Daily Security Intel

June 27, 2026

[SecurityIntel] 27 Jun | Russian Hackers Target Signal Backup Recovery Keys

SECURITYINTEL DAILY BRIEF

■ ThreatIntel Brief

Saturday, June 27, 2026

INTEL CONFIDENCE: 70%
THREAT LEVEL: CRITICAL

THREAT OF THE DAY: Russian Hackers Target Signal Backup Recovery Keys (CRITICAL)

C2 IPs: 5  ·  OTX IOCs: 0  ·  ARTICLES: 27

■ ANALYST TLDR

Today's threat landscape is dominated by active exploitation of enterprise software, highlighted by CISA's urgent patching deadlines for Cisco Unified Communications Manager and PTC Windchill (CVE-2026-12569). Concurrently, state-sponsored actors are highly active; Russian intelligence is targeting Signal backup recovery keys and deploying the "StockStay" backdoor, while Chinese-speaking APTs deploy the new "TinyRCT" backdoor in Southeast Asia. Additionally, critical local privilege escalation vulnerabilities in the Linux kernel (CVE-2026-46331 and CVE-2026-43503) pose immediate risks of root compromise in multi-user environments.

■ CRITICAL STORIES

#1 [HIGH] Russian Intelligence Targets Signal Backup Keys

State-sponsored threat actors are using advanced social engineering to trick targets into handing over Signal Backup Recovery Keys, allowing attackers to bypass end-to-end encryption and access historical messages.

#2 [CRITICAL] CISA Adds PTC Windchill RCE (CVE-2026-12569) to KEV

Threat actors are actively exploiting a critical remote code execution vulnerability in PTC Windchill enterprise PDM/PLM software to deploy web shells, prompting CISA to mandate immediate patching.

#3 [CRITICAL] New Linux Kernel Flaws Enable Local Root Access

Two newly disclosed vulnerabilities, "pedit COW" (CVE-2026-46331) and "DirtyClone" (CVE-2026-43503), allow local unprivileged users to gain full root access on affected Linux systems by poisoning cached binaries or cloning packets.

#4 [HIGH] Polymarket Suffers $3M Supply-Chain Attack

Hackers compromised a third-party vendor to inject a malicious script into Polymarket's frontend, leading to the theft of $3 million from users' wallets.

■ CVEs IDENTIFIED

CVE-2026-12569 | Critical | PTC Windchill (PDMLink / FlexPLM) — Remote Code Execution (RCE) and web shell deployment
CVE-2026-46331 | High | Linux Kernel (act_pedit) — Local Privilege Escalation (LPE) to root via out-of-bounds write
CVE-2026-43503 | High | Linux Kernel (DirtyClone) — Local Privilege Escalation (LPE) to root via cloned packets
[CVE-TBD] | Critical | Cisco Unified Communications Manager Server — Actively exploited vulnerability prompting urgent CISA deadline

■ THREAT ACTORS

Russian Intelligence (APT) | Nation-State | Phishing and social engineering targeting Signal users to steal Backup Recovery Keys
Turla (Russian APT) | Nation-State | Deploying the new 'StockStay' backdoor against Ukrainian government and military targets
Chinese-Speaking APT | Nation-State | Deploying the new 'TinyRCT' backdoor against government and critical infrastructure in Southeast Asia

■ ATT&CK TTPs

T1566
Phishing | Russian actors targeting Signal users and malicious Chrome extension distribution
T1199
Trusted Relationship | Supply-chain injection targeting Polymarket's third-party vendor
T1068
Exploitation for Privilege Escalation | Exploiting CVE-2026-46331 and CVE-2026-43503 in the Linux kernel
T1190
Exploit Public-Facing Application | Active exploitation of PTC Windchill (CVE-2026-12569) and Cisco UCM
T1539
Steal Web Session Cookie | Malicious Chrome extension hijacking browser sessions
T1586
Compromise Accounts | Social engineering to harvest Signal Backup Recovery Keys

■ PATCH PRIORITY

[P3 PATCH NOW] ≤1 week | CRITICAL | Cisco Unified Communications Manager Server — Actively exploited in the wild with CISA-mandated urgent deadline — CISA / [BC]
[P3 PATCH NOW] ≤1 week | CRITICAL | PTC Windchill (PDMLink / FlexPLM) — CVE-2026-12569 is actively exploited to deploy web shells and added to KEV — CISA / [THN]
[P3 PATCH NOW] ≤1 week | HIGH | Linux Kernel — CVE-2026-46331 and CVE-2026-43503 allow local unprivileged users to gain root access — [THN]
[P3 PATCH NOW] ≤1 week | HIGH | Amazon Q Developer — Flaw allows malicious repositories to execute commands and steal cloud credentials — [THN]

■ RECOMMENDED ACTIONS TODAY

1. [P1] Patch Cisco Unified Communications Manager Server immediately to mitigate the actively exploited vulnerability before the CISA deadline.
2. [P1] Apply security updates for PTC Windchill (PDMLink and FlexPLM) to remediate CVE-2026-12569 and prevent web shell attacks.
3. [P1] Update Linux systems to patch kernel vulnerabilities CVE-2026-46331 (pedit COW) and CVE-2026-43503 (DirtyClone) to prevent local root exploitation.
4. [P2] Educate users on Signal security, emphasizing that Signal Backup Recovery Keys must never be shared with tech support or third parties.
5. [P2] Audit third-party frontend dependencies and implement Subresource Integrity (SRI) to protect against supply-chain injections like the Polymarket breach.

LIVE IOC FEED

C2 IP BLOCKLIST  ·  AbuseCH Feodo  ·  Showing 5 of 5


FULL IOC EXPORT — GOOGLE SHEET

All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs
Updated daily · Export as CSV to import directly into your tools


IOC SOURCES: AbuseCH Feodo  ·  AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB
