Weekly Threat Intel Report — 2026-W28
TL;DR
Week 28 delivered a study in contrasts: proven adversaries executing well-worn playbooks against still-unpatched software, alongside a wave of AI-abetted and AI-adjacent attacks that hint at what the next 12 months will look like. Huntress documented a repeatable chain that starts with CitrixBleed 2 (CVE-2025-5777) exploitation and ends in DragonForce ransomware. Check Point Research exposed a new modular command-and-control framework wielded by Iran-nexus 'Cavern Manticore,' which overlaps with OilRig. A new data-extortion group called Helix surfaced with an identity-first approach against SharePoint. Unit 42 profiled 'The Gentlemen' ransomware operation. Microsoft dissected GigaWiper, a destructive backdoor built from parts of several prior malware families. And multiple vendors reported AI-driven intrusion tradecraft — including what DarkReading described as the first end-to-end LLM-driven ransomware attack. Meanwhile, Progress Software urged emergency shutdown of ShareFile Storage Zone Controllers, and active exploitation was reported against Gitea's Docker image and Zimbra's Classic Web Client.
Notable Activity by Actor
DragonForce — CitrixBleed 2 to ransomware in seven steps
Huntress published a detailed writeup on 9 July describing a set of "strikingly similar" intrusions in which affiliates chained exploitation of CitrixBleed 2 (CVE-2025-5777) against internet-exposed NetScaler devices, employed a novel local privilege escalation technique, and finished with DragonForce ransomware deployment. The recurrence of the same sequence across multiple victims suggests a documented playbook shared inside the DragonForce affiliate ecosystem. Any organization still running an unpatched or misconfigured NetScaler Gateway should treat this as the working assumption for how it will be attacked.
OilRig / Cavern Manticore — new modular C2 framework
Check Point Research disclosed on 6 July that an Iran-nexus cluster it tracks as Cavern Manticore, linked to Iran's Ministry of Intelligence and Security and overlapping with OilRig, has been operating a new modular command-and-control framework since early 2026. Targeting has concentrated on Israeli IT providers and government entities. The modularity of the framework is notable: it points to sustained in-house engineering investment and a preference for supply-chain footholds (IT providers) that scale espionage access across downstream customers.
Emerging Threats
Helix — vishing crew hunting SharePoint
BleepingComputer reported on 9 July that a new data-extortion group calling itself Helix is stealing data from SharePoint environments using voice phishing (vishing), device-code phishing, and multi-factor authentication (MFA) fatigue. There is no confirmed ransomware payload; the business model appears to be pure data extortion. Helix belongs to the broader Scattered Spider–style lineage of identity-first intruders that treat the help desk, not the firewall, as the perimeter.
The Gentlemen ransomware
Unit 42 profiled 'The Gentlemen' ransomware operation on 10 July, describing an affiliate model behind its rapid growth. Public reporting has not attributed the group to a nation state; the tradecraft and monetization pattern look conventional, but the growth velocity warrants tracking.
GigaWiper — a Frankenstein destructive backdoor
Microsoft Threat Intelligence published analysis on 9 July of GigaWiper, a destructive backdoor that combines wiping and ransomware-like encryption in a single platform. Microsoft notes the malware incorporates code from multiple previously distinct families, an assembly pattern that is becoming more common as offensive developers scavenge public repositories and leaked source.
The AI-driven intrusion wave
Three items this week suggest a real inflection point. DarkReading reported on 6 July an incident branded 'JadePuffer,' described as the first largely LLM-driven ransomware attack, in which an 'agentic threat actor' exploited a Langflow flaw to steal data and encrypt systems. On 8 July, DarkReading covered a lone attacker who reportedly leveraged AI workflows, chained cloud misconfigurations, and stolen credentials to breach an AWS environment in roughly 72 hours. And Huntress published an analysis of 'vibe-coded' AD enumeration scripts — custom PowerShell generated on demand by LLMs. Even discounting hype, the direction of travel is unmistakable: AI reduces the marginal cost of custom tooling, and defenders will see more one-off malware.
UAT-7810 — an ORB network in the making
Cisco Talos on 7 July updated coverage of UAT-7810, a tracked-but-unattributed actor continuing to develop custom malware and build operational relay box (ORB) networks. ORB infrastructure is increasingly the norm for stealthy espionage operators, offering resilient traffic obfuscation and complicating attribution.
Rival espionage on the same target
SentinelLabs and The Record independently reported this week that Chinese and Indian espionage actors ran parallel campaigns against the same Pakistani provincial police force between February 2024 and April 2026 — in some cases breaching identical systems. It is a useful reminder that a single victim can host multiple, uncoordinated intrusions with different strategic drivers.
Vulnerability and platform urgency
- ShareFile: Progress Software emailed ShareFile Storage Zone Controller customers on 10 July urging them to shut down servers over a "credible external security threat" (BleepingComputer).
- Gitea: Active exploitation of a critical authentication bypass in the official Gitea Docker image was reported on 10 July (BleepingComputer).
- Zimbra: A critical XSS in the Classic Web Client requires immediate patching (BleepingComputer, 10 July).
- CMS platforms: Australia's ACSC warned on 11 July of a global campaign targeting vulnerable content-management systems and plugins.
- npm supply chain: The Injective Labs SDK GitHub was compromised and a malicious npm package published to steal crypto wallet keys and seed phrases (BleepingComputer, 9 July).
- BYOVD: A ransomware family called 'GodDamn' is abusing a Microsoft-signed malicious kernel driver to disable security tools (DarkReading, 9 July).
Law enforcement wins
One Ryuk operator pleaded guilty in a US federal court and faces up to 15 years in prison; a former incident-response employee who conspired with BlackCat/ALPHV received a 70-month sentence (BleepingComputer and The Record, 10 July). These outcomes do not reduce short-term risk, but they degrade the operator pool.
Defender Takeaways
- Verify CitrixBleed 2 posture. Patch and reboot NetScaler devices for CVE-2025-5777, invalidate active sessions, and hunt for the DragonForce playbook Huntress described — particularly novel local privilege escalation immediately following gateway access.
- Assume MFA is not enough against identity-first crews. Helix-style vishing plus MFA fatigue requires number matching, phishing-resistant MFA (FIDO2), device-code login restrictions, and a hardened help-desk verification process.
- Emergency-triage the exposed-app list. ShareFile Storage Zone Controllers, Gitea Docker deployments, Zimbra Classic Web Client, and any exposed CMS instances all need attention this week.
- Treat AI agents as identities. Non-human identities tied to LLM agents are proliferating faster than IAM governance. Inventory them, scope their permissions tightly, and monitor them as you would service accounts on steroids.
- Watch for BYOVD. The 'GodDamn' ransomware pattern of abusing signed drivers to kill EDR is now common. Enable Microsoft's vulnerable driver blocklist and monitor for kernel-driver load events.
- Supply-chain vigilance. The trojanized Injective SDK on npm is a reminder that dependency provenance and lockfile discipline are baseline hygiene, not a maturity milestone.
Sources
- Huntress — CitrixBleed 2 (CVE-2025-5777) 7 Steps to DragonForce Ransomware: https://www.huntress.com/blog/citrixbleed-2-dragonforce-ransomware
- Check Point Research — Cavern Manticore: Exposing Iran-Linked Modular C2 Framework: https://research.checkpoint.com/2026/cavern-manticore-exposing-iran-linked-modular-c2-framework/
- BleepingComputer — New Helix vishing group emerges in SharePoint data theft attacks: https://www.bleepingcomputer.com/news/security/new-helix-vishing-group-emerges-in-sharepoint-data-theft-attacks/
- Unit 42 — No Manners Here: The Ruthless Rise of The Gentlemen Ransomware: https://unit42.paloaltonetworks.com/the-gentlemen-ransomware/
- Microsoft Threat Intelligence — GigaWiper: Anatomy of a destructive backdoor: https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/
- DarkReading — JadePuffer: The First Complete LLM-Driven Ransomware Attack: https://www.darkreading.com/cyberattacks-data-breaches/jadepuffer-first-complete-llm-driven-ransomware-attack
- DarkReading — Lone Attacker Uses AI to Breach AWS Cloud Environment in 72 Hours: https://www.darkreading.com/cloud-security/lone-attacker-ai-breach-aws-cloud-environment
- Huntress — AI-Coded Malware | Analyzing Vibe-Coded AD Enumeration: https://www.huntress.com/blog/ai-coded-malware-vibe-coding-active-directory
- Cisco Talos — UAT-7810 continues building ORB networks using new malware: https://blog.talosintelligence.com/uat-7810/
- SentinelLabs — One Target, Two Flags: Rival Espionage Actors Converge On Pakistani Law Enforcement: https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/
- BleepingComputer — Progress urges ShareFile admins to shut down servers over 'credible' threat: https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
- BleepingComputer — Hackers exploit critical auth bypass in Gitea Docker image: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-auth-bypass-in-gitea-docker-image/
- BleepingComputer — Zimbra urges customers to patch critical web client XSS flaw: https://www.bleepingcomputer.com/news/security/zimbra-urges-customers-to-patch-critical-web-client-xss-flaw/
- BleepingComputer — Australia warns of global campaign targeting vulnerable CMS platforms: https://www.bleepingcomputer.com/news/security/australia-warns-of-global-campaign-targeting-vulnerable-cms-platforms/
- BleepingComputer — Injective SDK on npm infected with cryptocurrency wallet stealer: https://www.bleepingcomputer.com/news/security/injective-sdk-on-npm-infected-with-cryptocurrency-wallet-stealer/
- DarkReading — 'GodDamn' Ransomware Uses BYOVD to Smite US Companies: https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies
- BleepingComputer — Ryuk ransomware member pleads guilty in the US, faces 15 years in prison: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-member-pleads-guilty-in-the-us-faces-15-years-in-prison/
- The Record — Ryuk operator pleads guilty; Blackcat/AlphV conspirator gets nearly 6-year sentence: https://therecord.media/ryuk-operator-pleads-guilty-alphv-conspirator-sentenced