Software inventory | Identify and plan upgrade |
| http_access deny for FTP | Mitigation config | — | Squid config | Disable FTP gateway if not needed |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Squid FTP gateway anomaly detection |
| Elastic | None | No proxy memory leak detection |
| Sigma | None | Need rule for FTP-via-HTTP-proxy traffic patterns |
Sources: Calif.io, The Hacker News, SecurityWeek
Status Updates
- CVE-2026-7473 (Arista EOS): CISA KEV federal deadline TODAY June 23. No patch planned by Arista — ACL mitigation only. Original brief.
- CVE-2026-11645 (Chrome V8): CISA KEV federal deadline TODAY June 23. Patched in Chrome 149.0.7827.102/.103. Original brief.
- CVE-2026-20245 (Cisco SD-WAN Manager): CISA KEV federal deadline TODAY June 23. Zero-day exploitation confirmed by Mandiant. No patch available. Original brief.
- CVE-2026-20253 (Splunk Enterprise): CISA KEV deadline passed June 21. First Splunk CVE on KEV. Active ITW exploitation. Patch to 10.4.0/10.2.4/10.0.7 immediately. Original brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Microsoft confirmed working on fix since June 16, no timeline. WDAC/AppLocker remains primary mitigation. Original brief.