ctipilot.ch
2026-W28 · 6–12 Jul
All weekly briefs ↗
Weekly brief · ISO week

Week 28

The strategic arc across the week's operational findings · what to fix if you act only once, the multi-day chains, and the policy horizon.

IF YOU DID NOTHING THIS WEEK

The constituency's core sector was hit from several directions in 2026-W28: a ransomware crew breached Latvia's state forestry operator LVM via a two-year-unpatched service (CERT.LV, an EU/NATO-shared-threat framing); Psychiatrische Dienste Aargau (a Swiss cantonal health authority) had email accounts phished and abused as a spam relay; espionage actors weaponised a citizen-facing e-government complaint portal as a watering hole; Armored Likho hit government and electric-power targets with an AI-generated loader; and UNC1151/Ghostwriter ran real-time 2FA-relay Gmail phishing against officials (CERT Polska). The common thread is not one actor but the breadth of pressure on public-sector identity, exposed services and citizen-facing web.

Week at a glance
  1. 01CH/EU government under broad attack this week — Latvia forestry ransomware, Swiss cantonal mailbox compromise, e-gov watering-hole, Ghostwriter phishing. The constituency's core sector was hit from several directions in 2026-W28: a ransomware crew breached Latvia's state forestry operator LVM via a two-year-unpatched service (CERT.LV, an EU/NATO-shared-threat framing); Psychiatrische Dienste Aargau (a Swiss cantonal health authority) had email accounts phished and abused as a spam relay; espionage actors weaponised a citizen-facing e-government complaint portal as a watering hole; Armored Likho hit government and electric-power targets with an AI-generated loader; and UNC1151/Ghostwriter ran real-time 2FA-relay Gmail phishing against officials (CERT Polska). The common thread is not one actor but the breadth of pressure on public-sector identity, exposed services and citizen-facing web.
  2. 02M365 identity attacks converged this week — device-code, AiTM PhaaS, ROPC spray and vishing all bypass MFA/Conditional Access by sidestepping it. Four independent 2026-W28 disclosures describe the same M365 account-takeover pattern from different angles: Huntress' root-cause comparison of the Railway (device-code) and LSHIY (ROPC spray) campaigns, where 55 of 78 LSHIY-compromised accounts had CA policies requiring MFA that failed on scoping gaps; the Forg365 AiTM phishing-as-a-service kit; and the Helix data-extortion cluster pairing manager-impersonation vishing with device-code phishing. None defeats MFA cryptographically — each exploits an auth flow (device-code, ROPC/legacy, token replay) that a typical Conditional Access policy does not gate. Every M365 tenant should block device-code and ROPC where unused and confirm CA covers all cloud apps and client-app types.
  3. 03Exposed enterprise software under active attack this week — ColdFusion (KEV), CitrixBleed 2 → DragonForce, Gitea escalated to actively-exploited. Three separate internet-facing enterprise products crossed into confirmed exploitation in 2026-W28: Adobe ColdFusion CVE-2026-48282 (one of the 1 July CVSS 10.0 RCEs) was exploited within two hours of public detail and added to CISA KEV; Citrix NetScaler's CitrixBleed 2 (CVE-2025-5777) was reconstructed by Huntress into a repeatable initial-access-broker kill chain ending in DragonForce ransomware, where stolen session tokens survive patching; and NCSC-CH escalated the Gitea Docker reverse-proxy auth bypass (CVE-2026-20896) to actively exploited. The operational reality: any exposed unpatched instance of these should be treated as compromised, not merely vulnerable — and for CitrixBleed 2, patching alone is insufficient.
  4. 04Joomla third-party-extension file-upload RCE wave — four unauthenticated flaws this week, several exploited as zero-days, KEV within days. A sustained mySites.guru disclosure wave hit four Joomla third-party extensions across 2026-W28 — SP Page Builder (CVE-2026-48908) and a second page-builder (CVE-2026-56290), Balbooa Forms (CVE-2026-56291), iCagenda (CVE-2026-48939) and RSFiles!/Phoca Download (CVE-2026-57827/57828) — every one an arbitrary-file-upload-to-RCE (CWE-434). Several were exploited in the wild as zero-days before a fix existed and reached CISA KEV within days, with the observed payload planting a hidden Super Administrator account. Any Swiss or European municipal / public-sector Joomla site running these extensions should treat an unpatched instance as a compromise event, not merely a risk, and hunt for web shells and rogue admin accounts.
01Highest-impact events · what's on fire if no one acted2 items
HIGHexploitedNATOB1

Confirmed in-the-wild exploitation of internet-facing enterprise software converged this week — ColdFusion, Citrix NetScaler and Gitea all moved from 'at risk' to 'under attack'

If you did nothing this week: three classes of internet-facing enterprise software you likely have somewhere in the estate moved from theoretical risk to confirmed exploitation. An unpatched, exposed ColdFusion, Citrix NetScaler Gateway or Gitea instance should be handled as an incident, not a maintenance ticket — and for NetScaler, applying the patch does not evict an attacker who already has your session tokens.

The week's exploitation signal converged on the perimeter. Adobe ColdFusion CVE-2026-48282 — one of the six unauthenticated CVSS 10.0 RCEs Adobe patched on 1 July, and exactly the item last week's outlook flagged as awaiting weaponisation — was confirmed exploited in the wild and added to CISA KEV on 7 July; KEVIntel reported catching exploitation "within under two hours of CVE-2026-48282 public details being released" against its honeypots (BleepingComputer, 2026-07-08). Citrix NetScaler saw the most operationally consequential development: Huntress reconstructed a mechanically identical intrusion chain across at least six unrelated organisations, run by an initial-access broker (Sophos: STAC3725) that steals pre-auth session tokens via CitrixBleed 2 (CVE-2025-5777) — "sift[ing] through the heap fragments for valid session tokens of someone who is currently logged in" (Huntress, 2026-07-10) — then escalating via a registry-symlink privilege-escalation tool to SYSTEM, persisting with ScreenConnect/Zoho Assist, and in the most progressed case deploying DragonForce ransomware. Because the stolen tokens survive patching, remediation requires terminating live sessions as well. Finally, NCSC-CH escalated the Gitea Docker reverse-proxy authentication bypass (CVE-2026-20896) — full unauthenticated admin control "via a single custom HTTP header" — to "Actively Exploited, Proof of Concept Available" (NCSC-CH Cyber Security Hub, 2026-07-10). A fourth strand — Langflow's cross-tenant IDOR (CVE-2026-55255) chained with pre-auth RCE, first exploited 25 June and now KEV-listed (Sysdig, 2026-07-08) — reinforces the same lesson: exploitation, not CVSS, is what set this week's priorities.

Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network.

KEVIntel, via BleepingComputer

By spraying enough of those requests, an adversary can then sift through the heap fragments for valid session tokens of someone who is currently logged in.

Huntress

Current exploitation status: Actively Exploited, Proof of Concept Available

NCSC-CH Cyber Security Hub

Builds on: 2026-07-08/cve-2026-48282-adobe-coldfusion-actively-exploited-kev · 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-10/gitea-cve-2026-20896-ncsc-ch-actively-exploited-update · 2026-07-08/cve-2026-55255-langflow-idor-kev-chained-with-rce

synthesis12 Jul 23:22Zmulti-sourceOpen finding ↗
HIGHexploitedNATOB1

A researcher-driven Joomla extension file-upload wave produced four unauthenticated RCE disclosures this week — several exploited as zero-days before a patch existed

If you did nothing this week: any internet-facing Joomla site your constituency runs with SP Page Builder, Balbooa Forms, iCagenda, RSFiles! or Phoca Download installed should now be treated as potentially compromised — several of these flaws were exploited in the wild before a patch shipped, and the observed payload gives the attacker a hidden Joomla super-admin.

Across 2026-W28 the specialist Joomla-security researcher mySites.guru disclosed the same bug class — CWE-434 arbitrary file upload leading to remote code execution — in four separate third-party extensions in quick succession, and CISA moved several onto the Known Exploited Vulnerabilities catalog within days. The mechanism is consistent: an upload handler that fails to enforce a server-side extension allow-list, does not block .php, and does not verify the declared content type, letting an attacker write an executable script into a web-reachable directory. In SP Page Builder the exploited path was index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon, driven by an HTTP POST (The Hacker News, 2026-07-08); the researcher observed that "the payload plants a hidden Super Administrator account, usually with an @secure.local email" (mySites.guru, 2026-07-08). Balbooa Forms (CVE-2026-56291) was likewise found under live exploitation before any fix existed — "it was already being exploited in the wild when we found it, before any patch existed" (mySites.guru, 2026-07-09) — and iCagenda (CVE-2026-48939) reached KEV as an unauthenticated file-upload-to-RCE (mySites.guru, 2026-07-10). The week closed with two more from the same wave: RSFiles! (CVE-2026-57827, unauthenticated, CVSS 4.0 10.0, fixed 1.17.12) and Phoca Download (CVE-2026-57828, member-authenticated allow-list bypass, fixed 6.1.3), with no confirmed exploitation of that pair yet (mySites.guru, 2026-07-11).

Why this is the week's operational reality for the constituency: Joomla is disproportionately common on cantonal, communal and small-agency public-sector sites across Switzerland and the EU, and the ecosystem's risk lives in its third-party extensions, not the core. A wave of unauthenticated, pre-auth-exploited RCEs against exactly that surface, several with a public exploitation record and a self-installing super-admin payload, is a patch-and-hunt priority the normal monthly cadence does not cover.

CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the 'index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon' endpoint.

The Hacker News

Already exploited in the wild. The payload plants a hidden Super Administrator account, usually with an @secure.local email.

This was a zero-day: it was already being exploited in the wild when we found it, before any patch existed, and those attacks are still going on now against sites that have not updated.

mySites.guru

Builds on: 2026-07-08/joomla-page-builder-cve-2026-48908-56290-kev-zerodays · 2026-07-09/cve-2026-56291-balbooa-forms-joomla-unauth-file-upload-rce · 2026-07-10/cve-2026-48939-icagenda-joomla-unauth-file-upload-rce-kev · 2026-07-11/joomla-rsfiles-phoca-file-upload-rce-cve-2026-57827-57828

synthesis12 Jul 23:20Zmulti-sourceOpen finding ↗
02Multi-day campaigns and chains1 item
HIGHNATOB1

Microsoft 365 account-takeover tradecraft converged this week on auth flows Conditional Access rarely covers — device-code, AiTM, ROPC and manager-impersonation vishing all beat MFA without breaking it

Four separate 2026-W28 disclosures describe one problem: Microsoft 365 account takeover is increasingly achieved not by defeating multi-factor authentication but by choosing an authentication path that Conditional Access commonly fails to gate. Huntress' comparative root-cause analysis of two campaigns made the mechanism explicit — "device code phishing is effective because it doesn't try to beat MFA. It sidesteps it," and in the ROPC-based LSHIY campaign "of the 78 compromised accounts, 55 had active Conditional Access policies requiring MFA" that still failed, because legacy/ROPC authentication through the /token endpoint never reaches the authorization endpoint where CA is enforced (Huntress, 2026-07-10). The same week, ZeroBEC documented Forg365, a Telegram-distributed adversary-in-the-middle phishing-as-a-service kit purpose-built to relay M365 auth and steal session cookies (ZeroBEC, 2026-07-10), and ReliaQuest profiled the Helix data-extortion cluster pairing manager-impersonation vishing with device-code phishing before SharePoint exfiltration (ReliaQuest, 2026-07-10). Read together with the week's ShinyHunters/Odido vishing attribution, the through-line is a maturing, commoditised identity-attack economy targeting the same tenant surface.

Why this is a cross-day pattern, not four items: device-code phishing, AiTM cookie theft, ROPC spraying and impersonation vishing are distinct techniques, but they exploit the same structural gap — a Conditional Access posture that assumes MFA coverage it does not actually enforce across every flow, client-app type and cloud app. A tenant that hardened against one of these this week is not hardened against the others.

Device code phishing is effective because it doesn't try to beat MFA. It sidesteps it.

Of the 78 compromised accounts, 55 had active Conditional Access policies requiring MFA.

Huntress

Builds on: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-10/forg365-m365-phaas-aitm-devicecode-forgcookie · 2026-07-10/helix-data-extortion-devicecode-vishing-sharepoint-exfil

synthesis12 Jul 23:24Zmulti-sourceOpen finding ↗
Sources: Huntress · ZeroBEC · ReliaQuest
03Vulnerability roll-up1 item
NOTABLEexploitedNATOB1

Vulnerability status roll-up — 2026-W28: what moved into exploitation, what reached KEV, and what to patch out-of-band

This roll-up consolidates the 2026-W28 vulnerabilities that cross the out-of-band-action bar — actively exploited, at imminent mass exploitation, or otherwise demanding a response the routine monthly cycle does not give. Per-CVE facts, CVSS, and affected/fixed versions live in the linked operational entries; this entry is the status trajectory a reader uses to sequence the week's patching.

Confirmed exploited / on CISA KEV this week. Adobe ColdFusion CVE-2026-48282 (one of the 1 July CVSS 10.0 unauthenticated RCEs) — exploited within two hours of public detail, KEV-listed 7 July (BleepingComputer, 2026-07-08). Citrix NetScaler CitrixBleed 2 CVE-2025-5777 — weaponised into a repeatable initial-access-broker kill chain ending in DragonForce ransomware; patch plus session termination required. Gitea CVE-2026-20896 — NCSC-CH escalated to "Actively Exploited, Proof of Concept Available" (NCSC-CH, 2026-07-10). Langflow CVE-2026-55255 — cross-tenant IDOR chained with pre-auth RCE, first exploited 25 June, now KEV. Joomla extension file-upload wave — CVE-2026-48908 / 56290 / 56291 / 48939 exploited as zero-days (see the dedicated top-story), CVE-2026-57827/57828 patched without confirmed exploitation yet.

Urgency raised by public exploit or full mechanics, no confirmed ITW use. GhostLock CVE-2026-43499 — Linux kernel rtmutex use-after-free with a public ~97%-reliable local-privilege-escalation exploit. Windows HTTP.sys CVE-2026-47291 (pre-auth RCE, CVSS 9.8) — ZDI published full exploitation mechanics for the June Patch Tuesday flaw, collapsing the reverse-engineering barrier. Linux KVM/x86 'Januscape' CVE-2026-53359 — shadow-MMU use-after-free enabling guest-to-host VM escape, relevant to multi-tenant virtualisation. BeyondTrust Remote Support / Privileged Remote Access — the CVE-2026-40138 pre-auth bypass cluster on a remote-access product class that is itself a high-value target.

OT / critical-infrastructure note. Siemens SICAM 8 grid RTUs (A8000/EGS/S8000) — a firmware-signature-validation bypass (CVE-2026-54798-801) on devices deployed in European energy grids; slow patch cycles make network isolation and OT-segment monitoring the near-term control. Progress MOVEit Transfer — pre-auth SFTP DoS (CVE-2026-10699) plus admin scope-bypass fixes, notable given MOVEit's history as a mass-exfiltration target.

Builds on: 2026-07-08/cve-2026-48282-adobe-coldfusion-actively-exploited-kev · 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-10/gitea-cve-2026-20896-ncsc-ch-actively-exploited-update · 2026-07-08/cve-2026-55255-langflow-idor-kev-chained-with-rce · 2026-07-08/ghostlock-cve-2026-43499-linux-kernel-rtmutex-uaf-lpe · 2026-07-11/cve-2026-47291-httpsys-zdi-exploitation-mechanics · 2026-07-09/cve-2026-53359-januscape-kvm-x86-guest-to-host-vm-escape · 2026-07-08/beyondtrust-rs-pra-preauth-bypass-cve-2026-40138-cluster · 2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass · 2026-07-11/moveit-transfer-certfr-cve-2026-10699-10698-11903

vulnerability12 Jul 23:26Zmulti-sourceOpen finding ↗
04Sector & victim patterns2 items
HIGHNATOB1

Government and public administration across Switzerland and Europe took a broad spread of attacks this week — ransomware, espionage watering-holes, AI-tooled APTs and credential-phishing

Government and public administration — the profiled constituency's core — absorbed an unusually broad spread of activity in 2026-W28, notable less for any single incident than for how many different attack classes landed on the sector in one week.

On the ransomware front, CERT.LV disclosed that a crew breached Latvijas Valsts Meži (LVM), Latvia's state forestry operator, through a service left unpatched for roughly two years, and framed it explicitly as an EU/NATO-shared-threat matter for a state-owned critical operator (CERT.LV, 2026-06). In Switzerland, Psychiatrische Dienste Aargau (PDAG), a cantonal health authority, had staff email accounts compromised via phishing and abused to relay spam — a low-sophistication but high-frequency pattern against public-sector mailboxes (SwissCybersecurity.net, 2026-07-09). On the espionage axis, SentinelLabs documented converging China- and India-nexus operations weaponising a citizen-facing e-government complaint portal as a watering hole with a CMS implant (SentinelLabs, 2026-07-10); Kaspersky profiled Armored Likho hitting government and electric-power targets with an AI-generated loader and the BusySnake stealer (Kaspersky Securelist, 2026-07-11); and CERT Polska tracked UNC1151/Ghostwriter moving to Gmail with real-time 2FA-relay phishing against officials (CERT Polska, 2026-06).

Why this is a sector pattern for the constituency: two of the five strands carry a direct home-region or EU-critical-operator nexus (a Swiss cantonal authority and a Latvian state operator); the e-government watering-hole targeted a Pakistani law-enforcement programme (EU-funded but with no direct European victim nexus) and is carried for its transferable technique, while the remaining two are actors whose targeting profile — government and energy — matches the constituency. The exposed surfaces recur: unpatched internet-facing services, public-sector email identity, and citizen-facing web applications.

Builds on: 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/pdag-aargau-email-account-compromise-spam-relay · 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · 2026-07-09/unc1151-ghostwriter-gmail-realtime-2fa-phishing

synthesis12 Jul 23:30Zmulti-sourceOpen finding ↗
NOTABLENATOB1

Healthcare across Switzerland and the UK saw ransomware confirmation, mailbox compromise and an insider-access clampdown this week

Healthcare surfaced three ways this week, and the value of reading them together is that they cover the sector's external, identity and internal threat surfaces in a single window.

Externally, Groupe 3R — the Réseau Radiologique Romand, a Western-Swiss radiology network — confirmed in its own forensic report that the Akira ransomware operation was responsible for the intrusion that had twice disrupted it, and that stolen data had been published on Akira's darknet leak site (SwissCybersecurity.net, 2026-05-07). On the identity surface, Psychiatrische Dienste Aargau (PDAG), a cantonal psychiatric authority, had email accounts phished and abused as a spam relay (SwissCybersecurity.net, 2026-07-09). Internally, NHS England issued new controls after staff were found inappropriately accessing high-profile patients' records, tying repeat "snooping" to dismissal and potential prosecution (NHS England, 2026-07-11).

Why this belongs to the constituency's healthcare lens: two of the three are Swiss (a Romand radiology provider and an Aargau cantonal authority), and the third is a transferable governance lesson for any large healthcare data controller. Healthcare's threat model is not just ransomware on clinical systems — it is equally the mailbox identity that attackers abuse and the legitimate-but-excessive internal access that no perimeter control addresses.

Builds on: 2026-07-09/groupe-3r-akira-forensic-confirmation-darknet-publication · 2026-07-11/nhs-england-insider-patient-record-access-controls · 2026-07-09/pdag-aargau-email-account-compromise-spam-relay

synthesis12 Jul 23:32Zmulti-sourceOpen finding ↗
05Incidents & disclosures recap1 item
NOTABLENATOB1

This week's disclosures clustered on third-party, cloud-account and vendor exposure — the breach rarely started inside the victim

Read as a set, the week's confirmed incidents point away from the classic perimeter-RCE story and toward exposure that lives in someone else's account, platform or supply chain.

The third-party / vendor strand: Accenture confirmed a data-theft incident after the handle "888" advertised roughly 35 GB of internal source code (BleepingComputer, 2026-07-08); Deutsche Bank disclosed a third-party-vendor incident after the "Unsafe" ransomware group posted claims (Computing, 2026-07-09); and KDDI named a zero-day in third-party email-platform software as the root cause of a breach affecting about 12 million people (BleepingComputer, 2026-07-09). The cloud-account strand: Nayax, a Bank-of-Lithuania-licensed EEA payment institution, disclosed a cloud-account incident (claimed by "The Syndicate") in its own SEC Form 6-K (Nayax, 2026-07-09); ShinyHunters' Odido (Netherlands telecom) breach drew a Dutch-national-involvement assessment from police voice analysis (Politie, 2026-07-08); and Nextcloud GmbH's own hosting infrastructure exposed roughly 367,000 internal records through a misconfigured public Elasticsearch (Cybernews, 2026-07-10).

Why the pattern matters for the constituency: several victims are directly relevant classes — an EEA-licensed payment institution, an EU telecom, a European cloud vendor — and the shared root cause is exactly the exposure a Swiss/EU public-sector or CI organisation inherits through its suppliers and cloud tenancy. The transferable lesson is that a mature internal patch posture does not cover a vendor's zero-day, a supplier's compromised account, or a misconfigured datastore in your own cloud footprint.

Builds on: 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-07-09/deutsche-bank-unsafe-ransomware-third-party-vendor-incident · 2026-07-09/kddi-isp-email-breach-zero-day-root-cause-update · 2026-07-09/nayax-cloud-account-incident-the-syndicate-claim · 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/nextcloud-gmbh-elasticsearch-exposure-msb-nrw

incident12 Jul 23:34Zmulti-sourceOpen finding ↗
06Research & threat-actor developments3 items
NOTABLENATOB2

Threat-actor developments this week: Group-IB reframes Scattered Spider as a decentralised collective, and China- and Iran-nexus edge/ORB tradecraft advances

The week's actor reporting split between a model-changing reframing of a well-known financially-motivated collective and a set of state-nexus tradecraft advances.

Scattered Spider — a model change, not an incident. Group-IB argues the actor "cannot be considered or analyzed as a single organized 'group' with its own hierarchy or organigram [but is] more accurately described as a decentralised cybercrime collective" of independent subclusters, typically 3-5 people, unified by shared tradecraft and community learning rather than command structure, and states "we can consider 0ktapus as a subcluster of Scattered Spider" — explicitly mapping Microsoft's Octo Tempest, Mandiant's UNC3944 and Palo Alto's Muddled Libra as overlapping labels for subclusters of the same movement (Group-IB, 2026-07-07). The documented playbook is squarely relevant to the constituency's help desks: vishing/smishing with Okta/Microsoft/Citrix/Google SSO-lookalike pages staged minutes before a call, SIM-swaps via coercion or carrier-staff social engineering, and help-desk impersonation using OSINT from already-compromised systems, monetised through BlackCat/ALPHV and DragonForce ransomware. The practical consequence Group-IB draws: because resilience comes from decentralisation, individual arrests do not blunt the collective, so defenders should treat each attributed intrusion as one small ad-hoc crew rather than evidence of a persistent central adversary.

State-nexus edge and C2 tradecraft. Talos detailed China-nexus UAT-7810 expanding its operational relay-box (ORB) network with the LONGLEASH/DOGLEASH/JARLEASH suite (Cisco Talos, 2026-07-08); Proofpoint's UNK_MassTraction, a suspected China-aligned actor, exploited Roundcube webmail as an edge device (Proofpoint, 2026-07-09); and Check Point exposed Iran MOIS-linked Cavern Manticore's modular .NET command-and-control framework with layered anti-analysis (Check Point Research, 2026-07-09).

Why grouped here: these are actor-model and capability developments — the lens the weekly owns — rather than new operational incidents. Scattered Spider's decentralisation and the state actors' edge/ORB focus both change how a SOC should scope attribution and where to look (help-desk identity workflows; internet-facing webmail and edge appliances as relay infrastructure).

Scattered Spider cannot be considered or analyzed as a single organized 'group' with its own hierarchy or organigram. Instead, it can be more accurately described as a decentralised cybercrime collective.

we can consider 0ktapus as a subcluster of Scattered Spider

Group-IB

Builds on: 2026-07-08/talos-uat-7810-china-nexus-orb-network-longleash · 2026-07-09/unk-masstraction-roundcube-edge-exploitation · 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis

research12 Jul 23:43Zsingle-sourceOpen finding ↗
NOTABLENATOB1

Trust-primitive forgery was a research theme this week: recovering live ADFS signing keys, and minting a second 'Verified' GitHub commit

Two of the week's research findings share an underappreciated theme: they forge a trust primitive that downstream systems and humans treat as authoritative, rather than exploiting a memory-corruption bug.

The heavier of the two, for the constituency, is Mandiant/GTIG's ADFS token-signing-key recovery. ADFS stores its certificate private keys under Machine DPAPI, so any SYSTEM-level process on the ADFS host can recover them independently of the live service or LSASS; when AutoCertificateRollover is disabled and an admin rotates a signing certificate manually without a matching WID update, the database retains a "ghost" record while the real signing key stays live in the machine key store. With that key, an attacker forges arbitrary SAML assertions to impersonate any federated user — Global Administrators included — against every SAML-federated app including Microsoft 365 and Entra ID, "bypassing multifactor authentication (MFA), conditional access, and all identity-based controls," and deliberately avoids the LSASS/live-ADFS surfaces defenders usually watch (Mandiant, 2026-07-09). The detectable side-effect is Event ID 385 (certificate-rollover mismatch), and Mandiant's guidance is to treat ADFS as Tier-0, move to HSM-backed keys, validate rotations with Set-AdfsCertificate, and SACL-audit the MachineKeys directory (Event ID 4663). The second finding, Git commit-signature malleability, lets an attacker produce a second commit with a different hash that still renders GitHub's "Verified" badge — collapsing the assumption that a verified-signed commit uniquely identifies its content (The Hacker News, 2026-07-09).

Why this belongs in the week's research lens: both extend a running arc — after last week's Keycloak JWT-forgery and OAuth-abuse research, this week's items give the on-premises-AD equivalent (ADFS) and a code-supply-chain equivalent (signed commits), each with a concrete detection surface the earlier work lacked.

Builds on: 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-09/git-signature-malleability-github-verified-commit-ghost-twin

research12 Jul 23:40Zmulti-sourceOpen finding ↗
NOTABLENATOB2

AI as operator, not target: this week's research showed adversaries using AI to run attacks faster, evade AI defences, and generate tooling

Last week's weekly framed AI as having "crossed from attack target to attack operator." This week's research does not repeat that thesis — it fills it in with concrete, independent data points that sharpen what defenders should change.

The clearest is operational tempo. Sygnia's incident responders documented a single actor going from an internet-facing-app foothold to broad compromise of AWS, CI/CD and source control in roughly 72 hours using no novel malware and no zero-day — every technique long-tracked, but chained and parallelised at a speed Sygnia attributes to AI/agentic assistance (four distinct IAM access keys used from one source in a single observed second) (Sygnia, 2026-07-08). The second is AI as attack surface turned back on defenders: the "Friendly Fire" brief showed prompt injection hijacking defensive AI code-review agents into remote code execution (AI Now Institute, 2026-07-11), and PraisonAI's agentic framework carried unsandboxed-LLM-code-execution and tool-call-RCE CVEs (PraisonAI GHSA, 2026-07-11). The third is AI in tooling and evasion: Kaspersky's Armored Likho APT shipped an AI-generated loader with the BusySnake stealer (Kaspersky Securelist, 2026-07-11), and SANS documented "comment stuffing" — padding HTML phishing attachments to dilute or exhaust AI/NLP email scanners (SANS ISC, 2026-07-10). This week's ESET Threat Report H1 2026, covered separately, independently records the first Android malware using generative AI at runtime.

