Skip to main content
All Threat Briefings
Weekly Threat AwarenessJuly 2, 2026|Vol. 1 · Issue 5|Covers June 22-28, 2026

Weekly Threat Awareness ReportThree Exploited Microsoft Flaws · GentleKiller RaaS · WhatsApp RMM Abuse

Active exploitation is the theme this week: all three CVEs below - an Exchange Server SSRF privilege escalation, an Excel remote-code-execution flaw, and a Microsoft Defender security bypass - are already being used in real-world attacks. On the campaign side, the Gentlemen ransomware crew's GentleKiller EDR-killer framework and a WhatsApp-borne VBScript campaign that silently installs remote-management software round out the briefing.

VT

Vaughn Thomas

Compliance Engineer & Threat Researcher · SOClogix Cyber Group

About the Analyst

Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.

200+

Threat groups tracked

50+

Intel feeds monitored

3 yrs

Threat research tenure

Top Mentioned CVEs

Most frequently referenced vulnerabilities across this week's intelligence corpus.

CVE-2025-55182
CVE-2025-8088
CVE-2025-53770
CVE-2026-31431
CVE-2025-53771
CVE-2026-21509
CVE-2025-59718
CVE-2025-59287
CVE-2025-66478
CVE-2025-59719
015304560

CVEs Affecting Client Assets

Vulnerabilities identified this week with direct relevance to common enterprise environments. All three are under active exploitation.

CriticalCVE-2026-45504 New this week Actively exploited
8.8CVSS
80SVRS

Microsoft Exchange Server - SSRF Privilege Escalation

Server-Side Request Forgery (SSRF)  ·  Requires authorized user  ·  Seen in the wild

A critical flaw in Microsoft Exchange Server lets an authorized attacker escalate privileges over the network. Classified as a server-side request forgery, the server can be tricked into making requests to internal or external resources on the attacker's behalf, often bypassing security controls. Successful exploitation raises an attacker's access within the network, putting email infrastructure and connected systems at risk of unauthorized data access, system manipulation, and potential full compromise. This vulnerability is already under active exploitation; no specific exploit code or APT group has been publicly linked yet, but the confirmed in-the-wild status means attackers are leveraging it now.

Recommended Actions

  • Apply the latest Exchange Server security update immediately across all on-prem servers
  • Hunt for SSRF indicators: unexpected outbound requests originating from Exchange server processes
  • Restrict and monitor Exchange server egress to only required destinations
  • Prioritize migration off end-of-life on-prem Exchange where feasible
HighCVE-2025-60727 New this week Actively exploited
7.8CVSS
125CWE

Microsoft Office Excel - Out-of-Bounds Read Remote Code Execution

Out-of-Bounds Read (CWE-125)  ·  Local file / user execution  ·  In the wild

A high-severity flaw in Microsoft Office Excel allows attackers to execute malicious code without authorization. The root cause is an out-of-bounds read: Excel can be tricked into reading data from a memory location it should not access, which an attacker leverages to inject and run their own code. Successful exploitation can hand an attacker complete control of the machine, enabling data theft, ransomware, or use of the system to attack others. It is being actively exploited in real-world attacks. Because this triggers through a crafted document, user-execution defenses and attachment handling matter as much as patching.

Recommended Actions

  • Apply the latest Microsoft Office / Excel security updates across all endpoints
  • Enforce Protected View and block macros from the internet via policy
  • Filter and sandbox inbound spreadsheet attachments at the email gateway
  • Alert on Office applications spawning script interpreters or unusual child processes
MediumCVE-2024-20671 New this week Actively exploited
5.5CVSS
YesPoC

Microsoft Defender - Security Feature Bypass

Incorrect Default Permissions (CWE-276)  ·  Public PoC available  ·  Actively exploited

A vulnerability in Microsoft Defender lets attackers bypass its protective measures. The root cause is incorrect default permissions, a misconfiguration in Defender's default settings that grants more access than intended and opens a pathway around its detection and prevention mechanisms. Exploited, it lets attackers execute malicious code, install malware, or gain unauthorized access without being flagged - effectively disarming a core layer of defense. Despite the moderate CVSS score, the risk is elevated: it is being actively used to compromise systems, and a public proof-of-concept exploit confirms its viability.

