DMZ//THREAT INTEL
FEED ACTIVE · LAST SYNC: 06:13:27Z · SOURCES: 14 · CRITICAL: 30
⚠ ACTIVE ALERTS
@FalconFeedsio CRITICAL — 🚨 Ransomware Alert: The Gentlemen RaaS group continues active DLS postings. Now at 478…
@DarkWebInformer CRITICAL — 🚨 ServiceNow discloses June 5 security update tied to anomalous activity — KB3067321.…
@MsftSecIntel CRITICAL — MSTIC analysis of The Gentlemen ransomware (tracked internally): self-propagating…
@GossiTheDog CRITICAL — ServiceNow KB3067321 situation is worse than the vendor comms suggest. Advisory was gated…
@AlvieriD CRITICAL — The '340M OnlyFans' listing on the leak forum is a compiled corpus — seller confirmed to…
30 Critical Threats
15 Active CVEs
1 IOCs Tracked
14 New Advisories
SHOWING 10 OF 100 RECORDS
2026
■ MEDIUM · #ADVISORY · 2026-06-13
INTERPOL Operation Ramz Dismantles Decade-Long SniperDz PhaaS Platform; Developer 'Guedz' Arrested in Algeria After 9-Year Run
INTERPOL, Group-IB, and the Algerian National Police arrested the primary developer and administrator of SniperDz (alias Guedz) — a phishing-as-a-service platform active since 2015 that distributed 80 phishing templates in five languages across 20,000+ domains impersonating PayPal, Facebook, Netflix, and Steam, collecting over 45,000 documented victim records. Operation Ramz (October 2025–February 2026) spanned 13 MENA countries, resulting in 201 arrests, 53 servers seized, 382 suspects identified, and 3,867 victims documented; the platform had rebranded multiple times as Joker Dz, Storm Dz, and Spam Dz to evade detection. The takedown represents the third major INTERPOL cybercrime enforcement action of 2026, following Operation Synergia III and Operation Red Card 2.0, signaling sustained LE pressure on PhaaS infrastructure.
sniperdz · interpol · operation-ramz · phishing-as-a-service · group-ib
■ HIGH · #DARK-WEB · 2026-06-13
OnyxC2 MaaS Infostealer Surfaces on Cybercrime Forums at $250/Month; Targets 210+ Apps via Cloudflare-Fronted C2 and Signed-Binary DLL Sideloading
BlackFog researchers detailed OnyxC2, a new malware-as-a-service credential stealer actively sold on cybercrime forums for $250/month that targets over 210 applications — including browsers, password managers, 2FA extensions, cryptocurrency wallets, VPNs, and FTP clients — exfiltrating data over Cloudflare-fronted HTTPS to evade network-layer detection. Each build is uniquely mutated using C++ with direct assembly syscalls, delivered via DLL sideloading through a legitimately signed OneDrive binary, with the payload remaining AES-256 encrypted until runtime; developers offer refund guarantees for detected builds and claim a 99% evasion rate backed by low initial VirusTotal detection on uploaded samples. Defenders should hunt for signed OneDrive binary anomalies executing unexpected child processes, unexpected Cloudflare-proxied C2 beaconing, and the default backend path /backend/api/app.php in proxy logs.
onyxc2 · infostealer · maas · dll-sideloading · cloudflare-fronting
■ HIGH · #CVE · 2026-06-13
Check Point Discloses Three-CVE RCE Chain in LangGraph Affecting 46M+ Monthly Downloads; SQL Injection to Unsafe Deserialization Kill Chain
Check Point Research disclosed a chained exploitation path across three patched LangGraph vulnerabilities: CVE-2025-67644 (SQLite checkpoint SQL injection, CVSS 7.3) feeds attacker-controlled serialized data into CVE-2026-28277 (msgpack unsafe deserialization, CVSS 6.8), yielding full RCE on self-hosted deployments — exposing LLM API keys, customer PII, CRM credentials, and conversation histories to attackers who can pivot into internal networks. A third flaw, CVE-2026-27022 (Redis query injection, CVSS 6.5), additionally bypasses access controls in Redis-backed deployments. With ~46.5 million monthly downloads across enterprise automation, customer support, and internal tooling, unpatched self-hosted LangGraph instances are high-value targets; operators must upgrade to langgraph ≥ 1.0.10, langgraph-checkpoint-sqlite ≥ 3.0.1, and langgraph-checkpoint-redis ≥ 1.0.2 immediately.
