CTIWATCH Weekly Threat Report·June 29 – July 5, 2026

Qilin Leads Ransomware Activity as 9 KEVs with In-the-Wild Exploitation Added This Week (2026-06-29 to 2026-07-05)

Ransomware activity rose 8.3% this week, with Qilin the most active group. Nine new CVEs with confirmed in-the-wild exploitation were added to the KEV catalog, most of them rated critical, and all demand immediate patching. Geopolitical tensions remain elevated in key regions, particularly around North Korean financial targeting.

182 ransomware victims
9 KEV updates
20 notable CVEs
40,364 new IOCs

Key Takeaways

  • Prioritize patching the nine new KEVs, especially those enabling remote code execution, since all of them are actively exploited in the wild.
  • Implement robust ransomware defenses, particularly in the Business Services, Healthcare, and Manufacturing sectors, given Qilin's increased activity.
  • Enhance monitoring for domain- and IP-based IOCs, leveraging community feeds and honeypot data for early detection.
  • Be aware of ongoing North Korean financial targeting, specifically supply-chain attacks delivered through malicious npm packages.
  • Review and secure ColdFusion, WordPress, and Joomla installations for the recently disclosed critical vulnerabilities.

Ransomware Activity

Ransomware activity increased this week, with 182 victims reported, an 8.3% rise from the previous week's 168 victims. This indicates a sustained or slightly escalating threat from ransomware groups.

Qilin was the most active ransomware group, claiming 23 victims. Other notable groups included TheGentlemen (19 victims), Krybit (11 victims), and IncRansom (11 victims). The Business Services sector was the most heavily targeted, accounting for 23 victims, followed by Healthcare and Manufacturing, both with 14 victims. Geographically, the United States continued to be the most affected country with 34 reported victims, followed by Germany (12 victims) and Brazil (8 victims).

Vulnerabilities & Exploitation

This week saw the addition of nine new CVEs to the Known Exploited Vulnerabilities (KEV) catalog, all with confirmed in-the-wild exploitation. Most are rated CRITICAL, including CVE-2026-48282, a path traversal vulnerability in ColdFusion; CVE-2026-57624, an unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro; and CVE-2024-14037, an arbitrary file upload leading to RCE in Redsea Cloud eHR.

Other critical KEVs under active exploitation include CVE-2026-5524 (Divi Form Builder plugin RCE), CVE-2026-56290 (Joomla Page Builder CK RCE), and CVE-2022-50973 (Yonyou KSOA unauthenticated arbitrary file upload). Two high-severity KEVs, CVE-2026-8451 affecting NetScaler ADC/Gateway and CVE-2024-58352 in Landray OA, are also being exploited and require attention. Patch all of these immediately, prioritizing the RCE and arbitrary-file-upload issues: they give an attacker a direct foothold on exposed web and enterprise servers, and note that the older 2022 and 2024 CVEs are still being exploited, so do not assume that age means patched.
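Turning a weekly KEV delta into a patch queue is mostly a join between the catalog and your own inventory. The script below is an added example, not CTIWATCH tooling: it uses the field names of the CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), filters entries added during the reporting window, matches them to a constructed asset inventory, and orders the result so internet-facing assets and ransomware-linked CVEs come first. The feed fragment, dates, due dates, ransomware flags and hostnames are all constructed for illustration; CVE-2026-0000 is a placeholder ID used only to show an out-of-window entry being dropped.

```python
"""Triage newly added KEV entries against an asset inventory (added example)."""
import json
from datetime import date

# Constructed fragment in the shape of the CISA KEV JSON feed. Field names are
# the feed's real ones; the entries, dates and flag values are illustrative.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "2026.07.05",
    "vulnerabilities": [
        {"cveID": "CVE-2026-48282", "vendorProject": "Adobe", "product": "ColdFusion",
         "vulnerabilityName": "Adobe ColdFusion Path Traversal Vulnerability",
         "dateAdded": "2026-07-01", "shortDescription": "constructed", "requiredAction": "Apply vendor updates.",
         "dueDate": "2026-07-22", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-22"]},
        {"cveID": "CVE-2026-8451", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
         "vulnerabilityName": "Citrix NetScaler Vulnerability",
         "dateAdded": "2026-07-02", "shortDescription": "constructed", "requiredAction": "Apply vendor updates.",
         "dueDate": "2026-07-23", "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": []},
        {"cveID": "CVE-2026-56290", "vendorProject": "JoomlaCK", "product": "Page Builder CK",
         "vulnerabilityName": "Joomla Page Builder CK RCE",
         "dateAdded": "2026-07-03", "shortDescription": "constructed", "requiredAction": "Apply vendor updates.",
         "dueDate": "2026-07-24", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
        # Placeholder ID (not a real CVE): added before the window, must be dropped.
        {"cveID": "CVE-2026-0000", "vendorProject": "Example", "product": "Example Server",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-06-20", "shortDescription": "constructed",
         "requiredAction": "n/a", "dueDate": "2026-07-11", "knownRansomwareCampaignUse": "Unknown",
         "notes": "", "cwes": []},
    ],
})

# Constructed asset inventory: vendor/product as your CMDB records them.
INVENTORY = [
    {"vendor": "Adobe", "product": "ColdFusion", "hosts": ["cf-prod-01"], "internet_facing": True},
    {"vendor": "Citrix", "product": "NetScaler", "hosts": ["vpn-gw-02", "vpn-gw-01"], "internet_facing": True},
    {"vendor": "Adobe", "product": "Acrobat", "hosts": ["ws-0042"], "internet_facing": False},
]


def new_kevs(feed_json, start, end):
    """Return KEV entries whose dateAdded falls within [start, end], feed order preserved."""
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"]
            if start <= date.fromisoformat(v["dateAdded"]) <= end]


def match_inventory(entry, inventory):
    """Match on vendor, then on a substring match either way between product names,
    since the catalog and a CMDB rarely spell a product identically."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return [a for a in inventory
            if a["vendor"].lower() == vendor
            and (a["product"].lower() in product or product in a["product"].lower())]


def prioritize(entries, inventory):
    """Split entries into (matched, unmatched). Matched rows are ordered with
    internet-facing assets first, then known ransomware use, then earliest due date."""
    matched, unmatched = [], []
    for e in entries:
        assets = match_inventory(e, inventory)
        if not assets:
            unmatched.append(e["cveID"])
            continue
        matched.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "hosts": sorted(h for a in assets for h in a["hosts"]),
            "internet_facing": any(a["internet_facing"] for a in assets),
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
            "dueDate": e["dueDate"],
        })
    matched.sort(key=lambda m: (not m["internet_facing"], not m["ransomware"], m["dueDate"]))
    return matched, unmatched


if __name__ == "__main__":
    window = new_kevs(KEV_SAMPLE, date(2026, 6, 29), date(2026, 7, 5))
    todo, no_asset = prioritize(window, INVENTORY)
    for row in todo:
        print(f"{row['cveID']:16} due {row['dueDate']}  hosts={','.join(row['hosts'])}  "
              f"exposed={row['internet_facing']} ransomware={row['ransomware']}")
    print("in KEV but not in inventory:", no_asset)
```

The "unmatched" list is worth keeping rather than discarding: a KEV for software your CMDB says you do not run is either a true negative or an inventory gap, and the second case is the one that gets organizations breached.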

Threat Actor & Geopolitical Highlights

Geopolitical tensions remain elevated across several key regions. The China/Taiwan Strait continues to be a focal point for advanced espionage, with a large number of China-nexus actors, including MUSTANG PANDA and Volt Typhoon, showing persistent and sophisticated activity against Taiwan.

The Russia/Ukraine conflict zone also maintains an elevated threat status, driven by the advanced espionage capabilities of Russian and Belarusian actors such as MoustachedBouncer and FrostyNeighbor. While the number of actors specifically targeting Ukraine is low, these groups shape the overall landscape.

North Korea's financial targeting remains an elevated concern. Recent intelligence indicates the use of npm packages mimicking Rollup Polyfills to steal developer secrets, a continuation of supply-chain targeting for financial gain: a developer who installs such a package hands over the tokens and keys in their environment, so pin dependencies, review new transitive packages, and scope CI credentials tightly.

Iran also fields a notable number of advanced espionage actors, contributing to a medium threat status in the Iran/Israel/US region, although the data for this period does not detail recent activity against Israel or the US.

IOC & Infrastructure Trends

New indicators of compromise (IOCs) observed this week show a significant volume across various types. Domains accounted for the largest share with 24,374 new indicators, followed by IP addresses (8,779) and URLs (6,854). Hash-based IOCs (SHA256, MD5, SHA1) were present in much smaller numbers, so this week's collection skewed toward network-level indicators. Domain and IP indicators age quickly and shared hosting produces false positives, so check first-seen/last-seen timestamps and the source's confidence before blocking outright rather than alerting.

The top sources for these IOCs highlight a blend of community-driven intelligence and automated collection. MISP contributed the highest number of IOCs with 15,494. Honeypot-derived data from T-Pot Honeypot was a significant source, providing 6,099 IOCs, underscoring the value of deception technologies in threat intelligence. Other notable sources included Phishing Army, ThreatFox, and Abuse.ch URLhaus, emphasizing the prevalence of phishing and malicious URL activity.
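The recommendation above to monitor for domain- and IP-based IOCs from feeds such as MISP, ThreatFox and URLhaus comes down to one matching routine that gets three details right: subdomains of a listed domain should hit, bare IPs and CIDR ranges should be handled uniformly, and URLs should be compared after normalisation rather than as raw strings. The script below is an added example, not CTIWATCH code. The indicator CSV, the Squid-style proxy lines and the BIND-style query line are constructed for illustration, and it assumes the feeds have already been exported to a simple type,value,source CSV.

```python
"""Match domain, IP/CIDR and URL indicators against proxy and DNS logs (added example)."""
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicator export (type,value,source). Sources named after the
# feeds in the report; the values themselves use reserved example ranges.
IOC_FEED = """type,value,source
domain,login-secure-update.example,Phishing Army
domain,cdn.malicious-updates.example,ThreatFox
ip,203.0.113.45,T-Pot Honeypot
ip,198.51.100.0/24,MISP
url,http://files.badhost.example/payload.php,Abuse.ch URLhaus
"""

# Constructed logs: three Squid access-log lines and one BIND query log line.
LOG_LINES = [
    "1751500000.123 345 10.0.0.12 TCP_MISS/200 512 GET http://login-secure-update.example/auth - HIER_DIRECT/203.0.113.45 text/html",
    "1751500001.456 210 10.0.0.13 TCP_MISS/200 1024 GET http://mail.corp.example/inbox - HIER_DIRECT/192.0.2.10 text/html",
    "1751500002.789 180 10.0.0.14 TCP_MISS/200 2048 GET http://files.badhost.example/payload.php - HIER_DIRECT/198.51.100.77 application/octet-stream",
    "05-Jul-2026 10:15:01.001 client 10.0.0.15#53421: query: tracker.cdn.malicious-updates.example IN A + (10.0.0.1)",
]

URL_RE = re.compile(r"https?://[^\s\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DNS_QUERY_RE = re.compile(r"query: (\S+) IN ")

# RFC 1918 space is skipped explicitly; ipaddress.is_private would also skip
# the TEST-NET ranges used in the sample data, which is not what we want.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def norm_url(url):
    """Reduce a URL to (scheme, host, path) so case and query noise do not defeat matching."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path or "/")


def load_iocs(csv_text):
    """Index indicators by type: domains as a dict, IPs as networks (/32 for bare IPs), URLs normalised."""
    iocs = {"domain": {}, "ip": [], "url": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, value, src = row["type"].strip(), row["value"].strip().lower(), row["source"].strip()
        if kind == "domain":
            iocs["domain"][value.rstrip(".")] = src
        elif kind == "ip":
            iocs["ip"].append((ipaddress.ip_network(value, strict=False), src))
        elif kind == "url":
            iocs["url"][norm_url(value)] = src
    return iocs


def extract_observables(line):
    """Pull hostnames (from URLs and DNS queries), IP addresses and URLs out of one log line."""
    urls = URL_RE.findall(line)
    hosts = {h for h in (urlsplit(u).hostname for u in urls) if h}
    hosts.update(q.lower().rstrip(".") for q in DNS_QUERY_RE.findall(line))
    ips = set()
    for s in IP_RE.findall(line):
        try:
            ips.add(ipaddress.ip_address(s))
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
    return hosts, ips, urls


def match_line(line, iocs):
    """Return (type, indicator, source) hits; a host hits a domain IOC if it equals it or is a subdomain."""
    hits = []
    hosts, ips, urls = extract_observables(line)
    for host in sorted(hosts):
        for dom, src in iocs["domain"].items():
            if host == dom or host.endswith("." + dom):
                hits.append(("domain", dom, src))
    for ip in sorted(ips):
        if any(ip in net for net in INTERNAL_NETS):
            continue  # internal clients never appear in external feeds
        for net, src in iocs["ip"]:
            if ip.version == net.version and ip in net:
                hits.append(("ip", str(net), src))
    for url in urls:
        src = iocs["url"].get(norm_url(url))
        if src:
            hits.append(("url", url, src))
    return hits


def scan(lines, iocs):
    """Return [(line_index, hits)] for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES, load_iocs(IOC_FEED)):
        for kind, value, src in hits:
            print(f"line {idx}: {kind} {value} (source: {src})")
```

Note what the fourth sample line shows: the DNS query is for tracker.cdn.malicious-updates.example, which is not in the feed verbatim, but matching on the listed parent domain still catches it. Conversely the /24 indicator fires on any address in the range, which is exactly the kind of broad network IOC that should alert rather than block until you have checked the source's confidence.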

Outlook

Based on current trends, organizations should anticipate continued high volumes of ransomware activity, with Qilin likely to remain a prominent threat actor. The consistent targeting of Business Services, Healthcare, and Manufacturing sectors suggests these industries will continue to be primary targets. Proactive defense against common ransomware entry vectors, such as exploiting known vulnerabilities and phishing, will be crucial.

The high number of critical KEVs with in-the-wild exploitation added this week, particularly those involving RCE and arbitrary file uploads in widely used software like ColdFusion, WordPress plugins, and Joomla extensions, indicates that threat actors are actively leveraging these vulnerabilities. Expect continued exploitation of these newly identified KEVs. Monitoring for and patching these specific vulnerabilities, especially those impacting web applications and enterprise software, should be a top priority for the coming week. The ongoing geopolitical tensions and North Korean financial targeting also suggest a persistent threat from state-sponsored actors, particularly through supply chain compromises and espionage.

Generated from CTIWATCH platform data (June 29 – July 5, 2026): honeypot sensors, ransomware leak-site monitoring, CISA KEV, NVD and OSINT feeds. Published July 4, 2026.