
One Door, Every Crew: This Week Ransomware, Iranian Intelligence, and a Data-Extortion Gang All Walked Through the Same Pre-Auth Enterprise Edge. The Convergence Is the Pattern.

  • Writer: Patrick Duggan
  • 4 minutes ago
  • 5 min read

We published seven threat-intelligence posts this week about seven different vulnerabilities, attributed across three completely unrelated kinds of adversary, and somewhere around the fifth one a pattern stopped being a coincidence and became the story. The actors do not know each other. Their motives have nothing in common. Their tradecraft, historically, looked nothing alike. And this week they all walked through the same door. This post is about that door, because when criminal ransomware crews, a nation-state intelligence service, and a financially-motivated data-extortion gang independently converge on one class of attack surface in a single week, the convergence is a more useful thing to defend than any one of the bugs.



The Week, Laid Out


Start with what actually happened, actor by actor, because the pattern only lands when you see how different these groups are. Qilin, currently the most active ransomware operation by volume, was caught burning a Check Point VPN zero-day, CVE-2026-50751, an IKE authentication bypass that lets an attacker establish a remote-access VPN connection without a valid password. Akira, the second most active crew, spent the same period doing the same thing against a different vendor's product, treating SSL VPN appliances as its preferred initial-access surface. Cisco Catalyst SD-WAN Manager grew a fresh zero-day, CVE-2026-20245, in the same chain we mapped in May, and a proof-of-concept hit GitHub within days. Iran's MuddyWater weaponized a Langflow flaw, CVE-2026-5027, an unauthenticated remote code execution in the open-source AI-agent builder we have tracked as a serial target since March. ShinyHunters, a data-extortion crew that built its reputation on phoning help desks for MFA resets, picked up an Oracle PeopleSoft zero-day, CVE-2026-35273 (CVSS 9.8, unauthenticated), and breached more than a hundred organizations with it. And underneath all of it, Microsoft's record 208-CVE Patch Tuesday shipped a wormable kernel TCP/IP bug, CVE-2026-45657, that needs no credential and no click to reach SYSTEM, plus a Defender flaw, CVE-2026-41091, already exploited in the wild.


Three motives. Criminal extortion, state intelligence, commercial data theft. One surface: an internet-facing enterprise system with an unauthenticated remote code execution or authentication bypass in it. A VPN gateway, a network manager, an AI builder, an ERP backend, the kernel's own network stack. Not a phishing lure. Not a malicious attachment. Not a help-desk phone call. The pre-auth door.



Sub-Pattern One: Capability Is Being Acquired, Not Just Refined


The cleanest tell in the whole week is ShinyHunters, because we have two months of their history in our index and it does not include software exploitation. Their signature was social engineering — a confident voice, a help desk, an MFA reset, a Salesforce export. That is a human-in-the-loop technique. This week they were chaining an Oracle zero-day against three hundred PeopleSoft instances, which is not a refinement of phoning help desks, it is a different weapon entirely. Threat-actor profiles are sticky in defenders' heads, and that stickiness is the vulnerability: if your model of ShinyHunters ends at the help desk, your defenses end one move too early, because the crew reads its own press, sees which doors are being watched, and buys a new key. An actor is not a fixed set of techniques. It is an organization that acquires them, and the market for unauthenticated RCE is liquid enough now that a crew known for phone calls can be running a 9.8 by Tuesday.



Sub-Pattern Two: The Gap From Disclosure to Weapon Is Collapsing


Our exploit harvester watches GitHub for proof-of-concept code, and this week it logged eighty-one unique CVE proof-of-concepts in seven days — roughly a dozen a day, spiking to eighteen and twenty on the heaviest days. More important than the volume is the latency. The Check Point, Cisco SD-WAN, and Langflow proof-of-concepts went from advisory to working public exploit in hours to days, not the weeks defenders used to be able to count on. The window between a vulnerability becoming known and a vulnerability becoming trivially exploitable by anyone is the window every defender actually lives inside, and it is shrinking toward zero. That is why the wormable kernel bug is the one to fast-lane out of the 208: there is no public exploit for it yet, but the patch-diffing has already started, and the harvester is watching the exact repositories where the proof-of-concept will land. When it does, the only number that will matter is how many of your machines are still reachable and unpatched.



Sub-Pattern Three: Takedowns Remove Infrastructure, Not Capability


The third thread ran in parallel all month, and it is the one defenders most want to be untrue. First VPN, the anonymization service used by at least twenty-five ransomware groups since 2014, was seized in a French-and-Dutch-led operation, and the demand it served did not evaporate; it relocated. LockBit, dismantled with great fanfare in 2024, posted fresh victims this week as LockBit 5.0 with cross-platform encryptors. ShinyHunters had its Salesforce leak site shuttered by federal law enforcement on June 5, and the exploitation window for their PeopleSoft campaign, per Google's threat intelligence, runs May 27 to June 9, which means they were running a hundred-victim zero-day campaign during and after the takedown of their own infrastructure. None of this makes the takedowns worthless; the agents earned their days, and the disruption imposed real cost on the operators. It makes them incomplete. A takedown removes servers. It does not remove the capability that just walked through the pre-auth door, and capability is the thing that reconstitutes next week on new infrastructure.



Why The Convergence Is The Defensible Thing


Here is the argument, and we want to be precise about it because precision is the product. We are not claiming these actors are coordinating; they are not. We are claiming something more useful for the person who has to defend a network: when three unrelated classes of adversary independently arrive at the same attack surface in the same week, that surface is where you should be spending, regardless of which specific CVE or which specific crew is in the headline on any given day. The motive-agnostic convergence on the unauthenticated enterprise edge is the pattern, and it reorders your priorities cleanly. Inventory everything internet-facing that speaks an enterprise protocol (VPN concentrators, network managers, application servers, ERP and HR backends, AI tooling someone stood up without telling security) and treat each one as a pre-auth door that three different kinds of attacker are actively trying this week. Patch the unauthenticated RCEs on the fast lane. Get the ones you cannot patch immediately off the open internet and behind an authentication layer that is independent of the vulnerable system, such as an IP allow-list or a separate gateway, because this week the VPN itself was one of the doors, and "behind the VPN" is no protection when the VPN's own authentication is what is broken. And stop modeling threats by who the actor is and what they did last quarter, because this week proved the actor is interchangeable and the door is the constant. Defend the door. Everyone is using it.
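One way to turn that priority order into something a team can actually run over its inventory, as an added example rather than code from this post or from the feed behind it: score each exposed asset on the signals this week's cases share (reachable without a credential, public proof-of-concept, confirmed exploitation, wormable) and emit a fast-lane patch or isolate action for the pre-auth, internet-facing ones. The inventory and vulnerability records below are constructed; the CVE identifiers are placeholders, each record is only modelled on a class of bug described above (a VPN auth bypass, a network-manager zero-day, an AI-tool RCE, an ERP backend RCE, a wormable kernel network-stack bug), and the weights are assumptions chosen to encode the post's ordering, not numbers from the post.

```python
"""Pre-auth edge triage: exposure and bug class drive priority, not the actor
in the headline. Added example; all data below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    cve: str                  # placeholder identifier, constructed
    product: str
    pre_auth: bool            # reachable with no valid credential
    public_poc: bool          # working exploit code is public
    exploited_in_wild: bool   # confirmed exploitation reported
    wormable: bool = False    # self-propagating, no user interaction
    patch_available: bool = True


@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool
    patched: set = field(default_factory=set)   # CVE ids already remediated


FAST_LANE = "patch now (fast lane)"
ISOLATE = "no patch: take off the open internet, front with independent auth"
STANDARD = "standard patch cycle"
NONE = "not affected / already patched"

# Assumed weights. Pre-auth is a gate, not a weight: an authenticated bug
# never outranks an unauthenticated one, whatever else is true of it.
W_EXPLOITED, W_POC, W_WORMABLE, W_EXPOSED = 30, 20, 35, 20


def urgency(v: Vuln) -> int:
    """Score the bug itself on the signals the post uses."""
    if not v.pre_auth:
        return 1
    score = 10
    if v.exploited_in_wild:
        score += W_EXPLOITED
    if v.public_poc:
        score += W_POC
    if v.wormable:
        # No PoC yet, but once one lands every unpatched host is in scope,
        # so it outranks an exploited-in-the-wild bug on a single product.
        score += W_WORMABLE
    return score


def action(asset: Asset, v: Vuln) -> str:
    """Decide what to do with one asset/bug pair."""
    if v.product != asset.product or v.cve in asset.patched:
        return NONE
    if not (asset.internet_facing and v.pre_auth):
        return STANDARD
    return FAST_LANE if v.patch_available else ISOLATE


def triage(assets, vulns):
    """Return (score, asset, cve, action) rows, highest priority first.
    Internet exposure adds a flat bonus so an internal copy of the same
    bug sorts below the exposed one."""
    rows = []
    for a in assets:
        for v in vulns:
            act = action(a, v)
            if act == NONE:
                continue
            score = urgency(v) + (W_EXPOSED if a.internet_facing else 0)
            rows.append((score, a.name, v.cve, act))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def fast_lane(rows):
    """Just the pairs that need action today, in priority order."""
    return [(r[1], r[2]) for r in rows if r[3] in (FAST_LANE, ISOLATE)]


# Constructed sample feed; placeholder CVE ids, modelled on the post's classes.
VULNS = [
    Vuln("CVE-0000-0001", "vpn-gateway", True, True, True),                  # VPN auth bypass
    Vuln("CVE-0000-0002", "sdwan-manager", True, True, True),                # network-manager 0-day
    Vuln("CVE-0000-0003", "ai-agent-builder", True, True, True,
         patch_available=False),                                             # AI-tool RCE, no fix yet
    Vuln("CVE-0000-0004", "erp-backend", True, False, True),                 # ERP backend RCE
    Vuln("CVE-0000-0005", "windows-host", True, False, False, wormable=True),  # kernel TCP/IP
    Vuln("CVE-0000-0006", "erp-backend", False, True, False),                # authenticated bug, for contrast
]

# Constructed sample inventory.
ASSETS = [
    Asset("vpn-01", "vpn-gateway", True),
    Asset("sdwan-mgr", "sdwan-manager", True, patched={"CVE-0000-0002"}),
    Asset("langflow-dev", "ai-agent-builder", True),   # stood up without telling security
    Asset("hr-erp", "erp-backend", True),
    Asset("file-srv", "windows-host", False),
    Asset("web-gw", "windows-host", True),
]

if __name__ == "__main__":
    for score, name, cve, act in triage(ASSETS, VULNS):
        print(f"{score:3d}  {name:<13} {cve:<14} {act}")
```

The two rows at the top are the point of the ranking: the unpatchable AI tool and the VPN gateway tie, and the tool goes to an isolate action rather than a patch action because there is nothing to patch yet. The wormable kernel bug on the internet-facing host sorts above the exploited ERP bug even with no public PoC, and the same kernel bug on an internal host lands in the standard cycle, which is the exposure-first ordering the post argues for.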




The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.

