July 6, 2026 Emerging Threats Weekly

Jul 6, 2026

This week’s briefing covers:

00:00 – Intro

00:58 [VULNERABILITY] Oracle E-Business Suite Payments Flaw Moves into Active Exploitation
A critical Oracle E-Business Suite vulnerability is now being actively exploited against Oracle Payments, according to new reporting.

02:45 [MALWARE] Silent Swap Uses Fake Google Notes Extension for Crypto Theft
Researchers have warned of an active browser extension that's capable of hijacking cryptocurrency transactions by silently substituting a user's wallet address with one controlled by an attacker.

05:41 [VULNERABILITY] New NetScaler “CitrixBleed”-Class Flaw Exposes SAML-Enabled Gateways A Citrix has patched CVE-2026-8451, a pre-authentication memory overread in NetScaler ADC and NetScaler Gateway that affects appliances configured as a SAML identity provider.

07:40 [VULNERABILITY] SimpleHelp Auth Bypass Used to Deliver TaskWeaver and Djinn Stealer
Attackers are exploiting CVE-2026-48558 in SimpleHelp, a remote monitoring and management platform, to obtain authenticated technician sessions and push malware to managed systems.

09:38 [CAMPAIGN] Password Spray Wave Targets Azure CLI and Weak MFA Coverage
A large password-spraying campaign targeted Microsoft 365 environments by leveraging Azure CLI authentication patterns to validate stolen credentials at scale. Between June 12 and June 21, researchers observed more than 81 million login attempts and confirmed the compromise of 78 accounts across 64 organizations.

11:52 [NEW TECHNIQUE] GuardFall Bypasses Safety Checks in Open-Source AI Coding Agents
Researchers have disclosed a technique named GuardFall that can bypass command-safety controls in ten of eleven popular open-source coding and computer-use agents.

14:53 [NEW TECHNIQUE] Phantom Squatting Turns LLM Hallucinations into Phishing Infrastructure
Researchers at Palo Alto's Unit 42 have identified a technique they call Phantom Squatting, which weaponizes web domains hallucinated by large language models.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Cyber and Data Resilience: https://www.kroll.com/en/services/cyber

#krollcyber #threatintelligence #cyberthreats