APT28 is now exploiting a Zimbra XSS bug patched last November in attacks against Ukrainian government entities:

https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/

Added to CISA KEV this week: https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-adds-one-known-exploited-vulnerability-catalog

🔴 A threat isn't much of a threat if it can't reach the right victims. 📦 That's why many modern threat actors rely on cloakers and traffic distribution systems (TDS) to target, route, and hide at scale. In a six‑month joint effort analyzing four months of data with Confiant, we identified 15,500 domains configured to Keitaro instances and actively used in cyber campaigns. Keitaro is a legitimate ad tracker, but it is frequently misused by cybercriminals as an all‑in‑one tracker + TDS + cloaker in scam and malware campaigns. We encounter Keitaro in our investigations nearly every day, and we set out to quantify that abuse in the broader landscape. We're publishing a three‑part series to share what we learned. Part 1 focuses on a subset of actors who leverage AI in their operations, most of whom are tied to investment scams. At the end of the report, you'll find a link to our github repository that contains thousands of related Keitaro iocs.

https://www.infoblox.com/blog/threat-intelligence/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising

I have no idea when Virus Bulletin uploaded our paper - but here it is: our talk from last September at VB2025, where we talked about an APT41-adjacent group started using Google Calendar C2 as part of their espionage operation.

https://www.virusbulletin.com/uploads/pdf/conference/vb2025/slides/Slides-Google-Calendar-as-C2-Infrastructure-A%20-China-nexus-Campaign-with-Stealthy-Tactics.pdf
https://www.virusbulletin.com/uploads/pdf/conference/vb2025/papers/Google-Calendar-as-C2-infrastructure-a-China-nexus-campaign-with-stealthy-tactics.pdf

The cloud threat research team at Proofpoint has discovered an account takeover campaign targeting around 40,000 users. Malicious activity has been recorded as early as Feb. 2nd, with a surge on Feb. 10th and a peak on Feb. 12th.

For a large number of users, the attacker initially attempted to login with the correct credentials, although in most cases, conditional access policies and MFA denied access. This suggests the attacker relied, at least in part, on stolen or leaked credentials.

Malicious login attempts correlated to this campaign seem to originate from an outdated Google Chrome browser, namely version 72, initially released in January 2019. Nowadays, this specific user agent is rarely observed in legitimate activity.

Login attempts correlated to this campaign originated from more than 200 distinct domains, most of which are commercial VPN providers and TOR exit nodes.

Moreover, this campaign solely targets the Microsoft Office 365 Portal.

IoCs:

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36

Application ID: 00000006-0000-0ff1-ce00-000000000000 (Microsoft Office 365 Portal)

New: Group member labels, a way to describe yourself or your role in a group chat, only visible to that group chat.

Label yourself the “Goalie” to your soccer team or “Favorite Child” to your family to stir some drama.

Available on Android, Desktop & iOS
https://signal.org/blog/group-member-labels

Taking Apart iOS Apps: Anti-Debugging and Anti-Tampering in the Wild

https://blog.calif.io/p/taking-apart-ios-apps-anti-debugging

#ios #reverseengineering #antidebug