SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief
Wednesday, June 03, 2026 | INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Android Zero-Day and WebLogic Flaws Actively Exploited | CRITICAL

5 C2 IPs | 40 OTX IOCs | 36 ARTICLES
■ ANALYST TLDR
Active exploitation of the Android Framework zero-day CVE-2025-48595 and Oracle WebLogic CVE-2024-21182 highlights the urgency of immediate patching. Additionally, threat actors are leveraging AI-built toolkits for automated EDR evasion and abusing Meta's AI support tools to hijack Instagram accounts. Supply chain risks have also escalated following a Red Hat software pipeline compromise that exposed over 32 packages.
■ CRITICAL STORIES
Android Update Patches Exploited Zero-Day CVE-2025-48595
Google's June 2026 update addresses an actively exploited zero-day in the Framework component, threatening billions of mobile devices.

Red Hat removes tainted packages after software pipeline compromise
A compromised GitHub account allowed attackers to inject malicious code into 32 Red Hat packages, downloaded roughly 117,000 times weekly, highlighting persistent open-source supply chain vulnerabilities.

Instagram users locked out after Meta AI abused to steal accounts
Attackers manipulated Meta's AI-powered support tools to bypass verification and hijack legitimate user accounts, demonstrating a novel social engineering vector.

Oracle WebLogic CVE-2024-21182 Added to CISA KEV Catalog
CISA has added a high-severity, unauthenticated remote code execution vulnerability in Oracle WebLogic Server to its KEV catalog following active exploitation in the wild.
■ CVEs IDENTIFIED
CVE-2026-8206 | Kirki WordPress Plugin | Privilege Escalation / Admin Account Hijack
CVE-2025-48595 | Google Android OS Framework | Zero-Day Arbitrary Code Execution
CVE-2024-21182 | Oracle WebLogic Server | Unauthenticated Remote Code Execution
[CVE-TBD] | HP VoIP Phones | Stack-based Buffer Overflow / Remote Code Execution
■ THREAT ACTORS
Exploiting WinRAR vulnerabilities to distribute GammaWorm and GammaSteel malware against Ukrainian targets.
SideCopy | Conducting spear-phishing campaigns targeting Afghanistan's Ministry of Finance to deliver Xeno RAT.
WeedHack Campaign Actors | Cybercrime | Distributing malware disguised as Minecraft modifications, infecting over 116,000 systems.
■ ATT&CK TTPs
T1190 | Exploit Public-Facing Application | Oracle WebLogic CVE-2024-21182 and Kirki CVE-2026-8206 exploitation.
T1204.002 | User Execution: Malicious File | Delivery of SVG files and WinRAR exploits.
T1195.002 | Supply Chain Compromise: Compromised Software Dependencies | Red Hat GitHub pipeline compromise and malicious npm packages.
T1566.001 | Phishing: Spearphishing Attachment | SideCopy using spear-phishing to deliver Xeno RAT.
T1562.001 | Impair Defenses: Disable or Modify Tools | AI-built ransomware toolkit automating EDR evasion.
T1110.001 | Brute Force: Password Guessing | Brute-force attacks against Dashlane user accounts.
■ PATCH PRIORITY
Google — Android OS Framework zero-day (CVE-2025-48595) actively exploited in the wild — SecurityWeek
Oracle — WebLogic Server (CVE-2024-21182) added to CISA KEV due to active exploitation — The Hacker News
Kirki — WordPress Plugin (CVE-2026-8206) critical privilege escalation exploited to hijack admin accounts — BleepingComputer
HP — VoIP Phones stack-based buffer overflow enabling remote code execution — SecurityWeek
■ RECOMMENDED ACTIONS TODAY
1. [P1] Patch Google Android devices immediately to address CVE-2025-48595 and the other 123 vulnerabilities in the June 2026 update.
2. [P1] Apply security updates to Oracle WebLogic Server to mitigate CVE-2024-21182, which is actively exploited in the wild.
3. [P1] Update the Kirki plugin for WordPress to the latest version to patch CVE-2026-8206 and prevent admin account hijacking.
4. [P2] Audit and update HP VoIP phone firmware to remediate the critical stack-based buffer overflow vulnerability.
5. [P2] Enforce multi-factor authentication (MFA) and monitor for credential stuffing attempts, particularly against password managers such as Dashlane.
C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB