Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine

Pulse ID: 69bb260932564fa54536f69f
Pulse Link: https://otx.alienvault.com/pulse/69bb260932564fa54536f69f
Pulse Author: Tr1sa111
Created: 2026-03-18 22:24:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APT28 #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #UK #Ukr #Ukraine #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites.

Pulse ID: 69bac861fe18a3b724f976fe
Pulse Link: https://otx.alienvault.com/pulse/69bac861fe18a3b724f976fe
Pulse Author: AlienVault
Created: 2026-03-18 15:44:33

#CyberSecurity #Espionage #Google #InfoSec #Malware #OTX #OpenThreatExchange #RAT #Russia #SaudiArabia #Turkey #UK #Ukr #Ukraine #Ukrainian #Word #ZeroDay #bot #iOS #AlienVault

Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine

An exposed open directory revealed a comprehensive Roundcube exploitation toolkit used by APT28 to target Ukrainian government entities. The toolkit includes XSS payloads, a Flask-based C2 server, CSS injection tools, and a Go-based implant. It enables credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction. The primary target was identified as mail.dmsu.gov.ua, Ukraine's State Migration Service. Technical analysis shows significant overlaps with previously documented APT28 operations, while introducing new capabilities such as CSS-based side-channel attacks and browser credential theft. The toolkit's modular approach and sophisticated evasion techniques demonstrate APT28's evolving tactics in compromising webmail platforms for long-term intelligence gathering.

Pulse ID: 69ba83b93cb449af00474243
Pulse Link: https://otx.alienvault.com/pulse/69ba83b93cb449af00474243
Pulse Author: AlienVault
Created: 2026-03-18 10:51:37

#2FA #APT28 #Browser #CredentialHarvesting #CyberSecurity #Email #Government #ICS #InfoSec #OTX #OpenThreatExchange #RAT #UK #Ukr #Ukraine #Ukrainian #Webmail #XSS #bot #AlienVault

New backdoor targeting Ukrainian entities with possible links to Laundry Bear

Pulse ID: 69b9c8443f453e548185d895
Pulse Link: https://otx.alienvault.com/pulse/69b9c8443f453e548185d895
Pulse Author: Tr1sa111
Created: 2026-03-17 21:31:48

#BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #UK #Ukr #Ukrainian #bot #Tr1sa111

Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government

Pulse ID: 69b9c8896a5079f403559eca
Pulse Link: https://otx.alienvault.com/pulse/69b9c8896a5079f403559eca
Pulse Author: Tr1sa111
Created: 2026-03-17 21:32:57

#CyberSecurity #Government #InfoSec #OTX #OpenThreatExchange #RAT #Russia #UK #Ukr #Ukraine #XSS #Zimbra #bot #Tr1sa111

Operation GhostMail: Russian APT Exploits Zimbra XSS to Target Ukraine Government

A sophisticated phishing campaign targeting a Ukrainian government agency exploits a cross-site scripting vulnerability in Zimbra Collaboration Suite. The attack, attributed to a Russian APT group, uses a seemingly innocuous internship inquiry email to deliver a malicious JavaScript payload. When opened in a vulnerable Zimbra webmail session, the script silently executes, harvesting credentials, session tokens, 2FA codes, and mailbox contents. The multi-stage attack employs obfuscation techniques, SOAP API abuse, and dual-channel exfiltration via DNS and HTTPS. The campaign demonstrates the evolution of webmail-focused intrusions, relying on browser-resident stealers rather than traditional malware binaries.

Pulse ID: 69b975d80c8af764ef55c18f
Pulse Link: https://otx.alienvault.com/pulse/69b975d80c8af764ef55c18f
Pulse Author: AlienVault
Created: 2026-03-17 15:40:08

#2FA #Browser #CyberSecurity #DNS #Email #Government #HTTP #HTTPS #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #Phishing #RAT #Russia #UK #Ukr #Ukraine #Ukrainian #Vulnerability #Webmail #XSS #Zimbra #bot #AlienVault

New backdoor targeting Ukrainian entities with possible links to Laundry Bear

A new campaign targeting Ukrainian entities has been identified, attributed to actors linked to Russia. The campaign uses judicial and charity-themed lures to deploy a JavaScript-based backdoor called DRILLAPP, which runs through the Edge browser. This backdoor enables various actions including file manipulation, microphone access, and webcam capture. Two variants of the campaign have been observed, with the second variant introducing additional capabilities. The attackers utilize the browser's capabilities to evade detection and gain access to sensitive resources. The campaign shares tactics with a previously reported Laundry Bear operation, leading to a low-confidence attribution to this group.

Pulse ID: 69b934921c208cec80c35f6c
Pulse Link: https://otx.alienvault.com/pulse/69b934921c208cec80c35f6c
Pulse Author: AlienVault
Created: 2026-03-17 11:01:38

#BackDoor #Browser #CyberSecurity #Edge #ICS #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #RAT #RCE #Russia #UK #Ukr #Ukrainian #bot #AlienVault

Operation CamelClone: Multi-Region Espionage Campaign Targets Government and Defense Entities Amidst Regional Tensions

Operation CamelClone is a multi-region espionage campaign targeting government and defense entities in Algeria, Mongolia, Ukraine, and Kuwait. The attackers use spear-phishing emails with malicious ZIP archives containing lure documents and shortcuts. The infection chain involves a JavaScript loader called HOPPINGANT, which downloads additional payloads from public file-sharing websites. The campaign abuses legitimate tools like Rclone for data exfiltration to MEGA cloud storage. Targeting patterns suggest intelligence gathering objectives, focusing on foreign policy, defense capabilities, and diplomatic alignments of countries navigating major-power rivalries. The operation's use of public services for payload hosting and data exfiltration makes network-based detection challenging.

Pulse ID: 69b7db1d163d9323dbb20827
Pulse Link: https://otx.alienvault.com/pulse/69b7db1d163d9323dbb20827
Pulse Author: AlienVault
Created: 2026-03-16 10:27:41

#Cloud #CyberSecurity #Email #Espionage #FileSharing #Government #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #Phishing #RAT #Rclone #SpearPhishing #UK #Ukr #Ukraine #ZIP #bot #AlienVault

#news ⚡ Bamf: Almost 350,000 Ukrainians aged between 18 and 63 in Germany: While the war in Ukraine continues, the number of Ukrainian men aged between 18 and 63 in Germany has ... https://hubu.de/?p=318259 | #bamf #deutschland #jahren #ukr
Bamf: Almost 350,000 Ukrainians aged between 18 and 63 in Germany - Hubu.de - News & FreeMail

While the war in Ukraine continues, the number of Ukrainian men aged between 18 and 63 in Germany has risen significantly within one year. According to data from the Central Register of Foreigners (AZR), which the Federal Office for Migration and Refugees (Bamf) provided to the "Welt am Sonntag", 1,340,362 persons who had entered Germany in connection with the war in Ukraine were in the country as of the reference date of 9 March 2026.

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

A sophisticated iOS exploit kit named Coruna has been discovered, targeting iPhones running iOS 13.0 to 17.2.1. The kit contains five full iOS exploit chains and 23 exploits, using advanced techniques and mitigation bypasses. Initially used by a surveillance vendor, it was later employed in targeted attacks against Ukrainian users and broad-scale campaigns by a Chinese financially motivated group. The kit's proliferation suggests an active market for second-hand zero-day exploits. The exploits are well-engineered and documented, with the most advanced using non-public techniques. The ending payload, PLASMAGRID, focuses on stealing financial information and cryptocurrency wallet data.

Pulse ID: 69a7014e71ff3fc01a6963ba
Pulse Link: https://otx.alienvault.com/pulse/69a7014e71ff3fc01a6963ba
Pulse Author: AlienVault
Created: 2026-03-03 15:42:06

#Chinese #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #UK #Ukr #Ukrainian #ZeroDay #bot #cryptocurrency #iOS #AlienVault