Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Begun, the Patch Wars have

0
Medium
Vulnerability
Published: 07/16/2026 (07/16/2026, 18:00:50 UTC)
Source: Cisco Talos

Description

This report covers a significant surge in vulnerability disclosures and patching activity in July 2026, driven by AI-accelerated research efforts. Microsoft issued a record 622 patches, including 62 critical vulnerabilities and three zero-days, two actively exploited. The volume of vulnerabilities is unprecedented compared to previous years. Additionally, Cisco Talos disclosed a sophisticated campaign by a Russian-speaking adversary group UAT-11795 targeting U.S. and European users via trojanized installers of popular software, deploying a Python-based RAT and in-memory PowerShell implants. The campaign uses advanced evasion techniques and delivers secondary payloads to steal credentials and cryptocurrency assets. The report highlights the operational challenges organizations face in managing this patch surge and the need for heightened user education and detection tuning.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 18:12:25 UTC

Technical Analysis

In July 2026, there was an unprecedented increase in vulnerability disclosures, with Microsoft alone patching 622 flaws, including critical and zero-day vulnerabilities, attributed to AI frontier research accelerating vulnerability discovery. Cisco Talos disclosed a financially motivated Russian-speaking threat actor, UAT-11795, conducting a widespread campaign since June 2025 targeting U.S. and European users. This actor uses trojanized installers of legitimate software (e.g., Webex, Zoom, MobaXterm) to deploy a custom Python-based remote access tool called Starland RAT, which facilitates further deployment of an in-memory PowerShell implant (WLDR agent). The adversary employs evasive techniques such as AMSI and ETW bypasses and a blockchain-anchored fallback for persistent command and control. Secondary payloads like CastleStealer and Remcos RAT are used to exfiltrate credentials and cryptocurrency. The report underscores the operational strain on organizations due to the volume of patches and the importance of user education and endpoint detection tuning.

Potential Impact

The impact includes exposure to a large number of vulnerabilities, some critical and actively exploited, increasing the risk of compromise if patches are not applied timely. The UAT-11795 campaign enables attackers to gain persistent remote access through trojanized installers, leading to credential theft and cryptocurrency asset compromise. The adversary's use of advanced evasion techniques complicates detection and response. Organizations face operational challenges in patch management due to the volume and urgency of vulnerabilities disclosed.

Mitigation Recommendations

No official patch status is provided for the vulnerabilities collectively; patch status should be verified per vendor advisories. Organizations should prioritize applying vendor patches, especially for critical and actively exploited vulnerabilities. For the UAT-11795 campaign, user education on the risks of unofficial software downloads and social engineering is essential. Monitoring for suspicious mshta.exe and PowerShell in-memory execution, as well as AMSI tampering, is recommended. Endpoint detection solutions should be tuned to detect in-memory execution and evasion techniques. Given the volume of patches, organizations should optimize change management processes to handle the increased patching load effectively.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://blog.talosintelligence.com/begun-the-patch-wars-have/","fetched":true,"fetchedAt":"2026-07-16T18:12:12.559Z","wordCount":1194}

Threat ID: 6a591efc68715ace437996ad

Added to database: 07/16/2026, 18:12:12 UTC

Last enriched: 07/16/2026, 18:12:25 UTC

Last updated: 07/16/2026, 23:56:58 UTC

Views: 6

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses