June 2026: Biggest Cyber Attacks, Data Breaches, Ransomware Attacks

Date: 1 July 2026


June 2026 proved to be another relentless month in the cyber threat landscape. Attackers struck across pharmaceuticals, higher education, government, gaming, and critical utilities alike. From the breach at pharmaceutical giant Novo Nordisk and the disruption at the University of Nottingham to incidents impacting the Council of Europe and gaming powerhouse Nintendo, threat actors once again demonstrated that no sector — public or private, commercial or institutional — is beyond their reach.

  1. Ransomware Attacks in June 2026
  2. Data Breaches in June 2026 
  3. Cyber Attacks in June 2026
  4. New Malware and Ransomware Discovered
  5. Vulnerabilities Discovered and Patches Released 
  6. Advisories issued, reports, analysis etc. in June 2026

The month's most significant incidents spanned a strikingly diverse set of organisations, including Texas government systems, Eastman Kodak, Klue, Tata Electronics, London Hydro, and dental benefits administrator DentaQuest.

Collectively, these attacks underscore several of the trends now defining the modern threat landscape: the targeting of government and critical infrastructure, the persistent exposure of sensitive personal and health data, and the ripple effects that a single breach can send through interconnected supply chains and third-party ecosystems. Whether the prize was citizen records, manufacturing operations, or customer data, the common thread was operational disruption and the erosion of hard-won trust.

As organisations grow ever more reliant on cloud platforms, SaaS services, and complex digital supply chains, the consequences of a single cyber incident continue to escalate. The organisations that weather these storms best are rarely the ones that were never targeted. They're the ones that were ready. And readiness is something you build deliberately, long before an attacker comes knocking.

That starts with a robust cyber incident response plan, so your team knows exactly how to act when every minute counts. It's reinforced by scenario-specific playbooks that turn a generic plan into clear, step-by-step guidance for the threats most likely to hit your organisation. It's pressure-tested through cyber tabletop exercises, where your people build the muscle memory to respond calmly under real-world conditions. And it's anchored at the top by executive crisis training, because how your leaders make decisions in the first few hours often determines how the entire crisis unfolds. Together, these capabilities dramatically improve your ability to prevent, detect, respond to, and recover from attacks like the ones above.

At Cyber Management Alliance, this is exactly what we help organisations build. Our NCSC-Assured Cyber Incident Planning & Response training equips teams with the knowledge and confidence to lead through a crisis. Our expert-led cyber tabletop exercises put that knowledge to the test in realistic, engaging simulations. And our bespoke incident response playbook creation and review workshops ensure your plans are practical, current, and genuinely fit for purpose. Because in today's threat landscape, agility in response isn't optional — it's your competitive advantage.

Ransomware Attacks in June 2026

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
| --- | --- | --- | --- | --- | --- |
| June 2, 2026 | Potential enterprise and organisational networks using Active Directory environments | AI-Built Ransomware Toolkit Automates EDR Evasion, AD Discovery | Unknown | The AI-generated ransomware toolkit streamlined key attack stages by automating security evasion and network discovery tasks, potentially enabling attackers to compromise enterprise environments more quickly and efficiently. | Source: Bleeping Computer |
| June 3, 2026 | Nobitex | The US Sanctions Nobitex Crypto Exchange Used by Ransomware | Multiple ransomware groups and cybercriminal actors (as cited by U.S. authorities) | The exchange allegedly facilitated financial transactions linked to ransomware operations and other cybercrime activities, helping threat actors move and launder proceeds obtained from attacks. | Nobitex Crypto Exchange Used by Ransomware |
| June 7, 2026 | Law firms and legal organisations | Silent Ransom Group Targets Law Firms With Fake IT Support Calls | Silent Ransom Group (SRG) | The attackers used social engineering and fake IT support calls to gain access to law firm networks, steal sensitive legal data, and extort victims by threatening to leak the stolen information. | Source: Bleeping Computer |
| June 8, 2026 | Organisations using vulnerable VPN appliances | Check Point links VPN zero-day attacks to Qilin Ransomware gang | Qilin Ransomware Gang | The attackers exploited a VPN zero-day vulnerability to gain unauthorised access to corporate networks, enabling them to deploy ransomware, disrupt operations, and increase the risk of data theft and extortion. | Source: Bleeping Computer |
| June 12, 2026 | Multiple organisations targeted by the Conti ransomware operation | Ukrainian national pleads guilty to role in Conti Ransomware operation | Conti Ransomware Group | The Conti ransomware operation encrypted victims' systems, disrupted business operations, and caused significant financial losses through extortion demands and recovery efforts. | Source: Bleeping Computer |
| June 16, 2026 | Organisations targeted by the ransomware campaign | Ransomware gang abuses Microsoft Teams relays to hide malicious traffic | Storm-1175 | The ransomware group concealed malicious communications through Microsoft Teams relays, helping attackers evade detection while gaining access to victim networks and increasing the risk of ransomware deployment and operational disruption. | Source: Bleeping Computer |
| June 18, 2026 | Organisations targeted by the Gentlemen ransomware operation | Gentlemen Ransomware uses multiple EDR killers to disable defenses | Gentlemen Ransomware Group | The ransomware operators disabled endpoint security tools using multiple EDR-killing utilities before encrypting systems, increasing the likelihood of successful attacks, operational disruption, and financial losses for victims. | Source: Bleeping Computer |
| June 22, 2026 | Multiple organisations and individuals (potential targets of the Prinz Eugen ransomware campaign) | New Prinz Eugen ransomware prioritises recent files for encryption | Prinz Eugen Ransomware Operators | The Prinz Eugen ransomware encrypted victims’ most recently modified files first, increasing operational disruption and pressure on organisations by immediately targeting the data most likely to be actively used and business-critical. | Source: Bleeping Computer |
| June 23, 2026 | Bajaj Auto | Bajaj Auto says ransomware attack hits systems | Unknown | A ransomware attack disrupted parts of Bajaj Auto’s IT infrastructure, affecting certain business operations and prompting the company to implement containment measures while assessing the full impact of the incident. | Bajaj Auto Ransomware Attack |