langgraph · langchain · cve-2025-67644 · cve-2026-28277 · cve-2026-27022
■ HIGH · #SUPPLY-CHAIN · 2026-06-13
Solana FakeFix Campaign: 25 Malicious npm/PyPI Packages Targeting Web3 Developers via GitHub Issue Spam and Trojanized SDK Forks
JFrog Security Research identified 25 malicious npm and PyPI packages in the 'FakeFix' campaign, split into a 20-package cluster impersonating legitimate Solana tooling (e.g., @solana-labs/web3.js, solana-rpc-client) and a 5-package CMS cluster that drops Windows loaders via PowerShell at install time. A threat actor using the GitHub handle 'PassWord1337' spammed open-source project issue trackers to social-engineer developers into replacing legitimate packages with the malicious drop-ins; later-stage packages shipped fully functional Solana bundles with stealer code injected after legitimate exports to evade detection. Defenders should audit npm/PyPI dependencies for these package names, review postinstall hooks, and hunt for Telegram API exfiltration traffic and Deno execution from dev workstations.
solana · fakefix · supply-chain · npm · pypi
■ CRITICAL · #DARK-WEB · 2026-06-13
DOJ/Europol Dismantle AudiA6 Crypto Laundering Network That Washed $389M for Ransomware Gangs; Dark2Web Forum Also Seized
A coordinated June 10 operation by DOJ, USSS, IRS-CI, Europol, and 11 partner nations dismantled AudiA6, an industrial-scale cryptocurrency laundering service that processed over 10,333 BTC (~$389M) since 2021 by routing funds through 6,000+ fraudulent KYC-verified exchange accounts — a primary cashout rail for ransomware operators. Two administrators, Ukrainian national Ruslan Tkachuk (37) and Russian national Alexander Ledenev (25), were arrested in Batumi, Georgia; authorities seized 25 domains, 30+ servers, and 80+ vehicles, and also took down the Dark2Web cybercrime forum linked to the same operators. The takedown severs a critical financial pipeline for ransomware affiliates and is linked to funds from at least 15 ransomware campaigns, including laundering proceeds from the 2022 LastPass breach.
audia6 · dark2web · crypto-laundering · ransomware-infrastructure · europol
■ CRITICAL · #CVE · 2026-06-12
Qilin Affiliate Exploiting Check Point VPN CVE-2026-50751 (CVSS 9.3) IKEv1 Auth Bypass as Zero-Day Since May 7 — CISA KEV, Hotfix Available
Check Point disclosed CVE-2026-50751, a logic flaw in IKEv1 certificate validation that allows unauthenticated attackers to establish a VPN session without valid credentials, actively exploited since May 7 with exploitation surging in early June. A Qilin ransomware affiliate is confirmed responsible for at least one post-compromise incident, with observed post-exploitation using Rclone for data staging and the Tox protocol for C2; attacker infrastructure spans VPS providers Kaupo Cloud HK, Shock Hosting, and Vultr. CISA added the flaw to the KEV catalog on June 8 and ordered federal agencies to patch by June 11; defenders should audit VPN logs from May 7 onward and immediately disable IKEv1 or apply the available hotfix.
