Here are today’s top cybersecurity stories for Tuesday, June 16, 2026.
DragonForce Ransomware Hides Command-and-Control Traffic Inside Microsoft Teams Relays
Researchers at Symantec discovered that DragonForce ransomware deployed a custom Go-based backdoor, Backdoor.Turn, that tunnels attacker command-and-control traffic through Microsoft’s legitimate Teams TURN relay infrastructure. By obtaining anonymous Teams visitor tokens and routing sessions to attacker servers over QUIC via Microsoft relays, the malware shows up in network logs as outbound traffic to Microsoft endpoints, so destination-based traffic analysis does not flag it. The backdoor supports command execution, Active Directory enumeration, credential harvesting, and lateral movement. BleepingComputer
Three Fortinet FortiSandbox Vulnerabilities Now Actively Exploited
Threat intelligence firm Defused confirmed active exploitation of three critical FortiSandbox vulnerabilities over the past 24 hours: CVE-2026-39813 (CVSS 9.8, path traversal in JRPC API), CVE-2026-39808 (CVSS 9.1, OS command injection), and CVE-2026-25089 (CVSS 9.1, OS command injection in the Web UI). Exploitation attempts targeting port 443 via crafted JSONRPC POST requests have been detected in honeypot infrastructure. Fortinet released patches in April 2026; organizations should upgrade to FortiSandbox 4.4.9 or 5.0.6 and remove management interface exposure to the internet immediately. Help Net Security
CISA Adds LiteSpeed cPanel Plugin CVE-2026-54420 to Known Exploited Vulnerabilities Catalog
CISA added CVE-2026-54420 (CVSS 8.5), a privilege escalation flaw in the LiteSpeed cPanel Plugin, to its Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 18, 2026. The flaw affects LiteSpeed cPanel plugin before version 2.4.8 and allows a user with FTP or web shell access on a shared CloudLinux or CageFS server to escalate privileges to root. The vulnerability was patched on June 1, 2026; mass exploitation in multi-tenant shared hosting environments poses significant cross-account compromise risk. The Hacker News
China-Linked UNC6508 Stole US and Canadian Defence and AI Research Data for Over a Year
Google’s Threat Intelligence Group published findings that a China-linked espionage group tracked as UNC6508 targeted defence, AI, medical research, and military technology institutions in the United States and Canada for more than a year, from September 2023 through at least November 2025. The group used stolen credentials and software vulnerabilities to gain and maintain access to organizations with collective research budgets worth billions of dollars. The campaign objectives are consistent with long-standing Chinese cyber-espionage priorities focused on gathering defence and technology intelligence of strategic interest to Beijing. Cybernews
Earth Lusca Deploys SprySOCKS Windows Backdoor With Kernel-Level Stealth Against Government Organizations
ESET researchers disclosed two previously undocumented Windows variants of SprySOCKS, a backdoor previously seen only on Linux and attributed to the Chinese threat group Earth Lusca. The Windows variants, internally named WIN_DRV and WIN_PLUS, add kernel-level stealth to hide malware artifacts and redirect arbitrary TCP port traffic to the backdoor. Attacks targeted government organizations in Taiwan, Thailand, Pakistan, and Honduras between 2023 and 2024; some campaigns show evidence of UEFI bootkit activity exploiting CVE-2023-24932, the Windows Boot Manager Secure Boot bypass. The Hacker News
GhostTree NTFS Technique Prevents Microsoft Defender and EDR Tools From Completing Malware Scans
Varonis researchers published details on GhostTree, a technique exploiting NTFS recursive junctions to generate effectively infinite valid file paths using two lines of code and requiring no administrator privileges. When malware is placed in the parent of a recursive junction loop, Defender folder scans never complete and the malware goes undetected. Varonis validated the technique directly against Windows Defender; Microsoft initially rejected the bug report before eventually deploying a patch. A companion technique, GhostBranch, was disclosed simultaneously. BleepingComputer
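The defensive counterpart of the technique described above, as an added example that is not taken from the Varonis write-up or from any Microsoft code: a scanner walk that follows directory links but keys its visited set on the resolved directory identity (st_dev, st_ino: the file ID on NTFS, the inode on POSIX), so a junction that points back up the tree is refused on the first revisit instead of producing an endless path. Files are recorded before any descent, so a sample sitting in the parent of the loop is still scanned, which is the case the article says Defender's folder scan never reaches. The fixture is constructed; on POSIX a directory symlink stands in for the NTFS junction, since Python cannot create a junction without extra Win32 calls.

```python
import os
import tempfile
from pathlib import Path


def safe_walk(root, max_depth=64):
    """Scan `root`, following directory links (NTFS junctions on Windows, symlinks
    on POSIX) but entering each physical directory at most once.

    Directories are identified by (st_dev, st_ino) of the resolved target, so a
    link that loops back up the tree is detected on the first revisit rather
    than generating an unbounded chain of valid paths.
    Returns (files, refused): regular entries seen, and link paths that were not
    descended into because their target had already been scanned.
    """
    seen = set()
    files = []
    refused = []
    stack = [(os.fspath(root), 0)]
    while stack:
        path, depth = stack.pop()
        try:
            st = os.stat(path)  # follows the link to the real directory
        except OSError:
            continue  # dangling link or permission problem: skip, do not abort
        ident = (st.st_dev, st.st_ino)
        if ident in seen or depth > max_depth:
            refused.append(path)  # loop (or a depth we refuse to trust)
            continue
        seen.add(ident)
        try:
            with os.scandir(path) as it:
                entries = list(it)
        except OSError:
            continue
        for entry in entries:
            # Files are collected before any child directory is entered, so a
            # sample beside the looping junction is scanned even though the
            # descent into the loop is refused.
            if entry.is_dir(follow_symlinks=True):
                stack.append((entry.path, depth + 1))
            else:
                files.append(entry.path)
    return files, refused


def build_loop_tree(base):
    """Constructed fixture: base/a/sample.bin, base/a/b/inner.txt and a link
    base/a/b/back -> base/a, the same shape as a recursive junction.
    A symlink stands in for the NTFS junction on POSIX."""
    a = Path(base, "a")
    b = a / "b"
    b.mkdir(parents=True)
    (a / "sample.bin").write_bytes(b"constructed stand-in, not malware")
    (b / "inner.txt").write_text("hello")
    os.symlink(str(a), str(b / "back"), target_is_directory=True)
    return a


def demo():
    """Build the fixture in a scratch directory; return (scanned, refused) as
    relative POSIX-style paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_loop_tree(tmp)
        files, refused = safe_walk(tmp)
        rel = lambda p: os.path.relpath(p, tmp).replace(os.sep, "/")
        return sorted(map(rel, files)), [rel(r) for r in refused]


if __name__ == "__main__":
    scanned, loops = demo()
    print("scanned:", scanned)
    print("refused loops:", loops)
```

A naive os.walk(root, followlinks=True) over the same fixture keeps descending through a/b/back/b/back/... until the path length limit is hit; the identity-keyed walk finishes after visiting three directories. The same check, applied to reparse points on Windows, is what a scanner needs in order to terminate on GhostTree-style trees.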
Rokarolla Android Trojan Targets 217 Banking and Cryptocurrency Apps With 137 Remote Commands
Security researchers documented Rokarolla, a new Android banking trojan distributed through sites masquerading as TikTok or Google Chrome using a fake Google Play Protect dropper. The malware targets 217 banking and cryptocurrency apps, harvests device PINs, reads and sends SMS messages, rewrites the clipboard to redirect crypto payments, disables Google Play Protect, and takes silent screenshots via Accessibility without triggering Android’s visible recording prompt. Researchers describe Rokarolla as shifting the threat model from data theft to total device control and victim isolation. The Hacker News
Sysco Faces Second Extortion Threat as ShinyHunters Claims 61 Million Salesforce Records
Food distribution giant Sysco faces a second extortion wave after ShinyHunters claimed to have stolen more than 61 million Salesforce records from the company, weeks after Qilin ransomware published stolen Sysco data including customer pricing lists, delivery invoices, and tax documents spanning 2021 through 2026. ShinyHunters alleged the dataset includes customer information, employee records, and internal corporate data. Successive extortion by separate criminal groups against the same victim is an escalating pattern in 2026. Cybernews
Microsoft Secure Boot Certificate Enforcement Is 10 Days Away — What Happens If Systems Miss the Deadline
With the June 26, 2026 Secure Boot certificate enforcement date now 10 days away, Microsoft clarified that systems failing to update from expiring 2011-era KEK and UEFI CA certificates will continue to boot normally but will permanently lose access to boot-critical security updates and DBX revocation list updates, leaving them unable to block newly discovered bootkit threats. The update requires multiple restarts and some hardware needs OEM firmware updates before Microsoft’s certificate update installs correctly. IT administrators should test across representative hardware before fleet-wide deployment. Windows Report
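A fleet pre-check for the situation above, added here and not taken from the article or from Microsoft's own tooling: it parses the KEK and db Secure Boot variables in their EFI_SIGNATURE_LIST encoding and reports whether the 2023 replacement certificates are present. The certificate subject names (Microsoft Corporation KEK 2K CA 2023 in KEK; Windows UEFI CA 2023 and Microsoft UEFI CA 2023 in db) are the ones Microsoft published for the rollout and are an assumption of this example, not something the article lists. The substring test mirrors the PowerShell check Microsoft documents for Windows hosts; the efivarfs reader covers Linux hosts; all fixture data is constructed and the fake certificates are not real DER. Presence is not validity: the check tells you whether the update landed, not whether the DBX has been refreshed.

```python
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"        # owns KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # owns db/dbx

# Subject names of the 2023 certificates replacing the 2011 ones (assumption of
# this example, taken from Microsoft's rollout guidance, not from the article).
REQUIRED_2023 = {
    "KEK": ("Microsoft Corporation KEK 2K CA 2023",),
    "db": ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023"),
}


def parse_signature_lists(blob):
    """Parse a Secure Boot variable into [(signature_type, owner, data), ...].

    EFI_SIGNATURE_LIST: type GUID (16), list size / header size / signature
    size (3 x UINT32 LE), optional header, then fixed-size EFI_SIGNATURE_DATA
    entries of owner GUID (16) + payload. Raises on truncated or absurd sizes
    rather than looping.
    """
    entries, off = [], 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def x509_subjects_present(blob, names):
    """Return the subset of `names` found inside X.509 entries of `blob`.

    DER stores the CN as a PrintableString/UTF8String, so the ASCII subject is
    a literal substring of the certificate bytes. Hash entries are ignored.
    """
    found = set()
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        found.update(n for n in names if n.encode("ascii") in data)
    return found


def audit(kek_blob, db_blob):
    """Report which 2023 certificates each variable has and which it still lacks."""
    report = {}
    for var, blob in (("KEK", kek_blob), ("db", db_blob)):
        present = x509_subjects_present(blob, REQUIRED_2023[var])
        report[var] = {"present": sorted(present),
                       "missing": sorted(set(REQUIRED_2023[var]) - present)}
    return report


def read_efivar(name, owner_guid, root="/sys/firmware/efi/efivars"):
    """Read a variable from Linux efivarfs; the first 4 bytes are attributes."""
    return Path(root, f"{name}-{owner_guid}").read_bytes()[4:]


def build_x509_list(cert_der, owner=uuid.UUID(int=0)):
    """Pack one certificate as its own EFI_SIGNATURE_LIST (firmware stores one
    X.509 cert per list because every entry in a list shares one size)."""
    sig_size = 16 + len(cert_der)
    return (EFI_CERT_X509_GUID.bytes_le
            + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert_der)


def fake_cert(subject):
    """Constructed stand-in, NOT a real certificate: a CN attribute (OID 2.5.4.3,
    PrintableString) carrying `subject`, enough for the substring check."""
    name = subject.encode("ascii")
    return b"\x30\x82\x00\x00\x06\x03\x55\x04\x03\x13" + bytes([len(name)]) + name


if __name__ == "__main__":
    # Constructed fixture: KEK still 2011-only, db half-updated. On a Linux host use
    #   audit(read_efivar("KEK", EFI_GLOBAL_VARIABLE_GUID),
    #         read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID))
    kek = build_x509_list(fake_cert("Microsoft Corporation KEK CA 2011"))
    db = (build_x509_list(fake_cert("Microsoft Corporation UEFI CA 2011"))
          + build_x509_list(fake_cert("Windows UEFI CA 2023")))
    for var, result in audit(kek, db).items():
        print(f"{var}: present={result['present']} missing={result['missing']}")
```

Run across the representative hardware set before fleet deployment, a host that still reports the KEK entry missing after the update has been offered is the one that needs the OEM firmware update first.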
Stay tuned for today’s in-depth analysis posts.