Cyber Threat Brief — July 16 2026

⚠️ This report is AI-generated. Always validate findings.

1. LegacyHive Windows Zero-Day — No CVE Assigned

TL;DR: Chaotic Eclipse (Nightmare-Eclipse) dropped a new unpatched Windows LPE zero-day PoC on July 15, hours after Patch Tuesday. Exploits ProfSvc (User Profile Service) to load arbitrary registry hives — works on all supported Windows including July 2026 patches.

What’s New:

  • PoC targets UsrClass.dat hive loading in ProfSvc; mounts target user’s hive into attacker’s classes root
  • Public build requires a second standard-user credential + target admin username; original (withheld) exploit had no credential requirement
  • 6th zero-day from this researcher (BlueHammer → RedSun → UnDefend → RoguePlanet → GreatXML → LegacyHive)
  • Affects all supported Windows desktop and server editions post-July 2026 Patch Tuesday
  • UNPATCHED — no CVE, no Microsoft advisory, no timeline for fix

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
ProfSvc loading UsrClass.dat from non-standard pathExploitationT1574.002Sysmon EID 12/13 (Registry)Hunt — registry hive load events for cross-user hive paths
Multiple interactive logons in rapid succession on same hostPre-exploitation setupT1078.003Security EID 4624 (Type 2/10)Alert — two logons within seconds suggests hive-race setup
profsvc.dll loading hive for User A under User B profileExploitationT1068ETW Microsoft-Windows-User Profiles ServiceHunt — hive load path mismatch
PoC binary: github.com/NightmareEclipse/LegacyHiveToolingT1588.002EDR / YARABlock / detect known PoC artifacts

Detection

SourceRuleGap
Splunk ESCUNoneNo ProfSvc hive-load anomaly detection
ElasticNoneNo User Profile Service abuse rules
SigmaNoneNo cross-user registry hive load detection

Sources: The Hacker News · SecurityWeek · Security Affairs · Cyderes Howler Cell · PoC repo

2. SharePoint Pre-Auth Deserialization RCE Pair — CVE-2026-50522 / CVE-2026-58644

TL;DR: Two matched CVSS 9.8 pre-auth deserialization RCE bugs in SharePoint Server patched July 14. CVE-2026-50522 has a working Pwn2Own Berlin exploit. Combined with the CISA SharePoint hardening advisory and three other actively exploited SharePoint CVEs, SharePoint is the #1 target surface right now.

What’s New:

  • Both CVEs: CWE-502 deserialization of untrusted data, pre-auth, no user interaction, network-reachable
  • CVE-2026-50522 demonstrated at Pwn2Own Berlin — Microsoft still lists “Exploit Maturity Unknown”
  • Affects SharePoint Server Subscription Edition, 2019, 2016
  • Part of July Patch Tuesday’s 570+ fixes
  • CISA July 14 advisory now links 4 SharePoint CVEs in coordinated campaigns (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164, plus these)

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Deserialization gadget chains in w3wp.exe memoryExploitationT1190EDR / memory forensicsHunt — .NET deserialization indicators
w3wp.exe spawning cmd/powershell/certutilPost-exploitationT1059.001Sysmon EID 1 / EDRAlert
New .aspx files under SharePoint LAYOUTS dirsWebshellT1505.003Sysmon EID 11 / IIS logsAlert — file creation in web directories
IIS machine key extraction attemptsPersistenceT1005SharePoint ULS logsHunt — per CISA advisory
Unpatched SharePoint Server SE/2019/2016Vulnerable versionT1190Asset inventoryPatch immediately

Detection

SourceRuleGap
Splunk ESCUW3WP Spawning Shell (generic)No CVE-2026-50522/58644-specific deserialization detection
ElasticWebshell Detection: Script Process Child of Common Web ProcessesNo pre-auth deserialization chain detection
Sigmawebshell_detection_file_creation.yml (generic)No SharePoint deserialization gadget chain rule

Sources: ZDI July 2026 Review · Rapid7 · CISA SharePoint Advisory · IONIX CVE-2026-50522

3. Zoom Desktop Client Unauth Account Takeover — CVE-2026-53412

TL;DR: CVSS 9.8 improper input validation in Zoom Desktop Client for Windows allows unauthenticated network-reachable account takeover. No user interaction required. Patch to 7.0.0+.

What’s New:

  • Unauthenticated account takeover via network access — no credentials, no user interaction
  • Affects Zoom Workplace for Windows < 7.0.0, VDI Client < 7.0.10/6.6.15/6.5.18, Meeting SDK < 7.0.0
  • Three companion high-severity flaws: TOCTOU race condition + improper privilege management
  • No ITW exploitation reported yet
  • Zoom advisory published July 15

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Zoom Desktop Client < 7.0.0 on WindowsVulnerable versionT1190Asset inventory / SCCMPatch — force update to 7.0.0+
Anomalous Zoom authentication events from unexpected sourcesExploitation indicatorT1078Zoom admin console / SSO logsHunt — account takeover indicators
Zoom VDI Client < 7.0.10Vulnerable versionT1190VDI management consolePatch

Detection

SourceRuleGap
Splunk ESCUNoneNo Zoom exploitation detection
ElasticNoneNo Zoom process anomaly rules
SigmaNoneNo Zoom client exploitation detection

Sources: BleepingComputer · The Hacker News · Security Affairs · SecurityOnline

4. TuxBot v3 LLM-Assisted IoT Botnet — No CVE

TL;DR: Unit42 disclosed TuxBot v3, an IoT DDoS botnet whose source code contains LLM chain-of-thought reasoning in comments — first documented LLM-assisted botnet framework. Active C2 since March 2026, targeting Linux IoT devices via Telnet/SSH/ADB.

What’s New:

  • Mirai/AISURU/Wuhan lineage with LLM-generated code (safety disclaimers and chain-of-thought left in source)
  • Encrypted TCP primary C2 with SHA512-based DGA, Ed25519-signed P2P gossip protocol, IRC/DNS TXT/HTTP polling fallback
  • Exploits CVE targets via modular exploit VM (partially broken in analyzed samples)
  • Shared infrastructure with Keksec/Kaitori ecosystem
  • Active DDoS capability: UDP, TCP, DNS flooding operational despite multiple broken functions

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
209.182.237[.]133:2222 (SSH banner “SSH-2.0-CNC-Control-Server”)C2 serverT1071.001Firewall / NetFlowBlock
185.10.68[.]127Dropper/exploit hostT1105Firewall / proxy logsBlock
SSH banner “SSH-2.0-CNC-Control-Server”C2 fingerprintT1071.002Network IDSAlert
Processes: Mirai-pattern random-name binaries in /tmpImplant executionT1059.004EDR / Linux auditdHunt

Detection

SourceRuleGap
Splunk ESCULinux Ingress Tool Transfer Hunting (generic)No TuxBot-specific C2 or DGA detection
ElasticLinux Suspicious Network Connection (generic)No SSH banner fingerprint detection
SigmaLinux Reverse Shell Indicator (partial)No TuxBot process or C2 pattern rule

Sources: Unit42 · The Hacker News · CyberSecurityNews


Status Updates:

  • CVE-2026-46817 (Oracle E-Business Suite): CISA KEV addition July 15; federal deadline July 18 (2 days); 456+ exploitation attempts by DriveSurge IAB ongoing. Original brief.
  • CVE-2026-15409/15410 (SonicWall SMA1000): Federal deadline TOMORROW July 17; dual zero-day exploitation ongoing; no new IOCs beyond July 15 brief. Original brief.