// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 22, 2026
Signal Brief · Archived

Week of June 22, 2026

2026-06-22 — 2026-06-28 · 11 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 22, 2026, ColdRecon logged 11 public endpoint-security events from open-source reporting — 8 incidents, 2 research pocs, 1 vuln disclosure. Vendors in the record this week: Workday, NetSuite, SAP.

The Week's Public Record

Events

2026-06-25
incident
Malicious Chrome Extensions Steal Session Cookies from Workday, NetSuite, SAP SuccessFactorsCookie-stealing Chrome extensions targeting enterprise SaaS
Five malicious Chrome extensions were discovered stealing session cookies from enterprise SaaS applications including Workday, NetSuite, and SAP SuccessFactors. The extensions exfiltrated cookies every 60 seconds to attacker-controlled servers, bypassing password and MFA protections. This incident highlights the risk of session hijacking via browser extensions and the limitations of credential-only monitoring.
Workday · NetSuite · SAP ↗ securityboulevard.com (2026-06-25)
2026-06-25
incident
Mistic Ransomware Uses Hell's Gate Technique to Evade Endpoint DetectionHell's Gate
The Mistic ransomware backdoor employs a fileless technique called Hell's Gate to bypass endpoint detection. It directly invokes system calls from ntdll.dll, avoiding standard API monitoring by EDR products. The malware also erases itself after execution, making file-based scans ineffective.
2026-06-25
incident
LokiBot Campaign Uses JScript, .NET Injector, and Process Injection to Steal CredentialsLokiBot
A LokiBot campaign delivers malware via JScript email attachments, using a .NET injector and process injection to steal credentials from browsers, cryptocurrency wallets, email clients, and FTP tools. The multi-stage attack evades detection by injecting into legitimate processes. This incident highlights ongoing credential theft threats targeting endpoint users.
2026-06-25
incident
LokiBot Malware Adopts API Hashing and 3DES-Encrypted C2 to Evade DetectionLokiBot API Hashing and 3DES C2
Recent LokiBot infostealer samples employ API hashing and 3DES-encrypted command-and-control communications to evade static detection by security tools. This evolution demonstrates ongoing efforts to bypass endpoint defenses and maintain stealth.
2026-06-25
research poc
macOS Flaw Allows Standard Users to Disable EDR and MDMmacOS EDR/MDM Disable via System Extensions
Researchers demonstrated that a standard macOS user can abuse built-in system commands to disable or remove security products, including EDR and MDM agents. The technique leverages normal macOS behavior to make the security tool disable itself, bypassing its own protections. This leaves endpoints unprotected without requiring elevated privileges.
2026-06-25
research poc
Gaslight Malware PoC Evades AI-Powered Malware AnalysisGaslight
Researchers developed a proof-of-concept malware named Gaslight that specifically targets and evades AI-based malware analysis systems. Gaslight detects execution in an AI analysis sandbox and alters its behavior to appear benign, undermining the reliability of AI-driven triage and reverse engineering. This demonstrates that threat actors are adapting to the increasing use of AI in defensive workflows.
2026-06-25
incident
DPRK-Linked macOS Implant Gaslight Uses LaunchAgent Persistence and Python StealermacOS.Gaslight
A DPRK-linked threat actor deployed a Rust-based macOS implant named Gaslight that uses LaunchAgent persistence and a Python stealer module. The implant includes analyst-directed prompt injection as a novel feature, targeting endpoint security researchers. It collects system information and exfiltrates data to command-and-control servers.
2026-06-25
incident
Malicious Chrome Extension Escapes Browser Sandbox via Native Messaging HostMalicious Chrome Extension with Native Messaging Host
A sophisticated malware campaign used a phishing lure to deliver an obfuscated JavaScript dropper that installed a malicious Chrome extension and a Native Messaging Host. This combination allowed the attacker to break out of the Chrome sandbox and execute arbitrary code on the endpoint, bypassing browser-based security boundaries.
2026-06-25
incident
StrikeShark Campaign Deploys Cobalt Strike via SharkLoader MalwareSharkLoader
A campaign targeting a diplomatic mission in Indonesia used a previously undocumented loader called SharkLoader to deliver Cobalt Strike beacons. The attack involved phishing emails with malicious attachments and employed defense evasion techniques. This incident highlights the continued use of custom loaders to bypass endpoint security controls.
2026-06-25
vuln disclosure
CVE-2026-39118 in macOS Allows Standard Users to Disable Security AgentsCVE-2026-39118
A vulnerability in Apple macOS (CVE-2026-39118) allows a standard user to disable or permanently deactivate enterprise security agents like CrowdStrike EDR and Kandji MDM. The flaw stems from improper authorization in the Endpoint Security framework, enabling unauthorized termination of security processes. This undermines endpoint protection and compliance on affected macOS systems.
Apple · CrowdStrike · Kandji ↗ www.rescana.com (2026-06-25)
2026-06-25
incident
Mistic Backdoor Deployed by KongTuke Access Broker Targets Enterprise NetworksMistic backdoor
The Mistic backdoor, attributed to the ransomware access broker KongTuke (Woodgnat), is actively being deployed in enterprise networks. It uses stealthy techniques to evade endpoint security and establish persistence, enabling ransomware deployment. This incident highlights advanced evasion methods against detection tools.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →