Threat Research | Weekly Recap [15 Mar 2026]

Cybersecurity Threat Research ‘Weekly’ Recap: A concise survey of ransomware, APT/espionage campaigns, infostealers, supply-chain threats, and defensive tooling trends observed across multiple sectors this week. Key items include GreenBlood ransomware, Handala wipers, INC Ransom, Black Basta, Operation CamelClone and CL-STA-1087 espionage campaigns, PeckBirdy and MuddyWater/Tsundere, Iran MOIS activities and Proofpoint’s Iran-Conflict surge, alongside defensive updates from Elastic + Terraform, Copilot Studio logging gaps, and AI-assisted BAS workflows.
#GreenBlood #OperationCamelClone

Ransomware & Wipers

  • GreenBlood — Go-based ransomware with fast parallel encryption (extensions .tgbg/.gblood); detection/auto-response demo using Sysmon, custom Wazuh rules and YARA Active Response. Detecting GreenBlood (Wazuh)
  • Handala — Iran‑linked destructive persona conducting large‑scale wiper operations (Stryker), using phishing, Intune abuse and multi-technique disk/MBR wipers; defenders urged to harden identities, Intune controls and backups. Handala Hack — Modus Operandi
  • INC Ransom (affiliate RaaS) — Joint Australia/NZ/Tonga advisory: affiliate‑driven RaaS targeting healthcare and Pacific networks via spear‑phishing, credential purchase and living‑off‑the‑land exfiltration. INC Ransom Pacific Advisory
  • Black Basta — Alleged leader added to Most Wanted; recent campaign IoCs show phishing + exploitation + double‑extortion playbook. Black Basta — Post‑arrest Analysis

APT & Espionage Campaigns

  • Operation CamelClone — Spear‑phishing ZIP→LNK delivers JS loader “HOPPINGANT” that deploys Rclone (l.exe) to exfiltrate docs to MEGA; targets gov/defense/diplomatic/energy across multiple countries. Operation CamelClone
  • CL‑STA‑1087 (China‑nexus) — Long‑running espionage against SE Asian militaries using custom backdoors AppleChris/MemFun, Getpass credential harvester and Pastebin/Dropbox DDRs for resilient C2. China‑nexus Espionage (Unit42)
  • PeckBirdy — JavaScript‑based C2 framework tied to China‑aligned APTs and modular backdoors (HOLODONUT/MKDOOR); extensive DNS IoC mapping and sample release. PeckBirdy DNS Investigation
  • MuddyWater + Tsundere — Open‑directory stager deploys persistence + Tsundere botnet that retrieves C2 from the Ethereum chain (“EtherHiding”) and uses AES WebSockets; Node.js obfuscation and language checks observed. MuddyWater & Tsundere — EtherHiding C2
  • PlugX (China‑nexus) — Conflict‑themed lure chain (ZIP→LNK→CHM→shellcode) delivering PlugX to Persian Gulf targets; uses reflective DLL injection, CFF/MBA obfuscation and HTTPS/DoH C2. PlugX Campaign — Persian Gulf
  • Earth Lusca — China‑linked long‑term espionage actor expanding tooling (Go-based KTLVdoor), ShadowPad/Winnti usage and cloud‑hosted rotating C2 to maintain stealth. Earth Lusca APT Profile
  • Iran MOIS & cyber‑crime blend — MOIS‑linked actors increasingly leverage criminal tooling, shared code‑signing certs, botnets and infostealers to advance state objectives and complicate attribution. Iran MOIS — Crime Connection
  • Proofpoint — Iran‑conflict surge — Multiple state‑aligned/opportunistic clusters exploiting conflict lures with LNK loaders, DLL sideloading, Rust backdoors and Cobalt Strike to target Middle East gov/diplomatic orgs. Iran‑Conflict Espionage Surge

Infostealers, Phishing & Credential Theft

  • AhnLab Feb Infostealer Trends — SEO‑poisoning drives Windows EXE/DLL side‑loading and macOS bash/osascript droppers; notable ACRStealer activity and Inno Setup downloader surge. Infostealer Trend — Feb 2026
  • MicroStealer — Fast‑spreading infostealer using NSIS→Electron→Java chain to harvest browsers/wallets and exfiltrate via Discord webhooks; low vendor detection noted. MicroStealer Analysis
  • Storm‑2561 — SEO‑poisoning redirects to signed MSI installers that side‑load malicious DLLs (Hyrax variant) to steal VPN credentials and connection data. Storm‑2561 — Fake VPNs
  • AiTM AWS Console phishing — Reverse‑proxy kit and typosquatted domains harvest validated AWS Console creds/OTPs; rapid infra rotation and Mullvad egress observed. Behind the Console — AWS AiTM
  • OAuth Device Code phishing — Attackers trick users into approving device authorizations, receiving OAuth tokens via legitimate Microsoft pages and evading traditional detection. OAuth Device Code Phishing
  • Telegram Bot exfil — Threat actors abuse Telegram Bot API to exfiltrate credentials/files from phishing pages and malware (Agent Tesla, Pure Logs, WSH RAT); blocking api.telegram.org recommended. Weaponizing Telegram Bots
  • Phishing link obfuscation — “Free toothbrush” emails using IPv6‑mapped IPv4 URLs and other redirect domains to hide scam landing pages that harvest PII/payment data. IPv6 Trick in Scam Emails
  • Quiz sites / browser push abuse — Deceptive quiz/extension sites trick users into enabling persistent web push notifications used for ads/affiliate scams. Quiz Sites — Push Notification Abuse
  • Contagious Interview — Fake developer interview workflows deliver backdoors (InvisibleFerret/FlexibleFerret) via malicious NPM/VS Code tasks to harvest API/cloud credentials and signing keys. Contagious Interview — Dev Supply‑Chain

Supply‑Chain & Malicious Packages

  • Packagist (Composer) trojan themes — Six malicious ophimcms packages shipped trojanized jQuery to exfiltrate URLs, inject ads and redirect mobile users to gambling/ad sites using FUNNULL infrastructure. Malicious Packagist Themes
  • Malicious Rust crates — Five crates posed as time utilities to exfiltrate .env secrets; most were yanked after disclosure. Malicious Rust Crates

ClickFix / Lure‑Based RATs & PUAs

  • Fake $TEMU airdrop (ClickFix) — Polished airdrop page tricks victims to paste commands, deploying a windowless Python backdoor (pythonw.exe) that streams/executes Python in memory with minimal file artifacts. Fake TEMU Airdrop — ClickFix Trap
  • KongTuke / ClickFix — Compromised WordPress + fake CAPTCHA/CrashFix lures deliver Python modeloRAT for reconnaissance, remote exec and persistence. KongTuke — ClickFix Abuse
  • REMCOS in PUAs — REMCOS RAT campaigns trojanize legitimate portable apps (e.g. Shotcut ZIPs) by replacing DLLs; uses in‑memory loaders and API‑style shellcode callbacks. REMCOS in PUAs

Mobile Banking & Payment Trojans

  • PixRevolution — Android trojan streams victims’ screens and enables operator‑assisted real‑time hijacking of Brazil PIX transfers via Accessibility/MediaProjection abuse. PixRevolution — PIX Hijack
  • BeatBanker — Dual‑mode Android campaign (miner + banking module/BTMOB RAT) targeting Brazil; uses inaudible audio loop, overlays and Firebase for C2. BeatBanker — Miner & Banker

Defensive Tooling, Observability & Research Methods

  • Elastic + Terraform — Terraform provider now supports managing detection rules and exception lists as code (ES|QL → Terraform resources) for IaC‑driven detections. Managing Elastic Rules with Terraform
  • Copilot Studio logging gaps — Datadog disclosed missing Copilot Studio admin‑action logs (Aug–Sep 2025); MSRC remediations and regressions tracked. Copilot Studio — Logging Gaps
  • Generative AI in BAS — Picus proposes agentic BAS architecture to compress attacker‑to‑remediation timelines using cooperating AI agents for research, simulation and vendor‑specific fixes. Generative AI for BAS
  • LLM→Knowledge Graph for CTI — Workflow and experiments for transforming CTI narratives into structured JSON and knowledge graphs using LLMs; discusses accuracy, abstention and ensemble tradeoffs. LLM‑Driven CTI → Knowledge Graph

Threat Research | Weekly Recap – hendryadrian.com