Threat Research Center
Real-World Cloud Attack Intelligence
Breach Analysis, Attack Paths & Security Insights
Impact (HIGH)
Operation Endgame: A Major Blow to Amadey and StealC Malware Networks
In June 2026, an international coalition led by Europol, in partnership with Microsoft and other private entities, executed Operation Endgame to dismantle the infrastructure supporting the Amadey and StealC malware operations. This coordinated effort resulted in the disruption of 326 servers and 142 domains, the identification of over €41 million in illicit cryptocurrency, and the recovery of approximately 27 million stolen credentials from more than 385,000 compromised systems. The operation targeted the cybercrime assembly line, aiming to increase friction for cybercriminals and hinder their ability to conduct attacks.
The significance of this operation lies in its comprehensive approach to disrupting malware-as-a-service platforms that facilitate initial access, credential theft, and subsequent deployment of ransomware or financial fraud. By targeting the foundational infrastructure of these malware families, law enforcement and private partners have set a precedent for future collaborative efforts to combat cybercrime at its roots.
12 hours ago
Kill Chain at a Glance
Impact (HIGH)
Mistic Backdoor: A New Threat in Ransomware Attacks
In April 2026, a new backdoor named Mistic was identified in attacks targeting sectors such as insurance, education, IT, and professional services. Linked to the initial access broker KongTuke (also known as Woodgnat), Mistic facilitates unauthorized access to corporate networks, which is then sold to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The malware employs DLL side-loading techniques to maintain stealth and persistence, allowing attackers to execute commands, manipulate files, and exfiltrate data without detection.
The emergence of Mistic underscores a growing trend where initial access brokers develop sophisticated tools to infiltrate networks, subsequently enabling ransomware operations. This development highlights the critical need for organizations to enhance their cybersecurity measures to detect and prevent such stealthy intrusions.
12 hours ago
Impact (HIGH)
Cisco SD-WAN Zero-Day CVE-2026-20245: Active Exploitation with No Patch Available
In June 2026, Cisco disclosed CVE-2026-20245, a high-severity zero-day vulnerability in its Catalyst SD-WAN Manager, which was actively exploited in the wild. This flaw allows authenticated attackers with netadmin privileges to upload crafted files and execute arbitrary commands as root, potentially compromising the entire SD-WAN infrastructure. The vulnerability affects all deployment types, including on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP environments. Notably, this marks the seventh SD-WAN zero-day exploited in 2026, highlighting a concerning trend of targeted attacks on Cisco's SD-WAN solutions. Organizations utilizing Cisco SD-WAN should prioritize mitigating this vulnerability by restricting and auditing netadmin accounts, isolating management interfaces, and monitoring for anomalous command executions. ([thecybersignal.com](https://www.thecybersignal.com/cisco-catalyst-sd-wan-manager-cve-2026-20245-zero-day-exploited-no-patch-2026/?utm_source=openai))
13 hours ago
Impact (HIGH)
DraftKings 2022 Credential Stuffing Attack: A Case Study
In November 2022, DraftKings, a prominent sports betting platform, experienced a credential stuffing attack that compromised approximately 68,000 user accounts. Attackers exploited reused or weak passwords to gain unauthorized access, leading to the theft of nearly $300,000 from customer accounts. The company promptly reimbursed affected users and emphasized the importance of unique passwords and two-factor authentication to enhance account security.
This incident underscores the growing threat of credential stuffing attacks, where cybercriminals leverage stolen credentials from previous breaches to infiltrate accounts on other platforms. The DraftKings case highlights the critical need for robust password practices and multi-factor authentication to mitigate such risks.
13 hours ago
Impact (CRITICAL)
Critical Vulnerability in Lantronix EDS5000 Devices Actively Exploited
In June 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about active exploitation of a critical vulnerability in Lantronix EDS5000 Series devices. Identified as CVE-2025-67038 with a CVSS score of 9.8, this code injection flaw allows unauthenticated attackers to execute arbitrary OS commands with root privileges by exploiting improper input sanitization in the HTTP RPC module. The vulnerability was disclosed in April 2026 as part of the BRIDGE:BREAK set of vulnerabilities affecting serial-to-IP converters from Lantronix and Silex.
The active exploitation of CVE-2025-67038 underscores the increasing targeting of IoT devices in critical infrastructure. Organizations must prioritize patching vulnerable systems and implementing robust input validation to mitigate such risks.
13 hours ago
Impact (HIGH)
Global Coalition Dismantles Amadey and StealC Malware Networks
In June 2026, an international law enforcement operation, in collaboration with private sector partners including Microsoft, Bitdefender, Bitsight, and ESET, successfully dismantled the infrastructure supporting the Amadey and StealC malware networks. This coordinated effort led to the seizure of 326 servers and 142 domains, the identification and restriction of over $47 million in illicit cryptocurrency assets, and the recovery of approximately 27 million stolen login credentials. The operation targeted the 'assembly lines' used by cybercriminals to launch ransomware, financial fraud, and attacks on critical infrastructure.
This takedown underscores the growing effectiveness of public-private partnerships in combating cybercrime. By disrupting the infrastructure of malware-as-a-service operations like Amadey and StealC, authorities have significantly hindered the ability of cybercriminals to execute large-scale attacks, highlighting the importance of collaborative efforts in enhancing global cybersecurity.
13 hours ago
Impact (MEDIUM)
Klue OAuth Breach: A Wake-Up Call for Third-Party Integration Security
In June 2026, attackers exploited a legacy credential to breach Klue's backend servers, deploying malicious code that harvested OAuth tokens used to integrate with third-party platforms, including Salesforce. Utilizing these tokens, the attackers accessed and exfiltrated substantial CRM data—such as business contacts, price quotes, and sales communications—from multiple organizations, including Huntress and Recorded Future. The extortion group 'Icarus' claimed responsibility, threatening to leak the stolen data if ransom demands were not met. In response, Salesforce disabled the Klue Battlecards app integration to prevent further unauthorized access. This incident underscores the critical vulnerabilities associated with third-party integrations and the importance of stringent access controls and credential management. The exploitation of OAuth tokens highlights a growing trend in supply chain attacks, emphasizing the need for organizations to reassess and fortify their security postures against such sophisticated threats.
17 hours ago
Impact (HIGH)
Understanding the 'Cordyceps' Vulnerability: A Threat to CI/CD Workflows
In June 2026, a critical vulnerability named 'Cordyceps' was identified, affecting Continuous Integration and Continuous Deployment (CI/CD) workflows across major platforms including Microsoft's Azure Sentinel, Google's AI Agent Development Kit, Apache's Doris analytics database, Cloudflare's Workers SDK, and the Python Software Foundation's Black. This flaw allows unauthenticated attackers to exploit automated workflows via malicious pull requests, potentially leading to command injection, privilege escalation, and full control over affected repositories. The attack vector leverages the inherent trust in pull requests and the automated processes that handle them, exposing millions of repositories to potential hijacking. ([darkreading.com](https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows?utm_source=openai))
The discovery of 'Cordyceps' underscores the escalating risks within software supply chains, particularly as agentic coding practices proliferate, reproducing insecure patterns across numerous repositories. Organizations are urged to audit and secure their CI/CD configurations to prevent unauthorized access and mitigate the risk of supply chain compromises.
17 hours ago
Impact (HIGH)
Malicious OpenClaw Skills Threaten AI Supply Chain
In June 2026, security researchers identified five malicious skills on ClawHub, OpenClaw's dedicated marketplace, that could steal credentials, bypass security scans, and perform other malicious activities for financial gain. These skills, appearing legitimate, demonstrated that such platforms are emerging as significant AI supply chain attack surfaces. ClawHub sells these skills to add functionality to the open-source AI agent, which has seen rapid adoption among developers and businesses since its launch last November. The malicious skills included infostealers targeting macOS, evasion techniques using inflated file sizes to bypass detection, and agentic threats like affiliate injection and front-running, all posing significant risks to organizations using OpenClaw. ([darkreading.com](https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain?utm_source=openai))
This incident underscores the growing threat of supply chain attacks within AI ecosystems, highlighting the need for rigorous verification frameworks and continuous monitoring of third-party extensions to prevent unauthorized access and data exfiltration.
17 hours ago
Impact (HIGH)
Critical macOS Vulnerability Allows Disabling of Security Tools Without Admin Credentials
In June 2026, researchers at XM Cyber identified a macOS vulnerability that allows users with standard privileges to disable enterprise security tools and execute privileged functions without administrator credentials. This flaw exploits how macOS establishes and validates application trust information, enabling attackers to impersonate trusted application components and perform actions reserved for privileged processes. The technique was demonstrated to disable CrowdStrike Falcon Endpoint Detection and Response (EDR) and Kandji Mobile Device Management (MDM) without triggering alerts or requiring kernel exploits. The issue potentially affects other macOS applications that provide privileged Cross-Process Communication (XPC) services and rely on Apple's CDHash for verifying application authenticity. XM Cyber plans to release an open-source tool named XPC Hunter at Black Hat USA in August to help security researchers identify similar vulnerabilities across macOS applications. Apple has been notified but has not responded at press time. This vulnerability underscores the need for organizations to reassess their macOS security configurations and implement additional safeguards to prevent unauthorized access and manipulation of security tools.
17 hours ago
Impact (CRITICAL)
CISA Highlights Critical Vulnerabilities in Lantronix and Ubiquiti Devices
On June 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation. These vulnerabilities include CVE-2025-67038 affecting Lantronix EDS5000 devices, and three critical issues in Ubiquiti UniFi OS: CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (improper input validation). These vulnerabilities are frequently exploited by malicious actors, posing significant risks to federal enterprises. ([cyberleveling.com](https://cyberleveling.com/blog/unifi-os-cve-2026-34908-34909-34910-critical?utm_source=openai))
The inclusion of these vulnerabilities in the KEV Catalog underscores the ongoing threat posed by unpatched systems. Organizations are urged to prioritize remediation efforts to mitigate potential exploits, especially given the critical nature of these vulnerabilities and their potential impact on network infrastructure.
20 hours ago
Impact (HIGH)
DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering
In June 2026, the U.S. Department of Justice seized a cloud computing account utilized by subsidiaries of Cambodia-based Huione Group. This infrastructure supported Huione Guarantee, a Telegram-based marketplace facilitating the laundering of billions in cryptocurrency obtained through investment frauds and cyber scams. The platform offered services such as money laundering, sale of stolen personal data, and tools for fraudulent activities, enabling the conversion of illicit proceeds into the legitimate banking system undetected. This action underscores the escalating global efforts to dismantle sophisticated cybercriminal networks exploiting digital platforms for large-scale financial crimes. The seizure highlights the critical need for robust cybersecurity measures and vigilant monitoring of online marketplaces to prevent the proliferation of such illicit activities.
20 hours ago