SITREP - Independent OSINT Channel

AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.

📈 Analytics for the Telegram channel SITREP - Independent OSINT Channel

SITREP - Independent OSINT Channel (@sitreports) is an active channel in the English-language segment. The community currently has 23,428 subscribers and ranks 5,736th in the Technologies & Applications category and 1,715th in the USA region.

📊 Audience metrics and dynamics

Since its launch (start date not recorded), the project has grown quickly to 23,428 subscribers.

According to the latest data as of 29 June 2026, the channel shows stable activity. The subscriber count changed by -38 over the last 30 days and by 2 over the last 24 hours, while overall reach remains high.

  • Verification status: Not verified
  • Engagement (ER): Average audience engagement is 15.55%. In the first 24 hours after publication, a post typically gathers reactions equal to 1.93% of the total subscriber count.
  • Post reach: Each post is viewed 3,644 times on average; 453 views are typically collected within the first day.
  • Reactions and interaction: The audience is active: each post receives an average of 0 reactions.
  • Thematic focus: Content centres on key topics such as narrative, attack, infrastructure, threat, and credential.

📝 Description and content policy

The author describes the resource as a space for expressing personal opinion:
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.

Thanks to a high update frequency (latest data retrieved on 30 June 2026), the channel stays consistently current and far-reaching. The analytics show that the audience engages actively with the content, making the channel an important point of influence in the Technologies & Applications category.

Subscribers: 23,428 (+2 in the last 24 hours, -27 in the last 7 days, -38 in the last 30 days)
Subscriber growth by month (net growth, and the number of channels that mentioned SITREP that month):

Month      Growth   Mentioned in
June '26   +154     2 channels
May '26    +48      6 channels
April '26  +113     14 channels
March '26  +380     6 channels
Feb '26    +121     1 channel
Jan '26    +143     1 channel
Dec '25    +90      4 channels
Nov '25    +92      1 channel
Oct '25    +43      2 channels
Sep '25    +22      1 channel
Aug '25    +14      2 channels
July '25   +136     2 channels
June '25   +186     5 channels
May '25    +28      6 channels
April '25  +13      6 channels
March '25  +13      5 channels
Feb '25    +11      9 channels
Jan '25    +11      3 channels
Dec '24    +62      5 channels
Nov '24    +128     32 channels
Oct '24    +45      1 channel
Sep '24    +93      8 channels
Aug '24    +1,524   67 channels
July '24   +478     54 channels
June '24   +984     76 channels
May '24    +1,380   80 channels
April '24  +1,274   64 channels
March '24  +1,674   74 channels
Feb '24    +1,629   80 channels
Jan '24    +1,576   67 channels
Dec '23    +1,932   63 channels
Nov '23    +1,211   75 channels
Oct '23    +1,367   60 channels
Sep '23    +1,173   0 channels
Aug '23    +985     0 channels
July '23   +597     0 channels
June '23   +1,518   0 channels
May '23    +1,048   0 channels
April '23  +1,017   0 channels
March '23  +675     0 channels
Feb '23    +1,080   0 channels
Jan '23    +2,476   0 channels
Dec '22    +4,174   0 channels
Nov '22    +5,621   0 channels
Daily subscriber growth, June 2026 (date, growth):

30 June  +1
29 June  +2
28 June  +3
27 June  +1
26 June  0
25 June  +2
24 June  +1
23 June  +1
22 June  0
21 June  0
20 June  0
19 June  +3
18 June  +3
17 June  +4
16 June  +1
15 June  +10
14 June  0
13 June  +1
12 June  0
11 June  +4
10 June  +5
09 June  +7
08 June  0
07 June  +1
06 June  0
05 June  +1
04 June  +1
03 June  +14
02 June  +65
01 June  +23
Channel posts
🔍 Splunk Secure Gateway RCE Exposes Low-Privilege Path to Host Command Execution
CVE-2026-20251 affects Splunk Secure Gateway and lets an authenticated low-privileged user execute arbitrary OS commands on the underlying host. The flaw sits in Splunk Secure Gateway alert processing, where KV Store data from the mobile_alerts collection can bypass validation and reach jsonpickle deserialization. Fixed versions include 3.8.67, 3.9.20, 3.10.6, and patched Splunk Enterprise branches. Operationally, this turns routine app-level access into code execution as the Splunk service account, without admin privileges. The issue also highlights a recurring failure pattern: unsafe deserialization combined with validators that stop at the first trusted key instead of fully traversing nested data.
🛰️ Open sources - closed narratives @sitreports

🔫 Anonymous researcher publishes multi-vendor 0-day repo
An anonymous researcher using the handle bikini reportedly released a now-removed GitHub repository, exploitarium, containing claimed working exploits and write-ups for zero-days affecting 15 products, including libssh2, Gitea, OpenVPN, VLC and Splunk. Two flaws are already assessed as actively exploited: CVE-2026-55200 in libssh2 and CVE-2026-20896 affecting self-hosted Gitea Docker deployments. The immediate significance is reduced attacker lead time. For libssh2, a fix is merged but not yet released; for Gitea, patched versions are available. Even with the original repo removed, public exploit release shifts exposure from theoretical to operational, especially where defenders have not yet patched or deployed detections.
🛰️ Open sources - closed narratives @sitreports

🔍 Oracle E-Business flaw moves from patch cycle to active exploitation
Attackers are actively exploiting CVE-2026-46817, a critical Oracle E-Business Suite vulnerability in the Oracle Payments File Transmission component. The flaw allows unauthenticated takeover over HTTP with low attack complexity. Oracle patched it in May 2026, while Defused says exploitation attempts were observed over the weekend on Oracle E-Business honeypots. The case highlights a narrow but high-impact enterprise exposure set: Shadowserver tracks more than 450 Oracle EBS instances online. The immediate significance is not novelty, but patch latency on internet-facing financial application infrastructure.
🛰️ Open sources - closed narratives @sitreports

🔍 SimpleHelp auth bypass used to push new cross-platform stealer
Attackers are actively exploiting CVE-2026-48558 in SimpleHelp to create privileged technician access on internet-facing servers using OIDC, then deploy TaskWeaver and the previously undocumented Djinn Stealer. Blackpoint observed the chain in the wild; Djinn targets Windows, macOS, and Linux and harvests cloud, Git, SSH, package registry, browser, wallet, and AI tooling credentials. The significance is the access path: a compromised RMM instance becomes a trusted admin channel for file transfer and command execution across managed endpoints. Djinn’s collection of local MCP configs and AI assistant tokens extends the impact beyond user creds into downstream access to repos, cloud resources, databases, and internal APIs.
🛰️ Open sources - closed narratives @sitreports

🔍 U.S. posts $10M bounty on Russian-linked groups targeting Signal and WhatsApp
The U.S. Department of State is offering up to $10 million under the Rewards for Justice program for information on UNC5792 and UNC4221, two groups tied to Russian security and military services. U.S. officials say the actors ran phishing campaigns against Signal and WhatsApp users, including government and military personnel, and used fake support messages to steal Signal backup recovery keys. The case highlights a persistent access model built on social engineering rather than breaking platform encryption. The stated target set spans U.S. and NATO officials, journalists, NGOs, and researchers, indicating a broad intelligence collection effort focused on private communications.
🛰️ Open sources - closed narratives @sitreports

🔍 Mustang Panda shifts C2 to Zoho WorkDrive in India-targeted campaign
Researchers tracking Mustang Panda say the group used Zoho WorkDrive as a command channel in attacks targeting Indian government entities. The activity ties a known China-linked intrusion set to malware delivery and control infrastructure embedded in a legitimate cloud collaboration service. Using a trusted SaaS platform for C2 complicates detection, blends malicious traffic into normal enterprise workflows, and raises response costs for defended government networks. The tradecraft underscores continued reliance on living-off-trusted-services rather than bespoke infrastructure.
🛰️ Open sources - closed narratives @sitreports

🔍 DirtyClone opens another Linux kernel root path
DirtyClone (CVE-2026-43503) is a newly disclosed local privilege escalation flaw in the Linux kernel that lets an unprivileged user gain root by corrupting file-backed page-cache memory through cloned network packets. The issue stems from dropped skb safety metadata in __pskb_copy_fclone(), affecting a separate path in the DirtyFrag bug family and leaving no kernel logs or audit traces. Operationally, the flaw keeps partially patched systems exposed even after earlier DirtyFrag fixes. Debian, Ubuntu, and Fedora are named among affected distributions, with elevated risk in multi-tenant servers, Kubernetes nodes, and containerized environments where unprivileged user namespaces remain enabled.
🛰️ Open sources - closed narratives @sitreports

