CISA flags Microsoft Defender ‘BlueHammer’ LPE in ransomware use, Oracle EBS takeover exploited, and a PyPI Pyrogram supply-chain backdoor

This brief covers the trailing ~48 hours (June 30 – July 2, 2026). Each item was checked against its primary source — CISA KEV, vendor advisories (Microsoft MSRC, Oracle), SEC filings, and original vendor research — with reputable outlet reporting used for context.

CISA flags Microsoft Defender “BlueHammer” flaw as exploited by ransomware gangs

CISA / Microsoft MSRC · June 30, 2026

CISA updated its Known Exploited Vulnerabilities Catalog to note that ransomware operators are now exploiting CVE-2026-33825 (“BlueHammer”), a high-severity local privilege escalation flaw in Microsoft Defender. The bug was leaked with proof-of-concept code in early April by a researcher known as “Nightmare Eclipse,” patched by Microsoft on April 14, and added to the KEV catalog on April 22 after zero-day exploitation. It lets a local attacker reach the SAM database and escalate to SYSTEM. Status: patched, actively exploited, in KEV (now flagged for ransomware use); Microsoft has not yet tagged it as exploited in its advisory.

“Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.” — Microsoft Security Response Center advisory

Source: Microsoft MSRC advisory · CISA KEV entry · BleepingComputer

“Operation Navy Ghost”: trojanized Pyrogram forks backdoor Telegram-bot developers on PyPI

Checkmarx · June 30, 2026

Checkmarx disclosed a supply-chain campaign, active since November 2025, in which at least eight malicious forks of the popular (but unmaintained) Pyrogram Telegram framework were published to PyPI — including pyrogram-styled, VLifeGram, and pyrogram-navy. Each embeds a hidden secret.py backdoor that registers covert Telegram command handlers, letting the operator run arbitrary Python or shell commands on the bot’s server. No CVE is assigned. Developers who installed any listed package should remove it, rotate all server credentials, and revoke Telegram bot tokens.

“When the attacker sends /asi cat /etc/passwd, this runs /bin/bash -c ‘cat /etc/passwd’ on the victim’s server and returns the output. This is repeatable with any shell command and runs under the infected application’s authority.” — Checkmarx

Source: Checkmarx research · BleepingComputer
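For developers who run Telegram bots and want to check their own hosts, the following is an added audit script, not code from Checkmarx or the Pyrogram project. It does two things a responder would want: it matches installed distribution names against the three malicious fork names quoted in this brief (the block-list is an assumption limited to those names; the full Checkmarx report lists more), and it statically scans Python source for the backdoor pattern described above, a Pyrogram `on_message` command handler whose body hands message text to a shell. The decorator convention (`@app.on_message(filters.command(...))`) is Pyrogram's real API; the source file scanned in the demo is a constructed, harmless stand-in.

```python
"""Audit a host for the trojanized-Pyrogram pattern (added example, not vendor code)."""
import ast
import re
import sys
from importlib import metadata
from pathlib import Path

# Assumption: only the fork names named in the brief; extend from the full report.
KNOWN_BAD_DISTS = {"pyrogram-styled", "vlifegram", "pyrogram-navy"}

# Call targets that hand a string to a shell or spawn a process.
SHELL_SINKS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Pyrogram_Styled' matches 'pyrogram-styled'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_bad_dists(dist_names=None):
    """Return sorted block-listed names found among installed distributions.

    dist_names may be supplied (e.g. from a lock file); otherwise the live
    environment is enumerated via importlib.metadata.
    """
    if dist_names is None:
        dist_names = [d.metadata["Name"] or "" for d in metadata.distributions()]
    return sorted({normalize(n) for n in dist_names} & KNOWN_BAD_DISTS)


def _dotted(node):
    """Render 'a.b.c' from an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src: str, filename: str = "<string>"):
    """Find Telegram message handlers that also call a shell/process sink.

    Each hit records the handler name, its line, the command words it is
    registered for, and the sinks reached inside it.
    """
    hits = []
    tree = ast.parse(src, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        commands = []
        is_handler = False
        for dec in node.decorator_list:
            target = _dotted(dec.func if isinstance(dec, ast.Call) else dec)
            if target and target.split(".")[-1] == "on_message":
                is_handler = True
                # Collect filters.command("...") string arguments, if any.
                for sub in ast.walk(dec):
                    if isinstance(sub, ast.Call):
                        fn = _dotted(sub.func)
                        if fn and fn.split(".")[-1] == "command":
                            commands += [a.value for a in sub.args
                                         if isinstance(a, ast.Constant)
                                         and isinstance(a.value, str)]
        if not is_handler:
            continue
        sinks = sorted({_dotted(c.func) for c in ast.walk(node)
                        if isinstance(c, ast.Call) and _dotted(c.func) in SHELL_SINKS})
        if sinks:
            hits.append({"file": filename, "function": node.name, "line": node.lineno,
                         "commands": commands, "sinks": sinks})
    return hits


def scan_tree(root):
    """Scan every .py under root (e.g. site-packages); skip unparsable files."""
    results = []
    for path in Path(root).rglob("*.py"):
        try:
            results += scan_source(path.read_text(encoding="utf-8", errors="replace"), str(path))
        except SyntaxError:
            continue
    return results


# Constructed stand-in for a bot module: one benign handler, one that shells out.
SAMPLE_SOURCE = '''
from pyrogram import Client, filters
import subprocess
app = Client("bot")

@app.on_message(filters.command("start"))
async def start(client, message):
    await message.reply_text("hello")

@app.on_message(filters.command("asi"))
async def asi(client, message):
    out = subprocess.run(["/bin/bash", "-c", message.text], capture_output=True)
    await message.reply_text(out.stdout.decode())
'''

if __name__ == "__main__":
    print("block-listed packages installed:", installed_bad_dists())
    root = sys.argv[1] if len(sys.argv) > 1 else "<demo>"
    hits = scan_source(SAMPLE_SOURCE, "demo.py") if root == "<demo>" else scan_tree(root)
    for h in hits:
        print(f"{h['file']}:{h['line']} handler {h['function']} "
              f"commands={h['commands']} sinks={h['sinks']}")
```

Run it with no argument to see the demo hit, or pass a site-packages path to scan what is actually installed. A hit is a lead, not a verdict: legitimate admin bots do shell out, so review each flagged handler, and treat any package on the block-list as a confirmed compromise requiring the credential rotation and bot-token revocation described above.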

Aflac discloses breach of its Japan subsidiary exposing policy, personal, and bank data

Aflac Incorporated (SEC 8-K) · June 30, 2026

In an SEC filing, Aflac reported that an unauthorized third party accessed systems at its wholly owned subsidiary Aflac Japan between June 15 and June 25, 2026, when the intrusion was discovered. Impacted files include policy and coverage details, personal information, and bank account information. Aflac says the incident is limited to Japan and did not affect its U.S. systems; the full scope remains under investigation. This is a separate incident from the Scattered Spider–linked breach Aflac disclosed a year earlier.

“Aflac Japan has determined that certain impacted files contain policy and coverage details, personal information, and bank account information … This incident is limited to systems in Japan.” — Aflac Incorporated, SEC Form 8-K

Source: SEC 8-K filing · BleepingComputer

Still developing

Critical Oracle E-Business Suite flaw now exploited in the wild

Oracle / Defused · June 29, 2026

Threat intelligence firm Defused reported active exploitation of CVE-2026-46817 (CVSS 9.8), an unauthenticated remote-takeover flaw in the File Transmission component of Oracle Payments within Oracle E-Business Suite. Oracle patched it in the May 2026 Critical Patch Update. It is not yet listed in CISA KEV; Shadowserver tracks over 450 EBS instances exposed online.

“CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists.” — Defused

Source: Oracle May 2026 CPU · NVD · BleepingComputer

SimpleHelp authentication-bypass flaw exploited to drop new “Djinn Stealer”

Horizon3.ai / Blackpoint · June 29, 2026

Attackers are exploiting CVE-2026-48558, a critical authentication-bypass vulnerability in SimpleHelp remote-management software (in OIDC configurations), to create privileged technician sessions. In an intrusion investigated by Blackpoint, the actor deployed a new loader (“TaskWeaver”) and a previously undocumented cross-platform infostealer (“Djinn Stealer”) that targets developer, cloud, and AI-tooling credentials. Around 1,000 vulnerable SimpleHelp servers were exposed at disclosure. Status: actively exploited; patch available.

“The compromised RMM platform provided the operator with a trusted administrative channel capable of transferring files and executing commands on systems managed through the server.” — Blackpoint

Source: Blackpoint research · BleepingComputer