Data Breaches in June 2026

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
| --- | --- | --- | --- | --- | --- |
| June 4, 2026 | World Food Programme (WFP) | UN Food Agency investigates Gaza Aid breach | Unknown | The breach exposed sensitive information linked to people receiving humanitarian assistance in Gaza, prompting an investigation into the unauthorized access of WFP data systems. | Gaza Aid Breach |
| June 4, 2026 | DentaQuest customers and members | DentaQuest data breach exposed information of 2.6 million accounts | Unknown | DentaQuest breach exposed sensitive personal and health-related information belonging to approximately 2.6 million individuals, increasing the risk of identity theft and fraud for affected members. | Source: Bleeping Computer |
| June 8, 2026 | Instagram users who contacted Meta AI support services | Meta AI Support data breach affects 20,000 Instagram accounts | Unknown | The breach exposed support case information linked to about 20,000 Instagram accounts, potentially revealing personal details and private communications submitted to Meta AI support teams. | Source: Bleeping Computer |
| June 8, 2026 | SoFi Hong Kong customers and applicants | SoFi confirms third-party data breach at Hong Kong subsidiary | Unknown | The breach exposed personal information belonging to customers and applicants of SoFi's Hong Kong subsidiary after a third-party service provider was compromised, increasing the risk of identity theft and fraud. | Source: Bleeping Computer |
| June 9, 2026 | ServiceNow customers | ServiceNow discloses security incident exposing customer data | Unknown | The security incident exposed customer data stored within affected ServiceNow environments, potentially giving unauthorised parties access to sensitive business information and customer records. | Source: Bleeping Computer |
| June 11, 2026 | Tchap users, including French government employees and public officials | French Government messaging app Tchap suffers security breach; Hundreds of thousands of messages allegedly stolen | Unknown | The breach allegedly exposed hundreds of thousands of private messages exchanged through the French government's Tchap platform, raising concerns over the security of official communications and sensitive information. | French Government messaging app Tchap Security Breach |
| June 11, 2026 | Organisations using vulnerable Oracle PeopleSoft systems | Oracle mitigates PeopleSoft Zero Day exploited in data theft attacks | Unknown | Attackers exploited a PeopleSoft zero-day vulnerability to gain unauthorised access to affected systems and steal sensitive data from impacted organisations. | Source: Bleeping Computer |
| June 11, 2026, June 16, 2026 | Novo Nordisk | Hacking group claims major hack of Novo Nordisk, attempted $25 million extortion | Hunters International | Unauthorised access to Novo Nordisk systems resulted in the external copying of non-public and clinical trial-related patient data, prompting an investigation and the temporary shutdown of some internal IT systems. | Source: Reuters |
| June 11, 2026 | University of Nottingham | University of Nottingham confirms breach after hackers leak data | Unknown | The breach resulted in the unauthorised exposure of university data after attackers leaked stolen information online, raising concerns about the security of sensitive records belonging to the institution and affected individuals. | University of Nottingham Security Breach |
| June 14, 2026 | Four Iranian banks | Iran Says Limited cyber attack disrupts services at four banks, State Media Says | Unknown | The cyber attack temporarily disrupted banking services at four Iranian banks, affecting customer access to financial services and causing operational interruptions before services were restored. | Source: Reuters |
| June 15, 2026 | Organisations operating vulnerable REDCap servers, including medical and research institutions | Chinese hackers breach REDCap servers, Steal medical research | Chinese state-backed hackers | The attackers compromised vulnerable REDCap servers and stole sensitive medical research data, exposing valuable research information and potentially affecting institutions involved in healthcare and scientific studies. | Source: Bleeping Computer |
| June 15, 2026 | Council of Europe | ShinyHunters claims Council of Europe hack | ShinyHunters | ShinyHunters claimed to have stolen and leaked data from the Council of Europe, potentially exposing sensitive organisational information and prompting an investigation into the alleged breach. | Source: www.securityweek.com |
| June 15, 2026 | Eastman Kodak Company | ShinyHunters claims Kodak Hack; 2 million records allegedly exposed | ShinyHunters | ShinyHunters claimed to have accessed and exposed approximately two million Kodak records, potentially putting sensitive customer and business-related information at risk of unauthorized disclosure. | ShinyHunters claims Kodak Hack |
| June 16, 2026 | iRhythm Technologies | iRhythm discloses data breach, says hackers stole patient info | Unknown | Hackers gained unauthorised access to iRhythm systems and stole sensitive patient information, exposing affected individuals to privacy risks and potential misuse of their healthcare data. | Source: Bleeping Computer |
| June 16, 2026 | Android users of targeted banking and cryptocurrency applications | New Rokarolla Android malware targets 217 banking, crypto apps | Unknown | The Rokarolla malware targeted hundreds of banking and cryptocurrency apps to steal login credentials and financial information, putting affected users at risk of account compromise and monetary theft. | Source: Bleeping Computer |
| June 17, 2026 | Users of multiple online services and platforms | 24 Billion credentials exposed in massive data leak, researchers warn | Unknown | Billions of login credentials compiled from numerous sources were exposed online, significantly increasing the risk of account takeovers, identity theft, and large-scale credential-stuffing attacks against affected users. | 24 Billion credentials exposed in massive data leak |
