This week: ransomware claimed against a government research lab; the first assessed fully autonomous AI-agent extortion campaign; and critical flaws in ERP, mobile gateway, and web platforms used across India's public sector and IT industry under active exploitation.
1
The Gentlemen (Storm-2697) Claim Attack on CSIR-SERC
India exposureThe ransomware group The Gentlemen posted CSIR Structural Engineering Research Centre (CSIR-SERC), Chennai, as a victim on 6 July 2026. CSIR-SERC operates under India's Council of Scientific and Industrial Research (Ministry of Science and Technology). Microsoft tracks the group as Storm-2697; Halcyon assesses it as the fastest-scaling ransomware operation on record, with over 400 claimed victims across 70-plus countries. Its Go-based locker targets Windows, Linux, NAS, and ESXi. The group uses double extortion with payment deadlines as short as 48 hours. India features alongside the US, France, and Thailand among its primary target countries.
ActionCSIR's 37 national laboratories should audit remote access paths, enforce MFA on VPN and administrative accounts, and verify that offline backups and restoration procedures cover virtualised and NAS workloads. Treat this claim as a network-wide signal.
SourceDeXpose, 6 July 2026; ransomware.live victim listing; Halcyon threat assessment on The Gentlemen, 2026; Microsoft Storm-2697 tracking.
2
JADEPUFFER: First Assessed Fully Autonomous AI-Agent Ransomware — CVE-2025-3248
India exposureSysdig's Threat Research Team documented on 2 July 2026 what it assesses as the first case of fully agentic ransomware. The operator, designated JADEPUFFER, gained initial access through CVE-2025-3248, a missing-authentication flaw in Langflow's code validation endpoint. An LLM agent then drove the entire attack — reconnaissance, credential theft, lateral movement, privilege escalation, database encryption, and extortion — without human involvement. The agent corrected a failed authentication step in 31 seconds. The encryption key was generated once, shown briefly, and not preserved; paying the ransom cannot recover data. CVE-2025-3248 was patched in April 2025 and entered CISA's KEV catalog in May 2025. Langflow is widely deployed at Indian AI startups, IT services firms, and MNC India development centres.
ActionUpgrade Langflow to version 1.1.0 or later. Remove admin interfaces from public exposure. Monitor LLM API credentials for anomalous usage indicative of LLMjacking. In SIEM: flag rapid adaptive command sequences that re-attempt failed actions in sub-minute windows.
SourceSysdig Threat Research Team, "JADEPUFFER: Agentic ransomware for automated database extortion," 2 July 2026; BleepingComputer, 7 July 2026; The Register, 2 July 2026.
3
Adobe ColdFusion Path Traversal Exploited Within Two Hours — CVE-2026-48282
India exposureCVE-2026-48282, an unauthenticated path traversal in Adobe ColdFusion leading to arbitrary code execution, was actively exploited within two hours of public technical disclosure on 2 July 2026 (per KEVIntel honeypots). CISA added it to the Known Exploited Vulnerabilities Catalog on 7 July 2026 with a BOD 26-04 remediation deadline of 10 July 2026 for US federal agencies. Affected versions: ColdFusion 2025 Update 9 and earlier, ColdFusion 2023 Update 20 and earlier. ColdFusion underpins a significant portion of Indian government web portals, public sector bank applications, and university systems.
ActionApply ColdFusion 2025 Update 10 or 2023 Update 21 immediately. For internet-facing instances in the past ten days: audit the web root and /CFIDE/ directories for unauthorised files and review server logs for path traversal patterns.
SourceCISA KEV alert, 7 July 2026 (cisa.gov); Help Net Security, 7 July 2026; BleepingComputer, July 2026; SecurityWeek, July 2026.
4CriticalCVSS 9.8
Oracle E-Business Suite Payments Module Under Active Exploitation — CVE-2026-46817
India exposureCVE-2026-46817 (CVSS 9.8) in Oracle E-Business Suite's Payments File Transmission component permits unauthenticated remote code execution via a POST to the ibytransmit HTTP endpoint. First exploitation was observed on 27 June 2026 — six weeks after the May 2026 Oracle Critical Patch Update and before any public proof-of-concept. Shadowserver identified roughly 950 internet-reachable EBS instances globally; the DriveSurge initial access broker group has been attributed as an active exploiting actor. India has one of the largest Oracle EBS footprints globally — PSUs including NTPC, ONGC, SAIL, and Indian Oil, major nationalised banks, and state government bodies all run EBS.
ActionApply Oracle's May 2026 Critical Patch Update without delay. Restrict /OA_HTML/ibytransmit to internal networks. Review server access logs for suspicious POST requests to that endpoint from late June onward.
SourceSecurity Affairs, 30 June 2026; BleepingComputer, "Hackers now exploit critical Oracle E-Business flaw"; SecurityWeek, "Exploitation of Recent Oracle E-Business Suite Vulnerability Begins"; Help Net Security, 30 June 2026.
5
Ivanti Sentry Pre-Auth Root RCE — CVE-2026-10520
Not covered in prior NBTF editions. Included under catch-up policy.
India exposureCVE-2026-10520 is an OS command injection flaw in Ivanti Sentry (formerly MobileIron Sentry) that allows an unauthenticated remote attacker to execute arbitrary commands with root privileges. CVSS base score: 10.0. Ivanti disclosed the vulnerability on 10 June 2026; exploitation was confirmed within 24 hours. CISA added it to KEV on 11 June 2026 and issued BOD 26-04, giving US federal agencies three days to patch. UNC6240 (reported in some sources under the ShinyHunters brand) has been attributed to active exploitation. Shadowserver confirmed two internet-facing instances with active backdoors. Ivanti Sentry manages and encrypts traffic between mobile devices and enterprise back-end systems (ActiveSync, SharePoint, file servers). Indian banks, IT/BPO companies, and government agencies deploy it for mobile device management, often still under the legacy MobileIron name.
ActionUpgrade to Ivanti Sentry R10.5.2, R10.6.2, or R10.7.1. Treat compromised instances as a breach-response priority: restrict management port access, inspect for persistent backdoors, and rotate all credentials that transited Sentry-managed endpoints.
SourceCISA KEV, 11 June 2026; Help Net Security, 10 June 2026; Dark Reading, "Max-Severity Ivanti Sentry Flaw Exploited Within 24 Hours"; Rapid7 ETR on CVE-2026-10520; SC Media, "CISA gives agencies 3 days to patch maximum severity Ivanti vulnerability."
Each item this week reflects the same operational pressure: the gap between patch and exploit continues to narrow. ColdFusion was weaponised within two hours; Ivanti Sentry was backdoored within a day; Oracle EBS was exploited six weeks after patching and before any public PoC. Indian organisations with Oracle EBS and Ivanti Sentry in the public sector, and Langflow or ColdFusion in the technology sector, should treat unpatched internet-facing deployments as compromised pending forensic review.