Storming the Capitol Network: Nation-State Ops Against the USA Government

Red | Attack
Download Now
Storming the Capitol Network: Nation-State Ops Against the USA Government (TA2026192) — 76 Weaponized CVEs, Qilin Ransomware, APT41

Threat Advisory • Attack Report • TA2026192

Storming the Capitol Network: Nation-State Ops Against the USA Government

HiveForce Labs tracked 18 months of sustained cyber-threat telemetry against the USA Government sector — federal, state, local, tribal, and territorial (SLTT) agencies. The dataset spans 76 weaponized CVEs (87% CISA KEV, 45% zero-day), a Qilin-led ransomware wave, and persistent nation-state espionage from APT41, Silk Typhoon, Salt Typhoon, Star Blizzard, and Kimsuky.

ATTACK REPORT ADMIRALTY: A1 RANSOMWARE NATION-STATE ESPIONAGE 76 CVEs TRACKED 87% CISA KEV
TA Number
TA2026192
Date
July 9, 2026
Admiralty Code
A1
Region
United States
Sector
Government — Federal; SLTT; public-safety agencies
Primary Attack Surface
Internet-facing VPN/firewall/remote-access appliances, web/collaboration apps
Top Threat-Actor Nexus
China (Salt/Silk Typhoon, APT41), Iran, Russia (Star Blizzard)
Dominant Ransomware
Qilin — runaway leader in victim posts
Most-Exploited Vendors
Microsoft, Cisco, Fortinet, Ivanti, VMware

Summary

76
CVEs Weaponized
87%
Listed in CISA KEV
34
Zero-Day Exploited
156
Malware/Campaign Advisories
175+
Ransomware Victim Posts

The USA Government sector faces one of the world’s most persistent and diverse cyber-threat surfaces. Between January 2025 and July 2026, HiveForce Labs tracked 76 vulnerabilities weaponized against federal, state, local, tribal, and territorial (SLTT) government targets — 87% of which are listed in CISA KEV. Ransomware activity dominates the current picture, with Qilin, INC, Safepay, and Medusa accounting for the majority of victim postings. State-aligned actors from China (APT41, Silk/Salt Typhoon), Russia (Star Blizzard, Cold River), Iran, and North Korea (Kimsuky) continue espionage, while criminal groups exploit legacy on-premises infrastructure — particularly Exchange, FortiOS, Ivanti Connect Secure, and BeyondTrust.

Key Observations
  • Legacy on-premises Exchange, Fortinet, Ivanti, and BeyondTrust products remain the most targeted entry points.
  • 87% CISA KEV coverage indicates adversaries are exploiting vulnerabilities the U.S. government itself has flagged as actively exploited.
  • Qilin alone posted 43 USA government victims — 39% of Data Leak Site posts across the top six tracked groups.
  • 72% of malware/campaign advisories remain unattributed, reflecting the complexity of contemporary intrusion-set overlap.

Attack Details

Over eighteen months, HiveForce Labs tracked 156 distinct malware and campaign advisories targeting the USA Government sector — a volume unmatched by any other vertical. The intrusion set spans China-nexus espionage groups (APT41, Silk Typhoon, Salt Typhoon, FishMonger, PlushDaemon, ToddyCat, ToyMaker), Russian operators (Star Blizzard, Cold River), Iranian/DPRK-linked actors (Kimsuky, Water Gamayun), independent groups (TeamPCP, Mora_001, UAT-6382), and a sprawling ransomware-as-a-service criminal ecosystem.

The exploitation surface is disturbingly consistent. Of the 76 CVEs weaponized, five vendors — Microsoft, Cisco, Fortinet, Ivanti, VMware — account for 42% of volume, and the top-seven exploited products (Exchange, FortiOS, Ivanti Connect Secure, BeyondTrust PRA/RS, SimpleHelp, VMware vCenter, Cisco IOS-XE) map onto mail, VPN, remote-support, virtualization, and network fabric. 87% of exploited CVEs are CISA KEV, and 45% were zero-day — adversaries operate at the exact edge where known criticality meets a documented patch.

Ransomware defines the picture: 50 of 156 advisories (32%) are ransomware families. Qilin alone posted 43 U.S. government victims (~39% of the top-six total), peaking at five posts/month across September–November 2025. INC (20), Safepay (12), Medusa (10), DragonForce (8), Ransom House (8), InterLock (7), and Rhysida (5) round out a top tier posting a new victim roughly every three days.

Infostealers are the second-largest malware category (18%) — Rhadamanthys, StealC, Lumma, Vidar — feeding harvested credentials to Initial Access Brokers who sell to Qilin, INC, and Medusa affiliates. Backdoors/RATs represent 19%: AsyncRAT and ValleyRAT dominate commodity use, while BRICKSTORM, MemFun, and Getpass anchor higher-tier espionage. State actors increasingly wrap commodity payloads with custom loaders (MimicRAT, SilentPrism, DarkWisp), while criminal affiliates borrow nation-state tradecraft (DLL sideloading, ClickFix, LOLBins).

Most uncomfortably: 78% of weaponized CVEs are 2+ years old, 21% are 6+ years old, and 89% have vendor patches available. Adversaries are largely exploiting known, patchable, KEV-listed vulnerabilities that government tenants have failed to remediate — a remediation-velocity failure, not a disclosure failure.

Top Threat Actor — APT41

Chinese state-sponsored group (also Wicked Panda, Brass Typhoon, Winnti Group) running multiple parallel campaigns against USA federal and SLTT targets — the single most active named actor in the tracking window.

Top CVE — CVE-2023-3519 (Citrix NetScaler ADC/Gateway)

CVE-2023-3519 is an unauthenticated RCE, CISA KEV-listed, weaponized by multiple actors including state-nexus groups — representative of the network-edge appliance flaws dominating USA government exposure.

Top Malware Family — AsyncRAT

An open-source RAT reused across affiliate ecosystems, frequently paired with Rhadamanthys and Lumma Stealer in multi-stage intrusions; its lineage complicates attribution.

Top Ransomware Group — Qilin

Highest USA-government victim-posting RaaS group (43 posts, peaking at 5/month Sep–Nov 2025). Formerly Agenda; runs Rust/Go payloads; 24.6% of all USA-government ransomware Data Leak Site posts tracked.

Malware Type Distribution
  • Ransomware: 32% — the criminal ecosystem's continued high-pressure focus on government.
  • Infostealers: 18% — increasingly feed ransomware pipelines via Initial Access Brokers.
  • Backdoors + RATs: 19% — consistent with sustained state-sponsored espionage.
  • Botnets: 6.4% — skew toward IoT-based DDoS against municipal websites.
  • Loader/Dropper: 5.1% — wraps commodity payloads with custom evasion.
CVE Age & Exposure Surface
  • Only 22% of CVEs are ≤1 year old; 78% target vulnerabilities disclosed 2+ years ago.
  • 21% of tracked CVEs are 6+ years old, indicating systemic legacy patching gaps.
  • 89% patch availability + 87% CISA KEV membership: most compromises occur on officially flagged, patchable vulnerabilities.
  • ~30% of exploited CVEs sit on VPN/firewall/remote-access appliances; ~29% on public web/collaboration/middleware — ~60% combined internet-facing exposure. Edge/IoT/firmware adds 17%.

CVEs — Top Priority

Highest-priority vulnerabilities weaponized against the USA Government sector. Per-row zero-day/KEV status was not distinguishable from the source extraction and is omitted — see aggregate figures in Section 02 (87% CISA KEV, 45% zero-day).

CVE IDNameProductPatch
CVE-2024-8956PTZOptics Cameras Auth BypassPTZOptics IP Cameras
CVE-2024-8957PTZOptics Cameras OS Command InjectionPTZOptics IP Cameras
CVE-2022-42475FortiOS Heap-Based Buffer OverflowFortinet FortiOS
CVE-2024-55591FortiOS Authorization BypassFortinet FortiOS
CVE-2025-5777NetScaler Gateway Out-of-Bounds ReadCitrix NetScaler/ADC
CVE-2026-1281Ivanti EPMM Code InjectionIvanti EPM
CVE-2021-26855ProxyLogon — Exchange RCEMicrosoft Exchange Server
CVE-2021-26857ProxyLogon — Exchange RCEMicrosoft Exchange Server
CVE-2021-26858ProxyLogon — Exchange RCEMicrosoft Exchange Server
CVE-2021-27065ProxyLogon — Exchange RCEMicrosoft Exchange Server
CVE-2021-44228Log4Shell — Apache Log4j RCEApache Log4j
CVE-2023-3519NetScaler ADC/Gateway Code InjectionCitrix NetScaler/ADC
CVE-2024-12356BeyondTrust PRA/RS Command InjectionBeyondTrust PRA/RS
CVE-2024-12686BeyondTrust PRA/RS OS Command InjectionBeyondTrust PRA/RS
CVE-2024-3400PAN-OS Command InjectionPalo Alto PAN-OS
CVE-2025-0282Ivanti Connect Secure Stack Buffer OverflowIvanti Connect Secure
CVE-2022-26134Confluence Server/Data Center RCEAtlassian Confluence
CVE-2023-46805Ivanti Connect Secure Auth BypassIvanti Connect Secure
CVE-2024-21412Windows Internet Shortcut Security BypassMicrosoft Windows
CVE-2024-21887Ivanti Connect Secure Command InjectionIvanti Connect Secure
CVE-2024-21893Ivanti Connect Secure SSRFIvanti Connect Secure
CVE-2023-34048vCenter Server Out-of-Bounds WriteVMware vCenter
CVE-2023-20198Cisco IOS XE Web UI Privilege EscalationCisco IOS-XE
CVE-2023-20273Cisco IOS XE Web UI Command InjectionCisco IOS-XE
CVE-2024-21762FortiOS SSL-VPN Out-of-Bounds WriteFortinet FortiOS
CVE-2025-31324SAP NetWeaver Unrestricted File UploadSAP NetWeaver
CVE-2025-61882Oracle E-Business Suite Unspecified VulnOracle E-Business Suite
CVE-2025-20333Cisco ASA/FTD Buffer OverflowCisco Secure Firewall ASA/FTD
CVE-2025-20362Cisco ASA/FTD Missing AuthorizationCisco Secure Firewall ASA/FTD
CVE-2025-29824Windows CLFS Driver Use-After-FreeMicrosoft Windows
CVE-2025-0994Trimble Cityworks DeserializationTrimble Cityworks
CVE-2017-17215Huawei HG532 RCEHuawei HG532
CVE-2024-12856Four-Faith OS Command InjectionFour-Faith
CVE-2025-7771ThrottleStop Privilege EscalationTechPowerUp ThrottleStop

Patch column reflects confirmed availability where indicated in the source.


Recommendations

01

Prioritize CISA KEV Remediation

87% of observed CVEs are on CISA KEV. Patch internet-facing perimeter appliances within 24 hours of KEV listing, consistent with CISA's Binding Operational Directive 26-04 (June 10, 2026, superseding BOD 22-01), which sets a 3-day maximum for federal civilian agencies on KEV-listed, automatable-exploit assets — a floor, not a ceiling. Non-federal entities: 24h perimeter, 72h other public KEV assets, 14 days internal KEV, 30 days high-severity non-KEV.

02

Harden Exchange, Fortinet, Ivanti Edge

The four most-exploited families are Exchange, FortiOS, Ivanti Connect Secure, and BeyondTrust PRA/RS. Migrate Exchange to M365 where possible; segment appliances behind zero-trust access; require MFA on all admin planes.

03

Constrain Remote-Support Tool Trust

BeyondTrust, SimpleHelp, and similar platforms are increasingly exploited via MSP compromise. Restrict outbound RMM traffic, log remote-support sessions, and audit MSP access quarterly.

04

Age-Out Legacy Vulnerable Infrastructure

78% of exploited CVEs are 2+ years old. Maintain an aged-CVE report and enforce a hard EOL policy; any CVE 5+ years old still deployed is an immediate priority.

05

Detect Infostealer-to-Ransomware Pipelines

Rhadamanthys, StealC, Lumma, and Vidar feed harvested credentials to Initial Access Brokers selling to Qilin, INC, and Medusa affiliates. Deploy EDR/XDR tuned for non-browser credential-store access, LSASS reads, and browser SQLite exfiltration.


Potential MITRE ATT&CK TTPs

T1190
Initial Access
Exploit Public-Facing Application
T1505.003
Persistence
Server Software Component: Web Shell
T1543.003
Persistence
Create/Modify System Process: Windows Service
T1547.001
Persistence
Boot/Logon Autostart: Registry Run Keys/Startup Folder
T1569.002
Execution
System Services: Service Execution
T1059.001
Execution
Command/Scripting Interpreter: PowerShell
T1574.001
Defense Evasion
Hijack Execution Flow: DLL
T1140
Defense Evasion
Deobfuscate/Decode Files or Information
T1562
Defense Evasion
Impair Defenses
T1027
Defense Evasion
Obfuscated Files or Information
T1055
Defense Evasion
Process Injection
T1014
Defense Evasion
Rootkit
T1036.005
Defense Evasion
Masquerading: Match Legitimate Resource Name/Location
T1078.002
Credential Access
Valid Accounts: Domain Accounts
T1021.001
Lateral Movement
Remote Services: RDP
T1021.002
Lateral Movement
Remote Services: SMB/Windows Admin Shares
T1016
Discovery
System Network Configuration Discovery
T1583.001
Resource Development
Acquire Infrastructure: Domains
T1071.001
Command and Control
Application Layer Protocol: Web Protocols
T1573.002
Command and Control
Encrypted Channel: Asymmetric Cryptography
T1041
Exfiltration
Exfiltration Over C2 Channel
T1486
Impact
Data Encrypted for Impact
T1490
Impact
Inhibit System Recovery
T1489
Impact
Service Stop
T1485
Impact
Data Destruction

Indicators of Compromise (IOCs)

Representative indicators by attack/malware name, covering ransomware groups, malware families, and espionage implants observed against the USA Government sector: Qilin, INC, Safepay, Medusa, DragonForce, InterLock, Rhysida, AsyncRAT, Rhadamanthys, Lumma, StealC, Vidar, ValleyRAT, BRICKSTORM, MemFun, Getpass, and MimicRAT. Lists below are truncated to representative samples per family.

Attack NameTypeValue
QilinSHA25673b1fffd35d3a72775e0ac4c836e70efefa0930551a2f813843bdfb32df4579a
e4cbee73bb41a3c7efc9b86a58495c5703f08d4b36df849c5bebc046d4681b70
+3 more
QilinIPv4184[.]174[.]96[.]70
180[.]131[.]145[.]73
QilinTor Leak Siteijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion
QilinFilenameREADME-RECOVER-[rand].txt
[Unique ID]-RECOVER-README.txt
INCSHA256fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
SafepaySHA256a0dc80a37eb7e2716c02a94adc8df9baedec192a77bde31669faed228d9ff526
4fe8c6ccdfbcbf6714472e805447fd727d3e46525bd44baf08e5887f890ffb88
+10 more
SafepayTOR Addresssafepaypfxntwixwjrlcscft433ggemlhgkkdupi2ynhtcmvdgubmoyd[.]onion
MedusaSHA2564d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6
657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980
+15 more
MedusaMD5d54bae930b038950c2947f5397c13f84
MedusaSHA1e164bbaf848fa5d46fa42f62402a1c55330ef562
DragonForceSHA2561250ba6f25fd60077f698a2617c15f89d58c1867339bfd9ee8ab19ce9943304b
DragonForceTor Addressz3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid[.]onion
+1 more
DragonForceTox ID1C054B722BCBF41A918EF3C485712742088F5C3E81B2FDD91ADEA6BA55F4A856D90A65E99D20
+1 more
InterLockSHA25628c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f
4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9
+9 more
RhysidaSHA25686e75af22f702ba1aaa545708e04cb54468a388e899e259510af9c95b34d80cc
8061bb999a0f5d3165742283001a7a68e7905718c928172343bf8456b69f268d
+3 more
AsyncRATSHA2567bb7c893fdf7f7ccd998610969d23993c50fc0b693e67930b6f98d8dbd003ee3
ececf197bee885791a9b13cd48c131eec76d8431f1907f9d55b6c9330b57a85e
+17 more
RhadamanthysSHA256aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f
0054a0b839de6c8261a2f7ec0bd0efdcf2eb28161db6e6354ef94709c99b40c3
+45 more
LummaSHA25677460056386f07d96908455241b15091c3edecd9fd55fbf6ce7f3a061c7ac5cd
3f86ca59335214a918870d86a47b21cc77f941dfcb32b7ba97620021621e7444
+23 more
StealCSHA2565dda23dea89feea09086361d99a9dc1c04f1a2e552a2f5f52cb83d2d8e4e11f8
9bc696c7c68c2c31cd431ed0af9264fe056942923399b1adb4c55241639bc835
+3 more
VidarSHA256d1258b4c2b9849833651d1e844d1a99a5bc7febbb751548f960e92525afe6c26
bfee57d9e1b68c5c5aa63792b4e67b94f3361749e186531bd01609d9382672f3
+2 more
ValleyRATSHA256b14996c4a93ff7d09795b113fb916c9588eb7efb4d64a1dbe190cfe937912209
+2 more
BRICKSTORMSHA256320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759
+2 more
MemFunSHA256ad25b40315dad0bda5916854e1925c1514f8f8b94e4ee09a43375cc1e77422ad
GetpassSHA256ee4d4b7340b3fa70387050cd139b43ecc65d0cfd9e3c7dcb94562f5c9c91f58f
MimicRATSHA256a508d0bb583dc6e5f97b6094f8f910b5b6f2b9d5528c04e4dee62c343fce6f4b

References