SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief · Saturday, June 27, 2026 · INTEL CONFIDENCE 70% | THREAT LEVEL CRITICAL
THREAT OF THE DAY | Russian Hackers Target Signal Backup Recovery Keys | CRITICAL
5 C2 IPs | 0 OTX IOCs | 27 ARTICLES
■ ANALYST TLDR
Today's threat landscape is dominated by active exploitation of enterprise software, highlighted by CISA's urgent patching deadlines for Cisco Unified Communications Manager and PTC Windchill (CVE-2026-12569). State-sponsored actors are highly active at the same time: Russian intelligence is social-engineering Signal users out of their backup recovery keys and deploying the "StockStay" backdoor, while Chinese-speaking APTs are deploying the new "TinyRCT" backdoor in Southeast Asia. Two critical local privilege escalation vulnerabilities in the Linux kernel (CVE-2026-46331 and CVE-2026-43503) give any unprivileged local user a path to root, which makes them an immediate risk on multi-user, CI and shared-tenant hosts.
■ CRITICAL STORIES
Russian Intelligence Targets Signal Backup Keys: State-sponsored threat actors are using social engineering to trick targets into handing over their Signal Backup Recovery Key. The key decrypts the encrypted backup, so anyone holding it can restore the backup and read the target's message history. Signal's end-to-end encryption is not broken; it is bypassed by obtaining the one secret that protects the stored copy of the messages.
CISA Adds PTC Windchill RCE (CVE-2026-12569) to KEV: Threat actors are actively exploiting a critical remote code execution vulnerability in PTC Windchill enterprise PDM/PLM software to deploy web shells. CISA has added it to the Known Exploited Vulnerabilities catalog and mandated patching by a fixed deadline.
New Linux Kernel Flaws Enable Local Root Access: Two newly disclosed vulnerabilities, "pedit COW" (CVE-2026-46331) and "DirtyClone" (CVE-2026-43503), allow a local unprivileged user to gain full root on affected systems, reportedly by overwriting cached copies of privileged binaries or by abusing cloned packets.
Polymarket Suffers $3M Supply-Chain Attack: Attackers compromised a third-party vendor and used that access to inject a malicious script into Polymarket's frontend, draining $3 million from users' wallets. The site's own code was never touched; the trusted vendor's script did the work.
■ CVEs IDENTIFIED
CVE-2026-12569 | PTC Windchill (PDMLink / FlexPLM) | Remote Code Execution (RCE) leading to web shell deployment
CVE-2026-46331 | Linux Kernel (act_pedit) | Local Privilege Escalation (LPE) to root via out-of-bounds write
CVE-2026-43503 | Linux Kernel (DirtyClone) | Local Privilege Escalation (LPE) to root via cloned packets
[CVE-TBD] | Cisco Unified Communications Manager Server | Actively exploited vulnerability prompting urgent CISA deadline
■ THREAT ACTORS
Russian Intelligence (APT) | Nation-State | Phishing and social engineering targeting Signal users to steal Backup Recovery Keys
Turla (Russian APT) | Nation-State | Deploying the new 'StockStay' backdoor against Ukrainian government and military targets
Chinese-Speaking APT | Nation-State | Deploying the new 'TinyRCT' backdoor against government and critical infrastructure in Southeast Asia
■ ATT&CK TTPs
T1566 | Phishing | Russian actors targeting Signal users; malicious Chrome extension distribution
T1199 | Trusted Relationship | Supply-chain injection through Polymarket's third-party vendor
T1068 | Exploitation for Privilege Escalation | Exploiting CVE-2026-46331 and CVE-2026-43503 in the Linux kernel
T1190 | Exploit Public-Facing Application | Active exploitation of PTC Windchill (CVE-2026-12569) and Cisco UCM
T1539 | Steal Web Session Cookie | Malicious Chrome extension hijacking browser sessions
T1586 | Compromise Accounts | Social engineering to harvest Signal Backup Recovery Keys
■ PATCH PRIORITY
CRITICAL | Cisco Unified Communications Manager Server | Actively exploited in the wild with a CISA-mandated urgent deadline | CISA / [BC]
CRITICAL | PTC Windchill (PDMLink / FlexPLM) | CVE-2026-12569 is actively exploited to deploy web shells and has been added to KEV | CISA / [THN]
HIGH | Linux Kernel | CVE-2026-46331 and CVE-2026-43503 let local unprivileged users gain root; treat as CRITICAL on hosts where untrusted users or CI jobs share a kernel | [THN]
HIGH | Amazon Q Developer | Flaw lets a malicious repository execute commands on the developer's machine and steal cloud credentials | [THN]
■ RECOMMENDED ACTIONS TODAY
1. [P1] Patch Cisco Unified Communications Manager Server immediately to close the actively exploited vulnerability before the CISA deadline.
2. [P1] Apply the PTC Windchill (PDMLink and FlexPLM) updates for CVE-2026-12569, then hunt for web shells already dropped on internet-exposed instances; patching closes the entry point but does not remove an implant that is already there.
3. [P1] Update Linux kernels for CVE-2026-46331 (pedit COW) and CVE-2026-43503 (DirtyClone). Both are local privilege escalations, so prioritize hosts where untrusted users, containers or CI jobs get local code execution.
4. [P2] Tell users that the Signal Backup Recovery Key is the only thing protecting their backed-up message history: it must never be shared with anyone, including callers or messages claiming to be Signal support or any other tech support.
5. [P2] Audit third-party frontend dependencies and add Subresource Integrity (SRI) attributes to externally hosted scripts and stylesheets, pinned to specific versions, to stop injections like the Polymarket breach. SRI only covers resources that carry an integrity attribute, so back it with a Content-Security-Policy script-src allowlist and self-host anything the vendor expects to change in place.
■ C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS 162.243.103.246 | PORT 8080 | STATUS OFFLINE | MALWARE Emotet | COUNTRY US
IP ADDRESS 50.16.16.211 | PORT 443 | STATUS ONLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 34.204.119.63 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 178.62.3.223 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY GB
IP ADDRESS 27.133.154.218 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY JP
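One way to put the rows above to work before the CSV export is wired into a SIEM, as an added example that is not the brief's own tooling: parse the blocklist in the exact row format printed here, then match outbound connections against it. The blocklist rows are the five Feodo entries shown above; the connection log lines and the internal addresses are constructed for illustration.

```python
"""Parse the brief's C2 blocklist rows and match them against connection logs.

Added example, not the brief's own tooling. The five blocklist rows are the
AbuseCH Feodo entries printed in the brief; the connection log lines are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

BLOCKLIST_TEXT = """\
IP ADDRESS 162.243.103.246 | PORT 8080 | STATUS OFFLINE | MALWARE Emotet | COUNTRY US
IP ADDRESS 50.16.16.211 | PORT 443 | STATUS ONLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 34.204.119.63 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 178.62.3.223 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY GB
IP ADDRESS 27.133.154.218 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY JP
"""

# Constructed firewall-style log lines: timestamp, protocol, src:port -> dst:port.
SAMPLE_LOG = """\
2026-06-27T08:14:03Z tcp 10.0.5.21:51322 -> 8.8.8.8:53
2026-06-27T08:14:09Z tcp 10.0.5.21:51330 -> 50.16.16.211:443
2026-06-27T08:15:41Z tcp 10.0.7.4:40012 -> 162.243.103.246:8443
2026-06-27T08:16:02Z tcp 10.0.7.4:40020 -> 198.51.100.7:443
"""


@dataclass(frozen=True)
class C2Entry:
    ip: str
    port: int
    status: str
    malware: str
    country: str


def parse_blocklist(text: str) -> dict[str, C2Entry]:
    """Turn 'IP ADDRESS x | PORT y | ...' rows into a dict keyed by IP."""
    entries: dict[str, C2Entry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split("|"):
            # each cell is 'LABEL value'; the value is the last whitespace token
            label, _, value = part.strip().rpartition(" ")
            fields[label.strip()] = value.strip()
        ip = str(ipaddress.ip_address(fields["IP ADDRESS"]))  # raises on junk
        entries[ip] = C2Entry(ip, int(fields["PORT"]), fields["STATUS"],
                              fields["MALWARE"], fields["COUNTRY"])
    return entries


CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def match_connections(log_text: str, blocklist: dict[str, C2Entry]) -> list[dict]:
    """Return one hit per log line whose destination IP is on the blocklist.

    Matching is on IP only: C2 infrastructure is routinely reused on other
    ports, so a port mismatch is reported rather than used to suppress the hit.
    """
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        entry = blocklist.get(m["dst"])
        if entry is None:
            continue
        dport = int(m["dport"])
        on_listed_port = dport == entry.port
        hits.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": entry.ip,
            "dport": dport,
            "malware": entry.malware,
            "port_match": on_listed_port,
            # OFFLINE entries are lower confidence: the address may have been
            # recycled since the tracker last saw it answering.
            "confidence": "high" if entry.status == "ONLINE" and on_listed_port else "medium",
        })
    return hits


def demo() -> list[dict]:
    return match_connections(SAMPLE_LOG, parse_blocklist(BLOCKLIST_TEXT))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Four of the five entries are marked OFFLINE, and several sit in cloud-provider ranges that get reassigned, so a hit on an OFFLINE entry is a lead to triage, not proof of an infection; a hit on the ONLINE QakBot address on its listed port is the one to escalate first.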
■ FULL IOC EXPORT · GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily; export as CSV to import directly into your tools.
IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB