When 766 Systems Fall in 24 Hours: The Threats Bearing Down on State Government Networks

Public Sector

Published on

April 3, 2026

Table of Contents

Threat Assessment Level: ELEVATED Sustained from the prior cycle. The convergence of a CVSS 10.0 mass exploitation campaign actively compromising web applications, an updated ransomware group posting government-adjacent victims, a new malware-as-a-service platform lowering the barrier to credential theft, and unpatched ICS vulnerabilities in water and wastewater infrastructure collectively sustain the ELEVATED posture. No single event warrants escalation to HIGH, but the compounding of simultaneous risks across web applications, endpoints, OT systems, and the email channel leaves no margin for delayed response. <h2>Introduction                              </h2> State government IT leaders face a threat environment this week that is simultaneously broad and acute. A critical-severity vulnerability in a widely deployed web framework is being exploited at industrial scale — 766 systems compromised within a single day. A prolific ransomware group with 457 victims and a clear appetite for government targets posted a new victim today. A new credential-stealing service now packages sophisticated social engineering into a point-and-click operator panel. And two ICS advisories landed for systems commonly found in state water treatment and building management infrastructure. This is not a theoretical risk briefing. These are active campaigns, active exploits, and active adversaries — and they are scanning your networks right now. <h2>What Changed                         </h2> Since our last assessment on April 2, 2026, six material developments have shifted the operational picture: <ol> <li>React2Shell mass exploitation went live. Cisco Talos published details on UAT-10608’s automated campaign exploiting CVE-2025-55182 (CVSS 10.0) in React Server Components. The campaign is indiscriminate, automated, and fast — 766 confirmed compromises in 24 hours. Any state agency running citizen-facing portals on Next.js with React 19.0.0–19.2.0 is directly exposed.</li> <li>DragonForce ransomware updated its victim roster. The group posted a new victim — a government contracts law firm — bringing its total to 457 victims, with 191 in the United States alone. Government, healthcare, education, and energy are all named target sectors.</li> <li>Venom Stealer launched as a turnkey credential theft platform. Priced at $250/month, this malware-as-a-service integrates ClickFix social engineering templates (fake CAPTCHAs, fake OS updates) directly into its operator console. It bypasses Chrome’s password encryption without triggering a UAC prompt — meaning no alert, no pop-up, no warning to the user.</li> <li>CISA published ICS advisories for Siemens SICAM A8000 and Yokogawa CENTUM VP — both systems commonly deployed in state water/wastewater SCADA environments and building management systems.</li> <li>Phorpiex botnet is delivering LockBit Black ransomware to domain-joined systems. The Phorpiex/Trik botnet has refined its targeting to confirm domain membership before deploying LockBit Black, maximizing impact against enterprise and government environments. Mass spam campaigns targeting millions of addresses — including publicly listed state government emails — are the delivery mechanism.</li> <li>A malicious Chrome extension is actively exfiltrating sensitive data. The “ChatGPT Ad Blocker” extension (developer: krittinkalra) has been identified exfiltrating data — including AI conversation logs — to external services via Discord webhooks. State employees using AI tools for policy drafting or legal research are directly exposed.</li> </ol> Continuity from prior cycle: The threats identified on April 2 remain active and unresolved. COLDRIVER’s (TA446) GHOSTBLADE iOS exploitation campaign targeting government continues. CVE-2026-20093 (Cisco IMC, CVSS 9.8) still has no vendor workaround. The Iran-linked Handala/Void Manticore group remains active following the DOJ’s March 19 seizure of Iranian cyber infrastructure. MuddyWater credential harvesting and Qilin/REVENANT SPIDER ransomware operations persist. None of these threats have been mitigated by new patches or takedowns. <h2>Threat Timeline                             </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Severity </th> <th> Relevance to State Government </th> </tr> </thead> <tbody> <tr> <td> 2026-03-17 </td> <td> Exchange Online mailbox access failures begin (EX1268771) </td> <td> Moderate </td> <td> Affects Outlook mobile/macOS users statewide; now entering week 3 with no root cause </td> </tr> <tr> <td> 2026-03-19 </td> <td> DOJ seizes Iranian cyber infrastructure </td> <td> High </td> <td> Provokes retaliatory cyber operations from IRGC-affiliated groups </td> </tr> <tr> <td> 2026-03-27 </td> <td> Handala/Void Manticore claims FBI Director email breach </td> <td> High </td> <td> Demonstrates Iranian actors’ willingness to target U.S. government officials </td> </tr> <tr> <td> 2026-03-30 </td> <td> CISA adds vulnerability to KEV catalog </td> <td> High </td> <td> Continued acceleration of known-exploited vulnerability disclosures </td> </tr> <tr> <td> 2026-04-01 </td> <td> CISA adds another KEV entry; Qilin and Akira ransomware profiles updated </td> <td> High </td> <td> Ransomware groups refreshing tooling and victim lists </td> </tr> <tr> <td> 2026-04-02 </td> <td> COLDRIVER deploys GHOSTBLADE via DarkSword iOS exploit kit; Cisco CVE-2026-20093 disclosed (CVSS 9.8); CISA ICS advisories for Siemens SICAM & Yokogawa CENTUM; Iran conflict cyber campaign updated </td> <td> Critical–High </td> <td> Zero-click mobile exploitation of government targets; unpatched network infrastructure; OT exposure </td> </tr> <tr> <td> 2026-04-03 </td> <td> React2Shell mass exploitation (CVE-2025-55182, 766 victims in 24h); DragonForce posts gov-adjacent victim (#457); Venom Stealer MaaS launches with ClickFix integration; Phorpiex delivering LockBit Black to domain-joined systems </td> <td> Critical–High </td> <td> Direct exposure for Next.js portals; ransomware targeting government; new credential theft at scale </td> </tr> </tbody> </table> <h2>Key Threat Analysis                      </h2> <h3>1. React2Shell: A CVSS 10.0 Web Application Crisis (CVE-2025-55182)</h3> What it is: A pre-authentication remote code execution vulnerability in React Server Components (versions 19.0.0–19.2.0) that allows an attacker to execute arbitrary code on the server without any credentials, user interaction, or authentication. Who is exploiting it: A threat actor tracked as UAT-10608 has automated the entire attack chain — scanning via Shodan and Censys, exploiting vulnerable servers, and exfiltrating credentials using a framework called Nexus Listener. The campaign is indiscriminate: every internet-facing Next.js application running a vulnerable React version is a target. What they are stealing: AWS access keys, GitHub tokens, Kubernetes service account tokens, SSH private keys, and database credentials. This is not just a website defacement risk — it is a keys-to-the-kingdom credential harvesting operation. A single compromised citizen portal could yield credentials that unlock cloud infrastructure, code repositories, and backend databases across an agency. Why state government should care: Many state agencies have modernized citizen-facing services using Next.js and React. If any of those portals run React Server Components 19.x, they are exposed to automated exploitation that is already underway at scale. The 766 confirmed compromises in 24 hours demonstrate that scanning is faster than most patch cycles. ATT&CK techniques: T1190 (Exploit Public-Facing Application), T1552.001 (Credentials in Files), T1059.007 (JavaScript Execution), T1041 (Exfiltration Over C2 Channel) <h3>2. DragonForce Ransomware: 457 Victims and Counting</h3> What it is: DragonForce is a ransomware operation that has rapidly scaled to 457 confirmed victims, with the United States as its primary target (191 victims). The group explicitly targets government, government-public-services, healthcare, education, energy, financial services, and construction — a near-perfect overlap with state government agency portfolios. Latest activity: On April 3, DragonForce posted a new victim: a government contracts law firm. While not a state agency directly, law firms handling government contracts hold sensitive procurement data, contract terms, and communications with state officials. Tooling: DragonForce operators use Mimikatz for credential dumping, Advanced IP Scanner and PingCastle for Active Directory reconnaissance, and SoftPerfect NetScan for network discovery. Their playbook includes disabling endpoint security tools before deploying encryption — a technique that has proven effective against organizations relying solely on EDR without additional monitoring layers. ATT&CK techniques: T1486 (Data Encrypted for Impact), T1562.001 (Disable or Modify Tools), T1083 (File and Directory Discovery), T1003 (OS Credential Dumping) <h3>3. Venom Stealer: ClickFix Social Engineering Goes Turnkey</h3> What it is: Venom Stealer is a new malware-as-a-service platform ($250/month to $1,800 lifetime) that bundles persistent credential theft with built-in social engineering templates. Unlike commodity stealers that grab credentials once and exit, Venom Stealer maintains persistent access and continuously exfiltrates new credentials as users log into additional services. The ClickFix problem: Venom Stealer ships with four ready-made ClickFix templates — fake Cloudflare CAPTCHA pages, fake OS update prompts, fake SSL certificate errors, and fake font installation dialogs. These lures trick users into copying and pasting a malicious PowerShell command into their terminal. Because the user initiates the execution, this technique bypasses application whitelisting, email gateway scanning, and endpoint detection that keys on automated execution. Chrome password bypass: Venom Stealer defeats Chrome’s v10/v20 password encryption using CMSTPLUA COM privilege escalation — without triggering a UAC prompt. Users see nothing. No dialog box, no elevation request, no warning. Why this matters for state agencies: State employees are trained to recognize phishing emails. They are not trained to recognize a fake Cloudflare CAPTCHA that asks them to “verify you’re human” by pasting a command. This is a training gap that technical controls alone cannot close. ATT&CK techniques: T1204.001 (User Execution — Malicious Link), T1059.001 (PowerShell), T1555.003 (Credentials from Web Browsers), T1548.002 (Bypass UAC), T1539 (Steal Web Session Cookie) <h3>4. Phorpiex Botnet: Domain-Aware LockBit Black Delivery</h3> What it is: The Phorpiex/Trik botnet — commanding 70,000–80,000 active devices daily and 1.7 million unique IPs over 90 days — has evolved to deliver LockBit Black ransomware specifically to machines that are confirmed to be joined to a Windows domain. This is a deliberate targeting refinement: the botnet checks whether the victim is inside a corporate or government network before deploying ransomware, maximizing impact and ransom leverage. Scale: Each Phorpiex spam campaign targets 2–6 million email addresses. A January 2026 campaign hit 21 countries including the United States. State government email addresses are publicly available in directories, FOIA responses, and agency websites — they are already in Phorpiex’s targeting lists. ATT&CK techniques: T1566.001 (Phishing: Spearphishing Attachment), T1486 (Data Encrypted for Impact), T1562.001 (Impair Defenses) <h3>5. ICS/OT: Siemens SICAM and Yokogawa CENTUM Advisories</h3> Siemens SICAM A8000 — Multiple vulnerabilities enabling denial of service in the SICAM 8 product family, used for power grid protection and automation. State agencies coordinating with utilities or operating their own power distribution should assess exposure. Yokogawa CENTUM VP — A vulnerability allowing an attacker to log in as the PROG user and modify system permissions. CENTUM VP is a distributed control system used in water treatment, chemical processing, and industrial facilities. State water and wastewater authorities running Yokogawa systems face a direct risk of unauthorized control manipulation. These advisories arrive alongside a broader trend: three ICS advisories in a single day (including Hitachi Energy Ellipse and Anritsu), suggesting vendors are accelerating vulnerability disclosure. State OT environments cannot treat these as routine IT patch items. ATT&CK (ICS) techniques: T0831 (Manipulation of Control), T0836 (Modify Parameter), T1078 (Valid Accounts) <h3>6. Persistent Nation-State Threats</h3> The following nation-state actors remain active from prior cycles and continue to pose risk to state government networks: <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Activity </th> <th> Status </th> </tr> </thead> <tbody> <tr> <td> COLDRIVER (TA446) </td> <td> Russian FSB </td> <td> GHOSTBLADE data stealer via DarkSword iOS zero-click exploit; targeting government </td> <td> Active-Critical </td> </tr> <tr> <td> Handala / Void Manticore </td> <td> IRGC (Iran) </td> <td> Claimed FBI Director email breach; retaliatory operations following DOJ infrastructure seizure </td> <td> Active-Critical </td> </tr> <tr> <td> MuddyWater </td> <td> MOIS (Iran) </td> <td> Credential harvesting campaigns against government and critical infrastructure </td> <td> Active </td> </tr> <tr> <td> Kimsuky </td> <td> DPRK </td> <td> ConnectWise/PowerShell campaign targeting government; currently quiet but not downgraded </td> <td> Monitoring </td> </tr> <tr> <td> APT27 </td> <td> China </td> <td> Refreshed IOCs in intelligence feeds; Emotet/Carbanak tooling overlap </td> <td> Active </td> </tr> </tbody> </table> Notable absence: No new Volt Typhoon or Salt Typhoon (China) activity was detected this cycle. Given the current geopolitical environment and these groups’ documented focus on pre-positioning within U.S. critical infrastructure, this silence should not be interpreted as inactivity. It may indicate operational security improvements or a shift to infrastructure not covered by current collection. <h2>Predictive Analysis                        </h2> Based on current threat trajectories, targeting patterns, and the pace of exploitation: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> React2Shell automated scanning hits state government web infrastructure </td> <td> >70% (HIGH) </td> <td> 0–7 days </td> <td> Campaign is automated, indiscriminate, and already at 766 victims in 24 hours. Any internet-facing Next.js app on React 19.x will be found. </td> </tr> <tr> <td> DragonForce or Qilin posts a state/local government victim </td> <td> 50–70% (MODERATE-HIGH) </td> <td> 7–14 days </td> <td> DragonForce added 3 victims in the past week; government is an explicit target sector; 191 US victims demonstrates sustained US focus. </td> </tr> <tr> <td> ClickFix-based credential theft campaign targets state employees </td> <td> 50–70% (MODERATE-HIGH) </td> <td> 7–14 days </td> <td> Venom Stealer’s turnkey templates lower the barrier; ClickFix has been adopted by multiple actor groups including nation-states. </td> </tr> <tr> <td> Iran-linked cyber retaliation escalates against U.S. government targets </td> <td> 50–70% (MODERATE) </td> <td> 7–30 days </td> <td> Handala/Void Manticore remain active post-DOJ seizure; Iran conflict cyber campaign updated April 2; historical pattern shows retaliatory operations within 30 days of infrastructure takedowns. </td> </tr> <tr> <td> Phorpiex delivers LockBit Black to state employee endpoints via mass spam </td> <td> 30–50% (LOW-MODERATE) </td> <td> 7–14 days </td> <td> Phorpiex campaigns target millions of addresses; state government emails are publicly available; domain-aware delivery specifically targets enterprise/government environments. </td> </tr> <tr> <td> Exploitation of Siemens SICAM or Yokogawa CENTUM in state OT environments </td> <td> 20–30% (LOW) </td> <td> 30–90 days </td> <td> Advisories are fresh; no known exploitation in the wild yet; however, Iran OT pre-positioning activity remains active-critical. </td> </tr> </tbody> </table> <h2>SOC Operational Guidance              </h2> <h3>Priority Detections to Deploy Now</h3> <ol> <li> React2Shell Exploitation (CVE-2025-55182) - Hunt hypothesis: Adversaries are scanning for and exploiting Next.js applications using React Server Components 19.x to harvest credentials from server-side environment variables and configuration files. - Detection: Monitor WAF/reverse proxy logs for anomalous POST requests to React Server Component endpoints, particularly requests containing serialized payloads targeting __next internal routes. Alert on any outbound connections from web servers to unknown external IPs carrying JSON payloads containing strings matching AWS key patterns (AKIA*), SSH key headers (-----BEGIN), or Kubernetes token formats. - ATT&CK: T1190, T1552.001, T1041 - Action: If Next.js is deployed, conduct immediate version audit. If React Server Components 19.0.0–19.2.0 are in use, patch to 19.2.1+ or implement WAF rules to block exploitation patterns within 48 hours.