Cybersecurity Weekly Briefing, 13-19 June

June 19, 2026

Microsoft is preparing a patch for RoguePlanet, a Defender 0-day vulnerability with a public proof-of-concept

Microsoft has acknowledged CVE-2026-50656 (CVSSv3 7.8, according to the vendor), known as RoguePlanet, a privilege escalation vulnerability affecting the Microsoft Malware Protection Engine, a component used by Microsoft Defender. The flaw is based on a race condition and allows an attacker who already has the ability to execute local code to gain SYSTEM privileges and open a console with the highest level of system permissions.

According to the researcher Nightmare Eclipse, the exploit affects fully up-to-date Windows 10 and Windows 11 devices and can work even when Defender’s real-time protection is enabled. The researcher has published a proof-of-concept (PoC), although its success rate varies depending on the system and execution conditions. Microsoft has confirmed that it is investigating the vulnerability and developing a security update, but has not yet released the patch or provided an expected release date.

No active exploitation has been confirmed, although the existence of publicly available code increases the risk of abuse.


Dropping Elephant updates its RAT with in-memory execution and evasion of AMSI, WLDP and ETW

Rapid7 has attributed a new infection chain to Dropping Elephant. It uses an LNK shortcut disguised as a PDF document, with a contract relating to a Chinese energy project as the decoy. When the file is opened, the shortcut executes PowerShell via conhost.exe, downloads the legitimate document and drops several malicious components into C:\Users\Public\.

These include Fondue.exe, a legitimate Microsoft binary, and an APPWIZ.cpl library used for DLL side-loading. The loader decrypts a file named editor.dat, which contains Donut code responsible for mapping the final RAT directly into memory. Before executing it, Donut modifies AMSI, WLDP and ETW within the process to reduce defensive inspection and telemetry.

Persistence is established via a scheduled task called GoogleErrorReport, which runs every minute. The RAT allows the execution of commands, the capture of screenshots, the enumeration of files, the downloading of additional payloads and the exfiltration of information via an HTTPS channel.
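The two persistence signals in this chain (a task that repeats every minute and an action that runs from the user-writable C:\Users\Public\) are easy to audit from exported Task Scheduler XML. The script below is an added example, not Rapid7's code; the two task definitions are constructed in the real Task Scheduler export schema and the 60-second threshold is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# C:\Users\Public is where the briefing says the chain drops its components
WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed task definitions in the Task Scheduler export schema (not real samples)
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleErrorReport</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2026-06-10T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>"C:\Users\Public\Fondue.exe"</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Example\DailyCleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2026-06-10T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

def iso_duration_seconds(value):
    # Task Scheduler expresses repetition intervals as ISO 8601 durations, e.g. PT1M
    m = DURATION.match((value or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def assess_task(xml_text, max_interval=60):
    """Return (task URI, list of findings) for one exported task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= max_interval:
            findings.append(f"repeats every {secs}s")
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip()
        if raw.strip('"').lower().startswith(WRITABLE_PREFIXES):
            findings.append(f"executes from user-writable path {raw}")
    return uri, findings

if __name__ == "__main__":
    for task in (SUSPICIOUS_TASK, BENIGN_TASK):
        uri, findings = assess_task(task)
        print(uri, findings or "no findings")
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task; a name such as GoogleErrorReport alone proves little, which is why the check keys on the trigger interval and the action path instead.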


Backdoor.Turn: the first malware to hide C2 traffic within Teams’ TURN infrastructure

Symantec researchers have documented a DragonForce campaign in which a custom Go-based backdoor called Backdoor.Turn was used against a large US services company. The core technique is unprecedented in real-world environments: the malware obtains an anonymous Teams visitor token and establishes communication with its C2 server via Microsoft’s TURN relays, so that defenders observe only traffic attributable to the legitimate Teams infrastructure.

The attack, detected in December 2025, also involved BYOVD techniques using at least four vulnerable drivers (Huawei, Topaz, Tower of Fantasy and K7 Security) to gain kernel privileges and disable security tools, as well as the use of the malicious ABYSSWORKER driver disguised as a Palo Alto driver.

Following reconnaissance, data exfiltration and the deployment of ransomware, Backdoor.Turn was injected into DbgView64.exe, apparently as a persistence mechanism for future access. Its capabilities include command execution, network scanning, TLS certificate capture, LDAP/Active Directory queries and the theft of browser credentials.


The Chinese actor UNC6508 compromises medical and defence institutions with the INFINITERED malware

The Google Threat Intelligence Group (GTIG) has published a report in which it attributes, with a high degree of confidence, a long-running espionage campaign to the actor UNC6508, linked to the People’s Republic of China. The group exploited REDCap servers (a medical research data capture platform widely deployed in North America) to deploy the customised INFINITERED malware, which operates as a modular Trojan with three components: an update interceptor, a credential harvester and a backdoor with C2.

The most striking feature is INFINITERED’s ability to inject itself into REDCap’s own update packages, ensuring persistence even after legitimate software patches. After remaining undetected for over a year, UNC6508 pivoted to domain administrator accounts and abused content compliance rules on cloud-based enterprise productivity platforms to covertly exfiltrate emails via silent BCC forwarding to a Gmail account controlled by the attacker, a technique not previously observed in Chinese-linked actors. Target organisations include leading clinical centres, military health institutions, research universities and regulatory bodies with combined budgets running into the billions of dollars.

GTIG recommends updating REDCap to the latest version and phasing out legacy versions, enabling phishing-resistant two-factor authentication for administrators, and auditing content compliance rules for unauthorised modifications.


Cisco patches the CVE-2026-20262 0-day in Catalyst SD-WAN Manager, which is currently being actively exploited

Cisco has released security updates for CVE-2026-20262 (CVSSv3 6.5 according to the vendor), a vulnerability in Catalyst SD-WAN Manager (formerly known as SD-WAN vManage) that was actively exploited prior to the patch being made available. The flaw stems from insufficient validation of user input during file uploads: an authenticated remote attacker with low privileges can send crafted HTTP requests to an API endpoint to write or overwrite arbitrary files on the file system and subsequently escalate their privileges to root. The vulnerability affects all deployment models, including on-premises installations, SD-WAN Cloud-Pro, Cisco-managed SD-WAN Cloud and SD-WAN for Government (FedRAMP).

Cisco’s PSIRT team confirmed that it became aware of the exploitation earlier this month. The disclosure comes against a backdrop of systematic exploitation of the platform: since February 2026, CISA has added at least four distinct vulnerabilities in Catalyst SD-WAN Manager to the KEV catalogue, and in the last month Cisco had already warned of another unpatched 0-day in the same product (CVE-2026-20245, CVSSv3 7.8 according to Cisco).

Organisations should apply the patched versions immediately and check the vmanage-server, vmanage-appserver and serviceproxy-access logs for attempts to upload index.jsp and .war files.
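A minimal hunt for the upload attempts mentioned above, written here as an added example (not Cisco's guidance or tooling). The log lines are constructed in a generic access-log shape, so the line regex is an assumption to be adapted to the real vmanage-server and serviceproxy-access formats; the filename check itself tolerates traversal prefixes and query strings.

```python
import re
from dataclasses import dataclass

# Constructed lines in a generic "<time> <client> <user> <METHOD> <path> <status> ["<upload filename>"]"
# shape; they are NOT real Cisco vmanage-server / serviceproxy-access output.
SAMPLE_LOG = """\
2026-06-15T10:02:11Z 203.0.113.7 svc_ro POST /upload 200 "report.pdf"
2026-06-15T10:02:19Z 203.0.113.7 svc_ro POST /upload 200 "../../webapps/ROOT/index.jsp"
2026-06-15T10:02:33Z 203.0.113.7 svc_ro PUT /upload/shell.war 201
2026-06-15T10:03:01Z 198.51.100.4 admin GET /webapps/index.jsp 200
"""

LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
                  r'(?P<path>\S+) (?P<status>\d{3})(?: "(?P<fname>[^"]*)")?')
# The names the briefing says to hunt for, as the last path segment (traversal and query strings allowed)
TARGET = re.compile(r"(?i)(?:^|[\\/])(?:index\.jsp|[^\\/\s?]+\.war)(?:$|[?\s])")
WRITE_METHODS = {"POST", "PUT", "PATCH"}

@dataclass
class Hit:
    ts: str
    client: str
    user: str
    method: str
    target: str
    status: int

def scan(lines):
    """Return one Hit per write request whose path or uploaded filename names index.jsp or a .war."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        for candidate in (m["path"], m["fname"] or ""):
            if TARGET.search(candidate):
                hits.append(Hit(m["ts"], m["client"], m["user"], m["method"], candidate, int(m["status"])))
                break
    return hits

def by_client(hits):
    """Count hits per source address so a single low-privilege account repeating uploads stands out."""
    counts = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return counts

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.client} ({h.user}) {h.method} -> {h.target} [{h.status}]")
    print(by_client(found))
```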
