Threat Newsletter July 13, 2026

Share
Threat Newsletter July 13, 2026
Photo by FlyD / Unsplash

AI-driven attacks dominated this week: the first fully agentic ransomware (JadePuffer), a 72-hour AI-assisted AWS breach, an AI-powered phishing platform (Forg365), and prompt injection tricking AI agents into crypto payments. Identity-based social engineering continued with the new Helix vishing group and a reclassification of Scattered Spider as a decentralized collective, while nation-state actors from Iran, China, and North Korea ran supply chain and espionage campaigns. Critical Adobe ColdFusion and Oracle EBS flaws were exploited within hours of disclosure, and several extortion cases reinforced that data theft — not encryption — is now the main pressure tactic. Bright spots included the NetNut proxy botnet takedown, Opera's anti-ClickFix protections, the launch of IBM/Red Hat's Lightwell, and France's 2027 post-quantum certification deadline.


JadePuffer Ransomware Used AI Agent to Automate Entire Attack

Sysdig researchers documented what they believe is the first ransomware operation run end-to-end by an autonomous LLM agent. JadePuffer exploited a known Langflow RCE flaw (CVE-2025-3248) for initial access, then autonomously performed reconnaissance, credential theft, lateral movement, persistence, privilege escalation, and encryption of over 1,300 Nacos configuration items. The agent adapted to failures in real time — in one case turning a failed login into a working fix in 31 seconds.

Key Takeaways:

  • "Agentic threat actors" are now a documented reality, dramatically lowering the skill floor for damaging attacks
  • Patch internet-exposed Langflow and Nacos instances; the flaws exploited were long-patched
  • LLM-generated payloads carry telltale artifacts (natural-language code comments, rapid error-aware iteration) that create new detection opportunities
JadePuffer ransomware used AI agent to automate entire attack
Researchers identified what they believe is the first documented case of a ransomware operation, JadePuffer, conducted entirely by a large language model (LLM) agent.

New Forg365 Phishing Platform Uses AI to Target Microsoft 365 Accounts

ZeroBEC exposed Forg365, a new phishing-as-a-service (PhaaS) operation targeting Microsoft 365 accounts. The platform combines adversary-in-the-middle (AiTM) and device-code phishing with AI-assisted lure generation built directly into its operator dashboard. It also ships a browser extension ("ForgCookie") that silently refreshes stolen Microsoft SSO cookies for persistent access, and abuses legitimate services (Amazon SES, SendGrid, Cloudflare Pages) to blend into normal traffic.

Key Takeaways:

  • Restrict or disable Microsoft device-code authentication unless genuinely required
  • Monitor Entra logs for device-code auth events, unexpected OAuth grants, new device sign-ins, and mailbox rule changes
  • AI integration is lowering the cost of building and running PhaaS platforms — expect more of these
  • If compromise is suspected, revoke and refresh all tokens and sessions immediately
New Forg365 phishing platform uses AI to target Microsoft 365 accounts
A new phishing-as-a-service (PhaaS) operation called Forg365 focuses on stealing Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device code methods with AI-assisted lure generation.

Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments

Zscaler uncovered two campaigns using indirect prompt injection embedded in malicious websites to exploit autonomous AI agents browsing the web. One used SEO poisoning around a fake Python library to hide payment instructions in schema markup and hidden HTML, coaxing agents into sending cryptocurrency to attacker wallets. The other typosquatted the DeBank DeFi platform and used injected prompts to convince agents the fake site was legitimate. In Zscaler's testing, 4 of 26 LLMs were manipulated into making a payment.

Key Takeaways:

  • Web content itself is becoming an attack surface as AI agents increasingly act on users' behalf
  • Agents with payment or transaction capabilities need strict guardrails, spending controls, and human approval steps
  • SEO poisoning is being purpose-built to target AI agent queries, not just human searchers
Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments
Zscaler found attackers using SEO poisoning and hidden prompts in malicious websites to manipulate AI agents into making cryptocurrency payments.

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

Analyzing a week of endpoint telemetry, Sophos found that legitimate AI coding agents (Claude Code, Cursor, OpenAI Codex) routinely trip behavioral detections designed for human intruders — decrypting browser credentials via DPAPI, enumerating Windows Credential Manager, downloading files with LOLBins like certutil and bitsadmin, and writing to startup folders. Credential access made up 56% of blocked activity. The same behaviors also appear in attacker-run and hijacked agents, muddying signals defenders rely on.

Key Takeaways:

  • Expect endpoint alerts from developer machines running AI agents; scope execution-noise rules by agent parent process and workspace paths
  • Hold the line on credential-store access — it doesn't become safe just because an agent did it
  • Disable risky agent modes (e.g., permission-skipping flags) via managed settings
  • Behavioral detection alone is losing fidelity as benign, malicious, and hijacked agents generate identical telemetry
AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
Sophos says Claude Code, Cursor, and Codex triggered Windows endpoint rules for credential access, LOLBin downloads, and persistence.

New Helix Vishing Group Emerges in SharePoint Data Theft Attacks

ReliaQuest profiled Helix, a new data-extortion group using voice phishing (including manager impersonation with caller ID spoofing), device-code phishing, and MFA abuse to compromise Microsoft 365 accounts and steal SharePoint data. After access, operators register their own MFA authenticator for persistence, enumerate SharePoint with automated wildcard searches, and bulk-download files. Researchers see likely lineage from ShinyHunters and the defunct BlackFile group based on overlapping infrastructure and playbooks.

Key Takeaways:

  • Disable device-code authentication where possible — the highest-impact defense against this playbook
  • Restrict SharePoint access to managed devices and block traffic to newly registered domains
  • Watch for consistent exfiltration fingerprints: automated SharePoint enumeration followed by bulk downloads from a single IP/user-agent
  • Train employees on vishing that impersonates their own managers
New Helix vishing group emerges in SharePoint data theft attacks
A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments.

Scattered Spider's Structure More Like a Cybercrime Collective Than a Unified Gang

Group-IB analysis reclassifies Scattered Spider as a decentralized collective of independent clusters sharing tactics, tools, and online communities — comparable to Anonymous — rather than a single coordinated gang. This explains why activity persists despite arrests. Some incidents previously attributed to the group (including the M&S/Co-op attacks) may have been carried out by unrelated actors. Social engineering (IT/HR impersonation, identity-provider phishing pages, SIM swapping, insider recruitment) remains the common thread.

Key Takeaways:

  • Arrests of individual members are unlikely to eliminate the broader threat — defend against the shared TTPs instead
  • Prioritize defenses against identity-based attacks and help-desk/IT-impersonation social engineering
  • Phishing pages impersonating Okta, Microsoft, Citrix, and Google are recurring lures across clusters
Scattered Spider’s Structure More Like a Cybercrime Collective
Group-IB analysis argued Scattered Spider is a decentralized collective of independent clusters

Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

Check Point detailed Cavern Manticore, an Iran-linked (MOIS-affiliated, possibly tied to OilRig subgroup Lyceum) APT targeting Israeli government entities and IT providers with a modular .NET C&C framework — likely built with AI assistance but with substantial human involvement. The framework uses mixed compilation formats as an anti-analysis layer, isolates modules in disposable AppDomains, and cleans up after itself. Attackers abused SysAid's update feature for DLL sideloading and moved through multi-hop IT supplier chains (RMM tools, browser-based remote desktop, remote printing for exfiltration) to reach final targets.

Key Takeaways:

  • IT service providers are the stepping stones — the actor demonstrated deep knowledge of Israel's IT supply chain, moving through two provider hops to reach targets
  • Monitor RMM tooling and software-update mechanisms for abuse
  • Modular, per-victim-tailored malware complicates signature-based detection; behavioral monitoring of module load/unload activity is more effective
Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks
Iran-linked Cavern Manticore hackers used a modular C&C framework, likely built with AI assistance, to target Israeli government entities and IT providers.

Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT

Seqrite Labs detailed Operation DragonReturn, a multi-stage campaign timed to India's tax filing season targeting taxpayers, tax professionals, and corporate finance teams. Spear-phishing emails impersonating the Income Tax Department lead victims to download a fake tax utility that sideloads a malicious DLL, hides a secondary payload inside a JPG image, establishes persistence via a Windows service, disables AMSI, and deploys DCRat for data theft. Infrastructure ties to ChinaNet and tactical overlaps with the Silver Fox group suggest China-aligned attribution.

Key Takeaways:

  • Seasonal, government-themed lures (tax deadlines) remain highly effective — expect precision-crafted bilingual lures with real legal citations
  • DLL sideloading and image-based payload concealment (steganography) bypass many email/endpoint filters
  • Watch for UAC prompts from recently downloaded "official utilities" and unexpected new Windows services
Suspected China-Nexus Hackers Use Fake Indian Tax Filing Utility to Deploy DcRAT
Researchers link the India-focused operation to ChinaNet infrastructure and tactical overlaps with Silver Fox, but attribution remains suspected.

North Korean Hackers Target Open Source Developers in Supply Chain Attacks

Socket reported on PolinRider, a North Korea-linked supply chain campaign (tied to the broader Contagious Interview operation) active since December 2025. Attackers compromise maintainer accounts across npm, Packagist, Go modules, and Chrome extensions, injecting obfuscated JavaScript loaders that fetch encrypted payloads via blockchain/RPC infrastructure to deliver the DEV#POPPER RAT and OmniStealer. So far: 162 malicious release artifacts across 108 packages, with Git history rewriting used to disguise the changes as old.

Key Takeaways:

  • Treat any environment that installed affected packages as potentially compromised — and remediate from a clean machine
  • Developer environments expose registry, source code, cloud, and CI/CD credentials, making them high-value targets
  • Git history rewriting means "the change looks old" is not evidence of legitimacy
  • Enforce MFA and hardware keys on maintainer accounts for anything your org publishes
North Korean Hackers Target Open Source Developers in Supply Chain Attacks
North Korean hackers are targeting open source software developers with a backdoor and an information stealer as part of a broad supply chain campaign dubbed PolinRider.

Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Organization

Datadog Security Labs is tracking overlapping campaigns systematically enumerating corporate GitHub organizations, repos, and users via the GitHub API. Operators use automated scrapers, more than 50 "ghost" accounts (created 2–5 years ago and deliberately left dormant to appear legitimate), and dozens of compromised OAuth tokens/PATs from real users. Most activity targets public data, but in select cases attackers escalated to cloning private repositories.

Key Takeaways:

  • Individually unremarkable API requests become significant in aggregate — look for synchronized enumeration patterns across your org
  • Audit and rotate personal access tokens and OAuth grants; exposed PATs are actively harvested
  • Account age is no longer a trust signal — aged, dormant accounts are being weaponized specifically to evade heuristics
  • Public GitHub metadata (members, followers, repo activity) is being systematically mapped for reconnaissance
Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs
GitHub ghost accounts and exposed PATs scrape corporate orgs through the API, with select cases cloning private repos.

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

A Ransom-ISAC case study built on a leaked negotiation chat and blockchain analysis revealed a U.S. government entity — evidence strongly points to Union County, Ohio — paid roughly $1 million (9.44 BTC) in June 2025 to the Kairos group to prevent publication of ~2TB of stolen data. Notably, no encryption occurred: Kairos ran pure data-theft extortion. The negotiation ran a month, dropping from a $3M demand, and the payment was traced through wallets toward Bybit, OKX, and a Russian exchange. The "proof of deletion" provided was essentially worthless.

Key Takeaways:

  • Encryption-free extortion is now mainstream — roughly half of "ransomware" attacks no longer involve encryption at all
  • A deletion promise from a thief proves nothing; assume stolen data remains at risk after payment
  • Kairos claimed initial access via simple password guessing — MFA and login-failure monitoring are basic but decisive controls
  • Segment legal, HR, and citizen records; monitor for large outbound transfers and burner file-sharing services
U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case
The case study found no encryptor or locked machines, only stolen files used as leverage in a month-long negotiation ending June 13, 2025.

AdaptHealth: Crooks Stole Our Passwords, Patient Health Data

Home medical equipment provider AdaptHealth disclosed to the SEC that attackers used social engineering to compromise a third-party contractor's user session, gaining access to its cloud environment, patient management systems, document storage platforms, and external EHR portals. Stolen data includes a password file tied to insurance billing plus patient PII and protected health information. The attacker contacted the company on June 15 claiming the theft; AdaptHealth deemed the incident material on June 27, and its statement about "mitigating dissemination risk" hints a payment may have been made.

Key Takeaways:

  • Third-party contractor access remains a top healthcare attack vector — apply least privilege and session monitoring to vendor accounts
  • Stored password files are catastrophic when exfiltrated; vault credentials rather than keeping password files in business systems
  • SEC materiality disclosures are increasingly how breaches surface — scope, victim counts, and extortion details often lag behind
AdaptHealth says attackers sweet-talked their way into cloud systems and stole patient data
Third-party contractor compromise exposed health information and insurance billing passwords

Mount Royal University Confirms Breach as Hackers Claim Attack

Calgary's Mount Royal University confirmed that attackers who breached its network on June 17 stole data from its shared "H drive" (affecting current/former students and employees) and then wiped it, along with a separate departmental "J drive," to hinder recovery. The CMD Organization extortion group claimed the attack, demanded 30 BTC (~$1.9M), published samples including passport scans, and runs an auction-style leak site listing 30 victim organizations. Full recovery may take months and may not be complete.

Key Takeaways:

  • Destructive deletion paired with theft is a growing pressure tactic — immutable, offline backups are the only real counter
  • The wipe makes it hard to even determine what was stolen, complicating breach notification obligations
  • Higher education remains heavily targeted; shared network drives holding sensitive documents are prime exfiltration targets
Mount Royal University confirms breach as hackers claim attack
Mount Royal University in Calgary says hackers stole and then deleted data from its file storage systems after breaching the university’s network.

Max Severity Adobe ColdFusion Flaw Now Exploited in Attacks

Attackers began exploiting CVE-2026-48282, a maximum-severity unauthenticated RCE in Adobe ColdFusion (versions 2025.9, 2023.20 and earlier), within two hours of public disclosure, according to KEVIntel honeypot data. Adobe patched the flaw on Tuesday, urging deployment within 72 hours, and Canada's Cyber Centre echoed the warning. Shadowserver tracks nearly 800 ColdFusion instances exposed online. This follows Adobe's patches for six other max-severity ColdFusion/Campaign flaws the prior week.

Key Takeaways:

  • Exploitation-within-hours is the new normal — patch windows for internet-facing critical flaws are now measured in hours, not weeks
  • Inventory and, where possible, remove ColdFusion from direct internet exposure
  • Unauthenticated, low-complexity RCE with no user interaction: assume compromise if patching was delayed and hunt accordingly
Max severity Adobe ColdFusion flaw now exploited in attacks
Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel.

Researchers Spot Exploitation of Another Critical Oracle Defect (Oracle EBS)

Threat intelligence firm Defused observed exploitation of CVE-2026-46817 (CVSS 9.8), a critical flaw in the payments processing feature of Oracle E-Business Suite, patched in late May. Six exploitation attempts from a single IP hit honeypots before any public PoC existed — likely reconnaissance and weaponization testing. Shadowserver counts roughly 950 potentially vulnerable internet-exposed EBS instances, more than half in the U.S. The concern: Oracle EBS was the vector for Clop's mass extortion spree last year, and PeopleSoft was recently hit by ShinyHunters.

Key Takeaways:

  • Patch Oracle EBS now — the single-source activity pattern often precedes broad campaigns (as seen with Clop)
  • Oracle business applications are proven mass-extortion targets with an established attacker playbook
  • Remove EBS from direct internet exposure wherever possible; ~950 exposed instances are a ready-made target list
Researchers spot exploitation of another critical Oracle defect
The defect impacts a popular collection of business applications that attackers have hit before in widespread attack sprees.

NetNut Proxy Network Disrupted, 2 Million Infected Devices Cut Off

A joint operation involving Google, the FBI, Lumen, and Shadowserver disrupted NetNut (aka Popa), one of the world's largest residential proxy networks, built on at least 2 million compromised Android devices (including smart TVs and streaming boxes) infected via trojanized apps and botnets like Badbox 2.0. In one week, Google observed 316 distinct threat clusters — criminal and espionage — routing traffic through NetNut exit nodes. The FBI seized domains, and Google disabled C2-supporting accounts and pushed Play Protect warnings.

Key Takeaways:

  • Residential proxies remain core criminal infrastructure for hiding password spraying and victim access behind legitimate home IPs
  • The proxy economy is interconnected — disruption may push operators to resell capacity from competitors, so IP reputation alone is unreliable
  • Consumer IoT/Android devices from untrusted supply chains often ship pre-compromised; enterprises should treat residential IP traffic patterns with appropriate suspicion
NetNut proxy network disrupted, 2 million infected devices cut off
A joint operation involving Google has disrupted NetNut, a residential proxy network that gave access to millions of compromised Android devices, including smart TVs and streaming boxes.

Opera Rolls Out Paste Protect Feature to Fight ClickFix Attacks

Opera introduced Paste Protect, enabled by default, to counter ClickFix social engineering — attacks that trick users into copying and executing malicious commands under the guise of verification steps or troubleshooting fixes. The feature scans clipboard content against platform-specific rules (Windows, macOS, Linux), blocks suspicious copies, shows a warning with the first 120 characters of the blocked script, and allows override only after a 5-second timeout. It complements Apple's recent Terminal warning for the same threat.

Key Takeaways:

  • Browser and OS vendors are converging on clipboard-level defenses — a sign of how prevalent ClickFix has become as an infostealer delivery method
  • User guidance still matters: never run commands you don't understand, regardless of how "official" the instructions look
  • Developers who copy scripts regularly can allow-list trusted sites, reducing friction while keeping protection on
Opera rolls out Paste Protect feature to fight ClickFix attacks
Opera has introduced Paste Protect, a security feature designed to block ClickFix-style attacks that trick users into executing malicious commands through social engineering.

IBM and Red Hat Have Moved Project Lightwell From Vision to Product

IBM and Red Hat commercially launched Lightwell on July 8, converting May's $5 billion open source security pledge into purchasable products in about ten weeks. Lightwell Network is generally available with 6,500+ remediated, digitally signed components across Java and Python, pairing an AI remediation engine with 20,000+ human engineers who validate fixes and backport patches to in-production versions (no forced upgrades). Lightwell Clearinghouse Premier adds member-specific remediation and disclosure handling, initially limited to financial services firms including major U.S. banks.

Key Takeaways:

  • AI-accelerated vulnerability discovery is outpacing human patching capacity — commercial "remediation-as-a-service" models are emerging in response
  • Backported, signed patches for existing production versions address a real enterprise pain point: fixing CVEs without disruptive upgrades
  • Watch this space if you carry a large open source dependency backlog; the model's success hinges on AI find-rates staying high and validated
IBM and Red Hat launch Lightwell to defend open-source code from AI attacks
Their plan to protect open-source projects from AI-discovered security holes has led to the launch of two commercial offerings: Lightwell Network and Lightwell Clearinghouse Premier.

France to Stop Certifying Products Without Quantum-Safe Encryption

France's cybersecurity agency ANSSI announced it will stop certifying security products that lack quantum-resistant encryption starting in 2027, with businesses expected to buy only quantum-safe products by 2030. Because ANSSI certification is mandatory for French government agencies and critical infrastructure, this amounts to a de facto phase-out of legacy cryptography — driven largely by "harvest now, decrypt later" concerns. It's among the most aggressive PQC timelines globally (NIST targets deprecation of RSA/ECDSA by 2030, disallowance by 2035).

Key Takeaways:

  • If you sell into French government or critical infrastructure markets, PQC support is now a 2027 product requirement
  • Start crypto inventory and migration planning now — cryptographic transitions take years, and long-lived sensitive data is already at "harvest now" risk
  • Expect other national regulators to convert PQC guidance into binding certification requirements clustered around 2028–2030
France accelerates transition to post-quantum encryption
France’s cybersecurity agency, ANSSI, announced it will stop certifying security products lacking quantum-resistant encryption starting in 2027.

Launch of UK's National Cyber Action Plan Delayed

Britain's National Cyber Action Plan — the government's strategy for defending the wider economy against state-backed and criminal hacking — was postponed again following Prime Minister Keir Starmer's resignation and the resulting Labour leadership contest. The plan had been due Monday. The delay continues a pattern: the Cyber Security and Resilience Bill took over four years to reach Parliament and won't be enforced until 2028. The NCSC reported handling 200+ incidents affecting critical national infrastructure between June 2024 and May 2026, 75% linked to state actors.

Key Takeaways:

  • UK cyber policy continues to be treated as low political priority, with experts warning that major legislation repeatedly slips amid political turbulence
  • Organizations in the UK should not wait for regulation — voluntary measures (Cyber Essentials, NCSC Early Warning) remain the operative baseline
  • The 75% state-actor share of CNI incidents underscores that the threat environment isn't waiting for the policy process
Launch of UK’s National Cyber Action Plan delayed amid Labour leadership crisis
The plan had been due for publication on Monday, the sources said. It has been postponed amid the uncertainty over the governing Labour Party’s leadership contest, which opens July 9.

UK Cyber Pledge Draws Limited Partners Despite Ministerial Appeal

The UK's voluntary Cyber Resilience Pledge launched with just 70 founding signatories — and 20 of those were strategic government suppliers signed via a separate charter, leaving only ~50 truly voluntary participants across the wider economy despite ministers writing to hundreds of firms including all FTSE 350 companies. Signatories (including Aviva, LSEG, and M&S) commit to board-level cyber responsibility, joining NCSC's Early Warning service, and risk-based Cyber Essentials requirements in supply chains. Analysts suggest weak uptake may become the government's justification for future regulation.

Key Takeaways:

  • Voluntary pledges with no enforcement mechanism are drawing limited corporate buy-in — regulation may follow if uptake stays low
  • The pledge's three asks (board accountability, Early Warning enrollment, supply-chain Cyber Essentials) are sensible baselines worth adopting regardless of signing
  • The UK pattern of consultation → voluntary pledge → regulation suggests firms should prepare for eventual mandatory requirements
UK cyber pledge draws only a handful of top firms despite ministerial appeal
Those that did sign include large firms such as Aviva, the London Stock Exchange Group and Marks & Spencer, which lost hundreds of millions of pounds in a cyberattack last year, as well as small cybersecurity consultancies.