Cyber Threat Brief — July 5 2026

⚠️ This report is AI-generated. Always validate findings.

1. Bad Epoll Linux Kernel LPE — CVE-2026-46242

TL;DR: A race-condition use-after-free in the Linux kernel’s epoll subsystem lets an unprivileged local user gain root on servers, desktops, and Android (kernel v6.4+). The public PoC achieves a 99% success rate despite a 6-instruction timing window.

What’s New:

  • Disclosed July 3 by Jaeyoung Chung (Seoul National University CompSec Lab); PoC on GitHub
  • UAF in ep_remove() — clears file->f_ep under file->f_lock but continues using the file object during hlist_del_rcu() and spin_unlock()
  • Affects mainline Linux v6.4+, Android 6.6-series kernels (current Pixel hardware confirmed)
  • Patch in kernel mainline since April 24, but most distros have NOT shipped backports
  • Companion bug CVE-2026-43074 in same 2023 commit was caught by Anthropic’s Mythos AI; this one was missed

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ep_remove() UAF trigger via mutual epoll fd monitoring | Exploit technique | T1068 | Linux audit, syslog | Patch kernel (v6.4+ branches) to a build that includes the fix commit |
| Anomalous root process from low-priv parent | Behavioral IOC | T1068 | EDR, auditd (execve) | Hunt for unexpected UID 0 transitions |
| New setuid binaries post-exploitation | Post-exploit indicator | T1548.001 | auditd, AIDE/OSSEC | Baseline setuid binaries, alert on changes |
| /proc/sys/kernel/unprivileged_userns_clone = 1 | Prerequisite check | T1068 | sysctl audit | Disable user namespaces if not needed |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for epoll UAF exploitation or anomalous UID 0 transitions from unprivileged parents |
| Elastic | None | No rule specific to kernel UAF exploitation indicators |
| Sigma | None | No community rule yet for Bad Epoll |
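
The "hunt for unexpected UID 0 transitions" action above is the gap every listed rule source leaves open. The following is an added example written for this brief, not code from the researcher, the PoC or any vendor: it walks auditd execve records, remembers each process's credentials by pid, and flags a root exec whose parent ran unprivileged and which did not pass through an allowlisted setuid helper. The audit rule, the allowlist and the trimmed sample records are assumptions constructed for the illustration.

```python
"""Hunt for unexpected UID 0 transitions in auditd execve records.

Added example, not from the brief or any vendor tool. It assumes auditd logs
execve with a rule like `-a always,exit -F arch=b64 -S execve -k execve`,
so every SYSCALL record carries ppid/pid/uid/euid/exe fields.
"""
import re
from typing import Dict, List, Tuple

# Setuid helpers that legitimately produce a root child from an unprivileged
# parent. Assumed starting allowlist: replace it with your own setuid baseline.
SETUID_ALLOWLIST = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec", "/usr/bin/doas"}

# execve (59) and execveat (322) syscall numbers on x86_64.
EXEC_SYSCALLS = {"59", "322"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into key/value fields, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_root_transitions(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (pid, exe, parent_exe) for each root exec whose parent ran with a
    non-zero euid and whose own binary is not an allowlisted setuid helper.

    Pid reuse is not handled: a long-running hunt should key on pid plus the
    audit timestamp of the parent's exec.
    """
    procs: Dict[str, Dict[str, str]] = {}  # pid -> most recent execve record
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in EXEC_SYSCALLS:
            continue
        parent = procs.get(rec["ppid"])
        if (
            rec.get("euid") == "0"
            and parent is not None
            and parent.get("euid") != "0"
            and rec["exe"] not in SETUID_ALLOWLIST
        ):
            alerts.append((rec["pid"], rec["exe"], parent["exe"]))
        procs[rec["pid"]] = rec
    return alerts


# Constructed sample: trimmed auditd SYSCALL lines showing a legitimate sudo
# path, then a root shell spawned directly by an unprivileged process.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1783468800.101:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=1700 pid=1834 auid=1000 uid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="execve"
type=SYSCALL msg=audit(1783468800.205:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=1834 pid=1901 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="execve"
type=SYSCALL msg=audit(1783468800.310:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=1901 pid=1902 auid=1000 uid=0 euid=0 comm="apt" exe="/usr/bin/apt" key="execve"
type=SYSCALL msg=audit(1783468801.400:4504): arch=c000003e syscall=59 success=yes exit=0 ppid=1834 pid=2201 auid=1000 uid=1000 euid=1000 comm="a.out" exe="/tmp/a.out" key="execve"
type=SYSCALL msg=audit(1783468802.900:4505): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2202 auid=1000 uid=0 euid=0 comm="sh" exe="/usr/bin/sh" key="execve"
"""


def main() -> None:
    for pid, exe, parent_exe in find_root_transitions(SAMPLE_AUDIT.splitlines()):
        print(f"ALERT pid={pid} exe={exe} became root under non-root parent {parent_exe}")


if __name__ == "__main__":
    main()
```

The sudo exec is suppressed because the new image is on the allowlist, and sudo's own root child is suppressed because its parent already had euid 0; only the shell under /tmp/a.out fires. Feed the function `ausearch -k execve --raw` output, and tune the allowlist from the setuid baseline the table recommends keeping.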

Sources: The Hacker News, CybersecurityNews, TechTimes, GitHub PoC


2. Anubis Ransomware via CitrixBleed 2 + BYOVD + Supply Chain Creds — CVE-2025-5777

TL;DR: Anubis ransomware (91 victims) exploits CitrixBleed 2 (CVE-2025-5777) for session hijack + MFA bypass on NetScaler, then deploys BYOVD to kill EDR. VECT/TeamPCP partnership feeds stolen supply chain credentials into the RaaS pipeline.

What’s New:

  • Arctic Wolf investigation published July 2: Anubis combines CVE-2025-5777 exploitation with RMM tool abuse and BYOVD
  • CVE-2025-5777 leaks session tokens from NetScaler memory via /p/u/doAuthentication.do endpoint, bypassing MFA
  • VECT/TeamPCP partnership: ~300GB of supply chain credentials from Trivy/LiteLLM compromises fed into ransomware operations
  • Splunk published CitrixBleed 2 detection blog with ESCU analytic story
  • Snort SID 65120 detects malformed POST to /p/u/doAuthentication.do
  • Post-exploit: Cloudflared tunnels, typosquatted C2 domains azuremicrosoft[.]us, promotds[.]us

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /p/u/doAuthentication.do malformed requests | Network IOC | T1190 | WAF, NetScaler logs | Deploy Snort SID 65120 |
| azuremicrosoft[.]us | C2 domain | T1071.001 | DNS, proxy | Block at DNS/proxy |
| promotds[.]us | C2 domain | T1071.001 | DNS, proxy | Block at DNS/proxy |
| VPS-origin VPN logins (not residential/business ISP) | Behavioral IOC | T1078 | VPN auth logs | Alert on VPS-hosted source IPs for VPN sessions |
| Multiple RMM tools deployed in short timeframe | Behavioral IOC | T1219 | EDR | Alert on >1 RMM install within 24h window |
| BYOVD vulnerable driver loading | Defense evasion | T1562.001 | Sysmon EID 6, EDR | Monitor for known vulnerable driver loads |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | CitrixBleed 2 Analytic Story (new) | Covers NetScaler exploitation; no BYOVD-specific rule for Anubis driver |
| Elastic | None specific | No CitrixBleed 2 rule |
| Sigma | SOC Prime CVE-2025-5777 rule (community) | Available via SOC Prime platform |
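
The ">1 RMM install within 24h window" action is a sliding-window distinct-count rule, which most SIEMs express differently but which is easy to prototype. The block below is an added example for this brief, not Arctic Wolf's or Splunk's code: it assumes an EDR export of software-install events in a constructed `timestamp,host,product` format and an assumed keyword list of RMM products, and raises one alert per host the first time two distinct RMM products land inside the window.

```python
"""Flag hosts that receive more than one distinct RMM tool within 24 hours.

Added example, not from the brief or any vendor. It assumes an EDR export of
software-install events as `timestamp,host,product` lines (constructed format).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed keyword list of RMM products; tune it to what your estate sanctions.
RMM_KEYWORDS = ("anydesk", "screenconnect", "atera", "splashtop",
                "teamviewer", "rustdesk", "simplehelp")

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_install_events(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Keep only install events whose product name matches an RMM keyword."""
    events = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, host, product = line.split(",", 2)
        name = next((k for k in RMM_KEYWORDS if k in product.lower()), None)
        if name:
            events.append((datetime.strptime(ts, TS_FMT), host, name))
    return events


def find_rmm_bursts(
    events: List[Tuple[datetime, str, str]],
    window: timedelta = timedelta(hours=24),
    threshold: int = 2,
) -> List[Tuple[str, str, List[str]]]:
    """Per host, alert once at the first moment the number of distinct RMM
    products seen inside `window` reaches `threshold`."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, name in sorted(events):
        by_host[host].append((ts, name))
    alerts: List[Tuple[str, str, List[str]]] = []
    for host, evs in by_host.items():
        for i, (ts, _) in enumerate(evs):
            recent = {n for t, n in evs[: i + 1] if t >= ts - window}
            if len(recent) >= threshold:
                alerts.append((host, ts.strftime(TS_FMT), sorted(recent)))
                break  # one alert per host is enough to open a case
    return alerts


# Constructed sample export: WS-042 gets two RMM tools 90 minutes apart,
# WS-007 gets two a month apart, SRV-01 gets one.
SAMPLE_EXPORT = """\
# timestamp,host,product (constructed)
2026-07-01T10:00:00Z,WS-042,AnyDesk 8.1.0
2026-07-01T10:05:00Z,WS-042,Google Chrome 126
2026-07-01T11:30:00Z,WS-042,ScreenConnect Client
2026-06-01T09:00:00Z,WS-007,TeamViewer 15
2026-07-03T09:00:00Z,WS-007,AnyDesk 8.1.0
2026-07-02T08:00:00Z,SRV-01,Splashtop Streamer
"""


def main() -> None:
    events = parse_install_events(SAMPLE_EXPORT.splitlines())
    for host, when, tools in find_rmm_bursts(events):
        print(f"ALERT {host} at {when}: {len(tools)} RMM products in 24h: {', '.join(tools)}")


if __name__ == "__main__":
    main()
```

Only WS-042 alerts; WS-007's two installs fall outside the window and SRV-01 has a single product. Keyword matching on the product string is deliberately loose because RMM installers rename themselves between versions; the sanctioned-tool exception belongs in the keyword list, not in the windowing logic.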

Sources: The Hacker News, Arctic Wolf, Splunk, Sophos


3. Adobe ColdFusion Active Exploitation — CVE-2026-48282

TL;DR: CVE-2026-48282 (CVSS 10.0, path traversal → arbitrary file write → RCE) is being exploited ITW within hours of the watchTowr writeup. Affects ColdFusion 2023/2025.

What’s New:

  • watchTowr published full analysis; exploitation began within hours from IP 103.207.14[.]220 (India)
  • NHS England CSOC confirmed ITW exploitation and assesses further exploitation as “highly likely”
  • CVE-2026-48282 enables arbitrary file write via path traversal; companion CVE-2026-48313 enables arbitrary file read
  • Part of 7 CVSS 10.0 flaws patched in APSB26-68 (ColdFusion 2025 Update 10 / ColdFusion 2023 Update 21)
  • Significant update to existing CVE-2026-48276 coverage from July 2

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 103.207.14[.]220 | Attacker IP | T1190 | WAF, firewall | Block |
| Path traversal payload: 2:000018:C:\Windows\win.ini00004:READ, | Exploit signature | T1190 | WAF | Add pattern to WAF rules |
| New .cfm/.cfc/.jsp files in \wwwroot\CFIDE\, \cfusion\wwwroot\, cf_scripts\ | Webshell indicator | T1505.003 | File integrity, EDR | Monitor for new file creation |
| ColdFusion JVM spawning cmd.exe, powershell.exe, certutil, curl | Post-exploit | T1059 | EDR, Sysmon | Alert on CF parent → shell child |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | No ColdFusion-specific path traversal rule |
| Elastic | None specific | No ColdFusion exploitation rule |
| Sigma | webshell_detection_file_creation.yml (generic) | Needs ColdFusion-specific file path tuning |
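
The two host-side actions in the table (new script files in the ColdFusion web roots, and the ColdFusion JVM spawning a shell) are the ColdFusion-specific tuning the generic rules lack. The block below is an added example for this brief, not watchTowr's, Adobe's or Sigma's code: it assumes Sysmon-style events as dicts (EID 1 with Image/ParentImage, EID 11 with TargetFilename), that the ColdFusion JVM runs from a path containing "coldfusion" (an assumption to adjust to your install root), and the constructed sample events shown.

```python
"""Host-based checks for ColdFusion post-exploitation activity.

Added example, not from the brief or any vendor. It assumes Sysmon-style
events as dicts: EID 1 (process create) carrying Image/ParentImage and EID 11
(file create) carrying TargetFilename.
"""
import ntpath
from typing import Dict, List, Tuple

# Child images the brief lists under "ColdFusion JVM spawning ...".
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "curl.exe"}
WEBSHELL_EXTS = {".cfm", ".cfc", ".jsp"}
# Web-served directories from the brief, matched case-insensitively as fragments.
WEBROOT_FRAGMENTS = ("\\wwwroot\\cfide\\", "\\cfusion\\wwwroot\\", "cf_scripts\\")


def is_coldfusion_process(image: str) -> bool:
    """Assumption: the CF service JVM lives under an install path containing
    'coldfusion'. Replace with your own install root if it differs."""
    return "coldfusion" in image.lower()


def check_event(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for one event; empty list if benign."""
    findings: List[Tuple[str, str]] = []
    eid = ev.get("EventID")
    if eid == "1":
        child = ntpath.basename(ev.get("Image", "")).lower()
        if is_coldfusion_process(ev.get("ParentImage", "")) and child in SHELL_CHILDREN:
            findings.append(("cf_parent_shell_child", f"{ev['ParentImage']} -> {ev['Image']}"))
    elif eid == "11":
        target = ev.get("TargetFilename", "")
        low = target.lower()
        ext = ntpath.splitext(low)[1]
        if ext in WEBSHELL_EXTS and any(frag in low for frag in WEBROOT_FRAGMENTS):
            findings.append(("cf_webroot_script_created", target))
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample events: one CF-spawned shell, one user-spawned shell,
# one script dropped into CFIDE, one ordinary log write.
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentImage": "C:\\ColdFusion2025\\jre\\bin\\java.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": "1", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": "11", "Image": "C:\\ColdFusion2025\\jre\\bin\\java.exe",
     "TargetFilename": "C:\\ColdFusion2025\\cfusion\\wwwroot\\CFIDE\\upd.cfm"},
    {"EventID": "11", "Image": "C:\\ColdFusion2025\\jre\\bin\\java.exe",
     "TargetFilename": "C:\\ColdFusion2025\\cfusion\\logs\\application.log"},
]


def main() -> None:
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")


if __name__ == "__main__":
    main()
```

The file-creation rule is the tuning the Sigma gap column asks for: the generic webshell rule fires on any web root, while this one is restricted to the three ColdFusion directories the brief names and to the script extensions ColdFusion or its bundled Tomcat will execute. Expect noise from legitimate ColdFusion updates, so scope the rule to the JVM's own writes or suppress during patch windows.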

Sources: watchTowr, NHS England, The Hacker News, BleepingComputer


4. PamStealer macOS Infostealer — No CVE

TL;DR: Rust-based macOS stealer distributed via typosquatted Maccy clipboard manager site validates passwords through PAM API before exfil. Targets Apple Silicon. Steals browser data, crypto wallets, Keychain, clipboard.

What’s New:

  • Jamf Threat Labs disclosure July 3; targets Apple Silicon Macs exclusively
  • Delivery: DMG from maccyapp[.]com (typosquat of maccy[.]app) → compiled AppleScript dropper → Rust Mach-O payload
  • Dropper bypasses Gatekeeper even with com.apple.quarantine attribute via Script Editor execution
  • PAM API validation loop: prompts for password, validates via PAM, re-prompts until correct password entered
  • Environment-aware: derives decryption key from CPU arch + locale + timezone; terminates on Intel Macs and Eastern European locales
  • C2 exfil to avenger-sync[.]live over HTTP
  • Persistence via embedded arm64 Mach-O impersonating System Settings

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| maccyapp[.]com | Distribution domain | T1583.001 | DNS, proxy | Block |
| avenger-sync[.]live | C2 domain | T1071.001 | DNS, proxy | Block |
| Compiled .scpt files in DMGs from non-App Store sources | Dropper indicator | T1059.002 | macOS Unified Log, EDR | Alert on .scpt execution |
| Rust Mach-O masquerading as Finder | Payload indicator | T1036.005 | EDR | Alert on non-system Finder binaries |
| PAM API calls from non-system processes | Credential access | T1056.002 | macOS Unified Log | Monitor pam_authenticate calls from unsigned binaries |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No macOS PamStealer or AppleScript dropper rule |
| Elastic | None specific | No AppleScript-to-Rust payload chain rule |
| Sigma | None | No community rule for PamStealer |
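
Two of the table's actions, "alert on non-system Finder binaries" and "alert on .scpt execution" from a mounted disk image, reduce to checks on an executable's on-disk path against where the legitimate copy must live. The block below is an added example for this brief, not Jamf's code: it assumes EDR process-start events as dicts with `path` (the executable) and `args` (argv), that a script launched from a DMG carries a `/Volumes/...` path in argv, and the constructed sample events shown.

```python
"""Flag Finder impersonation and DMG-delivered AppleScript execution on macOS.

Added example, not from the brief or any vendor. It assumes EDR process-start
events as dicts with `path` (executable path) and `args` (argv list).
"""
import os
from typing import Dict, List, Tuple

# The only legitimate on-disk location of the Finder executable.
FINDER_PATH = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"
# Processes that execute compiled AppleScript; assumption based on the brief's
# "Script Editor execution" and the standard osascript runner.
SCRIPT_RUNNERS = {"osascript", "Script Editor"}
# Mounted DMGs appear under /Volumes/; anything executed from there is
# "from a non-App Store source" in the table's sense.
MOUNT_PREFIX = "/Volumes/"


def check_process(ev: Dict) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for one process-start event."""
    findings: List[Tuple[str, str]] = []
    path = ev.get("path", "")
    name = os.path.basename(path)
    # A binary calling itself Finder anywhere except the system bundle.
    if name == "Finder" and path != FINDER_PATH:
        findings.append(("finder_masquerade", path))
    # A compiled script run by a script host straight from a mounted image.
    if name in SCRIPT_RUNNERS:
        for arg in ev.get("args", []):
            if arg.endswith(".scpt") and arg.startswith(MOUNT_PREFIX):
                findings.append(("dmg_script_execution", arg))
    return findings


def scan_processes(events: List[Dict]) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    for ev in events:
        out.extend(check_process(ev))
    return out


# Constructed sample events: a fake Finder in a user directory, the real
# Finder, a script run from a mounted DMG, and a harmless inline osascript.
SAMPLE_PROCESSES = [
    {"path": "/Users/jane/Library/Application Support/Finder", "args": ["Finder"]},
    {"path": FINDER_PATH, "args": [FINDER_PATH]},
    {"path": "/usr/bin/osascript", "args": ["osascript", "/Volumes/Maccy/Install.scpt"]},
    {"path": "/usr/bin/osascript", "args": ["osascript", "-e", "display dialog \"hi\""]},
]


def main() -> None:
    for rule, detail in scan_processes(SAMPLE_PROCESSES):
        print(f"ALERT {rule}: {detail}")


if __name__ == "__main__":
    main()
```

The masquerade check is exact-path rather than prefix-based because the system Finder is on the sealed system volume and never runs from anywhere else; the same pattern extends to the System Settings impersonation the persistence bullet mentions by adding that bundle's executable path to the expected set.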

Sources: Jamf Threat Labs, The Hacker News


Status Updates

  • CVE-2026-8451 (Citrix NetScaler SAML): Active exploitation ongoing from 146.70.139[.]154. Upgrade to 14.1-72.61+ or 13.1-63.18+. Previous brief.
  • CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Splunk ESCU Analytics Story: RoguePlanet available. WDAC/AppLocker primary mitigation. Previous brief.
  • CVE-2026-48558 (SimpleHelp OIDC): Federal deadline passed July 7. Djinn Stealer/TaskWeaver campaigns ongoing. Patch to 5.5.16+. Previous brief.
  • CVE-2026-20253 (Splunk Enterprise): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. Patch to 10.4.0/10.2.4/10.0.7. Previous brief.
  • CVE-2026-48907 (Joomla JCE): Federal deadline July 7. ITW exploitation ongoing. Patch to JCE 2.9.99.5. Previous brief.