New backdoor targeting Ukrainian entities with possible links to Laundry Bear

A new campaign targeting Ukrainian entities has been identified, attributed to actors linked to Russia. The campaign uses judicial and charity-themed lures to deploy a JavaScript-based backdoor called DRILLAPP, which runs through the Edge browser. This backdoor enables various actions including file manipulation, microphone access, and webcam capture. Two variants of the campaign have been observed, with the second variant introducing additional capabilities. The attackers utilize the browser's capabilities to evade detection and gain access to sensitive resources. The campaign shares tactics with a previously reported Laundry Bear operation, leading to a low-confidence attribution to this group.

Pulse ID: 69b934921c208cec80c35f6c
Pulse Link: https://otx.alienvault.com/pulse/69b934921c208cec80c35f6c
Pulse Author: AlienVault
Created: 2026-03-17 11:01:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #CyberSecurity #Edge #ICS #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #RAT #RCE #Russia #UK #Ukr #Ukrainian #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Middle East Crisis Exploited by Fraudsters: Government Impersonation and Evacuation Scam Infrastructure Identified

The ongoing Middle East crisis has given rise to opportunistic online fraudulent activities. Two main strands have been observed: confirmed government-impersonation fraud and suspicious evacuation-themed websites. Fraudsters are exploiting the confusion and urgency surrounding the crisis to launch phishing campaigns and create deceptive websites. A notable example includes an email impersonating UAE authorities, urging recipients to complete a mandatory emergency registration form. Additionally, several newly registered websites offering evacuation services from Dubai and the Gulf region have emerged, displaying characteristics commonly associated with scams. These sites use crisis-related domain names, employ urgent messaging, lack verifiable operator details, and often request unconventional payment methods. The situation highlights the need for increased vigilance and proactive monitoring of emerging digital threats during geopolitical crises.

Pulse ID: 69b14da851c481eb34355935
Pulse Link: https://otx.alienvault.com/pulse/69b14da851c481eb34355935
Pulse Author: AlienVault
Created: 2026-03-11 11:10:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Government #ICS #InfoSec #MiddleEast #OTX #OpenThreatExchange #Phishing #RAT #UAE #bot #AlienVault

Boggy Serpens Threat Assessment

The Iranian threat group Boggy Serpens, linked to the Ministry of Intelligence and Security, has refined its cyberespionage tactics to focus on trusted relationship compromises and multi-wave targeting of strategic organizations. The group combines social engineering with AI-enhanced malware for long-term persistence, primarily targeting diplomatic and critical infrastructure sectors. Recent campaigns show increased technological capabilities, including AI-generated code and Rust-based tools. Boggy Serpens exploits hijacked accounts to bypass security measures and employs a secondary social engineering prompt to deliver malware. The group's determination is exemplified by a sustained four-wave campaign against a UAE marine and energy company, demonstrating its focus on infiltrating regional maritime infrastructure.

Pulse ID: 69b91b4202446dd5143da7c3
Pulse Link: https://otx.alienvault.com/pulse/69b91b4202446dd5143da7c3
Pulse Author: AlienVault
Created: 2026-03-17 09:13:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Cyberespionage #Espionage #ICS #InfoSec #Iran #Malware #OTX #OpenThreatExchange #RAT #Rust #SocialEngineering #UAE #bot #AlienVault

COVERT RAT: Phishing Campaign

A sophisticated multi-stage infection chain targets Argentina's judicial ecosystem using spear-phishing tactics and authentic-looking judicial content. The campaign employs a carefully crafted ZIP archive containing a weaponized LNK shortcut, BAT-based loader script, and judicial-themed PDF decoy. The attack chain leads to the deployment of a Rust-based Remote Access Trojan (RAT) that demonstrates extensive anti-VM, anti-sandbox, and anti-debugging techniques. The RAT establishes a resilient command-and-control channel, supports modular commands for various malicious activities, and implements full lifecycle management. The operation, dubbed 'Operation Covert Access,' aims to secure long-term access within high-trust institutional settings, highlighting the need for improved defenses against socially engineered intrusion chains.

Pulse ID: 69b821c38b5e35d90728323e
Pulse Link: https://otx.alienvault.com/pulse/69b821c38b5e35d90728323e
Pulse Author: AlienVault
Created: 2026-03-16 15:29:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #RemoteAccessTrojan #Rust #SpearPhishing #Trojan #ZIP #bot #AlienVault

Phishers hide scam links with IPv6 trick in 'free toothbrush' emails

A recurring phishing scheme impersonates United Healthcare, offering a free Oral-B toothbrush as bait. The scammers have evolved their tactics, now using IPv6-mapped IPv4 addresses to obfuscate links in emails. This technique makes the IP addresses appear confusing while remaining valid and routable. The phishing emails direct victims to fast-rotating landing pages, likely aiming to collect personal information and card data under the guise of confirming eligibility or paying for shipping. The article provides technical details on how the IPv6 trick works and offers advice on staying safe, including steps to take if personal information has been compromised.

Pulse ID: 69b7da2d8e7e63b7e768049a
Pulse Link: https://otx.alienvault.com/pulse/69b7da2d8e7e63b7e768049a
Pulse Author: AlienVault
Created: 2026-03-16 10:23:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Healthcare #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #bot #AlienVault

"Handala Hack" - Unveiling Group's Modus Operandi

Handala Hack, an online persona operated by Void Manticore, is affiliated with Iranian intelligence services. The group, known for destructive wiping attacks and hack-and-leak operations, has targeted organizations in Israel, Albania, and the US. Their tactics include supply chain attacks, credential theft, and manual intrusions. The group deploys multiple wiping methods simultaneously, including custom malware, PowerShell scripts, and disk encryption. Recent activities show expanded targeting and some new techniques, such as using NetBird for tunneling and AI-assisted wiping scripts. Despite some operational security lapses, Handala continues to pose a significant threat, primarily through hands-on, opportunistic attacks.

Pulse ID: 69b7da4d225961fe7c1f3907
Pulse Link: https://otx.alienvault.com/pulse/69b7da4d225961fe7c1f3907
Pulse Author: AlienVault
Created: 2026-03-16 10:24:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Albania #CyberSecurity #Encryption #ICS #InfoSec #Iran #Israel #Malware #OTX #OpenThreatExchange #PowerShell #RAT #SupplyChain #bot #AlienVault

China-nexus Threat Actor Targets Persian Gulf Region With PlugX

A China-nexus threat actor targeted countries in the Persian Gulf region using a multi-stage attack chain to deploy a PlugX backdoor variant. The campaign exploited the renewed Middle East conflict, using an Arabic-language document lure depicting missile attacks. The attack utilized a ZIP archive containing a malicious Windows shortcut file, which downloaded a CHM file leading to the deployment of PlugX. The malware employed various obfuscation techniques, including control flow flattening and mixed boolean arithmetic. The PlugX variant supported HTTPS for command-and-control communication and DNS-over-HTTPS for domain resolution. Based on the tools and tactics used, the activity is attributed to a China-nexus actor, possibly linked to Mustang Panda.

Pulse ID: 69b7dacde783e4b5dec19bde
Pulse Link: https://otx.alienvault.com/pulse/69b7dacde783e4b5dec19bde
Pulse Author: AlienVault
Created: 2026-03-16 10:26:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Arabic #BackDoor #China #CyberSecurity #DNS #HTTP #HTTPS #ICS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #PlugX #Windows #ZIP #bot #AlienVault

Data Exfiltration and Threat Actor Infrastructure Exposed

Huntress SOC analysts have uncovered sophisticated data exfiltration techniques employed by threat actors. The analysis reveals the use of various tools for data staging, including WinZip, 7Zip, and Windows' native tar.exe. Exfiltration methods observed include the use of finger.exe and backup utilities like restic, BackBlaze, and s5cmd. A specific incident on February 25, 2026, involved INC ransomware deployment, with the threat actor using PSEXEC for privilege escalation and creating a scheduled task to run a malicious PowerShell script. The actor utilized the Restic backup utility, renamed as winupdate.exe, to exfiltrate data. Similar tactics were observed in a previous incident on February 9, suggesting a pattern in the threat actor's methodology.

Pulse ID: 69b3f245c5cf9fd0fee7a16a
Pulse Link: https://otx.alienvault.com/pulse/69b3f245c5cf9fd0fee7a16a
Pulse Author: AlienVault
Created: 2026-03-13 11:17:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #CyberSecurity #ICS #InfoSec #OTX #OpenThreatExchange #PowerShell #PsExec #RAT #RansomWare #Windows #ZIP #bot #AlienVault

Iran conflict drives heightened espionage activity against Middle East targets

The ongoing conflict involving Iran has led to increased cyber espionage activities targeting Middle Eastern governments. Multiple state-sponsored threat actors, including those from China, Belarus, Pakistan, and Hamas, have been observed conducting campaigns using the conflict as a lure. These actors are employing various tactics such as credential phishing, malware delivery, and compromised accounts to target government and diplomatic organizations. The campaigns often use war-themed content to engage targets and gather intelligence on the conflict's trajectory and geopolitical implications. Iranian threat actors continue their traditional espionage efforts alongside disruptive campaigns in support of war efforts. This heightened activity reflects both opportunistic use of topical lures and shifts in intelligence collection priorities for various state-aligned groups.

Pulse ID: 69b18928a9cb5b794dd0e2cb
Pulse Link: https://otx.alienvault.com/pulse/69b18928a9cb5b794dd0e2cb
Pulse Author: AlienVault
Created: 2026-03-11 15:24:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Belarus #China #CyberSecurity #Espionage #Government #Hamas #ICS #InfoSec #Iran #Malware #MiddleEast #OTX #OpenThreatExchange #Pakistan #Phishing #bot #AlienVault

24 hours until the CfP for "Security BSides Knoxville 2026" closes: https://papercall.io/cfps/6517/submissions/new

#cfp #conference #Offensive security #Defensive security #Application security #Intelligence #Malware #Exploit development #Social engineering #Security management #Grc #Ciso #Dfir #Soc #Osint #Breaking into industry #Physical pen testing #Body hacking #Red team #Blue team #Human factors #Hardware #Soft skills #Management #Appsec #Ics/scada

PaperCall.io