Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities
The Pawn Storm (APT28) campaign, active since September 2025 and escalating in January 2026, deploys the modular PRISMEX malware suite against the Ukrainian defense supply chain and allied logistics. It relies on spear-phishing with hydrometeorological or military-themed lures and exploits the newly disclosed CVE-2026-21509 (Office OLE Shell.Explorer.1 bypass) and, likely as a zero-day, CVE-2026-21513 (MSHTML LNK/IE frame bypass). PRISMEX components include PrismexSheet (an Excel dropper with VBA steganography), PrismexDrop (a native dropper that persists through COM hijacking of CLSID {68DDBB56-9D1D-4FD9-89C5-C0DA2A625392} via adwapi64.dll, triggered by a "OneDriveHealth" scheduled task), PrismexLoader (a proxy DLL that extracts payloads from PNG images using "Bit Plane Round Robin" steganography), and PrismexStager (a Covenant Grunt used for C2). Evasion relies on fileless CLR bootstrapping, in-memory .NET assembly loading inside explorer.exe, and abuse of legitimate cloud services such as Filen.io (e.g., gateway.filen.io, ingest.filen.io) for command-and-control and data exfiltration, alongside attacker domains such as wellnesscaremed[.]com. Observed activity indicates espionage as well as the potential for destructive action.
Severity: Critical
Threat Details and IOCs
| Malware: | Backdoor.SofacyX, BadPaw, BeardShell, BEARDSHELL, Chopstick, CHOPSTICK, Cordyceps, Covenant, COVENANT, CovenantGrunt, Empire, GONEPOSTAL, Graphite, Grunt, MeowMeow, MeowMeowProgram.exe, Neo-reGeorg, NotDoor, PowerShell Empire, PRISMEX, ReGeorg, Roundish, SalatStealer, Sednit, Sedreco, ShadowSniff, SlimAgent, SLIMAGENT, Sofacy, splm, SPLM, Trojan.Shunnael, WEB_RAT, Xagent, X-Agent, XAgent, XAgentOSX, XAPS, Xtunnel, X-Tunnel, XTunnel, Zebrocy |
|---|---|
| CVEs: | CVE-2017-6742, CVE-2020-12641, CVE-2020-35730, CVE-2021-44026, CVE-2022-38028, CVE-2023-23397, CVE-2023-43770, CVE-2026-21509, CVE-2026-21513 |
| Technologies: | Cisco IOS, Filen, Google Chrome, icedrive, Koofr, Kubernetes, LastPass, Linux, Microsoft 365, Microsoft Exchange Server, Microsoft .NET Framework, Microsoft OneDrive, Microsoft PowerShell, Microsoft Windows, Mozilla Firefox, Roundcube Webmail, SquirrelMail, Ubiquiti EdgeRouter |
| Threat Actors: | APT28, BlueAthena, BlueDelta, FancyBear, FightingUrsa, ForestBlizzard, FROZENLAKE, Group74, GruesomeLarch, GRUUnit26165, IronTwilight, ITG05, MilitaryUnit26165, PawnStorm, Sednit, SIG40, SNAKEMACKEREL, Sofacy, Strontium, TA422, ThreatGroup4127, TsarTeam, UAC-0252 |
| Attacker Countries: | Russia |
| Attacker IPs: | 106[.]51[.]89[.]49, 130[.]61[.]233[.]105, 162[.]0[.]236[.]189, 193[.]187[.]148[.]169, 203[.]161[.]50[.]145, 209[.]74[.]89[.]76, 217[.]146[.]67[.]241, 23[.]227[.]202[.]14, 72[.]62[.]185[.]31 |
| Attacker Emails: | advenwolf@proton[.]me, a[.]matti444@proton[.]me, dubravka[.]jovanovic2024@proton[.]me, srezoska@skiff[.]com, teoabarquero@tutamail[.]com, uffetroelsen@atomicmail[.]io |
| Attacker Domains: | 910cf351-a05d-4f67-ab8e-6f62cfa8e26d[.]dnshook[.]site, api[.]icedrive[.]net, app[.]koofr[.]net, a[.]zhblz[.]com, dbca10b5-63e0-42ec-ad10-de13be96dc42[.]dnshook[.]site, docs[.]goog1e[.]com[.]spreadsheets[.]d[.]1ipevana4hglaeksstshboujdk[.]zhblz[.]com, docs[.]google[.]com[.]spreadsheets[.]d[.]1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk[.]zhblz[.]com, egest[.]filen[.]io, filen[.]io, freefoodaid[.]com, gateway[.]filen-1[.]net, gateway[.]filen-6[.]net, gateway[.]filen[.]io, gateway[.]filen[.]net, goog1e[.]com, gov[.]vppdr[.]com, ingest[.]filen[.]io, longsauce[.]com, mail[.]govmk[.]com, pcloud[.]com, proton[.]me, skiff[.]com, ukr[.]net, virtualdailyplanner[.]pro, wellnesscaremed[.]com, wellnessmedcare[.]org, zhblz[.]com |
| Attacker URLs: | a[.]zhblz[.]com/end, a[.]zhblz[.]com/leak, a[.]zhblz[.]com/start, hxxps[://]zhblz[.]com/adbook.js, hxxps[://]zhblz[.]com/addRedirectMailBox.js, hxxps[://]zhblz[.]com/authentification.php, hxxps[://]zhblz[.]com/delTwoAuth.js, hxxps[://]zhblz[.]com/getUserCredentials.js, hxxps[://]zhblz[.]com/getUserCredentialsOLD.js, hxxps[://]zhblz[.]com/keyTwoAuth.js, hxxps[://]zhblz[.]com/worker, hxxps[://]zhblz[.]com/worker2, hxxps[://]zhblz[.]com/zJ2w9x, hxxps[://]zhblz[.]com/zJ2w9xP8cVb3D4s1mQe7rX6fT5yLg0HhKjNuAoIiZpCkRlOvBtWnYqMUEaSdvGbJ, hxxps[://]zhblz[.]com/zJ2w9x/uploadfile/, zhblz[.]com/adbook.js, zhblz[.]com/addRedirectMailBox.js, zhblz[.]com/authentification.php, zhblz[.]com/getUserCredentials.js, zhblz[.]com/keyTwoAuth.js, zhblz[.]com/upload, zhblz[.]com/worker, zhblz[.]com/zJ2w9x, zhblz[.]com/zJ2w9x/uploadfile/ |
| Attacker Hashes: | 2cae8dc37baf5216a3e7342aac755894, 4b3e139c122df9fbc08442b7823ebde9, 5603e99151f8803c13d48d83b8a64d071542f01b, 6d39f49aa11ce0574d581f10db0f9bae423ce3d5, 889b83d375a0fb00670af5276816080e, 915179579ab7dc358c41ea99e4fcab52, 99b454262dc26b081600e844371982a49d334e5e, aeeb08c154d8e1d765683d399f9c784f2047bac7d39190580f35c001c8fe2a17, aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa, be588c14f7ed3252e36c7db623c09cde8e01fa850c5431d9d621ac942695804d, c49d4acad68955692c32d5fa924eb5bb3f95a192d2c70ff6b0b2ce63c6afe985, d0db619a7a160949528d46d20fc0151bf9775c32, e76f54b7b98ba3a08f39392e6886a9cb3e97d57b8a076e6b948968d0be392ed8 |
| Victim Industries: | Advocacy Organizations, Aerospace, Cloud Infrastructure, Defense, Education, Energy, Government, Hospitality, Humanitarian, Logistics, Manufacturing, Media and Entertainment, Military, Multimedia, Non-Governmental Organizations (NGOs), Public Administration, Retail, Technology Hardware, Telecommunications, Transportation, Utilities |
| Victim Countries: | Albania, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Montenegro, Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States |
Mitigation Advice
- Apply the security patch for Microsoft Office vulnerability CVE-2026-21509 on all affected endpoints.
- Apply the security patch for the MSHTML vulnerability CVE-2026-21513 on all affected Windows systems.
- Block the following domains at the network firewall, web proxy, and DNS filter: wellnesscaremed[.]com, gateway[.]filen[.]io, ingest[.]filen[.]io, and egest[.]filen[.]io. Note that Filen is a legitimate cloud storage service abused by this campaign, so blocking it also cuts off any sanctioned use; confirm there is none before enforcing the rule.
- Use your EDR or endpoint scanning tools to search all systems for the file hash SHA256: aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa.
- Use your EDR or endpoint scanning tools to search all systems for the presence of the following file names: adwapi64.dll, EhStoreShell.dll, SplashScreen.png, and background.png.
- Query all endpoints for a scheduled task named "OneDriveHealth" and investigate any findings.
- Use endpoint management or EDR tools to scan the registry on all Windows systems for the CLSID {68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}.
- If patching for CVE-2026-21509 is not immediately possible, implement a registry change to disable the Shell.Explorer.1 OLE object (CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) as a temporary mitigation.
Compliance Best Practices
- Implement and enforce a group policy to block all Microsoft Office macros from documents originating from the internet.
- Develop and enforce a corporate policy that restricts network access to only approved cloud storage and file-sharing services, blocking all others by default.
- Configure your SIEM or EDR to generate alerts for suspicious modifications to COM registry keys, particularly the creation or modification of InProcServer32 keys in the HKEY_CURRENT_USER hive.
- Tune EDR policies to monitor for and alert on unusual process injection events, specifically focusing on non-standard modules or CLR assemblies being loaded into trusted Windows processes like explorer.exe.
- Implement a continuous security awareness training program that includes regular phishing simulations, focusing on educating users to identify and report suspicious emails with attachments or links.
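The hunting steps above (scheduled task, CLSID, file names and hash) and the per-user COM-registration monitoring item under Compliance Best Practices, combined into one read-only PowerShell hunt. This is an added example rather than code from the advisory or its sources; the indicator values come from this page, while the directories searched and the "trusted location" heuristic are assumptions to adjust for your environment.

```powershell
# Read-only hunt for the PRISMEX persistence artifacts named in this advisory:
#   - scheduled task "OneDriveHealth"
#   - CLSID {68DDBB56-9D1D-4FD9-89C5-C0DA2A625392} registered under HKCU (COM hijack)
#   - file names adwapi64.dll, EhStoreShell.dll, SplashScreen.png, background.png
#   - SHA256 aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
# plus a generic sweep for per-user COM registrations that shadow HKLM entries or
# point at DLLs outside the Windows/Program Files trees. Nothing is modified.
# HKCU is the *current* user's hive: run once per interactive user, or adapt the
# registry loop to the HKU:\<SID> hives to cover every loaded profile.

$Clsid       = '{68DDBB56-9D1D-4FD9-89C5-C0DA2A625392}'
$TaskName    = 'OneDriveHealth'
$FileNames   = @('adwapi64.dll', 'EhStoreShell.dll', 'SplashScreen.png', 'background.png')
$KnownSha256 = 'aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa'
# Assumption: user-writable locations are the likely drop sites; extend as needed.
$SearchRoots  = @($env:USERPROFILE, $env:ProgramData, "$env:windir\Temp")
# Assumption: DLLs under these roots count as "expected" COM server locations.
$TrustedRoots = @(@($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Scheduled task (Get-ScheduledTask searches every task folder when no path is given)
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) runs: $actions"
}

# 2. The specific hijacked CLSID. A per-user registration under HKCU takes precedence
#    over the machine-wide one in HKLM, which is what lets the hijack work without
#    administrative rights.
$hkcuClsid = "HKCU:\Software\Classes\CLSID\$Clsid"
if (Test-Path $hkcuClsid) {
    $srv = (Get-ItemProperty -Path "$hkcuClsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Add-Finding 'COM-CLSID-IOC' "$hkcuClsid InprocServer32 = $srv"
}

# 3. Generic COM hijack candidates in the current user's hive
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $key    = $_
    $srvKey = $key.OpenSubKey('InprocServer32')
    if (-not $srvKey) { return }
    $dll = [string]$srvKey.GetValue('')
    $srvKey.Close()
    if (-not $dll) { return }
    $expanded    = [Environment]::ExpandEnvironmentVariables($dll)
    $inTrusted   = @($TrustedRoots | Where-Object { $expanded -like "$_\*" }).Count -gt 0
    $shadowsHklm = Test-Path "HKLM:\Software\Classes\CLSID\$($key.PSChildName)"
    if ($shadowsHklm -or -not $inTrusted) {
        Add-Finding 'COM-Hijack-Candidate' "$($key.PSChildName) -> $expanded (shadows HKLM: $shadowsHklm)"
    }
}

# 4. Dropped file names; every match is hashed so the known SHA256 is recognised.
#    background.png is a common name, so expect benign hits in this category.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -File -Include $FileNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $kind = if ($hash -eq $KnownSha256) { 'File-KnownHash' } else { 'File-NameMatch' }
            Add-Finding $kind "$($_.FullName) sha256=$hash"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No PRISMEX indicators found for this user/host.'
} else {
    $findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
}
```

A COM-Hijack-Candidate hit is a lead, not a verdict: some legitimate software registers per-user COM servers under its own install directory, so compare the DLL path and publisher before escalating.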
https://buaq.net/go-399399.html
https://cyberinsider.com/apt28-revives-advanced-malware-toolkit-used-in-cyber-espionage-ops/
https://cyberpress.org/fancybear-credential-theft-exposed/
https://gbhackers.com/fancybear-server-leak/
https://securereading.com/apt28-beardshell-covenant-malware-ukraine-espionage/
https://securityonline.info/exposed-server-reveals-apt28-roundish-toolkit-cyber-espionage/
https://thehackernews.com/2026/03/apt28-linked-campaign-deploys-badpaw.html
https://thehackernews.com/2026/03/apt28-uses-beardshell-and-covenant.html
https://www.helpnetsecurity.com/2026/03/10/sednit-espionage-toolkit-stealing-data/
https://www.scworld.com/brief/russian-phishing-campaign-hits-ukraine-with-novel-malware
https://www.securitylab.ru/news/570314.php
https://www.welivesecurity.com/en/eset-research/sednit-reloaded-back-trenches/
Coruna iOS Exploit Framework Linked to Operation Triangulation Spyware
Kaspersky researchers have established strong technical connections between the "Coruna" iOS exploit framework and the "Operation Triangulation" campaign. Coruna, previously detailed by Google and iVerify, is a sophisticated exploit kit targeting Apple iPhones that has been observed in watering-hole attacks in Ukraine and in financially motivated operations in China. Building on its earlier discovery of Operation Triangulation's spyware implant and zero-day vulnerabilities, Kaspersky found that a kernel exploit within Coruna targeting CVE-2023-32434 and CVE-2023-38606 is an updated variant of an exploit used in Operation Triangulation. Coruna also incorporates four additional kernel exploits that share a common codebase, indicating a unified development effort and positioning Coruna as an evolution of the Triangulation toolkit. The multi-stage attack chain begins in Apple's Safari browser, fingerprints the target, and deploys remote code execution and pointer authentication code (PAC) exploits. It then retrieves and decrypts payload modules using ChaCha20 and custom container formats (identified by markers such as 0xBEDF00D and 0xF00DBEEF), dynamically selecting components based on device specifics to gain kernel access. A launcher component then removes forensic traces, injects malicious code, and deploys the final spyware implant with persistence. This modular framework, which leverages both new and previously patched vulnerabilities, is expanding beyond targeted espionage into broader cybercriminal use, underscoring the importance of applying iOS updates immediately and enabling Lockdown Mode.
Severity: Critical
Threat Details and IOCs
| Malware: | A0Backdoor, Coruna, CryptoWaters, Darksword, DarkSword, EternalBlue, IronLoader, Parallax, Pegasus, Photon, PlasmaGrid, PLASMAGRID, PlasmaLoader, TriangleDB, WanaCrypt0r, WannaCry, WannaCrypt, WannaCryptor, WCry |
|---|---|
| CVEs: | CVE-2017-7921, CVE-2020-27932, CVE-2020-27950, CVE-2021-22681, CVE-2021-30952, CVE-2022-48503, CVE-2023-32409, CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41974, CVE-2023-41990, CVE-2023-42916, CVE-2023-43000, CVE-2023-43010, CVE-2024-23222, CVE-2024-23225, CVE-2024-23296, CVE-2025-14174, CVE-2025-31277, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2026-20700 |
| Technologies: | Apple iOS, Apple iPhone, Apple macOS, Apple Memos, Apple Safari, Apple tvOS, Apple watchOS, Apple WebKit, Bitget Wallet, Exodus Wallet, Hikvision IP Cameras, MetaMask, Phantom, Rockwell Automation RSLogix 5000, Rockwell Automation Studio 5000 Logix Designer, TokenPocket, Trust Wallet, Uniswap |
| Threat Actors: | Careto, Coruna, CryptoWaters, GALLIUM, Lazarus, LazarusGroup, NSO, PLASMAGRID, Ta505, TheMask, TheShadowBrokers, UNC1878, UNC6353, UNC6691, WIZARDSPIDER |
| Attacker Countries: | China, North Korea, Russia, Turkey, United States |
| Attacker IPs: | 119[.]8[.]238[.]183, 156[.]254[.]5[.]4, 203[.]168[.]129[.]71 |
| Victim Industries: | Aerospace, Business Services, Cryptocurrency, Defense, E-commerce, Financial Services, Gaming, Government, Industrials, Industrial Sector, Information Security, Information Technology, Manufacturing, Multimedia, Online Gambling, Public Sector, Retail, Sports and Entertainment, Technology Hardware |
| Victim Countries: | China, Iran, Israel, Malaysia, Russia, Saudi Arabia, Syria, Turkey, Ukraine, United Arab Emirates, United States |
Mitigation Advice
- Force an immediate update of all corporate-managed iPhones to the latest available iOS version to patch the vulnerabilities exploited by the Coruna framework, including CVE-2023-32434 and CVE-2023-38606.
- Enable iOS Lockdown Mode on the devices of high-risk users, such as executives and system administrators, to provide enhanced protection against zero-day exploits.
- Create detection rules in your SIEM or network monitoring tools to search for the hexadecimal identifiers `0xBEDF00D` and `0xF00DBEEF` in network traffic, which are indicative of the Coruna exploit framework's payload containers.
Compliance Best Practices
- Implement or mature a Mobile Device Management (MDM) solution to centrally enforce security policies, automate patching, and monitor the compliance of all corporate iOS devices.
- Invest in and configure a Network Detection and Response (NDR) solution to monitor traffic from mobile devices on corporate networks, establishing baselines to detect anomalous activity indicative of a compromise.
- Develop and implement a recurring security awareness training program that educates employees on identifying and avoiding mobile-specific threats like watering-hole attacks and malicious links.
- Evaluate and deploy a Mobile Threat Defense (MTD) or mobile-capable Endpoint Detection and Response (EDR) solution to detect and respond to malicious process behavior and post-exploitation activity on iOS devices.
https://buaq.net/go-399924.html
https://buaq.net/go-403891.html
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/
https://coinedition.com/iphone-security-alert-coruna-hack-targets-crypto-wallet-recovery-phrases/
https://cyberinsider.com/apple-backports-coruna-exploit-fixes-to-older-iphones-and-ipads/
https://cyberinsider.com/coruna-ios-exploit-framework-linked-to-operation-triangulation-spyware/
https://cyberinsider.com/google-uncovers-new-coruna-ios-exploit-kit-used-in-iphone-espionage/
https://cyberpress.org/apple-issues-emergency-ios-15-8-7-update/
https://cyberpress.org/coruna-exploit-kit-leveraging-23-vulnerabilities/
https://cyberpress.org/hackers-exploit-macos-and-ios-vulnerabilities/
https://cyberpress.org/iphone-hacking-toolkit-used-by-russian/
https://exploit-intel.com/vuln/CVE-2023-43010
https://financefeeds.com/google-researchers-discover-ios-exploit-kit/
https://gbhackers.com/apple-releases-emergency-ios-15-8-7-update/
https://gbhackers.com/iphone-hacking-toolkit-may-have-originated-in-the-u-s/
https://gbhackers.com/thousands-of-iphones-compromised-in-massive-hack-via-coruna-exploit-kit/
https://seclists.org/fulldisclosure/2026/Mar/1
https://seclists.org/fulldisclosure/2026/Mar/2
https://securelist.com/coruna-framework-updated-operation-triangulation-exploit/119228/
https://securereading.com/apple-iphone-coruna-darksword-exploit-warning/
https://sploitus.com/exploit?id=43D73A3D-B17C-5650-ADD1-0A440F38D03B
https://sploitus.com/exploit?id=81F563EA-F160-582D-AAA5-D5964E5EF53E
https://support.apple.com/en-us/126632
https://thehackernews.com/2026/03/apple-issues-security-updates-for-older.html
https://thehackernews.com/2026/03/apple-warns-older-iphones-vulnerable-to.html
https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html
https://thehackernews.com/2026/03/coruna-ios-kit-reuses-2023.html
https://www.cyberkendra.com/2026/03/google-uncovers-coruna-ios-exploit-kit.html
https://www.esecurityplanet.com/threats/coruna-ios-exploit-kit-compromises-thousands-of-iphones/
https://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/
https://www.infosecurity-magazine.com/news/coruna-exploit-older-iphones/
https://www.securitylab.ru/news/570046.php
https://www.securitylab.ru/news/570127.php
https://www.securitylab.ru/news/570822.php
https://www.securityweek.com/nation-state-ios-exploit-kit-coruna-found-powering-global-attacks/
https://www.techrepublic.com/article/news-coruna-exploit-kit-thousands-of-iphones-compromised/
https://www.theregister.com/2026/03/04/kaspersky_dismisses_claims_that_coruna/
CISA: New Langflow Flaw Actively Exploited to Hijack AI Workflows
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the active exploitation of CVE-2026-33017, a critical vulnerability (CVSS 9.3) in Langflow, an open-source framework for building AI agents. Because flow execution is not sandboxed, this code injection flaw lets unauthenticated threat actors build public flows and execute arbitrary Python code with a single crafted HTTP request, resulting in remote code execution. Researchers observed active exploitation beginning March 19, roughly 20 hours after the advisory became public, followed by automated scanning, exploitation, and harvesting of sensitive data such as .env and .db files. The vulnerability affects Langflow versions 1.8.1 and earlier, and the framework's widespread adoption (145,000 GitHub stars) makes it a significant target. CISA has added the issue to its Known Exploited Vulnerabilities catalog and mandated that federal agencies apply security updates or mitigations by April 8. Recommended actions are upgrading to Langflow 1.9.0 or later, disabling or restricting the vulnerable endpoints, avoiding direct internet exposure, monitoring outbound traffic, and rotating API keys and database credentials. This follows a CISA warning in May 2025 about CVE-2025-3248, another critical API endpoint flaw in Langflow that allowed unauthenticated remote code execution.
Severity: Critical
Threat Details and IOCs
| Malware: | AppleChris, Flodrix, LeetHozer, MemFun |
|---|---|
| CVEs: | CVE-2025-3248, CVE-2025-68478, CVE-2026-33017, CVE-2026-33309 |
| Technologies: | Amazon Web Services, Anthropic Claude, Langflow, Linux, n8n, OpenAI, Python |
| Threat Actors: | Flodrix |
| Attacker IPs: | 143[.]110[.]183[.]86, 173[.]212[.]205[.]251, 188[.]166[.]209[.]86, 205[.]237[.]106[.]117, 209[.]97[.]165[.]247, 77[.]110[.]106[.]154, 83[.]98[.]164[.]238 |
| Attacker Domains: | d6tcpc6flblph01gdcb0ku9ixih393m54[.]oast[.]live, d6tcpe7nsv6kk9rdrpggi37zmjfxw9imr[.]oast[.]me, d6td5s9qte0bea7273e0wuou77jjx77uk[.]oast[.]pro, d6tgbe1qte0a8rkffb3gqabqm8517exd3[.]oast[.]fun, dnslog[.]cn, interact[.]sh, oastify[.]com |
| Attacker URLs: | hxxp[://]143[.]110[.]183[.]86[:]8080/, hxxp[://]173[.]212[.]205[.]251[:]8443/z |
| Victim Industries: | Artificial Intelligence, Cloud Infrastructure, Defense, Financial Services, Government, Healthcare, Information Technology, Software, Technology Hardware |
| Victim Countries: | China, France, Germany, India, Singapore, United States |
Mitigation Advice
- Upgrade all instances of Langflow to version 1.9.0 or later immediately.
- Scan the network and all systems to identify every instance of Langflow and confirm their current version.
- If patching is delayed, use a firewall or reverse proxy to block all external access to vulnerable Langflow instances.
- Rotate all API keys, database credentials, and cloud secrets stored on or used by servers running Langflow.
- Review firewall and network flow logs for any unusual outbound connections originating from servers hosting Langflow.
Compliance Best Practices
- Establish and enforce a security policy that prohibits exposing internal development frameworks and tools directly to the public internet.
- Incorporate all AI/ML development frameworks, including Langflow, into the organization's formal vulnerability management program for continuous scanning and patching.
- Implement a centralized secrets management solution to store and manage credentials, and migrate applications away from using .env files for secrets.
- Implement strict egress filtering rules on the network firewall to block all outbound traffic from servers except for connections to explicitly approved, necessary destinations.
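The version check and egress review described in the steps above, as an added example (not Langflow, CISA or any vendor tooling): it compares inventoried instances against the fixed release and matches flow or DNS records against the entry's attacker IPs and the interactsh/dnslog-style callback domains listed in the IOC table. Host addresses, versions and log lines are constructed.

```python
"""Triage helper for the Langflow CVE-2026-33017 entry above: checks inventoried
instances against the fixed release and reviews egress records for the entry's
attacker IPs or out-of-band callback domains. Added example, not Langflow or CISA
tooling; host addresses, versions and log lines below are constructed."""
import ipaddress
import re

FIXED = (1, 9, 0)   # first fixed release named in the entry
# Attacker IPs and callback domains from the entry's IOC table, defanging removed
ATTACKER_IPS = {"143.110.183.86", "173.212.205.251", "188.166.209.86",
                "205.237.106.117", "209.97.165.247", "77.110.106.154", "83.98.164.238"}
OOB_DOMAINS = ("oast.live", "oast.me", "oast.pro", "oast.fun",
               "interact.sh", "oastify.com", "dnslog.cn")

def parse_version(v):
    """'1.8.1' -> (1, 8, 1); a string compare would wrongly rank '1.10.0' below '1.9.0'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable Langflow version {v!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """Versions 1.8.1 and earlier are affected per the entry."""
    return parse_version(version) < FIXED

def suspicious_destination(dst):
    """True for an IOC IP, or a name at or under an interactsh/dnslog-style domain."""
    try:
        return str(ipaddress.ip_address(dst)) in ATTACKER_IPS
    except ValueError:
        host = dst.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in OOB_DOMAINS)

def review(inventory, records):
    """inventory: {source IP: Langflow version}; records: 'src=.. dst=.. dport=..' lines
    from flow or DNS logs. Returns the findings a responder should act on first."""
    findings = [f"{h}: Langflow {v} is vulnerable, upgrade to 1.9.0 or later"
                for h, v in inventory.items() if is_vulnerable(v)]
    for line in records:
        kv = dict(p.split("=", 1) for p in line.split() if "=" in p)
        src, dst = kv.get("src"), kv.get("dst", "")
        if src in inventory and suspicious_destination(dst):
            findings.append(f"{src}: egress to {dst}:{kv.get('dport', '?')} matches an IOC")
    return findings

INVENTORY = {"10.0.5.12": "1.8.1", "10.0.5.13": "1.10.0"}   # constructed
RECORDS = ["ts=2026-03-20T03:14:05Z src=10.0.5.12 dst=143.110.183.86 dport=8080 proto=tcp",
           "ts=2026-03-20T03:14:09Z src=10.0.5.12 dst=x.oast.live dport=443 proto=tcp",
           "ts=2026-03-20T03:15:00Z src=10.0.5.13 dst=10.0.0.2 dport=5432 proto=tcp"]
```

A hit on a callback domain from a Langflow host is worth treating as confirmed exploitation rather than a scan, since those domains only resolve when injected code actually ran.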
https://cyberpress.org/langflow-code-injection-flaw/
https://cyberveille.esante.gouv.fr/alertes/langflow-ai-cve-2026-33017-2026-03-23
https://cyberveille.esante.gouv.fr/alertes/langflow-cve-2026-33309-2026-03-26
https://exploit-intel.com/vuln/CVE-2026-33017
https://gbhackers.com/cisa-issues-urgent-warning-on-langflow-code-injection-vulnerability/
https://securityonline.info/critical-langflow-vulnerabilities-rce-file-write-cve-2026-33017/
https://sploitus.com/exploit?id=CFEED51B-A567-5A95-9094-445E7B4A5933
https://sploitus.com/exploit?id=EAF229D7-1FBB-5F73-995E-E0D21DE76D4B
https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html
https://www.hendryadrian.com/cisa-new-langflow-flaw-actively-exploited-to-hijack-ai-workflows/
https://www.infosecurity-magazine.com/news/hackers-exploit-critical-langflow/
https://www.techzine.eu/news/security/139999/langflow-rce-flaw-exploited-within-hours-cisa-warns/
Synology DiskStation Manager Vulnerability Puts Users at Risk of Remote Command Execution Attacks
A critical remote command execution vulnerability, tracked as CVE-2026-32746 with a CVSS v3 score of 9.8, has been identified in Synology DiskStation Manager (DSM) software. This flaw, a buffer overflow (CWE-120) within the `telnetd` service of the GNU Inetutils package (versions up to 2.7), specifically in the `LINEMODE SLC` suboption handler's `add_slc` function, allows unauthenticated remote attackers to execute arbitrary commands on affected network-attached storage (NAS) devices. Exploitation of this memory corruption could lead to ransomware deployment, sensitive data theft, or using the compromised NAS as a pivot point for further network attacks. Affected versions include DSM 7.3, 7.2.2, 7.2.1, and DSMUC 3.1, with patches available for most, requiring upgrades to versions like DSM 7.3.2-86009-3 or higher. For systems where patches are still in development, disabling the Telnet service via the Control Panel's Terminal settings is strongly recommended as an immediate mitigation, emphasizing the general practice of favoring encrypted protocols like SSH over legacy plain-text services.
Severity: Critical
Threat Details and IOCs
| Malware: | Lumma, LummaC2, Lumma Stealer, Shai-Hulud, Shai-Hulud 2.0 |
|---|---|
| CVEs: | CVE-2026-24061, CVE-2026-32746 |
| Technologies: | Anthropic Claude, Apple macOS, BSD, Citrix NetScaler, Debian, FreeBSD, GNU inetutils, inetd, iXsystems TrueNAS CORE, Linux, NetBSD, NetScaler, Synology DiskStation Manager, Ubuntu, xinetd |
| Attacker Emails: | admin#unsafe[.]sh |
| Attacker Domains: | codeberg[.]org, github[.]com, lists[.]gnu[.]org, pwn[.]guide, pwn[.]llc, unsafe[.]sh |
| Attacker URLs: | hxxps[://]codeberg[.]org/inetutils/inetutils/pulls/17, hxxps[://]github[.]com/jeffaf/cve-2026-32746.git, hxxps[://]lists[.]gnu[.]org/archive/html/bug-inetutils/2026-03/msg00031.html, hxxps[://]pwn[.]guide/free/other/cve-2026-32746 |
| Victim Industries: | Cloud Infrastructure, Education, Energy, Financial Services, Government, Healthcare, Industrial Control Systems, Industrials, Information Technology, Logistics, Manufacturing, Maritime, Media and Entertainment, Oil & Gas, Operational Technology, Retail, Technology Hardware, Telecommunications, Transportation, Utilities, Utilities & Energy, Water Supply |
| Victim Countries: | France, Taiwan, United States |
Mitigation Advice
- Identify all Synology NAS devices running DSM 7.3, 7.2.2, or 7.2.1 and immediately upgrade them to the fixed versions (7.3.2-86009-3, 7.2.2-72806-8, 7.2.1-69057-11) or newer.
- For any Synology NAS where patches cannot be immediately applied, log into the DSM Control Panel, navigate to 'Terminal & SNMP', and uncheck the 'Enable Telnet service' box to disable the vulnerable service.
- Review firewall and network traffic logs for any inbound connections to the Telnet port (TCP/23) on Synology NAS devices. Investigate any identified connections for signs of compromise, such as anomalous outbound traffic or unexpected running processes on the NAS.
Compliance Best Practices
- Establish and enforce a formal security policy that prohibits the use of insecure, clear-text management protocols like Telnet across the network. Mandate the use of encrypted alternatives such as SSH for all remote device administration.
- Implement network segmentation to isolate storage devices like NAS systems into their own security zone. Create strict firewall rules that only allow access to the NAS from authorized systems on specific ports, and deny all other traffic.
- Implement and maintain a comprehensive hardware and software asset inventory. Ensure the inventory automatically tracks device models, operating systems, and software versions to enable rapid identification of systems affected by future vulnerabilities.
- Establish a formal vulnerability management program that includes regular, automated scanning of all network assets to identify outdated software, missing patches, and insecure configurations like enabled Telnet services.
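For the log-review step above, an added example (not inetutils or Synology code) that inspects captured client-to-server telnet bytes for LINEMODE SLC suboptions, the suboption handler the entry names: it unescapes the IAC IAC sequence, then flags suboption bodies that are malformed or carry far more triplets than a real client negotiates. The triplet bound is an assumption for illustration and the sample bytes are constructed.

```python
"""Inspector for telnet LINEMODE SLC suboptions in client-to-server bytes, for the
telnetd CVE-2026-32746 entry above. Added example, not inetutils or Synology code. It
flags SLC suboptions whose body is malformed or carries more triplets than any real
client negotiates; the triplet bound is an assumption and the samples are constructed."""
IAC, SB, SE = 0xFF, 0xFA, 0xF0              # telnet command bytes
TELOPT_LINEMODE, LM_SLC = 34, 3             # RFC 1184 option and SLC suboption codes
MAX_SLC_TRIPLETS = 32                       # assumed bound; clients send a few dozen at most

def extract_suboptions(data):
    """Yield (option, payload) for each IAC SB ... IAC SE block, unescaping IAC IAC."""
    i = data.find(bytes([IAC, SB]))
    while i != -1 and i + 2 < len(data):
        option, payload, j = data[i + 2], bytearray(), i + 3
        while j < len(data):
            nxt = data[j + 1] if j + 1 < len(data) else None
            if data[j] == IAC and nxt == SE:
                j += 2                      # end of suboption
                break
            if data[j] == IAC and nxt == IAC:
                j += 1                      # escaped literal 0xFF: keep one copy
            payload.append(data[j])
            j += 1
        yield option, bytes(payload)
        i = data.find(bytes([IAC, SB]), j)

def inspect_slc(data):
    """Findings for LINEMODE SLC suboptions with a malformed or oversized triplet list."""
    findings = []
    for option, payload in extract_suboptions(data):
        if option != TELOPT_LINEMODE or not payload or payload[0] != LM_SLC:
            continue
        triplets, rem = divmod(len(payload) - 1, 3)
        if rem:
            findings.append(f"malformed SLC body: {len(payload) - 1} bytes not a multiple of 3")
        if triplets > MAX_SLC_TRIPLETS:
            findings.append(f"oversized SLC suboption: {triplets} triplets")
    return findings

def build_slc(triplets):
    """Encode (function, modifier, char) triplets as a client would, escaping 0xFF."""
    out = bytearray([IAC, SB, TELOPT_LINEMODE, LM_SLC])
    for b in (x for t in triplets for x in t):
        out += bytes([b, b]) if b == IAC else bytes([b])
    return bytes(out + bytes([IAC, SE]))

# Constructed samples: a normal two-entry negotiation and an absurdly long one.
BENIGN = build_slc([(1, 2, 0x03), (2, 2, 0x1C)])   # SLC_SYNCH, SLC_BRK with SLC_VALUE
OVERSIZED = build_slc([(1, 2, IAC)] * 200)         # 200 triplets, each with an escaped 0xFF
```

Any such finding on TCP/23 toward a NAS that still has Telnet enabled is a reason to pull the device for the process and outbound-traffic review the step above describes.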
https://buaq.net/go-403341.html
https://buaq.net/go-403346.html
https://buaq.net/go-403352.html
https://buaq.net/go-403592.html
https://cyberpress.org/synology-dsm-vulnerability/
https://cyberpress.org/telnetd-vulnerability/
https://cyberveille.esante.gouv.fr/alertes/gnu-cve-2026-32746-2026-03-19
https://gbhackers.com/critical-telnetd-vulnerability/
https://gbhackers.com/synology-diskstation-manager-vulnerability/
https://sploitus.com/exploit?id=B6E4E8D1-B299-56A2-9043-5FBF111F3729
https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html
https://www.cyberkendra.com/2026/03/one-packet-full-root-gnu-telnetd-has.html
https://www.thehackerwire.com/gnu-inetutils-telnetd-out-of-bounds-write/
China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks
A China-nexus threat actor, identified as Red Menshen (also tracked as Earth Bluecrow, DecisiveArchitect, and Red Dev 18), has been conducting a long-term espionage campaign against government networks by embedding stealthy access mechanisms within telecom networks across the Middle East and Asia since at least 2021. This campaign utilizes kernel-level implants, passive backdoors, credential-harvesting utilities, and cross-platform command frameworks, with a central tool being the Linux backdoor BPFDoor. BPFDoor achieves stealth by not exposing listening ports or visible command-and-control channels; instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only upon receiving a specifically crafted "magic" trigger packet. Initial access is gained by targeting internet-facing infrastructure and exposed edge services, including VPN appliances, firewalls, and web platforms from vendors like Ivanti, Cisco, Juniper Networks, Fortinet, VMware, Palo Alto Networks, and Apache Struts. Following initial compromise, the actor deploys Linux-compatible beacon frameworks such as CrossC2, Sliver, TinyShell, keyloggers, and brute-force utilities for post-exploitation activities and lateral movement. BPFDoor operates with a passive backdoor component that installs a BPF filter to detect magic packets and spawn a remote shell, alongside a controller that sends these packets and can operate within the victim's environment to facilitate lateral movement. Advanced variants of BPFDoor support Stream Control Transmission Protocol (SCTP) for monitoring telecom-native protocols and incorporate architectural changes for evasion, such as camouflaging trigger packets within seemingly legitimate HTTPS traffic by embedding a specific string ("9999") at a fixed byte offset, and utilizing Internet Control Message Protocol (ICMP) for lightweight inter-host communication. 
This tradecraft reflects an evolution towards embedding implants deeper into the computing stack, targeting operating system kernels and infrastructure platforms, which allows for low-noise, long-term persistence in complex telecom environments and evasion of traditional endpoint monitoring.
Severity: Critical
Threat Details and IOCs
| Malware: | Backdoor.Linux.BPFDOOR, Backdoor.Solaris.BPFDOOR.ZAJE, BPFdoor, BPFDoor, CrossC2, J-magic, JustForFun, Linux.HackTool.TinyShell, SEASPY, Sliver, Symbiote, TinyShell, Tiny SHell, TinyTim, tsh |
|---|---|
| CVEs: | CVE-2019-3010, CVE-2022-3236, CVE-2023-2868, CVE-2023-46805, CVE-2023-48788, CVE-2024-21887, CVE-2025-21590 |
| Technologies: | BSD, Cisco Routers, Docker, Fortinet, Hewlett Packard Enterprise ProLiant, HPE ProLiant, Ivanti, Juniper Networks, Juniper Networks Junos OS, Kubernetes, Linux, Palo Alto Networks, VMware |
| Threat Actors: | DecisiveArchitect, EarthBluecrow, FlaxTyphoon, GhostEmperor, RedDev18, RedMenshen, SaltTyphoon, UNC3886, VoltTyphoon |
| Attacker Countries: | China |
| Attacker IPs: | 103[.]13[.]28[.]40, 116[.]88[.]34[.]184, 129[.]126[.]109[.]50, 18[.]234[.]7[.]23, 223[.]25[.]78[.]136, 44[.]202[.]135[.]229, 45[.]77[.]39[.]28 |
| Attacker Hashes: | 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d, 123eb70723e4a186fa83ea5760a1ae0e16cffd76a62e6464d5b79b8d0979a7a7, 1f4bde6295973e54ca0bb67c532095559bed024186219d8d0b4323b9750d82f2, 29e1b75c659eabbd9977867f1adc876df2c11c1ae411fade20a0561f58f64baf, 3b071d36ffa393a8891832590304b21ee9017b4977a747917e6c6116596851da, 3e01a4bd73b3567f59bd80c7349e3b7ce85c15a6d94016ddfcd0bf3f239684dc, 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115, 4ca4f582418b2cc0626700511a6315c0, 785538b21bf8c9f142bb5565f42d5da5e5150dea63eddd5c1b714dc6306c96ae, 7af0e479e50cf2f1c8256f7431b7e0c3, 8f05657f0bd8f4eb60fba59cc94fe189, adfdd11d69f4e971c87ca5b2073682d90118c0b3a3a9f5fbbda872ab1fb335c6, dcb4872d437a14dc814015bf749fb2caf4cc5cb1776118c7e1748a4f657b303e, ed768dd922742a597257ad684820d7562bb6be215710ec614bd041a22f3d6863 |
| Victim Industries: | Cloud Infrastructure, Education, Financial, Financial Services, Government, Logistics, Retail, Telecommunications |
| Victim Countries: | Afghanistan, Argentina, Australia, Austria, Bahrain, Cambodia, Canada, Colombia, Egypt, Germany, Hong Kong, India, Italy, Japan, Kuwait, Kyrgyzstan, Macao, Malaysia, Myanmar, Nepal, Oman, Qatar, Saudi Arabia, Serbia, Sierra Leone, South Africa, South Korea, Taiwan, Turkey, United Arab Emirates, United Kingdom, United States, Vietnam |
Mitigation Advice
- Immediately apply all available security patches to internet-facing devices, including VPNs, firewalls, and web servers, prioritizing vendors mentioned in the report such as Ivanti, Cisco, Juniper, Fortinet, and VMware.
- Download and run the open-source BPFDoor scanning script provided by Rapid7 across all production Linux systems to detect active infections.
- On all Linux servers, hunt for the file path '/dev/shm/kdmtmpflush' and for processes masquerading as '/sbin/udevd -d', which are known indicators of a BPFDoor infection.
- Update perimeter firewall and web proxy blocklists to deny all traffic to and from known command-and-control IP addresses and domains associated with Red Menshen's toolset, including Sliver and TinyShell.
Compliance Best Practices
- Procure and deploy an Endpoint Detection and Response (EDR) solution on all Linux servers to gain visibility into kernel-level activity and detect anomalous process behavior indicative of implants like BPFDoor.
- Design and implement a network segmentation plan to create security zones that isolate critical assets and restrict east-west traffic between servers, limiting the potential for lateral movement.
- Configure security monitoring tools to audit and alert on the creation and loading of new Berkeley Packet Filter (BPF) programs on Linux hosts, treating any unauthorized BPF activity as a high-priority incident.
- Implement a default-deny egress traffic policy on perimeter firewalls, explicitly allowing only known-required outbound ports and protocols for each system. Monitor and alert on violations, especially unusual protocols like ICMP being used for communication.
- Enforce the use of multi-factor authentication (MFA) for all administrative access, including SSH to servers and logins to network appliances. Complement this with a strong password policy that prohibits easily guessable credentials.
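A host hunt covering the indicators in the steps above, as an added example (not the Rapid7 script or any vendor tooling): it checks for the named file path, for processes presenting the udevd command line while backed by a different binary, and for processes holding AF_PACKET sockets, the socket type a kernel BPF sniffing filter such as BPFDoor's is attached to. The process table, fd links and /proc/net/packet contents at the bottom are constructed; on a live host, run `hunt(*snapshot_proc(), open("/proc/net/packet").read())` as root.

```python
"""Host hunt for the BPFDoor indicators named in the entry above. Added example, not
the Rapid7 script or any vendor tooling; samples at the bottom are constructed."""
import os

INDICATOR_PATH = "/dev/shm/kdmtmpflush"   # file path named in the entry
MASQUERADE = "/sbin/udevd -d"             # cmdline the entry says BPFDoor imitates

def snapshot_proc(proc="/proc"):
    """Return ([(pid, cmdline, exe)], {pid: [fd link targets]}) from a live /proc."""
    procs, fd_map = [], {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            exe = os.readlink(f"{proc}/{pid}/exe")
            fds = [os.readlink(f"{proc}/{pid}/fd/{fd}") for fd in os.listdir(f"{proc}/{pid}/fd")]
        except OSError:
            continue   # kernel threads, exited processes, or insufficient privilege
        procs.append((int(pid), cmdline, exe))
        fd_map[int(pid)] = fds
    return procs, fd_map

def masquerading(procs):
    """udevd cmdline backed by a different binary, or any process running out of /dev/shm."""
    return [(pid, cmd, exe) for pid, cmd, exe in procs
            if (cmd.startswith(MASQUERADE) and not exe.startswith("/sbin/udevd"))
            or exe.startswith("/dev/shm/")]

def packet_socket_inodes(packet_table):
    """Socket inodes (last column) of the AF_PACKET sockets listed in /proc/net/packet."""
    rows = packet_table.strip().splitlines()[1:]
    return {int(r.split()[-1]) for r in rows if r.split()}

def packet_socket_owners(inodes, fd_map):
    """Pids holding any of those sockets, matched through their /proc/<pid>/fd links."""
    targets = {f"socket:[{i}]" for i in inodes}
    return sorted(pid for pid, links in fd_map.items() if targets.intersection(links))

def hunt(procs, fd_map, packet_table, path_exists=os.path.exists):
    """Run all checks; path_exists is injectable so the constructed sample runs offline."""
    return {"indicator_path_present": path_exists(INDICATOR_PATH),
            "masquerading": masquerading(procs),
            "packet_socket_pids": packet_socket_owners(packet_socket_inodes(packet_table), fd_map)}

SAMPLE_PROCS = [(412, "/sbin/udevd -d", "/sbin/udevd"),            # genuine daemon
                (9813, "/sbin/udevd -d", "/dev/shm/kdmtmpflush")]  # imposter
SAMPLE_FDS = {412: ["/dev/null"], 9813: ["/dev/null", "socket:[23456]"]}
SAMPLE_PACKET_TABLE = ("sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
                       "ffff8880 3      3    0003   2     1 0      0      23456\n")
```

The packet-socket list is a review queue rather than a verdict, since DHCP clients and packet capture tools legitimately hold such sockets; `ss -0pb` shows the attached filter code for each one so the unexpected ones can be examined.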
https://buaq.net/go-405609.html
https://cyberpress.org/hackers-deploy-stealthy-bpfdoor-backdoors-in-telecom-networks/
https://gbhackers.com/hackers-implant-stealthy-bpfdoor-backdoors/
https://securereading.com/red-menshen-bpfdoor-telecom-espionage/
https://securitybrief.asia/story/china-linked-red-menshen-hides-inside-telecoms-networks
https://thehackernews.com/2026/03/china-linked-red-menshen-uses-stealthy.html
https://www.helpnetsecurity.com/2026/03/26/telecom-bpfdoor-detection-script/