TRENDING TOPICS AUG 27, 2025

Nevada Shuts Down State Offices After Major Cyberattack Disrupts IT Systems 

The State of Nevada has entered its third day of disruption following a large-scale cyberattack that began early Sunday morning and has forced the closure of all state offices. The Governor’s Technology Office reported the first signs of trouble around 1:52 AM PT, describing it initially as a “network issue” before later confirming it as a cybersecurity incident. The attack has caused widespread outages across government websites, phone systems, and online platforms, preventing residents from accessing services and interrupting daily operations in multiple departments. Emergency services, including 911, remain unaffected, but critical state-facing resources continue to be degraded. The nature of the disruptions—forcing systems offline to contain spread and requiring extensive restoration—aligns with patterns typically associated with ransomware operations. However, officials have not formally attributed the incident. Governor Joe Lombardo’s office confirmed that recovery teams are working around the clock, supported by local, tribal, and federal partners, to investigate the breach and restore safe functionality to impacted systems. While Nevada has stated there is no current evidence of stolen personal or financial data, investigators caution that prolonged adversary access may have provided opportunities for credential harvesting, network reconnaissance, or silent exfiltration. Past incidents involving ransomware campaigns against state and municipal governments often show attackers using data theft as leverage, even when encryption is prevented or remediated. The FBI and federal cybersecurity agencies are now engaged, and residents have been advised to remain vigilant for phishing attempts, unsolicited calls, or fraudulent messages that could attempt to exploit the incident. 
Analysts note that Nevada’s experience highlights systemic risks for governments that depend on aging IT infrastructure and underscores the importance of modernizing defenses, ensuring backup availability, and rehearsing continuity plans for extended outages. As of today, state recovery teams continue to validate systems before bringing them back online, emphasizing a cautious approach to prevent reinfection or further compromise.

Silk Typhoon Campaign Uses Captive Portal Hijacking to Deliver PlugX Variant Against Diplomats 

Google’s Threat Intelligence Group (GTIG) uncovered an espionage operation attributed to UNC6384, a cluster linked to Silk Typhoon. The attackers hijacked Chrome’s captive portal detection, likely by compromising an edge device, and redirected victims to a fake Adobe plugin update page. Victims were lured into downloading a signed file called “AdobePlugins[.]exe,” which appeared legitimate but instead deployed a disguised MSI package containing a Canon printer tool, a malicious DLL named CANONSTAGER, and an RC4-encrypted PlugX variant dubbed SOGU[.]SEC. Once executed, CANONSTAGER decrypted the payload into memory, providing attackers with capabilities for reconnaissance, file theft, and remote shell access. The campaign also included step-by-step instructions to bypass Windows security prompts, reflecting a deliberate focus on usability and higher infection success against carefully chosen targets. Further analysis revealed that the malicious binaries were signed using certificates from Chengdu Nuoxin Times Technology Co., Ltd., a company associated with at least 25 other malware samples linked to Chinese espionage campaigns since 2023. While it remains unclear whether the organization was compromised or complicit, GTIG recommended treating all certificates from this issuer as untrusted. Google has blocked malicious domains and file hashes through Safe Browsing, issued targeted alerts, and released YARA rules and IoCs to aid defenders. The campaign highlights Silk Typhoon’s evolving PlugX delivery methods, relying on DLL side-loading, code-signing abuse, and traffic hijacking at the network level. Analysts assess that the group will likely pivot quickly to new infrastructure and binaries following exposure, underscoring the need for organizations—particularly in diplomatic and government sectors—to closely monitor captive portal behavior, verify code-signing certificates, and enforce strict endpoint defenses.
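The "verify code-signing certificates" recommendation above can be made concrete as a triage check that pulls the Authenticode blob out of a PE file and looks for the organization name GTIG says to distrust. The following is an editor-added example, not Google's or GTIG's tooling: it uses only the Python standard library, matches the organization string exactly as printed in this summary, and scans the DER blob for organizationName attributes heuristically rather than parsing PKCS#7 in full (a production check would use a real X.509 parser or signtool). The synthetic PE builder and certificate fragments are constructed fixtures so the check can be exercised without a signed binary.

```python
"""Flag PE files whose Authenticode certificate chain names a blocklisted organization."""
import struct
import sys
from typing import List, Optional

# Organization name to treat as untrusted, exactly as the GTIG reporting names it.
BLOCKED_ORGS = {"Chengdu Nuoxin Times Technology Co., Ltd."}

OID_ORGANIZATION_NAME = b"\x06\x03\x55\x04\x0a"  # DER encoding of id-at-organizationName (2.5.4.10)
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1E}  # UTF8, Printable, T61, IA5 and BMP string tags
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def read_authenticode_blob(pe: bytes) -> Optional[bytes]:
    """Return the PKCS#7 SignedData carried in the PE security directory, or None if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF file header
    if opt + 2 > len(pe):
        return None
    magic = struct.unpack_from("<H", pe, opt)[0]
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+);
    # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4 and holds a file offset, not an RVA.
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_base is None:
        return None
    dir_off = opt + dir_base + 4 * 8
    if dir_off + 8 > len(pe):
        return None
    off, size = struct.unpack_from("<II", pe, dir_off)
    if off == 0 or size < 8 or off + size > len(pe):
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return None
    return pe[off + 8:off + length]


def extract_org_names(der: bytes) -> List[str]:
    """Heuristic: collect every organizationName value found in a DER blob.

    Scanning for the encoded OID followed by a short-form string TLV is enough to
    match a blocklisted O= value; a full X.509 parser would be more robust.
    """
    names = []
    pos = der.find(OID_ORGANIZATION_NAME)
    while pos != -1:
        tag_pos = pos + len(OID_ORGANIZATION_NAME)
        if tag_pos + 2 <= len(der) and der[tag_pos] in STRING_TAGS and der[tag_pos + 1] < 0x80:
            tag, length = der[tag_pos], der[tag_pos + 1]
            raw = der[tag_pos + 2:tag_pos + 2 + length]
            names.append(raw.decode("utf-16-be" if tag == 0x1E else "utf-8", errors="replace"))
        pos = der.find(OID_ORGANIZATION_NAME, pos + 1)
    return names


def blocked_signers(pe: bytes) -> List[str]:
    """Blocklisted organization names present anywhere in the file's signature chain."""
    blob = read_authenticode_blob(pe)
    if blob is None:
        return []
    return sorted({name for name in extract_org_names(blob) if name in BLOCKED_ORGS})


# Constructed fixtures (not real certificates or binaries) so the check runs offline.

def make_org_attr(name: str) -> bytes:
    """DER AttributeTypeAndValue fragment for organizationName=name as a UTF8String."""
    value = name.encode("utf-8")
    return OID_ORGANIZATION_NAME + bytes([0x0C, len(value)]) + value


def build_synthetic_pe(cert_blob: bytes, pe32plus: bool = True) -> bytes:
    """Minimal, non-executable PE image whose security directory points at cert_blob."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + b"\x00" * 20
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    sec_off = len(dos) + len(coff) + len(opt)
    struct.pack_into("<II", opt, (112 if pe32plus else 96) + 4 * 8, sec_off, len(win_cert))
    return dos + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = blocked_signers(fh.read())
        print(f"{path}: {'BLOCKED ' + ', '.join(hits) if hits else 'ok'}")
```

Run it as `python check_signer.py <file.exe> ...` over a sample set; a hit means the chain embeds a certificate issued to the blocklisted organization, which by itself justifies quarantine and further analysis regardless of whether the signature validates.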

Blind Eagle Expands Operations With Five Distinct Clusters Targeting Colombia 

Recorded Future Insikt Group has tracked Blind Eagle (TAG-144), an established South American threat actor active since at least 2018, conducting five distinct but overlapping activity clusters between May 2024 and July 2025. The group’s primary focus remains Colombian government entities at the local, municipal, and federal levels, though operations extended to education, defense, retail, healthcare, oil, and financial sectors, as well as Spanish-speaking communities in Ecuador, Chile, Panama, and the U.S. Blind Eagle relies on spear-phishing as its entry point, using compromised accounts to impersonate government or financial institutions and distributing malicious links through shorteners. SVG lures loaded JavaScript from Discord CDN, which fetched PowerShell from Paste[.]ee, ultimately retrieving a JPG on the Internet Archive containing an embedded .NET assembly. This enabled deployment of RATs, including AsyncRAT, Remcos, Lime RAT, DCRat, and XWorm. Infrastructure was reinforced through Colombian ISP ranges, VPS services including Proton666, VPNs including TorGuard and FrootVPN, and dynamic DNS providers including duckdns[.]org, ip-ddns[.]com, and noip[.]com, while payloads were staged on trusted platforms, including Dropbox, GitHub, and Google Drive. Cluster analysis shows Blind Eagle’s diversity while underscoring its reliance on proven tools. Cluster 1 (Feb–Jul 2025) targeted Colombian government agencies with DCRat, AsyncRAT, and Remcos RAT. Cluster 2 (Sep–Dec 2024) expanded its scope to defense, education, and retail, utilizing AsyncRAT and XWorm, whereas Cluster 3 (Sep 2024–Jul 2025) concentrated on sustaining AsyncRAT and Remcos infections. Cluster 4 (May 2024–Feb 2025) centered on phishing infrastructure impersonating major Colombian banks. Cluster 5 (Mar–Jul 2025) leveraged Lime RAT and cracked AsyncRAT builds, the latter tied to Red Akodon and Shadow Vector, indicating tool sharing within the regional ecosystem.
Roughly 60% of observed activity impacted government organizations, with secondary targeting of financial and energy sectors. The continued use of commodity RATs, cracked malware, and dynamic DNS reflects a pragmatic approach—recycling reliable techniques while refining infrastructure for persistence. While financial gain is evident, the persistent focus on government and critical entities raises concerns of state-aligned espionage. Defenders should prioritize detection of these RAT families, monitor dynamic DNS traffic, and strengthen phishing resilience across impacted sectors.
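The staging chain (Discord CDN to Paste.ee to a JPG on the Internet Archive) and the dynamic DNS providers named above translate directly into a proxy-log hunt. The following is an editor-added example, not Insikt Group's tooling: the hostnames used for the three staging services are assumptions about what the report's "Discord CDN", "Paste[.]ee" and "Internet Archive" resolve to in a typical proxy log, the space-separated log format and its lines are constructed, and the ten-minute window is a tuning choice. Only the dynamic DNS suffixes come from the report itself.

```python
"""Hunt proxy logs for the Blind Eagle staging sequence and dynamic-DNS lookups."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Dynamic DNS providers named in the Insikt Group reporting summarized above.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "ip-ddns.com", "noip.com")

# Ordered stages of the reported chain. Hostnames are assumptions for the services
# the report names; (stage name, host suffixes, required path suffix or None).
CHAIN = [
    ("discord_cdn", ("cdn.discordapp.com", "media.discordapp.net"), None),
    ("paste_ee", ("paste.ee",), None),
    ("archive_jpg", ("archive.org",), ".jpg"),
]

# Constructed log format: "<ISO timestamp> <client IP> <method> <URL>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample lines: one host shows the full chain plus a dynamic-DNS
# beacon, one touches Paste.ee alone, one hits stages 1 and 3 too far apart.
SAMPLE_LOG = """\
2025-07-14T09:12:03Z 10.20.4.17 GET https://cdn.discordapp.com/attachments/111/222/loader.js
2025-07-14T09:12:05Z 10.20.4.17 GET https://paste.ee/r/abc123
2025-07-14T09:12:09Z 10.20.4.17 GET https://archive.org/download/vacation-pics/IMG_0423.jpg
2025-07-14T09:14:30Z 10.20.4.17 GET http://srv-update.duckdns.org/
2025-07-14T09:20:00Z 10.20.7.3 GET https://paste.ee/r/zzz999
2025-07-14T09:21:00Z 10.20.7.3 GET https://www.example.com/index.html
2025-07-14T11:40:00Z 10.20.9.8 GET https://cdn.discordapp.com/attachments/333/444/notes.pdf
2025-07-14T12:05:00Z 10.20.9.8 GET https://archive.org/download/old-manuals/cover.jpg
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a record, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    u = urlparse(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "host": (u.hostname or "").lower(),
        "path": u.path,
    }


def load_records(text: str) -> List[Dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def host_matches(host: str, suffixes: Tuple[str, ...]) -> bool:
    """True if host equals a suffix or is a subdomain of it (no substring matches)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def stage_of(rec: Dict) -> Optional[str]:
    for name, hosts, path_suffix in CHAIN:
        if host_matches(rec["host"], hosts) and (
            path_suffix is None or rec["path"].lower().endswith(path_suffix)
        ):
            return name
    return None


def find_dynamic_dns(records: List[Dict]) -> List[Tuple[str, str]]:
    """(client, hostname) pairs that contacted a listed dynamic DNS provider."""
    return sorted({(r["src"], r["host"]) for r in records
                   if host_matches(r["host"], DYNAMIC_DNS_SUFFIXES)})


def find_staging_chains(records: List[Dict], window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Clients that walked every CHAIN stage, in order, within the window."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    hits = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            if stage_of(start) != CHAIN[0][0]:
                continue
            want, seen = 1, [start["ts"]]
            for r in recs[i + 1:]:
                if r["ts"] - start["ts"] > window:
                    break
                if stage_of(r) == CHAIN[want][0]:
                    seen.append(r["ts"])
                    want += 1
                    if want == len(CHAIN):
                        hits.append({"src": src, "first": seen[0], "last": seen[-1]})
                        break
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for hit in find_staging_chains(recs):
        print(f"staging chain: {hit['src']} {hit['first']} -> {hit['last']}")
    for src, host in find_dynamic_dns(recs):
        print(f"dynamic dns: {src} -> {host}")
```

Each stage host on its own is legitimate traffic, so the chain detector only fires on the ordered sequence from one client; the dynamic DNS check is noisier and is best treated as an enrichment signal to pivot on (here it lands on the same client that completed the chain).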

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.