Platform
Arbis AI
Solutions
About
Book a Demo
Dropdown

Threat Advisories

Expert threat advisories published daily by HiveForce Labs, covering ransomware campaigns, advanced persistent threats (APTs), critical vulnerabilities, and malware analysis. Each advisory provides detailed intelligence on threat characteristics, potential impact, and recommended remediation steps to help security teams take immediate, informed action.
Amber | Attack
DoubleClick Deception: Malspam Campaign Delivers Stealthy .NET Malware
June 9, 2026
Read More
Amber | Attack
New CMD Organization Ransomware Hits U.S. Healthcare with Auction Extortion
June 9, 2026
Read More
Red | Vulnerability
Cisco Unified CM Flaw Exposes Systems to Root-Level Compromise
June 9, 2026
Read More
Red | Attack
Qilin Rising: Continued Global Dominance and Expanded Tradecraft
June 9, 2026
Read More
Amber | Attack
Vibe-Coding the Kill Chain: The GREYVIBE Story
TA2026153 — GREYVIBE Actor Report: Vibe-Coding the Kill Chain | HiveForce Labs

01 — Summary

GREYVIBE — vibe-coding the kill chain

Threat level: Amber Actor: GREYVIBE Origin: Russia-nexus Platform: Windows · Android Active since: August 2025 GenAI-assisted tooling Admiralty: A1
Attack commenced
August 2025
TA number
TA2026153
Motive
Information theft · Espionage
Targeted regions
Ukraine · Moldova · Romania · Brazil · Venezuela · Guinea
Targeted industries
Military · Government · Defense · Energy · NGOs · Software suppliers
Campaigns
PhantomMail · PhantomClick · PrincessClub · DroneLink · Nebo

GREYVIBE is a Russia-nexus threat group that has targeted Ukraine and Ukraine-related entities since at least August 2025, with development and testing dating back to April 2025. WithSecure assesses with high confidence that its operators are Russian-speaking, working in the Moscow time zone, with lures, victimology, and objectives aligned with Russian state interests — chiefly intelligence collection tied to the Russia-Ukraine conflict.

The group's defining characteristic is the systematic use of generative AI — Ideogram AI, ChatGPT, and Google Gemini — for lure imagery, site building, obfuscator and full-stack RAT development, infrastructure setup, and post-compromise scripting. GREYVIBE operates five concurrent campaigns using PhantomRelay (PowerShell RAT), LegionRelay (lightweight PowerShell RAT), and FallSpy (Android spyware), all obfuscated with a suite of custom obfuscators including LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.

02 — Actor details

GREYVIBE — profile and tradecraft

Name Origin Target countries Target industries Motive
GREYVIBE Russia Ukraine, Moldova, Romania, Brazil, Venezuela, Guinea Military, Government, Defense, Energy, Civilian individuals, NGOs, Business entities, Software supplier Information theft, Espionage

Active campaigns and malware families:

PhantomMail PhantomClick PrincessClub DroneLink Nebo PhantomRelay / Lite / V1 / V2 FallSpy LegionRelay LOOKVALPS · LOOKVALJS · DAYLIGHT · TEASOUP
01
Attribution — Russia-nexus, Moscow time zone, state-aligned objectives

GREYVIBE has targeted Ukraine and Ukraine-related entities since at least August 2025, with development and testing observable from April 2025. WithSecure assesses with high confidence that operators are Russian-speaking and active in the Moscow time zone. The group's lures, victimology, and collection objectives align with Russian state interests, primarily intelligence gathering tied to the Russia-Ukraine conflict. Targeting has since expanded to Moldova, Romania, Brazil, Venezuela, and Guinea — consistent with broader Russian intelligence interest areas.

02
Five initial access vectors across concurrent campaigns

GREYVIBE operates five simultaneous campaigns with distinct delivery mechanisms. PhantomMail delivers malicious ZIP/RAR archives via spear-phishing links to Google Drive and 4sync. PhantomClick uses ClickFix fake-CAPTCHA pages impersonating Zoom and LAPAS. PrincessClub combines fake Ukrainian social-club websites with fake female Telegram personas to lure targets into downloading malware. DroneLink uses drone-themed fake charity sites to deliver payloads. Nebo employs a Russian-language "SPO NEBO" lure targeting military-adjacent personnel.

03
Unified Windows infection chain — lure → bundle → loader → payload → decoy

Every campaign follows the same Windows execution chain: a lure triggers a bundle that runs a loader showing a decoy — a PDF, a fake error pop-up, or a lure site — while the infection proceeds silently. In the script-based chain, a VBScript launcher fires a hidden PowerShell script. Both paths deploy the primary Windows payloads: PhantomRelay, a PowerShell RAT using a two-stage fingerprint-then-client model over WebSockets, and LegionRelay, a lightweight PowerShell RAT communicating over a REST API. FallSpy is the Android spyware used in the PrincessClub and Nebo campaigns. PhantomRelay also achieves lateral spread via USB using hidden files and malicious shortcuts.

04
Custom obfuscation suite — AMSI patching and ETW tampering

All payloads are obfuscated with GREYVIBE's custom obfuscator suite: LOOKVALPS (PowerShell), LOOKVALJS (JavaScript), DAYLIGHT, and TEASOUP. The PhantomRelayLite base variant adds SAWDUST and CRUDEDUST components which patch AMSI and tamper with the ETW provider to blind Windows telemetry and bypass script-block logging. Persistence is maintained primarily through scheduled tasks driven by a watchdog script, with a short-lived Startup folder shortcut variant as a secondary mechanism.

05
Privilege escalation and lateral movement — UAC bypass, RDP, hidden accounts

GREYVIBE achieves privilege escalation through three techniques: shortcut hijacking that fires a UAC prompt from a trusted icon; a CMSTP-based UAC bypass (cmstp.exe with a custom .INF file); and a custom .NET component masquerading as "Windows Update" that baits a UAC approval to re-register LegionRelay's scheduled task as SYSTEM. For lateral movement, operators enable persistent RDP, create hidden local administrator accounts concealed via the SpecialAccounts\UserList registry key, and share local disks over SMB.

06
C2 infrastructure and GenAI-assisted development — the defining GREYVIBE trait

PhantomRelay C2 has rotated across EDIS Global, KVMka, Cloudzy, and the suspected bulletproof host Global Connectivity Solutions LLP. FallSpy and LegionRelay C2 infrastructure remained on Baxet Group Inc. servers with Russian-language admin panels. The defining characteristic of GREYVIBE is its systematic use of generative AI: Ideogram AI for lure imagery and site design, ChatGPT and Google Gemini for obfuscator and full-stack RAT development, infrastructure provisioning guidance, and post-compromise scripting — representing an operational maturity shift enabled by commercial AI tooling.

03 — Recommendations

What to do now

Four prioritised defensive actions for security and operations teams, ordered by detection impact.

1
Restrict archive and script execution from email and file-sharing links

Treat ZIP/RAR archives delivered via links to Google Drive, 4sync, and similar services as high-risk. Block or sandbox execution of double-extension files (e.g., .pdf.js, .XLS.js, .Docx.rar). Disable or tightly control the Windows Script Host (wscript.exe / cscript.exe) for JavaScript loaders. Apply mail gateway rules to flag messages with archive links to consumer file-sharing services targeting government or military recipients.

2
Constrain PowerShell and LOLBIN abuse

Enable PowerShell Constrained Language Mode, script block and module logging, and transcription. Hunt for conhost.exe launched with the --headless parameter spawning PowerShell, for Invoke-Expression on remotely fetched content, and for command-history suppression via Set-PSReadlineOption -HistorySaveStyle SaveNothing and Remove-Module PSReadline — both GREYVIBE tradecraft signatures for covering post-execution tracks.

3
Hunt for watchdog and scheduled-task persistence

Alert on creation of scheduled tasks that re-execute scripts on short intervals (e.g., one minute after creation, then every three minutes). Hunt for tasks or loaders masquerading as vendor utilities — Razer, AMD, Adobe, "System Health Service," "Windows Check Updater." Inspect %ProgramData% and %LOCALAPPDATA% staging directories and Startup folder shortcuts for dropped .ps1 payloads, including SysCheckupService.ps1, RzUpdateManager.ps1, and WUDFHost.ps1.

4
Enforce strong UAC and privilege controls

Set UAC to always prompt and monitor for cmstp.exe invoked with custom .INF files. Watch for unexpected runas / RunAsInvoker shortcut modifications and treat sudden "Windows Update"-themed UAC prompts as suspicious. Audit creation of new local administrator accounts and accounts hidden via the SpecialAccounts\UserList registry key — a persistence mechanism GREYVIBE uses to conceal operator-created admin accounts from the Windows login screen.

04 — Indicators of compromise

IoCs — GREYVIBE / PhantomRelay / FallSpy / LegionRelay

Block or monitor all indicators below. All domains, IPs, emails, and URLs are defanged. The complete IoC set is also available via the WithSecure GitHub repository linked in References.

SHA-256 file hashes (selected)
  • 476334f9254ef0277b3462b6086655f38358a983b95991cfe4dcdd787740906a
  • 78773eb9738bc3306a56bf39adc8212226479c24af8bf453be9d57103a91a904
  • 62b585f36d4b14fa1e036feed692267aa098e7fc6cabb468a07997a025309299
  • d60dd96ef92b43e2e4f955dd76448fc320c3f8445b661d9a4a3c40caca0aa8a5
  • 687629ca9dc5b9b4bdf6c06fb1405449638b905f3a0c08bccac1c519ef22964d
  • 8a7401444dd7c85b36ff7b1d0b36c5953692ef32dbeac7642fb7c1034bd8a726
  • e81af6ae6862d905d8634a1f6e0a8893ba28e3ce61d12ccac020ef6fae802e8b
  • 93111e523c38d98247a78a0d1d9ae163e9874acb70721f6fe0bf451c62fff283
  • c823a315c2c78d2fd345c9b38bb7fc31a8cbff96c534ce9cc66c4e54bc7935a2
  • 5115eca388860371d994457793f3a3c2c3d106da48ca12ecccb9432522c56cc3
  • bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f
  • 2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327
  • e8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3
  • 42464c188cb8116b63938b3236504ec4ae31c7cadb9063085b30dd468d88860f
  • 7ac06aaf0cdc1c1f0f14b0e8ccc550f9df20e79f3ce321207ec7a1867d6227ef
  • f79b9d14b93d4c509386684f2aeebe53ab088e704b38b359db3ee7991942aec6
  • 08eba15964cae61156a99d7ac33eedebdd6e9f3465dc77b5d8dc17dbedc2194a
  • 18db95f2ae20a4ea86b3296f409eb3fc1131d2758c5bfdbda16a424a64e97d18
  • e9634032df81334e9e960ab8b88ff05a0f7ec9c034dc012f816f09e23c18d41b
  • 40f9399ea067d69c0985aecdc54beddbcb585d7f660606e5bb4be981811c28ba
  • 9e443d773df5adf0ab9e622bb8179ce899f46b2166f2faa09d54a4622a9ac5cc
  • 296932373f9c54fcf4eb285f81a17b1b93c5a96e5ff6dfa097b4d8c4b8f53b81
  • 89e052bd182df8de5960784c663f962d44e058c8920a437f54ab75d03a7da3bd
  • 9b7008c43814c7bf18375774bd2ed5f3bda9316dbef20b7e086fe921838f1186
Domains (selected)
  • lapas[.]live
  • zoomconference[.]click
  • zoomconference[.]app
  • princess-mens[.]fun
  • princess-mens-club[.]com
  • princessclub[.]click
  • princessclub[.]best
  • princessclub[.]online
  • princessclub[.]cyou
  • clubprincess[.]click
  • frontforce[.]org
  • ukrguard[.]org
  • ukrbezpeka[.]online
  • ironbrave[.]online
  • ukrvarta[.]online
  • edbo[.]linkpc[.]net
  • edbo[.]publicvm[.]com
  • edbo[.]work[.]gd
  • dsszzi[.]linkpc[.]net
  • declaration[.]linkpc[.]net
  • goodhillsenterprise[.]com
  • doct0rsim[.]com
  • routinesyscheckup[.]com
  • serotoninenterprise[.]com
  • newstarcommunity[.]com
  • jackscommunications[.]com
  • fasterscommunications[.]com
  • bsnowcommunications[.]com
  • highfleetenterprise[.]com
  • flyskyenterprise[.]com
  • newsolutionsxsenterprise[.]icu
  • nycpartnersenterprise[.]com
  • chiselworksenterprise[.]com
  • bluelagoonaenterprise[.]com
  • neuromancersolutionsenterprise[.]icu
  • aerobionix[.]com
  • prosearium[.]net
  • red-viper[.]com
  • xpertlearninghub[.]com
Email addresses (spoofed / actor-controlled)
  • centrenergo[.]ukr[@]gmail[.]com
  • centrenergo[.]ua[@]gmail[.]com
  • office[.]dsns[.]dp[@]gmail[.]com
  • kanc[.]kh[.]dsns[@]gmail[.]com
  • office[.]cip[.]ua[.]gov[@]gmail[.]com
  • office[.]gov[.]cips[@]gmail[.]com
Filenames
  • SysCheckupService.ps1
  • SystemHealthSvc.ps1
  • Configuration.ps1
  • Configurate.ps1
  • WUDFHost.ps1
  • razer_update.log
  • RzUpdateManager.ps1
  • RzTelemetry.ps1
File paths
  • %ProgramData%\WindowSystem
  • %ProgramData%\Microsoft Windows
  • C:\ProgramData\AMD\amd.ps1
  • C:\ProgramData\BackUp\backup.ps1
  • C:\ProgramData\Adobe\dfDgrr3.ps1
  • %LOCALAPPDATA%\Razer Update (staging directory)
IPv4 addresses
  • 188[.]124[.]59[.]120
  • 193[.]233[.]23[.]81
IPv4:Port (C2 listeners)
  • 89[.]37[.]185[.]60[:]14000
  • 74[.]112[.]102[.]120[:]14000
  • 194[.]87[.]128[.]243[:]8000
  • 194[.]87[.]108[.]110[:]8000
  • 89[.]125[.]189[.]118[:]8000
  • 89[.]125[.]189[.]85[:]8000
  • 91[.]149[.]221[.]124[:]8000
Scheduled task names
  • System Health Service
  • Microsoft System Health Service
  • Razer Synapse Service Helper
  • Adobe working
  • BackUp checker
  • AMD Checker
Actor usernames (PrincessClub personas)
  • vikagogogo111
  • nastyaa2001lov
  • lilymihalyk
URLs
  • hxxps[:]//storage[.]vlasiuk[.]kiev[.]ua/SW90D0qhta/матеріали_конференції[.]zip
  • hxxps[:]//share[.]secureinfo[.]eu/get/ypMXMG58xH/Матеріали_конференції_доп[.]zip
  • hxxps[:]//www[.]4sync[.]com/web/directDownload/tcqtmocL/MyE7HPqt[.]11b47e3a02edac898638b1906774210d
  • hxxps[:]//drive[.]google[.]com/file/d/1RDXHPZtCzOXn6GN7UidXPo4qqZOA_UGd
  • hxxps[:]//drive[.]google[.]com/file/d/12ffiBTWHm6GW8chJNIXuOeALPI82VnNs
  • hxxps[:]//drive[.]google[.]com/file/d/1wkgvtTw_g5CvK84rWiHCr6HPZZb_OeKd
  • hxxps[:]//drive[.]google[.]com/file/d/1aSIXJgZUT7AQEp5B_D7gyHRq74EFUxoz
  • t[.]me/s/sdgsersergser

05 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for GREYVIBE across all five campaigns and both Windows and Android platforms.

ID Tactic Technique / sub-technique
T1583.001Resource dev.Acquire infrastructure — domains
T1584.001Resource dev.Compromise infrastructure — domains
T1585.001Resource dev.Establish accounts — social media accounts (fake Telegram personas)
T1585.002Resource dev.Establish accounts — email accounts
T1587.001Resource dev.Develop capabilities — malware (GenAI-assisted RAT development)
T1588.002Resource dev.Obtain capabilities — tool
T1608.001Resource dev.Stage capabilities — upload malware
T1566.002Initial accessPhishing — spearphishing link (Google Drive / 4sync archives)
T1566.001Initial accessPhishing — spearphishing attachment
T1566.003Initial accessPhishing — spearphishing via service (Telegram personas)
T1091Initial accessReplication through removable media (PhantomRelay USB spread)
T1204.001ExecutionUser execution — malicious link
T1204.002ExecutionUser execution — malicious file
T1204.004ExecutionUser execution — malicious copy and paste (ClickFix)
T1059.001ExecutionCommand and scripting interpreter — PowerShell (PhantomRelay / LegionRelay)
T1059.007ExecutionCommand and scripting interpreter — JavaScript (LOOKVALJS)
T1053.005ExecutionScheduled task/job — scheduled task (watchdog tasks)
T1202ExecutionIndirect command execution
T1053.005PersistenceScheduled task/job — scheduled task (watchdog re-registration)
T1547.001PersistenceBoot or logon autostart execution — registry run keys / startup folder
T1136.001PersistenceCreate account — local account (hidden admin accounts)
T1548.002Priv. escalationAbuse elevation control mechanism — bypass UAC (CMSTP, fake Windows Update)
T1547.009Priv. escalationBoot or logon autostart execution — shortcut modification (UAC hijacking)
T1027.006Defense evasionObfuscated files or information — HTML smuggling
T1140Defense evasionDeobfuscate/decode files or information (LOOKVALPS / DAYLIGHT / TEASOUP)
T1562.001Defense evasionImpair defenses — disable or modify tools (SAWDUST AMSI patch)
T1070.003Defense evasionIndicator removal — clear command history (PSReadline removal)
T1497Defense evasionVirtualization/sandbox evasion
T1564.001Defense evasionHide artifacts — hidden files and directories (USB spread)
T1564.002Defense evasionHide artifacts — hidden users (SpecialAccounts\UserList)
T1218.003Defense evasionSystem binary proxy execution — CMSTP (UAC bypass)
T1036.005Defense evasionMasquerading — match legitimate name or location (Razer, AMD, Adobe task names)
T1480Defense evasionExecution guardrails
T1003.002Credential accessOS credential dumping — Security Account Manager
T1555.003Credential accessCredentials from password stores — credentials from web browsers
T1539Credential accessSteal web session cookie
T1056.001Credential accessInput capture — keylogging
T1082DiscoverySystem information discovery
T1033DiscoverySystem owner/user discovery
T1083DiscoveryFile and directory discovery
T1016DiscoverySystem network configuration discovery
T1518DiscoverySoftware discovery
T1113CollectionScreen capture
T1005CollectionData from local system
T1119CollectionAutomated collection
T1560.001CollectionArchive collected data — archive via utility
T1123CollectionAudio capture (FallSpy — Android)
T1125CollectionVideo capture (FallSpy — Android)
T1636.003CollectionProtected user data — contact list (FallSpy — Android)
T1636.002CollectionProtected user data — call log (FallSpy — Android)
T1430CollectionLocation tracking (FallSpy — Android)
T1071.001C2Application layer protocol — web protocols (WebSocket / REST API)
T1102.001C2Web service — dead drop resolver
T1132.001C2Data encoding — standard encoding
T1572C2Protocol tunneling
T1090C2Proxy
T1219C2Remote access software (persistent RDP)
T1021.001Lateral movementRemote services — Remote Desktop Protocol
T1021.002Lateral movementRemote services — SMB/Windows admin shares (local disk sharing)
T1041ExfiltrationExfiltration over C2 channel
T1496.001ImpactResource hijacking — compute hijacking

06 — References

Sources

[1] withsecure.com/en/resources-hub/w-labs/greyvibe/
[2] withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf
[3] github.com/WithSecureLabs/iocs/blob/master/GREYVIBE/greyvibe_iocs.csv
TA2026153 · HiveForce Labs · © 2026 Hive Pro Report generated — June 03, 2026 · 11:00 AM
June 9, 2026
Read More
Amber | Atack
Operation Dragon Weave Spins a Web of Espionage Through Microsoft Azure
TA2026152 — Operation Dragon Weave: AZUREVEIL & RUSTCLOAK | HiveForce Labs

01 — Summary

Operation Dragon Weave — espionage through Microsoft Azure

Threat level: Amber Campaign: Operation Dragon Weave Malware: AZUREVEIL · RUSTCLOAK Platform: Windows Regions: Czech Republic · Taiwan Admiralty: A1
First seen
March 2026
TA number
TA2026152
C2 mechanism
Azure Blob Storage dead-drop
Targeted industries
Government · Research · Technology · Finance
Initial access
Spear-phishing ZIP · LNK or Rust dropper
SAS token validity
March 2026 – March 2027

Operation Dragon Weave is a targeted cyber-espionage campaign aimed at government officials and citizens in the Czech Republic and Taiwan. It begins with a spear-phishing email carrying a ZIP attachment whose contents masquerade as official government correspondence. The archive delivers malware through one of two interchangeable infection paths — a malicious LNK shortcut or a self-contained Rust-based executable dropper — both converging on DLL sideloading of a malicious UnityPlayer.dll.

