June 8, 2026 Emerging Threats Weekly
This week’s briefing covers:
00:00 – Intro
00:49 [VULNERABILITY] CVE-2026-35616 - API Authentication Bypass in FortiClient EMS
Arctic Wolf has warned of an authentication bypass in the API of Fortinet's FortiClient Endpoint Management Server (EMS) that attackers have used to push an infostealer payload, disguised as a legitimate Fortinet patch, to managed endpoints. Because EMS is the trusted software-distribution channel for the endpoints it manages, a compromised server turns routine patch deployment into a malware delivery path; review recent EMS deployment history for packages nobody staged, and keep the management interface off the public internet.
03:31 [THREAT ACTOR] Gamaredon Uses WinRAR Exploit and NTFS Alternate Data Streams Against Ukraine
New reporting on Gamaredon shows the Russia-linked espionage actor continuing to refine its long-running operations against Ukrainian targets. The latest infection chain begins with GAMMAPHISH lures and abuses CVE-2025-8088, a WinRAR path-traversal flaw involving NTFS alternate data streams (fixed in WinRAR 7.13), to drop a hidden HTA file into the Windows Startup folder so that the next stage runs at the user's next logon. WinRAR has no auto-update, so unpatched installs remain common: check the installed version and hunt for unexpected .hta files under Start Menu\Programs\Startup.
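The archive-level pattern behind this chain is an entry name that, once the extractor honours it, lands outside the extraction directory, with the traversal hidden in an alternate-data-stream name. The following added example (not WinRAR's code and not the actor's archive) triages a constructed archive listing before extraction and flags traversal, ADS syntax, Startup-folder targets and HTA payloads; the destination path is a hypothetical POSIX-style directory used only to test containment.

```python
"""Pre-extraction triage of archive entry names: flags the path-traversal and
alternate-data-stream (ADS) pattern described above. Illustrative code, not
WinRAR's extraction logic; SAMPLE_LISTING is constructed for the example."""
import posixpath
import re

# A drive spec counts only when a separator follows it, so "a:b" stays an ADS.
DRIVE = re.compile(r"^[A-Za-z]:[\\/]")
STARTUP_MARKER = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)


def split_ads(name):
    """Return (base_name, stream_name); stream_name is None when there is no ADS."""
    drive, rest = "", name
    if DRIVE.match(name):
        drive, rest = name[:2], name[2:]
    if ":" in rest:
        base, _, stream = rest.partition(":")
        return drive + base, stream
    return name, None


def is_absolute(part):
    return part.startswith(("/", "\\")) or bool(DRIVE.match(part))


def escapes(dest, rel):
    """True if dest/rel resolves outside dest once '..' components and both
    slash styles are normalised (dest is a POSIX-style path in this example)."""
    target = posixpath.normpath(posixpath.join(dest, rel.replace("\\", "/")))
    return not (target == dest or target.startswith(dest + "/"))


def triage_entry(name, dest="/tmp/extract"):
    """Reasons an entry should be rejected or escalated; empty list when clean.
    The stream name is checked as a path too, because that is where the
    traversal hides in the ADS variant."""
    reasons = []
    base, stream = split_ads(name)
    if stream is not None:
        reasons.append("alternate data stream")
    for part, label in ((base, "name"), (stream, "stream name")):
        if part is None:
            continue
        if is_absolute(part):
            reasons.append(f"absolute path in {label}")
        elif escapes(dest, part):
            reasons.append(f"traversal in {label}")
        if STARTUP_MARKER.search(part):
            reasons.append(f"targets Startup folder via {label}")
        if part.lower().endswith(".hta"):
            reasons.append(f"writes an HTA via {label}")
    return reasons


def triage_listing(names, dest="/tmp/extract"):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    flagged = {}
    for name in names:
        reasons = triage_entry(name, dest)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed listing: a benign entry, a harmless internal '..', an ADS entry
# whose stream name walks up into the user's Startup folder, and an absolute path.
SAMPLE_LISTING = [
    "invoice.pdf",
    "docs/../invoice.pdf",
    "invoice.pdf:..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta",
    "C:\\Users\\Public\\run.hta",
]

if __name__ == "__main__":
    for entry, reasons in triage_listing(SAMPLE_LISTING).items():
        print(f"REJECT {entry!r}: {', '.join(reasons)}")
```

Note that "docs/../invoice.pdf" is not flagged: a '..' that stays inside the destination is legitimate, and the check is on where the normalised path ends up, not on the presence of the token.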
05:02 [THREAT ACTOR] HTTP/2 “Bomb” DoS Technique Impacts Web Infrastructure
Researchers at Calif disclosed in June 2026 a resource-exhaustion technique dubbed "HTTP/2 Bomb" that can crash major web servers in under a minute from a single machine. It targets default HTTP/2 configurations and affects widely deployed platforms including NGINX, Apache HTTP Server, Microsoft IIS, Envoy and Cloudflare Pingora; check each vendor's advisory for a fixed version or hardened settings rather than relying on the defaults.
07:35 [PHISHING] Fake Purchase Orders Deliver Fileless PureLogs Infostealer
This campaign uses phishing emails that impersonate legitimate purchase orders. The attached RAR archive looks routine but contains a JavaScript file; when the victim runs it, the script launches PowerShell, which stages the payload in memory rather than writing it to disk (hence "fileless"). The final stage is injected into the legitimate Windows binary MSBuild.exe using process hollowing, so the infostealer runs under the name of a signed Microsoft process. The visible telemetry is the process tree: a Windows script host spawning PowerShell, which in turn spawns MSBuild.exe.
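The process tree is the cheapest place to catch this chain. The following added example (not from the campaign report) runs that ancestry check over constructed Sysmon-style process-creation records: it flags every MSBuild.exe whose parent is PowerShell and whose grandparent is wscript.exe or cscript.exe, and records whether MSBuild was given a project file, since a hollowed host is typically started with no build to do. Field names, PIDs and paths are made up; a tree match is a trigger for a memory look, not proof of hollowing on its own.

```python
"""Process-tree detection for the chain described above (script host ->
PowerShell -> MSBuild.exe), run over constructed Sysmon-style process-creation
records. Added example, not the campaign report's own detection content."""
import json
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
TARGET = "msbuild.exe"
PROJECT_SUFFIXES = (".proj", ".csproj", ".vbproj", ".sln", ".targets")

# Constructed records, one process creation per JSON line: the phishing chain,
# a developer's Visual Studio build, and an interactive PowerShell build.
SAMPLE_EVENTS = r"""
{"pid": 4120, "ppid": 812,  "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 5212, "ppid": 4120, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe \"C:\\Users\\u\\Downloads\\PO_4471.js\""}
{"pid": 5300, "ppid": 5212, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"}
{"pid": 5388, "ppid": 5300, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "cmdline": "MSBuild.exe"}
{"pid": 6000, "ppid": 4120, "image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "cmdline": "devenv.exe"}
{"pid": 6010, "ppid": 6000, "image": "C:\\Program Files\\dotnet\\MSBuild.exe", "cmdline": "MSBuild.exe App.csproj /t:Build"}
{"pid": 6100, "ppid": 4120, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}
{"pid": 6110, "ppid": 6100, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "cmdline": "MSBuild.exe build.proj"}
"""


def parse_events(text):
    """pid -> record, with the lower-cased image basename added as 'name'."""
    events = {}
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["name"] = ntpath.basename(ev["image"]).lower()
            events[ev["pid"]] = ev
    return events


def ancestry(events, pid, depth=4):
    """Image names from the process upward, child first. Stops at the first
    parent missing from the records, since a log window is not the full tree."""
    names = []
    while pid in events and len(names) < depth:
        names.append(events[pid]["name"])
        pid = events[pid]["ppid"]
    return names


def has_project_argument(cmdline):
    """True if any argument after the image looks like a build input."""
    return any(tok.strip('"').lower().endswith(PROJECT_SUFFIXES)
               for tok in cmdline.split()[1:])


def find_suspicious_msbuild(events):
    """pid -> finding for each MSBuild.exe whose parent is PowerShell and whose
    grandparent is a Windows script host."""
    findings = {}
    for pid, ev in events.items():
        if ev["name"] != TARGET:
            continue
        chain = ancestry(events, pid)
        if len(chain) >= 3 and chain[1] in SHELLS and chain[2] in SCRIPT_HOSTS:
            findings[pid] = {
                "chain": " -> ".join(reversed(chain)),
                "project_arg": has_project_argument(ev["cmdline"]),
            }
    return findings


if __name__ == "__main__":
    for pid, finding in find_suspicious_msbuild(parse_events(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: {finding['chain']} (project argument: {finding['project_arg']})")
```

The two developer builds are left alone: one is parented by devenv.exe, the other by an interactive PowerShell that nothing scripted launched. Requiring the full three-process chain keeps the rule quiet on build machines; the missing project argument is recorded as corroboration rather than used as a trigger on its own.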
08:30 [PHISHING] Kali365 Expands Beyond Microsoft 365 Into Multi-Brand Device-Code Phishing
Kali365 has evolved beyond its original focus on Microsoft 365 credentials into a broader phishing-as-a-service platform. Recent reporting shows it targets services such as AWS and Okta, along with multiple regional platforms. In a device-code phish the kit starts the sign-in itself and sends the victim only the short user code; the victim then completes a genuine login, including MFA, on the provider's real page, and the resulting tokens are issued to the session the kit opened. Capturing tokens this way sidesteps MFA without ever intercepting the second factor, so the response must include revoking the issued refresh tokens and sessions, not only resetting the password.
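The reason MFA does not help here is structural to the OAuth 2.0 device authorization grant (RFC 8628): the party that starts the flow holds the device_code, the victim only ever sees the user_code, and the token endpoint hands tokens to whoever polls with the device_code. The following added example is a toy authorization server, not any provider's or the kit's code, that walks through the three messages with the attacker and victim roles separated, and then shows the same phish failing against a server that restricts the device flow to an allow-list of client IDs. Client IDs, account names and the verification URL are made up.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) showing why
a device-code phish ends with the attacker holding the victim's tokens. Added
example; AuthServer is a simplified stand-in for a real identity provider."""
import secrets
import time


class AuthServer:
    def __init__(self, device_flow_clients=None):
        # None: any client may start the device flow (the permissive default a
        # phishing kit relies on). A set restricts the grant to allow-listed
        # client IDs, e.g. only the TV/CLI apps that genuinely need it.
        self.device_flow_clients = device_flow_clients
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope):
        """Message 1: the requesting device (here, the phishing kit) receives a
        device_code it keeps secret and a user_code it forwards to the victim."""
        if self.device_flow_clients is not None and client_id not in self.device_flow_clients:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        rec = {"client_id": client_id, "scope": scope, "state": "pending",
               "subject": None, "expires_at": time.time() + 900}
        self.by_device_code[device_code] = rec
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device", "interval": 5}

    def user_authorizes(self, user_code, subject, mfa_passed):
        """Message 2: the victim, in a real browser on the real login page, enters
        the code and signs in with MFA. Nothing in this step tells the server
        who holds the matching device_code."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        if not mfa_passed:
            return "mfa_failed"
        self.by_device_code[device_code].update(state="authorized", subject=subject)
        return "authorized"

    def token(self, device_code):
        """Message 3: whoever polls with the device_code receives the tokens."""
        rec = self.by_device_code.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["expires_at"] < time.time():
            return {"error": "expired_token"}
        if rec["state"] != "authorized":
            return {"error": "authorization_pending"}
        return {"access_token": "at_" + secrets.token_urlsafe(16),
                "refresh_token": "rt_" + secrets.token_urlsafe(16),
                "sub": rec["subject"], "scope": rec["scope"]}


def run_phish(server, victim="alice@example.com"):
    """Attacker starts the grant, lures the victim into entering user_code,
    then polls. Returns the attacker's final token response."""
    start = server.device_authorization(client_id="kit-client", scope="openid offline_access")
    if "error" in start:
        return start
    attacker_device_code = start["device_code"]
    assert server.token(attacker_device_code) == {"error": "authorization_pending"}
    # The lure carries only the short user_code; the victim never sees device_code.
    server.user_authorizes(start["user_code"], subject=victim, mfa_passed=True)
    return server.token(attacker_device_code)


if __name__ == "__main__":
    print("permissive server:", run_phish(AuthServer()))
    print("allow-listed server:", run_phish(AuthServer(device_flow_clients={"smart-tv-app"})))
```

The first run ends with an access token and a refresh token bound to alice@example.com in the attacker's hands, even though only the victim ever typed a password or approved an MFA prompt. The second run fails at message 1, which is the point at which a provider-side policy restricting the device flow to known clients stops the kit before a victim is involved.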
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing
Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist
Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder
#krollcyber #threatintelligence #cyberthreats