Daily Cyber Digest - July 3, 2026
July 3 roundup covering Armored Likho espionage, Bad Epoll Linux risk, FatFs embedded flaws, PamStealer on macOS, and Avalon ransomware tooling.
Published
July 04, 2026Item Count
5 itemsTLP Protocol
TLP:clearBriefing Items
Rank #1 · research · high · high confidence
SecurelistArmored Likho campaign expands BusySnake-led espionage against government and power targets
Kaspersky detailed an active Armored Likho campaign hitting government agencies and the electric power sector in Russia, Brazil, and Kazakhstan with spearphishing, GitHub-hosted payload delivery, Go2Tunnel tunneling, and a newly documented Python infostealer dubbed BusySnake.
The report shows a mature espionage workflow that combines credential theft, persistence, and modular post-compromise tasking against public-sector and critical-infrastructure organizations.
#2 · vulnerability · high
The Hacker NewsBad Epoll bug puts Linux 6.4+ systems and some Android devices at local-root risk
The Hacker News reported that CVE-2026-46242 is a use-after-free bug in Linux epoll cleanup logic that can let an unprivileged local user escalate to root, with a researcher demonstrating a high-reliability exploit path and noting reach into some Android devices.
Epoll is broadly exposed across Linux workloads, so patch lag on servers, desktops, and downstream Android kernels could create a durable local-privilege-escalation risk.
#3 · vulnerability · high
The Hacker NewsFatFs library flaws widen embedded-device attack surface through removable media and update paths
runZero disclosed seven FatFs flaws affecting firmware used in cameras, drones, industrial controllers, crypto wallets, and other embedded products; multiple issues can be triggered with malformed FAT or exFAT media, and only one bug is fixed upstream in FatFs R0.16.
The broad reuse of FatFs means product teams need to treat removable media, firmware images, and downstream wrapper code as a widespread embedded-security exposure, not an edge case.
#4 · malware · high
The Hacker NewsPamStealer campaign uses fake Maccy branding and PAM validation to improve macOS credential theft
According to The Hacker News, Jamf Threat Labs found a two-stage macOS infostealer campaign where a fake Maccy site delivers an AppleScript downloader that stages a Rust-based payload and validates the victim's password through PAM before stealing it.
The combination of lookalike distribution, native AppleScript and JXA staging, and local password validation raises the quality bar for macOS social-engineering payloads targeting user and wallet data.
#5 · malware · high
The Hacker NewsAvalon framework blends phishing, defense evasion, and CrownX ransomware delivery
Blackpoint Cyber research, as reported by The Hacker News, described Avalon as a modular malware framework delivered through a phishing chain with an ISO image, LNK execution, MSBuild abuse, ETW interference, and a ransomware component called CrownX.
The framework compresses initial access, stealth, credential collection, lateral movement, and ransomware staging into one toolchain, which can reduce defender response time once the chain lands.
Executive snapshot
July 3 delivered a concentrated mix of espionage research, privilege-escalation risk, embedded-device exposure, and increasingly polished malware delivery tradecraft. The most actionable pattern for defenders is breadth: one item targets government and power-sector organizations with a bespoke infostealer, while others show how Linux kernel code, widely reused embedded libraries, and macOS social-engineering chains can all become practical post-compromise accelerants. Teams that only prioritize one lane—endpoint malware, kernel patching, or firmware exposure—risk missing how quickly these operational threads can reinforce each other.
Notable items
Kaspersky’s Armored Likho report stands out because it ties active spearphishing to a newly documented BusySnake infostealer, GitHub-hosted payload delivery, and reverse-tunneling support aimed at government agencies and the electric power sector. On the vulnerability side, Bad Epoll raises Linux and Android concern because the bug sits in a standard kernel facility that cannot simply be disabled, and a public write-up already describes a highly reliable local-root path. The FatFs disclosures broaden the risk surface from enterprise hosts to embedded systems, where removable media and firmware parsing are often treated as low-friction trust boundaries. The PamStealer and Avalon stories round out the day by showing attackers continue to refine social-engineering execution chains: one leans on fake macOS software branding and password validation through PAM, while the other combines ISO/LNK staging, defense evasion, and ransomware delivery in a single modular framework.
Watchlist
Prioritize review of Linux 6.4+ and downstream Android kernel exposure for CVE-2026-46242, especially in environments where local users, browsers, containers, or multi-tenant workloads could turn a local flaw into broader compromise. Embedded-product owners should inventory whether FatFs is bundled anywhere in firmware, assess how update channels and removable media are handled, and look for vendor guidance beyond the lone upstream GPT-related fix. Public-sector and critical-infrastructure defenders should hunt for Armored Likho-style spearphishing, unexpected scheduled-task persistence, GitHub-hosted payload retrieval, and Go2Tunnel-like tunneling behavior. macOS administrators should block or monitor lookalike software distribution, Script Editor abuse, and suspicious AppleScript or JXA execution, while endpoint teams should tune detections for multi-stage phishing chains like Avalon that use ISO mounts, LNK launchers, MSBuild, and telemetry-reduction tactics before ransomware staging.