InfoSec Briefing - March 18, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Tuesday, March 17, 2026, covering six articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

Microsoft's Research Team has documented a significant architectural change in Windows, with native Model Context Protocol support now available in Dev and Beta Insider Preview Channels. The implementation uses an undocumented system called On-Device Registry, or ODR, which provides granular permissions and user consent mechanisms for AI agents interacting with the operating system through SQL-backed databases and ETW telemetry.

Airfill Prepaid AB, operating as Bitrefill, disclosed a successful compromise by North Korea's Lazarus and Bluenoroff groups on March 1st. The cryptocurrency service provider confirmed that initial access originated through a compromised employee laptop from which legacy credentials were exfiltrated, with the attack showing patterns consistent with previous Lazarus operations including malware signatures and infrastructure reuse.

Unit 42 has published a comprehensive threat assessment on Boggy Serpens, also known as MuddyWater, attributed to Iran's Ministry of Intelligence. The group has evolved from high-volume campaigns to sophisticated cyberespionage operations targeting diplomatic entities and critical infrastructure globally, now employing AI-assisted malware development in Rust, account hijacking techniques, and Telegram API for command and control, with primary targets in the energy, maritime, and finance sectors across the Middle East, Europe, and South America.

The Council of the European Union announced sanctions against three entities and two individuals for cyber-attacks against EU member states. Chinese companies Integrity Technology Group and Anxun Information Technology were sanctioned for providing hacking tools that compromised over 65,000 devices and targeted critical infrastructure, while Iranian company Emennet Pasargad was sanctioned for data breaches, dark web data sales, and disinformation operations during the 2024 Paris Olympics.

Ctrl-Alt-Intel reports a catastrophic operational security failure by Russian APT group FancyBear, also known as APT28 and attributed to the GRU. On March 11th, an open directory on their command and control server zhblz.com exposed source code, payloads, telemetry logs, and exfiltrated data, revealing active espionage campaigns against 175 victims in Ukraine and targeting government and military entities across Romania, Greece, Serbia, Bulgaria, and North Macedonia, including four NATO member countries, with the compromised server having operated for over 500 days.

Nokia Deepfield Emergency Response Team has identified Katana, a sophisticated Mirai variant compromising Android TV set-top boxes through the Android Debug Bridge. The botnet operates at least 30,000 active bots conducting distributed denial of service attacks reaching 150 gigabits per second using 11 different attack methods, maintaining persistence through an on-device compiled kernel rootkit that hides processes and prevents removal.

That concludes today's briefing.

📰 Articles Covered

ODR: Internals of Microsoft's New Native MCP Registration - The content posted on the page is controlled by the **Research Team** .

The article details Microsoft's new On-Device Registry (ODR) for managing Model Context Protocol (MCP) servers on Windows, focusing on its internal workings and security implications. 【1】

**What Happened:**
Microsoft has introduced native MCP support in Windows through the Dev and Beta Insider Preview Channels via ODR. This system manages registered MCP servers, allowing them to interact with the operating system in a controlled manner. The article delves into the undocumented COM interfaces, a SQL-backed consent database, and Event Tracing for Windows (ETW) telemetry that underpin ODR's functionality. 【1】

**Who is Affected:**
* **Users:** Users are affected as ODR prompts them for consent when an MCP client requests access to system resources or MCP servers. Their decisions are stored in a consent database. 【1】
* **Developers:** Developers creating MCP servers need to package them as MSIX for full ODR benefits, including granular permissions and native telemetry. 【1】
* **Microsoft:** Microsoft is affected by the need to manage and secure the growing ecosystem of AI agents and their interactions with the operating system. 【1】

**Security Implications:**
* **Controlled Access:** ODR provides a mechanism for granular permissions, ensuring MCP servers only access necessary system resources. 【1】
* **Isolation:** MCP servers run in a separate user context, isolating them from the main user's data and processes. 【1】
* **Auditing:** ETW telemetry logs all interactions between MCP clients and servers, providing an audit trail. 【1】
* **Consent Management:** The system relies on user consent for access, with decisions persisted in a database. 【1】
* **Potential for Abuse:** While designed for security, the undocumented nature of some interfaces and the reliance on feature flags could present potential attack vectors if not properly managed. 【1】

