<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> <em> Unchanged from the prior cycle. Three critical vulnerabilities demand immediate action, two nation-states are actively targeting government personnel through job-platform social engineering, and a novel AI chatbot exploitation technique signals an emerging class of authentication bypass risk. No active ransomware incidents targeting state/local government were observed this cycle, but the 30% year-over-year surge in government-targeted ransomware remains an active concern — absence of incidents does not equal absence of threat. </em>
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that span the full spectrum: from a publicly-exploitable vulnerability in Cisco Unified Communications Manager — the backbone of many state agency phone systems — to coordinated nation-state campaigns using LinkedIn and Indeed to recruit (and compromise) cleared government personnel. Meanwhile, a first-of-its-kind attack demonstrates that AI-powered helpdesk chatbots can be socially engineered to reset passwords and grant account access, raising urgent questions about any state agency deploying automated IT support.
</p>
<p> This brief synthesizes intelligence collected through June 4, 2026, and provides prioritized, actionable guidance for state agency CIOs and CISOs.
</p>
<h2> <strong> What Changed </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 30 May 2026 </strong> </p> </td> <td> <p> CVE-2026-41089 (Microsoft Netlogon RCE, CVSS 9.8) confirmed actively exploited </p> </td> <td> <p> Active Directory domain controllers vulnerable to unauthenticated SYSTEM access </p> </td> </tr> <tr> <td> <p> <strong> 1 Jun 2026 </strong> </p> </td> <td> <p> APT28 (Russian GRU) refreshes C2 infrastructure with US-hosted node to bypass geo-IP filtering </p> </td> <td> <p> Russian espionage infrastructure positioned to evade common state network defenses </p> </td> </tr> <tr> <td> <p> <strong> 2 Jun 2026 </strong> </p> </td> <td> <p> CVE-2026-35616 (FortiClient EMS, CVSS 9.8) exploitation confirmed delivering credential stealers </p> </td> <td> <p> Endpoint management platform weaponized as ransomware initial access vector </p> </td> </tr> <tr> <td> <p> <strong> 3 Jun 2026 </strong> </p> </td> <td> <p> <strong> Cisco discloses CVE-2026-20230 (CVSS 8.6, upgraded to CRITICAL) — unauthenticated SSRF in Unified CM WebDialer enabling root-level compromise. Public exploit code available. 
</strong> </p> </td> <td> <p> State VoIP infrastructure at immediate risk if WebDialer is enabled </p> </td> </tr> <tr> <td> <p> <strong> 3 Jun 2026 </strong> </p> </td> <td> <p> CISA adds CVE-2026-45247 (Mirasvit Magento Cache Warmer, CVSS 9.8) to Known Exploited Vulnerabilities catalog — active exploitation confirmed </p> </td> <td> <p> <strong> Supply chain awareness for vendor portals; low direct state impact </strong> </p> </td> </tr> <tr> <td> <p> <strong> 4 Jun 2026 </strong> </p> </td> <td> <p> CISA confirms active exploitation of CVE-2025-48595 (Android Framework integer overflow) — federal remediation deadline <strong> 5 Jun 2026 </strong> </p> </td> <td> <p> State mobile device fleets require immediate patch compliance verification </p> </td> </tr> <tr> <td> <p> <strong> 4 Jun 2026 </strong> </p> </td> <td> <p> Five Eyes joint advisory: Chinese state actors (APT40/GADOLINIUM/TEMP.Periscope) using fake job postings on LinkedIn, Indeed, and Upwork to target cleared government/military personnel </p> </td> <td> <p> Direct threat to state employees with security clearances or sensitive system access </p> </td> </tr> <tr> <td> <p> <strong> 4 Jun 2026 </strong> </p> </td> <td> <p> <strong> FAMOUS CHOLLIMA (DPRK/Lazarus sub-group) refreshes InvisibleFerret RAT infrastructure — new high-confidence IOCs confirmed </strong> </p> </td> <td> <p> Fake-interview malware delivery campaign actively evolving </p> </td> </tr> <tr> <td> <p> <strong> 4 Jun 2026 </strong> </p> </td> <td> <p> Novel technique documented: attackers socially engineer Meta's AI support chatbot to reset passwords and grant account access </p> </td> <td> <p> Signals emerging risk for any AI-powered IT helpdesk automation </p> </td> </tr> <tr> <td> <p> <strong> 2 Jun 2026 </strong> </p> </td> <td> <p> CISA/partners issue hardening advisory for Automatic Tank Gauge (ATG) systems at fuel storage facilities </p> </td> <td> <p> Directly relevant to state DOT and fleet fueling infrastructure </p> </td> 
</tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Actor/Source </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Impact to State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 30 May 2026 </p> </td> <td> <p> Unknown (criminal/state) </p> </td> <td> <p> CVE-2026-41089 (Microsoft Netlogon RCE, CVSS 9.8) confirmed actively exploited </p> </td> <td> <p> Active Directory domain controllers vulnerable to unauthenticated SYSTEM access </p> </td> </tr> <tr> <td> <p> 1 Jun 2026 </p> </td> <td> <p> APT28 (Russian GRU) </p> </td> <td> <p> Refreshed C2 infrastructure with US-hosted node to bypass geo-IP filtering </p> </td> <td> <p> Russian espionage infrastructure positioned to evade common state network defenses </p> </td> </tr> <tr> <td> <p> 2 Jun 2026 </p> </td> <td> <p> Criminal/state-nexus </p> </td> <td> <p> CVE-2026-35616 (FortiClient EMS, CVSS 9.8) exploitation delivering credential stealers </p> </td> <td> <p> Endpoint management platform weaponized as ransomware initial access vector </p> </td> </tr> <tr> <td> <p> 2 Jun 2026 </p> </td> <td> <p> CISA/Partners </p> </td> <td> <p> ATG hardening advisory issued </p> </td> <td> <p> State fuel infrastructure (DOT, fleet services) requires immediate inventory </p> </td> </tr> <tr> <td> <p> 3 Jun 2026 </p> </td> <td> <p> Cisco </p> </td> <td> <p> CVE-2026-20230 disclosed with public PoC </p> </td> <td> <p> State VoIP systems exploitable for root access </p> </td> </tr> <tr> <td> <p> 4 Jun 2026 </p> </td> <td> <p> Five Eyes </p> </td> <td> <p> Chinese fake-job recruitment advisory </p> </td> <td> <p> State cleared personnel targeted for espionage </p> </td> </tr> <tr> <td> <p> 4 Jun 2026 </p> </td> <td> <p> FAMOUS CHOLLIMA (DPRK) </p> </td> <td> <p> InvisibleFerret RAT IOC refresh </p> </td> <td> <p> Fake-interview malware campaign active and evolving </p> </td> </tr> <tr> <td> <p> 4 Jun 2026 </p> </td> <td> <p> Novel </p> </td> <td> <p> 
AI chatbot social engineering for account takeover </p> </td> <td> <p> Any AI-powered helpdesk automation is a potential bypass vector </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Cisco Unified Communications Manager — CVE-2026-20230 (Root-Level Compromise) </strong>
</h3>
<p> <strong> Why this matters to state agencies: </strong> Cisco Unified CM is the telephony backbone for many state government agencies. The vulnerability exists in the WebDialer service — a click-to-dial feature commonly enabled in enterprise deployments. An unauthenticated attacker can exploit a Server-Side Request Forgery (SSRF) flaw to write arbitrary files and escalate to root privileges on the call manager server.
</p>
<p> <strong> Critical context: </strong> Public exploit code is already available. A related vulnerability (CVE-2026-20045) was exploited as a zero-day in January 2026, demonstrating that threat actors are actively researching this attack surface. VoIP systems are frequently managed by telecom teams outside core security governance, creating a visibility gap.
</p>
<p> <strong> ATT&CK Techniques: </strong> T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation)
</p>
<h3> <strong> 2. Nation-State Job-Platform Social Engineering — Two Distinct Campaigns </strong>
</h3>
<p> <strong> China (APT40 / GADOLINIUM / TEMP.Periscope): </strong> The Five Eyes advisory documents a sophisticated HUMINT collection operation using fake profiles on LinkedIn, Indeed, and Upwork. Targets include government personnel with security clearances, military staff (Indo-Pacific focus), academics, and government-adjacent freelancers. The methodology progresses from fake job postings → CV screening → video interviews → pressure for non-public information → payment via PayPal, Wise, or cryptocurrency. The end-state is information elicitation, not malware delivery.
</p>
<p> <strong> DPRK (FAMOUS CHOLLIMA / Lazarus sub-group): </strong> A parallel but technically distinct campaign uses fake job interviews to deliver the InvisibleFerret RAT — a Python-based remote access trojan that harvests credentials and browser session cookies. Fresh IOCs were confirmed on June 4, 2026, indicating active infrastructure rotation. The end-state is malware implantation and credential theft.
</p>
<p> <strong> Key distinction for defenders: </strong> China's campaign is social engineering without malware (harder to detect technically); DPRK's campaign delivers actual malware (detectable at endpoint). Both use the same platforms. State employees must be warned about both simultaneously.
</p>
<p> <strong> ATT&CK Techniques: </strong> T1598.003 (Phishing for Information via Service), T1566.003 (Phishing via Service), T1059.006 (Python execution), T1555 (Credentials from Password Stores)
</p>
<h3> <strong> 3. Android Zero-Day Under Active Exploitation — CVE-2025-48595 </strong>
</h3>
<p> An integer overflow in the Android Framework core enables local privilege escalation to arbitrary code execution without user interaction. CISA has confirmed active exploitation (likely in spyware chains) and set a federal remediation deadline of <strong> June 5, 2026 </strong> — tomorrow. Any state-managed Android device not running the June 2026 security patch level is vulnerable.
</p>
<p> <strong> ATT&CK Techniques: </strong> T1203 (Exploitation for Client Execution), T1548.002 (Abuse Elevation Control Mechanism)
</p>
<h3> <strong> 4. AI Chatbot as Authentication Bypass — Novel Attack Vector </strong>
</h3>
<p> Documented on June 4, 2026: attackers successfully convinced Meta's AI-powered support chatbot to reset passwords and grant account access by combining VPN location spoofing with social engineering of the AI bot itself. This represents the first confirmed weaponization of AI customer support agents as an authentication bypass mechanism.
</p>
<p> <strong> Implications for state IT: </strong> Any agency deploying AI-powered helpdesk automation (Microsoft Copilot in Service, ServiceNow Virtual Agent, chatbot-based password reset) faces this risk. AI bots that can execute privileged actions (password resets, MFA changes, account unlocks) without out-of-band human verification are functionally equivalent to an unprotected admin interface.
</p>
<h3> <strong> 5. ICS/SCADA — Automatic Tank Gauge Systems Exposed </strong>
</h3>
<p> CISA's joint advisory highlights that Automatic Tank Gauge systems — used at gas stations, airports, military fuel depots, and state fleet fueling facilities — are routinely internet-exposed and lack authentication. State Departments of Transportation and fleet management operations should treat this as a direct infrastructure risk.
</p>
<p> <strong> ATT&CK Techniques: </strong> T0831 (ICS: Manipulation of Control), T1190 (Exploit Public-Facing Application)
</p>
<h3> <strong> 6. Microsoft Netlogon RCE — CVE-2026-41089 </strong>
</h3>
<p> Confirmed active exploitation of a critical unauthenticated remote code execution vulnerability in Microsoft Netlogon (CVSS 9.8) was observed as of May 30, 2026. Successful exploitation grants SYSTEM-level access to domain controllers, enabling full Active Directory domain compromise. This vulnerability is particularly dangerous in state government environments where legacy domain controller configurations may not enforce secure channel requirements.
</p>
<p> <strong> ATT&CK Techniques: </strong> T1210 (Exploitation of Remote Services), T1078.002 (Valid Accounts: Domain Accounts)
</p>
<h3> <strong> 7. FortiClient EMS — CVE-2026-35616 </strong>
</h3>
<p> Active exploitation of a critical vulnerability (CVSS 9.8) in Fortinet's FortiClient Endpoint Management Server has been confirmed delivering credential stealers as of June 2, 2026. This vulnerability is a confirmed ransomware initial access vector — threat actors are using compromised EMS servers to push malicious "vendor patch" executables to managed endpoints at scale.
</p>
<p> <strong> ATT&CK Techniques: </strong> T1190 (Exploit Public-Facing Application), T1072 (Software Deployment Tools)
</p>
<h3> <strong> 8. APT28 C2 Infrastructure Refresh </strong>
</h3>
<p> Russian GRU-affiliated APT28 refreshed its command-and-control infrastructure on June 1, 2026, incorporating US-hosted nodes specifically to defeat geo-IP-based network filtering — a common defensive control in state government environments. This repositioning indicates active operational preparation. Geo-IP blocking alone is insufficient; behavioral and protocol-based detection is required.
</p>
<p> <strong> ATT&CK Techniques: </strong> T1583.003 (Acquire Infrastructure: Virtual Private Server), T1090 (Proxy)
</p>
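<p> The point above (geo-IP filtering cannot stop a C2 node hosted in the US, so detection has to key on behaviour) can be checked with an interval-regularity beacon test. The script below is an added example, not part of the brief; the flow records, hosts and thresholds are all constructed for illustration. </p>

```python
"""Interval-regularity beacon detection over a constructed connection log.

Added example (not from the brief). Geo-IP blocking cannot catch a C2 node
hosted inside the US, so this looks at *behaviour*: a host that talks to the
same destination at a near-constant interval. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def build_sample_log():
    """Constructed flow records: (src_ip, dst_ip, dst_port, timestamp)."""
    base = datetime(2026, 6, 4, 12, 0, 0, tzinfo=timezone.utc)
    log = []
    # Host A: one connection every ~60 s to a (constructed) US-hosted
    # address on 8443, with a few seconds of jitter. This is beacon-like.
    jitter = [0, 2, -1, 3, 0, -2, 1, 2, -1, 0, 1, -3]
    for i, j in enumerate(jitter):
        log.append(("10.20.30.41", "203.0.113.50", 8443,
                    base + timedelta(seconds=60 * i + j)))
    # Host B: same destination, but bursty human-like browsing on 443.
    gaps = [0, 5, 40, 300, 12, 900, 33, 7, 1500, 61]
    t = base
    for g in gaps:
        t += timedelta(seconds=g)
        log.append(("10.20.30.42", "203.0.113.50", 443, t))
    return log


def find_beacons(log, min_conns=8, max_cv=0.2):
    """Flag (src, dst, port) tuples whose inter-connection intervals are
    too regular: coefficient of variation (stdev / mean) <= max_cv after at
    least min_conns connections. Thresholds are assumptions to tune locally."""
    by_pair = defaultdict(list)
    for src, dst, port, ts in log:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < max(min_conns, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else 0.0
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "mean_interval_s": round(m, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(build_sample_log()):
        print(f"beacon-like: {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['mean_interval_s']}s (cv={f['cv']}, n={f['connections']})")
```

<p> Pair this with JA3/JA4 fingerprinting or proxy logs to confirm; a regular interval alone also matches legitimate software update checks, so the destination still needs review. </p>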
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Cisco UCM CVE-2026-20230 exploitation attempts appear in the wild </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> <strong> Public PoC available; prior related CVE was exploited as zero-day; critical severity </strong> </p> </td> </tr> <tr> <td> <p> Additional Five Eyes nations release supplementary guidance with specific IOCs for Chinese recruitment operations </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> 7–14 days </p> </td> <td> <p> Multi-agency coordination pattern; initial advisory typically followed by technical annex </p> </td> </tr> <tr> <td> <p> FAMOUS CHOLLIMA InvisibleFerret campaign expands targeting to state government IT contractors </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 14–30 days </p> </td> <td> <p> Consistent with DPRK fake-interview evolution from tech companies → government supply chain </p> </td> </tr> <tr> <td> <p> Ransomware group targets a U.S. state/local government entity </p> </td> <td> <p> <strong> 65% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> 30% YoY surge trend; Qilin and INC Ransom explicitly targeting government; current quiet period may indicate dwell-time </p> </td> </tr> <tr> <td> <p> AI chatbot exploitation technique is replicated against enterprise helpdesk platforms </p> </td> <td> <p> <strong> 55% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Technique is simple, transferable, and now publicly documented </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<p> <strong> Hunt Hypothesis 1: Cisco UCM WebDialer Exploitation </strong>
</p>
<ul> <li> Monitor HTTP traffic to Cisco UCM WebDialer endpoints for anomalous SSRF patterns (crafted requests to internal metadata services or file-write paths) </li> <li> Alert on any new file creation or modification on UCM servers outside scheduled maintenance windows </li> <li> <strong> ATT&CK: </strong> T1190, T1068 </li> <li> <strong> Detection: </strong> Web application firewall logs, UCM audit logs, file integrity monitoring on UCM servers </li>
</ul>
<p> <strong> Hunt Hypothesis 2: InvisibleFerret RAT Activity </strong>
</p>
<ul> <li> Deploy the following hashes to EDR block lists immediately: <ul> <li> MD5: 1c756638b7bd11b665bef1265583c8a2 </li> <li> MD5: 568214443347a6af440e47ea47b1c28b </li> <li> SHA-1: f259bf16078862711cfbfea18d2ddef4b3f84887 </li> <li> SHA-1: 5d2c27c1ff8a116540eab4dc842f9ee8cedd55df </li> </ul> </li> <li> <em> Note: Additional SHA-256 hashes associated with this campaign are available via Anomali ThreatStream Next-Gen. Contact your Anomali account team for the complete indicator set. </em> </li> <li> Hunt for Python-based processes making outbound connections to uncommon destinations, especially from developer workstations or contractor endpoints </li> <li> <strong> ATT&CK: </strong> T1059.006, T1555, T1539 </li> <li> <strong> Detection: </strong> EDR hash matching, behavioral analysis for Python credential harvesting, browser cookie access by non-browser processes </li>
</ul>
<p> <strong> Hunt Hypothesis 3: Android Exploitation Chain </strong>
</p>
<ul> <li> Query MDM/UEM for devices not running June 2026 Android security patch level </li> <li> Monitor for anomalous privilege escalation events on Android devices connected to state networks </li> <li> <strong> ATT&CK: </strong> T1203, T1548.002 </li> <li> <strong> Detection: </strong> MDM compliance reporting, anomalous app installation patterns </li>
</ul>
<p> <strong> Hunt Hypothesis 4: AI Helpdesk Abuse </strong>
</p>
<ul> <li> If AI-powered support automation is deployed, audit all password reset and account unlock actions performed by AI agents in the past 30 days </li> <li> Look for patterns: VPN-sourced sessions, rapid escalation from chatbot to account change, geographic anomalies </li> <li> <strong> ATT&CK: </strong> T1078 (Valid Accounts — obtained via social engineering of AI) </li> <li> <strong> Detection: </strong> IAM audit logs, chatbot action logs, correlation of password resets with VPN session origins </li>
</ul>
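<p> The correlation Hunt Hypothesis 4 calls for (chatbot action logs against VPN session origin, escalation speed and geography) can be scripted once the helpdesk platform's action log is exported. The script below is an added example, not part of the brief: the JSON field names, the IP enrichment feed and every log line are constructed assumptions to be mapped onto whatever ServiceNow, Copilot or other platform logs actually contain. </p>

```python
"""Correlate AI-helpdesk account actions with VPN origin, escalation speed
and geography (Hunt Hypothesis 4). Added example, not from the brief.

Assumptions (not the brief's): the chatbot platform emits one JSON line per
action with the fields used below, and you have an IP enrichment feed that
flags commercial VPN egress. All log lines and lookups here are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed chatbot action log (JSON lines). Field names are assumptions.
CHATBOT_LOG = """\
{"ts": "2026-06-03T14:02:10Z", "conv_start": "2026-06-03T14:00:05Z", "user": "jdoe", "action": "password_reset", "src_ip": "198.51.100.23", "human_verified": false}
{"ts": "2026-06-03T09:41:00Z", "conv_start": "2026-06-03T09:12:30Z", "user": "asmith", "action": "account_unlock", "src_ip": "203.0.113.8", "human_verified": true}
{"ts": "2026-06-04T02:15:44Z", "conv_start": "2026-06-04T02:14:50Z", "user": "rlee", "action": "mfa_change", "src_ip": "192.0.2.77", "human_verified": false}
{"ts": "2026-06-04T10:05:00Z", "conv_start": "2026-06-04T09:50:00Z", "user": "rlee", "action": "kb_lookup", "src_ip": "203.0.113.8", "human_verified": false}
"""

# Constructed enrichment: country plus whether the address is a known
# commercial VPN egress (the brief's "VPN location spoofing" signal).
IP_ENRICHMENT = {
    "198.51.100.23": {"country": "NL", "vpn_egress": True},
    "203.0.113.8": {"country": "US", "vpn_egress": False},
    "192.0.2.77": {"country": "US", "vpn_egress": True},
}
USER_HOME_COUNTRY = {"jdoe": "US", "asmith": "US", "rlee": "US"}

PRIVILEGED_ACTIONS = {"password_reset", "mfa_change", "account_unlock"}
RAPID_ESCALATION_MINUTES = 5.0  # conversation start -> account change


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_chatbot_actions(log_text, enrichment=IP_ENRICHMENT,
                            home=USER_HOME_COUNTRY):
    """Return one finding per privileged action the bot executed, with the
    indicators from Hunt Hypothesis 4 attached as flags."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["action"] not in PRIVILEGED_ACTIONS:
            continue  # KB lookups etc. are not account changes
        flags = []
        ip = enrichment.get(rec["src_ip"], {})
        if ip.get("vpn_egress"):
            flags.append("vpn_source")
        minutes = (_ts(rec["ts"]) - _ts(rec["conv_start"])).total_seconds() / 60
        if minutes < RAPID_ESCALATION_MINUTES:
            flags.append("rapid_escalation")
        if ip.get("country") and ip["country"] != home.get(rec["user"]):
            flags.append("geo_anomaly")
        if not rec.get("human_verified", False):
            # The brief's core control: no out-of-band human check happened.
            flags.append("no_oob_verification")
        severity = ("high" if len(flags) >= 3
                    else "medium" if len(flags) == 2 else "low")
        findings.append({"user": rec["user"], "action": rec["action"],
                         "minutes_to_change": round(minutes, 1),
                         "flags": flags, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze_chatbot_actions(CHATBOT_LOG):
        print(f"{f['severity']:6} {f['user']:8} {f['action']:15} "
              f"{f['minutes_to_change']:>6} min  {', '.join(f['flags']) or '-'}")
```

<p> Any finding carrying <code> no_oob_verification </code> is a control failure regardless of the other flags: it means the bot changed an account with no human in the loop. </p>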
<h3> <strong> Ongoing Monitoring </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Threat </strong> </p> </th> <th> <p> <strong> What to Monitor </strong> </p> </th> <th> <p> <strong> Alert Threshold </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Netlogon RCE (CVE-2026-41089) </p> </td> <td> <p> Anomalous Netlogon authentication traffic to DCs </p> </td> <td> <p> Any unauthenticated Netlogon RPC from non-DC sources </p> </td> </tr> <tr> <td> <p> FortiClient EMS (CVE-2026-35616) </p> </td> <td> <p> FortiClient EMS patch compliance; suspicious "vendor patch" downloads </p> </td> <td> <p> Any EMS server not at patched version; unsigned executables masquerading as Forti updates </p> </td> </tr> <tr> <td> <p> APT28 C2 </p> </td> <td> <p> Outbound connections to US-hosted infrastructure on non-standard ports </p> </td> <td> <p> Geo-IP alone is insufficient — monitor for beaconing patterns and JA3/JA4 anomalies </p> </td> </tr> <tr> <td> <p> Chinese recruitment </p> </td> <td> <p> Employee reports of unsolicited job offers requesting sensitive information </p> </td> <td> <p> Any report triggers insider threat review </p> </td> </tr> <tr> <td> <p> Ransomware pre-positioning </p> </td> <td> <p> Lateral movement indicators, credential dumping, shadow copy deletion </p> </td> <td> <p> Standard ransomware precursor detection rules </p> </td> </tr> </tbody>
</table>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Tax Systems) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Credential theft via InvisibleFerret and Chinese recruitment operations. State tax and revenue employees with access to citizen financial data are high-value targets. </li> <li> <strong> Action: </strong> Enforce hardware MFA tokens (not SMS) for all personnel with access to tax/revenue databases. Brief finance staff on fake-job recruitment TTPs. Monitor for Python-based credential harvesting on finance workstations. </li> <li> <strong> Relevant CVE: </strong> CVE-2026-41089 (Netlogon) — treasury Active Directory infrastructure is a prime target for domain-level compromise. </li>
</ul>
<h3> <strong> Energy (State Energy Office, Grid Interfaces, Fuel Infrastructure) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Automatic Tank Gauge systems at state-managed fueling facilities and any SCADA/OT interfaces with the energy grid. </li> <li> <strong> Action: </strong> Conduct immediate inventory of all ATG systems. Verify network segmentation between OT and IT networks. Disable internet-facing management interfaces on all ICS devices. Review Volt Typhoon/Salt Typhoon pre-positioning indicators on energy-adjacent networks (absence of reporting ≠ absence of threat). </li> <li> <strong> Relevant Advisory: </strong> CISA ATG Hardening Guidance (2 Jun 2026) </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Ransomware remains the dominant threat to healthcare-adjacent state systems. Qilin and INC Ransom have explicitly targeted government health entities. </li> <li> <strong> Action: </strong> Validate offline backup integrity for Medicaid and public health databases. Ensure FortiClient EMS is patched against CVE-2026-35616 (confirmed ransomware initial access vector). Test incident response playbooks for healthcare data breach notification timelines. </li> <li> <strong> Relevant CVE: </strong> CVE-2026-35616 (FortiClient EMS) — endpoint management compromise enables mass ransomware deployment. </li>
</ul>
<h3> <strong> Government (All Executive Branch Agencies) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> The convergence of Chinese HUMINT recruitment and DPRK malware delivery via job platforms creates a dual threat to all state employees, particularly those with elevated access or security clearances. </li> <li> <strong> Action: </strong> Issue an agency-wide advisory on fake-job recruitment (both Chinese and DPRK variants). Implement DLP monitoring for employees who access sensitive data after contact with suspicious recruiters. Audit AI-powered helpdesk automation for authentication bypass risks. Enforce Android patch compliance by the June 5 deadline. </li> <li> <strong> Relevant Actors: </strong> APT40, GADOLINIUM, TEMP.Periscope (China); FAMOUS CHOLLIMA (DPRK) </li>
</ul>
<h3> <strong> Aviation/Logistics (State DOT, Airport Authorities, Fleet Management) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> ATG systems at airport fuel depots and state fleet fueling facilities. Cisco UCM systems supporting dispatch and operations centers. </li> <li> <strong> Action: </strong> Inventory all ATG systems at DOT and fleet facilities — verify they are not internet-accessible. Immediately check Cisco UCM WebDialer status on all dispatch/operations VoIP systems. If WebDialer is enabled, disable it pending patch availability (14SU6/15SU5). </li> <li> <strong> Relevant CVE: </strong> CVE-2026-20230 (Cisco UCM), CISA ATG Advisory </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops / Telecom </p> </td> <td> <p> <strong> Verify Cisco Unified CM WebDialer status. </strong> If enabled, disable immediately. Validate no unauthorized file writes on UCM servers. Do not wait for patches (14SU6/15SU5). (CVE-2026-20230) </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC / Endpoint </p> </td> <td> <p> <strong> Block InvisibleFerret hashes </strong> at EDR layer across all managed endpoints. See IOC table below. (FAMOUS CHOLLIMA) </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> IT Ops / Mobile </p> </td> <td> <p> <strong> Enforce Android June 2026 security patch level </strong> on all state-managed devices. Quarantine non-compliant devices from network access by June 5 deadline. (CVE-2025-48595) </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC / Network </p> </td> <td> <p> <strong> Validate Netlogon RCE mitigations </strong> — confirm all domain controllers are patched against CVE-2026-41089 and that secure Netlogon channel enforcement is active. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> HR / Security Awareness </p> </td> <td> <p> <strong> Issue employee advisory </strong> on Chinese fake-job recruitment operations (LinkedIn, Indeed, Upwork). Include specific indicators and reporting procedures. Brief all personnel with security clearances or sensitive system access. </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> CISO / IAM </p> </td> <td> <p> <strong> Audit AI-powered helpdesk automation </strong> (ServiceNow Virtual Agent, M365 Copilot in Service, any chatbot-based password reset). Ensure no AI agent can execute password resets or MFA changes without out-of-band human verification. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> IT Ops / ICS </p> </td> <td> <p> <strong> Inventory Automatic Tank Gauge systems </strong> at all state-managed fueling facilities (DOT, fleet services, airport authorities). Verify network segmentation. Disable internet-facing management interfaces per CISA guidance. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> IT Ops / Endpoint </p> </td> <td> <p> <strong> Confirm FortiClient EMS patch status </strong> against CVE-2026-35616. Any unpatched EMS server is a confirmed ransomware initial access vector. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 9 </p> </td> <td> <p> CISO / Insider Threat </p> </td> <td> <p> <strong> Develop insider threat detection playbook </strong> for nation-state social engineering recruitment. Integrate with DLP monitoring — flag employees accessing sensitive data after contact with suspicious recruiters on job platforms. </p> </td> </tr> <tr> <td> <p> 10 </p> </td> <td> <p> CISO / Architecture </p> </td> <td> <p> <strong> Conduct security assessment of all AI-powered automation </strong> with privileged capabilities. Treat AI bots with account-modification permissions as privileged service accounts requiring equivalent controls (PAM, audit logging, session recording). </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> CISO / IR </p> </td> <td> <p> <strong> Update incident response playbooks </strong> to include VoIP infrastructure compromise scenarios (Cisco UCM root access) and AI chatbot exploitation. Tabletop exercise recommended. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> CIO / Governance </p> </td> <td> <p> <strong> Establish cross-team coordination </strong> between telecom/VoIP teams and security operations for vulnerability management of communications infrastructure. Eliminate governance gaps where VoIP systems fall outside standard patch management. </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Table </strong>
</h2>
<p> The following indicators are confirmed associated with FAMOUS CHOLLIMA's InvisibleFerret RAT campaign (refreshed June 4, 2026). Deploy to EDR, SIEM, and network detection platforms immediately.
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> MD5 </p> </td> <td> <p> 1c756638b7bd11b665bef1265583c8a2 </p> </td> <td> <p> InvisibleFerret RAT </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 568214443347a6af440e47ea47b1c28b </p> </td> <td> <p> InvisibleFerret RAT </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> f259bf16078862711cfbfea18d2ddef4b3f84887 </p> </td> <td> <p> InvisibleFerret RAT </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 5d2c27c1ff8a116540eab4dc842f9ee8cedd55df </p> </td> <td> <p> InvisibleFerret RAT </p> </td> </tr> </tbody>
</table>
<p> <em> Additional indicators for this campaign — including SHA-256 hashes, C2 IP addresses, and associated domains — are available via Anomali ThreatStream Next-Gen. Contact your Anomali account team or query ThreatStream Next-Gen directly for the complete InvisibleFerret IOC set. </em>
</p>
<h2> <strong> Bottom Line </strong>
</h2>
<p> The threat environment facing state government IT this week demands action on multiple fronts simultaneously. A publicly-exploitable vulnerability in your phone system. Two nation-states recruiting your employees on LinkedIn. An AI chatbot that can be talked into resetting passwords. A mobile device zero-day with a federal deadline tomorrow. Active exploitation of your domain controllers and endpoint management platform.
</p>
<p> None of these threats are theoretical. All have confirmed active exploitation or documented proof-of-concept. The window between disclosure and exploitation continues to compress — for Cisco UCM, we assess a 70% probability of in-the-wild exploitation within seven days.
</p>
<p> <strong> Three decisions are needed this week: </strong>
</p>
<ol> <li> <strong> Today: </strong> Is Cisco UCM WebDialer enabled in your environment? If yes, disable it now. </li> <li> <strong> Today: </strong> Are your Android devices at June 2026 patch level? If not, quarantine them. </li> <li> <strong> This week: </strong> Have your employees been warned about nation-state recruitment operations on job platforms? </li>
</ol>
<p> The absence of ransomware incidents this cycle is not reassurance — it may indicate adversaries in dwell-time. Maintain heightened monitoring and ensure your backups are tested and offline.
</p>
<p> <em> Anomali CTI Desk — June 4, 2026 </em>
</p>
<p> <em> For questions or additional IOC feeds, contact your Anomali account team or access indicators directly via ThreatStream Next-Gen. </em>
</p>