Malware Activity
AI-Assisted Threat Actors Accelerate Active Directory and Cloud Attacks
Cybersecurity researchers have documented separate intrusions demonstrating how threat actors are increasingly using artificial intelligence as a force multiplier to accelerate established attack techniques rather than develop entirely novel capabilities. In an early June 2026 incident, an unknown attacker used pre-compromised credentials to establish RDP access to a domain-joined Windows Server and deployed an apparently AI-generated, or “vibe-coded,” PowerShell script to aggressively enumerate the Active Directory environment, collecting information on domain controllers, users, computers, groups, organizational units, and trusts before generating an HTML inventory report. The actor later used the legitimate s5cmd utility and SharpShares to identify accessible data repositories, staged the collected information in CSV files, archived it, and exfiltrated the data to a remote server. Huntress assessed that the script’s over-engineered fallback mechanisms, placeholder text, stylized output, and iterative title indicated extensive assistance from a large language model, allowing the attacker to prioritize speed and aggression over stealth. Separately, Sygnia investigated an AI-assisted attack against a large AWS environment that progressed from initial access to broad compromise in roughly 72 hours, as a financially motivated actor repeatedly used newly acquired credentials to conduct cloud enumeration, harvest secrets, establish persistence, abuse CI/CD pipelines, access databases, exfiltrate data, and disrupt operations. The attacker also denied access to S3 buckets, reduced ECS service capacity to zero, created network-blocking ACL rules, and purged SQS queues to increase pressure on the victim for extortion. Researchers emphasized that neither intrusion relied on novel malware nor zero-day vulnerabilities. Instead, AI significantly reduced the time and effort needed to chain familiar adversary behaviors across complex environments, enabling even less-skilled actors to conduct faster, broader, and potentially more damaging operations. CTIX analysts will continue to report on novel attack methods and malicious software.
Threat Actor Activity
Russian State Hackers Target Vulnerable Routers to Breach Critical Infrastructure
US and allied cybersecurity agencies warn that Russian state-sponsored hackers from FSB Center 16 (Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, Static Tundra) are systematically targeting vulnerable and poorly configured routers and other networking devices to infiltrate critical infrastructure worldwide. The actors scan internet-facing IP ranges for devices using default or weak SNMP credentials, then send SNMP set-requests, often via spoofed IPs, to copy configuration files and exfiltrate them over TFTP or FTP to attacker-controlled servers. They also exploit known Cisco flaws, including CVE-2018-0171 in Smart Install, to gain arbitrary code and command execution. Sectors reported to be at the highest risk include energy, communications, defense industrial base, healthcare, financial services, and government. The advisory follows the disruption of FrostArmada, a separate APT28 campaign that hijacked DNS settings on 18,000 MikroTik and TP-Link SOHO routers to steal Microsoft 365 credentials and OAuth tokens. CTIX Analysts recommend that defenders at high-risk organizations disable Cisco Smart Install, move to SNMPv3, enforce strong unique passwords, block SNMP/TFTP at edge firewalls, restrict management protocols, keep firmware patched, and replace end-of-life devices to reduce exposure.
- Bleeping Computer: Russia Critical Infrastructure Targeting Article
- Security Week: Russia Critical Infrastructure Targeting Article
- IC3: Russia Critical Infrastructure Joint Advisory
Vulnerabilities
Microsoft-Signed Legacy UEFI Bootloaders Enable Secure Boot Bypass and Persistent Bootkit Attacks
Cybersecurity researchers at ESET have identified eleven (11) outdated, Microsoft-signed UEFI shim bootloaders that attackers could abuse to bypass Secure Boot and execute malicious code before the operating system or endpoint security tools initialize. The vulnerable applications, primarily based on shim version 0.9 or earlier, remain trusted on UEFI systems that recognize Microsoft’s legacy “Microsoft Corporation UEFI CA 2011” certificate and can be used in a bring-your-own-vulnerable-driver (BYOVD)-style attack to deploy persistent UEFI bootkits such as Bootkitty, HybridPetya, or BlackLotus. An attacker with administrative privileges or the ability to modify the boot process could replace a current shim with an older, still-trusted Microsoft-signed version, bypass Machine Owner Key (MOK) denylist enforcement and Secure Boot Advanced Targeting (SBAT) protections and execute arbitrary code during the early boot phase. This pre-OS execution can establish deeply entrenched persistence capable of surviving system reboots, and, in some cases, operating system reinstalls while also evading endpoint detection and response (EDR) tools. The issues, tracked as CVE-2026-8863 and CVE-2026-10797, stem largely from vulnerable vendor-specific bootloaders remaining signed and trusted long after flaws in the upstream shim project were publicly disclosed and fixed, creating a long-term software supply chain exposure. Microsoft revoked the affected bootloaders as part of its June 2026 Patch Tuesday updates, but researchers warn that the expiration of the legacy 2011 UEFI CA certificate alone does not prevent previously signed binaries from executing unless they are explicitly revoked, highlighting how old but trusted components can undermine Secure Boot without requiring attackers to exploit a newly discovered vulnerability. CTIX analysts strongly urge supply chain Microsoft administrators to ensure they have implemented the most recent patches and conduct internal investigations to ensure there hasn’t already been a compromise.
📧 Never Miss a Briefing
Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.
Join the Cyber Flash Update community today.
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
