📋 Top Headlines at a Glance

  1. BKA identifies leaders of notorious REvil ransomware group behind 130 attacks on German targets
  2. How residential proxies are undermining IP-based cybersecurity defenses
  3. Fortinet CVE-2026-35616 Exploited in Active Attacks — Patch Immediately
  4. QR code traffic violation phishing scams expand to more U.S. cities

Executive Summary: Today’s intelligence highlights a multi-faceted threat landscape characterized by the active exploitation of critical vulnerabilities, sophisticated evasion techniques leveraging residential proxies, and persistent ransomware operations with significant real-world impact. The identification of REvil leaders marks a key law enforcement achievement, while the exploitation of Fortinet’s CVE-2026-35616 demands immediate patching. Simultaneously, the growing use of residential proxies is eroding IP-based defenses, and QR code phishing campaigns are expanding their geographic reach, targeting unsuspecting citizens with convincing social engineering.

🌍 Technical Intelligence Breakdown

⚖️ BKA identifies leaders of notorious REvil ransomware group behind 130 attacks on German targets

Germany’s Federal Criminal Police Office (BKA) has successfully identified the leaders of the notorious REvil ransomware group.

  • Achievement: Key leaders of REvil have been identified by German law enforcement.
  • Impact: The REvil group was responsible for at least 130 ransomware attacks targeting German organizations.
  • Significance: This identification represents a major step in attributing and potentially disrupting one of the most impactful ransomware operations in recent history.
  • Broader Context: REvil (also known as Sodinokibi) has been linked to numerous high-profile attacks globally, including the Kaseya VSA supply chain attack.
  • Defensive Actions:
    • Continue to implement robust anti-ransomware defenses, including offline backups, network segmentation, and endpoint detection and response (EDR).
    • Monitor for any resurgence or rebranding of REvil-affiliated threat actors.
    • Leverage threat intelligence feeds that track ransomware group activities and indicators of compromise.

🌐 How residential proxies are undermining IP-based cybersecurity defenses

The increasing availability and use of residential proxies are fundamentally undermining traditional IP-based cybersecurity defenses.

  • Evasion Technique: Threat actors use residential proxies to route malicious traffic through legitimate residential IP addresses, making it appear as normal user activity.
  • Impact on Defenses: Traditional IP reputation systems, geo-blocking, and rate limiting become significantly less effective when attackers masquerade behind trusted IP ranges.
  • Scale: The market for residential proxies is vast, often fueled by unwitting users whose devices are enrolled in proxy networks.
  • Defensive Actions:
    • Transition from purely IP-based defenses to behavioral analysis and anomaly detection.
    • Implement user and entity behavior analytics (UEBA) to identify suspicious patterns regardless of source IP.
    • Deploy bot management solutions capable of distinguishing between human and automated traffic even from residential IPs.
    • Utilize multi-layered authentication and authorization mechanisms.

🔥 Fortinet CVE-2026-35616 Exploited in Active Attacks — Patch Immediately

A critical vulnerability in Fortinet products, tracked as CVE-2026-35616, is being actively exploited in the wild.

  • CVE: CVE-2026-35616
  • Status: Actively exploited in the wild.
  • Affected Vendor: Fortinet
  • Severity: Critical — requires immediate patching.
  • Defensive Actions:
    • Immediately apply the vendor-provided patch for CVE-2026-35616 on all affected Fortinet devices.
    • If patching is not immediately possible, implement vendor-recommended mitigations and closely monitor affected systems for indicators of compromise.
    • Verify that all Fortinet devices are running the latest supported firmware versions.
    • Conduct a thorough review of firewall rules and access policies on affected devices.

📱 QR code traffic violation phishing scams expand to more U.S. cities

Phishing campaigns utilizing QR codes embedded in fake traffic violation notices are expanding their reach to additional U.S. cities.

  • Attack Vector: Physical mailers or stickers with QR codes that redirect victims to malicious websites.
  • Social Engineering: The scam impersonates official traffic violation notices, creating urgency and compelling victims to scan the QR code.
  • Objective: Typically aims to harvest personal and financial information, including credit card details and driver’s license numbers.
  • Expansion: The campaign has been observed spreading to new geographic areas, indicating its perceived success by threat actors.
  • Defensive Actions:
    • Educate the public about QR code phishing scams, advising caution when scanning codes from unsolicited sources.
    • Verify any traffic violation notices through official city or municipality websites or phone numbers, not via QR codes.
    • Implement QR code scanning security features on mobile devices that preview URLs before navigating.
    • Report suspected phishing attempts to local law enforcement and the FTC.

📉 Threat Landscape & Trends

  • Ransomware Persistence: Despite law enforcement successes in identifying group leaders (REvil), ransomware remains a pervasive and highly impactful threat.
  • Erosion of Traditional Defenses: The widespread use of residential proxies is fundamentally challenging the effectiveness of IP-based security controls, forcing a shift towards behavioral analysis.
  • Critical Vulnerability Exploitation: Actively exploited vulnerabilities in widely deployed security infrastructure (Fortinet) demand immediate and decisive patching action.
  • Social Engineering Innovation: Phishing tactics continue to evolve, with QR code-based campaigns exploiting physical trust and expanding geographically.
  • Law Enforcement Attribution: Identification of cybercriminal leaders, while significant, does not immediately eliminate the threat, as groups often rebrand or new actors emerge.

📌 Strategic Takeaway

Organizations must urgently patch actively exploited vulnerabilities in critical security infrastructure, transition from IP-dependent to behavior-based detection models, and maintain comprehensive ransomware resilience strategies. Simultaneously, public awareness campaigns are essential to counter expanding social engineering threats like QR code phishing, while law enforcement continues its critical role in attribution and deterrence.

🔗 References

  1. BKA identifies leaders of notorious REvil ransomware group behind 130 attacks on German targets
  2. How residential proxies are undermining IP-based cybersecurity defenses
  3. Fortinet CVE-2026-35616 Exploited in Active Attacks — Patch Immediately
  4. QR code traffic violation phishing scams expand to more U.S. cities