Honoring Juneteenth.
N2K CyberWire will be on a publishing hiatus tomorrow, June 19th, for the US Federal holiday of Juneteenth. We encourage you to subscribe to the Week that Was and Signals and Space for weekend briefings coverage.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.
N2K CyberWire will be on a publishing hiatus tomorrow, June 19th, for the US Federal holiday of Juneteenth. We encourage you to subscribe to the Week that Was and Signals and Space for weekend briefings coverage.
An international law enforcement operation supported by Europol and Eurojust cleansed nearly 15,000 WordPress websites that were infected with the SocGholish malware, BleepingComputer reports. The compromised sites were used by the Evil Corp cybercriminal gang to deliver additional strains of malware, often in support of ransomware attacks. The Netherlands's National High Tech Crime Unit (NHCTU) has notified affected website owners, and recommends that they change their login credentials, enable multi‑factor authentication, delete any unknown WordPress accounts, and keep their WordPress site up‑to‑date in the future.
The effort was led by the Dutch NHCTU, the US FBI, Canada's RCMP, and Germany's BKA. Proofpoint, which assisted in the operation, says the law enforcement action "will likely have a significant impact on TA569 operations, including disruptions to services, malware delivery, reputational and financial damage, and loss of customers."
What if the biggest risk in your environment is the access you've already granted?
During a recent conversation with SpecterOps CPO Justin Kohler, we explored how attackers turn trusted identities, permissions, and system relationships into pathways to critical assets. The challenge is that these pathways often emerge over time and remain hidden until they're exploited.
Read SpecterOps' State of Attack Path Management Report to better understand where identity attack paths exist, how organizations are addressing them, and what steps you can take to reduce exposure.
Separately, Dutch police have arrested six people between the ages of 15 and 30 who are suspected of involvement in helpdesk scams, the Register reports. The individuals allegedly set up a call center in an Amsterdam home and targeted users across the Netherlands. Notably, the police said the suspects sometimes sent crew members to victims' residences in person, impersonating bank employees to offer hands-on assistance with victims' accounts or to collect money or bank cards.
The police stated, "During the arrests, multiple data carriers, including laptops and phones, were seized. Several bank cards were also found. The further investigation is ongoing, and more arrests are not ruled out."
ESET has published a report on the EDR-killing toolset used by the Gentlemen ransomware-as-a-service (RaaS) operation, analyzing data leaked from the group in May 2026. Unlike most other RaaS operations, the Gentlemen group provides its own EDR killer to its affiliates for use in their attacks. ESET explains, "Gentlemen has chosen to centralize this function by offering affiliates a ready-to-use, standardized EDR-killer suite. This decision makes Gentlemen an attractive operator for affiliates as it materially lowers the entry barrier for them, making their job consequently easier. This model differs even from the few known exceptions in the ecosystem. In the case of RansomHub, the operators invested in a single EDR killer, EDRKillShifter, developed entirely in-house. Gentlemen, by contrast, maintains a diverse portfolio of EDR killers, blending original development (GentleKiller) with rapidly adapted third-party or publicly disclosed tooling (HexKiller, ThrottleBlood, and HavocKiller)."
Today's issue includes events affecting Canada, Germany, the Netherlands, and the United States.
Kodak Admits Data Breach After ShinyHunters Hack Claims (SecurityWeek) Kodak told SecurityWeek it believes there is no threat to its systems or operations as a result of the cybersecurity incident.
Hostile States Behind 75% of Cyber-Attacks on UK CNI, NCSC Warns (Infosecurity Magazine) Richard Horne, the NCSC CEO, said three-quarters of cyber-attacks targeting UK critical infrastructure came from nation-state actors
F5 issues out-of-band patches for critical NGINX vulnerabilities (BleepingComputer) Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow attackers to execute code on vulnerable systems.
EU grants Ukraine access to cybersecurity reserve for major attacks (The Record) As Kyiv takes steps toward formal accession to the EU, the bloc is integrating Ukraine with its pool of pre-approved cybersecurity incident response companies.
For a complete running list of events, please visit the Event Tracker.
CSA Agentic AI Security Summit 2026 (Virtual, USA, Jun 24 - 25, 2026) Coding agents are rewriting how software gets built. Orchestration harnesses are rewriting how work gets done. And underneath all of it, non-human identity is the trust fabric that determines what these systems are allowed to touch, chain together, and act on autonomously. Most organizations are adopting coding agents and harnesses right now, without a clear picture of the identity and access model being created in the process. Every agent spins up credentials. Every harness chains permissions. And without a coherent NHI strategy, that trust fabric becomes your largest unmanaged attack surface. CSA's free virtual Agentic AI Security Summit is where the security community comes to get ahead of this. Over two days, we'll work through the full agentic stack: how coding agents operate and authenticate, how harnesses like LangChain, CrewAI, and AutoGen chain access across systems, and how to build the NHI trust fabric that governs all of it safely. Sessions are grounded in real enterprise environments and focused on what you can act on now.
Black Hat USA (Las Vegas, Nevada, USA, Aug 1 - 6, 2026) The premier cybersecurity event of the year returns to Mandalay Bay with a re-engineered, six-day program built to ignite innovation, push boundaries, and bring the global security community together like never before. This year’s event features four days of immersive, expert-led Trainings (August 1–4), followed by Summit Day on Tuesday, August 4, and a two-day main conference packed with groundbreaking Briefings, open-source tool demos in Arsenal, a dynamic Business Hall, and unlimited learning & networking opportunities.
