Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩 PyStoreRAT Malware Exploits GitHub Supply Chain to Target Security Professionals via AI-Generated Projects
Morphisec Threat Labs uncovered PyStoreRAT, a JavaScript/HTA backdoor deployed through coordinated GitHub supply chain attacks targeting IT administrators, cybersecurity analysts, and OSINT professionals. Dormant GitHub accounts, some inactive for years, suddenly reactivated to publish polished AI-generated projects including OSINT tools, DeFi bots, GPT wrappers, and security utilities that climbed into GitHub’s top trending lists. After gaining legitimate traction and trust, attackers introduced subtle “maintenance” commits deploying the previously undocumented PyStoreRAT backdoor. The malware performs extensive system profiling, deploys the Rhadamanthys stealer, and dynamically adjusts execution techniques when detecting CrowdStrike Falcon or Reason-related AV products by switching to alternate launch paths. PyStoreRAT features circular rotating C2 infrastructure using node{i}-py-store and py-installer domains enabling seamless payload updates and resilience against takedowns. The malware spreads through removable drives and dynamically pulls additional modules from operators while maintaining long-term access. Russian-language strings including “СИСТЕМА” found in the codebase indicate dual targeting of both Russian and non-Russian victims.
Impact: PyStoreRAT enables complete compromise of security professionals’ workstations through trusted development channels that bypass traditional security awareness training. The targeting of OSINT and cybersecurity tools ensures infection of high-value systems with access to sensitive threat intelligence, investigation data, and security infrastructure. AI-generated project legitimacy defeats manual code review processes as repositories contain functional, well-documented code that passes initial scrutiny. The adaptive execution paths based on detected security products demonstrate advanced evasion capabilities specifically designed to bypass enterprise EDR solutions. Long-term persistence through removable drive propagation and modular architecture enables lateral movement across air-gapped research environments.
Recommendation: Organizations should implement strict GitHub repository vetting processes including verification of contributor history and sudden reactivation patterns of dormant accounts. Monitor for JavaScript/HTA files introduced through “maintenance” commits in previously clean repositories, particularly those targeting security tools. Alert on execution technique changes based on security product detection, specifically alternate launch paths when CrowdStrike Falcon or Reason products are identified. Implement USB device controls to prevent removable drive propagation and monitor for Russian-language strings in unexpected contexts. Consider deploying Automated Moving Target Defense (AMTD) solutions that deny malware stable execution environments rather than relying on signature-based detection.
Apple Patches Two Zero-Day WebKit Vulnerabilities Exploited in Sophisticated Targeted Attacks
Apple released iOS 26.2 and iPadOS 26.2 on December 12, 2025, fixing multiple security issues across core components including WebKit, Kernel, FaceTime, Messages, and system frameworks. Apple notes that at least two WebKit vulnerabilities were exploited in “extremely sophisticated” attacks against specific targeted individuals on versions of iOS prior to iOS 26, and issued CVE-2025-14174 in response to this reporting. Among the fixes are issues that could lead to arbitrary code execution or memory corruption when processing maliciously crafted web content in WebKit, as well as privilege and data exposure risks such as an app gaining root privileges (Kernel), access to sensitive payment tokens (App Store), and exposure of hidden photos without authentication.
Impact: Organizations with iOS and iPadOS fleets face elevated risk from web-based exploitation paths, particularly via Safari or embedded WebKit content. The presence of in-the-wild exploitation signals that these flaws can be used for targeted compromise, and unpatched devices may remain exposed to drive-by or link-based attack chains that lead to code execution, data exposure, or privilege escalation.
Recommendation: Update all eligible devices to iOS 26.2 and iPadOS 26.2, prioritizing users in high-risk roles or who handle sensitive data. Enforce rapid OS patching through MDM, restrict untrusted browsing and link handling where possible, and monitor for signs of targeted mobile exploitation such as unusual Safari crashes, unexpected profile or configuration changes, and anomalous account activity following web interactions. Confirm Safari and platform updates are applied consistently across managed endpoints and review mobile security posture for gaps in update compliance.
CISA Adds Exploited GeoServer Vuln to Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a previously reported vulnerability, CVE-2025-58360, affecting OSGeo GeoServer, to its Known Exploited Vulnerabilities (KEV) Catalog. Details of the nature of the active exploitation were not provided. GeoServer is used for collecting and sharing geospatial data. The vulnerability is an XML External Entity (XXE) injection flaw: improperly sanitized XML input to specific operations lets an attacker define external entities within the request, opening the door to a potential compromise. It affects versions up to 2.25.5 as well as 2.26.0 through 2.26.1; versions 2.25.6 and 2.26.2 or later are patched.
Impact: Exploitation of this vulnerability could enable an attacker to undertake various malicious actions, such as accessing sensitive files, Server-Side Request Forgery (SSRF), or Denial of Service (DoS) attacks.
Recommendation: Organizations using GeoServer should ensure that they are running a patched version and keep an eye out for more details regarding active exploitation.
Ashen Lepus (WIRTE) deploys new “AshTag” espionage suite using phishing, DLL sideloading, and hidden HTML payloads to target Middle Eastern governments and diplomats
The Hamas-affiliated cyber threat group Wirte, tracked by Palo Alto Networks’ Unit 42 as Ashen Lepus, continues to conduct sophisticated espionage operations across the Middle East despite ongoing regional conflicts. The group targets victims through phishing emails containing PDFs related to the Israel-Palestine conflict, which direct recipients to file-sharing services hosting malicious RAR archives. When victims open these files, the attack triggers a dynamic link library sideloading technique that deploys the AshTag malware suite in the background while displaying the expected document. AshTag consists of three main components: a loader that extracts payloads embedded within HTML header tags on command-and-control servers, a stager, and a modular backdoor that retrieves additional capabilities from commented-out HTML tags where most detection programs do not scan. The group encrypts its payloads using AES-CTR-256 encryption and regularly rotates encryption keys to evade detection. Recent infrastructure changes show the attackers now register subdomains of legitimate domains rather than hosting their own infrastructure, allowing malicious traffic to blend with normal internet activity. The group has also expanded beyond pure espionage, deploying the SameCoin wiper in destructive attacks against Israeli targets timed to significant dates in the conflict.
Impact: Wirte has expanded its targeting beyond traditional focus areas like Egypt, Jordan, and the Palestinian Authority to include nations with less direct involvement in the Israel-Palestine conflict, such as Oman, Morocco, and Turkey. Compromised organizations may experience theft of sensitive diplomatic correspondence, internal government documents, and politically significant intelligence that adversaries can exploit for strategic advantage. The group’s demonstrated ability to maintain operations throughout the Gaza conflict suggests resilience and potentially indicates operations from locations outside the most affected conflict zones, making disruption efforts more challenging.
Recommendation: Treat unsolicited conflict-themed documents and links as high risk: block known malicious file-sharing domains, enforce robust email filtering and attachment sandboxing, and remove the ability for unprivileged users to load unsigned or unexpected DLLs. Maintain endpoint and network monitoring tuned for DLL sideloading behaviors, suspicious process ancestry, and unusual outbound connections to HTML pages that contain anomalous payload patterns.
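One way to hunt for the hiding spots described above, written as an added example for this bulletin rather than Unit 42's tooling: it parses fetched HTML and flags long, high-entropy base64-style runs that sit in comments or in head-tag attributes, the two places AshTag is reported to stash stager and module data. The length and entropy thresholds and the sample pages are assumptions; legitimate pages with inline data URIs or analytics snippets will need an allowlist before this goes into a pipeline.

```python
import base64
import math
import re
from collections import Counter
from html.parser import HTMLParser
OPAQUE_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")  # assumed minimum blob length
ENTROPY_FLOOR = 4.5                                # assumed bits/char threshold

def shannon_entropy(s):
    probs = [n / len(s) for n in Counter(s).values()]
    return -sum(p * math.log2(p) for p in probs)

class HiddenBlobScanner(HTMLParser):
    # Only comments and <head> tag attributes are inspected; page text is ignored.
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.findings = []  # (location, blob length, entropy)

    def _check(self, where, text):
        for m in OPAQUE_RUN.finditer(text):
            ent = shannon_entropy(m.group(0))
            if ent >= ENTROPY_FLOOR:
                self.findings.append((where, len(m.group(0)), round(ent, 2)))

    def handle_comment(self, data):
        self._check("comment", data)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        if self.in_head:
            for name, value in attrs:
                if value:
                    self._check(f"head:{tag}@{name}", value)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def scan_html(html):
    scanner = HiddenBlobScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed stand-in blob (base64 of a byte ramp), not real AshTag content.
FAKE_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
BENIGN = "<html><head><title>Weather</title></head><body><!-- nav --><p>Sunny</p></body></html>"
SUSPECT = (f"<html><head><meta name='x' content='{FAKE_BLOB}'></head>"
           f"<body><!-- {FAKE_BLOB} --><p>hi</p></body></html>")
```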
🚩 BlackForce Phishing Kit Performs Real-Time MFA Bypass Through Man-in-the-Browser Attacks
Zscaler ThreatLabz discovered the BlackForce phishing-as-a-service kit in August 2025, which has evolved through five distinct versions while impersonating over 11 major brands including Disney, Netflix, DHL, and UPS. The kit is actively sold on Telegram forums for €200-€300 and enables Man-in-the-Browser (MitB) attacks to dynamically bypass multi-factor authentication through real-time operator intervention. BlackForce deploys cache-busted JavaScript files with filename patterns like index-[hash].js, where 99% of content consists of legitimate React and React Router production builds to evade detection. The phishing infrastructure features dual-channel exfiltration, sending stolen credentials simultaneously to the attacker’s C2 panel and Telegram channels, ensuring data persistence even if the phishing panel is taken down.
Impact: BlackForce enables complete account takeover through MFA bypass techniques that defeat standard two-factor authentication protections. The real-time operator model ensures attacks adapt dynamically to each victim’s authentication flow, maximizing compromise success rates. Organizations face immediate credential theft risks as the kit’s legitimate-appearing React codebase evades traditional phishing detection mechanisms. Widespread brand impersonation capabilities allow attackers to target diverse victim populations across entertainment, logistics, and financial services sectors.
Recommendation: Organizations should implement zero trust architecture to limit access scope even after successful credential theft. Monitor for JavaScript files with cache-busting hash patterns and unusually large React/React Router bundles on suspicious domains. Deploy behavioral detection for rapid sequential authentication attempts following credential entry, indicating potential MitB attacks in progress. Block all identified indicators of compromise. Monitor for sessionStorage operations storing credentials across page loads and train users to verify URL authenticity before entering authentication codes.
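A small detector for the bundle pattern called out above, written for this bulletin (not Zscaler's code): it reads proxy log lines, keeps only requests for index-<hash>.js chunks on hosts outside a corporate allowlist, and requires the response to be large enough to be a full React/React Router build. The log format, the allowlist, the 200 KB threshold and the sample lines are all constructed assumptions; every Vite-built SPA uses this filename scheme, so the host allowlist does the real work.

```python
import re
from urllib.parse import urlsplit

# Vite/React production builds emit chunks named index-<hash>.js, so the name
# alone is not malicious; flag it only off the corporate allowlist and only when
# the file is big enough to be a whole React/React Router build.
CHUNK_RE = re.compile(r"^index-[A-Za-z0-9_-]{6,}\.js$")
ALLOWLIST = {"app.example.com", "cdn.example.com"}  # assumed corporate hosts
LARGE_BUNDLE_BYTES = 200_000                          # assumed threshold

# Constructed proxy log lines: "<timestamp> <client> <status> <bytes> <url>"
SAMPLE_LOGS = """\
2025-12-15T10:01:02Z 10.0.0.5 200 312455 https://app.example.com/assets/index-C9aZk3pQ.js
2025-12-15T10:03:44Z 10.0.0.5 200 298113 https://dhl-parcel-verify.example/assets/index-Bx71kLmq.js
2025-12-15T10:03:45Z 10.0.0.5 200 1822 https://dhl-parcel-verify.example/assets/index-Bx71kLmq.css
2025-12-15T10:04:10Z 10.0.0.9 200 5120 https://news.example.org/static/index-abc123.js
"""

def parse_line(line):
    ts, client, status, size, url = line.split(maxsplit=4)
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "status": int(status),
            "bytes": int(size), "host": parts.hostname, "path": parts.path}

def is_suspicious(rec):
    basename = rec["path"].rsplit("/", 1)[-1]
    return (CHUNK_RE.match(basename) is not None
            and rec["host"] not in ALLOWLIST
            and rec["bytes"] >= LARGE_BUNDLE_BYTES)

def find_suspicious_bundles(log_text):
    """Return parsed records for every line that trips all three conditions."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if is_suspicious(rec):
                hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_bundles(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}{hit['path']} ({hit['bytes']} bytes)")
```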
Critical Authentication Bypass in FortiCloud SSO Affects Multiple Fortinet Products
Fortinet disclosed a critical cryptographic signature verification vulnerability (CVE-2025-59718, CVE-2025-59719) affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allows unauthenticated attackers to bypass FortiCloud SSO login authentication through crafted SAML messages. The vulnerability stems from improper verification of cryptographic signatures (CWE-347) and affects FortiOS versions 7.0.0-7.0.17, 7.2.0-7.2.11, 7.4.0-7.4.8, and 7.6.0-7.6.3, with similar version ranges for other affected products. While FortiCloud SSO is disabled by default in factory settings, the feature automatically enables when administrators register devices to FortiCare unless explicitly disabled via the “Allow administrative login using FortiCloud SSO” toggle during registration. The vulnerability allows complete authentication bypass through malicious SAML message manipulation, granting unauthorized administrative access to affected devices. Fortinet internally discovered the issue through their Product Security team members Yonghui Han and Theo Leleu, with a CVSS v3 score of 9.1 indicating critical severity. Emergency mitigation requires disabling FortiCloud login via System Settings or CLI command “config system global set admin-forticloud-sso-login disable end” until patches are applied. All affected products have received security updates with FortiOS requiring upgrades to versions 7.0.18, 7.2.12, 7.4.9, or 7.6.4 depending on the deployed branch.
Impact: This vulnerability enables unauthenticated attackers to gain full administrative access to critical network security infrastructure without valid credentials. Compromised FortiGate firewalls, FortiWeb WAFs, and FortiProxy systems expose entire network perimeters to unauthorized configuration changes, traffic interception, and security policy manipulation. Organizations face immediate risks of network breach, data exfiltration, and complete security control bypass through exploitation of trusted SSO mechanisms. The automatic enablement during FortiCare registration means many organizations may be unknowingly exposed despite never manually configuring FortiCloud SSO.
Recommendation: Organizations must immediately disable FortiCloud SSO login on all vulnerable devices via “config system global set admin-forticloud-sso-login disable end” command until patches are applied. Prioritize upgrading FortiOS to 7.6.4/7.4.9/7.2.12/7.0.18, FortiProxy to 7.6.4/7.4.11/7.2.15/7.0.22, FortiWeb to 8.0.1/7.6.5/7.4.10, and FortiSwitchManager to 7.2.7/7.0.6 based on current versions. Review FortiCare registration procedures to ensure SSO toggle is explicitly disabled during device onboarding. Use Fortinet’s upgrade path tool at docs.fortinet.com/upgrade-tool to plan coordinated updates across infrastructure.
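To turn the FortiOS version ranges above into a fleet check, here is an added example (not Fortinet's tooling) that compares each device's version numerically against its branch's affected range and reports the target build; branches the advisory does not list are reported as unlisted rather than assumed safe. The inventory is constructed, and only FortiOS ranges are encoded because the bulletin gives exact affected ranges only for that product.

```python
# FortiOS branches from the advisory text above: (first affected, last affected, first fixed).
FORTIOS_FIXES = {
    (7, 0): ((7, 0, 0), (7, 0, 17), (7, 0, 18)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 4): ((7, 4, 0), (7, 4, 8), (7, 4, 9)),
    (7, 6): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
}

def parse_version(text):
    """'7.4.10' -> (7, 4, 10); numeric tuples so 7.4.10 sorts after 7.4.9."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version_text):
    """Return (status, target_build): status is 'vulnerable', 'fixed' or 'unlisted'."""
    v = parse_version(version_text)
    branch = FORTIOS_FIXES.get(v[:2])
    if branch is None:
        # A branch the advisory does not list (e.g. 6.4.x) is not proven safe; escalate it.
        return "unlisted", None
    first, last, fixed = branch
    if first <= v <= last:
        return "vulnerable", ".".join(map(str, fixed))
    return "fixed", None

def triage(inventory):
    """inventory: iterable of (hostname, version). Returns only hosts needing action."""
    report = {}
    for host, ver in inventory:
        status, target = assess(ver)
        if status != "fixed":
            report[host] = (status, target)
    return report

# Constructed inventory, not real devices.
INVENTORY = [
    ("fw-edge-01", "7.4.8"),
    ("fw-edge-02", "7.4.10"),
    ("fw-branch-07", "7.0.17"),
    ("fw-lab-01", "6.4.15"),
    ("fw-dc-03", "7.6.4"),
]

if __name__ == "__main__":
    for host, (status, target) in triage(INVENTORY).items():
        print(f"{host}: {status}" + (f", upgrade to {target}" if target else ""))
```

Hosts reported as vulnerable or unlisted should keep admin-forticloud-sso-login disabled until they are upgraded.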
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.