TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

Microsoft Disclosed a ClickFix Campaign that Uses Windows Terminal to Launch Lumma Stealer and Evade Detections Focused on Run Dialog Abuse

Microsoft Threat Intelligence disclosed a widespread ClickFix social engineering campaign observed in February 2026 that uses Windows Terminal as the primary execution mechanism to deploy Lumma Stealer. Instead of the more familiar Win + R workflow, the campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal directly. Microsoft said the lures were delivered through fake CAPTCHA pages, troubleshooting prompts, and similar verification-style themes designed to convince users to paste attacker-supplied commands. The attack begins when a user pastes a hex-encoded, XOR-compressed command into Windows Terminal. In one path, the command spawns additional Terminal and PowerShell instances, decodes the script, downloads a ZIP payload and a legitimate but renamed 7-Zip binary, and then extracts additional components. Microsoft said the follow-on activity includes retrieving more payloads, creating scheduled-task persistence, configuring Microsoft Defender exclusions, collecting machine and network data, and injecting Lumma Stealer into chrome.exe and msedge.exe using QueueUserAPC(). In a second path, the command downloads a randomly named batch script into AppData\Local, writes a VBScript into %TEMP%, re-executes through cmd.exe and MSBuild.exe, and connects to crypto blockchain RPC endpoints, which Microsoft said indicates EtherHiding. Exploitation is confirmed by Microsoft’s observed campaign activity.

Impact: This campaign increases risk because it shifts ClickFix execution into Windows Terminal, which can appear more legitimate to users and may bypass detections built around Run dialog abuse. The resulting Lumma Stealer activity targets browser credential stores such as Web Data and Login Data, enabling theft of stored credentials and other browser artifacts. The observed follow-on behaviors also show potential for broader host compromise through persistence, defense evasion, system reconnaissance, and LOLBin abuse.

Recommendation: Hunt for suspicious wt.exe, PowerShell, cmd.exe, VBScript, MSBuild.exe, and renamed 7-Zip execution chains, especially where they originate from user-driven copy-and-paste activity or lead to files dropped in AppData\Local or %TEMP%. Review systems for unexpected scheduled tasks, unauthorized Microsoft Defender exclusions, outbound connections associated with crypto blockchain RPC endpoints, and signs of QueueUserAPC()-based injection into chrome.exe or msedge.exe.
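As an added hunting illustration (not code from Microsoft's report), the following walks constructed Sysmon-style process-creation records, rebuilds parent/child lineage, and flags the chain described above: script hosts descended from wt.exe, binaries whose OriginalFileName identifies 7-Zip but that run under another name, and executables launched from AppData\Local or Temp beneath a Windows Terminal ancestor. The record layout, paths and the 7-Zip OriginalFileName values are assumptions.

```python
import ntpath

# Constructed Sysmon Event ID 1 (ProcessCreate)-style records; every value is
# invented for this example. "orig" stands in for Sysmon's OriginalFileName.
EVENTS = [
    {"pid": 100, "ppid": 0,   "image": r"C:\Windows\explorer.exe", "orig": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\wt.exe", "orig": "wt.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "orig": "PowerShell.EXE"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\Temp\ab12.exe", "orig": "7z.exe"},
    # Benign noise: a VS Code integrated terminal and the real 7-Zip install.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft VS Code\Code.exe", "orig": "Code.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "orig": "PowerShell.EXE"},
    {"pid": 800, "ppid": 100, "image": r"C:\Program Files\7-Zip\7z.exe", "orig": "7z.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "msbuild.exe"}
TERMINAL_IMAGES = {"wt.exe", "windowsterminal.exe"}
SEVEN_ZIP_ORIGINALS = {"7z.exe", "7za.exe", "7zg.exe"}   # assumed OriginalFileName values
USER_WRITABLE = ("\\appdata\\local\\", "\\temp\\")

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def lineage(ppid: int, by_pid: dict) -> list:
    """Image basenames of every ancestor, nearest first; guards against pid loops."""
    chain, seen = [], set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(basename(by_pid[ppid]["image"]))
        ppid = by_pid[ppid]["ppid"]
    return chain

def hunt(events: list) -> list:
    """Return (pid, reason) findings for the ClickFix-via-Windows-Terminal pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, orig = basename(e["image"]), e.get("orig", "").lower()
        under_terminal = any(a in TERMINAL_IMAGES for a in lineage(e["ppid"], by_pid))
        if name in SCRIPT_HOSTS and under_terminal:
            findings.append((e["pid"], f"{name} descended from Windows Terminal"))
        if orig in SEVEN_ZIP_ORIGINALS and name != orig:
            findings.append((e["pid"], f"7-Zip ({orig}) running renamed as {name}"))
        if under_terminal and any(p in e["image"].lower() for p in USER_WRITABLE):
            findings.append((e["pid"], f"{name} launched from user-writable path under Terminal lineage"))
    return findings

if __name__ == "__main__":
    for pid, reason in hunt(EVENTS):
        print(pid, reason)
```

The VS Code child shell (pid 700) and the installed 7z.exe (pid 800) stay quiet, so the lineage check, not the image name alone, is what separates the campaign chain from ordinary Terminal use.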

Cognizant TriZetto Healthcare Portal Breach Exposes Health Data of 3.4 Million Patients

A report from March 6, 2026 states TriZetto Provider Solutions, a healthcare IT company operating under Cognizant since 2014, suffered a data breach affecting over 3.4 million individuals. The company detected suspicious activity on a web portal on October 2, 2025, but the investigation revealed unauthorized access had begun nearly a year earlier, on November 19, 2024. The breach targeted insurance eligibility verification transaction records used by health insurers and providers. Exposed data varies by individual and may include full names, physical addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers, provider names, health insurer names, and broader demographic and health information. Financial data such as payment card or bank account details were not compromised. Affected providers were notified December 9, 2025, with consumer notifications beginning in early February 2026. No ransomware group has claimed responsibility, and no data has surfaced on underground forums.

Impact: The exposure of Social Security numbers, Medicare identifiers, and health insurance details for 3.4 million individuals could lead to identity theft, insurance fraud, and medical identity fraud. Affected patients may face unauthorized use of their insurance benefits. The nearly 10-month delay between initial unauthorized access and detection raises concerns about the volume of data potentially harvested. The extended notification gap may also expose TriZetto to regulatory scrutiny under HIPAA.

Recommendation: Individuals who receive notification letters should enroll promptly in the free 12-month Kroll credit monitoring and identity protection services offered by TriZetto. Place a credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion) to prevent new accounts from being opened fraudulently. Monitor Explanation of Benefits statements from your insurer for unfamiliar claims or treatments. Be alert to phishing attempts that may exploit the exposed personal and health data. Healthcare organizations using TriZetto services should review access controls and audit logs on connected portals. Implement continuous anomaly detection on web-facing portals to reduce dwell time for unauthorized access. Ensure vendor contracts include breach notification timelines aligned with HIPAA requirements.

VOID#GEIST Multi-Stage Malware Campaign Delivers Three RATs via Phishing Emails

Securonix Threat Research disclosed on March 6, 2026 a multi-stage malware campaign dubbed VOID#GEIST that delivers three remote access trojans — XWorm, AsyncRAT, and Xeno RAT — through phishing emails carrying obfuscated batch scripts hosted on TryCloudflare domains. The campaign targets Windows endpoints and operates using a fileless execution approach, injecting encrypted shellcode directly into memory via Early Bird Asynchronous Procedure Call (APC) injection into explorer.exe instances, minimizing disk-based detection opportunities. The attack chain begins when a victim executes a phishing-delivered batch script, which displays a decoy financial document or invoice in full-screen Chrome as a distraction. Behind the scenes, it establishes user-level persistence by dropping an auxiliary batch script into the Windows Startup directory — requiring no privilege escalation and generating minimal security alerts. A legitimate Python runtime is then downloaded directly from python.org, creating a self-contained execution environment to decrypt and deploy all three RAT payloads. The infection concludes with an HTTP beacon to attacker-controlled C2 infrastructure hosted on TryCloudflare. Targets and confirmed compromises are not yet known.

Impact: Successful infection grants attackers remote access and control over compromised Windows systems through three concurrent RATs, which could lead to data exfiltration, credential theft, lateral movement, and persistent surveillance. The fileless, modular delivery method makes detection with traditional endpoint tools difficult. The use of legitimate infrastructure (TryCloudflare, python.org, Microsoft binaries) may allow the campaign to bypass network-level controls and firewall policies.

Recommendation: Block or alert on outbound connections to TryCloudflare tunnel domains at the network perimeter unless explicitly required for business operations. Configure endpoint detection rules to flag repeated process injection into explorer.exe within short time windows, as Securonix identifies this as a key behavioral indicator. Restrict execution of batch scripts and PowerShell with hidden window parameters via application control policies (e.g., AppLocker, Windows Defender Application Control). Disable or monitor the Windows Startup directory for unauthorized script placements. Train users to recognize phishing emails containing financial document lures. Enable script-block logging for PowerShell and audit AppInstallerPythonRedirector.exe usage. Deploy email filtering rules to quarantine messages containing .bat or .zip attachments from external senders.

🚩 Iranian APT Seedworm Deploys New Backdoors on U.S. Bank, Airport, and Software Company Networks

Symantec researchers identified Iranian APT group Seedworm conducting intrusion operations against multiple U.S. organizations beginning in early February 2026 and continuing through early March following U.S. and Israeli military strikes on Iran. Targeted entities include a U.S. bank, software company, airport, and non-governmental organizations in the U.S. and Canada. Seedworm, also tracked as MuddyWater, TEMP.Zagros, and Static Kitten, is assessed by CISA as a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). The group deployed a previously unknown backdoor named Dindoor leveraging the Deno runtime for JavaScript and TypeScript execution, signed with certificates issued to “Amy Cherne” and found on the networks of the software company’s Israeli outpost, the U.S. bank, and the Canadian non-profit. A separate Python backdoor called Fakeset was discovered on U.S. airport and non-profit networks, signed with certificates issued to “Amy Cherne” and “Donald Gay,” with the Donald Gay certificate previously used to sign the Seedworm-linked malware families Stagecomp and Darkcomp. Attackers attempted data exfiltration from the software company using Rclone to transfer backups to Wasabi cloud storage buckets, though the success of the operation remains unclear.

Impact: Seedworm’s presence on U.S. and Israeli networks prior to current regional hostilities positions the group for potential destructive operations beyond traditional espionage activities. The targeting of a defense and aerospace industry software supplier with Israeli operations provides potential access to supply chain relationships and sensitive project data across multiple sectors. The bank intrusion creates risks for financial data exfiltration and potential payment system disruption, while airport network access enables surveillance of transportation infrastructure. Iran has demonstrated capability for destructive cyberattacks including wiper malware deployment, with historical operations like Shamoon against Saudi Arabia’s oil industry and BibiWiper attacks against Israeli targets.

Recommendation: Organizations, particularly those in critical infrastructure and defense sectors, should heighten their security posture against Iranian state-sponsored threats. Search environments for the presence of Deno runtimes or unauthorized Python scripts, which may indicate Dindoor or Fakeset infections. Monitor for the unauthorized use of data exfiltration tools like Rclone, especially large outbound transfers to external cloud storage platforms like Wasabi or Backblaze. Organizations should maintain immutable backups. Block network connections to identified IOCs. Deploy monitoring for password spraying attempts across multiple user accounts from unusual geographic locations, particularly authentication failures outside normal working hours or from VPN infrastructure including NordVPN endpoints. Enable multi-factor authentication across all remote access, disable legacy authentication protocols, and implement conditional access policies based on location and device risk. Organizations should deploy web application firewalls with updated rule sets, enable DDoS protection via CDN or upstream filtering services, and monitor for spikes in HTTP requests from distributed IP ranges. Given Broadcom’s warning that Iranian actors may escalate to disruptive or destructive operations, organizations should also validate network segmentation, protect and isolate backups, test recovery procedures, and ensure monitoring is in place for shadow copy deletion, mass task creation, suspicious administrative command execution, and attempts to disable security tooling.

🚩 Cisco Talos Discovers China-Nexus APT UAT-9244 Targeting South American Telecoms with Novel Malware Implants

Cisco Talos disclosed details regarding UAT-9244, a high-confidence China-nexus advanced persistent threat group. The actor, closely associated with FamousSparrow and Tropic Trooper, has been actively targeting critical telecommunications infrastructure in South America since 2024. UAT-9244 compromises both Windows and Linux-based endpoints, as well as network edge devices, utilizing three newly identified malware implants: TernDoor, PeerTime, and BruteEntry. The primary Windows backdoor, TernDoor, is a variant of the previously known CrowDoor malware. It is deployed via a DLL side-loading technique where a benign executable loads a malicious loader to decrypt the final payload in memory. TernDoor utilizes a custom encrypted Windows driver to evade detection by suspending and terminating processes. On Linux and embedded architectures, the threat actor deploys PeerTime, a peer-to-peer backdoor that uses the BitTorrent protocol to receive command-and-control instructions and download payloads using BusyBox. Finally, UAT-9244 uses BruteEntry to compromise network edge devices and convert them into Operational Relay Boxes. These compromised nodes act as mass-scanning proxies that attempt to brute-force SSH, Postgres, and Tomcat servers.

Impact: The deployment of these highly specialized implants allows UAT-9244 to establish deep, resilient footholds across diverse operating environments within targeted telecommunication networks. By weaponizing network edge devices into Operational Relay Boxes, the threat actor obscures the true origin of their scanning and brute-forcing activities, complicating attribution and defense. The inclusion of encrypted drivers and peer-to-peer communication protocols significantly reduces the efficacy of traditional signature-based detection and network monitoring, exposing critical infrastructure to persistent espionage, unauthorized access, and potential disruption.

Recommendation: Ingest the provided indicators of compromise to block associated command-and-control IP addresses and domains. Monitor endpoints for anomalous dynamic-link library loading and investigate any unexpected creation of scheduled tasks or registry run keys used for persistence. Scrutinize edge devices for unauthorized SSH or database login attempts originating from unexpected IP addresses, which may indicate targeting by BruteEntry proxies. Furthermore, monitor or hunt for unconventional network traffic patterns, such as the unauthorized use of the BitTorrent protocol by internal Linux servers or embedded devices.

FreeScout Zero-Click RCE Vulnerability Exploits Zero-Width Character to Bypass Filename Validation

OX Security researchers discovered CVE-2026-28289, a zero-click unauthenticated remote code execution vulnerability in FreeScout help desk software, patched in version 1.8.207 on March 3, 2026. The vulnerability escalates a previously patched authenticated RCE (CVE-2026-27636) by bypassing filename validation through zero-width space character injection. Attackers can achieve code execution by sending a single crafted email to any address configured in FreeScout, requiring no authentication and no user interaction. The flaw affects all FreeScout versions up to and including 1.8.206, with researchers identifying over 1,100 publicly exposed instances via Shodan across public health institutions, technology providers, financial services platforms, and news organizations. FreeScout is an open-source help desk and shared mailbox application built on the PHP Laravel framework with over 4,000 GitHub stars, allowing organizations to manage customer support tickets without subscription fees. The original CVE-2026-27636 patch attempted to prevent dangerous file uploads by appending underscores to restricted file extensions or filenames beginning with periods, but researchers discovered this validation could be bypassed by prepending Unicode U+200B zero-width space characters to filenames.

Impact: The zero-width space bypass exploits FreeScout’s filename validation by prepending U+200B characters that are invisible during initial security checks, allowing malicious filenames to pass validation that blocks names starting with periods. During subsequent processing, the zero-width space character is stripped, causing files to be saved as true dotfiles despite passing earlier validation. Attackers leverage this bypass by sending malicious emails containing crafted attachments to any mailbox configured in FreeScout, with the server automatically processing incoming messages and writing payloads to predictable storage locations at /storage/attachment/ paths. Since attachment locations are deterministic based on email metadata, attackers can calculate exact file paths and access uploaded payloads through the FreeScout web interface, executing arbitrary commands remotely. The vulnerability enables full server takeover with complete system compromise, exfiltration of helpdesk tickets and mailbox content including sensitive support data, and lateral movement from compromised FreeScout hosts to other systems within the same network. The zero-click nature eliminates dependency on user actions, with exploitation succeeding automatically when FreeScout processes incoming email, making every configured mailbox an attack vector.

Recommendation: Upgrade FreeScout to version 1.8.207 or later; all releases up to and including 1.8.206 are affected by CVE-2026-28289, and the earlier CVE-2026-27636 fix alone does not close the issue. Because exploitation requires only that a crafted email reach a configured mailbox, treat any internet-reachable instance as exposed and review the /storage/attachment/ paths for unexpected dotfiles written while a vulnerable version was in use.
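To make the ordering defect concrete, here is an added illustration (not FreeScout's code) of the two rules the advisory attributes to the original patch, applied once in the weak order (validate the raw name, strip invisible characters afterwards) and once in the fixed order (normalize first, then validate the string that actually reaches disk). The restricted-extension list and the hunting helper are assumptions.

```python
import unicodedata

# Constructed for this example; the real FreeScout extension list is not reproduced.
RESTRICTED_EXTENSIONS = {"php", "phtml", "phar"}

def strip_format_chars(name: str) -> str:
    """Remove Unicode 'format' characters (general category Cf). This covers the
    U+200B ZERO WIDTH SPACE named in the advisory and its relatives (ZWNJ, ZWJ,
    WORD JOINER, BOM): they render as nothing but still count as the first
    character to a naive startswith('.') check."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")

def apply_rules(name: str) -> str:
    """The two rules described for the CVE-2026-27636 patch."""
    if name.startswith("."):
        name = "_" + name          # never write a dotfile
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in RESTRICTED_EXTENSIONS:
        name = name + "_"          # neuter executable extensions
    return name

def sanitize_weak(name: str) -> str:
    """Validate the raw string, then strip invisible characters: the defect
    class described for CVE-2026-28289. The check passes, the strip then
    turns the stored name into a real dotfile."""
    return strip_format_chars(apply_rules(name))

def sanitize_fixed(name: str) -> str:
    """Normalize first, then validate exactly the bytes that will hit disk."""
    return apply_rules(strip_format_chars(name))

def find_suspicious(stored_names: list) -> list:
    """Hunting helper for an attachment directory listing: a correct sanitizer
    can never produce a dotfile or leave format characters in a stored name,
    so either is worth a look."""
    return [n for n in stored_names
            if n.startswith(".") or any(unicodedata.category(c) == "Cf" for c in n)]

if __name__ == "__main__":
    crafted = "\u200b.htaccess"   # constructed: U+200B in front of a dotfile name
    print(repr(sanitize_weak(crafted)))    # '.htaccess'  -> check bypassed
    print(repr(sanitize_fixed(crafted)))   # '_.htaccess' -> neutralized
```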


About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.