Multiple Unrelated Cybersecurity Reports: Iranian Spear-Phishing, Alleged Mexican Government Data Leak, and Lazarus ‘Contagious Interview’ Findings
The provided items do not describe a single cohesive cybersecurity event; they cover separate incidents and research. Dark Reading reported an Iran-linked credential theft and surveillance effort targeting people of interest abroad (including Iranian expats and regional targets) using spear-phishing and social engineering, including lures delivered via WhatsApp and phishing infrastructure that was rapidly stood up and taken down as campaigns shifted targets.
Separately, Dark Reading covered allegations that the Chronus Group leaked 2.3TB of data purportedly sourced from 25+ Mexican government institutions, claiming exposure affecting 36 million people; Mexico’s ATDT disputed that it represented a new breach, stating it appeared to be aggregated data from prior incidents and that impacted systems were largely obsolete, third-party administered state-level platforms. In parallel, Red Asgard published new technical findings on the Lazarus-linked “Contagious Interview” activity targeting developers/freelancers via fake recruiting, reporting recovery of 241,764 plaintext credentials from unauthenticated endpoints, identification of an AnyDesk-based RAT with persistent remote access and hardcoded attacker credentials, and additional detection content (e.g., YARA and Snort rules).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Researchers expose credential database in Iranian-linked phishing infrastructure
Analysis of the phishing infrastructure uncovered a path traversal flaw that exposed a database containing hundreds of stolen credentials and two-factor authentication codes. The same infrastructure also served fake Gmail login pages and phone-number collection pages.
Second wave adds Telegram and X impersonation lures
A follow-on wave of the same espionage campaign expanded to new social-engineering themes, including a fake Telegram bot threatening account deletion and an X impersonation of activist Fatema Al Harbi sending fake Google Meet invitations for credential theft. Researchers noted the infrastructure appeared to support both espionage and cybercrime use cases.
Iran-linked phishing campaign targets expatriates and activists
A highly targeted spear-phishing campaign attributed with varying confidence to Iranian-linked operators began targeting people of interest outside Iran, including expatriates, Syrians, and Israelis. Early lures used WhatsApp-themed messages and DuckDNS-hosted credential-harvesting pages to steal logins and attempt account takeovers.
Mexico's ATDT disputes breach scale and begins containment actions
Mexico's Agencia de Transformación Digital y Telecomunicaciones said its analysis indicated the dataset was largely an aggregation of information from prior breaches and that no sensitive data publication had been identified. The agency was described as taking initial containment steps such as revoking credentials and supporting remediation.
Chronus Group claims 2.3TB leak from Mexican government institutions
A hacktivist collective calling itself Chronus Group claimed to have leaked 2.3TB of data allegedly affecting 36 million Mexicans and sourced from at least 25 government institutions. The purportedly exposed information included names, phone numbers, addresses, dates of birth, and IMSS Bienestar registration data.
Red Asgard publishes detections and reports findings to authorities
Following its investigation, Red Asgard released community detections including 16 YARA rules and 88 Snort rules. The firm also reported the incident to the FBI's IC3 and later to CISA.
Red Asgard identifies AnyDesk RAT and backend flaws in campaign infrastructure
Researchers identified a fourth malware family, a custom AnyDesk RAT that silently installs and configures AnyDesk for persistent attacker access. They also mapped the backend infrastructure, found an IDOR flaw in the /allinfo endpoint, enumerated operator accounts, and decrypted a custom XOR-based protocol used for beacon scheduling.
Red Asgard confirms Lazarus-linked C2 is live and leaking victim data
In its continued investigation of the 'Contagious Interview' campaign, Red Asgard determined the command-and-control infrastructure was operational rather than a honeypot. Researchers retrieved 241,764 plaintext credentials tied to 857 victims across 90 countries from unauthenticated HTTP endpoints.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Protests Don't Impede Iranian Spying on Expats, Syrians, Israelis
darkreading.com
Open sourceBig Breach or Nada de Nada? Mexican Gov't Faces Leak Allegations
darkreading.com
Open sourceHunting Lazarus Part IV: Real Blood on the Wire ? Red Asgard Blog
redasgard.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
Mar 21, 2026
Weekly threat intelligence roundup covering breaches, ransomware, and emerging AI-enabled tradecraft
Reporting during the week of Feb. 23 highlighted multiple unrelated security incidents and research findings rather than a single cohesive event. **France’s Ministry of Economy** disclosed unauthorized access to the national bank account registry **FICOBA**, exposing data tied to **~1.2 million accounts** (e.g., names, addresses, account identifiers, and in some cases tax-related identifiers), with officials attributing access to **compromised government credentials**. Separately, **Advantest** reported a **ransomware** intrusion following third-party unauthorized access, **University of Mississippi Medical Center** experienced a ransomware event that disrupted clinics and electronic medical records, and **Ukraine’s National Bank** reported a **supply-chain** exposure at a contractor supporting its collectible coin online store (customer registration data exposed; payment data reportedly unaffected). In Taiwan, **Taipei Grand Hotel** said a third party accessed internal systems without authorization during the Lunar New Year period; the hotel took networks offline for forensics and warned customers to be cautious of suspicious messages. Threat-actor and technique reporting also described ongoing campaigns and emerging tradecraft. **MuddyWater** (Iran-aligned) was reported targeting **MENA** organizations in “Operation Olalampo,” using phishing lures with malicious Office documents/macros to deploy tooling including **GhostFetch**, **HTTP_VIP**, a Rust backdoor **CHAR**, and an implant dubbed **GhostBackDoor**, with one chain also deploying *AnyDesk* for remote access. Separately, reporting on **DPRK-linked** crypto operations described sustained, social-engineering-led targeting of the crypto ecosystem following the **Bybit** theft, including AI-assisted persona and communication crafting and laundering via mixing/OTC pathways. Additional research noted internet-wide scanning telemetry involving **OAST/Interactsh** callback domains and shifts toward cookie-based injection, while another item profiled PRC-attributed **Lotus Blossom** as an espionage actor (including discussion of the *Notepad++* ecosystem incident) and a separate post provided general reconnaissance methodology rather than incident-specific intelligence.
Mar 21, 2026
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
Mar 21, 2026