**Technical Details:**
* **ODR Architecture:** ODR acts as an aggregator and proxy for MCP servers. MCP servers are registered with ODR, and ODR brokers communication between clients and servers. 【1】
* **`Odr.exe`:** This executable loads `OSClient.NET.dll`, which contains the core ODR logic. It handles client identity validation, policy checks, and communication brokering. 【1】
* **COM Interfaces:** New, undocumented COM interfaces, `IMcpAccessManagerStatics` and `IMcpConsentManagerStatics`, are used to manage access control and user consent. These interfaces are implemented in `windowsudk.shellcommon.dll` and `ConsentUxClient.dll`. 【1】
* **Consent Database:** A SQL database (`CapabilityConsentStorage.db`) stores user consent decisions for MCP server access. This database is accessible only by SYSTEM. 【1】
* **Telemetry:** ETW events are generated for various actions, including consent outcomes, tool usage, and server registration, using specific GUIDs for providers like `Windows-AI-MCP`. 【1】
* **MSIX Packaging:** For full benefits, MCP servers should be packaged as MSIX, allowing them to run in a contained environment under a separate agent user account. 【1】

**What Defenders Should Know:**
* **New Attack Surface:** ODR and MCP introduce a new layer of interaction between AI agents and the OS, creating a potential attack surface. 【1】
* **Telemetry Monitoring:** Defenders should monitor ETW logs related to `Windows-AI-MCP`, `Windows-AI-On-Device-Registry`, and `Windows-AI-Agents` for suspicious activity. 【1】
* **Consent Database Integrity:** The integrity of the `CapabilityConsentStorage.db` is crucial, as it stores user consent. Unauthorized modifications could lead to privilege escalation. 【1】
* **Feature Flag Management:** The reliance on feature flags for enabling ODR functionality means that defenders should be aware of which features are active and ensure they are configured securely. 【1】
* **Undocumented Interfaces:** The existence of undocumented COM interfaces warrants attention, as they may be targets for exploitation or reveal deeper system functionalities. 【1】
* **MSIX Security:** Understanding the security implications of MSIX packaging for MCP servers is important, as vulnerabilities in these packages could be exploited. 【1】
Bitrefill was the target of a cyberattack - by the DPRK Lazarus / Bluenoroff - initial access originated through a compromised employee laptop, from which a legacy credential was exfiltrated. - Airfill Prepaid AB

On **March 1, 2026**, Bitrefill experienced a **cyberattack** 【1】. The company identified similarities between this incident and previous attacks, including the methods used, the malware involved, on-chain tracing, and the reuse of IP addresses and email addresses 【1】.

**Who is affected:**
The primary entity affected is **Bitrefill**, a company that provides services related to cryptocurrency. The report does not specify if individual users or their funds were directly compromised, but the attack targeted the company itself 【1】.

**Security implications:**
The attack highlights the ongoing threat of sophisticated cyberattacks against cryptocurrency service providers. The reuse of indicators like IP addresses and email addresses suggests a persistent threat actor who may have been involved in previous incidents. This underscores the importance of robust security measures and continuous monitoring for such platforms 【1】.

**Technical details:**
The provided information is limited in technical specifics. It mentions the use of **malware** and **on-chain tracing** as indicators of the attack's nature. The reuse of **IP addresses and email addresses** also points to potential reconnaissance or credential stuffing tactics by the attackers 【1】.

**What defenders should know:**
Defenders should be aware of the evolving tactics used by threat actors in the cryptocurrency space. The reuse of attack indicators suggests that threat actors may be persistent and adaptable. Key takeaways for defenders include:
- **Enhanced monitoring:** Implement comprehensive monitoring for unusual activity, including IP and email address reuse.
- **Malware analysis:** Maintain up-to-date intelligence on malware used in attacks targeting the financial and cryptocurrency sectors.
- **On-chain analysis:** Utilize on-chain tracing tools to identify suspicious transaction patterns and potential links to known malicious actors.
- **Proactive security:** Continuously review and strengthen security protocols to mitigate risks associated with credential reuse and other common attack vectors 【1】.
Boggy Serpens Threat Assessment - We have been tracking ongoing cyberespionage campaigns by the threat group Boggy Serpens, also known as MuddyWater. Attributed to the Iranian Ministry of Intelligence - Unit 42

Boggy Serpens, an Iranian state-sponsored threat actor also known as MuddyWater, has been conducting sophisticated cyberespionage campaigns targeting diplomatic entities and critical infrastructure sectors globally 【1】.

**What Happened:**
Boggy Serpens has evolved its tactics from high-volume, low-sophistication attacks to more stealthy and persistent operations. They now focus on compromising trusted relationships by hijacking legitimate internal accounts, which allows them to bypass reputation-based blocking and deliver malware through secondary social engineering prompts 【1】. A notable example is a six-month campaign against a UAE-based energy and marine services company, involving four distinct attack waves with tailored lures 【1】. Their toolset has also advanced, incorporating AI-assisted development for malware implants, utilizing modern programming languages like Rust, and employing custom platforms for mass email distribution 【1】. Command and control (C2) communication is managed through methods such as standard HTTP status codes, custom UDP-based traffic, and the Telegram API 【1】.

**Who is Affected:**
The primary targets are **diplomatic and critical infrastructure entities**, including organizations in the **energy, maritime, and finance sectors**, as well as **government and military bodies** 【1】. Specific regions and countries affected include the Middle East (UAE, Saudi Arabia, Israel, Egypt, Turkmenistan), Hungary, Turkey, South America, and Europe 【1】. High-profile victims like diplomats and IT vendors are also targeted 【1】.

**Security Implications:**
The security implications are significant due to Boggy Serpens' ability to gain a foothold within vital networks by exploiting trusted relationships and hijacked accounts, enabling continued reconnaissance and access 【1】. Their adaptable tactics, advanced evasion techniques, and AI-enhanced malware make detection difficult and allow for long-term persistence 【1】. The focus on critical infrastructure and economic espionage poses a threat to regional stability and economic interests 【1】. The use of AI-assisted development suggests a rapid evolution of their capabilities, challenging defenders 【1】.

**Technical Details:**
Boggy Serpens employs a diverse toolset and techniques, including:
* **Trusted Relationship Compromise:** Hijacking official government and corporate accounts to bypass email filters 【1】.
* **Social Engineering:** Using tailored lures, often with blurred documents that require users to click "Enable Content" to trigger macros 【1】.
* **Malware:** Development and deployment of new malware families such as UDPGangster, LampoRAT, and BlackBeard, often written in Rust 【1】.
* **AI-Assisted Development:** Evidence suggests the use of generative AI for coding, indicated by emoji usage in malware strings 【1】.
* **C2 Communication:** Utilizing custom UDP-based traffic, standard HTTP status codes, and the Telegram Bot API 【1】.
* **Delivery Platform:** A custom-built, web-based orchestration platform for automating mass email delivery 【1】.
* **VBA Macros:** Extensively used to deliver payloads 【1】.

**What Defenders Should Know:**
Defenders must be aware of Boggy Serpens' maturing threat profile, which combines sophisticated social engineering with advanced technological capabilities 【1】. The group's increasing reliance on identity-based attacks necessitates robust **identity and access management controls**, including multi-factor authentication and continuous monitoring for anomalous login activity 【1】. The adoption of modern languages like Rust and AI-assisted development means that traditional signature-based detection may be less effective 【1】. Organizations should focus on comprehensive security solutions that can detect and prevent advanced threats, including **endpoint detection and response (XDR), advanced email security, URL filtering, and DNS security** 【1】. Proactive threat hunting and incident response capabilities are crucial 【1】.
Cyber-attacks against the EU and its member states: Council sanctions three entities and two individuals - Council of the EU

On March 16, 2026, the Council of the European Union adopted restrictive measures against **three entities and two individuals** for their involvement in cyber-attacks targeting EU member states and partners 【1】.

**What Happened:**
The Council sanctioned **Integrity Technology Group**, a China-based company, for providing products that facilitated the hacking of over 65,000 devices across six EU member states between 2022 and 2023 【1】. Additionally, **Anxun Information Technology**, also based in China, was sanctioned for offering hacking services against critical infrastructure. Two co-founders of Anxun Information Technology were also sanctioned 【1】. The Iranian company **Emennet Pasargad** was sanctioned for illegally accessing a French subscriber database, selling its contents on the dark web, spreading disinformation via compromised advertising billboards during the 2024 Paris Olympic Games, and compromising a Swedish SMS service 【1】.

**Who is Affected:**
The sanctions directly affect the three sanctioned entities and two individuals. As a consequence, they are subject to an **asset freeze**, and EU citizens and companies are prohibited from providing them with funds, financial assets, or economic resources. The two individuals also face a **travel ban** preventing their entry into or transit through EU territories 【1】. With these new listings, the EU's cyber sanctions regime now applies to a total of 19 individuals and 7 entities 【1】.

**Security Implications:**
These actions underscore the EU's commitment to a robust response against persistent malicious cyber activities that threaten its integrity and security 【1】. The sanctions demonstrate the EU's capability to use restrictive measures as part of its "cyber diplomacy toolbox" to deter and respond to cyber-attacks 【1】. The incidents highlight the vulnerability of critical infrastructure, personal data, and public information systems to sophisticated cyber threats.

**Technical Details:**
The specific technical details of the cyber-attacks are not extensively elaborated in the provided text. However, the actions described include:
- Providing products used to compromise and access devices 【1】.
- Offering hacking services aimed at critical infrastructure and critical functions 【1】.
- Unlawfully gaining access to a French subscriber database and advertising its contents for sale 【1】.
- Compromising advertising billboards to spread disinformation 【1】.
- Compromising a Swedish SMS service 【1】.

**What Defenders Should Know:**
Defenders should be aware that the EU has established a framework for targeted restrictive measures against cyber-attack perpetrators 【1】. The EU and its member states are committed to cooperating internationally to promote a secure cyberspace 【1】. The sanctions serve as a clear signal of the EU's intent to counter cyber threats, and organizations should remain vigilant against sophisticated cyber-attacks targeting critical infrastructure and sensitive data.
FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops - Ctrl-Alt-Intel

On March 11th, 2026, a significant operational security (OPSEC) blunder by the Russian APT group **FancyBear** (also known as APT28, Forest Blizzard, or Sednit) exposed extensive details of their espionage operations 【1】. This group, attributed to Russia's GRU, compromised government and military entities across several European nations 【1】.

### What Happened

The exposure occurred due to FancyBear leaving an "open-directory" on one of their command and control (C2) servers. This allowed researchers to access a trove of data, including C2 source code, payloads, telemetry logs, exfiltrated data, and evidence of ongoing campaigns 【1】. This was not the first instance of such an exposure; a similar open-directory had been identified and archived by Hunt.io earlier in January 2026 【1】. The C2 server, identified as `zhblz.com` (resolving to IP `203.161.50[.]145`), had been in use for over 500 days, even after being publicly attributed to FancyBear by CERT-UA 【1】.

### Who is Affected

The primary targets of this campaign were **government and military entities** in:
- **Ukraine**: With 175 unique victims, including regional prosecutors and the Asset Recovery Agency 【1】.
- **Romania**: Including the Romanian Air Force and Air Force Academy 【1】.
- **Greece**: Including the National Defence General Staff 【1】.
- **Serbia**: Including the Ministry of Defence and Military Academy 【1】.
- **Bulgaria**: Government entities 【1】.
- **North Macedonia**: Government entities 【1】.

Notably, the targeting included entities from **four NATO member countries**, aligning with regional security developments and support for Ukraine 【1】.

### Security Implications

The exposed data provided unprecedented visibility into FancyBear's espionage activities. The implications include:
- **Theft of sensitive data**: Over 2,800 exfiltrated emails from government and military mailboxes were discovered 【1】.
- **Compromise of credentials**: More than 240 sets of stolen credentials, including passwords and TOTP 2FA secrets, were found 【1】.
- **Bypassing multi-factor authentication (MFA)**: FancyBear successfully stole TOTP secrets, allowing them to generate valid 2FA codes and bypass this security layer 【1】.
- **Persistent email forwarding**: Over 140 Sieve forwarding rules were silently implemented, redirecting all incoming emails to attacker-controlled mailboxes, ensuring continued access to communications 【1】.
- **Network mapping**: Over 11,500 contact email addresses were harvested from victim address books, mapping extensive communication networks 【1】.
- **Understanding TTPs**: The open-directory provided a rare look into FancyBear's Tactics, Techniques, and Procedures (TTPs), including their C2 infrastructure, malware, and operational methods 【1】.

### Technical Details

FancyBear employed a sophisticated toolkit, primarily targeting webmail platforms like **Roundcube** and, in a previously unreported variant, **SquirrelMail** 【1】. Key technical details include:

- **Command and Control (C2)**: The primary C2 server was `zhblz.com` (IP `203.161.50[.]145`), which hosted payloads, logged telemetry, and facilitated exfiltration 【1】.
- **Exploitation Method**: Cross-Site Scripting (XSS) vulnerabilities were exploited to deliver JavaScript payloads (`worker.js` for Roundcube, `worker2.js` for SquirrelMail) 【1】.
- **Credential Theft**:
- **In-line capture**: A hidden form injected into the Roundcube page captured credentials upon user interaction 【1】.
- **External modules**: Separate modules were used for credential theft 【1】.
- **Phishing pages**: Cloned Roundcube login pages were hosted on the C2 server to trick users into submitting credentials 【1】.
- **Email Exfiltration**: The entire Inbox and Sent folders of victims could be exfiltrated by iterating through Roundcube's email UIDs 【1】.
- **TOTP/2FA Theft**: The `keyTwoAuth.js` module extracted TOTP secrets and recovery codes from the Roundcube twofactor\_gauthenticator plugin settings page 【1】.
- **Address Book Theft**: The `adbook.js` module (Roundcube) and inline SquirrelMail scripts extracted contact lists 【1】.
- **Sieve Forwarding Rule Creation**: The `addRedirectMailBox.js` module created rules to forward all incoming emails to attacker-controlled mailboxes, provided the server supported ManageSieve 【1】.
- **Lure Documents**: Various PDF lures were hosted, including documents related to Romanian air-force, Ukrainian defense, and Bulgarian Interior Ministry reports 【1】.
- **Indicators of Compromise (IOCs)**: Specific IP addresses, domains (`zhblz.com`, `gov.vppdr.com`), email addresses (`advenwolf@proton.me`), URL paths, and file names have been identified 【1】.

### What Defenders Should Know

Defenders should be aware of the following:
- **Targeting is not random**: FancyBear's targeting aligns with geopolitical events and regional military relevance, particularly concerning Ukraine and NATO member states 【1】.
- **Sophisticated capabilities**: The group can bypass MFA, exfiltrate entire mailboxes, and establish persistent email forwarding without further user interaction 【1】.
- **Persistence**: FancyBear has demonstrated a high degree of persistence, operating from the same C2 infrastructure for extended periods, even after public attribution 【1】.
- **OPSEC failures can be revealing**: While sophisticated, even advanced threat actors can make mistakes, providing valuable intelligence through exposed infrastructure 【1】.
- **Webmail security**: Organizations using Roundcube and SquirrelMail should ensure their systems are patched and monitored for signs of XSS exploitation and unauthorized Sieve rule creation 【1】.
- **Monitor for IOCs**: Implement detection rules based on the provided IOCs, including network traffic to known C2 domains and IP addresses, and suspicious file names or URL paths 【1】.
- **Review Sieve rules**: Regularly audit mail server Sieve rules for any unauthorized or suspicious forwarding configurations 【1】.
Katana: a Mirai variant that compiles its own rootkit on Android TV set-top boxes - Nokia Deepfield Emergency Response Team (ERT)

The **Katana botnet** is a sophisticated variant of the Mirai malware that targets **Android TV set-top boxes**, specifically low-cost, unbranded devices running the Android Open Source Project (AOSP) that lack Google Play Protect or official Google certification. It is not targeting Google-branded Android TV products 【1】.

**What Happened:**
Katana exploits the **Android Debug Bridge (ADB)** to gain unauthorized remote shell access to vulnerable devices. This exploitation is facilitated by residential proxy services that expose internal networks, allowing botnet operators to mass-exploit these Android TV devices without needing to write their own exploits 【1】. The botnet is actively operational and has been observed launching attacks with volumes reaching 150 Gbps 【1】.

**Who is Affected:**
The primary targets are **users of low-cost, unbranded Android TV set-top boxes** that run AOSP and have ADB enabled with unauthenticated access. These devices are often found in homes and are not typically secured by their owners, who may be unaware of the vulnerability 【1】. The botnet is estimated to have at least **30,000 active bots** 【1】.

**Security Implications:**
The security implications are significant due to the botnet's technical complexity and aggressive tactics:
* **Distributed Denial of Service (DDoS) Attacks:** Katana is primarily a DDoS botnet, capable of launching attacks using 11 different methods targeting various services like game servers, SSH, MySQL, and more 【1】.
* **Persistence and Stealth:** It employs an on-device compiled kernel rootkit (`wlan_helper.ko`) that hooks system calls to hide its processes, prevent file deletion, and block signals, making it difficult to detect and remove 【1】.
* **Environmental Control:** The botnet aggressively locks down the infected device by remapping the ADB port, killing unauthorized processes, and disabling over 100 system utilities. This prevents rival bots and forensic tools from accessing the device, and also locks out the device owner 【1】.
* **Competition and Turf Wars:** Katana is part of a growing trend of botnets exploiting the same vulnerabilities, leading to active competition and "turf wars" between operators for control of vulnerable devices 【1】.
* **Potential AI-Assisted Development:** Indicators suggest that components of Katana may have been developed with the assistance of Large Language Models (LLMs), pointing to evolving malware development techniques 【1】.

**Technical Details:**
* **Mirai Variant:** Katana is a variant of the Mirai botnet, though it has no direct code or infrastructure overlap with other Mirai forks 【1】.
* **Propagation:** It relies on external ADB exploitation scripts for propagation, rather than including its own scanner or credential table 【1】.
* **Rootkit Compilation:** The APK contains bot binaries, TinyCC, and rootkit source code, allowing it to compile a kernel module (`wlan_helper.ko`) on the target device to match the specific kernel version 【1】.
* **Command and Control (C2):** It uses encrypted C2 communication with runtime domain rotation. Domains are encrypted via a custom 5-step cipher, and a fourth domain is delivered at runtime. The C2 infrastructure is hosted on bulletproof hosting providers 【1】.
* **Self-Destruct Mechanism:** If the C2 becomes unreachable for three days, the bot initiates a thorough self-destruct sequence, removing all persistence mechanisms and binaries 【1】.
* **Anti-Analysis:** Katana employs techniques such as process masquerading, library preloading, and a "locker process" that maintains an allowlist of running processes to prevent unauthorized execution 【1】. It also blocks over 100 system utilities and specific shell patterns used for analysis 【1】.
* **OOM Evasion:** The bot manipulates the Out-Of-Memory (OOM) score to prevent the kernel from terminating it under memory pressure 【1】.

**What Defenders Should Know:**
* **ADB Security:** The primary attack vector is ADB exploitation. Defenders should ensure ADB is disabled on devices not requiring it, or at least secured with strong authentication if enabled.
* **Device Visibility:** Many low-cost Android TV boxes lack robust security features and may not be easily monitored. Network segmentation and monitoring for unusual ADB traffic can help detect infections.
* **Rootkit Sophistication:** The on-device rootkit compilation makes detection and removal challenging. Standard process listing and file deletion commands may be ineffective 【1】.
* **Evolving Threats:** The potential for AI-assisted development in malware like Katana indicates a need for defenders to stay abreast of rapidly advancing threat capabilities 【1】.
* **Rival Botnet Activity:** The presence of multiple botnets competing for the same devices means that removing one threat may not be sufficient if another can reinfect the device 【1】.
* **Persistence Mechanisms:** Katana uses multiple layers of persistence, including AlarmManager, broadcast receivers, Magisk modules, and system partition modifications, requiring thorough cleanup efforts 【1】.