Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. Check Point reported on Silver Dragon, a Chinese-aligned activity cluster assessed as operating under the broader APT41 umbrella, targeting organizations in Southeast Asia and Europe (notably government) via exploitation of public-facing servers and phishing, then deploying Cobalt Strike, DNS tunneling, and a new Google Drive–based backdoor (GearDoor) alongside custom tools (SSHcmd and SliverScreen) for remote access and screen capture. Microsoft detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and EV code-signed malware (certificate issued to TrustConnect Software PTY LTD) masquerading as common workplace apps (e.g., msteams.exe, adobereader.exe, zoomworkspace.clientsetup.exe) to install legitimate RMM tooling (ScreenConnect, Tactical RMM, Mesh Agent) for persistent access and lateral movement.
Other reporting highlighted additional, unrelated campaigns and tradecraft:

ClearSky described a Russian-aligned operation targeting Ukraine using a phishing-delivered ZIP/HTA chain that drops a .NET loader (BadPaw) and backdoor (MeowMeow), protected with .NET Reactor obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to APT28).

Cofense-reported activity (via SC Media) showed phishing that abuses Windows File Explorer and the WebDAV protocol, using URL and LNK shortcut files to pull payloads (notably AsyncRAT, XWorm, DcRAT) from infrastructure that included Cloudflare Tunnel domains hosting WebDAV servers.

Cisco Talos reported Dohdoor activity (tracked as UAT-10027) that targeted US education and healthcare, using a PowerShell→batch→DLL sideloading chain via legitimate executables (e.g., Fondue.exe, mblctr.exe, ScreenClippingHost.exe) and DNS-over-HTTPS to Cloudflare for C2 discovery and tunneling.

Separately, Zscaler reported ScarCruft’s Ruby Jumper campaign using Zoho WorkDrive for C2 and removable-media components to reach air-gapped systems, while another Zscaler report analyzed Dust Specter targeting Iraqi government officials with password-protected RAR delivery and modular implants.

Qianxin XLab assessed that the sanctioned infrastructure provider Funnull had resurfaced to support scam/criminal supply chains and potential MacCMS-related supply-chain activity, and F5 Labs summarized APT42’s TAMECAT PowerShell backdoor, focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS, along with specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)

How this story unfolded
18 events from the most recent confirmed update back to the earliest known activity.
Check Point links Silver Dragon to the APT41 umbrella
Check Point Research published details on Silver Dragon, describing three infection chains, custom tools including GearDoor, SilverScreen, and SSHcmd, and persistent use of Cobalt Strike and DNS tunneling. The company assessed with high confidence that the cluster is linked to a Chinese-nexus actor under the APT41 umbrella.
ClearSky reveals BadPaw and MeowMeow campaign against Ukraine
ClearSky disclosed a phishing campaign targeting Ukraine that used a ZIP-delivered HTA lure to install the BadPaw loader and MeowMeow backdoor. The firm attributed the activity with high confidence to a Russian state-aligned actor and with low confidence to APT28.
Qianxin exposes Funnull's RingH23 and MacCMS attacks
Qianxin XLab reported that Funnull had resurfaced with the RingH23 server-side compromise framework and MacCMS supply-chain attacks. The report detailed compromise of GoEdge CDN management nodes, SSH-based lateral movement, rootkit and Nginx-module deployment, and large-scale malicious JavaScript redirection affecting mobile users.
Cisco Talos discloses Dohdoor malware campaign details
Reporting on March 2, 2026 described the ongoing Dohdoor campaign against U.S. schools and healthcare, including its anti-forensics, process hollowing, and Cloudflare DoH-based C2 techniques. Talos said attribution remained uncertain despite low-confidence overlaps with Lazarus Group tradecraft.
Zscaler publishes Dust Specter campaign targeting Iraqi officials
Zscaler ThreatLabz disclosed the Dust Specter APT campaign targeting government officials in Iraq using two related malware chains: SPLITDROP/TWINTASK/TWINTALK and GHOSTFORM. The campaign used password-protected archives, DLL sideloading, file-based inter-process tasking, and a Google Forms lure impersonating an Iraqi Ministry of Foreign Affairs survey.
F5 reports mass exploitation of Magento SessionReaper zero-day
F5 Labs reported that the Magento zero-day CVE-2025-54236, dubbed SessionReaper, was being mass-exploited and had compromised more than 200 stores. The bulletin also highlighted active exploitation of Ivanti EPMM zero-days and other critical flaws requiring urgent patching.
Microsoft observes signed malware phishing campaigns using workplace lures
In February 2026, Microsoft Defender Experts observed multiple phishing campaigns using meeting and document lures to deliver malware disguised as workplace software. The payloads were signed with an EV certificate issued to TrustConnect Software PTY LTD and deployed RMM tools including ScreenConnect, Tactical RMM, and MeshAgent.
ThreatLabz identifies ScarCruft's Ruby Jumper campaign
Zscaler ThreatLabz first identified the North Korea-linked Ruby Jumper campaign in December 2025. The operation used malicious LNK files, multiple malware families, Zoho WorkDrive-based C2, and removable media to bridge air-gapped environments.
Dohdoor campaign begins targeting U.S. schools and healthcare
Cisco Talos said a campaign attributed to UAT-10027 had been active since at least December 2025, primarily targeting U.S. education and healthcare organizations. The operation used phishing, DLL sideloading, and a new Windows backdoor called Dohdoor that relied on DNS-over-HTTPS for C2.
Funnull expands into MacCMS supply-chain poisoning
Researchers reported that Funnull poisoned the official update channel of the maccms.la edition of MacCMS/AppleCMS in 2025 to deliver PHP backdoors. The backdoors injected Funnull-style JavaScript loaders and redirectors using short-lived payload URLs to hinder forensics.
Funnull-linked RingH23 activity is first detected
Researchers detected a Linux ELF downloader from download.zhw[.]sh on July 9, 2025, marking the start of observed RingH23 activity attributed to Funnull. Infrastructure such as client.110[.]nz also showed unusually high DNS resolution volume.
Suspicious CDN1.AI infrastructure is created
Researchers reported that CDN1.AI, a suspicious infrastructure layer later assessed as possibly Funnull-controlled, was created in June 2025. It was later linked to migration of malicious JavaScript hosting used in redirection activity.
OFAC sanctions Funnull Technology Inc. and Fangneng CDN
The U.S. Treasury's OFAC sanctioned Funnull Technology Inc. and Fangneng CDN for their role in enabling large-scale pig-butchering scams and related infrastructure abuse. The sanctions became a key reference point in later reporting on Funnull's re-emergence.
WebDAV malware campaigns escalate sharply
Cofense reported a notable escalation in the WebDAV abuse campaigns in September 2024, with phishing emails—often German-language fake invoices—targeting European corporate networks. Malicious infrastructure included Cloudflare Tunnel domains hosting WebDAV servers.
Silver Dragon activity starts targeting Europe and Southeast Asia
Check Point assessed the Chinese-aligned Silver Dragon cluster had been active since at least mid-2024 against organizations in Southeast Asia and Europe, especially government entities. The group used exploitation of public-facing servers and phishing to deliver Cobalt Strike and custom tooling.
Funnull-linked GoEdge poisoning incidents occur
May 2024 GoEdge poisoning incidents were later cited as sharing strong code and tradecraft overlap with the RingH23 and JavaScript injection activity attributed to Funnull. These earlier incidents helped support the later attribution assessment.
Polyfill.io supply-chain attack later tied to Funnull-style JS
A February 2024 Polyfill.io supply-chain attack used JavaScript later assessed as nearly identical to code seen in Funnull-linked operations. This similarity was cited as part of later attribution to Funnull.
WebDAV-based malware delivery campaigns begin
Campaigns abusing Windows File Explorer and the WebDAV protocol to deliver malware such as AsyncRAT, XWorm RAT, and DcRAT were active by February 2024. The attacks used direct links, URL shortcut files, and LNK files to trigger remote WebDAV access from phishing lures.
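As an added defender-side example (not code from any of the cited reports), the following Python parses an Internet Shortcut (.url) file and flags targets that point at a remote file share using the WebDAV conventions the campaigns above relied on (host@SSL, host@port, the DavWWWRoot virtual root) or that name an executable payload; all sample shortcut contents are constructed.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample Internet Shortcut (.url) contents; not taken from any campaign.
BENIGN = "[InternetShortcut]\r\nURL=https://intranet.example.com/portal\r\n"
WEBDAV_FILE_URL = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10@8080/DavWWWRoot/invoice/Rechnung.exe\r\n"
)
WEBDAV_UNC = "[InternetShortcut]\r\nURL=\\\\files.example.net@SSL\\DavWWWRoot\\docs\\report.lnk\r\n"

# Windows WebDAV Mini-Redirector conventions: host@SSL, host@<port>, and the DavWWWRoot root.
WEBDAV_MARKERS = re.compile(r"@ssl\b|@\d{2,5}\b|davwwwroot", re.IGNORECASE)
PAYLOAD_EXTS = {".exe", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".hta", ".scr", ".ps1", ".msi"}


def parse_url_shortcut(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    target, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                target = value.strip()
    return target


def remote_host(target):
    """Host part if the target is a file:// URL or UNC path to a remote host, else None."""
    if target.lower().startswith("file:"):
        return urlparse(target).netloc or None  # file:///C:/... has no netloc
    if target.startswith("\\\\") or target.startswith("//"):
        return re.split(r"[\\/]", target.lstrip("\\/"), maxsplit=1)[0] or None
    return None


def assess_url_shortcut(text):
    """Flag shortcuts whose target is a remote share with WebDAV hints or an executable payload."""
    target = parse_url_shortcut(text)
    verdict = {"target": target, "remote_host": None, "webdav_hint": False,
               "executable_payload": False, "suspicious": False}
    if not target:
        return verdict
    verdict["remote_host"] = remote_host(target)
    verdict["webdav_hint"] = bool(WEBDAV_MARKERS.search(target))
    leaf = re.split(r"[\\/]", target.split("?", 1)[0])[-1]  # last path component
    verdict["executable_payload"] = os.path.splitext(leaf)[1].lower() in PAYLOAD_EXTS
    verdict["suspicious"] = verdict["remote_host"] is not None and (
        verdict["webdav_hint"] or verdict["executable_payload"])
    return verdict
```

A local `file:///C:/...` target yields no host and is not flagged, so the check keys on remote access rather than on the file:// scheme alone.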
Sources
Silver Dragon APT Group Targets Europe, Asia Using Google Drive for Covert Communication (cybersecuritynews.com)
APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 (thehackernews.com)
Silver Dragon Targets Organizations in Southeast Asia and Europe - Check Point Research (research.checkpoint.com)
Exposing a Russian Campaign Targeting Ukraine Using New Malware Duo: BadPaw and MeowMeow - ClearSky Cyber Security (clearskysec.com)
Dohdoor Malware Targets U.S. Schools and Healthcare In Multi-Stage Campaign (cyberpress.org)
Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz (zscaler.com)
Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks (blog.xlab.qianxin.com)
Weekly Threat Bulletin - February 4th, 2026 | F5 Labs (f5.com)