| June 18, 2026 | Klue and affected Salesforce customers | Klue OAuth breach linked to Icarus Salesforce data theft attacks | Icarus | Attackers abused a compromised OAuth connection to access Salesforce data, exposing sensitive business information from affected organisations and expanding the scope of the Icarus data theft campaign. | Source: Bleeping Computer |
| June 18, 2026 | Texas Parks and Wildlife Department | Texas Parks & Wildlife data breach exposes millions of driver's licenses, passport numbers | Unknown | A data breach at the Texas Parks and Wildlife Department exposed sensitive personal information, including driver's license and passport numbers, affecting millions of individuals whose records were stored in the agency’s systems. | Texas Parks & Wildlife Data Breach |
| June 18, 2026 | Amazon One Medical | Amazon One Medical data breach exposed patient information | Unknown | Unauthorised access to patient records exposed sensitive personal and healthcare information, creating privacy risks for affected One Medical patients and prompting an investigation into the incident. | Source: cybernews.com |
| June 18, 2026 | Nintendo | Nintendo confirms data stolen in WebMD subsidiary cyber attack | Unknown | Personal information belonging to Nintendo job applicants was stolen after attackers breached a WebMD subsidiary’s recruitment platform, exposing applicant data that had been shared with Nintendo during the hiring process. | Source: Bleeping Computer |
| June 19, 2026 | GrayRobinson | Cyber attack on law firm GrayRobinson compromised personal data of over 65,000 people | Unknown | A cyber attack on GrayRobinson resulted in the theft of sensitive personal and health information belonging to more than 65,000 individuals after an unauthorised party accessed and exfiltrated files from the firm's network. | Cyber attack on law firm GrayRobinson |
| June 22, 2026 | Optimum First Mortgage | Optimum First Mortgage Data Breach; Edelson Lechtzin LLP launches investigation into exposure of personal information | Unknown | A data breach at Optimum First Mortgage exposed sensitive personal information belonging to customers and individuals associated with the company, creating risks of identity theft, fraud, and misuse of the compromised data. | Optimum First Mortgage Data Breach |
| June 22, 2026 | Tata Electronics | Tata Electronics, a major tech supplier to Apple and Tesla, confirms data breach | Hunters International | A breach at Tata Electronics led to the theft and public leak of company data, exposing internal information and documents after attackers claimed to have exfiltrated files from the firm's systems. | Source: TechCrunch |
| June 22, 2026 | London Hydro | London Hydro customer data potentially compromised in security incident | Unknown | A security incident at London Hydro potentially exposed customer personal information, prompting the utility to investigate the breach and notify affected individuals about the risk of unauthorised access to their data. | London Hydro customer data breach |
| June 22, 2026 | Belgian State Security Service | Belgian state security hit by Ivanti data breach | Suspected Chinese State-Backed Hackers | A breach involving a vulnerable Ivanti platform exposed sensitive communications and personal data held by Belgium’s State Security Service, potentially compromising intelligence-related information and contacts accumulated over several years. | Source: www.techzine.eu |
| June 22, 2026 | Alcott HR | Alcott HR data breach exposes personal information, Murphy Law Firm investigates legal claims | Unknown | A data breach at Alcott HR exposed sensitive personal information belonging to current and former employees and dependents, increasing the risk of identity theft, financial fraud, and misuse of compromised data. | Source: www.globenewswire.com |
| June 22, 2026 | One Medical Seniors | ShinyHunters threatens to leak One Medical Seniors patient data | ShinyHunters | ShinyHunters claimed to have stolen sensitive patient information from One Medical Seniors and threatened to publicly leak the data, potentially exposing affected patients to privacy risks, identity theft, and fraud. | ShinyHunters threatens to leak One Medical Seniors patient data |
| June 22, 2026 | XSOLIS, Inc. | XSOLIS, Inc. data breach: Edelson Lechtzin LLP launches investigation into exposure of personal information | Unknown | A data breach at XSOLIS exposed sensitive personal information entrusted to the healthcare technology company, potentially putting affected individuals at risk of identity theft, fraud, and other misuse of their personal data. | Source: prnewswire.com |
| June 22, 2026 | Organisations using vulnerable Fortinet FortiGate devices | FortiBleed campaign used custom FortiGate sniffer to steal credentials | Unknown | Attackers exploited the FortiBleed campaign to deploy a custom sniffer on vulnerable FortiGate devices, stealing user credentials and other sensitive authentication data that could be used to gain unauthorised access to affected networks. | Source: Bleeping Computer |
| June 23, 2026 | Meta Employees | Meta to pause internal mouse-tracking tech while examining data security issues | Unknown | Meta paused its employee-monitoring programme after an internal security lapse exposed sensitive employee data, including private conversations, performance information, and activity records, to a broader group of staff than intended, raising significant privacy and data security concerns. | Source: Reuters |
| June 23, 2026 | LastPass | LastPass confirms data breach in Klue supply chain attack | UNC6040 | The Klue supply-chain attack exposed limited customer and business information belonging to LastPass after attackers gained unauthorised access to data stored within the third-party platform, prompting an investigation into the scope of the breach. | Source: Bleeping Computer |
| June 25, 2026 | Alera Group | Alera Group data breach settlement: Americans could get up to $3,500 in settlement payouts; know who's eligible and the claim deadline | Unknown | A data breach at Alera Group exposed sensitive personal information of affected individuals, leading to a class-action settlement and raising concerns over potential identity theft and financial fraud risks. | Source: economictimes.indiatimes.com |


Cyber Attacks in June 2026

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
| --- | --- | --- | --- | --- | --- |
| June 1, 2026 | Multiple organisations across the United States, Israel, Turkey, and the Middle East | Iran-linked hackers allegedly destroy IT, backups, and recovery systems in cyber attack targeting Middle East | Ababil of Minab (Iran-linked, associated with Black Shadow) | The attack disrupted business operations after hackers wiped critical IT systems, backups, and recovery environments, significantly hindering victims' ability to restore affected services and data. | Iran-linked hackers destroy IT, backups, and recovery systems |
| June 1, 2026 | Thousands of legitimate websites and their visitors worldwide | Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks | Unknown | The attackers hijacked thousands of websites and injected malicious code that redirected visitors to fake update and ClickFix pages, exposing them to malware infections and potential system compromise. | Source: Bleeping Computer |
| June 2, 2026 | Minecraft players and server operators who downloaded infected game modifications and tools | Over 116,000 Minecraft systems infected in WeedHack malware campaign | Unknown | The malware campaign infected more than 116,000 Minecraft-related systems, allowing attackers to steal credentials, cryptocurrency wallets, authentication tokens, and other sensitive data from affected users. | Source: Bleeping Computer |
| June 2, 2026 | WordPress websites using vulnerable themes and plugins that relied on the Kirki Customizer Framework | Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts | Unknown | Attackers exploited the critical Kirki vulnerability to create rogue administrator accounts on vulnerable WordPress sites, giving them unauthorised control over website management and content. | Source: Bleeping Computer |
| June 2, 2026 | Russian government officials and employees of defense, telecommunications, law enforcement, and other public sector organisations | Russia claims foreign spy agencies hacked government officials | Alleged Foreign Intelligence Agencies (attribution claimed by Russian authorities) | The espionage campaign reportedly compromised the mobile devices of Russian government and public-sector officials, enabling attackers to monitor communications and gather sensitive information. | Source: The Record Media |
| June 3, 2026 | Web servers and online services using vulnerable HTTP/2 implementations | New HTTP/2 Bomb DoS Attack Crashes Web Servers in Under a Minute | Unknown | The HTTP/2 Bomb attack overwhelmed vulnerable web servers with a small number of malicious requests, causing rapid service disruptions and making affected websites unavailable in under a minute. | Source: Bleeping Computer |
| June 3, 2026 | Organisations across Europe, particularly in the technology, telecommunications, and government sectors | Chinese hackers use New Atlas RAT malware in European cyber attacks | Silver Fox (China-linked threat actor) | The attackers deployed the Atlas RAT malware to gain persistent remote access to targeted systems, enabling espionage activities, data collection, and continued monitoring of compromised networks. | Source: Bleeping Computer |
| June 4, 2026 | Developers and organisations that downloaded the compromised npm packages | New IronWorm Malware Hits 36 Packages in npm supply chain attack | Unknown | The supply chain attack compromised 36 npm packages with IronWorm malware, exposing developers and organisations to credential theft, system compromise, and unauthorised access through infected software dependencies. | Source: Bleeping Computer |
| June 5, 2026 | U.S. gas stations operating internet-exposed automatic tank gauge (ATG) systems | Over 900 US gas station tank gauge systems exposed to attacks | Unknown | More than 900 internet-accessible fuel tank monitoring systems were left vulnerable to unauthorised access, creating a risk of fuel management disruption, operational interference, and potential manipulation of critical infrastructure. | Source: Bleeping Computer |
| June 5, 2026 | Organisations targeted by long-term cyber espionage campaigns, including government and enterprise networks | Chinese APT deploys new malware to keep access to hacked networks | Salt Typhoon (China-linked APT group) | The threat actors deployed new persistence malware to maintain covert access to compromised networks, enabling prolonged espionage activities and continued access to sensitive systems and data. | Source: Bleeping Computer |
| June 7, 2026 | Internet-exposed routers running vulnerable DD-WRT firmware | c0xM0 Botnet Spreads via DD-WRT Router Flaw, Kills Rival Malware | c0xM0 Botnet Operators | The botnet infected vulnerable DD-WRT routers to expand its malicious network, allowing attackers to control compromised devices and strengthen their infrastructure for future attacks. | Source: Bleeping Computer |
| June 8, 2026 | Android users who downloaded fake banking application updates from GitHub | NFCShare Android malware spreads via fake banking app updates on GitHub | Unknown | The malware campaign infected Android devices through fake banking app updates, allowing attackers to steal banking credentials, intercept sensitive information, and conduct financial fraud against affected users. | Source: Bleeping Computer |
| June 10, 2026 | Potentially any organisations and users that could be targeted using the leaked Miasma worm code | The Miasma Worm Source Code briefly leaked on GitHub | Unknown | The brief exposure of the Miasma worm source code increased the risk that other threat actors could reuse or modify the malware to launch new attacks, potentially expanding its impact across additional networks and systems. | Source: Bleeping Computer |
