Full Report
Long foretold, the Great Patching has begun and it’s a doozy. Buckle in as Joe takes you through the story.
Analysis Summary
# Vulnerability: July 2026 AI-Accelerated "Great Patching" & UAT-11795 Campaign
## CVE Details
- **CVE ID:** Multiple (622 total identifiers)
- **CVSS Score:** Up to 10.0 (Critical)
- **CWE:** Not specified for the entire set, but includes zero-day vulnerabilities and authentication bypasses (RabbitMQ).
## Affected Systems
- **Products:**
- Microsoft Windows and related ecosystem
- RabbitMQ (Open-source message broker)
- Virtualization/Meeting Software (Trojanized installers for Webex, Zoom, MobaXterm)
- **Versions:**
- Various (July 2026 Patch Tuesday covers 622 flaws)
- RabbitMQ: Versions with open management endpoints
- **Configurations:** Systems running unofficial/third-party software installers; RabbitMQ instances with exposed management interfaces using OAuth.
## Vulnerability Description
This period marks a shift to AI-accelerated vulnerability research, resulting in a record-breaking 622 patches in a single month (surpassing all of 2018).
- **Microsoft Flaws:** 62 identified as Critical.
- **RabbitMQ:** A defect in the management endpoint improperly discloses the OAuth secret to unauthenticated users.
- **UAT-11795 Campaign:** While not a single software flaw, this adversary uses "ClickFix" social engineering and trojanized installers to deploy the **Starland RAT**. The malware utilizes AMSI and ETW bypasses and a blockchain-anchored fallback for C2 persistence.
## Exploitation
- **Status:** **Exploited in the wild.** (3 Zero-days reported; 2 confirmed active exploitation).
- **Complexity:** Low to Medium (social engineering and automated exploits).
- **Attack Vector:** Network (RabbitMQ/Microsoft) and Adjacent/User Interaction (UAT-11795 campaign).
## Impact
- **Confidentiality:** Critical (Theft of high-value credentials, cryptocurrency, and OAuth secrets).
- **Integrity:** High (In-memory execution and tampering with security providers like AMSI).
- **Availability:** High (Potential for widespread infrastructure disruption).
## Remediation
### Patches
- Apply **Microsoft July 2026 Patch Tuesday** updates immediately.
- Update **RabbitMQ** to versions patching the OAuth secret leak.
### Workarounds
- **Software Integrity:** Strictly prohibit the download of software from unofficial or third-party repositories.
- **Network Segmentation:** Isolate RabbitMQ management endpoints from the public internet.
- **User Education:** Train staff on "ClickFix" social engineering tactics.
## Detection
- **Indicators of Compromise (IOCs):**
- SHA256: `9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507` (Win.Worm.Coinminer)
- Execution of `mshta.exe` in unusual contexts.
- Unexpected PowerShell scripts running or creating scheduled tasks.
- **Detection Methods:**
- Monitor for AMSI tampering attempts.
- Use EDR/XDR tools to scan for in-memory PowerShell implants (WLDR agent).
- Audit account logs for "ARToken" Primary Refresh Token (PRT) abuse which bypasses MFA.
## References
- Cisco Talos Blog: [https://blog.talosintelligence[.]com/](https://blog.talosintelligence.com/)
- Microsoft July 2026 Advisory: [https://www.bleepingcomputer[.]com/news/microsoft/microsoft-july-2026-patch-tuesday-fixes-massive-570-flaws-3-zero-days/](https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2026-patch-tuesday-fixes-massive-570-flaws-3-zero-days/)
- UAT-11795 Campaign Details: [https://blog.talosintelligence[.]com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign](https://blog.talosintelligence.com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign)