// DEEPFALCON SECURITY SERVICE — DAILY THREAT INTELLIGENCE REPORT | JUNE 5, 2026

Coverage Period: June 5, 2026  |  Focus: Phishing Campaigns · Native Tool / LotL Abuse  |  Sources: Microsoft Security · CISA · Talos · Proofpoint · CyberSecurityNews · BleepingComputer · The Hacker News · SecurityWeek · FBI IC3

Tags: 🎣 Phishing Campaigns · 🔧 Native Tool Abuse · 🤖 AI-Enhanced Threats

Generated: 2026-06-05

Report Author: Manny Garcia

Companion: Daily Vulnerability Report (v1.3-DM)


Coverage-date counters:
> Critical Threats: 0
> High Threats: 0
> 🎣 Phishing: 0
> 🔧 LotL Abuse: 0
> 💼 BEC: 0
> IOCs Available (coverage date): 0
> Total Findings: 0
> Actors Identified: 0
Threat Landscape Summary — June 5, 2026

No new first-disclosure phishing or LotL findings for June 5, 2026. The surrounding days are, however, exceptionally active. The most significant near-term intelligence includes: TA4922 — a Chinese-speaking cybercrime group that has dramatically expanded global targeting into Europe and Africa, deploying a rapidly evolving malware arsenal (Atlas RAT, RomulusLoader, SilentRunLoader) across HR-themed, tax-authority, and business lure campaigns; Kali365 PhaaS — an FBI-warned platform that uses AI-generated lures and OAuth device code phishing to bypass MFA and achieve persistent M365 access without touching a password; and ChatGPhish — a confirmed vulnerability in ChatGPT's web summarization pipeline that allows attackers to inject live phishing links, QR codes, and tracking pixels directly into AI assistant responses.

The device code phishing ecosystem has surged 37x in 2026 with 18+ active kits in circulation — Kali365, EvilTokens, Tycoon2FA, and VENOM are all operating concurrently and targeting Microsoft 365 and Entra ID environments. All findings are fully documented in the Follow-Up Log below with IOCs, MITRE TTPs, and defensive actions. AI-enhanced threat analysis is available in the AI Spotlight and AI Briefing sections below.

> Coverage date findings: 0 (none qualifying)
> Articles searched / fetched: 20+ sources · 22 articles
> Prior-date exclusions: 7 findings excluded
> Follow-up items logged: 5 campaigns
> Highest-priority prior finding: TA4922 Global Expansion (Jun 4)
> AI-enhanced threats surfaced: 3 (ChatGPhish · Kali365 · TA4922)
> IOCs available (prior findings): Yes — TA4922 IOC table
> Top active PhaaS platforms: Kali365 · EvilTokens · Tycoon2FA
Detailed Findings — Sorted by Impact (Critical → High → Medium → Low)

No New First-Disclosure Findings for June 5, 2026

No qualifying Category A (Phishing Campaigns) or Category B (Native Tool / LotL Abuse) articles were first disclosed on June 5, 2026. The days immediately surrounding this date are highly active — see the Follow-Up Log below for full documentation of near-date findings including TA4922, Kali365, ChatGPhish, DriveSurge, and Tycoon2FA — all with IOCs and defensive actions. The AI Spotlight and AI Briefing sections below contain actionable intelligence on three confirmed AI-enhanced threats.

Category A: Phishing — 0 new findings · Category B: LotL Abuse — 0 new findings · Follow-Up Log: 5 prior campaigns, full IOCs · 🤖 AI Section: 3 AI-enhanced threats documented
MITRE ATT&CK TTP Consolidated View
Technique ID | Technique Name | Tactic | Observed In | Frequency
No TTPs recorded for the June 5, 2026 coverage date. See the Follow-Up Log for TTPs from near-date findings, including TA4922 (T1566.001, T1059.001, T1204.002, T1102, T1078.004) and Kali365 (T1528, T1078.004, T1621).
Campaign Summary Table
Campaign / Incident Name | Category | Threat Actor | Target Platform | Target Sector | Impact Level | IOCs | First Reported | Priority Action
No qualifying campaigns for coverage date June 5, 2026. See the Follow-Up Log below for near-date campaigns, including TA4922 (June 1–4), Kali365 (May 21–25), and ChatGPhish (May 29).
🤖 AI-Enhanced Threat Spotlight — AI-Enabled Phishing & Social Engineering

No AI-Enhanced Campaigns First Published June 5, 2026 — Three Prior-Date AI Threats Documented

The completeness sweep confirmed no AI-specific phishing or social engineering articles were first published on June 5, 2026. However, three significant AI-enhanced threat disclosures were encountered during the research sweep within the 7-day window permitted for AI briefing sections. These are documented below:

🤖 AI THREAT 1 — ChatGPhish (Permiso Security · Published May 29, 2026)
ChatGPhish — Prompt Injection Turns ChatGPT Web Summaries Into Live Phishing Delivery
Permiso Security researcher Andi Ahmeti disclosed a vulnerability class in ChatGPT's web rendering pipeline, named ChatGPhish, on May 29, 2026, after a vendor disclosure process with OpenAI that began April 29, 2026 and produced no fix. When a user asks ChatGPT to summarize a URL (natively, via the Firefox extension, or via the iOS share sheet), the model processes the page content, including any Markdown the attacker has embedded in it. ChatGPT's response renderer trusts Markdown links and image URLs that originate from the summarized page: images are fetched automatically, and links surface as live clickable elements inside the trusted chatgpt.com assistant UI. Three payloads were demonstrated: (1) phishing links styled identically to genuine ChatGPT output, rendered as clickable buttons that lead to credential-harvesting pages, fake system alerts, and QR codes; (2) data exfiltration via an auto-fetched 1x1 tracking pixel, which leaks the victim's IP address, User-Agent, Referer header, and a timestamp to an attacker-controlled host every time the response is rendered; (3) passive fingerprinting of everyone in the sharing chain when the victim shares the conversation with colleagues through ChatGPT's native share feature.
▶ AI Technique Used
Indirect prompt injection via LLM-trusted Markdown rendering: attacker-supplied content embedded in a third-party web page is ingested by the model as if it were legitimate page content, and the renderer then displays the injected links and images indistinguishably from a genuine assistant response. Browser origin checks offer no protection because the output is rendered under chatgpt.com in the user's authenticated session. OpenAI marked the initial report "Not Reproducible" (April 30), then "Duplicate" (May 1), before Permiso published publicly.
▶ Why AI Makes This Harder to Detect
Traditional phishing defences look for suspicious domains, malicious attachments, or spoofed senders. ChatGPhish sidesteps all three: the lure is rendered inside the legitimate chatgpt.com origin, in OpenAI's own visual style, and nothing is redirected or attached until the user clicks. Password managers give no warning because the fake alert sits inside the assistant rather than on a login page, and domain-reputation filters see only chatgpt.com until the click lands on the attacker's site.
▶ Defensive Actions
1. Instruct staff: never click links or scan QR codes presented inside an AI assistant response that claim to represent account alerts or security notifications — verify directly through the service's official app or website.
2. Prohibit the use of ChatGPT's "summarize this URL" feature for any URL sourced from an untrusted sender or unknown domain.
3. Security architects should treat all LLM-rendered output as untrusted — apply content sandboxing and sanitization of LLM-generated output before it reaches user interfaces in enterprise deployments.
4. Review web proxy logs for image and link fetches whose Referer is chatgpt.com but whose destination is an unknown or newly registered domain; the tracking-pixel payload produces exactly this pattern on every render.
MITRE TTPs: T1566.x (Phishing sub-techniques) · T1659 (Content Injection) · T1598 (Phishing for Information) · Reference: The Hacker News — May 29, 2026 · CyberSecurityNews — June 2, 2026
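Defensive action 3 above (sanitize LLM output before it reaches a user interface) is the one control an enterprise can deploy itself. The following is an added example, not Permiso's or OpenAI's code: it post-processes Markdown from a model before rendering, removing every image (so nothing is auto-fetched) and defanging any link whose host is not on an allowlist. The allowlist, the sample model output, and the example-phish.test domains are constructed for the example.

```python
"""Added example, not Permiso's or OpenAI's code: neutralise Markdown links and images
in model output before it reaches the UI, so content injected into a summarised page
cannot become an auto-fetched image or a clickable link. The allowlist and the sample
output below are assumptions constructed for the example."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Hosts whose links may stay clickable (assumption; an enterprise deployment would
# populate this from its own trusted-domain list).
ALLOWED_LINK_HOSTS = {"chatgpt.com", "openai.com"}

IMAGE_RE = re.compile(r"!\[([^\]]*)\]\(([^)\s]+)(?:\s+\"[^\"]*\")?\)")
HTML_IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
LINK_RE = re.compile(r"(?<!!)\[([^\]]*)\]\(([^)\s]+)(?:\s+\"[^\"]*\")?\)")
AUTOLINK_RE = re.compile(r"<(https?://[^>\s]+)>")


def _host_allowed(url: str) -> bool:
    """True only for http(s) URLs whose host is, or is under, an allowlisted host."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_LINK_HOSTS)


def _defang(url: str) -> str:
    """Make a URL visible but not clickable (same convention as the IOC tables)."""
    return url.replace("://", "[:]//").replace(".", "[.]")


def sanitize_markdown(text: str) -> tuple[str, list[str]]:
    """Return (safe_markdown, blocked_urls).

    Images are always removed: the renderer must never fetch a third-party URL on the
    user's behalf, which is what makes the tracking-pixel payload work. Links to hosts
    outside the allowlist are replaced with a defanged literal so the user can still
    see where the page wanted to send them.
    """
    blocked: list[str] = []

    def drop_image(m):
        blocked.append(m.group(2))
        return f"[image removed: {m.group(1) or 'untitled'}]"

    def drop_html_img(m):
        blocked.append(m.group(0))
        return "[image removed]"

    def defang_link(m):
        label, url = m.group(1), m.group(2)
        if _host_allowed(url):
            return m.group(0)
        blocked.append(url)
        return f"{label} ({_defang(url)})"

    def defang_autolink(m):
        url = m.group(1)
        if _host_allowed(url):
            return m.group(0)
        blocked.append(url)
        return _defang(url)

    out = IMAGE_RE.sub(drop_image, text)
    out = HTML_IMG_RE.sub(drop_html_img, out)
    out = LINK_RE.sub(defang_link, out)
    out = AUTOLINK_RE.sub(defang_autolink, out)
    return out, blocked


# Constructed sample: what a summary might look like after the model ingested a page
# carrying the three ChatGPhish payloads (fake alert link, tracking pixel, raw autolink).
CONSTRUCTED_OUTPUT = (
    "Here is a summary of the article you shared.\n\n"
    "Your session has expired. [Re-authenticate now](https://login.example-phish.test/m365)\n\n"
    "![](https://t.example-phish.test/px.gif?u=victim)\n"
    "Raw link: <https://qr.example-phish.test/code>\n"
    "Related reading: [OpenAI help centre](https://help.openai.com/en)."
)

if __name__ == "__main__":
    safe, blocked = sanitize_markdown(CONSTRUCTED_OUTPUT)
    print(safe)
    print("blocked:", blocked)
```

The design choice worth noting is that images are dropped unconditionally rather than allowlisted: an allowlisted image host is still a fetch the user did not ask for, and the tracking-pixel payload only needs one such fetch. Links are kept visible in defanged form so an analyst reviewing the transcript can see what the page attempted.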
🤖 AI THREAT 2 — Kali365 PhaaS AI-Powered Lure Generation (FBI IC3 · Published May 21, 2026)
Kali365 — FBI-Warned PhaaS Platform Deploys AI-Generated Phishing Lures for Device Code OAuth Token Theft
The FBI IC3 issued PSA260521 on May 21, 2026, warning of Kali365, a PhaaS platform first observed in April 2026 and distributed via Telegram. Kali365 is notable as the first FBI-warned PhaaS platform to explicitly incorporate AI-generated phishing lure creation as a core feature. The platform provides subscribers with AI-generated phishing email templates tailored to impersonate specific trusted services, automated campaign deployment dashboards, real-time individual/entity tracking panels, and OAuth device code token capture against Microsoft 365. The platform drives the OAuth 2.0 Device Authorization Grant: the operator starts the flow against Microsoft's device authorization endpoint, receives a user code, and the lure tells the victim to enter that code at microsoft.com/devicelogin, a genuine Microsoft URL. The victim signs in and completes MFA legitimately, which approves the operator's pending request; the operator's polling client then receives the access and refresh tokens, and the victim never sees attacker infrastructure. Organizations whose users were compromised via Kali365 reported attacker persistence even after password resets, because the issued refresh tokens remained usable until explicitly revoked.
▶ Why AI Makes This Harder to Detect
AI-generated lures in Kali365 produce grammatically perfect, brand-consistent phishing emails that evade the linguistic red flags security training traditionally teaches users to look for. The platform also auto-generates lures personalised to the target's organisation and role, dramatically raising per-campaign conviction rates compared to generic phishing templates. Low-skilled operators with no social engineering experience can generate convincing executive impersonation emails in seconds.
▶ Defensive Actions
1. Audit Conditional Access immediately and use the Authentication flows condition to block the Device code flow for every user and application that does not need it for IoT, conference-room, or other limited-input scenarios.
2. Enable Entra ID risk-based sign-in policies so that a device-code sign-in from an unexpected location or an unfamiliar device triggers step-up authentication or is blocked.
3. Search the Entra ID sign-in logs for sign-ins whose Authentication Protocol is Device Code and that were not initiated by known IoT or conference-room applications; the application, IP address, and location on each record are the triage fields.
4. For any account where device code phishing is suspected, revoke the user's sign-in sessions and refresh tokens in addition to resetting the password; a password reset alone is not a reliable cleanup.
5. Train staff: any unexpected email asking them to visit microsoft.com/devicelogin and enter a code is a device code phishing attempt.
MITRE TTPs: T1528 (Steal Application Access Token) · T1078.004 (Valid Cloud Accounts) · T1621 (MFA Request Generation) · Reference: FBI IC3 PSA260521 — May 21, 2026 · BleepingComputer
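Two things in the card above are easier to see in code than in prose: why the victim's browser never leaves microsoft.com yet the attacker ends up with the tokens, and what the hunt in defensive action 3 actually matches on. The following is an added example, not Kali365, FBI, or Microsoft code. Part 1 is an in-memory simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) with the operator and victim steps labelled; part 2 triages sign-in records whose field names follow the Microsoft Graph signIn resource (authenticationProtocol, appId, ipAddress, location). The records, the sanctioned app ID, and the token strings are constructed placeholders.

```python
"""Added example, not Kali365, FBI, or Microsoft code. Part 1 simulates the OAuth 2.0
Device Authorization Grant (RFC 8628) to show which party ends up holding the tokens;
part 2 triages Entra ID sign-in records for device-code sign-ins from applications IT
did not sanction. Records are constructed; field names follow the Graph signIn resource."""
from __future__ import annotations
import secrets

VERIFICATION_URI = "https://microsoft.com/devicelogin"   # the genuine URL the lure points at


class DeviceAuthServer:
    """Toy authorization server holding the state the real /devicecode and /token
    endpoints would hold. No network; everything is in memory."""

    def __init__(self) -> None:
        self._pending: dict[str, dict] = {}     # user_code -> request state

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Operator's first step (POST /devicecode). The user_code goes into the lure;
        the device_code stays with the operator and is never shown to the victim."""
        user_code = secrets.token_hex(4).upper()
        state = {"device_code": secrets.token_hex(16), "client_id": client_id,
                 "scope": scope, "approved_by": None}
        self._pending[user_code] = state
        return {"device_code": state["device_code"], "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "interval": 5}

    def user_enters_code(self, user_code: str, upn: str, mfa_passed: bool) -> bool:
        """Victim's step at the genuine verification_uri. The browser never touches
        attacker infrastructure, so URL reputation and FIDO2 origin binding both see a
        legitimate sign-in; MFA is completed for real and approves the operator's request."""
        state = self._pending.get(user_code)
        if state is None or not mfa_passed:
            return False
        state["approved_by"] = upn
        return True

    def token(self, device_code: str) -> dict:
        """Operator's polling step (POST /token, grant_type=device_code)."""
        for state in self._pending.values():
            if state["device_code"] == device_code:
                if state["approved_by"] is None:
                    return {"error": "authorization_pending"}
                # offline_access in the requested scope is what yields the refresh token
                return {"access_token": "<access token>", "refresh_token": "<refresh token>",
                        "scope": state["scope"], "for_user": state["approved_by"]}
        return {"error": "expired_token"}


def simulate_device_code_phish() -> tuple[dict, dict]:
    """Run the chain end to end: (poll before the victim acts, poll after they sign in)."""
    srv = DeviceAuthServer()
    resp = srv.device_authorization(client_id="<first-party client id>",
                                    scope="openid offline_access https://graph.microsoft.com/.default")
    before = srv.token(resp["device_code"])                  # victim has not acted yet
    srv.user_enters_code(resp["user_code"], "victim@contoso.example", mfa_passed=True)
    after = srv.token(resp["device_code"])                   # operator now holds the tokens
    return before, after


# Part 2: constructed sign-in records. The Azure CLI appId is the public first-party
# client ID; the sanctioned meeting-room appId is a placeholder.
ALLOWED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111"}   # assumption: IT-sanctioned apps

CONSTRUCTED_SIGNINS = [
    {"createdDateTime": "2026-06-04T09:12:03Z", "userPrincipalName": "victim@contoso.example",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "appDisplayName": "Microsoft Azure CLI",
     "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2026-06-04T09:30:41Z", "userPrincipalName": "room-a@contoso.example",
     "appId": "11111111-1111-1111-1111-111111111111", "appDisplayName": "Meeting Room Console",
     "ipAddress": "198.51.100.20", "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2026-06-04T10:02:17Z", "userPrincipalName": "victim@contoso.example",
     "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.20", "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "GB"}},
]


def triage_device_code_signins(records: list[dict], allowed_apps=ALLOWED_DEVICE_CODE_APPS) -> list[dict]:
    """Return every device-code sign-in whose application is not on the sanctioned list."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" or r.get("appId") in allowed_apps:
            continue
        hits.append({"when": r["createdDateTime"], "user": r["userPrincipalName"],
                     "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                     "country": r.get("location", {}).get("countryOrRegion")})
    return hits
```

A hit from `triage_device_code_signins` is the trigger for defensive action 4: revoke the user's sessions through Microsoft Graph (`POST /users/{id}/revokeSignInSessions`, or `Revoke-MgUserSignInSession` in the Graph PowerShell SDK) so the refresh token the operator holds stops working, then reset the password. Note what the simulation makes explicit: `user_enters_code` succeeds with `mfa_passed=True`, which is why adding stronger MFA does not close this hole; only removing the flow (action 1) or watching for it (action 3) does.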
🤖 AI THREAT 3 — TA4922 AI-Assisted Malware Development (Proofpoint · Published June 1, 2026)
TA4922 — Chinese-Speaking Cybercrime Group Confirmed Using AI Coding Tools to Rapidly Generate Python-Based Malware
Proofpoint's June 1, 2026 disclosure of TA4922 includes a significant AI-specific finding: Proofpoint analysts assess with high confidence that TA4922 uses AI coding tools, such as LLM-based code generators, to rapidly develop new Python-based malware families. The evidence includes unchanged placeholder values in SilentRunLoader's source code, such as the string "your_secret_key_here", which is characteristic of code produced by AI coding assistants with minimal human review. This AI-assisted development cycle lets TA4922 produce new variants faster than defenders can write signatures: the group fielded at least three new malware families (Atlas RAT, RomulusLoader, SilentRunLoader) within a 60-day window in March and April 2026. TA4922's phishing campaigns use HR-themed, tax-authority-themed, and business-themed lures targeting Japan, the UK, Germany, Italy, and South Africa; each delivers a ZIP archive hosted on a legitimate file-sharing service (GoFile, LimeWire) that sets up DLL side-loading of the payload. Social engineering escalation: TA4922 also runs campaigns designed to move victims from corporate email to out-of-band platforms (LINE, WhatsApp, Microsoft Teams) where enterprise security controls have no visibility.
▶ Why AI Makes This Harder to Detect
AI-accelerated malware development compresses the detection window. Traditional AV and EDR signature databases are updated only after a new variant has been identified and analysed, which takes days to weeks. TA4922's AI-assisted toolchain can produce a functional new variant in hours, exploiting that gap. Defenders who rely on hash- or signature-based detection will see each new TA4922 variant for the first time when it lands, so the first deployment of every variant is likely to pass those controls.
▶ Defensive Actions
1. Prioritise behavioural detection over signatures for the DLL side-loading chain: alert when an executable running from a user-writable location (Downloads, Temp, an extracted ZIP folder) loads an unsigned DLL from that same directory, and on the child processes and network connections that follow.
2. Block or restrict employee access to consumer file sharing platforms (GoFile, LimeWire, WeTransfer) at the web proxy layer — these are active TA4922 payload delivery vectors.
3. Flag all emails encouraging recipients to continue conversations via LINE, WhatsApp, or Microsoft Teams personal accounts — this is TA4922's standard escalation to evade enterprise security controls.
4. Search endpoint telemetry for AnyDesk and SyncFuture RMM installations not deployed by IT — TA4922 deploys these as LotL persistence mechanisms.
Reference: Proofpoint Threat Research — June 1, 2026 · The Hacker News — June 4, 2026
AI Threat Landscape at a Glance
> AI phishing platforms active: 3+ (Kali365 · ATHR · custom)
> AI technique, lure generation: Kali365 — confirmed
> AI technique, malware development: TA4922 — high confidence
> AI technique, prompt injection: ChatGPhish — confirmed
> AI vishing platforms active: ATHR (prior disclosure)
> Device code phishing surge: 37x YoY — 18+ active kits
> AI phishing share of SE activity: >80% by 2025 (ENISA)
> CISOs citing AI phishing risk: 77% (Hornetsecurity 2026)
📡 AI & Social Engineering Intelligence — Trend Briefing
Offensive AI — Today's Observations

The research sweep for June 5, 2026 surfaces a maturing and diversifying AI-enabled social engineering threat ecosystem across three distinct operational modes. First, AI as a phishing lure factory: Kali365 demonstrates that AI-generated phishing content is now a standard commercial PhaaS feature rather than a capability restricted to sophisticated threat actors — any Telegram subscriber with a platform fee can generate grammatically perfect, brand-consistent, role-personalised phishing emails with zero social engineering skill required. Second, AI as a malware development accelerator: Proofpoint's assessment that TA4922 uses AI coding tools to generate Python-based malware families compresses the attacker's development cycle from weeks to hours, systematically exploiting the signature-gap period before defenders can publish detection rules. Third, AI as an attack surface: ChatGPhish demonstrates that AI assistants themselves have become phishing delivery vectors — attackers are now targeting the AI's trust model rather than the user's trust in email, shifting the phishing surface from the inbox to the browser in a way that bypasses every traditional email security control. All three attack modalities were active within the 7-day window of this coverage date.

Detection & Defensive Posture

Current detection tooling faces structural challenges against all three AI-enhanced attack modes observed in this sweep. AI-generated lures defeat the linguistic heuristics that email gateways and user training traditionally rely on: the grammatical errors, awkward phrasing, and cultural mismatches that trained users look for are simply absent in LLM-authored content. Signature-based endpoint detection loses effectiveness against AI-generated malware variants because each generation may differ enough to escape hash matching. ChatGPhish-style prompt injection has no systematic enterprise defence today, because content rendered by a trusted AI assistant domain is not something a Secure Email Gateway or web proxy can intercept. The most resilient posture is authentication architecture reform, with one important distinction. Phishing-resistant MFA (FIDO2/passkeys) defeats credential-harvesting and AiTM phishing regardless of lure quality, because the authenticator binds the assertion to the genuine login origin; it does not stop device code phishing, because in that flow the victim really does authenticate to microsoft.com and the attacker's client is the party that receives the tokens. Restricting the OAuth Device Authorization flow through Conditional Access to known IoT use cases is what removes the Kali365, EvilTokens, and Tycoon2FA device code attack surface. Organisations relying on standard TOTP-based MFA without either control remain exposed to every credential-theft mode documented in this sweep.

Industry Temperature

Industry concern around AI-enabled social engineering has moved from anticipatory to reactive as of mid-2026. The FBI's Kali365 PSA, Permiso's ChatGPhish disclosure, and Proofpoint's TA4922 AI coding attribution all represent official research-community confirmation of AI capabilities that were discussed as emerging risks as recently as 2024. The community is no longer debating whether AI-enabled phishing is real; it is tracking specific platforms, vulnerabilities, and threat actor adoption patterns. Defenders, however, continue to lag: the 77% of CISOs identifying AI-generated phishing as a serious threat (Hornetsecurity 2026) stands in contrast to the relatively small proportion who have deployed phishing-resistant MFA or restricted device code authentication flows. The capability gap is widening in the attacker's favour, and the pace of AI tooling adoption in the criminal ecosystem, evidenced by 18+ active device code phishing kits, multiple AI-integrated PhaaS platforms, and at least one high-volume cybercrime actor assessed with high confidence to be using AI code generation, suggests this gap will widen further before defensive tooling catches up.

★ Exclusion Log & Follow-Up Campaigns — Articles Researched But Excluded by Date Gate
TA4922 (Chinese-Speaking Cybercrime Group) — Global Expansion with Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT
Primary source first published: June 1, 2026 — Proofpoint Threat Research Blog (meta-published_time confirmed June 1)
Secondary coverage: CyberSecurityNews June 4, 2026 · The Hacker News June 4, 2026 · SecurityWeek June 4, 2026 · Dark Reading June 4, 2026 · Infosecurity Magazine June 4, 2026
Exclusion reason: Proofpoint primary article first published June 1, 2026 — 4 days prior to coverage date. All secondary coverage published June 4, 2026 — 1 day prior. No new coverage-date article with materially new technical detail on June 5.
Attack Category: Phishing (HR-themed, tax-authority-themed, business-themed spear-phishing) + LotL Abuse (AnyDesk, SyncFuture RMM deployment; DLL side-loading; out-of-band platform escalation)
Threat Actor: TA4922 — Chinese-speaking, assessed financially motivated. Likely based in East Asia. Possible partial overlap with Silver Fox. Conducts more unique campaigns than any other actor in Proofpoint's current threat tracking data.
Global targeting: Japan (primary historical), Taiwan, Korea, Singapore, India (established), UK, Germany, Italy, South Africa (newly expanded since March 2026).
Malware arsenal: Atlas RAT (C-based · remote access) · RomulusLoader (DLL side-load · stages AnyDesk / SyncFuture) · SilentRunLoader (Go-based · Chrome credential exfiltration) · ValleyRAT / Winos 4.0 (established RAT)
Key campaigns (March–May 2026):
— March 6: HR-themed emails to Japan · ZIP via GoFile · DLL side-load → Atlas RAT · C2: 206.238.115[.]58:886
— March 23: Corporate/HR lures · Japan · ZIP via GoFile · → RomulusLoader
— March 30: Tax authority lures · UK targets · SilentRunLoader
— April 10: Benefits/compliance lures · Southeast Asia + UK · SilentRunLoader → Chrome credential theft
— Mid-April: Business/tax lures · Japan + Germany · RomulusLoader → AnyDesk + SyncFuture (LotL persistence)
AI component: Proofpoint assesses with high confidence that TA4922 uses AI coding tools to rapidly develop Python-based malware. Evidence: unchanged placeholder values ("your_secret_key_here") in SilentRunLoader code, characteristic of LLM-generated content with minimal review. [→ See the AI-Enhanced Threat Spotlight above for the full AI threat card]
IOCs (defanged — from Proofpoint):
C2 IP (Atlas RAT): 206.238.115[.]58 · Port 886
File delivery: GoFile[.]io (legitimate service abused for payload hosting) · LimeWire file sharing (used for RomulusLoader staging)
ZIP lure filenames: "Paperwork.zip" · "HR_Notice.zip" (representative samples)
MITRE ATT&CK TTPs: T1566.001 (Spearphishing Attachment) · T1204.002 (Malicious File) · T1059.001 (PowerShell) · T1574.002 (DLL Side-Loading) · T1102 (Web Service Abuse — GoFile/LimeWire) · T1078.004 (Valid Accounts: Cloud) · T1016 (System Network Configuration Discovery) · T1041 (Exfiltration over C2)
Defensive Actions:
1. Block or monitor connections to GoFile.io and LimeWire from corporate endpoints — both are active TA4922 payload delivery platforms.
2. Alert on DLL side-loading events — suspicious processes spawning from ZIP extraction paths, particularly in user-writable directories.
3. Block or alert on AnyDesk and SyncFuture installations not authorised by IT — TA4922 uses these as persistent LotL remote access mechanisms.
4. Flag emails directing recipients to continue discussions via LINE, WhatsApp, or Microsoft Teams personal accounts — TA4922's standard out-of-band escalation.
5. Search endpoint telemetry for outbound connections to port 886 from corporate workstations — Atlas RAT C2 channel.
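Defensive actions 2, 3, and 5 above (and actions 1 and 4 in the TA4922 AI threat card) describe three behavioural checks that are easiest to reason about against concrete telemetry. The following is an added example, not Proofpoint's code: it runs the three checks over constructed Sysmon-style events. Event field names mirror Sysmon (Event ID 7 ImageLoad, Event ID 1 ProcessCreate, Event ID 3 NetworkConnect); the events, the extraction path, and the IT-managed AnyDesk install prefix are assumptions. The C2 IP and port 886 are the Proofpoint IOCs from the table above.

```python
"""Added example, not Proofpoint's code: behavioural checks for the TA4922 chain, run
over constructed Sysmon-style events. (a) Event ID 7: an unsigned DLL loaded from a
user-writable directory by an executable in that same directory (the side-loading
pattern). (b) Event ID 1: an RMM binary (AnyDesk, SyncFuture) started outside the
IT-managed install path. (c) Event ID 3: an outbound connection to TCP 886, the Atlas
RAT C2 port from the IOC table. Events, paths and the IT-managed prefix are assumptions."""
from __future__ import annotations
from pathlib import PureWindowsPath

USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
RMM_BINARIES = {"anydesk.exe", "syncfuture.exe"}              # RMM tools named in the report
IT_MANAGED_PREFIXES = ("c:\\program files\\anydesk\\",)        # assumption: sanctioned install path
ATLAS_C2_PORT = 886                                           # from the Proofpoint IOC table


def _user_writable(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def check_image_load(ev: dict) -> str | None:
    """Sysmon ID 7: unsigned DLL from a user-writable folder, loaded by an EXE in the same folder."""
    if ev.get("EventID") != 7 or str(ev.get("Signed", "true")).lower() == "true":
        return None
    dll, exe = PureWindowsPath(ev["ImageLoaded"]), PureWindowsPath(ev["Image"])
    if _user_writable(str(dll)) and dll.parent == exe.parent:
        return f"sideload: {exe.name} loaded unsigned {dll.name} from {dll.parent}"
    return None


def check_process_create(ev: dict) -> str | None:
    """Sysmon ID 1: RMM executable launched from somewhere IT did not install it."""
    if ev.get("EventID") != 1:
        return None
    image = ev["Image"].lower()
    if PureWindowsPath(image).name in RMM_BINARIES and not image.startswith(IT_MANAGED_PREFIXES):
        return f"rmm: {ev['Image']} started outside IT path (parent: {ev.get('ParentImage')})"
    return None


def check_network(ev: dict) -> str | None:
    """Sysmon ID 3: outbound connection to the Atlas RAT C2 port."""
    if ev.get("EventID") != 3 or str(ev.get("Initiated", "true")).lower() != "true":
        return None
    if int(ev.get("DestinationPort", 0)) == ATLAS_C2_PORT:
        return f"c2: {ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']}"
    return None


def triage(events: list[dict]) -> list[str]:
    """Run all three checks over an event stream and return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_image_load, check_process_create, check_network):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed events following the March-April 2026 chain described above:
# ZIP extracted to Temp, side-load, AnyDesk dropped under the user profile, C2 on 886.
EXTRACT = "C:\\Users\\alice\\AppData\\Local\\Temp\\Paperwork"
CONSTRUCTED_EVENTS = [
    {"EventID": 7, "Image": f"{EXTRACT}\\Notice.exe", "ImageLoaded": f"{EXTRACT}\\libhelper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe",
     "ParentImage": f"{EXTRACT}\\Notice.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 3, "Image": f"{EXTRACT}\\Notice.exe", "Initiated": "true",
     "DestinationIp": "206.238.115.58", "DestinationPort": 886},
]

if __name__ == "__main__":
    for line in triage(CONSTRUCTED_EVENTS):
        print(line)
```

The side-loading check deliberately keys on the DLL being unsigned and co-located with its loader rather than on any file name or hash, which is the property that survives the AI-assisted variant churn described in the AI threat card; the hash of `libhelper.dll` will change, the layout of "signed EXE plus unsigned DLL in a Temp folder" will not. The port-886 check is the only signature-style rule here and should be expected to rot as the C2 infrastructure moves.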
References: Proofpoint — June 1, 2026 · The Hacker News — June 4, 2026 · SecurityWeek — June 4, 2026
Status: EXCLUDED (date gate: Proofpoint primary June 1, secondary coverage June 4) · 🤖 AI component: see the AI-Enhanced Threat Spotlight above
ChatGPhish — Prompt Injection Turns ChatGPT Web Summaries Into Live Phishing Delivery Surface
First published: May 29, 2026 — Permiso Security (Andi Ahmeti) primary disclosure
Secondary coverage: The Hacker News May 29 · CyberSecurityNews June 2, 2026 · eWeek June 1 · IT Security News June 1
Exclusion reason: Primary disclosure May 29, 2026 — 7 days prior to coverage date. CyberSecurityNews June 2 article is within 7-day window but adds no materially new technical detail. Does not qualify for main finding cards per Section 1A date gate.
Summary: Prompt injection vulnerability in ChatGPT's web summarization rendering pipeline. Attackers embed Markdown payloads in web pages; when a user asks ChatGPT to summarize the URL, the AI renders attacker-controlled links and images inside the trusted chatgpt.com interface. Three attack chains: (1) live phishing links and fake system alerts rendered as genuine ChatGPT output; (2) a passive tracking pixel that records victim IP, User-Agent, and Referer on every response render or share-link view; (3) QR code injection inside AI responses. OpenAI closed the report as "Not Reproducible" and then "Duplicate" during the disclosure process and shipped no fix. Vulnerability unpatched as of June 5, 2026.
Defensive note: No enterprise patch available. Mitigate through user training and policy — prohibit use of AI summarization on URLs from untrusted sources.
Reference: The Hacker News — May 29, 2026 · CyberSecurityNews — June 2, 2026
Status: EXCLUDED (date gate: May 29 primary disclosure) · 🤖 AI component: see the AI-Enhanced Threat Spotlight above
Kali365 PhaaS — FBI IC3 Warning on AI-Enhanced OAuth Device Code Phishing Platform Targeting M365
First published: May 21, 2026 — FBI IC3 PSA260521
Secondary coverage: BleepingComputer May 25 · Help Net Security May 22 · Infosecurity Magazine May 29
Exclusion reason: FBI IC3 primary advisory published May 21, 2026 — 15 days prior to coverage date. No new June 5 article with materially new technical detail.
Summary: FBI-warned PhaaS platform distributed via Telegram since April 2026. Uses OAuth 2.0 Device Authorization flow to capture Microsoft 365 access and refresh tokens without intercepting passwords or MFA codes. Incorporates AI-generated phishing lures, automated templates, and real-time tracking dashboards. Enables persistent M365 access — tokens remain valid after password resets. Related platforms in same device code phishing ecosystem: EvilTokens, Tycoon2FA, VENOM (all using device code phishing). Push Security documented 37x increase in device code phishing in 2026 with 18+ active kits. Arctic Wolf confirmed Kali365 operates with a business model including per-campaign subscription tiers.
Reference: FBI IC3 PSA260521 — May 21, 2026 · BleepingComputer — May 25, 2026
Status: EXCLUDED (date gate: May 21 FBI advisory) · 🤖 AI component: see the AI-Enhanced Threat Spotlight above
DriveSurge — ClickFix / FakeUpdates IAB (Continued Monitoring — IOCs Still Actionable)
Original first published: May 30, 2026 — SilentPush · June 1, 2026 — CyberSecurityNews, BleepingComputer
Carried forward from: June 2, 2026 DeepFalcon Threat Intel Report
Status: No new June 5 coverage. Infrastructure remains active. IOCs published in June 2 report remain applicable — defenders who have not yet blocked the 15 DriveSurge IOCs (domains, IP, email) should do so immediately.
Key IOC reminder (defanged): beacontrace[.]bond · 91[.]92[.]240[.]127 · check[.]first-node[.]rocks · banerpanel[.]live · testio[.]ecartdev[.]com
Reference: SilentPush — May 30, 2026
CARRIED FORWARD — IOCs remain actionable
Tycoon2FA — Post-Disruption Device Code Phishing Pivot Confirmed Active via eSentire Analysis
First published: Ongoing — Most recent eSentire analysis approximately May 20, 2026 · BleepingComputer coverage May 15, 2026
Status: eSentire confirmed Tycoon2FA post-takedown variant has added device code phishing alongside its established AiTM functionality. Campaign pattern: Trustifi click-tracking URLs in lure emails → victim redirected to microsoft.com/devicelogin → attacker-controlled device receives OAuth tokens. BleepingComputer coverage confirmed tradecraft "virtually unchanged" from pre-disruption variant. Push Security 37x device code phishing surge data includes Tycoon2FA as a major contributing factor. Platform continues to evolve and distribute via affiliate network.
Defensive note: Organisations that implemented defensive measures after the March 2026 disruption should verify Conditional Access Policies still restrict device code authentication flow — Tycoon2FA's new variant uses identical Microsoft infrastructure to the pre-disruption campaigns, meaning domain-based blocks are insufficient.
Reference: BleepingComputer — Tycoon2FA Device Code Coverage
FOLLOW-UP — Continued monitoring · Conditional Access policy verification recommended