Recommended Actions

  • Ensure Microsoft Defender platform, engine, and signatures are on the latest versions fleet-wide
  • Verify Defender is running in a supported, correctly-permissioned configuration (no tampered defaults)
  • Add layered detection (EDR/SIEM) so a single Defender bypass does not blind you
  • Alert on tampering with Defender services, exclusions, or registry keys

Active Threats & Campaigns

Threat actor campaigns with available detection rules or indicators of compromise.

Ransomware-as-a-ServiceThe Gentlemen · Storm-2697

GentleKiller EDR-Killer Framework

Series context: The Gentlemen RaaS was one of the top five threats in our June 25 mindmap. This is the deeper profile of their EDR-killer toolkit - the same GentleKiller / HexKiller / ThrottleBlood family we flagged trending under MITRE T1562 (Impair Defenses).

The Gentlemen is a ransomware-as-a-service operation (tracked by Microsoft as Storm-2697) that centrally develops and maintains an EDR-killer suite for its affiliates, built around an in-house framework named GentleKiller with at least eight BYOVD variants plus the integrated third-party killers HexKiller, ThrottleBlood, and HavocKiller. The group uses double extortion, selects victims primarily by FortiGate misconfiguration, and recently claimed the attack on Australia's Mackay Sugar.

Unlike most top-tier RaaS gangs, the Gentlemen operators do not delegate EDR evasion to individual affiliates. Instead they maintain a portfolio of EDR killers and apply a single, consistent defense-evasion layer to every tool: commercial packing with Enigma or Themida, fabricated version information, invalid digital signatures copied from legitimate executables, and matching vendor icons.

Recommended Actions

  • Enable tamper protection and BYOVD blocklists (Microsoft vulnerable-driver blocklist) on all endpoints
  • Harden and monitor FortiGate configurations - this crew selects victims by FortiGate exposure
  • Alert on unsigned/invalidly-signed drivers loading and on EDR service tampering
  • Maintain offline, tested backups given the double-extortion model

Threat Actor Profile

Group: The Gentlemen (Storm-2697)

Model: RaaS, double extortion

Toolkit: GentleKiller + 8 BYOVD variants

Also uses: HexKiller, ThrottleBlood, HavocKiller

Targeting: FortiGate misconfiguration

Social EngineeringAccess-motivated · Global New this week

WhatsApp VBScript to ManageEngine RMM Campaign

An unattributed, access-motivated actor is abusing compromised WhatsApp accounts to send that account's contacts heavily obfuscated VBScript files disguised as business and financial documents. When opened, the VBScript runs a multi-stage chain that tampers with Windows User Account Control and silently installs a preconfigured ManageEngine Endpoint Central (RMM) agent, granting the attacker remote access to the victim's machine.

It is a broad, opportunistic campaign that weaponizes trust in WhatsApp: the actor takes over accounts, then pushes malicious VBScript attachments to each account's contacts, with messages carrying only the attachment and no text. File names imitate invoices, account statements, debt notices, and payment records, and several are localized into Portuguese, French, German, and Malay to fit the campaign's global spread.

Recommended Actions

  • Block or restrict .vbs / .vbe execution via policy; set the default handler for script files to Notepad
  • Alert on unexpected RMM installs - especially ManageEngine Endpoint Central agents not deployed by IT
  • Baseline approved RMM tooling and treat any other RMM agent as an indicator of compromise
  • Warn staff that unsolicited WhatsApp attachments (even from known contacts) may be account takeovers
VT

Vaughn Thomas

Compliance Engineer & Threat Researcher, SOClogix

All reports →
VT

Vaughn Thomas

Compliance Engineer

SOClogix Cyber Group

200+

Threat groups tracked

50+

Intel feeds monitored

52×

Reports per year

Global dark web & forum monitoring
Live CISA KEV & NVD tracking
Adversary TTP analysis
Compliance-threat intersection

Get Weekly Briefings Free

Confirmed via email. No spam. Unsubscribe anytime.

This Week at a Glance

CVEs covered3
Actively exploited3
Public PoC available1
Active campaigns2
Vendor focusMicrosoft
RaaS profiled1

Get Vaughn's Briefing Every Week

Free weekly threat awareness reports delivered to your inbox. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.

Confirmed via email. No spam. Unsubscribe anytime.

Prefer a conversation? Talk to our team about managed security monitoring.