DragonForce Abuses Teams, INC Ransomware Surge, Evil Corp Botnet Hit
Summary
Today's intelligence shows a threat landscape defined by operational evolution and persistent targeting of critical infrastructure. The disruption of Evil Corp's SocGholish botnet signals law enforcement's continued focus on initial access brokers, while the rise of INC Ransomware as a dominant RaaS player and DragonForce's novel abuse of Microsoft Teams relay infrastructure for C2 show how adversaries adapt their tooling and infrastructure to blend into trusted services. Defenders should prioritize patching the critical NGINX HTTP/3 flaws and scrutinizing third-party scripts on checkout pages, as both represent high-probability attack vectors.
Today's developments
Ransomware and Initial Access Landscape Shifts. Industry researchers have charted the evolution of INC Ransomware into one of the most prolific cybercrime groups of 2026, with over 830 claimed victims since August 2023. The disruption of LockBit and BlackCat created a vacuum that INC has aggressively filled by absorbing displaced affiliates. Separately, security reporters detail that DragonForce ransomware affiliates have been observed using a custom Go-based backdoor called Backdoor.Turn to conceal command-and-control traffic inside Microsoft Teams relay infrastructure, in an intrusion targeting a major U.S. services firm. The technique rides on a trusted SaaS platform to evade network detection: the traffic terminates at Microsoft-owned endpoints that most organizations allowlist, so domain- and IP-based blocking is ineffective, and detection has to come from endpoint telemetry (which process is talking to Teams infrastructure, and whether that process is a legitimate Teams client or browser) rather than from the network perimeter.
Law Enforcement and Industry Action. Authorities have disrupted Evil Corp's SocGholish botnet, taking down 106 servers and remediating nearly 15,000 infected sites. SocGholish has been a primary initial access vector for ransomware deployments. In a major industry move, Accenture has announced a $4.18 billion push into industrial cybersecurity, acquiring a majority stake in Dragos and purchasing runZero and NetRise. This signals growing investment in OT security amid rising threats to critical infrastructure.
Critical Vulnerabilities and Exposures. F5 has patched two critical flaws in NGINX Open Source, including CVE-2026-42530 (CVSS 9.2), a use-after-free in the HTTP/3 module that enables remote code execution. Because that bug lives in the HTTP/3 code path, it is only reachable on builds compiled with the HTTP/3 module and configured with a QUIC listener, so check both before treating a host as exposed to it; every host should still take the update. Separately, Microsoft has detailed a Windows clipper malware campaign (malware that silently swaps cryptocurrency wallet addresses in the clipboard) spreading via USB LNK worms and using Tor-based C2, targeting cryptocurrency users since February 2026.
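A triage helper for the NGINX HTTP/3 flaw, added here as an example and not taken from F5's advisory or the NGINX project: it decides whether a host is actually exposed by checking the build flags from `nginx -V` and the resolved configuration from `nginx -T`. It assumes the vulnerable code is confined to the module built with `--with-http_v3_module` and is only reached through a `listen ... quic` directive; the `nginx -V` and `nginx -T` outputs below are constructed samples, not real hosts.

```sh
#!/bin/sh
# Triage helper for the NGINX HTTP/3 use-after-free: decide whether a host is
# actually exposed before scheduling an emergency restart.
# Assumption (not stated in the summary above): the vulnerable code lives in the
# HTTP/3 module, so a build without --with-http_v3_module, or a build that has
# it but no `listen ... quic` directive, cannot reach it.

# $1: text of `nginx -V 2>&1` (version line plus configure arguments)
nginx_has_http3_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# $1: text of `nginx -T 2>/dev/null` (the fully resolved, active configuration).
# Matches uncommented listen directives that carry the quic parameter.
config_has_quic_listener() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*listen[[:space:]][^;#]*[[:space:]]quic([[:space:]]|;|$)'
}

# Prints one of: exposed | module-only | not-built
nginx_http3_exposure() {
    if nginx_has_http3_module "$1"; then
        if config_has_quic_listener "$2"; then
            echo exposed
        else
            echo module-only
        fi
    else
        echo not-built
    fi
}

# Constructed sample inputs standing in for real `nginx -V` / `nginx -T` output.
SAMPLE_V_WITH_H3='nginx version: nginx/1.27.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module'
SAMPLE_V_WITHOUT_H3='nginx version: nginx/1.24.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_CONF_QUIC='server {
    listen 443 ssl;
    listen 443 quic reuseport;
    # listen 8443 quic;   # disabled listener, must not count
    http2 on;
}'
SAMPLE_CONF_NO_QUIC='server {
    listen 443 ssl;
    # listen 443 quic reuseport;
}'

# Live use on a host:
#   nginx_http3_exposure "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
nginx_http3_exposure "$SAMPLE_V_WITH_H3"    "$SAMPLE_CONF_QUIC"      # exposed
nginx_http3_exposure "$SAMPLE_V_WITH_H3"    "$SAMPLE_CONF_NO_QUIC"   # module-only
nginx_http3_exposure "$SAMPLE_V_WITHOUT_H3" "$SAMPLE_CONF_QUIC"      # not-built
```

`nginx -T` is used rather than grepping files under `/etc/nginx` so that included files and disabled sites are handled the way the running binary sees them; it may need root to read TLS key files. A `module-only` result still warrants the update, since a later config change would open the code path without anyone rebuilding nginx.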
Notable Data Exposure Incidents. Today's 40 critical data exposure events include several high-value targets:
- An actor claims to have breached the Central Bank of Venezuela, targeting a sovereign financial institution.
- An actor claims to have compromised Pakistan Military Intelligence, a sensitive government entity.
- An actor claims to have breached SeNaSa, a major insurance provider in the Dominican Republic.
- An actor claims to have compromised the Ministerio de Salud (Ministry of Health) in Argentina.
- Multiple actors claim to have breached French real estate firms, including Ma Gestion Locative, TIMER IMMOBILIER, and TakTikimmo.
- An actor claims to have data from Renta Nacional, a Chilean financial services firm.
- An actor claims to have breached Central Polytechnic College in India.
- An actor operating as Mosad Leaks claims a series of leaks targeting Indian, Russian, and U.S. government entities.
- An actor claims to have compromised Mackay Sugar, an Australian sugar producer, with the incident disrupting harvesting and milling operations.
Threat landscape signals
Actor Concentration and Shifting Tactics. The top five threat actors account for 51 of today's 163 tracked events, indicating high concentration. Dark Storm Team leads with 18 events, followed by The Gentlemen (11) and EXADOS (8). The Gentlemen's claim against Mackay Sugar aligns with a broader trend of ransomware groups targeting agricultural and food processing sectors, where operational downtime has immediate financial and supply-chain consequences.
Geographic and Sectoral Targeting. The United States remains the most targeted country (26 events), followed by France (17) and Thailand (15). The high number of French real estate breaches suggests a coordinated campaign against that sector. Government administration (India, Pakistan, Argentina, Venezuela) and financial services remain prime targets. The alleged sale of credit card data from multiple countries and bank leads from the USA indicates continued underground market activity in financial fraud.
Ransomware Dominance and DDoS Persistence. Ransomware accounts for 43 of today's events, while DDoS attacks total 29. The INC Ransomware analysis confirms that affiliate migration following major takedowns is reshaping the RaaS ecosystem. Defenders should monitor for affiliates moving from disrupted groups to INC, DragonForce, or other emerging operations. The persistence of DDoS activity, particularly from groups like Dark Storm Team, suggests that hacktivist-motivated disruption remains a parallel threat to data extortion.