ThreatBrief AI

Daily Cyber Digest - July 5, 2026

July 5 digest covering ColdFusion exploitation, tax-themed DcRAT phishing, air-gap exfiltration research, QuimaRAT MaaS, and an Opera GX browser flaw.

+ +

Published

July 06, 2026

Item Count

5 items

TLP Protocol

TLP:clear

Briefing Items

01

Rank #1 · vulnerability · critical · medium confidence

BleepingComputer

ColdFusion exploitation follows maximum-severity patch disclosure

BleepingComputer reported that attackers are exploiting CVE-2026-48282, a maximum-severity Adobe ColdFusion vulnerability, and cited KEVIntel telemetry indicating exploitation soon after public disclosure.

Public-facing ColdFusion servers are a recurring intrusion path, so rapid exploitation compresses patch windows and raises the priority for emergency update verification and exposure reduction.

02

#2 · malware · high

The Hacker News

China-nexus campaign impersonates Indian tax filing workflows to deploy DcRAT

The Hacker News summarized Seqrite Labs reporting on Operation DragonReturn, a campaign using tax-themed spear-phishing and a fake Indian income-tax utility to sideload DcRAT against taxpayers, tax professionals, and finance teams.

The lure aligns with a real filing season and business process, making user reporting, attachment handling, and finance-team endpoint controls especially important.

03

#3 · research · medium

The Hacker News

TrojPix research shows high-speed air-gap exfiltration through video-cable emissions

The Hacker News reported Shandong University research describing TrojPix, a covert channel that modulates pixels so copper video cables radiate data, reaching 8.1 Mbps in lab testing after malware is already present.

Air-gapped environments still depend on endpoint integrity and physical-channel controls; the research reinforces the need for malware prevention, cable shielding, and fiber or TEMPEST-grade mitigations where sensitivity warrants it.

04

#4 · malware · high

The Hacker News

QuimaRAT malware-as-a-service targets Windows, Linux, and macOS

The Hacker News reported LevelBlue analysis of QuimaRAT, a Java-based cross-platform RAT sold as malware-as-a-service with encrypted plugins, OS-specific persistence, and loader support for staged delivery.

Cross-platform MaaS tooling can pressure mixed Windows, Linux, and macOS fleets at once, so defenders should align endpoint telemetry, persistence checks, and download-chain detections across operating systems.

05

#5 · vulnerability · high

The Hacker News

Opera GX fixes silent mod-install flaw that enabled CSS-based data leakage

The Hacker News reported that Opera patched an Opera GX flaw that let a malicious site silently install a GX Mod and use CSS behavior to extract data from pages a victim later visited, with no evidence of in-the-wild exploitation reported by Opera.

Browser customization features can become cross-site data exposure surfaces; managed-browser programs should verify versions and restrict unapproved extension or mod installation paths.

Executive snapshot

The July 5 digest uses fresh source material published within the 48-hour freshness window and emphasizes issues defenders can act on immediately: emergency patching, phishing controls, cross-platform malware monitoring, browser hardening, and air-gap assumptions. The strongest signal is that enterprise-facing platforms and user-facing workflows remain compressed into short response windows, whether through ColdFusion exploitation, tax-themed phishing, or silent browser customization behavior.

Notable items

ColdFusion leads the vulnerability queue because public exploitation reporting followed a maximum-severity disclosure, making exposed server inventory and patch confirmation urgent. Operation DragonReturn shows how attackers continue to borrow real administrative workflows, in this case Indian tax filing, to make phishing lures plausible for taxpayers, tax professionals, and finance teams. TrojPix is a research item rather than a live intrusion report, but its lab performance is a reminder that air gaps depend on endpoint cleanliness and physical emissions controls, not network separation alone. QuimaRAT adds a malware-as-a-service angle with Java-based cross-platform reach and plugin-driven capability expansion, while the Opera GX flaw shows how browser features marketed as customization can cross into silent installation and data-exposure risk if approval boundaries are weak.

Watchlist

Confirm whether externally reachable ColdFusion servers are updated and review logs for suspicious activity around the disclosure window. Finance, tax, and government-adjacent teams should refresh phishing detections for fake filing utilities, archive downloads, DLL side-loading, and remote-access tooling. Endpoint teams should align detections for Java-based RAT behavior, OS-specific persistence, browser-cache delivery, suspicious scheduled tasks, and cross-platform command-and-control rotation. Browser administrators should verify Opera GX versions and restrict unapproved mod or extension installation. Operators of air-gapped or high-side systems should treat TrojPix as a control-review prompt: prevent malware introduction first, then consider copper-video-cable shielding, physical separation, or fiber where the data sensitivity justifies it.