Content 

01. News Bites
  • CISA adds 4 actively exploited flaws to KEV

  • China-associated hackers target Indian taxpayers with malicious tax filing tool delivering DcRAT

  • U.S. public sector organisation reportedly pays $1 million in Kairos Data Breach extortion

  • Ubiquiti fixes multiple critical UniFi vulnerabilities affecting core platform components

  • Threat actors abuse npm and PyPI with fraudulent payment packages

02. Conclusion

Quick News Bites

CISA adds 4 actively exploited flaws to KEV

CISA has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting an elevated threat landscape affecting Adobe ColdFusion, Joomla extensions, and the AI workflow platform Langflow. The most critical issue, CVE-2026-48282 (CVSS 10.0), is a path traversal flaw in Adobe ColdFusion that can lead to remote code execution and was reportedly exploited within hours of public disclosure. Additionally, two Joomla component vulnerabilities CVE-2026-56290 in Page Builder CK and CVE-2026-48908 in SP Page Builder—are being leveraged by threat actors to upload web shells and achieve unauthenticated remote code execution, providing persistent access to compromised web servers. The inclusion of Langflow vulnerability CVE-2026-55255 further demonstrates the growing attacker focus on AI infrastructure, with observed exploitation enabling cross-tenant access, theft of cloud and LLM API credentials, and facilitating follow-on attacks involving RCE, cryptojacking, and malware deployment.

Organisations operating these technologies should prioritise patching, conduct threat hunting for web shells and unauthorised administrator accounts, review exposed AI applications, and monitor for suspicious credential access activity, as active exploitation indicates these vulnerabilities are already being weaponised in real-world attacks.

China-associated hackers target Indian taxpayers with malicious tax filing tool delivering DcRAT

A suspected China-aligned threat actor has been observed conducting a targeted phishing campaign against Indian taxpayers, tax professionals, and corporate finance personnel using fake Income Tax Department notices to distribute the DcRAT remote access trojan. The operation, dubbed DragonReturn, employs highly tailored tax-related lures, malicious PDF attachments, and fraudulent tax-filing utility downloads to initiate a multi-stage infection chain involving DLL sideloading, privilege escalation, sandbox evasion, persistence mechanisms, and in-memory malware execution.

Researchers identified the deployment of DcRAT alongside data theft capabilities, enabling credential harvesting, screenshot capture, and potential intelligence collection. Infrastructure links to ChinaNet IP space, Chinese-language management panels, and overlaps with previously observed Silver Fox tradecraft suggest a possible China nexus, although attribution remains unconfirmed. The campaign demonstrates a high degree of operational maturity through the use of polyglot image-based payload concealment, redundant RAT deployments, and multiple command-and-control channels designed to enhance persistence and evade detection.

U.S. public sector organisation reportedly pays $1 million in Kairos data breach extortion

A recently disclosed case study has highlighted the growing shift from traditional ransomware to data-theft extortion, after a U.S. government entity reportedly paid approximately $1 million (9.44 BTC) to the threat group Kairos to prevent the public release of stolen data. Unlike conventional ransomware operations, researchers found no evidence that Kairos deployed file-encrypting malware or disrupted systems; instead, the group relied solely on the theft of sensitive information as leverage during a month-long extortion negotiation. Analysis of leaked negotiation chats and blockchain transactions suggests the victim may have been Union County, Ohio, with attackers claiming to have exfiltrated more than 2 TB of data comprising 1.6 million files, including highly sensitive government records.

The incident draw attention to an evolving threat landscape in which cybercriminals increasingly favour low-noise, high-impact data exfiltration over encryption, reducing operational complexity while maintaining significant pressure on victims. The case also reinforces the limited assurance provided by ransom payments, as there is no reliable mechanism to verify the deletion of stolen data once transferred to threat actors.

Ubiquiti fixes multiple critical UniFi vulnerabilities affecting core platform components

Ubiquiti has released security updates to address seven critical vulnerabilities affecting multiple UniFi products, including UniFi Connect, Talk, Access, Protect, and UniFi OS, with several flaws carrying CVSS scores between 9.0 and 10.0. The vulnerabilities could enable attackers with network access to achieve remote command execution, privilege escalation, SQL injection, SSRF exploitation, and unauthorised device modifications, potentially resulting in full compromise of affected systems. Of particular concern are command injection vulnerabilities in UniFi Connect, UniFi Access, and UniFi OS that could allow arbitrary code execution on host devices, as well as privilege escalation flaws impacting UniFi Talk, Access, and Protect deployments. While there is currently no evidence of active exploitation, the severity of these vulnerabilities, combined with the historical targeting of Ubiquiti infrastructure by threat actors and recent exploitation of other UniFi-related flaws, makes prompt remediation essential.

Organisations using affected UniFi products should prioritise applying the latest security updates and monitor for unusual activity that could indicate attempted exploitation

Threat actors abuse npm and PyPI with fraudulent payment packages

A newly identified software supply chain campaign has targeted developers through 17 malicious packages published on npm and PyPI, masquerading as legitimate SDKs for Paysafe, Skrill, and Neteller payment platforms. The packages were designed to imitate genuine payment integration libraries while secretly harvesting sensitive information, including API keys, AWS credentials, GitHub tokens, npm tokens, usernames, and system metadata, and exfiltrating the data to attacker-controlled infrastructure hosted on AWS. Researchers found that the malicious packages exposed expected APIs and returned fake success responses, making detection difficult for developers integrating payment services into their applications.

The campaign demonstrates a growing threat to the software development ecosystem, where threat actors increasingly leverage trusted open-source repositories to compromise developer environments and gain access to valuable credentials that could enable further cloud, source code, and financial service compromises.

It is recommended that organisations remove any affected packages, rotate exposed credentials and review CI/CD logs for any signs of compromise.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.