Cyber Threat Brief — July 17 2026

⚠️ This report is AI-generated. Always validate findings.

1. UAT-11795 Deploys Starland RAT + WLDR C2 via Trojanized Installers

TL;DR: Cisco Talos disclosed a Russian-speaking financially motivated actor (UAT-11795) delivering a Python RAT and bespoke PowerShell C2 implant through trojanized WebEx, Zoom, MobaXterm, and DBeaver installers — targeting U.S. and European users since June 2025 for credential and crypto theft.

What’s New:

  • Trojanized NSIS installers bundle pythonw.exe + XOR-encrypted Starland RAT disguised as LICENSE.txt
  • WLDR agent: memory-only PowerShell C2 with AES-256-CBC + HMAC-SHA256 beaconing, RunspacePool (10 threads), AMSI/ETW bypass via AmsiScanBuffer/EtwEventWrite patching
  • Fallback C2 via Polygon smart contract 0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba storing XOR-encrypted domain
  • CastleStealer (.NET) and Remcos RAT as secondary payloads via APC injection
  • Telegram bots 8384531459 (skuefq_bot) and 7993597060 (komandastuk_bot) for beacon telemetry

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
windowscreenrepairnearme[.]com, aipythondevs[.]comC2 domainT1071.001DNS / proxy logsBlock
eorthopaedics[.]com/feed/, sastoro[.]com/alpha/Staging / C2T1071.001DNS / proxy logsBlock
web-devtools[.]com (paths: /starlandfox, /x32remka, /dopfile)Payload stagingT1588.001Proxy / IDSBlock
zynaris[.]ioHTA stager / lure hostingT1218.005Proxy / Sysmon EID 1Block
polygon-rpc[.]com JSON-RPC call to contract 0x6ae382...Fallback C2 resolutionT1102.002Proxy / NDRHunt — eth_call to this contract
Telegram bot IDs 8384531459, 7993597060Beacon exfilT1567.001Proxy / DLPBlock api.telegram.org from non-browser processes
mshta.exe executing remote HTA → batch file dropInitial accessT1218.005Sysmon EID 1Alert — mshta.exe with URL argument
Scheduled task PythonLauncher-??? (3 random chars)PersistenceT1053.005Security EID 4698 / Sysmon EID 1Alert — pythonw.exe scheduled task
HKCU\...\Run value MyApp → mshta.exePersistenceT1547.001Sysmon EID 13Alert
UA: Mozilla/5.0 ... Chrome/138.0.0.0 from non-browser processC2 commsT1071.001Proxy logsHunt
Snort SIDs 66787–66790, 301580Network detectionIDS/IPSDeploy

Detection

SourceRuleGap
Splunk ESCUNone specificNo Starland RAT / WLDR agent detection; need mshta remote HTA + pythonw.exe scheduled task + Polygon RPC hunt
ElasticSuspicious Mshta Child Process (partial)No WLDR-specific PowerShell Runspace detection
Sigmaproc_creation_win_mshta_url.yml (partial)No trojanized installer + pythonw.exe LICENSE.txt pattern
CiscoClamAV sigs: Py.Loader.Agent-10060315/16, Ps1.Trojan.WLDRAgent-10060319, Win.Trojan.CastleStealer-10060341Deploy ClamAV/Cisco signatures

Sources: Cisco Talos blog · Cisco Talos IOCs (GitHub) · BleepingComputer

2. Spirals Ransomware — 24-Hour Full Intrusion Cycle

TL;DR: Symantec disclosed a new Rust-based ransomware family “Spirals” that completed initial access to full encryption of a South Asian IT services company in under 24 hours — using ASP.NET webshells, reverse-SOCKS proxies, and AES-128 + ECDH P-256 encryption with double extortion.

What’s New:

  • Initial access via compromised IIS web server through ASP.NET web shell
  • Lateral movement via WMI beginning 23:33 on day one; full encryption within 24 hours
  • Persistence: revsocks, Chisel, Cloudflare Tunnel for covert C2 access
  • Credential harvesting from SAM and LSASS
  • Rust-based encryptor: per-file AES-128 keys wrapped with attacker ECDH P-256 public key
  • Ransom note: RECOVERY_SECTION.log on C:\ with 6-day payment deadline
  • Double extortion model — data theft confirmed before encryption

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
ASP.NET webshell on IISInitial accessT1505.003IIS logs / Sysmon EID 11Hunt — new .aspx/.ashx in web directories
WMI lateral movementLateral movementT1047Security EID 4648 / Sysmon EID 1Alert — wmiprvse.exe spawning cmd/powershell
revsocks, Chisel, Cloudflare TunnelC2 tunnelingT1572EDR / proxyHunt — known tunnel tool process names and hashes
SAM/LSASS credential dumpCredential accessT1003.001/002Sysmon EID 10 / EDRAlert — LSASS access from non-standard processes
RECOVERY_SECTION.log on C:\Ransom noteT1486EDR / file monitoringAlert — canary file
Endpoint security tampering pre-encryptionDefense evasionT1562.001EDR health / Windows Defender EIDAlert — security service stop/disable events

Detection

SourceRuleGap
Splunk ESCUCredential Dumping via SAM Database (generic) / Detect LSASS Access (generic)No Spirals-specific Rust binary or RECOVERY_SECTION.log detection
ElasticSuspicious LSASS Access / Web Shell Detection (generic)No Spirals ransomware note or encryptor hash detection
Sigmaproc_creation_win_susp_wmi_lateral_movement.yml / web_shell_aspx_creation.ymlNo Spirals-specific rules

Sources: Symantec / Security.com · BleepingComputer · SC Media

3. CISA KEV Adds FortiSandbox Triple-CVE Chain — CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813

TL;DR: CISA added three FortiSandbox CVEs to KEV on July 16, confirming active exploitation of a triple-CVE chain combining auth bypass, OS command injection, and web UI command injection — with exploit code assessed as AI-generated.

What’s New:

  • CVE-2026-39813 (auth bypass via path traversal in JRPC API: session: ../../tmp/) now CISA KEV
  • CVE-2026-39808 (CVSS 9.8 unauthenticated OS command injection via /fortisandbox/job-detail/tracer-behavior) now CISA KEV
  • CVE-2026-25089 (web UI command injection, exploit assessed as vibecoded/AI-generated by Defused Cyber) now CISA KEV
  • Triple chain observed ITW since June 16 per Defused Cyber
  • Affects FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5; patched April 2026
  • ~2,400 internet-facing instances at initial disclosure

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
session: ../../tmp/ in JRPC API requestsAuth bypassT1190WAF / FortiSandbox logsBlock — path traversal in session parameter
POST to /fortisandbox/job-detail/tracer-behaviorRCE exploitationT1190WAF / reverse proxyBlock external access
FortiSandbox 4.4.x < 4.4.9, 5.0.x < 5.0.6Vulnerable versionT1190Asset inventoryPatch

Detection

SourceRuleGap
Splunk ESCUNoneNo FortiSandbox-specific JRPC or tracer-behavior endpoint detection
ElasticNoneNo FortiSandbox exploitation rules
SigmaNoneNo FortiSandbox exploitation rules

Sources: CISA KEV Catalog · CISA Alert July 16


Status Updates

  • CVE-2026-15409 / CVE-2026-15410 (SonicWall SMA1000): CISA KEV federal deadline TODAY July 17. Zero-day exploitation ongoing. Apply hotfix 12.4.3-03453 / 12.5.0-02835 immediately. Original brief.
  • CVE-2026-58644 (SharePoint Server): CISA KEV addition July 16 — confirmed exploited as zero-day pre-patch. Federal deadline July 19. CVSS 9.8 pre-auth deserialization RCE. Apply July Patch Tuesday. Original brief.
  • CVE-2026-46817 (Oracle E-Business Suite): CISA KEV addition July 15. Federal deadline TOMORROW July 18. DriveSurge IAB exploitation ongoing with 950 exposed instances. Apply May 2026 CPU. Original brief.