Cyber Threat Brief — July 17 2026
1. UAT-11795 Deploys Starland RAT + WLDR C2 via Trojanized Installers
TL;DR: Cisco Talos disclosed a Russian-speaking financially motivated actor (UAT-11795) delivering a Python RAT and bespoke PowerShell C2 implant through trojanized WebEx, Zoom, MobaXterm, and DBeaver installers — targeting U.S. and European users since June 2025 for credential and crypto theft.
What’s New:
- Trojanized NSIS installers bundle
pythonw.exe+ XOR-encrypted Starland RAT disguised asLICENSE.txt - WLDR agent: memory-only PowerShell C2 with AES-256-CBC + HMAC-SHA256 beaconing, RunspacePool (10 threads), AMSI/ETW bypass via
AmsiScanBuffer/EtwEventWritepatching - Fallback C2 via Polygon smart contract
0x6ae382ed2154cc84c6672e4e908cd2c69c1b35bastoring XOR-encrypted domain - CastleStealer (.NET) and Remcos RAT as secondary payloads via APC injection
- Telegram bots
8384531459(skuefq_bot) and7993597060(komandastuk_bot) for beacon telemetry
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
windowscreenrepairnearme[.]com, aipythondevs[.]com | C2 domain | T1071.001 | DNS / proxy logs | Block |
eorthopaedics[.]com/feed/, sastoro[.]com/alpha/ | Staging / C2 | T1071.001 | DNS / proxy logs | Block |
web-devtools[.]com (paths: /starlandfox, /x32remka, /dopfile) | Payload staging | T1588.001 | Proxy / IDS | Block |
zynaris[.]io | HTA stager / lure hosting | T1218.005 | Proxy / Sysmon EID 1 | Block |
polygon-rpc[.]com JSON-RPC call to contract 0x6ae382... | Fallback C2 resolution | T1102.002 | Proxy / NDR | Hunt — eth_call to this contract |
Telegram bot IDs 8384531459, 7993597060 | Beacon exfil | T1567.001 | Proxy / DLP | Block api.telegram.org from non-browser processes |
mshta.exe executing remote HTA → batch file drop | Initial access | T1218.005 | Sysmon EID 1 | Alert — mshta.exe with URL argument |
Scheduled task PythonLauncher-??? (3 random chars) | Persistence | T1053.005 | Security EID 4698 / Sysmon EID 1 | Alert — pythonw.exe scheduled task |
HKCU\...\Run value MyApp → mshta.exe | Persistence | T1547.001 | Sysmon EID 13 | Alert |
UA: Mozilla/5.0 ... Chrome/138.0.0.0 from non-browser process | C2 comms | T1071.001 | Proxy logs | Hunt |
| Snort SIDs 66787–66790, 301580 | Network detection | — | IDS/IPS | Deploy |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | No Starland RAT / WLDR agent detection; need mshta remote HTA + pythonw.exe scheduled task + Polygon RPC hunt |
| Elastic | Suspicious Mshta Child Process (partial) | No WLDR-specific PowerShell Runspace detection |
| Sigma | proc_creation_win_mshta_url.yml (partial) | No trojanized installer + pythonw.exe LICENSE.txt pattern |
| Cisco | ClamAV sigs: Py.Loader.Agent-10060315/16, Ps1.Trojan.WLDRAgent-10060319, Win.Trojan.CastleStealer-10060341 | Deploy ClamAV/Cisco signatures |
Sources: Cisco Talos blog · Cisco Talos IOCs (GitHub) · BleepingComputer
2. Spirals Ransomware — 24-Hour Full Intrusion Cycle
TL;DR: Symantec disclosed a new Rust-based ransomware family “Spirals” that completed initial access to full encryption of a South Asian IT services company in under 24 hours — using ASP.NET webshells, reverse-SOCKS proxies, and AES-128 + ECDH P-256 encryption with double extortion.
What’s New:
- Initial access via compromised IIS web server through ASP.NET web shell
- Lateral movement via WMI beginning 23:33 on day one; full encryption within 24 hours
- Persistence: revsocks, Chisel, Cloudflare Tunnel for covert C2 access
- Credential harvesting from SAM and LSASS
- Rust-based encryptor: per-file AES-128 keys wrapped with attacker ECDH P-256 public key
- Ransom note:
RECOVERY_SECTION.logon C:\ with 6-day payment deadline - Double extortion model — data theft confirmed before encryption
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ASP.NET webshell on IIS | Initial access | T1505.003 | IIS logs / Sysmon EID 11 | Hunt — new .aspx/.ashx in web directories |
| WMI lateral movement | Lateral movement | T1047 | Security EID 4648 / Sysmon EID 1 | Alert — wmiprvse.exe spawning cmd/powershell |
| revsocks, Chisel, Cloudflare Tunnel | C2 tunneling | T1572 | EDR / proxy | Hunt — known tunnel tool process names and hashes |
| SAM/LSASS credential dump | Credential access | T1003.001/002 | Sysmon EID 10 / EDR | Alert — LSASS access from non-standard processes |
RECOVERY_SECTION.log on C:\ | Ransom note | T1486 | EDR / file monitoring | Alert — canary file |
| Endpoint security tampering pre-encryption | Defense evasion | T1562.001 | EDR health / Windows Defender EID | Alert — security service stop/disable events |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Credential Dumping via SAM Database (generic) / Detect LSASS Access (generic) | No Spirals-specific Rust binary or RECOVERY_SECTION.log detection |
| Elastic | Suspicious LSASS Access / Web Shell Detection (generic) | No Spirals ransomware note or encryptor hash detection |
| Sigma | proc_creation_win_susp_wmi_lateral_movement.yml / web_shell_aspx_creation.yml | No Spirals-specific rules |
Sources: Symantec / Security.com · BleepingComputer · SC Media
3. CISA KEV Adds FortiSandbox Triple-CVE Chain — CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813
TL;DR: CISA added three FortiSandbox CVEs to KEV on July 16, confirming active exploitation of a triple-CVE chain combining auth bypass, OS command injection, and web UI command injection — with exploit code assessed as AI-generated.
What’s New:
- CVE-2026-39813 (auth bypass via path traversal in JRPC API:
session: ../../tmp/) now CISA KEV - CVE-2026-39808 (CVSS 9.8 unauthenticated OS command injection via
/fortisandbox/job-detail/tracer-behavior) now CISA KEV - CVE-2026-25089 (web UI command injection, exploit assessed as vibecoded/AI-generated by Defused Cyber) now CISA KEV
- Triple chain observed ITW since June 16 per Defused Cyber
- Affects FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5; patched April 2026
- ~2,400 internet-facing instances at initial disclosure
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
session: ../../tmp/ in JRPC API requests | Auth bypass | T1190 | WAF / FortiSandbox logs | Block — path traversal in session parameter |
POST to /fortisandbox/job-detail/tracer-behavior | RCE exploitation | T1190 | WAF / reverse proxy | Block external access |
| FortiSandbox 4.4.x < 4.4.9, 5.0.x < 5.0.6 | Vulnerable version | T1190 | Asset inventory | Patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No FortiSandbox-specific JRPC or tracer-behavior endpoint detection |
| Elastic | None | No FortiSandbox exploitation rules |
| Sigma | None | No FortiSandbox exploitation rules |
Sources: CISA KEV Catalog · CISA Alert July 16
Status Updates
- CVE-2026-15409 / CVE-2026-15410 (SonicWall SMA1000): CISA KEV federal deadline TODAY July 17. Zero-day exploitation ongoing. Apply hotfix 12.4.3-03453 / 12.5.0-02835 immediately. Original brief.
- CVE-2026-58644 (SharePoint Server): CISA KEV addition July 16 — confirmed exploited as zero-day pre-patch. Federal deadline July 19. CVSS 9.8 pre-auth deserialization RCE. Apply July Patch Tuesday. Original brief.
- CVE-2026-46817 (Oracle E-Business Suite): CISA KEV addition July 15. Federal deadline TOMORROW July 18. DriveSurge IAB exploitation ongoing with 950 exposed instances. Apply May 2026 CPU. Original brief.