The most recent articles analyzed by our AI — scored, summarized, and enriched for security professionals.
Mar 05, 2026
AI Summary
Cisco Talos exposes UAT-9244, a China-linked APT targeting South American telecom providers with three new malware families: TernDoor, PeerTime, and BruteEntry.
Key Insights
- TernDoor: Windows backdoor deployed via DLL side-loading (wsprint.exe/BugSplatRc64.dll), injected into msiexec.exe, persists via scheduled tasks and registry modifications with embedded WSPrint.sys…
- PeerTime: Multi-architecture ELF Linux backdoor (ARM, AARCH, PPC, MIPS) using BitTorrent P2P protocol for C2 communications, with Simplified Chinese debug strings confirming origin
- BruteEntry: Go-based ORB instrumentor that turns compromised devices into scanning nodes brute-forcing SSH, Postgres, and Tomcat to expand attacker infrastructure
Actionable Takeaways
Recommended actions and mitigation steps for your security team based on this article.
Priority assessment and integration with your existing security controls.
Read original article →
Mar 05, 2026
AI Summary
Huntress researchers uncovered a campaign using fake OpenClaw GitHub repos promoted by Bing AI to distribute Atomic Stealer, Vidar infostealer, and GhostSocks proxy malware.
Key Insights
- Fake GitHub org 'openclaw-installer' delivered macOS Atomic Stealer via bash command and Windows Vidar infostealer via OpenClaw_x64.exe; C2 retrieved via Telegram and Steam user profiles
- Rust-based malware loaders executed infostealers in-memory; GhostSocks backconnect proxy deployed alongside to route attacker traffic and bypass geo-based fraud detection
- Windows Managed AV and Managed Defender for Endpoint quarantined payloads; macOS users had no equivalent automated protection reported
Mar 05, 2026
AI Summary
Pakistan's APT36 is using AI vibe-coding to mass-produce low-quality malware in niche languages, overwhelming defenses through volume rather than technical sophistication.
Key Insights
- APT36 (Transparent Tribe) is generating malware daily in niche languages — Nim, Zig, and Crystal — which reset detection baselines on most endpoint engines tuned for C++ and C#
- C2 communications are routed through legitimate cloud platforms including Slack, Discord, Google Sheets, and Supabase to evade network-level detection
- Victims are infected with multiple simultaneous implants, each using a different language and communication protocol, ensuring persistent access even if one channel is neutralized
Mar 05, 2026
AI Summary
A self-propagating JavaScript worm vandalized ~3,996 Wikipedia pages and infected ~85 user accounts today before Wikimedia engineers contained it.
Key Insights
- JavaScript worm propagated via MediaWiki:Common.js injection — malicious script at User:Ololoshka562/test.js loaded external payload from basemetrika.ru/s/e41, infecting both user-level common.js and…
- Worm achieved persistence by overwriting User:<username>/common.js and, for privileged accounts, the global MediaWiki:Common.js — enabling browser-side execution for every editor loading the global…
- Approximately 3,996 pages vandalized and ~85 user common.js files replaced; worm also inserted hidden JavaScript loaders via Special:Random page edits using encoded script tags in span elements
Mar 05, 2026
AI Summary
Cisco Talos 2025 CVE retrospective reveals 48,196 vulnerabilities and 241 KEVs (+30%), with actionable malware IOCs and a confirmed Qualcomm zero-day.
Key Insights
- CVE-2026-21385 (CVSS 7.8, KEV confirmed 2026-03-03): memory corruption in Qualcomm chipsets affecting 234 chipsets — patch via Android security bulletin immediately
- 5 malware SHA256 IOCs from Talos telemetry this week: W32.Injector, Win.Worm.Coinminer, Win.Dropper.Suloc — ingest into SIEM/EDR blocklists
- 94 of 241 KEVs (39%) originated from CVE-2024 and earlier; legacy vulnerability exploitation active as far back as CVE-2007 — asset inventory and microsegmentation critical for unpatched systems
This is just 5 articles. CyberSecNews analyzes 50+ daily.
Get role-based scoring, full CVE enrichment, EPSS priority queues, real-time alerts, and 365 days of retention.