All episodes
Week of Jun 22, 2026

Threat Vectr Weekly — week of Jun 22

13 min

Stories covered this week

Transcript

Narrated by two AI anchors. Lightly formatted for reading.

Marcus

Welcome to Threat Vectr Weekly for the week of June twenty-second. I'm Marcus, and joining me as always is Elena. This week we've got a lot to get through — a confirmed in-the-wild exploit hitting Palo Alto's GlobalProtect VPN, a massive takedown that brought down a phishing empire responsible for nearly two billion dollars in losses, and a sneaky WordPress supply-chain attack that only revealed itself to site administrators. Plus six more stories you need to hear. Let's get into it.

Marcus

We're starting with something that should be at the top of every network security team's patch queue right now. Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, an authentication bypass in PAN-OS affecting GlobalProtect portals and gateways. The CVSS score is 7.8, and what that means in plain terms is an attacker who has never logged into your VPN can walk through the front door anyway. GlobalProtect is the tunnel your remote workers, contractors, and admins use every single day. When that door opens for the wrong person, the historical playbook involves webshells, credential harvesting, and pivoting deeper into your internal network. Palo Alto hasn't named a threat actor or published indicators of compromise yet, but they've been clear: exploitation is happening now. There's no public proof-of-concept at this point, but in past PAN-OS edge bugs that window has been very short. If you haven't pulled Palo Alto's advisory and patched, that is the only thing that matters today.

Elena

Couldn't agree more, and I'll add — edge devices are exactly where attackers want to start because they're internet-facing, they're trusted, and they're often under-monitored compared to internal systems. Now, shifting from network edge to social engineering at scale — Group-IB has published research on a sweeping fraud campaign targeting Facebook users across the Middle East and North Africa. We're talking Egypt, Algeria, Morocco, Tunisia, and several Gulf states. The lures are deliberately mundane: free mobile data bundles, government subsidy enrollments, one-off cash payouts. They're timed to real cost-of-living pressures, which makes them believable. Victims who click get funneled through redirect chains to phishing pages that steal Facebook credentials, payment card details, or both. Some flows end with browser-push notification prompts that keep delivering scam content long after the initial click. Group-IB ties this to the Sniper Dz ecosystem — an Arabic-speaking fraud crew that sells phishing kits and ready-made templates to lower-tier operators through Telegram. This is a franchise model for fraud. The defense is the usual: slow down before clicking anything promising free money, and be skeptical of browser notification requests.

Marcus

Good framing on that, because the volume-over-sophistication model is genuinely effective and easy to underestimate. Now, our next story is a bit different — it's more of a practitioner reality check than a breach. European enterprises have spent the last two years and serious money building out sovereign cloud infrastructure under DORA, NIS2, and the incoming EU AI Act. The uncomfortable consensus that's emerging is that data residency — keeping data physically within a country's borders — turned out to be the easy part. The hard part is governance, specifically around identity. At the European Identity and Cloud Conference in Berlin last month, analysts were pointing out that the same organizations that locked down their data locations never adequately governed the AI agent identities operating inside those environments. Martin Kuppinger of KuppingerCole put it directly: sovereignty isn't binary, and the required level depends on your use case and a real risk assessment. The takeaway for practitioners is that sovereign cloud is a starting point, not a finish line. Knowing where your data lives is not the same as knowing who — or what — can touch it.

ElenaSponsored

A quick word from our sponsor, Train2Secure. Your people are your biggest cyber risk — and your strongest defence. Train2Secure runs realistic phishing simulations and short, engaging security-awareness training your team will actually finish, with compliance-ready reporting that runs on autopilot. Turn your staff into a human firewall. Start your free trial today at Train2Secure dot com — that's Train, the number two, Secure, dot com.

Elena

That identity governance gap is going to keep showing up in incident reports. Speaking of which, let's talk about a win. The FBI and Google have jointly dismantled a phishing-as-a-service platform called Outsider Enterprise, and the scale here is genuinely staggering. Nine thousand phishing sites. Nearly four million stolen payment card records. Estimated downstream losses of approximately 1.9 billion dollars. Outsider Enterprise wasn't a single campaign — it was a full-stack criminal business. Operators rented phishing kits, hosting, and credential-harvesting pipelines the same way a legitimate company buys software subscriptions. That model insulated the core operators from direct exposure to any one fraud event, which is exactly why these platforms are hard to kill. What made this takedown possible is the combination of Google's visibility into phishing domain patterns at internet scale and the FBI's legal authority to act. Neither could have done this alone. The practical signal here is that phishing-as-a-service infrastructure is increasingly sophisticated, and the commodity tooling available to even low-skill actors keeps improving. Your users are the target. Simulate attacks against them regularly.

Marcus

That public-private cooperation model is really becoming the template for taking down infrastructure at this scale. Over to France now, where officials have confirmed what a threat actor calling themselves Misere claimed first — a breach of Tchap, France's state-operated secure messaging platform built specifically to keep civil servants off consumer apps like WhatsApp. Approximately 73,000 government accounts are reported to be affected, with the actor claiming to have exfiltrated both message content and user data. The details on how they got in are still sparse. No vendor advisory has confirmed an initial access vector, and no CVE has been assigned to a Tchap-specific vulnerability at this time. Misere doesn't currently map to any tracked cluster in public threat intelligence — no CrowdStrike designation, no Mandiant attribution. That absence doesn't mean they're unsophisticated or operating alone; it just means attribution hasn't been established yet. What we can say is that stealing messages from a government-only platform suggests either targeted intelligence collection or a plan to weaponize that data later. Both read as espionage-adjacent, regardless of who's behind it.

Elena

And the irony of a sovereign secure messaging platform potentially being breached is not lost on anyone who just heard our sovereign cloud story. Now let's bring it down to the browser level — researchers have identified 152 Chrome extensions posing as live wallpaper and new-tab add-ons, collectively installed on roughly 105,000 browsers. The extensions are spread across 38 publisher accounts tied to three shared backend domains, and the structure appears to be a coordinated adware operation rather than a collection of unrelated apps. Here's why the architecture matters. By spreading 152 extensions across 38 accounts, each individual account holds only a handful of listings — just small enough to avoid triggering casual review thresholds. But they all funnel back to the same three backends for whatever monetization or telemetry is happening behind the scenes. The hook is the new-tab page override permission, which is exactly the lever you need to inject sponsored content, redirect search queries, or generate ad impressions the user never requested. Think of it as a 2008-era toolbar bundler with better animations. If you or your users have any new-tab or wallpaper extensions installed, this is a good week to audit them.

Marcus

Browser extension hygiene is genuinely one of those controls that gets skipped until something like this surfaces. Now for one that I think is the most technically elegant story of the week — and I mean elegant in the way that a well-designed trap is elegant. Someone modified JavaScript files distributed by three widely used WordPress services: PushEngage, OptinMonster, and TrustPulse. The tampered scripts carried a conditional backdoor — meaning they did absolutely nothing when a normal visitor loaded the page. But when a logged-in site administrator triggered the script, it used that admin's own active session to create a rogue administrator account and then silently install a hidden plugin designed to re-establish access even if someone later discovered and removed the rogue user. That conditional execution is a deliberate evasion choice. Anonymous vulnerability scanners never see it. Synthetic monitoring never sees it. Only the person with the most privileged session in the entire site triggers the payload. It's essentially a CSRF-style attack that bypasses nonce protections because the malicious code is loaded from a script the admin's browser already trusts. If you run WordPress, audit your installed scripts and plugins today. Watch for unexpected administrator accounts.

Elena

That is a genuinely clever piece of attacker tradecraft, and it underlines how supply-chain compromise doesn't require breaking into your systems directly — it just requires touching something you already trust. And on the theme of things we already trust too much, let's close with something that keeps showing up in breach forensics and probably sounds embarrassingly familiar to anyone who's worked IT helpdesk. Temporary onboarding credentials. New hire starts on Monday. IT provisions an account, sets a first-day password, and sends it over email or SMS before nine a.m. That's where the attack surface quietly opens. The credential itself often isn't the problem — the delivery channel is. SMS is unauthenticated by design. Corporate email at the point of onboarding is frequently the very mailbox the password is supposed to unlock. And if the new hire forwards that message to a personal Gmail to read on their phone — and they do — that secret is now sitting in a consumer inbox behind whatever password they set up years ago. Then add in helpdesk reuse patterns: Welcome2024, Company at sign 123, the office Wi-Fi name plus an exclamation point. Once one person figures out the formula, every attacker who phishes one new starter figures it out too. The fix isn't exotic. Force rotation on first login. Make the temporary password single-use. Deliver it through an out-of-band channel that isn't the mailbox being unlocked. And set a hard expiry — if the credential isn't used within 24 hours, it's dead. NIST SP 800-63B has covered this for years. Most identity teams already own the controls. They just need to actually enforce them together.

Marcus

And that is honestly the theme running through several of our stories this week — the gap between controls you own and controls you've actually enforced. Patch your GlobalProtect. Audit your WordPress plugins and browser extensions. And maybe take a look at what your helpdesk is sending new hires on Monday morning. That's it for Threat Vectr Weekly for the week of June twenty-second. Thank you for spending ten minutes with us. If you want all of these stories in your inbox before they hit the podcast, head to threatvectr dot com slash newsletter and subscribe. We'll see you next week.

© 2026 Threat Vectr