
Threat Advisory • Attack Report • TA2026192
HiveForce Labs tracked 18 months of sustained cyber-threat telemetry against the USA Government sector — federal, state, local, tribal, and territorial (SLTT) agencies. The dataset spans 76 weaponized CVEs (87% CISA KEV, 45% zero-day), a Qilin-led ransomware wave, and persistent nation-state espionage from APT41, Silk Typhoon, Salt Typhoon, Star Blizzard, and Kimsuky.
Section 01
The USA Government sector faces one of the world’s most persistent and diverse cyber-threat surfaces. Between January 2025 and July 2026, HiveForce Labs tracked 76 vulnerabilities weaponized against federal, state, local, tribal, and territorial (SLTT) government targets — 87% of which are listed in CISA KEV. Ransomware activity dominates the current picture, with Qilin, INC, Safepay, and Medusa accounting for the majority of victim postings. State-aligned actors from China (APT41, Silk/Salt Typhoon), Russia (Star Blizzard, Cold River), Iran, and North Korea (Kimsuky) continue espionage, while criminal groups exploit legacy on-premises infrastructure — particularly Exchange, FortiOS, Ivanti Connect Secure, and BeyondTrust.
Section 02
Over eighteen months, HiveForce Labs tracked 156 distinct malware and campaign advisories targeting the USA Government sector — a volume unmatched by any other vertical. The intrusion set spans China-nexus espionage groups (APT41, Silk Typhoon, Salt Typhoon, FishMonger, PlushDaemon, ToddyCat, ToyMaker), Russian operators (Star Blizzard, Cold River), Iranian/DPRK-linked actors (Kimsuky, Water Gamayun), independent groups (TeamPCP, Mora_001, UAT-6382), and a sprawling ransomware-as-a-service criminal ecosystem.
The exploitation surface is disturbingly consistent. Of the 76 CVEs weaponized, five vendors — Microsoft, Cisco, Fortinet, Ivanti, VMware — account for 42% of volume, and the top-seven exploited products (Exchange, FortiOS, Ivanti Connect Secure, BeyondTrust PRA/RS, SimpleHelp, VMware vCenter, Cisco IOS-XE) map onto mail, VPN, remote-support, virtualization, and network fabric. 87% of exploited CVEs are CISA KEV, and 45% were zero-day — adversaries operate at the exact edge where known criticality meets a documented patch.
Ransomware defines the picture: 50 of 156 advisories (32%) are ransomware families. Qilin alone posted 43 U.S. government victims (~39% of the top-six total), peaking at five posts/month across September–November 2025. INC (20), Safepay (12), Medusa (10), DragonForce (8), Ransom House (8), InterLock (7), and Rhysida (5) round out a top tier posting a new victim roughly every three days.
Infostealers are the second-largest malware category (18%) — Rhadamanthys, StealC, Lumma, Vidar — feeding harvested credentials to Initial Access Brokers who sell to Qilin, INC, and Medusa affiliates. Backdoors/RATs represent 19%: AsyncRAT and ValleyRAT dominate commodity use, while BRICKSTORM, MemFun, and Getpass anchor higher-tier espionage. State actors increasingly wrap commodity payloads with custom loaders (MimicRAT, SilentPrism, DarkWisp), while criminal affiliates borrow nation-state tradecraft (DLL sideloading, ClickFix, LOLBins).
Most uncomfortably: 78% of weaponized CVEs are 2+ years old, 21% are 6+ years old, and 89% have vendor patches available. Adversaries are largely exploiting known, patchable, KEV-listed vulnerabilities that government tenants have failed to remediate — a remediation-velocity failure, not a disclosure failure.
Chinese state-sponsored group (also Wicked Panda, Brass Typhoon, Winnti Group) running multiple parallel campaigns against USA federal and SLTT targets — the single most active named actor in the tracking window.
CVE-2023-3519 is an unauthenticated RCE, CISA KEV-listed, weaponized by multiple actors including state-nexus groups — representative of the network-edge appliance flaws dominating USA government exposure.
An open-source RAT reused across affiliate ecosystems, frequently paired with Rhadamanthys and Lumma Stealer in multi-stage intrusions; its lineage complicates attribution.
Highest USA-government victim-posting RaaS group (43 posts, peaking at 5/month Sep–Nov 2025). Formerly Agenda; runs Rust/Go payloads; 24.6% of all USA-government ransomware Data Leak Site posts tracked.
Section 03
Highest-priority vulnerabilities weaponized against the USA Government sector. Per-row zero-day/KEV status was not distinguishable from the source extraction and is omitted — see aggregate figures in Section 02 (87% CISA KEV, 45% zero-day).
| CVE ID | Name | Product | Patch |
|---|---|---|---|
CVE-2024-8956 | PTZOptics Cameras Auth Bypass | PTZOptics IP Cameras | ✓ |
CVE-2024-8957 | PTZOptics Cameras OS Command Injection | PTZOptics IP Cameras | ✓ |
CVE-2022-42475 | FortiOS Heap-Based Buffer Overflow | Fortinet FortiOS | ✓ |
CVE-2024-55591 | FortiOS Authorization Bypass | Fortinet FortiOS | ✓ |
CVE-2025-5777 | NetScaler Gateway Out-of-Bounds Read | Citrix NetScaler/ADC | ✓ |
CVE-2026-1281 | Ivanti EPMM Code Injection | Ivanti EPM | ✓ |
CVE-2021-26855 | ProxyLogon — Exchange RCE | Microsoft Exchange Server | ✓ |
CVE-2021-26857 | ProxyLogon — Exchange RCE | Microsoft Exchange Server | ✓ |
CVE-2021-26858 | ProxyLogon — Exchange RCE | Microsoft Exchange Server | ✓ |
CVE-2021-27065 | ProxyLogon — Exchange RCE | Microsoft Exchange Server | ✓ |
CVE-2021-44228 | Log4Shell — Apache Log4j RCE | Apache Log4j | ✓ |
CVE-2023-3519 | NetScaler ADC/Gateway Code Injection | Citrix NetScaler/ADC | ✓ |
CVE-2024-12356 | BeyondTrust PRA/RS Command Injection | BeyondTrust PRA/RS | ✓ |
CVE-2024-12686 | BeyondTrust PRA/RS OS Command Injection | BeyondTrust PRA/RS | ✓ |
CVE-2024-3400 | PAN-OS Command Injection | Palo Alto PAN-OS | ✓ |
CVE-2025-0282 | Ivanti Connect Secure Stack Buffer Overflow | Ivanti Connect Secure | ✓ |
CVE-2022-26134 | Confluence Server/Data Center RCE | Atlassian Confluence | ✓ |
CVE-2023-46805 | Ivanti Connect Secure Auth Bypass | Ivanti Connect Secure | ✓ |
CVE-2024-21412 | Windows Internet Shortcut Security Bypass | Microsoft Windows | ✓ |
CVE-2024-21887 | Ivanti Connect Secure Command Injection | Ivanti Connect Secure | ✓ |
CVE-2024-21893 | Ivanti Connect Secure SSRF | Ivanti Connect Secure | ✓ |
CVE-2023-34048 | vCenter Server Out-of-Bounds Write | VMware vCenter | ✓ |
CVE-2023-20198 | Cisco IOS XE Web UI Privilege Escalation | Cisco IOS-XE | ✓ |
CVE-2023-20273 | Cisco IOS XE Web UI Command Injection | Cisco IOS-XE | ✓ |
CVE-2024-21762 | FortiOS SSL-VPN Out-of-Bounds Write | Fortinet FortiOS | ✓ |
CVE-2025-31324 | SAP NetWeaver Unrestricted File Upload | SAP NetWeaver | ✓ |
CVE-2025-61882 | Oracle E-Business Suite Unspecified Vuln | Oracle E-Business Suite | ✓ |
CVE-2025-20333 | Cisco ASA/FTD Buffer Overflow | Cisco Secure Firewall ASA/FTD | ✓ |
CVE-2025-20362 | Cisco ASA/FTD Missing Authorization | Cisco Secure Firewall ASA/FTD | ✓ |
CVE-2025-29824 | Windows CLFS Driver Use-After-Free | Microsoft Windows | ✓ |
CVE-2025-0994 | Trimble Cityworks Deserialization | Trimble Cityworks | |
CVE-2017-17215 | Huawei HG532 RCE | Huawei HG532 | ✓ |
CVE-2024-12856 | Four-Faith OS Command Injection | Four-Faith | |
CVE-2025-7771 | ThrottleStop Privilege Escalation | TechPowerUp ThrottleStop |
Patch column reflects confirmed availability where indicated in the source.
Section 04
Prioritize CISA KEV Remediation
87% of observed CVEs are on CISA KEV. Patch internet-facing perimeter appliances within 24 hours of KEV listing, consistent with CISA's Binding Operational Directive 26-04 (June 10, 2026, superseding BOD 22-01), which sets a 3-day maximum for federal civilian agencies on KEV-listed, automatable-exploit assets — a floor, not a ceiling. Non-federal entities: 24h perimeter, 72h other public KEV assets, 14 days internal KEV, 30 days high-severity non-KEV.
Harden Exchange, Fortinet, Ivanti Edge
The four most-exploited families are Exchange, FortiOS, Ivanti Connect Secure, and BeyondTrust PRA/RS. Migrate Exchange to M365 where possible; segment appliances behind zero-trust access; require MFA on all admin planes.
Constrain Remote-Support Tool Trust
BeyondTrust, SimpleHelp, and similar platforms are increasingly exploited via MSP compromise. Restrict outbound RMM traffic, log remote-support sessions, and audit MSP access quarterly.
Age-Out Legacy Vulnerable Infrastructure
78% of exploited CVEs are 2+ years old. Maintain an aged-CVE report and enforce a hard EOL policy; any CVE 5+ years old still deployed is an immediate priority.
Detect Infostealer-to-Ransomware Pipelines
Rhadamanthys, StealC, Lumma, and Vidar feed harvested credentials to Initial Access Brokers selling to Qilin, INC, and Medusa affiliates. Deploy EDR/XDR tuned for non-browser credential-store access, LSASS reads, and browser SQLite exfiltration.
Section 05
Section 06
Representative indicators by attack/malware name, covering ransomware groups, malware families, and espionage implants observed against the USA Government sector: Qilin, INC, Safepay, Medusa, DragonForce, InterLock, Rhysida, AsyncRAT, Rhadamanthys, Lumma, StealC, Vidar, ValleyRAT, BRICKSTORM, MemFun, Getpass, and MimicRAT. Lists below are truncated to representative samples per family.
| Attack Name | Type | Value |
|---|---|---|
| Qilin | SHA256 | 73b1fffd35d3a72775e0ac4c836e70efefa0930551a2f813843bdfb32df4579ae4cbee73bb41a3c7efc9b86a58495c5703f08d4b36df849c5bebc046d4681b70+3 more |
| Qilin | IPv4 | 184[.]174[.]96[.]70180[.]131[.]145[.]73 |
| Qilin | Tor Leak Site | ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion |
| Qilin | Filename | README-RECOVER-[rand].txt[Unique ID]-RECOVER-README.txt |
| INC | SHA256 | fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced |
| Safepay | SHA256 | a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff5264fe8c6ccdfbcbf6714472e805447fd727d3e46525bd44baf08e5887f890ffb88+10 more |
| Safepay | TOR Address | safepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd[.]onion |
| Medusa | SHA256 | 4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980+15 more |
| Medusa | MD5 | d54bae930b038950c2947f5397c13f84 |
| Medusa | SHA1 | e164bbaf848fa5d46fa42f62402a1c55330ef562 |
| DragonForce | SHA256 | 1250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b |
| DragonForce | Tor Address | z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion+1 more |
| DragonForce | Tox ID | 1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20+1 more |
| InterLock | SHA256 | 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9+9 more |
| Rhysida | SHA256 | 86e75af22f702ba1aaa545708e04cb54468a388e899e259510af9c95b34d80cc8061bb999a0f5d3165742283001a7a68e7905718c928172343bf8456b69f268d+3 more |
| AsyncRAT | SHA256 | 7bb7c893fdf7f7ccd998610969d23993c50fc0b693e67930b6f98d8dbd003ee3ececf197bee885791a9b13cd48c131eec76d8431f1907f9d55b6c9330b57a85e+17 more |
| Rhadamanthys | SHA256 | aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f0054a0b839de6c8261a2f7ec0bd0efdcf2eb28161db6e6354ef94709c99b40c3+45 more |
| Lumma | SHA256 | 77460056386f07d96908455241b15091c3edecd9fd55fbf6ce7f3a061c7ac5cd3f86ca59335214a918870d86a47b21cc77f941dfcb32b7ba97620021621e7444+23 more |
| StealC | SHA256 | 5dda23dea89feea09086361d99a9dc1c04f1a2e552a2f5f52cb83d2d8e4e11f89bc696c7c68c2c31cd431ed0af9264fe056942923399b1adb4c55241639bc835+3 more |
| Vidar | SHA256 | d1258b4c2b9849833651d1e844d1a99a5bc7febbb751548f960e92525afe6c26bfee57d9e1b68c5c5aa63792b4e67b94f3361749e186531bd01609d9382672f3+2 more |
| ValleyRAT | SHA256 | b14996c4a93ff7d09795b113fb916c9588eb7efb4d64a1dbe190cfe937912209+2 more |
| BRICKSTORM | SHA256 | 320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759+2 more |
| MemFun | SHA256 | ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad |
| Getpass | SHA256 | ee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f |
| MimicRAT | SHA256 | a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b |
Section 07