LIVE: Cyber Threat Intelligence Feed


This feed provides organizations with timely, actionable updates on the evolving cyber threat landscape. It highlights observed threat activity, indicators of compromise (IoCs), active campaigns, targeted sectors, and emerging vulnerabilities, along with recommended actions to help organizations proactively reduce risk. The intelligence is compiled and curated by Help AG’s CTI team using insights from internal monitoring, trusted partner sources, and industry threat and vulnerability feeds.

Threat Intel

Apr 28, 2026

Fields per entry: Campaign | IoC | Campaign Scope | Malware/Tools | Targeted Country | Threat Actor | Sector | MITRE ATT&CK Techniques | Threat Severity | Recommendation

Campaign: APT / Financially Motivated Intrusion (Social Engineering + Multi-Stage Malware)
IoC:
“uu03webzoom[.]us 83[.]136[.]208[.]246 83[.]136[.]209[.]22 104[.]145[.]210[.]107 check02id[.]com thriddata[.]com hxxps://83[.]136[.]209[.]22:8444/download?id=8766ceb975cadedca38aad72091017cdb5d3e4c8f8af0441 hxxps://83[.]136[.]209[.]22:8444/download?id=b1a87ab536188b10f02b3d84d03c0a45ed38f948a338d8f4 ee4807a19e432cf370f860f7b4deb84b04349143f921ac62fb0f6ef9eb3e6123 0fdac2d4f5fe127eec1754ceebfb67131a03e0271d5e128db2084665cac88533 29fb6b49e33d8b6dc967a0b11d1225ec5a9f30faf6bde341bf3545298656fe6b 2acf6335315f7ba1270d7cfaaa7e420794ce0f7c8f5c1ba41be5075ced19e537 bc94f02c97af6761f9dc21d39ea4564a209f087c3441a33872e68742f468a9c5 841444082ae59707aeb47b597282e17d5d9af37c00f146745d88baac308dc8e3 4aa85fabfe717b3c31e0b24afb4a07008305e0a9faedf295d4e74a49e0ec3b40 8a7273889c3fedf81ffe2dcfc1a321771620d71cd0d98125a0a237842d79f35e 96ab701c444d9922802fe20adfc81f3476e014f8c4ba0b951714127ecac58edf d498013b6f27debf027352a5c8b481ade180541443c027afdc1c3634ca7f2a1f f391954378707e8b471c785ee792efacf97e7be80d4200966cbb176d531f0721 345b3497d5c7945c9c2e47663926f0dcdd931be3df12c4f7d10d6356a3b5bc7c a37cb38b178833f15bf13fd5fa622b694c2244230ac0be33e75680c71dc08a08 17158cd6490a2b3c672d087f3d69107643d6a6f7c67345461b10ae18f27e28d1 db446f0e1d18b43805bfefe1af934ae4b0879e376904635cc7e14eae2d7fc682 dd1c72823f933952619cbb86aaeaea43057a259e9a0c9e3b11c82225ec3faaa1 E598EB0078A3C6D887135518EDA1424E59F2B6CBF5A902FFE1063C34E03E3ED8 EDD0301FFB793169B1314C59C0EF3A98D5793C0441DD43A7C484D61DEB4F107F 6030338469819129924C6E01E110145A128CA3D944CD4B696ABC7925A1840001”
Campaign Scope: Highly targeted Web3/crypto campaign using fake Zoom invites, typosquatted domains, and multi-stage malware to steal credentials, hijack sessions, and exfiltrate sensitive data
Malware/Tools: PowerShell-based payloads, browser credential stealers, Telegram session hijacking tools, clipboard-based loaders
Targeted Country: United States, Singapore, United Arab Emirates, United Kingdom, Europe, Israel, Canada
Threat Actor: BlueNoroff (APT38 / Lazarus subgroup)
Sector: Finance, Cryptocurrency
MITRE ATT&CK Techniques: T1566.002, T1204.001, T1059.001, T1055, T1105, T1071.001, T1041, T1555, T1552.001, T1547.001, T1113, T1125, T1082, T1057, T1518
Threat Severity: Critical
Recommendation: Enforce MFA across all accounts; deploy advanced email and phishing protection; restrict PowerShell execution and monitor for anomalies; deploy EDR with behaviour-based detection; monitor for the listed domains and for suspicious outbound traffic; keep crypto wallet keys on hardware wallets; run executive-focused phishing awareness training
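The IoC columns in this feed are defanged (hxxps://, [.]) and mix hashes, IPs, domains, URLs and e-mail addresses in one space-separated string. Before any of it can go into a blocklist or an EDR hunt the values have to be refanged, normalised and sorted by type. The following is an added example written for this page, not tooling from Help AG's CTI team: a small classifier that refangs each token, lowercases hashes and domains, and keeps anything it cannot classify in an "unclassified" bucket so that a malformed value is reviewed instead of silently dropped. The sample input is constructed from a handful of values taken from the entries in this feed plus two deliberately malformed tokens (a 63-character hex string and a bare word).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a few values copied from the IoC columns of this feed,
# plus two malformed tokens to show how unparseable input is handled.
SAMPLE_IOCS = """
uu03webzoom[.]us 83[.]136[.]208[.]246 check02id[.]com
hxxps://83[.]136[.]209[.]22:8444/download?id=8766ceb975cadedca38aad72091017cdb5d3e4c8f8af0441
ee4807a19e432cf370f860f7b4deb84b04349143f921ac62fb0f6ef9eb3e6123
E598EB0078A3C6D887135518EDA1424E59F2B6CBF5A902FFE1063C34E03E3ED8
agha[.]hassan@psca[.]gop[.]pk
fe17e2ea4012d07d90ecb7793c1b0593a6138d25a393192263e751660ec3cd0 notanindicator
"""

# Common defanging conventions and their refanged form.
_DEFANG_SUBS = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]|\[at\]", re.IGNORECASE), "@"),
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),
]
_RE_URL = re.compile(r"^https?://\S+$", re.IGNORECASE)
_RE_EMAIL = re.compile(r"^[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$", re.IGNORECASE)
_RE_HEX = re.compile(r"^[0-9a-f]+$")
_RE_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_RE_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Quote characters that extraction tends to leave glued to the first/last token.
_QUOTES = "\"'\u201c\u201d\u2018\u2019\u2033"
KINDS = ("url", "email", "md5", "sha1", "sha256", "ipv4", "domain", "unclassified")


def refang(token: str) -> str:
    """Strip stray quotes and undo the usual defanging substitutions."""
    t = token.strip(_QUOTES)
    for pattern, repl in _DEFANG_SUBS:
        t = pattern.sub(repl, t)
    return t


def classify(token: str) -> Tuple[str, str]:
    """Return (kind, normalised value). Order matters: URLs and e-mails contain
    dots and would otherwise look like domains; hashes are hex-only strings
    of exactly 32/40/64 characters, so a 63-character value is NOT a hash."""
    t = refang(token)
    if _RE_URL.match(t):
        return "url", t
    low = t.lower()
    if _RE_EMAIL.match(t):
        return "email", low
    if _RE_HEX.match(low) and len(low) in _HASH_LEN:
        return _HASH_LEN[len(low)], low
    if _RE_IPV4.match(t):
        return "ipv4", t
    if _RE_DOMAIN.match(low):
        return "domain", low
    return "unclassified", t


def classify_iocs(text: str) -> Dict[str, List[str]]:
    """Split a whitespace-separated IoC blob into typed, de-duplicated lists."""
    buckets: Dict[str, List[str]] = {k: [] for k in KINDS}
    seen = set()
    for tok in text.split():
        kind, value = classify(tok)
        if (kind, value) in seen:
            continue
        seen.add((kind, value))
        buckets[kind].append(value)
    return buckets


if __name__ == "__main__":
    for kind, values in classify_iocs(SAMPLE_IOCS).items():
        for v in values:
            print(f"{kind:12} {v}")
```

The "unclassified" bucket is the important part: the 63-character value above is what a truncated SHA-256 looks like after a copy-and-paste, and it should be checked against the original advisory rather than loaded into a tool that will never match it.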

Campaign: Supply Chain Attack – elementary-data compromise
IoC: 31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255 igotnofriendsonlineorirl-imgonnakmslmao[.]skyhanni[.]cloud hxxps://litter[.]catbox[.]moe/iqesmbhukgd2c7hq[.]sh
Campaign Scope: Global (developers using PyPI and container images)
Malware/Tools: Credential stealer (multi-stage, launched from a .pth file whose import line Python executes at interpreter start-up)
Targeted Country: Not specified
Threat Actor: Unknown
Sector: Not specified
MITRE ATT&CK Techniques: T1195.002, T1059.004, T1552.001, T1552.006, T1071.001, T1041
Threat Severity: High
Recommendation: Implement dependency verification and scanning, audit CI/CD pipelines, enforce MFA, isolate build environments, and monitor for unusual outbound traffic
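The .pth mechanism this entry relies on is a documented CPython feature: when site.py processes site-packages it reads every *.pth file, and any line beginning with "import " or "import\t" is passed to exec(), before the program itself runs. That makes a .pth file a persistence and loader spot that dependency scanners rarely look at. The following is an added example, not code from the page or from the affected project: a scanner that walks the site-packages directories, extracts only the lines site.py would execute, and flags those that contain exec/eval, base64, or network and process-spawning calls. The demo directory it builds is constructed: it contains the real, benign distutils-precedence.pth line that setuptools installs (which must not be flagged) and a hostile line in the style described above.

```python
import hashlib
import site
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# Fragments that have no business in a legitimate .pth import line.
SUSPICIOUS = ("exec(", "eval(", "compile(", "base64", "zlib", "marshal",
              "os.system", "subprocess", "socket", "urllib", "http.client",
              "requests", "\\x", "getattr(")
MAX_LINE = 200  # legitimate .pth import lines are short one-liners


@dataclass
class Finding:
    path: str
    line_no: int
    reasons: List[str]
    sha256: str  # hash of the offending line, for sharing/allowlisting


def scan_pth_file(path: Path) -> List[Finding]:
    findings: List[Finding] = []
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            # site.py only exec()s lines that start with "import " / "import\t";
            # comments, blanks and plain directory entries are never executed.
            if not line.startswith(("import ", "import\t")):
                continue
            reasons = [kw for kw in SUSPICIOUS if kw in line]
            if len(line) > MAX_LINE:
                reasons.append(f"import line longer than {MAX_LINE} chars")
            if reasons:
                digest = hashlib.sha256(line.encode("utf-8")).hexdigest()
                findings.append(Finding(str(path), n, reasons, digest))
    return findings


def scan_dirs(dirs: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for f in sorted(p.glob("*.pth")):
            out.extend(scan_pth_file(f))
    return out


def default_dirs() -> List[str]:
    """Every directory site.py will read .pth files from for this interpreter."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


def build_demo_dir() -> str:
    """Constructed test fixture: one benign and one hostile .pth file."""
    d = Path(tempfile.mkdtemp(prefix="pth-demo-"))
    # Real line shipped by setuptools: imports os, no exec/eval, no network.
    (d / "distutils-precedence.pth").write_text(
        "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = "
        "os.environ.get(var, 'local') == 'local'; enabled and "
        "__import__('_distutils_hack').add_shim(); \n")
    # Constructed hostile loader (the blob only decodes to a print call here).
    (d / "zzz-helper.pth").write_text(
        "# looks like an ordinary path file\n"
        "/usr/lib/python3/dist-packages\n"
        "import base64,sys;exec(base64.b64decode('cHJpbnQoJ3B0aCBsb2FkZXIgcmFuJyk='))\n")
    return str(d)


if __name__ == "__main__":
    for finding in scan_dirs(default_dirs()):
        print(finding)
```

Run it on the build agents and developer workstations that install from PyPI; anything it reports should be compared against the package that owns the file (pip show -f lists .pth files per distribution) before it is removed. A file in site-packages that no installed distribution claims is itself a finding.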

Campaign: Infostealer Campaign – Vidar resurgence
IoC: 03acfc32bb897deee78c9a103e7921334fc97d9fdac944523ae3e95e5e867676 d586d192b0d5c050a03698753d9754ec0f5ce0b0791e0c2919a46284bf3b3c14 chi[.]botick[.]top gpu[.]orca-trade[.]com my-vidar[.]ru v-new[.]cloud v-tamin[.]lol vidar[.]su vidars[.]su vidmn[.]top wto[.]mir-massage[.]kiev[.]ua hxxps://steamcommunity[.]com/profiles/76561198761022496 hxxps://steamcommunity[.]com/profiles/76561198763098204 hxxps://steamcommunity[.]com/profiles/76561198754004827 hxxps://vidars[.]su/files/instructions/cripto_en[.]pdf 193[.]233[.]198[.]22 65[.]109[.]242[.]143 95[.]216[.]181[.]234
Campaign Scope: Global (enterprise and individual users)
Malware/Tools: Vidar Stealer (v2.0)
Targeted Country: Not specified
Threat Actor: Multiple / commodity threat actors
Sector: Not specified
MITRE ATT&CK Techniques: T1566.001, T1566.002, T1204.002, T1574.002, T1036.005, T1555.003, T1552.001, T1071.001, T1102.002, T1041, T1568.003
Threat Severity: High
Recommendation: Strengthen user awareness, enforce MFA, block the listed domains and IPs through threat intelligence feeds (including the Steam Community profile URLs above, which are web-service traffic and will not be caught by a plain domain block), deploy secure web gateways and DNS filtering, sandbox downloads, and monitor outbound traffic for anomalies

Campaign: Targeted Spear-Phishing Campaign (Safe Jail Project lure)
IoC: ff892c71475c71eccf3ab3f650d7aea30b61c9dc0c39a89b7f3f434469aa8d8b 49f304eb2772bf194e21c90bf5f1783770020538c80c0ca71afc5f1adcd19e86 763ea284945c83e7649eb87938514ed782c01c03f6482347680485b50a283006 ecfe3c552907e73a4f4b0e27f27be34c hxxps://adobe-pdfreader[.]b-cdn[.]net/code[.]exe hxxps://adobe-pdfreader[.]b-cdn[.]net/Adobe[.]application hxxps://adobe-pdfreader[.]b-cdn[.]net/adobe[.]application agha[.]hassan@psca[.]gop[.]pk
Campaign Scope: Targeted (government entities – PSCA and PPIC3)
Malware/Tools: Custom malware delivered via VBA macro and ClickOnce (.application) packages
Targeted Country: Pakistan
Threat Actor: Unknown (custom tooling, targeted intrusion)
Sector: Government, Administration
MITRE ATT&CK Techniques: T1566.001, T1204.002, T1059.005, T1105, T1102.002, T1041, T1036.005, T1564.007, T1057
Threat Severity: High
Recommendation: Treat macro-enabled documents and fake update prompts as suspect, block untrusted CDN domains, monitor VS Code tunnel usage, detect Discord webhook activity, and strengthen email security, user awareness, and EDR coverage

Campaign: Tax-Themed Phishing Campaign (Income Tax impersonation)
IoC: googlevip[.]shop dadasf[.]qpon googleaxc[.]shop zyisykm[.]shop
Campaign Scope: Targeted (multinational organizations with ties to India)
Malware/Tools: XRed Remote Access Trojan (RAT)
Targeted Country: India, United Kingdom, United States
Threat Actor: Unknown
Sector: Finance
MITRE ATT&CK Techniques: T1566.002, T1204.002, T1059.005, T1547.001, T1105, T1082, T1056.001, T1071.001, T1041
Threat Severity: High
Recommendation: Treat unsolicited tax-related communications with caution, verify authenticity through official channels, implement strong email filtering and user awareness training, keep systems patched, and encourage reporting of suspicious emails

Campaign: Cyber Espionage Campaign (TrueConf exploitation + phishing)
IoC:
“ec8e7c3ce38e0ead9acbcb0d9b8eeaedc386e52a1c7341dcf3373b431dcae5ed 77b49d4b8572fba988416fef76b030751951e3388b1a5fc0d173feda1cffaaca d7d6894c2fbce3d91af8de50e7cd649f12627d94a1a9b430f6e583714d48be29 2a1d08d8c86b4e513c8767facb49762085594a788e4a84eb85833aa532f969f1 8fff3933562ea21ec51b4926026522de775e3f45d4c37b18e391c531aa76892d 41f5f2dab504b9464be9bfc3c19ebfc307330d8c2aae6755b34253b0665b4ee1 00a23d49a73ce754b604f720814821a45dbcc153c6d2ce63266653ca8504538c a3508cfa2ae935325aa5d74cf53537b59169890b52b9fab81121263074bb1db6 ad9d248b580a7b46bc083ddf56c164d69236d43388b1a6a40a70d90e6fa6fa9b 97044babdf67eb7ef17fc6578f0811d31a0cd5199e239e305917540f5c18b895 fa1dfc23e3fa8e8174db208bc178910123e79e05d1c0714f2e3e9351f051a409 6ec6007db0e16e4de7a8344c7da2b4222cb452ac3d91d385e70300087c2424da 639bf088bcd9a1ac21afbac3438fe84eb1d686c24fccfc8968ed0f9ede2540cf 42d128ac1171ea28753ca623fe32031da0a6efe466111bd703edc3f1ef17806b C01CDC8D7C506831D3A6911DBC8C782388E3434385BE60149E20423BD570D3DA 15d5e71ce278bb21842ac64b7a654b61832e3703fddb1307a8a2ea9ab1da60c0 93e9f3e656967220642484ade21387c08f682562 9123ddf27ffc8eb1a4e5f9d78a8226d2a148b5d9 5fe6ae13ed4d0b3302a023cd81eed28252b8e166 d37ec845c8b1e9756cb586aa6791b782cc04db3f b11ba850524c608df62b0e1b192d829975811ee9 d74b9bb45936a373f5753f4ad1f945f7b022b15a 9c4c6b7e98e974d3903eaa9df5b8d64af840c84c f04554c5a24dd609478814799dbe18448c33d557 2456adde2e3740609388f92e4d282a688ed9380e 3ff8732f802f049b37a02a5d902026582bdb8d30 518d2bf2afc4d1841ba0d093370d3c3e81fd434b dadefb6493bc374983131923910318c84520c65b f402d5baea487df61a68e4008d2109d7a7e84cbc cbcfd3c45d91c5d0959f140d38f7902646a537aa d91f8fb7ee4ec98bd80bad69d7667842 486faa9e2efbf78d4c03ba5dfe72eb1d 2dc957cf3f0f6c5c5e6fc865f8bbce42 cd915c6d6cb455fb2786cb4e2debdafc b09cdccc08e702b28c0fd45b20660844 7346809cdf85b476b4c170c4d473475f 2bf231028463eca661b0fd78184020fd 1bc7a6056d5b35a938d67e3bf81da5e8 9a0cb8b002a8cae40fabcfe5e1d62c3e 286bd098de67fd675e230878dffa7284 f0afcb3bd7f00356c4f8ada2c27d8c79 
ea84158992c0c202b2e5c68013e6decc 741cedd889a4a50ebc8010cf83ca3d60 dce7182b0cd8d23271e2cb806be138c2 01f67bb1d852622476496d991c59d3b4 7672760fdef08bcf7ea44d9896aae15e 148[.]222[.]186[.]65 188[.]127[.]227[.]46 194[.]116[.]214[.]233 194[.]36[.]170[.]104 194[.]36[.]170[.]33 217[.]144[.]185[.]92 217[.]60[.]36[.]79 217[.]60[.]37[.]108 31[.]56[.]227[.]100 31[.]57[.]105[.]56 31[.]57[.]106[.]171 31[.]57[.]109[.]226 31[.]59[.]105[.]51 46[.]8[.]64[.]90 79[.]137[.]194[.]216 87[.]245[.]178[.]172 94[.]183[.]187[.]205 95[.]182[.]115[.]153 1c-dev[.]it[.]com 1cbit-dev[.]com analize-team[.]help analytisec[.]space appcleaner[.]it[.]com brightshield[.]space cloud-home[.]casa cyberposi[.]space defentry[.]online e-marketdrive[.]ru hr-resourse[.]com infonixsecurity[.]online ironshieldsecurity[.]space itbase-soft[.]store itflow-engine[.]com kavfs-update[.]cloud ksc-update[.]com master-cloud[.]team monta-s-s[.]ru obsidianshield[.]space optivault[.]space primeinfosec[.]space safebloom[.]space shibargan[.]ru solution-itspace[.]online telecom-connect[.]cloud trustbeam[.]space xbox-updater[.]online”
Campaign Scope: Targeted (government organizations via TrueConf exploitation)
Malware/Tools: MacTunnelRAT, PhantomSscp, PhantomProxyLite, PhantomPxPigeon, LockBit
Targeted Country: Russia
Threat Actor: PhantomCore
Sector: Government, Administration
MITRE ATT&CK Techniques: T1190, T1566.001, T1059.001, T1505.003, T1021.006, T1021.001, T1003.001, T1003.003, T1078, T1098, T1053.005, T1543.003, T1572
Threat Severity: Critical
Recommendation: Immediately patch TrueConf servers, remove public exposure of conferencing systems where possible, enforce network segmentation, monitor for web shells, review RDP and WinRM usage, deploy WAF protections, and hunt continuously for credential dumping and persistence mechanisms

Campaign: Spear-phishing + Fileless Multi-stage Campaign
IoC: 717da2804144e9759c4e6409f18b7b4b 07aa715f8a6f56a96476aae0ebca17c7 d0d17a50422e3d4a0a50fed0878a47d6 ca002f49f3d5ee36ded21e235e8d04e7 9c0409be11a6c4433896db58e7095464
Campaign Scope: Targeted (multi-sector espionage campaign using cloud service abuse and steganography)
Malware/Tools: Fileless C# loader, Excel macro payload, Telegram bot C2, steganography modules
Targeted Country: Middle East, United States, Europe
Threat Actor: APT-C-49 (OilRig / APT34 / Helix Kitten)
Sector: Government, Finance, Energy, Telecoms, Chemical
MITRE ATT&CK Techniques: T1566.001, T1204.002, T1059.005, T1027.003, T1053.005, T1105, T1102.001, T1102.002, T1041
Threat Severity: High
Recommendation: Block macro-enabled attachments, disable Office macros by default, restrict scripting engines (VBA and on-the-fly C# compilation), monitor scheduled tasks, limit abuse of cloud services (GitHub, Google Drive, Telegram), deploy EDR capable of detecting fileless execution, enforce least privilege, and strengthen email security controls

Campaign: Large-scale phishing + domain impersonation campaign (Operation TrustTrap)
IoC:
” www[.]mass[.]gov-suc[.]cc www[.]mass[.]gov-ypk[.]cc www[.]mass[.]gov-wkg[.]cc www[.]mass[.]gov-odb[.]cc www[.]mass[.]gov-icw[.]cc www[.]mass[.]gov-hjc[.]cc www[.]mass[.]gov-emz[.]cc www[.]gov-lzk[.]cc www[.]az[.]gov-lzk[.]cc www[.]az[.]gov-huv[.]cc www[.]az[.]gov-ocq[.]cc www[.]az[.]gov-cgt[.]cc www[.]az[.]gov-swy[.]cc www[.]mass[.]gov-raj[.]cc www[.]mass[.]gov-kzc[.]cc www[.]mass[.]gov-bza[.]cc www[.]mass[.]gov-yta[.]cc www[.]mass[.]gov-cen[.]cc www[.]gov-tda[.]cc www[.]mass[.]gov-btx[.]cc www[.]mass[.]gov-ktx[.]cc nh[.]gov-nde[.]cc mass[.]gov-xct[.]cc www[.]mass[.]gov-ufa[.]cc www[.]mass[.]gov-iua[.]cc www[.]mass[.]gov-nha[.]cc www[.]mass[.]gov-uva[.]cc www[.]mass[.]gov-ngx[.]cc www[.]gov-cbv[.]cc www[.]gov-wyx[.]cc www[.]mass[.]gov-bjw[.]cc www[.]mass[.]gov-uce[.]cc www[.]mass[.]gov-hva[.]cc wv[.]gov-hng[.]cc wv[.]gov-hna[.]cc wv[.]gov-hnd[.]cc az[.]gov-nci[.]cc www[.]gov-jyd[.]cc www[.]gov-ckw[.]bond az[.]gov-ncq[.]cc az[.]gov-nco[.]cc www[.]gov-iop[.]cc www[.]gov-hxi[.]cc www[.]gov-ejx[.]bond www[.]mass[.]gov-xct[.]cc mass[.]gov-raj[.]cc www[.]mass[.]gov-kse[.]cc www[.]mass[.]gov-uca[.]cc mass[.]gov-ucq[.]cc mass[.]gov-nka[.]cc wv[.]gov-qwd[.]cc mass[.]gov-wjd[.]cc az[.]gov-sxa[.]cc www[.]mass[.]gov-nka[.]cc www[.]mass[.]gov-wmc[.]cc wv[.]gov-nvk[.]cc az[.]gov-sxs[.]cc www[.]michigan[.]gov-nju[.]cc mass[.]gov-ktx[.]cc mass[.]gov-wmc[.]cc mass[.]gov-cre[.]cc www[.]mass[.]gov-ucq[.]cc ri[.]gov-jhd[.]cc ncdot[.]gov-stmv[.]cc ncdot[.]gov-stmn[.]cc az[.]gov-sxb[.]cc az[.]gov-sxc[.]cc mass[.]gov-kzc[.]cc az[.]gov-sxv[.]cc az[.]gov-ncp[.]cc mass[.]gov-tvz[.]cc www[.]mass[.]gov-wjd[.]cc www[.]mass[.]gov-tvz[.]cc wv[.]gov-nvf[.]cc mass[.]gov-uva[.]cc mass[.]gov-ngx[.]cc mass[.]gov-iua[.]cc mass[.]gov-uce[.]cc az[.]gov-sxz[.]cc az[.]gov-sxm[.]cc www[.]mass[.]gov-cre[.]cc mass[.]gov-hva[.]cc mass[.]gov-bjw[.]cc az[.]gov-ncr[.]cc mass[.]gov-kse[.]cc az[.]gov-sxn[.]cc www[.]gov-yex[.]cc www[.]az[.]gov-txb[.]bond www[.]gov-gva[.]cc www[.]gov-uxs[.]bond www[.]gov-gos[.]cc 
www[.]gov-tca[.]cc ncdot[.]gov-stwt[.]cc www[.]gov-hxw[.]cc www[.]gov-jdz[.]bond www[.]gov-lnx[.]bond mass[.]gov-btx[.]cc mass[.]gov-uca[.]cc az[.]gov-nct[.]cc mass[.]gov-nha[.]cc mass[.]gov-aun[.]cc michigan[.]gov-nju[.]cc www[.]gov-twh[.]bond mass[.]gov-yta[.]cc mass[.]gov-ufa[.]cc mass[.]gov-bza[.]cc mass[.]gov-cen[.]cc wv[.]gov-tqj[.]cc ncdot[.]gov-kfo[.]cc wv[.]gov-hns[.]cc ncdot[.]gov-kfy[.]cc ncdot[.]gov-uji[.]cc ncdot[.]gov-tgy[.]cc ncdot[.]gov-stwi[.]cc ncdot[.]gov-stms[.]cc ncdot[.]gov-stmf[.]cc ncdot[.]gov-stmd[.]cc ncdot[.]gov-stmb[.]cc ncdot[.]gov-stma[.]cc ncdot[.]gov-olp[.]cc ncdot[.]gov-kfw[.]cc ncdot[.]gov-stmc[.]cc ncdot[.]gov-kfe[.]cc ncdot[.]gov-yhu[.]cc ncdot[.]gov-stmx[.]cc ncdot[.]gov-kft[.]cc ncdot[.]gov-iko[.]cc ncdot[.]gov-dcf[.]cc ncdot[.]gov-rfd[.]cc ncdot[.]gov-kfr[.]cc ncdot[.]gov-saz[.]cc ncdot[.]gov-kfp[.]cc wv[.]gov-hny[.]cc wv[.]gov-hno[.]cc wv[.]gov-hni[.]cc www[.]mass[.]gov-tia[.]cc wv[.]gov-qwg[.]cc www[.]gov-zsr[.]bond wv[.]gov-qwk[.]cc wv[.]gov-qwc[.]cc utah[.]gov-aps[.]cc www[.]gov-icw[.]cc www[.]gov-odb[.]cc www[.]gov-lzp[.]cc www[.]gov-emj[.]cc www[.]gov-enu[.]cc www[.]gov-hjc[.]cc www[.]gov-emz[.]cc www[.]gov-ypk[.]cc www[.]gov-wkg[.]cc www[.]gov-aix[.]cc www[.]gov-suc[.]cc ncdot[.]gov-stda[.]cc ncdot[.]gov-stds[.]cc ncdot[.]gov-vro[.]cc ncdot[.]gov-stdm[.]cc wv[.]gov-hyj[.]cc wv[.]gov-tlo[.]cc wv[.]gov-cmi[.]cc ncdot[.]gov-stdb[.]cc ncdot[.]gov-mip[.]cc ncdot[.]gov-gop[.]cc az[.]gov-hae[.]cc ncdot[.]gov-cqo[.]cc ncdot[.]gov-stnz[.]cc ncdot[.]gov-cqa[.]cc ncdot[.]gov-stdx[.]cc ncdot[.]gov-stdn[.]cc ncdot[.]gov-cqr[.]cc ncdot[.]gov-iop[.]cc ncdot[.]gov-stdz[.]cc ncdot[.]gov-stdc[.]cc ncdot[.]gov-cqw[.]cc co[.]gov-uji[.]cc ncdot[.]gov-stdv[.]cc utah[.]gov-apd[.]cc www[.]mass[.]gov-wtb[.]cc www[.]mass[.]gov-qht[.]cc www[.]mass[.]gov-xmj[.]cc www[.]mass[.]gov-khw[.]cc expresstoll[.]gov-dmre[.]cc ncdot[.]gov-gjk[.]cc www[.]ut[.]gov-eny[.]cc www[.]gov-lrq[.]bond www[.]gov-poy[.]bond www[.]gov-tuo[.]bond ut[.]gov-eny[.]cc 
mass[.]gov-nve[.]cc www[.]mass[.]gov-bjk[.]cc www[.]gov-nka[.]cc www[.]gov-uca[.]cc www[.]gov-laq[.]bond www[.]gov-lil[.]bond www[.]gov-opr[.]bond www[.]gov-ltv[.]bond www[.]gov-btx[.]cc www[.]gov-lrm[.]bond www[.]gov-imk[.]bond www[.]gov-bjk[.]cc www[.]gov-nha[.]cc”
Campaign Scope: Mass phishing infrastructure impersonating government service portals
Malware/Tools: Credential harvesting phishing infrastructure (no specific malware family identified)
Targeted Country: United States, India, Vietnam, United Kingdom
Threat Actor: APT36 / Transparent Tribe (cluster overlap observed)
Sector: Government, Administration, Transport
MITRE ATT&CK Techniques: T1566.002, T1598.003, T1036.005, T1583.001, T1584.001, T1071.001, T1041
Threat Severity: High
Recommendation: Enforce MFA, implement DNS filtering and threat-intelligence domain blocking, monitor newly registered domains, train users to check URLs carefully (every host listed above places "gov" inside a label under .cc or .bond rather than under the .gov top-level domain), deploy advanced email and web filtering, and require users to report phishing attempts
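The impersonation pattern in this entry is uniform: the real agency name is kept as a subdomain and "gov" is embedded in the next label (mass.gov-suc.cc, ncdot.gov-stmv.cc, www.gov-ckw.bond), so the registered domain is a throwaway .cc or .bond name while the visible hostname still reads as ".gov". Blocking the listed hosts one by one does not keep up with the registration rate; the structural rule does. The following is an added example, not a detection from Help AG or from any vendor: a screen for proxy or DNS logs that flags any hostname containing a label equal to, or hyphen-prefixed with, a protected token such as "gov" when the top-level domain is not that token. The log lines are constructed; the flagged hostnames are taken from the IoC column above, and one extra constructed case shows that "mass.gov" used as a subdomain of another registered domain is caught too. It deliberately does not consult the Public Suffix List, so it reasons about labels only and will also surface hosts like gov-relations.example.com as review hits.

```python
import re
from typing import List, Tuple

# Constructed proxy/DNS log excerpt. The .cc and .bond hosts are from this
# entry's IoC column; the other lines are benign controls or constructed cases.
SAMPLE_LOG = """\
2026-04-27T09:12:01Z src=10.1.4.22 host=www.mass.gov-suc.cc
2026-04-27T09:12:05Z src=10.1.4.22 host=www.mass.gov
2026-04-27T09:13:11Z src=10.1.7.9 host=ncdot.gov-stmv.cc
2026-04-27T09:14:40Z src=10.1.7.9 host=www.gov-ckw.bond
2026-04-27T09:15:02Z src=10.1.9.3 host=expresstoll.gov-dmre.cc
2026-04-27T09:16:27Z src=10.1.9.3 host=login.microsoftonline.com
2026-04-27T09:17:00Z src=10.1.2.8 host=mass.gov.evil-example.net
2026-04-27T09:18:13Z src=10.1.2.8 host=governor.example.org
"""

# Tokens that only belong at the top level. Extend with your own brand names
# (e.g. your bank's or company's) to catch brand.gov-xyz.cc style lookalikes.
BRAND_LABELS = frozenset({"gov", "mil"})
_HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def is_lookalike(host: str, brands=BRAND_LABELS) -> Tuple[bool, str]:
    """True when a non-terminal label is a protected token (or starts with
    one followed by a hyphen) while the actual TLD is something else."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return False, ""
    tld = labels[-1]
    if tld in brands:
        return False, ""  # genuinely under .gov / .mil
    for label in labels[:-1]:
        head = label.split("-", 1)[0]  # "gov-suc" -> "gov"; "governor" -> "governor"
        if head in brands:
            return True, f'label "{label}" mimics .{head} but the host ends in .{tld}'
    return False, ""


def screen_log(text: str, brands=BRAND_LABELS) -> List[Tuple[str, str]]:
    """Return (host, reason) for every log line whose host is a lookalike."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = _HOST_RE.search(line)
        if not m:
            continue
        flagged, why = is_lookalike(m.group(1), brands)
        if flagged:
            hits.append((m.group(1), why))
    return hits


if __name__ == "__main__":
    for host, why in screen_log(SAMPLE_LOG):
        print(f"{host:32} {why}")
```

Because the check is on structure rather than on a list, it will still fire on the next batch of gov-xxx.cc registrations; pair it with the newly-registered-domain monitoring the recommendation calls for, and treat hits as review items rather than automatic blocks.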

Campaign: Spear-phishing campaign (Excel + PowerShell-based intrusion)
IoC: 5c3bf036ab8aadddb2428d27f3917b86 e9c16aa2e322a65fc2621679ca8e7414ebcf89c0 d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166
Campaign Scope: Targeted pharmaceutical and life sciences organizations (intellectual property theft focus)
Malware/Tools: Weaponized Excel documents, PowerShell payloads
Targeted Country: Not specified (Kimsuky is attributed to North Korea; this is the actor's origin, not the target)
Threat Actor: Kimsuky
Sector: Pharmaceutical, Life Sciences
MITRE ATT&CK Techniques: T1566.001, T1204.002, T1059.001, T1027, T1005, T1041
Threat Severity: High
Recommendation: Deploy advanced email filtering and phishing detection, enforce application allowlisting, restrict PowerShell usage through policy controls, patch regularly, implement network segmentation, and monitor for data exfiltration and unusual PowerShell activity

Campaign: Social engineering + fileless C2 intrusion campaign
IoC: bdb1b9e37f6467b5f98d151a43f280f319bacf18198b22f55722292a832933ab 83AC38FB389A56A6BD5EB39ABF2AD81FAB84A7382DA296A855F62F3CDD9D629D 19c174f74b9de744502cdf47512ff10bba58248aa79a872ad64c23398e19580b 750b29ca6d52a55d0ba8f13e297244ee8d1b96066a9944f4aac88598ae000f41 b81aa37867f0ec772951ac30a5616db4d23ea49f7fd1a07bb1f1f45e304fc625 df0d4ba2e0799f337daac2b0ad7a64d80b7bcd68b7b57d2a26e47b2f520cc260 AD96A3DAB7F201DD7C9938DCF70D6921849F92C1A20A84A28B28D11F40F0FB06 tech-system[.]online protoflint[.]com novelumbsasa[.]art picasosoftai[.]shop dtt[.]alux[.]cc moldostonesupplies[.]pro x6iye[.]site buenohuy[.]live firetrue[.]live lokipoki[.]live veryspec[.]live mautau[.]live muatay[.]live nicepliced[.]live nissi[.]bg express1solutions[.]com doamin[.]cc regonalone[.]com
Campaign Scope: Finance sector organizations targeted via fake IT support (Microsoft Teams) social engineering leading to post-exploitation control and data theft
Malware/Tools: AdaptixC2 (open-source C2 framework abused in real intrusions), PowerShell loaders, fileless shellcode execution
Targeted Country: Global / not specified
Threat Actor: Unattributed threat actors using AdaptixC2 (criminal and opportunistic intrusion usage)
Sector: Finance
MITRE ATT&CK Techniques: T1566, T1059.001, T1055, T1547.001, T1574.002, T1105, T1041
Threat Severity: High
Recommendation: Implement application allowlisting, restrict PowerShell execution and enable script block logging, deploy EDR with memory protection, enforce MFA, monitor outbound traffic for C2 beaconing, block the listed domains, and train users to recognise Teams-based IT support impersonation

Campaign: Supply chain compromise (PyPI package poisoning – Xinference)
IoC: hxxps://whereisitat[.]lucyatemysuperbox[.]space/ whereisitat[.]lucyatemysuperbox[.]space fe17e2ea4012d07d90ecb7793c1b0593a6138d25a393192263e751660ec3cd0 077d49fa708f498969d7cdffe701eb64675baaa4968ded9bd97a4936dd56c21c e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127 c6ce4e25f7fe3e3bb1eea2e9052483bf 484067fd6232f7cdd7b664b33857fc2c e291734d46c313a23d676681499f8846 9b3257e45b27a6bbe4e240e41a3a306f 3ee893ae46530b92e0d26435fb979d82 971670c10eff28339a085ca50a600e35 (note: the first hash value is 63 characters long as published, one short of a SHA-256; verify it against the original source before loading it into a tool)
Campaign Scope: IT sector organizations using the compromised Xinference Python package versions 2.6.0–2.6.2
Malware/Tools: Trojanized Xinference builds on PyPI, Base64-obfuscated loader, credential stealer
Targeted Country: Global / not specified
Threat Actor: Unattributed supply chain attacker (PyPI maintainer credential compromise)
Sector: IT / Software Development
MITRE ATT&CK Techniques: T1195.001, T1059.006, T1140, T1552.001, T1552.004, T1552.005, T1005, T1041
Threat Severity: Critical
Recommendation: Immediately downgrade to a safe version (2.5.0 or earlier), rotate all exposed credentials (cloud, SSH, API, database), block the malicious domain at DNS and firewall level, enforce signed and verified package usage, use a private PyPI mirror or registry, enable MFA, and monitor for credential exfiltration behaviour

Apr 24, 2026

Fields per entry: Campaign | IoC | Campaign Scope | Malware/Tools | Targeted Country | Threat Actor | Sector | MITRE ATT&CK Techniques | Threat Severity | Recommendation

Campaign: Exploitation Campaign (Network Device Backdoor Deployment)
IoC: CVE-2025-20333; CVE-2025-20362
Campaign Scope: Targeting Cisco Firepower and ASA devices via exploitation of FXOS vulnerabilities to deploy the persistent FIRESTARTER backdoor, enabling remote code execution within the LINA process and long-term unauthorized access
Malware/Tools: FIRESTARTER
Targeted Country: Not specified
Threat Actor: UAT-4356
Sector: Not specified
MITRE ATT&CK Techniques: T1190; T1055; T1547.014; T1105; T1059
Threat Severity: Critical
Recommendation: Upgrade Cisco devices to fixed releases that address CVE-2025-20333 and CVE-2025-20362, monitor for suspicious processes (e.g., lina_cs), check for unauthorized files, reimage compromised devices rather than cleaning them in place, restrict management access, monitor WebVPN and API traffic, deploy IDS/IPS signatures, segment networks, and review logs continuously

Campaign: Social Engineering–Driven Intrusion Campaign
IoC: 2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49 c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8 7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477 ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190 6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7 de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f
Campaign Scope: Multi-stage enterprise intrusion leveraging phishing, Teams impersonation, and fake updates to deploy modular malware, establish persistence, conduct reconnaissance, dump credentials, and reach domain controllers for data exfiltration
Malware/Tools: SNOWBELT; SNOWGLAZE; SNOWBASIN; AutoHotKey
Targeted Country: Not specified
Threat Actor: UNC6692
Sector: Not specified
MITRE ATT&CK Techniques: T1566; T1204; T1059.001; T1059.003; T1053.005; T1547.001; T1056.001; T1003.001; T1021.001; T1041
Threat Severity: Critical
Recommendation: Enforce MFA, validate helpdesk interactions, restrict script execution (e.g., AutoHotKey), block unauthorized browser extensions, monitor LS

Campaign: Supply Chain Attack (Malicious npm Package)
IoC:
33401580619ae79bf3f87aab16208f169a44a038f18671b1def7836fb2682c9a; b505f1d1ca3dca8cb7e2b2dd99991b5a929ec9387f3de31ad36549823af07dfd; 2fec04f2985510654d9656d57f6817de1ca0d6ae49e7085b1e33abb38f89cc55; 457a3323fe0cfa82d6e102074c6f07a399f55c7e0ce2d3b40643d9cfde0cf220; f2c754a7f7b56e0e2a6dd429f06c42a1860c52c37b25d0a8e91c67d1239fa577; 46b9522ba2dc757ac00a513dbd98b28babb018eae92347f2cbc3c7a5020872b5; 1c83019b52be6da9583d28fe934441a74eacef0cd7dbb9d71017122de6fe7cfc; hxxps://huggingface[.]co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-win[.]exe; hxxps://huggingface[.]co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-darwin-x64; hxxps://huggingface[.]co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-darwin-arm64; hxxps://huggingface[.]co/Lordplay/system-releases/resolve/main/MicrosoftSystem64-linux; hxxps://huggingface[.]co/Lordplay/system-releases/resolve/main/version[.]txt; 195[.]201[.]194[.]107
Campaign Scope: Malicious npm package (js-logger-pack@1.1.27) delivering a cross-platform implant via a postinstall script that downloads disguised binaries for Windows, macOS and Linux, establishes persistence, collects sensitive data (keystrokes, clipboard, system information), and exfiltrates it via Hugging Face infrastructure while enabling remote command execution
Malware/Tools: js-logger-pack@1.1.27; cross-platform implant; Hugging Face infrastructure used for payload hosting and exfiltration
Targeted Country: Not specified
Threat Actor: Unknown
Sector: Not specified
MITRE ATT&CK Techniques: T1195.002; T1056.001; T1115; T1041
Threat Severity: Critical
Recommendation: Implement software composition analysis (SCA); audit and pin dependencies; monitor for unusual outbound traffic to Hugging Face; deploy EDR; disable automatic execution of npm install scripts (npm's --ignore-scripts flag or ignore-scripts=true in .npmrc) on build agents and developer machines; review builds for unauthorized changes

Campaign: Insider Threat / Social Engineering Campaign (Fraudulent Remote Workforce)
IoC: 163[.]245[.]219[.]19; 216[.]158[.]225[.]144; luckyguys[.]site
Campaign Scope: Coordinated DPRK-linked operation leveraging fake remote IT worker identities to infiltrate organizations, gain legitimate access, exfiltrate data, and generate revenue via freelance platforms while evading sanctions using VPNs, proxy infrastructure, and residential IP masking
Malware/Tools: Astrill VPN; Mullvad VPN; Proton VPN; Workana platform
Targeted Country: Not specified
Threat Actor: North Korea (DPRK)
Sector: Finance; IT
MITRE ATT&CK Techniques: T1583.001; T1583.004; T1090.003; T1585.001; T1078; T1567; T1588.005
Threat Severity: High
Recommendation: Audit network logs for the IoCs; treat Astrill VPN and similar services as high-risk indicators; verify the identities of remote workers and freelancers; implement behavioural monitoring beyond IoC matching; scrutinize residential IP activity and proxy-like behaviour; strengthen hiring and access control processes

Campaign: Fraud / Social Engineering (IRSF – SMS Toll Fraud)
IoC: colnsdital[.]com; d[.]herbosfinx[.]com; d[.]zerrotmamil[.]com; d[.]vistertransit[.]com; d[.]marraheltin[.]com; r[.]transitcaxip[.]com; zawsterris[.]com; hotnow[.]sweeffg[.]online
Campaign Scope: Large-scale International Revenue Share Fraud (IRSF) campaign leveraging fake CAPTCHA pages delivered via traffic distribution systems (TDS) to trick users into sending SMS messages to premium-rate international numbers, generating fraudulent telecom revenue through multi-step social engineering and browser manipulation
Malware/Tools: Traffic Distribution Systems (TDS); fake CAPTCHA pages
Targeted Country: Not specified
Threat Actor: Unknown
Sector: Telecoms
MITRE ATT&CK Techniques: T1566; T1204; T1071.001
Threat Severity: High
Recommendation: Educate users not to interact with CAPTCHA prompts that ask them to send an SMS; implement anti-phishing and web filtering controls; monitor for abnormal SMS traffic patterns; work with telecom providers to detect and block IRSF activity; enforce strong security awareness practices

Campaign: Supply Chain Attack (Software Dependency Compromise)
IoC: hxxps://whereisitat[.]lucyatemysuperbox[.]space/
Campaign Scope: Malicious versions (2.6.0, 2.6.1, 2.6.2) of the Xinference Python package on PyPI were backdoored with an obfuscated infostealer embedded in __init__.py, executing on import. The malware exfiltrates extensive sensitive data, including cloud credentials (AWS, GCP), Kubernetes tokens, SSH keys, API keys, cryptocurrency wallets, database credentials, environment variables, and system metadata, to a remote C2 server. The compromise was introduced via a bot account ("XprobeBot"); attribution claims point to "TeamPCP" (publicly denied), and the compromise has been confirmed by the Xinference maintainers.
Malware/Tools: Xinference (malicious PyPI package versions); Python runtime
Targeted Country: Not specified
Threat Actor: Suspected: TeamPCP (unconfirmed)
Sector: Development; IT
MITRE ATT&CK Techniques: T1195.001; T1059.006; T1552.001; T1552.004; T1082; T1005; T1041; T1027
Threat Severity: Critical
Recommendation: Immediately downgrade to version 2.5.0; rotate all exposed secrets (cloud credentials, API keys, SSH keys); enforce 2FA; pin dependencies to verified versions; audit CI/CD pipelines and cloud environments for unauthorized access; implement software composition analysis (SCA) tooling for dependency monitoring
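Both supply-chain entries in this table, the js-logger-pack@1.1.27 npm package and Xinference 2.6.0–2.6.2 on PyPI (also in the Apr 28 table above), come down to the same first question for a defender: does anything we build or run resolve to one of those exact versions, and which packages run code at install time? The following is an added example, not tooling from either project or from Help AG: a lock-file scanner that reads a package-lock.json (lockfileVersion 2/3 layout, where every installed package appears under "packages" keyed by its node_modules path) and a requirements.txt, matches exact versions against a known-bad table built from the two entries, flags npm packages that carry an install script (hasInstallScript), and reports Python requirements that are not pinned with == and therefore cannot be checked. Both input files are constructed for the example; the installed-version helper uses the standard library's importlib.metadata.

```python
import json
import re
from importlib import metadata
from typing import Dict, List, Optional, Set, Tuple

# Known-bad versions, taken from the two supply-chain entries in this feed.
BAD_VERSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("npm", "js-logger-pack"): {"1.1.27"},
    ("pypi", "xinference"): {"2.6.0", "2.6.1", "2.6.2"},
}

# Constructed package-lock.json in the lockfileVersion 3 layout.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"js-logger-pack": "^1.1.0"}},
        "node_modules/js-logger-pack": {
            "version": "1.1.27",
            "resolved": "https://registry.npmjs.org/js-logger-pack/-/js-logger-pack-1.1.27.tgz",
            "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed requirements.txt with a comment, an environment marker and one
# unpinned requirement.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
numpy==1.26.4
Xinference==2.6.1 ; python_version >= "3.9"
xinference-client>=1.0
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|~=|!=|>=|<=|>|<)?\s*([^\s,;]*)")


def normalize_pypi(name: str) -> str:
    """PEP 503 name normalisation: Xinference, xinference_client -> lowercase, '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_package_lock(text: str) -> List[dict]:
    """Flag known-bad versions and any package with an install script."""
    findings: List[dict] = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped names
        version = meta.get("version", "")
        known_bad = version in BAD_VERSIONS.get(("npm", name), set())
        has_script = bool(meta.get("hasInstallScript"))
        if known_bad or has_script:
            findings.append({"eco": "npm", "name": name, "version": version,
                             "known_bad": known_bad, "install_script": has_script})
    return findings


def scan_requirements(text: str) -> Tuple[List[dict], List[str]]:
    """Return (known-bad pins, names that are not pinned with ==)."""
    findings: List[dict] = []
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments/markers
        if not line or line.startswith("-"):  # skip -r/-e/--index-url lines
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, version = normalize_pypi(m.group(1)), m.group(2), m.group(3)
        if op != "==":
            unpinned.append(name)
            continue
        if version in BAD_VERSIONS.get(("pypi", name), set()):
            findings.append({"eco": "pypi", "name": name, "version": version, "known_bad": True})
    return findings, unpinned


def installed_pypi_version(dist: str) -> Optional[str]:
    """Version of a distribution in the running interpreter, or None if absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    print(scan_package_lock(SAMPLE_PACKAGE_LOCK))
    print(scan_requirements(SAMPLE_REQUIREMENTS))
    print("xinference installed:", installed_pypi_version("xinference"))
```

A lock file only tells you what a fresh install would fetch; the installed-version helper is there because the Xinference payload runs on import, so a build agent or notebook server that already has 2.6.x installed is compromised regardless of what the lock file says now, and its credentials need rotating as the recommendation above states.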

Campaign: Supply Chain / GitHub Repository Poisoning
IoC:
“2273702dfbcfd96a6ed7bdb42ba130291b653869256ec1325bc7fe30e8d9b70a 2d72abb33b8428a3a73fb64a03e6ac84595c4b1636f190f2936fadec3c8792f6 b04db6cae604d2ab1542e3c0cf1a4a3bb8d76562556f7275efe25bb90fc1da19 d92ac938494c2c74c73f3ca28c5c7148d0a03024b46630192a9348259b7b3665 3299b85734e03cbb767d10f89384f666c35d6863198a7c6c0004ef19fcc76bc3 c324560d4310849fd6b86e126514b20512905eee7ee94a2152f4314bb4055649 2c3c4f1e3401c7baa804c21164b17a2ab50b3462ab09fcdccec35c8faa8e17fb 58b98acb7dc26d8130c20b38ad040e5e7042eac38f12205248595697143c4297 10cbcb3fb25205a53ea9fe4fad46f45a349f7da8de22dd53a1ce16a920059720 bc95563880f17f4c3fc0fd8d3f7abc37b14ffb3daa627f92d5bd0b4f457d54e2 13690a008d375908399e7f0bf8d1b4733498f1145166c7788fb9966c3b551b2f 12a09f9425cd4058956214b237ec82577c7b9ae15f323c28d3b4ad846d0d2f6b b599a00d1226f6e0d433bf9be89958d6d4600a365c8e16bd86b4603e2552bf37 998e14a100d1f541f9fd59f4e58dd86e76fe7a105b02646d3487f18583d46c42 ebe63bd7715e7b2ff0b25c9bb6540a904f7195fb9fb2d405bd0cb5c0c4d34476 3217ae928395e00d873cccdf2adfa7828fe319fc84501453e702af91a0af2596 e12e7d4d7c5ccf825c9c0ba3af32a9d575d1624ad6e3998e7a71c3e0939c0d61 012b49c7f60bbe0501e61fc62c9b7dd69be9bbf15cb36a840a293b3cb066b865 275275b5099a63724b6f525c1e9de082829e710078e8605c0286998b5a02e75d 7e107cc2db66be4c9a90c2ef81f21ae2893962e1040531dff0305d9283f27387 768c28bff5e2ccd991a4a5cbfe3331015e3262cbc007829631483b46aa582cbc 6b518855404b7281246aab93a46288b25f0cb0f09cdeb820e677ef615bf3fda4 572acf0d7a3801b9bc41f626bac781d75ea1f99770b176079ae5f9a347c09b78 4b3231da6ba13aa1e1eb8dd371e287bc18505273bca5bda80065c60b024549b8 1aacc8cb9694293dc152891fc26de64a2061b31a066d297373cdc87da54b6fd8 d142be1fc9a7eec7ec26aeea75e5f7a175c4ab9b2ee36b958280873bc3861b2e a50c4c26597cb4dc3ce340e1de0ec929b4a7ab0954a6ba214a32f158f01d6a8a 9de5dc4192a9dea43d9ff6289bb276bb3f2c244c15821b6d31fab90258b23149 2149a0c948d87f6a80ebb4abddf742c2383f59c7558a313caa0c0fd3bd3cdeef a6fce76371d8b950b22bbea5a94d5688c19368979d06b2ef3c41f18ce6ada4c3 
Campaign Scope: Large-scale campaign abusing cloned GitHub repositories to distribute trojanized projects. Malicious ZIPs include a LuaJIT-based loader (SmartLoader) that executes obfuscated Lua payloads, performs system fingerprinting, captures screenshots, and exfiltrates data. C2 infrastructure is resolved dynamically via Polygon blockchain smart contracts, enabling resilient, rotating communication channels. Persistence is achieved via scheduled tasks, with second-stage payloads (StealC) executed in memory for stealthy credential and data theft.
Malware/Tools: SmartLoader; StealC
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1566.002; T1204.002; T1036; T1059.009; T1105; T1140; T1053.005; T1005; T1113; T1041; T1071.001
Threat Severity: Critical
Recommendation: Enforce strict validation of open-source code and repositories before use; block or monitor access to suspicious GitHub repositories; deploy static and dynamic malware analysis tools; monitor for LuaJIT execution and abnormal scheduled task creation; inspect outbound traffic for unusual or blockchain-resolved C2 communication; enforce MFA and least privilege; regularly audit developer environments and GitHub access; educate users on the risks of downloading code from unverified sources

Apr 23, 2026

Campaign
IoC
Campaign Scope
Malware/Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Ransomware / Data Exfiltration Campaign
Campaign Scope: Targeted enterprise networks using invoice/document-focused data theft and post-compromise credential harvesting
Malware/Tools: uploader_client.exe, Mimikatz, Nirsoft tools, AnyDesk, BYOVD kernel utilities
Targeted Country: Not specified
Threat Actor: Rhantus Group (Trigona ransomware affiliates)
Sector: Finance, Enterprise IT
MITRE ATT&CK Techniques: T1486, T1048, T1560, T1003, T1555, T1562.001, T1543.003, T1068, T1134, T1548, T1219, T1041
Threat Severity: High
Recommendation: Block outbound traffic to unknown IPs on port 1080; detect BYOVD tools; restrict AnyDesk; monitor for credential dumping tools; deploy kernel tamper protection; enable DLP for invoice/PDF shares
Campaign: APT / Espionage Campaign
Campaign Scope: Targeted intrusion against a Mongolian government entity using a multi-stage Go-based modular toolset and SaaS C2 infrastructure (Slack, Discord, Microsoft 365, file.io)
Malware/Tools: LaxGopher, RatGopher, BoxOfFriends, JabGopher, FriendDelivery, CompactGopher, SSLORDoor
Targeted Country: Mongolia
Threat Actor: GopherWhisper (China-aligned APT)
Sector: Government, Public Administration
MITRE ATT&CK Techniques: T1587.001, T1583.006, T1106, T1129, T1543.003, T1574.002, T1055.002, T1055.012, T1036, T1140, T1083, T1518, T1005, T1119, T1105, T1071.001, T1020, T1041, T1567
Threat Severity: High
Recommendation: Monitor abuse of SaaS platforms (Slack, Discord, Microsoft 365, file.io) for C2; detect Go-based malware on endpoints; hunt DLL sideloading (JabGopher); inspect Graph API misuse; monitor encrypted non-standard HTTPS traffic on port 443; audit API token exposure
Campaign: Infostealer Distribution Campaign (Fake AI Trading Site)
Campaign Scope: Fake TradingView AI trading assistant website delivering a multi-stage infection chain via ZIP download and DLL side-loading, leading to credential theft and crypto wallet exfiltration
Malware/Tools: Needle Stealer, iviewers.dll (loader), RegAsm.exe (process injection target)
Targeted Country: Not specified
Threat Actor: Not attributed
Sector: Finance, Cryptocurrency Users
MITRE ATT&CK Techniques: T1189, T1204.002, T1574.002, T1055.012, T1555.003, T1113, T1005
Threat Severity: High
Recommendation: Restrict software downloads to verified vendors; monitor and remove malicious browser extensions; enforce MFA; deploy EDR with a focus on DLL sideloading and process hollowing detection; monitor C2 traffic and suspicious API endpoints; reset credentials and revoke sessions if compromised
Campaign: APT / Targeted Espionage Campaign (Spearphishing + Multi-stage Loader)
Campaign Scope: Multi-stage intrusion campaign using malicious ZIP attachments and a trojanized PDF reader to deploy in-memory C2 beaconing and persistent remote access
Malware/Tools: TOSHIS loader, AdaptixC2 Beacon, Cobalt Strike Beacon, EntryShell, trojanized SumatraPDF
Targeted Country: Taiwan, South Korea, Japan
Threat Actor: Tropic Trooper (Earth Centaur / Pirate Panda)
Sector: Military, Defense, Government, Public Administration
MITRE ATT&CK Techniques: T1566.001, T1204.002, T1059.001, T1036.005, T1105, T1219, T1071.001
Threat Severity: High
Recommendation: Block and monitor malicious attachment-based phishing; detect trojanized PDF readers; monitor PowerShell execution anomalies; restrict unsigned binaries; deploy EDR with in-memory beacon detection; monitor outbound HTTPS tunnels to unknown infrastructure; enforce MFA and least privilege access

Apr 22, 2026

Campaign
IoC
Campaign Scope
Malware/Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Targeted Spear-Phishing / Cyber Espionage Campaign
IoC: 7beede15ecdc7d3f01db4b699e5fe5f4f2e7c79cd7ef0e918ed0583bf621de7d, 9bf2f3b15a621789f898f9bd7710ba857e3f238a4937b64fdc47ef9a92e0b05d, 18bc0e0f627d90fb283aa243055b46d0bfb5d85a7240d8f63ec2d1c8a2c15893, 6d22d50634c2c2fc853bfd2b564e1837d51087aa684a9c4415634c8c13c44135, editor[.]gleeze[.]com, www[.]cosmosmusic[.]com, victorcha707@gmail[.]com
Campaign Scope: Dual campaign targeting the banking sector and policy/diplomatic individuals using themed lures and shared malware infrastructure
Malware/Tools: LOTUSLITE v1.1, Microsoft_DNX.exe (DLL sideloading), CHM loader (hh.exe abuse)
Targeted Country: India, South Korea, United States
Threat Actor: Mustang Panda (UNC6384)
Sector: Banking, Government, Diplomacy, Finance, High-Value Individuals
MITRE ATT&CK Techniques: T1566.001, T1566.002, T1574.002, T1059.007, T1547.001, T1071.001, T1568.001, T1036.005, T1027, T1082, T1105, T1583.001, T1586.002, T1608.001
Threat Severity: High
Recommendation: Monitor for DLL sideloading via signed binaries, restrict CHM execution, detect abnormal hh.exe activity, block suspicious dynamic DNS traffic, monitor registry Run key persistence, enforce EDR and user awareness against spear-phishing and impersonation
Campaign: Infostealer Campaign (Fileless / macOS-targeted)
IoC: ffb79953b8d822a5433f08e1e3958a0c7e9e856749a6d90c83b9e4ef5813a03a, eb66a20468f701f2ec5f018a0fd9b8551aefa25124c6a04517b873da9ca724ff, terafolt[.]com, res2erch-sl0ut[.]com, hxxps://terafolt[.]com/api/bot/heartbeat, hxxps://terafolt[.]com/gate
Campaign Scope: Multi-stage macOS infostealer campaign leveraging fileless AppleScript execution, targeting credentials, crypto wallets, and browser data, with persistence via wallet backdooring
Malware/Tools: SHub Stealer v2.0
Targeted Country: None
Threat Actor: Suspected Russian-speaking operators
Sector: IT; eCommerce; Digi
MITRE ATT&CK Techniques: T1059.002; T1555.001; T1555.003; T1056.002; T1041; T1547; T1027; T1195; T1033; T1083; T1176
Threat Severity: High
Recommendation: Monitor osascript-based execution chains, enforce file integrity checks on wallet apps, detect abnormal credential access and browser data harvesting, monitor large outbound POST traffic, and validate wallet application integrity
Campaign: Malware Loader Campaign (Masquerading / C2-based)
IoC: 94[.]232[.]46[.]16, 94[.]232[.]46[.]202, 94[.]232[.]46[.]15
Campaign Scope: Multi-stage loader campaign using a decoy application (Slack) to deliver a second-stage payload and establish C2 communication over non-standard ports
Malware/Tools: Slack (decoy), BORZ C2 Panel
Targeted Country: None
Threat Actor: Unknown (possible false-flag / multi-layered attribution)
Sector: None
MITRE ATT&CK Techniques: T1204.002, T1036.005, T1105, T1571
Threat Severity: High
Recommendation: Implement strong email/messaging security controls, monitor for connections to suspicious C2 infrastructure, enhance EDR detection, analyze geopolitical lures for deception indicators, and maintain updated threat intelligence feeds
Campaign: Trojanized Software Distribution / Infostealer Campaign
IoC: google-antigravity[.]com, opus-dsn[.]com
Campaign Scope: Malicious distribution of a trojanized installer via a typosquatted domain, delivering staged payloads and credential-stealing malware
Malware/Tools: .NET Stealer, PowerShell loader, Trojanized Antigravity Installer
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1204.002, T1059.001, T1053.005, T1562.001, T1112, T1027, T1620, T1056.001, T1115, T1555, T1041
Threat Severity: High
Recommendation: Scan systems immediately, terminate active sessions and reset credentials, consider full OS reinstallation, enforce MFA, educate users on trusted download sources, and monitor network traffic for suspicious activity
Campaign: Ransomware Campaign (Multi-Platform / ESXi & Windows)
IoC: 6ccacb7567b6c0bd2ca8e68ff59d5ef21e8f47fc1af70d4d88a421f1fc5280fc, 45bff0df2c408b3f589aed984cc331b617021ecbea57171dac719b5f545f5e8d, 4ed176edb75ae2114cda8cfb3f83ac2ecdc4476fa1ef30ad8c81a54c0a223a29
Campaign Scope: Coordinated ransomware deployment targeting both VMware ESXi environments and Windows systems, impacting virtual infrastructure and enterprise endpoints simultaneously
Malware/Tools: Kyber Ransomware
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1486; T1489; T1070.001; T1021.004; T1562.001
Threat Severity: Critical

Apr 21, 2026

Campaign
IoC
Campaign Scope
Malware/Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Phishing / Social Engineering Campaign (Ransomware Delivery)
Campaign Scope: Long-running, high-volume opportunistic campaign targeting individuals and SMBs
Malware/Tools: Adwind, JanaWare Ransomware
Targeted Country: Turkey
Threat Actor: Unknown
Sector: N/A
MITRE ATT&CK Techniques: T1566 (Phishing), T1204 (User Execution), T1027 (Obfuscation), T1071.001 (Web Protocols), T1041 (Exfiltration Over C2)
Threat Severity: High
Recommendation: Implement EDR with behavioral analysis; monitor process and network anomalies; update threat intelligence feeds; enforce application control; conduct user awareness training on phishing
Campaign: Infostealer-as-a-Service campaign leveraging dead-drop C2 via Telegram and code-signed malware
IoC: 185[.]56[.]45[.]235, cebolinhaburger[.]com, blogdospesados[.]com[.]br
Campaign Scope: Multi-affiliate global campaign using dynamic C2 infrastructure and compromised web services
Malware/Tools: Vidar Stealer (Go-based variants)
Targeted Country: None specified
Threat Actor: Unknown (multi-affiliate ecosystem)
Sector: None specified
MITRE ATT&CK Techniques: T1553.002, T1027, T1102.002, T1071.001, T1041
Threat Severity: High
Recommendation: Enforce strict certificate validation, monitor Telegram-based C2 patterns, deploy EDR for Go-based malware detection, block known IoCs, and enhance threat intelligence monitoring for evolving infrastructure
Campaign: Supply Chain Compromise / Credential Harvesting Campaign
IoC: 95c17869073bff8a045083315c97583cb0d4f4c19165e657ed584ef7e16868a1, 107[.]189[.]23[.]185, 86[.]54[.]25[.]202, 86[.]54[.]25[.]204, scan-tron[.]link
Campaign Scope: Targeted compromise of macOS stealer infrastructure (Odyssey panels), including a backdoored operator panel for credential theft
Malware/Tools: Odyssey (AMOS) macOS Stealer
Targeted Country: None specified
Threat Actor: Unknown
Sector: None specified
MITRE ATT&CK Techniques: T1556 (Modify Authentication Process), T1056 (Input Capture), T1041 (Exfiltration Over C2 Channel)
Threat Severity: High
Recommendation: Enforce supply chain integrity checks, monitor outbound traffic to suspicious domains, deploy EDR to detect browser/API hooking and credential harvesting, audit access controls, and enforce MFA across sensitive systems

Apr 20, 2026

Campaign
IoC
Campaign Scope
Malware/Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: SEO Poisoning / Malware Distribution Campaign
IoC: 193[.]42[.]11[.]108, directdownload[.]icu, direct-download[.]gleeze[.]com, testdisk[.]dev, hxxps://www[.]testdisk[.]dev/download[.]html, 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5
Campaign Scope: Targets users searching for TestDisk via search engines; broad opportunistic distribution
Malware/Tools: ScreenConnect (trojanized), DLL sideloading payload (autorun.dll)
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1189 (Drive-by Compromise), T1574.002 (DLL Side-Loading), T1218 (System Binary Proxy Execution), T1543.003 (Windows Service), T1556 (Modify Authentication Process), T1133 (External Remote Services), T1071.001 (Web Protocols)
Threat Severity: High
Recommendation: Implement EDR with behavioral detection, block malicious domains, restrict unauthorized RMM tools, monitor for DLL sideloading activity, and conduct user awareness on SEO poisoning risks

Apr 17, 2026

Campaign
IoC
Campaign Scope
Malware/Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Financially motivated intrusion campaign (cargo theft / freight fraud) using RMM abuse
Campaign Scope: Transportation and logistics organizations; prolonged post-compromise access for fraud and asset theft
Malware/Tools: ScreenConnect, Pulseway, SimpleHelp (RMM tools), VBS payloads, PowerShell scripts
Targeted Country: Not specified
Threat Actor: Financially motivated threat actor
Sector: Transport, Logistics
MITRE ATT&CK Techniques: T1566.001, T1059.001, T1219, T1105, T1087, T1083, T1041
Threat Severity: High
Recommendation: Apply strong email filtering and attachment controls, restrict unauthorized RMM tools, monitor PowerShell execution, enforce MFA, segment networks, and monitor for abnormal remote access tool behavior and certificate misuse
Campaign: Large-scale IoT botnet propagation and exploitation campaign targeting EoL TP-Link routers (Mirai variant activity)
Campaign Scope: End-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N); global internet-exposed devices
Malware/Tools: Mirai-like botnet malware (Condi variant)
Targeted Country: None specified
Threat Actor: Opportunistic botnet operators
Sector: Telecommunications / Networking devices
MITRE ATT&CK Techniques: T1190, T1059.004, T1078, T1105, T1071.001
Threat Severity: High
Recommendation: Patch router firmware immediately, disable remote administration, segment IoT devices, monitor outbound traffic, and deploy IDS/IPS rules to detect command injection attempts and botnet C2 communication
Campaign: macOS targeted social engineering campaign distributing a fake Zoom SDK update leading to multi-stage infostealer deployment
Campaign Scope: macOS users in cryptocurrency and finance-related environments
Malware/Tools: AppleScript-based malware chain, curl-based downloader, launch daemon persistence
Targeted Country: Not specified
Threat Actor: Sapphire Sleet (North Korea-linked threat actor)
Sector: Finance
MITRE ATT&CK Techniques: T1566, T1204.002, T1059.002, T1105, T1543.004, T1555, T1005, T1041
Threat Severity: High
Recommendation: Train users on fake update/social engineering risks, enforce MFA, deploy macOS EDR, restrict script execution (AppleScript), monitor Launch Daemons, and validate software updates via trusted sources only
Campaign: Rust-based multi-stage RAT deployment campaign using a DLL loader, process injection, and WebSocket C2 over Windows living-off-the-land binaries
IoC: 45[.]131[.]214[.]132, f0afbbb3c80e5347191452f2f3b147627e9d1ae4d60b61d6da900a60b35eec95
Campaign Scope: Enterprise Windows environments (post-compromise persistence and remote control operations)
Malware/Tools: SpankRAT, SpankLoader
Targeted Country: None specified
Threat Actor: None attributed
Sector: None specified
MITRE ATT&CK Techniques: T1055, T1055.001, T1053.005, T1059.001, T1105, T1071.001
Threat Severity: High
Recommendation: Detect DLL injection into explorer.exe, monitor suspicious scheduled tasks, block PowerShell execution policy bypass, inspect WebSocket-based C2 traffic, and enhance EDR behavioral detection for process hollowing and in-memory execution
Campaign: Adversary abuse of legitimate virtualization software (QEMU) to host covert virtual machines for stealth operations and credential theft
IoC: CVE-2025-26399, CVE-2025-5777 (file hash, IP and domain indicators omitted)
Campaign Scope: Enterprise environments with compromised hosts running hidden virtual machines for persistence and lateral movement
Malware/Tools: QEMU abuse, reverse SSH tunneling, scheduled task persistence, Active Directory enumeration tools
Targeted Country: None specified
Threat Actor: STAC4713, STAC3725
Sector: IT / Enterprise Infrastructure
MITRE ATT&CK Techniques: T1053.005, T1021.004, T1041, T1003.003, T1087
Threat Severity: High
Recommendation: Detect unauthorized virtualization activity, monitor for hypervisor anomalies, enforce strict patching for known exploited vulnerabilities, restrict SSH tunneling, segment networks, and deploy behavioral EDR to identify credential dumping and hidden VM activity
Campaign: Social engineering-driven ransomware intrusion campaign leveraging spam bombing, phishing, vishing, Microsoft Teams abuse, and Quick Assist for remote access leading to ransomware deployment
IoC: 335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4, d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2
Campaign Scope: Enterprise users and organizations targeted via remote social engineering and helpdesk impersonation tactics
Malware/Tools: Payouts King ransomware
Targeted Country: None specified
Threat Actor: Payouts King (possibly former BlackBasta affiliates)
Sector: None specified
MITRE ATT&CK Techniques: T1566, T1566.004, T1053.005, T1486, T1490, T1070.001
Threat Severity: High
Recommendation: Enforce MFA, restrict remote assistance tools like Quick Assist, monitor for abnormal Teams activity and helpdesk impersonation attempts, improve phishing/vishing awareness training, deploy EDR with ransomware behavior detection, and ensure immutable/offline backups are in place

Apr 15, 2026

Campaign
IoC
Campaign Scope
Malware/Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Ransomware-as-a-Service campaign (NightSpire)
IoC: CVE-2024-55591, 94dd3315fca4c31ef61b7865c3b8983f, f5da096e2ae6079c4670ddd6566244618056a22e, c5f526cc62688cf34c49d098dab81e24e4294f832ada57433ef505d5ac6da8f3, c75070ecb9a77e07975664675174c84b, 289fd2f98bcb6e9d27798c9fea572dfcf10931f5, 8f58870a3e5df1d904940c7ef2ad160b90ba739c7e5e21e4c908945e0a6f3f60
Campaign Scope: Multi-sector global targeting of SMBs across multiple industries
Malware/Tools: NightSpire ransomware (Go-based)
Targeted Country: Global
Threat Actor: NightSpire RaaS group (financially motivated)
Sector: Manufacturing, IT, Health, Finance, Government, Administration
MITRE ATT&CK Techniques: T1566, T1190, T1003, T1021.002, T1047, T1059.001, T1486
Threat Severity: High
Recommendation: Use threat intelligence for TTP mapping, conduct red teaming and attack path testing, enforce phishing resilience, maintain offline backups and recovery plans, and continuously update security controls and user awareness training
Campaign: Phishing campaign (malware delivery → ransomware)
IoC: 4f0444e11633a331eddb0deeec17fd69, fe9cc76ea60473d615b5858d5b511b2c9d22bce5, fb5fe19c28f8f44026b0c46939068480f9f005b252961ea782e1ce59b8f5dc59, b2d5bbf7746c2cb87d5505ced8d6c4c6
Campaign Scope: Long-running campaign targeting home users and SMBs with geofencing and Tor-based C2 communication
Malware/Tools: Adwind (custom variant), JanaWare ransomware
Targeted Country: Turkey
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1566, T1204, T1027, T1071.001, T1041
Threat Severity: High
Recommendation: Implement EDR with behavioral detection, monitor abnormal process and network activity, update threat intelligence feeds, enforce application control, and conduct phishing awareness training

Apr 14, 2026

Campaign
IoC
Campaign Scope
Malware/Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Supply chain attack (trojanized installer)
“5627c24dd7661df4d4c8617a9a68c8bf 7eb1a6495269e8faf6b0faecd5dfcf58 8367920fc34144d57b385276a8b3ecbcc0696475 a6c802b8d2b7351ddcd3dd50b17d5aaa36bc7937a41445cd4797363c0efe95ff”
Compromise of official installer for a cloud phone/virtual mobile service, distributing trojanized software that deploys a multi-stage in-memory loader delivering GGBond RAT across multiple sectors
GGBond RAT, multi-stage loader, in-memory execution techniques
None identified
Unknown
Government, Administration, IT, Education, Finance, Energy
T1195.002 (Supply Chain Compromise) T1574.002 (DLL Side-Loading) T1620 (Reflective Code Loading) T1055 (Process Injection) T1082 (System Information Discovery) T1071.001 (Web Protocols) T1041 (Exfiltration Over C2 Channel)
Critical
Reinstall software from verified sources only Validate installer integrity (hash/signature) Monitor abnormal DLL loading and in-memory execution Block suspicious outbound communications Deploy EDR for behavioral detection Restrict execution from writable directories Segment networks to limit spread Conduct full scans and isolate affected systems
Campaign: Software supply chain attack (malicious NPM packages)
IoC: d780fe3b635ff099682677f3c93e42d789e572926fd0db076c27e775bb109b06 d70e7e37dfa4cf501cbd0ef6a236c84b 18e8742fb6fb5e70c0c91823d72f5d9074be1d1cba1cbfc0eca75b5427e544da 43f446a86f1fbee74a486185c6dc1d51 646f3904ff03e64229f938ac23fa8bb79ed1658ee5aa0bee4aa8909f38f763cd 823f13d45fe0dd05d2f1ac4344d8ae75
Campaign Scope: Large-scale campaign involving 200+ malicious NPM packages impersonating AI tools, brands, and organizations, delivering cross-platform infostealer malware via post-install scripts with widespread distribution via mirrors and CDNs
Malware/Tools: Stardrop malware (infostealer), malicious NPM packages, JavaScript post-install scripts
Targeted Country: None identified
Threat Actor: Unknown
Sector: None identified
MITRE ATT&CK Techniques: T1195.001 (Supply Chain Compromise – Dependencies); T1059.007 (JavaScript Execution); T1105 (Ingress Tool Transfer); T1552.001 (Credentials in Files); T1552.005 (Cloud Metadata API)
Threat Severity: Critical
Recommendation: Enforce strict dependency vetting and management practices; use static and dynamic analysis tools for package inspection; regularly audit and update dependencies; educate developers on supply chain risks; implement SBOM for full visibility of software components
Campaign: Exploitation of critical vulnerability (WordPress plugin)
IoC: CVE-2026-3584 130[.]12[.]182[.]154 157[.]15[.]40[.]74
Campaign Scope: Active exploitation of Kali Forms WordPress plugin vulnerability enabling unauthenticated RCE, with over 312,000 attack attempts observed, leading to potential website compromise, admin access, and malicious code deployment
Malware/Tools: Kali Forms WordPress Plugin (RCE vulnerability exploitation)
Targeted Country: None identified
Threat Actor: Unknown
Sector: None identified
MITRE ATT&CK Techniques: T1190 (Exploit Public-Facing Application); T1059.007 (PHP Execution); T1078 (Valid Accounts); T1505.003 (Web Shell)
Threat Severity: Critical
Recommendation: Update Kali Forms to version 2.4.10 or later immediately; monitor logs for suspicious activity and IoCs; deploy WAF to block exploitation attempts; regularly update plugins and themes; strengthen access controls for WordPress environments
Campaign: Social engineering campaign (malicious plugin abuse)
IoC: 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980 33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f panel[.]fefea22134[.]net 0x666[.]info hxxp://t[.]me/ax03bot hxxps://t[.]me/ax03bot
Campaign Scope: Sophisticated cross-platform campaign (REF6598) targeting finance and crypto users by abusing Obsidian plugins to execute hidden commands, delivering PHANTOMPULSE RAT via in-memory loaders with blockchain-based C2 infrastructure
Malware/Tools: PHANTOMPULSE RAT, PHANTOMPULL loader, Obsidian (legitimate tool abuse), PowerShell, AppleScript
Targeted Country: None identified
Threat Actor: Unknown
Sector: Finance
MITRE ATT&CK Techniques: T1566.003 (Spearphishing via Service); T1204.002 (User Execution – Malicious File); T1059.001 (PowerShell); T1059.002 (AppleScript); T1620 (Reflective Code Loading); T1055 (Process Injection); T1105 (Ingress Tool Transfer)
Threat Severity: High
Recommendation: Enforce strict plugin policies for applications like Obsidian; monitor anomalous child process execution; deploy and tune EDR for behavioral detection; educate users on social engineering risks; implement MFA to reduce account compromise risk; continuously review and update security controls
Campaign: Phishing & Living-off-the-Land attack (MSBuild abuse)
IoC: 769687f93869a70511aac1ef7c752455 ad833604d230b241e180950980ea462b3812f82a 46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc 7a75e713db41c28378e823322fdea0fd d1a86ed06b18efef5ce724d2129cf1583b779b44 de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1 hxxps://onedown[.]gesecole[.]net/download/a3693kfa836 hxxps://onedown[.]gesecole[.]net/download/a3696kfa836 hxxps://onedown[.]gesecole[.]net/download/a3699kfa836
Campaign Scope: Campaign leveraging phishing emails to deliver disguised archives containing malicious MSBuild project files, enabling fileless execution of embedded C# payloads, downloading additional malware, and abusing DLL sideloading for stealthy persistence
Malware/Tools: MSBuild.exe (LOLBin abuse), C# in-memory payloads, DLL sideloading
Targeted Country: None identified
Threat Actor: Unknown
Sector: None identified
MITRE ATT&CK Techniques: T1218.005 (MSBuild Proxy Execution); T1566.001 (Spearphishing Attachment); T1204.002 (User Execution – Malicious File); T1105 (Ingress Tool Transfer); T1574.002 (DLL Side-Loading)
Threat Severity: High
Recommendation: Deploy EDR with behavioral detection capabilities; monitor abnormal use of MSBuild and child processes; enforce application control policies; strengthen phishing defenses and user awareness; apply least privilege principles; continuously update detection rules for LOLBins
Campaign: DragonForce ransomware intrusion
IoC: 38[.]146[.]28[.]93 38[.]135[.]54[.]24 CarryingItAll[.]com 185[.]174[.]101[.]69 104[.]238[.]61[.]144 88[.]119[.]175[.]65 92[.]118[.]112[.]208 173[.]44[.]141[.]226 185[.]174[.]101[.]240 108[.]181[.]115[.]171 162[.]252[.]173[.]12 108[.]181[.]182[.]143 23[.]227[.]193[.]172 88[.]119[.]175[.]70 193[.]203[.]49[.]90 185[.]33[.]86[.]15 37[.]1[.]212[.]18 38[.]180[.]81[.]153 45[.]66[.]248[.]150 158[.]255[.]213[.]22 162[.]248[.]224[.]223 chateaugalicia[.]com 104[.]238[.]60[.]108 185[.]233[.]166[.]124 185[.]72[.]8[.]65 92[.]118[.]112[.]143 45[.]82[.]85[.]50 185[.]72[.]8[.]121 joealdana[.]com 185[.]180[.]198[.]3 185[.]72[.]8[.]137 0212a0e0b6454fec8382268bf888c7f3a9716ba30d4ca34f2babe6e8ceaf2a7c 05c61e9a8a7e8a3548afd765786f45181746c8e846912ca40aa5b7fa62262dc5 097d59852cdb90b68794c6554a89d11244f99375e1fd58ee594e30cd600fe66b 0f0db5079a9fbd760bb24ee979e2e808b2dc089c17033310838474a53a267f04 1633832a753c8537cb099e431bed4e33e65652ffa4bfaa23afdce71b05651b7d 1b7109ba3b20ece0b456fc03614f65548877d4743453dd10f7e810f1d6ac6ceb 1cc59f160255a97f68567369540134d6583ea732af843842c7123a84d317c784 2d8ce4136f47ebded2ea489ea452cdc99b7638c94f56a6096e0c47897652f01a 319939aaefb0c306c5dcbd9104f9d21a1f227dab06f7aa451e6fc9c747874fe9 3207127b0190eaddf9092e9b01a031f64c3bc3af6744d3b8bdd2e5ee048e5478 32e1103fbebc2da104b86665f3d05543ee6bf1c9858bc9010499f051cf1963bf 35cc1e3d3a157fd46799847391d88f80e1d9215b63f2d5ac5322579d932c1412 3ef9f3f8741b00c812d1e33d28d0e86837147ae6eb441b2095a368d338501ebc 3f72ffff5ff4969f3d03def9a886ac900b449fa65f6e98d4610e013e01f43193 4da5c9487bf85133a1fd56c3d793ce4eca2c7a88c72843a88c15bcec1599aa9a 57fe27bde73ac2e5cec527971f7026d11f0db8ebf566db0ffec15b7c4a6f3f83 6277a5119de4163805a07c63bce65772e158ee2164cadadb92a2815fcf8fb571 68a9afcf6be360cbe63b22238ab342f2038738af7571304d5b9e7894a83bd04d 6a4e87bec6da6001a53fef2feb5bc6f81b461370da8abc9a9912721071c24300 6b560ab85dfb47603f67b7978572bb23bcea303d98c9624a7fe51aacddcadaa3 6b784c8731cc964f6029ead93a50769f2dbe4812c19fea88ecec7b4744c340c9
6d5949612708c2a125020731eb82f930b1d70fca58109072c77fdded65b02c6d 74f5309915bbf53ccf3048bdb66d357a7939ffbcc972cc239d5ff49c3e0a2bbe 74f7193876493c068a1b308fa5620ff9f5e0322925f195338cbe0abb4f132fd0 7aa0f3fd45c8b1e8c5ae9c06041f24f4c71cb247587dfea6440b10e67ebb5f30 7cc2aac1a47457c1aa06510de58b539a8b1b6df0817374c8330d928c6daa70f2 7e7841189912f875db543ca9941790782ba4d0d30d85c7ba484a1aa908a64b5f 906f80a485832dbdc663aa4873728d6d3291931031c7a53e2080a6b337c26341 a03752027416bcee647881535a5c055a770d9c25630a2792495d042632ed81c0 af2fb6c99b3c2b2311a619a76dd51cf928ba8e9a7a4c74d79642bef7217e2bcd afd77ee76b93e0377ca4d075409b41a772a66758ca8ed9894d4228028c4367c6 b13ceeb14f707fabc7a689aee41005d7f1ff526223d6a43701dc1ca3513a0895 b7efa6daa471c34e4753f9eb09e70de013077bedf62972449afe9ea0185abe1c baa412223f945dcb24a7f55a90709ddf7a228c8e5726a5b145a2c6220b6837c5 bef0a83fb7c7600984a3dc4ea3276f5031bd029b734988b6fa742b57c48d4e1b ccfa2a85c2ca12cafb6819c9521be8c886d970dcf65a3d19529984676d1eca9c d63b5e4634dde2aa02970501b3fe45fb52953951432232d8167d31cf9a2f7fcc d97d8544dcfd573a88123c4c5ccb76dd1560bbefdba6db473b66cac96f4cbb0d daca113fa439b50c2b91099c47932a16853fe0c8728b6fa00cba3066b0986503 e7bbf40533fd939c0aa64446671209bb70a85e5b7ea4aab1923e37034cb3b996 eb15f77924658bb33300a93ee9a4fc07e874e8324d986452c673928ea85681b7 fb9b46f942d1f06a6176ecd6e4dae0d5b7b692682c978bbc479f7f903851b53a
Campaign Scope: Large-scale ransomware intrusion leveraging Python-based persistence and SOCKS5 proxy backdoor
Malware/Tools: VIPERTUNNEL, ShadowCoil, Pyramid C2, PyOBFUSCATE
Targeted Country: None
Threat Actor: UNC2165 (affiliated with EvilCorp)
Sector: Multiple / Not specified
MITRE ATT&CK Techniques: T1053.005, T1059.006, T1027, T1140, T1090, T1071.001, T1041, T1572
Threat Severity: High
Recommendation: Monitor scheduled tasks and Python execution, restrict unauthorized scripts, inspect outbound traffic (port 443), detect SOCKS5 tunneling, deploy EDR for in-memory execution, enforce network segmentation and egress filtering

Apr 13, 2026

Fields: Campaign | IoC | Campaign Scope | Malware/Tools | Targeted Country | Threat Actor | Sector | MITRE ATT&CK Techniques | Threat Severity | Recommendation
Campaign: Social Engineering / Spearphishing Campaign (Trojanized Software Delivery via Social Media)
IoC: c681fe3f42e82e9240afe97c23971cbc d44a22d2c969988a65c7d927e22364c8 28d0143718153bf04c1919a26bb70c2d 36be2cbb59cd1c3f745d5f80f9aee21c 38[.]32[.]68[.]195
Campaign Scope: Targeted (Government, Military, Administration sectors)
Malware/Tools: RokRAT malware (via trojanized Wondershare PDFelement installer)
Targeted Country: Not explicitly specified
Threat Actor: APT37
Sector: Government, Military, Administration
MITRE ATT&CK Techniques: T1566.002: Spearphishing Link; T1204.002: User Execution; T1055: Process Injection; T1027: Obfuscation; T1140: Deobfuscation; T1105: Ingress Tool Transfer; T1071.001: Web Protocols; T1102.002: Web Services C2; T1567.002: Exfiltration to Cloud Storage; T1113: Screen Capture; T1082: System Discovery
Threat Severity: High
Campaign: AI-assisted cyber espionage
IoC: 165[.]22[.]184[.]26 159[.]65[.]202[.]204 54E16777EF0EAEFC066277B96A40B4673B8694CEA68CF347862C1DBBC2365820 b84450974bd3f1fc5dc09ec0edeec50647df81716e305ef391c9115c751aab17 2c9bddd6a1a4ec66c1078ea97dacb61eb66d1c41aec7b6d21e3c72214ce170f1 91eda7b1e7bf2b2642f7060ccc018e5d4399936c53e714adf2ddf6e104b2df01 44e83f84a5d5219e2f7c3cf1e4f02489cae81361227f46946abe4b8d8245b879 9a8e9d587b570d4074f1c8317b163aa8d0c566efd88f294d9d85bc7776352a28 ea92c50ffa228da28a9de6a56cdfcc0611f12695ab6a05c65865d6b3ed19e634 28b2e77316ff4c3480c68a5a63e4e649c7ae5bc0d74f3a0f3dcfc5c10bf92c8b 465be0967690da93bec5dcc7f36fbdf0ae15f1e943a4374bb2fcb4cbbacc5900 d174b9b182bf09f0e1c91f69e8e50c74e22faa0e1b5e3a7b4b01ec79f53c3b5d 538309d7b74fd481bc1ac95c7c7ff09bfa48a7a58e9b0a3c2e02c37d5e4d2b1f 9b0dbeacaccff663533c2dc5cd570c1d3538dbf8b2eb9fc1f1e07514545744a4 386f15e9dd3d234af02194d9d0b9b87ee8d7bbaec3b479042dbcf12df29fa73c 2a5656426de9ddb7d807464dd6568b8d8bd2332976e8ede93f711aae16c96339 ae8f5ba0fdb8ec27890966e705c4fbc09ab390c6b41b38d4c14665572eaa779a 85706359974fabd8b673ad2ea07ee459a45bd3cc5a24ade7311e427925a10637 ae4ba9d99188d0a386dfc0c84a225dd31d145e4813fdb4a3fa62087dcbf40592 f30bd7a155853b712da7a7c68ed30c4afd0944c0ac7009f0c9331148aff56bce 75e671f01ccc197145e9c74d03416d23a30bb0b89efe5656fe392779ec06f4b3 00c5f829d64723bed0f0fcc48161d014a022ee218af11dbfd324fc8ddec16922 a8e4c0371fc45f05c69f3f70e2775260bd848fbec301b03af6bce2ded4f48b76 1844558373581ab1daa1b482807527b1caf8348572c46e1ddc8d925630b17156 8b93e2661350507e962ef37da57507b6dbeb7900eaea7912ed5efca414ccabf8 0ede4e8200c095a4c13859ac8824edcb7b5363808773fb086077d172ded0213c 03e9e297a6366c711f41a5bdd1d056609172e3ada43b055d1679e097b1a345a3 e8744a07fd5f623f2e477c0f311f749a807982b647c412b034e5bee3482bda17 2a8a35869e2bf7739b7514784c0b07c19d5fda1a7c7579b05fc38d82aa1a13d2 4bd146f48b684ee4c5e81e534e8ac46bfa76f083d5758ac5a0ea0acc5b5496fe bf42b3bcecb01c9d4cbf530896d91815f7d433ed384a7b2c40c92638776c02b4 2c0be4d8fac2ab483a467b30a30a75c54e72d2b4b09d46d91967406c6d61f092
daa36a12d6e86cf5ce3a7ee7d489d698ec8f9980a36c800a8502b82381c1736b f1e15fc72729a41d59e9300711df67501daa314fe583d6795c527dc001305603 2f3845353cdf8d007d6d0a199abeb2c56c96736eb79146b6ee3d43d919863b85 226c2478b5ddfd97a39f29424c03d2bd13b855dd9ab4195e4a1a6227ff2ecadb 22d4c6f8299a61fccac44c06e0b8b4789271548b69443ab554e67bd7a4bcb964 ddebe9d942b9417dcc6fb9b6abf813a0660d70b331b72e8112f809c9acd4bb11 6fcc30696d002992f0b259ffce50ad7c2b4c9caf407e9c44a975cf026b091167 4003dede86877a5654df5dbb242631b4bc120fa43dc864a61349780fa2a751cc 36a2b4a5fb22eb5c118b1f2c7bd5f76ba1e5669b950639e22abb0c1ea8ce3151 11bdcd85c794a5e1452a17e60db0d9ed44efa4ac48281864831b79942ccc337f f338b730adb4b8e12582aad55b544a9fb91802d5e991de6ec20848c215808827 d259419e52b9d602e884ce8313797169807d9bccc16089764e2f314a71818336 7c00b30ca5c2f81cc7b9c36c0d9c103c2292a0826a5601225ed3384d159eb065 aabe9c8fe4352be93deddebafcdb44e6d416f61ad20bd2cad300eb42ab0e4340 e70c4c5c41075c45907327e495d64b7d162f1c0e1f3459b57e2147f33d3e2eeb dc24b55130a9f78d45e18979c03ccd8db938e11459b14d2b6d9e4b42993f04a6 28c528eda62f5767c10ef9dc9e9ab3fe82dbf665ba35f979f45722dab5ce87af 4fb1908492ee45cf9b5ef3577e0c6b28f57763f7d5adbb8b5693554d1cd4ad26 23c2f059da85101d2ba8b2c60c5f74d0b60d0a9b3c1a5d2f7e8b4c6d9e0f1a2b 93e72961c148c0da8d13da8d3d38cb0ff18c6c506d33f75509eb4b7b9f37cd32 a5c00451eb50fbafd0440d629fe153ed3e833d9df10d9932a273628438b8088d 1e4cfc64c82c2257ab6738ef3901282a6b813a6b058a19dd344de524037e2b49 e5b187a158dc8940f7b905c7de78d08132447075d761f90629307b9095451afe 4a4cb95fc70d0ce9a084e52de5bce7079cf35f991c76cf0ee2a563cb6c5da99b 05ac9eafeece2f45bdeb49413bcb41a20edfbe700a1bcd160663d4d131f24d21 ad693bbefe342d787b98e244c15a95dc3c62bc35a04385cacffcf42d93c46021 e8702684bdf221811a99c5af9c00b8cce17256e0afe4a8548ff0b3e78d74085f cc612f33a93143e143b85691ac50eb749b0d85be73123d693ac72e575a63a911 3f44002ac3d6129cda249912c2310b503c23151d948650730d7cce92095ad8ee 8fbbe7af07cbd440a96a872463fe5e3610ead2cafc13857250cb5e800eadd214 
0904e809a0cc2e97429ab5275a2122a713dc81e658df58b8a435db58c24dec29 ca600bacdac7a8a24861b6f66747952714a99c870c1510ef57db5a0284b29e85 60079c91b15fb3002e48579f956b3fb6c5f50f5dace53902c96cc8b92ffed883 3fa243ff472f334b4527053100d4549c0d840cf53c5503c5fb1db87695aee3f5 2811c4f8bc2f859a2dc5fdb1473dece4aa5231a02478b8d5b77f0c15b1f526a1 6340a8e1d6aee8d527173acc88540a6b1674cb9193da52d088d89fb865dd734a d281cbcc921e7039647d2991c24a100d6ec8504e15f1d4b02dd6b3d2e8f65d9b 52b0bb7d7748f37f3725422444689ced67afed6d74af3670e512431066f1cbe7 4d108b390bff0641342272dcce486aebeef161fd47e7f33a8e12df3ab9fe5d5b d206b8abbab71d3dcd4b76cd7cfa49714a63825a9f79449163c7c33ea1bcbba7 ab83dbfe73db42aaf18e8166cbcdc2816633a3b4f7b5c86b4a5f0032b74fd4b2 f14d3ba09deafc365627d00aa02d50e5f43f8ab37c38452ffc3af93fec069aad fc91bf7f163e353a4c122739ff49f44722425c8bd63e100c7e35c177b50897f4 a471238f23d450bb662888af8af0060f45c6f07aac58853c34a740443830dabe edc6b272bbbd8bb651433d76c69814bc7a774ebde468d30445e64d8f617b80bd 56efca03c82f55ce7376d72ff694eaf187ddd0ac246fe9fe13e84f490608c39c 8d629aa099cda2d61568a5309abb68dcf7eb825c43e96dfcf98176cec39f25f8 de1e501383bb4baaa2f77e6a2d0164d3be04c0b326fd8e00e50ed90e633db471 7faf27729b85177982ece41a790243de66f9a61001630f1e548db45cfecd43bd 02b041a002380fc4f19249cc18905e879f90b863cc154c878450663662a3507e 386ea9b16cef9734e3f413fd82ed1d14e1aa7922e94c169db275b7933d041bd1 3a394c300371f107a045b734dfea4bf3dabf3cec0963ed4da673a2013b65b3ae b164cde58c696e39c47127f1941070e83e2cbddcf89d316dcad61e5d533b7cd5 1765df3d42ac5c3378d7911816a43d2c31ad05210d64f702ca1e61b82c283983 bd97e34e2d5bfde708cbcff2a4308f8153bae8c39d6a1bd1b3fd7f9a81c141db 630cddc8b849b78803fb3c5b43d4c7f65fe3e537c6f1ae655b7f7114015e763f 52a63fddb9be598535425cbbc01ff4b1aa635eaa115ab0eefa3578ff873c0e56 e64f4fe49580d45115665b3d6fdd39f627345430d8224bf75ab84af2e6afcd63 3c856099dba6d5f6b4018b00215eedba85dd1a943f816088c12d7dbf0fa6f08f c57c97e7ce5a36b749ebe69b72ab6a00a0640b9db70e59e2933eb403d2658063 
36ad087fcadb32d4d35b91d49de93f33ff257d95ba115f10c3f94868061bf001 a716d31b15ca63a1bddcdb48d29e21310b90193b68d036a89ded9995fce06eb2 573b6bd3ef425f1d798e38fa7b5c571c873fc2324cabd22b2255303341669f53 0b9f2eeb159bdedbf9d5a596b61daf96ca99e4b0ab3da6afa01cab889e6135ea 63332ccc5f588be0901a1443abb8b4ce9ab988a85d7789a6f64ce6293adabad0 2ad65c1e609efa25ba34267f44dd79f272e5e5fd6b252589c0dc6666c909fa8a cd9441b2503151f28d7f5a231d0b3db95d93da882979f314d5394256d3782cbf 4df561219a3cdf1806557900d20212ce61ae192165532622e57efd327c984030 45aa8c3a22ab17868f8177d520035aff7443edc7dd22952232e0705f89e71ea9 5fed04a7c07fd89572cbbf5a3f3ab652071b077d3539d78220580d5d446b520e 8e3a6e914588bc39fae3c04eab2a1fb34640ee1c9fe875e8df93251904f1b0cb eae7dc42451223c5cf2c6b8d384ded82f1fbeae70439e09d5ecaf42d16f1de95 01a1ae66f9a104d91878638d27e8244ebfb8409576b949e347ff5f5b398769f3 fd3b4937765eeb147352e51f8f3d8b5392ae4177d50e8f111758de830e6d9777 fb49ef9da12f85972913db2a86050ba79d5e71cbf1eb9cf580f28c43417fe66e b69b0779e4de5e05001b629b680023cc030a5d1d603767caa3d176f504baacf3 676aed5533923a443a662a9243c370568ba33a5c0c040cf0dacf354269a148cb 0ad55270a166050f76a02813256ed21a368b9e873894dfb5236c432b195b7692 a2b11c970c285c2df2c1101dc141c1a5ae7ef6e5ef6cd7856756c8863ab2f86d 889c8c29e1bcc83457292fcf27174c726c306177c20943e63251870422e48440 ee95561681807fde086dee4b2200c2c301358c102d0654778876678147b9b5e5 46b3efe9877f9d3e4fc4b9547ec213e75938397fdc30828857155238335973e7 8e2d84abb8b68c9fb6de9b62b12483c1727bddf781808e8fd140c6bf422b026c 825bf8f912b7c9095b2f78510acf3b882e15177dad6ea4231aba6a3c5b84f1ed 0ed4c8a47a2feb3f29dd2cec50eb24c96069be119f01676795027332a0326d84 6b5979709984e5a500f3be45630597214bf77f98b8b1961ee627938a86848e47 c25413774b0a5d9e760cf1189c0b22dfa12942929c24cb6a494ee678ec9fb611 ff262ec65ebde39e8cacf41e47d99397b84c2c6db73226a32351a08de44bc5d6 58fc29379a34310e841038a18460d043837b88be2375806dbf04b3fb124ca26c d440bd329a74fa845a927c2011a6d8f9b119de1a326f725936014cbb7e302c92 
70baa964acf6c75d765b4538f37fdc4426358c582acaf8131777117b285e246b c7805997d6bfc44de25af07e87308c05d9fa787575d377dae4faac73cbcb814d 9fbe1a19344a13db061705e747437ffd4acca0f734588e207b04efd6e8fa0b52 7927e98a9a8ca9b2f24c7ef944f7a6c244e992837c95e4d5f66c350a70e812cd a6185fc27b54c0bc86ba9d39613d967caf819f3910507ea52f21d40eceaa93e4 bac90c918bfeebdc4a06c27166d8da7643739eba09a8c661152eeadae5bc8dc5 9f01390b9aab2645a1d08a505f4ec9c5c32e1b6b490537bf9e78b38acd46b072 1900764e9eacedff3bbfa48e9dc1b95bec192e942ff0e4c239d91a2369c1e75c 45553aef63801ece82fe971f31d710f6135a0885afa88f10c61871f280a8ca4d 491e785903f88e03a71973a1e08b1ace97486e86d60e6b062189f2f8ce354a14 a0dce59ca18604c93d84864a31848c74563f287dde71f7a58293514ab29ffa4c 7a69a95f5fefe67897c54290a6cd1a41250aeee77f2ba31a0cb7751757ae2d3d 7404bee858fae8b58cd545dd3a6400726242403802a59d5870fa3afdc5b81c9e 6315de4cc1195508ce910b5be536b98e3297505465c68ab9d2223357606c0ba1 cb21ae8556710999971a006ffd7b59b7a8d1568eb2bfdc0fcbc4fa43b08b33a9 a0c82a28b270a540a9d4caf4e43be45fa7ef5ab930e02393ce6c0e303c1e9439 9e3d1044be273d34bf9c3ab2caed2979fbbf58f5d7b34ee664922a43b3aa12a2 dd5f178278cd347f24df5ec556c25f8e505006ebc86751b7c475e92cb70b0126 3f9cf1a8751db2dd578491bdc670c148f5bc3b9749389a2caff0dd100bbf7072 92e7296bfb77f60db1e01445136246e86fe4daab431f9341307c7826cc49187f 621c1591ff91f66dbc40b5fad16fdb9c8e30bc023f1e55f2458f891336f5c267 9a8ca2ffd8a240044f3febd7657f38f3b0166e26c1aef2113ad99f11f7b2f99c cbe76edeb64031446170857edfa2e34ec53c42fa9c2c4e8d2a026cdcc751d4df 77c6734ce1cbf5a424afa450c6fb5c2b793ec0fefa4030d56607fd2ae29734a8 a68bcf3a4bcfedac4cf381fe2907a7c3420d8f8dcf8e85f8a918015345624781 8a9ee1fec6a6b2c71b7ea2557f89fd23eba2a0cda6aaa458caba667a98a18434 f49f13aff4a88a8d0db8a122510f2cf2bfdc69593336feb3e20b19e17afae570 e5ea1a5a122e4f0a8dd19ffdab580201e26c056e8f8bbead6ff3c2708a1906ec 376877d0ee00c59d7c51e5cab07edc4200839635029134556c4a55f64cebe04c 8cbaa34976cfb9617badf3d0f4a0d0f0f5612dcab478ee9f94ebe04422851531 
2a32272d5f829d8d266b2f491fbf6e6c4831aba67eee3e1523825a889ee280ed 6f40ffd5282b2aefaa3df3886af29275a67907a621d6d8177b41fc908c654cc5 9c087fc66b3e23613ff0550ca936b0521847f78656a542d8e3d2aa0c88a0865d 952f5f4ed62e83818513b764d68265a16e8d90348c952e4e5e93302fe95e225b 42dca53c8754ec91ee459ebd6672ab1a12c6dea3765e05276599dc8620b63717 9fa6960053f1511e953cbbf5a3fb0858133d8dcdf4421031862577f42582ff81 8e27ebaa46afb0e03ba435581c2b654797d1beedad530e8c77583c8bba3a297c c851ca08bb9ee438f7c58a84c577268f054402803ceeeb6782ba05b4012af3de 24d5a9066f898f0e71f4c551df62faad81800234e718ad6f80d3e3bc2b09e2e0 abcc58eeff286dcaaf842dc18190780645d192567439074f156f74fb5ba0f6c1 f54e0031edc6270d3dbc2c9b67243981920660f3933575e12ddefddc31d73004 308087670b971ed6a794bbf1bc884c6d59699d68d4450a9928557b7f3dd1538e 9ea805fa8579a7098f4facfac086a4a38a640186b98d33ed0a585bc76c027ded c00b84a01de7905dfe44518219739edbc9431d105a898d1612bde7088adbbde0 08413428cfbf122ee0e5188e8b1e3b94f02e1789bd43c006974fb91b1ad37a49 84e0b90827b6e53b4acd4924537dbdb43b8b8e67dc11529fc67c0ae160d67765 5e5efbe54e60adbc27e5137be286075a90b31e30bb7dd6aaede1878f9d454dd6 ba08e40a745b97ff2c1a9d1997acb5fb5039a9d39974d4a5e5216d086ef5a204 66aaff1b8798d65451d5bfede3bf82e272723b636168ffa65abb837009d83b55 baa3f08b26e422f7ce84823078687d02bd80a7f8d14574d33699300a85ea7eb1 0df97535e7b9f615b9c8f8800e5c888e55d68ab3614512943493397b5b57ccf0 0dc75fc30065417bba3b9966f094dc9ed33a9f859eb70ef096f10a446ff035e0 6fa5666ae90c89c8d6634383daac1d80eb9d0aa91ec3272edc2462a39da4da17 4ccf4b51fffe69b9b8582b960239383391d19a262bf437774856339d4aa46bf5 c3b23c712aafb682debb2fc69ce1f0daf3fc51e9f68a97c00b84c9bda7ecdd89 9ce91435b0464aada43ac379e61d0038394e00d55f804090bb5e8a83d2ade624 42ec7f88c8a2f163c8b8bd9eed22ef9b45cf087f843285dbcf93626e51dba2f2 ec08acadcce37b4221c497609a1026ae0ae85df3096b712d727f3bd98ab291e1 9bf22275cb64758e2607a059cf7cd4085960f25dc2f259da1fd8cce993c8be14 8172f66a82af800479999b573b3d436a91a059dba3ce2c681a4ce91c167513c7 
3c7c9d930026366b6ebda78f06fb280d0a4480e10ee38d455d6fe61bebc7ed76 946a02244cbb0ec15ee64a8479e756a9462e8defe3c37a7853a06131bb5debef 4f3fa3a5c7a4d71b1dc04fa2347bb076cf5e8dae3cd4e42a0c41590c212e6957 46eaef5bbe9c75aba0748b44433beef7abfa28af574dd1add35c02442640fe26 f0a2e2cbd03db4573184d5211d77e81cde4458458bea8506de3f56c668883d1a d7863bafc25e9fcda946ab813ad7d2313d60027f796d48b3229d904305c9ba7f 6ae957969a404ee54f31aedffdcd9a7b474006beefc0bdbce5c65e2c4a862abf 2a0406c45c366a5556d63ff81fc282f3c9b8250b187a2ff7ae4fa0a1993b3f03 68d976838cc7a67a6d80aa48f0df0e6318ffa1f6a74bd905feb07a659330b89f 566d9ef0e57aa11cea2585c39340dd6306d9c462457e8db1d02a0bff45aaa83f 37af84ad732df31886439c0411a63a82ebdc7a6b6a4c1298ede6ef28bd48237f 5409aaf8ae24e9148a08b5d70d375d610119b7e82fb28fd9dbbcc134e82d6188 c9dce5d676f7c0ad8ac6dfe9322a0b6fe4f394797b61724120b3dda9109d8e56 8f66e730be2f3b9db4b6bd79a62c1b94cbdd0178bb28556b10a0ae590b40f0e4 7602e35043a875c0bada43a40941a7d61e0a5570c7872dfac13305be5dfd18a9 42acd12eeaf196c8c5cba533c2320faa3a5851feecc4366b28c9826a4653f41c a3b352285e258e103a2adad264c3134404454a323693f189b73e0b5e81e799a6 a263d1ad77791b474c9dae61d836aca39e3f6da4926216dd57476db25573716e 91b90c8176e4a85d7ffd7d873471803e5bb7043f99512f9b2d88599e0dc22798 0d9156b0f271175b01a217f44cfff2d8c20e0561e0b06248bfe73c0695ad702a 39c9b707a0b08b21bf90d5032d10d6254f733a5f675ccfd3626703899ac27a08 6cb7995ce1201e2594d92eb71038603a26df09365f4d541f6a09d1883b55b7f9 8817c43ed346c568148a020bae24d7cfbfc2e88a50a8043cdd98a4790306082a e79f192e2a916792c04996339f0e64f6585d9e6498d2f088c70dade6318fdd18 fe752acb087730afa7bb71cd400e3dd793f3f959b542ee07e5438c1edb05fedd 064b71bebe13a1f9051a5789ea2c83b5b8cc203d9664a79c1260c76d2adc6d39 92f0150c2e39dc4f9740be8f166979ad741a9b4d07d6f10629453d5064b891b3 23a40453ca9502fffd95de93a197961cbca47260579ace0bb69b7a3415828248 5d744e7bd47f80730569b5344c3675baf064f04b16badc54318635901e1c502d 7e6bd9cb6458db236b6989b6b93a2157270e0c7d74135218a342cf0a7be293b4 
a714be6965f6d90df2be5e6e897eb7262830a5ba8fdc314605341a55c6667f52 4b345131769f66c28192799682a5ae053fa4c887a85d95fa2568f4b0238ca842 870ee164b7441102488886fd23655f35600bdbf69d619371a785f5b1c6428c37 97f09c69101a78f69fad863da7197539ab2b6594084f98657226bdcb0830cdef c061e00d8f0300368e431cf964d57a6e623f42d888e32864076b65b76171b516 358af3fd58d5a8e85c90795ffb5bc5a974d5faff161253063f4576489ed5fc53 90526be3bdad7cc461e800ce9f9c83c5ac1c64ccaa955b14c2fcd7e893025968 902915e60435a0f8409d73e41fbb79404f56bb44800f1a62e09205e664a9a8ae 3ff77a17dd8cd9b07f9527f2c42d3fadbc3ef746e76e9f811c881a34c4b0920e 62f699cb302bb8881660a5c858869b80100a2cd58e64314ec72785a75a03c448 e6895f6820059809811003d4dd71aab1c201061377b8fd6d449303dc5d7d8052 ac4292c0d60861fb9848615bb964533b35a48f6a881340db136a84ed2d0aab07 70d96e00e91294b980b3cbea0be92f2300a527b35ca860d79a47b1f25f35b0c5 af6c54d9552b05678ee3ec5e1bd1bd341040e6b2b2f220b3373cfcc2c26b3da1 90775cd213e2e502729bfc3c04d19c08fb06f5230f173546fce737b2b1744d0d 2fa132aa46f8ac5daa8ab98d933bccc191ff66446b33a3cc18e9e4b49983552e e998afe8e2ea8c4311e3ce3b2730ee7f8c683761888d4b9b8b6eaf5c85ac7218 58092fda89eafecd33ae5f23f3e2a2b4eb6db6f554d39cf27ea9549628da78d8 7da3176f348a5cf79c4884cba63f1d792dde5734b7156c91e62833d2c2fb84e8 6354cdaeb8386a1d76fac38b0dbfd9db205a244a6c57e052ea604215e5e78922 ac573f63f15d4322732d5e18bfbd9161bf07d823002afc147030d358c172de5b 4800648954ba959fae92961858a9437aac2f17aa7f55c1a4156a75020d80960c 6d39d897be24c72bd59f163edf22f7a649c33a3bac3b85eaf048a68e12520ce8 0bdeb1afccdcc6997a1aa7a37b3602c24ef44ebbe1fede1ce9b8878138116f01 a09f9622a2a8f59f1d24f96a902124314adde7c1014e7a372ddf40d006126b95 aaf46444c080b042e15957b86f2629312a7bacaa9bd68243310493b5b2efded5 27fef7ebdd018cb284b768e1e640f3fc3160a5121073dee9cce939ec76c91c64 0cac9fe1bf3719f71117c41adb9f2bde2fd846ebf86608aa5c7079826627a8b5 d5f52028962f0916b3654665eae807bce9aa5495c2701f6c5a0de466ec8a2382 a54f287e649c41512d581a81f9b41eb774642ac875face5c54b019ba6b802bdc 
73ce11d88bf97bc6d18f15f65f12d73e878a89e492edfa53842cd66037a9d30a c052f8964c30d4fac0d831f72b57192db36ecc50eccc2c32c9d65dbdb4cd4246 79c6f60255099ed4356a476895ff4decb4314e7a051ff9e2604ae6c3f707dfc3 ea4a27a7702d67666e4ba4327a1e9bd688bf02e908374749d2ac0268f5f2b8e6 2f64dac0a2b0affa43f2b4d609d2fcc67b486c0989b4bd61766eee478b4668fc 707335d194c70b55cb53d28f24415059be3684187c7e566731db3d1e3011055e c906ef286a8c2db62fc2b2f509f56b17899f5fd62b978f1d82ae5a716803ae0b d283ba770f371a1fd5fb6fc75b43b7479588b38b7ee0769c1c483c126d2d92b0 c3bca149a276b989b7f4717d46ba09154bc3d7cfa669ccb9340ca682299bfddc e2a5ce5152494c46cf92c00e3a5a0d7143a1009e644b19f501288239af252529 2b39be0c9406d6ea3e5041442184341925365e7d22246698244c47490e15e4cd 51e6b5af37417185b9b082a84d7b92b1d0bafc90ca6c81b656d27fd607c51fcd 39b6c945fcdd2a6515a31c716ea4e12d37213523bdee3f004610f88447004ffb b462b40b89ae89e24b64e4361bcf61327d0da5055f5f6e958e99df1c3da7c51a 4262272daa3e4ee8afe3a12204ccf851dc8e48005bb19afc97ab34210be7e2cc 3e33e307438a45c8dd118060aa76f08f9f3596821621598cd1923a300d0f3c43 9e5f362ce718d1f6feab3e7b19f83eaa576e0fcd3a3e4c2c02e8c47050829ab5 b04f615745abffc2175a3eb321582e76af4162e00e99ce87a51f48a745464697 1d1bd97b4b78865980a7f7de6a864adfe570cc20bc5b9b1148e31aeee0cb6991 71d1325aaf4bf95ef4ef3dec9b55f4b71067a36fcecaf18534c09703bca39f9c 9b42e0ad64ef19741879e944ca6d2599636ea8668c7842d5f24a11afc036af6b 2e0b0c8b35a0018c9825dd2b6cb65a4bb7ce9c19f32fef74b66b78e18c512f35 f942d075bbc657798880ad7fd86707aaae3a5778451c246fbf10bedea3fe06cc 8e9a9461ffe7586852d9d25a14b990ecbd30d128a460f28f77aec4b81e7f9e6c eaf589fe6693c5ac4a6ab66fbabb7e21728330e8f47cffd5a82627e8d8a3eefa 48ed2ea6b50cb638923c0b5fd06ef0c7696d0f109e86ef98c8c7985f789431e5 ac8ad1efb3b74259a30434f4bb553adab086e4ce13165710c5726053eec07a8a 8ece74a64ecc5b07fcd0bb0cd6ae48d6a67b094e5a88b16bc627de0822493788 93076cb62cfe29d9a91ab918d8a05660b30593ec093551cf1aea283d0c0dd619 8cdc68ff6f7ac4b960535d6efe7b2ab5eb814fdd4aa0de08bfdc4d4eb1722e5f 
d3ba916a47597950f7f1cbdca7ecc4afe3126a5365f49c3f8acd283bfca66219 f12d0e729da16e6b98a00a3f7bc7e87acb6af00d3343f0d8c560c3645bc03267 e1c1409daeedf85ff7b663143269cea71d9bea07beefc60b0fb67a4f6bad3ce2 52cb917bd09c7465ebe0308dcb35be4c5c353493f343731d64e3b754cb93b155 52c7547c0091ada68eb08f00c1bdda841c6668672e089d6801038d3628170e08 76913d76a0020cfdad6e4b4334c0f8ee82b2597a09d4022dbbde4194b4a6c0e8 c6f8eecfffa294f9a7d9a1cf4fbb9f23fc31ce34e8371414a6cde681988e950d 5b6fd55cfcb350c2fea690fbe3137773d7c017996d57c6d9c6da5ce63da76272 b1ae104759ef393e646ced41530881e70dfbdb8df0dcf949b90b3e6ba4338683 631319466c4981e4b0ea4f0e7da47deb9f44ea172ec759e375198ec1edeeb6b7 8dcb2c662760f345aac80191fec06a768a45d068aba5bbf005dfab56649c8c3a 74493e08d1f2987519eef1af0b2cd75a1f76c9637e2c682367c94ff8c2741d1c 00ff43bb39964a2c08256b4f96fa42d92895ca303d1341ef5d17e543b4753089 55fd0e1b003f66fc33c0ddfab81446e1c7d097b417dce8271a1a0a939dcad82e c09eb982efc539be71e9c9e194c060a484c436aa964e29a888faaf5b0bdf5ca1 424af728e0e78d0ebbb9370808f47940508c34b3af95a0281227b91e3d1ce9f3 a7b453b9d6439cf902b68e24edd753b964a51d9efcd8a0c53522ed913887c5cc 80c3180e13ebcca47bb5af595c52997814ace74fea5f7d71a9df83cbbe3eb9b8 29878003c75c917134ac89651f39cd1ecd5dce4193de1b0fa219907fd3941962
Campaign Scope: Large-scale compromise of government systems leveraging AI for reconnaissance, exploitation, lateral movement, and data exfiltration
Malware/Tools: AI tools (e.g., GPT-4.1, Claude Code), custom scripts/APIs
Targeted Country: Mexico
Threat Actor: Unknown
Sector: Government, Administration
MITRE ATT&CK Techniques: T1190 (Exploit Public-Facing Application); T1059 (Command and Scripting Interpreter); T1078 (Valid Accounts); T1552 (Unsecured Credentials); T1021 (Remote Services); T1041 (Exfiltration Over C2 Channel)
Threat Severity: High
Recommendation: Implement MFA and strong access controls; enable continuous monitoring and anomaly detection; conduct user awareness training; update security policies for AI-driven threats; deploy DLP solutions
Campaign: Crypto pump-and-dump manipulation via bot farm
IoC: 195[.]123[.]240[.]41 198[.]44[.]140[.]78
Campaign Scope: Large-scale Twitter/X bot farm leveraging 100+ fake accounts, automated content, and proxy infrastructure to manipulate cryptocurrency market sentiment
Malware/Tools: FastAPI panel, BT-Panel, bot automation scripts, rotating proxies
Targeted Country: None identified
Threat Actor: Suspected Chinese-speaking operators
Sector: Finance
MITRE ATT&CK Techniques: T1585.001 (Establish Accounts – Social Media Accounts); T1090.003 (Proxy – Multi-hop Proxy)
Threat Severity: Medium
Recommendation: Monitor for coordinated social media activity and abnormal account growth; implement API traffic monitoring for anomalies; track and disrupt financial flows linked to manipulation schemes; educate users on risks of unsolicited crypto investment advice
Campaign: Fake AI software distribution (Fake Claude website)
IoC: d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143 8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc
Campaign Scope: Malicious campaign distributing trojanized installer via fake Claude website, deploying PlugX malware using DLL sideloading, VBScript dropper, and persistence via Startup folder while maintaining legitimate-looking functionality
Malware/Tools: PlugX malware, VBScript dropper, DLL sideloading via signed G DATA executable
Targeted Country: None identified
Threat Actor: Unknown
Sector: None identified
MITRE ATT&CK Techniques: T1204.002 (User Execution – Malicious File); T1574.002 (Hijack Execution Flow – DLL Side-Loading); T1547.001 (Boot or Logon Autostart Execution – Startup Folder); T1071.001 (Application Layer Protocol – Web Protocols)
Threat Severity: High
Recommendation: Download software only from official sources; avoid unofficial or modified versions; verify installer file names and paths for anomalies; monitor Startup folders for suspicious files; detect DLL sideloading and VBScript execution; monitor suspicious process execution from temp directories; perform full endpoint security scans
Campaign: Banking fraud campaign (ClickFix-based social engineering)
IoC: test1[.]amanur[.]com xpie348[.]online protocolovirtual[.]org 144[.]126[.]140[.]33 b68eefb10e2c304681532bc0c812c7905888e6b8e47448f1e4bc1edfe7ac193d hxxp://xpie348[.]online/instalador/update[.]xml hxxp://test1[.]amanur[.]com hxxp://protocolovirtual[.]org hxxp://xpie348[.]online/instalador/get_token[.]ps1 hxxp://144[.]126[.]140[.]33:3000/admin hxxp://144[.]126[.]140[.]33:3000/api/users hxxp://144[.]126[.]140[.]33:3000/openapi[.]json hxxp://144[.]126[.]140[.]33:5000
Campaign Scope: Large-scale banking fraud operation targeting financial institutions in Brazil using ClickFix social engineering, PowerShell payload execution, and malicious Chrome extension deployment via enterprise policy abuse
Malware/Tools: PowerShell payload, malicious Chrome extension (browser session stealer), C2 web panel infrastructure
Targeted Country: Brazil
Threat Actor: Unknown
Sector: Finance, Banking
MITRE ATT&CK Techniques: T1204.001 (User Execution – Malicious Link); T1059.001 (PowerShell); T1176 (Browser Extensions); T1185 (Browser Session Hijacking); T1539 (Steal Web Session Cookie); T1056.001 (Keylogging); T1113 (Screen Capture); T1071.001 (Web Protocols)
Threat Severity: High
Recommendation: Block malicious domains and IPs across perimeter; prevent unauthorized PowerShell execution; restrict Chrome extension installations via policy; remove malicious browser extensions and revoke cloud enrollment; monitor for session hijacking and abnormal browser activity; reset affected user credentials and investigate persistence mechanisms

Apr 10, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: MaaS-enabled APT Campaign (ChainShell)
IoC: 23[.]94[.]145[.]120 157[.]20[.]182[.]49 172[.]86[.]123[.]222 ttrdomennew[.]com serialmenot[.]com sharecodepro[.]com mazafakaerindahouse[.]info
Campaign Scope: Global (targeted intrusion operations)
Malware/Tools: ChainShell
Targeted Country: None
Threat Actor: MuddyWater
Sector: None
MITRE ATT&CK Techniques: T1598: Phishing; T1105: Ingress Tool Transfer; T1078: Valid Accounts; T1059: Command and Scripting Interpreter
Threat Severity: High
Recommendation: Monitor IoCs linked to MuddyWater and ChainShell; implement network segmentation; enforce EDR monitoring; apply timely patching; conduct phishing awareness training

Campaign: Remote Access Trojan Campaign
“147[.]45[.]178[.]61 799b29f409578c79639c37ea4c676475fd88f55251af28eb49f8199b904a51f3 95[.]216[.]51[.]236 yu7sbzk2tgm4vv56qgvsq44wnwgct6sven4akbb2n3onp46f42fcstid[.]onion a57683ae49dd24256dab0dd21ca83c4a08892fda92e83206447380a2b6c80221 0e9c8e5ce94641e0b07607647a55c162adb18048f9c1e1e3dbe859cd08b2a797 77eea991e5c11da46e10c208fb8920a08a9bbdd8ffd72d0d6548fd8e45aa4647 52862b538459c8faaf89cf2b5d79c2f0030f79f80a68f93d65ec91f046f05be6 da65c30f4dee13d3c85c6a31386018d101d635e28eeb65ac73699787fecc20e0 abd003ab1172cda83731dbe76d20a43c35a452d683d628a4e59eac8aadc68ffa ca3bd6f8f4c8170c60896493b0bbfc4629bf94a3d0c5bd3f32397e869e98fb3d b59ac3088a58ebafdcdf00a5597c0de156de667d498bb8eccdaad5c8ba380e99 2b0d8c8e86dd372b44b99f8be4e4a7cbbfe5ce78bc10b714fc0735c15b7ddb32 3511e2bb89f64555acdef3b486717fd517f500c8c630e02e9c6fa0ac5bed8950 a1ac7046e99181fe46edd62c00ca53602e7cd4430365307d0b3a47ddd1e9e670 2d2073ee0404dba0de7e248dc50f60258ca85e493be9021657e325a9bbd7cb01 f04b0c3a53e3af7699c30ab9adb4d60a71a7da6945cf0ae287a9f67675433a67 d122d6c2ccc69594bbfbca82315aa0803b3b93972a6ab83699797812b35d9679 f431ff7bc59df48c137ef63839a5a2af520e0d3b28429468398e3b291f30d1e6 3455ec49b8dc3743398a20c271194682eba40a67ee3b10549d3e6f837f7499ca 64adf1715483f63fc47283393f89857f0545a45d9e7382417189b5084d19c37b f74d052337110c6282f4d9738263b89056d0c89d131b329d5d4e3189b67206ae 0a60ccf29f89019b1eebbbb8ad9bf0302dba399a26a62449078dda919bbd247b c4a5223bcf57b32e036c33c4d0e41aa44ff3eb4632c2fb4ed9c9bd593a04c3ee 17fb97a117cb684c82d522e65c0958c4c1267401317cda53c77035189546ebba f81e14ac7309019208529599a848c2287789f0ccbcd2f7609e9f239f52376763 66a155f6672fbbb041cb754c143db91b30084f98e9102c280ba95ffda156123b 8c812fa14a4c5ac63dd1dce47232b45bea95f93dcc5cac40bb12fa6f1961e1bc 5168eae0ee183575b9a2d2c0c21a23400125502fb78f41b20db27a0bea58324d 3763b9e6eeb9a18875c45ba7d1a4f9fbfd6e80d1aea434e88ad99ee5b1bbd790 a2d703265d61b78837e86527aa2e31994a934c72b6c073db0c4d9c0c59a4e401 b3f21d0843fa7106b466c590c97b1b8b201a79ae82ed46b46d2422dd252d7836 
84c2f3b13f5251cf87d1a2c95ac7ca111238f61d56358b2c4228c84ef9ed1ae7 da65c30f4dee13d3c85c6a31386018d101d635e28eeb65ac73699787fecc20e0 ac97a49e17bf2a315205a30cf39a68c264b1dc4395b88e3997ec506c778159b0 5c37b35929dac5c640d1d14e6dc74009c5072536d7fbe0c58822bf2387a8a22d ca3bd6f8f4c8170c60896493b0bbfc4629bf94a3d0c5bd3f32397e869e98fb3d aab1f1bdba7083a25d7c841cd2dc3588cc0f3e28e29260bea5c2fd5b033697fb af7a76820a42c4cadfc7ff5fd372c99e9c5fd96ee9d14e07bde0902fec1881ab 8b28c0568baa7da10200a012a70ff735ccec557678a40d1b3fb16f5c0a31f6b7 d32455fc430ffc13e8a89db9198f17184fd27001fc11a7e9531d6055932853db 9eeef204645391b9c9e3d5b54f3541b8e52440d2a288873749398741182ce7de b7d64d6a9c641855f400949c8c000e1b53b9355fbe3663e41f01e4b80f8eab60 58460f8009df7ca5d2a9b2e9346d940388472cd4cd808ac6c797942824bde299”
Campaign Scope: Global (financial sector targeting)
Malware/Tools: STX RAT
Targeted Country: None
Threat Actor: Unknown
Sector: Finance
MITRE ATT&CK Techniques: T1059: Command and Scripting Interpreter; T1059.005: PowerShell; T1055: Process Injection; T1105: Ingress Tool Transfer; T1027: Obfuscated Files; T1497: Sandbox Evasion; T1555: Credentials from Password Stores; T1112: Modify Registry; T1071.001: Web Protocols; T1573: Encrypted Channel; T1564: Hide Artifacts; T1219: Remote Access Software
Threat Severity: Critical
Recommendation: Block script execution (.js/.vbs/.hta/.wsf); restrict PowerShell; deploy EDR; monitor C2 traffic including Tor; enforce MFA; restrict privileges; enable logging and registry monitoring

Campaign: Phishing Campaign (FakeMeeting / ClickFix)
IoC: googlomeeting[.]com googlomeetings[.]com googlemeet-meetings[.]us googlemeetmenow[.]us googlemeetinterview[.]help google-meetingsnow[.]click googlemeeting[.]click ggooggllemeetmeetingggn[.]com ggoooglemeettinggninvit[.]click googgleemeetinginterviiew[.]live goggllemmeettiingnc[.]com 9goooglemeetts[.]live cloud04meet[.]com fritchat[.]xyz meeting-live[.]site qkltt28zm3bxw[.]live sec3viewing[.]live zoom-meetingnow[.]us hxxps://googlomeeting[.]com/meeting/invite[.]php hxxps://fritchat[.]xyz/googlemeet/invite[.]php hxxps://fritchat[.]xyz/googlemeet/microsoft-store[.]php hxxps://googlemeet-meetings[.]us/update/GoogleMeetInstaller[.]zip hxxps://sec3viewing[.]live/install-guide[.]php hxxps://sec3viewing[.]live/microsoft-store[.]php johnseamus89@gmail[.]com
Campaign Scope: Global
Malware/Tools: Teramind RAT
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1566.002: Phishing Link; T1204.002: User Execution; T1036: Masquerading; T1105: Ingress Tool Transfer; T1071.001: Web Protocols
Threat Severity: High
Recommendation: Enable email filtering; conduct user awareness training; monitor network traffic; enforce MFA; leverage threat intelligence feeds

Campaign: Trojanized Software Supply Chain (Proxifier)
IoC: hxxps://pastebin[.]com/raw/FmpsDAtQ hxxps://snippet[.]host/aaxniv/raw hxxps://chiaselinks[.]com/raw/nkkywvmhux hxxps://rlim[.]com/55Dfq32kaR/raw hxxps://paste[.]kealper[.]com/raw/k3K5aPJQ hxxps://git[.]parat[.]swiss/rogers7/dev-api/raw/master/cpzn hxxps://pinhole[.]rootcode[.]ru/rogers7/dev-api/raw/master/cpzn 34a0f70ab100c47caaba7a5c85448e3d 7528bf597fd7764fcb7ec06512e073e0
Campaign Scope: Global (crypto users)
Malware/Tools: ClipBanker
Targeted Country: India, Vietnam
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1204.002: User Execution; T1059.001: PowerShell; T1055: Process Injection; T1053.005: Scheduled Task; T1112: Registry Modification; T1105: Ingress Tool Transfer; T1027: Obfuscation; T1115: Clipboard Data
Threat Severity: High
Recommendation: Block unofficial software sources; enforce application control; monitor clipboard activity; deploy EDR; restrict PowerShell; monitor C2 traffic; maintain updated OS and software

Campaign: Supply Chain Attack (WordPress/Joomla Plugin)
IoC: wpjs1[.]com kiziltxt2@gmail[.]com
Campaign Scope: Global (CMS websites)
Malware/Tools: Smart Slider 3 Pro backdoored version
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: None
Threat Severity: High
Recommendation: Update Smart Slider 3 Pro to the latest clean version or roll back to a known safe version; enable file integrity monitoring; deploy WAF; restrict admin access; regularly scan for malware and vulnerabilities

Campaign: WordPress Supply Chain / TDS Attack (ErrTraffic)
“microloh[.]bond mygoodblog[.]bond mygoodblog[.]cfd cloudflare-check[.]cfd microblogver[.]bond productionmaza[.]sbs productionmaza[.]bond productionmaza[.]cyou productionmaza[.]cfd myverifhouse[.]sbs sitepromclop[.]click d14066075079d3bed64a548bca1dfc50944eed99c8d0d14e737c2ff0e24b402a 90252f369724fc90be3e55f5c1fdf6e39c0693c0061af8c3cf69b77d4f8ac2a7 bc83a4e4b8d579cfca1258d52c1023958bf1f49052544fb25140ffbcfa0781c1 webanalytics-cdn[.]sbs b5335e7e28f8c8533ad1c199151a3a37aaba56a79cd343945c1c9eeb13fcfeab 5b15dde0557c4c53c7d827c56992304514b4371cebd391741445415866e4b413 webanalytics-cdn[.]cyou webanalytics-cdn[.]icu webanalytics-cdn[.]cfd suspendvector[.]in[.]net dysenteryphysics[.]in[.]net skyhub[.]digital 2be8ce644fd8e4d3da7f63c190ffb4e312801fb1da2fd8711bOdab20f37f0e26”
Campaign Scope: Global (WordPress sites)
Malware/Tools: ErrTraffic PHP Backdoor / ClickFix TDS
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: None
Threat Severity: High
Recommendation: Deploy WAF and IDS/IPS; scan and harden WordPress installs; enforce MFA for admins; monitor redirects and traffic anomalies; remove malicious MU-plugins; maintain continuous patching and security plugin usage

Campaign: Phishing Campaign (Fake Windows Update / Infostealer)
IoC: 13c97012b0df84e6491c1d8c4c5dc85f35ab110d067c05ea503a75488d63be60 c94de13f548ce39911a1c55a5e0f43cddd681deb5a5a9c4de8a0dfe5b082f650 microsoft-update[.]support datawebsync-lvmv[.]onrender[.]com sync-service[.]system-telemetry[.]workers[.]dev
Campaign Scope: Global (French-speaking users)
Malware/Tools: Python-based Infostealer (Electron + VBS + Python 3.10 chain)
Targeted Country: France
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: None
Threat Severity: High
Recommendation: Avoid downloading updates from unsolicited sources; verify software authenticity; enforce MFA; deploy anti-malware; restrict application execution; monitor network traffic; educate users on phishing; keep systems patched

Campaign: AiTM Phishing Campaign (Payroll Pirate / Microsoft 365 impersonation)
IoC: bluegraintours.com
Campaign Scope: Global (Canada-focused users)
Malware/Tools: AiTM phishing infrastructure (Microsoft 365 fake sign-in, OAuth/session token theft)
Targeted Country: Canada
Threat Actor: Storm-2755
Sector: Finance
MITRE ATT&CK Techniques: T1566: Phishing; T1557: Adversary-in-the-Middle; T1539: Steal Web Session Cookie; T1078: Valid Accounts; T1114: Email Collection
Threat Severity: High
Recommendation: Implement phishing-resistant MFA; enforce Conditional Access policies; block legacy authentication; monitor anomalous user-agents (e.g., Axios); enable CAE; detect suspicious inbox rules; secure payroll/HR systems; conduct phishing simulations

Campaign: Ransomware Campaign (Pay2Key re-emergence / Geopolitical targeting)
1c70d4280835f18654422cec1b209eec856f90344b8f02afca82716555346a55, 27a46c36224bb23d5efd9de51a0545fa634d0661ae7dbfa17ae4fecaa53d2585, 30f166d91cec5a2858d93c77fe1599c8fce9938706d8ce99030faaeaf3a18b06, 3ac68f46c3dcb95d942c4022dc136208fae8daa594c82743d29ef6a178f9c57a, 4aaed616518f6680b37464e6cde4edc98fb1b2033540eb938b9288162a52a322, 4ba297022edd35683783d291ac7c32e087db5a6fc72e7256c2f158cd009191da, 68a95a0a5d0868eb3868426287feb38450a690aca60169828d7bc00166e4f014, a8bfa1389c49836264cfa31fc4410b88897a78d9c2152729d28eca8c12171b9e, e09912faa93808ca7de4cb858102d7647a0a6feb43dbcef7f9dd0b1948902f54, e245db1b683a111fd2315eb29e68f77e3efa8c335862ce44e225a7fceaf4ce5a, 243797257450ffce3137de7b542547083c4e040c, 9b5fbf95622bb90cb35e06479f9405290a4d2361, d154bd39ca3069491b6e31e54cf95e4dd2db27ab, d2500ea6564c1b297d8d3f724a7f925fc2d58194
Campaign Scope: Targeted (United States, Israel)
Malware/Tools: Pay2Key Ransomware + Mimikatz, LaZagne, ExtPassword
Targeted Country: United States, Israel
Threat Actor: Pay2Key
Sector: Health
MITRE ATT&CK Techniques: T1078: Valid Accounts; T1133: External Remote Services; T1003: Credential Dumping; T1018: Remote Discovery; T1562.001: Defense Evasion; T1490: Inhibit Recovery; T1486: Data Encryption; T1070.001: Log Clearing
Threat Severity: Critical
Recommendation: Enforce MFA on admin accounts; restrict remote access tools; apply least privilege; monitor lateral movement; segment networks; maintain offline immutable backups; enable EDR; monitor ransomware behavior and backup deletion attempts; restrict PowerShell execution


Apr 09, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Claude Code lure malware distribution campaign
“52e83c718ca96a12b98c5b31af177204145837f4208b0ee0c8e9c2b454795a64 7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a 17145a933525ca8a6f29a818cf0fd94c37f20836090791bec349ae6e705670d4 80920e8843ead75c58d56f55d351dbff01ccf9f28090e401479f21d651190b41 f96d80f7702cb1d5a340ab774e759e3357790c131cfac14a018716813dbc54dd b73bd2e4cb16e9036aa7125587c5b3289e17e62f8831de1f9709896797435b82 44d40a9e59f08252a22939f76c92362c15a1ffab0dd3a4e3414bf4a5adc5d7c4 96db6133e7ca04264ffdf18928c394376323c283a82e8106feec2ac28ee21eeb 18467faa4fa10ea30fef2012fbd2c36f31407d0466b4e880dd1b6e1e37c9aff6 789835888a76eca8cc9e8625004607be99a90ec9f7a4db06c568a69ccb76bd60 36c4bb55b7e4c072e0cbc344d85b3530aca8f0237cc4669aecdd4dd8f67ab43a 30be8190db0627a363927be8b8c8f38f31891fb8958b3691944b69533f6770b3 537243230e14fb0f82bee8f51cac2e1d7ae955bb497c78b109972df51690edcf 0b6ed577b993fd81e14f9abbef710e881629b8521580f3a127b2184685af7e05 518ff5fbfa4296abf38dfc342107f70e1491a7460978da6315a75175fb70e2b3 0f69513905b9aeca9ad2659ae16f4363ac03a359abeac9ac05cab70a50f17b65 87133e737b2892cebee006068b341012e2c07db1526c08d0a13d0e0cf11d25d1 249058ce8dc6e74cff9fb84d4d32c82e371265b40d02bb70b7955dceea008139 cce96b39831ce36b9fd1262a7cf4024218dbb3e2c7f1829c261cf79e5c9b50a8 8090c3ecad7e4559ead21be02c564d20329e21fe3f449bcd9dbd8734f041aebd 385d00d5dcefa918858e1d2d6623e7d1155f972b694f48944f98fcceb2624211 2a4a8f58ad259bde54e9d37cc4a86563797c99a5dc31a0ae39a92f7807b846b9 0a6b9410fd80f731699de51ecc4819555ef5051cf4cdf794d479deec08129873 f03e38e1c39ac52179e43107cf7511b9407edf83c008562250f5f340523b4b51 40fc240febf2441d58a7e2554e4590e172bfefd289a5d9fa6781de38e266b378 d5dffba463beae207aee339f88a18cfcd2ea2cd3e36e98d27297d819a1809846 a22ddb3083b62dae7f2c8e1e86548fc71b63b7652b556e50704b5c8908740ed5 e13d9304f7ebdab13f6cb6fae3dff3a007c87fed59b0e06ebad3ecfebf18b9fd b4554c85f50c56d550d6c572a864deb0442404ddefe05ff27facb3cbfb90b4d6 3d85ed30ec30155a8812ddf0fa9a57fc8e239215c6f30c989a28018548827e41 
623c2e578d3323a07268dafa6d2da21abb1356fa6e28acb6bbeca28420ffd392 5a4033aa864e8c6e3cf8c973b426aff8128a3397feb65fc5de4e3a9fb41ebb6e c3eede99459a16ca90f7cc62cdae861967413dc1cb5d6393e86f146beaef734f fd67063ffb0bcde44dca5fea09cc0913150161d7cb13cffc2a001a0894f12690 923f9794f6e1539a1f46babb10675063b00dced03f6502b8000c90f11e1620ac bbdfa2ddefb09f82e5c69f48d274228ef77ad84f61ae78b500ba71d525afaaff 62c3d4f915d6ad5a01931e11af9ebdd95ca81477eaa57d4e3fcb45662f606008 c1507974fc395aad7e9c5fdd09787f3a892d900d7dceaf530c2d4f9b3450f2df 8b874a8526dbcb34091bfd5465f1445ae3c197119f9b531dcaf41817b42c2b92 b17dcbf03d2e8900b5f2c0c2cb87964a503d348d742e4d8758d515d37ccd4eda e747aff851ff6a22ad6e89babc6546b9a5e3fbf427624fb2d5df3052f5e01bae 5024896b56a330f58408df1b403ddaf82532f4a93bd8d7596aa135d489e55309 76634b6da10e3a2208fb892b4b3e0997647429d0c535f3f1b5efd92c95f706bd 517a61670a01418a3cc1210cab0e7d16801d2dbd31084f1a55a9d7829de028f8 6abeeadef5fbed1bc90690029973dc9302a5a809594f468fe3905c61ad0c4cb2 2bb52f410261e4e710f25f8a891ae9f50692d83f99b000da4bb08b5e238ed995 cd66ea6beacf831741c4bbdc34b73ca2b6bda318c0037f2075aaaa71505bff3a df91075f0544dc68ac67efcac55ccc59f818c9c404f8baf1fa5b1dfb840b7189 2e93982a0591ffc5cf5d44a509c70593ac4d8ce0f09ec5c5777b265b5adc6e15 a73f9f5c1a25b9308c2f4771f3b83342137d56dfe846fc5c9b51b462e9c4fdc4 8ad9a81150a2554a028bf7b291adaa347c7b512a151f00984229dfb124c4a73a 8dae77a6107f0c2523fc0b348855ae59f92543582921eedd841182641cfac63a 7e0faef3a44beda4d281dea185647393b0bd1be9d64be2d27be57193e3e48ec4 130b3ca8f09bdb8275702b589b2c83e37865ddbd976509f289096a1ff8f8ac60 fc68b5f82116711d864ccf82710ff772a53a5666a519584d3b61af63feff43a5 13fd41551e7913c2fd9c111705ed566f106cba12d7d63fc7374aa5f0199626c0 7ab14d43b40c96f4e5d0f09aa982a5fb9f703315804b634f972f37591fc82b31 d82c1f704e91f7fa66e3abc97a7ba67b8b4ad1d321260d3cbfa16427d537f7d0 0d48454eb8c4c12b61ec75d6dadb9e7e680337e4635e30dd810dd79da66d1ff6 dd36c854da1ce3cd218a217d54af91b944be5cf4c05f9772c8828f15ed682716 
d3c4359892798c67b4ad7d694d9c787eb24b2237972c2f7ca88bffc19522504d d9b5acb8f429093166448437236a58c409b81565c8da0bd4556ade71bc508cbd 8acfc35ce2d1e0ae44a9a322eccb42f82e8ffa0152ac19695442dca800367844 53cca55872e96ccf0b623c0c235b9431e53aafcb8f4a0d35f8c53bc22069328f a779b50e608e90b5c81495ed16089dfff7455319d3df71345659442f45ed390c 2fc550769875f9f368f9e9a91f53945d9a9fd6c35eb48e3990902dd994e74bb3 6635a51c7ec5e0caf9331c2c83bfc8b2096a4bb7234eb946cc4f5119b30d5b34 e5885fbeb2f34906230c584c1ebbc7fb9cc44eb130b5b86f604557ec7a644417 fdbc1df49ed7db75ff6b597d533bb307bcf78adcea48798eddc836116857477b ae951519179b5f3e44b17d098a583c8562c7b2d638756aba5f178e0e22526117 47f7d06750f2e3119a6d5797dbc2aaa6005d49c73d89cdb7d1df4764ac368b78 753b303973168c299f18023a946dd0771efddebc484f4c0f91cf0351ec5d23dd dba75edd71698a6b223d7ff6eed0a8bdd1324dc26e0383f25e576cecdc662f59 2d499700e1319d9203e322cb1e8a8cfec4aa997f86d1fcf76156cfaa0a72054c 81430ab4717bfcdb07219f6a7669f836302467fa9f648a873db551713c59ed20 0c9d2af6352826aa2381f5c4912f9b3fb421246ddfa457a4568f72eda5f4294d a3a9b4b7b501210bdadc7db6dec6b596abfcd57e824ee09bb4c1ce5160ce0695 9fc2d2a42b6a06a018c8d503e7830964caefbad1fc57ce6db18530a9849249fb 4c60fced6025136e8bf448c294999837da5eb42005ecb2faa1d66c3518fd2b51 e6b639ba11eb665d2351789f1965e2faa19af9cbec6c9b54f14061df49055871 8539f83c96a0aee219a8277444a3a50c1137772aea2db845447e33009b36d88f 46a9b249a70d194437c8f2d655003fe582aa4c108861448b34b6f9fdb8a80614 d71b41928d37a1e1b8ae65878a99b37e590ad2a6274696cdbe9f8219b80ac4c0 b3953cde0e9990ba2ba72c21a5d524a88e2f88fd4b9168bd47b301cf38683f23 b5ace0a4ab7869372841875d9f592422c2f70f106fef3d2f594c4a686e3cfc7a 0b12a1e35c4d8464ba592c140726330cded2375cc975cd536e439edefdf9727b 984e415b8002eab2bc3a75f8f5fa6c1107f547a6644ead3703cecf7426a19c70 b3bd9f32d03f233304e1789495503f4a813bf8b91c806c77796d488ff56eb3fa eb5d04a14e0bbf650f8be0370436ec4765272cd02dac634c9ccc23a36eb3a372 13c1b45a3724375d519909b32e08cc3e016d1c3ed9d48f649cdbee44e90e2089 
06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf afa34c71a45f21d599c0bd90ac9026f68727aab0019c3b378956401475180c9c a91db63f47be1a86e7b67eb9245ec673bd916c136614d1bbe3ad224fd2e56e81 a181785b9f4e5b7186bf70aa23c8cabd5cc853d023c9a16225de882a7a1a737d a803e68ba6c00cd435d2f8c13087d778552f13ebc3354dc91b4638efdf1d03b0 839ec43959d298599c05bb20003487a76ceefed9fb0bdfae780f14009d5cd47d 802355ad0d78f9a33ac7cee8f3b2bd09a0c0258bddfab502ed284e4a1b0b97ea bebfe4ad683680d4fc433fa8d418e9bbd8e5c3468e5c4a6827a7eaab81f19a5f c9486f3249f9fd37073142bea47debb9aa11a4de5cfeb12078a59749a5a12407 4c1577d5fb6e36ad863ac0168a82bb40db707d5427a16bc5510ce7d8f17a54b0 81abcdbad6597af9edd4c1b5de6af94f288609a4238033e8c7d703ca4fe5118e 6c446cd445e76874c2606b5cb355e033a61514f8ea0fe94f0c0c31ee702ea8f2 905f5697b42d00081c7f564631506f891fea3babc639655df9a3979c983abe00 8595715812ca39aefe2eba284aee8036463c35b594e528f9372386c1db7ad813 54d69b135e557bebf9bb6c837544d057194d53b695aa9c73013196501894df3b 879430b25ffdc2ff52e083bace983e6915c2c74e0825c6e52d2c7436ab8d64a9 9644f44d3f7d25bc91c74d52c76ef48e2a74e5e0c07d78892f708266129e7dcc 1fe8a6df98ac1984daaba257504ba00b2932021ba264a49ff70e797d1a8b83e6 4adb51eb159b99cba7dc3749325348836827f43cedc45672df16c408d864f28c 192f893bad1b188f6a95b59ce92170dd037bf8a0b9b271557f8add0bea09b1e4 7b072c13bae667ee4a077b48e3572468672b8593fb9b7adcf93230daf2c69e87 9b8ce5fb1572d76340886e04d0e8d3318ef01ffe55d6efa5e8fb5c4ae4980b3c 03a0a9948a220b635ba3dbf71e64a5dfcc0a4a4efcce76ff9f3d664faef68a3e bef345a58bead10b9b556a64788a4ee948e86403af142223659f7add09ec6779 e29ad19eb8558def511aeb450287b80bbf92a2ff5d92401df200863ce25631db aa5823a9338dddc56ed8512605e5c25b2b1c030f8fcc27594604e3c3611412c5 96384813d1fa06eb4cf98b0ae4c91817d540014dc7b2be645c6c43acec0f8e53 80d6b8d37d86543ff72614f63a6dab5828e4dd54a1af5836c157bde764f5a865 65953a2916844c386fea0b3399618e1b1d5ee8d0cc7d5a1de0ac7e35ea02b90d 92ea932a9fde49bffe94442c956df51d5e24b790dce0987413dcfd2bd6533006 
4183fa32ceee134369924cf1124e7db0fda8d748511b6d3b327ae35e990f54e9 b285d84ac95b277fd9518a25793536f17a053f18ec4bf4b7bd0143c0eec6c1b4 41da828ea46eb6623a39a7fa8ac737fd2b4c3266b1dca1665c9ba4cd311f3948 889d24c726ea28e38e8c5428ad24d58270e775bc3c32385f97396f490a8b3335 b0f6fd80a4005e8109a606c9064771d9c6287136c7a09e7f98e456b6eae85f1b 8d4415559f51d63b11f3fb562c9b4ad6cbd728481d0127662d0dd9a5f85ca24d bcdc3100e9792c5f928523d0851c5b5c211d66d667a00060891dc44651bcf69b 9f09c239f9f5b89e985e88a5fbe6ebebcc5567a8d9cecca439a2f9f44aa50fd7 4301e099d379d4d8b1e10e851f22fcdce41aad0d7f1712293b03359c4a6242db 9a4abc6a44e4cfaef36af81ae674d57331a13ac909d3dbcde37cd60eb12e8bd2 7c393cbd41af3f9ad788ca26ccbb17ff286916b62dca9a6c23a0f34b3820f3b1 b8c78d6cbcdba2db20e87e5751184ec183d2cb976c532daddb1abd574ed34c7c b41b85a062b69f077879ee38bce1fd69c4ddac217c86f60f816ccba1279cace9 fbc483ac9098751faf2c5627804283dffce8ec05bf97652aca00a4ed6c1c2427 b3668936adf5134b8329e1ae06f45b55ff5253fd45a6e7ae35662b6179a6c6c9 c904775ad1df8c593f504d7760a7af022ec4da8dba726e81e691013c55a1e01d c8d38a6665940916fb2dba67a22689623e728ab012184fadc34b34bf012040a1 d9c92a9af18e125993963d88b6a9dd9524b03369b09bc9e26f8d7ae1fdf2343f 014c7f79e92406ba2a3d57c5d76b1b79844c4ec66504ced8376a9ba21dbadcae b6eb8d7724fdf1233c8c2ebae72b25d58191e0239566c942f244e41ac3c61e77 dcbc56179bad314654eea69b7700f108f16c338502d48fa2e78ccd946eb1c21e 8abb3b803c254255642bb0d1cee169e739f977bf93d14f565a4e070755d451f6 8300ecd19c11ca23ed4b6cc16185d1093098d7784ede3db05c94bfeeaa2cf712 110bd392d2522a5e44ca9b38bd123a0b808da47e11341f9ecce165690f464ffd 75e25f11a5490aa3223c366ab0b4a0d8eff05aa725420c6b4fb02e444b62d4bc 8c916aa01d6644a1e909bf28e0aa87571d47e4a25a46b3f331e7ac951e5f8ac0 795156987ee21dffc5ff9d3f6bdc3ae97636e5a4e9833ae06284be2a05d4f8f6 063069d839487e61f468d659fe7c1ca9c99aa596d12a36889738844da88ac9b4 6be243d8d40854b038ef82a46b8b5aa89b2cb9e02e5c471a8a85fd96f131b794 b3e9fe7c0c85fa3ba19ad484ea201b7045c8d9016ac76c37ca3902c368b73ff6 
e4a990e858271178d1f16e17b827ceddadb677a873e69a203a89298e13e0aeca 557887b1b153b5a2f6255340315eb5e44ecb6028eb3cc328d7f2cb179cce8d8f 98e9d3d48732c08bdae41cb73da04e9ebdbf648f43b87c2d06378f4ec96c1f90 dcd1c591016c6e56f3185abeba50b56a3425aac89fba0beec6ee86e2dc704dbb 82e5fe24d9572a73baf344371813d903ce6047ff74706f1868a05690d7c59803 e21f6f9a36cf764f1cda851b90b74d455307c12b58af0d20dc0a0fdfaae16145 b82f2a80018aa567f29be96cadb9d42465edb279ba1dc9f1b63f8350bbcf2739 5fae328ead381b5e6903e6655d6c0c9cfab75c017d1aaf457e0f45a5ddb8b28e 66ba90526e257d507dd235e7b0664035cdeea530adc7e90c4ef2319e9ba1b48e 8c11a761cd1766c4f9ec8a27a514627bcbae07be278a29d50784692f83694017 324c4dc689907e117ea3be41c651b480ac7c81c4870c4154b1403be5ff3ecc37 ee42c4591a16a6c1f5b96494e585037bc1e4b21d3484103805716738cd1b85ef d9bd6b9ce6cacaa51367cc1b882b87d345ae3210291bbc463218f159ae13a5ee bd13b3d7b061026ba43156d5afee5fabc875aef2103e88af04414e79b952bfe2 0f1a302c81bf7eac45ef0b6f808628ff0df07a002b9a6360056a0a7c0ed393f8 7dc4090b8b1efc4cfd2ee281122329f4585def443aa32013213d9981034660dc 33b5c9371ea6a2dcb9416836d2bc8d1200473ff8763fbe8580c56dfd8a2b71e0 46c6f9ee0ea20a3be34a52f82ec38569bb1ed0b9204e4872444326c96110540c 4d6ab5bc3e29fdf84efccaa43a787eab4b13343fc685fccfa7e1ca70d877b2fd 6c44b5ff2d402fb3d15d5c3916fa9029ddc3cb29f7f143b4b4bf15b9f3ef3da5 4ac245d09844befa4e69f274216c26fa53a30fea5785941cbe5d5204ab516f52 2ae7585898faa546f46a4e05b9e4436f93c1603d7fbe5c20c6f7d7be5f240ac9 3c28fdcd29cedcc6e393991e477f7f0a9abe58b052dc73295df88cdfb8b4ccfc df01ec79aab4b851cc5f4144a36396d639db776fb3491c243e1ea1f92a6bd79a bd3ff737405986ed62f826cba1935fe49c164ee2e8a9a41ffa434126468fe94b 2910882bfcedc7dc610699a1718fe0dbe624b43700603ded52ba5d6750b86d42 00ec51f61161cf00e9e8e617234f8e170a92f0f2159fda61201f40ec4d45d186 c4452f7ccc0a2f5abebdd6d735fcb8faa0cec00eda76e903e4bcd9e4fb021d11 3787096d9b571e041013088804d79cf24b3fc8c2d6a1f4b45072bedd14c140b7 ebcecbcec3f1ad8c81877b93aa864038ff448a419d47b2db9ec218202b9731ec 
409a8da9a1bb01e5d119e70aa6af7cfb041435f4ee821331ddaee51126415888 68d61f1728b7dfbbf796e2a4bb2b02191b5f2f2ad162e9b6f71734aa0d7d2936 3ff7e18f8e34e0563e392dbad3dbc1f19a7b0156997dc2df6ed2615baf0539fe 65b9761fb1c894fd867b81c663cb041235faadab06739c3a7abae38a0eefc1be 25ae81f20fca96991cdeac986c21a601a738c6950b77d03e6d6199e77f76f573 fa03dd9e3f355b283c638544e5b606371eaffc323cf23818632ea9ee30a3bb5a f3bb5494a29087d1802f3d97832772040238613c3d4c691af8f702dce7bac3a3 hxxps://rti[.]cargomanbd[.]com hxxps://steamcommunity[.]com/profiles/76561198721263282 hxxps://telegram[.]me/g1n3sss serverconect[.]cc steamhostserver[.]cc hxxps://snippet[.]host/ hxxps://telegram[.]me/dikkh0k hxxps://steamcommunity[.]com/profiles/76561198742377525 hxxps://socifiapp[.]com/api/reports/upload hxxps://snippet[.]host/efguhk/raw 45[.]55[.]35[.]48 147[.]45[.]197[.]92:443 94[.]228[.]161[.]88:443 185[.]196[.]9[.]98 121[.]127[.]33[.]212 144[.]31[.]123[.]157 144[.]31[.]139[.]201 144[.]31[.]139[.]203 144[.]31[.]204[.]136 144[.]31[.]204[.]145 147[.]45[.]197[.]92 172[.]245[.]112[.]202 193[.]143[.]1[.]155 193[.]143[.]1[.]160 193[.]23[.]211[.]29 194[.]28[.]225[.]230 206[.]245[.]157[.]177 64[.]188[.]70[.]194 77[.]239[.]120[.]249 77[.]239[.]121[.]3 84[.]201[.]4[.]120 87[.]251[.]87[.]137 93[.]185[.]159[.]90 94[.]228[.]161[.]88 hxxps://github[.]com/leaked-claude-code/leaked-claude-code hxxps://github[.]com/my3jie/leaked-claude-code hxxps://github[.]com/idbzoomh1”
Campaign Scope: Global (opportunistic via social engineering)
Malware/Tools: Vidar, GhostSocks, PureLog Stealer
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1204.002: User Execution – Malicious File; T1105: Ingress Tool Transfer; T1041: Exfiltration Over C2 Channel
Threat Severity: High
Recommendation: Review dependencies for suspicious packages; implement dependency scanning tools; enforce strict version control; secure the software supply chain; educate developers on supply chain risks

Campaign: Credential Harvesting Campaign (FrostArmada)
IoC: 79[.]141[.]173[.]211 185[.]237[.]166[.]55
Campaign Scope: Global (network edge device compromise)
Malware/Tools: Authentic Antics
Targeted Country: None
Threat Actor: Forest Blizzard (APT28 / Fancy Bear)
Sector: Government, Administration, IT
MITRE ATT&CK Techniques: T1557: Adversary-in-the-Middle; T1071.004: Application Layer Protocol – DNS; T1041: Exfiltration Over C2 Channel
Threat Severity: High
Recommendation: Update MikroTik and TP-Link routers to the latest firmware; enable MFA; implement network monitoring; audit configurations; educate users; apply network segmentation

Campaign: Supply Chain Attack (Contagious Interview)
IoC: hxxp://server-check-genimi[.]vercel[.]app/defy/v3 hxxps://server-check-genimi[.]vercel[.]app/defy/v3 216[.]126[.]237[.]71 d26da2d0f14d8a160f2f937a6081dae0c4b31bb4e5539187a56d658372f33b22
Campaign Scope: Global (developer-focused npm ecosystem)
Malware/Tools: OtterCookie
Targeted Country: None
Threat Actor: Suspected DPRK-linked actors
Sector: None
MITRE ATT&CK Techniques: T1195.001: Compromise Software Dependencies; T1059.007: JavaScript Execution; T1105: Ingress Tool Transfer; T1071.001: Web Protocols; T1041: Exfiltration
Threat Severity: High
Recommendation: Verify npm packages before use; monitor outbound connections; secure AI tool directories; report suspicious packages; implement supply chain security controls

Campaign: ClickFix Variant (macOS Social Engineering)
IoC: dryvecar[.]com hxxps://dryvecar[.]com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a hxxps://storage-fixes[.]squarespace[.]com/?gad_source=1 hxxps://cleanupmac[.]mssg[.]me/?gad_source=1&gad_campaignid=23708793071&gbraid=0AAAABBS8jKrbkIiVdpqodGRoYiYNaByHP&gclid=EAIaIQobChMI2uaJ-_TJkwMVpqJQBh1N6yRoEAAYBCAAEgLXrfD_BwE 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44
Campaign Scope: Global (macOS users)
Malware/Tools: Atomic Stealer
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1204.002: User Execution; T1059.002: AppleScript; T1059.004: Unix Shell; T1105: Ingress Tool Transfer; T1027: Obfuscation; T1140: Deobfuscation; T1071.001: Web Protocols
Threat Severity: High
Recommendation: Implement email filtering; educate users; restrict applescript:// usage; deploy EDR; update macOS; monitor processes and network activity


Apr 08, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Phishing / RMM Abuse Campaign
IoC: mastorpasstop[.]top evitereview[.]de evitesecured[.]top aceheritagehouse[.]top hxxps://relay[.]aceheritagehouse[.]top:8041 hxxp://relay[.]aceheritagehouse[.]top:8041
Campaign Scope: Users receive invitation-themed emails that trick them into installing legitimate remote management tools (LogMeIn Resolve, ScreenConnect), giving attackers unattended remote access; some incidents include additional payloads (infostealer, RAT)
Malware/Tools: Infostealer, Remote Access Tools
Targeted Country: United States
Threat Actor: Unknown
Sector: Multiple
MITRE ATT&CK Techniques: T1566.002 – Phishing: Spearphishing Link; T1204.002 – User Execution: Malicious File; T1219 – Remote Access Software; T1555.003 – Credentials from Web Browsers; T1082 – System Information Discovery; T1119 – Automated Collection
Threat Severity: Medium-High
Recommendation: Enable MFA for RMM access; audit RMM usage; educate users on phishing; monitor RMM-related network activity; enforce least privilege for RMM accounts; patch/update RMM software

Campaign: Supply Chain / Multi-Ecosystem Malware
IoC: 9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58 bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524 hxxps://github[.]com/golangorg hxxps://github[.]com/aokisasakidev hxxps://github[.]com/maxcointech1010 hxxps://github[.]com/maxcointech0000 hxxps://github[.]com/golangorg/formstash hxxps://github[.]com/aokisasakidev/mit-license-pkg 66[.]45[.]225[.]94 aokisasaki1122@gmail[.]com shiningup1996@gmail[.]com
Campaign Scope: Hundreds of malicious packages across the npm, PyPI, Go, Rust, and PHP ecosystems; they act as loaders to deploy RATs and infostealers, with obfuscated functions to evade detection
Malware/Tools: Remote Access Trojans (RATs), Infostealers
Targeted Country: None
Threat Actor: North Korea
Sector: None
MITRE ATT&CK Techniques: T1195.001 – Compromise Software Dependencies; T1036.005 – Masquerading; T1105 – Ingress Tool Transfer; T1027.013 – Obfuscated Files; T1140 – Deobfuscate/Decode Files; T1555.003 – Credentials from Web Browsers; T1555.005 – Credentials from Password Managers; T1041 – Exfiltration Over C2
Threat Severity: High
Recommendation: Pin dependencies; review low-download/new packages; sandbox suspicious packages; monitor child processes; use threat intelligence feeds; segment networks; audit systems for compromise; educate developers on supply chain security

Campaign: APT / OT Targeting
IoC: 135[.]136[.]1[.]133 185[.]82[.]73[.]162 185[.]82[.]73[.]164 185[.]82[.]73[.]165 185[.]82[.]73[.]167 185[.]82[.]73[.]168 185[.]82[.]73[.]170 185[.]82[.]73[.]171
Campaign Scope: Internet-exposed PLCs (Allen-Bradley), HMI, and SCADA across multiple critical infrastructure sectors in the U.S.
Malware/Tools: Unauthorized access, project file manipulation, data tampering
Targeted Country: United States
Threat Actor: Iranian-affiliated APT
Sector: Government, Administration, Energy
MITRE ATT&CK Techniques: T0883 – Internet Accessible Device; T0885 – Commonly Used Port; T1219 – Remote Access Tools; T1565 – Data Manipulation
Threat Severity: High
Recommendation: Remove PLCs from direct internet exposure; monitor OT network traffic; review logs for suspicious connections; enforce MFA and VPN access; disable unused services; apply vendor patches; enforce strict access control; maintain secure offline backups

Campaign: Ransomware
IoC: 1de1ccc61334d6d17a8525f9ce3daac3 0734316d5623824edfdb02b17fd46369a3c5459a d0c78ca7251fd3cba4387d1e3af8837ea55115be8dbb4ce0efc74a75372f5749
Campaign Scope: Global / Unspecified
Malware/Tools: TorBrowserTor
Targeted Country: None
Threat Actor: Unknown
Sector: None
MITRE ATT&CK Techniques: T1486: Data Encrypted for Impact; T1204: User Execution
Threat Severity: High
Recommendation: Implement robust EDR solutions; back up critical data offline; educate users on phishing/malicious attachments; employ application whitelisting; maintain updated antivirus and OS patches; monitor network traffic


Apr 07, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Campaign: Hacktivism / Cyber Espionage Campaign
IoC: 132404F2B1C1F5A4D76BD38D1402BDFA D1C927C3668C16DB3C8D716F9B935790 B201A94E80F8CC1AD7CC2448AE5B9259 D77A015F022D8A0CBF00204AC3AE496D 46AC6CDA371B83CE910C404A08059B25 CA5B677820C0CD1B65697DF3A6843593 61D8073566892D3E010E3F745B0237DF DDFA9440FCCCBA572FB800C8D14400D1 F9AF6743D3BD7E084810C70F8D9B10F6 CCFED1DC8D319A0EB55082D91243A332 64942A8EC9B2796C8F9522D6E7F2C248 8DE3B8AC5FA4CC80FBA51AA1DCA9F953 150618981088B0B6BEBA03B459B34940 90261F729F296A8A65488286F9C52DF1 142EE417E051FF1205FB11E4CC94DEA4 93[.]185[.]167[.]95 45[.]59[.]104[.]152
Campaign Scope: Targeted campaigns against government and critical sectors; phishing and drive-by compromise used to deploy a worm; data theft and public leaks; lateral movement and persistent access with evolving evasion techniques
Malware/Tools: CMoon worm, WhiteSnake, DarkBuilder
Targeted Country: Russia
Threat Actor: RGB-Team (Pro-Ukraine hacktivist group)
Sector: Government, Administration, Chemical, Energy
MITRE ATT&CK Techniques: T1566.001 – Spearphishing Attachment; T1189 – Drive-by Compromise; T1204.002 – User Execution; T1027 – Obfuscated Files; T1055 – Process Injection; T1547.001 – Startup Persistence; T1041 – Exfiltration Over C2
Threat Severity: High
Recommendation: Implement strong email security and phishing protection; deploy EDR solutions; monitor network traffic for anomalies; conduct security awareness training; patch systems regularly; enforce application control; adopt a layered security approach

Campaign: Ransomware Campaign / Exploitation Activity
IoC: 0cefeb6210b7103fd32b996beff518c9b6e1691a97bb1cda7f5fb57905c4be96 e57ba1a4e323094ca9d747bfb3304bd12f3ea3be5e2ee785a3e656c3ab1e8086 5ba7de7d5115789b952d9b1c6cff440c9128f438de933ff9044a68fff8496d19 185[.]135[.]86[.]149 134[.]195[.]91[.]224 85[.]155[.]186[.]121
Campaign Scope: Rapid exploitation of internet-facing vulnerabilities (including zero-day/N-day); fast progression from initial access to ransomware deployment; credential theft, lateral movement, defense evasion, and data exfiltration for double extortion
Malware/Tools: Medusa ransomware
Targeted Country: United Kingdom, United States, Australia
Threat Actor: Storm-1175
Sector: Healthcare, Education, Finance
MITRE ATT&CK Techniques: T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts; T1003.001 – LSASS Credential Dumping; T1021.001 – RDP; T1562.001 – Disable Security Tools; T1041 – Exfiltration Over C2; T1486 – Data Encrypted for Impact
Threat Severity: Critical
Recommendation: Patch internet-facing systems immediately;

Supply Chain Attack / CI/CD Compromise
” testedbefore@proton[.]me testedbefore+89@proton[.]me testedbefore+55@proton[.]me testedbefore+99@proton[.]me elzotebo@proton[.]me elzotebo+88@proton[.]me”
Large-scale automated campaign abusing GitHub pull_request_target workflows; injection of malicious CI code to access secrets; token harvesting, cloud metadata probing, and exfiltration via logs/comments; compromise of downstream npm packages
Malicious CI/CD payloads (AI-assisted scripts)
None
Unknown
None
T1195.002 – Software Supply Chain Compromise; T1552.001 – Credentials in Files; T1530 – Data from Cloud Storage; T1041 – Exfiltration Over C2
Critical
Enforce
Phishing Campaign / SMS (Smishing)
“ny[.]gov-skd[.]org ny[.]ofkhv[.]life”
Large-scale phishing campaign using fake traffic violation SMS messages; QR-code-based redirection to CAPTCHA-protected phishing pages impersonating government agencies; collection of personal and financial data via fake payment portals
Phishing infrastructure (QR-based smishing)
United States
Unknown
None
T1566.002 – Spearphishing Link; T1204 – User Execution; T1036 – Masquerading; T1056 – Input Capture
High
Educate users on SMS phishing risks; avoid scanning unknown QR codes; verify government communications via official channels; enable MFA; encourage reporting of suspicious messages
Malware Distribution / Social Engineering Campaign
“ghatreh[.]co techadapt[.]io qwayglobalventures[.]com 9867207751793bcf7ebcba467b16b61cd79bbb8cd90c6f33e55141770c967a43 af547cdc1b7a9dfa507257ee416a9f2b20b85444b5d6f2f080019250426e4394 61191267f2d8625268cd7e488a16ab5c7b67765fb2b9bc76e4d2d97def83395a 217[.]119[.]139[.]117 135[.]181[.]233[.]224”
Large-scale campaign leveraging Reddit to distribute malware disguised as cracked TradingView Premium; uses hijacked/new accounts, fake engagement, and compromised websites to deliver password-protected archives; payloads deploy infostealers targeting credentials, crypto wallets, and system data
Vidar (Windows), AMOS (macOS)
None
Unknown
Retail
T1204 – User Execution; T1036 – Masquerading; T1027 – Obfuscated Files; T1105 – Ingress Tool Transfer; T1555 – Credentials from Password Stores; T1041 – Exfiltration Over C2
High
Avoid downloading pirated software; block malicious domains;
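The Apr 07 CI/CD entry above describes a pattern that is easy to check for mechanically. A workflow triggered by pull_request_target runs in the base repository's context, with its secrets and a write-capable GITHUB_TOKEN; if that workflow also checks out the pull request head (github.event.pull_request.head.sha, head.ref or github.head_ref) and then executes repository content (an npm install, a build script), a fork's PR can run attacker-controlled code with those secrets, which is exactly the token-harvesting and log-exfiltration path the entry lists. The script below is an added example written for this page, not Help AG's tooling and not anything recovered from the campaign. Both workflow files are constructed for the demo, and the checks are line-based regular-expression heuristics rather than a YAML parse, so a "high" result is a prompt to review the workflow, not proof that it is exploitable.

```python
"""Flag the pull_request_target "pwn request" pattern in GitHub Actions workflows.

Added example for this page, not Help AG tooling. The two workflows are
constructed; the checks are regex heuristics, not a YAML parser.
"""
import re

# Constructed: the dangerous combination (privileged trigger + PR-head checkout + exec).
VULNERABLE = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed: the same job on plain pull_request. For a fork PR that trigger gets a
# read-only GITHUB_TOKEN and no repository secrets, so running the PR's code is safe.
SAFE = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# 1. privileged trigger: block form ("  pull_request_target:"), list item, or inline "on: [...]"
TRIGGER = re.compile(
    r"^\s*-?\s*pull_request_target\s*:?\s*(?:#.*)?$|^\s*on\s*:.*\bpull_request_target\b", re.M)
# 2. checkout of the untrusted PR head
HEAD_REF = re.compile(
    r"\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref)\s*\}\}")
# 3. a run step that executes repository content (package scripts, build tools, local scripts)
EXEC_STEP = re.compile(
    r"^\s*-?\s*run\s*:.*(?:\bnpm (?:ci|install|run)\b|\byarn\b|\bpnpm\b|\bpip install\b|\bmake\b|\./)",
    re.M)
# 4. secrets referenced anywhere in the file
SECRETS = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")


def audit_workflow(text: str) -> dict:
    """Return the individual findings plus a single risk verdict for one workflow file."""
    f = {
        "pull_request_target": bool(TRIGGER.search(text)),
        "checks_out_pr_head": bool(HEAD_REF.search(text)),
        "executes_repo_content": bool(EXEC_STEP.search(text)),
        "uses_secrets": bool(SECRETS.search(text)),
    }
    if f["pull_request_target"] and f["checks_out_pr_head"]:
        f["risk"] = "high"      # untrusted PR code can reach the privileged context
    elif f["pull_request_target"]:
        f["risk"] = "review"    # privileged trigger without an obvious PR-head checkout
    else:
        f["risk"] = "low"
    return f


def audit_files(workflows: dict) -> dict:
    """Audit a {filename: yaml_text} mapping, e.g. everything under .github/workflows/."""
    return {name: audit_workflow(text) for name, text in workflows.items()}


if __name__ == "__main__":
    for name, result in audit_files({"ci-vuln.yml": VULNERABLE, "ci-safe.yml": SAFE}).items():
        print(name, result)
```

The "review" verdict covers workflows that use pull_request_target without a visible PR-head checkout; those still deserve a look, because the PR branch can be fetched in a later step or inside a composite action that a line-based scan does not see.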

Apr 06, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Supply Chain Attack / Malicious npm Packages
“144[.]31[.]107[.]231 hxxp://144[.]31[.]107[.]231:9999/ hxxp://144[.]31[.]107[.]231:4444/ hxxp://144[.]31[.]107[.]231:8888/”
Highly targeted supply chain attack against Strapi CMS environments; credential harvesting, reverse shells, Docker/K8s escape, PostgreSQL exploitation, persistent implants via cron and fileless execution
Malicious npm packages (strapi-plugin-* variants)
None
Unknown (targeted at Guardarian)
Development, Digital Services, eCommerce, Finance
T1195.001 – Supply Chain Compromise; T1059.004 – Unix Shell; T1059.006 – Python; T1059.007 – JavaScript; T1053.003 – Cron; T1105 – Ingress Tool Transfer; T1041 – Exfiltration Over C2; T1552.001 – Credentials in Files; T1552.007 – Container API; T1611 – Escape to Host; T1543 – Modify System Process; T1571 – Non-Standard Port; T1082 – System Info Discovery; T1083 – File Discovery; T1046 – Network Service Discovery; T1005 – Data from Local System; T1049 – Network Connections Discovery; T1078 – Valid Accounts; T1505.003 – Web Shell; T1565.001 – Data Manipulation
Critical
Immediately audit and remove malicious npm packages; treat affected systems as compromised; rotate all credentials and secrets; revoke/reissue keys and tokens; remove persistence mechanisms; block outbound traffic to malicious IPs; enforce npm security policies and lockfile integrity; deploy SCA tooling; restrict container/network access; audit Docker/Kubernetes and database permissions
Credential Harvesting / Exploitation Campaign
“CVE-2025-55182 144[.]172[.]102[.]88 172[.]86[.]127[.]128 144[.]172[.]112[.]136 144[.]172[.]117[.]112”
Large-scale automated exploitation of Next.js vulnerability enabling pre-auth RCE; multi-stage scripts harvest credentials, cloud metadata, SSH keys, API tokens; data exfiltrated via “NEXUS Listener”; 766+ hosts compromised globally
NEXUS Listener
None
UAT-10608
None
T1059.004 – Unix Shell; T1552.001 – Credentials in Files; T1552.005 – Cloud Metadata API; T1082 – System Info Discovery; T1087 – Account Discovery; T1005 – Data from Local System; T1119 – Automated Collection; T1071.001 – Web Protocols; T1041 – Exfiltration Over C2; T1021.004 – SSH
Critical
Audit Next.js applications (especially getServerSideProps / getStaticProps); rotate all credentials; enforce IMDSv2; implement cloud secret scanning; segment SSH keys and enforce least privilege; deploy RASP/WAF protections; monitor for abnormal processes and network activity
Phishing / Social Engineering Campaign
“onlivemeet[.]com”
Fake Microsoft Teams meeting lures delivering RAT/info-stealer; multi-channel social engineering via Telegram, LinkedIn, Slack; abuse of Calendly; credential harvesting, session hijacking, and potential lateral movement
Remote Access Trojan (RAT), Info-stealer
None
UNC1069 (DPRK-aligned)
None
T1566.002 – Spearphishing Link; T1204.002 – User Execution; T1036.005 – Masquerading; T1071.001 – Web Protocols; T1105 – Ingress Tool Transfer; T1555 – Credentials from Password Stores; T1539 – Steal Web Session Cookie; T1078 – Valid Accounts; T1021 – Remote Services; T1219 – Remote Access Software; T1583.001 – Acquire Infrastructure
High
Block malicious domain; monitor DNS and proxy logs; enforce URL inspection; implement messaging/email filtering; educate users on fake Teams updates; enforce MFA; verify meeting links; audit Calendly and third-party integrations
Advanced Persistent Threat (APT) / Backdoor
“f1403192ad7a762c235d670e13b703c3 f4d2c26f24eec22e439507103cb019dc6c7d6b15 0fca9dae54a7a55f0805a864e9d2911d727a6e274f4ddc9b5673078130e0f9e1 ai[.]aliyuncs[.]help ai[.]qianxing[.]co qianxing[.]co aliyuncs[.]help 43[.]99[.]48[.]196”
Sophisticated Linux backdoor targeting cloud environments; metadata harvesting across AWS, GCP, Azure, Alibaba Cloud; lateral movement via stolen credentials; stealth C2 via SMTP; long-term undetected infrastructure
Custom Linux backdoor (Winnti lineage: PWNLNX, RedXOR, AzazelFork, etc.)
None
APT41 / Winnti (Wicked Panda / BARIUM / Double Dragon)
None
T1027 – Obfuscated Files; T1041 – Exfiltration over C2 (SMTP); T1005 – Data from Local System; T1018 – Remote System Discovery; T1071 – Application Layer Protocol (SMTP); T1133 – External Remote Services
Critical
Monitor DNS queries and outbound traffic to identified domains/IP; deploy YARA rules for detection; audit cloud metadata access; enforce least privilege IAM roles; monitor UDP broadcasts (port 6006); inspect SMTP traffic via DLP; patch Linux systems; enable MFA and review cloud security logs regularly
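Several of the Apr 06 recommendations above (block the malicious domain, monitor DNS and proxy logs, block outbound traffic to the listed IPs, monitor outbound traffic to the identified domains) come down to one operational task: take the defanged indicators from the entry, refang them, and check DNS, proxy and EDR telemetry for matches. The script below is an added example written for this page, not part of the feed or of any vendor's tooling. Its indicator block is copied from the Apr 06 entries; the log lines and their key=value layout are constructed for the demo, so the tokenizer is an assumption that will need adjusting to real sources. Domains match on exact name or any subdomain, URLs on exact value or prefix, hashes and IPs exactly, and the host of each listed URL is indexed on its own so a bare DNS lookup for it is also caught.

```python
"""Refang indicators from a defanged feed block and match them against log lines.

Added example for this page, not Help AG tooling. FEED_IOCS is copied from the
Apr 06 entries; SAMPLE_LOGS and their key=value format are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

FEED_IOCS = """
onlivemeet[.]com
ai[.]aliyuncs[.]help ai[.]qianxing[.]co qianxing[.]co aliyuncs[.]help 43[.]99[.]48[.]196
144[.]31[.]107[.]231 hxxp://144[.]31[.]107[.]231:9999/ hxxp://144[.]31[.]107[.]231:4444/
f1403192ad7a762c235d670e13b703c3 f4d2c26f24eec22e439507103cb019dc6c7d6b15
0fca9dae54a7a55f0805a864e9d2911d727a6e274f4ddc9b5673078130e0f9e1
"""

HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")


def refang(token: str) -> str:
    """Undo the feed's defanging: hxxp -> http, [.] -> ., [:] -> :, stray quote marks dropped."""
    t = token.strip().strip('"\u201c\u201d\u2033')
    t = re.sub(r"^hxxp", "http", t, flags=re.I)
    return t.replace("[.]", ".").replace("[:]", ":")


def classify(token: str):
    """Return (kind, value) for one indicator, or None if it is not recognised."""
    v = refang(token).lower()
    if not v:
        return None
    if HEX.match(v) and len(v) in HASH_KINDS:
        return HASH_KINDS[len(v)], v
    if v.startswith(("http://", "https://")):
        return "url", v
    if IPV4.match(v):
        return "ipv4", v
    if DOMAIN.match(v):
        return "domain", v
    return None


def parse_feed(text: str) -> dict:
    """Bucket whitespace-separated indicators by type; URL hosts are indexed as well."""
    iocs = defaultdict(set)
    for tok in text.split():
        hit = classify(tok)
        if hit is None:
            continue
        kind, value = hit
        iocs[kind].add(value)
        if kind == "url":
            host_hit = classify(urlsplit(value).hostname or "")
            if host_hit:
                iocs[host_hit[0]].add(host_hit[1])
    return iocs


def match_line(line: str, iocs: dict) -> list:
    """Return the sorted (kind, indicator) pairs present in one log line."""
    hits = set()
    for tok in re.split(r"[\s=,\"']+", line.lower()):
        if not tok:
            continue
        cands = [tok]
        if tok.startswith(("http://", "https://")):
            cands.append(urlsplit(tok).hostname or "")   # let a URL's host match on its own
        for c in cands:
            for kind in ("md5", "sha1", "sha256", "ipv4"):
                if c in iocs.get(kind, ()):
                    hits.add((kind, c))
            for d in iocs.get("domain", ()):
                if c == d or c.endswith("." + d):        # exact name or any subdomain
                    hits.add(("domain", d))
            for u in iocs.get("url", ()):
                if c.startswith(u):                      # exact URL or a path below it
                    hits.add(("url", u))
    return sorted(hits)


def scan(lines, iocs: dict) -> list:
    """Return [(line_index, hits)] for every line that matched at least one indicator."""
    return [(i, h) for i, line in enumerate(lines) if (h := match_line(line, iocs))]


SAMPLE_LOGS = [  # constructed for the demo
    "2026-04-06T10:02:11Z dns q=onlivemeet.com type=A client=10.0.4.17",
    "2026-04-06T10:02:12Z proxy client=10.0.4.17 GET http://onlivemeet.com/teams/update.exe status=200",
    "2026-04-06T10:05:40Z dns q=mail.qianxing.co type=A client=10.0.9.3",
    "2026-04-06T10:07:01Z proxy client=10.0.9.3 GET http://144.31.107.231:9999/ status=200",
    "2026-04-06T10:08:00Z dns q=example.org type=A client=10.0.1.1",
    "2026-04-06T10:09:00Z edr host=ws12 sha256=0fca9dae54a7a55f0805a864e9d2911d727a6e274f4ddc9b5673078130e0f9e1 path=/tmp/.x",
]

if __name__ == "__main__":
    iocs = parse_feed(FEED_IOCS)
    print({k: len(v) for k, v in iocs.items()})
    for idx, hits in scan(SAMPLE_LOGS, iocs):
        print(idx, hits)
```

The same parser works on any of the quoted IoC cells in this feed; the uppercase MD5 lists and the hxxps:// download URLs in other entries normalise through the same refang step. Subdomain matching is deliberate (the APT41 entry lists both ai[.]qianxing[.]co and qianxing[.]co), but it will also fire on sibling hosts of a listed apex domain, so keep apex-level indicators to domains the entry actually attributes to the actor.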

Apr 03, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Ransomware Campaign
“7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497 16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56 12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0”
Increasing ransomware activity with expanding operations and delayed execution tactics
Qilin Ransomware
Japan
Qilin
Manufacturing, IT, Automotive, Education, Health
T1078 – Valid Accounts; T1562.001 – Impair Defenses: Disable or Modify Tools; T1486 – Data Encrypted for Impact; T1059 – Command and Scripting Interpreter
High
Prioritize early detection by correlating events and monitoring anomalous account activity; implement Sigma rules and leverage threat intelligence platforms for updated IoCs; strengthen credential security and deploy EDR solutions; regularly review security controls and apply geo-fencing where applicable
Malware / Botnet Campaign
” 007fe05132e429ff57393163354f4c90 06d491b70f369b2672fce5a7b59a5c93 0a4e197044ad59116f0a1c2776125065 126b1c224e8635d9571f9d769d7b55e2 1c8c17ef978bd4f03db672c0b2d51d00 1f970f5eb9cbef8dba11e2aed72373ba 22c5849855878f331d7bbf07e7ec7e41 232fdd85e07f74ea232cadafdb095d31 2a646682ee7f0f853605c78bb9126ed5 327c1ca93321705027e0bf47658b5f53 32f1f238da09f1ebc1385317d50e94b4 37c78c8a8f1d4b260dfff9aa11a429e779927222fed922c0cb071768ba15d346 3bfc273e5592825443ded9c28f50cd5d 3d43f5b3b2c9142ca0c5cdc4a82f9088e090d077ef61c2297c51b4ccd3085d78 3f83790a150a6bf71b908289fd230014 444138b1d805808a06c4b908c7b73d96 4651d6a90d24cf57c83a76ab160abf85 48374bfb610280c48086817cfb2bb310 48cc6040c15e556bb5827417dcaab74f6059b62ff2ba4800ee2f9c261d2fd993 48ef5c2a62d1ae95ea37d165e8a1be26 4943e8c2a29ad616ec12cd7a507c612c 4a884070ea340d89756be6575676ce85 4d63235fdd3e0ace207d8fdbe19d63e0 53437d28fdf92c09821f56140c67aaca 53f02fdf9c375c1837a31edf68694380 5aed40bccde5a7646c6fea17f7dd2083 5f6f52fd4ece5918ee7979036a49bca3 6501a2d2ed60b85b1080ac9edaf39b70 667ae41f4a6201071b8cc3f88e3e02c7 6a389a89a6da7433210d9a52fc72589c 6a6619b4b9a53233ca0a56606c484f9a 6e9540f68507580a3f495e9ff58dbd4e 6ec7063f03f95499b6c1821f90bda7e6 70c2317f40de5b28f42d640488910140 74e5514cdd3ef6f703483700f04b5812 7d4c60c77a7d74cc3d9af4dabbecdbb8 7fe57eca60841291cdd8ef1bb5c27de9 8a978017496adb02eb368f3b28bc4ccd 8ad3f40fd8fcf2c7ee04d1219017cfe3 920534d235204ced7ad2c76c1af7b3f8 963354b60552af16408cf4d82a827832 9752ac893640a027bea5a6df48ceb396 9dfba3b92850a74135925e524e7b4748 9f2df912212f67adcb64dbae8bfa2ca9 a3e31f70b7a6abf3de15ca6646d16bfe b1a32a442cdb34901f1f7ffbe47749f0 b5ad7f7e10f5d0401a2ad6b737724ff6 bb5e9faa666e6d96eb95e358524213b6 bd24f43084b33f13a835f661bf48b5e2 bd4a12d4de4e42c4d9246aa92ddb86b8 bf0183b2d18341c47576ba8e0d36fdff c32ac3f6cba0772de7737da60f9170c0 c53397dc47ddc38a8c6daa3a02116518 cfd3d123595fba37ec414b90cfa834753ad9ab2149651d48948e04875aecac98 d5d63db439bb1dba080ab27555b03a2a 
db3a48697e0dc96054a64e689f45f99a9f21e946c2c5e155b1efd292aecee3e2 de86b12800919ce8b213b51354d28ab8 ef7f3f7cb4f3f1a90a2028d44c4fe702 efb8b73d59a805e1fd9ebf0d3540b0e8 f0d1852065c498c3bdaec3de8e6cd626 f143b44d3b8d835c09bf2c346d90ec22 f18ddb10b3f9044fa2f9d1bb5152e388d4f68c2209165b117135fb2490243d2b f3cf4a369e5fb451db250c31776ba84e f74c8bd1701746cce8b4bad819cdd148 f774fcbf889a8a629004f31e8b962b63 fb9d610a2b535dde194c05c099f0b307 ffaa0890eb9a38307477157c02f63583 advstat[.]cc atable[.]cc backdump[.]cc cleandone[.]cc critlan[.]cc dzero[.]cc fpride[.]cc lups[.]cc meterstrack[.]cc netjunk[.]cc plxz[.]cc regul[.]cc startsun[.]cc utcp[.]cc vdem[.]cc zeroback[.]cc zeroback2[.]cc zeroback3[.]cc zeroback4[.]cc zerophone[.]cc zorc[.]cc 175[.]110[.]114[.]65 176[.]120[.]22[.]67 185[.]162[.]128[.]133 185[.]163[.]204[.]198 188[.]116[.]22[.]153 188[.]138[.]125[.]163 212[.]118[.]38[.]30 213[.]202[.]230[.]95 37[.]77[.]150[.]19 37[.]77[.]150[.]77 38[.]180[.]91[.]47 45[.]137[.]213[.]88 5[.]149[.]250[.]171 5[.]149[.]250[.]54 5[.]149[.]254[.]109 62[.]138[.]0[.]10 62[.]138[.]0[.]211 62[.]138[.]14[.]209 77[.]246[.]106[.]198 79[.]141[.]160[.]92 85[.]25[.]100[.]30 91[.]215[.]85[.]178 91[.]245[.]255[.]112″
Large-scale targeting of routers & IoT devices exploiting unpatched vulnerabilities
AVrecon
United States
Unknown
Not specified
T1190 – Exploit Public-Facing Application; T1210 – Exploitation of Remote Services; T1105 – Ingress Tool Transfer; T1071.001 – Application Layer Protocol (Web Protocols); T1090 – Proxy
High
Apply firmware updates and replace EOL devices; disable remote access and change default credentials; monitor traffic to known C2 infrastructure; implement IDS and network segmentation
Ransomware Campaign
“3bad8c0cab145cea190697f9a168a1a9 f9afeff0369dad36f5db6e1613b847376c1b2584 0e61914162fd1f7ea2bd553c8e6cebc05d6913be1fb81eeb1a8d2b649ab7a5c6”
Likely distributed via phishing, malicious attachments, and compromised software targeting general users and organizations
BASANAI (MedusaLocker family)
Not specified
Unknown
Not specified
T1486 – Data Encrypted for Impact; T1566.001 – Phishing: Spearphishing Attachment; T1204.002 – User Execution: Malicious File
High
Implement EDR solutions; maintain regular offline backups and test recovery; educate users on phishing risks; keep systems and antivirus updated; apply application whitelisting controls
Web Skimming / Magecart Campaign
“bundle-feedback[.]com doubleclickcache[.]com analyticsgctm[.]com hotjarcdn[.]com firefoxcaptcha[.]com solutionjquery[.]com jquerybootstrap[.]com assetsbundle[.]com bundle-referrer[.]com categorywishlist[.]com cachesecure[.]com securedata-ns[.]com newassetspro[.]com explorerpros[.]com redsysgate[.]com”
Large-scale, multi-year campaign targeting e-commerce platforms and financial ecosystems
Magecart (Web Skimming Scripts)
Spain, United Kingdom, United States, France, Denmark
Magecart Group
Retail, Banking, eCommerce, Finance
T1056.003 – Input Capture (Web Portal Capture); T1189 – Drive-by Compromise; T1190 – Exploit Public-Facing Application; T1071.001 – Application Layer Protocol (Web Protocols); T1041 – Exfiltration Over C2 Channel; T1027 – Obfuscated Files or Information
High
Implement monitoring for outbound WebSocket traffic; enforce CSP and script integrity controls; conduct third-party script audits; enhance fraud detection for card-not-present transactions; continuously update security measures
Phishing / Fileless RAT
“75b7ed9f524cdb1c6f044864c4d3353c a739d0c4821d2bc1b8a226a5d8846c28 a5c70d896526146238a15a93dfdb2f97 hxxps://almacensantangel[.]com/ENCRYPT[.]Ps1 d79dbfab8af7a6f19b6abf934a90c1b7 957b2710fef66141707064c76f1dd1a9 508c092eaf1c1a178195aadfa1b7ecae 192[.]3[.]27[.]141 0a9728de22d85c6a2b375924bfb643dc”
Multi-stage phishing attack with fileless execution and RAT deployment
Remcos RAT
None specified
Unknown
None
T1566.001 – Phishing (Spearphishing Attachment); T1059.007 – Command and Scripting Interpreter (JavaScript); T1059.001 – Command and Scripting Interpreter (PowerShell); T1105 – Ingress Tool Transfer; T1027 – Obfuscated Files or Information; T1620 – Reflective Code Loading; T1218 – System Binary Proxy Execution
High
Implement email filtering and security awareness training; deploy EDR solutions for fileless malware detection; patch systems and update security software; restrict untrusted script/binary execution; monitor suspicious processes and network activity
Botnet / Multifunctional Malware
“0104e0b13130dfa08e3b021b85ed80399ce15afbcbcf00d672750b3fe5465795 b855c274bf842d39949c3512bfb20a488def51042992e7c53565328083a8f9e8 c3d3d4f456e13d5c3090c91541673adc7a936e24e65ade6e452d944cbca84653 e59a409261efe2d5cacd0a58ca1f92cae85bbf45d6c7b63c123e6c2c069a139c fa27981befc05c8ff74d9b796b30525c6cb048b0a91bcd134941c50db7c56ddb 2e893562114e5fafa195fb09e0db323f4c41f6a327196f98fccdfeb18e887e6c 02816012e5b60a4dd35390137f9bceb33752abd5a4cd5ec5794bdd3ffb7899c5 d2ba9777e8d8415b5b9361571c7fa3b6f12303c3f81738a23b66ce258cf025bb 70f9597fe726f00a69383919f1d86c30001195d0c655640f94cba9729e20c0ab 54b55b164fef227508f635391c37d23daaf6af7c599a83b3ee17c74263f9d4db a0f9d89853963fa2ead2a079952d1d321a60058a3e1198f445162489fa656615 54cfdf2acd14277aa6841d227580ff8e4ea5b733a27c80eb5d74cdc828595192 6d9f17932c1736527b80db9f3bb6ccc693ef22695a349fbc1d96e845ae5930c6 68666eec45ae5f29e414dbcca1a99d2a767c45f934c7490d3464f0ce7e8cd833 71744a88ccca712ad9b74087ba046be05625b4ac83e1c65a1fd5259584aa109d 1589fc5bd6b430feec62c625914d94f73e261e45655f98f8553fdda708d12800 67acb73457262a41508e41e7777113937594ce158e6a8e73eef2c5a2b16ce384 3ab171a4fe9b095f4bc79b88b6425a88e6962cbba0d763117a01918829fe59fb 80d42d9d8d97f4245bf6a279a8f83668385812337d39e0282068c8e344dc755d 0ff637682614ed66cdc76643efc709b6af08351dd701f92604a406ccbb3bf045 2212b78bedb274dd6be7bbebdeeffe9406197cb065fedb370b302b720573fb25 8fb06ea350e49fa9ef38c56e731adf6713a47c8de714fe55aee6519cfd6b4da3 b6ffdb84f61503fa0b8cead54a5479af317d3adec7fd375f3df2337575981b6f 8540b955e851488606b3508211167daf280af7b6fc11caea4aa7f4cccda8e307 83313da4c33e6c413933e577f94e86c575b54a4a2480cba90c3407c99c27113f e3a3d9e668fa8c144c48299206d7eff67a7dbbf3410ddc2aefc440b6e072bf6f 0f14a05d458d8645c63e666c96ff0314fe2461daf81a19feae74ef748378f60e 4be3266e0c7427823adb0b3b5136bb89d9f59bc1eff9e89456cb9517f585e52a 2322908792f3bd634a139411d42474c93951599c5356195b6f1f7f09bd455023 c2e8cdd98f0d5c1882920816ff19adaaf0961462d117ca47ea0cd00545dd3ad9 
99ac02e76e50e0a053e19611e97965105796f0da7fa1959e59d7b5327869e19d 46bb3df9a85c89c546cf5a01f5b8d7e9ae0d6bf4d92372c82d0764bb89dd5421 267df6cfd790b8c9dfd48f518f5cad435df3158344f7f5adb8b6ab1e0a6aa251 56dab61397e1cbea1d8dfe7cf728ca9d61c0040881780b5f45cfe68fcd47ed6d 48975e8570cc778b5b94e51237d1c67f923047d0c90e5f9a0eb8b8da04fe04bc 857a902aeaa351e72676fb764543e2e8fc5c332b5881ea8dfe407ff257f913e7 3bb10edb151f0b54ea11de5b216a0f7e4c6b899bcae54da97b3ec87b5b862359 b67e5f6e9fb2273ac8ae5dd3b49c7695bc680686cf93a729bbdef2669f18d429 7ba1caff23d3a218037c59ac9ec7228af4a8db03577292404b1cfea6bb79023c 55cc603248b4c0858d18c029c500c2663394102b6b63b06cb147eab2168448ae 6e549de24c05fcf0c5c66111e9ab8686bb9ec02677fcdc219d994cd6857f5891 a28e55a948927ae556de391674d88cde33a4ad9700f7e5e21a94d8d3755ebe70 7744909ba1357e348376c7dcd1bc097d63d6d018e6da04287ebb763f073d60f1 da9b344bd9920b1d403a0d62f94881acf5d65b6fea495b04855aba40188e6e36 68863b0942c76880c9e9abb4c93ea235501974af3d04fa82228068878d0f4bae 5a3e61eab1551f1459ec1a0303f5b37b981161c21bf7d1818893415711e52cc1 023280288a154681b1652c24289acc49e44beb65e1f12948aee25dad981b3e0e db176add8daa4f1b68ad74b7ed6a123003a7705badcd119086f4f5d9f4083469 6c0127433f689c0861355352460f7dc6b6ae3d86aa7db0747e60b3b9a18c4a87 41fb6be80f588c9e7823f862baf7b43dff49206a1c45f8a03e3dbd5f15678e14 1d218f810f262659fc2b6fa8a42b2fe217580666546ff802840a1350624766f0 08aeadb7453ab5762b51609871c7b15782af7025a349516a4b4f905d6c7be871 21f13ddfa4edaf7ae54a076e6f9fff2e9d8233581b610960934d35235b52071a cc57c7cfed94cb9e9a894e236cab91920c80a3d91631e87803aebf71538e7cd4 18b0a373fee639afec0052399177599f32f4b70bcfecc5ae0a34d82e400310a1 6b7c767694aa1cdf7429f364c0c104b32f738203c8c60b5f25a6e2f6a66a71fa 74fcf1e27180d840b8de78ec4cfbb48e5b7a43f13c579c9afbef17fc2b47ac02 37b08b5131a17565009d980f1b3c2a6879383040528d73d34e149f8078282ab9 359c1e71740dd3ee3556e1c392a72b943960c4f46cf003cd4671775e71788287 766f430544751677d52fb8602a6eb27a8fea7513826aa99319017209c1970029 
3be21ac37d8c817b71ea520d2f4354f0c606fca4cc6a48742b2de87f358af79c 5d414a6cb575b89d11cf5cf37c554c29189130e3d8841e9f60ae5b5c08a2d5e7 d6283822fc330342132cf753d3ff0dda6bf30946af6251259e6f98141a1eec0d 5b872f26adfff2b63bd91ca50847e3fd19a6c612ee089a6953bdad00214f8df2 c62850ec00e38c48999b2cf8fdd1f256d71dfb24c103bfdfb32e045b7f693990 62715d8a00ed60ebf4736d825628a2c0c6faaa3f9b567b393343f79caff1c965 8ae4a61d7dff97b03be346edad80a6f9dbf91d00a505e100fe5a27070c809ab7 1582320a0c27d70bde7a97cbe53682dab83efc95124f5e2449bd066960c7e5b9 8d49e40a0d85cb05aeaa152977bcd5e34e9219e3cf4b1a25e1e968888616aadb 40dbcc2249f5c32ff8aaa62dfa0b9e6df34c2bdd0fbc1348fca4a0f014995756 a950a8fdd0d8f7f6e86bd475c3f71381ef4536539e7c50e2aeb6304ae56570e7 a0d8032ea8d64e4a7bb6ff292b236955d8239c5826fdcc76b32dbf96cb824acc dace0ace114449ffb03a07902681e2502a507b2968d0d72436fd50f1fbdad9cb 553972250e6766defd1125152eef38c0b8024e9ba2d65c5ca83ef1d04a1685eb b9b52cc15fa1c03663a49c10af56e8f7aaa786d7688a75176d6fbfb779e8faca 26b441b6ac06968d8029babb90fba7927e1d21c9cb84b0492c4890bca5dd2660 a030ac4b770f87ded6b1c7c051171f02708c2d63680a9ee01afab2f2fa8c2b3e 90e6104462a969029a7c5b023ce811ef0c3ff93eb6bc72b0a0bf9e1baa722795 99ed96d48e99828077d807f342cf13244af232c190088f12f548199a8ece8d97 c6def8e8fb6eaa582f7c5dc88a85723d4a868b04c4ea8f8584bb828417a4ab86 b1a0fd0c9c72e68f74b654988423acb2a953427e83990c26c91e5e908ec66387 770df171362179564bb433aa4c82502926c420482b7e6b8441a857c5934377ac 38b9825abef45b2fb9e0efbfae7124499af85b9f328d4619ac8a37af274e7b4e 823da032a4b7f64d6f3706f207d0f2a0cd44cd45b602193c4580403c2d4e8342 23437efc7bf2f691678472e0080f4b22fa8e327d41781f95912ff6722a62f5fb 4013d5545b490d4bdea2fbfc31cad82cd73e9d617ef5946ae9b9df19d6eada48 8baadd5caf6014222b98656e875382126e719f53342591a47c29c408e10fbd60 e7ba958cac186815f76fbc5809e479000a5a569034fd0425bf0fb512ac523639 5b0684dde84168b41eb1d7022f490f0036a90ea3d00a37e35d69323887826628 17c40dc8cfe53fc24d01df2ff4aad1d4914dd592b00d053762f12daec16c7035 
a858bbbfe1332816b23c8d46443b63f318958e6748c54e4b4040fd908d175d62 43a000847d155da05e5c080587b4eb97cbeed61bf6b5d6a4062e5f459f387888 4fc29cee350f69681728c009449f12682d90db8541459c505a2830a278be809b 26c4a28e9bdd3f85433ced68c48d60ac89e44ff0bde47326d3d19bddc9399a83 8ebb428ad35eceea596ffffc9bbf23b7ef3f09e4493eb894dade07eadb9f9652 70cc64fb4dc5e32b9a8973be10e7e2d4378479f3521b5ab9bb044f76d1e2379b f6f7a37b49310287a253dbdf81e22f0593f44111215ca9308e46d2c68516196f 55f3a2d89485bb40ea45e5fa1f24828f71a81ef4ccc541b6657fc7a861ef3add 3a2dcd6c86a8b789c5f07eec531fd9a3d9268288d8cf47e9f324dacd55bb6cfc 6fbd1d2192865099bd3772f6b77f269ab44be19a44ae41475486dbaf52ecba72 75e5535a7b6aa384097fcb990c3ea85f8cbd1db87593dbf4f3d7fe7a619ba3ca e3648ed09ab275376cd8a111f3a8c32e254ee9739263d4f2ae3344037bdcca10 04537e704df71330b1e7f1a3147796a5d0277fbe6922a2a304a9a526cdbfe059 3bfe06669545cf2b91a149149cc23073d631e237f5aaac237dbe7da67b227477 724e7d651f8d44249798db1a58ef9535ac956ac5e882c367475199c724a07c57 ec05957677d0f2ab66da08278729b1849b8f926a9f3f8c9c33222b63d20afb7c 51455bce4f49061e859cb4cc830f9d4b3478f9c7082b7b9f55febc68234a06f7 bd9f942b1082ef254f72b9b82a04c196a6029c9cf900c034b4657719b191e4a8 c77304e40bc3afc5e5b5b1f94395b4b64fc17b8fcd255970bdcf0c7cc0a507b2 7436220538e6cded0c499167424975a2aacf93217dca40c683f0610b4f3eb3b7 c44375c99dd2886d0438f3c088439072604168cb53b90216f9a6f1b8d18db2fb 805db6f001167b526485cfb9bd6fac5dbe7737af6a46100cc69348c9145bee4a fe345c884a521223ec9482d7dc7e3583c080fb6c2fafd8c761fc4963240a9b2b 7f7ff6e97841e9cb49976b93e493ad04bf51cc3138f7b756e1d41ce3faf2b6dc ebd465cbb6b7718f33aac20528ffa75ae4ac433d8ab7c5c7a734c472f1c16a87 c525acd224ed52353591c0924e60e84c051c10970ddbe6c87ae15ec15da97ec2 85bf5ff6c1f1fcfbe5cd999dd4ca71c0c26f40b624c810fab29788aa275c09cb 926e7a5fc2df14280ddb9fad2a6a3a8101c4024cbce128f9feacb0f0c1e2070e e1c102d81d89d3d406917553c421c6b23cbd3333953a050d650f5394bfd6a73f 8ac7bf6ead6c0068502f6473f7377239cdc44c6af728d5952500b8d5ae0ff157 
586a29bab56e5d7be8b7a783256b0458a4eca167c7d519fdbc8467ba2331e7e8 hxxp://91[.]92[.]243[.]29/3 hxxp://91[.]92[.]243[.]29/1 hxxp://91[.]92[.]243[.]29/2 hxxp://91[.]92[.]243[.]29/bnoda hxxp://178[.]16[.]54[.]109/grolo hxxp://195[.]178[.]136[.]19/4 hxxp://195[.]178[.]136[.]19/2 hxxp://195[.]178[.]136[.]19/1 hxxp://195[.]178[.]136[.]19/3 hxxp://195[.]178[.]136[.]19/40[.]exe hxxp://195[.]178[.]136[.]19/39[.]exe hxxp://195[.]178[.]136[.]19/38[.]exe hxxp://195[.]178[.]136[.]19/37[.]exe hxxp://195[.]178[.]136[.]19/36[.]exe hxxp://195[.]178[.]136[.]19/35[.]exe hxxp://195[.]178[.]136[.]19/34[.]exe hxxp://195[.]178[.]136[.]19/33[.]exe hxxp://195[.]178[.]136[.]19/31[.]exe hxxp://195[.]178[.]136[.]19/30[.]exe hxxp://195[.]178[.]136[.]19/29[.]exe hxxp://195[.]178[.]136[.]19/28[.]exe hxxp://195[.]178[.]136[.]19/27[.]exe hxxp://195[.]178[.]136[.]19/26[.]exe hxxp://195[.]178[.]136[.]19/25[.]exe hxxp://195[.]178[.]136[.]19/24[.]exe hxxp://195[.]178[.]136[.]19/23[.]exe hxxp://195[.]178[.]136[.]19/22[.]exe hxxp://195[.]178[.]136[.]19/21[.]exe hxxp://195[.]178[.]136[.]19/20[.]exe hxxp://195[.]178[.]136[.]19/19[.]exe hxxp://195[.]178[.]136[.]19/18[.]exe hxxp://195[.]178[.]136[.]19/17[.]exe hxxp://195[.]178[.]136[.]19/16[.]exe hxxp://195[.]178[.]136[.]19/15[.]exe hxxp://195[.]178[.]136[.]19/14[.]exe hxxp://195[.]178[.]136[.]19/13[.]exe hxxp://195[.]178[.]136[.]19/12[.]exe hxxp://195[.]178[.]136[.]19/11[.]exe hxxp://195[.]178[.]136[.]19/10[.]exe hxxp://195[.]178[.]136[.]19/9[.]exe hxxp://195[.]178[.]136[.]19/8[.]exe hxxp://195[.]178[.]136[.]19/7[.]exe hxxp://195[.]178[.]136[.]19/6[.]exe hxxp://195[.]178[.]136[.]19/5[.]exe hxxp://195[.]178[.]136[.]19/4[.]exe hxxp://195[.]178[.]136[.]19/3[.]exe hxxp://195[.]178[.]136[.]19/2[.]exe hxxp://195[.]178[.]136[.]19/1[.]exe hxxp://195[.]178[.]136[.]19/forg hxxp://178[.]16[.]54[.]109/l15[.]exe hxxp://178[.]16[.]54[.]109/l14[.]exe hxxp://178[.]16[.]54[.]109/l13[.]exe hxxp://178[.]16[.]54[.]109/l11[.]exe hxxp://178[.]16[.]54[.]109/l10[.]exe 
hxxp://178[.]16[.]54[.]109/l9[.]exe hxxp://178[.]16[.]54[.]109/l8[.]exe hxxp://178[.]16[.]54[.]109/l7[.]exe hxxp://178[.]16[.]54[.]109/l6[.]exe hxxp://178[.]16[.]54[.]109/l5[.]exe hxxp://178[.]16[.]54[.]109/l4[.]exe hxxp://178[.]16[.]54[.]109/l3[.]exe hxxp://178[.]16[.]54[.]109/l2[.]exe hxxp://178[.]16[.]54[.]109/l1[.]exe hxxp://195[.]178[.]136[.]19/5 hxxp://178[.]16[.]54[.]109/lfucky[.]exe hxxp://178[.]16[.]54[.]109/v[.]exe hxxp://178[.]16[.]54[.]109/l12[.]exe hxxp://178[.]16[.]54[.]109/lfuck[.]exe hxxp://195[.]178[.]136[.]19/gnul hxxp://194[.]38[.]20[.]95/3 hxxp://194[.]38[.]20[.]95/1 hxxp://194[.]38[.]20[.]95/mono hxxp://176[.]46[.]158[.]64/1 hxxp://176[.]46[.]158[.]64/plop hxxp://178[.]16[.]54[.]109/molop hxxp://178[.]16[.]54[.]109/5 hxxp://178[.]16[.]54[.]109/lk[.]exe hxxp://178[.]16[.]54[.]109/4 hxxp://178[.]16[.]54[.]109/stata hxxp://178[.]16[.]54[.]109/newtpp[.]exe hxxp://178[.]16[.]54[.]109/2 hxxp://178[.]16[.]54[.]109/1 hxxp://178[.]16[.]54[.]109/32[.]exe”
Highly persistent botnet leveraging HTTP + P2P for clipboard hijacking, ransomware distribution, sextortion campaigns, and credential theft
Phorpiex/Trik, LockBit Black, Global ransomware
Iran, China, Uzbekistan, Luxembourg, Switzerland, Norway, Qatar, Singapore, UAE, UK, US, Canada, France, Denmark, Germany, Austria, Finland, Italy, Spain
Unknown / Multiple
None
T1566.001 – Spearphishing Attachment; T1059.001 – PowerShell; T1105 – Ingress Tool Transfer; T1091 – Replication Through Removable Media; T1112 – Modify Registry; T1547.001 – Boot/Logon Autostart Execution; T1071.001 – Web Protocols; T1496 – Resource Hijacking
High
Implement endpoint security with botnet detection and P2P traffic monitoring; educate users on phishing; enforce application control and removable media restrictions; monitor registry changes and suspicious process activity; strengthen network segmentation and monitoring for crypto hijacking or ransomware behaviors
Node.js backdoor / Remote Access Trojan
“jariosos[.]com hayesmed[.]com regancontrols[.]com salinasrent[.]com justtalken[.]com mebeliotmasiv[.]com euclidrent[.]com o-parana[.]com palshona[.]com aurineuroth[.]com 185[.]218[.]19[.]162 294c597c89023093e1e175949f5104f887b89cd8e1cf1d3192ee9032739f259e 5623f4f8942872b2b7cb6d2674c126a42bdf6ed5d1f37c1afc348529e4697d73 03c4e54cc775ab819752dc5d420ab2fed03bd445c3ce398d021031100b334fb4 7dd1bf7a58774a081062f5c8f183d24f95c433805e0bf73280c0adba1c71390d 83b1f11c6a0bd267e415136440559131d2d4ace9a65dc221ea3b144fe0e7199b www-flow-submission-management[.]shepherdsestates[.]uk”
Retail environment; remote command execution, system reconnaissance, credential & cryptocurrency theft; persistent via registry keys; C2 dynamically retrieved from Ethereum smart contracts
EtherRAT, Tsundere
None specified
North Korean-aligned activity
Retail
T1218.005 – Mshta execution; T1202 – Indirect Command Execution; T1059.007 – JS interpreter; T1059.005 – VBScript interpreter; T1547.001 – Registry Run Keys; T1105 – Ingress Tool Transfer; T1071.001 – Web Protocols; T1573 – Encrypted Channel; T1082 – System Info Discovery; T1614.001 – System Language Discovery
High
Disable mshta.exe and pcalua.exe via AppLocker / WDAC; restrict Run prompt via Group Policy; employee training on IT support scams / ClickFix; block crypto RPC endpoints; deploy NGAV/EDR; monitor systems for suspicious activity

Apr 02, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Malware-as-a-Service (RAT Campaign)
“webcrystal[.]lol webcrystal[.]sbs crystalxrat[.]top 47ACCB0ECFE8CCD466752DDE1864F3B0 2DBE6DE177241C144D06355C381B868C 49C74B302BFA32E45B7C1C5780DD0976 88C60DF2A1414CBF24430A74AE9836E0 E540E9797E3B814BFE0A82155DFE135D 1A68AE614FB2D8875CB0573E6A721B46”
MaaS campaign distributing CrystalX RAT via Telegram, enabling full system compromise including credential theft, surveillance, and crypto targeting
CrystalX RAT / Webcrystal RAT / WebRAT (Salat Stealer)
Russia
Unknown
None
T1059.003, T1105, T1041, T1071.001, T1056.001, T1115, T1555.003, T1185, T1027, T1497, T1219
High
Monitor Telegram for MaaS activity; deploy EDR solutions; educate users on risks of untrusted downloads; keep systems updated; implement network segmentation
Supply Chain Attack / Zero-Day Exploitation
“CVE-2026-3502 22e32bcf113326e366ac480b077067cf 9b435ad985b733b64a6d5f39080f4ae0 248a4d7d4c48478dcbeade8f7dba80b3 43[.]134[.]90[.]60 43[.]134[.]52[.]221 47[.]237[.]15[.]197”
“Operation TrueChaos” campaign exploiting a TrueConf zero-day to deliver malicious updates and deploy Havoc C2 framework across government entities
Havoc C2 Framework
Southeast Asia
Unknown
Government, Administration
T1195, T1574.002, T1105, T1548.002, T1547.001
High
Update TrueConf to version 8.5.3 or later; monitor file execution in TrueConf directories; review logs for suspicious activity; implement application control; strengthen endpoint security; verify authenticity of software updates
Multi-Stage Malware Campaign (Social Engineering via WhatsApp)
“a773bf0d400986f9bcd001c84f2e1a0b614c14d9088f3ba23ddc0c75539dc9e0 22b82421363026940a565d4ffbb7ce4e7798cdc5f53dda9d3229eb8ef3e0289a 91ec2ede66c7b4e6d4c8a25ffad4670d5fd7ff1a2d266528548950df2a8a927a 1735fcb8989c99bc8b9741f2a7dbf9ab42b7855e8e9a395c21f11450c35ebb0c 07c6234b02017ffee2a1740c66e84d1ad2d37f214825169c30c50a0bc2904321 630dfd5ab55b9f897b54c289941303eb9b0e07f58ca5e925a0fa40f12e752653 df0136f1d64e61082e247ddb29585d709ac87e06136f848a5c5c84aa23e664a0 1f726b67223067f6cdc9ff5f14f32c3853e7472cebe954a53134a7bae91329f0 57bf1c25b7a12d28174e871574d78b4724d575952c48ca094573c19bdcbb935f 5eaaf281883f01fb2062c5c102e8ff037db7111ba9585b27b3d285f416794548 613ebc1e89409c909b2ff6ae21635bdfea6d4e118d67216f2c570ba537b216bd c9e3fdd90e1661c9f90735dc14679f85985df4a7d0933c53ac3c46ec170fdcfd dc3b2db1608239387a36f6e19bba6816a39c93b6aa7329340343a2ab42ccd32d a2b9e0887751c3d775adc547f6c76fea3b4a554793059c00082c1c38956badc8 15a730d22f25f87a081bb2723393e6695d2aab38c0eafe9d7058e36f4f589220 hxxps://bafauac[.]s3[.]ap-southeast-1[.]amazonaws[.]com hxxps://yifubafu[.]s3[.]ap-southeast-1[.]amazonaws[.]com hxxps://9ding[.]s3[.]ap-southeast-1[.]amazonaws[.]com hxxps://f005[.]backblazeb2[.]com/file/bsbbmks Neescil[.]top velthora[.]top”
WhatsApp-delivered VBS malware campaign leveraging cloud platforms and LOLBins for multi-stage infection, persistence, and remote access
VBS Malware, LOLBins, MSI Payloads
None
Unknown
None
T1566.002, T1204.002, T1059.005, T1218, T1036, T1105, T1548.002
High
Strengthen endpoint controls and restrict script execution; monitor cloud traffic; track registry/UAC changes; deploy EDR and ASR rules; enable network protection; conduct user awareness training
Malvertising / Traffic Distribution System (TDS) Abuse
“tds11111[.]com subiz[.]tds11111[.]com scyphoserippleepidosite[.]com apiexplorerzone[.]com blessedwirrow[.]org rednosehorse[.]com digdonger[.]org fetchapiutility[.]com rapiddevapi[.]com ryptosell[.]shop tonamlchecks[.]com juxysij[.]hkjhsuies[.]com[.]es sunpetalra[.]com 185[.]184[.]123[.]58 62[.]60[.]246[.]29”
Large-scale abuse of Keitaro Tracker for traffic redirection, cloaking, phishing, scam delivery, and malvertising campaigns using dynamic filtering and domain rotation
Keitaro Tracker, SocGholish
None
TA2726
None
T1566.002, T1189, T1071.001, T1102, T1027
High
Monitor Keitaro instances and detect unauthorized/cracked usage; implement strong security controls including MFA; conduct regular audits; collaborate with threat intelligence communities; track domain rotation and suspicious traffic patterns
Financially Motivated Operation (REF1695)
“hxxps://tommysbakescodes[.]cv/CNB/gate[.]php hxxps://tabbysbakescodes[.]ws/CNB/gate[.]php hxxps://tinyurl[.]com/cmvt944y hxxps://unlockcontent[.]net/cl/i/me9mn2 hxxps://softwaredlfast[.]top/files/n71fGbs2b7XceW3op71aQsrx41Rkeydl/ win64autoupdates[.]top unlockcontent[.]net tommysbakescodes[.]cv tabbysbakescodes[.]ws softappsbase[.]top rapidfilesbaze[.]top autoupdatewinsystem[.]top c32bdee0ec38c7821d026ecb4332082d3cfba71650424d853635828ed5a50fce 6d1b2527b1739a3fb62120722ed9c9111574b4077da43b892ba0940f8d028336 03d85c4472b08db3da18423284a72e6a315172d72dd1c6ba872fc0e78b4b6135 6b60813635717e89b5c122b1607d45c8730ddfae86c4dbff7f625328082c8ea8 0aab0d10bf0592fbe2c7bd7867fac31d44228a8321bddf00d9e67031f2db162d 406bd174b4f6773c496a8b8bb8dd65428bacc5db0f84654360c319e97c1e7d57 86d89c68b57ffff141d8bca41efcac59188c9b70d314a1bb81272eb96e932262 27db41f654b53e41a4e1621a83f2478fa46b1bbffc1923e5070440a7d410b8d3 fbc0e4ee9167fa137e0e4a43eb903066e299007d26d3e6869be1ffaee6451f6b 460203070b5a928390b126fcd52c15ed3a668b77536faa6f0a0282cf1c157162 e19fe80b68b0fa2c39ec9282641294e4fbc3db2dfa5befa792131416dbb9f410 9231e59452c8297ff346a2a6280fde4937c6fd33d333c3151414169f8bfe0177 7576a22aada711e4a6bb71be740e31a2b303fbae1882af1be2fe2a5e4582e0d7 9977b9185472c7d4be22c20f93bc401dd74bb47223957015a3261994d54c59fc b8b7aecce2a4d00f209b1e4d30128ba6ef0f83bbdc05127f6f8ba97e7d6df291 9fa23382820b1e781f3e05e9452176a72529395643f09080777fab7b9c6b1f5c 78619458a4cc2bd00c4a58745d262d7c3fd89f0e4126e97bf24d428ab9944cf2 664248d9fea57ef0114ec3465ffd3e76a8d75d78ed0eec336e0f588cd13e7bd9 8cd1cf28115cc9fd33d759737b171baaf5cb562922c242fe361cbc4283f8fb26 e051fd042368a3dbdda8ba75ff1730eb828577b0295e82e90c19ca2a1f44051c e4cd18efdf6cf4bb745064ba90b01b2c40921b0c1ebd623a07352f26ed5f2aa1 a613798fdc7273f0988567ef87661d425f45e677f54f8e7c82bf4f1722566a91 4ec12a8139c5996df385817bfc42b438ae44879fc37287d56eeb2abe12c54cee 5d42601a51e3c123115dc22561ebcea6759a5761ecdb449ee990e73aeabe3910 
82c03866670b70047209c39153615512f7253f125a252fe3dcd828c6598fdf86 8cc33b236283ad46365f32d58943e78224dc29f26e6403837e9631e0e47d626e 542d2267b40c160b693646bc852df34cc508281c4f6ed2693b98147dae293678 a96bf1e54f3076a7acc5b8084fc38cfb1cc2e1546b7ed0b95502c4b1e932c2df 882702f617ae2a2a4de604f41f8508e028d5fcc40ecc3e40b40f123f9b9199af c3f669143e43bc2d22fbe35d064590c1dbb7e91e34ccaa5b0c0891b0795fade5 1794b59096b7bf0ddc87a53f5f5969e5bf8e54119a84c43f39715b8dd941caaa 9409f9c398645ddac096e3331d2782705b62e388a8ecb1c4e9d527616f0c6a9e 7d2c24fada44767f8fbb667620dbfdbcd00b1c5b14eae8b506d4d08b092dbb25 4ee5cb58d6348606f30066a12f4775cf23fa64ef48566b2994e8c429c7d0fc1f 805287780c0e7712b403518b0a7efdda9c6f05a467aad85fced565aae8de6462 bbc6cb417e0b3cb47117dba21e14c2ab2ed7b4eb92da24e91de37c7170223e02 f2086735fff00e1af668aa5db904f934af341d594f5a20cd76f5a4e823e75d75 738fa612d316861b80795d0102b4f36ae4c5e1459d422e395c8101659fe44f06 36c62638b9e1bdaa57e6c452a164d09fece81e7c0b5e943280305d38488652a7 43d5c766949ac52a728006b6e535946bd6b5d4a6b4653fd61601dfa0979c2d03 6b38fad2d7e178c88a7de742fa6088aaed9dfc2a8b066ff87be3d6d92d6036e2 0868721110361293acd1520dbf28417175e022c18e93f1d074d709006f56fc4c dd683616fcaed94ce8c5b756558d258ccdcafabea9d091130503d24eca46379a 6d4a910d7bac52431e010b08f3ff69af09f7cc71d28dfe3483ea1c360679b83c e3c19a3289dbf844801be1fe1c361248b06b33210ef1f8aec98743190aacee19 0d83301aae4af98108f42ccbc7d9b4e3abcd65c91162fc0bfa8d4e3c86733560 e0794663cee379c725f990335ae53c954ee904d18ab87671dd1a5aed5d7bb7e0 8785ec5d8eb7b77009f4ba0d116b00ab7abf88e05b6746a46dd4d91a5eb27fc6 8d901cc81b791b2c4da68e6983343abc06b8610570ee1f878a30661b3bd64208 4b79eb8c08484a07dc70133202778972c90b78d1a19f94477dc46c5c2e3ed5bf 7674763dc6f3ac9ccc2d2669e703681bfda908d626931dc5925c1f574c9e57ce 468441d32f62520020d57ff1f24bb08af1bc10e9b4d4da1b937450f44e80a9be 1f7441d72eff2e9403be1d9ce0bb07792793b2cb963f2601ecfdf8c91cd9af73 ce90cb3a9bfb8a276cb50462be932e063ed408af8c5591dd2c50f1c6d18c394c 
4e6b8fdd819293ca3fe8f8add6937bf6531a936955d9ac974a6b231823c7330e cb74c88d57e9ada9e108bc54cf9830ab1df3247b2865b42025da6a849855c80f cc7c0661040afb7c115defbd24e4d35a7f484139a89a959d34abbff95d21b1db 6492e50e79b979254314988228a513d5acbdaa950346414955dc052ae77d2988 81514760ffc68f7eca2bdf88f0b02561c86a14c2c322d1593c9dd7551dadc96d 3b5bca472122acc85d5b8eb999609e162adfa1a855bbfa953365d3282b95a736 41444279183b21fcae701c4f80fb5051afd34a44bc9ea24782def1fe3e67f0f6 77c430fa1cbd4962aed0c15ee9cc1bde40dc38a33c7fbb68cd22987fed9e6e42 8ff504b7178a64fe07d147a903993668ddaf8ed2207f75633652417004aa2ccf 595890db0d6f653a0060fdabbaa07d365a3e7879a8910ed24c73d7362663af69 42591b9e2b41636c7d1b1e0b686fc7bb74c9b1f672793b77b8de238962c11137 a10431e4f4bd7db38916b4199ec5edc89aee72b67e866410d5e96622c476e355 6f94fd8a8d4e58c4e5bed084048be5c6aab1b6e66a2f394c1014a8230c6e833f 0b748328aeac96bc1959640520108cae7c411abdf7f907d016098287871c73e2 a10c0efe8ef1633ca9ec42d5de61249453f40503417ff64ee1f4e14ce557ea1d fcabe65ae4af6a1a9d5d16596fd590d18ef398b09d7746a3b8d55eb62d84a7ac b66eda54c8d7e54fb30c634897018ff55809c2eff3828cef766288fd8998ec60 e5157decb8d0400cd0231d0279731f59340ed6c06fc7ba6c2cde340b0747befe 907a427fea015c5e23e86c746e8194e912de3471482a6b341ba3e1ef7f1c1678 6e4ad17678e923eb1d5a660f9a3baa5e65660e9bf781dcb01fef653233dac02c c952577ddfffa6c898acf23517751854ad7174c0cec4d6240f407adc3dbf7718 bf4271252226be312d158c924141e887d26228c47d5759a7260f15047dfc3f0e aac61dc6455e1fe0ae7c4051b4ac813cd39718de6a517d1f23378a73e204ad28 f86c0decc324137abd9773d0277c91c55b47327acf930d8d7030e62f30531495 39393740cb0d32b830958dd5bf27d6e028965fd54b63f0bee9cbeaa9b58405bb 44855c130e3f72207f2728aeb48455befff28d0f44a03f6a584861c247e88c22 32d8d74892b98a5da32262fc7cb6305dfe33ca1ec9f6003a83e1a81b7630da84 703ffe450d328187b86162675d07eb6655529e0d24e644341032e613896c8bc6 09ced8c78d7e10314f8cc46227a7f583af3a28f0446883fee15dd3d416c8721d a78037b357f48676c3bdef0bc88bb8ed8bbeaabb1eb7e27469ccb04f8e6cc5f7 
901c6655e6297900362e8383e59a3da748cd30d0f38a794842b615f44cd891e9 9340d19a39e699e358c7ea1fe4bea30eb4dcb22074b910127d8c362ead280c51 ea90fbe1334bc1f7c0afd31a1b0a2905aaf64547a666b29a4be3746672526ace c4221f209388564911861f4feedbacccb0c241aceb02eb15d39c49e794189887 dd84de0f59e7ba9b2065df6824ab2f1f3a9e4e6babec546f9f299814e5362f48 aad9cb4486db41c4341099ee45be64b6ca7c5d34ea8bdee81e65dceee6376d29 d4775210002d69a60bde8e68b7eb00acb2a4ec8d0be7eb3b07fd4806d7f5b93c 5f3dd533ffcbf03d9cd1fac55727686428040beeb47721376994609185827f77 d80bf295b8e8a4e3520255f03b94d5736b1e3e5c341ae590ef48ccdca1e69c12 f7f64ee42f34b6539fbf1b96489ef17280038e7b4cb8e0935077fe9b6891af67 1a19023b02b0bf18b0190ee7052476ca5ebe0d32656ce9ed06ab5cbabe3cfd7b 88373582c6abcde2ddbe7bd31ff8aaaf710e5968760642078b946a661bd3cf29 809d78464136fde906ee337dcd9cc32a78b7a6d6f4a9a2d3121fa15139249aee 8c3e9deafe560badb18037b3ac1b26a964b231a13ee286d541c4b2b781e15572 6b3214ade492f1c1009a56638c162346fecfdc5400f676a40e022b48ce6508af f5f2f0420cd167ce21dd7a7209abc39fab3675de485ac8c6766bf4a7955abdf0 6f62224f2ba969a0acb27550ec5728430f95d0d6d720187147f7e4ee7366c2a4 06b664ceb49ed3de45ac6b32b047e99047ae17d1cf4db0d6da42dcc6e4da8068 e07eed7b546ae6d5f9d6d0c07ee1857fc34c46a7c3bfb0ae25e4e8fa9b2d2c03 ae390332db30a28eb21b597547eb618e612ff165e33cfde9910828b4fe134d9b a231af9cc406139d2d0bda4f51713c35eebb2e4930a4fc0eae49d6d7cf6cf34f 73037145070d6075329d053d8b8bd6722d804b96db8b49c6f424e6ac5f372368 4781ee8023ed81256809e14ed0377f2fb99c0671b44978d1206b7de6d4aaf99b 8410b02a36687e861409e20f0dae797d012988d1bc4f95a644bb7c8f2a5ce443 215fd445bb85ac88f52a7e6ab82792a70256cfa3a475f217bbad5b6c8fb2730b 06d7f49007ab204703772361ecaf410cec34d179942874c8c0d29e80627f9275 33cf64e328deb763c23d4b7365337af405c0a0d79a9af35d8992fd876544f23d a692937a97b723e160ca4b9da749a6250e8303d38bb4dbd72cc887d6e18c9cc5 17ff50c567bec22413aac79f6bdd455ca4c4ace33997d0326325433a6831c231 9e04687b16aaa86ad48080e91a0840679584d9cf4a532b3437b2b2bc88f71fc9 
b35455cad92986d46a0122a606d621c856af5cfe16a755163c38ab24a62938a2 463af62143bf75a01cb56f889935634f4907dc552fc474b93c99add370aa5dc7 6eaa2f1b9e49f42c90ab87ad1ff292458a59b14d23d9b213b63289809a51dcfa 5869800f1b89f51a4473df2c9f4958c1d2949624f0034a79954b9820b30ec8a5 4a9b422f7fe36d929a32cc0143b1279b47c66aafecde77c3d31292060aededb8 f853f30444d1cad2d3f58aed61f9bae209567cac2a5239fa194b78752d6f53be 7ccd2819be2614e8b5691b711494a7f999196dfdef3812cd24c86b4dcf8c25e1 57fd172b02578a4d7cdc70806f5c01496fb7e9c1e80934dce2f5bffcfea681c1 5c5f02d909569ed4ee9113b38891dddcbbe32a8533314a9fef422f6b29a2976e e2ed435e84573f29752e10064598c74fac2ec9ef5650cb2d5c4659df6ebc25ad 4c7e015df53977d856f292ee12372d09645204b071d5f85c7aa5c344f20c9b4d e56de1264f2dac8144190de39a8e38e3bf2c706a9c423995b38d570df226611f c67862f51bf594c54b106afd5c61495f01321c6e172c05d17d797e71fc70c55e fe617a4a3a289267733f391bffc66961e21f36f9fe799f75aba1f092af9f5f14 6d488634c2b997f5ecaad73f5b968c277b90a73c206725547e0ad78830f538f9 e596be6b652562b0dabb83c96b9b3f2fe2d75635cb83eadfa249dffb62198ac5 4c5e9b4dd6cdb849cd8eaa87992aa7d9f00c8a385b6ca1b946193a091c138050 b2403c26bc686ce092cacd6fbb6b820b9ec227e906067ef68c40125f50e915cf 00ea4f21d597885b57039fba6143f6587ce4651f3e1e8285597405e070f1b977 5fe433ab4e7817610000a81b88e32683c391c9cc4296eae3d54a3b3cbb25bafd 1c4c62d52d18d8d23b1d618965aa55858137c2c9a6eb2061d83b3e77a6993ada 37eb5bcbd88dc6bc232db9e3b40784237dcecde9e6e1402d19944e3a2de4c76e 79f5cdc62944eb3d0d5f88ff3fa0781ea9378b2dde4744c8d9c71a44814e9359 d5278f0081336031a3bc76d2b6c021f06cc0279be4c3d886f69b955517de1495 60cf405c219adc1190819cf7508e53a5ab10dd9b5b6117fc38a7ccd562e85346 e87b87cfe377366971630a8a4a985eabdd7198bbe87fd72131e678249fa3b09f fe8bffc7e038a9c54345366b278ce342eac9288dd17c57b3b68ce608a2711710 dd595194b3904bd16c42c38ef4805c950cdfc96a58b0f436a86127b93f45130c 493923e197b6d33d3f5450d17361aa283ff5bb82ca19914f8fa67590e44626e4 013ef2beb2dc7ca378d82f077866e204fa974bb6f2610296bc58ffeaba1f26ca 
ec4faee436165b190806bb6f072ec7dfcbcf05a5b38caf07ee3be537c2017780 9df133674e413fa98663011abf27d56f2fa5271bc097b0d51b72f6145a8d9859 f200685dbb70841820e86ecde3cbf600fd5676a88b8de74163e93916797e2780 1511fc85aacb507756a189bcf0d000f1e9330709dc8fce2dab021bc9bf880fd4 f1655dcf1837e72bdeaae8e9390fce5759360acc818181cd6196895f834789e5 7649ac9d2ec827869bba6cb1b641b5c0d199fb04a1d7c33b21fc254daf83b094 7c81459ad55bbbb3f3932b04b213c3bbfa113cb3fb68637c942bf9e5eb62460e 08be9bc40fd28b3d495d9db2bdd99c97bb8f8d594631ce1879e2422556bb17ed 22b50031557ab01188549890fd08176ee08b12e2aeea882c92cd98153805a7d9 a612a59048cb090b7a89eff6ca596c8d2b52e5d1ee92e5d1e1ff3bc994bc12a5 0261cc298b79e78d3347cc1ce9974f349f4611fddaab067e27c447a211cd06d7 4eb64d7445c3e4f1577b81bf624c2f6846d3514363fbe75d9746d12aa0e657a1 fc012c6b31061a31794aec018280f6c952ac787e22ceae6d210b0287c3af1891 b0c14c049d671189d0c86feeb6fc6044bc6d447acd41b6d68c30fd7dcff3c258 c557ab32542646ba392c447916c724d9135ad3d533dc3ae2aa69bae642242ae6 6eee36f7d13ce9945f6fea167caf65cdf0fee366813547023cd5a64c9847cc9d c6df10c1b8e3538efb1a786b71e569cf5920a59bc131beb5bbe0edd8df67a6b8 eba32a07adf4a424f44d99b8dc4abf9cb1c7f4c771c6312e07d3fb92fc4b4c84 4d2da94e32806070b5b613d347bbdd0eba514163b0125d5a42823c305c82e00b 988a73c36d469c08efacac7e414d096480f783e1b8fc975e9e7b91ed1755231e bc3201cd2d98bc1bf0793bf6337e6b3f7e3afe1b06d0c7ebd5a7846b744e40f1 70899b5db2a29ddb727436c93de60bae06839a517fc69c1e31bafb6039a7df50 a8e6afc848ee28230477d0762c73c9c87afedf2cc3f9375a53825b002113a9f8 2db280ee71162e140b33fd8d3f5c78932fbb3077b241acb4010e9c36e88328fe 20f9f78cd790f4ab03cea9e4782e1d594d3789cf138f6ce56edf87e1607d9e3e ad9fde9f450310042c7cd3e0d89a4d56873e7f0beda83e1d4eb2292179be71e7 37b4c624be16904e9e6a866fe87e597b0daa1085d835451427af4ffe12e6583c ca984a5fc4464a6171549f78ca1e7bd94c305a3f73759baa579ad8d0ffba96cd 3de21aa5d95ab5ac6f5a1edaac8198a081c8cf70acd775361c741a4e400b3b2b 9e1276ec34170e5b81c10f20312a628d0ccd2d7f6351111e9ee4a3e8e009288d 
7b26711424f7d537f76f7b1aea20071b1e17178a024210dabe17e91a3bf6d5cb 84a9925e69ad0fd4a3c16e0f371ac1dffaee09ac88b9f199a6fbc3de4cf77449 3c68f729bc7c13959be46abbc0e3263c53e5e5b7a2aa1a010110bd88941357bd d5be0de92c5660b629787fd9b1eda5fb119366315a94bd527065f82ac123de64 a5479a10332e61a8c80e4f8a495aa8b0a35370b66a2adaa181d799d3e35efc47 0a6d8187d726b604c0b8b1d62d248fdbc38eafdd7a40cddacf2c9aefb895cff9 0c95671d130e1a6aade551b1b0bd2e18e099dd750eaf9dc7d1de33d195e2e0a2 d911aea099d171c20ec4e29f6c47330d16f01c34d9b9c71d70ff913d7fef1a9d 929768a1e0b02f4cb4625c3fa4bba44dc599eabbc0e8f5c4b0ff1fd6639df642 08d90a151deaeb0bc892cf3c2734767540e736afdc40fadc7e208b9cf53014ad 80b53aac281dd3dde41bffde4b5bea721cade8223f0c6d4868bb57ab4a0d54bc 1d65b17172998ec1dbbdea7947f3fff2ef103d769e66f5c6d0b35af81a0c98ec f9a6fa310bd121a3c0764b15c0fd14c10eaef637a440d92c8078490e24d45cac 65a950601d22b7afae7c41f34b03f6032125b399f4586edd0552e851c256d7c6 8775ac6a9fe8c2ba80d674178efbefb7ed6361a345d62fcd5ab4b8df39cf7e36 68bd8d15528b50b356ed0635e7b9475da01534ee578f5b2bf87e0685d5e3cbf6 f85861b702639fe7e2f5cb7a4f367cc7e8c04f3a9a3792f616c14917e243461f fd037d7be38488b37150eeb45c5d2c04e1ddbcd0676ce698d425ee72b44c6a3a 6314ccc20bb119f6e9a6e785a445fd4132719651cc793205f14afa7ef2e81841 f4a9651380d433fc2d3371274561b62b198bdc62d487a53541ad1c6406989655 a2db4ebd2810ca00d1d9c1ceb112267e3271fbd59b0f5a3b1699d7ad96a6dbe6 45995e015ff32fcf33a793304d1cf1df12287377a7ed7411545947680bb432de 165ba5677606b69fd732f4cdf36c056c36da53a4427f769730b6fb6ec4a8ea15 a0c1492bf04c4625ef21c589004242970e409afebfc844ab63dde071de701ebd 0157eb0ad4a5fc98303b9f9f9060e06722cbe5d6409e49c399b6b462223f22ae ec6420640cc085f476902aa4497185ec7551a1a824320eda52e3e71d51d34118 27b564df5fdf0bb661c74b69887c31b1e542a51537bf5cb1b4fad46cd43be45a a49f906b3fb779bc43ea3c42fa27fe9d95563383d3b0ab1e17f82424890f96e2 245aa111a0e6425e63e6505cb1d49fb6916540638ce0c3a5392c006d92a5b3c1 b0f10632aba09a09434e61704b8e771ca6b3141e73a0bfc007dd23a30090d07a 
334aabf42fe7ce880e8d68fcfae8d1c74055e487c2160da27e093327d3983343 1ec25ff53ed00bc6d9bdbe33e9a5af6631e47855910ac6afdb22410dfdfa4783 51511f87c14318be762f850e4e997e6680697e8667b49219637018fa78e80c07 8e24eee3d1262aee120c23e8d7d2eb5b6792e1f0efe41b629d1ef073e10cb999 5881e40155292f60a6c53ddd40dee76f2c4fc8c0c2c96d04f08d5b0ea84c93d6 42421a9da8b72a3d1c07cf3154c7a1133f5778733d49d0cd7941879efe3fe8c5 951bf002b63ba10261781fdd19f483bcd7bb93a2b1c203a74e4eb1ae55601ac1 de18b986a43e2e32f160db020b3247212335c981b06019e430c14e10077dd867 7ff44967c4459f0a7b836a4aa650e199b9076abe16ca53ad22e7fc7dfcad7252 07de86de57f2d53185ac620dce26cb3c6827696261d5aad3b2ea2279e66f52d2 313e87df007efe0cceacd042d2267946e93b0a00f9ee4e1b5e6b1457706927a7 f5f977688fe5ab1c569958d0ccb27d8c35ffde7d03b6b175bf47990eae18c747 27ef79910b2e1a356bc5aaed0a6fe1db4a94a039089eb1266a99195f9a7e60f1 f0710070f4f4dafd69df92daced560d6540428bea7c2d49e0e8cc0292ec7d97d 145ea7bd2fcd8b5eba09afe9beec2cbf96100a0efc437c7a0cf82c7f5f40e2e0 23211cc5c51e8a3d1c0c8a99e5d726e232dd54f8dac7ca28ff11abaca76e864c 08fab81476bf7a011da377ada5609521c48dd2d9f42cf4f0e6f78fb3b3d5c364 5df273cba8ed15b81b400eb73097332f780525036bc5c6fa6a48782d29632362 e84bbb15a73d86153a38c03fc446c1c7410fee250b2f18936a2f98f2f0b0f776 f26df89b194371e2d7ef65ab8069adf57ad284e234330f996a70afb4d5a08403 0400f1d1e955bf333db84f262445171940fa67fb44bb75e2a18abbd08793724c 16f4093005588054cf83619869f799f5fcd55ee87d723bdad8d11a8db30eaa30 6df2c73d74ec7b30be945d228f26d502df41d73865f7523b1129a87c4902a9ae fd0f8b789f7375c7101319463fb290a43f34240fb9f05d8fde2845c3ec547d10 885e224fb1485b2bb4610fb44bf9f288018f69e66627bddad7f6a30210dbd7df 0de127d3493d3484d2c818d8f5bf2db0845fa3d47c10688b7eb75c145e24f0cc feb9d5e9402bd4b4108a5cb53196d5b5511509cf4dbf68c9a1194d63475c4633 b7ef3125f373effaa52b34082b357770d02d054a25a7987b5a92903b9b21c7aa c7951246f2ad336848b61462fd82dd59770b6e8ac3e808e5a2348a5040b27b88 dca5c4d2ec291884459285a30af90052b01ab9af2a97ad144014d5e47f4a7464 
6b45b08514460836157e73016ef06df897f6bd24b3798992aef085c9d2b41043 807c7e6552a3b156f16c7250f608ae4a5c30f3dc326be9bc37c5eb44d499f94f 38a3631d3d4858d80cbbf18752618ac2c19776a4e69850f2bb5efd5192753b22 5dc2ead649115c2f4b36517afaca8f61bc3cfdb260e9d72d13fd59f211fbe9d1 2104ade0ab5b69ce8349db22ca1f5feb9889f366cce587c6d1a8ec1af286d631 f6f17bed5d7cc4bb369994b8c4b7c180a4af00c4d38bb4f17af62ca5808ae0cb 5fe127918bc8402b14cf958d8cecc193525f71f6f29e5bd6c1d575330444d948 4caf960d038c2eb6bcc30e54dab7b1475b3597ef86ec2379500a4a10394cd63e 03ef68258ad1a529d24df4c0d3c1bbef63705055997fbd080ccd2f843f4f8f9c 8210230c8cdd62c7e3939b9559be035772cf9e2241fda875fbe066b7bb5555c9 5c438357a6fdbead83e04e710909b0a74d8632f4077ec870cdf7e7c1deaee7fb 27dd30525e0be342fc3b931194c0edb06a9f3eff6e03aba8582d4d30432db386 15677075b789688ce1e275059ffa60558113512418585628dd4f2af3414e8896 f7b105f0b07b4ee27f33cbe478e1f114118f8ff5c6cca9a33d65ca1a7e523746 ab6e4de0d2e1e90b3a9ad4ac709266d6bda979b059d8f53daee0ce545480f1db 42b7598f20176e630bbad8ecce58beb84d892c35c85e6781eaef638d9ea16aef 294f1af51f6fc74b23f052c7ddabf9bad27d536930090c5ee37e1e7704991c76 784f6cba2945539395fe8e7711e2a19bad9f58c87efafa68c25c3e46555f974e 6014e6a5f81c9fb8e7847ada16ea3518930be5f27363e938218a164983054270 3b682eb5bb341b04183ea7345d8a6911879fc987e5dde5859b8ea3e164d45c71 fa87b94d71d89388b3182709a0f7daa9791a7b8282d9cb5aee182dd96a73ee0b 0cdab098fb3d8a465623746bb584d8451854ebe69515fec7e77728d583960517 786c7c3bb619c92f02552d0ac0673ed1538d98e3ce5418109eb21778d544462e 2dc339a62149d82f86bfd8d8928d34aaa965839739542c182f553959c046d93b 1078029a07d60a93729720c2cea6f128ed3ae10811b21851c3ca87739477a70a e56748a675a4408e9b9bf337e5faaf172356c2400026b84fff84f2c7dbdfbd7f f796c2de2a598ac5438fc4e6334d65acc90b672654c131878b0fe96e040a439f ec0340c6a988fa791ac8ab7fa1a5aef67853f688913759cc2631e44de2ebbbd7 29695cbf114e57f662e553096f7a3777d4af2415abe035759a58ade569cafe7d 0769bc2606709ae776d7a821a3783c576884f0f2919bce4ed7f5464611d65572 
8726f5a635adbcabe6d095f1ba7b0a905075f2e91b1ea0db6ae0fa763dab2cc8 bec4b88152d730e032be39a3acceedba1b11d08e7304ad33f50f3a558a33694e dcea609cb69bd1bccfc36388551fbdc7958106d247f583f13f282a8df9a20b9b 0aae6e97aba569faf358ed616ae8c02f0311b67a40ec4035f6158b2853d47dfd df8ed77ab36d29a0c76f4dd66a036cbfa407f9a291ef3eb68be636399d7778c7 0296d9897035399e5a56b74b39caeff0f97aa726bac82d98d46ffd1074b285c5 b46cf246d46ebae6f68609a7616af2567d7547c74b723b5aeee06fe600194107 0176ffaf278b9281aa207c59b858c8c0b6e38fdb13141f7ed391c9f8b2dc7630 1526708fd54e0b0518919be65b61539b7e4eb247aceeb7906f910fb9766e0de9 59df77cbccda2a0c631b6e7a9cf5c724e91adc058d88bd26af5e0009b5b8672f bbb3596cc5a02bfc76aa4fb0bf6f9572a4729e697b8010aa976a6a7b239e13c9 4b313e6f648ce8befcaa4c5ecf0eb8a7d5a28285f4050c41bc8d5e957568031f db0d2c1fc72609236ee0a4ede6437c7367352eb491174acedc05c24b75af04ef 7bb0e91558244bcc79b6d7a4fe9d9882f11d3a99b70e1527aac979e27165f1d7 ee3c8d2e25ee9d472f8e3d6edd171a9293243a4fc8022b9a560ab3502fd708dc d47b60b80ea7f57df1469e4bf8ef6e41d333fe03c3a96156399dd80a420011e9 9ca5992b418105db6b82d9133b036d7a1cb95c6f73f0d0027c7bbf3106362510 a12b41c72c1750a0fdbd7d0b20cda104df190fd48cb2361f51a33d7d7138551b 1a6af0334b88007940c2ae95d53f290bed28f92afe7e3b14d43f37f385fb51f9 89a58f1306481d92473b6e341923120184d027a3225515508575867add689a9d 6327b2bea4a0bb0f47b1634ff7bb5544f09aab3fd3c14d0c9012f7d09592a210 e92e48d23c9a4b9b777b483eca903115ddffde879d3d9563227947112e36c55c 4cb48cea48035090aed61958a56dabdb021985bca6fa24f100bed98d619eb220 7f63c99f2e4f2c940b4d3efb978722e9a3387b6f8b96aeb391f2927cfef8ea51 a3f84aa1d15fd33506157c61368fd602d0b81f69aff6c69249bf833d217308bb 60adfc6c5de06cc0771dd6afdfaa41da17f3136194012028e1f810d8b3c7e4c6 169cd1b77143c07c81455e58bb67a6ae75404e5cc8a39afaaf3e0e32dd5d415a 64f646ce14ec3ad95cbbd5ba0e63e0793fc8819fd7fde6ee7bf3fa05f185c71a 01b4d2a7089129cf8346c66108b51be612fa005407a5fc5dd04ee98cca27dd70 fa9753b026b7b6a9447e3b4460107d045d2042650831ee345f8027e20dad6912 
0ab37041821e7040ad1f5a79d57373cf10d2f966377a0b00192b6c368a3f91d7 efe5890303a4def301b37034377cfcd7da63c992bdded574e91388dbcd6c8130 02c382657ee7a21d0b3a149bc56ca0d3b3f4dd9b39677a7f110d50d5fe257694 d08adb863dda5113e68b1b27844959b84210c06f7bbfc1419e3cd072d4308a0f 408906cdb3ffa68d975a99ed32e1beb79d22ad8ddeabba9ac25946fe0848751b a82d3b7ea74249ae793ddd397c52492540fbb2858e87ea7a8bea6af313b92bbe 05cd552f37d96f4a9d27d456d5226f079b69106ff369299f320192110129aa76 c82b37d36f7a555c7294787b815df61f14c7abb4d7e67110d45436d6a5b220d2 7b180e232ac075fad7ebe3754801ac2b591b795fbb0f842912b978ee391a114b 32da4b6ca91967ba76a0896ce840df9141d75bbebda1b171a052f3999501049a 84afbffcf78eb94daadf5f7b98f56f7843234ed3eb5fac1273f53b48a190223c 648d0236bfaa89ef4eec24b9d1cbef2d53d7d5d9a9cadf789946d55fc3d50e3f 5e6edd1c21f6dcc912e5bd99d8bbe3fa7462b544a55554ca900e9afbd5955d8c 10cf11079471461505072f01069592cfea3a0169d51597fe12bcd882c1c689b8 ee142d6cbd14b64da305cce0d9e8333d2fd02ff225b05725e7ae9b94063899c8 1febd6d6062675f9400c55de95dd62215bea8391dfe48257337c5f7ab50a1eea 26cc77e484e350a756b02171f15fc18890f1451035231cf0128ecd3d99eb1310 b35a8c9c7ad78b622fdbb9bc0e5b8b9ba830e55a277e14126ac03f3892097048 15581e8775ded16409d6f5e8ae90ac1c38d0aa9dfc04195015758e6288b2eb81 f7a448e819af9fa4ac58ff828352d7cbefc55383c26d7c24b3e1241650932b4c 54e19843358cf7c92eb34d40bf072933e590c04b64dc4172b03a6de9342a5a69 3ce5eca406064efcb738f9af4ea1ad2a3e4d8f7dc66db3d47aef7965449edac7 bfe491debe9527d607324bbecd6bb9b454843ec0bf30fe69f5649bdaf942f6a2 3319ad2f4df539ef5c7914f71c0fa141592a5ba549b0e0dd3278e8ae844c3c82 b5ba16d2cc8a912ed00c91a0b988d4aca973cf6481f89cc3a87ae28b35a5ba9c aad7d6925577c727f5833ffdf42c7486ac360f6470ed5caab6e5870ee7e296f7 d35c58eea54a16c8b4470d0d5777956e585ea7ae2ee21f0277b0b5ee09a09a39 4ee92c47731a544d850dd3fdaa4952a70c07c3a42c6b2fbe71c498b93e36e2f5 806f40a3fd9e7a91cbcdbad4a59fac06af368ab7739a08e11d042380befe020a 1f34c9bd6005bb4b98334325b81456acc113467e0d893abc615b3422165acf04 
081855a70f59a560b4b78ab17eb2d704dbf66acc1d829efc1a96ccd7092b0c68 5c5b27e839d3a005fe1ac44cb3911b3bea4305ca94ba26aed8be2079f84d67b3 0d6d72a1725455e6a2cb88b18f1382de798d9d443cc245829fd9eea81b603c34 a76722b36aa7eaf02e844d1bf1cb8ff40a9e5bad269ae25a706b3fc0a69c7ed7 05d80ae171ff74d9f4bd83fa1cafee73395b5b0618054aba79bddf9fc8cdf973 bb8004c647073b6850eeddb791aca821ec6a818a0f11bb7bec39978c5e43ad43 4a53076b923402a7e167d5cffc8688bab7c38999457c4bd0eff974a48f7ad6d7 a111021ae9ad6079db6028cbcaead30788de3175a7f5bbeb4deab7a79aa78edf 8e5c46378b48972e6c39eacb17d1b1f68d51654a429dd96920f6cbfd6bd52083 d3ae94c08c33098e99b3b1f699636565a35d570a13c3db42f101458e77248695 536efc627a763e760b20f7b0393a8ba2b7b2c367338c54437110545139cbef86 cf25452f82732cea143773f2a941ff80f54fc268bc1dbdf6f1e7926b17390965 e1a807763568bc003cc4691ef9f891c637b367bac61879f31ddf1b52d081b3cb fa17f7d9cb1a5370e359e74e6fe027b3ff69789293b8d0a0d5f5fc07d2995326 a4a3813b0805ef1a6796051809c8070bb977d7eefe30e410d196c5099439e999 07e67e1cd53b7a35f2b3d62beb86d1446e14e347a8f67da90cf68dfc7b3258ac 4f678f5e46ade79efe0af3e294ef2dd4f6148902317c9c90989770a886a503ad fca74f78029be76a64d23ec9902588c23e3618ccc3e4630ef6d311fd20aec5e9 60c828eca73b5e3ce12f3cb6e2fbc0169dbbe3cbd198b0ab2cbbdac976cb8ea1 98dc5becde61c7c14e76559efa0e8d6077920144ce1095cf107ca3e32d5b02aa 9cdf9d91ab097b99980551cf99a11d697d40898befdf033935aa816e242058b5 2e695cadf6da3215a926d99eb3c6b9e9de63d9c4b30d6ffeef52b01a91bb69af 69cfc3aaceccd9d381aad7e6c9366feb06c8e32cbb831b0b69cd22f201c0967d 15f2e5e3a580db699e63cc8f3a738a2cd00eda1c8b5510ceb2c57a8cf9261443 63738bbc9a53eba02f0c7b1cf802431b2937829214147c1cb6b178704dd6dcca b611169798e9fcd66d22f6eb904ba71e75d35d43a2602213dbbbbcc3be253906 3bb0823d2b851023800974fc5a09f6b2cccf7f551cbca1c037a3683172350aa0 44edf60f6bfba97630d4dc15bdbd173cde7fe70115fc4a7b46e616e7ec2399fe 67414664dce202ee2fac6de24195f2233116a4df6fa5488b8b99182228dd93c5 40db75285f8bce5ed6eae2b1e55b3a7231beb1ff530aa15942c4ed017774b3ed 
2a5ae7fd6ec38885d8b627e3e6d43445c2c90cf3c4ec4a31cb9fdad16400182d e9a87486cbdcd670b7c7cd057df77815231996b5aab1fb3cf61b59e7ab4ce2b9 20f1646a1587e0b608cc6aae969e15f04bc3efe960fc95befad0d387faefa45a 4a6473c7bb614fcc43a61ca9ccbbf7a18a170e80d474b74ba203927fb6d441d7 64531f68ccd6411914d6870cb6c79f975bb54306fe692c3ae5bae901d90cb3c6 d96f60e2b97cafd7f271107b25bd1a44349265e55c2a971fe8d4162d64bb3047 d2118324ad36c8887208abef0f353b25b74d18c8fd79fc705bfc56d92922d763 71feb64af3aa8fe4da079d1370cd7c4e152e1ef700cc8755045f4d138c4f5da1 b718af6e8c3d18bc4c11949b299780bf7052946a75f8fb5ecaad39a67446bf15 c0f21f6f26b67d2654f1542c89127fad6343e019c040e743e2332dc13e40e719 01fa3f0905fa062bdae3c030579f7f614706ac1a2cd60161294f49f3ea22a073 39ca9b0b82c0ece0bdd5cf03306496b755e0d6decdecf2372a170fc7c38f13b7 d426ded1de84fce1fd639e53da66775369e14afa82bba4d8ef18370056eee5b3 b4bbd384d5739204e5f1423adf6b75cb175331678ece842db8f02458e8b8fe75 c6c3791fc7f47159202e6f1ff819283e0ec1078b227993dd08427fb9050b81b7 7eddae4ed70fec20b44428c09b622488b813df95e94af52f5e410cefc5449a87 3ff6298924e78bac38a761815ca73ff063ee169b5576c8d5820fbcbd37abc768 527953f49e451777b763719a45d4498a1ce5b1f9bdc30e45d1b7c6f6bb201580 fc169683d7e70154c24b733f6e7b2b4fe01b92de4047026d09e623f5050191aa a9837ed0ad9e29206cad7a9f85eac63c20bc4ccbd15ce3f89075cae507aefbf6 e377c86196db088780c34073f582972cdb236fc22d39a0b3085b83cd38c70939 50300750786bebdead0bb17dde4efc78bade3c1d6cf7a4505a414d7f6babec4e 1af723e1e327563c0772ae99aacb6d84a425fc11dc8543f3ba2f5c15772f3c66 10dab927bc99ab5cf04d1764e1c943ee85b53e1101b0ed2083d827b81dd23f22 0ba7f0237ba46090911f37d556b7c3aaf27ef50edcaa46532993a25bb48b3a4e 58f4c1cdb3b09c0b0558d821df70db25483d6469679fabf06803450fb2dae149 f2b503b50c8e51a7391f8eaa2dcef6adda77bb9e90bdbd588aabd774c60a1737 de68e1218ba3b96d9c171bad4b18d8c0c5c96a00c064bfa9431a35b64b012242 b10ca7e1d658444af17eadd532bab683e0dff7cb2b1dc35ed12675dd216d1b72 67298def67eb8b13b8944fdf64ae73b479f6b5c3a59a8b1000c9e850007fc924 
155713f28c8ddb04005519f13b11059f6155e3b5052a47d06cc9ac322a83ef9a b1d84c653cadcd0ddb07b7aa8d891772da750d9578ac5c2449420341d708f360 8cc2ea802a1849ca52fd1580f3a1b4932dbae9e888257014d3226c8eb05a1984 e1e87d11079d33ec1a1c25629cbb747e56fe17071bde5fd8c982461b5baa80a4 257df0dd33f9d337e75fa3a18d743b5ab0497cf41f4e195a1dc4b02a23dfee18 3c90b27ce547cb267420baeb2d9c5f21f02366f08d55a841a66eb2607b49e4a0 9f21327a1cd3a6eee504b49797d854bdccd39c0274f59777868bc482a216d4f3 e82fa23fef0cf4d945edf0c6fb2385f059d67112a0e839188089b819282a8108 e509ff6ea4510c0996df4692c5cefcd98df664c489735750b1155b200ba83f3c 20c82ae0b76c27f953358c68724b41880d87fb61eaf0d9df045a5f5a09bd4266 bb8ae191bdafd5e59be740e4f9271453007dd866cf4e9537a93a5b2f0989ea8c f23ecfc012cb6d26f7041f160a288015ed09d6e418def109389a04a59d5def1c d37c114f73bdac845ce4da3f1c45570a351d8ee4f7f36970cf0a07750dd65cbd ac21b4977773240b84f0780da82e032f4f93f9ed78f14520c471bdcddd9f3f78 2c5aad038b97b23e2f80133229bbfa2006128cabf4029926a571e8c3df70be3e 6a01cc61f367d3bae34439f94ff3599fcccb66d05a8e000760626abb9886beac 985aa54895240ec554ae1d6d1eca550a24c550379f6a73c6777dc121e7663bf8 a3567d09a745924df70c7635d2be5208d47e9a01a53ded00b241a1edfd1dd306 97cfdbb506ebff637ec2793c2e082549785978b974531cc12fda4aab16eaa9d9 cdc813b640e85f6c4a1f34924e89aee6432b943f0b35eb68c9bdc9da5ceff4c1 f16d71fbacaeeb0f2ca388efc71d9f1008c4f6b916c3043e8eacb98ea794e4e7 04dc7b93a6682b22fa73e68ade83c249bb4cb88c8bf0a5c7c64e499d21fcddff 3e5da0a75e68671aa0739f1713ec0df1ce616ce5e6468d195c0bbcbc7bd9e291 80720920d0e5c939ca7aa47ce2c312b3cc7d133905686a91ac960068022d9a8f 72a71502fb0b5df1cbf95ff69743e0f5218d3cdb1e61f75f74071f83598979f6 3c1c3d1382dd679fd7e5fb400e0ddeb2c1b8c7b96ea2793df2db6c6a83844ee5 91c5fa9ea0462f8c149fc8a4413f58846d4c65390c624b1663c1199e6b8d120d 520b2e3ecc06f4624a2699c71f1a3b656cf4bff4ee1db6198993aa1ddd3c89c1 325bb4391ee2b970d86f10906a877e3d9dcc9fbe6bfa8d839f44c842e5e393a7 c9cb2659867924b48c2943be4640b31a72a335aa1568405ca49ee080913e13fd 
92c4c36f7c0f7203fe17b8806186bf125b5f2bba2b696c21d5e61ec8c5ce993b fc2bd857ff20fe0d0c96a310b6c47b0970c350ec19943e633039a41f334d41f8 30f9b61ba8dccf834caf0f9e3d11b8ea688f674196ce675b3d7d1b3b4fa5f3ac e4e55a40dbfec3a86fe1c5927585723641cca441fb72eeee5c9e3a304e5b797f 7a8532d76493ce4072b5f29e9d4a2dd482968c0edd472e06b4988271e68f7927 5f2dd009bdd7ec95ecf6692e9b49af38ef86a06d6dea1f5fc9e3b3972a435e9c c96b21aa1298617a3be584c0e5b0b1157b83746195795a393b62aebb637c8df4 db3ccef8c62241c5531c39fabb6351b358132c39ce4df674907bc67a260f5af9 a8d67355f155e58f1aae277b7c72c4e77d76529c9cb7e25c6f70b601953ac971 a4db5b62ef4df75187182fbe4fff341d7372f45c37fe71b073f68f8234a670cf ccbebe42fbf3e4226fdc3bed338986f8753afe95833f10732f29e76cb8e33915 8b5076a466d507d24cde4884d9f696d46bb167b6d88baa891fa7fa9c7d0a3ccd 9fe24fe587110ea3a19b75456f16d160b8e57f89dd9b57e0f29951b0c915da79 d9062e9f1361f284ed2171d79a88624f224886e2eb2328e1bfd72ddcf01babbf d58f7307d528aa78d04a1ffb5bb4d9e0d4fe154fdafaa8fa6b597661873796cd ed377cd10e637af7c0f079d3b2b0c6a474d56d89f165403fcb90e3557055a03e 2af97adb11fec6ed6b6e1079cd5531d1bad4b8cad8fe49c6e1f28bf501ba667d 4dcccde5e5a2280cd0e151e7e8d5c99864690c2454cce02c97d35754f4048ea6 1d03a953a0aad8dcdb8782b55c499b93c6233833b32d62ee987b5cdf565ee244 4d605b3f85215af207942e66b5a69c51300b95a34e441799464ec0d228b42f97 47aa26cfd1bb707f47acfd776ec70185bec00c26bec1c4546e36945f039ced7e 7a76b65b41537daf8c73cd1b46f9293a51067a28f8aea061ec903e42a4232294 ed1a6858cc27c06ccecd5ff2f793e8889bc0036c2d758382c4b4751ebc2ab2e8 21fee68347cb480a1f2f69b1cc9c9321320274ca3db5081984c01e833c26bb01 aaa76b057da2a86d139d86a8c23a3afdefd0e9daba1b6b3ffdcb13d241a41df8 5023d1743e96bf5a0f57b9a67fd4868b1e263e763569581d228565bd2ae16d79 104d08a04a78fcb958fd7ae05445214c1ea4e3763b437fe532dbbc948847c507 7c305c48fedd4f1377e1fa989911bcc752eeb85f5cd47faf7e17e4c08b5b1c3f 261bc614e365790a5ec8730be061dc5d7256031cb333a3d864ce34b9c2fc3595 926d76334dcb041818c5886e656d742929639e1c2cd84c056ab24b9f3be1d48d 
b9c84e04ee67698f106876a3abd4882bce3045239f59f049d1d3c6e24e7db2a9 2d5650be1511554032d551636c1bddd3c66d3e2e5631e53eedf2a30848ea52be 6c549ca812beb5aeee8fa0c6120865f00113d2c26581e74d9cf7315ffeb77111 9fd24ed37487732939cad59db0cf44c46b1cad06724a9dcb28c5c33fcfc56709 6161588cd971b37d704d0d0d1fa4a7811c55f2270b04e5a481d3920536226d9d 8cafc8bef991aa21060b9e9ded1d0de9dca0fa835daf53a28f2e3d94ccfe95fd 60f91711822a2fe2babd5edda502bc250e7571e23147dab119cf9e860b1b7a5d 45d591ff1f81651c387aed90ed9c5c410a298c30b9f8942b958823dc875ec202 ec404e9f2fcbe073601a463f5f2e0365e0fddbe6cf41bcf1548d8ea57e3deefe 1ba0669ea82d7bf1d58351099e92764a8062e673906f3d7df893bdf9b24ac3b8 8b4d07fe12c44445d93b3876ea0f2e1451748319add6e05ed2013358b771af54 346037394c9aa25e783ccf397cfb6ffede88e0d5630d26eeae5722a0e6ca9834 d0978435d5f992301075e496e5e3ffda365f14d1f0ade6fb0d7aa687ca121b80 f3c20762993d21ddcf0bd3d03e6c77739fb2636427dbeb591a651f1614a81922 b8fe7c89ec429e7c4b300435691498427941d77fcf9d32bf11c83c318f145bbf b091138df1950dd6504ae610fb63780344cb5df60ca0ddaf959ecfc8448c98e9 9ab44a25c808bf6f585d895edd0b74b2a5d971a26945a59cbc19eac1269792ba b28511b01f591abc45120cb71539c85684fa0d06d0f4c9a71450573c4f4dc1ca e23da146770e8fbe4a0a7e2949d33c52196e3581d2d697bf994e2e84a2d0207d e4bfe430f5ffb32f2bdd484b33f736e98fe9d3f00aa5c24b3b0b61b3923450b6 9bd12c080aea6e9682f770a5cd5997b8134b40d062225a5c1bc7eb32cad03e1e ba81d6a3a1b71ff8290fa007c781958979b6638d1f6164ce2e70d443895f5317 0bb8f8d2a23b8911c8d5ff43353c3f5c8b293ad12903471d01cf6e2559f4da4b c0a559af5e24c1da644fef71626a37913a2f5c0e8a17feb06f41be8714299680 caf5eb87ac7339cf4e32d4f0b6ab350a148b48664bcb60a5dba46256d807d658 b591eeb3c05b0f6cda724f2b72e0e7d09410ce8dd8f60835bcdb1769a1fc99b1 aa4770bb8e6c726e45312467a13d7511f8833615b7f55d68679d6348e6fcd160 f499ff6f78bfa3b5f1feafb6c6e8455c1aa005dce6b30ee2b82a8773d6bbfef3 208fb5dfb1b81d23d9499cec4c26e0fb4a1eb68c6310c03a2f06bb270d610d90 5e6c3453404a64535c601b70448b150010f0a0505f27f9183fa63606e0711cd6 
e7e6dc5108412dc0842b5bac103b83b683900917dedf5a2fee2350f89c7c8c2b 5fe049f88a4b3348af6b8d6327d6d0fa47a5f512c0e5dbc5ad4da87cc89e36a7 939556c8c2e6c25bb139562e882c2de7af712cd0ff32233fced983ebd94c40f7 a9f70ead69e738244d9f12eb117fa94a025df126fa7991a7114bfbf2e96b64b3 430faa3079eaeb1aed0239b87160275ca5e695e1155b17ca8958b50271e7bef7 4dab81d9ba0f55efae13ed98ccc1b8f26ea72bef19f2f6213c4f90e37fd1cf67 6bd1048941261267d57fa46451fc596a9a1598c28d25aee4c3561d203cb8bf5a 75207dd4aae34bc23d43ce6e05ee9c9284e1672c0b88a8dbcefb960e48a74298 f90465d2314ce86e0c814d10d9fbb678054ff85a566540b124b0996f53a347bc f78e8b2f05c248d3e808b5fa373cb31f9e1334a0ece019e1e051b0d10e2ab1c6 d277cfa236924fe4001877a8a59fa1a9e781fce2da02b069c7015b8cd714f48e 7217b7bf0d170bf64c9cad9129896180cbd8cecae988c71c6ac0c02f669cecfe 5ea6f20728c3abc2c7b36e15e2167eeaae7e40e6a5af3f8285cce4aa27c0b24f d453f99b2996b9d6d5497d2c1638c5d546a9eb03b655321076492a443376176f 77054ca66239fb8c6644e5d939c04605a4d4cee3e1e04a624a492c1e36daea31 4adb815d163a68c8be53808d40ac8381fa0f64d87abc5d63cd5f9f6ab72586d7 91045150d046f4b063212381ed9a1d2b0b5361e2e5c22dd8148deec8a4244250 076c3c5cb76f6715c363a4ba713e9a66b7a19f08b29cec98bd3c00361c2fa291 f59d4e8fee70b9cb54beb553f3a84d01b48a05b4ff37cba05f52eb33f073f7e8 31635a4acc731421415b0dc8393860870cc73f1dbc0febef4e7417eea22031bc 796e14a400aa2d514c7ef7e230477f96b4c01c6996fa6b6f1855ae242483ebab 910c8df1094f166227ff01a911453b00a612d4927e219f77bff10ef2a306dee8 bfbb8e03435261cd515dbcf066e2d0baca0f019d437b0e415d29a33cecf80ddf bb48a52bae2ee8b98ee1888b3e7d05539c85b24548dd4c6acc08fbe5f0d7631a 738bc5dd4540e3”
Global / Multi-sector
CNB Bot, Custom Loaders, RATs, XMRig-based Cryptominer
Multiple (Global)
Unknown / financially motivated
Multi-sector (Corporate, Finance, Tech)
Execution: T1059.001 (PowerShell), T1106 (Execution through API); Persistence: T1547 (Boot or Logon Autostart Execution), T1053 (Scheduled Task/Job); Defense Evasion: T1027 (Obfuscated Files/Information), T1140 (Deobfuscate/Decode Files/Information); Credential Access: T1081 (Credentials in Files); Command & Control: T1071.001 (Web Protocols), T1090 (Proxy); Impact / Resource Abuse: T1496 (Resource Hijacking), T1132 (Data Encoding)
High
• Block identified IoCs on network perimeter. • Monitor abnormal Monero mining activity. • Apply endpoint detection with behavioral analytics for obfuscation techniques. • Conduct password audits and credential hygiene. • Educate users on fraudulent installer packages. • Segment and isolate affected endpoints. • Review scheduled tasks and persistence mechanisms.

Apr 01, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Phishing / Infostealer Campaign
“scxzswx[.]lovestoblog[.]com exczx[.]com 108[.]171[.]108[.]248 216[.]131[.]75[.]250 195[.]177[.]94[.]6 213[.]209[.]157[.]187 185[.]147[.]214[.]250 216[.]131[.]77[.]250 216[.]131[.]112[.]239 104[.]36[.]180[.]119”
Coordinated campaign targeting organizations
Phantom Stealer
Europe
Unknown
Logistic, Manufacturing, IT
T1566.001, T1204.002, T1555, T1041
High
Implement strong email security controls, conduct user awareness training, enforce MFA, and regularly review email security policies
ClickFix / Social Engineering Campaign
“a2569c5739bee6c4a18789e2ca42d66e4686b52d1c9d82fc3a543cbc316ccbef 68b9ebbdad21e0b94c958fc1cc1d23dcc43429ea254087c3fb30ad9901d65915 178[.]16[.]53[.]137 141[.]98[.]234[.]27 46[.]149[.]73[.]60 hxxp://91[.]219[.]23[.]145/skimokeep hxxp://darkboll[.]in[.]net/”
Multi-stage infection via social engineering (ClickFix)
SkimokKeep
None
Unknown
None
T1204.002, T1566.002, T1218.011, T1105, T1059.001
High
Conduct user awareness training, monitor rundll32.exe activity (especially WebDAV usage), restrict outbound WebDAV traffic, block malicious IoCs, enhance EDR for in-memory detection, and implement application control
Supply Chain Attack
“142[.]11[.]206[.]73 sfrclak[.]com hxxp://sfrclak[.]com:8000 hxxp://sfrclak[.]com:8000/6202033 23[.]254[.]167[.]216 fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668”
Widespread risk due to popular dependency usage
WAVESHAPER.V2, SILKBELL
None
UNC1069
None
T1195.002, T1059.007, T1105, T1071.001
Critical
Avoid affected axios versions, audit dependencies for malicious packages, rotate credentials, block IoCs, clear package caches, enforce version pinning, monitor Node.js activity, and secure developer accounts with MFA
Ransomware / Exposed Infrastructure
176[.]120[.]22[.]127
Exposure of ransomware toolkit infrastructure linked to Proton66, enabling full attack lifecycle including credential harvesting, persistence, and pre-encryption activities
Mimikatz, Ransomware Toolkit
None
TheGentlemen Ransomware Group
None
T1003.001, T1562.001, T1134, T1021.001, T1219, T1490, T1489, T1070.001, T1059.003
High
Secure exposed servers and audit public-facing assets; implement MFA and IDS; monitor for IoCs; strengthen incident response capabilities
Phishing Campaign (Credential Harvesting)
“hxxps://notifcation[.]inedin[.]digital/?xgsrdh=12602024008489914930&provider=__cmppbWVuZXpAaWJlcmRyb2xhLmNvbQ==__xvpji__lkkd hxxps://singletoncop[.]info/webxr[.]php”
LinkedIn-themed phishing campaign using spoofed emails and fake login pages to harvest user credentials via lookalike domains
Phishing Kit
None
Unknown
None
T1566.002, T1204.001, T1036
Medium
Implement email security controls and phishing detection; conduct user awareness

Mar 31, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Remote Access Toolkit
“194[.]33[.]61[.]36 109[.]107[.]168[.]18 146[.]19[.]213[.]155 hui228[.]ru 5d009f6f46979fbc170ede90fca15f945d6dae5286221cca77fa26223a5fe931”
Targeted, limited scope, private operator
CTRL RAT
None
Russian-speaking operator
None
T1566.001, T1204.002, T1059.001, T1056.001, T1021.001, T1053.005, T1112, T1548.002
High
Implement EDR, user education on untrusted files, application control, monitor network for reverse tunnels, enforce MFA
Spearphishing / Exploit Kit Campaign
“5fa967dbef026679212f1a6ffa68d575 motorbeylimited[.]com”
Targeted campaign with expanding scope
DarkSword
None
TA446
None
T1566.002, T1189, T1203, T1090.003
High
Avoid clicking links in unsolicited emails, keep iOS devices updated, monitor network traffic, block malicious domains, and implement strong email filtering and awareness training

Mar 30, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Malware Campaign / Remote Access Trojan (RAT)
“7d09d90d62933d39fed10886140559fea3bfc5720375d6053245da24c9d713e9 7a1d6c969e34ea61b2ea7a714a56d143 hxxps://api[.]telegram[.]org/bot8679995457:AAHiI3UDWmJaj4etgI4fAZK_wo4KJfhXLWc/getUpdates?offset=1 hxxps://api[.]telegram[.]org/bot8679995457:AAHiI3UDWmJaj4etgI4fAZK_wo4KJfhXLWc/sendMessage?chat_id=8558596408&text=??%20RESOKER%20activated%20(hidden%20mode)&parse_mode=HTML hxxps://api[.]telegram[.]org/bot8679995457:AAHiI3UDWmJaj4etgI4fAZK_wo4KJfhXLWc/sendMessage?chat_id=8558596408”
Telegram-based C2 RAT enabling remote command execution, persistence, privilege escalation, keylogging, and stealth data exfiltration on Windows systems
ResokerRAT
None
Unknown
Finance
T1059.001 – PowerShell, T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1134 – Access Token Manipulation, T1202 – Indirect Command Execution, T1562.001 – Impair Defenses: Disable or Modify Tools, T1564.003 – Hide Artifacts: Hidden Window, T1057 – Process Discovery, T1056.001 – Input Capture: Keylogging, T1071 – Application Layer Protocol, T1573 – Encrypted Channel, T1112 – Modify Registry, T1105 – Ingress Tool Transfer
Critical
Block Telegram API abuse at network level where not required; monitor registry changes and persistence mechanisms; deploy EDR to detect RAT behavior and keylogging; restrict PowerShell execution; monitor abnormal process termination and privilege escalation attempts; implement least privilege and application control policies.
Malware Campaign / RAT (MaaS)
72c08e044dd427964bc14339f95838e3d45f51f6a586330c683fbb59ea374b1d, 7B57628329827948FD8BE903B028B4E619E59ABE03DD1AB2DAD0939BE9707A10, BDEA1D91191344FF48FD20DDD8ECFE21, hxxp://43[.]228[.]157[.]123/, hxxp://46[.]151[.]182[.]216:8443/, 43[.]228[.]157[.]123, 46[.]151[.]182[.]216
Multi-stage PowerShell infection chain delivering PureHVNC RAT with credential theft, crypto wallet harvesting, VPN data theft, and resilient C2 via DGA fallback
PureHVNC
None
PureCoder
Finance
T1566 – Phishing, T1027 – Obfuscated Files or Information, T1059.001 – PowerShell, T1059.003 – Windows Command Shell, T1059.010 – AutoHotKey/AutoIT, T1140 – Decode/Deobfuscate, T1071.001 – Web Protocols, T1573 – Encrypted Channel, T1041 – Exfiltration Over C2, T1005 – Data from Local System, T1539 – Steal Web Session Cookie, T1555.003 – Credentials from Browsers, T1083 – File Discovery, T1057 – Process Discovery, T1012 – Query Registry, T1112 – Modify Registry, T1543 – Modify System Process, T1036.007 – Masquerading, T1219 – Remote Access Software, T1568 – Dynamic Resolution, T1102 – Web Service
Critical
Block identified IPs at firewall and endpoint level; implement EDR/SIEM detection for suspicious PowerShell, RegAsm.exe, AutoIt3.exe activity and registry tampering; monitor DNS for DGA patterns; enable TLS inspection where feasible; rotate browser credentials and audit crypto/VPN data upon compromise; raise user awareness on suspicious file execution.
Phishing / Info Stealer
Targeting financial institutions via phishing emails and malicious ZIP downloads
PXA Stealer
None
None
Finance
T1566.002 – Spearphishing Link, T1204.002 – User Execution: Malicious File, T1105 – Ingress Tool Transfer, T1059.006 – Python, T1140 – Deobfuscate/Decode Files, T1027 – Obfuscated Files, T1055 – Process Injection, T1547.001 – Boot/Logon Autostart: Registry, T1041 – Exfiltration Over C2
High
Block/filter phishing emails with suspicious links; train users to avoid unknown ZIP/executables; restrict execution from temp/download directories; monitor certutil and renamed binaries; detect process injection; monitor registry for persistence; inspect outbound traffic to Telegram/unknown domains; use EDR/XDR for infostealer detection; update threat feeds/rules; regularly scan systems for IoCs.
Contagious Interview – Multi-stage Supply Chain Attack
“5a2c042b086a475dca4c7dcec62693c1 699cd6c292b8a5933dabee63c74a9a3069ed6432c3433ab945ab46fe816d9e2c 153e2f27e035252d5f7ace69948e80b2 1c8c1a693209c310e9089eb2d5713dc00e8d19f335bde34c68f6e30bccfbe781 95[.]216[.]37[.]186 95[.]164[.]17[.]24”
Malicious npm package (tailwindcss-forms-kit) delivering multi-stage payloads including InvisibleFerret backdoor
InvisibleFerret
None
Lazarus Group
Development
T1566.002, T1195.002, T1059.007, T1105, T1555, T1552.001, T1056.001, T1547.001, T1041
High
Verify integrity of downloaded packages; educate developers on social engineering; employ static/dynamic analysis of packages; monitor network traffic for suspicious C2 activity; keep security tools/software up to date
Tax-themed phishing campaigns
Global / Multiple regions
Winos4.0/ValleyRAT
United States, Japan, Canada, Australia, Switzerland, India, Taiwan, Indonesia, Malaysia, Italy
TA4922, TA2730
Finance
T1566.002, T1566.001, T1204.001, T1204.002, T1219, T1041
High
Prioritize user education on phishing; implement robust email filtering; enforce MFA; update security software; allow-list trusted RMM tools and monitor for unauthorized access; verify authenticity of tax communications; review incident response plans

Mar 29, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Phishing / RAT Deployment
“panel[.]creepy[.]ltd hiddify[.]creepy[.]ltd creepy[.]ltd cert-ua[.]tech 54[.]36[.]237[.]92 hxxps://files[.]fm/u/7nxvfbmf46 hxxps://files[.]fm/u/cmr9kspbs5 2f8f3e2860f76a630f514f435049764c d42df7073f59c52b4450338c868c6cf58bc4c5bde1230dbcc046f4d80a36c43c 4d210550b3073cff2a7fc2979a64277c 5f16463f5c463f5f2f69f31c6ce7d3040d07876156a265b5521737f1c7a2a9b3 afbabb90e761451bb66a753ffd1ca92d 0d7147a08c70cf15428f4b3ed2f16587ec6f57b0d0be9e3197968ac44d43cfe4 e4fa3e55f77419c8d718d11e663a614c 468e0919ffb6c12444b77570e5cb68b1fe1e7d7a1aea2193b1760085323fec91 37631c6c5fce72ce0f75bf70c6f521b9 98f8ffdb5abc0b0bf11de72d7d904bacbc1834d3290d92f8f7cd9aaae723e938 0e86fe5ea183a582e4cb8ffa39d3f14b 342cf215d7599a65b23398038f943f516b0bd649926e21427d8e028fffec93d7 incidents@cert-ua[.]tech”
Targeted Ukrainian organizations across multiple sectors including government, education, health, finance, IT, and defense
AGEWHEEZE RAT
Ukraine
UAC-0255
Education, Government, Administration, Health, Finance, IT, Defense
T1566.001, T1566.002, T1036.005, T1204.002, T1059.003, T1547.001, T1053.005, T1548.002, T1021.001, T1113, T1115, T1057, T1007, T1083, T1105, T1071.001, T1573, T1070.004, T1078, T1608.006
High
Block IoCs at perimeter, DNS, email security; enforce application whitelisting; warn users against unsolicited downloads; hunt for persistence artifacts (SvcHelper/CoreService, %APPDATA%); monitor outbound WebSocket connections; ensure EDR visibility; prioritize hunting in critical sectors; block new suspicious domains; communicate safe practices regarding software distribution from file-sharing platforms.
Infostealer / Phishing & Malware Distribution
“268d12a71b7680e97a4223183a98b565cc73bbe2ab99dfe2140960cc6be0fc87 ac36b970704881c7656e8fdd7e8c532e22896b97a47acef5ca624d7701bf991”
Global IT, Finance, and Gaming users targeted via phishing, cracked software, Discord archives, fake GitHub repos
BlankGrabber / XWorm
None
Unknown
IT, Finance, Gaming
T1027, T1497.001, T1589, T1082, T1047, T1125, T1217, T1115, T1113, T1070.004, T1016.002, T1562.006, T1629.003, T1548.002, T1547.001, T1012, T1005, T1560.001, T1048
High
Block certutil.exe from decoding content in untrusted directories; alert on WinRAR/rar.exe execution from non-standard paths; monitor DNS queries to api.telegram.org from non-Telegram processes; block/alert on file-sharing platforms (gofile.io, pastebin.com, anonfiles.com); detect PowerShell disabling Defender; alert on non-standard hosts file access; monitor registry queries to SoftwareProtectionPlatform; restrict WMIC execution; educate users on risks of cracked software and unknown repos; monitor %TEMP% for SFX archive drops and suspicious binaries.
APT / Spear-Phishing / iOS Exploit
“escofiringbijou[.]com siekeltd[.]com”
Targeted spear-phishing of high-value individuals, government, finance, education, legal, and civil society sectors; iOS devices
GHOSTBLADE, MAYBEROBOT, DarkSword
None
TA446 / Callisto / COLDRIVER / Star Blizzard
Political party, Diplomacy, Executive & High-Value Individuals, Government, Administration, Finance, Education, Legal, Civil society
T1566.001, T1566.002, T1027, T1036, T1071, T1189, T1203, T1555, T1119, T1041, T1497, T1588.005
High
Enforce iOS/iPadOS updates; block/monitor escofiringbijou[.]com; implement email gateway rules to detect/quarantine spear-phishing emails; scan/quarantine password-protected ZIP attachments; update TI platforms and EDR/MTD with GHOSTBLADE/MAYBEROBOT indicators; enforce MDM compliance for device versions; review and harden iCloud security for high-value individuals.

Mar 27, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Cyberespionage / Multi-Stage Infection
Targeted spear-phishing and USB-propagated malware to achieve persistent access, credential theft, and data exfiltration
USBFect, HIUPAN, PUBLOAD, EggStremeFuel, Masol, Gorem, TrackBak, FluffyGh0st, Hypnosis
Asia
Stately Taurus (similar to Crimson Palace, Earth Estries)
Government, Administration
T1566, T1059.001, T1105, T1078, T1027
High
Disable AutoRun for removable storage; enforce strict USB access policies; monitor for unusual DLL loading and in-memory shellcode execution; maintain updated endpoint telemetry; regularly review and update security protocols.
Spearphishing / Seasonal Phishing
Targeted spearphishing timed with tax and corporate restructuring communications to exploit high-volume financial/HR emails
N/A (no malware specified)
Japan
Silver Fox
Finance, Manufacturing
N/A
Medium
Reinforce phishing awareness training; implement MFA for critical accounts; update email security filters; encourage prompt reporting of suspicious emails.
Phishing / AiTM Campaign
“welcome[.]careerscrews[.]com welcome[.]careersengage[.]com welcome[.]careersgrower[.]com welcome[.]careersstaffgrid[.]com welcome[.]careersupskill[.]com welcome[.]careersworkflow[.]com”
Targeting TikTok for Business accounts using reverse proxy phishing and adversary-in-the-middle techniques
N/A
None
N/A
Marketing
T1566.002, T1556.002, T1539, T1185, T1078
Medium
Enforce MFA on all accounts; educate users on phishing; use URL reputation & sandboxing; monitor for suspicious account activity; review security policies regularly.
Supply Chain Attack
“models[.]litellm[.]cloud checkmarx[.]zone 85ED77A21B88CAE721F369FA6B7BBBA3 2E3A4412A7A487B32C5715167C755D08 0FCCC8E3A03896F45726203074AE225D F5560871F6002982A6A2CC0B3EE739F7 CDE4951BEE7E28AC8A29D33D34A41AE5 05BACBE163EF0393C2416CBD05E45E74”
Trojanized Python package LiteLLM
LiteLLM
Russia, China, Brazil, United Arab Emirates
N/A
N/A
T1195.001, T1552.001, T1552.004, T1059.006, T1041, T1071.001, T1105, T1036
High
Implement supply chain security monitoring; scan systems for malicious files; rotate credentials; enforce access controls; use EDR/XDR; proactive threat hunting and continuous monitoring.
Cyber Espionage / APT
“CVE-2026-21509 CVE-2026-21513”
Modular malware targeting defense supply chain and supporting infrastructure
PRISMEX (PrismexDrop, PrismexLoader, PrismexStager, PrismexSheet), Covenant
Ukraine, Romania, Turkey
Pawn Storm / APT28 / Fancy Bear / Forest Blizzard / UAC-0001
Defense, Military, Government, Administration, Logistic
T1566.001, T1059.001, T1059.005, T1204.001, T1546.015, T1053.005, T1574.002, T1027.003, T1562.001, T1055, T1553.005, T1114.001, T1071.001, T1102, T1048.003
Critical
Implement advanced email security; enhance EDR/XDR; scan and remediate cloud vulnerabilities; phishing awareness training; monitor network traffic; enforce strict access control and least privilege.

Mar 26, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Social Engineering / Malware Delivery
“urotypos[.]com fresicrto[.]top 212d8007a7ce374d38949cf54d80133bd69338131670282008940f1995d7a720 6e26ff49387088178319e116700b123d27216d98ba3ae1ce492544cb9acd38f0 a6a748c0606fb9600fdf04763523b7da20b382b054b875fdd1ef1c36fc16079a a7b9be1211c6de76bab31dbcd3a1c99861cf18e3230ea9f634e07d22c179d1ca c90435370728d48cba1c00d92cc3bf99e85f01aa52ecd6c6df2e8137db964796 89[.]46[.]38[.]100 195[.]85[.]115[.]11 95[.]142[.]45[.]231 185[.]163[.]47[.]220”
Malicious scripts injected into compromised websites redirect users to fake CAPTCHA pages
Remcos RAT, NetSupport RAT, StealC, Sectop RAT
None
SmartApeSG / ZPHP / HANEYMANEY
None
None
Medium
Block malicious domains/IPs; employee phishing & HTA execution awareness training; monitor DLL side-loading & unusual HTA execution; update EDR; implement endpoint monitoring.
ClickFix Social Engineering / Malware Delivery
“45[.]144[.]233[.]192 mac-os-helper[.]com stormac[.]it[.]com macos-storageperf[.]com apple[.]assistance-tools[.]com apple[.]diagnostic[.]wiki macintosh-hub[.]com”
Impersonation of legitimate brands (Intuit QuickBooks, Booking.com) to trick users into executing commands via Windows Run or macOS Terminal
Not specified (malware deployed via command execution)
Not Specified
Unknown
None
T1566, T1566.002, T1059, T1059.001, T1059.004, T1204, T1204.001, T1204.002, T1027, T1027.002, T1027.010, T1140, T1218, T1547, T1547.001, T1547.009, T1071, T1071.001, T1105, T1082
Medium
Exercise caution with unexpected prompts/links; restrict execution of unknown software; enforce MFA; educate users on phishing/social engineering; monitor command-line activity.
Ghost npm Supply Chain Attack
“1ac0d6fac272903eb83a885a40c6ce5b2656b6f3 1b4916fd65934f2f9efa7125335a85c104e1e17c 1d92c73a859096cf107d11c4acd089f7b4e61a5b 22ada4f5a95fd9b5edb76426b7dddb168145fda7 2a8c625660ad6bb7d7c953a147c84c0fcc75794b 32d6b0b70ba825456471fab82119980de01e57d0 34ba816adda6ab74d0f4bbb04fdb8ed49b1137bb 43a361eec666edab60f0e95740cf9e51c06106bc 4439720f0722d3c92615114f1099471efd280feb 46e034baab242c110355eba0937d9e505232e8dc 56b78d2027cbf7b40dcbd10f17462cd029d13dda 5928e3121f12f3c5d690bc7968b28b2f67835ef5 59ca6306e77eb7f93528016dca14964968556310 60c88674128680b7e474607ba0fb8020c141ac71 6169a0bc69c94f3a5c13d899ac612d2fabe98611 63783f6e59d20e2c664123b349f22dd53d1293d4 6c17eccf82c7d85a883dfa7feac0be835f827fe3 6d115186018b396ea62afce46d6616957bf3d7c0 729fbce89101f8f79a57189e89a7e63ee7d61388 7562690617de6eafe29c3f1d83c029ee73b9f50b 84aab614cf6ad92b5498398e914a8f22056722d8 870636bcf3d2c0b9c4c12809a19af153ef154260 874919fbd4e23da4f959447acf394a619cc23f72 963b79f59fb2c070a06b9a2af9db2b5512c1ed74 a1cff6b52b7bfc61d08360af364ff7a4b4b2c504 a5d4a4dbf036e4d7a5453db191f6e4320f604446 b70a40b199d9a3cbbebfb0c1148b110acf3ec4eb b75fc27053819cd2e7f5cfe193a91844c199c285 bc3c787cf2b768f0a021fc3ca4fde65658a3f9e5 bdffc2f98ff422db9f9ddc190401cfcb686e3c32 be10e30cf25d57385c31281219daf87dc7921da6 befa10ca40c2923390db04eb34391c32aa29e611 c02624f8cefe790b6dee529c7a0e97f4241d79ed c486f9be10e6db40b8c30c8053dd44a6b2ac867e cb9208d756dc4d4674801611d8d5f5ba79e76366 cbe7c87293de7ab5853e2aef3f638d54c45f5c9f d1a1f76cce48be58e5d72f31ba54e4e2372848ea d22eb34facf13b5c1e820d9e6358eb4cd3797eaa d5ade32ac52140e6c25f50780dc4ff4d466faddb dc8ee405dd4402addae67ba6546f4f3781d7bdec e6cfaef4b50d2a4ddd8453bf5a91e81a092d6e09 e91baf3d270a21948833c50da1f0345d20ee1ec7 f579b2d0b65a3a3cb52be535a591bc8d0f1077b7 f9400843b42f0187e826e4c7a9786b0f09ab8992 fb147ad540ae975228f8fe7d7fb557ff0670f69f fe6ee1104c4b02be39819822ed959039ea313e67”
Malicious npm packages with fake installation logs to phish sudo passwords and deploy RATs retrieving payloads from Telegram or Web3 contracts
Ghost RAT
None
North Korea
IT, Development, Digital Services, Finance
T1059.003, T1204.002, T1555.003, T1105, T1056.001
High
Block npm installs from unverified authors; enforce strict sudo policies; use automated package scanning; monitor network connections to Telegram/Web3 endpoints; educate developers on dev tool phishing; review installed dependencies and lockfile integrity regularly

Mar 25, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Social Engineering / Fraudulent App Distribution
ihavefriendseverywhere[.]xyz valor[.]bet wikis[.]lifestyle
Large-scale “FriendlyDealer” campaign leveraging thousands of domains to impersonate legitimate app stores (e.g. Google Play, Apple App Store). Users are tricked into installing Progressive Web Apps (PWAs) that mimic real applications and redirect to gambling platforms via affiliate links. Activity includes data collection and behavioural telemetry.
Progressive Web Apps (PWA), Browser-based techniques
Not Specified
Unknown
Cross-sector (consumer-focused)
T1566 (Phishing); T1656 (Impersonation); T1204 (User Execution)
Medium
Exercise caution when installing applications from unofficial sources. Validate app authenticity via trusted platforms. Monitor for suspicious domains and anomalous activity. Implement web filtering and user awareness training. Maintain up-to-date security controls.
Malware Distribution / SEO Poisoning Campaign
“vlc-media[.]com studio-obs[.]net kms-tools[.]com crosshairx[.]pro obs-studio[.]site vlc-media[.]net vlc-player[.]net km-player[.]pro crosshairx[.]site fileget[.]loseyourip[.]com direct-download[.]giize[.]com cutt[.]ly/AtvY9HpI R[.]servermanagemen[.]xyz 45[.]145[.]41[.]205 r[.]manage-server[.]xyz manageserver[.]xyz ehostservers[.]xyz hone32[.]work[.]gd mora1987[.]work[.]gd 67[.]210[.]97[.]27 45[.]133[.]180[.]162 37[.]72[.]172[.]58 172[.]111[.]233[.]102 164[.]68[.]120[.]30 91[.]92[.]241[.]103 91[.]92[.]241[.]142 172[.]111[.]151[.]97 191[.]93[.]118[.]254 85[.]239[.]237[.]148 158[.]94[.]208[.]111 172[.]94[.]18[.]103 165[.]232[.]45[.]1 136[.]0[.]213[.]192 104[.]243[.]248[.]63 155[.]94[.]163[.]103 94[.]154[.]35[.]73 154[.]53[.]50[.]197 144[.]126[.]149[.]104 f9110e7efce392bd4c4fbc9b8b2fb0f225f50fcdeeaa8528075c03146245b4fd e38773bcf571e6990aca317c9d0140726fde741d5deb7f82e57659ffff54468a 9d4c0655ea8d75440415f221ab0cc115ad51674a29b8a17cad21e688740d951a 9cda5edf3b9565edb38da39b88c7c27d322b9fab2eb3a792bd047a311a3a93cd 8311e7365be53fd8a75ca313046e65ffe54d98a209d382b8f110e39ca706900c 2bb85af314d77c45704b350cd475dff8286c571a32d71b9f62cacd316a53576c”
Ongoing multi-stage campaign leveraging SEO poisoning to redirect users searching for popular software to impersonation websites. Victims download trojanised installers that deploy legitimate remote management software (ScreenConnect) for initial access, followed by AsyncRAT via DLL sideloading, scripting, and in-memory execution. Activity enables persistent access, credential and clipboard monitoring, and cryptocurrency theft, supported by evolving infrastructure using tokenised delivery links to evade detection.
AsyncRAT, ScreenConnect, DLL sideloading, PowerShell, VB scripts
Not Specified
Unknown
Cross-sector (user-driven compromise)
T1608.006 (SEO Poisoning); T1204.002 (User Execution); T1574.001 (DLL Side-Loading); T1059.001 (PowerShell); T1059.005 (VB Script); T1055 (Process Injection); T1105 (Ingress Tool Transfer); T1053.005 (Scheduled Task); T1547 (Autostart Execution); T1056.001 (Keylogging); T1115 (Clipboard Data); T1071.001 (Web Protocols)
High
Exercise caution when downloading software from search results or unofficial websites. Validate sources before installation. Monitor for unauthorised remote access tools and abnormal script execution. Restrict scripting environments and apply application controls. Implement endpoint detection capable of identifying RAT behaviour and persistence mechanisms. Maintain updated systems and security tooling.
Software Supply Chain Compromise / Malicious Package
“models[.]litellm[.]cloud checkmarx[.]zone”
Two malicious versions of the widely used Python package litellm (1.82.7, 1.82.8) were briefly published to PyPI, introducing a multi-stage payload. The package enables credential harvesting across cloud, DevOps, and development environments, followed by encrypted exfiltration and persistence via a system service. The activity includes active credential validation against cloud services and evasion techniques to avoid sandbox detection.
Malicious Python package (litellm), Python scripts, system service persistence
Not specifically targeted (Global)
Suspected (TeamPCP, under investigation)
IT, Development, Financial Services, Digital Services, eCommerce, Managed Services
T1195.002 (Supply Chain Compromise); T1059.006 (Python Execution); T1027 (Obfuscation); T1140 (Deobfuscation); T1552.001 (Credentials in Files); T1005 (Local Data Collection); T1041 (Exfiltration); T1573 (Encrypted Channel); T1543.003 (System Service); T1071.001 (Web Protocols); T1497 (Sandbox Evasion); T1078 (Valid Accounts)
Critical
Immediately remove affected package versions and treat impacted systems as compromised. Rotate all exposed credentials across cloud, DevOps, and application environments. Audit network logs for suspicious outbound connections. Remove persistence mechanisms and rebuild affected systems from trusted baselines where possible. Validate dependencies against trusted sources and implement controls to prevent malicious package ingestion.
Malvertising / Initial Access Campaign
anukitax[.]com bringetax[.]com fioclouder[.]com friugrime[.]com hxxps://grinvan[.]com/vims/browser/ hxxp://grinvan[.]com/vims/browser/ gripsmonga[.]sbs jcibj[.]com bjtrck[.]com rpc[.]adspect[.]net 8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531 7509365935fc1bfadba20656698d3a29051031635419043bc2bc45116106e026 2b409a265f571dccde6ef4860831c1b03d5418d1951f97925315dc5b0891da04 0821661e715fe64bb39f4fece277737a48fd6839edd40ec8a4a39bf04cea8524 033f42102362a8d8d4bdba870599eb5e0c893d8fd8dd4bc2a4b446cbbeb59b99 28278b8c85c832417f9860fe8ea3ddbb9ff1d5860317db4813227a3a52b7c7cc
Large-scale malvertising campaign leveraging sponsored search results to impersonate legitimate tax-related resources. Users are redirected through cloaked infrastructure to download rogue ScreenConnect installers, enabling initial access. The attack chain incorporates multiple evasion layers and BYOVD techniques to disable security controls at the kernel level, followed by credential dumping, lateral movement, and broader network access — consistent with pre-ransomware or access brokerage activity.
ScreenConnect (RMM), AsyncRAT, HwAudKiller, FatMalloc, FleetDeck, BYOVD techniques
United States (primarily)
Unknown
Finance
T1566.002 (Spearphishing Link); T1583.006 (Web Services); T1204.002 (User Execution); T1219 (Remote Access Sof
Malware Distribution / Supply Chain (GitHub-based)
c655c2d410e6b36d9ef1359aef67183bf76c193c609697492e41d30622f7ebd4 b54ea465f77f1eb726d3244aa52d13c103ad9c4fc5a15061b7067347896b433c 357cd0a1601d24bbb7949637b352b0ace1f30f51f788a03cafa98316068938e0 30694a0101abfeea642cb9de7fb7eb66789eea74d8d7257b39822d7dab59445d 11c06aab7aa3f1857cc9add05b392ba6bd62a7fd2d168e41d9ba5557a96c78f0 b1d3e7e81016561faddf7b0a6cb9a3bd0174064b3b309c6948f5f1e6688a1381 b1f9c4d82eb5f73b9081c3d414b3c053c1550e46fa21d30079134be3c0040ddb 8e322af81744217427abef3cab949aee1de70f1506f40e4e2d672af9e1f6ef0b c58720dcb30e5c887ff5bfd41bb46a611f2655128f1ef1a771e1745f24349dfe b1d3e7e81016561faddf7b0a6cb9a3bd0174064b3b309c6948f5f1e6688a1381 3fc5816afde3e58bf9fcaa1b3873f2d4bc8629ee7a8341a4a4979d2729cad5e6 39d39e6726408e778c8ad3d85010e1db0a686ebec1f8807f96cf80be59dfdd59 5343326fb0b4f79c32276f08ffcc36bd88cde23aa19962bd1e8d8b80f5d33953 398ea394f9a4242ebe9fd67a5ca62445fc4a34b1731d4f99b8eea5e65a98ddcb 357cd0a1601d24bbb7949637b352b0ace1f30f51f788a03cafa98316068938e0 30694a0101abfeea642cb9de7fb7eb66789eea74d8d7257b39822d7dab59445d b6e81d95c0c336e8b8bde3889f4df4ee17639f6ff055c631de19cab3c7efb63b 39d39e6726408e778c8ad3d85010e1db0a686ebec1f8807f96cf80be59dfdd59 b5c571363632a6887c6e9471435ab0fdcbf16bae6dbdf28d0fc755a9d467e859 c7a657af5455812fb215a8888b7e3fd8fa1ba27672a3ed9021eb6004eff271ac 5343326fb0b4f79c32276f08ffcc36bd88cde23aa19962bd1e8d8b80f5d33953 28d09366dc7842fe42f44a27cb54c6e1ba6769f42a27b99f5d455efb1e6de454 c7a657af5455812fb215a8888b7e3fd8fa1ba27672a3ed9021eb6004eff271ac 5343326fb0b4f79c32276f08ffcc36bd88cde23aa19962bd1e8d8b80f5d33953 66ee4143e50c42b26f1059a33860d49513194c6b049245c9a68a45dbefa40ec1 b54ea465f77f1eb726d3244aa52d13c103ad9c4fc5a15061b7067347896b433c 357cd0a1601d24bbb7949637b352b0ace1f30f51f788a03cafa98316068938e0 30694a0101abfeea642cb9de7fb7eb66789eea74d8d7257b39822d7dab59445d 213[.]176[.]73[.]159 217[.]119[.]129[.]122 217[.]119[.]129[.]76 89[.]169[.]12[.]241 217[.]119[.]129[.]121
Large-scale campaign leveraging hundreds of GitHub repositories to distribute trojanised packages disguised as developer tools, gaming cheats, and crypto utilities. The operation uses a LuaJIT-based loader with anti-analysis techniques and staged execution to evade detection. Once executed, malware captures screenshots, performs geolocation, disables proxy detection, and communicates with a centralised C2 infrastructure, consistent with credential theft and data exfiltration activity.
LuaJIT-based loader, RedLine Stealer, Lumma Stealer
Not specifically targeted (Global)
TroyDen (suspected)
Development, Gaming, Civil Society
T1204.002 (User Execution); T1189 (Drive-by Compromise); T1059.006 (Python); T1027 (Obfuscation); T1497 (Sandbox Evasion); T1622 (Debugger Evasion); T1113 (Screen Capture); T1041 (Exfiltration); T1555 (Credential Access)
High
Exercise caution when downloading code or tools from untrusted repositories. Validate sources before execution. Monitor for abnormal scripting activity and outbound connections. Implement application controls and network segmentation. Leverage threat intelligence feeds and behavioural detection to identify malicious activity. Maintain updated security controls.

Mar 23, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Mobile Exploitation Campaign / Zero-Day Exploit Chain
2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35 snapshare[.]chat 62[.]72[.]21[.]10 72[.]60[.]98[.]48 sahibndn[.]io e5[.]malaymoil[.]com static[.]cdncounter[.]net sqwas[.]shapelie[.]com
A highly advanced iOS exploit chain, DarkSword, leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 to 18.7. Delivered via web-based techniques such as watering hole sites and themed decoy pages, the campaign enables remote code execution, sandbox escape, and full kernel-level access. Post-exploitation, malware is deployed to collect sensitive data including messages, credentials, and device information while maintaining stealth through obfuscation and log removal.
GHOSTKNIFE, GHOSTSABER, GHOSTBLADE, Coruna iOS exploit kit
Saudi Arabia, Turkey, Malaysia, Ukraine
UNC6748, UNC6353
N/A
T1189; T1203; T1068; T1041
Critical
Update all iOS devices immediately to the latest patched version. Enable Lockdown Mode on high-risk or sensitive devices. Avoid visiting unknown or suspicious links and websites. Use mobile threat detection solutions where possible. Monitor devices for unusual behaviour such as battery drain or unknown processes. Restrict access to sensitive data on mobile devices when not required. Keep browsers and apps fully updated. Educate users about watering hole and targeted web-based attacks. Use network-level protections to block known malicious domains. Regularly review and enforce mobile device security policies.

Mar 18, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Phishing Campaign / Smishing (Fake Shipment Tracking)
posties[.]icu estafmox[.]help nrcsnap[.]com pkgov[.]shop
A large-scale phishing campaign uses fake shipment tracking SMS messages to exploit the widespread use of e-commerce and courier services. Attackers use spoofed sender identities or local-looking numbers to create urgency and lure victims into clicking malicious links leading to phishing pages designed to steal personal and financial data, including card details and one-time passwords. The campaign leverages real-time WebSocket connections for immediate data exfiltration and appears coordinated, using shared infrastructure, phishing templates, and phishing-as-a-service platforms to target multiple sectors across the MEA region.
Darcula Phishing Kit
Middle East, Africa
Unknown
Finance, Telecoms, eCommerce, Transport
T1566.002; T1204; T1056; T1041
High
Individuals should avoid clicking tracking links in SMS messages and instead visit official courier websites directly. Businesses should publish alerts about phishing campaigns, implement email authentication protocols (DMARC, DKIM, SPF), and partner with mobile carriers to filter fraudulent SMS messages. Regularly educate users about phishing tactics and promote a culture of security awareness. Implement multi-factor authentication wherever possible to add an extra layer of security.
Ransomware Campaign / Double Extortion
1ca67af90400ee6cbbd42175293274a0f5dc05315096cb2e214e4bfe12ffb71f e0fd8ff6d39e4c11bdaf860c35fd8dc0 51da4b9aa541a6fc636a97d44ee265b4 bed8d1752a12e5681412efbb8283910857f7c5c431c2d73f9bbc5b379047a316 f91cbdd91e2daab31b715ce3501f5ea0 payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion
The Payload ransomware group is targeting organizations across multiple sectors using a Babuk-derived ransomware with enhanced capabilities. The malware operates without command-and-control communication, encrypting files using Curve25519 and ChaCha20 while employing double extortion via Tor-based portals. It includes Windows and Linux/ESXi variants, enabling attacks on virtualized environments. The campaign leverages anti-forensic techniques such as disabling security services, deleting shadow copies, wiping logs, patching ETW, and self-deletion to evade detection and hinder recovery.
Payload Ransomware (Babuk-derived)
Bahrain
Payload Ransomware Group
Energy, Health, Telecoms, Agriculture
T1486; T1490; T1562.001; T1070.001; T1070.004; T1489; T1057; T1083; T1027; T1106
High
Organizations should prioritize robust backup and recovery solutions, implement multi-factor authentication, regularly patch systems, and monitor for unusual network activity. Focus on endpoint detection and response (EDR) solutions capable of detecting and blocking ransomware behavior. Employee security awareness training is crucial to prevent initial infection vectors like phishing.

Mar 14, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Operation CamelClone – Cyber Espionage / Spear-Phishing Campaign
31f1a97c72f596162f0946df74838d3bef89289ce630adba8791c0f3220980ee 51af876b0f7fde362c69219f7dec39f7fb667fb53dc5fe2cbdf841d6c5951460 27d7a398a58c12093bc49f7144dac2f079232768096d0558c226ea5c53782e29 4a0e2649f89e11121ffe55546ee081ac07472db650d094314414ebf26fcb7a8e 92962bfa6df48ec0f13713c437af021f4138dc5a419bc92bc8a376d625a6519a 1d0ea66d347325902e20a12e1f2f084be45d3d6045264e513dcc420b9928013c 2671e1f43b2e5911310c5b3f124c076055eec5dee4e596854332ffcf791fd740 2902cdee050a60c3129b4bb84e74ddda7b129c3473556f689d83609d9a5981a7 630ac67d8db777ae0b93e066bd13b21908e79f23a41a64448f0a4ea38c063a44 230a22a1f1800f11718b43a7ce9390d2ef0fa9dc212d954c8fafbfbe997bbbef 62c477c0827752ffeb8ea243497eef1c666fc41025d287909d021bceb5b8e699 2dcaaedfad798dad87f27aef39885d2879825c4c8bed1dcd9e863aba0d463103 hxxps://filebulldogs[.]com/uploads/AVQB61TVOX/f[.]js hxxps://filebulldogs[.]com/uploads/OKW5RN48ZJ/f[.]js hxxps://filebulldogs[.]com/uploads/F1OQY9GU84/f[.]js hxxps://filebulldogs[.]com/uploads/82WX5GP8CI/f[.]js hxxps://filebulldogs[.]com/uploads/AVQB61TVOX/document[.]pdf hxxps://filebulldogs[.]com/uploads/OKW5RN48ZJ/document[.]pdf hxxps://filebulldogs[.]com/uploads/F1OQY9GU84/document[.]pdf hxxps://filebulldogs[.]com/uploads/82WX5GP8CI/document[.]pdf hxxps://filebulldogs[.]com/uploads/AVQB61TVOX/a[.]zip hxxps://filebulldogs[.]com/uploads/OKW5RN48ZJ/a[.]zip hxxps://filebulldogs[.]com/uploads/F1OQY9GU84/a[.]zip hxxps://filebulldogs[.]com/uploads/82WX5GP8CI/a[.]zip oliwiagibbons@onionmail[.]org theresaunderwood@onionmail[.]org keatonwalls@onionmail[.]org coreyroberson@onionmail[.]org
Spear-phishing emails deliver ZIP archives containing malicious LNK files impersonating official institutions. Executing the shortcut triggers PowerShell to download the HOPPINGANT JavaScript loader from file-sharing platforms. The loader retrieves additional payloads including decoy documents and archives containing Rclone, which connects to attacker-controlled MEGA cloud storage to exfiltrate sensitive files such as documents and Telegram session data. The campaign uses public file-sharing services instead of traditional C2 infrastructure to evade detection and conduct intelligence collection.
HOPPINGANT, Rclone
Algeria, Ukraine, Kuwait
Unknown (suspected intelligence-focused actors)
T1566.001; T1204.002; T1059.001; T1059.007; T1027; T1218; T1071.001; T1105; T1005; T1213; T1567.002
High
Implement robust email security and phishing detection; conduct user awareness training; regularly patch systems; deploy EDR solutions; enforce MFA; segment networks to limit lateral movement; monitor outbound connections and investigate anomalies.

Mar 13, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Handala Hack – Destructive Malware / Wiper Campaign
5986ab04dd6b3d259935249741d3eff2 3cb9dea916432ffb8784ac36d1f2d3cd 82[.]25[.]35[.]25 31[.]57[.]35[.]223 107[.]189[.]19[.]52 146[.]185[.]219[.]235
Ongoing destructive intrusion campaign conducted by the Handala persona associated with the Void Manticore threat cluster. Operations rely on compromised VPN credentials and trusted service provider access to infiltrate victim environments, followed by reconnaissance, credential harvesting, and privilege escalation to Domain Administrator level. Lateral movement is conducted via RDP and tunneling tools, after which coordinated destructive actions are executed through custom wipers, PowerShell-based deletion scripts, encryption tools, and manual file destruction to maximize operational disruption and psychological impact through hack-and-leak propaganda.
Handala Wiper, NetBird, VeraCrypt
N/A
Void Manticore (aka Red Sandstorm / Banished Kitten) – persona: Handala
Government, Telecommunications, Technology, Critical Infrastructure
T1133 – VPN Access; T1078.002 – Stolen Credentials; T1199 – Trusted Vendor Access; T1110 – Password Brute Force; T1003.001 – LSASS Credential Dumping; T1003.002 – SAM Credential Extraction; T1087.002 – Domain Account Discovery; T1021.001 – RDP Lateral Movement; T1572 – Network Tunneling; T1105 – Tool Downloading; T1047 – WMI Command Execution; T1484.001 – Group Policy Abuse; T1037.003 – Logon Script Execution; T1053.005 – Scheduled Task Execution; T1059.001 – PowerShell Execution; T1561.002 – Disk Wiping; T1485 – Data Destruction; T1486 – Disk Encryption Attack
Critical
Enforce MFA for VPN and privileged accounts; monitor authentication logs for anomalous access; restrict RDP exposure; detect LSASS credential dumping attempts; monitor tunneling tools such as NetBird; restrict unauthorized encryption utilities; deploy strong endpoint detection; maintain secure offline backups and tested recovery procedures; conduct threat hunting for abnormal administrative activity and destructive file operations.

Mar 12, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Conflict-Themed Phishing Campaign – Cyber Espionage / Credential Harvesting
uzbembish@elcat[.]kg fed6ebb87f7388adf527076b07e81dfa432bac4e899b0d7af17b85cc0205ffad a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d dfaaaf75147afbd57844382c953ec7ef36f68a9c17c66a47a847279a6b1109c9 4b9661092051839496c04169ccb52b659c0f65cefd14a990e23565a0c0e8eeaf d518262dd687a48f273966853f3ed4eb7404eb918b165bb71ff83f75962c0104 b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705 7b6d69a249fe2adf43eefc31cdeca62cf48ab428fcbf199322feeb99d24fb001 a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3 14efa1194cc4c6aa5585d63c032268794364123d41a01121cbd5e56f7c313399 support[.]almersalstore[.]com almersalstore[.]com ban[.]ali@mofa[.]gov[.]iq nqandeel04@gmail[.]com iwsmailserver[.]com maria[.]tomasik@denika[.]se unityprogressall[.]org war[.]analyse[.]ltd@outlook[.]com ali[.]mo@med[.]gov[.]sy hxxps://iran[.]dashboard[.]1drvms[.]store/errors/sessionerrors/expire?client= jscop[.]mea[.]gov[.]in@outlook[.]com hxxps://defenceprodindia[.]site/server[.]php?file=Reader_en_install defenceprodindia[.]site 9477d9cd1435dc465b4047745e9c71103a114d65ed0d5f02ac3c97ac3f1dbf47 a9f4f4bc12896d0f0d2eeff02dd3e3e1c1406d8a6d22d59aa85f151d806ba390 ea1d98a41ad9343d017fa72f4baeeca0daa688bec6e0508e266c5e37e9d330de McManus[.]Michael@hotmail[.]com hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd 16db04b632668dae081359fc07c97e5a9b79dad61713642e48b494aa6b7828be transfergocompany[.]com
Multiple threat groups launched coordinated phishing campaigns targeting government and diplomatic organizations during heightened geopolitical tensions. The campaigns leveraged conflict-themed lures, compromised or spoofed government email accounts, and credential harvesting pages impersonating services such as Microsoft Outlook Web App and OneDrive. Malicious attachments containing LNK loaders triggered DLL sideloading to deploy Cobalt Strike beacons and .NET loaders delivering Rust-based backdoors. In several cases, attackers used geofencing, tracking pixels, and compromised infrastructure to improve targeting and campaign effectiveness.
Cobalt Strike, Rust Backdoor
United States, India, Middle East, Europe
TA453 (APT42 / Charming Kitten / Mint Sandstorm), TA402 (Frankenstein / Cruel Jackal), TA473 (Winter Vivern), UNK_InnerAmbush, UNK_RobotDreams, UNK_NightOwl
Government, Administration, Diplomacy
T1566.002 – Phishing Link; T1566.001 – Phishing Attachment; T1566.003 – Phishing via Service; T1059.001 – PowerShell Execution; T1574.002 – DLL Side-Loading; T1105 – Payload Download; T1071.001 – Web C2 Communication; T1036 – Masquerading
High
Implement robust email filtering and phishing detection controls; enforce MFA for all remote access and email services; conduct user awareness training to identify phishing attempts; monitor network traffic and authentication logs for suspicious activity; enforce strong password policies; regularly update systems and security software; review and test incident response plans; leverage threat intelligence feeds to track emerging indicators.

Mar 11, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Social Media Influence Operation – Information Manipulation / Psychological Influence
No technical IoCs reported. The activity involved coordinated fake Instagram personas and social media accounts used to establish contact with targets.
Coordinated influence operation using fake personas on Instagram to build relationships with users before introducing politically themed messaging. The operation relied on long-term social engineering tactics to gain trust and gradually influence public opinion. The campaign was identified and disrupted by Meta, which removed the associated accounts and content linked to the activity.
N/A
United States
Unknown state-linked influence operators
Political / Public Discourse
T1562.001 – Identity Impersonation; T1598 – Social Engineering for Information; T1606.001 – Relationship-Based Phishing
Medium
Exercise caution with unsolicited messages or connection requests on social media platforms; verify the authenticity of accounts before engaging; cross-check information shared online with trusted sources; enable multi-factor authentication for social media accounts; platforms should continue monitoring and removing coordinated inauthentic behavior and influence campaigns.
Conflict-Driven Espionage Campaign – Cyber Espionage / Phishing Operations
No specific IoCs publicly disclosed in this advisory. Indicators referenced include phishing email infrastructure, malicious URLs, and file hashes associated with malware delivery observed across multiple campaigns.
Multiple threat actors increased cyber espionage activity targeting government and diplomatic entities during the regional conflict. Campaigns leveraged conflict-themed phishing emails, compromised accounts, and deceptive URLs to deliver malicious payloads and harvest credentials. Activity involved malicious attachments, compromised infrastructure, and impersonation of trusted services such as Microsoft Outlook Web App and OneDrive to gain initial access and collect intelligence from targeted networks.
Reader_en_install Loader, Malicious VLCMediaPlayer (masquerading payload)
India, Iran, Syria, Iraq, Europe, Middle East
TA453 (Charming Kitten), TA402 (Frankenstein), TA473 (Winter Vivern), UNK_InnerAmbush, UNK_RobotDreams, UNK_NightOwl
Government, Diplomacy
T1566 – Phishing Emails; T1189 – Malicious Websites; T1078 – Compromised Accounts; T1190 – Web Application Exploitation; T1059 – Script Execution; T1204 – User Execution; T1555 – Credential Harvesting; T1105 – Payload Download; T1071 – Web-Based C2 Communication
High
Deploy advanced email filtering and phishing detection controls; enforce MFA across remote access and email services; conduct user awareness training to identify conflict-themed phishing lures; monitor authentication logs and network traffic for anomalies; maintain strong password policies; regularly update security software; review and test incident response plans; leverage threat intelligence feeds to track emerging indicators and campaigns.
Operation Rising Lion – Psychological Cyber Warfare / Social Engineering Campaign
No technical IoCs publicly reported. Activity involves spoofed phone calls impersonating the Israel Defense Forces Home Front Command number and fraudulent SMS messages mimicking the official OREFAlert emergency alert system.
Psychological influence campaign using spoofed emergency alerts and social engineering to create panic and erode trust in official warning systems. Attackers distributed fake emergency calls and SMS alerts warning of missile attacks or fuel shortages to manipulate civilian responses during conflict conditions. The activity forms part of broader hybrid operations combining cyber activity with psychological influence and targeted phishing attempts against key individuals and institutions.
N/A
Israel
State-linked influence operators
Government, Civilian
T1566 – Targeted Phishing; T1598 – Social Engineering for Information; T1195 – Supply Chain Trust Abuse; T1270 – Psychological Operations
High
Verify emergency alerts and communications through official government channels or verified applications; avoid acting on unsolicited emergency messages; organizations should implement verification procedures for critical communications; conduct awareness training on social engineering tactics; monitor for suspicious messaging campaigns during crisis situations.
Campaign: State-Linked Cybercrime Integration – Ransomware & Infostealer Operations
IoC: 077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d 94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb a8c380b57cb7c381ca6ba845bd7af7333f52ee4dc4e935e98b48bb81facad72b 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f
Campaign Scope: Threat actors associated with state-linked cyber operations are increasingly leveraging the cybercrime ecosystem to support intelligence collection and disruptive campaigns. Groups such as Void Manticore (Handala) and MuddyWater have been observed using commercially available malware, botnets, loaders, and ransomware infrastructure typically associated with financially motivated cybercrime. The activity demonstrates a convergence between state-sponsored operations and criminal tooling, enabling actors to improve operational effectiveness, obscure attribution, and conduct targeted attacks aligned with strategic objectives.
Malware/Tools: Rhadamanthys Infostealer, Tsundere / DinDoor Botnet, CastleLoader, FakeSet, StageComp, Qilin Ransomware
Targeted Country: Israel
Threat Actor: Void Manticore (Handala), MuddyWater
Sector: Health, Defense, Energy, IT, Telecommunications, Government
MITRE ATT&CK Techniques: T1566.001 – Phishing Attachment; T1566.002 – Phishing Link; T1588.001 – Malware Acquisition; T1588.002 – Tool Acquisition; T1071 – Web-based Communication; T1486 – Ransomware Encryption
Threat Severity: High
Recommendation: Conduct proactive threat hunting for known indicators; deploy strong endpoint detection and response (EDR); implement network segmentation and MFA; monitor network traffic and authentication logs for suspicious activity; restrict execution of unauthorized software through application control; enhance user awareness training for phishing threats; regularly review security policies and incident response procedures.

Campaign: APT Intrusion Campaign – Critical Infrastructure Targeting
IoC: No specific IoCs publicly reported in this advisory.
Campaign Scope: Reported cyber intrusions targeting critical infrastructure organizations including a U.S. airport, a financial institution, and a software company. The activity is attributed to an advanced persistent threat (APT) group conducting operations aimed at operational disruption and intelligence collection. While technical details regarding malware or intrusion techniques remain limited, the targeting pattern indicates sustained pressure on high-value organizations during heightened geopolitical tensions.
Malware/Tools: N/A
Targeted Country: United States
Threat Actor: State-linked APT group (not publicly identified)
Sector: Finance, IT, Transportation
MITRE ATT&CK Techniques: T1190 – External Service Exploitation; T1078 – Stolen Account Access; T1133 – Remote Access Abuse
Threat Severity: High
Recommendation: Implement strong network segmentation to limit lateral movement; enforce multi-factor authentication for all remote access and privileged accounts; conduct regular vulnerability assessments and penetration testing; monitor network and authentication logs for anomalous activity; perform proactive threat hunting; ensure incident response plans are updated and regularly tested.

Mar 10, 2026

Fields (per entry): Campaign; IoC; Campaign Scope; Malware/Tools; Targeted Country; Threat Actor; Sector; MITRE ATT&CK Techniques; Threat Severity; Recommendation

Campaign: State-Linked Cybercrime Integration – Ransomware & Infostealer Operations
IoC: No specific IoCs publicly reported in this advisory.
Campaign Scope: Security researchers report increased collaboration between state-linked cyber actors and cybercriminal ecosystems. The activity involves leveraging ransomware-as-a-service (RaaS), infostealers, and malware-as-a-service (MaaS) platforms to support intelligence collection, disruptive operations, and attribution evasion. Rather than using cybercrime purely as a cover, the actors are integrating criminal infrastructure, tools, and affiliate networks into state-aligned cyber operations to expand capabilities and operational reach.
Malware/Tools: Ransomware variants, Infostealers, Malware-as-a-Service platforms
Targeted Country: N/A
Threat Actor: State-linked cyber actors
Sector: Multi-sector (potentially government, enterprise, and infrastructure targets)
MITRE ATT&CK Techniques: T1566.001 – Phishing Attachment; T1078.004 – Compromised Account Access; T1486 – Ransomware Encryption
Threat Severity: High
Recommendation: Strengthen threat detection and monitoring capabilities to identify activity associated with criminal tooling; enforce multi-factor authentication and strong credential policies; apply regular patching and system updates; conduct security awareness training focused on phishing and social engineering; implement network segmentation and least privilege access controls; share threat intelligence to improve collective defense.

Campaign: State-Linked Cybercrime Integration – Use of Criminal Infrastructure
IoC: No specific IoCs publicly reported in this advisory. Indicators referenced include shared malware infrastructure, code-signing certificates, and tools used across multiple campaigns.
Campaign Scope: Threat actors associated with state-linked operations are increasingly leveraging cybercrime ecosystems to support state-directed cyber operations. Groups such as Void Manticore (Handala) and MuddyWater have been observed using commercially available malware, botnets, loaders, and ransomware infrastructure typically associated with financially motivated cybercrime. The integration of criminal services such as ransomware-as-a-service and infostealers allows these actors to enhance operational capability, obscure attribution, and conduct targeted operations against strategic organizations, including healthcare and government institutions.
Malware/Tools: Rhadamanthys Infostealer, Tsundere / DinDoor Botnet, CastleLoader, FakeSet, StageComp, Qilin Ransomware
Targeted Country: Israel, Albania
Threat Actor: Void Manticore (Handala), MuddyWater
Sector: Healthcare, Government, Defense
MITRE ATT&CK Techniques: T1566 – Phishing Emails; T1078 – Stolen Account Access; T1105 – Malware Download; T1059 – Script Execution; T1204 – User Execution; T1547 – Persistence Mechanism; T1027 – Obfuscated Malware; T1133 – Remote Access Abuse; T1555 – Credential Theft
Threat Severity: High
Recommendation: Conduct proactive threat hunting for indicators related to known malware families; deploy strong endpoint detection and response (EDR); enforce multi-factor authentication and network segmentation; monitor network traffic and authentication logs for anomalies; restrict execution of unauthorized software through application control; strengthen user awareness training against phishing; maintain updated security policies and incident response procedures.

Campaign: Telegram Hacktivist Activity Timeline – Coordinated Hacktivism / Multi-Vector Cyber Activity
IoC: No specific IoCs publicly reported in this advisory. Activity primarily coordinated through Telegram channels used by hacktivist groups to claim attacks and share operational updates.
Campaign Scope: Coordinated hacktivist activity emerging during the Iran–Israel–US conflict beginning March 2026. Multiple groups formed alliances and claimed attacks targeting government portals, financial services, energy infrastructure, aviation services, healthcare institutions, and educational organizations. Operations included DDoS attacks, attempted data breaches, ransomware activity, website exploitation, and alleged operational technology (OT) intrusions. The campaign expanded geographically across the Middle East, Europe, and allied regions, demonstrating an increase in politically motivated cyber operations and hacktivist coordination through messaging platforms.
Malware/Tools: DDoS tools, ransomware variants (unspecified)
Targeted Country: Israel, United States, Kuwait, Jordan, Saudi Arabia, UAE, Cyprus, UK
Threat Actor: Cyber Islamic Resistance, 313 Team, Keymous Plus, NoName057(16), DieNet, Nation of Saviors, Team Fearless, Cyb3rDrag0nz, Moroccan Black Cyber Army
Sector: Finance, Government, Energy, Aviation, Healthcare, Education, Defense
MITRE ATT&CK Techniques: T1499 – DDoS Service Disruption; T1566 – Phishing Initial Access; T1190 – Web Application Exploitation; T1486 – Ransomware Encryption; T1560 – Data Exfiltration Archives; T1189 – Drive-by Compromise
Threat Severity: High
Recommendation: Implement strong DDoS mitigation strategies and web application protections; monitor critical infrastructure systems for suspicious activity; patch exposed public-facing services; deploy strong access controls and continuous monitoring; conduct proactive threat hunting and vulnerability management; monitor for potential data exfiltration and misinformation campaigns; participate in threat intelligence sharing initiatives to track evolving hacktivist activity.

Campaign: State Cyber Strategy – Offensive Cyber Planning
IoC: No technical IoCs reported.
Campaign Scope: Strategic policy shift outlining expanded offensive cyber capabilities and defensive resilience measures in response to escalating geopolitical tensions. The strategy focuses on disrupting adversarial networks before breaches occur, strengthening critical infrastructure protection, implementing zero trust architecture across federal systems, enhancing encryption standards, and increasing collaboration with private sector cybersecurity providers. It also emphasizes investments in emerging technologies such as AI and post-quantum cryptography while preparing cyber operations to play a central role in modern geopolitical conflict.
Malware/Tools: N/A
Targeted Country: United States, Israel, Iran
Threat Actor: (External) Government-led cyber strategy
Sector: Energy, Finance, IT, Healthcare, Utilities
MITRE ATT&CK Techniques: T1562.001 – Defense Evasion / Security Hardening Context
Threat Severity: Medium
Recommendation: Implement zero trust architecture across critical systems; strengthen encryption and identity security controls; improve public-private cyber defense collaboration; enhance continuous monitoring and threat intelligence sharing; invest in workforce development and incident response capabilities to strengthen organizational cyber resilience.

Campaign: BoryptGrab Campaign – Multi-Stage Infostealer / Credential Theft
Campaign Scope: Malware campaign distributing the BoryptGrab information stealer through fake GitHub repositories and deceptive download portals offering free software tools, cheats, or utilities. Victims are redirected to malicious pages that deliver ZIP archives containing the payload. Execution triggers a multi-stage infection chain using VBS downloaders, DLL side-loading, and encrypted launcher payloads to deploy BoryptGrab and additional malware. The stealer collects browser credentials, cryptocurrency wallet data, system information, files, screenshots, Telegram data, and Discord tokens. In some cases, TunnesshClient establishes a reverse SSH tunnel for persistence and proxy access, while additional loaders may deploy Vidar variants and other components.
Malware/Tools: BoryptGrab, Vidar, TunnesshClient, HeaconLoad
Targeted Country: N/A
Threat Actor: Unknown
Sector: Multi-sector / Consumer endpoints
MITRE ATT&CK Techniques: T1189 – Drive-by Download; T1566.002 – Phishing Link; T1574.002 – DLL Side-Loading; T1059.005 – VBS Script Execution; T1059.001 – PowerShell Execution; T1053.005 – Scheduled Task Persistence; T1547.001 – Startup Persistence; T1027 – Obfuscated Malware; T1105 – Payload Download; T1041 – Data Exfiltration
Threat Severity: High
Recommendation: Avoid downloading tools from unknown or unofficial repositories; verify the authenticity of developers before downloading files; monitor and block suspicious ZIP downloads; restrict DLL side-loading through application control; monitor scheduled task creation and persistence activity; inspect outbound traffic for suspicious downloads or exfiltration; deploy endpoint protection capable of detecting infostealers; keep systems and browsers updated; educate users about risks of cracked software and unofficial tools.

Campaign: Dindoor Backdoor Deployment – State-Linked Network Intrusion / Persistence
IoC: No specific IoCs publicly reported in this advisory.
Campaign Scope: Threat actors associated with the MuddyWater (Seedworm) group have been observed establishing persistent access within enterprise networks across multiple sectors. The campaign involves long-term network infiltration intended to maintain covert access for potential future disruption, intelligence collection, or data exfiltration. The activity represents a shift from traditional espionage operations toward maintaining embedded access within critical infrastructure environments, allowing attackers to blend with legitimate network activity and launch operations at a later stage.
Malware/Tools: Dindoor Backdoor
Targeted Country: United States, Israel
Threat Actor: MuddyWater (Seedworm)
Sector: Finance, IT, Government, Transportation
MITRE ATT&CK Techniques: T1547.001 – Persistence via Startup Mechanisms; T1078 – Valid Account Abuse; T1133 – External Remote Access; T1059.001 – PowerShell Execution
Threat Severity: High
Recommendation: Implement strong network segmentation to limit lateral movement; deploy intrusion detection and prevention systems; audit privileged accounts and access permissions regularly; enable enhanced logging and monitoring to detect anomalous activity; conduct proactive threat hunting for persistence mechanisms; implement zero trust architectures to continuously verify user and device access.

Campaign: Strategic Cyber Conflict Analysis – Cyber Warfare Escalation
IoC: No technical IoCs reported.
Campaign Scope: Analysis discussing the growing prominence of cyber operations as a central component of modern geopolitical conflict. The report highlights how cyber capabilities are increasingly being used as primary instruments of state conflict, shifting from covert intelligence operations toward overt cyber warfare activities. The discussion reflects the evolving role of cyber operations in strategic military engagements and their potential to replace or complement traditional warfare methods.
Malware/Tools: N/A
Targeted Country: Iran
Threat Actor: N/A
Sector: Government, IT
MITRE ATT&CK Techniques: N/A
Threat Severity: Medium
Recommendation: Strengthen cyber resilience through proactive threat intelligence monitoring, vulnerability management, and incident response preparedness; implement continuous monitoring and threat hunting to detect emerging cyber threats; promote information sharing and cooperation to address evolving cyber warfare risks.

Campaign: Camaro Dragon Campaign – Cyber Espionage / Malware Delivery
IoC: 4d8027424b5bcd167ab70c8320ce3c5df72a9ecca01246b095e4af498f77725d fff7864019b651bea2448228d6557d995edc929276bb9d8cb34c3c280a42684e fa3a1153018ac1e1a35a65e445a2bad33eac582c225cf6c38d0886802481cd43 a7c56033f2264c71b0485da693e3f627b2b5ccfe3399a53cc558be77f95d9c13 c78eb1cecef5f865b6d150adcf67fa5712c5a16b94f1618c32191e61fbe69590 1ddbed0328a60bb4f725b4ef798d5d14f29c04f7ffe9a7a6940cacb557119a1c 26d10996fd2880441445539cd8a6e7fe0777f6ca3352dae6ef84d1d747aabb0c a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705 a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3 almersalstore[.]com
Campaign Scope: Cyber espionage campaign targeting organizations in the Middle East using conflict-themed phishing lures referencing missile strikes and attacks on Gulf oil and gas facilities. Malicious archives containing LNK files initiate a multi-stage infection chain leading to deployment of the PlugX backdoor and Cobalt Strike. Attackers leveraged DLL side-loading and widely available offensive tooling to establish access and conduct reconnaissance, demonstrating rapid adaptation to geopolitical developments to increase lure credibility.
Malware/Tools: PlugX Backdoor, Cobalt Strike
Targeted Country: Qatar
Threat Actor: Camaro Dragon (Earth Preta / Mustang Panda)
Sector: N/A
MITRE ATT&CK Techniques: T1566.001 – Phishing Attachment; T1204.002 – Malicious File Execution; T1574.002 – DLL Side-Loading; T1105 – Payload Download; T1059 – Command Execution; T1071 – Web C2 Communication
Threat Severity: High
Recommendation: Enhance threat monitoring and incident response readiness; deploy advanced email security and phishing detection; implement robust endpoint protection; educate employees on current-event themed phishing lures; conduct proactive threat hunting related to geopolitical events.

Campaign: IP Camera Reconnaissance Campaign – Cyber Espionage / Surveillance Infrastructure Targeting
IoC: Vulnerabilities exploited: CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067, CVE-2021-33044 affecting internet-exposed IP camera systems and management platforms.
Campaign Scope: Threat actors conducted reconnaissance operations by exploiting vulnerabilities in internet-connected IP cameras, primarily Hikvision and Dahua devices. The activity aims to gather intelligence and perform battle damage assessment by accessing live video feeds and surveillance infrastructure. Compromised cameras were reportedly used to observe sensitive locations and monitor the impact of military operations. The campaign reflects the increasing use of IoT surveillance devices as intelligence collection tools during geopolitical conflicts.
Malware/Tools: N/A
Targeted Country: Israel, UAE, Qatar, Bahrain, Kuwait, Lebanon, Cyprus
Threat Actor: State-linked cyber actors
Sector: Government, Science, Military
MITRE ATT&CK Techniques: T1190 – Remote Service Exploitation
Threat Severity: High
Recommendation: Remove internet exposure of IP cameras and place devices behind VPN or zero-trust access gateways; change default credentials and enforce strong authentication; regularly update firmware and patch known vulnerabilities; isolate surveillance devices on segmented networks; monitor authentication logs and outbound traffic for suspicious activity; prioritize remediation of vulnerabilities listed in the KEV catalog.

Mar 9, 2026

Fields (per entry): Campaign; IoC; Campaign Scope; Malware/Tools; Targeted Country; Threat Actor; Sector; MITRE ATT&CK Techniques; Threat Severity; Recommendation

Campaign: Seedworm Campaign – Cyber Espionage / Infrastructure Targeting
IoC: Indicators referenced include certificates issued to “Amy Cherne” and “Donald Gay” used in attacker tooling and infrastructure. No additional technical IoCs publicly disclosed in this advisory.
Campaign Scope: Ongoing cyber espionage and intrusion activity attributed to the Seedworm (MuddyWater) threat group targeting critical infrastructure and enterprise organizations. The campaign involves establishing persistent access to victim environments using custom backdoors and legitimate tools for data exfiltration and command execution. Targets include financial institutions, aviation organizations, software companies, and NGOs across North America and allied regions. The activity reflects expanded operational scope during geopolitical escalation and includes additional disruption attempts by aligned groups using DDoS techniques.
Malware/Tools: Dindoor Backdoor, Fakeset, Darkcomp, Rclone
Targeted Country: United States, Canada, Israel
Threat Actor: Seedworm (MuddyWater / Temp Zagros / Static Kitten), Handala, DieNet
Sector: Finance, IT, Government, Energy, Healthcare, Transportation
MITRE ATT&CK Techniques: T1566 – Phishing Initial Access; T1190 – Web Application Exploitation; T1078 – Valid Account Abuse; T1027 – Obfuscated Malware; T1560 – Data Collection & Archiving; T1041 – Data Exfiltration over C2
Threat Severity: Critical
Recommendation: Enforce multi-factor authentication across all remote access and privileged accounts; monitor outbound network traffic for abnormal data transfers; deploy web application firewalls and updated detection rules; restrict unauthorized external cloud storage access; maintain immutable offline backups; implement network segmentation and least-privilege access controls; conduct proactive threat hunting and continuous monitoring for indicators of compromise.

Campaign: Hacktivist Mobilization – Coordinated Cyber Activity / Disruption Campaigns
IoC: No specific IoCs publicly reported. Activity primarily coordinated through online communities and messaging platforms used by hacktivist groups to organize operations and publicize attacks.
Campaign Scope: Following recent geopolitical escalation, more than 60 hacktivist groups rapidly mobilized and began conducting cyber operations aligned with broader political objectives. These groups reportedly leveraged AI tools to enhance operational planning, target discovery, and messaging amplification. The surge in activity increases the complexity of the threat landscape by combining hacktivist operations with broader nation-state cyber activity, potentially leading to disruption campaigns, influence operations, and opportunistic attacks against organizations linked to geopolitical actors.
Malware/Tools: N/A
Targeted Country: United States, Israel, Iran
Threat Actor: Multiple hacktivist groups (various)
Sector: Multi-sector
MITRE ATT&CK Techniques: T1499 – Service Disruption (DDoS); T1585 – Online Persona Creation; T1598 – Social Engineering / Influence
Threat Severity: High
Recommendation: Heighten monitoring and incident response readiness; deploy strong intrusion detection and network monitoring; enforce multi-factor authentication and strong access controls; maintain up-to-date systems and security tools; conduct proactive threat hunting; prepare contingency plans for potential service disruptions or cyber incidents linked to geopolitical developments.

Campaign: Information Control Event – Internet Connectivity Disruption
IoC: No technical IoCs reported.
Campaign Scope: Ongoing nationwide internet disruption affecting connectivity and digital communications. The shutdown has restricted access to online services and information for several days, impacting civilian communication, media access, and digital services. While not a cyberattack, prolonged internet outages during geopolitical tensions can influence information flow, incident reporting, and the broader cyber threat landscape.
Malware/Tools: N/A
Targeted Country: Iran
Threat Actor: N/A
Sector: Telecommunications / Internet Infrastructure
MITRE ATT&CK Techniques: N/A
Threat Severity: Medium
Recommendation: Maintain awareness of regional connectivity disruptions and potential information flow limitations; monitor geopolitical developments that may correlate with cyber activity; ensure alternative communication channels and contingency plans are in place for operational continuity during large-scale connectivity disruptions.

Campaign: Cyber Espionage / Critical Infrastructure Targeting
IoC: No confirmed IoCs publicly disclosed.
Campaign Scope: Ongoing intrusion activity targeting critical infrastructure and high-value organizations during the current geopolitical escalation. Activity linked to the Seedworm threat cluster involves establishing persistent access within victim networks and deploying backdoors for potential intelligence collection or future disruption. Campaigns have targeted sectors such as telecommunications, defense, and infrastructure operators.
Malware/Tools: Backdoors (unspecified)
Targeted Country: United States
Threat Actor: Seedworm / MuddyWater / Temp Zagros / Static Kitten
Sector: Critical Infrastructure
MITRE ATT&CK Techniques: T1598 – Phishing / Initial Contact; T1190 – Public-Facing Exploitation; T1078 – Valid Accounts / Credential Abuse
Threat Severity: High
Recommendation: Strengthen network defenses across critical infrastructure environments; enforce multi-factor authentication and strong credential policies; monitor networks for unusual access patterns or backdoor activity; conduct proactive threat hunting and incident response exercises; share threat intelligence with trusted industry partners.

Campaign: Cyber Espionage / Backdoor Deployment – MuddyWater Dindoor Campaign
IoC: gitempire[.]s3[.]us-east-005[.]backblazeb2[.]com elvenforest[.]s3[.]us-east-005[.]backblazeb2[.]com uppdatefile[.]com serialmenot[.]com moonzonet[.]com
Campaign Scope: A cyber espionage campaign observed since early 2026 targeting organizations in strategic sectors including aviation, financial services, banking, and software companies connected to defense and aerospace supply chains. The attackers maintained persistence within victim networks for extended periods and attempted to exfiltrate sensitive data to cloud infrastructure using legitimate tools, indicating intelligence-gathering objectives aligned with ongoing geopolitical tensions.
Malware/Tools: Dindoor backdoor; Fakeset backdoor; Rclone; Deno runtime
Targeted Country: United States; Canada; Israel
Threat Actor: MuddyWater / Seedworm
Sector: Finance; IT; Defense; Aerospace; Banking
MITRE ATT&CK Techniques: T1071.001 – Web Communication; T1105 – Tool Transfer; T1059 – Command Execution; T1547 – Persistence; T1005 – Data Collection; T1041 – Data Exfiltration; T1567.002 – Cloud Exfiltration; T1219 – Remote Access
Threat Severity: High
Recommendation: Monitor for abnormal execution of Deno runtime processes and unexpected Rclone activity; implement behavioral detection for persistence mechanisms and remote access tools; conduct threat hunting for MuddyWater indicators; strengthen logging and monitoring of outbound traffic to cloud storage; ensure security tooling and threat intelligence feeds are regularly updated.

Campaign: RedAlert Mobile Espionage Campaign / Mobile Spyware Distribution
IoC: hxxps://www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk hxxp://bit[.]ly/3Ozydsn hxxps://api[.]ra-backup[.]com/analytics/submit[.]php
Campaign Scope: A mobile espionage campaign distributing a trojanized version of the legitimate Red Alert rocket warning application via SMS phishing messages. Victims are directed to sideload a malicious APK that mimics the official emergency alert application. Once installed, the malware collects sensitive data including SMS messages, contact lists, device information, and GPS location data while maintaining the appearance of a functional alert application. The campaign primarily targets civilians during the ongoing conflict and focuses on intelligence collection through mobile device compromise.
Malware/Tools: Android spyware (trojanized RedAlert APK)
Targeted Country: Israel
Threat Actor: Not attributed
Sector: Government; Defense; Military; Civilian Users
MITRE ATT&CK Techniques: T1566.002 – Phishing Link; T1476 – Malicious App Delivery; T1409 – Sensitive Data Access; T1416 – SMS Collection; T1430 – Location Tracking; T1421 – System Discovery; T1404 – Data Exfiltration; T1027 – Obfuscation
Threat Severity: High
Recommendation: Only download applications from official app stores and verify the developer before installation; avoid installing APK files from SMS or unknown links; review application permissions carefully; deploy mobile threat defense solutions where possible; educate users on mobile phishing risks, especially during periods of heightened geopolitical tension.

Campaign: Cyber Espionage / Infrastructure Targeting – State-Aligned Activity
IoC: 37[.]1[.]213[.]152 184[.]75[.]210[.]206 162[.]0[.]230[.]185
Campaign Scope: Increased cyber activity linked to multiple state-aligned threat actors conducting reconnaissance, credential abuse, and network probing against organizations globally amid heightened geopolitical tensions. The activity appears focused on early-stage intrusion and access establishment that could enable espionage or future disruptive operations. Targeted sectors include manufacturing, transportation, telecommunications, energy, government, finance, and defense-related organizations.
Malware/Tools: Not specified
Targeted Country: Middle East; Europe; United States
Threat Actor: MuddyWater / APT34 / OilRig / Seedworm; APT33 / Elfin / Refined Kitten; UNC1549 / CURIUM / Tortoise Shell / Crimson Sandstorm
Sector: Telecoms; Energy; Government; Transport; Manufacturing; Finance; Defense; Aerospace
MITRE ATT&CK Techniques: T1566.001 – Phishing Attachment; T1110 – Brute Force; T1110.003 – Password Spraying; T1078 – Valid Accounts; T1190 – Public-Facing Exploit; T1059.001 – PowerShell Execution; T1046 – Network Scanning; T1087 – Account Discovery; T1083 – File Discovery; T1021 – Remote Services
Threat Severity: High
Recommendation: Implement multi-factor authentication and strong credential policies; patch public-facing systems and monitor for exploitation attempts; enhance network monitoring for scanning or credential abuse; conduct proactive threat hunting for indicators linked to Iranian APT groups; review incident response plans and strengthen threat intelligence sharing.

Campaign: Mobile Exploitation Campaign / Watering-Hole Attack – Coruna iOS Exploit Kit
IoC: TO ADVISE
Campaign Scope: A mobile exploitation campaign leveraging the Coruna iOS exploit kit targeting iPhones running iOS 13–17.2.1. The campaign has been observed in watering-hole attacks on compromised Ukrainian websites and in cryptocurrency-related scam pages. The exploit kit uses malicious web pages and hidden iframe mechanisms to deliver exploit chains and connect infected devices to attacker-controlled infrastructure for surveillance or further exploitation. Infrastructure includes domains disguised as gambling, gaming, cryptocurrency, and promotional sites.
Malware/Tools: Coruna iOS Exploit Kit
Targeted Country: Ukraine
Threat Actor: Not attributed
Sector: Not specified
MITRE ATT&CK Techniques: T1189 – Drive-by Compromise; T1059 – Command Execution; T1071 – Web Communication; T1090 – Proxy Use; T1573 – Encrypted Channel; T1568 – Dynamic Resolution; T1583.001 – Domain Infrastructure; T1608.001 – Malware Staging; T1204 – User Interaction
Threat Severity: High
Recommendation: Ensure iOS devices are updated with the latest security patches; deploy mobile device management (MDM) or mobile threat defense solutions where possible; restrict access to suspicious or untrusted websites; educate users about watering-hole and scam-related phishing pages; monitor network traffic for connections to suspicious domains or exploit delivery infrastructure.

Mar 8, 2026

Fields (per entry): Campaign; IoC; Campaign Scope; Malware/Tools; Targeted Country; Threat Actor; Sector; MITRE ATT&CK Techniques; Threat Severity; Recommendation

Campaign: Cyber Reconnaissance / IoT Surveillance Exploitation
IoC: CVE-2017-7921; CVE-2021-36260; CVE-2023-6895; CVE-2025-34067; CVE-2021-33044
Campaign Scope: Iran-linked cyber actors conducted large-scale scanning and exploitation attempts against internet-exposed surveillance cameras across the Middle East. The campaign targeted Hikvision and Dahua IP cameras to gain unauthorized access and potentially obtain real-time video intelligence. Compromised devices could enable reconnaissance, monitoring of strategic locations, and battle damage assessment during regional military operations. Activity correlates with heightened geopolitical tensions and demonstrates the use of compromised IoT infrastructure to support physical military intelligence operations.
Malware/Tools: Hikvision IP Cameras; Dahua Surveillance Systems
Targeted Country: Israel; Kuwait; Qatar; UAE; Bahrain; Lebanon
Threat Actor: Iran-linked threat actors
Sector: Military; Government; Administration
MITRE ATT&CK Techniques: T1595 – Active Scanning; T1590 – Reconnaissance; T1190 – Public-Facing Exploit; T1046 – Service Discovery; T1021 – Remote Access; T1071 – Web Communication
Threat Severity: High
Recommendation: Remove direct internet exposure of surveillance devices; place cameras behind VPN or zero-trust access gateways; apply latest firmware patches; replace unsupported devices; enforce strong unique credentials; segment surveillance devices into isolated network zones; monitor logs for suspicious login attempts and abnormal outbound connections.

Campaign: Opportunistic Cybercrime / Phishing & Malware Distribution – Conflict-Themed Campaigns
IoC: hxxp://www[.]e-kflower[.]com/_prozn/_skin_mbl/home/KApp[.]rar hxxps://www[.]360printsol[.]com/2026/alfadhalah/thumbnail?img=index[.]png hxxp://www[.]e-kflower[.]com/_prozn/_skin_mbl/home/KAppl[.]rar 172[.]81[.]60[.]97 017[.]65c[.]mytemp[.]website arch[.]megadatahost1[.]lol arch2[.]maxdatahost1[.]cyou arch2[.]megadatahost1[.]lol cfgomma[.]com flourishingscreencousin[.]com goldman-iran-krieg[.]pages[.]dev irandonation[.]org khameneisol[.]xyz lettucecircumvent[.]com media[.]hyperfilevault2[.]mom media[.]maxdatahost1[.]cyou media[.]megadatahost1[.]lol media[.]megafilehost2[.]sbs nowarwithiran[.]store
Campaign Scope: Multiple malware and phishing campaigns exploiting geopolitical tensions in the Middle East. Threat actors distribute malware through conflict-themed lures, fake news blogs, fraudulent donation portals, and impersonation websites targeting victims across government, finance, and digital services sectors. Attack techniques include DLL sideloading using legitimate binaries, malicious LNK execution, CHM exploitation, shellcode loading, and remote management tool hijacking to establish persistence and exfiltrate data.
Malware/Tools: LOTUSLITE; StealC
Targeted Country: Middle East; Bahrain; Israel
Threat Actor: Mustang Panda (suspected activity)
Sector: Government; Military; Finance; Banking; Digital Services; IT/ISP; High-Value Individuals
MITRE ATT&CK Techniques: T1204 – User Execution; T1566 – Phishing; T1218 – Signed Binary Proxy Execution; T1071 – Web Communication; T1547 – Persistence; T1059 – Command Execution; T1105 – Tool Transfer; T1053 – Scheduled Task; T1090 – Proxy; T1083 – File Discovery; T1027 – Obfuscation
Threat Severity: High
Recommendation: Minimize exposure of internet-facing applications and VPN services; inspect network traffic for malware delivery and exploit activity; enforce least-privilege access controls and strong MFA; monitor for suspicious persistence mechanisms or proxy usage; conduct security awareness training to mitigate phishing and fraud risks; perform regular threat hunting and security assessments.

Mar 6, 2026

Fields (per entry): Campaign; IoC; Campaign Scope; Malware/Tools; Targeted Country; Threat Actor; Sector; MITRE ATT&CK Techniques; Threat Severity; Recommendation

Opportunistic Cybercrime / Phishing & Malware Distribution
Large number of newly registered domains (>8,000) using conflict-related keywords and malicious infrastructure distributing malware (full IoC list extensive).
Surge in opportunistic cyber activity exploiting geopolitical tensions in the Middle East. Observed campaigns include phishing attacks using conflict-themed lures, fake news blogs distributing malware, fraudulent websites impersonating legitimate services, donation scams, and cryptocurrency-related fraud campaigns. Some operations delivered malware via DLL sideloading while leveraging compromised or newly registered domains to host payloads and phishing infrastructure.
StealC; LOTUSLITE backdoor
Bahrain; Iran; Israel; Iraq; United States
Mustang Panda (associated activity observed)
Finance; Government; IT
T1566.001 – Spearphishing Attachment; T1189 – Drive-by Compromise; T1059.001 – PowerShell; T1555.003 – Credentials from Web Browsers; T1584.001 – Compromise Infrastructure: Domains; T1583.001 – Acquire Infrastructure: Domains; T1078 – Valid Accounts
High
Reduce attack surface through strong access controls and least-privilege policies; enforce multi-factor authentication; inspect network traffic to detect malicious domains and payload delivery; implement threat hunting for conflict-themed phishing campaigns and malware indicators; conduct regular security awareness training and risk assessments to mitigate social-engineering threats.
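Lists of several thousand conflict-themed registrations age quickly, so the practical control is to score newly registered domains as they appear rather than to block yesterday's list. The Python below is an added example, not tooling from this feed: it scores candidate domains on conflict keywords taken from domains listed in this feed, on edit distance to a protected label (the typosquats abudhabspacedebate / abudhbispacedebate elsewhere on this page are one edit away from abudhabispacedebate), and on cheap bulk-registration TLDs. The keyword list, the protected labels, the TLD set and the threshold are assumptions for the example, and the sample list is constructed from indicators in this feed plus two benign controls.

```python
import re

# Keywords drawn from domains listed in this feed (irandonation, nowarwithiran,
# khameneisol, goldman-iran-krieg). Assumed list; extend it for your watchlist.
KEYWORDS = ("iran", "israel", "war", "krieg", "donation", "khamenei", "gaza", "alert")
# Legitimate labels to protect from lookalikes (assumed for the example: the
# event the CandleStone lures impersonate, and the Rocket Alert app name).
PROTECTED = ("abudhabispacedebate", "rocketalert")
# TLDs that dominate bulk, low-cost registrations (assumed set).
CHEAP_TLDS = {"xyz", "lol", "cyou", "mom", "sbs", "store", "shop", "site", "pro", "info"}

# Constructed input: feed indicators (refanged) plus two benign controls.
SAMPLE_NRD = [
    "irandonation.org", "nowarwithiran.store", "khameneisol.xyz",
    "abudhabspacedebate.com", "abudhbispacedebate.com", "media.megadatahost1.lol",
    "example-bakery.com", "github.com",
]


def levenshtein(a, b):
    """Edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Return (second-level label, tld). Multi-part public suffixes such as
    co.uk are ignored here; a real deployment would use a PSL library."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def score_domain(domain):
    label, tld = registrable_label(domain)
    score, reasons = 0, []
    hits = [k for k in KEYWORDS if k in label]
    if hits:
        score += 2 * len(hits)
        reasons.append("keywords:" + ",".join(hits))
    for ref in PROTECTED:
        d = levenshtein(label, ref)
        # An exact match in a *new* registration is a lookalike in another TLD.
        if d <= 2:
            score += 4
            reasons.append(f"lookalike of {ref} (edit distance {d})")
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append("cheap tld")
    if re.search(r"[a-z]\d+$", label):  # bulk-numbered labels such as megadatahost1
        score += 1
        reasons.append("numbered label")
    return score, reasons


def triage(domains, threshold=3):
    """Domains scoring at or above threshold, highest score first."""
    scored = [(d, *score_domain(d)) for d in domains]
    return sorted((x for x in scored if x[1] >= threshold), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_NRD):
        print(f"{score:2d} {domain:26s} {'; '.join(reasons)}")
```

Run against a daily NRD feed, the output is a short review queue rather than a block decision; the lookalike check is the part worth tuning, since a legitimate brand registering its own name in a new TLD will also score.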
Hacktivism / DDoS & Website Defacement Campaign
No specific IoCs reported.
Ongoing hacktivist cyber operations attributed to the Fatimion Cyber Team, involving Distributed Denial of Service (DDoS) attacks, website defacements, and database data exfiltration. The group has conducted sustained activity across the Middle East since 2023 and continues operations into 2026, combining disruptive cyber activity with coordinated information operations aimed at amplifying psychological and political impact.
Not specified
Not specified
Fatimion Cyber Team
Not specified
T1499 – Endpoint Denial of Service (DDoS); T1491 – Defacement; T1041 – Exfiltration Over C2 Channel; information operations (no corresponding ATT&CK Enterprise technique)
Medium
Implement DDoS mitigation and web application protection mechanisms; monitor web assets for defacement attempts; strengthen database access controls and logging; deploy intrusion detection and monitoring for data exfiltration; monitor online channels for coordinated influence or disinformation activity related to hacktivist campaigns.
Cyber Espionage / Backdoor Deployment – MuddyWater Dindoor Campaign
No specific IoCs reported in the advisory.
A cyber espionage campaign attributed to the MuddyWater APT group targeting banks, airports, nonprofits, and a software supplier connected to the defense and aerospace sector. The campaign deploys newly identified backdoors to establish persistent access in victim networks, enabling long-term surveillance and potential data exfiltration. Attackers leveraged legitimate tools for data transfer to cloud storage and may use the foothold for future disruptive or destructive operations amid ongoing geopolitical tensions.
Dindoor; Fakeset; Rclone; Deno runtime
United States; Israel; Saudi Arabia; Iraq; UAE; Georgia; India; Pakistan; Turkey
MuddyWater / Seedworm / TEMP.Zagros / Mango Sandstorm / TA450 / Static Kitten
Finance; IT; Energy; Government; Aerospace; Defense
T1566 – Phishing; T1105 – Ingress Tool Transfer; T1078 – Valid Accounts; T1190 – Exploit Public-Facing Application
High
Strengthen phishing defenses and user awareness; monitor networks for unusual use of tools such as Rclone or abnormal cloud storage access; enforce multi-factor authentication and strong credential management; patch public-facing systems; implement network segmentation and threat hunting for MuddyWater indicators.
Cyber Espionage / Spear-Phishing Malware Campaign
No public IoCs disclosed in the advisory.
A targeted phishing campaign against Iraqi government officials using lures impersonating Iraq’s Ministry of Foreign Affairs. The operation delivers previously unseen malware families designed to establish persistence and conduct espionage activities. The attack chain uses phishing emails and fake Cisco Webex meeting pages to trigger PowerShell execution and deploy multi-stage malware capable of in-memory execution and evasion.
SPLITDROP; TWINTASK; TWINTALK; GHOSTFORM
Iraq
Dust Specter (Iran-linked)
Government
T1566 – Phishing; T1204 – User Execution; T1059.001 – PowerShell; T1105 – Ingress Tool Transfer; T1027 – Obfuscated Files or Information; T1547 – Boot or Logon Autostart Execution
High
Strengthen email security controls and phishing detection; conduct user awareness training to identify impersonation attempts; deploy EDR solutions to detect suspicious PowerShell and in-memory execution; apply application control to block unauthorized binaries; monitor network traffic for anomalous activity and emerging indicators linked to Dust Specter campaigns.

Mar 5, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
Mobile Exploitation Campaign / iOS Exploit Kit Activity
Multiple exploit delivery domains, configuration servers, and C2 infrastructure associated with the Coruna exploit kit (extensive IoC set reported).
A mobile exploitation campaign leveraging the Coruna iOS exploit kit targeting Apple iPhone devices. The campaign uses malicious web infrastructure to deliver exploits through exploit chains designed to compromise vulnerable iOS devices. The exploit kit includes delivery infrastructure, implant servers, and command-and-control channels used for post-exploitation control and potential surveillance or data collection from compromised devices.
Coruna iOS Exploit Kit
Not specified
Not attributed
Not specified
T1189 – Drive-by Compromise; T1071 – Application Layer Protocol; T1059 – Command and Scripting Interpreter
High
Ensure iOS devices are updated to the latest security patches; deploy mobile device management (MDM) or mobile threat defense solutions where possible; restrict access to suspicious websites or links; monitor mobile device behavior for abnormal network connections or exploit activity; educate users about risks of malicious links and exploit delivery pages.
Cyber Reconnaissance / IoT Surveillance Exploitation
No specific IoCs reported.
Large-scale scanning and exploitation attempts targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries following recent missile strikes. Attackers search for exposed devices with weak or default credentials and attempt to exploit known vulnerabilities to gain access. Compromised cameras could provide reconnaissance capabilities, enabling monitoring of locations, infrastructure, or individuals during periods of geopolitical tension.
Internet-connected surveillance cameras (IoT devices)
Israel; Middle East
State linked threat actors (suspected)
Not specified
T1190 – Exploit Public-Facing Application; T1110 – Brute Force; T1046 – Network Service Discovery
High
Update firmware on all internet-exposed surveillance cameras; enforce strong and unique credentials and disable default passwords; segment IoT devices from core networks; monitor network traffic for unusual connections from camera systems; deploy intrusion detection or prevention mechanisms and prioritize patching of disclosed vulnerabilities.
Data Breach / Financial Data Leak
No IoCs reported.
A data leak involving the Ariomex cryptocurrency exchange exposed a database containing information on over 11,800 users, including identities, emails, IP addresses, and cryptocurrency transaction records between 2022–2025. The data reportedly surfaced on dark web forums and may enable tracking of financial activity associated with Iranian users and entities. Initial analysis suggests the breach may have originated from a compromised customer support system, potentially exposing transaction patterns and incomplete or altered KYC information.
Not specified
Global users of the platform
Not attributed
Finance / Cryptocurrency
T1078 – Valid Accounts (account access abuse); T1190 – Exploit Public-Facing Application (system compromise); T1567 – Exfiltration Over Web Service (data leak)
Medium
Implement strong access controls and MFA across all financial platforms; enhance monitoring and logging to detect anomalous access to customer databases; conduct regular security assessments of customer support systems and external-facing services; deploy data loss prevention (DLP) controls to protect sensitive financial information; monitor dark web sources for potential exposure of organizational data.
Cyber Espionage / Network Intrusion
No IoCs reported.
A sustained intrusion campaign attributed to an Iranian state-linked threat actor targeted several U.S. organizations across finance, transportation, and software sectors. The attackers reportedly established persistent access within victim networks, embedding a custom implant that allows remote control and long-term intelligence collection. The activity began in early 2026 and intensified following geopolitical tensions, suggesting pre-positioning within networks for potential data exfiltration or future disruptive activity.
Custom backdoor implant
United States
MuddyWater
Finance, IT, Transportation
T1598 – Phishing for Information; T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts; T1059 – Command and Scripting Interpreter
High
Enhance monitoring for unusual outbound traffic and lateral movement; enforce multi-factor authentication across all privileged accounts; regularly patch external-facing systems and services; deploy endpoint detection and response (EDR) to identify persistence mechanisms; conduct security awareness training to reduce phishing risks; implement intrusion detection/prevention systems (IDS/IPS) and proactive threat hunting for indicators linked to MuddyWater activity.
Cyber Espionage / IoT Surveillance Intrusion
No IoCs reported.
Reports indicate a cyber-enabled intelligence operation in which traffic camera infrastructure in Iran was compromised to enable surveillance and tracking of high-value individuals. The operation allegedly leveraged access to internet-connected cameras to monitor movement patterns and gather real-time situational intelligence. The activity highlights how IoT and surveillance infrastructure can be exploited for reconnaissance and intelligence collection supporting broader geopolitical or military objectives.
Compromised traffic camera systems (IoT devices)
Iran
State-linked actor
Government, Critical Infrastructure
T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts; T1189 – Drive-by Compromise
Medium
Secure internet-connected cameras and IoT devices by disabling direct internet exposure; enforce strong authentication and device-level encryption; apply firmware updates and patch known vulnerabilities; segment surveillance infrastructure from enterprise networks; monitor access logs and network traffic for anomalous device activity; conduct regular security assessments of IoT deployments in critical environments.
Operation CandleStone – Cyber Espionage / Spear-Phishing Campaign
health-beauty-skin-care[.]com abudhabspacedebate[.]com abudhbispacedebate[.]com huammings[.]com
An active cyber-espionage campaign attributed to a state-linked threat actor targeting organizations in the UAE’s aerospace, defense, government, and energy sectors. The operation uses spear-phishing emails themed around the Abu Dhabi Space Debate to deliver malicious archives containing VHD files designed to bypass Windows Mark-of-the-Web protections (MotW is not propagated to files inside a mounted disk image). Once executed, the attack chain leverages DLL sideloading to deploy the CandleStone backdoor and supporting malware, enabling reconnaissance, credential theft from Chromium-based browsers, and encrypted command-and-control communications. Analysts assess the activity may represent early-stage intelligence collection potentially preceding more disruptive operations.
Phoenix v4 RAT; Chromium credential stealer; FakeUpdate loader
United Arab Emirates
APT33 (Peach Sandstorm / Elfin / Magnallium / Refined Kitten)
Government, Aerospace, Defense, Energy
T1566.001 – Spearphishing Attachment; T1553.005 – Mark-of-the-Web Bypass; T1574.002 – DLL Side-Loading; T1071.001 – Web Protocols
High
Block identified campaign domains; restrict mounting of VHD/ISO disk images through Group Policy; monitor for abnormal execution of mounted disk content and LNK files; hunt for dxgi.dll loaded by ApplicationFrameHost.exe from any path other than %SystemRoot%\System32 (the legitimate load from System32 is constant background noise; the side-load places a copy of the host binary next to a malicious dxgi.dll, typically on the mounted image); deploy EDR detection for DLL sideloading behavior and suspicious outbound connections; strengthen phishing detection and user awareness controls.
RedAlert – Mobile Espionage / Trojanized Application Campaign
No IoCs reported.
A mobile espionage campaign exploiting the conflict by distributing a trojanized version of the legitimate Rocket Alert application used for missile warning notifications. The malicious application targets civilians by masquerading as the official alert app while covertly collecting sensitive personal data, device information, and geolocation data. The campaign leverages heightened public reliance on emergency warning systems during conflict to trick users into installing the malicious application, enabling surveillance and intelligence collection.
Trojanized Rocket Alert Android application (mobile spyware)
Israel, Iran
Not attributed
Government, Civilian
T1588.002 – Obtain Capabilities: Tool; T1189 – Drive-by Compromise (malicious app distribution); T1430 – Location Tracking (ATT&CK Mobile)
High
Only install mobile applications from official app stores and verify developer authenticity; review and restrict excessive application permissions; deploy Mobile Threat Defense (MTD) solutions to detect malicious apps; educate users about risks of installing apps from external sources; verify emergency alerts and applications through official government channels.
Ransomware Activity / Data Leak Operations
No IoCs reported
Threat monitoring in early March 2026 observed continued ransomware activity and dark web–related operations. The Morpheus ransomware group reportedly targeted a manufacturing organization, while another ransomware actor resumed activity by re-publishing previously stolen victim data on leak sites to increase extortion pressure. Additionally, multiple hacktivist-style cyber activities were observed targeting organizations in regions affected by the ongoing conflict. These activities indicate a combination of financially motivated ransomware operations and politically themed cyber disruptions.
Morpheus ransomware
South Korea; Middle East region
Not attributed
Manufacturing
T1486 – Data Encrypted for Impact; T1567 – Exfiltration Over Web Service; T1499 – Endpoint Denial of Service
Medium
Maintain secure and regularly tested offline backups; enforce multi-factor authentication across critical systems; apply timely patching to reduce ransomware exposure; monitor networks for indicators of data exfiltration and unusual traffic patterns; strengthen logging, intrusion detection, and threat hunting capabilities; monitor dark web sources for potential exposure of organizational data.
Cyber Espionage Campaign / Spear-Phishing Intrusion
b8254efd859f5420f1ce4060e4796c08 8621be9e1aa730d1ac8eb06fa8f66d9da70ff293 903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74 78275f3fc7e209b85bff6a6f99acc68a Fc08f8403849c6233978a363f4cdc58cd7041823 6bb0d45799076b3f2d7f602b978a0779868fc72a1188374f6919fbbfba23efce d5ddf40ba2506c57d3087d032d733e08 682c043443cb81b6c2fde8c5df43333f5d1fec53 797325b3c8a9356dcace75d93cb5cfb7847d2049c66772d4cc2cee821618cb96 8f44262afaa171b78fc9be20a0fb0071 1debc4c512ded889464e386739d5d2f61b87ff13 293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779 19ab3fd2800f62a47bf13a4cc4e4c124 c79c261457def606c3393dde77c82832a5c0ded3 ad26cd72a83b884a8bc5aaa87309683953e151ebb3fde42eda7bf9a4406e530d 63702bd6422ec2d5678d4487146ea434 c7dff3a0675f330feb9a7c469f8340369451d122 f3f2dc31f70a105db161a5e7b463b2215d3cbd64ac0146fd68e39da1c279f7ef aa887d32eb9467abba263920e55d6abe ad97e1bba1d040a237727afdb2787d6867d72b74 6af71297ce7681e64d9a4c5449a7326f17f3f107cb7940ec5e0840390c457a47 b19add5ccaa17a1308993e6f3f786b06 51a746c85bd486f223130173b7e674379a51b694 69294ad90aeb7f05e501e7191c95beb14e23da5587dd75557c867e2944a57fdc 7f17fa22feaced1a16d4d39c545cdb16 369b56a89b2fce2cbdc36f5a23bdec6067242911 fa51aff99d86a9f1f65aa0ebbf6ca40411d343cea59370851ab328b97e2164bb 70a9b537b9b7e1b410576d798e6c5043 cb1760c90fb6c399e0125c7aa793efe37c4ce533 a27d53608ab05b5c7cb86bcf4a273435238beeb7e7efd7845375b2aa765f51e2 a7561eb023bb2c4025defcfe758d8ac2 df04e36c106691f9fe88e5798e4ae86438bd4f1d eb5b7275c41de8e98d72696eeac9cba3719f334f8e7974e6b8760ece820b1d0c 809139c237c4062baecab43570060d67 8735ee29c409b8d101eb3170f011455be41b7a91 3a66ae5942f6feb79cf81ee70451f761253e0e0bde95f0840abdd42a804fad39 lecturegenieltd[.]pro meetingapp[.]site afterworld[.]store girlsbags[.]shop onlinepettools[.]shop web14[.]info web27[.]info
A cyber-espionage campaign targeting government officials through social-engineering lures such as fake government documents and meeting invitations. The intrusion delivers previously undocumented .NET-based malware families enabling command execution, file transfer, and remote system control through command-and-control infrastructure. Observed techniques include DLL sideloading, PowerShell execution, registry modification, delayed execution, and obfuscated network communication. The activity indicates a targeted intelligence-gathering operation using compromised infrastructure and advanced evasion methods.
SPLITDROP; TWINTASK; TWINTALK; GHOSTFORM
Iraq
Dust Specter (suspected state-linked)
Government, Administration
T1583.001 – Acquire Infrastructure: Domains; T1587.001 – Develop Capabilities: Malware; T1204.004 – User Execution: Malicious Copy and Paste; T1112 – Modify Registry; T1574.002 – DLL Side-Loading; T1071.001 – Web Protocols
High
Implement application allow-listing to prevent unauthorized DLL sideloading; block password-protected archives from unverified senders; enable PowerShell script block logging and monitor registry Run keys for persistence; inspect outbound HTTPS traffic for anomalous URI patterns or unusual authentication headers; regularly patch systems and maintain updated endpoint protection; conduct user awareness training to identify phishing attempts.
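The hash list in this entry interleaves MD5, SHA-1 and SHA-256 values, and every network indicator in this feed is defanged with hxxp and [.] so it cannot be clicked. Before such a list goes into a blocklist or SIEM watchlist it has to be refanged and typed. The Python below is an added example, not tooling from this feed: it refangs each token, classifies it by shape (URL, IP address, domain, MD5/SHA-1/SHA-256), and also extracts the host of every URL so the infrastructure behind a download link lands in the IP or domain set. The sample input is constructed from indicators published in this feed (the e-kflower and 360printsol URLs, one IP, one domain, and hashes from this entry); the output key names are the example's own.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the defanged notation this feed uses.
SAMPLE = """
hxxp://www[.]e-kflower[.]com/_prozn/_skin_mbl/home/KApp[.]rar
hxxps://www[.]360printsol[.]com/2026/alfadhalah/thumbnail?img=index[.]png
172[.]81[.]60[.]97
arch[.]megadatahost1[.]lol
b8254efd859f5420f1ce4060e4796c08
8621be9e1aa730d1ac8eb06fa8f66d9da70ff293
903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74
Fc08f8403849c6233978a363f4cdc58cd7041823
"""

HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(token):
    """Undo the hxxp / [.] / [:] defanging used in CTI reports."""
    t = token.strip().strip('"“”')
    t = t.replace("[.]", ".").replace("[:]", ":")
    if t[:4].lower() == "hxxp":
        t = "http" + t[4:]
    return t


def classify(token):
    """Return (kind, normalised value). Hashes are lower-cased; URLs keep case."""
    t = refang(token)
    low = t.lower()
    if low.startswith(("http://", "https://")):
        return "url", t
    if HEX_RE.match(low) and len(low) in HASH_LEN:
        return HASH_LEN[len(low)], low
    try:
        ipaddress.ip_address(t)
        return "ip", t
    except ValueError:
        pass
    if DOMAIN_RE.match(low):
        return "domain", low
    return "unknown", t


def parse_iocs(text):
    """Whitespace-separated indicator list -> {kind: [values]} with duplicates dropped.
    URL hosts are recorded separately under ip_from_url / domain_from_url so a
    blocklist can cover the delivery server, not only the exact path."""
    buckets = defaultdict(list)

    def add(kind, value):
        if value not in buckets[kind]:
            buckets[kind].append(value)

    for token in text.split():
        kind, value = classify(token)
        add(kind, value)
        if kind == "url":
            host = urlsplit(value).hostname or ""
            host_kind, host_value = classify(host)
            add(host_kind + "_from_url", host_value)
    return dict(buckets)


if __name__ == "__main__":
    for kind, values in parse_iocs(SAMPLE).items():
        print(kind, len(values), values)
```

Anything that lands in the unknown bucket (a truncated hash, a stray word from the report) is worth a manual look before the list is loaded, which is why the parser keeps it rather than silently dropping it.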
Cyber Threat Escalation / Early Warning
No IoCs reported.
Threat intelligence reporting indicates a heightened risk of destructive cyber activity following ongoing geopolitical tensions. Analysts assess that cyber operations may focus on critical infrastructure sectors, including energy, transportation, communications, government, finance, water, and healthcare. The anticipated activity may prioritize disruptive or destructive actions rather than intelligence collection, potentially accompanied by information manipulation campaigns. While large-scale systemic disruption is considered less likely, organizations with exposed or poorly protected infrastructure may face increased targeting risk.
Not specified
Multiple regions
State-linked actors (not specified)
Energy, Finance, IT, Government, Healthcare, Transportation, Water
T1485 – Data Destruction; T1490 – Inhibit System Recovery; T1562.001 – Impair Defenses: Disable or Modify Tools
Medium
Strengthen defenses across critical infrastructure environments; review and update incident response and business continuity plans; ensure strong network segmentation and secure backups; enhance monitoring for abnormal system behavior; conduct vulnerability management and patching for internet-exposed systems; maintain executive awareness and ongoing threat intelligence monitoring.

Mar 4, 2026

Campaign
IoC
Campaign Scope
Malware/ Tools
Targeted Country
Threat Actor
Sector
MITRE ATT&CK Techniques
Threat Severity
Recommendation
AI-Enabled Cyber Operations / Emerging Threat Landscape
No specific IoCs reported.
Threat intelligence reporting highlights the increasing use of AI to automate cyber operations, enabling rapid exploit development, network reconnaissance, phishing campaigns, and deepfake-enabled social engineering. Nation-state actors and cybercriminal groups are leveraging AI and Living-off-the-Land (LotL) techniques to conceal malicious activity within trusted cloud services and accelerate attack timelines. The report also notes a rise in token theft campaigns and large-scale DDoS attacks reaching record traffic volumes.
LummaC2; Aisuru; Cloud service abuse (Google Drive, Microsoft Teams, Amazon S3)
Not specified
Salt Typhoon; Linen Typhoon; FrumpyToad; PunyToad; NastyShrew; PatheticSlug; CrustyKrill
IT; Government; Telecommunications; Finance
T1598 – Phishing for Information; T1078 – Valid Accounts; T1190 – Exploit Public-Facing Application; T1027 – Obfuscated Files or Information; T1059.001 – PowerShell; T1071.001 – Web Protocols
High
Deploy autonomous and AI-assisted defense capabilities; enforce strong email authentication controls (DMARC, DKIM, SPF); implement Zero Trust access policies across SaaS platforms; continuously audit third-party API integrations; strengthen monitoring for token theft and suspicious cloud service activity; conduct proactive threat hunting and maintain robust incident response procedures.
Operation Epic Fury / Cyber Conflict Escalation Advisory
N/A
Following the launch of Operation Epic Fury on February 28, 2026, involving coordinated military and cyber operations, analysts assess an increased likelihood of retaliatory cyber activity and disruptive operations linked to the geopolitical escalation. While no specific malware or threat actors have been confirmed, the conflict raises the probability of cyber espionage, disruption, and destructive attacks targeting government systems, energy infrastructure, and military-related organizations.
N/A
Iran; United States; Israel; Middle East
Not attributed
Government; Military; Energy
Assessed, not yet observed: T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1078 – Valid Accounts
High
Review and test incident response plans for nation-state attack scenarios; enforce multi-factor authentication and strong access controls; strengthen network segmentation and monitoring; patch critical vulnerabilities promptly; conduct proactive threat hunting and share threat intelligence with trusted partners to detect potential retaliatory cyber operations.
Cyber Espionage / AI-Assisted Malware Campaign
No specific IoCs reported.
Targeted campaign against Iraqi government officials leveraging phishing and social engineering to deliver AI-assisted custom .NET malware. The attack chains combine DLL sideloading, in-memory PowerShell execution, and ClickFix-style lures impersonating Iraq’s Ministry of Foreign Affairs. Attackers also leveraged compromised government infrastructure to increase credibility and deliver payloads, suggesting a coordinated espionage effort designed to evade detection and maintain persistence.
Custom .NET malware; PowerShell; DLL sideloading
Iraq
Dust Specter (Iran-linked)
Government
T1566.001 – Spearphishing Attachment; T1059.001 – PowerShell; T1574.002 – DLL Side-Loading; T1105 – Ingress Tool Transfer
High
Deploy advanced email filtering and phishing detection; use EDR solutions to detect DLL sideloading and in-memory execution; regularly patch systems and applications; strengthen network segmentation; conduct targeted security awareness training for government personnel; monitor networks for suspicious behavior and anomalous PowerShell activity.
Cyber Activity Surge / Conflict-Related Threat Landscape
No IoCs reported.
Increased cyber activity has been observed following recent geopolitical tensions, including hacktivist-style activity, psychological operations, opportunistic phishing campaigns, and exploitation of public-facing systems. Some incidents include application defacement, broadcast intrusions, and temporary internet connectivity disruptions, while other threat actors appear to be leveraging the broader conflict as a theme for phishing and malware distribution. Analysts highlight a potential delayed activation pattern, where initial access may be established in advance and used later for disruptive or destructive operations.
Not specified
Middle East region
Not attributed
Finance, Energy, IT, Government
T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1562 – Impair Defenses; T1485 – Data Destruction; T1486 – Data Encrypted for Impact; T1133 – External Remote Services
Medium
Strengthen cyber hygiene through timely patching and vulnerability management; enforce multi-factor authentication (MFA) across remote access services; reduce exposure of internet-facing systems; maintain regular security awareness training; implement strong backup and recovery procedures; leverage security monitoring tools such as SIEM, NDR, and deception technologies; enhance threat intelligence sharing and continuous exposure monitoring.
Hacktivism / Distributed Denial-of-Service (DDoS) Campaign
No IoCs reported.
A surge in hacktivist cyber activity has been observed following escalating regional tensions, with 149 DDoS attacks impacting approximately 110 organizations across 16 countries within a short time frame. The activity appears coordinated and primarily focused on service disruption rather than long-term compromise. Analysts note that a small number of hacktivist groups were responsible for a significant portion of the attacks, indicating organized campaigns leveraging DDoS techniques to disrupt online services and increase visibility during the broader conflict environment.
DDoS attack infrastructure
Multiple regions
Keymous+; DieNet
Multiple sectors
T1499 – Endpoint Denial of Service (DDoS); T1190 – Exploit Public-Facing Application; T1566 – Phishing (potential initial access)
Medium
Deploy DDoS mitigation services and traffic filtering; monitor network traffic for abnormal spikes and volumetric attacks; maintain updated incident response procedures for service disruption scenarios; regularly patch internet-facing systems; strengthen security awareness programs to reduce phishing risks; implement centralized logging and monitoring to quickly detect coordinated attack activity.
Cyber Espionage Campaign / Spear-Phishing Intrusion
No IoCs reported
A targeted cyber-espionage campaign against government officials using social-engineering lures such as password-protected archives disguised as official documents and fake online forms to deliver newly observed malware families. The intrusion chain uses DLL sideloading through legitimate applications, PowerShell execution, registry persistence, and encrypted command-and-control communications. The malware supports remote command execution, file transfer, and system control. Analysts also noted indicators suggesting automated or AI-assisted malware development techniques within the tooling used in the campaign.
SPLITDROP; TWINTASK; TWINTALK; GHOSTFORM
Iraq
Dust Specter (suspected state-linked)
Government
T1566 – Phishing; T1204 – User Execution; T1059.001 – PowerShell; T1574.002 – DLL Side-Loading; T1105 – Ingress Tool Transfer; T1071.001 – Web Protocols; T1027 – Obfuscated Files or Information
High
Implement application allow-listing to prevent unauthorized DLL sideloading; block password-protected archives from untrusted senders; enable PowerShell script block logging and monitor registry persistence locations; inspect outbound HTTPS traffic for anomalous URI patterns or unusual authentication headers; maintain regular patching and endpoint monitoring; conduct user awareness training to reduce phishing risk.
Cyber Espionage & Infrastructure Targeting / Reconnaissance Activity
No IoCs reported
Threat intelligence reporting indicates an increase in cyber activity targeting critical infrastructure sectors, including manufacturing and transportation. The activity appears to focus on early-stage reconnaissance and network positioning, with attackers attempting to identify vulnerable systems and establish initial access that could later support espionage, disruption, or destructive operations. Observed techniques include default credential abuse, valid account exploitation, brute-force attempts, and network scanning to map target environments and identify exploitable services.
Not specified
Middle East region; Global organizations with regional exposure
MuddyWater; OilRig (APT34); APT33; UNC1549
Manufacturing, Transportation, Energy, Government, Finance, Aerospace, Aviation, Telecommunications
T1110 – Brute Force; T1078 – Valid Accounts; T1046 – Network Service Discovery; T1595 – Active Scanning
High
Reduce external attack surface by eliminating default credentials and restricting remote access services; enforce multi-factor authentication for privileged accounts; apply network segmentation and monitor lateral movement; prioritize patching of exposed vulnerabilities and monitor systems that cannot be patched; deploy continuous monitoring and anomaly detection for industrial and enterprise networks; leverage threat intelligence to detect reconnaissance and pre-positioning activity early.
Cyber Espionage / IoT Surveillance Targeting
CVE-2017-7921; CVE-2021-36260; CVE-2023-6895; CVE-2025-34067; CVE-2021-33044
Security researchers observed targeting of internet-exposed IP cameras across several Middle East countries, likely to support reconnaissance and situational monitoring during a period of heightened regional tensions. The activity involves attempts to exploit known vulnerabilities in surveillance devices manufactured by Hikvision and Dahua, potentially enabling unauthorized access to video feeds. Such access may provide attackers with visual intelligence and operational awareness, demonstrating how compromised IoT devices can be leveraged to support broader cyber or operational objectives.
Compromised IP cameras (Hikvision, Dahua)
Middle East region (including UAE, Qatar, Bahrain, Kuwait, Cyprus, Lebanon, Israel)
Not attributed
Government, Infrastructure, Surveillance systems
T1595 – Active Scanning; T1190 – Exploit Public-Facing Application; T1046 – Network Service Discovery; T1071 – Application Layer Protocol
High
Remove direct internet exposure for surveillance cameras; place devices behind VPN or zero-trust gateways; enforce strong unique credentials and disable default passwords; apply firmware updates and security patches; segment camera networks from corporate and operational systems; monitor logs for repeated authentication failures or abnormal outbound connections; replace unsupported or end-of-life devices.

Mar 3, 2026

Campaign: Hacktivism / Coordinated Cyber Activity
IoC: No IoCs reported
Campaign Scope: Increased hacktivist activity has been observed amid ongoing geopolitical tensions, with multiple groups conducting cyber operations such as website defacements, distributed denial-of-service (DDoS) attacks, and limited data disclosures. Organizations perceived as linked to the wider conflict have been targeted. While the immediate operational impact has remained limited, the growing frequency of these incidents suggests potential for further escalation.
Malware/Tools: Not specified
Targeted Country: Middle East region
Threat Actor: Not attributed
Sector: Multiple sectors
MITRE ATT&CK Techniques: T1499 – Endpoint/Service Disruption (DDoS); T1491 – Defacement; T1190 – Exploit Public-Facing Application; T1566 – Phishing
Threat Severity: Medium
Recommendation: Increase monitoring of public-facing applications and services; deploy DDoS mitigation and web application firewall (WAF) protections; regularly patch externally exposed systems and applications; enforce strong authentication and access controls; monitor website integrity for unauthorized changes; maintain updated incident response procedures and conduct user awareness training against phishing and social engineering.

Campaign: Hybrid Conflict-Related Cyber Activity / Multi-Actor Operations
IoC: No IoCs reported
Campaign Scope: Ongoing geopolitical tensions have led to an increase in hybrid cyber activity combining cyber intrusions, information manipulation, and opportunistic cybercrime. Observed activity includes phishing campaigns, credential theft, DDoS attacks, website defacements, and data theft operations carried out by a mix of state-linked actors, hacktivist groups, and financially motivated cybercriminals. Analysts note that the broader conflict environment is being leveraged by multiple actors to conduct disruptive cyber operations and opportunistic attacks across digital infrastructure.
Malware/Tools: RedAlert APK (mobile spyware referenced in related activity)
Targeted Country: Middle East region
Threat Actor: Multiple threat actors
Sector: Government, Military, Finance, IT
MITRE ATT&CK Techniques: T1566 – Phishing; T1486 – Data Theft/Impact; T1490 – Inhibit System Recovery; T1562 – Impair Defenses; T1190 – Exploit Public-Facing Application
Threat Severity: Medium
Recommendation: Strengthen monitoring for credential theft and phishing activity; implement robust DDoS mitigation and web application protections; enforce multi-factor authentication across critical systems; apply network segmentation to reduce lateral movement; conduct regular security audits and vulnerability management; enhance incident response preparedness and threat intelligence sharing to detect emerging hybrid cyber threats.

Campaign: Critical Infrastructure Disruption / Physical–Digital Impact
IoC: No IoCs reported
Campaign Scope: Reports indicate physical attacks targeting data center infrastructure in the Gulf region, leading to temporary disruption of cloud services relied upon by organizations across multiple sectors. The incident highlights the interdependency between physical infrastructure and digital services, where disruptions to data center facilities can impact availability of cloud platforms, enterprise applications, and online services. The situation demonstrates how kinetic events can have downstream digital and operational effects on cloud-dependent organizations.
Malware/Tools: Not specified
Targeted Country: Gulf region (UAE, Bahrain)
Threat Actor: Not attributed
Sector: IT, Cloud Services
MITRE ATT&CK Techniques: T1499 – Endpoint/Service Disruption; T1485 – Data Destruction (service disruption impact); T1490 – Inhibit System Recovery
Threat Severity: High
Recommendation: Review business continuity and disaster recovery plans for cloud service outages; implement geographically distributed infrastructure and failover mechanisms; enhance monitoring and alerting for service disruptions; maintain redundancy for critical workloads; conduct risk assessments covering both cyber and physical infrastructure dependencies; ensure incident response procedures address large-scale service availability incidents.

Campaign: Cyber Risk Advisory / Heightened Threat Environment
IoC: No IoCs reported
Campaign Scope: Security researchers issued a “Shields Up” advisory highlighting increased cyber risk associated with an ongoing geopolitical conflict. The advisory emphasizes that organizations should anticipate potential disruptive cyber activity linked to the evolving situation. While no specific malware, campaigns, or threat actors were identified, the warning reflects a heightened threat environment where cyber operations may accompany broader geopolitical developments. Organizations are advised to increase vigilance, strengthen monitoring, and proactively prepare for potential cyber incidents.
Malware/Tools: Not specified
Targeted Country: Not specified
Threat Actor: Not specified
Sector: Cross-sector
MITRE ATT&CK Techniques: N/A
Threat Severity: Medium
Recommendation: Review and strengthen cybersecurity posture by enforcing multi-factor authentication, prioritizing patching of critical vulnerabilities, and increasing logging and monitoring across networks and endpoints. Validate incident response and disaster recovery plans, ensure reliable offline backups, reduce external attack surface, and maintain awareness of emerging threats through threat intelligence monitoring.

Campaign: Cyber Threat Escalation / Multi-Actor Cyber Operations
IoC: No IoCs reported
Campaign Scope: Intelligence reporting highlights increased cyber activity associated with ongoing regional instability, including disruptive cyber operations targeting digital and physical infrastructure. Observed activity includes DDoS attacks, data exfiltration attempts, phishing campaigns, and potential destructive operations affecting cloud infrastructure and critical services. Multiple threat clusters appear to be operating concurrently, using varied techniques to disrupt services and gather intelligence during a period of heightened geopolitical tension. The evolving situation indicates a sustained risk of cyber disruption across infrastructure and enterprise networks globally.
Malware/Tools: Not specified
Targeted Country: Global / Multiple regions
Threat Actor: Multiple threat clusters
Sector: Energy, Finance, Government, Critical Infrastructure
MITRE ATT&CK Techniques: T1566 – Phishing; T1567 – Data Exfiltration; T1190 – Exploit Public-Facing Application; T1499 – Service Disruption (DDoS); T1485 – Data Destruction
Threat Severity: High
Recommendation: Strengthen cyber resilience by reviewing incident response and business continuity plans; enforce multi-factor authentication and strict access controls; apply network segmentation to protect critical systems; maintain secure offline backups; enhance monitoring and anomaly detection across cloud and enterprise environments; prioritize patching of exposed vulnerabilities and leverage threat intelligence feeds to detect emerging threats.

Campaign: State Cyber Operations / Strategic Cyber Warfare Activity
Campaign Scope: Public statements indicate that cyber operations are increasingly integrated with broader military strategies, highlighting the role of offensive cyber capabilities alongside traditional military actions. While specific technical details or targets were not disclosed, the development reflects the growing role of cyber operations as a strategic component of modern conflict, potentially involving disruption of systems, intelligence gathering, or defense impairment activities. The announcement signals a shift toward greater transparency regarding the operational importance of cyber capabilities in national security contexts.
Malware/Tools: Not specified
Targeted Country: Not specified
Threat Actor: State-linked actors
Sector: Government, Military
MITRE ATT&CK Techniques: T1562.001 – Impair Defenses; T1005 – Data from Local System
Threat Severity: Medium
Recommendation: Strengthen cyber resilience across critical systems through network segmentation and endpoint protection; deploy intrusion detection and prevention systems (IDS/IPS); enhance continuous monitoring and threat intelligence sharing; conduct regular security assessments and threat hunting exercises; integrate physical and cyber security planning to address hybrid threat scenarios.

Campaign: Conflict-Related Cyber Activity Monitoring
IoC: No IoCs reported
Campaign Scope: Security researchers are monitoring cyber activity associated with an ongoing regional conflict. While large-scale cyber impacts have not yet been observed, minor incidents such as website defacements and small-scale distributed denial-of-service (DDoS) attacks have occurred. Analysts expect continued cyber espionage, disruptive operations, and potential hack-and-leak campaigns as the situation evolves. Opportunistic actors are also exploiting the situation for phishing and social-engineering campaigns. The activity currently appears regionally focused but may affect organizations indirectly through supply chains, partners, or exposed public-facing systems.
Malware/Tools: Not specified
Targeted Country: Middle East (regional impact)
Threat Actor: MuddyWater (suspected activity referenced)
Sector: Cross-sector
MITRE ATT&CK Techniques: T1566 – Phishing; T1190 – Exploit Public-Facing Application
Threat Severity: Medium
Recommendation: Strengthen security hygiene by enforcing multi-factor authentication and applying timely security patches. Increase monitoring for abnormal activity and protect public-facing assets with web application firewalls and DDoS mitigation. Conduct third-party risk assessments, particularly for suppliers or partners operating in affected regions. Provide employee awareness training on phishing and social-engineering attempts that may reference ongoing geopolitical events.

Campaign: Threat Landscape Advisory / Increased Cyber Activity
IoC: No IoCs reported
Campaign Scope: Security researchers report an escalation in cyber activity associated with actors linked to Iran, including phishing campaigns, hacktivist operations, and financially motivated cybercrime. The activity reflects a broadening operational scope targeting multiple sectors and organizations globally. While specific tools, malware, or technical indicators were not detailed, analysts warn of a potential increase in disruptive or destructive cyber operations as geopolitical tensions continue. The advisory highlights the need for heightened vigilance and proactive defensive measures across enterprise environments.
Malware/Tools: Not specified
Targeted Country: Not specified
Threat Actor: Not specified
Sector: Cross-sector
MITRE ATT&CK Techniques: T1566 – Phishing
Threat Severity: Medium
Recommendation: Strengthen phishing defenses through email filtering, user awareness training, and multi-factor authentication. Increase monitoring for suspicious network behavior and unauthorized access attempts. Ensure timely patching of vulnerabilities, implement network segmentation to limit lateral movement, and maintain robust logging and alerting to support rapid incident detection and response. Organizations should review and test incident response procedures to ensure readiness for potential cyber incidents.

Campaign: Conflict-Driven Cyber Operations / Hacktivist Activity
IoC: No IoCs reported
Campaign Scope: A coordinated military campaign triggered a significant escalation in cyber activity across multiple regions. The situation involved a combination of state-aligned actors, hacktivist collectives, and cybercriminal groups conducting disruptive cyber operations. Observed activity includes phishing campaigns distributing a malicious mobile application masquerading as a legitimate alert app, distributed denial-of-service (DDoS) attacks, infrastructure compromises, and threats targeting organizations and individuals. Analysts also observed coordination among hacktivist groups through centralized channels, highlighting a broader mobilization of cyber actors responding to geopolitical events.
Malware/Tools: RedAlert (malicious mobile application)
Targeted Country: Iran, Israel, Jordan, UAE, Saudi Arabia, Bahrain, Canada, United States
Threat Actor: Handala Hack, Cyber Islamic Resistance, NoName057(16), Russian Legion, Tarnished Scorpius
Sector: Energy, Finance, Government, Defense, Payment, Industrial
MITRE ATT&CK Techniques: T1566 – Phishing; T1598 – Phishing to Deliver Malware; T1190 – Exploit Public-Facing Application; T1041 – Exfiltration Over C2 Channel
Threat Severity: High
Recommendation: Strengthen defenses against phishing and mobile malware by educating users to avoid installing applications from untrusted sources and verifying official app publishers. Maintain fully patched and hardened internet-facing systems and deploy web application firewalls and DDoS protection. Implement strong monitoring for anomalous network activity and potential data exfiltration. Maintain reliable offline backups and review incident response and business continuity plans to ensure resilience against coordinated cyber disruptions.

Campaign: Physical Attack Impacting Cloud Infrastructure / Cyber-Physical Risk Event
IoC: No IoCs reported
Campaign Scope: Physical attacks targeting cloud infrastructure resulted in damage to data center facilities in the UAE and Bahrain, leading to service disruptions affecting multiple cloud services across the Middle East. The incident highlights how physical attacks on critical digital infrastructure can cause cascading effects on organizations relying on cloud services, including application outages, degraded performance, and operational disruption. The event underscores the growing convergence of physical and digital threats affecting critical technology infrastructure.
Malware/Tools: Not specified
Targeted Country: UAE, Bahrain
Threat Actor: Not specified
Sector: IT, Cloud Services
MITRE ATT&CK Techniques: T1485 – Data Destruction; T1490 – Inhibit System Recovery
Threat Severity: High
Recommendation: Organizations relying on cloud services should review disaster recovery and business continuity plans to ensure rapid failover to alternative regions or providers. Implement monitoring and alerting for service disruptions, maintain redundant infrastructure where possible, and ensure backups are securely stored across geographically distributed locations. Data center operators should strengthen physical security controls, including perimeter monitoring, surveillance, and access management, while regularly assessing resilience against cyber-physical threat scenarios.

Campaign: Conflict-Driven Cyber Activity / Retaliatory Cyber Campaign
IoC: No IoCs reported
Campaign Scope: Following coordinated military operations on February 28, 2026, analysts reported the emergence of a retaliatory cyber campaign associated with the broader conflict. The activity is described as multi-vector and rapidly expanding, indicating a potential escalation of cyber operations alongside physical hostilities. While specific technical details, malware, or intrusion methods were not disclosed, the situation reflects the increasing integration of cyber operations into modern conflict scenarios and highlights the potential for disruption targeting organizations and infrastructure connected to the affected regions.
Malware/Tools: Not specified
Targeted Country: United States, Israel
Threat Actor: Not specified
Sector: Cross-sector
MITRE ATT&CK Techniques: N/A
Threat Severity: Medium
Recommendation: Organizations should review and strengthen incident response and business continuity plans to prepare for potential disruptions to services and infrastructure. Implement network segmentation, enforce multi-factor authentication, and maintain continuous monitoring of network activity. Prioritize patching of critical systems, enhance threat intelligence monitoring, and collaborate with industry and government partners to remain informed of emerging risks associated with ongoing geopolitical developments.

Campaign: Potential Cyber Counteroffensive / Conflict-Driven Threat Activity
IoC: No IoCs reported
Campaign Scope: Security researchers warn of potential cyber counteroffensive operations following a major military campaign. Multiple Iran-linked threat actors are believed to be preparing disruptive cyber activity targeting critical infrastructure and opportunistic organizations. Observed behavior includes reconnaissance, vulnerability exploitation of internet-facing systems, and staging activity that could precede destructive attacks such as wiper malware or ransomware. Analysts also report the potential for increased botnet-driven disruption and distributed denial-of-service (DDoS) activity as part of broader retaliation campaigns aligned with geopolitical tensions.
Malware/Tools: Not specified
Targeted Country: United States, Israel, Global
Threat Actor: Altoufan Team, HANDALA, Banished Kitten, CyberAv3ngers, APT34, MuddyWater, APT42, Cotton Sandstorm, APT35, Agrius, Imperial Kitten
Sector: Energy, Telecommunications, Government, Critical Infrastructure, Transportation, Logistics
MITRE ATT&CK Techniques: T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1486 – Data Encrypted for Impact; T1490 – Inhibit System Recovery
Threat Severity: High
Recommendation: Prioritize patching of vulnerabilities in internet-facing systems and strengthen monitoring for abnormal network activity. Implement strong multi-factor authentication and reduce external attack surface where possible. Prepare for potential DDoS activity by deploying mitigation services and traffic filtering. Conduct proactive threat hunting for indicators linked to known threat actor tactics, ensure reliable offline backups are maintained, and regularly review incident response and business continuity plans to maintain operational resilience.

Campaign: Distributed Denial-of-Service (DDoS) Attack Claim
IoC: No technical IoCs reported
Campaign Scope: A threat actor known as 313 Team claimed responsibility for cyberattacks targeting the official websites of the Kuwait Ports Authority and the Ministry of Electricity and Water. According to the claim, the attacks resulted in temporary disruption of the Kuwait Ports Authority website for approximately one hour and a complete shutdown of the Ministry of Electricity and Water website during the attack window. The activity appears to involve disruptive operations against public-facing government services, likely intended to cause service outages and signal operational capability.
Malware/Tools: Not specified
Targeted Country: Kuwait
Threat Actor: 313 Team / The Islamic Cyber Resistance
Sector: Government, Public Services
MITRE ATT&CK Techniques: T1498 – Network Denial of Service
Threat Severity: Medium
Recommendation: Implement or reinforce DDoS mitigation services to protect public-facing infrastructure. Monitor network traffic for abnormal spikes and volumetric anomalies indicative of denial-of-service activity. Enable rate limiting and deploy Web Application Firewall (WAF) protections to filter malicious traffic. Establish and regularly test incident response procedures specifically designed for DDoS scenarios to ensure rapid service restoration.

Campaign: Potential Cyber Counteroffensive / Threat Activity Advisory
IoC: No IoCs reported
Campaign Scope: Analysts warn of potential cyber counteroffensive operations following a major geopolitical escalation. Multiple Iran-linked threat actors are expected to increase cyber operations targeting critical infrastructure and opportunistic organizations globally. Historical behavior indicates these groups may shift from espionage to disruptive or destructive attacks, including wiper malware, ransomware-style operations, vulnerability exploitation, and botnet-driven DDoS campaigns. Recent reporting indicates reconnaissance, probing, and staging activities that may precede broader cyber operations.
Malware/Tools: Not specified
Targeted Country: United States, Israel, Global
Threat Actor: Altoufan Team, HANDALA, Banished Kitten, CyberAv3ngers, APT34, MuddyWater, APT42, APT35, Agrius
Sector: Energy, Telecommunications, Government, Defense, Transportation, Logistics, Water
MITRE ATT&CK Techniques: T1566 – Phishing; T1190 – Exploit Public-Facing Application; T1486 – Data Encrypted for Impact; T1133 – External Remote Services; T1562 – Impair Defenses
Threat Severity: High
Recommendation: Prioritize patching vulnerabilities in internet-facing systems and reduce external attack surface. Strengthen monitoring for reconnaissance and anomalous network activity. Implement multi-factor authentication and intrusion detection systems to prevent unauthorized access. Prepare for potential DDoS activity by deploying mitigation services and traffic filtering. Conduct proactive threat hunting and regularly review incident response plans to maintain resilience against disruptive cyber operations.

Campaign: Hacktivist Cyber Campaign / Conflict-Driven Cyber Activity
IoC: hxxps:www[.]shirideitch[.]com/wp-content/uploads/2022/06/RedAlert[.]apk hxxps://api[.]ra-backup[.]com/analytics/submit[.]php hxxps://bit[.]ly/4tWJhQh
Campaign Scope: Analysts report a surge in cyber activity linked to multiple hacktivist groups aligned with regional geopolitical narratives. Despite domestic internet disruption affecting coordination of some operations, affiliated groups and external proxies continue launching disruptive campaigns including DDoS attacks, phishing campaigns, ransomware incidents, hack-and-leak operations, and claims of infrastructure compromise. Targets reportedly include government institutions, financial services, defense systems, and critical infrastructure across the Middle East and partner nations. The activity remains dynamic, with continued disruptive and opportunistic cyber operations expected.
Malware/Tools: RedAlert (malicious APK)
Targeted Country: Jordan, Kuwait, Saudi Arabia, United Arab Emirates, Bahrain, Turkey, United States, Canada
Threat Actor: Handala Hack; Cyber Islamic Resistance; RipperSec; Cyb3rDrag0nzz; Dark Storm Team (DarkStorm/MRHELL112); FAD Team (Fatimiyoun Cyber Team); Evil Markhors; Sylhet Gang (SG); 313 Team (Islamic Cyber Resistance in Iraq); DieNet
Sector: Government, Administration, Defense, Finance, Military, Banking, Energy, Health, Industrial
MITRE ATT&CK Techniques: T1566.002 – Spearphishing Link; T1498 – Network Denial of Service; T1486 – Data Encrypted for Impact; T1485 – Data Destruction; T1041 – Exfiltration Over C2 Channel
Threat Severity: High
Recommendation: Strengthen monitoring of internet-facing infrastructure and enable real-time alerting for abnormal activity. Immediately patch and harden exposed systems and enforce multi-factor authentication across privileged accounts. Deploy robust DDoS protection and traffic filtering mechanisms to mitigate volumetric attacks. Conduct regular phishing awareness training to reduce social-engineering risk. Maintain secure offline backups of critical data and test restoration procedures regularly. Continuously monitor for unauthorized access, data-leak claims, or suspicious network behavior and ensure incident response and business continuity plans are ready to address potential disruptions.

Vulnerability Watchlist

Apr 28, 2026

CVE: CVE-2026-41636
Product: Apache Thrift (Node.js bindings)
Severity: High
Patch Status & Updates: Fixed in version 0.23.0; versions prior to 0.23.0 are vulnerable to uncontrolled recursion leading to potential denial of service
Recommendation: Upgrade Apache Thrift to v0.23.0 or later; implement input validation to prevent malicious recursive payloads; monitor applications for abnormal CPU/memory spikes; enforce dependency management and regular patching

CVE: CVE-2026-42208
Product: LiteLLM (BerriAI)
Severity: Critical
Patch Status & Updates: Fixed in version 1.83.7; versions ≥1.81.16 and <1.83.7 are vulnerable to pre-auth SQL injection in Bearer token verification logic
Recommendation: Immediately upgrade to v1.83.7 or later; rotate all API keys, master keys, and provider credentials; restrict external exposure of LiteLLM proxy; deploy WAF/reverse proxy rules to block SQL injection patterns in Authorization headers; monitor logs for suspicious Bearer tokens and unusual API usage; audit billing and API activity for potential abuse

CVE: CVE-2026-40966
Product: Spring AI (VMware)
Severity: Medium
Patch Status & Updates: Fix released by VMware; users should update to the latest patched version addressing conversation isolation bypass
Recommendation: Patch immediately

CVE: CVE-2026-33725
Product: Metabase Enterprise
Severity: Critical
Patch Status & Updates: Affects multiple Metabase Enterprise versions prior to patched releases; enables RCE and arbitrary file read via H2 JDBC INIT injection during serialization import; PoC publicly available
Recommendation: Immediately upgrade Metabase Enterprise to the latest patched version; enforce strict vulnerability management and regular patch cycles; monitor for unusual serialization/import activity and unauthorized file access attempts; strengthen access controls and logging for BI/analytics platforms

CVE: CVE-2026-41409
Product: Apache MINA
Severity: Critical
Patch Status & Updates: Affects Apache MINA 2.0.0–2.0.27, 2.1.0–2.1.10, 2.2.0–2.2.5; vulnerability in AbstractIoBuffer.getObject() deserialization due to late-applied classname allowlist, allowing unsafe object deserialization leading to potential code execution; fixed in 2.0.28, 2.1.11, 2.2.6
Recommendation: Immediately upgrade Apache MINA to patched versions (2.0.28 / 2.1.11 / 2.2.6 or later); review all applications using IoBuffer.getObject(); enforce strict deserialization controls and dependency hygiene; monitor for anomalous object deserialization activity and unexpected class loading

Apr 24, 2026

CVE: CVE-2026-4922; CVE-2026-5816; CVE-2026-5262; CVE-2025-0186; CVE-2026-1660; CVE-2025-6016; CVE-2025-3922; CVE-2026-6515; CVE-2026-5377; CVE-2026-3254; CVE-2025-9957
Product: GitLab Community Edition, GitLab Enterprise Edition
Severity: High (Multiple vulnerabilities including CSRF, XSS, and path traversal)
Patch Status & Updates: Fixed in versions 18.11.1, 18.10.4, and 18.9.6; GitLab.com already patched; GitLab Dedicated not affected
Recommendation: Upgrade immediately to patched versions; prioritize internet-facing instances; monitor GraphQL/API activity; enforce input validation, access controls, and session management; implement rate limiting; review logs for anomalies; apply least privilege and keep systems updated

CVE: CVE-2026-33626
Product: LMDeploy (Open-source LLM Inference Toolkit)
Severity: Critical
Patch Status & Updates: Patched in version 0.12.3; earlier versions (≤0.12.2) are vulnerable. Exploitation observed within ~12 hours of public disclosure, indicating active threat activity
Recommendation: Upgrade to v0.12.3 or later immediately; if not possible, disable or restrict image_url handling via reverse proxy or disable vision endpoints; enforce IMDSv2 (httpTokens=required, hop limit=1); restrict outbound egress to approved destinations; rotate IAM credentials; ensure internal services (Redis, MySQL) are not publicly exposed and require authentication; monitor for abnormal outbound requests to link-local, RFC1918, and loopback ranges; conduct full inventory and security review of AI/LLM infrastructure

CVE: CVE-2026-33819; CVE-2026-24303; CVE-2026-35431; CVE-2026-26150; CVE-2026-33102; CVE-2026-32210; CVE-2026-32172
Product: Microsoft Bing; Microsoft Partner Center; Microsoft Entra ID Entitlement Management; Microsoft Purview eDiscovery; Microsoft 365 Copilot; Microsoft Dynamics 365 (Online); Microsoft Power Apps
Severity: Critical, High
Patch Status & Updates: Fixed in latest Microsoft security updates
Recommendation: Apply patches immediately; monitor for abnormal network-based code execution attempts; restrict untrusted data deserialization pathways. Apply patches; review access controls and permissions; enforce least privilege and monitor for privilege escalation attempts. Patch immediately; restrict outbound requests; monitor for SSRF attempts targeting internal resources

CVE: CVE-2026-28950
Product: Apple iOS & iPadOS
Severity: Medium
Patch Status & Updates: Fixed in iOS 18.7.8, iPadOS 18.7.8, iOS 26.4.2, and iPadOS 26.4.2
Recommendation: Update all affected devices immediately; ensure sensitive notifications are properly managed; review device data handling policies and enforce regular OS updates

Apr 22, 2026

CVE: CVE-2026-5752
Product: Cohere Terrarium (Python sandbox using Pyodide in Docker)
Severity: Critical (CVSS 9.3)
Patch Status & Updates: No official patch available; project is no longer actively maintained
Recommendation: Disable untrusted code execution, enforce network segmentation, deploy WAF, monitor container behavior, restrict access, keep dependencies updated, and consider additional isolation layers (e.g., VM-based sandboxing)

CVE: CVE-2026-40050
Product: CrowdStrike LogScale (Self-Hosted)
Severity: Critical (CVSS 9.8)
Patch Status & Updates: Fixed. Affected versions: 1.224.0–1.234.0 (GA), 1.228.0–1.228.1 (LTS). Patched in versions 1.235.1+, 1.234.1+, 1.233.1+, and 1.228.2+ (LTS). SaaS instances mitigated on April 7, 2026; no exploitation observed.
Recommendation: Immediately upgrade to patched versions, ensure cluster API endpoints are not publicly exposed, and monitor for signs of unauthorized access or file exfiltration

CVE: CVE-2026-40451
Product: DeepL Chrome Browser Extension
Severity: Medium
Patch Status & Updates: Affects versions v1.22.0 to v1.23.0. Fixed in latest available version (post v1.23.0). Users should update to the latest extension release.
Recommendation: Update the DeepL Chrome extension to the latest version immediately and ensure browser extensions are regularly reviewed and kept up to date

CVE: CVE-2026-5754
Product: Radware Alteon vADC Load Balancer (v34.5.4.0)
Severity: Medium
Patch Status & Updates: Patch status should be verified with the vendor; update to the latest available version addressing the issue
Recommendation: Implement input validation and output encoding, update to patched versions, educate users on phishing risks, and deploy WAF to detect and block XSS attempts

Apr 21, 2026

CVE: CVE-2026-33825
Product: FortiGate SSL VPN (and related VPN access components)
Severity: High
Patch Status & Updates: Patch status should be verified with the vendor; apply latest available updates immediately
Recommendation: Apply security patches, enforce MFA on VPN access, review VPN logs for suspicious activity, monitor for unauthorized access, and restrict exposure of VPN services

CVE: CVE-2026-33829
Product: Microsoft Snipping Tool (ms-screensketch protocol)
Severity: High
Patch Status & Updates: Fixed in Microsoft Patch Tuesday release (April 14, 2026)
Recommendation: Apply April 2026 security updates immediately, monitor for abnormal outbound SMB (port 445) traffic, block external SMB where possible, and strengthen user awareness against malicious links exploiting deep link URIs

Apr 17, 2026

CVE: CVE-2026-6364, CVE-2026-6362
Product: Google Chrome (Skia component), Google Chrome (Codecs component)
Severity: Medium
Patch Status & Updates: Fixed in Chrome 147.0.7727.101
Recommendation: Update Google Chrome to version 147.0.7727.101 or later

CVE: CVE-2026-35469
Product: Docker (spdystream Go library used in SPDY/HTTP multiplexing)
Severity: High
Patch Status & Updates: Fixed in spdystream version 0.5.1 (versions 0.5.0 and below affected)
Recommendation: Upgrade spdystream to version 0.5.1 or later, ensure all Docker components and dependencies using spdystream are updated, and monitor services exposed to untrusted network traffic for abnormal memory consumption or crash conditions

Apr 14, 2026

CVE: CVE-2026-5194
Product: wolfSSL SSL/TLS library
Severity: Critical
Patch Status & Updates: Fixed in wolfSSL version 5.9.1 and later. Users are strongly advised to upgrade immediately. Impact may persist in embedded/IoT devices until vendor firmware updates are applied.
Recommendation: Upgrade wolfSSL to version 5.9.1 or later immediately; identify and update all affected systems and applications; apply firmware/vendor patches for embedded devices; enforce strict certificate validation policies; monitor for abnormal certificate validation behavior

CVE: CVE-2026-6231
Product: MongoDB C Driver (prior to 1.30.5, 2.0.0, 2.0.1)
Severity: Medium
Patch Status & Updates: Fixed in MongoDB C Driver version 1.30.5 and later
Recommendation: Keep all impacted systems patched and up to date

Apr 13, 2026

CVE: CVE-2026-0233
Product: Palo Alto Networks Autonomous Digital Experience Manager (Windows)
Severity: Low
Patch Status & Updates: Affects version 5.10.0 through 5.10.14; fixed in 5.10.14 or later; requires Content Update 2120+ for full remediation
Recommendation: Upgrade to version 5.10.14 or later; ensure Content Update 2120+ is applied; maintain regular patching and monitor certificate validation processes

CVE: CVE-2026-0232
Product: Palo Alto Networks Cortex XDR Agent (Windows)
Severity: Medium
Patch Status & Updates: Protection mechanism issue allowing agent disablement; mitigated via Content Update 2120; additional hardening in Cortex XDR versions 9.1.0+, 9.0.1+, 8.9.1+, 8.7.101-CE+; 8.3-CE and 7.9-CE protected via content update
Recommendation: Apply Content Update 2120+ immediately; upgrade Cortex XDR agent to latest recommended versions; restrict admin privileges; monitor for agent tampering or disablement attempts

CVE: CVE-2026-39987
Product: Marimo (≤ 0.20.4)
Severity: Critical
Patch Status & Updates: Affects Marimo versions up to 0.20.4; fixed in version 0.23.0 and later
Recommendation: Upgrade to version 0.23.0 or later immediately; restrict or disable access to /terminal/ws

CVE: CVE-2026-34621
Product: Adobe Acrobat DC, Adobe Acrobat Reader DC, Adobe Acrobat 2024
Severity: Critical (CVSS 8.6)
Patch Status & Updates: Affects Acrobat DC & Reader DC (Continuous) ≤ 26.001.21367 and Acrobat 2024 ≤ 24.001.30356 (Windows & macOS); patched versions released by Adobe; actively exploited in the wild
Recommendation: Update to latest versions immediately; enable automatic updates; deploy patches via centralized tools (SCCM, GPO, Apple Remote Desktop); prioritize remediation due to active exploitation; monitor systems for suspicious activity related to PDF handling

Apr 10, 2026

CVE: CVE-2026-4112; CVE-2026-4113; CVE-2026-4114; CVE-2026-4116
Product: SonicWall SMA1000 Series
Severity: High
Patch Status & Updates: Fixed in 12.4.3-03387 and 12.5.0-02624 or later
Recommendation: Upgrade immediately; enforce admin access restrictions; monitor for SQL injection attempts. Monitor authentication logs; detect credential enumeration; enforce MFA and account hygiene. Ensure MFA integrity; upgrade immediately; audit admin accounts and VPN access. Patch urgently; review VPN logs; enforce MFA and segmentation of VPN/management interfaces.

CVE: CVE-2026-22750
Product: Spring Cloud Gateway (VMware)
Severity: High
Patch Status & Updates: Fixed in Spring Cloud Gateway 4.2.x (after 4.2.0), 5.0.2, 5.1.1 and later
Recommendation: Upgrade immediately to supported versions (5.0.2 or 5.1.1 recommended); ensure SSL bundle configuration is correctly applied and systems remain fully patched

CVE: CVE-2026-0234
Product: Palo Alto Networks Cortex XSOAR / Cortex XSIAM (Microsoft Teams Integration)
Severity: High
Patch Status & Updates: Fixed in Microsoft Teams integration version 1.5.52 and later (affects 1.5.0–1.5.51)
Recommendation: Upgrade immediately to 1.5.52 or later; restrict/disable integration if patching delayed; review logs for unauthorized access; validate data integrity; enforce strict access controls and continuous monitoring

CVE: CVE-2026-5173, CVE-2026-1092, CVE-2025-12664, CVE-2026-1403, CVE-2026-1101, CVE-2026-1516, CVE-2026-4332, CVE-2026-2619, CVE-2025-9484, CVE-2026-1752, CVE-2026-2104, CVE-2026-4916
Product: GitLab Community Edition (CE) / GitLab Enterprise Edition (EE)
Severity: High
Patch Status & Updates: Fixed in GitLab 18.10.3, 18.9.5, and 18.8.9 for CE and EE; multiple vulnerabilities addressed including access control issues, DoS in Terraform/GraphQL APIs, code injection, XSS, and information disclosure
Recommendation: Immediately upgrade self-managed GitLab instances to the latest patched versions (18.10.3 / 18.9.5 / 18.8.9 or later); continuously monitor GitLab security advisories; enforce regular patch management and vulnerability scanning

Apr 09, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-5858, CVE-2026-5859, CVE-2026-5860 – CVE-2026-5873, CVE-2026-5874 – CVE-2026-5895, CVE-2026-5896 – CVE-2026-5919
Google Chrome
Critical, High, Medium, Low
Fixed in Chrome 147.0.7727.55/56 (Windows/Mac/Linux)
Immediately update Chrome to version 147; prioritize emergency patching across all endpoints. Ensure all systems are updated and verify patch deployment via endpoint management tools. Enable automatic updates and monitor systems for unusual browser activity. Maintain regular patching cycles and enforce browser security policies.
CVE-2026-31790
OpenSSL
Medium
Fixed in OpenSSL 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2
Upgrade OpenSSL to latest versions; prioritize systems using RSA KEM; validate RSA keys and ensure proper error handling
CVE-2026-28386 – CVE-2026-28390, CVE-2026-31789
OpenSSL
Low
Fixed in OpenSSL 3.x versions and 1.1.1zg (where applicable)
Apply patches; enforce input validation; avoid processing untrusted inputs; follow secure coding practices and monitor for crashes
CVE-2025-30650
Junos OS
Medium
Fixed in 22.4R3-S8, 23.2R2-S6, 23.4R2-S6, 24.2R2-S3, 24.4R2, 25.2R2 and later releases
Upgrade all affected Junos OS systems to the latest patched versions and ensure all impacted line cards are updated

Apr 08, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-0740
Ninja Forms – File Upload
Critical
Partially fixed in version 3.3.25, fully patched in version 3.3.27
Immediately update to the latest version; implement robust server-side file type validation; regularly scan WordPress sites; employ WAF to block malicious uploads; monitor system logs for suspicious activity
CVE-2026-27578
n8n
High
Fixed in versions 2.10.1, 2.9.3, 1.123.22
Upgrade to patched versions; implement strict allowlists for content types; avoid relying on denylist-based CSP; regularly review and update security configurations
CVE-2026-27314
Apache Cassandra
High
Fixed in version 5.0.7+
Keep all impacted systems patched and up to date
CVE-2026-5731
Firefox, Firefox ESR, Thunderbird ESR
Critical
Fixed in Firefox ≥149.0.2, Firefox ESR ≥115.34.1 / ESR ≥140.9.1
Keep all impacted systems patched and up to date
CVE-2026-5732
Firefox, Firefox ESR
High
Fixed in Firefox ≥149.0.2, Firefox ESR ≥140.9.1
Keep all impacted systems patched and up to date
CVE-2026-5733
Firefox
High
Fixed in Firefox ≥149.0.2
Keep all impacted systems patched and up to date

Apr 07, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2025-59528
Flowise
Critical
Fixed in Flowise version 3.0.6; prior versions vulnerable due to insecure evaluation of user input in CustomMCP node
Immediately update Flowise to latest patched version; implement strict input validation and sanitization; conduct regular code audits; deploy WAF to filter malicious requests; enforce least privilege; monitor logs for suspicious activity

Apr 04, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-35616
Fortinet FortiClientEMS
Critical
Patch pending – upgrade to FortiClientEMS 7.4.7 or 7.2.11 or above once available
Apply updates immediately once released; restrict access to EMS interfaces; monitor for suspicious requests and unauthorized access attempts; follow Fortinet hardening best practices
CVE-2026-32186
Microsoft Bing
Medium
Patch available from Microsoft
Apply the latest security updates; monitor for unusual privilege escalation activity; enforce least privilege access controls and review system permissions regularly

Apr 03, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-32211
Azure Web Apps
Critical
Patch released by Microsoft
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-33105
Azure Kubernetes Service
Critical
Patch released by Microsoft
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-32213
Azure AI Foundry
Critical
Patch released by Microsoft
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-33107
Azure Databricks
Critical
Patch released by Microsoft
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-32173
Azure SRE Agent Gateway – SignalR Hub
High
Patch released by Microsoft
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-26135
Azure Custom Locations Resource Provider
Critical
Patch released by Microsoft
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2025-43219
macOS
High
Fixed in macOS Sequoia 15.6
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2025-43257
macOS
High
Fixed in macOS Sequoia 15.6
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2025-43238
macOS
Medium
Fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2024-44303 CVE-2024-44286 CVE-2024-40858 CVE-2025-43264 CVE-2025-43236 CVE-2025-43210 CVE-2024-44219 CVE-2024-40849
macOS, iPadOS, iOS
High, Low, Medium
Fixed in macOS Sequoia 15.1; also fixed in iOS 18.6, iPadOS 18.6 & 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, tvOS 18.6, visionOS 2.6, watchOS 11.6
Keep all impacted systems patched and up to date

Apr 02, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-34982
Vim
High
Fixed in version 9.2.0276; prior versions vulnerable to arbitrary command execution via malicious modelines
Update to version 9.2.0276 or later; disable the modeline feature ("set nomodeline") if patching is not possible; avoid opening untrusted files; implement endpoint protection; enforce least privilege principles
CVE-2026-20160 CVE-2026-20093 CVE-2026-20155 CVE-2026-20094 CVE-2026-20151 CVE-2026-20042 CVE-2026-20095 CVE-2026-20096 CVE-2026-20085 CVE-2026-20097 CVE-2026-20088 CVE-2026-20089 CVE-2026-20174 CVE-2026-20090 CVE-2026-20087 CVE-2026-20041
Cisco Smart Software Manager On-Prem, Cisco IMC (UCS / NFV Infrastructure / UCSE), Cisco EPNM, Cisco UCS / UCSE, Cisco Nexus Dashboard, Cisco UCS / NFV / UCSE, Cisco UCS, Cisco Nexus Dashboard Insights
Critical, High, Medium, Medium, (High SIR)
Patch available from Cisco
Apply patches immediately and restrict access to exposed services. Restrict file uploads and validate metadata. Patch and monitor for XSS attempts.
CVE-2026-5282
Google Chrome
High
Patch available in version 146.0.7680.178
Update all affected Chrome instances immediately to mitigate out-of-bounds memory read risk
CVE-2026-5287 CVE-2026-5273 CVE-2026-5291 CVE-2026-5277 CVE-2026-5290 CVE-2026-5286 CVE-2026-5278 CVE-2026-5284 CVE-2026-5275 CVE-2026-5276 CVE-2026-5289 CVE-2026-5280 CVE-2026-5285 CVE-2026-5279 CVE-2026-5288 CVE-2026-5272 CVE-2026-5281 CVE-2026-5274 CVE-2026-5283 CVE-2026-5292
Chrome
High, Medium, Critical
Patched in 146.0.7680.178
Update Chrome; monitor WebUSB policy enforcement.

Apr 01, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2021-44228, CVE-2020-1472, CVE-2026-1731, CVE-2026-1281, CVE-2026-1340, CVE-2026-20131, CVE-2026-20127, CVE-2025-5777, CVE-2020-0688, CVE-2025-61882, CVE-2025-61757, CVE-2025-55182, CVE-2025-52691, CVE-2025-24016, CVE-2025-59287, CVE-2023-36899, CVE-2023-29552, CVE-2021-45046, CVE-2021-26085, CVE-2021-26086, CVE-2017-7921, CVE-2021-36260, CVE-2025-13223
Microsoft, Oracle, Apache, Ivanti, Atlassian, Hikvision
Critical
Actively exploited in ongoing campaigns; patches available for most vulnerabilities but unpatched systems remain at risk
Immediately patch all internet-facing systems, prioritize critical CVEs (e.g., Log4j, Netlogon), enforce MFA, implement network segmentation, monitor logs and SIEM alerts, secure edge/IoT devices, and conduct continuous vulnerability scanning.
CVE-2026-2275, CVE-2026-2286, CVE-2026-2287, CVE-2026-2285
CrewAI
High
Patches/mitigations recommended; vendor updates pending/rolling
Disable or restrict Code Interpreter Tool, avoid enabling allow_code_execution=True unless necessary, sanitize inputs to prevent prompt injection, limit exposure to untrusted inputs, monitor Docker behavior, and apply vendor updates when available.

Mar 31, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-34054
vcpkg (Microsoft)
High
Patched in vcpkg version 3.6.1#3
Update all systems to vcpkg 3.6.1#3 or later. Review builds for hardcoded paths and maintain regular patching for package managers and dependencies.
CVE-2026-33990
Docker Model Runner / Docker Desktop
Medium
Patched in Docker Model Runner 1.1.25 and Docker Desktop 4.67.0+
Update Docker Model Runner to 1.1.25 or later and Docker Desktop to 4.67.0 or newer. Verify registry interactions are secured and monitor for abnormal internal requests.
CVE-2026-1166
Hitachi Ops Center Administrator
Medium
Patched in latest vendor release
Upgrade to the latest patched version, restrict access to management interfaces, and monitor for suspicious redirections.
CVE-2026-2072
Hitachi Infrastructure Analytics Advisor / Hitachi Ops Center Analyzer
High
Patched in latest vendor release
Upgrade to the latest patched version, validate and sanitize user input, implement WAF rules, enforce least privilege, and monitor for injected scripts.
CVE-2026-33660
n8n
High
Patched in latest n8n version
Update n8n to the latest version immediately; if patching is delayed, limit workflow editing permissions and exclude the vulnerable Merge node via NODES_EXCLUDE; enforce least privilege; monitor for suspicious activity.

Mar 30, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-3608
Kea DHCP
High
A high-severity vulnerability causing a stack overflow that leads to denial of service; impacts multiple versions across the 2.x and 3.x releases; no active exploitation reported; patched versions available
Upgrade Kea to patched versions immediately. Restrict access to API sockets and HA listeners. Enable TLS with mutual authentication. Require client certificates for all connections. Monitor services for unexpected crashes or restarts. Limit network exposure of Kea services. Apply firewall rules to block unauthorized access. Regularly review and update configurations. Monitor logs for malformed or suspicious requests. Implement network segmentation to reduce impact
CVE-2026-33634
Trivy
High
An actively exploited vulnerability involving malicious code embedded in Aqua Security's Trivy tool
Update Trivy to the latest secure version immediately. Remove or isolate compromised versions from all systems. Review CI/CD pipelines for unauthorized changes. Rotate all credentials used in affected environments. Scan systems for indicators of compromise. Restrict access to sensitive repositories and tools. Implement strict version pinning for dependencies. Monitor network traffic for suspicious activity. Enable logging and alerting for abnormal behavior. Apply timely patches
CVE-2026-27876, CVE-2026-27880
Grafana
Critical, High
Patched versions available – immediate update recommended
Upgrade to patched Grafana versions; Restrict public access; Enforce strong authentication; Use VPN/Zero Trust; Treat observability tools as critical attack surface

Mar 28, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-32187
Microsoft Edge (Chromium-based)
Medium
Microsoft released a security update addressing this vulnerability
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-28892
macOS
Medium
Fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-20670
macOS
Medium
Fixed in macOS Sonoma 14.8.4, macOS Tahoe 26.3
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-20692
iOS, iPadOS, macOS
Medium
Fixed in iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-28831
macOS
Medium
Fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-28870
iOS, iPadOS, macOS, tvOS, visionOS, watchOS
Medium
Fixed in iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-28867
iOS, iPadOS, macOS, tvOS, visionOS, watchOS
Medium
Fixed in iOS 18.7.7 & 26.4, iPadOS 18.7.7 & 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-28893
macOS
Low
Fixed in macOS Tahoe 26.4
Help AG highly recommends keeping all impacted systems patched and up to date
CVE-2026-28871
Safari, iOS, iPadOS, macOS
Medium
Fixed in Safari 26.4, iOS 18.7.7 & 26.4, iPadOS 18.7.7 & 26.4, macOS Tahoe 26.4
Help AG highly recommends keeping all impacted systems patched and up to date

Mar 27, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-4710
Firefox, Firefox ESR, Thunderbird
Critical
Update released; affected versions: Firefox <149, Firefox ESR <140.9, Thunderbird <149, Thunderbird <140.9
Keep all impacted systems patched and up to date
CVE-2026-33017
Langflow / Langflow AI
Critical
Update to version 1.9.0 or later
Immediately update Langflow to version 1.9.0 or later; implement robust input validation and sanitization; monitor network traffic and system logs; prioritize patching critical vulnerabilities

Mar 26, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-20131
Cisco Secure Firewall Management Center (FMC); Cisco Security Cloud Control (SCC) Firewall Management
Critical
A vulnerability in the web-based management interface allows unauthenticated remote attackers to execute arbitrary Java code via insecure deserialization of user-supplied input.
Full device compromise with root-level access; attackers can gain complete control of affected systems.
CVE-2026-20607
macOS
Medium
Fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4
Keep all impacted systems patched and up to date
CVE-2026-28882
iOS, iPadOS, macOS, tvOS, visionOS, watchOS
Medium
Fixed in iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4
Keep all impacted systems patched and up to date
CVE-2026-20695
macOS
Medium
Fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4
Keep all impacted systems patched and up to date
CVE-2026-28827
macOS
Critical
Fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4
Keep all impacted systems patched and up to date
CVE-2026-20657
iOS, iPadOS, macOS
Medium
Fixed in iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5
Keep all impacted systems patched and up to date
CVE-2026-28861
Safari, iOS, iPadOS, macOS, visionOS
Medium
Fixed in Safari 26.4, iOS 18.7.7 & 26.4, iPadOS 18.7.7 & 26.4, macOS Tahoe 26.4, visionOS 26.4
Keep all impacted systems patched and up to date
CVE-2026-20688
iOS, iPadOS, macOS, visionOS
Critical
Fixed in iOS 26.4, iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4
Keep all impacted systems patched and up to date
CVE-2026-28857
Safari, iOS, iPadOS, macOS, visionOS
Medium
Fixed in Safari 26.4, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4
Keep all impacted systems patched and up to date
CVE-2026-28816
macOS
Medium
Fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4
Keep all impacted systems patched and up to date
CVE-2026-4701
Firefox, Firefox ESR, Thunderbird
Critical
Fixed in Firefox ≥149, Firefox ESR ≥140.9, Thunderbird ≥149
Keep all impacted systems patched and up to date

Mar 25, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2025-62843, CVE-2025-62844, CVE-2025-62845, CVE-2025-62846
QNAP QuRouter (QHora)
Critical (4)
QNAP has released firmware updates addressing multiple critical vulnerabilities in QuRouter 2.6.x, including weaknesses in authentication, improper input handling, SQL injection, and communication restrictions that could allow privilege escalation, unauthorised access, or command execution under certain conditions.
Update to firmware version 2.6.3.009 or later and restrict access to affected devices.
CVE-2026-3055, CVE-2026-4368
Citrix NetScaler ADC & Gateway
Critical (1), High (1)
Citrix has released security updates addressing multiple vulnerabilities in NetScaler ADC and Gateway, including insufficient input validation leading to memory overread and a race condition that may result in user session mix-up under specific configurations.
Keep all impacted systems patched and up to date.

Mar 24, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-4680, CVE-2026-4673, CVE-2026-4679, CVE-2026-4674, CVE-2026-4675, CVE-2026-4678, CVE-2026-4676, CVE-2026-4677
Google Chrome
High (8)
Google has released security updates addressing multiple high-severity vulnerabilities including use-after-free, heap buffer overflows, integer overflows, and out-of-bounds memory issues that could allow remote attackers to execute code or perform memory corruption via crafted HTML pages.
Keep all impacted systems patched and up to date

Mar 23, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-21992
Oracle Identity Manager, Oracle Web Services Manager (Oracle Fusion Middleware)
Critical (CVSSv3 9.8)
Oracle has released out-of-cycle security updates addressing a remote code execution vulnerability that allows unauthenticated attackers to compromise affected systems via HTTP access. Exploitation is considered straightforward, though no active exploitation has been confirmed by the vendor.
Keep all impacted systems patched and up to date
CVE-2026-4368
NetScaler ADC, NetScaler Gateway
High
Citrix has released a security update addressing a race condition vulnerability that can lead to user session mix-up when configured as Gateway or AAA virtual server.
Keep all impacted systems patched and up to date
CVE-2026-3055
NetScaler ADC, NetScaler Gateway
Critical
Citrix has released a security update addressing an insufficient input validation vulnerability that can lead to memory overread when configured as a SAML IDP.
Keep all impacted systems patched and up to date

Mar 20, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-22557
Ubiquiti UniFi Network Application
Critical (CVSSv3 10.0)
Ubiquiti has released a fix in version 10.1.89 addressing an unauthenticated path traversal vulnerability that could allow attackers to access system files and take control of accounts. The issue affects versions 10.1.85 and earlier.
Keep all impacted systems patched and up to date
N/A (PolyShell)
Magento Open Source, Adobe Commerce
Critical
A vulnerability affecting Magento Open Source and Adobe Commerce allows remote code execution or account takeover via the REST API without authentication. The issue involves file upload abuse using polyglot files. A patch is currently only available in alpha version 2.4.9, leaving production versions exposed.
Keep all impacted systems patched and up to date
CVE-2026-4453
Google Chrome
Medium (1)
Google has released a security update addressing an integer overflow vulnerability that could allow cross-origin data leakage via crafted HTML content.
Keep all impacted systems patched and up to date
CVE-2026-4442, CVE-2026-4460, CVE-2026-4456, CVE-2026-4441, CVE-2026-4452, CVE-2026-4450, CVE-2026-4439, CVE-2026-4443, CVE-2026-4463, CVE-2026-4462, CVE-2026-4458, CVE-2026-4461, CVE-2026-4444, CVE-2026-4446, CVE-2026-4440, CVE-2026-4449, CVE-2026-4448, CVE-2026-4455, CVE-2026-4459, CVE-2026-4464, CVE-2026-4454, CVE-2026-4445, CVE-2026-4457, CVE-2026-4451, CVE-2026-4447
Google Chrome
High (25)
Google has released security updates addressing multiple high severity vulnerabilities including memory corruption, use-after-free, buffer overflows, and sandbox escape issues that could allow remote attackers to execute arbitrary code via crafted HTML content.
Keep all impacted systems patched and up to date

Mar 19, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2025-66376
Zimbra ZCS Classic UI
High (CVSSv3 7.2)
CISA has confirmed active exploitation of a stored XSS vulnerability in Zimbra ZCS Classic UI and has mandated patching by 1 April 2026. The vulnerability allows JavaScript execution in HTML emails and potential session hijacking within the Zimbra environment.
Keep all impacted systems patched and up to date
CVE-2026-3564
ConnectWise ScreenConnect
Critical (CVSSv3 9.0)
ConnectWise has released a fix addressing a vulnerability that allows extraction of ASP.NET machine keys, enabling unauthorised authentication and execution of actions with elevated privileges. The issue affects versions prior to 26.1, with cloud instances automatically updated and on-premises installations requiring manual upgrade.
Keep all impacted systems patched and up to date
CVE-2026-26136, CVE-2026-24299, CVE-2026-26120
Microsoft Copilot, Microsoft 365 Copilot, Microsoft Bing
Medium (3)
Microsoft has released security updates addressing medium severity vulnerabilities including command injection and SSRF that could allow information disclosure and tampering over a network.
Keep all impacted systems patched and up to date
CVE-2026-26139, CVE-2026-23658, CVE-2026-26137, CVE-2026-23659, CVE-2026-26138
Microsoft Purview, Azure DevOps, Microsoft 365 Copilot Business Chat, Azure Data Factory
High (5)
Microsoft has released security updates addressing high severity vulnerabilities including SSRF, credential exposure, and information disclosure that could lead to privilege escalation and unauthorized access.
Keep all impacted systems patched and up to date
CVE-2026-32191, CVE-2026-32169
Microsoft Bing Images, Azure Cloud Shell
Critical (2)
Microsoft has released security updates addressing critical vulnerabilities including command injection and server-side request forgery (SSRF) that could allow remote code execution and privilege escalation.
Keep all impacted systems patched and up to date
CVE-2026-32194
Microsoft Bing Images
Critical (1)
Microsoft has released a security update addressing a command injection vulnerability that could allow an unauthorized attacker to execute code over a network.
Keep all impacted systems patched and up to date

Mar 18, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-32746
GNU Inetutils telnetd
Critical (CVSSv3 9.8)
A critical vulnerability in GNU Inetutils telnetd allows an unauthenticated remote attacker to achieve remote code execution via a buffer overflow during Telnet protocol negotiation. The issue affects all versions up to 2.7 and can be exploited without authentication or user interaction. No patch has been confirmed at this time.
Keep all impacted systems patched and up to date
CVE-2026-0231
Cortex XDR Broker VM
Medium (5.7)
Affects Cortex XDR Broker VM versions below 30.0.49. Upgrade available to version 30.0.49 or later.
Upgrade Cortex XDR Broker VM to version 30.0.49 or later; Enable automatic updates to ensure timely security patching; Restrict access to the Broker VM to authorized users only; Limit high-privilege account usage and enforce least privilege; Monitor and audit administrative activities and terminal sessions; Apply network access controls to reduce exposure to internal threats

Mar 17, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
Not specified
AWS Bedrock AgentCore Code Interpreter (Sandbox mode)
Not specified
AWS reproduced the finding, deployed and withdrew an initial fix, and ultimately decided not to address it. Documentation updated to state that complete isolation is only achieved using VPC mode.
Migrate sensitive workloads to VPC; Restrict privileges; Explicitly control DNS resolution

Mar 16, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
Not specified
AppArmor (Linux kernel)
Not specified
Affects AppArmor since Linux kernel version 4.11 (2017), impacting distributions including Ubuntu, Debian, and SUSE. No CVE identifiers or public proof-of-concepts available.
CVE-2026-25172, CVE-2026-25173, CVE-2026-26111
Windows 11 (Routing and Remote Access Service – RRAS)
High (CVSSv3 8.0)
Addressed via out-of-cycle hotfix KB5084597. Previously fixed in Patch Tuesday update (10 March), but required reboot. Hotpatch applies fix in memory without requiring reboot. Applicable to Windows 11 24H2, 25H2, and Enterprise LTSC 2024 enrolled in hotpatch programme and managed by Windows Autopatch.
OpenClaw AI Agents
Not specified
No CVE assigned. Vulnerability allows indirect prompt injection leading to data exfiltration via crafted URLs and automatic link previews.
Not specified
CVE-2026-3932
Google Chrome (Android)
Medium
Affects Google Chrome on Android prior to version 146.0.7680.71. Update released addressing insufficient policy enforcement in PDF.
Keep all impacted systems patched and up to date
CVE-2026-3934
Google Chrome (ChromeDriver)
Medium
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing insufficient policy enforcement in ChromeDriver.
Keep all impacted systems patched and up to date
CVE-2026-3939
Google Chrome
Medium
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing insufficient policy enforcement in PDF.
Keep all impacted systems patched and up to date
CVE-2026-3930
Google Chrome (iOS)
Medium
Affects Google Chrome on iOS prior to version 146.0.7680.71. Update released addressing unsafe navigation in Navigation.
Keep all impacted systems patched and up to date
CVE-2026-3940
Google Chrome
Medium
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing insufficient policy enforcement in DevTools.
Keep all impacted systems patched and up to date

Mar 13, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-3927
Google Chrome
Medium
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing incorrect security UI in PictureInPicture.
Keep all impacted systems patched and up to date
CVE-2026-3920
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing out of bounds memory access in WebML.
Keep all impacted systems patched and up to date
CVE-2026-3916
Google Chrome
Critical
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing out of bounds read in Web Speech.
Keep all impacted systems patched and up to date
CVE-2026-3914
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing integer overflow in WebML.
Keep all impacted systems patched and up to date
CVE-2026-3941
Google Chrome
Medium
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing insufficient policy enforcement in DevTools.
Keep all impacted systems patched and up to date
CVE-2026-3915
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing heap buffer overflow in WebML.
Keep all impacted systems patched and up to date
CVE-2026-3926
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing out of bounds read in V8.
Keep all impacted systems patched and up to date
CVE-2026-3931
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing heap buffer overflow in Skia.
Keep all impacted systems patched and up to date
CVE-2026-3919
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing use after free in Extensions.
Keep all impacted systems patched and up to date
CVE-2026-3922
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing use after free in MediaStream.
Keep all impacted systems patched and up to date
CVE-2026-3921
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing use after free in TextEncoding.
Keep all impacted systems patched and up to date
CVE-2026-3918
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing use after free in WebMCP.
Keep all impacted systems patched and up to date
CVE-2026-3942
Google Chrome
Medium
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing incorrect security UI in PictureInPicture.
Keep all impacted systems patched and up to date
CVE-2026-3913
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing heap buffer overflow in WebML.
Keep all impacted systems patched and up to date
CVE-2026-3924
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing use after free in WindowDialog.
Keep all impacted systems patched and up to date
CVE-2026-3917
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing use after free in Agents.
Keep all impacted systems patched and up to date
CVE-2026-3929
Google Chrome
Low
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing side-channel information leakage in ResourceTiming.
Keep all impacted systems patched and up to date
CVE-2026-3923
Google Chrome
High
Affects Google Chrome prior to version 146.0.7680.71. Update released addressing use after free in WebMIDI.
Keep all impacted systems patched and up to date
CVE-2026-21666, CVE-2026-21667, CVE-2026-21708
Veeam Backup & Replication
Critical (CVSSv3 9.9)
Affects Veeam Backup & Replication 12.3.2.4165 and all previous versions of the 12 branch. Veeam has released security updates to address these vulnerabilities.
Immediate updating is recommended
CVE-2026-3909
Google Chrome (Stable Desktop Channel)
High
Fixed in Google Chrome version 146.0.7680.75 (Windows, Linux) and 146.0.7680.76 (macOS). Security updates released addressing out-of-bounds write vulnerability in Skia.
CVE-2026-3910
Google Chrome (Stable Desktop Channel)
High
Fixed in Google Chrome version 146.0.7680.75 (Windows, Linux) and 146.0.7680.76 (macOS). Security updates released addressing inappropriate implementation vulnerability in V8.

Mar 12, 2026

CVE
Product
Severity
Patch Status & Updates
Recommendation
CVE-2026-23813
Aruba Networking AOS-CX (CX-series switches)
Critical (CVSSv3 9.8)
HPE has released patches addressing this vulnerability in the AOS-CX operating system. No evidence of active exploitation or public exploit code.
Isolate management interfaces on dedicated VLANs or segments; Restrict access through network policies and control plane ACLs; Disable HTTP(S) on unnecessary interfaces; Enable access monitoring and logging
CVE-2026-3913
Google Chrome
Critical (no CVSS assigned)
Fixed in Chrome version 146.0.7680.71 for Linux and 146.0.7680.71/72 for Windows and Mac. Patch addresses heap buffer overflow in WebML.
Immediately update to Chrome 146.0.7680.71
