June 16, 2026 by sig9
Hacker Wars - June 16, 2026
Your daily dose of infosec chaos
Today’s roundup is a lovely mix of creative evasion techniques, Android malware that steals your PIN before breakfast, and a pharmaceutical giant allegedly getting its data exfiltrated. Also, the UK wants your face before you can doomscroll. Let’s dive in.
GhostTree Turns Windows Junctions Into An Endless Maze For Defenders
Researchers at Varonis uncovered a clever evasion technique called GhostTree that abuses recursive NTFS junctions on Windows to generate a practically infinite tree of valid file paths. When Microsoft Defender tries to scan these paths, it gets stuck chasing its own tail - never finishing, never detecting the malware hiding underneath. It’s like hiding a body in a building with infinite floors.
What to do: Monitor for unusual junction creation patterns and review Defender scan logs for incomplete or abnormally long scans. Varonis has published detection guidance.
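One way to hunt for such loops on disk, as an added example that is not from Varonis or this bulletin: it assumes a "recursive junction" is a junction or symlink whose target is its own directory or one of its ancestors, and the function names are hypothetical. POSIX symlinks are handled the same way so the check can be exercised off Windows.

```python
import os
import stat
import sys
from pathlib import Path

# Windows reparse-point attribute bit (junctions and symlinks both carry it).
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_link_or_junction(path: str) -> bool:
    """True for POSIX symlinks, Windows symlinks and NTFS junctions."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes exists only on Windows; junctions are not S_ISLNK there.
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE)


def find_recursive_links(root: str) -> list[tuple[str, str]]:
    """Return (link, target) pairs where the target is the link's own
    directory or one of its ancestors, so following it re-enters the tree."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        for name in list(dirnames):
            link = os.path.join(dirpath, name)
            if not is_link_or_junction(link):
                continue
            # Prune explicitly: older Pythons let os.walk descend into
            # junctions, which would trap this scanner in the same loop.
            dirnames.remove(name)
            try:
                target = Path(os.path.realpath(link))
            except OSError:
                continue  # unreadable link: cannot be classified
            parent = Path(os.path.realpath(dirpath))
            if target == parent or target in parent.parents:
                findings.append((link, str(target)))
    return findings


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for link, target in find_recursive_links(scan_root):
        print(f"recursive link: {link} -> {target}")
```

Links that point sideways or outside the scanned tree are not reported; only targets that sit on the link's own ancestor chain are.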
Rokarolla Android Trojan Wants Your PIN, Your SMS, And Your Crypto
Zimperium’s zLabs documented a new Android banking trojan called Rokarolla that targets 217 banking and crypto apps. It packs 137 remote commands and can steal lock-screen PINs, intercept SMS codes, and drain crypto wallets - essentially giving an operator full control of your phone. If your bank app is on its target list, consider yourself a person of interest.
What to do: Keep your Android device updated, avoid sideloading apps, and use hardware-based 2FA for banking and crypto accounts instead of SMS codes.
FulcrumSec Claims 1.3TB Data Heist From Novo Nordisk
Hack-and-leak group FulcrumSec claims to have exfiltrated 1.3 terabytes of data from pharmaceutical giant Novo Nordisk, the company behind blockbuster drugs like Ozempic. Details on the breach are still sparse, but if confirmed, this would be a massive hit to one of the world’s largest pharma companies. Healthcare and pharma remain prime targets for groups that know sensitive data equals leverage.
What to do: If your organization works with Novo Nordisk or shares supply chain connections, review third-party access and monitor for any data exposure. Expect more details to surface this week.
Lorem Ipsum Malware Campaign Pivots To ClickFix Delivery
The oddly-named “Lorem Ipsum” malware campaign has shifted tactics and is now using ClickFix - a social engineering technique that gets users to paste malicious commands into Windows Run dialogs. The campaign leverages compromised WordPress sites as delivery infrastructure, and researchers suspect ties to the Vice Society ransomware group. Apparently, even ransomware gangs are doing marketing rebrands these days.
What to do: Train users to recognize ClickFix prompts (usually fake error messages asking you to “fix” something by running a command). Block suspicious PowerShell execution paths and audit WordPress site security.
UK Social Media Face Scan Mandate Raises Privacy Alarm Bells
The UK government announced that starting spring 2027, anyone creating a social media account will need to prove they are over 16 via ID upload or facial age scan. Security researchers are already raising red flags: the age verification systems are trivially circumvented with VPNs and fake IDs, and storing biometric data from millions of users creates an irresistible honeypot for attackers. Solving child safety by creating the world’s largest face database - what could go wrong?
What to do: If you operate platforms with UK users, start planning for compliance requirements and consider the privacy implications of biometric data collection in your threat model.
Catch you tomorrow. In the meantime, go check your attack surface.