Check Point Research
22ND JUNE – THREAT INTELLIGENCE REPORT
June 22, 2026
For the latest discoveries in cyber research for the week of 22nd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Texas Parks and Wildlife Department has been affected by a third-party data breach involving its license system vendor. The incident exposed driver’s license information, passport numbers, emails, phone numbers, and residential addresses for 3,087,721 hunting and fishing license customers. Social Security numbers and payment data were not affected.
ShapedPlugin, a WordPress plugin vendor, has faced a supply chain attack that delivered malicious updates for three paid plugins through its official updater. The malware installed a hidden fake WooCommerce plugin to steal admin, database, and 2FA credentials and modify affected websites. Incident analysis tied the compromise to vendor release infrastructure.
iRhythm Technologies, a US digital health company focused on remote cardiac monitoring, has experienced a cyberattack involving third-party-hosted business applications. The company confirmed that attackers stole protected health information, proprietary data, and other personal data through a social engineering attack. Clinical systems were not affected.
Market intelligence platform Klue has confirmed a breach after attackers used compromised legacy integration credentials to steal OAuth tokens connected to customer Salesforce environments. The tokens enabled theft of sales and customer data from several clients, including Huntress, Recorded Future, Tanium, and Jamf. The Icarus extortion group claimed responsibility.
AI THREATS
Microsoft researchers detailed AutoJack, an exploit chain where a malicious web page can turn an AI browsing agent into a remote code execution vector. The attack abused localhost trust, missing authentication, and unsafe parameter handling in AutoGen Studio’s MCP WebSocket surface.
Researchers described SearchLeak, a prompt injection technique in Microsoft 365 Copilot Search that can use a crafted link to trigger hidden instructions and exfiltrate data. The attack abused Bing image fetch to expose emails, authentication codes, and OneDrive or SharePoint files. Microsoft patched it as CVE-2026-42824.
Researchers analyzed OpenClaw AI agent flaws where hidden contacts and phishing emails could trigger prompt injections, code execution, and data leaks. The attacks show how agent workflows that trust external messages can expose local tools, secrets, and enterprise data through ordinary interaction paths.
VULNERABILITIES AND PATCHES
Fortinet FortiSandbox vulnerabilities CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 are being exploited through unauthenticated API requests. The flaws enable path traversal and root-level command execution, creating a risk of sandbox takeover that could affect malware analysis, policy enforcement, and internal security workflows.
Check Point IPS provides protection against these threats (Fortinet FortiSandbox Directory Traversal (CVE-2026-39813), Fortinet FortiSandbox Command Injection (CVE-2026-39808))
Microsoft has confirmed CVE-2026-50656, a Defender zero-day. The flaw allows privilege escalation to SYSTEM through a race condition. A public proof-of-concept works on fully updated Windows 10 and Windows 11 systems, and Microsoft is preparing a security update.
Cisco has acknowledged active exploitation of CVE-2026-20262, an arbitrary file write flaw in Catalyst SD-WAN Manager. Authenticated attackers can overwrite system files and potentially escalate to root. Cisco reported limited targeted attacks and released patches for affected devices.
Splunk Enterprise CVE-2026-20253 is actively being exploited. The critical flaw lets unauthenticated attackers trigger file operations, which researchers showed can lead to remote code execution. Splunk said limited exploitation was observed, and security updates are available.
Check Point IPS provides protection against this threat (Splunk Enterprise Arbitrary File Write (CVE-2026-20253))
THREAT INTELLIGENCE REPORTS
Check Point Research has unmasked a crypto clipboard hijacker promoted through a phishing website and amplified on GitHub, SourceForge, YouTube, and legitimate news websites. The Rust malware targets Windows and macOS and swaps copied wallet addresses to attacker wallets.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat
Check Point Research has uncovered a seasonal surge in travel-themed cybercrime, with attackers registering 47,318 travel-related domains in May 2026. The campaigns use Booking.com, Airbnb, and Skyscanner lookalikes to target travelers and hospitality customers with fake pages designed to steal credentials and payment details.
Check Point Research has documented Amazon-themed scams ahead of Prime Day from June 23 to 26, including thousands of newly registered domains and lookalike internationalized domains. The campaigns impersonate Amazon services and lure Prime members into credential theft, payment fraud, and fake support interactions.
Check Point has assessed rising cyberattacks against Central US organizations, with healthcare, energy, utilities, and financial services recording elevated weekly attack volumes. The report highlights regional and sector-level targeting patterns across the Midwest and provides business context for CISOs tracking exposure.