For the latest discoveries in cyber research for the week of 6th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- River Bank & Trust, a US financial institution, has experienced a ransomware incident after an unauthorized actor accessed the network of parent company River Financial Corporation on June 16. The bank found ransomware on portions of its server environment and is assessing whether personal data was accessed or exfiltrated.
- Indra Group, a Spanish defense, aerospace, and technology contractor and NATO cyber coalition member, has confirmed a ransomware attack affecting one subsidiary. The Gentlemen ransomware gang threatened to leak allegedly stolen data, while Indra said the incident was contained and that service continuity was maintained.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat
- Nidec, a Japanese electric motor and industrial manufacturer, has disclosed a ransomware attack affecting the network of its Taiwanese subsidiary, Nidec Chaun Choung Technology. BlackField group claimed responsibility and alleged theft of more than two terabytes of corporate data, including employee, financial, procurement, manufacturing, legal, and IT records.
- US insurance firm Aflac has disclosed a data breach affecting its Japan operations after attackers accessed its policyholder portal between June 15 and June 25. Personal and financial data of nearly 4.4 million customers was exposed, including policyholder information and premium payment account details.
AI THREATS
- Check Point Research has demonstrated a browser-native ransomware technique generated by a large language model that abuses Chrome’s File System Access API. A fake image-enhancement page convinces users to grant folder access, then reads, exfiltrates, and encrypts photos inside the browser on Android and Windows.
- Researchers examined shell command injection weaknesses in open-source AI coding agents, finding that 10 out of 11 popular tools failed to block obfuscated destructive commands. Simple rewrites bypassed filters and enabled destructive actions, including file deletion, while only the Continue agent properly parsed commands.
- Researchers warned that attackers are exploiting LLM phantom squatting by registering AI-generated domains to hijack traffic and deliver phishing. They recorded 250,000 hallucinated domains and subsequent registrations, including an AI-built phishing kit, Montana Empire, using a postal-service domain for credential theft.
VULNERABILITIES AND PATCHES
- Oracle E-Business Suite is affected by CVE-2026-46817, a critical remote code execution flaw reportedly exploited against about 950 internet-exposed instances worldwide. Successful exploitation can give attackers control over ERP systems.
Check Point IPS provides protection against this threat (Oracle E-Business Suite Authentication Bypass (CVE-2026-46817))
- Linux kernel maintainers patched CVE-2026-46242, a Bad Epoll privilege escalation flaw affecting Linux servers, desktops, and Android devices. The race-condition use-after-free vulnerability allows an unprivileged local user to gain root access, and a public exploit demonstrated reliable exploitation against vulnerable systems.
- Citrix has addressed CVE-2026-8451, a NetScaler ADC and NetScaler Gateway memory disclosure flaw affecting SAML Identity Provider configurations. Active exploitation was observed less than 24 hours after disclosure, with attacks able to leak session tokens from vulnerable appliances.
Check Point IPS provides protection against this threat (Citrix NetScaler Out Of Bounds Read (CVE-2026-8451))
- Progress has addressed CVE-2026-8037, a critical OS command injection flaw in Kemp LoadMaster load balancers with a CVSS score of 9.6. Exploitation attempts began on June 29 and could allow unauthenticated remote code execution against vulnerable systems.
Check Point IPS provides protection against this threat (Progress Kemp LoadMaster Commad Injection (CVE-2024-1212, CVE-2026-8037))
THREAT INTELLIGENCE REPORTS
- Researchers elaborated on a North Korea-aligned supply-chain campaign dubbed PolinRider, which published 108 malicious packages and a Chrome extension across open-source registries. The attackers abused VS Code auto-run tasks and hidden JavaScript loaders to fetch second-stage malware and deploy DEV#POPPER and OmniStealer.
- Researchers observed a partnership between the Vect ransomware group and TeamPCP, a supply chain credential-theft gang, that industrializes ransomware delivery. At least one Vect attack using TeamPCP-sourced credentials was confirmed.
- Researchers detected the ChocoPoC campaign, which weaponizes fake proof-of-concept exploits on GitHub and PyPI to infect vulnerability researchers with a Python RAT. The malware hides commands on Mapbox datasets and steals files and browser data while executing attacker commands.
- Researchers analyzed 3,000 live ClickFix payloads and found rotating wrappers, custom command generation, and a Downloads-folder technique designed to bypass AMSI protections. The research shows how ClickFix has evolved from simple social engineering into an API-driven malware delivery ecosystem.
The post 6th July – Threat Intelligence Report appeared first on Check Point Research.