Begun, the Patch Wars have
This report covers a significant surge in vulnerability disclosures and patching activity in July 2026, driven by AI-accelerated research efforts. Microsoft issued a record 622 patches, including 62 critical vulnerabilities and three zero-days, two actively exploited. The volume of vulnerabilities is unprecedented compared to previous years. Additionally, Cisco Talos disclosed a sophisticated campaign by a Russian-speaking adversary group UAT-11795 targeting U.S. and European users via trojanized installers of popular software, deploying a Python-based RAT and in-memory PowerShell implants. The campaign uses advanced evasion techniques and delivers secondary payloads to steal credentials and cryptocurrency assets. The report highlights the operational challenges organizations face in managing this patch surge and the need for heightened user education and detection tuning.
AI Analysis
Technical Summary
In July 2026, there was an unprecedented increase in vulnerability disclosures, with Microsoft alone patching 622 flaws, including critical and zero-day vulnerabilities, attributed to AI frontier research accelerating vulnerability discovery. Cisco Talos disclosed a financially motivated Russian-speaking threat actor, UAT-11795, conducting a widespread campaign since June 2025 targeting U.S. and European users. This actor uses trojanized installers of legitimate software (e.g., Webex, Zoom, MobaXterm) to deploy a custom Python-based remote access tool called Starland RAT, which facilitates further deployment of an in-memory PowerShell implant (WLDR agent). The adversary employs evasive techniques such as AMSI and ETW bypasses and a blockchain-anchored fallback for persistent command and control. Secondary payloads like CastleStealer and Remcos RAT are used to exfiltrate credentials and cryptocurrency. The report underscores the operational strain on organizations due to the volume of patches and the importance of user education and endpoint detection tuning.
Potential Impact
The impact includes exposure to a large number of vulnerabilities, some critical and actively exploited, increasing the risk of compromise if patches are not applied timely. The UAT-11795 campaign enables attackers to gain persistent remote access through trojanized installers, leading to credential theft and cryptocurrency asset compromise. The adversary's use of advanced evasion techniques complicates detection and response. Organizations face operational challenges in patch management due to the volume and urgency of vulnerabilities disclosed.
Mitigation Recommendations
No official patch status is provided for the vulnerabilities collectively; patch status should be verified per vendor advisories. Organizations should prioritize applying vendor patches, especially for critical and actively exploited vulnerabilities. For the UAT-11795 campaign, user education on the risks of unofficial software downloads and social engineering is essential. Monitoring for suspicious mshta.exe and PowerShell in-memory execution, as well as AMSI tampering, is recommended. Endpoint detection solutions should be tuned to detect in-memory execution and evasion techniques. Given the volume of patches, organizations should optimize change management processes to handle the increased patching load effectively.
Affected Countries
United States
Begun, the Patch Wars have
Description
This report covers a significant surge in vulnerability disclosures and patching activity in July 2026, driven by AI-accelerated research efforts. Microsoft issued a record 622 patches, including 62 critical vulnerabilities and three zero-days, two actively exploited. The volume of vulnerabilities is unprecedented compared to previous years. Additionally, Cisco Talos disclosed a sophisticated campaign by a Russian-speaking adversary group UAT-11795 targeting U.S. and European users via trojanized installers of popular software, deploying a Python-based RAT and in-memory PowerShell implants. The campaign uses advanced evasion techniques and delivers secondary payloads to steal credentials and cryptocurrency assets. The report highlights the operational challenges organizations face in managing this patch surge and the need for heightened user education and detection tuning.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In July 2026, there was an unprecedented increase in vulnerability disclosures, with Microsoft alone patching 622 flaws, including critical and zero-day vulnerabilities, attributed to AI frontier research accelerating vulnerability discovery. Cisco Talos disclosed a financially motivated Russian-speaking threat actor, UAT-11795, conducting a widespread campaign since June 2025 targeting U.S. and European users. This actor uses trojanized installers of legitimate software (e.g., Webex, Zoom, MobaXterm) to deploy a custom Python-based remote access tool called Starland RAT, which facilitates further deployment of an in-memory PowerShell implant (WLDR agent). The adversary employs evasive techniques such as AMSI and ETW bypasses and a blockchain-anchored fallback for persistent command and control. Secondary payloads like CastleStealer and Remcos RAT are used to exfiltrate credentials and cryptocurrency. The report underscores the operational strain on organizations due to the volume of patches and the importance of user education and endpoint detection tuning.
Potential Impact
The impact includes exposure to a large number of vulnerabilities, some critical and actively exploited, increasing the risk of compromise if patches are not applied timely. The UAT-11795 campaign enables attackers to gain persistent remote access through trojanized installers, leading to credential theft and cryptocurrency asset compromise. The adversary's use of advanced evasion techniques complicates detection and response. Organizations face operational challenges in patch management due to the volume and urgency of vulnerabilities disclosed.
Mitigation Recommendations
No official patch status is provided for the vulnerabilities collectively; patch status should be verified per vendor advisories. Organizations should prioritize applying vendor patches, especially for critical and actively exploited vulnerabilities. For the UAT-11795 campaign, user education on the risks of unofficial software downloads and social engineering is essential. Monitoring for suspicious mshta.exe and PowerShell in-memory execution, as well as AMSI tampering, is recommended. Endpoint detection solutions should be tuned to detect in-memory execution and evasion techniques. Given the volume of patches, organizations should optimize change management processes to handle the increased patching load effectively.
Affected Countries
Technical Details
- Article Source
- {"url":"https://blog.talosintelligence.com/begun-the-patch-wars-have/","fetched":true,"fetchedAt":"2026-07-16T18:12:12.559Z","wordCount":1194}
Threat ID: 6a591efc68715ace437996ad
Added to database: 07/16/2026, 18:12:12 UTC
Last enriched: 07/16/2026, 18:12:25 UTC
Last updated: 07/16/2026, 23:56:58 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.