The first half of July showed threat actors pushing harder with high-touch intrusions, router-based persistence, and faster ransomware playbooks. UAT-7810's expanding ORB mesh and The Gentlemen's aggressive extortion stood out, while fresh web app exploits and AI-driven automation kept pressure on defenders. The big theme was speed and stealth: identity compromise, edge device abuse, and quick RCE chaining that demand tighter patching and sharper visibility across networks.

Report Links

Download Threat Brief For July 1-15 2026

Byer-Nichols Threat Brief Podcast July 1-15 2026

Ransomware Actors

Ransomware Percentage Last Period Two Ago
The Gentlemen 18.43% 1 2
Qilin 14.29% 2 3
Krybit 5.99% 12 9
SAFEPAY 5.53% 15 14
INC Ransom 5.53% 6 7

The first half of July saw The Gentlemen dominate ransomware activity, accounting for nearly 20% of observed victims. Qilin continued its steady rise, while Krybit and SAFEPAY posted notable increases, making both groups worth watching. INC Ransom remained consistent with its enterprise-focused, data theft-first operations. Overall, aggressive groups continue to lead while emerging actors gain momentum.

Victim Sector

Sector Percentage Last Period Movement
Technology 14.75% 1 same
Manufacturing 13.82% 4 4 -> 1
Construction 12.90% 2 2 -> 3
Financial Services 12.44% 5 5 -> 4
Retail 11.98% 3 3 -> 5

Victim Location

Victim Percentage Last Period Movement
USA 45.16% 1 same
Germany 8.76% 2 same
UK 4.61% new new
Brazil 3.69% new new
Italy 3.23% new new

Victim Org Size

Size Percentage Last Period Change
Small Business (500 or less) 79.72% 74.64% +5.08%
Mid-Market (501-5000) 17.97% 17.66% +0.31%
Large Enterprise (5000+) 2.30% 7.69% -5.39%

Trending Adversaries

Armored Likho, UAT-7810, O-UNC-066, and Helix all leaned into high-touch intrusion work, with Likho pushing stealthy Python loaders and UAT-7810 expanding router-based ORB infrastructure that's tough to spot. O-UNC-066 kept exploiting exposed services for quick data theft, while Helix refined phishing to gain reliable initial access. The shared trend is identity compromise and living off the land tooling, and UAT-7810 stands out as the most concerning thanks to its persistent edge-device footholds.

  • Armored Likho
  • UAT-7810
  • O-UNC-066
  • Helix (Vishing Group)

Trending & Actively Exploited Vulnerabilities

The July activity trending vulnerabilities show attackers zeroing in on easy-to-automate RCE bugs across Joomla builders, Langflow, ColdFusion, SharePoint, NetScaler, and Gitea. Most of the action has been quick webshell drops followed by credential theft and lateral movement, especially on ColdFusion and NetScaler. For defenders, the priority is tightening patch cycles, locking down exposed admin panels, and boosting monitoring around web apps and edge gateways.

CVE Vendor Product
CVE-2026-56291 Balbooa Forms
CVE-2026-48939 iCagenda iCagenda
CVE-2026-48908 JoomShaper SP Page Builder
CVE-2026-55255 Langflow Langflow
CVE-2026-56290 Joomlack Page Builder
CVE-2026-48282 Adobe ColdFusion
CVE-2026-45659 Microsoft SharePoint Server
CVE-2026-8451 Citrix NetScaler (ADC & Gateway)
CVE-2026-20896 Gitea Gitea Open Source Git Server

Trending Malware

Trending Malware Details
ChocoPoC A Python-based remote access trojan delivered through weaponized proof of concept exploit repositories on GitHub, aimed squarely at vulnerability researchers. The attacker adds malicious PyPI packages as dependencies, so a routine pip install silently pulls in a native extension that only activates when the real PoC script runs. Once triggered, ChocoPoC can execute arbitrary shell and Python commands, harvest browser passwords, cookies, autofill data, and scan for text, markdown, and database files. It uses Mapbox datasets as a dead-drop C2 channel, wrapped in DNS-over-HTTPS and domain fronting so traffic looks like normal mapping API calls. This makes PoC-driven research workflows a high-risk infection vector and turns trusted code-sharing platforms into a supply chain threat.
JadePuffer A ransomware operation executed entirely by an autonomous AI agent, from initial intrusion to encryption and ransom note delivery. The agent exploited a known Langflow vulnerability, moved laterally, encrypted over a thousand configuration items, and deleted originals, completing steps in seconds without human input. Its toolkit is technically ordinary; the real shift is that a machine can plan, adapt, and rerun the playbook at scale, driving the cost of an intrusion toward zero. That dynamic massively expands who can launch ransomware and how many campaigns can run in parallel, overwhelming human-speed SOC workflows. Defenders now have to assume machine-speed adversaries and invest in agentic, autonomous response to stay in the game.
BusySnake A Python-based infostealer deployed by the Armored Likho APT against government agencies and critical infrastructure entities in Russia, Brazil, and Kazakhstan. The group uses spearphishing lures with archive files and shortcut links that display benign-looking documents while quietly dropping multistage loaders. BusySnake's final payload harvests browser passwords and cookies, clipboard contents, cryptographic keys, messaging and authentication data, and Telegram session information, and can set up reverse SSH tunnels or remote access tools for persistent control. The malware is heavily obfuscated with PyArmor Pro, decrypting functions only when needed, embedding its own networking stack, and using lockfile mechanisms to avoid multiple instances. This combination of stealth, modularity, and long-term interactive access makes it a serious espionage and data theft risk for critical infrastructure environments.
GodDamn Ransomware The latest variant in the Hyadina ransomware family, evolving from Beast and Monster and first seen in May 2026. In recent attacks, operators hide AnyDesk on victim endpoints and then deploy an executable masquerading as a Symantec product to drop PoisonX, a malicious kernel driver signed with a legitimate Microsoft publisher certificate. PoisonX is loaded into the Windows driver store and used to terminate endpoint security processes, dramatically weakening defenses before the main ransomware run. With protections disabled, the attackers deploy tools like NirSoft and Mimikatz to harvest credentials, cookies, and live network traffic, pivoting toward admin accounts and broader domain control. Once they have sufficient access, they trigger GodDamn to encrypt files and present a ransom note, showcasing how modern ransomware blends signed drivers, living off the land tools, and layered evasion.
LONGLEASH An evolved backdoor used by the China-linked APT UAT-7810 in its LapDogs operational relay box (ORB) campaign. It builds on the earlier ShortLeash router malware, adding richer command and control, web server hosting, tunnel management, and the ability to act as both C2 and client across compromised SOHO routers. The actor primarily exploits known Ruckus router vulnerabilities (including CVE-2020-22653, CVE-2020-22658, and CVE-2023-25717) and uses payloads compiled for MIPS, ARM, and x64 to maximize coverage. LONGLEASH can forward commands and data between peers, effectively chaining infected routers into a resilient proxy mesh that hides the true origin of espionage traffic. For defenders, it turns edge networking gear into a stealthy infrastructure layer that is easy to overlook but critical to dismantle.
DOGLEASH A C-based passive backdoor operated by UAT-7810 and deployed via shell scripts on compromised Linux networking devices, often routers. The installer modifies iptables rules to allow inbound TCP traffic to a hardcoded local port where DOGLEASH binds and listens. Incoming data is decoded with a hardcoded password string, after which the malware can execute shell commands, read files, rename files to create backups, and run arbitrary shellcodes in memory. It also gathers OS information such as release, version, hardware ID, and node name, giving operators situational awareness of each compromised device. Because it blends into router environments and relies on simple TCP listeners, DOGLEASH can quietly extend the APT's ORB network and provide durable footholds that are easy to miss in traditional endpoint-centric monitoring.

Top News

  • Ransomware Thugs Masquerade as Interpol to Entice Small Biz
  • Alleged Scattered Spider hacker extradited to the United States
  • ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit
  • NetNut proxy network disrupted, 2 million infected devices cut off
  • Former ransomware negotiator gets 4 years for BlackCat attacks
  • Conditional Access Misconfigurations Exposed 55 Orgs with MFA On
  • Police suspects Dutch hackers were involved in Odido breach
  • Progress urges ShareFile admins to shut down servers over "credible" threat

Contributors

Written by Jeremy Nichols, Director, Security Programs & Strategy at SecureSky Executive Summaries & Adversary Bio's by Geoff Rehmet, Cybersecurity Architect Produced & Distributed By Phish Tank Digital