Why this is a strategic-shift item, not a re-list: each finding is a distinct new-this-week research publication, and together they change a defender obligation rather than restate awareness — when access-to-impact compresses to hours and defensive AI itself becomes an exploitation target, detection can no longer wait for full visibility.

Builds on: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-11/friendly-fire-prompt-injection-rce-defensive-ai-agents · 2026-07-11/armored-likho-busysnake-ai-generated-loader-python-stealer · 2026-07-10/comment-stuffing-html-phishing-ai-email-scanner-evasion · 2026-07-11/praisonai-agentic-framework-three-cves-code-exec-rce-ddli · 2026-07-09/eset-threat-report-h1-2026

research12 Jul 23:38Zmulti-sourceOpen finding ↗
07Long-running campaigns · status update2 items
NOTABLEupdateNATOB2

The Gentlemen (Storm-2697) status update — Unit 42's full profile: 580 victims, a Qilin-affiliate lineage, and a suspected EDR-disable zero-day

UPDATE · originally covered The Gentlemen (2026-06-29)

Palo Alto Unit 42 published the first full technical profile of The Gentlemen (Microsoft: Storm-2697; also Phantom Mantis), consolidating and extending the picture this pipeline built from ESET's GentleKiller research and the FortiBleed nexus. The delta worth carrying: Unit 42 counts 580 claimed victims across 77 countries through 3 July 2026 (103 in manufacturing) and a "slightly more than 6x" victim increase from H2 2025 to H1 2026, and assesses the ~20 operators "likely morphed from a private entity into a RaaS model on or about September 2025," previously operating as "ArmCorp," an affiliate of Qilin, now offering an "unprecedented 90% payout" versus the typical 70-80% (Unit 42, 2026-07-10). Two operationally relevant additions: the initial-access set now explicitly names Erlang/OTP SSH-server and Windows SMB-client flaws alongside the already-tracked FortiOS/FortiProxy edge path, and Unit 42 cites Expel describing a suspected zero-day the group uses specifically to disable target EDR agents — distinct from the BYOVD-based GentleKiller framework and not previously in this pipeline's coverage. The Go/C dual-language encryptor and Curve25519/XChaCha20 per-file key scheme are unchanged.

The operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.

When comparing the last six months of 2025 to the first six months of 2026, the number of victims claimed by The Gentlemen increased by slightly more than 6x.

Palo Alto Networks Unit 42
synthesis12 Jul 23:46Zsingle-sourceOpen finding ↗
NOTABLENATOB1

npm supply-chain wave status: jscrambler package compromised this week, extending the install-hook-evasion pattern seen in the injectivelabs SDK

The software-supply-chain pressure on the npm ecosystem that this pipeline has tracked as a sustained wave continued this week, with a fresh compromise that sharpens the evasion trend rather than repeating it.

On 2026-07-11 the jscrambler npm package — a code-protection/obfuscation build tool — was compromised via what Socket assesses as a stolen publishing credential or compromised build pipeline: a malicious v8.14.0 pushed directly to npm, bypassing the project's normal release flow, adding an undocumented preinstall hook that unpacks and detached-spawns a platform-specific Rust infostealer on npm install alone. The stealer targets cloud metadata-endpoint credentials, Kubernetes configs, browser secrets, crypto-wallet seeds, AI coding-tool configs and messaging tokens. The notable evolution: over roughly three hours the actor pushed four more malicious releases and, "starting with 8.18.0 the install hook is gone entirely—the identical dropper is instead injected as a self-executing function at the top of dist/index.js" — moving execution out of the very hook that install-script scanners watch (Socket, 2026-07-11). Socket "detected the compromised package 6 minutes after publication"; v8.22.0 is confirmed clean (The Hacker News, 2026-07-11). This is the same install-hook-evasion arc as this week's injectivelabs SDK compromise, though — unlike the Shai-Hulud worm strain — jscrambler has not been shown to self-propagate to other maintainers.

Starting with 8.18.0 the install hook is gone entirely—the identical dropper is instead injected as a self-executing function at the top of dist/index.js.

Socket detected the compromised package 6 minutes after publication.

Socket

Builds on: 2026-07-10/injectivelabs-npm-runtime-keyhook-supply-chain-evasion · 2026-06-29/npm-supply-chain-worms-a-sustained-wave-across-the-week

synthesis12 Jul 23:48Zmulti-sourceOpen finding ↗
08Policy & regulatory horizon2 items
NOTABLENATOA1

FINMA sets post-quantum crypto expectations for the Swiss financial sector — Aufsichtsmitteilung 05/2026 flags 'harvest now, decrypt later' and a missing migration roadmap

FINMA published Aufsichtsmitteilung (supervisory communication) 05/2026 on 9 July 2026, presenting the results of a November 2025–January 2026 survey of 60 Swiss financial institutions on cryptographically-relevant quantum computing (CRQC) risk. Its core finding: institutions are aware of the threat but "meist fehlt aber eine klare Roadmap und eine ausreichend vorausschauende Planung für die Migration zu quantensicherer Verschlüsselung" — most lack a clear roadmap and sufficiently forward-looking planning for the migration to quantum-safe encryption (FINMA, 2026-07-09). FINMA explicitly names "harvest now, decrypt later" — capture-and-store-for-future-decryption of today's encrypted traffic and data — as the operative near-term threat model, and sets, under existing operational-risk-and-resilience supervisory expectations rather than a new binding circular, that institutions should produce a PQC migration strategy and roadmap, run an institution-specific risk analysis, "die Erstellung eines kryptographischen Inventars" (build a cryptographic inventory), adopt crypto-agility, and extend the planning to outsourced service providers. No mandatory deadline accompanies the communication (swissinfo.ch, 2026-07-10).

