Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes APT28 activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via INCLUDEPICTURE to webhook[.]site and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, MuddyWater (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a Char backdoor using a Telegram bot for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing.
Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of Apache ActiveMQ CVE-2023-46604 to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy LockBit-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used Session for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including GrayCharlie injecting malicious JavaScript into WordPress sites to push NetSupport RAT, Stealc, and SectopRAT via fake updates/ClickFix-style CAPTCHAs, and a separate ClickFix campaign delivering a custom C++ RAT (MIMICRAT) through fake Cloudflare verification prompts that trick users into running PowerShell. Additional, unrelated threat reporting included a NuGet supply-chain attack (typosquatted NCryptYo plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “Promise Bomb” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
Related Stories

Mixed Threat Reporting: Cloud Worm Campaigns, Tor-Enabled Espionage, and GitHub Supply-Chain Malware
The provided items do not describe a single cohesive cybersecurity event; they are a mix of unrelated threat reporting and one executive opinion piece. Reported activity includes: **TeamPCP** (aka *DeadCatx3/PCPcat/ShellForce*) running a worm-driven campaign against cloud-native environments by abusing exposed Docker and Kubernetes APIs, Ray dashboards, Redis, and the critical **React2Shell** vulnerability `CVE-2025-55182` to build distributed criminal infrastructure used for proxying/scanning, follow-on compromise, data theft/extortion, and cryptomining. Separately, BI.ZONE-described **Vortex Werewolf** targeted Russian government/defense entities via phishing lures that lead to Tor-routed remote access over **RDP/SMB/SFTP/SSH**, using legitimate utilities and Windows persistence (e.g., scheduled tasks) to maintain covert access. Additional reporting describes a GitHub-focused supply-chain campaign targeting IT and OSINT professionals: attackers revived dormant GitHub accounts, published AI-generated “legitimate-looking” repositories, then introduced malicious “maintenance” commits delivering a backdoor dubbed **PyStoreRAT** (JavaScript/HTA), used as a loader for follow-on payloads including **Rhadamanthys** stealer and capable of spreading via removable media. A weekly threat bulletin also lists multiple ransomware disruptions (including an attack claimed by **Qilin** against Romania’s oil pipeline operator Conpet) and an AI-assisted cloud intrusion scenario involving exposed credentials in public S3 buckets, rapid privilege escalation via Lambda/IAM abuse, and **LLMjacking** via Amazon Bedrock; however, these are separate incidents rather than one unified story. One CSO Online item is general CISO/compliance commentary and does not add incident-specific intelligence.
1 month ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
1 week ago
Security Research Roundup: Supply-Chain Malware, Phishing Operations, and Evolving Social Engineering
Multiple security reports and investigations highlighted active threats spanning software supply chain abuse, phishing operations, and commodity malware delivery. Socket identified **four malicious NuGet packages** (e.g., *NCryptYo*, *DOMOAuth2_*, *IRAOAuth2.0*, *SimpleWriter_*) published by `hamzazaheer` that targeted **ASP.NET** developers by exfiltrating ASP.NET Identity data (users/roles/permissions) and manipulating authorization to maintain persistence; the campaign used a staged loader that set up a local proxy on `localhost:7152` to relay traffic to dynamically resolved C2 infrastructure. Separately, investigators disrupted a logistics-focused **phishing-as-a-service** operation (“**Diesel Vortex**”) tied to Russian/Armenian operators, which used dozens of domains to target users of platforms such as **DAT**, **Truckstop**, **Penske Logistics**, **EFS**, and **Timocom**, resulting in theft of over **1,600 credentials** and attempted **EFS check fraud**. Fortinet also detailed a **multi-stage Agent Tesla** infection chain delivered via phishing with RAR attachments leading to `.jse` and PowerShell stages, culminating in in-memory execution and process hollowing into `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe`. Threat intelligence and ecosystem reporting also underscored how attackers are scaling operations and bypassing traditional controls. Group-IB reported **MuddyWater** (“Operation Olalampo”) targeting the **MENA** region with new tooling including **GhostFetch** and a Rust backdoor (**CHAR**) controlled via **Telegram**, plus variants that deploy **AnyDesk**; the report noted indicators consistent with **AI-assisted development**. 
Dark Reading described the rise of **telephone-oriented attack delivery (TOAD)** emails—messages containing only a phone number—which accounted for a significant share of gateway-bypassing detections in StrongestLayer’s dataset, reflecting a shift toward social-engineering paths that evade link/attachment scanning. Confiant reported disrupting **D-Shortiez** malvertising operations after discovering exposed internal testing/admin infrastructure, attributing **59 million** malicious ad impressions (primarily US-targeted) to scam campaigns, while Interpol-backed **Operation Red Card 2.0** reported **651 arrests** and **$4.3M** recovered across 16 African countries in actions against fraud rings and cybercrime syndicates.
2 weeks ago