Cyber Threat Brief — July 14 2026
1. Oracle PeopleSoft Second Pre-Auth RCE — CVE-2026-35278
TL;DR: Oracle’s July 15 CPU patches CVE-2026-35278 (CVSS 9.8), a second pre-auth RCE in PeopleSoft PeopleTools chained with already-exploited CVE-2026-35273. ShinyHunters have compromised 300+ instances across 100+ orgs, predominantly higher education.
What’s New:
- CVE-2026-35278 patches in July 2026 CPU alongside 5 CRITICAL Oracle CVEs (WebLogic CVE-2026-35263 CVSS 9.9, Identity Manager CVE-2026-35268 CVSS 9.9, WebCenter CVE-2026-35270/35280/35281 CVSS 9.1-9.9)
- ShinyHunters chaining CVE-2026-35273 + CVE-2026-35278 for full unauthenticated RCE to data exfil pipeline
- Post-exploitation: MeshCentral C2 via
azurenetfiles[.]net, SSH spray fanout script, HR/payroll/PII theft - Mandiant/GTIG confirmed exploitation May 27–June 9 (zero-day window before June 10 advisory)
- Victim marker file
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXTdropped in PeopleSoft directories
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
142.11.200[.]186-190 | Attacker IPs | T1190 | Firewall/WAF | Block |
108.174.202[.]99 | Attacker IP | T1190 | Firewall/WAF | Block |
176.120.22[.]24 | Attacker IP | T1190 | Firewall/WAF | Block |
azurenetfiles[.]net | C2 domain | T1071.001 | DNS/Proxy | Block |
wss://azurenetfiles.net:443/agent.ashx | MeshCentral C2 | T1219 | Proxy/NDR | Block+Hunt |
/PSIGW/HttpListeningConnector | Exploit URI | T1190 | WAF/IIS logs | Hunt |
[victim]_fanout.sh | Lateral movement script | T1021.004 | EDR/Sysmon | Hunt |
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Compromise marker | T1036 | File integrity | Hunt |
| Port 445 outbound from PeopleSoft hosts | NetNTLM coercion | T1187 | Firewall | Alert |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web or Application Server Spawning a Shell (generic) | No PeopleSoft-specific PSIGW exploit rule |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes | No PeopleSoft-specific coverage |
| Sigma | webshell_detection_file_creation.yml (generic) | No MeshCentral C2 detection |
Sources: Oracle July 2026 CPU Advisory · GTIG/Mandiant ShinyHunters Blog · Arctic Wolf Advisory · Threat-Modeling.com Analysis
2. Microsoft Patch Tuesday July 14 — 127 CVEs, Wormable NEGOEX RCE, Kerberos RC4 Enforcement
TL;DR: Today’s Patch Tuesday drops 127 CVEs. Priority-one is CVE-2025-47981 (CVSS 9.8), a wormable heap overflow in SPNEGO NEGOEX reachable via SMB/RDP/HTTP without auth. Kerberos RC4 Phase 2 enforcement also activates today — systems still using RC4 will fail to authenticate.
What’s New:
- CVE-2025-47981 (NEGOEX): wormable, no auth, no interaction, targets SMB 445/RDP 3389/HTTP 80,443 — 2 public PoCs on GitHub
- 127 CVEs total (normalization from June’s 200, still above pre-2026 monthly average)
- Kerberos RC4 hardening Phase 2 enforced today — RC4-only clients/apps will break
- Nightmare Eclipse threatened “bone-shattering” exploit dump on July 14 (not formally canceled)
- GodDamn ransomware (covered July 10) and DragonForce actively exploiting prior month’s CVEs
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| CVE-2025-47981 (NEGOEX) | Wormable RCE | T1210 | Windows Update/WSUS | Patch immediately |
| SMB 445, RDP 3389, HTTP 80/443 | Attack surface | T1190 | Firewall | Restrict internet-facing |
| Event ID 4771/4772 | Kerberos auth failure | T1558 | Security event log | Monitor for RC4 breakage |
| Event ID 4649 | RC4 usage indicator | T1558 | Security event log | Identify non-compliant systems |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None for NEGOEX-specific exploitation | Need NEGOEX malformed packet / SPNEGO anomaly rule |
| Elastic | None specific | Need worm propagation detection via SMB 445 + NEGOEX |
| Sigma | None specific | No coverage for CVE-2025-47981 exploitation indicators |
Sources: Microsoft MSRC July 2026 · byteiota Analysis · Zecurit Patch Tuesday Breakdown · Help Net Security Forecast
3. GhostCommit — Prompt Injection via PNG Targets AI Coding Agents
TL;DR: UMKC researchers disclosed GhostCommit (July 11-12), a technique hiding prompt injection inside PNG images referenced from README/AGENTS.md files. Cursor and Antigravity agents exfiltrated .env secrets as integer tuples in code commits. Claude Code refused the injection under all tested models.
What’s New:
- Malicious instructions rendered as text inside PNG, invisible to human reviewers and conventional scanners
AGENTS.mdconvention file instructs coding agent to “derive a build constant” from the image- Exfiltrated secrets encoded as 311-integer tuple embedded in routine-looking code review commits
- Tested successfully against Sonnet, Gemini, GPT-5.5 running in Cursor and Antigravity
- No CVE assigned; technique is model/tool-agnostic
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
AGENTS.md referencing PNG files | Trigger file | T1059.006 | Git repo audit | Hunt in repos |
| Large integer tuples in commits | Exfil payload | T1048.003 | Code review / CI | Flag anomalous code patterns |
.env file reads by AI agents | Credential access | T1552.001 | EDR / process monitor | Alert on unexpected .env access |
| PNG files with embedded text instructions | Payload carrier | T1027.006 | File inspection | Scan repo images for text content |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No AI agent activity monitoring rules |
| Elastic | None | No coverage for AI agent credential exfiltration |
| Sigma | None | No rules for AGENTS.md-triggered exfiltration patterns |
Sources: BleepingComputer · CybersecurityNews
Status Updates
- CVE-2026-35273 (PeopleSoft): Second RCE CVE-2026-35278 now patched in Oracle July CPU; ShinyHunters exploitation expanded to 300+ instances. Original brief.
- CVE-2026-50656 (RoguePlanet/Defender): PATCHED July 9 in Malware Protection Engine 1.1.26060.3008. Auto-updates. Original brief.
- CVE-2026-48939 (iCagenda) / CVE-2026-56291 (Balbooa Forms): Federal CISA KEV deadline passed July 13. Active exploitation ongoing. Original brief.
- jscrambler npm supply chain: No new IOCs since July 13 initial coverage. Clean version 8.22.0 available. Original brief.