Another week, another threat list that looks painfully familiar. Abused integrations, fake tools, poisoned websites, ransomware crews trying to disable security tools, and mobile malware asking for dangerous permissions. Here's what stood out in the week of June 16–22, 2026.
The Usbliter8 iPhone Boot Exploit
The biggest story of the week: researchers published a PoC for Usbliter8, an unpatchable exploit targeting the SecureROM boot chain on devices built around Apple's A12 and A13 chips, which covers the iPhone XS through the iPhone 11, plus the iPad Air (3rd generation) and iPad mini (5th generation).
The vulnerability sits in the BootROM (SecureROM), read-only code baked into the silicon, so no iOS update can ever fix it on affected hardware. Apple has shipped iOS 18 security updates that add protections on devices able to receive them, but millions of older iPhones remain permanently vulnerable. The exploit bypasses the boot chain, which makes it possible to jailbreak a device or, in the hands of a threat actor, deploy persistent spyware without user interaction. Full details are in our dedicated article on the Usbliter8 exploit.
NarwhalRAT: North Korea Pivots to Microsoft Alert Lures
North Korean threat actor Kimsuky was observed deploying a new remote access trojan dubbed NarwhalRAT via fake Microsoft security alerts. The lures mimic official Microsoft emails warning of suspicious account activity and direct targets to a cloned Microsoft portal that delivers the payload.
NarwhalRAT provides full remote access capabilities including keylogging, file exfiltration, and screenshot capture. Targets identified so far include South Korean defense contractors, think tanks, and at least one US government-adjacent organization. The fake alert template has been shared across multiple Kimsuky-linked infrastructure clusters, suggesting it's being used at scale.
The Gentlemen's GentleKiller EDR Framework
The Gentlemen ransomware group continued expanding their tooling with GentleKiller, a purpose-built EDR disablement framework that targets over 400 security processes. The framework uses a combination of bring-your-own-vulnerable-driver (BYOVD) techniques, process injection, and token manipulation to disable or crash endpoint detection and response tools before ransomware deployment.
The Gentlemen have now claimed 478 victims since their emergence in late 2025. Their worm-like propagation capability — spreading laterally within networks via SMB — makes them one of the more dangerous RaaS operators currently active. Full GentleKiller analysis was published this week by multiple threat intelligence vendors.
Smart TV Ad-Fraud Botnet: Your TV Is a Proxy
Researchers identified a large-scale smart TV botnet being used for ad fraud and traffic proxying. Free apps distributed through official app stores on Samsung, LG, and Roku platforms were found to contain code that hijacked the TV's network connection to serve as a proxy node when the device was idle.
The scheme, described as running since at least 2025, was used to generate fraudulent ad impressions by routing traffic through millions of household devices. Because the traffic exited from ordinary residential IP addresses, it looked to advertisers like genuine viewers, while the TV owners remained completely unaware. The apps involved have since been removed from official stores following coordinated disclosure.
OpenBSD Kernel Vulnerability
A local privilege escalation vulnerability (CVE-2026-3038) was disclosed in OpenBSD's routing socket (rtsock) implementation. The flaw is a stack buffer overflow in the kernel's routing socket code that a local unprivileged user can trigger to gain root. A patch was released within 24 hours of disclosure, consistent with OpenBSD's strong security response record; apply it immediately (via syspatch(8) on supported releases).
DragonForce Ransomware Abuses Microsoft Teams Relays
DragonForce ransomware was observed abusing Microsoft Teams relay servers to blend command-and-control traffic with legitimate Teams traffic. Routing C2 through Teams relay infrastructure lets the group slip past network controls that inspect outbound connections but allow-list Teams as a trusted business application.
Microsoft has acknowledged the abuse and is working on detection mechanisms, but the technique highlights a broader challenge: as enterprise tools become more trusted, they become more attractive for threat actor abuse.
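Allow-listing the destination does not have to mean ignoring the traffic. One hunt that works without any DragonForce-specific indicator is to look at timing: a person's Teams traffic is bursty and call driven, while an implant checks in on a timer. The script below is an added example written for this roundup, not code from Microsoft or from any DragonForce report. It assumes your proxy or firewall log already tags destinations in the Teams relay ranges (the relay field below) and that the hosts with a legitimate Teams client are known from inventory; the hosts, addresses (documentation ranges), tags and timestamps in the sample log are constructed. It also serves the "audit Teams relay traffic" item in the priorities list.

```python
"""Beacon hunt over connections to Microsoft Teams relay endpoints.

Added example for this roundup, not from Microsoft or from any DragonForce
report. Assumes the log source tags relay destinations ('relay' field) and
that hosts with a real Teams client are known. Hosts, addresses (TEST-NET
documentation ranges, not real relay IPs) and timestamps are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse_line(line: str) -> tuple[int, str, str, str]:
    """Constructed format: '<epoch seconds> <src_host> <dst_ip> <relay|other>'."""
    ts, src, dst, tag = line.split()
    return int(ts), src, dst, tag


def beacon_score(timestamps, min_events: int = 6):
    """Return (mean gap in seconds, coefficient of variation) for a host's
    connection times, or None when there are too few to judge. A CV near 0
    means the gaps are almost identical, i.e. timer driven; implants with a
    few seconds of jitter still score far below interactive use."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def hunt(lines, known_teams_hosts, cv_threshold: float = 0.15, min_events: int = 6):
    """Map suspicious source host -> list of reasons it was flagged."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, _dst, tag = parse_line(line)
        if tag == "relay":
            per_src[src].append(ts)
    hits = {}
    for src, stamps in per_src.items():
        reasons = []
        if src not in known_teams_hosts:
            reasons.append("relay traffic from a host with no Teams client")
        score = beacon_score(stamps, min_events)
        if score and score[1] < cv_threshold:
            reasons.append(f"periodic: ~{round(score[0])}s interval, cv={score[1]:.3f}")
        if reasons:
            hits[src] = reasons
    return hits


# Constructed log: ws-17 checks in every ~300 s with a few seconds of jitter
# and is not a known Teams host; ws-04 is a real user on a call; ws-09 has
# too few events to judge. Non-relay lines are ignored by the hunt.
SAMPLE_LOG = """
1781000000 ws-17 203.0.113.10 relay
1781000300 ws-17 203.0.113.10 relay
1781000596 ws-17 203.0.113.10 relay
1781000900 ws-17 203.0.113.10 relay
1781001201 ws-17 203.0.113.10 relay
1781001500 ws-17 203.0.113.10 relay
1781001800 ws-17 203.0.113.10 relay
1781002097 ws-17 203.0.113.10 relay
1781000120 ws-17 198.51.100.7 other
1781000000 ws-04 203.0.113.11 relay
1781000003 ws-04 203.0.113.11 relay
1781000010 ws-04 203.0.113.11 relay
1781001800 ws-04 203.0.113.11 relay
1781001802 ws-04 203.0.113.11 relay
1781003900 ws-04 203.0.113.11 relay
1781003950 ws-04 203.0.113.11 relay
1781000500 ws-09 203.0.113.12 relay
1781000700 ws-09 203.0.113.12 relay
1781000900 ws-09 203.0.113.12 relay
""".strip().splitlines()

KNOWN_TEAMS_HOSTS = {"ws-04", "ws-09"}

if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_LOG, KNOWN_TEAMS_HOSTS).items():
        print(host, "->", "; ".join(reasons))
```

The CV threshold and minimum event count are the knobs to tune against your own baseline; the "no Teams client" reason is the cheaper check and is worth alerting on by itself, since a server or kiosk with no collaboration software has no business talking to a relay at all.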
Other Stories This Week
- The Fortibleed leak exposed Fortinet VPN credentials for approximately 73,000 devices; CISA issued an advisory urging immediate action, starting with rotating the exposed credentials
- CISA ordered federal agencies to patch a critical, actively exploited flaw in the JCE editor extension for Joomla within a tight deadline
- Chrome and Firefox both shipped updates patching critical and high-severity vulnerabilities
- 144 Mastra AI npm packages were compromised through a hijacked contributor account; Microsoft attributed the campaign to North Korean threat actors
- A published analysis of INC ransomware counted 830+ victims since 2023, placing it among the most active RaaS operators
- UK's NCSC chief called AI an "unstoppable force" and warned publicly about Russian offensive cyber capabilities in a rare direct statement
What to Prioritize
If you're triaging this week's news for action items, focus on:
- Inventory Apple devices: identify any A12/A13 iPhones and iPads in your fleet; since the flaw cannot be fixed in software, plan replacement or compensating controls for them
- Block NarwhalRAT infrastructure: load the published Kimsuky IOCs into your threat intel feeds and mail filtering, and warn users about fake Microsoft account alerts
- Patch Joomla/JCE immediately if you run Joomla on any public-facing systems
- Audit Microsoft Teams relay traffic: look for connections at regular intervals and for relay traffic from hosts that have no Teams client installed
- Review EDR health: baseline the sensor processes and kernel drivers expected on each host, and alert when sensor processes disappear or a driver loads from an unexpected location (the BYOVD pattern GentleKiller relies on)