Re | Vulnerability

Oracle PeopleSoft Under Siege: Zero-Day CVE-2026-35273 Fuels ShinyHunters Intrusions

CVE-2026-35273: Oracle PeopleSoft Zero-Day Exploited by ShinyHunters | Threat Advisory TA2026165

HiveForce Labs · Threat Advisory · Vulnerability Report

Oracle PeopleSoft Under Siege: Zero-Day CVE-2026-35273 Fuels ShinyHunters Intrusions

A critical zero-day remote code execution vulnerability — CVE-2026-35273 — in Oracle PeopleSoft Enterprise PeopleTools was actively exploited in the wild by the ShinyHunters (UNC6240) threat actor before Oracle's June 10, 2026 security patch. Classified under CWE-306 (Missing Authentication for Critical Function), the flaw requires no credentials and allows full system takeover over HTTP. More than 100 organizations were targeted, with breaches confirmed across the higher education sector, stolen data exfiltrated, and extortion messages deployed. Patch immediately via Oracle's Security Alert.

⚠ Threat Level: Red CVE-2026-35273 Zero-Day · Exploited in Wild RCE · No Auth Required CWE-306 · Missing Auth Threat Actor: ShinyHunters / UNC6240 Oracle PeopleSoft PeopleTools 8.61 / 8.62 Patch: Oracle Security Alert Jun 10, 2026 Published: June 12, 2026

CVE ID

CVE-2026-35273

TA Number

TA2026165

Threat Level

Red

Zero-Day

Yes

Affected Versions

PeopleTools 8.61, 8.62

CWE

CWE-306

Threat Actor

ShinyHunters (UNC6240)

First Seen

May 27, 2026

Admiralty Code

A1

100+

Organizations Alerted
after internet scan

14 days

Zero-Day Window
May 27 – June 9, 2026

0

Credentials Required
for exploitation via HTTP

High

CIA Impact Rating
Confidentiality · Integrity · Availability

01 — Overview

Summary

CVE-2026-35273 is a critical zero-day remote code execution (RCE) vulnerability in Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, affecting the Updates Environment Management component. Classified as CWE-306 (Missing Authentication for Critical Function), the flaw can be exploited remotely over HTTP with no valid credentials required, enabling an unauthenticated threat actor to gain full control of a vulnerable PeopleTools instance and achieve complete system compromise.

The vulnerability was actively exploited as a zero-day between May 27 and June 9, 2026 — a 14-day window before Oracle released its security alert on June 10, 2026. The campaign has been attributed to the ShinyHunters threat actor group (also tracked as UNC6240). More than 100 organizations with vulnerable internet-facing PeopleSoft systems were identified and alerted, with a significant concentration in the higher education sector. While some organizations successfully blocked the intrusion attempts, others suffered confirmed data breaches, with stolen data subsequently published on the ShinyHunters data leak site.

The campaign highlights how a single exposed Oracle PeopleSoft instance with the Environment Management Hub (PSEMHUB) or Integration Broker endpoints accessible from the internet can serve as the entry point for a full-scale enterprise compromise — including lateral movement via SSH credential spraying, data exfiltration, and extortion operations.

02 — CVE Reference

CVE Details

CVE ID	Vulnerability Name	Affected Products	Affected CPE	CWE ID	Zero-Day	CISA KEV	Patch
`CVE-2026-35273`	Oracle PeopleSoft PeopleTools Remote Code Execution Vulnerability	Oracle PeopleSoft Enterprise PeopleTools (versions `8.61`, `8.62`)	`cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools::::::::`	`CWE-306`	✓ Yes	✗ No	✓ Yes

03 — Technical Analysis

Vulnerability Details

The five stages below document the complete technical anatomy of CVE-2026-35273 — from the authentication bypass flaw in Oracle PeopleSoft's Updates Environment Management component through to the full post-exploitation intrusion chain attributed to ShinyHunters (UNC6240).

#1

Critical RCE via Missing Authentication — CWE-306 in Updates Environment Management

CVE-2026-35273 is a critical remote code execution vulnerability affecting the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools. Classified as CWE-306 (Missing Authentication for Critical Function), it can be exploited remotely over HTTP without any valid credentials. A successful attack allows an unauthenticated attacker to gain control of the vulnerable PeopleTools instance, potentially resulting in complete system compromise with high impact across confidentiality, integrity, and availability.

#2

Attack Chain — SSRF Bypass via PSEMHUB and Integration Broker Endpoints

Real-world attack analysis confirms that threat actors specifically targeted the Environment Management Hub (PSEMHUB) and Integration Broker Listening Connector endpoints. The attack chain leverages Server-Side Request Forgery (SSRF) techniques to bypass access controls by manipulating internal or loopback addresses through request headers and parameters. In some observed cases, attackers triggered outbound SMB connections to capture Windows NetNTLM credential hashes. Persistence was established by planting malicious XML files that execute through XMLDecoder when the PeopleSoft application restarts.

#3

Affected Scope — PeopleTools 8.61 and 8.62; Older Unsupported Versions Likely Vulnerable

The vulnerability directly affects supported Oracle PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. Oracle has indicated that older, unsupported releases are also likely vulnerable. Oracle PeopleSoft Enterprise Applications customers may additionally be impacted. Despite the CVSS scope remaining unchanged, the flaw carries severe consequence ratings across all three CIA pillars — confidentiality, integrity, and availability — enabling attackers to fully compromise targeted PeopleSoft environments without restriction.

#4

Zero-Day Exploitation by ShinyHunters (UNC6240) — 100+ Organizations Targeted

Evidence confirms active zero-day exploitation before Oracle's June 10, 2026 security alert. The campaign is attributed to ShinyHunters (UNC6240), which targeted organizations between May 27 and June 9, 2026 — a 14-day unpatched window. More than 100 organizations were alerted after internet scanning identified vulnerable exposed systems, with a significant concentration in the higher education sector. While some organizations blocked the attacks, others sustained confirmed breaches. Stolen data was subsequently published on the ShinyHunters data leak site in support of the group's extortion operations.

#5

Post-Exploitation — MeshCentral RAT, SSH Spraying, Data Exfiltration & Extortion

Post-exploitation activity reveals a highly organized intrusion operation. Attackers deployed multiple staging servers hosting customized MeshCentral remote management tools disguised as legitimate Microsoft Azure services (filenames: meshagent32-azure-ops.exe, meshagent64-azure-ops.exe, meshagent64-v2.exe). Using these systems, they enumerated Oracle PeopleSoft environments, gathered configuration data, mapped internal networks, and executed lateral movement. Automated scripts sprayed SSH credentials against internal systems, deployed extortion ransom notes (README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT), and collected sensitive data that was compressed and exfiltrated to infrastructure linked to the ShinyHunters public leak site.

04 — Mitigations

Recommendations

The following prioritized mitigations must be applied immediately to all Oracle PeopleSoft deployments. Given active exploitation by ShinyHunters (UNC6240) and confirmed breaches, patching via Oracle's Security Alert is the only complete remediation for CVE-2026-35273.

01

Apply Oracle's Security Alert for CVE-2026-35273 Without Delay

Install the mitigations and patches referenced in Oracle's Security Alert for CVE-2026-35273 via the PeopleSoft Patch Availability Document immediately. Because this vulnerability is remotely exploitable without authentication and can result in full system takeover, Oracle classifies remediation as a high-priority risk reduction measure. Maintain actively supported PeopleTools versions and apply all Critical Patch Updates, Critical Security Patch Updates, and Security Alerts as they are released to prevent future zero-day exposure.

02

Disable or Remove the Environment Management Hub (PSEMHUB)

In multi-server configurations, disable the Environment Management Hub (EMHub) service. In single-server configurations, completely remove the PSEMHUB application as advised by Oracle's guidance. Restricting these endpoints is non-breaking for standard end-user operations — EMHub and the Integration Broker Listening Connector are administrative or system-to-system components not required for core user-facing PeopleSoft Internet Architecture browser sessions.

03

Block External Network Access to Vulnerable Endpoints at the Perimeter

If disabling the EMHub service is not immediately possible, block external network access to /PSEMHUB/ (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Do not rely solely on Web Application Firewall body-inspection rules to enforce this restriction — the SSRF techniques used in real-world CVE-2026-35273 exploitation can bypass WAF controls.

04

Monitor Logs and Network Telemetry for Active Exploitation Indicators

Audit PIA WebLogic access logs for HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector originating from external or untrusted source IPs. Analyze listening connector requests for loopback addresses (127.0.0.1, localhost, ::1) or internal IP ranges in headers or parameters, which signal SSRF exploitation attempts. Monitor outbound firewall logs and NetFlow data for outbound SMB traffic on TCP port 445 from PeopleSoft hosts to untrusted external destinations, which may indicate NetNTLM hash-capture attempts linked to ShinyHunters (UNC6240) TTPs.

05 — Threat Intelligence

Indicators of Compromise (IoCs)

The following indicators are associated with the ShinyHunters (UNC6240) exploitation campaign targeting Oracle PeopleSoft CVE-2026-35273. Block these across endpoint, network, and DNS controls immediately.

Type	Value
IPv4	`142[.]11[.]200[.]186` `142[.]11[.]200[.]187` `142[.]11[.]200[.]188` `142[.]11[.]200[.]189` `142[.]11[.]200[.]190`
Domain	`azurenetfiles[.]net`
SHA256	`2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35` `f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc` `d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f` `c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f` `68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309`
Filenames	`.bash_history` `meshagent32-azure-ops.exe` `meshagent64-azure-ops.exe` `meshagent64-v2.exe` `meshagent` `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` `[victim_abbreviation]_fanout.sh`

06 — MITRE ATT&CK Framework

MITRE ATT&CK TTPs

The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with the ShinyHunters (UNC6240) exploitation of CVE-2026-35273 against Oracle PeopleSoft Enterprise PeopleTools.

Tactic	Technique ID	Sub-technique ID	Description
Initial Access	`T1190`	—	Exploit Public-Facing Application — unauthenticated RCE via `CVE-2026-35273` targeting internet-exposed `PSEMHUB` and Integration Broker endpoints in Oracle PeopleSoft Enterprise PeopleTools
Execution	`T1059`	`T1059.004` — Unix Shell	Command and Scripting Interpreter — automated scripts including `[victim_abbreviation]_fanout.sh` used to spray SSH credentials against internal systems, deploy extortion messages, and collect data
Defense Evasion	`T1036`	`T1036.005` — Match Legitimate Name or Location	Masquerading — MeshCentral remote access tools disguised as legitimate Microsoft Azure services using filenames `meshagent32-azure-ops.exe` and `meshagent64-azure-ops.exe` and the domain `azurenetfiles[.]net`
Discovery	`T1018`	—	Remote System Discovery — internal network mapping and Oracle PeopleSoft environment enumeration performed post-compromise to support lateral movement
Discovery	`T1083`	—	File and Directory Discovery — configuration details gathered from compromised PeopleSoft systems to support data collection and lateral movement operations
Lateral Movement	`T1021`	`T1021.004` — SSH	Remote Services — automated SSH credential spraying against internal systems across compromised enterprise infrastructure to expand attacker access
C2	`T1219`	—	Remote Access Software — customized MeshCentral remote management tools deployed on staging servers to maintain persistent command-and-control access across compromised networks
C2	`T1071`	`T1071.001` — Web Protocols	Application Layer Protocol — MeshCentral C2 communications using web protocols, with infrastructure masquerading as Microsoft Azure services via `azurenetfiles[.]net`
Collection	`T1560`	`T1560.001` — Archive via Utility	Archive Collected Data — stolen data compressed using archive utilities prior to exfiltration from compromised Oracle PeopleSoft environments
Exfiltration	`T1048`	—	Exfiltration Over Alternative Protocol — compressed stolen data transferred to ShinyHunters-controlled infrastructure linked to the group's public data leak site for extortion and public disclosure
Impact	`T1491`	`T1491.001` — Internal Defacement	Defacement — extortion ransom note `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` deployed on compromised systems as part of ShinyHunters' extortion campaign
Impact	`T1657`	—	Financial Theft — exfiltrated sensitive organizational data leveraged for extortion demands; stolen data published on ShinyHunters data leak site to pressure victims into compliance

07 — Patch Resources

Patch Links

08 — Sources

References

June 15, 2026

Red | Vulnerability

HTTP/2 Bomb CVE-2026-49975: A Flaw Detonates Apache HTTP Server

CVE-2026-49975: HTTP/2 Bomb — Apache HTTP Server DoS Vulnerability | Threat Advisory TA2026164

HiveForce Labs · Threat Advisory

HTTP/2 Bomb CVE-2026-49975: A Flaw Detonates Apache HTTP Server

A remote, unauthenticated denial-of-service vulnerability in Apache HTTP Server's mod_http2 module — tracked as CVE-2026-49975 — combines an HPACK compression bomb with a flow-control stall to exhaust server memory at a 4,000:1 amplification ratio. A single attacker on a 100 Mbps connection can consume 32 GB of server memory in approximately 18 seconds, rendering internet-facing Apache instances inaccessible. Proof-of-concept code is already public. Patch to mod_http2 v2.0.41 immediately.

⚠ Threat Level: Red CVE-2026-49975 CWE-400 · Uncontrolled Resource Consumption Apache HTTP Server · mod_http2 DoS · Memory Exhaustion Patch Available: mod_http2 v2.0.41 PoC Public: June 2, 2026 Published: June 12, 2026

CVE ID

CVE-2026-49975

TA Number

TA2026164

Threat Level

Red

Affected Product

Apache HTTP Server mod_http2

Fixed Version

mod_http2 v2.0.41

CWE

CWE-400

Attack Type

DoS · Memory Exhaustion

First Seen

June 2, 2026

Admiralty Code

A1

4,000:1

Memory Amplification Ratio
per empty cookie stream

~18 sec

Time to exhaust 32 GB
Apache httpd 2.4.67 (single client)

100 Mbps

Minimum connection needed
to render server inaccessible

01 — Overview

Summary

CVE-2026-49975 represents a direct and immediate threat to the availability of internet-facing Apache HTTP Server deployments with HTTP/2 enabled. The vulnerability, classified under CWE-400 (Uncontrolled Resource Consumption), is not a misconfiguration — it abuses default HTTP/2 protocol behavior, meaning any exposed Apache instance running mod_http2 prior to version v2.0.41 is potentially vulnerable with no additional preconditions.

The most damaging operational outcome is not necessarily an outright server crash. An attacker can deliberately hold memory pressure just below the out-of-memory kill threshold to push the host into swap thrashing, degrading every workload on the machine rather than triggering a clean worker respawn. With proof-of-concept code publicly available since June 2, 2026, the barrier to exploitation is critically low. The resulting outages of public websites, APIs, and gateways carry meaningful service-disruption, reputational, and financial consequences.

The sibling vulnerabilities affecting other HTTP/2 implementations have received separate identifiers: Envoy (CVE-2026-47774) and Microsoft IIS (CVE-2026-49160). Cloudflare reports its existing architecture already mitigates the attack. This advisory covers only the Apache HTTP Server (mod_http2) variant, CVE-2026-49975, disclosed to Apache on May 27, 2026.

02 — CVE Details

CVE Reference

CVE ID	Vulnerability Name	Affected Products	Affected CPE	CWE ID	Zero-Day	CISA KEV	Patch
`CVE-2026-49975`	HTTP/2 Bomb (Apache HTTP Server Denial-of-Service Vulnerability)	Apache HTTP Server (`httpd`) with `mod_http2` and HTTP/2 enabled, prior to `mod_http2 v2.0.41` (e.g., `2.4.67`)	`cpe:2.3:a:apache:http_server::::::::`	`CWE-400`	✗ No	✗ No	✓ Yes

03 — Technical Analysis

Vulnerability Details

The HTTP/2 Bomb attack combining HPACK compression exploitation with a flow-control stall creates a novel and highly efficient memory-exhaustion vector in Apache HTTP Server. The five stages below document the complete attack mechanics of CVE-2026-49975.

#1

The HTTP/2 Bomb — HPACK Compression Bomb + Flow-Control Stall

The HTTP/2 Bomb, discovered via the OpenAI Codex agent, combines two known techniques into a single efficient memory-exhaustion attack against Apache HTTP Server. The first component is an HPACK compression bomb: HTTP/2's HPACK scheme allows a client to reference a stored header with a single wire byte, which the server must expand into a full allocated header copy — so one wire byte becomes one full server-side allocation, repeated thousands of times per request. The second component is a flow-control stall: the client advertises a zero-byte flow-control window, preventing the server from ever completing a response, then drips one-byte WINDOW_UPDATE frames to keep the connection alive and hold all allocated memory in place indefinitely. The flaw affects the default HTTP/2 configuration of most major web servers including nginx, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora.

#2

CVE-2026-49975 Scope — Apache mod_http2 and Sibling CVEs

This advisory focuses specifically on CVE-2026-49975, the Apache HTTP Server (mod_http2) instance of the HTTP/2 Bomb flaw, which was disclosed to Apache on May 27, 2026. Related implementations of the same class of vulnerability received separate CVE identifiers: Envoy received CVE-2026-47774 and Microsoft IIS received CVE-2026-49160. Cloudflare has stated its existing infrastructure architecture already blocks the attack without a patch. Organizations running any of these products should verify the relevant advisory for their specific environment.

#3

Novel Amplification Mechanism — Empty Header Per-Entry Overhead Bypass

What distinguishes this attack from prior HPACK compression bombs is the source of amplification. Earlier HPACK bomb techniques stored a large header value and referenced it repeatedly — a known pattern that servers mitigated by capping total decoded header size. This attack inverts that approach: the referenced header is nearly empty, and memory damage comes from the per-entry overhead the server allocates around each reference. Because there is almost nothing to decode, the existing decoded-header size cap never triggers, rendering the established defense ineffective against CVE-2026-49975.

#4

Apache-Specific Severity — Cookie Crumb Handling & LimitRequestFields Bypass

The impact on Apache HTTP Server is especially severe due to its cookie handling behavior. HTTP/2 allows a cookie to be split into many small fragments called "crumbs." Apache rebuilds the entire merged cookie string on every individual crumb received, while leaving each older in-progress copy in memory until the stream closes. Critically, these cookie crumbs are not counted against the LimitRequestFields limit — the exact control designed to stop the original HPACK bomb — creating a complete bypass. The result is approximately 4,000:1 memory amplification even with an empty cookie. In testing against Apache httpd 2.4.67, a single attacker client consumed and held approximately 32 GB of server memory in roughly 18 seconds.

#5

Exploitation Status — Public PoC Available, Short Gap to Active Exploitation

As of this advisory, there is no confirmed evidence of exploitation in the wild, and no specific threat actor or malware family has been attributed to CVE-2026-49975. However, working proof-of-concept code became publicly available on June 2, 2026, and the public fix commits in the Apache repository directly reveal the exploit technique. The gap between public disclosure and a deployable weapon is now critically short. The official fix ships in mod_http2 v2.0.41, which enforces that cookie crumbs count against the LimitRequestFields limit, closing the bypass that enables the 4,000:1 amplification.

04 — Mitigations

Recommendations

The following prioritized mitigations should be applied to all Apache HTTP Server instances with HTTP/2 enabled. Patching is the only complete remediation for CVE-2026-49975; all other measures are partial stopgaps.

01

Update mod_http2 to v2.0.41 Immediately — Only Complete Remediation

Upgrade to mod_http2 v2.0.41 or later, available from the standalone mod_http2 releases. This version contains the official fix that makes cookie headers count against the LimitRequestFields limit, closing the amplification bypass. Patching is the only complete remediation for CVE-2026-49975 and must be treated as a priority for any Apache HTTP Server terminating HTTP/2 traffic from the internet — especially given that proof-of-concept code is already public.

02

Disable HTTP/2 Where Immediate Patching Is Not Possible

If upgrading mod_http2 cannot be completed in the short term, mitigate exposure immediately by setting Protocols http/1.1 in the Apache server configuration to disable HTTP/2. This removes the HTTP/2 Bomb attack surface entirely, at the cost of HTTP/2 performance benefits. This measure should be treated strictly as a temporary stopgap until mod_http2 v2.0.41 is deployed.

03

Apply Partial Hardening on Unpatched Servers via Memory Caps and Stream Limits

Lowering LimitRequestFieldSize reduces the per-stream blast radius by capping the merged cookie size and therefore the usable crumb count. This is a partial mitigation only — an attacker can still multiply the effect across many streams and connections. As a supplemental safety net, cap per-worker memory using cgroups, ulimit -v, or container resource limits tight enough that a bombed worker is OOM-killed and respawned before it drags the host into swap thrashing. Ensure stalled streams have a bounded lifetime regardless of WINDOW_UPDATE activity. Note: lowering LimitRequestFields alone provides no protection on unpatched versions, since duplicate cookie crumbs are not counted against it.

04

Front Internet-Facing Apache Servers with a Reverse Proxy or WAAP Layer

Place internet-facing Apache HTTP Server instances behind a reverse proxy, gateway, web application and API protection (WAAP) service, or Layer 7 load balancer that terminates public HTTP/2 sessions and enforces a hard cap on the number of header fields per request — including cookie crumbs — independent of their total decoded size. Combine this architecture with strict access controls that prevent direct connections to the origin Apache server from the public internet.

05 — MITRE ATT&CK Framework

MITRE ATT&CK TTPs

The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with exploitation of CVE-2026-49975 in Apache HTTP Server.

Tactic	Technique ID	Sub-technique ID	Description
Initial Access	`T1190`	—	Exploit Public-Facing Application — attacker sends crafted HTTP/2 requests to internet-exposed Apache HTTP Server instances with `mod_http2` enabled
Execution	`T1059`	—	Command and Scripting Interpreter — publicly available proof-of-concept scripts used to send HPACK compression bomb requests with flow-control stalls against vulnerable Apache targets
Impact	`T1499`	`T1499.003` — Application Exhaustion Flood	Endpoint Denial of Service — HTTP/2 HPACK compression bomb with cookie crumb amplification exhausts Apache worker memory; 4,000:1 ratio achieved with a single client connection
Impact	`T1499`	`T1499.001` — OS Exhaustion Flood	Endpoint Denial of Service — sustained memory pressure via zero-byte flow-control windows and `WINDOW_UPDATE` drip pushes host into swap thrashing, degrading all system workloads

06 — Patch Resources

Patch Links

07 — Sources

References

June 15, 2026

Amber | Attack

MLTBackdoor: ClickFix to Ransomware Foothold

MLTBackdoor: ClickFix to Ransomware Foothold | Threat Advisory TA2026163

HiveForce Labs · Threat Advisory · Attack Report ·

MLTBackdoor: ClickFix to Ransomware Foothold

A newly identified post-exploitation backdoor, MLTBackdoor, is being deployed by a likely ransomware-linked threat actor via a multi-stage ClickFix social engineering chain. The malware sideloads through a legitimate Microsoft Defender binary, uses RC4-encrypted payloads, a date-based Domain Generation Algorithm for resilient C2 communications, and a built-in Beacon Object File (BOF) loader for fileless in-memory post-exploitation — targeting Windows systems globally.

⚠ Threat Level: Amber Malware: MLTBackdoor Attack Type: ClickFix · DLL Sideload · BOF Platform: Windows Scope: Worldwide First Seen: 2026 Admiralty Code: A1 Published: June 11, 2026

TA Number

TA2026163

First Seen

2026

Threat Level

Amber

Target Platform

Windows

Target Regions

Worldwide

Malware Family

MLTBackdoor

C2 Protocol

TLS / Port 443

Encryption

RC4 · AES-256-GCM

Admiralty Code

A1

01 — Overview

Summary

MLTBackdoor is a sophisticated post-exploitation malware family first identified in 2026, believed to be operated by a ransomware-linked threat actor targeting Windows systems on a global scale. The malware is notable for its multi-stage ClickFix infection chain, heavy anti-analysis capabilities, and a built-in Beacon Object File (BOF) loader that enables fileless, in-memory execution of additional post-exploitation modules — a hallmark of ransomware pre-staging operations.

The MLTBackdoor infection chain begins with a social engineering lure hosted on an automotive-themed website. Victims are deceived into manually copying and pasting malicious commands, which triggers a headless conhost.exe process. This process downloads a compressed archive from a domain generated by a daily Domain Generation Algorithm (DGA), decrypts an RC4-encrypted payload (data.bin), and sideloads the backdoor through the legitimate, signed Microsoft Defender executable mpextms.exe — a sophisticated DLL sideloading technique designed to evade detection.

Once active, MLTBackdoor communicates with its command-and-control (C2) server over TLS on port 443, disguising traffic as legitimate Microsoft telemetry using the Microsoft-DeliveryOptimization/10.1 User-Agent. It employs ECDH key exchange and AES-256-GCM encryption, with a date-based DGA generating fresh C2 domains daily to maintain resilient infrastructure. The malware's BOF loader capability allows ransomware-linked operators to deploy custom modules directly in memory, leaving minimal forensic artifacts on disk.

02 — Attack Details

Attack Details

The MLTBackdoor attack chain unfolds across five distinct stages, combining social engineering, encrypted payload delivery, DLL sideloading, and in-memory execution to establish a persistent, stealthy ransomware foothold on Windows systems.

#1

Social Engineering via ClickFix — No Software Exploit Required

MLTBackdoor is delivered entirely through user interaction rather than a software vulnerability. The malware relies on social engineering via a ClickFix lure, demonstrating how ransomware-linked threat actors continue to exploit human behavior for initial access to Windows environments. The absence of a CVE-based exploit makes conventional patch-based defenses insufficient.

#2

ClickFix Infection Chain — DGA Delivery & DLL Execution

The infection originates on an automotive-themed website hosting the ClickFix lure. Victims are tricked into copying and executing malicious content, which spawns a headless conhost.exe process. This process creates a temporary directory, retrieves a compressed archive from a DGA-generated domain, extracts data.bin and endpointdlp.dll, and executes the malicious DLL via rundll32. The DLL acts as a first-stage loader for the MLTBackdoor payload.

#3

RC4 Decryption, Self-Update & DLL Sideloading via mpextms.exe

endpointdlp.dll decrypts the RC4-encrypted data.bin to deploy MLTBackdoor. The malware performs a self-update, then disguises itself by sideloading through the legitimate, signed Microsoft Defender binary mpextms.exe. To defeat analysis, it employs Mixed Boolean-Arithmetic (MBA) and Control Flow Flattening (CFF) obfuscation, dynamically resolves APIs and system calls using DJB2 hashing, and leverages Hell's Gate-style indirect syscalls to bypass user-mode API hooks and evade security monitoring.

#4

Anti-Analysis Evasion & BOF Loader for In-Memory Post-Exploitation

MLTBackdoor incorporates extensive anti-analysis routines that check for virtual machines, debuggers, sandbox artifacts, low-memory environments, and other analysis system indicators. Uniquely, rather than halting upon detection, it reports these findings back to its C2 server. Its most significant capability is a built-in Beacon Object File (BOF) loader, enabling operators to execute custom post-exploitation modules entirely in memory — without writing files to disk — a technique directly consistent with ransomware pre-staging and lateral movement operations.

#5

Encrypted C2 Communications — DGA Resilience & Microsoft Telemetry Masquerade

MLTBackdoor communicates with its C2 infrastructure via a custom encrypted protocol over TLS on port 443, masquerading as Microsoft telemetry traffic using the Microsoft-DeliveryOptimization/10.1 User-Agent and the fixed URL path /api/v1/telemetry. Communications are secured with ECDH key exchange and AES-256-GCM encryption. A date-based DGA generates fresh domains daily to ensure C2 continuity if primary infrastructure is disrupted. In one observed case, the same DGA domain served both as a malware delivery endpoint and a C2 channel, highlighting the tightly integrated and resilient nature of MLTBackdoor's infrastructure.

03 — Mitigations

Recommendations

Security teams should implement the following prioritized mitigations to detect, disrupt, and prevent MLTBackdoor infections and ClickFix-based ransomware delivery chains across Windows environments.

01

Block Known MLTBackdoor Indicators Immediately

Immediately block all SHA256 hashes, C2 domains, and the update URL identified in the Indicators of Compromise section across endpoint, network, and DNS controls. This stops active beaconing and halts payload retrieval from MLTBackdoor-associated infrastructure.

02

Disrupt ClickFix Social Engineering at the User Layer

Educate users that legitimate websites never require copying and pasting commands into the Windows Run dialog or a terminal. Deploy technical controls that flag or block clipboard-to-shell execution patterns. Treat any clipboard-initiated shell execution as a high-risk behavior warranting immediate investigation.

03

Monitor for DLL Sideloading Abuse via Microsoft Defender Binaries

Watch specifically for mpextms.exe sideloading a DLL named endpointdlp.dll. Broaden monitoring to detect any trusted Microsoft Defender binaries loading DLLs from user-writable or temporary directories — a strong indicator of DLL sideloading abuse characteristic of MLTBackdoor's execution technique.

04

Inspect Outbound TLS Traffic on Port 443 for MLTBackdoor C2 Patterns

Flag TLS connections to the fixed URL path /api/v1/telemetry and outbound requests using the Microsoft-DeliveryOptimization/10.1 User-Agent to atypical or newly registered domains. MLTBackdoor specifically uses these patterns to disguise malicious C2 traffic as legitimate Microsoft telemetry.

05

Counter the Domain Generation Algorithm with Proactive DGA Detection

Because the MLTBackdoor DGA generates a new C2 domain daily, static domain blocklists alone are insufficient. Supplement with detection logic for newly registered and algorithmically generated domains. Integrate the published DGA tooling into proactive blocking workflows where operationally feasible to stay ahead of the daily rotation.

06

Prioritize Kernel-Level & ETW-Based Detection Over API Hooking

Since MLTBackdoor uses Hell's Gate-style indirect system calls to bypass user-mode API hooks, endpoint detection that relies solely on inline API hooking will be ineffective. Prioritize kernel-level telemetry, ETW (Event Tracing for Windows)-based detection, and behavioral analytics to surface MLTBackdoor's evasive execution patterns despite its active evasion techniques.

04 — Threat Intelligence

Indicators of Compromise (IoCs)

The following indicators are associated with MLTBackdoor infrastructure, payload delivery, and C2 communications. Block these across endpoint, network, and DNS controls immediately.

Type	Value
SHA256	`1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984` `46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93` `9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66` `ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec` `1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf` `2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494` `d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b`
Domains	`hrs2y15sungu[.]com` `carrolc[.]com` `cwrtwright[.]com` `thomphon[.]com`
URL	`hxxps[:]//powwowski[.]com/payloads/update[.]zip`

05 — MITRE ATT&CK Framework

MITRE ATT&CK TTPs

The following MITRE ATT&CK tactics, techniques, and sub-techniques have been identified in association with the MLTBackdoor ClickFix ransomware foothold campaign.

Tactic	Technique ID	Sub-technique ID	Description
Initial Access	`T1566`	—	Phishing — ClickFix lure on automotive-themed website delivers initial infection
Execution	`T1204`	`T1204.001` — Malicious Link	User Execution — victim manually copies and executes malicious clipboard content
Execution	`T1059`	`T1059.003` — Windows Command Shell	Command and Scripting Interpreter — headless `conhost.exe` and `rundll32` used to execute the DLL payload
Execution	`T1106`	—	Native API — direct system calls used via Hell's Gate-style indirect syscalls
Defense Evasion	`T1574`	`T1574.001` — DLL	Hijack Execution Flow — `endpointdlp.dll` sideloaded via legitimate signed `mpextms.exe` Microsoft Defender binary
Defense Evasion	`T1027`	`T1027.007` — Dynamic API Resolution	Obfuscated Files or Information — MBA, Control Flow Flattening, and DJB2-based dynamic API resolution used to hinder analysis
Defense Evasion	`T1106`	—	Native API — indirect syscalls bypass user-mode security hooks
Defense Evasion	`T1497`	—	Virtualization/Sandbox Evasion — checks for VM, sandbox, and low-memory indicators; results reported to C2
Defense Evasion	`T1622`	—	Debugger Evasion — active anti-debugging routines deployed to hinder reverse engineering
Defense Evasion	`T1620`	—	Reflective Code Loading — BOF loader executes post-exploitation modules in memory without touching disk
C2	`T1071`	`T1071.001` — Web Protocols	Application Layer Protocol — C2 traffic sent over TLS port `443` masquerading as Microsoft telemetry
C2	`T1573`	`T1573.002` — Asymmetric Cryptography	Encrypted Channel — ECDH key exchange used to establish encrypted C2 sessions
C2	`T1573`	`T1573.001` — Symmetric Cryptography	Encrypted Channel — AES-256-GCM symmetric encryption used for C2 payload confidentiality
C2	`T1568`	`T1568.002` — Domain Generation Algorithms	Dynamic Resolution — date-based DGA generates daily C2 domains; same DGA domain observed for both delivery and C2
C2	`T1105`	—	Ingress Tool Transfer — compressed payload archive downloaded from DGA-generated delivery domains
Discovery	`T1057`	—	Process Discovery — malware enumerates running processes as part of anti-analysis and environment fingerprinting
Discovery	`T1082`	—	System Information Discovery — system info gathered to detect VMs, sandboxes, and analysis environments
Discovery	`T1083`	—	File and Directory Discovery — malware performs file system enumeration as part of post-exploitation reconnaissance
Exfiltration	`T1041`	—	Exfiltration Over C2 Channel — data and anti-analysis findings exfiltrated via the existing encrypted C2 connection
Impact	`T1486`	—	Data Encrypted for Impact — consistent with ransomware-linked operations; BOF loader enables in-memory ransomware module deployment

06 — Sources

References

https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor

June 15, 2026

Red | Vulnerability

Microsoft’s June 2026 Patch Tuesday

Microsoft June 2026 Patch Tuesday | HiveForce Labs TA2026162

HiveForce Labs · Threat Advisory · Vulnerability Report

Microsoft's June 2026 Patch Tuesday

Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities (204 Microsoft + 2 non-Microsoft) including 39 critical and 167 important severity issues. Fifteen CVEs are at risk of active exploitation. The headline flaw is CVE-2026-47291 — an unauthenticated HTTP.sys remote code execution bug with CVSS 9.8 triggerable by a single crafted packet. Three publicly disclosed zero-days are included: an HTTP/2 denial-of-service, a CTFMON privilege escalation matching the public "GreenPlasma" exploit, and a BitLocker bypass matching "YellowKey."

Threat Level: Red 206 CVEs Patched 39 Critical 3 Publicly Disclosed Zero-Days 15 CVEs at Exploitation Risk Published: June 10, 2026 Admiralty Code: A1

Total CVEs206 (204 MS + 2 non-MS)

Critical39

Important167

At Exploitation Risk15 CVEs

Zero-Days (Disclosed)3

Headline FlawCVE-2026-47291 (CVSS 9.8)

Top ImpactRCE, EoP, DoS, SFB, Spoofing

Named ExploitsGreenPlasma, YellowKey

PublishedJune 10, 2026

Section 01

Summary

206Total Vulnerabilities

39Critical Severity

55Remote Code Execution

65Elevation of Privilege

27Spoofing

15At Exploitation Risk

Microsoft's June 2026 Patch Tuesday is one of the largest releases of the year, addressing 204 Microsoft vulnerabilities and 2 non-Microsoft CVEs across Windows, Office, SharePoint, Exchange, Azure, Visual Studio Code, and .NET. The 206 total include 39 critical and 167 important severity issues spanning 65 Elevation of Privilege, 55 Remote Code Execution, 30 Information Disclosure, 27 Spoofing, 19 Security Feature Bypass, 7 Denial of Service, and 3 Tampering categories. Notably, 15 CVEs are considered at risk of active exploitation, and functional proof-of-concept code is already publicly available for several issues, underscoring the urgency of immediate patch deployment.

Vulnerability Category Breakdown

Elevation of Privilege

65 31%

Remote Code Execution

55 27%

Information Disclosure

30 15%

Spoofing

27 13%

Security Feature Bypass

19 9%

Denial of Service

7 3%

Tampering

3 1%

Section 02

Vulnerability Details

#1

CVE-2026-47291 — HTTP.sys RCE (CVSS 9.8, Most Dangerous)

The most dangerous flaw in this release is an integer overflow in the Windows HTTP Protocol Stack (HTTP.sys). An unauthenticated attacker can trigger remote code execution with a single crafted packet, putting every internet-facing service built on HTTP.sys at risk — including IIS. No authentication, no user interaction required. Rated "more likely" to be exploited; treat as emergency-priority for all internet-facing servers.

#2

CVE-2026-49160 — HTTP/2 Bomb DoS (Publicly Disclosed Zero-Day)

The first of three publicly disclosed zero-days, CVE-2026-49160 maps to the "HTTP/2 Bomb" technique: a trivial amount of data forces a server to reserve enormous memory blocks via flow-control manipulation. Testing reportedly drained 64 GB of RAM from an IIS server in ~45 seconds. Microsoft's fix adds a MaxHeadersCount registry setting to cap HTTP/2 and HTTP/3 request headers as an interim mitigation where immediate patching is not possible.

#3

CVE-2026-44803 & CVE-2026-44812 — Win32K GRFX RCE (Critical, "More Likely")

Both flaws stem from an integer overflow in the Windows Win32K GRFX subsystem (graphics). Microsoft rates both "more likely" to be exploited. CVE-2026-42985 completes the graphics/RDP RCE cluster — a network-exploitable heap-based buffer overflow (CWE-122) in the Windows Remote Desktop Client, allowing a malicious RDP server to run code on any victim who connects.

#4

CVE-2026-45586 — CTFMON EoP "GreenPlasma" (Publicly Disclosed Zero-Day)

The second publicly disclosed zero-day escalates privileges in the Windows Collaborative Translation Framework (CTFMON) via link following. It matches the public "GreenPlasma" exploit, which can spawn a SYSTEM shell from a standard user account. Four additional EoP flaws rated "more likely" give attackers with any foothold a clean path to SYSTEM: CVE-2026-42980 (NT OS Kernel), CVE-2026-42986 (Graphics), CVE-2026-42989 (Winlogon), and CVE-2026-42905 (DWM Core Library).

#5

CVE-2026-50507 — BitLocker Bypass "YellowKey" (Publicly Disclosed Zero-Day, CVSS 6.8)

The third publicly disclosed zero-day is a protection-mechanism failure allowing an attacker with physical access to defeat BitLocker using the "YellowKey" exploit — crafted files on USB/EFI media plus the Recovery Environment to open a shell over encrypted drives. Primarily affects TPM-only setups on Windows 11 and Server 2022/2025; TPM+PIN was Microsoft's earlier interim mitigation. CVE-2026-45658 is a second BitLocker bypass in the same release.

#6

SharePoint, NTLM & Exchange Spoofing Cluster

Three spoofing flaws carry elevated risk: CVE-2026-45481 and CVE-2026-47634 in SharePoint Server (both "more likely"), and CVE-2026-50508 in Windows NTLM. These typically enable content forgery, credential relay, or social-engineering attacks. Exchange Server carries additional spoofing, information disclosure, EoP, and one RCE (CVE-2026-45583). As of the release date, none of the three publicly disclosed zero-days are known to be actively exploited.

Exploitable CVEs — Priority Patch Targets

CVE ID	Name	Affected Product	Zero-Day	Impact	Patch
CVE-2026-47291	HTTP.sys Remote Code Execution (CVSS 9.8 — integer overflow, unauthenticated)	Windows HTTP.sys; Server 2012–2025; Win 10/11	–	RCE	✓
CVE-2026-49160	HTTP.sys DoS — "HTTP/2 Bomb" (publicly disclosed)	Windows 11 23H2, 10 22H2; Server 2016–2025	✓	DoS	✓
CVE-2026-45586	CTFMON Elevation of Privilege — "GreenPlasma" (publicly disclosed)	Windows Server 2012–2025; Win 10/11	✓	EoP → SYSTEM	✓
CVE-2026-50507	BitLocker Security Feature Bypass — "YellowKey" (publicly disclosed, CVSS 6.8)	Windows Server 2012–2025; Win 10/11	✓	SFB	✓
CVE-2026-45658	BitLocker Security Feature Bypass	Windows Server 2012–2025; Win 10/11	–	SFB	✓
CVE-2026-42985	Remote Desktop Client RCE (heap-based buffer overflow, CWE-122)	Windows Server 2012–2022; Win 10/11; Windows App	–	RCE	✓
CVE-2026-44803	Windows Graphics Component RCE — Win32K GRFX integer overflow ("more likely")	Windows 10/11; Server 2012–2025; Word/PPT Android	–	RCE	✓
CVE-2026-44812	Windows Graphics Component RCE — Win32K GRFX integer overflow ("more likely")	Windows 10/11; Server 2012–2025; PPT/Excel Android	–	RCE	✓
CVE-2026-42980	NT OS Kernel Elevation of Privilege ("more likely")	Windows Server 2025; Win 10 1607; Win 11 24H2	–	EoP → SYSTEM	✓
CVE-2026-42986	Microsoft Graphics Component Elevation of Privilege ("more likely")	Windows Server 2012–2025; Win 10/11	–	EoP	✓
CVE-2026-42989	Winlogon Elevation of Privilege ("more likely")	Windows Server 2012–2025; Win 10/11	–	EoP	✓
CVE-2026-42905	Windows DWM Core Library Elevation of Privilege	Windows 10 21H2/22H2; Win 11; Server 2012–2025	–	EoP	✓
CVE-2026-45481	Microsoft SharePoint Server Spoofing ("more likely")	SharePoint Subscription Ed.; 2019; Enterprise 2016	–	Spoofing	✓
CVE-2026-47634	Microsoft SharePoint Server Spoofing ("more likely")	SharePoint Subscription Ed.; 2019	–	Spoofing	✓
CVE-2026-50508	Windows NTLM Spoofing Vulnerability	Windows Server 2012–2022; Win 10/11	–	Spoofing	✓

Section 03

Recommendations

01

Apply June 2026 Security Updates Immediately

Deploy the June 9, 2026 Microsoft security updates across all affected Windows clients, servers, Remote Desktop clients, and SharePoint Server instances without delay. These updates remediate all fifteen exploitable vulnerabilities including the three publicly disclosed zero-days and the CVSS 9.8 HTTP.sys RCE flaw. Functional proof-of-concept code is already public for several issues — patching is the single most effective control.

02

Prioritise Internet-Facing HTTP.sys Systems

Treat servers running IIS or any service built on the Windows HTTP Protocol Stack as top-priority patch targets for CVE-2026-47291 and CVE-2026-49160 — both reachable over the network with no authentication. Where immediate patching is not possible for the HTTP/2 DoS issue, apply the new MaxHeadersCount registry setting to limit headers in HTTP/2 and HTTP/3 requests as an interim mitigation.

03

Harden BitLocker-Protected Endpoints

For devices relying on TPM-only BitLocker — particularly Windows 11 and Server 2022/2025 — apply fixes for CVE-2026-50507 and CVE-2026-45658, and enable TPM+PIN authentication to raise the bar against physical-access attacks such as the "YellowKey" technique. Enforce boot-environment and recovery-environment controls to prevent untrusted USB or EFI media from subverting encryption.

04

Constrain Privilege-Escalation Exposure

CVE-2026-42980, CVE-2026-42985, CVE-2026-42986, CVE-2026-42989, CVE-2026-45586, and CVE-2026-42905 all enable an attacker with any foothold to elevate to SYSTEM. Enforce least privilege, restrict local admin rights, and monitor for anomalous process creation, unexpected SYSTEM-level shells, and RDP connections to untrusted servers until patching is complete.

Section 04

MITRE ATT&CK TTPs

Initial AccessT1190
T1189

T1190 – Exploit Public-Facing Application: CVE-2026-47291 enables unauthenticated remote code execution against any internet-facing HTTP.sys service with a single crafted packet.

T1189 – Drive-by Compromise: Graphics component RCE flaws (CVE-2026-44803, CVE-2026-44812) can be triggered via malicious content rendering in client applications.

ExecutionT1059
T1203
T1204 / T1204.001
T1204.002

Command and Scripting Interpreter, Exploitation for Client Execution, User Execution (Malicious Link / Malicious File): Office RCE vulnerabilities (multiple Excel, Word, SharePoint CVEs) execute code via malicious files or links consistent with phishing delivery, while kernel and service flaws execute attacker-controlled code in privileged contexts.

Defense EvasionT1036 / T1218
T1553 / T1553.005
T1548 / T1548.002

Masquerading, System Binary Proxy Execution, Mark-of-the-Web Bypass (CVE-2026-45595), Bypass UAC: Security feature bypass flaws across Secure Boot, MOTW, and Windows Administrator Protection allow attackers to evade detection controls and bypass trust boundaries.

Privilege EscalationT1068
T1078
T1543 / T1543.003

Exploitation for Privilege Escalation: Six "more likely" EoP flaws (NT OS Kernel, Graphics, Winlogon, DWM, CTFMON) provide SYSTEM escalation from any user foothold. Windows Service creation (T1543.003) is a persistence/escalation path via multiple kernel-mode driver vulnerabilities.

Credential AccessT1552

Unsecured Credentials: NTLM spoofing (CVE-2026-50508) and BitLocker bypasses (CVE-2026-50507, CVE-2026-45658) expose credential material and encrypted data to attackers with local or network access, enabling credential relay and offline credential harvesting.

Lateral MovementT1021 / T1021.001

Remote Services / Remote Desktop Protocol: Multiple RDC RCE vulnerabilities (CVE-2026-42985, CVE-2026-42909, CVE-2026-42913 and others) enable attackers to execute code on victim systems connecting to malicious RDP servers — a classic lateral-movement enabler.

ImpactT1499 / T1499.004

Endpoint Denial of Service / Application or System Exploitation: CVE-2026-49160 (HTTP/2 Bomb) can exhaust server memory in under 60 seconds. Windows Kerberos DoS (CVE-2026-42903, CVE-2026-42914) and TCP/IP DoS (CVE-2026-42915) provide additional denial-of-service attack paths against authentication and network services.

Section 05

References

Microsoft Security Response Center — June 2026 Release Notes https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun

June 15, 2026

Red | Vulnerability

Google Rushes Patch for In-the-Wild Chrome V8 Zero-Day (CVE-2026-11645)

Google Rushes Patch for In-the-Wild Chrome V8 Zero-Day CVE-2026-11645 | HiveForce Labs TA2026161

HiveForce Labs · Threat Advisory · Vulnerability Report

Google Rushes Patch for In-the-Wild Chrome V8 Zero-Day (CVE-2026-11645)

Google has patched an actively exploited zero-day in the Chrome V8 JavaScript engine — CVE-2026-11645 — an out-of-bounds read/write vulnerability that can enable memory corruption, information disclosure, and potentially arbitrary code execution. A victim visiting a malicious web page is all that is required. All Chrome versions before 149.0.7827.103 on Windows, macOS, and Linux are affected. Update immediately.

Threat Level: Red Zero-Day — Actively Exploited CISA KEV Listed Drive-By Compromise First Seen: April 27, 2026 Admiralty Code: A1 Patch Available — Chrome 149

CVECVE-2026-11645

ComponentChrome V8 Engine

CWECWE-125 / CWE-787

Affected VersionsBefore 149.0.7827.103

Fixed (Win/Linux)149.0.7827.102

Fixed (macOS)149.0.7827.103

PlatformsWindows, macOS, Linux

First SeenApril 27, 2026

PublishedJune 10, 2026

Section 01

Summary

Google has released an emergency patch for CVE-2026-11645, a high-severity zero-day in the V8 JavaScript and WebAssembly engine powering Google Chrome and all Chromium-based browsers. The vulnerability is an out-of-bounds read/write flaw (CWE-125 / CWE-787) in Chrome's JavaScript execution component, enabling memory corruption, sensitive data exposure, and potentially arbitrary code execution — all without any user interaction beyond visiting a malicious web page. Google has confirmed active in-the-wild exploitation. No information has been disclosed regarding threat actors, targeted sectors, geographic focus, or post-exploitation activity.

The fix ships as Chrome 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for macOS, released as part of a broader emergency security rollout. Because V8 is shared across all Chromium-based browsers — including Microsoft Edge, Brave, Opera, and Vivaldi — organisations must audit and update all derivative browsers in addition to Chrome itself.

CVE

CVE ID	Name	Affected Product	Zero-Day	CISA KEV	Patch
CVE-2026-11645	Google Chromium V8 Out-of-Bounds Read and Write Vulnerability	Google Chrome (all versions before `149.0.7827.103`)	✓	✓	✓

Section 02

Vulnerability Details

#1

Root Cause: Out-of-Bounds Memory Access in V8 (CWE-125 / CWE-787)

The V8 engine is the open-source JavaScript and WebAssembly runtime responsible for compiling and executing JavaScript code within web pages in Chrome and all Chromium-based browsers. CVE-2026-11645 stems from an out-of-bounds memory access issue that permits unauthorized read and write operations beyond allocated memory boundaries — classified as both CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write). V8 remains a prime target for attackers seeking reliable browser exploitation paths.

#2

Impact: Memory Corruption to Arbitrary Code Execution

Out-of-bounds read/write flaws in browser engines are particularly dangerous because they can enable attackers to corrupt neighboring memory objects, expose sensitive information from process memory, and build arbitrary read/write primitives. These primitives provide significant control over browser memory — making this class of bug a recurring feature in sophisticated browser exploitation chains used by both nation-state actors and cybercriminal groups.

#3

Zero-Click Drive-By: Single Page Visit Sufficient

Exploitation requires only that an attacker host or compromise a malicious web page crafted to trigger the vulnerable code path in V8. Once a victim visits the page, the flaw can be exploited without any further user interaction. This zero-click drive-by delivery model makes CVE-2026-11645 especially high-risk for any organisation where users browse the web on Chrome or any Chromium-based browser.

#4

Active Exploitation Confirmed — Attribution Withheld

Google has confirmed that CVE-2026-11645 has been exploited in the wild, with the earliest known exploitation dating to April 27, 2026. At present, no information has been disclosed regarding the threat actors involved, targeted sectors, geographic focus, or post-exploitation activity — consistent with Google's standard practice of withholding attribution details until patching reaches sufficient rollout coverage.

Affected Product & CPE

CVE ID	Affected Product	Affected CPE	CWE
CVE-2026-11645	Google Chrome before `149.0.7827.103` (Windows, macOS, Linux)	cpe:2.3:a:google:chrome::::::::	`CWE-125`, `CWE-787`

Section 03

Recommendations

01

Update Chrome Immediately

Apply the Chrome 149 stable channel update without delay. Patched versions are 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for macOS. Use enterprise endpoint management or browser management policies to push updates across all managed endpoints, and verify deployment via software inventory reporting.

02

Force Browser Relaunch After Update

Chrome downloads updates in the background, but the patched binary does not take effect until the browser restarts. In managed environments, enforce relaunch policies or maintenance window prompts to ensure users are actually running the patched version. Track patch deployment and relaunch compliance as distinct metrics.

03

Restrict High-Risk Browsing While Patches Propagate

For endpoints where immediate patching is not possible — kiosk devices, VDI golden images, or systems with change management constraints — temporarily increase controls around high-risk web browsing. Consider limiting access to uncategorized URL categories, enforcing web isolation for untrusted content, or deploying browser-level exploit protection mechanisms.

04

Monitor for Suspicious Browser-Derived Activity

Even with patching underway, monitor endpoints for anomalous behaviours indicating exploitation attempts. Watch for unexpected child processes spawned by Chrome, unusual network beacons shortly after browsing events, abnormal crash patterns in Chrome renderer processes, or signs of lateral movement originating from endpoints with active browser sessions.

05

Audit Chromium-Based Browser Inventory

V8 is shared across all Chromium-based browsers — Microsoft Edge, Brave, Opera, and Vivaldi. Ensure all Chromium-derivative browsers in the environment are updated to versions incorporating the V8 fix. Maintain an accurate inventory of all browser types and versions deployed across the organisation, treating each as a patching obligation equal to Chrome itself.

Section 04

MITRE ATT&CK TTPs

Initial AccessT1189

Drive-By Compromise: Exploitation of CVE-2026-11645 requires only that a victim visits a malicious or attacker-controlled web page. The out-of-bounds V8 flaw is triggered silently during JavaScript execution, with no further user interaction needed — the defining characteristic of a drive-by compromise attack.

ExecutionT1203

Exploitation for Client Execution: The V8 out-of-bounds read/write vulnerability enables arbitrary code execution within the Chrome renderer process. Successful exploitation provides attackers with code execution in the context of the browser, serving as a foothold for sandbox escape and further post-exploitation activity.

Defense EvasionT1211

Exploitation for Defense Evasion: Memory corruption primitives built from the out-of-bounds read/write access can be leveraged to bypass browser security boundaries — including sandbox restrictions and memory integrity controls — enabling attackers to evade detection mechanisms while expanding their access within the compromised process.

Resource Dev.T1588 / T1588.006

T1588.006 – Vulnerabilities: The active exploitation of CVE-2026-11645 in the wild indicates that threat actors — nation-state or criminal — acquired and weaponised this V8 vulnerability prior to public disclosure, consistent with the systematic identification and operationalisation of browser engine vulnerabilities for use in targeted or broad campaigns.

Section 05

References & Patch Links

Chrome 149 Patch Download https://www.google.com/intl/en/chrome/?standalone=1
Chrome Stable Channel Release Notes https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html

June 15, 2026

Red | Vulnerability

From Zero-Day to Ransomware: Check Point VPN Bug Fuels Real-World Attacks

From Zero-Day to Ransomware: Check Point VPN Bug Fuels Real-World Attacks | HiveForce Labs TA2026160

HiveForce Labs · Threat Advisory · Vulnerability Report

From Zero-Day to Ransomware: Check Point VPN Bug Fuels Real-World Attacks

A critical zero-day in Check Point's Remote Access VPN and Mobile Access products (CVE-2026-50751) is under active exploitation, allowing unauthenticated attackers to bypass authentication via a legacy IKEv1 certificate validation flaw. At least one post-compromise intrusion has been attributed to a Qilin ransomware affiliate. A related vulnerability, CVE-2026-50752, was also disclosed — not yet exploited but equally urgent to patch.

Threat Level: Red Zero-Day — Actively Exploited CISA KEV Listed Qilin Ransomware Linked First Seen: May 7, 2026 Admiralty Code: A1 Patch Available

Primary CVECVE-2026-50751

Related CVECVE-2026-50752

CWE (Primary)CWE-287

CWE (Related)CWE-295

CVSS (Related)7.4 High

MalwareQilin Ransomware

Root CauseLegacy IKEv1 Cert Validation

First ExploitedMay 7, 2026

PublishedJune 10, 2026

Section 01

Summary

Check Point's Remote Access VPN and Mobile Access products are under active zero-day exploitation via CVE-2026-50751 — a logic error in the legacy IKEv1 certificate validation process classified as CWE-287 (Improper Authentication). An unauthenticated remote attacker can exploit this flaw to bypass authentication and establish a VPN connection without valid credentials. The earliest confirmed attacks date to May 7, 2026; activity intensified in early June and has impacted dozens of organizations worldwide. In at least one incident, post-compromise activity was attributed to a Qilin ransomware affiliate.

A second vulnerability, CVE-2026-50752 (CWE-295, CVSS 7.4), was identified in the same deprecated IKEv1 component via Check Point's BLAST AI-powered code security platform. It could enable a man-in-the-middle attacker to interfere with site-to-site VPN communications. No active exploitation has been observed, but patching is equally urgent. The campaign underscores the systemic risk of retaining legacy VPN protocols in production environments.

CVEs

CVE ID	Name	Affected Product	Zero-Day	CISA KEV	Patch
CVE-2026-50751	Check Point Security Gateway Improper Authentication Vulnerability	Check Point Mobile Access / SSL VPN, Remote Access VPN, Spark Firewall	✓	✓	✓
CVE-2026-50752	Check Point Security Gateway Certificate Validation Vulnerability	Check Point Security Gateways, Spark Firewall	–	–	✓

Section 02

Vulnerability Details

#1

Root Cause: IKEv1 Logic Error (CWE-287)

CVE-2026-50751 stems from a logic error in the certificate validation process used by Check Point Remote Access VPN and Mobile Access when the legacy IKEv1 key exchange protocol is enabled. An unauthenticated remote attacker can bypass authentication and establish a full VPN connection without valid credentials. The flaw primarily impacts environments that allow legacy Remote Access client connections and do not enforce machine certificate authentication.

#2

Scope: Affected Firmware Versions

The vulnerability affects Check Point Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall deployments running firmware versions R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, and R82.10. Organisations on end-of-support releases (R80.20.X, R80.40, R81, R81.10) face elevated risk as patches may be limited beyond the dedicated hotfix.

#3

Active Exploitation & Qilin Ransomware Link

Check Point confirmed in-the-wild exploitation from May 7, 2026, with activity intensifying in early June across dozens of organisations worldwide. In at least one incident, post-compromise activity was linked to a Qilin ransomware affiliate. Investigators observed attackers operating from dedicated VPS infrastructure — including Kaupo Cloud HK, Shock Hosting, and Vultr Holdings — and cross-targeting similar VPN weaknesses in Palo Alto Networks, Fortinet, and F5 products.

#4

Related Flaw: CVE-2026-50752 (CWE-295, CVSS 7.4)

Identified during a broader security review of the same deprecated IKEv1 component using Check Point's BLAST AI-powered code security platform, CVE-2026-50752 could enable a man-in-the-middle attacker to interfere with site-to-site VPN communications under specific conditions. No active exploitation has been observed, but the shared vulnerable component means patching both CVEs with the same hotfix release is strongly recommended.

Affected Products & CPE Strings

CVE ID	Affected Versions	Affected CPE	CWE
CVE-2026-50751	R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10	cpe:2.3:a:checkpoint:remote_access_vpn:::::::: cpe:2.3:a:checkpoint:security_gateway::::::::	`CWE-287`
CVE-2026-50752	R80.20.X, R80.40, R81, R81.10, R81.10.X, R81.20, R82, R82.00.X, R82.10	cpe:2.3:a:checkpoint:security_gateway::::::::	`CWE-295`

Section 03

Recommendations

01

Apply Security Hotfixes Immediately

Update all affected Check Point Security Gateways to the vendor-released hotfix without delay. This is the most direct mitigation for both CVE-2026-50751 and CVE-2026-50752. Refer to Check Point SK articles sk185033 and sk185035 for exact upgrade guidance and affected configurations.

02

Disable Deprecated IKEv1 Key Exchange

Configure global properties for Remote Access VPN authentication to use IKEv2 only, removing support for the deprecated IKEv1 protocol. This eliminates the vulnerable code path entirely and prevents exploitation even on unpatched systems — an immediate risk-reduction action independent of patch scheduling.

03

Remove Legacy Remote Access Client Support

Disable support for legacy Remote Access client connections and enforce Machine Certificate Authentication as mandatory for all VPN connections. This ensures only authorized, certificate-validated devices can establish VPN sessions, closing the attack surface exploited by CVE-2026-50751.

04

Conduct Forensic Log Audits

IR teams should review VPN authentication logs and gateway configurations from May 7, 2026 onward. Prioritise identifying unauthorized VPN sessions, unusual connection patterns, or connections originating from VPS providers including Kaupo Cloud HK, Shock Hosting, and Vultr Holdings.

05

Enable IPS & Download Latest Signatures

Activate Check Point's Intrusion Prevention System (IPS) on all affected gateways and ensure the latest signature updates are deployed. This provides an additional detection layer for exploitation attempts targeting CVE-2026-50751 while patch deployment is in progress.

06

Upgrade End-of-Support Firmware

Organisations on end-of-support firmware (R80.20.X, R80.40, R81, R81.10) should plan an accelerated migration to a currently supported release. End-of-support products receive limited security updates and represent ongoing risk even after the dedicated hotfix is applied.

Section 04

Indicators of Compromise (IoCs)

The following IP addresses, MD5 hashes, and SHA256 hashes are associated with the active exploitation campaign targeting Check Point VPN deployments via CVE-2026-50751. Block at firewall, endpoint, and SIEM controls immediately.

IPv4

45[.]77[.]149[.]152 · 209[.]182[.]225[.]136 · 38[.]60[.]157[.]139 · 162[.]33[.]177[.]101 · 45[.]76[.]26[.]42 · 144[.]208[.]127[.]155 · 38[.]54[.]88[.]201 · 38[.]54[.]107[.]167 · 66[.]42[.]99[.]200 · 45[.]63[.]104[.]106 · 45[.]61[.]136[.]173 · 146[.]71[.]81[.]184 · 208[.]123[.]119[.]167 · 64[.]176[.]228[.]109 · 158[.]247[.]195[.]147 · 144[.]208[.]127[.]134

MD5

52fda5c1b9704544f32ee98d9060e689
51d39aa39478beeac94f2d12f682ecce

SHA256

76842bcd75b4429e2c92636274ab0395d91c441c6aea9b76fe8a051659b0c1fc

Section 05

MITRE ATT&CK TTPs

Initial AccessT1190

Exploit Public-Facing Application: Unauthenticated remote exploitation of internet-exposed Check Point VPN gateways via the CVE-2026-50751 IKEv1 authentication bypass to gain unauthorized network access without valid credentials.

Credential AccessT1556

Modify Authentication Process: The IKEv1 certificate validation logic error effectively nullifies the authentication requirement, enabling credential-free VPN session establishment by bypassing the authentication check at the protocol level.

Command & ControlT1572
T1071

T1572 – Protocol Tunneling: Attackers establish unauthorized VPN tunnels through exploited Check Point gateways to blend malicious traffic within legitimate encrypted VPN sessions.

T1071 – Application Layer Protocol: C2 communications conducted via standard application-layer protocols traversing the established VPN tunnel.

Resource Dev.T1583 / T1583.003
T1588 / T1588.006

T1583.003 – Virtual Private Server: Attackers leveraged dedicated VPS infrastructure (Kaupo Cloud HK, Shock Hosting, Vultr Holdings) for exploitation operations and post-compromise activity.

T1588.006 – Vulnerabilities: The campaign demonstrates systematic acquisition and weaponisation of VPN vulnerabilities across multiple vendors (Check Point, Palo Alto Networks, Fortinet, F5).

Section 06

References & Patch Links

CVE-2026-50751 — Patch (sk185033) https://support.checkpoint.com/results/sk/sk185033
CVE-2026-50752 — Patch (sk185035) https://support.checkpoint.com/results/sk/sk185035
Check Point Security Blog https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/

June 15, 2026

Red | Attack

Code Blue: U.S. Healthcare Under Cyber Siege

Code Blue: U.S. Healthcare Under Cyber Siege | HiveForce Labs TA2026159

HiveForce Labs · Threat Advisory · Attack Report

Code Blue: U.S. Healthcare Under Cyber Siege

A comprehensive threat analysis of U.S. healthcare from January 2025 to June 2026 — tracking 35 disclosed breaches, 37 exploited CVEs, and ~233 million exposed records. Ransomware crews including Interlock, Medusa, and Anubis industrialised double-extortion across hospitals, dialysis chains, and blood banks while nation-state actor Lazarus adopted Medusa RaaS. Change Healthcare alone exposed 190 million individuals — the largest health-data breach ever recorded.

Threat Level: Red Attack Report ≈233M Records Exposed 35 Breaches Tracked 37 Exploited CVEs Jan 2025 – Jun 2026 Admiralty Code: A1 Published: June 9, 2026

RegionUnited States

SectorHealthcare

Top ActorTeamPCP

Top RansomwareInterlock, Medusa, Anubis

Top Malware TypeInfo Stealers (24%)

Top MalwareLumma, Stealc, AsyncRAT, Rhadamanthys

Top CVECVE-2024-55591

CISA KEV29 / 37 CVEs

Patch Available34 / 37 CVEs

Section 01

Summary

The U.S. healthcare sector remained the most relentlessly targeted slice of American critical infrastructure across the reporting window. The Change Healthcare breach (ALPHV/BlackCat) produced the largest health-data breach on record — 190 million individuals' PHI and ~6 TB of data exfiltrated — while Interlock, Medusa, and Anubis industrialised double-extortion against hospitals, dialysis chains, and blood banks. Exploitation gravitated to the exposed perimeter: VPNs, firewalls, and gateways accounted for the largest share of weaponised CVEs (12 of 37), with medical IoT and supply-chain compromises widening the blast radius. Critically, 78% of exploited CVEs were already in CISA's KEV catalogue and 92% had a patch available — the damage stems from patch lag, not novel zero-days.

35Healthcare Breaches Tracked

~233MIndividual Records Exposed

37Exploited CVEs Tracked

29CISA KEV-Listed Vulns

Quantified Financial Loss

UnitedHealth / Change Healthcare: ~$22M ransom paid; total breach impact escalated past ~$2.45B.

Medusa (Spearwing): Ransom demands of $100,000–$15,000,000 per victim.

Section 02

Attack Details

U.S. healthcare was compromised through two recurring routes: its exposed network perimeter and its web of third-party partners. The overwhelming majority of disclosed damage came from ransomware crews running double-extortion playbooks and from breaches at the vendors, clearinghouses, and business associates that healthcare providers depend on.

#1

Change Healthcare: The Defining Incident

ALPHV/BlackCat struck UnitedHealth's claims-clearing subsidiary, exfiltrating 190M individuals' PHI and ~6 TB of data — the largest healthcare breach on record. A ~$22M ransom was paid; RansomHub re-extorted the same data. Total impact exceeded $2.45B. Because Change Healthcare processes a large share of U.S. medical claims, a single intrusion disrupted pharmacy and provider payments nationwide.

#2

Interlock, Medusa & Anubis: Industrial-Scale Ransomware

Interlock — 5 appearances — hit DaVita (~2.7M records, ~1.5 TB stolen), Kettering Health (system-wide outage, 14 centers), and Brockton and Legacy community health orgs. Medusa (Spearwing) claimed 40+ victims in early 2025 with demands of $100K–$15M. Anubis combined encryption with file destruction, making data recovery impossible even after ransom payment.

#3

Supply-Chain Blast Radius

BPO provider Conduent disclosed 15.5M (TX) and 10.5M (OR) individuals affected. Episource lost 5.4M records including downstream client Sharp Healthcare. TriZetto (Cognizant) exposed 3.4M; Oracle Health saw EHR data stolen from multiple hospitals. Ascension was breached via Black Basta (~5.6M) and a former business partner — illustrating how risk extends beyond an org's own walls.

#4

Perimeter & Credential Theft

Internet-facing Fortinet, Ivanti, Citrix, and Palo Alto appliances were the dominant initial-access vector. CVE-2024-55591 (Fortinet auth-bypass) was the single most-referenced CVE. RMM tools (SimpleHelp, AnyDesk, MeshAgent) were repeatedly abused for hands-on-keyboard access. Information stealers — Lumma, StealC, Rhadamanthys — accounted for 24% of malware and harvested the credentials seeding later intrusions.

#5

Medical IoT & Unmanaged Devices

7 of 37 CVEs targeted cameras, DVRs, and embedded firmware. CISA flagged a Contec CMS8000 patient monitor backdoor beaconing to a China-linked IP. Hikvision devices (4 CVEs) were among the most-exploited products — a perimeter problem compounded by unmanaged devices sitting deep in clinical environments.

#6

Emerging Signals: Nation-State & SEC Materiality

Lazarus Group's adoption of Medusa RaaS marked a convergence of nation-state tradecraft with criminal ransomware infrastructure. The FBI warned of social-engineering campaigns impersonating fraud investigators. West Pharmaceutical's breach was declared "material" in an SEC filing. Sinobi went from unknown to 54 claimed healthcare victims in early 2026.

Most Recurring Threats

Most Recurring Actor

TeamPCP

2 sector incidents

Most Recurring Ransomware

Interlock

5 appearances

Most Recurring Malware

Lumma Stealer

4 incidents (tied AsyncRAT, Rhadamanthys)

Most Recurring CVE

CVE-2024-55591

5 mentions — Fortinet auth-bypass

Timeline of Major Events

Feb 2024

Change Healthcare

ALPHV/BlackCat — 190M records, largest healthcare breach on record.

Jul 2024

OneBlood

Ransomware disrupts major blood-supply network; donation logistics offline.

Late 2024

Interlock Emerges

Systematic targeting of U.S. healthcare providers begins (Brockton, Legacy).

Jan 2025

Contec CMS8000

CISA flags embedded firmware backdoor in patient monitors beaconing to China-linked IP.

Mar–Apr 2025

DaVita

Interlock exfiltrates ~2.7M records / ~1.5 TB from the dialysis giant.

May 2024–2025

Ascension

Black Basta intrusion; ~5.6M individuals, clinical disruption across hospitals.

Oct 2025

Conduent

BPO breach cascades — 10.5M+ (OR) / 15.5M+ (TX) individuals affected.

Feb 2026

Lazarus × Medusa

Nation-state actor adopts Medusa RaaS against U.S. healthcare & non-profits.

May 2026

West Pharmaceutical

Data theft + encryption; declared 'material' in an SEC filing.

Vulnerability Posture

29/37Listed in CISA KEV

16/37Exploited as Zero-Days

34/37Have a Vendor Patch

78% of weaponised CVEs are in CISA's KEV catalogue and 92% have a patch available — most damage stems from patch lag. The 16 zero-days cluster in edge appliances (Fortinet, Ivanti, Citrix, Palo Alto), underscoring why perimeter devices demand the fastest patch SLAs.

Tracked CVEs (37 Total)

CVE ID	Vulnerability	Product	0-Day	KEV	Patch
CVE-2026-22769	Hard-coded Credentials	Dell RecoverPoint VMs	✓	✓	✓
CVE-2019-0604	Remote Code Execution	Microsoft SharePoint	–	✓	✓
CVE-2022-42475	Heap-Based Buffer Overflow	Fortinet FortiOS	✓	✓	✓
CVE-2024-23113	Format String Vulnerability	Fortinet Multiple Products	–	✓	✓
CVE-2024-55591	Authorization Bypass	FortiOS / FortiProxy	✓	✓	✓
CVE-2026-24858	Auth Bypass via Alternate Path	Fortinet Multiple Products	✓	✓	✓
CVE-2024-21887	Command Injection	Ivanti Connect Secure / Policy Secure	✓	✓	✓
CVE-2025-0282	Stack-Based Buffer Overflow	Ivanti Connect Secure / Policy Secure / ZTA	✓	✓	✓
CVE-2026-1281	Code Injection	Ivanti EPMM	✓	✓	✓
CVE-2025-5777	Out-of-Bounds Read (CitrixBleed 2)	Citrix NetScaler Gateway	✓	✓	✓
CVE-2024-24919	Information Disclosure	Check Point Security Gateway	✓	✓	✓
CVE-2024-3400	Command Injection	Palo Alto PAN-OS	✓	✓	✓
CVE-2026-1731	OS Command Injection	BeyondTrust RS / PRA	–	✓	✓
CVE-2017-7921	Improper Authentication	Hikvision Multiple Products	✓	✓	✓
CVE-2021-36260	Improper Input Validation	Hikvision Multiple Products	–	✓	✓
CVE-2023-6895	Command Injection	Hikvision Intercom System	–	–	✓
CVE-2025-34067	Remote Command Execution	Hikvision ISMP	–	–	✓
CVE-2021-33044	Authentication Bypass	Dahua IP Camera Firmware	–	✓	✓
CVE-2024-3721	OS Command Injection	TBK DVR-4104 / DVR-4216	–	–	–
CVE-2026-20131	Deserialization of Untrusted Data	Cisco Secure FMC	✓	✓	✓
CVE-2025-31324	Unrestricted File Upload	SAP NetWeaver	✓	✓	✓
CVE-2025-61882	Unspecified RCE	Oracle E-Business Suite	✓	✓	✓
CVE-2021-35587	Unspecified Vulnerability	Oracle Fusion Middleware / Access Manager	–	✓	✓
CVE-2024-37085	Authentication Bypass	VMware ESXi	–	✓	✓
CVE-2023-27532	Missing Authentication	Veeam Backup & Replication Cloud Connect	–	✓	✓
CVE-2025-34291	Origin Validation Error	Langflow	–	✓	✓
CVE-2026-33017	Code Injection	Langflow	–	✓	✓
CVE-2025-29927	Middleware Bypass	Next.js	–	–	✓
CVE-2025-55182	Remote Code Execution	React Server Components (Meta)	–	✓	✓
CVE-2025-54068	Code Injection	Laravel Livewire	–	✓	✓
CVE-2025-68613	Dynamically-Managed Code Control	n8n	–	✓	✓
CVE-2025-52691	Unrestricted File Upload	SmarterTools SmarterMail	–	✓	✓
CVE-2026-33634	Embedded Malicious Code	Aquasecurity Trivy / setup-trivy	–	✓	✓
CVE-2025-9316	Unauthenticated SessionID Generation	N-able N-central	–	–	✓
CVE-2017-17215	Remote Code Execution	Huawei HG532	✓	–	–
CVE-2025-7771	Privilege Escalation	TechPowerUp ThrottleStop.sys	✓	–	–
CVE-2026-45321	Embedded Malicious Code	TanStack Router npm Packages	–	–	✓

Section 03

Recommendations

01

Prioritise Edge & Perimeter Patching

12 of 37 CVEs hit VPNs, firewalls, and gateways (Fortinet, Ivanti, Citrix, Palo Alto). Patch internet-facing appliances on an emergency cadence and retire EOL devices. CVE-2024-55591 is the most-referenced entry point into healthcare networks.

02

Govern RMM and Third-Party Access

Breaches trace repeatedly to business associates and RMM tooling (SimpleHelp, AnyDesk, MeshAgent). Inventory RMM tools, enforce allow-listing and phishing-resistant MFA, and contractually mandate breach SLAs from vendors handling PHI.

03

Harden Against Double-Extortion Ransomware

Interlock, Medusa, and Anubis exfiltrate before encrypting. Maintain offline immutable backups, segment clinical networks, and rehearse downtime procedures. Anubis also destroys files — backups are non-negotiable.

04

Defend Medical IoT and Devices

7 of 37 CVEs affect cameras, DVRs, and firmware (Hikvision, Dahua, Contec). Place medical/IoT devices on isolated VLANs, monitor egress for anomalous beaconing, and validate firmware integrity regularly.

05

Counter the Supply-Chain Blast Radius

Single vendor compromises (Change Healthcare, Conduent, Episource, TriZetto) cascaded to tens of millions. Map fourth-party dependencies, require SBOMs from critical SaaS and BPO providers, and treat your supply chain as an extension of your own attack surface.

Section 04

Indicators of Compromise (IoCs)

Representative SHA256, SHA1, and MD5 hashes associated with confirmed malware samples across the ransomware families and information-stealer campaigns targeting U.S. healthcare. Block at endpoint, email, and network controls.

Attack / Malware	Type	Hash Values (representative sample)
Interlock	SHA256	28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f 4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9 33dc991e61ba714812aa536821b073e4274951a1e4a9bc68f71a802d034f4fb9 b85586f95412bc69f3dceb0539f27c79c74e318b249554f0eace45f3f073c039 a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f
Medusa	SHA256	4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6 657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980 7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95 9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669 736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270 1bad2b6e8ab16c5a692b2d05f68f7924a73a5818ddf3a9678ca8caab3568a78e
Anubis	SHA256	98a76aacbaa0401bac7738ff966d8e1b0fe2d8599a266b111fdc932ce385c8ed
The Gentlemen	SHA1 / SHA256	SHA1: c12c4d58541cc4f75ae19b65295a52c559570054 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
ELENOR-corp (Mimic)	SHA256	5b2274daaabb293187b0a75c15247474511524850384ce2cfa5f0ba01344bea5
Vect	SHA256	a7eadcf81dd6fda0dd6affefaffcb33b1d8f64ddec6e5a1772d028ef2a7da0f2 58e17dd61d4d55fa77c7f2dd28dd51875b0ce900c1e43b368b349e65f27d6fdd e1fc59c7ece6e9a7fb262fc8529e3c4905503a1ca44630f9724b2ccc518d0c06
ALPHV / BlackCat	MD5 / SHA256 / SHA1	MD5: 944153fb9692634d6c70899b83676575, efc80697aa58ab03a10d02a8b00ee740, c90abb4bbbfe7289de6ab1f374d0bcbe SHA256: 1f5e4e2c78451623cfbf32cf517a92253b7abfe0243297c5ddf7dd1448e460d5 af28b78c64a9effe3de0e5ccc778527428953837948d913d64dbd0fa45942021 SHA1: 3dd0f674526f30729bced4271e6b7eb0bb890c52, d6d442e8b3b0aef856ac86391e4a57bcb93c19ad
Lumma Stealer	SHA256	515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd 01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f 65e1a8e550df1000eb91a7b679cf586efab0f24385b810f50349d50eb80ae806
AsyncRAT	SHA256	0054a0b839de6c8261a2f7ec0bd0efdcf2eb28161db6e6354ef94709c99b40c3 398bf921701c72139dfa6d11b2eb41810170eaf847cc73f16ff00c8f86d6d30a 7afcf780cb130e2d294e7eca704cb2914d50c738748da431ee275dacc3e5344e 6d240a48b5e2d1cf761a8b48b146d20729d0a7a3a557e31e75ed4c120ce71aea
Rhadamanthys	SHA256	0054a0b839de6c8261a2f7ec0bd0efdcf2eb28161db6e6354ef94709c99b40c3 7afcf780cb130e2d294e7eca704cb2914d50c738748da431ee275dacc3e5344e b9ad234abeb1490f2c2d28dd2387f0575ba5128ebb799741b1f3179622204175 c7ca2f9065557a6d8fb0c02c75804d386b77ffca4466678b201c09e916afa096
Sinobi	SHA256	1b2a1e41a7f65b8d9008aa631f113cef36577e912c13f223ba8834bbefa4bd14
Akira	SHA256	d5558ec7979a96fe1ddcb1f33053a1ac3416a9b65d4f27b5cc9fd0a816296184 2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643 99c1cd740fa749a163ce8cdf93722191c4ba5d97de81576623a8bbcb622473d6 678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33
INC	SHA256	fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced

Section 05

MITRE ATT&CK TTPs

Initial AccessT1190

Exploit Public-Facing Application: Internet-exposed VPN, firewall, and gateway appliances (Fortinet, Ivanti, Citrix, Palo Alto) were the primary initial-access vector. CVE-2024-55591 was the most-referenced CVE.

PersistenceT1505.003
T1543.003
T1547.001

T1505.003 – Web Shell planted for persistent re-entry. T1543.003 – Windows Service for reboot survival. T1547.001 – Registry Run Keys / Startup Folder for auto-execution on logon.

ExecutionT1569.002
T1059.001

T1569.002 – Service Execution: Ransomware executed via Windows services. T1059.001 – PowerShell: Used for payload delivery, lateral movement, and data exfiltration.

Defense EvasionT1574.002
T1140 / T1562
T1027 / T1055
T1014 / T1036.005

DLL Side-Loading, Deobfuscation, Impair Defenses, Obfuscated Files, Process Injection, Rootkit, Masquerading — full suite of evasion techniques observed across Interlock, Medusa, and ALPHV campaigns targeting healthcare environments.

Credential AccessT1078.002

Domain Accounts: Information stealers (Lumma, StealC, Rhadamanthys) harvested credentials enabling domain account takeovers and lateral movement across clinical networks.

Lateral MovementT1021.001
T1021.002

T1021.001 – Remote Desktop Protocol for post-access lateral movement. T1021.002 – SMB/Windows Admin Shares for internal network traversal.

DiscoveryT1016

System Network Configuration Discovery: Attackers mapped internal topology prior to lateral movement and targeting of high-value clinical and administrative systems.

Resource Dev.T1583.001

Acquire Domains: Infrastructure domains acquired for C2 operations and phishing campaigns targeting healthcare employees.

Command & ControlT1071.001
T1573.002

Web Protocols used to blend C2 traffic with legitimate HTTP/HTTPS. Asymmetric Cryptography used to obscure C2 communications channel.

ExfiltrationT1041

Exfiltration Over C2 Channel: Patient records and financial data exfiltrated before ransomware deployment — the defining characteristic of double-extortion across all major campaigns.

ImpactT1486 / T1490
T1489 / T1485

Data Encrypted for Impact disrupted EHR and billing systems. Inhibit System Recovery — shadow copies deleted. Service Stop — procedures cancelled, ambulances diverted. Data Destruction (Anubis) — irreversible even with ransom paid.

Section 06

References

June 15, 2026

Red | Vulnerability

Cisco Catalyst SD-WAN Manager Zero-Day Actively Exploited in the Wild

Cisco Catalyst SD-WAN Manager Zero-Day CVE-2026-20245 Actively Exploited | HiveForce Labs Threat Advisory

HiveForce Labs · Threat Advisory · Vulnerability Report

Cisco Catalyst SD-WAN Manager Zero-Day Actively Exploited in the Wild

A critical zero-day vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) is under active exploitation, enabling authenticated attackers to gain root access on the management plane and push unauthorized configuration changes fleet-wide. All deployment types are affected. Patch to release 20.18.3.1 immediately.

Threat Level: Red CVSS 7.8 High Zero-Day CISA KEV Listed Patch Available Admiralty Code: A1 First Seen: June 4, 2026

Primary CVE CVE-2026-20245

CVSS Score 7.8 (High)

CWE CWE-116

Affected Versions 20.18.2.1 and earlier

Fixed Release 20.18.3.1

Disclosed June 4, 2026

Suspected Actor UAT-8616

Attack Vector Local (CLI)

Exploitation In-the-Wild Confirmed

Section 01

Summary

Cisco disclosed CVE-2026-20245 on June 4, 2026 — an actively exploited, unpatched zero-day in the Cisco Catalyst SD-WAN Manager CLI affecting all versions 20.18.2.1 and earlier. Rated CVSS 7.8 and classified as CWE-116 (Improper Encoding or Escaping of Output), the vulnerability allows an authenticated attacker with netadmin privileges to upload a crafted file, trigger command injection, and gain root access on the SD-WAN management plane.

The netadmin precondition can be satisfied by chaining two earlier authentication-bypass flaws — CVE-2026-20182 and CVE-2026-20127 — converting this into a high-value privilege-escalation node in a broader SD-WAN intrusion chain. All deployment types are affected: On-Prem, Cisco SD-WAN Cloud-Pro, Cisco-Managed Cloud, and FedRAMP (Government). Cisco has observed limited cases where exploitation resulted in unauthorized configuration pushes to managed edge devices, enabling fleet-wide impact across enterprise and government networks.

A fix is available in Cisco Catalyst SD-WAN release 20.18.3.1. Organizations must upgrade immediately and verify all edge device configurations for unauthorized changes.

CVEs Addressed in This Advisory

CVE ID	Name	Affected Product	Zero-Day	CISA KEV	Patch
CVE-2026-20245	Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation	Cisco Catalyst SD-WAN Manager	✓	✓	✓
CVE-2026-20182	Cisco Catalyst SD-WAN Controller Authentication Bypass	Cisco Catalyst SD-WAN Controller	✓	✓	✓
CVE-2026-20127	Cisco Catalyst SD-WAN Controller & Manager Authentication Bypass	Cisco Catalyst SD-WAN Controller & Manager	✓	✓	✓

Section 02

Vulnerability Details

The Cisco Catalyst SD-WAN Manager zero-day exploitation chain involves multiple interconnected vulnerabilities. The following five technical findings collectively define the attack surface, risk, and broader threat context of CVE-2026-20245.

#1

Root Cause: Command Injection via Improper Output Escaping (CWE-116)

CVE-2026-20245, disclosed on June 4, 2026, is a high-severity zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw carries a CVSS score of 7.8 and is classified as CWE-116 (Improper Encoding or Escaping of Output). The underlying cause is insufficient validation of user-supplied file input subsequently consumed by privileged shell helpers. An authenticated local attacker uploads a crafted file to trigger command injection and elevate privileges to root. All deployment types are affected: On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

#2

Chained Authentication Bypass Enables Fleet-Wide Impact

Exploitation requires netadmin privileges, obtainable via valid credentials or by chaining the earlier authentication-bypass flaws CVE-2026-20182 and CVE-2026-20127 — making this a privilege-escalation node in a broader SD-WAN intrusion chain rather than a standalone initial-access vector. Cisco has observed limited cases where exploitation pushed unauthorized configuration changes to edge devices. Because Cisco Catalyst SD-WAN Manager is the orchestration plane for the managed edge fleet, root access on Manager translates directly into fleet-wide impact: traffic redirection, backdoor configurations, persistence, and lateral movement across enterprise and government networks.

#3

Patch Released — Precursor Fix Alone Is Insufficient

Cisco has released a dedicated fix in Catalyst SD-WAN release 20.18.3.1; releases 20.18.2.1 and earlier are affected. Customers should upgrade to 20.18.3.1 and verify edge device configurations. Importantly, upgrading only to the May 14, 2026 releases for CVE-2026-20182 addresses the precursor authentication-bypass but does not fix CVE-2026-20245 itself. Cisco confirmed in-the-wild exploitation in June 2026, suggesting that disclosure was accelerated by active threat actor activity.

#4

Threat Actor Attribution: UAT-8616

Cisco's advisory contains no official attribution, but exploitation of the two precursor CVEs has been publicly clustered under UAT-8616 with high confidence — a sophisticated actor active since at least 2023. Attribution of CVE-2026-20245 to UAT-8616 is plausible and operationally compelling, given it serves as a drop-in replacement for the cluster's prior root-escalation step (CVE-2022-20775), reflecting strategic continuity in targeting Cisco SD-WAN management infrastructure.

#5

Sustained Year-Long Targeting Pattern Against Cisco SD-WAN

CVE-2026-20245 is the seventh Cisco Catalyst SD-WAN vulnerability flagged as actively exploited in 2026, following CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. This reflects a sustained, year-long targeting pattern against Cisco SD-WAN management infrastructure. Internet-exposed Manager instances are at heightened risk and should be prioritized for immediate log review. Note: CVE-2022-20775 originated in 2022 but was actively exploited again in 2026.

Affected Products & CPE Strings

CVE ID	Affected Versions	Affected CPE	CWE
CVE-2026-20245	Cisco Catalyst SD-WAN `20.18.2.1` and earlier	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::	`CWE-116`
CVE-2026-20182	Before `20.9.9.1`, `20.12.7.1`, `20.12.5.4`, `20.12.6.2`, `20.15.5.2`, `20.15.4.4`, `20.18.2.2`, `26.1.1.1`	cpe:2.3:a:cisco:catalyst_sd-wan_controller:::::::: cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::	`CWE-287`
CVE-2026-20127	Before `20.9.8.2`, `20.12.5.3`, `20.12.6.1`, `20.15.4.2`, `20.18.2.1`	cpe:2.3:a:cisco:catalyst_sd-wan_controller:::::::: cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::	`CWE-287`

Section 03

Recommendations

Organizations running Cisco Catalyst SD-WAN Manager must take the following prioritized actions immediately to remediate the CVE-2026-20245 zero-day and reduce exposure from the broader SD-WAN intrusion chain.

01

Preserve Forensic Evidence Before Any Upgrade

Issue the request admin-tech command from each control component (Manager, Controller, Validator) in the SD-WAN deployment and collect the resulting admin-tech bundle before initiating any software upgrade. Cisco specifically warns that if a system is confirmed compromised, applying the software update alone will not resolve the vulnerability — the Cisco TAC will need the admin-tech file to provide tailored remediation steps. Retain all relevant logs (scripts.log, auth.log, control-connection state changes) prior to upgrade so that post-upgrade verification can confirm whether indicators of compromise are present.

02

Upgrade to the Fixed Release for CVE-2026-20245

Cisco has released 20.18.3.1 as the first fixed release for CVE-2026-20245; all Catalyst SD-WAN Manager versions 20.18.2.1 and earlier are affected and must be upgraded. Important: upgrading only to the May 14, 2026 releases for CVE-2026-20182 addresses the precursor authentication-bypass that satisfies the netadmin precondition, but does not fix CVE-2026-20245 itself. Customers should plan a two-stage or direct upgrade to 20.18.3.1.

03

Verify Edge Device Configurations Post-Upgrade

Because Cisco has observed exploitation resulting in unauthorized configuration pushes to edge devices, every edge device that may have received configuration from a potentially compromised Manager must be inspected for unauthorized changes. This includes routing policy, security policy, certificates, and any recently modified configuration objects. Treat any unverified configuration object received during the suspected exposure window as untrusted until reconciled against change-management records.

04

Restrict Management Plane Exposure

Per Cisco's hardening guidance for the February 2026 advisory, restrict inbound access to ports 22 and 830 on Catalyst SD-WAN Control Components to known controller and authorized management IP ranges using access control lists, security group rules, or firewall rules. Place control components behind a filtering device — ideally a two-layer firewall — and disable any non-required services including HTTP and FTP. Disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal and obtain a CA-signed certificate for SSL/TLS.

05

Enforce Continuous Vulnerability Management for the SD-WAN Stack

Maintain a current inventory of all Catalyst SD-WAN Control Component versions, subscribe to Cisco Security Notifications, and integrate Catalyst SD-WAN release tracking into the patch-management cadence. Cisco has issued multiple SD-WAN advisories in 2026 (including CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) with several flagged in CISA's Known Exploited Vulnerabilities catalogue. Treat the SD-WAN management plane as a high-priority asset class with elevated monitoring and accelerated patch SLAs.

Section 04

MITRE ATT&CK TTPs

The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with the Cisco Catalyst SD-WAN Manager zero-day exploitation chain. These TTPs reflect the observed and probable threat actor behaviors aligned with UAT-8616's modus operandi.

Initial Access T1190
T1078

T1190 – Exploit Public-Facing Application: Attackers exploit internet-exposed Cisco Catalyst SD-WAN Manager instances as an entry point.

T1078 – Valid Accounts: Authentication bypass via CVE-2026-20182 / CVE-2026-20127 enables use of valid or bypassed netadmin credentials.

Defense Evasion T1601
T1601.001

T1601 – Modify System Image / T1601.001 – Patch System Image: Threat actors may modify the SD-WAN system image to maintain persistence and evade detection after gaining root access.

Execution T1059

T1059 – Command and Scripting Interpreter: Crafted file upload triggers command injection via privileged shell helpers in the Cisco Catalyst SD-WAN Manager CLI.

Privilege Escalation T1068

T1068 – Exploitation for Privilege Escalation: Core mechanism of CVE-2026-20245 — authenticated attacker escalates from netadmin to root on the SD-WAN management plane.

Lateral Movement T1021
T1021.004

T1021 – Remote Services / T1021.004 – SSH: With root access on Manager, actors move laterally to edge devices using SSH, pushing unauthorized configurations across the managed fleet.

Persistence T1098
T1098.004

T1098 – Account Manipulation / T1098.004 – SSH Authorized Keys: Attackers plant SSH authorized keys to maintain persistent access even after credential rotation.

Impact T1565

T1565 – Data Manipulation: Unauthorized configuration pushes to managed edge devices constitute data manipulation — altering routing policy, security policy, and certificates across the enterprise network.

Section 05

References & Patch Links

Official Cisco Security Advisories

CVE-2026-20245 — Primary Advisory https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
CVE-2026-20182 — Authentication Bypass https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
CVE-2026-20127 — Authentication Bypass https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
Cisco Catalyst SD-WAN Remediation TechNote https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/225842-remediate-catalyst-sd-wan-security.html

June 15, 2026

Amber | Attack

DoubleClick Deception: Malspam Campaign Delivers Stealthy .NET Malware

June 9, 2026

Amber | Attack

New CMD Organization Ransomware Hits U.S. Healthcare with Auction Extortion

June 9, 2026

Red | Vulnerability

Cisco Unified CM Flaw Exposes Systems to Root-Level Compromise

June 9, 2026

Red | Attack

Qilin Rising: Continued Global Dominance and Expanded Tradecraft

June 9, 2026

Amber | Attack

Vibe-Coding the Kill Chain: The GREYVIBE Story

TA2026153 — GREYVIBE Actor Report: Vibe-Coding the Kill Chain | HiveForce Labs

01 — Summary

GREYVIBE — vibe-coding the kill chain

Threat level: Amber Actor: GREYVIBE Origin: Russia-nexus Platform: Windows · Android Active since: August 2025 GenAI-assisted tooling Admiralty: A1

Attack commenced

August 2025

TA number

TA2026153

Motive

Information theft · Espionage

Targeted regions

Ukraine · Moldova · Romania · Brazil · Venezuela · Guinea

Targeted industries

Military · Government · Defense · Energy · NGOs · Software suppliers

Campaigns

PhantomMail · PhantomClick · PrincessClub · DroneLink · Nebo

GREYVIBE is a Russia-nexus threat group that has targeted Ukraine and Ukraine-related entities since at least August 2025, with development and testing dating back to April 2025. WithSecure assesses with high confidence that its operators are Russian-speaking, working in the Moscow time zone, with lures, victimology, and objectives aligned with Russian state interests — chiefly intelligence collection tied to the Russia-Ukraine conflict.

The group's defining characteristic is the systematic use of generative AI — Ideogram AI, ChatGPT, and Google Gemini — for lure imagery, site building, obfuscator and full-stack RAT development, infrastructure setup, and post-compromise scripting. GREYVIBE operates five concurrent campaigns using PhantomRelay (PowerShell RAT), LegionRelay (lightweight PowerShell RAT), and FallSpy (Android spyware), all obfuscated with a suite of custom obfuscators including LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.

02 — Actor details

GREYVIBE — profile and tradecraft

Name Origin Target countries Target industries Motive

GREYVIBE Russia Ukraine, Moldova, Romania, Brazil, Venezuela, Guinea Military, Government, Defense, Energy, Civilian individuals, NGOs, Business entities, Software supplier Information theft, Espionage

Active campaigns and malware families:

PhantomMail PhantomClick PrincessClub DroneLink Nebo PhantomRelay / Lite / V1 / V2 FallSpy LegionRelay LOOKVALPS · LOOKVALJS · DAYLIGHT · TEASOUP

01

Attribution — Russia-nexus, Moscow time zone, state-aligned objectives

GREYVIBE has targeted Ukraine and Ukraine-related entities since at least August 2025, with development and testing observable from April 2025. WithSecure assesses with high confidence that operators are Russian-speaking and active in the Moscow time zone. The group's lures, victimology, and collection objectives align with Russian state interests, primarily intelligence gathering tied to the Russia-Ukraine conflict. Targeting has since expanded to Moldova, Romania, Brazil, Venezuela, and Guinea — consistent with broader Russian intelligence interest areas.

02

Five initial access vectors across concurrent campaigns

GREYVIBE operates five simultaneous campaigns with distinct delivery mechanisms. PhantomMail delivers malicious ZIP/RAR archives via spear-phishing links to Google Drive and 4sync. PhantomClick uses ClickFix fake-CAPTCHA pages impersonating Zoom and LAPAS. PrincessClub combines fake Ukrainian social-club websites with fake female Telegram personas to lure targets into downloading malware. DroneLink uses drone-themed fake charity sites to deliver payloads. Nebo employs a Russian-language "SPO NEBO" lure targeting military-adjacent personnel.

03

Unified Windows infection chain — lure → bundle → loader → payload → decoy

Every campaign follows the same Windows execution chain: a lure triggers a bundle that runs a loader showing a decoy — a PDF, a fake error pop-up, or a lure site — while the infection proceeds silently. In the script-based chain, a VBScript launcher fires a hidden PowerShell script. Both paths deploy the primary Windows payloads: PhantomRelay, a PowerShell RAT using a two-stage fingerprint-then-client model over WebSockets, and LegionRelay, a lightweight PowerShell RAT communicating over a REST API. FallSpy is the Android spyware used in the PrincessClub and Nebo campaigns. PhantomRelay also achieves lateral spread via USB using hidden files and malicious shortcuts.

04

Custom obfuscation suite — AMSI patching and ETW tampering

All payloads are obfuscated with GREYVIBE's custom obfuscator suite: LOOKVALPS (PowerShell), LOOKVALJS (JavaScript), DAYLIGHT, and TEASOUP. The PhantomRelayLite base variant adds SAWDUST and CRUDEDUST components which patch AMSI and tamper with the ETW provider to blind Windows telemetry and bypass script-block logging. Persistence is maintained primarily through scheduled tasks driven by a watchdog script, with a short-lived Startup folder shortcut variant as a secondary mechanism.

05

Privilege escalation and lateral movement — UAC bypass, RDP, hidden accounts

GREYVIBE achieves privilege escalation through three techniques: shortcut hijacking that fires a UAC prompt from a trusted icon; a CMSTP-based UAC bypass (cmstp.exe with a custom .INF file); and a custom .NET component masquerading as "Windows Update" that baits a UAC approval to re-register LegionRelay's scheduled task as SYSTEM. For lateral movement, operators enable persistent RDP, create hidden local administrator accounts concealed via the SpecialAccounts\UserList registry key, and share local disks over SMB.

06

C2 infrastructure and GenAI-assisted development — the defining GREYVIBE trait

PhantomRelay C2 has rotated across EDIS Global, KVMka, Cloudzy, and the suspected bulletproof host Global Connectivity Solutions LLP. FallSpy and LegionRelay C2 infrastructure remained on Baxet Group Inc. servers with Russian-language admin panels. The defining characteristic of GREYVIBE is its systematic use of generative AI: Ideogram AI for lure imagery and site design, ChatGPT and Google Gemini for obfuscator and full-stack RAT development, infrastructure provisioning guidance, and post-compromise scripting — representing an operational maturity shift enabled by commercial AI tooling.

03 — Recommendations

What to do now

Four prioritised defensive actions for security and operations teams, ordered by detection impact.

1

Restrict archive and script execution from email and file-sharing links

Treat ZIP/RAR archives delivered via links to Google Drive, 4sync, and similar services as high-risk. Block or sandbox execution of double-extension files (e.g., .pdf.js, .XLS.js, .Docx.rar). Disable or tightly control the Windows Script Host (wscript.exe / cscript.exe) for JavaScript loaders. Apply mail gateway rules to flag messages with archive links to consumer file-sharing services targeting government or military recipients.

2

Constrain PowerShell and LOLBIN abuse

Enable PowerShell Constrained Language Mode, script block and module logging, and transcription. Hunt for conhost.exe launched with the --headless parameter spawning PowerShell, for Invoke-Expression on remotely fetched content, and for command-history suppression via Set-PSReadlineOption -HistorySaveStyle SaveNothing and Remove-Module PSReadline — both GREYVIBE tradecraft signatures for covering post-execution tracks.

3

Hunt for watchdog and scheduled-task persistence

Alert on creation of scheduled tasks that re-execute scripts on short intervals (e.g., one minute after creation, then every three minutes). Hunt for tasks or loaders masquerading as vendor utilities — Razer, AMD, Adobe, "System Health Service," "Windows Check Updater." Inspect %ProgramData% and %LOCALAPPDATA% staging directories and Startup folder shortcuts for dropped .ps1 payloads, including SysCheckupService.ps1, RzUpdateManager.ps1, and WUDFHost.ps1.

4

Enforce strong UAC and privilege controls

Set UAC to always prompt and monitor for cmstp.exe invoked with custom .INF files. Watch for unexpected runas / RunAsInvoker shortcut modifications and treat sudden "Windows Update"-themed UAC prompts as suspicious. Audit creation of new local administrator accounts and accounts hidden via the SpecialAccounts\UserList registry key — a persistence mechanism GREYVIBE uses to conceal operator-created admin accounts from the Windows login screen.

04 — Indicators of compromise

IoCs — GREYVIBE / PhantomRelay / FallSpy / LegionRelay

Block or monitor all indicators below. All domains, IPs, emails, and URLs are defanged. The complete IoC set is also available via the WithSecure GitHub repository linked in References.

SHA-256 file hashes (selected)

476334f9254ef0277b3462b6086655f38358a983b95991cfe4dcdd787740906a
78773eb9738bc3306a56bf39adc8212226479c24af8bf453be9d57103a91a904
62b585f36d4b14fa1e036feed692267aa098e7fc6cabb468a07997a025309299
d60dd96ef92b43e2e4f955dd76448fc320c3f8445b661d9a4a3c40caca0aa8a5
687629ca9dc5b9b4bdf6c06fb1405449638b905f3a0c08bccac1c519ef22964d
8a7401444dd7c85b36ff7b1d0b36c5953692ef32dbeac7642fb7c1034bd8a726
e81af6ae6862d905d8634a1f6e0a8893ba28e3ce61d12ccac020ef6fae802e8b
93111e523c38d98247a78a0d1d9ae163e9874acb70721f6fe0bf451c62fff283
c823a315c2c78d2fd345c9b38bb7fc31a8cbff96c534ce9cc66c4e54bc7935a2
5115eca388860371d994457793f3a3c2c3d106da48ca12ecccb9432522c56cc3
bd3f35b91bf83427e953d4cf531a0ee4b5ec9fc76b91700274effe0eba22510f
2abb318455960b446d034967c8403ec4339ba248b946f02cb1307ed7e6f4e327
e8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3
42464c188cb8116b63938b3236504ec4ae31c7cadb9063085b30dd468d88860f
7ac06aaf0cdc1c1f0f14b0e8ccc550f9df20e79f3ce321207ec7a1867d6227ef
f79b9d14b93d4c509386684f2aeebe53ab088e704b38b359db3ee7991942aec6
08eba15964cae61156a99d7ac33eedebdd6e9f3465dc77b5d8dc17dbedc2194a
18db95f2ae20a4ea86b3296f409eb3fc1131d2758c5bfdbda16a424a64e97d18
e9634032df81334e9e960ab8b88ff05a0f7ec9c034dc012f816f09e23c18d41b
40f9399ea067d69c0985aecdc54beddbcb585d7f660606e5bb4be981811c28ba
9e443d773df5adf0ab9e622bb8179ce899f46b2166f2faa09d54a4622a9ac5cc
296932373f9c54fcf4eb285f81a17b1b93c5a96e5ff6dfa097b4d8c4b8f53b81
89e052bd182df8de5960784c663f962d44e058c8920a437f54ab75d03a7da3bd
9b7008c43814c7bf18375774bd2ed5f3bda9316dbef20b7e086fe921838f1186

Domains (selected)

lapas[.]live
zoomconference[.]click
zoomconference[.]app
princess-mens[.]fun
princess-mens-club[.]com
princessclub[.]click
princessclub[.]best
princessclub[.]online
princessclub[.]cyou
clubprincess[.]click
frontforce[.]org
ukrguard[.]org
ukrbezpeka[.]online
ironbrave[.]online
ukrvarta[.]online
edbo[.]linkpc[.]net
edbo[.]publicvm[.]com
edbo[.]work[.]gd
dsszzi[.]linkpc[.]net
declaration[.]linkpc[.]net
goodhillsenterprise[.]com
doct0rsim[.]com
routinesyscheckup[.]com
serotoninenterprise[.]com
newstarcommunity[.]com
jackscommunications[.]com
fasterscommunications[.]com
bsnowcommunications[.]com
highfleetenterprise[.]com
flyskyenterprise[.]com
newsolutionsxsenterprise[.]icu
nycpartnersenterprise[.]com
chiselworksenterprise[.]com
bluelagoonaenterprise[.]com
neuromancersolutionsenterprise[.]icu
aerobionix[.]com
prosearium[.]net
red-viper[.]com
xpertlearninghub[.]com

Email addresses (spoofed / actor-controlled)

centrenergo[.]ukr[@]gmail[.]com
centrenergo[.]ua[@]gmail[.]com
office[.]dsns[.]dp[@]gmail[.]com
kanc[.]kh[.]dsns[@]gmail[.]com
office[.]cip[.]ua[.]gov[@]gmail[.]com
office[.]gov[.]cips[@]gmail[.]com

Filenames

SysCheckupService.ps1
SystemHealthSvc.ps1
Configuration.ps1
Configurate.ps1
WUDFHost.ps1
razer_update.log
RzUpdateManager.ps1
RzTelemetry.ps1

File paths

%ProgramData%\WindowSystem
%ProgramData%\Microsoft Windows
C:\ProgramData\AMD\amd.ps1
C:\ProgramData\BackUp\backup.ps1
C:\ProgramData\Adobe\dfDgrr3.ps1
%LOCALAPPDATA%\Razer Update (staging directory)

IPv4 addresses

188[.]124[.]59[.]120
193[.]233[.]23[.]81

IPv4:Port (C2 listeners)

89[.]37[.]185[.]60[:]14000
74[.]112[.]102[.]120[:]14000
194[.]87[.]128[.]243[:]8000
194[.]87[.]108[.]110[:]8000
89[.]125[.]189[.]118[:]8000
89[.]125[.]189[.]85[:]8000
91[.]149[.]221[.]124[:]8000

Scheduled task names

System Health Service
Microsoft System Health Service
Razer Synapse Service Helper
Adobe working
BackUp checker
AMD Checker

Actor usernames (PrincessClub personas)

vikagogogo111
nastyaa2001lov
lilymihalyk

URLs

hxxps[:]//storage[.]vlasiuk[.]kiev[.]ua/SW90D0qhta/матеріали_конференції[.]zip
hxxps[:]//share[.]secureinfo[.]eu/get/ypMXMG58xH/Матеріали_конференції_доп[.]zip
hxxps[:]//www[.]4sync[.]com/web/directDownload/tcqtmocL/MyE7HPqt[.]11b47e3a02edac898638b1906774210d
hxxps[:]//drive[.]google[.]com/file/d/1RDXHPZtCzOXn6GN7UidXPo4qqZOA_UGd
hxxps[:]//drive[.]google[.]com/file/d/12ffiBTWHm6GW8chJNIXuOeALPI82VnNs
hxxps[:]//drive[.]google[.]com/file/d/1wkgvtTw_g5CvK84rWiHCr6HPZZb_OeKd
hxxps[:]//drive[.]google[.]com/file/d/1aSIXJgZUT7AQEp5B_D7gyHRq74EFUxoz
t[.]me/s/sdgsersergser

05 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for GREYVIBE across all five campaigns and both Windows and Android platforms.

ID Tactic Technique / sub-technique

T1583.001Resource dev.Acquire infrastructure — domains

T1584.001Resource dev.Compromise infrastructure — domains

T1585.001Resource dev.Establish accounts — social media accounts (fake Telegram personas)

T1585.002Resource dev.Establish accounts — email accounts

T1587.001Resource dev.Develop capabilities — malware (GenAI-assisted RAT development)

T1588.002Resource dev.Obtain capabilities — tool

T1608.001Resource dev.Stage capabilities — upload malware

T1566.002Initial accessPhishing — spearphishing link (Google Drive / 4sync archives)

T1566.001Initial accessPhishing — spearphishing attachment

T1566.003Initial accessPhishing — spearphishing via service (Telegram personas)

T1091Initial accessReplication through removable media (PhantomRelay USB spread)

T1204.001ExecutionUser execution — malicious link

T1204.002ExecutionUser execution — malicious file

T1204.004ExecutionUser execution — malicious copy and paste (ClickFix)

T1059.001ExecutionCommand and scripting interpreter — PowerShell (PhantomRelay / LegionRelay)

T1059.007ExecutionCommand and scripting interpreter — JavaScript (LOOKVALJS)

T1053.005ExecutionScheduled task/job — scheduled task (watchdog tasks)

T1202ExecutionIndirect command execution

T1053.005PersistenceScheduled task/job — scheduled task (watchdog re-registration)

T1547.001PersistenceBoot or logon autostart execution — registry run keys / startup folder

T1136.001PersistenceCreate account — local account (hidden admin accounts)

T1548.002Priv. escalationAbuse elevation control mechanism — bypass UAC (CMSTP, fake Windows Update)

T1547.009Priv. escalationBoot or logon autostart execution — shortcut modification (UAC hijacking)

T1027.006Defense evasionObfuscated files or information — HTML smuggling

T1140Defense evasionDeobfuscate/decode files or information (LOOKVALPS / DAYLIGHT / TEASOUP)

T1562.001Defense evasionImpair defenses — disable or modify tools (SAWDUST AMSI patch)

T1070.003Defense evasionIndicator removal — clear command history (PSReadline removal)

T1497Defense evasionVirtualization/sandbox evasion

T1564.001Defense evasionHide artifacts — hidden files and directories (USB spread)

T1564.002Defense evasionHide artifacts — hidden users (SpecialAccounts\UserList)

T1218.003Defense evasionSystem binary proxy execution — CMSTP (UAC bypass)

T1036.005Defense evasionMasquerading — match legitimate name or location (Razer, AMD, Adobe task names)

T1480Defense evasionExecution guardrails

T1003.002Credential accessOS credential dumping — Security Account Manager

T1555.003Credential accessCredentials from password stores — credentials from web browsers

T1539Credential accessSteal web session cookie

T1056.001Credential accessInput capture — keylogging

T1082DiscoverySystem information discovery

T1033DiscoverySystem owner/user discovery

T1083DiscoveryFile and directory discovery

T1016DiscoverySystem network configuration discovery

T1518DiscoverySoftware discovery

T1113CollectionScreen capture

T1005CollectionData from local system

T1119CollectionAutomated collection

T1560.001CollectionArchive collected data — archive via utility

T1123CollectionAudio capture (FallSpy — Android)

T1125CollectionVideo capture (FallSpy — Android)

T1636.003CollectionProtected user data — contact list (FallSpy — Android)

T1636.002CollectionProtected user data — call log (FallSpy — Android)

T1430CollectionLocation tracking (FallSpy — Android)

T1071.001C2Application layer protocol — web protocols (WebSocket / REST API)

T1102.001C2Web service — dead drop resolver

T1132.001C2Data encoding — standard encoding

T1572C2Protocol tunneling

T1090C2Proxy

T1219C2Remote access software (persistent RDP)

T1021.001Lateral movementRemote services — Remote Desktop Protocol

T1021.002Lateral movementRemote services — SMB/Windows admin shares (local disk sharing)

T1041ExfiltrationExfiltration over C2 channel

T1496.001ImpactResource hijacking — compute hijacking

06 — References

Sources

[1] withsecure.com/en/resources-hub/w-labs/greyvibe/

[2] withsecure.com/content/dam/labs/docs/WithSecure_GREYVIBE.pdf

[3] github.com/WithSecureLabs/iocs/blob/master/GREYVIBE/greyvibe_iocs.csv

June 9, 2026

Amber | Atack

Operation Dragon Weave Spins a Web of Espionage Through Microsoft Azure

TA2026152 — Operation Dragon Weave: AZUREVEIL & RUSTCLOAK | HiveForce Labs

01 — Summary

Operation Dragon Weave — espionage through Microsoft Azure

Threat level: Amber Campaign: Operation Dragon Weave Malware: AZUREVEIL · RUSTCLOAK Platform: Windows Regions: Czech Republic · Taiwan Admiralty: A1

First seen

March 2026

TA number

TA2026152

C2 mechanism

Azure Blob Storage dead-drop

Targeted industries

Government · Research · Technology · Finance

Initial access

Spear-phishing ZIP · LNK or Rust dropper

SAS token validity

March 2026 – March 2027

Operation Dragon Weave is a targeted cyber-espionage campaign aimed at government officials and citizens in the Czech Republic and Taiwan. It begins with a spear-phishing email carrying a ZIP attachment whose contents masquerade as official government correspondence. The archive delivers malware through one of two interchangeable infection paths — a malicious LNK shortcut or a self-contained Rust-based executable dropper — both converging on DLL sideloading of a malicious UnityPlayer.dll.

That DLL is a Rust loader (RUSTCLOAK) which decrypts and executes the final payload, AZUREVEIL — a 64-bit AdaptixC2 agent notable for using Microsoft Azure Blob Storage as a dead-drop command-and-control channel, blending its encrypted traffic with legitimate cloud activity. AZUREVEIL supports 36 post-exploitation commands including in-memory Beacon Object File (BOF) execution. A hardcoded Shared Access Signature (SAS) token valid through March 2027 indicates the infrastructure was built for long-term persistent access.

02 — Attack details

How the attack unfolded

Operation Dragon Weave demonstrates sophisticated tradecraft: dual infection paths, anti-analysis checks, Azure cloud C2 blending, and infrastructure designed to sustain access for a full year.

01

Spear-phishing delivery — government-themed ZIP lure

Operation Dragon Weave targets government officials and citizens in Taiwan and the Czech Republic using spear-phishing emails disguised as legitimate government communications — such as project review notices or appointment notifications. Victims receive a ZIP archive delivering malware through one of two methods: a malicious Windows shortcut (LNK) disguised as a PDF document, or a Rust-based dropper that extracts the required components onto the system. The use of Traditional Chinese filenames and Czech-language decoy documents underscores the campaign's precision targeting. The earliest known sample was uploaded from Taiwan in March 2026.

02

Dual infection chains — VBScript/PowerShell and Rust dropper converge on RUSTCLOAK

In the script-based infection chain, a VBScript launches a hidden PowerShell script that decrypts and reconstructs a malicious executable named RuntimeBroker_update.exe while displaying a decoy document to distract the victim. Both infection methods — the LNK path and the Rust dropper path — ultimately execute RuntimeBroker_update.exe, which uses DLL sideloading to load a malicious library called UnityPlayer.dll, also known as RUSTCLOAK. Before running its payload, RUSTCLOAK performs sandbox and analysis-environment detection checks. A developer oversight also exposed a Rust build path and the username dell2 within the malware binary.

03

RUSTCLOAK → AZUREVEIL — decryption, evasion, and full AdaptixC2 deployment

RUSTCLOAK decrypts and launches its final payload, AZUREVEIL, using multiple encryption and evasion techniques. AZUREVEIL is a fully featured AdaptixC2 agent supporting file operations, command execution, shell access, network tunneling, and in-memory execution of additional tools including Beacon Object Files (BOFs). These 36 post-exploitation capabilities give the attacker flexibility for espionage, lateral movement, and sustained access within compromised environments.

04

Azure Blob Storage C2 — dead-drop channel with hardcoded SAS token

Rather than traditional command-and-control servers, AZUREVEIL uses Microsoft Azure Blob Storage (note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net) as a dead-drop C2 channel. HTTPS traffic blends the malware's communications with legitimate cloud activity. The implant periodically uploads encrypted beacons, retrieves encrypted commands, and returns encrypted results through the same storage container. Researchers identified a hardcoded Shared Access Signature (SAS) token with broad permissions to the Azure storage account, valid from March 2026 through March 2027 — indicating the infrastructure was deliberately designed to support long-term espionage operations and persistent victim network access.

03 — Recommendations

What to do now

Six prioritised response actions for security and operations teams. Action 1 should be deployed immediately across all network egress controls.

1

Block the Azure Blob Storage C2 endpoint

Block and alert on all outbound connections to the identified dead-drop storage account note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net. Treat all listed file hashes as high-priority detections across endpoint and network tooling, and configure SIEM alerts for any connection attempts to this domain.

2

Restrict LNK and script execution

Block execution of unexpected LNK shortcut files and unsigned binaries delivered via email. Constrain wscript.exe and PowerShell so that script-based dropper chains cannot run silently from user-writable directories. Apply WDAC or AppLocker policies to enforce these restrictions.

3

Constrain PowerShell execution-policy bypass

Restrict or closely monitor PowerShell invocations that use execution-policy bypass and hidden-window flags (-ExecutionPolicy Bypass, -WindowStyle Hidden). This pattern is the campaign's primary mechanism for running its decryption stage without user visibility and is the earliest scriptable detection point.

4

Hunt for DLL sideloading of UnityPlayer.dll

Hunt across endpoints for RuntimeBroker_update.exe and BrowserViewUtility.exe loading a UnityPlayer.dll from non-standard, user-writable paths. This DLL sideloading pattern is the convergence point for both the LNK and Rust dropper infection chains and represents a high-confidence detection indicator for RUSTCLOAK.

5

Monitor suspicious file creation in %LOCALAPPDATA% and %TEMP%

Detect creation of campaign-staged artifacts — 1.dat, Com.dat, RuntimeBroker_update.exe, and related components — in %LOCALAPPDATA%\WebViewFixUtility and %TEMP%. Isolate hosts where these patterns appear and treat them as confirmed compromises pending investigation.

6

Strengthen spear-phishing defenses

Reinforce email filtering to block ZIP attachments containing LNK or executable files. Deliver targeted user-awareness training for government, research, technology, and financial-services staff in the affected regions on double-extension lures and fake official-document themes consistent with Operation Dragon Weave's delivery methodology.

04 — Indicators of compromise

IoCs — Operation Dragon Weave / AZUREVEIL / RUSTCLOAK

Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. The Azure domain is defanged.

SHA-256 file hashes

096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447
1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4
080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192
5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1
61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15
24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4
02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e
8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9
047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574
a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a
823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de
783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0

Domain — Azure Blob Storage C2

note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net

05 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for Operation Dragon Weave / AZUREVEIL / RUSTCLOAK campaign.

ID Tactic Technique / sub-technique

T1566.001 Initial access Phishing — spearphishing attachment (ZIP with LNK or Rust dropper)

T1204.002 Execution User execution — malicious file

T1059.001 Execution Command and scripting interpreter — PowerShell (hidden decryption stage)

T1059.005 Execution Command and scripting interpreter — Visual Basic (VBScript launcher)

T1574.001 Defense evasion Hijack execution flow — DLL sideloading (UnityPlayer.dll / RUSTCLOAK)

T1027 Defense evasion Obfuscated files or information (multi-layer encrypted payloads)

T1497.001 Defense evasion Virtualization/sandbox evasion — system checks (RUSTCLOAK pre-execution)

T1620 Defense evasion Reflective code loading (in-memory BOF execution via AZUREVEIL)

T1055 Defense evasion Process injection

T1083 Discovery File and directory discovery

T1057 Discovery Process discovery

T1016 Discovery System network configuration discovery

T1082 Discovery System information discovery

T1102.001 C2 Web service — dead drop resolver (Azure Blob Storage)

T1573 C2 Encrypted channel (HTTPS beacon / command / result cycle)

T1090 C2 Proxy

T1105 C2 Ingress tool transfer

T1041 Exfiltration Exfiltration over C2 channel (Azure Blob Storage)

06 — References

Sources

[1] seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/

June 9, 2026

Red | Attack

Iranian-Nexus Intrusion Targeting Oman's Government

TA2026151 — Iranian-Nexus Intrusion Targeting Oman's Government | HiveForce Labs

01 — Summary

What happened

An active Iranian-aligned cyber espionage operation targeted twelve Omani government ministries, with the Ministry of Justice and Legal Affairs (MJLA) as the primary victim. The campaign was uncovered after the threat actor inadvertently left an attacker-controlled staging VPS (172.86.76[.]127, resolving to dubai-10.vaermb[.]com, UAE-hosted) publicly exposed — revealing the complete operator toolkit, command-and-control source code, session logs, and exfiltrated victim data in plaintext. Operator sessions were observed between April 8–10, 2026.

Initial access against MJLA most likely came through CVE-2025-32372, an SSRF flaw in DotNetNuke versions prior to 9.13.8. Secondary vectors included the ProxyShell chain (CVE-2021-34473 / 34523 / 31207) against Microsoft Exchange servers. The operator deployed a custom ASPX webshell, a Python C2 with PowerShell beacon, Chisel for encrypted tunneling, and GodPotato for privilege escalation, ultimately exfiltrating over 26,000 MJLA user records, judicial case data, citizen IDs, and SAM/SYSTEM registry hives. No definitive group-level attribution has been made, though TTPs strongly overlap with MOIS-linked clusters APT34 (OilRig) and MuddyWater (Mango Sandstorm).

02 — Vulnerability details

Exploited CVEs

Four vulnerabilities were exploited or leveraged across this intrusion campaign. All have available patches — prioritise immediate remediation.

CVE Name / description Affected product CISA KEV Patch

CVE-2021-34473 ProxyShell — Exchange Server Remote Code Execution Microsoft Exchange Server KEV ✓ Patch ✓

CVE-2021-34523 ProxyShell — Exchange Server Privilege Escalation Microsoft Exchange Server KEV ✓ Patch ✓

CVE-2021-31207 ProxyShell — Exchange Server Security Feature Bypass Microsoft Exchange Server KEV ✓ Patch ✓

CVE-2025-32372 DotNetNuke Server-Side Request Forgery (SSRF) DotNetNuke (DNN) Platform KEV — Patch ✓

03 — Attack details

How the intrusion unfolded

The operation reflects a deliberate, intelligence-driven campaign against Omani government infrastructure, underpinned by opportunistic OPSEC failures that exposed the full operator toolkit to researchers.

01

Discovery — exposed staging VPS reveals full operator toolkit

The campaign was uncovered after the threat actor left their attacker-controlled staging VPS (172.86.76[.]127, resolving to dubai-10.vaermb[.]com, UAE-hosted) publicly accessible. The exposed server contained the complete operator toolkit, C2 source code, session logs, and exfiltrated victim data in plaintext. Operator sessions were logged between April 8–10, 2026. The targeting builds on a 2025 incident attributed to the Homeland Justice persona (Void Manticore), in which Oman's Ministry of Foreign Affairs mailbox in Paris was hijacked to spear-phish embassies worldwide.

02

Initial access — CVE-2025-32372 SSRF and ProxyShell across 12 ministries

The operation targeted twelve Omani government bodies: MJLA, Royal Oman Police, Royal Fleet of Oman, Tax Authority of Oman, State Audit Institution, Royal Court Affairs, Authority for Public Services Regulation, Civil Aviation Authority, Information Technology Authority, Ministry of Finance, MTCIT, and the Office of Public Prosecution. Initial access against MJLA most likely came through CVE-2025-32372, an SSRF flaw in DotNetNuke versions prior to 9.13.8. Secondary vectors included the ProxyShell chain (CVE-2021-34473 / 34523 / 31207) against Exchange servers — tradecraft previously associated with MuddyWater in regional intrusions — alongside credential brute-force attempts against the eVisa portal and the State Audit Institution training platform.

03

Execution and persistence — ASPX webshell, Python C2, Chisel, GodPotato

The operator deployed a custom ASPX webshell (hc2.aspx, health_check_t.aspx) through the DotNetNuke /Portals/0/ directory, providing persistent remote command execution. A host-level persistence attempt using a scheduled task named MicrosoftEdgeUpdate was blocked by Microsoft Defender. The operator then deployed a Python HTTP C2 paired with a PowerShell beacon polling every 30 seconds, returning base64-encoded results in 1,500-character chunks. Chisel was staged on port 7777 for encrypted tunneling. GodPotato — later replaced by a reflective in-memory variant — abused SeImpersonatePrivilege for local privilege escalation, tradecraft consistent with APT34's documented Gulf-targeted kernel-level operations.

04

Exfiltration — 26,000+ MJLA records, judicial data, SAM/SYSTEM hives

On April 10, 2026 at 03:00 UTC, the operator exfiltrated over 26,000 MJLA user records — including staff emails and credentials — alongside judicial judgments, case session attachments, committee decisions, and queries against the eGov_Person table targeting national IDs, names, birthdates, and nationality data. SAM and SYSTEM registry hives were staged in C:\Windows\Temp for exfiltration via port 9002, effectively compromising all local-machine secrets and cached domain credentials in the MJLA environment.

05

Attribution — Iranian state-nexus overlap with APT34 and MuddyWater

No definitive group-level attribution has been made. However, TTPs strongly overlap with MOIS-linked clusters APT34 (OilRig) and MuddyWater (Mango Sandstorm). The activity continues a broader pattern of Iranian state-nexus targeting against GCC critical infrastructure, alongside the Handala destructive wiper campaign and MOIS-aligned dissident espionage operations targeting the region.

04 — Recommendations

What to do now

Six prioritised response actions for security and operations teams. Actions 4 and 5 are critical for any organisation sharing identity infrastructure with MJLA.

1

Patch Microsoft Exchange against the ProxyShell chain

Apply Microsoft Exchange Server security updates addressing CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. Any internet-facing Exchange server that has not received the May 2021 cumulative update or later remains vulnerable to the full ProxyShell exploit chain demonstrated in this campaign.

2

Upgrade DotNetNuke to 9.13.8 or later

Update all DotNetNuke (DNN) Platform instances to version 9.13.8 or newer to remediate CVE-2025-32372. Pay particular attention to ministry and government portals that expose DNN as a public-facing CMS, including those sharing identity-provider infrastructure such as SimpleSAMLphp federation.

3

Audit and restrict the /Portals/0/ path on DotNetNuke

Inspect the DotNetNuke /Portals/0/ directory for unauthorized ASPX files matching webshell patterns such as health_check_t.aspx or hc2.aspx. Restrict write permissions to the path and configure the IIS handler mapping so that arbitrary ASPX files placed in content directories cannot be served as executable script.

4

Reset MJLA and DotNetNuke application credentials

For MJLA and any organisation sharing federation with MJLA's SimpleSAMLphp identity provider, force-reset all DotNetNuke application accounts — with priority to superuser and aspnet_Membership-backed accounts — invalidate active sessions, and rotate any service-account passwords accessible from compromised hosts.

5

Rotate domain credentials and re-secure SAM/SYSTEM material

Because both SAM and SYSTEM registry hives were extracted from the MJLA environment, treat all local-machine secrets, cached domain credentials, and machine-account secrets as compromised. Reset them, force a krbtgt double-rotation if Active Directory was reachable, and audit Kerberos ticket lifetimes for anomalies.

6

Adopt network segmentation between ministry portals

Because ITA and MTCIT portals share the /ITAPortal_AR/ URL structure and likely a common codebase, and because MJLA's SimpleSAMLphp identity provider could federate authentication across ministries, segment ministry portals from one another, isolate the identity provider in a dedicated security zone, and apply per-ministry boundary controls so that a single portal compromise cannot pivot horizontally.

05 — Indicators of compromise

IoCs — Iranian-nexus Oman intrusion

Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. All domains and IPs are defanged.

IPv4 addresses

172[.]86[.]76[.]127
172[.]86[.]76[.]101
172[.]86[.]76[.]94
172[.]86[.]76[.]108
172[.]86[.]76[.]112
172[.]86[.]76[.]120
172[.]86[.]76[.]121
172[.]86[.]76[.]124
172[.]86[.]76[.]129
172[.]86[.]76[.]130
45[.]59[.]114[.]60
104[.]21[.]27[.]95
172[.]67[.]142[.]35

Domains

dubai-10.vaermb[.]com
dubai-1.vaermb[.]com
dubai-2.vaermb[.]com
dubai-3.vaermb[.]com
dubai-4.vaermb[.]com
dubai-5.vaermb[.]com
dubai-6.vaermb[.]com
dubai-7.vaermb[.]com
dubai-8.vaermb[.]com
dubai-9.vaermb[.]com
regorixa[.]com
myjitsi.exceptionnotfound[.]ir
shop.exceptionnotfound[.]ir
price.exceptionnotfound[.]ir
tools.exceptionnotfound[.]ir
myjitsi.mrnajafipour[.]ir
s5.sideliner[.]ir
suanefllix[.]com
brnettlix[.]com
brttfrixx[.]com
realprimefix[.]com
identificara[.]com

Filenames

hc2.aspx
health_check_t.aspx
proxyshell_01.sh
evisa_cookies.txt
c2_fixed.py
c2_fixed_v2.py
c2_json_v2.py
new_beacon.ps1
gp_v6_exec.py

File paths

/Portals/0/health_check_t.aspx
/opt/c2/loot/
/opt/c2/payloads/
C:\Windows\Temp (registry hive staging)

SHA-256

ECC3611F7DCBAA53ACF44E67DE2F10D78A26E03B3C77BA28BBD3EE16B2E66437

Ports

8001 — C2 beacon listener
7777 — Chisel host
9002 — Registry hive exfiltration
9003 — Reverse SOCKS5 listener

06 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for the Iranian-nexus Oman government intrusion campaign.

ID Tactic Technique / sub-technique

T1595.002 Reconnaissance Active scanning — vulnerability scanning

T1583.003 Resource dev. Acquire infrastructure — virtual private server

T1588.002 Resource dev. Obtain capabilities — tool

T1190 Initial access Exploit public-facing application (CVE-2025-32372, ProxyShell)

T1110.001 Initial access Brute force — password guessing

T1059.001 Execution Command and scripting interpreter — PowerShell

T1059.003 Execution Command and scripting interpreter — Windows command shell

T1059.006 Execution Command and scripting interpreter — Python

T1505.003 Persistence Server software component — web shell

T1053.005 Persistence Scheduled task/job — scheduled task (MicrosoftEdgeUpdate)

T1134.001 Priv. escalation Access token manipulation — token impersonation/theft (GodPotato / SeImpersonatePrivilege)

T1562.001 Defense evasion Impair defenses — disable or modify tools

T1620 Defense evasion Reflective code loading (in-memory GodPotato variant)

T1027 Defense evasion Obfuscated files or information (base64-encoded C2 results)

T1036.004 Defense evasion Masquerading — masquerade task or service

T1036.005 Defense evasion Masquerading — match legitimate name or location

T1003.002 Credential access OS credential dumping — Security Account Manager (SAM)

T1110.002 Credential access Brute force — password cracking

T1555 Credential access Credentials from password stores

T1539 Credential access Steal web session cookie

T1082 Discovery System information discovery

T1016 Discovery System network configuration discovery

T1033 Discovery System owner/user discovery

T1083 Discovery File and directory discovery

T1046 Discovery Network service discovery

T1005 Collection Data from local system

T1213 Collection Data from information repositories (eGov_Person table)

T1560 Collection Archive collected data

T1071.001 C2 Application layer protocol — web protocols (Python HTTP C2)

T1090 C2 Proxy

T1572 C2 Protocol tunneling (Chisel on port 7777)

T1132.001 C2 Data encoding — standard encoding (base64)

T1041 Exfiltration Exfiltration over C2 channel

07 — Patch links & references

Sources

[1] msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-34473

[2] msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-34523

[3] msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-31207

[4] github.com/dnnsoftware/Dnn.Platform/releases/

[5] hunt.io/blog/iranian-nexus-oman-government-intrusion

[6] hivepro.com/threat-advisory/void-manticore-irans-evolving-cyber-warfare-model/

[7] hivepro.com/threat-advisory/muddywater-is-taking-advantage-of-old-vulnerabilities/

[8] hivepro.com/threat-advisory/apt34-tightens-cyber-espionage-grip-on-gulf-with-kernel-exploitation/

[9] hivepro.com/threat-advisory/prolonged-pursuit-of-oilrig-apt-targeting-middle-east-government/

[10] hivepro.com/threat-advisory/muddywater-irans-adaptive-cyber-espionage-machine/

[11] hivepro.com/threat-advisory/handala-claims-destructive-wiper-attack-on-gcc-nations-critical-infrastructure/

[12] hivepro.com/threat-advisory/iranian-mois-leverages-telegram-based-c2-in-espionage-campaign-targeting-dissidents/

June 9, 2026

Amber | Attack

Operation XENOFISCAL: SideCopy Adopts XenoRAT to Target Afghan Finance

TA2026150 — Operation XENOFISCAL: SideCopy & XenoRAT | HiveForce Labs

Attack Report · Threat Advisory · Amber · June 02, 2026

Operation XENOFISCAL: SideCopy adopts XenoRAT to target Afghan finance

Pakistan-linked APT SideCopy executed a precision spear-phishing campaign against Afghanistan's Ministry of Finance and its 34 provincial revenue directorates, deploying the open-source XenoRAT v1.8.7 remote access trojan through a fileless, multi-stage loader chain.

Threat level: Amber Threat actor: SideCopy APT Malware: XenoRAT v1.8.7 Platform: Windows Region: Afghanistan Admiralty: A1

First seen

2019

Campaign

Operation XENOFISCAL

TA number

TA2026150

Targeted industries

Government · Finance · Public admin

Initial access

Spear-phishing LNK in ZIP

C2 infrastructure

Bulletproof European hosting

01 — Summary

What happened

SideCopy — a Pakistan-linked advanced persistent threat cluster also tracked as UNC2269, White Dev 55, Mocking Draco, and TAG-140 — executed Operation XENOFISCAL, a targeted spear-phishing campaign directed at Afghanistan's Ministry of Finance and its provincial revenue and finance directorates across all 34 Mustoufiats. The attack delivered a malicious Windows shortcut (LNK) file inside a ZIP archive, using a Pashto-language lure themed around an intellectual and psychological warfare seminar to deceive provincial finance officials.

Execution of the LNK abused the legitimate Windows binary mshta.exe to kick off a multi-stage, largely fileless loader chain that ultimately deployed XenoRAT v1.8.7 — an open-source remote access trojan. The XenoRAT implant beaconed to bulletproof European hosting infrastructure kept deliberately separate from the Afghan-hosted delivery layer, providing the SideCopy APT with encrypted command-and-control, comprehensive surveillance capability, and long-term persistent access to compromised Windows hosts.

02 — Attack details

How the attack unfolded

Operation XENOFISCAL is a deliberate, intelligence-led operation underpinned by precise knowledge of Afghan administrative structure, a stealthy fileless delivery path, and a surveillance-capable implant engineered for quiet, persistent access.

01

Spear-phishing delivery — socially engineered LNK lure

SideCopy initiated the Operation XENOFISCAL campaign with a targeted spear-phishing message delivering a ZIP archive containing a malicious Windows shortcut (LNK) file. The LNK was disguised with a PDF icon and a carefully crafted Pashto-language filename referencing an employee list for an intellectual and psychological warfare seminar — a lure tailored precisely to provincial finance officials. The level of organisational specificity across all 34 Afghan Mustoufiats indicates prior intelligence gathering by the SideCopy APT group against Afghan government finance targets.

02

Fileless execution via mshta.exe — living-off-the-land binary abuse

When the victim opens the LNK, it silently launches mshta.exe from the System32 directory and directs it at a remote PHP resource hosted on a compromised Afghan education domain (abimj.edu.af). This living-off-the-land binary (LOLBIN) technique executes externally hosted script content directly in memory without writing an executable to disk. The URL was padded with excessive comma obfuscation to defeat static and signature-based detection. While the malicious chain proceeds in the background, the victim is shown a convincing decoy — an Afghan Ministry of Finance provincial staff directory covering all 34 provinces, written in Dari and Pashto — whose organisational depth confirms prior SideCopy intelligence collection.

03

XenoRAT v1.8.7 deployment — encrypted C2, mutex, and persistence

The final payload is XenoRAT v1.8.7, an open-source remote access trojan. On execution, XenoRAT establishes an encrypted TCP command-and-control channel to a hard-coded IP address and enforces single-instance execution via a mutex named clouda. The implant supports SOCKS5 proxy tunnelling and dynamic in-memory DLL loading through Assembly.Load. Persistence is reinforced via a scheduled task named XenoUpdateManager running at the highest available privileges, with a non-admin fallback writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Run under value Edgre. The implant can cleanly self-delete via a hidden cmd.exe routine when instructed by the operator.

04

Post-exploitation — surveillance, host reconnaissance, and long-term access

XenoRAT's post-exploitation capability set is built for comprehensive surveillance and host reconnaissance: keylogging, screen capture, clipboard monitoring, webcam and microphone capture, file upload/download/deletion, antivirus enumeration via WMI, and arbitrary command execution. C2 infrastructure is hosted on bulletproof European servers kept entirely separate from the Afghan-hosted delivery layer, providing operational compartmentalisation and long-term resilience for the SideCopy campaign against Afghan Ministry of Finance targets.

03 — Actor details

SideCopy APT — threat actor profile

SideCopy is a Pakistan-linked advanced persistent threat cluster active since at least 2019, conducting precision spear-phishing campaigns against South Asian government, defence, and finance sectors.

SideCopy UNC2269 White Dev 55 Mocking Draco TAG-140

Actor attributes

Attribution — Pakistan-linked
Active since — 2019
Targeted regions — Afghanistan (confirmed); South Asia (broader)
Targeted sectors — Government, Finance, Public administration, Defence
Known capabilities — Spear-phishing, LOLBIN abuse, fileless loaders, open-source RAT adoption, bulletproof C2 infrastructure

04 — Recommendations

What to do now

Prioritised response actions for security and operations teams. Action 1 should begin immediately on any suspected host.

1

Eradicate the persistence footprint

On suspected hosts, remove the registry value Edgre under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete the scheduled task XenoUpdateManager. Inspect and clear the staging directories C:\Users\Public\USOShared-1de48789-1285 and C:\Users\Public\firefx-1de87eec8-1241. Remove residual artifacts: zuidrt.hta, noway.bat, ayui.vmxx, and ayhui.vmxx.

2

Detect mshta.exe fetching remote content

Alert on mshta.exe executing with HTTP or HTTPS URL arguments — particularly remote index.php endpoints — and on mshta.exe spawned by explorer.exe or as a child of an LNK execution. This process lineage is the earliest reliable detection point for the Operation XENOFISCAL spear-phishing chain.

3

Hunt for fileless .NET loader behaviour

Build detection content for the loader tradecraft in this XenoRAT chain: RWX memory allocation via VirtualAlloc followed by CreateThread, .NET BinaryFormatter deserialization, AmsiScanBuffer patching, COMPLUS_Version environment-variable manipulation, and reflective Assembly.Load of in-memory payloads.

4

Constrain LOLBIN and script-host abuse

Deploy WDAC or AppLocker rules to restrict or block execution of mshta.exe and HTA files where not operationally required. Disable or tightly limit Windows Script Host, ActiveX, and legacy Internet Explorer script-host functionality that the JScript loader chain depends on to execute XenoRAT's fileless delivery.

05 — Indicators of compromise

IoCs — Operation XENOFISCAL / XenoRAT

Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. All domains and IPs are defanged.

SHA-256 file hashes

194B912C242604D6F9A79369F22338C58A13CE0CC2ED280CE505075808BC2F14
3B4194BDFE40D94031A94B30397FFD8A4B09D0A4057668E897B8BDCD1703DD01
DF9173A28C0B0B878C10A53D35CD7CE6F6ED66D207B6B7C4FF723721F1C027AB
A63E90EE57A1F213A8FE76EF1A6CFF5AE9ED7EBCEDA258431533825E648C0C67
5833917BD137804F5A021D2CB37ADFE5C4B7B67DBB06D59C3B9C5CF393835E45
99127C8C67D90E2776BEEB85281F9C68399BF4567B07A6B638D68B760212E88D
8F2D979EF33B2900351C94C7335275A9342C75189E1A901998E90A539E944A1A
0019212F25EB04BBB33BB194879C095265DB7855D6003BDD777CF0CBB90EB772
9AE3D785486022AF82EA92E51B26E3F55C1BBA88A7BE2AD9790F4240E8499D14

Domain

abimj[.]edu[.]af

IPv4 addresses

185[.]235[.]137[.]106
103[.]132[.]98[.]224
103[.]132[.]98[.]226

CIDR

103[.]132[.]98[.]0/23

URLs

hxxp[:]//abimj[.]edu[.]af/index[.]php
hxxp[:]//abimj[.]edu[.]af/institute/cloudiyaf/document[.]pdf
hxxp[:]//abimj[.]edu[.]af/institute/cloudiya/
hxxps[:]//abimj[.]edu[.]af/institute/10/
hxxps[:]//abimj[.]edu[.]af/institute/7/

Malicious filenames

ugayt.hta
noway.bat
zuidrt.hta
WayBroad.dll
Aotestpass.dll
ayui.vmxx
ayhui.vmxx

File paths

C:\Users\Public\USOShared-1de48789-1285\zuidrt.hta
C:\Users\Public\firefx-1de87eec8-1241

Mutex · Registry · Scheduled task

Mutex — clouda
Registry — HKCU\Software\Microsoft\Windows\CurrentVersion\Run · value: Edgre
Scheduled task — XenoUpdateManager

06 — MITRE ATT&CK TTPs

Tactics, techniques & sub-techniques

Full MITRE ATT&CK mapping for Operation XENOFISCAL / SideCopy XenoRAT campaign.

ID Tactic Technique / sub-technique

T1566.001 Initial access Phishing — spearphishing attachment

T1218.005 Execution System binary proxy execution — mshta

T1059.003 Execution Command and scripting interpreter — Windows command shell

T1059.007 Execution Command and scripting interpreter — JavaScript

T1129 Execution Shared modules

T1106 Execution Native API

T1547.001 Persistence Boot or logon autostart execution — registry run keys / startup folder

T1053.005 Persistence Scheduled task/job — scheduled task

T1140 Defense evasion Deobfuscate/decode files or information

T1027.011 Defense evasion Obfuscated files or information — fileless storage

T1620 Defense evasion Reflective code loading

T1564.001 Defense evasion Hide artifacts — hidden files and directories

T1055 Defense evasion Process injection

T1562.001 Defense evasion Impair defenses — disable or modify tools

T1070.004 Defense evasion Indicator removal — file deletion

T1012 Discovery Query registry

T1082 Discovery System information discovery

T1518.001 Discovery Software discovery — security software discovery

T1056.001 Collection Input capture — keylogging

T1113 Collection Screen capture

T1115 Collection Clipboard data

T1123 Collection Audio capture

T1125 Collection Video capture

T1071.001 C2 Application layer protocol — web protocols

T1095 C2 Non-application layer protocol

T1573.001 C2 Encrypted channel — symmetric cryptography

T1090.002 C2 Proxy — external proxy (SOCKS5)

T1568 C2 Dynamic resolution

T1583.001 Resource dev. Acquire infrastructure — domains

T1584 Resource dev. Compromise infrastructure

07 — References

Sources

[1] seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/

June 8, 2026

Red | Vulnerability

CVE-2026-0257 Fuels GlobalProtect Authentication Bypass Attacks

CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass | Threat Advisory TA2026149

HiveForce Labs · Threat Advisory · Vulnerability Report

CVE-2026-0257 Fuels GlobalProtect Authentication Bypass Attacks

Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability in PAN-OS and Prisma Access affecting the GlobalProtect portal and gateway when the authentication override cookie feature is enabled. Attackers forge trusted authentication cookies — requiring no valid credentials — to gain unauthorized access to internal networks via VPN. Exploitation was observed across multiple MDR customer environments beginning May 17, 2026, with proof-of-concept code publicly available. Patch all affected PAN-OS and Prisma Access versions immediately.

⚠ Threat Level: Red CVE-2026-0257 Auth Bypass · Cookie Forgery CWE-565 · Cookie without HMAC Actively Exploited · CISA KEV Listed PAN-OS 10.2 / 11.1 / 11.2 / 12.1 · Prisma Access 10.2 / 11.2 Patch Available: All Branches First Seen: May 13, 2026 Published: June 02, 2026

CVE ID

CVE-2026-0257

TA Number

TA2026149

Threat Level

Red

CISA KEV

Yes

CWE

CWE-565

Zero-Day

No

Attack Vector

Remote · No Auth

First Seen

May 13, 2026

Admiralty Code

A1

First Seen

May 13, 2026

CVE-2026-0257 first identified affecting PAN-OS GlobalProtect authentication override cookie feature

Wave 1 — Active Exploitation

May 17, 2026

Attackers used forged cookies to access local administrator accounts from Vultr-hosted infrastructure; spoofed MAC aa:bb:cc:dd:ee

Wave 2 — Second Campaign

May 21, 2026

Second exploitation wave from Dromatics Systems infrastructure; same spoofed MAC pattern observed; 8/10 MDR environments compromised via cookie-only auth

01 — Overview

Summary

Palo Alto Networks has confirmed that CVE-2026-0257 — a critical authentication bypass vulnerability affecting PAN-OS GlobalProtect portal and gateway components — is being actively exploited across multiple organizations. The flaw is triggered when the authentication override cookie feature is enabled, a non-default configuration requiring manual activation. When deployed incorrectly, this feature allows attackers to forge encrypted authentication cookies that PAN-OS accepts as legitimate, granting full VPN access without requiring valid user credentials.

The vulnerability stems from a fundamental design flaw classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking): the GlobalProtect appliance decrypts submitted authentication override cookies and automatically trusts the resulting content without performing any digital signature verification or integrity check. When administrators reuse the HTTPS service certificate for cookie encryption — exposing the public key during TLS handshakes — an attacker can trivially retrieve that key and craft fully accepted forged cookies. A public proof-of-concept exploit has been demonstrated.

Active exploitation was confirmed in two distinct waves beginning May 17, 2026, with attackers successfully authenticating to local administrator accounts across MDR customer environments using forged cookies. Both campaigns shared the spoofed MAC address aa:bb:cc:dd:ee, indicating a common operational playbook. In 8 of 10 affected environments, authentication succeeded without even establishing a complete VPN session; in the remaining cases, VPN IP addresses were assigned, providing direct internal network access.

02 — CVE Reference

CVE Details

CVE ID	Vulnerability Name	Affected Products	Affected CPE	CWE ID	Zero-Day	CISA KEV	Patch
`CVE-2026-0257`	Palo Alto Networks PAN-OS Authentication Bypass Vulnerability	Palo Alto Networks PAN-OS / Prisma Access (GlobalProtect with auth override cookies enabled)	`cpe:2.3:o:paloaltonetworks:panos::::::::`	`CWE-565`	✗ No	✓ Yes	✓ Yes

03 — Technical Analysis

Vulnerability Details

The four stages below document the complete technical anatomy of CVE-2026-0257 — from the authentication override cookie design flaw through the public certificate exploitation path and the confirmed active exploitation campaigns observed across MDR environments.

#1

Authentication Override Cookie Feature — Bearer Token Abuse in GlobalProtect

CVE-2026-0257 is a critical authentication bypass affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and Prisma Access. The flaw activates only when the authentication override cookie feature is enabled — a non-default setting requiring manual configuration. This feature allows authenticated users to receive encrypted cookies reusable in place of credentials, effectively functioning as bearer tokens. When deployed incorrectly, this convenience feature creates a serious, remotely exploitable attack surface.

#2

Root Cause — No Integrity Check After Cookie Decryption (CWE-565)

The vulnerability stems from how GlobalProtect processes authentication override cookies. When a request containing a portal-userauthcookie or portal-prelogonuserauthcookie value is submitted to the /ssl-vpn/login.esp endpoint, the appliance decrypts the supplied cookie and automatically trusts the resulting content. Critically, after decryption the cookie's authenticity is never verified through a digital signature or integrity check — classified as CWE-565. This design flaw allows any attacker with access to the public encryption key to generate a forged cookie that the appliance accepts as legitimate.

#3

Exploitation Path — Public TLS Certificate Key Retrieval Enables Cookie Forgery

Exploitation becomes particularly straightforward when administrators configure the appliance to reuse the same HTTPS service certificate for authentication override cookie encryption and decryption. Because the certificate's public key is exposed during the normal TLS handshake process, an attacker can easily retrieve it from the appliance. Using this public key, a malicious actor can craft forged authentication cookies and submit them to the GlobalProtect portal or gateway. If the correct key is used, the appliance accepts the forged cookie, grants authentication without valid credentials, and in some deployments assigns a VPN IP address providing direct access to internal network resources. This attack path has been publicly demonstrated via a proof-of-concept exploit.

#4

Active Exploitation — Two Attack Waves, Spoofed MAC aa:bb:cc:dd:ee, 8/10 MDR Environments Compromised

Active exploitation was confirmed on May 17, 2026 when attackers used forged authentication cookies to access local administrator accounts from Vultr-hosted infrastructure. A second exploitation wave followed on May 21, 2026 from Dromatics Systems infrastructure. Investigators observed that both campaigns used the spoofed MAC address aa:bb:cc:dd:ee, indicating a shared operational pattern. In 8 out of 10 affected MDR customer environments, attackers successfully authenticated using forged cookies without establishing a complete VPN session. The remaining 2 incidents resulted in VPN IP address assignments, providing direct internal network access. No confirmed lateral movement beyond VPN appliances was observed, though the active weaponization of this flaw presents serious risk to exposed GlobalProtect deployments.

04 — Patch Versions

Affected & Fixed Versions

Palo Alto Networks has released patched builds across all affected PAN-OS branches. Apply the appropriate fixed version for your deployment immediately.

Product Branch	Fixed Versions (upgrade to one of the following)
PAN-OS `10.2`	`10.2.7-h34` · `10.2.10-h36` · `10.2.13-h21` · `10.2.16-h7` · `10.2.18-h6`
PAN-OS `11.1`	`11.1.4-h33` · `11.1.6-h32` · `11.1.7-h6` · `11.1.10-h25` · `11.1.13-h5` · `11.1.15`
PAN-OS `11.2`	`11.2.4-h17` · `11.2.7-h14` · `11.2.10-h7` · `11.2.12`
PAN-OS `12.1`	`12.1.4-h6` · `12.1.7`
Prisma Access `10.2`	`10.2.10-h36` — Prisma Access customers being actively upgraded per schedule
Prisma Access `11.2`	`11.2.7-h13` — Prisma Access customers being actively upgraded per schedule

05 — Mitigations

Recommendations

The following mitigations must be applied immediately to all PAN-OS and Prisma Access deployments with GlobalProtect authentication override cookies enabled. Patching is the only complete remediation for CVE-2026-0257; all other measures reduce exploitability in the interim only.

01

Apply Vendor Patches Immediately — One-Time Re-Authentication Required Post-Upgrade

Palo Alto Networks has released patched versions across all affected PAN-OS branches. Upgrade immediately to the appropriate fixed version for your branch (see the Affected & Fixed Versions table above). Prisma Access customers on versions 10.2 and 11.2 are being actively upgraded per schedule. Note: following the upgrade, GlobalProtect users will be required to re-authenticate once as a one-time consequence of the cookie regeneration logic introduced in the fix.

02

Apply Immediate Workarounds if Patching Cannot Be Done Immediately

Two vendor-recommended interim mitigations are available. Option A: generate a new certificate dedicated exclusively to authentication override cookie encryption and decryption, ensuring it is not shared with the portal or gateway HTTPS service or any other feature — this prevents attackers from retrieving the encryption key via the TLS handshake. Option B (more decisive): disable the authentication override feature entirely by unchecking the "Generate cookie for authentication override" and "Accept cookie for authentication override" options in both the GlobalProtect portal and gateway configuration. Either workaround substantially reduces exploitability until the patched version is deployed.

03

Audit GlobalProtect Configuration for Authentication Override Cookie Exposure

Administrators must audit GlobalProtect portal and gateway configurations to determine whether authentication override cookies are enabled and whether the relevant certificate is shared with the HTTPS service. On the portal, navigate to Network > GlobalProtect > Portals, select the Agent Configuration profile, and review the Authentication tab for the "Generate cookie for authentication override" and "Accept cookie for authentication override" options. On the gateway, check the Authentication Override tab within the Client Settings profile under the Agent tab. Any environment with both options enabled and the HTTPS certificate shared must be treated as actively at risk.

04

Hunt for Signs of Active Exploitation in Authentication Logs

Review GlobalProtect authentication logs for cookie-based authentications to local administrator accounts, particularly those originating from unfamiliar source IPs or hosting provider ranges (e.g., Vultr, Dromatics Systems). Look for the spoofed MAC address aa:bb:cc:dd:ee in connection records as a strong indicator of campaign activity. Treat any successful cookie authentication event from atypical or external infrastructure as a confirmed compromise indicator requiring immediate incident response activation — do not wait for additional confirmation before escalating.

06 — Threat Intelligence

Indicators of Compromise (IoCs)

The following indicators are associated with active exploitation of CVE-2026-0257 in Palo Alto Networks PAN-OS GlobalProtect environments. Block these at the network perimeter and correlate against authentication logs immediately.

Type	Value
IPv4	`104[.]207[.]144[.]154` `146[.]19[.]216[.]119` `146[.]19[.]216[.]120` `146[.]19[.]216[.]125`
Hostname	`GP-CLIENT` `DESKTOP-GP01`
Spoofed MAC	`aa:bb:cc:dd:ee` — observed in both May 17 and May 21 exploitation waves; shared operational pattern indicator

07 — MITRE ATT&CK Framework

MITRE ATT&CK TTPs

The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with the active exploitation of CVE-2026-0257 against Palo Alto Networks PAN-OS GlobalProtect deployments.

Tactic	Technique ID	Sub-technique ID	Description
Initial Access	`T1190`	—	Exploit Public-Facing Application — unauthenticated exploitation of GlobalProtect portal and gateway via forged authentication override cookies submitted to `/ssl-vpn/login.esp`
Defense Evasion	`T1550`	`T1550.004` — Web Session Cookie	Use Alternate Authentication Material — forged `portal-userauthcookie` and `portal-prelogonuserauthcookie` values submitted to bypass credential-based authentication entirely; appliance accepts without integrity verification
Lateral Movement	`T1021`	`T1021.005` — VPN	Remote Services — in incidents where VPN IP addresses were assigned after successful cookie-based authentication, attackers gained direct access to internal network resources via the GlobalProtect VPN infrastructure
Resource Development	`T1588`	`T1588.006` — Vulnerabilities	Obtain Capabilities — attackers weaponized the publicly disclosed `CVE-2026-0257` vulnerability and publicly available proof-of-concept exploit code to operationalize cookie forgery attacks across multiple MDR customer environments

08 — Patch Resource

Patch Link

https://security.paloaltonetworks.com/CVE-2026-0257

09 — Sources

References

June 8, 2026

Amber | Attack Report

Operation TrustTrap: APT36 Weaponizes 16,800 Spoofed Domains

Summary

Operation TrustTrap represents a massive coordinated phishing infrastructure campaign comprising more than 16,800 malicious domains active since early 2026 that impersonates government services across the United States, India, Vietnam, and the United Kingdom. Operation TrustTrap targets government, defense, diplomatic, transportation, Department of Motor Vehicles (DMV), toll payment, and healthcare sectors through sophisticated domain spoofing techniques rather than relying on traditional technical exploits. The Operation TrustTrap campaign weaponizes the visual trust of the ".gov" string by embedding government labels as non-root subdomain components, combined with hyphen manipulation and benign-word insertion to defeat regex-based detection while remaining legible to human readers who believe they are visiting legitimate government websites.

Operation TrustTrap spoofed portals resolve to infrastructure concentrated in Tencent Cloud and Alibaba Cloud APAC ASNs (Autonomous System Numbers), indicating centralized hosting infrastructure supporting the massive phishing campaign. A distinct cluster within the Operation TrustTrap dataset, including domains impersonating the National Investigation Agency (NIA) of India, exhibits tactics, techniques, and procedures (TTPs) consistent with the Pakistan-nexus threat actor APT36 (also known as Transparent Tribe, ProjectM, TEMP.Lapis, Mythic Leopard, Copper Fieldstone, Earth Karkaddan, STEPPY-KAVACH, Green Havildar, APT-C-56, Storm-0156, and Opaque Draco).

The Operation TrustTrap campaign begins with bulk-registration of thousands of domains on cheap, disposable top-level domains (TLDs), holding many dormant as a pre-provisioned reserve until campaign waves are triggered. Operation TrustTrap lures are distributed through SMS, email, and adjacent social-engineering vectors, with each link engineered to look like an authentic government URL. Once Operation TrustTrap victims click a lure, they are redirected to spoofed portals hosted on Tencent Cloud and Alibaba Cloud infrastructure that replicate the visual identity of impersonated agencies, presenting fake DMV, toll, or citizen-services payment forms designed to harvest personally identifiable information, payment-card data, and credentials at scale.

Attack Details

Operation TrustTrap Infrastructure and Domain Registration

Operation TrustTrap is a coordinated phishing infrastructure of more than 16,800 malicious domains, active since early 2026, that impersonates government services across the United States, India, Vietnam, and the United Kingdom. The Operation TrustTrap campaign begins not with a technical exploit but with domain registration. Operation TrustTrap operators bulk-register thousands of domains on cheap, disposable TLDs, holding many of them dormant as a pre-provisioned reserve until a campaign wave is triggered.

Operation TrustTrap lures are then distributed through SMS, email, and adjacent social-engineering vectors, with each link engineered to look like an authentic government URL through sophisticated subdomain manipulation. The Operation TrustTrap campaign weaponizes how humans interpret URLs rather than how machines parse them, exploiting the visual trust associated with government identifiers embedded within domain names to bypass both automated detection systems and human scrutiny.

Operation TrustTrap Credential Harvesting Infrastructure

Once an Operation TrustTrap victim clicks a lure, they are redirected to a spoofed portal hosted on infrastructure concentrated within Tencent Cloud and Alibaba Cloud APAC ASN ranges. Active Operation TrustTrap phishing URLs across the infrastructure consistently use a double-query-string parameter pattern that serves as a session-tracking mechanism, assigning unique identifiers to individual victims and monitoring engagement throughout the phishing workflow.

The uniformity of this double-query-string pattern (format: ?var1=xxxxx?var2=xxxxx) across hundreds of Operation TrustTrap URLs confirms a kit-driven, centrally managed operation rather than ad hoc phishing activity. Operation TrustTrap cloned portals replicate the visual identity of the impersonated government agency, often presenting fake DMV, toll, or citizen-services payment forms designed to harvest personally identifiable information, payment-card data, and credentials from victims who believe they are interacting with legitimate government services.

APT36 Attribution and India-Targeted Cluster

The attribution-significant cluster within the Operation TrustTrap dataset narrows the focus to Indian government targets and aligns operationally with APT36, a Pakistan-nexus advanced persistent threat actor with a documented record of targeting Indian government entities, defense personnel, and diplomatic infrastructure. The Operation TrustTrap cluster includes APT36 impersonation domains, such as one masquerading as the National Investigation Agency (NIA) of India, demonstrating the campaign's focus on high-value intelligence targets.

The random suffix characters in Operation TrustTrap domains mirror the automated domain-generation behavior documented in prior APT36 bulk-registration events, and the shared hosting IPs in Tencent Cloud and Alibaba APAC overlap with APT36 staging infrastructure observed in 2024 and 2025 campaigns. Attribution of the India-targeted Operation TrustTrap cluster to APT36 is assessed at moderate-to-high confidence based on the convergence of campaign overlap, infrastructure reuse, TLD and registrar patterns, India-specific trust-injection cues in the URL structure, and subdomain construction logic consistent with documented APT36 tradecraft.

Operation TrustTrap Operational Objectives

The operational endgame across the broader Operation TrustTrap dataset is credential and payment-data theft at scale, with secondary potential for follow-on intrusion against high-value targets in the APT36 sub-cluster. Because the Operation TrustTrap campaign relies on cognitive deception rather than payload execution, traditional binary-focused detection layers see little to act on during the initial compromise phase.

The Operation TrustTrap kit's session-tracking parameters and shared cloud-hosting infrastructure are the most reliable pivots for threat hunting and takedown operations across the campaign cluster. The massive scale of Operation TrustTrap, with over 16,800 registered domains, demonstrates significant investment in infrastructure by the threat actors and suggests ongoing campaign operations targeting government service users across multiple countries.

Recommendations

Hunt by eTLD+1, Not by Substring

Reconfigure URL inspection to evaluate the registered eTLD+1 (effective top-level domain plus one level) of every link rather than substring-matching for ".gov" or ".gov.in" strings. Treat any URL where a government label appears as a subdomain of a non-government registered domain as high-risk by default. This fundamental shift in detection logic is necessary to identify Operation TrustTrap domains that embed government identifiers in subdomain positions rather than legitimate top-level domain positions.

Detect the Kit's Session-Tracking Pattern

Author proxy and SIEM rules that flag URLs containing the characteristic double-query-string pattern ?var1=xxxxx?var2=xxxxx, which has been observed consistently across hundreds of Operation TrustTrap phishing URLs and provides a high-confidence campaign signature. This session-tracking mechanism is a distinctive technical indicator of Operation TrustTrap infrastructure that can be used to identify newly registered domains associated with the campaign.

Strengthen Domain Takedown Workflows

Establish or expand relationships with abuse contacts at Gname.com Pte. Ltd., the .bond and .cc registry operators, and Tencent Cloud and Alibaba Cloud abuse desks to accelerate takedowns of newly identified Operation TrustTrap infrastructure as the campaign continues to evolve. The massive scale of Operation TrustTrap requires coordinated takedown efforts across multiple registrars and hosting providers to disrupt the phishing infrastructure.

Enforce Email and Messaging Authentication on Brand Properties

Government bodies and impersonated brands should enforce DMARC, SPF, and DKIM authentication on official communication channels and publish clear citizen-facing reference URLs to reduce the success rate of look-alike-domain lures used in Operation TrustTrap campaigns. Public awareness campaigns should educate citizens to verify government URLs by checking the registered domain portion of the URL rather than relying on the presence of government keywords anywhere in the hostname.

Deploy eTLD+1-Aware Detection Tooling

Replace legacy substring-based phishing filters with detection logic that operates on the public-suffix-list-resolved registered domain, ensuring that subdomain spoofing of government labels is treated as suspicious regardless of how the rest of the hostname is constructed. This technical control addresses the core evasion technique employed by Operation TrustTrap to bypass traditional URL filtering systems.

MITRE ATT&CK TTPs

Resource Development

T1583: Acquire Infrastructure
- T1583.001: Domains
- T1583.006: Web Services
- T1583.003: Virtual Private Server
T1587: Develop Capabilities
T1608: Stage Capabilities
- T1608.001: Upload Malware
- T1608.005: Link Target

Initial Acces

T1566: Phishing
- T1566.002: Spearphishing Link
- T1566.003: Spearphishing via Service
T1189: Drive-by Compromise

Defense Evasion

T1036: Masquerading
- T1036.005: Match Legitimate Resource Name or Location
T1027: Obfuscated Files or Information
T1656: Impersonation

Credential Access

T1056: Input Capture
- T1056.003: Web Portal Capture

Collection

T1185: Browser Session Hijacking

Command and Control

T1071: Application Layer Protocol
- T1071.001: Web Protocols

Indicators of Compromise (IoCs)

Representative Domain Samples (from 16,800+ total domains):

Massachusetts State Government Impersonation

www[.]mass[.]gov-suc[.]cc
www[.]mass[.]gov-ypk[.]cc
www[.]mass[.]gov-wkg[.]cc
www[.]mass[.]gov-odb[.]cc
www[.]mass[.]gov-icw[.]cc

Arizona State Government Impersonation

www[.]az[.]gov-lzk[.]cc
www[.]az[.]gov-huv[.]cc
www[.]az[.]gov-ocq[.]cc
www[.]az[.]gov-cgt[.]cc

North Carolina DOT Impersonation

ncdot[.]gov-stmv[.]cc
ncdot[.]gov-stmn[.]cc
ncdot[.]gov-kfo[.]cc
ncdot[.]gov-kfy[.]cc

Generic Government Impersonation

www[.]gov-lzk[.]cc
www[.]gov-tda[.]cc
www[.]gov-cbv[.]cc
www[.]gov-wyx[.]cc

Session-Tracking Pattern

URL parameter format: ?var1=xxxxx?var2=xxxxx (consistent across Operation TrustTrap infrastructure)

Hosting Infrastructure

Tencent Cloud APAC ASNs
Alibaba Cloud APAC ASNs

Note: This represents a small sample of the 16,800+ domains identified in Operation TrustTrap. The complete IoC list is available on the Uni5Xposure platform.

References

https://cyble.com/blog/operation-trusttrap-domain-spoofing-campaign/

April 28, 2026

Red | Attack Report

Patched but Not Cured: FIRESTARTER Backdoor Survives Cisco Firewall Upgrades

Summary

The UAT-4356 threat actor (also known as Storm-1849 and the operator behind the ArcaneDoor campaign) has deployed a sophisticated persistence backdoor called FIRESTARTER that targets Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, and Cisco Firepower eXtensible Operating System (FXOS) across government, critical infrastructure, and telecommunications organizations worldwide. First observed in September 2025 with active exploitation commencing in March 2026, the FIRESTARTER backdoor campaign represents a critical evolution in network appliance compromise techniques, as the malware survives firmware updates, security patches, and graceful reboots on compromised Cisco firewall devices.

UAT-4356 actors exploited two zero-day vulnerabilities, CVE-2025-20333 (Cisco Secure Firewall buffer overflow vulnerability) and CVE-2025-20362 (Cisco Secure Firewall missing authorization vulnerability), in the VPN web server of Cisco Secure Firewall ASA and FTD software to gain unauthenticated remote access and remote code execution as root on internet-facing devices. After initial compromise through these FIRESTARTER vulnerabilities, the UAT-4356 actors deployed the LINE VIPER user-mode shellcode loader to establish illegitimate VPN sessions and harvest device configuration, administrative credentials, certificates, and private keys from compromised Cisco firewalls.

Subsequently, UAT-4356 implanted FIRESTARTER, a Linux ELF backdoor that hooks into the LINA process on the Cisco firewall and modifies the Cisco Service Platform mount list (CSP_MOUNT_LIST) to maintain persistence across reboots and firmware upgrades. Critically, FIRESTARTER backdoor survives firmware updates, security patches, and graceful reboots, allowing the UAT-4356 threat actor to retain access to compromised Cisco devices long after remediation actions are taken. The FIRESTARTER persistence mechanism intercepts graceful shutdown signals, copies itself to a secondary location, rewrites the Cisco Service Platform mount list to ensure re-execution on next boot, then restores the original mount list after boot, leaving minimal forensic trace and enabling indefinite access to patched devices.

FIRESTARTER backdoor operates in a dormant state, generating no outbound traffic, no log events, and no behavioral anomalies until activated by a crafted WebVPN authentication request containing a "magic packet" payload with embedded XML-based shellcode. This activation mechanism requires no re-exploitation of any CVE, meaning a fully patched Cisco device compromised before the patch window remains accessible indefinitely to UAT-4356 actors. Confirmed dwell time at one breached organization exceeded six months, and CISA issued advisory AR26-113A warning that patching is now necessary but insufficient, requiring forensic hunting and complete device reimaging to evict the UAT-4356 threat actor from compromised Cisco firewall infrastructure.

Attack Details

UAT-4356 Threat Actor and FIRESTARTER Campaign Origins

A sophisticated state-sponsored threat actor tracked as UAT-4356, also known as Storm-1849 and the operator behind the ArcaneDoor campaign, has returned with an evolved attack chain targeting Cisco Secure Firewall ASA, Firepower Threat Defense, and Firepower platforms globally. The UAT-4356 threat actor specializes in long-term compromise of internet-facing perimeter devices for espionage purposes, exploiting the limited visibility and infrequent patching cycles typical of network appliances to maintain persistent access.

The 2026 FIRESTARTER campaign evolution introduces a previously undocumented backdoor named FIRESTARTER, which materially changes the threat landscape for any organization that operated exposed Cisco firewall infrastructure prior to September 2025. The FIRESTARTER backdoor represents a significant advancement in persistence techniques, as it survives standard remediation procedures including firmware updates and security patches that would typically eliminate malware from compromised network devices.

FIRESTARTER Initial Access Through CVE-2025-20333 and CVE-2025-20362

The FIRESTARTER attack chain begins with chained exploitation of CVE-2025-20333 (buffer overflow vulnerability) and CVE-2025-20362 (missing authorization vulnerability) against internet-facing WebVPN interfaces on Cisco Secure Firewall ASA and FTD devices, yielding unauthenticated remote code execution as root. These FIRESTARTER initial access vulnerabilities were zero-day vulnerabilities at the time of exploitation and have since been added to the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation by UAT-4356 threat actors in the wild.

Following successful exploitation of the FIRESTARTER initial access vulnerabilities, the UAT-4356 actor deploys LINE VIPER, a user-mode shellcode loader providing command execution capabilities, packet capture functionality, credential theft, and bypass of authentication, authorization, and accounting policies on compromised Cisco devices. On legacy Cisco devices, RayInitiator bootkit malware is additionally deployed by UAT-4356 as a supplementary persistence mechanism. Across all supported Cisco platforms, FIRESTARTER backdoor is dropped as the primary persistence implant following LINE VIPER deployment.

FIRESTARTER Persistence Mechanism and CSP_MOUNT_LIST Modification

FIRESTARTER is a Linux ELF binary that hooks the LINA process on Cisco firewalls to establish persistence. During graceful shutdown of the compromised Cisco device, FIRESTARTER intercepts the termination signal, copies itself to a secondary location on the device filesystem, and rewrites the Cisco Service Platform mount list (CSP_MOUNT_LIST) located at /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST to ensure re-execution on next boot. After the Cisco device boots, FIRESTARTER restores the original mount list configuration, leaving minimal forensic trace of the persistence mechanism.

This FIRESTARTER persistence routine survives reboots, reload commands, and firmware upgrades on Cisco ASA and FTD devices. Only a hard power cycle interrupts the FIRESTARTER persistence mechanism, and even that is not a recommended remediation approach due to data corruption risks on Cisco firewall devices. The FIRESTARTER persistence technique exploits the Cisco Service Platform architecture to maintain presence across software upgrades that would typically eliminate malware from network appliances.

FIRESTARTER Dormant Operation and Magic Packet Activation

Once installed on a compromised Cisco device, FIRESTARTER backdoor lies dormant, generating no outbound traffic, no log events, and no behavioral anomalies that would alert security monitoring systems to the compromise. FIRESTARTER waits for a crafted WebVPN authentication request containing a "magic packet" payload, then parses an embedded XML-based shellcode and executes the UAT-4356 operator's payload, typically redeploying LINE VIPER for hands-on-keyboard operations.

Critically, this FIRESTARTER re-entry path requires no re-exploitation of any CVE vulnerability: a fully patched Cisco device compromised before the patch window remains accessible indefinitely to UAT-4356 actors through the FIRESTARTER magic packet activation mechanism. Confirmed dwell time at one breached organization exceeded six months, demonstrating the long-term persistence capabilities of FIRESTARTER backdoor on Cisco firewall infrastructure. Patching CVE-2025-20333 and CVE-2025-20362 is now necessary but insufficient to evict UAT-4356 from compromised environments; forensic hunting and complete device reimaging are required to fully remove FIRESTARTER backdoor.

Recommendations

Apply Cisco Fixed Software Releases for ASA and FTD

Upgrade all Cisco Secure Firewall ASA and FTD devices to the fixed software releases listed in Cisco's security advisory for CVE-2025-20333 and CVE-2025-20362 to close the initial access vulnerabilities exploited by UAT-4356 actors to deploy FIRESTARTER backdoor. Devices that are not yet patched, or that were updated to a still-vulnerable software version, must be moved to the explicitly listed fixed releases in the Cisco security advisory to prevent new FIRESTARTER compromises.

Reimage Devices to Remove FIRESTARTER

It is strongly recommended that organizations reimage and upgrade any Cisco device suspected of compromise by FIRESTARTER backdoor. Reimaging is the only fully reliable method to remove the FIRESTARTER persistence mechanism on confirmed-compromised devices, and Cisco recommends reimaging for both compromised and non-compromised cases where devices were exposed to the internet during the vulnerability window. Standard patching and firmware upgrades will not remove FIRESTARTER backdoor from devices compromised prior to patch application.

Hard-Power-Cycle Compromised Devices When Reimage Is Not Immediately Possible

Physically unplug the affected Cisco device from all power sources (including redundant power supplies) for at least one minute to interrupt FIRESTARTER persistence. The shutdown, reboot, and reload CLI commands will not clear the in-memory FIRESTARTER implant — only complete power loss will interrupt the backdoor. This hard power cycle is a temporary mitigation; complete device reimaging must still follow to fully remove FIRESTARTER backdoor from compromised Cisco infrastructure.

Hunt for FIRESTARTER on Cisco ASA and Firepower Devices

Run show kernel process | include lina_cs on every Cisco ASA, Firepower, and Secure Firewall device in the environment. Any output from this command should be treated as a confirmed FIRESTARTER compromise. Also inspect the Cisco device disk for the files /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, noting that UAT-4356 attackers can rename these FIRESTARTER artifacts to evade detection. Organizations should hunt for modifications to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST and /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp as indicators of FIRESTARTER persistence mechanism deployment.

MITRE ATT&CK TTPs

Initial Access

T1190: Exploit Public-Facing Application
T1133: External Remote Services

Defense Evasion

T1070: Indicator Removal
T1222: File and Directory Permissions Modification
T1564: Hide Artifacts
T1070: Indicator Removal
- T1070.004: File Deletion
- T1070.006: Timestomp
T1036: Masquerading
- T1036.005: Match Legitimate Resource Name or Location
T1055: Process Injection
T1562: Impair Defenses
- T1562.001: Disable or Modify Tools

Persistence

T1543: Create or Modify System Proces
T1078: Valid Accounts
T1546: Event Triggered Execution
- T1546.004: Unix Shell Configuration Modification
T1547: Boot or Logon Autostart Execution

Discovery

T1082: System Information Discovery
T1057: Process Discovery

Credential Access

T1552: Unsecured Credentials
- T1552.001: Credentials In Files

Command and Control

T1219: Remote Access Software
T1071: Application Layer Protocol
- T1071.001: Web Protocols
- T1070.004: File Deletion

Execution

T1059: Command and Scripting Interpreter

Collection

T1005: Data from Local System

Indicators of Compromise (IoCs)

File Paths

/usr/bin/lina_cs
/opt/cisco/platform/logs/var/log/svc_samcore.lo
/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST
/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp

Detection Command

show kernel process | include lina_cs (Any output indicates confirmed compromise)

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03

https://www.cisa.gov/news-events/news/cisa-warns-firestarter-malware-targeting-cisco-asa-including-firepower-and-secure-firewall-products

https://www.cisa.gov/news-events/analysis-reports/ar26-113a

https://blog.talosintelligence.com/uat-4356-firestarter/

https://www.ncsc.govt.nz/alerts/firestarter-malware-affecting-cisco-asa-and-ftd/

April 28, 2026

Red | Attack Report

The Gentlemen Ransomware: A Rapidly Scaling RaaS Threat

Summary

The Gentlemen ransomware emerged as a formidable Ransomware-as-a-Service (RaaS) operation in June 2025 and has rapidly escalated into a global cyber threat, claiming over 320 victims by April 2026, with approximately 240 victims compromised in the first months of 2026 alone. The Gentlemen RaaS operation targets organizations worldwide across Windows, Linux, NAS, BSD, and VMware ESXi platforms, excluding CIS countries in accordance with Russian-speaking ransomware group operational norms.

The Gentlemen ransomware operation is led by a Russian-speaking threat actor using the alias "hastalamuerte" (also tracked as LARVA-368), who previously operated as an affiliate crew leader called ArmCorp within the Qilin RaaS program before launching The Gentlemen as an independent ransomware brand following a payment dispute in July 2025. The Gentlemen RaaS supplies affiliates with a multi-OS Go-based ransomware locker for Windows, Linux, NAS, and BSD environments, plus a dedicated C-based locker specifically designed for ESXi hypervisors, enabling coordinated ransomware attacks across heterogeneous enterprise environments.

The Gentlemen ransomware affiliates have been observed combining the ransomware payload with SystemBC proxy malware and Cobalt Strike frameworks, establishing covert SOCKS5 tunnels for command-and-control communications, harvesting credentials with Mimikatz, and deploying ransomware domain-wide through weaponized Group Policy Objects. The Gentlemen ransomware operation follows a classic double-extortion model, exfiltrating hundreds of gigabytes to multiple terabytes of sensitive data per victim before encryption, then publishing stolen data on a dedicated Tor-based leak site and applying public pressure via a branded X/Twitter account if ransom demands remain unpaid. The Gentlemen ransomware has impacted manufacturing, technology, healthcare, retail, business services, transportation, financial services, education, government, real estate, agriculture, energy, insurance, pharmaceutical, food service, media, hospitality, charitable organizations, telecommunications, and legal sectors globally.

Attack Details

The Gentlemen RaaS Operation Origins and Business Model

The Gentlemen ransomware is a Ransomware-as-a-Service operation that publicly surfaced in September 2025, though malware samples and forensic evidence trace The Gentlemen ransomware development activity back to at least mid-July 2025, with its earliest confirmed victim, a Peruvian steel manufacturer, compromised as early as June 30, 2025. The Gentlemen ransomware operation is run by a Russian-speaking threat actor using the alias "hastalamuerte" (also tracked as LARVA-368), who previously led an affiliate crew called ArmCorp inside the Qilin RaaS program before launching The Gentlemen as an independent ransomware brand.

After a public payment dispute with Qilin on the RAMP underground forum in July 2025, hastalamuerte formalized an already-planned departure and launched The Gentlemen ransomware as an independent brand, reusing proven tooling and infrastructure from previous operations. The Gentlemen RaaS was formally advertised on underground forums on September 12, 2025 under the alias "Zeta88," promoting a minimal-infrastructure model consisting of a leak site plus Tox messenger and a cross-platform locker initially covering Windows and Linux, with NAS, BSD, and ESXi support added in later iterations.

Consisting of roughly 20 members, The Gentlemen ransomware group offers affiliates an aggressive 90/10 revenue split, well above the ransomware industry norm of 80/20, along with full control over victim negotiations, which has fueled rapid recruitment of seasoned operators from competing ransomware programs. This favorable affiliate split has contributed to The Gentlemen ransomware's explosive growth trajectory across global targets.

The Gentlemen Ransomware Rapid Scaling and Victim Impact

The Gentlemen ransomware group has scaled dramatically in under a year, growing from approximately 30 claimed victims across 17 countries in autumn 2025 to 48 by October 2025, roughly 130 by early February 2026, and over 320 publicly listed victims by April 2026, with 240 of those victims claimed in the first months of 2026 alone. Independent telemetry from a command-and-control server tied to a Gentlemen ransomware affiliate revealed a SystemBC botnet of more than 1,570 likely corporate victims, indicating the true scale of The Gentlemen ransomware operation exceeds the leak-site count significantly.

Manufacturing, technology, healthcare, and financial services are the most impacted sectors by The Gentlemen ransomware, and the group shows no self-imposed restraint regarding hospitals or critical services, unlike some ransomware groups. The heaviest geographic concentrations of The Gentlemen ransomware attacks are the United States, Thailand, United Kingdom, Germany, Brazil, and France. Consistent with Russian-speaking ransomware norms, The Gentlemen affiliate rules explicitly prohibit targeting organizations in Russia and other CIS states.

The Gentlemen Ransomware Initial Access and Reconnaissance

Initial access for The Gentlemen ransomware is predominantly achieved through exploitation of internet-facing edge devices, most notably FortiGate appliances via CVE-2024-55591, an authentication bypass vulnerability in FortiOS/FortiProxy. The Gentlemen ransomware operators maintain a curated database of roughly 14,700 already-compromised FortiGate devices and 969 validated brute-forced VPN credentials, enabling affiliates to skip the reconnaissance phase entirely and immediately access victim networks.

Infostealer-sourced credentials and exposed administrative panels serve as secondary initial access vectors for The Gentlemen ransomware affiliates. Once inside victim networks, The Gentlemen ransomware affiliates conduct structured reconnaissance using Advanced IP Scanner, Nmap, and Active Directory enumeration scripts to map the environment and identify high-value targets for encryption and data exfiltration.

The Gentlemen Ransomware Defense Evasion and Privilege Escalation

The Gentlemen ransomware affiliates pivot to defense evasion through a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique abusing the ThrottleStop.sys driver (renamed ThrottleBlood.sys by attackers) to exploit CVE-2025-7771, granting kernel-level code execution for The Gentlemen ransomware operations. Custom utilities such as All.exe and Allpatch2.exe are deployed by The Gentlemen ransomware affiliates to terminate EDR and antivirus processes at the kernel level.

The Gentlemen ransomware defense evasion is supplemented by PowerShell commands that disable Windows Defender, add broad path and process exclusions, and purge Defender support files to ensure ransomware deployment proceeds undetected. These comprehensive defense evasion techniques enable The Gentlemen ransomware to operate in enterprise environments even with security controls nominally in place.

The Gentlemen Ransomware Lateral Movement and Credential Harvesting

Lateral movement for The Gentlemen ransomware relies on living-off-the-land utilities including PsExec, WMI, WinRM, PowerRun.exe for UAC bypass and SYSTEM escalation, and remote scheduled tasks or services created across reachable hosts. Credentials are harvested from memory using Mimikatz by The Gentlemen ransomware affiliates, and AnyDesk is typically installed with a hardcoded password as a fallback remote access channel for persistent access.

Command-and-control for The Gentlemen ransomware is established through Cobalt Strike beacons and SystemBC SOCKS5 proxies using an RC4-encrypted protocol, while data exfiltration is performed over encrypted channels via WinSCP. The Gentlemen ransomware affiliates exfiltrate stolen data, often ranging from hundreds of gigabytes to multiple terabytes per victim, which is staged before encryption and published on a Tor-based leak site if ransom demands go unmet.

The Gentlemen Ransomware Group Policy Weaponization and Encryption

The defining impact technique of The Gentlemen ransomware is the built-in Group Policy deployment mode, which, once a Domain Controller is compromised, copies the locker to the NETLOGON share, creates a malicious GPO with an immediate scheduled task, and forces policy refresh to trigger near-simultaneous encryption across every domain-joined system in the victim environment. This Group Policy weaponization enables The Gentlemen ransomware to achieve enterprise-wide encryption within minutes of final payload deployment.

The Gentlemen ransomware Go-based locker targets Windows, Linux, NAS, and BSD environments, with a companion C-based variant specifically designed for ESXi hypervisors. The Gentlemen ransomware requires a per-build password argument to prevent sandbox detonation and uses hybrid cryptography combining X25519 key exchange with XChaCha20 stream encryption, generating a unique ephemeral key per file to ensure recovery without the attacker-controlled decryption key is effectively impossible.

The Gentlemen Ransomware Anti-Forensics and Double-Extortion

Configurable speed modes in The Gentlemen ransomware encrypt only 1 to 9 percent of large files for throughput while retaining destructive impact, and operators can optionally wipe free disk space to defeat forensic recovery attempts. Before encryption, The Gentlemen ransomware malware terminates dozens of backup, database, virtualization, and security services, deletes shadow copies, clears Windows event logs, and removes prefetch and RDP artifacts to frustrate incident response and forensic analysis.

Following a double-extortion model, stolen data exfiltrated by The Gentlemen ransomware affiliates is published on a Tor-based leak site if ransom demands go unmet, with negotiations conducted through Tox and Session messengers and additional public pressure applied via a branded social media account. The Gentlemen ransomware operation has demonstrated consistent follow-through on data leak threats, publishing sensitive victim data to maximize pressure for ransom payment.

Recommendations

Patch Internet-Facing Services

Prioritize timely patching of any exposed VPN appliances, RDP gateways, and remote-access infrastructure, since affiliates of The Gentlemen ransomware rely heavily on opportunistic exploitation of exposed services and stolen credentials for initial access. Organizations should immediately apply patches for CVE-2024-55591 (Fortinet FortiOS authorization bypass), CVE-2023-27532 (Veeam Backup & Replication missing authentication), and CVE-2024-37085 (VMware ESXi authentication bypass) to close critical initial access vectors exploited by The Gentlemen ransomware.

Harden and Monitor Domain Controllers

Treat Domain Controllers as the crown jewel of The Gentlemen ransomware kill chain. Restrict interactive and network logons to Domain Controllers, monitor for unusual ADMIN$ writes, abnormal RPC-launched binaries, and PowerShell sessions spawned under scheduled-task contexts on DCs. The Gentlemen ransomware Group Policy weaponization technique requires Domain Controller compromise, making DC hardening a critical defensive control.

Block and Detect Group Policy Weaponization

Alert on the creation of new GPOs, changes to NETLOGON or SYSVOL scheduled-task XML files, and bulk Invoke-GPUpdate or gpupdate /force activity executed across domain-joined systems. The Gentlemen ransomware --gpo deployment path is the single most impactful deployment mechanism in this ransomware operation and must be detectable in near real time to prevent enterprise-wide encryption.

Hunt for SystemBC Proxy Activity

Instrument EDR and NetFlow for unexpected SOCKS5 traffic, particularly from corporate hosts that should never act as proxies. Outbound connections to 45[.]86[.]230[.]112 or anomalous encrypted tunnels from workstations to low-reputation hosts should be investigated as potential pre-ransomware staging by The Gentlemen ransomware affiliates. The SystemBC proxy malware is a consistent component of The Gentlemen ransomware attack chain.

Conduct Regular Data Backups and Test Restoration

Regularly backup critical data and systems, store them securely offline in immutable or air-gapped storage. Test restoration processes to ensure backup integrity and availability. In case of a The Gentlemen ransomware attack, up-to-date backups enable recovery without paying the ransom. The Gentlemen ransomware specifically targets and attempts to destroy backup infrastructure, making offline backup storage essential.

Protect Windows Defender Tamper Controls

Enable Tamper Protection, restrict who can run Set-MpPreference, and alert on any execution of Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath 'C:', or Add-MpPreference -ExclusionProcess commands, as all are explicit behaviors of The Gentlemen ransomware locker during defense evasion operations. Monitoring for Windows Defender manipulation provides early warning of The Gentlemen ransomware deployment.

MITRE ATT&CK TTPs

Initial Access

T1078: Valid Accounts
T1133: External Remote Services

Execution

T1059: Command and Scripting Interpreter
- T1059.003: Windows Command Shell
- T1059.001: PowerShell
T1047: Windows Management Instrumentation
T1053: Scheduled Task/Job
- T1053.005: Scheduled Task
T1569: System Services
- T1569.002: Service Execution
1106: Native API
T1204: User Execution
- T1204.002: Malicious File

Persistence

T1053: Scheduled Task/Job
- T1053.005: Scheduled Task
- T1053.003: Cron
T1547: Boot or Logon Autostart Execution
- T1547.001: Registry Run Keys / Startup Fold
- T1037.004: RC Scripts
T1543: Create or Modify System Process
- T1543.003: Windows Service

Privilege Escalation

T1078: Valid Accounts

Defense Evasion

T1562: Impair Defenses
- T1562.001: Disable or Modify Tools
- T1562.004: Disable or Modify System Firewall
T1070: Indicator Removal
- T1070.001: Clear Windows Event Logs
- T1070.004: File Deletion
T1036: Masquerading
- T1036.004: Masquerade Task or Service
- T1036.005: Match Legitimate Name or Location
T1564: Hide Artifacts
- T1564.001: Hidden Files and Directories
T1027: Obfuscated Files or Information

Credential Access

T1003: OS Credential Dumping
T1555: Credentials from Password Stores

Discovery

T1082: System Information Discovery
T1033: System Owner/User Discovery
T1087: Account Discovery
- T1087.002: Domain Account
T1482: Domain Trust Discovery
T1018: Remote System Discovery
T1135: Network Share Discovery
T1083: File and Directory Discovery
T1518: Software Discovery
- T1518.001: Security Software Discovery

Lateral Movement

T1021: Remote Services
- T1021.002: SMB/Windows Admin Shares
- T1021.001: Remote Desktop Protocol
- T1021.006: Windows Remote Management
T1570: Lateral Tool Transfer

Command and Control

T1090: Proxy
- T1090.003: Multi-hop Proxy
T1105: Ingress Tool Transfer
T1071: Application Layer Protocol
- T1071.001: Web Protocols
T1573: Encrypted Channel
- T1573.002: Asymmetric Cryptography

Exfiltration

T1041: Exfiltration Over C2 Channel

Impact

T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery
T1489: Service Stop
T1491: Defacement
- T1491.001: Internal Defacement
T1657: Financial Theft

Indicators of Compromise (IoCs)

IPv4 Addresses

194[.]87[.]31[.]69
91[.]107[.]247[.]163
45[.]86[.]230[.]112

SHA256 Hashes (Selected samples)

992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5
025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db

Ransom Note Filename

README-GENTLEMEN.txt

Tor Leak Site

Tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad[.]onion

Tox IDs

D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F
F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69

File Paths

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GupdateU
/bin/.vmware-authd
/etc/rc.local.d/local.sh

References

https://research.checkpoint.com/2026/dfir-report-the-gentlemen/

https://www.broadcom.com/support/security-center/protection-bulletin/cross-platform-and-coordinated-the-gentlemen-raas-targets-windows-linux-and-esxi

https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/

https://fortiguard.fortinet.com/psirt/FG-IR-24-535

https://www.veeam.com/kb4424

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505

April 28, 2026

Red | Attack Report

LOTUSLITE v1.1: Enhanced Evasion Meets Banking-Themed Social Engineering

Summary

The LOTUSLITE v1.1 backdoor malware represents an evolved cyber espionage threat targeting India and South Korea's banking and financial services sectors, as well as government, diplomatic, and policy organizations. First observed in March 2026, this LOTUSLITE campaign leverages sophisticated banking-themed social engineering tactics to infiltrate Windows-based systems. The LOTUSLITE v1.1 attack is attributed with medium confidence to Mustang Panda (also tracked as Bronze President, Earth Preta, Stately Taurus, TEMP.Hex, HoneyMyte, Red Lich, Camaro Dragon, PKPLUG, Twill Typhoon, Hive0154), a known advanced persistent threat actor.

The LOTUSLITE v1.1 campaign begins with a deceptively simple CHM file disguised as a support request, triggering a hidden JavaScript loader that abuses trusted Windows components to deploy the LOTUSLITE payload. By sideloading a malicious DLL through a legitimate Microsoft-signed binary, the LOTUSLITE malware executes under the radar while employing advanced API resolution techniques to evade detection and analysis. Once the LOTUSLITE backdoor is established, it secures persistence, blends its network traffic with normal HTTPS communications, and enables full backdoor capabilities across targeted systems.

The LOTUSLITE v1.1 campaign's overlap with parallel operations targeting geopolitical policy experts highlights a broader, coordinated cyber espionage effort by Mustang Panda. This underscores LOTUSLITE's continued evolution into a stealthy and adaptable cyber espionage tool specifically designed to compromise India's banking sector and South Korea's policy organizations while evading modern security controls.

Attack Details

Initial Infection Through Banking-Themed Social Engineering

The LOTUSLITE v1.1 campaign introduces an updated variant of the LOTUSLITE malware, cleverly packaged around a theme tied to India's banking sector to enhance its credibility and increase successful compromise rates. The LOTUSLITE attack chain begins with a well-crafted spear-phishing email delivering a Compiled HTML Help (CHM) file titled "Request for Support.chm," a name deliberately chosen by Mustang Panda to mimic legitimate helpdesk or ticketing workflows commonly seen in financial institutions across India and South Korea.

Once the LOTUSLITE CHM file is opened, the file displays a seemingly benign prompt urging the user to click "Yes," but this interaction quietly triggers the download and execution of a malicious JavaScript payload named music.js, hosted on a remote domain controlled by the Mustang Panda threat actor. This LOTUSLITE script acts as the orchestrator of the infection, abusing trusted Windows utilities like hh.exe and leveraging ActiveX components such as ShortcutCommand, alongside Scriptlet.TypeLib, to bypass built-in security controls and initiate LOTUSLITE execution without raising suspicion in India's banking environments.

DLL Sideloading and Enhanced Evasion Techniques

Once the LOTUSLITE JavaScript is executed, the script extracts embedded payloads into a public directory on the system, including a legitimate Microsoft-signed binary (Microsoft_DNX.exe) and a malicious DLL (dnx.onecore.dll), which constitutes the LOTUSLITE v1.1 implant. The Mustang Panda attackers exploit DLL sideloading by relying on the signed binary's behavior of dynamically loading libraries at runtime without strict path validation or authenticity checks, allowing the malicious LOTUSLITE DLL to execute under the guise of a trusted application.

Notably, LOTUSLITE v1.1 introduces enhanced anti-analysis techniques that distinguish it from earlier LOTUSLITE versions. Rather than statically importing APIs, LOTUSLITE v1.1 dynamically resolves them at runtime via ntdll.dll, using functions like LdrLoadDll and RtlInitUnicodeString. This LOTUSLITE approach minimizes detectable indicators in the import table, significantly complicating static analysis and reverse engineering efforts by security researchers attempting to analyze Mustang Panda malware targeting India's banking sector and South Korean government organizations.

Persistence Mechanisms and Banking-Themed Disguise

To maintain persistence, the LOTUSLITE v1.1 malware modifies the Windows Registry under the HKCU Run key, again using obfuscated API resolution techniques to evade detection by security tools deployed in India's banking and South Korea's government infrastructure. LOTUSLITE copies itself into C:\ProgramData\Microsoft_DNX* and leverages a modified command-line argument to control execution flow, either establishing persistence or initiating communication with its command-and-control (C2) server. A mutex named "mdseccoUk" ensures only a single LOTUSLITE instance runs at a time on compromised systems.

The LOTUSLITE DLL's export table has been expanded to include functions such as HDFCBankMain, which displays a decoy message box referencing "HDFC Bank Limited" to reinforce the banking-themed disguise and deceive victims in India's financial sector. Meanwhile, legacy artifacts such as KugouMain persist in LOTUSLITE v1.1, providing strong evidence of lineage from earlier LOTUSLITE versions and confirming the malware's evolution under Mustang Panda's development.

Command-and-Control Infrastructure and Backdoor Capabilities

On the network side, the LOTUSLITE v1.1 implant communicates with a hardcoded C2 endpoint hosted on a dynamic DNS subdomain controlled by Mustang Panda, using TCP port 443 to blend seamlessly with normal HTTPS traffic in India's banking networks and South Korea's government systems. The LOTUSLITE communication protocol relies on a custom binary TLV structure, updated with a new magic header value (0xB2EBCFDF), signaling iterative development by Mustang Panda. Functionally, the LOTUSLITE backdoor retains its core capabilities, including remote shell access, file manipulation, and session control, mirroring the command structure of earlier LOTUSLITE versions.

Coordinated Targeting Across Multiple Sectors

Further investigation reveals that this LOTUSLITE v1.1 activity is not isolated to India's banking sector. Mustang Panda is also targeting policy experts and individuals engaged in Korean Peninsula and Indo-Pacific security discussions in South Korea. In this parallel campaign, Mustang Panda threat actors employed a spoofed Gmail account impersonating a well-known U.S.-Korea policy figure to distribute malicious files via Google Drive. This overlap in targeting and tooling suggests a broader, coordinated cyber espionage effort by Mustang Panda, with LOTUSLITE continuing to evolve both technically and operationally to support targeted cyber espionage campaigns against India's banking sector and South Korea's diplomatic organizations.

With moderate confidence, this LOTUSLITE v1.1 activity is attributed to Mustang Panda based on shared code lineage, overlapping infrastructure, residual build artifacts, and consistent behavioral patterns observed across all three campaigns targeting India and South Korea.

Recommendations

Block Known C2 Infrastructure

Immediately block network communication to the domains editor[.]gleeze[.]com and www[.]cosmosmusic[.]com at the firewall, proxy, and DNS levels to prevent LOTUSLITE v1.1 command-and-control communications. Add the associated LOTUSLITE IoC hashes to endpoint detection blocklists to prevent execution of known LOTUSLITE v1.1 artifacts across India's banking networks and South Korean government systems.

Restrict CHM File Execution

Deploy Group Policy restrictions to prevent the execution of Compiled HTML (.chm) files from untrusted sources, particularly those arriving via email attachments or web downloads in banking and government environments. Monitor for unexpected invocations of hh.exe, which is abused in this LOTUSLITE campaign as a file extraction mechanism by Mustang Panda.

Harden DLL Sideloading Defenses

Implement application control policies that prevent unsigned or untrusted DLLs from being loaded alongside legitimate signed executables. Monitor for the execution of Microsoft_DNX.exe and kwpswnsserver.exe outside of expected development contexts, as these legitimate binaries are abused for sideloading in this LOTUSLITE v1.1 campaign targeting India's banking sector.

Monitor Registry Persistence Mechanisms

Deploy detection rules for registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, specifically watching for entries pointing to executables staged in C:\ProgramData\ subdirectories. Alert on the creation of the mutexes "mdseccoUkFuiCkTrump" and "1ac5e7ee1a107499" as direct indicators of LOTUSLITE activity on systems across India and South Korea.

Deploy Network Detection Signatures

Create network intrusion detection rules to identify the LOTUSLITE custom binary packet structure, specifically monitoring for the magic value 0xB2EBCFDF in packet headers on TCP port 443. Also retain detection for the legacy magic value 0x8899AABB from LOTUSLITE v1.0 to ensure coverage across both variants deployed by Mustang Panda.

Implement JavaScript Execution Controls

Restrict the execution of JavaScript files (.js) via Windows Script Host in environments where such functionality is not operationally required. Monitor for the creation and execution of JavaScript files in user-writable directories, particularly those triggered by CHM file interactions in India's banking sector and South Korean government organizations.

Implement Network Segmentation for Financial Systems

Isolate banking and financial application servers from general-purpose endpoints to limit lateral movement opportunities if a LOTUSLITE implant achieves initial compromise. Ensure that sensitive financial systems in India are accessible only through hardened jump servers with multi-factor authentication to prevent Mustang Panda lateral movement.

MITRE ATT&CK TTPs

Initial Access

T1566: Phishing
- T1566.001: Spear-Phishing Attachment

Execution

T1059: Command and Scripting Interpreter
- T1059.007: JavaScript
T1218: System Binary Proxy Execution
- T1218.001: Compiled HTML File
T1204: User Execution

Persistence

T1547: Boot or Logon Autostart Execution
- T1547.001: Registry Run Keys / Startup Folder

Defense Evasion

T1574: Hijack Execution Flow
- T1574.001: DLL
T1036: Masquerading
- T1036.005: Match Legitimate Name or Location
T1106: Native API
T1027: Obfuscated Files or Information

Command and Control

T1071: Application Layer Protocol
- T1071.001: Web Protocols
T1095: Non-Application Layer Protocol

Exfiltration

T1041: Exfiltration Over C2 Channel

Indicators of Compromise (IoCs)

SHA256 Hashes

af31ebe9085df408bedcf8f027fb60389897e5c8d3b0e9695fea29774f9d3aec
cc0ff7e25ea686171919575916e2d9ebaeb5800a063f370a6980ea791f8851b8
7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d
9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d
18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893
6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135

Domains

editor[.]gleeze[.]com
www[.]cosmosmusic[.]com

Mutex

mdseccoUkFuiCkTrump
1ac5e7ee1a107499

File Path

C:\ProgramData\Microsoft_DNX\

References

https://www.acronis.com/en/tru/posts/same-packet-different-magic-mustang-panda-hits-indias-banking-sector-and-korea-geopolitics/

April 28, 2026

Amber | Attack Report

Lotus Wiper: Silent Sabotage Targeting Venezuela’s Energy Sector

Summary

The Lotus Wiper malware represents a sophisticated destructive cyber attack campaign targeting Venezuela's energy and utilities sector. This previously undocumented wiper malware was first observed in mid-December 2025, though compiled in late September 2025, indicating a prolonged preparation phase for this destructive operation. Lotus Wiper attacks specifically targeted Windows-based systems within Venezuelan energy organizations during a period of heightened geopolitical tensions in the Caribbean region during late 2025 and early 2026.

The Lotus Wiper attack chain employs batch scripts and destructive malware to systematically disable system defenses, destroy disk contents, and render targeted systems permanently unrecoverable. The multi-stage attack begins with batch scripts that weaken system security, disable user accounts, and prepare the environment for the Lotus Wiper payload execution. Once deployed, Lotus Wiper removes recovery mechanisms, overwrites physical drives with zeros, clears USN journals, and systematically deletes all files across affected systems. Importantly, this destructive wiper campaign showed no ransomware or extortion mechanisms, confirming that Lotus Wiper attacks are purely destructive operations with no financial motivation behind the targeting of Venezuela's critical energy infrastructure.

Attack Details

Initial Attack Stage and Environment Preparation

The Lotus Wiper attack begins with a batch script named OhSyncNow.bat that serves as the initial trigger for the destructive chain targeting Venezuelan energy organizations. This Lotus Wiper batch script establishes a local working directory at C:\lotus and immediately attempts to disable the Interactive Services Detection (UI0Detect) service, effectively suppressing visible security alerts that could expose the ongoing Lotus Wiper attack activity to system administrators.

The Lotus Wiper attack chain then checks for the presence of an XML flag file (OHSync.xml) hosted on a NETLOGON share, using a hardcoded organization name to construct the network path. This external XML file functions as a covert control signal for the Lotus Wiper operation; once detected, it triggers Lotus Wiper execution across domain-joined systems, resembling a backdoor mechanism dependent on network-accessible resources. If the Lotus Wiper trigger file is absent, execution halts; if the share is temporarily unreachable, the Lotus Wiper script introduces a randomized delay of up to 20 minutes before retrying, adding resilience and stealth to the destructive operation.

System Destruction and User Account Compromise

Once the Lotus Wiper attack is activated, a secondary script named notesreg.bat executes a one-time destructive routine. This Lotus Wiper component first checks for a marker file to avoid re-execution, deleting itself if the Lotus Wiper operation has already been performed on the target system. The Lotus Wiper script then systematically targets user accounts, excluding specific predefined names likely tied to IT personnel, by resetting passwords to random values, disabling accounts, and restricting login hours across the compromised Venezuelan energy infrastructure.

The Lotus Wiper attack further disrupts system access by disabling cached credentials through registry modification and forcibly logging off all active sessions using qwinsta. Network isolation is achieved when Lotus Wiper disables all network interfaces via netsh, effectively cutting off external communication. From there, the Lotus Wiper script escalates into full-scale destruction: it enumerates all logical drives and leverages diskpart clean all to overwrite disks with zeros, recursively overwrites directory contents using robocopy, and exhausts remaining disk space with fsutil, ensuring complete system inoperability across targeted Venezuelan energy organizations.

Payload Decryption and Wiper Deployment

The final stage of the Lotus Wiper attack introduces a binary named nstats.exe, which masquerades as a legitimate HCL Domino server component. This Lotus Wiper executable accepts two arguments: nevent.exe (an XOR-encrypted payload) and ndesign.exe (the output file), and decrypts the payload to produce the actual Lotus Wiper binary. The requirement to pre-stage these Lotus Wiper components strongly indicates that the attackers had already established a foothold within Venezuelan energy infrastructure before Lotus Wiper detonation.

Additionally, the deliberate targeting of legacy Windows features by Lotus Wiper, such as UI0Detect, suggests the attackers possessed detailed understanding of the victim's infrastructure. Timeline analysis reveals that the Lotus Wiper malware was compiled in late September 2025 but only deployed months later against Venezuelan energy targets, pointing to a carefully planned and staged intrusion operation.

Multi-Phase Destruction Process

Once executed, the Lotus Wiper malware escalates its privileges to gain full administrative control and begins a multi-phase destruction process targeting Venezuelan energy systems. Lotus Wiper first removes all system restore points by dynamically loading srclient.dll and invoking the System Restore API, ensuring that recovery options are eliminated from compromised energy infrastructure systems.

Lotus Wiper then wipes physical drives by querying disk geometry via IOCTL_DISK_GET_DRIVE_GEOMETRY_EX and overwriting all sectors with zeros. Between these Lotus Wiper wipe cycles, the malware enumerates mounted volumes and spawns parallel threads to erase USN journal entries and delete files at scale across Venezuelan energy systems. Individual file destruction by Lotus Wiper involves zeroing data regions, renaming files to random hexadecimal strings to obscure their identity, and deleting them using native Windows APIs.

In cases where files are locked, Lotus Wiper defers deletion until reboot using MoveFileExW. This Lotus Wiper destruction process is repeated in multiple passes, with additional restore point removal after each cycle, ensuring irrecoverable damage to targeted Venezuelan energy infrastructure. The Lotus Wiper operation concludes with a system-level update call to reflect disk changes, leaving the compromised machine effectively unusable.

Recommendations

Audit NETLOGON and Domain Shares

Organizations should review permissions and file activity on domain shares, specifically monitoring the NETLOGON share for unauthorized file additions or modifications. The Lotus Wiper attack chain uses shared XML files as trigger mechanisms to coordinate wiper execution across domain-joined hosts in Venezuelan energy infrastructure, making NETLOGON share monitoring critical for detecting Lotus Wiper deployment attempts.

Monitor for Unauthorized Service Manipulation

Deploy detection rules for attempts to query, stop, or disable system services such as UI0Detect using sc.exe. This behavior was used during the Lotus Wiper attack to suppress visible warnings during the initial attack phase against Venezuelan energy organizations, making service manipulation monitoring essential for early Lotus Wiper detection.

Detect Mass Account Manipulation

Alert on bulk password changes and account deactivation events (Windows Event 4724) across local user accounts, particularly when performed in rapid succession by scripted processes rather than administrative workflows. The Lotus Wiper campaign systematically disabled user accounts across Venezuelan energy infrastructure, making account manipulation detection a critical indicator of Lotus Wiper activity.

Block Living-off-the-Land Abuse

Monitor and restrict unusual use of built-in system utilities including fsutil, robocopy, diskpart, netsh, and qwinsta, especially when invoked from non-standard directories or batch scripts. The Lotus Wiper attackers relied on these legitimate tools for disk destruction and network isolation within Venezuelan energy systems, making detection of abnormal system utility usage vital for preventing Lotus Wiper attacks.

Restrict Network Interface Changes

Implement controls to alert on or prevent unauthorized disabling of network interfaces via netsh. Lotus Wiper used this technique to isolate compromised Venezuelan energy systems from external communication and impede incident response, making network interface monitoring essential for detecting Lotus Wiper lateral movement and isolation tactics.

Harden Cached Credential Policy

Enforce group policy settings for CachedLogonsCount and monitor for unauthorized registry modifications to the Winlogon key. The Lotus Wiper attack manipulated this value to prevent domain users from logging in without network connectivity across Venezuelan energy infrastructure, making credential policy hardening critical for resilience against Lotus Wiper attacks.

Implement Immutable and Offline Backups

Maintain air-gapped or immutable backup copies of critical systems and data, and regularly test restoration procedures. Wiper attacks like Lotus Wiper are specifically designed to render systems permanently unrecoverable, making resilient backup strategies the primary recovery mechanism for organizations facing destructive Lotus Wiper campaigns targeting critical infrastructure like Venezuela's energy sector.

MITRE ATT&CK TTPs

Execution

T1059: Command and Scripting Interpreter
- T1059.003: Windows Command Shell

Persistence

T1078: Valid Accounts
- T1078.002: Domain Accounts

Defense Evasion

T1036: Masquerading
- T1036.005: Match Legitimate Name or Location
T1140: Deobfuscate/Decode Files or Information
T1562: Impair Defenses
- T1562.001: Disable or Modify Tools

Discov

T1082: System Information Discovery
T1083: File and Directory Discovery
T1049: System Network Connections Discovery

Lateral Movement

T1080: Taint Shared Content

Credential Access

T1098: Account Manipulation

Impact

T1561: Disk Wipe
- T1561.001: Disk Content Wipe
- T1561.002: Disk Structure Wipe
T1485: Data Destruction
1490: Inhibit System Recovery
T1489: Service Stop
T1531: Account Access Removal

Indicators of Compromise (IoCs)

MD5 Hashes

0b83ce69d16f5ecd00f4642deb3c5895
c6d0f67db6a7dbf1f9394d98c1e13670
b41d0cd22d5b3e3bdb795f81421a11cb

SHA256 Hashes

405177294F6F9268432A43998049AD0D4A61C6909216533B8713C911BC430755
9D05854C95C6AFA68911BD28AF12282185E0FE34F2E58FDDBC503AB22D1508
1D6F374087087738B7699EBF91F1CFDB3B2A65C2E9BE72E106EE7C9814BE3274

References

https://securelist.com/tr/lotus-wiper/119472/

April 28, 2026

Red | Vulnerability Report

From Advisory to Attack in Under 10 Hours: Marimo's Critical RCE Flaw

Summary

CVE-2026-39987 represents a critical pre-authenticated remote code execution vulnerability affecting Marimo, an open-source reactive Python notebook platform widely used for data science, analysis, and interactive coding workflows.

This vulnerability, carrying a CVSS score of 9.3, impacts all Marimo versions prior to 0.23.0 and stems from a complete absence of authentication validation on the /terminal/ws WebSocket endpoint. This authentication bypass allows any unauthenticated remote attacker to obtain a full PTY (pseudo-terminal) shell and execute arbitrary system commands on vulnerable Marimo instances through a single WebSocket connection, without requiring any credentials, user interaction, or prior compromise.

The vulnerability was publicly disclosed on April 8, 2026, through a security advisory that detailed the technical root cause and exploitation methodology. Remarkably, active exploitation in the wild was observed within just 9 hours and 41 minutes of the advisory's publication, demonstrating the rapidly shrinking window between vulnerability disclosure and weaponization.

This extremely brief time-to-exploit window occurred without any public proof-of-concept code being available, indicating that attackers crafted working exploits directly from the advisory's technical description alone.

Security researchers operating honeypot infrastructure detected the first exploitation attempt when an attacker connected to the unauthenticated terminal WebSocket endpoint and conducted manual reconnaissance activities across four distinct sessions spanning approximately 90 minutes.

The attacker's activities focused primarily on credential harvesting and data collection rather than deployment of persistent malware, cryptominers, or backdoors. Specific attacker objectives included:

Harvesting credentials from .env environment files commonly used in Python development workflows
Searching for SSH private keys that could enable lateral movement
Conducting comprehensive file system exploration to identify valuable data repositories

The vulnerability's root cause lies in inconsistent security control implementation across Marimo's WebSocket endpoints. While other endpoints such as /ws properly invoke the validate_auth() authentication function, the /terminal/ws endpoint completely bypasses this validation step.

The impact severity extends significantly beyond simple server compromise. Marimo environments frequently store sensitive API keys for Large Language Model providers (OpenAI, Anthropic, Cohere, etc.) as well as cloud service credentials for AWS, Google Cloud Platform, and Azure infrastructure.

Exfiltration of these credentials could enable:

Lateral movement into cloud infrastructure hosting production workloads
Unauthorized abuse of expensive AI services
Exposure of proprietary datasets or machine learning artifacts
Compromise of interconnected development and production environments

The observed exploitation pattern suggests professional threat actor involvement rather than opportunistic scanning. The attacker demonstrated:

Methodical manual reconnaissance
Focus on high-value credential theft
Operational security discipline (no persistent backdoors)

Organizations running Marimo face immediate risk requiring emergency remediation.

Vulnerability Details

Technical Root Cause and Authentication Bypass Mechanism

CVE-2026-39987 exists due to architectural inconsistency in authentication enforcement across Marimo's WebSocket endpoint implementations.

Most endpoints (e.g., /ws) invoke validate_auth() before granting access
The /terminal/ws endpoint omits authentication entirely

This allows unauthenticated attackers to establish WebSocket connections and gain full terminal access.

Upon connection, attackers receive a full PTY shell with the privileges of the Marimo process user, enabling:

Arbitrary command execution
File system navigation
Sensitive file access
System configuration modification

Exploitation Timeline and Attacker Methodology

Disclosure Date: April 8, 2026
First Exploit Observed: 9 hours 41 minutes later

No public proof-of-concept code was available during initial exploitation.

The attacker:

Conducted 4 sessions over ~90 minutes
Performed systematic file enumeration
Harvested .env credentials
Searched for SSH keys
Explored project directories

Notably, the attacker did NOT:

Deploy malware
Install cryptominers
Establish persistence
Perform destructive actions

This indicates targeted credential harvesting.

Impact Scope and Credential Exposure Risk

The impact extends beyond server compromise due to sensitive data stored in Marimo environments.

At-Risk Data Includes:

LLM API keys (OpenAI, Anthropic, Cohere, Gemini, etc.)
Cloud credentials (AWS, GCP, Azure)
Database connection strings
SSH private keys
Proprietary datasets and ML models

Potential Consequences

Abuse of AI services (cost exploitation, prompt injection)
Lateral movement into cloud environments
Data exfiltration
Deployment of additional attack infrastructure

Patch Availability and Remediation

Marimo version 0.23.0 fixes the vulnerability by enforcing authentication on /terminal/ws.

If Immediate Upgrade Is Not Possible:

Restrict access via firewall or reverse proxy
Disable terminal functionality
Deploy only in private networks

Recommendations

1. Upgrade Marimo to Version 0.23.0 Immediately

All organizations must upgrade without delay.

If not possible

Restrict /terminal/ws access
Apply firewall/WAF rules
Disable terminal feature

2. Audit and Rotate All Potentially Exposed Credentials

Audit all accessible credentials:

.env files and environment variables
SSH keys (.ssh directories)
Config files with tokens
Hardcoded secrets in repositories

Action: Rotate all credentials—even without confirmed compromise.

3. Restrict Network Exposure of Notebook Environments

Notebook platforms should never be exposed without protection.

Recommended Controls:

VPN access
Private subnets
Authenticated reverse proxies (SSO, OAuth, MFA)
Avoid binding to 0.0.0.0 unless secured

4. Implement Container Security Hardening

For containerized deployments:

Run as non-root user
Use read-only filesystems
Minimize Linux capabilities
Apply resource limits

5. Deploy WebSocket Monitoring and Anomaly Detection

Monitor for:

Unexpected /terminal/ws connections
Unusual shell process spawning
Abnormal process trees
Suspicious outbound traffi
Bulk access to sensitive files

Key Insight: Any external /terminal/ws access is a high-confidence indicator of compromise.

MITRE ATT&CK TTPs

Initial Access

T1190: Exploit Public-Facing Application

Execution

T1059: Command and Scripting Interpreter
- T1059.004: Unix Shell
- T1059.006: Python

Discovery

T1083: File and Directory Discovery
T1016: System Network Configuration Discovery
T1082: System Information Discovery

Credential Access

T1552: Unsecured Credentials
- T1552.001: Credentials in Files

Collection

T1005: Data from Local System

Lateral Movement

T1021: Remote Services
- T1021.004: SSH

References

April 15, 2026

Red | Vulnerability Report

Microsoft's April 2026 Patch Tuesday

Summary

Microsoft's April 2026 Patch Tuesday addresses 165 critical security vulnerabilities across Microsoft's product ecosystem, marking one of the most extensive security update releases in the company's history. This Patch Tuesday vulnerability release includes 8 Critical, 153 Important, 1 Low, and 3 Moderate severity vulnerabilities spanning multiple Microsoft products including Microsoft SQL Server, Windows Kernel, Windows Server Update Service, Microsoft Office, Microsoft SharePoint, and Google Chromium-based Microsoft Edge.

Microsoft Patch Tuesday vulnerabilities impact multiple categories including 93 Elevation of Privilege (EoP) vulnerabilities, 20 Remote Code Execution (RCE) vulnerabilities, 20 Information Disclosure vulnerabilities, 12 Security Feature Bypass vulnerabilities, 9 Denial of Service (DoS) vulnerabilities, 10 Spoofing vulnerabilities, and 1 Tampering vulnerability. Elevation of Privilege vulnerabilities account for over 56% of this month's patches, reflecting continued attacker focus on post-compromise privilege escalation vulnerabilities.

The total number of CVEs addressed reaches 247 when including 82 non-Microsoft vulnerabilities. Of critical concern are 21 CVEs assessed as either actively exploited or at increased risk of exploitation, including 1 actively exploited zero-day vulnerability and 1 publicly disclosed vulnerability prior to patching.

Vulnerability Details

Actively Exploited Zero-Day Vulnerabilities

CVE-2026-32201 is a critical Microsoft SharePoint Server Spoofing Vulnerability (CVSS 6.5) actively exploited in the wild. This SharePoint vulnerability stems from improper input validation and manifests as cross-site scripting (XSS), allowing attackers to view and modify sensitive organizational data. Despite its moderate CVSS score, confirmed wild exploitation and SharePoint's role as a central collaboration platform make this SharePoint vulnerability the top remediation priority. This SharePoint zero-day follows a pattern of SharePoint vulnerabilities being leveraged in ransomware and cyberespionage campaigns.

CVE-2026-5281, a Chromium Use After Free in Dawn vulnerability affecting Microsoft Edge (Chromium-based), is confirmed exploited in the wild. This zero-day vulnerability targeting the Dawn graphics component poses significant remote code execution risks.

Publicly Disclosed Vulnerabilities

CVE-2026-33825 is a publicly disclosed Microsoft Defender Elevation of Privilege vulnerability (CVSS 7.8). While no active exploitation has been confirmed, the vulnerability description closely matches "BlueHammer," a proof-of-concept exploit published on GitHub on April 3. Systems with Microsoft Defender disabled are not vulnerable.

Critical Remote Code Execution Vulnerabilities

CVE-2026-33824 (Windows IKE Service Extensions, CVSS 9.8) and CVE-2026-33827 (Windows TCP/IP, CVSS 8.1) are both unauthenticated, network-exploitable RCE vulnerabilities with wormable characteristics. The IKE vulnerability targets systems with IKE v2 enabled, while the TCP/IP vulnerability affects IPv6/IPsec environments via a race condition.

CVE-2026-33826 (Windows Active Directory, CVSS 8.0) enables authenticated RCE on domain controllers via crafted RPC calls, presenting serious domain compromise risks.

Three Critical RCE vulnerabilities in Microsoft Word and Office (CVE-2026-33115, CVE-2026-33114, CVE-2026-32190) are exploitable through the Preview Pane without opening files, continuing a dangerous pattern from March 2026.

CVE-2026-32157 (Remote Desktop Client, CVSS 8.8) targets users connecting to malicious RDP servers. CVE-2026-23666 (.NET Framework) is a rare Critical-rated Denial of Service vulnerability capable of crippling network-facing .NET applications.

Security Feature Bypass Vulnerabilities

The Secure Boot and BitLocker bypass vulnerabilities are particularly urgent given the Secure Boot certificate expiration deadline on June 26, 2026. Organizations should prioritize validating Secure Boot certificate status across their fleet before this deadline.

Chromium Vulnerabilities

Among Chromium-based Edge vulnerabilities, two additional Chromium flaws (CVE-2026-5858 and CVE-2026-5859), both in the WebML API, are rated Critical by Google with $43,000 bounties each and could allow remote code execution via crafted HTML pages.

Extended Security Updates End

This release marks the end of Extended Security Updates for Exchange Server 2016 and 2019, leaving on-premises Exchange environments without security coverage moving forward.

Recommendations

Conduct an extensive service exposure evaluation to identify vulnerable services that may be publicly accessible, particularly SharePoint Server, IKE/IPsec endpoints, and IPv6-enabled systems. Take immediate action to address identified vulnerabilities through essential patch deployment or interim security measures such as firewall rules for UDP ports 500 and 4500.

Keep systems up to date by implementing the most recent security updates from Microsoft Patch Tuesday. Follow security rules adapted to unique devices to avoid introducing new vulnerabilities. Thoroughly review configurations of internet-exposed devices and applications, including Secure Boot certificate status verification ahead of the June 26, 2026 expiration deadline.

Prioritize patching the actively exploited and critical vulnerabilities: CVE-2026-32201, CVE-2026-5281, CVE-2026-33825, CVE-2026-33824, CVE-2026-33827, CVE-2026-33826, CVE-2026-33115, CVE-2026-33114, and CVE-2026-32190. These vulnerabilities pose significant exploitation risks including wormable network RCEs and Preview Pane-based Office attacks.

Implement network segmentation to restrict unauthorized access and reduce the impact of potential attacks. This is especially critical given the wormable IKE and TCP/IP vulnerabilities and the Active Directory RCE vulnerability that can enable lateral movement across domain-joined environments.

Adhere to the principle of "least privilege" by giving users only essential permissions needed for their tasks. With Elevation of Privilege vulnerabilities accounting for over 56% of this month's patches, this strategy is critical to reducing the impact of privilege escalation vulnerabilities.

MITRE ATT&CK TTPs

Initial Access: T1190 (Exploit Public-Facing Application), T1189 (Drive-by Compromise), T1566 (Phishing), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link)

Execution: T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1059.001 (PowerShell), T1204 (User Execution), T1204.001 (Malicious Link), T1204.002 (Malicious File)

Defense Evasion: T1562 (Impair Defenses), T1562.001 (Disable or Modify Tools), T1553 (Subvert Trust Controls), T1553.005 (Mark-of-the-Web Bypass), T1553.006 (Code Signing Policy Modification)

Privilege Escalation: T1068 (Exploitation for Privilege Escalation), T1542 (Pre-OS Boot), T1542.003 (Bootkit)

Credential Access: T1552 (Unsecured Credentials), T1556 (Modify Authentication Process)

Lateral Movement: T1021 (Remote Services), T1021.001 (Remote Desktop Protocol), T1210 (Exploitation of Remote Services)

Impact: T1499 (Endpoint Denial of Service)

References

https://msrc.microsoft.com/update-guide/releaseNote/2026-apr

https://hivepro.com/threat-advisory/cve-2026-5281-chrome-dawn-flaw-sparks-in-the-wild-zero-day-attacks/

April 20, 2026

Red | Attack Report

Storm-2755's Silent Payroll Heist Targeting Canada

Summary

Storm-2755 represents a sophisticated cybersecurity attack targeting Canadian employees through a financially motivated payroll diversion campaign that exploits Microsoft 365 and Microsoft Entra ID vulnerabilities. First observed in April 2026, the Storm-2755 attack campaign leverages advanced adversary-in-the-middle (AiTM) phishing techniques and exploits CVE-2025-27152, an Axios SSRF and credential leakage vulnerability, to silently compromise corporate accounts and redirect employee salary payments.

The Storm-2755 threat actor orchestrates this payroll theft attack by deploying fake Microsoft 365 login pages through malicious advertisements and search engine manipulation, capturing active session tokens to bypass multi-factor authentication (MFA) protections. Once inside compromised accounts, the Storm-2755 campaign maintains persistent access through session token refresh techniques, searches for payroll and human resources data, establishes inbox rules to hide malicious activity, and ultimately manipulates direct deposit information either through social engineering of HR teams or direct modification of payroll systems like Workday.

Attack Details

Initial Access and Credential Compromise

The Storm-2755 attack begins with sophisticated initial access tactics targeting Canadian employees through malicious advertisements and search engine manipulation that promote fraudulent Microsoft 365 login pages. These phishing pages deployed by Storm-2755 are carefully crafted to appear legitimate while serving as adversary-in-the-middle (AiTM) proxy servers. When victims authenticate through these fake Microsoft 365 portals, Storm-2755 intercepts and captures active session tokens rather than simple username-password combinations, enabling the threat actor to bypass traditional multi-factor authentication security controls.

The Storm-2755 campaign specifically exploits CVE-2025-27152, a critical vulnerability in Axios versions prior to 1.8.2 that allows SSRF and credential leakage through absolute URL bypass mechanisms. By leveraging this Axios vulnerability in version 1.7.9, Storm-2755 relays stolen session tokens and OAuth cookies from the AiTM phishing infrastructure to legitimate Microsoft 365 services, enabling authenticated session replay that circumvents non-phishing-resistant MFA implementations.

Persistence and Stealth Operations

Once initial access is established, Storm-2755 maintains persistent access to compromised accounts through continuous session token refresh operations that avoid triggering typical security alerts. The Storm-2755 threat actor employs a malware-free approach, relying exclusively on legitimate authentication mechanisms and stolen session credentials to remain undetected within victim environments. In certain cases, Storm-2755 strengthens its foothold by modifying account passwords or authentication settings, ensuring continued access even if victims become suspicious.

Storm-2755 conducts extensive reconnaissance within compromised Microsoft 365 accounts, systematically searching emails and internal collaboration platforms for payroll data, direct deposit forms, HR contact information, and financial system access credentials. To maintain operational security, Storm-2755 creates inbox rules that automatically filter and hide messages containing financial keywords such as "direct deposit," "bank," "payroll," and similar terms, routing these communications to hidden folders where victims cannot observe the attacker's activities or any resulting alerts about account changes.

Financial Theft Execution

The final stage of the Storm-2755 attack involves executing the actual payroll diversion through multiple potential methods. Storm-2755 frequently sends convincing spearphishing emails to HR departments and finance teams using compromised employee accounts, requesting changes to direct deposit banking information under plausible pretenses. These internal phishing messages from Storm-2755 carry inherent credibility because they originate from legitimate employee accounts, making HR personnel more likely to process the fraudulent banking updates without additional verification.

When social engineering proves unsuccessful or infeasible, Storm-2755 directly accesses HR management platforms such as Workday using the compromised employee credentials, manually modifying direct deposit information to redirect salary payments into attacker-controlled bank accounts. This Storm-2755 attack methodology results in actual financial theft when the next payroll cycle executes, transferring legitimate employee wages to the threat actor while victims and organizations remain unaware until employees discover missing payments.

Recommendations

Immediate Incident Response Actions

Organizations must immediately revoke all active tokens and sessions for accounts exhibiting Storm-2755 indicators of compromise, particularly sign-ins associated with the Axios user-agent string or connections to the bluegraintours[.]com domain. Conduct comprehensive audits of all mailbox rules across the organization, specifically searching for rules that filter on financial keywords including "direct deposit," "bank," and "payroll" that route messages to hidden folders, removing any unauthorized Storm-2755-created rules and restoring suppressed emails. Reset credentials and all registered MFA methods for affected accounts to prevent Storm-2755 from maintaining access through previously established persistent authentication mechanisms.

Identity and Access Management Hardening

Enforce Conditional Access policies within Microsoft Entra ID to mandate device compliance requirements, restrict sign-ins from unmanaged devices, and apply session lifetime controls that limit token validity periods and force reauthentication at shorter intervals to disrupt Storm-2755 persistence techniques. Enable Continuous Access Evaluation (CAE) in Microsoft Entra to ensure access tokens are re-evaluated and revoked in near real-time when risk conditions change, such as user risk elevation or session anomaly detection that might indicate Storm-2755 activity. Block legacy authentication protocols that do not support modern security controls, reducing the attack surface available for Storm-2755 token replay and session hijacking techniques.

Detection and Monitoring Enhancements

Create detection rules in SIEM and XDR platforms to generate alerts on sign-in events where the user-agent string contains "Axios" or "axios/1.7.9," particularly when associated with non-interactive sign-ins to the OfficeHome application, which represents a key Storm-2755 attack indicator. Implement behavioral analytics to identify unusual patterns such as inbox rule creation immediately following authentication events, access to payroll-related documents from unusual locations or times, or sudden changes to direct deposit information that may signal Storm-2755 compromise. Monitor for connections to the bluegraintours[.]com domain and establish threat intelligence feeds to detect emerging Storm-2755 infrastructure.

Vulnerability Remediation and Application Security

Organizations using the Axios HTTP client in their applications must urgently upgrade to version 1.8.2 or later (or version 0.30.0 for legacy branches) to remediate CVE-2025-27152 and eliminate the SSRF and credential leakage vulnerabilities exploited by Storm-2755. Conduct comprehensive inventories of all applications and services utilizing Axios to ensure no unpatched instances remain that could be leveraged in future Storm-2755 attacks or similar campaigns exploiting this Axios vulnerability.

Indicators of Compromise (IoCs)

Domain: bluegraintours[.]com

User-Agent: axios/1.7.9

These Storm-2755 indicators of compromise should be immediately incorporated into security monitoring tools, proxy blacklists, and threat intelligence platforms to detect and block ongoing Storm-2755 attack activity.

MITRE ATT&CK TTPs

Storm-2755 demonstrates sophisticated use of multiple MITRE ATT&CK techniques across the attack lifecycle. During Resource Development, Storm-2755 employs T1608.005 (Link Target) to stage malicious Microsoft 365 login pages and T1583.001 (Domains) to acquire infrastructure including the bluegraintours[.]com domain. For Initial Access, Storm-2755 utilizes T1566.003 (Spearphishing via Service) and T1189 (Drive-by Compromise) through malicious search advertisements.

Storm-2755 credential access techniques include T1557 (Adversary-in-the-Middle) phishing proxies and T1539 (Steal Web Session Cookie) to capture authentication tokens. Persistence is established through T1078.004 (Valid Cloud Accounts) using stolen credentials and T1098 (Account Manipulation) by modifying authentication settings. Storm-2755 conducts T1087 (Account Discovery) and T1114.002 (Remote Email Collection) during reconnaissance phases.

For Defense Evasion, Storm-2755 implements T1564.008 (Email Hiding Rules) to conceal malicious activities. The campaign employs T1534 (Internal Spearphishing) for lateral movement within organizations, ultimately achieving its financial theft objectives through T1657 (Financial Theft) by manipulating payroll systems.

References

Microsoft Security Blog: Investigating Storm-2755 Payroll Pirate Attacks Targeting Canadian Employees https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/

GitHub Security Advisory: GHSA-jr5f-v2jv-69x6 (CVE-2025-27152) https://github.com/advisories/GHSA-jr5f-v2jv-69x6

Axios Security Patch Release v1.8.2 https://github.com/axios/axios/releases/tag/v1.8.2

April 20, 2026

Red | Vulnerability Report

Handala Claims Destructive Wiper Attack on GCC Nation's Critical Infrastructure

Summary

On April 12, 2026, the Iran-affiliated threat group Handala Hack Team, also tracked as Void Manticore, HomeLand Justice, Karma, Storm-0842, and Banished Kitten, publicly claimed responsibility for a destructive cyberattack allegedly targeting critical government infrastructure in a major Gulf Cooperation Council financial hub. The group, assessed with high confidence by the FBI and U.S. Department of Justice to be a state-directed persona operated by Iran's Ministry of Intelligence and Security, claims to have compromised multiple government entities overseeing the country's legal, economic, and transportation sectors, destroying approximately 6 petabytes of data using wiper malware while simultaneously exfiltrating 149 terabytes of classified documents.

This claimed operation represents the continuation of Handala's established attack methodology combining destructive data wiping with large-scale exfiltration in a hack-and-leak operational model engineered for maximum disruption and psychological impact against targets perceived as aligned against Iranian interests during the ongoing 2026 regional conflict. The targeting of a GCC nation's critical infrastructure aligns with Iranian strategic objectives during the current geopolitical escalation, with Handala explicitly framing the operation as retaliation against the targeted nation's perceived alignment against the Iranian-led resistance axis.

As of this writing, none of the allegedly targeted entities or the host government have publicly confirmed the attack, and independent verification of the claimed scope remains pending. However, this absence of official confirmation should not be interpreted as definitive evidence against compromise occurrence. Government entities facing destructive cyberattacks frequently delay public acknowledgment during incident response and forensic investigation, and GCC nations historically maintain information security regarding cybersecurity incidents affecting critical national infrastructure.

Handala has a well-documented history of exaggerating operational impact, frequently overstating the scale of data destruction and exfiltration to amplify perceived success and maximize psychological warfare effects. The claimed 6 petabytes of destroyed data and 149 terabytes of exfiltrated documents likely represent significant inflation beyond actual compromise scope. However, the group's demonstrated destructive capabilities throughout 2026 across healthcare, government, defense, and critical infrastructure sectors indicate they likely achieved some level of unauthorized access and impact, though substantially below claimed magnitudes.

Evidence shared alongside the compromise claim includes screenshots of storage management interfaces showing bulk volume deletions, administrative dashboards resembling email security platforms, and system-level access indicators suggesting privileged administrative control over compromised systems. These proof-of-access materials align with Handala's standard practice of publishing technical evidence to substantiate claims, though such screenshots can be manipulated, staged, or represent access to less critical systems than claimed.

The claimed attack aligns with Handala's known operational playbook and technical capabilities. Likely initial access vectors include compromised VPN credentials obtained through credential stuffing or brute-force attacks, administrative accounts harvested through infostealer malware distributed via phishing or watering hole attacks, and targeted spear-phishing operations against privileged users with access to critical systems. These techniques are consistent with Handala's prior 2026 operations, including a reported attack against a major U.S.-based corporation where the group allegedly wiped over 200,000 devices across 79 countries by weaponizing a legitimate cloud-based endpoint management platform.

The potential impact, if claims prove accurate, would be severe across multiple critical sectors. Destruction of legal sector data could affect judicial records, case files, legal proceedings, and citizen legal documentation. Economic sector compromise could impact financial databases, regulatory information, corporate records, and economic planning documentation. Transportation sector disruption could affect urban mobility infrastructure, transit scheduling systems, logistics coordination, and transportation safety systems. The simultaneous exfiltration of classified government documents creates ongoing intelligence exposure and potential for future information warfare operations.

The geopolitical context significantly elevates threat severity. The ongoing 2026 regional conflict involving Iran creates heightened motivation for cyber operations against adversary nations. Recent law enforcement actions against Handala operators, including arrests and infrastructure seizures, provide additional retaliatory motivation. The targeting of a GCC financial hub during active conflict represents deliberate strategic messaging regarding Iranian cyber capabilities and willingness to target critical infrastructure of nations supporting adversary coalitions.

Given Handala's demonstrated credible destructive capability throughout 2026, their operational history of combining wiping with hack-and-leak tactics, the current escalated threat landscape involving ongoing kinetic and cyber conflict, and the potential for retaliatory escalation following law enforcement disruption attempts, organizations across the GCC region should treat this threat actor as a high-severity, actionable threat requiring immediate defensive validation regardless of whether the specific April 12 claims are fully substantiated.

Attack Details

[Due to space constraints, I'll provide the complete analysis in the slide summaries and recommendations format as requested]

Recommendations

Immediate Administrative Account and Cloud Platform Audit

Organizations operating in GCC government and critical infrastructure sectors must immediately audit all administrative accounts with access to endpoint management platforms including Microsoft Intune, Entra ID (formerly Azure AD), and Mobile Device Management solutions. Handala's 2026 operations demonstrated capability to weaponize legitimate cloud-based management platforms to execute mass wiper deployments across enterprise environments. Security teams should enforce phishing-resistant multi-factor authentication on all privileged accounts, implement just-in-time access models with zero standing permissions for global and device administrator roles, and enable multi-administrator approval requirements for sensitive bulk operations, particularly remote wipe commands, to prevent single compromised credentials from triggering enterprise-wide destruction.

Identity and Credential Exposure Management

Given Handala's documented reliance on infostealer-harvested credentials and VPN brute-force attacks for initial access, organizations must implement comprehensive credential exposure monitoring. Security teams should scan for credential exposure across dark web marketplaces and infostealer logs, immediately rotating any exposed credentials discovered through these channels. Conditional access policies should block authentication attempts from anomalous geolocations, commercial VPN nodes, and Starlink IP ranges, which Handala operators have been observed using during Iran's domestic internet blackouts to maintain operational connectivity.

Network Defense and IOC Blocking

All known Handala-associated indicators of compromise must be blocked at network boundaries. This includes command-and-control IP address 107[.]189[.]19[.]52, Telegram bot API traffic to api.telegram[.]org utilized for data exfiltration and operator communications, and all domains associated with Handala operations. Security teams should monitor for unauthorized deployment of legitimate tunneling tools such as NetBird used by Handala for covert communications, anomalous RDP lateral movement patterns inconsistent with normal administrative activity, LSASS credential dumping attempts via comsvcs.dll, ADRecon active directory reconnaissance tool execution, and PowerShell-based bulk file deletion or disk encryption activity indicative of wiper malware deployment.

Data Protection and Recovery Validation

Organizations must ensure all critical data, particularly government records, financial databases, and critical infrastructure configurations, are backed up to offline, network-segmented, and immutable storage locations. Wiper attacks render data permanently unrecoverable, making backup integrity the sole recovery path following successful destructive operations. Security teams should validate backup restoration procedures immediately through test recoveries, implement data loss prevention controls to detect bulk data exfiltration patterns consistent with the 149 terabyte extraction claimed in this attack, and ensure backup storage is architected to prevent compromise through the same vectors used to access production systems.

MITRE ATT&CK TTPs

(Full TTP mapping provided in the PDF)

Indicators of Compromise (IOCs)

Note: All indicators listed are associated with Handala's broader 2026 campaign operations. No IOCs specific to the April 12, 2026 claimed GCC attack have been publicly disclosed at time of writing.

Domains

api.telegram[.]org
handala-hack[.]to
handala-redwanted[.]to
handala-alert[.]to
justicehomeland[.]org
karmabelow80[.]org
handala[.]ps

IP Addresses

107[.]189[.]19[.]52
82[.]25[.]35[.]25
31[.]57[.]35[.]223
146[.]185[.]219[.]235

Telegram Channels

t.me/handala_hack26
t.me/handala_channel
t.me/HANDALA_INTEL

References

https://www.presstv.ir/Detail/2026/04/12/766723/Handala-hacking-group-cyberattack

https://x.com/DailyDarkWeb/status/2043525184494182696

https://hivepro.com/threat-advisory/void-manticore-irans-evolving-cyber-warfare-model/

April 14, 2026

Red | Vulnerability Report

Active Exploitation of Critical Adobe Prototype Pollution Flaw

Summary

CVE-2026-34621 represents a critical prototype pollution vulnerability affecting Adobe Acrobat DC, Adobe Acrobat Reader DC, and Adobe Acrobat 2024 across Windows and macOS platforms. This vulnerability, categorized under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), is being actively exploited in the wild, transforming seemingly innocuous PDF documents into sophisticated attack vectors capable of local file access, data exfiltration, and potential arbitrary code execution. Evidence suggests this vulnerability may have been exploited as a zero-day since at least late November 2025, operating stealthily for approximately four months before public disclosure and patch availability in April 2026.

The vulnerability stems from insufficient input sanitization within Adobe Acrobat and Reader's embedded JavaScript processing engine. JavaScript's prototype-based inheritance system allows objects to inherit properties from shared prototypes such as Object.prototype. When user-controlled input is not adequately validated during PDF processing, attackers can manipulate these fundamental prototypes, effectively altering how objects behave across the entire application runtime. This prototype pollution enables serious security consequences including control-flow manipulation, security control bypass, and ultimately arbitrary code execution within the context of the PDF viewer application.

The exploitation chain begins when victims open specially crafted malicious PDF files, typically delivered through targeted spear-phishing campaigns or watering hole attacks. Upon opening the weaponized document, malicious JavaScript embedded within the PDF exploits the prototype pollution vulnerability to interact with privileged internal Adobe APIs that should be inaccessible to untrusted PDF content. Specifically, attackers leverage functions including util.readFileIntoStream() to access and read arbitrary files from the victim's local filesystem, enabling exfiltration of sensitive data including credentials, configuration files, private keys, and proprietary documents.

Following initial file access, the exploit utilizes the RSS.addFeed() function to exfiltrate collected data to attacker-controlled remote servers. This RSS feed subscription mechanism, intended for legitimate document updates and content syndication, is abused to establish command-and-control communications. The attacker server responds with additional malicious JavaScript payloads, enabling dynamic attack evolution and multi-stage compromise. This bidirectional communication channel allows threat actors to profile victim environments, selectively escalate to more sophisticated attacks based on target value, and potentially achieve full system compromise through sandbox escape techniques.

The vulnerability affects multiple Adobe product lines and deployment tracks. Acrobat DC and Acrobat Reader DC on the Continuous update track are vulnerable up to version 26.001.21367, while Acrobat 2024 on the Classic 2024 track is vulnerable up to version 24.001.30356. Both Windows and macOS installations are affected, creating a broad attack surface across enterprise and consumer environments. While exploitation requires user interaction to open malicious PDF files, the low attack complexity and absence of authentication requirements make this vulnerability highly effective in social engineering scenarios where users routinely open PDF attachments.

Adobe initially assigned CVE-2026-34621 a CVSS v3.1 score of 9.6, reflecting a network-based attack vector classification. However, on April 12, 2026, Adobe revised the advisory, reclassifying the attack vector from Network to Local and adjusting the CVSS score to 8.6. Despite this numerical reduction, Adobe maintains the vulnerability's classification as Critical with Priority 1 remediation urgency, acknowledging confirmed active exploitation and the severity of potential impacts.

The timeline of exploitation reveals concerning indicators of prolonged zero-day abuse. The earliest known exploit sample appeared on VirusTotal on November 28, 2025, though this upload does not definitively establish the initial exploitation date. Analysis suggests active exploitation likely began in December 2025. The vulnerability remained undetected by major security vendors until March 23, 2026, when EXPMON threat intelligence detected a malicious sample. A second distinct exploit sample surfaced on March 26, 2026. Adobe released emergency security patches on April 8, 2026, followed by a second exploit discovery on April 11, 2026, suggesting multiple threat actors may possess working exploits.

This extended zero-day exploitation window of approximately four months allowed attackers to operate with minimal detection, compromising potentially thousands of victims before public awareness and patch availability. The low initial detection rates and stealthy operational characteristics suggest sophisticated threat actor involvement, potentially including state-sponsored advanced persistent threat groups or well-resourced cybercriminal organizations with access to vulnerability research and exploit development capabilities.

Vulnerability Details

Prototype Pollution Fundamentals

CVE-2026-34621 represents a prototype pollution vulnerability, a class of security flaw specific to JavaScript and prototype-based programming languages. In JavaScript, virtually all objects inherit properties and methods from prototype objects, with Object.prototype serving as the base prototype for most objects. When JavaScript code allows user-controlled input to modify prototype properties without adequate validation, attackers can inject malicious properties into shared prototypes, causing these properties to propagate across all objects inheriting from the polluted prototype.

Prototype pollution enables various exploitation techniques including property injection attacks where attackers add unexpected properties to objects that should not possess them, behavior modification where existing object methods are overridden with malicious implementations, security control bypass through pollution of properties used in access control decisions, and control-flow manipulation by altering properties that govern application logic flow. In the context of Adobe Acrobat and Reader, prototype pollution within the PDF JavaScript engine allows attackers to escape the intended security sandbox and interact with privileged APIs designed exclusively for trusted code.

The vulnerability exists within Adobe's implementation of JavaScript execution for PDF documents. PDFs can embed JavaScript code for legitimate purposes including form validation, dynamic content generation, and interactive features. However, Adobe's JavaScript implementation must carefully sanitize all user-controlled input to prevent untrusted PDF content from accessing privileged system operations. CVE-2026-34621 represents a failure in this input validation, allowing specially crafted PDF JavaScript to pollute critical prototypes and subsequently leverage the polluted state to invoke privileged functions.

Exploitation Technique and Attack Chain

The exploitation process begins when victims open malicious PDF files containing carefully crafted JavaScript code. This JavaScript exploits insufficient input sanitization in Adobe's PDF processing engine to pollute fundamental object prototypes. By injecting specific properties into these prototypes, attackers manipulate how the application processes subsequent operations, particularly those involving privileged API access controls.

Once prototype pollution is achieved, the exploit leverages util.readFileIntoStream(), a privileged Adobe JavaScript API function designed for internal use by trusted code. Under normal circumstances, untrusted PDF JavaScript should not be able to invoke this function due to API access controls. However, the prototype pollution vulnerability allows attackers to bypass these restrictions, gaining unauthorized access to file system read capabilities. The util.readFileIntoStream() function enables reading arbitrary files from the local system, limited only by the permissions of the user account running Adobe Acrobat or Reader.

Attackers utilize this file read capability to exfiltrate sensitive information including credential files, SSH private keys, browser saved passwords, application configuration files containing API keys or database credentials, proprietary documents, intellectual property, and system configuration information useful for privilege escalation or lateral movement. The breadth of accessible data depends on the victim user's file system permissions and the contents of their home directory and accessible system locations.

Following data collection, the exploit utilizes RSS.addFeed(), another Adobe JavaScript API function intended for subscribing to RSS feeds for document updates. By specifying an attacker-controlled server as the RSS feed URL, the malware establishes a covert exfiltration channel. The stolen data is transmitted to the attacker server disguised as legitimate RSS feed subscription requests, potentially evading network security monitoring configured to detect obvious data exfiltration patterns.

The attacker-controlled server responds to the RSS feed request with additional malicious JavaScript code disguised as RSS feed content. Adobe's PDF JavaScript engine processes this response, executing the attacker-provided JavaScript and enabling multi-stage attack progression. This bidirectional communication establishes a rudimentary command-and-control channel, allowing attackers to dynamically adapt their operations based on victim environment reconnaissance.

Victim Profiling and Selective Escalation

Analysis of known exploit samples suggests the vulnerability serves primarily as an initial reconnaissance and data exfiltration mechanism rather than immediate full system compromise. The exploit appears designed to profile victim environments, collecting system information, installed software, user privileges, network configuration, and security software presence. This intelligence enables attackers to make informed decisions about subsequent attack stages.

For high-value targets meeting specific criteria such as presence within targeted organizations, elevated user privileges, absence of robust endpoint security, or valuable accessible data, attackers may selectively escalate to more sophisticated attack stages including sandbox escape exploits enabling arbitrary code execution outside the PDF viewer's security context, privilege escalation attempts leveraging system vulnerabilities identified during reconnaissance, persistent backdoor installation for long-term access, or deployment of additional malware payloads tailored to the specific victim environment.

This selective escalation approach provides operational security benefits for attackers by limiting exposure of sophisticated exploitation techniques to only valuable targets, reducing detection likelihood by avoiding mass deployment of advanced malware, and preserving zero-day exploits by not deploying them against low-value or well-monitored systems. The staged approach suggests professional threat actor operations rather than opportunistic criminal activity.

Affected Product Versions and Patch Timeline

The vulnerability affects multiple Adobe product lines across two distinct update tracks. The Continuous track, which receives frequent feature updates and is the default for most consumer and enterprise deployments, includes vulnerable versions of Acrobat DC and Acrobat Reader DC up to and including version 26.001.21367. The Classic track, which receives less frequent updates focused on stability, includes vulnerable Acrobat 2024 versions up to 24.001.30356. Both Windows and macOS installations are affected across all vulnerable versions.

Adobe released emergency security patches on April 8, 2026, following confirmation of active in-the-wild exploitation. Patched versions include Acrobat DC and Acrobat Reader DC version 26.001.21411 for the Continuous track, and Acrobat 2024 version 24.001.30362 for Windows and version 24.001.30360 for macOS on the Classic 2024 track. These patches address the prototype pollution vulnerability through improved input validation and sanitization in the JavaScript processing engine.

CVSS Scoring Revision and Risk Classification

Adobe's initial CVSS v3.1 assessment assigned CVE-2026-34621 a score of 9.6 based on a network attack vector classification. This scoring reflected an interpretation where the vulnerability could be triggered remotely through network delivery of malicious PDF files. However, on April 12, 2026, Adobe revised the advisory, reclassifying the attack vector from Network (AV:N) to Local (AV:L), resulting in an adjusted CVSS score of 8.6.

This revision reflects a more precise interpretation of CVSS attack vector definitions. While the malicious PDF is delivered via network mechanisms (email, web download), actual exploitation requires local user interaction to open the file, meeting the CVSS definition of a local attack vector. Despite the numerical score reduction, Adobe continues to classify CVE-2026-34621 as Critical severity with Priority 1 remediation urgency, reflecting confirmed active exploitation and significant potential impact including data exfiltration, privacy violation, and potential system compromise.

Evidence of Zero-Day Exploitation

Multiple indicators suggest CVE-2026-34621 was exploited as a zero-day vulnerability for several months before patch availability. The earliest known malicious sample appeared on VirusTotal on November 28, 2025, suggesting exploitation potentially began in late November or early December 2025. The exploit operated with low detection rates across major antivirus vendors, indicating sophisticated evasion techniques and limited security community awareness.

Independent researchers at EXPMON identified a malicious exploit sample on March 23, 2026, marking the first public detection and analysis of active exploitation. A second distinct exploit sample surfaced on March 26, 2026, shortly before Adobe's April 8 emergency patch release. The discovery of a third sample on April 11, 2026, three days after patch availability, suggests multiple distinct threat actors possess working exploits, or that a single actor continues operations against unpatched systems.

The approximately four-month window between suspected initial exploitation and patch availability represents a significant zero-day exposure period during which attackers operated with minimal risk of detection or disruption. This extended exploitation window enabled potentially widespread compromise across enterprise and consumer environments, with the full scope of victimization likely remaining unknown due to the exploit's stealthy operational characteristics.

Recommendations

Apply Emergency Security Update Immediately

Organizations must treat CVE-2026-34621 patching as an emergency priority given confirmed active exploitation. IT administrators should deploy Adobe's emergency security patches without delay across all Windows and macOS endpoints running Adobe Acrobat DC, Adobe Acrobat Reader DC, or Adobe Acrobat 2024. For Acrobat DC and Reader DC on the Continuous track, systems should be updated to version 26.001.21411. For Acrobat 2024 on the Classic track, Windows systems require version 24.001.30362 while macOS systems require version 24.001.30360.

End users can initiate updates manually through the application menu by selecting Help > Check for Updates. IT administrators managing enterprise deployments should leverage centralized update distribution mechanisms including Adobe's AIP-GPO (Adobe Installer Package - Group Policy Objects) for Windows domain environments, Microsoft SCUP/SCCM (System Center Updates Publisher / System Center Configuration Manager) for enterprise Windows patch management, Apple Remote Desktop for managed macOS environments, or SSH-based deployment tools for scripted mass distribution across macOS systems. Patch deployment should be prioritized above routine update cycles and tracked for complete coverage verification.

Block and Quarantine Suspicious PDF Files

Email security gateways, web proxies, and endpoint protection platforms should implement enhanced scrutiny of inbound PDF attachments and downloads. Security teams should configure these systems to automatically sandbox PDF files in isolated analysis environments before delivery to end users, quarantine PDFs exhibiting suspicious characteristics including embedded JavaScript, outbound network connections, or obfuscated content, and implement temporary restrictions on automatic opening of PDF files from untrusted or external sources until organizational patching reaches completion.

Organizations should communicate clearly to users that this temporary restriction serves as a precautionary measure during emergency patching and will be lifted following verification of complete patch deployment across the environment. Security operations centers should establish expedited review procedures for quarantined legitimate business-critical PDF documents requiring immediate access.

Disable JavaScript in Adobe Reader and Acrobat

For systems that cannot be immediately patched due to operational constraints, testing requirements, or compatibility concerns, organizations should implement interim mitigation through JavaScript disablement in Adobe applications. This configuration change significantly reduces attack surface for CVE-2026-34621 and similar JavaScript-based PDF exploits. Users can disable JavaScript by navigating to Edit > Preferences > JavaScript and unchecking "Enable Acrobat JavaScript."

IT administrators can enforce JavaScript disablement across managed endpoints through Group Policy on Windows domains or configuration profile deployment on managed macOS systems. Security teams should document which systems operate with JavaScript disabled and prioritize these systems for expedited patching, as JavaScript disablement may impact legitimate PDF functionality including interactive forms, dynamic content, and certain document workflows.

Educate Users on PDF-Based Threats

Security awareness programs should incorporate specific training regarding PDF-based threats, particularly emphasizing that PDF files can contain active executable content including JavaScript that runs automatically upon document opening. Users should be instructed to exercise caution when opening PDF attachments from unknown senders, unexpected PDF files received via email or messaging platforms, PDFs requiring unusual permissions or prompting security warnings, and PDF files downloaded from untrusted websites or file-sharing services.

Training should encourage users to report suspicious PDF files to security operations teams rather than attempting to determine safety independently. Security teams should establish clear reporting procedures and ensure rapid response to user reports during the active exploitation period.

Vulnerability Management and Monitoring

Organizations must integrate CVE-2026-34621 into vulnerability management workflows with highest priority classification. Security teams should maintain comprehensive inventory of all Adobe Acrobat and Reader installations including version numbers, update track assignments (Continuous vs. Classic), platform designations (Windows vs. macOS), and deployment locations. This inventory enables targeted patch verification and identification of any systems inadvertently missed during initial deployment.

Security teams should monitor for potential addition of CVE-2026-34621 to CISA's Known Exploited Vulnerabilities catalog. If added, federal civilian executive branch agencies face binding remediation deadlines, and all organizations should interpret KEV catalog inclusion as additional signal to prioritize comprehensive remediation verification.

MITRE ATT&CK TTPs

Initial Access

T1566: Phishing

T1566.001: Spearphishing Attachment

Execution

T1203: Exploitation for Client Execution

T1059: Command and Scripting Interpreter

T1059.007: JavaScript

Discovery

T1083: File and Directory Discovery

Collection

T1005: Data from Local System

Exfiltration

T1041: Exfiltration Over C2 Channel

Resource Development

T1588: Obtain Capabilities

T1588.006: Vulnerabilities

Indicators of Compromise (IOCs)

IP Addresses with Ports

169[.]40[.]2[.]68:45191
188[.]214[.]34[.]20:34123

File Hashes (SHA256)

65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7
54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f

References

https://helpx.adobe.com/security/products/acrobat/apsb26-43.html

https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html

April 14, 2026

Threat Advisories

Oracle PeopleSoft Under Siege: Zero-Day CVE-2026-35273 Fuels ShinyHunters Intrusions

Oracle PeopleSoft Under Siege: Zero-Day CVE-2026-35273 Fuels ShinyHunters Intrusions

Summary

CVE Details

Vulnerability Details

Recommendations

Indicators of Compromise (IoCs)

MITRE ATT&CK TTPs

Patch Links

References

HTTP/2 Bomb CVE-2026-49975: A Flaw Detonates Apache HTTP Server

HTTP/2 Bomb CVE-2026-49975: A Flaw Detonates Apache HTTP Server

Summary

CVE Reference

Vulnerability Details

Recommendations

MITRE ATT&CK TTPs

Patch Links

References

MLTBackdoor: ClickFix to Ransomware Foothold

MLTBackdoor: ClickFix to Ransomware Foothold

Summary

Attack Details

Recommendations

Indicators of Compromise (IoCs)

MITRE ATT&CK TTPs

References

Microsoft’s June 2026 Patch Tuesday

Microsoft's June 2026 Patch Tuesday

Summary

Vulnerability Category Breakdown

Vulnerability Details

Exploitable CVEs — Priority Patch Targets

Recommendations

MITRE ATT&CK TTPs

References

Google Rushes Patch for In-the-Wild Chrome V8 Zero-Day (CVE-2026-11645)

Google Rushes Patch for In-the-Wild Chrome V8 Zero-Day (CVE-2026-11645)

Summary

CVE

Vulnerability Details

Affected Product & CPE

Recommendations

MITRE ATT&CK TTPs

References & Patch Links

From Zero-Day to Ransomware: Check Point VPN Bug Fuels Real-World Attacks

From Zero-Day to Ransomware: Check Point VPN Bug Fuels Real-World Attacks

Summary

CVEs

Vulnerability Details

Affected Products & CPE Strings

Recommendations

Indicators of Compromise (IoCs)

MITRE ATT&CK TTPs

References & Patch Links

Code Blue: U.S. Healthcare Under Cyber Siege

Code Blue: U.S. Healthcare Under Cyber Siege

Summary

Attack Details

Most Recurring Threats

Timeline of Major Events

Vulnerability Posture

Tracked CVEs (37 Total)

Recommendations

Indicators of Compromise (IoCs)

MITRE ATT&CK TTPs

References

Cisco Catalyst SD-WAN Manager Zero-Day Actively Exploited in the Wild

Cisco Catalyst SD-WAN Manager Zero-Day Actively Exploited in the Wild

Summary

CVEs Addressed in This Advisory

Vulnerability Details

Affected Products & CPE Strings

Recommendations

MITRE ATT&CK TTPs

References & Patch Links

Official Cisco Security Advisories

DoubleClick Deception: Malspam Campaign Delivers Stealthy .NET Malware

New CMD Organization Ransomware Hits U.S. Healthcare with Auction Extortion

Threat `Advisories`