June 26, 2026 | Jonathan Brown
PTC's Windchill patch didn't end the intrusion. CISA just confirmed that.
CISA added CVE-2026-12569 (CVSS 9.3) — an improper input validation flaw in PTC Windchill PDMLink and FlexPLM that's exploitable via deserialization of untrusted data — to its Known Exploited Vulnerabilities catalog on June 25. The notable part isn't the KEV listing itself; it's PTC's own admission alongside it. The vendor shipped patches for Windchill versions 11.0 M030 and 13.1.1 last week, then disclosed on June 25 that it has "received continued reports of heightened threat activity," meaning attackers are still landing web shells on unpatched instances and, per the IOC detail PTC published, possibly on some patched ones too. The shells follow a consistent naming convention (16 lowercase hex characters under /Windchill/codebase/login/), which points to one operator's tooling rather than opportunistic scanning noise.
Watch for: whether CISA or PTC discloses a confirmed count of compromised Windchill/FlexPLM instances — right now the public record has exploitation activity but no victim tally, which is the gap that usually closes within a week of a KEV addition like this.
Sources: CISA KEV Catalog (June 25, 2026); PTC Trust Center advisory CS473270 (June 25, 2026); The Hacker News (June 25, 2026).
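A defender-side check for the naming convention above, added here as an illustration and not PTC's or CISA's own tooling: it flags files under /Windchill/codebase/login/ whose name stem is exactly 16 lowercase hex characters. The advisory does not state a file extension, so matching the stem regardless of extension is an assumption, and the sample listing is constructed.

```python
import re
from pathlib import Path, PurePosixPath
from typing import Iterable

# Convention reported by PTC: a 16-character lowercase hex name under the login directory.
# Extension is not stated in the advisory, so the stem is matched with any extension (assumption).
SHELL_DIR = PurePosixPath("/Windchill/codebase/login")
HEX16 = re.compile(r"^[0-9a-f]{16}$")


def is_suspect_name(name: str) -> bool:
    """True when the filename's stem (before the first dot) is 16 lowercase hex chars."""
    stem = name.split(".", 1)[0]
    return HEX16.fullmatch(stem) is not None


def find_suspect_shells(paths: Iterable[str]) -> list[str]:
    """Return web-path entries that sit under SHELL_DIR and match the naming convention."""
    hits = []
    for p in paths:
        path = PurePosixPath(p)
        try:
            path.relative_to(SHELL_DIR)   # raises ValueError when outside the login dir
        except ValueError:
            continue
        if is_suspect_name(path.name):
            hits.append(str(path))
    return hits


def scan_login_dir(login_dir: str) -> list[str]:
    """Scan an on-disk codebase/login directory (location assumed) for matching files."""
    root = Path(login_dir)
    return sorted(str(p) for p in root.rglob("*") if p.is_file() and is_suspect_name(p.name))


# Constructed sample listing, not real IOCs.
SAMPLE_LISTING = [
    "/Windchill/codebase/login/index.jsp",
    "/Windchill/codebase/login/3f9a1c7e2b4d6a80.jsp",        # matches the reported form
    "/Windchill/codebase/login/3F9A1C7E2B4D6A80.jsp",        # uppercase: not the reported form
    "/Windchill/codebase/netmarkets/deadbeefcafef00d.jsp",   # right shape, wrong directory
    "/Windchill/codebase/login/images/logo.png",
]

if __name__ == "__main__":
    for hit in find_suspect_shells(SAMPLE_LISTING):
        print("suspect:", hit)
```

A hit is a lead for review (hash it, check mtime and the web server access log for the request that wrote it), not proof of compromise on its own.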
Google ties a new Turla backdoor to Ukraine and Italian-foreign-policy targeting
Google Threat Intelligence Group disclosed STOCKSTAY, a previously undocumented .NET backdoor built on Windows Forms that talks to its C2 over an encrypted WebSocket channel, attributing development and use to the Russia-linked actor Turla (Secret Blizzard) going back to at least December 2022. GTIG reports the malware shares meaningful code and functional overlap with KAZUAR, the .NET implant Turla has used since 2017, and that delivery has run through phishing with malicious RDP-file attachments, GitHub-hosted MSI installers, and HTA-triggered ZIP drops from a compromised WordPress instance. Targeting has concentrated on Ukrainian government and military networks, with earlier STOCKSTAY variants also observed against entities with an interest in Italian foreign policy, and against targets in the Netherlands, Poland, and Germany whose specific identities GTIG says remain unknown. GTIG's own framing on the Turla/KAZUAR pairing is worth preserving rather than smoothing over: the company assesses with only low confidence that running STOCKSTAY alongside KAZUAR in the same operations reflects Turla testing a newer tool before an anticipated remediation of existing access — a plausible read, not a confirmed one.
Watch for: corroborating attribution or victim disclosure from a second named research house (Mandiant, ESET, and Recorded Future have all tracked Turla independently) — single-firm attribution on a state actor this well-resourced typically gets a second opinion within days.
Sources: Google Threat Intelligence Group (June 26, 2026); The Hacker News (June 26, 2026).
Citizen Lab: Russia kept using Cellebrite on a dissident's phone three months after Cellebrite said it had cut Russia off
Citizen Lab has produced unusually strong forensic evidence that Russian investigators kept using Cellebrite's forensic tools months after Cellebrite said it had cut off Russian government customers. The specific case: Russian Ministry of Interior investigators used Cellebrite's UFED Physical Analyzer and UFED 4PC toolkit to extract data from opposition activist Andrey Pivovarov's iPhone 12 on or around June 17, 2021 — three months after that announced cutoff. The trail is unusually solid for this kind of case, and corroborated by Russia's own paperwork: MobileLockdown USB-connection records on the device matched a Cellebrite host ID Citizen Lab had previously fingerprinted in an unrelated Jordan investigation, and a Russian government forensic report Pivovarov received during his own prosecution independently names both UFED products and documents searches for "Open Russia," named opposition figures, and the same individuals later targeted by the FSB-linked COLDRIVER phishing operation. Citizen Lab is explicit that the COLDRIVER overlap is a correlation worth investigating, not a confirmed causal link. Cellebrite told Citizen Lab and Access Now that any post-March-2021 use of its hardware in Russia is "entirely unauthorized" and that legacy devices run without its support or consent — a defense that doesn't address why offline-capable hardware already in the field kept working at all.
Watch for: whether Cellebrite follows through on Citizen Lab's specific asks — remote kill-switch capability for abusive deployments and cryptographically signed extraction watermarks — or treats this as a one-off statement and moves on, which is the pattern in its prior Serbia, Kenya, and Jordan disclosures.
Sources: The Citizen Lab, Munk School (June 25, 2026); Access Now (June 25, 2026).
A fourth DirtyFrag-family Linux kernel bug, and JFrog just published a working root exploit
JFrog Security Research disclosed and demonstrated a working privilege-escalation exploit for CVE-2026-43503 (CVSS 8.8), a variant in the DirtyFrag family of Linux kernel bugs that JFrog is calling "DirtyClone." The underlying flaw is a missing safety flag in skb (socket buffer) cloning helpers that lets the kernel be tricked into treating read-only, file-backed page-cache memory as writable network buffer space — an attacker can clone a packet containing a privileged binary's memory, route it through an IPsec tunnel they control, and overwrite the binary during decryption. The fix merged into mainline May 21 and shipped in v7.1-rc5; JFrog's June 25 writeup is the first public PoC for this specific variant, and the firm frames it explicitly as evidence that the broader DirtyFrag patch set has had to be applied piecemeal, with each variant (DirtyFrag, Fragnesia, and now DirtyClone) found by auditing a different fragment-transfer code path after the prior fix landed. Exploitation requires local access or the CAP_NET_ADMIN capability — commonly available via unprivileged user namespaces — which puts multi-tenant cloud, CI runner, and Kubernetes environments at the top of the exposure list.
Watch for: a fifth DirtyFrag variant. JFrog's own writeup states the underlying contract problem — every skb fragment-transfer path has to preserve the shared-frag bit, and historically not all of them have — is unresolved as a class, not just as individual CVEs.
Sources: JFrog Security Research (June 25, 2026); The Hacker News (June 26, 2026).
Claroty: two CVSS 9.8 bugs in Vertiv's UPS network cards could let an attacker shut down a data center's power-continuity layer
Claroty's Team82 disclosed two critical vulnerabilities — CVE-2025-46412 (authentication bypass) and CVE-2025-41426 (stack-based buffer overflow enabling remote code execution) — in Vertiv's Liebert IS-UNITY-DP and Liebert RDU101 network cards, the communication modules that let UPS systems integrate with monitoring platforms and orchestrate safe shutdowns during outages. Both flaws carry a CVSS score of 9.8. Vertiv has shipped firmware updates addressing both (IS-UNITY to v8.4.3.1_00160, RDU101 to v1.9.1.2_0000001), and Claroty reports no evidence of in-the-wild exploitation. The practical concern here isn't a patch gap so much as a deployment-lag one: UPS communication cards tend to sit on much longer firmware-update cycles than the servers they protect, and a successful exploit chain gives an attacker the ability to deny safe shutdown or trigger one on demand.
Watch for: independent confirmation of patch adoption rates from data center operators or a managed-services provider — Claroty's disclosure doesn't include exploitation data, and that gap will matter if a researcher or red team demonstrates exploitation against an unpatched card in the field.
Sources: Claroty Team82 (June 9, 2026); SecurityWeek (June 2026).
Two Scattered Spider members plead guilty on day one of what was supposed to be a six-week trial
Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty in the UK this week to charges stemming from the August 2024 Scattered Spider attack on Transport for London, with Flowers separately admitting involvement in 2024 intrusions at U.S. healthcare providers SSM Health and Sutter Health. Jubair remains under a U.S. indictment unsealed in September 2025 alleging his involvement in 120 network intrusions against 47 U.S. entities between May 2022 and September 2025, with victims paying at least $115 million in ransom — and U.S. prosecutors separately tie him to the SIM-swapping "Star Chat" Telegram operation behind the 2022 SMS phishing campaign that hit LastPass, DoorDash, Mailchimp, Plex, and Signal. Flowers, per multiple sources cited by KrebsOnSecurity, is also alleged to be the Scattered Spider member who gave anonymous media interviews after the 2023 MGM and Caesars ransomware attacks. Two convictions close out a specific case; they don't touch the loosely affiliated "Com" ecosystem Scattered Spider draws from, which has shown a consistent pattern of producing new operators faster than law enforcement removes old ones.
Watch for: sentencing dates and whether either defendant's plea agreement includes cooperation terms that name additional Com-affiliated operators — that's the detail that would actually move the needle on the broader ecosystem, as opposed to two more names added to an already-long charge sheet.
Sources: KrebsOnSecurity (June 23, 2026); BBC (June 2026); U.S. Department of Justice indictment, District of New Jersey (September 2025, referenced).
A residential-proxy botnet tied to a publicly traded Israeli company keeps surviving its own takedowns
Qurium's forensic research, reported by KrebsOnSecurity, traces the Popa botnet — which conscripts Android-based streaming TV boxes into a residential-proxy relay network — to infrastructure overlapping with NetNut, a proxy provider operated by Alarum Technologies Ltd (NASDAQ: ALAR). While investigating scraping attacks against its client organizations, Qurium found Popa control domains hosted in lockstep with each other and traced one of them, ninjatech[.]io, to a company whose LinkedIn-listed founder describes himself as having helped build NetNut's architecture before its acquisition by Alarum. That personnel link is Krebs's and Qurium's open-source inference, not a corporate admission, and should be read as such. Popa is functionally a plugin for the Vo1d botnet, and most of its original control domains were seized in a July 2025 Google/HUMAN Security/Trend Micro action against the related Badbox 2.0 operation. Qurium's finding is that new Popa domains, including ninjatech[.]io, went live within days of that takedown: the infrastructure didn't die, it re-registered.
Watch for: whether Alarum Technologies issues any public statement; as of this reporting, the company has not responded to the NetNut/ninjatech[.]io connection, and a publicly traded company's silence on a botnet-infrastructure allegation is itself a fact worth tracking.
Sources: KrebsOnSecurity (June 18, 2026), citing Qurium Media Foundation forensic report; XLab/QiAnXin (2025, referenced).
A fileless backdoor with a self-destruct switch is the latest tool from an access broker that already feeds six ransomware crews
Symantec and Carbon Black's Threat Hunter Team disclosed Mistic (also tracked by Zscaler as MLTBackdoor), a backdoor deployed since April against insurance, education, IT, and professional-services targets. At low confidence, based on one intrusion where Mistic appeared alongside the group's known ModeloRAT tool, Symantec links it to the initial access broker KongTuke — aliases: Woodgnat, 404 TDS, TAG-124. KongTuke doesn't deploy ransomware itself; per Symantec, it breaks in, holds a foothold, and sells that access. Affiliates buying that access include Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Mistic's distinguishing feature is operational rather than technical novelty: it runs entirely in memory, writes nothing to disk, and carries a kill switch that lets the operator delete it on command, so file-based endpoint scanning has nothing to detect once the operator decides to clean up. Delivery has run through both DLL side-loading (a malicious version.dll loaded via the legitimate Microsoft executable MpExtMs.exe) and, per Zscaler's independent reporting, a ClickFix-style multi-stage social-engineering chain.
Watch for: whether memory-resident, self-deleting backdoors like Mistic show up attributed to a second IAB within the next month — Symantec's own framing treats this as part of a broader shift among access brokers toward custom tooling instead of living-off-the-land techniques, which would predict exactly that kind of spread.
Sources: Symantec/Carbon Black Threat Hunter Team, Broadcom (June 24, 2026); Zscaler ThreatLabz (June 2026); BleepingComputer (June 25, 2026).
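Because Mistic leaves no file to scan, the side-loading step is the durable detection point. The following check, added here as an illustration rather than anything from Symantec's or Zscaler's reporting, filters image-load telemetry (Sysmon Event ID 7 style Image/ImageLoaded fields) for MpExtMs.exe loading a version.dll from outside the Windows system directories. The system-directory list and the sample events are assumptions and constructed data.

```python
import ntpath

# Assumption: legitimate version.dll lives in the Windows system directories;
# a copy loaded from anywhere else by the target binary is a side-load candidate.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_EXE = "mpextms.exe"    # legitimate Microsoft binary abused, per Symantec
SIDELOAD_DLL = "version.dll"  # DLL name reported as the malicious side-loaded module


def is_sideload_candidate(image: str, image_loaded: str) -> bool:
    """True when MpExtMs.exe loads a version.dll from outside SYSTEM_DIRS."""
    exe_name = ntpath.basename(image).lower()
    dll_dir, dll_name = ntpath.split(image_loaded)
    if exe_name != TARGET_EXE or dll_name.lower() != SIDELOAD_DLL:
        return False
    return ntpath.normpath(dll_dir).lower() not in SYSTEM_DIRS


def find_sideloads(events: list[dict]) -> list[dict]:
    """Filter image-load records with Sysmon-style 'Image' and 'ImageLoaded' fields."""
    return [e for e in events if is_sideload_candidate(e["Image"], e["ImageLoaded"])]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},                   # expected load
    {"Image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},     # side-load pattern
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},     # different host binary
]

if __name__ == "__main__":
    for event in find_sideloads(SAMPLE_EVENTS):
        print("side-load candidate:", event["Image"], "->", event["ImageLoaded"])
```

The rule is deliberately narrow to the pairing the reporting names; widening it to any version.dll loaded from a user-writable path catches the same technique under other host binaries at the cost of more review work.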
Pattern of the Day: severance claims don't survive contact with the infrastructure
Three items today share a structure worth naming explicitly, while staying inside what the sourcing actually supports. Cellebrite says it severed Russia in March 2021; Citizen Lab's forensics show its tools still working in Russian hands that June. Google, HUMAN Security, and Trend Micro took down Badbox 2.0's control infrastructure in July 2025; Qurium's research shows the related Popa network re-registering new domains within days, on infrastructure overlapping a legitimate, publicly traded proxy company. Law enforcement secures guilty pleas from two named Scattered Spider members this week; the Com ecosystem they came from has no comparable off-switch. None of these is the same kind of failure — one is a vendor accountability question, one is takedown-resilience in criminal infrastructure, one is the structural limit of prosecuting individuals out of a loose criminal community — and BCG isn't asserting they're driven by a common cause. But the pattern across all three is that the public-facing announcement (sales cutoff, takedown, conviction) consistently outruns what changes on the ground.
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.