Weekly review

ThreatNoir Afternoon Brief — July 16

2026-07-16Afternoon4 articles
Audio
Listen to the episode

Afternoon Review in IT Security — July 16, 2026

The threat landscape remains active with multiple critical incidents demanding immediate attention. From cryptocurrency-targeting malware to actively exploited vulnerabilities in enterprise software, organizations face converging risks that require urgent patching and user awareness initiatives.

OkoBot Malware Uses ClickFix, Hidden Browser Extensions to Steal Crypto Data

Kaspersky has identified a sophisticated malware campaign targeting cryptocurrency users through deceptive tactics. The OkoBot malware operates by masquerading as legitimate software while deploying hidden browser extensions designed to intercept sensitive wallet data. Victims lose access to wallet files, seed phrases, passwords, and other critical authentication credentials while the malware simultaneously records activity within wallet applications to capture additional sensitive information.

The campaign demonstrates the evolving sophistication of financially motivated threat actors who combine social engineering with technical exploitation. Users are advised to exercise extreme caution when downloading cryptocurrency management tools and to verify software authenticity through official channels only. Source: OkoBot Malware Uses ClickFix, Hidden Browser Extensions to Steal Crypto Data

CISA Orders Feds to Patch Actively Exploited Oracle Flaw by Saturday

The Cybersecurity and Infrastructure Security Agency has issued a mandatory directive requiring all federal agencies to patch a critical vulnerability in Oracle E-Business Suite by Saturday. The vulnerability is currently being exploited in active attacks against government systems and represents an immediate threat to federal financial applications and infrastructure. The urgency of this directive underscores the severity of the flaw and the active nature of ongoing exploitation campaigns.

Federal agencies must prioritize this patching effort to prevent unauthorized access to critical financial systems and sensitive government data. The tight deadline reflects the critical nature of the vulnerability and the demonstrated threat actor interest in exploiting unpatched systems. Source: CISA orders feds to patch actively exploited Oracle flaw by Saturday

Russian Hackers Trojanize WebEx, Zoom Apps to Push Starland Malware

A financially motivated Russian threat actor designated as UAT-11795 has successfully compromised legitimate software distribution channels to deliver malicious payloads. The threat actor has trojanized installation packages for WebEx and Zoom, two of the most widely deployed communication platforms in enterprise environments. Once installed, the malware deploys the Starland RAT backdoor alongside credential-stealing capabilities, enabling attackers to harvest login credentials and cryptocurrency assets from compromised systems.

This supply-chain attack vector represents a significant risk to organizations relying on these communication tools, as legitimate software channels have been weaponized. Users should verify software integrity through official sources and consider implementing application whitelisting controls to prevent execution of unauthorized software variants. Source: Russian hackers trojanize WebEx, Zoom apps to push Starland malware

New Spirals Ransomware Encrypts Victim Network in Under 24 Hours

A newly identified ransomware actor called Spirals has demonstrated exceptional operational speed by completing a full corporate intrusion cycle in less than 24 hours. The attack progression from initial network access through data exfiltration to full network encryption highlights the accelerating velocity of modern ransomware campaigns. This compressed timeline leaves minimal opportunity for detection and response, requiring organizations to implement robust preventive controls and continuous monitoring.

The rapid execution suggests sophisticated reconnaissance and planning prior to the attack execution phase. Organizations must prioritize network segmentation, access control hardening, and backup isolation to mitigate the impact of such fast-moving campaigns. Source: New Spirals ransomware encrypts victim network in under 24 hours


Today's threat intelligence reveals a coordinated ecosystem of sophisticated attacks spanning cryptocurrency theft, supply-chain compromise, and enterprise ransomware operations. Organizations must implement immediate patching protocols, strengthen access controls, and enhance detection capabilities to defend against these converging threats.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).

OkoBot Malware Uses ClickFix, Hidden Browser Extensions to Steal Crypto Data
Malware4
  • OkoBot
    Active malware campaign targeting cryptocurrency users across 25+ countries
  • TookPS
    Malicious PowerShell script used in initial infection stage
  • SeedHunter
    Component that injects malicious code into hardware wallets to steal seed phrases
  • OkoSpyware
    Component capable of recording video of wallet application windows and logging keystrokes
Russian hackers trojanize WebEx, Zoom apps to push Starland malware
Malware4
  • Starland RAT
    Remote access trojan deployed via trojanized software installers; harvests credentials, wallets, system data
  • CastleStealer
    Info-stealer malware delivered as 64-bit shellcode payload; targets browser credentials and wallet data
  • Remcos RAT
    Remote access trojan delivered as 32-bit shellcode payload; provides keylogging, webcam capture, command execution
  • WLDR
    Previously undocumented PowerShell C2 framework; uses PBKDF2-SHA256 encryption and operates in-memory