🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• oss-sec: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown - The **Xen.org security team** controls the content posted at the provided URL . 🔍 Show Kagi Synopsis
  The cybersecurity article details **Xen Security Advisory XSA-482, version 2**, which describes a vulnerability in the Linux kernel's `privcmd` driver that can **circumvent kernel lockdown and secure boot** 【1】.
  
  **What Happened:**
  The `privcmd` driver can be exploited to modify page tables. This allows user-mode processes to alter kernel memory, effectively bypassing security measures like secure boot 【1】.
  
  **Who is Affected:**
  This vulnerability affects **PV, PVH, and HVM guests running Linux that utilize secure boot** 【1】. BSD-based systems are believed to be unaffected due to their lack of secure boot support 【1】.
  
  **Security Implications:**
  An administrator of an unprivileged guest booted in secure mode can perform actions on the kernel that should be restricted. This could lead to a **complete compromise of the guest system's integrity** 【1】.
  
  **Technical Details:**
  The vulnerability stems from the ability to manipulate **page tables**, which are crucial for memory management and protection. By altering these tables, an attacker can gain unauthorized access to and modify kernel memory 【1】.
  
  **What Defenders Should Know:**
  Currently, there is **no known mitigation** for this vulnerability 【1】. The resolution requires applying specific patches (xsa482-linux-1.patch and xsa482-linux-2.patch) 【1】. The deployment of these patches is subject to an embargo period with specific rules for organizations on the Xen Project Security Issues Predisclosure List. Deployment on public cloud systems is prohibited until the embargo lifts 【1】. The CNA for Linux has not assigned a CVE at this time 【1】.
• UNISOC T612 RCE - vulnerability has been discovered in the UNISOC modem firmware that enables one User Equipment (UE) to remotely attack another UE over the cellular network - no vendor response - SSD Secure Disclosure 🔍 Show Kagi Synopsis
  A critical vulnerability has been discovered in the **UNISOC modem firmware**, allowing a remote attacker to execute arbitrary code on a target device. This vulnerability, identified as an **Uncontrolled Recursion (CWE-674)**, stems from unsafe parsing logic within the modem's handling of **SDP** messages, specifically the `_SDPDEC_AcapDecoder` function 【1】.
  
  **What Happened:**
  An attacker can send specially crafted malformed **SDP** messages within **SIP** signaling requests to a target device. This triggers a memory corruption vulnerability in the modem's firmware. The root cause is the `_SDPDEC_AcapDecoder` function, which recursively calls itself without proper validation of message fields. This can lead to a stack overflow in the `sblock_0_2` task, especially when data fragmentation occurs (e.g., during an IMS video call with **SRTP** packets). By overwriting function pointers on the stack, an attacker can achieve arbitrary code execution 【1】.
  
  **Who is Affected:**
  The vulnerability affects devices utilizing UNISOC chipsets, specifically those with the following firmware versions and chipsets:
  * **Firmware:** MOCORTM\_22A\_W23.02.5\_P12.14\_Debug (found in Realme C33) 【1】
  * **Chipsets:** T612, T616, T606, and T7250 【1】
  
  UNISOC chipsets are used by major brands such as Honor, realme, vivo, Samsung, and Motorola, with products distributed in over 140 countries 【1】.
  
  **Security Implications:**
  The primary security implication is **Remote Code Execution (RCE)**. An attacker can gain control over the victim's device by exploiting this vulnerability over the cellular network. This could lead to a wide range of malicious activities, including data theft, surveillance, or further compromising the device.
  
  **Technical Details:**
  The vulnerability lies in the `_SDPDEC_AcapDecoder` function's handling of the `acap` attribute within SDP messages. This function can recursively call itself when encountering multiple `acap` attributes on the same line. The `SipHandler_AttrDecoder` table includes an entry for `acap`, which points to the vulnerable decoder function. An input like `v=0\na=acap:1 acap:1 acap:1 ... acap:1` can trigger a stack overflow in the `sblock_0_2` task. This task is activated during data fragmentation, which can be induced by initiating an IMS video call. The overflow allows an attacker to overwrite function pointers, enabling code execution 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that this vulnerability allows for remote exploitation over the cellular network. The exploit involves crafting specific **SIP** and **SDP** messages. Mitigation efforts would involve patching the UNISOC modem firmware to address the unsafe parsing logic in the `_SDPDEC_AcapDecoder` function and implement proper validation of message fields and recursion depth. Users of affected devices should ensure their devices receive firmware updates from their manufacturers.
• From Privilege Escalation to Full Denial of Service: Exploit Chain Across Multiple CVEs in Cisco Catalyst Devices - OPSWAT 🔍 Show Kagi Synopsis
  OPSWAT Unit 515 has discovered a chain of four vulnerabilities in **Cisco Catalyst 9300 Series switches** that can lead to privilege escalation and a full denial of service (DoS) condition 【1】.
  
