Home  /  Episodes  /  Jun 3, 2026

Episode show notes

Jun 3's Top Cyber News NOW! - Ep 1145

Aired Jun 3, 2026 Daily Cyber Threat Brief Hosted by Dr. Gerald Auger

At a glance

Russia claims foreign spy agencies compromised senior officials' smartphones; a two-year-old Oracle vulnerability is being actively exploited with only days to patch; Google's Android update patches 124 vulnerabilities including a zero-day; and phishing-as-a-service platforms are expanding attacks to AWS, Okta, and other enterprise services using AI-generated lures.

Stories covered

Is Russia's claim of compromised official smartphones credible?

What happened: Russia's FSB claims foreign intelligence agencies infected smartphones of senior officials with malware capable of stealing data, intercepting conversations, and accessing microphones and cameras. The FSB opened a criminal investigation but provided no technical indicators or identified attackers.

Why it matters: Smartphones are perfect surveillance tools with GPS, microphone, and camera access. If true, this represents compromise of high-value targets with direct physical proximity to operators.

What to do: If you handle sensitive information, follow existing SCIF protocols—leave cell phones outside secure compartments or place them in Faraday cages during sensitive discussions.

How is Project Glasswing expanding AI vulnerability detection?

What happened: Anthropic expanded its Project Glasswing program to 150 additional organizations across 15 countries, granting access to Claude Mythos preview model. Since April launch, Mythos has identified 10,000+ high/critical vulnerabilities, including thousands at major companies and 6,000+ flaws in open-source projects.

Why it matters: AI-powered vulnerability discovery is dramatically accelerating bug identification, but Anthropic is managing risk through responsible disclosure by controlling early access before public release. Threat actors will eventually weaponize this capability.

What to do: Monitor for now. Understand that vulnerability management timelines are compressing—patch velocity must increase to stay ahead of AI-accelerated discovery and exploitation.

Why is a two-year-old Oracle flaw now a critical federal priority?

What happened: CISA ordered federal agencies to patch CVE-2024-XXXXX (transcript ambiguous on CVE number), a high-severity Oracle WebLogic Server vulnerability first fixed in 2024, now being actively exploited. Over 1,500 instances remain exposed online; agencies have until June 4th to patch.

Why it matters: CISA's one-day deadline is a clear indicator of high exploitability and severe impact. WebLogic is enterprise-grade middleware in critical infrastructure. Unauthenticated network access (via T3 protocol) allows remote data theft without privileges.

What to do: Identify all Oracle WebLogic Server instances (versions 12.2.1.4.0 through 14.1.1.0) immediately and patch. Engage application owners and executives—this is a high-impact vulnerability affecting distributed systems. Vulnerability management analysts must escalate aggressively.

What zero-day is Google patching in Android's latest security update?

What happened: Google's June Android security patch fixes 124 vulnerabilities, including a high-severity zero-day privilege escalation bug in the framework component being exploited in limited targeted attacks. Also patches 18 critical flaws in Android system components and Qualcomm software.

Why it matters: The privilege escalation vulnerability is part of a chained attack; threat actors must first compromise a device before elevating privileges. Exploitation appears limited to high-value targets (government officials, executives), but the attack surface is broad.

What to do: Enable auto-update on all Android devices, including Fire TV, Fire Sticks, and IoT devices running Android OS—many are unmanaged. Patch overnight to avoid impact.

How is Google fighting phone-number spoofing with RCS authentication?

What happened: Google added an anti-scam feature to Android Dialer (12+) using RCS standard to verify caller phone numbers match the device making the call, warning users of impersonators. Designed to combat voice cloning and spoofing scams.

Why it matters: Voice cloning and spoofed-caller scams are increasing, but this feature only works between Android devices and doesn't stop threat actors using cloud services like Twilio to spoof authority figures (police, lawyers, child endangerment scams).

What to do: Monitor for now. This is incremental improvement, not a silver bullet.

What is Operation Dragon's espionage campaign targeting Czech Republic and Taiwan?

What happened: Suspected Chinese APT operation targets Czech Republic and Taiwan government, academic, tech, and financial organizations via spear-phishing. Uses Rust-based malware (Rust Cloak loader, Azure Veil backdoor) communicating through Microsoft Azure blob storage dead-drop C2, enabling stealthy command execution and data exfiltration.

Why it matters: Attack chain uses multiple evasion layers (archive extraction, LNK shortcut, PowerShell script, Rust dropper, DLL injection). Azure Veil C2 hides in legitimate Azure traffic, making detection difficult for Microsoft-heavy organizations. Demonstrates Chinese espionage capability leveraging trusted cloud providers.

What to do: Hunt for runtime broker_update.exe and archive-based phishing. Monitor PowerShell execution and unusual Azure Storage connections. Educate users on multi-stage infection chains—stopping any single layer prevents compromise.

How is AI-powered ransomware automating EDR evasion?

What happened: Sofos researchers uncovered ransomware toolkit using AI agents (Cursor, Claude Opus) to automate Active Directory discovery, generate malware payloads in Rust and Go, and iteratively test evasion against Sophos, Crowdstrike, and Microsoft EDR products.

Why it matters: AI accelerates malware development by automating payload generation and evasion testing, but techniques are not novel—process hollowing, Cobalt Strike beacon spoofing, legitimate traffic masquerading. The speed of iteration is what's changed, not the fundamental attacks.

What to do: Don't panic. AI is doing familiar techniques faster. Maintain strong EDR tuning, behavioral detection, and threat hunting practices. EDR evasion has been a constant arms race; this is an evolution, not a revolution.

How is Cali 365 phishing-as-a-service expanding beyond Microsoft 365?

What happened: Cali 365, known for MFA-bypass attacks on Microsoft 365, now targets AWS, Okta, and Russian services (Max Messenger). Uses device code phishing, OAuth authentication flows, and AI-generated lures. Researchers observed 126+ malicious hosts and automated campaign tracking.

Why it matters: Attack exploits familiar OAuth/MFA workflows via fake shared document pages. Victims complete MFA believing they're authenticating legitimately, then attackers gain valid tokens bypassing MFA. Expanding scope and using AI-generated lures increases volume and targeting precision.

What to do: Educate users on OAuth/device-code authentication flows—especially shared document scenarios. Verify authentication context before entering credentials. Monitor for anomalous OAuth token usage and unusual device-code flows in logs. Consider conditional access policies blocking suspicious device authentication patterns.

Key takeaways

  • CISA's one-day patch deadline signals active exploitation and severe impact; vulnerability management is a sales problem—escalate Oracle WebLogic patches to executives immediately.
  • Azure Storage and cloud-native C2 techniques hide malicious traffic in legitimate Microsoft/AWS logs; monitor for unusual blob storage access and OAuth anomalies.
  • AI is accelerating malware development and EDR evasion, but attack techniques are decades-old; don't conflate speed with sophistication—maintain rigorous EDR tuning and threat hunting.
  • Phishing-as-a-service platforms are expanding and automating with AI; user education must cover legitimate OAuth workflows and device-code authentication flows.
  • Enable auto-patch on mobile and IoT devices running Android; unmanaged Fire devices and smart screens expand your attack surface.

Topics covered

oracle weblogiccve-2024cisavulnerability managementransomwareedr evasionandroid securitymfa bypassphishing as a serviceazure cloud c2threat huntingchinese aptespionageproject glasswingai vulnerability detection

Show notes generated from the live transcript using AI on Thu, 04 Jun 2026 17:30:23 GMT. Errors? Open the YouTube replay for the source of truth.

Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.