Weekly review

ThreatNoir Afternoon Brief — July 2

2026-07-02Afternoon4 articles
Audio
Listen to the episode

Afternoon Review in IT Security — July 2, 2026

The cybersecurity landscape continues to evolve with active exploitation campaigns, emerging AI-driven threats, and significant law enforcement actions. Today's briefing covers critical vulnerabilities under active attack, the first documented agentic ransomware operation, an international extradition case, and a coordinated credential theft campaign linked to major ransomware groups.

CISA: Microsoft SharePoint RCE flaw now actively exploited

The Cybersecurity and Infrastructure Security Agency has issued a warning regarding active exploitation of a high-severity remote code execution vulnerability in Microsoft SharePoint. The vulnerability, tracked as CVE-2026-45659, was patched by Microsoft in May 2026 but attackers have now begun leveraging it in the wild. Source: CISA: Microsoft SharePoint RCE flaw now actively exploited

Organizations running affected SharePoint instances should prioritize patching immediately to prevent unauthorized code execution and potential system compromise. The active exploitation status elevates the urgency for remediation across enterprise environments.

Sysdig Details JADEPUFFER, the First Documented Agentic Ransomware Operation

Security researchers at Sysdig have documented JADEPUFFER, marking the first known ransomware operation powered by a large language model agent. The threat actor exploited a critical flaw in Langflow (CVE-2025-3248) to abuse an LLM agent, which subsequently stole credentials, gained access to production MySQL databases, and destroyed Nacos configuration data within minutes. The campaign also leveraged CVE-2021-29441 and involved the IP address 64.20.53.230. Source: Sysdig Details JADEPUFFER, the First Documented Agentic Ransomware Operation

This operation represents a significant shift in ransomware tactics, demonstrating how artificial intelligence can accelerate attack chains and increase the speed of lateral movement and data destruction. The rapid compromise timeline underscores the need for organizations to secure AI-powered applications and implement robust access controls on critical infrastructure.

Alleged Scattered Spider hacker extradited to the United States

A dual United States and Estonian citizen has been extradited to the United States to face charges related to membership in the Scattered Spider hacking collective. The extradition represents a major law enforcement success in pursuing members of the sophisticated threat group known for social engineering and credential compromise attacks. Source: Alleged Scattered Spider hacker extradited to the United States

Scattered Spider has been linked to the DragonForce malware and has historically employed techniques including valid account abuse (MITRE ATT&CK T1078) and Office application startup techniques (MITRE ATT&CK T1137). The extradition signals increased international cooperation in combating organized cybercriminal activity and may lead to further disruption of the group's operations.

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

The FortiBleed campaign, a financially-motivated credential theft operation targeting FortiGate firewalls, has been directly attributed to the INC and Lynx ransomware operations. Analysis revealed that an operator managing FortiBleed's infrastructure was actively working negotiation panels for both ransomware groups, establishing a clear connection between mass credential theft and ransomware deployment. The campaign exploits CVE-2026-35616 in FortiGate devices. Source: FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

This attribution demonstrates how credential theft operations serve as initial access vectors for ransomware campaigns, with stolen FortiGate credentials enabling attackers to establish persistence and move laterally within victim networks. Organizations operating FortiGate appliances should apply patches for CVE-2026-35616 and implement credential rotation protocols immediately.

As threats continue to evolve from traditional malware to AI-augmented attacks and coordinated ransomware operations, security teams must maintain vigilance across patching schedules, credential management, and emerging attack methodologies. The convergence of active exploits, agentic AI threats, and international law enforcement actions underscores both the severity of the current threat environment and the growing global response to cybercriminal activity.

Sources & IOCs

Source articles and extracted indicators (defanged where appropriate).