July 2 / 2026 / Reading Time: 8 minutes

Weekly Situation Report : 6/29/26

EXECUTIVE SUMMARY

This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.

KEY TAKEAWAYS

  • An update to the FortiBleed incident details use of custom tooling used by threat actors in post compromise activities, alongside credential-centric exploitation.
  • Cisco Unified CM flaw CVE-2026-20230 claimed to be exploited in the wild. Attackers used known unverified and likely fake PoC, while real PoC is disclosed.
  • KongTuke initial access broker uses new Mistic RAT in attacks, while also pivoting to abusing Cisco Spark in recent attacks.
  • Klue breach continues to affect technology and cybersecurity firms, with LastPass being its latest victim.

1. FortiBleed Update: Custom FortigateSniffer Tool Used to Steal Credentials

SUMMARY

New research on FortiBleed disclosed analysis of the toolset used during intrusions, which recently impacted 75,000 Fortinet FortiGate devices and resulted in the leakage of hashed passwords

Category

Threat Actor Activities

Industry

Technology, Financial and Fintech, Public Sector and Government Administration

Sources

https://www.bleepingcomputer.com/news/security/FortiBleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/

https://socradar.io/wp-content/uploads/2026/06/Dismantling-FortiBleed.pdf

https://www.hudsonrock.com/fortinet

https://www.linkedin.com/feed/update/urn:li:activity:7471222472193830913/

https://www.theregister.com/security/2025/01/17/fortinet-fortigate-config-leaks-are-genuine-but-misleading/513638

https://github.com/inm7ripe/Fortigate-password-recovery/issues/1

https://www.bleepingcomputer.com/news/security/FortiBleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/

ANALYST COMMENTS

Researchers have detailed a large-scale FortiBleed campaign targeting Fortinet FortiGate devices, where custom sniffers were used to harvest authentication secrets and steal credentials from over 430,000 firewalls globally since at least February 2026. This most recent incident has affected 75,000 FortiGate devices based on disclosed compromise lists. The threat actors, operating as initial access brokers, used custom tooling that included a Golang-based tool called "FortigateSniffer" to exploit FortiOS's diagnose sniffer packet functionality to monitor network traffic. This tool captured authentication traffic from compromised devices, while Python and Hashcat tooling extracted and cracked credentials and password hashes from the collected data. Additional custom tooling was used for post compromise activity to find stored passwords or hashes stored within configuration files and scripts stored on the compromised FortiGate devices. 

Initial access was typically gained by identifying exposed FortiGate devices through tools such as Shodan or Masscan, then using credential based attacks such as brute forcing, credential stuffing, and password guessing against weak credentials. The threat actor also appears to conduct longer term post-compromise activities using FortigateSniffer to identify credentials and hashes transmitted over the network, while also searching files on compromised devices for stored credentials. Code comments suggest Russian attribution, although the specific group remains unknown. Public reporting indicates that known victims are primarily located in India and the United States, which largely aligns with the current distribution of exposed FortiGate devices in those regions.

ACTIONABLE GUIDANCE

Credentials should be rotated and MFA should be enforced for all users. FortiGate and other Fortinet devices should be upgraded to the latest versions available, including all current hot fixes as these devices are the primary infiltration point for the threat actor.

Administrators should audit devices for potential compromise, including administrator logins from unknown sources or activity occurring at unusual times without attribution to known employees. If compromise is confirmed, the device should be rebuilt as there is a high likelihood that a backdoor may have been planted. 

Management interfaces should not be exposed to the public internet, as this expands the attack surface and creates additional opportunities for attackers.

2. Cisco Unified CM Flaw CVE-2026-20230 Claimed to Be Exploited in Attacks with Fake PoC, Real PoC Disclosed

SUMMARY

A critical SSRF vulnerability in Cisco Unified Communications Manager Server, CVE-2026-20230, allows unauthenticated attackers to gain root access through improper input validation, despite available security updates.

Category

Known Exploited Vulnerabilities

Industry

Technology, Public Sector and Government Administration, Telecommunications

Sources

https://www.bleepingcomputer.com/news/security/cisco-unified-cm-sme-flaw-cve-2026-20230-now-exploited-in-attacks/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW

https://x.com/DefusedCyber/status/2069074520057557244

https://github.com/HORKimhab/CVE-2026-20230/blob/main/cve-2026-20230.py

https://ssd-disclosure.com/cisco-unified-communications-manager-arbitrary-file-write-to-rce/

ANALYST COMMENTS

A high-severity server side request forgery (SSRF) vulnerability, CVE-2026-20230, in Cisco Unified Communications Manager Server allows unauthenticated attackers to gain root privileges through improper validation of HTTP requests. Cisco released updates for this flaw on June 3, emphasizing the critical nature of the exploit. Threat intelligence researchers reported active exploitation, noting that attacks are using specific file:// payloads to write files, such as a test file named '/tmp/cve-2026-20230-test.txt', to identify vulnerable devices. SSD Secure provided a technical write-up and PoC, detailing that exploitation abuses the Webdialer component to write arbitrary files and ultimately achieve remote code execution, though exploitation requires knowledge of the target hostname.

While the vulnerability has been reported as exploited  in the wild, the currently available data appears to match IoCs of an initial PoC released about 3 weeks ago. That PoC came from a user known for AI-generated or false PoCs, although they have previously published working PoCs after prior disclosure. The text file naming also appears to align with the released code. The original vulnerability researchers have now published technical details, and some of those details do not fully align with the exploitation activity reported by threat intelligence researchers.

Threat intelligence researchers claim CVE-2026-20230 exploitation based on the following:

# Claimed exploitation - matches https://github.com/HORKimhab/CVE-2026-20230/blob/main/cve-2026-20230.py

POST /webdialer/Webdialer HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0(compatible; CVE-2026-20230-PoC)
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

dest=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test-txt&url=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test-txt&action=doSomething&phoneNumber=test

The original exploitation reported by the threat intelligence researcher is unlikely to reflect activity from a sophisticated actor or organized threat group. However, the release of the genuine vulnerability details will likely drive broader exploitation in the wild. We are not currently aware of any verified data tied to the recently disclosed exploitation method. Based on the original report, the known network IOC is primarily associated with residential proxy networks and spam activity.

156.146.38.167 - AS60068 datacamp limited - Dallas,TX US

ACTIONABLE GUIDANCE

The vendor has released patches and mitigation strategies that address this issue. Organizations should also avoid exposing these devices to the public internet, as doing so increases the likelihood of exploitation by external threat actors. Exploitation will likely follow the chain request below, with the assumption that a webshell or other malware may be uploaded to a vulnerable server instance:

GET /cmplatform/installClusterStatusExecute
GET /webdialer/services/randomR11
GET /platform-services/axis2-web/<unknown jsp file>

3.KongTuke Initial Access Broker Adds “Mistic” RAT to Their Arsenal, in Addition to MINTLOADER and Shift to Cisco Spark Abuse

SUMMARY

An initial access broker known as KongTuke has been using a new RAT called Backdoor.Mistic since April 2026 to target multiple industries through social engineering and compromised sites. The threat actor is linked to various ransomware groups for brokering initial access.

Category

Threat Actor Activities

Industry

Multiple

Sources

https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/

https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat

https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor

https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting

https://socprime.com/active-threats/the-demon-arrives-later-a-havoc-stager-hides-behind-microsoft-defender-dlp/

ANALYST COMMENTS

Researchers report that an initial access broker (IAB) known as KongTuke (aka WoodGnat), active since May 2024, has started using a new remote access trojan (RAT) called Backdoor.Mistic (also known as MLTBackdoor). KongTuke, having connections to ransomware groups like Qilin and Black Basta, deploys Mistic as a DLL and uses techniques such as credential stealing and social engineering to compromise networks. The RAT provides capabilities like file manipulation and code execution and is deployed alongside tools like PowerShell and Certutil for extensive network manipulation and data exfiltration. 

Mistic RAT/ MLTBackdoor may likely be a variant of a Havoc C2 binary, due in part to at least one sample that contained metadata of the executable with company and product names listed as “Nuance Communications / Dragon Data Protection ” associated with “endpointdlp.dll”. The company and product names point to Havoc C2. Later samples did not have this metadata, which may indicate this was in error by the threat actor and have since corrected newer versions by removing the identifying metadata, however further verification is needed. Based on recent samples uploaded to public malware repositories, The newest samples seen were from the middle of May. 

New KongTuke sample submissions tied to this threat actor show heavy use of MINTLOADER across a majority of reported samples. MINTLOADER is a PowerShell loader designed to execute further stages of the threat actors attack chain. 

Since April 2026, the threat actor has utilized helpdesk and IT-support lures via Microsoft Teams to trick victims into running malicious code for initial compromise, in addition continued use of ClickFix and related techniques. Recent samples suggest a shift from Teams abuse to Cisco Spark abuse, based on .tar archives observed in early June that contained several executables and .dll files related to the Cisco product. 

Persistence commonly includes registry runkeys, scheduled tasks, start-up folder abuse, with files typically dropped within the user’s AppData folder under Local\Temp. As the threat actor abuses Traffic Distribution Systems (TDS), domains and network addresses change often, so detection should focus on the group’s behaviors and tooling rather than static network indicators.

ACTIONABLE GUIDANCE

Since the threat actor uses PowerShell in MINTLOADER related attack chains, organizations should restrict PowerShell for most non-IT users to limit attack progression. Users should also receive guidance on ClickFix and related campaigns, while disabling the Win + R shortcut through default user group policy may reduce the likelihood of initial infection.

Teams should examine the presence of RMM software, unattributed registry changes, and file system activity, especially excessive writes to AppData\Local\Temp. Use of living off the land binaries and scripts, including certutil.exe, should generate alerts for further investigation.

4. Downstream Attacks from Klue Breach Affect LastPass

SUMMARY

Several downstream breaches of Salesforce data have affected multiple prominent security vendors including LastPass, Huntress, Jamf, and Recorded Future. The compromised data does not appear to be sensitive and is primarily associated with sales activity.

Category

Confirmed Breach

Industry

Technology

Sources

https://techcrunch.com/2026/06/23/password-manager-maker-lastpass-says-hackers-stole-customer-support-case-data-during-klue-breach/

https://www.huntress.com/blog/klue-breach-investigation

https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response

https://www.theregister.com/cyber-crime/2026/06/25/ex-huntress-analyst-claims-company-insider-fed-info-to-a-ransomware-crim-social-media-drama-ensues/5262538

ANALYST COMMENTS

Several prominent security and technology companies have been affected by the Klue compromise of extortion actor Icarus. The threat actor successfully breached the Salesforce data of several of these companies, which contributed to downstream compromises against affected organizations. Recent examples include Salesforce data leaks affecting cybersecurity firms like Huntress and password security organization LastPass. This activity is similar to the attacks perpetrated by ShinyHunters and other COM related hackers.

In regards to LastPass specifically, the company has stated that the data does not include credentials, PII, or other sensitive data. However, the advisory from LastPass also states that support data was also included in the breach. While the majority of the data is not classed as sensitive, user submitted support data might contain sensitive data related to troubleshooting LastPass issues. The threat actor’s dark web presence is no longer  online, so further analysis of the breach contents  cannot be verified. The current list of compromised organizations affected by the Klue breach include the following:

  • LastPass
  • Huntress 
  • HackerOne
  • ReliaQuest
  • Snyk
  • Tanium
  • BeyondTrust
  • Recorded Future
  • Gong
  • Jamf
  • OneTrust
  • Sprout Social
  • Insurity
  • Pendo
  • 8x8

Icarus is a recent threat actor that uses API automation, OAuth token phishing, and pressure tactics while extorting victims with stolen data. There are no updates to the actors currently known IOCs.

ACTIONABLE GUIDANCE

Organizations that partner with any of the affected companies should audit the level of information that is submitted to the breached companies. In the case of LastPass, support tickets were also affected which may contain sensitive billing or credential information submitted. Other companies may have seen similar impact to their environments, therefore partnerships should audit the level of data being shared and obtain clear guidance on what potential information could have been affected by this event. If a partner is confirmed to have been affected by this breach, it is recommended that partner accounts have their credentials rotated and ensure that MFA is applied for all users, while restricting the Device Code Flow to prevent potential OAuth device phishing attacks that the threat actor has used during this breach.

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients. REQUEST ACCESS

Share This Threat Brief: