Cyber Threat Brief — July 16 2026
1. LegacyHive Windows Zero-Day — No CVE Assigned
TL;DR: Chaotic Eclipse (Nightmare-Eclipse) dropped a new unpatched Windows LPE zero-day PoC on July 15, hours after Patch Tuesday. Exploits ProfSvc (User Profile Service) to load arbitrary registry hives — works on all supported Windows including July 2026 patches.
What’s New:
- PoC targets UsrClass.dat hive loading in ProfSvc; mounts target user’s hive into attacker’s classes root
- Public build requires a second standard-user credential + target admin username; original (withheld) exploit had no credential requirement
- 6th zero-day from this researcher (BlueHammer → RedSun → UnDefend → RoguePlanet → GreatXML → LegacyHive)
- Affects all supported Windows desktop and server editions post-July 2026 Patch Tuesday
- UNPATCHED — no CVE, no Microsoft advisory, no timeline for fix
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ProfSvc loading UsrClass.dat from non-standard path | Exploitation | T1574.002 | Sysmon EID 12/13 (Registry) | Hunt — registry hive load events for cross-user hive paths |
| Multiple interactive logons in rapid succession on same host | Pre-exploitation setup | T1078.003 | Security EID 4624 (Type 2/10) | Alert — two logons within seconds suggests hive-race setup |
profsvc.dll loading hive for User A under User B profile | Exploitation | T1068 | ETW Microsoft-Windows-User Profiles Service | Hunt — hive load path mismatch |
| PoC binary: github.com/NightmareEclipse/LegacyHive | Tooling | T1588.002 | EDR / YARA | Block / detect known PoC artifacts |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No ProfSvc hive-load anomaly detection |
| Elastic | None | No User Profile Service abuse rules |
| Sigma | None | No cross-user registry hive load detection |
Sources: The Hacker News · SecurityWeek · Security Affairs · Cyderes Howler Cell · PoC repo
2. SharePoint Pre-Auth Deserialization RCE Pair — CVE-2026-50522 / CVE-2026-58644
TL;DR: Two matched CVSS 9.8 pre-auth deserialization RCE bugs in SharePoint Server patched July 14. CVE-2026-50522 has a working Pwn2Own Berlin exploit. Combined with the CISA SharePoint hardening advisory and three other actively exploited SharePoint CVEs, SharePoint is the #1 target surface right now.
What’s New:
- Both CVEs: CWE-502 deserialization of untrusted data, pre-auth, no user interaction, network-reachable
- CVE-2026-50522 demonstrated at Pwn2Own Berlin — Microsoft still lists “Exploit Maturity Unknown”
- Affects SharePoint Server Subscription Edition, 2019, 2016
- Part of July Patch Tuesday’s 570+ fixes
- CISA July 14 advisory now links 4 SharePoint CVEs in coordinated campaigns (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, plus these)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Deserialization gadget chains in w3wp.exe memory | Exploitation | T1190 | EDR / memory forensics | Hunt — .NET deserialization indicators |
| w3wp.exe spawning cmd/powershell/certutil | Post-exploitation | T1059.001 | Sysmon EID 1 / EDR | Alert |
| New .aspx files under SharePoint LAYOUTS dirs | Webshell | T1505.003 | Sysmon EID 11 / IIS logs | Alert — file creation in web directories |
| IIS machine key extraction attempts | Persistence | T1005 | SharePoint ULS logs | Hunt — per CISA advisory |
| Unpatched SharePoint Server SE/2019/2016 | Vulnerable version | T1190 | Asset inventory | Patch immediately |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | W3WP Spawning Shell (generic) | No CVE-2026-50522/58644-specific deserialization detection |
| Elastic | Webshell Detection: Script Process Child of Common Web Processes | No pre-auth deserialization chain detection |
| Sigma | webshell_detection_file_creation.yml (generic) | No SharePoint deserialization gadget chain rule |
Sources: ZDI July 2026 Review · Rapid7 · CISA SharePoint Advisory · IONIX CVE-2026-50522
3. Zoom Desktop Client Unauth Account Takeover — CVE-2026-53412
TL;DR: CVSS 9.8 improper input validation in Zoom Desktop Client for Windows allows unauthenticated network-reachable account takeover. No user interaction required. Patch to 7.0.0+.
What’s New:
- Unauthenticated account takeover via network access — no credentials, no user interaction
- Affects Zoom Workplace for Windows < 7.0.0, VDI Client < 7.0.10/6.6.15/6.5.18, Meeting SDK < 7.0.0
- Three companion high-severity flaws: TOCTOU race condition + improper privilege management
- No ITW exploitation reported yet
- Zoom advisory published July 15
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Zoom Desktop Client < 7.0.0 on Windows | Vulnerable version | T1190 | Asset inventory / SCCM | Patch — force update to 7.0.0+ |
| Anomalous Zoom authentication events from unexpected sources | Exploitation indicator | T1078 | Zoom admin console / SSO logs | Hunt — account takeover indicators |
| Zoom VDI Client < 7.0.10 | Vulnerable version | T1190 | VDI management console | Patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Zoom exploitation detection |
| Elastic | None | No Zoom process anomaly rules |
| Sigma | None | No Zoom client exploitation detection |
Sources: BleepingComputer · The Hacker News · Security Affairs · SecurityOnline
4. TuxBot v3 LLM-Assisted IoT Botnet — No CVE
TL;DR: Unit42 disclosed TuxBot v3, an IoT DDoS botnet whose source code contains LLM chain-of-thought reasoning in comments — first documented LLM-assisted botnet framework. Active C2 since March 2026, targeting Linux IoT devices via Telnet/SSH/ADB.
What’s New:
- Mirai/AISURU/Wuhan lineage with LLM-generated code (safety disclaimers and chain-of-thought left in source)
- Encrypted TCP primary C2 with SHA512-based DGA, Ed25519-signed P2P gossip protocol, IRC/DNS TXT/HTTP polling fallback
- Exploits CVE targets via modular exploit VM (partially broken in analyzed samples)
- Shared infrastructure with Keksec/Kaitori ecosystem
- Active DDoS capability: UDP, TCP, DNS flooding operational despite multiple broken functions
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
209.182.237[.]133:2222 (SSH banner “SSH-2.0-CNC-Control-Server”) | C2 server | T1071.001 | Firewall / NetFlow | Block |
185.10.68[.]127 | Dropper/exploit host | T1105 | Firewall / proxy logs | Block |
| SSH banner “SSH-2.0-CNC-Control-Server” | C2 fingerprint | T1071.002 | Network IDS | Alert |
| Processes: Mirai-pattern random-name binaries in /tmp | Implant execution | T1059.004 | EDR / Linux auditd | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Ingress Tool Transfer Hunting (generic) | No TuxBot-specific C2 or DGA detection |
| Elastic | Linux Suspicious Network Connection (generic) | No SSH banner fingerprint detection |
| Sigma | Linux Reverse Shell Indicator (partial) | No TuxBot process or C2 pattern rule |
Sources: Unit42 · The Hacker News · CyberSecurityNews
Status Updates:
- CVE-2026-46817 (Oracle E-Business Suite): CISA KEV addition July 15; federal deadline July 18 (2 days); 456+ exploitation attempts by DriveSurge IAB ongoing. Original brief.
- CVE-2026-15409/15410 (SonicWall SMA1000): Federal deadline TOMORROW July 17; dual zero-day exploitation ongoing; no new IOCs beyond July 15 brief. Original brief.