Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1880+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, and AI Coding Attacks
Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, and AI Coding Attacks
NEWS

Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, and AI Coding Attacks

This week's biggest threats: Progress Software orders ShareFile shutdown over an undisclosed zero-day-level risk, ransomware groups weaponize Citrix Bleed 2 to bypass MFA across 91+ victims, and five AI coding assistants fall to a shared attack pattern.

Dylan H.

News Desk

July 13, 2026
4 min read

Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That's supposed to be the good news. The catch is that attackers have the same tools — and this week, they used them across three distinct frontiers at once.

ShareFile: Shutdown Order, No Patch

Progress Software issued an urgent advisory directing all ShareFile customers to immediately shut down their self-hosted Storage Zone Controller servers. The company temporarily disabled cloud-side access to affected accounts while working with internal and external security researchers.

Notably, no CVE was assigned — suggesting an unpatched zero-day or a non-software threat such as stolen keys or a compromised supply chain. The advisory became public when a customer posted the internal Progress email to Reddit's r/sysadmin on July 10, 2026.

Progress Software has form here: they also owned MOVEit, whose 2023 zero-day was exploited by the Clop ransomware group across more than 2,700 organizations. Any organization running internet-facing ShareFile Storage Zone Controllers should treat this shutdown order as mandatory until a patch or full disclosure is available.

What to do: Shut down Storage Zone Controller servers now. Monitor the Progress Security Advisory page for updates. Do not restore service until a fix is confirmed.

Citrix Bleed 2: Ransomware Groups Share a Seven-Step Playbook

Ransomware groups are actively exploiting CVE-2025-5777 ("Citrix Bleed 2") to hijack MFA-protected NetScaler sessions and deploy ransomware at scale. Two distinct threat actor clusters — DragonForce and Anubis — have been documented using this vulnerability in the wild.

A cybersecurity firm documented six separate intrusions in H1 2026 following a near-identical seven-step attack chain, suggesting the playbook is being shared or sold across criminal groups:

  1. Exploit CVE-2025-5777 to hijack an authenticated NetScaler session (bypasses MFA entirely)
  2. Escalate to SYSTEM via a registry-symlink / AppMgmt privilege escalation trick
  3. Create rogue local admin accounts
  4. Establish persistence via legitimate RMM tools (ScreenConnect, Zoho Assist)
  5. Perform lateral movement across the network
  6. Conduct credential access operations
  7. Deploy ransomware

Anubis alone has claimed 91 victims on its leak site as of July 2026, with 11 new victims in June alone. Targeted sectors span healthcare, business services, manufacturing, technology, and financial services — with more than 50% of victims in the United States.

What to do: Patch exposed NetScaler appliances immediately. Terminate all outstanding sessions. Audit logs for unauthorized account creation and unexpected RMM tooling.

AI Coding Assistants: Five Tools, One Shared Exploit

The attack surface for AI-assisted development tooling expanded dramatically this week. Researchers demonstrated that Claude Desktop's Personal Preferences sync feature can be weaponized as a covert prompt-injection command-and-control channel, chaining to remote code execution on the victim's machine.

Critically, this was not an isolated issue — the same underlying attack pattern compromised five major AI coding assistants simultaneously, pointing to foundational architectural weaknesses shared across the category.

Beyond coding tools, a new phishing-as-a-service platform called Forg365 ($400/month, distributed via Telegram) combines AI-assisted lure creation, device code phishing, adversary-in-the-middle tactics, and antibot evasion to target Microsoft 365 accounts. Delivery infrastructure leverages Amazon SES and Twilio SendGrid to bypass email reputation filters.

Additionally, thousands of MCP (Model Context Protocol) servers were found publicly exposed to the internet, creating a broad new attack surface as MCP adoption grows.

What to do: Keep AI tooling updated. Treat prompt-injection risk as equivalent to XSS for AI-integrated applications. Audit any exposed MCP server endpoints.

Other Notable CVEs This Week

CVE / AdvisoryProductNotes
CVE-2025-5777Citrix NetScalerCitrix Bleed 2 — active exploitation
—Roundcube 1.7.2Zero-click stored XSS + SSRF bypass
—BeyondTrust Remote SupportPrivileged access tool impacted
—U-Boot, Ubiquiti UniFiFirmware/network device issues
—Linux Kernel KVM/x86Hypervisor-level flaw
—PHP, OWASP ModSecurityWeb stack vulnerabilities
—OpenAI Codex for macOSAI tooling exposure
—Google Chrome, Microsoft EdgeBrowser patch week
—IBM WebSphereEnterprise middleware flaw

Source: The Hacker News Weekly Recap, July 2026. Keep your stack patched and your perimeter monitored.

#Ransomware#Citrix#ShareFile#AI Security#Weekly Recap

Related Articles

Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware

This week's threat roundup covers residential proxy botnets hiding in streaming boxes, browser-based ransomware campaigns, AI agent abuse techniques, and...

6 min read

JadePuffer: The First Fully Autonomous LLM-Driven Ransomware Attack

Security researchers at Sysdig have documented JadePuffer — an agentic threat actor powered entirely by a large language model that independently...

4 min read

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

Sysdig researchers documented the first fully autonomous AI-driven ransomware campaign, where threat actor JADEPUFFER used an AI agent to chain Langflow...

3 min read
Back to all News