LATEST THREAT INTELLIGENCE.
South American telecommunication providers targeted with three new malware implants
Description: UAT-9244, a China-nexus advanced persistent threat actor, has been targeting critical telecommunications infrastructure in South America since 2024. The group employs three new malware implants: TernDoor, a Windows-based backdoor variant of CrowDoor; PeerTime, an ELF-based backdoor using BitTorrent protocol; and BruteEntry, a brute force scanner for SSH, Postgres, and Tomcat servers. UAT-9244 uses dynamic-link library side-loading, scheduled tasks, and registry modifications for persistence. The group is closely associated with FamousSparrow and Tropic Trooper, sharing similar tooling and tactics. Their infrastructure includes multiple command and control servers and operational relay boxes for scanning and brute-forcing activities.
Created at: 2026-03-05T20:13:36.305000
Updated at: 2026-04-04T20:21:48.976000
MuddyWater Exposed: Inside an Iranian APT operation
Description: Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfiltration techniques. Targets included organizations in Israel, Jordan, Egypt, UAE, Portugal, and the US. Notable findings include the use of Ethereum smart contracts for C2 communication, multiple custom C2 frameworks, and exploitation of various CVEs. The group showed a pattern of rapid adoption of public exploits and development of custom tools, while also exhibiting operational security failures that enabled this research.
Created at: 2026-03-05T15:18:30.318000
Updated at: 2026-04-04T15:09:45.509000
Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation
Description: The analysis examines Iranian state-aligned threat actors and their infrastructure patterns during heightened geopolitical tensions. It focuses on mapping network infrastructure, ASN patterns, TLS fingerprints, and hosting clusters associated with various Iranian APT groups. The report highlights the importance of proactive infrastructure monitoring to detect and disrupt potential cyber operations. Key findings include the identification of previously unreported hosts, domains, and servers linked to Iranian operations, as well as insights into the tactics used by groups like MuddyWater and Dark Scepter. The article emphasizes the value of infrastructure intelligence in early threat detection and provides recommendations for organizations to monitor and defend against these threats.
Created at: 2026-03-04T19:42:41.596000
Updated at: 2026-04-03T19:20:13.778000
DPRK-Related Campaigns with LNK and GitHub C2
Description: FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection. Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware.
Created at: 2026-04-03T14:30:06.242000
Updated at: 2026-04-03T16:49:18.577000
A Technique-Based Approach to Hunting Web-Delivered Malware
Description: This report presents a technique-based approach to HTTP body hunting using Censys that addresses this tension directly, and demonstrates its effectiveness by walking through a live discovery: a ClickFix campaign delivering XWorm V5.6 through a 5-stage attack chain.
Created at: 2026-04-03T09:49:01.862000
Updated at: 2026-04-03T16:48:34.590000
Securing the Supply Chain: How SentinelOne's AI EDR Stops the ...
Description: On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments.
Created at: 2026-04-03T00:03:44.645000
Updated at: 2026-04-03T16:45:59.385000
Signed malware impersonating workplace apps deploys RMM backdoors
Description: Multiple phishing campaigns were identified using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attacks used digitally signed executables masquerading as legitimate software to install remote monitoring and management (RMM) tools like ScreenConnect, Tactical RMM, and Mesh Agent. These tools enabled attackers to establish persistence and move laterally within compromised environments. The malware was signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD. The campaigns demonstrate how familiar branding and trusted digital signatures can be exploited to bypass user suspicion and gain an initial foothold in enterprise networks.
Created at: 2026-03-04T00:20:30.607000
Updated at: 2026-04-03T00:08:04.195000
Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store
Description: A newly uncovered campaign abuses the Trillion (formerly Trellian) AdTech network, mimicking the flow of a Traffic Direction System (TDS) to trick visitors of typo-squatted domains into downloading Microsoft Store apps that contain browser hijacking malware. While the abuse of AdTech networks to deliver malware isn’t new, this campaign highlights incredibly similar tactics to VexTrio and previous TDS networks; further blurring the line between AdTech and malicious TDS systems.
Created at: 2026-04-02T17:24:27.896000
Updated at: 2026-04-02T17:50:11.180000
Cisco Talos: Qilin EDR killer infection chain
Description: Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. The malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market.
Created at: 2026-04-02T15:23:51.858000
Updated at: 2026-04-02T17:33:25.859000
Stranger Strings: Yurei Ransomware Operator Toolkit Exposed
Description: Active since September 2025, Yurei is a double extortion ransomware campaign. The operators run their own Tor data leak site with a low number of victims listed at the time of writing. It is reportedly derived from Prince Ransomware, an open-source ransomware family written in Go. Check Point researchers noted that all samples were first submitted to VirusTotal from Morocco, and that one sample did not include a ticket ID, indicating that this could be a test build, possibly uploaded by the developer themselves. Yurei ransomware samples also contained a link to SatanLockv2, based on the presence of the PDB path string “D:\satanlockv2” present in the Yurei samples.
Created at: 2026-04-01T18:38:57.381000
Updated at: 2026-04-01T19:34:01.809000