Why this belongs in the strategic view: it is the home financial-sector regulator setting a direction of travel that a Swiss/EU public-sector or CI reader will encounter next as a compliance expectation, and it reframes post-quantum readiness as a near-term data-protection issue, not a distant cryptographic curiosity — because the "harvest now, decrypt later" risk accrues from today's captured traffic regardless of when a CRQC actually arrives.

Die Institute sind sich der Cyberrisiken von kryptografisch relevanten Quantum Computern bewusst. Meist fehlt aber eine klare Roadmap und eine ausreichend vorausschauende Planung für die Migration zu quantensicherer Verschlüsselung.

Dazu gehört eine klare Strategie und Roadmap für die Migration zu quantensicheren Verschlüsselungen, eine institutsspezifische Risikoanalyse, die Erstellung eines kryptographischen Inventars, der Schutz kritischer Daten vor 'harvest now, decrypt later' Angriffen.

FINMA
policy12 Jul 23:54Zmulti-sourceOpen finding ↗
NOTABLEupdateNATOA1

Netherlands NIS2 transposition confirmed: the Senate passed the Cyberbeveiligingswet on 7 July, fixing entry into force at 15 August 2026

UPDATE · originally covered Netherlands NIS2 transposition slips past its 1 July target — Senate vote set for 7 July, entry into force now 15 August 2026 (2026-07-05)

the Dutch NIS2 transposition status this pipeline tracked as "slipped past its 1 July target, Senate vote set for 7 July" has resolved. On 7 July 2026 the Eerste Kamer (First Chamber) passed both the Cyberbeveiligingswet (Cbw, the NIS2 transposition) and the companion Wet weerbaarheid kritieke entiteiten (Wwke, the CER-directive transposition) — the Tweede Kamer had passed them on 15 April — and "de wetten treden op 15 augustus 2026 in werking" ("the laws enter into force on 15 August 2026") (Rijksoverheid.nl, 2026-07-07). The parliamentary vote record confirms broad cross-party support (Eerste Kamer, 2026-07-07). The Cbw covers roughly 8,000 organisations across 18 designated essential/important sectors and imposes a cybersecurity duty of care (including supply-chain risk management), mandatory registration in the NCSC entity register, significant-incident reporting to the relevant CSIRT, and board-level accountability with director training (NCSC-NL).

Why this matters to the constituency: beyond direct applicability to any covered Dutch entity, this is a concrete datapoint for the deployment's standing EU NIS2-transposition watch — a member state moving from indefinite slip to a fixed enforcement date. For Swiss-domiciled organisations with Dutch subsidiaries, NL-incorporated critical suppliers, or cross-border NIS2-equivalent reporting relationships, 15 August 2026 is the operative clock, five weeks out from this brief. The next checkpoint is confirmation the NCSC-NL entity register is live and accepting registrations ahead of the date.

De wetten treden op 15 augustus 2026 in werking.

Rijksoverheid.nl (Dutch national government)
policy12 Jul 23:52Zmulti-sourceOpen finding ↗
09Looking ahead · what to watch next week1 item
NOTABLENATOB2

Looking ahead — 2026-W28

Items already in motion for the coming weeks — each with a dated source or an in-week entry, none a prediction:

  • EU regulatory clocks. The Dutch NIS2 Cyberbeveiligingswet enters into force 15 August 2026 — now a fixed date after the 7 July Senate passage (Rijksoverheid.nl, 2026-07-07). The EU Cyber Resilience Act vulnerability/incident-reporting obligation lands 11 September 2026, roughly 60 days out and previously covered in this store — the reporting-platform readiness is the item to watch next.
  • FINMA post-quantum guidance may harden. FINMA's Aufsichtsmitteilung 05/2026 is supervisory expectation-setting, not yet a binding circular; the open question is whether it converts into a Rundschreiben revision (FINMA, 2026-07-09).
  • Joomla file-upload wave — the newest members await exploitation. RSFiles! and Phoca Download are patched but not yet exploited, whereas earlier members of the same CWE-434 wave reached CISA KEV within days (mySites.guru, 2026-07-11) — treat these as likely-imminent-KEV, not resolved.
  • The Gentlemen EDR-disable zero-day. Unit 42 references an Expel analysis of a suspected zero-day the group uses to disable EDR, distinct from the GentleKiller BYOVD framework; that write-up had not published at the time of Unit 42's report (Unit 42, 2026-07-10).
  • CitrixBleed 2 broker activity continues. Huntress' STAC3725 reconstruction shows an initial-access broker actively weaponising CVE-2025-5777; organisations that patched but did not terminate live sessions remain exposed to token replay and downstream DragonForce deployment (Huntress, 2026-07-10).

Builds on: 2026-07-12/weekly-w28-netherlands-nis2-in-force · 2026-07-12/weekly-w28-finma-post-quantum-guidance · 2026-07-12/weekly-w28-joomla-file-upload-rce-wave · 2026-07-12/weekly-w28-the-gentlemen-status · 2026-07-12/weekly-w28-exploited-edge-enterprise-software · 2026-06-29/eu-cyber-resilience-act-75-days-to-the-11-september-vulnerab

outlook12 Jul 23:56Zmulti-sourceOpen finding ↗
About this weekly1 run

2026-07-12T2309Z-weekly · Claude Opus 4.8 · 15 entries published

Weekly strategic run — 2026-W28 (2026-07-06 – 2026-07-12)

ATT&CK pin freshness

tools/attack_data.py --check: up to date — local v19.1 == upstream latest v19.1. No update required this run. Two operational-entry technique ids composed this week were mapped to their v19 survivors after the pin check (T1562.001 → T1685 "Disable or Modify Tools"; T1656 → T1684.001 "Impersonation").

