Virus Bulletin

2.6K Followers
57 Following
2.8K Posts
Security information portal, testing and certification body.
Organisers of the annual Virus Bulletin conference.

I wrote about my SecretCon talk and about some of my frustrations around the way we talk about scams.

https://blog.yaelwrites.com/scams-dont-exploit-ignorance-they-exploit-being-human/

Scams Don't Exploit Ignorance. They Exploit Being Human.

The security advice I've given for over a decade won't stop scams. The real fixes are structural.

String Literal
FortiGuard Labs recently observed a campaign delivering malicious files disguised as AI-related documents. The attack chain uses multiple staged scripts to hide activity before deploying AutoHotkey-based loaders that reflectively inject a .NET RAT, AsyncRAT, in memory. https://www.fortinet.com/blog/threat-research/threat-actors-weaponize-ai-hype-to-deliver-asyncrat
ESET researchers have observed a shift in the operational focus of Vietnam-aligned OceanLotus APT. The threat group has adopted a more selective approach to external operations while placing increasing emphasis on domestic espionage in recent campaigns. https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting/
Cato CTRL researchers recently identified an undocumented, active phishing campaign targeting Brazilian organizations with fake business-document lures that download a NinjaOne remote monitoring & management (RMM) agent. https://www.catonetworks.com/blog/cato-ctrl-previously-undocumented-ninjaone-rmm-abuse-chain/
Sekoia's TDR team tracks APT28 (Fancy Bear/Forest Blizzard/Sofacy/Pawn Storm/Sednit). The group, linked to GRU Unit 26165, has been active for over two decades and targets government, defence, diplomatic & critical infrastructure organisations, with a focus on NATO members & Ukraine. https://blog.sekoia.io/apt28-an-evolution-of-tradecraft/
ITOCHU Cyber & Intelligence Inc researchers present a two-part article on suspicious emails sent to hotel operators that impersonate Booking.com. https://blog.itochuci.co.jp/entry/2026/06/11/110000
Gen Threat Labs researcher Vojtěch Krejsa looks into GoFlateLoader, a widespread Golang loader used to deliver multiple infostealers, including Amatera, Remus, Lumma, Vidar and StealC. https://www.gendigital.com/blog/insights/research/goflateloader-delivers-multiple-infostealers
Acronis TRU has identified two targeted campaigns against Cambodian government entities, with a focus on the defence and military intelligence sectors, delivered by a cluster that Acronis tracks as Khmer Shadow. https://www.acronis.com/en/tru/posts/behind-khmer-shadow-targeted-espionage-against-cambodian-government-entities/
Palo Alto Networks researcher Yahav Festinger analyses and demonstrates attack techniques that target the primary logging services within each major cloud provider. https://unit42.paloaltonetworks.com/cloud-logging-defense-evasion/
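The post above does not list the individual techniques, so the following is an added example (not code from Unit 42 or from this page) of the detection side for one provider: it assumes AWS CloudTrail and flags the management events that stop, delete or weaken a trail (StopLogging, DeleteTrail, UpdateTrail with a narrowed scope, PutEventSelectors that drop management or write events). The event names are real CloudTrail API names; the records are constructed sample data.

```python
"""Flag CloudTrail management events that disable or weaken audit logging.

Added example. The eventName values are genuine CloudTrail API names, but the
records below are constructed sample data, not telemetry from any campaign.
"""
import json

# Constructed sample records (abridged CloudTrail record schema).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-svc"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-svc"},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "PutEventSelectors",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-svc"},
     "requestParameters": {"trailName": "org-trail",
                           "eventSelectors": [{"readWriteType": "ReadOnly",
                                               "includeManagementEvents": False}]}},
    {"eventTime": "2024-01-01T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-svc"},
     "requestParameters": {"bucketName": "app-data"}},
]

# Calls that are always worth an alert, regardless of parameters.
TAMPERING_EVENTS = {
    "StopLogging": "trail stopped delivering events",
    "DeleteTrail": "trail deleted",
}


def _update_trail_reason(params):
    """UpdateTrail is only suspicious when it narrows coverage or moves the logs."""
    reasons = []
    if params.get("isMultiRegionTrail") is False:
        reasons.append("multi-region logging disabled")
    if params.get("enableLogFileValidation") is False:
        reasons.append("log file integrity validation disabled")
    if "s3BucketName" in params:
        reasons.append("log destination bucket changed")
    if "kmsKeyId" in params:
        reasons.append("log encryption key changed")
    return "; ".join(reasons) or None


def _event_selector_reason(params):
    """PutEventSelectors can silently drop the events an investigator needs."""
    for sel in params.get("eventSelectors", []):
        if sel.get("includeManagementEvents") is False:
            return "management events excluded from trail"
        if sel.get("readWriteType") == "ReadOnly":
            return "write (mutating) API calls excluded from trail"
    return None


def find_log_tampering(records):
    """Return one finding per record that disables or weakens a CloudTrail trail."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue  # only trail-configuration calls are in scope here
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        reason = TAMPERING_EVENTS.get(name)
        if name == "UpdateTrail":
            reason = _update_trail_reason(params)
        elif name == "PutEventSelectors":
            reason = _event_selector_reason(params)
        if reason:
            findings.append({
                "eventTime": rec.get("eventTime"),
                "eventName": name,
                "actor": rec.get("userIdentity", {}).get("arn"),
                "trail": params.get("name") or params.get("trailName"),
                "reason": reason,
            })
    return findings


def parse_cloudtrail(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


if __name__ == "__main__":
    for f in find_log_tampering(SAMPLE_RECORDS):
        print(f"{f['eventTime']} {f['eventName']:18} {f['actor']} "
              f"trail={f['trail']}: {f['reason']}")
```

In practice the same checks belong in an organisation-level trail or a separate security account that the workload account cannot modify, since an actor with cloudtrail:StopLogging in the logging account can also suppress the alert that fires on it.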
Zscaler ThreatLabz identified MLTBackdoor, a new malware family delivered in a multi-stage ClickFix chain. MLTBackdoor supports a set of commands such as downloading & uploading files, and can load Beacon Object Files (BOFs) to expand its capabilities. https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor