Executive Summary

The 2–3 June window presents an unusually dense threat surface driven by active exploitation of Windows domain infrastructure, a confirmed supply-chain compromise of Red Hat’s npm namespace, and the emergence of a novel blockchain-based RAT targeting the crypto sector. CISA added two new entries to its Known Exploited Vulnerabilities catalogue on 2 June, and 3 June marks simultaneous deadlines for five previously-added KEV entries, placing immediate patching pressure on federal and critical-infrastructure operators.

Top priorities for today:

  • CVE-2026-41089 (Windows Netlogon RCE, CVSS 9.8) — Active exploitation targeting domain controllers continues. Patch all DCs immediately via the May 2026 cumulative update. A single unpatched DC is sufficient for full domain compromise.
  • TeamPCP / Miasma npm supply chain attack — 31–32 packages in the @redhat-cloud-services npm namespace poisoned. Any organisation that ran npm install with these packages between 30 May and 2 June must treat developer and CI/CD credentials as compromised and rotate immediately.
  • PHANTOMPULSE RAT (REF6598) — Blockchain-based C2 RAT actively targeting crypto-sector and financial organisations via malicious Obsidian plugins. Hunt for Obsidian spawning shells and unusual Ethereum/Base/Optimism RPC traffic from non-browser processes.
  • CVE-2026-3055 (Citrix NetScaler SAML IDP RCE, CVSS 9.8) — Large-scale exploitation confirmed by Fortinet FortiGuard. Unpatched NetScaler appliances acting as SAML Identity Providers are at immediate risk of unauthenticated RCE. Disable SAML IDP on unpatched appliances now.
  • CVE-2025-48595 (Android Framework) — Added to CISA KEV 2 June; confirmed limited targeted exploitation. Push June 2026 Android security update (patch level 2026-06-05) via MDM immediately.

Threat Landscape Overview

# | Threat Cluster | Severity | Status | Timestamp
1 | CVE-2026-41089 — Windows Netlogon RCE (CVSS 9.8), domain controllers | CRITICAL | Active Exploitation | 2026-06-01
2 | TeamPCP / Miasma — npm supply chain on @redhat-cloud-services (31+ packages) | CRITICAL | Active | 2026-06-01
3 | PHANTOMPULSE RAT / REF6598 — blockchain C2, Obsidian plugin lure, crypto/finance | HIGH | Active | 2026-06-02
4 | CVE-2025-48595 — Android Framework integer overflow, CISA KEV | HIGH | Active Exploitation / CISA KEV added 2026-06-02 | 2026-06-02
5 | CVE-2026-45247 — Mirasvit Cache Warmer for Magento RCE (CVSS 9.8) | HIGH | Active / PoC public | 2026-06-02
6 | CVE-2026-0826 — HP Poly VVX/Trio VoIP unauthenticated RCE (CVSS 9.2) | HIGH | Metasploit module public | 2026-06-02
7 | BadBone — AI model backdoor evading Neural Cleanse/ABS detection | MEDIUM | Research disclosure | 2026-06-02
8 | CVE-2026-3055 — Citrix NetScaler SAML IDP RCE (CVSS 9.8) | CRITICAL | [UPDATED] Large-scale exploitation confirmed by Fortinet | 2026-06-02
9 | CVE-2022-0492 — Linux kernel cgroups v1 container escape, CISA KEV | HIGH | [UPDATED] CISA KEV added 2026-06-02 | 2026-06-02

New Intelligence

1. CVE-2026-41089 — Windows Netlogon RCE — Active Domain Controller Exploitation CRITICAL

CVE: CVE-2026-41089 • CVSS: 9.8 • Patched: May 2026 Patch Tuesday (2026-05-12) • Source: 2026-06-01 (Help Net Security, BleepingComputer, Penligent, ZDI); 2026-06-02 (Cyware)

CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon service, the core authentication protocol for Windows domain environments. Microsoft disclosed and patched the vulnerability on 2026-05-12, attributing internal discovery to its Windows Attack Research & Protection (WARP) team. The vulnerability carries a CVSS score of 9.8 and requires no credentials, no local access, and no user interaction to exploit — an attacker with network access to a domain controller’s Netlogon port (TCP 445 or UDP 138) can send a specially crafted packet and achieve arbitrary code execution running as SYSTEM.

Active exploitation was first confirmed by Belgium’s Centre for Cybersecurity (CCB) on 29 May. ZDI’s Dustin Childs issued a public warning emphasising the immediate domain-takeover blast radius. Because domain controllers authenticate all domain-joined systems, a single compromised DC provides a path to full enterprise compromise: KRBTGT hash extraction enabling Golden Ticket forgery, NTDS.dit credential dumping, and lateral movement to every workstation and server in the forest.

Critical advisory on mixed-patch environments: A single unpatched DC in a forest remains a viable attack vector even if all other DCs are patched. Half-patched forests are not a defensible state — patch all domain controllers in the same maintenance window.

IOCs: Anomalous Netlogon authentication requests to DCs from non-domain-joined sources • Spikes in Event ID 5723 / 5805 on domain controllers • LSASS memory access following Netlogon authentication anomalies • Unexpected NTDS.dit file access

TTPs: T1210 Exploitation of Remote Services • T1068 Exploitation for Privilege Escalation • T1003.003 OS Credential Dumping: NTDS • T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket • T1021.002 Remote Services: SMB/Windows Admin Shares


2. TeamPCP / Miasma — npm Supply Chain Attack on @redhat-cloud-services Namespace CRITICAL

Actor: TeamPCP (moderate-confidence attribution based on TTP overlap with Shai-Hulud tooling; copycat cannot be ruled out per Wiz) • Malware: Miasma (credential-stealing worm, descendant of Mini Shai-Hulud) • Source: 2026-06-01 (Wiz Research, Snyk, BleepingComputer, The Hacker News)

On 1 June 2026, Wiz Research identified a supply chain compromise affecting at minimum 31–32 package releases published under the @redhat-cloud-services npm namespace — packages collectively accumulating approximately 80,000 weekly downloads. A compromised Red Hat employee GitHub account is the assessed initial access vector, used to push malicious orphan commits into RedHatInsights repositories and bypass code review controls.

The malicious releases contain a preinstall lifecycle script that executes immediately upon npm install with no further user interaction. The payload is a heavily obfuscated credential-harvesting worm using char-code arrays and Caesar/ROT-style runtime decryption. It collects GitHub Actions secrets, npm authentication tokens, and cloud credentials for AWS, GCP, and Azure — an expansion of the AWS-focused original Shai-Hulud tooling. After harvesting credentials, Miasma attempts to self-propagate by abusing any npm publish permissions the victim’s tokens carry, enabling downstream compromise of additional packages in the victim’s scope.

Exposure window: Organisations that installed any @redhat-cloud-services packages between approximately 2026-05-30 and 2026-06-01 must assume credential theft and initiate immediate rotation of all secrets accessible from those environments.

TTPs: T1195.001 Supply Chain Compromise: Compromise Software Dependencies • T1059.001 Command and Scripting Interpreter: Node.js • T1555 Credentials from Password Stores • T1552.001 Unsecured Credentials: Credentials in Files • T1567.001 Exfiltration Over Web Service (worm self-propagation via npm publish)


3. PHANTOMPULSE RAT / REF6598 — Blockchain-Based C2 Targeting Crypto and Finance HIGH

Actor: REF6598 (Elastic Security Labs tracking name); unattributed nation-state affiliation; AI-assisted development artefacts noted • Malware: PHANTOMPULSE (full-featured RAT with blockchain C2) • Source: April 2026 (Elastic Security Labs original disclosure); 2026-06-02 (Cyware re-highlight)

PHANTOMPULSE is a sophisticated 64-bit Windows remote access trojan attributed to the REF6598 cluster by Elastic Security Labs. The campaign uses social engineering via LinkedIn and Telegram to lure crypto and financial sector targets into installing a malicious Obsidian note-taking plugin. The plugin abuses Obsidian’s legitimate community plugin ecosystem — specifically the Shell Commands and Hider plugins — to silently deploy the PHANTOMPULSE payload.

The most technically significant aspect is its C2 mechanism: rather than hard-coding IP addresses or domains, the RAT resolves C2 infrastructure by reading the input field of the most recent transaction from a hard-coded cryptocurrency wallet address, queried across three blockchain networks: Ethereum, Base, and Optimism. This renders IOC-based C2 blocking ineffective — the actor can update the blockchain transaction to route traffic to a new server at any time. A Telegram Bot API channel serves as fallback C2.

PHANTOMPULSE implements three process injection techniques — PhantomInject (shellcode injection), DbgNexum (EXE payload injection), and ManualMap (DLL side-loading) — and actively bypasses AMSI, Windows Lockdown Policy (WLDP), and ETW via hardware breakpoints, direct syscalls, and API wrapper abuse. The entire payload loads in memory; no disk artefacts are created.

Behavioural IOCs: Obsidian.exe spawning cmd.exe / powershell.exe child processes • Outbound HTTPS to Ethereum/Base/Optimism JSON-RPC endpoints (e.g., eth_getTransactionByHash queries) from non-browser processes • Telegram API connections from non-user-interactive processes • New plugin directories under %APPDATA%\Obsidian\plugins\

TTPs: T1566.002 Spearphishing Link (LinkedIn/Telegram lure) • T1218 System Binary Proxy Execution (Obsidian plugin abuse) • T1055 Process Injection (PhantomInject/DbgNexum/ManualMap) • T1102 Web Service (blockchain-based C2) • T1071.001 Application Layer Protocol: Web Protocols (Telegram fallback) • T1562.001 Impair Defenses: Disable AMSI/ETW • T1620 Reflective Code Loading
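Added example (not Elastic's detection logic) for the C2 resolver described above: the JSON-RPC method name a resolver needs (eth_getTransactionByHash and friends) travels in the POST body, not the URL, so a body-aware egress-proxy check catches queries sent to RPC endpoints on generic hosts that a URL keyword match would miss. The log record layout, the browser allowlist and all sample records are constructed assumptions.

```python
"""Flag blockchain JSON-RPC lookups and Telegram Bot API traffic from
processes that are neither browsers nor an allowlisted wallet, over
egress-proxy records that retain the HTTP body (assumed record layout)."""
import json
from dataclasses import dataclass
from typing import List, Optional

# JSON-RPC methods a resolver needs to read a wallet's most recent
# transaction; Ethereum, Base and Optimism all expose the same eth_* API.
RPC_METHODS = {"eth_getTransactionByHash", "eth_getBlockByNumber",
               "eth_getLogs", "eth_call", "eth_getTransactionCount"}
# Assumed allowlist; extend with approved wallet software in real use.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
TELEGRAM_HOST = "api.telegram.org"


@dataclass
class Finding:
    process: str
    host: str
    reason: str


def rpc_method(body: str) -> Optional[str]:
    """Return the JSON-RPC 2.0 method in a request body (batch-aware), else None."""
    try:
        doc = json.loads(body) if body else None
    except json.JSONDecodeError:
        return None
    if isinstance(doc, list):          # batched JSON-RPC: inspect first call
        doc = doc[0] if doc else None
    if isinstance(doc, dict) and doc.get("jsonrpc") == "2.0":
        return doc.get("method")
    return None


def analyse(records: List[dict], allowlist=BROWSERS) -> List[Finding]:
    """One finding per record that matches blockchain C2 or Telegram fallback."""
    findings = []
    for r in records:
        proc = r["process"].lower()
        if proc in allowlist:
            continue                      # browsers legitimately talk to RPC nodes
        method = rpc_method(r.get("body", ""))
        if method in RPC_METHODS:
            findings.append(Finding(proc, r["host"],
                                    f"json-rpc {method} from non-browser process"))
        elif r["host"].lower() == TELEGRAM_HOST and "/bot" in r.get("path", ""):
            findings.append(Finding(proc, r["host"],
                                    "telegram bot api from non-browser process"))
    return findings


# Constructed sample records; the bot token segment is a placeholder.
RPC_BODY = json.dumps({"jsonrpc": "2.0", "id": 1,
                       "method": "eth_getTransactionByHash",
                       "params": ["0x" + "0" * 64]})
SAMPLE_RECORDS = [
    {"process": "Obsidian.exe", "host": "mainnet.base.org", "path": "/", "body": RPC_BODY},
    {"process": "chrome.exe", "host": "mainnet.base.org", "path": "/", "body": RPC_BODY},
    {"process": "Obsidian.exe", "host": "api.telegram.org",
     "path": "/bot<TOKEN_PLACEHOLDER>/getUpdates", "body": ""},
    {"process": "Teams.exe", "host": "graph.microsoft.com", "path": "/v1.0/me", "body": ""},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f)
```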


4. CVE-2025-48595 — Android Framework Integer Overflow (CISA KEV, Targeted Exploitation) HIGH

CVE: CVE-2025-48595 • CISA KEV added: 2026-06-02 • CISA deadline: 2026-06-23 • Affects: Android 14, 15, 16, 16 QPR2 • Source: 2026-06-02 (Google Android Security Bulletin, Help Net Security, The Hacker News, CISA)

Google’s June 2026 Android security update (released 2 June) patches 124 vulnerabilities across two patch levels (2026-06-01 and 2026-06-05). Among these, CVE-2025-48595 — an integer overflow (CWE-190) in the Android Framework component — is explicitly acknowledged by Google as being “under limited, targeted exploitation.”

The vulnerability allows a local attacker to escalate privileges and achieve arbitrary code execution without elevated permissions or user interaction, making it a suitable privilege escalation component in a full exploit chain (e.g., following a browser sandbox escape or malicious application installation). The limited/targeted exploitation pattern is consistent with commercial spyware operators or nation-state actors targeting journalists, activists, and government officials. CISA confirmed the exploitation by adding the CVE to KEV on 2 June.

Action required: Push the June 2026 Android security update at patch level 2026-06-05 (not 2026-06-01) via MDM immediately. Patch level 2026-06-05 is required to receive all fixes including kernel and chipset driver patches. CISA BOD 22-01 deadline: 2026-06-23.

TTPs: T1068 Exploitation for Privilege Escalation • T1404 Exploit OS Vulnerability (mobile) • T1437 Application Layer Protocol (C2 via mobile apps)


5. CVE-2026-45247 — Mirasvit Cache Warmer for Magento Unauthenticated RCE HIGH

CVE: CVE-2026-45247 • CVSS: 9.8 • Fixed in: Mirasvit Cache Warmer v1.11.12 (released 2026-05-25) • Exposure: ~6,000 Magento stores • Source: 2026-06-02 (Sansec via Cyware)

CVE-2026-45247 is a critical unauthenticated remote code execution vulnerability in the Mirasvit Cache Warmer plugin for Magento, a popular extension used by e-commerce stores for page cache pre-warming. Sansec disclosed the vulnerability on 2 June, estimating at least 6,000 exposed Magento stores. A working exploit approach has been publicly described, substantially lowering the barrier for opportunistic actors.

Successful exploitation allows unauthenticated attackers to execute arbitrary server-side code, enabling full store takeover, database access, payment card skimming script injection (Magecart-style), and customer PII exfiltration. The patch was released on 25 May in version 1.11.12.

Action required: Update Mirasvit Cache Warmer to v1.11.12 immediately. Audit web server logs for anomalous unauthenticated requests to Cache Warmer plugin endpoints. Check for web shell implants in the Magento application directory.

TTPs: T1190 Exploit Public-Facing Application • T1059 Command and Scripting Interpreter • T1505.003 Server Software Component: Web Shell


6. CVE-2026-0826 — HP Poly VVX / Trio VoIP Phones Unauthenticated RCE HIGH

CVE: CVE-2026-0826 • CVSS: 9.2 • Researcher: Rapid7 / Stephen Fewer • Status: Metasploit module public • Source: 2026-06-02 (Rapid7 via Cyware)

CVE-2026-0826 is a critical unauthenticated remote code execution vulnerability affecting HP Poly VVX and Trio series VoIP desk phones. Disclosed by Rapid7 researcher Stephen Fewer, the vulnerability allows an attacker with network access to the phone’s management interface to execute arbitrary commands with root privileges — no authentication required. A Metasploit module demonstrating exploitation against a Poly VVX 450 has been made public, dramatically increasing the real-world exploitation risk. Automated exploitation attempts at scale should be expected within 24–48 hours of Metasploit module publication.

Compromised VoIP phones can be abused as persistent network footholds: call interception, voice data collection, network traffic sniffing (phones are often on dedicated VLANs with trusted access), and lateral movement into adjacent systems.

Action required: Apply HP Poly firmware updates immediately (VVX: UCS 6.4.8+; Trio 8300: UCS 8.1.7+; Trio 8500/8800: UCS 7.2.8+). Immediately block all external network access to Poly phone management interfaces (TCP 80/443/8080/8443). VoIP phone management must never be internet-facing.

TTPs: T1190 Exploit Public-Facing Application • T1040 Network Sniffing • T1557 Adversary-in-the-Middle


7. BadBone — AI Model Backdoor Evading Standard Defences MEDIUM

Source: 2026-06-02 (Cyware)

BadBone is a newly disclosed AI model backdoor technique that embeds malicious behaviour into machine learning models in a way that evades current mainstream detection tools. The technique remains dormant in a distributed model until the end deployer fine-tunes the model with prompt learning, after which a specific trigger activates the backdoor. BadBone does not require access to the victim’s actual training data — attackers use a stand-in dataset with similar content, making supply-chain poisoning of publicly distributed AI models practical.

Testing against six poisoned models showed that Neural Cleanse and ABS — two standard ML backdoor detection tools — rated all six models as clean. MNTD detected only larger models. This represents a significant gap in the current AI security toolchain. Organisations that download and fine-tune third-party AI models face an undetected supply-chain backdoor risk that activates only after internal deployment and fine-tuning.

Action required: Establish an internal model registry. Do not allow developers to pull models directly from Hugging Face or similar sources into production without security review. Implement model provenance checks and maintain a hash-verified allowlist of approved model versions. Treat any unexpected model output following fine-tuning as a potential BadBone indicator.


Updated Intelligence

8. CVE-2026-3055 — Citrix NetScaler SAML IDP RCE — Large-Scale Exploitation Confirmed CRITICAL [UPDATED]

First reported: 2026-03-23 (Citrix advisory CTX696300) • Updated: 2026-06-02 (Fortinet FortiGuard Outbreak Alert, Threat-Modeling.com)

Fortinet’s FortiGuard Labs published an Outbreak Alert on approximately 2 June confirming large-scale active exploitation of CVE-2026-3055 against internet-facing NetScaler appliances configured as SAML Identity Providers. While Citrix patched the vulnerability on 23 March 2026, widespread exploitation at scale now elevates this from a known patching item to an active emergency for any unpatched environment.

CVE-2026-3055 (CVSS 9.8) is an out-of-bounds read (CWE-125) in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider. Insufficient input validation in SAML request processing allows unauthenticated remote attackers to trigger a memory overread leading to arbitrary code execution. Successful exploitation enables full compromise of the SAML IDP, allowing attackers to forge SAML assertions and authenticate to any service-provider application that trusts the NetScaler IDP — including internal applications, cloud services, and VPN portals.

Action required: Upgrade to NetScaler ADC 13.1-62.23 or later, or 14.1-60.58 or later, immediately. If patching cannot be completed immediately, disable the SAML IDP configuration on unpatched appliances until patched. Audit SAML assertion logs for anomalous authentication events from unexpected source IPs.

TTPs: T1190 Exploit Public-Facing Application • T1133 External Remote Services • T1078 Valid Accounts (post-exploitation via forged SAML assertions)


9. CVE-2022-0492 — Linux Kernel cgroups v1 Container Escape — CISA KEV Added HIGH [UPDATED]

First reported: 2022-02-04 • CISA KEV added: 2026-06-02 • Source: CISA, Security Affairs

CISA added CVE-2022-0492 to the Known Exploited Vulnerabilities catalogue on 2 June 2026, confirming active exploitation in current attack campaigns. The original vulnerability was disclosed in February 2022 and patched at that time in kernel 5.17-rc3 (backported to stable series), but unpatched Linux systems — particularly in containerised Kubernetes and Docker environments running older kernels — remain exposed.

CVE-2022-0492 is an improper authentication vulnerability in the Linux kernel’s cgroups v1 release_agent feature. A local user with access to a cgroup v1 hierarchy can exploit this to escape container boundaries and execute arbitrary commands on the container host with root privileges (CVSS 7.8). The CISA KEV addition confirms this is being actively leveraged in current container escape attack chains.

Action required: Apply Linux kernel patches (5.17+ or applicable stable backport). For containerised environments: migrate to cgroups v2 (not affected), enable seccomp and AppArmor profiles, and restrict the SYS_ADMIN capability. CISA BOD 22-01 mandates Federal agencies remediate by the standard KEV deadline.

TTPs: T1611 Escape to Host (container breakout) • T1068 Exploitation for Privilege Escalation
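Added example (not CISA's or Security Affairs' code) that checks the three mitigations above from inside a container: kernel at or after the mainline fix, cgroups v2 rather than a reachable v1 hierarchy, and CAP_SYS_ADMIN absent from the effective capability set. It reads the same proc files a live check would; the sample file contents are constructed. A distro stable backport keeps an older version string, so a "kernel predates fix" finding has to be confirmed against the distro changelog.

```python
"""CVE-2022-0492 posture check: kernel version, cgroup mode and CAP_SYS_ADMIN,
parsed from /proc/sys/kernel/osrelease, /proc/mounts, /proc/self/cgroup and
/proc/self/status (or constructed strings with the same layout)."""
import re
from pathlib import Path

FIXED_KERNEL = (5, 17)   # mainline fix per the brief; backports are not visible here
CAP_SYS_ADMIN_BIT = 21   # bit index of CAP_SYS_ADMIN in the CapEff bitmask


def kernel_at_least(osrelease: str, minimum=FIXED_KERNEL) -> bool:
    """Compare major.minor of an osrelease string such as '5.10.0-21-amd64'."""
    m = re.match(r"(\d+)\.(\d+)", osrelease)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= minimum


def cgroup_v1_hierarchies(proc_mounts: str) -> list:
    """Mount points whose fstype is 'cgroup' (v1); 'cgroup2' entries are ignored."""
    hits = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "cgroup":
            hits.append(fields[1])
    return hits


def cgroup_mode(proc_self_cgroup: str) -> str:
    """'v2' if only the unified '0::' entry exists, 'v1' if only numbered
    hierarchies exist, 'hybrid' if both are present."""
    lines = [ln for ln in proc_self_cgroup.splitlines() if ln.strip()]
    unified = any(ln.startswith("0::") for ln in lines)
    legacy = any(not ln.startswith("0::") for ln in lines)
    if unified and legacy:
        return "hybrid"
    return "v2" if unified else "v1"


def has_cap_sys_admin(proc_self_status: str) -> bool:
    """Parse the CapEff line of /proc/self/status and test bit 21."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", proc_self_status, re.MULTILINE)
    return bool(m) and bool((int(m.group(1), 16) >> CAP_SYS_ADMIN_BIT) & 1)


def assess(osrelease, proc_mounts, proc_self_cgroup, proc_self_status) -> dict:
    """Combine the checks into findings plus an overall verdict."""
    v1_mounts = cgroup_v1_hierarchies(proc_mounts)
    findings = {
        "kernel_at_least_5_17": kernel_at_least(osrelease),
        "cgroup_mode": cgroup_mode(proc_self_cgroup),
        "cgroup_v1_mounts": v1_mounts,
        "cap_sys_admin": has_cap_sys_admin(proc_self_status),
    }
    # The escape needs a reachable v1 hierarchy on a kernel that predates the fix;
    # CAP_SYS_ADMIN on top removes the last guard the brief recommends keeping.
    v1_reachable = bool(v1_mounts) or findings["cgroup_mode"] != "v2"
    if not v1_reachable:
        verdict = "NOT-EXPOSED (cgroups v2)"
    elif findings["kernel_at_least_5_17"]:
        verdict = "MITIGATED (kernel fixed; still migrate to v2)"
    elif findings["cap_sys_admin"]:
        verdict = "EXPOSED (v1 + old kernel + CAP_SYS_ADMIN)"
    else:
        verdict = "AT-RISK (v1 + old kernel; verify backport, keep SYS_ADMIN dropped)"
    findings["verdict"] = verdict
    return findings


def assess_live() -> dict:
    """Run the check against the current host or container."""
    def rd(p: str) -> str:
        return Path(p).read_text()
    return assess(rd("/proc/sys/kernel/osrelease"), rd("/proc/mounts"),
                  rd("/proc/self/cgroup"), rd("/proc/self/status"))


# Constructed samples: a legacy-cgroup container on an old kernel with SYS_ADMIN,
# and a cgroups v2 container on a newer kernel with Docker's default capability set.
SAMPLE_MOUNTS_V1 = (
    "overlay / overlay rw,relatime 0 0\n"
    "tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n"
    "cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0\n"
)
SAMPLE_CGROUP_V1 = "12:memory:/docker/abc\n11:rdma:/\n"
SAMPLE_STATUS_ADMIN = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t0000003fffffffff\n"
SAMPLE_MOUNTS_V2 = "cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_CGROUP_V2 = "0::/\n"
SAMPLE_STATUS_DROPPED = "Name:\tsh\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    print(assess("5.10.0-21-amd64", SAMPLE_MOUNTS_V1, SAMPLE_CGROUP_V1, SAMPLE_STATUS_ADMIN))
    print(assess("6.1.0-18-amd64", SAMPLE_MOUNTS_V2, SAMPLE_CGROUP_V2, SAMPLE_STATUS_DROPPED))
```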


IOC Summary

Type | Value | Campaign
Behaviour | Obsidian.exe spawning cmd.exe / powershell.exe | PHANTOMPULSE / REF6598
Behaviour | Ethereum/Base/Optimism JSON-RPC queries (eth_getTransactionByHash) from non-browser processes | PHANTOMPULSE / REF6598 (blockchain C2 resolver)
Behaviour | api.telegram.org connections from non-user-interactive processes | PHANTOMPULSE / REF6598 (fallback C2)
File path | %APPDATA%\Obsidian\plugins\ — newly created plugin directories | PHANTOMPULSE / REF6598 (malicious plugin delivery)
npm package | @redhat-cloud-services/* — versions published 2026-05-30 to 2026-06-01 | Miasma / TeamPCP supply chain
Behaviour | npm install immediately followed by outbound HTTPS to non-npmjs.com endpoints | Miasma / TeamPCP credential exfil
Windows Event ID | Event ID 5723, 5805 spikes on domain controllers | CVE-2026-41089 Netlogon exploitation
Behaviour | Inbound TCP 80/443/8080/8443 to HP Poly phone from external IPs | CVE-2026-0826 HP Poly VoIP RCE
Process path | /sys/fs/cgroup or release_agent access from container context | CVE-2022-0492 Linux cgroups container escape

KQL Hunting Queries

HUNT-01: CVE-2026-41089 — Netlogon Exploitation with Post-Compromise Credential Dumping

Covers Windows Netlogon RCE exploitation pattern leading to credential dumping tooling. MITRE: T1210, T1003.003.

// HUNT-01: CVE-2026-41089 — Netlogon exploitation + credential dumping toolchain
// Covers: Windows Netlogon RCE domain controller compromise
// MITRE: T1210, T1003.003
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445 or RemotePort == 135
| where InitiatingProcessFileName in~ ("lsass.exe", "svchost.exe")
| where ActionType == "InboundConnectionAccepted"
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any ("lsadump", "dcsync", "sekurlsa", "ntds.dit", "mimikatz", "impacket", "secretsdump")
) on DeviceName
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc

HUNT-02: PHANTOMPULSE — Obsidian Spawning Shell Process

Covers REF6598 PHANTOMPULSE initial access via malicious Obsidian plugin. MITRE: T1218, T1055.

// HUNT-02: PHANTOMPULSE — Obsidian plugin spawning shell
// Covers: REF6598 / PHANTOMPULSE RAT delivery
// MITRE: T1218, T1055
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "Obsidian.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

HUNT-03: PHANTOMPULSE — Blockchain API C2 Queries from Non-Browser Processes

Covers REF6598 PHANTOMPULSE blockchain-based C2 resolution. MITRE: T1102.

// HUNT-03: PHANTOMPULSE — blockchain C2 resolver from non-browser process
// Covers: REF6598 Ethereum/Base/Optimism C2 resolution
// MITRE: T1102
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any ("eth_getTransactionByHash", "eth_call", "infura.io", "alchemy.com", "base.org", "optimism.io", "quicknode.pro")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

HUNT-04: Miasma / TeamPCP — npm Install Triggering Unexpected Outbound Connection

Covers Miasma worm credential exfiltration at npm install time. MITRE: T1195.001, T1567.

// HUNT-04: Miasma npm supply chain — credential exfil at install time
// Covers: @redhat-cloud-services npm supply chain compromise
// MITRE: T1195.001, T1567
DeviceNetworkEvents
| where Timestamp > ago(72h)
| where InitiatingProcessFileName in~ ("node.exe", "node", "npm.cmd", "npm")
| where RemoteUrl !contains "registry.npmjs.org" and RemoteUrl !contains "npmjs.com"
| where RemoteUrl !contains "localhost" and RemoteUrl !contains "127.0.0.1"
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

HUNT-05: CVE-2026-41089 Post-Exploitation — NTDS.dit Access on Domain Controller

Covers NTDS.dit extraction following Netlogon RCE exploitation. MITRE: T1003.003.

// HUNT-05: CVE-2026-41089 post-exploitation — NTDS.dit access
// Covers: Domain credential database extraction after DC compromise
// MITRE: T1003.003
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName =~ "ntds.dit" or (FileName =~ "SYSTEM" and FolderPath has "Windows\\System32\\config")
| where InitiatingProcessFileName !in~ ("ntdsutil.exe", "vssvc.exe", "wbengine.exe", "svchost.exe")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

HUNT-06: CVE-2022-0492 — Linux cgroups Container Escape Attempt

Covers Linux kernel cgroups v1 container escape via release_agent. MITRE: T1611.

// HUNT-06: CVE-2022-0492 — cgroups v1 container escape attempt
// Covers: Linux kernel cgroups v1 release_agent privilege escalation
// MITRE: T1611
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("bash", "sh", "python3", "python")
| where ProcessCommandLine has_any ("release_agent", "/sys/fs/cgroup", "notify_on_release")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

HUNT-07: CVE-2026-0826 — External Connection to HP Poly VoIP Management Interface

Covers HP Poly phone exploitation attempts from external networks. MITRE: T1190.

// HUNT-07: CVE-2026-0826 — external connections to HP Poly VoIP management
// Covers: HP Poly VVX/Trio Metasploit-exploited RCE
// MITRE: T1190
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where DeviceName has_any ("poly", "vvx", "trio", "plantronics")
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172."
| where ActionType == "InboundConnectionAccepted"
| where RemotePort in (80, 443, 8080, 8443)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ActionType, InitiatingProcessFileName
| order by Timestamp desc

KQL Detection Rules (High Fidelity)

DET-01: CVE-2026-41089 — LSASS Memory Access Post-Netlogon Exploitation CRITICAL

Rationale: LSASS memory access from non-system processes is an almost universally malicious indicator in post-Netlogon-exploitation scenarios. Legitimate exceptions are AV/EDR sensors (allowlist by vendor process name). This rule targets cross-process memory reads of lsass.exe on systems identified as domain controllers.

// DET-01: CVE-2026-41089 — LSASS credential dump post-Netlogon RCE
// MITRE: T1003.001 | Severity: CRITICAL
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "LsassProcessAccess"
| where DeviceName has_any ("DC", "DOMCON", "-DC-", "-AD-")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "SentinelAgent.exe", "csagent.exe", "SenseIR.exe", "csrss.exe", "wininit.exe", "svchost.exe")
| extend AlertTitle = "LSASS Memory Access on Domain Controller — Suspected Post-CVE-2026-41089 Credential Dump"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1003.001 — OS Credential Dumping: LSASS Memory"
| extend RecommendedAction = "Isolate DC immediately. Capture memory dump before remediation. Assume domain-wide credential compromise. Initiate emergency double KRBTGT password reset. Audit all DCs for same access pattern. Engage IR. Do not reboot before forensics."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

DET-02: PHANTOMPULSE — Obsidian Spawning Shell Process HIGH

Rationale: Obsidian is a notes application with no legitimate reason to spawn command interpreters under normal use. REF6598 exclusively uses this vector. The only false positive scenario is a developer running a custom Obsidian Shell Commands plugin automation — allowlist those by specific known command-line signatures. Absent an allowlist entry, treat this as confirmed.

// DET-02: PHANTOMPULSE — Obsidian spawning shell process (REF6598)
// MITRE: T1218 | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "Obsidian.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe")
| extend AlertTitle = "PHANTOMPULSE RAT Delivery — Obsidian Spawning Shell (REF6598)"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1218 — System Binary Proxy Execution via Obsidian Plugin Abuse"
| extend RecommendedAction = "Quarantine device. Preserve %APPDATA%\\Obsidian\\plugins\\ directory for forensics. Hunt for blockchain API outbound connections. Hunt for Telegram API connections. Check for lateral movement from this host. Contact Elastic for REF6598 detection artefacts."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

DET-03: Miasma / TeamPCP — npm Install Exfiltrating to Non-Registry Endpoint HIGH

Rationale: The Miasma worm exfiltrates credentials immediately upon npm install by spawning a Node.js subprocess making outbound HTTPS connections to attacker-controlled infrastructure. Legitimate postinstall scripts may make outbound calls to known endpoints — allowlist those specifically. The key signal is npm install triggering unexpected external HTTPS connections.

// DET-03: Miasma supply chain — npm install credential exfiltration
// MITRE: T1195.001 | Severity: HIGH
DeviceNetworkEvents
| where Timestamp > ago(72h)
| where InitiatingProcessFileName in~ ("node.exe", "node", "npm.cmd", "npm")
| where RemoteUrl !contains "registry.npmjs.org" and RemoteUrl !contains "npmjs.com"
| where RemoteUrl !contains "localhost" and RemoteUrl !contains "127.0.0.1"
| where ActionType == "ConnectionSuccess"
| extend AlertTitle = "Miasma TeamPCP Supply Chain — npm Install Making Unexpected External Connection"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1195.001 — Supply Chain Compromise / T1567 — Exfiltration Over Web Service"
| extend RecommendedAction = "Immediately rotate all secrets: GitHub tokens, npm tokens, AWS IAM keys, GCP service account credentials, Azure access tokens. Identify which @redhat-cloud-services packages were installed 2026-05-30 to 2026-06-01. Remove compromised package versions. Notify cloud provider security teams."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

DET-04: CVE-2026-0826 — HP Poly VoIP Phone Receiving External Management Connection HIGH

Rationale: HP Poly VVX and Trio phones should never receive management connections from external IP ranges. With a public Metasploit module now available for CVE-2026-0826, automated scanning and exploitation at scale is imminent. Allowlist internal monitoring platforms (e.g., Poly Lens) and management VLANs specifically.

// DET-04: CVE-2026-0826 — external connection to HP Poly VoIP management
// MITRE: T1190 | Severity: HIGH
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where DeviceName has_any ("poly", "vvx", "trio", "plantronics")
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172."
| where ActionType == "InboundConnectionAccepted"
| where RemotePort in (80, 443, 8080, 8443)
| extend AlertTitle = "CVE-2026-0826 — External Connection to HP Poly VoIP Management Interface"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1190 — Exploit Public-Facing Application"
| extend RecommendedAction = "Immediately firewall all HP Poly management interfaces from external/untrusted networks. Apply firmware updates: VVX → UCS 6.4.8+, Trio 8300 → UCS 8.1.7+, Trio 8500/8800 → UCS 7.2.8+. Inspect phone for signs of compromise (unusual outbound connections, config changes)."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, RemoteIP, RemotePort, ActionType
| order by Timestamp desc

Mitigation Priorities

Patch (actively exploited — act now)

  • Windows Server (all domain controllers) — CVE-2026-41089 — Apply May 2026 cumulative update to all domain controllers simultaneously. A single unpatched DC remains an attack path even after others are patched.
  • Citrix NetScaler ADC/Gateway — CVE-2026-3055 — CTX696300 — Upgrade to 13.1-62.23+ or 14.1-60.58+. If patching is not immediately possible, disable SAML IDP configuration until patched. Large-scale exploitation confirmed by Fortinet.
  • Android June 2026 Security Update — CVE-2025-48595 — Push patch level 2026-06-05 via MDM immediately. CISA BOD 22-01 deadline: 2026-06-23.
  • Mirasvit Cache Warmer v1.11.12+ — CVE-2026-45247 — Update plugin immediately. Audit web server logs for exploitation attempts against Cache Warmer endpoints.
  • HP Poly VVX/Trio firmware — CVE-2026-0826 — Update firmware (VVX: UCS 6.4.8+; Trio 8300: UCS 8.1.7+; Trio 8500/8800: UCS 7.2.8+). Block external management interface access immediately.
  • Linux kernel — CVE-2022-0492 — Apply kernel patch (5.17+ or stable backport). Migrate container workloads to cgroups v2. Enable seccomp and AppArmor profiles.

Supply chain response (act now)

  • Immediate credential rotation required for any environment that executed npm install with @redhat-cloud-services packages between 2026-05-30 and 2026-06-01. Rotate: GitHub tokens, npm tokens, AWS IAM access keys, GCP service account credentials, Azure access tokens.
  • Audit CI/CD pipeline logs for jobs that ran npm install with @redhat-cloud-services dependencies in the exposure window.
  • Pin npm dependencies to known-good integrity hashes through the lockfile and install with npm ci so that only those pinned versions are installed. Subscribe to Socket.dev or Snyk for real-time malicious package detection.
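Added example (not code from Wiz, Snyk or Red Hat) serving both the Miasma description in item 2 and the supply-chain response list above: it walks an npm lockfile (v1, v2 or v3 layout) for packages under the @redhat-cloud-services scope, reads each one's installed package.json for the install-time lifecycle hooks Miasma abuses, and classifies the result. The poisoned-version list is a placeholder to fill from the advisory, and the sample lockfile and package are constructed.

```python
"""Audit an npm project for packages from a compromised scope and for
install-time lifecycle hooks (Miasma runs from a `preinstall` script).
Lockfile layouts follow npm's documented v1 (nested "dependencies") and
v2/v3 (flat "packages" map) formats; ADVISORY_VERSIONS is a placeholder."""
import json
from pathlib import Path
from typing import Dict, List, Set, Tuple

SUSPECT_SCOPE = "@redhat-cloud-services/"
# Placeholder: fill from the advisory, e.g. {"@redhat-cloud-services/x": {"1.2.3"}}
ADVISORY_VERSIONS: Dict[str, Set[str]] = {}
# Scripts npm runs automatically during `npm install`, with no user interaction
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scoped_packages(lock: dict) -> List[Tuple[str, str]]:
    """(name, version) for every lockfile entry under SUSPECT_SCOPE."""
    found: List[Tuple[str, str]] = []
    # lockfile v2/v3: flat "packages" map keyed by node_modules path
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if path and name.startswith(SUSPECT_SCOPE):
            found.append((name, meta.get("version", "?")))
    if not lock.get("packages"):
        _walk_v1(lock.get("dependencies", {}), found)   # lockfile v1 tree
    return sorted(set(found))


def _walk_v1(deps: dict, out: List[Tuple[str, str]]) -> None:
    for name, meta in deps.items():
        if name.startswith(SUSPECT_SCOPE):
            out.append((name, meta.get("version", "?")))
        _walk_v1(meta.get("dependencies", {}), out)


def install_hooks(pkg_json: dict) -> Dict[str, str]:
    """Lifecycle scripts from a package.json that execute at install time."""
    return {k: v for k, v in pkg_json.get("scripts", {}).items() if k in INSTALL_HOOKS}


def assess(lock: dict, installed: Dict[str, dict]) -> List[dict]:
    """Classify each in-scope package. `installed` maps package name to its
    parsed node_modules/<name>/package.json (see load_installed)."""
    report = []
    for name, version in scoped_packages(lock):
        hooks = install_hooks(installed.get(name, {}))
        if version in ADVISORY_VERSIONS.get(name, set()):
            verdict = "KNOWN-BAD"           # version listed by the advisory
        elif hooks:
            verdict = "INSTALL-HOOK"        # runs code at install: read the script
        else:
            verdict = "CHECK-PUBLISH-DATE"  # lockfiles carry no dates: ask the registry
        report.append({"package": name, "version": version,
                       "hooks": hooks, "verdict": verdict})
    return report


def load_installed(project: Path, names: List[str]) -> Dict[str, dict]:
    """Read node_modules/<name>/package.json for each name present on disk."""
    out = {}
    for name in names:
        p = project / "node_modules" / name / "package.json"
        if p.is_file():
            out[name] = json.loads(p.read_text())
    return out


def audit_project(project: Path) -> List[dict]:
    """Run the audit against a real checkout (package-lock.json + node_modules)."""
    lock = json.loads((project / "package-lock.json").read_text())
    names = [n for n, _ in scoped_packages(lock)]
    return assess(lock, load_installed(project, names))


# Constructed sample data: not a real package and not an advisory-listed version.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@redhat-cloud-services/example-lib": {"version": "9.9.9"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}
SAMPLE_INSTALLED = {
    "@redhat-cloud-services/example-lib": {
        "name": "@redhat-cloud-services/example-lib", "version": "9.9.9",
        # constructed stand-in for the kind of hook the brief describes
        "scripts": {"preinstall": "node ./setup.js", "test": "jest"},
    },
}

if __name__ == "__main__":
    for row in assess(SAMPLE_LOCK, SAMPLE_INSTALLED):
        print(row)
```

For CI runners, `npm ci --ignore-scripts` prevents lifecycle hooks from executing at all, and `npm view <package> time` returns the publish timestamp of each version for the CHECK-PUBLISH-DATE case.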

Domain controller emergency response

  • If domain controllers show Netlogon authentication anomalies or LSASS access events consistent with exploitation, initiate Golden Ticket response: double KRBTGT password reset (two separate resets, at least 10 hours apart to invalidate all existing Kerberos tickets).
  • Restrict Netlogon protocol (TCP 445, UDP 138) on domain controllers to trusted internal segments at the firewall layer while patching proceeds.
  • Review all domain controller event logs (Event ID 5723, 5805) retroactively from 29 May when exploitation was first confirmed.

Awareness / process

  • Alert financial and crypto-sector employees to the PHANTOMPULSE / REF6598 campaign: do not install Obsidian plugins from LinkedIn or Telegram contacts. All Obsidian plugin installs must go through the official Obsidian community plugins marketplace with IT security approval.
  • Establish an internal AI model registry; do not allow developers to pull models from Hugging Face or similar sources into production without security review (BadBone mitigation).
  • June 3 marks simultaneous CISA KEV deadlines for multiple previously-added CVEs — complete a full patch status review across all open KEV items today.

Sources

  • Windows Netlogon RCE exploited, domain controllers at risk (CVE-2026-41089) — Help Net Security, 2026-06-01
  • Critical Windows Netlogon RCE flaw now exploited in attacks — BleepingComputer, 2026-06-01/02
  • CVE-2026-41089, Windows Netlogon RCE and the Domain Controller Blast Radius — Penligent, 2026-05-29 to 2026-06-02
  • Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog, 2026-06-01
  • Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker News, 2026-06-01/02
  • Red Hat npm packages compromised to steal developer credentials — BleepingComputer, 2026-06-01/02
  • Miasma Attack Hits Red Hat npm Packages — Snyk, 2026-06-01/02
  • Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT — Elastic Security Labs, 2026-04 (original); cited in Cyware 2026-06-02
  • Google fixes actively exploited Android vulnerability (CVE-2025-48595) — Help Net Security, 2026-06-02
  • Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited — The Hacker News, 2026-06-02
  • CISA Adds Two Known Exploited Vulnerabilities to Catalog — CISA, 2026-06-02
  • Vulnerability Intelligence Report — June 2, 2026 — Threat-Modeling.com, 2026-06-02
  • Citrix NetScaler SAML IDP Vulnerability (CVE-2026-3055): Large-Scale Exploitation Confirmed by Fortinet — Threat-Modeling.com, 2026-06-02
  • Security Bulletin CTX696300 — Citrix, 2026-03-23 (updated)
  • Outbreak Alert: Citrix NetScaler memory overread vulnerability — Fortinet Community, 2026-06-02
  • CVE-2022-0492 flaw in Linux Kernel feature allows container escape — Security Affairs, original 2022-02-04; CISA KEV addition 2026-06-02
  • Cyware Daily Threat Intelligence — June 02, 2026 — Cyware, 2026-06-02