Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin
Cyber Threat Outlook

Florida’s critical infrastructure operators continue to face a threat environment driven by three trends: (1) attackers moving fast on newly disclosed and known-exploited vulnerabilities, (2) cloud identity systems (Microsoft 365, Azure, Entra) becoming a primary target, and (3) AI tools being used on both sides — attackers using AI to write malware and phishing lures faster, and AI development platforms themselves becoming new, unpatched attack surfaces. Over the next six to nine months, expect continued exploitation of CISA-listed vulnerabilities within days of disclosure, more credential-theft campaigns aimed at cloud accounts (including voice-phishing calls that trick employees into approving account changes), and more attacks that target software supply chains — the vendors, code repositories, and AI coding tools organizations rely on rather than the organizations themselves. Because Florida’s critical infrastructure sectors share cloud platforms, collaboration tools, and vendor relationships, the most effective near-term defenses remain the fundamentals: patch known-exploited vulnerabilities quickly, require multi-factor authentication everywhere (configured to cover every login method, not just the main portal), and verify that vendors and subsidiaries are not the weak link.

Confidence Assessment: High

Executive Summary
  • All Sectors: Cyber threat actors relied on three main entry points this period: exploiting internet-facing software before organizations could patch it, reusing stolen administrator passwords from earlier breaches, and tricking employees into running malicious commands through fake error messages or “verify yourself” prompts (a technique called ClickFix, now confirmed spreading to Mac computers as well as Windows). Automated password-guessing attacks against cloud accounts, phone-based social engineering, and destructive malware designed to permanently wipe systems all remained active threats across sectors.
  • Commercial Facilities: Hospitality organizations were targeted with remote-access malware hidden in fake guest-complaint emails, using blockchain infrastructure to keep its control servers moving and hard to block. Separately, the vendor Ubiquiti patched seven critical flaws in its UniFi building-management software — including one with a perfect severity score that lets an attacker on the network take over connected smart lighting and EV-charging systems — so facilities running any UniFi product should update the full lineup, not just one component.
  • Communications: Cisco confirmed that an unauthenticated attacker — someone with no valid login at all — can remotely trigger a flaw in Unified Communications Manager that writes files to the server and can lead to full administrative control. The vulnerability is now on CISA’s list of confirmed exploited vulnerabilities. Because this platform runs voice systems for emergency services, public safety agencies, and healthcare providers, it should be treated as an urgent patch; where immediate patching isn’t possible, disabling the affected WebDialer feature blocks the attack path.
  • Defense Industrial Base: A suspected China-linked group broke into university physics and engineering department mail servers by exploiting known, already-patched flaws in Roundcube webmail software that the schools simply hadn’t updated — a reminder that email servers need the same patching discipline as VPNs and firewalls. Separately, attackers exploited abandoned GitHub developer accounts to clone private code repositories, and researchers disclosed a new way to trick AI coding assistants connected to GitHub into leaking private source code just by asking nicely.
  • Energy: Two unrelated nation-state-linked groups targeted the energy sector using different methods. One group used legitimate cloud storage services (like Zoho WorkDrive) to disguise its malware traffic as normal file-sharing activity. A separate, newly identified group used a Windows shortcut-file vulnerability that Microsoft patched in November 2025 — meaning any organization still exposed to it has gone eight months without applying an available fix.
  • Financial Services: A ransomware attack against a parent company’s network spread into a subsidiary lender’s systems, showing how shared corporate infrastructure can turn one breach into several. Separately, a new low-cost “malware rental” service is letting less-skilled criminals run Android banking malware that steals one-time passcodes and bypasses two-factor authentication on mobile banking apps.
  • Government Services and Facilities: Attackers used firewall administrator credentials stolen in a previous, unrelated breach to break into government network perimeters months later — proof that a credential leak isn’t a closed issue once it’s discovered elsewhere. Because Fortinet firewalls are widely deployed across Florida state and local government, this is a reminder to rotate credentials on a schedule rather than only after a known incident.
  • Information Technology: Attackers moved fast on newly disclosed vulnerabilities in widely used remote-access and web-hosting software, while a separate and growing set of stories involved weaknesses in AI platforms themselves — AI coding assistants tricked into running unauthorized commands, an AI writing platform patched after a flaw let one company’s employee take over another company’s account through a shared preview link, and AI chatbot platforms with gaps that could expose customer data. Software supply-chain attacks — poisoned open-source code packages and hijacked developer accounts — also continued to be a common way in.
  • Transportation Systems: Maritime shipping and logistics organizations were targeted by phishing and business-email-compromise schemes aimed at stealing login credentials. Separately, the U.S. Coast Guard’s annual report found that off-the-shelf AI security tools often failed to catch simulated attacks unless specifically configured for a port’s own network traffic, and flagged unmonitored “dark fleet” vessels using spoofable tracking systems as a growing risk to Florida’s ports.
All Sectors

CISA Adds One Known Exploited Vulnerability to Catalog CISA added CVE-2026-45659, a Microsoft SharePoint Server deserialization-of-untrusted-data vulnerability, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. This vulnerability type is a frequent vector for full server compromise. Florida organizations running on-premises SharePoint Server should apply Microsoft’s patch immediately, and per CISA’s BOD 26-04, should treat internet-facing SharePoint instances as high-priority remediation targets.

FortiBleed Credential Theft Campaign Linked to Lynx Ransomware Cyber threat actors are actively leveraging previously stolen Fortinet administrative credentials to facilitate ransomware intrusions associated with the Lynx operation. Rather than exploiting newly disclosed vulnerabilities, the campaign demonstrates how historical credential theft continues to provide persistent access into enterprise networks months after the initial compromise. Researchers linked stolen credentials from an estimated 430,000 compromised FortiGate firewalls — captured via a custom credential-sniffing tool — to both the INC Ransom and Lynx ransomware operations. Because Fortinet firewalls and Virtual Private Network (VPN) gateways remain widely deployed across Florida government agencies and critical infrastructure sectors, organizations should check FortiGate devices for a local account named ‘adminin,’ a known indicator of compromise, in addition to rotating credentials and enforcing MFA.

Veil#Drop Uses Google Blogspot to Deliver PureLog Stealer Researchers identified Veil#Drop, a fileless malware delivery framework that abuses Google Blogspot pages to deploy the PureLog credential stealer entirely in memory. The campaign minimizes traditional malware artifacts by relying on malicious JavaScript and PowerShell execution to harvest credentials and evade conventional antivirus detection. Because credential theft campaigns affect every critical infrastructure sector, Florida organizations should strengthen endpoint detection capabilities, monitor for anomalous browser and PowerShell activity, and restrict execution of untrusted scripts to reduce enterprise risk.

ClickFix Becomes Cybercriminals’ Favorite Initial Access Technique Cyber threat actors continue adopting the ClickFix social engineering technique to trick users into manually executing malicious commands that bypass traditional endpoint protections. Rather than exploiting software vulnerabilities, the campaign relies on user interaction through trusted operating system interfaces to initiate compromise. ReliaQuest specifically notes that ClickFix has expanded to macOS for the first time via a fake Script Editor prompt, and states plainly that “macOS must no longer be treated as lower risk. Because this technique targets human behavior rather than technical weaknesses, Florida CI organizations should extend ClickFix user-awareness training and command-line monitoring to macOS endpoints, not just Windows.

GigaWiper Combines Multiple Malware Families for System-Level Sabotage Researchers identified GigaWiper, a destructive malware platform that combines backdoor functionality with data-wiping capabilities to maximize operational disruption following a successful compromise. Unlike traditional ransomware, destructive malware seeks to permanently disable systems and hinder recovery efforts rather than generate financial gain. Because destructive malware poses a severe threat to government, energy, manufacturing, and other critical infrastructure sectors in Florida, organizations should validate offline backups, strengthen endpoint protections, and routinely exercise business continuity and disaster recovery procedures.

BlueHammer Vulnerability Exploited in Ransomware Attacks Microsoft Defender vulnerability CVE-2026-33825, known as BlueHammer, has been exploited in ransomware attacks after initially being used as a zero-day before Microsoft released patches. The authenticated privilege-escalation flaw was publicly disclosed on April 02, 2026, patched on April 14, 2026, and later added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. Although the specific ransomware group remains unidentified, successful exploitation could allow an attacker with existing access to obtain elevated privileges and advance an intrusion. Florida critical infrastructure operators using Microsoft Defender should verify that April 2026 security updates were deployed and investigate endpoints for evidence of prior compromise.

Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts Between June 12 and June 26, 2026, an automated password-spraying campaign generated more than 81 million login attempts against Microsoft’s Azure Command-Line Interface (CLI), compromising at least 78 accounts across 64 organizations. The campaign used previously breached credentials and a deprecated OAuth authentication flow to bypass inadequately configured Conditional Access and multifactor authentication policies. Because Microsoft cloud services support organizations across every critical infrastructure sector in Florida, operators should enforce multifactor authentication for all users, applications, and client types, restrict unnecessary Azure CLI access, rotate exposed credentials, and monitor activity originating from the identified LSHIY LLC IPv6 range.

GodDamn Ransomware Uses PoisonX Driver to Disable EDR Before Encryption Cybersecurity researchers identified a new ransomware variant, known as GodDamn, that employs the PoisonX kernel driver to disable endpoint detection and response (EDR) solutions before encrypting victim systems. By abusing a signed kernel-mode driver, the malware can bypass security controls, terminate defensive processes, and significantly reduce an organization’s ability to detect or stop ransomware activity during the early stages of an attack. This technique demonstrates the continued evolution of ransomware groups toward more sophisticated defense-evasion capabilities targeting enterprise environments. Because organizations across all Florida critical infrastructure sectors rely on EDR platforms to detect and respond to cyber threats, defenders should validate kernel driver integrity, monitor for unauthorized driver loading, implement tamper protection for security software, and investigate attempts to disable endpoint protection prior to ransomware deployment.

Entra Passkey Enrollment Vishing Targets Microsoft 365 Users Researchers identified an active voice-phishing (vishing) campaign, tracked as O-UNC-066 (‘Pink’), targeting Microsoft 365 users since April 2026. Attackers impersonate IT support and direct victims to a fake Entra passkey-enrollment site, using the enrollment process itself as a distraction while registering an attacker-controlled passkey on the victim’s real account. Florida organizations should strengthen help desk identity verification procedures and deny access requests from locations where the organization does not operate. Because Okta reports that this actor moves quickly to exfiltrate data from SharePoint and OneDrive after account takeover, organizations should also review SharePoint and OneDrive access logs for unusual activity following any suspected passkey enrollment incident.UNK

Writer AI Flaw Could Let Agent Previews Take Over Enterprise AI Platforms Security researchers disclosed a critical vulnerability known as WriteOut affecting the Writer enterprise artificial intelligence (AI) platform. The flaw could allow attackers to exploit agent preview functionality to execute unauthorized actions, compromise cross-tenant environments, and potentially gain control of organizational AI workspaces. The research highlights the growing security risks associated with enterprise AI platforms as organizations increasingly integrate generative AI into business operations. Because Writer has already deployed a fix, Florida organizations using the Writer AI platform should confirm with their account team that the patch is applied to their tenant, review AI platform session and access logs for the period before disclosure, and audit AI agent permission models generally, since this is the second cross-tenant AI-platform flaw reported this cycle.

Foxit Patches PDF Reader/Editor Vulnerabilities Foxit released security updates addressing multiple vulnerabilities affecting Foxit PDF Reader and Foxit PDF Editor, including flaws that could allow remote code execution, information disclosure, and application crashes if a user opens a specially crafted PDF document. Successful exploitation could enable attackers to execute arbitrary code with the logged-in user’s privileges, making malicious PDF files an effective delivery mechanism for malware and other cyber threats. Because PDF documents remain one of the most common file formats exchanged across government, healthcare, financial services, education, and private industry, unpatched vulnerabilities present a broad risk to organizations across all critical infrastructure sectors. Florida organizations should promptly apply Foxit security updates, restrict the execution of untrusted PDF files, educate users on the risks of opening unsolicited email attachments, and monitor endpoints for suspicious activity associated with malicious document exploitation.

CISA Adds Three Known Exploited Vulnerabilities to Catalog The Cybersecurity and Infrastructure Security Agency (CISA) added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including flaws affecting JoomShaper, Langflow, and other internet-facing technologies used in government and commercial environments. CISA directed organizations to prioritize remediation of CVE-2026-48908, CVE-2026-55255, and CVE-2026-56290, emphasizing that confirmed in-the-wild exploitation significantly increases the risk of remote system compromise. The advisory reinforces the importance of prioritizing vulnerability management based on active exploitation rather than severity scores alone. Because organizations across all Florida critical infrastructure sectors rely on internet-facing web applications and artificial intelligence development platforms, administrators should immediately apply vendor patches, review exposed systems for indicators of compromise, and prioritize remediation of all vulnerabilities listed in the CISA KEV Catalog.

New Oracle E-Business Suite Flaw Now Exploited in Attacks Researchers warned that cyber threat actors are actively exploiting a newly disclosed vulnerability affecting Oracle E-Business Suite, specifically the Oracle Payments component. The unauthenticated flaw, tracked as CVE-2026-46817, could allow remote attackers to compromise exposed systems by exploiting the file-transmission component over Hypertext Transfer Protocol (HTTP), potentially resulting in unauthorized access to enterprise financial and business operations. Because Oracle E-Business Suite supports finance, procurement, and business management functions across government agencies and private-sector organizations, successful exploitation could significantly disrupt critical business processes. Florida organizations using Oracle E-Business Suite should immediately apply Oracle’s security updates, restrict external access to vulnerable services, review Oracle Payments environments for signs of compromise, and continuously monitor application logs for unauthorized activity.

Multiple Cyberattacks Disrupt Major Japanese Critical Infrastructure Organizations Multiple major Japanese organizations spanning the financial services, communications, critical manufacturing, and food and agriculture sectors experienced significant cyber incidents during the reporting period, including ransomware attacks, data breaches, and operational disruptions affecting Aflac, KDDI, Nidec, and Sapporo. The campaign includes a confirmed ransomware/extortion attack on Nidec’s Taiwanese subsidiary (BlackField group, approximately $2 million demanded), a third-party software vulnerability at KDDI that exposed email accounts for five partner internet service providers, and suspected unauthorized access incidents at Aflac Japan and Sapporo’s overseas subsidiaries. Collectively, the incidents demonstrate how attacks against third-party software, enterprise networks, and shared technology platforms can simultaneously affect multiple critical infrastructure sectors. The concentration of high-profile compromises underscores the continued threat posed by ransomware groups, software supply chain weaknesses, and interconnected business systems supporting essential services. Because Florida critical infrastructure operators maintain similar interdependent technology environments and third-party relationships, organizations should strengthen supply chain risk management, validate ransomware recovery capabilities, monitor vendors for security incidents, and continuously assess interconnected business systems for potential cascading cyber risks.

CrownX Ransomware Uses Avalon Malware Framework to Target Enterprise Networks Cybersecurity researchers identified a new ransomware operation that uses the Avalon malware framework to deploy the CrownX ransomware payload through a sophisticated multi-stage infection chain. The campaign relies on phishing emails disguised as legal or business-related documents to deliver modular malware capable of establishing persistence, evading detection, and ultimately encrypting victim systems. Avalon specifically searches for and targets backup and recovery infrastructure (Veeam, Acronis, NetApp, Synology, Hyper-V, vCenter) before deploying ransomware, and disables Windows Volume Shadow Copy to prevent recovery. Researchers observed fileless execution techniques and staged payload delivery designed to complicate detection and incident response. Because phishing remains one of the primary initial access vectors across every critical infrastructure sector, Florida organizations should strengthen email security controls, educate employees to recognize legal-themed phishing lures, monitor for suspicious PowerShell and script execution, and ensure backup infrastructure is on a segmented network with credentials that are not reusable from the general Windows domain.

Kazuar Backdoor Uses DLL Side-Loading to Evade Detection Cybersecurity researchers observed the Turla advanced persistent threat (APT) group reviving its Kazuar backdoor through a sophisticated DLL side-loading technique that enables malware to execute within trusted Windows processes while evading traditional security controls. The campaign also leverages PowerShell-based execution and trusted host processes to establish persistence and reduce the likelihood of detection during post-compromise operations. The renewed use of Kazuar demonstrates the continued evolution of nation-state tradecraft targeting enterprise and government networks through stealthy, persistent mechanisms. Because state-sponsored actors routinely target organizations across Florida’s critical infrastructure sectors, defenders should monitor for unauthorized DLL side-loading activity, investigate anomalous PowerShell execution, validate application integrity, and strengthen endpoint detection capabilities to identify advanced persistence techniques before attackers can establish long-term access.

Phishing Poses as Big Brand Job Interview to Steal Google Accounts Cybersecurity researchers identified a widespread phishing campaign that impersonates well-known companies through fraudulent job interview invitations to steal Google account credentials. The attackers abuse trusted cloud services, including PeopleForce and Salesforce Marketing Cloud, to distribute convincing phishing emails that bypass traditional email filtering and create a false sense of legitimacy. Victims who follow the embedded links are directed to counterfeit authentication pages designed to harvest Google account credentials and facilitate account takeover. Because organizations across Florida’s critical infrastructure sectors rely extensively on cloud-based productivity and collaboration platforms, organizations should strengthen phishing awareness training, verify the legitimacy of unsolicited employment-related communications, enforce phishing-resistant multi-factor authentication (MFA), and continuously monitor authentication logs for suspicious login attempts and unauthorized account activity.

China-Linked UAT-7810 Expands ORB Network Using SHORTLEASH Malware Cybersecurity researchers identified an active campaign by the China-linked threat group UAT-7810 to expand operational relay box (ORB) networks using custom malware known as SHORTLEASH. By compromising internet-facing systems and converting them into proxy infrastructure, the group can conceal the origin of later espionage operations and route malicious traffic through seemingly legitimate organizations. This activity increases the risk that compromised infrastructure will be used to support secondary attacks against government, defense, and other critical targets. Florida critical infrastructure operators should patch internet-facing systems promptly, monitor for SHORTLEASH indicators and unexplained proxy traffic, investigate unusual outbound connections, and prevent compromised devices from being used as relay infrastructure for nation-state operations.

All Sectors Recommendations:

  • Apply vendor security patches for known exploited vulnerabilities and enterprise web software immediately.
  • Enforce phishing-resistant multi-factor authentication across all cloud, single sign-on, and remote management portals.
  • Verify the behavioral integrity of endpoint processes and restrict command-line execution for unprivileged accounts.
  • Validate immutable offline configuration backups to guarantee operational resilience against destructive data-wiping malware.
Chemical Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

Commercial Facilities Sector

Japan Hotel Industry Targeted With TONResolver RAT and Guest Complaint Phishing Emails Beginning in late May 2026, cyber threat actors targeted Booking.com partner hotels in Japan with phishing emails that impersonated guest complaints and review requests. The messages directed employees to download a ZIP file containing a malicious shortcut that launched a multi-stage PowerShell infection and installed the Node.js-based TONResolver remote access trojan. TONResolver uses the Open Network blockchain to retrieve changing command-and-control infrastructure, enabling remote command execution, persistence, and follow-on credential theft. Because Florida’s hospitality sector relies heavily on online booking platforms, operators should treat unexpected guest-complaint links as high risk, restrict unauthorized execution of PowerShell and Node.js, and monitor endpoints for suspicious LNK files, WebSocket traffic, and blockchain-related communications.

Ubiquiti Warns of New Max Severity UniFi OS Vulnerability On July 8, 2026, Ubiquiti released security updates addressing seven critical vulnerabilities in UniFi OS, including CVE-2026-50746, a maximum-severity command-injection flaw affecting UniFi Connect Application versions 3.4.16 and earlier. Ubiquiti also patched six additional critical-severity flaws (CVSS 9.0–9.9) affecting UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS Server; commercial facilities running any UniFi product line should update the full stack, not just UniFi Connect. The UniFi Connect software is used to manage commercial building operations such as smart lighting and electric vehicle chargers, and exploitation requires network access to the affected environment. Ubiquiti advised customers to update UniFi Connect to version 3.4.20 or later. Because Florida commercial facilities increasingly rely on connected building management systems, operators should identify affected deployments, apply the update, restrict management access, and monitor for unauthorized configuration changes.

