DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
ESET researchers discovered a cluster of 28 fraudulent Android applications, dubbed CallPhantom, that accumulated over 7.3 million downloads on Google Play. These apps deceive users by falsely claiming to retrieve call and message logs for arbitrary phone numbers, instead presenting hardcoded, randomly generated data to extort subscription payments via Google Play billing, UPI, or direct card entry.
In Q1 2026, vulnerability registrations continued to rise, heavily influenced by AI-assisted discovery tools. Threat actors and APT groups actively exploited a mix of legacy and newly discovered vulnerabilities across Windows, Linux, and Microsoft Office, frequently utilizing C2 frameworks like Metasploit and Sliver to bypass authentication and gain initial access.
A malvertising campaign is leveraging a fake Claude AI website to distribute a malicious MSI installer. The infection chain employs DLL sideloading via a legitimate G DATA executable to execute DonutLoader, which ultimately deploys a novel backdoor dubbed 'Beagle' for remote command execution and file manipulation.
The Canadian Centre for Cyber Security released a daily digest highlighting five security advisories. Notably, Ivanti Endpoint Manager Mobile (EPMM) contains an actively exploited vulnerability (CVE-2026-6973), and critical updates were issued for Spring Cloud Config, VM2 Node.js library, Mozilla Firefox, and multiple Broadcom VMware Tanzu products.
CISA has added CVE-2026-6973, an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability per BOD 22-01, and all organizations are strongly urged to prioritize patching to reduce exposure to cyberattacks.
The article details the threat landscape of 'suspicious websites' that evade traditional phishing classifications but remain highly dangerous. These include fake online stores, dubious crypto exchanges, and fake browser extensions. Threat actors leverage newly registered domains, cheap TLDs, and poor infrastructure security (missing HTTP headers, lack of SPF/DMARC) to conduct financial fraud, data theft, and browser hijacking. Detection requires a multi-faceted approach analyzing domain age, IP reputation, and infrastructure configurations.
Threat Activity Enablers (TAEs) are infrastructure providers that deliberately support malicious cyber operations by offering resilient, bulletproof hosting. By leveraging corporate shell companies, controlling Autonomous Systems (ASNs), and rapidly rebranding, TAEs like Virtualine Technologies and Stark Industries evade sanctions and takedowns to sustain ransomware, botnet, and state-sponsored campaigns.
Threat actors are increasingly leveraging Vercel's GenAI capabilities, specifically v0.dev, to rapidly generate and host highly convincing credential phishing pages. By combining AI-generated frontends with Telegram Bot API integrations for real-time credential exfiltration, attackers can deploy resilient, low-effort phishing infrastructure on legitimate cloud services that evades traditional detection mechanisms.
Palo Alto Networks has disclosed a critical buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) in the PAN-OS User-ID Authentication Portal. This flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls, with limited active exploitation already observed in the wild.
OceanLotus is suspected of orchestrating a PyPI supply chain attack using malicious wheel packages to deliver a novel cross-platform malware named ZiChatBot. The malware acts as a dropper for Windows and Linux systems, establishing persistence and utilizing the Zulip team chat application's REST APIs for command and control.
This article summarizes a LABScon 25 presentation by Joe FitzPatrick on the systemic risks introduced by foreign-manufactured networked devices in critical infrastructure and consumer markets. It highlights issues such as undocumented cellular radios, mandatory product activation, and the ineffectiveness of import bans, advocating instead for hardware bills of materials and right-to-repair legislation.
The Canadian Centre for Cyber Security released a daily digest highlighting three security advisories. The most critical is an actively exploited, unauthenticated buffer overflow vulnerability (CVE-2026-0300) affecting the Palo Alto Networks PAN-OS User-ID Authentication Portal. Additional routine security updates were announced for Google Chrome and VMware Tanzu GemFire Management Console.
CISA has added CVE-2026-0300, an out-of-bounds write vulnerability affecting Palo Alto Networks PAN-OS, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation to reduce exposure to cyberattacks.
Model Context Protocol (MCP) servers introduce a new attack surface akin to AI-native APIs, exposing organizations to protocol-level attacks, injection vulnerabilities, and authorization bypasses. Because MCP tools often use permissive validation to accommodate LLM inputs and proactively broadcast their capabilities via plain-English descriptions, attackers can easily map business logic and exploit downstream systems or trigger resource exhaustion.
A recent security audit of PyPI by Trail of Bits uncovered 14 vulnerabilities, including high-severity access control flaws that allowed unauthorized role escalation and persistent stale permissions across project transfers. Additionally, a JWT replay vulnerability in the OIDC trusted publishing flow and an unpatched metadata validation gap highlight ongoing supply chain risks for Python package consumers.
Threat actors are exploiting the OpenClaw AI agent framework by publishing a deceptive 'DeepSeek-Claw' skill that distributes malware. The campaign utilizes malicious installation instructions to deploy Remcos RAT on Windows via DLL sideloading and GhostLoader on macOS/Linux via obfuscated Node.js scripts, enabling persistent access and data exfiltration.
A large-scale phishing campaign is targeting U.S. organizations across multiple sectors using fake event invitations. The campaign employs a repeatable infrastructure to bypass initial defenses via CAPTCHA, subsequently leading to either credential and OTP interception or the deployment of legitimate Remote Monitoring and Management (RMM) tools for persistent access.
Cisco Talos identified an intrusion campaign utilizing the CloudZ RAT and a novel plugin named Pheno to intercept SMS and OTP messages. The malware abuses the Microsoft Phone Link application's PC-to-phone bridge, allowing attackers to steal sensitive authentication data from local SQLite databases without deploying malware directly to the victim's mobile device.
Cisco Talos identified UAT-8302, a China-nexus APT, targeting global government entities using a diverse toolkit of custom and shared malware. The threat actor leverages DLL side-loading to deploy implants like NetDraft, CloudSorcerer v3, and VSHELL, while utilizing open-source tools for extensive network reconnaissance, credential harvesting, and lateral movement.
The InstallFix campaign leverages malvertising to distribute fake Claude AI installation pages, tricking users into executing malicious MSHTA commands. This initiates a multi-stage, fileless infection chain utilizing a ZIP/HTA polyglot, COM object abuse, and AMSI/SSL bypasses to deliver a payload associated with RedLine Stealer. The campaign demonstrates advanced evasion tactics, including the use of victim-unique C2 subdomains derived from machine fingerprints.
