<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> <em> Unchanged from prior cycle. Two CVSS-critical vulnerabilities now on CISA's Known Exploited Vulnerabilities catalog, a new commoditized phishing platform targeting Microsoft 365, and fresh APT28 command-and-control infrastructure collectively sustain an elevated posture for state government networks. </em>
</p>
<h2> <strong> Executive Summary </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demand coordinated, time-bound action. A maximum-severity Adobe ColdFusion vulnerability (CVE-2026-48282, CVSS 10.0) is being actively exploited and sits squarely in the legacy application stack many state agencies still maintain. Simultaneously, a new phishing-as-a-service kit called <strong> Forg365 </strong> has lowered the barrier for Microsoft 365 credential theft to $400/month on Telegram — making every state employee's Entra ID account a viable target for low-skill operators. Russian military intelligence (APT28) has refreshed its command-and-control infrastructure, confirming continued interest in government targets. And seven ICS/OT advisories in three days signal elevated risk to state-managed critical infrastructure.
</p>
<p> This is not a theoretical threat landscape. These are active exploitation campaigns with confirmed victims, public proof-of-concept code, and commodity tooling that puts sophisticated attacks within reach of criminal affiliates.
</p>
<h2> <strong> What Changed </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 2026-07-07 </strong> </p> </td> <td> <p> CISA added CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0) to the KEV catalog </p> </td> <td> <p> Active exploitation confirmed; federal BOD compliance deadline triggered </p> </td> </tr> <tr> <td> <p> <strong> 2026-07-07 </strong> </p> </td> <td> <p> CISA added CVE-2026-48908 (SP Page Builder for Joomla, CVSS 9.8) to the KEV catalog </p> </td> <td> <p> Unauthenticated RCE on state Joomla-based public portals; active exploitation confirmed </p> </td> </tr> <tr> <td> <p> <strong> 2026-07-09 </strong> </p> </td> <td> <p> Three CISA ICS advisories published: Schneider Electric PowerChute, Schneider Easergy MiCOM Px40, OpenPLC v3 </p> </td> <td> <p> State-managed data centers (UPS) and power substations affected </p> </td> </tr> <tr> <td> <p> <strong> 2026-07-09 </strong> </p> </td> <td> <p> CVE-2026-50656 "RoguePlanet" patched by Microsoft </p> </td> <td> <p> Defender privilege escalation with public PoC enabling SYSTEM access; patch validation required </p> </td> </tr> <tr> <td> <p> <strong> 2026-07-10 </strong> </p> </td> <td> <p> Forg365 PhaaS platform disclosed by ZeroBEC researchers </p> </td> <td> <p> Device-code phishing + AiTM session hijacking packaged for mass operator adoption </p> </td> </tr> <tr> <td> <p> <strong> 2026-07-10 </strong> </p> </td> <td> <p> APT28 C2 IP 152.32.174[.]171 confirmed active (confidence 96%) </p> </td> <td> <p> Russian government-targeting infrastructure refreshed in Hong Kong </p> </td> </tr> <tr> <td> <p> <strong> 2026-07-10 </strong> </p> </td> <td> <p> "HalluSquatting" technique disclosed — AI hallucinated package names weaponized </p> </td> <td> <p> New supply chain vector affecting agencies using AI coding assistants </p> </td> </tr> <tr> <td> <p> <strong> 2026-07-10 </strong> </p> </td> <td> <p> ModHeader browser extension (1.6M installs) flagged as malware </p> </td> <td> <p> Credential/session data exfiltration risk on managed state endpoints </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Actor / Campaign </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Impact to State Gov </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-06-12 </p> </td> <td> <p> VOID MANTICORE (Iran/IRGC) </p> </td> <td> <p> Confirmed breach of California water utility </p> </td> <td> <p> <strong> Demonstrated destructive capability against U.S. critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> 2026-07-07 </p> </td> <td> <p> Unknown (multiple actors) </p> </td> <td> <p> CVE-2026-48282 added to CISA KEV </p> </td> <td> <p> <strong> Legacy ColdFusion applications in state agencies at critical risk </strong> </p> </td> </tr> <tr> <td> <p> 2026-07-07 </p> </td> <td> <p> Unknown </p> </td> <td> <p> CVE-2026-48908 added to CISA KEV </p> </td> <td> <p> State Joomla-based public portals vulnerable to unauthenticated RCE </p> </td> </tr> <tr> <td> <p> 2026-07-09 </p> </td> <td> <p> N/A (vendor disclosure) </p> </td> <td> <p> Schneider Electric + OpenPLC ICS advisories </p> </td> <td> <p> State data center UPS systems and power grid relays require patching </p> </td> </tr> <tr> <td> <p> 2026-07-09 </p> </td> <td> <p> Microsoft </p> </td> <td> <p> CVE-2026-50656 "RoguePlanet" patched </p> </td> <td> <p> Defender privilege escalation with public PoC — SYSTEM access </p> </td> </tr> <tr> <td> <p> 2026-07-10 </p> </td> <td> <p> APT28 (Russia/GRU) </p> </td> <td> <p> Fresh C2 infrastructure confirmed active </p> </td> <td> <p> Continued Russian targeting of government networks </p> </td> </tr> <tr> <td> <p> 2026-07-10 </p> </td> <td> <p> Criminal (Telegram-distributed) </p> </td> <td> <p> Forg365 PhaaS platform launched </p> </td> <td> <p> M365 credential theft commoditized at $400/month </p> </td> </tr> <tr> <td> <p> 2026-07-10 </p> </td> <td> <p> UNATTRIBUTED </p> </td> <td> <p> HalluSquatting technique published </p> </td> <td> <p> AI-assisted development pipelines become supply chain attack surface </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. CVE-2026-48282 — Adobe ColdFusion Path Traversal to RCE (CVSS 10.0) </strong>
</h3>
<p> This is the highest-priority vulnerability for state agencies this cycle. Adobe ColdFusion remains embedded in legacy state government applications — citizen portals, permitting systems, and internal workflow tools built over the past two decades. CVE-2026-48282 allows unauthenticated remote code execution via path traversal with no user interaction required.
</p>
<ul> <li> <strong> Affected versions: </strong> ColdFusion 2025.9 and earlier, ColdFusion 2023.20 and earlier </li> <li> <strong> Exploitation status: </strong> Active — confirmed in CISA KEV catalog </li> <li> <strong> Patch: </strong> APSB26-68 (ColdFusion 2025.10+ or 2023.21+) </li> <li> <strong> CISA BOD compliance deadline: </strong> Approximately July 21, 2026 (14 days from KEV listing) </li>
</ul>
<p> <strong> Why this matters for state government: </strong> Many agencies maintain ColdFusion applications that cannot be quickly patched due to custom code dependencies, change management processes, or vendor support constraints. If patching is not feasible within 72 hours, network isolation or WAF virtual patching must be authorized as interim controls.
</p>
<h3> <strong> 2. Forg365 — Commoditized Microsoft 365 Credential Theft </strong>
</h3>
<p> Forg365 represents the maturation of the phishing-as-a-service ecosystem into a single-console platform that combines:
</p>
<ul> <li> <strong> Device-code phishing </strong> — abuses Microsoft's OAuth device authorization flow to capture tokens without triggering traditional phishing page detection </li> <li> <strong> Adversary-in-the-middle (AiTM) </strong> — real-time session hijacking that defeats standard MFA </li> <li> <strong> AI-generated lures </strong> — automated creation of convincing phishing content </li> <li> <strong> Token vaulting </strong> — persistent access via stolen OAuth tokens and a browser extension ("ForgCookie") that refreshes Microsoft SSO cookies </li>
</ul>
<p> At $400/month on Telegram, this puts nation-state-grade credential theft capability in the hands of any criminal affiliate. State agencies running Microsoft 365 and Entra ID — which is effectively all of them — face a direct threat.
</p>
<p> <strong> Key insight: </strong> The convergence of device-code phishing (previously seen in DEBULL campaigns) and AiTM techniques into a single commodity platform means that <strong> conditional access policies restricting device-code flows are now the single most important control </strong> for protecting state M365 environments. If device-code flows are unrestricted, MFA provides no protection against this class of attack.
</p>
<h3> <strong> 3. APT28 Infrastructure Refresh — Continued Russian Government Targeting </strong>
</h3>
<p> A high-confidence (96%) APT28-attributed IP address was confirmed active on July 10:
</p>
<ul> <li> <strong> IP: </strong> 152.32.174[.]171 </li> <li> <strong> ASN: </strong> 135377 (UCloud Information Technology, Hong Kong) </li> <li> <strong> Tags: </strong> Phishing, Command Injection, Invalid File Access </li>
</ul>
<p> This infrastructure refresh, combined with a confirmed Russian attack on a UK local government council (also reported July 10), reinforces that Russian military intelligence continues to actively target government IT systems at all levels. State agencies managing election infrastructure, law enforcement databases, and critical infrastructure oversight are priority targets.
</p>
<h3> <strong> 4. ICS/OT Advisory Surge — Seven Advisories in Three Days </strong>
</h3>
<p> The July 7–9 period saw an above-average volume of ICS advisories affecting products commonly deployed in state-managed facilities:
</p>
<table> <thead> <tr> <th> <p> <strong> Advisory </strong> </p> </th> <th> <p> <strong> Product </strong> </p> </th> <th> <p> <strong> Relevance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> ICSA-26-190-02 </p> </td> <td> <p> Schneider Electric PowerChute Serial Shutdown </p> </td> <td> <p> State data center UPS management </p> </td> </tr> <tr> <td> <p> ICSA-26-190-03 </p> </td> <td> <p> Schneider Electric Easergy MiCOM Px40 </p> </td> <td> <p> Power grid substation protective relays </p> </td> </tr> <tr> <td> <p> ICSA-26-190-01 </p> </td> <td> <p> OpenPLC v3 </p> </td> <td> <p> Open-source PLC runtime in smaller utilities </p> </td> </tr> <tr> <td> <p> Additional </p> </td> <td> <p> Siemens SINEC OS, Hitachi PROMOD V, Hydro-Québec, Labcenter Proteus </p> </td> <td> <p> <strong> Various critical infrastructure applications </strong> </p> </td> </tr> </tbody>
</table>
<p> Combined with the confirmed VOID MANTICORE breach of a California water utility on June 12, this advisory volume underscores that state-managed OT environments face both vulnerability exposure and demonstrated adversary intent.
</p>
<h3> <strong> 5. HalluSquatting — AI Development Tools as Supply Chain Attack Surface </strong>
</h3>
<p> A newly disclosed technique called "HalluSquatting" weaponizes a known weakness in AI coding assistants: when tools like GitHub Copilot or ChatGPT hallucinate package names that don't exist, attackers can register those names and populate them with malicious code. Any developer who follows the AI's recommendation and runs pip install or npm install unknowingly pulls attacker-controlled code into their application.
</p>
<p> <strong> State government relevance: </strong> As agencies adopt AI coding assistants to accelerate development and address staffing shortages, this creates a new supply chain attack surface that bypasses traditional security controls. No phishing, no social engineering — just a developer trusting their AI tool's recommendation.
</p>
<h3> <strong> 6. Notable Absences — What's Missing Is Also Signal </strong>
</h3>
<ul> <li> <strong> Volt Typhoon / Salt Typhoon (China): </strong> No new indicators this cycle despite active clusters tracking Chinese pre-positioning in U.S. government networks. Silence from a known active adversary warrants continued vigilance, not complacency. </li> <li> <strong> Play ransomware: </strong> No new government victim disclosures since July 7. A 3-day gap is within normal operational tempo but bears monitoring given Play's confirmed government targeting. </li> <li> <strong> SCATTERED SPIDER (UNC3944/Octo Tempest): </strong> Extended quiet period (60+ days). This group's social engineering and vishing capabilities against Entra ID environments remain a latent threat that may resurface under new aliases. </li> <li> <strong> Ransomware ecosystem broadly: </strong> The anomalous quiet period in ransomware victim claims noted in prior cycles persists. This may indicate active pre-encryption dwell time rather than reduced threat activity — organizations should not lower their guard. </li>
</ul>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Exploitation attempts against CVE-2026-48282 accelerate against state ColdFusion instances </p> </td> <td> <p> <strong> HIGH (85%) </strong> </p> </td> <td> <p> 7–14 days </p> </td> <td> <p> KEV listing publicizes vulnerability; active exploitation already confirmed; state agencies known to run legacy ColdFusion </p> </td> </tr> <tr> <td> <p> Forg365 adopted by criminal affiliates for state government credential theft campaigns </p> </td> <td> <p> <strong> HIGH (75%) </strong> </p> </td> <td> <p> 14–30 days </p> </td> <td> <p> $400/month Telegram distribution model enables rapid adoption; M365 is universal target </p> </td> </tr> <tr> <td> <p> APT28 phishing campaign leveraging 152.32.174[.]171 infrastructure targets U.S. government entities </p> </td> <td> <p> <strong> MODERATE (60%) </strong> </p> </td> <td> <p> 7–21 days </p> </td> <td> <p> Fresh infrastructure typically deployed ahead of campaigns; government targeting confirmed </p> </td> </tr> <tr> <td> <p> HalluSquatting technique used in targeted supply chain attack against government developer </p> </td> <td> <p> <strong> MODERATE (45%) </strong> </p> </td> <td> <p> 30–90 days </p> </td> <td> <p> Technique is public; requires attacker to identify hallucinated packages specific to government tooling </p> </td> </tr> <tr> <td> <p> Ransomware operator (Play, AiLock, or successor) deploys against state agency after extended dwell </p> </td> <td> <p> <strong> MODERATE (55%) </strong> </p> </td> <td> <p> 14–30 days </p> </td> <td> <p> <strong> Quiet period in claims may indicate active operations; state government remains high-value target </strong> </p> </td> </tr> <tr> <td> <p> VOID MANTICORE or affiliated Iranian actor targets additional U.S. water/energy utility </p> </td> <td> <p> <strong> MODERATE (50%) </strong> </p> </td> <td> <p> 30–60 days </p> </td> <td> <p> Demonstrated capability (June 12 breach); geopolitical tensions sustained </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<ol> <li> <strong> Adobe ColdFusion Exploitation (CVE-2026-48282) </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1190 (Exploit Public-Facing Application), T1059.003 (Windows Command Shell), T1083 (File and Directory Discovery) </li> <li> <strong> Hunt hypothesis: </strong> Adversaries are scanning for and exploiting ColdFusion instances via path traversal payloads. Look for unusual child processes spawned by coldfusion.exe or cfusion.exe, unexpected file writes outside webroot, and directory traversal patterns (../) in web server logs. </li> <li> <strong> Detection: </strong> Alert on any cmd.exe or powershell.exe process spawned by ColdFusion service accounts. Monitor WAF logs for path traversal attempts targeting /CFIDE/ and /cf_scripts/ paths. </li>
</ul>
<ol start="2"> <li> <strong> Device-Code Phishing / Forg365 (M365 Token Theft) </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1566.002 (Spearphishing Link), T1539 (Steal Web Session Cookie), T1528 (Steal Application Access Token), T1111 (MFA Interception) </li> <li> <strong> Hunt hypothesis: </strong> Operators using Forg365 will generate device-code authentication requests from residential ISPs (Comcast/Xfinity observed) targeting administrative accounts. Look for Microsoft Authentication Broker events where the requesting IP geolocation doesn't match the user's normal location. </li> <li> <strong> Detection: </strong> Monitor Entra ID sign-in logs for deviceCode authentication flows. Alert when device-code grants occur from ISPs inconsistent with organizational VPN/office ranges. Flag any OAuth token refresh activity from browser extensions not in the approved inventory. </li>
</ul>
<ol start="3"> <li> <strong> APT28 C2 Communication </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1071.001 (Web Protocols), T1566 (Phishing), T1059 (Command and Scripting Interpreter) </li> <li> <strong> Hunt hypothesis: </strong> Compromised endpoints may beacon to APT28 infrastructure. Search network logs (firewall, proxy, DNS) for any connection to 152.32.174[.]171 or ASN 135377 (UCloud HK). </li> <li> <strong> Detection: </strong> Block and alert on the IOC. Retroactively search 90 days of network telemetry for historical connections. Any hit warrants full incident investigation. </li>
</ul>
<ol start="4"> <li> <strong> Joomla Web Shell Deployment (CVE-2026-48908) </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell), T1059.001 (PowerShell) </li> <li> <strong> Hunt hypothesis: </strong> Attackers exploiting SP Page Builder upload arbitrary PHP files that function as web shells. Look for new .php files in Joomla upload directories, unexpected outbound connections from web servers, and PHP processes spawning system commands. </li> <li> <strong> Detection: </strong> File integrity monitoring on Joomla webroot directories. Alert on any PHP file creation in /media/, /tmp/, or plugin upload paths. </li>
</ul>
<ol start="5"> <li> <strong> Malicious Browser Extensions (ModHeader) </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1176 (Browser Extensions) </li> <li> <strong> Hunt hypothesis: </strong> The ModHeader extension (1.6 million installs) has been flagged as malware. State endpoints with this extension installed may be exfiltrating session data. </li> <li> <strong> Detection: </strong> Query endpoint management (Intune, SCCM, Chrome Enterprise) for extension IDs idgpnmonknjnojddfkpgkljpfnnfcklj (Chrome) and opgbiafapkbbnbnjcdomjaghbckfkglc (Edge). Remove and investigate any endpoints where found. </li>
</ul>
<h3> <strong> Hunting Queries to Prioritize </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Hunt </strong> </p> </th> <th> <p> <strong> Data Source </strong> </p> </th> <th> <p> <strong> ATT&CK </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Critical </strong> </p> </td> <td> <p> ColdFusion child process anomalies </p> </td> <td> <p> EDR telemetry </p> </td> <td> <p> T1190, T1059.003 </p> </td> </tr> <tr> <td> <p> <strong> Critical </strong> </p> </td> <td> <p> Device-code auth from residential ISPs to admin accounts </p> </td> <td> <p> Entra ID sign-in logs </p> </td> <td> <p> T1528, T1111 </p> </td> </tr> <tr> <td> <p> <strong> High </strong> </p> </td> <td> <p> Connections to 152.32.174[.]171 </p> </td> <td> <p> Firewall/proxy logs </p> </td> <td> <p> T1071.001 </p> </td> </tr> <tr> <td> <p> <strong> High </strong> </p> </td> <td> <p> New PHP files in Joomla upload directories </p> </td> <td> <p> File integrity monitoring </p> </td> <td> <p> T1505.003 </p> </td> </tr> <tr> <td> <p> <strong> High </strong> </p> </td> <td> <p> ModHeader extension presence </p> </td> <td> <p> Endpoint management </p> </td> <td> <p> T1176 </p> </td> </tr> <tr> <td> <p> Medium </p> </td> <td> <p> Unusual pip install or npm install of unrecognized packages </p> </td> <td> <p> Developer workstation logs </p> </td> <td> <p> T1195.001 </p> </td> </tr> </tbody>
</table>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Payroll Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Forg365 credential theft targeting finance team M365 accounts for BEC/payment redirection </li> <li> <strong> Action: </strong> Enforce conditional access policies that block device-code authentication flows for accounts with access to financial systems. Require phishing-resistant MFA (FIDO2/Windows Hello) for all treasury and payroll administrators. </li> <li> <strong> Monitor: </strong> Entra ID sign-in logs for finance department accounts authenticating via device-code flow or from unexpected geolocations. </li>
</ul>
<h3> <strong> Energy (State-Regulated Utilities, Grid Oversight) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Schneider Electric Easergy MiCOM Px40 vulnerabilities in substation protective relays; VOID MANTICORE demonstrated destructive capability against water utility </li> <li> <strong> Action: </strong> Coordinate with regulated utilities to confirm Schneider advisory (ICSA-26-190-03) patch status. Verify network segmentation between IT and OT environments. Ensure protective relay firmware is current. </li> <li> <strong> Monitor: </strong> Anomalous commands to protective relay systems; unexpected remote access to SCADA/EMS networks. </li>
</ul>
<h3> <strong> Healthcare (Medicaid, Public Health, State Hospitals) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Ransomware operators (Play, AiLock) targeting healthcare data; ColdFusion vulnerabilities in legacy health portal applications </li> <li> <strong> Action: </strong> Prioritize ColdFusion patching for any health-related applications processing PHI. Validate offline backup integrity for Medicaid enrollment and claims systems. Review ransomware playbook with 4-hour RTO requirement for patient-facing systems. </li> <li> <strong> Monitor: </strong> Unusual data staging or exfiltration patterns from health databases; ColdFusion exploitation indicators. </li>
</ul>
<h3> <strong> Government (Executive Agencies, Law Enforcement, Elections) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> APT28 credential theft and espionage; Forg365 targeting government M365 tenants; ransomware targeting government for political leverage </li> <li> <strong> Action: </strong> Block APT28 IOC immediately. Restrict device-code flows in Entra ID conditional access. Brief election security teams on Russian infrastructure refresh. Ensure law enforcement database access requires phishing-resistant MFA. </li> <li> <strong> Monitor: </strong> All authentication anomalies for privileged accounts; any connection to known APT28 infrastructure; lateral movement indicators in Active Directory. </li>
</ul>
<h3> <strong> Aviation / Logistics (State DOT, Port Authorities, Transit) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Chinese pre-positioning (Volt Typhoon/Salt Typhoon) in transportation infrastructure; ICS vulnerabilities in traffic management and transit SCADA systems </li> <li> <strong> Action: </strong> Conduct network segmentation audit between corporate IT and operational technology in transit/DOT environments. Review remote access policies for third-party maintenance of traffic management systems. Confirm no OpenPLC v3 deployments in traffic signal or transit control systems. </li> <li> <strong> Monitor: </strong> Unusual outbound connections from OT network segments; living-off-the-land techniques (LOLBins) on systems managing transportation infrastructure. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Patch or isolate all Adobe ColdFusion instances. </strong> CVE-2026-48282 (CVSS 10.0) is actively exploited and on CISA KEV. Target versions: 2025.10+ or 2023.21+ per APSB26-68. If patching is blocked by dependencies, implement WAF virtual patching rules blocking path traversal patterns and/or network-isolate ColdFusion servers from internet-facing access. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Block APT28 C2 IP </strong> 152.32.174[.]171 at perimeter firewall, proxy, and DNS sinkhole. Add to EDR watchlist. Retroactively search 90 days of network logs for any historical connection. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> Identity/SOC </p> </td> <td> <p> <strong> Create detection for OAuth device-code phishing </strong> in Entra ID. Alert on device-code authentication grants from residential ISPs or geolocations inconsistent with user profiles, especially for privileged accounts. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Decision required: </strong> If ColdFusion cannot be patched within 72 hours, authorize emergency network isolation or WAF virtual patching. Document risk acceptance if neither is feasible. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Audit and patch all Joomla instances </strong> running SP Page Builder. CVE-2026-48908 (CVSS 9.8) enables unauthenticated RCE. Remove the plugin if not actively required. </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> IT Operations / OT </p> </td> <td> <p> <strong> Review Schneider Electric deployments </strong> — PowerChute Serial Shutdown (data center UPS) and Easergy MiCOM Px40 (substations). Apply patches per ICSA-26-190-02 and ICSA-26-190-03. Coordinate with utility partners. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> SOC / Endpoint </p> </td> <td> <p> <strong> Audit and block malicious browser extensions. </strong> Remove ModHeader (Chrome ID: idgpnmonknjnojddfkpgkljpfnnfcklj, Edge ID: opgbiafapkbbnbnjcdomjaghbckfkglc) from all managed endpoints. Investigate any endpoints where it was present. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> Identity </p> </td> <td> <p> <strong> Restrict device-code authentication flows </strong> in Entra ID conditional access policies. Limit to managed devices only, or block entirely for administrative accounts. This is the single highest-leverage control against Forg365 and similar PhaaS platforms. </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Validate Microsoft Defender patching </strong> for CVE-2026-50656 "RoguePlanet." Confirm all endpoints have received the July update that addresses this privilege escalation vulnerability with public PoC. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 10 </p> </td> <td> <p> DevOps / AppSec </p> </td> <td> <p> <strong> Implement package verification policy for AI-assisted development. </strong> Require manual review of any AI-suggested package name not already in the approved internal registry before installation. Address the HalluSquatting supply chain vector. </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> CISO / IR </p> </td> <td> <p> <strong> Update ransomware incident response playbook </strong> to account for extended dwell-time scenarios. The current quiet period in ransomware claims may indicate pre-encryption positioning. Validate that detection covers data staging (T1074), credential dumping (T1003), and lateral movement (T1021) — not just encryption events. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> OT Security </p> </td> <td> <p> <strong> Conduct network segmentation validation between IT and OT environments in all state-managed facilities (data centers, utilities, transportation). Confirm that ICS advisory patching cadence meets a 30-day SLA for non-critical advisories. </strong> </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Commission phishing simulation </strong> using device-code flow technique to baseline organizational susceptibility. Use results to justify conditional access policy tightening and user awareness training focused on OAuth consent prompts. </p> </td> </tr> <tr> <td> <p> 14 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Develop ColdFusion application modernization roadmap. CVE-2026-48282 is the second critical ColdFusion vulnerability this year. Legacy ColdFusion applications represent persistent, recurring risk that patching alone cannot sustainably address. </strong> </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Table </strong>
</h2>
<p> The following IOCs are confirmed from intelligence collection and should be actioned immediately:
</p>
<p> <strong> <em> Editor's note: </em> </strong> <em> Two SHA-256 hashes attributed to LIGHTNINGSPIDER/Satacom that appeared in a prior draft were removed — both were malformed (63 hex characters rather than the required 64) and could not be verified against source intelligence. The remaining IOCs below are confirmed valid. </em>
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 152.32.174[.]171 </p> </td> <td> <p> APT28 C2 infrastructure (ASN 135377, UCloud HK) </p> </td> <td> <p> Block at firewall, proxy, DNS; add to EDR watchlist </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> f852a611076dc58dd89e7871581782a220c2991b </p> </td> <td> <p> Associated malware sample </p> </td> <td> <p> Block in EDR/AV policy </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> d3a22c5ab83fa414add7b431b2d39a92d3783751 </p> </td> <td> <p> Associated malware sample </p> </td> <td> <p> Block in EDR/AV policy </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 74f71baadfd62df36698019a639e3d89 </p> </td> <td> <p> Associated malware sample </p> </td> <td> <p> Block in EDR/AV policy </p> </td> </tr> <tr> <td> <p> Browser Ext </p> </td> <td> <p> idgpnmonknjnojddfkpgkljpfnnfcklj (Chrome) </p> </td> <td> <p> ModHeader — flagged as malware (1.6M installs) </p> </td> <td> <p> Block via browser management policy </p> </td> </tr> <tr> <td> <p> Browser Ext </p> </td> <td> <p> opgbiafapkbbnbnjcdomjaghbckfkglc (Edge) </p> </td> <td> <p> ModHeader — flagged as malware </p> </td> <td> <p> Block via browser management policy </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> Bottom Line </strong>
</h2>
<p> The threat environment facing state government IT systems this week is defined by <strong> speed of commoditization </strong> . What required nation-state resources two years ago — AiTM phishing, device-code token theft, ICS exploitation — is now available as a service for $400/month or published as proof-of-concept code within days of patch release. The window between vulnerability disclosure and active exploitation against government targets continues to compress.
</p>
<p> Three actions will determine whether your agency is ahead of or behind the threat curve this week:
</p>
<ol> <li> <strong> Patch ColdFusion now. </strong> Not next sprint. Not after change advisory board. Now — or isolate it today and patch tomorrow. CVSS 10.0 with active exploitation and a CISA deadline is not a risk acceptance conversation; it's an incident prevention conversation. </li> <li> <strong> Restrict device-code flows in Entra ID. </strong> This single conditional access policy change neutralizes Forg365, DEBULL, and the entire class of device-code phishing attacks that bypass MFA. It costs nothing and can be implemented in hours. </li> <li> <strong> Confirm your OT segmentation is real. </strong> Seven ICS advisories in three days, plus a confirmed Iranian destructive attack on a U.S. water utility, means the question is not whether state-managed infrastructure will be targeted — it's whether your segmentation will hold when it is. </li>
</ol>
<p> The adversaries are not waiting. Neither should you.
</p>
<p> <em> Anomali CTI Desk | July 10, 2026 </em>
</p>
<p> <em> For questions or additional context on any finding in this report, contact your Anomali intelligence team. </em>
</p>