Threat Research | Weekly Recap [12 Apr 2026]

Cybersecurity Threat Research ‘Weekly’ Recap.
This week's highlights: a broad surge in supply-chain and package-ecosystem attacks; AI-themed lure campaigns around Claude and related tooling; evolving infostealer and RAT families (STX RAT, Lumma/Remus); trojanized installers and MaaS campaigns (ClickFix, CastleLoader); ransomware operations (Storm-1175/Medusa, NightSpire); and pervasive vulnerability disclosures. Notable data exfiltration was tied to TeamPCP, and the defensive coverage focused on exercises and immutable backups.
#TeamPCP #Axios #STXRAT #Remus #Lumma #CastleLoader #ClipBanker #HWMonitor #ScreenConnect #Storm1175 #Medusa #NightSpire #BeastRansomware #Sinobi #EvilTokens #Graphalgo #ForestBlizzard #APT35 #DPRK #Handala #MOIS #OpenClaw #Marimo #Kubernetes #FortiGate

Supply‑chain & package ecosystem attacks

  • Maintainer account compromises spiked in March: large, multi-ecosystem campaigns stole credentials, implanted backdoors and propagated via CI runners and package registries. [Source: TeamPCP supply-chain campaign]
  • Malicious npm releases executed hidden postinstall hooks to install RATs, with cross-platform impact on developer and CI systems. [Source: Axios npm supply-chain blast]
  • Broad summary: March saw a wave of package and CI abuse (npm, PyPI, LiteLLM, GitHub Actions) used to deliver RATs and credential stealers. [Source: Supply-chain attacks surge, Mar 2026]
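A defender-side check for the hidden postinstall-hook technique in the npm item above, as an added example that is not code from the recap or from any of the linked reports: it walks a node_modules tree, reports every lifecycle hook, and flags the ones that match common dropper patterns. The package names, commands and heuristics are constructed for illustration.

```python
# Added example (constructed sample, illustrative heuristics): audit an npm tree for lifecycle hooks.
import json, re, tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS = {  # each pattern matches a common way a dropper hides its payload
    "base64_decode": re.compile(r"base64|atob\(", re.I),
    "eval_or_spawn": re.compile(r"\beval\(|child_process|execSync|spawn\(", re.I),
    "remote_fetch": re.compile(r"\b(curl|wget)\b|https?://", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|node|python)\b", re.I),
}

def audit_package(pkg: dict) -> list:
    """One finding per lifecycle hook in a parsed package.json, with heuristics hit."""
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE:
            hits = [k for k, rx in SUSPICIOUS.items() if rx.search(cmd)]
            findings.append({"package": pkg.get("name", "?"), "hook": hook,
                             "command": cmd, "suspicious": hits})
    return findings

def audit_tree(root: str) -> list:
    """Walk root (e.g. a node_modules directory) and audit every package.json."""
    out = []
    for path in Path(root).rglob("package.json"):
        try:
            out.extend(audit_package(json.loads(path.read_text())))
        except (json.JSONDecodeError, OSError):
            continue  # unreadable manifest: report nothing rather than abort
    return out

# Constructed sample: a benign native build hook beside a hidden base64/eval dropper.
SAMPLE = {
    "node_modules/benign-native/package.json":
        {"name": "benign-native", "scripts": {"install": "node-gyp rebuild"}},
    "node_modules/evil-util/package.json":
        {"name": "evil-util", "scripts": {"test": "jest", "postinstall":
         "node -e \"eval(Buffer.from('Li4u','base64').toString())\""}},
}

def demo() -> list:
    """Materialise SAMPLE in a temp dir; return only hooks that tripped a heuristic."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, manifest in SAMPLE.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(json.dumps(manifest))
        return [f for f in audit_tree(tmp) if f["suspicious"]]
```

Run `audit_tree("node_modules")` in a CI job after `npm ci`; a benign `install` hook such as `node-gyp rebuild` is still listed so reviewers see every hook, but only heuristic matches need investigation.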

AI, Anthropic & Claude‑themed lures

  • Fake Claude sites and trojanized installers sideloaded PlugX and other backdoors by bundling a "working" Claude app with a malicious dropper. [Source: Fake Claude site installs malware]
  • Claude Code source and packaging errors exposed internal tooling and enabled trojanized GitHub releases that distributed stealers (Vidar, PureLog) via malicious archives. [Source: Claude Code leak (source)]
  • AI supply-chain incidents (the Anthropic leak, the Mercor compromise, LiteLLM PyPI publishes) highlight urgent enterprise AI-integration and dependency risks. [Source: Anthropic & Mercor AI security takeaways]

Infostealers, RATs & modular malware

  • New and evolving RAT/stealer families: STX RAT (X25519/ChaCha20-Poly1305 C2, HVNC, credential and crypto theft) and developer-focused supply-chain loaders delivering RATs. [Source: STX RAT discovery]
  • Lumma/Remus evolution: 64-bit Remus builds, EtherHiding smart-contract dead-drops, and pairing with CastleLoader for in-memory execution. [Source: Remus (Lumma family)]
  • Monthly trend: Windows infostealers remain EXE-centric with DLL sideloading; macOS campaigns use mutating scripts and clipboard tricks. [Source: March 2026 Infostealer trend]
  • Clipboard stealers and long fileless chains continue to spread via trojanized installers (e.g., ClipBanker via Proxifier). [Source: ClipBanker infection chain]

ClickFix, TDS & MaaS ecosystems

  • ClickFix-centric TDS campaigns abused compromised WordPress sites and Polygon smart-contract dead-drops (EtherHiding) to deliver OS-specific lures and stealers. [Source: ErrTraffic v3 / ClickFix]
  • Netskope found a modular Node.js infostealer delivered via malicious MSI installers with a gRPC-over-Tor C2 and an exposed MaaS admin panel. [Source: From ClickFix to MaaS]
  • DNS and hosting analyses reveal mass domain churn and thousands of victim IPs communicating with ClickFix/Lumma-linked infrastructure. [Source: LummaStealer + CastleLoader DNS deep dive]

Trojanized installers & fileless loaders

  • Trusted installers were trojanized to deliver multi-stage, fileless .NET payloads via scriptlets, regsvr32 and MSBuild abuse; validate installer integrity and monitor scriptlet and LOLBin use. [Source: HWMonitor trojanized installer]
  • Obfuscated VBScript/PowerShell loaders staged in-memory .NET implants and abused auto-elevated COM objects to install ScreenConnect. [Source: In-memory loader drops ScreenConnect]
  • MSBuild and other Microsoft-signed binaries continue to be abused for inline C# and fileless execution; focus detections on the execution context and behaviour of project files rather than on the signed binary itself. [Source: LOLBins: MSBuild analysis]

Ransomware & extortion operations

  • Storm-1175 / Medusa: opportunistic exploitation of public-facing flaws, webshells, LOLBins and RMM tools to enable fast double-extortion. [Source: Storm-1175 (Medusa)]
  • NightSpire shows TTP variance between intrusions (changing encryptors/notes, third-party tools), complicating detection and attribution. [Source: NightSpire analysis]
  • Active operator toolkits were exposed online (Beast server), revealing full operator workflows for reconnaissance, exfiltration and cleanup. [Source: Beast ransomware server toolkit]
  • Adversary emulation: AttackIQ published a Sinobi ransomware emulation to validate defenses against discovery, escalation and encryption behaviors. [Source: Sinobi emulation (AttackIQ)]

Phishing, device‑code abuse & AI‑augmented credential fraud

  • OAuth device-code flow abuse scaled with automation and short-lived cloud hosting to bypass MFA (multiple campaigns: Storm-2372, Storm-2755); Microsoft published detailed telemetry and mitigations. [Source: AI-enabled device-code phishing (Storm-2372)]
  • EvilTokens PhaaS automates Microsoft device-code phishing, token weaponization and AI-driven BEC drafting via Graph API and chained LLMs. [Source: EvilTokens PhaaS]
  • Targeted social engineering: fake recruiter and job-offer campaigns (Graphalgo, Coca-Cola/Ferrari lures) delivered encrypted downloaders and credential harvesters to crypto/dev and general users. [Source: Graphalgo recruiter campaign]
  • Fear-based phishing (region/conflict themed) and payroll AiTM attacks targeted public and corporate users; defenders are urged to monitor inbox rules, token misuse and device-code flows. [Source: Weaponizing fear phishing]

State‑aligned campaigns, ICS/OT & infra compromises

  • APT35 maintained pre-positioned access across the GCC, correlating cyber reconnaissance with kinetic effects; hunt for webshells, Plink.exe and RATs (BellaCiao, Sagheb). [Source: APT35 pre-positioning (GCC)]
  • Iran-linked actors exploited internet-facing PLCs (Rockwell/Allen-Bradley) to extract project files and manipulate HMI/SCADA displays. [Source: PLC exploitation across US critical infrastructure]
  • SOHO router compromises by Forest Blizzard enabled DNS hijacking and selective AiTM interception across thousands of consumer and enterprise devices. [Source: SOHO router DNS hijack (Forest Blizzard)]
  • Analyses highlight DPRK modular malware programs and influence ecosystems (Handala/MOIS) that fuse intrusion and info-ops for high-impact narratives. [Source: Handala / MOIS influence ecosystem]

Vulnerabilities, Kubernetes & cloud identity risks

  • Rapid weaponization observed: niche RCEs and auth bypasses (e.g., the Marimo RCE exploited under 10 hours after disclosure) underscore fast exploit timelines. [Source: Marimo RCE rapid exploitation]
  • Long-standing and hard-to-mitigate issues: a Kubernetes API proxy TOCTOU (CVE-2020-8562) and a surge in token theft and cluster-to-cloud pivots highlight identity exposure risk. [Source: Unpatchable Kubernetes vulnerability (CVE-2020-8562)]
  • Critical appliance exploits and exploited CVEs (FortiGate SSO bypass) were used for admin account creation and persistent ingress; patching and log correlation remain essential. [Source: FortiGate CVE-2025-59718 IR findings]
  • Weekly vuln surge: thousands of disclosures, many with PoCs and active exploitation across IT/OT (OpenClaw, F5 BIG-IP, ICS vendors). [Source: Week in vulnerabilities]

Defensive programs, exercises & AI for security

  • Elastic ran a massive Defence Cyber Marvel 2026 exercise, validating a multi-tenant Elastic Cloud for 40 Blue Teams, large-scale automation and guarded on-range AI services. [Source: Elastic DCM26 technical overview]
  • Elastic shipped Q1 integrations to expand macOS, cloud, email and identity visibility with normalized pipelines and AI assistant support. [Source: Elastic Security integrations (Q1 2026)]
  • Agentic/dual-brain AI (e.g., Cyble Blaze AI) promises predictive, autonomous detection and forecasting up to months ahead, a new architecture to watch for defenders and attackers alike. [Source: Dual-brain / Cyble Blaze AI]
  • Backup readiness: immutable backup adoption remains limited; pragmatic rollouts are recommended (one immutable copy for critical workloads, regular restore tests). [Source: Immutable backups: readiness gap]

Data exposures & notable leaks

  • Supply-chain compromises tied to large credential theft and data exfiltration (TeamPCP claims: ~500k creds and 300+ GB exfiltrated, including EU Commission impact). [Source: TeamPCP data exfiltration]
  • Over 500 MB of Italian identity documents (500 scanned IDs + selfies) were posted on Telegram; likely recycled material used in smishing and fraud. [Source: Telegram dump of Italian IDs]

Threat Research | Weekly Recap – hendryadrian.com