InfoSec Briefing - March 26, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This briefing covers security developments from Wednesday, March 25, 2026, with 6 articles analyzed. All attribution is by the article authors. All article analysis is automated.

CISA has added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. This critical unauthenticated remote code execution vulnerability in the Langflow AI platform allows attackers to execute arbitrary Python code through a public flow endpoint without authentication, leading to complete system compromise and data exfiltration. Working exploits were developed within 20 hours of disclosure, and the vulnerability is actively exploited against internet-facing Langflow instances. Organizations running Langflow versions 1.8.1 or earlier must immediately upgrade to version 1.9.0 or later, or temporarily disable public flow endpoints if patching cannot be done immediately.

Fortgale reports on Operation Storming Tide, a large-scale intrusion campaign attributed to Russian-speaking threat actors, including Mora_001, targeting over 600 FortiGate devices across 55 countries. The campaign exploits Fortinet firewall vulnerabilities to establish persistent VPN tunnels, then deploys Matanbuchus 3.0 loader, Astarion RAT, and SystemBC for intelligence collection and data exfiltration. Primary targets include logistics and transportation sector organizations, with threat actors shifting from rapid ransomware deployment to patient, long-term intelligence gathering.

The U.S. Attorney's Office for the Eastern District of Michigan announced that Russian national Ilya Angelov, also known as 'milan' and 'okart', was sentenced to 24 months in prison for co-managing the Mario Kart botnet operation. The Russia-based cybercriminal group distributed malware via spam emails, then sold access to compromised systems to ransomware operators who extorted over $14 million from more than 70 U.S. corporations.

The Natto Team and Robin Dimyanoglu published a wargaming analysis of a China-Taiwan conflict and its cyber scenarios. The CSIS wargame simulates a Chinese invasion of Taiwan, analyzing how China would integrate cyber operations with kinetic military actions in a phased, escalating manner. The scenario emphasizes that cyber warfare would be an integral component of the conflict, affecting organizations across multiple sectors and requiring comprehensive defense strategies that address both physical and digital threats.

Project V4bel researcher Hyunwoo Kim disclosed a new vulnerability class called 'Out-of-Cancel' bugs affecting Linux kernel workqueue cancellation APIs. These flaws can lead to Use-After-Free conditions enabling privilege escalation, demonstrated through CVE-2026-23239 in the espintcp module. The vulnerability stems from race conditions where work items can be rescheduled after cancellation, allowing freed objects to be accessed.

Peter Gabaldon documented a sophisticated multi-stage malware attack chain that leverages phishing emails with malicious links exploiting open redirects to deliver a ZIP archive disguised as a financial bill. The attack uses Internet Shortcut files, WebDAV hosted on Cloudflare tunnels, Python shellcode loaders, and Donut-generated .NET executables with Early Bird APC injection for in-memory execution. The attack primarily targets users susceptible to phishing in corporate environments, using advanced evasion techniques and living-off-the-land methods to bypass traditional detection.

That concludes today's briefing.

📰 Articles Covered

CVE-2026-33017 - CISA KEV

**CVE-2026-33017** is a critical vulnerability affecting the **Langflow** platform, an open-source tool used for building AI workflows.

**Vulnerability Details:**
* **Affected Product and Vendor:** Langflow, an open-source AI platform.
* **Vulnerability Type:** Missing authentication combined with code injection.
* **What it Allows Attackers to Do:** The vulnerability allows unauthenticated attackers to achieve **remote code execution (RCE)**. This could lead to full system compromise and exfiltration of sensitive data such as API keys, database credentials, and environment variables.
* **Exploitation:** The vulnerability has been actively exploited in the wild, with attackers developing working exploits within approximately 20 hours of its public disclosure on March 17, 2026. Exploitation occurs by supplying arbitrary executable code through the `build_public_tmp` endpoint, which is designed to be unauthenticated but incorrectly accepts malicious flow data. This aligns with the MITRE ATT&CK technique **T1190 - Exploit Public-Facing Application**.
* **Known Threat Actors or Campaigns:** While specific threat actors or campaigns are not detailed, the rapid exploitation indicates that threat actors are actively weaponizing newly disclosed vulnerabilities.
* **Affected Versions:** All Langflow versions **prior to and including 1.8.1** are affected.
* **Fixed Versions:** The vulnerability has been addressed in the development version **1.9.0.dev8** and released in version **1.9.0**.

**Immediate Actions for Defenders:**
* **Upgrade Langflow immediately** to version 1.9.0 or later.
* Organizations running exposed Langflow instances should prioritize this upgrade due to the critical nature and active exploitation of the vulnerability.
Operation Storming Tide: A massive multi-stage intrusion campaign - Fortgale

**Operation Storming Tide** is a large-scale, multi-stage intrusion campaign attributed to Russian-speaking threat actors, primarily focusing on **intelligence collection and data exfiltration**, with financial gain as a potential secondary objective 【1】. The campaign, which began in late 2025, involves multiple criminal groups operating in concert 【1】.

### What Happened

The campaign commenced with the exploitation of **Fortinet firewall vulnerabilities**, allowing threat actors to establish a persistent, encrypted **VPN tunnel** for re-entry into victim networks 【1】. After a dormancy period, the actors pivoted into internal networks using unmanaged assets to evade endpoint detection 【1】. They then deployed a series of malware, including the **Matanbuchus 3.0 loader**, **Astarion RAT**, and **SystemBC**, to gain comprehensive remote access, execute commands, and exfiltrate data 【1】. In the Fortgale engagement, rapid containment actions **prevented any data exfiltration or ransomware execution** 【1】.

### Who is Affected

The primary targets appear to be organizations within the **logistics and transportation sector**, as evidenced by the initial Fortgale engagement 【1】. However, the campaign has a broader reach, with intelligence indicating that over **600 FortiGate devices across 55 countries** may have been compromised 【1】. The threat actor **Mora\_001**, assessed to be of Russian origin, is a key player, previously linked to Fortinet vulnerability exploitation and ransomware deployment 【1】.

### Security Implications

The primary implication is the shift in tactics by threat actors like Mora\_001, evolving from rapid ransomware deployment to a more patient, intelligence-gathering approach 【1】. This "sleeper" strategy aims to maintain persistent access and evade detection for longer periods 【1】. The use of sophisticated malware distributed via a Malware-as-a-Service (MaaS) model, such as Matanbuchus 3.0, indicates well-funded operations with access to advanced tools 【1】. The campaign also highlights the risk of **dual-purpose operations**, combining espionage with potential financial motives 【1】.

### Technical Details

The campaign utilizes a range of sophisticated tools and techniques:

* **Initial Access:** Exploitation of Fortinet firewall vulnerabilities (e.g., CVE-2024-55591, CVE-2025-24472, CVE-2026-24858) and credential brute-forcing 【1】.
* **Persistence:** Configuration of a remote VPN tunnel on the firewall and the use of scheduled tasks (e.g., "JavaUpdate") 【1】.
* **Malware:**
* **Matanbuchus 3.0:** A MaaS loader that delivers secondary payloads. It uses Protocol Buffers (Protobuf) and ChaCha20 encryption for C2 communications 【1】.
* **Astarion RAT:** A remote access trojan with modular capabilities for espionage and payload delivery, using RSA-encrypted C2 communications 【1】.
* **SystemBC:** A SOCKS5 proxy used for covert C2 communications and traffic obfuscation, linked to APT actors and ransomware affiliates 【1】.
* **RClone:** An open-source utility abused for high-volume data exfiltration to S3-compatible storage 【1】.
* **Command and Control (C2):** Encrypted channels using asymmetric cryptography (RSA for Astarion RAT) and ChaCha20 encryption with Protobuf serialization for Matanbuchus 3.0 【1】. SystemBC provides multi-hop proxy capabilities 【1】.
* **Data Exfiltration:** Primarily achieved using RClone to cloud storage services 【1】.

### What Defenders Should Know

Defenders should be aware of the following:

* **Fortinet Vulnerabilities:** Prioritize patching and monitoring for exploitation of Fortinet firewall vulnerabilities 【1】.
* **Evolving TTPs:** Recognize that threat actors are adopting more patient, stealthy tactics, including extended dwell times and strategic intelligence collection, rather than immediate ransomware deployment 【1】.
* **Malware Arsenal:** Be vigilant for the presence of Matanbuchus 3.0, Astarion RAT, and SystemBC, as well as the abuse of legitimate tools like RClone 【1】.
* **Indicators of Compromise (IoCs):** Monitor for the provided network and host IoCs, including specific IP addresses, domains, file paths, and malicious DLLs 【1】.
* **MITRE ATT&CK Mapping:** Understand the adversary's tactics and techniques as mapped to the MITRE ATT&CK framework, particularly in Initial Access, Persistence, Command & Control, and Exfiltration 【1】.
* **Early Detection is Crucial:** The lack of ransomware execution in some incidents may be due to successful defensive intervention, highlighting the importance of early detection and rapid containment 【1】.
Russian cybercriminal sentenced to prison for using a “botnet” to steal millions from American businesses - U.S. Attorney's Office, Eastern District of Michigan

**Ilya Angelov**, a Russian national, has been sentenced to **24 months in prison** for his role in managing a botnet used to conduct ransomware attacks against U.S. corporations 【1】. He was also fined $100,000 and ordered to forfeit $1.6 million 【1】.

**What Happened:**
Angelov, who used online aliases such as "milan" and "okart," co-managed a Russia-based cybercriminal group known as **Mario Kart** 【1】. This group built a botnet by distributing malware through spam emails with infected attachments 【1】. Angelov and his co-manager then sold access to these compromised computers, referred to as "bots," to other criminal organizations. These organizations used the access to deploy ransomware, locking victims out of their networks and demanding cryptocurrency payments for restoration 【1】.

**Who is Affected:**
The primary victims are **American businesses**. The FBI identified over **70 U.S. corporations** that were infected with ransomware by an organization linked to Angelov's group, resulting in over **$14 million in extortion payments** 【1】. Additionally, another ransomware group paid Angelov's group over $1 million for access to the Mario Kart botnet 【1】.

**Security Implications:**
This case highlights the significant threat posed by **sophisticated foreign cybercriminal operations** that target American businesses for financial gain 【1】. The use of botnets and ransomware demonstrates a persistent and evolving threat landscape where cybercriminals monetize compromised systems to facilitate further criminal activity.

**Technical Details:**
- **Botnet Creation:** Malware-infected files were distributed via **spam emails** to compromise computers 【1】.
- **Monetization:** Access to individual compromised computers ("bots") was **sold to other criminal groups** 【1】.
- **Ransomware Attacks:** The purchased access was used to deploy **ransomware**, which locks victims' networks and demands payment, often in cryptocurrency 【1】.
- **Group Designation:** Angelov's group was identified by the FBI as **Mario Kart**, with other designations used by private security researchers including TA-551, Shathak, GOLD CABIN, Monster Libra, ATK236, and G0127 【1】.

**What Defenders Should Know:**
- **Vigilance Against Spam:** Organizations must remain vigilant against **malware-laden spam emails**, as these are a common vector for botnet infection 【1】.
- **Ransomware Preparedness:** Robust **ransomware defenses and recovery plans** are crucial, given the prevalence of these attacks 【1】.
- **International Cooperation:** The successful prosecution involved **international collaboration** with Dutch and German authorities, underscoring the global nature of cybercrime and the importance of cross-border partnerships in investigations 【1】.
- **Accountability:** Law enforcement agencies are committed to **tracking and dismantling cybercriminal networks**, assuring that perpetrators will be held accountable regardless of their location 【1】.
Wargaming a China-Taiwan Conflict and Its Cyber Scenarios - Natto Team and Robin Dimyanoglu

The article discusses a wargaming scenario from the Center for Strategic and International Studies (CSIS) titled "The First Battle of the Next War: Wargaming a Chinese Invasion of Taiwan," focusing on the **cyber implications** of such a conflict 【1】.

**What Happened:**
The CSIS wargame simulated a potential Chinese invasion of Taiwan, exploring how cyber operations would be integrated into a broader kinetic conflict. The scenario posits that China would likely employ cyber operations in a **methodical and gradual manner**, escalating alongside kinetic actions 【1】.

**Who is Affected:**
The article highlights that **organizations across various sectors** could be affected, either directly by cyberattacks or indirectly through the disruption of critical infrastructure and information environments 【1】. This includes businesses, government agencies, and potentially the general public.

**Security Implications:**
The primary security implication is that cyber warfare would be an **integral component of a kinetic invasion**, not a standalone event. This suggests a need for a comprehensive defense strategy that accounts for both physical and digital threats. The scenario also underscores the importance of **resilience across different sectors** and the need for **collaboration between public and private entities**, as well as across supply chains 【1】.

**Technical Details:**
While the provided excerpt does not delve into highly specific technical details of cyber techniques, it emphasizes the **phased nature of cyber operations** that would accompany kinetic actions 【1】. For a more in-depth understanding of specific cyber techniques and defender actions, reference to the full CSIS study would be necessary 【1】.

**What Defenders Should Know:**
Defenders should be aware of the following key takeaways:
- **Phased Cyber Operations:** Cyberattacks will likely be coordinated with kinetic actions, suggesting a need to anticipate and respond to evolving threat landscapes 【1】.
- **Cross-Sector Resilience:** Critical infrastructure and information systems across all sectors must be resilient to withstand and recover from cyber disruptions 【1】.
- **Collaboration is Crucial:** Effective defense requires transparent methodologies, strong supply chain security, and robust public-private partnerships 【1】.
- **Multi-Scenario Preparedness:** Defenders need to prepare for exposure across various scenarios impacting critical infrastructure and the information environment 【1】.
When Bills Come with Surprise: Donut of Python and Rat🤮 - The content posted at the URL is controlled by **Peter Gabaldon**.

A sophisticated, multi-stage malware attack chain has been identified, characterized by its advanced evasion techniques and in-memory execution to minimize on-disk footprints 【1】.

**What Happened:**
The attack commences with a **phishing email** containing a malicious link that exploits open redirects to guide victims to a compromised web resource 【1】. This resource then delivers a ZIP archive, presented as a financial bill, which contains an Internet Shortcut (`.url`) file 【1】. This `.url` file points to a WebDAV path hosted on a Cloudflare tunnel, from which a Windows Script Host (`.wsh`) file is retrieved 【1】. The `.wsh` file proceeds to copy a batch (`.bat`) file to the local Downloads folder and executes it, establishing persistence via the Startup folder 【1】. Subsequently, it downloads an embeddable Python runtime and utilizes a Python script (`sb.py`) to download and execute the final payload 【1】. This Python script functions as a shellcode loader, decoding an encrypted payload, creating a suspended `explorer.exe` process, allocating memory, and injecting the payload using Early Bird APC injection 【1】. The ultimate payload is a .NET executable, generated by the Donut shellcode generator, which is decrypted, decompressed using LZNT1, and executed entirely in memory 【1】. A benign PDF document is also launched to distract the user 【1】.

**Who is Affected:**
This attack primarily affects **users susceptible to phishing lures**, particularly those who might be deceived into opening files disguised as financial documents 【1】. The use of corporate-sounding filenames and decoy documents suggests a potential targeting of **corporate environments** 【1】.

**Security Implications:**
The attack poses significant risks due to its **advanced evasion techniques**, operating mainly in memory and leveraging legitimate tools and services (Living off the Land) to bypass traditional file-based antivirus and detection methods 【1】. The use of Cloudflare tunnels and WebDAV for its infrastructure complicates attribution and blocking efforts 【1】. The final payload, linked to ResolverRAT/zgRAT and possessing Lumma-like stealing capabilities, indicates potential **data exfiltration and further system compromise** 【1】.

**Technical Details:**
* **Initial Access:** Phishing URLs with open redirects leading to a ZIP archive containing a malicious `.url` file 【1】.
* **Infrastructure:** Abuse of Cloudflare tunnels and WebDAV for remote staging 【1】.
* **Execution Chain:** The attack progresses through a sequence of files: `.url` -> `.wsh` -> JScript -> `.bat` -> Python runtime -> `sb.py` (injector) -> Donut shellcode -> .NET PE 【1】.
* **Evasion Techniques:** Includes the use of `.url` files, WebDAV over SSL, Cloudflare tunnels, native Windows scripting (`.wsh`, JScript, `cmd.exe`, PowerShell), downloading a legitimate Python embeddable runtime, multi-layer XOR transformation, Donut shellcode loader, Early Bird APC injection into a suspended `explorer.exe`, and in-memory execution 【1】.
* **Payload:** An encrypted and LZNT1-compressed .NET executable, identified as part of the ResolverRAT/zgRAT family with Lumma-like capabilities 【1】.
* **Persistence:** Achieved through a `.bat` file placed in the Windows Startup folder 【1】.

**What Defenders Should Know:**
Defenders should focus on detecting anomalies across multiple stages of the attack chain 【1】. This includes:
* **Network Monitoring:** Vigilance for outbound WebDAV traffic and connections to ephemeral tunneling services like `trycloudflare.com` 【1】.
* **File and Execution Monitoring:** Detection of `.url` files pointing to remote UNC paths, Windows Script Host executing remote scripts, and the download/execution of portable Python environments 【1】.
* **Persistence Monitoring:** Identifying unrecognized scripts within the Startup folder 【1】.
* **Memory Forensics and EDR:** Implementing detection for Early Bird APC Injection (monitoring suspended processes, `VirtualAllocEx`, `WriteProcessMemory`, `QueueUserAPC` calls originating from scripting engines) and scanning memory for shellcode framework signatures such as Donut 【1】.
* **MITRE ATT&CK Mapping:** The article provides a detailed mapping of the attack techniques to MITRE ATT&CK tactics and techniques, which can be valuable for threat hunting and developing defense strategies 【1】.
Out-of-Cancel: A Vulnerability Class Rooted in Workqueue Cancellation APIs - Project V4bel, authored by Hyunwoo Kim

The cybersecurity article details a new class of vulnerabilities termed **"Out-of-Cancel" bugs**, which stem from flaws in the Linux kernel's workqueue cancellation APIs. These vulnerabilities can lead to **Use-After-Free (UAF)** conditions, potentially allowing for privilege escalation.

**What Happened:**
The core issue lies in the misuse of workqueue cancellation functions like `cancel_work_sync()`. While these functions can stop currently running or queued work, they do not prevent the same work from being rescheduled through other asynchronous paths. This creates a race condition where an object can be freed after cancellation, but then accessed by a rescheduled work item, leading to a UAF vulnerability. The article uses the **`espintcp` vulnerability (CVE-2026-23239)** as a case study, found within the networking subsystem, specifically in the TCP and Upper Layer Protocol (ULP) handling.

**Who is Affected:**
Systems running **Linux kernel versions** susceptible to this vulnerability, particularly those utilizing the `espintcp` module or similar code patterns that rely on cancellation APIs for object lifetime management. The vulnerability does not require user namespaces to be triggered.

**Security Implications:**
The primary security implication is the potential for **privilege escalation**. A successful exploitation of an Out-of-Cancel bug can lead to a Use-After-Free condition, which attackers can leverage to overwrite kernel memory, gain control of the system, and execute arbitrary code with elevated privileges.

**Technical Details:**
The vulnerability arises from a common kernel pattern: cleaning up work with `_cancel` APIs and then freeing the associated object. This pattern is flawed because `_cancel` APIs do not guarantee that the work will never run again.

In the `espintcp` case (CVE-2026-23239):
* The `espintcp_close()` function calls `cancel_work_sync(&ctx->work)` without acquiring the necessary socket lock (`lock_sock()`).
* The `espintcp_write_space()` hook, triggered by the TCP ACK path when send buffer space becomes available, can reschedule `ctx->work` by calling `schedule_work(&ctx->work)`.
* This creates a race where `ctx->work` can be scheduled after `cancel_work_sync()` returns but before `ctx` is fully freed, leading to a UAF when the worker attempts to access the freed `ctx`.
* Exploitation involves carefully orchestrating events, including:
* **Arming the Socket State:** Setting the `SOCK_NOSPACE` flag by filling the send buffer and causing a Zero Window.
* **Delaying Execution:** Using techniques like the TCP Delayed ACK timer or `timerfd` with epoll waiters to widen the race window.
* **Forcing RST:** Sending malformed data to trigger an RST packet instead of a FIN, ensuring `ctx` is freed regardless of explicit socket closure.
* **Winning the Reallocation Race:** Manipulating scheduler properties (`vruntime`, `deadline`) to ensure a heap spray thread reallocates the freed `ctx` before the espintcp worker accesses it.
* The exploit sequence also involves bypassing KASLR using a Prefetch Side-Channel Attack to determine kernel symbol locations.

**What Defenders Should Know:**
* **Understand Workqueue Behavior:** Developers and security professionals should be aware that `cancel_work_sync()` and similar APIs do not provide a lifetime guarantee for objects. They only stop or clean up currently executing or queued work.
* **Proper Locking:** Ensure that critical sections involving object teardown and workqueue cancellation are adequately protected by appropriate locks, such as `lock_sock()`.
* **Avoid Cancellation as Lifetime Management:** Refrain from using cancellation APIs as the sole mechanism for managing an object's lifecycle. Explicit synchronization and careful state management are crucial.
* **Patching:** Apply security patches for the Linux kernel that address Out-of-Cancel vulnerabilities, such as CVE-2026-23239.
* **Monitoring:** Monitor systems for unusual network traffic patterns or kernel behavior that might indicate exploitation attempts.
* **Side-Channel Awareness:** Be aware that vulnerabilities might be combined with side-channel attacks (like Prefetch Attacks) to bypass security mechanisms like KASLR.