Commercial Facilities Sector Recommendations:

  • Train hospitality staff to verify unsolicited guest complaints before opening attachments or compressed shortcuts.
  • Apply the July 2026 security updates to UniFi Connect applications to remediate command injection flaws.
  • Isolate connected building automation systems and smart charging networks behind segmented firewall boundaries.
Communications Sector

Cisco Confirms In-the-Wild Exploitation of Unified CM Vulnerability Cisco confirmed that cyber threat actors are actively exploiting CVE-2026-20230, a high-severity server-side request forgery (SSRF) vulnerability (CVSS 8.6) in Cisco Unified Communications Manager. An unauthenticated, remote attacker can send a crafted request to write files to the underlying operating system, which can then be used to escalate to root-level access. The flaw has been added to CISA’s Known Exploited Vulnerabilities Catalog. Exploitation requires the WebDialer service to be enabled (disabled by default); operators unable to patch immediately should disable WebDialer as an interim mitigation.

Communications Sector Recommendations:

  • Patch Cisco Unified Communications Manager environments immediately to address active, high-severity command execution flaws.
  • Audit gateway event logs to detect unauthorized system modifications or atypical terminal connection requests.
  • Incorporate critical emergency communication infrastructure and voice network dependencies into organizational continuity testing.
Critical Manufacturing Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

Dams Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

Defense Industrial Base Sector

One Email Closer to the Edge: UNK_MassTraction Targets Academic Research Networks Proofpoint identified a suspected China-aligned threat cluster, tracked as UNK_MassTraction, exploiting known, already-patched vulnerabilities in Roundcube webmail software (CVE-2024-42009, CVE-2025-49113) to compromise mail servers at U.S. and Canadian university physics and engineering departments since May 2026, focused on institutions with national-security-relevant or astrophysics/particle-physics research. Attackers steal credentials and deploy a web shell or the VShell backdoor. Because Florida’s universities, aerospace companies, and defense contractors collaborate extensively on federally funded research and national security programs, Defense Industrial Base organizations should patch Roundcube webmail servers to the latest version and remove legacy installations immediately — this is the confirmed entry point in this campaign.

Indra Group Ransomware Attack Puts Sensitive Data at Risk Spanish defense contractor Indra Group disclosed a ransomware attack attributed to the Gentlemen ransomware group, which claimed to have exfiltrated sensitive corporate data and threatened to publish the information if ransom demands were not met. Although the incident did not reveal novel exploitation techniques, it highlights the ongoing targeting of major defense contractors by ransomware and data extortion operations. The compromise underscores the importance of protecting sensitive defense-related information and maintaining resilient business operations against increasingly sophisticated cybercriminal groups. Because Florida hosts a significant concentration of defense, aerospace, and military contractors, organizations should validate ransomware recovery plans, strengthen network segmentation, monitor for unauthorized data exfiltration, and assess third-party supply chain security to reduce operational and national security risks.

Dormant GitHub Accounts Help Attackers Clone Private Repositories Researchers identified a campaign in which cyber threat actors exploited dormant GitHub accounts to gain unauthorized access to private repositories and organizational development environments. By leveraging inactive or abandoned accounts, attackers were able to enumerate repositories, clone proprietary source code, and collect sensitive development data without immediately attracting attention. The campaign highlights the importance of identity governance within software development platforms, particularly where inactive accounts retain unnecessary access privileges. Because Florida’s defense, aerospace, and technology organizations rely heavily on GitHub for collaborative software development, organizations should regularly audit dormant accounts, enforce least-privilege access controls, require multi-factor authentication, and monitor repository activity for unauthorized cloning or anomalous access patterns.

GitHub AI Agent Leaks Private Repositories When Asked Nicely (GitLost) Security researchers disclosed a prompt-injection vulnerability known as GitLost, which could allow untrusted content in GitHub issues or comments to manipulate artificial intelligence agents connected to private repositories. An attacker could use crafted instructions to cause an overly privileged AI agent to retrieve and expose proprietary source code or other sensitive repository information without directly compromising a developer account. The finding demonstrates how AI agents integrated into software development and continuous integration/continuous deployment environments can create new paths for the software supply chain and intellectual property theft. Florida defense contractors and aerospace organizations should enforce least-privilege permissions for AI agents, sanitize untrusted issue and comment content, restrict agent access to private repositories, and monitor repositories for unauthorized cloning, data retrieval, or disclosure activity.

China-Nexus Actor Spies on US Researchers Undetected for a Year The Google Threat Intelligence Group (GTIG) disclosed that UNC6508, a China-nexus cyber threat actor, conducted a year-long cyber espionage campaign against North American medical and military research institutions. The attackers exploited externally facing Research Electronic Data Capture (REDCap) servers to deploy custom malware named INFINITERED. This malware captured credentials, enabling lateral movement and the covert exfiltration of advanced defense technology and medical data. Furthermore, attackers are spoofing recruitment portals for targeted social engineering. This sustained espionage campaign directly threatens Florida’s extensive defense industrial base and academic medical centers, highlighting the critical exposure of vulnerable research applications.

Defense Industrial Base Sector Recommendations:

  • Revoke inactive development profiles and continuously monitor source code repositories for automated access anomalies.
  • Restrict connected generative artificial intelligence assistants to low-privilege environments and sanitize untrusted user comments.
  • Audit public-facing research application servers for web shells and enforce code provenance checks across pipelines.
Emergency Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

Energy Sector

Mustang Panda Targets India’s Government and Energy Sectors Researchers identified a cyber espionage campaign by the China-linked cyber threat group Mustang Panda targeting government agencies and energy organizations in India. The campaign employed SHARDLOADER to establish initial access and MINIRECON to conduct reconnaissance while abusing legitimate cloud services, including Zoho WorkDrive, to stage malicious payloads and obscure command-and-control communications. The use of trusted cloud platforms demonstrates the continued evolution of state-sponsored tradecraft designed to evade traditional security controls. Because Florida’s electric utilities and energy operators rely on cloud-based collaboration and administrative services, organizations should monitor for unauthorized use of trusted cloud platforms, strengthen endpoint detection capabilities, and review network activity for indicators of reconnaissance or persistence associated with advanced persistent threat (APT) operations.

New APT Group Targets Power Grids in Three Countries With AI-Crafted Malware Researchers identified a newly tracked advanced persistent threat (APT) group, Armored Likho, conducting cyber espionage operations against electric power providers and government organizations in multiple countries. The campaign deployed the AI-assisted BusySnake information-stealing malware while exploiting CVE-2025-9491 to gain initial access and establish persistence within targeted environments. The activity demonstrates the continued evolution of nation-state tradecraft targeting critical energy infrastructure through advanced malware and stealthy persistence mechanisms. Because Florida’s electric utilities and energy providers operate essential infrastructure that supports public safety and economic stability, organizations should promptly remediate known vulnerabilities, monitor scheduled tasks and endpoint activity for indicators of compromise, and strengthen detection capabilities to detect advanced persistent threat activity targeting operational and enterprise networks.

Energy Sector Recommendations:

  • Harden perimeter gateways against advanced persistent threat actors targeting power grid routing infrastructure.
  • Monitor commercial cloud synchronization utilities for anomalous data collection patterns or payload staging attempts.
  • Isolate internal energy management operations from administrative corporate networks using strict network segmentation rules.
Financial Services Sector

Billion-Dollar Lender Suffers Data Breach, Warns Unauthorized Threat Actor Launched Ransomware Attack A U.S. financial institution disclosed that an unauthorized cyber threat actor launched a ransomware attack against its parent company’s network, potentially exposing sensitive customer information and disrupting business operations. Although investigators continue assessing the full scope of the incident, the breach highlights how compromises affecting parent organizations can cascade into subsidiary financial institutions through shared infrastructure and interconnected business systems. Because Florida’s financial institutions frequently rely on centralized corporate networks and shared technology services, organizations should review network segmentation between parent and subsidiary environments, strengthen ransomware preparedness, and continuously monitor for unauthorized access and potential data exfiltration across interconnected systems.

RedWing MaaS Packages Android Banking Trojan With 2FA Interception Security researchers identified RedWing, a new Android Malware-as-a-Service (MaaS) platform that enables cybercriminals to deploy banking malware capable of credential theft, intercepting one-time passwords (OTPs), and bypassing two-factor authentication (2FA). By lowering the technical barrier to entry, the service allows less-skilled cyber threat actors to conduct sophisticated financial fraud campaigns against mobile banking users. The malware also supports remote device control and credential harvesting, increasing the likelihood of account compromise. Because financial institutions and their customers increasingly rely on mobile banking applications, Florida organizations should strengthen mobile device management (MDM) policies, educate users about the risks of sideloading applications, monitor for suspicious authentication activity, and encourage the use of phishing-resistant authentication methods where available.

Financial Services Sector Recommendations:

  • Review network segmentation points connecting parent architectures to local financial infrastructure to prevent cascading compromises.
  • Enforce robust mobile device management settings to block untrusted application sideloading on corporate hardware.
  • Audit single sign-on logs for anomalous session tracking markers indicating multi-factor authentication bypass attempts.
Food and Agriculture Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

Government Services and Facilities Sector

Hackers Breach Foreign Office Systems Using Stolen Fortinet Credentials The United Kingdom’s Foreign, Commonwealth & Development Office and multiple local government organizations experienced unauthorized access after cyber threat actors used previously stolen Fortinet firewall credentials to compromise government systems. The incident demonstrates how administrative credentials stolen during earlier campaigns can continue to provide attackers with access to sensitive government networks long after the initial compromise. Because Fortinet appliances are widely deployed across Florida state agencies and local governments, organizations should immediately audit firewall administrative accounts, rotate exposed or legacy credentials, enforce multi-factor authentication (MFA), and monitor for unauthorized remote access attempts associated with compromised perimeter devices.

Government Services and Facilities Sector Recommendations:

  • Rotate perimeter firewall administrative credentials immediately to mitigate exposure from legacy data leaks.
  • Enforce multi-factor authentication requirements strictly across all privileged remote access and virtual private networks.
  • Review security logs for unauthorized configuration adjustments on edge defense appliances or internet-facing gateways.
Healthcare and Public Health Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

Information Technology Sector

Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer Cybersecurity researchers identified two hijacked npm packages and 16 compromised Go packages designed to infect Windows, Linux, and macOS developer systems. The malware hides execution inside a Microsoft Visual Studio Code task that activates when a trusted project folder is opened, retrieves encrypted JavaScript through blockchain transaction data, establishes a Socket.io backdoor, and deploys a Python information stealer. The campaign targets browser credentials, password managers, cloud tokens, GitHub data, cryptocurrency wallets, and developer artifacts. Florida organizations should remove affected packages, inspect developer systems for hidden folder-open tasks, and rotate potentially exposed credentials, tokens, application programming interface keys, and cloud secrets.

Critical Dell Wyse Management Suite Vulnerabilities Could Let Attackers Compromise Systems Multiple critical vulnerabilities were identified in Dell Wyse Management Suite (WMS) that could allow attackers to compromise enterprise thin-client management environments through remote exploitation. The flaws affect the software used to administer Dell thin clients centrally and, if left unpatched, could grant attackers elevated privileges and unauthorized control over managed endpoints. Because Wyse Management Suite is commonly deployed to manage enterprise endpoint infrastructure across government, healthcare, education, and commercial environments, successful exploitation could disrupt centralized device management and expose sensitive enterprise systems. Florida organizations using Dell Wyse Management Suite should immediately apply the latest security updates, restrict administrative access to management servers, monitor for unauthorized administrative activity, and review endpoint management systems for indicators of compromise.

Critical SimpleHelp Vulnerability Exploited for Malware Delivery Security researchers confirmed that cyber threat actors are actively exploiting CVE-2026-48558, a critical authentication-bypass vulnerability affecting SimpleHelp Remote Monitoring and Management (RMM) software, to deliver the Djinn Stealer malware. Successful exploitation allows attackers to forge OpenID Connect identity tokens, bypass authentication, and compromise managed systems through trusted remote administration infrastructure. Because SimpleHelp and similar RMM platforms are widely used by managed service providers supporting critical infrastructure, a successful compromise can provide attackers with broad access across multiple client environments. Florida organizations should immediately apply vendor security updates, monitor RMM servers for unauthorized authentication events, investigate suspicious OpenID Connect token activity, and review managed endpoints for indicators of Djinn Stealer infection.

Adobe Patches Seven Max-Severity ColdFusion Vulnerabilities Adobe released security updates addressing seven maximum-severity vulnerabilities affecting ColdFusion and Adobe Campaign Classic, including flaws that could allow pre-authentication remote code execution with minimal attacker interaction. Researchers observed active threat interest in these vulnerabilities, prompting Adobe to recommend Priority 1 patching within 72 hours for affected systems. Because ColdFusion continues to support enterprise web applications across government, education, healthcare, and commercial organizations, exploitation could provide attackers with an initial foothold into critical business environments. Florida organizations should immediately apply Adobe security updates, identify internet-facing ColdFusion servers, restrict unnecessary external access, and monitor web application logs for indicators of attempted exploitation.

Progress Kemp LoadMaster Flaw Could Let Attackers Execute Commands Remotely Researchers warned that cyber threat actors are actively exploiting CVE-2026-8037, a pre-authentication command injection vulnerability affecting Progress Kemp LoadMaster load balancers following the public release of proof-of-concept exploit code. Successful exploitation could enable attackers to execute arbitrary commands on vulnerable devices, granting unauthorized access to enterprise network infrastructure at the perimeter of critical environments. Because LoadMaster appliances are widely deployed to manage traffic across enterprise applications and critical infrastructure services, Florida organizations should immediately apply vendor security updates, restrict access to management interfaces, review administrative logs for suspicious requests, and continuously monitor perimeter devices for indicators of compromise.

Phantom Squatting: Hallucinated Web Domains Target AI-Assisted Developers Palo Alto Networks Unit 42 researchers identified a new supply chain threat known as Phantom Squatting, in which cyber threat actors register internet domains generated by artificial intelligence (AI) hallucinations to deceive developers using AI coding assistants. When AI tools reference nonexistent software packages, repositories, or websites, attackers can register those domains and distribute malicious code or phishing content to unsuspecting users. The technique exploits trust in AI-generated recommendations rather than software vulnerabilities, creating a new attack vector against software development environments. Because Florida government agencies, defense contractors, and technology organizations increasingly rely on AI-assisted development tools, they should validate AI-generated package references, verify repository authenticity before downloading software, monitor newly registered domains that resemble development resources, and implement software supply chain verification practices throughout development pipelines.

JADEPUFFER: First Agentic Ransomware Operation Targets Langflow AI Servers Security researchers identified JADEPUFFER, the first documented autonomous, agentic ransomware operation capable of conducting multiple stages of an attack with minimal human intervention. The campaign targets internet-exposed Langflow artificial intelligence middleware, allowing attackers to gain initial access, automate reconnaissance, execute malicious actions, and deploy ransomware through AI-assisted workflows. The emergence of autonomous ransomware represents a significant evolution in cyber threat capabilities by reducing attacker workload and accelerating intrusion timelines. Because Florida organizations are increasingly integrating AI development platforms into enterprise environments, they should identify and secure exposed Langflow instances, promptly apply vendor security updates, restrict unnecessary internet exposure, and continuously monitor AI infrastructure for indicators of unauthorized access and malicious automation activity.

New ChocoPoC RAT Targets Vulnerability Researchers Through Fake GitHub Exploits Cybersecurity researchers identified a new remote access trojan (RAT) known as ChocoPoC, which targets security researchers, vulnerability analysts, and DevSecOps personnel by embedding malware within fraudulent GitHub proof-of-concept repositories. Rather than exploiting software vulnerabilities directly, attackers rely on trusted research workflows to convince users to execute malicious code disguised as legitimate exploit demonstrations. Once installed, the malware enables credential theft, remote access to systems, and delivery of additional payloads while compromising systems used for vulnerability research. Because Florida government agencies, managed service providers, defense contractors, and enterprise security teams routinely evaluate proof-of-concept exploit code, organizations should isolate malware testing environments, verify repository authenticity before execution, restrict the use of untrusted code on production systems, and monitor developer workstations for suspicious outbound connections and unauthorized access to credentials.

Citrix Patches NetScaler Vulnerabilities Including New HTTP/2 Bomb Attack Citrix released security updates addressing multiple high-severity vulnerabilities affecting NetScaler ADC and NetScaler Gateway, including protections against the newly identified HTTP/2 Bomb denial-of-service attack. The vulnerabilities, including CVE-2026-10816 and CVE-2026-8451, could allow attackers to exhaust system resources, disrupt remote access services, or trigger memory-related failures in internet-facing appliances. Because NetScaler products are widely deployed to provide secure remote access across government agencies, healthcare organizations, educational institutions, and commercial enterprises, successful exploitation could significantly impact critical business operations. Florida organizations should immediately apply Citrix security updates, review internet-facing NetScaler deployments, monitor gateway logs for unusual HTTP/2 traffic and denial-of-service activity, and validate remote access resilience as part of business continuity planning.

FBI Warns TeamPCP Targets Software Supply Chains and Cloud Secrets The Federal Bureau of Investigation (FBI) issued a FLASH advisory warning that the TeamPCP cybercriminal group is conducting large-scale software supply chain attacks targeting developers and organizations supporting critical infrastructure. The campaign focuses on stealing cloud access tokens, Secure Shell (SSH) keys, Kubernetes secrets, and application programming interface (API) credentials to compromise development environments and enable lateral movement across enterprise cloud infrastructure. By targeting trusted software development and continuous integration/continuous deployment (CI/CD) pipelines, TeamPCP increases the risk of downstream compromises affecting multiple organizations. Because Florida’s defense contractors, government agencies, and technology providers rely heavily on cloud-native development environments, organizations should secure cloud credentials, rotate exposed access tokens and SSH keys, implement least-privilege access controls, and continuously monitor CI/CD pipelines for unauthorized access to credentials and suspicious repository activity.

Cavern Manticore: Exposing an Iran-Linked Modular C2 Framework Check Point Research identified Cavern Manticore, an Iran-linked advanced persistent threat (APT) campaign employing a highly modular command-and-control (C2) framework designed to target information technology providers and government networks. The operation incorporates mixed-mode C++/CLI and .NET Native AOT compilation techniques to improve stealth, evade traditional detection methods, and maintain persistent access within compromised environments. Researchers observed sophisticated modular tooling that enables flexible payload deployment and long-term espionage operations against enterprise networks. Because information technology providers frequently serve as trusted partners supporting Florida government agencies and critical infrastructure organizations, defenders should monitor for anomalous compilation artifacts, reconstruct metadata during malware analysis, strengthen endpoint detection capabilities, and investigate suspicious command-and-control communications indicative of state-sponsored activity.

Hackers Can Use 9 of the Most Popular AI Tools to Assemble Massive Botnets Security researchers demonstrated a new attack technique known as HalluSquatting, in which cyber threat actors exploit hallucinations generated by artificial intelligence (AI) coding assistants to distribute malicious software and assemble large-scale botnets. By exploiting AI-generated references to nonexistent software packages and repositories, attackers can register fraudulent resources that developers may unknowingly trust and install. The research highlights how AI-assisted development workflows can introduce software supply chain risks without exploiting traditional software vulnerabilities. Because Florida government agencies, defense contractors, and technology organizations are increasingly integrating AI-assisted development tools into their software engineering processes, organizations should validate AI-generated package references, verify repository authenticity before installation, implement software supply chain controls, and require human review of AI-generated code recommendations.

Dialogflow CX Rogue Agent Flaw Enabled AI Chatbot Data Theft Security researchers disclosed a critical “Rogue Agent” vulnerability affecting Google Dialogflow CX, demonstrating how improperly secured AI chatbot environments could be manipulated to execute unauthorized code, maintain persistence, and facilitate data theft. The flaw exploits weaknesses in permission boundaries and conversational AI workflows, allowing attackers to inject malicious logic into enterprise chatbot environments and potentially access sensitive organizational information. As AI-powered customer service and automated business applications become more common, weaknesses in conversational AI platforms present an expanding enterprise attack surface. Because Florida government agencies, healthcare organizations, financial institutions, and private-sector critical infrastructure operators increasingly rely on AI-driven customer interaction platforms, organizations should review Dialogflow CX deployments, validate permission boundaries, implement strict input validation, and continuously monitor AI agents for unauthorized code execution and abnormal data access.

Critical Gitea Flaw Under Active Exploitation, Researchers Warn Security researchers warned that cyber threat actors are actively exploiting CVE-2026-20896, a critical vulnerability (CVSS 9.8) affecting Gitea, a widely used self-hosted Git repository management platform. Successful exploitation could enable attackers to remotely compromise vulnerable Gitea instances, granting unauthorized access to source code repositories and the development infrastructure that supports enterprise software development and CI/CD operations. Because many organizations rely on self-hosted code repositories to manage proprietary software and operational technology projects, exploitation could lead to intellectual property theft and compromise of the software supply chain. Florida organizations using Gitea should immediately apply the latest security updates, restrict administrative access through source IP allowlisting, review repository activity for unauthorized access, and monitor development infrastructure for indicators of compromise.

AI Coding Tools Tricked into Hacking Developer Machine via Decades-Old Technique Security researchers demonstrated a new attack technique known as GhostApproval, showing how widely used AI coding assistants—including Claude, Cursor, and Amazon Q Developer—can be manipulated through a long-standing symbolic link (symlink) vulnerability to perform unauthorized actions on a developer’s workstation. By exploiting weaknesses in file approval workflows, attackers can deceive AI coding tools into modifying or accessing unintended files, potentially leading to remote code execution and compromise of development environments. The research highlights emerging risks associated with integrating AI assistants into software development workflows without sufficient security controls. Because Florida’s technology companies, government agencies, and defense contractors increasingly rely on AI-assisted software development, organizations should promptly apply vendor security updates, audit AI coding assistant permissions, strengthen sandbox protections, and require human validation of file operations initiated by AI development tools.

Threat Actor Uses Agentic AI to Compromise AWS Cloud in 72 Hours Security researchers analyzed a real-world attack in which a single cyber threat actor used agentic artificial intelligence (AI) tools to compromise an Amazon Web Services (AWS) cloud environment in approximately 72 hours. The incident demonstrated how AI-assisted automation can dramatically accelerate reconnaissance, privilege escalation, and lateral movement within cloud infrastructures, reducing the time required to compromise enterprise environments. Researchers noted that the attack highlighted the growing capability of AI to enhance offensive cyber operations rather than introducing new software vulnerabilities. Because Florida government agencies, critical infrastructure operators, and private-sector organizations increasingly rely on AWS cloud services, organizations should strengthen identity and access management (IAM), enforce least-privilege permissions, continuously monitor cloud activity for automated privilege escalation, and update incident response procedures to address AI-assisted attack techniques.

Large-Scale Exploitation Campaign Targeting Website Content Management Systems (CMS) The Australian Cyber Security Centre (ACSC) warned of a large-scale campaign targeting vulnerable content management systems (CMS) through unauthenticated file upload and deserialization vulnerabilities. Cyber threat actors have been exploiting internet-facing CMS platforms to deploy web shells, establish persistent access, and facilitate follow-on ransomware and data extortion operations. Researchers observed attackers leveraging these techniques to compromise publicly accessible websites that support government, commercial, and critical infrastructure organizations. Because Florida organizations rely extensively on CMS platforms to host public-facing services and operational websites, administrators should immediately apply security updates, review web servers for unauthorized file uploads and web shells, restrict unnecessary administrative access, and continuously monitor web application logs for indicators of exploitation.

AI Gateways Are the Keys to the Kingdom Security researchers highlighted the growing security risks associated with artificial intelligence (AI) gateways, demonstrating how a real-world compromise of an enterprise AI gateway enabled attackers to gain unauthorized access to cloud-hosted AI infrastructure and consume cloud computing resources. The research emphasizes that AI gateways have become high-value targets because they broker authentication, application programming interface (API) requests, and communications between enterprise applications and large language models (LLMs). A successful compromise could enable attackers to carry out lateral movement, access unauthorized data, and abuse cloud-based AI services. Because Florida government agencies, healthcare organizations, financial institutions, and critical infrastructure operators are rapidly adopting enterprise AI platforms, organizations should strengthen identity and access management (IAM) controls around AI gateways, continuously monitor AI service activity for anomalous API usage, restrict unnecessary permissions, and regularly audit AI infrastructure for unauthorized access.

Information Technology Sector Recommendations:

  • Patch internet-facing applications, remote management platforms, and enterprise technologies to remediate actively exploited vulnerabilities.
  • Verify software packages and code repositories to reduce supply chain risks from malicious dependencies.
  • Rotate exposed cloud credentials and application programming interface keys to secure development infrastructure.
  • Restrict permissions for generative artificial intelligence assistants and validate all automated code recommendations.
  • Enhance endpoint detection capabilities to identify command-and-control communications, unauthorized authentication, and credential theft.
Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

Transportation Systems Sector

Maritime Phishing Campaign Targets South Korean Shipping and Logistics Organizations Researchers identified a cyber campaign targeting South Korean maritime organizations through phishing emails and business email compromise (BEC) infrastructure designed to steal credentials and gain unauthorized access to shipping and logistics networks. The operation leveraged the RedLine Stealer malware and supporting command-and-control infrastructure to compromise organizations involved in maritime transportation and global supply chain operations. The campaign demonstrates the continued targeting of shipping organizations as high-value entry points into international logistics networks supporting critical infrastructure. Because Florida’s seaports and maritime transportation systems play a vital role in domestic and international commerce, transportation organizations should strengthen phishing awareness training, implement multi-factor authentication (MFA) for business email accounts, monitor for unauthorized credential use, and continuously review network activity for indicators associated with RedLine Stealer and business email compromise campaigns.

2025 CTIME Report Highlights Growing Maritime Cyber Threats The U.S. Coast Guard released its 2025 Cyber Trends and Insights in the Marine Environment (CTIME) report, revealing a 17% year-over-year increase in maritime cyber incidents. Phishing drove 43% of initial access events, representing an 18-point rise. The Coast Guard also warned that out-of-the-box artificial intelligence cybersecurity platforms failed to detect simulated attacks unless explicitly tuned for the operating environment. Additionally, “Dark Fleet” vessels presented severe network risks, including unattended remote access tools and hardware designed for Automatic Identification System (AIS) spoofing. These vulnerabilities present a severe, escalating risk to Florida’s massive commercial port and maritime logistics network.

Transportation Systems Sector Recommendations:

  • Train maritime logistics personnel to isolate unverified freight communications and prevent credential harvesting schemes.
  • Tune cloud-hosted artificial intelligence security monitoring platforms specifically to match local port infrastructure traffic baselines.
  • Establish redundant, out-of-band communication workflows to protect local delivery tracking fleets from tracking vulnerabilities.
Water and Wastewater Systems Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this reporting period.