Week in review (Phase 1)

57 operational entries across the ISO week (07-08: 11, 07-09: 21, 07-10: 16, 07-11: 9; 07-06/07-07/07-12 quiet), 13 high-priority, no critical. Working lists persisted to work/<run-id>/week-review.json. Duplicate-week guard: prior -weekly record (2026-07-05) covered W27; W28 not previously covered — cleared.

Strategic output (15 entries)

  • top-stories (2): Joomla third-party-extension file-upload RCE wave (on-fire, CH/EU public-sector, several exploited zero-days + KEV); confirmed ITW exploitation of exposed enterprise/edge software (ColdFusion KEV, CitrixBleed 2 → DragonForce IAB, Gitea escalated by NCSC-CH).
  • multi-day (1): M365 identity-attack convergence — device-code / AiTM PhaaS / ROPC spray / manager-impersonation vishing all sidestepping MFA + Conditional Access.
  • vuln-rollup (1): W28 CVE status trajectory (exploited/KEV set + public-exploit set + OT note); cves: [] by design — every CVE fully sourced in its referenced operational entry, so the roll-up avoids the cross-run CVE-dedup FAIL.
  • sector-patterns (2): government & public administration (CH/EU) targeting cluster (high); healthcare (CH nexus).
  • incidents-recap (1): third-party / cloud-account / vendor exposure drove the week's disclosures.
  • research (3): AI operationalised (from target to operator, deepening); identity & trust-primitive forgery (ADFS Machine DPAPI key recovery + Git signature malleability); threat-actor developments (Scattered Spider reclustering + China/Iran state-nexus edge/ORB/C2 tradecraft).
  • long-running (2): The Gentlemen (Storm-2697) status update (update_of W26); npm supply-chain wave status (jscrambler + injectivelabs).
  • policy (2): Netherlands NIS2 Senate passage → 15 Aug 2026 in force (update_of W27 slip story); FINMA post-quantum crypto guidance AM 05/2026.
  • looking-ahead (1): 2026-W28 outlook — items already in motion.

Priority calibration: high reserved for the four genuinely week-defining items (Joomla wave, exploited edge/enterprise, M365 identity convergence, CH/EU government targeting); no critical — no single stop-and-act weekly item this week, bar unchanged.

Verification & coverage notes

  • Weekly dedup (replaces PD-8). Dedup ran against W27 (2026-07-05) and W26 (2026-06-29) strategic entries. Items already consolidated returned only as fresh deltas: Netherlands NIS2 as update_of the W27 slip entry (Senate now passed, hard date fixed); The Gentlemen as update_of the W26 long-running entry (Unit 42 full profile). The AI-as-operator arc (W27 multi-day) returns only as new-this-week specific research (Sygnia, Friendly Fire, Armored Likho, PraisonAI, comment-stuffing), not a re-list. W1 found no qualifying new movement on ShinyHunters/UNC6240, FortiBleed, DragonForce/CitrixBleed (beyond dailies) or Operation Endgame — checked, not padded.
  • Already-operational, referenced not re-summarised. W1 surfaced the Mandiant ADFS and Sygnia AWS items as fresh, but both were already published operationally on 07-09; they are synthesised into the research entries by reference (with new lens), never re-summarised. The ESET Threat Report H1 2026 (07-09 annual-report) is referenced once, not re-summarised.
  • Single-source items. The Scattered Spider reclustering rests on a single primary (Group-IB) with no independent second source yet — carried as single-source, attributed to Group-IB as an analytical model, not settled fact. The Gentlemen status delta is single-source (Unit 42); the cited Expel EDR-disable zero-day is a third-party claim relayed by Unit 42, not independently confirmed (flagged in the entry and the outlook).
  • Coverage gaps. jina universal-reader (tools/fetch_source.py jina) returned HTTP 402 "JINA_API_KEY balance exhausted" on every call across BOTH sub-agents this run — a system-wide outage, not a per-source failure. Every source whose recipe leans on the jina fallback rung (e.g. coe.int, cisa-directives direct-403 hosts) was degraded to direct-fetch/WebSearch only. W2 covered the affected policy questions via WebSearch with no material item lost; Council of Europe Second Additional Protocol status unchanged (2 of 5 ratifications). W1 listed recordedfuture-insikt (JS-shell landing page, needs a bridge/RSS recipe) and sekoia (301 → sekoia.com/blog, url needs updating) as reachable-but-degraded — deferred to a daily run rather than edited this run to avoid sources.json churn during the jina outage. Operator action: the jina API key needs a top-up or rotation (https://jina.ai/api-dashboard/) — until then, every jina-fallback source is degraded across all routines.
  • Source health. tools/source_health.py probed 157/157 sources (95 ok, 56 bridge-ok, 3 bridge-blocked). Three UNSOLVED needs-demote flags — ccn-cert-es, reliaquest, mysites-guru — are all attributable to the same jina-402 outage above, not to dead recipes: mysites.guru and reliaquest both fetched successfully as primary sources in this week's daily entries (the Joomla wave and Helix entries cite them), so their content is demonstrably reachable and the failure is the jina fallback rung being balance-exhausted this run. Demoting healthy sources on a transient key-balance outage would violate the standing "a transport/anti-bot block never demotes" rule, so no demotion was applied; the operator-side jina key top-up clears all three. sources_changed: [].
  • check_run.py --pre-verify and the Phase 5.7 verifier loop results are recorded in the verification block above once run.