Security Research Roundup: Supply-Chain Malware, Phishing Operations, and Evolving Social Engineering
Multiple security reports and investigations highlighted active threats spanning software supply chain abuse, phishing operations, and commodity malware delivery. Socket identified four malicious NuGet packages (e.g., NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_) published by hamzazaheer that targeted ASP.NET developers by exfiltrating ASP.NET Identity data (users/roles/permissions) and manipulating authorization to maintain persistence; the campaign used a staged loader that set up a local proxy on localhost:7152 to relay traffic to dynamically resolved C2 infrastructure. Separately, investigators disrupted a logistics-focused phishing-as-a-service operation (“Diesel Vortex”) tied to Russian/Armenian operators, which used dozens of domains to target users of platforms such as DAT, Truckstop, Penske Logistics, EFS, and Timocom, resulting in theft of over 1,600 credentials and attempted EFS check fraud. Fortinet also detailed a multi-stage Agent Tesla infection chain delivered via phishing with RAR attachments leading to .jse and PowerShell stages, culminating in in-memory execution and process hollowing into C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe.
Threat intelligence and ecosystem reporting also underscored how attackers are scaling operations and bypassing traditional controls. Group-IB reported MuddyWater (“Operation Olalampo”) targeting the MENA region with new tooling including GhostFetch and a Rust backdoor (CHAR) controlled via Telegram, plus variants that deploy AnyDesk; the report noted indicators consistent with AI-assisted development. Dark Reading described the rise of telephone-oriented attack delivery (TOAD) emails—messages containing only a phone number—which accounted for a significant share of gateway-bypassing detections in StrongestLayer’s dataset, reflecting a shift toward social-engineering paths that evade link/attachment scanning. Confiant reported disrupting D-Shortiez malvertising operations after discovering exposed internal testing/admin infrastructure, attributing 59 million malicious ad impressions (primarily US-targeted) to scam campaigns, while Interpol-backed Operation Red Card 2.0 reported 651 arrests and $4.3M recovered across 16 African countries in actions against fraud rings and cybercrime syndicates.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Fortinet publishes technical analysis of multi-stage Agent Tesla campaign
Fortinet detailed a high-severity Agent Tesla campaign using phishing emails with RAR attachments, JScript loaders, encrypted PowerShell, and process hollowing to execute the stealer in memory. The report also published indicators of compromise and described anti-analysis and SMTP-based data exfiltration behavior.
Research reveals malicious NuGet and npm supply-chain packages
Security researchers publicly disclosed the NuGet campaign targeting ASP.NET developers and the npm package ambar-src, warning that affected systems may be fully compromised. The NuGet packages had been downloaded more than 4,500 times before removal, while the npm package exceeded 50,000 downloads.
Interpol reports 651 arrests and $4.3 million recovered in Red Card 2.0
Interpol announced that Operation Red Card 2.0 resulted in 651 arrests and recovery of more than $4.3 million. The operation disrupted fraud rings in countries including Nigeria, Kenya, and Côte d’Ivoire, as well as a Nigerian group that compromised a major telecommunications provider.
Researchers disrupt Diesel Vortex phishing infrastructure
Investigators from Have I Been Squatted and Ctrl-Alt-Int3l disrupted the months-long Diesel Vortex phishing-as-a-service operation after an exposed .git directory revealed source code, victim data, and internal communications. The campaign used 52 phishing domains to target about 57,000 freight and logistics users, stealing more than 1,600 credentials and enabling 35 attempted EFS check-fraud cases.
Group-IB exposes new MuddyWater malware in Operation Olalampo
Group-IB reported that Operation Olalampo introduced new malware families including GhostFetch, GhostBackDoor, and the Rust-based CHAR backdoor, along with an updated HTTP_VIP downloader. The firm also assessed that CHAR may have been AI-assisted based on development artifacts.
Confiant reports D-Shortiez served 59 million malicious ad impressions
Confiant disclosed that D-Shortiez delivered 59 million malicious ad impressions during 2025, with about 95% aimed at U.S. users. The company said it shared indicators with ad platforms to support takedowns and broader ecosystem mitigation.
Malicious npm package ambar-src is uploaded
In February 2026, attackers uploaded the npm package ambar-src, which was later found to execute OS-specific malware through a preinstall hook. The package was downloaded more than 50,000 times and delivered payloads for Windows, Linux, and macOS systems.
MuddyWater launches Operation Olalampo in the MENA region
Group-IB observed the Iranian-linked threat actor MuddyWater begin a new campaign called Operation Olalampo on January 26, 2026. The operation used phishing documents and exploitation of recently disclosed server vulnerabilities to target organizations and individuals across the MENA region.
StrongestLayer tracks surge in gateway-bypassing phishing techniques
From December 2025 to late February 2026, StrongestLayer analyzed about 5,000 email threats that bypassed secure email gateways across enterprise environments. The study found TOAD emails accounted for nearly 28% of detections and documented more than 1,400 unique evasion combinations.
Operation Red Card 2.0 is conducted across 16 African countries
During December 2025 and January 2026, law enforcement agencies in 16 African countries carried out Operation Red Card 2.0 with Interpol and private-sector support. The coordinated action targeted cybercriminal operations involved in fraud, telecom compromise, and other transnational cyber-enabled crimes.
Second D-Shortiez campaign cluster is identified
In late November 2025, Confiant identified a second campaign cluster with similar fingerprints and exposed origin infrastructure through another test page and historical Censys data. The infrastructure included a Hong Kong IP and SSL certificate references to the Baota/Pagoda administration panel.
Confiant discovers exposed D-Shortiez testing page
In late June 2025, Confiant found an exposed internal testing page used by D-Shortiez. The access allowed Confiant to automate collection of newly staged domains and block infrastructure before campaigns went live.
D-Shortiez expands into Windows tech support scam malvertising
In 2025, Confiant observed D-Shortiez broaden its activity from giveaway scams into Microsoft Windows-branded tech support scams. The new scam line reused the same domains, URL paths, and Binom TDS tooling, supporting attribution to the same operator.
Malicious NuGet packages are published to target ASP.NET developers
Four malicious NuGet packages — NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ — were published in August 2024 by the user “hamzazaheer.” The packages were designed to exfiltrate ASP.NET Identity data and manipulate authorization rules to create persistent backdoors in affected applications.
D-Shortiez begins forced-redirect malvertising activity
Confiant had tracked the malvertising actor D-Shortiez since 2022, when it was associated with forced-redirect ads leading to fake Google gift card and Amazon giveaway scams. This establishes the earliest known activity for the operator later tied to broader scam infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware
thehackernews.com
Open sourceOperation Red Card 2.0 Leads to 651 Arrests in Africa
darkreading.com
Open sourceWhy 'Call This Number' TOAD Emails Beat Gateways
darkreading.com
Open sourceUnmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign | FortiGuard Labs
feeds.fortinet.com
Open sourcePhishing Platform Targeting Trucking and Logistics Disrupted
bankinfosecurity.com
Open sourceMuddyWater APT launches Operation Olalampo with new malware targeting MENA region | brief | SC Media
scworld.com
Open sourceDisrupting 59M Malicious Impressions: Inside D-Shortiez Testing Infrastructure and Campaign Management
blog.confiant.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
Mar 21, 2026
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
Mar 21, 2026