Cyber Threat Brief — March 2, 2026
⚠️ This report is AI-generated. Always validate findings.
Two actionable drops within the last 24 hours:
- A Metasploit module PR that highlights concrete Grav CMS admin/plugin-install request artifacts defenders can pivot on.
- A ThreatFox IOC batch with new ClearFake payload-delivery domains that are immediately usable for blocking + retro hunts.
(24-hour rule: all sources below were published 2026-03-01 or 2026-03-02 at their original feed/source.)
1. Grav CMS Admin Direct Install Plugin Upload RCE
What’s New (Last 24 Hours)
A Metasploit PR added an exploit module for Grav CMS admin ‘Direct Install’ plugin upload RCE, exposing concrete HTTP parameter and path indicators defenders can use for telemetry pivots.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| /admin | TTP | T1190 | Hunt for external HTTP requests to Grav admin endpoints, especially those followed by plugin upload/install actions or abnormal response sizes. |
| task=directInstall | TTP | T1190 | Look for multipart/form-data POSTs where parameters include task=directInstall; correlate with new file writes on the web root and subsequent process execution. |
| admin-nonce | TTP | T1190 | Identify requests carrying an admin-nonce value during plugin installation flows; pivot to source IP/user-agent and any follow-on admin actions. |
| user/plugins/ | TTP | T1505.003 | On Grav hosts, monitor for new/modified directories under user/plugins/ and unexpected executable content dropped during plugin installs. |
Hunt Queries (Pseudo)
Telemetry scope: last 24h across endpoint + network + DNS + web logs.
- Search file/URL/path artifacts: /admin, user/plugins/
- Correlate with parent/child process context and any follow-on outbound connections.
Detect Queries (Pseudo)
Create a detection that alerts when one or more of the observables below appear in relevant telemetry:
- Observables: /admin, task=directInstall, admin-nonce, user/plugins/
- Required context: host, user, process lineage, network destination, and touched files/URLs.
- Trigger logic: suspicious observable match + suspicious behavior (execution, persistence, or outbound comms).
- Reduce noise by excluding known admin tooling and approved maintenance activity.
- Escalate when matches are followed by credential access, defense evasion, or remote command execution.
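The trigger logic above (observable match plus follow-on behaviour, minus approved maintenance) worked through in Python over constructed telemetry; this is an added example, not code from the Metasploit PR or from Grav. The log line format, the file-event tuples, the `APPROVED_ADMIN_IPS` allowlist and the `PLACEHOLDER_NONCE` value are all assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample telemetry (assumed format, not from the source PR): web access
# log lines as "ts src_ip "METHOD path" status params=<body/query params>" and
# file-creation events as (ts, path) from the same Grav host.
WEB_LOG = [
    '2026-03-02T10:14:01Z 203.0.113.7 "GET /admin" 200 params=',
    '2026-03-02T10:14:09Z 203.0.113.7 "POST /admin/plugins" 302 params=task=directInstall&admin-nonce=PLACEHOLDER_NONCE',
    '2026-03-02T11:00:00Z 198.51.100.4 "GET /blog" 200 params=',
    '2026-03-02T12:05:00Z 10.0.0.5 "POST /admin/plugins" 302 params=task=directInstall&admin-nonce=PLACEHOLDER_NONCE',
]
FILE_EVENTS = [
    ('2026-03-02T10:14:10Z', '/var/www/grav/user/plugins/helper/helper.php'),
    ('2026-03-02T11:30:00Z', '/var/www/grav/user/pages/01.home/default.md'),
    ('2026-03-02T12:05:02Z', '/var/www/grav/user/plugins/seo/seo.php'),
]
APPROVED_ADMIN_IPS = {'10.0.0.5'}   # hypothetical known maintenance source, excluded to cut noise
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d+) params=(.*)$')

def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)

def direct_install_requests(log_lines):
    """Yield (ts, src_ip, path, params) for admin POSTs whose parameters carry task=directInstall."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, method, path, status, params = m.groups()
        if method == 'POST' and path.startswith('/admin') and 'task=directInstall' in params.split('&'):
            yield parse_ts(ts), src, path, params

def plugin_install_alerts(log_lines, file_events, window_s=60):
    """Observable match + follow-on behaviour: a direct-install POST from a non-approved
    source followed within window_s seconds by a new file under user/plugins/."""
    alerts = []
    for ts, src, path, params in direct_install_requests(log_lines):
        if src in APPROVED_ADMIN_IPS:
            continue
        dropped = [p for ets, p in file_events
                   if 'user/plugins/' in p and 0 <= (parse_ts(ets) - ts).total_seconds() <= window_s]
        if dropped:
            alerts.append({'src': src, 'request': path,
                           'nonce_present': 'admin-nonce=' in params, 'files': dropped})
    return alerts

if __name__ == '__main__':
    for alert in plugin_install_alerts(WEB_LOG, FILE_EVENTS):
        print(alert)
```

Only the 203.0.113.7 request fires: the 10.0.0.5 install is excluded by the allowlist, and the page edit under user/pages/ never matches the plugin path.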
Detection Coverage (Existing Rules)
| Source | Existing Detections |
|---|---|
| Splunk | None found |
| Elastic | None found |
| Sigma | None found |
Sources
- rapid7/metasploit-framework PR #21029 — Grav CMS exploit module — Published 2026-03-02
2. ClearFake Payload-Delivery Domains (ThreatFox IOC Batch)
What’s New (Last 24 Hours)
ThreatFox published a fresh batch of ClearFake-associated payload-delivery domains that can be immediately operationalized for DNS/proxy blocking and retrospective hunting.
Actionable Intel (Mapped to MITRE ATT&CK)
| Artifact | Type | ATT&CK Technique | How to Use |
|---|---|---|---|
| kdpofutk.safaricola.digital | IOC | T1189 | Block at DNS/proxy. Hunt for DNS resolution, HTTP Host/SNI matches, and browser-process network connections to this domain; correlate with paste-and-run or follow-on script execution. |
| xmes67am.safaricola.digital | IOC | T1189 | Alert on outbound web traffic to this domain; pivot to referrer URLs, downloaded scripts, and any subsequent PowerShell/cmd execution on the same endpoint. |
| vr3d0r4f.bravepepsi.digital | IOC | T1189 | Add to web filtering. Hunt for user browsing followed by suspicious child processes from the browser (PowerShell, cmd, mshta, rundll32) within minutes. |
| 1lf2pz2k.bravepepsi.digital | IOC | T1189 | Hunt in DNS/proxy logs; correlate with downloaded JavaScript and any creation/execution of script files in user temp directories. |
Hunt Queries (Pseudo)
Telemetry scope: last 24h across endpoint + network + DNS + web logs.
- Pivot on destination domain(s): kdpofutk.safaricola.digital, xmes67am.safaricola.digital, vr3d0r4f.bravepepsi.digital, 1lf2pz2k.bravepepsi.digital
- Correlate with parent/child process context and any follow-on outbound connections.
Detect Queries (Pseudo)
Create a detection that alerts when one or more of the observables below appear in relevant telemetry:
- Observables: kdpofutk.safaricola.digital, xmes67am.safaricola.digital, vr3d0r4f.bravepepsi.digital, 1lf2pz2k.bravepepsi.digital
- Required context: host, user, process lineage, network destination, and touched files/URLs.
- Trigger logic: suspicious observable match + suspicious behavior (execution, persistence, or outbound comms).
- Reduce noise by excluding known admin tooling and approved maintenance activity.
- Escalate when matches are followed by credential access, defense evasion, or remote command execution.
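The ClearFake detect logic above, as an added example (not code from ThreatFox or from any vendor rule): every proxy/DNS hit on one of the four listed domains raises an alert, and a hit followed on the same host by a browser spawning a script interpreter within a few minutes is escalated. The proxy and process event tuples, host names, user names and the 5-minute window are constructed assumptions.

```python
from datetime import datetime, timezone

# ClearFake payload-delivery domains from the ThreatFox batch above.
CLEARFAKE_DOMAINS = {
    'kdpofutk.safaricola.digital', 'xmes67am.safaricola.digital',
    'vr3d0r4f.bravepepsi.digital', '1lf2pz2k.bravepepsi.digital',
}
BROWSERS = {'chrome.exe', 'msedge.exe', 'firefox.exe'}
SCRIPT_HOSTS = {'powershell.exe', 'cmd.exe', 'mshta.exe', 'rundll32.exe'}

# Constructed sample telemetry (assumed, not from the feed):
# proxy hits as (ts, host, user, dest_domain); process starts as (ts, host, parent, child).
PROXY_LOG = [
    ('2026-03-02T09:02:11Z', 'ws-17', 'alice', 'kdpofutk.safaricola.digital'),
    ('2026-03-02T09:40:00Z', 'ws-22', 'bob', 'updates.example.com'),
    ('2026-03-02T10:15:30Z', 'ws-22', 'bob', 'vr3d0r4f.bravepepsi.digital'),
]
PROCESS_LOG = [
    ('2026-03-02T09:03:05Z', 'ws-17', 'chrome.exe', 'powershell.exe'),
    ('2026-03-02T10:16:00Z', 'ws-22', 'explorer.exe', 'cmd.exe'),
    ('2026-03-02T10:40:00Z', 'ws-22', 'msedge.exe', 'mshta.exe'),
]

def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)

def ioc_hits(proxy_log):
    """Exact FQDN match against the IOC set, tolerant of case and a trailing dot."""
    return [(parse_ts(ts), host, user, dom) for ts, host, user, dom in proxy_log
            if dom.lower().rstrip('.') in CLEARFAKE_DOMAINS]

def classify(proxy_log, process_log, window_min=5):
    """One finding per IOC hit; severity 'escalate' when the same host shows a
    browser-spawned script interpreter within window_min minutes after the hit."""
    findings = []
    for ts, host, user, dom in ioc_hits(proxy_log):
        follow_on = [(parent, child) for pts, phost, parent, child in process_log
                     if phost == host and parent in BROWSERS and child in SCRIPT_HOSTS
                     and 0 <= (parse_ts(pts) - ts).total_seconds() <= window_min * 60]
        findings.append({'host': host, 'user': user, 'domain': dom,
                         'severity': 'escalate' if follow_on else 'alert',
                         'follow_on': follow_on})
    return findings

if __name__ == '__main__':
    for finding in classify(PROXY_LOG, PROCESS_LOG):
        print(finding)
```

ws-17 escalates (chrome.exe to powershell.exe 54 seconds after the hit); ws-22 stays at alert because its cmd.exe came from explorer.exe and its mshta.exe start falls outside the window.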
Detection Coverage (Existing Rules)
| Source | Existing Detections |
|---|---|
| Splunk | None found |
| Elastic | None found |
| Sigma | None found |
Sources
- ThreatFox MISP Feed (mirrored) — “ThreatFox IOCs for 2026-03-01” — Published 2026-03-01