Risky Bulletin Newsletter
June 17, 2026
Risky Bulletin: China arrests members of Silver Fox cybercrime group
Written by
News Editor
This newsletter is brought to you by Ent AI. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.
Chinese police have arrested 67 suspects linked to Silver Fox, the country's largest and most active cybercrime group targeting its domestic audiences.
Arrests took place across five provinces and targeted everyone from developers to phishing site operators and various affiliates.
Authorities identified a man named Ji Moufei as the main individual who wrote and sold the group's malware, the eponymous Silver Fox trojan. Ji and four associates were arrested in Zhejiang.
Twenty-eight others were also arrested in the Jilin province, including a man named Chen, described as having developed a variant of the group's trojan.
Other arrests were also reported in Shandong, where a person named Yang and 15 suspects were detained for setting up phishing sites that lured users into downloading files infected with the Silver Fox trojan.
Another suspect named Li, and 13 others, were also arrested in Guangdong for allegedly using the trojan to access systems and steal victims' online assets and funds.
And lastly, a suspect named Zhou and two accomplices were arrested in the Zhejiang province for developing fake app download sites that bundled the group's trojan.
The Silver Fox group began operations in mid-2024 and only targeted Chinese-speaking users, living in both China and abroad.
The group has only started targeting other countries in recent months, and the bulk of its activity still targets China.
A crackdown against the group was, in hindsight, foreseeable after China's CERT team issued a security alert about it at the end of May.
Silver Fox's main modus operandi included malspam campaigns and fake download websites designed to lure victims into installing its trojan on their systems.
The group used this initial trojan to deploy other more powerful tools, such as various infostealer families, but also their custom, in-house developed remote access trojans named AtlasRAT and ValleyRAT.
Silver Fox is also known as Void Arachne, YouSnake, UTG-Q-1000, and TA4922, and its main trojan is also tracked as Winos.
Below are some past reports on the group's activities. The fact that so many security vendors have published on the group tells you how active they were and the scale of their operation.
Risky Business Podcasts
In this edition of Between Two Nerds, Tom Uren and The Grugq talk about how NATO is set up to deter conventional conflict, and how that approach is fundamentally unsuited for ongoing, everyday cyber operations that are intended to confound adversaries.
Breaches, hacks, and security incidents
Cyberattack hits Iranian banks: A cyberattack has disrupted the activity of four of Iran's largest banks. Online portals and mobile apps were reportedly down over the weekend for Bank Melli, Bank Tejarat, Bank Saderat, and the Export Development Bank of Iran. The attack allegedly targeted communications infrastructure shared by the four. The country's banking council said no customer data was accessed in the incident. [YeniSafak // WANA]
Fire department sues security firm over breach: A Louisiana fire department has sued a cybersecurity firm over a 2023 security breach. The St. George Fire Protection Department in Baton Rouge claims that General Informatics is solely at fault for its hack. The security firm allegedly failed to patch the department's servers, stored all its passwords in plain text, and failed to create and store network backups. The company also allegedly used the same password for all its customers to remotely access their networks. Following the hack, General Informatics billed the fire district for server remediation efforts and for its own attorneys' fees, money the fire department wants back. [WAFB // FireRescue1]
Raydium crypto-heist: Hackers have stolen $1.34 million worth of crypto-assets from the Raydium platform. The attackers exploited a bug in legacy components that were deprecated in 2021 but weren't phased out. [Raydium // The Crypto Times]
Aztec Connect crypto-heist: Hackers have also stolen $2.1 million from the Aztec Connect platform, also by exploiting a legacy function. [Aztec Labs // CoinTelegraph // SlowMist]
Astral Group cyberattack: The Astral Group, a company that provides finance-related software to Russian companies and banks, says a cyberattack is the reason for a recent week-long IT outage. [Astral]
Hacker abuses Australian journalists: A hacker has exploited a vulnerability in the website of the Australian Productivity Commission to send personalized insults to Australian journalists. The emails were sent from the Commission's no-reply email address. The Commission confirmed the incident and patched its website last week. [Australia Productivity Commission // CyberDaily]
Membership of Thiel's Dialog leaks online: The membership of a secret group founded by Peter Thiel has leaked online. Thiel founded Dialog two decades ago as an invite-only organization and never revealed its members. Details such as names, phone numbers, and email addresses of 113 Dialog members leaked this week after a security researcher found the organization's unlisted website. According to WIRED and Straight Arrow News, the members list allegedly includes US government officials, major tech executives, and even Hollywood actors. [Straight Arrow News // WIRED]
Here are all 113 alleged members we were able to successfully extract. This data can also be verified via versions of the site captured by the Wayback Machine, even if it doesn't properly render the website.
— maia arson crimew 🏴 (@crimew.gay) June 16, 2026 at 3:19 AM
General tech and privacy
Infosec execs call for Anthropic ban lift: More than 130 cybersecurity executives have called on the White House to lift export controls on Anthropic's new cybersecurity models. Signatories argue the move hurts defenders more than attackers. It also risks America's AI leadership position as foreign companies would shy away in the future from buying AI services that can be so easily taken away. Signatories include Alex Stamos, Chris Wysopal, Paul Vixie, Feross Aboukhadijeh, and more. [FreeFable]
Multiple US states launch OpenAI probe: A coalition of US state attorneys general has launched an investigation into OpenAI. The company has been ordered to hand over internal documents about its models, its handling of personal and health data, its advertising activity, and the safety of young children and the elderly. Early versions of ChatGPT have often encouraged users to harm themselves or carry out illegal acts. OpenAI filed for an IPO last week. [Associated Press]
New Athena project to secure FOSS with AI: Eleven tech and cybersecurity firms have launched a coalition to secure open-source software using AI. The new Athena project has already found more than 20,000 vulnerabilities using their access to frontier AI models. Members have used the AI tools to generate more than 2,000 patches across 500 open source projects, which they plan to disclose starting next month. Some of the founding members include the likes of Cisco, Cloudflare, Docker, JPMorganChase, and PwC. [PRNewswire // Chainguard]
Fox buys Roku: Multimedia giant Fox is acquiring streaming device maker Roku for $22 billion. [Fox Corporation]
China quintuples fiber capacity: A team of Chinese researchers have developed a new type of fiber optic cable that can carry up to five times the normal traffic. [SCMP]
Roblox launches age-based accounts: Roblox has launched two new types of accounts to be used by young children. The new Roblox Kids account type will be available for children up to eight years old while the Roblox Select account type will be for children up to 15. Each account type has separate privacy controls and parents will be able to move kids through them as they age up. [Roblox]
Violent and hateful speech explodes on Facebook: Violent, abusive, and hateful speech has exploded on Facebook after Meta relaxed moderating rules after President Trump took office again in January of last year. Comments calling for violence quadrupled, abusive comments targeting politicians tripled, and bullying and harassment doubled. According to the Center for Countering Digital Hate, Meta moderators halved enforcement actions on Facebook since passing its new rules. [CCDH]

Government, politics, and policy
New US cyber memo: President Donald Trump signed on Friday a presidential memorandum to introduce new cybersecurity measures for government systems that store classified data. The Memorandum reestablishes the Committee on National Security Systems and tasks it with releasing new rules and guidelines to defend US national security systems. The director of the National Security Agency will serve as head of the committee. [White House // Homeland Security Today]
US closes Delta Air Lines outage probe: The US Justice Department has closed a probe into Delta Air Lines' July 2024 flight outage, an event caused by a faulty CrowdStrike EDR update that crippled millions of Windows PCs around the globe. [Reuters]
MS-ISAC loses 70% of members: The Multi-State Information Sharing and Analysis Center has lost 70% of its members after the DHS cut funding last year. MS-ISAC now has only 5,600 members, down from the 18,500 it had at the start of 2025. The organization says it now has to charge membership fees for the threat intelligence data it used to provide for free. Most of the MS-ISAC members are small state and local governments. [CybersecurityDive]
The Center for Internet Security, which runs the MS-ISAC, is still subsidizing its operations, including with free and discounted memberships for the neediest jurisdictions. But it's unclear for how long CIS will be able to keep doing that.
— Eric Geller (@ericjgeller.com) June 15, 2026 at 5:09 PM
Australia plans Essential Eight update: Australia's cybersecurity agency plans to update Essential Eight, a list of eight basic cybersecurity recommendations. The list was initially published in 2017 and updated in 2023. The ACSC is reevaluating the list again due to emerging threats and advances in defensive capabilities. The agency is looking for feedback from the private sector. [ACSC // Essential Eight list]
DGSI ends Palantir contract: France's domestic intelligence service has ended its contract with American data analytics firm Palantir. The DGSI will replace Palantir with the services of French company ChapsVision. France had extended its Palantir contract at the end of last year. The rip-and-replace process will allegedly take years to conclude across several phases. [Politico Europe]
France to stop certifying non-PQC products: France's cybersecurity agency will stop certifying products that don't use quantum-safe encryption starting next year. Software products without the certification will not be allowed on government networks. ANSSI says the goal is to get the government and private businesses to buy only quantum-safe products by 2030. [Reuters]
Ukraine included in EU Cybersecurity Reserve: The European Union has included Ukraine in its EU Cybersecurity Reserve program. Under the program, the Ukrainian government will be able to call for help from EU cybersecurity experts in the event of a major cyberattack. This will include help from the EU's cybersecurity agency ENISA, national CERTs, and major private sector players. [Delegation of the European Union to Ukraine // The Brussels Times]
Estonia to quarantine emails from Russian email domains: Estonian cyber agencies will quarantine all emails sent to government officials that come from a Russian domain. The new restriction will take effect in September. Officials say that most of these emails usually carry malware, phishing links, and bomb and other physical threats. [ERR // EuropeSays]
India temp-bans Telegram over exam cheating: The Indian government has put a temporary block on Telegram until June 22. The ban was imposed by India's National Testing Agency to prevent cheating during the National Eligibility Entrance Test. The platform was used in previous years to leak tests and defraud students looking for answers. The national entrance exam was supposed to take place last month but was canceled at the last moment after tests leaked online. [CNBC]
UK bans social media for kids under 16: The UK government will ban social media for all kids under the age of 16. The new rule will be brought before Parliament before Christmas and is expected to take effect next spring. The government plans to use the same model for a social media ban as Australia. [UK government // Ofcom]

Sponsor section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Brandon Dixon, co-founder and CTO of Ent AI, on the company's innovative use of local LLMs to track user behavior on the endpoint, and add context to suspicious events to detect or prevent malicious activity.
Arrests, cybercrime, and threat intel
Russia arrests account proxy registrar: Russian authorities have arrested a 23-year-old man who registered accounts on popular Russian messengers on behalf of Ukrainians. The suspect received SIM cards from accomplices and then used them together with stolen PII data to create the accounts. He was allegedly getting paid $500/month through a specialized chatbot. [MVD Media]
Ababil of Minab server leaks: A pro-Iranian hacking group named Ababil of Minab has left a directory open on one of its backend servers and leaked 5GB of data stolen from past victims. [Hunt Intelligence]
Operation Poisson: Cato researchers have spotted a young French hacker named Poisson, believed to be a kid still in school, using VPN meshes as a way to maintain access to victims when their main C2 channel went down because of a bandwidth cap. [Cato Networks]
New scam tactics: The FBI says that scammers are now using courier services to pick up cash from senior victims who have been duped into investing in fake crypto platforms. [FBI IC3]
A migratory phishing kit: Huntress researchers have spotted a threat actor moving their phishing kit from hacked website to hacked website as a way to avoid detection. One of the sites that hosted the kit was a Bolivian government website. [Huntress]
Malicious wallpapers on Steam: Threat actors are hiding malware inside animated wallpapers distributed via Steam and the Wallpaper Engine catalog. [Kaspersky]
Malicious JetBrains IDE plugins: A cluster of 15 JetBrains IDE plugins contain code to steal API keys for AI services and tools. The plugins target services like OpenAI, SiliconFlow, and DeepSeek. Most were recently uploaded but have amassed more than 100,000 collective downloads already. [Aikido Security]
More npm malware: Besides the JetBrains plugins, there's also a new supply chain attack hitting npm. Since there are so many of these on npm right now, this one has been given the codename SuccessKey to keep track of it. [Checkmarx]
FTC reports $3.5b losses to imposter scams: The US Federal Trade Commission says Americans lost more than $3.5 billion to imposter scams last year. Almost two-thirds of the funds were lost to scammers posing as well-known businesses or government employees. In total, Americans reported losses of more than $16 billion last year. [FTC]
Malware technical reports
DeadLock ransomware: ESET researchers have looked at DeadLock, the first-ever ransomware strain to abuse blockchain smart contracts for its operations. [ESET thread]
DeadLock’s HTML ransom notes are interactive, providing access to a Session-style messaging client and now also the DLS, that is displayed to victims directly embedded in the HTML ransom note, fetched on the fly from the smart contracts. 2/6
— ESET Research (@esetresearch.bsky.social) June 16, 2026 at 5:05 PM
GlassWASM: A new variant of the GlassWorm VSCode worm, named GlassWASM, has been spotted hitting the Open VSX marketplace this week. [Socket Security]
Scales: Security researcher sha0coder has reverse-engineered Scales, the eBPF-based rootkit and infostealer deployed during last week's supply chain attack against the Arch Linux AUR. [sha0coder]
ErrTraffic: Sekoia has published a report on ErrTraffic, a new cybercrime tool that automates the deployment of ClickFix social engineering lures and pages. The tool is currently being advertised on Russian-speaking hacking forums. There are also two older reports on the same tool. [Sekoia // Ctrl-Alt-Intel // HudsonRock]
Rokarolla: There's a new Android banking trojan in the wild. Named Rokarolla, this one is being spread using booby-trapped Chrome or TikTok apps side-loaded from shady sites. [Zimperium]
Lorem Ipsum Loader: Campaigns distributing the new Lorem Ipsum loader have switched from SEO poisoning attacks to ClickFix. [BlueVoyant]
Potemkin loader: And speaking of ClickFix and new loaders, Huntress has also spotted another one in the wild, this one named Potemkin. [Huntress]
GULoader: Sicuranext looks at a GULoader campaign using ClickFix for delivery and EtherHiding as a C2 channel. [Sicuranext]
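EtherHiding works by parking the next-stage payload inside a smart contract and having the loader fetch it with a read-only eth_call, then ABI-decoding the returned string. The decoder below is an added example, not Sicuranext's code or anything from the GULoader campaign: it ABI-encodes a constructed sample script (standing in for what a contract's string-returning view function would hand back), decodes it the way a loader would, and flags the usual indicators. The sample contract output and the JSON-RPC envelope are constructed locally, so nothing touches a blockchain node.

```python
"""Decode an EtherHiding-style payload from an eth_call result.

Added example. The JSON-RPC response and the script inside it are
constructed here; no real contract or RPC endpoint is involved.
"""
import json
import re


def abi_encode_string(s: str) -> str:
    """ABI-encode a single dynamic `string` return value (offset, length, padded data)."""
    data = s.encode("utf-8")
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((-len(data)) % 32)
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Inverse of the above: what a loader does with the `result` field of eth_call."""
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("ABI offset points outside the buffer")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("ABI length exceeds the buffer")
    return raw[start:start + length].decode("utf-8", "replace")


# Indicators a hunter would look for in a string a contract hands back.
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"<script", r"\beval\s*\(", r"document\.write", r"\batob\s*\(", r"https?://",
)]


def extract_payload(rpc_response_json: str) -> dict:
    """Decode the contract's return value and score it against the indicator list."""
    resp = json.loads(rpc_response_json)
    payload = abi_decode_string(resp["result"])
    hits = [p.pattern for p in SUSPICIOUS if p.search(payload)]
    return {"payload": payload, "indicators": hits, "suspicious": bool(hits)}


# Constructed sample: a script tag of the kind EtherHiding-style contracts
# store, wrapped in a JSON-RPC envelope as an eth_call would return it.
SAMPLE_SCRIPT = '<script src="https://cdn.example/stage2.js"></script>'
SAMPLE_RPC_RESPONSE = json.dumps(
    {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(SAMPLE_SCRIPT)}
)

if __name__ == "__main__":
    print(json.dumps(extract_payload(SAMPLE_RPC_RESPONSE), indent=2))
```

The bounds checks matter: a contract the attacker controls can return an offset or length that points past the buffer, and a decoder that trusts them will throw or read garbage, so a hunting script should fail closed rather than crash.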
Amos Stealer: CyberProof has published a technical deep dive of the Amos Stealer, the most widely used infostealer in the macOS ecosystem. [CyberProof]
Backdoor.Turn: The DragonForce ransomware group has developed a new RAT named Backdoor.Turn that abuses Microsoft Teams' TURN relay servers as a C2 channel inside hacked networks. [Broadcom]
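A RAT that rides a legitimate TURN relay blends into traffic that most networks already allow, so hunting comes down to looking at the TURN protocol itself: Allocate requests, long requested lifetimes, and ChannelData volume from hosts or processes that have no business relaying media. The parser below is an added example written for this newsletter, not Broadcom's analysis and not a description of Backdoor.Turn's actual traffic; it decodes STUN/TURN message headers and ChannelData frames per RFC 5389/5766 and summarizes a constructed flow. The packets are built by the same file, so it runs offline.

```python
"""Classify STUN/TURN messages and summarize a flow for TURN-as-C2 hunting.

Added example. The sample flow is constructed locally; the heuristic
(Allocate count, requested LIFETIME, ChannelData bytes) is generic and is
not derived from any specific malware sample.
"""
import struct
from dataclasses import dataclass

MAGIC_COOKIE = 0x2112A442
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_DATA, ATTR_LIFETIME, ATTR_REQUESTED_TRANSPORT = 0x0013, 0x000D, 0x0019


@dataclass
class StunMsg:
    method: str
    cls: str
    attrs: dict


def decode_type(t: int) -> tuple:
    """Split the 14-bit STUN message type into (method, class) per RFC 5389 s6."""
    method = (t & 0x000F) | ((t & 0x00E0) >> 1) | ((t & 0x3E00) >> 2)
    cls = ((t & 0x0010) >> 4) | ((t & 0x0100) >> 7)
    return method, cls


def parse(buf: bytes):
    """Return ('stun', StunMsg), ('channeldata', channel, payload) or None."""
    if len(buf) < 4:
        return None
    top_bits = buf[0] >> 6
    if top_bits == 0b01:  # ChannelData frame: channel numbers live in 0x4000-0x7FFF
        ch, length = struct.unpack("!HH", buf[:4])
        if 0x4000 <= ch <= 0x7FFF and len(buf) >= 4 + length:
            return ("channeldata", ch, buf[4:4 + length])
        return None
    if top_bits != 0 or len(buf) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", buf[:8])
    if cookie != MAGIC_COOKIE or len(buf) < 20 + mlen:
        return None
    method, cls = decode_type(mtype)
    attrs, pos, end = {}, 20, 20 + mlen
    while pos + 4 <= end:  # TLV attributes, values padded to 4 bytes
        atype, alen = struct.unpack("!HH", buf[pos:pos + 4])
        value = buf[pos + 4:pos + 4 + alen]
        if len(value) < alen:
            return None
        attrs[atype] = value
        pos += 4 + ((alen + 3) & ~3)
    return ("stun", StunMsg(METHODS.get(method, hex(method)), CLASSES[cls], attrs))


def build_stun(method: int, cls: int, attrs=(), txid: bytes = b"\x01" * 12) -> bytes:
    """Encode a STUN message (used only to construct the sample flow)."""
    mtype = ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
             | ((cls & 1) << 4) | ((cls & 2) << 7))
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)
    return struct.pack("!HHI", mtype, len(body), MAGIC_COOKIE) + txid + body


def build_channeldata(ch: int, payload: bytes) -> bytes:
    return struct.pack("!HH", ch, len(payload)) + payload + b"\x00" * ((-len(payload)) % 4)


def summarize(flow) -> dict:
    """Per-flow counters a detection rule would threshold on."""
    out = {"allocates": 0, "max_lifetime": 0, "channel_bytes": 0, "indications": 0}
    for pkt in flow:
        parsed = parse(pkt)
        if parsed is None:
            continue
        if parsed[0] == "channeldata":
            out["channel_bytes"] += len(parsed[2])
            continue
        msg = parsed[1]
        if msg.method == "Allocate" and msg.cls == "request":
            out["allocates"] += 1
        if msg.cls == "indication":
            out["indications"] += 1
        lifetime = msg.attrs.get(ATTR_LIFETIME)
        if lifetime is not None and len(lifetime) == 4:
            out["max_lifetime"] = max(out["max_lifetime"], struct.unpack("!I", lifetime)[0])
    return out


# Constructed sample flow: an Allocate asking for a one-hour lifetime, the
# relay's success response, two ChannelData frames carrying shell output,
# a Send indication, and a junk packet that must be ignored.
SAMPLE_FLOW = [
    build_stun(0x003, 0, [(ATTR_REQUESTED_TRANSPORT, b"\x11\x00\x00\x00"),
                          (ATTR_LIFETIME, struct.pack("!I", 3600))]),
    build_stun(0x003, 2, [(ATTR_LIFETIME, struct.pack("!I", 600))]),
    build_channeldata(0x4001, b"whoami\n"),
    build_channeldata(0x4001, b"DESKTOP-01\\svc\n"),
    build_stun(0x006, 1, [(ATTR_DATA, b"ping")]),
    b"\xff\xff",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOW))
```

On a real network the counters would be keyed by source host and, where endpoint telemetry is available, by the process that opened the socket; the relay endpoints are shared with legitimate Teams clients, so the destination alone tells you nothing.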

Sponsor section
In this edition of the Snake Oilers podcast, Ent AI co-founder Brandon Dixon introduces the company's intent-aware, AI-powered endpoint security control.
APTs, cyber-espionage, and info-ops
Russia's latest intel collection practices: The DomainTools team has published one of their usual deep-dive reports, with the latest one focusing on Russia's recent focus on hacking routers and secure messenger accounts. [DomainTools]
APT37's NarwhalRAT: North Korean espionage group APT37 has a new RAT they're using in the wild. This one's written in Python and deployed via LNK files sent to victims via email. [Genians]
Sapphire Sleet: Microsoft this week updated an older report on North Korean hacking group Sapphire Sleet, which now uses the Teams platform to contact and socially engineer victims before infecting them with macOS malware. [Microsoft]
New i-SOON malware: ESET has discovered Windows variants of SprySOCKS, a Linux backdoor used by the FishMonger APT. FishMonger is ESET's internal name for Chinese cyber contractor firm i-SOON. [ESET]
New UNC6508 group: A Chinese cyber-espionage group is targeting American healthcare and medical research organizations. The attacks are targeting REDCap servers, used for building and managing healthcare-related databases. The group, tracked as UNC6508, is exploiting vulnerabilities in old unpatched servers to deploy custom malware that intercepts admin credentials. According to Google's security team, attacks started back in September 2023. [Google Cloud]

Vulnerabilities, security research, and bug bounty
Security updates: Cisco, Oracle, Quick.CMS, SimpleHelp.
New Cisco SD-WAN zero-day: Cisco has released a firmware update to patch an actively-exploited zero-day in its SD-WAN devices. The vulnerability resides in the web user interface of the Catalyst SD-WAN Manager. Attackers are exploiting the bug to overwrite files on the system via a vulnerable API endpoint. A valid account on the device is needed to exploit the bug. It is the sixth SD-WAN zero-day patched this year. [CVE-2026-20262]
Second LiteSpeed zero-day: A new zero-day in the LiteSpeed web server cPanel plugin is being exploited in the wild to take over cPanel installations. The zero-day (CVE-2026-54420) was added to CISA's KEV database this week after attacks were recorded at the end of May. It is the second zero-day in the same plugin over the past month. [LiteSpeed]
Oracle CPU: The quarterly Oracle security updates are out, with patches for 245 vulnerabilities.
CVE program on pace for record year: There's been 46% more vulnerabilities reported this year than initially expected, and the FIRST team has now updated its 2026 CVE total projection to 66,000. [FIRST]
curl bug bounty takes a vacation: The curl project will pause its bug bounty program for the month of July so its developers can have an actual vacation. [Daniel Stenberg]
FIFA platform vulnerability: A security researcher found a bug in FIFA's football agents registration portal that can be abused to pivot to other FIFA internal systems, including one where you can modify the sporting federation's official streams. [BobDaHacker]
P2Pool patches coin hijacking bug: The P2Pool Monero mining pool has patched a bug that allowed a threat actor to hijack mining rewards from legitimate users. The bug was exploited in the wild last week to hijack almost half of P2Pool's mining resources. Due to the cryptocurrency's design, the attacker can't be identified. [Reddit // P2Pool update // GitHub security advisory]
SearchLeak vulnerability: Varonis researchers have used a new type of attack, named Parameter-to-Prompt Injection (P2P), to hijack M365 Copilot to steal a customer's data. [Varonis]

Infosec industry
Threat/trend reports: CCDH, CyFirma, ENISA, ISSA, and Jamf have recently published reports and summaries covering various threats and infosec industry trends.
SBOM still not widely adopted: Only a handful of companies have put mandatory SBOM (Software Bill of Materials) requirements into supplier contracts. According to a survey by the EU's cybersecurity agency, only 10% of respondents have formalized the practice. Most responding companies said their suppliers were not ready to meet the requirement, and respondents said they plan to include SBOM requirements in contracts at some point in the future. [ENISA]

Acquisition news: 1Password has acquired cybersecurity firm Apono, which specializes in privileged access management for AI agents. [BusinessWire]
New tool—Sulla: Security firm Praetorian has released Sulla, a command-line tool to scan SMB shares for sensitive data.
New tool—HallWatch: Security firm Zypherion has open-sourced HallWatch, a tool to detect indirect syscalls and catch several variations of the Hell's Gate hooking technique.
NorthSec 2026 videos: Talks from the NorthSec 2026 security conference, which took place last month, are available on YouTube.
FIRST CTI 2026 videos: Talks from the FIRST Cyber Threat Intelligence 2026 security conference, which took place in April, are available on YouTube.
VULNCON 2026 videos: Talks from the VULNCON 2026 security conference, which took place in April, are available on YouTube.
Risky Business Podcasts
In this episode of Risky Business Features, James Wilson is joined by Open Source Malware Security co-founder Paul McCarty to talk about the supply chain attack mitigations coming in NPM v12.