Research Highlights Multiple Enterprise Security Control Bypasses and Abuse Paths
Multiple reports describe ways attackers or testers can abuse trusted enterprise features to evade controls. Researchers reported that Palo Alto Networks Cortex XDR Live Terminal can be repurposed as a stealthy command-and-control (C2) channel because its WebSocket-based protocol lacks command signing; an attacker who can intercept the initial WebSocket message can redirect an endpoint to an attacker-controlled server/tenant, leveraging the trusted cortex-xdr-payload.exe component to execute commands in a “living off the land” manner. Separately, a tutorial showed Microsoft Defender for Cloud Apps (reverse-proxy *.mcas.ms) download restrictions for unmanaged devices can be bypassed by spoofing specific browser user-agent strings, allowing direct access to services like Outlook/SharePoint and enabling successful downloads that would otherwise be blocked.
Other material in the set covers adjacent but distinct execution and delivery risks rather than the same product-specific bypasses. CVE-2026-27615 affects ADB-Explorer on Windows: allowing ManualAdbPath to be set to a UNC path in a settings file can lead to remote code execution by pointing the app to an attacker-controlled network share, fixed in Beta 0.9.26022. Cofense also documented ongoing campaigns abusing Windows File Explorer WebDAV handling to deliver malware without a browser download flow, including use of trycloudflare[.]com tunnels to host WebDAV servers and multi-stage script chains to deliver RATs—highlighting a persistent social-engineering and delivery vector that can bypass some browser-centric controls.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose Cortex XDR Live Terminal C2 abuse paths
Research published publicly described two ways to abuse Cortex XDR Live Terminal for command-and-control, including a cross-tenant method using a valid session token and a custom server emulating the WebSocket protocol.
Cofense publishes WebDAV malware delivery research and mitigations
Cofense publicly detailed ongoing abuse of Windows File Explorer and WebDAV for malware delivery, including use of Cloudflare Tunnel demo instances and .url/.lnk files, and recommended user education and detection for suspicious shortcut and network activity.
ADB Explorer RCE issue is fixed in Beta 0.9.26022
ADB Explorer fixed a remote code execution vulnerability in Beta 0.9.26022 involving the ManualAdbPath setting, which previously allowed execution of an attacker-hosted ADB binary from a UNC path.
User-Agent bypass of O365 unmanaged-device download restrictions is disclosed
A Project Black blog post disclosed that Microsoft Defender for Cloud Apps app-enforced restrictions for unmanaged devices can be bypassed by changing the browser User-Agent, allowing downloads from Outlook on the web and SharePoint.
Research finds Cortex XDR Live Terminal bypass still works on 8.9.1
Researchers said testing in February 2026 showed the Cortex XDR Live Terminal redirection bypass still worked on version 8.9.1 despite Palo Alto Networks stating versions 8.7 through 8.9 contained a fix.
Palo Alto Networks is notified of Cortex XDR Live Terminal abuse
Researchers notified Palo Alto Networks in late 2025 that Cortex XDR's Live Terminal feature could be abused as a stealthy command-and-control channel through weak server validation and lack of command signing.
WebDAV malware campaigns surge in volume
Cofense reported that abuse of File Explorer and WebDAV increased significantly in September 2024 and remained persistent, with campaigns often delivering multiple RAT families such as XWorm, AsyncRAT, and DcRAT.
Threat actors begin abusing File Explorer WebDAV delivery
Cofense observed threat actors using Windows File Explorer and WebDAV as a malware delivery technique as early as February 2024, relying on file:// links, UNC paths, and shortcut files to retrieve payloads from remote servers.
Microsoft deprecates native WebDAV support in File Explorer
Microsoft deprecated native WebDAV support in Windows File Explorer, though the capability remained available on many systems afterward and continued to be abused by threat actors.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Hackers Abuse Windows File Explorer and WebDAV for Stealthy Malware Delivery
cybersecuritynews.com
Open sourceHackers Can Abuse Cortex XDR Live Terminal Feature for C2 Communications
cybersecuritynews.com
Open sourceCVE-2026-27615 - ADB-Explorer: UNC Path Support in ManualAdbPath Leads to Remote Code Execution (RCE)
cvefeed.io
Open sourceAbusing Windows File Explorer and WebDAV for Malware Delivery
cofense.com
Open sourcePreventing Downloads from Unmanaged Devices in O365
projectblack.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026
Weekly Cyber Threat Roundups Highlight Linux Fileless Malware, Office Zero-Day Exploitation, and Multiple Breach Claims
Multiple weekly threat roundups and research posts reported a mix of active exploitation, new malware tradecraft, and breach claims. Ukraine’s CERT reported **APT28** rapidly weaponized a Microsoft Office zero-day (**CVE-2026-21509**) within roughly a day of Microsoft’s disclosure, using spearphishing emails with malicious DOC lures to deliver **Covenant** backdoors against Ukrainian government targets and EU-related entities. Separately, researchers described **ShadowHS**, a stealthy **fileless Linux** post-exploitation framework that runs in-memory (e.g., via `memfd`-style execution), uses encrypted multi-stage loading (AES-256-CBC), fingerprints defensive tooling (including major EDR agents), and retains operator-driven capabilities such as credential theft, lateral movement, and covert tunneling for exfiltration. Other reporting highlighted incident and exposure claims and defensive takeaways. Check Point described a **supply-chain compromise** affecting *eScan* (MicroWorld Technologies) in which malicious updates were pushed through the legitimate updater, prompting an emergency shutdown of global update services; it also noted **Crunchbase** confirmed a breach affecting **2M+ records** claimed by **ShinyHunters**, and cited extortion/leak claims involving **Qilin** (Tulsa International Airport) and **WorldLeaks** (Nike). Google’s legal/technical disruption of the **IPIDEA** residential proxy network was also cited as reducing available proxy nodes by millions and cutting off C2 domains used to route attacker traffic. Additional coverage described a phishing chain using a fake DHL invoice to abuse a signed Java utility via **DLL sideloading** (malicious `jli.dll`) and **process hollowing** into `AddInProcess32.exe` to run **Phantom Stealer**; detection-engineering updates emphasized new rules for Windows defense-evasion (e.g., tampering with Credential Guard/HVCI, disabling AMSI and the vulnerable driver blocklist) and expanded Kubernetes and Linux post-exploitation detections.
Mar 21, 2026
Exploitation of Managed File Transfer and Messaging Server Vulnerabilities for Remote Code Execution and Ransomware Deployment
Threat actors continue to prioritize internet-facing infrastructure that provides high-leverage initial access, with multiple reports highlighting **active exploitation of remote code execution (RCE) paths** in widely deployed services. A DFIR case study described attackers exploiting **Apache ActiveMQ** `CVE-2023-46604` by sending a crafted OpenWire command that forced the broker to load a remote Spring XML configuration, leading to payload retrieval via `certutil`, rapid privilege escalation to **SYSTEM**, credential dumping from **LSASS**, and eventual **LockBit** ransomware deployment via **RDP** after re-entry using previously stolen privileged credentials. Separately, incident-response reporting warned of ongoing exploitation against **Managed File Transfer (MFT)** products, including Gladinet *CentreStack* (an LFI issue `CVE-2025-11371` used in an exploit chain culminating in RCE, patched as `CVE-2025-30406`) and Fortra *GoAnywhere MFT* (`CVE-2025-10035`, improper deserialization leading to RCE), with observed activity linked to a threat group associated with **Medusa** ransomware. Broader telemetry and research reinforced that edge and externally exposed services remain the primary battleground for initial access at scale. GreyNoise reported nearly **3 billion** malicious sessions against edge infrastructure in 2H 2025, with heavy targeting of enterprise VPNs (notably **Palo Alto GlobalProtect**) and continued exploitation attempts for older issues such as `CVE-2020-2034`, alongside pervasive scanning of **SSH** and remote access services. In parallel, financially motivated and cybercrime-enabling ecosystems are improving their ability to reach victims: Varonis detailed **1Campaign**, a cloaking service that helps malicious **Google Ads** evade review by serving benign pages to scanners while directing real users to phishing/crypto-drainer content, and Have I Been Squatted documented **Diesel Vortex**, a logistics-focused credential-phishing operation using dozens of domains and an exposed backend repository to support industrialized theft. These trends align with reporting that attackers are increasingly using **AI-assisted social engineering and tooling** (including deepfakes and AI-generated phishing) and with law-enforcement actions such as Interpol-backed **Operation Red Card 2.0**, which resulted in **651 arrests** and $4.3M recovered from cyber-enabled fraud activity across 16 African countries.
Mar 21, 2026