📡 Ukraine reports credential-theft campaign using fake support texts
Ukrainian authorities say Russian intelligence used social-engineering messages posing as technical support to steal credentials for messaging accounts. The operation relied on fraudulent prompts designed to capture login data and access user communications via messaging credentials rather than malware-heavy intrusion. The case underlines a low-cost access method with high intelligence value: compromise the account, bypass endpoint defenses, and exploit trusted channels already used for coordination. For defenders, the main signal is impersonated support contact targeting authentication workflows, not just suspicious files or links.
🛰️ Open sources - closed narratives @sitreports

🔍 FBI updates warning on Signal credential theft
The FBI and CISA say Russian intelligence-linked actors UNC5792 and UNC4221 have shifted from stealing SMS codes and PINs to extracting Signal Backup Recovery Keys. The phishing uses fake in-app support messages and can expose historical private and group chats while enabling long-term account takeover. The advisory states Signal itself was not breached; the operation abuses a legitimate backup feature through user compromise. The key point is persistence: a stolen recovery key remains valid until replaced, and creating a new account with the same number does not neutralize prior access.
🛰️ Open sources - closed narratives @sitreports

🔍 Pentagon sets 2030–2031 deadlines for post-quantum cryptography
The Pentagon’s Post-Quantum Cryptography Strategy labels cryptographically relevant quantum computers an existential threat to military operations. It orders all DOD systems to support PQC or be phased out by 31 Dec 2030, with PQC use mandated across all systems by 31 Dec 2031 unless exempted. The document frames quantum risk as a mission-wide issue spanning nuclear authorization, weapons platforms, command-and-control, and classified traffic across terrestrial, space, and RF networks. The core task is now inventorying vulnerable cryptography, prioritizing exposed systems, and accelerating patching and cryptographic agility at scale.
🛰️ Open sources - closed narratives @sitreports

🔍 LoaderClient shifts WeedHack C2 persistence onto Ethereum
LoaderClient, a Minecraft-themed malware loader disguised as a Fabric mod, is tied to the WeedHack campaign and has logged more than 116,000 unique host compromises since January 2026. The malware steals session credentials and OAuth tokens, pulls its active C2 URL from an Ethereum smart contract, verifies it with an embedded RSA key, and then deploys a memory-resident second stage. Technical details of LoaderClient also note JNIC obfuscation, DoH use, and disabled SSL validation. Using a public blockchain as a C2 anchor complicates domain takedowns and keeps infected hosts pointed at live infrastructure even after portal disruption. The combination of fileless execution, native-code obfuscation, and blockchain-based address resolution raises both detection costs and remediation time.
🛰️ Open sources - closed narratives @sitreports

🔍 Secure Boot trust rollover hits live deadline
Microsoft’s 2011 Secure Boot chain is expiring: the KEK CA 2011 expired on June 24, the UEFI CA 2011 expires June 27, and Windows Production PCA 2011 on October 19. Systems that do not adopt the 2023 replacements will keep booting, but lose future Secure Boot protections, including DB/DBX updates and newer boot-level mitigations across Windows and some Linux deployments. This is a trust-maintenance failure, not an immediate outage. The operational impact is a growing population of machines locked into static pre-boot policy, unable to receive new revocations or signing updates at the firmware layer where bootkits and persistence mechanisms are meant to be blocked.
🛰️ Open sources - closed narratives @sitreports

🔍 Python.org patched admin-level API bypass in release management system
A critical flaw in the Python.org release management API allowed an attacker to submit an admin username with any API key and gain full privileges. The bug had existed since 2014. Impact was limited to release and file metadata, including download URLs and Sigstore/PGP verification links. PSRT says no evidence of exploitation was found after log, database, and signature review. The issue maps directly to software supply chain exposure: attackers could not alter hosted binaries, but could have redirected users and automated systems to malicious downloads if verification controls failed or were skipped. Python deployed a fix within 48 hours and added stricter URL validation, HTTPS enforcement, and longer log retention.
🛰️ Open sources - closed narratives @sitreports

🔍 CISA adds exploited Cisco Unified CM flaw to KEV
CISA has added CVE-2026-20230 to the Known Exploited Vulnerabilities catalog. The SSRF bug affects Cisco Unified Communications Manager and Unified CM SME, allows unauthenticated remote file writes to the underlying OS, and can be leveraged for privilege escalation to root. Federal agencies were ordered to remediate by 28 June. The combination of no-auth access, file-write capability, and root escalation makes exposed voice infrastructure a high-value initial access point. For defenders, internet-facing Unified CM instances now move into priority patching and exposure-reduction queues.
🛰️ Open sources - closed narratives @sitreports

📡 Shai-Hulud campaign widens from npm to Go
Researchers tracking the Miasma/Mini Shai-Hulud activity say dozens of LeoPlatform and RStreams npm packages were compromised, while malicious code was also planted in a Verana Blockchain Go module. The campaign used a binding.gyp trigger in npm packages to launch obfuscated payloads via Bun, and hid scripts in editor and Claude-related project files to execute when a cloned repository is opened. The operational significance is cross-ecosystem reach and layered persistence. This is not limited to poisoned package installs: it targets developer workstations, CI/CD secrets, GitHub Actions, cloud credentials, SSH keys, Docker tokens, and Slack API keys, while using execution paths that can evade routine Node.js-focused monitoring.
🛰️ Open sources - closed narratives @sitreports

🔍 macOS.Gaslight Targets the Analyst, Not Just the Host
SentinelLabs identified macOS.Gaslight, a Rust-based macOS implant and infostealer linked to DPRK activity. The sample includes 38 fabricated system messages embedded as hostile prompt-like data, uses Telegram Bot API for C2, AES-GCM encryption, TLS pinning, LaunchAgent persistence, and a gated Python stealer for browser data, terminal history, processes, system profile, and login.keychain-db. The notable shift is tradecraft aimed at LLM-assisted triage itself: the malware tries to induce aborts, truncation, or false conclusions inside analyst workflows. Combined with token self-redaction, proxy awareness, and Telegram-based exfiltration, the sample shows a layered effort to reduce both automated and human visibility.
🛰️ Open sources - closed narratives @sitreports

🔍 TinyRCT expands CL-STA-1062 tradecraft in Southeast Asia
Throughout 2025, CL-STA-1062 targeted government and energy entities across Southeast Asia, compromising at least 10 organizations between September and December. Intrusions used vulnerable web apps and ASPX web shells, then mixed open-source tooling with the custom TinyRCT backdoor for command execution, reconnaissance, persistence, and file exfiltration. The operational shift is notable: the actor is no longer relying only on commodity utilities. TinyRCT adds a tailored access layer while loaders validate execution from the Downloads folder, payloads masquerade as PerfWatson2.exe, and persistence is hidden behind a Google Updater-like scheduled task, indicating deliberate defense evasion and longer retention on target networks.
🛰️ Open sources - closed narratives @sitreports

🔍 WinRAR flaw used to stage GIFTEDCROOK against Ukrainian targets
UAC-0226 is using a WinRAR ADS path traversal chain to deploy GIFTEDCROOK via archive extraction alone. The archive drops a shortcut into the Windows Startup folder and two obfuscated files into ProgramData, then launches a hidden PowerShell loader that decodes and reflectively injects the payload. Decoy content references Ukrainian reconnaissance and fiber-optic drones. The key shift is reduced user interaction and lower disk visibility. Persistence is established during extraction, execution is delayed until login, and the payload is rebuilt in memory as a headerless image. The malware targets browser credentials, cookies, local state data, documents, OpenVPN profiles, KeePass databases, Java KeyStores, and email archives.
🛰️ Open sources - closed narratives @sitreports

🔍 Google maps Turla STOCKSTAY activity in Ukraine
Google says the Russia-linked Turla group used a new backdoor, STOCKSTAY, in espionage operations targeting Ukraine. The report identifies the malware as part of an active intrusion set tied to Turla, a long-established state-linked actor known for stealthy persistence and intelligence collection. The key significance is capability refresh, not attribution alone. A newly detailed Turla backdoor indicates continued adaptation in tooling for sustained access against Ukrainian targets, reinforcing that mature espionage actors are still investing in tailored malware despite years of public exposure.
🛰️ Open sources - closed narratives @sitreports

🔍 Agentic red-team platforms show systemic host-compromise paths
A peer-reviewed security analysis of 12 open-source agentic offensive platforms found 10 vulnerable to sandbox escape and host-level compromise, 11 exposing LLM API keys to exfiltration, and all 12 susceptible to unrestricted weaponization. Three tested tools reportedly operated without OS-level sandboxing, while a five-stage attack chain led from worker compromise to full operator-machine RCE. The core issue is architectural: guardrails were enforced at the orchestrator layer, while commands executed inside worker environments bypassed those controls. For defenders, the findings frame agentic red-team tooling itself as an attack surface requiring strict worker isolation, secret separation, and OS-level enforcement rather than prompt-layer policy checks.
🛰️ Open sources - closed narratives @sitreports