Threat Newsletter July 13, 2026
AI-driven attacks dominated this week: the first fully agentic ransomware (JadePuffer), a 72-hour AI-assisted AWS breach, an AI-powered phishing platform (Forg365), and prompt injection tricking AI agents into crypto payments. Identity-based social engineering continued with the new Helix vishing group and a reclassification of Scattered Spider as a decentralized collective, while nation-state actors from Iran, China, and North Korea ran supply chain and espionage campaigns. Critical Adobe ColdFusion and Oracle EBS flaws were exploited within hours of disclosure, and several extortion cases reinforced that data theft — not encryption — is now the main pressure tactic. Bright spots included the NetNut proxy botnet takedown, Opera's anti-ClickFix protections, the launch of IBM/Red Hat's Lightwell, and France's 2027 post-quantum certification deadline.
JadePuffer Ransomware Used AI Agent to Automate Entire Attack
Sysdig researchers documented what they believe is the first ransomware operation run end-to-end by an autonomous LLM agent. JadePuffer exploited a known Langflow RCE flaw (CVE-2025-3248) for initial access, then autonomously performed reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and encryption of over 1,300 Nacos configuration items. The agent adapted to failures in real time — in one case turning a failed login into a working fix in 31 seconds.
Key Takeaways:
- "Agentic threat actors" are now a documented reality, dramatically lowering the skill floor for damaging attacks
- Patch internet-exposed Langflow and Nacos instances; the flaws exploited were long-patched
- LLM-generated payloads carry telltale artifacts (natural-language code comments, rapid error-aware iteration) that create new detection opportunities

New Forg365 Phishing Platform Uses AI to Target Microsoft 365 Accounts
ZeroBEC exposed Forg365, a new phishing-as-a-service (PhaaS) operation targeting Microsoft 365 accounts. The platform combines adversary-in-the-middle (AiTM) and device-code phishing with AI-assisted lure generation built directly into its operator dashboard. It also ships a browser extension ("ForgCookie") that silently refreshes stolen Microsoft SSO cookies for persistent access, and abuses legitimate services (Amazon SES, SendGrid, Cloudflare Pages) to blend into normal traffic.
Key Takeaways:
- Restrict or disable Microsoft device-code authentication unless genuinely required
- Monitor Entra logs for device-code auth events, unexpected OAuth grants, new device sign-ins, and mailbox rule changes
- AI integration is lowering the cost of building and running PhaaS platforms — expect more of these
- If compromise is suspected, revoke and refresh all tokens and sessions immediately

Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments
Zscaler uncovered two campaigns using indirect prompt injection embedded in malicious websites to exploit autonomous AI agents browsing the web. One used SEO poisoning around a fake Python library to hide payment instructions in schema markup and hidden HTML, coaxing agents into sending cryptocurrency to attacker wallets. The other typosquatted the DeBank DeFi platform and used injected prompts to convince agents the fake site was legitimate. In Zscaler's testing, 4 of 26 LLMs were manipulated into making a payment.
Key Takeaways:
- Web content itself is becoming an attack surface as AI agents increasingly act on users' behalf
- Agents with payment or transaction capabilities need strict guardrails, spending controls, and human approval steps
- SEO poisoning is being purpose-built to target AI agent queries, not just human searchers

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
Analyzing a week of endpoint telemetry, Sophos found that legitimate AI coding agents (Claude Code, Cursor, OpenAI Codex) routinely trip behavioral detections designed for human intruders — decrypting browser credentials via DPAPI, enumerating Windows Credential Manager, downloading files with LOLBins like certutil and bitsadmin, and writing to startup folders. Credential access made up 56% of blocked activity. The same behaviors also appear in attacker-run and hijacked agents, muddying signals defenders rely on.
Key Takeaways:
- Expect endpoint alerts from developer machines running AI agents; scope execution-noise rules by agent parent process and workspace paths
- Hold the line on credential-store access — it doesn't become safe just because an agent did it
- Disable risky agent modes (e.g., permission-skipping flags) via managed settings
- Behavioral detection alone is losing fidelity as benign, malicious, and hijacked agents generate identical telemetry

New Helix Vishing Group Emerges in SharePoint Data Theft Attacks
ReliaQuest profiled Helix, a new data-extortion group using voice phishing (including manager impersonation with caller ID spoofing), device-code phishing, and MFA abuse to compromise Microsoft 365 accounts and steal SharePoint data. After access, operators register their own MFA authenticator for persistence, enumerate SharePoint with automated wildcard searches, and bulk-download files. Researchers see likely lineage from ShinyHunters and the defunct BlackFile group based on overlapping infrastructure and playbooks.
Key Takeaways:
- Disable device-code authentication where possible — the highest-impact defense against this playbook
- Restrict SharePoint access to managed devices and block traffic to newly registered domains
- Watch for consistent exfiltration fingerprints: automated SharePoint enumeration followed by bulk downloads from a single IP/user-agent
- Train employees on vishing that impersonates their own managers

Scattered Spider's Structure More Like a Cybercrime Collective Than a Unified Gang
Group-IB analysis reclassifies Scattered Spider as a decentralized collective of independent clusters sharing tactics, tools, and online communities — comparable to Anonymous — rather than a single coordinated gang. This explains why activity persists despite arrests. Some incidents previously attributed to the group (including the M&S/Co-op attacks) may have been carried out by unrelated actors. Social engineering (IT/HR impersonation, identity-provider phishing pages, SIM swapping, insider recruitment) remains the common thread.
Key Takeaways:
- Arrests of individual members are unlikely to eliminate the broader threat — defend against the shared TTPs instead
- Prioritize defenses against identity-based attacks and help-desk/IT-impersonation social engineering
- Phishing pages impersonating Okta, Microsoft, Citrix, and Google are recurring lures across clusters

Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks
Check Point detailed Cavern Manticore, an Iran-linked (MOIS-affiliated, possibly tied to OilRig subgroup Lyceum) APT targeting Israeli government entities and IT providers with a modular .NET C&C framework — likely built with AI assistance but with substantial human involvement. The framework uses mixed compilation formats as an anti-analysis layer, isolates modules in disposable AppDomains, and cleans up after itself. Attackers abused SysAid's update feature for DLL sideloading and moved through multi-hop IT supplier chains (RMM tools, browser-based remote desktop, remote printing for exfiltration) to reach final targets.
Key Takeaways:
- IT service providers are the stepping stones — the actor demonstrated deep knowledge of Israel's IT supply chain, moving through two provider hops to reach targets
- Monitor RMM tooling and software-update mechanisms for abuse
- Modular, per-victim-tailored malware complicates signature-based detection; behavioral monitoring of module load/unload activity is more effective

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT
Seqrite Labs detailed Operation DragonReturn, a multi-stage campaign timed to India's tax filing season targeting taxpayers, tax professionals, and corporate finance teams. Spear-phishing emails impersonating the Income Tax Department lead victims to download a fake tax utility that sideloads a malicious DLL, hides a secondary payload inside a JPG image, establishes persistence via a Windows service, disables AMSI, and deploys DCRat for data theft. Infrastructure ties to ChinaNet and tactical overlaps with the Silver Fox group suggest China-aligned attribution.
Key Takeaways:
- Seasonal, government-themed lures (tax deadlines) remain highly effective — expect precision-crafted bilingual lures with real legal citations
- DLL sideloading and image-based payload concealment (steganography) bypass many email/endpoint filters
- Watch for UAC prompts from recently downloaded "official utilities" and unexpected new Windows services

North Korean Hackers Target Open Source Developers in Supply Chain Attacks
Socket reported on PolinRider, a North Korea-linked supply chain campaign (tied to the broader Contagious Interview operation) active since December 2025. Attackers compromise maintainer accounts across npm, Packagist, Go modules, and Chrome extensions, injecting obfuscated JavaScript loaders that fetch encrypted payloads via blockchain/RPC infrastructure to deliver the DEV#POPPER RAT and OmniStealer. So far: 162 malicious release artifacts across 108 packages, with Git history rewriting used to disguise the changes as old.
Key Takeaways:
- Treat any environment that installed affected packages as potentially compromised — and remediate from a clean machine
- Developer environments expose registry, source code, cloud, and CI/CD credentials, making them high-value targets
- Git history rewriting means "the change looks old" is not evidence of legitimacy
- Enforce MFA and hardware keys on maintainer accounts for anything your org publishes

Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Organization
Datadog Security Labs is tracking overlapping campaigns systematically enumerating corporate GitHub organizations, repos, and users via the GitHub API. Operators use automated scrapers, more than 50 "ghost" accounts (created 2–5 years ago and deliberately left dormant to appear legitimate), and dozens of compromised OAuth tokens/PATs from real users. Most activity targets public data, but in select cases attackers escalated to cloning private repositories.
Key Takeaways:
- Individually unremarkable API requests become significant in aggregate — look for synchronized enumeration patterns across your org
- Audit and rotate personal access tokens and OAuth grants; exposed PATs are actively harvested
- Account age is no longer a trust signal — aged, dormant accounts are being weaponized specifically to evade heuristics
- Public GitHub metadata (members, followers, repo activity) is being systematically mapped for reconnaissance

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case
A Ransom-ISAC case study built on a leaked negotiation chat and blockchain analysis revealed a U.S. government entity — evidence strongly points to Union County, Ohio — paid roughly $1 million (9.44 BTC) in June 2025 to the Kairos group to prevent publication of ~2TB of stolen data. Notably, no encryption occurred: Kairos ran pure data-theft extortion. The negotiation ran a month, dropping from a $3M demand, and the payment was traced through wallets toward Bybit, OKX, and a Russian exchange. The "proof of deletion" provided was essentially worthless.
Key Takeaways:
- Encryption-free extortion is now mainstream — roughly half of "ransomware" attacks no longer involve encryption at all
- A deletion promise from a thief proves nothing; assume stolen data remains at risk after payment
- Kairos claimed initial access via simple password guessing — MFA and login-failure monitoring are basic but decisive controls
- Segment legal, HR, and citizen records; monitor for large outbound transfers and burner file-sharing services

AdaptHealth: Crooks Stole Our Passwords, Patient Health Data
Home medical equipment provider AdaptHealth disclosed to the SEC that attackers used social engineering to compromise a third-party contractor's user session, gaining access to its cloud environment, patient management systems, document storage platforms, and external EHR portals. Stolen data includes a password file tied to insurance billing plus patient PII and protected health information. The attacker contacted the company on June 15 claiming the theft; AdaptHealth deemed the incident material on June 27, and its statement about "mitigating dissemination risk" hints a payment may have been made.
Key Takeaways:
- Third-party contractor access remains a top healthcare attack vector — apply least privilege and session monitoring to vendor accounts
- Stored password files are catastrophic when exfiltrated; vault credentials rather than keeping password files in business systems
- SEC materiality disclosures are increasingly how breaches surface — scope, victim counts, and extortion details often lag behind

Mount Royal University Confirms Breach as Hackers Claim Attack
Calgary's Mount Royal University confirmed that attackers who breached its network on June 17 stole data from its shared "H drive" (affecting current/former students and employees) and then wiped it, along with a separate departmental "J drive," to hinder recovery. The CMD Organization extortion group claimed the attack, demanded 30 BTC (~$1.9M), published samples including passport scans, and runs an auction-style leak site listing 30 victim organizations. Full recovery may take months and may not be complete.
Key Takeaways:
- Destructive deletion paired with theft is a growing pressure tactic — immutable, offline backups are the only real counter
- The wipe makes it hard to even determine what was stolen, complicating breach notification obligations
- Higher education remains heavily targeted; shared network drives holding sensitive documents are prime exfiltration targets

Max Severity Adobe ColdFusion Flaw Now Exploited in Attacks
Attackers began exploiting CVE-2026-48282, a maximum-severity unauthenticated RCE in Adobe ColdFusion (versions 2025.9, 2023.20 and earlier), within two hours of public disclosure, according to KEVIntel honeypot data. Adobe patched the flaw on Tuesday, urging deployment within 72 hours, and Canada's Cyber Centre echoed the warning. Shadowserver tracks nearly 800 ColdFusion instances exposed online. This follows Adobe's patches for six other max-severity ColdFusion/Campaign flaws the prior week.
Key Takeaways:
- Exploitation-within-hours is the new normal — patch windows for internet-facing critical flaws are now measured in hours, not weeks
- Inventory and, where possible, remove ColdFusion from direct internet exposure
- Unauthenticated, low-complexity RCE with no user interaction: assume compromise if patching was delayed and hunt accordingly

Researchers Spot Exploitation of Another Critical Oracle Defect (Oracle EBS)
Threat intelligence firm Defused observed exploitation of CVE-2026-46817 (CVSS 9.8), a critical flaw in the payments processing feature of Oracle E-Business Suite, patched in late May. Six exploitation attempts from a single IP hit honeypots before any public PoC existed — likely reconnaissance and weaponization testing. Shadowserver counts roughly 950 potentially vulnerable internet-exposed EBS instances, more than half in the U.S. The concern: Oracle EBS was the vector for Clop's mass extortion spree last year, and PeopleSoft was recently hit by ShinyHunters.
Key Takeaways:
- Patch Oracle EBS now — the single-source activity pattern often precedes broad campaigns (as seen with Clop)
- Oracle business applications are proven mass-extortion targets with an established attacker playbook
- Remove EBS from direct internet exposure wherever possible; ~950 exposed instances are a ready-made target list

NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off
A joint operation involving Google, the FBI, Lumen, and Shadowserver disrupted NetNut (aka Popa), one of the world's largest residential proxy networks, built on at least 2 million compromised Android devices (including smart TVs and streaming boxes) infected via trojanized apps and botnets like Badbox 2.0. In one week, Google observed 316 distinct threat clusters — criminal and espionage — routing traffic through NetNut exit nodes. The FBI seized domains, and Google disabled C2-supporting accounts and pushed Play Protect warnings.
Key Takeaways:
- Residential proxies remain core criminal infrastructure for hiding password spraying and victim access behind legitimate home IPs
- The proxy economy is interconnected — disruption may push operators to resell capacity from competitors, so IP reputation alone is unreliable
- Consumer IoT/Android devices from untrusted supply chains often ship pre-compromised; enterprises should treat residential IP traffic patterns with appropriate suspicion

Opera Rolls Out Paste Protect Feature to Fight ClickFix Attacks
Opera introduced Paste Protect, enabled by default, to counter ClickFix social engineering — attacks that trick users into copying and executing malicious commands under the guise of verification steps or troubleshooting fixes. The feature scans clipboard content against platform-specific rules (Windows, macOS, Linux), blocks suspicious copies, shows a warning with the first 120 characters of the blocked script, and allows override only after a 5-second timeout. It complements Apple's recent Terminal warning for the same threat.
Key Takeaways:
- Browser and OS vendors are converging on clipboard-level defenses — a sign of how prevalent ClickFix has become as an infostealer delivery method
- User guidance still matters: never run commands you don't understand, regardless of how "official" the instructions look
- Developers who copy scripts regularly can allow-list trusted sites, reducing friction while keeping protection on

IBM and Red Hat Have Moved Project Lightwell From Vision to Product
IBM and Red Hat commercially launched Lightwell on July 8, converting May's $5 billion open source security pledge into purchasable products in about ten weeks. Lightwell Network is generally available with 6,500+ remediated, digitally signed components across Java and Python, pairing an AI remediation engine with 20,000+ human engineers who validate fixes and backport patches to in-production versions (no forced upgrades). Lightwell Clearinghouse Premier adds member-specific remediation and disclosure handling, initially limited to financial services firms including major U.S. banks.
Key Takeaways:
- AI-accelerated vulnerability discovery is outpacing human patching capacity — commercial "remediation-as-a-service" models are emerging in response
- Backported, signed patches for existing production versions address a real enterprise pain point: fixing CVEs without disruptive upgrades
- Watch this space if you carry a large open source dependency backlog; the model's success hinges on AI find-rates staying high and validated

France to Stop Certifying Products Without Quantum-Safe Encryption
France's cybersecurity agency ANSSI announced it will stop certifying security products that lack quantum-resistant encryption starting in 2027, with businesses expected to buy only quantum-safe products by 2030. Because ANSSI certification is mandatory for French government agencies and critical infrastructure, this amounts to a de facto phase-out of legacy cryptography — driven largely by "harvest now, decrypt later" concerns. It's among the most aggressive PQC timelines globally (NIST targets deprecation of RSA/ECDSA by 2030, disallowance by 2035).
Key Takeaways:
- If you sell into French government or critical infrastructure markets, PQC support is now a 2027 product requirement
- Start crypto inventory and migration planning now — cryptographic transitions take years, and long-lived sensitive data is already at "harvest now" risk
- Expect other national regulators to convert PQC guidance into binding certification requirements clustered around 2028–2030

Launch of UK's National Cyber Action Plan Delayed
Britain's National Cyber Action Plan — the government's strategy for defending the wider economy against state-backed and criminal hacking — was postponed again following Prime Minister Keir Starmer's resignation and the resulting Labour leadership contest. The plan had been due Monday. The delay continues a pattern: the Cyber Security and Resilience Bill took over four years to reach Parliament and won't be enforced until 2028. The NCSC reported handling 200+ incidents affecting critical national infrastructure between June 2024 and May 2026, 75% linked to state actors.
Key Takeaways:
- UK cyber policy continues to be treated as low political priority, with experts warning that major legislation repeatedly slips amid political turbulence
- Organizations in the UK should not wait for regulation — voluntary measures (Cyber Essentials, NCSC Early Warning) remain the operative baseline
- The 75% state-actor share of CNI incidents underscores that the threat environment isn't waiting for the policy process

UK Cyber Pledge Draws Limited Partners Despite Ministerial Appeal
The UK's voluntary Cyber Resilience Pledge launched with just 70 founding signatories — and 20 of those were strategic government suppliers signed via a separate charter, leaving only ~50 truly voluntary participants across the wider economy despite ministers writing to hundreds of firms including all FTSE 350 companies. Signatories (including Aviva, LSEG, and M&S) commit to board-level cyber responsibility, joining NCSC's Early Warning service, and risk-based Cyber Essentials requirements in supply chains. Analysts suggest weak uptake may become the government's justification for future regulation.
Key Takeaways:
- Voluntary pledges with no enforcement mechanism are drawing limited corporate buy-in — regulation may follow if uptake stays low
- The pledge's three asks (board accountability, Early Warning enrollment, supply-chain Cyber Essentials) are sensible baselines worth adopting regardless of signing
- The UK pattern of consultation → voluntary pledge → regulation suggests firms should prepare for eventual mandatory requirements












