"Reasonable to expect based on what we've seen in the past," Army Gen. Joshua Rudd told the Senate Armed Services Committee — a succinct warning that foreign interference is likely around the U.S. midterm elections, and one that folded into a week of breaches, arrests and active exploitation detailed by security researchers and law enforcement.
Gen. Joshua Rudd, U.S. Cyber Command, and the election threat
Gen. Joshua Rudd, testifying alongside the National Security Agency head, told senators foreign interference attempts are likely. The testimony reiterated longstanding concerns among U.S. cyber leadership that countries including Russia, China and Iran are focused on undermining confidence in democratic processes through digital means. The warning followed accounts that Russian influence networks behind 2024 troll farm operations have continued producing content, with one network setting up more than 200 fake websites since March 2025.
The record of Cyber Command action includes the Election Security Group — a Cyber Command and NSA task force active since 2018 — which previously coordinated with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and other agencies on election defense. In the weeks before the 2024 presidential election, Cyber Command operators targeted servers used by at least two Russian companies spreading propaganda into swing states; that operation disrupted but did not halt the influence activity before Election Day.
Election pressure meets budget politics: White House proposal and agency roles
The testimony came against a backdrop of shifting federal engagement on election defense. The report notes the Trump administration has been skeptical of efforts to secure elections from cybersecurity risk and that the White House budget proposal for the coming federal fiscal year, which begins in November, "would completely the CISA election security program." That line in the record links operational concerns about interference with a policy debate over how federal resources for election cybersecurity are allocated.
Active exploits and high-risk CVEs: ScreenConnect, Windows Shell, and Hugging Face LeRobot
Practical risk to enterprise and election-related infrastructure is not merely theoretical. The U.S. Cybersecurity and Infrastructure Security Agency added two actively exploited flaws to its Known Exploited Vulnerabilities catalog: a path traversal flaw in ConnectWise ScreenConnect tracked as CVE-2024-1708 and a Windows Shell protection mechanism failure, CVE-2026-32202. The ScreenConnect flaw is frequently chained with an authentication bypass, CVE-2024-1709, enabling threat actors to bypass authentication and execute arbitrary code — potentially leading to full compromise or ransomware deployment. The Windows Shell issue can coerce victim machines into authenticating to attacker-controlled servers and expose NTLMv2 hashes after a user opens a folder.
Separately, security researcher Valentin Lobstein (handle "chocapikk") reported a critical deserialization flaw in Hugging Face's LeRobot framework, tracked as CVE-2026-25874. Lobstein found LeRobot used Python's pickle.loads() on network-received data before validation, and typical deployments expose unauthenticated, unencrypted gRPC endpoints — effectively creating network-reachable paths to remote code execution.
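To make the deserialize-before-validate pattern Lobstein describes concrete, here is example code written for this roundup (not LeRobot's own source): the vulnerable receiver hands wire bytes straight to pickle, while the hardened receiver authenticates them with HMAC first and then unpickles through an allowlist that refuses arbitrary globals. The shared key, the tag-plus-body framing and the sample command message are constructed assumptions, not anything the page states about LeRobot's real protocol.

```python
import hashlib
import hmac
import io
import pickle

# Assumptions (constructed for this example): a key shared out of band between
# robot client and server, and a wire format of HMAC-SHA256 tag + pickled body.
# The page describes neither LeRobot's real framing nor its key handling.
SECRET_KEY = bytes.fromhex("11" * 32)  # placeholder, not a real secret
TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag precedes the body
SAMPLE_CMD = {"cmd": "move", "joints": [0.1, -0.4, 1.2]}  # constructed message

def receive_vulnerable(blob: bytes):
    """The pattern the page describes: unpickle wire bytes first, validate later."""
    return pickle.loads(blob)  # any callable encoded in the stream runs right here

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global reference that is not on an explicit allowlist."""
    # Plain dicts, lists, strings and numbers need no globals; extend deliberately.
    ALLOWED: set = set()
    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def seal(obj, key: bytes = SECRET_KEY) -> bytes:
    """Sender side: pickle the message and prefix an HMAC tag over the body."""
    body = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    return hmac.new(key, body, hashlib.sha256).digest() + body

def receive_hardened(blob: bytes, key: bytes = SECRET_KEY):
    """Receiver side: authenticate the bytes, then unpickle through the allowlist."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC: body was not produced by a key holder")
    return RestrictedUnpickler(io.BytesIO(body)).load()

def unsigned_sample() -> bytes:
    """What an unauthenticated peer could send: a raw pickle with no tag at all."""
    return pickle.dumps(SAMPLE_CMD)

def outcome(receiver, blob: bytes) -> str:
    """'accepted', or the name of the exception the receiver raised."""
    try:
        receiver(blob)
        return "accepted"
    except Exception as exc:
        return type(exc).__name__
```

Note that a correctly signed body referencing a global such as `builtins.range` is still refused by the allowlist, so the two checks are independent layers rather than one.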
Stryker outage, LofyStealer, and other active criminal campaigns
Operational disruptions and criminal campaigns ran in parallel with nation-state influence concerns. On March 11, an Iranian hacktivist attack disrupted Stryker's manufacturing and distribution for three weeks, wiping more than 40,000 laptops and other devices. Stryker executives said the outage had a "big impact" on first-quarter results, limiting the company's ability to give its "usual level of details" and affecting made-to-order med-surgical lines that could not be manufactured during the outage. The manufacturer reported consolidated net sales of $6.0 billion, with net earnings of $745 million; Stryker said manufacturing and other affected operations were fully restored by the first week of April and that it recovered "100%" of its data through backups, with leaders expecting results to "normalize" for the year.
Threat actors targeting consumers and gamers also continued to evolve. ZenoX researchers described a Brazil-linked campaign delivering LofyStealer via a trojanized Minecraft cheat called "Slinky." The loader chain abuses GitHub Actions and Vercel packaging to evade detection, injects a native payload into browser processes, and harvests cookies, passwords, session tokens, payment cards and IBANs from major browsers before exfiltrating data to a command-and-control server using the User-Agent string "GrabBot/1.0."
Law enforcement moves: HexDex, Black Axe, and Vastaamo appeal
Police and prosecutors reported notable enforcement outcomes. French authorities arrested a 21-year-old suspect using the alias "HexDex" on April 20 and charged him with six offenses, four carrying an "organized gang" aggravator, after investigations linked the alias to roughly 100 reported incidents, including a breach of a French Ministry of Education trainee management system that exposed some 243,000 employees. Swiss and German police arrested 10 suspected members of the Black Axe network in a coordinated probe into romance scams and money laundering; Europol identified one arrested person as the Black Axe "regional head" for Southern Europe. And in Finland, convicted Vastaamo hacker Julius Aleksanteri Kivimäki filed for leave to appeal his seven-year sentence with the Supreme Court; judges had imposed the seven-year maximum but reduced it by one month, citing compensation agreements Kivimäki reached with numerous victims.
How technologists, policymakers, and affected enterprises are positioned
- Technologists and security teams: will track and patch the actively exploited CVEs named by CISA (CVE-2024-1708, CVE-2026-32202) and assess deployments of frameworks such as LeRobot for CVE-2026-25874 exposure, while watching malware like LofyStealer for new delivery techniques that abuse developer tooling.
- Policymakers and election officials: must weigh Cyber Command testimony on likely interference, the operational history of the Election Security Group, and the White House budget proposal that affects CISA's election program as they decide how to resource defense and interagency coordination ahead of midterm contests.
- Affected enterprises and vendors: face immediate incident-response tasks — Stryker restored operations and recovered via backups after a wipe of more than 40,000 devices — and will need to prioritize supply-chain and remote-access resilience given exploitation patterns against ScreenConnect and Windows Shell.
Gen. Rudd's remark encapsulates the week's pattern: visible, persistent foreign influence activity sitting alongside a thriving criminal ecosystem and multiple technical weaknesses being actively exploited. The record leaves concrete follow-ups: will federal budgeting alter the operational partnerships that produced prior Cyber Command interventions, and can defenders patch and reconfigure exposed services quickly enough to blunt both state-linked influence operations and opportunistic criminals? Those are questions with deadlines measured in months — and in some cases, in days.
Source: govinfosecurity.com — Breach Roundup: US Cyber Command Flags Election Threats