Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Iranian APT Masks Espionage as Chaos Ransomware
A false-flag campaign used Chaos ransomware branding to support covert espionage and data exfiltration, with the activity assessed to align with MuddyWater-linked tradecraft. Attackers relied on social engineering over collaboration tools to harvest credentials, bypass MFA, and deploy a custom RAT while avoiding encryption.
The operation began with interactions over Microsoft Teams, including live screen-sharing to capture credentials and manipulate multifactor authentication. A downloader retrieved a trojanized WebView2-based RAT (Game.exe) that established C&C, executed commands, and transferred files. Lateral movement and persistence were achieved via RDP and legitimate remote access tools such as DWAgent and AnyDesk, enabling long-term access and staged exfiltration.
No file encryption was observed; the actors emphasized stealth, credential compromise, and sustained access while leveraging criminal ransomware branding to delay detection and attribution. Historical connections to related infrastructure, code-signing artifacts, and hosts showing unusual remote-access or authentication changes are relevant indicators when assessing potential compromise.
Lorem Ipsum Malware Uses SEO Poisoning and Trojanized Teams
A newly identified threat group has been conducting a large-scale SEO-poisoning campaign that distributes trojanized Microsoft Teams installers to deploy a multi-stage malware framework. The operation targets users searching for Teams installers across multiple countries. The campaign demonstrates a higher level of operational maturity than typical commodity malware operations, leveraging verified code-signing certificates, rapidly rotating infrastructure and sustained search engine manipulation to position malicious download sites above legitimate software sources.
The infection chain begins with attacker-controlled websites masquerading as legitimate Microsoft Teams download portals, directing victims to a single installer that is digitally signed to appear trustworthy. Once executed, the installer deploys both a legitimate Teams application and a hidden PowerShell-based loader, allowing malicious activity to proceed while the real application acts as a distraction. The loader decrypts AES-encrypted payloads using externally supplied keys, progressively unpacking additional stages directly into memory through reflective loading techniques. Persistence is established via Windows registry Run keys, while command-and-control infrastructure is concealed through abuse of legitimate third-party platforms used as dead-drop resolvers containing encoded C2 information. Communication with attacker infrastructure occurs through image-based payload exchange with commands and responses encapsulated within seemingly benign image files to evade detection. Over a short period, the campaign evolved from lightly obfuscated payloads into a sophisticated multi-stage framework incorporating substitution ciphers, XOR-encrypted shellcode, DLL sideloading, and victim-specific C2 callbacks, reflecting a rapidly advancing malware development cycle.
Salat Stealer Expands RAT Capabilities with TON-Based C2 Fallback and Advanced Credential Theft
Researchers have analyzed a sophisticated Go-based Remote Access Trojan (RAT) dubbed Salat Stealer, which combines advanced credential theft, remote access functionality, and resilient command-and-control (C2) infrastructure. The malware operates as a full post-exploitation framework rather than a traditional infostealer, supporting remote shell access, keylogging, screenshot capture, webcam streaming, SOCKS5 proxying, clipboard theft, and browser and token harvesting. The malware also implements multiple runtime modes, allowing operators to deploy it selectively for keylogging, command execution, or full RAT activity.
Salat Stealer uses layered encryption and obfuscation techniques, including a six-mode string obfuscation mechanism and victim-specific key derivation based on hardware and hostname information. The malware attempts privilege escalation, establishes persistence through scheduled tasks, registry Run keys, and hidden file copies, and continuously communicates with its infrastructure using WebSocket, QUIC, or HTTP/2 transports. If hardcoded C2 servers become unavailable, the malware can retrieve replacement infrastructure through the TON blockchain, significantly improving operational resilience and complicating takedown efforts.
The malware is capable of harvesting extensive system and user data, including browser credentials, Discord and Steam tokens, screenshots, process lists, and cryptocurrency wallet information. Operators can remotely execute commands, download additional payloads, deploy SOCKS tunnels, and maintain long-term access to compromised hosts. Persistence mechanisms include scheduled tasks configured to execute at user logon and every 30 minutes, as well as registry-based autoruns using masqueraded filenames such as svchost.exe, lsass.exe, and explorer.exe.
Dirty Frag Linux Vulnerabilities Expand Post-Compromise Privilege Escalation Risk
A newly disclosed set of Linux local privilege escalation vulnerabilities, collectively referred to as "Dirty Frag," is being actively monitored following reports of limited in-the-wild exploitation activity. The vulnerabilities, tracked as CVE-2026-43284 and CVE-2026-43500, affect Linux kernel networking and memory-fragment handling components, including esp4, esp6, and rxrpc. Attackers with local access can exploit the flaws to escalate privileges to root, enabling full control over affected systems.
Unlike traditional Linux privilege escalation exploits that often rely on unstable race conditions, Dirty Frag introduces multiple kernel attack paths designed to improve exploitation reliability across enterprise environments. The vulnerabilities can be leveraged after initial compromise through SSH access, web shells, container escapes, compromised service accounts, or phishing-related intrusions. Successful exploitation allows attackers to disable security tools, access sensitive credentials, tamper with logs, and move laterally within the environment.
Observed attack activity includes SSH-based access followed by execution of ELF binaries that rapidly escalate privileges using su, after which attackers perform reconnaissance, modify authentication-related files, and interact with sensitive session data. The vulnerabilities affect multiple Linux distributions and containerized environments, including Ubuntu, RHEL, Fedora, AlmaLinux, openSUSE, and OpenShift deployments.
Apache HTTP Server Vulnerability Enabling DoS and Potential RCE
Apache released HTTP Server version 2.4.67 to address CVE-2026-23918 (CVSS Score 8.8), a critical double-free vulnerability in the HTTP/2 handler. The flaw enables Denial-of-Service (DoS) attacks with an extremely low barrier to entry, and on systems using the APR mmap allocator (such as Debian distributions and official Docker images) it also opens a path to Remote Code Execution (RCE).
The vulnerability is triggered when a client sends a HEADERS frame immediately followed by an RST_STREAM frame with a non-zero error code. Because both the request-handling and the reset-reception code paths flag the stream for disposal, the same stream pointer is inserted twice into the cleanup array, which should hold only unique references. During pool destruction, the first cleanup call frees the allocated memory, and a second call then operates on that same released address, triggering the double-free. The resulting heap corruption is sufficient to crash the worker process and cause a temporary denial of service.
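A constructed C model of the cleanup-array duplication described above (an added example, not Apache's code): the unchecked append queues the same stream pointer twice and disposal runs on it twice, while the hardened append rejects the duplicate. Disposal is counted rather than calling free(), so the condition is observable without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_CLEANUP 16

/* Constructed stand-in for a stream; dispose_calls counts how often
 * disposal ran on it, so a double disposal is visible without UB. */
typedef struct { int dispose_calls; } stream_t;

/* Per-connection cleanup array: streams to dispose when the pool is
 * destroyed. Correct only if every pointer appears once. */
typedef struct { stream_t *items[MAX_CLEANUP]; size_t count; } cleanup_list_t;

/* Unchecked append: models two code paths (request handling and
 * RST_STREAM reception) that each flag the same stream. */
int cleanup_add_unchecked(cleanup_list_t *l, stream_t *s) {
    if (l->count >= MAX_CLEANUP) return -1;
    l->items[l->count++] = s;
    return 0;
}

/* Hardened append: ignore a pointer that is already queued. */
int cleanup_add_unique(cleanup_list_t *l, stream_t *s) {
    for (size_t i = 0; i < l->count; i++)
        if (l->items[i] == s) return 1;   /* already scheduled */
    return cleanup_add_unchecked(l, s);
}

/* Simulated pool destruction. Returns the number of streams disposed
 * more than once; with a real free() that second call is the double-free. */
int cleanup_run(cleanup_list_t *l) {
    int double_disposed = 0;
    for (size_t i = 0; i < l->count; i++)
        if (++l->items[i]->dispose_calls == 2) double_disposed++;
    return double_disposed;
}

/* Replay the trigger: HEADERS schedules the stream for cleanup, then
 * RST_STREAM with a non-zero error code schedules it again. */
int replay_headers_then_rst(bool hardened) {
    cleanup_list_t list;
    stream_t s1 = {0};
    int (*add)(cleanup_list_t *, stream_t *) =
        hardened ? cleanup_add_unique : cleanup_add_unchecked;
    memset(&list, 0, sizeof list);
    add(&list, &s1);   /* request-handling path */
    add(&list, &s1);   /* reset-reception path */
    return cleanup_run(&list);   /* 1 unchecked, 0 hardened */
}
```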
The path from DoS to RCE hinges on the Apache scoreboard, a data structure tracking worker status that sits at a fixed memory address for the entire lifetime of the server process. The combination of the mmap allocator and this predictable address made a laboratory RCE feasible, though whether this exploit chain is viable outside of controlled environments remains unconfirmed.
Quasar Linux RAT Targets DevOps and Supply Chain Environments
A newly identified Linux remote access trojan known as Quasar Linux (QLNX) has emerged as a highly capable threat targeting developer workstations and DevOps environments. The malware combines remote access functionality with credential harvesting, persistence, keylogging, and stealth techniques, specifically focusing on software supply chain compromise. By targeting package maintainers and developer endpoints, QLNX enables attackers to gain access to publishing pipelines, inject malicious code into software packages, compromise build systems, and pivot into cloud infrastructure where production assets and sensitive credentials are stored.
Once executed, the malware copies itself into an in-memory file, relaunches from memory, and removes the original binary from disk to eliminate forensic artifacts. It disguises itself by spoofing legitimate kernel thread names across multiple process metadata fields, ensuring consistency across monitoring and inspection tools. QLNX supports multiple persistence methods at both user and system levels, including systemd services, cron reboot entries, init scripts, shell profile modification, desktop autostart entries, and dynamic linker preload injection. It also embeds two separate backdoor components as C source code, compiling them locally on the victim system to ensure compatibility with the host architecture and installed libraries. Beyond persistence, the malware harvests SSH keys, browser credentials, cloud provider configurations, container orchestration files, package registry tokens, and source control authentication data. A userspace rootkit hides associated processes and files by intercepting standard library calls, while a peer-to-peer mesh capability allows infected hosts to operate as a resilient distributed network. Together, these capabilities make QLNX a stealthy and persistent threat optimized for long-term access within modern development and cloud-centric environments.
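A constructed C check for two of the traits described above, running from an in-memory file and borrowing kernel-thread names (an added example, not the researchers' code or QLNX itself): it classifies each /proc entry by its exe link and comm name. The kernel-thread name prefixes and the flag values are assumptions chosen for illustration.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SUSP_MEMFD_EXE    1  /* executable image is an anonymous memfd */
#define SUSP_FAKE_KTHREAD 2  /* kernel-thread-style name with a userspace image */

/* Classify one process from its /proc metadata. The comm field can be
 * rewritten by the process itself, but the exe link reflects the image
 * actually executed: a genuine kernel thread has no exe link at all
 * (exe_target is empty), and an in-memory image shows up as "/memfd:...". */
int classify_process(const char *exe_target, const char *comm) {
    int flags = 0;
    int has_image = exe_target[0] != '\0';
    if (strncmp(exe_target, "/memfd:", 7) == 0)
        flags |= SUSP_MEMFD_EXE;
    if (has_image && (strncmp(comm, "kworker", 7) == 0 ||
                      strncmp(comm, "ksoftirqd", 9) == 0 ||
                      strncmp(comm, "kthreadd", 8) == 0 ||
                      strncmp(comm, "rcu_", 4) == 0))
        flags |= SUSP_FAKE_KTHREAD;
    return flags;
}

/* Walk /proc, print every process that trips a heuristic and return the
 * count (-1 if /proc cannot be opened). Needs root to read other users' exe links. */
int scan_proc(void) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    int flagged = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char path[64], exe[256] = "", comm[32] = "";
        FILE *f; ssize_t n;
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;  /* not a PID */
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        n = readlink(path, exe, sizeof exe - 1);
        if (n > 0) exe[n] = '\0';
        snprintf(path, sizeof path, "/proc/%s/comm", e->d_name);
        if ((f = fopen(path, "r")) != NULL) {
            if (fgets(comm, sizeof comm, f)) comm[strcspn(comm, "\n")] = '\0';
            fclose(f);
        }
        int flags = classify_process(exe, comm);
        if (flags) { flagged++; printf("pid %s comm=%s exe=%s flags=%d\n", e->d_name, comm, exe, flags); }
    }
    closedir(d);
    return flagged;
}
```

A matching exe link and comm name is not proof of compromise on its own; the userspace rootkit described above can hide entries from a scan that relies on libc calls, so run it from a statically linked binary or compare against a trusted view of the host.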