Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.

This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.

It’s a mix of old problems that never go away and new methods that are harder to detect. There are quiet state-backed activities, exposed data from open directories, growing mobile threats, and a steady stream of zero-days and rushed patches.

Grab a coffee, and at least skim the CVE list. Some of these are the kind you don’t want to discover after the damage is done.

⚡ Threat of the Week

Trivy Vulnerability Scanner Breached in for Supply Chain Attack — Attackers have backdoored the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI/CD workflows. The breach has triggered a cascade of additional supply-chain compromises stemming from impacted projects and organizations not rotating their secrets, resulting in the distribution of a self-propagating worm referred to as CanisterWorm. Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. The Trivy compromise is the latest in a growing pattern of attacks targeting GitHub Actions and developers in general. GitHub changed the default behavior of pull_request_target workflows in December 2025 to reduce the risk of exploitation.

🔔 Top News

• DoJ Takes Down DDoS Botnets — A cluster of IoT botnets behind some of the largest DDoS attacks ever recorded — AISURU, Kimwolf, JackSkid, and Mossad — were wiped as part of a broad law enforcement operation. The botnets largely spread across routers, IP cameras, and digital video recorders that are often shipped with weak credentials and rarely patched. Authorities removed the command-and-control servers used to commandeer the infected nodes. Together, operators of the four botnets had amassed more than 3 million devices, which they then sold access to other criminal hackers, who then used them to target victims with DDoS attacks to knock websites and internet services offline or mask other illicit activity. Some of these DDoS attacks were aimed at U.S. Department of Defense systems and other high-value targets. No arrests were announced, but two suspects associated with AISURU/Kimwolf are said to be based in Canada and Germany. All four botnets disrupted by the operation are variants of Mirai, which had its source code leaked in 2016 and has served as the starting point for other botnets. The U.S. Justice Department said some victims of the DDoS attacks lost hundreds of thousands of dollars through remediation expenses or ransom demands from hackers who would only stop overloading websites for a price.
• Google Debuts New Advanced Flow for Sideloading on Android — Google’s advanced flow for Android changes how apps from unverified developers are installed, adding friction to combat scams and malware. The feature is aimed at experienced users and allows sideloading through a one-time setup. The advanced flow adds a 24-hour delay and verification steps intended to disrupt coercive pressure and give users time to make decisions. It’s designed to address scenarios where attackers pressure individuals to install unsafe software and play on the urgency of the operation to push them to bypass security warnings and disable protections before they can pause or seek help.
• Critical Langflow Flaw Comes Under Attack — A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities. The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution. Cloud security firm Sysdig said that the attacks weaponize the vulnerability to steal sensitive data from compromised systems. «The real-world proof is definitive: threat actors exploited it in the wild within 20 hours of the advisory going public, with no public PoC code available,» Aviral Srivastava, who discovered the vulnerability, told The Hacker News. «They built working exploits just from reading the advisory description. That’s the hallmark of trivial exploitation when multiple independent attackers can weaponize a vulnerability from a description alone, within hours.»
• Interlock Ransomware Exploited Cisco FMC Flaw as 0-Day — An Interlock ransomware campaign exploited a critical security flaw in Cisco Secure Firewall Management Center (FMC) Software as a zero-day well over a month before it was publicly disclosed. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. «This wasn’t just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,» Amazon, which spotted the activity, said.
• Yet Another iOS Exploit Kit Comes to Light — A new watering hole attack against iPhone users has been found to deliver a previously undocumented iOS exploit kit codenamed DarkSword. While some of the attacks targeted users in Ukraine, the kit has also been put to use by two other clusters that singled out Saudi Arabian users in November 2025, as well as users in Turkey and Malaysia. It’s worth noting that these exploits would not be effective on devices where Lockdown Mode is active or on the iPhone 17 with Memory Integrity Enforcement (MIE) enabled. The kit used a total of six exploits in iOS to deliver various malware families designed for surveillance and intelligence gathering. Apple has since addressed all of them. «Completely written in JavaScript, DarkSword comprises six vulnerabilities across two exploit chains that were patched in stages ending with iOS 26.3,» iVerify said. «Starting in WebKit and moving down to the kernel, it achieves full iPhone compromise with elegant techniques never publicly seen before.» The discovery of DarkSword makes it the second mass attack targeting iOS devices. What’s more, the Russian threat actor that deployed DarkSword demonstrated poor operational security. They left the full JavaScript code unobfuscated, unprotected, and easily accessible. The findings also point to a secondary market where such exploits are being acquired by threat actors of varied motivations to actively infect unpatched iOS users on a large scale.
• Perseus Banking Malware Targets Android — A newly discovered Android malware is masking itself within television streaming apps in order to steal users’ passwords and banking data and spy on their personal notes, researchers have found. The malware, dubbed Perseus by researchers at ThreatFabric, is being actively distributed in the wild and primarily targets users in Turkey and Italy. To infect devices, attackers disguise the malware inside apps that appear to offer IPTV services — platforms that stream television content over the internet. These apps are also widely used to stream pirated content and are often downloaded outside official marketplaces like Google Play, making users more accustomed to installing them manually and less likely to view the process as suspicious. Once installed, Perseus can monitor nearly everything a user does in real time. It uses overlay attacks — placing fake login screens over legitimate apps — and keylogging capabilities to capture credentials as they are entered. The malware’s most unusual feature is its focus on personal note-taking applications. «Notes often contain sensitive information such as passwords, recovery phrases, financial details, or private thoughts, making them a valuable target for attackers,» ThreatFabric said.

‎️‍🔥 Trending CVEs

New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week’s most critical — high-severity, widely used software, or already drawing attention from the security community.

Check these first, patch what applies, and don’t wait on the ones marked urgent — CVE-2026-21992 (Oracle), CVE-2026-33017 (Langflow), CVE-2026-32746 (GNU InetUtils telnetd), CVE-2026-32297, CVE-2026-32298 (Angeet ES3 KVM), CVE-2026-3888 (Ubuntu), CVE-2026-20643 (Apple WebKit), CVE-2026-4276 (LibreChat RAG API), CVE-2026-24291 aka RegPwn (Microsoft Windows), CVE-2026-21643 (Fortinet FortiClient), CVE-2026-3864 (Kubernetes), CVE-2026-32635 (Angular), CVE-2026-25769 (Wazuh), CVE-2026-3564 (ConnectWise ScreenConnect), CVE-2026-22557, CVE-2026-22558 (Ubiquiti), CVE-2025-14986 (Temporal), CVE-2026-31381, CVE-2026-31382 (Gainsight Assist), CVE-2026-26189 (Trivy), CVE-2026-4439, CVE-2026-4440, CVE-2026-4441 (Google Chrome), CVE-2026-33001, CVE-2026-33002 (Jenkins), CVE-2026-21570 (Atlassian Bamboo Center), and CVE-2026-21884 (Atlassian Crowd Data Center).

🎥 Cybersecurity Webinars

• Learn How to Automate Exposure Management with OpenCTI & OpenAEV → Discover how to automate continuous, threat-informed testing using open-source tools like OpenCTI and OpenAEV to validate your security controls against real attacker behavior without increasing your budget. See a live demo on how to verify your security works, identify real gaps, and integrate it into your SOC workflow at no extra cost.
• Identity Maturity Cracking in 2026: See the New Data + How to Catch Up Fast → Identity programs are under massive pressure in 2026 – disconnected apps, AI agents, and credential sprawl are creating real risks and audit challenges. Join this webinar for new Ponemon Institute 2026 research from over 600 leaders, showing the scale of the problem and practical steps to close gaps, reduce friction, and catch up quickly.

📰 Around the Cyber World

• WhatsApp Tests Usernames Instead of Phone Numbers — WhatsApp is planning to introduce usernames and unique IDs instead of phone numbers, allowing users to send messages and make voice or video calls without sharing numbers. The optional privacy feature is expected to roll out globally by June 2026, with users and businesses able to reserve unique handles. «We’re excited to bring usernames to WhatsApp in the future to help people connect with new friends, groups, and businesses without having to share their phone numbers,» the company said in a statement shared with The Economic Times. The feature has been under test since early January 2026. Signal introduced a similar feature in early 2024.
• FBI Details SE Asia Scam Centers — The U.S. Federal Bureau of Investigation (FBI) detailed its work with Thai authorities to shut down scam centers proliferating in Southeast Asia. The schemes, which primarily target retirees, small-business owners, and people seeking companionship, have been described as a blend of cyber fraud, money laundering, and human trafficking, causing billions of dollars in annual losses. These scam centers operate in a manner that’s similar to how legitimate corporations do. «Recruiters advertise high-paying jobs abroad. Workers are flown to foreign countries only to discover that the positions do not exist,» the FBI said. «Passports are confiscated. Armed guards patrol the grounds. Under threat of violence, workers are forced to pose as potential romantic partners or savvy investment advisers, cultivating trust with victims over weeks or months.» Recent crackdowns in countries like Cambodia have freed thousands of workers from scam compounds, but the FBI warned that these breakthroughs can be temporary, as criminal networks always tend to relocate, rebrand, or shift tactics in response to law enforcement actions.
• APT28 Exposed Server Leaks SquirrelMail XSS Payload — A second exposed open directory discovered on a server («203.161.50[.]145») associated with APT28 (aka Fancy Bear) has offered insights into the threat actor’s espionage campaigns targeting government and military organizations across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. According to Ctrl-Alt-Intel, the directory contained command-and-control (C2) source code, scripts to steal emails, credentials, address books, and 2FA tokens from Roundcube mailboxes, telemetry logs, and exfiltrated data. The stolen data consists of 2,870 emails from government and military mailboxes, 244 sets of stolen credentials, 143 Sieve forwarding rules (to silently forward every incoming email to an attacker-controlled mailbox), and 11,527 contact email addresses. One of the newly identified tools is an XSS payload targeting the SquirrelMail webmail software, highlighting the threat actor’s continued focus on leveraging XSS flaws to steal data from email inboxes. It’s worth noting that the server was attributed to APT28 by the Computer Emergency Response Team of Ukraine (CERT-UA) as far back as September 2024. «Fancy Bear developed a modular, multi-platform exploitation toolkit where a victim simply opening a malicious email – with no further clicks – could result in their credentials stolen, their 2FA bypassed, emails within their mailbox exfiltrated, and a silent forwarding rule established that persists indefinitely,» Ctrl-Alt-Intel said.
• Analysis of a Beast Ransomware Server — An analysis of an open directory on a server («5.78.84[.]144») associated with Beast, a ransomware-as-a-service (RaaS) that’s suspected to be the successor to Monster ransomware, has uncovered the various tools used by the threat actors and the different stages of their attack lifecycle. These included Advanced IP Scanner and Advanced Port Scanner to map internal networks and find open remote desktop protocol (RDP) or server message block (SMB) ports. Also identified were programs to locate sensitive files for exfiltration and flag which servers hold the most data, as well as Mimikatz, LaZagne, and Automim (for credential harvesting), AnyDesk (for persistence), PsExec (for lateral movement), and MEGASync (for data exfiltration). Beast ransomware operations paused in November 2025 and resumed in January 2026.
• GrapheneOS Opposes the Unified Attestation Initiative — GrapheneOS has come out strongly against Unified Attestation, stating it «serves no truly useful purpose beyond giving itself an unfair advantage while pretending it has something to do with security.» The Unified Attestation initiative is an open-source, decentralized alternative to the Google Play Integrity API to provide device and app integrity checks for custom ROMs without requiring Google Play Services. «We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security, and freedom on mobile to avoid it,» GraphenseOS said. «Companies selling phones should not be deciding which operating systems people are allowed to use for apps.»
• VoidStealer Uses Chrome Debugger to Steal Secrets — An information stealer known as VoidStealer has observed using a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the «v20_master_key» directly from browser memory and use it to decrypt sensitive data stored in the browser. VoidStealer is a malware-as-a-service (MaaS) infostealer that began being marketed on several dark web forums in mid-December 2025. The ABE bypass technique was introduced in version 2.0 of the stealer announced on March 13, 2026. «The bypass requires neither privilege escalation nor code injection, making it a stealthier approach compared to alternative ABE bypass methods,» Gen Digital said. VoidStealer is assessed to have adopted the technique from the open-source ElevationKatz project.
