Cyber Threat Brief — June 28 2026
⚠️ This report is AI-generated. Always validate findings.
1. Turla STOCKSTAY Backdoor — Ukraine Gov/Military Espionage
TL;DR: GTIG disclosed a previously undocumented .NET backdoor (STOCKSTAY) used by Turla against Ukrainian government/military since late 2022, with full IOC set including file hashes, C2 WebSocket URLs, and phishing infrastructure.
What’s New:
- GTIG blog published June 26 with complete technical analysis and IOCs
- Multi-component .NET backdoor (STOCKMARKET orchestrator, STOCKBROKER tunneler, STOCKTRADER collector) communicating via WebSocket C2 over `wss://` to glitch.me and theworkpc.com domains
- Environmental keying: uses target hostname/domain hash as decryption key for config, preventing sandbox analysis
- Latest wave (Nov 2025) delivers via RAR archives exploiting CVE-2025-8088 (WinRAR)
- GitHub repo `ChikenFresh/google-ai-labs-it` identified hosting Python C2 controller
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| wss://wool-basalt-clock.glitch.me/ws | WebSocket C2 | T1071.001 | Proxy / NGFW / DNS | Block |
| wss://weatherdataai.theworkpc.com/ws | WebSocket C2 | T1071.001 | Proxy / NGFW / DNS | Block |
| wool-basalt-clock.glitch.me | C2 domain | T1071.001 | DNS logs | Hunt |
| weatherdataai.theworkpc.com | C2 domain | T1071.001 | DNS logs | Hunt |
| 1fc23ec18a94a599a34c74ef5f49a1e27acd37a07d5846661702b5e7e81a6a24 | SHA-256 (StockMarketNews.exe) | T1059.001 | EDR | Hunt |
| 9fe944147c15a87963b06baf6473288d64c23655a0ba9369c35566272d8efc73 | SHA-256 (docs.zip) | T1204.002 | EDR / email gateway | Block |
| dfd5cb91d06b9649d4cab500343af80ad1144a9e46641cc406f43dd169003c22 | SHA-256 (SMNet.exe — STOCKBROKER) | T1090 | EDR | Hunt |
| 2af7b513c05e76d7da5f75bb0a223c894a706c99ef2c2ddfe4eae542f95a08e0 | SHA-256 (StockMarketView.exe — STOCKMARKET) | T1059.001 | EDR | Hunt |
| d3fd32f915c239872c9e7ed9408b1f36dfcef03aa68f9a396d05c437667cdb43 | SHA-256 (ClientMNGR2.exe — K1MORPHER obfuscated) | T1027.002 | EDR | Hunt |
| 98ce3c6e4dd05887ea619f2bbfeb2e2c2805ed07e85e119b79b828b7ef8be397 | SHA-256 (GR3.exe — K1MORPHER obfuscated) | T1027.002 | EDR | Hunt |
| .NET process using `WM_COPYDATA` IPC + WebSocket outbound | Behavioral | T1559 | EDR / Sysmon EID 8 | Hunt |
| Academic/diplomatic-themed .rdp or .rar email attachments | Delivery | T1566.001 | Email gateway | Block |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No STOCKSTAY-specific rule; need WebSocket C2 detection + .NET WM_COPYDATA IPC pattern |
| Elastic | None | No STOCKSTAY-specific rule; need .NET AppDomainManager injection detection |
| Sigma | net_connection_win_susp_outbound_wss.yml (community, partial) | Need STOCKSTAY-specific WebSocket URI pattern match |
Sources: GTIG Blog · The Hacker News · The Record
2. Amazon Q Developer MCP Auto-Exec — CVE-2026-12957
TL;DR: Amazon Q Developer IDE extension auto-loaded MCP server configs from cloned repos without consent, enabling cloud credential theft via a single malicious .amazonq/mcp.json file. Fixed in Language Server 1.65.0+.
What’s New:
- Wiz disclosure June 26 with full PoC demonstrating AWS credential theft from a poisoned repo
- `.amazonq/mcp.json` auto-executed on project open — no prompt, no workspace trust check
- MCP server processes inherited developer’s full environment (AWS keys, CLI tokens, SSH agent)
- CVSS 8.5 — attack requires only `git clone` + opening project in VS Code with Amazon Q extension
- Similar flaws reported in Claude Code, Cursor, and Windsurf around same time period
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| .amazonq/mcp.json in untrusted repos | Malicious config | T1195.001 | Git pre-commit hooks / repo scanning | Block |
| Amazon Q Language Server < 1.65.0 | Vuln version | T1203 | Software inventory | Patch to 1.69.0 |
| Unexpected sts:GetCallerIdentity from developer workstations | Credential abuse | T1078.004 | AWS CloudTrail | Hunt |
| MCP server spawning unexpected child processes | Behavioral | T1059 | EDR / process telemetry | Hunt |
| Outbound connections from MCP server processes to non-AWS endpoints | Exfil | T1041 | NGFW / proxy | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for IDE MCP config auto-execution abuse |
| Elastic | None | No rule for MCP config auto-loading in IDE extensions |
| Sigma | None | Need rule for .amazonq/mcp.json creation + process spawn from IDE context |
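The repo-scanning action in the Actionable Intel table can be automated before a cloned project is ever opened in the IDE. This is an added example, not code from Wiz or Amazon: it checks a checkout for `.amazonq/mcp.json`, parses it under the assumption that the file uses the common MCP client layout (a top-level `mcpServers` object whose entries carry `command`, `args` and `env`), and reports every command the extension would have launched plus any environment variable names that look credential-related (the `SENSITIVE_ENV_HINTS` list is an illustrative assumption).

```python
import json
import os

# Config path the brief says Amazon Q auto-loaded from a cloned repo.
MCP_CONFIG_RELPATH = os.path.join(".amazonq", "mcp.json")
# Substrings that make an env var name worth flagging (assumption, chosen for illustration).
SENSITIVE_ENV_HINTS = ("AWS_", "TOKEN", "SECRET", "KEY", "SSH_AUTH_SOCK")

def audit_mcp_config(text: str):
    """Parse mcp.json text (assumed 'mcpServers' layout) and return a list of findings."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"unparseable mcp.json ({exc.msg}); treat as suspicious"]
    servers = cfg.get("mcpServers") if isinstance(cfg, dict) else None
    if not isinstance(servers, dict):
        return ["no mcpServers object found; inspect file manually"]
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            continue
        cmd = str(spec.get("command", ""))
        args = " ".join(map(str, spec.get("args", [])))
        findings.append(f"server '{name}' would run: {cmd} {args}".rstrip())
        for key in spec.get("env", {}):
            if any(h in key.upper() for h in SENSITIVE_ENV_HINTS):
                findings.append(f"server '{name}' sets sensitive-looking env var {key}")
    return findings

def scan_repo(repo_root: str):
    """Return findings for a checkout, or [] when no Amazon Q MCP config is present."""
    path = os.path.join(repo_root, MCP_CONFIG_RELPATH)
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [f"{MCP_CONFIG_RELPATH} present in untrusted repo"] + audit_mcp_config(fh.read())

# Constructed sample config for a stand-alone run (not the Wiz PoC).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "helper": {"command": "npx", "args": ["-y", "some-package"],
                   "env": {"AWS_PROFILE": "default", "LOG_LEVEL": "info"}}
    }
})

if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run `scan_repo(path)` from a pre-open hook or CI job and refuse to open the project in the IDE until a human has reviewed every reported command.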
Sources: Wiz Blog · The Hacker News · The Register
Status Updates
- CVE-2026-12569 (PTC Windchill/FlexPLM): CISA KEV federal deadline TODAY June 28. Active exploitation deploying JSP webshells ongoing. Original brief.
- CVE-2026-20262 (Cisco SD-WAN Manager): CISA KEV federal deadline TOMORROW June 29. Zero-day file write exploitation confirmed. Original brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED — 12 days since CVE assignment, no Microsoft timeline. 7th Defender zero-day in 10 weeks. Original brief.
- CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. Original brief.