Overview
This week’s bulletin is packed with high‑impact stories: from a fresh Microsoft Defender zero‑day exploit to brute‑force surges against SonicWall and FortiGate devices, legacy vulnerabilities resurfacing, and supply chain compromises in WordPress plugins. Attackers are innovating, defenders are scrambling, and the cybersecurity landscape remains as volatile as ever.
Key Highlights
- Targeted wallet breach: Zerion lost $100K from internal hot wallets after a North Korean AI‑enabled social engineering attack.
- EU age verification app: A bloc‑wide anonymous age verification tool is coming, promising privacy‑respecting checks.
- Defender zero‑day: Researcher “Chaotic Eclipse” disclosed RedSun, a privilege escalation exploit working reliably against Windows 10/11 and Server with Defender enabled.
- Excel RCE resurfaces: A 17‑year‑old flaw (CVE‑2009‑0238) is back in active exploitation, forcing urgent patching.
- Raspberry Pi OS update: Passwordless sudo is now disabled by default for new installs.
- Stealth C2 frameworks: ObsidianStrike and ArchangelC2 uncovered, showing highly private and industrial‑scale operations.
- Fake Ledger app: Drained $9.5M in crypto from victims via Apple’s App Store.
- Localized ransomware: JanaWare targets Turkish users with low‑value ransom demands ($200–$400).
- Google crackdown: New policy against back button hijacking goes live June 15, 2026.
- APT41 cloud attack: New ELF backdoor steals credentials across AWS, Azure, Google Cloud, and Alibaba Cloud.
- WordPress plugin supply chain breach: Essential Plugin poisoned post‑acquisition, impacting 180,000 installs.
- Xinbi Guarantee: Despite sanctions, this Telegram marketplace continues with $21B in transactions.
- SmokedHam backdoor: Delivered via malvertising, leading to Qilin ransomware and credential theft.
- Water Hydra activity: Still active in 2026, linked to EvilNum lineage.
- Scientific software flaws: HDF5 vulnerabilities could expose classified research data.
- Brute‑force surge: SonicWall and FortiGate devices face aggressive credential attacks, mostly from the Middle East.
- Triad Nexus fraud network: Evading sanctions via front companies, responsible for $200M in losses.
Risks to Enterprises
- Supply chain compromise: Plugins, npm packages, and app stores remain vulnerable vectors.
- Legacy vulnerabilities: Old flaws like Excel RCE still haunt unpatched systems.
- Cloud credential theft: APT41’s backdoor shows how attackers exploit cloud workloads invisibly.
- Localized ransomware: Even low‑value campaigns can cripple small businesses.
- Fraud ecosystems: Networks like Triad Nexus industrialize brand impersonation and scams.
Defensive Guidance
- Patch aggressively: Address both new and legacy CVEs immediately.
- Audit supply chains: Vet plugins, apps, and dependencies for hidden backdoors.
- Strengthen authentication: Enforce MFA and monitor brute‑force attempts on edge devices.
- Cloud vigilance: Deploy monitoring for credential theft and covert C2 channels.
- User awareness: Train staff against phishing, fake apps, and malvertising campaigns.
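As an added illustration of the "monitor brute‑force attempts on edge devices" item (example code, not part of the bulletin), a small sliding‑window detector run over constructed FortiGate‑style key=value login events; the log shape, field names and addresses are assumptions, not captured data, and the check also flags a success that follows a burst, which is the alert worth escalating.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a FortiGate-like key=value shape (an assumption;
# real devices emit more fields and SonicWall's syslog format differs).
SAMPLE_LOGS = [
    'date=2026-06-01 time=08:00:01 action=login status=failed user=admin srcip=203.0.113.7',
    'date=2026-06-01 time=08:00:05 action=login status=failed user=admin srcip=203.0.113.7',
    'date=2026-06-01 time=08:00:09 action=login status=failed user=root srcip=203.0.113.7',
    'date=2026-06-01 time=08:00:12 action=login status=failed user=jdoe srcip=198.51.100.9',
    'date=2026-06-01 time=08:00:14 action=login status=failed user=admin srcip=203.0.113.7',
    'date=2026-06-01 time=08:00:20 action=login status=failed user=admin srcip=203.0.113.7',
    'date=2026-06-01 time=08:00:26 action=login status=success user=admin srcip=203.0.113.7',
    'date=2026-06-01 time=08:03:00 action=login status=failed user=jdoe srcip=198.51.100.9',
    'date=2026-06-01 time=08:03:10 action=login status=success user=jdoe srcip=198.51.100.9',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Split a key=value log line into a dict, dropping quotes on values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside any sliding window.
    Returns (bursts, post_burst_success): bursts maps srcip -> peak failures in
    one window; post_burst_success lists flagged sources that later logged in
    successfully (possible credential compromise, not just noise)."""
    recent = defaultdict(deque)   # srcip -> failure timestamps still in window
    bursts, post_burst_success = {}, []
    for line in lines:
        f = parse_kv(line)
        if f.get("action") != "login":
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        src = f.get("srcip", "unknown")
        if f.get("status") == "failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                bursts[src] = max(bursts.get(src, 0), len(q))
        elif f.get("status") == "success" and src in bursts and src not in post_burst_success:
            post_burst_success.append(src)
    return bursts, post_burst_success

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOGS))  # ({'203.0.113.7': 5}, ['203.0.113.7'])
```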
Final Thought
This week’s bulletin underscores the breadth of modern cyber threats: from stealthy C2 frameworks and poisoned supply chains to brute‑force waves and legacy flaws. The lesson is clear — security basics still matter. Patch, monitor, and verify continuously, because attackers are exploiting both the newest and the oldest cracks in digital infrastructure.