Cybersecurity Weekly Briefing, 4-10 July
Fancy Bear combines LSB steganography and reflective loading to deploy a remote control Trojan
The Chinese research institute 360 Advanced Threat Research has uncovered a campaign attributed to Fancy Bear (APT28) that combines a macro dropper in a Word document targeted at a defence ministry, COM hijacking of explorer.exe for stealthy persistence, and the concealment of shellcode using LSB steganography within a seemingly innocuous PNG image. Once extracted and decrypted using AES-256 derived via PBKDF2, the shellcode loads a heavily obfuscated C# remote control Trojan into memory via reflective loading.
This Trojan communicates with its command-and-control infrastructure via the legitimate cloud storage service Filen.io, disguising the traffic amongst normal API calls. The implant constructs JSON-encrypted beacons with identifiers derived from the system, applies additional layers of XOR and Base64 encryption, and supports key negotiation and the execution of new payloads in memory, thereby minimising the trace left on disk. The chain demonstrates Fancy Bear’s continued sophistication in fileless techniques and static analysis evasion, with anti-sandbox checks based on timing and the re-exporting of legitimate exports to maintain process stability.
It is recommended to disable macros by default and audit COM CLSID registries under user profiles.
Januscape: a 16-year-old vulnerability in Linux KVM allows escape from virtual machines in the cloud
Researcher Hyunwoo Kim has published details of a use-after-free vulnerability in the Linux KVM hypervisor, which has been present in the kernel since August 2010 and has been registered as CVE-2026-53359 (no CVSS score has yet been assigned by the NVD). The flaw, dubbed Januscape, affects both Intel and AMD processors, making it the first publicly documented exploit capable of escaping from a guest VM to the host on both architectures.
The issue lies in how KVM reuses memory tracking pages without verifying their type, which can corrupt the host kernel’s memory. With nested virtualisation enabled – which is common even in large public clouds such as GCP or AWS, which use their own virtualisation stacks without QEMU – an attacker with root privileges within a guest VM can cause the host to panic or, in the worst-case scenario, write to foreign memory to achieve code execution. Kim used the flaw as a 0-day in Google’s kvmCTF programme and warns that a complete exploit leading to code execution already exists, although he has not published it.
Patches are now available in the stable versions 7.1.3, 6.18.38, 6.12.95, 6.6.144, 6.1.177, 5.15.211 and 5.10.260. It is recommended to check for the presence of commit81ccda30b4e8 in the running kernel (simply checking `uname -r` is not sufficient due to distribution backports) and, if it is not possible to apply the patch immediately, to disable nested virtualisation for untrusted guests.
UNK_MassTraction exploits Roundcube zero-day vulnerabilities to target universities in the US and Canada
Proofpoint has published an article on the actor UNK_MassTraction, believed to be linked to China, which exploits known vulnerabilities in Roundcube to target email servers in physics and engineering departments at US and Canadian universities, with a particular focus on academics and administrators linked to national security or to particle physics and astrophysics.
The infection chain begins with an email that exploits CVE-2024-42009 (CVSSv3 9.3), an XSS vulnerability that is triggered simply by opening the message in the web client and which loads a JavaScript stealer called IceCube to steal credentials, cookies and two-factor authentication codes. IceCube then uses the session’s CSRF token to exploit CVE-2025-49113 (CVSSv3 9.9 according to MITRE), a deserialisation vulnerability that allows a webshell called SquareShell to be installed on the server or, as a fallback mechanism introduced in June 2026, deploys the VShell backdoor in memory, a backdoor widely used by adversaries aligned with China.
The malware incorporates extensive comments in the code and execution phase markers that suggest it was developed with the aid of a language model, as well as deferred trigger mechanisms that retry the exploit if the victim logs out and erase forensic traces from the server upon completion.
It is recommended that email servers be treated with the same defensive priority as VPNs and other exposed remote access nodes.
Phishing campaign spreads the Ousaban banking Trojan to users in Spain and Portugal
FortiGuard Labs has identified an active campaign distributing the Ousaban banking Trojan specifically targeting users in Spain and Portugal, via a phishing PDF that mimics a corrupted document and uses obfuscated JavaScript to redirect the victim to a page that impersonates tax portals or legitimate installers. The webpage performs checks for geolocation, language, browser fingerprint and IP addresses associated with VPNs entirely on the server, denying access via a Spanish-language PDF to any visitor who does not appear to be originating from Spain or Portugal.
Those who pass the verification are provided with a VBS downloader which downloads a steganographic image and a ZIP file, installs the final payload in a system directory and erases forensic traces. Ousaban, previously active in Brazil with an MSI installer, encrypts its list of target banks using a variable-byte-offset XOR algorithm similar to that used by the Casbaneiro family, and resolves a C2 domain that changes daily by calculating an MD5 hash of the date, obtained independently of the local clock. Once active, the malware takes screenshots, controls the mouse and keyboard, injects content into the clipboard and records keystrokes to facilitate fraud in real time.
It is recommended to prioritise detection rules for VBS downloaders and to monitor the associated persistence mechanisms.
Critical path traversal vulnerability in Adobe ColdFusion is being actively exploited
Researchers at KEVIntel have confirmed that the CVE-2026-48282 vulnerability (CVSSv3 10.0 according to the vendor) in Adobe is being actively exploited just hours after its public disclosure. This is an authentication-bypass path traversal flaw that allows remote code execution in ColdFusion 2025.9, 2023.20 and earlier versions.
According to KEVIntel, the first exploitation attempts were detected less than two hours after the technical details were made public, with traffic originating from an IP address located in India. ColdFusion’s track record underscores the urgency: in 2025, CISA added another deserialisation vulnerability in the platform to its catalogue of known exploited vulnerabilities, and late last year, GreyNoise documented a coordinated campaign that exploited a dozen different flaws in the product over the Christmas period.
Organisations running ColdFusion must immediately apply the available security updates and monitor for anomalous access to file paths outside the application’s root directory.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →
Hybrid Cloud
Cybersecurity
Data & AI
IoT & Connectivity
Industry
Health
Banking and Finance
Public Sector
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Smart Cities