Apple Patches Exploited Notification Flaw
Apple has released iOS/iPadOS 26.4.2 and iOS/iPadOS 18.7.8 to address a single vulnerability in Notification Services, tracked as CVE-2026-28950. Because of a logging issue, notifications that an app had marked for deletion could be unexpectedly retained on the device; Apple resolved it with improved data redaction. Although Apple did not officially mark the vulnerability as exploited, reports indicate that the FBI used it to recover Signal messages from a seized device. Signal, an end-to-end encrypted messenger designed so that no retrievable plaintext is kept at rest, was affected because it relies on Apple's notification framework: a notification can carry the sender's name and the message body, and iOS failed to delete these even after the app asked for their removal. The case highlights a mismatch between the threat model of a secure messaging application and that of the operating-system libraries and APIs it depends on.
Severity: Critical
Threat Details and IOCs
| Malware: | Chrysaor, DEV-0336, Night Tsunami, Pegasus |
|---|---|
| CVEs: | CVE-2026-28950 |
| Technologies: | Apple iOS, Signal |
| Attacker Countries: | United States |
| Victim Industries: | Construction, Financial Services, Government, Healthcare, Health Care Technology, Information Technology, Legal Services, Manufacturing, Media and Entertainment, Retail, Technology Hardware |
| Victim Countries: | Hong Kong, United States |
Mitigation Advice
- Use your Mobile Device Management (MDM) solution to enforce an immediate update of all managed iPhones and iPads to iOS/iPadOS 26.4.2 or 18.7.8, or the latest available version.
- Issue a security advisory to all employees, instructing them to immediately change the notification settings for all messaging applications (like Signal, Teams, Slack) on their mobile devices to hide message content and sender details from the lock screen and notification center.
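The second mitigation can be enforced centrally on managed devices instead of being left to each user. The script below is an example added here, not code from Apple, Signal or the original page: it generates a configuration profile carrying Apple's Notifications payload (`com.apple.notificationsettings`) with `PreviewType` set to 2 (Never) for a list of messaging apps, and parses a profile back so you can verify what your MDM actually pushed. It goes beyond the advisory by covering several apps in one profile. The bundle identifiers are assumptions to verify against the apps you deploy, as is my reading of Apple's documentation that this payload is honoured only on supervised devices.

```python
"""Generate and verify an iOS configuration profile that hides notification
previews for messaging apps. Added example, not Apple's or Signal's code.
Assumptions: payload type and keys follow Apple's published Notifications
payload schema; bundle IDs below are believed correct but must be verified."""
import plistlib
import uuid

# PreviewType values in Apple's Notifications payload:
# 0 = Always, 1 = When Unlocked, 2 = Never
PREVIEW_NEVER = 2

# Bundle identifiers assumed for illustration; confirm against installed apps.
MESSAGING_APPS = {
    "org.whispersystems.signal": "Signal",
    "com.microsoft.skype.teams": "Microsoft Teams",
    "com.tinyspeck.chatlyio": "Slack",
}


def notification_settings(bundle_ids):
    """One NotificationSettings entry per app: notifications stay enabled and
    still appear on the lock screen / in Notification Center, but the preview
    (sender and message body) is never shown."""
    return [
        {
            "BundleIdentifier": bid,
            "NotificationsEnabled": True,
            "ShowInLockScreen": True,
            "ShowInNotificationCenter": True,
            "PreviewType": PREVIEW_NEVER,
        }
        for bid in bundle_ids
    ]


def build_profile(bundle_ids, org="Example Corp", ident="com.example.mdm"):
    """Return a .mobileconfig (XML plist) containing a single
    com.apple.notificationsettings payload. `org` and `ident` are placeholders."""
    payload = {
        "PayloadType": "com.apple.notificationsettings",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ident}.notifications",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Hide messaging previews",
        "NotificationSettings": notification_settings(bundle_ids),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ident}.notification-privacy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Messaging notification privacy",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def preview_types(profile_bytes):
    """Parse a profile (e.g. one exported from the MDM) and return
    {bundle_id: PreviewType} so the pushed policy can be checked."""
    data = plistlib.loads(profile_bytes)
    result = {}
    for payload in data.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.notificationsettings":
            for entry in payload.get("NotificationSettings", []):
                result[entry["BundleIdentifier"]] = entry.get("PreviewType")
    return result


if __name__ == "__main__":
    blob = build_profile(MESSAGING_APPS)
    with open("hide-previews.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(preview_types(blob))
```

Import the generated `.mobileconfig` into your MDM as a custom profile and confirm the result with `preview_types` on an exported copy. Hiding previews limits what the device displays; the durable fix for CVE-2026-28950 remains the OS update in the first item.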
Compliance Best Practices
- Review and strengthen Mobile Device Management (MDM) policies to enforce a minimum required OS version for all mobile devices accessing corporate resources, ensuring timely and automatic deployment of critical security updates.
- Incorporate modules into the annual security awareness training program that specifically address mobile device security hygiene, including the risks of displaying sensitive information in notifications and how to configure these settings securely.
- Establish a formal application vetting process that includes a security review of how any new application proposed for corporate use handles sensitive data, specifically its interaction with OS-level features like notifications, clipboard, and backups.
https://buaq.net/go-412218.html
https://buaq.net/go-412427.html
https://cyberinsider.com/apple-fixes-ios-privacy-flaw-that-allowed-signal-message-retrieval/
https://gbhackers.com/apple-patches-privacy-issue-exposing-signal-message-data/
https://isc.sans.edu/diary/rss/32922
https://socprime.com/blog/cve-2026-28950-detection/
https://thehackernews.com/2026/04/apple-patches-ios-flaw-that-stored.html
https://www.helpnetsecurity.com/2026/04/23/cve-2026-28950-iphone-vulnerability-notifications-signal/
https://www.hendryadrian.com/apple-patches-ios-flaw-allowing-recovery-of-deleted-chats/
https://www.infosecurity-magazine.com/news/apple-ios-notification-bug-deleted/
Bitwarden CLI Hijacked to Steal Your AWS, GitHub, and SSH Secrets
Bitwarden CLI version 2026.4.0, distributed via npm as `@bitwarden/cli`, was compromised through a hijacked GitHub Action in Bitwarden's CI/CD pipeline and turned into a developer-credential stealer. The malicious package, part of a broader supply-chain campaign, replaced the legitimate CLI entry point with a custom loader, `bw_setup.js`, which downloaded the Bun JavaScript runtime and then silently executed a heavily obfuscated payload, `bw1.js`. The payload aggressively harvested SSH keys, `.git-credentials`, `.npmrc` and `.env` files, shell history, AWS, GCP and Azure credentials, GitHub CLI tokens, and AI coding-assistant configuration files such as `~/.claude.json`. A notable aspect of the attack was the weaponization of stolen GitHub tokens to enumerate repositories, create new branches, commit malicious workflow files, execute them, and then delete the evidence. Stolen data was encrypted and exfiltrated to `audit.checkmarx.cx` or staged within the victim's own GitHub repositories. Anyone who installed `@bitwarden/cli` 2026.4.0 should immediately run `npm uninstall -g @bitwarden/cli` and `npm cache clean --force`, rotate all GitHub PATs, npm tokens, AWS access keys and GCP and Azure secrets, audit GitHub Actions workflows, block `audit.checkmarx.cx` and `94.154.172.43`, and review shell history and AI tooling configuration files for exposed secrets.
Severity: Critical
Threat Details and IOCs
| Malware: | ACR Stealer, AdaptixC2, Amatera, AMOS, Arkei, Atomic macOS Stealer, Atomic Stealer, BIGMACHO, BlackByte, bw1.js, CanisterSprawl, CanisterWorm, CHROMEPUSH, CipherForce, Clawdbot, DEEPBREATH, Donut, donut_injector, DonutLoader, Everbe 2.0, Everest, GhostSocks, hackerbot-claw, Havoc, Havoc C2, HEUR:Worm.Script.Shulud.gen, Kamikaze, kamikaze.sh, Kamikaze Wiper, LiteLLM-Stealer, macWebT, mcpAddon.js, Moltbot, Multiverze, NukeSped, OpenClaw, pgmon, plain-crypto-js, postmark-mcp, PureLogs, PureLog Stealer, RedLine, RedLine Stealer, RisePro, s1ngularity, SANDCLOCK, SANDWORM_MODE, Sha1-Hulud, SHA1-Hulud, Sha1-Hulud: The Second Coming, Shai-Hulud, Shai Hulud 2.0, Shai-Hulud 2.0, Shai-Hulud 3.0, Shai-Hulud V2, SILENCELIFT, SILKBELL, Skeleton Key, SUGARLOADER, TeamPCP cloud stealer, TeamPCP Cloud stealer, TeamPCP Cloud Stealer, TeamPCP stealer, Telnyx-WAV, Trojan.Skelky, Vect, Vect 2.0, Vect Ransomware, Vidar, WAVESHAPER, WAVESHAPER.V2, XMRig, XWorm, XWorm RAT, ZshBucket, ZshBucket RAT |
|---|---|
| CVEs: | CVE-2025-29927, CVE-2025-30066, CVE-2025-30154, CVE-2025-55182, CVE-2026-20093, CVE-2026-28353, CVE-2026-33017, CVE-2026-33634, CVE-2026-3502, CVE-2026-35616, CVE-2026-40175 |
| Technologies: | Alpine Linux, Amazon Elastic Container Registry (ECR), Amazon Web Services, Amazon Web Services (AWS), Amazon Web Services (AWS) CloudFormation, Anodot, Anthropic Claude, Anyscale Ray, Apache Kafka, Apple macOS, Aqua Security Trivy, Atomic Wallet, AWS CloudFormation, axios, Bitcoin Core, Bitwarden, Cardano, Checkmarx, Checkmarx AST, Checkmarx cx-dev-assist, Checkmarx KICS, Checkmarx Visual Studio Code Extension, Cisco, crypto-js, Databricks, Debian, DFINITY Internet Computer Protocol, Docker, Docker Hub, Dogecoin, Doppler, Eclipse Foundation Open VSX Registry, Ethereum, Exodus Wallet, Git, GitHub, GitHub Actions, GitHub Container Registry, GNU Bash, Google Chrome, Google Cloud Platform, Google Cloud Platform (GCP), HashiCorp Terraform, HashiCorp Vault, IBM Watson, Infisical, Kubernetes, Langflow, Linux, Litecoin, LiteLLM, MetaMask, Microsoft Azure AI, Microsoft Azure Key Vault, Microsoft Entra ID, Microsoft Visual Studio, Microsoft Windows, MongoDB Server, Node.js, npm, Okta Auth0, OpenAI, OpenAI ChatGPT Atlas, OpenAI Codex, OpenClaw, OpenClaw Clawdbot, OpenSSH, Open VSX Registry, Oracle Database, ownCloud, Phantom, PostgreSQL, Python, Python Package Index, Python PyPI, Python Software Foundation Python Package Index, React, Redis, Ripple, Salesforce, Snowflake, Solana, Tailscale, Telnyx, Telnyx Python SDK, Xorbits Xinference, Yarn, Zcash, Zsh |
| Threat Actors: | APT38, Bluenoroff, CageyChameleon, CipherForce, CryptoCore, DeadCatx3, DEV0537, FamousChollima, FatimionCyberTeam, Handala, Lapsus, LAPSUS$, Lazarus, LazarusGroup, MASAN, NICKELGLADSTONE, PCP, PCPcat, PersyPCP, SapphireSleet, ScatteredLAPSUSHunters, ScatteredSpider, ShellForce, ShinyHunters, StardustChollima, StrawberryTempest, TAG-160, TeamPCP, UNC1069, UNC6040, UNC6780, VoidDokkaebi |
| Attacker Countries: | Armenia, Brazil, France, Iran, North Korea, Russia, United Kingdom |
| Attacker IPs: | 103[.]75[.]11[.]59, 105[.]245[.]181[.]120, 138[.]199[.]15[.]172, 142[.]11[.]206[.]72, 142[.]11[.]206[.]73, 154[.]47[.]29[.]12, 163[.]245[.]223[.]12, 170[.]62[.]100[.]245, 185[.]77[.]218[.]4, 193[.]32[.]126[.]157, 195[.]5[.]171[.]242, 209[.]159[.]147[.]239, 209[.]34[.]235[.]18, 212[.]71[.]124[.]188, 23[.]142[.]184[.]129, 23[.]234[.]107[.]104, 23[.]254[.]167[.]216, 34[.]205[.]27[.]48, 44[.]252[.]85[.]168, 45[.]148[.]10[.]212, 46[.]151[.]182[.]203, 63[.]251[.]162[.]11, 67[.]217[.]57[.]240, 83[.]142[.]209[.]11, 83[.]142[.]209[.]203, 91[.]195[.]240[.]123, 94[.]154[.]172[.]43 |
| Attacker Emails: | axios-project@proton[.]me, helloworm00@proton[.]me, ifstap@proton[.]me, nrwise@proton[.]me, phan@giftshop[.]club, rauchg@gmail[.]com |
| Attacker Domains: | api[.]github[.]com, api-update[.]telnyx[.]me, aquasecurtiy[.]org, audit[.]checkmarx[.]cx, callnrwise[.]com, championships-peoples-point-cassette[.]trycloudflare[.]com, checkmarkx[.]zone, checkmarx[.]cx, checkmarx[.]zone, cjn37-uyaaa-aaaac-qgnva-cai[.]raw[.]icp0[.]io, create-sensitivity-grad-sequence[.]trycloudflare[.]com, drnatashachinn[.]com, ffxjhdp4aaucgrkh5jy5xb4f4lhwre7wqxteg27i24pfyb2uwlwxgoyd[.]onion, get[.]trivy[.]dev, giftshop[.]club, github[.]com, icp0[.]io, investigation-launches-hearings-copying[.]trycloudflare[.]com, litellm[.]cloud, mirror[.]gcr[.]io, models[.]litellm[.]cloud, nsa[.]cat, packages[.]npm[.]org, pbyi76s0e9[.]execute-api[.]us-east-1[.]amazonaws[.]com, plug-tab-protective-relay[.]trycloudflare[.]com, proton[.]me, registry[.]npmjs[.]org, scan[.]aquasecurtiy[.]org, sfrclak[.]com, souls-entire-defined-routes[.]trycloudflare[.]com, tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io, telemetry[.]api-monitor[.]com, telnyx-api[.]cloud, whereisitat[.]lucyatemysuperbox[.]space, zoom[.]uswe05[.]us |
| Attacker URLs: | audit[.]checkmarx[.]cx/v1/telemetry, championships-peoples-point-cassette[.]trycloudflare[.]com, checkmarkx[.]zone/raw, checkmarx[.]zone/raw, checkmarx[.]zone/vsx, cjn37-uyaaa-aaaac-qgnva-cai[.]raw[.]icp0[.]io/drop, create-sensitivity-grad-sequence[.]trycloudflare[.]com, hxxp[://]169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/, hxxp[://]44[.]252[.]85[.]168[:]666/files/kube.py, hxxp[://]45[.]148[.]10[.]212/api/v1/status, hxxp[://]45[.]148[.]10[.]212/content.html, hxxp[://]45[.]148[.]10[.]212/updates/check.php, hxxp[://]67[.]217[.]57[.]240[:]666/files/pcpcat.py, hxxp[://]67[.]217[.]57[.]240[:]666/files/proxy.sh, hxxp[://]83[.]142[.]209[.]203[:]8080/, hxxp[://]83[.]142[.]209[.]203[:]8080/hangup.wav, hxxp[://]83[.]142[.]209[.]203[:]8080/ringtone.wav, hxxps[://]api[.]github[.]com/search/commits?q=beautifulcastle+&sort=author-date&order=desc, hxxps[://]api[.]github[.]com/user, hxxps[://]checkmarx[.]zone, hxxps[://]checkmarx[.]zone/raw, hxxps[://]checkmarx[.]zone/vsx, hxxp[://]sfrclak[.]com[:]8000, hxxp[://]sfrclak[.]com[:]8000/, hxxp[://]sfrclak[.]com[:]8000/6202033, hxxps[://]github[.]com/leaked-claude-code/leaked-claude-code, hxxps[://]models[.]litellm[.]cloud/, hxxps[://]registry[.]npmjs[.]org/-/npm/v1/oidc/token/exchange/package/%40bitwarden%2Fcli, hxxps[://]scan[.]aquasecurtiy[.]org/static, hxxps[://]scan[.]aquasecurtiy[.]org/upload, hxxps[://]tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io/, hxxps[://]www[.]npmjs[.]com/package/axios/v/0.30.4, hxxp[:]//83.142.209.203:8080/, hxxps[:]//83.142.209.203:8080, hxxps[:]//83.142.209.203:8080/hangup.wav, hxxps[:]//83.142.209.203:8080/ringtone.wav, hxxps[:]//api.github.com/search/commits?q=beautifulcastle, hxxps[:]//api.github.com/search/commits?q=beautifulcastle%20&sort=author-date&order=desc, hxxps[:]//api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines&sort=author-date&order=desc&per_page=50, hxxps[:]//audit.checkmarx.cx/v1/telemetry, hxxps[:]//checkmarx.zone/raw, hxxp[:]//sfrclak.com:8000/6202033, hxxps[:]//github.com/oven-sh/bun/releases/download/bun-v1.3.13/.zip, hxxps[:]//models.litellm.cloud/, hxxps[:]//tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/, hxxps[:]//whereisitat.lucyatemysuperbox.space/, hxxrs[:]//checkmarx.zone/raw, hxxrs[:]//models.litellm.cloud/, investigation-launches-hearings-copying[.]trycloudflare[.]com, plug-tab-protective-relay[.]trycloudflare[.]com, sfrclak[.]com[:]8000, sfrclak[.]com[:]8000/6202033, souls-entire-defined-routes[.]trycloudflare[.]com, telemetry[.]api-monitor[.]com/v1/drop, telemetry[.]api-monitor[.]com/v1/telemetry |
| Attacker Hashes: | 0376b98064636c30f5fbe60fb3b1225516e23e88dd7e909937f81d9265292e7d, 03df1ecd86132e06643d24c856d8976d1b497945, 04e3073b3cd5c5bfcde6f575ecf6e8c1, 07d889e2dadce6f3910dcbc253317d28ca61c766, 0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349, 089e2872016f75a5223b5e02c184dfec, 0a8cf90379e91837f87a8b7cc0d529c2, 0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a, 0c6a3555c4eb49f240d7e0e3edbfbb3c900f123033b4f6e99ac3724b9b76278f, 0ca60dd18178d1c79d59cc06be12c540c121a4aea467484244667131aa13c311, 107be2081bdc3ddad2889ae037ab2ad6bbd214fb9a43eaa25390d00411d1c7dd, 1154c2bb1eaf49dba11c04145e8ea97569788eee, 12c702212dee1cbec9471e9261501a3335963321fe76e60e5a715b5acd3c40a2, 13ab317c5dcab9af2d1bdb22118b9f09f8a4038e, 167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad, 16c855c398a8b185a907790054b70164358844a893bf9965651b88d6967c7c0a, 1885610c6a34811c8296416ae69f568002ef11ec, 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a, 18af2b181388d1e142d5cb45300aff49, 18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb, 196b5e0e06424a02e360e28e08d7dcfab7ec8946af9477ca352c6cf6b7d4e9bd, 19851bef764b57ff95b35e66589f31949eeb229d, 1b8615b9732833b4dd0a3e82326982fa, 1c778f0df703f77c150b340127ff16f122ad9a41, 1dc871b02cd7a1fd80babb1b8762a2fd9cc2b735d4d3759d012626de3ccc7a5b, 1e559c51f19972e96fcc5a92d710732159cdae72f407864607a513b20729decb, 21d2470cae072cf2d027d473d168158c, 23b1ec58649170650110ecad96e5a9490d98146e105226a16d898fbe108139e5, 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9, 2553649f2322049666871cea80a5d0d6adc700ca, 27f446230c60bbf0b70e008db798bd4f33b7826f9f76f756606f5417100beef3, 284622577cf6a7c58704de60194205f765fcef432934c200b462ef0290aa5f57, 2d7cee41048988eec27615412e7c6e2e21046f2b5faa888c24e11ca6764058ed, 2dbedfba5f6bf5f69b471447e4161311, 2e3a4412a7a487b32c5715167c755d08, 30015dd1e2cf4dbd49fff9ddef2ad4622da2e60e5c0b6228595325532e948f14, 30767275ca828ec1c9d62baccbb0cdf1, 384add36b52014a0f99c0ab3a3d58bd47e53d00f, 385d498d18a3a7c67878ca7322716f9da25683eb1a4bf9e9592da0d5f2ab09f6, 386c0f18ac3d7f2ed33e2d884761119f4024ff8a, 3f88eca0a421a81595ee5669e6fd0816, 41c4f2f37c0b257d1e20fe167f2098da9d2e0a939b09ed3f63bc4fe010f8365c, 425cd3e1a2846ac73944e891250377d2b03653e6f028833e30fc00c1abbc6d33, 43f46547efd488e56dcf862ed4d7cc342730a803f8d5bec5cac443028fefabef, 451ce0c4deb620894d07a2f4a37c8ea3b7a4f9b6d111651b4ac3bcc737b0fac0, 4581ab19daebfd2e96962645e798b6fa, 4ac3e3b1f0d054a4ed682a1d6a53ddb3, 4b22cedea58780ff76735c3e08b9ee8cb5d06c908ffa868152f11d45349eb696, 4f7a06bb51714713ab308d2f8125f3b09ee1c3ffbba1a5ffd0cc80da95fbb6cc, 52518d441fd6dd25fa5126683a330592d3be80d5ce3fb9e0b1becb806ff4f857, 52f3311ceb5495796e9bed22302d79bc, 55047c55a5ceab6d80b13884b4a4e8cd27a0bab7a218a952a00aae9e05f16f80, 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668, 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f, 5aaa1d7cfa9ca4649d6ffad165435c519dc836fa6e21b729a2174ad10b057d2b, 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd, 5ce544a8db5d0b0953c966384858e4e8a017e7acba2f5f6d0ac8f529d59939d8, 5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956, 5e5fb53cf4ce5555171ff5206302ba2f4f66f5381bbf673c354c87a925473f07, 5fac89e66d70cadec5c0e30c0b0cf8bf38c145cbf06422d40d076985195e1dd6, 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101, 61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba, 62585efcdc7767f3fe0b9ae2897fe03bf331934492fd7a5da46f14fd7bf705c8, 6328a34b26a63423b555a61f89a6a0525a534e9c88584c815d937910f1ddd538, 692238a56e1941b1d92df3d8dfd513eb, 6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a, 6d8d730153d6151e03549f276faca0275ed9c7b2, 70379aad1a8b40919ce8b382d3cd7d0315cde1d0, 7290353a3bc2b18e9ea574d3294b09e28edaa6b038285bb101cf09760f187dcd, 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9, 7658962ae060a222c0058cd4e979bfa1, 7a4b6f31edb8db48cc22a1d41e298b38c4a6417e, 7a9ddef00f69477b96252ca234fcbeeb, 7b5cc85e82249b0c452c66563edca498ce9d0c70badef04ab2c52acef4d629ca, 7cac57b2d328bd814009772dd1eda429, 7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7, 7e521bb895d7329b7fb2b2a8736f4b19, 822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0, 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812, 8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2, 84edce66f09c55bbb44754411bde4b092288d172734df62fac20d6f794b3a2ec, 85cb72f1e8ee5e6e44488cd6cbdbca94722f96ed, 85ed77a21b88cae721f369fa6b7bbba3, 8605e365edf11160aad517c7d79a3b26b62290e5072ef97b102a01ddbb343f14, 87259b0d1d017ad8b8daa7c177c2d9f0940e457f8dd1ab3abab3681e433ca88e, 887e1f5b5b50162a60bd03b66269e0ae545d0aef0583c1c5b00972152ad7e073, 8afa9b9f9183b4e00c46e2b82d34047e3c177bd0, 8f0c7b92b251c61cbca2add06c676dd21fde8fbb2d0cd6616383fae29b21756a, 90d61cf37355b89fae9ff84867100e1721c1876007ef1771e465ce5a721141ad, 91e7c2c36dcad14149d8e455b960af62a2ffb275, 9280d7dadb8e9268d8d8692a391d3bb77f24a8480c66f07b3aace6beca2d9ebb, 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a, 95ff680103570179feb0c6667a9b9b2d98c53fa5a9a451265036810390bbe70a, 9663665850cdd8fe12e30a671e5c4e6f, 98021dca558b69e93a20d912200f1782, 99b93c070aac11b52dfc3e41a55cbb24a331ae75, 9a833d68a49ec6d44bc50fb9ff3b184bafb0edc913e1293daebe51d334676a70, 9efd59534d2b6b81b8b7a0eeb3ad0e74015f358650e24b9dab00c900d3118593, a0d6118b15ff55fd2dc63b72fbc54108, a5696321a6c93071f46c8bb8cbd0a8d2bce6d1860cc3c109247a4e8b64ebd317, a585277a67a176fe098edf90986670653a5039e03e4028d18dd0b607ed287caa, a9235c0eb74a8e92e5a0150e055ee9dcdc6252a07785b6677a9ca831157833a5, ab3441f16434b948a1bc653c2822e114, ab4c4aebb52027bf3d2f6b2dcef593a1a2cff415774ea4711f7d6e0aa1451d4e, ab6606b76e5a054be08cab3d07da323e90e751e8, ad623e14ebdfe82b9627811d57b9a39e283d6128, ad8ba560ae5c4af4758bc68cc6dcf43bae0e0bbf9da680a8dc60a9ef78e22ff7, ae3494bd6ae860d7727116681bd09fc7b20dc994ec7a8105738f0a623ea93427, af6b28b9565fe1022ab904151393fd62, af915698efd4542a58fe0b293f4a9e40, b676c0703f8e4d6a198aa370ca4f5405, b72c2be9651ede5f337926c6b5830624, ba04ba6a0c028cde17599c8ddaefdb854055c5a23c595e06630732002ea59a76, bbbca2ddaa5d8feaa63e36b76fdaad77386f024f, bef7e2c5a92c4fa4af17791efc1e46311c0f304796f1172fce192f5efc40f5d7, c19c4574d09e60636425f9555d3b63e8cb5c9d63ceb1c982c35e5a310c97a839, c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926, c48ead53448a9c62ccd1dd62e2111011, c5b16c42dbd2a1494141cd651a406ec9094d5031a421c0aa624c4d139ae81239, c5df9d1bc6275711b2884a9ed4aacfe4e10dbe3c8f6c79df59126fd0e6dcd83f, cc464a3961e1dbe145c75343b55c2f446e08b821782ec993728c4222b0d85589, ccd59fd564a4780c3186ef43d0d02723, cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3, cde4951bee7e28ac8a29d33d34a41ae5, cff74e3e9ac0cda2078d31800d8fcad832d7b52c9920b085054d1e96dacff8a3, d2210feb0438c0ce89b5579ef75ae4d4, d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb, d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c, d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71, d761a6a7ae9f2254bd81ac234033a8b8, d8caf4581c9f0000c7568d78fb7d2e595ab36134e2346297d78615942cbbd727, db7f4c82c732e8b107492cae419740ab, dd8beb3b40df080b3fd7f9a0f5a1b02f3692f65c68980f46da8328ce8bb788ef, ddb94181dcbc723d96ffc07fddd14d97e4849016, ddb9da4475c1cef7d5389062bdfdfbdbd1394648, de0fac2e4500dabe0009e67214ff5f5447ce83dd, e0198fd2b6e1679e36d32933941182d9afa82f6f, e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09, e401ae1e6d2442fa9a0c79dc0f3b0457ecfebf74a9c0a920159c49437f663aef, e4edd126e139493d2721d50c3a8c49d3a23ad7766d0b90bc45979ba675f35fea, e4f074172ffde75287346d207debee39, e56bafda15a624b60ac967111d227bf8, e6310d8a003d7ac101a6b1cd39ff6c6a88ee454b767c1bdce143e04bc1113243, e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf, e87a55d3ba1c47e84207678b88cacb631a32d0cb3798610e7ef2d15307303c49, e8ad669f9a29983f7252ebbd40e4c4aa, e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b, ecce2568792b0fd029a8f3b056468125, ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c, ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c, edef8e5816eced552a909b878ff262c0c47776d3297bcc23796ad4cce1e85414, f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152, f4436225d8a5fd1715d3c2290d8a50643e726031, f4f1785be270ae13f36f6a8cfbf6faaae50e660a, f5560871f6002982a6a2cc0b3ee739f7, f66c1ea3b25ec95d0c6a07be92c761551e543a7b256f9c78a2ff781c77df7093, f7084b0229dce605ccc5506b14acd4d954a496da4b6134a294844ca8d601970d, f77738448eec70113cf711656914b61905b3bd47, f7a9bbfec8add36c548add4d875848b8b57c21fabe236d115f1c49113d12b332, f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd, fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf, ff65f5d264b36a8eb3a6e8037d29fdcb |
| Victim Industries: | Aerospace, Artificial Intelligence, Automotive, Biotechnology, Business Process Outsourcing, Business Services, Cloud Infrastructure, Consulting Services, Cryptocurrency, Defense, E-commerce, Education, Financials, Financial Services, Gaming, Government, Healthcare, Health Care Technology, Human Resources, Industrials, Industrial Sector, Information Security, Information Technology, Insurance, Legal and Professional Services, Legal Services, Logistics, Manufacturing, Media and Entertainment, Medical Equipment Manufacturing, Multimedia, Oil & Gas, Online Gambling, Pharmaceuticals, Professional Services, Public Administration, Public Sector, Recruitment, Retail, Social Media, Software, Sporting Goods, Sports and Entertainment, Supply Chain, Technology Hardware, Telecommunications, Transportation, Universities, Utilities, Venture Capital |
| Victim Countries: | Australia, Austria, Belgium, Bulgaria, Canada, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Iran, Ireland, Israel, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, North Korea, Poland, Portugal, Romania, Singapore, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Uganda, United Arab Emirates, United Kingdom, United States |
Mitigation Advice
- Scan all developer workstations and CI/CD environments for the npm package `@bitwarden/cli`. If version `2026.4.0` is found, immediately run `npm uninstall -g @bitwarden/cli` and `npm cache clean --force` to remove it.
- Add `audit.checkmarx.cx` and `94.154.172.43` to the network firewall and DNS sinkhole blocklists to prevent communication with the attacker's command and control infrastructure.
- Force the rotation of all GitHub Personal Access Tokens (PATs) on any machine where the malicious package was or could have been installed.
- On all potentially affected systems, identify and immediately rotate all AWS IAM user access keys.
- On all potentially affected systems, identify and immediately rotate all Google Cloud Platform (GCP) service account keys and other secrets.
- On all potentially affected systems, identify and immediately rotate all Azure service principal credentials and other secrets.
- Initiate a rotation of all SSH keys stored on developer workstations that may have been compromised by the malicious package.
- Conduct an immediate audit of GitHub repositories and Actions logs for any unauthorized commits, branches, or workflow executions originating from potentially compromised developer accounts.
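The first, second and last items above are easier to run fleet-wide as a script than by hand. The Python below is an example added here, not tooling from Bitwarden, npm or any of the cited write-ups: it checks `npm ls [-g] --json` output and a `package-lock.json` (lockfileVersion 2/3) for the compromised version, flags the loader file names named in the write-up inside a collected file listing, and greps shell history or proxy/DNS logs for the exfiltration host and IP. It goes slightly beyond the advisory by also walking nested dependencies, so a transitive copy of the CLI is not missed. The compromised version, file names, host and IP come from the report; the sample inputs, the `build/` path and the other package names are constructed for illustration.

```python
"""Triage helpers for the @bitwarden/cli 2026.4.0 compromise.
Added example, not Bitwarden's, npm's or any vendor's tooling.
IOC values are taken from the report; all sample inputs below are constructed."""
import json
import re

COMPROMISED = {"@bitwarden/cli": {"2026.4.0"}}      # package -> bad versions
LOADER_FILES = {"bw_setup.js", "bw1.js"}             # loader and payload names
IOC_HOSTS = {"audit.checkmarx.cx", "94.154.172.43"}  # exfil host and IP
IOC_RE = re.compile("|".join(re.escape(h) for h in sorted(IOC_HOSTS)))


def walk_npm_ls(node, path=()):
    """Yield (name, version, path) for every package in `npm ls [-g] --json`
    output, recursing into nested 'dependencies' so transitive installs count."""
    for name, child in (node.get("dependencies") or {}).items():
        here = path + (name,)
        yield name, child.get("version"), here
        yield from walk_npm_ls(child, here)


def compromised_in_npm_ls(npm_ls_json):
    """Return 'parent>child@version' strings for every compromised install."""
    tree = json.loads(npm_ls_json)
    return sorted(
        ">".join(path) + "@" + version
        for name, version, path in walk_npm_ls(tree)
        if version in COMPROMISED.get(name, ())
    )


def compromised_in_lockfile(lock_json):
    """Check a lockfileVersion 2/3 package-lock.json, whose 'packages' map is
    keyed by node_modules path (the package name is the last path component)."""
    lock = json.loads(lock_json)
    hits = []
    for path, meta in (lock.get("packages") or {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.append(f"{path}@{meta['version']}")
    return sorted(hits)


def suspicious_files(paths):
    """From file paths gathered over node_modules trees (e.g. via os.walk),
    return those whose basename matches a known loader/payload name."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in LOADER_FILES)


def ioc_hits(lines):
    """(line number, line) for lines mentioning the exfil host or IP; run it
    over ~/.bash_history, ~/.zsh_history, proxy logs or DNS query logs."""
    return [(n, line) for n, line in enumerate(lines, 1) if IOC_RE.search(line)]


# Constructed sample data shaped like real tool output; not actual captures.
SAMPLE_NPM_LS = json.dumps({
    "name": "global", "dependencies": {
        "@bitwarden/cli": {"version": "2026.4.0"},
        "internal-release-tool": {"version": "1.2.0", "dependencies": {
            "@bitwarden/cli": {"version": "2026.3.0"}}},
    }})
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3, "packages": {
        "": {"name": "tooling"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/prettier": {"version": "3.3.3"},
    }})
SAMPLE_FILES = [
    "node_modules/@bitwarden/cli/build/bw.js",
    "node_modules/@bitwarden/cli/build/bw_setup.js",
    "node_modules/@bitwarden/cli/build/bw1.js",
]
SAMPLE_HISTORY = [
    "npm install -g @bitwarden/cli",
    "curl -s https://audit.checkmarx.cx/v1/telemetry",
    "git status",
]

if __name__ == "__main__":
    print("npm ls hits:   ", compromised_in_npm_ls(SAMPLE_NPM_LS))
    print("lockfile hits: ", compromised_in_lockfile(SAMPLE_LOCK))
    print("loader files:  ", suspicious_files(SAMPLE_FILES))
    print("IOC lines:     ", ioc_hits(SAMPLE_HISTORY))
```

Feed `compromised_in_npm_ls` the captured output of `npm ls -g --json` and `npm ls --json` from each project, and `compromised_in_lockfile` every committed lockfile; a hit in either means the host's SSH keys, cloud credentials and tokens listed above should be treated as stolen and rotated, not merely the package removed.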
Compliance Best Practices
- Implement a private artifact repository (e.g., JFrog Artifactory, Sonatype Nexus) to proxy, vet, and cache approved versions of third-party software packages used in development.
- Enforce mandatory peer review for all changes to CI/CD workflow configuration files (e.g., via GitHub's CODEOWNERS) to prevent unauthorized modifications.
- Phase out the use of static IAM user access keys for developers and migrate to a system that provides short-lived credentials, such as AWS IAM Identity Center (SSO).
- Deploy and mandate the use of a centralized secrets management tool (e.g., HashiCorp Vault, AWS Secrets Manager, Bitwarden) to inject secrets into applications and developer environments at runtime.
- Configure and tune Endpoint Detection and Response (EDR) policies to generate high-priority alerts for suspicious process activity, such as a package manager downloading and executing a new binary for the first time.
- Implement a network egress filtering strategy for developer workstations and CI/CD environments that denies outbound traffic by default and only allows connections to explicitly approved domains and IP addresses.
https://about.gitlab.com/blog/pipeline-security-lessons-from-march-supply-chain-incidents/
https://buaq.net/go-406390.html
https://buaq.net/go-406409.html
https://buaq.net/go-406755.html
https://buaq.net/go-406824.html
https://buaq.net/go-406870.html
https://buaq.net/go-406925.html
https://buaq.net/go-407432.html
https://buaq.net/go-407462.html
https://buaq.net/go-407711.html
https://buaq.net/go-408167.html
https://buaq.net/go-412150.html
https://buaq.net/go-412245.html
https://checkmarx.com/blog/checkmarx-security-update-april-22/
https://cyberinsider.com/axios-supply-chain-attack-hits-library-with-400m-monthly-downloads/
https://cyberinsider.com/bitwarden-cli-backdoored-in-checkmarx-supply-chain-attack/
https://cyberinsider.com/eu-commission-says-teampcp-data-breach-impacted-29-union-entities/
https://cyberpress.org/canisterworm-hits-containers/
https://cyberpress.org/checkmarx-kics-compromised-to-inject-malicious-code/
https://cyberpress.org/malicious-pypi-sdk-targets/
https://cyberpress.org/namastex-packages-drop-canisterworm/
https://dailydarkweb.net/axios-npm-package-compromised-in-supply-chain-attack/
https://dataconomy.com/2026/04/13/openai-confirms-limited-exposure-tied-to-axios-npm-breach/
https://gbhackers.com/axios-npm-packages-breached/
https://gbhackers.com/canisterworm-targets-docker/
https://gbhackers.com/checkmarx-kics-docker-repo-hijacked/
https://gbhackers.com/namastex-npm-packages/
https://gbhackers.com/pypi-telnyx-python-sdk/
https://gbhackers.com/xinference-pypi-breach-exposes-developers/
https://hackread.com/ai-firm-mercor-breach-hackers-4tb-data/
https://hackread.com/teampcp-fake-ringtone-file-tainted-telnyx-sdk-credentials/
https://isc.sans.edu/diary/32846
https://isc.sans.edu/diary/32880
https://isc.sans.edu/diary/rss/32856
https://isc.sans.edu/diary/rss/32864
https://jfrog.com/blog/supply-chain-attackers-are-coming-for-your-agents/
https://orca.security/resources/blog/checkmarx-supply-chain-compromise-ci-cd-secrets/
https://securityboulevard.com/2026/04/supply-chain-attacks-surge-in-march-2026/
https://socradar.io/blog/trivy-cisco-breach-shinyhunters/
https://solcyber.com/return-of-the-worm-teampcp-versus-the-supply-chain/
https://sploitus.com/exploit?id=2C2E9B76-EF2D-55A5-80B8-30E2501BC821
https://thecyberexpress.com/axios-npm-supply-chain-attack-escalating/
https://thecyberexpress.com/axios-supply-chain-attack-npm-malware/
https://thecyberexpress.com/european-commission-cloud-breach/
https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html
https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html
https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html
https://thehackernews.com/2026/04/openai-revokes-macos-app-certificate.html
https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html
https://theravenfile.com/2026/04/02/inside-teampcps-shell-arsenal/
https://tracebit.com/blog/detecting-cicd-supply-chain-attacks-with-canary-credentials
https://vaultproof.dev/blog/trivy-supply-chain-attack
https://www.catonetworks.com/blog/teampcp-supply-chain-attack/
https://www.cyberkendra.com/2026/04/bitwarden-cli-hijacked-to-steal-your.html
https://www.cyberkendra.com/2026/04/hackers-poisoned-official-checkmarx.html
https://www.darkreading.com/cloud-security/teampcp-breaches-cloud-saas-instances-stolen-credentials
https://www.darkreading.com/threat-intelligence/teampcp-attacks-hacker-infighting
https://www.helpnetsecurity.com/2026/03/30/teampcp-supply-chain-attacks-ransomware/
https://www.helpnetsecurity.com/2026/03/31/axios-npm-backdoored-supply-chain-attack/
https://www.helpnetsecurity.com/2026/04/02/supply-chain-hacks-data-theft/
https://www.helpnetsecurity.com/2026/04/03/european-commission-cloud-breach/
https://www.hendryadrian.com/axios-npm-package-supply-chain-compromise-leads-to-rat-deployment/
https://www.hendryadrian.com/bitwarden-cli-npm-package-compromised-to-steal-developer-credentials/
https://www.hendryadrian.com/dark-web-profile-teampcp/
https://www.hendryadrian.com/examining-the-blast-radius-from-the-axios-npm-supply-chain-compromise/
https://www.hendryadrian.com/how-we-caught-the-axios-supply-chain-attack/
https://www.hendryadrian.com/namastex-ai-npm-packages-hit-with-teampcp-style-canisterworm-malware/
https://www.hendryadrian.com/new-npm-supply-chain-attack-self-spreads-to-steal-auth-tokens/
https://www.hendryadrian.com/openai-impacted-by-north-korea-linked-axios-supply-chain-hack/
https://www.hendryadrian.com/sportradar-bet365-and-fiba-data-exposed-in-vect-ransomware-breach/
https://www.hendryadrian.com/the-case-for-dependency-cooldowns-in-a-post-axios-world/
https://www.infosecurity-magazine.com/news/teampcp-exploit-stolen-supply/
https://www.kaspersky.com/blog/why-hackers-target-developers/55630/
https://www.mend.io/blog/malicious-xinference-pypi-teampcp-part-4/
https://www.recordedfuture.com/blog/your-supply-chain-breach-is-someone-else-payday
https://www.scworld.com/brief/aws-environments-subjected-to-teampcp-targeting
https://www.scworld.com/brief/trivy-supply-chain-intrusion-reportedly-compromises-cisco-source-code
https://www.securityweek.com/mercor-hit-by-litellm-supply-chain-attack/
https://www.securityweek.com/teampcp-moves-from-oss-to-aws-environments/
https://www.securityweek.com/telnyx-targeted-in-growing-teampcp-supply-chain-attack/
https://www.techrepublic.com/article/news-meta-pauses-work-with-mercor-after-data-breach/
https://www.theregister.com/2026/03/30/telnyx_pypi_supply_chain_attack_litellm/
https://www.theregister.com/2026/04/02/mercor_supply_chain_attack/
https://www.theregister.com/2026/04/11/trivy_axios_supply_chain_attacks/
https://www.theregister.com/2026/04/22/another_npm_supply_chain_attack/
https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html
https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack
https://www.wiz.io/blog/tracking-teampcp-investigating-post-compromise-attacks-seen-in-the-wild
CISA Warns of FIRESTARTER Malware Targeting Cisco ASA Including Firepower and Secure Firewall Products
CISA has released a malware analysis report on FIRESTARTER, a backdoor that gives attackers remote access to and control of Cisco Firepower and Secure Firewall appliances running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. An advanced persistent threat (APT) actor exploited CVE-2025-20333 and CVE-2025-20362 in ASA and FTD software to gain initial access and deploy FIRESTARTER, which persists on a device even after the software is patched. In response, CISA updated Emergency Directive 25-03, requiring Federal Civilian Executive Branch (FCEB) agencies to identify affected devices, collect forensic data, and apply the new vendor-provided updates. Organizations running these Cisco products should review the FIRESTARTER report, check their devices for signs of compromise, implement the mitigations, and report any findings to CISA.
Severity: Critical
Threat Details and IOCs
| Malware: | FIRESTARTER, LINE VIPER, RayInitiator |
|---|---|
| CVEs: | CVE-2025-20333, CVE-2025-20362 |
| Technologies: | Cisco Adaptive Security Appliance, Cisco Firepower Threat Defense |
| Threat Actors: | Storm-1849, UAT4356 |
| Attacker Countries: | China |
| Victim Industries: | Cloud Infrastructure, Government, Telecommunications |
| Victim Countries: | United Kingdom, United States |
Mitigation Advice
- Create and verify an inventory of all Cisco Firepower, Secure Firewall, ASA, and FTD devices on the network.
- Apply vendor-supplied patches to all identified Cisco devices to remediate CVE-2025-20333 and CVE-2025-20362.
- Hunt for indicators of compromise (IOCs) associated with FIRESTARTER malware on all Cisco ASA and FTD devices by reviewing logs and system files for anomalies as described in the CISA malware analysis report.
- For any Cisco device confirmed to be compromised with FIRESTARTER, isolate the device from the network, collect forensic data, and reimage it using a verified, clean firmware version before restoring a sanitized configuration.
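The inventory and patch steps above are easier to run at scale with a small script. The following is an added example, not from CISA, Cisco or the original report, that parses the version banner from ASA `show version` output and compares it with a fixed-release table. The hostnames, the captured outputs and the values in `FIXED_RELEASES` are constructed placeholders; the real fixed releases for the two CVEs must be taken from Cisco's advisory before this is used.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# ASA "show version" prints a line such as
#   Cisco Adaptive Security Appliance Software Version 9.16(4)85
# The interim number after the parenthesis may be absent (e.g. 9.12(4)).
ASA_VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)"
)

# ILLUSTRATIVE fixed-release table keyed by train ("major.minor"). These are
# placeholder values, not taken from the Cisco advisory for CVE-2025-20333 /
# CVE-2025-20362; replace them with the vendor's fixed-release table.
FIXED_RELEASES: Dict[str, Version] = {
    "9.16": (9, 16, 4, 85),
    "9.18": (9, 18, 4, 67),
    "9.20": (9, 20, 4, 10),
}


def parse_asa_version(show_version: str) -> Optional[Version]:
    """Extract (major, minor, maintenance, interim) from ASA show version text."""
    m = ASA_VERSION_RE.search(show_version)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def fmt(v: Version) -> str:
    return f"{v[0]}.{v[1]}({v[2]}){v[3] or ''}"


def triage(inventory: Dict[str, str],
           fixed: Dict[str, Version] = FIXED_RELEASES) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (status, detail); status is one of
    'patched', 'needs_patch', 'unknown_train', 'unparsed'."""
    out: Dict[str, Tuple[str, str]] = {}
    for host, text in inventory.items():
        v = parse_asa_version(text)
        if v is None:
            out[host] = ("unparsed",
                         "no ASA version banner; FTD prints a different banner, collect by hand")
            continue
        train = f"{v[0]}.{v[1]}"
        fixed_v = fixed.get(train)
        if fixed_v is None:
            out[host] = ("unknown_train",
                         f"{fmt(v)}: train {train} not in fixed table, check the advisory (may need migration)")
        elif v >= fixed_v:
            # Patched is not the same as clean: FIRESTARTER survives patching.
            out[host] = ("patched", f"{fmt(v)} >= {fmt(fixed_v)}; still run the compromise assessment")
        else:
            out[host] = ("needs_patch", f"{fmt(v)} < {fmt(fixed_v)}")
    return out


# Constructed sample inventory: hostnames and captured outputs are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "asa-edge-1": "Cisco Adaptive Security Appliance Software Version 9.16(4)85\nDevice Manager Version 7.16(1)",
    "asa-edge-2": "Cisco Adaptive Security Appliance Software Version 9.16(4)70\nDevice Manager Version 7.16(1)",
    "asa-dc-1": "Cisco Adaptive Security Appliance Software Version 9.12(4)\n",
    "ftd-branch-1": "Model : Cisco Firepower Threat Defense for VMware\nVersion 7.2.5",
}

if __name__ == "__main__":
    for host, (status, detail) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status:13} {detail}")
```

A device reported as `patched` is not cleared: the report states that FIRESTARTER persists across patching, so every device that was exposed still needs the compromise assessment and, if positive, the isolate-and-reimage step above. FTD appliances print a different banner and need their own parser or manual collection.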
Compliance Best Practices
- Establish a formal vulnerability management program for network infrastructure that defines specific timelines for patching critical devices based on CVSS scores and threat intelligence.
- Implement enhanced logging and network flow monitoring for traffic to and from the management interfaces of all network security appliances and establish alerts for anomalous connections.
- Develop and implement a network segmentation strategy to create security zones that restrict communication between critical servers and user workstations, limiting lateral movement from a compromised network device.
- Institute a quarterly review process to audit and harden the configurations of all internet-facing network appliances, ensuring that unused services are disabled and administrative access is restricted to a secure management network.
Critical Spring Authorization Server Issue Exposes Systems to XSS and SSRF Attacks
A critical vulnerability, tracked as CVE-2026-22752, has been disclosed in Spring Authorization Server (part of the Spring Security project), affecting organizations that expose its Dynamic Client Registration endpoint. The flaw arises from insufficient validation of client metadata when Dynamic Client Registration is explicitly enabled (it is off by default): an attacker holding a valid Initial Access Token can register a malicious OAuth client whose crafted metadata is later trusted by the server. Exploitation can lead to Stored Cross-Site Scripting (XSS), privilege escalation, and Server-Side Request Forgery (SSRF). The vulnerability is network-exploitable, requires low privileges and no user interaction, and carries the CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N. Affected versions are Spring Security 7.0.0 through 7.0.4, and Spring Authorization Server 1.3.0 through 1.3.10, 1.4.0 through 1.4.9, and 1.5.0 through 1.5.6. Immediate upgrades to Spring Security 7.0.5 or Spring Authorization Server 1.3.11, 1.4.10, or 1.5.7 are strongly advised; disabling the Dynamic Client Registration endpoint is a temporary mitigation where patching is not immediately feasible. Because an Authorization Server is central to application authentication, its compromise can result in organization-wide account takeover, lateral movement, and sensitive data exfiltration, making this vulnerability particularly dangerous for cloud-native and microservice environments.
Severity: Critical
Threat Details and IOCs
| Malware: | Auraboros RAT, CanisterWorm, DinDoor, Lotus Wiper, Shai-Hulud |
|---|---|
| CVEs: | CVE-2026-22752 |
| Technologies: | Spring Security, Spring Security OAuth |
| Victim Industries: | Healthcare |
| Victim Countries: | France |
Mitigation Advice
- Use asset inventory and dependency analysis tools to identify all applications using vulnerable versions of Spring Security (7.0.0 – 7.0.4) and Spring Authorization Server (1.3.0 – 1.3.10, 1.4.0 – 1.4.9, 1.5.0 – 1.5.6).
- Upgrade all identified instances of Spring Security 7.0.x to version 7.0.5 or later.
- Upgrade all identified instances of Spring Authorization Server to the appropriate patched version: 1.3.x to 1.3.11, 1.4.x to 1.4.10, or 1.5.x to 1.5.7.
- For any vulnerable Spring Authorization Server instance that cannot be patched immediately, disable the Dynamic Client Registration feature.
- Review application and server logs for all Spring Authorization Servers, looking for unusual or suspicious client metadata in dynamic client registration requests, especially those created after the vulnerability disclosure.
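The root of the flaw is that metadata supplied by the registering client was trusted. The following is an added example, not Spring's code and not a description of how the fix in 1.3.11/1.4.10/1.5.7 is implemented, of a screening layer an operator who cannot yet upgrade could place in front of the registration endpoint, or run over logged registration requests as the last mitigation step suggests. It assumes the RFC 7591 metadata field names and, since the page does not say which field the vulnerable versions mishandled, screens every text field for markup and every URI field for non-HTTPS schemes, fragments, wildcards and non-global hosts. The two registrations at the bottom are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Union
from urllib.parse import urlsplit

# Characters that let a client_name break out of an HTML attribute or element
# when it is rendered on a consent or login page.
MARKUP_RE = re.compile(r"[<>\"'`]")
ACTIVE_SCHEME_RE = re.compile(r"(?i)\b(?:javascript|data|vbscript)\s*:")

# RFC 7591 fields. Which one the vulnerable versions failed to validate is not
# stated on the page, so all of them are screened (assumption).
TEXT_FIELDS = ("client_name", "software_id", "software_version")
URI_FIELDS = ("redirect_uris", "logo_uri", "client_uri", "policy_uri", "tos_uri", "jwks_uri")

Metadata = Dict[str, Union[str, List[str]]]


def _internal_host(host: str) -> bool:
    """Loopback, RFC 1918, link-local (incl. 169.254.169.254), reserved, or local-only names."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        h = host.lower()
        return h == "localhost" or h.endswith(".localhost") or h.endswith(".internal")


def _check_uri(field: str, uri: str) -> List[str]:
    issues: List[str] = []
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":
        # javascript:, data:, http: and scheme-less values all stop here.
        issues.append(f"{field}: scheme {parts.scheme or '(none)'!r} rejected in {uri!r}")
        return issues
    host = parts.hostname or ""
    if not host:
        issues.append(f"{field}: no host in {uri!r}")
    elif _internal_host(host):
        # The server fetches jwks_uri/logo_uri itself; an internal host is the SSRF primitive.
        issues.append(f"{field}: internal or non-global host {host!r} in {uri!r}")
    if field == "redirect_uris" and (parts.fragment or "*" in uri):
        issues.append(f"{field}: fragment or wildcard not allowed in {uri!r}")  # RFC 6749 3.1.2
    if MARKUP_RE.search(uri):
        issues.append(f"{field}: markup characters in {uri!r}")
    return issues


def validate_client_metadata(meta: Metadata) -> List[str]:
    """Return a list of problems; an empty list means the registration passes screening."""
    problems: List[str] = []
    for f in TEXT_FIELDS:
        v = meta.get(f)
        if v is not None and (MARKUP_RE.search(str(v)) or ACTIVE_SCHEME_RE.search(str(v))):
            problems.append(f"{f}: markup or active content in {v!r}")
    for f in URI_FIELDS:
        v = meta.get(f)
        if v is None:
            continue
        for uri in ([v] if isinstance(v, str) else v):
            problems.extend(_check_uri(f, uri))
    return problems


# Constructed registrations (hostnames are made up).
GOOD_REGISTRATION: Metadata = {
    "client_name": "Payroll Portal",
    "redirect_uris": ["https://payroll.example.com/login/oauth2/code/sas"],
    "logo_uri": "https://cdn.example.com/payroll.png",
    "jwks_uri": "https://payroll.example.com/.well-known/jwks.json",
}
BAD_REGISTRATION: Metadata = {
    "client_name": "Payroll <script>alert(document.cookie)</script>",
    "redirect_uris": ["https://attacker.example/cb#frag"],
    "logo_uri": "javascript:alert(1)",
    "jwks_uri": "https://10.0.0.5:8080/jwks.json",
    "client_uri": "http://169.254.169.254/latest/meta-data/",
}

if __name__ == "__main__":
    for name, reg in (("good", GOOD_REGISTRATION), ("bad", BAD_REGISTRATION)):
        print(name, validate_client_metadata(reg) or "ok")
```

Two caveats. Checking the host string at registration time does not stop DNS rebinding, so whatever later fetches `jwks_uri` or `logo_uri` must resolve the name and re-check the address at fetch time, with the default-deny egress policy from the best practices below as the backstop. And this is a screening layer only; it does not replace the upgrade.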
Compliance Best Practices
- Implement and maintain a comprehensive software asset inventory, including a Software Bill of Materials (SBOM) for all developed and third-party applications, to accelerate future vulnerability identification and response.
- Establish a security baseline for application configurations that disables all non-essential features and endpoints by default and regularly audit applications against this baseline.
- Implement default-deny egress filtering policies on application servers to restrict outbound network connections to only explicitly approved destinations, mitigating the impact of potential SSRF vulnerabilities.
- Deploy and configure a Web Application Firewall (WAF) with rules to inspect, detect, and block malicious payloads in client metadata, such as those used in XSS and other injection attacks.
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
The UNC6692 threat group executed a multistage intrusion campaign combining persistent social engineering, a custom modular malware suite, and skilled internal pivoting to reach deep into victim networks. The attack began with a large email campaign followed by a Microsoft Teams phishing message in which the attackers impersonated IT helpdesk personnel to trick victims into downloading a renamed AutoHotkey binary and script from an AWS S3 bucket. This initial compromise led to the installation of SNOWBELT, a malicious Chromium browser extension that established persistence via the Windows Startup folder and scheduled tasks and acted as the primary command-and-control (C2) relay. SNOWGLAZE, a Python-based tunneler, then created secure WebSocket tunnels to a Heroku subdomain for SOCKS proxy operations, while SNOWBASIN, a Python bindshell, provided remote command execution, screenshot capture, and data staging on infected systems. After initial access, UNC6692 performed internal reconnaissance, moved laterally with PsExec and RDP, dumped LSASS process memory to harvest credentials and escalate privileges, and exfiltrated sensitive data via LimeWire, including the Active Directory database (NTDS.dit), the SAM, SYSTEM and SECURITY registry hives, and screen captures. The campaign illustrates the abuse of legitimate cloud services for payload delivery, C2 and exfiltration, which complicates detection because the malicious traffic blends into high volumes of encrypted traffic to reputable cloud providers.
Severity: Critical
Threat Details and IOCs
| Malware: | MS Heartbeat, PhantomBackdoor, SNOWBASIN, SNOWBELT, SNOWGLAZE, System Heartbeat |
|---|---|
| Technologies: | Amazon S3, AutoHotkey, Google Chrome, Microsoft PowerShell, Microsoft Teams, Microsoft Windows, Microsoft Windows Active Directory, Microsoft Windows Server, Python |
| Threat Actors: | BlackBasta, UNC6692 |
| Attacker Domains: | cloudfront-021[.]s3[.]us-west-2[.]amazonaws[.]com, sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com, service-page-11369-28315-outlook[.]s3[.]us-west-2[.]amazonaws[.]com, service-page-18968-2419-outlook[.]s3[.]us-west-2[.]amazonaws[.]com, service-page-25144-30466-outlook[.]s3[.]us-west-2[.]amazonaws[.]com |
| Attacker URLs: | hxxps[://]service-page-25144-30466-outlook[.]s3[.]us-west-2[.]amazonaws[.]com/update.html, hxxps[://]service-page-25144-30466-outlook[.]s3[.]us-west-2[.]amazonaws[.]com/update.html?email=.com, wss[://]sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws, wss[://]sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com/ws |
| Attacker Hashes: | 2fa987b9ed6ec6d09c7451abd994249dfaba1c5a7da1c22b8407c461e62f7e49, 691f7258f212fa8908a8bf06bcf9e027d2177276e13e10ff56bd434ff3755cc4, 6e6dab993f99505646051d2772701e3c4740096ff9be63c92713bcb7fcddf9f7, 7f1d71e1e079f3244a69205588d504ed830d4c473747bb1b5c520634cc5a2477, c8940de8cb917abe158a826a1d08f1083af517351d01642e6c7f324d0bba1eb8, ca390b86793922555c84abc3b34406da2899382c617f9dcf83a74ac09dd18190, de200b79ad2bd9db37baeba5e4d183498d450494c71c8929433681e848c3807f |
| Victim Countries: | Italy, Ukraine |
Mitigation Advice
- Block all network indicators of compromise (domains and URLs) listed in the article at the network firewall, web proxy, and in DNS blocklists.
- Use your Endpoint Detection and Response (EDR) or antivirus solution to scan all endpoints and servers for the file hashes provided in the article.
- Deploy the YARA rules provided in the article to your EDR, SIEM, or other scanning tools to hunt for the SNOW malware ecosystem across your environment.
- In your EDR or SIEM, hunt for process execution events where `msedge.exe` is launched with command-line arguments containing both '--headless' and '--load-extension'.
- Create a high-priority alert in your EDR or SIEM to detect and investigate any process that attempts to read the memory of the LSASS process (lsass.exe).
- Hunt for executions of AutoHotkey (`AutoHotkey.exe` or renamed variants, identifiable by the binary's original file name or its hash) in your environment, paying close attention to processes launched by non-administrative users or originating from download or temporary folders.
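The three hunting queries above (a headless `msedge.exe` loading an extension, LSASS memory access, and renamed AutoHotkey) can be expressed as one pass over process telemetry. The following is an added example, not from the original report, that runs those checks over constructed Sysmon-style events (Event ID 1 process creation carrying `OriginalFileName` from the PE version resource, Event ID 10 process access). `chrome.exe` is included beside `msedge.exe` as an assumption because SNOWBELT is a Chromium extension, and the allowlist of legitimate LSASS readers is a placeholder to be filled with your own EDR/AV binaries.

```python
import ntpath
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# msedge.exe is the indicator in the report; chrome.exe is an assumption
# (SNOWBELT is a Chromium extension, the report names only msedge.exe).
CHROMIUM_BROWSERS = {"msedge.exe", "chrome.exe"}
# Folders a user-downloaded, renamed AutoHotkey binary typically runs from.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")


def _base(path: object) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(str(path or "")).lower()


def detect(events: Iterable[Event],
           lsass_allowlist: Tuple[str, ...] = ()) -> List[Tuple[str, int]]:
    """Return (rule, event_index) pairs for events that match the SNOW hunting rules."""
    hits: List[Tuple[str, int]] = []
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = _base(ev.get("Image"))
            cmd = str(ev.get("CommandLine") or "").lower()
            if image in CHROMIUM_BROWSERS and "--headless" in cmd and "--load-extension" in cmd:
                hits.append(("headless_browser_extension_load", idx))
            original = _base(ev.get("OriginalFileName"))
            if original.startswith("autohotkey") or image.startswith("autohotkey"):
                # A PE whose on-disk name differs from its OriginalFileName is the renamed variant.
                rule = "autohotkey_renamed" if original and image != original else "autohotkey_exec"
                if any(d in str(ev.get("Image") or "").lower() for d in USER_WRITABLE_DIRS):
                    rule += "_from_user_dir"
                hits.append((rule, idx))
        elif eid == 10:  # process access
            if (_base(ev.get("TargetImage")) == "lsass.exe"
                    and _base(ev.get("SourceImage")) not in lsass_allowlist):
                hits.append(("lsass_memory_access", idx))
    return hits


# Constructed sample telemetry: users, paths and names are made up.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "CommandLine": "msedge.exe --headless=new --load-extension=C:\\Users\\jdoe\\AppData\\Local\\Temp\\ext",
     "OriginalFileName": "msedge.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "CommandLine": "msedge.exe https://intranet.example", "OriginalFileName": "msedge.exe",
     "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": "C:\\Users\\jdoe\\Downloads\\OutlookUpdate.exe",
     "CommandLine": "OutlookUpdate.exe update.ahk", "OriginalFileName": "AutoHotkey.exe",
     "User": "CORP\\jdoe"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\svc.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS, lsass_allowlist=("msmpeng.exe",)):
        print(f"{rule:36} event #{idx}")
```

The renamed-AutoHotkey rule depends on the PE's `OriginalFileName` being captured; where your telemetry lacks it, fall back to the hashes in the table above and to the user-writable-path condition alone. Keep the LSASS allowlist short and pinned to full paths in production; the name-only match here is for readability.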
Compliance Best Practices
- Implement a recurring security awareness training program that specifically teaches employees how to identify and report impersonation and phishing attempts on collaboration platforms like Microsoft Teams.
- Configure Microsoft Teams external access policies to either block communication from all external tenants or restrict it to an explicit allowlist of trusted partner organizations.
- Use Group Policy (GPO) or a Mobile Device Management (MDM) solution to enforce a browser extension allowlist, preventing users from installing any extensions that are not explicitly approved by the security team.
- Implement an application allowlisting solution, such as Windows Defender Application Control (WDAC) or AppLocker, to restrict executable files, scripts, and installers to only approved software on workstations and servers.
- Implement a network segmentation strategy using host-based firewalls and network access control lists (ACLs) to prevent client workstations from initiating connections to each other and to sensitive servers on ports like SMB (445) and RDP (3389).
- Enable LSA Protection (as a Protected Process Light) via Group Policy or Intune on all supported Windows devices to prevent credential dumping from LSASS memory.
- Enable comprehensive PowerShell logging, including Script Block Logging, Module Logging, and Transcription, and forward these logs to your SIEM for monitoring and analysis.
- Deploy a forward proxy capable of TLS inspection to monitor and filter outbound web traffic, blocking connections to unsanctioned cloud storage and Platform-as-a-Service (PaaS) providers.