Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts (This Week)

1/autojack-attack-l1. FortiBleed Mass Credential Campaign — INC Ransom & Lynx RaaS (Global, Including Gulf Region)

The FortiBleed campaign — a large-scale credential-harvesting operation targeting internet-facing Fortinet FortiGate SSL-VPN management interfaces — has been formally attributed this week to threat actors with dual access to INC Ransom and Lynx RaaS negotiation infrastructure. Researchers at SOCRadar and Bitsight confirmed over 86,000 FortiGate devices across 194 countries have verified working credentials in the dataset, with at least 12 confirmed ransomware deployments; a parallel Golang-based traffic sniffer was also found installed on thousands of FortiGate devices, mapping to MITRE ATT&CK T1557 (Adversary-in-the-Middle). UAE and Gulf energy and government sector organizations with internet-exposed FortiGate management interfaces should treat their environments as potentially compromised until credentials are fully rotated and MFA is enforced.cyberinfos
Source: SOCRadar / CyberInfos — https://www.cyberinfos.in/cybersecurity-weekly-report-june-29-july-5-2026/


2. ToddyCat APT — Umbrij “Shadow Token via Remote Debug” (STRD) Gmail OAuth Attack

Kaspersky disclosed this week that the ToddyCat APT group has deployed a new malware tool called Umbrij that steals Gmail OAuth access tokens by exploiting Chromium-based browsers’ remote debugging ports — without requiring any password theft, MFA bypass, or OAuth consent phishing. The technique, named Shadow Token via Remote Debug (STRD), launches Chrome or Edge in headless mode, connects to an authenticated Gmail session via the debug port, and silently mints OAuth tokens granting full access to Gmail, Drive, Contacts, Calendar, and Tasks via Google APIs. ToddyCat, assessed as a China-nexus APT active since at least 2020, has historically targeted government and military entities across Southeast Asia, Central Asia, and Europe.thehackernews+2
Source: The Hacker News — https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html


3. Anubis RaaS — Exploiting Citrix Bleed 2 (CVE-2025-5777) with BYOVD Lateral Movement

The Anubis ransomware-as-a-service operation was confirmed this week to be exploiting the Citrix Bleed 2 vulnerability (CVE-2025-5777) for initial access, then using living-off-the-land techniques with legitimate RMM tools — ScreenConnect, Zoho Assist, and UltraVNC — for lateral movement. Bring-your-own-vulnerable-driver (BYOVD) techniques are being employed to blind fully patched and mitigated endpoints, while Anubis remains active on dark-web leak sites posting new victims throughout the June 29–July 5 reporting period. Anubis is among the most active data-leak-site operators this week alongside INC Ransom, Bashe, and WorldLeaks.commonwealthsentinel+1
Source: The Hacker News — https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html


4. Iran-Linked Hacktivist and APT Surge — UAE Among Top Targets (DieNet, 313 Team, Handala)

Across the reporting period, Iran-linked hacktivist and APT groups including DieNet, 313 Team (Cyber Islamic Resistance), and Handala continued coordinated operations against UAE government portals, financial institutions, aviation systems, and law enforcement-linked platforms. UAE cybersecurity chief Mohamed Al Kuwaiti previously disclosed that cyberattacks on UAE digital infrastructure tripled from 200,000 to 600,000 since the start of regional conflict, with automation and AI accelerating both the speed and scope of attacks. As of May 2026, UAE authorities were recording between 500,000 and 700,000 cyberattack attempts daily, with a reported 340% increase in AI-driven breaches in the six months preceding that period.thenationalnews+2
Source: The National — https://www.thenationalnews.com/future/technology/2026/04/10/iranian-cyber-attacks-move-from-disruptive-to-complex-threats-in-gulf/


5. New “Avalon” Modular Malware Framework with AI-Assisted EDR Evasion and CrownX Ransomware

Researchers disclosed a previously undocumented modular malware framework named Avalon that integrates credential harvesting, lateral movement, remote access, backup disruption, and ransomware deployment (internally named CrownX) into a single unified toolkit. Delivery leverages spoofed legal-document phishing lures pointing to password-protected Proton Drive archives with ISO-packaged payloads to evade email-layer detection; the framework shows signs of AI-assisted development with specific evasion routines built against Defender, SentinelOne, and CrowdStrike. The framework reportedly remained on VirusTotal with zero detections for months before researchers flagged it.cyberinfos+1
Source: The Hacker News — https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html


6. EKZ Stealer — Deployed via CVE-2026-35616 Fortinet FortiClient EMS in Energy Sector

eSentire observed active exploitation of CVE-2026-35616, a critical flaw in Fortinet FortiClient Enterprise Management Server (CVSS 9.1), this week, resulting in deployment of the EKZ Stealer information-stealing malware against an energy-sector customer. The malware targets saved credentials from Chromium-based browsers and Firefox, then exfiltrates the data via PowerShell, mapping to MITRE ATT&CK T1555.003 (Credentials from Web Browsers) and T1059.001 (PowerShell execution). For UAE energy and utilities operators, credential theft from management endpoints represents a direct path toward operational technology exposure.cyberinfos
Source: CyberInfos / eSentire — https://www.cyberinfos.in/cybersecurity-weekly-report-june-29-july-5-2026/


7. Fake Interpol Ransomware Campaign Targeting SMBs Across Middle East, US, Europe, Asia

Bitdefender’s Antispam Lab flagged an active campaign impersonating Interpol’s cybercrime unit, delivering a custom ransomware payload via phishing emails instructing recipients to download “evidence” related to a fabricated law enforcement investigation. Unlike major RaaS operations, this campaign skips dark-web negotiation portals entirely — victims are directed to negotiate ransoms via Tox messaging with amounts set individually, reflecting a low-cost, high-volume model targeting SMBs across pharmaceuticals, food, legal services, media, and technology sectors globally. CrowdStrike research cited in conjunction indicates 29% of companies with fewer than 25 employees have already been hit by ransomware, with many still believing they are “too small to target”.cyberinfos
Source: CyberInfos — https://www.cyberinfos.in/cybersecurity-weekly-report-june-29-july-5-2026/


8. TaskWeaver Loader Deployed via SimpleHelp CVSS 10.0 Authentication Bypass (CVE-2026-48558)

Following CISA’s addition of CVE-2026-48558 to its KEV catalog on June 29, threat actors have been observed deploying the TaskWeaver loader immediately after exploitation of the SimpleHelp RMM authentication bypass, which allows unauthenticated attackers to forge OIDC tokens and obtain fully authenticated technician sessions — bypassing MFA in some configurations. Arctic Wolf and Horizon3.ai confirmed active exploitation across managed endpoints; with approximately 14,000 SimpleHelp servers internet-facing and roughly 1,000 directly vulnerable, MSP supply-chain compromise is the primary risk surface. One exploited SimpleHelp instance can cascade access to every downstream customer network the MSP manages.hivepro+1
Source: Hive Pro / CISA KEV — https://hivepro.com/threat-digests/cisa-known-exploited-vulnerability-catalog-june-2026


9. Salt Typhoon (China-Nexus) Continued Telecom and Edge Device Targeting in Gulf Region

EclecticIQ and Chambers & Partners researchers confirm that Salt Typhoon, a China-linked APT, continues to prioritize telecommunications infrastructure and edge devices across the Middle East and Gulf as primary targets — leveraging living-off-the-land techniques and zero-day exploitation to minimize detection. Network appliances and VPN infrastructure lacking EDR remain the primary initial-access vector, with pre-positioning assessed as persistent and disruption capability likely reserved for direct conflict contingencies. UAE telecom operators and Gulf financial services firms are specifically highlighted as priority targets in current intelligence assessments.eclecticiq+1
Source: EclecticIQ Blog — https://blog.eclecticiq.com/the-escalating-cyber-risk-landscape-in-regional-conflicts-strategic-actions-for-2026


10. Salesforce Klue App OAuth Token Abuse — Supply Chain Exposure Across Multiple SaaS Platforms

Salesforce disabled its Klue app integration this week after OAuth token abuse was discovered exposing customer data across multiple downstream companies, including previously reported exposure at HackerOne and LastPass tied to the same supply chain incident. The incident highlights how OAuth token abuse within interconnected SaaS platforms creates cascading supply-chain exposure that can affect security-critical vendors — a risk vector that directly impacts organizations relying on integrated SaaS ecosystems common in UAE enterprise deployments. Token scope auditing and third-party app OAuth access reviews are recommended as immediate defensive actions.cyberinfos
Source: CyberInfos — https://www.cyberinfos.in/cybersecurity-weekly-report-june-29-july-5-2026/ets-one-web-page.html