Daniel Whitcombe, Threat Intelligence Analyst | Alex Jones, Junior Threat Intelligence Analyst | Gavin Knapp, Head of Cyber Threat Intelligence | Joshua Penny, Threat Intelligence Analyst
The Bridewell Threat-Led Approach
Bridewell’s managed security services are built upon a proactive, threat-led defence strategy. Moving beyond reactive monitoring, we actively track adversary infrastructure and tradecraft. By seamlessly integrating Cyber Threat Intelligence (CTI), Incident Response (IR), and Managed Detection and Response (MDR), we ensure our clients remain ahead of the evolving threat landscape.
In a landscape defined by rapid adaptation, knowing what is attacking you is just as critical as knowing how. This month’s Threat Insights leverages data from Bridewell’s global MDR and Incident Response engagements to expose the top malicious infrastructure of June 2026. We go beyond the headlines to provide actionable detection guidance on the month's threat insights, equipping your team with the foresight to stay one step ahead.
Top 5 Malicious Infrastructure Threats Tracked
| Name | Category | June Volume | Monthly Trend |
|---|---|---|---|
| Sliver | Exploitation Framework | 2866 | ▲ Increasing |
| GoPhish | Phishing | 556 | ▲ Increasing |
| Cerberus-Android | Remote Access Trojan (RAT) | 380 | ▼ Decreasing |
| Amnesia Stealer | Remote Access Trojan (RAT) | 158 | ▲ Increasing |
| Cobalt Strike | Exploitation Framework | 123 | ▼ Decreasing |
Threat Detection Insights - June
Throughout June, our team tracked the continued emergence of local privilege escalation flaws affecting trusted, widely deployed Windows security components, a running theme this year. The standout this month was RoguePlanet, assigned CVE-2026-50656, a vulnerability in the Microsoft Malware Protection Engine that underpins Microsoft Defender, allowing a low-privileged local attacker to escalate to NT AUTHORITY\SYSTEM. What makes RoguePlanet notable is not the novelty of the technique but where it sits. Defender is present across the overwhelming majority of Windows estates and runs with high privileges by design, so a weakness in the engine itself offers an attacker an escalation path that blends with expected security tooling rather than standing out against it. With working proof-of-concept code publicly available and reported to function against fully patched Windows 10 and 11 systems, including those carrying the June updates, the barrier to exploitation is low and the value to an adversary already holding a foothold is high. As with the disclosures covered in previous months, RoguePlanet is not a standalone initial access vector; its danger lies in what it enables after compromise, including disabling protections, accessing stored credentials, and building a stronger platform for ransomware activity and lateral movement.
Alongside this, June also saw Microsoft Threat Intelligence report on a deliberate, multi-stage intrusion campaign targeting hospitality and hotel organisations across Europe and Asia, active since April and not yet attributed to a known actor. Rather than relying on any single novel technique, the campaign is significant for the care behind its tradecraft. Photo-themed lures and fake image shortcuts deliver an attack chain built on obfuscated PowerShell, a Node.js-based implant, and durable dual-registry persistence, with phishing routed through legitimate services such as Calendly and Google redirects to pass SPF, DKIM, and DMARC checks. This reflects a broader pattern in which attackers increasingly abuse trusted infrastructure and runtimes to evade detection and maintain access, reinforcing the need for layered, behaviour-based defence rather than reliance on single indicators or signed-process trust.
Microsoft Defender Elevation of Privilege Vulnerability CVE-2026-50656 (RoguePlanet)
RoguePlanet is a Microsoft Defender local privilege escalation vulnerability, tracked as CVE-2026-50656, affecting the Microsoft Malware Protection Engine that underpins Microsoft Defender. The flaw allows a low-privileged local adversary to escalate to NT AUTHORITY\SYSTEM on affected Windows operating systems, granting the highest level of execution available on the host.
The vulnerability is significant precisely because of where it sits. Microsoft Defender is deployed across the overwhelming majority of Windows estates and, by design, runs with high privileges to perform real-time inspection. A weakness in the protection engine itself therefore offers an attacker a trusted, near-ubiquitous escalation path that blends with expected security tooling rather than standing out against it. This makes RoguePlanet an attractive post-compromise primitive for adversaries who already hold an initial foothold.
Public proof-of-concept (PoC) exploit code is available, and multiple sources report that RoguePlanet can be used against fully patched Windows 10 and Windows 11 systems, including devices carrying the June 2026 updates. The availability of working PoC code lowers the barrier to exploitation considerably, giving capable attackers a credible, testable primitive they can refine and integrate into broader intrusion chains. Successful exploitation could allow a threat actor to take complete control of a host, disable security controls, access stored credentials, deploy malware, or provide a stronger platform for ransomware activity and lateral movement.
Microsoft has acknowledged the vulnerability and stated that it is working on a security update to mitigate it. Until that fix is released and deployed, organisations should prioritise the eventual update and, in the interim, rely on compensating controls: strict least-privilege enforcement, application allowlisting and execution prevention, and behavioural monitoring for anomalous local privilege escalation activity, particularly unexpected interactions with Defender components or processes attempting to abuse the protection engine. As with GreenPlasma, RoguePlanet is not believed to be a standalone initial access vector; its value lies in what it enables after compromise.
Community Detection Opportunities
MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_PoC_RoguePlanetNamedPipe
This query detects the creation of, or connection to, a specific named pipe (\pipe\RoguePlanet) associated with the released proof-of-concept (PoC) for the RoguePlanet (CVE-2026-50656) local privilege escalation zero-day. According to threat intelligence, the exploit uses this pipe for inter-process communication (IPC) to verify SYSTEM privileges and deliver its payload by spawning conhost.exe in the interactive user's session. While advanced actors may alter the pipe name in adapted variants, this serves as a high-confidence indicator for the published PoC.
```kql
// Named pipe telemetry is recorded in DeviceEvents under ActionType "NamedPipeEvent"
DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend PipeName_ = tostring(AdditionalFields.PipeName)
// 'has' matches the pipe name as a whole term whether or not the
// \Device\NamedPipe\ prefix is present in the recorded value
| where PipeName_ has "RoguePlanet"
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    AdditionalFields
```
MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_PoC_TempRP_WermgrMasquerade
This query detects the file system preparation stage of the RoguePlanet (CVE-2026-50656) zero-day exploit. During this phase, the exploit extracts an embedded ISO and creates a staging directory structure inside the user's %TEMP% folder, prefixed with RP_ followed by a UUID. It deliberately mimics the Windows system path by creating a System32 subdirectory and dropping a file named wermgr.exe inside it. This structural mirroring is designed to trick Defender's quarantine scanning path logic. Detecting this exact folder structure and file drop is a high-confidence indicator of the published PoC.
```kql
DeviceFileEvents
| where ActionType == "FileCreated"
// Filter early for the unique temporary directory prefix used by the PoC.
// 'contains' rather than 'has' because "RP_" is only the start of the
// directory name (RP_<UUID>), not a whole term.
| where FolderPath contains @"\Temp\RP_"
// Identify the specific subdirectories and masqueraded file used to trick Defender's path logic
| where FolderPath has @"wdtest_temp"
    or (FolderPath has @"System32" and FileName =~ "wermgr.exe")
| project
    Timestamp,
    DeviceName,
    RequestAccountName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    SHA256
```
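The two hunting queries above express the named-pipe indicator and the staging-directory indicator in KQL. As an added example, not Bridewell's code, the Python below implements the same two checks over a handful of constructed MDE-style events (field names follow the Advanced Hunting schema; the device names, timestamps, account names and paths are made up) and then correlates them per device. That correlation is the check an analyst wants before escalating: either rule alone is a PoC-specific indicator, while both firing on one host within the same session is a much stronger signal.

```python
"""Added example (not Bridewell's code): the two RoguePlanet PoC detections
above, re-expressed in Python and run over constructed MDE-style events.
Field names follow the Microsoft Defender Advanced Hunting schema; the
device names, timestamps, account names and paths are made up."""
import json
import re

# Detection 1 - named pipe used by the published PoC.  The final path
# component is matched so that both the bare name and the fully qualified
# \Device\NamedPipe\RoguePlanet form are caught.
PIPE_RE = re.compile(r"(^|\\)RoguePlanet$", re.IGNORECASE)

# Detection 2 - %TEMP%\RP_<uuid> staging tree.  "\Temp\RP_" mirrors the KQL
# prefix filter; the UUID suffix is not validated, matching the query above.
STAGING_RE = re.compile(r"\\Temp\\RP_", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"(^|\\)System32(\\|$)", re.IGNORECASE)


def is_rogueplanet_pipe(event: dict) -> bool:
    """DeviceEvents: NamedPipeEvent whose PipeName ends in RoguePlanet."""
    if event.get("ActionType") != "NamedPipeEvent":
        return False
    fields = event.get("AdditionalFields") or {}
    if isinstance(fields, str):  # AdditionalFields is exported as JSON text
        fields = json.loads(fields)
    return bool(PIPE_RE.search(str(fields.get("PipeName", ""))))


def is_rogueplanet_staging(event: dict) -> bool:
    """DeviceFileEvents: FileCreated under a Temp RP_ staging folder that
    either touches wdtest_temp or drops wermgr.exe into a fake System32."""
    if event.get("ActionType") != "FileCreated":
        return False
    folder = event.get("FolderPath", "")
    if not STAGING_RE.search(folder):
        return False
    if "wdtest_temp" in folder.lower():
        return True
    return bool(SYSTEM32_RE.search(folder)) and event.get("FileName", "").lower() == "wermgr.exe"


def hunt(events):
    """Return (rule, device, timestamp) for every event a rule fires on."""
    hits = []
    for ev in events:
        if is_rogueplanet_pipe(ev):
            hits.append(("PoC_RoguePlanetNamedPipe", ev["DeviceName"], ev["Timestamp"]))
        elif is_rogueplanet_staging(ev):
            hits.append(("PoC_TempRP_WermgrMasquerade", ev["DeviceName"], ev["Timestamp"]))
    return hits


def devices_with_both_stages(hits):
    """Hosts where both the staging indicator and the pipe indicator fired."""
    seen = {}
    for rule, device, _ in hits:
        seen.setdefault(device, set()).add(rule)
    return sorted(d for d, rules in seen.items() if len(rules) == 2)


# Constructed sample telemetry: two PoC-consistent events on ws-0421 and two
# benign look-alikes (a legitimate pipe, the real wermgr.exe under C:\Windows).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-14T09:12:01Z", "DeviceName": "ws-0421",
     "ActionType": "FileCreated", "FileName": "wermgr.exe",
     "FolderPath": r"C:\Users\jdoe\AppData\Local\Temp\RP_3fa85f64-5717-4562-b3fc-2c963f66afa6\System32\wermgr.exe",
     "InitiatingProcessFileName": "rp.exe"},
    {"Timestamp": "2026-06-14T09:12:03Z", "DeviceName": "ws-0421",
     "ActionType": "NamedPipeEvent", "InitiatingProcessFileName": "rp.exe",
     "AdditionalFields": '{"PipeName": "\\\\Device\\\\NamedPipe\\\\RoguePlanet"}'},
    {"Timestamp": "2026-06-14T09:15:00Z", "DeviceName": "ws-0422",
     "ActionType": "NamedPipeEvent", "InitiatingProcessFileName": "svchost.exe",
     "AdditionalFields": '{"PipeName": "\\\\Device\\\\NamedPipe\\\\lsass"}'},
    {"Timestamp": "2026-06-14T09:16:00Z", "DeviceName": "ws-0422",
     "ActionType": "FileCreated", "FileName": "wermgr.exe",
     "FolderPath": r"C:\Windows\System32\wermgr.exe",
     "InitiatingProcessFileName": "TiWorker.exe"},
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print("both stages on:", devices_with_both_stages(hits))
```

Against the sample set only ws-0421 is reported by both rules; the genuine `C:\Windows\System32\wermgr.exe` and the `lsass` pipe on ws-0422 are ignored because neither sits under a `Temp\RP_` staging folder nor ends in the PoC pipe name.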
Bridewell CSIRT Detection Rules & Analytics
| Detection Analytic Concept | Category |
|---|---|
| MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_VHD/VHDX_and_SMB_Activity | Execution |
| MDE_DeviceProcessEvents_Microsoft_CVE-2026-50656_mklink_Activity | Privilege Escalation |
| MDE_KQL_DeviceFileEvents_BR-UNC-035_Lure_Files_Dropped_by_Staff | Defence Evasion, Initial Access |
| MDE_KQL_DeviceProcessEvents_Explorer_Spawning_Obfuscated_PowerShell | Execution |
| MDE_KQL_Suspicious_C2_Resolution_by_Unusual_TLD | Execution |
| MDE_KQL_DeviceProcessEvents_Nodejs_ReverseShell_Execution | Command and Control |
Stop Reacting. Start Hunting.
Bridewell’s threat-led MDR service combines world-class analysts with proprietary intelligence to protect your critical infrastructure and assets 24/7.