| New Threats Detection Added | • Ysoserial |
| New Threat Protection | 197 |
| Newly Detected Threats | 15 |
Weekly Detected Threats
The following threats were added to Crystal Eye this week:
| Threat name: | Ysoserial |
| | Ysoserial is used in exploits targeting insecure Java deserialisation: it generates malicious serialised objects whose gadget chains are built from classes in trusted libraries already on the application's classpath. The payload is delivered to a vulnerable endpoint and, when deserialised, triggers unintended method execution, potentially leading to remote code execution or full system compromise. Indicators include serialised-object payloads in requests (raw or Base64-encoded), unusual source traffic (e.g., from data centre IPs), and abnormal behaviour during deserialisation. |
| Threat Protected: | 02 |
| Rule Set Type: | |
| Class Type: | Attempted-admin |
| Kill Chain: | |
Known Exploited Vulnerabilities (Week 1 - June 2026)
For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-1st-week-of-june-2026/666.
| Vulnerability | CVSS | Description | Affected Version | Fixed Version |
| SolarWinds Serv-U | 7.5 | Denial of Service | <15.5.4 | 15.5.4 |
| Mirasvit Full Page Cache Warmer | 9.8 | Unauthenticated Remote Code Execution | <1.11.12 | 1.11.12 |
| Linux Kernel | 7.8 | Privilege Escalation | Check vendor advisory for affected versions | Check vendor advisory for fixed versions |
| Android Framework | 8.4 | Privilege Escalation | Check vendor advisory for affected versions | Check vendor advisory for fixed versions |
| Oracle WebLogic Server | 7.5 | Unauthenticated Remote Code Execution | 12.2.1.4.0, 14.1.1.0.0 | >12.2.1.4.0, >14.1.1.0.0 |
Updated Malware Signature (Week 1 - June 2026)
| Threat | Description |
| Win32/NetSupport RAT | Win32/NetSupport RAT is a malicious configuration of NetSupport Manager, a legitimate commercial remote administration tool used by IT support teams. Attackers silently deploy its official files alongside a modified configuration file so that the client connects back to an attacker-controlled server. This setup grants the adversary full remote desktop access, file-stealing capabilities, and system monitoring. It bypasses basic antivirus defences because the core software is legitimately signed, and it is usually delivered via phishing or fake browser update prompts. |
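Because the NetSupport binaries are legitimately signed, a signature check alone says nothing; the useful signals are where the client runs from and where its configuration tells it to connect. The check below is example code added for this page (not a Red Piranha or NetSupport component). It assumes the connect-back target lives under the `[HTTP]` section as `GatewayAddress` in `client32.ini`, as quoted in public reports on abused configurations, and the approved gateway, approved install directories and both config fragments are constructed placeholders for the demo.

```python
import configparser

# Gateways the organisation's IT team legitimately uses (placeholder values).
APPROVED_GATEWAYS = {"nsm-gw.corp.example:443"}
# Directories a sanctioned NetSupport client is expected to run from (assumption).
APPROVED_INSTALL_DIRS = (
    r"C:\Program Files (x86)\NetSupport\NetSupport Manager",
    r"C:\Program Files\NetSupport\NetSupport Manager",
)

def assess_netsupport(install_dir, ini_text, signature_valid=True):
    """Findings for one NetSupport client instance; an empty list means nothing
    suspicious. The binary is expected to be validly signed, so the signals are
    the install path and the gateway the client32.ini points at."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(ini_text)
    findings = []
    # Assumption: [HTTP] GatewayAddress holds the connect-back target.
    gateway = cfg.get("HTTP", "GatewayAddress", fallback="").strip()
    if gateway and gateway not in APPROVED_GATEWAYS:
        findings.append(f"gateway {gateway} is not an approved NetSupport gateway")
    if not any(install_dir.lower().startswith(d.lower()) for d in APPROVED_INSTALL_DIRS):
        findings.append(f"client runs from non-standard path {install_dir}")
    if not signature_valid:
        findings.append("client binary signature invalid")
    return findings

# Constructed config fragments for the demo (not real captures).
SANCTIONED_INI = """[HTTP]
GatewayAddress=nsm-gw.corp.example:443
Port=443
"""
ROGUE_INI = """[HTTP]
GatewayAddress=203.0.113.45:443
Port=443
"""

if __name__ == "__main__":
    print(assess_netsupport(r"C:\Program Files (x86)\NetSupport\NetSupport Manager", SANCTIONED_INI))
    print(assess_netsupport(r"C:\Users\alice\AppData\Roaming\update", ROGUE_INI))
```

The rogue case is flagged twice: a gateway outside the allowlist and a client launched from a user-writable profile directory, which is exactly the "official files plus modified config" pattern described above, with the signature still valid.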
Ransomware Report
The Red Piranha Team conducts ongoing surveillance of the dark web and other channels to identify global organisations impacted by ransomware attacks. In the past week, our monitoring revealed multiple ransomware incidents across diverse threat groups, underscoring the persistent and widespread nature of these cyber risks. Presented below is a detailed breakdown of ransomware group activities during this period.
Ransomware Hits Last Week
Ransomware activity this week was led by The Gentlemen (16.91%), making it the most active threat group during the reporting period. Qilin (11.03%) followed closely, continuing its strong operational presence and sustained campaign execution across multiple sectors and regions. Other highly active groups included Inc Ransom (7.35%), while DragonForce and Akira (5.88% each) maintained notable levels of ransomware activity. SafePay (5.15%), along with Genesis, Nova, Krybit, and Play (4.41% each), also demonstrated consistent operational momentum, reflecting continued affiliate-driven campaigns.
Moderate activity was observed from Coinbase Cartel and Black X (2.94% each), while CMD Organisation, Gunra, Space Bears, and Worldleaks (2.21% each) maintained recurring but lower-scale operations during the reporting period.
Additional ransomware activity was attributed to Abyss-Data, Ailock, Eraleign (APT73), Killsec3, Stormous, and Nightspire (1.47% each), indicating continued participation from both emerging and niche ransomware operators. Minimal or isolated incidents were linked to Pear, ShinyHunters, Termite, Bravox, Brain Cipher, Interlock, Bavacai, Nitrogen, and Securotrop (0.74% each), reflecting opportunistic or limited campaign activity.

Securotrop Ransomware
Securotrop is a ransomware group established in early 2025 that operates within the Qilin affiliate network while maintaining an independent public Data Leak Site identity. Threat intelligence platforms classify Securotrop under the Qilin cybergroup, and the group has publicly stated that it uses Qilin software without altering the original code. This places Securotrop firmly in the category of a Qilin-linked affiliate brand rather than a separate malware family.
Infrastructure overlap between Securotrop and Qilin has been confirmed through multiple independent tracking sources. The Securotrop DLS onion address (securo45z554mw7rgrt7wcgv5eenj2xmxyrsdj3fcjsvindu63s4bsid.onion) is also listed as a Qilin extortion link in the Qilin tracker.
Tactics, Techniques, And Procedures (TTPs)
Attribution Framework
TTPs use two status labels:
CONFIRMED: Directly evidenced from Securotrop-specific DLS monitoring, victim intelligence, IOC tracking, or the confirmed statement that Securotrop uses unmodified Qilin code combined with cross-validated family-level evidence.
ATTRIBUTED: Sourced from Qilin-family technical analysis. These represent the inherited tradecraft Securotrop deploys via unmodified Qilin tooling. No Securotrop-branded incident report has independently confirmed these techniques; attribution is grounded in the confirmed codebase relationship.
| Phase | Technique ID | Technique Name |
| Initial Access | T1133 / T1190 | External Remote Services / Exploit Public-Facing Application |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| Persistence | T1484.001 | Domain Policy Modification: Group Policy Modification |
| Discovery | T1087.002 | Account Discovery: Domain Accounts |
| Discovery | T1083 | File and Directory Discovery |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers (Chrome) |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares (PsExec spread) |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| Defence Evasion | T1562.001 | Impair Defences: Disable or Modify Tools (terminate security services) |
| Defence Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs |
| Defence Evasion | T1070.004 | Indicator Removal: File Deletion (self-delete) |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery |
Indicators Of Compromise (IOCs)
IOCs are presented in three tiers:
(1) Securotrop-specific confirmed IOCs (infrastructure and contact artefacts);
(2) Qilin-family sample hashes applicable to Securotrop deployments given the confirmed codebase identity; and
(3) Qilin-family behavioural artefacts applicable via the same relationship. All status labels are explicit.
Securotrop-Specific Infrastructure and Contact IOCs
| Type | Indicator / Value |
| Tor Onion | securo45z554mw7rgrt7wcgv5eenj2xmxyrsdj3fcjsvindu63s4bsid.onion |
| Tox ID | BAFBD2AE7FC859F27D49471EF83365DD7E345EB3908B0612BFE83FEF33F79919A6C636A4E543 |
|
Encryption Algorithm Identifiers
| Type | Indicator / Value | Description |
| Encryption | ChaCha20 | Symmetric file-encryption algorithm used when the target system lacks AES-NI hardware support. Confirmed via SuspectFile interview and Halcyon Qilin.B analysis. |
| Encryption | AES-256-CTR | Symmetric file-encryption algorithm used when the target system has AES-NI hardware support. |
| Encryption | RSA-4096 | Key protection algorithm: the symmetric keys are protected with a public key embedded in the payload, and the matching private key is held by the operator. |
Qilin-Family Malware Sample Hashes
| Type | Indicator / Value |
| SHA-256 | 43691290AC03EBB26754203F1CC3940B32F036BABB7CFAB3CB14FE2128389C0C |
| SHA-256 (ransom note) | 16CBD60F0E147C4998E3C3D140AF23365E77C3403737BE0157B878753BF4F999 |
| SHA-256 (QLOG) | 38DB5BD1FCDE3C96916134A0393E386FC4290031FBCA81B8BD593BD929A7CAA1 |
| SHA-256 (archive) | 11FAB1676B3C3FD01F4F0AB84EAB9BB474A1483D20D2634B35BD637279B029AC |
| SHA-256 (payload) | 18550A8B193B52F8FDD86E9E8D66AFFDAB001ED8FECA5585065388A66CEEBB5C |
| SHA-256 (Windows) | 76F860A0E238231C2AC262901CE447E83D840E16FCA52018293C6CF611A6807E |
| SHA-256 (Linux/ESXi) | CD27A31E618FE93DF37603E5ECE3352A91F27671EE73BDC8CE9AD793CAD72A0F |
|
AV and EDR Detection Names
| Type | Indicator / Value | Description |
| AV Detection | Ransom:Win32/QilinCrypt!MSR | Microsoft Defender detection name for Qilin-family Windows ransomware. |
| AV Detection | Ransom:Win32/Qilinloader!rfn | Microsoft Defender detection name for the Qilin loader component. |
| AV Detection | Ransom:Win32/QilinLoader.MKV!MTB | Microsoft Defender detection name for a Qilin loader variant. |
Host-Based Behavioural Artefacts
| Type | Indicator / Value | Description |
| File Path | C:\temp\w.exe | Ransomware binary staging path. Launched with a command-line password; halts if the password hash check fails. |
| File Pattern | README-RECOVER-[company_id].txt | Ransom note filename dropped in every processed directory; company_id is a configurable per-victim string. |
| File Path | %User Temp%\QLOG | QLOG directory created by the ransomware during execution for runtime logging. Confirmed: Microsoft Defender, ANY.RUN. |
| File Path | QLOG\ThreadId(1).LOG | QLOG runtime log file. Confirmed in ANY.RUN Qilin sample analysis (04 June 2026). |
| Command | vssadmin delete shadows /all /quiet | Shadow copy deletion command. Confirmed independently by Halcyon and Cybereason. |
| Process | w.exe (C:\temp, password on command line) | Execution indicator. The binary requires the correct password hash on the command line. |
| Behaviour | Desktop wallpaper replacement | Ransom message set as the desktop background during the impact phase. |
| Behaviour | Continuous Windows Event Log clearing | Security, System, and Application logs cleared throughout attack execution. |
| Behaviour | RSAT-AD-PowerShell module installation | Installed for domain host enumeration; precedes PsExec-based propagation. |
| Behaviour | Malicious GPO for Chrome credential dump | GPO deployed to extract Chrome browser-stored credentials via PowerShell. |
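The three IOC tiers above only become useful when they are applied with their status labels intact, so a match on the DLS onion in a ransom note should be reported as CONFIRMED Securotrop activity while a Qilin-family hash or the `C:\temp\w.exe` staging path is ATTRIBUTED via the shared codebase. The script below is example detection logic added for this page (not Crystal Eye, CE MDR or Red Piranha code): it carries the hashes, paths, ransom-note pattern and commands from the tables into a small matcher, runs it over constructed endpoint telemetry for one host, and rolls the hits up per host with the attribution tier and a "continuous log clearing" flag that fires only once all three named logs have been cleared. Assumptions: the telemetry field names (`type`, `image`, `cmdline`, `sha256`, `path`, `content`) are invented for the demo, log clearing is matched on `wevtutil` because the page names the logs but not the tool, and the `-p` password flag on `w.exe` is a placeholder since the page only states that a password is passed on the command line.

```python
import re
from dataclasses import dataclass

# Indicators copied from the tables above. Tier labels follow the page's
# attribution framework: CONFIRMED for Securotrop-specific contact artefacts,
# ATTRIBUTED for Qilin-family hashes and behaviour inherited via unmodified code.
SECUROTROP_ONION = "securo45z554mw7rgrt7wcgv5eenj2xmxyrsdj3fcjsvindu63s4bsid.onion"
SECUROTROP_TOX = "BAFBD2AE7FC859F27D49471EF83365DD7E345EB3908B0612BFE83FEF33F79919A6C636A4E543"
QILIN_FAMILY_SHA256 = {
    "43691290ac03ebb26754203f1cc3940b32f036babb7cfab3cb14fe2128389c0c",
    "16cbd60f0e147c4998e3c3d140af23365e77c3403737be0157b878753bf4f999",
    "38db5bd1fcde3c96916134a0393e386fc4290031fbca81b8bd593bd929a7caa1",
    "11fab1676b3c3fd01f4f0ab84eab9bb474a1483d20d2634b35bd637279b029ac",
    "18550a8b193b52f8fdd86e9e8d66affdab001ed8feca5585065388a66ceebb5c",
    "76f860a0e238231c2ac262901ce447e83d840e16fca52018293c6cf611a6807e",
    "cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f",
}
RANSOM_NOTE_RE = re.compile(r"[\\/]README-RECOVER-[^\\/]+\.txt$", re.I)
STAGING_BIN_RE = re.compile(r"^[a-z]:\\temp\\w\.exe$", re.I)
QLOG_RE = re.compile(r"\\QLOG(\\|$)", re.I)
SHADOW_DEL_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\b", re.I)
# Assumption: logs are cleared with wevtutil; the page names the logs, not the tool.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b", re.I)
RSAT_RE = re.compile(r"RSAT-AD-PowerShell", re.I)
PSEXEC_RE = re.compile(r"psexe(c|svc)", re.I)

@dataclass
class Alert:
    host: str
    technique: str
    status: str  # CONFIRMED or ATTRIBUTED
    detail: str

def match_event(ev):
    """Alerts raised by one telemetry event (process start or file write)."""
    out, host = [], ev.get("host", "unknown")
    if ev["type"] == "process":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if ev.get("sha256", "").lower() in QILIN_FAMILY_SHA256:
            out.append(Alert(host, "Qilin-family sample hash", "ATTRIBUTED", ev["sha256"]))
        if STAGING_BIN_RE.match(image):
            out.append(Alert(host, "T1486 payload staged at C:\\temp\\w.exe", "ATTRIBUTED", cmd))
        if SHADOW_DEL_RE.search(cmd):
            out.append(Alert(host, "T1490 Inhibit System Recovery", "ATTRIBUTED", cmd))
        if LOG_CLEAR_RE.search(cmd):
            out.append(Alert(host, "T1070.001 Clear Windows Event Logs", "ATTRIBUTED", cmd))
        if RSAT_RE.search(cmd):
            out.append(Alert(host, "T1087.002 RSAT-AD-PowerShell install", "ATTRIBUTED", cmd))
        if PSEXEC_RE.search(image) or PSEXEC_RE.search(cmd):
            out.append(Alert(host, "T1021.002 PsExec/SMB propagation", "ATTRIBUTED", image or cmd))
    elif ev["type"] == "file":
        path, content = ev.get("path", ""), ev.get("content", "")
        if RANSOM_NOTE_RE.search(path):
            out.append(Alert(host, "T1486 ransom note README-RECOVER-[company_id].txt", "ATTRIBUTED", path))
            # The DLS onion or Tox ID inside the note ties it to Securotrop specifically.
            if SECUROTROP_ONION in content or SECUROTROP_TOX in content:
                out.append(Alert(host, "Securotrop DLS/Tox contact in ransom note", "CONFIRMED", path))
        if QLOG_RE.search(path):
            out.append(Alert(host, "QLOG runtime log directory", "ATTRIBUTED", path))
    return out

def summarise(events):
    """Per-host roll-up: techniques seen, best attribution tier, and whether all
    three logs named on the page (Security, System, Application) were cleared."""
    hosts = {}
    for ev in events:
        for a in match_event(ev):
            h = hosts.setdefault(a.host, {"techniques": set(), "status": "ATTRIBUTED", "logs_cleared": set()})
            h["techniques"].add(a.technique)
            if a.status == "CONFIRMED":
                h["status"] = "CONFIRMED"
            if a.technique.startswith("T1070.001"):
                h["logs_cleared"].add(LOG_CLEAR_RE.search(a.detail).group(3).lower())
    for h in hosts.values():
        h["techniques"] = sorted(h["techniques"])
        h["continuous_log_clearing"] = h["logs_cleared"] >= {"security", "system", "application"}
    return hosts

# Constructed telemetry for one host, modelled on the artefact table (not a real capture).
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Install-WindowsFeature RSAT-AD-PowerShell"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    # The page says a password is passed on the command line; the "-p" form is a placeholder.
    {"host": "FS01", "type": "process", "image": r"C:\temp\w.exe", "cmdline": r"C:\temp\w.exe -p <password>",
     "sha256": "76F860A0E238231C2AC262901CE447E83D840E16FCA52018293C6CF611A6807E"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl System"},
    {"host": "FS01", "type": "process", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Application"},
    {"host": "FS01", "type": "file", "path": r"C:\Users\svc_bkp\AppData\Local\Temp\QLOG\ThreadId(1).LOG"},
    {"host": "FS01", "type": "file", "path": r"D:\shares\finance\README-RECOVER-a1b2c3.txt",
     "content": "Your network is encrypted. Contact: http://" + SECUROTROP_ONION},
    # Benign noise that must not fire.
    {"host": "FS01", "type": "process", "image": r"C:\Program Files\Backup\agent.exe", "cmdline": "agent.exe --full"},
    {"host": "FS01", "type": "file", "path": r"C:\Users\alice\Documents\README.txt"},
]

if __name__ == "__main__":
    for host, s in summarise(SAMPLE_EVENTS).items():
        print(host, s["status"], "continuous log clearing:", s["continuous_log_clearing"], s["techniques"])
```

On the constructed host the roll-up reports CONFIRMED only because the ransom note carried the Securotrop onion; without that line every hit would stay ATTRIBUTED, which is the page's point that the hashes and behaviours identify the Qilin codebase, not the affiliate brand.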
Mitigation - Crystal Eye 5.5 Controls
- CE Advanced Firewall + IDPS + Forcefield: Zone-segment remote access, backup, and critical server tiers. Attach IDPS profiles (Detection & Protection mode) to internet-facing and east-west interfaces. Enable Forcefield on all admin-facing services to auto-block IPs on repeated authentication failures. Enable CE Anti-phishing for credential-harvesting site blocking.
- CE Anti-phishing + Web Filter + Antivirus + Application Filter: Enable CE Anti-phishing, Web Filter (HTTP/HTTPS), and Antivirus with block-encrypted-files mode. Constrain zip recursion depth and archive size limits. Use CE Application Filter to restrict the File Sharing, Mail, and Messaging categories. CE Protocol Filter blocks protocols by content, port, or traffic type. The optional Anti-malware File Scanner quarantines flagged files on network shares.
- CEASR + CE MDR: CEASR ML3 policies restrict unauthorised Group Policy modification and LSASS access, blocking GPO-based Chrome credential harvesting and Mimikatz dumping. CE MDR alerts on anomalous PowerShell targeting Chrome user profile paths. Enforce enterprise password management to eliminate browser-stored credentials.
- CE IDPS + ZTNA Micro-segmentation: Configure CE IDPS local rules to detect PsExec-driven SMB propagation. Restrict SMB (TCP 445) between zones via CE Advanced Firewall to authorised flows only. Crystal AI detects lateral movement in real time. Block RSAT-AD-PowerShell installation via CEASR application allowlisting.
Worldwide Ransomware Victims
Ransomware activity this week remained heavily concentrated in the United States (45.59%), which continued to account for the largest share of global incidents by a substantial margin. The sustained targeting of US-based organisations reflects the country’s extensive enterprise ecosystem, critical infrastructure exposure, and high-value extortion opportunities.
Canada (7.35%) and Germany (5.15%) followed as the next most impacted countries, demonstrating continued ransomware pressure across North America and Europe. India, Brazil, and France (2.94% each) also recorded notable activity, highlighting the broad international reach of active ransomware operations.
Moderate activity was observed across the Netherlands, Spain, Thailand, Portugal, and the United Kingdom (2.21% each), indicating continued targeting of digitally mature economies and globally connected business environments.
Additional ransomware incidents were reported in Chile, South Korea, Turkey, Saudi Arabia, Italy, Singapore, and Mexico (1.47% each). These figures demonstrate expanding operational coverage across Asia-Pacific, the Middle East, and Latin America.
Isolated incidents were identified in Peru, Sri Lanka, China, Egypt, Switzerland, Armenia, South Africa, Philippines, Guatemala, Taiwan, Bahamas, Ghana, Australia, Slovenia, Austria, and Zimbabwe (0.74% each). While individually low in volume, these incidents reinforce the global nature of ransomware campaigns and the ability of threat actors to target organisations across a wide geographic spectrum.

Industry-wide Ransomware Impact
Ransomware activity this week was primarily concentrated in Manufacturing (20.59%) and Business Services (14.71%), making them the most targeted industries during the reporting period. These sectors remain highly attractive to ransomware operators due to their operational dependence, extensive third-party relationships, and the financial impact associated with downtime and disruption.
The Retail sector (11.03%) also experienced substantial ransomware activity, reflecting continued targeting of customer-facing organisations with large transactional environments. Healthcare (7.35%) remained heavily impacted as well, highlighting the ongoing focus on industries where operational continuity and sensitive data exposure create strong leverage for extortion.
Moderate activity was observed within Hospitality and IT (5.88% each), while Federal and Construction (5.15% each) continued to face steady ransomware pressure. These sectors remain attractive due to critical service delivery functions and often complex infrastructure environments.
Additional ransomware incidents were distributed across Transportation (3.68%), and Finance, Law Firms, Architecture, and Organisations (2.94% each). These industries continue to face persistent threats because of valuable financial, legal, and operational data.
Lower-volume activity was recorded across Media & Internet and Energy (2.21% each), while Insurance and Real Estate (1.47% each) experienced limited but recurring attacks. Minimal activity was identified within Education and Telecommunications (0.74% each), indicating comparatively lower targeting during this reporting period.
