Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More

Ravie LakshmananJun 22, 2026Cybersecurity / Hacking

It’s Monday again.

This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.

The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.

Here’s the Monday recap. Let’s get into the week’s mess.

⚡ Threat of the Week

FortiBleed Campaign Identifies Over 80K Targets — A large-scale campaign codenamed FortiBleed has systematically targeted and compromised Fortinet FortiGate firewall and SSL VPN gateway devices worldwide. According to SOCRadar, it has been running since at least February 2026, with over 80,000 devices identified with working usernames and passwords that have been tested by suspected Russian-speaking threat actors using automated tools running around the clock. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. Fortinet also said the campaign likely involves the threat actors reusing credentials from previous incidents, such as CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA).

• Salesforce Disables Klue App Integration After New Extortion Campaign — Salesforce revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026. “Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce,” the company said. “This issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform.” The development comes as an extortion group dubbed Icarus compromised and exfiltrated data from customers of Klue after obtaining access through a compromised legacy credential associated with an integration service. A number of companies have publicly acknowledged the incident, but noted the impact is limited.
• The Gentlemen RaaS Develops GentleKiller EDR Killer Suite — The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for shutting down endpoint detection and response (EDR) products before deploying the encryptor. The centerpiece of the group’s EDR-disabling capability is GentleKiller, an…