| New Threat Protection | 797 |
| Newly Detected Threats | 5 |
Device Code Phishing
As most people nowadays rely on simple sign-in methods such as tapping on the “Approved” button from their phone, scanning a QR code, or entering a short code instead of typing long passwords. Attackers have also taken advantage of this and are using new techniques to exploit this such as Device Code Phishing.
Device code phishing is a type of attack that abuses legitimate device OAuth 2.0 flow. This is for the attacker to trick their victims to complete a legitimate Microsoft authentication process that permits the attacker’s device. This type of attack does not rely on stealing passwords or breaking into your account.
How the attack works:
- The attacker initiates a legitimate device‑code login request with a service (e.g., Microsoft Entra ID, Google, or other OAuth‑based systems).
- A phishing lure (email, QR code in a PDF, chat message, fake IT/HR notification) delivers a URL or the code itself to the victim.
- By entering the code provided by the attacker, the victim is unknowingly authorising the attacker's session, granting them access without sharing your password or going through the usual authentication process.
Why it’s dangerous
- Bypasses password and MFA-based defences entirely; nothing is "stolen" in the traditional sense; a token is authorised.
- Verification takes place on the real Microsoft domain, so standard "check the URL" phishing training doesn't catch it (https[:]//microsoft[.]com/devicelogin).
- Newer kits generate the code on-demand when the victim clicks the link, removing the old 15-minute expiry limitation that made earlier device-code phishing unreliable.
- Access can persist depending on token lifetime/refresh settings, enabling BEC, lateral movement, data theft, or ransomware follow-on.
How to protect yourself
- Enforcing conditional access policies and restricting device-code flows
- Monitor unusual device sign-in or token activity.
Below are few sample campaigns utilising this type of attack:
- DEBULL – This tricks victim to enter the attacker generated codes and then uses various tools to pull data from Microsoft 365 accounts. This is a toolkit that is patterned after Storm-2372's style of device code phishing
- EvilTokens - a prominent PhaaS kit advertised on Telegram since Feb 2026, offering Microsoft/Adobe/DocuSign-themed landing pages and a "Portal Browser" for managing compromised accounts at scale.
- Forg365 – This is a new phishing-as-a-service that uses a combination of device-code phishing and adversary-in-the-middle (AitM). This is usually delivered via Telegram.
- Tycoon 2FA – pivoted into device-code PhaaS offerings following disruption of its AiTM infrastructure in Feb 2026.
- Ghost Phishing – This type of campaign relies on real Microsoft verification pages using multiple toolkits. This focuses on stealing the tokens which bypass traditional email security instead of stealing the passwords.
|
Known Exploited Vulnerabilities (Week 2 - July 2026)
For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-2nd-week-of-july-2026/676.
|
Vulnerability
|
CVSS
|
Description | Affected Version | Fixed Version | |
|
9.8
|
Unauthenticated Arbitrary File Upload - Balbooa Forms contains a vulnerability that can allow an unauthenticated remote attacker to upload and execute arbitrary files. Exploitation of this vulnerability can enable an attacker to upload and execute arbitrary PHP code such as a WebShell which can provide access to the underlying system.
|
<= 2.4.0
|
2.4.1
|
||
|
9.8
|
Unauthenticated Arbitrary File Upload - iCagenda contains a vulnerability that can allow an unauthenticated remote attacker to upload and execute arbitrary files. Exploitation of this vulnerability can enable an attacker to upload and execute arbitrary PHP code such as a WebShell which can provide access to the underlying system.
|
3.2.1 - 3.9.14
4.0.0 - 4.0.7 |
3.9.15
4.0.8 |
||
|
9.8
|
Unauthenticated Arbitrary File Upload - JoomShaper SP Page Builder contains a vulnerability that can allow an unauthenticated remote attacker to upload arbitrary files. Exploitation of this vulnerability can enable an attacker to upload and execute arbitrary PHP code such as a WebShell which can provide access to the underlying system.
|
<= 6.6.1
|
6.6.2
|
||
|
8.4
|
Authenticated IDOR - Langflow contains a vulnerability that can allow an authenticated remote attacker to execute a flow of another user that can result in the disclosure of sensitive information.
|
<= 1.9.0
|
1.9.1
|
||
|
9.8
|
Unauthenticated Arbitrary File Upload - Joomlack Page Builder contains a vulnerability that can allow an unauthenticated remote attacker to upload and execute arbitrary files. Exploitation of this vulnerability can enable an attacker to upload and execute arbitrary PHP code such as a WebShell which can provide access to the underlying system.
|
<= 3.5.10
|
3.6.0
|
||
|
10
|
Unauthenticated RCE - Adobe ColdFusion contains a path traversal vulnerability that can allow an unauthenticated remote attacker to execute code on the system in the context of the current user.
|
<= 2025.9
<= 2023.20 |
2025.10
2023.21 |
Updated Malware Signature (Week 2 - July 2026)
|
Threat
|
Description | |
|
XWorm
|
XWorm is a rapidly updated Windows RAT sold on cybercrime forums, giving attackers remote control, data theft,XWorm is a rapidly updated Windows Remote Access Trojan (RAT) sold as Malware-as-a-Service, giving attackers remote control, data theft, credential harvesting, and ransomware-style capabilities. It spreads mainly through phishing and malicious loaders, with frequent new variants that help it evade detection. |
| Ransomware Report | |
|
The Red Piranha Team conducts continuous surveillance across the dark web and other threat intelligence channels to identify global organisations impacted by ransomware attacks. In the past week, this monitoring revealed multiple ransomware incidents spanning a diverse range of threat groups, underscoring the persistent and widespread nature of today's cyber threat landscape. Presented below is a detailed breakdown of ransomware group activity, victim geographies, and targeted industries observed during this period. Ransomware Hits Last WeekLast week’s ransomware activity shows that The Gentlemen was the most active ransomware group, impacting 39 countries, which accounted for 21.91% of the total ransomware hits. This made The Gentlemen the leading ransomware actor during the reporting period. Qilin recorded the second-highest activity, attacking 27 countries and contributing 15.17% of the total ransomware activity. Deadlock followed 12 countries impacted, representing 6.74%. Lockbit5 also showed significant activity, affecting 10 countries and accounting for 5.62%. A moderate level of activity was observed from Genesis and SafePay, each impacting 9 countries and contributing 5.06% individually. Akira and Crpx0 each affected 6 countries, representing 3.37% of total ransomware activity. Play impacted 5 countries, accounting for 2.81%. Several ransomware groups showed lower but notable activity. Wallstreet, Eraleign (APT73), and Chaos each impacted 4 countries, contributing 2.25% individually. Payload, Space Bears, Ailock, Inc Ransom, Krybit, Settra, and Gunra each affected 3 countries, representing 1.69% individually. Groups with limited activity, impacting 2 countries, including ShinyHunters, CMD Organisation, DragonForce, Interlock, and Brain Cipher, each accounting for 1.12% of the total ransomware activity. The remaining ransomware groups, including Titan, Ransomhouse, Arcus Media, Morpheus, Bravox, 3AM, Nightspire, Pear, Money Message, Doommageddon, Nova, and Blackwater, each impacted 1 country, contributing 0.56% individually. Overall, ransomware activity last week was highly concentrated among a few major groups, particularly The Gentlemen and Qilin, which together accounted for a significant portion of global ransomware activity. The continued presence of multiple smaller groups indicates that the ransomware ecosystem remains diverse, with both established and emerging threat actors actively targeting organisations across different regions. |
Wallstreet Ransomware
During the requested reporting window of 04 July 2026 to 10 July 2026, Wallstreet was observed as an active ransomware/data - extortion threat actor in public ransomware tracking and vendor reporting.
SOCRadar and multiple dark - web monitoring feeds listed four organisations as alleged Wallstreet victims on 04 July 2026: Asisken (Ecuador - medical assistance & health insurance), Gold Standard Automotive (United States - automotive/vehicle service contracts), Baraga County Memorial Hospital (United States - healthcare), and Edgewood Police Department (United States - municipal law enforcement). SOCRadar records Wallstreet targeting across Healthcare, Insurance, Manufacturing, Automotive, and Government sectors, with victims spread across the United States, Ecuador, and India. [1][3][5][6]
Wallstreet first became publicly trackable in the second half of June 2026 and began populating its Tor data - leak site at the start of July 2026. It is assessed as a small, emerging data - extortion operation with a short but active track record. [5][6]
Overall, Wallstreet should be treated as an active ransomware/extortion threat for the reporting window. However, public technical reporting for the actor remains very limited. As of this report there is not publicly available encryptor sample, file hash, STIX bundle, or command - and - control indicator attributable to Wallstreet on ANY.RUN, VirusTotal, or AlienVault OTX. The only hard technical indicator is the group’s leak - site onion address. This distinction is important for attribution and blocking decisions. [4]
Threat Actor Description
Origin and Profile
Wallstreet presents as a stand - alone data - extortion brand operating a dedicated Tor data - leak site (DLS). It emerged during a 2026 landscape in which named ransomware groups increasingly behave as disposable brands - rebranding quickly, reusing commodity access, and prioritising public data - leak pressure over reliable encryption. Observed activity is opportunistic and multi - sector rather than focused on a single vertical. [5]
No confirmed code lineage, affiliate structure, or rebrand relationship to a prior ransomware family has been established for Wallstreet in open sources. The technical TTPs and IOCs below are mapped at the cohort level from the broader emerging - extortion actor class and from Wallstreet’s observed leak - site behaviour. They should be treated as assessed, not confirmed 2026 actor tooling unless internal telemetry confirms the same samples. [5]
Encryption is unconfirmed for Wallstreet - no encryptor has been recovered or analysed publicly - so exfiltration - first (possibly encryption - less) extortion cannot be ruled out. Defenders should plan for data theft as the primary risk while retaining file encryption in the threat model.
Tactics, Techniques, and Procedures (TTPs)
Attribution Framework
|
Tactic
|
Technique ID
|
Technique
|
Evidence/Observed Behaviour
|
|
Impact
|
T1657
|
Financial Theft/Extortion
|
public DLS listing with threatened data release to coerce payment. [1][5]
|
|
Impact
|
T1486
|
Data Encrypted for Impact
|
NOT confirmed for Wallstreet;
|
Attack Lifecycle
The following reconstructs a Wallstreet - style intrusion based on the group’s observed leak - site extortion and the behaviour of the wider emerging - extortion cohort. Current Wallstreet reporting confirms extortion activity but does not yet provide enough public malware - level telemetry to confirm the specific tooling used. [5]
INITIAL ACCESS - Valid Accounts/Exposed Remote Services
Entry is assessed to occur through stolen or valid credentials and internet - facing remote - access services (VPN/RDP/remote - admin), the dominant vectors for this class of actor in 2026. Phishing/credential harvesting is a plausible alternate path. No Wallstreet - specific access artefact has been published.
Observable artefacts: RDP/VPN authentication failures followed by successful login; unfamiliar source IPs on remote - access services; new executable creation after remote login; anomalous or impossible - travel authentication.
DISCOVERY & LATERAL MOVEMENT - Internal Enumeration
After access, the actor is assessed to enumerate file shares, hosts and backup repositories, then move laterally using valid credentials over SMB/RDP to reach high - value data stores.
Observable artefacts: Share and host enumeration; east - west SMB/RDP sweeps; new privileged group membership; service - account misuse; access to backup shares.
COLLECTION & EXFILTRATION
Data is assessed to be staged, compressed and exfiltrated over a web or cloud channel. The theft itself is confirmed by Wallstreet’s subsequent extortion claim, even though the exact channel is not publicly documented. [1]
Observable artefacts: Large archive creation; anomalous outbound data volume; suspicious POST/cloud - upload traffic; egress to anonymised or unusual destinations.
IMPACT - Extortion via Leak Site
Wallstreet lists the victim on its Tor data - leak site and threatens to release sensitive data unless negotiations begin. This double/data - leak extortion behaviour is directly observed. File encryption is not confirmed for Wallstreet and should not be assumed present. [1][5][6]
Observable artefacts: Victim appearing on the Wallstreet DLS; extortion/ransom communications; outbound Tor connectivity; (if encryption occurs) mass file - rename and ransom - note creation - unconfirmed for this actor.
Indicators of Compromise (IOCs)
Leak Site/Network Indicators
|
Type
|
Indicator/Value
|
Description
|
|
Tor DLS (onion)
|
4dwiv37h7hhuhjpvtn72hme4ylcv3qoe65arfc6mbweal7als6ma7pyd[.]onion
|
Wallstreet data - leak site (OSINT, usually reliable). [6]
|
File Hashes
|
Type
|
Indicator/Value
|
|
SHA256/SHA1/MD5
|
None publicly available or attributable to Wallstreet at time of writing (no encryptor recovered).
|
Host - Based Indicators
|
Type
|
Indicator/Value
|
Description
|
|
File Extension
|
None published
|
No encrypted - file extension confirmed - encryption unverified for this actor.
|
|
Ransom Note
|
None published
|
No ransom - note filename attributable to Wallstreet.
|
Associated Email Addresses
|
Type
|
Indicator/Value
|
|
Email
|
None published/attributable to Wallstreet at time of writing.
|
Mitigation - Crystal Eye 5.5 Controls
All Crystal Eye XDR 5.5 controls referenced below are mapped to Wallstreet’s assessed lifecycle and the broader ransomware/extortion kill chain. Because Wallstreet is exfiltration - led, priority is weighted toward identity hardening, egress control (including Tor), and detection of bulk collection and exfiltration - not solely anti - encryption measures.
CE Secure Web Gateway + Anti - phishing
Enable Anti-phishing with Signature Engine, Heuristic Engine, Block SSL Mismatch, and Block Cloaked URLs to block phishing and malware - delivery URLs used for credential theft or payload staging.
CE Advanced Firewall + IDPS
Segment user, server, backup, and remote - access networks and restrict RDP/SMB to explicit administrative sources only.
CE SIEM + CESOC Escalation
Use CE SIEM to correlate IDPS, SWG, DLP, endpoint, and network events, and ingest the Wallstreet leak - site indicator.
CE Vulnerability Scanning
Run vulnerability scans against internet - facing systems, RDP hosts, VPN services, and Windows endpoints
CE Backup Integrity & Resilience
Verify immutable, offline, tested backups and alert on mass file modification and shadow - copy deletion.
Source References
[1] SOCRadar - Wallstreet Ransomware Group Profile - https://socradar.io/free - tools/ransomware - intelligence/groups/wallstreet.
[2] SOCRadar - Asisken Ransomware Attack by Wallstreet (victim record) - https://socradar.io/free - tools/ransomware - intelligence/victims/asisken - wallstreet - 1934fc53.
[3] DeXpose - Wallstreet Ransomware Breaches Gold Standard Automotive - https://www.dexpose.io/wallstreet - ransomware - breaches - gold - standard - automotive/. Gold Standard Automotive (goldstandardautomotive.com) listed 04 July 2026; USA automotive.
[4] HackerFeeds - Edgewood Police Department listed by Wallstreet - https://hackerfeeds.com/ransomware/edgewood - police - department - by - wallstreet - 1cawj. Public threat - intel feed corroborating the Edgewood listing; actor - claimed, unverified.
[5] Securelist (Kaspersky) - State of Ransomware in 2026 - https://securelist.com/state - of - ransomware - in - 2026/119761/. Cohort context: 2026 shift toward encryption - less / data - leak extortion by small emerging groups.
[6] Bitshadow (X) - New Wallstreet Ransomware Leak Site - https://x.com/fbgwls245/status/2069382800034386169. First public disclosure of the Wallstreet Tor leak - site onion address.
Worldwide Ransomware Victims
Worldwide ransomware victim distribution shows that the United States was the most affected country, with 80 victims, accounting for 44.94% of the total ransomware activity. This indicates that nearly half of all reported ransomware victims were located in the United States, making it the primary target region during this period.
Germany recorded the second-highest number of victims, with 12 cases, representing 6.74% of the total. The United Kingdom and Canada each reported 7 victims, contributing 3.93% individually. Australia and Argentina followed with 6 victims each, accounting for 3.37% of total ransomware activity.
Other countries with notable ransomware impact included India, Italy, and Spain, each recording 5 victims, representing 2.81% individually. China recorded 4 victims, contributing 2.25% of the total.
Moderate activity was observed in Brazil, France, Austria, Mexico, and Singapore, each with 3 victims, accounting for 1.69% individually. Kenya and Switzerland each reported 2 victims, representing 1.12% of the total.
The remaining countries recorded 1 victim each, accounting for 0.56% individually. These included Ecuador, Poland, Pakistan, Iran, Paraguay, Taiwan, Denmark, Oman, Czechia, Bolivia, Saint Lucia, Mayotte, Turkey, Finland, Greece, Brunei Darussalam, Dominican Republic, Netherlands, Thailand, Bangladesh, Venezuela, and Uruguay.
Industry-wide Ransomware Impact
Industry-wide ransomware victim data shows that Business Services was the most affected sector, with 31 victims, accounting for 17.42% of total ransomware activity. This indicates that business service organisations remained the primary targets during this period.
Manufacturing recorded the second-highest number of victims, with 26 cases representing 14.61% of the total. Construction followed with 22 victims, contributing 12.36%, while Retail accounted for 17 victims, representing 9.55% of overall ransomware activity.
The Healthcare sector also experienced a significant impact, with 13 victims, accounting for 7.30% of the total. IT recorded 9 victims, contributing 5.06%, while Insurance and Transportation each reported 6 victims, representing 3.37% individually.
Moderate ransomware activity was observed across several sectors, including Federal and Hospitality, each with 5 victims, accounting for 2.81% individually. Architecture, Finance, Organisations, Electronics, Consumer Services, and Law Firms each recorded 4 victims, contributing 2.25% each.
Lower levels of ransomware activity were observed in Agriculture and Real Estate, each reporting 3 victims, representing 1.69% individually. Media & Internet recorded 2 victims, accounting for 1.12%, while Telecommunications had the lowest impact with 1 victim, representing 0.56% of the total.