</li> <li> DragonForce Ransomware Indicators - Hunt hypothesis: DragonForce operators have gained initial access and are conducting Active Directory reconnaissance using PingCastle and credential dumping using Mimikatz prior to ransomware deployment. - Detection: Alert on execution of PingCastle.exe, Advanced_IP_Scanner*.exe, or netscan.exe on any endpoint. Monitor for lsass.exe memory access by non-system processes (T1003). Detect attempts to disable or uninstall EDR agents (T1562.001) — specifically, monitor for sc stop, sc delete, or taskkill commands targeting security service names. - IOC blocking: Block IP 45.135.232[.]195 at perimeter firewall. Add all DragonForce MD5 hashes (listed in IOC table below) to EDR blocklist. Monitor for connections to z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion via Tor exit node detection. - ATT&CK: T1486, T1562.001, T1003, T1083</li> <li> ClickFix / Venom Stealer Execution Chain - Hunt hypothesis: Users are being tricked into executing PowerShell commands via fake CAPTCHA or update pages, leading to Venom Stealer installation and persistent credential exfiltration. - Detection: Monitor for PowerShell execution initiated from browser processes (chrome.exe → powershell.exe or cmd.exe → powershell.exe). Alert on CMSTPLUA COM object instantiation outside of legitimate software installation contexts (T1548.002). Detect clipboard-to-PowerShell execution patterns: powershell.exe launched within 10 seconds of browser focus change. - ATT&CK: T1204.001, T1059.001, T1548.002, T1555.003</li> <li> Phorpiex/LockBit Black Email Delivery - Hunt hypothesis: Mass spam campaigns are delivering ZIP archives containing executables that check for domain membership before deploying LockBit Black ransomware. - Detection: Email gateway rules should quarantine inbound messages with ZIP attachments containing PE executables, particularly those using COVID-19, invoice, or shipping lure themes. Monitor for newly executed processes that query USERDOMAIN or LOGONSERVER environment variables immediately after execution from a user’s Downloads or Temp directory. - ATT&CK: T1566.001, T1486, T1082 (System Information Discovery)</li> <li> Malicious Chrome Extension Data Exfiltration - Hunt hypothesis: Unauthorized Chrome extensions are exfiltrating sensitive data (including AI conversation logs) to external services via Discord webhooks or GitHub-hosted configuration. - Detection: Audit Chrome extension installations across managed endpoints. Alert on any extension communicating with Discord webhook URLs (discord.com/api/webhooks/*) or fetching configuration from GitHub raw content URLs. Specifically block the “ChatGPT Ad Blocker” extension (developer: krittinkalra). - ATT&CK: T1176 (Browser Extensions), T1041 (Exfiltration Over C2 Channel)</li> <li> Nation-State Mobile Exploitation (COLDRIVER/GHOSTBLADE) - Hunt hypothesis: Russian intelligence-linked actors are deploying zero-click iOS exploits via watering-hole sites to install data-stealing implants on government officials’ mobile devices. - Detection: Monitor MDM/Ivanti EPMM for iOS devices exhibiting anomalous network connections, unexpected profile installations, or jailbreak indicators. Review web proxy logs for state-managed devices connecting to newly registered domains or domains with suspicious TLS certificates. - ATT&CK: T1189 (Drive-by Compromise), T1437 (Application Layer Protocol — Mobile)</li> </ol> <h3>Hunting Priorities This Week</h3> <table> <thead> <tr> <th> Priority </th> <th> Hypothesis </th> <th> Data Source </th> <th> ATT&CK </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> React Server Component exploitation attempts against state web apps </td> <td> WAF logs, web server access logs </td> <td> T1190 </td> </tr> <tr> <td> 2 </td> <td> PowerShell execution from browser parent processes (ClickFix pattern) </td> <td> EDR telemetry, Sysmon Event ID 1 </td> <td> T1059.001, T1204.001 </td> </tr> <tr> <td> 3 </td> <td> EDR/AV tampering via service stop/delete commands </td> <td> EDR telemetry, Windows Event 7045 </td> <td> T1562.001 </td> </tr> <tr> <td> 4 </td> <td> Mimikatz/LSASS credential dumping </td> <td> EDR telemetry, Sysmon Event ID 10 </td> <td> T1003 </td> </tr> <tr> <td> 5 </td> <td> Unauthorized Chrome extensions with external C2 </td> <td> Chrome enterprise reporting, proxy logs </td> <td> T1176 </td> </tr> </tbody> </table> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services (State Treasury, Revenue, Pension Systems)</h3> State financial agencies process tax payments, manage pension funds, and handle inter-agency fiscal transfers — making them prime targets for both ransomware (data encryption for extortion) and credential theft (fraudulent wire transfers). <ul> <li>Immediate: Audit all web-facing financial portals (tax filing, payment processing) for React Server Components vulnerability (CVE-2025-55182). Financial portals handling PII and payment data are the highest-value targets for credential harvesting.</li> <li>7-Day: Review MFA enforcement on all treasury and pension fund management systems. Venom Stealer’s ability to steal web session cookies (T1539) means MFA alone is insufficient — implement session token binding and anomalous session detection.</li> <li>30-Day: Conduct tabletop exercise simulating a DragonForce ransomware attack against the state’s financial management system. Test whether backup restoration can meet the Recovery Time Objective for payroll and vendor payment processing.</li> </ul> <h3>Energy (State Energy Office, Utility Coordination, Grid Operations)</h3> State energy offices coordinate with utilities, manage grid resilience programs, and in some cases operate generation or distribution assets. The Siemens SICAM advisory directly affects power grid protection systems. <ul> <li>Immediate: Inventory all Siemens SICAM A8000 deployments in state-managed or state-coordinated energy infrastructure. Determine firmware versions and assess exposure to the denial-of-service vulnerabilities disclosed April 2.</li> <li>7-Day: Verify network segmentation between IT and OT environments at state-operated energy facilities. Iran-linked OT pre-positioning activity (Handala/Void Manticore) remains active-critical — ensure OT networks are not reachable from compromised IT endpoints.</li> <li>30-Day: Establish or update mutual aid agreements with neighboring states for energy grid cyber incident response. The combination of ICS vulnerabilities and active nation-state OT targeting warrants cross-state coordination.</li> </ul> <h3>Healthcare (State Health Department, Medicaid Systems, Public Health Labs)</h3> State health agencies manage Medicaid enrollment, public health surveillance, and laboratory information systems containing highly sensitive PII and PHI. DragonForce explicitly lists healthcare as a target sector. <ul> <li>Immediate: Verify that Medicaid enrollment portals and public health reporting systems are not running vulnerable React Server Components versions. These systems process Social Security numbers, medical records, and financial data.</li> <li>7-Day: Deploy email gateway rules to quarantine Phorpiex-pattern spam (ZIP > EXE attachments with COVID-19/health lure themes) targeting health department email addresses, which are widely published for public health reporting purposes.</li> <li>30-Day: Review data backup and recovery procedures for Medicaid claims processing systems. A ransomware attack disrupting Medicaid processing would affect the state’s most vulnerable residents and trigger federal compliance scrutiny.</li> </ul> <h3>Government (Central IT, Secretary of State, Courts, Law Enforcement)</h3> Central IT organizations, election infrastructure, court systems, and law enforcement agencies are the backbone of state operations and the most visible targets for both ransomware operators and nation-state actors. <ul> <li>Immediate: Block DragonForce IOCs (IP, hashes, Tor address) across all state network perimeters and endpoint protection platforms. DragonForce’s posting of a government contracts law firm today signals active interest in the government supply chain.