
Intelligence Center

The Talos 2025 Year in Review highlights a significant shift towards attackers targeting identity infrastructure and network components to bypass MFA and gain privileged access. Key threats include widespread exploitation of React2Shell, supply chain attacks targeting CI/CD pipelines, and the dominance of Qilin ransomware.

Confidence: high · Analyzed: 2026-03-26 · Type: reports

Authors: Amy Ciminnisi

Actors: Qilin, PureLog Stealer

Source: Cisco Talos

IOCs · 6

Key Takeaways

  • Attackers are increasingly targeting identity-centric network infrastructure, such as application delivery controllers (ADCs) and network management platforms, to bypass MFA and impersonate users.
  • React2Shell and ToolShell were the top targeted vulnerabilities in 2025, with significant focus on supply chain attacks via frameworks and libraries.
  • Qilin was the most prevalent ransomware variant observed in 2025.
  • Phishing remains the primary initial access vector, present in 40% of IR cases, with internal phishing accounting for 35% of those cases.
  • A critical Oracle Identity Manager vulnerability (CVE-2026-21992) is being actively exploited in the wild.

Affected Systems

  • Identity and Access Management (IAM) applications
  • Network devices (application delivery controllers, ADCs)
  • Apple iOS (older versions)
  • Checkmarx KICS
  • Oracle Identity Manager

Vulnerabilities

  • CVE-2026-21992 (Oracle Identity Manager)
  • React2Shell (remote code execution in React Server Components; a named vulnerability, not a CVE identifier)
  • ToolShell (exploit chain against on-premises Microsoft SharePoint Server; a named vulnerability, not a CVE identifier)

Attack Chain

Attackers heavily utilize phishing, including internal phishing, for initial access. Once inside, they target identity-centric network components like ADCs and management platforms to bypass MFA and impersonate users. This allows them to traverse networks undetected and deploy payloads such as Qilin ransomware or PureLog Stealer across the compromised infrastructure.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect execution of malware payloads such as PureLog Stealer or Qilin ransomware, but typically has no visibility into compromises that occur directly on network appliances such as ADCs, where no agent runs.
  • Network Visibility: High. Network telemetry is crucial for detecting anomalous administrative access to network management platforms and identifying MFA bypass attempts.
  • Detection Difficulty: Moderate. Detecting identity compromise via network appliances requires correlating authentication logs with network traffic, which is hard without centralized logging and behavioral analytics.

Required Log Sources

  • Authentication Logs
  • Network Device Logs
  • Email Gateway Logs
  • IAM Application Logs

Hunting Hypotheses

  • Hypothesis: Adversaries may be performing MFA spray attacks against Identity and Access Management (IAM) applications.
    • Telemetry: Authentication logs showing high volumes of failed MFA prompts across multiple accounts in a short timeframe.
    • ATT&CK Stage: Credential Access
    • FP Risk: Low
  • Hypothesis: Threat actors may be accessing network management platforms or ADCs from unexpected external IP addresses to modify identity controls.
    • Telemetry: Network device administrative access logs and VPN logs.
    • ATT&CK Stage: Defense Evasion
    • FP Risk: Medium
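Both hypotheses above, implemented as an added example (this is not code from the Talos report or from this summary's author) over constructed log events. The event schemas, the thresholds (8 MFA failures across 5 or more accounts within 10 minutes), and the list of networks from which ADC and NMS administration is expected are all assumptions for illustration; the final function joins the two hunts on source IP, which is the pivot from credential abuse to identity-infrastructure tampering that the report describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed IAM authentication events: (timestamp, user, source IP, outcome).
# Schema and values are assumptions for this example, not real telemetry.
AUTH_EVENTS = [
    ("2026-03-20T09:00:05", "alice", "10.0.0.5",      "MFA_DENIED"),
    ("2026-03-20T09:00:40", "alice", "10.0.0.5",      "MFA_OK"),
    ("2026-03-20T09:01:00", "alice", "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:01:12", "bob",   "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:01:25", "carol", "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:01:41", "dave",  "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:01:58", "erin",  "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:02:10", "frank", "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:02:33", "alice", "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:02:50", "bob",   "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:03:04", "carol", "198.51.100.23", "MFA_DENIED"),
    ("2026-03-20T09:45:00", "grace", "192.0.2.77",    "MFA_DENIED"),
    ("2026-03-20T09:46:00", "grace", "192.0.2.77",    "MFA_DENIED"),
    ("2026-03-20T09:47:00", "grace", "192.0.2.77",    "MFA_OK"),
]

# Constructed administrative-access events from ADCs / network management:
# (timestamp, admin user, source IP, device, action). Also assumed.
ADMIN_EVENTS = [
    ("2026-03-20T08:30:00", "netadmin", "10.20.0.14",    "adc-01", "config_write"),
    ("2026-03-20T09:05:00", "netadmin", "10.99.0.8",     "nms-01", "login"),
    ("2026-03-20T09:12:00", "netadmin", "198.51.100.23", "adc-01", "config_write"),
    ("2026-03-20T09:13:00", "svc-ro",   "203.0.113.9",   "adc-02", "login"),
]

# Assumed: the management LAN and the VPN address pool are the only networks
# from which ADC / NMS administration is expected. Including the VPN pool is
# what keeps remote-but-legitimate admins out of the medium-FP-risk bucket.
EXPECTED_ADMIN_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("10.99.0.0/24")]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_mfa_spray(events, window=timedelta(minutes=10), min_failures=8, min_users=5):
    """Per source IP, slide a time window over MFA failures and flag any window
    holding >= min_failures failures spread across >= min_users distinct accounts.
    Returns {src_ip: (failures, distinct_users)} for the worst window per IP."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "MFA_DENIED":
            by_ip[ip].append((_ts(ts), user))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            n, users = len(in_window), len(set(in_window))
            if n >= min_failures and users >= min_users and (n, users) > hits.get(ip, (0, 0)):
                hits[ip] = (n, users)
    return hits


def detect_unexpected_admin_access(events, expected=EXPECTED_ADMIN_NETWORKS,
                                   sensitive=("config_write", "login")):
    """Flag admin actions on network devices whose source IP lies outside every
    expected management network. Returns [(device, user, src_ip, action)]."""
    flagged = []
    for _ts_unused, user, ip, device, action in events:
        if action not in sensitive:
            continue
        addr = ip_address(ip)
        if not any(addr in net for net in expected):
            flagged.append((device, user, ip, action))
    return flagged


def correlate(auth_events, admin_events):
    """Join the two hunts on source IP: an address that sprays MFA and then
    administers an ADC / NMS is the identity-infrastructure pivot to escalate."""
    spray = detect_mfa_spray(auth_events)
    admin = detect_unexpected_admin_access(admin_events)
    return sorted({ip for _, _, ip, _ in admin if ip in spray})


if __name__ == "__main__":
    print("MFA spray:", detect_mfa_spray(AUTH_EVENTS))
    print("Unexpected admin access:", detect_unexpected_admin_access(ADMIN_EVENTS))
    print("Pivot candidates:", correlate(AUTH_EVENTS, ADMIN_EVENTS))
```

On the constructed data, 198.51.100.23 produces nine failures across six accounts in about two minutes and then writes configuration on adc-01, so it surfaces in all three outputs; grace's two failures followed by a success are the normal "fat-fingered token" pattern and are not flagged. Keying the spray hunt by source IP is a simplification; in production also key by user agent or device fingerprint, since sprays from a proxy pool will spread across many addresses.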

Control Gaps

  • Lack of EDR deployment on network appliances and ADCs
  • Insufficient monitoring of internal phishing campaigns

Key Behavioral Indicators

  • MFA spray patterns
  • Unexpected identity infrastructure configuration changes
  • Anomalous internal email forwarding or mass mailing

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the emergency patch for Oracle Identity Manager vulnerability CVE-2026-21992.
  • Block the provided malicious SHA256 and MD5 hashes in EDR and network security controls.

Infrastructure Hardening

  • Prioritize patching of network devices and ADCs, treating them as critical identity control points.
  • Secure CI/CD pipelines against poisoned GitHub Actions, specifically auditing Checkmarx KICS usage.
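For the CI/CD item above, the concrete audit a practitioner would run is checking every third-party action reference for a mutable ref. The script below is an added example (not code from the Talos report, and not a Checkmarx or GitHub tool); the workflow text is constructed, the checkmarx/kics-github-action line appears only as the pattern being checked, and the commit SHA on the pinned line is illustrative rather than a real commit.

```python
import re

# Constructed workflow for the audit, mixing mutable references (tags, a branch,
# an untagged container image) with one full-SHA pin. The SHA is illustrative.
WORKFLOW = """
name: ci
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@master
        with:
          path: .
      - uses: some-org/lint-action@2.1.0
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo done
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(spec):
    """Classify one `uses:` value as (repo, ref, verdict).

    verdict is 'pinned' for a 40-hex commit SHA (or a docker image with a
    sha256 digest), 'local' for a path inside the repository, and 'mutable'
    for anything the upstream owner can move: tags, branches, a bare repo
    with no ref (resolves to the default branch), or an image by tag only.
    """
    if spec.startswith("./"):
        return (spec, None, "local")
    if spec.startswith("docker://"):
        return (spec, None, "pinned" if "@sha256:" in spec else "mutable")
    repo, _, ref = spec.partition("@")
    if FULL_SHA_RE.match(ref):
        return (repo, ref, "pinned")
    return (repo, ref or None, "mutable")


def audit_workflow(text):
    """Return every mutable action reference as (line_no, repo, ref)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, verdict = classify_ref(m.group(1))
        if verdict == "mutable":
            findings.append((n, repo, ref))
    return findings


def pin(spec, sha, version):
    """Rewrite `owner/repo@<tag>` as `owner/repo@<sha> # <tag>`. The SHA must
    come from the release the team actually reviewed (e.g. `git ls-remote`),
    so a later retag or force-push upstream cannot change what runs."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError("pin requires a full 40-hex commit SHA")
    repo, _, _ = spec.partition("@")
    return f"{repo}@{sha} # {version}"


if __name__ == "__main__":
    for n, repo, ref in audit_workflow(WORKFLOW):
        print(f"line {n}: {repo}@{ref} is not pinned to a commit SHA")
```

Tags are the usual trap: `@v4` and `@2.1.0` look versioned but a compromised maintainer account can move them, which is exactly the poisoned-action scenario. Pinning to a SHA with the version kept as a trailing comment preserves readability and keeps dependency-update bots able to propose bumps.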

User Protection

  • Implement phishing-resistant MFA across all critical applications.
  • Deploy advanced email filtering to detect and block internal phishing attempts and the fake copyright infringement notices used to deliver infostealers.

Security Awareness

  • Train employees on the risks of internal phishing and how to verify suspicious requests from colleagues.
  • Educate staff on identifying fake copyright infringement notices used to distribute infostealers.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1078 - Valid Accounts
  • T1111 - Multi-Factor Authentication Interception
  • T1190 - Exploit Public-Facing Application
  • T1486 - Data Encrypted for Impact

Additional IOCs

Six file hashes, each with its Talos file-reputation lookup (the lookup URLs are defanged Talos pages, not attacker infrastructure):

  • Win.Worm.Coinminer::1201
    • SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
    • MD5: 2915b3f8b703eb744fc54c81f4a9c67f
    • Lookup: hxxps://talosintelligence[.]com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
  • W32.Injector:Gen.21ie.1201
    • SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
    • MD5: aac3165ece2959f39ff98334618d10d9
    • Lookup: hxxps://talosintelligence[.]com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
  • Auto.90B145.282358.in02
    • SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
    • MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a
    • Lookup: hxxps://talosintelligence[.]com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
  • W32.5E6060DF7E-100.SBX.TG
    • SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe
    • MD5: a2cf85d22a54e26794cbc7be16840bb1
    • Lookup: hxxps://talosintelligence[.]com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe
  • Win.Dropper.Miner::95.sbx.tg
    • SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
    • MD5: 7bdbd180c081fa63ca94f9c22c457376
    • Lookup: hxxps://talosintelligence[.]com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
  • W32.38D053135D-95.SBX.TG
    • SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55
    • MD5: 41444d7018601b599beac0c60ed1bf83
    • Lookup: hxxps://talosintelligence[.]com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55