================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Thursday, June 18, 2026 - 12:04 PM EDT
================================================================

Operation Endgame gutted the SocGholish fake-update network while ransomware crews sharpened their own endpoint-killing tools and a USB-borne crypto-clipper spread across Windows.

CONTENTS: Emerging Trends and Key Updates | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

EMERGING TRENDS AND KEY UPDATES
----------------------------------------------------------------

* [TREND] Attackers weaponize AI from both sides, with one malware author padding spyware with forbidden nuclear text to derail AI analysis as a USB-spreading crypto-clipper polls a Tor C2.
  see: Malware Embeds Forbidden Text to Block AI Analysis; Windows Crypto-Clipper Spreads Over USB With Tor C2

* [TREND] The Gentlemen ransomware-as-a-service gang now builds GentleKiller for affiliates, a toolkit that disables more than 400 security processes before encryption and halted Australia's Mackay Sugar.
  see: Gentlemen RaaS Arms Affiliates and Halts Mackay Sugar

* [UPDATE (new)] Operation Endgame, led by the Dutch National Police, seized 106 servers and cleaned nearly 15,000 WordPress sites tied to the Evil Corp-linked SocGholish fake-update botnet.
  see: Operation Endgame Dismantles SocGholish and Evil Corp Infrastructure

* [UPDATE (new)] F5 shipped out-of-band NGINX patches for critical remote-code-execution bugs while a Klue OAuth breach fed Icarus actors stealing Salesforce CRM data in an extortion campaign.
  see: F5 Ships Out-of-Band Patches for Critical NGINX Flaws; Klue OAuth Breach Feeds Icarus Salesforce Theft

* [UPDATE (new)] Trump signed a memorandum with Iran at the G7 summit, pledging to release frozen funds and ease sanctions as the U.S. Navy let ships reach Iranian ports.
  see: U.S. and Iran Sign Deal, Funds and Ships Move

* [TREND] Reading dwells on an AI reckoning, with Zitron reporting OpenAI's losses grew nearly eightfold to $34 billion in spending while Newport argues AI merely exposes already-broken knowledge work.
  see: Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion; AI Isn’t Breaking Work. It’s Already Broken.

SECURITY
----------------------------------------------------------------

1. WINDOWS CRYPTO-CLIPPER SPREADS OVER USB WITH TOR C2
   Ransomware and Cybercrime · [malware, cryptocurrency]
   Latest developments: Microsoft's Defender team detailed a Windows cryptocurrency clipper running since February 2026 that propagates through USB LNK worms and polls a Tor hidden-service for commands, while Check Point traced a parallel clipper promoted through paid posts on legitimate news sites, fake VirusTotal comments, and AI-generated narrators. Clippers silently swap a victim's copied wallet address for the attacker's, rerouting cryptocurrency payments, and this strain adds worm-like spread and a lightweight backdoor for persistent access. Users should verify pasted wallet addresses and block unknown USB devices.
   - The Hacker News: https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
   - Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
   - The Hacker News: https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html

2. OPERATION ENDGAME DISMANTLES SOCGHOLISH AND EVIL CORP INFRASTRUCTURE
   Ransomware and Cybercrime · [takedown, malware, botnet]
   Latest developments: The Operation Endgame coalition, led by the Dutch National Police, seized 106 servers and domains and cleaned nearly 15,000 compromised WordPress sites that the Evil Corp-linked SocGholish botnet had turned into fake-software-update lures. SocGholish delivers malware by pushing bogus browser and software update prompts on hacked websites, feeding follow-on access to Russia's Evil Corp cybercrime group. Site owners should confirm their WordPress installs are clean and patched.
   - Help Net Security: https://www.helpnetsecurity.com/2026/06/18/law-enforcement-socgholish-operation-endgame/
   - BleepingComputer: https://www.bleepingcomputer.com/news/security/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites/

3. GENTLEMEN RAAS ARMS AFFILIATES AND HALTS MACKAY SUGAR
   Ransomware and Cybercrime · [ransomware, edr-killer]
   Latest developments: ESET exposed how the Gentlemen ransomware-as-a-service gang develops GentleKiller, an EDR-disabling toolkit that targets more than 400 security processes across 48 products and ships directly to affiliates, as Australian producer Mackay Sugar worked urgently to verify the gang's claim that it shut the company's harvesting and milling operations. Gentlemen breaks from the usual model by building and maintaining endpoint-killing tools in-house rather than leaving that to affiliates, raising the success rate of its encryptions. A May 2026 internal leak confirmed the arrangement and named the gang's leader.
   - Help Net Security: https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/
   - The Record: https://therecord.media/mackay-sugar-cyberattack-claimed-gentlemen

4. F5 SHIPS OUT-OF-BAND PATCHES FOR CRITICAL NGINX FLAWS
   Vulnerabilities and Exploits · [patch, rce, zero-day]
   Latest developments: F5 released out-of-band updates for multiple NGINX web server vulnerabilities, including two critical bugs that let remote, unauthenticated attackers force a restart and potentially execute arbitrary code. NGINX runs a large share of the world's web servers, so the flaws expose internet-facing infrastructure to remote takeover. Administrators should apply the emergency fixes immediately.
   - BleepingComputer: https://www.bleepingcomputer.com/news/security/f5-issues-out-of-band-patches-for-critical-nginx-vulnerabilities/
   - SecurityWeek: https://www.securityweek.com/f5-patches-critical-high-severity-nginx-vulnerabilities/

5. KLUE OAUTH BREACH FEEDS ICARUS SALESFORCE THEFT
   Data Breaches · [breach, extortion, oauth]
   Latest developments: Market intelligence platform Klue suffered an OAuth breach that let the Icarus threat actors steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign. Icarus abuses connected third-party OAuth integrations to reach customers' Salesforce instances and exfiltrate sales and customer records for extortion. Affected firms should review and revoke Klue's Salesforce OAuth tokens and audit connected-app access.
   - BleepingComputer: https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/

6. MALWARE EMBEDS FORBIDDEN TEXT TO BLOCK AI ANALYSIS
   AI Security · [malware, evasion]
   Latest developments: A malware developer began padding spyware with text about nuclear and biological weapons, hidden inside a large JavaScript block comment, to trip automated AI safety policies and stop AI tools from analyzing the code. The fake policy-triggering content sits in a comment the runtime skips, with the real payload following in a try-eval wrapper, so the trick foils AI analysis without breaking execution. It signals attackers adapting to defenders' growing reliance on AI-driven reverse engineering.
   - Schneier on Security: https://www.schneier.com/blog/archives/2026/06/embedding-forbidden-text-in-spyware-to-discourage-ai-analysis.html

BUSINESS AND POLITICS
----------------------------------------------------------------

* U.S. and Iran Sign Deal, Funds and Ships Move
  Latest developments: Trump signed the memorandum of understanding with Iran at the G7 summit Thursday, pledged to release Tehran's frozen funds and ease banking and transport sanctions, and the U.S. Navy let more than a dozen ships pass to Iranian ports, lifting the blockade. The accord halts the U.S.-Iran war and reopens the Strait of Hormuz in exchange for sanctions relief while leaving Iran's ballistic missiles and militias untouched; oil extended its losses as Hormuz traffic resumed, and U.S. pump prices slipped below $4 a gallon for the first time since March. Shipping executives warn the deal's language could let Tehran impose Hormuz transit fees after 60 days.
  - FT: https://www.ft.com/content/d4f89b6b-c213-4550-924b-a9ae45e24c37
  - WSJ: https://www.wsj.com/world/middle-east/trumps-deal-sidesteps-key-reasons-he-went-to-war-with-iran-6820b1b4
  - WSJ: https://www.wsj.com/finance/commodities-futures/oil-falls-on-prospects-of-fast-reopening-of-strait-of-hormuz-ce60a695?mod=rss_markets_main

PITTSBURGH
----------------------------------------------------------------

Weather: This Afternoon: Mostly Sunny, high 82F. Tonight: Mostly Cloudy, low 58F. Juneteenth: Mostly Sunny, high 78F.

Business:

* Kraft Heinz Reshapes Global Operations
  Latest developments: Kraft Heinz, the Pittsburgh- and Chicago-headquartered food maker, shook up its global operating structure Thursday, the latest step in its continued corporate maneuvering. Kraft Heinz, the maker of Heinz ketchup and Kraft cheese and one of Pittsburgh's largest companies, reorganized how it runs its global business, a move watched closely by the region for its bearing on local jobs and headquarters operations.
  - Pittsburgh Post-Gazette: https://www.post-gazette.com/business/pittsburgh-company-news/2026/06/18/kraft-heinz-global-operating-structure/stories/202606180054

* Roaring Run Campers Sue Over Voided Memberships
  Latest developments: Campers who bought lifetime memberships at the Roaring Run Resort in the Laurel Highlands filed a flurry of lawsuits after new owners voided the agreements and ordered them to vacate. The campers are suing both the previous and current owners of the Roaring Run Resort campground, seeking to be made whole after the lifetime memberships they had purchased went unhonored when the property changed hands.
  - KDKA: https://www.cbsnews.com/pittsburgh/news/roaring-run-campers-take-owners-to-court/

Around town:

* New Bus Service for the Waterfront
  Latest developments: Pittsburgh Regional Transit will add new bus routes and stops serving the Waterfront shopping center in Homestead. The expanded service gives shoppers and workers new ways to reach the sprawling Waterfront retail complex along the Monongahela River, which long lacked direct transit access.
  - WPXI: https://www.wpxi.com/news/local/new-bus-routes-stops-coming-waterfront-shopping-center/CDCD7ALZIZEZ5PRT7ZLINHG6MM/

* PennDOT Guards New Bridge During Demolition
  Latest developments: PennDOT detailed the safeguards protecting the new Commercial Street bridge while crews demolish the old span during the ongoing Parkway East closure. PennDOT officials say multiple measures will keep construction work from damaging the freshly built bridge as the old structure comes down, the latest disruption from the Parkway East closure in Pittsburgh.
  - WTAE: https://www.wtae.com/article/penndot-protects-new-commercial-street-bridge-pittsburgh/71625002

* Veterans Breakfast Club Lands a Home
  Latest developments: The Veterans Breakfast Club opened its first physical location, at the Phase Four Learning Center in Pittsburgh's Shadyside neighborhood. The nonprofit, known for hosting storytelling gatherings where veterans share their experiences, secured a permanent base after years without one.
  - WPXI: https://www.wpxi.com/news/local/veterans-breakfast-club-gets-first-physical-location-shadyside/DL7YV344ANAZJG3X3LHFLCKYVE/

SPORTS
----------------------------------------------------------------

Pirates (38-37)
  Wed Jun 17 · Pirates 12 · Athletics 4 · Final
  Ryan O'Hearn knocks in career-high 6 runs as Pirates roll to 12-4 victory over Athletics
  https://plaintextsports.com/mlb/2026-06-17/pit-ath
  Up Next · Pirates @ Rockies · Fri Jun 19, 8:40 PM
  https://plaintextsports.com/mlb/2026-06-19/pit-col

Around the Teams:

* Darnell Washington Lands Extension
  Latest developments: Steelers tight end Darnell Washington signed a four-year, $42 million extension and joined Not Just Football with Cam Heyward to talk through the deal and the season ahead. Washington, who came to Pittsburgh as a blocking tight end with breakout upside, locked in long-term money and discussed his expanded role on the podcast hosted by teammate Cam Heyward.
  - Not Just Football with Cam Heyward: https://www.youtube.com/watch?v=bI9k0IEdvzA

READING
----------------------------------------------------------------

* Stratechery -- An Interview with Michael Morton About E-Commerce in the Age of AI
  Ben Thompson interviews Michael Morton on how AI reshapes e-commerce, working through unfalsifiable bear cases, distribution versus referral models, grocery, and autonomous vehicles.
  https://stratechery.com/2026/an-interview-with-michael-morton-about-e-commerce-in-the-age-of-ai/

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
  Zitron reports OpenAI's losses grew nearly eightfold in 2025 as spending reached $34 billion, arguing the company has no path to profitability.
  https://www.wheresyoured.at/exclusive-openai-financials/

* Cal Newport -- AI Isn’t Breaking Work. It’s Already Broken.
  Responding to a Financial Times interview with the Work AI Institute's Rebecca Hinds and a survey of 6,000 digital workers, Newport argues AI exposes dysfunction already baked into knowledge work rather than creating it.
  https://calnewport.com/ai-isnt-breaking-work-its-already-broken/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------

S&P 500      7,462.30  ▲ +0.8%
Dow         51,442.85  ▲ +1.3%
Nasdaq      26,156.09  ▲ +1.1%
WTI crude       81.24  ▼ -10.4%
EUR/USD        1.1584  ▲ +0.2%
GBP/USD        1.3414  ▲ +0.3%
USD/JPY        160.25  ▲ +0.1%

================================================================
Generated 2026-06-18 12:04 EDT. Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN. Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================