Anomali Cyber Watch
Public Sector

Stealthy Linux Backdoors, Critical MDM Exploits, and ICS Vulnerabilities Converge on Government Networks

Published on June 10, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> <em> The threat level remains ELEVATED, unchanged from the prior cycle. Two high-priority findings &mdash; active exploitation of mobile device management infrastructure and the discovery of a years-long undetected Linux backdoor in government networks &mdash; demand immediate leadership attention alongside an accelerating cadence of industrial control system advisories. </em> </p> <h2> <strong> Introduction </strong> </h2> <p> State government IT leaders face a compounding threat picture this week. A critical unauthenticated remote code execution campaign is actively targeting government mobile device management platforms. Simultaneously, researchers have disclosed a sophisticated Linux backdoor that operated undetected inside government IT infrastructure for over six years &mdash; masquerading as the very monitoring tools defenders rely on. And five new industrial control system advisories affect equipment commonly deployed in state-overseen utilities. </p> <p> This is not a theoretical risk briefing. These are active campaigns with confirmed government targeting. The window for defensive action is measured in days, not weeks. 
</p> <h2> <strong> What Changed </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-06-10 </p> </td> <td> <p> FAMOUS CHOLLIMA (DPRK) refreshes C2 infrastructure via verceljs-kappa.vercel[.]app </p> </td> <td> <p> Active espionage infrastructure targeting government; abuse of legitimate hosting platforms complicates blocking </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> Ivanti EPMM exploitation campaign updated &mdash; CVE-2026-1281 &amp; CVE-2026-1340 (CVSS 9.8) confirmed targeting government </p> </td> <td> <p> Unauthenticated RCE against mobile device management; no credentials required for exploitation </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> CISA adds CVE-2026-7473 (Arista EOS) to KEV catalog </p> </td> <td> <p> Network infrastructure tunnel bypass vulnerability now confirmed exploited in the wild </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> Schneider Electric EcoStruxure Panel Server &amp; Modicon switch advisories published </p> </td> <td> <p> Credential derivation and authentication bypass in building automation/industrial equipment </p> </td> </tr> <tr> <td> <p> 2026-06-08 </p> </td> <td> <p> Solar 4RAYS publishes GoblinRAT analysis &mdash; Golang backdoor in government infrastructure since 2020 </p> </td> <td> <p> Unattributed, nation-state-caliber Linux implant masquerading as Zabbix and other monitoring services </p> </td> </tr> <tr> <td> <p> 2026-06-04&ndash;09 </p> </td> <td> <p> Hitachi Energy RTU500, ITT600, MACH HiDraw &amp; Siemens KACO advisories </p> </td> <td> <p> Substation RTUs and solar inverters vulnerable to remote exploitation </p> </td> </tr> <tr> <td> <p> 2026-06-08 </p> </td> <td> <p> CVE-2026-42271 (LiteLLM AI gateway, CVSS 8.8) remains on CISA KEV </p> </td> <td> <p> First AI infrastructure zero-day in KEV; 
relevant to agencies deploying AI services </p> </td> </tr> </tbody> </table> <p> <strong> Continuity from prior cycle: </strong> UNC5475 (China-nexus) Cisco zero-day exploitation (last confirmed activity 2026-05-21), REVENANT SPIDER/Qilin ransomware operations (active, 90+ countries), and APT42/Charming Kitten OAuth phishing campaigns all remain active threats with no change in status. Their operational quiet is assessed as potential pre-positioning, not cessation. </p> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Actor / Campaign </strong> </p> </th> <th> <p> <strong> Target </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2020&ndash;2026 </p> </td> <td> <p> GoblinRAT (Unattributed, nation-state caliber) </p> </td> <td> <p> Government IT service providers (Linux) </p> </td> <td> <p> Persistent backdoor discovered after 6+ years of undetected operation </p> </td> </tr> <tr> <td> <p> 2026-05-21 </p> </td> <td> <p> UNC5475 (China-nexus) </p> </td> <td> <p> <strong> Government &amp; critical infrastructure (Cisco devices) </strong> </p> </td> <td> <p> Last confirmed zero-day exploitation; 20-day silence is concerning </p> </td> </tr> <tr> <td> <p> 2026-06-04 </p> </td> <td> <p> Hitachi Energy </p> </td> <td> <p> Energy sector (substations) </p> </td> <td> <p> RTU500/ITT600/MACH HiDraw advisories published </p> </td> </tr> <tr> <td> <p> 2026-06-08 </p> </td> <td> <p> GoblinRAT disclosure </p> </td> <td> <p> Government Linux infrastructure </p> </td> <td> <p> Solar 4RAYS publishes full technical analysis </p> </td> </tr> <tr> <td> <p> 2026-06-08 </p> </td> <td> <p> LiteLLM CVE-2026-42271 </p> </td> <td> <p> AI infrastructure </p> </td> <td> <p> CISA KEV addition confirmed </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> Unknown actor(s) </p> </td> <td> <p> Government, financial, transportation (6 countries) </p> </td> 
<td> <p> Ivanti EPMM active exploitation campaign </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> CISA </p> </td> <td> <p> Network infrastructure </p> </td> <td> <p> CVE-2026-7473 Arista EOS added to KEV </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> Schneider Electric </p> </td> <td> <p> Building automation / industrial </p> </td> <td> <p> EcoStruxure &amp; Modicon advisories </p> </td> </tr> <tr> <td> <p> 2026-06-09 </p> </td> <td> <p> REVENANT SPIDER / Qilin </p> </td> <td> <p> Government (90+ countries) </p> </td> <td> <p> Operational indicators refreshed; no new victims disclosed </p> </td> </tr> <tr> <td> <p> 2026-06-10 </p> </td> <td> <p> FAMOUS CHOLLIMA (DPRK) </p> </td> <td> <p> Government / espionage targets </p> </td> <td> <p> New C2 domain activated </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. Ivanti EPMM: Your MDM Platform Is Now a Front Door </strong> </h3> <p> <strong> CVE-2026-1281 and CVE-2026-1340 </strong> are both scored CVSS 9.8 &mdash; the maximum practical severity. They allow unauthenticated remote code execution against Ivanti Endpoint Manager Mobile (EPMM), the platform many state agencies use to manage government mobile devices. </p> <p> An active exploitation campaign confirmed by Google Threat Intelligence is targeting government, financial services, manufacturing, and transportation sectors across at least six countries. No credentials are required. If your EPMM instance is internet-facing and unpatched, assume it is being probed. </p> <p> <strong> Why this matters for state government: </strong> MDM platforms hold device certificates, VPN configurations, email credentials, and network access policies. Compromising EPMM gives an attacker a blueprint of your mobile fleet and potentially direct access to internal networks. 
</p> <p> <strong> ATT&amp;CK Techniques: </strong> T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts) </p> <h3> <strong> 2. GoblinRAT: Six Years Undetected in Government Networks </strong> </h3> <p> A Golang-based Linux backdoor dubbed <strong> GoblinRAT </strong> was discovered operating inside at least four government-serving IT infrastructure providers &mdash; with evidence of activity dating back to 2020. This implant represents a masterclass in evasion: </p> <ul> <li> <strong> Masquerades as trusted monitoring tools </strong> &mdash; Zabbix agent, rhsmcertd, memcached, chronyd </li> <li> <strong> Per-host unique persistence </strong> &mdash; no two deployments use the same file names or service configurations, defeating signature-based detection </li> <li> <strong> RAM-only staging </strong> &mdash; operates from /dev/shm, leaving no disk artifacts </li> <li> <strong> Anti-forensic capabilities </strong> &mdash; uses shred to destroy logs, hooks authentication functions </li> <li> <strong> Compromised legitimate websites for C2 </strong> &mdash; defeats domain reputation blocking </li> </ul> <p> No attribution has been established, but the sophistication level &mdash; particularly the per-host customization and six-year operational lifespan &mdash; is consistent with nation-state tradecraft. </p> <p> <strong> Why this matters for state government: </strong> State agencies commonly run RHEL/CentOS Linux servers with Zabbix or similar monitoring tools. GoblinRAT specifically targets this exact configuration. If you trust your monitoring infrastructure implicitly, you may be trusting the adversary's persistence mechanism. </p> <p> <strong> ATT&amp;CK Techniques: </strong> T1036.004 (Masquerade Task or Service), T1070.002 (Clear Linux System Logs), T1543.002 (Systemd Service), T1071.001 (Web Protocols C2), T1055 (Process Injection) </p> <h3> <strong> 3. 
ICS/OT Advisory Surge: Five Advisories in One Week </strong> </h3> <p> Five industrial control system advisories were published between June 4 and June 9 affecting vendors commonly deployed in state-overseen utility infrastructure: </p> <table> <thead> <tr> <th> <p> <strong> Vendor </strong> </p> </th> <th> <p> <strong> Product </strong> </p> </th> <th> <p> <strong> Risk </strong> </p> </th> <th> <p> <strong> Advisory </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Schneider Electric </p> </td> <td> <p> EcoStruxure Panel Server </p> </td> <td> <p> Credential derivation in edge gateways </p> </td> <td> <p> ICSA-26-160-03 </p> </td> </tr> <tr> <td> <p> Schneider Electric </p> </td> <td> <p> Modicon Network Managed Switches </p> </td> <td> <p> RADIUS authentication bypass </p> </td> <td> <p> ICSA-26-160-01 </p> </td> </tr> <tr> <td> <p> Hitachi Energy </p> </td> <td> <p> RTU500 </p> </td> <td> <p> Remote exploitation of substation RTUs </p> </td> <td> <p> ICSA-26-155-04 </p> </td> </tr> <tr> <td> <p> Hitachi Energy </p> </td> <td> <p> ITT600 Explorer </p> </td> <td> <p> SCADA engineering tool compromise </p> </td> <td> <p> ICSA-26-155-02 </p> </td> </tr> <tr> <td> <p> Siemens </p> </td> <td> <p> KACO Blueplanet Inverters </p> </td> <td> <p> Credential derivation in solar inverters </p> </td> <td> <p> ICSA-26-160-02 </p> </td> </tr> </tbody> </table> <p> The Hitachi Energy RTU500 is particularly concerning &mdash; these remote terminal units are deployed in electrical substations and water treatment facilities. Exploitation could enable manipulation of physical processes. </p> <p> <strong> ATT&amp;CK Techniques: </strong> T0831 (Manipulation of Control), T0836 (Modify Parameter), T1552.001 (Credentials in Files), T1556 (Modify Authentication Process) </p> <h3> <strong> 4. 
Nation-State Activity: Quiet Periods Are Not Safe Periods </strong> </h3> <p> <strong> UNC5475 (China-nexus): </strong> Last confirmed activity exploiting Cisco ASA/FTD zero-days was May 21 &mdash; a 20-day silence. This actor targets government and critical infrastructure networks globally. Their operational pause likely indicates retooling or successful establishment of persistent access that no longer generates detectable traffic. State agencies running Cisco edge appliances should assume they are targets. </p> <p> <strong> FAMOUS CHOLLIMA (DPRK): </strong> Refreshed C2 infrastructure today via verceljs-kappa.vercel[.]app. This actor conducts espionage operations using fake job recruitment lures and the InvisibleFerret RAT. Their abuse of legitimate hosting platforms (Vercel) makes network-level blocking challenging. </p> <p> <strong> APT42 / Charming Kitten (Iran/IRGC-IO): </strong> Continues OAuth consent phishing campaigns against government, energy, and healthcare cloud environments. Current quiet period assessed as potential pre-positioning rather than cessation. </p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Assessment </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Additional Ivanti EPMM exploitation reports will emerge within 7 days as the campaign expands. Unpatched government instances face near-certain targeting. </p> </td> </tr> <tr> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> GoblinRAT variants or similar Linux backdoors will be reported by additional security vendors now that indicators are public. Expect copycat adoption of monitoring-tool masquerade techniques. </p> </td> </tr> <tr> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> CISA will add Ivanti EPMM CVEs (CVE-2026-1281, CVE-2026-1340) to the KEV catalog within 7 days given active exploitation and CVSS 9.8 severity. 
</p> </td> </tr> <tr> <td> <p> <strong> 35% </strong> </p> </td> <td> <p> A state or local government ransomware incident will be disclosed within 14 days. REVENANT SPIDER/Qilin's operational tempo and confirmed government targeting make this a persistent risk. </p> </td> </tr> <tr> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> UNC5475 will resurface with new Cisco zero-day exploitation. Their operational tempo suggests retooling, not retirement. </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <p> <strong> Hunt for GoblinRAT (CLU-207) </strong> </p> <table> <thead> <tr> <th> <p> <strong> Detection Type </strong> </p> </th> <th> <p> <strong> Guidance </strong> </p> </th> <th> <p> <strong> ATT&amp;CK </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Network blocking </p> </td> <td> <p> Alert/block connections to 37.120.247[.]182, 5.63.154[.]23, qfilling[.]instanthq[.]com, chronyd[.]tftpd[.]net </p> </td> <td> <p> T1071.001 </p> </td> </tr> <tr> <td> <p> Process anomaly </p> </td> <td> <p> Hunt for processes named zabbix_agent (note: legitimate is zabbix_agentd with trailing 'd') </p> </td> <td> <p> T1036.004 </p> </td> </tr> <tr> <td> <p> Systemd audit </p> </td> <td> <p> Review /usr/lib/systemd/system/ for services mimicking monitoring tools where ExecStart binary path doesn't match expected installation directory </p> </td> <td> <p> T1543.002 </p> </td> </tr> <tr> <td> <p> Memory forensics </p> </td> <td> <p> Check /dev/shm on Linux servers for unexpected executables or shared memory segments </p> </td> <td> <p> T1055 </p> </td> </tr> <tr> <td> <p> DNS monitoring </p> </td> <td> <p> Alert on queries to instanthq[.]com and tftpd[.]net subdomains </p> </td> <td> <p> T1071.001 </p> </td> </tr> </tbody> </table> <p> <strong> Hunting Hypothesis: </strong> <em> If GoblinRAT or a similar implant is present in our Linux monitoring infrastructure, we would 
observe: (a) systemd services with names matching monitoring tools but binary paths in non-standard locations; (b) processes with manipulated argv[0] strings; (c) outbound HTTPS connections from monitoring servers to domains not in our approved monitoring vendor list. </em> </p> <p> <strong> Hunt for UNC5475 Cisco Persistence </strong> </p> <table> <thead> <tr> <th> <p> <strong> Detection Type </strong> </p> </th> <th> <p> <strong> Guidance </strong> </p> </th> <th> <p> <strong> ATT&amp;CK </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> AAA audit </p> </td> <td> <p> Check for unauthorized modifications to AAA configurations on all Cisco ASA/FTD </p> </td> <td> <p> T1556 </p> </td> </tr> <tr> <td> <p> Syslog integrity </p> </td> <td> <p> Verify syslog forwarding is active and unmodified; disabled syslog is a key UNC5475 indicator </p> </td> <td> <p> T1562.001 </p> </td> </tr> <tr> <td> <p> Crash analysis </p> </td> <td> <p> Review crash dump behavior &mdash; anomalous crashes may indicate exploitation attempts </p> </td> <td> <p> T1190 </p> </td> </tr> </tbody> </table> <p> <strong> Hunting Hypothesis: </strong> <em> If UNC5475 has established persistence on our Cisco edge appliances, we would observe: (a) AAA configuration changes not matching change management records; (b) gaps in syslog forwarding; (c) unexpected process restarts or crash dumps on ASA/FTD devices. 
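The GoblinRAT hunting rows (argv[0] lookalikes such as zabbix_agent, systemd units whose ExecStart binary sits outside the daemon's expected directory, executables staged in /dev/shm) and the 7-day item on a process-masquerading detection rule can be exercised with the following added example. It is not code from Anomali or Solar 4RAYS; EXPECTED_DIRS is an assumption for a typical RHEL/CentOS layout that should be aligned with your own baseline, and the SAMPLE_* values are constructed, not real indicators.

```python
"""Hunt for the Linux masquerading and persistence traits described in the
GoblinRAT guidance: monitoring-daemon names on binaries in the wrong place,
the zabbix_agent lookalike name, unit files whose ExecStart points outside the
expected install directory, and executables staged in /dev/shm.
Added example, not Anomali's or Solar 4RAYS's code. EXPECTED_DIRS is an
assumption for a typical RHEL/CentOS host; align it with your baseline."""
import os
import re
import stat
from dataclasses import dataclass

# Daemon names the implant is reported to imitate -> directories where the
# genuine binary normally lives (assumed RHEL/CentOS layout).
EXPECTED_DIRS = {
    "zabbix_agentd": {"/usr/sbin", "/usr/local/sbin"},
    "memcached": {"/usr/bin"},
    "rhsmcertd": {"/usr/bin"},
    "chronyd": {"/usr/sbin"},
    "vmtoolsd": {"/usr/bin"},
}
# Lookalike names: the genuine agent is zabbix_agentd, with the trailing 'd'.
LOOKALIKES = {"zabbix_agent": "zabbix_agentd"}


@dataclass
class Proc:
    pid: int
    argv0: str  # what /proc/<pid>/cmdline claims the process is
    exe: str    # what /proc/<pid>/exe actually resolves to


def check_process(p: Proc) -> list[str]:
    """Return findings for one process; an empty list means nothing suspicious."""
    findings = []
    name = os.path.basename(p.argv0)
    if name in LOOKALIKES:
        findings.append(f"pid {p.pid}: lookalike name {name!r} "
                        f"(genuine daemon is {LOOKALIKES[name]!r})")
    if name in EXPECTED_DIRS and os.path.dirname(p.exe) not in EXPECTED_DIRS[name]:
        findings.append(f"pid {p.pid}: argv[0] says {name!r} but binary is {p.exe}")
    if p.exe.startswith("/dev/shm/"):
        findings.append(f"pid {p.pid}: executing from RAM-backed /dev/shm ({p.exe})")
    return findings


# ExecStart may carry prefixes such as '-', '@', '+', '!' or ':' before the path.
EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)", re.MULTILINE)


def check_unit(unit_name: str, unit_text: str) -> list[str]:
    """Flag a systemd unit whose ExecStart binary carries a monitoring-daemon
    name but lives outside that daemon's expected directory or in /dev/shm."""
    m = EXECSTART_RE.search(unit_text)
    if not m:
        return []
    path = m.group(1)
    name = os.path.basename(path)
    findings = []
    if name in EXPECTED_DIRS and os.path.dirname(path) not in EXPECTED_DIRS[name]:
        findings.append(f"{unit_name}: ExecStart {path} is not in {sorted(EXPECTED_DIRS[name])}")
    if name in LOOKALIKES or path.startswith("/dev/shm/"):
        findings.append(f"{unit_name}: ExecStart {path} is a lookalike or RAM-staged binary")
    return findings


def shm_executables(entries: list[tuple[str, int]]) -> list[str]:
    """Given (path, st_mode) pairs from /dev/shm, return regular files with any execute bit."""
    x_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return [path for path, mode in entries if stat.S_ISREG(mode) and mode & x_bits]


def live_processes():
    """Read /proc on this host (run as root so every process's exe link is readable)."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or not ours to inspect
        yield Proc(int(pid), argv0, exe)


# Constructed sample data (not real indicators) to show each check firing.
SAMPLE_PROCS = [
    Proc(1201, "/usr/sbin/zabbix_agentd", "/usr/sbin/zabbix_agentd"),  # genuine
    Proc(1337, "zabbix_agent", "/var/tmp/.cache/zbx"),                 # lookalike name
    Proc(2048, "/usr/sbin/chronyd", "/dev/shm/.x/chronyd"),            # wrong dir + RAM-staged
]
SAMPLE_UNIT_OK = "[Service]\nExecStart=/usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf\n"
SAMPLE_UNIT_BAD = "[Service]\nExecStart=-/var/lib/.rhsm/rhsmcertd\n"

if __name__ == "__main__":
    for p in live_processes():
        for finding in check_process(p):
            print(finding)
```

Run it as root with python3 on each monitoring server and feed check_unit the contents of every file under /usr/lib/systemd/system/ and /etc/systemd/system/; shm_executables takes (path, st_mode) pairs, which os.walk over /dev/shm combined with os.lstat supplies. A readlink result ending in " (deleted)" is itself worth a look, since it means the process is running a binary that no longer exists on disk.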
</em> </p> <p> <strong> Monitor for Ivanti EPMM Exploitation </strong> </p> <table> <thead> <tr> <th> <p> <strong> Detection Type </strong> </p> </th> <th> <p> <strong> Guidance </strong> </p> </th> <th> <p> <strong> ATT&amp;CK </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Exposure verification </p> </td> <td> <p> Confirm whether Ivanti EPMM is deployed; if yes, verify patch status immediately </p> </td> <td> <p> T1190 </p> </td> </tr> <tr> <td> <p> Web logs </p> </td> <td> <p> Review EPMM access logs for anomalous unauthenticated API calls or unexpected administrative actions </p> </td> <td> <p> T1190 </p> </td> </tr> <tr> <td> <p> Post-compromise </p> </td> <td> <p> If EPMM was unpatched and internet-facing, assume compromise &mdash; hunt for credential harvesting and lateral movement </p> </td> <td> <p> T1078 </p> </td> </tr> </tbody> </table> <p> <strong> FAMOUS CHOLLIMA C2 Monitoring </strong> </p> <table> <thead> <tr> <th> <p> <strong> Detection Type </strong> </p> </th> <th> <p> <strong> Guidance </strong> </p> </th> <th> <p> <strong> ATT&amp;CK </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> DNS/proxy </p> </td> <td> <p> Alert on connections to verceljs-kappa.vercel[.]app </p> </td> <td> <p> T1583.001 </p> </td> </tr> <tr> <td> <p> Email/HR </p> </td> <td> <p> Brief recruiting teams on fake job interview lures &mdash; verify all coding challenge repositories before execution </p> </td> <td> <p> T1566.003 </p> </td> </tr> </tbody> </table> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Retirement Systems) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Ivanti EPMM patch verification &mdash; financial agencies managing mobile access to payment systems and taxpayer data are high-value targets in the confirmed campaign </li> <li> <strong> Priority 2: </strong> Review OAuth consent grants in M365/Azure AD for anomalous application permissions (APT42 
technique) </li> <li> <strong> Priority 3: </strong> Ensure SWIFT/ACH transaction monitoring is not dependent on Linux servers running Zabbix without EDR coverage </li> </ul> <h3> <strong> Energy (State Energy Office, Utility Coordination) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Inventory all Hitachi Energy RTU500 units in state-overseen substations and coordinate vendor patching per ICSA-26-155-04 </li> <li> <strong> Priority 2: </strong> Assess Schneider Electric EcoStruxure Panel Server and Modicon switch deployments in building automation and grid coordination systems </li> <li> <strong> Priority 3: </strong> Verify network segmentation between IT and OT &mdash; credential derivation vulnerabilities in OT equipment mean IT-side credential theft could pivot to physical process control </li> <li> <strong> Priority 4: </strong> Audit Siemens KACO Blueplanet solar inverter installations for default or derivable credentials </li> </ul> <h3> <strong> Healthcare (Health &amp; Human Services, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Ivanti EPMM is widely deployed in healthcare for clinician mobile device management &mdash; verify patch status with extreme urgency </li> <li> <strong> Priority 2: </strong> Linux servers hosting health information exchanges (HIEs) and Medicaid Management Information Systems (MMIS) should be included in GoblinRAT hunting scope </li> <li> <strong> Priority 3: </strong> APT42 OAuth phishing specifically targets healthcare cloud environments &mdash; enforce conditional access policies requiring compliant devices for all clinical application access </li> </ul> <h3> <strong> Government (All Executive Branch Agencies) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Conduct enterprise-wide inventory of Ivanti EPMM deployments across all agencies within 24 hours </li> <li> <strong> Priority 2: </strong> Authorize and execute Linux threat hunt on all RHEL/CentOS servers, prioritizing those 
running Zabbix, Nagios, or similar monitoring platforms </li> <li> <strong> Priority 3: </strong> Validate Cisco ASA/FTD configurations against known-good baselines &mdash; any deviation requires forensic investigation </li> <li> <strong> Priority 4: </strong> Review systemd service inventory on all Linux hosts for unauthorized or suspicious service definitions </li> </ul> <h3> <strong> Aviation / Logistics (DOT, Airport Authorities, Port Systems) </strong> </h3> <ul> <li> <strong> Priority 1: </strong> Transportation SCADA systems may use Hitachi Energy or Schneider Electric components &mdash; coordinate with OT teams on advisory applicability </li> <li> <strong> Priority 2: </strong> Ivanti EPMM exploitation campaign explicitly targets transportation sector &mdash; verify MDM patch status for field worker mobile devices </li> <li> <strong> Priority 3: </strong> FAMOUS CHOLLIMA has historically targeted logistics and transportation for revenue generation &mdash; monitor for fake job lures targeting IT staff </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Verify whether Ivanti EPMM is deployed anywhere in the state environment. If yes, apply emergency patch for CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8, active exploitation, government targeting confirmed). If patching is not immediately possible, restrict internet-facing access to EPMM administrative interfaces. 
</p> </td> </tr> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy GoblinRAT network IOCs to all detection platforms: block/alert on 37.120.247[.]182, 5.63.154[.]23, qfilling[.]instanthq[.]com, chronyd[.]tftpd[.]net. Add verceljs-kappa.vercel[.]app (FAMOUS CHOLLIMA C2) to watchlist. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Initiate Linux threat hunt on all monitoring servers &mdash; search for processes named zabbix_agent (without trailing 'd'), unexpected services in /usr/lib/systemd/system/, and executables in /dev/shm. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Brief agency CIOs on Ivanti EPMM risk &mdash; any agency running unpatched EPMM with internet exposure should treat this as a potential compromise, not just a vulnerability. </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Conduct proactive threat hunt on all Cisco ASA/FTD appliances for UNC5475 persistence indicators: unauthorized AAA modifications, disabled syslog forwarding, anomalous crash dumps. Reference CVE-2025-20333, CVE-2025-20362, CVE-2025-20363. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> IT Ops / OT </p> </td> <td> <p> Inventory all Schneider Electric EcoStruxure Panel Servers, Modicon switches, and Hitachi Energy RTU500 units in state-overseen utility infrastructure. Coordinate vendor patching per ICSA-26-160-01, ICSA-26-160-03, ICSA-26-155-04. 
</p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy Sigma detection rule for Linux process masquerading: alert when argv[0] contains known service names (zabbix_agentd, memcached, rhsmcertd, vmtoolsd) but the binary path does not match the expected installation directory. </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Audit Arista EOS switches for tunnel decapsulation configurations (VXLAN, GRE). If decap-groups are configured, apply vendor patch per CVE-2026-7473 KEV listing. </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> IR Team </p> </td> <td> <p> Update incident response playbooks to include Linux-specific forensic procedures &mdash; current playbooks likely assume Windows-centric compromise scenarios. </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Evaluate procurement of additional open-source intelligence feeds to restore corroboration capability. Current single-source dependency has degraded threat validation for 12 consecutive days. </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission assessment of Linux endpoint detection coverage across the enterprise. GoblinRAT demonstrates that Windows-focused EDR strategies leave Linux infrastructure as a blind spot. </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Evaluate adding Microsoft Defender for Cloud Apps telemetry or equivalent cloud-native detection to address persistent gap in cloud/SaaS threat visibility. 
</p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Initiate tabletop exercise simulating a combined MDM compromise (Ivanti EPMM) and Linux persistence scenario &mdash; test whether current IR procedures can detect and contain both simultaneously. </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Review all SolarWinds Serv-U legacy deployments &mdash; while no new vulnerability was disclosed this cycle, the platform remains in the technology stack and has a history of exploitation. </p> </td> </tr> </tbody> </table> <h2> <strong> IOC Blocking Table </strong> </h2> <p> The following indicators should be added to network detection and blocking platforms immediately: </p> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Attribution </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 37.120.247[.]182 </p> </td> <td> <p> GoblinRAT (Unattributed) </p> </td> <td> <p> C2 server, port 443 </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 5.63.154[.]23 </p> </td> <td> <p> GoblinRAT (Unattributed) </p> </td> <td> <p> Resolved from C2 domain </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> qfilling[.]instanthq[.]com </p> </td> <td> <p> GoblinRAT (Unattributed) </p> </td> <td> <p> C2, port 443 </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> chronyd[.]tftpd[.]net </p> </td> <td> <p> GoblinRAT (Unattributed) </p> </td> <td> <p> C2 </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> test[.]pink-apple[.]ru </p> </td> <td> <p> GoblinRAT (Unattributed) </p> </td> <td> <p> PassiveDNS association </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> verceljs-kappa.vercel[.]app </p> </td> <td> <p> FAMOUS CHOLLIMA (DPRK) </p> </td> <td> <p> Active C2, espionage </p> </td> </tr> </tbody> </table> 
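The indicators in the IOC Blocking Table, the DNS-monitoring rule for instanthq[.]com and tftpd[.]net subdomains, and GoblinRAT hunting hypothesis (c) (monitoring servers making HTTPS connections to destinations outside the approved vendor list) can be applied to telemetry with the following added example. It is not part of Anomali's report; the key=value log format, the host names in MONITORING_HOSTS, the APPROVED_EGRESS list and the SAMPLE_LOG lines are constructed assumptions, while the indicator values are exactly those listed in the table.

```python
"""Match DNS and proxy telemetry against the report's indicators, alert on any
subdomain of the watched parent domains, and test hunting hypothesis (c):
monitoring servers should only reach approved vendors over HTTPS.
Added example, not part of Anomali's report. The log format, MONITORING_HOSTS,
APPROVED_EGRESS and SAMPLE_LOG are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


def refang(ioc: str) -> str:
    """Turn the report's defanged '[.]' notation into a matchable value."""
    return ioc.replace("[.]", ".")


# Indicators exactly as listed in the IOC Blocking Table.
IOC_IPS = {refang(x) for x in ("37.120.247[.]182", "5.63.154[.]23")}
IOC_DOMAINS = {refang(x) for x in (
    "qfilling[.]instanthq[.]com", "chronyd[.]tftpd[.]net",
    "test[.]pink-apple[.]ru", "verceljs-kappa.vercel[.]app")}
# Parent domains: any subdomain query is alert-worthy (DNS monitoring row).
WATCH_SUFFIXES = {refang(x) for x in ("instanthq[.]com", "tftpd[.]net")}

# Assumed environment data for hypothesis (c): constructed host names and allow-list.
MONITORING_HOSTS = {"mon01", "mon02"}
APPROVED_EGRESS = {"repo.zabbix.com", "cdn.redhat.com"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def domain_match(name: str) -> Optional[str]:
    """Exact IOC hit first, then suffix match against the watched parent domains."""
    name = name.lower().rstrip(".")
    if name in IOC_DOMAINS:
        return "ioc-domain"
    if any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES):
        return "watch-suffix"
    return None


def ip_match(value: str) -> bool:
    """True if an IPv4 'addr' or 'addr:port' value is a listed C2 address."""
    host = value.rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(host)) in IOC_IPS
    except ValueError:
        return False


def analyze(line: str) -> Optional[Finding]:
    """Parse one key=value log line and return a Finding, or None if clean."""
    f = dict(KV_RE.findall(line))
    reasons = []
    for key in ("query", "sni"):  # DNS question name / TLS SNI seen by the proxy
        if key in f:
            kind = domain_match(f[key])
            if kind:
                reasons.append(f"{kind}:{f[key]}")
    if "dst" in f and ip_match(f["dst"]):
        reasons.append(f"ioc-ip:{f['dst']}")
    # Hypothesis (c): a monitoring host talking HTTPS to anything not on the allow-list.
    if f.get("src_host") in MONITORING_HOSTS and f.get("proto") == "https":
        dest = f.get("sni", "").lower()
        if dest and dest not in APPROVED_EGRESS:
            reasons.append(f"unapproved-egress:{dest}")
    return Finding(line, reasons) if reasons else None


def scan(lines: list[str]) -> list[Finding]:
    return [hit for hit in map(analyze, lines) if hit]


# Constructed sample telemetry; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2026-06-10T03:14:07Z type=dns client=mon01 query=chronyd.tftpd.net",
    "2026-06-10T03:14:09Z type=dns client=web07 query=update.tftpd.net",
    "2026-06-10T03:15:02Z type=proxy src_host=mon01 proto=https dst=37.120.247.182:443 sni=qfilling.instanthq.com",
    "2026-06-10T03:16:30Z type=proxy src_host=mon01 proto=https dst=203.0.113.10:443 sni=repo.zabbix.com",
    "2026-06-10T03:17:11Z type=proxy src_host=mon02 proto=https dst=198.51.100.7:443 sni=updates.example.net",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(", ".join(hit.reasons), "<-", hit.line)
```

The suffix check is what makes the DNS-monitoring row actionable: an exact-match blocklist would miss a fresh subdomain of tftpd[.]net, whereas a suffix match catches it. The unapproved-egress reason is deliberately separate from the IOC reasons, since it is a hypothesis-driven signal that needs triage against the vendor allow-list rather than an automatic block.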
<p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds. </p> <h2> <strong> Bottom Line </strong> </h2> <p> The threat landscape facing state government IT this week is defined by a dangerous convergence: critical vulnerabilities in the platforms we use to manage devices (Ivanti EPMM), sophisticated implants hiding inside the tools we use to monitor our own infrastructure (GoblinRAT), and a steady drumbeat of ICS advisories affecting the physical systems our agencies oversee. </p> <p> The adversary's playbook is clear &mdash; target trust. Trust in your MDM platform. Trust in your monitoring tools. Trust in your network edge appliances. Each of these trust relationships is under active assault. </p> <p> The 24-hour actions in this report are not optional. Verify your Ivanti EPMM exposure. Hunt your Linux monitoring servers. Validate your Cisco edge configurations. The actors behind these campaigns have demonstrated patience measured in years. Our response window is measured in days. </p> <p> <em> Anomali CTI Desk | 2026-06-10 </em> </p> <p> <em> For questions or additional IOC feeds, contact your Anomali account team. </em> </p>
