June 22, 2026 Emerging Threats Weekly
This week’s briefing covers:
00:00 – Intro
00:52 [VULNERABILITY] FortiSandbox Flaws Under Active Exploitation
CVE-2026-50751 is a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access and Spark Firewall products when configured to use the deprecated IKEv1 key exchange protocol.
03:12 [THREAT ACTOR] UNC6508 Expands Espionage Tradecraft with REDCap Abuse
This week, Google detailed a long-running UNC6508 espionage campaign targeting North American medical, academic and military research organizations. The actor combined server compromise, credential theft, malware deployment and silent email exfiltration to collect strategically valuable research data.
06:29 [THREAT ACTOR] ShinyHunters Linked to Oracle PeopleSoft Zero-Day Exploitation
Oracle issued emergency mitigations for CVE-2026-35273, a critical unauthenticated remote code execution flaw in PeopleSoft PeopleTools 8.61 and 8.62, after exploitation was linked to active data-theft intrusions. Reporting this week tied the activity to the ShinyHunters extortion ecosystem.
08:31 [CAMPAIGN] APT37 Uses Fake Microsoft Alerts to Deploy NARWHALRAT
North Korean state-linked APT37, also known as ScarCruft, is using spearphishing emails that impersonate Microsoft account security alerts to deliver a malware family called NarwhalRAT. The lure centers on alleged abnormal OTP activity and urges the recipient to open an attached “advisory,” which is a ZIP archive carrying a malicious LNK file.
10:19 [RANSOMWARE] DragonForce Hid Command Traffic Inside Microsoft Teams Relays
New reporting describes a DragonForce intrusion in which the attackers hid command traffic inside Microsoft Teams infrastructure. The actor used a legitimate relay service to blend in with normal activity, making the traffic appear trustworthy and reducing the chance of detection.
12:23 [SUPPLY CHAIN] Official Plugin Channels Abused in ShapedPlugin and JetBrains Campaigns
Two separate security events this week show attackers using trusted plugin distribution channels instead of obvious malicious downloads. In one case, compromised WordPress Pro plugins were delivered through an official licensed update process.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder