Here are today’s top cybersecurity stories for Friday, June 26, 2026.
DirtyClone CVE-2026-43503: JFrog Publishes Working Exploit for Linux Kernel LPE Variant
JFrog Security Research released a working privilege escalation exploit on June 25 for CVE-2026-43503, a Linux kernel local privilege escalation flaw in the DirtyFrag family. Any unprivileged local user with access to user namespaces or CAP_NET_ADMIN — common in multi-tenant cloud environments and Kubernetes clusters — can gain root by corrupting page-cache memory through a cloned network packet traversing an attacker-controlled IPsec tunnel. The kernel patch landed in v7.1-rc5 on May 21; most distributions are shipping backports now. JFrog Security Research
PTC Windchill CVE-2026-12569: First-Ever Windchill RCE Exploited in Wild — CISA KEV June 28 Deadline
CISA added CVE-2026-12569 (CVSS 9.3), a remote code execution flaw in PTC Windchill PDMlink and FlexPLM, to the Known Exploited Vulnerabilities catalog on June 25 with a June 28 federal deadline. PTC confirmed attackers are deploying JSP web shells against unpatched systems. The flaw exploits deserialization of untrusted data and affects all Windchill and FlexPLM releases prior to version 11.0 M030. The Hacker News
Gaslight macOS Malware: North Korea-Linked Backdoor Uses Prompt Injection to Fool AI Analysis Tools
Researchers disclosed Gaslight, a Rust-based macOS backdoor attributed with high confidence to North Korea-aligned threat actors. The malware embeds 38 fabricated system-failure messages directly in its binary to mislead LLM-assisted malware triage agents, attacking the analysis tool’s perception rather than the sandbox. Gaslight communicates over Telegram using AES-GCM encryption with certificate pinning, and harvests Terminal command histories, browser credentials, and application data from Chrome, Brave, Firefox, and Safari. The Hacker News
Edgecution: Malicious Microsoft Edge Extension Escapes Browser Sandbox to Deploy Ransomware
A malicious Edge browser extension named Edgecution has been documented in a ransomware attack where attackers abused a legitimate browser feature to break out of the Edge sandbox. Threat actors impersonating IT support staff on Microsoft Teams directed victims to a fake Microsoft website to install the extension. Once installed, Edgecution connects to a Python-based backdoor already planted on the system, giving attackers full access to stage ransomware and demand payment. BleepingComputer
Bluekit PhaaS Upgrades to Browser-in-the-Middle With Advanced Anti-Detection
The Bluekit phishing-as-a-service platform added browser-in-the-middle capabilities using the JavaScript library rrweb, streaming a legitimate Microsoft login page rendered in the attacker’s browser directly to the victim’s screen. Nearly 70 new Bluekit hostnames appeared in the past week. The platform now includes randomized CSS filters, WebRTC-based proxy detection, custom CAPTCHAs, and browser fingerprinting to block automated detection and security researchers. BleepingComputer
Russia Used Cellebrite on Activist’s iPhone Months After Promised Sales Cutoff
The Citizen Lab published findings on June 25 confirming Russian authorities used Cellebrite’s UFED Physical Analyzer and UFED 4PC to extract data from detained opposition activist Andrey Pivovarov’s iPhone in June 2021 — three months after Cellebrite publicly stated it would stop selling tools to Russia and Belarus. Russian government forensic documents name the tools and show searches for political associations with Open Russia and named opposition figures. Cellebrite stated any post-March 2021 use is unauthorized. The Hacker News
Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels With Node.js Implant
Microsoft Threat Intelligence documented an active multi-stage campaign targeting hospitality organizations across Europe and Asia since April 2026. Phishing emails using the display name “Booking Manager (via Calendly)” deliver photo-themed ZIP files containing fake image shortcuts that execute obfuscated PowerShell and install a Node.js-based implant with dual registry persistence. The campaign abused Calendly and Google URL redirect infrastructure to bypass email authentication defenses. Microsoft has not attributed the activity to a known threat actor. Microsoft Security Blog
Mistic Backdoor and ModeloRAT Linked to KongTuke Ransomware Access Broker
Broadcom’s Symantec and Carbon Black Threat Hunter Team confirmed that stealthy fileless backdoor Mistic is deployed by KongTuke, an initial access broker selling corporate footholds to ransomware groups including Qilin, Interlock, Rhysida, Akira, and Black Basta. Mistic runs entirely in process memory, writes nothing to disk, and carries a built-in kill switch enabling operators to erase all forensic evidence. The backdoor was observed side-loaded through a legitimate Microsoft endpoint protection file to evade detection. BleepingComputer
Stay tuned for today’s in-depth analysis posts.
