Cyber Threat Brief — March 3, 2026
⚠️ This report is AI-generated. Always validate findings.
Cyber Threat Brief — March 3, 2026
Four things worth a defender’s attention from the last 24 hours: two fresh Metasploit additions (GL.iNet router chain + Barracuda ESG XLS RCE), a macOS infostealer tradecraft dump with explicit C2 endpoints + command chain, and a new Nuclei template that hands you a ready-made WordPress traversal hunting pattern.
1. GL.iNet router LuCI brute-force + authenticated RCE via RPC plugin handler (Metasploit modules)
Summary
Rapid7 Metasploit PR adds a paired GL.iNet chain: brute-force LuCI login due to missing rate limiting, then authenticated command injection via the router RPC plugin handler.
What’s New (Last 24 Hours)
New Metasploit PR published with modules for (1) concurrent brute-force against /cgi-bin/luci (302 redirect = valid creds) and (2) authenticated RCE via /rpc JSON-RPC plugins.install_package passing unsanitized input to a shell command.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| /cgi-bin/luci (POST luci_username/luci_password; 302 redirect on success) | TTP | T1110 | Web proxy / HTTP access logs | Hunt for high-rate POSTs to /cgi-bin/luci with repeated luci_username attempts and frequent 302 responses (success) amid many failures. |
| /rpc JSON-RPC method=challenge/login | TTP | T1071.001 | Web proxy / HTTP access logs | Look for router management traffic invoking /rpc with JSON-RPC methods challenge/login from unusual source IPs or outside admin IP allowlists. |
| /rpc JSON-RPC method=plugins.install_package (command injection surface) | TTP | T1059.004 | Web proxy / HTTP access logs | Alert on /rpc calls invoking plugins.install_package, especially when followed by new outbound connections or unexpected process execution on the router. |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | none found | No high-confidence, GL.iNet-specific detections were returned by term/technique search; implement a simple web-access analytic for rapid POST brute-force against /cgi-bin/luci and alert on /rpc plugins.install_package calls from non-admin IPs. |
| Elastic | Web Server Potential Command Injection Request Unusual Login Activity | Command-injection rule can catch suspicious request patterns consistent with RPC handler abuse; unusual-login ML can help surface abnormal auth behavior that may align with brute-force attempts (then pivot to /cgi-bin/luci and 302 success patterns). |
| Sigma | none found | No Sigma matches were returned for the concrete URI/method terms; prioritize a webserver rule for /cgi-bin/luci brute-force (volume + mixed status codes) and a focused match on /rpc JSON-RPC method names (challenge/login/plugins.install_package). |
Sources
- Rapid7 Metasploit PR: GL.iNet Router Exploit Chain (CVE-2025-67089, CVE-2025-67090) — Published 2026-03-02
2. Barracuda ESG RCE via malicious XLS number-format string (Metasploit module)
Summary
A new Metasploit PR drops a Barracuda Email Security Gateway exploit that weaponizes Spreadsheet::ParseExcel number-format parsing to get code execution during attachment scanning.
What’s New (Last 24 Hours)
Metasploit PR published with a module that sends an email with a crafted BIFF8 .xls; payload is injected into a FORMAT record via a number-format string like [>0;system('COMMAND')]0, triggering execution when Amavis parses the attachment.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| XLS number-format payload pattern: [>0;system(‘COMMAND’)]0 | TTP | T1566.001 | Email gateway / mail server logs | Hunt inbound emails delivering .xls attachments to ESG-scanned mailboxes; prioritize subjects like “Q4 Financial Report” and attachments with anomalous/custom number formats (if content inspection is available). |
| Amavis attachment scanning executes Perl eval() via Spreadsheet/ParseExcel/Utility.pm | TTP | T1059.006 | Linux process execution + Amavis logs | On ESG hosts, monitor Amavis/Perl execution spawning unexpected child processes or network egress shortly after processing .xls attachments (30–90s delay noted in exploit docs). |
| Target port/protocol: SMTP (25) delivering XLS attachment for scanning | IOC | T1071.003 | SMTP logs / network telemetry | Baseline external SMTP senders to ESG; alert on unusual senders delivering XLS attachments followed by outbound callbacks from the ESG device. |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Suspicious Email Attachment Extensions Gsuite Email Suspicious Subject With Attachment Windows Spearphishing Attachment Connect To None MS Office Domain | These cover the delivery side (unexpected attachment types/subjects) and follow-on network behavior after opening/processing attachments; pair them with ESG-specific logging (Amavis/mail-scanner telemetry) to better map “email with XLS arrives → scanner processes → suspicious child process/network egress.” |
| Elastic | Remote Desktop File Opened from Suspicious Path Suspicious Explorer Child Process | Mostly endpoint-focused rules; useful if the attack chain pivots into user endpoints (phish attachment) rather than purely server-side scanning. For ESG-side exploitation, you’ll likely need custom detections on Amavis/Perl spawning network tooling or shells. |
| Sigma | Password Protected ZIP File Opened (Email Attachment) | Not Barracuda/Amavis-specific, but provides a baseline for suspicious attachment-handling patterns; for this exploit, prioritize content/attachment inspection + server-side process/network telemetry around Amavis scanning. |
Sources
- Rapid7 Metasploit PR: Barracuda ESG Spreadsheet::ParseExcel RCE exploit (CVE-2023-7102) — Published 2026-03-02
3. macOS infostealer targeting browsers + wallets with explicit C2/contact endpoints (X post)
Summary
Fresh macOS stealer notes surfaced with concrete C2/contact endpoints and a very defender-friendly execution chain (dscl auth check, ditto zip, curl POST exfil, and cleanup via pkill).
What’s New (Last 24 Hours)
Newly shared decrypted C2 infrastructure and tradecraft: primary C2 http://38.244.158.103/contact, backup avipstudios.com/contact, password validation via dscl . authonly, exfil via ditto zip + curl POST, and anti-forensics via pkill Terminal.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| http://38.244.158.103/contact | IOC | T1071.001 | Web proxy / firewall / NetFlow | Hunt/alert on macOS hosts making outbound HTTP requests to 38.244.158.103, especially to URI path /contact. |
| avipstudios.com/contact | IOC | T1071.001 | DNS + web proxy logs | Alert on DNS lookups / HTTP(S) connections to avipstudios.com with /contact path from developer/user endpoints. |
| dscl . authonly | TTP | T1059.004 | EDR process execution telemetry | Detect dscl executions with authonly arguments from non-admin parent processes (e.g., browser, unknown apps) as a credential-validation step. |
| ditto -c -k (zip staging) followed by curl POST (exfil) | TTP | T1041 | EDR process telemetry + proxy logs | Correlate ditto zip creation from user directories (Desktop/Documents) followed within minutes by curl POST to external /contact endpoints. |
| pkill Terminal (attempt to hide evidence) | TTP | T1562.001 | EDR process telemetry | Alert on pkill targeting Terminal shortly after suspicious collection/exfil activity; use as a high-signal correlation step. |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Cisco Secure Firewall - Wget or Curl Download HTTP Rapid POST with Mixed Status Codes | Curl/wget network analytics map directly to the described curl-based exfil and payload retrieval patterns; rapid POST analytics can help catch automated POSTs to /contact endpoints (then pivot to the specific IP/domain). |
| Elastic | Curl or Wget Spawned via Node.js Curl or Wget Egress Network Connection via LoLBin | These can surface curl execution used for exfil/staging; pair with a hard match on the specific destination IP/domain and correlate with dscl authonly and ditto staging to align with the full chain. |
| Sigma | Suspicious Curl Change User Agents - Linux Suspicious Download and Execute Pattern via Curl/Wget | Generic curl execution patterns can catch common download/exfil behavior; add macOS-focused process + network correlation for dscl/ditto/pkill, plus destination matching for the listed C2 infrastructure. |
Sources
- X post: decrypted C2 infrastructure and stealer tradecraft notes — Published 2026-03-02
4. WordPress EKC Tournament Manager plugin traversal/LFI pattern (new Nuclei template)
Summary
A fresh Nuclei template commit captures an authenticated EKC Tournament Manager WordPress plugin file-download traversal that’s easy to hunt for in web logs.
What’s New (Last 24 Hours)
New Nuclei template published for EKC Tournament Manager < 2.2.2 path traversal via the ekc-backup download action. The template uses backup=../../.../etc/passwd and checks for root:.*:0:0: in the response.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| /wp-admin/admin.php?page=ekc-backup&action=download&backup=../../../../…/etc/passwd | TTP | T1190 | Web server / WAF logs | Detect requests to /wp-admin/admin.php with page=ekc-backup and action=download where the backup parameter contains traversal sequences (../) and targets sensitive paths like /etc/passwd. |
| Parameter key: backup= (suspicious when containing ../) | TTP | T1005 | Web server logs | Add a focused detection for backup= values containing ../ or URL-encoded traversal (%2e%2e%2f) on WordPress admin.php requests. |
| wordpress_logged_in cookie presence (auth context for exploit path) | TTP | T1078 | Web server logs / WAF logs | If you log cookies/headers, correlate traversal attempts with authenticated sessions (wordpress_logged_in*) and review whether the session/user is legitimate or compromised. |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Exploit Public Facing Application via Apache Commons Text | Not WordPress/EKC-specific, but provides a baseline for web exploitation attempts; for this issue you want a tight web-log analytic on admin.php with ekc-backup parameters + traversal patterns. |
| Elastic | none found | No clear, WordPress traversal-specific Elastic rules were returned for the concrete URI/parameter terms; implement custom detections for traversal sequences in backup= and for successful 200 responses returning passwd-like strings. |
| Sigma | Path Traversal Exploitation Attempts | Directly maps to the described behavior: web logs containing ../ traversal sequences and sensitive file targets like /etc/passwd (including URL-encoded variants). |
Sources
- Nuclei templates commit: add CVE-2024-9765 EKC Tournament Manager traversal template — Published 2026-03-03