LATEST THREAT INTELLIGENCE.
Microsoft OAuth Device Code Phishing
Description: A new phishing technique abusing Microsoft's OAuth Device Code flow is on the rise, with over 180 phishing URLs detected in a week. This method shifts from credential theft to token-based account takeover, making detection more challenging. Attackers initiate a device authorization process, tricking victims into approving it on legitimate Microsoft pages. The attack uses encrypted HTTPS traffic and legitimate authentication flows, bypassing traditional phishing indicators. Victims unknowingly grant attackers access to their Microsoft 365 accounts through OAuth tokens. This poses a critical risk as it allows immediate access to corporate data and resources, potentially leading to business email compromise and persistent access through refresh tokens.
Created at: 2026-03-11T06:17:03.540000
Updated at: 2026-03-11T10:19:13.935000
Iranian MOIS Actors & the Cyber Crime Connection
Description: Iranian intelligence services are increasingly engaging with the cyber crime ecosystem, leveraging criminal tools, services, and operational models to support state objectives. This trend is particularly evident among actors linked to the Ministry of Intelligence and Security (MOIS), such as Void Manticore and MuddyWater. These actors are not merely imitating criminal behavior but actively associating with the cyber criminal ecosystem, using its infrastructure, malware, and affiliate-style relationships. This approach enhances their operational capabilities, complicates attribution, and contributes to confusion around Iranian threat activity. Examples include the use of ransomware branding, commercial infostealers, and overlaps with criminal malware clusters. This shift from imitation to active engagement with cyber crime offers both improved deniability and expanded technical capabilities for Iranian actors.
Created at: 2026-03-10T21:10:43.542000
Updated at: 2026-03-11T10:12:34.364000
KadNap Malware Turning Asus Routers Into Botnets
Description: A sophisticated new malware called KadNap has been discovered targeting Asus routers and conscripting them into a botnet for proxying malicious traffic. The malware employs a custom version of the Kademlia Distributed Hash Table protocol to conceal its command-and-control infrastructure within a peer-to-peer system, evading traditional network monitoring. The botnet, which has grown to over 14,000 infected devices, is marketed by a proxy service called Doppelganger, tailored for criminal activity. More than 60% of KadNap's victims are based in the United States. The malware demonstrates versatility by targeting various edge networking devices and employing different C2 servers for different victim types.
Created at: 2026-03-11T10:02:07.876000
Updated at: 2026-03-11T10:06:18.797000
A security alert regarding APT-C-28 (ScarCruft) using MiradorShell to launch a cyberattack.
Description: A recent investigation reveals that the APT-C-28 (ScarCruft) group has expanded its targets to include the cryptocurrency industry. The group employs sophisticated phishing tactics, using LNK files disguised as PDFs to lure victims with investment proposals ranging from $1-3 million. Upon execution, a multi-stage payload deployment occurs, ultimately installing MiradorShell v2.0 to gain system control. The attack chain involves file downloads, decryption, and the creation of scheduled tasks for persistence. MiradorShell, an AutoIt-based backdoor, connects to a command and control server, offering reverse shell capabilities, file management, remote program execution, and victim fingerprinting. The malware employs various evasion techniques, including inline library files and direct API calls.
Created at: 2026-02-09T10:18:26.280000
Updated at: 2026-03-11T10:00:03.773000
Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server
Description: eSentire's Threat Response Unit detected Prometei botnet activity on a customer's Windows Server in the Construction industry. Prometei, a Russian-origin botnet active since 2016, features remote control, credential harvesting, crypto-mining, lateral movement, and C2 communication over clearweb and TOR. The malware uses complex encryption, including rolling XOR and RC4, for payload decryption and C2 communications. It establishes persistence as a Windows service, creates firewall exceptions, and downloads additional modules for specialized functions like credential theft and TOR routing. The attack likely began with compromised RDP credentials, followed by the execution of a malicious command to download and run the Prometei payload.
Created at: 2026-02-09T10:17:26.978000
Updated at: 2026-03-11T10:00:03.773000
Quiz sites trick users into enabling unwanted browser notifications
Description: Users are being tricked into enabling unwanted browser notifications through quiz websites. These sites challenge visitors with quizzes on various topics, but their main goal is to get users to click 'Start the quiz' button. This action triggers a misleading prompt that tricks users into allowing notifications. Once enabled, these notifications can display advertisements, scams, or unwanted downloads even when the user is not on the original website. The article provides instructions on how to remove and block web push notifications across different browsers, including Chrome, Firefox, Opera, Edge, and Safari. It also lists several domains associated with this deceptive campaign.
Created at: 2026-03-10T12:56:28.595000
Updated at: 2026-03-10T13:08:27.731000
BeatBanker: both banker and miner for Android
Description: BeatBanker is a sophisticated Android malware campaign targeting Brazil. It spreads through phishing attacks using a fake Google Play Store website. The malware combines a cryptocurrency miner and a banking Trojan capable of hijacking devices and overlaying screens. It employs creative persistence mechanisms, including playing an inaudible audio loop. BeatBanker monitors device status, disguises itself as legitimate apps, and targets cryptocurrency transactions on Binance and Trust Wallet. Recent variants have replaced the banking module with the BTMOB remote administration tool, expanding its capabilities. The threat demonstrates advanced evasion techniques, uses Firebase Cloud Messaging for command and control, and targets multiple browsers for data collection. Victims are primarily located in Brazil, with some samples spreading via WhatsApp.
Created at: 2026-03-10T12:26:22.504000
Updated at: 2026-03-10T12:54:15.216000
New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
Description: A new backdoor, dubbed A0Backdoor, has been discovered in connection with a campaign using email bombing and IT-support impersonation over Microsoft Teams to gain Quick Assist access. The malware's loader exhibits anti-sandbox evasion techniques, and the campaign's command-and-control has shifted to a covert DNS mail exchange-based channel. This activity is attributed to the threat group Blitz Brigantine, also known as Storm-1811 or STAC5777, and shows similarities to Black Basta-linked social-engineering tactics. The attackers use digitally signed MSI packages, often hosted on Microsoft cloud storage, to deliver their proprietary tooling. The A0Backdoor employs sophisticated techniques such as time-based execution windows, runtime decryption, and DNS tunneling for covert communication. The campaign has been active since August 2025, targeting primarily the finance and health sectors.
Created at: 2026-03-07T09:44:29.978000
Updated at: 2026-03-09T10:39:49.321000
Unmasking an Attack Chain of MuddyWater
Description: An intrusion attributed to MuddyWater, an Iranian-linked APT, was identified in a customer environment. The attack involved initial access through RDP, establishing an SSH tunnel, and deploying malware via DLL side-loading. The threat actor used FMAPP.exe, a legitimate Fortemedia Inc. application, to load a malicious FMAPP.dll for C2 communications. The timeline of activities revealed typos in commands, suggesting manual typing by the attacker. The intrusion included reconnaissance efforts, attempts to verify tunnel functionality, and issues with initial C2 communication. The attack targeted an Israeli company, aligning with known MuddyWater tactics.
Created at: 2026-03-07T09:44:29.026000
Updated at: 2026-03-09T10:38:16.591000
Middle East Conflict Fuels Opportunistic Cyber Attacks
Description: The ongoing conflict in the Middle East has triggered a surge in cybercriminal activity. Over 8,000 newly registered domains with conflict-related keywords have been identified, many of which may be weaponized in future campaigns. Multiple cases of malicious activity have been observed, including targeted attacks using conflict-themed lures, deployment of the LOTUSLITE backdoor, fake news blogs leading to StealC malware, phishing sites impersonating government portals, donation scams, fraudulent storefronts, and meme-coin pump-and-dump schemes. Threat actors are leveraging various techniques such as DLL sideloading, shellcode execution, and social engineering to compromise victims. The campaigns demonstrate the opportunistic nature of cybercriminals in exploiting geopolitical events for malicious purposes.
Created at: 2026-03-06T19:39:15.913000
Updated at: 2026-03-09T10:33:53.468000