 

 

Supplement:

Adversary Watch (Early July 2026)

This is a periodic operational intelligence analytic product for Florida’s Critical Infrastructure (CI) Managers, Planners, and CISOs to provide an integrated synthesis of recent CI-focused Threat Actor Campaigns, IT/OT TTPs, and Defensive Posturing. This issue covers trends in the period July 1-July 14 2026

1. Threat Actor & Campaign Matrix

Russia-Nexus (FSB Centre 16 / Turla, NoName, Armored Likho)

• Strategic Intentions: Espionage and prepositioning for CI sabotage. Operations specifically target power grids to disrupt communications between renewable energy assets and central power distribution networks. The GRU and Russian military are also actively testing CI response times via drone incursions and projecting continental-scale electronic warfare (GPS/PNT jamming).

• Sustained Capabilities: FSB Centre 16 exploits poorly configured edge routing devices, IP cameras, and legacy management protocols (SNMP) to monitor physical logistics and establish footholds. Armored Likho utilizes the evasive, Python-based BusySnake Stealer to target electric power operators.

• Targeted CISA Sectors: Energy, Water/Wastewater, Transportation Systems (Maritime), and Government Facilities.

China-Nexus (PLA/MSS / Salt Typhoon, UAT-7810)

• Strategic Intentions: Expanding Military-Civil Fusion doctrine to embed stealthy intelligence collection within global telecommunications and edge hardware for potential wartime disruption. Operations also heavily target the U.S. innovation base to steal AI product roadmaps.

• Sustained Capabilities: UAT-7810 relies heavily on custom malware (“SHORTLEASH”) to convert unpatched enterprise edge devices and network-attached storage into Operational Relay Box (ORB) networks, enabling obfuscated secondary attacks.

• Targeted CISA Sectors: Telecommunications, Defense Industrial Base (DIB), Energy, and Information Technology.

Autonomous AI & High-Tier Cybercriminals (JADEPUFFER, The Gentlemen, Hyadina, TeamPCP)

• Strategic Intentions: Rapid scaling of extortion, data theft, and supply chain compromise.

• Sustained Capabilities: JADEPUFFER represents a severe escalation: an “agentic” LLM actor autonomously navigating the kill chain from initial access to destructive database encryption without human operators. The Gentlemen have rapidly scaled to account for 17% of global ransomware attacks. Hyadina neutralizes EDR via kernel drivers, while TeamPCP extracts cloud access tokens and Kubernetes secrets via supply chain compromises.

• Targeted CISA Sectors: Cross-sector (heavy focus on Healthcare, IT, and Commercial Facilities).

2. Integrated TTP & Vulnerability Analysis

Primary Initial Access Vectors

• Edge Device & Perimeter Exploitation: Edge infrastructure remains the primary ingress vector. Threat actors are actively exploiting Citrix NetScaler SAML identity providers (CVE-2026-8451), Gitea reverse-proxy authentication (CVE-2026-20896), and Ubiquiti UniFi OS command injection (CVE-2026-50746). The “FortiBleed” campaign harvested configurations from over 73,000 Fortinet devices, currently facilitating INC and Lynx ransomware deployments.

• Supply Chain Poisoning: Lazarus Group and APT37 are compromising legitimate developer accounts to inject obfuscated loaders into open-source ecosystems (npm, Packagist).

Specific IT-to-OT Pivot Techniques

• Centralized Platform Hijacking: Threat actors are breaching IT/OT boundaries by compromising centralized management and middleware. Active exploitation of SimpleHelp RMM (CVE-2026-48558) grants administrative control over OT networks. Similarly, exploitation of Oracle E-Business Suite (CVE-2026-46817) and SharePoint (CVE-2026-45659) directly threatens logistics and DIB supply chains.

• Embedded Local Exploitation: Vulnerabilities in the FatFs filesystem library (embedded in millions of industrial controllers) allow threat actors with physical access to execute arbitrary code on OT assets via compromised USB/SD media.

• EDR Blinding: The Hyadina ransomware operation uses the PoisonX kernel driver to neutralize conventional endpoint detection mechanisms prior to execution.

3. Cross-Source Trends

• Convergence of Cyber and Physical Threats: Ransomware affiliates are escalating digital extortion by issuing credible threats of physical violence against organizational leadership and their families. Simultaneously, the maritime sector is experiencing a resurgence in physical piracy and drone incursions layered with tailored RedLine infostealer/BEC campaigns against logistics providers.

• Widespread PNT/GPS Degradation: Geopolitical electronic warfare (primarily Russian-led) is causing severe positioning, navigation, and timing (PNT) failures on a continental scale, resulting in critical dependencies for commercial aviation and maritime networks.

• IoT Botnets Threatening Adjacent OT: The rapid proliferation of Golang-based malware (Apex2, c2c/meow) targeting exposed Linux and IoT devices for DDoS botnets presents a high spillover risk to physically adjacent OT environments across Water and Agricultural sectors.

4. Defensive Implications

Immediate Prioritized Defensive Controls

• Edge & Middleware Triage: Florida CI operators must immediately patch or isolate Citrix NetScaler, Gitea instances, Oracle E-Business Suite, and SimpleHelp RMM interfaces.

• Fortinet Credential Rotation: Operators utilizing Fortinet firewalls must assume compromise if historical patching was delayed; CISOs must mandate absolute credential rotation and audit VPN configurations for unauthorized persistence.

• Disable Vulnerable On-Premises File Sharing: Isolate or completely disable on-premises Progress ShareFile Storage Zone Controllers facing active exploitation.

CI/OT Tailored Mitigation & Detection

• Zero-Trust for Distributed OT: Florida energy planners must mandate strict zero-trust segmentation between central distribution networks and remote renewable generation hardware (e.g., solar arrays) to block Russian FSB sabotage efforts.

• PNT Resilience: Florida maritime ports and aerospace corridors must immediately audit backup navigation mechanisms and implement resilient, non-GPS-dependent timing synchronization protocols.

• IoT Air-Gapping: Sectors relying on distributed sensors must strictly isolate IoT networks from core OT environments, disabling public-facing administrative ports and enforcing strict egress filtering.

• Physical Media Policies: Disable AutoRun and ban unvetted USB/SD cards near industrial controllers to mitigate the unpatched FatFs library vulnerabilities.

5. Intelligence Gaps

• Unverified Physical OT Manipulation: The Russian-linked hacktivist group NoName publicly claims they breached a Quebec water treatment plant with the capability to covertly manipulate physical OT assets (pumps, chlorine dosing). However, precise telemetry confirming successful physical manipulation downstream remains unverified.

• Decentralized Cybercriminal Infrastructure: While a key member of Scattered Spider was arrested, the collective has shifted to a decentralized model. The operational readiness, command structure, and remaining shared infrastructure of these independent clusters lack clear definition.

• Initial Intrusion Vectors: The specific vulnerability exploited by the “Breach Boyz” to steal sensitive PII at the Rogers County Jail remains unconfirmed by third-party auditors, limiting the ability to establish preventative indicators for other emergency services facilities.