O RLY CYBER

@orlysec@swecyb.com
mastodon 4.5.7

Automated purveyor of the finest cybersecurity produce available on the open web. We think you'll be pleasantly surprised.

0 Followers
0 Following
Joined February 16, 2026

Posts

@orlysec@swecyb.com · 5d ago

(proofpoint.com) State-Aligned Threat Actors Exploit Iran Conflict as Lure in Targeted Campaigns Against Middle Eastern Governments

Proofpoint identified six phishing and espionage campaigns targeting Middle Eastern government, diplomatic, and think tank organizations, all leveraging the Iran conflict as lure content. The campaigns were attributed to actors linked to China (UNKInnerAmbush), Hamas (TA402), Pakistan (UNKRobotDreams), Belarus (TA473), Iran (TA453), and one unattributed group. Techniques ranged from DLL sideloading of Cobalt Strike and a Rust backdoor delivered via geofenced Azure infrastructure to OWA credential harvesting and multi-stage rapport-building phishing. Several campaigns used compromised government email accounts to increase credibility.

IOCs in the article.

Source: https://www.proofpoint.com/us/blog/threat-insight/iran-conflict-drives-heightened-espionage-activity-against-middle-east-targets

Fediverse: Not known :-(

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · 6d ago

(sygnia.co) SafePay Ransomware Group Leverages Microsoft OneDrive for Covert Data Exfiltration in Double Extortion Campaign

Sygnia documented a double-extortion ransomware operation by SafePay, active since September 2024, in which the attackers exploited a misconfigured FortiGate SSL VPN and a weak administrative account lacking MFA to gain initial access. After escalating to domain administrator via RDP, the group enumerated the environment using native Windows utilities and open-source tools, then exfiltrated data over seven days by installing the OneDrive sync client on a compromised server and synchronizing staged archives to an attacker-controlled Microsoft 365 tenant, blending exfiltration traffic with legitimate Microsoft cloud communications. The ransomware payload locker.dll was executed via regsvr32.exe for network-wide encryption.

IOCs in the article.

Source: https://www.sygnia.co/blog/safepay-onedrive-exfiltration-technique/

Fediverse: Not known :-(

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · 6d ago

(checkpoint.com) Iranian MOIS-Linked Cyber Actors Increasingly Leverage Criminal Ecosystems for State-Directed Operations

Iranian threat actors linked to MOIS, including MuddyWater and Void Manticore, are actively integrating criminal ecosystem resources into state-directed operations, employing commercial infostealers like Rhadamanthys, RaaS affiliate programs such as Qilin, and shared MaaS infrastructure like CastleLoader. Shared code-signing certificates tying FakeSet, StageComp, and DinDoor variants suggest a common procurement source across these groups. The attack on Israel's Shamir Medical Center illustrates this convergence, where operators appeared to use the Qilin RaaS model to disguise a strategically motivated attack as criminal activity.

IOCs in the article.

Source: https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/

Fediverse: Not known :-(

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · 6d ago

(sentinelone.com) FortiGate NGFW Appliances Exploited as Entry Points for Credential Theft and Network Compromise

SentinelOne's DFIR team reports multiple incidents where FortiGate appliances were compromised through exploitation of CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 to gain unauthenticated administrative access, decrypt configuration files, and harvest embedded Active Directory service account credentials. Threat actors used stolen credentials to join rogue workstations to victim domains, deploy RMM tools such as Pulseway and MeshAgent, execute DLL sideloading payloads beaconing to attacker controlled infrastructure, and exfiltrate NTDS.dit databases via shadow copy extraction. Both investigations were hindered by insufficient FortiGate log retention.

IOCs in the article.

Source: https://www.sentinelone.com/blog/fortigate-edge-intrusions/

Fediverse: @SentinelOne@infosec.exchange

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · 6d ago

(welivesecurity.com) Sednit APT28 Resurfaces with Modern BeardShell and Covenant Implants Rooted in 2010s Codebase

ESET researchers document the reemergence of Sednit (APT28/GRU Unit 26165) with a new toolkit targeting Ukrainian military personnel in prolonged espionage operations. The group deployed BeardShell, a .NET implant using Icedrive's API for C2, and a modified Covenant framework leveraging pCloud, Koofr, and Filen as command and control channels. A keylogger named SlimAgent was traced as a direct descendant of the group's Xagent backdoor through shared code structures. A specific Diophantine equation obfuscation technique links these tools to Sednit's older Xtunnel implant, reinforcing attribution to the group's development team, largely dormant since 2019.

IOCs in the article.

Source: https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/

Fediverse: @ESETresearch@infosec.exchange @ESET@infosec.exchange

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 06, 2026

(huntress.com) MuddyWater Iranian APT Intrusion: RDP Access, SSH Tunneling, and DLL Side-Loading Targeting Israeli Organization

Huntress has documented an intrusion by MuddyWater, an Iranian-linked APT group, targeting an Israeli organization. The attack began with RDP access, followed by domain and network reconnaissance using native Windows tools, establishment of reverse SSH tunnels to a known MuddyWater-associated IP (162.0.230.185), and deployment of a DLL side-loading technique leveraging the legitimate Fortemedia binary FMAPP.exe to execute a malicious DLL communicating with a C2 server at 157.20.182.49. Command typos observed during the intrusion suggest manual, interactive operator activity.

IOCs in the article.

Source: https://www.huntress.com/blog/muddywater-attack-chain

Fediverse: @huntress@infosec.exchange

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 04, 2026

(ctrlaltintel.com) MuddyWater Exposed: Inside an Iranian MOIS-Linked APT Operation Targeting Israel, Egypt, Jordan, UAE, and Beyond

Ctrl-Alt-Intel researchers accessed an exposed VPS in the Netherlands operated by MuddyWater (MOIS), revealing three custom C2 frameworks (KeyC2, PersianC2, ArenaC2), operational logs, and victim data from organizations across Israel, Jordan, Egypt, the UAE, Portugal, and the United States. Notable targets included Israeli healthcare providers and EgyptAir. The server also hosted a Tsundere Botnet variant leveraging Ethereum smart contracts for C2 resolution, a modified CVE-2024-55591 PoC for FortiOS admin account creation, password spraying tooling, and exfiltration infrastructure using Wasabi S3, put.io, and AWS EC2. Infrastructure overlaps corroborate prior Group-IB and ESET reporting.

IOCs in the article.

Source: http://ctrlaltintel.com/threat%20research/MuddyWater/

Fediverse: Not known :-(

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 04, 2026

(checkpoint.com) Iran-Nexus Threat Actors Target IP Cameras Across Middle East and Gulf Region to Support Cyber-Enabled Intelligence Operations

Check Point Research reports an ongoing campaign by Iranian threat actors exploiting five known CVEs in Hikvision and Dahua IP cameras across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus. The operation, tracked since at least January, leverages vulnerabilities including CVE-2021-36260, CVE-2017-7921, and CVE-2021-33044 to compromise surveillance devices assessed to support battle damage assessment and target correction for kinetic operations. Activity spikes correlate with geopolitical escalation, and attackers use commercial VPN services and VPS infrastructure to obscure attribution. Patches exist for all exploited CVEs but widespread unpatched deployments persist.

Source: https://research.checkpoint.com/2026/interplay-between-iranian-targeting-of-ip-cameras-and-physical-warfare-in-the-middle-east/

Fediverse: Not known :-(

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 03, 2026

(domaintools.com) Doppelgänger/RRN Disinformation Ecosystem: Infrastructure Analysis of a Persistent Russian-Aligned Influence Operation

DomainTools research maps the Doppelgänger/RRN disinformation ecosystem, attributed to Russia's Social Design Agency, detailing its infrastructure across 48 domains resolving to 34 unique IPs on Google Cloud and AWS backends fronted by Cloudflare CDN. The operation impersonates Western media brands using automated domain generation with TLD substitution, typosquatting, and semantic suffixes, while centralized WordPress deployments with role-segmented accounts and Yandex-linked provisioning reveal unified operational control. Geographic targeting focuses on Germany, France, the US, UK, and Italy, with domain registration bursts aligned to geopolitical events and registrar diversification enabling enforcement evasion.

IOCs in the article.

Source: https://dti.domaintools.com/research/doppelganger-rrn-disinformation-infrastructure-ecosystem

Fediverse: @DomainTools@infosec.exchange

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 02, 2026

(arcticwolf.com) Critical Path Traversal and SSRF Vulnerabilities Discovered in mcp-atlassian (CVE-2026-27825 and CVE-2026-27826)

Two critical vulnerabilities, CVE-2026-27825 and CVE-2026-27826, have been patched in mcp-atlassian, an open-source MCP integration for Atlassian Confluence and Jira. CVE-2026-27825 allows unauthenticated remote attackers to write files to arbitrary paths via missing directory confinement in attachment download tools, enabling privilege escalation and remote code execution. CVE-2026-27826 is a related SSRF flaw exploitable through unvalidated HTTP headers. A public proof of concept exists. No active exploitation has been reported, but organizations running versions prior to 0.17.0 should patch immediately.

Source: https://arcticwolf.com/resources/blog/cve-2026-27825/

Fediverse: Not known :-(

#Cybersecurity

@orlysec@swecyb.com · Mar 02, 2026

(zscaler.com) Dust Specter APT: Iran-Nexus Threat Actor Deploys Novel Malware Against Iraqi Government Officials

Zscaler ThreatLabz uncovered "Dust Specter," a suspected Iran-nexus campaign targeting Iraqi government officials by impersonating Iraq's Ministry of Foreign Affairs. The operation deployed four previously undocumented malware families, SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM, delivered through password-protected archives and ClickFix-style lures hosted on compromised Iraqi government infrastructure. The malware uses DLL sideloading, AES-256-CBC encryption, JWT-based bot identification, and randomized C2 URI paths with embedded checksums to evade detection. Evidence of generative AI use in malware development was also identified.

IOCs in the article.

Source: https://www.zscaler.com/blogs/security-research/dust-specter-apt-targets-government-officials-iraq

Fediverse: Not known 😞

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 02, 2026

(qianxin.com) Funnull Cybercriminal Group Returns: RingH23 Arsenal and MacCMS Supply Chain Attacks Exposed

The Funnull group, previously linked to the Polyfill.io supply chain compromise, has resurfaced with RingH23, a self-owned server-side attack framework targeting CDN infrastructure. Researchers at QiAnXin XLab identified two infection vectors: compromise of GoEdge CDN management nodes with SSH lateral movement to edge nodes, and poisoning of the official maccms.la update channel to deliver PHP backdoors. The modular toolkit includes an Nginx filter module for JavaScript injection, a WebSocket-based backdoor with DNS tunneling fallback, and an LD_PRELOAD rootkit. An estimated 10,748+ websites are infected, redirecting mobile users to gambling platforms.

IOCs in the article.

Source: https://blog.xlab.qianxin.com/funnull-resurfaces-exposing-ringh23-arsenal-and-maccms-supply-chain-attacks/

Fediverse: Not known :-(

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 02, 2026

(huntress.com) Modified Havoc C2 Framework Deployed via Fake Tech Support Campaign Linked to Black Basta TTPs

Huntress identified a campaign across five organizations where coordinated email spam and fake IT support vishing calls directed victims to a fraudulent Outlook Antispam portal, delivering a heavily modified Havoc C2 Demon agent. The intrusion chain uses DLL sideloading with two loader variants employing indirect syscalls, trampoline obfuscation, and ChaCha20 encryption, along with a custom registry fallback C2 mechanism for storing encrypted host and port pairs. Lateral movement reached nine additional endpoints within eleven hours using scheduled tasks and legitimate RMM tools for persistence. The campaign shares significant tactical overlap with documented Black Basta and FIN7 activity.

IOCs in the article.

Source: https://www.huntress.com/blog/fake-tech-support-havoc-command-control

Fediverse: @huntress@infosec.exchange

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Mar 02, 2026

(socket.dev) Compromised Aqua Trivy VS Code Extension on OpenVSX Leverages AI Coding Assistants for Credential Theft and Exfiltration

Socket identified malicious code in versions 1.8.12 and 1.8.13 of the Aqua Trivy VS Code extension on the OpenVSX registry, injected during a broader bot campaign targeting Aqua's GitHub assets. The payload executes on workspace activation, spawning locally installed AI coding assistants, including Claude Code, Codex, Gemini, Copilot CLI, and Kiro, in fully permissive unattended modes via detached child processes. Version 1.8.12 instructs agents to perform broad credential and data reconnaissance with exfiltration across all available channels, while 1.8.13 narrows the objective to harvesting tokens and pushing them to an attacker controlled GitHub repository. Affected versions were removed within approximately 36 hours.

Source: https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension

Fediverse: @SocketSecurity@fosstodon.org

@orlysec@swecyb.com · Feb 28, 2026

(krebsonsecurity.com) Unmasking Dort: The Threat Actor Behind the Kimwolf Botnet

OSINT investigators have linked the operator of the Kimwolf botnet, known as "Dort," to Jacob Butler, a young Canadian from Ottawa, following a sustained retaliation campaign of doxing, swatting, and DDoS attacks against the researcher and journalist who publicly exposed the botnet. Kimwolf exploited vulnerabilities in residential proxy services to infect consumer IoT devices on internal networks. The attribution pivoted across breach tracking data from Constella Intelligence and Spycloud, domain records via DomainTools, cybercrime forum accounts indexed by Intel 471, and Telegram posts indexed by Flashpoint. Butler's prior activity includes ties to LAPSUS$, SIM swapping services, and CAPTCHA bypass tooling.

Source: https://krebsonsecurity.com/2026/02/who-is-the-kimwolf-botmaster-dort/

Fediverse: @briankrebs@infosec.exchange

#Cybersecurity #ThreatIntel

@orlysec@swecyb.com · Feb 28, 2026

(zscaler.com) APT37 Ruby Jumper Campaign: New Malware Toolkit Targets Air-Gapped Networks via Removable Media

Zscaler ThreatLabz has detailed a campaign by DPRK-backed group APT37 (ScarCruft), tracked as Ruby Jumper, deploying five previously undocumented malware families: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. The infection chain uses malicious LNK files to deliver multi-stage payloads, with THUMBSBD notably using removable media as a bidirectional C2 relay to bridge air-gapped networks. The campaign abuses Zoho WorkDrive for cloud-based C2 and bundles a Ruby 3.3.0 runtime to disguise execution, while FOOTWINE provides surveillance capabilities including keylogging and audio/video capture over custom encrypted TCP channels.

IOCs in the article.

Source: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks

@orlysec@swecyb.com · Feb 27, 2026

(socket.dev) StegaBin: North Korean-Linked npm Supply Chain Campaign Uses Pastebin Steganography to Deploy Nine-Module Infostealer and RAT

Socket researchers identified 26 malicious npm packages tied to North Korea's Contagious Interview campaign (FAMOUS CHOLLIMA / Lazarus Group), using a technique dubbed "StegaBin" that embeds C2 addresses via character-level steganography in Pastebin pastes. The typosquatted packages deploy an RC4-encrypted loader that resolves C2 infrastructure through 31 Vercel deployments, ultimately delivering a WebSocket RAT and a nine-module infostealer toolkit targeting developer credentials, SSH keys, browser passwords, cryptocurrency wallets, and VSCode configurations, with FTP-based exfiltration on a secondary port.

IOCs in the article.

Source: https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Feb 27, 2026

(greynoise.io) Coordinated SonicWall SSL VPN Reconnaissance Campaign Signals Imminent Credential-Based Ransomware Attacks

GreyNoise identified a coordinated four-day reconnaissance campaign targeting SonicWall SonicOS infrastructure, comprising 84,142 scanning sessions from 4,305 unique IPs across four distinct clusters systematically mapping SSL VPN-enabled devices. The activity, routed through ByteZero commercial proxy infrastructure with over 4,100 rotating exit IPs, aligns with documented precursor tradecraft for Akira and Fog ransomware initial access via VPN compromise. CVE exploitation attempts were negligible, confirming pre-exploitation target enumeration. With over 430,000 SonicWall firewalls publicly exposed, defenders should prioritize MFA enforcement and patching of CVE-2024-53704.

IOCs in the article.

Source: https://www.greynoise.io/blog/active-reconnaissance-campaign-targets-sonicwall-firewalls-through-commercial-proxy-infrastructure

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Feb 20, 2026

(paloaltonetworks.com) Active Exploitation of Critical BeyondTrust Remote Support CVE-2026-1731 Pre-Authentication RCE Vulnerability

Unit 42 is tracking active exploitation of CVE-2026-1731, a critical unauthenticated remote code execution vulnerability (CVSS 9.9) in BeyondTrust remote support software, affecting over 10,600 exposed instances globally. The flaw is an OS command injection in the thin-scc-wrapper component allowing attackers to execute arbitrary commands via unsanitized WebSocket parameters. Observed activity includes deployment of PHP webshells, SparkRAT and VShell backdoors, DNS tunneling for C2 communications, and PostgreSQL database exfiltration, impacting financial services, legal, healthcare and technology sectors. CISA has added the vulnerability to its KEV catalog.

IOCs in the article.

Source: https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/

@orlysec@swecyb.com · Feb 19, 2026

(proofpoint.com) TrustConnect: New Malware-as-a-Service Masquerades as Legitimate RMM Tool

Proofpoint identified TrustConnect, a malware-as-a-service (MaaS) platform operating as a remote access trojan disguised as a legitimate remote monitoring and management tool, sold at $300/month with a web-based C2 dashboard, automated payload generation using EV certificates, and branded installers impersonating trusted software. Multiple threat actors distributed TrustConnect via email campaigns with varied lures. Following collaborative disruption that revoked the EV certificate, the operator transitioned to new infrastructure called DocConnect, showing operational resilience and likely ties to the Redline stealer ecosystem.

IOCs in the article.

Source: https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat

@orlysec@swecyb.com · Feb 19, 2026

(elastic.co) MIMICRAT: Custom Remote Access Trojan Delivered Through Multi-Stage ClickFix Campaign Targeting Compromised Legitimate Websites

Elastic Security Labs identified an active ClickFix campaign delivering MIMICRAT, a custom C++ remote access trojan, through compromised legitimate websites including bincheck.io and investonline.in. The multistage attack chain begins with PowerShell execution from the clipboard, followed by ETW and AMSI patching, then a Lua 5.4.7 loader that XOR decrypts shellcode to reflectively load the final payload. MIMICRAT supports 22 commands including token impersonation, shellcode injection, and SOCKS5 tunneling, communicating over HTTPS with RC4, RSA 1024, and AES encryption while relaying C2 traffic through CloudFront infrastructure mimicking web analytics requests.

IOCs in the article.

Source: https://www.elastic.co/security-labs/mimicrat-custom-rat-mimics-c2-frameworks

@orlysec@swecyb.com · Feb 19, 2026

(jamf.com) Technical Analysis: How Predator Spyware Bypasses iOS Recording Indicators Through Objective-C Exploitation

Jamf Threat Labs has published an analysis of how Predator commercial spyware, developed by Intellexa/Cytrox, bypasses iOS camera and microphone recording indicators introduced in iOS 14. The spyware hooks SBSensorActivityDataProvider in SpringBoard, setting the self pointer to NULL to exploit Objective-C nil messaging behavior, which silently suppresses both green and orange sensor indicators with a single instruction. The technique requires full device compromise with kernel access. The research also documents Predator's modular architecture, ARM64 pattern matching for function discovery, and PAC bypass methods used for camera access.

Source: https://www.jamf.com/blog/predator-spyware-ios-recording-indicator-bypass-analysis/

@orlysec@swecyb.com · Feb 18, 2026

(wiz.io) OAuth Apps Scout: Detecting Malicious OAuth Applications Through Multi-Stage Analysis Pipeline

Wiz Research identified multiple malicious OAuth application campaigns in Microsoft Entra ID environments affecting over 20 organizations, involving brand impersonation of services such as Adobe, DocuSign, and Microsoft. Attackers exploit OAuth consent mechanisms using techniques including homoglyph character substitution, redirect URIs hosted on free platforms like ClickFunnels and GitHub Pages, and unverified publishers to gain persistent access that survives credential resets and MFA. The research reveals tactical evolution from direct Microsoft spoofing in 2019 to third-party SaaS impersonation in 2025, with cross-environment pivoting through shared reply URLs and ownership domains enabling coordinated campaign identification.

Source: https://www.wiz.io/blog/detecting-malicious-oauth-applications

@orlysec@swecyb.com · Feb 18, 2026

(levelblue.com) Threat Actors Exploit Microsoft Application Registration Redirect URIs for Phishing Campaigns

LevelBlue SpiderLabs identified a phishing technique abusing Microsoft Application Registration Redirect URIs to bypass spam filters and steal credentials. Threat actors register applications in controlled tenants with redirect URIs pointing to malicious infrastructure, leveraging legitimate OAuth 2.0 authentication flows through login.microsoftonline.com to create trusted URLs. The attacks use the prompt=none parameter to silently redirect victims through intermediary workers.dev domains and CAPTCHA challenges to phishing pages that relay credentials to Microsoft servers via man-in-the-middle attacks, capturing valid sessions and MFA tokens. All analyzed samples shared a single client ID, enabling Business Email Compromise operations.

IOCs in the article.

Source: https://www.levelblue.com/blogs/spiderlabs-blog/phishing-with-oauth-redirect

@orlysec@swecyb.com · Feb 17, 2026

(paloaltonetworks.com) Active Exploitation of Critical Ivanti EPMM Zero-Day Vulnerabilities CVE-2026-1281 and CVE-2026-1340

Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile, CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8), are under active exploitation allowing unauthenticated remote code execution. Unit 42 observed widespread attacks targeting government, healthcare, manufacturing, and technology sectors across multiple countries. The flaws exploit bash arithmetic expansion in Apache RewriteMap scripts, requiring no authentication and granting full server control. Attackers are deploying JSP web shells, reverse shells, cryptominers, and persistent backdoors. CISA has added CVE-2026-1281 to its KEV catalog, and over 4,400 EPMM instances have been identified as exposed. Organizations should apply vendor patches immediately.

IOCs in the article.

Source: https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/

#ThreatIntel #Cybersecurity

@orlysec@swecyb.com · Feb 17, 2026

(infoblox.com) Hybrid Investment Scam Campaigns Combine Malvertising with AI-Driven Pig Butchering Targeting Asia

Infoblox researchers identified cryptocurrency investment scam campaigns targeting users in Japan and Asia that combine malvertising with pig butchering techniques at industrial scale. The operations use over 23,000 RDGA-generated domains with shared infrastructure patterns suggesting an as-a-service model, deploying social media ads on Meta platforms to lure victims. Targets are transitioned to messaging apps such as LINE, KakaoTalk, and WhatsApp, where AI-driven chatbots conduct sustained social engineering across time zones. Analysis revealed over 100 distinct domain clusters with consistent TTPs and multilingual targeting, with individual losses reaching ¥10 million.

Source: https://www.infoblox.com/blog/threat-intelligence/banners-bots-and-butchers-an-automated-long-con-targeting-japan-asia-and-beyond/

#Cybersecurity #ThreatIntel
