
Intelligence Insights: June 2026

By Bridewell CSIRT 2 July 2026 11 min read

Daniel Whitcombe, Threat Intelligence Analyst | Alex Jones, Junior Threat Intelligence Analyst | Gavin Knapp, Head of Cyber Threat Intelligence | Joshua Penny, Threat Intelligence Analyst 

The Bridewell Threat-Led Approach

Bridewell’s managed security services are built upon a proactive, threat-led defence strategy. Moving beyond reactive monitoring, we actively track adversary infrastructure and tradecraft. By seamlessly integrating Cyber Threat Intelligence (CTI), Incident Response (IR), and Managed Detection and Response (MDR), we ensure our clients remain ahead of the evolving threat landscape.

In a landscape defined by rapid adaptation, knowing what is attacking you is just as critical as knowing how. This month's edition draws on data from Bridewell's global MDR and Incident Response engagements to expose the top malicious infrastructure of June 2026. We go beyond the headlines to provide actionable detection guidance on the month's threat insights, equipping your team with the foresight to stay one step ahead.

Top 5 Malicious Infrastructure Threats Tracked

Name | Category | June Volume | Monthly Trend
Sliver | Exploitation Framework | 2866 | ▲ Increasing
GoPhish | Phishing | 556 | ▲ Increasing
Cerberus-Android | Remote Access Trojan (RAT) | 380 | ▼ Decreasing
Amnesia Stealer | Remote Access Trojan (RAT) | 158 | ▲ Increasing
Cobalt Strike | Exploitation Framework | 123 | ▼ Decreasing


Threat Detection Insights - June

Throughout June, our team tracked the continued emergence of local privilege escalation flaws affecting trusted, widely deployed Windows security components, a running theme this year. The standout this month was RoguePlanet, assigned CVE-2026-50656, a vulnerability in the Microsoft Malware Protection Engine that underpins Microsoft Defender, allowing a low-privileged local attacker to escalate to NT AUTHORITY\SYSTEM. What makes RoguePlanet notable is not the novelty of the technique but where it sits. Defender is present across the overwhelming majority of Windows estates and runs with high privileges by design, so a weakness in the engine itself offers an attacker an escalation path that blends with expected security tooling rather than standing out against it. With working proof-of-concept code publicly available and reported to function against fully patched Windows 10 and 11 systems, including those carrying the June updates, the barrier to exploitation is low and the value to an adversary already holding a foothold is high. As with the disclosures covered in previous months, RoguePlanet is not a standalone initial access vector; its danger lies in what it enables after compromise, including disabling protections, accessing stored credentials, and building a stronger platform for ransomware activity and lateral movement.

Alongside this, June also saw Microsoft Threat Intelligence report on a deliberate, multi-stage intrusion campaign targeting hospitality and hotel organisations across Europe and Asia, active since April and not yet attributed to a known actor. Rather than relying on any single novel technique, the campaign is significant for the care behind its tradecraft. Photo-themed lures and fake image shortcuts deliver an attack chain built on obfuscated PowerShell, a Node.js-based implant, and durable dual-registry persistence, with phishing routed through legitimate services such as Calendly and Google redirects to pass SPF, DKIM, and DMARC checks. This reflects a broader pattern in which attackers increasingly abuse trusted infrastructure and runtimes to evade detection and maintain access, reinforcing the need for layered, behaviour-based defence rather than reliance on single indicators or signed-process trust.

Microsoft Defender Elevation of Privilege Vulnerability CVE-2026-50656 (RoguePlanet)

RoguePlanet is a Microsoft Defender local privilege escalation vulnerability, tracked as CVE-2026-50656, affecting the Microsoft Malware Protection Engine that underpins Microsoft Defender. The flaw allows a low-privileged local adversary to escalate to NT AUTHORITY\SYSTEM on affected Windows operating systems, granting the highest level of execution available on the host.

The vulnerability is significant precisely because of where it sits. Microsoft Defender is deployed across the overwhelming majority of Windows estates and, by design, runs with high privileges to perform real-time inspection. A weakness in the protection engine itself therefore offers an attacker a trusted, near ubiquitous escalation path that blends with expected security tooling rather than standing out against it. This makes RoguePlanet an attractive post-compromise primitive for adversaries who already hold an initial foothold.

Public proof-of-concept (PoC) exploit code is available, and multiple sources report that RoguePlanet can be used against fully patched Windows 10 and Windows 11 systems, including devices carrying the June 2026 updates. The availability of working PoC code lowers the barrier to exploitation considerably, giving capable attackers a credible, testable primitive they can refine and integrate into broader intrusion chains. Successful exploitation could allow a threat actor to take complete control of a host, disable security controls, access stored credentials, deploy malware, or provide a stronger platform for ransomware activity and lateral movement.

Microsoft has acknowledged the vulnerability and stated that it is working on a security update. Until that update ships and is deployed, organisations should plan to apply it as a priority and, in the interim, rely on compensating controls: strict least-privilege enforcement, application allowlisting and execution prevention, and behavioural monitoring for anomalous local privilege escalation, in particular unexpected interactions with Defender components or processes attempting to abuse the protection engine. Note that Malware Protection Engine fixes are normally delivered through Defender engine and platform updates rather than the monthly cumulative update, so once Microsoft publishes the fixed version, confirm the installed engine version (Get-MpComputerStatus reports it as AMEngineVersion) rather than relying on Patch Tuesday status alone. As with GreenPlasma before it, RoguePlanet is not believed to be a standalone initial access vector; its value lies in what it enables after compromise.
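One way to implement the behavioural monitoring called for above, as an added hunting query that is not part of Bridewell's own analytics: it surfaces a process running as SYSTEM whose parent ran as an ordinary, non-service account. That privilege jump is the outcome any working local escalation produces, so it is independent of the pipe name or staging path a particular proof of concept happens to use. The seven-day window and the session-account filters are assumptions; a per-estate allowlist of parent images should be added after baselining.

```kql
// Added example (not a Bridewell analytic): generic local privilege escalation hunt.
// The child's token is SYSTEM but the parent ran as a normal user, i.e. the privilege
// jump a successful LPE exploit produces regardless of PoC-specific artefacts.
DeviceProcessEvents
| where Timestamp > ago(7d)                     // assumed lookback window
| where AccountName =~ "system"
| where isnotempty(InitiatingProcessAccountName)
// Drop parents that are themselves service or session accounts
| where InitiatingProcessAccountName !in~ ("system", "local service", "network service")
| where not(InitiatingProcessAccountName startswith "DWM-" or InitiatingProcessAccountName startswith "UMFD-")
| project
    Timestamp,
    DeviceName,
    ChildAccount = AccountName,
    FileName,
    ProcessCommandLine,
    ParentAccount = InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessIntegrityLevel
| order by Timestamp desc
```

Legitimate user-to-SYSTEM parent/child transitions are rare, so expect a short result set; anything with a low- or medium-integrity parent living in a user-writable path should be triaged first.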

Community Detection Opportunities

MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_PoC_RoguePlanetNamedPipe

This query detects the creation of, or connection to, a specific named pipe (\pipe\RoguePlanet) associated with the released proof-of-concept (PoC) for the RoguePlanet (CVE-2026-50656) local privilege escalation zero-day. According to threat intelligence, the exploit uses this pipe for inter-process communication (IPC) to verify SYSTEM privileges and deliver its payload by spawning conhost.exe in the interactive user's session. While advanced actors may alter the pipe name in adapted variants, this serves as a high-confidence indicator for the published PoC.

DeviceEvents
| where ActionType == "NamedPipeEvent"
// AdditionalFields is JSON; PipeName may carry the full object path, so match the trailing term
| extend PipeName_ = tostring(parse_json(AdditionalFields).PipeName)
| where PipeName_ has "RoguePlanet"
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    AdditionalFields

MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_PoC_TempRP_WermgrMasquerade

This query detects the file system preparation stage of the RoguePlanet (CVE-2026-50656) zero-day exploit. During this phase, the exploit extracts an embedded ISO and creates a staging directory structure inside the user's %TEMP% folder, prefixed with RP_ followed by a UUID, including a wdtest_temp subdirectory. It deliberately mimics the Windows system path by creating a System32 subdirectory and dropping a file named wermgr.exe inside it. This structural mirroring is designed to trick Defender's quarantine scanning path logic. Detecting this exact folder structure and file drop is a high-confidence indicator of the published PoC.

DeviceFileEvents
| where ActionType == "FileCreated"
// Filter early on the PoC's temporary staging prefix; contains rather than has, because the
// underscore and trailing UUID make RP_ an unreliable term boundary for term matching
| where FolderPath contains @"\Temp\RP_"
// Identify the wdtest_temp subdirectory and the masqueraded wermgr.exe under the fake System32
| where FolderPath contains "wdtest_temp"
    or (FolderPath has "System32" and FileName =~ "wermgr.exe")
| project
    Timestamp,
    DeviceName,
    RequestAccountName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    SHA256


Hospitality Themed Phishing Delivers Node.js Implant for Persistent Access

In late June 2026, Microsoft Threat Intelligence reported on an active, multi-stage intrusion campaign targeting hospitality and hotel organisations across Europe and Asia, observed since April 2026 and not yet attributed to a known threat actor. The campaign delivers photo-themed ZIP archives containing fake image shortcut files; when a target opens what appears to be a PNG, a shortcut (prefixed IMG- in the first wave and PHOTO- in the second) launches an attack chain built on obfuscated PowerShell, a Node.js-based implant, dual registry persistence, and command-and-control over non-standard ports.

The campaign is significant for the deliberation behind its tradecraft rather than any single novel technique. Delivery abuses legitimate infrastructure: Microsoft describes the routing of phishing through Calendly's notification system and Google's URL redirect as authentication laundering, whereby messages pass SPF, DKIM, and DMARC checks because they originate from genuinely authorised sending infrastructure, even though the content is malicious. Lures are generic and high-volume, themed around guest complaints and inspection notices in multiple languages, and target front-desk, reservations, and reception staff who routinely handle image and document attachments. The deliberate focus on a specific sector, combined with the operator's investment in obfuscation and persistence, suggests preparation for follow-on activity rather than opportunistic compromise.

The risk lies in the campaign's resilience and its blending with trusted system behaviour. The Node.js runtime is placed in a user-writable path and run with random script and domain arguments, while the implant disables Defender inspection of follow-on binaries by adding process exclusions for temporary-path executables before launching them. Persistence is notably durable: a dual model pairs a Run key pointing to the Node.js component with a self-refreshing RunOnce entry pointing to a relocated payload, creating a loop that repopulates itself after each execution. Microsoft observed this persistence surviving an active Defender block; roughly two days after a payload was blocked, the implant reactivated and resumed C2. Successful compromise has progressed to C2 beaconing, automated headless browser activity, environment lookups, and forced shutdowns, with the operator iterating its PowerShell loader across seven obfuscation phases to stay ahead of static detection.
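To make the exclusion-before-launch behaviour described above concrete, here is an added correlation query that is not part of the original page or of Microsoft's guidance. It joins a Defender process-exclusion write whose excluded path sits in a temporary or user-writable location to a subsequent start of that same executable on the same device. The one-hour window, the path terms and the seven-day lookback are assumptions.

```kql
// Added example (not a Bridewell or Microsoft analytic).
// Step 1: a process exclusion written under Windows Defender\Exclusions\Processes
//         (contains matches both the live key and the Policies key). The excluded
//         executable path is the registry value *name* under that key.
let lookback = 7d;                               // assumed lookback window
let Exclusions =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey contains @"\Windows Defender\Exclusions\Processes"
    // Term match on path components typical of user-writable / temporary locations
    | where RegistryValueName has_any ("temp", "appdata", "programdata", "users", "public")
    | project
        DeviceId,
        ExclusionTime = Timestamp,
        ExcludedPath = tolower(RegistryValueName),
        ExclusionWriter = InitiatingProcessFileName,
        ExclusionWriterCmd = InitiatingProcessCommandLine;
// Step 2: the excluded executable starts on the same device shortly afterwards.
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Normalise to a full image path whether or not FolderPath already carries the file name
| extend ImagePath = tolower(iff(FolderPath endswith FileName, FolderPath, strcat(FolderPath, @"\", FileName)))
| join kind=inner Exclusions on DeviceId
| where ImagePath endswith ExcludedPath
| where Timestamp between (ExclusionTime .. (ExclusionTime + 1h))   // assumed window
| project
    ExclusionTime,
    LaunchTime = Timestamp,
    DeviceName,
    AccountName,
    ImagePath,
    ProcessCommandLine,
    ExclusionWriter,
    ExclusionWriterCmd
| order by LaunchTime desc
```

The exclusion write on its own is already worth an alert on most estates; the join is what separates an operator excluding a dropped payload from an administrator excluding a line-of-business tool, because the former is immediately followed by execution of the excluded binary from the same temporary path.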

No vendor patch applies here, as this is an intrusion campaign rather than a vulnerability; defence rests on layered, behaviour-based detection rather than single indicators. Microsoft's guidance, which we echo, includes treating photo-themed ZIPs and fake image shortcuts as high-risk, monitoring PowerShell for BigInt decode-and-download patterns, investigating Node.js execution from user-space paths, alerting on Defender exclusion changes tied to temporary executables, and reviewing both Run and RunOnce persistence. Critically, complete remediation requires removing both keys along with the Node.js runtime and associated files, since clearing one path alone leaves the implant able to re-attempt delivery. Organisations in hospitality and adjacent service sectors should prioritise hunting on guest-facing systems first.
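An added hunting query for the dual Run/RunOnce persistence model, not part of the original page or of Microsoft's guidance: it groups Run and RunOnce value writes by the writing process and surfaces cases where a single process touched both, recording whether the value data references node.exe or a user-writable path. The same-process grouping, the path terms and the seven-day window are assumptions; because the RunOnce entry is described as self-refreshing, later refreshes may come from the relaunched payload rather than the original writer, so a variant without the process grouping should be run alongside on noisy estates.

```kql
// Added example (not a Bridewell or Microsoft analytic).
// Dual Run + RunOnce persistence written by the same process, where the value data
// references node.exe or a user-writable path. Remediation must remove BOTH keys
// plus the runtime and payload files, or the loop repopulates itself.
DeviceRegistryEvents
| where Timestamp > ago(7d)                      // assumed lookback window
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\CurrentVersion\Run" or RegistryKey endswith @"\CurrentVersion\RunOnce"
| extend KeyType = iff(RegistryKey endswith "RunOnce", "RunOnce", "Run")
// node.exe or a relocated copy of the runtime named in the value data
| extend PointsAtNode = RegistryValueData has "node"
// Value data launching something from a user-writable / temporary location
| extend UserWritable = RegistryValueData has_any ("temp", "appdata", "programdata", "users", "public")
| where PointsAtNode or UserWritable
| summarize
    KeyTypes = make_set(KeyType),
    Values = make_set(RegistryValueData, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    NodeWrites = countif(PointsAtNode)
    by DeviceName, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| where array_length(KeyTypes) == 2              // the same process wrote both Run and RunOnce
| project
    FirstSeen,
    LastSeen,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    KeyTypes,
    Values,
    NodeWrites
| order by LastSeen desc
```

When a hit is confirmed, collect both value data strings before removal: the Run entry identifies the Node.js component and the RunOnce entry the relocated payload, and both paths need to be cleared along with the keys for remediation to hold.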


Bridewell CSIRT Detection Rules & Analytics

Detection Analytic Concept | Category
MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_VHD/VHDX_and_SMB_Activity | Execution
MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_mklink_Activity | Privilege Escalation
MDE_KQL_DeviceFileEvents_BR-UNC-035_Lure_Files_Dropped_by_Staff | Defence Evasion, Initial Access
MDE_KQL_DeviceProcessEvents_Explorer_Spawning_Obfuscated_PowerShell | Execution
MDE_KQL_Suspicious_C2_Resolution_by_Unusual_TLD | Execution
MDE_KQL_DeviceProcessEvents_Nodejs_ReverseShell_Execution | Command and Control

Stop Reacting. Start Hunting.

Bridewell’s threat-led MDR service combines world-class analysts with proprietary intelligence to protect your critical infrastructure and assets 24/7.
