🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• CVE-2026-35616 - CISA KEV 🔍 Show Kagi Synopsis
  **CVE-2026-35616** is a critical vulnerability affecting **Fortinet FortiClient EMS** (Endpoint Management Server) software . The vulnerability, an **improper access control** issue within the FortiClient EMS API, allows an **unauthenticated attacker to execute unauthorized code or commands** by sending specially crafted requests . Public reports describe this as a pre-authentication API access bypass that can circumvent authentication and authorization mechanisms .
  
  This vulnerability has been **actively exploited in the wild as a zero-day** . The exploitation is being used against internet-facing applications, aligning with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) . While specific threat actors or campaigns are not detailed in the provided information, the fact that it was exploited before Fortinet released an advisory indicates a significant and immediate threat .
  
  **Affected Versions:** The specific versions of Fortinet FortiClient EMS affected by CVE-2026-35616 are not explicitly listed in the provided sources, but Fortinet has released hotfixes and patches for this vulnerability .
  
  **Immediate Actions for Defenders:**
  
  * **Patch Immediately:** Apply the hotfixes and patches released by Fortinet for CVE-2026-35616 as soon as possible to prevent authentication bypass and server compromise .
  * **Monitor for Exploitation:** Be vigilant for signs of exploitation, especially on internet-facing FortiClient EMS instances.
  * **Review Access Controls:** Ensure that access controls for EMS are robust and that only necessary systems and users have access.
• The FBI's Internet Crime Complaint Center (IC3) 2025 report is out. In 2025, losses from cyber-enabled fraud surpassed the $20 billion mark. - Internet Crime Complaint Center (IC3) 🔍 Show Kagi Synopsis
  The provided link leads to the **Internet Crime Complaint Center (IC3) Annual Reports** page, which contains annual reports from 2015 to 2025. 【1】 While the page mentions specific reports on State, Cryptocurrency, and Elder Fraud, and provides information on filing complaints and identifying official government websites (which use `.gov` and HTTPS for security), **it does not contain a detailed cybersecurity article that allows for a summary covering specific incidents, affected parties, technical details, or defender strategies.** 【1】 Therefore, a detailed precis on those specific aspects cannot be provided based on the given information.
• Twenty Nodes, Eight Platforms, and a Password Stolen Twice: SideWinders PaaS-Hopping Campaign Against South Asian Defense - GHOST -- Breakglass Intelligence 🔍 Show Kagi Synopsis
  The cybersecurity group **SideWinder** has been observed conducting a sophisticated credential harvesting operation targeting defense and government organizations in **South Asia** 【1】. This campaign, which ran for at least five months, utilizes a novel technique of stealing the same victim's password twice 【1】.
  
  **What Happened:**
  SideWinder employed a multi-stage phishing attack that began with a PDF lure. This was followed by a loading spinner and then presented the victim with two distinct credential harvesting pages, disguised as login portals for different military organizations. The first page impersonated the **Bangladesh Navy's** Zimbra webmail, and the second impersonated the **Pakistan Air Force's** Zimbra webmail. This "dual harvest" technique is designed to capture credentials from individuals who have accounts with multiple military services 【1】. The operation leverages **eight legitimate Platform-as-a-Service (PaaS) providers**, including Zeabur, Leapcell, and Railway, across **twenty infrastructure nodes**, avoiding traditional hosting methods 【1】.
  
  **Who is Affected:**
  The campaign has targeted seven organizations across Pakistan and Bangladesh, including:
  * **Margalla Heavy Industries Limited (MHIL)**, a Pakistani defense contractor 【1】.
  * **Pakistan Air Force** 【1】.
  * **Bangladesh Navy** 【1】.
  * **Nayatel**, a Pakistani Telecom/ISP 【1】.
  * **Bangladesh Computer Council**, a government IT entity 【1】.
  * **NTC Pakistan**, a telecommunications company 【1】.
  * An unidentified entity involved in **International Relations** 【1】.
  
  The targeting indicates a broad scope, encompassing diplomacy, civilian government, military, defense industry, and telecommunications sectors 【1】.
  
  **Security Implications:**
  The use of PaaS providers for hosting phishing infrastructure presents a significant challenge for defenders. SideWinder's "living off the land" approach, where they utilize free tiers of legitimate services, makes it difficult to disrupt their operations through traditional takedowns of dedicated servers or domains 【1】. The dual password harvesting technique increases the likelihood of obtaining valid credentials, especially from individuals with cross-organizational responsibilities 【1】. This could lead to further compromise of sensitive military and government systems.
  
  **Technical Details:**
  The attack chain involves five stages:
  1. **PDF Lure:** A document related to defense or engineering is presented.
  2. **Loading Spinner:** A timed redirect delay is implemented.
  3. **First Credential Theft:** A Zimbra webmail clone impersonating the **Bangladesh Navy** attempts to steal credentials.
  4. **Second Credential Theft:** A Zimbra clone impersonating the **Pakistan Air Force** attempts to steal credentials.
  5. **Final Redirect:** The victim is redirected to a seemingly legitimate PDF document 【1】.
  
  The infrastructure relies on PaaS providers such as **Zeabur** (primary phishing hosting), **Leapcell** (secondary phishing hosting), and **Railway** (credential collection backend), among others 【1】. Most of the infrastructure uses subdomains provided by these PaaS services, further obscuring attribution 【1】.
  
  **What Defenders Should Know:**
  * **PaaS Abuse:** Be aware that threat actors are actively abusing PaaS providers for malicious activities. Traditional methods of blocking IP addresses or domains may be less effective.
  * **Dual Harvest Technique:** Recognize the possibility of phishing campaigns designed to harvest credentials multiple times within a single attack chain, targeting users with access to multiple services.
  * **Detection Signatures:** **Four YARA rules and nine Suricata signatures** have been developed to detect the patterns associated with this campaign, including the Zeabur/Leapcell/Railway phishing sites, the dual-harvest Zimbra clones, and reused parameter fingerprints 【1】.
  * **Active Threats:** At least two Zeabur-hosted phishing sites remain active, targeting MHIL and Nayatel 【1】.
• [PATCH v2 0/1] HID: add malicious HID device detection driver - Zubeyr Almaho - The content posted at the URL is controlled by the administrator of the website that uses Anubis to protect the server from AI companies scraping websites. 🔍 Show Kagi Synopsis
  The cybersecurity article discusses **Anubis**, a system implemented to protect websites from aggressive scraping by AI companies, which can lead to server downtime and inaccessibility of resources.
  
  - **What Happened**: The website administrator has implemented Anubis to prevent AI companies from scraping the site. This system acts as a deterrent by requiring a Proof-of-Work (PoW) challenge, similar to Hashcash, which is designed to be a minor load for individual users but significantly more expensive for mass scrapers.
  - **Who is Affected**: The primary targets are **AI companies** engaging in aggressive web scraping. Legitimate users might also be affected if they are using browser plugins like **JShelter** that disable modern JavaScript features required by Anubis.
  - **Security Implications**: The main implication is the **prevention of website downtime and resource inaccessibility** caused by excessive scraping. Anubis aims to make scraping economically unfeasible for AI companies, thereby protecting the website's availability for legitimate users. It's described as a "compromise" solution, with the long-term goal of developing more sophisticated methods to identify and block headless browsers.
  - **Technical Details**: Anubis employs a **Proof-of-Work scheme** inspired by Hashcash. This means that users (or scrapers) must perform a computational task to prove their legitimacy. The article notes that Anubis relies on **modern JavaScript features**, and users are advised to disable plugins like JShelter that might interfere with these features.
  - **What Defenders Should Know**: Defenders should be aware that Anubis is a **temporary measure** while more advanced bot detection methods, such as fingerprinting headless browsers by analyzing font rendering, are developed. They should also understand that **browser extensions that block JavaScript** might interfere with Anubis, and users may need to whitelist the domain or disable such extensions for the site to function correctly.
• Remote code execution in CentOS Web Panel - CVE-2025-70951 - Fenrisk research team 🔍 Show Kagi Synopsis
  A critical vulnerability, **CVE-2025-70951**, has been discovered in **Control Web Panel (CWP)**, allowing for remote code execution (RCE) 【1】.
  
  **What Happened:**
  The vulnerability stems from an authentication bypass in the "addons" module of CWP. While a similar issue (CVE-2025-48703) was patched in the "filemanager" module, the "addons" module remained susceptible. Attackers can exploit this bypass, combined with a command injection flaw in the `dompath` parameter, to execute arbitrary commands on the server 【1】.
  
  **Who is Affected:**
  The vulnerability affects users running **Control Web Panel versions 0.9.8.1222, 0.9.8.1219, and 0.9.8.1218** 【1】. An attacker needs to know a valid username on the targeted CWP server to exploit this vulnerability 【1】.
  
  **Security Implications:**
  The primary security implication is **unauthenticated remote code execution**. This means an attacker can gain full control over the affected server, leading to data breaches, system compromise, and further network infiltration 【1】.
  
  **Technical Details:**
  The exploit involves sending a POST request to the `/cwp_a89c3f3d35b74378/test2/test2/index.php?module=addons&act=install` endpoint. The authentication bypass allows the request to proceed without proper credentials. Subsequently, the `dompath` parameter is manipulated to inject malicious commands. For example, an attacker could use `dompath=$(uname -a)` to execute the `uname -a` command, which would be reflected in the server's strace output 【1】. The vulnerability was tested and confirmed on CentOS 7 【1】.
  
  **What Defenders Should Know:**
  - **Update CWP Immediately:** The vulnerability has been fixed in **version 0.9.8.1224**. All users running affected versions should update their CWP installation as soon as possible 【1】.
  - **Vigilance for Older Versions:** Be aware that older versions of CWP are vulnerable. If immediate updating is not possible, consider implementing additional security measures or isolating affected systems.
  - **Username Knowledge Required:** While the exploit is unauthenticated in terms of session credentials, it does require the attacker to know a valid username on the CWP instance 【1】.
  - **Timeline:** The vulnerability was discovered in December 2025, with a fix released in March 2026 【1】.
• Creative approaches to coding FUD Stagers - R.B.C (g3tsyst3m) 🔍 Show Kagi Synopsis
  The article details creative methods for coding Fully Undetected (FUD) stagers, which are designed to evade detection by modern Endpoint Detection and Response (EDR) systems, particularly those employing machine learning and AI 【1】.
  
  **What Happened:**
  The article presents a FUD stager variant that operates by downloading raw shellcode from a remote URL and executing it directly in memory, without writing any files to disk. This approach aims to bypass static analysis and API monitoring commonly used by security software 【1】.
  
  **Who is Affected:**
  The primary targets are **users and organizations** whose systems are vulnerable to malware execution. The techniques described are employed by **threat actors** seeking to gain initial access or maintain persistence on compromised systems.
  
  **Security Implications:**
  The core security implication is the **successful evasion of detection mechanisms**. By executing code in memory and obfuscating API calls, these stagers can deliver malicious payloads undetected, leading to potential data breaches, system compromise, or further network infiltration. The use of script interpreter languages and low-level NT APIs makes detection more challenging 【1】.
  
  **Technical Details:**
  The FUD stager variant employs several techniques:
  * **Obfuscation:** API names and URLs are reversed as strings to evade static analysis. Familiar terms like "shellcode" are shortened or renamed 【1】.
  * **In-Memory Execution:** The stager downloads shellcode from a URL (itself obfuscated via string reversal) 【1】.
  * **Memory Allocation:** It uses `NtAllocateVirtualMemory` to allocate executable (RWX) memory, bypassing standard API monitoring 【1】.
  * **Shellcode Execution:** The downloaded shellcode is copied into the allocated memory using `memmove` and then executed via `NtCreateThreadEx`, a low-level NT API 【1】.
  * **Evasion of API Monitoring:** By using NT-layer APIs and obfuscating their names, the stager aims to avoid detection by security solutions that monitor common API calls 【1】.
  * **Scripting Languages:** The article suggests that languages like Python, Ruby, Perl, and PHP are good candidates for FUD stagers due to less scrutiny compared to compiled code, although Powershell, despite heavy abuse, is also considered viable with effort 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the evolving tactics used to bypass EDR solutions. Key points include:
  * **Adaptive Defenses:** Relying solely on signature-based detection is insufficient. EDR solutions need to incorporate behavioral analysis and machine learning to detect novel evasion techniques 【1】.
  * **Monitoring Low-Level APIs:** Increased scrutiny of calls to NT-layer APIs like `NtAllocateVirtualMemory` and `NtCreateThreadEx` is crucial, especially when combined with other suspicious activities.
  * **Script Interpreter Scrutiny:** While compiled code is often targeted, the article highlights the effectiveness of using scripting languages for FUD payloads. Monitoring script execution and network connections initiated by scripts is important 【1】.
  * **In-Memory Threats:** The ability to execute code entirely in memory without touching the disk presents a significant challenge. Memory forensics and runtime analysis become critical for detection and investigation.
  * **Obfuscation Techniques:** Understanding common obfuscation methods, such as string reversal, is vital for de-obfuscating and analyzing suspicious code.
• KslKatzBof: A Beacon Object File (BOF) in-line LSASS credential extraction from C2 using the KslD.sys BYOVD technique - Maximilian Barz 🔍 Show Kagi Synopsis
  The cybersecurity article details **KslKatzBof**, a tool designed to extract credentials from LSASS (Local Security Authority Subsystem Service) processes that are protected by PPL (Protected Process Light) 【1】.
  
  **What Happened:**
  KslKatzBof utilizes a **Bring Your Own Vulnerable Driver (BYOVD)** technique, specifically employing **KslD.sys**, a Microsoft-signed kernel driver. This allows it to perform in-line LSASS credential extraction without injecting code into the target process 【1】.
  
  **Who is Affected:**
  Systems with **LSASS processes protected by PPL** are affected. This technique bypasses the protections typically afforded by PPL 【1】.
  
  **Security Implications:**
  The primary security implication is that **attackers can obtain credentials from protected systems** by leveraging legitimate, signed components. This bypasses security measures designed to protect sensitive credential data 【1】.
  
  **Technical Details:**
  - KslKatzBof is a **Beacon Object File (BOF)** 【1】.
  - It uses the **BYOVD technique** with **KslD.sys** 【1】.
  - It achieves **in-line LSASS credential extraction** without process injection 【1】.
  - It can extract **MSV1_0 NT hashes** per logon session and **WDigest cleartext passwords** if caching is enabled 【1】.
  - The technique builds upon prior work from projects like **KslDump and GhostKatz**, with a vulnerability attributed to **maxkray13's Defender project** 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of this **BYOVD technique**. They should understand that **LSASS credential theft is still possible** even on systems with PPL enabled, as attackers can exploit signed drivers to bypass these protections 【1】.
• SilentNimvest: Nim implementation for sud0Ru's Credential Dumping from SAM/SECURITY Hives Method (a.k.a. SilentHarvest) - The content posted at the URL is controlled by the individual or organization associated with the GitHub username @R0h1rr1m 🔍 Show Kagi Synopsis
  **SilentNimvest** is a tool designed to parse Security Account Manager (SAM) and Security Hives, which contain sensitive credential information on Windows systems 【1】. It utilizes the **Silent Harvest technique** to extract this data 【1】.
  
  **What Happened:**
  SilentNimvest allows an administrator with `SeBackupPrivilege` enabled to dump local user hashes, cached domain logon information, LSA Secrets, and other secrets from SAM and Security hives 【1】. This is achieved by using the `RegQueryMultipleValuesW` API, which is less likely to trigger alerts from Endpoint Detection and Response (EDR) systems compared to other methods 【1】.
  
  **Who is Affected:**
  The tool affects **Windows systems** where it is executed. Specifically, it targets local user credentials, cached domain logon information, and LSA secrets. The example output shows it can extract information for local users like "Administrator," "Guest," and custom users like "zoro" 【1】.
  
  **Security Implications:**
  The primary security implication is the **unauthorized access to sensitive credentials**. By obtaining local user hashes and cached domain logon information, an attacker could potentially perform **pass-the-hash** or **pass-the-ticket** attacks to gain further access to the network 【1】. The extraction of LSA secrets can also lead to the compromise of other sensitive data stored by the operating system. The use of a less-alerted API makes detection more challenging for security defenders 【1】.
  
  **Technical Details:**
  - **Tool:** SilentNimvest, written in Nim.
  - **Technique:** Silent Harvest.
  - **Target Hives:** SAM and Security Hives.
  - **Privilege Required:** Administrator account with `SeBackupPrivilege` enabled.
  - **API Used:** `RegQueryMultipleValuesW` (less EDR-alerted registry read API).
  - **Data Extracted:**
  - Local user hashes (e.g., `aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0`) 【1】.
  - Cached domain logon information.
  - LSA Secrets.
  - DPAPI keys (machine and user) 【1】.
  - NL$KM 【1】.
  - Plaintext user information (e.g., from `_SC_Backupservice`) 【1】.
  - **Execution:** Can be executed directly from an elevated Administrator terminal without parameters 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the **Silent Harvest technique** and the use of the `RegQueryMultipleValuesW` API for registry reads. Monitoring for unusual access patterns to SAM and Security hives, especially by processes that have `SeBackupPrivilege` enabled, is crucial. Additionally, understanding the types of data SilentNimvest extracts can help in developing more targeted detection rules and incident response playbooks. It is important to note that the misuse of this tool is illegal and should only be used for authorized security testing 【1】.
• PoisonKiller: Another BYOVD process killer. works on CrowdStrike. fully signed. - The content posted at the URL is controlled by **j3h4ck** . 🔍 Show Kagi Synopsis
  **PoisonKiller** is a proof-of-concept (POC) kernel-mode process killer that utilizes a signed Microsoft driver, **PoisonX.sys**, to terminate any process on a system 【1】. This includes processes protected by **Protected Lightweigth Processes (PPL)**, such as **CrowdStrike Falcon** endpoint detection and response (EDR) services 【1】.
  
  **What Happened:**
  The PoisonKiller POC was developed as part of research into Bring Your Own Vulnerable Driver (BYOVD) techniques. It exploits a signed Microsoft driver to gain kernel-level access and terminate processes 【1】.
  
  **Who is Affected:**
  Any system running **Windows** that can have the PoisonX.sys driver loaded is potentially affected. This is particularly concerning for systems protected by EDR solutions that rely on PPL for process integrity, as PoisonKiller can bypass these protections 【1】.
  
  **Security Implications:**
  The primary security implication is the ability to bypass EDR solutions and terminate critical security processes. The driver has a valid **Microsoft signature** and, at the time of discovery, had **0 detections on VirusTotal** 【1】. This low detection rate and legitimate signature make it stealthy and difficult to block using traditional signature-based methods 【1】. The driver was signed on **March 25, 2025** 【1】.
  
  **Technical Details:**
  - **Driver:** PoisonX.sys is a kernel-mode driver.
  - **Loading the Driver:** It can be loaded using standard Windows service commands:
  ```cmd
  sc create PoisonX type= kernel binPath= C:\full\path\to\PoisonX.sys
  sc start PoisonX
  ```
  To stop and remove it:
  ```cmd
  sc stop PoisonX
  sc delete PoisonX
  ```
  【1】
  - **Execution:** The POC executable, `PoisonKiller.exe`, takes a **Process ID (PID)** as a command-line argument to terminate a specific process. For example:
  ```cmd
  PoisonKiller.exe 5140
  ```
  【1】
  - **Interface:** The driver exposes an **IOCTL interface** to interact with it 【1】. The specific IOCTL code is `0x22E010` 【1】.
  - **Write-up:** A detailed reverse engineering analysis, including IDA analysis and driver internals, is available at [Reverse Engineering a 0day used Against CrowdStrike EDR](https://medium.com/@jehadbudagga/reverse-engineering-a-0day-used-against-crowdstrike-edr-a5ea1fbe3fd4) 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the following Indicators of Compromise (IOCs) related to this driver:
  - **Device Path:** `\\.\{F8284233-48F4-4680-ADDD-F8284233}` 【1】
  - **IOCTL Code:** `0x22E010` 【1】
  - **Signer:** Microsoft Windows Hardware Compatibility Publisher 【1】
  - **Sign Date:** 2025-03-25 【1】
  
  Defenders should focus on detecting the loading of unsigned or unusually signed kernel drivers, monitoring for suspicious process termination events, and implementing robust endpoint security solutions that can detect and block kernel-level manipulation. Given the driver's valid Microsoft signature, traditional signature-based detection might be insufficient, necessitating behavioral analysis and integrity monitoring.
• Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab - KrebsOnSecurity 🔍 Show Kagi Synopsis
  German authorities have identified and "doxxed" a key figure in the ransomware world, **Daniil Maksimovich Shchukin**, a 31-year-old Russian national. He is accused of leading the notorious **GandCrab** and **REvil** ransomware operations, which were responsible for at least 130 acts of computer sabotage and extortion against German victims between 2019 and 2021 【1】.
  
  **Who is Affected:**
  The primary victims identified are **businesses and organizations within Germany**, with at least 130 specific instances of cyberattacks 【1】. Shchukin and another Russian national, **Anatoly Sergeevitsch Kravchuk**, are accused of extorting nearly 2 million euros from these victims, causing over 35 million euros in total economic damage 【1】. Globally, GandCrab and REvil were significant ransomware groups, with GandCrab extorting over $2 billion before shutting down 【1】, and REvil evolving into a "big-game-hunting" operation targeting large organizations 【1】. A major REvil attack on Kaseya impacted over 1,500 businesses, nonprofits, and government agencies 【1】.
  
  **Security Implications:**
  The doxxing of Shchukin highlights the ongoing efforts by law enforcement to unmask and hold accountable leaders of major cybercrime syndicates. The article underscores the significant financial and operational impact of ransomware groups like GandCrab and REvil, which have pioneered sophisticated extortion tactics. The **double extortion** method, where victims are pressured to pay for both decryption and the non-publication of stolen data, is a key tactic that these groups popularized 【1】. The FBI's previous infiltration of REvil's servers and subsequent release of a decryption key severely impacted the group, demonstrating the effectiveness of coordinated law enforcement actions 【1】.
  
  **Technical Details:**
  * **GandCrab:** This ransomware operation, active from January 2018, utilized an **affiliate program** that offered substantial profit shares to hackers for gaining initial access to corporate networks. The group released five major versions of its malware, each incorporating new features and bug fixes to evade security firms 【1】.
  * **REvil:** Emerging around the time of GandCrab's shutdown, REvil was widely believed to be a reorganization of GandCrab 【1】. It evolved into a sophisticated operation targeting large companies with substantial revenues and cyber insurance 【1】. A notable attack involved compromising Kaseya, a software provider, which led to a widespread impact on its clients 【1】.
  * **Double Extortion:** Both GandCrab and REvil pioneered the practice of demanding two separate payments: one for decrypting systems and another to prevent the public release of exfiltrated data 【1】.
  * **Financial Traces:** Shchukin's alleged involvement is linked to a digital wallet containing over $317,000 in cryptocurrency, as noted in a U.S. Justice Department filing 【1】.
  
  **What Defenders Should Know:**
  * **Leadership is Being Targeted:** Law enforcement agencies are actively identifying and pursuing the alleged leaders of major ransomware operations, as demonstrated by the German authorities' action against Shchukin 【1】.
  * **Sophistication of Tactics:** Ransomware groups like REvil have become highly sophisticated, employing "big-game-hunting" strategies and double extortion to maximize their profits 【1】.
  * **Persistence of Threat Actors:** Even after the shutdown of GandCrab and the disruption of REvil, the individuals behind them may continue to operate or re-emerge in new forms 【1】. Shchukin is also linked to earlier cybercrime activities, such as operating botnets under the alias "Ger0in" 【1】.
  * **Importance of Incident Response and Decryption:** The FBI's successful release of a decryption key for REvil victims highlights the potential for law enforcement intervention to mitigate damage 【1】. Robust incident response plans and the ability to leverage available decryption tools are crucial.
  * **Geographical Considerations:** Shchukin is believed to be in Russia, indicating the challenges in apprehending cybercriminals operating from certain jurisdictions 【1】.
  
  It is noted that Shchukin was previously identified as the REvil leader in a 2023 conference talk 【1】.