Daily Security Intel

Archives
Log in
Subscribe
June 28, 2026

[SecurityIntel] 28 Jun | AI Agents Execute Hidden Malware

SECURITYINTEL DAILY BRIEF

■ ThreatIntel Brief

Sunday, June 28, 2026

INTEL CONFIDENCE  64%

THREAT LEVEL

CRITICAL

THREAT OF THE DAY

AI Agents Execute Hidden Malware

CRITICAL

5

C2 IPs

0

OTX IOCs

4

ARTICLES

■ ANALYST TLDR

Russian intelligence services are actively targeting government officials with spearphishing campaigns to steal messaging credentials. Simultaneously, novel techniques are emerging where AI coding agents can be tricked into executing malware from seemingly benign GitHub repositories. Additionally, a Chinese framework is being leveraged to power a vast network of investment scam sites.

■ CRITICAL STORIES

CRITICAL#1

CRITICAL | Clean GitHub repo tricks AI coding agents into running malware

This highlights a significant new attack vector targeting AI development and automation, where malicious payloads can bypass conventional security and human review.

HIGH#2

HIGH | Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

A sophisticated, long-running state-sponsored campaign targeting government officials underscores the persistent threat of credential theft and espionage.

INFO#3

MEDIUM | Chinese Framework Powers 200,000 Scam Sites

The widespread use of a legitimate development toolkit for creating investment scam sites indicates a scalable and effective method for financial fraud.

■ CVEs IDENTIFIED

[CVE-TBD]

Messaging accounts (general) — Credential theft via spearphishing

HIGH

[CVE-TBD]

GitHub / AI coding agents — Malware execution via compromised repository

CRITICAL

[CVE-TBD]

DCloud Uni-App toolkit — Facilitating widespread investment scam sites

MEDIUM

■ THREAT ACTORS

Russian intelligence services

State-Sponsored

Orchestrating spearphishing campaigns to steal messaging credentials.

Threat actors

Cybercrime

Selling investment scam templates and operating scam sites.

■ ATT&CK TTPs

T1566.002
Phishing: Spearphishing via SMS | Russian intelligence using fake support texts.
T1539
Steal Web Session Cookie | Implied goal of credential theft from messaging accounts.
T1195
Supply Chain Compromise | Malicious GitHub repo tricking AI coding agents.
T1027
Obfuscated Files or Information | Malicious payload invisible to scanners and reviewers.
T1059
Command and Scripting Interpreter | AI coding agents executing malicious payloads.
T1566
Phishing | Investment scam sites created using DCloud Uni-App toolkit.

■ PATCH PRIORITY

[P3 PATCH NOW]≤1 week

CRITICAL | AI Coding Agents — Vulnerability to malware execution from seemingly benign GitHub repositories — BC

[P3 PATCH NOW]≤1 week

HIGH | Messaging Accounts — Susceptibility to credential theft via Russian intelligence spearphishing — THN

■ RECOMMENDED ACTIONS TODAY

1[P1] Implement robust security scanning and sandboxing for AI coding agents to detect obfuscated malicious payloads from GitHub repositories.
2[P1] Conduct immediate and ongoing security awareness training for all government personnel, focusing on identifying sophisticated spearphishing attempts targeting messaging credentials.
3[P2] Enhance monitoring of GitHub repositories and other code sources for suspicious activity, especially when integrated with automated AI development workflows.
4[P2] Deploy and update email and web filtering solutions to block known malicious domains and IP addresses associated with investment scam sites.
5[P3] Review and strengthen access controls and multi-factor authentication for all critical messaging accounts, particularly for high-value targets.
LIVE IOC FEED

C2 IP BLOCKLIST  ·  AbuseCH Feodo  ·  Showing 5 of 5

IP ADDRESS

162.243.103.246

PORT

8080

STATUS

OFFLINE

MALWARE

Emotet

COUNTRY

US

IP ADDRESS

50.16.16.211

PORT

443

STATUS

ONLINE

MALWARE

QakBot

COUNTRY

US

IP ADDRESS

34.204.119.63

PORT

443

STATUS

OFFLINE

MALWARE

QakBot

COUNTRY

US

IP ADDRESS

178.62.3.223

PORT

443

STATUS

OFFLINE

MALWARE

QakBot

COUNTRY

GB

IP ADDRESS

27.133.154.218

PORT

443

STATUS

OFFLINE

MALWARE

QakBot

COUNTRY

JP

FULL IOC EXPORT — GOOGLE SHEET

All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs
Updated daily · Export as CSV to import directly into your tools

■  Open Full IOC Sheet  →

IOC SOURCES: AbuseCH Feodo  ·  AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB

Don't miss what's next. Subscribe to Daily Security Intel:
← Newer [SecurityIntel] 29 Jun | KDDI Email System Data Breach Older → [SecurityIntel] 27 Jun | Russian Hackers Target Signal Backup Recovery Keys
Powered by Buttondown, the easiest way to start and grow your newsletter.