<p> <strong> Threat Assessment Level: ELEVATED </strong> <em> (trending toward HIGH) </em>
</p>
<p> The threat level remains ELEVATED, consistent with the prior assessment period. Escalation toward HIGH is driven by newly published attack chain analysis confirming that the Abyss Locker ransomware group is actively exploiting technology stacks identical to those deployed across state government agencies — SonicWall VPN appliances, Veeam Backup & Replication, and VMware ESXi hypervisors. Simultaneously, Russian and Iranian nation-state actors have refreshed their government-targeting toolkits this week.
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demands immediate attention. A detailed technical teardown of the <strong> Abyss Locker </strong> ransomware operation reveals an attack chain that reads like a blueprint against standard state agency infrastructure. At the same time, <strong> COZY BEAR </strong> (APT29/Midnight Blizzard) — Russia's SVR-affiliated cyber espionage group — has refreshed indicators targeting government entities, and a newly surfaced Iranian actor, <strong> WARLORD KITTEN </strong> , is deploying implants against government and telecom targets.
</p>
<p> State and local government remains the #1 ransomware target sector in the United States. The intelligence in this brief is not theoretical — it describes active campaigns exploiting the exact systems your agencies operate today.
</p>
<h2> <strong> What Changed This Week </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters to State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Abyss Locker full kill chain published </strong> (Sygnia, 28 May) </p> </td> <td> <p> Confirms active exploitation of SonicWall CVE-2021-20038, Veeam credential theft, and ESXi encryption — all standard state gov components </p> </td> </tr> <tr> <td> <p> <strong> COZY BEAR IOCs refreshed </strong> (28 May) </p> </td> <td> <p> Russia's premier government-targeting espionage group has re-validated active infrastructure; government remains primary target </p> </td> </tr> <tr> <td> <p> <strong> WARLORD KITTEN enters collection </strong> (28 May) </p> </td> <td> <p> New Iranian threat actor deploying OtakuKit malware against government and telecom — first appearance in state-relevant feeds </p> </td> </tr> <tr> <td> <p> <strong> CISA adds 3 new KEVs </strong> (27 May) </p> </td> <td> <p> New actively exploited vulnerabilities with mandatory federal patch deadlines; state agencies on shared infrastructure face same exposure </p> </td> </tr> <tr> <td> <p> <strong> OAuth device code phishing documented </strong> (28 May) </p> </td> <td> <p> Technique succeeds even when MFA is enforced: the victim completes a genuine sign-in and the tokens are issued to the attacker. Affects Microsoft 365/Azure AD — the identity platform most state agencies depend on </p> </td> </tr> <tr> <td> <p> <strong> 6 ABB ICS advisories issued </strong> (27 May) </p> </td> <td> <p> Vulnerabilities in industrial control systems (AC500 V2, Terra AC, Zenon) relevant to state-operated water, facilities, and transportation </p> </td> </tr> <tr> <td> <p> <strong> FBI seizes "First VPN Service" infrastructure </strong> (26 May) </p> </td> <td> <p> Temporary disruption to ~25 ransomware groups; adversary migration to new infrastructure expected within 7–14 days </p> </td> </tr> <tr> <td> <p> <strong> Nimbus Manticore (IRGC-affiliated) AI-assisted malware campaigns documented </strong> (26 May) </p> </td> <td> <p> Iranian government-targeting operations confirmed active using AI-assisted tooling </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Relevance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 7 May 2026 </p> </td> <td> <p> Ghost CMS SQL injection campaign (CVE-2026-26980) begins compromising 700+ sites with ClickFix lures </p> </td> <td> <p> State agency websites running CMS platforms at risk of watering-hole compromise </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> FBI seizes "First VPN Service" infrastructure used by ~25 ransomware groups </p> </td> <td> <p> Temporary disruption; adversary migration to new infrastructure expected within 7–14 days </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> Nimbus Manticore (IRGC-affiliated) documented conducting AI-assisted malware campaigns targeting government </p> </td> <td> <p> Iranian government-targeting operations confirmed active </p> </td> </tr> <tr> <td> <p> 27 May 2026 </p> </td> <td> <p> CISA adds 3 new actively exploited vulnerabilities to KEV catalog </p> </td> <td> <p> Patch deadlines apply to federal and state .gov systems </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> Sygnia publishes Abyss Locker VPN-to-ransomware technical deep dive </p> </td> <td> <p> Attack chain maps precisely to state government technology stack </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> <strong> COZY BEAR (APT29) IOCs refreshed with high-confidence government targeting </strong> </p> </td> <td> <p> Active Russian espionage threat to state government </p> </td> </tr> <tr> <td> <p> 28 May 2026 </p> </td> <td> <p> WARLORD KITTEN (Iranian) surfaces with OtakuKit implant targeting government/telecom </p> </td> <td> <p> New actor in state government threat aperture </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Abyss Locker: A Ransomware Playbook Written Against Your Infrastructure </strong>
</h3>
<p> The Abyss Locker group's documented attack chain is alarming in its specificity to state government environments:
</p>
<p> <strong> Kill Chain: </strong>
</p>
<ol> <li> <strong> Initial Access: </strong> Exploit unpatched SonicWall VPN (CVE-2021-20038) </li> <li> <strong> Credential Theft: </strong> Harvest Veeam Backup & Replication service account credentials using custom PowerShell scripts </li> <li> <strong> Persistence: </strong> Deploy SSH reverse tunnels masquerading as Windows services (WMI Helper Agent, UpdateSVC) </li> <li> <strong> Defense Evasion: </strong> Bring-Your-Own-Vulnerable-Driver (BYOVD) to kill EDR — using signed Zemana and Process Explorer drivers </li> <li> <strong> Lateral Movement: </strong> PsExec and Impacket across the domain </li> <li> <strong> Exfiltration: </strong> Rclone to cloud storage (AWS S3, BackBlaze) </li> <li> <strong> Impact: </strong> Encrypt ESXi hypervisors hosting all agency virtual machines </li>
</ol>
<p> <strong> Why this matters: </strong> Many state agencies run SonicWall VPN for remote access, Veeam for backup, and ESXi for virtualization. This is not a hypothetical — it is a documented, active campaign exploiting the exact stack those agencies operate, and the chain is built so that the backup layer is compromised before the encryption step, removing the recovery path.
</p>
<p> <strong> Key ATT&CK Techniques: </strong> T1190, T1003.002, T1562.001, T1572, T1570, T1567, T1486
</p>
<h3> <strong> 2. COZY BEAR (APT29) — Persistent Government Espionage </strong>
</h3>
<p> Russia's SVR-affiliated group refreshed active indicators on 28 May targeting government, defense, NGOs, and universities. The ATI-Agent malware family uses web protocol C2, obfuscated payloads, and stolen credentials for persistence. State government agencies — particularly those handling policy, elections, or federal coordination — remain squarely in COZY BEAR's targeting aperture.
</p>
<p> <strong> Key ATT&CK Techniques: </strong> T1071.001, T1027, T1078, T1566.001
</p>
<h3> <strong> 3. WARLORD KITTEN — New Iranian Actor Targeting Government </strong>
</h3>
<p> A previously uncollected Iranian-nexus actor has surfaced deploying <strong> OtakuKit </strong> malware against government and telecom targets. Iranian actors have historically targeted state government for strategic intelligence — voter registration data, policy documents, and inter-agency communications. OtakuKit operates as an installation-phase implant suggesting long-dwell espionage operations rather than smash-and-grab.
</p>
<p> <strong> Key ATT&CK Techniques: </strong> T1059, T1105, T1547, T1036
</p>
<h3> <strong> 4. OAuth Device Code Phishing — MFA Is Not Enough </strong>
</h3>
<p> Attackers are abusing Microsoft's legitimate OAuth 2.0 device authorization flow to obtain access and refresh tokens for the victim's account. The victim is lured into entering an attacker-generated code at microsoft.com/devicelogin and then completes a genuine sign-in, MFA prompt included; the tokens are nevertheless issued to the attacker's client. MFA is satisfied rather than bypassed, so it offers no protection, and no fake login page or attacker-registered app is required: attackers reuse legitimate Microsoft first-party client IDs, and the refresh token keeps yielding new access tokens until it expires or the user's sessions are revoked. This technique targets the Microsoft 365 and Azure AD (now Microsoft Entra ID) environments that virtually all state agencies depend on for email, collaboration, and identity.
</p>
<p> <strong> Key ATT&CK Techniques: </strong> T1528, T1550.001, T1539, T1078.004
</p>
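<p> The exchange below walks through the device code grant with both sides' messages, as an added worked example that is not part of the original brief. It is an offline simulation: MockEntraTenant is a constructed stand-in for Microsoft's /devicecode, /devicelogin and /token endpoints, the victim account and lure text are invented, and the Azure CLI client ID is the publicly documented first-party app ID. The run shows that the victim completes MFA and the attacker still receives a refresh token, and that the same flow fails once the tenant models the Conditional Access block on the device code flow; blocking_policy() returns the Microsoft Graph policy body for that block (check the property names against the current Graph reference before deploying). </p>

```python
"""Offline walk-through of the OAuth 2.0 device authorization grant (RFC 8628)
as abused in device code phishing. MockEntraTenant is a constructed stand-in
for the Microsoft identity endpoints; nothing here touches the network."""
import secrets
import string

# Publicly documented first-party app ID of the Azure CLI. Attackers reuse such
# IDs because they are pre-consented in every tenant and allowed to use the
# device code grant, so no attacker-registered app is needed.
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
SCOPE = "https://graph.microsoft.com/.default offline_access"  # offline_access => refresh token


class MockEntraTenant:
    """Minimal model of /devicecode, /devicelogin and /token for one tenant."""

    def __init__(self, block_device_code_flow=False):
        # Models the Conditional Access 'Authentication flows' condition.
        self.block_device_code_flow = block_device_code_flow
        self.pending = {}  # device_code -> flow state

    def device_authorization(self, client_id, scope):
        """POST /oauth2/v2.0/devicecode, called by the attacker."""
        device_code = secrets.token_hex(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "user": None, "error": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "expires_in": 900, "interval": 5}

    def user_completes_login(self, user_code, upn, mfa_satisfied):
        """Victim enters the code at /devicelogin and signs in. This is the only
        point where the user, MFA and Conditional Access are involved."""
        state = next(s for s in self.pending.values() if s["user_code"] == user_code)
        if self.block_device_code_flow:
            state["error"] = "AADSTS53003"  # blocked by Conditional Access
        elif not mfa_satisfied:
            state["error"] = "AADSTS50076"  # MFA required, not completed
        else:
            state["user"] = upn

    def token(self, grant_type, device_code, client_id):
        """POST /oauth2/v2.0/token, polled by the attacker (error surface simplified)."""
        if grant_type != DEVICE_CODE_GRANT:
            return {"error": "unsupported_grant_type"}
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if state["error"]:
            return {"error": "access_denied", "error_description": state["error"]}
        if state["user"] is None:
            return {"error": "authorization_pending"}
        # Tokens go to the client that started the flow, i.e. the attacker.
        return {"token_type": "Bearer", "scope": state["scope"], "expires_in": 3600,
                "access_token": "eyJ." + secrets.token_urlsafe(16),
                "refresh_token": "0.A" + secrets.token_urlsafe(24),
                "issued_for": state["user"]}


def run_phish(tenant, victim_upn="analyst@example.gov"):
    """Attacker side of the exchange, end to end, against a constructed victim."""
    dev = tenant.device_authorization(AZURE_CLI_CLIENT_ID, SCOPE)
    lure = (f"Action required: open {dev['verification_uri']} and enter code "
            f"{dev['user_code']} to keep your mailbox active.")  # phishing e-mail body
    # The victim follows the lure and completes a genuine sign-in, MFA included.
    tenant.user_completes_login(dev["user_code"], victim_upn, mfa_satisfied=True)
    return {"lure": lure,
            "token_response": tenant.token(DEVICE_CODE_GRANT, dev["device_code"],
                                           AZURE_CLI_CLIENT_ID)}


def blocking_policy():
    """Microsoft Graph conditionalAccessPolicy body that blocks the device code
    flow for all users and apps (the 'Authentication flows' condition)."""
    return {"displayName": "Block device code flow", "state": "enabled",
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": ["All"]},
                           "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}


if __name__ == "__main__":
    print(run_phish(MockEntraTenant())["token_response"])
    print(run_phish(MockEntraTenant(block_device_code_flow=True))["token_response"])
```

<p> Note where the detection surface is: the only user-visible step is a real Microsoft login page, so there is no phishing-kit domain to block, and the token is issued to whichever client polls /token with the device code, not to the device the victim typed on. </p>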
<h3> <strong> 5. ICS/SCADA Exposure — ABB Advisories </strong>
</h3>
<p> Six new CISA ICS advisories cover ABB products (AC500 V2, Terra AC wallbox, Zenon, Camera Connect, B&R Runtime, LVS MConfig). State agencies operating water treatment, building automation, transportation management, or EV charging infrastructure using ABB components must assess exposure immediately.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Abyss Locker (or copycat) compromises a state/local government entity via unpatched SonicWall VPN </p> </td> <td> <p> <strong> HIGH (75%) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Published playbook + confirmed active exploitation + state gov is #1 target sector </p> </td> </tr> <tr> <td> <p> Ransomware groups migrate to new VPN infrastructure following FBI seizure of First VPN Service </p> </td> <td> <p> <strong> HIGH (80%) </strong> </p> </td> <td> <p> 7–14 days </p> </td> <td> <p> Historical pattern: infrastructure seizures cause 1–2 week disruption, then full resumption </p> </td> </tr> <tr> <td> <p> OAuth/device-code phishing campaign targets state M365 tenants </p> </td> <td> <p> <strong> MODERATE-HIGH (65%) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> <strong> Technique publicly documented; state gov M365 tenants are high-value targets with large user populations </strong> </p> </td> </tr> <tr> <td> <p> COZY BEAR spearphishing campaign targets state agencies involved in federal coordination </p> </td> <td> <p> <strong> MODERATE (50%) </strong> </p> </td> <td> <p> 60 days </p> </td> <td> <p> Refreshed IOCs + historical targeting pattern + geopolitical tensions </p> </td> </tr> <tr> <td> <p> WARLORD KITTEN conducts espionage against state government systems </p> </td> <td> <p> <strong> LOW-MODERATE (30%) </strong> </p> </td> <td> <p> 90 days </p> </td> <td> <p> Single-source intelligence; Iranian actors historically prefer federal targets but state gov is opportunistic target </p> </td> </tr> <tr> <td> <p> Exploitation of ABB ICS vulnerabilities in state-operated facilities </p> </td> <td> <p> <strong> LOW (20%) </strong> </p> </td> <td> <p> 60 days </p> </td> <td> <p> Advisories 
published but ICS exploitation requires specialized access and motivation </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<p> <strong> Hunt Hypothesis 1: Abyss Locker VPN-to-Ransomware Chain </strong>
</p>
<ul> <li> <strong> Monitor: </strong> Outbound SSH connections on port 443 from Windows hosts (T1572). Legitimate HTTPS begins with a TLS ClientHello, never with an SSH identification string; any SSH handshake on 443 is anomalous. </li> <li> <strong> Detect: </strong> Process execution of wmihelper.exe, deploy443.ps1, or veeam11.ps1 on any endpoint (T1059). Service creation named WMI Helper Agent or UpdateSVC (T1543.003, Windows Service; System event 7045). </li> <li> <strong> Investigate: </strong> Any loading of UpdateDrv.sys, ped.sys, or 3ware.sys drivers — these are BYOVD payloads used to kill EDR (T1562.001). Match on hash and signer as well as file name, since the drivers are routinely renamed. </li> <li> <strong> Block: </strong> C2 IPs 64.95.12[.]57 and 64.95.12[.]70 at the perimeter firewall. </li>
</ul>
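<p> The hunt below implements the protocol-mismatch check from the first bullet, as an added example that is not part of the original brief. It classifies the first client bytes of each TCP/443 flow (an SSH identification string versus a TLS ClientHello or plaintext HTTP) and raises the severity when the destination is one of the two C2 addresses above. The flow records are constructed; a real run would take them from a network sensor such as Zeek or Suricata, since Sysmon records the connection but not the payload. </p>

```python
"""Protocol-mismatch hunt for SSH tunnels on TCP/443 (added example, not the
report's content). It needs the first client payload bytes of each flow, which
a network sensor (Zeek, Suricata, pcap) provides and host telemetry such as
Sysmon does not. The flow records below are constructed for illustration."""
import ipaddress

# C2 addresses published in the report.
KNOWN_C2 = {ipaddress.ip_address("64.95.12.57"), ipaddress.ip_address("64.95.12.70")}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_payload(first_bytes):
    """Name the protocol from the client's first bytes on the wire."""
    if first_bytes.startswith(b"SSH-"):  # RFC 4253 identification string
        return "ssh"
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16            # TLS handshake record
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):  # ClientHello
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


def ssh_client_software(first_bytes):
    """b'SSH-2.0-OpenSSH_for_Windows_8.1\\r\\n' -> 'OpenSSH_for_Windows_8.1'."""
    line = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return line.split("-", 2)[2] if line.count("-") >= 2 else line


def hunt(flows):
    """One finding per suspicious TCP/443 flow, CRITICAL before HIGH."""
    findings = []
    for f in flows:
        if f["dport"] != 443:
            continue
        proto = classify_payload(f["payload"])
        to_c2 = ipaddress.ip_address(f["dst"]) in KNOWN_C2
        if proto == "ssh":
            findings.append({"severity": "CRITICAL" if to_c2 else "HIGH", "src": f["src"],
                             "dst": f["dst"], "reason": f"SSH on 443 from {f['proc']} "
                             f"({ssh_client_software(f['payload'])})"})
        elif to_c2:
            findings.append({"severity": "CRITICAL", "src": f["src"], "dst": f["dst"],
                             "reason": f"{proto} traffic to published Abyss Locker C2"})
    return sorted(findings, key=lambda x: 0 if x["severity"] == "CRITICAL" else 1)


# Constructed flows: first client payload per connection, as a sensor would log it.
TLS_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32
SAMPLE_FLOWS = [
    {"src": "10.20.5.17", "dst": "52.96.0.10", "dport": 443, "proc": "outlook.exe",
     "payload": TLS_CLIENT_HELLO},                                   # normal HTTPS
    {"src": "10.20.5.31", "dst": "64.95.12.57", "dport": 443, "proc": "wmihelper.exe",
     "payload": b"SSH-2.0-OpenSSH_for_Windows_8.1\r\n"},             # tunnel to C2
    {"src": "10.20.7.4", "dst": "203.0.113.9", "dport": 443, "proc": "ssh.exe",
     "payload": b"SSH-2.0-OpenSSH_for_Windows_8.1\r\n"},             # SSH on 443, unknown host
    {"src": "10.20.7.4", "dst": "64.95.12.70", "dport": 443, "proc": "curl.exe",
     "payload": TLS_CLIENT_HELLO},                                   # TLS, but to C2
    {"src": "10.20.9.2", "dst": "198.51.100.5", "dport": 8080, "proc": "chrome.exe",
     "payload": b"GET / HTTP/1.1\r\n"},                              # not port 443
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print(f"[{hit['severity']}] {hit['src']} -> {hit['dst']}: {hit['reason']}")
```

<p> In Zeek the same signal appears as service=ssh on a conn.log row whose resp_p is 443, because its protocol detection is port-independent; matching on the identification string directly, as here, also catches tunnels run from a renamed binary that process-name rules miss. </p>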
<p> <strong> Hunt Hypothesis 2: COZY BEAR Spearphishing </strong>
</p>
<ul> <li> <strong> Monitor: </strong> Email attachments delivering obfuscated payloads to government-facing mailboxes (T1566.001). </li> <li> <strong> Detect: </strong> Execution of binaries matching SHA256 12e1139ef422c2c0884fb5b1786a8489c1769a96880a30406e4a28b76ea4a73a (T1027). </li> <li> <strong> Investigate: </strong> Any use of valid accounts from unusual locations or devices following phishing delivery (T1078). </li>
</ul>
<p> <strong> Hunt Hypothesis 3: OAuth Token Theft </strong>
</p>
<ul> <li> <strong> Monitor: </strong> Azure AD sign-in logs for device code flow authentications (authenticationProtocol = deviceCode in the sign-in record; the token request itself carries grant_type=urn:ietf:params:oauth:grant-type:device_code) from unmanaged or non-compliant devices (T1528). </li> <li> <strong> Detect: </strong> OAuth consent grants to applications requesting broad scopes (Mail.Read, Files.ReadWrite.All) from unrecognized client IDs (T1550.001). Device code phishing that reuses a Microsoft first-party client ID generates no consent event, so this catches the consent-phishing variant only. </li> <li> <strong> Investigate: </strong> Refresh token usage patterns — tokens refreshing from IP addresses or networks that differ from the original authentication (T1539). </li>
</ul>
<p> <strong> Hunt Hypothesis 4: WARLORD KITTEN Implant </strong>
</p>
<ul> <li> <strong> Monitor: </strong> Execution of unknown binaries that establish persistence via autostart registry keys or scheduled tasks (T1547). </li> <li> <strong> Detect: </strong> SHA256 054736b827e07d5e461b0a900ad54b0bcb58bdc23a5c607697a1e6c452b3570d in EDR telemetry (T1036). </li> <li> <strong> Investigate: </strong> Ingress tool transfer from external infrastructure to internal hosts (T1105). </li>
</ul>
<h3> <strong> SIEM Correlation Rules to Create </strong>
</h3>
<ol> <li> <strong> SSH-over-443: </strong> Outbound connection on TCP/443 where the image file name contains "ssh", "chisel", "wmihelper", "putty", or "plink" (PuTTY's command-line client) → HIGH alert. Process-name matching is the cheap version; where a network sensor is available, alert on an SSH identification string in the first client bytes of any 443 flow regardless of process name. </li> <li> <strong> BYOVD Driver Load: </strong> Any loading of known vulnerable drivers (UpdateDrv.sys, ped.sys, 3ware.sys), matched by file name or hash → CRITICAL alert </li> <li> <strong> Veeam Credential Access: </strong> PowerShell querying the Credentials table of the VeeamBackup database or executing scripts with "veeam" in the filename → HIGH alert </li> <li> <strong> Device Code Flow Anomaly: </strong> Azure AD device code authentication from a non-compliant device → MEDIUM alert, auto-escalate to HIGH if followed by mailbox or file access from the same account </li>
</ol>
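<p> The four rules above as runnable correlation logic, added here as an example and not part of the original brief. The rules run over a constructed event stream whose field names follow Sysmon Event ID 3 (network connection) and 6 (driver load), Windows System event 7045 (service installed), PowerShell event 4104 (script block logging), Entra ID sign-in records and the Microsoft 365 unified audit log; the events, hosts and accounts are invented, and the Zemana signer string is illustrative. Rule 4 shows the auto-escalation: a device code sign-in from a non-compliant device is MEDIUM on its own and becomes HIGH when the same account generates a MailItemsAccessed audit record within the hour. </p>

```python
"""The four correlation rules above as runnable logic over constructed events
(added example, not the report's content). Field names follow Sysmon Event ID 3
(NetworkConnect) and 6 (DriverLoad), Windows System event 7045 (service
installed), PowerShell event 4104 (script block), Entra ID sign-in records and
Microsoft 365 unified audit records; the events themselves are made up."""
from datetime import datetime, timedelta

TUNNEL_PROCESSES = ("ssh", "chisel", "wmihelper", "putty", "plink")
TUNNEL_SERVICE_NAMES = {"wmi helper agent", "updatesvc"}
BYOVD_DRIVERS = {"updatedrv.sys", "ped.sys", "3ware.sys"}
ESCALATION_WINDOW = timedelta(minutes=60)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_ssh_over_443(ev):
    """Rule 1: tunnelling binary connecting out on TCP/443, or its service being installed."""
    if ev["source"] == "sysmon" and ev["event_id"] == 3 and ev.get("DestinationPort") == 443:
        image = basename(ev["Image"])
        if any(p in image for p in TUNNEL_PROCESSES):
            return ("HIGH", f"SSH-over-443: {image} -> {ev['DestinationIp']}")
    if ev["source"] == "system" and ev["event_id"] == 7045 \
            and ev["ServiceName"].lower() in TUNNEL_SERVICE_NAMES:
        return ("HIGH", f"tunnel service installed: {ev['ServiceName']} ({ev['ImagePath']})")
    return None


def rule_byovd(ev):
    """Rule 2: known vulnerable driver loaded. Hash matching on the Sysmon
    'Hashes' field belongs here too, since these drivers are routinely renamed."""
    if ev["source"] == "sysmon" and ev["event_id"] == 6 and basename(ev["ImageLoaded"]) in BYOVD_DRIVERS:
        return ("CRITICAL", f"BYOVD driver load: {ev['ImageLoaded']} (signer: {ev.get('Signature', '?')})")
    return None


def rule_veeam_creds(ev):
    """Rule 3: PowerShell reading the VeeamBackup Credentials table or running a 'veeam' script."""
    if ev["source"] == "powershell" and ev["event_id"] == 4104:
        text, path = ev["ScriptBlockText"].lower(), ev.get("Path", "")
        if ("veeambackup" in text and "credentials" in text) or "veeam" in basename(path):
            return ("HIGH", f"Veeam credential access from {path or 'interactive script block'}")
    return None


def rule_device_code(events):
    """Rule 4: device code sign-in from a non-compliant device -> MEDIUM; HIGH if the
    same account reads mail (MailItemsAccessed) within ESCALATION_WINDOW."""
    alerts = []
    for s in events:
        if not (s["source"] == "entra_signin" and s["authenticationProtocol"] == "deviceCode"
                and not s["deviceDetail"]["isCompliant"]):
            continue
        t0 = datetime.fromisoformat(s["createdDateTime"])
        access = [a for a in events if a["source"] == "m365_audit"
                  and a["Operation"] == "MailItemsAccessed" and a["UserId"] == s["userPrincipalName"]
                  and t0 <= datetime.fromisoformat(a["CreationTime"]) <= t0 + ESCALATION_WINDOW]
        msg = f"device code sign-in by {s['userPrincipalName']} from {s['ipAddress']}"
        if access:
            alerts.append(("HIGH", msg + f", followed by MailItemsAccessed from {access[0]['ClientIP']}"))
        else:
            alerts.append(("MEDIUM", msg))
    return alerts


def correlate(events):
    """Run every rule over the event stream; returns (severity, message) tuples."""
    alerts = []
    for ev in events:
        for rule in (rule_ssh_over_443, rule_byovd, rule_veeam_creds):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts + rule_device_code(events)


# Constructed sample events (hosts, accounts and addresses are invented).
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 3, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
    {"source": "sysmon", "event_id": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443},
    {"source": "system", "event_id": 7045, "ServiceName": "WMI Helper Agent",
     "ImagePath": r"C:\ProgramData\wmihelper.exe"},
    {"source": "sysmon", "event_id": 6, "ImageLoaded": r"C:\Windows\Temp\UpdateDrv.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},  # signer string illustrative
    {"source": "powershell", "event_id": 4104, "Path": r"C:\Users\svc_backup\veeam11.ps1",
     "ScriptBlockText": "Invoke-Sqlcmd -Query 'SELECT user_name,password FROM VeeamBackup.dbo.Credentials'"},
    {"source": "entra_signin", "createdDateTime": "2026-05-28T13:02:11", "userPrincipalName": "j.doe@example.gov",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "deviceDetail": {"isCompliant": False}},
    {"source": "m365_audit", "CreationTime": "2026-05-28T13:19:40", "Operation": "MailItemsAccessed",
     "UserId": "j.doe@example.gov", "ClientIP": "198.51.100.77"},
    {"source": "entra_signin", "createdDateTime": "2026-05-28T09:00:00", "userPrincipalName": "a.smith@example.gov",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.0.0.5", "deviceDetail": {"isCompliant": False}},
]

if __name__ == "__main__":
    for sev, msg in correlate(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

<p> The same shapes translate directly to SIEM query language: rules 1 to 3 are single-event matches on the fields named above, and rule 4 is a join of the sign-in table to the audit table on the user principal name with a 60-minute window. </p>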
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Benefits) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Protect citizen financial data (tax records, benefits payments, banking information) </li> <li> <strong> Action: </strong> Ensure Veeam backup service accounts for financial databases use dedicated PAM-managed credentials with no domain admin privileges. Monitor for Rclone or similar exfiltration tools targeting financial data stores. </li> <li> <strong> Rationale: </strong> Abyss Locker specifically targets backup credentials to prevent recovery; financial data exfiltration maximizes extortion leverage. </li>
</ul>
<h3> <strong> Energy (State-Operated Utilities, Building Automation) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Assess ABB ICS device exposure across state facilities </li> <li> <strong> Action: </strong> Inventory all ABB AC500 V2, Terra AC, Zenon, and B&R Runtime deployments. Segment ICS networks from IT networks. Apply patches per CISA advisories where operationally feasible. For devices that cannot be patched immediately, implement compensating network monitoring. </li> <li> <strong> Rationale: </strong> Six simultaneous ABB advisories indicate broad exposure across ABB product lines; state-operated water treatment and building automation systems are exposed. </li>
</ul>
<h3> <strong> Healthcare (State Health & Human Services, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Protect PHI/PII and ensure system availability for benefits processing </li> <li> <strong> Action: </strong> Prioritize OAuth device code flow restrictions for health agency M365 tenants — these agencies handle the most sensitive citizen data and are prime targets for credential theft. Implement data loss prevention (DLP) policies on health data repositories. </li> <li> <strong> Rationale: </strong> Healthcare data commands premium prices on criminal markets; OAuth token theft provides persistent, MFA-resistant access to email and file shares containing PHI. </li>
</ul>
<h3> <strong> Government (All Executive Branch Agencies) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Defend against nation-state espionage (COZY BEAR, WARLORD KITTEN) and ransomware (Abyss Locker) </li> <li> <strong> Action: </strong> Immediately verify SonicWall VPN patch status across all agencies. Deploy COZY BEAR and WARLORD KITTEN IOCs to all EDR/SIEM instances. Brief agency IT directors on the Abyss Locker kill chain with specific indicators to watch for. </li> <li> <strong> Rationale: </strong> State government is simultaneously targeted by espionage actors (for policy intelligence) and ransomware actors (for extortion leverage from public pressure). </li>
</ul>
<h3> <strong> Aviation/Logistics (State DOT, Airport Authorities, Port Systems) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Protect operational technology and logistics coordination systems </li> <li> <strong> Action: </strong> Review VPN access to transportation management systems — Abyss Locker's SonicWall exploitation could provide access to DOT operational networks. Ensure ICS/SCADA systems for traffic management and port operations are segmented from compromised IT networks. </li> <li> <strong> Rationale: </strong> Nimbus Manticore (IRGC-affiliated) has specifically targeted aviation; transportation systems use the same VPN and virtualization infrastructure vulnerable to Abyss Locker. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Verify all SonicWall VPN appliances are patched against CVE-2021-20038. </strong> Abyss Locker is actively exploiting unpatched instances. This CVE affects the SMA 100 series; confirm the firmware version on every appliance across all agencies. Any unpatched device is an open door. </p> </td> </tr> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Block Abyss Locker C2 infrastructure: </strong> IPs 64.95.12[.]57 and 64.95.12[.]70 at perimeter firewalls. Create SIEM alert for any historical connections to these IPs. </p> </td> </tr> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy nation-state IOCs to EDR/SIEM: </strong> COZY BEAR SHA256 12e1139ef422c2c0884fb5b1786a8489c1769a96880a30406e4a28b76ea4a73a; WARLORD KITTEN SHA256 054736b827e07d5e461b0a900ad54b0bcb58bdc23a5c607697a1e6c452b3570d </p> </td> </tr> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Create detection rule for SSH tunneling on port 443 </strong> from Windows endpoints — an SSH identification string on TCP/443 is never legitimate HTTPS; treat any such handshake as hostile until an owner explains it </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 7-DAY </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Audit Veeam Backup & Replication service accounts. </strong> Restrict to least-privilege. Remove domain admin rights. Implement PAM for Veeam credentials. Create PowerShell execution alerts for scripts accessing Veeam credential stores. </p> </td> </tr> <tr> <td> <p> 7-DAY </p> </td> <td> <p> Identity/IAM </p> </td> <td> <p> <strong> Restrict OAuth device code flow in Azure AD Conditional Access. </strong> Limit device code authentication to managed/compliant devices only. Alert on device code grant requests from unrecognized client IDs. </p> </td> </tr> <tr> <td> <p> 7-DAY </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Inventory ABB ICS devices </strong> across all state facilities (water, buildings, transportation). Cross-reference against 6 new CISA advisories. Prioritize patching for any internet-accessible or DMZ-adjacent devices. </p> </td> </tr> <tr> <td> <p> 7-DAY </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy BYOVD detection: </strong> Alert on loading of UpdateDrv.sys, ped.sys, or 3ware.sys drivers. These are signed but vulnerable drivers abused to kill endpoint protection. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 30-DAY </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Evaluate ZTNA alternatives to VPN. </strong> SonicWall VPN is a recurring single point of failure across multiple threat clusters (Abyss Locker, Gen6 MFA bypass, nation-state exploitation). Zero-trust network access removes the always-listening appliance from the attack surface. </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Mandate FIDO2/passkey authentication for privileged accounts. </strong> Phishing-resistant credentials defeat password-harvesting and adversary-in-the-middle phishing, but not device code phishing, where the victim completes a genuine sign-in and the tokens are issued to the attacker. Pair passkeys with the Conditional Access block on the device code flow (the "Authentication flows" condition) and revoke sessions for any account seen completing a device code sign-in. </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Publish employee advisory on AI tool downloads. </strong> Fake ChatGPT campaigns (delivering credential stealers via domains like openew[.]app) target employees searching for AI tools. Whitelist official download URLs in web proxy. </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> Executive </p> </td> <td> <p> <strong> Fund replacement for degraded OSINT collection capability. </strong> 89 days of degraded open-source intelligence has created a structural blind spot, particularly for cybersecurity legislation monitoring. Request emergency procurement for a commercial threat intelligence supplement. </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> IR Team </p> </td> <td> <p> <strong> Conduct tabletop exercise using the Abyss Locker kill chain. </strong> Scenario: SonicWall VPN compromised → Veeam credentials stolen → ESXi encrypted. Test: Can your team detect at each stage? Can you recover without paying ransom? </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Table </strong>
</h2>
<p> The following IOCs are confirmed from intelligence collection and should be deployed to defensive systems immediately:
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]57 </p> </td> <td> <p> Abyss Locker C2 (SSH reverse tunnel) </p> </td> <td> <p> Block at firewall; alert on historical connections </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]70 </p> </td> <td> <p> Abyss Locker C2 (ESXi SSH tunnel) </p> </td> <td> <p> Block at firewall; alert on historical connections </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 12e1139ef422c2c0884fb5b1786a8489c1769a96880a30406e4a28b76ea4a73a </p> </td> <td> <p> COZY BEAR / ATI-Agent </p> </td> <td> <p> Block in EDR; hunt in telemetry </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 6e00b86a2480abc6dbd971c0bf6495d81ed1b629 </p> </td> <td> <p> COZY BEAR / ATI-Agent </p> </td> <td> <p> Block in EDR </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 556b9eca4a85f52e2f3176c306e18661 </p> </td> <td> <p> COZY BEAR / ATI-Agent </p> </td> <td> <p> Block in EDR </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 054736b827e07d5e461b0a900ad54b0bcb58bdc23a5c607697a1e6c452b3570d </p> </td> <td> <p> WARLORD KITTEN / OtakuKit </p> </td> <td> <p> Block in EDR; hunt in telemetry </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 33e4aa4f25e2e3991291edc1e1697ab5 </p> </td> <td> <p> WARLORD KITTEN / OtakuKit </p> </td> <td> <p> Block in EDR </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> discordapp[.]com </p> </td> <td> <p> Potential C2 exfiltration channel </p> </td> <td> <p> Monitor (do not block without business impact assessment) </p> </td> </tr> <tr> <td> <p> File Name </p> </td> <td> <p> wmihelper.exe </p> </td> <td> <p> Abyss Locker SSH tunnel service </p> </td> <td> <p> Alert on execution </p> </td> </tr> <tr> <td> <p> File Name </p> </td> <td> <p> UpdateDrv.sys </p> 
</td> <td> <p> Abyss Locker BYOVD (Zemana driver) </p> </td> <td> <p> Alert on driver load </p> </td> </tr> <tr> <td> <p> File Name </p> </td> <td> <p> ped.sys </p> </td> <td> <p> Abyss Locker BYOVD (Process Explorer) </p> </td> <td> <p> Alert on driver load </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> Bottom Line </strong>
</h2>
<p> The intelligence this week delivers an uncomfortable message: a ransomware group has published — through their operational activity — a step-by-step guide to encrypting state government infrastructure. The Abyss Locker kill chain is not a future threat. It is an active campaign exploiting the exact technology stack that state agencies operate today.
</p>
<p> The window between vulnerability disclosure and exploitation has collapsed. The window between ransomware infrastructure disruption (the FBI's VPN seizure) and adversary reconstitution is measured in days, not months. And nation-state actors — Russian and Iranian — continue to refresh their government-targeting capabilities on a daily basis.
</p>
<p> <strong> Three decisions require executive action this week: </strong>
</p>
<ol> <li> <strong> Confirm SonicWall patch status across every agency. </strong> One unpatched appliance is all it takes. </li> <li> <strong> Approve OAuth device code flow restrictions in Azure AD. </strong> MFA alone does not protect your M365 environment. </li> <li> <strong> Fund OSINT collection replacement. </strong> You cannot defend against threats you cannot see — and an 89-day intelligence blind spot is unacceptable. </li>
</ol>
<p> The threat actors are not waiting. Neither should you.
</p>
<p> <em> Anomali CTI Desk | 2026-05-28 </em>
</p>
<p> <em> For questions or IOC feeds, contact your Anomali account team. </em>
</p>