That DLL is a Rust loader (RUSTCLOAK) which decrypts and executes the final payload, AZUREVEIL — a 64-bit AdaptixC2 agent notable for using Microsoft Azure Blob Storage as a dead-drop command-and-control channel, blending its encrypted traffic with legitimate cloud activity. AZUREVEIL supports 36 post-exploitation commands including in-memory Beacon Object File (BOF) execution. A hardcoded Shared Access Signature (SAS) token valid through March 2027 indicates the infrastructure was built for long-term persistent access.

02 — Attack details

How the attack unfolded

Operation Dragon Weave demonstrates sophisticated tradecraft: dual infection paths, anti-analysis checks, Azure cloud C2 blending, and infrastructure designed to sustain access for a full year.

01
Spear-phishing delivery — government-themed ZIP lure

Operation Dragon Weave targets government officials and citizens in Taiwan and the Czech Republic using spear-phishing emails disguised as legitimate government communications — such as project review notices or appointment notifications. Victims receive a ZIP archive delivering malware through one of two methods: a malicious Windows shortcut (LNK) disguised as a PDF document, or a Rust-based dropper that extracts the required components onto the system. The use of Traditional Chinese filenames and Czech-language decoy documents underscores the campaign's precision targeting. The earliest known sample was uploaded from Taiwan in March 2026.

02
Dual infection chains — VBScript/PowerShell and Rust dropper converge on RUSTCLOAK

In the script-based infection chain, a VBScript launches a hidden PowerShell script that decrypts and reconstructs a malicious executable named RuntimeBroker_update.exe while displaying a decoy document to distract the victim. Both infection methods — the LNK path and the Rust dropper path — ultimately execute RuntimeBroker_update.exe, which uses DLL sideloading to load a malicious library called UnityPlayer.dll, also known as RUSTCLOAK. Before running its payload, RUSTCLOAK performs sandbox and analysis-environment detection checks. A developer oversight also exposed a Rust build path and the username dell2 within the malware binary.

03
RUSTCLOAK → AZUREVEIL — decryption, evasion, and full AdaptixC2 deployment

RUSTCLOAK decrypts and launches its final payload, AZUREVEIL, using multiple encryption and evasion techniques. AZUREVEIL is a fully featured AdaptixC2 agent supporting file operations, command execution, shell access, network tunneling, and in-memory execution of additional tools including Beacon Object Files (BOFs). These 36 post-exploitation capabilities give the attacker flexibility for espionage, lateral movement, and sustained access within compromised environments.

04
Azure Blob Storage C2 — dead-drop channel with hardcoded SAS token

Rather than traditional command-and-control servers, AZUREVEIL uses Microsoft Azure Blob Storage (note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net) as a dead-drop C2 channel. HTTPS traffic blends the malware's communications with legitimate cloud activity. The implant periodically uploads encrypted beacons, retrieves encrypted commands, and returns encrypted results through the same storage container. Researchers identified a hardcoded Shared Access Signature (SAS) token with broad permissions to the Azure storage account, valid from March 2026 through March 2027 — indicating the infrastructure was deliberately designed to support long-term espionage operations and persistent victim network access.

03 — Recommendations

What to do now

Six prioritised response actions for security and operations teams. Action 1 should be deployed immediately across all network egress controls.

1
Block the Azure Blob Storage C2 endpoint

Block and alert on all outbound connections to the identified dead-drop storage account note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net. Treat all listed file hashes as high-priority detections across endpoint and network tooling, and configure SIEM alerts for any connection attempts to this domain.

2
Restrict LNK and script execution

Block execution of unexpected LNK shortcut files and unsigned binaries delivered via email. Constrain wscript.exe and PowerShell so that script-based dropper chains cannot run silently from user-writable directories. Apply WDAC or AppLocker policies to enforce these restrictions.

3
Constrain PowerShell execution-policy bypass

Restrict or closely monitor PowerShell invocations that use execution-policy bypass and hidden-window flags (-ExecutionPolicy Bypass, -WindowStyle Hidden). This pattern is the campaign's primary mechanism for running its decryption stage without user visibility and is the earliest scriptable detection point.

4
Hunt for DLL sideloading of UnityPlayer.dll

Hunt across endpoints for RuntimeBroker_update.exe and BrowserViewUtility.exe loading a UnityPlayer.dll from non-standard, user-writable paths. This DLL sideloading pattern is the convergence point for both the LNK and Rust dropper infection chains and represents a high-confidence detection indicator for RUSTCLOAK.

5
Monitor suspicious file creation in %LOCALAPPDATA% and %TEMP%

Detect creation of campaign-staged artifacts — 1.dat, Com.dat, RuntimeBroker_update.exe, and related components — in %LOCALAPPDATA%\WebViewFixUtility and %TEMP%. Isolate hosts where these patterns appear and treat them as confirmed compromises pending investigation.

6
Strengthen spear-phishing defenses

Reinforce email filtering to block ZIP attachments containing LNK or executable files. Deliver targeted user-awareness training for government, research, technology, and financial-services staff in the affected regions on double-extension lures and fake official-document themes consistent with Operation Dragon Weave's delivery methodology.

04 — Indicators of compromise

IoCs — Operation Dragon Weave / AZUREVEIL / RUSTCLOAK

Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. The Azure domain is defanged.

SHA-256 file hashes
  • 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447
  • 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4
  • 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192
  • 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1
  • 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15
  • 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4
  • 02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e
  • 8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9
  • 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574
  • a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a
  • 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de
  • 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0
Domain — Azure Blob Storage C2
  • note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net

05 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for Operation Dragon Weave / AZUREVEIL / RUSTCLOAK campaign.

ID Tactic Technique / sub-technique
T1566.001 Initial access Phishing — spearphishing attachment (ZIP with LNK or Rust dropper)
T1204.002 Execution User execution — malicious file
T1059.001 Execution Command and scripting interpreter — PowerShell (hidden decryption stage)
T1059.005 Execution Command and scripting interpreter — Visual Basic (VBScript launcher)
T1574.001 Defense evasion Hijack execution flow — DLL sideloading (UnityPlayer.dll / RUSTCLOAK)
T1027 Defense evasion Obfuscated files or information (multi-layer encrypted payloads)
T1497.001 Defense evasion Virtualization/sandbox evasion — system checks (RUSTCLOAK pre-execution)
T1620 Defense evasion Reflective code loading (in-memory BOF execution via AZUREVEIL)
T1055 Defense evasion Process injection
T1083 Discovery File and directory discovery
T1057 Discovery Process discovery
T1016 Discovery System network configuration discovery
T1082 Discovery System information discovery
T1102.001 C2 Web service — dead drop resolver (Azure Blob Storage)
T1573 C2 Encrypted channel (HTTPS beacon / command / result cycle)
T1090 C2 Proxy
T1105 C2 Ingress tool transfer
T1041 Exfiltration Exfiltration over C2 channel (Azure Blob Storage)

06 — References

Sources

[1] seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
TA2026152 · HiveForce Labs · © 2026 Hive Pro Report generated — June 03, 2026 · 07:30 AM
June 9, 2026
Read More
Red | Attack
Iranian-Nexus Intrusion Targeting Oman's Government
TA2026151 — Iranian-Nexus Intrusion Targeting Oman's Government | HiveForce Labs

01 — Summary

What happened

An active Iranian-aligned cyber espionage operation targeted twelve Omani government ministries, with the Ministry of Justice and Legal Affairs (MJLA) as the primary victim. The campaign was uncovered after the threat actor inadvertently left an attacker-controlled staging VPS (172.86.76[.]127, resolving to dubai-10.vaermb[.]com, UAE-hosted) publicly exposed — revealing the complete operator toolkit, command-and-control source code, session logs, and exfiltrated victim data in plaintext. Operator sessions were observed between April 8–10, 2026.

Initial access against MJLA most likely came through CVE-2025-32372, an SSRF flaw in DotNetNuke versions prior to 9.13.8. Secondary vectors included the ProxyShell chain (CVE-2021-34473 / 34523 / 31207) against Microsoft Exchange servers. The operator deployed a custom ASPX webshell, a Python C2 with PowerShell beacon, Chisel for encrypted tunneling, and GodPotato for privilege escalation, ultimately exfiltrating over 26,000 MJLA user records, judicial case data, citizen IDs, and SAM/SYSTEM registry hives. No definitive group-level attribution has been made, though TTPs strongly overlap with MOIS-linked clusters APT34 (OilRig) and MuddyWater (Mango Sandstorm).

02 — Vulnerability details

Exploited CVEs

Four vulnerabilities were exploited or leveraged across this intrusion campaign. All have available patches — prioritise immediate remediation.

CVE Name / description Affected product CISA KEV Patch
CVE-2021-34473 ProxyShell — Exchange Server Remote Code Execution Microsoft Exchange Server KEV ✓ Patch ✓
CVE-2021-34523 ProxyShell — Exchange Server Privilege Escalation Microsoft Exchange Server KEV ✓ Patch ✓
CVE-2021-31207 ProxyShell — Exchange Server Security Feature Bypass Microsoft Exchange Server KEV ✓ Patch ✓
CVE-2025-32372 DotNetNuke Server-Side Request Forgery (SSRF) DotNetNuke (DNN) Platform KEV — Patch ✓

03 — Attack details

How the intrusion unfolded

The operation reflects a deliberate, intelligence-driven campaign against Omani government infrastructure, underpinned by opportunistic OPSEC failures that exposed the full operator toolkit to researchers.

01
Discovery — exposed staging VPS reveals full operator toolkit

The campaign was uncovered after the threat actor left their attacker-controlled staging VPS (172.86.76[.]127, resolving to dubai-10.vaermb[.]com, UAE-hosted) publicly accessible. The exposed server contained the complete operator toolkit, C2 source code, session logs, and exfiltrated victim data in plaintext. Operator sessions were logged between April 8–10, 2026. The targeting builds on a 2025 incident attributed to the Homeland Justice persona (Void Manticore), in which Oman's Ministry of Foreign Affairs mailbox in Paris was hijacked to spear-phish embassies worldwide.

02
Initial access — CVE-2025-32372 SSRF and ProxyShell across 12 ministries

The operation targeted twelve Omani government bodies: MJLA, Royal Oman Police, Royal Fleet of Oman, Tax Authority of Oman, State Audit Institution, Royal Court Affairs, Authority for Public Services Regulation, Civil Aviation Authority, Information Technology Authority, Ministry of Finance, MTCIT, and the Office of Public Prosecution. Initial access against MJLA most likely came through CVE-2025-32372, an SSRF flaw in DotNetNuke versions prior to 9.13.8. Secondary vectors included the ProxyShell chain (CVE-2021-34473 / 34523 / 31207) against Exchange servers — tradecraft previously associated with MuddyWater in regional intrusions — alongside credential brute-force attempts against the eVisa portal and the State Audit Institution training platform.

03
Execution and persistence — ASPX webshell, Python C2, Chisel, GodPotato

The operator deployed a custom ASPX webshell (hc2.aspx, health_check_t.aspx) through the DotNetNuke /Portals/0/ directory, providing persistent remote command execution. A host-level persistence attempt using a scheduled task named MicrosoftEdgeUpdate was blocked by Microsoft Defender. The operator then deployed a Python HTTP C2 paired with a PowerShell beacon polling every 30 seconds, returning base64-encoded results in 1,500-character chunks. Chisel was staged on port 7777 for encrypted tunneling. GodPotato — later replaced by a reflective in-memory variant — abused SeImpersonatePrivilege for local privilege escalation, tradecraft consistent with APT34's documented Gulf-targeted kernel-level operations.

04
Exfiltration — 26,000+ MJLA records, judicial data, SAM/SYSTEM hives

On April 10, 2026 at 03:00 UTC, the operator exfiltrated over 26,000 MJLA user records — including staff emails and credentials — alongside judicial judgments, case session attachments, committee decisions, and queries against the eGov_Person table targeting national IDs, names, birthdates, and nationality data. SAM and SYSTEM registry hives were staged in C:\Windows\Temp for exfiltration via port 9002, effectively compromising all local-machine secrets and cached domain credentials in the MJLA environment.

05
Attribution — Iranian state-nexus overlap with APT34 and MuddyWater

No definitive group-level attribution has been made. However, TTPs strongly overlap with MOIS-linked clusters APT34 (OilRig) and MuddyWater (Mango Sandstorm). The activity continues a broader pattern of Iranian state-nexus targeting against GCC critical infrastructure, alongside the Handala destructive wiper campaign and MOIS-aligned dissident espionage operations targeting the region.

04 — Recommendations

What to do now

Six prioritised response actions for security and operations teams. Actions 4 and 5 are critical for any organisation sharing identity infrastructure with MJLA.

1
Patch Microsoft Exchange against the ProxyShell chain

Apply Microsoft Exchange Server security updates addressing CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Any internet-facing Exchange server that has not received the May 2021 cumulative update or later remains vulnerable to the full ProxyShell exploit chain demonstrated in this campaign.

2
Upgrade DotNetNuke to 9.13.8 or later

Update all DotNetNuke (DNN) Platform instances to version 9.13.8 or newer to remediate CVE-2025-32372. Pay particular attention to ministry and government portals that expose DNN as a public-facing CMS, including those sharing identity-provider infrastructure such as SimpleSAMLphp federation.

3
Audit and restrict the /Portals/0/ path on DotNetNuke

Inspect the DotNetNuke /Portals/0/ directory for unauthorized ASPX files matching webshell patterns such as health_check_t.aspx or hc2.aspx. Restrict write permissions to the path and configure the IIS handler mapping so that arbitrary ASPX files placed in content directories cannot be served as executable script.

4
Reset MJLA and DotNetNuke application credentials

For MJLA and any organisation sharing federation with MJLA's SimpleSAMLphp identity provider, force-reset all DotNetNuke application accounts — with priority to superuser and aspnet_Membership-backed accounts — invalidate active sessions, and rotate any service-account passwords accessible from compromised hosts.

5
Rotate domain credentials and re-secure SAM/SYSTEM material

Because both SAM and SYSTEM registry hives were extracted from the MJLA environment, treat all local-machine secrets, cached domain credentials, and machine-account secrets as compromised. Reset them, force a krbtgt double-rotation if Active Directory was reachable, and audit Kerberos ticket lifetimes for anomalies.

6
Adopt network segmentation between ministry portals

Because ITA and MTCIT portals share the /ITAPortal_AR/ URL structure and likely a common codebase, and because MJLA's SimpleSAMLphp identity provider could federate authentication across ministries, segment ministry portals from one another, isolate the identity provider in a dedicated security zone, and apply per-ministry boundary controls so that a single portal compromise cannot pivot horizontally.

05 — Indicators of compromise

IoCs — Iranian-nexus Oman intrusion

Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. All domains and IPs are defanged.

IPv4 addresses
  • 172[.]86[.]76[.]127
  • 172[.]86[.]76[.]101
  • 172[.]86[.]76[.]94
  • 172[.]86[.]76[.]108
  • 172[.]86[.]76[.]112
  • 172[.]86[.]76[.]120
  • 172[.]86[.]76[.]121
  • 172[.]86[.]76[.]124
  • 172[.]86[.]76[.]129
  • 172[.]86[.]76[.]130
  • 45[.]59[.]114[.]60
  • 104[.]21[.]27[.]95
  • 172[.]67[.]142[.]35
Domains
  • dubai-10.vaermb[.]com
  • dubai-1.vaermb[.]com
  • dubai-2.vaermb[.]com
  • dubai-3.vaermb[.]com
  • dubai-4.vaermb[.]com
  • dubai-5.vaermb[.]com
  • dubai-6.vaermb[.]com
  • dubai-7.vaermb[.]com
  • dubai-8.vaermb[.]com
  • dubai-9.vaermb[.]com
  • regorixa[.]com
  • myjitsi.exceptionnotfound[.]ir
  • shop.exceptionnotfound[.]ir
  • price.exceptionnotfound[.]ir
  • tools.exceptionnotfound[.]ir
  • myjitsi.mrnajafipour[.]ir
  • s5.sideliner[.]ir
  • suanefllix[.]com
  • brnettlix[.]com
  • brttfrixx[.]com
  • realprimefix[.]com
  • identificara[.]com
Filenames
  • hc2.aspx
  • health_check_t.aspx
  • proxyshell_01.sh
  • evisa_cookies.txt
  • c2_fixed.py
  • c2_fixed_v2.py
  • c2_json_v2.py
  • new_beacon.ps1
  • gp_v6_exec.py
File paths
  • /Portals/0/health_check_t.aspx
  • /opt/c2/loot/
  • /opt/c2/payloads/
  • C:\Windows\Temp (registry hive staging)
SHA-256
  • ECC3611F7DCBAA53ACF44E67DE2F10D78A26E03B3C77BA28BBD3EE16B2E66437
Ports
  • 8001 — C2 beacon listener
  • 7777 — Chisel host
  • 9002 — Registry hive exfiltration
  • 9003 — Reverse SOCKS5 listener

06 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for the Iranian-nexus Oman government intrusion campaign.

ID Tactic Technique / sub-technique
T1595.002 Reconnaissance Active scanning — vulnerability scanning
T1583.003 Resource dev. Acquire infrastructure — virtual private server
T1588.002 Resource dev. Obtain capabilities — tool
T1190 Initial access Exploit public-facing application (CVE-2025-32372, ProxyShell)
T1110.001 Initial access Brute force — password guessing
T1059.001 Execution Command and scripting interpreter — PowerShell
T1059.003 Execution Command and scripting interpreter — Windows command shell
T1059.006 Execution Command and scripting interpreter — Python
T1505.003 Persistence Server software component — web shell
T1053.005 Persistence Scheduled task/job — scheduled task (MicrosoftEdgeUpdate)
T1134.001 Priv. escalation Access token manipulation — token impersonation/theft (GodPotato / SeImpersonatePrivilege)
T1562.001 Defense evasion Impair defenses — disable or modify tools
T1620 Defense evasion Reflective code loading (in-memory GodPotato variant)
T1027 Defense evasion Obfuscated files or information (base64-encoded C2 results)
T1036.004 Defense evasion Masquerading — masquerade task or service
T1036.005 Defense evasion Masquerading — match legitimate name or location
T1003.002 Credential access OS credential dumping — Security Account Manager (SAM)
T1110.002 Credential access Brute force — password cracking
T1555 Credential access Credentials from password stores
T1539 Credential access Steal web session cookie
T1082 Discovery System information discovery
T1016 Discovery System network configuration discovery
T1033 Discovery System owner/user discovery
T1083 Discovery File and directory discovery
T1046 Discovery Network service discovery
T1005 Collection Data from local system
T1213 Collection Data from information repositories (eGov_Person table)
T1560 Collection Archive collected data
T1071.001 C2 Application layer protocol — web protocols (Python HTTP C2)
T1090 C2 Proxy
T1572 C2 Protocol tunneling (Chisel on port 7777)
T1132.001 C2 Data encoding — standard encoding (base64)
T1041 Exfiltration Exfiltration over C2 channel

07 — Patch links & references

Sources

[1] msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-34473
[2] msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-34523
[3] msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-31207
[4] github.com/dnnsoftware/Dnn.Platform/releases/
[5] hunt.io/blog/iranian-nexus-oman-government-intrusion
[6] hivepro.com/threat-advisory/void-manticore-irans-evolving-cyber-warfare-model/
[7] hivepro.com/threat-advisory/muddywater-is-taking-advantage-of-old-vulnerabilities/
[8] hivepro.com/threat-advisory/apt34-tightens-cyber-espionage-grip-on-gulf-with-kernel-exploitation/
[9] hivepro.com/threat-advisory/prolonged-pursuit-of-oilrig-apt-targeting-middle-east-government/
[10] hivepro.com/threat-advisory/muddywater-irans-adaptive-cyber-espionage-machine/
[11] hivepro.com/threat-advisory/handala-claims-destructive-wiper-attack-on-gcc-nations-critical-infrastructure/
[12] hivepro.com/threat-advisory/iranian-mois-leverages-telegram-based-c2-in-espionage-campaign-targeting-dissidents/
TA2026151 · HiveForce Labs · © 2026 Hive Pro Report generated — June 02, 2026 · 11:40 AM
June 9, 2026
Read More
Amber | Attack
Operation XENOFISCAL: SideCopy Adopts XenoRAT to Target Afghan Finance
TA2026150 — Operation XENOFISCAL: SideCopy & XenoRAT | HiveForce Labs

Attack Report · Threat Advisory · Amber · June 02, 2026

Operation XENOFISCAL: SideCopy adopts XenoRAT to target Afghan finance

Pakistan-linked APT SideCopy executed a precision spear-phishing campaign against Afghanistan's Ministry of Finance and its 34 provincial revenue directorates, deploying the open-source XenoRAT v1.8.7 remote access trojan through a fileless, multi-stage loader chain.

Threat level: Amber Threat actor: SideCopy APT Malware: XenoRAT v1.8.7 Platform: Windows Region: Afghanistan Admiralty: A1
First seen
2019
Campaign
Operation XENOFISCAL
TA number
TA2026150
Targeted industries
Government · Finance · Public admin
Initial access
Spear-phishing LNK in ZIP
C2 infrastructure
Bulletproof European hosting

01 — Summary

What happened

SideCopy — a Pakistan-linked advanced persistent threat cluster also tracked as UNC2269, White Dev 55, Mocking Draco, and TAG-140 — executed Operation XENOFISCAL, a targeted spear-phishing campaign directed at Afghanistan's Ministry of Finance and its provincial revenue and finance directorates across all 34 Mustoufiats. The attack delivered a malicious Windows shortcut (LNK) file inside a ZIP archive, using a Pashto-language lure themed around an intellectual and psychological warfare seminar to deceive provincial finance officials.

Execution of the LNK abused the legitimate Windows binary mshta.exe to kick off a multi-stage, largely fileless loader chain that ultimately deployed XenoRAT v1.8.7 — an open-source remote access trojan. The XenoRAT implant beaconed to bulletproof European hosting infrastructure kept deliberately separate from the Afghan-hosted delivery layer, providing the SideCopy APT with encrypted command-and-control, comprehensive surveillance capability, and long-term persistent access to compromised Windows hosts.

02 — Attack details

How the attack unfolded

Operation XENOFISCAL is a deliberate, intelligence-led operation underpinned by precise knowledge of Afghan administrative structure, a stealthy fileless delivery path, and a surveillance-capable implant engineered for quiet, persistent access.

01
Spear-phishing delivery — socially engineered LNK lure

SideCopy initiated the Operation XENOFISCAL campaign with a targeted spear-phishing message delivering a ZIP archive containing a malicious Windows shortcut (LNK) file. The LNK was disguised with a PDF icon and a carefully crafted Pashto-language filename referencing an employee list for an intellectual and psychological warfare seminar — a lure tailored precisely to provincial finance officials. The level of organisational specificity across all 34 Afghan Mustoufiats indicates prior intelligence gathering by the SideCopy APT group against Afghan government finance targets.

02
Fileless execution via mshta.exe — living-off-the-land binary abuse

When the victim opens the LNK, it silently launches mshta.exe from the System32 directory and directs it at a remote PHP resource hosted on a compromised Afghan education domain (abimj.edu.af). This living-off-the-land binary (LOLBIN) technique executes externally hosted script content directly in memory without writing an executable to disk. The URL was padded with excessive comma obfuscation to defeat static and signature-based detection. While the malicious chain proceeds in the background, the victim is shown a convincing decoy — an Afghan Ministry of Finance provincial staff directory covering all 34 provinces, written in Dari and Pashto — whose organisational depth confirms prior SideCopy intelligence collection.

03
XenoRAT v1.8.7 deployment — encrypted C2, mutex, and persistence

The final payload is XenoRAT v1.8.7, an open-source remote access trojan. On execution, XenoRAT establishes an encrypted TCP command-and-control channel to a hard-coded IP address and enforces single-instance execution via a mutex named clouda. The implant supports SOCKS5 proxy tunnelling and dynamic in-memory DLL loading through Assembly.Load. Persistence is reinforced via a scheduled task named XenoUpdateManager running at the highest available privileges, with a non-admin fallback writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Run under value Edgre. The implant can cleanly self-delete via a hidden cmd.exe routine when instructed by the operator.

04
Post-exploitation — surveillance, host reconnaissance, and long-term access

XenoRAT's post-exploitation capability set is built for comprehensive surveillance and host reconnaissance: keylogging, screen capture, clipboard monitoring, webcam and microphone capture, file upload/download/deletion, antivirus enumeration via WMI, and arbitrary command execution. C2 infrastructure is hosted on bulletproof European servers kept entirely separate from the Afghan-hosted delivery layer, providing operational compartmentalisation and long-term resilience for the SideCopy campaign against Afghan Ministry of Finance targets.

03 — Actor details

SideCopy APT — threat actor profile

SideCopy is a Pakistan-linked advanced persistent threat cluster active since at least 2019, conducting precision spear-phishing campaigns against South Asian government, defence, and finance sectors.

SideCopy UNC2269 White Dev 55 Mocking Draco TAG-140
Actor attributes
  • Attribution — Pakistan-linked
  • Active since — 2019
  • Targeted regions — Afghanistan (confirmed); South Asia (broader)
  • Targeted sectors — Government, Finance, Public administration, Defence
  • Known capabilities — Spear-phishing, LOLBIN abuse, fileless loaders, open-source RAT adoption, bulletproof C2 infrastructure

04 — Recommendations

What to do now

Prioritised response actions for security and operations teams. Action 1 should begin immediately on any suspected host.

1
Eradicate the persistence footprint

On suspected hosts, remove the registry value Edgre under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete the scheduled task XenoUpdateManager. Inspect and clear the staging directories C:\Users\Public\USOShared-1de48789-1285 and C:\Users\Public\firefx-1de87eec8-1241. Remove residual artifacts: zuidrt.hta, noway.bat, ayui.vmxx, and ayhui.vmxx.

2
Detect mshta.exe fetching remote content

Alert on mshta.exe executing with HTTP or HTTPS URL arguments — particularly remote index.php endpoints — and on mshta.exe spawned by explorer.exe or as a child of an LNK execution. This process lineage is the earliest reliable detection point for the Operation XENOFISCAL spear-phishing chain.

3
Hunt for fileless .NET loader behaviour

Build detection content for the loader tradecraft in this XenoRAT chain: RWX memory allocation via VirtualAlloc followed by CreateThread, .NET BinaryFormatter deserialization, AmsiScanBuffer patching, COMPLUS_Version environment-variable manipulation, and reflective Assembly.Load of in-memory payloads.

4
Constrain LOLBIN and script-host abuse

Deploy WDAC or AppLocker rules to restrict or block execution of mshta.exe and HTA files where not operationally required. Disable or tightly limit Windows Script Host, ActiveX, and legacy Internet Explorer script-host functionality that the JScript loader chain depends on to execute XenoRAT's fileless delivery.

05 — Indicators of compromise

IoCs — Operation XENOFISCAL / XenoRAT

Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. All domains and IPs are defanged.

SHA-256 file hashes
  • 194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14
  • 3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01
  • DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB
  • A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67
  • 5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45
  • 99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D
  • 8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A
  • 0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772
  • 9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14
Domain
  • abimj[.]edu[.]af
IPv4 addresses
  • 185[.]235[.]137[.]106
  • 103[.]132[.]98[.]224
  • 103[.]132[.]98[.]226
CIDR
  • 103[.]132[.]98[.]0/23
URLs
  • hxxp[:]//abimj[.]edu[.]af/index[.]php
  • hxxp[:]//abimj[.]edu[.]af/institute/cloudiyaf/document[.]pdf
  • hxxp[:]//abimj[.]edu[.]af/institute/cloudiya/
  • hxxps[:]//abimj[.]edu[.]af/institute/10/
  • hxxps[:]//abimj[.]edu[.]af/institute/7/
Malicious filenames
  • ugayt.hta
  • noway.bat
  • zuidrt.hta
  • WayBroad.dll
  • Aotestpass.dll
  • ayui.vmxx
  • ayhui.vmxx
File paths
  • C:\Users\Public\USOShared-1de48789-1285\zuidrt.hta
  • C:\Users\Public\firefx-1de87eec8-1241
Mutex · Registry · Scheduled task
  • Mutex — clouda
  • Registry — HKCU\Software\Microsoft\Windows\CurrentVersion\Run · value: Edgre
  • Scheduled task — XenoUpdateManager

06 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for Operation XENOFISCAL / SideCopy XenoRAT campaign.

ID Tactic Technique / sub-technique
T1566.001 Initial access Phishing — spearphishing attachment
T1218.005 Execution System binary proxy execution — mshta
T1059.003 Execution Command and scripting interpreter — Windows command shell
T1059.007 Execution Command and scripting interpreter — JavaScript
T1129 Execution Shared modules
T1106 Execution Native API
T1547.001 Persistence Boot or logon autostart execution — registry run keys / startup folder
T1053.005 Persistence Scheduled task/job — scheduled task
T1140 Defense evasion Deobfuscate/decode files or information
T1027.011 Defense evasion Obfuscated files or information — fileless storage
T1620 Defense evasion Reflective code loading
T1564.001 Defense evasion Hide artifacts — hidden files and directories
T1055 Defense evasion Process injection
T1562.001 Defense evasion Impair defenses — disable or modify tools
T1070.004 Defense evasion Indicator removal — file deletion
T1012 Discovery Query registry
T1082 Discovery System information discovery
T1518.001 Discovery Software discovery — security software discovery
T1056.001 Collection Input capture — keylogging
T1113 Collection Screen capture
T1115 Collection Clipboard data
T1123 Collection Audio capture
T1125 Collection Video capture
T1071.001 C2 Application layer protocol — web protocols
T1095 C2 Non-application layer protocol
T1573.001 C2 Encrypted channel — symmetric cryptography
T1090.002 C2 Proxy — external proxy (SOCKS5)
T1568 C2 Dynamic resolution
T1583.001 Resource dev. Acquire infrastructure — domains
T1584 Resource dev. Compromise infrastructure

07 — References

Sources

[1] seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
TA2026150 · HiveForce Labs · © 2026 Hive Pro Report generated — June 02, 2026 · 09:00 AM
June 8, 2026
Read More
Red | Vulnerability
CVE-2026-0257 Fuels GlobalProtect Authentication Bypass Attacks
CVE-2026-0257 Security Advisory

Security Advisory · Active Exploitation

PAN-OS GlobalProtect
Authentication Bypass

Attackers can forge authentication cookies to access internal networks without valid credentials. Patches are available. Exploitation has been active since May 17, 2026.

Critical Actively Exploited CISA KEV Listed Patch Available
CVE ID
CVE-2026-0257
First seen
May 13, 2026
Exploitation began
May 17, 2026
CWE
CWE-565
Zero-day
No
Affected
PAN-OS 10.2–12.1 · Prisma Access 10.2, 11.2

How the attack works

01
Feature is on, but unguarded
GlobalProtect's authentication override feature lets users skip re-entering credentials by issuing encrypted cookies that act as bearer tokens. Off by default — but commonly enabled in production deployments.
02
Decrypted cookies are trusted blindly
When a cookie arrives at /ssl-vpn/login.esp, the appliance decrypts it — but never verifies a digital signature. Whatever the decrypted payload claims, the server accepts.
03
The encryption key is exposed publicly
In misconfigured deployments, the same certificate handles both HTTPS and cookie encryption. Its public key is visible during the standard TLS handshake — retrievable by anyone who connects.
04
Forged cookie grants full access
An attacker retrieves the public key, crafts a fake cookie, and submits it. The appliance accepts it as legitimate — sometimes granting a full VPN IP and access to internal resources. A public proof-of-concept exists.

Attack timeline

May 13
Vulnerability identified
CVE-2026-0257 first observed. Proof-of-concept exploit published publicly.
May 17
Active exploitation begins
First wave of attacks. Forged cookies used to authenticate as local admin accounts from Vultr-hosted infrastructure. Spoofed MAC aa:bb:cc:dd:ee observed across incidents.
May 21
Second wave
Second campaign from Dromatics Systems infrastructure. Same spoofed MAC. 8 of 10 affected MDR customers showed cookie-auth only; 2 received full VPN IP assignments. No confirmed lateral movement beyond the VPN layer.

What to do — in order of priority

01
Patch immediately
Apply the hotfix for your branch:
  • PAN-OS 10.210.2.7-h34 · 10.2.10-h36 · 10.2.13-h21 · 10.2.16-h7 · 10.2.18-h6
  • PAN-OS 11.111.1.4-h33 · 11.1.6-h32 · 11.1.7-h6 · 11.1.10-h25 · 11.1.13-h5 · 11.1.15
  • PAN-OS 11.211.2.4-h17 · 11.2.7-h14 · 11.2.10-h7 · 11.2.12
  • PAN-OS 12.112.1.4-h6 · 12.1.7
  • Prisma AccessBeing upgraded per schedule by Palo Alto Networks

After patching, GlobalProtect users will need to re-authenticate once due to cookie regeneration logic in the fix.

02
Can't patch yet? Isolate the certificate
Generate a dedicated certificate for cookie encryption/decryption only. Do not share it with the portal or gateway HTTPS service or any other feature. This removes the public-key exposure path.
03
Or disable the feature entirely
In the GlobalProtect portal and gateway config, uncheck both Generate cookie for authentication override and Accept cookie for authentication override. This removes the attack surface completely.
04
Audit your configuration
Navigate to Network → GlobalProtect → Portals → Agent Configuration → Authentication tab. Confirm whether cookie generation and acceptance are enabled, and whether the certificate is shared with the HTTPS service. Repeat for gateway settings.
05
Hunt for signs of compromise
Review GlobalProtect authentication logs for cookie-based logins to local admin accounts from unfamiliar IPs or hosting providers. Any such event is a confirmed compromise indicator requiring immediate incident response. Cross-reference the IoCs below.

Indicators of compromise

IP Addresses
104[.]207[.]144[.]154
146[.]19[.]216[.]119
146[.]19[.]216[.]120
146[.]19[.]216[.]125
Hostnames & MAC
GP-CLIENT
DESKTOP-GP01
Spoofed MAC: aa:bb:cc:dd:ee

MITRE ATT&CK

T1190
Exploit public-facing application
T1550.004
Web session cookie (alternate authentication material)
T1021.005
VPN lateral movement
T1588.006
Obtain capabilities — vulnerabilities

References

Palo Alto Networks — Official Security Advisory
https://security.paloaltonetworks.com/CVE-2026-0257
Rapid7 ETR — Observed Exploitation Report
https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
CVE-2026-0257 PAN-OS · Prisma Access · GlobalProtect May 2026
June 8, 2026
Read More
Amber | Attack Report
Operation TrustTrap: APT36 Weaponizes 16,800 Spoofed Domains

Summary

Operation TrustTrap represents a massive coordinated phishing infrastructure campaign comprising more than 16,800 malicious domains active since early 2026 that impersonates government services across the United States, India, Vietnam, and the United Kingdom. Operation TrustTrap targets government, defense, diplomatic, transportation, Department of Motor Vehicles (DMV), toll payment, and healthcare sectors through sophisticated domain spoofing techniques rather than relying on traditional technical exploits. The Operation TrustTrap campaign weaponizes the visual trust of the ".gov" string by embedding government labels as non-root subdomain components, combined with hyphen manipulation and benign-word insertion to defeat regex-based detection while remaining legible to human readers who believe they are visiting legitimate government websites.

Operation TrustTrap spoofed portals resolve to infrastructure concentrated in Tencent Cloud and Alibaba Cloud APAC ASNs (Autonomous System Numbers), indicating centralized hosting infrastructure supporting the massive phishing campaign. A distinct cluster within the Operation TrustTrap dataset, including domains impersonating the National Investigation Agency (NIA) of India, exhibits tactics, techniques, and procedures (TTPs) consistent with the Pakistan-nexus threat actor APT36 (also known as Transparent Tribe, ProjectM, TEMP.Lapis, Mythic Leopard, Copper Fieldstone, Earth Karkaddan, STEPPY-KAVACH, Green Havildar, APT-C-56, Storm-0156, and Opaque Draco).

The Operation TrustTrap campaign begins with bulk-registration of thousands of domains on cheap, disposable top-level domains (TLDs), holding many dormant as a pre-provisioned reserve until campaign waves are triggered. Operation TrustTrap lures are distributed through SMS, email, and adjacent social-engineering vectors, with each link engineered to look like an authentic government URL. Once Operation TrustTrap victims click a lure, they are redirected to spoofed portals hosted on Tencent Cloud and Alibaba Cloud infrastructure that replicate the visual identity of impersonated agencies, presenting fake DMV, toll, or citizen-services payment forms designed to harvest personally identifiable information, payment-card data, and credentials at scale.

Attack Details

Operation TrustTrap Infrastructure and Domain Registration

Operation TrustTrap is a coordinated phishing infrastructure of more than 16,800 malicious domains, active since early 2026, that impersonates government services across the United States, India, Vietnam, and the United Kingdom. The Operation TrustTrap campaign begins not with a technical exploit but with domain registration. Operation TrustTrap operators bulk-register thousands of domains on cheap, disposable TLDs, holding many of them dormant as a pre-provisioned reserve until a campaign wave is triggered.

Operation TrustTrap lures are then distributed through SMS, email, and adjacent social-engineering vectors, with each link engineered to look like an authentic government URL through sophisticated subdomain manipulation. The Operation TrustTrap campaign weaponizes how humans interpret URLs rather than how machines parse them, exploiting the visual trust associated with government identifiers embedded within domain names to bypass both automated detection systems and human scrutiny.

Operation TrustTrap Credential Harvesting Infrastructure

Once an Operation TrustTrap victim clicks a lure, they are redirected to a spoofed portal hosted on infrastructure concentrated within Tencent Cloud and Alibaba Cloud APAC ASN ranges. Active Operation TrustTrap phishing URLs across the infrastructure consistently use a double-query-string parameter pattern that serves as a session-tracking mechanism, assigning unique identifiers to individual victims and monitoring engagement throughout the phishing workflow.

The uniformity of this double-query-string pattern (format: ?var1=xxxxx?var2=xxxxx) across hundreds of Operation TrustTrap URLs confirms a kit-driven, centrally managed operation rather than ad hoc phishing activity. Operation TrustTrap cloned portals replicate the visual identity of the impersonated government agency, often presenting fake DMV, toll, or citizen-services payment forms designed to harvest personally identifiable information, payment-card data, and credentials from victims who believe they are interacting with legitimate government services.

APT36 Attribution and India-Targeted Cluster

The attribution-significant cluster within the Operation TrustTrap dataset narrows the focus to Indian government targets and aligns operationally with APT36, a Pakistan-nexus advanced persistent threat actor with a documented record of targeting Indian government entities, defense personnel, and diplomatic infrastructure. The Operation TrustTrap cluster includes APT36 impersonation domains, such as one masquerading as the National Investigation Agency (NIA) of India, demonstrating the campaign's focus on high-value intelligence targets.

The random suffix characters in Operation TrustTrap domains mirror the automated domain-generation behavior documented in prior APT36 bulk-registration events, and the shared hosting IPs in Tencent Cloud and Alibaba APAC overlap with APT36 staging infrastructure observed in 2024 and 2025 campaigns. Attribution of the India-targeted Operation TrustTrap cluster to APT36 is assessed at moderate-to-high confidence based on the convergence of campaign overlap, infrastructure reuse, TLD and registrar patterns, India-specific trust-injection cues in the URL structure, and subdomain construction logic consistent with documented APT36 tradecraft.

Operation TrustTrap Operational Objectives

The operational endgame across the broader Operation TrustTrap dataset is credential and payment-data theft at scale, with secondary potential for follow-on intrusion against high-value targets in the APT36 sub-cluster. Because the Operation TrustTrap campaign relies on cognitive deception rather than payload execution, traditional binary-focused detection layers see little to act on during the initial compromise phase.

The Operation TrustTrap kit's session-tracking parameters and shared cloud-hosting infrastructure are the most reliable pivots for threat hunting and takedown operations across the campaign cluster. The massive scale of Operation TrustTrap, with over 16,800 registered domains, demonstrates significant investment in infrastructure by the threat actors and suggests ongoing campaign operations targeting government service users across multiple countries.

Recommendations

Hunt by eTLD+1, Not by Substring

Reconfigure URL inspection to evaluate the registered eTLD+1 (effective top-level domain plus one level) of every link rather than substring-matching for ".gov" or ".gov.in" strings. Treat any URL where a government label appears as a subdomain of a non-government registered domain as high-risk by default. This fundamental shift in detection logic is necessary to identify Operation TrustTrap domains that embed government identifiers in subdomain positions rather than legitimate top-level domain positions.

Detect the Kit's Session-Tracking Pattern

Author proxy and SIEM rules that flag URLs containing the characteristic double-query-string pattern ?var1=xxxxx?var2=xxxxx, which has been observed consistently across hundreds of Operation TrustTrap phishing URLs and provides a high-confidence campaign signature. This session-tracking mechanism is a distinctive technical indicator of Operation TrustTrap infrastructure that can be used to identify newly registered domains associated with the campaign.

Strengthen Domain Takedown Workflows

Establish or expand relationships with abuse contacts at Gname.com Pte. Ltd., the .bond and .cc registry operators, and Tencent Cloud and Alibaba Cloud abuse desks to accelerate takedowns of newly identified Operation TrustTrap infrastructure as the campaign continues to evolve. The massive scale of Operation TrustTrap requires coordinated takedown efforts across multiple registrars and hosting providers to disrupt the phishing infrastructure.

Enforce Email and Messaging Authentication on Brand Properties

Government bodies and impersonated brands should enforce DMARC, SPF, and DKIM authentication on official communication channels and publish clear citizen-facing reference URLs to reduce the success rate of look-alike-domain lures used in Operation TrustTrap campaigns. Public awareness campaigns should educate citizens to verify government URLs by checking the registered domain portion of the URL rather than relying on the presence of government keywords anywhere in the hostname.

Deploy eTLD+1-Aware Detection Tooling

Replace legacy substring-based phishing filters with detection logic that operates on the public-suffix-list-resolved registered domain, ensuring that subdomain spoofing of government labels is treated as suspicious regardless of how the rest of the hostname is constructed. This technical control addresses the core evasion technique employed by Operation TrustTrap to bypass traditional URL filtering systems.

MITRE ATT&CK TTPs
Resource Development
  • T1583: Acquire Infrastructure
    • T1583.001: Domains
    • T1583.006: Web Services
    • T1583.003: Virtual Private Server
  • T1587: Develop Capabilities
  • T1608: Stage Capabilities
    • T1608.001: Upload Malware
    • T1608.005: Link Target
Initial Acces
  • T1566: Phishing
    • T1566.002: Spearphishing Link
    • T1566.003: Spearphishing via Service
  • T1189: Drive-by Compromise
Defense Evasion
  • T1036: Masquerading
    • T1036.005: Match Legitimate Resource Name or Location
  • T1027: Obfuscated Files or Information
  • T1656: Impersonation
Credential Access
  • T1056: Input Capture
    • T1056.003: Web Portal Capture
Collection
  • T1185: Browser Session Hijacking
Command and Control
  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols
Indicators of Compromise (IoCs)

Representative Domain Samples (from 16,800+ total domains):

Massachusetts State Government Impersonation

  • www[.]mass[.]gov-suc[.]cc
  • www[.]mass[.]gov-ypk[.]cc
  • www[.]mass[.]gov-wkg[.]cc
  • www[.]mass[.]gov-odb[.]cc
  • www[.]mass[.]gov-icw[.]cc

Arizona State Government Impersonation

  • www[.]az[.]gov-lzk[.]cc
  • www[.]az[.]gov-huv[.]cc
  • www[.]az[.]gov-ocq[.]cc
  • www[.]az[.]gov-cgt[.]cc

North Carolina DOT Impersonation

  • ncdot[.]gov-stmv[.]cc
  • ncdot[.]gov-stmn[.]cc
  • ncdot[.]gov-kfo[.]cc
  • ncdot[.]gov-kfy[.]cc

Generic Government Impersonation

  • www[.]gov-lzk[.]cc
  • www[.]gov-tda[.]cc
  • www[.]gov-cbv[.]cc
  • www[.]gov-wyx[.]cc

Session-Tracking Pattern

  • URL parameter format: ?var1=xxxxx?var2=xxxxx (consistent across Operation TrustTrap infrastructure)

Hosting Infrastructure

  • Tencent Cloud APAC ASNs
  • Alibaba Cloud APAC ASNs

Note: This represents a small sample of the 16,800+ domains identified in Operation TrustTrap. The complete IoC list is available on the Uni5Xposure platform.

References

https://cyble.com/blog/operation-trusttrap-domain-spoofing-campaign/

April 28, 2026
Read More
Red | Attack Report
Patched but Not Cured: FIRESTARTER Backdoor Survives Cisco Firewall Upgrades

Summary

The UAT-4356 threat actor (also known as Storm-1849 and the operator behind the ArcaneDoor campaign) has deployed a sophisticated persistence backdoor called FIRESTARTER that targets Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, and Cisco Firepower eXtensible Operating System (FXOS) across government, critical infrastructure, and telecommunications organizations worldwide. First observed in September 2025 with active exploitation commencing in March 2026, the FIRESTARTER backdoor campaign represents a critical evolution in network appliance compromise techniques, as the malware survives firmware updates, security patches, and graceful reboots on compromised Cisco firewall devices.

UAT-4356 actors exploited two zero-day vulnerabilities, CVE-2025-20333 (Cisco Secure Firewall buffer overflow vulnerability) and CVE-2025-20362 (Cisco Secure Firewall missing authorization vulnerability), in the VPN web server of Cisco Secure Firewall ASA and FTD software to gain unauthenticated remote access and remote code execution as root on internet-facing devices. After initial compromise through these FIRESTARTER vulnerabilities, the UAT-4356 actors deployed the LINE VIPER user-mode shellcode loader to establish illegitimate VPN sessions and harvest device configuration, administrative credentials, certificates, and private keys from compromised Cisco firewalls.

Subsequently, UAT-4356 implanted FIRESTARTER, a Linux ELF backdoor that hooks into the LINA process on the Cisco firewall and modifies the Cisco Service Platform mount list (CSP_MOUNT_LIST) to maintain persistence across reboots and firmware upgrades. Critically, FIRESTARTER backdoor survives firmware updates, security patches, and graceful reboots, allowing the UAT-4356 threat actor to retain access to compromised Cisco devices long after remediation actions are taken. The FIRESTARTER persistence mechanism intercepts graceful shutdown signals, copies itself to a secondary location, rewrites the Cisco Service Platform mount list to ensure re-execution on next boot, then restores the original mount list after boot, leaving minimal forensic trace and enabling indefinite access to patched devices.

FIRESTARTER backdoor operates in a dormant state, generating no outbound traffic, no log events, and no behavioral anomalies until activated by a crafted WebVPN authentication request containing a "magic packet" payload with embedded XML-based shellcode. This activation mechanism requires no re-exploitation of any CVE, meaning a fully patched Cisco device compromised before the patch window remains accessible indefinitely to UAT-4356 actors. Confirmed dwell time at one breached organization exceeded six months, and CISA issued advisory AR26-113A warning that patching is now necessary but insufficient, requiring forensic hunting and complete device reimaging to evict the UAT-4356 threat actor from compromised Cisco firewall infrastructure.

Attack Details

UAT-4356 Threat Actor and FIRESTARTER Campaign Origins

A sophisticated state-sponsored threat actor tracked as UAT-4356, also known as Storm-1849 and the operator behind the ArcaneDoor campaign, has returned with an evolved attack chain targeting Cisco Secure Firewall ASA, Firepower Threat Defense, and Firepower platforms globally. The UAT-4356 threat actor specializes in long-term compromise of internet-facing perimeter devices for espionage purposes, exploiting the limited visibility and infrequent patching cycles typical of network appliances to maintain persistent access.

The 2026 FIRESTARTER campaign evolution introduces a previously undocumented backdoor named FIRESTARTER, which materially changes the threat landscape for any organization that operated exposed Cisco firewall infrastructure prior to September 2025. The FIRESTARTER backdoor represents a significant advancement in persistence techniques, as it survives standard remediation procedures including firmware updates and security patches that would typically eliminate malware from compromised network devices.

FIRESTARTER Initial Access Through CVE-2025-20333 and CVE-2025-20362

The FIRESTARTER attack chain begins with chained exploitation of CVE-2025-20333 (buffer overflow vulnerability) and CVE-2025-20362 (missing authorization vulnerability) against internet-facing WebVPN interfaces on Cisco Secure Firewall ASA and FTD devices, yielding unauthenticated remote code execution as root. These FIRESTARTER initial access vulnerabilities were zero-day vulnerabilities at the time of exploitation and have since been added to the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation by UAT-4356 threat actors in the wild.

Following successful exploitation of the FIRESTARTER initial access vulnerabilities, the UAT-4356 actor deploys LINE VIPER, a user-mode shellcode loader providing command execution capabilities, packet capture functionality, credential theft, and bypass of authentication, authorization, and accounting policies on compromised Cisco devices. On legacy Cisco devices, RayInitiator bootkit malware is additionally deployed by UAT-4356 as a supplementary persistence mechanism. Across all supported Cisco platforms, FIRESTARTER backdoor is dropped as the primary persistence implant following LINE VIPER deployment.

FIRESTARTER Persistence Mechanism and CSP_MOUNT_LIST Modification

FIRESTARTER is a Linux ELF binary that hooks the LINA process on Cisco firewalls to establish persistence. During graceful shutdown of the compromised Cisco device, FIRESTARTER intercepts the termination signal, copies itself to a secondary location on the device filesystem, and rewrites the Cisco Service Platform mount list (CSP_MOUNT_LIST) located at /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST to ensure re-execution on next boot. After the Cisco device boots, FIRESTARTER restores the original mount list configuration, leaving minimal forensic trace of the persistence mechanism.

This FIRESTARTER persistence routine survives reboots, reload commands, and firmware upgrades on Cisco ASA and FTD devices. Only a hard power cycle interrupts the FIRESTARTER persistence mechanism, and even that is not a recommended remediation approach due to data corruption risks on Cisco firewall devices. The FIRESTARTER persistence technique exploits the Cisco Service Platform architecture to maintain presence across software upgrades that would typically eliminate malware from network appliances.

FIRESTARTER Dormant Operation and Magic Packet Activation

Once installed on a compromised Cisco device, FIRESTARTER backdoor lies dormant, generating no outbound traffic, no log events, and no behavioral anomalies that would alert security monitoring systems to the compromise. FIRESTARTER waits for a crafted WebVPN authentication request containing a "magic packet" payload, then parses an embedded XML-based shellcode and executes the UAT-4356 operator's payload, typically redeploying LINE VIPER for hands-on-keyboard operations.

Critically, this FIRESTARTER re-entry path requires no re-exploitation of any CVE vulnerability: a fully patched Cisco device compromised before the patch window remains accessible indefinitely to UAT-4356 actors through the FIRESTARTER magic packet activation mechanism. Confirmed dwell time at one breached organization exceeded six months, demonstrating the long-term persistence capabilities of FIRESTARTER backdoor on Cisco firewall infrastructure. Patching CVE-2025-20333 and CVE-2025-20362 is now necessary but insufficient to evict UAT-4356 from compromised environments; forensic hunting and complete device reimaging are required to fully remove FIRESTARTER backdoor.

Recommendations

Apply Cisco Fixed Software Releases for ASA and FTD

Upgrade all Cisco Secure Firewall ASA and FTD devices to the fixed software releases listed in Cisco's security advisory for CVE-2025-20333 and CVE-2025-20362 to close the initial access vulnerabilities exploited by UAT-4356 actors to deploy FIRESTARTER backdoor. Devices that are not yet patched, or that were updated to a still-vulnerable software version, must be moved to the explicitly listed fixed releases in the Cisco security advisory to prevent new FIRESTARTER compromises.

Reimage Devices to Remove FIRESTARTER

It is strongly recommended that organizations reimage and upgrade any Cisco device suspected of compromise by FIRESTARTER backdoor. Reimaging is the only fully reliable method to remove the FIRESTARTER persistence mechanism on confirmed-compromised devices, and Cisco recommends reimaging for both compromised and non-compromised cases where devices were exposed to the internet during the vulnerability window. Standard patching and firmware upgrades will not remove FIRESTARTER backdoor from devices compromised prior to patch application.

Hard-Power-Cycle Compromised Devices When Reimage Is Not Immediately Possible

Physically unplug the affected Cisco device from all power sources (including redundant power supplies) for at least one minute to interrupt FIRESTARTER persistence. The shutdown, reboot, and reload CLI commands will not clear the in-memory FIRESTARTER implant — only complete power loss will interrupt the backdoor. This hard power cycle is a temporary mitigation; complete device reimaging must still follow to fully remove FIRESTARTER backdoor from compromised Cisco infrastructure.

Hunt for FIRESTARTER on Cisco ASA and Firepower Devices

Run show kernel process | include lina_cs on every Cisco ASA, Firepower, and Secure Firewall device in the environment. Any output from this command should be treated as a confirmed FIRESTARTER compromise. Also inspect the Cisco device disk for the files /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, noting that UAT-4356 attackers can rename these FIRESTARTER artifacts to evade detection. Organizations should hunt for modifications to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST and /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp as indicators of FIRESTARTER persistence mechanism deployment.

MITRE ATT&CK TTPs
Initial Access
  • T1190: Exploit Public-Facing Application
  • T1133: External Remote Services
Defense Evasion
  • T1070: Indicator Removal
  • T1222: File and Directory Permissions Modification
  • T1564: Hide Artifacts
  • T1070: Indicator Removal
    • T1070.004: File Deletion
    • T1070.006: Timestomp
  • T1036: Masquerading
    • T1036.005: Match Legitimate Resource Name or Location
  • T1055: Process Injection
    •  
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools
Persistence
  • T1543: Create or Modify System Proces
  • T1078: Valid Accounts
  • T1546: Event Triggered Execution
    • T1546.004: Unix Shell Configuration Modification
  • T1547: Boot or Logon Autostart Execution
Discovery
  • T1082: System Information Discovery
  • T1057: Process Discovery
Credential Access
  • T1552: Unsecured Credentials
    • T1552.001: Credentials In Files
Command and Control
  • T1219: Remote Access Software
  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols
    • T1070.004: File Deletion
Execution
  • T1059: Command and Scripting Interpreter
Collection
  • T1005: Data from Local System
Indicators of Compromise (IoCs)
File Paths
  • /usr/bin/lina_cs
  • /opt/cisco/platform/logs/var/log/svc_samcore.lo
  • /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST
  • /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp
Detection Command
  • show kernel process | include lina_cs (Any output indicates confirmed compromise)
References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03

https://www.cisa.gov/news-events/news/cisa-warns-firestarter-malware-targeting-cisco-asa-including-firepower-and-secure-firewall-products

https://www.cisa.gov/news-events/analysis-reports/ar26-113a

https://blog.talosintelligence.com/uat-4356-firestarter/

https://www.ncsc.govt.nz/alerts/firestarter-malware-affecting-cisco-asa-and-ftd/

April 28, 2026
Read More
Red | Attack Report
The Gentlemen Ransomware: A Rapidly Scaling RaaS Threat

Summary

The Gentlemen ransomware emerged as a formidable Ransomware-as-a-Service (RaaS) operation in June 2025 and has rapidly escalated into a global cyber threat, claiming over 320 victims by April 2026, with approximately 240 victims compromised in the first months of 2026 alone. The Gentlemen RaaS operation targets organizations worldwide across Windows, Linux, NAS, BSD, and VMware ESXi platforms, excluding CIS countries in accordance with Russian-speaking ransomware group operational norms.

The Gentlemen ransomware operation is led by a Russian-speaking threat actor using the alias "hastalamuerte" (also tracked as LARVA-368), who previously operated as an affiliate crew leader called ArmCorp within the Qilin RaaS program before launching The Gentlemen as an independent ransomware brand following a payment dispute in July 2025. The Gentlemen RaaS supplies affiliates with a multi-OS Go-based ransomware locker for Windows, Linux, NAS, and BSD environments, plus a dedicated C-based locker specifically designed for ESXi hypervisors, enabling coordinated ransomware attacks across heterogeneous enterprise environments.

The Gentlemen ransomware affiliates have been observed combining the ransomware payload with SystemBC proxy malware and Cobalt Strike frameworks, establishing covert SOCKS5 tunnels for command-and-control communications, harvesting credentials with Mimikatz, and deploying ransomware domain-wide through weaponized Group Policy Objects. The Gentlemen ransomware operation follows a classic double-extortion model, exfiltrating hundreds of gigabytes to multiple terabytes of sensitive data per victim before encryption, then publishing stolen data on a dedicated Tor-based leak site and applying public pressure via a branded X/Twitter account if ransom demands remain unpaid. The Gentlemen ransomware has impacted manufacturing, technology, healthcare, retail, business services, transportation, financial services, education, government, real estate, agriculture, energy, insurance, pharmaceutical, food service, media, hospitality, charitable organizations, telecommunications, and legal sectors globally.

Attack Details

The Gentlemen RaaS Operation Origins and Business Model

The Gentlemen ransomware is a Ransomware-as-a-Service operation that publicly surfaced in September 2025, though malware samples and forensic evidence trace The Gentlemen ransomware development activity back to at least mid-July 2025, with its earliest confirmed victim, a Peruvian steel manufacturer, compromised as early as June 30, 2025. The Gentlemen ransomware operation is run by a Russian-speaking threat actor using the alias "hastalamuerte" (also tracked as LARVA-368), who previously led an affiliate crew called ArmCorp inside the Qilin RaaS program before launching The Gentlemen as an independent ransomware brand.

After a public payment dispute with Qilin on the RAMP underground forum in July 2025, hastalamuerte formalized an already-planned departure and launched The Gentlemen ransomware as an independent brand, reusing proven tooling and infrastructure from previous operations. The Gentlemen RaaS was formally advertised on underground forums on September 12, 2025 under the alias "Zeta88," promoting a minimal-infrastructure model consisting of a leak site plus Tox messenger and a cross-platform locker initially covering Windows and Linux, with NAS, BSD, and ESXi support added in later iterations.

Consisting of roughly 20 members, The Gentlemen ransomware group offers affiliates an aggressive 90/10 revenue split, well above the ransomware industry norm of 80/20, along with full control over victim negotiations, which has fueled rapid recruitment of seasoned operators from competing ransomware programs. This favorable affiliate split has contributed to The Gentlemen ransomware's explosive growth trajectory across global targets.

The Gentlemen Ransomware Rapid Scaling and Victim Impact

The Gentlemen ransomware group has scaled dramatically in under a year, growing from approximately 30 claimed victims across 17 countries in autumn 2025 to 48 by October 2025, roughly 130 by early February 2026, and over 320 publicly listed victims by April 2026, with 240 of those victims claimed in the first months of 2026 alone. Independent telemetry from a command-and-control server tied to a Gentlemen ransomware affiliate revealed a SystemBC botnet of more than 1,570 likely corporate victims, indicating the true scale of The Gentlemen ransomware operation exceeds the leak-site count significantly.

Manufacturing, technology, healthcare, and financial services are the most impacted sectors by The Gentlemen ransomware, and the group shows no self-imposed restraint regarding hospitals or critical services, unlike some ransomware groups. The heaviest geographic concentrations of The Gentlemen ransomware attacks are the United States, Thailand, United Kingdom, Germany, Brazil, and France. Consistent with Russian-speaking ransomware norms, The Gentlemen affiliate rules explicitly prohibit targeting organizations in Russia and other CIS states.

The Gentlemen Ransomware Initial Access and Reconnaissance

Initial access for The Gentlemen ransomware is predominantly achieved through exploitation of internet-facing edge devices, most notably FortiGate appliances via CVE-2024-55591, an authentication bypass vulnerability in FortiOS/FortiProxy. The Gentlemen ransomware operators maintain a curated database of roughly 14,700 already-compromised FortiGate devices and 969 validated brute-forced VPN credentials, enabling affiliates to skip the reconnaissance phase entirely and immediately access victim networks.

Infostealer-sourced credentials and exposed administrative panels serve as secondary initial access vectors for The Gentlemen ransomware affiliates. Once inside victim networks, The Gentlemen ransomware affiliates conduct structured reconnaissance using Advanced IP Scanner, Nmap, and Active Directory enumeration scripts to map the environment and identify high-value targets for encryption and data exfiltration.

The Gentlemen Ransomware Defense Evasion and Privilege Escalation

The Gentlemen ransomware affiliates pivot to defense evasion through a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique abusing the ThrottleStop.sys driver (renamed ThrottleBlood.sys by attackers) to exploit CVE-2025-7771, granting kernel-level code execution for The Gentlemen ransomware operations. Custom utilities such as All.exe and Allpatch2.exe are deployed by The Gentlemen ransomware affiliates to terminate EDR and antivirus processes at the kernel level.

The Gentlemen ransomware defense evasion is supplemented by PowerShell commands that disable Windows Defender, add broad path and process exclusions, and purge Defender support files to ensure ransomware deployment proceeds undetected. These comprehensive defense evasion techniques enable The Gentlemen ransomware to operate in enterprise environments even with security controls nominally in place.

The Gentlemen Ransomware Lateral Movement and Credential Harvesting

Lateral movement for The Gentlemen ransomware relies on living-off-the-land utilities including PsExec, WMI, WinRM, PowerRun.exe for UAC bypass and SYSTEM escalation, and remote scheduled tasks or services created across reachable hosts. Credentials are harvested from memory using Mimikatz by The Gentlemen ransomware affiliates, and AnyDesk is typically installed with a hardcoded password as a fallback remote access channel for persistent access.

Command-and-control for The Gentlemen ransomware is established through Cobalt Strike beacons and SystemBC SOCKS5 proxies using an RC4-encrypted protocol, while data exfiltration is performed over encrypted channels via WinSCP. The Gentlemen ransomware affiliates exfiltrate stolen data, often ranging from hundreds of gigabytes to multiple terabytes per victim, which is staged before encryption and published on a Tor-based leak site if ransom demands go unmet.

The Gentlemen Ransomware Group Policy Weaponization and Encryption

The defining impact technique of The Gentlemen ransomware is the built-in Group Policy deployment mode, which, once a Domain Controller is compromised, copies the locker to the NETLOGON share, creates a malicious GPO with an immediate scheduled task, and forces policy refresh to trigger near-simultaneous encryption across every domain-joined system in the victim environment. This Group Policy weaponization enables The Gentlemen ransomware to achieve enterprise-wide encryption within minutes of final payload deployment.

The Gentlemen ransomware Go-based locker targets Windows, Linux, NAS, and BSD environments, with a companion C-based variant specifically designed for ESXi hypervisors. The Gentlemen ransomware requires a per-build password argument to prevent sandbox detonation and uses hybrid cryptography combining X25519 key exchange with XChaCha20 stream encryption, generating a unique ephemeral key per file to ensure recovery without the attacker-controlled decryption key is effectively impossible.

The Gentlemen Ransomware Anti-Forensics and Double-Extortion

Configurable speed modes in The Gentlemen ransomware encrypt only 1 to 9 percent of large files for throughput while retaining destructive impact, and operators can optionally wipe free disk space to defeat forensic recovery attempts. Before encryption, The Gentlemen ransomware malware terminates dozens of backup, database, virtualization, and security services, deletes shadow copies, clears Windows event logs, and removes prefetch and RDP artifacts to frustrate incident response and forensic analysis.

Following a double-extortion model, stolen data exfiltrated by The Gentlemen ransomware affiliates is published on a Tor-based leak site if ransom demands go unmet, with negotiations conducted through Tox and Session messengers and additional public pressure applied via a branded social media account. The Gentlemen ransomware operation has demonstrated consistent follow-through on data leak threats, publishing sensitive victim data to maximize pressure for ransom payment.

Recommendations

Patch Internet-Facing Services

Prioritize timely patching of any exposed VPN appliances, RDP gateways, and remote-access infrastructure, since affiliates of The Gentlemen ransomware rely heavily on opportunistic exploitation of exposed services and stolen credentials for initial access. Organizations should immediately apply patches for CVE-2024-55591 (Fortinet FortiOS authorization bypass), CVE-2023-27532 (Veeam Backup & Replication missing authentication), and CVE-2024-37085 (VMware ESXi authentication bypass) to close critical initial access vectors exploited by The Gentlemen ransomware.

Harden and Monitor Domain Controllers

Treat Domain Controllers as the crown jewel of The Gentlemen ransomware kill chain. Restrict interactive and network logons to Domain Controllers, monitor for unusual ADMIN$ writes, abnormal RPC-launched binaries, and PowerShell sessions spawned under scheduled-task contexts on DCs. The Gentlemen ransomware Group Policy weaponization technique requires Domain Controller compromise, making DC hardening a critical defensive control.

Block and Detect Group Policy Weaponization

Alert on the creation of new GPOs, changes to NETLOGON or SYSVOL scheduled-task XML files, and bulk Invoke-GPUpdate or gpupdate /force activity executed across domain-joined systems. The Gentlemen ransomware --gpo deployment path is the single most impactful deployment mechanism in this ransomware operation and must be detectable in near real time to prevent enterprise-wide encryption.

Hunt for SystemBC Proxy Activity

Instrument EDR and NetFlow for unexpected SOCKS5 traffic, particularly from corporate hosts that should never act as proxies. Outbound connections to 45[.]86[.]230[.]112 or anomalous encrypted tunnels from workstations to low-reputation hosts should be investigated as potential pre-ransomware staging by The Gentlemen ransomware affiliates. The SystemBC proxy malware is a consistent component of The Gentlemen ransomware attack chain.

Conduct Regular Data Backups and Test Restoration

Regularly backup critical data and systems, store them securely offline in immutable or air-gapped storage. Test restoration processes to ensure backup integrity and availability. In case of a The Gentlemen ransomware attack, up-to-date backups enable recovery without paying the ransom. The Gentlemen ransomware specifically targets and attempts to destroy backup infrastructure, making offline backup storage essential.

Protect Windows Defender Tamper Controls

Enable Tamper Protection, restrict who can run Set-MpPreference, and alert on any execution of Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath 'C:', or Add-MpPreference -ExclusionProcess commands, as all are explicit behaviors of The Gentlemen ransomware locker during defense evasion operations. Monitoring for Windows Defender manipulation provides early warning of The Gentlemen ransomware deployment.

MITRE ATT&CK TTPs
Initial Access
  • T1078: Valid Accounts
  • T1133: External Remote Services
Execution
  • T1059: Command and Scripting Interpreter
    • T1059.003: Windows Command Shell
    • T1059.001: PowerShell
  • T1047: Windows Management Instrumentation
  • T1053: Scheduled Task/Job
    • T1053.005: Scheduled Task
  • T1569: System Services
    • T1569.002: Service Execution
  • 1106: Native API
  • T1204: User Execution
    • T1204.002: Malicious File
Persistence
  • T1053: Scheduled Task/Job
    • T1053.005: Scheduled Task
    • T1053.003: Cron
  • T1547: Boot or Logon Autostart Execution
    • T1547.001: Registry Run Keys / Startup Fold
    • T1037.004: RC Scripts
  • T1543: Create or Modify System Process
    • T1543.003: Windows Service
Privilege Escalation
  • T1078: Valid Accounts
Defense Evasion
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools
    • T1562.004: Disable or Modify System Firewall
  • T1070: Indicator Removal
    • T1070.001: Clear Windows Event Logs
    • T1070.004: File Deletion
  • T1036: Masquerading
    • T1036.004: Masquerade Task or Service
    • T1036.005: Match Legitimate Name or Location
  • T1564: Hide Artifacts
    • T1564.001: Hidden Files and Directories
  • T1027: Obfuscated Files or Information
Credential Access
  • T1003: OS Credential Dumping
  • T1555: Credentials from Password Stores
Discovery
  • T1082: System Information Discovery
  • T1033: System Owner/User Discovery
  • T1087: Account Discovery
    • T1087.002: Domain Account
  • T1482: Domain Trust Discovery
  • T1018: Remote System Discovery
  • T1135: Network Share Discovery
  • T1083: File and Directory Discovery
  • T1518: Software Discovery
    • T1518.001: Security Software Discovery
Lateral Movement
  • T1021: Remote Services
    • T1021.002: SMB/Windows Admin Shares
    • T1021.001: Remote Desktop Protocol
    • T1021.006: Windows Remote Management
  • T1570: Lateral Tool Transfer
Command and Control
  • T1090: Proxy
    • T1090.003: Multi-hop Proxy
  • T1105: Ingress Tool Transfer
  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols
  • T1573: Encrypted Channel
    • T1573.002: Asymmetric Cryptography
Exfiltration
  • T1041: Exfiltration Over C2 Channel
Impact
  • T1486: Data Encrypted for Impact
  • T1490: Inhibit System Recovery
  • T1489: Service Stop
  • T1491: Defacement
    • T1491.001: Internal Defacement
  • T1657: Financial Theft
Indicators of Compromise (IoCs)
IPv4 Addresses
  • 194[.]87[.]31[.]69
  • 91[.]107[.]247[.]163
  • 45[.]86[.]230[.]112
SHA256 Hashes (Selected samples)
  • 992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5
  • 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
  • 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
  • 2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
  • 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
  • 48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
  • 62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
  • 860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
  • 87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
  • 8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db
Ransom Note Filename
  • README-GENTLEMEN.txt
Tor Leak Site
  • Tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad[.]onion
Tox IDs
  • D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
  • F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
  • D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69
File Paths
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GupdateU
  • /bin/.vmware-authd
  • /etc/rc.local.d/local.sh
References

https://research.checkpoint.com/2026/dfir-report-the-gentlemen/

https://www.broadcom.com/support/security-center/protection-bulletin/cross-platform-and-coordinated-the-gentlemen-raas-targets-windows-linux-and-esxi

https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

https://www.veeam.com/kb4424

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505

April 28, 2026
Read More
Red | Attack Report
LOTUSLITE v1.1: Enhanced Evasion Meets Banking-Themed Social Engineering

Summary

The LOTUSLITE v1.1 backdoor malware represents an evolved cyber espionage threat targeting India and South Korea's banking and financial services sectors, as well as government, diplomatic, and policy organizations. First observed in March 2026, this LOTUSLITE campaign leverages sophisticated banking-themed social engineering tactics to infiltrate Windows-based systems. The LOTUSLITE v1.1 attack is attributed with medium confidence to Mustang Panda (also tracked as Bronze President, Earth Preta, Stately Taurus, TEMP.Hex, HoneyMyte, Red Lich, Camaro Dragon, PKPLUG, Twill Typhoon, Hive0154), a known advanced persistent threat actor.

The LOTUSLITE v1.1 campaign begins with a deceptively simple CHM file disguised as a support request, triggering a hidden JavaScript loader that abuses trusted Windows components to deploy the LOTUSLITE payload. By sideloading a malicious DLL through a legitimate Microsoft-signed binary, the LOTUSLITE malware executes under the radar while employing advanced API resolution techniques to evade detection and analysis. Once the LOTUSLITE backdoor is established, it secures persistence, blends its network traffic with normal HTTPS communications, and enables full backdoor capabilities across targeted systems.

The LOTUSLITE v1.1 campaign's overlap with parallel operations targeting geopolitical policy experts highlights a broader, coordinated cyber espionage effort by Mustang Panda. This underscores LOTUSLITE's continued evolution into a stealthy and adaptable cyber espionage tool specifically designed to compromise India's banking sector and South Korea's policy organizations while evading modern security controls.

Attack Details

Initial Infection Through Banking-Themed Social Engineering

The LOTUSLITE v1.1 campaign introduces an updated variant of the LOTUSLITE malware, cleverly packaged around a theme tied to India's banking sector to enhance its credibility and increase successful compromise rates. The LOTUSLITE attack chain begins with a well-crafted spear-phishing email delivering a Compiled HTML Help (CHM) file titled "Request for Support.chm," a name deliberately chosen by Mustang Panda to mimic legitimate helpdesk or ticketing workflows commonly seen in financial institutions across India and South Korea.

Once the LOTUSLITE CHM file is opened, the file displays a seemingly benign prompt urging the user to click "Yes," but this interaction quietly triggers the download and execution of a malicious JavaScript payload named music.js, hosted on a remote domain controlled by the Mustang Panda threat actor. This LOTUSLITE script acts as the orchestrator of the infection, abusing trusted Windows utilities like hh.exe and leveraging ActiveX components such as ShortcutCommand, alongside Scriptlet.TypeLib, to bypass built-in security controls and initiate LOTUSLITE execution without raising suspicion in India's banking environments.

DLL Sideloading and Enhanced Evasion Techniques

Once the LOTUSLITE JavaScript is executed, the script extracts embedded payloads into a public directory on the system, including a legitimate Microsoft-signed binary (Microsoft_DNX.exe) and a malicious DLL (dnx.onecore.dll), which constitutes the LOTUSLITE v1.1 implant. The Mustang Panda attackers exploit DLL sideloading by relying on the signed binary's behavior of dynamically loading libraries at runtime without strict path validation or authenticity checks, allowing the malicious LOTUSLITE DLL to execute under the guise of a trusted application.

Notably, LOTUSLITE v1.1 introduces enhanced anti-analysis techniques that distinguish it from earlier LOTUSLITE versions. Rather than statically importing APIs, LOTUSLITE v1.1 dynamically resolves them at runtime via ntdll.dll, using functions like LdrLoadDll and RtlInitUnicodeString. This LOTUSLITE approach minimizes detectable indicators in the import table, significantly complicating static analysis and reverse engineering efforts by security researchers attempting to analyze Mustang Panda malware targeting India's banking sector and South Korean government organizations.

Persistence Mechanisms and Banking-Themed Disguise

To maintain persistence, the LOTUSLITE v1.1 malware modifies the Windows Registry under the HKCU Run key, again using obfuscated API resolution techniques to evade detection by security tools deployed in India's banking and South Korea's government infrastructure. LOTUSLITE copies itself into C:\ProgramData\Microsoft_DNX* and leverages a modified command-line argument to control execution flow, either establishing persistence or initiating communication with its command-and-control (C2) server. A mutex named "mdseccoUk" ensures only a single LOTUSLITE instance runs at a time on compromised systems.

The LOTUSLITE DLL's export table has been expanded to include functions such as HDFCBankMain, which displays a decoy message box referencing "HDFC Bank Limited" to reinforce the banking-themed disguise and deceive victims in India's financial sector. Meanwhile, legacy artifacts such as KugouMain persist in LOTUSLITE v1.1, providing strong evidence of lineage from earlier LOTUSLITE versions and confirming the malware's evolution under Mustang Panda's development.

Command-and-Control Infrastructure and Backdoor Capabilities

On the network side, the LOTUSLITE v1.1 implant communicates with a hardcoded C2 endpoint hosted on a dynamic DNS subdomain controlled by Mustang Panda, using TCP port 443 to blend seamlessly with normal HTTPS traffic in India's banking networks and South Korea's government systems. The LOTUSLITE communication protocol relies on a custom binary TLV structure, updated with a new magic header value (0xB2EBCFDF), signaling iterative development by Mustang Panda. Functionally, the LOTUSLITE backdoor retains its core capabilities, including remote shell access, file manipulation, and session control, mirroring the command structure of earlier LOTUSLITE versions.

Coordinated Targeting Across Multiple Sectors

Further investigation reveals that this LOTUSLITE v1.1 activity is not isolated to India's banking sector. Mustang Panda is also targeting policy experts and individuals engaged in Korean Peninsula and Indo-Pacific security discussions in South Korea. In this parallel campaign, Mustang Panda threat actors employed a spoofed Gmail account impersonating a well-known U.S.-Korea policy figure to distribute malicious files via Google Drive. This overlap in targeting and tooling suggests a broader, coordinated cyber espionage effort by Mustang Panda, with LOTUSLITE continuing to evolve both technically and operationally to support targeted cyber espionage campaigns against India's banking sector and South Korea's diplomatic organizations.

With moderate confidence, this LOTUSLITE v1.1 activity is attributed to Mustang Panda based on shared code lineage, overlapping infrastructure, residual build artifacts, and consistent behavioral patterns observed across all three campaigns targeting India and South Korea.

Recommendations

Block Known C2 Infrastructure

Immediately block network communication to the domains editor[.]gleeze[.]com and www[.]cosmosmusic[.]com at the firewall, proxy, and DNS levels to prevent LOTUSLITE v1.1 command-and-control communications. Add the associated LOTUSLITE IoC hashes to endpoint detection blocklists to prevent execution of known LOTUSLITE v1.1 artifacts across India's banking networks and South Korean government systems.

