2026-05-134 minhigh

Intelligence Center

This threat intelligence newsletter highlights the emerging 'Platform-as-a-Proxy' (PaaP) technique, where attackers abuse legitimate SaaS notifications to bypass traditional email security. It also covers active campaigns, including Storm-1175 deploying Medusa ransomware via CVE-2026-1731, and UAT-10362 targeting Taiwanese organizations with a novel Lua-based malware called LucidRook.

Conf:highAnalyzed:2026-04-09reports

Authors: William Largent

ActorsFancy BearStorm-1175UAT-10362North Korean hackersMedusa ransomwareLucidRook

CVE-2026-1731 LucidRook SaaS Phishing PaaP Medusa Ransomware

Source:Cisco Talos

IOCs · 6

sha256
38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55Prevalent malware file observed by Talos (W32.38D053135D-95.SBX.TG)
sha256
5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfePrevalent malware file observed by Talos (W32.5E6060DF7E-100.SBX.TG)
sha256
90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59Prevalent malware file observed by Talos (Auto.90B145.282358.in02)
sha256
96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974Prevalent malware file observed by Talos (W32.Injector:Gen.21ie.1201)
sha256
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507Prevalent malware file observed by Talos (Win.Worm.Coinminer::1201)
sha256
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91Prevalent malware file observed by Talos (Win.Dropper.Miner::95.sbx.tg**)

Key Takeaways

Threat actors are weaponizing legitimate SaaS notification pipelines (GitHub, Jira) in a 'Platform-as-a-Proxy' (PaaP) technique to bypass email authentication.
Storm-1175 is rapidly exploiting CVE-2026-1731 in BeyondTrust Remote Support to deploy Medusa ransomware.
A new Lua-based malware named 'LucidRook' is being used by UAT-10362 to target Taiwanese NGOs and universities.
APT 28 (Fancy Bear) has compromised thousands of home routers for credential theft operations.

Affected Systems

GitHub
Jira
BeyondTrust Remote Support
BeyondTrust Privileged Remote Access
Home routers

Vulnerabilities (CVEs)

CVE-2026-1731

Attack Chain

Threat actors are increasingly utilizing a 'Platform-as-a-Proxy' (PaaP) technique, abusing legitimate SaaS platforms like GitHub and Jira to send malicious notifications. Because these notifications originate from trusted infrastructure, they successfully bypass traditional email authentication protocols (SPF, DKIM, DMARC) to deliver phishing links for credential harvesting. Concurrently, other threat groups like Storm-1175 are exploiting known vulnerabilities (such as CVE-2026-1731 in BeyondTrust) to gain initial access and rapidly deploy ransomware payloads like Medusa.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No

The article does not provide specific detection rules or queries.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the execution of dropped malware (like LucidRook or Medusa), but lacks visibility into the initial SaaS-based phishing delivery mechanism. Network Visibility: Low — PaaP attacks utilize legitimate, encrypted SaaS infrastructure (GitHub, Jira), making network-level detection of the malicious payload highly difficult. Detection Difficulty: Hard — The PaaP technique relies on trusted domains and valid email authentication, bypassing standard perimeter defenses and blending in with normal business operations.

Required Log Sources

SaaS API Logs
SIEM
Email Gateway Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Search SaaS API logs for anomalous project creation or mass invitations that deviate from established user baselines.	SaaS API Logs	Initial Access	High
Monitor for unusual spikes in system-generated notifications from platforms like GitHub or Jira directed at users who do not typically interact with those platforms.	Email Gateway Logs	Initial Access	Medium

Control Gaps

Traditional Email Security Gateways (SEGs) relying solely on SPF, DKIM, and DMARC

Key Behavioral Indicators

Anomalous SaaS project creation
Mass invitations originating from SaaS platforms
Semantic deviation in notification content compared to standard platform baselines

False Positive Assessment

High, as detecting Platform-as-a-Proxy (PaaP) attacks requires identifying behavioral anomalies within legitimate SaaS traffic, which can easily flag normal, benign business operations.

Recommendations

Immediate Mitigation

Implement instance-level verification for SaaS notifications.
Cross-reference incoming notifications against internal SaaS directories.

Infrastructure Hardening

Ingest SaaS API logs into the SIEM to detect anomalous precursor activities.
Require out-of-band verification for high-risk interactions.

User Protection

Apply semantic intent analysis to identify notifications that deviate from a platform's established functional baseline.

Security Awareness

Train employees on 'automation fatigue' and the risks of reflexively trusting system-generated alerts from business-critical platforms.

MITRE ATT&CK Mapping

T1566.002 - Phishing: Spearphishing Link
T1190 - Exploit Public-Facing Application
T1486 - Data Encrypted for Impact
T1078 - Valid Accounts

Additional IOCs

Urls:
- hxxps://talosintelligence[.]com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 - Talos Reputation Link for Win.Worm.Coinminer::1201
- hxxps://talosintelligence[.]com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 - Talos Reputation Link for Auto.90B145.282358.in02
- hxxps://talosintelligence[.]com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 - Talos Reputation Link for W32.38D053135D-95.SBX.TG
- hxxps://talosintelligence[.]com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 - Talos Reputation Link for Win.Dropper.Miner::95.sbx.tg**
- hxxps://talosintelligence[.]com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 - Talos Reputation Link for W32.Injector:Gen.21ie.1201
- hxxps://talosintelligence[.]com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe - Talos Reputation Link for W32.5E6060DF7E-100.SBX.TG
File Hashes:
- 2915b3f8b703eb744fc54c81f4a9c67f (MD5) - MD5 for Win.Worm.Coinminer::1201
- c2efb2dcacba6d3ccc175b6ce1b7ed0a (MD5) - MD5 for Auto.90B145.282358.in02
- 41444d7018601b599beac0c60ed1bf83 (MD5) - MD5 for W32.38D053135D-95.SBX.TG
- 7bdbd180c081fa63ca94f9c22c457376 (MD5) - MD5 for Win.Dropper.Miner::95.sbx.tg**
- aac3165ece2959f39ff98334618d10d9 (MD5) - MD5 for W32.Injector:Gen.21ie.1201
- a2cf85d22a54e26794cbc7be16840bb1 (MD5) - MD5 for W32.5E6060DF7E-100.SBX.TG
File Paths:
- VID001.exe - Example filename for Win.Worm.Coinminer::1201
- APQ9305.dll - Example filename for Auto.90B145.282358.in02
- content.js - Example filename for W32.38D053135D-95.SBX.TG
- d4aa3e7010220ad1b458fac17039c274_62_Exe.exe - Example filename for Win.Dropper.Miner::95.sbx.tg**
- d4aa3e7010220ad1b458fac17039c274_63_Exe.exe - Example filename for W32.Injector:Gen.21ie.1201
- a2cf85d22a54e26794cbc7be16840bb1.exe - Example filename for W32.5E6060DF7E-100.SBX.TG