SECURITYINTEL DAILY BRIEF

■ ThreatIntel Brief · Tuesday, June 30, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Active Exploitation of Enterprise Oracle and SimpleHelp Flaws | CRITICAL

5 C2 IPs | 11 OTX IOCs | 36 ARTICLES

■ ANALYST TLDR

Today's threat landscape is dominated by the active exploitation of critical enterprise software: Oracle E-Business Suite (CVE-2026-46817) and SimpleHelp (CVE-2026-48558), the latter being used to deliver the new cross-platform Djinn Stealer. In addition, the ShinyHunters extortion group used an Oracle PeopleSoft zero-day to breach Nissan and the NAIC. Meanwhile, nation-state actors, including Russia's UNC5792/UNC4221 and China's Mustang Panda, are targeting messaging apps and abusing cloud services such as Zoho WorkDrive for command and control.

■ CRITICAL STORIES

Nissan and NAIC Breached via Oracle PeopleSoft Zero-Day
The ShinyHunters extortion group leveraged an Oracle PeopleSoft zero-day vulnerability to exfiltrate massive amounts of data from Nissan and the National Association of Insurance Commissioners (NAIC), highlighting the risk carried by legacy enterprise HR and resource management platforms.

Critical SimpleHelp Flaw Exploited to Deploy Djinn Stealer
Attackers are actively exploiting CVE-2026-48558, a critical vulnerability in the SimpleHelp remote support software, to drop a newly discovered cross-platform information stealer, Djinn Stealer, on Windows, macOS, and Linux systems.

Hackers Exploit Critical Oracle E-Business Suite Flaw in the Wild
A critical vulnerability (CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application is being actively exploited, threatening the integrity of enterprise financial data and transaction systems.

Indirect Prompt Injection Attacks Target Claude Code Developers
Researchers demonstrated a novel attack vector in which malicious or compromised repositories use indirect prompt injection to hijack developer machines running Anthropic's Claude Code, spawning reverse shells.

■ CVEs IDENTIFIED

| CVE | Product | Impact |
| CVE-2026-48558 | SimpleHelp | Remote Code Execution and Djinn Stealer deployment |
| CVE-2026-46817 | Oracle E-Business Suite | Remote Code Execution / financial database compromise |
| [CVE-TBD] | Oracle PeopleSoft | Zero-day vulnerability exploited for data exfiltration |
| [CVE-TBD] | Linux Kernel (DirtyClone) | Local privilege escalation to root |

■ THREAT ACTORS

ShinyHunters | Cybercrime / Extortion
Exploited Oracle PeopleSoft zero-day to breach Nissan and NAIC, stealing terabytes of data.

Mustang Panda | Nation-State (China)
Targeted Indian government and hydropower sectors using Zoho WorkDrive for C2.

UNC5792 / UNC4221 | Nation-State (Russia)
Targeted US government, military, and allied personnel via WhatsApp and Signal social engineering.

■ ATT&CK TTPs

| Technique | Name | Observed Activity |
| T1190 | Exploit Public-Facing Application | Exploitation of Oracle EBS (CVE-2026-46817), SimpleHelp (CVE-2026-48558), and the PeopleSoft zero-day. |
| T1176 | Browser Extensions | Malicious Perplexity Chrome extension and 119 Edge extensions hiding malware. |
| T1102 | Web Service | Mustang Panda abusing Zoho WorkDrive for C2. |
| T1027.003 | Steganography | Edge extensions hiding malware payloads in images and fonts. |
| T1566.002 | Spearphishing Link | Gamaredon and Russian actors targeting WhatsApp/Signal. |
| T1068 | Exploitation for Privilege Escalation | 'DirtyClone' Linux kernel vulnerability leading to root access. |

■ PATCH PRIORITY

| Vendor | Product | Reason | Source Headline |
| Oracle | E-Business Suite (CVE-2026-46817) | Active exploitation of critical financial application vulnerability | [BC] Hackers now exploit critical Oracle E-Business flaw in attacks |
| SimpleHelp | SimpleHelp (CVE-2026-48558) | Critical remote support software flaw actively exploited to deploy Djinn Stealer | [BC] Critical SimpleHelp flaw exploited to deploy new stealer malware |
| Oracle | PeopleSoft (CVE-TBD) | Zero-day exploited by ShinyHunters for massive data exfiltration | [BC] Nissan discloses employee data breach linked to Oracle zero-day attacks |
| Linux | Linux Kernel (DirtyClone) | Local privilege escalation to root | [SW] 'DirtyClone' Linux Kernel Vulnerability Leads to Root Access |

■ RECOMMENDED ACTIONS TODAY

1. [P1] Patch Oracle E-Business Suite immediately for CVE-2026-46817, which is under active exploitation against financial applications.
2. [P1] Patch SimpleHelp instances immediately for CVE-2026-48558 to block Djinn Stealer deployment.
3. [P1] Audit Oracle PeopleSoft systems and apply available security updates to mitigate the zero-day exploited by ShinyHunters.
4. [P2] Apply Linux kernel updates to mitigate the 'DirtyClone' local privilege escalation vulnerability.
5. [P2] Audit enterprise Chrome and Edge environments for unauthorized or spoofed extensions (e.g., Perplexity AI impersonators).

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5

| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |

FULL IOC EXPORT — GOOGLE SHEET: All live IOCs with full SHA256 hashes (OTX), IPs, and domains, in two tabs (C2 IPs · OTX IOCs). Updated daily; export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB