Threat Hunt Feed (2026-06-17)
BleepingComputer
- Malicious JetBrains Marketplace plugins steal AI API keys from developers — Tue, 16 Jun 2026 17:54:50 -0400
- Matched TTPs: Artificial Intelligence (T1588.007), Rootkit (T1014), Malware (T1588.001), Hardware (T1592.001), Server (T1584.004), Tool (T1588.002), Phishing (T1566), Software (T1592.002), Credentials (T1589.001), At (T1053.002)
- New Rokarolla Android malware targets 217 banking, crypto apps — Tue, 16 Jun 2026 16:04:11 -0400
- Matched TTPs: Rootkit (T1014), Malware (T1588.001), Hardware (T1592.001), Server (T1584.004), Financial Theft (T1657), Tool (T1588.002), Phishing (T1566), Software (T1592.002), Credentials (T1589.001), At (T1053.002)
- Steam Workshop abused to spread malware via Wallpaper Engine app — Tue, 16 Jun 2026 14:27:55 -0400
- Matched TTPs: Rootkit (T1014), Malware (T1588.001), Hardware (T1592.001), DLL (T1574.001), Botnet (T1584.005), Tool (T1588.002), Phishing (T1566), Software (T1592.002), Credentials (T1589.001), At (T1053.002)
- UK to require ID or face scan before you can make social media accounts — Tue, 16 Jun 2026 10:38:49 -0400
- Matched TTPs: Rootkit (T1014), Malware (T1588.001), Hardware (T1592.001), Social Media Accounts (T1585.001), Server (T1584.004), Tool (T1588.002), Phishing (T1566), Software (T1592.002), Social Media (T1593.001), At (T1053.002)
- GhostTree Attack Abused Recursive Windows Junctions to Hide Malware — Tue, 16 Jun 2026 10:17:27 -0400
- Matched TTPs: Rootkit (T1014), Malware (T1588.001), Hardware (T1592.001), Databases (T1213.006), Tool (T1588.002), Phishing (T1566), Software (T1592.002), At (T1053.002)
- Ransomware gang abuses Microsoft Teams relays to hide malicious traffic — Tue, 16 Jun 2026 06:18:48 -0400
- Matched TTPs: Rootkit (T1014), Malware (T1588.001), Hardware (T1592.001), DLL (T1574.001), Masquerading (T1036), Server (T1584.004), Tool (T1588.002), Phishing (T1566), Software (T1592.002), Credentials (T1589.001), At (T1053.002)
- Critical Fortinet FortiSandbox flaws now exploited in attacks — Tue, 16 Jun 2026 05:19:51 -0400
- Matched TTPs: Rootkit (T1014), Malware (T1588.001), Hardware (T1592.001), Vulnerabilities (T1588.006), Server (T1584.004), Tool (T1588.002), Phishing (T1566), Software (T1592.002)
- Windows version of SprySOCKS Linux malware used to attack govt orgs — Tue, 16 Jun 2026 05:00:00 -0400
- Matched TTPs: Rootkit (T1014), Bootkit (T1542.003), Malware (T1588.001), Hardware (T1592.001), Server (T1584.004), Proxy (T1090), Tool (T1588.002), Phishing (T1566), Software (T1592.002), At (T1053.002)
Dark Reading
- Fileless Phantom Stealer Targets Browser Credentials — Tue, 16 Jun 2026 22:26:34 GMT
- Matched TTPs: Malware (T1588.001), Vulnerabilities (T1588.006), Password Managers (T1555.005), PowerShell (T1059.001), Phishing (T1566), Software (T1592.002), Exploits (T1588.005), Credentials (T1589.001), At (T1053.002)
- Rokarolla Android Trojan Levels Up to Full Device Control, Persistence — Tue, 16 Jun 2026 17:32:32 GMT
- Matched TTPs: Malware (T1588.001), Hardware (T1592.001), Vulnerabilities (T1588.006), Domains (T1584.001), Phishing (T1566), Software (T1592.002), Exploits (T1588.005), Credentials (T1589.001), At (T1053.002)
- ‘Lorem Ipsum’ Malware Pivots to ClickFix Delivery — Tue, 16 Jun 2026 15:10:48 GMT
- Matched TTPs: Malware (T1588.001), Vulnerabilities (T1588.006), DLL (T1574.001), Code Signing (T1553.002), Server (T1584.004), User Execution (T1204), PowerShell (T1059.001), Software (T1592.002), Exploits (T1588.005), SEO Poisoning (T1608.006), At (T1053.002)
- HTTP/2 Bomb Attacks Put Telcos, Healthcare Orgs at Risk — Mon, 15 Jun 2026 19:31:37 GMT
- Matched TTPs: Vulnerabilities (T1588.006), Botnet (T1584.005), Server (T1584.004), Exploits (T1588.005), At (T1053.002)
- China-Nexus Actor Spies on US Researchers Undetected for a Year — Mon, 15 Jun 2026 17:00:45 GMT
- Matched TTPs: IP Addresses (T1590.005), Malware (T1588.001), Vulnerabilities (T1588.006), Server (T1584.004), Phishing (T1566), Software (T1592.002), Exploits (T1588.005), Credentials (T1589.001), At (T1053.002)
The Hacker News
- Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting — Wed, 17 Jun 2026 00:35:41 +0530
- Matched TTPs: Rootkit (T1014), Vulnerabilities (T1588.006), Server (T1584.004), Phishing (T1566), Software (T1592.002), Social Media (T1593.001), Credentials (T1589.001), Python (T1059.006), At (T1053.002)
- ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures — Tue, 16 Jun 2026 23:11:28 +0530
- Matched TTPs: Artificial Intelligence (T1588.007), Rootkit (T1014), JavaScript (T1059.007), Malvertising (T1583.008), Malware (T1588.001), Vulnerabilities (T1588.006), DLL (T1574.001), Code Signing (T1553.002), Server (T1584.004), PowerShell (T1059.001), Lua (T1059.011), Encrypted Channel (T1573), Software (T1592.002), Exploits (T1588.005), Social Media (T1593.001), Credentials (T1589.001), Installer Packages (T1546.016), SEO Poisoning (T1608.006), At (T1053.002)
- New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds — Tue, 16 Jun 2026 18:40:17 +0530
- Matched TTPs: VNC (T1021.005), Rootkit (T1014), Malware (T1588.001), Vulnerabilities (T1588.006), Domains (T1584.001), Server (T1584.004), Software (T1592.002), Social Media (T1593.001), At (T1053.002)
- Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive — Tue, 16 Jun 2026 17:00:00 +0530
- Matched TTPs: Rootkit (T1014), Vulnerabilities (T1588.006), Proxy (T1090), Software (T1592.002), Social Media (T1593.001), At (T1053.002), Internal Proxy (T1090.001)
- Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week — Tue, 16 Jun 2026 16:00:41 +0530
- Matched TTPs: Artificial Intelligence (T1588.007), Rootkit (T1014), Vulnerabilities (T1588.006), Software (T1592.002), Social Media (T1593.001), At (T1053.002)
- Fake Microsoft Alerts Used to Deploy North Korean NarwhalRAT Malware — Tue, 16 Jun 2026 13:44:55 +0530
- Matched TTPs: Scheduled Task (T1053.005), Rootkit (T1014), Malware (T1588.001), Vulnerabilities (T1588.006), Masquerading (T1036), Server (T1584.004), Phishing (T1566), Software (T1592.002), Social Media (T1593.001), Python (T1059.006), At (T1053.002), Dead Drop Resolver (T1102.001)
- CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation — Tue, 16 Jun 2026 11:11:52 +0530
- Matched TTPs: Rootkit (T1014), Vulnerabilities (T1588.006), Web Shell (T1505.003), Server (T1584.004), Software (T1592.002), Social Media (T1593.001), At (T1053.002)