  **What Happened:**
  An authenticated user with low privileges can exploit two vulnerabilities (CVE-2026-20114 and CVE-2026-20110) to escalate their privileges. This escalation allows them to execute commands that force the switch into maintenance mode, resulting in a complete denial of service. This state may require physical intervention to resolve 【1】. Additionally, two other vulnerabilities were identified: a Cross-Site Scripting (XSS) vulnerability (CVE-2026-20112) and a CRLF Injection vulnerability (CVE-2026-20113) 【1】.
  
  **Who is Affected:**
  The vulnerabilities affect **Cisco Catalyst 9300 Series switches**, which are commonly used in enterprise networks and are critical for network operations 【1】.
  
  **Security Implications:**
  The primary implication is the ability to move from a low-privilege account (Lobby Ambassador, privilege level 0) to a higher privilege level (level 1), enabling command injection. This can then be used to trigger a DoS by putting the device into maintenance mode 【1】. The XSS vulnerability allows for the injection and execution of malicious JavaScript within other users' sessions. The CRLF injection vulnerability compromises log integrity by allowing manipulation of log entries 【1】.
  
  **Technical Details:**
  The exploit chain begins with a command injection vulnerability that can be accessed by the restricted Lobby Ambassador account. This allows for the creation of a new user with privilege level 1 【1】. A second command injection, facilitated by insufficient command sanitization, can then be used to execute the "start maintenance" command, which is normally reserved for administrators with privilege level 15. This action triggers the DoS 【1】. The XSS vulnerability stems from inadequate server-side input validation, and the CRLF injection arises from insufficient sanitization of user input before it is logged 【1】.
  
  **What Defenders Should Know:**
  Defenders should **immediately upgrade affected Cisco Catalyst 9300 Series switches** to the latest fixed versions, following Cisco's advisories 【1】. Interim mitigation strategies include restricting WebUI access from untrusted networks, enforcing strong authentication and role-based access controls, and actively monitoring for unusual activity 【1】. Implementing a layered defense strategy, potentially including deep content inspection and device validation solutions, is recommended. Regular security validation through penetration testing is also advised to proactively identify and address vulnerabilities 【1】.
• Apifox CDN 供应链投毒事件简单复盘 - A brief recap of the Apifox CDN supply chain poisoning incident - The content posted at the URL is controlled by Apifox. The author's pseudonym appears to be 离别歌. 🔍 Show Kagi Synopsis
  A supply chain attack targeted **Apifox's CDN**, leading to the injection of malicious code into a JavaScript file (`apifox-app-event-tracking.min.js`) served from their official CDN. This compromised script was designed to **steal sensitive user information** from the Apifox desktop client. The incident occurred around **March 4th, 2026** 【1】.
  
  **Who is affected:**
  **Users of Apifox desktop versions below 2.8.19** who used the client during the period of the attack are affected 【1】.
  
  **Security Implications:**
  The attack has significant security implications, as the malicious code was capable of exfiltrating highly sensitive data. This includes **SSH keys, shell history** (e.g., `.zsh_history`, `.bash_history`), **Git credentials** (e.g., `.git-credentials`), and general **system information** 【1】. Such a breach could grant attackers unauthorized access to code repositories, servers, and other critical systems.
  
  **Technical Details:**
  The attack unfolded in multiple stages:
  * **Stage 1**: An initial script injected into the CDN file gathered machine fingerprints (MAC address, CPU info, hostname, username, OS type) and Apifox account details (email, display name). This data was encrypted using an embedded RSA private key and transmitted to a Command and Control (C2) server at `apifox.it.com`. This stage also facilitated the retrieval and execution of further JavaScript from the C2 【1】.
  * **Stage 2**: A script fetched from `apifox.it.com/public/apifox-event.js` was responsible for injecting a third-stage script into the Document Object Model (DOM) 【1】.
  * **Stage 3**: The final script, loaded from `02ab429d.js`, was designed to steal sensitive data. It specifically targeted files within `~/.ssh/` (recursively), `.zsh_history`, `.bash_history`, and `.git-credentials` on Linux/macOS, and `%USERPROFILE%'s .ssh` on Windows. The collected data was compressed, encrypted using AES-256-GCM with a key derived via `scrypt`, and then sent via POST request to `https://apifox.it.com/event/log` 【1】.
  
  **What defenders should know:**
  * **Vulnerability Window**: Users were at risk if they used Apifox desktop versions below 2.8.19 between March 4th, 2026, and the official fix 【1】.
  * **Indicators of Compromise**: Defenders should look for network logs showing outbound connections to `apifox.it.com` or related malicious domains, requests for specific paths like `/public/apifox-event.js` or `/02ab429d.js`. Additionally, the presence of `_rl_mc` and `_rl_headers` in the client's Local Storage or `Network Persistent State` file could be indicative. The `_rl_headers` might contain fields such as `af_uuid` and `af_user` 【1】.
  * **Mitigation Steps**: Users should **immediately upgrade to Apifox version 2.8.19 or higher**. It is also critical to **rotate SSH keys, Git Personal Access Tokens, change Apifox account passwords, and review shell history** for any exposed secrets. For enterprise environments, **blocking malicious domains** and **reinstalling Apifox** from the official website are recommended actions 【1】.
• Ivanti EPMM Exploitation: Hit-and-Run - WithSecure™ Labs 🔍 Show Kagi Synopsis
  A cybersecurity incident involved the exploitation of two critical vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340**, in **Ivanti Endpoint Manager Mobile (EPMM)** 【1】. These vulnerabilities allowed for remote code execution (RCE) and were exploited in the wild starting in February 2026 【1】.
  
  **Who is Affected:**
  Organizations using **Ivanti EPMM** that have internet-facing servers are at risk 【1】. At least one compromised host was identified during incident response, and multiple threat actors were observed conducting exploitation attempts 【1】.
  
  **Security Implications:**
  The incident highlights the **speed at which vulnerabilities are exploited** after their disclosure, the use of **automated toolkits**, and the **reuse of open-source tools** like AntSword webshell 【1】. It underscores the critical need for **timely patching**, robust **exposure management** for internet-facing systems, and the significant risks posed by webshells and subsequent payloads that enable data theft and persistence 【1】.
  
  **Technical Details:**
  The exploitation involves crafted HTTP GET requests using `st` and `et` parameters to achieve command execution, enabling pre-authentication code execution and the potential for a reverse shell 【1】. Attackers deployed a webshell named `403.jsp` which, when executed with `setuid` to `/usr/bin/env`, allowed for root execution 【1】. This webshell accepted a base64-encoded Java class as a payload via the `k` parameter 【1】. Two variants of the payload were observed, differing in their Java runtime requirements (Java 5+ or Java 17+) 【1】. The attack flow included reconnaissance, establishing a reverse shell, installing the webshell for persistence, deploying next-stage payloads, exfiltrating sensitive data (database and system files) into a web-accessible directory, and then retrieving it over HTTP, with attempts to cover tracks by deleting files 【1】.
  
  **What Defenders Should Know:**
  Defenders should be vigilant for **indicators of exploitation**, such as unusual URL patterns (e.g., `theValue%20%20`, `h=gPath[`). It is crucial to **detect upstream vulnerabilities**, apply patches promptly, and verify the integrity of the `403.jsp` webshell for any modifications 【1】. Monitoring for **unusual outbound network requests** and artifacts related to file exfiltration is also recommended 【1】. Organizations should focus on **controlling internet exposure**, enforcing the principle of **least privilege**, and having well-defined **incident response playbooks** ready for automated exploitation campaigns 【1】.
• Malware on public sector devices was active for almost a month in Luxembourg via a hacked MDM - Luxembourg Times 🔍 Show Kagi Synopsis
  A cybersecurity incident affected **thousands of devices within the Luxembourg public sector**, with malware remaining active for nearly a month before being discovered on February 26th and confirmed on February 27th 【1】.
  
