The 24-hour period from June 4-5, 2026 revealed critical vulnerabilities across major enterprise platforms and widespread malware distribution activity. Microsoft cloud services face two CRITICAL-severity vulnerabilities (CVE-2026-48567 with CVSS 10.0 and CVE-2026-48579 with CVSS 9.1) affecting Azure HorizonDB and Exchange Online, enabling authentication bypass and information disclosure respectively. Google Chrome released version 149.0.7827.53 addressing 30 HIGH-severity vulnerabilities, many enabling remote code execution through crafted HTML pages.
Malware distribution infrastructure remains highly active with 50 malicious URLs identified by abuse.ch, predominantly delivering Mozi botnet variants, RemcosRAT, ClearFake campaigns, and Amadey dropper payloads. The Mozi botnet continues targeting IoT devices through multiple distribution vectors, while RemcosRAT campaigns utilize steganography and HTA-based delivery mechanisms. Threat actors are leveraging compromised legitimate websites and temporary hosting services for payload distribution.
Immediate action is required for organizations using Microsoft cloud services to assess exposure to the authentication bypass and information disclosure vulnerabilities. Chrome users should update to version 149.0.7827.53 immediately. Network defenders should implement blocking for the identified malicious infrastructure and enhance monitoring for Mozi botnet activity targeting IoT devices and RemcosRAT delivery patterns.
Two critical vulnerabilities identified in Microsoft Azure and Exchange Online requiring immediate attention
Authentication bypass by spoofing vulnerability in Azure HorizonDB allows unauthorized attackers to elevate privileges over a network. This represents the maximum CVSS score and enables complete system compromise without authentication.
Improper authorization vulnerability in Microsoft Exchange Online enables unauthorized attackers to disclose sensitive information over a network without requiring authentication.
Command injection vulnerability in Microsoft Copilot allows authenticated attackers to execute arbitrary code over a network through improper neutralization of special elements.
Chrome 149.0.7827.53 addresses extensive use-after-free, integer overflow, and type confusion vulnerabilities enabling sandbox escape and arbitrary code execution
Use-after-free vulnerability in Views component on Windows allows remote attackers to execute arbitrary code via crafted HTML pages. The component is not sandbox-restricted, so successful exploitation carries elevated risk.
Integer overflow in CredentialProvider on Windows allows attackers who have compromised the renderer to perform OS-level privilege escalation, breaking out of the Chrome sandbox environment.
Insufficient validation of untrusted input in Extensions allows attackers who have already compromised the renderer to escalate privileges via crafted HTML pages.
Multiple use-after-free vulnerabilities identified in V8 JavaScript engine (CVE-2026-11050, CVE-2026-11173) and Blink rendering engine (CVE-2026-11059, CVE-2026-11164) enable arbitrary code execution within the sandbox. Immediate patching to version 149.0.7827.53 required.
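Verifying that a fleet is actually on the patched Chrome build is a common follow-up to this kind of advisory, and the usual mistake is comparing version strings lexically. The following is an added example, not code from the digest or from Google; the patched version is the one the digest names, and the hostname-to-version inventory is constructed.

```python
"""Check whether installed Chrome builds meet the patched version named in the digest.

Added example, not part of the original digest. PATCHED_VERSION is the version the
digest gives; SAMPLE_INVENTORY is constructed test data, not real hosts.
"""
from __future__ import annotations

PATCHED_VERSION = "149.0.7827.53"  # from the digest


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted Chrome version (MAJOR.MINOR.BUILD.PATCH) into integers.

    String comparison is wrong here: "149.0.7827.9" sorts after "149.0.7827.53"
    lexically, so each component must be compared numerically.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, required: str = PATCHED_VERSION) -> bool:
    """True when the installed build is at or above the required build."""
    return parse_version(installed) >= parse_version(required)


def triage(inventory: dict[str, str], required: str = PATCHED_VERSION) -> list[str]:
    """Return the hostnames whose Chrome build is below the required version."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver, required))


# Constructed inventory (hostname -> reported Chrome version); not real data.
SAMPLE_INVENTORY = {
    "ws-001": "149.0.7827.53",   # exactly the patched build
    "ws-002": "149.0.7827.9",    # looks newer as a string, is older numerically
    "ws-003": "148.0.7700.120",  # previous major
    "ws-004": "150.0.7900.1",    # newer than the fix
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} is below {PATCHED_VERSION}")
```

The inventory would normally come from an endpoint management export; the point of the example is that `ws-002` is flagged even though a plain string comparison would pass it.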
Critical vulnerability in Cisco SD-WAN management platform
Insufficient validation in CLI of Cisco Catalyst SD-WAN Manager allows authenticated local attackers to execute arbitrary commands as root by supplying crafted files to the system.
Extensive Mozi botnet distribution infrastructure identified targeting IoT devices through multiple architectures
More than 15 active Mozi malware distribution URLs were identified, targeting MIPS, ARM, and mixed-architecture IoT devices. Distribution includes bin.sh shell scripts and architecture-specific ELF binaries hosted on compromised devices in multiple geographic regions (115.x.x.x, 125.x.x.x, 180.x.x.x, 182.x.x.x, 222.x.x.x ranges).
Multiple URLs distributing Mirai botnet variants identified at 151.245.104.193, 92.42.100.131 (gigatex campaign), and 110.85.110.38. The gigatex campaign targets ARM5, ARM7, MIPS, and MPSL architectures with UA-wget indicators.
Active RemcosRAT distribution using image steganography and HTML Application delivery mechanisms
RemcosRAT campaigns utilizing PNG image steganography for payload delivery identified at multiple infrastructure points (188.213.175.222, 96.44.167.219, onceuponatimethebabyangelcamebacktotheearthtogoformebestwishesg.ydns.eu, 104.168.115.123, 172.245.209.218, 107.172.13.211). Payloads embedded in images with filenames like 'file.png', 'optimized_MSI.png', 'img_033451.png'.
Multiple HTA (HTML Application) files used to deliver RemcosRAT identified with social engineering filenames like 'goodthingsforbetterperson.hta', 'goodformulafodme.hta', 'Goodpersonforbetterone.hta'. This delivery method bypasses traditional executable restrictions.
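The PNG lures above work because a valid image can carry extra bytes that image viewers ignore. A cheap triage check for inbound or downloaded images is therefore structural: parse the PNG chunk sequence and flag anything after the IEND chunk, any non-standard chunk type, or a CRC mismatch. The following is an added example written for this digest, not abuse.ch or vendor code; the 1x1 PNG and the bytes appended to it are constructed in the script.

```python
"""Triage PNG files for appended or hidden data (structural check, no extraction).

Added example, not from the digest. It parses PNG chunks and reports data after
IEND, unexpected chunk types and CRC mismatches. Sample images are constructed.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a plain image is expected to contain (critical + common ancillary chunks).
EXPECTED_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"iTXt", b"zTXt", b"pHYs",
    b"gAMA", b"sRGB", b"cHRM", b"bKGD", b"tIME", b"tRNS", b"iCCP", b"sBIT",
}


def parse_chunks(data: bytes) -> tuple[list[tuple[bytes, int, bool]], int]:
    """Return ([(type, length, crc_ok), ...], offset just after the last parsed chunk).

    Parsing stops at IEND; by the PNG spec nothing belongs after it.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body = data[body_start:body_start + length]
        crc_raw = data[body_start + length:body_start + length + 4]
        if len(body) != length or len(crc_raw) != 4:
            break  # truncated chunk
        crc_ok = struct.unpack(">I", crc_raw)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype, length, crc_ok))
        pos = body_start + length + 4
        if ctype == b"IEND":
            break
    return chunks, pos


def triage_png(data: bytes) -> dict:
    """Summarise structural anomalies; 'suspicious' is True when any finding exists."""
    chunks, end = parse_chunks(data)
    types = [c[0] for c in chunks]
    findings = []
    trailing = None
    if not types or types[-1] != b"IEND":
        findings.append("no IEND chunk (truncated or malformed)")
    else:
        trailing = len(data) - end
        if trailing > 0:
            findings.append(f"{trailing} bytes after IEND")
    unexpected = sorted({t.decode("latin-1") for t in types if t not in EXPECTED_CHUNKS})
    if unexpected:
        findings.append("unexpected chunk types: " + ", ".join(unexpected))
    if any(not ok for _, _, ok in chunks):
        findings.append("chunk CRC mismatch")
    return {"chunks": len(chunks), "trailing_bytes": trailing,
            "findings": findings, "suspicious": bool(findings)}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk (length, type, data, CRC over type+data)."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x00"  # filter byte + one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw_scanline)) + _chunk(b"IEND", b""))


CLEAN_PNG = build_minimal_png()
# Constructed: the same image with opaque bytes appended after IEND (100 bytes).
APPENDED_PNG = CLEAN_PNG + b"CONSTRUCTED-TRAILING-DATA" * 4

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG)):
        print(name, triage_png(blob))
```

This catches the "image as container" pattern (payload appended after IEND or parked in a private chunk), which is what most lure images use. It does not detect true pixel-level steganography (LSB embedding), which leaves the chunk structure intact; that case needs statistical analysis or, more practically, detonation of the script that decodes the image.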
Amadey trojan dropper actively distributing secondary payloads from compromised infrastructure
Active Amadey dropper infrastructure at 91.92.242.236/files-129312398/ distributing multiple secondary payloads (file_61494061c939bae3.exe, file_367971ed01760582.exe, file_30ecb0a5dbaa1ba1.exe, file_808d5e8e6a974796.exe). C2 monitoring systems have automatically flagged these as dropped-by-amadey.
Legitimate website hqp-llc.com compromised to host Amadey-dropped payload taskHost.exe in WordPress uploads directory, demonstrating supply chain compromise tactics.
Multiple information stealer campaigns including PhantomStealer, AgentTesla, xworm, and VIPKeylogger identified
PhantomStealer campaigns utilizing Pastefy (pastefy.app/oBAYj3ui/raw) and catbox.moe file sharing services for PowerShell-based payload delivery. Additional distribution at nanshiin.com/1.jpg using image files.
AgentTesla stealer payload identified at ybhub.com.au/stego_paload.png using steganography. xworm RAT distributed from kpmmg.org via xwbin.png. VIPKeylogger delivered through Cloudflare Workers infrastructure (icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev).
Active ClearFake campaign utilizing fake browser update pages across multiple domains
ClearFake browser update social engineering campaign active across multiple gambling/betting themed domains (ptapgsl.betwana.casino, fq5lyk18.bet404.games, jojxmyi.betwoonuyelik.com, mlvzrpw.betyyy.casino, 3i8e3aty.ef90bet.com). These sites deliver malware by convincing users to install fake browser updates.
Observed use of bash scripts and VNC for initial access and persistence mechanisms
Multiple bash-script-based payloads identified at 176.65.139.129/g.sh and fluffynoodle.xyz/ash (tagged with bash, malware, vnc). These scripts likely establish remote access and download additional payloads.
SiriusRAT remote access trojan identified in active distribution
SiriusRAT payload identified at 188.213.175.222/mp/file.png, representing an emerging RAT family with potential advanced capabilities.
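Turning the indicators above into something a proxy or DNS layer can act on means normalising each URL to its host, deciding which hosts are safe to block outright, and then matching logs against the result. The following is an added example, not code from the digest or from abuse.ch. The IoC strings are those quoted in the digest; the proxy log lines are constructed. Two deliberate choices: hosts are matched exactly rather than by substring, and the Mozi range mentions (115.x.x.x and similar) are not turned into block rules, because they describe whole /8 networks rather than specific hosts.

```python
"""Build a host blocklist from the digest's URLs and match it against proxy log lines.

Added example, not from the digest or abuse.ch. DIGEST_IOCS holds the indicators
quoted in the digest; SAMPLE_PROXY_LOG is constructed. Hosts match exactly.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as given in the digest (scheme omitted there; added only for parsing).
DIGEST_IOCS = {
    "91.92.242.236/files-129312398/": "Amadey",
    "hqp-llc.com": "Amadey (compromised legitimate site)",
    "188.213.175.222/mp/file.png": "SiriusRAT / RemcosRAT stego",
    "96.44.167.219": "RemcosRAT stego",
    "onceuponatimethebabyangelcamebacktotheearthtogoformebestwishesg.ydns.eu": "RemcosRAT stego",
    "pastefy.app/oBAYj3ui/raw": "PhantomStealer",
    "ybhub.com.au/stego_paload.png": "AgentTesla stego",
    "kpmmg.org": "xworm",
    "icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev": "VIPKeylogger",
    "ptapgsl.betwana.casino": "ClearFake",
    "176.65.139.129/g.sh": "bash/vnc script",
    "fluffynoodle.xyz/ash": "bash/vnc script",
    "151.245.104.193": "Mirai",
    "92.42.100.131": "Mirai (gigatex)",
    "110.85.110.38": "Mirai",
}

# Shared services and compromised legitimate sites: alert on them, do not block outright.
SHARED_OR_COMPROMISED = {"hqp-llc.com", "pastefy.app"}

# Constructed Squid-style access log: "timestamp client action/status method url".
SAMPLE_PROXY_LOG = """\
1780000001.123 10.0.5.17 TCP_MISS/200 GET http://91.92.242.236/files-129312398/file_61494061c939bae3.exe
1780000002.456 10.0.5.18 TCP_MISS/200 GET https://www.example.com/index.html
1780000003.789 10.0.7.2 TCP_MISS/200 GET http://hqp-llc.com/wp-content/uploads/taskHost.exe
1780000004.001 10.0.5.19 TCP_MISS/404 GET http://kpmmg.org.example/xwbin.png
1780000005.002 10.0.9.4 TCP_MISS/200 GET http://KPMMG.ORG/xwbin.png
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def ioc_host(ioc: str) -> str:
    """Lower-case host (IP or domain) of a bare 'host/path' indicator."""
    return urlsplit("http://" + ioc).hostname.lower()


def build_blocklist(iocs: dict = DIGEST_IOCS) -> tuple[dict, dict]:
    """Return (block_hosts, alert_only_hosts), each mapping host -> family tag."""
    block, alert_only = {}, {}
    for ioc, family in iocs.items():
        host = ioc_host(ioc)
        (alert_only if host in SHARED_OR_COMPROMISED else block)[host] = family
    return block, alert_only


def split_by_type(hosts) -> tuple[list, list]:
    """Separate IPs (for firewall rules) from domains (for DNS RPZ / proxy denylists)."""
    ips, domains = [], []
    for host in sorted(hosts):
        try:
            ipaddress.ip_address(host)
            ips.append(host)
        except ValueError:
            domains.append(host)
    return ips, domains


def match_log(log_text: str, block: dict, alert_only: dict) -> list[dict]:
    """Return one hit per log line whose host exactly matches a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host in block:
            hits.append({"client": m["client"], "host": host, "family": block[host], "action": "block"})
        elif host in alert_only:
            hits.append({"client": m["client"], "host": host, "family": alert_only[host], "action": "alert"})
    return hits


if __name__ == "__main__":
    block, alert_only = build_blocklist()
    ips, domains = split_by_type(block)
    print("block IPs:", ips)
    print("block domains:", domains)
    for hit in match_log(SAMPLE_PROXY_LOG, block, alert_only):
        print(hit)
```

The lookalike line (`kpmmg.org.example`) is there to show that exact host matching does not fire on a substring, and the upper-case `KPMMG.ORG` line shows why hosts are lower-cased on both sides. Blocking `hqp-llc.com` wholesale would cut off a legitimate business whose WordPress uploads directory was abused; alerting on the host and blocking the specific path is the more proportionate response.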
New blog post covering advanced email header analysis capabilities beyond basic tools
Analysis comparing MxToolbox basic header parsing capabilities with DFIR Platform's advanced email investigation features for security operations and incident response teams.