All episodes
Week of Jun 8, 2026

Threat Vectr Weekly — week of Jun 8

13 min

Stories covered this week

Transcript

Narrated by two AI anchors. Lightly formatted for reading.

Marcus

Welcome to Threat Vectr Weekly, your briefing on what actually matters in cybersecurity this week. I'm Marcus, and we have a packed episode for you. Coming up: a spear-phishing campaign hitting government and academic targets in Europe and Asia with an open-source hacking framework, Dutch police taking down the command-and-control backbone of a seventeen-million-device botnet, and how Meta's AI support chatbot was socially engineered into handing over Instagram accounts — including one tied to the Obama White House. All that and more, starting right now.

Marcus

We open with a campaign researchers at Seqrite Labs are calling Operation Dragon Weave. The short version: someone is sending phishing emails with ZIP file attachments to government agencies, universities, research institutions, technology firms, and financial services organizations in the Czech Republic and Taiwan. When a victim opens the archive, the infection chain drops something called AdaptixC2 — an open-source command-and-control framework that has been gaining traction among intrusion sets as an alternative to better-known tools like Cobalt Strike. Once it lands, attackers get persistent access, the ability to move laterally through a network, and a modular toolkit for post-exploitation work. Attribution is not confirmed, but threat-intel teams should note that pairing Prague and Taipei — two capitals with active China-watching policy communities — is not random. The practical takeaway for defenders is straightforward: ZIP attachments remain the delivery vehicle of choice. If your mail gateway is still letting through password-protected or double-extension archives without inspection, you are doing the attacker's job for them.

Elena

And that victimology pattern is exactly the kind of thing that can get lost when you focus only on the malware family. The who matters as much as the how. Speaking of taking infrastructure apart — Dutch law enforcement had a significant week. The Netherlands' national police, the Politie, seized command-and-control servers that were the nervous system of a botnet spanning roughly seventeen million compromised devices — computers, smartphones, and tablets. The alleged business model here was residential proxying. What that means in practice is that criminals recruit victims' devices to route other people's internet traffic. Buyers get IP addresses that look like ordinary home connections, which makes it much harder for fraud-detection systems to flag them. Without the seized servers the network loses coordination and falls apart. Seventeen million devices is a striking number — for context, the entire population of the Netherlands is around eighteen million. Authorities haven't publicly named suspects yet. How devices got pulled into this botnet isn't fully detailed, but the usual suspects are cracked software, phishing payloads, and unpatched consumer routers. The symptom for infected users is often nothing visible at all, which is exactly what makes residential proxy botnets so valuable to criminals.

Marcus

That invisibility factor is what makes these so persistent. If your device is quietly routing someone else's traffic, your internet might be slightly slower and that's it. No alert, no popup. Worth running an endpoint scan periodically even if nothing feels wrong. Now, to a story that is equal parts embarrassing for a major tech company and genuinely alarming for anyone who cares about account security. Over the weekend of May 31st, the dormant Instagram account for the Obama White House and the account belonging to the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian imagery. The entry point was not a sophisticated zero-day exploit. It was a chatbot. Instructions circulating on Telegram described a four-step process: connect through a VPN exit node near the target's location, request a password reset, open Meta's AI support assistant, and ask it to link a fresh attacker-controlled email address to the target account. The bot complied. It sent a one-time code to the attacker's email, and the account takeover went through. Meta reportedly pushed an emergency patch over the weekend. No backend database was breached — the failure lived entirely in the support assistant's logic, which was designed to reduce friction for locked-out users and ended up reducing friction for attackers too.

ElenaSponsored

A quick word from our sponsor, Train2Secure. Your people are your biggest cyber risk — and your strongest defence. Train2Secure runs realistic phishing simulations and short, engaging security-awareness training your team will actually finish, with compliance-ready reporting that runs on autopilot. Turn your staff into a human firewall. Start your free trial today at Train2Secure dot com — that's Train, the number two, Secure, dot com.

Elena

That is a case study in how AI-powered support tools can become attack surfaces when they're not designed with adversarial users in mind. Reducing friction for legitimate users and maintaining security controls are not automatically compatible goals, and that tension needs to be designed around deliberately. On to Oracle. The company launched its new monthly patch cycle last week, shipping fixes for thirty-five vulnerabilities — eleven rated critical, eighteen rated high. The headliner on paper is CVE-2026-46840, a perfect CVSS ten in Oracle REST Data Services, which is the API gateway many organizations use to expose their databases externally. An unauthenticated attacker can reach it over HTTPS and take it over completely — no credentials, no prior foothold. Two companion flaws in the same product score nine-point-nine. But here is the nuance patching teams need to hear: despite those headline scores, four other CVEs probably deserve your attention first. They carry confirmed proof-of-concept exploit code in the wild, affecting Oracle Communications Unified Assurance and REST Data Services again. All four trace back to open-source components embedded in Oracle products — a supply-chain lag problem that gives attackers a window between public disclosure and vendor patch. Proof-of-concept code in the wild means someone is already testing exploits. Start there.

Marcus

The CVSS score tells you theoretical severity. The existence of working exploit code tells you actual urgency. Those are not the same number. Staying in supply chain territory — researchers have identified a campaign called Miasma targeting npm packages associated with the Red Hat ecosystem. This one follows a now-familiar playbook: malicious code hidden in packages that executes at install time, harvests credentials from the developer's machine, and then injects itself into CI/CD pipelines — the automated build and deployment systems that sit at the heart of modern software development. From there it has the potential to propagate further into whatever the pipeline touches. Red Hat has not disclosed the specific packages affected but has urged developers to audit recent installations. The worm's self-propagating capability is what elevates this beyond a standard credential stealer. If it reaches a CI/CD pipeline with broad access, the blast radius grows fast. The immediate action items: audit your npm dependencies, watch network traffic for unexpected encrypted outbound flows, and make sure you are sourcing packages only from verified repositories.

Elena

The trust developers place in package managers is the core vulnerability being exploited here, and it keeps working because the convenience of that trust is real. Scrutinizing every package you install is genuinely inconvenient, which is why automated dependency scanning tools exist and why you should be using them. Now for something a little different — a story about a gap between how prepared organizations think they are and how prepared they actually are. Specifically, tabletop exercises. These are the structured drills where security and leadership teams walk through a simulated incident. They have real value, but research and practitioner experience suggests they also carry a specific failure mode: manufacturing false confidence. The most common error is starting without measurable objectives. Generic ransomware scenarios with vague goals test whether your team can improvise under pressure. They do not tell you whether your escalation paths work, whether your legal notification triggers are correctly set, or whether executives have clear decision authority. A second trap is drilling scenarios your team already handles comfortably. One practitioner described running a clean, well-structured tabletop that everyone passed — only for a real multi-region infrastructure failure months later to produce conflicting health statuses from two systems simultaneously, and no one could agree whether failover had even occurred. That scenario had never appeared in any exercise.

Marcus

The failure mode there wasn't panic, it was paralysis — because reality looked nothing like the practice run. The fix is deliberately injecting incomplete information, ambiguous signals, and scenarios your team has never seen. Make it uncomfortable. That's the point. Two quick items before we close. First, if you are a cybersecurity leader in Southeast Asia or Hong Kong — nominations are open for the 2026 CSO30 ASEAN and Hong Kong Awards. This is the sixth edition of the programme. Three pathways are available: CSO Leadership for individual decision-makers who measurably changed their organization's security posture, CSO Transformation for completed projects with quantifiable outcomes from the past twelve months, and Ecosystem for work that extended impact beyond your own organization's perimeter. The deadline is July 31st, 2026. Self-nominations are explicitly encouraged. Details are available through CSO's regional publications.

Elena

And finally, the big-picture gap story that ties a lot of what we covered today together. Proofpoint's 2025 Voice of the CISO Report found that fifty-eight percent of organizations surveyed said they were unprepared to handle a cyberattack. One-third of CISOs said the data inside their own organizations was not adequately protected. Only sixty-seven percent felt they had sufficient budget, headcount, and tooling to do their jobs. These are not outliers — they are the baseline. Part of the diagnosis from practitioners like Errol Weiss at Health-ISAC is that too many security programs are still framed as IT disciplines rather than business-continuity functions. The Change Healthcare attack in 2024 illustrated what happens when that framing fails — consequences spread far beyond any single IT environment. The second structural problem is execution velocity. Cisco Talos observed adversaries weaponizing newly disclosed vulnerabilities almost immediately after publication. Security teams, operating on monthly patch cycles and periodic pen tests, are not matching that tempo. The gap between when a vulnerability is known and when it is closed is exactly where attackers live.

Marcus

And that is the thread connecting almost everything in today's episode — from the Oracle patch-of-concept window to Miasma's supply chain timing to Meta's chatbot gap. Attackers move fast and exploit the space between awareness and action. Closing that space is the job. That's Threat Vectr Weekly for the week of June 8th. Thank you for spending ten minutes with us. If you want this briefing in your inbox every week with links to the underlying research, head to threatvectr dot com slash newsletter and subscribe. We'll be back next week. Stay sharp.

© 2026 Threat Vectr