Bharat Threat FeedGlobal threats, decoded for Indian defenders
Nirad Bharat Threat Feed

India-first threat intelligence

Global threats, decoded for Indian defenders — weekly briefs, sector editions, and AI Threat Watch. Every claim source-attributed.

Weekly Latest Weekly Brief 12 July 2026 Open issue →

Weekly Brief — 12 July 2026

This week: ransomware claimed against a government research lab; the first assessed fully autonomous AI-agent extortion campaign; and critical flaws in ERP, mobile gateway, and web platforms used across India's public sector and IT industry under active exploitation.
1

The Gentlemen (Storm-2697) Claim Attack on CSIR-SERC

India exposureThe ransomware group The Gentlemen posted CSIR Structural Engineering Research Centre (CSIR-SERC), Chennai, as a victim on 6 July 2026. CSIR-SERC operates under India's Council of Scientific and Industrial Research (Ministry of Science and Technology). Microsoft tracks the group as Storm-2697; Halcyon assesses it as the fastest-scaling ransomware operation on record, with over 400 claimed victims across 70-plus countries. Its Go-based locker targets Windows, Linux, NAS, and ESXi. The group uses double extortion with payment deadlines as short as 48 hours. India features alongside the US, France, and Thailand among its primary target countries.
ActionCSIR's 37 national laboratories should audit remote access paths, enforce MFA on VPN and administrative accounts, and verify that offline backups and restoration procedures cover virtualised and NAS workloads. Treat this claim as a network-wide signal.
SourceDeXpose, 6 July 2026; ransomware.live victim listing; Halcyon threat assessment on The Gentlemen, 2026; Microsoft Storm-2697 tracking.
2

JADEPUFFER: First Assessed Fully Autonomous AI-Agent Ransomware — CVE-2025-3248

India exposureSysdig's Threat Research Team documented on 2 July 2026 what it assesses as the first case of fully agentic ransomware. The operator, designated JADEPUFFER, gained initial access through CVE-2025-3248, a missing-authentication flaw in Langflow's code validation endpoint. An LLM agent then drove the entire attack — reconnaissance, credential theft, lateral movement, privilege escalation, database encryption, and extortion — without human involvement. The agent corrected a failed authentication step in 31 seconds. The encryption key was generated once, shown briefly, and not preserved; paying the ransom cannot recover data. CVE-2025-3248 was patched in April 2025 and entered CISA's KEV catalog in May 2025. Langflow is widely deployed at Indian AI startups, IT services firms, and MNC India development centres.
ActionUpgrade Langflow to version 1.1.0 or later. Remove admin interfaces from public exposure. Monitor LLM API credentials for anomalous usage indicative of LLMjacking. In SIEM: flag rapid adaptive command sequences that re-attempt failed actions in sub-minute windows.
SourceSysdig Threat Research Team, "JADEPUFFER: Agentic ransomware for automated database extortion," 2 July 2026; BleepingComputer, 7 July 2026; The Register, 2 July 2026.
3

Adobe ColdFusion Path Traversal Exploited Within Two Hours — CVE-2026-48282

India exposureCVE-2026-48282, an unauthenticated path traversal in Adobe ColdFusion leading to arbitrary code execution, was actively exploited within two hours of public technical disclosure on 2 July 2026 (per KEVIntel honeypots). CISA added it to the Known Exploited Vulnerabilities Catalog on 7 July 2026 with a BOD 26-04 remediation deadline of 10 July 2026 for US federal agencies. Affected versions: ColdFusion 2025 Update 9 and earlier, ColdFusion 2023 Update 20 and earlier. ColdFusion underpins a significant portion of Indian government web portals, public sector bank applications, and university systems.
ActionApply ColdFusion 2025 Update 10 or 2023 Update 21 immediately. For internet-facing instances in the past ten days: audit the web root and /CFIDE/ directories for unauthorised files and review server logs for path traversal patterns.
SourceCISA KEV alert, 7 July 2026 (cisa.gov); Help Net Security, 7 July 2026; BleepingComputer, July 2026; SecurityWeek, July 2026.
4CriticalCVSS 9.8

Oracle E-Business Suite Payments Module Under Active Exploitation — CVE-2026-46817

India exposureCVE-2026-46817 (CVSS 9.8) in Oracle E-Business Suite's Payments File Transmission component permits unauthenticated remote code execution via a POST to the ibytransmit HTTP endpoint. First exploitation was observed on 27 June 2026 — six weeks after the May 2026 Oracle Critical Patch Update and before any public proof-of-concept. Shadowserver identified roughly 950 internet-reachable EBS instances globally; the DriveSurge initial access broker group has been attributed as an active exploiting actor. India has one of the largest Oracle EBS footprints globally — PSUs including NTPC, ONGC, SAIL, and Indian Oil, major nationalised banks, and state government bodies all run EBS.
ActionApply Oracle's May 2026 Critical Patch Update without delay. Restrict /OA_HTML/ibytransmit to internal networks. Review server access logs for suspicious POST requests to that endpoint from late June onward.
SourceSecurity Affairs, 30 June 2026; BleepingComputer, "Hackers now exploit critical Oracle E-Business flaw"; SecurityWeek, "Exploitation of Recent Oracle E-Business Suite Vulnerability Begins"; Help Net Security, 30 June 2026.
5

Ivanti Sentry Pre-Auth Root RCE — CVE-2026-10520

Not covered in prior NBTF editions. Included under catch-up policy.

India exposureCVE-2026-10520 is an OS command injection flaw in Ivanti Sentry (formerly MobileIron Sentry) that allows an unauthenticated remote attacker to execute arbitrary commands with root privileges. CVSS base score: 10.0. Ivanti disclosed the vulnerability on 10 June 2026; exploitation was confirmed within 24 hours. CISA added it to KEV on 11 June 2026 and issued BOD 26-04, giving US federal agencies three days to patch. UNC6240 (reported in some sources under the ShinyHunters brand) has been attributed to active exploitation. Shadowserver confirmed two internet-facing instances with active backdoors. Ivanti Sentry manages and encrypts traffic between mobile devices and enterprise back-end systems (ActiveSync, SharePoint, file servers). Indian banks, IT/BPO companies, and government agencies deploy it for mobile device management, often still under the legacy MobileIron name.
ActionUpgrade to Ivanti Sentry R10.5.2, R10.6.2, or R10.7.1. Treat compromised instances as a breach-response priority: restrict management port access, inspect for persistent backdoors, and rotate all credentials that transited Sentry-managed endpoints.
SourceCISA KEV, 11 June 2026; Help Net Security, 10 June 2026; Dark Reading, "Max-Severity Ivanti Sentry Flaw Exploited Within 24 Hours"; Rapid7 ETR on CVE-2026-10520; SC Media, "CISA gives agencies 3 days to patch maximum severity Ivanti vulnerability."

Each item this week reflects the same operational pressure: the gap between patch and exploit continues to narrow. ColdFusion was weaponised within two hours; Ivanti Sentry was backdoored within a day; Oracle EBS was exploited six weeks after patching and before any public PoC. Indian organisations with Oracle EBS and Ivanti Sentry in the public sector, and Langflow or ColdFusion in the technology sector, should treat unpatched internet-facing deployments as compromised pending forensic review.

Nirad Threat Research

Sector Latest Sector Edition July 2026 Open issue →

Critical Infrastructure Sector Edition — July 2026

Nation-state adversaries targeting operational technology have moved from reconnaissance to active pre-positioning. Waterfall Security's 2026 OT Threat Report documents cyber incidents with physical consequences doubling from seven in 2024 to fourteen in 2025, driven by state and hacktivist actors. Dragos corroborates: 119 ransomware groups targeted 3,300 industrial organisations in 2025 — a 64% year-on-year rise — and three newly tracked groups now explicitly target engineering workstations rather than IT perimeters. For India's power utilities, petroleum operators, and telecom carriers, the primary entry point this cycle is the IT-OT boundary device: SD-WAN controllers, VPN gateways, and firewall management planes where multiple actively-exploited vulnerabilities now sit.

1. Sector snapshot

2. Threats targeting Critical Infrastructure

1CriticalCVSS 10.0

Cisco Catalyst SD-WAN CVE-2026-20182 (CVSS 10.0) — WAN fabric takeover

An authentication bypass in the vdaemon DTLS service on UDP 12346 lets an unauthenticated attacker gain administrative access to Cisco Catalyst SD-WAN Controller and Manager, then open NETCONF to reconfigure the entire overlay. Cisco Talos tracks active exploitation under UAT-8616, a highly sophisticated actor with ORB-network infrastructure overlap. Confirmed post-exploitation: SSH key injection, fabric reconfiguration, root escalation via version-downgrade (CVE-2022-20775), and forensic log erasure.

India exposurestate electricity boards, petroleum pipeline operators, and NCIIPC-designated telecom carriers running Cisco Catalyst SD-WAN.
Actionpatch immediately; deploy anomaly detection on DTLS/UDP 12346 and NETCONF; hunt SSH key additions and version downgrades since March 2026.
SourceCisco Talos; Help Net Security (15 May 2026); CISA KEV (May 2026).
2

FortiBleed — 75,000–86,000 FortiGate credentials circulated, India among most-affected

Working admin credentials for internet-facing FortiGate and SSL-VPN devices across 194 countries were extracted and publicly circulated; India is documented among the most-affected nations, with critical infrastructure named among exposed sectors. Contributing flaw: CVE-2026-24858 (FortiOS FortiCloud SSO bypass).

India exposurepower utilities, petroleum operators, and government telecom providers running FortiGate for branch connectivity and remote management.
Actiontreat all Fortinet VPN and admin credentials as compromised — rotate immediately, enforce phishing-resistant MFA, restrict management access, and audit for rogue accounts.
SourceCISA; Arctic Wolf; CSA Labs (20 Jun 2026).
3

PAN-OS CVE-2026-0257 — GlobalProtect authentication bypass, actively exploited

An authentication bypass in PAN-OS GlobalProtect portal and gateway components allows unauthorised VPN sessions without credentials; active exploitation confirmed from 17 May 2026 across multiple customer environments.

India exposurepower-sector substations, government data centres, and telecom peering facilities using GlobalProtect as the remote-access perimeter.
Actionpatch immediately per CISA KEV order; hunt for unauthenticated VPN sessions since mid-May 2026.
SourceUnit 42/Palo Alto Networks; Rapid7; CISA KEV (29 May 2026).
4

Oil and gas ransomware: 935% year-on-year surge, OT physical-consequence risk

Zscaler's ThreatLabz 2025 Ransomware Report documents a 935% YoY increase in attacks against oil and gas, driven by automation of rigs, pipelines, and terminal systems expanding the OT attack surface. Events reaching a DCS or safety instrumented system carry physical and environmental consequences beyond data loss.

India exposureOT-dependent operations across refineries, pipelines, and offshore platforms; third-party IT-OT integration is a common ransomware escalation path.
Actionsegment IT from OT at all boundary points; tabletop a ransomware-to-OT escalation scenario with manual-operations fallback included.
SourceZscaler ThreatLabz; Cybersecurity Dive (Jul 2025); Dragos (17 Feb 2026).

3. Sector tech & exposures

- ICS vulnerability record: Forescout documented 508 ICS advisories in 2025 — first year above 500 — with 82% rated high or critical and average CVSS above 8.0. Level 1 (PLCs, RTUs, IEDs) and Level 2 (SCADA, DCS, BMS) are most-affected. Critical gap: only 22% of high/critical ICS CVEs carried a CISA advisory. New high-risk OT device classes flagged: PDUs, I/O modules, BACnet routers. - India-targeted APT: Seqrite's India Cyber Threat Report 2026 documents a Pakistan-nexus campaign (APT36/SideCopy) using MSI-packaged malware, DLL sideloading, and open-source RATs — Xeno RAT, Spark RAT, CurlBack RAT — targeting India's CI and defence sector; 265 million detections in Oct 2024–Sep 2025. - AI-accelerated exploitation: CERT-In advisory CIAD-2026-0020 (Apr 2026) warns that frontier AI now enables autonomous vulnerability discovery and exploit generation within hours of disclosure — a window most OT maintenance schedules cannot match.

4. Regulatory & compliance watch

- CERT-In CIAD-2026-0020 (high severity, 26 Apr 2026): Mandates 24-hour critical patch cycle for internet-facing CI systems; continuous monitoring, Zero Trust, MFA, and hard IT-OT segmentation required. An emergency-patch track separate from regular maintenance windows is now a regulatory expectation for designated CI operators. - NCIIPC: CII protection framework requires nominated CISOs and registered asset inventories across power, telecom, transport, and strategic enterprises; over 9,700 CERT-In audits were conducted in FY2024-25, signalling intensifying supervisory scrutiny. - CERT-In incident reporting: Mandatory 6-hour notification for CI operators should be reviewed against the hours-scale exploitation windows documented in CIAD-2026-0020; SOC runbooks must be validated at this interval.

5. Actor in focus

UAT-8616 — Cisco Talos designation; confidence HIGH on TTP set; MEDIUM on nation-state attribution. UAT-8616 has targeted Cisco Catalyst SD-WAN infrastructure since at least 2023, with exploitation tempo markedly increasing in May 2026. The attack chain is consistent: DTLS exploitation on UDP 12346, NETCONF fabric manipulation, SSH key persistence, root escalation via version-downgrade (CVE-2022-20775), firmware restoration to conceal the attack path, and systematic log erasure. Infrastructure overlap with ORB networks is consistent with state-level resources, though formal attribution has not been published. Compromise of an Indian state electricity board's or major telecom carrier's SD-WAN fabric would grant adversary-controlled routing and policy across geographically distributed CI sites.

Source (with date): Cisco Talos; Help Net Security (15 May 2026); Tenable; CISA KEV (May 2026).

6. IOC pack

Only public, attributed indicators; pull exact values from primary advisories and defang before operational use.

- CVE-2026-20182 (Cisco SD-WAN): Anomalous DTLS/UDP 12346 traffic; unexpected NETCONF sessions; SSH key additions outside provisioning records; unexplained version downgrades; cleared syslog, wtmp, lastlog, bash_history. (Cisco Talos advisory.) - CVE-2026-0257 (PAN-OS): Attacker IPs and file hashes in Unit 42 and Rapid7 advisories; alert on unauthenticated GlobalProtect session initiations. - FortiBleed / CVE-2026-24858: Indicators in CISA alert and Arctic Wolf advisory; detect cross-device FortiOS SSO login anomalies not matching provisioning records. - Seqrite APT RAT cluster: Defanged IOCs in Seqrite blog "Goodbye HTA, Hello MSI" (Jan 2026); detect behaviourally via MSI-spawned DLL-sideloading chains and PowerShell reflective-load patterns.

7. Recommended actions

Board: Treat edge-device and OT-network exposure as enterprise risk equal to physical security; confirm NCIIPC CISO designations and commission an emergency estate review of Cisco SD-WAN, Fortinet, and PAN-OS deployments against CVE-2026-20182, CVE-2026-24858, and CVE-2026-0257 this quarter.

CISO: Emergency-patch CVE-2026-20182 (CVSS 10.0) and CVE-2026-0257; rotate all Fortinet and Cisco SD-WAN admin and VPN credentials immediately; deploy DTLS/UDP 12346 and NETCONF anomaly detection; inventory ICS Level 1 and Level 2 devices with a vendor-co-ordinated emergency-patch track for critical OT CVEs; apply CERT-In CIAD-2026-0020 requirements: 24-hour patch cycle and hard IT-OT segmentation.

SOC: Hunt for SD-WAN version downgrades, NETCONF changes, SSH key additions, and cleared logs (wtmp, lastlog, bash_history, cli-history) since March 2026; alert on unauthenticated GlobalProtect sessions and cross-device FortiOS SSO anomalies; monitor MSI-to-DLL-sideloading chains consistent with Seqrite APT TTPs; run a ransomware-to-OT escalation tabletop for at least one oil, gas, or power facility.

8. Source index

Cisco Talos, CVE-2026-20182 / UAT-8616 (May 2026) · Help Net Security (15 May 2026) · CISA KEV (May 2026; 29 May 2026) · Tenable · CISA, FortiBleed alert (18 Jun 2026) · Arctic Wolf (Jun 2026) · CSA Labs (20 Jun 2026) · Unit 42/Palo Alto Networks, CVE-2026-0257 · Rapid7, CVE-2026-0257 · Zscaler ThreatLabz 2025 Ransomware Report (Jul 2025) · Dragos 2026 OT Year in Review (17 Feb 2026) · Waterfall Security 2026 OT Threat Report · Seqrite India Cyber Threat Report 2026 (Jan 2026) · Forescout (Feb 2026) · IT Security Guru (19 Feb 2026) · CERT-In CIAD-2026-0020 (26 Apr 2026) · Qualys blog (24 Jun 2026) · PIB, Government of India (2026).

9. Byline

Nirad Threat Research

Nirad Bharat Threat Feed — Critical Infrastructure Edition | Bharat-first threat intelligence
AI Watch Latest AI Threat Watch 9 July 2026 Open issue →

AI Threat Watch — 9 July 2026

This issue covers four developments from the past three weeks sharing a common failure mode: AI developer tools — workflow platforms, coding assistants, and IDE extensions — are being exploited by subverting the trust they extend to authenticated sessions, external tool output, and workspace configuration files. A Langflow IDOR is under active exploitation and on CISA KEV; CrowdStrike's adversary prompt injection toolkit has exceeded 200 documented methods; AI coding agents are being hijacked through Sentry error events; and Amazon Q Developer auto-started untrusted server configurations from cloned repositories.
1CriticalCVSS 9.9

CVE-2026-55255 (CVSS 9.9): Langflow cross-tenant IDOR on CISA KEV; attacker-controlled workflows being used to extract embedded API keys and cloud credentials

An insecure direct object reference in Langflow's /api/v1/responses endpoint allows any authenticated user to execute another user's AI workflow by supplying its UUID — the flow-resolution function queries the database without checking ownership. Sysdig Threat Research observed active exploitation from 25 June 2026; CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities catalog on 7 July with a federal agency remediation deadline of 10 July. The documented attack pattern: enumerate flow UUIDs via the /api/v1/flows/ listing endpoint, replay them at the responses endpoint, then inject prompts into the hijacked workflow to surface API keys and secrets stored in the victim's flows. Fixed in Langflow 1.9.1.

Why it matters for IndiaIndian GCCs, AI startups, and data engineering teams using Langflow for RAG pipelines, internal automation, or SOC workflows face a direct tenant-isolation failure. A single authenticated account — including one obtained through credential compromise — is sufficient to enumerate and exploit other users' workflows on the same deployment. This is the third distinct Langflow vulnerability to reach active exploitation in rapid succession, reflecting sustained adversary focus on AI workflow infrastructure.
ActionUpgrade to Langflow 1.9.1 or later immediately. Rotate all API keys and cloud credentials accessible from Langflow flows or environments. Review /api/v1/flows/ and /api/v1/responses access logs for UUID enumeration patterns across user boundaries. Restrict all Langflow instances to authenticated, network-segmented deployments with no direct internet exposure.
SourceSysdig Threat Research (26 June 2026); Help Net Security (8 July 2026); CISA KEV catalog (7 July 2026).
2

CrowdStrike documents five new prompt injection techniques; adversary taxonomy of AI agent attacks now exceeds 200 methods

CrowdStrike published an expansion to its prompt injection taxonomy on 7 July 2026, adding 18 new techniques to a catalogue that now documents more than 200 distinct methods. Five are of particular operational relevance to enterprise AI environments: a delayed-trigger technique that embeds a dormant instruction that activates only when a specified keyword or condition appears later in context; vocabulary suppression that blocks safety-related tokens to steer the model away from standard refusal responses; payload fragmentation that splits a malicious instruction across components appearing innocuous individually but reassembling on processing; insertion of counterfeit system-delimiter tokens to promote untrusted content to directive-level priority; and injection through trusted data sources — documents, CRM records, issue tracker entries, or knowledge-base articles — introduced to the AI context by the user rather than by the attacker directly.

Why it matters for IndiaIndian organisations deploying AI agents over business documents, customer records, ticketing systems, and ERP data are running on precisely the surfaces this structured adversary toolkit targets. Prompt injection is no longer improvised: adversaries have a documented, indexed discipline with named techniques. CrowdStrike's 2026 Global Threat Report confirmed prompt injection campaigns hitting more than 90 organisations in 2025 for credential and cryptocurrency theft.
ActionTreat every data source an AI agent ingests — documents, database records, support tickets, retrieved web content — as potentially hostile input, regardless of how it arrived. Apply structured validation before agent-generated outputs drive automated or financial actions. Log all tool calls and model-driven decisions with sufficient context to reconstruct which instruction drove each action.
SourceCrowdStrike blog (7 July 2026); Cybersecurity News (8 July 2026); GBHackers (July 2026).
3

Agentjacking: Tenet Security confirms 85% success rate hijacking Claude Code, Cursor, and Codex through fake Sentry error events

Sentry's data source name (DSN) is intentionally public and embedded in client-side JavaScript for legitimate error ingestion. Tenet Security published research on 17 June 2026 demonstrating that an attacker can craft fake Sentry error events containing hidden prompt injection instructions; when the Sentry MCP server delivers these to an AI coding agent, the agent processes the attacker's instructions as authoritative diagnostic guidance and executes them. Testing across 100-plus agent deployments confirmed an 85% success rate; Tenet identified 2,388 organisations with injectable DSNs, including a confirmed Fortune 100 enterprise. Affected agents include Claude Code, Cursor, and Codex. Tenet has open-sourced a hardening tool, agent-jackstop, with drop-in configurations for Cursor and Claude Code.

Why it matters for IndiaDevelopment teams and GCCs using AI coding assistants alongside Sentry for error monitoring face a combined-surface exposure. The attack requires no access to internal systems — only the public DSN, which is discoverable from any deployed frontend — and converts the organisation's own observability pipeline into an agent injection channel.
ActionTreat MCP tool output from external observability services as untrusted input rather than authoritative system context. Restrict coding agent permissions in CI pipelines to the minimum required for the task. Apply Tenet Security's agent-jackstop hardening configuration for Claude Code and Cursor. Audit which agents have Sentry MCP integration enabled and disable it where not operationally required.
SourceTenet Security (17 June 2026); The Hacker News (June 2026); Cloud Security Alliance Research Note (12–14 June 2026).
4

CVE-2026-12957: Amazon Q Developer extension registered MCP server configurations from workspace files without developer confirmation, exposing AWS credentials

Wiz Research reported on 26 June 2026 that the Amazon Q Developer Extension for VS Code automatically loaded and started MCP server configurations found in project workspace directories when a repository was opened, without presenting a trust confirmation step. An attacker who places a malicious configuration file in a repository can start an attacker-controlled server the moment a developer opens the project; that server runs with access to the developer's active AWS credentials and environment variables. AWS patched the flaw in Language Server version 1.69.0, released before public disclosure; the language server updates automatically in most network environments.

Why it matters for IndiaGCC development teams open and review external repositories as routine practice — for code review, dependency evaluation, and vendor assessment. In AWS-heavy GCC environments running Amazon Q Developer, a single repository clone on an unpatched workstation is a potential AWS credential exposure event. Where outbound auto-update traffic is restricted at the network perimeter, manual update verification is necessary.
ActionVerify AWS Language Server 1.69.0 or later is deployed across all developer workstations. In environments with restricted outbound connectivity, confirm the auto-update completed; push the update through internal software distribution if not. Audit recently cloned repositories for unexpected MCP configuration files. Restrict Amazon Q Developer MCP features to trusted, internal workspace contexts until update status is confirmed organisation-wide.
SourceWiz Research (26 June 2026); AWS security bulletin 2026-047-AWS; GitHub advisory GHSA-xhcr-j4j9-3gh7 (23 June 2026); The Register (26 June 2026).
AI defender tip: The four items in this issue share a structural pattern: AI tools with access to credentials or execution rights that extend implicit trust to their data inputs without explicit verification. A workflow platform trusts session authentication as sufficient for data access. A coding agent trusts Sentry MCP output as system instruction. An IDE extension trusts workspace configuration files as if they were local. None of these trust assumptions required a technical exploit to subvert — each required only an attacker reaching the trusted channel. Before deploying any AI component with access to credentials, cloud environments, or command execution, identify what it implicitly trusts and verify that each trust relationship is enforced by an explicit check — authentication, ownership verification, or human confirmation — rather than an architectural assumption.

Nirad Threat Research

Nirad AI Threat Watch | Bharat-first threat intelligence