State Government Cyber Threat Brief: LockBit Infrastructure Actively Scanning Government Networks as AI Attack Surface Explodes

Public Sector

Published on

May 12, 2026

Table of Contents

Threat Assessment Level: ELEVATED(unchanged from prior cycle; trending toward HIGH) Rationale: Active LockBit-affiliated reconnaissance against government targets with 99% confidence IOCs, a CISA-mandated critical firewall patch, three simultaneous AI supply-chain attack vectors, and a new social engineering actor explicitly adding government to its target list. The level remains ELEVATED rather than HIGH because no confirmed intrusion or data loss event has been attributed to these indicators against state entities — yet. <h2>Introduction</h2> State government IT leaders face a convergence of threats this week that demands immediate attention. In the past 72 hours, LockBit-affiliated infrastructure has been confirmed actively scanning U.S. government networks, a critical Palo Alto Networks firewall vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, and three distinct attack vectors targeting AI tooling emerged in a single intelligence cycle. Meanwhile, a Russian social engineering group — CHATTY SPIDER — has formally expanded its targeting to include government organizations, using phone-based tactics that bypass every technical email security control in your stack. This is not a theoretical risk briefing. The IOCs in this report were updated within hours of publication. The CVE discussed carries a 9.8 CVSS score with confirmed in-the-wild exploitation. And the social engineering threat requires no malware at all — just a convincing phone call. <h2>What Changed</h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 2026-05-12 </td> <td> LockBit-Gang IOCs updated targeting government (confidence 99%) </td> <td> Active reconnaissance against state/local government infrastructure confirmed within hours of this report </td> </tr> <tr> <td> 2026-05-12 </td> <td> MistralAI PyPI package compromised (Microsoft warning) </td> <td> Supply-chain injection targeting organizations using Mistral AI libraries </td> </tr> <tr> <td> 2026-05-12 </td> <td> Claude Chrome extension vulnerability disclosed </td> <td> Cross-extension attack enables Gmail/Google Drive data theft </td> </tr> <tr> <td> 2026-05-12 </td> <td> CHATTY SPIDER (Luna Moth) adds government to target list </td> <td> Russian callback phishing group now explicitly targeting government employees </td> </tr> <tr> <td> 2026-05-10 </td> <td> APT41 (China) updates targeting of U.S. state .NET web applications </td> <td> Active exploitation attempts against state government web infrastructure </td> </tr> <tr> <td> 2026-05-09 </td> <td> Shai-Hulud campaign expands — government in target industries </td> <td> npm/SAP supply chain attacks listing government, defense, energy, healthcare </td> </tr> <tr> <td> 2026-05-09 </td> <td> TeamPCP backdoors Checkmarx Jenkins plugin with "Shai Hulud" malware </td> <td> All CI/CD runner secrets compromised in affected environments </td> </tr> <tr> <td> 2026-05-11 </td> <td> "Dirty Frag" Linux privilege escalation confirmed exploited in-the-wild </td> <td> CVE-2026-43284/CVE-2026-43500 — deterministic root on RHEL/Ubuntu </td> </tr> <tr> <td> 2026-05-11 </td> <td> Chaos ransomware linked to MuddyWater (Iranian MOIS) </td> <td> Nation-state using ransomware as false flag to conceal espionage </td> </tr> <tr> <td> 2026-05-06 </td> <td> CVE-2026-0300 (PAN-OS) added to CISA KEV </td> <td> CVSS 9.8 — unauthenticated RCE on PA-Series/VM-Series firewalls </td> </tr> <tr> <td> 2026-05-05 </td> <td> Volt Typhoon (China) updated activity indicators </td> <td> Continued pre-positioning in U.S. critical infrastructure, including state-managed systems </td> </tr> </tbody> </table> <h2>Threat Timeline</h2> <table> <thead> <tr> <th> Date </th> <th> Actor / Campaign </th> <th> Activity </th> <th> Target </th> </tr> </thead> <tbody> <tr> <td> 2026-05-05 </td> <td> Volt Typhoon (China) </td> <td> Updated activity indicators </td> <td> U.S. critical infrastructure </td> </tr> <tr> <td> 2026-05-06 </td> <td> — </td> <td> CISA adds CVE-2026-0300 to KEV </td> <td> PAN-OS firewall operators </td> </tr> <tr> <td> 2026-05-08 </td> <td> PRIMITIVE BEAR / Gamaredon (Russia) </td> <td> New Htrackyx downloader deployed </td> <td> Ukraine-adjacent targets </td> </tr> <tr> <td> 2026-05-09 </td> <td> TeamPCP </td> <td> Jenkins AST Plugin backdoor ("Shai Hulud") </td> <td> CI/CD environments globally </td> </tr> <tr> <td> 2026-05-09 </td> <td> Unknown (financially motivated) </td> <td> Shai-Hulud npm/SAP campaign — gov targeting confirmed </td> <td> Government, defense, energy, healthcare </td> </tr> <tr> <td> 2026-05-10 </td> <td> APT41 (China) </td> <td> Updated targeting of U.S. state .NET web applications </td> <td> State government web apps </td> </tr> <tr> <td> 2026-05-11 </td> <td> — </td> <td> "Dirty Frag" Linux privesc confirmed in-the-wild </td> <td> RHEL/Ubuntu servers </td> </tr> <tr> <td> 2026-05-11 </td> <td> MuddyWater / Seedworm (Iran/MOIS) </td> <td> Chaos ransomware as espionage cover </td> <td> Government entities </td> </tr> <tr> <td> 2026-05-12 </td> <td> LockBit-Gang affiliates </td> <td> Active scanning of government networks </td> <td> U.S. state/local government </td> </tr> <tr> <td> 2026-05-12 </td> <td> CHATTY SPIDER / Luna Moth (Russia) </td> <td> Government added to target industries </td> <td> Government employees </td> </tr> <tr> <td> 2026-05-12 </td> <td> Unknown </td> <td> MistralAI PyPI package compromised </td> <td> AI/ML developers </td> </tr> </tbody> </table> <h2>Key Threat Analysis</h2> <h3>1. LockBit Infrastructure Actively Targeting Government</h3> Despite law enforcement disruption in 2024, LockBit-affiliated operators continue active operations. Fresh IOCs updated within hours of this report show scanning, command injection attempts, and C2 infrastructure directed at government networks — all at 99% confidence. Notable: One IP in this cluster (101.96.200.105) is hosted on Beijing Volcano Engine infrastructure, suggesting affiliate diversity or deliberate infrastructure laundering across jurisdictions. Actors: LockBit-Gang affiliates, SAMBASPIDER/Mispadu (related C2 domain) Techniques:T1595 (Active Scanning), T1190 (Exploit Public-Facing Application), T1071 (Application Layer Protocol C2) <h3>2. PAN-OS CVE-2026-0300 — Your Firewalls May Be the Entry Point</h3> CVE-2026-0300 is a buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows unauthenticated remote code execution with root privileges. CVSS 9.8. CISA added it to the KEV catalog on May 6, meaning federal agencies have a mandatory patch deadline — and state agencies should treat it with equal urgency. Why this matters for state government: Palo Alto firewalls are widely deployed across state agencies. If the Captive Portal or User-ID Authentication Portal is exposed to untrusted networks, attackers can achieve root access without credentials. Both Volt Typhoon and APT41 have been linked to exploitation of this vulnerability. <h3>3. AI Tooling Under Multi-Vector Attack</h3> Three independent AI-related security events in a single cycle represents a pattern, not coincidence: <ul> <li>MistralAI PyPI package — compromised at the dependency level, targeting any organization installing Mistral AI libraries</li> <li>Claude Chrome extension vulnerability — allows malicious browser extensions to steal Gmail and Google Drive data from users with Claude installed</li> <li>Shai-Hulud via Claude Code — supply chain attack targeting SAP Cloud Application Programming environments through AI coding tools</li> </ul> State agencies experimenting with AI/LLM integration — even in development environments — face compounding supply-chain risk from multiple vectors simultaneously. The CISA guidance on Agentic AI adoption (published May 1) provides a defensible framework for managing this risk. <h3>4. CHATTY SPIDER: The Threat Your Email Security Can't Stop</h3> CHATTY SPIDER (also known as Luna Moth, Silent Ransom Group, UNC3753, Storm-0252) is a Russian-origin group that has now explicitly added government to its target industries. Their technique is deceptively simple: <ul> <li>Send a legitimate-looking subscription cancellation or invoice email</li> </ul> <ul> <li>Victim calls the phone number in the email</li> </ul> <ul> <li>Operator talks the victim into installing AnyDesk or TeamViewer</li> </ul> <ul> <li>Attacker gains full remote access — no malware delivered, no links clicked</li> </ul> This bypasses DMARC, email sandboxing, URL filtering, and endpoint detection. The only defenses are user awareness and policy controls on remote access tool installation. This is a governance gap, not a technology gap. <h3>5. Nation-State Actors Using Ransomware as Cover</h3> MuddyWater (Seedworm), an Iranian MOIS-affiliated actor, has been confirmed deploying Chaos ransomware as a false flag to conceal espionage operations. This means that what appears to be a criminal ransomware incident may actually be a nation-state intelligence operation — with very different implications for response, attribution, and recovery. Implication for incident response: Any ransomware event should now trigger a parallel espionage investigation. Data exfiltration may have occurred before encryption, and the attacker's true objective may be persistent access rather than payment. <h2>Predictive Analysis</h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Additional AI supply chain compromises targeting developer packages </td> <td> >70% (HIGH) </td> <td> 7 days </td> <td> Three events in one cycle; attackers exploiting AI adoption rush </td> </tr> <tr> <td> CHATTY SPIDER executes callback phishing against a U.S. government entity </td> <td> 40–60% (MODERATE) </td> <td> 30 days </td> <td> Explicit targeting addition; proven TTP effectiveness </td> </tr> <tr> <td> PAN-OS CVE-2026-0300 exploitation attempts against state firewalls </td> <td> 40–60% (MODERATE) </td> <td> 14 days </td> <td> KEV-listed, CVSS 9.8, nation-state interest confirmed </td> </tr> <tr> <td> LockBit affiliate achieves initial access to a state/local government network </td> <td> 40–60% (MODERATE) </td> <td> 30 days </td> <td> Active scanning confirmed; historical success rate against government </td> </tr> <tr> <td> Nation-state ransomware false-flag operation against a U.S. state agency </td> <td> 20–40% (LOW-MODERATE) </td> <td> 60 days </td> <td> MuddyWater precedent established; state agencies are high-value espionage targets </td> </tr> <tr> <td> Shai-Hulud campaign directly compromises a state government npm dependency </td> <td> <30% (LOW) </td> <td> 30 days </td> <td> Most state apps use enterprise frameworks, not bleeding-edge npm </td> </tr> </tbody> </table> <h2>SOC Operational Guidance</h2> <h3>Immediate Blocking Actions</h3> The following IOCs were collected at 92–99% confidence and are associated with LockBit-Gang government-targeting infrastructure. Block at perimeter and add to SIEM watchlists for retrospective hunting: <table> <thead> <tr> <th> Type </th> <th> Indicator </th> <th> Context </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 92.118.39[.]86 </td> <td> Scanner, government-targeting </td> <td> 99% </td> </tr> <tr> <td> IPv4 </td> <td> 176.65.139[.]64 </td> <td> Command injection, phishing, malware </td> <td> 98% </td> </tr> <tr> <td> IPv4 </td> <td> 101.96.200[.]105 </td> <td> Command injection, invalid file access </td> <td> 99% </td> </tr> <tr> <td> IPv4 </td> <td> 87.121.84[.]16 </td> <td> Command injection </td> <td> 99% </td> </tr> <tr> <td> IPv4 </td> <td> 158.120.255[.]246 </td> <td> Invalid file access </td> <td> 98% </td> </tr> <tr> <td> IPv4 </td> <td> 45.227.254[.]156 </td> <td> Scanner, government-local targeting </td> <td> 92% </td> </tr> <tr> <td> Domain </td> <td> s3wct4p1.viewdns[.]net </td> <td> SAMBASPIDER/Mispadu C2 </td> <td> 90% </td> </tr> </tbody> </table> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds. <h3>Detection Engineering Priorities</h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Approach </th> <th> Priority </th> </tr> </thead> <tbody> <tr> <td> T1190 — Exploit Public-Facing Application </td> <td> Monitor PAN-OS Captive Portal logs for anomalous authentication attempts; alert on any inbound traffic to User-ID portal from non-whitelisted IPs </td> <td> CRITICAL </td> </tr> <tr> <td> T1195.001 — Supply Chain: Compromise Software Dependencies </td> <td> Implement package integrity verification in CI/CD; alert on unexpected package version changes in requirements.txt / package.json </td> <td> HIGH </td> </tr> <tr> <td> T1219 — Remote Access Software </td> <td> Alert on AnyDesk, TeamViewer, ScreenConnect, or Splashtop installation by non-IT users; block unsigned remote access binaries </td> <td> HIGH </td> </tr> <tr> <td> T1071 — Application Layer Protocol (C2) </td> <td> Hunt for beaconing patterns to the IOCs above; monitor for DNS queries to viewdns[.]net subdomains </td> <td> HIGH </td> </tr> <tr> <td> T1185 — Browser Session Hijacking </td> <td> Audit Chrome extension inventory; alert on extensions requesting Gmail/Drive API scopes that are not on approved whitelist </td> <td> MEDIUM </td> </tr> <tr> <td> T1059.006 — Python Execution </td> <td> Monitor for unexpected Python process execution on servers, especially in CI/CD runners; alert on pip install of unverified packages </td> <td> MEDIUM </td> </tr> <tr> <td> T1068 — Exploitation for Privilege Escalation </td> <td> Deploy detection for "Dirty Frag" exploitation (CVE-2026-43284/CVE-2026-43500) — monitor for anomalous ip_frag kernel activity on Linux hosts </td> <td> HIGH </td> </tr> </tbody> </table> <h3>Hunting Hypotheses</h3> <ul> <li>Hypothesis: LockBit pre-positioning. Hunt for any successful connections from the blocked IPs above in the past 30 days. Check firewall logs, VPN concentrators, and web application logs. If any connection succeeded, escalate immediately — initial access may already be established.</li> </ul> <ul> <li>Hypothesis: Unauthorized remote access tools. Query EDR for AnyDesk, TeamViewer, Splashtop, or ScreenConnect installations in the past 14 days that were not deployed by IT. Correlate with help desk ticket data — CHATTY SPIDER victims typically call a fake support number before installation.</li> </ul> <ul> <li>Hypothesis: Compromised AI packages in dev environments. Scan all Python virtual environments and Docker images for the mistralai package. Check version history and compare hashes against known-good releases. Expand to any AI/ML packages installed in the past 30 days.</li> </ul> <ul> <li>Hypothesis: PAN-OS exploitation. Review Captive Portal authentication logs for the past 14 days. Look for buffer overflow signatures, crash dumps, or unexpected root-level process spawning on firewall appliances.</li> </ul> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services (State Treasury, Revenue, Benefits Systems)</h3> <ul> <li>Primary threat: LockBit affiliates and SAMBASPIDER/Mispadu targeting financial transaction systems</li> <li>Action: Verify that all citizen-facing payment portals have WAF rules blocking command injection patterns from the IOCs listed above; audit SAP financial management systems for Shai-Hulud npm dependencies</li> <li>Detection focus:T1190 (exploit public-facing app), T1071 (C2 beaconing from financial system subnets)</li> </ul> <h3>Energy (State-Coordinated Grid, Water/Wastewater SCADA)</h3> <ul> <li>Primary threat: Volt Typhoon pre-positioning in critical infrastructure; Siemens SIPROTEC 5 and ABB B&R Automation Runtime vulnerabilities disclosed this cycle</li> <li>Action: Verify OT/IT network segmentation; confirm SCADA systems are not reachable from networks where the LockBit scanning IPs could route; patch Siemens/ABB/Hitachi Energy systems per vendor advisories</li> <li>Detection focus:T1595 (active scanning of OT-adjacent networks), anomalous traffic crossing IT/OT boundaries</li> </ul> <h3>Healthcare (State Health Agencies, Medicaid Systems)</h3> <ul> <li>Primary threat: Ransomware (LockBit, Chaos/MuddyWater false-flag); supply chain compromise of health IT applications</li> <li>Action: Ensure offline backups of Medicaid enrollment and claims databases; verify that health IT vendor software is not pulling from compromised PyPI/npm packages; brief clinical staff on CHATTY SPIDER vishing tactics</li> <li>Detection focus:T1486 (Data Encrypted for Impact), T1219 (remote access tool installation on clinical workstations)</li> </ul> <h3>Government (Executive Branch Agencies, Election Systems)</h3> <ul> <li>Primary threat: APT41 targeting state .NET web applications; MuddyWater espionage disguised as ransomware; CHATTY SPIDER social engineering</li> <li>Action: Audit all .NET web applications for known APT41 exploitation patterns; update IR playbooks to include espionage investigation track for any ransomware event; implement mandatory IT approval for remote access tool installation</li> <li>Detection focus:T1190 (.NET deserialization attacks), T1219 (unauthorized remote access), T1078 (valid account abuse post-compromise)</li> </ul> <h3>Aviation / Logistics (State DOT, Transportation Management)</h3> <ul> <li>Primary threat: Volt Typhoon targeting transportation infrastructure; LockBit scanning of government networks that include DOT systems</li> <li>Action: Verify that traffic management and ITS (Intelligent Transportation Systems) networks are segmented from general government IT; confirm PAN-OS firewalls protecting DOT infrastructure are patched against CVE-2026-0300</li> <li>Detection focus:T1190 (firewall exploitation), lateral movement from IT to OT transportation networks</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC / Network Ops </td> <td> Block LockBit-Gang IOCs at all perimeter firewalls and proxy servers. Add to SIEM for 30-day retrospective hunt. Specifically: 92.118.39[.]86, 176.65.139[.]64, 101.96.200[.]105, 87.121.84[.]16, 158.120.255[.]246, 45.227.254[.]156, s3wct4p1.viewdns[.]net </td> </tr> <tr> <td> 2 </td> <td> IT Ops / Network Ops </td> <td> Verify PAN-OS CVE-2026-0300 patch status on all PA-Series and VM-Series firewalls. If unpatched, restrict Captive Portal / User-ID Authentication Portal access to trusted internal IPs only. Emergency patch window if needed. </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Hunt for prior connections from the blocked IPs in the past 30 days of firewall/proxy logs. Any successful connection = potential compromise requiring IR activation. </td> </tr> <tr> <td> 4 </td> <td> Linux Admins </td> <td> Patch "Dirty Frag" (CVE-2026-43284/CVE-2026-43500) on all RHEL/Ubuntu servers. Confirmed exploited in-the-wild for deterministic root escalation. </td> </tr> </tbody> </table> <h3>7-DAY Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 5 </td> <td> DevOps </td> <td> Audit Python environments for the mistralai PyPI package. Pin all AI/ML dependencies to verified version hashes. Implement pip --require-hashes for all production and development environments. </td> </tr> <tr> <td> 6 </td> <td> SOC + HR / Security Awareness </td> <td> Issue CHATTY SPIDER vishing alert to all state employees. Key message: "If you receive an unexpected subscription cancellation email with a phone number, do NOT call it. Report to IT security. Never install remote access software without IT approval." </td> </tr> <tr> <td> 7 </td> <td> CISO </td> <td> Review CISA Agentic AI Guidance and assess applicability to active or planned AI deployments. Use as framework for AI security policy that agencies must follow before deploying AI tools. </td> </tr> <tr> <td> 8 </td> <td> SOC </td> <td> Deploy remote access tool detection — alert on AnyDesk, TeamViewer, ScreenConnect, Splashtop installation by non-IT users across all endpoints. </td> </tr> <tr> <td> 9 </td> <td> IR Team </td> <td> Update ransomware IR playbook to include parallel espionage investigation track. Any ransomware event must now trigger data exfiltration assessment and nation-state attribution analysis (MuddyWater precedent). </td> </tr> </tbody> </table> <h3>30-DAY Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 10 </td> <td> DevOps </td> <td> Audit npm/SAP dependency trees across all state application codebases for Shai-Hulud campaign indicators. Implement SBOM generation in CI/CD pipelines. </td> </tr> <tr> <td> 11 </td> <td> IT Ops </td> <td> Deploy browser extension controls via Intune/GPO. Whitelist approved extensions only. Block any extension requesting Gmail/Drive API access that is not explicitly approved. </td> </tr> <tr> <td> 12 </td> <td> IT Ops </td> <td> Audit Jenkins environments for TeamPCP backdoor (Shai Hulud malware in Checkmarx AST Plugin v2026.5.09). Rotate all CI/CD secrets if the compromised plugin version was ever installed. </td> </tr> <tr> <td> 13 </td> <td> CISO / Procurement </td> <td> Diversify intelligence collection — procure secondary OSINT capability or establish manual daily triage of key sources (Krebs, BleepingComputer, The Record, StateScoop) to eliminate single-point-of-failure in threat monitoring. </td> </tr> <tr> <td> 14 </td> <td> CISO </td> <td> Commission AI security assessment — inventory all AI tools, packages, extensions, and cloud services in use across state agencies. Apply supply-chain security controls equivalent to any third-party software. </td> </tr> </tbody> </table> <h3>Executive / IR Preparedness</h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> <th> Timeframe </th> </tr> </thead> <tbody> <tr> <td> Approve emergency patch window for PAN-OS if not already applied </td> <td> CIO </td> <td> Immediate </td> </tr> <tr> <td> Direct security awareness team to issue CHATTY SPIDER vishing alert statewide </td> <td> CISO </td> <td> 48 hours </td> </tr> <tr> <td> Brief Governor's office / agency heads on nation-state ransomware false-flag risk </td> <td> CISO </td> <td> 7 days </td> </tr> <tr> <td> Review cyber insurance policy for coverage of nation-state attacks disguised as ransomware </td> <td> Legal / Risk </td> <td> 14 days </td> </tr> <tr> <td> Establish AI tool adoption security review gate — no agency deploys AI tools without CISO office approval </td> <td> CIO / CISO </td> <td> 30 days </td> </tr> </tbody> </table> <h2>Bottom Line</h2> Adversaries are operating across every layer of the stack simultaneously this week: firewall exploitation (CVE-2026-0300), supply chain poisoning (MistralAI PyPI, Shai-Hulud, Jenkins), active network reconnaissance (LockBit affiliates), and social engineering that requires no technology at all (CHATTY SPIDER). Nation-states are hiding behind ransomware brands. Criminal groups are scanning government networks with infrastructure updated hours ago. Volt Typhoon and APT41 continue to demonstrate persistent interest in state government systems. Every threat identified in this report has a specific, actionable defense. But the window between active scanning and initial access is measured in days, not weeks. Three decisions that cannot wait: <ul> <li>Is your PAN-OS Captive Portal patched? If you don't know the answer within the hour, assume it isn't.</li> </ul> <ul> <li>Can your employees install AnyDesk without IT approval? If yes, CHATTY SPIDER already has a path in.</li> </ul> <ul> <li>Do you know what AI packages are running in your dev environments? If not, you may already be hosting compromised code.</li> </ul> Act today. The adversaries already did. <h2>Closing</h2> The threat landscape facing state government IT is not getting simpler. The convergence of threats documented in this cycle — from nation-state pre-positioning to criminal ransomware operations to AI supply-chain attacks — demands sustained vigilance and coordinated defensive action across all agency tiers. Published by the Anomali CTI Desk — May 12, 2026 For questions or additional IOC feeds, contact your Anomali representative or access indicators directly via Anomali ThreatStream Next-Gen.

FEATURED RESOURCES

May 12, 2026

Anomali Cyber Watch

Public Sector