| June 13, 2026 | A high-value organisation operating an isolated network | Chinese hackers hijack Auth Flow to spy on isolated network for a decade | Chinese state-backed hackers | The attackers maintained covert access to an isolated network for nearly a decade by hijacking authentication processes, enabling long-term espionage and the monitoring of sensitive communications and activities without detection. | Source: Bleeping Computer |
| June 15, 2026 | Maine Attorney General's data breach notification portal | Maine takes data breach notification portal offline after fake reports | Unknown | Attackers abused Maine's data breach notification portal to submit fraudulent breach reports, forcing the state to take the system offline and disrupting its public breach disclosure process. | Source: cyberpress.org |
| June 16, 2026 | Multiple cardiac monitoring device manufacturers and their patients | Cardiac Monitor makers' security skips a beat as data thieves go for the jugular | Unknown | Data breaches at several cardiac monitoring device providers exposed sensitive patient and healthcare information, increasing the risk of privacy violations and misuse of personal medical data. | Data breaches at several cardiac monitoring device providers |
| June 16, 2026 | Steam users and Wallpaper Engine users | Steam workshop abused to spread malware via wallpaper engine app | Unknown | Attackers used malicious Wallpaper Engine content distributed through Steam Workshop to infect users with malware, exposing affected systems to data theft and further compromise. | Source: Bleeping Computer |
| June 16, 2026 | Organisations and Windows users targeted by the GhostTree campaign | GhostTree attack abused recursive Windows junctions to hide malware | Unknown | Attackers used recursive Windows junctions to conceal malware from security tools, allowing them to maintain stealthy access to compromised systems and increasing the risk of data theft and prolonged network intrusion. | Source: Bleeping Computer |
| June 16, 2026 | Government organisations and critical sector entities targeted by the campaign | Windows Version of SprySOCKS Linux Malware Used to Attack Govt Orgs | Chinese state-backed hackers | The attackers deployed a Windows version of the SprySOCKS malware to maintain covert access to government networks, enabling long-term espionage activities and the theft of sensitive information from targeted organisations. | Source: Bleeping Computer |
| June 18, 2026 | Windows users infected through compromised USB drives | USB Worm spreads crypto-stealing malware via Windows shortcut files | Unknown | The malware spread through infected USB devices and stole cryptocurrency wallet data and other sensitive information, putting affected users at risk of financial loss and account compromise. | Source: Bleeping Computer |
| June 18, 2026 | WordPress websites using compromised ShapedPlugin products | ShapedPlugin Update Flow Hacked to Infect WordPress Sites | Unknown | Attackers compromised the plugin update mechanism and pushed malicious code to WordPress sites, potentially giving them unauthorised access to affected websites and exposing visitors and administrators to further attacks. | Source: Bleeping Computer |
| June 19, 2026 | Mount Royal University | Mount Royal University site down due to cyber attack | Unknown | The cyber attack disrupted Mount Royal University’s website, telephone services, and other key IT systems, forcing the institution to activate incident response measures while cybersecurity experts investigated the extent of the compromise. | Mount Royal University Website Cyber Attack |
| June 21, 2026 | D-Link Router Users Worldwide | Arystinger botnet infected thousands of D-Link routers worldwide | Arystinger Botnet Operators | The Arystinger botnet compromised thousands of vulnerable D-Link routers worldwide, allowing attackers to hijack the devices and use them as part of a malicious network for further cyber operations and abuse. | Source: Bleeping Computer |
| June 22, 2026 | Brazil's Defesa Civil Alerta (Civil Defense Alert System) / National Protection and Civil Defense Secretariat (SEDEC) | Brazil probes possible cyber attack on alert system | Unknown (suspected hacker(s) under investigation) | A suspected cyber attack hijacked Brazil’s emergency alert platform, triggering false “extreme” warnings on thousands of mobile phones across multiple states and forcing authorities to temporarily take the system offline while an investigation was launched. | Source: www.thestar.com |
| June 23, 2026, June 25, 2026 | Iran's Banking Infrastructure (including multiple Iranian banks) | Islamic Republic confirms banking infrastructure cyber incident | Predatory Sparrow (Gonjeshke Darandeh) | The cyber attack disrupted card-based banking services at three Iranian lenders, causing payment processing problems and limiting customers' access to banking transactions and financial services. | Iran's Banking Infrastructure Under Attack |
| June 23, 2026 | Jaredfromsubway MEV Bot Operator | Jaredfromsubway MEV bot hacked in $1.5 million crypto theft | Unknown | Hackers compromised the Jaredfromsubway MEV bot and stole approximately $1.5 million in cryptocurrency, resulting in significant financial losses through unauthorised transfers of digital assets. | Source: Bleeping Computer |
| June 24, 2026 | Cybercriminal infrastructure behind Amadey and StealC malware operations | Amadey, StealC malware operations disrupted in Operation Endgame action | Amadey and StealC Malware Operators | An international law enforcement operation disrupted the infrastructure used by the Amadey and StealC malware groups, hindering their ability to infect victims, steal sensitive data, and conduct further cybercriminal activities. | Source: Bleeping Computer |



