MTI A.I CyberSecurity Scoring
MTI
Company Information
Website: https://aka.ms/threatintelblog
Employees number: None
Number of followers: 93,734
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: aka.ms
MTI Risk Score (AI oriented)
Between 0 and 549
MTI, Computer and Network Security
Updated: 25/05/2026
475/1000
Critical
C
MTI Global Score (TPRM)
MTI, Computer and Network Security
Score locked
MTI: Critical
Current Score
475C (CRITICAL)
14 incidents
-26 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
480
MAY 2026
494
Cyber Attack
25 May 2026 • MTI
Microsoft: Hackers Abuse Azure RBAC Permissions To Steal Key Vault Secrets
Microsoft Uncovers Storm-0249’s Cloud-Based Data Exfiltration Attack Targeting Azure and Microsoft 365
475
CRITICAL-19
MIC1779704661
Microsoft Threat Intelligence has exposed a sophisticated cyberattack by the threat actor Storm-0249, which leveraged legitimate cloud tools and Azure role-based access control (RBAC) to exfiltrate sensitive data from Microsoft 365 and Azure environments.
The attack began with highly targeted social engineering against IT personnel and senior leadership, exploiting Microsoft’s Self-Service Password Reset (SSPR) feature. Attackers impersonated IT support, tricking victims into approving fraudulent multifactor authentication (MFA) prompts, allowing them to reset passwords and register their own devices for persistent access.
Once inside, Storm-0249 used custom Python scripts and Microsoft Graph API to enumerate users, roles, and applications, stealing sensitive documents including VPN configurations from OneDrive and SharePoint. This initial breach served as a foothold to map the organization’s broader infrastructure.
Exploiting privileged Azure RBAC roles, the attackers pivoted to Azure, initially targeting auxiliary Azure App Service web apps to retrieve publishing profiles. When this failed to grant access to the primary production app, they shifted tactics, compromising the Azure Key Vault in just four minutes. They extracted database connection strings and credentials, enabling authentication into the production environment.
The attack escalated as Storm-0249 modified Azure SQL firewall rules and Azure Storage network configurations, enabling public access from attacker-controlled IPs (176.123.4.44, 91.208.197.87). Using shared access signature (SAS) tokens and Python scripts, they siphoned large volumes of data. Additionally, they abused Azure VM extensions (Run Command, VMAccess) to create backdoor admin accounts, disable Microsoft Defender Antivirus, and deploy ScreenConnect (hosted at 185.241.208.243) to harvest credentials and certificate files.
The incident highlights the growing threat of cloud-native attacks that exploit legitimate tools and misconfigured permissions to bypass traditional security measures.
MAY 2026
512
Cyber Attack
18 May 2026 • MTI
Microsoft: How Storm-2949 turned a compromised identity into a cloud-wide breach
Microsoft Uncovers Sophisticated Cloud-Based Data Exfiltration Campaign by Storm-2949
493
CRITICAL-19
MIC1779164698
Microsoft Threat Intelligence recently exposed a highly coordinated cyberattack by the threat actor Storm-2949, targeting a single organization’s cloud infrastructure to exfiltrate sensitive data. The campaign, which spanned Microsoft 365 applications, Azure-hosted production environments, and file-hosting services, demonstrated a shift in attacker tactics prioritizing identity compromise and control-plane access over traditional malware-based methods.
### Attack Overview
Storm-2949 executed a two-phase assault, beginning with targeted identity compromise and escalating into a full-scale cloud infrastructure breach. The threat actor exploited legitimate Azure management features, blending malicious activity with expected administrative behavior to evade detection.
#### Phase 1: Identity Compromise via Social Engineering & SSPR Abuse
- Initial Access: Storm-2949 used social engineering to manipulate Microsoft’s Self-Service Password Reset (SSPR) process, tricking users, including IT personnel and senior leadership, into approving fraudulent MFA prompts.
- Persistence: After gaining access, the attacker removed existing MFA methods, enrolled their own device for Microsoft Authenticator, and locked out legitimate users.
- Discovery: Using Microsoft Graph API, the threat actor ran automated queries to enumerate users, applications, and privileged identities, identifying high-value targets.
#### Phase 2: Cloud Infrastructure Compromise & Data Exfiltration
- Microsoft 365 Exfiltration: Storm-2949 accessed OneDrive and SharePoint, downloading thousands of files including VPN configurations and remote access documents to facilitate lateral movement.
- Azure App Service & Key Vault Breach:
- The attacker exploited Azure RBAC permissions to retrieve publishing profiles from auxiliary web apps, gaining credentials for FTP, Web Deploy, and Kudu consoles.
- After failing to access the primary production app, they pivoted to Azure Key Vault, extracting database connection strings, credentials, and secrets, ultimately compromising the target web app.
- Azure Storage & SQL Data Theft:
- Storm-2949 manipulated firewall rules to access Azure SQL databases and storage accounts, using SAS tokens and account keys to exfiltrate large volumes of data via custom Python scripts.
- Virtual Machine (VM) Compromise:
- The attacker deployed VMAccess extensions to create backdoor admin accounts and used Run Command to execute scripts, attempting token theft and credential harvesting.
- ScreenConnect was installed for remote access, with efforts to disable Microsoft Defender protections and obscure forensic traces.
### Impact & Key Observations
- No Traditional Malware: Storm-2949 relied on legitimate cloud features, making detection harder by mimicking normal administrative activity.
- Identity-Centric Attack: The campaign underscored how compromised cloud identities can enable lateral movement and data exfiltration with minimal indicators of compromise.
- Defense Evasion: The threat actor cleared logs, manipulated configurations, and used RMM tools to maintain persistence while avoiding detection.
Microsoft’s Defender suite generated cross-domain alerts, correlating activity across endpoints, identities, and cloud environments to provide a unified view of the attack. The incident highlights the growing trend of cloud-focused threats, where attackers exploit misconfigured permissions, weak identity controls, and legitimate administrative tools to achieve their objectives.
(Indicators of compromise, including attacker IPs and ScreenConnect instances, were identified but not exhaustive.)
APRIL 2026
525
Cyber Attack
22 Apr 2026 • MTI
Microsoft: Hackers Leverage Microsoft Teams to Breach Organizations Posing as IT Helpdesk Staff
UNC6692 Threat Group Exploits Microsoft Teams in Sophisticated Cloud-Based Intrusion Campaign
506
CRITICAL-19
MIC1777004961
A newly uncovered threat group, UNC6692, has been executing a multistage intrusion campaign targeting enterprise networks without exploiting a single software vulnerability. Instead, the attackers leverage Microsoft Teams impersonation, custom malware, and cloud infrastructure abuse to gain deep access, as revealed by Google Threat Intelligence Group (GTIG) and Mandiant in an April 22, 2026 disclosure.
### Attack Timeline & Tactics
In late December 2025, UNC6692 launched a mass email bombing campaign to overwhelm victims, creating urgency and distraction. Exploiting this chaos, the group sent phishing messages via Microsoft Teams, posing as IT helpdesk staff offering assistance. The attack abused legitimate external collaboration features in Teams, bypassing technical exploits by convincing users to override security warnings.
### Infection Chain: From Teams Chat to Full Compromise
1. Initial Contact – Victims accepted a Teams chat from an external account, believing it to be IT support.
2. Phishing Link – The attacker directed victims to a fake "Mailbox Repair and Sync Utility" hosted on an AWS S3 bucket, masquerading as a legitimate tool.
3. Multi-Phase Exploitation:
- Environment Gating – A script forced victims onto Microsoft Edge for optimal exploitation.
- Credential Harvesting – A fake "Health Check" prompted users to re-enter passwords, ensuring accurate capture before exfiltration.
- Distraction Sequence – A fake progress bar masked real-time data theft.
- Malware Staging – An AutoHotkey binary and script installed SNOWBELT, a malicious Chromium extension disguised as "MS Heartbeat".
### The SNOW Malware Ecosystem
UNC6692’s modular malware suite consists of three components:
- SNOWBELT (JavaScript extension) – Establishes persistence, intercepts commands, and uses DGA-based S3 URLs for C2.
- SNOWGLAZE (Python WebSocket tunneler) – Routes traffic via a SOCKS proxy to a Heroku C2 server, blending malicious traffic with legitimate encrypted web traffic.
- SNOWBASIN (Python HTTP server) – Executes shell commands, captures screenshots, and exfiltrates files.
Persistence was maintained via Windows Startup shortcuts, scheduled tasks, and a headless Edge process loading the extension.
### Post-Exploitation & Data Theft
After gaining access, UNC6692:
- Scanned networks for open ports (135, 445, 3389).
- Used PsExec to move laterally, dumping LSASS memory via Task Manager to extract password hashes.
- Employed Pass-the-Hash to authenticate to domain controllers without plaintext passwords.
- Extracted Active Directory databases (NTDS.dit), SAM, SYSTEM, and SECURITY hives using FTK Imager, exfiltrating them via LimeWire.
### Cloud Abuse & Evasion Tactics
A defining feature of this campaign is its "living off the cloud" strategy, using AWS S3, Heroku, and other trusted platforms for:
- Payload delivery
- Credential exfiltration
- Command-and-control (C2) infrastructure
This approach blends malicious traffic with legitimate cloud traffic, evading domain reputation filters and IP-based blocklists.
### Indicators of Compromise (IOCs)
- Phishing URL Pattern: `https://service-page-[ID]-outlook.s3.us-west-2.amazonaws.com/update.html?email=`
- C2 Server: `wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws`
- SNOWBELT C2 URL Pattern: `https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com`
- Masquerading Files: `RegSrvc.exe` (AutoHotKey), `Protected.ahk`, `SysEvents` (SNOWBELT extension directory).
The campaign underscores how employee trust in enterprise tools, rather than technical vulnerabilities, can be the weakest link in cybersecurity. Organizations are advised to monitor Teams external access, browser extensions, and cloud egress traffic to detect similar threats.
APRIL 2026
526
Vulnerability
07 Apr 2026 • MTI
TP-Link: Russian APT28 Hackers Hijack Routers to Steal Credentials
Russian APT28 Exploits Vulnerable Routers in Large-Scale Credential Theft Campaign
522
CRITICAL-4
TP-1775579951
The UK’s National Cyber Security Centre (NCSC) has issued a warning about two ongoing cyberespionage campaigns by the Russian hacking group APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy), which is linked to Russia’s GRU military intelligence unit. Since early 2024, APT28 has been hijacking vulnerable internet routers, particularly TP-Link models, to redirect traffic through attacker-controlled servers and steal credentials from targeted organizations.
### How the Attack Works
APT28 has repurposed virtual private servers (VPS) as malicious DNS servers, intercepting high volumes of DNS requests from compromised routers. The group employs an opportunistic approach, initially casting a wide net to identify potential victims before narrowing down targets of intelligence value.
In one campaign, APT28 exploited CVE-2023-50224, a vulnerability in TP-Link WR841N routers that allows unauthenticated attackers to extract credentials via crafted HTTP requests. By altering the DHCP DNS settings on these routers, the group forced downstream devices (such as laptops and phones) to resolve requests through their malicious servers. This enabled adversary-in-the-middle (AitM) attacks, allowing APT28 to harvest passwords, OAuth tokens, and other credentials from web and email services.
Microsoft Threat Intelligence further reported that APT28 and its sub-group Storm-2754 have been compromising SOHO routers since at least August 2023, expanding their infrastructure to facilitate these attacks.
### Impact and Attribution
The NCSC assesses that APT28’s operations are highly targeted, focusing on entities of strategic interest to Russian intelligence. While the initial router compromises appear broad, the group refines its focus at later stages to prioritize high-value victims. The stolen credentials could enable further unauthorized access, though the exact scope of follow-on attacks remains unclear.
This campaign underscores the persistent threat posed by state-backed cyber actors leveraging common vulnerabilities in consumer-grade networking devices to conduct large-scale espionage.
APRIL 2026
531
Vulnerability
06 Apr 2026 • MTI
PaperCut, Microsoft, VMware and Ivanti: Microsoft links Medusa ransomware affiliate to zero-day attacks
Storm-1175: China-Based Cybercrime Group Exploits Zero-Days in High-Speed Ransomware Attacks
522
CRITICAL-9
VMWMICPAPIVA1775500095
Microsoft has identified Storm-1175, a financially motivated cybercriminal group based in China, as the force behind a series of high-velocity ransomware attacks leveraging zero-day and n-day exploits. The group, known for deploying Medusa ransomware, rapidly weaponizes newly disclosed vulnerabilities, sometimes within 24 hours of discovery and, in some cases, a week before patches are released.
Storm-1175’s attacks follow a streamlined playbook: initial access via unpatched flaws, followed by credential theft, security tool disablement, and ransomware deployment, often within days. The group has targeted organizations in healthcare, education, professional services, and finance, with significant impacts in the U.S., U.K., and Australia.
Recent campaigns have exploited over 16 vulnerabilities across 10 software products, including:
- Microsoft Exchange (CVE-2023-21529)
- PaperCut (CVE-2023-27351, CVE-2023-27350)
- Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
- JetBrains TeamCity (CVE-2024-27198, CVE-2024-27199)
- SmarterMail (CVE-2026-23760, CVE-2025-52691)
- GoAnywhere MFT (CVE-2025-10035)
In October 2024, Microsoft reported Storm-1175 exploiting CVE-2025-10035 (GoAnywhere MFT) before a patch was available. The group has also chained exploits to create persistence, deploy remote monitoring tools, and exfiltrate data before encrypting systems.
A March 2025 advisory from CISA, the FBI, and MS-ISAC warned that Medusa ransomware attacks had compromised over 300 U.S. critical infrastructure organizations. Microsoft previously linked Storm-1175 to Black Basta and Akira ransomware campaigns exploiting a VMware ESXi flaw in July 2024.
The group’s rapid exploitation of zero-days suggests either advanced in-house capabilities or access to exploit brokers, though many attacks still rely on known (n-day) vulnerabilities. Their tactics highlight the growing threat of high-speed, financially driven cybercrime operations.
MARCH 2026
548
Cyber Attack
27 Mar 2026 • MTI
Stryker and U.S. Justice Department: FBI director emails breached by Iran-linked hackers — what happened and how to protect yourself
Iranian-Backed Hackers Breach FBI Director’s Personal Email, Leak Private Photos
529
CRITICAL-19
CRISTR1774636436
On March 27, 2026, the Iranian-linked hacktivist group Handala Hack Team claimed responsibility for accessing the personal emails of FBI Director Kash Patel, publishing alleged photos and documents as proof. The leaked images dated between 2010 and 2019 depict Patel in personal settings, including vacations and social gatherings. The U.S. Justice Department confirmed the breach, verifying the authenticity of the materials.
Handala framed the attack as retaliation for the ongoing U.S.-Iran conflict and the FBI’s $10 million bounty for information on its members. The group boasted of bypassing the FBI’s security systems, though officials clarified that only Patel’s personal Gmail account, not government systems, was compromised. The incident highlights persistent risks tied to officials using personal emails for professional matters.
### About Handala Hack Team
Active since 2023 and linked to Iran’s Ministry of Intelligence and Security, Handala specializes in disruptive cyberattacks, often targeting Israeli and Western entities. The group has previously breached Lockheed Martin and executed a 200,000-user data wipe at medical tech firm Stryker, leveraging malware designed to delete or expose sensitive data.
The breach underscores vulnerabilities in personal email security, even among high-profile officials.
FEBRUARY 2026
668
Ransomware
27 Feb 2026 • MTI
Microsoft and BlackFog: Double whammy: Steaelite RAT bundles data theft, ransomware
Emergence of Steaelite RAT for Double Extortion Attacks
543
CRITICAL-125
MICBLA1772238300
New "Steaelite" RAT Emerges as a Potent Threat for Double Extortion Attacks
In November 2025, cybersecurity researchers at BlackFog uncovered Steaelite, a sophisticated remote access trojan (RAT) being sold on cybercrime forums. Marketed as "fully undetectable" and the "best Windows RAT," the malware targets Windows 10 and 11 systems, with an Android module reportedly in development.
Steaelite operates via a browser-based dashboard, automating data theft the moment a victim connects, even before an attacker interacts with the system. It harvests browser-stored passwords, session cookies, and application tokens immediately upon infection. The tool’s interface includes three main sections:
- Primary Toolbar: Enables remote code execution, file management, live surveillance (webcam/microphone access), process manipulation, clipboard monitoring, password recovery, and DDoS attacks, among other functions.
- Advanced Tools: Provides ransomware deployment, hidden RDP access, Windows Defender disabling, and persistence mechanisms.
- Developer Tools: Adds keylogging, client-to-victim chat, USB spreading, cryptocurrency wallet hijacking (via clipboard manipulation), and tools to remove competing malware.
A standout feature is its clipper module, which silently replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled ones, enabling theft without the victim’s knowledge. The malware also streamlines double extortion attacks by combining data theft and ransomware deployment in a single interface, eliminating the need for separate tools or coordination between cybercriminal groups.
Steaelite’s active promotion across forums (with 87 messages at the time of reporting) and a YouTube demonstration video suggests aggressive marketing to expand its buyer base. Once the Android version launches, a single license could compromise both corporate Windows machines and employee mobile devices, amplifying its threat potential. The tool’s automation and integrated capabilities lower the barrier for attackers, making it a significant risk for organizations.
FEBRUARY 2026
686
Cyber Attack
06 Feb 2026 • MTI
Microsoft: New Wave of Odyssey Stealer Targets macOS Users in Active Cyberattack Campaign
Odyssey Stealer Surges in Global macOS Campaign, Expands Beyond Initial Target Regions
667
CRITICAL-19
MIC1770366975
A sharp rise in Odyssey Stealer activity is targeting macOS users worldwide, with recent telemetry revealing a rapid geographic expansion of the malware campaign. Initially detected in the U.S., France, and Spain, the threat has now spread to the U.K., Germany, Italy, Canada, Brazil, India, and multiple countries across Africa and Asia. Notably, the campaign avoids victims in CIS nations, a pattern often linked to Russian-aligned cybercriminal groups.
Odyssey Stealer emerged as a rebranded evolution of Poseidon Stealer, which itself originated from the AMOS Stealer. After the sale of Poseidon in fall 2024, its developer, known as "Rodrigo4", relaunched the operation under the Odyssey name, introducing enhanced evasion and persistence mechanisms.
### Distribution & Infection Tactics
Threat actors deploy Odyssey Stealer through social engineering, primarily via fake CAPTCHA verification pages using the "ClickFix" technique. Victims encounter these pages on compromised websites impersonating legitimate software downloads, such as Microsoft Teams, Homebrew, or Ledger Live. The malware checks the victim’s OS before delivering malicious instructions.
Once executed, the stealer harvests a wide range of sensitive data, including:
- Cryptocurrency wallets (Tron, Electrum, Binance)
- Browser credentials, cookies, and autofill data (Chrome, Firefox, Safari)
- Over 100 browser extensions
- macOS Keychain passwords
- Payment information, browsing history, and files from Desktop and Documents folders (targeting `.txt`, `.pdf`, `.docx`, `.jpg`, `.png`, `.rtf`, and `.kdbx` files)
### Persistence & Exfiltration
Odyssey Stealer establishes persistence via LaunchDaemons with randomly generated names (e.g., `com.{random}.plist`), ensuring survival across reboots. The attack tricks users into copying and executing base64-encoded terminal commands, which decode and run malicious AppleScript to install the stealer without traditional binary drops.
Advanced variants include a SwiftUI-based "Technician Panel", using social engineering to prompt users for passwords under the guise of tech support.
Stolen data is compressed into an "out.zip" file in a temporary directory and exfiltrated to command-and-control (C2) servers via curl POST requests. If the initial upload fails, the malware retries up to 10 times with 60-second delays, ensuring data delivery even if connections are blocked. After exfiltration, the script deletes temporary files to hinder forensic analysis.
### Attacker Infrastructure & Capabilities
The Odyssey operation features a sophisticated control panel, allowing threat actors to:
- Monitor infected devices (IP addresses, online status)
- Store stolen passwords, cookies, and cryptocurrency wallets in organized logs
- Generate custom malware versions via a builder function
Some C2 infrastructure has been identified, including the IP 45.46.130[.]131, which hosts the Odyssey Stealer login panel for attackers to access harvested data.
JANUARY 2026
706
Cyber Attack
01 Jan 2026 • MTI
Facebook, Crypto.com and Microsoft: New 'Storm' Infostealer Remotely Decrypts Stolen Credentials
New Storm Infostealer Emerges as a Stealthy Threat to Browser and Crypto Security
684
CRITICAL-22
METMICCRY1775140151
Security researchers at Varonis have identified Storm, a sophisticated infostealer malware that harvests browser credentials, session cookies, and cryptocurrency wallets before exfiltrating encrypted data to attacker-controlled servers. First observed on underground cybercrime forums in early 2026, Storm represents an evolution in credential theft tactics, bypassing traditional detection methods.
Unlike earlier infostealers that decrypted data locally, which made them vulnerable to endpoint security tools, Storm avoids detection by transmitting encrypted files to remote infrastructure for decryption. This approach circumvents protections like Google’s App-Bound Encryption (introduced in Chrome 127 in July 2024), which previously forced attackers to rely on detectable methods such as Chrome injection or debugging protocol abuse.
Storm targets both Chromium-based (Chrome, Edge) and Gecko-based browsers (Firefox, Waterfox, Pale Moon), extracting saved passwords, session cookies, autofill data, Google account tokens, credit card details, and browsing history. It also captures system information, screenshots, and session data from messaging apps like Telegram, Signal, and Discord, while targeting crypto wallets via browser extensions and desktop applications. All operations run in memory to minimize forensic traces.
A key feature of Storm is its automation: rather than requiring manual replay of stolen logs, it uses Google Refresh Tokens and geographically matched SOCKS5 proxies to silently restore authenticated sessions, granting attackers access to SaaS platforms, internal tools, and cloud environments without triggering password-based alerts.
Available for under $1,000 per month, Storm has already compromised victims across multiple countries, including Brazil, Ecuador, India, Indonesia, the U.S., and Vietnam. Varonis identified 1,715 entries in attacker panels, though some may include test data. The stolen credentials span high-value platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, and Crypto.com, data commonly sold on credential marketplaces for account takeovers, fraud, and further cyber intrusions.
DECEMBER 2025
711
Vulnerability
25 Dec 2025 • MTI
Microsoft: Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
Chinese-Linked Hacking Group Targets Azerbaijani Oil & Gas Firm in Multi-Wave Cyber Espionage Campaign
706
CRITICAL-5
MIC1778682934
A cyber espionage campaign attributed to the China-affiliated threat group FamousSparrow (also tracked as UAT-9244) targeted an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of the group’s operational focus. The intrusion, analyzed by Bitdefender, involved three distinct waves of attacks, each deploying different backdoors while exploiting the same unpatched Microsoft Exchange Server vulnerability via the ProxyNotShell exploit chain.
The campaign leveraged two primary malware families: Deed RAT (a successor to ShadowPad, widely used by Chinese espionage groups) and TernDoor, a backdoor previously observed in attacks on South American telecommunications infrastructure since 2024. Despite the victim’s remediation attempts, the threat actors repeatedly re-exploited the same entry point, deploying Deed RAT on December 25, 2025, TernDoor in late January/early February 2026, and a modified Deed RAT variant in late February 2026.
Initial access was followed by the deployment of web shells for persistence, with Deed RAT delivered via an evolved DLL side-loading technique using the legitimate LogMeIn Hamachi binary. Unlike traditional side-loading, this method manipulated two exported functions in the malicious DLL, creating a two-stage execution trigger to evade detection. The attackers also conducted lateral movement to expand access and establish redundant footholds within the network.
The second wave, occurring nearly a month after the initial breach, saw an unsuccessful attempt to deploy TernDoor using Mofu Loader, a shellcode loader linked to the GroundPeony threat cluster. The third wave, in late February 2026, reintroduced a modified Deed RAT variant, which used the domain sentinelonepro[.]com for command-and-control (C2) communications.
Bitdefender’s analysis highlights the campaign’s adaptive persistence, with the threat actors refining their malware arsenal and re-exploiting the same vulnerability despite mitigation efforts. The targeting of Azerbaijan, whose role in European energy security has grown following the 2024 expiration of Russia’s Ukraine gas transit agreement and the 2026 Strait of Hormuz disruptions, suggests strategic espionage motives tied to regional energy dynamics. The intrusion underscores how threat actors will repeatedly exploit unpatched systems until access is fully disrupted.
NOVEMBER 2025
710
OCTOBER 2025
708
SEPTEMBER 2025
707
AUGUST 2025
706
JULY 2025
704
JANUARY 2025
699
Vulnerability
01 Jan 2025 • MTI
Ivanti, PaperCut, ConnectWise and Microsoft: Microsoft flags China-based hackers using vicious new 'rapid attack' zero-days to launch ransomware at targets across the world
Storm-1175: Rapid Ransomware Deployment via Zero-Day and N-Day Exploits
694
CRITICAL-5
CONMICPAPIVA1775607925
A Chinese-speaking cybercriminal group, Storm-1175, is accelerating its attacks, moving from initial access to full system compromise, including Medusa ransomware deployment, in as little as 24 hours, according to a new Microsoft report. Unlike state-sponsored actors, the group operates for financial gain, targeting healthcare, finance, education, and professional services sectors, primarily in the U.S., U.K., and Australia.
Storm-1175 exploits a mix of zero-day and n-day vulnerabilities, often chaining flaws for maximum impact. The group has been observed abusing zero-days before public disclosure and rapidly weaponizing n-days, leaving defenders minimal time to patch. Over 16 vulnerabilities across 10 products have been leveraged, including critical flaws in:
- Microsoft Exchange (CVE-2023-21529)
- PaperCut (CVE-2023-27351, CVE-2023-27350)
- Ivanti Connect Secure/Policy Secure (CVE-2023-46805, CVE-2024-21887)
- ConnectWise ScreenConnect (CVE-2024-1709, CVE-2024-1708)
- JetBrains TeamCity, SimpleHelp, CrushFTP, SmarterMail, and BeyondTrust
After gaining access, the group disables antivirus and endpoint protection, deploys tools for lateral movement and persistence, and exfiltrates data before encrypting systems with Medusa ransomware. Their high operational tempo and ability to identify exposed assets have made their attacks particularly effective.
JANUARY 2023
762
Ransomware
01 Jan 2023 • MTI
Oracle and Microsoft: China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
Storm-1175: China-Based Threat Actor Exploits Zero-Days and N-Days in High-Speed Ransomware Attacks
656
CRITICAL-106
ORAMIC1775551007
A China-linked threat actor, tracked as Storm-1175, has been identified as the force behind a surge of high-velocity ransomware attacks that leverage a mix of zero-day and n-day vulnerabilities to breach internet-facing systems. According to Microsoft Threat Intelligence, the group has demonstrated a rapid operational tempo, targeting organizations in healthcare, education, professional services, and finance across Australia, the UK, and the U.S.
Storm-1175 has exploited at least 16 vulnerabilities since 2023, including CVE-2025-10035 and CVE-2026-23760, both weaponized as zero-days before public disclosure. The group has also chained multiple exploits (e.g., OWASSRF against Exchange) for post-compromise activity, and it often gains initial access through recently disclosed flaws before patches are widely deployed.
Once inside a network, the financially motivated actor moves swiftly, exfiltrating data and deploying Medusa ransomware within 24 hours in some cases. Persistence is established through new user accounts, web shells, or legitimate remote monitoring and management (RMM) tools, while defenses are degraded via credential theft, firewall manipulation, and antivirus exclusions.
Recent attacks have expanded to Linux systems, including vulnerable Oracle WebLogic instances, though the exact flaw exploited there has not been identified. Storm-1175’s tactics include:
- Living-off-the-land binaries (LOLBins) such as PowerShell, together with PsExec and Impacket, for lateral movement.
- PDQ Deployer for payload delivery, including Medusa ransomware.
- Credential dumping via Mimikatz and Impacket.
- Data exfiltration using Bandizip and Rclone.
- Abuse of RMM tools (e.g., AnyDesk, Atera, ConnectWise ScreenConnect) to blend malicious traffic with legitimate encrypted communications.
The group’s ability to rotate exploits quickly, capitalizing on the window between disclosure and patch adoption, highlights the growing threat posed by dual-use tools and infrastructure (legitimate RMM software repurposed by attackers).
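The persistence, defense-evasion and tooling signals listed above can be hunted for on a single Windows host from its event logs. The script below is an added example, not Microsoft’s code and not part of the original report. It assumes Sysmon is installed and logging process creation (Event 1), that the executable-name fragments in `$watchList` are reasonable for the tools named (they are assumptions; extend them), and that it is run elevated. The Impacket check looks for the output redirection that `wmiexec.py` writes into `\\127.0.0.1\ADMIN$\__<timestamp>`, a command line no administrator types by hand.

```powershell
# Added hunting example; not Microsoft's code and not from the original report.
# Looks back $Hours hours on one Windows host for three Storm-1175 post-exploitation
# signals described above: new local accounts (Security 4720), Defender exclusions
# added (Defender/Operational 5007), and process starts for exfiltration, RMM and
# lateral-movement tooling or Impacket-style remote execution (Sysmon Event 1).
# Assumes Sysmon is installed; run elevated.
param([int]$Hours = 24)

$since    = (Get-Date).AddHours(-$Hours)
$findings = New-Object System.Collections.Generic.List[object]

# Executable-name fragments for the tools named in the summary (assumed names; extend as needed).
$watchList = @('rclone', 'bandizip', 'anydesk', 'atera', 'screenconnect',
               'psexec', 'psexesvc', 'pdqdeploy', 'mimikatz')

function Get-EventData {
    # Flatten the <EventData> section of a record into a name/value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Add-Finding([datetime]$Time, [string]$Signal, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Time = $Time; Signal = $Signal; Detail = $Detail })
}

# 1. Persistence via new local accounts.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        Add-Finding $_.TimeCreated 'NewLocalAccount' "$($d.TargetUserName) created by $($d.SubjectUserName)"
    }

# 2. Defense evasion via antivirus exclusions. Event 5007 records the changed registry value,
#    so an added exclusion appears as a path under ...\Windows Defender\Exclusions\.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\' } |
    ForEach-Object {
        $line = $_.Message -split "`n" | Where-Object { $_ -match 'Exclusions\\' } | Select-Object -First 1
        Add-Finding $_.TimeCreated 'DefenderExclusionChanged' $line.Trim()
    }

# 3. Tooling and Impacket-style remote execution. OriginalFileName comes from the PE version
#    resource and survives renaming the binary on disk. -match is case-insensitive.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d     = Get-EventData $_
        $names = @([IO.Path]::GetFileName("$($d.Image)"), "$($d.OriginalFileName)")
        $hit   = $watchList | Where-Object { $names -match [regex]::Escape($_) } | Select-Object -First 1
        if ($hit) {
            Add-Finding $_.TimeCreated "Tooling:$hit" "$($d.Image) <- $($d.ParentImage) :: $($d.CommandLine)"
        } elseif ("$($d.CommandLine)" -match '\\\\127\.0\.0\.1\\ADMIN\$\\__') {
            Add-Finding $_.TimeCreated 'ImpacketWmiexecPattern' "$($d.CommandLine)"
        }
    }

$findings | Sort-Object Time | Format-Table -AutoSize
```

Matching on process name alone is noisy where RMM software is legitimately deployed; the value of the output is in correlation, for example an exclusion change followed minutes later by an `rclone` start from a user profile directory, both absent from change records.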
JANUARY 2020
769
Cyber Attack
01 Jan 2020 • MTI
Microsoft: Microsoft experts warn North Korean attackers target macOS users with 'a highly reliable infection chain' to steal passwords, financial data and more — here's how to stay safe
North Korean APT38 Targets Western Businesses with Fake Job Scams and Infostealer Malware
749
CRITICAL-20
MIC1776436215
Microsoft has issued a warning about Sapphire Sleet (also tracked as APT38), a North Korean state-sponsored threat group linked to the Lazarus Group, which has targeted Western businesses since at least 2020 in a campaign designed to steal cryptocurrency. The group runs fake job scams, creating elaborate fictitious personas, including companies, recruiters, and job postings, to lure victims via email and social media with enticing employment offers.
Once engaged, attackers direct victims to a malicious Zoom lookalike instead of the legitimate platform; the fake software deploys infostealer malware to compromise the device. Microsoft’s Sherrod DeGrippo, Global Threat Intelligence GM, highlighted the effectiveness of social engineering in bypassing security measures, noting that attackers exploit human trust by mimicking routine interactions such as remote support requests.
The campaign primarily targets macOS users, prompting Microsoft to collaborate with Apple, which implemented automatic platform-level protections to detect and block the malware and its infrastructure. The updates were rolled out without requiring manual intervention from users.
JUNE 2016
766
Vulnerability
16 Jun 2016 • MTI
Microsoft: Microsoft Office Zero-day Vulnerability Actively Exploited in Attacks
Microsoft Patches Actively Exploited Zero-Day in Office (CVE-2026-21509)
765
CRITICAL-1
MIC1769489765
On January 26, 2026, Microsoft released emergency out-of-band security updates for CVE-2026-21509, a zero-day vulnerability in Microsoft Office under active exploitation. The flaw, rated "Important" with a CVSS score of 7.8, stems from reliance on untrusted inputs in a security decision and allows attackers to bypass Office’s OLE mitigations.
The vulnerability lets a local attacker circumvent Office protections once a user is tricked into opening a malicious file, typically delivered via phishing or social engineering. Exploitation requires low complexity, no privileges, and user interaction, but results in high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
The Microsoft Threat Intelligence Center (MSTIC) confirmed active exploitation, marking it as the second zero-day patched this month following January’s Patch Tuesday updates.
### Affected Products & Mitigation
The flaw impacts legacy and current Office editions, including:
- Office 2016 (32/64-bit) – KB5002713 (Build 16.0.5539.1001)
- Office LTSC 2024/2021 – Automatic service-side protection post-restart
- Microsoft 365 Apps (Enterprise) – Automatic updates
- Office 2019 – Build 16.0.10417.20095
Office 2016/2019 users must apply the updates or, as an interim workaround, manually adjust the registry by adding a DWORD "Compatibility Flags" with value 400 (hexadecimal, i.e. 0x400, the COM kill-bit flag) under:
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`
(Paths may vary for Click-to-Run deployments; registry backups are recommended.)
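The manual workaround above is easy to get wrong (decimal instead of hexadecimal, key created under the wrong hive, an existing flags value overwritten). The script below is an added example, not Microsoft’s script and not from the original advisory, that applies and verifies it on an MSI-based Office 2016/2019 install. It assumes the page’s "400" is hexadecimal 0x400 (the COM kill bit), that the path given on the page is the right one for the install (Click-to-Run keeps this hive elsewhere, so check before running), and that it runs elevated. It exports the key to a `.reg` backup first, ORs the kill bit into any existing flags rather than overwriting them, and reads the value back to confirm the bit is set.

```powershell
# Added example; not Microsoft's script and not from the original advisory.
# Applies and verifies the interim CVE-2026-21509 workaround for MSI-based Office 2016/2019.
# Assumptions: "400" on the page is hexadecimal 0x400 (the COM kill-bit flag); the path below
# is for MSI installs only (Click-to-Run virtualizes this hive elsewhere); run elevated.
$clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$keyPath = "HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\$clsid"
$name    = 'Compatibility Flags'
$killBit = 0x400

function Get-OfficeComFlags {
    # Current DWORD, or $null if the key or value does not exist.
    param([string]$Path, [string]$ValueName)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-OfficeComKillBit {
    # OR the kill bit into any existing flags rather than overwriting them; returns the stored value.
    param([string]$Path, [string]$ValueName, [int]$Flag)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = Get-OfficeComFlags -Path $Path -ValueName $ValueName
    $new = if ($null -eq $current) { $Flag } else { $current -bor $Flag }
    Set-ItemProperty -LiteralPath $Path -Name $ValueName -Value $new -Type DWord
    return Get-OfficeComFlags -Path $Path -ValueName $ValueName
}

function Test-OfficeComKillBit {
    # $true only if the kill bit is set in the value as it is actually stored.
    param([string]$Path, [string]$ValueName, [int]$Flag)
    $current = Get-OfficeComFlags -Path $Path -ValueName $ValueName
    return ($null -ne $current) -and (($current -band $Flag) -eq $Flag)
}

# Back up the key before touching it (reg.exe errors on a missing key, so only if it exists).
$backup = Join-Path $env:TEMP 'OfficeComCompat-backup.reg'
if (Test-Path -LiteralPath $keyPath) {
    reg.exe export "HKLM\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\$clsid" $backup /y | Out-Null
}

$before     = Get-OfficeComFlags -Path $keyPath -ValueName $name
$after      = Set-OfficeComKillBit -Path $keyPath -ValueName $name -Flag $killBit
$beforeText = if ($null -eq $before) { '(absent)' } else { '0x{0:X}' -f $before }

[pscustomobject]@{
    Key        = $keyPath
    Before     = $beforeText
    After      = '0x{0:X}' -f $after
    KillBitSet = Test-OfficeComKillBit -Path $keyPath -ValueName $name -Flag $killBit
    Backup     = $backup
}
```

Once the proper update is installed the kill bit can stay in place; the check function is also the one to run fleet-wide (for example through a configuration-baseline or EDR script) to find hosts where the workaround was applied as decimal 400 or never applied at all.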
### Threat Landscape & Recommendations
While no public proof-of-concept (PoC) or attributed threat actors have been disclosed, organizations are advised to prioritize patching, enable auto-updates, and monitor for phishing indicators of compromise (IOCs), particularly suspicious Office attachments. Attackers frequently exploit such vulnerabilities for ransomware or APT initial access, making EDR monitoring for COM/OLE anomalies critical.
The CISA Known Exploited Vulnerabilities (KEV) catalog may list this flaw in the near future.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for MTI?
What was MTI's A.I Rankiteo Cyber Score in May 2026?
What was MTI's A.I Rankiteo Cyber Score in April 2026?
What was MTI's A.I Rankiteo Cyber Score in March 2026?
What was MTI's A.I Rankiteo Cyber Score in February 2026?
What was MTI's A.I Rankiteo Cyber Score in January 2026?
What was MTI's A.I Rankiteo Cyber Score in December 2025?
What was MTI's A.I Rankiteo Cyber Score in November 2025?
What was MTI's A.I Rankiteo Cyber Score in October 2025?
What was MTI's A.I Rankiteo Cyber Score in September 2025?
What was MTI's A.I Rankiteo Cyber Score in August 2025?
What was MTI's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on MTI's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with MTI?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view MTI's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?