cve-2026-50751 · check-point-vpn · qilin · ikev1 · authentication-bypass
■ HIGH · #RANSOMWARE · 2026-06-12
DragonForce and TheGentlemen Post New Victims on Leak Sites June 12 — Multi-Sector Global Blitz Continues as DragonForce Shows -95% MoM Activity Variance
Ransomware.live and BreachSense tracking shows fresh June 12 postings from DragonForce (Areco Steel/Sweden, Astec Valves/India, Hong Kong Parkview, Brian Cox Real Estate/UK) and TheGentlemen (Highwoods Properties, a U.S.-based commercial REIT), continuing their prolific double-extortion campaigns. DragonForce's leak site signals a sharp -95% month-over-month victim count reduction compared to its post-M&S/Co-op/Harrods peak, suggesting possible operational restructuring or affiliate churn, while TheGentlemen maintains a steady cadence as the #2 most active RaaS group globally by cumulative 2026 victim count. Defenders in commercial real estate, manufacturing, and critical infrastructure should treat both groups as active, opportunistic threats with established affiliate pipelines.
dragonforce · the-gentlemen · leak-site · double-extortion · commercial-real-estate
■ HIGH · #ADVISORY · 2026-06-12
CISA BOD 26-04 Mandates 72-Hour Patch Deadline for Highest-Risk KEV Vulnerabilities — Supersedes BOD 22-01, Cites AI-Accelerated Exploitation
CISA issued Binding Operational Directive 26-04 on June 10, replacing BOD 19-02 and BOD 22-01 with a risk-matrix framework that scores vulnerabilities across four criteria: internet exposure, KEV status, exploit automatability, and technical impact. Vulnerabilities meeting all four criteria — internet-exposed, KEV-listed, fully automatable, and granting total system control — must be remediated within 72 hours and require mandatory forensic triage to assess prior compromise before patching. CISA explicitly cited AI-assisted exploit automation as a key driver, noting that only 26% of KEV-listed vulnerabilities were fully remediated in 2025 (down from 38% the prior year), with median time to resolution rising to 43 days.
cisa · bod-26-04 · patch-management · kev · federal-agencies
■ HIGH · #DARK-WEB · 2026-06-12
Europol/DOJ Dismantle AudiA6 Crypto-Laundering Service — €336M Processed for Ransomware Gangs Since 2021, Two Arrested in Georgia
An 11-country coalition executed coordinated takedowns on June 10, seizing 25 domains, 30+ servers, and over 80 vehicles, while arresting two suspected administrators (Ukrainian and Russian nationals) in Georgia for operating AudiA6, a mixer-as-a-service that laundered more than €336M in ransomware and cybercrime proceeds via 6,000+ KYC-verified money mule accounts at legitimate exchanges. The operators also ran Dark2Web, a darknet cybercrime forum used to connect ransomware affiliates with buyers of illicit services; Europol linked AudiA6 to more than 15 active international ransomware investigations. The U.S. DOJ charged both individuals with conspiracy to launder monetary instruments, each facing up to 20 years in prison.
audia6 · europol · doj · crypto-laundering · dark2web
■ HIGH · #RANSOMWARE · 2026-06-12
PRODAFT/KrebsOnSecurity Unmask The Gentlemen RaaS Operator LARVA-368 (Storm-2697) — 478 Victims, AI-Assisted Tooling, FortiGate Mass-Exploitation at Scale
PRODAFT published a comprehensive technical dossier on The Gentlemen RaaS, tracking the operator as LARVA-368 (aliases: hastalamuerte, zeta88, ArmCorp) and linking the group to 478 victims since March 2025 — roughly 10% of global ransomware activity in April 2026. The group's admin directly supplies affiliates with Fortinet SSL-VPN credentials sourced from brute-force attacks against a self-reported pre-compromised inventory of ~14,700 FortiGate devices, and uses AI to develop and maintain the Go-based encryptor and post-exploitation tooling. A 90/10 affiliate revenue split — well above the industry norm of 80/20 — is fueling aggressive recruitment of experienced operators from competing RaaS programs.
the-gentlemen · larva-368 · storm-2697 · raas · prodaft
…