New Ransomware/Malware Discovered in June 2026

| New Ransomware/Malware | Summary |
| --- | --- |
| MLTBackdoor | A newly discovered modular backdoor that leverages Beacon Object Files (BOFs) to dynamically extend its functionality after infection. Distributed through ClickFix social-engineering campaigns, it enables remote command execution, file transfers, and payload deployment, providing attackers with a flexible post-exploitation framework. |
| AryStinger | A newly identified botnet malware targeting vulnerable routers and NAS devices, including D-Link, Linksys, and QNAP systems. It converts compromised devices into a malicious proxy network, enabling traffic tunneling, reconnaissance, and anonymous attacker operations while abusing edge infrastructure for stealth. |
| Crypto Clipper | A newly uncovered cryptocurrency-stealing malware that spreads through infected USB drives using malicious shortcut (.LNK) files. It targets cryptocurrency wallets, seed phrases, and private keys while incorporating clipboard hijacking, credential theft, screenshot capture, and Tor-based command-and-control capabilities. |
| Rocket Banking Trojan | A newly observed Android banking malware family targeting banking and cryptocurrency applications. It abuses Android Accessibility Services, deploys credential-stealing overlays, records screens, captures keystrokes, intercepts notifications, and conducts extensive surveillance to facilitate financial fraud and account takeover attacks. |
| Lalia Ransomware | A newly emerged ransomware family identified in June 2026 that targets Windows environments. The malware is believed to employ modern ransomware tradecraft and may support double-extortion tactics involving both file encryption and data theft. Its emergence highlights the continued growth of the ransomware ecosystem as new threat actors enter the cybercrime landscape despite increased law enforcement pressure on established groups. |

Source for the above table: Bleeping Computer, Recorded Future News


Vulnerabilities/Patches Discovered in June 2026

| Date | New Flaws/Fixes | Summary |
|---|---|---|
| June 1, 2026 | CVE-2026-41089 | Attackers actively exploited a critical Windows Netlogon vulnerability that allowed unauthenticated remote code execution on domain controllers, potentially enabling full system compromise, prompting urgent patching recommendations for affected Windows Server environments. |
| June 2, 2026 | CVE-2025-30762 | CISA ordered U.S. federal agencies to patch a critical Oracle WebLogic vulnerability that was being actively exploited, warning that attackers could gain unauthorised access and compromise affected servers if the flaw remained unpatched. |
| June 5, 2026 | CVE-2025-48799 | CISA warned that attackers had begun actively exploiting a SolarWinds Serv-U vulnerability to crash vulnerable servers, increasing the risk of service disruption and prompting organisations to apply security updates immediately. |
| June 6, 2026 | CVE-2025-1128 | Attackers actively exploited a critical vulnerability in the Everest Forms Pro WordPress plugin to create administrator accounts and take full control of vulnerable websites, prompting urgent patching recommendations. |
| June 8, 2026 | CVE-2024-39930 | Gogs patched a critical zero-day vulnerability that could have allowed attackers to execute remote code on vulnerable servers, prompting users to update immediately to prevent system compromise. |
| June 9, 2026 | CVE-2024-24919 | CISA ordered federal agencies to patch a Check Point security vulnerability after it had been actively exploited by ransomware gangs to gain unauthorised access to targeted networks. |
| June 9, 2026 | CVE-2025-23121 | Researchers disclosed a new Veeam vulnerability that could have allowed attackers to execute remote code on backup servers, potentially leading to full system compromise and disruption of backup operations. |
| June 9, 2026 | CVE-2026-44748, CVE-2026-27671, CVE-2026-22732, CVE-2026-40128 | SAP released security updates that fixed multiple critical vulnerabilities in NetWeaver and Commerce Cloud which could have allowed attackers to bypass authentication, gain unauthorised access, execute malicious actions, or compromise affected enterprise |
| June 10, 2026 | CVE-2025-53786 | Microsoft patched a zero-day vulnerability in Exchange Server that had been actively exploited in attacks, helping organizations prevent unauthorized access and potential compromise of email systems. |
| June 11, 2026 | CVE-2025-5777, CVE-2025-6543, CVE-2025-6544 | CISA directed federal agencies to patch multiple critical vulnerabilities within three days after confirming that the flaws had been actively exploited in attacks, highlighting the urgent risk of system compromise. |
| June 12, 2026 | CVE-2025-22457 | CISA ordered federal agencies to patch an actively exploited Ivanti vulnerability within three days after attackers were found using the flaw to compromise vulnerable systems. |
| June 16, 2026 | CVE-2025-32756, CVE-2025-32755, CVE-2025-25257 | Fortinet warned that attackers had begun exploiting critical FortiSandbox vulnerabilities in the wild, potentially allowing unauthorised code execution and compromise of affected security appliances. |
| June 17, 2026 | CVE-2025-25257 | CISA ordered federal agencies to urgently patch a maximum-severity vulnerability in a widely used Joomla extension after attackers began exploiting the flaw to compromise vulnerable websites. |
| June 18, 2026 | CVE-2025-53859, CVE-2025-23419, CVE-2025-23418, CVE-2025-23417, CVE-2025-23416 | F5 released emergency patches for several critical NGINX vulnerabilities that could have allowed attackers to crash servers, cause service disruptions, or potentially execute malicious code on affected systems. |
| June 23, 2026 | CVE-2026-20230 | Attackers actively exploited a critical vulnerability in Cisco Unified CM and Unified CM SME systems, allowing unauthenticated remote access that could enable arbitrary command execution and compromise of affected servers. |

 
 
  Source for the above table: Bleeping Computer, Recorded Future  


Warnings/Advisories/Reports/Analysis

| News Type | Summary |
|---|---|
| Report | A federal inspector general's report found that management shortcomings and resource challenges at NIST led to significant delays in processing vulnerability data, creating a backlog that affected the timeliness and reliability of the National Vulnerability Database. |
| Warning | The Five Eyes intelligence alliance warned that Chinese intelligence operatives had used professional networking and job recruitment platforms to target and recruit insiders with access to sensitive government and corporate information. |
| Warning | Acer warned that multiple maximum-severity zero-day vulnerabilities in its Wave 7 Wi-Fi routers could have allowed attackers to gain remote control of affected devices, prompting users to apply security updates immediately. |
| Warning | CISA warned that attackers had been actively exploiting vulnerabilities in Android and Linux systems, urging organizations and users to apply available patches to reduce the risk of device compromise and unauthorized access. |
| Warning | CISA warned that cyber threat actors had targeted internet-exposed fuel tank monitoring systems using default credentials and poor security configurations, potentially allowing unauthorized access and operational disruption. |
| Warning | Cisco warned that a critical vulnerability in Unified Communications Manager could have allowed attackers to gain unauthorized access and execute malicious actions on affected systems, and urged customers to patch the flaw after proof-of-concept exploit code became publicly available. |
| Report | Law enforcement agencies dismantled a large online marketplace that had supplied forged identity documents to migrant smuggling networks, disrupting a criminal operation that facilitated illegal border crossings and identity fraud. |
| Warning | Cisco warned that attackers had exploited a zero-day vulnerability in SD-WAN devices to gain root-level access to affected systems, prompting urgent patching and mitigation efforts to prevent further compromises. |
| Report | Researchers reported that the China-linked JDY botnet had expanded its operations to target internet-exposed systems associated with US military networks, increasing concerns about espionage, network compromise, and persistent access to sensitive infrastructure. |
| Report | Attackers abused Maine's online data breach reporting portal to publish fraudulent breach notifications, creating confusion and undermining trust in official breach disclosure records. |
| Report | A Japanese energy company disclosed that a storage device containing personal information belonging to approximately 10.9 million customers had been lost, raising concerns about potential unauthorized access to customer data. |
| Report | South Korea's privacy regulator reported that Coupang was fined approximately $400 million after a data breach affecting millions of users exposed weaknesses in the company's handling and protection of customer information. |
| Warning | Oracle warned customers that attackers had exploited a PeopleSoft security flaw to breach more than 100 organisations, urging users to secure vulnerable systems against further compromise. |
| Report | Maine temporarily disabled its online data breach notification portal after attackers abused the system to submit and publish fake breach disclosures, disrupting the state's public reporting process. |
| Report | The U.S. government reportedly asked Anthropic to restrict foreign national access to its Fable and Mythos AI models due to concerns that the technology could be misused for national security and sensitive research purposes. |
| Report | The FBI disrupted a large-scale AI-powered phishing service that had used more than one million malicious URLs to steal credentials and facilitate cybercrime campaigns targeting victims worldwide. |
| Report | The FBI revealed that it had built a realistic replica of a small town to simulate real-world cyber attacks, helping agents and cybersecurity professionals train for threats targeting critical infrastructure and connected systems. |
| Report | The Council of Europe launched an investigation after the ShinyHunters hacking group claimed to have breached its systems and stolen sensitive data, while officials worked to verify the authenticity and scope of the alleged compromise. |
| Warning | Security experts warned that a rise in account takeover attacks targeting Argos customers had been driven by password reuse, increasing the risk of unauthorised purchases and account compromise. |
| Warning | The FTC warned that Americans lost a record $3.5 billion to imposter scams in 2025, as cybercriminals increasingly posed as trusted organisations and government agencies to deceive victims into sending money. |
| Warning | CISA warned that attackers had been actively exploiting a vulnerability in a cPanel plugin, urging organisations to patch affected systems quickly to prevent unauthorised access and potential compromise. |
| Report | Microsoft reported that North Korean threat actors were linked to a supply-chain attack targeting the Mastra AI development framework, after attackers compromised developer accounts and inserted malicious code designed to steal credentials and cryptocurrency assets from downstream users. |
| Warning | CISA warned Fortinet customers to immediately secure and review their devices after the FortiBleed vulnerability exposed sensitive information, raising concerns that attackers could have used the leaked data to gain unauthorised access to affected systems. |
| Warning | Researchers warned that attackers used WhatsApp messages containing fake business documents to trick users into opening malicious files, leading to malware infections and unauthorised access to compromised Windows PCs. |
| Report | Belgian authorities reported that hundreds of organisations were affected by a large-scale cyber attack that exploited a vulnerability in widely used software, exposing systems to unauthorised access and prompting a nationwide cybersecurity response. |
| Report | Germany approved new powers allowing its intelligence services to conduct offensive cyber operations against foreign hackers, marking a significant expansion of the country's ability to actively disrupt and counter cyber threats originating abroad. |
| Report | Meta paused its employee-tracking program after a security review found that internal data had been exposed more broadly than intended, raising concerns about employee privacy and data protection. |
| Warning | Researchers warned that a malicious Microsoft Edge extension abused the browser’s Native Messaging feature to communicate with malware on infected devices, enabling attackers to execute commands and maintain access to compromised systems. |
| Warning | Experts warned that ransomware attacks had increasingly pushed German businesses toward financial distress and potential bankruptcy by causing prolonged operational disruptions, recovery costs, and significant revenue losses. |
| Warning | CISA warned that attackers had actively exploited maximum-severity vulnerabilities in Ubiquiti networking devices, potentially allowing unauthorized access and full compromise of affected systems, and urged organizations to apply security updates immediately. |
| Report | Researchers reported that the stealthy MISTIC backdoor was linked to the KongTuke access broker, which used compromised systems to provide network access that could later be sold to ransomware operators and other cybercriminal groups. |
| Warning | The UK's Public Accounts Committee warned that many of the country's cultural institutions had failed to adequately strengthen their cyber defenses, leaving critical national collections and services vulnerable to increasingly sophisticated cyber threats. |

 
 
 Sources: Bleeping Computer and Infosecurity Magazine
