Signed malware impersonating workplace apps deploys RMM backdoors

Multiple phishing campaigns were identified using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware. The attacks used digitally signed executables masquerading as legitimate software to install remote monitoring and management (RMM) tools like ScreenConnect, Tactical RMM, and Mesh Agent. These tools enabled attackers to establish persistence and move laterally within compromised environments. The malware was signed using an Extended Validation certificate issued to TrustConnect Software PTY LTD. The campaigns demonstrate how familiar branding and trusted digital signatures can be exploited to bypass user suspicion and gain an initial foothold in enterprise networks.

Pulse ID: 69a77ace20faf9114cbb120b
Pulse Link: https://otx.alienvault.com/pulse/69a77ace20faf9114cbb120b
Pulse Author: AlienVault
Created: 2026-03-04 00:20:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Rust #ScreenConnect #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Silver Dragon Targets Organizations in Southeast Asia and Europe

Check Point Research has identified a Chinese-nexus advanced persistent threat group named Silver Dragon, targeting organizations in Southeast Asia and Europe since mid-2024. The group, likely operating under APT41, exploits public-facing servers and uses phishing emails for initial access. They deploy custom tools including GearDoor, a backdoor using Google Drive for command and control, SSHcmd for remote access, and SilverScreen for covert screen monitoring. Silver Dragon primarily focuses on government entities, utilizing Cobalt Strike beacons and DNS tunneling for communication. The group's sophisticated tactics and evolving toolkit demonstrate a well-resourced and adaptable threat actor.

Pulse ID: 69a73e8545dc6a32312482a1
Pulse Link: https://otx.alienvault.com/pulse/69a73e8545dc6a32312482a1
Pulse Author: AlienVault
Created: 2026-03-03 20:03:17

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #BackDoor #CheckPoint #Chinese #CobaltStrike #CyberSecurity #DNS #Email #Europe #Google #Government #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #RAT #RCE #SSH #bot #AlienVault


Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT

A remote access trojan (RAT) has been discovered in multiple Packagist packages published by the threat actor nhattuanbl. The malicious packages, disguised as Laravel utilities, install an encrypted PHP RAT via Composer dependencies. The payload connects to a C2 server, sends system reconnaissance data, and awaits commands, granting full remote access to the host. The RAT uses obfuscation techniques to resist analysis and employs a self-launch mechanism. It communicates with the C2 server using encrypted JSON messages and supports various commands for system control and data exfiltration. The attack vector leverages dependency chains, with clean-looking packages pulling in malicious ones. Affected systems should be treated as compromised, with recommendations provided for mitigation and prevention.

Pulse ID: 69a80fbbdd6d5ec66e2a4a06
Pulse Link: https://otx.alienvault.com/pulse/69a80fbbdd6d5ec66e2a4a06
Pulse Author: AlienVault
Created: 2026-03-04 10:55:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #InfoSec #OTX #OpenThreatExchange #PHP #RAT #RemoteAccessTrojan #Trojan #bot #AlienVault


Funnull Resurfaces: Exposing RingH23 Arsenal and MacCMS Supply Chain Attacks

The report details the resurgence of the Funnull cybercriminal group, now utilizing a new arsenal called RingH23. It exposes their tactics, including compromising GoEdge CDN nodes, poisoning the MacCMS supply chain, and deploying sophisticated malware components like Badredis2s, Badnginx2s, and Badhide2s. The group has expanded its operations to inject malicious JavaScript, hijack cryptocurrency transactions, and redirect traffic to fraudulent sites. The campaign's impact is estimated to affect millions of users daily. The report also highlights Funnull's use of a suspicious new CDN infrastructure, CDN1.AI, likely created to evade detection.

Pulse ID: 69a5cb4a6a4e3817035f5326
Pulse Link: https://otx.alienvault.com/pulse/69a5cb4a6a4e3817035f5326
Pulse Author: AlienVault
Created: 2026-03-02 17:39:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CDN #CyberSecurity #Edge #ICS #InfoSec #Java #JavaScript #Mac #Malware #Nginx #OTX #OpenThreatExchange #RAT #Redis #SupplyChain #bot #cryptocurrency #AlienVault


Dust Specter APT Targets Government Officials in Iraq

A suspected Iran-nexus threat actor, dubbed Dust Specter, targeted Iraqi government officials in January 2026. The campaign involved impersonating Iraq's Ministry of Foreign Affairs and using compromised government infrastructure to host malicious payloads. Two attack chains were identified, utilizing previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The malware employed creative evasion techniques, leveraged generative AI for development, and used file-based polling mechanisms for command execution. The campaign also incorporated ClickFix-style attacks and social engineering lures. Attribution to an Iran-nexus group is based on code similarities, victimology, and overlapping tactics with known Iranian APT groups.

Pulse ID: 69a5cc7cdc9811f61e3cde58
Pulse Link: https://otx.alienvault.com/pulse/69a5cc7cdc9811f61e3cde58
Pulse Author: AlienVault
Created: 2026-03-02 17:44:28

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Government #ICS #InfoSec #Iran #Malware #OTX #OpenThreatExchange #RAT #SMS #SocialEngineering #bot #AlienVault


Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran

A significant joint offensive by the US and Israel has triggered a multi-vector retaliatory campaign from Iran, leading to an escalation in cyberattacks. Iran's limited internet connectivity is likely hindering state-aligned threat actors' ability to coordinate sophisticated attacks. Hacktivist groups are targeting perceived adversaries, while other nation-state actors may exploit the situation. Observed activities include phishing campaigns, DDoS attacks, data exfiltration, and wiper attacks. Multiple Iranian state-aligned personas and collectives have claimed responsibility for various disruptive operations. Pro-Russian hacktivist groups have also been active, targeting Israeli systems and infrastructure. The situation remains fluid, and organizations are advised to implement multi-layered defenses and focus on foundational security hygiene.

Pulse ID: 69a68230a0f1fa4ed0ab3ac6
Pulse Link: https://otx.alienvault.com/pulse/69a68230a0f1fa4ed0ab3ac6
Pulse Author: AlienVault
Created: 2026-03-03 06:39:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberAttack #CyberAttacks #CyberSecurity #DDoS #DoS #Hacktivist #InfoSec #Iran #Israel #OTX #OpenThreatExchange #Phishing #RAT #RCE #Russia #bot #AlienVault


SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh

An extensive cyber espionage campaign conducted by SloppyLemming, an India-nexus threat actor, targeted government entities and critical infrastructure in Pakistan and Bangladesh from January 2025 to January 2026. The campaign used two attack vectors: PDF lures with ClickOnce execution chains and macro-enabled Excel documents. It deployed a custom x64 shellcode implant named BurrowShell and a Rust-based keylogger. The attackers extensively abused Cloudflare Workers for C2 and payload delivery, registering 112 domains impersonating government entities. The campaign focused on nuclear, defense, telecommunications, energy, and financial sectors, aligning with regional strategic competition in South Asia.

Pulse ID: 69a6c1d2775c55bd8367e527
Pulse Link: https://otx.alienvault.com/pulse/69a6c1d2775c55bd8367e527
Pulse Author: AlienVault
Created: 2026-03-03 11:11:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #Bangladesh #Cloud #CyberSecurity #Espionage #Excel #Government #India #InfoSec #KeyLogger #Mac #OTX #OpenThreatExchange #PDF #Pakistan #RAT #Rust #ShellCode #SouthAsia #Telecom #Telecommunication #bot #AlienVault


RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command

A malicious SMS spoofing campaign is spreading a fake version of Israel's 'Red Alert' emergency app amid ongoing conflict. The trojanized Android app, disguised as a trusted warning platform, can steal SMS, contacts, and location data while appearing legitimate. The campaign exploits public fear during crises to deploy mobile spyware. The malware uses sophisticated techniques to bypass security checks, including package manager hooking and dynamic payload loading. It mirrors the official app's interface but requests high-risk permissions. The malware continuously tracks GPS coordinates and exfiltrates data to attacker-controlled infrastructure, posing severe strategic and physical security risks. This campaign erodes trust in emergency response systems and could potentially be used for targeted attacks or to optimize missile targeting.

Pulse ID: 69a7014c0919cca0bf0d6d59
Pulse Link: https://otx.alienvault.com/pulse/69a7014c0919cca0bf0d6d59
Pulse Author: AlienVault
Created: 2026-03-03 15:42:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #InfoSec #Israel #Malware #OTX #OpenThreatExchange #RAT #Rust #SMS #SpyWare #Trojan #Troll #bot #AlienVault


Web-Based Indirect Prompt Injection Observed in the Wild: Fooling AI Agents

This article analyzes real-world instances of indirect prompt injection (IDPI) attacks targeting AI agents and large language models integrated into web systems. The researchers identify 22 distinct techniques used by attackers to embed malicious prompts in webpages, including visual concealment, obfuscation, and dynamic execution methods. They categorize attacker intents ranging from low-severity disruptions to critical data destruction attempts. Notable findings include the first observed case of AI-based ad review evasion and attempts at search engine optimization manipulation. The article presents a taxonomy of web-based IDPI attacks and provides insights into attack trends based on telemetry data. The researchers emphasize the need for proactive, web-scale defenses to detect IDPI and distinguish between benign and malicious prompts.

Pulse ID: 69a7014c21a10eb60fac7567
Pulse Link: https://otx.alienvault.com/pulse/69a7014c21a10eb60fac7567
Pulse Author: AlienVault
Created: 2026-03-03 15:42:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #bot #AlienVault


Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

A sophisticated iOS exploit kit named Coruna has been discovered, targeting iPhones running iOS 13.0 to 17.2.1. The kit contains five full iOS exploit chains and 23 exploits, using advanced techniques and mitigation bypasses. Initially used by a surveillance vendor, it was later employed in targeted attacks against Ukrainian users and in broad-scale campaigns by a Chinese financially motivated group. The kit's proliferation suggests an active market for second-hand zero-day exploits. The exploits are well-engineered and documented, with the most advanced using non-public techniques. The final payload, PLASMAGRID, focuses on stealing financial information and cryptocurrency wallet data.

Pulse ID: 69a7014e71ff3fc01a6963ba
Pulse Link: https://otx.alienvault.com/pulse/69a7014e71ff3fc01a6963ba
Pulse Author: AlienVault
Created: 2026-03-03 15:42:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #UK #Ukr #Ukrainian #ZeroDay #bot #cryptocurrency #iOS #AlienVault
