OS Weekly: A Ransomware Access Broker, Stolen OAuth Tokens & the Human Factor in Security

This week’s stories share a theme: the fundamentals — access hygiene, token rotation, and security awareness — are still where most breaches start and stop. From a backdoor built to be handed off to ransomware crews to a guilty plea from one of the most notorious hacking crews in recent memory, here’s what cybersecurity professionals and aspiring practitioners need to know from June 22–28, 2026.

Stealthy “Mistic” Backdoor Linked to Ransomware Access Broker KongTuke

Researchers have uncovered a new backdoor, dubbed Mistic, being used in financially motivated attacks against organizations in insurance, education, IT, and professional services. The malware has been tied to KongTuke, a known ransomware access broker — meaning Mistic’s job is likely to establish a foothold that gets sold or handed off for a follow-on ransomware deployment.

The spread across such different industries is the real warning sign: access brokers sell footholds wherever they can get them, so no sector is small or "boring" enough to assume it isn't a target. The business model also defines the defender's window. The time between Mistic landing and the foothold being handed to a ransomware crew is when a new persistence mechanism or an unfamiliar outbound connection is still the whole incident, and catching it there is far cheaper than responding to the encryption that follows. Layered defenses, regular security assessments, and employee training remain the practical countermeasures against access-broker tactics like this.

Read more: Stealthy Mistic backdoor linked to ransomware access broker KongTuke


Less copy-paste, more pwn-and-ship. I’ve been wiring up my cyber + creator stack with Make (visual automation), and it quietly replaced a bunch of brittle glue scripts.

Flows I actually run:

  • CVE feed → Notion DB + Telegram alert when CVSS ≥ 9
  • Log hits → IP/domain enrich (VirusTotal/Shodan) → Sheet + Slack ping
  • Threat-intel RSS → dedupe → daily digest
  • GitHub issues → label-based triage → notify once
  • Notion drafts → scheduled social/Telegram posts

If you build with APIs and webhooks, it’s worth a spin: Get Started @ Make.com

Heads-up: that’s my referral link (no extra cost). Use it if you want to support my work. And, as always, stick to authorized sources and respect TOS/rate limits.


Salesforce Attack Scope Widens as “Icarus” Leaks Stolen Data

The fallout from a breach at application vendor Klue continues to grow. Attackers obtained Klue’s OAuth tokens and used them to access and exfiltrate data directly from customers’ Salesforce accounts. As investigators dig further, the list of affected organizations keeps expanding.

This incident is a textbook case for why third-party app integrations deserve the same scrutiny as your own infrastructure. An OAuth token issued to a vendor's connected app is a long-lived credential that acts with whatever scopes and user permissions were granted at authorization time, and it never passes through your login flow: MFA on your user accounts does nothing against a token the attacker already holds. Cutting the access means revoking the app's tokens and re-authorizing with narrower scopes, not resetting user passwords. The practical takeaways are to audit connected apps and the scopes each one actually needs, to agree refresh-token lifetimes and rotation expectations with vendors, and to monitor API activity per app so that a new source network, a new object type, or an export-sized row count from a previously quiet integration gets noticed.
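The per-app monitoring described above, as an added example written for this edit (it is not code from Salesforce, Klue, or the reporting linked below): a baseline is built from a trusted window of a connected app's API activity, and new events are flagged when the app reads from a source network it has never used, touches an object it has never read, or returns far more rows than usual. The event schema, the app names, the /24 grouping of source addresses and the z-score threshold are all assumptions, and the sample records are constructed.

```python
"""
Baseline-and-deviation check for third-party (connected-app) API activity.

Added example for this newsletter item; not code from Salesforce, Klue, or
the linked reporting. The record schema and the sample events are constructed,
loosely modelled on the fields an API activity log exposes (app, acting user,
source IP, object read, rows returned).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class ApiEvent:
    app: str       # connected app the OAuth token was issued to (hypothetical names)
    user: str      # integration user the token acts as
    src_ip: str    # source address of the API call
    sobject: str   # object queried (Account, Contact, ...)
    rows: int      # rows returned by the call


def build_baseline(history):
    """Per-app profile from a trusted window: source /24s, objects read, row statistics."""
    by_app = defaultdict(list)
    for e in history:
        by_app[e.app].append(e)
    baseline = {}
    for app, evs in by_app.items():
        rows = [e.rows for e in evs]
        baseline[app] = {
            # grouping by /24 is a simplifying assumption; use ASN or vendor-published ranges if you have them
            "nets": {ip_network(e.src_ip + "/24", strict=False) for e in evs},
            "objects": {e.sobject for e in evs},
            "row_mean": mean(rows),
            "row_sd": pstdev(rows),
        }
    return baseline


def detect(events, baseline, z=3.0):
    """Return (event, reason) pairs for activity that deviates from the app's baseline."""
    findings = []
    for e in events:
        prof = baseline.get(e.app)
        if prof is None:
            findings.append((e, "unknown connected app (no baseline)"))
            continue
        reasons = []
        if not any(ip_address(e.src_ip) in net for net in prof["nets"]):
            reasons.append("new source network")
        if e.sobject not in prof["objects"]:
            reasons.append(f"object {e.sobject} never read before")
        # floor the standard deviation at 1 so a very stable app still gets a usable threshold
        threshold = prof["row_mean"] + z * max(prof["row_sd"], 1.0)
        if e.rows > threshold:
            reasons.append(f"rows {e.rows} > {threshold:.0f}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


# Constructed trusted window: one vendor integration, one source /24, two objects, modest row counts.
HISTORY = [
    ApiEvent("vendor-app-a", "integration@corp.example", "203.0.113.21", "Account", 220),
    ApiEvent("vendor-app-a", "integration@corp.example", "203.0.113.21", "Opportunity", 250),
    ApiEvent("vendor-app-a", "integration@corp.example", "203.0.113.22", "Account", 300),
    ApiEvent("vendor-app-a", "integration@corp.example", "203.0.113.22", "Opportunity", 280),
    ApiEvent("vendor-app-a", "integration@corp.example", "203.0.113.21", "Account", 260),
    ApiEvent("vendor-app-a", "integration@corp.example", "203.0.113.23", "Opportunity", 310),
]

# Constructed new activity: one routine call, one export-sized pull of a new object from a
# new network using the same token, and one app nobody has baselined.
NEW = [
    ApiEvent("vendor-app-a", "integration@corp.example", "203.0.113.21", "Account", 290),
    ApiEvent("vendor-app-a", "integration@corp.example", "198.51.100.7", "Contact", 25000),
    ApiEvent("unknown-app", "integration@corp.example", "198.51.100.9", "Lead", 50),
]


def run_demo():
    return detect(NEW, build_baseline(HISTORY))


if __name__ == "__main__":
    for ev, why in run_demo():
        print(f"{ev.app:14} {ev.src_ip:15} {ev.sobject:12} {ev.rows:>6}  {why}")
```

The routine call passes; the second event trips all three checks at once, which is the shape of the Klue-style abuse described here, and the third is flagged simply because no one baselined it. In production the history would come from the platform's API event logs rather than a list, and the threshold needs tuning per app, but the response is the same either way: revoke the app's tokens first, then investigate, because nothing on the user-login side will stop the token.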

Read more: Scope of Salesforce Attacks Expands as Icarus Leaks Data

817 Structured Cybersecurity Skills — Built for AI Agents

A new open-source GitHub project, Anthropic-Cybersecurity-Skills, compiles 817 structured cybersecurity skills designed specifically for AI agents to use. It’s an ambitious attempt to formalize security knowledge into something AI tooling can act on directly, whether for SOC automation, training, or agentic security workflows.

So far, community engagement has been limited, a reminder that even useful technical resources need promotion and active feedback loops to gain traction. If you work at the intersection of AI and security, the repository is worth a look, and worth contributing to if you find gaps. One caveat before wiring any of it into an agent that can act on production systems: skill definitions are instructions the model will follow, so review them as you would third-party code, and keep the agent's own permissions to the minimum each skill needs.

Read more: 817 Structured Cybersecurity Skills, Built for AI Agents


For blue teamers, builders, and late-night tinkerers: I curated a lean, no-fluff stack on Kit to automate the boring bits, spin up clean landing pages, design faster, share your kit, and tighten ops. These are tools I actually use or have tested — handy for labs, content pipelines, and shipping side projects.

Browse it, borrow what helps, ignore the rest. No paywall, no hype — just signal.

Explore the stack →

FYI: Some links are affiliate/referrals (no extra cost). Not financial advice; investing involves risk. Use what serves you.


The Human Factor: Why Security Best Practices Break Down in Real Life

Cisco Talos published a thoughtful piece this week on why simple, well-documented security guidance so often fails in practice. Drawing a comparison to human irrationality in storytelling, the article makes the case that the gap between “the policy” and “what actually happens” comes down to everyday pressure, distraction, and human unpredictability — not a lack of good documentation.

For anyone building security programs, the implication is clear: controls and policies need to account for human behavior as it actually is, not as we’d like it to be. Frictionless, forgiving security design beats a perfect policy that nobody follows under pressure.

Read more: Close Encounters of the Human Kind

DoJ Seizes Cloud Account Tied to Cyber Scam Money Laundering

The U.S. Department of Justice seized a cloud computing account used by subsidiaries of the Cambodia-based HuiOne Group, in a coordinated action alongside new Treasury sanctions against nine individuals and 26 entities connected to Prince Group. The subsidiaries are accused of helping launder proceeds from cyber scam operations.

This kind of cross-agency action — DoJ enforcement paired with Treasury sanctions — reflects a broader, more coordinated approach by U.S. authorities to disrupt the financial infrastructure behind cybercrime, not just the technical infrastructure.

Read more: DoJ Seizes HuiOne Cloud Account Tied to Cyber Scam Money Laundering

Scattered Spider Members Plead Guilty on Day One of Trial

Two men connected to the notorious Scattered Spider hacking group pleaded guilty on the first day of a trial that had been expected to run six weeks, in connection with the 2024 cyberattack that disrupted Transport for London. The early plea significantly shortens what was set up to be a lengthy legal proceeding.

The case is a reminder that even well-resourced, sophisticated threat actors aren’t untouchable — law enforcement’s ability to build and prosecute cybercrime cases has continued to mature, and that matters as a deterrent.

Read more: Scattered Spider Hackers Plead Guilty on Day 1 of Trial

Signal’s Meredith Whittaker: “AI Chatbots Are Not Your Friends”

In a widely discussed TechCrunch interview, Signal’s Meredith Whittaker cautioned against anthropomorphizing AI chatbots, emphasizing that these systems simulate conversational warmth without any underlying consciousness or genuine understanding.

For security professionals, this isn’t just a philosophical point — emotional over-trust in AI tools is itself a risk surface, particularly as chatbots get embedded deeper into customer service, internal tooling, and even security operations. Healthy skepticism about what these systems actually are (and aren’t) should be part of any organization’s AI governance conversation.

Read more: Signal’s Meredith Whittaker Wants You to Remember That AI Chatbots Are Not Your Friends


That’s the week. From a backdoor built to be handed off to ransomware operators to a courtroom outcome years in the making, the throughline is the same: attackers keep finding new angles on old weaknesses, and the best defense is still curiosity, vigilance, and a willingness to keep learning.

💡 Want to lead with clarity in the AI era? If you’re aiming to lead a security team, break into cybersecurity, or operate with greater speed and confidence, this is the toolkit you’ve been missing: 🔗 Cybersecurity Leadership OS: Battle-Tested Mental Models for Clarity, Speed & Command

Follow CyberShield for more weekly breakdowns built for the next generation of security professionals.
