Threat Insight

Proofpoint's insights on targeted attacks & the security landscape.
Threat Insight Blogs: https://www.proofpoint.com/us/blog/threat-insight
Threat Insight on X: https://twitter.com/threatinsight

A cargo threat actor’s playbook: revealed. 📖 Proofpoint researchers baited a logistics/transportation industry threat actor into performing its malicious activities in a decoy environment operated by Deception.Pro for over 30 days. 🚚

In a new blog, our team of experts shared their observations, complete with rare, extended visibility into post‑compromise operations, tooling, and decision‑making.

Activities the threat actor performed:

• Delivered malicious payloads via email
• Established persistence with multiple RMM tools
• Used a previously unknown malware signing-as-a-service capability
• Interacted hands-on-keyboard to access PayPal
• Executed 13 PowerShell scripts to understand targets' financial value

Cargo theft leads to $34 billion in losses annually. These findings offer never-before-seen insight into how financially motivated threat actors operate well beyond initial access.

Read the full blog here: https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook?utm_source=twitter&utm_medium=social_organic

Proofpoint's latest Discarded podcast episode explores the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden.

Featured guest Stuart Del Caliz expertly blends his deep insights on signature development, PCAP analysis, and countering espionage tools with real-world analogies (think speakeasy knocks and undercover “internet cops”).

🎙️ Stream now on your favorite platform!
Apple Podcasts: https://podcasts.apple.com/us/podcast/magic-packets-stealth-backdoors-the-art-of/id1612506550?i=1000761262723
Spotify: https://open.spotify.com/episode/1dNtdbqLKFCiQIwNRJ4xB4?si=d351c6bd514b4128
Web player: https://www.proofpoint.com/us/podcasts/discarded#146156?utm_source=linkedin&utm_medium=social_organic

Have you checked your mailbox rules lately? Our cloud threat researchers found that approximately 10% of compromised accounts in Q4-2025 had malicious mailbox rules created by threat actors shortly after initial access.

This is a prime example of how adversaries can abuse legitimate platform features that Microsoft users rely on every day.

Combined with third-party services and domain spoofing, this post-exploitation tactic can lead to:

• Hijacked email threads
• Impersonation
• Manipulated vendor communication

…all without network interception.

See our blog for details and example scenarios: https://www.proofpoint.com/us/blog/threat-insight/mailbox-rules-o365-post-exploitation-tactic-cloud-ato?utm_source=twitter&utm_medium=social_organic
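Added example (not code from the post or from Proofpoint): a triage routine over a mailbox's inbox rules that flags the traits the post associates with rules created after account takeover, such as external forwarding, deletion, hiding mail in rarely viewed folders, and creation shortly after a risky sign-in. The rule shape, folder list, keyword list and time window are assumptions, and the sample rules are constructed.

```python
# Added example (constructed data), not from the post: triage inbox rules for the traits that
# make post-compromise rules stand out. Rule shape, folder/keyword lists and window are assumed.
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # the organisation's own mail domain (assumed)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items"}
SENSITIVE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "helpdesk", "security"}
RECENT_HOURS = 24  # a rule created this soon after a risky sign-in is treated as suspicious

@dataclass
class InboxRule:
    name: str
    forward_to: list = field(default_factory=list)   # addresses the rule forwards or redirects to
    move_to_folder: str = ""                          # "" when the rule does not move mail
    delete: bool = False
    subject_contains: list = field(default_factory=list)
    hours_after_risky_signin: float = float("inf")    # inf when no risky sign-in is on record

def triage_rule(rule):
    """Return the reasons a rule looks malicious; an empty list means nothing was flagged."""
    reasons = []
    for addr in rule.forward_to:
        if addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
            reasons.append(f"forwards mail to external address {addr}")
    if rule.delete:
        reasons.append("deletes matching messages")
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves messages into rarely viewed folder '{rule.move_to_folder}'")
    hits = sorted(k for k in rule.subject_contains if k.lower() in SENSITIVE_KEYWORDS)
    if hits:
        reasons.append(f"filters on sensitive subject keywords {hits}")
    if len(rule.name.strip()) <= 1:
        reasons.append("near-empty rule name, a common tell for rules an intruder created in a hurry")
    if rule.hours_after_risky_signin <= RECENT_HOURS:
        reasons.append(f"created within {RECENT_HOURS}h of a risky sign-in")
    return reasons

def triage_mailbox(rules):
    """Return (rule name, reasons) for every flagged rule, most reasons first."""
    flagged = [(r.name, triage_rule(r)) for r in rules]
    return sorted([f for f in flagged if f[1]], key=lambda f: -len(f[1]))

# Constructed rules: one benign, two in the style of rules created after account takeover.
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="Reading", subject_contains=["digest"]),
    InboxRule(".", forward_to=["collector@attacker.example"], delete=True,
              subject_contains=["invoice", "payment"], hours_after_risky_signin=2.0),
    InboxRule("IT", move_to_folder="RSS Feeds", subject_contains=["password", "MFA"],
              hours_after_risky_signin=40.0),
]
```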

The China-aligned espionage actor TA416 (RedDelta, Vertigo Panda, Red Lich) has been observed targeting European and Middle Eastern governments, a sign of how its priorities are likely influenced by geopolitical flashpoints and escalations.

It is a shift following two years of focus on Southeast Asia and Mongolia, with recent campaigns most heavily targeting individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU.

Our threat research blog has the details. https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionag

Monetary concerns + federal deadlines + abundance of “time-sensitive” email advertisements. Tax season is a recipe for #cybercrime. Our researchers have seen hundreds of malicious tax-themed campaigns this year.

Read the threat brief: https://brnw.ch/21x1bsI

🚨 New tactics and activity: An increase in RMM payloads, activity from newly identified threat actors, and a broader variety of social engineering lures.

👉 Same end goal: To trick your users into clicking malicious links, downloading infected files, or sharing sensitive information.

See our team’s blog for campaign examples targeting organizations in the U.S., as well as Canada, Australia, Switzerland, and Japan, among others.

While #taxseason is a popular time for these types of lures, financial-themed campaigns are effective year-round. Proofpoint recommends organizations educate users about these scams and encourage them to stay vigilant. ⚠️

Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices. TA446 does not overlap with UNC6353.

On March 26, 2026, Proofpoint observed many compromised senders spoofing the Atlantic Council in a campaign that we attribute to TA446 (Callisto, COLDRIVER, Star Blizzard, which is linked to Russia’s FSB Centre 18). The volume of emails from TA446 has been significantly higher over the last 2 weeks compared to normal operational tempo, delivering the MAYBEROBOT backdoor via password-protected ZIP files. The activity on March 26 was a similar spike, but with links instead of attachments. Proofpoint's automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering to only redirect iPhone browsers to the exploit kit.

New reports on TA446 using the DarkSword iOS exploit kit were intriguing. The DarkSword iOS exploit kit was recently published on GitHub, but Proofpoint had not yet observed it in use in the wild. A DarkSword loader uploaded to VirusTotal (MD5: 5fa967dbef026679212f1a6ffa68d575) referenced escofiringbijou[.]com, a TA446 second-stage domain independently observed by Proofpoint, corroborating the group's use of DarkSword.

A submission on URLScan (https://urlscan.io/result/019d2c02-e06f-773f-a7a8-72516045f0da/#transactions) confirmed that the TA446-controlled domain was serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed.

Related compromised first stage domains also include motorbeylimited[.]com and bridetvstreaming[.]org. Only the activity from March 26 spoofing Atlantic Council has been linked to DarkSword usage; previous TA446 activity shows no indication of exploit use.

Proofpoint did not directly observe the iOS exploit kit delivery but believes the actor has adopted the exploit kit for the purposes of credential harvesting and intelligence collection. The targeting Proofpoint observed in the email campaigns was much wider than usual and included government, think tank, higher education, financial, and legal entities, indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set. This is a notable adoption, as Proofpoint has not previously observed TA446 targeting iOS devices.

Proofpoint researchers identified a targeted campaign against operations personnel at energy firms linked to projects in Pakistan.

We track the activity as UNK_VaporVibes.

The messages were sent on 18 March 2026, and mimicked invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC).

The actor used compromised accounts from a Pakistani university and a government organization to deliver PDF attachments with a fake Adobe Reader prompt.

The notable part came after the click. The PDF link used the “microsoft-edge:” URI scheme before redirecting to a Cloudflare Workers-hosted (*[.]adobe-org[.]workers[.]dev) ClickOnce application resource.

We assess that the Edge scheme handoff was likely intended to direct victims into the browser path that supports the next stage.

This is consistent with UNK_VaporVibes’ repeated use of ClickOnce-focused delivery.

The redirect chain was also wrapped in geofencing and browser fingerprinting, limiting access to intended targets. That likely reduced the exposure to automated analysis while keeping the delivery path tightly scoped.

The ClickOnce execution chain leads to the Havoc Demon C2 framework (https://github.com/HavocFramework/Havoc), an open-source post-exploitation tool.

The targeting, the PEEC-themed PDF lure, Edge redirection, and ClickOnce staging align with prior UNK_VaporVibes activity and show overlaps with activity publicly associated with SloppyLemming (https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/).

Indicators of compromise:

7487abe753e73070612c6e8573af9d58791389813a5b54ddcf740f1391e2cd20 (Adobe.application)
Demon C2 host: soc[.]pkcrt-0ea[.]workers[.]dev

Suricata rule to detect the Microsoft Edge redirect:
2068325 - ET HUNTING 302 Redirect to Microsoft Edge Browser
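Added example, not code from the post or from the Suricata rule it cites: a log scanner that flags 3xx responses whose Location header hands the session to the microsoft-edge: scheme, and raises the severity when the inner target is a ClickOnce resource hosted on workers.dev, as in the chain above. The proxy log format and its records are constructed.

```python
# Added example (constructed data), not from the post or the Suricata rule it cites: flag 3xx
# responses whose Location hands the session to the "microsoft-edge:" URI scheme, and raise the
# severity when the inner target is a ClickOnce resource hosted on Cloudflare Workers.
from urllib.parse import urlparse

EDGE_SCHEME = "microsoft-edge:"
CLICKONCE_SUFFIXES = (".application", ".manifest")  # ClickOnce deployment/application manifests
SERVERLESS_SUFFIXES = (".workers.dev",)             # hosting used in this campaign; extend as needed

# Constructed proxy records: "<client_ip> <status> <requested_url> <Location header or ->".
SAMPLE_LOG = """\
10.0.0.5 302 https://peec-invite.example/open microsoft-edge:https://pdf.adobe-org.workers.dev/Adobe.application
10.0.0.7 301 http://www.example.com/ https://www.example.com/
10.0.0.9 302 https://portal.example.net/go microsoft-edge:https://intranet.example.net/docs/
10.0.0.9 200 https://intranet.example.net/docs/ -
"""

def parse_record(line):
    """Split one constructed log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    client, status, url, location = parts
    return {"client": client, "status": int(status), "url": url, "location": location}

def classify_edge_redirect(status, location):
    """Return alert details when a 3xx Location uses the microsoft-edge: scheme, else None."""
    if not (300 <= status < 400) or not location.lower().startswith(EDGE_SCHEME):
        return None
    inner = location[len(EDGE_SCHEME):]  # the URL Edge is told to open
    parsed = urlparse(inner)
    host = (parsed.hostname or "").lower()
    reasons = ["3xx redirect forces the request into Microsoft Edge via the microsoft-edge: scheme"]
    if host.endswith(SERVERLESS_SUFFIXES):
        reasons.append(f"target is hosted on a serverless platform ({host})")
    if parsed.path.lower().endswith(CLICKONCE_SUFFIXES):
        reasons.append(f"target is a ClickOnce resource ({parsed.path.rsplit('/', 1)[-1]})")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"inner_url": inner, "host": host, "severity": severity, "reasons": reasons}

def scan_log(text):
    """Run the classifier over every parseable record and return the alerts in log order."""
    alerts = []
    for rec in filter(None, map(parse_record, text.splitlines())):
        hit = classify_edge_redirect(rec["status"], rec["location"])
        if hit:
            alerts.append({"client": rec["client"], "redirecting_url": rec["url"], **hit})
    return alerts
```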

The cloud threat research team at Proofpoint has discovered an account takeover campaign targeting around 40,000 users. Malicious activity has been recorded as early as Feb. 2nd, with a surge on Feb. 10th and a peak on Feb. 12th.

For a large number of users, the attacker initially attempted to log in with the correct credentials, although in most cases, conditional access policies and MFA denied access. This suggests the attacker relied, at least in part, on stolen or leaked credentials.

Malicious login attempts correlated to this campaign seem to originate from an outdated Google Chrome browser, namely version 72, initially released in January 2019. Nowadays, this specific user agent is rarely observed in legitimate activity.

Login attempts correlated to this campaign originated from more than 200 distinct domains, most of which are commercial VPN providers and Tor exit nodes.

Moreover, this campaign solely targets the Microsoft Office 365 Portal.

IoCs:

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36

Application ID: 00000006-0000-0ff1-ce00-000000000000 (Microsoft Office 365 Portal)
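Added example (constructed data, not Proofpoint tooling) that turns the two IoCs above into a hunt over exported sign-in records: it matches a legacy Chrome major version together with the Office 365 Portal application ID, then lists the accounts whose password was evidently correct even where MFA or conditional access blocked the attempt, since those are the ones to reset. The record field names, the status vocabulary and the version cutoff are assumptions.

```python
# Added example (constructed data): hunt sign-in logs for the Chrome/72 + Office 365 Portal
# pattern from the post. Record field names are an assumption, not a real Entra/Azure AD schema.
import json
import re
from collections import Counter

O365_PORTAL_APP_ID = "00000006-0000-0ff1-ce00-000000000000"  # application ID quoted in the post
CHROME_MAJOR_RE = re.compile(r"Chrome/(\d+)\.")
LEGACY_CHROME_MAJOR = 100  # assumed cutoff: majors below this are years old and rare in real traffic
CREDS_VALID_OUTCOMES = {"success", "blocked_by_mfa"}  # outcomes implying the password was correct (assumed)

CAMPAIGN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"

# Constructed sign-in records, one JSON object per line (what a SIEM export might look like).
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"user": "alice@example.com", "appId": O365_PORTAL_APP_ID, "userAgent": CAMPAIGN_UA, "ip": "203.0.113.10", "status": "blocked_by_mfa"},
    {"user": "bob@example.com", "appId": O365_PORTAL_APP_ID, "userAgent": CAMPAIGN_UA, "ip": "198.51.100.7", "status": "wrong_password"},
    {"user": "carol@example.com", "appId": O365_PORTAL_APP_ID, "userAgent": CAMPAIGN_UA, "ip": "203.0.113.10", "status": "success"},
    {"user": "dave@example.com", "appId": O365_PORTAL_APP_ID, "userAgent": MODERN_UA, "ip": "192.0.2.44", "status": "success"},
    {"user": "erin@example.com", "appId": "11111111-2222-3333-4444-555555555555", "userAgent": CAMPAIGN_UA, "ip": "203.0.113.10", "status": "success"},
])

def chrome_major(user_agent):
    """Return the Chrome major version in a UA string, or None if it is not Chrome."""
    m = CHROME_MAJOR_RE.search(user_agent or "")
    return int(m.group(1)) if m else None

def matches_campaign(record):
    """True when the sign-in targets the Office 365 Portal from a legacy Chrome build."""
    major = chrome_major(record.get("userAgent"))
    return record.get("appId") == O365_PORTAL_APP_ID and major is not None and major < LEGACY_CHROME_MAJOR

def hunt(jsonl_text):
    """Aggregate matching sign-ins; 'reset_users' had a correct password even where MFA/CA blocked them."""
    hits = [r for r in (json.loads(l) for l in jsonl_text.splitlines() if l.strip()) if matches_campaign(r)]
    return {
        "hits": len(hits),
        "source_ips": Counter(r["ip"] for r in hits),
        "outcomes": Counter(r["status"] for r in hits),
        "reset_users": sorted({r["user"] for r in hits if r["status"] in CREDS_VALID_OUTCOMES}),
    }

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_SIGNINS), indent=2))
```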

Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Our new blog shares examples of how the conflict in Iran is accelerating cyber espionage across the Middle East.

🔗: https://brnw.ch/21x0EJ8

Iran-aligned #TA453 ( #CharmingKitten #APT42 ) recently attempted credential phishing against a U.S. think tank, continuing its longstanding intelligence collection efforts. At the same time, multiple state-sponsored actors, including groups suspected to be linked to China, Belarus, Pakistan, and Hamas, are targeting Middle Eastern government entities using conflict-themed lures, often sent from compromised government or diplomatic accounts.

This reflects both opportunistic social engineering and a broader shift in intelligence collection priorities driven by the conflict.

View the full blog to see campaign examples observed by our researchers. We will continue monitoring the landscape and keep our customers and community informed as the situation evolves.

Be sure to catch Daniel's presentation, "Welcome to the Endgame," alongside co-presenter Europol during #RSAC 2026.

🗓️ Wednesday, March 25
🕣 8:30 a.m. - 9:20 a.m.
⭐️ Session code FRP-W01