The Lyceum: Cyber Intelligence Daily — Jun 15, 2026
Monday, June 15, 2026
The Big Picture
Today is a patch-and-audit day, not a headline-panic day — but the patch list is long and the targets are uncomfortably close to the center of how organizations operate. A China-linked espionage crew got caught after spending more than two years quietly living inside North American medical and defense research networks. ShinyHunters is threatening to dump 297 GB of Council of Europe employee data tomorrow. And a supply-chain attack backdoored 1.2 million WordPress sites through plugins people already trusted — no phishing required. The connective tissue across all of it: attackers are increasingly abusing legitimate features — mail rules, CDNs, AI search — rather than breaking in the loud way.
What Just Dropped
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: patched, actively exploited as a zero-day, on CISA KEV (no NVD score yet in the backbone; maturity 2/operational). Low-privilege remote attackers escalate to root via crafted file-upload requests. KEV deadline June 29.
- CVE-2026-35273 — Oracle PeopleSoft Enterprise PeopleTools: on CISA KEV, ransomware-linked, maturity 3/commoditized. Missing authentication for a critical function; KEV due date was June 15.
- CVE-2026-10520 — Ivanti Sentry: on CISA KEV, maturity 2/operational. OS command injection enabling remote compromise; KEV due date was June 14.
- CVE-2026-54420 — LiteSpeed cPanel plugin (before 2.4.8): on CISA KEV, maturity 2/operational. Symlink-following flaw exploitable by a user with FTP access; KEV due date June 18.
- Notepad++ 8.9.6 arbitrary code execution PoC: fresh Exploit-DB drop for a near-universal Windows text editor; working proof-of-concept now public, no vendor advisory confirmed yet.
- Drupal Core 10.5.5 error-based SQL injection PoC: fresh Exploit-DB submission targeting a different version and technique than the Drupal flaws tracked in May; single-source, no confirmed mass exploitation yet.
Today's Stories
China's UNC6508 Spent 26 Months Inside North American Research Networks
The most dangerous intrusions aren't the loud ones. They're the ones nobody notices for two years.
Google's Threat Intelligence Group (GTIG) disclosed a China-linked espionage campaign targeting North American medical research institutions through compromised REDCap servers, deploying custom malware for persistent access. GTIG attributed it to UNC6508, a People's Republic of China-linked actor that remained undetected from September 2023 through at least November 2025. REDCap is the web platform hospitals and universities use to build clinical trial databases and research surveys — the backbone of medical data collection at thousands of institutions.
Roughly three months after gaining access, the group deployed malware GTIG calls INFINITERED, which trojanizes REDCap's own system files. It hijacks the upgrade process so each new version reinjects the code instead of clearing it, and harvests credentials directly from the login page. The exfiltration trick was the clever part: attackers rewired the victims' own Google Workspace rules to BCC any message matching roughly 150 sensitive keywords — defense intelligence, Indo-Pacific military strategy, AI, unmanned vehicles, cyber warfare programs — to an inbox they controlled. It rode legitimate mail flows, so malware-centric detection largely missed it.
What changes if this technique spreads: mailbox rules and sharing grants become primary espionage tools, not configuration trivia — and the detection burden shifts to behavior nobody currently logs. Google notified affected organizations in the U.S. and Canada. Watch for other CERTs reporting similar Workspace-rule abuse in unrelated intrusions — that's when this becomes a playbook rather than a one-off. If your institution runs REDCap on an internet-facing server, treat it as a priority audit this week, and start treating new or modified mailbox rules on high-risk accounts as security events.
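Detection logic for the mail-rule abuse described above, added here as an example rather than anything GTIG or this newsletter published: it walks a constructed JSON-lines export of rule changes and flags any rule that copies mail to an address outside the organization's domain or matches an unusually broad keyword list. The event names and fields are assumptions for the example, not Google's audit-log schema.

```python
import json

# Constructed sample of mail-rule change events in JSON lines (made up for this
# example; the event names and fields are assumptions, not Google's log schema).
SAMPLE_EVENTS = """\
{"ts": "2026-06-14T02:11:08Z", "actor": "admin@research.example", "action": "RULE_CREATE", "rule": {"name": "Export review", "match_keywords": ["Indo-Pacific", "unmanned", "cyber warfare", "AI"], "bcc": ["archive@research.example"]}}
{"ts": "2026-06-14T02:13:40Z", "actor": "admin@research.example", "action": "RULE_UPDATE", "rule": {"name": "Compliance archive", "match_keywords": ["defense", "Indo-Pacific", "unmanned", "cyber warfare", "AI", "hypersonic"], "bcc": ["intake@relay-cdn.example"]}}
{"ts": "2026-06-14T09:30:00Z", "actor": "pi.lab@research.example", "action": "RULE_CREATE", "rule": {"name": "Newsletter", "match_keywords": ["newsletter"], "bcc": []}}
"""

RULE_ACTIONS = {"RULE_CREATE", "RULE_UPDATE"}


def _domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def flag_mail_rules(jsonl, org_domain, keyword_threshold=5):
    """Return (timestamp, actor, reasons) for rule changes that deserve review.

    A rule is flagged when it copies or forwards mail to an address outside
    org_domain, or when it matches an unusually broad keyword list; the
    latter mirrors the ~150-term BCC rule described in the GTIG report.
    """
    org_domain = org_domain.lower()
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") not in RULE_ACTIONS:
            continue
        rule = event.get("rule", {})
        recipients = rule.get("bcc", []) + rule.get("forward_to", [])
        external = [a for a in recipients if _domain(a) != org_domain]
        keywords = rule.get("match_keywords", [])
        reasons = []
        if external:
            reasons.append("copies mail outside %s: %s" % (org_domain, ", ".join(external)))
        if len(keywords) >= keyword_threshold:
            reasons.append("broad keyword match (%d terms)" % len(keywords))
        if reasons:
            findings.append((event["ts"], event["actor"], reasons))
    return findings


if __name__ == "__main__":
    for ts, actor, reasons in flag_mail_rules(SAMPLE_EVENTS, "research.example"):
        print(ts, actor, "; ".join(reasons))
```

Only the second sample event is flagged at the default threshold; the rule that stays inside the domain with a handful of terms is left alone, which is the point of scoring destination and breadth rather than treating every rule change as an alert.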
ShinyHunters Claims 297 GB of Council of Europe Employee Data — Deadline Expires Tuesday
ShinyHunters has had a busy month. Now they're squeezing Europe's oldest intergovernmental body.
The Council of Europe confirmed it is investigating breach claims made by ShinyHunters over the weekend. On their dark web leak site, the group claimed more than 429,000 documents containing HR and payroll data across multiple departments, and set a deadline of June 16, 2026 — tomorrow — before threatening to leak. The allegedly stolen files span the Secretariat, Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare, and include payroll data for more than 10,000 employees from 2011 to 2026, over 14,000 CVs, bank account details, performance evaluations, and medical records, according to SecurityWeek.
Cybernews researchers note the dataset "ties a lot of data together," letting criminals use bank and tax data for fraud, identity details to open accounts in someone's name, and medical or performance records to blackmail people.
What changes if the dump lands: the downstream spear-phishing against European diplomatic and policy staff won't look like phishing — it'll look like legitimate HR correspondence, and the attackers will have the payroll and personnel data to make it convincing. The signal to watch is whether the data actually publishes Tuesday evening or whether the deadline slips. ShinyHunters has a pattern of negotiating past its own ultimatums, as the Charter standoff in late May showed.
1.2 Million WordPress Sites Backdoored Through Plugins You Already Installed
This one didn't require anyone to click a phishing link. The attack came through plugins that were already trusted and already installed.
WordPress plugins OptinMonster, TrustPulse, and PushEngage were compromised in a supply-chain attack on the content delivery network (CDN) operated by Awesome Motive — the company behind all three. A CDN is the system that serves plugin files to your site automatically; attackers didn't touch your server, they poisoned the delivery mechanism upstream. The injected JavaScript checked whether a logged-in WordPress administrator was viewing the page, and if so, silently created a hidden admin account and uploaded a web shell — a concealed remote-control script. Together, the three plugins run on more than 1.2 million sites.
Awesome Motive said attackers first compromised a marketing server by exploiting a known flaw in the UpdraftPlus plugin, stole CDN credentials, then modified the distributed JavaScript. The company has since rotated the compromised credentials, purged the malicious files, and launched a broader review. The exposure window was short — a few hours on June 12, with some PushEngage nodes serving the payload until June 14 — but the backdoors it planted are persistent.
What changes: compromising a plugin's CDN is now demonstrably as powerful as compromising the plugin itself — a single upstream foothold reaches over a million sites. Watch for unexplained admin accounts or random-named PHP files surfacing in incident reports over the next two weeks. If you run any of these three plugins, audit your WordPress admin accounts right now for anything you didn't create.
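One way to run the admin-account and web-shell audit suggested above, added here as an example and not guidance from Awesome Motive or the plugin authors: it compares administrator records in the shape of `wp user list --role=administrator --format=json` output against a known-good login list, and lists any PHP file under wp-content/uploads, a tree that should contain media only. The sample records and directory tree are constructed; `wp_support_7x2` and the file names are made up.

```python
import json
import os
import tempfile

# Constructed records in the shape of `wp user list --role=administrator
# --format=json` output (the wp-cli command is real; the records are made up).
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@blog.example",
     "user_registered": "2021-03-02 10:00:00"},
    {"ID": 913, "user_login": "wp_support_7x2", "user_email": "x@tmpmail.example",
     "user_registered": "2026-06-12 15:41:22"},
])


def unexpected_admins(admin_json, known_logins):
    """Return administrator records whose login is not in the known-good list."""
    known = {login.lower() for login in known_logins}
    return [u for u in json.loads(admin_json) if u["user_login"].lower() not in known]


def php_in_uploads(wp_root):
    """List PHP files under wp-content/uploads, relative to wp_root.

    The uploads tree should hold media only, so any PHP there is a web-shell
    candidate regardless of how innocuous or random its name looks.
    """
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".phar")):
                hits.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(hits)


def build_sample_tree():
    """Create a throwaway WordPress-like tree with one planted PHP file (constructed)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    media = os.path.join(root, "wp-content", "uploads", "2026", "06")
    os.makedirs(media)
    for name in ("banner.png", "a8f3kq.php"):
        with open(os.path.join(media, name), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    for user in unexpected_admins(SAMPLE_ADMINS, ["siteowner"]):
        print("unexpected admin:", user["user_login"], user["user_registered"])
    for path in php_in_uploads(build_sample_tree()):
        print("php in uploads:", path)
```

On a real site, feed the first function the live `wp user list` output and point the second at the WordPress root; a hit from either is a reason to pull the site offline and check access logs around June 12 before cleaning up.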
⚡ What Most People Missed
Cisco's SD-WAN flaw was the eighth exploited bug in this product line: CVE-2026-20262 lets low-privilege attackers escalate to root on the console that manages up to 6,000 SD-WAN devices. CISA has tagged 91 Cisco vulnerabilities as abused in the wild over recent years — five in Catalyst SD-WAN Manager alone. The KEV deadline is June 29, but this is a this-week patch.
The Microsoft 365 Copilot 'SearchLeak' chain made AI search a one-click exfiltration path: Varonis researchers showed how a single crafted URL could make Copilot Enterprise Search pull a target's emails, files, calendar data, and even some one-time codes — no fake login, no password theft. Microsoft has patched it, but the episode reframes AI "enterprise search" as a privileged data broker that needs the same scrutiny as access controls.
LiteLLM's bug chain turns a default low-privilege account into full server control: Obsidian Security disclosed three chained flaws (CVSS 9.9) in the AI gateway, letting a basic user reach admin, run code, and steal API keys plus raw prompts. AI gateways are quietly becoming high-value aggregation points for secrets — treat them like SSO, not sidecar utilities.
SimpleHelp's remote-support bug lets attackers mint rogue technician accounts: The flaw lets unauthenticated attackers create privileged accounts on servers using OpenID Connect authentication. Remote-support tools are catnip for attackers — already trusted, already privileged — and any internet-facing instance deserves the fastest patch cycle you have.
A fresh academic benchmark measures how easily AI code reviewers get socially engineered: A preprint posted today, SEVRA-BENCH, quantifies how well AI-powered review agents resist submissions crafted to talk them out of flagging a vulnerability. It's the "social engineer the reviewer" problem applied to automation — structurally different from prompt injection, and the kind of research that ends up in enterprise AI policies long before it makes headlines.
From the Foreign Press
The "GreatXML" Exploit Bypasses BitLocker Through Windows Recovery Tools
Russian-language outlet Xakep published a write-up today on an exploit chain dubbed GreatXML that abuses the Windows Recovery Environment (WinRE) and XML configuration files to bypass BitLocker full-disk encryption under specific conditions — particularly where Group Policy and recovery passwords are handled poorly. Per Xakep, the technique boots into WinRE, tampers with the XML config controlling how BitLocker unlock operations are processed, and leverages overly permissive recovery-key storage to reach the encrypted volume without the user's PIN. This is not a magic "break BitLocker" zero-day; it chains weak enterprise deployment practices with WinRE features defenders rarely lock down. BitLocker is the last line of defense when a laptop is lost or seized. If it's reliably bypassable through misconfiguration, the calculus for device theft and border seizure changes. Review who can access recovery keys, enforce pre-boot PINs, and harden boot media against brief physical access. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
400+ Arch Linux AUR Packages Served a Rootkit and Infostealer
Xakep also reports that more than 400 Arch User Repository (AUR) packages were found distributing a combined kernel-level rootkit and information-stealer, injected via compromised maintainer accounts and malicious PKGBUILD build scripts. Automated helpers like yay and paru fetch, build, and install the compromised code with root privileges; once in, the rootkit hides processes and files while the infostealer hunts browser credentials, SSH keys, and crypto wallets. This continues the AUR trust-collapse story this newsletter flagged on June 13 — and the package count climbing past the earlier cluster is exactly the trigger we said to watch for. For any organization that tolerates "bring-your-own-Linux" on developer machines, community package repos are now a credible long-lived foothold. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If ShinyHunters' June 16 dump actually publishes Tuesday evening, the resulting phishing against European policy staff will be indistinguishable from real HR correspondence — and the group's willingness to follow through tells you whether the Council of Europe quietly negotiated.
- If other CERTs report Google Workspace mail-rule abuse in unrelated intrusions, UNC6508's technique has graduated from one campaign to a reusable espionage playbook — and mailbox-rule monitoring becomes a baseline control, not an advanced one.
- If Microsoft publishes a BitLocker advisory confirming GreatXML, every enterprise relying on disk encryption for stolen-laptop protection needs to revisit its recovery-key hygiene — watch the Microsoft Security Response Center over the next 24–48 hours.
- If GreyNoise shows a Drupal or Notepad++ scanning spike in the next two days, today's Exploit-DB drops have moved from proof-of-concept to active campaign — and the Sunday timing means defenders are starting from behind.
- If the AUR package count keeps climbing past the current cluster, this stopped being a cleanup event and became an early-stage trust collapse in community Linux packaging.
The Closer
A Chinese spy crew BCC-ing itself on two years of cancer research. A million WordPress pop-up plugins quietly minting fake admins for whoever loaded a script on June 12. A Russian magazine explaining how to walk past BitLocker while the rest of us were still arguing about whether anyone uses Arch. The best detection-evasion tool of 2026 turns out to be a feature your own IT department turned on — the mail rule, the CDN, the AI search box — which means the call is, as ever, coming from inside the house's settings panel. That's the sweep.
Forward this to the one person you know who's still running OptinMonster and hasn't checked their admin list yet — they'll thank you, eventually.
⚡ EDGE Signals
The following signals appeared in the adversarial edge sweep but were not carried forward in the primary synthesis:
- That matters because WebLogic is the kind of software nobody loves until it breaks: old, internal, business-critical, and often still internet-facing for reasons lost to time. When CISA promotes a 2-year-old bug into today's triage queue, it usually means somebody found a reliable way to make ne
- Netlogon bugs are ugly because they live in the plumbing of Windows domain trust, not in some optional edge feature. If Belgium is right, this is the sort of flaw that can move from "patch soon" to "why is incident response on the phone" very quickly, especially in environments that treat domain con
- Today's cleaner read on CVE-2026-21509 is not that Microsoft patched an Office zero-day — that part is already established — but that CERT-UA's bulletin on UAC-0001 / APT28 exploiting it against Ukraine and EU targets keeps aging well as an early-warning source. CERT-UA documented the activi
- This is tailor‑made for phishing and supply‑chain scenarios: a "log file" or "config sample" sent to a sysadmin, a malicious snippet dropped into a repo that an engineer opens locally, or a poisoned file on a shared drive. Compared to browser or Office exploits, this stays off most people's mental r