SECURITYINTEL DAILY BRIEF
ThreatIntel Brief, Thursday, July 02, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Active Exploitation of Kemp LoadMaster and Oracle EBS | CRITICAL

5 C2 IPs | 95 OTX IOCs | 38 ARTICLES

■ ANALYST TLDR
Today's threat landscape is dominated by active exploitation of critical infrastructure flaws and widespread credential-harvesting campaigns. Key developments include active exploitation of Progress Kemp LoadMaster and Oracle E-Business Suite vulnerabilities, alongside a password-spraying campaign of more than 81 million login attempts targeting Microsoft 365 and Azure CLI. Adobe, Google, Apple, and Citrix also released major security updates addressing critical remote code execution and information disclosure vulnerabilities.

■ CRITICAL STORIES
Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation
  Threat actors are actively attempting to exploit a critical pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster, putting enterprise load balancers at immediate risk.
Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic
  Adobe released urgent patches fixing seven maximum-severity (CVSS 10.0) vulnerabilities in ColdFusion and Campaign Classic that allow unauthenticated arbitrary code execution and privilege escalation.
FortiBleed Credential-Theft Campaign Linked to Lynx Ransomware
  Stolen Fortinet credentials from the massive FortiBleed campaign are being funneled to ransomware operations like INC and Lynx, indicating imminent network intrusions across targeted sectors.
Massive Password Spray Campaign Targeting Azure CLI and M365
  An aggressive password-spraying campaign originating from hosting provider LSHIY generated over 81 million login attempts targeting Microsoft 365 and Azure CLI environments.

■ CVEs IDENTIFIED
| CVE | PRODUCT | ISSUE |
| [CVE-TBD] | Progress Kemp LoadMaster | Pre-Authentication Remote Code Execution |
| [CVE-TBD] | Adobe ColdFusion | Arbitrary Code Execution and Privilege Escalation |
| [CVE-TBD] | Adobe Campaign Classic | Arbitrary Code Execution and Privilege Escalation |
| [CVE-TBD] | Citrix NetScaler | HTTP/2 Bomb Denial of Service and Information Disclosure |

■ THREAT ACTORS
| ACTOR | TYPE | NOTE |
| Not captured in this extract (the FortiBleed story above names INC and Lynx) | Ransomware Operation | Linked to FortiBleed credential theft for future network intrusions. |
| Scattered Spider | Cybercrime Group | Member Peter Stokes extradited to the US for computer intrusion and fraud. |

■ ATT&CK TTPs
| TECHNIQUE | NAME | CONTEXT |
| T1110.003 | Password Spraying | Used in the 81 million login attempt campaign targeting M365 and Azure CLI. |
| T1566.001 | Spearphishing Attachment | Ousaban banking trojan using fake corrupted PDF lures. |
| T1189 | Drive-by Compromise | SEO-poisoned software installer sites delivering ScreenConnect and AsyncRAT. |
| T1204.002 | User Execution: Malicious File | Researchers targeted with weaponized PoC exploits on GitHub delivering ChocoPoC RAT. |
| T1102 | Web Service | VEIL#DROP campaign abusing the Blogger platform to host and deliver PureLogs Stealer. |
| T1133 | External Remote Services | Stolen Fortinet credentials from the FortiBleed campaign used for network intrusion. |

■ PATCH PRIORITY
| PRODUCT | ISSUE | SOURCE |
| Adobe ColdFusion | 7 CVSS 10.0 vulnerabilities allowing RCE and privilege escalation | [THN] |
| Progress Kemp LoadMaster | Pre-auth RCE under active exploitation | [THN] |
| Google Chrome | 382 vulnerabilities resolved, including 15 critical flaws | [MWB] |
| Citrix NetScaler | HTTP/2 Bomb and critical information disclosure vulnerabilities | [SW] |

■ RECOMMENDED ACTIONS TODAY
| # | PRIORITY | ACTION |
| 1 | P1 | Immediately patch Progress Kemp LoadMaster to block active exploitation attempts targeting the pre-auth RCE vulnerability [CVE-TBD]. |
| 2 | P1 | Apply urgent security patches for Adobe ColdFusion and Campaign Classic to remediate the 7 CVSS 10.0 RCE flaws. |
| 3 | P1 | Update Google Chrome to the latest version to patch 382 vulnerabilities, including 15 critical flaws. |
| 4 | P1 | Apply Citrix NetScaler patches to mitigate the HTTP/2 Bomb and information disclosure vulnerabilities. |
| 5 | P2 | Audit and restrict access to the Argo CD Repo-Server internal network port to prevent unauthenticated RCE exploitation. |

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |

FULL IOC EXPORT (GOOGLE SHEET): All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily. Export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB