Daily Security Intel

July 2, 2026

[SecurityIntel] 02 Jul | Active Exploitation of Kemp LoadMaster and Oracle EBS

SECURITYINTEL DAILY BRIEF

■ ThreatIntel Brief

Thursday, July 02, 2026

INTEL CONFIDENCE: 100%  ·  THREAT LEVEL: CRITICAL

THREAT OF THE DAY: Active Exploitation of Kemp LoadMaster and Oracle EBS (CRITICAL)

5 C2 IPs  ·  95 OTX IOCs  ·  38 articles

■ ANALYST TLDR

Today's threat landscape is dominated by active exploitation of critical flaws in edge and enterprise infrastructure and by widespread credential-harvesting campaigns. Key developments include active exploitation of Progress Kemp LoadMaster and Oracle E-Business Suite vulnerabilities, alongside a massive 81-million-attempt password-spraying campaign targeting Microsoft 365 and Azure CLI. Additionally, Adobe, Google, Apple, and Citrix released major security updates addressing critical remote code execution and information disclosure vulnerabilities.

■ CRITICAL STORIES

CRITICAL #1 · Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation

Threat actors are actively attempting to exploit a critical pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster, putting enterprise load balancers at immediate risk.

CRITICAL #2 · Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Adobe released urgent patches fixing seven maximum-severity (CVSS 10.0) vulnerabilities in ColdFusion and Campaign Classic that allow unauthenticated arbitrary code execution and privilege escalation.

HIGH #3 · FortiBleed credential-theft campaign linked to Lynx ransomware

Stolen Fortinet credentials from the massive FortiBleed campaign are being funneled to ransomware operations like INC and Lynx, indicating imminent network intrusions across targeted sectors.

HIGH #4 · Massive Password Spray Campaign Targeting Azure CLI and M365

An aggressive password-spraying campaign originating from hosting provider LSHIY generated over 81 million login attempts targeting Microsoft 365 and Azure CLI environments.
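What separates the HIGH #4 spray (T1110.003 in the TTP list below) from ordinary brute force is its shape: one source touches many accounts with only one or two attempts each, staying under per-account lockout thresholds. The detection below is an added example, not code from the newsletter, from Microsoft or from any vendor; it generalizes beyond this campaign to any spray source. The sign-in line format, field names and thresholds are assumptions standing in for real Entra ID / M365 sign-in records, and the log lines are constructed.

```python
"""Password-spray detection over sign-in events (added example).

Not code from the newsletter or from Microsoft. The log format below is a
constructed, simplified stand-in for Entra ID / Microsoft 365 sign-in
records: "<timestamp> <source_ip> <user> <RESULT> <client_app>".
Field names and thresholds are assumptions to tune against real data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class SignIn(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    result: str  # "SUCCESS" or "FAILURE"
    app: str


# Constructed sample: 203.0.113.10 sprays six accounts once each over a few
# minutes and finally lands one; 198.51.100.7 hammers a single account
# (brute force, not a spray); 192.0.2.55 is a user mistyping then succeeding.
SAMPLE_LOG = """\
2026-07-02T08:00:01Z 203.0.113.10 alice@example.com FAILURE AzureCLI
2026-07-02T08:00:31Z 203.0.113.10 bob@example.com FAILURE AzureCLI
2026-07-02T08:01:02Z 203.0.113.10 carol@example.com FAILURE AzureCLI
2026-07-02T08:01:33Z 203.0.113.10 dave@example.com FAILURE AzureCLI
2026-07-02T08:02:04Z 203.0.113.10 erin@example.com FAILURE AzureCLI
2026-07-02T08:02:35Z 203.0.113.10 frank@example.com FAILURE AzureCLI
2026-07-02T08:03:06Z 203.0.113.10 frank@example.com SUCCESS AzureCLI
2026-07-02T08:00:05Z 198.51.100.7 dave@example.com FAILURE Browser
2026-07-02T08:00:06Z 198.51.100.7 dave@example.com FAILURE Browser
2026-07-02T08:00:07Z 198.51.100.7 dave@example.com FAILURE Browser
2026-07-02T08:00:08Z 198.51.100.7 dave@example.com FAILURE Browser
2026-07-02T08:00:09Z 198.51.100.7 dave@example.com FAILURE Browser
2026-07-02T08:00:10Z 198.51.100.7 dave@example.com FAILURE Browser
2026-07-02T08:05:00Z 192.0.2.55 alice@example.com FAILURE Browser
2026-07-02T08:05:20Z 192.0.2.55 alice@example.com SUCCESS Browser
"""


def parse_signins(text: str) -> List[SignIn]:
    """Parse the constructed line format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, app = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                             ip, user.lower(), result, app))
    return events


def detect_spray(events: List[SignIn], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, max_per_user: int = 2) -> Dict[str, List[str]]:
    """Map source IP -> sorted targeted accounts for IPs whose failures, inside
    some sliding window, cover >= min_users distinct accounts with no account
    tried more than max_per_user times. That wide-and-shallow shape is the
    spray signature; a deep pile of failures on one account is brute force
    and is deliberately not flagged here (it trips lockout-based alerting)."""
    failures: Dict[str, List[SignIn]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.result == "FAILURE":
            failures[e.src_ip].append(e)
    flagged: Dict[str, List[str]] = {}
    for ip, fails in failures.items():
        best: List[str] = []
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_user = Counter(e.user for e in fails[start:end + 1])
            if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                    and len(per_user) > len(best)):
                best = sorted(per_user)
        if best:
            flagged[ip] = best
    return flagged


def successes_from_sprayers(events: List[SignIn],
                            sprayers: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Accounts that authenticated successfully from a flagged source: treat as
    compromised until credential reset and session revocation are confirmed."""
    return sorted({(e.user, e.src_ip) for e in events
                   if e.result == "SUCCESS" and e.src_ip in sprayers})


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    sprayers = detect_spray(evs)
    for ip, users in sprayers.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    for user, ip in successes_from_sprayers(evs, sprayers):
        print(f"LIKELY COMPROMISED: {user} via {ip}")
```

On the sample, only 203.0.113.10 is flagged (six accounts, one attempt each), and frank@example.com is reported as a likely compromise because a success followed the spray from the same source. In production the source key should be the IP plus the reported client app and, where available, the ASN, so a campaign spread across one hosting provider's ranges is still aggregated; the thresholds here are starting points, not tuned values.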

■ CVEs IDENTIFIED

[CVE-TBD]  Progress Kemp LoadMaster — Pre-Authentication Remote Code Execution  ·  Critical
[CVE-TBD]  Adobe ColdFusion — Arbitrary Code Execution and Privilege Escalation  ·  Critical
[CVE-TBD]  Adobe Campaign Classic — Arbitrary Code Execution and Privilege Escalation  ·  Critical
[CVE-TBD]  Citrix NetScaler — HTTP/2 Bomb Denial of Service and Information Disclosure  ·  Critical

■ THREAT ACTORS

Lynx  ·  Ransomware Group  ·  Linked to FortiBleed credential theft for future network intrusions.
INC  ·  Ransomware Group  ·  Linked to FortiBleed credential theft for future network intrusions.
Scattered Spider  ·  Cybercrime Group  ·  Member Peter Stokes extradited to the US for computer intrusion and fraud.

■ ATT&CK TTPs

T1110.003
Password Spraying | Used in massive 81 million login attempt campaign targeting M365 and Azure CLI.
T1566.001
Spearphishing Attachment | Ousaban banking trojan using fake corrupted PDF lures.
T1189
Drive-by Compromise | SEO-poisoned software installer sites delivering ScreenConnect and AsyncRAT.
T1204.002
User Execution: Malicious File | Researchers targeted with weaponized PoC exploits on GitHub delivering ChocoPoC RAT.
T1102
Web Service | VEIL#DROP campaign abusing the Blogger platform to host and deliver PureLogs Stealer.
T1133
External Remote Services | Stolen Fortinet credentials from FortiBleed campaign used for network intrusion.

■ PATCH PRIORITY

[P1 PATCH NOW, ≤24h]  Adobe ColdFusion — 7 CVSS 10.0 vulnerabilities allowing RCE and privilege escalation — [THN]
[P1 PATCH NOW, ≤24h]  Progress Kemp LoadMaster — Pre-auth RCE under active exploitation — [THN]
[P1 PATCH NOW, ≤24h]  Google Chrome — 382 vulnerabilities resolved, including 15 critical flaws — [MWB]
[P1 PATCH NOW, ≤24h]  Citrix NetScaler — HTTP/2 Bomb and critical information disclosure vulnerabilities — [SW]

■ RECOMMENDED ACTIONS TODAY

1. [P1] Immediately patch Progress Kemp LoadMaster to block active exploitation attempts targeting the pre-auth RCE vulnerability [CVE-TBD].
2. [P1] Apply urgent security patches for Adobe ColdFusion and Campaign Classic to remediate the 7 CVSS 10.0 code-execution and privilege-escalation flaws.
3. [P1] Update Google Chrome to the latest version to patch 382 vulnerabilities, including 15 critical flaws.
4. [P1] Apply Citrix NetScaler patches to mitigate the HTTP/2 Bomb and information disclosure vulnerabilities.
5. [P2] Audit and restrict access to the Argo CD Repo-Server internal network port to prevent unauthenticated RCE exploitation.

■ LIVE IOC FEED

C2 IP BLOCKLIST  ·  AbuseCH Feodo  ·  Showing 5 of 5

IP ADDRESS       PORT  STATUS   MALWARE  COUNTRY
162.243.103.246  8080  OFFLINE  Emotet   US
50.16.16.211     443   ONLINE   QakBot   US
34.204.119.63    443   OFFLINE  QakBot   US
178.62.3.223     443   OFFLINE  QakBot   GB
27.133.154.218   443   OFFLINE  QakBot   JP

FULL IOC EXPORT — GOOGLE SHEET

All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs
Updated daily · Export as CSV to import directly into your tools
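The CSV export is only useful once it is matched against your own telemetry. The script below is an added example, not code from the newsletter or from abuse.ch: it loads a blocklist with the same five columns as the C2 IP table above (the five entries are copied from the brief), matches constructed egress firewall log lines against it, and separates exact ip:port hits from IP-only hits. The firewall log format is an assumption. Note that an OFFLINE status means the C2 was down at the feed's last check, not that an internal host beaconing to it is clean; a hit on an offline C2 is still an infected host.

```python
"""Match egress connection logs against the C2 IP blocklist (added example).

Not code from the newsletter or from abuse.ch. FEED_CSV copies the five
entries shown in the brief into a CSV with the same columns; the firewall
log lines are constructed, and their format
("<timestamp> <src_ip> <dst_ip> <dst_port> <action>") is an assumption.
"""
import csv
from io import StringIO
from typing import Dict, List, Tuple

FEED_CSV = """\
ip,port,status,malware,country
162.243.103.246,8080,OFFLINE,Emotet,US
50.16.16.211,443,ONLINE,QakBot,US
34.204.119.63,443,OFFLINE,QakBot,US
178.62.3.223,443,OFFLINE,QakBot,GB
27.133.154.218,443,OFFLINE,QakBot,JP
"""

# Constructed egress log: two exact C2 hits, one hit on a listed IP but a
# different port, and one benign connection to an unlisted address.
FW_LOG = """\
2026-07-02T09:12:44Z 10.20.1.15 50.16.16.211 443 ALLOW
2026-07-02T09:13:02Z 10.20.1.15 198.51.100.20 443 ALLOW
2026-07-02T09:15:10Z 10.20.3.7 162.243.103.246 8080 ALLOW
2026-07-02T09:16:30Z 10.20.3.9 178.62.3.223 80 ALLOW
"""


def load_blocklist(text: str) -> Dict[str, Tuple[int, str, str]]:
    """Return {ip: (port, status, malware)} from the CSV feed."""
    return {row["ip"]: (int(row["port"]), row["status"], row["malware"])
            for row in csv.DictReader(StringIO(text))}


def match_connections(log_text: str,
                      blocklist: Dict[str, Tuple[int, str, str]]) -> List[dict]:
    """Flag every connection whose destination is a listed C2.

    An exact ip:port match is high confidence. A match on IP alone is still
    reported (medium): operators move ports, and OFFLINE in the feed means
    the C2 was down at last check, not that the beaconing host is clean."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        entry = blocklist.get(dst)
        if entry is None:
            continue
        port, status, malware = entry
        hits.append({
            "ts": ts, "src": src, "dst": dst, "dst_port": int(dport),
            "malware": malware, "c2_status": status, "action": action,
            "confidence": "high" if int(dport) == port else "medium",
        })
    return hits


def hosts_to_triage(hits: List[dict]) -> List[str]:
    """Internal sources that talked to a listed C2: isolate and image these."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    bl = load_blocklist(FEED_CSV)
    found = match_connections(FW_LOG, bl)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dst_port"]} '
              f'{h["malware"]} (c2 {h["c2_status"]}, {h["confidence"]} confidence)')
    print("triage:", hosts_to_triage(found))
```

On the constructed log this yields three hits (QakBot on 443, Emotet on 8080, and an IP-only match on 178.62.3.223 over port 80) and three internal hosts to triage. When wiring this to the daily export, key the match on destination IP so a port change does not silence the alert, and keep the feed's status field in the alert so analysts see why an "offline" C2 still matters.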


IOC SOURCES: AbuseCH Feodo  ·  AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB
