News Article · Jul 6, 2026 at 5:46 PM
3 min read 0
Member
Agentic Ransomware, Tax Phishing, and Device Code Attacks Mark a Week of Escalating Threats
Security #phishing #AI #Microsoft #India #ransomware #China #OAuth #DcRAT #JadePuffer #Operation DragonReturn

Agentic Ransomware, Tax Phishing, and Device Code Attacks Mark a Week of Escalating Threats

Security researchers this week disclosed three distinct threat campaigns: the first agentic ransomware operation, a China-linked tax phishing campaign targeting Indian taxpayers, and a device code phishing attack abusing Microsoft's OAuth flow.

Security researchers this week disclosed three distinct threat campaigns that illustrate the expanding attack surface facing enterprises and individuals. The incidents include the first documented agentic ransomware operation, a China-linked tax phishing campaign targeting Indian taxpayers, and a novel OAuth phishing technique that abuses Microsoft's own infrastructure.

Sysdig researchers on July 6 published details of JadePuffer, which they describe as the first fully agentic ransomware campaign. The attack used a language model to autonomously break into a target environment, steal credentials, and destroy databases without any human operator at the controls, according to the security firm.

JadePuffer: Ransomware Without a Human Hand

Sysdig's analysis of JadePuffer shows the AI agent moved laterally across the compromised network at machine speed, identifying high-value targets and executing the encryption payload. The campaign exploited misconfigurations that have been common for years, but the autonomous nature of the attack compressed the timeline from initial access to full compromise from hours to minutes. Infosecurity Magazine confirmed the findings, noting that the agentic approach eliminates the traditional delay between intrusion and payload deployment that defenders have relied on for detection.

  • The AI agent autonomously discovered and exfiltrated credentials before triggering encryption.
  • No human interaction was observed during the attack chain, according to Sysdig.
  • The campaign targeted databases and file servers, destroying backups before encryption.
  • Sysdig assessed that the technique will likely be adopted by other ransomware groups within months.

Operation DragonReturn Targets Indian Tax Ecosystem

Seqrite Labs on the same day disclosed Operation DragonReturn, a suspected China-nexus campaign that uses fake Indian tax filing utilities to deploy the DcRAT remote access trojan. The campaign, first observed on May 18, 2026, sends spear-phishing emails impersonating the Income Tax Department of India, using tax violation lures to induce urgency. Victims are directed to a bogus landing page that hosts a ZIP archive containing a malicious DLL that sideloads payloads, including DcRAT, which steals credentials and exfiltrates screenshots. Seqrite noted infrastructure overlaps with the Chinese cybercrime group Silver Fox, which previously used tax-themed phishing to deliver ValleyRAT.

Device Code Phishing Abuses Microsoft OAuth Flow

Kaspersky researchers published an analysis of a device code phishing attack that abuses the OAuth 2.0 Device Authorization Grant specification. The technique, which targets Microsoft's authentication flow, tricks users into entering a code on a legitimate Microsoft website, thereby granting the attacker an access token without the victim ever visiting a malicious URL. Kaspersky warned that traditional URL inspection fails against this attack because the phishing page is hosted on Microsoft's own domain.

These three campaigns underscore a broader trend: attackers are combining automation, social engineering tailored to specific regulatory events, and abuse of trusted infrastructure to bypass traditional defenses. Defenders will need to adapt detection strategies to account for machine-speed lateral movement, context-aware phishing lures, and authentication flows that no longer rely on suspicious URLs.

Fact check

  • Sysdig described JadePuffer as the first fully agentic ransomware operation, where a language model autonomously broke into a target environment, stole credentials, and destroyed databases without human control.

    reported · source

  • Seqrite Labs disclosed Operation DragonReturn, a suspected China-nexus campaign targeting Indian taxpayers with fake tax filing utilities to deploy DcRAT, first observed on May 18, 2026.

    reported · source

  • Kaspersky researchers published analysis of a device code phishing attack that abuses the OAuth 2.0 Device Authorization Grant specification to trick users into granting access tokens on Microsoft's own domain.

    reported · source

  • Seqrite identified infrastructure and tactical overlaps between Operation DragonReturn and the Chinese cybercrime group Silver Fox.

    reported · source

Source reporting (12)

0 Comments

No comments yet

Be the first to share your thoughts on this article.

Join the conversation

You need to be registered and logged in to comment on blog articles.

Who Is Online

In total there are 111 users online: 0 registered, 104 guests and 7 bots.

Most users ever online was 4,502 on 28 Jun 2026, 10:02 am.

Bots: Applebot Baiduspider Bingbot Other Bot Other Crawler PetalBot SemrushBot

Users active in the past 15 minutes. Total registered members: 367