Threat Research | Weekly Recap [08 Mar 2026]

This week's Cybersecurity Threat Research Recap highlights a widespread mix of opportunistic campaigns, AI-enabled tradecraft, and nation-state activity across ICS/OT, mobile, and software supply chains, with notable tools and actors such as LOTUSLITE, StealC, Coruna, TaxiSpy, VioletRAT, Agent Tesla and APT41. The roundup also covers phishing, AiTM and OAuth abuse, developer supply-chain compromises, crypto-theft schemes, rootkits, disinformation infrastructure, and practical hardening guidance for identity, backups, OT segmentation, and cloud/mobile environments.


Middle East conflict & ICS/OT risk

  • Surge of opportunistic campaigns—fake news, donation scams, meme‑coins, LNK/CHM loaders, DLL sideloading and in‑memory shellcode; notable chains include LOTUSLITE and web lures delivering StealC. Zscaler — Middle East opportunistic attacks
  • Coordinated strikes triggered widespread hacktivist/APT activity, national internet outages and a wave of phishing/wipers; mitigations: layered defenses, offline backups, IR. Unit42 — Iran‑related escalation brief
  • Assessment: AI-assisted reconnaissance and 60+ Iranian‑aligned groups have turned exposed ICS/HMI portals and default credentials into mass‑targeting opportunities; immediate actions: remove internet‑facing ICS, change defaults, block industrial ports. CloudSEK — ICS/OT risk assessment

Mobile & iOS exploitation

  • Targeted SMS (smishing) campaign delivers a trojanized Israeli “Red Alert” app that preserves the legitimate UI while running hidden spyware to harvest SMS, contacts, location and installed apps; C2 at api[.]ra-backup[.]com. Acronis — RedAlert mobile spyware
  • TaxiSpy: sophisticated Android banking RAT with native obfuscation, Firebase C2, real‑time VNC control and extensive SMS/notification/keylog exfiltration targeting Russian banks. CYFIRMA — TaxiSpy RAT
  • Coruna iOS exploit kit: commercial‑grade package of five exploit chains (23 exploits) targeting iOS 13–17.2.1 used by multiple operators; extensive C2/dropper infra mapped. GTIG — Coruna iOS exploit kit

AI-enabled tradecraft & agent risks

  • North Korean‑linked groups operationalize generative/agentic AI across the attack lifecycle (recon, persona fabrication, AI‑assisted malware); includes artifacts like OtterCookie and GAN domain impersonation. Microsoft — AI as tradecraft
  • Web‑based indirect prompt injection (IDPI) observed in the wild—hidden instructions on web pages cause LLMs/agents to execute attacker prompts (ad‑review evasion, data exfiltration); includes IOCs and mitigations. Unit42 — IDPI / AI agent prompt injection
  • Supply‑chain risk: OpenVSX versions of the Aqua Trivy VS Code extension launched local AI assistants in permissive modes for reconnaissance and attempted exfiltration—uninstall affected versions and audit local AI activity. Socket — Trivy OpenVSX AI agent abuse

Phishing, AiTM & OAuth/session abuse

  • Tycoon2FA AiTM phishing‑as‑a‑service enabled large‑scale MFA bypass via session cookie capture; Microsoft/partners disrupted infrastructure and seized hundreds of domains—recommend phishing‑resistant MFA and Defender protections. Microsoft — Inside Tycoon2FA
  • OAuth redirection abuse: campaigns exploit OAuth redirect/silent auth (prompt=none/invalid scopes) to route users to attacker landing pages; Microsoft Entra disabled apps but monitoring remains critical. Microsoft — OAuth redirection abuse
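A defender-side check for the silent-auth pattern in the OAuth bullet above, added here as an example and not taken from the recap or from Microsoft's write-up: it scans constructed sample authorize-request log lines (the log format, app ids and hosts are assumptions) and flags requests where prompt=none produced an error that was bounced to a redirect_uri host outside the tenant's allow-list.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample authorize-request log (not real telemetry). Tab-separated:
# timestamp, client_id, full request URL, outcome. Hosts and app ids are made up.
SAMPLE_LOG = """\
2026-03-02T10:01:12Z\tapp-111\thttps://login.idp.test/authorize?client_id=app-111&response_type=code&scope=openid%20profile&redirect_uri=https%3A%2F%2Fportal.corp.test%2Fcb&prompt=none\tsuccess
2026-03-02T10:03:45Z\tapp-222\thttps://login.idp.test/authorize?client_id=app-222&response_type=code&scope=openid%20no.such.scope&redirect_uri=https%3A%2F%2Fupdate-check.example-attacker.test%2Fl&prompt=none\terror:invalid_scope
2026-03-02T10:04:01Z\tapp-333\thttps://login.idp.test/authorize?client_id=app-333&response_type=code&scope=openid&redirect_uri=https%3A%2F%2Fhr.corp.test%2Fcb\tsuccess
"""

# Hosts that this tenant's registered apps are expected to redirect to (assumption).
TRUSTED_REDIRECT_HOSTS = {"portal.corp.test", "hr.corp.test"}


def parse_line(line):
    """Split one log line and pull the OAuth parameters out of the request URL."""
    ts, client_id, url, outcome = line.split("\t")
    params = parse_qs(urlsplit(url).query)
    redirect_uri = params.get("redirect_uri", [""])[0]
    return {
        "ts": ts, "client_id": client_id, "outcome": outcome,
        "prompt": params.get("prompt", [None])[0],
        "scopes": params.get("scope", [""])[0].split(),
        "redirect_host": urlsplit(redirect_uri).hostname or "",
    }


def reasons_for(rec):
    """Return why a request looks like redirect abuse; an empty list means benign."""
    reasons = []
    # A failed silent-auth request (prompt=none) is answered with an error
    # delivered to redirect_uri, which is what bounces the user off the IdP.
    if rec["prompt"] == "none" and rec["outcome"].startswith("error:"):
        reasons.append("silent-auth error bounced to redirect_uri")
    if rec["redirect_host"] not in TRUSTED_REDIRECT_HOSTS:
        reasons.append("redirect_uri host not allow-listed")
    return reasons


def find_suspicious(log_text):
    """Return (client_id, reasons) for each request matching at least one rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = reasons_for(rec)
        if reasons:
            hits.append((rec["client_id"], reasons))
    return hits
```

Legitimate silent SSO (app-111) passes because it succeeds and lands on an allow-listed host; only the failing prompt=none request to an unknown host is reported.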

Developer supply‑chain & repository attacks

  • Multi‑stage supply‑chain: weaponized GitHub repo (“ShoeVista”) delivered obfuscated Node/Python stagers to retrieve DEV#POPPER RAT and OmniStealer via blockchain transactions—developer creds and wallets targeted. eSentire — DEV#POPPER / OmniStealer
  • Malicious Packagist packages disguised as Laravel utilities contained a persistent PHP RAT connecting to helper[.]leuleu[.]net:2096 (AES‑CTR) and providing remote shell/screen capture—rotate secrets and treat hosts as compromised. Socket — Malicious Packagist packages
  • Code‑extension repo compromise: Trivy/VS Code incident (see AI section) and related supply‑chain injection underscore need for extension vetting and credential rotation. Socket — Trivy OpenVSX AI agent abuse

Crypto theft & browser/extension/installer scams

  • Malicious Chrome extension impersonating imToken redirects users to phishing pages that capture 12/24‑word seed phrases and private keys. Socket — Fake imToken extension
  • Fake CleanMyMac site tricks macOS users into running a loader that installs SHub Stealer, backdoors Electron wallet apps and exfiltrates Keychain/browser/wallet data. Malwarebytes — Fake CleanMyMac / SHub
  • BoryptGrab stealer: deceptive GitHub pages and staged download chains steal browser wallets, tokens and screenshots and drop backdoors like TunnesshClient/Vidar. Trend Micro — BoryptGrab stealer
  • Lookalike FileZilla site distributes trojanized portable FileZilla with malicious version.dll (DLL search‑order hijack) to steal saved FTP credentials; includes DoH and C2 IOCs. Malwarebytes — Fake FileZilla trojan
  • Linux X11 clipboard hijacker ClipXDaemon autonomously swaps crypto addresses (ChaCha20 rules), persists under ~/.local/bin and operates without network C2. Cyble — ClipXDaemon

RATs, stealers & multi‑stage campaigns

  • VioletRAT variant (Italy): memory‑carved payload with Pastebin bootstrap, encrypted TCP C2, remote shell, RDP/credential theft and mixed version markers indicating code reuse. CERT‑AGID — VioletRAT analysis
  • Multi‑stage Agent Tesla campaign: spearphishing → obfuscated JScript loader → encrypted PowerShell stages and reflective .NET loading to harvest cookies/credentials. Fortinet — Agent Tesla deep dive
  • Email RAR campaign delivering in‑memory VIP_Keylogger via steganography/AES and process hollowing; detailed kill‑chains and IOCs. K7Labs — MAAS VIP_Keylogger
  • WsgiDAV multi‑stage phishing chain: .url → WebDAV download → .wsh/.js/.bat loaders → explorer.exe injection; Pastebin C2 config and XWorm links. CERT‑AGID — WsgiDAV multi‑stage campaign

Nation‑state APT activity

  • Silver Dragon (China‑nexus): targeted government/high‑profile orgs in SEA and Europe using exploited servers, phishing → Cobalt Strike; custom tools include GearDoor (Google Drive C2), BamboLoader and DNS tunneling. Check Point — Silver Dragon
  • Seedworm (Iran‑nexus): active on multiple U.S. networks deploying novel backdoors (Dindoor in Deno, Python Fakeset), signed binaries, Rclone exfiltration to cloud storage. Security.com — Seedworm activity
  • Dust Specter: Iran‑nexus actor targeting Iraqi officials with social engineering and undocumented .NET tools (SPLITDROP, TWINTASK, GHOSTFORM); infra uses randomized C2 URIs and signs of generative AI. Zscaler — Dust Specter
  • Long‑dwell China‑communicating cluster CL‑UNK‑1068 targeted high‑value sectors since 2020 using web shells, FRP tunneling, DLL side‑loading and credential theft (GodZilla, AntSword, Xnote). Unit42 — CL‑UNK‑1068 investigation
  • APT41: dual espionage/financial‑crime nexus leveraging rapid weaponization and living‑off‑the‑land tradecraft; tied to TOUGHPROGRESS and wide exploit usage. Socradar — APT41 profile

Vulnerabilities, exploitation chains & patching

Linux rootkits & persistence

  • Rootkit taxonomy and hooking tradecraft: evolution from userland SO hooks → LKMs → eBPF → io_uring techniques; persistence/privilege escalation patterns and detection challenges. Elastic — Hooked on Linux (rootkit taxonomy)

Disinformation & influence infrastructure

  • Doppelgänger / RRN ecosystem: cloud‑native, professionally managed disinformation infrastructure using brand impersonation, automated domain generation, CDN fronting and resilient registrar/TLD diversification across Europe and the U.S. DomainTools — Doppelgänger / RRN ecosystem

Trends & sector reports

Threat Research | Weekly Recap – hendryadrian.com