June 13, 2026 | Jonathan Brown | bordercybergroup.com
Read of the day: June's Patch Tuesday landed Tuesday with a record 208 Microsoft CVEs — but the disclosure calendar this week is really telling a different story: an unprecedented patch volume driven partly by AI-assisted research, a researcher threatening another zero-day dump tomorrow, a federal directive mandating a 3-day patch window for the highest-risk flaws, and a laundering service that quietly moved hundreds of millions for ransomware gangs being taken down days later. The week's through-line is the compression of every timeline that defenders rely on.
________________________
Nightmare-Eclipse Saga Reaches Critical Juncture: June 9 Patches Confirm YellowKey and GreenPlasma, Researcher Promises "Bone Shattering" Drop June 14
Microsoft's June 2026 Patch Tuesday included CVE-2026-45585 and CVE-2026-50507, confirmed by Zero Day Initiative's Dustin Childs (June 9, 2026) as fixes for the Nightmare-Eclipse researcher's "YellowKey" and "GreenPlasma" BitLocker bypass vulnerabilities. The researcher publicly threatened what they called a "bone shattering" disclosure drop on June 14 — tomorrow — in a post reported by The Register (May 28, 2026), and has so far followed through on prior disclosure threats. Microsoft has not confirmed whether it reached any understanding with the researcher. This is analytical inference, not confirmed reporting: the June 9 patches appear to be the direct product of the escalation pressure created by the public disclosure threat, suggesting Microsoft's preferred vehicle was to patch quietly under deadline rather than engage. That pattern is precisely what the researcher objected to.
Watch for: Whether the June 14 drop materializes and whether any disclosed vulnerabilities fall outside what the June patches cover.
Sources: Zero Day Initiative (Dustin Childs, June 9, 2026); The Register (May 28, 2026); Microsoft Security Response Center, June 2026 Patch Tuesday advisory.
________________________
June Patch Tuesday Sets Records for the Wrong Reasons: Three Wormable-Class Bugs, 208 CVEs, and AI-Assisted Volume Concerns
Microsoft's June 9 release patched 208 CVEs — the largest Patch Tuesday ever recorded, according to ZDI's Dustin Childs (June 9, 2026), exceeding the prior record of 177 and surpassing Microsoft's total CVE output for all of 2018. The release includes three CVSS 9.8 unpatched RCE vulnerabilities of immediate priority: CVE-2026-45657, a use-after-free in the Windows Kernel TCP/IP stack rated wormable by ZDI; CVE-2026-47291, an integer overflow in HTTP.sys; and CVE-2026-44815, a DHCP Client RCE present on effectively every Windows endpoint. One vulnerability, CVE-2026-41091 (Microsoft Defender EoP), is confirmed under active exploitation; CrowdStrike (June 9, 2026) notes multiple independent acknowledgments in the advisory, indicating exploitation is likely widespread. Childs explicitly raised the question of whether AI-assisted coding is driving both the volume surge and potential patch quality risks — a concern the security community should not dismiss lightly. The patch count is not the headline; the rate of acceleration is.
Watch for: Proof-of-concept releases for CVE-2026-45657 specifically — a wormable kernel TCP/IP flaw with no public exploit as of June 10 is a matter of when, not whether.
Sources: Zero Day Initiative (Dustin Childs, June 9, 2026); CrowdStrike Patch Tuesday Analysis (June 9, 2026); BleepingComputer (June 9, 2026); Microsoft MSRC June 2026 advisory.
________________________
CISA BOD 26-04: The 3-Day Patch Mandate Is More Aggressive Than Most Federal Agencies Can Actually Execute
CISA issued Binding Operational Directive 26-04 on June 10, 2026, requiring Federal Civilian Executive Branch agencies to remediate the highest-risk vulnerabilities within three calendar days — specifically those that are publicly exposed, KEV-listed, fully automatable by an adversary, and grant total system control. The directive supersedes BOD 22-01 and BOD 19-02 and introduces a graduated SSVC-informed risk model rather than treating every KEV equally. CISA explicitly cited AI-assisted exploitation as a driver for the compressed timelines. The three-day mandate applies to a narrow but critical subset; broader KEV remediations retain longer windows. Analytical note: the practical gap between what CISA mandates and what most FCEB agencies can operationally execute in three days is significant. Wiley law analysts (June 10, 2026) flagged that agencies still relying on periodic scanning and CVSS-only prioritization face a structural compliance problem; Tenable's analysis (June 11, 2026) is more direct — continuous asset discovery is now a compliance prerequisite, not a best practice. Watch whether this directive creates contracting pressure on federal vendors.
Watch for: OMB follow-on guidance and whether CISA applies the BOD 26-04 framework retroactively to known unpatched Exchange OWA CVE-2026-42897 deployments.
Sources: CISA (June 10, 2026); Wiley law advisory (June 10, 2026); Tenable BOD 26-04 FAQ (June 11, 2026); Help Net Security (June 11, 2026).
________________________
Veeam CVE-2026-44963: Any Domain User Can RCE Your Backup Server — And the PoC Dropped on Day One
WatchTowr researcher Sina Kheirkhah disclosed CVE-2026-44963 on June 9–10, 2026: a CVSS v4 9.4 RCE in Veeam Backup & Replication versions 12.x through 12.3.2.4465, exploitable by any authenticated domain user against domain-joined backup servers. Proof-of-concept code was published on GitHub on the day of disclosure, per reporting by Digital Warfare (June 10, 2026). The flaw does not affect Veeam 13.x, which changed the underlying architecture. Veeam patched in version 12.3.2.4854, also released June 9. Backup server compromise is the canonical ransomware pre-condition: destroy or corrupt the backup, maximize the victim's leverage problem. The authentication bar here — any domain user, no elevated privileges — is the threat model: a single phished credential landing an attacker inside an AD environment is sufficient to pivot to backup server RCE. Ransomware operators have historically weaponized Veeam vulnerabilities faster than any other backup vendor.
Watch for: KEV listing and evidence of in-the-wild exploitation; prior Veeam RCEs have moved from patch to exploitation in under two weeks.
Sources: WatchTowr (Sina Kheirkhah, June 9, 2026); BleepingComputer (June 9, 2026); The Hacker News (June 9, 2026); Digital Warfare (June 10, 2026); Veeam security advisory (June 9, 2026).
________________________
UNC3753 Graduates to Physical Break-Ins: Vishing Campaign Against US Law Firms Now Includes In-Person USB Exfiltration
Google Mandiant's GTIG published a detailed campaign report (June 8, 2026) on UNC3753 — also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group — documenting an active data theft extortion campaign against US law firms, financial services companies, and professional services organizations running from January through May 2026. The attack lifecycle is notable for speed: initial vishing call to data theft and extortion within a single business day, with some cases completing data staging and exfiltration in under an hour. The new escalation is physical: an FBI Cyber FLASH Alert documented UNC3753 actors entering corporate offices posing as IT technicians, plugging in USB drives, and physically exfiltrating data when remote social engineering failed. GTIG assessed the physical intrusions as likely connected to UNC3753 but noted limited forensic evidence for formal attribution of every incident. UNC3753 traces to the defunct Conti operation via UNC2686's BazarCall lineage. Post-extortion publication happens on the LEAKEDDATA site, with a three-day response window. This is the most significant expansion of the callback-phishing-to-extortion model since the method emerged.
Watch for: Whether additional law firms surface on the LEAKEDDATA site and whether the physical intrusion pattern extends beyond legal/financial services into other high-data-density sectors.
Sources: Google Mandiant / GTIG (June 8, 2026); The Hacker News (June 8, 2026); FBI Cyber FLASH Alert (cited in Mandiant report); Dark Reading (June 8, 2026).
________________________
AudiA6 Crypto Laundering Network Dismantled: $389M Washed for Ransomware Gangs, Administrators Arrested in Georgia
Europol and an international coalition including the US Secret Service, IRS Criminal Investigation, and Polish law enforcement executed a coordinated takedown of AudiA6 on June 10, 2026. The service processed more than €336 million (~$389M) in illicit cryptocurrency between 2022 and 2025, serving as a central laundering pipeline for ransomware operators and cybercriminal networks. Two suspected administrators of Ukrainian and Russian nationalities were arrested in Georgia; 25 domains were seized, 30+ servers taken offline, and over 80 vehicles and multiple properties confiscated. Europol linked AudiA6 to 15+ international ransomware and cryptocurrency theft investigations and noted that the operators also ran Dark2Web, a dark web forum used to connect criminal service providers. The laundering infrastructure used thousands of fraudulent KYC accounts backed by stolen or purchased identities, with funds cleaned via rapid cross-wallet chain-hopping in approximately one hour, at commissions of 3–10 percent. The investigation traces to a September 2025 Polish Police arrest of a Ukrainian national, whose devices provided the forensic thread. Europol's 2026 IOCTA flagged cryptocurrency laundering professionalization as a structural trend; this takedown confirms it was already operational at industrial scale.
Watch for: Whether named ransomware affiliates surface in subsequent indictments tied to this seizure — AudiA6's link to 15+ investigations suggests further enforcement actions are queued.
Sources: Europol press release (June 10, 2026); DOJ / US Secret Service announcement (June 11, 2026); BleepingComputer (June 11, 2026); The Hacker News (June 11, 2026); Help Net Security (June 12, 2026).
________________________
FBI Seizes 13 Chinese Intelligence Front Websites Targeting US Security Clearance Holders — AI-Generated Photos Used for Legitimacy
The Justice Department announced June 10, 2026 that the FBI seized 13 websites operated by suspected Chinese intelligence services as fake consulting companies targeting current and former US government employees holding security clearances. Per an FBI affidavit filed with the seizure warrants, the sites were active since at least November 2023, advertised generic consulting jobs on LinkedIn and hiring platforms, and used AI-generated photographs and fraudulent or stolen identities to appear legitimate. Recruits were offered payments for reports related to their work and for sensitive information; cryptocurrency and online payment systems were used by operators to conceal identities. The FBI identified the network partly through targets who self-reported suspicious contact. Assistant Director Roman Rozhavsky of FBI Counterintelligence named the operation explicitly as Chinese government intelligence services activity. The Five Eyes alliance issued related warnings about Chinese workforce recruitment operations the prior week.
Watch for: Whether DOJ pursues criminal charges and whether named LinkedIn posting patterns result in platform-level enforcement action against similar infrastructure.
Sources: DOJ / FBI press release (June 10, 2026); FBI affidavit (June 10, 2026, filed in support of seizure warrants); SecurityWeek (June 11, 2026); AP / Washington Post (June 10, 2026).
________________________
OnyxC2 MaaS Stealer: 210 Applications, Detection Refund Guarantee, Cloudflare-Fronted C2 — and It Was Clean on VirusTotal When Disclosed
BlackFog researchers and SecurityWeek (June 11, 2026) documented OnyxC2, a new Malware-as-a-Service stealer that surfaced on cybercrime forums in early 2026, priced at $250/month standard or $500/month premium, with developers explicitly offering refunds if their builds get detected. The malware targets over 210 applications including browsers, extensions, password managers, cryptocurrency wallets, FTP clients, and email clients. The evasion stack is technically mature: AES-256 encrypted payloads, DLL sideloading via a fake NVIDIA graphics library appended with legitimate content, in-memory execution, and Cloudflare-fronted C2 infrastructure per GBHackers (June 12, 2026). The initial delivery archives registered zero detections across 71 VirusTotal engines on their first upload and remained undetected as of May 30, 2026 analysis. BlackFog documented the developer confidence indicator directly: the refund guarantee signals operational certainty about evasion durability, which should concern any detection-confidence-based triage workflow.
Watch for: Whether the premium HNVC-included tier surfaces in post-incident forensic reporting, and whether Cloudflare takes enforcement action against the C2 fronting infrastructure.
Sources: BlackFog (June 11, 2026); SecurityWeek (June 11, 2026); GBHackers (June 12, 2026); SC Media (June 11, 2026).
________________________
Solana FakeFix: JFrog Documents 25 Malicious npm/PyPI Packages Targeting Crypto Developers with GitHub Issue Spam as Distribution Vector
JFrog Security Research published findings on the "Solana FakeFix" campaign: 25 malicious packages distributed across npm (16 packages) and PyPI (4 packages), impersonating legitimate Solana developer tooling under names such as @solana-labs/web3.js, solana-web3-stable, and solana-rpc-client. A second cluster of 5 npm packages operated as CMS-themed Windows loaders. The threat actor promoted the packages by spamming nine GitHub issues across real projects, framing the malicious packages as community fixes for the legitimate Solana SDK — specifically targeting developers experiencing dependency friction, a social engineering angle that exploits the moment of maximum victim receptivity. On npm, postinstall lifecycle hooks fired the payload at install time; on PyPI, malicious code in `__init__.py` executed on import. Harvest targets included Solana keypairs, SSH private keys, AWS credentials, .env secrets, and tokens matching KEY, SECRET, MNEMONIC, and CI patterns. Exfiltration routed through Telegram C2 with hard-coded bot tokens; later variants added interactive backdoor capability. This campaign is distinct from the TrapDoor operation covered in the June 2 feed and represents a parallel, crypto-developer-specific track of the ongoing registry poisoning campaign.
Watch for: Whether the Telegram C2 bot tokens link to infrastructure associated with prior campaigns, and whether the CMS-themed loader packages connect to a known dropper ecosystem.
Sources: JFrog Security Research (June 12, 2026); CyberSecurityNews (June 12, 2026); GBHackers (June 12, 2026).
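As an added defender-side example (not JFrog's code and not part of this digest), the following Python script audits npm package manifests for the two install-time signals described in the item above: a package name that resembles a legitimate package, and a preinstall/install/postinstall lifecycle hook that npm runs automatically during `npm install`. It assumes @solana/web3.js is the legitimate package the lookalike names imitate; the sample manifests are constructed, the script commands in them are invented, and the 0.8 similarity threshold is an assumption to tune against your own dependency set.

```python
"""Audit npm package.json manifests for lookalike names and install-time hooks.

Added example for the Solana FakeFix item; constructed inputs, not real package metadata.
"""
import difflib
import json
from dataclasses import dataclass

# Assumption: the legitimate package the campaign's lookalikes imitate.
# Extend this allow-list with the packages your projects actually depend on.
KNOWN_GOOD = {"@solana/web3.js"}

# npm executes these lifecycle scripts without prompting during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def normalize(name: str) -> str:
    """Drop the scope marker and punctuation so visually similar names
    ('@solana-labs/web3.js' vs '@solana/web3.js') compare closely."""
    return name.lstrip("@").replace("-", "").replace("_", "").replace(".", "").lower()


def lookalike_score(candidate: str, known: str) -> float:
    """0.0..1.0 string similarity between normalized package names."""
    return difflib.SequenceMatcher(None, normalize(candidate), normalize(known)).ratio()


def audit_manifest(manifest: dict, known_good=KNOWN_GOOD, threshold: float = 0.8) -> list:
    """Return a list of Finding for one parsed package.json (empty list if clean)."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    if name not in known_good:
        for good in sorted(known_good):
            score = lookalike_score(name, good)
            if score >= threshold:
                findings.append(Finding(name, f"name resembles {good} (similarity {score:.2f})"))
                break
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(Finding(name, f"runs code at install time via '{hook}': {scripts[hook]}"))
    return findings


def audit_manifests(manifests) -> list:
    """Audit a sequence of parsed manifests and flatten the findings."""
    out = []
    for manifest in manifests:
        out.extend(audit_manifest(manifest))
    return out


# Constructed sample manifests. The three lookalike names are the ones named in
# the JFrog report; the version strings and script commands are invented.
SAMPLE_MANIFESTS = [
    json.loads('{"name": "@solana/web3.js", "version": "1.0.0", "scripts": {"test": "jest"}}'),
    json.loads('{"name": "@solana-labs/web3.js", "version": "1.0.0", '
               '"scripts": {"postinstall": "node ./scripts/setup.js"}}'),
    json.loads('{"name": "solana-web3-stable", "version": "0.1.0", '
               '"scripts": {"preinstall": "node ./lib/check.js"}}'),
    json.loads('{"name": "solana-rpc-client", "version": "2.3.1"}'),
]

if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{finding.package}: {finding.reason}")
```

In practice you would feed it every package.json under node_modules (or the lockfile's resolved packages) before allowing an install to proceed in CI. Two caveats follow from the item itself: an install hook alone is not proof of malice, since native-addon packages legitimately build in postinstall, so treat a hit as a review trigger rather than a verdict; and the PyPI variant, which runs from `__init__.py` on import rather than at install time, is invisible to this check and needs a separate import-time review of the distribution's top-level package.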
________________________
DentaQuest/ShinyHunters: 234 GB of Medicaid and Health Insurance Data Now in Open Circulation — HHS Notification Still Outstanding as of Early June
ShinyHunters published 234 GB of data from dental benefits administrator DentaQuest following failed extortion negotiations, exposing records for approximately 2.6 million individuals including names, dates of birth, government-issued IDs, healthcare enrollment data, health insurance information, and Medicaid IDs — confirmed by HaveIBeenPwned per BleepingComputer (June 5, 2026). DentaQuest, a Sun Life subsidiary administering Medicaid programs across all 50 states, confirmed the breach on June 2, 2026, acknowledging unauthorized access to a limited portion of its network. As of June 5, the company had not yet submitted HIPAA breach notification to the US Department of Health and Human Services, per Rescana analysis (June 5, 2026). The data type — Medicaid ID combined with healthcare enrollment transaction records (ASC X12 format) — is directly usable for insurance fraud and benefits theft, not just identity harvesting. State Medicaid agencies whose beneficiaries appear in the dataset face independent notification obligations that DentaQuest's own timeline does not control.
Watch for: HHS Office for Civil Rights enforcement action and whether Medicaid program administrators in affected states issue their own breach notifications ahead of DentaQuest.
Sources: SecurityWeek (June 5, 2026); BleepingComputer (June 5, 2026); HaveIBeenPwned (June 5, 2026); SC Media (June 5, 2026); Rescana (June 5, 2026).
— Jonathan Brown, Border Cyber Group | bordercybergroup.com
Analysis and defender guidance in this digest are informational only. BORDER CYBER GROUP has no visibility into reader environments, patch states, or operational constraints. Nothing published here constitutes professional cybersecurity, legal, or compliance advice. All remediation and response decisions should be evaluated by qualified personnel against your organization's specific context. BCG assumes no responsibility for actions taken or not taken in reliance on this content.