🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware - Rapid7 🔍 Show Kagi Synopsis
  In early 2026, a sophisticated cyber intrusion, initially appearing as a standard Chaos ransomware attack, was identified as a **state-sponsored operation using a "false flag" tactic** to mask its true intent 【1】. The operation is attributed with moderate confidence to **MuddyWater (Seedworm)**, an Iranian Advanced Persistent Threat (APT) group linked to the Ministry of Intelligence and Security (MOIS) 【1】.
  
  **What Happened:**
  The attackers employed a high-touch social engineering approach, primarily using **Microsoft Teams** for interactive screen-sharing sessions to harvest credentials and manipulate Multi-Factor Authentication (MFA) 【1】. Instead of encrypting files as typical ransomware, the group focused on **data exfiltration and establishing long-term persistence** using remote management tools like DWAgent. They also utilized a custom Remote Access Trojan (RAT) named "Game.exe" 【1】. The use of Chaos ransomware was a deliberate misdirection to obscure their objectives and complicate attribution 【1】.
  
  **Who is Affected:**
  The targeted organizations are predominantly located in the **United States**, with a specific focus on the **construction, manufacturing, and business services sectors** 【1】.
  
  **Security Implications:**
  This incident highlights the evolving tactics of state-sponsored actors who are increasingly using deceptive methods to conceal their operations. The bypass of traditional ransomware indicators and the focus on data exfiltration and persistence pose significant risks for organizations. MuddyWater's increased activity in early 2026, involving cyber espionage and potential preparation for disruptive operations, underscores the heightened threat landscape 【1】.
  
  **Technical Details:**
  The attack chain involved:
  - **Initial Access:** Social engineering via Microsoft Teams messages and spearphishing 【1】.
  - **Credential Harvesting:** Users were tricked into entering credentials into attacker-controlled files or pages 【1】.
  - **MFA Manipulation:** Attackers manipulated MFA to add their own devices 【1】.
  - **Persistence and Control:** Legitimate remote access tools like DWAgent and AnyDesk were used for persistence, with DWAgent installed as a service 【1】.
  - **Data Exfiltration:** Data was exfiltrated over Command-and-Control (C2) channels 【1】.
  - **Custom Tools:** A custom RAT, "Game.exe," was analyzed, featuring anti-virtualization and anti-debugging capabilities 【1】.
  - **Infrastructure:** Specific code-signing certificates and C2 infrastructure were identified as indicators linking the activity to MuddyWater 【1】.
  - **MITRE ATT&CK Techniques:** The campaign utilized techniques including Phishing, Valid Accounts, Remote Services (RDP), Remote Access Tools, and Ingress Tool Transfer 【1】. YARA rules are available for detecting the MuddyWater RAT and Downloader 【1】.
  
  **What Defenders Should Know:**
  Defenders need to **look beyond overt ransomware indicators** and focus on the entire intrusion lifecycle 【1】. Key areas of concern include:
  - **Social Engineering:** Be vigilant against social engineering tactics employed through enterprise communication platforms like Microsoft Teams 【1】.
  - **Credential and MFA Security:** Implement robust measures to protect credentials and detect/prevent MFA manipulation 【1】.
  - **Abuse of Legitimate Tools:** Monitor for the misuse of legitimate remote access tools, which are often abused for persistence 【1】.
  - **Attribution Complexity:** Recognize that threat actors, especially state-sponsored ones, may use false flags to mislead investigations 【1】.
  - **Threat Intelligence:** Stay informed about the evolving tactics and increased operational activity of APT groups like MuddyWater 【1】.
• Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed - Hunt.io 🔍 Show Kagi Synopsis
  An **Iranian-nexus cyber operation** has been uncovered, targeting the **Omani government**, with a significant breach exposing over **26,000 citizen records** 【1】. The intrusion was discovered due to an **open directory on a RouterHosting VPS** that contained the attacker's tools, command and control (C2) code, session logs, and exfiltrated data 【1】.
  
  **What Happened:**
  The operation involved persistent access to the Omani government's network, primarily targeting the **Ministry of Justice and Legal Affairs (MJLA)** 【1】. Attackers deployed a custom webshell to maintain access and systematically extracted sensitive data, including judicial case information and user records 【1】. The attackers also utilized various exploit scripts for tasks such as Exchange spraying and SQL server escalation 【1】.
  
  **Who is Affected:**
  The primary target was the **Ministry of Justice and Legal Affairs (MJLA)** 【1】. However, the operation extended to at least **12 Omani ministries** 【1】, including:
  - Royal Oman Police
  - Royal Fleet of Oman
  - Tax Authority of Oman
  - State Audit Institution
  - Royal Court Affairs
  - Authority for Public Services Regulation
  - Civil Aviation Authority
  - Information Technology Authority (ITA)
  - Ministry of Finance
  - Ministry of Transport, Communications & IT (MTCIT)
  - Office of Public Prosecution
  
  Over **26,000 user records** were exfiltrated, containing judicial case data and registry hives 【1】.
  
  **Security Implications:**
  The breach highlights the vulnerability of government networks to sophisticated cyber espionage. The exposure of citizen data, including national ID numbers, names, and birthdates, poses significant risks of identity theft and further exploitation 【1】. The use of custom tools and exploitation of known vulnerabilities like ProxyShell (CVE-2021-34473/34523/31207) indicates a determined and capable adversary 【1】. The operation's infrastructure, linked to spoofed Iranian diaspora media and censorship circumvention tools, suggests a connection to state-sponsored activities 【1】.
  
  **Technical Details:**
  - **Command and Control (C2):** The C2 infrastructure utilized a Python HTTP server and a PowerShell beacon (`new_beacon.ps1`) that polled for commands every 30 seconds 【1】. The server exposed various ports for different functions, including SSH, HTTP, reverse shell listeners, and data exfiltration 【1】.
  - **Exploitation:** Techniques observed include password brute-forcing, ProxyShell exploitation, SQL injection, and attacks targeting Oracle APEX/ORDS and Spring Boot Actuator 【1】.
  - **Data Exfiltration:** Over 26,000 user records were extracted, with a specific focus on DotNetNuke superuser accounts and the `eGov_Person` table for personal identification details 【1】.
  - **Custom Tools:** The attackers employed custom webshells and exploit scripts, indicating a tailored approach to their targets 【1】.
  - **Infrastructure:** The operation leveraged a RouterHosting VPS in the UAE, with associated infrastructure including spoofed media sites and censorship circumvention tools, consistent with Iranian state-nexus operations 【1】.
  
  **What Defenders Should Know:**
  - **Monitor for Exposed Directories:** Attackers can be exposed during the setup phase of their operations. Tools that can detect exposed directories in real-time are crucial for early detection 【1】.
  - **Understand TTP Overlap:** The tactics, techniques, and procedures (TTPs) observed in this campaign show overlap with known Iranian-nexus groups like APT34 (OilRig) and MuddyWater (Mango Sandstorm) 【1】. Awareness of these overlaps can aid in threat intelligence and attribution.
  - **Secure Government Systems:** Robust security measures are essential to prevent unauthorized access. This includes regular vulnerability scanning, patching, and implementing strong access controls, especially for critical government systems and citizen data repositories 【1】.
  - **Investigate Infrastructure:** Defenders should be vigilant about infrastructure that mimics legitimate services or is associated with known malicious actors or state-sponsored activities 【1】.
• UAT-8302 and its box full of malware - Cisco Talos 🔍 Show Kagi Synopsis
  **UAT-8302**, a sophisticated China-nexus advanced persistent threat (APT) group, has been actively targeting **government entities in South America since at least late 2024** and **government agencies in southeastern Europe in 2025** 【1】. The primary objective of UAT-8302 is to **obtain and maintain long-term access to these entities** 【1】.
  
  The security implications of UAT-8302's activities are significant, as their post-compromise actions involve **information collection, credential extraction, and proliferation** within compromised networks 【1】. They achieve this by employing a combination of open-source tools like Impacket and proxying tools, alongside custom-built malware 【1】.
  
  Technically, UAT-8302 deploys several malware families, including **NetDraft, CloudSorcerer version 3, and VSHELL** 【1】.
  - **NetDraft and FringePorch** offer functionalities such as executing arbitrary commands, running .NET assemblies, file upload/download, file management, and executing .NET plugins 【1】.
  - **CloudSorcerer v3** exhibits varied behavior based on the process it's injected into. For instance, if running as `dpapimig.exe`, it gathers system information and receives commands. If named `spoolsv.exe`, it contacts GitHub for command and control (C2) information. In other processes, it injects itself into `dpapimig.exe` or `spoolsv.exe` to initiate malicious operations 【1】.
  - **VSHELL** is deployed through a side-loading technique where a legitimate executable loads a malicious DLL (`wininet.dll`), which then reads a BIN file and injects it into `explorer.exe` 【1】.
  
  Furthermore, UAT-8302 establishes backdoor access by setting up **proxy servers on infected systems** using tools like Stowaway to tunnel traffic outside the enterprise 【1】.
  
  Defenders should be aware that UAT-8302 utilizes a range of custom and open-source tools for their operations. Cisco Talos provides **ClamAV signatures and Snort rules** to detect and block this threat 【1】. Additionally, **indicators of compromise (IOCs)**, including file hashes and network infrastructure details, are available for monitoring and blocking purposes 【1】.
• A rigged game: ScarCruft compromises gaming platform in a supply-chain attack - ESET Research 🔍 Show Kagi Synopsis
  A cybersecurity incident involving the North Korea-aligned APT group **ScarCruft** has compromised a gaming platform, leading to a supply-chain attack that targets ethnic Koreans in China's Yanbian region 【1】. The attackers have trojanized both Windows and Android components of the platform with backdoors named **BirdCall** and **RokRAT** 【1】.
  
  **What Happened:**
  ScarCruft infiltrated the **sqgame** platform, which hosts games themed around the Yanbian region 【1】. They compromised the platform's update server and website to distribute malicious versions of games and software updates 【1】. Specifically, two Android games were trojanized with the BirdCall backdoor, and a malicious update package for the Windows desktop client contained a trojanized `mono.dll` library that deployed the RokRAT backdoor, which in turn installed BirdCall 【1】. It is believed ScarCruft did not access the game's source code but rather repackaged existing game APKs with malicious code 【1】.
  
  **Who is Affected:**
  The primary targets are **ethnic Koreans living in the Yanbian Korean Autonomous Prefecture**, a region in China bordering North Korea 【1】. The attack is likely aimed at gathering intelligence on individuals of interest to the North Korean regime, such as refugees or defectors 【1】.
  
  **Security Implications:**
  The goal of this campaign is **espionage** 【1】. The BirdCall backdoor is designed to collect sensitive personal data and documents, take screenshots, and record audio 【1】. This poses a significant risk of privacy violation and intelligence gathering for the attackers.
  
  **Technical Details:**
  - **Malware:** The attack utilizes two main backdoors:
  - **BirdCall:** This backdoor exists in both Windows and Android versions. The Android version is a port of the Windows version and is internally known as "zhuagou" 【1】.
  - **RokRAT:** This backdoor was deployed on Windows systems via a trojanized `mono.dll` library found in a software update package 【1】.
  - **Infection Vector:** The compromise occurred through a supply-chain attack, where ScarCruft injected malicious code into legitimate software distributed by the sqgame platform 【1】.
  - **Command and Control (C2):** Both versions of BirdCall use cloud storage services for C2 communication. The Android version supports pCloud, Yandex Disk, and Zoho WorkDrive, with Zoho WorkDrive being the actively used service 【1】.
  - **Data Collection:** The Android BirdCall backdoor can collect contact lists, SMS messages, call logs, documents, media files, and private keys. It can also capture screenshots and record audio 【1】. It periodically searches for files with specific extensions (e.g., .jpg, .doc, .pdf, .p12) for exfiltration 【1】.
  - **MITRE ATT&CK Techniques:** ScarCruft employed various techniques across different tactics, including Compromise Software Supply Chain (T1195.002/T1474.003), Obfuscated Files or Information (T1027.013/T1406), Screen Capture (T1113/T1513), and Exfiltration to Cloud Storage (T1567.002) 【1】.
  
  **What Defenders Should Know:**
  - **Supply Chain Risks:** Organizations should be vigilant about the security of their software supply chains, as attackers are increasingly targeting legitimate distribution channels 【1】.
  - **Targeted Espionage:** Be aware of espionage campaigns that may leverage seemingly innocuous platforms like gaming sites to target specific demographics 【1】.
  - **Indicators of Compromise (IoCs):** A comprehensive list of malicious file hashes and network infrastructure used in this attack is available, which can aid in detection and prevention 【1】.
  - **Malware Capabilities:** Defenders should understand the capabilities of backdoors like BirdCall, including their data collection methods (screenshots, audio recording, file exfiltration) and C2 communication patterns using cloud storage 【1】.
  - **Platform-Specific Threats:** Both Windows and Android platforms are targeted, requiring comprehensive security measures across all endpoints 【1】.
• CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal - Palo Alto Networks 🔍 Show Kagi Synopsis
  A critical buffer overflow vulnerability, **CVE-2026-0300**, has been identified in the **User-ID™ Authentication Portal** of Palo Alto Networks PAN-OS software 【1】. This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls by sending specially crafted packets 【1】. Limited exploitation of this vulnerability has already been observed in the wild 【1】.
  
  **Who is Affected:**
  The vulnerability impacts **PA-Series and VM-Series firewalls** running PAN-OS versions **10.2, 11.1, 11.2, and 12.1** 【1】. Prisma Access, Cloud NGFW, and Panorama appliances are not affected 【1】. Exposure is limited to devices where the User-ID™ Authentication Portal is enabled and an interface management profile with response pages enabled is associated with an external or internet-accessible interface 【1】.
  
  **Security Implications:**
  This vulnerability is rated as **CRITICAL** with a CVSS score of 9.3 【1】. Successful exploitation can lead to **root-level code execution**, posing significant risks to confidentiality, integrity, and availability 【1】. The fact that it is already being exploited in the wild, particularly against publicly exposed portals, underscores the urgency of addressing this threat 【1】.
  
  **Technical Details:**
  The weakness is categorized as **CWE-787 (Out-of-bounds Write)** and **CAPEC-100 (Overflow Buffers)** 【1】. The attack vector is network-based, meaning it can be exploited remotely without any authentication or user interaction 【1】.
  
  **What Defenders Should Know:**
  Defenders should take immediate action to mitigate this vulnerability 【1】:
  - **Restrict access** to the User-ID™ Authentication Portal to only trusted internal IP addresses 【1】.
  - **Disable Response Pages** in the Interface Management Profile on any L3 interface that is exposed to untrusted or internet traffic 【1】.
  - **Disable the User-ID™ Authentication Portal** entirely if it is not a required feature 【1】.
  - Customers with a **Threat Prevention subscription** can block attacks by enabling **Threat ID 510019** (requires Applications and Threats content version 9097-10022 and PAN-OS 11.1 or later) 【1】.
  - **Remediation** involves applying forthcoming software updates as soon as they are released 【1】.
• Inadvertent Injections - The content posted at the URL is controlled by sud0woodo. 🔍 Show Kagi Synopsis
  The cybersecurity article details a sophisticated malware implant, dubbed "PoisonedRefresh" by ESET, which targets **F5 BIG-IP APM systems** vulnerable to **CVE-2025-53521** 【1】. A new x64 variant, `apmd64`, has been analyzed, which operates by hooking the `read()` function to monitor HTTP traffic for a specific 16-byte trigger string 【1】.
  
  **What Happened:**
  The implant functions as a loader that embeds an `httpd` binary. It hooks system functions, specifically `__libc_start_main` and `read()`, to intercept and monitor HTTP traffic 【1】. Upon detecting a predefined 16-byte magic string within HTTP requests, it can prepend a minimalistic, RC4-encrypted webshell to specific PHP files on the compromised device 【1】.
  
  **Who is Affected:**
  The primary targets are **F5 BIG-IP systems** that are vulnerable to **CVE-2025-53521** 【1】.
  
  **Security Implications:**
  A significant security implication is the implant's ability to perform "inadvertent injection" 【1】. This means that if a security researcher or a third-party scanner inadvertently sends a request containing the magic string, the implant can be triggered to deploy a webshell 【1】. This could lead to misattribution of attacks or accidental compromise during security assessments 【1】. The implant is also designed for resilience, with the capability to re-inject the webshell if a file is cleaned, and it separates the initial dropper from the deployed webshell 【1】.
  
  **Technical Details:**
  - **String Encryption:** The malware uses RC4 for encryption, with keys unique to each sample, which are decrypted on the stack 【1】.
  - **Hooking Mechanism:** It patches `__libc_start_main` and the `read()` function to intercept network traffic 【1】.
  - **Traffic Analysis:** A Knuth-Morris-Pratt (KMP) string search algorithm is implemented within the `read()` hook to efficiently scan for the 16-byte magic string in both `GET` and `POST` buffers 【1】.
  - **Webshell Deployment:** Based on a specific byte following the trigger string, the implant prepends an RC4-encrypted webshell to one of several target PHP files, including `full_wt.php3`, `webtop_popup_css.php3`, `my.logout.php3`, or `apm_css.php3` 【1】.
  - **Anti-Forensics:** To hinder detection and analysis, the implant restores original file timestamps after injection and utilizes `MAP_SHARED + MS_SYNC` to ensure immediate and persistent writes to the filesystem 【1】.
  
  **What Defenders Should Know:**
  Defenders and security researchers need to be aware of the "inadvertent injection" capability 【1】. When scanning or interacting with potentially compromised F5 BIG-IP systems, care must be taken to avoid sending requests that contain the specific 16-byte magic string, as this could unintentionally trigger the webshell deployment and complicate incident response or security assessments 【1】. The implant's resilience means that simply removing the webshell may not be sufficient, as it can automatically re-inject itself 【1】.