Mallory

Weekly threat intelligence roundup covering breaches, ransomware, and emerging AI-enabled tradecraft

Tags: ransomware, malicious macros, phishing, internet scanning, social engineering, credential compromise, breach, cryptocurrency, third-party access, backdoor, AI-enabled

Updated February 23, 2026 at 02:00 PM (7 sources)

Reporting during the week of Feb. 23 highlighted multiple unrelated security incidents and research findings rather than a single cohesive event. France’s Ministry of Economy disclosed unauthorized access to the national bank account registry FICOBA, exposing data tied to ~1.2 million accounts (e.g., names, addresses, account identifiers, and in some cases tax-related identifiers), with officials attributing access to compromised government credentials. Separately, Advantest reported a ransomware intrusion following third-party unauthorized access, University of Mississippi Medical Center experienced a ransomware event that disrupted clinics and electronic medical records, and Ukraine’s National Bank reported a supply-chain exposure at a contractor supporting its collectible coin online store (customer registration data exposed; payment data reportedly unaffected). In Taiwan, Taipei Grand Hotel said a third party accessed internal systems without authorization during the Lunar New Year period; the hotel took networks offline for forensics and warned customers to be cautious of suspicious messages.

Threat-actor and technique reporting also described ongoing campaigns and emerging tradecraft. MuddyWater (Iran-aligned) was reported targeting MENA organizations in “Operation Olalampo,” using phishing lures with malicious Office documents/macros to deploy tooling including GhostFetch, HTTP_VIP, a Rust backdoor CHAR, and an implant dubbed GhostBackDoor, with one chain also deploying AnyDesk for remote access. Separately, reporting on DPRK-linked crypto operations described sustained, social-engineering-led targeting of the crypto ecosystem following the Bybit theft, including AI-assisted persona and communication crafting and laundering via mixing/OTC pathways. Additional research noted internet-wide scanning telemetry involving OAST/Interactsh callback domains and shifts toward cookie-based injection, while another item profiled PRC-attributed Lotus Blossom as an espionage actor (including discussion of the Notepad++ ecosystem incident) and a separate post provided general reconnaissance methodology rather than incident-specific intelligence.

Sources

Source items dated February 23, 2026 at 09:01 AM, with two further items from sources such as taiwannews.com.tw and the SOCRadar blog.

Related Stories

Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation

The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. 
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
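For the INCLUDEPICTURE beaconing noted in the APT28 item above, the following is a defender-side check, added here as an example and not code from Mallory or from any of the cited reports, that flags Office documents whose field codes would make Word fetch a remote URL when the field is updated. The minimal .docx and the `callback.example` URL are constructed for the test; real documents will have more parts, which the walk over `word/*.xml` also covers.

```python
import io
import re
import zipfile

# A complex field sits between fldChar begin/end runs and its code may be
# split across several w:instrText elements; a simple field keeps its whole
# code in the w:instr attribute. Both forms are collected.
_FIELD_SPAN = re.compile(r'w:fldCharType="begin"(.*?)w:fldCharType="end"', re.S)
_INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
_FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
_HTTP_URL = re.compile(r'https?://[^\s"<]+', re.I)
# Field types that make Word fetch a resource when the field is updated.
REMOTE_FIELDS = ("INCLUDEPICTURE", "INCLUDETEXT")

def extract_field_codes(docx_bytes: bytes) -> list[str]:
    """Return every field code found in the word/*.xml parts of a .docx."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for span in _FIELD_SPAN.findall(xml):
                codes.append("".join(_INSTR_TEXT.findall(span)).strip())
            codes.extend(c.strip() for c in _FLD_SIMPLE.findall(xml))
    return codes

def find_remote_field_beacons(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (field_name, url) pairs for fields that would call out to a URL."""
    hits = []
    for code in extract_field_codes(docx_bytes):
        parts = code.split()
        if not parts or parts[0].upper() not in REMOTE_FIELDS:
            continue
        hits.extend((parts[0].upper(), u) for u in _HTTP_URL.findall(code))
    return hits

def build_sample_docx(field_code: str) -> bytes:
    """Constructed minimal .docx (only word/document.xml) for local testing."""
    xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{field_code}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()
```

Running `find_remote_field_beacons` over a mail-gateway or sandbox sample queue gives a cheap triage signal that does not depend on the macro itself being present or deobfuscated.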

3 weeks ago
Mixed Threat Reporting: Cloud Worm Campaigns, Tor-Enabled Espionage, and GitHub Supply-Chain Malware

The provided items do not describe a single cohesive cybersecurity event; they are a mix of unrelated threat reporting and one executive opinion piece. Reported activity includes: **TeamPCP** (aka *DeadCatx3/PCPcat/ShellForce*) running a worm-driven campaign against cloud-native environments by abusing exposed Docker and Kubernetes APIs, Ray dashboards, Redis, and the critical **React2Shell** vulnerability `CVE-2025-55182` to build distributed criminal infrastructure used for proxying/scanning, follow-on compromise, data theft/extortion, and cryptomining. Separately, **Vortex Werewolf** (as described by BI.ZONE) targeted Russian government/defense entities via phishing lures that led to Tor-routed remote access over **RDP/SMB/SFTP/SSH**, using legitimate utilities and Windows persistence (e.g., scheduled tasks) to maintain covert access. Additional reporting describes a GitHub-focused supply-chain campaign targeting IT and OSINT professionals: attackers revived dormant GitHub accounts, published AI-generated “legitimate-looking” repositories, then introduced malicious “maintenance” commits delivering a backdoor dubbed **PyStoreRAT** (JavaScript/HTA), used as a loader for follow-on payloads including **Rhadamanthys** stealer and capable of spreading via removable media. A weekly threat bulletin also lists multiple ransomware disruptions (including an attack claimed by **Qilin** against Romania’s oil pipeline operator Conpet) and an AI-assisted cloud intrusion scenario involving exposed credentials in public S3 buckets, rapid privilege escalation via Lambda/IAM abuse, and **LLMjacking** via Amazon Bedrock; however, these are separate incidents rather than one unified story. One CSO Online item is general CISO/compliance commentary and does not add incident-specific intelligence.

1 month ago
Security Research Roundup: Supply-Chain Malware, Phishing Operations, and Evolving Social Engineering

Multiple security reports and investigations highlighted active threats spanning software supply chain abuse, phishing operations, and commodity malware delivery. Socket identified **four malicious NuGet packages** (e.g., *NCryptYo*, *DOMOAuth2_*, *IRAOAuth2.0*, *SimpleWriter_*) published by `hamzazaheer` that targeted **ASP.NET** developers by exfiltrating ASP.NET Identity data (users/roles/permissions) and manipulating authorization to maintain persistence; the campaign used a staged loader that set up a local proxy on `localhost:7152` to relay traffic to dynamically resolved C2 infrastructure. Separately, investigators disrupted a logistics-focused **phishing-as-a-service** operation (“**Diesel Vortex**”) tied to Russian/Armenian operators, which used dozens of domains to target users of platforms such as **DAT**, **Truckstop**, **Penske Logistics**, **EFS**, and **Timocom**, resulting in theft of over **1,600 credentials** and attempted **EFS check fraud**. Fortinet also detailed a **multi-stage Agent Tesla** infection chain delivered via phishing with RAR attachments leading to `.jse` and PowerShell stages, culminating in in-memory execution and process hollowing into `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe`.

Threat intelligence and ecosystem reporting also underscored how attackers are scaling operations and bypassing traditional controls. Group-IB reported **MuddyWater** (“Operation Olalampo”) targeting the **MENA** region with new tooling including **GhostFetch** and a Rust backdoor (**CHAR**) controlled via **Telegram**, plus variants that deploy **AnyDesk**; the report noted indicators consistent with **AI-assisted development**. Dark Reading described the rise of **telephone-oriented attack delivery (TOAD)** emails—messages containing only a phone number—which accounted for a significant share of gateway-bypassing detections in StrongestLayer’s dataset, reflecting a shift toward social-engineering paths that evade link/attachment scanning. Confiant reported disrupting **D-Shortiez** malvertising operations after discovering exposed internal testing/admin infrastructure, attributing **59 million** malicious ad impressions (primarily US-targeted) to scam campaigns, while Interpol-backed **Operation Red Card 2.0** reported **651 arrests** and **$4.3M** recovered across 16 African countries in actions against fraud rings and cybercrime syndicates.

2 weeks ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.