</li> <li>Immediate: Push Chrome browser policy to block the malicious “ChatGPT Ad Blocker” extension statewide. State employees using AI tools for policy drafting or legal research could be exposing sensitive deliberations.</li> <li>7-Day: Brief all agency IT liaisons on the ClickFix social engineering technique. Provide specific examples of the four Venom Stealer lure templates (fake CAPTCHA, fake OS update, fake SSL error, fake font install) so help desk staff can recognize and report incidents.</li> <li>30-Day: Audit browser extension policies across all agencies. Enforce an allowlist-only model for Chrome and Edge extensions to prevent installation of unauthorized extensions that exfiltrate data.</li> </ul> <h3>Aviation / Logistics (State DOT, Airport Authorities, Port Operations)</h3> State departments of transportation, airport authorities, and port operations manage physical infrastructure with increasing digital dependencies — from traffic management systems to cargo logistics platforms. <ul> <li>Immediate: Assess whether any transportation management or logistics platforms use Next.js with React Server Components. Modern fleet tracking, cargo management, and citizen-facing transit apps increasingly use React-based frameworks.</li> <li>7-Day: Review Yokogawa CENTUM VP deployments in any state-managed port or industrial facility. The PROG user authentication bypass could allow unauthorized modification of process control parameters.</li> <li>30-Day: Evaluate the cybersecurity posture of third-party logistics and managed service providers with VPN or remote access to state DOT systems. Supply chain compromise via MSP tools (ConnectWise, BeyondTrust) remains a persistent threat vector — BeyondTrust CVE-2026-1731 (CVSS 9.8) was disclosed this cycle.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>🔴 IMMEDIATE (Within 24–48 Hours)</h3> <table> <thead> <tr> <th> Action </th> <th> Responsible Team </th> <th> Threat Reference </th> </tr> </thead> <tbody> <tr> <td> Emergency audit of all Next.js deployments on citizen-facing portals for React Server Components versions 19.0.0–19.2.0. Patch to 19.2.1+ or deploy WAF mitigation rules for CVE-2025-55182. </td> <td> Application Development / Web Operations </td> <td> React2Shell (CVE-2025-55182) </td> </tr> <tr> <td> Push Chrome browser policy to block the “ChatGPT Ad Blocker” extension (developer: krittinkalra) across all managed endpoints. Audit Chrome extension inventory for unauthorized AI-related extensions. </td> <td> Endpoint Management / SOC </td> <td> Malicious Chrome Extension </td> </tr> <tr> <td> Restrict PowerShell execution for standard user accounts to Constrained Language Mode. Alert on PowerShell execution initiated from browser parent processes. </td> <td> Endpoint Management / SOC </td> <td> Venom Stealer / ClickFix </td> </tr> <tr> <td> Verify Cisco IMC patch status for CVE-2026-20093 (CVSS 9.8). If no patch is available, restrict IMC management interface access to dedicated management VLANs only — no internet exposure. </td> <td> Network Operations </td> <td> Cisco IMC RCE </td> </tr> </tbody> </table> <h3>🟠 7-DAY</h3> <table> <thead> <tr> <th> Action </th> <th> Responsible Team </th> <th> Threat Reference </th> </tr> </thead> <tbody> <tr> <td> Verify Siemens SICAM A8000 firmware versions in water/wastewater SCADA environments and apply vendor patches per CISA advisory ICSA-26-092-01. </td> <td> OT/ICS Security / Facilities </td> <td> Siemens SICAM Advisory </td> </tr> <tr> <td> Verify Yokogawa CENTUM VP PROG account permissions per CISA advisory ICSA-26-092-02. Reset PROG credentials and restrict access to authorized engineering workstations only. </td> <td> OT/ICS Security </td> <td> Yokogawa CENTUM Advisory </td> </tr> <tr> <td> Deploy email gateway rules to quarantine attachments matching Phorpiex spam patterns (ZIP containing EXE, COVID/invoice/shipping lure subjects). Add Phorpiex P2P network indicators to NDR watchlist. </td> <td> Email Security / SOC </td> <td> Phorpiex / LockBit Black </td> </tr> <tr> <td> Brief help desk and agency IT liaisons on ClickFix social engineering — provide visual examples of the four Venom Stealer lure templates. Update phishing reporting procedures to include “paste this command” scenarios. </td> <td> Security Awareness / Help Desk </td> <td> Venom Stealer / ClickFix </td> </tr> <tr> <td> Review BeyondTrust Privileged Remote Access deployment for CVE-2026-1731 (CVSS 9.8). Apply vendor patch from BeyondTrust Trust Center advisory BT26-02. </td> <td> IT Operations / Vendor Management </td> <td> BeyondTrust RCE </td> </tr> <tr> <td> Document Exchange Online service disruptions for Microsoft support escalation under incident EX1268771. Assess impact on agency operations and SLA compliance. </td> <td> Cloud Operations </td> <td> Exchange Online Disruption </td> </tr> </tbody> </table> <h3>🔵 30-DAY</h3> <table> <thead> <tr> <th> Action </th> <th> Responsible Team </th> <th> Threat Reference </th> </tr> </thead> <tbody> <tr> <td> Commission audit of browser extension policies across all state agencies. Enforce allowlist-only model for Chrome and Edge to prevent unauthorized extension installation. </td> <td> CISO Office / Endpoint Management </td> <td> Malicious Extensions / Venom Stealer </td> </tr> <tr> <td> Establish a web application vulnerability management program covering citizen-facing portals. React2Shell demonstrates that web application layer exploitation is now as automated and fast as network edge scanning — the state needs continuous web app scanning, not just annual penetration tests. </td> <td> Application Security / CISO Office </td> <td> React2Shell (CVE-2025-55182) </td> </tr> <tr> <td> Conduct ransomware tabletop exercise simulating a DragonForce attack against a high-value state system (Medicaid, payroll, or tax processing). Test backup restoration timelines, communication plans, and decision authority for ransom payment. </td> <td> CISO Office / Agency Leadership </td> <td> DragonForce / Qilin / Phorpiex </td> </tr> <tr> <td> Establish dedicated OT patching cadence for state water/wastewater and building management systems. Three ICS advisories in a single day signals accelerating vendor disclosure — OT patching cannot remain ad hoc. </td> <td> OT/ICS Security / Facilities </td> <td> Siemens / Yokogawa / Hitachi Energy </td> </tr> <tr> <td> Review and update incident response plans to address the convergence of nation-state mobile exploitation (COLDRIVER/GHOSTBLADE), credential theft at scale (Venom Stealer), and ransomware. Ensure plans cover scenarios where an adversary holds both endpoint credentials and mobile device access simultaneously. </td> <td> CISO Office / IR Team </td> <td> Multi-vector threat convergence </td> </tr> </tbody> </table> <h2>Bottom Line                                    </h2> The threat environment facing state government networks is defined by speed and convergence. React2Shell demonstrates that a critical web application vulnerability can go from disclosure to 766 compromises in a single day — faster than most organizations can schedule a change window. DragonForce and Phorpiex/LockBit Black are actively targeting the government sector through complementary channels: targeted intrusion and mass spam delivery. Venom Stealer has commoditized a social engineering technique that bypasses every technical control by making the user the execution mechanism. And ICS advisories for systems in state water infrastructure arrive against a backdrop of active Iranian OT pre-positioning. The common thread across every threat in this report is that the window between disclosure and exploitation has collapsed. The organizations that will avoid becoming the next victim posting on a ransomware leak site are the ones that treat “immediate” as a 24-hour SLA, not a calendar placeholder. Audit your Next.js deployments today. Block the DragonForce IOCs today. Push the Chrome extension policy today. Brief your help desk on ClickFix today. The scanning is already underway.

FEATURED RESOURCES

April 3, 2026

Anomali Cyber Watch

Iran’s IRGC Names Western Tech Giants as “Legitimate Targets”: What CISOs Must Do Now

April 3, 2026

Public Sector

Anomali Cyber Watch

When 766 Systems Fall in 24 Hours: The Threats Bearing Down on State Government Networks

April 2, 2026

Anomali Cyber Watch

The Iran Cyber Threat Machine Isn’t Slowing Down — Here’s What CISOs Need to Know Now

Explore All