  **What Happened:**
  Malware, described as "memory resident," infiltrated devices managed by the **State Centre for Information Technology (CTIE)**. This malware gained access to device and user data managed by CTIE 【1】.
  
  **Who is Affected:**
  **All 4,850 devices managed by the CTIE** were affected by the malware 【1】. However, devices managed by the educational IT service (CGIE) are not believed to have been impacted 【1】. While the malware accessed data managed by CTIE, personal data such as messages, calendars, and photos stored directly on the devices were not affected 【1】. State services continued to operate normally throughout the incident 【1】.
  
  **Security Implications:**
  The incident highlights the vulnerability of public sector IT infrastructure to sophisticated malware. Although state services remained operational and personal data on devices was not compromised, the breach of data managed by CTIE poses a significant security implication. The CTIE was able to isolate and reinstall the affected system, and the National Commission for Data Protection (CNPD) has concluded its investigation 【1】.
  
  **Technical Details:**
  The malware was characterized as "memory resident," meaning it operated within the device's RAM. This type of malware can be stealthy and difficult to detect 【1】. Further technical details regarding the specific type of malware or the method of initial infection were not provided in the article 【1】.
  
  **What Defenders Should Know:**
  This incident underscores the persistent threat of malware and the importance of robust security measures. While the CTIE successfully contained the threat, the minister acknowledged that such incidents cannot be entirely prevented 【1】. Defenders should be aware of the potential for memory-resident malware and the need for continuous monitoring and rapid response capabilities to mitigate such threats effectively 【1】.
• Voidstealer ABE Bypass: Chromium Application-Bound Encryption. - Gendigital 🔍 Show Kagi Synopsis
  A cybersecurity advisory details **VoidStealer**, a malware that bypasses **Application-Bound Encryption (ABE)** in Chromium-based browsers like Chrome and Edge on Windows 【1】.
  
  **What Happened:**
  VoidStealer operates by launching a suspended Chrome process, then using Windows APIs to set hardware breakpoints. These breakpoints are designed to capture the **Chrome Master Key (v20_master_key)** directly from the browser's memory. Once the key is obtained, the malware can decrypt sensitive browser data, including saved logins, cookies, and web data. The stolen information is then exfiltrated through a hidden folder and a command-and-control (C2) server. The malware also has the capability to self-delete to cover its tracks 【1】. This exploit leverages a Windows vulnerability that allows a non-administrator user to debug their own child processes 【1】.
  
  **Who is Affected:**
  **Users of Chromium-based browsers (Chrome, Edge) on Windows** are affected if VoidStealer is present on their system. The malware can function with low privileges, exploiting the Debug Privilege on a child process and hardware breakpoints to access Master Keys in memory 【1】.
  
  **Security Implications:**
  The primary security implication is a **high-risk bypass of Chrome's password protection mechanisms** by extracting Master Keys from memory. This allows attackers to decrypt saved passwords, cookies, and web data 【1】. The advisory highlights that ABE protections fail when the browser process itself is compromised by malware. Furthermore, it demonstrates how legitimate Windows debugging APIs can be misused by malware to inspect memory without triggering standard security defenses 【1】.
  
  **Technical Details:**
  The attack involves several key technical steps:
  * **Process Creation:** VoidStealer uses `CreateProcessW` with `CREATE_SUSPENDED` and `DEBUG_PROCESS` flags to initiate Chrome under a debugger, granting `SeDebugPrivilege` to the child process 【1】.
  * **Memory Access and Breakpoints:** The malware employs `ReadProcessMemory` to read process memory and `SetThreadContext` to establish hardware breakpoints in DR0-DR3 and DR7 registers. These breakpoints monitor specific memory addresses for triggers 【1】.
  * **Master Key Extraction:** It scans `chrome.dll` for a string related to password decryption (`v20_master_key`) to calculate the memory address of the Master Key. When the hardware breakpoint is hit, `ReadProcessMemory` captures the Master Key 【1】.
  * **Data Decryption and Exfiltration:** With the Master Key, the malware decrypts `Logins.json`/`Login Data`, Cookies, and Web Data. The compromised data is then stored in a hidden folder and sent to a C2 server via an encrypted channel. The malware may also delete itself 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the following:
  * **Endpoint Protection:** Employing endpoint protection and EDR/anti-malware solutions is crucial to prevent malware insertion and debugging activities 【1】.
  * **Password Management:** Consider using standalone password managers instead of relying solely on browser-stored credentials 【1】.
  * **Session Management:** Logging out of websites can invalidate session cookies, mitigating some risks if cookies are stolen 【1】.
  * **Monitoring:** Monitor for unusual or "ghost" Chrome processes and signs of process injection or debugging activity 【1】.
  * **Privilege Hardening:** Harden Windows debugging privileges. Restricting or disabling `Debug Privilege` for non-administrators can be a mitigation strategy 【1】.
  * **Multi-Factor Authentication:** Utilize hardware security keys and app-based two-factor authentication (2FA) to add layers of security, even if credentials are compromised 【1】.
• BPFDoor-controller-source: Source code to recent BPFDoor's controller variant - The content posted at the URL is controlled by **haxrob**. 🔍 Show Kagi Synopsis
  The provided GitHub repository, `BPFDoor-controller-source`, contains the source code for a controller variant of BPFDoor. It does not appear to be a cybersecurity article detailing a specific incident. Therefore, information regarding what happened, who is affected, or specific security implications beyond the tool's functionality is not available in this source.
  
  **Technical Details:**
  The repository primarily offers instructions on how to compile the BPFDoor controller. It also lists various command-line options supported by the controller. These options include:
  - Specifying destination hosts and ports.
  - Configuring secondary IP addresses.
  - Setting up reverse shell parameters.
  - Adjusting timeouts.
  - Enabling and configuring HTTPS mode.
  - Using custom magic sequences.
  - Selecting different network modes such as TCP, ICMP, and UDP.
  
  **Information for Defenders:**
  No specific information for defenders is provided within this source code repository.
• Bypassing Code Integrity Using BYOVD for Kernel R/W Primitives - S12 - 0x12Dark Development 🔍 Show Kagi Synopsis
  This article details a cybersecurity technique that bypasses Windows **Code Integrity (CI)** policies to gain **Kernel Read/Write (R/W) primitives** 【1】. This is achieved through a method known as **BYOVD (Bring Your Own Vulnerable Driver)** 【1】.
  
  **What Happened:**
  The technique allows an attacker to circumvent Windows' security measures that ensure only trusted code is executed. By exploiting a vulnerable driver, an attacker can gain the ability to modify critical system components in the kernel's memory. This ultimately leads to the disabling of **Driver Signature Enforcement (DSE)**, enabling the loading of any unsigned driver 【1】.
  
  **Who is Affected:**
  Any Windows system is potentially affected, as the bypass targets core Windows security features. The attack requires **Administrator privileges** to initiate the process of enabling necessary permissions 【1】.
  
  **Security Implications:**
  The primary security implication is a complete compromise of the system's integrity. By disabling DSE, attackers can load malicious, unsigned drivers, which can then be used for various nefarious purposes, including:
  - **Persistence:** Maintaining a foothold on the system.
  - **Privilege Escalation:** Gaining even higher levels of access.
  - **Data Exfiltration:** Stealing sensitive information.
  - **System Disruption:** Causing instability or rendering the system inoperable.
  - **Evading Detection:** Bypassing security software that relies on code integrity checks 【1】.
  
  **Technical Details:**
  The process involves several key steps:
  1. **Prepare Privileges:** The attacker's process must have **SeDebugPrivilege** enabled, which requires Administrator rights 【1】.
  2. **Locate Target (`ci.dll`):** The attacker identifies the memory address of `ci.dll`, a core component of Windows Code Integrity 【1】. This is done by enumerating loaded kernel drivers using `NtQuerySystemInformation`.
  3. **Calculate Offset:** The exact memory location of the `g_CiOptions` variable within `ci.dll` is determined. This offset varies between Windows versions and is found using tools like WinDbg 【1】.
  4. **BYOVD Bridge (Kernel R/W):** A legitimate but vulnerable driver (BYOVD) is loaded. This driver is exploited to create a pathway for writing to kernel memory 【1】. The article mentions `gdrv.sys` as an example of such a driver, citing several CVEs 【1】.
  5. **Flipping the Switch:** The `g_CiOptions` value is modified using the Kernel R/W primitive. This change, for example from `0x6` to `0x0` or `0x8`, effectively disables DSE 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of this BYOVD technique for bypassing Code Integrity. Detection methods include:
  - **Signature-based detection:** Tools like Kleenscan and YARA rules can identify known malicious files or patterns associated with this technique 【1】. The article provides a sample YARA rule designed to detect attempts to patch `g_CiOptions` 【1】.
  - **Behavioral analysis:** Endpoint Detection and Response (EDR) solutions, such as Elastic EDR, can detect the anomalous behavior associated with privilege escalation and kernel manipulation 【1】.
  - **Monitoring:** Vigilance against the loading of unsigned or blacklisted drivers is crucial. While some blacklisted drivers might be blocked, attackers can use newer, unlisted vulnerable drivers 【1】.
  - **Patching and Updates:** Keeping systems updated can mitigate vulnerabilities in drivers that might be exploited for BYOVD attacks.
• Business TikTok accounts targeted with AITM phishing kits - The content posted at the URL is controlled by **Dan Green**, who works in Threat Research for **Push Security**. 🔍 Show Kagi Synopsis
  A sophisticated phishing campaign is targeting **business TikTok accounts** by employing Adversary-in-the-Middle (AITM) phishing kits. These kits are designed to steal session tokens and hijack accounts, with a particular focus on those used by marketing teams for advertising campaigns 【1】.
  
  **What Happened:**
  Attackers are using AITM phishing kits that present users with cloned login pages. These pages are often disguised as legitimate TikTok for Business or Google Careers pages, tricking users into entering their credentials 【1】.
  
  **Who is Affected:**
  The primary targets are **business TikTok accounts** that marketing teams use for running ad campaigns. A critical vulnerability is exposed when users log into TikTok using their Google accounts, as compromising the Google login can lead to the compromise of both accounts 【1】.
  
  **Security Implications:**
  The security implications are severe and include:
  - **Account hijacking**: Attackers can take control of business TikTok accounts 【1】.
  - **Malvertising scams**: Malicious advertisements can be spread through compromised accounts 【1】.
  - **Ad fraud**: This can lead to fraudulent charges and the siphoning of company ad budgets 【1】.
  - **Data theft and extortion**: Compromising Google logins can enable further data theft or extortion attempts 【1】.
  
  **Technical Details:**
  The attack flow involves redirecting victims through legitimate Google Storage sites before presenting a Cloudflare Turnstile check to evade bot detection. This is followed by the phishing page. The phishing kits are hosted behind Cloudflare, registered via commonly abused registrars, and utilize domains with a "welcome.careers" naming convention. Attackers are also leveraging Google Storage buckets for hosting malicious content 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that these attacks are sophisticated and employ dynamic URLs and evasion techniques. While specific Indicators of Compromise (IoCs) like domain names may have a short lifespan, the focus for defense should be on **detecting and blocking browser-based attacks at the point of execution**. This can be achieved through specialized browser security platforms capable of identifying and mitigating AiTM phishing, credential stuffing, and session hijacking attempts 【1】.
• Widespread GitHub Campaign Uses Fake VS Code Security Alerts... - Socket.dev 🔍 Show Kagi Synopsis
  A widespread phishing campaign is targeting developers on **GitHub** by using **fake Visual Studio Code security alerts** posted in GitHub Discussions to deliver malware 【1】.
  
  **What Happened:**
  Attackers are creating numerous, nearly identical posts in GitHub Discussions across various repositories. These posts utilize GitHub's notification system, including email alerts, to reach developers directly. The malicious links bypass official distribution channels and often lead to a multi-step redirection chain designed to trick users into downloading malware disguised as a patched version of VS Code 【1】.
  
  **Who is Affected:**
  The primary targets are **developers who use GitHub** and participate in its Discussions feature. The campaign exploits the trust developers place in GitHub and in security-related communications 【1】.
  
  **Security Implications:**
  The campaign's goal is to trick users into installing malicious software. The initial payload is a JavaScript reconnaissance page that collects fingerprinting data (timezone, locale, platform, user agent, automation signals, URL hash) and sends it to a command-and-control server. This data is used for filtering potential follow-on attacks, such as phishing pages or exploit kits. The attackers leverage the trust in platforms like GitHub and the urgency of security alerts to increase the success rate of their attacks 【1】.
  
  **Technical Details:**
  The attack chain begins with a GitHub Discussion post that links to a file-sharing service, such as Google Drive. This service then redirects users to an attacker-controlled domain. The JavaScript payload on the landing page collects browser and system information for fingerprinting and data collection. Evasion techniques include obfuscation, hidden iframe checks, and immediate form submission. This campaign functions as a Traffic Distribution System (TDS) rather than delivering an immediate payload 【1】.
  
  **What Defenders Should Know:**
  Developers should exercise extreme caution with unsolicited security alerts found in GitHub Discussions, particularly those containing external download links, unverifiable CVEs, urgent installation instructions, or originating from unfamiliar accounts. It is crucial to **always verify security claims through official vendor channels**. This campaign highlights a growing trend of attackers using legitimate platform features for social engineering and large-scale phishing, emphasizing the need for increased vigilance within developer ecosystems 【1】.
• SecuritySnack - OpenAI Anti-Ads Malware - SecuritySnack 🔍 Show Kagi Synopsis
  A malicious Chrome extension, **"ChatGPT Ad Blocker,"** was discovered on the Google Chrome Web Store, designed to steal user data rather than block ads 【1】.
  
  **What Happened:**
  The extension systematically copied ChatGPT conversations, including the HTML structure, user prompts, and metadata. This stolen data was then sent to a webhook on a private Discord channel 【1】. This activity is believed to be a response to OpenAI's policy change to serve advertisements on its free tier 【1】.
  
  **Who is Affected:**
  Users who installed the "ChatGPT Ad Blocker" Chrome extension are affected. The extension ID is `ipmmidjikiklckbngllogmggoofbhjikgb` 【1】. The developer, associated with the GitHub ID "krittinkalra," also has ties to AI4ChatCo and Writecream, suggesting that users of these services might also be at risk 【1】.
  
  **Security Implications:**
  The primary security implication is **significant data theft and privacy violation** 【1】. There is a concern that other applications developed by the same individual or entity might also pose security risks 【1】.
  
  **Technical Details:**
  The extension uses `chrome.runtime.onInstalled` to retrieve remote configurations and creates persistent alarms to update its rules 【1】. It injects `content.js` when users visit ChatGPT, which then captures the sanitized HTML of the page 【1】. Text longer than 150 characters is redacted before the data is exfiltrated via a Discord webhook 【1】. The developer's GitHub account, "krittinkalra," previously focused on Android kernel development but has since shifted to creating JavaScript malware 【1】. The extension was created on February 10, 2026 【1】.
  
  **What Defenders Should Know:**
  Defenders should be **skeptical of extensions that promise ad blocking on valuable websites** and carefully scrutinize the permissions they request 【1】. Services affiliated with suspicious developers, such as AI4ChatCo and Writecream in this case, should be treated as potentially compromised 【1】. Extreme caution is advised with out-of-band AI services that act as intermediaries, as they may not prioritize user privacy and security and have the capability to read or modify conversations 【1】.
• Pawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities - Trend Micro 🔍 Show Kagi Synopsis
  The **Pawn Storm** cyber espionage group, also known as APT28, Fancy Bear, UAC-0001, and Forest Blizzard, has launched a campaign using a new malware suite called **PRISMEX** 【1】. This campaign targets the **defense supply chain of Ukraine and its allies**, including government, military, and critical infrastructure entities in **Czech Republic, Poland, Romania, Slovakia, Slovenia, and Turkey** 【1】.
  
  **What Happened:**
  Pawn Storm is deploying PRISMEX, a collection of malware components including PrismexDrop (dropper), PrismexLoader (steganography loader), and PrismexStager (Covenant Grunt implant) 【1】. The campaign actively exploits vulnerabilities, including a **Windows zero-day (CVE-2026-21513)** and **CVE-2026-21509**, a security feature bypass in Microsoft Office OLE 【1】. The group demonstrated advanced knowledge by preparing infrastructure for CVE-2026-21509 two weeks before its public disclosure 【1】. The malware is designed for both espionage and potential sabotage, with observed wiper commands 【1】.
  
  **Who is Affected:**
  The primary targets are the **defense supply chain of Ukraine** and its allies, encompassing government, military, and critical infrastructure organizations in Central and Eastern Europe 【1】. This includes military allies, meteorological data providers, transport hubs, and international aid corridors vital to Ukraine's defense and humanitarian operations 【1】.
  
  **Security Implications:**
  The PRISMEX malware utilizes advanced techniques such as **steganography, COM hijacking, and the abuse of legitimate cloud services** for command and control 【1】. These methods, combined with fileless execution, are designed to evade modern Endpoint Detection and Response (EDR) systems 【1】. The campaign's focus on critical infrastructure and defense supply chains poses significant risks to national security and the continuity of essential services. The inclusion of wiper commands indicates a potential for destructive actions beyond data theft 【1】.
  
  **Technical Details:**
  PRISMEX consists of several components:
  - **PrismexDrop:** A dropper component.
  - **PrismexLoader:** Utilizes steganography to hide and load the payload.
  - **PrismexStager:** An implant based on the open-source .NET command and control (C&C) framework, Covenant 【1】.
  
  The initial access vector involves weaponizing **CVE-2026-21509**, where specially crafted RTF documents embed OLE objects that trigger outbound connections to attacker-controlled WebDAV servers to retrieve and execute malicious `.lnk` (shortcut) files without user interaction 【1】. These `.lnk` files may then exploit **CVE-2026-21513**, a vulnerability in the MSHTML framework that allows code execution outside the browser sandbox via `ShellExecuteExW` 【1】. There is a suggested, though not independently confirmed by TrendAI™ Research, two-stage exploitation where CVE-2026-21509 retrieves a malicious `.lnk` file that then exploits CVE-2026-21513 【1】. The use of Covenant for payloads and the rapid integration of new vulnerabilities highlight Pawn Storm's aggressive and adaptive tactics 【1】.
  
  **What Defenders Should Know:**
  Organizations should be aware of Pawn Storm's continued aggressive targeting of Ukrainian and allied entities 【1】. Defenders need to implement robust security measures to counter advanced evasion techniques like steganography and cloud abuse 【1】. Prompt patching of vulnerabilities, particularly those exploited by Pawn Storm (CVE-2026-21509 and CVE-2026-21513), is critical 【1】. Organizations should also be vigilant against phishing attempts using RTF documents and be prepared for potential fileless execution and wiper attacks 【1】. TrendAI Vision One™ offers detection and blocking capabilities for this threat 【1】.
• Armenian Man Extradited to U.S. Faces Charges for Role in Infostealing Malware Scheme - U.S. Attorney's Office, Western District of Texas 🔍 Show Kagi Synopsis
  **Hambardzum Minasyan**, an Armenian national, has been extradited to the United States and faces federal charges for his alleged involvement in the development and administration of **RedLine**, an infostealing malware. 【1】
  
  **What Happened:**
  Minasyan is accused of conspiring with others to create and manage RedLine malware. This malware is designed to steal sensitive data, including access devices and financial information, from compromised computers. The conspirators allegedly maintained the necessary digital infrastructure, such as command-and-control (C2) servers and administrative panels, to deploy the malware and receive payments from affiliates who used it. Minasyan is specifically implicated in registering virtual private servers and internet domains to host RedLine's infrastructure and in creating repositories for malware distribution. He also reportedly used a cryptocurrency account to receive payments from affiliates. 【1】
  
  **Who is Affected:**
  The RedLine malware has been used to target **major corporations**, and its victims include individuals whose computers have been infected and had their data stolen. 【1】
  
  **Security Implications:**
  The case highlights the persistent threat of **infostealing malware**, which can lead to significant data breaches and financial losses for both individuals and organizations. The sophisticated infrastructure used to deploy and manage such malware, including the use of cryptocurrency for payments, underscores the challenges in combating these cybercriminal operations. The disruption of RedLine in October 2024 by an international effort demonstrates ongoing law enforcement actions against such threats. 【1】
  
  **Technical Details:**
  RedLine malware, when executed, targets and steals data from victims' computers. The criminal operation involved maintaining digital infrastructure, including C2 servers and administrative panels, for malware deployment and affiliate management. Minasyan allegedly registered virtual private servers and internet domains to host this infrastructure and created repositories for distributing the malware. Cryptocurrency was used to receive payments from affiliates. 【1】
  
  **What Defenders Should Know:**
  Cybersecurity defenders should be aware of the capabilities and widespread use of infostealing malware like RedLine. They should also be informed about the ongoing international efforts by law enforcement agencies to combat such cybercrime. Resources for the public and potential victims are available at [www.operation-magnus.com](http://www.operation-magnus.com). 【1】