Restrict CHM File Execution

Deploy Group Policy restrictions to prevent the execution of Compiled HTML (.chm) files from untrusted sources, particularly those arriving via email attachments or web downloads in banking and government environments. Monitor for unexpected invocations of hh.exe, which is abused in this LOTUSLITE campaign as a file extraction mechanism by Mustang Panda.

Harden DLL Sideloading Defenses

Implement application control policies that prevent unsigned or untrusted DLLs from being loaded alongside legitimate signed executables. Monitor for the execution of Microsoft_DNX.exe and kwpswnsserver.exe outside of expected development contexts, as these legitimate binaries are abused for sideloading in this LOTUSLITE v1.1 campaign targeting India's banking sector.

Monitor Registry Persistence Mechanisms

Deploy detection rules for registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, specifically watching for entries pointing to executables staged in C:\ProgramData\ subdirectories. Alert on the creation of the mutexes "mdseccoUkFuiCkTrump" and "1ac5e7ee1a107499" as direct indicators of LOTUSLITE activity on systems across India and South Korea.

Deploy Network Detection Signatures

Create network intrusion detection rules to identify the LOTUSLITE custom binary packet structure, specifically monitoring for the magic value 0xB2EBCFDF in packet headers on TCP port 443. Also retain detection for the legacy magic value 0x8899AABB from LOTUSLITE v1.0 to ensure coverage across both variants deployed by Mustang Panda.

Implement JavaScript Execution Controls

Restrict the execution of JavaScript files (.js) via Windows Script Host in environments where such functionality is not operationally required. Monitor for the creation and execution of JavaScript files in user-writable directories, particularly those triggered by CHM file interactions in India's banking sector and South Korean government organizations.

Implement Network Segmentation for Financial Systems

Isolate banking and financial application servers from general-purpose endpoints to limit lateral movement opportunities if a LOTUSLITE implant achieves initial compromise. Ensure that sensitive financial systems in India are accessible only through hardened jump servers with multi-factor authentication to prevent Mustang Panda lateral movement.

MITRE ATT&CK TTPs
Initial Access
  • T1566: Phishing
    • T1566.001: Spear-Phishing Attachment
Execution
  • T1059: Command and Scripting Interpreter
    • T1059.007: JavaScript
  • T1218: System Binary Proxy Execution
    • T1218.001: Compiled HTML File
  • T1204: User Execution
Persistence
  • T1547: Boot or Logon Autostart Execution
    • T1547.001: Registry Run Keys / Startup Folder
Defense Evasion
  • T1574: Hijack Execution Flow
    • T1574.001: DLL
  • T1036: Masquerading
    • T1036.005: Match Legitimate Name or Location
  • T1106: Native API
  • T1027: Obfuscated Files or Information
Command and Control
  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols
  • T1095: Non-Application Layer Protocol
Exfiltration
  • T1041: Exfiltration Over C2 Channel
Indicators of Compromise (IoCs)
SHA256 Hashes
  • af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec
  • cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8
  • 7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d
  • 9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d
  • 18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893
  • 6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135
Domains
  • editor[.]gleeze[.]com
  • www[.]cosmosmusic[.]com
Mutex
  • mdseccoUkFuiCkTrump
  • 1ac5e7ee1a107499
File Path
  • C:\ProgramData\Microsoft_DNX\
References

https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/

April 28, 2026
Read More
Amber | Attack Report
Lotus Wiper: Silent Sabotage Targeting Venezuela’s Energy Sector

Summary

The Lotus Wiper malware represents a sophisticated destructive cyber attack campaign targeting Venezuela's energy and utilities sector. This previously undocumented wiper malware was first observed in mid-December 2025, though compiled in late September 2025, indicating a prolonged preparation phase for this destructive operation. Lotus Wiper attacks specifically targeted Windows-based systems within Venezuelan energy organizations during a period of heightened geopolitical tensions in the Caribbean region during late 2025 and early 2026.

The Lotus Wiper attack chain employs batch scripts and destructive malware to systematically disable system defenses, destroy disk contents, and render targeted systems permanently unrecoverable. The multi-stage attack begins with batch scripts that weaken system security, disable user accounts, and prepare the environment for the Lotus Wiper payload execution. Once deployed, Lotus Wiper removes recovery mechanisms, overwrites physical drives with zeros, clears USN journals, and systematically deletes all files across affected systems. Importantly, this destructive wiper campaign showed no ransomware or extortion mechanisms, confirming that Lotus Wiper attacks are purely destructive operations with no financial motivation behind the targeting of Venezuela's critical energy infrastructure.

Attack Details

Initial Attack Stage and Environment Preparation

The Lotus Wiper attack begins with a batch script named OhSyncNow.bat that serves as the initial trigger for the destructive chain targeting Venezuelan energy organizations. This Lotus Wiper batch script establishes a local working directory at C:\lotus and immediately attempts to disable the Interactive Services Detection (UI0Detect) service, effectively suppressing visible security alerts that could expose the ongoing Lotus Wiper attack activity to system administrators.

The Lotus Wiper attack chain then checks for the presence of an XML flag file (OHSync.xml) hosted on a NETLOGON share, using a hardcoded organization name to construct the network path. This external XML file functions as a covert control signal for the Lotus Wiper operation; once detected, it triggers Lotus Wiper execution across domain-joined systems, resembling a backdoor mechanism dependent on network-accessible resources. If the Lotus Wiper trigger file is absent, execution halts; if the share is temporarily unreachable, the Lotus Wiper script introduces a randomized delay of up to 20 minutes before retrying, adding resilience and stealth to the destructive operation.

System Destruction and User Account Compromise

Once the Lotus Wiper attack is activated, a secondary script named notesreg.bat executes a one-time destructive routine. This Lotus Wiper component first checks for a marker file to avoid re-execution, deleting itself if the Lotus Wiper operation has already been performed on the target system. The Lotus Wiper script then systematically targets user accounts, excluding specific predefined names likely tied to IT personnel, by resetting passwords to random values, disabling accounts, and restricting login hours across the compromised Venezuelan energy infrastructure.

The Lotus Wiper attack further disrupts system access by disabling cached credentials through registry modification and forcibly logging off all active sessions using qwinsta. Network isolation is achieved when Lotus Wiper disables all network interfaces via netsh, effectively cutting off external communication. From there, the Lotus Wiper script escalates into full-scale destruction: it enumerates all logical drives and leverages diskpart clean all to overwrite disks with zeros, recursively overwrites directory contents using robocopy, and exhausts remaining disk space with fsutil, ensuring complete system inoperability across targeted Venezuelan energy organizations.

Payload Decryption and Wiper Deployment

The final stage of the Lotus Wiper attack introduces a binary named nstats.exe, which masquerades as a legitimate HCL Domino server component. This Lotus Wiper executable accepts two arguments: nevent.exe (an XOR-encrypted payload) and ndesign.exe (the output file), and decrypts the payload to produce the actual Lotus Wiper binary. The requirement to pre-stage these Lotus Wiper components strongly indicates that the attackers had already established a foothold within Venezuelan energy infrastructure before Lotus Wiper detonation.

Additionally, the deliberate targeting of legacy Windows features by Lotus Wiper, such as UI0Detect, suggests the attackers possessed detailed understanding of the victim's infrastructure. Timeline analysis reveals that the Lotus Wiper malware was compiled in late September 2025 but only deployed months later against Venezuelan energy targets, pointing to a carefully planned and staged intrusion operation.

Multi-Phase Destruction Process

Once executed, the Lotus Wiper malware escalates its privileges to gain full administrative control and begins a multi-phase destruction process targeting Venezuelan energy systems. Lotus Wiper first removes all system restore points by dynamically loading srclient.dll and invoking the System Restore API, ensuring that recovery options are eliminated from compromised energy infrastructure systems.

Lotus Wiper then wipes physical drives by querying disk geometry via IOCTL_DISK_GET_DRIVE_GEOMETRY_EX and overwriting all sectors with zeros. Between these Lotus Wiper wipe cycles, the malware enumerates mounted volumes and spawns parallel threads to erase USN journal entries and delete files at scale across Venezuelan energy systems. Individual file destruction by Lotus Wiper involves zeroing data regions, renaming files to random hexadecimal strings to obscure their identity, and deleting them using native Windows APIs.

In cases where files are locked, Lotus Wiper defers deletion until reboot using MoveFileExW. This Lotus Wiper destruction process is repeated in multiple passes, with additional restore point removal after each cycle, ensuring irrecoverable damage to targeted Venezuelan energy infrastructure. The Lotus Wiper operation concludes with a system-level update call to reflect disk changes, leaving the compromised machine effectively unusable.

Recommendations

Audit NETLOGON and Domain Shares

Organizations should review permissions and file activity on domain shares, specifically monitoring the NETLOGON share for unauthorized file additions or modifications. The Lotus Wiper attack chain uses shared XML files as trigger mechanisms to coordinate wiper execution across domain-joined hosts in Venezuelan energy infrastructure, making NETLOGON share monitoring critical for detecting Lotus Wiper deployment attempts.

Monitor for Unauthorized Service Manipulation

Deploy detection rules for attempts to query, stop, or disable system services such as UI0Detect using sc.exe. This behavior was used during the Lotus Wiper attack to suppress visible warnings during the initial attack phase against Venezuelan energy organizations, making service manipulation monitoring essential for early Lotus Wiper detection.

Detect Mass Account Manipulation

Alert on bulk password changes and account deactivation events (Windows Event 4724) across local user accounts, particularly when performed in rapid succession by scripted processes rather than administrative workflows. The Lotus Wiper campaign systematically disabled user accounts across Venezuelan energy infrastructure, making account manipulation detection a critical indicator of Lotus Wiper activity.

Block Living-off-the-Land Abuse

Monitor and restrict unusual use of built-in system utilities including fsutil, robocopy, diskpart, netsh, and qwinsta, especially when invoked from non-standard directories or batch scripts. The Lotus Wiper attackers relied on these legitimate tools for disk destruction and network isolation within Venezuelan energy systems, making detection of abnormal system utility usage vital for preventing Lotus Wiper attacks.

Restrict Network Interface Changes

Implement controls to alert on or prevent unauthorized disabling of network interfaces via netsh. Lotus Wiper used this technique to isolate compromised Venezuelan energy systems from external communication and impede incident response, making network interface monitoring essential for detecting Lotus Wiper lateral movement and isolation tactics.

Harden Cached Credential Policy

Enforce group policy settings for CachedLogonsCount and monitor for unauthorized registry modifications to the Winlogon key. The Lotus Wiper attack manipulated this value to prevent domain users from logging in without network connectivity across Venezuelan energy infrastructure, making credential policy hardening critical for resilience against Lotus Wiper attacks.

Implement Immutable and Offline Backups

Maintain air-gapped or immutable backup copies of critical systems and data, and regularly test restoration procedures. Wiper attacks like Lotus Wiper are specifically designed to render systems permanently unrecoverable, making resilient backup strategies the primary recovery mechanism for organizations facing destructive Lotus Wiper campaigns targeting critical infrastructure like Venezuela's energy sector.

MITRE ATT&CK TTPs
Execution
  • T1059: Command and Scripting Interpreter
    • T1059.003: Windows Command Shell

Persistence

  • T1078: Valid Accounts
    • T1078.002: Domain Accounts

Defense Evasion

  • T1036: Masquerading
    • T1036.005: Match Legitimate Name or Location
  • T1140: Deobfuscate/Decode Files or Information
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools

Discov

  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1049: System Network Connections Discovery

Lateral Movement

  • T1080: Taint Shared Content

Credential Access

  • T1098: Account Manipulation

Impact

  • T1561: Disk Wipe
    • T1561.001: Disk Content Wipe
    • T1561.002: Disk Structure Wipe
  • T1485: Data Destruction
  • 1490: Inhibit System Recovery
  • T1489: Service Stop
  • T1531: Account Access Removal
Indicators of Compromise (IoCs)

MD5 Hashes

  • 0b83ce69d16f5ecd00f4642deb3c5895
  • c6d0f67db6a7dbf1f9394d98c1e13670
  • b41d0cd22d5b3e3bdb795f81421a11cb

SHA256 Hashes

  • 405177294F6F9268432A43998049AD0D4A61C6909216533B8713C911BC430755
  • 9D05854C95C6AFA68911BD28AF12282185E0FE34F2E58FDDBC503AB22D1508
  • 1D6F374087087738B7699EBF91F1CFDB3B2A65C2E9BE72E106EE7C9814BE3274
References

https://securelist.com/tr/lotus-wiper/119472/

April 28, 2026
Read More
Red | Vulnerability Report
From Advisory to Attack in Under 10 Hours: Marimo's Critical RCE Flaw

Summary

CVE-2026-39987 represents a critical pre-authenticated remote code execution vulnerability affecting Marimo, an open-source reactive Python notebook platform widely used for data science, analysis, and interactive coding workflows.

This vulnerability, carrying a CVSS score of 9.3, impacts all Marimo versions prior to 0.23.0 and stems from a complete absence of authentication validation on the /terminal/ws WebSocket endpoint. This authentication bypass allows any unauthenticated remote attacker to obtain a full PTY (pseudo-terminal) shell and execute arbitrary system commands on vulnerable Marimo instances through a single WebSocket connection, without requiring any credentials, user interaction, or prior compromise.

The vulnerability was publicly disclosed on April 8, 2026, through a security advisory that detailed the technical root cause and exploitation methodology. Remarkably, active exploitation in the wild was observed within just 9 hours and 41 minutes of the advisory's publication, demonstrating the rapidly shrinking window between vulnerability disclosure and weaponization.

This extremely brief time-to-exploit window occurred without any public proof-of-concept code being available, indicating that attackers crafted working exploits directly from the advisory's technical description alone.

Security researchers operating honeypot infrastructure detected the first exploitation attempt when an attacker connected to the unauthenticated terminal WebSocket endpoint and conducted manual reconnaissance activities across four distinct sessions spanning approximately 90 minutes.

The attacker's activities focused primarily on credential harvesting and data collection rather than deployment of persistent malware, cryptominers, or backdoors. Specific attacker objectives included:

  • Harvesting credentials from .env environment files commonly used in Python development workflows
  • Searching for SSH private keys that could enable lateral movement
  • Conducting comprehensive file system exploration to identify valuable data repositories

The vulnerability's root cause lies in inconsistent security control implementation across Marimo's WebSocket endpoints. While other endpoints such as /ws properly invoke the validate_auth() authentication function, the /terminal/ws endpoint completely bypasses this validation step.

The impact severity extends significantly beyond simple server compromise. Marimo environments frequently store sensitive API keys for Large Language Model providers (OpenAI, Anthropic, Cohere, etc.) as well as cloud service credentials for AWS, Google Cloud Platform, and Azure infrastructure.

Exfiltration of these credentials could enable:

  • Lateral movement into cloud infrastructure hosting production workloads
  • Unauthorized abuse of expensive AI services
  • Exposure of proprietary datasets or machine learning artifacts
  • Compromise of interconnected development and production environments

The observed exploitation pattern suggests professional threat actor involvement rather than opportunistic scanning. The attacker demonstrated:

  • Methodical manual reconnaissance
  • Focus on high-value credential theft
  • Operational security discipline (no persistent backdoors)

Organizations running Marimo face immediate risk requiring emergency remediation.

Vulnerability Details

Technical Root Cause and Authentication Bypass Mechanism

CVE-2026-39987 exists due to architectural inconsistency in authentication enforcement across Marimo's WebSocket endpoint implementations.

  • Most endpoints (e.g., /ws) invoke validate_auth() before granting access
  • The /terminal/ws endpoint omits authentication entirely

This allows unauthenticated attackers to establish WebSocket connections and gain full terminal access.

Upon connection, attackers receive a full PTY shell with the privileges of the Marimo process user, enabling:

  • Arbitrary command execution
  • File system navigation
  • Sensitive file access
  • System configuration modification
Exploitation Timeline and Attacker Methodology
  • Disclosure Date: April 8, 2026
  • First Exploit Observed: 9 hours 41 minutes later

No public proof-of-concept code was available during initial exploitation.

The attacker:

  • Conducted 4 sessions over ~90 minutes
  • Performed systematic file enumeration
  • Harvested .env credentials
  • Searched for SSH keys
  • Explored project directories

Notably, the attacker did NOT:

  • Deploy malware
  • Install cryptominers
  • Establish persistence
  • Perform destructive actions

This indicates targeted credential harvesting.

Impact Scope and Credential Exposure Risk

The impact extends beyond server compromise due to sensitive data stored in Marimo environments.

At-Risk Data Includes:
  • LLM API keys (OpenAI, Anthropic, Cohere, Gemini, etc.)
  • Cloud credentials (AWS, GCP, Azure)
  • Database connection strings
  • SSH private keys
  • Proprietary datasets and ML models
Potential Consequences
  • Abuse of AI services (cost exploitation, prompt injection)
  • Lateral movement into cloud environments
  • Data exfiltration
  • Deployment of additional attack infrastructure
Patch Availability and Remediation

Marimo version 0.23.0 fixes the vulnerability by enforcing authentication on /terminal/ws.

If Immediate Upgrade Is Not Possible:
  • Restrict access via firewall or reverse proxy
  • Disable terminal functionality
  • Deploy only in private networks
Recommendations
1. Upgrade Marimo to Version 0.23.0 Immediately

All organizations must upgrade without delay.

If not possible

  • Restrict /terminal/ws access
  • Apply firewall/WAF rules
  • Disable terminal feature
2. Audit and Rotate All Potentially Exposed Credentials

Audit all accessible credentials:

  • .env files and environment variables
  • SSH keys (.ssh directories)
  • Config files with tokens
  • Hardcoded secrets in repositories

Action: Rotate all credentials—even without confirmed compromise.

3. Restrict Network Exposure of Notebook Environments

Notebook platforms should never be exposed without protection.

Recommended Controls:
  • VPN access
  • Private subnets
  • Authenticated reverse proxies (SSO, OAuth, MFA)
  • Avoid binding to 0.0.0.0 unless secured
4. Implement Container Security Hardening

For containerized deployments:

  • Run as non-root user
  • Use read-only filesystems
  • Minimize Linux capabilities
  • Apply resource limits
5. Deploy WebSocket Monitoring and Anomaly Detection

Monitor for:

  • Unexpected /terminal/ws connections
  • Unusual shell process spawning
  • Abnormal process trees
  • Suspicious outbound traffi
  • Bulk access to sensitive files

Key Insight: Any external /terminal/ws access is a high-confidence indicator of compromise.

MITRE ATT&CK TTPs
Initial Access
  • T1190: Exploit Public-Facing Application
Execution
  • T1059: Command and Scripting Interpreter
    • T1059.004: Unix Shell
    • T1059.006: Python
Discovery
  • T1083: File and Directory Discovery
  • T1016: System Network Configuration Discovery
  • T1082: System Information Discovery
Credential Access
  • T1552: Unsecured Credentials
    • T1552.001: Credentials in Files
Collection
  • T1005: Data from Local System
Lateral Movement
  • T1021: Remote Services
    • T1021.004: SSH
References
April 15, 2026
Read More
Red | Vulnerability Report
Microsoft's April 2026 Patch Tuesday

Summary

Microsoft's April 2026 Patch Tuesday addresses 165 critical security vulnerabilities across Microsoft's product ecosystem, marking one of the most extensive security update releases in the company's history. This Patch Tuesday vulnerability release includes 8 Critical, 153 Important, 1 Low, and 3 Moderate severity vulnerabilities spanning multiple Microsoft products including Microsoft SQL Server, Windows Kernel, Windows Server Update Service, Microsoft Office, Microsoft SharePoint, and Google Chromium-based Microsoft Edge.

Microsoft Patch Tuesday vulnerabilities impact multiple categories including 93 Elevation of Privilege (EoP) vulnerabilities, 20 Remote Code Execution (RCE) vulnerabilities, 20 Information Disclosure vulnerabilities, 12 Security Feature Bypass vulnerabilities, 9 Denial of Service (DoS) vulnerabilities, 10 Spoofing vulnerabilities, and 1 Tampering vulnerability. Elevation of Privilege vulnerabilities account for over 56% of this month's patches, reflecting continued attacker focus on post-compromise privilege escalation vulnerabilities.

The total number of CVEs addressed reaches 247 when including 82 non-Microsoft vulnerabilities. Of critical concern are 21 CVEs assessed as either actively exploited or at increased risk of exploitation, including 1 actively exploited zero-day vulnerability and 1 publicly disclosed vulnerability prior to patching.

Vulnerability Details

Actively Exploited Zero-Day Vulnerabilities

CVE-2026-32201 is a critical Microsoft SharePoint Server Spoofing Vulnerability (CVSS 6.5) actively exploited in the wild. This SharePoint vulnerability stems from improper input validation and manifests as cross-site scripting (XSS), allowing attackers to view and modify sensitive organizational data. Despite its moderate CVSS score, confirmed wild exploitation and SharePoint's role as a central collaboration platform make this SharePoint vulnerability the top remediation priority. This SharePoint zero-day follows a pattern of SharePoint vulnerabilities being leveraged in ransomware and cyberespionage campaigns.

CVE-2026-5281, a Chromium Use After Free in Dawn vulnerability affecting Microsoft Edge (Chromium-based), is confirmed exploited in the wild. This zero-day vulnerability targeting the Dawn graphics component poses significant remote code execution risks.

Publicly Disclosed Vulnerabilities

CVE-2026-33825 is a publicly disclosed Microsoft Defender Elevation of Privilege vulnerability (CVSS 7.8). While no active exploitation has been confirmed, the vulnerability description closely matches "BlueHammer," a proof-of-concept exploit published on GitHub on April 3. Systems with Microsoft Defender disabled are not vulnerable.

Critical Remote Code Execution Vulnerabilities

CVE-2026-33824 (Windows IKE Service Extensions, CVSS 9.8) and CVE-2026-33827 (Windows TCP/IP, CVSS 8.1) are both unauthenticated, network-exploitable RCE vulnerabilities with wormable characteristics. The IKE vulnerability targets systems with IKE v2 enabled, while the TCP/IP vulnerability affects IPv6/IPsec environments via a race condition.

CVE-2026-33826 (Windows Active Directory, CVSS 8.0) enables authenticated RCE on domain controllers via crafted RPC calls, presenting serious domain compromise risks.

Three Critical RCE vulnerabilities in Microsoft Word and Office (CVE-2026-33115, CVE-2026-33114, CVE-2026-32190) are exploitable through the Preview Pane without opening files, continuing a dangerous pattern from March 2026.

CVE-2026-32157 (Remote Desktop Client, CVSS 8.8) targets users connecting to malicious RDP servers. CVE-2026-23666 (.NET Framework) is a rare Critical-rated Denial of Service vulnerability capable of crippling network-facing .NET applications.

Security Feature Bypass Vulnerabilities

The Secure Boot and BitLocker bypass vulnerabilities are particularly urgent given the Secure Boot certificate expiration deadline on June 26, 2026. Organizations should prioritize validating Secure Boot certificate status across their fleet before this deadline.

Chromium Vulnerabilities

Among Chromium-based Edge vulnerabilities, two additional Chromium flaws (CVE-2026-5858 and CVE-2026-5859), both in the WebML API, are rated Critical by Google with $43,000 bounties each and could allow remote code execution via crafted HTML pages.

Extended Security Updates End

This release marks the end of Extended Security Updates for Exchange Server 2016 and 2019, leaving on-premises Exchange environments without security coverage moving forward.

Recommendations

Conduct an extensive service exposure evaluation to identify vulnerable services that may be publicly accessible, particularly SharePoint Server, IKE/IPsec endpoints, and IPv6-enabled systems. Take immediate action to address identified vulnerabilities through essential patch deployment or interim security measures such as firewall rules for UDP ports 500 and 4500.

Keep systems up to date by implementing the most recent security updates from Microsoft Patch Tuesday. Follow security rules adapted to unique devices to avoid introducing new vulnerabilities. Thoroughly review configurations of internet-exposed devices and applications, including Secure Boot certificate status verification ahead of the June 26, 2026 expiration deadline.

Prioritize patching the actively exploited and critical vulnerabilities: CVE-2026-32201, CVE-2026-5281, CVE-2026-33825, CVE-2026-33824, CVE-2026-33827, CVE-2026-33826, CVE-2026-33115, CVE-2026-33114, and CVE-2026-32190. These vulnerabilities pose significant exploitation risks including wormable network RCEs and Preview Pane-based Office attacks.

Implement network segmentation to restrict unauthorized access and reduce the impact of potential attacks. This is especially critical given the wormable IKE and TCP/IP vulnerabilities and the Active Directory RCE vulnerability that can enable lateral movement across domain-joined environments.

Adhere to the principle of "least privilege" by giving users only essential permissions needed for their tasks. With Elevation of Privilege vulnerabilities accounting for over 56% of this month's patches, this strategy is critical to reducing the impact of privilege escalation vulnerabilities.

MITRE ATT&CK TTPs

Initial Access: T1190 (Exploit Public-Facing Application), T1189 (Drive-by Compromise), T1566 (Phishing), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link)

Execution: T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1059.001 (PowerShell), T1204 (User Execution), T1204.001 (Malicious Link), T1204.002 (Malicious File)

Defense Evasion: T1562 (Impair Defenses), T1562.001 (Disable or Modify Tools), T1553 (Subvert Trust Controls), T1553.005 (Mark-of-the-Web Bypass), T1553.006 (Code Signing Policy Modification)

Privilege Escalation: T1068 (Exploitation for Privilege Escalation), T1542 (Pre-OS Boot), T1542.003 (Bootkit)

Credential Access: T1552 (Unsecured Credentials), T1556 (Modify Authentication Process)

Lateral Movement: T1021 (Remote Services), T1021.001 (Remote Desktop Protocol), T1210 (Exploitation of Remote Services)

Impact: T1499 (Endpoint Denial of Service)

References

https://msrc.microsoft.com/update-guide/releaseNote/2026-apr

https://hivepro.com/threat-advisory/cve-2026-5281-chrome-dawn-flaw-sparks-in-the-wild-zero-day-attacks/

April 20, 2026
Read More
Red | Attack Report
Storm-2755's Silent Payroll Heist Targeting Canada

Summary  

Storm-2755 represents a sophisticated cybersecurity attack targeting Canadian employees through a financially motivated payroll diversion campaign that exploits Microsoft 365 and Microsoft Entra ID vulnerabilities. First observed in April 2026, the Storm-2755 attack campaign leverages advanced adversary-in-the-middle (AiTM) phishing techniques and exploits CVE-2025-27152, an Axios SSRF and credential leakage vulnerability, to silently compromise corporate accounts and redirect employee salary payments.  

The Storm-2755 threat actor orchestrates this payroll theft attack by deploying fake Microsoft 365 login pages through malicious advertisements and search engine manipulation, capturing active session tokens to bypass multi-factor authentication (MFA) protections. Once inside compromised accounts, the Storm-2755 campaign maintains persistent access through session token refresh techniques, searches for payroll and human resources data, establishes inbox rules to hide malicious activity, and ultimately manipulates direct deposit information either through social engineering of HR teams or direct modification of payroll systems like Workday.  

Attack Details  

Initial Access and Credential Compromise  

The Storm-2755 attack begins with sophisticated initial access tactics targeting Canadian employees through malicious advertisements and search engine manipulation that promote fraudulent Microsoft 365 login pages. These phishing pages deployed by Storm-2755 are carefully crafted to appear legitimate while serving as adversary-in-the-middle (AiTM) proxy servers. When victims authenticate through these fake Microsoft 365 portals, Storm-2755 intercepts and captures active session tokens rather than simple username-password combinations, enabling the threat actor to bypass traditional multi-factor authentication security controls.  

The Storm-2755 campaign specifically exploits CVE-2025-27152, a critical vulnerability in Axios versions prior to 1.8.2 that allows SSRF and credential leakage through absolute URL bypass mechanisms. By leveraging this Axios vulnerability in version 1.7.9, Storm-2755 relays stolen session tokens and OAuth cookies from the AiTM phishing infrastructure to legitimate Microsoft 365 services, enabling authenticated session replay that circumvents non-phishing-resistant MFA implementations.  

Persistence and Stealth Operations  

Once initial access is established, Storm-2755 maintains persistent access to compromised accounts through continuous session token refresh operations that avoid triggering typical security alerts. The Storm-2755 threat actor employs a malware-free approach, relying exclusively on legitimate authentication mechanisms and stolen session credentials to remain undetected within victim environments. In certain cases, Storm-2755 strengthens its foothold by modifying account passwords or authentication settings, ensuring continued access even if victims become suspicious.  

Storm-2755 conducts extensive reconnaissance within compromised Microsoft 365 accounts, systematically searching emails and internal collaboration platforms for payroll data, direct deposit forms, HR contact information, and financial system access credentials. To maintain operational security, Storm-2755 creates inbox rules that automatically filter and hide messages containing financial keywords such as "direct deposit," "bank," "payroll," and similar terms, routing these communications to hidden folders where victims cannot observe the attacker's activities or any resulting alerts about account changes.  

Financial Theft Execution  

The final stage of the Storm-2755 attack involves executing the actual payroll diversion through multiple potential methods. Storm-2755 frequently sends convincing spearphishing emails to HR departments and finance teams using compromised employee accounts, requesting changes to direct deposit banking information under plausible pretenses. These internal phishing messages from Storm-2755 carry inherent credibility because they originate from legitimate employee accounts, making HR personnel more likely to process the fraudulent banking updates without additional verification.  

When social engineering proves unsuccessful or infeasible, Storm-2755 directly accesses HR management platforms such as Workday using the compromised employee credentials, manually modifying direct deposit information to redirect salary payments into attacker-controlled bank accounts. This Storm-2755 attack methodology results in actual financial theft when the next payroll cycle executes, transferring legitimate employee wages to the threat actor while victims and organizations remain unaware until employees discover missing payments.  

Recommendations  
Immediate Incident Response Actions  

Organizations must immediately revoke all active tokens and sessions for accounts exhibiting Storm-2755 indicators of compromise, particularly sign-ins associated with the Axios user-agent string or connections to the bluegraintours[.]com domain. Conduct comprehensive audits of all mailbox rules across the organization, specifically searching for rules that filter on financial keywords including "direct deposit," "bank," and "payroll" that route messages to hidden folders, removing any unauthorized Storm-2755-created rules and restoring suppressed emails. Reset credentials and all registered MFA methods for affected accounts to prevent Storm-2755 from maintaining access through previously established persistent authentication mechanisms.  

Identity and Access Management Hardening  

Enforce Conditional Access policies within Microsoft Entra ID to mandate device compliance requirements, restrict sign-ins from unmanaged devices, and apply session lifetime controls that limit token validity periods and force reauthentication at shorter intervals to disrupt Storm-2755 persistence techniques. Enable Continuous Access Evaluation (CAE) in Microsoft Entra to ensure access tokens are re-evaluated and revoked in near real-time when risk conditions change, such as user risk elevation or session anomaly detection that might indicate Storm-2755 activity. Block legacy authentication protocols that do not support modern security controls, reducing the attack surface available for Storm-2755 token replay and session hijacking techniques.  

Detection and Monitoring Enhancements  

Create detection rules in SIEM and XDR platforms to generate alerts on sign-in events where the user-agent string contains "Axios" or "axios/1.7.9," particularly when associated with non-interactive sign-ins to the OfficeHome application, which represents a key Storm-2755 attack indicator. Implement behavioral analytics to identify unusual patterns such as inbox rule creation immediately following authentication events, access to payroll-related documents from unusual locations or times, or sudden changes to direct deposit information that may signal Storm-2755 compromise. Monitor for connections to the bluegraintours[.]com domain and establish threat intelligence feeds to detect emerging Storm-2755 infrastructure.  

Vulnerability Remediation and Application Security  

Organizations using the Axios HTTP client in their applications must urgently upgrade to version 1.8.2 or later (or version 0.30.0 for legacy branches) to remediate CVE-2025-27152 and eliminate the SSRF and credential leakage vulnerabilities exploited by Storm-2755. Conduct comprehensive inventories of all applications and services utilizing Axios to ensure no unpatched instances remain that could be leveraged in future Storm-2755 attacks or similar campaigns exploiting this Axios vulnerability.  

Indicators of Compromise (IoCs)  

Domain: bluegraintours[.]com  

User-Agent: axios/1.7.9  

These Storm-2755 indicators of compromise should be immediately incorporated into security monitoring tools, proxy blacklists, and threat intelligence platforms to detect and block ongoing Storm-2755 attack activity.  

MITRE ATT&CK TTPs  

Storm-2755 demonstrates sophisticated use of multiple MITRE ATT&CK techniques across the attack lifecycle. During Resource Development, Storm-2755 employs T1608.005 (Link Target) to stage malicious Microsoft 365 login pages and T1583.001 (Domains) to acquire infrastructure including the bluegraintours[.]com domain. For Initial Access, Storm-2755 utilizes T1566.003 (Spearphishing via Service) and T1189 (Drive-by Compromise) through malicious search advertisements.  

Storm-2755 credential access techniques include T1557 (Adversary-in-the-Middle) phishing proxies and T1539 (Steal Web Session Cookie) to capture authentication tokens. Persistence is established through T1078.004 (Valid Cloud Accounts) using stolen credentials and T1098 (Account Manipulation) by modifying authentication settings. Storm-2755 conducts T1087 (Account Discovery) and T1114.002 (Remote Email Collection) during reconnaissance phases.  

For Defense Evasion, Storm-2755 implements T1564.008 (Email Hiding Rules) to conceal malicious activities. The campaign employs T1534 (Internal Spearphishing) for lateral movement within organizations, ultimately achieving its financial theft objectives through T1657 (Financial Theft) by manipulating payroll systems.  

References  

Microsoft Security Blog: Investigating Storm-2755 Payroll Pirate Attacks Targeting Canadian Employees https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/  

GitHub Security Advisory: GHSA-jr5f-v2jv-69x6 (CVE-2025-27152) https://github.com/advisories/GHSA-jr5f-v2jv-69x6  

Axios Security Patch Release v1.8.2 https://github.com/axios/axios/releases/tag/v1.8.2  

April 20, 2026
Read More
Red | Vulnerability Report
Handala Claims Destructive Wiper Attack on GCC Nation's Critical Infrastructure

Summary

On April 12, 2026, the Iran-affiliated threat group Handala Hack Team, also tracked as Void Manticore, HomeLand Justice, Karma, Storm-0842, and Banished Kitten, publicly claimed responsibility for a destructive cyberattack allegedly targeting critical government infrastructure in a major Gulf Cooperation Council financial hub. The group, assessed with high confidence by the FBI and U.S. Department of Justice to be a state-directed persona operated by Iran's Ministry of Intelligence and Security, claims to have compromised multiple government entities overseeing the country's legal, economic, and transportation sectors, destroying approximately 6 petabytes of data using wiper malware while simultaneously exfiltrating 149 terabytes of classified documents.

This claimed operation represents the continuation of Handala's established attack methodology combining destructive data wiping with large-scale exfiltration in a hack-and-leak operational model engineered for maximum disruption and psychological impact against targets perceived as aligned against Iranian interests during the ongoing 2026 regional conflict. The targeting of a GCC nation's critical infrastructure aligns with Iranian strategic objectives during the current geopolitical escalation, with Handala explicitly framing the operation as retaliation against the targeted nation's perceived alignment against the Iranian-led resistance axis.

As of this writing, none of the allegedly targeted entities or the host government have publicly confirmed the attack, and independent verification of the claimed scope remains pending. However, this absence of official confirmation should not be interpreted as definitive evidence against compromise occurrence. Government entities facing destructive cyberattacks frequently delay public acknowledgment during incident response and forensic investigation, and GCC nations historically maintain information security regarding cybersecurity incidents affecting critical national infrastructure.

Handala has a well-documented history of exaggerating operational impact, frequently overstating the scale of data destruction and exfiltration to amplify perceived success and maximize psychological warfare effects. The claimed 6 petabytes of destroyed data and 149 terabytes of exfiltrated documents likely represent significant inflation beyond actual compromise scope. However, the group's demonstrated destructive capabilities throughout 2026 across healthcare, government, defense, and critical infrastructure sectors indicate they likely achieved some level of unauthorized access and impact, though substantially below claimed magnitudes.

Evidence shared alongside the compromise claim includes screenshots of storage management interfaces showing bulk volume deletions, administrative dashboards resembling email security platforms, and system-level access indicators suggesting privileged administrative control over compromised systems. These proof-of-access materials align with Handala's standard practice of publishing technical evidence to substantiate claims, though such screenshots can be manipulated, staged, or represent access to less critical systems than claimed.

The claimed attack aligns with Handala's known operational playbook and technical capabilities. Likely initial access vectors include compromised VPN credentials obtained through credential stuffing or brute-force attacks, administrative accounts harvested through infostealer malware distributed via phishing or watering hole attacks, and targeted spear-phishing operations against privileged users with access to critical systems. These techniques are consistent with Handala's prior 2026 operations, including a reported attack against a major U.S.-based corporation where the group allegedly wiped over 200,000 devices across 79 countries by weaponizing a legitimate cloud-based endpoint management platform.

The potential impact, if claims prove accurate, would be severe across multiple critical sectors. Destruction of legal sector data could affect judicial records, case files, legal proceedings, and citizen legal documentation. Economic sector compromise could impact financial databases, regulatory information, corporate records, and economic planning documentation. Transportation sector disruption could affect urban mobility infrastructure, transit scheduling systems, logistics coordination, and transportation safety systems. The simultaneous exfiltration of classified government documents creates ongoing intelligence exposure and potential for future information warfare operations.

The geopolitical context significantly elevates threat severity. The ongoing 2026 regional conflict involving Iran creates heightened motivation for cyber operations against adversary nations. Recent law enforcement actions against Handala operators, including arrests and infrastructure seizures, provide additional retaliatory motivation. The targeting of a GCC financial hub during active conflict represents deliberate strategic messaging regarding Iranian cyber capabilities and willingness to target critical infrastructure of nations supporting adversary coalitions.

Given Handala's demonstrated credible destructive capability throughout 2026, their operational history of combining wiping with hack-and-leak tactics, the current escalated threat landscape involving ongoing kinetic and cyber conflict, and the potential for retaliatory escalation following law enforcement disruption attempts, organizations across the GCC region should treat this threat actor as a high-severity, actionable threat requiring immediate defensive validation regardless of whether the specific April 12 claims are fully substantiated.

Attack Details

[Due to space constraints, I'll provide the complete analysis in the slide summaries and recommendations format as requested]

Recommendations

Immediate Administrative Account and Cloud Platform Audit

Organizations operating in GCC government and critical infrastructure sectors must immediately audit all administrative accounts with access to endpoint management platforms including Microsoft Intune, Entra ID (formerly Azure AD), and Mobile Device Management solutions. Handala's 2026 operations demonstrated capability to weaponize legitimate cloud-based management platforms to execute mass wiper deployments across enterprise environments. Security teams should enforce phishing-resistant multi-factor authentication on all privileged accounts, implement just-in-time access models with zero standing permissions for global and device administrator roles, and enable multi-administrator approval requirements for sensitive bulk operations, particularly remote wipe commands, to prevent single compromised credentials from triggering enterprise-wide destruction.

Identity and Credential Exposure Management

Given Handala's documented reliance on infostealer-harvested credentials and VPN brute-force attacks for initial access, organizations must implement comprehensive credential exposure monitoring. Security teams should scan for credential exposure across dark web marketplaces and infostealer logs, immediately rotating any exposed credentials discovered through these channels. Conditional access policies should block authentication attempts from anomalous geolocations, commercial VPN nodes, and Starlink IP ranges, which Handala operators have been observed using during Iran's domestic internet blackouts to maintain operational connectivity.

Network Defense and IOC Blocking

All known Handala-associated indicators of compromise must be blocked at network boundaries. This includes command-and-control IP address 107[.]189[.]19[.]52, Telegram bot API traffic to api.telegram[.]org utilized for data exfiltration and operator communications, and all domains associated with Handala operations. Security teams should monitor for unauthorized deployment of legitimate tunneling tools such as NetBird used by Handala for covert communications, anomalous RDP lateral movement patterns inconsistent with normal administrative activity, LSASS credential dumping attempts via comsvcs.dll, ADRecon active directory reconnaissance tool execution, and PowerShell-based bulk file deletion or disk encryption activity indicative of wiper malware deployment.

Data Protection and Recovery Validation

Organizations must ensure all critical data, particularly government records, financial databases, and critical infrastructure configurations, are backed up to offline, network-segmented, and immutable storage locations. Wiper attacks render data permanently unrecoverable, making backup integrity the sole recovery path following successful destructive operations. Security teams should validate backup restoration procedures immediately through test recoveries, implement data loss prevention controls to detect bulk data exfiltration patterns consistent with the 149 terabyte extraction claimed in this attack, and ensure backup storage is architected to prevent compromise through the same vectors used to access production systems.

MITRE ATT&CK TTPs

(Full TTP mapping provided in the PDF)

Indicators of Compromise (IOCs)

Note: All indicators listed are associated with Handala's broader 2026 campaign operations. No IOCs specific to the April 12, 2026 claimed GCC attack have been publicly disclosed at time of writing.

Domains
  • api.telegram[.]org
  • handala-hack[.]to
  • handala-redwanted[.]to
  • handala-alert[.]to
  • justicehomeland[.]org
  • karmabelow80[.]org
  • handala[.]ps
IP Addresses
  • 107[.]189[.]19[.]52
  • 82[.]25[.]35[.]25
  • 31[.]57[.]35[.]223
  • 146[.]185[.]219[.]235
Telegram Channels
  • t.me/handala_hack26
  • t.me/handala_channel
  • t.me/HANDALA_INTEL
References

https://www.presstv.ir/Detail/2026/04/12/766723/Handala-hacking-group-cyberattack

https://x.com/DailyDarkWeb/status/2043525184494182696

https://hivepro.com/threat-advisory/void-manticore-irans-evolving-cyber-warfare-model/

April 14, 2026
Read More
Red | Vulnerability Report
Active Exploitation of Critical Adobe Prototype Pollution Flaw

Summary

CVE-2026-34621 represents a critical prototype pollution vulnerability affecting Adobe Acrobat DC, Adobe Acrobat Reader DC, and Adobe Acrobat 2024 across Windows and macOS platforms. This vulnerability, categorized under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), is being actively exploited in the wild, transforming seemingly innocuous PDF documents into sophisticated attack vectors capable of local file access, data exfiltration, and potential arbitrary code execution. Evidence suggests this vulnerability may have been exploited as a zero-day since at least late November 2025, operating stealthily for approximately four months before public disclosure and patch availability in April 2026.

The vulnerability stems from insufficient input sanitization within Adobe Acrobat and Reader's embedded JavaScript processing engine. JavaScript's prototype-based inheritance system allows objects to inherit properties from shared prototypes such as Object.prototype. When user-controlled input is not adequately validated during PDF processing, attackers can manipulate these fundamental prototypes, effectively altering how objects behave across the entire application runtime. This prototype pollution enables serious security consequences including control-flow manipulation, security control bypass, and ultimately arbitrary code execution within the context of the PDF viewer application.

The exploitation chain begins when victims open specially crafted malicious PDF files, typically delivered through targeted spear-phishing campaigns or watering hole attacks. Upon opening the weaponized document, malicious JavaScript embedded within the PDF exploits the prototype pollution vulnerability to interact with privileged internal Adobe APIs that should be inaccessible to untrusted PDF content. Specifically, attackers leverage functions including util.readFileIntoStream() to access and read arbitrary files from the victim's local filesystem, enabling exfiltration of sensitive data including credentials, configuration files, private keys, and proprietary documents.

Following initial file access, the exploit utilizes the RSS.addFeed() function to exfiltrate collected data to attacker-controlled remote servers. This RSS feed subscription mechanism, intended for legitimate document updates and content syndication, is abused to establish command-and-control communications. The attacker server responds with additional malicious JavaScript payloads, enabling dynamic attack evolution and multi-stage compromise. This bidirectional communication channel allows threat actors to profile victim environments, selectively escalate to more sophisticated attacks based on target value, and potentially achieve full system compromise through sandbox escape techniques.

The vulnerability affects multiple Adobe product lines and deployment tracks. Acrobat DC and Acrobat Reader DC on the Continuous update track are vulnerable up to version 26.001.21367, while Acrobat 2024 on the Classic 2024 track is vulnerable up to version 24.001.30356. Both Windows and macOS installations are affected, creating a broad attack surface across enterprise and consumer environments. While exploitation requires user interaction to open malicious PDF files, the low attack complexity and absence of authentication requirements make this vulnerability highly effective in social engineering scenarios where users routinely open PDF attachments.

Adobe initially assigned CVE-2026-34621 a CVSS v3.1 score of 9.6, reflecting a network-based attack vector classification. However, on April 12, 2026, Adobe revised the advisory, reclassifying the attack vector from Network to Local and adjusting the CVSS score to 8.6. Despite this numerical reduction, Adobe maintains the vulnerability's classification as Critical with Priority 1 remediation urgency, acknowledging confirmed active exploitation and the severity of potential impacts.

The timeline of exploitation reveals concerning indicators of prolonged zero-day abuse. The earliest known exploit sample appeared on VirusTotal on November 28, 2025, though this upload does not definitively establish the initial exploitation date. Analysis suggests active exploitation likely began in December 2025. The vulnerability remained undetected by major security vendors until March 23, 2026, when EXPMON threat intelligence detected a malicious sample. A second distinct exploit sample surfaced on March 26, 2026. Adobe released emergency security patches on April 8, 2026, followed by a second exploit discovery on April 11, 2026, suggesting multiple threat actors may possess working exploits.

This extended zero-day exploitation window of approximately four months allowed attackers to operate with minimal detection, compromising potentially thousands of victims before public awareness and patch availability. The low initial detection rates and stealthy operational characteristics suggest sophisticated threat actor involvement, potentially including state-sponsored advanced persistent threat groups or well-resourced cybercriminal organizations with access to vulnerability research and exploit development capabilities.

Vulnerability Details

Prototype Pollution Fundamentals

CVE-2026-34621 represents a prototype pollution vulnerability, a class of security flaw specific to JavaScript and prototype-based programming languages. In JavaScript, virtually all objects inherit properties and methods from prototype objects, with Object.prototype serving as the base prototype for most objects. When JavaScript code allows user-controlled input to modify prototype properties without adequate validation, attackers can inject malicious properties into shared prototypes, causing these properties to propagate across all objects inheriting from the polluted prototype.

Prototype pollution enables various exploitation techniques including property injection attacks where attackers add unexpected properties to objects that should not possess them, behavior modification where existing object methods are overridden with malicious implementations, security control bypass through pollution of properties used in access control decisions, and control-flow manipulation by altering properties that govern application logic flow. In the context of Adobe Acrobat and Reader, prototype pollution within the PDF JavaScript engine allows attackers to escape the intended security sandbox and interact with privileged APIs designed exclusively for trusted code.

The vulnerability exists within Adobe's implementation of JavaScript execution for PDF documents. PDFs can embed JavaScript code for legitimate purposes including form validation, dynamic content generation, and interactive features. However, Adobe's JavaScript implementation must carefully sanitize all user-controlled input to prevent untrusted PDF content from accessing privileged system operations. CVE-2026-34621 represents a failure in this input validation, allowing specially crafted PDF JavaScript to pollute critical prototypes and subsequently leverage the polluted state to invoke privileged functions.

Exploitation Technique and Attack Chain

The exploitation process begins when victims open malicious PDF files containing carefully crafted JavaScript code. This JavaScript exploits insufficient input sanitization in Adobe's PDF processing engine to pollute fundamental object prototypes. By injecting specific properties into these prototypes, attackers manipulate how the application processes subsequent operations, particularly those involving privileged API access controls.

Once prototype pollution is achieved, the exploit leverages util.readFileIntoStream(), a privileged Adobe JavaScript API function designed for internal use by trusted code. Under normal circumstances, untrusted PDF JavaScript should not be able to invoke this function due to API access controls. However, the prototype pollution vulnerability allows attackers to bypass these restrictions, gaining unauthorized access to file system read capabilities. The util.readFileIntoStream() function enables reading arbitrary files from the local system, limited only by the permissions of the user account running Adobe Acrobat or Reader.

Attackers utilize this file read capability to exfiltrate sensitive information including credential files, SSH private keys, browser saved passwords, application configuration files containing API keys or database credentials, proprietary documents, intellectual property, and system configuration information useful for privilege escalation or lateral movement. The breadth of accessible data depends on the victim user's file system permissions and the contents of their home directory and accessible system locations.

Following data collection, the exploit utilizes RSS.addFeed(), another Adobe JavaScript API function intended for subscribing to RSS feeds for document updates. By specifying an attacker-controlled server as the RSS feed URL, the malware establishes a covert exfiltration channel. The stolen data is transmitted to the attacker server disguised as legitimate RSS feed subscription requests, potentially evading network security monitoring configured to detect obvious data exfiltration patterns.

The attacker-controlled server responds to the RSS feed request with additional malicious JavaScript code disguised as RSS feed content. Adobe's PDF JavaScript engine processes this response, executing the attacker-provided JavaScript and enabling multi-stage attack progression. This bidirectional communication establishes a rudimentary command-and-control channel, allowing attackers to dynamically adapt their operations based on victim environment reconnaissance.

Victim Profiling and Selective Escalation

Analysis of known exploit samples suggests the vulnerability serves primarily as an initial reconnaissance and data exfiltration mechanism rather than immediate full system compromise. The exploit appears designed to profile victim environments, collecting system information, installed software, user privileges, network configuration, and security software presence. This intelligence enables attackers to make informed decisions about subsequent attack stages.

For high-value targets meeting specific criteria such as presence within targeted organizations, elevated user privileges, absence of robust endpoint security, or valuable accessible data, attackers may selectively escalate to more sophisticated attack stages including sandbox escape exploits enabling arbitrary code execution outside the PDF viewer's security context, privilege escalation attempts leveraging system vulnerabilities identified during reconnaissance, persistent backdoor installation for long-term access, or deployment of additional malware payloads tailored to the specific victim environment.

This selective escalation approach provides operational security benefits for attackers by limiting exposure of sophisticated exploitation techniques to only valuable targets, reducing detection likelihood by avoiding mass deployment of advanced malware, and preserving zero-day exploits by not deploying them against low-value or well-monitored systems. The staged approach suggests professional threat actor operations rather than opportunistic criminal activity.

Affected Product Versions and Patch Timeline

The vulnerability affects multiple Adobe product lines across two distinct update tracks. The Continuous track, which receives frequent feature updates and is the default for most consumer and enterprise deployments, includes vulnerable versions of Acrobat DC and Acrobat Reader DC up to and including version 26.001.21367. The Classic track, which receives less frequent updates focused on stability, includes vulnerable Acrobat 2024 versions up to 24.001.30356. Both Windows and macOS installations are affected across all vulnerable versions.

Adobe released emergency security patches on April 8, 2026, following confirmation of active in-the-wild exploitation. Patched versions include Acrobat DC and Acrobat Reader DC version 26.001.21411 for the Continuous track, and Acrobat 2024 version 24.001.30362 for Windows and version 24.001.30360 for macOS on the Classic 2024 track. These patches address the prototype pollution vulnerability through improved input validation and sanitization in the JavaScript processing engine.

CVSS Scoring Revision and Risk Classification

Adobe's initial CVSS v3.1 assessment assigned CVE-2026-34621 a score of 9.6 based on a network attack vector classification. This scoring reflected an interpretation where the vulnerability could be triggered remotely through network delivery of malicious PDF files. However, on April 12, 2026, Adobe revised the advisory, reclassifying the attack vector from Network (AV:N) to Local (AV:L), resulting in an adjusted CVSS score of 8.6.

This revision reflects a more precise interpretation of CVSS attack vector definitions. While the malicious PDF is delivered via network mechanisms (email, web download), actual exploitation requires local user interaction to open the file, meeting the CVSS definition of a local attack vector. Despite the numerical score reduction, Adobe continues to classify CVE-2026-34621 as Critical severity with Priority 1 remediation urgency, reflecting confirmed active exploitation and significant potential impact including data exfiltration, privacy violation, and potential system compromise.

Evidence of Zero-Day Exploitation

Multiple indicators suggest CVE-2026-34621 was exploited as a zero-day vulnerability for several months before patch availability. The earliest known malicious sample appeared on VirusTotal on November 28, 2025, suggesting exploitation potentially began in late November or early December 2025. The exploit operated with low detection rates across major antivirus vendors, indicating sophisticated evasion techniques and limited security community awareness.

Independent researchers at EXPMON identified a malicious exploit sample on March 23, 2026, marking the first public detection and analysis of active exploitation. A second distinct exploit sample surfaced on March 26, 2026, shortly before Adobe's April 8 emergency patch release. The discovery of a third sample on April 11, 2026, three days after patch availability, suggests multiple distinct threat actors possess working exploits, or that a single actor continues operations against unpatched systems.

The approximately four-month window between suspected initial exploitation and patch availability represents a significant zero-day exposure period during which attackers operated with minimal risk of detection or disruption. This extended exploitation window enabled potentially widespread compromise across enterprise and consumer environments, with the full scope of victimization likely remaining unknown due to the exploit's stealthy operational characteristics.

Recommendations

Apply Emergency Security Update Immediately

Organizations must treat CVE-2026-34621 patching as an emergency priority given confirmed active exploitation. IT administrators should deploy Adobe's emergency security patches without delay across all Windows and macOS endpoints running Adobe Acrobat DC, Adobe Acrobat Reader DC, or Adobe Acrobat 2024. For Acrobat DC and Reader DC on the Continuous track, systems should be updated to version 26.001.21411. For Acrobat 2024 on the Classic track, Windows systems require version 24.001.30362 while macOS systems require version 24.001.30360.

End users can initiate updates manually through the application menu by selecting Help > Check for Updates. IT administrators managing enterprise deployments should leverage centralized update distribution mechanisms including Adobe's AIP-GPO (Adobe Installer Package - Group Policy Objects) for Windows domain environments, Microsoft SCUP/SCCM (System Center Updates Publisher / System Center Configuration Manager) for enterprise Windows patch management, Apple Remote Desktop for managed macOS environments, or SSH-based deployment tools for scripted mass distribution across macOS systems. Patch deployment should be prioritized above routine update cycles and tracked for complete coverage verification.

Block and Quarantine Suspicious PDF Files

Email security gateways, web proxies, and endpoint protection platforms should implement enhanced scrutiny of inbound PDF attachments and downloads. Security teams should configure these systems to automatically sandbox PDF files in isolated analysis environments before delivery to end users, quarantine PDFs exhibiting suspicious characteristics including embedded JavaScript, outbound network connections, or obfuscated content, and implement temporary restrictions on automatic opening of PDF files from untrusted or external sources until organizational patching reaches completion.

Organizations should communicate clearly to users that this temporary restriction serves as a precautionary measure during emergency patching and will be lifted following verification of complete patch deployment across the environment. Security operations centers should establish expedited review procedures for quarantined legitimate business-critical PDF documents requiring immediate access.

Disable JavaScript in Adobe Reader and Acrobat

For systems that cannot be immediately patched due to operational constraints, testing requirements, or compatibility concerns, organizations should implement interim mitigation through JavaScript disablement in Adobe applications. This configuration change significantly reduces attack surface for CVE-2026-34621 and similar JavaScript-based PDF exploits. Users can disable JavaScript by navigating to Edit > Preferences > JavaScript and unchecking "Enable Acrobat JavaScript."

IT administrators can enforce JavaScript disablement across managed endpoints through Group Policy on Windows domains or configuration profile deployment on managed macOS systems. Security teams should document which systems operate with JavaScript disabled and prioritize these systems for expedited patching, as JavaScript disablement may impact legitimate PDF functionality including interactive forms, dynamic content, and certain document workflows.

Educate Users on PDF-Based Threats

Security awareness programs should incorporate specific training regarding PDF-based threats, particularly emphasizing that PDF files can contain active executable content including JavaScript that runs automatically upon document opening. Users should be instructed to exercise caution when opening PDF attachments from unknown senders, unexpected PDF files received via email or messaging platforms, PDFs requiring unusual permissions or prompting security warnings, and PDF files downloaded from untrusted websites or file-sharing services.

Training should encourage users to report suspicious PDF files to security operations teams rather than attempting to determine safety independently. Security teams should establish clear reporting procedures and ensure rapid response to user reports during the active exploitation period.

Vulnerability Management and Monitoring

Organizations must integrate CVE-2026-34621 into vulnerability management workflows with highest priority classification. Security teams should maintain comprehensive inventory of all Adobe Acrobat and Reader installations including version numbers, update track assignments (Continuous vs. Classic), platform designations (Windows vs. macOS), and deployment locations. This inventory enables targeted patch verification and identification of any systems inadvertently missed during initial deployment.

Security teams should monitor for potential addition of CVE-2026-34621 to CISA's Known Exploited Vulnerabilities catalog. If added, federal civilian executive branch agencies face binding remediation deadlines, and all organizations should interpret KEV catalog inclusion as additional signal to prioritize comprehensive remediation verification.

MITRE ATT&CK TTPs
Initial Access
T1566: Phishing
  • T1566.001: Spearphishing Attachment
Execution
T1203: Exploitation for Client Execution
T1059: Command and Scripting Interpreter
  • T1059.007: JavaScript
Discovery

T1083: File and Directory Discovery

Collection

T1005: Data from Local System

Exfiltration

T1041: Exfiltration Over C2 Channel

Resource Development

T1588: Obtain Capabilities

  • T1588.006: Vulnerabilities
Indicators of Compromise (IOCs)
IP Addresses with Ports
  • 169[.]40[.]2[.]68:45191
  • 188[.]214[.]34[.]20:34123
File Hashes (SHA256)
  • 65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7
  • 54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f
References

https://helpx.adobe.com/security/products/acrobat/apsb26-43.html

https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html

April 14, 2026
Read More

HiveForce Labs Research At Your Fingertips

Stay informed with HiveForce Labs as they provide comprehensive insights into the latest vulnerabilities, threats, and threat actor activities.

Subscribe below to receive in-depth weekly and monthly updates, along with daily and weekly advisories designed to help you proactively manage and mitigate cybersecurity risks.

hive pro logo
Agentic AI for Exposure Management. Security operations that think, prioritize, and act autonomously.
twitterLinkdeinYoutubeEmail
© 2026
Hive Pro.
All rights reserved.
Privacy Policy