Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
🚩 Iranian APT Seedworm Deploys New Backdoors on U.S. Bank, Airport, and Software Company Networks
Symantec researchers identified the Iranian APT group Seedworm conducting intrusion operations against multiple U.S. organizations beginning in early February 2026 and continuing into early March, following U.S. and Israeli military strikes on Iran. Targeted entities include a U.S. bank, a software company, an airport, and non-governmental organizations in the U.S. and Canada. Seedworm, also tracked as MuddyWater, TEMP.Zagros, and Static Kitten, is assessed by CISA to be a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS). The group deployed a previously unknown backdoor named Dindoor, which uses the Deno runtime to execute JavaScript and TypeScript; samples were signed with certificates issued to “Amy Cherne” and were found on the networks of the software company’s Israeli operation, the U.S. bank, and the Canadian non-profit. A separate Python backdoor called Fakeset was discovered on the U.S. airport and non-profit networks, signed with certificates issued to “Amy Cherne” and “Donald Gay”; the “Donald Gay” certificate was previously used to sign the Seedworm-linked malware families Stagecomp and Darkcomp. The attackers attempted to exfiltrate data from the software company by using Rclone to copy backups to Wasabi cloud storage buckets, although whether the transfer succeeded remains unclear.
Impact: Seedworm’s presence on U.S. and Israeli networks prior to current regional hostilities positions the group for potential destructive operations beyond traditional espionage activities. The targeting of a defense and aerospace industry software supplier with Israeli operations provides potential access to supply chain relationships and sensitive project data across multiple sectors. The bank intrusion creates risks for financial data exfiltration and potential payment system disruption, while airport network access enables surveillance of transportation infrastructure. Iran has demonstrated capability for destructive cyberattacks including wiper malware deployment, with historical operations like Shamoon against Saudi Arabia’s oil industry and BibiWiper attacks against Israeli targets.
Recommendation: Organizations, particularly those in critical infrastructure and defense sectors, should heighten their security posture against Iranian state-sponsored threats. Search environments for the Deno runtime or unauthorized Python scripts on hosts where neither is expected, which may indicate Dindoor or Fakeset infections. Monitor for unauthorized use of data transfer tools such as Rclone, especially large outbound transfers to external cloud storage platforms such as Wasabi or Backblaze, and maintain immutable, isolated backups. Block network connections to the identified IOCs. Deploy monitoring for password spraying across multiple accounts from unusual geographic locations, particularly authentication failures outside normal working hours or originating from commercial VPN infrastructure including NordVPN endpoints. Enable multi-factor authentication on all remote access, disable legacy authentication protocols, and implement conditional access policies based on location and device risk. Deploy web application firewalls with updated rule sets, enable DDoS protection via a CDN or upstream filtering service, and monitor for spikes in HTTP requests from distributed IP ranges. Given Broadcom’s warning that Iranian actors may escalate to disruptive or destructive operations, organizations should also validate network segmentation, test recovery procedures, and ensure monitoring is in place for shadow copy deletion, mass scheduled task creation, suspicious administrative command execution, and attempts to disable security tooling.
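The Rclone-to-cloud-storage exfiltration pattern above is a good candidate for a log hunt. The following is an added example written for this bulletin, not code from Symantec or SRA: it aggregates outbound uploads per source host and flags either the rclone User-Agent or a large upload volume to storage providers the organization does not sanction. The log layout, the provider domain list (wasabisys.com, backblazeb2.com) and the 500 MB threshold are assumptions; the log lines are constructed.

```python
"""Hunt web-proxy logs for Rclone-style bulk uploads to third-party object storage.

Added example, not code from Symantec's report or SRA's feed. Assumptions are marked.
"""
import re
from collections import defaultdict

# Assumption: S3-compatible endpoints of storage providers the organisation does not
# sanction. Wasabi serves from *.wasabisys.com and Backblaze B2 from *.backblazeb2.com.
UNSANCTIONED_STORAGE = ("wasabisys.com", "backblazeb2.com")

# Rclone's default User-Agent is "rclone/v<version>"; an attacker can change it,
# so the volume check below must not depend on it.
RCLONE_UA = re.compile(r"\brclone/v\d+")

# Assumed log layout: <timestamp> <src_ip> <dst_host> <method> <bytes_sent> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

# Constructed sample lines for the demonstration (not real telemetry).
SAMPLE_LOG = """\
2026-03-04T02:11:09Z 10.20.4.15 s3.us-east-1.wasabisys.com PUT 734003200 "rclone/v1.65.2"
2026-03-04T02:13:44Z 10.20.4.15 s3.us-east-1.wasabisys.com PUT 812000000 "rclone/v1.65.2"
2026-03-04T09:01:13Z 10.20.7.88 www.example.com GET 4096 "Mozilla/5.0"
2026-03-04T10:30:00Z 10.20.9.3 s3.us-west-004.backblazeb2.com PUT 52428800 "Mozilla/5.0"
"""


def is_unsanctioned_storage(host: str) -> bool:
    """True when the destination is (a subdomain of) an unsanctioned storage provider."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in UNSANCTIONED_STORAGE)


def find_exfil_candidates(log_text: str, volume_threshold: int = 500 * 1024 * 1024) -> list:
    """Return one finding per (source, destination) pair that either used the rclone
    User-Agent or pushed at least `volume_threshold` bytes to unsanctioned storage."""
    uploads = defaultdict(lambda: {"bytes": 0, "rclone": False, "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        _ts, src, dst, method, sent, ua = m.groups()
        if method not in ("PUT", "POST") or not is_unsanctioned_storage(dst):
            continue
        rec = uploads[(src, dst)]
        rec["bytes"] += int(sent)
        rec["requests"] += 1
        rec["rclone"] = rec["rclone"] or bool(RCLONE_UA.search(ua))

    findings = []
    for (src, dst), rec in sorted(uploads.items()):
        reasons = []
        if rec["rclone"]:
            reasons.append("rclone-user-agent")
        if rec["bytes"] >= volume_threshold:
            reasons.append("bulk-upload-volume")
        if reasons:  # uploads below threshold with a normal UA are kept out of the alert list
            findings.append({"src": src, "dst": dst, "bytes": rec["bytes"],
                             "requests": rec["requests"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']} bytes in {f['requests']} requests "
              f"({', '.join(f['reasons'])})")
```

Lowering `volume_threshold` turns the hunt into an inventory of every host that writes to these providers, which is the quicker way to find a legitimate backup job that should be allow-listed before the alert goes into production.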
🚩 Cisco Talos Discovers China-Nexus APT UAT-9244 Targeting South American Telecoms with Novel Malware Implants
Cisco Talos disclosed details regarding UAT-9244, a high-confidence China-nexus advanced persistent threat group. The actor, closely associated with FamousSparrow and Tropic Trooper, has been actively targeting critical telecommunications infrastructure in South America since 2024. UAT-9244 compromises both Windows and Linux-based endpoints, as well as network edge devices, utilizing three newly identified malware implants: TernDoor, PeerTime, and BruteEntry. The primary Windows backdoor, TernDoor, is a variant of the previously known CrowDoor malware. It is deployed via a DLL side-loading technique where a benign executable loads a malicious loader to decrypt the final payload in memory. TernDoor utilizes a custom encrypted Windows driver to evade detection by suspending and terminating processes. On Linux and embedded architectures, the threat actor deploys PeerTime, a peer-to-peer backdoor that uses the BitTorrent protocol to receive command-and-control instructions and download payloads using BusyBox. Finally, UAT-9244 uses BruteEntry to compromise network edge devices and convert them into Operational Relay Boxes. These compromised nodes act as mass-scanning proxies that attempt to brute-force SSH, Postgres, and Tomcat servers.
Impact: The deployment of these highly specialized implants allows UAT-9244 to establish deep, resilient footholds across diverse operating environments within targeted telecommunication networks. By weaponizing network edge devices into Operational Relay Boxes, the threat actor obscures the true origin of their scanning and brute-forcing activities, complicating attribution and defense. The inclusion of encrypted drivers and peer-to-peer communication protocols significantly reduces the efficacy of traditional signature-based detection and network monitoring, exposing critical infrastructure to persistent espionage, unauthorized access, and potential disruption.
Recommendation: Ingest the provided indicators of compromise to block the associated command-and-control IP addresses and domains. Monitor endpoints for anomalous dynamic-link library loading and investigate any unexpected creation of scheduled tasks or registry run keys used for persistence. Scrutinize edge devices for unauthorized SSH or database login attempts originating from unexpected IP addresses, which may indicate targeting by BruteEntry proxies. Furthermore, monitor or hunt for unconventional network traffic patterns, such as use of the BitTorrent protocol by internal Linux servers or embedded devices.
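PeerTime's use of BitTorrent for command and control gives defenders a protocol-level signal that is independent of any IOC list. The block below is an added example written for this bulletin, not Cisco Talos code: it recognises the peer-wire handshake (the 0x13 length byte followed by "BitTorrent protocol", from BEP 3) and bencoded DHT messages (the "y" key from BEP 5), and raises an alert only when an internal host originates that traffic towards an external peer. The flow records are constructed, and the DHT check is a heuristic rather than a full bencode parser.

```python
"""Flag BitTorrent peer-wire handshakes and DHT traffic from internal servers.

Added example, not Cisco Talos code. Protocol constants come from the public
BitTorrent specs (BEP 3 handshake, BEP 5 DHT); the flow records are constructed.
"""
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"  # pstrlen=19 followed by the protocol string
DHT_MSG_TYPE = re.compile(rb"1:y1:[qre]")  # bencoded "y" key: query, response or error


def classify_payload(proto: str, payload: bytes):
    """Return 'bt-handshake', 'bt-dht' or None for a single packet payload."""
    # Handshake = 20 prefix + 8 reserved + 20 info_hash + 20 peer_id bytes.
    if proto == "tcp" and len(payload) >= 68 and payload.startswith(HANDSHAKE_PREFIX):
        return "bt-handshake"
    # Heuristic: a bencoded dictionary that carries a DHT message-type key.
    if (proto == "udp" and payload.startswith(b"d") and payload.endswith(b"e")
            and DHT_MSG_TYPE.search(payload)):
        return "bt-dht"
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, proto, payload). Returns alerts for
    internal hosts that originate BitTorrent traffic towards external peers."""
    alerts = []
    for src, dst, proto, payload in flows:
        kind = classify_payload(proto, payload)
        if kind and is_internal(src) and not is_internal(dst):
            alerts.append({"src": src, "dst": dst, "kind": kind})
    return alerts


# Constructed flows: an internal Linux server speaking BitTorrent, plus plain HTTP for contrast.
SAMPLE_FLOWS = [
    ("10.50.1.20", "203.0.113.7", "tcp",
     HANDSHAKE_PREFIX + b"\x00" * 8 + b"\xab" * 20 + b"-TR2940-" + b"x" * 12),
    ("10.50.1.20", "198.51.100.9", "udp",
     b"d1:ad2:id20:" + b"\x01" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),  # DHT ping query
    ("10.50.1.21", "203.0.113.80", "tcp", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['dst']}: {a['kind']}")
```

In production this logic belongs in the IDS (a Suricata content match on the handshake prefix is equivalent), but the same two checks are useful when triaging a packet capture from a suspect embedded device by hand.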
FreeScout Zero-Click RCE Vulnerability Exploits Zero-Width Character to Bypass Filename Validation
OX Security researchers discovered CVE-2026-28289, a zero-click, unauthenticated remote code execution vulnerability in the FreeScout help desk software, patched in version 1.8.207 on March 3, 2026. The vulnerability escalates a previously patched authenticated RCE (CVE-2026-27636) by bypassing filename validation through zero-width space injection. Attackers can achieve code execution by sending a single crafted email to any address configured in FreeScout, with no authentication and no user interaction required. The flaw affects all FreeScout versions up to and including 1.8.206; the researchers identified over 1,100 publicly exposed instances via Shodan across public health institutions, technology providers, financial services platforms, and news organizations. FreeScout is an open-source help desk and shared mailbox application built on the PHP Laravel framework with over 4,000 GitHub stars, allowing organizations to manage customer support tickets without subscription fees. The original CVE-2026-27636 patch attempted to prevent dangerous file uploads by appending underscores to restricted file extensions or to filenames beginning with a period, but the researchers discovered that this validation could be bypassed by prepending the Unicode U+200B zero-width space character to filenames.
Impact: The zero-width space bypass exploits FreeScout’s filename validation by prepending U+200B characters that are invisible during initial security checks, allowing malicious filenames to pass validation that blocks names starting with periods. During subsequent processing, the zero-width space character is stripped, causing files to be saved as true dotfiles despite passing earlier validation. Attackers leverage this bypass by sending malicious emails containing crafted attachments to any mailbox configured in FreeScout, with the server automatically processing incoming messages and writing payloads to predictable storage locations at /storage/attachment/ paths. Since attachment locations are deterministic based on email metadata, attackers can calculate exact file paths and access uploaded payloads through the FreeScout web interface, executing arbitrary commands remotely. The vulnerability enables full server takeover with complete system compromise, exfiltration of helpdesk tickets and mailbox content including sensitive support data, and lateral movement from compromised FreeScout hosts to other systems within the same network. The zero-click nature eliminates dependency on user actions, with exploitation succeeding automatically when FreeScout processes incoming email, making every configured mailbox an attack vector.
Recommendation: Upgrade FreeScout to version 1.8.207 or later, which addresses CVE-2026-28289 along with the earlier CVE-2026-27636. Because exploitation requires only an inbound email, treat every mailbox connected to a vulnerable instance as exposed attack surface until the patch is applied. Hunt for signs of prior exploitation by listing files under the attachment storage path (/storage/attachment/) whose names begin with a period or contain zero-width characters such as U+200B, and by reviewing web server and application logs for requests to attachment paths followed by unexpected process execution or outbound connections. Reduce internet exposure of the FreeScout web interface where possible, place it behind authentication or IP restrictions, run the application under a low-privilege account, and configure the web server so that files in the attachment storage directory are neither executed nor honored as configuration. Instances showing indicators of compromise should be treated as fully compromised, with credentials, mailbox contents, and adjacent systems reviewed accordingly.
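The root cause described in this item is a validate-then-canonicalise ordering bug: the filename is checked while the zero-width characters are still present and those characters are removed afterwards. The following is an added example written for this bulletin in Python (FreeScout itself is PHP and this is not its code) that models the vulnerable ordering next to a hardened one. The deny-list of extensions and the exact neutralisation rule (appending an underscore, as the advisory describes) are assumptions about FreeScout's behaviour.

```python
"""Model of the FreeScout filename-validation bypass (CVE-2026-28289) and a fix.

Added example written for this bulletin; FreeScout itself is PHP and this is not
its code. The vulnerable path models the ordering the advisory describes:
validate the raw name first, strip invisible characters later.
"""
import unicodedata

# Assumed deny-list of server-executable extensions; FreeScout's actual list may differ.
RESTRICTED_EXT = {"php", "phtml", "phar", "php7"}


def strip_format_chars(name: str) -> str:
    """Remove Unicode format characters (category Cf), which includes U+200B
    ZERO WIDTH SPACE, the U+200C/U+200D joiners, U+2060 WORD JOINER and U+FEFF."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def neutralise(name: str) -> str:
    """The check itself: append '_' to dotfiles and to restricted extensions."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if name.startswith(".") or ext in RESTRICTED_EXT:
        return name + "_"
    return name


def stored_name_vulnerable(name: str) -> str:
    """Validation runs on the raw name; a later step strips the zero-width characters,
    so a name that 'did not start with a dot' becomes a real dotfile on disk."""
    checked = neutralise(name)
    return strip_format_chars(checked)


def stored_name_hardened(name: str) -> str:
    """Canonicalise first (NFKC, then drop format characters), validate the canonical
    form, and store exactly the string that was validated."""
    canonical = strip_format_chars(unicodedata.normalize("NFKC", name))
    canonical = canonical.strip() or "attachment"  # never an empty or blank name
    return neutralise(canonical)


if __name__ == "__main__":
    for n in ["\u200b.htaccess", "shell.ph\u200bp", "shell.php", "report.pdf"]:
        print(repr(n), "->", repr(stored_name_vulnerable(n)),
              "| hardened:", repr(stored_name_hardened(n)))
```

The second sample, `shell.ph\u200bp`, shows that the same ordering bug also defeats the extension check, not only the leading-dot check, which is why the fix normalises the whole name rather than looking for U+200B at position zero. NFKC also folds look-alikes such as the fullwidth full stop (U+FF0E) into an ASCII period before validation.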
VMware Aria Operations Vulnerabilities Enable Remote Code Execution and Privilege Escalation with Active Exploitation
Broadcom disclosed three vulnerabilities in VMware Aria Operations on February 24, 2026, with a March 3 update acknowledging reports of potential in-the-wild exploitation of CVE-2026-22719 that cannot be independently confirmed. CVE-2026-22719 is a command injection vulnerability with a CVSS score of 8.1 allowing unauthenticated attackers to execute arbitrary commands leading to remote code execution during support-assisted product migration operations. CVE-2026-22720 is a stored cross-site scripting vulnerability with a CVSS score of 8.0 enabling malicious actors with custom benchmark creation privileges to inject scripts performing administrative actions. CVE-2026-22721 is a privilege escalation vulnerability with a CVSS score of 6.2 allowing actors with vCenter access to Aria Operations to obtain administrative access. The vulnerabilities affect VMware Aria Operations 8.x, VMware Cloud Foundation 9.x including vSphere Foundation, VMware Telco Cloud Platform 5.x and 4.x, and VMware Telco Cloud Infrastructure 3.x and 2.x. Patches are available through VMware Cloud Foundation Operations 9.0.2.0, VMware Aria Operations 8.18.6, and documented workarounds for CVE-2026-22719 in KB430349.
Impact: The command injection vulnerability requires no authentication and executes during support-assisted migration workflows, providing attackers with remote code execution capabilities on VMware Aria Operations instances. The attack complexity is rated high, but successful exploitation grants complete system compromise with confidentiality, integrity, and availability impacts all rated high. The stored cross-site scripting vulnerability requires low attack complexity and low privileges, specifically the ability to create custom benchmarks, and enables script injection with changed scope allowing high impact to confidentiality, integrity, and availability through administrative action execution. The privilege escalation vulnerability allows actors with existing vCenter privileges to access Aria Operations and leverage high-privilege requirements with high attack complexity to escalate to administrative access, resulting in high confidentiality and integrity impact with low availability impact. The combination of these vulnerabilities creates multiple attack paths, with CVE-2026-22719 providing initial access without credentials, CVE-2026-22720 enabling persistence through stored malicious scripts, and CVE-2026-22721 allowing lateral movement from vCenter access to full Aria Operations administrative control.
Recommendation: Apply patches to VMware Aria Operations 8.18.6, VMware Cloud Foundation Operations 9.0.2.0, or consult KB92148 for VMware Cloud Foundation 5.x and 4.x deployments and KB428241 for VMware Telco Cloud Platform and Infrastructure versions. Implement workarounds documented in KB430349 for CVE-2026-22719 if patches cannot be deployed immediately. Restrict custom benchmark creation privileges to essential personnel only, reviewing existing user permissions for unnecessary access to this functionality. Audit existing custom benchmarks for injected script content, particularly examining benchmark definitions for JavaScript code or HTML event handlers. Implement network segmentation isolating VMware Aria Operations instances from untrusted networks, with particular focus on restricting access during migration operations when CVE-2026-22719 exploitation risk is highest. Monitor vCenter access logs for privilege escalation attempts targeting Aria Operations, specifically reviewing authentication events where vCenter users obtain Aria Operations administrative access without legitimate justification. Deploy intrusion detection signatures detecting command injection patterns targeting VMware Aria Operations migration interfaces. Organizations should prioritize patching given reports of potential active exploitation of CVE-2026-22719.
🚩 Google Threat Intelligence Details “Coruna” iOS Exploit Kit Used in Widespread Cyber Espionage and Crypto Theft
The Google Threat Intelligence Group (GTIG) reported the discovery of a highly sophisticated iOS exploit kit dubbed “Coruna.” The framework targets Apple iPhones running iOS 13.0 through 17.2.1, boasting a collection of 23 exploits structured into five full exploit chains. Over the course of 2025, Coruna proliferated from a commercial surveillance vendor to a suspected Russian espionage group (UNC6353) conducting watering-hole attacks in Ukraine. By December, it had reached a financially motivated Chinese threat actor (UNC6691) executing mass-scale attacks via fake cryptocurrency exchange websites. Independent researchers at iVerify, who track the kit as CryptoWaters, noted the framework’s sophistication and similarities to past campaigns like Operation Triangulation, suggesting it may have originated as a top-tier nation-state capability before leaking to the broader cybercriminal underground. The exploit chain typically begins when a vulnerable iOS device visits a compromised website and a hidden iFrame silently delivers the initial JavaScript. The framework fingerprints the device, verifies it is not running in a virtualized environment like Corellium, and then deploys a tailored chain of attacks. These attacks sequence through WebKit remote code execution (such as CVE-2024-23222), pointer authentication code (PAC) bypasses, sandbox escapes, and kernel privilege escalation to achieve complete device takeover.
Impact: This development marks a significant escalation in mobile threats, shifting from highly targeted spyware deployments to indiscriminate, mass-scale exploitation against iOS devices. The final payload, tracked as PLASMAGRID or PlasmaLoader, injects itself into the root-level powerd daemon to maintain persistence and evade process monitoring. From this elevated position, the implant actively hunts for financial information. It is designed to decode QR codes from stored images, extract BIP39 seed phrases from Apple Memos, and specifically hook into over a dozen popular cryptocurrency wallet applications, including MetaMask, Phantom, and Trust Wallet, to exfiltrate user funds and sensitive data.
Recommendation: Users and organizations should verify all Apple devices are updated to the latest available iOS versions, as the Coruna exploit kit is ineffective against iOS 17.3 and newer. For individuals at high risk of targeted attacks or those temporarily unable to update their devices, enabling Apple’s Lockdown Mode is advised, as the Coruna framework is specifically programmed to abort its execution if Lockdown Mode or private browsing is detected. Security operations centers should ingest the provided network indicators of compromise to detect and block access to the malicious domains associated with the campaign, including the predictable .xyz domains generated by the malware’s custom domain generation algorithm.
Pro-Iranian and Allied Hacktivist Groups Launch Retaliatory DDoS Campaigns Following Operation Epic Fury
Radware published a threat alert on March 3, 2026, detailing a massive surge in hacktivist distributed denial-of-service (DDoS) attacks following the joint U.S. and Israeli military offensive known as Operation Epic Fury, or Operation Roaring Lion. Initiated on February 28, 2026, the kinetic strikes against Iranian infrastructure acted as an immediate catalyst for global hacktivist mobilization. Within nine hours of the military action, pro-Iranian and allied “axis of resistance” collectives began targeting organizations across the Middle East and Europe. The digital offensive is highly concentrated, with the groups Keymous+ and DieNet driving nearly 70 percent of the attack claims in the Middle East. On March 2, the landscape broadened further as the prominent pro-Russian collective NoName057(16) joined the campaign, focusing its efforts heavily on European targets like Denmark as well as Israeli infrastructure.
Impact: The retaliatory campaigns demonstrate a clear strategic intent to disrupt state functions, public messaging, and economic stability. Rather than selecting random targets, these collectives directed 53 percent of all their attacks toward government institutions, followed by financial services and telecommunications. In the Middle East, the attacks are heavily concentrated on a specific axis consisting of Kuwait, Israel, and Jordan, which collectively represent over 76 percent of all regional claims. This coordinated digital aggression effectively expands the regional conflict into cyberspace, threatening severe operational disruptions for unprotected critical infrastructure and banking systems across multiple nations.
Recommendation: Organizations should proactively harden their network environments and web-facing assets against high-volume distributed denial-of-service attacks before they are targeted. Furthermore, organizations should review their incident response plans to ensure rapid coordination with internet service providers and cloud security vendors in the event of a sustained hacktivist campaign.
Threat Bulletin Archive
TB20250325 – IngressNightmare: Critical Remote Code Execution Vulnerabilities in Ingress NGINX Controller Enable Kubernetes Cluster Takeover
TB20250318 – GitHub Action “tj-actions/changed-files” Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
TB20250211 – Microsoft Patch Tuesday
TB20250114 – Microsoft Patch Tuesday
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.