- Exploited vulnerability in Active Directory Federation Services (AD FS).
- Exploited vulnerability in SharePoint Server.
- Publicly disclosed BitLocker bypass vulnerability.
ThreatNoir Afternoon Brief — July 15
Afternoon Review in IT Security — July 15, 2026
Microsoft's latest patch cycle and emerging threats targeting critical infrastructure and cryptocurrency users dominate today's security landscape. Organizations face mounting pressure to address actively exploited vulnerabilities while defending against sophisticated malware frameworks and supply chain risks.
Microsoft's July 2026 Patch Tuesday Fixes 622 Flaws and 2 Exploited Zero-Days
Microsoft released an unprecedented patch cycle addressing 622 CVEs during July 2026 Patch Tuesday, including two actively exploited zero-day vulnerabilities affecting Active Directory Federation Services and SharePoint. The update also addresses a critical BitLocker bypass that requires immediate attention from all affected organizations. Source: Microsoft's July 2026 Patch Tuesday fixes 622 flaws and 2 exploited zero-days
The scope of this month's security update underscores the accelerating pace of vulnerability discovery and exploitation. Organizations running Microsoft infrastructure must prioritize deployment of these patches, particularly those addressing the already-weaponized zero-day flaws. The BitLocker vulnerability represents an especially critical risk for enterprises relying on full-disk encryption for sensitive data protection.
Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution
A significant vulnerability in the Cursor AI editor permits automatic execution of malicious binaries placed in cloned repositories without user interaction or warning dialogs. When a file named git.exe is present in a project root directory, Cursor executes it automatically with full user privileges, granting the malware access to source code, SSH keys, and cloud authentication tokens. The editor continues re-executing the binary for as long as the project remains open. Source: Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution
This vulnerability represents a critical supply chain risk for developers who clone repositories from untrusted or compromised sources. Attackers can weaponize public repositories by injecting malicious executables, potentially compromising the credentials and intellectual property of any developer who opens the project in Cursor. The absence of execution warnings or approval mechanisms significantly amplifies the risk profile of this flaw.
OkoBot: New Sophisticated Malware Framework Targets Cryptocurrency Users
Kaspersky's Global Research and Analysis Team has documented OkoBot, a complex malware framework specifically designed to target cryptocurrency users through compromised software distribution channels. The framework deploys multiple specialized malware components including TookPS, OkoSpyware, Rilide, SeedHunter, TeviRAT, and Volume2, working in concert to extract cryptocurrency seed phrases, monitor Chromium-based browsers, and establish persistent system access. Source: OkoBot: new sophisticated malware framework targets cryptocurrency users
The OkoBot campaign demonstrates the evolution of targeted malware toward high-value financial assets. By combining seed phrase extraction with browser monitoring and additional stealer functionality, the framework enables attackers to compromise cryptocurrency wallets across multiple platforms. Organizations and individuals in the cryptocurrency sector should implement enhanced endpoint detection capabilities and monitor for indicators of compromise associated with the identified malware components.
ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Rockwell
Industrial control system manufacturers Siemens, Schneider Electric, and Rockwell Automation released coordinated security advisories addressing dozens of vulnerabilities across their ICS product portfolios. CISA and VDE CERT have also published related vulnerability guidance to support organizations managing industrial infrastructure. Source: ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Rockwell
The coordinated release of ICS vulnerabilities from multiple major vendors signals heightened security risks across critical infrastructure environments. Organizations operating industrial control systems should prioritize vulnerability assessment and patch planning to mitigate potential disruptions to manufacturing, energy, and utility operations.
Today's threat landscape reflects the convergence of multiple attack vectors: enterprise software vulnerabilities, developer tool compromises, and specialized malware targeting high-value assets. Security teams must balance the urgency of critical patch deployment with the complexity of managing vulnerabilities across diverse technology stacks and industrial environments.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- git.exeMalicious executable disguised as git.exe in the root of a cloned repository.
- OkoSpywareSpyware component
- TookPSInitial infection PowerShell script and downloader
- Volume2Launcher/plugin component
- TeviRATBackdoor delivered by OkoBot
- RilideStealer malware delivered by OkoBot
- SeedHunterKeylogger component