Daily Security Intel

Archives
Log in
Subscribe
June 30, 2026

[SecurityIntel] 30 Jun | Active Exploitation of Enterprise Oracle and SimpleHelp Flaws

SECURITYINTEL DAILY BRIEF

■ ThreatIntel Brief

Tuesday, June 30, 2026

INTEL CONFIDENCE  100%

THREAT LEVEL

CRITICAL

THREAT OF THE DAY

Active Exploitation of Enterprise Oracle and SimpleHelp Flaws

CRITICAL

5

C2 IPs

11

OTX IOCs

36

ARTICLES

■ ANALYST TLDR

Today's threat landscape is dominated by the active exploitation of critical enterprise software, including Oracle E-Business Suite (CVE-2026-46817) and SimpleHelp (CVE-2026-48558), the latter of which is delivering the new Djinn Stealer. Additionally, the ShinyHunters extortion group has targeted Oracle PeopleSoft instances using a zero-day vulnerability to breach Nissan and the NAIC. Meanwhile, nation-state actors like Russia's UNC5792/UNC4221 and China's Mustang Panda are actively targeting messaging apps and abusing cloud services like Zoho WorkDrive.

■ CRITICAL STORIES

HIGH#1

Nissan and NAIC Breached via Oracle PeopleSoft Zero-Day

The ShinyHunters extortion group successfully leveraged an Oracle PeopleSoft zero-day vulnerability to exfiltrate massive amounts of data from Nissan and the National Association of Insurance Commissioners (NAIC), highlighting critical risks to legacy enterprise HR and resource management platforms.

CRITICAL#2

Critical SimpleHelp Flaw Exploited to Deploy Djinn Stealer

Attackers are actively exploiting CVE-2026-48558, a critical vulnerability in the SimpleHelp remote support software, to drop a newly discovered cross-platform information stealer named Djinn Stealer on Windows, macOS, and Linux systems.

CRITICAL#3

Hackers Exploit Critical Oracle E-Business Suite Flaw in Wild

A critical vulnerability (CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application is being actively exploited by attackers, threatening the integrity of enterprise financial data and transaction systems.

HIGH#4

Indirect Prompt Injection Attacks Target Claude Code Developers

Researchers demonstrated a novel attack vector where malicious or compromised repositories use indirect prompt injection to hijack developer machines running Anthropic's Claude Code, spawning reverse shells.

■ CVEs IDENTIFIED

CVE-2026-48558

SimpleHelp — Remote Code Execution and Djinn Stealer deployment

Critical

CVE-2026-46817

Oracle E-Business Suite — Remote Code Execution / Financial database compromise

Critical

[CVE-TBD]

Oracle PeopleSoft — Zero-day vulnerability exploited for data exfiltration

Critical

[CVE-TBD]

Linux Kernel (DirtyClone) — Local privilege escalation to root

High

■ THREAT ACTORS

ShinyHunters

Cybercrime / Extortion

Exploited Oracle PeopleSoft zero-day to breach Nissan and NAIC, stealing terabytes of data.

Mustang Panda

APT (China)

Targeted Indian government and hydropower sectors using Zoho WorkDrive for C2.

UNC5792

APT (Russia)

Targeted US government, military, and allied personnel via WhatsApp and Signal social engineering.

■ ATT&CK TTPs

T1190
Exploit Public-Facing Application | Exploitation of Oracle EBS (CVE-2026-46817), SimpleHelp (CVE-2026-48558), and PeopleSoft zero-day.
T1176
Browser Extensions | Malicious Perplexity Chrome extension and 119 Edge extensions hiding malware.
T1102
Web Service | Mustang Panda abusing Zoho WorkDrive for C2.
T1027.003
Steganography | Edge extensions hiding malware payloads in images and fonts.
T1566.002
Spearphishing Link | Gamaredon and Russian actors targeting WhatsApp/Signal.
T1068
Exploitation for Privilege Escalation | 'DirtyClone' Linux kernel vulnerability leading to root access.

■ PATCH PRIORITY

[P1 PATCH NOW]≤24h

Oracle — E-Business Suite (CVE-2026-46817) — Active exploitation of critical financial application vulnerability — [BC] Hackers now exploit critical Oracle E-Business flaw in attacks

[P1 PATCH NOW]≤24h

SimpleHelp — SimpleHelp (CVE-2026-48558) — Critical remote support software flaw actively exploited to deploy Djinn Stealer — [BC] Critical SimpleHelp flaw exploited to deploy new stealer malware

[P1 PATCH NOW]≤24h

Oracle — PeopleSoft (CVE-TBD) — Zero-day exploited by ShinyHunters for massive data exfiltration — [BC] Nissan discloses employee data breach linked to Oracle zero-day attacks

[P2 PATCH NOW]≤72h

Linux — Linux Kernel (DirtyClone) — Local privilege escalation to root — [SW] ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access

■ RECOMMENDED ACTIONS TODAY

1[P1] Patch Oracle E-Business Suite immediately to resolve CVE-2026-46817 to prevent active exploitation of financial applications.
2[P1] Patch SimpleHelp instances immediately to resolve CVE-2026-48558 to block Djinn Stealer deployment.
3[P1] Audit and apply security updates for Oracle PeopleSoft systems to mitigate the zero-day exploited by ShinyHunters.
4[P2] Apply Linux kernel updates to mitigate the 'DirtyClone' local privilege escalation vulnerability.
5[P2] Audit enterprise Chrome and Edge environments for unauthorized or spoofed extensions (e.g., Perplexity AI impersonators).
LIVE IOC FEED

C2 IP BLOCKLIST  ·  AbuseCH Feodo  ·  Showing 5 of 5

IP ADDRESS

162.243.103.246

PORT

8080

STATUS

OFFLINE

MALWARE

Emotet

COUNTRY

US

IP ADDRESS

50.16.16.211

PORT

443

STATUS

ONLINE

MALWARE

QakBot

COUNTRY

US

IP ADDRESS

34.204.119.63

PORT

443

STATUS

OFFLINE

MALWARE

QakBot

COUNTRY

US

IP ADDRESS

178.62.3.223

PORT

443

STATUS

OFFLINE

MALWARE

QakBot

COUNTRY

GB

IP ADDRESS

27.133.154.218

PORT

443

STATUS

OFFLINE

MALWARE

QakBot

COUNTRY

JP

FULL IOC EXPORT — GOOGLE SHEET

All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs
Updated daily · Export as CSV to import directly into your tools

■  Open Full IOC Sheet  →

IOC SOURCES: AbuseCH Feodo  ·  AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB

Don't miss what's next. Subscribe to Daily Security Intel:
← Newer [SecurityIntel] 01 Jul | Zero-Day BlueHammer Exploded in Ransomware Attacks Older → [SecurityIntel] 29 Jun | KDDI Email System Data Breach
Powered by Buttondown, the easiest way to start and grow your newsletter.