• FBI Says it is Buying Americans’ location Data — FBI director Kash Patel admitted that the agency is buying location data that can be used to track people’s movements without a warrant. «We do purchase commercially available information that’s consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us,» Patel said at a hearing before the Senate Intelligence Committee.
• Iranian Botnet Exposed via Open Directory — An Open Directory on «185.221.239[.]162:8080» has been found to contain several payloads, including a Python-based botnet script, a compiled DDoS binary, multiple C-language denial-of-service files, and IP addresses associated with SSH credentials. «A Python script called ohhhh.py reads credentials in a host:port|username|password format and opens 500 concurrent SSH sessions, compiling and launching the bot client on each host automatically,» Hunt.io said. «The exposed .bash_history captured three distinct phases of work: standing up the tunnel network, building and testing DDoS tooling against live targets, and iterative botnet development across multiple script versions.» The activity has not been linked to any state-directed campaign.
• OpenClaw Developers in Phishing Attack — OpenClaw’s combination of flexibility, local control, and a fast-growing ecosystem has made it popular among developers in a very short time. While that unprecedented adoption speed has exposed organizations to new security risks of its own (i.e., vulnerabilities and the presence of malicious skills on ClawHub and SkillsMP), threat actors are also capitalizing on the brand name and reputation to set up fake GitHub accounts for a phishing campaign that lures unsuspecting developers with promises of free $CLAW tokens and trick them into connect their cryptocurrency wallet. «The threat actor creates fake GitHub accounts, opens issue threads in attacker-controlled repositories, and tags dozens of GitHub developers,» OX Security researchers Moshe Siman Tov Bustan and Nir Zadok said. «The posts claim that recipients have won $5,000 worth of CLAW tokens and can collect them by visiting a linked site and connecting their crypto wallet.» The linked site («token-claw[.]xyz») is a near-identical clone of openclaw.ai rigged with a wallet-draining «Connect your wallet» button designed to conduct cryptocurrency theft.
• New Campaign Targets Energy Operations Personnel in Pakistan — A targeted campaign against operations personnel at energy firms linked to projects in Pakistan has leveraged phishing emails mimicking invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC). The messages, sent from compromised accounts from a Pakistani university and a government organization, aim to deceive victims into opening PDF attachments with a fake Adobe Acrobat Reader update prompt. Clicking the update leads to the download of a ClickOnce application resource that drops the Havoc Demon C2 framework. «The redirect chain was also wrapped in geofencing and browser fingerprinting, limiting access to intended targets,» Proofpoint said. «That likely reduced the exposure to automated analysis while keeping the delivery path tightly scoped.» The activity has been codenamed UNK_VaporVibes. It’s assessed to share overlaps with activity publicly associated with SloppyLemming.
• Over 373K Dark Web Sites Down — International law enforcement agencies announced the takedown of one of the largest known networks of fraudulent platforms on the dark web, uncovering hundreds of thousands of fake websites used to scam users seeking child sexual abuse content. A 10-day international operation led by German authorities and supported by Europol shut down more than 373,000 dark web domains run by a 35-year-old man based in China, who had been operating a sprawling network of fraudulent platforms since at least 2021. While the sites advertised child abuse material and cybercrime-as-a-service offerings, nothing was actually delivered after victims made a payment in Bitcoin. The fraudulent scheme netted the operator an estimated €345,000 from around 10,000 people. Authorities from 23 countries participated in the operation, and have since identified 440 customers whose purchases are now under active investigation.
• Malicious npm Packages Steal Secrets — Two malicious npm packages, sbx-mask and touch-adv, have been found to steal secrets from victims’ computers. While one invokes the malicious code via the postinstall script, the other executes it when application code is invoked by the developer after importing it. «The evidence strongly suggests account takeover of a legitimate publisher, rather than intentional malicious activity,» Sonatype said. «Hijacked publisher accounts are particularly concerning as, over time, maintainers build trust with the users of their components. Attackers aim to take advantage of that trust in order to steal valuable, or profitable, information.»
• China to Have Its Own Post-Quantum Cryptography in 3 Years — China is reportedly planning to develop its own national post-quantum cryptography standards within the next three years, according to a report from Reuters. The U.S. finalized ​its first set of post-quantum cryptography standards in 2024 and is aiming to achieve full industry migration by 2035.
• What’s Next for Tycoon2FA? — A recent law enforcement operation dismantled the infrastructure associated with the Tycoon2FA phishing-as-a-service (PhaaS) platform. However, a new analysis from Bridewell has revealed that some of the 2FA phishing CAPTCHA pages are still live. The lingering activity, the cybersecurity company noted, stems from the fact that these pages operate on a massive network of compromised third-party sites, legitimate SaaS platforms, and thousands of disposable domains. «Operators and affiliates are highly agile and will attempt to rebuild, migrate to new infrastructure, or pivot to competing PhaaS platforms,» it added. «The live CAPTCHA pages we are seeing may belong to surviving criminal affiliates attempting to keep their individual campaigns breathing on secondary proxy networks.»

🔧 Cybersecurity Tools

• MESH → It is an open-source tool from BARGHEST that enables remote mobile forensics and network monitoring over an encrypted, peer-to-peer mesh network resistant to censorship. It connects Android/iOS devices behind firewalls or CGNAT using a modified Tailscale-like protocol (no central servers needed), supports ADB wireless debugging, libimobiledevice, PCAP capture, and Suricata IDS—allowing secure, direct access for live logical acquisitions in restricted or hostile environments.
• enject → It is a lightweight Rust tool that protects .env secrets from AI assistants like Copilot or Claude. It replaces real values in your .env file with placeholders (e.g., en://api_key). Secrets stay encrypted in a per-project store (AES-256-GCM, master password protected). When you run enject run — , it decrypts them only in memory at runtime, then wipes them—never leaving plaintext on disk. Open-source, macOS/Linux, perfect for safe local development.

Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.

Conclusion

And that’s the week. The real pattern isn’t any one story; it’s the gap. The gap between a flaw and detection. Between a patch and a deployment. Between knowing and doing. Most of this week’s damage happened in that gap, and it’s not new.

Before you move on: update your mobile devices, review anything touching your CI/CD pipeline, and don’t store crypto wallet recovery phrases in notes apps.

Las entidades ucranianas se han convertido en el objetivo de una nueva campaña probablemente orquestada por actores de amenazas vinculados a Rusia, según un informe del equipo de inteligencia de amenazas LAB52 de S2 Grupo.

La campaña, observado en febrero de 2026, se ha evaluado que comparte superposiciones con una campaña anterior montada por Laundry Bear (también conocido como UAC-0190 o Void Blizzard) dirigida a las fuerzas de defensa ucranianas con una familia de malware conocida como PLUGGYAPE.

La actividad de ataque «emplea varios señuelos con temas judiciales y de caridad para implementar una puerta trasera basada en JavaScript que se ejecuta a través del navegador Edge», dijo la compañía de ciberseguridad. nombre en clave TALADROel malware es capaz de cargar y descargar archivos, aprovechar el micrófono y capturar imágenes a través de la cámara web aprovechando las funciones del navegador web.

Se han identificado dos versiones diferentes de la campaña, y la primera iteración se detectó a principios de febrero mediante el uso de un archivo de acceso directo de Windows (LNK) para crear una aplicación HTML (HTA) en la carpeta temporal, que luego carga un script remoto alojado en Pastefy, un servicio de pegado legítimo.

Para establecer la persistencia, los archivos LNK se copian a la carpeta de inicio de Windows para que se inicien automáticamente después de reiniciar el sistema. Luego, la cadena de ataque muestra una URL que contiene señuelos relacionados con la instalación de Starlink o una organización benéfica ucraniana llamada Come Back Alive Foundation.

El archivo HTML finalmente se ejecuta a través del navegador Microsoft Edge en modo sin cabezaque luego carga el script ofuscado remoto alojado en Pastefy.

El navegador se ejecuta con parámetros adicionales como –no-sandbox, –disable-web-security, –allow-file-access-from-files, –use-fake-ui-for-media-stream, –auto-select-screen-capture-source=true y –disable-user-media-security, lo que le otorga acceso al sistema de archivos local, así como a la cámara, el micrófono y la captura de pantalla sin requerir ninguna interacción del usuario.

Básicamente, el artefacto funciona como una puerta trasera liviana para facilitar el acceso al sistema de archivos y capturar audio del micrófono, video de la cámara e imágenes de la pantalla del dispositivo a través del navegador. También genera una huella digital del dispositivo utilizando una técnica llamada huellas digitales en lienzo cuando se ejecuta por primera vez y utiliza Pastefy como solucionador de caídas muertas para recuperar una URL de WebSocket utilizada para comunicaciones de comando y control (C2).

El malware transmite los datos de las huellas dactilares del dispositivo junto con el país de la víctima, que se determina a partir de la zona horaria de la máquina. Comprueba específicamente si las zonas horarias corresponden a Reino Unido, Rusia, Alemania, Francia, China, Japón, Estados Unidos, Brasil, India, Ucrania, Canadá, Australia, Italia, España y Polonia. Si ese no es el caso, por defecto será EE.UU.

La segunda versión de la campaña, detectada a finales de febrero de 2026, evita los archivos LNK para los módulos del Panel de control de Windows, manteniendo la secuencia de infección prácticamente intacta. Otro cambio notable tiene que ver con la propia puerta trasera, que ahora se ha actualizado para permitir la enumeración recursiva de archivos, la carga de archivos por lotes y la descarga de archivos arbitrarios.

«Por razones de seguridad, JavaScript no permite la descarga remota de archivos», dijo LAB52. «Es por eso que los atacantes usan el Chrome DevTools Protocol (CDP), un protocolo interno de los navegadores basados ​​en Chromium que sólo se puede usar cuando el parámetro –remote-debugging-port está habilitado».

Se cree que la puerta trasera aún se encuentra en las etapas iniciales de desarrollo. Se observó que una variante temprana del malware detectada en la naturaleza el 28 de enero de 2026 simplemente se comunicaba con el dominio «gnome».[.]com» en lugar de descargar la carga útil principal de Pastefy.

«Uno de los aspectos más notables es el uso del navegador para implementar una puerta trasera, lo que sugiere que los atacantes están explorando nuevas formas de evadir la detección», dijo el proveedor de seguridad español.

«El navegador es ventajoso para este tipo de actividad porque es un proceso común y generalmente no sospechoso, ofrece capacidades extendidas accesibles a través de parámetros de depuración que permiten acciones inseguras como la descarga de archivos remotos, y proporciona acceso legítimo a recursos confidenciales como el micrófono, la cámara o la grabación de pantalla sin activar alertas inmediatas».

Investigadores de ciberseguridad han revelado detalles de una nueva campaña cibernética rusa dirigida a entidades ucranianas con dos familias de malware previamente indocumentadas llamadas pata mala y MiauMiau.

«La cadena de ataque se inicia con un correo electrónico de phishing que contiene un enlace a un archivo ZIP. Una vez extraído, un archivo HTA inicial muestra un documento señuelo escrito en ucraniano sobre apelaciones para cruzar la frontera para engañar a la víctima», ClearSky dicho en un informe publicado esta semana.

En paralelo, la cadena de ataque conduce a la implementación de un cargador basado en .NET llamado BadPaw, que luego establece comunicación con un servidor remoto para buscar e implementar una puerta trasera sofisticada llamada MeowMeow.

La campaña se ha atribuido con moderada confianza al actor de amenazas patrocinado por el estado ruso conocido como APT28, basándose en la huella de objetivos, la naturaleza geopolítica de los señuelos utilizados y las superposiciones con técnicas observadas en operaciones cibernéticas rusas anteriores.

El punto de partida de la secuencia de ataque es un correo electrónico de phishing enviado desde ukr.[.]net, probablemente en un intento de establecer credibilidad y asegurar la confianza de las víctimas objetivo. En el mensaje hay un enlace a un supuesto archivo ZIP, lo que hace que el usuario sea redirigido a una URL que carga una «imagen excepcionalmente pequeña», actuando efectivamente como un píxel de seguimiento para indicar a los operadores que se hizo clic en el enlace.

Una vez que se completa este paso, la víctima es redirigida a una URL secundaria desde donde se descarga el archivo. El archivo ZIP incluye una aplicación HTML (HTA) que, una vez iniciada, suelta un documento señuelo como mecanismo de distracción, mientras ejecuta etapas de seguimiento en segundo plano.

«El documento señuelo arrojado sirve como una táctica de ingeniería social, presentando una confirmación de recibo de una apelación del gobierno sobre un cruce fronterizo con Ucrania», dijo ClearSky. «Este señuelo tiene como objetivo mantener el barniz de legitimidad».

El archivo HTA también realiza comprobaciones para evitar su ejecución en entornos sandbox. Para ello, consulta la clave del Registro de Windows «KLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate» para estimar la «antigüedad» del sistema operativo. El malware está diseñado para cancelar la ejecución si el sistema se instaló menos de diez días antes.

Si el sistema cumple con los criterios del entorno, el malware localiza el archivo ZIP descargado y extrae dos archivos de él (un Visual Basic Script (VBScript) y una imagen PNG) y los guarda en el disco con nombres diferentes. También crea una tarea programada para ejecutar VBScript como una forma de garantizar la persistencia en el sistema infectado.

La responsabilidad principal de VBScript es extraer código malicioso incrustado en la imagen PNG, un cargador ofuscado conocido como BadPaw que es capaz de contactar a un servidor de comando y control (C2) para descargar componentes adicionales, incluido un ejecutable llamado MeowMeow.

«De acuerdo con el oficio ‘BadPaw’, si este archivo se ejecuta independientemente de la cadena de ataque completa, inicia una secuencia de código ficticio», explicó la compañía israelí de ciberseguridad. «Esta ejecución señuelo muestra una interfaz gráfica de usuario (GUI) que presenta una imagen de un gato, alineándose con el tema visual del archivo de imagen inicial del cual se extrajo el malware principal».

«Cuando se hace clic en el botón ‘MeowMeow’ dentro de la GUI del señuelo, la aplicación simplemente muestra un mensaje ‘Meow Meow Meow’, sin realizar más acciones maliciosas. Esto sirve como un señuelo funcional secundario para engañar al análisis manual».

El código malicioso de la puerta trasera se activa solo cuando se ejecuta con un determinado parámetro («-v») proporcionado por la cadena de infección inicial, y después de verificar que se está ejecutando en un punto final real en lugar de en una zona de pruebas, y que no se ejecutan herramientas forenses y de monitoreo como Wireshark, Procmon, Ollydbg y Fiddler en segundo plano.

En esencia, MeowMeow está equipado para ejecutar de forma remota comandos de PowerShell en el host comprometido y admitir operaciones del sistema de archivos, como la capacidad de leer, escribir y eliminar datos. ClearSky dijo que identificó cadenas en idioma ruso en el código fuente, lo que refuerza la evaluación de que la actividad es obra de un actor de amenazas de habla rusa.

«La presencia de estas cadenas en ruso sugiere dos posibilidades: el actor de la amenaza cometió un error de seguridad operativa (OPSEC) al no localizar el código para el entorno de destino ucraniano, o inadvertidamente dejó artefactos de desarrollo rusos dentro del código durante la fase de producción del malware», dijo.