Cyber Threat Brief — March 1, 2026
Six actionable threats today: three are Metasploit exploit drops (a GL.iNet brute-force-to-root chain, a Barracuda ESG module for CVE-2023-7102, and a new SQLi-to-RCE chain in openDCIM), one is a fresh supply chain attack (Go/Rekoobe/APT31), one is an unauthenticated root RCE in Juniper ISP-grade PTX routers patched today, and one is an active archive.org steganography campaign delivering Remcos and AsyncRAT. All sources verified within the 24-hour window.
1. Malicious Go Module Impersonates x/crypto to Deploy Rekoobe Backdoor (APT31)
What’s New (Last 24 Hours)
Socket security researcher Kirill Boychenko disclosed a malicious Go module (github.com/xinfeisoft/crypto) impersonating the canonical golang.org/x/crypto library. The module hooks ReadPassword() in ssh/terminal/terminal.go to silently capture SSH passwords and exfiltrate them to attacker infrastructure, then stages a shell script that: (1) appends the threat actor's SSH keys to authorized_keys, (2) sets iptables default policies to ACCEPT, and (3) downloads additional payloads disguised with .mp5 extensions, including Rekoobe, a Linux backdoor linked to Chinese APT31 since at least August 2023. Confirmed C2: 154.84.63.184:443. The Go security team has blocked the package on pkg.go.dev, but it remains in many dependency graphs, and builds that already cached or vendored the module are not affected by that block.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| github.com/xinfeisoft/crypto | IOC | T1195.001 | Search SBOMs/go.mod/go.sum and dependency graphs for this module path; alert on new introductions in build pipelines. |
| ssh/terminal/terminal.go | TTP | T1056.001 | Hunt for this modified file in Go module caches/build artifacts; review diffs around ReadPassword(). |
| /home/ubuntu/.ssh/authorized_keys | IOC | T1098.004 | Alert on unexpected writes/modifications to authorized_keys outside admin tooling (ssh-copy-id/sshd). |
| iptables -P INPUT ACCEPT | TTP | T1562.004 | Alert on iptables default policy changes to ACCEPT; correlate with curl |
| 154.84.63.184 | IOC | T1071.001 | Hunt outbound connections to 154.84.63.184:443 from developer/build hosts; pivot to process + module provenance. |
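A worked check for the go.mod/go.sum search in the table above, added here as an illustration and not part of the brief or of Socket's tooling. It parses the two files directly (no golang.org/x/mod dependency), flags the blocklisted path in require entries and go.sum, and also flags any replace directive that redirects golang.org/x/crypto, since a replace is the quietest way an impersonating module reaches a build. The sample go.mod and go.sum are constructed.

```python
# Module paths the brief names as malicious (blocklist for this example).
MALICIOUS_MODULES = {"github.com/xinfeisoft/crypto"}
# The canonical module being impersonated.
IMPERSONATED = "golang.org/x/crypto"


def _strip(raw):
    """Drop a trailing // comment (go.mod style) and surrounding whitespace."""
    return raw.split("//", 1)[0].strip()


def _require_lines(gomod):
    """Yield (path, version) for each require entry, single-line or block form."""
    in_block = False
    for raw in gomod.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block:
            parts = line.split()
            if len(parts) >= 2:
                yield parts[0], parts[1]
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                yield parts[1], parts[2]


def _replace_lines(gomod):
    """Yield (old_path, new_target) for each replace directive, single-line or block form."""
    in_block = False
    for raw in gomod.splitlines():
        line = _strip(raw)
        body = None
        if line.startswith("replace ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block:
            body = line
        elif line.startswith("replace "):
            body = line[len("replace "):]
        if body and "=>" in body:
            left, right = body.split("=>", 1)
            if left.split() and right.split():
                yield left.split()[0], right.split()[0]


def scan_go_deps(gomod, gosum=""):
    """Return findings as (kind, path, detail) tuples:
    - 'require': the blocklisted module is a direct or indirect requirement
    - 'replace': the impersonated module is redirected elsewhere, or something
                 is redirected to the blocklisted module
    - 'go.sum':  the blocklisted module was resolved and hashed at some point,
                 even if it has since left go.mod
    """
    findings = []
    for path, version in _require_lines(gomod):
        if path in MALICIOUS_MODULES:
            findings.append(("require", path, version))
    for old, new in _replace_lines(gomod):
        if (old == IMPERSONATED and new != IMPERSONATED) or new in MALICIOUS_MODULES:
            findings.append(("replace", old, new))
    for raw in gosum.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] in MALICIOUS_MODULES:
            findings.append(("go.sum", parts[0], parts[1]))
    return findings


# Constructed sample files for this example, not taken from a real project.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
\tgithub.com/xinfeisoft/crypto v0.1.0 // indirect
\tgolang.org/x/sys v0.20.0
)

replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.1.0
"""

SAMPLE_GO_SUM = """github.com/xinfeisoft/crypto v0.1.0 h1:constructedhash0000000000000000000000000000=
github.com/xinfeisoft/crypto v0.1.0/go.mod h1:constructedhash1111111111111111111111111111=
golang.org/x/sys v0.20.0 h1:constructedhash2222222222222222222222222222=
"""

if __name__ == "__main__":
    for kind, path, detail in scan_go_deps(SAMPLE_GO_MOD, SAMPLE_GO_SUM):
        print(f"{kind:8} {path} {detail}")
```

`go list -m all` prints the resolved build list in the same `path version` shape as the first two columns of go.sum, so passing its output as the second argument covers transitive modules that never appear in the root go.mod; `go mod why -m github.com/xinfeisoft/crypto` then names the import chain that pulled it in. A replace that points golang.org/x/crypto at a local checkout is flagged too; that is deliberate, since it deserves a look either way.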
Hunt Queries (Pseudo)
FROM telemetry
WHERE timestamp >= now()-24h
AND (
  dest_ip IN ('154.84.63.184')
  OR file_path CONTAINS ANY ('github.com/xinfeisoft/crypto', 'ssh/terminal/terminal.go', '/home/ubuntu/.ssh/authorized_keys')
  OR cmdline CONTAINS 'iptables -P INPUT ACCEPT'
)
SELECT host, user, process_name, cmdline, dest_ip, dest_domain, file_hash, file_path
ORDER BY timestamp DESC
Detect Queries (Pseudo)
RULE go_xinfeisoft_crypto_supply_chain
WHEN
event.type IN (process_start, network_connection, file_create, dns_query)
AND any(event.observable IN ['github.com/xinfeisoft/crypto', 'ssh/terminal/terminal.go', '/home/ubuntu/.ssh/authorized_keys', 'iptables -P INPUT ACCEPT', '154.84.63.184'])
AND mitre.technique_id IN ['T1195.001', 'T1056.001', 'T1098.004', 'T1562.004', 'T1071.001']
THEN
alert.severity = 'high'
alert.title = 'Malicious Go crypto supply chain — Rekoobe/APT31 indicators'
group_by = [host, user, process_name]
window = 15m
Detection Coverage (Existing Rules)
Sources
- The Hacker News — Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — Published 2026-02-28
- The Insider X — Malicious Go Module Impersonates crypto Library to Deploy Rekoobe Backdoor — Published 2026-02-28
2. GL.iNet Router Unauthenticated Brute-Force to Root RCE (CVE-2025-67090 / CVE-2025-67089)
What’s New (Last 24 Hours)
Metasploit PR #21037 (March 1, 2026) adds a full unauthenticated-to-root exploit chain for GL.iNet OpenWrt-based routers running firmware <= 4.6.8. Step 1: auxiliary/scanner/http/glinet_login exploits CVE-2025-67090: the LuCI login endpoint (POST /cgi-bin/luci) has no rate limiting, so credentials can be brute-forced, with a 302 redirect marking a valid password. Step 2: exploit/linux/http/glinet_rce exploits CVE-2025-67089: the plugins.install_package RPC method passes the name parameter unsanitized to a shell command, giving root command injection via backtick substitution. Payloads target aarch64/armle/mipsle. Affected models: MT6000, AXT1800, MT3000, MT300N-V2, AR750.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| CVE-2025-67090 | IOC | T1110 | Upgrade to a firmware release newer than 4.6.8 (the module targets <= 4.6.8; confirm the exact fixed version against GL.iNet's advisory); monitor for high-rate POST auth attempts on the LuCI interface from non-admin IPs. |
| POST /cgi-bin/luci (302 redirect = valid credential) | TTP | T1110 | Hunt web logs for spikes of POST /cgi-bin/luci with varying passwords and 302 responses indicating valid credential discovery. |
| CVE-2025-67089 | IOC | T1059.004 | Upgrade to a firmware release newer than 4.6.8 and keep the LuCI/RPC interface off the WAN side; monitor RPC calls for install_package name[] values containing shell metacharacters or backticks. |
| POST /rpc (jsonrpc method=challenge/login) | TTP | T1071.001 | Hunt for unusual volumes of /rpc JSON-RPC challenge/login sequences from non-admin networks. |
| plugins.install_package name[] with backtick command substitution | TTP | T1059.004 | Detect payload injection in RPC request bodies; correlate with subsequent outbound reverse shell traffic from router. |
Hunt Queries (Pseudo)
FROM web_logs
WHERE timestamp >= now()-24h
AND uri IN ('/cgi-bin/luci', '/rpc')
AND method = 'POST'
AND (response_code = 302 OR request_body CONTAINS 'install_package')
SELECT src_ip, uri, response_code, request_body, timestamp
ORDER BY timestamp DESC
Detect Queries (Pseudo)
RULE glinet_exploit_chain
WHEN
event.type IN (network_connection, http_request)
AND any(event.observable IN ['POST /cgi-bin/luci', 'POST /rpc', 'install_package', 'CVE-2025-67090', 'CVE-2025-67089'])
AND mitre.technique_id IN ['T1110', 'T1059.004', 'T1071.001']
THEN
alert.severity = 'high'
alert.title = 'GL.iNet LuCI brute-force or RPC command injection detected'
group_by = [src_ip, dest_host]
window = 5m
Detection Coverage (Existing Rules)
Sources
- GitHub — Metasploit PR #21037: GL.iNet Router Exploit Chain — Published 2026-03-01
3. Barracuda ESG XLS Eval Injection Gets Metasploit Module (CVE-2023-7102)
What’s New (Last 24 Hours)
Metasploit PR #21035 (March 1, 2026) introduces exploit/linux/smtp/barracuda_esg_spreadsheet_rce — a working module for CVE-2023-7102 in Barracuda Email Security Gateway. The exploit crafts a BIFF8 XLS attachment embedding a malicious Number format string ([>0;system('CMD')]0) that Amavis processes via Spreadsheet::ParseExcel’s unsafe eval() in Utility.pm. Payload executes as the scana mail-scanning user 30–90 seconds after email delivery. Tested against physical Barracuda ESG 300 (firmware 8.0.1.001). Originally exploited by UNC4841 (China-nexus) starting November 2023; Barracuda auto-patched December 21, 2023. A working Metasploit module significantly lowers the exploitation bar for unpatched/legacy ESG appliances still in the wild.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| CVE-2023-7102 | IOC | T1203 | Validate patch status on all Barracuda ESG appliances: the fix shipped as an automatic security update on December 21, 2023, so an appliance that was offline, isolated from Barracuda's update service, or past end-of-support at that time may still be unpatched. |
| [>0;system('COMMAND')]0 | TTP | T1203 | Hunt for XLS attachments with Number format strings containing semicolons/system() in gateway/sandbox scan logs. |
| BIFF8 FORMAT record (opcode 0x041E) with Perl eval payload | TTP | T1566.001 | Flag XLS files with FORMAT records containing Perl metacharacters (semicolons adjacent to comparison operators). |
| Amavis/scana user spawning unexpected child processes | TTP | T1203 | Alert on child processes or outbound network connections initiated by Amavis or the scana mail-scanner user. |
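To make the BIFF8 FORMAT-record check in the table concrete, here is an added scanner (example code, not Metasploit's module and not Barracuda's detection logic) that walks a raw BIFF8 record stream, decodes each FORMAT record's XLUnicodeString and flags a condition section containing a ';' or a Perl call. Two caveats: an .xls file is an OLE2 compound document, so the Workbook stream has to be extracted first (for instance with the third-party olefile library), and this example does not reassemble strings split across CONTINUE records. The sample stream is constructed around the format string the brief quotes.

```python
import re
import struct

BOF_RT, EOF_RT, FORMAT_RT = 0x0809, 0x000A, 0x041E


def iter_biff_records(stream):
    """Walk a raw BIFF8 record stream, yielding (record_type, payload)."""
    off = 0
    while off + 4 <= len(stream):
        rt, cb = struct.unpack_from("<HH", stream, off)
        off += 4
        yield rt, stream[off:off + cb]
        off += cb


def decode_xl_unicode_string(data):
    """Decode a BIFF8 XLUnicodeString: cch (2 bytes), option flags (1 byte), chars.
    Only the fHighByte flag is handled; rich-text and Far-East extensions are not."""
    cch, flags = struct.unpack_from("<HB", data, 0)
    body = data[3:]
    if flags & 0x01:
        return body[:2 * cch].decode("utf-16-le", errors="replace")
    return body[:cch].decode("latin-1")


# A legitimate condition section looks like [>0], [<=100] or [Red]; a ';' or a
# Perl call inside the brackets is what reaches Spreadsheet::ParseExcel's eval().
SUSPICIOUS = re.compile(r"\[[^\]]*(?:;|system\s*\(|exec\s*\(|`)[^\]]*\]", re.I)


def scan_format_records(stream):
    """Return (ifmt, format_string) for every FORMAT record matching the heuristic."""
    hits = []
    for rt, payload in iter_biff_records(stream):
        if rt != FORMAT_RT or len(payload) < 5:
            continue
        ifmt = struct.unpack_from("<H", payload, 0)[0]
        fmt = decode_xl_unicode_string(payload[2:])
        if SUSPICIOUS.search(fmt):
            hits.append((ifmt, fmt))
    return hits


# --- constructed sample stream (not a real attachment) -----------------------
def _record(rt, payload):
    return struct.pack("<HH", rt, len(payload)) + payload


def make_format_record(ifmt, text, wide=False):
    """Build a FORMAT record; wide=True writes the string as UTF-16LE (fHighByte=1)."""
    body = text.encode("utf-16-le") if wide else text.encode("latin-1")
    return _record(FORMAT_RT, struct.pack("<HHB", ifmt, len(text), 1 if wide else 0) + body)


BENIGN_FMT = "[>0]0.00;[Red]-0.00"
MALICIOUS_FMT = "[>0;system('CMD')]0"   # the shape the brief quotes

SAMPLE_STREAM = (
    _record(BOF_RT, bytes(16))
    + make_format_record(164, BENIGN_FMT)
    + make_format_record(165, MALICIOUS_FMT)
    + make_format_record(166, MALICIOUS_FMT, wide=True)
    + _record(EOF_RT, b"")
)

if __name__ == "__main__":
    for ifmt, fmt in scan_format_records(SAMPLE_STREAM):
        print(f"FORMAT ifmt={ifmt}: {fmt!r}")
```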
Hunt Queries (Pseudo)
FROM email_gateway_telemetry
WHERE timestamp >= now()-24h
AND attachment_extension IN ('.xls')
AND scanner_user IN ('scana', 'amavis')
SELECT src_ip, sender, recipient, attachment_name, child_process, dest_ip, timestamp
ORDER BY timestamp DESC
Detect Queries (Pseudo)
RULE barracuda_esg_amavis_rce
WHEN
event.type IN (process_start, network_connection)
AND event.user IN ('scana', 'amavis')
AND (child_process NOT IN ['clamscan','spamassassin','razor2'] OR dest_ip_external = true)
AND mitre.technique_id IN ['T1203', 'T1566.001']
THEN
alert.severity = 'critical'
alert.title = 'Barracuda ESG Amavis spawned unexpected process or outbound connection — CVE-2023-7102'
group_by = [host, child_process, dest_ip]
window = 5m
Detection Coverage (Existing Rules)
Sources
- GitHub — Metasploit PR #21035: Barracuda ESG Spreadsheet::ParseExcel RCE (CVE-2023-7102) — Published 2026-03-01
4. openDCIM install.php SQLi to RCE (CVE-2026-28515 / CVE-2026-28516 / CVE-2026-28517)
What’s New (Last 24 Hours)
Metasploit PR #21034 (February 28, 2026) adds exploit/linux/http/opendcim_install_sqli_rce chaining three vulnerabilities in openDCIM (through version 25.01). Attack chain: CVE-2026-28515 — install.php remains accessible post-install with no auth and no input sanitization; attacker injects stacked SQL via the LDAP configuration form to overwrite the Graphviz dot binary path in fac_Config; triggering report_network_map.php causes exec() to run the poisoned command as www-data. The module backs up and restores the original config. In common Docker deployments (SetEnv REMOTE_USER dcim), the entire attack is unauthenticated.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| CVE-2026-28515 | IOC | T1190 | Identify all internet-facing openDCIM instances; block/restrict access to install.php immediately. |
| POST install.php with stacked SQL in LDAP parameters | TTP | T1190 | Hunt web logs for POST to install.php with LDAP-parameter values containing SQL metacharacters (SLEEP(), stacked queries). |
| fac_Config dot binary path set to shell payload | TTP | T1059.004 | Monitor the fac_Config DB table for changes to the Graphviz dot parameter containing shell metacharacters. |
| report_network_map.php triggering exec() | TTP | T1059.004 | Hunt for GET requests to report_network_map.php shortly after install.php POST activity; correlate with unexpected child process spawning on web server. |
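The web-log hunts for this item and for the GL.iNet chain in item 2 need the same machinery, so one added detector serves both (example code, not from either Metasploit module or from the brief's sources). It runs over parsed request events and raises: a LuCI brute-force alert once a source exceeds a POST volume threshold, a success alert when a 302 follows, an alert for shell metacharacters in a plugins.install_package name[] value, an alert for SQL in an install.php POST body, and an alert when the same source hits report_network_map.php shortly afterwards. The event layout, the JSON-RPC body shape, the thresholds and the regexes are this example's assumptions; the brief does not name the openDCIM LDAP field names, so the whole install.php body is inspected.

```python
import re
from collections import defaultdict

WINDOW_S = 300          # sliding window for the LuCI brute-force counter
LUCI_THRESHOLD = 20     # POSTs to /cgi-bin/luci from one source inside the window
EXEC_FOLLOWUP_S = 600   # report_network_map.php hit this soon after an install.php POST

# Constructed patterns: approximations of the request shapes the brief describes.
RPC_INSTALL_PKG = re.compile(r"install_package")
RPC_NAME_FIELD = re.compile(r'"name"\s*:\s*(\[[^\]]*\]|"[^"]*")')
SHELL_META = re.compile(r"[`;|&]|\$\(")
SQL_META = re.compile(
    r"\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bUNION\b|;\s*(?:UPDATE|INSERT|DELETE|SELECT)\b|'\s*(?:--|#)",
    re.I,
)


def detect(events):
    """events: iterable of dicts with ts (epoch s), src_ip, method, uri, status, body.
    Returns a list of (rule, src_ip, ts, detail) alerts in time order."""
    alerts = []
    luci_posts = defaultdict(list)   # src_ip -> timestamps of POST /cgi-bin/luci
    last_install_post = {}           # src_ip -> ts of the latest POST to install.php

    for e in sorted(events, key=lambda x: x["ts"]):
        ip, ts, uri = e["src_ip"], e["ts"], e["uri"]
        body = e.get("body", "")
        is_post = e["method"] == "POST"

        # GL.iNet CVE-2025-67090: unlimited login attempts; a 302 marks a valid credential.
        if is_post and uri.startswith("/cgi-bin/luci"):
            bucket = luci_posts[ip]
            bucket.append(ts)
            while ts - bucket[0] > WINDOW_S:
                bucket.pop(0)
            if len(bucket) == LUCI_THRESHOLD:
                alerts.append(("glinet_luci_bruteforce", ip, ts, f"{LUCI_THRESHOLD} POSTs in {WINDOW_S}s"))
            if len(bucket) >= LUCI_THRESHOLD and e["status"] == 302:
                alerts.append(("glinet_luci_bruteforce_success", ip, ts, "302 after brute-force volume"))

        # GL.iNet CVE-2025-67089: shell metacharacters in plugins.install_package name[].
        if is_post and uri == "/rpc" and RPC_INSTALL_PKG.search(body):
            m = RPC_NAME_FIELD.search(body)
            if m and SHELL_META.search(m.group(1)):
                alerts.append(("glinet_rpc_install_package_injection", ip, ts, m.group(1)))

        # openDCIM CVE-2026-28515: SQL in an install.php POST, then the exec() trigger.
        if is_post and uri.endswith("/install.php"):
            if SQL_META.search(body):
                alerts.append(("opendcim_install_php_sqli", ip, ts, body[:80]))
            last_install_post[ip] = ts
        if uri.endswith("/report_network_map.php") and ip in last_install_post:
            gap = ts - last_install_post[ip]
            if 0 <= gap <= EXEC_FOLLOWUP_S:
                alerts.append(("opendcim_exec_trigger_after_install_post", ip, ts, f"{gap}s after install.php POST"))
    return alerts


# Constructed web-log events for this example (not from a real incident).
ATTACKER = "203.0.113.7"
SAMPLE_EVENTS = [
    {"ts": 1000 + i, "src_ip": ATTACKER, "method": "POST", "uri": "/cgi-bin/luci",
     "status": 302 if i == 24 else 403, "body": f"username=root&password=guess{i}"}
    for i in range(25)
] + [
    {"ts": 1005, "src_ip": "192.168.8.100", "method": "POST", "uri": "/cgi-bin/luci",
     "status": 302, "body": "username=root&password=correct"},
    {"ts": 1100, "src_ip": ATTACKER, "method": "POST", "uri": "/rpc", "status": 200,
     "body": '{"jsonrpc":"2.0","id":1,"method":"call","params":["sid","plugins","install_package",{"name":["luci-app-x`id`"]}]}'},
    {"ts": 1200, "src_ip": ATTACKER, "method": "POST", "uri": "/dcim/install.php", "status": 200,
     "body": "ldap_server=ldap.example.com' AND SLEEP(5)-- &ldap_port=389"},
    {"ts": 1230, "src_ip": ATTACKER, "method": "GET", "uri": "/dcim/report_network_map.php", "status": 200},
    {"ts": 1300, "src_ip": "10.0.0.5", "method": "GET", "uri": "/dcim/report_network_map.php", "status": 200},
]

if __name__ == "__main__":
    for rule, ip, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts} {ip:15} {rule:42} {detail}")
```

The single admin login from 192.168.8.100 and the unrelated report_network_map.php request from 10.0.0.5 produce nothing; every alert comes from the one source that ran the chain.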
Hunt Queries (Pseudo)
FROM web_logs
WHERE timestamp >= now()-24h
AND (uri CONTAINS 'install.php' OR uri CONTAINS 'report_network_map.php')
AND (request_body CONTAINS 'SLEEP' OR request_body CONTAINS 'SELECT' OR request_body CONTAINS 'LDAP')
SELECT src_ip, uri, request_body, response_code, timestamp
ORDER BY timestamp DESC
Detect Queries (Pseudo)
RULE opendcim_sqli_rce
WHEN
event.type IN (http_request, process_start)
AND any(event.observable IN ['install.php', 'report_network_map.php', 'CVE-2026-28515', 'fac_Config'])
AND mitre.technique_id IN ['T1190', 'T1059.004']
THEN
alert.severity = 'critical'
alert.title = 'openDCIM install.php SQLi-to-RCE chain detected'
group_by = [src_ip, host, child_process]
window = 10m
Detection Coverage (Existing Rules)
Sources
- GitHub — Metasploit PR #21034: openDCIM install.php SQLi to RCE — Published 2026-02-28
5. Juniper PTX Series Unauthenticated Root RCE (CVE-2026-21902)
What’s New (Last 24 Hours)
Juniper Networks released emergency patches today for CVE-2026-21902 affecting Junos OS Evolved 25.4 on PTX Series core routers. The On-Box Anomaly detection service — intended as an internal-only component — is exposed on an external port by default due to incorrect permission settings, allowing unauthenticated remote attackers to execute arbitrary code as root with no user interaction (CVSS ~9.8). No in-the-wild exploitation reported yet. PTX Series devices are ISP/enterprise backbone hardware — high-value targets for supply chain and infrastructure attacks. Patched versions: 25.4R1-S1-EVO, 25.4R2-EVO, 26.2R1-EVO. Immediate workaround: request pfe anomalies disable.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| CVE-2026-21902 | IOC | T1190 | Identify all PTX Series devices on Junos OS Evolved 25.4 (show version); patch immediately or disable with request pfe anomalies disable. |
| On-Box Anomaly detection service exposed on external port | TTP | T1190 | Hunt for unexpected network traffic to Junos anomaly detection service port from external/non-management source IPs. |
| request pfe anomalies disable | TTP | T1562.001 | Monitor for unauthorized execution of this Junos CLI command; correlate with change management to detect attacker-initiated service tampering. |
| Junos OS Evolved 25.4 PTX Series asset fingerprint | TTP | T1595.002 | Enumerate exposed PTX instances in asset inventory; prioritize those reachable from untrusted networks without management ACLs. |
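Turning the 'show version' check in the table into something that runs across an inventory, as an added example (not Juniper's tooling): it parses Junos version strings of the assumed shape <major>.<minor>R<release>[.<build>][-S<service>][-EVO], compares 25.4 EVO releases against the fixed list the brief gives, and applies Juniper's usual "and all subsequent releases" convention. Anything outside the 25.4 train is reported as out_of_scope rather than safe, because the brief does not state whether other trains are affected. The 'Junos: <version>' line format and the sample inventory are assumptions.

```python
import re

# Fixed releases the brief lists for CVE-2026-21902.
FIXED = ("25.4R1-S1-EVO", "25.4R2-EVO", "26.2R1-EVO")
# The brief scopes the bug to Junos OS Evolved 25.4; anything else is reported
# as out_of_scope here, which means "check the advisory", not "safe".
AFFECTED_TRAIN = (25, 4)

# Assumed version shape: <major>.<minor>R<release>[.<build>][-S<service>[.<build>]][-EVO]
JUNOS_RE = re.compile(
    r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?(?:-S(\d+)(?:\.\d+)?)?(-EVO)?$", re.I
)


def parse_junos(version):
    """Return (major, minor, release, service, is_evo) or None if unrecognised."""
    m = JUNOS_RE.match(version.strip())
    if not m:
        return None
    major, minor, rel, svc, evo = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0), evo is not None


def assess(version):
    """Classify one version string: unparsed / not_evo / out_of_scope / fixed / vulnerable."""
    p = parse_junos(version)
    if p is None:
        return "unparsed"
    major, minor, rel, svc, evo = p
    if not evo:
        return "not_evo"
    if (major, minor) != AFFECTED_TRAIN:
        return "out_of_scope"
    for fixed in FIXED:
        fmaj, fmin, frel, fsvc, _ = parse_junos(fixed)
        if (fmaj, fmin) != (major, minor):
            continue
        # Same R release at or above the fixed service level is fixed; a later R
        # release is fixed once a base release of the train (service 0) is listed.
        if rel == frel and svc >= fsvc:
            return "fixed"
        if rel > frel and fsvc == 0:
            return "fixed"
    return "vulnerable"


# Assumed 'show version' layout: a line reading "Junos: <version>".
SHOW_VERSION_RE = re.compile(r"^\s*Junos:\s*(\S+)", re.M)


def version_from_show_version(text):
    """Pull the version string out of 'show version' output, or None if absent."""
    m = SHOW_VERSION_RE.search(text)
    return m.group(1) if m else None


def triage(inventory):
    """inventory: {hostname: show-version text}. Returns {hostname: status}."""
    return {host: assess(version_from_show_version(out) or "") for host, out in inventory.items()}


# Constructed 'show version' excerpts for this example.
SAMPLE_INVENTORY = {
    "ptx-core-1": "Hostname: ptx-core-1\nModel: ptx10008\nJunos: 25.4R1-EVO\n",
    "ptx-core-2": "Hostname: ptx-core-2\nModel: ptx10008\nJunos: 25.4R1-S1-EVO\n",
    "ptx-edge-1": "Hostname: ptx-edge-1\nModel: ptx10001-36mr\nJunos: 24.4R2-EVO\n",
    "mx-1": "Hostname: mx-1\nModel: mx480\nJunos: 25.4R1\n",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

A host reported as vulnerable should get the request pfe anomalies disable workaround from the table until it is upgraded; an unparsed result usually means the version line was not where this example expects it, not that the device is clean.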
Hunt Queries (Pseudo)
FROM network_telemetry
WHERE timestamp >= now()-24h
AND dest_device_type = 'Juniper PTX'
AND dest_port NOT IN (22, 23, 80, 443, 179)
AND src_ip NOT IN trusted_management_ranges
SELECT src_ip, dest_ip, dest_port, protocol, bytes, timestamp
ORDER BY timestamp DESC
Detect Queries (Pseudo)
RULE juniper_ptx_anomaly_service_abuse
WHEN
event.type IN (network_connection, syslog_event)
AND device_vendor = 'Juniper'
AND device_model CONTAINS 'PTX'
AND (event.service CONTAINS 'anomaly' OR event.command CONTAINS 'pfe anomalies')
AND mitre.technique_id IN ['T1190', 'T1562.001', 'T1595.002']
THEN
alert.severity = 'critical'
alert.title = 'Juniper PTX On-Box Anomaly service access from external source — CVE-2026-21902'
group_by = [src_ip, dest_device]
window = 5m
Detection Coverage (Existing Rules)
Sources
- VPNCentral — Juniper PTX Routers Patched Against Root RCE Vulnerability CVE-2026-21902 — Published 2026-03-01
6. Archive.org Stego Delivers Remcos and AsyncRAT (MSBuild + In-Memory .NET Injector)
What’s New (Last 24 Hours)
derp.ca published fresh analysis of an active (Feb 24–28) campaign abusing archive.org as a payload delivery platform. The operator hides base64-encoded .NET injector DLLs appended after the JPEG end-of-file marker and extracts them via regex markers (e.g., IN-(.*?)-in1). Execution observed as wscript.exe → hidden PowerShell → [Reflection.Assembly]::Load() → MSBuild (LOLBin), ultimately delivering Remcos RAT and AsyncRAT with YDNS-backed C2.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| archive.org | IOC | T1105 | Hunt for downloads from archive.org to endpoints followed by immediate PowerShell/.NET in-memory loading; review proxy/DNS logs for archive.org download paths used for payload staging. |
| http://archive.org/download/optimized_msi_20260226_1507/optimized_MSI.png | IOC | T1105 | Block/alert on fetches to this specific archive.org download path; pivot to parent process and subsequent PowerShell activity. |
| http://archive.org/download/optimized_msi_20260227_1420/optimized_MSI.png | IOC | T1105 | Block/alert on fetches to this specific archive.org download path; pivot to parent process and subsequent PowerShell activity. |
| IN-(.*?)-in1 | TTP | T1027 | Hunt PowerShell command lines / scripts containing this regex marker used to carve base64 from a JPEG carrier. |
| [Reflection.Assembly]::Load | TTP | T1059.001 | Detect PowerShell reflective assembly loads (esp. immediately after WebClient.DownloadData) to catch in-memory .NET injector execution. |
| Msbuild.exe | TTP | T1218.005 | Alert on MSBuild spawned from wscript/powershell with network egress shortly after; common in both Remcos/AsyncRAT chains. |
| CopilotDrivers.js | IOC | T1059.007 | Hunt for this dropper filename on disk/email/web-download telemetry; correlate with wscript.exe launching hidden PowerShell. |
| WMIEventLogs.js | IOC | T1059.007 | Hunt for this dropper filename; correlate with wscript.exe -> PowerShell -> archive.org download chain. |
| msidownloads.duckdns.org | IOC | T1071.001 | Hunt DNS + HTTP GETs to this domain (“/Nueva%20carpeta/”) from endpoints; block if possible. |
| systemcopilotdrivers.ydns.eu | IOC | T1071.001 | Hunt outbound connections (notably :3001) to this domain; pivot to associated IPs and process tree. |
| securityhealthservice.ydns.eu | IOC | T1071.001 | Hunt outbound connections (notably :1000) to this domain; pivot to endpoints with archive.org downloads. |
| hostphpwindowsapps.ydns.eu | IOC | T1071.001 | Hunt HTTP GETs to :8011/data/optimized_MSI.png as alternate stego staging; block/alert. |
| 181.206.158.190 | IOC | T1071.001 | Hunt outbound to this IP (staging + C2 infra per report); prioritize endpoints with wscript/powershell + MSBuild chains. |
| eae6a4c5d87b8cf77b73626857ce4ace839e9edfb20ce72c46d162156be140cf | IOC | T1204.002 | Hash hunt for the Remcos JS dropper identified in the report. |
| 9a7153d921414cf235936c00352f7a54ebedd0c131314382099d85acd83b286c | IOC | T1204.002 | Hash hunt for the AsyncRAT JS dropper identified in the report. |
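The carving step described above, implemented as an added detection example (not the campaign's loader and not derp.ca's code): locate the final JPEG EOI marker, apply the IN-(.*?)-in1 regex to the trailing bytes, base64-decode each segment and test for an MZ header. The carrier bytes are constructed; a practitioner would point this at files pulled from the proxy cache or from the archive.org download paths listed in the table.

```python
import base64
import re

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
# The carve regex the report quotes, applied to bytes here.
MARKER = re.compile(rb"IN-(.*?)-in1", re.S)


def carve_trailer_payloads(blob):
    """Return one dict per IN-/-in1 segment found after the final JPEG EOI marker:
    offset of the base64 text, decoded size, and whether it starts like a PE (MZ).
    Segments that are not valid base64 are skipped."""
    eoi = blob.rfind(JPEG_EOI)
    if eoi == -1:
        return []
    base = eoi + len(JPEG_EOI)
    results = []
    for m in MARKER.finditer(blob[base:]):
        try:
            payload = base64.b64decode(m.group(1), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        results.append({
            "offset": base + m.start(1),
            "size": len(payload),
            "is_pe": payload[:2] == b"MZ",
        })
    return results


def looks_like_stego_carrier(blob):
    """True when the bytes start as a JPEG but carry a decodable PE after EOI."""
    return blob.startswith(JPEG_SOI) and any(r["is_pe"] for r in carve_trailer_payloads(blob))


# --- constructed sample carrier (not the campaign's real file) ---------------
FAKE_DLL = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00" + bytes(32)
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0" + bytes(14) + JPEG_EOI
SAMPLE_CARRIER = (
    CLEAN_JPEG
    + b"\r\n"
    + b"IN-" + base64.b64encode(FAKE_DLL) + b"-in1"
    + b"IN-not base64!-in1"                               # skipped: invalid base64
    + b"IN-" + base64.b64encode(b"plain text config") + b"-in1"
)

if __name__ == "__main__":
    for r in carve_trailer_payloads(SAMPLE_CARRIER):
        print(r)
    print("stego carrier:", looks_like_stego_carrier(SAMPLE_CARRIER))
```

Using the last EOI rather than the first matters: embedded thumbnails give a JPEG more than one EOI, while base64 text after the real one cannot contain the 0xFFD9 pair.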
Hunt Queries (Pseudo)
FROM telemetry
WHERE timestamp >= now()-24h
AND (
  dest_ip IN ('181.206.158.190')
  OR dest_domain IN ('msidownloads.duckdns.org', 'systemcopilotdrivers.ydns.eu', 'securityhealthservice.ydns.eu', 'hostphpwindowsapps.ydns.eu')
  OR url CONTAINS 'archive.org/download/optimized_msi_'
  OR file_hash IN ('eae6a4c5d87b8cf77b73626857ce4ace839e9edfb20ce72c46d162156be140cf', '9a7153d921414cf235936c00352f7a54ebedd0c131314382099d85acd83b286c')
  OR file_name IN ('CopilotDrivers.js', 'WMIEventLogs.js')
)
SELECT host, user, process_name, cmdline, dest_ip, dest_domain, file_hash, file_path
ORDER BY timestamp DESC
Detect Queries (Pseudo)
RULE archive_org_stego_msbuild_injector
WHEN
event.type IN (process_start, network_connection, file_create, dns_query)
AND any(event.observable IN ['archive.org/download/optimized_msi_', 'IN-(.*?)-in1', '[Reflection.Assembly]::Load', 'Msbuild.exe', 'CopilotDrivers.js', 'WMIEventLogs.js', 'msidownloads.duckdns.org', 'systemcopilotdrivers.ydns.eu', 'securityhealthservice.ydns.eu', 'hostphpwindowsapps.ydns.eu', '181.206.158.190', 'eae6a4c5d87b8cf77b73626857ce4ace839e9edfb20ce72c46d162156be140cf', '9a7153d921414cf235936c00352f7a54ebedd0c131314382099d85acd83b286c'])
AND mitre.technique_id IN ['T1105', 'T1027', 'T1059.001', 'T1218.005', 'T1059.007', 'T1071.001', 'T1204.002']
THEN
alert.severity = 'high'
alert.title = 'archive.org stego delivery → PowerShell in-memory load → MSBuild execution (Remcos/AsyncRAT)'
group_by = [host, user, process_name]
window = 15m
Detection Coverage (Existing Rules)
Sources
- derp.ca — Archive.org Stego Delivers Remcos and AsyncRAT — Published 2026-02-28