SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief, Friday, June 26, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL
THREAT OF THE DAY: Zero-day exploits, critical patches, pervasive phishing | CRITICAL
5 C2 IPs | 124 OTX IOCs | 33 ARTICLES
■ ANALYST TLDR
Today's intelligence is dominated by active zero-day exploitation of Cisco Catalyst SD-WAN and in-the-wild exploitation of a previously disclosed Lantronix Serial-to-IP Converter flaw, alongside widespread phishing and malware campaigns. Threat actors are leveraging SIM-swapping, browser-in-the-middle techniques, and new macOS malware designed to evade AI-assisted analysis. Patching the critical issues listed below comes first; detection tuning and user awareness of the current social engineering lures follow.
■ CRITICAL STORIES
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
A high-severity zero-day vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20245) is being actively exploited to gain root access on affected devices, an immediate and severe risk to network infrastructure.

Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning
CVE-2025-67038 in Lantronix Serial-to-IP Converters, one of the flaws disclosed by the BRIDGE:BREAK research, is being exploited in attacks against operational technology (OT) environments.

Update Chrome to patch critical browser security flaws
Google has released a Chrome update addressing 18 vulnerabilities, including four critical flaws (among them WebGL bugs) that could lead to remote code execution and sandbox escape. Update immediately.

Poland busts SIM-swapping gang tied to millions in crypto theft
Polish authorities have disrupted an organized cybercrime group that combined SIM-swapping, email account hijacking, and breaches of telecommunications partners to steal cryptocurrency. The case shows that personal and financial accounts remain exposed through social engineering and through compromise of the third parties that hold the keys to them.
■ CVEs IDENTIFIED
CVE | PRODUCT | IMPACT
CVE-2025-67038 | Lantronix Serial-to-IP Converter | Exploited in attacks
CVE-2026-20245 | Cisco Catalyst SD-WAN | Root access (zero-day, exploited)
[CVE-TBD] | GitLab CE/EE | Code execution, information disclosure
[CVE-TBD] | Google Chrome | Remote code execution, sandbox escape
■ THREAT ACTORS
ACTOR | TYPE | ACTIVITY
Organized cybercrime group | Cybercrime | SIM-swapping, crypto theft, email hijacking
Unnamed actor | | Targeting SE Asian governments and critical infrastructure
Iranian hacker group Handala | Nation-state/Hacktivist | Cyberattack against Cal Water (OT systems not breached)
■ ATT&CK TTPs
ID | TECHNIQUE | OBSERVED ACTIVITY
T1199 | Trusted Relationship | Breaching telecommunications partners
T1586.002 | Compromise Accounts: Email Accounts | Hijacking email accounts
T1111 | Multi-Factor Authentication Interception | SIM-swapping attacks
T1566.001 | Phishing: Spearphishing Attachment | Photo-themed ZIPs, fake job offers, fake domain renewal emails
T1204.002 | User Execution: Malicious File | Fake image shortcut files
T1059.007 | Command and Scripting Interpreter: JavaScript | Node.js implant, Chrome extension script injection
■ PATCH PRIORITY
Cisco Catalyst SD-WAN | zero-day exploited for root access (CVE-2026-20245) | [THN]
Lantronix Serial-to-IP Converter | exploited vulnerability (CVE-2025-67038) | [SW]
Google Chrome | critical RCE, sandbox escape | [MWB]
GitLab CE/EE | code execution, information disclosure | [SW]
■ RECOMMENDED ACTIONS TODAY
1. [P1] Immediately patch Cisco Catalyst SD-WAN devices against CVE-2026-20245, which is being actively exploited for root access, and check devices that were exposed before patching for signs of compromise: the patch closes the hole but does not evict an attacker who already has root.
2. [P1] Patch Lantronix Serial-to-IP Converters against CVE-2025-67038; it is being exploited in the wild, particularly in OT environments.
3. [P1] Update all Google Chrome installations to the latest version (149 or newer) to remediate 18 vulnerabilities, including critical RCE flaws and potential sandbox escapes.
4. [P2] Review and apply available GitLab CE/EE updates to address the high-severity code execution and information disclosure vulnerabilities.
5. [P2] Tune email and endpoint controls to detect and block photo-themed ZIP archives and fake image shortcut files used to deliver Node.js implants, and block known malicious Chrome extensions such as "Adblock for YouTube".
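One concrete form of the attachment check in action 5: inspect ZIP attachments for Windows shortcut (.lnk) files posing as photos. This is an added example written for this brief, not a vendor detection or code from any of the cited sources; the image-extension list, the whitespace-padding threshold and the sample archive are the author's assumptions. It identifies shortcuts by their fixed ShellLink header rather than by name, so a renamed .lnk is still caught, and then records which disguise tricks the file name uses.

```python
"""Flag ZIP attachments carrying Windows shortcut (.lnk) files disguised as
photos. Added example for this brief; the name heuristics are assumptions."""
import io
import re
import zipfile

# Every .lnk (ShellLink) file starts with HeaderSize 0x0000004C followed by the
# fixed LinkCLSID {00021401-0000-0000-C000-000000000046} (MS-SHLLINK 2.1).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000" "c000000000000046")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".heic", ".webp", ".bmp")


def looks_like_image(stem):
    """True when the part before the final extension itself ends in an image
    extension, as in 'IMG_2032.jpg' taken from 'IMG_2032.jpg.lnk'."""
    return stem.rstrip().lower().endswith(IMAGE_EXTS)


def scan_zip(zip_bytes):
    """Return [(entry_name, reasons)] for every entry whose bytes are a
    ShellLink file, together with the disguise tricks seen on its name.
    Content is checked first so a renamed shortcut is caught whatever it is
    called; the name checks only add detail for the analyst."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head != LNK_MAGIC:
                continue
            reasons = ["ShellLink header"]
            base = info.filename.rsplit("/", 1)[-1]
            stem, _, ext = base.rpartition(".")
            if ext.lower() != "lnk":
                reasons.append("shortcut content under a non-.lnk extension")
            if looks_like_image(stem):
                reasons.append("image double extension")
            if re.search(r"\s{5,}\.lnk$", base, re.IGNORECASE):
                # a long run of spaces pushes '.lnk' out of view in Explorer
                reasons.append("whitespace padding before .lnk")
            findings.append((info.filename, reasons))
    return findings


def verdict(zip_bytes):
    """Gateway decision: any shortcut inside a photo archive blocks it."""
    return "BLOCK" if scan_zip(zip_bytes) else "ALLOW"


def build_sample_zip(include_shortcuts=True):
    """Constructed archive (not a real sample) modelled on the photo-themed
    lure: two harmless files and, optionally, two disguised shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Holiday_Photos/IMG_2031.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG SOI
        zf.writestr("Holiday_Photos/readme.txt", b"see attached photos\n")
        if include_shortcuts:
            zf.writestr("Holiday_Photos/IMG_2032.jpg.lnk", LNK_MAGIC + b"\x00" * 64)
            zf.writestr("Holiday_Photos/IMG_2033.jpg" + " " * 24 + ".lnk", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, reasons in scan_zip(sample):
        print(f"{name!r}: {', '.join(reasons)}")
    print(verdict(sample))
```

Run it at the mail gateway or as a sandbox pre-filter on any archive whose name or entries suggest photos; nested archives and password-protected ZIPs (which this code cannot open) need their own handling.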
C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP
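To turn the blocklist above into a detection rather than a reading exercise, the following added example (written for this brief, not code from abuse.ch or any cited source) parses the five rows as laid out here, including the labelled "IP ADDRESS x | PORT y | ..." variant, and runs them over firewall-style connection logs. The log format and the log lines are constructed for the example. Two practitioner points are built in: a destination that matches on IP and port is a stronger hit than IP alone, and an OFFLINE C2 is still worth matching, because a host that talked to it was infected at the time even if the server is gone.

```python
"""Match connection logs against the brief's C2 IP blocklist. Added example;
the key=value log format and the sample lines are constructed."""
import ipaddress
import re

# The five C2 rows from this brief, in its pipe layout.
BLOCKLIST_TEXT = """\
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP
"""

# Accepts both the bare row and the labelled "IP ADDRESS x | PORT y | ..." form.
ROW = re.compile(
    r"(?:IP ADDRESS\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*"
    r"(?:PORT\s+)?(?P<port>\d+)\s*\|\s*"
    r"(?:STATUS\s+)?(?P<status>\w+)\s*\|\s*"
    r"(?:MALWARE\s+)?(?P<malware>\S+)\s*\|\s*"
    r"(?:COUNTRY\s+)?(?P<country>[A-Z]{2})"
)

# Constructed firewall-style log line (assumption): timestamp then key=value fields.
LOG = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Constructed sample logs: two internal hosts, one benign destination
# (203.0.113.10 is RFC 5737 documentation space), one unparseable line.
SAMPLE_LOGS = [
    "2026-06-26T09:14:02Z src=10.20.4.17 dst=50.16.16.211 dport=443 proto=tcp action=allow",
    "2026-06-26T09:15:11Z src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2026-06-25T22:03:48Z src=10.20.7.91 dst=162.243.103.246 dport=8080 proto=tcp action=allow",
    "2026-06-25T22:04:01Z src=10.20.7.91 dst=178.62.3.223 dport=8443 proto=tcp action=allow",
    "corrupt line that the matcher must skip rather than crash on",
]


def parse_blocklist(text):
    """Return {ip: {port, status, malware, country}} from the brief's rows."""
    entries = {}
    for m in ROW.finditer(text):
        ipaddress.ip_address(m["ip"])  # reject a malformed indicator early
        entries[m["ip"]] = {
            "port": int(m["port"]), "status": m["status"],
            "malware": m["malware"], "country": m["country"],
        }
    return entries


def match_logs(log_lines, blocklist):
    """Return one hit dict per log line whose destination is a listed C2."""
    hits = []
    for line in log_lines:
        m = LOG.match(line)
        if not m:
            continue  # unparseable line: skip it, keep processing
        entry = blocklist.get(m["dst"])
        if entry is None:
            continue
        dport = int(m["dport"])
        hits.append({
            "ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport,
            "malware": entry["malware"], "c2_status": entry["status"],
            # IP+port is a strong match; IP alone is weaker (shared or reassigned hosts)
            "confidence": "high" if dport == entry["port"] else "medium",
            # a live C2 means contain the host now; a dead one still marks past beaconing
            "action": "contain" if entry["status"] == "ONLINE" else "retro-hunt",
        })
    return hits


def hosts_to_investigate(hits):
    """Distinct internal sources that reached any listed C2."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for h in match_logs(SAMPLE_LOGS, bl):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} "
              f"{h['malware']} ({h['c2_status']}) {h['confidence']} {h['action']}")
```

Swap SAMPLE_LOGS for a real export of the last 30 days of egress logs; the retro-hunt matches are what the OFFLINE rows are for.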
FULL IOC EXPORT (GOOGLE SHEET): All live IOCs with full SHA256 hashes (OTX), IPs, and domains, in two tabs (C2 IPs, OTX IOCs). Updated daily; export as CSV to import directly into your tools.
IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB