Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩 Cisco Talos Discovers China-Nexus APT UAT-9244 Targeting South American Telecoms with Novel Malware Implants
Cisco Talos disclosed details regarding UAT-9244, a high-confidence China-nexus advanced persistent threat group. The actor, closely associated with FamousSparrow and Tropic Trooper, has been actively targeting critical telecommunications infrastructure in South America since 2024. UAT-9244 compromises both Windows and Linux-based endpoints, as well as network edge devices, utilizing three newly identified malware implants: TernDoor, PeerTime, and BruteEntry. The primary Windows backdoor, TernDoor, is a variant of the previously known CrowDoor malware. It is deployed via a DLL side-loading technique where a benign executable loads a malicious loader to decrypt the final payload in memory. TernDoor utilizes a custom encrypted Windows driver to evade detection by suspending and terminating processes. On Linux and embedded architectures, the threat actor deploys PeerTime, a peer-to-peer backdoor that uses the BitTorrent protocol to receive command-and-control instructions and download payloads using BusyBox. Finally, UAT-9244 uses BruteEntry to compromise network edge devices and convert them into Operational Relay Boxes. These compromised nodes act as mass-scanning proxies that attempt to brute-force SSH, Postgres, and Tomcat servers.
Impact: The deployment of these highly specialized implants allows UAT-9244 to establish deep, resilient footholds across diverse operating environments within targeted telecommunication networks. By weaponizing network edge devices into Operational Relay Boxes, the threat actor obscures the true origin of their scanning and brute-forcing activities, complicating attribution and defense. The inclusion of encrypted drivers and peer-to-peer communication protocols significantly reduces the efficacy of traditional signature-based detection and network monitoring, exposing critical infrastructure to persistent espionage, unauthorized access, and potential disruption.
Recommendation: Ingest the provided indicators of compromise to block associated command-and-control IP addresses and domains. Monitor endpoints for anomalous dynamic-link library loading and investigate any unexpected creation of scheduled tasks or registry run keys used for persistence. Scrutinize edge devices for unauthorized SSH or database login attempts originating from unexpected IP addresses, which may indicate targeting by BruteEntry proxies. Furthermore, monitor or hunt for unconventional network traffic patterns, such as the unauthorized use of the BitTorrent protocol by internal Linux servers or embedded devices.
FreeScout Zero-Click RCE Vulnerability Exploits Zero-Width Character to Bypass Filename Validation
OX Security researchers discovered CVE-2026-28289, a zero-click unauthenticated remote code execution vulnerability in FreeScout help desk software, patched in version 1.8.207 on March 3, 2026. The vulnerability escalates a previously patched authenticated RCE (CVE-2026-27636) by bypassing filename validation through zero-width space character injection. Attackers can achieve code execution by sending a single crafted email to any address configured in FreeScout, requiring no authentication and no user interaction. The flaw affects all FreeScout versions up to and including 1.8.206, with researchers identifying over 1,100 publicly exposed instances via Shodan across public health institutions, technology providers, financial services platforms, and news organizations. FreeScout is an open-source help desk and shared mailbox application built on PHP Laravel framework with over 4,000 GitHub stars, allowing organizations to manage customer support tickets without subscription fees. The original CVE-2026-27636 patch attempted to prevent dangerous file uploads by appending underscores to restricted file extensions or filenames beginning with periods, but researchers discovered this validation could be bypassed by prepending Unicode U+200B zero-width space characters to filenames.
Impact: The zero-width space bypass exploits FreeScout’s filename validation by prepending U+200B characters that are invisible during initial security checks, allowing malicious filenames to pass validation that blocks names starting with periods. During subsequent processing, the zero-width space character is stripped, causing files to be saved as true dotfiles despite passing earlier validation. Attackers leverage this bypass by sending malicious emails containing crafted attachments to any mailbox configured in FreeScout, with the server automatically processing incoming messages and writing payloads to predictable storage locations at /storage/attachment/ paths. Since attachment locations are deterministic based on email metadata, attackers can calculate exact file paths and access uploaded payloads through the FreeScout web interface, executing arbitrary commands remotely. The vulnerability enables full server takeover with complete system compromise, exfiltration of helpdesk tickets and mailbox content including sensitive support data, and lateral movement from compromised FreeScout hosts to other systems within the same network. The zero-click nature eliminates dependency on user actions, with exploitation succeeding automatically when FreeScout processes incoming email, making every configured mailbox an attack vector.
Recommendation: Upgrade FreeScout to version 1.8.207 or later, which fixes CVE-2026-28289; all versions up to and including 1.8.206 are affected. Review the /storage/attachment/ directory for unexpected dotfiles, since the bypass causes attachments to be written with a leading period, and treat any such file as a sign of attempted exploitation. Limit public exposure of FreeScout instances, given the number of Internet-facing deployments identified via Shodan.
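The check-then-strip ordering behind the bypass, as an added example that is not FreeScout's code: a simplified Python model of a validator that tests the raw filename and strips zero-width characters only afterwards, beside one that normalizes first and saves exactly the name it validated. The blocked-extension set, the zero-width list and the storage audit helper are constructed for this example.

```python
import unicodedata

# Invisible format characters that can mask a leading dot; U+200B is the
# one the advisory describes. Constructed list for this example.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"
BLOCKED_EXT = {"php", "phtml", "phar"}  # constructed, not FreeScout's list


def _ext(name: str) -> str:
    # A dotfile such as ".htaccess" has no extension in this model; only
    # the leading-dot rule protects it.
    _, dot, ext = name[1:].rpartition(".")
    return ext.lower() if dot else ""


def _strip_zero_width(name: str) -> str:
    return name.translate({ord(c): None for c in ZERO_WIDTH})


def vulnerable_sanitize(filename: str) -> str:
    """Check first, strip later: the ordering the advisory describes.
    The leading-dot test sees U+200B + ".htaccess" as not starting with ".",
    then later processing drops U+200B and saves a true dotfile."""
    if filename.startswith("."):
        filename = "_" + filename
    if _ext(filename) in BLOCKED_EXT:
        filename += "_"
    return _strip_zero_width(filename)


def hardened_sanitize(filename: str) -> str:
    """Normalize first, validate the normalized name, save exactly that name."""
    name = unicodedata.normalize("NFKC", filename)  # folds look-alikes, e.g. fullwidth "." to "."
    name = _strip_zero_width(name)
    # Drop every remaining format/control code point, not just the known list.
    name = "".join(c for c in name if unicodedata.category(c) not in ("Cf", "Cc"))
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # no path components
    if not name or name.startswith("."):
        name = "_" + name
    if _ext(name) in BLOCKED_EXT:
        name += "_"
    return name


def find_dotfiles(stored_names):
    """Post-incident audit: names under the attachment directory that begin
    with "." should not exist if validation held; each one is a lead to triage."""
    return [n for n in stored_names if n.startswith(".")]
```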
VMware Aria Operations Vulnerabilities Enable Remote Code Execution and Privilege Escalation with Active Exploitation
Broadcom disclosed three vulnerabilities in VMware Aria Operations on February 24, 2026, with a March 3 update acknowledging reports of potential in-the-wild exploitation of CVE-2026-22719 that cannot be independently confirmed. CVE-2026-22719 is a command injection vulnerability with a CVSS score of 8.1 allowing unauthenticated attackers to execute arbitrary commands leading to remote code execution during support-assisted product migration operations. CVE-2026-22720 is a stored cross-site scripting vulnerability with a CVSS score of 8.0 enabling malicious actors with custom benchmark creation privileges to inject scripts performing administrative actions. CVE-2026-22721 is a privilege escalation vulnerability with a CVSS score of 6.2 allowing actors with vCenter access to Aria Operations to obtain administrative access. The vulnerabilities affect VMware Aria Operations 8.x, VMware Cloud Foundation 9.x including vSphere Foundation, VMware Telco Cloud Platform 5.x and 4.x, and VMware Telco Cloud Infrastructure 3.x and 2.x. Patches are available through VMware Cloud Foundation Operations 9.0.2.0, VMware Aria Operations 8.18.6, and documented workarounds for CVE-2026-22719 in KB430349.
Impact: The command injection vulnerability requires no authentication and executes during support-assisted migration workflows, providing attackers with remote code execution capabilities on VMware Aria Operations instances. The attack complexity is rated high, but successful exploitation grants complete system compromise with confidentiality, integrity, and availability impacts all rated high. The stored cross-site scripting vulnerability requires low attack complexity and low privileges, specifically the ability to create custom benchmarks, and enables script injection with changed scope allowing high impact to confidentiality, integrity, and availability through administrative action execution. The privilege escalation vulnerability allows actors with existing vCenter privileges to access Aria Operations and leverage high-privilege requirements with high attack complexity to escalate to administrative access, resulting in high confidentiality and integrity impact with low availability impact. The combination of these vulnerabilities creates multiple attack paths, with CVE-2026-22719 providing initial access without credentials, CVE-2026-22720 enabling persistence through stored malicious scripts, and CVE-2026-22721 allowing lateral movement from vCenter access to full Aria Operations administrative control.
Recommendation: Apply patches to VMware Aria Operations 8.18.6, VMware Cloud Foundation Operations 9.0.2.0, or consult KB92148 for VMware Cloud Foundation 5.x and 4.x deployments and KB428241 for VMware Telco Cloud Platform and Infrastructure versions. Implement workarounds documented in KB430349 for CVE-2026-22719 if patches cannot be deployed immediately. Restrict custom benchmark creation privileges to essential personnel only, reviewing existing user permissions for unnecessary access to this functionality. Audit existing custom benchmarks for injected script content, particularly examining benchmark definitions for JavaScript code or HTML event handlers. Implement network segmentation isolating VMware Aria Operations instances from untrusted networks, with particular focus on restricting access during migration operations when CVE-2026-22719 exploitation risk is highest. Monitor vCenter access logs for privilege escalation attempts targeting Aria Operations, specifically reviewing authentication events where vCenter users obtain Aria Operations administrative access without legitimate justification. Deploy intrusion detection signatures detecting command injection patterns targeting VMware Aria Operations migration interfaces. Organizations should prioritize patching given reports of potential active exploitation of CVE-2026-22719.
🚩 Google Threat Intelligence Details “Coruna” iOS Exploit Kit Used in Widespread Cyber Espionage and Crypto Theft
The Google Threat Intelligence Group (GTIG) reported the discovery of a highly sophisticated iOS exploit kit dubbed “Coruna.” The framework targets Apple iPhones running iOS 13.0 through 17.2.1, boasting a collection of 23 exploits structured into five full exploit chains. Over the course of 2025, Coruna proliferated from a commercial surveillance vendor to a suspected Russian espionage group (UNC6353) conducting watering-hole attacks in Ukraine. By December, it had reached a financially motivated Chinese threat actor (UNC6691) executing mass-scale attacks via fake cryptocurrency exchange websites. Independent researchers at iVerify, who track the kit as CryptoWaters, noted the framework’s sophistication and similarities to past campaigns like Operation Triangulation, suggesting it may have originated as a top-tier nation-state capability before leaking to the broader cybercriminal underground. The exploit chain typically begins when a vulnerable iOS device visits a compromised website and a hidden iFrame silently delivers the initial JavaScript. The framework fingerprints the device, verifies it is not running in a virtualized environment like Corellium, and then deploys a tailored chain of attacks. These attacks sequence through WebKit remote code execution (such as CVE-2024-23222), pointer authentication code (PAC) bypasses, sandbox escapes, and kernel privilege escalation to achieve complete device takeover.
Impact: This development marks a significant escalation in mobile threats, shifting from highly targeted spyware deployments to indiscriminate, mass-scale exploitation against iOS devices. The final payload, tracked as PLASMAGRID or PlasmaLoader, injects itself into the root-level powerd daemon to maintain persistence and evade process monitoring. From this elevated position, the implant actively hunts for financial information. It is designed to decode QR codes from stored images, extract BIP39 seed phrases from Apple Memos, and specifically hook into over a dozen popular cryptocurrency wallet applications, including MetaMask, Phantom, and Trust Wallet, to exfiltrate user funds and sensitive data.
Recommendation: Users and organizations should verify all Apple devices are updated to the latest available iOS versions, as the Coruna exploit kit is ineffective against iOS 17.3 and newer. For individuals at high risk of targeted attacks or those temporarily unable to update their devices, enabling Apple’s Lockdown Mode is advised, as the Coruna framework is specifically programmed to abort its execution if Lockdown Mode or private browsing is detected. Security operations centers should ingest the provided network indicators of compromise to detect and block access to the malicious domains associated with the campaign, including the predictable .xyz domains generated by the malware’s custom domain generation algorithm.
Pro-Iranian and Allied Hacktivist Groups Launch Retaliatory DDoS Campaigns Following Operation Epic Fury
Radware published a threat alert on March 3, 2026, detailing a massive surge in hacktivist distributed denial-of-service (DDoS) attacks following the joint U.S. and Israeli military offensive known as Operation Epic Fury, or Operation Roaring Lion. Initiated on February 28, 2026, the kinetic strikes against Iranian infrastructure acted as an immediate catalyst for global hacktivist mobilization. Within nine hours of the military action, pro-Iranian and allied “axis of resistance” collectives began targeting organizations across the Middle East and Europe. The digital offensive is highly concentrated, with the groups Keymous+ and DieNet driving nearly 70 percent of the attack claims in the Middle East. On March 2, the landscape broadened further as the prominent pro-Russian collective NoName057(16) joined the campaign, focusing its efforts heavily on European targets like Denmark as well as Israeli infrastructure.
Impact: The retaliatory campaigns demonstrate a clear strategic intent to disrupt state functions, public messaging, and economic stability. Rather than selecting random targets, these collectives directed 53 percent of all their attacks toward government institutions, followed by financial services and telecommunications. In the Middle East, the attacks are heavily concentrated on a specific axis consisting of Kuwait, Israel, and Jordan, which collectively represent over 76 percent of all regional claims. This coordinated digital aggression effectively expands the regional conflict into cyberspace, threatening severe operational disruptions for unprotected critical infrastructure and banking systems across multiple nations.
Recommendation: Organizations should proactively harden their network environments and web-facing assets against high-volume distributed denial-of-service attacks before they are targeted. Furthermore, organizations should review their incident response plans to ensure rapid coordination with internet service providers and cloud security vendors in the event of a sustained hacktivist campaign.
🚩 Chinese-Nexus APT Silver Dragon Deploys GearDoor Google Drive Backdoor and Novel Loaders in Southeast Asia and Europe
Check Point Research reported that it is tracking an advanced persistent threat group it calls Silver Dragon, which has targeted organizations across Southeast Asia and Europe since at least mid-2024, with a focus on government entities. Check Point assesses the activity is likely operating within the umbrella of Chinese-nexus APT41. According to Check Point, Silver Dragon gains initial access by exploiting public-facing servers and by delivering phishing emails with malicious attachments, and then uses service hijacking to blend persistence into normal Windows activity. Check Point describes multiple infection chains that ultimately deliver Cobalt Strike as the final payload, including AppDomain hijacking and service DLL-based persistence delivered via archives, as well as a phishing chain using weaponized LNK attachments. The group’s tooling includes BamboLoader, a loader that decrypts and decompresses staged shellcode and injects it into processes, and MonikerLoader, which decrypts and executes a second-stage loader in memory. Check Point also reports Silver Dragon deployed GearDoor, a .NET backdoor that uses Google Drive as its command-and-control channel with encrypted, file-based tasking and exfiltration, along with additional custom tools including SSHcmd for SSH-based remote access and SliverScreen for periodic screen capture.
Impact: This activity can provide sustained remote access and post-exploitation capability in targeted environments through Cobalt Strike and custom tooling designed for persistence and stealth. Abuse of legitimate Windows services and cloud platforms like Google Drive for command-and-control can reduce visibility for defenders and complicate network-based blocking. The inclusion of screen capture and SSH tooling increases risk of credential exposure, operational surveillance, and continued hands-on activity after initial compromise.
Recommendation: Prioritize patching and hardening of public-facing servers to reduce the initial access opportunities Check Point describes and increase monitoring for phishing-based delivery involving LNK attachments and follow-on PowerShell activity. Monitor for signs of Windows service hijacking and unexpected service creation or modification that mimics legitimate components, particularly activity that recreates common services and points ServiceDll paths to non-standard locations. Hunt for behaviors consistent with AppDomain hijacking involving legitimate .NET utilities and suspicious config placement. Because GearDoor uses Google Drive as a C2 channel, review cloud and network telemetry for anomalous Google Drive activity that does not align to normal user behavior, and ensure detection workflows account for encrypted, file-based tasking patterns over trusted cloud services.
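One way to hunt for the ServiceDll pattern described above, as an added example that is not Check Point's or any vendor's tooling: a Python parser over constructed `reg query` output that flags service DLLs outside the directories where svchost-hosted DLLs normally live. The service names, paths and allowlist are constructed sample data.

```python
import re

# Constructed sample in the shape of "reg query HKLM\...\Services\<name>\Parameters
# /v ServiceDll" output; the two non-System32 paths are the planted suspicious entries.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Microsoft\Themes\themeservice.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\winhttp.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Users\Public\Libraries\lfsvc.dll
"""

# Where Microsoft-hosted svchost service DLLs normally live. Constructed
# allowlist; extend it from your own baseline before treating hits as alerts.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

KEY_RE = re.compile(r"\\Services\\([^\\\r\n]+)\\Parameters\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s*ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.IGNORECASE)


def normalize_windows_path(path: str) -> str:
    # Expand the %SystemRoot% form reg query reports and fold case and slashes.
    low = path.replace("/", "\\").lower()
    return low.replace("%systemroot%", "c:\\windows")


def parse_service_dlls(text: str):
    """Yield (service_name, servicedll_value) pairs from reg query output."""
    service = None
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if m:
            service = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and service:
            yield service, m.group(1)


def find_suspicious_service_dlls(text: str):
    """Return (service, raw_path) for ServiceDll values outside EXPECTED_DIRS:
    the pattern of a common service recreated with its DLL pointed elsewhere."""
    findings = []
    for service, raw in parse_service_dlls(text):
        if not normalize_windows_path(raw).startswith(EXPECTED_DIRS):
            findings.append((service, raw))
    return findings
```

Each hit still needs triage against a known-good baseline, since some legitimate third-party services also host DLLs outside System32.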
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.