Issue #012 · July 3, 2026

Cyber Threat Brief — Issue #012

What's active. What matters. What to do about it.

Priority Actions This Week

  1. 01If you run on-premises Microsoft SharePoint Server, patch it today. CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog on July 1 with a federal remediation deadline of July 4. That deadline is tomorrow. Microsoft patched this in May and initially called exploitation unlikely. CISA just confirmed it is happening. Any SharePoint server that was internet-facing before patching should also be reviewed for signs of unauthorized access, not just patched and closed.
  2. 02If anyone on your security team downloads and runs proof-of-concept exploit code from GitHub to test newly disclosed vulnerabilities, send them this brief before they run anything else. ChocoPoC is a live, active campaign hiding malware inside what looks like legitimate exploit code. The malware is in the dependency, not the code you read. The skytext and frint packages on PyPI are the infection vectors. Verify every dependency before running any CVE proof-of-concept in an environment with real credentials or files.
  3. 03Review which applications in your organization have OAuth access to corporate Gmail accounts. ToddyCat, a China-linked espionage group, has built malware specifically designed to steal Gmail OAuth tokens and silently read corporate email through Google's own API. Any application that has been granted access to Gmail and is no longer actively used should have that access revoked immediately.
  4. 04The Cisco SD-WAN federal remediation deadline of June 29 has passed. If CVE-2026-20262 has not been patched in your environment, it is now overdue. Apply the Cisco SD-WAN Manager patch and conduct a retrospective log review for unauthorized activity going back to at least early June.
  5. 05If your organization's security researchers or penetration testers use shared GitHub accounts or personal machines for exploit research, those machines may hold client credentials, private vulnerability reports, and active engagement details. ChocoPoC is specifically designed to compromise researcher machines because one infected researcher can expose far more than one organization. Isolate exploit research to disposable virtual machines with no access to production credentials.

Active Campaigns

[ ESCALATING ]ChocoPoC — Attackers Hide Malware Inside Fake CVE Exploit Code Targeting Security Researchers
ACTOR: Unknown — single persistent threat actor, active since late 2025, financially motivatedTARGETS: Vulnerability researchers, penetration testers, bug bounty hunters, and security tool developers who download and test proof-of-concept exploit code from GitHub

A campaign called ChocoPoC, documented jointly by YesWeHack and Sekoia on July 1, 2026, has been hiding a fully functional remote access trojan inside fake proof-of-concept exploit repositories on GitHub since late 2025. The attack exploits a specific behavior of the security research community: when a major CVE is disclosed, researchers race to find working exploit code to test it. Attackers create fake GitHub repositories that appear to be legitimate PoC exploits for high-profile vulnerabilities including FortiWeb, PAN-OS, Ivanti Sentry, Check Point VPN, and Joomla. The visible exploit code looks clean. The malware hides inside a Python dependency that the PoC pulls in when the researcher runs pip install. The malicious package, called skytext, was downloaded approximately 2,400 times. Once a researcher runs the PoC, the malware activates only after verifying that a legitimate exploit file is present, which causes it to remain dormant in automated sandbox environments. It then steals saved browser passwords, cookies, and files, and establishes a persistent remote shell. Command and control runs through Mapbox, a legitimate mapping platform, making the traffic difficult to distinguish from normal web activity. Security researchers are high-value targets because compromising one can provide access to client credentials, private vulnerability reports, and details of active security engagements across multiple organizations simultaneously.

[ ACTIVE ]SharePoint RCE Added to CISA KEV — Federal Deadline Tomorrow, Active Exploitation Confirmed
ACTOR: Multiple threat actors — Storm-2603 ransomware deployment confirmed, others suspectedTARGETS: Organizations running on-premises Microsoft SharePoint Server 2016, 2019, and Subscription Edition

CISA added CVE-2026-45659, a remote code execution vulnerability in on-premises Microsoft SharePoint Server, to the Known Exploited Vulnerabilities catalog on July 1, 2026, with a federal remediation deadline of July 4. The flaw is a deserialization vulnerability that allows any authenticated user with basic site member permissions to execute arbitrary code on the server remotely. No administrator access is required. No user interaction is required. An attacker with a stolen or phished low-privilege account can run code on SharePoint and use it as a launchpad into the broader network. Microsoft patched the flaw in May 2026 and initially assessed exploitation as unlikely. CISA's KEV inclusion confirms that assessment was wrong. Separately, Microsoft has disclosed an incident where two unrelated ransomware actors were simultaneously present on the same network, with Storm-2603 deploying Warlock ransomware through SharePoint exploitation. SharePoint contains sensitive business documents and integrates with Active Directory, making a successful compromise a direct path to lateral movement across the organization.

[ ACTIVE ]ToddyCat Umbrij — China-Linked Espionage Group Steals Gmail Through Google's Own API
ACTOR: ToddyCat — China-linked APT, espionage mandateTARGETS: Corporate users with Gmail-integrated environments, technology and government sector organizations

Kaspersky researchers disclosed this week that ToddyCat, a China-linked advanced persistent threat group, has developed a new malware family called Umbrij specifically designed to access corporate email through the Google API rather than through traditional credential theft. The malware establishes access to a victim's Gmail account by stealing an OAuth token, the digital credential that lets applications access Google services on a user's behalf. Once Umbrij has the token, it connects to Gmail's management console in headless mode through a remote debugging port and silently reads the victim's email correspondence without triggering standard authentication alerts. The technique bypasses traditional detection methods because it uses Google's own legitimate API. From Google's perspective, the access looks like an authorized application reading mail. ToddyCat's use of this technique represents a significant escalation in OAuth-based espionage tradecraft, turning the same authorization mechanism that powers legitimate productivity tools into a covert email exfiltration channel.

CVE Watch

CVE-2026-45659CVSS 8.8[ ESCALATING ]

PRODUCT: Microsoft SharePoint Server (Subscription Edition, 2019, 2016)

WHAT IT MEANS:

A deserialization vulnerability in on-premises Microsoft SharePoint Server allows any authenticated user with basic site member permissions to execute arbitrary code on the server remotely. No administrator access is required. No user interaction by another person is required. An attacker with a stolen low-privilege SharePoint account can run code on the server and then move laterally into the rest of the organization's network. SharePoint holds sensitive business documents and integrates with Active Directory, making it a high-value target and an effective launchpad for broader compromise. Microsoft initially called exploitation unlikely. CISA confirmed active exploitation on July 1, 2026 with a federal deadline of July 4. Any SharePoint server that was internet-facing or accessible to external users before the May 2026 patch was applied should be treated as potentially compromised and reviewed, not just patched.

ACTION:Apply the May 2026 Microsoft SharePoint security update immediately across all on-premises SharePoint deployments. Verify the installed build version against Microsoft's fixed build numbers. Review IIS logs, SharePoint ULS logs, and EDR telemetry for signs of unauthorized access before the patch was applied. Federal deadline is July 4, 2026.

CVE-2026-20262CVSS 6.5[ MONITORING ]

PRODUCT: Cisco Catalyst SD-WAN Manager

WHAT IT MEANS:

Covered in Issue 011 as ACTIVE. The CISA federal remediation deadline of June 29, 2026 has passed. Organizations that have not yet applied the Cisco patch are now operating beyond their federal compliance window. The vulnerability allows an authenticated attacker with write access to overwrite files on the SD-WAN Manager, which can then be used to escalate to root. Moving to MONITORING because the patch has been available since June and the deadline has passed. Organizations still unpatched should treat this as overdue, not deferred.

ACTION:Apply the Cisco SD-WAN Manager patch for CVE-2026-20262 immediately if not already done. Conduct a retrospective review of administrator activity logs going back to at least early June for signs of unauthorized access that may predate patching.

CVE-2026-48908CVSS 9.1[ ACTIVE ]

PRODUCT: Joomla SP Page Builder plugin (unauthenticated RCE)

WHAT IT MEANS:

One of the high-profile CVEs used as bait in the ChocoPoC campaign, this critical unauthenticated remote code execution vulnerability in the Joomla SP Page Builder plugin allows attackers to execute arbitrary code on Joomla websites without any authentication. The ChocoPoC campaign specifically used this CVE as a lure, publishing a fake proof-of-concept on GitHub that infected researchers who downloaded and ran it. The underlying vulnerability itself is real and affects any Joomla installation running the SP Page Builder plugin in an unpatched state. Organizations running Joomla with third-party plugins should audit their installed plugin inventory and apply available patches, while security teams should be aware that active CVE bait campaigns are running against researchers investigating this specific vulnerability.

ACTION:Apply the SP Page Builder plugin patch for Joomla immediately. Security researchers investigating CVE-2026-48908 should use fully isolated disposable virtual machines with no production credentials present before running any proof-of-concept code related to this vulnerability.

Threat Actor Activity

ChocoPoC operators (unattributed)[ ESCALATING ]

Active campaign confirmed by YesWeHack and Sekoia with at least seven trojanized PoC repositories identified targeting researchers investigating FortiWeb, PAN-OS, Ivanti Sentry, Check Point VPN, Joomla, and other high-profile CVEs. The skytext package on PyPI accumulated 2,400 downloads with spikes correlating directly to major CVE disclosures. Campaign and malware infrastructure confirmed live as of July 1, 2026. Do not run unreviewed PoC code.

ToddyCat[ ACTIVE ]

Kaspersky disclosed the Umbrij malware family, a new ToddyCat tool designed to steal Gmail OAuth tokens and silently read corporate email through Google's API. The technique bypasses traditional credential-based detection by using Google's own authorization infrastructure as the exfiltration channel. ToddyCat is assessed as a China-linked APT with an established espionage mandate targeting technology and government organizations.

Storm-2603[ ACTIVE ]

Microsoft confirmed Storm-2603 was present on an enterprise network deploying Warlock ransomware through SharePoint exploitation. The incident involved two unrelated ransomware actors simultaneously present on the same compromised network, complicating incident response and attribution.

Icarus[ ACTIVE ]

Extortion campaign from the Klue supply chain breach continues. Additional victims beyond the initial list of fifteen are expected to come forward. Leak site remains active.

FortiBleed operators[ ACTIVE ]

No new scale updates. Campaign remains active. 430,000 FortiGate devices targeted since February 2026. Credential resale on criminal markets continues.

Salt Typhoon[ MONITORING ]

No new confirmed activity. Full eviction from US telecommunications infrastructure remains unconfirmed.

Volt Typhoon[ MONITORING ]

No new confirmed activity. Pre-positioning in US critical infrastructure from prior periods remains unresolved.

Key Takeaway

There is a pattern running through the last three issues of this brief that is worth naming directly. Attackers are not breaking through perimeters anymore. They are walking through doors that were already open. The Klue breach was a forgotten credential on a discontinued integration. The ChocoPoC campaign is malware hiding inside code that researchers downloaded voluntarily and ran willingly. The ToddyCat Gmail attack uses Google's own API as the exfiltration channel. The SharePoint flaw requires nothing more than a basic user account that an attacker can buy, steal, or phish from any of the thousands of organizations where SharePoint is deployed. None of these attacks required sophisticated zero-day exploitation. None of them required breaching a hardened perimeter. They required finding the thing that defenders trusted enough not to watch closely, and using it. The security industry spends enormous resources hardening entry points. The attacks of mid-2026 are entering through the side door, the back door, and in some cases the front door with a key that someone left under the mat. The practical takeaway is not a new tool or a new framework. It is the habit of asking, for every system and every integration in your environment, whether you are watching it closely enough to know if someone is already inside.

Sources

  • YesWeHack
  • Sekoia
  • The Hacker News
  • BleepingComputer
  • SecurityWeek
  • CISA Known Exploited Vulnerabilities Catalog
  • Kaspersky
  • The Register
  • SOCRadar
  • GBHackers
  • SC Media