The flaw, tracked as CVE-2026-8633, affects environments that use the optional Web Server Plug-ins component, significantly elevating the risk for enterprise deployments that rely on WebSphere infrastructure.

The vulnerability has been assigned a CVSS score of 9.8, highlighting its critical severity. It requires no authentication and can be exploited remotely, allowing attackers to gain full control of affected systems.

Successful exploitation could result in complete compromise, affecting confidentiality, integrity, and availability.

Given the widespread adoption of WebSphere in enterprise and government networks, the exposure is considered highly significant.

IBM WebSphere RCE Vulnerability

The root cause of the issue lies in improper control of code generation, categorized under CWE-94. This weakness allows attackers to inject malicious payloads into the system via crafted HTTP requests.

Once processed by the vulnerable Web Server Plug-ins, these requests can trigger remote code execution.

Additionally, the flaw introduces the risk of HTTP request smuggling, enabling attackers to bypass security mechanisms and manipulate backend communications.

CVE-2026-8633 specifically affects IBM Web Server Plug-ins used alongside both traditional WebSphere Application Server and WebSphere Liberty deployments

Impacted versions include WebSphere Application Server 8.5 and 9.0, as well as WebSphere Liberty 8.5 and 9.0, along with their corresponding plug-in versions.

Because these plug-ins are commonly used to route requests between web servers and application servers, exploitation could provide attackers with a direct pathway into backend systems.

IBM has issued remediation guidance and strongly recommends immediate action. Organizations are advised to apply interim fixes that address APAR PH71342 after upgrading to the required minimum fix pack levels.

For WebSphere 9.0 environments, users should upgrade to Fix Pack 9.0.5.28 or later once available. Similarly, WebSphere 8.5 users are advised to update to Fix Pack 8.5.5.30 or a later version when released.

In addition to patching, organizations should take proactive defensive measures. Monitoring HTTP traffic for anomalies, especially malformed or unexpected request patterns, can help detect exploitation attempts.

Restricting external access to WebSphere plug-in endpoints and deploying Web Application Firewall protections can further reduce exposure. Security teams should also initiate threat hunting activities to identify any signs of compromise within affected environments.

As threat actors increasingly target middleware and application infrastructure, vulnerabilities like CVE-2026-8633 underscore the importance of timely patching and layered security controls.

Organizations using IBM WebSphere are urged to treat this issue as a priority and act swiftly to mitigate potential risks.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post IBM WebSphere Server Vulnerable to Remote Code Execution Attack Via Crafted Request appeared first on Cyber Security News.

Security researchers at Sansec uncovered an unauthenticated PHP object injection flaw in Mirasvit Cache Warmer, a full-page cache extension used by thousands of Magento and Adobe Commerce storefronts.

The vulnerability, tracked as CVE-2026-45247, carries a maximum-severity CVSS score of 9.8 (Critical).

Magento Cache Plugin Vulnerability

Mirasvit Cache Warmer is designed to preload cached versions of store pages for different visitor types, varying by currency, customer group, and other session states.

To do this, it packs session details into a cookie and sends them with each crawl request. On the server side, a plugin reads that cookie and adjusts the session accordingly before rendering the page.

The critical problem: the plugin passes part of that cookie value directly to PHP’s native unserialize() function, with no class restrictions and no authentication checks.

Because the cookie value is entirely client-side, an attacker can craft it to inject arbitrary PHP objects. This is known as PHP Object Injection (CWE-502).

When combined with a gadget chain, malicious logic built from classes already bundled within Magento and its dependencies, this object injection escalates directly into Remote Code Execution (RCE).

The attack fires on every storefront request, not just internal cache-warming traffic, making any public-facing Magento store a potential target.

All versions of Mirasvit Cache Warmer before 1.11.12 are vulnerable. The extension ships bundled inside several other Mirasvit packages, meaning many merchants may be running it without realizing it.

Sansec’s scanning found approximately 6,000 stores running Mirasvit extensions, with the actual number likely far higher, as CDNs like Cloudflare mask many installations from external fingerprinting.

The exploit leaves a recognizable trail in web logs. Security teams should watch for storefront requests carrying a CacheWarmer cookie whose value begins with CacheWarmer: followed by a base64 string.

Serialized PHP objects typically base64-encode to strings starting with Tz, Qz, or YT — making the pattern CacheWarmer:(Tz|Qz|YT) a strong indicator of an active exploitation attempt.

Mitigations

Mirasvit released the patched version 1.11.12 on May 25, 2026, within days of being notified. Store owners should act immediately:

Update now:  Upgrade Mirasvit Cache Warmer to version 1.11.12 or later.

Block attacks: Deploy a web application firewall capable of blocking serialization-based exploit attempts.

Scan for compromise: Check for webshells, backdoors, or unexpected PHP files in pub/ and other web-accessible directories.

Audit installed packages: Confirm whether Cache Warmer is bundled inside other Mirasvit modules on your store.

Sansec’s Shield customers were already protected from April 24, 2026, the same day the flaw was discovered. The CVE was formally assigned on May 26, 2026.

Given that exploitation requires zero authentication and can be fully automated, unpatched stores remain at serious risk of full server compromise.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks appeared first on Cyber Security News.

The flaw, currently awaiting NVD enrichment, allows attackers to exploit a DNS rebinding weakness that could lead to unauthorized access to backend systems.

Security researchers identified that the issue stems from a misconfigured cross-origin policy within the MCP Toolbox SSE implementation.

Despite earlier efforts to enforce stricter origin controls during the beta phase, a critical security header remained overly permissive, exposing systems to cross-domain attacks.

MCP Toolbox Vulnerability

The vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). It occurs because a hard-coded HTTP response header sets Access-Control-Allow-Origin to a wildcard value.

This configuration allows any external domain to interact with the SSE endpoint, effectively bypassing intended origin restrictions.

Although developers introduced security flags such as allowed-origins and allowed-hosts, these controls were nullified by the wildcard policy.

The issue specifically affects environments running MCP Toolbox with SSE enabled under the v2024-11-05 specification, particularly when enterprise database connectors are exposed via SSE endpoints.

Attackers can leverage DNS rebinding techniques to trick a victim’s browser into sending authenticated requests to internal services, potentially exposing sensitive data or enabling unauthorized database queries.

In a typical attack scenario, a victim visits a malicious website controlled by an attacker. The attacker then uses DNS rebinding to redirect browser requests to internal MCP Toolbox services.

Because of the permissive cross-origin resource sharing configuration, the browser allows interaction with these internal endpoints. This ultimately enables the attacker to gain indirect access to enterprise database connectors.

This form of attack is especially dangerous in cloud and hybrid environments where internal services are accessible through web interfaces, significantly increasing the attack surface.

CVE-2026-9739 is categorized as a DNS rebinding vulnerability caused by CORS misconfiguration and mapped to CWE-942.

The affected component is the MCP Toolbox SSE handler, and the primary impact is unauthorized access to internal services. A CVSS score has not yet been assigned, as the NVD assessment is still pending.

Mitigation and Fixes

Developers have addressed the vulnerability in recent updates by removing the wildcard origin header and enforcing strict origin validation.

Organizations are strongly advised to upgrade MCP Toolbox to the latest patched version and avoid using permissive CORS policies in production environments.

Restricting allowed origins to trusted domains, turning off unnecessary SSE endpoints, and monitoring network traffic for unusual internal requests are essential defensive measures.

Security teams should also audit their deployments to identify exposed SSE endpoints and ensure proper access control mechanisms are in place.

The vulnerability was publicly disclosed through GitHub issue #3053 and resolved in pull request #3054 within the official MCP Toolbox repository.

This incident highlights how misconfigured cross-origin policies in modern streaming technologies, such as SSE, can introduce critical security risks if not properly secured.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Critical MCP Toolbox Vulnerability Impacts Enterprise Database onnectors appeared first on Cyber Security News.

The malware has been active since May 2025 and spreads through malicious links disguised as downloads from trusted, well-known applications.

What makes OverlayPhantom particularly alarming is how it gets onto a device. It uses a two-stage infection process, starting with a dropper app that pretends to be either ID Austria, the official Austrian government identity application, or the popular platform TikTok.

Victims are tricked into installing what appears to be a routine system update, and from that point, the malware takes hold.

Analysts at Cyble Research and Intelligence Labs (CRIL) uncovered OverlayPhantom while investigating government-themed URL impersonation campaigns. 

Cyble said in a report shared with Cyber Security News (CSN) that the malware targets more than 180 banking, financial services, and cryptocurrency applications across the United States, Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the United Kingdom.

Once installed, OverlayPhantom disguises itself as “Google Play Services,” making it nearly impossible for an average user to spot or remove.

From that position, it abuses Android’s Accessibility Service, a built-in feature designed to help users with disabilities, to take persistent control of the infected device.

The threat actor can then issue over 30 remote commands to manipulate the device without the victim ever noticing.

The breadth of its reach, paired with the technical sophistication behind its design, points to a financially motivated group running a large-scale fraud operation.

With over 180 targeted apps and victims spread across Western markets, OverlayPhantom is far from a small campaign.

Android Banking Trojan OverlayPhantom

The Accessibility Service abuse is what gives OverlayPhantom its real power over infected devices. Once the victim grants this permission, guided through a tutorial embedded in the dropper app, the malware connects to its Command and Control (C&C) server at IP address 199.217[.]99[.]122.

The C&C traffic is divided across three dedicated ports: port 9091 for issuing commands, port 9092 for device status updates, and port 9090 for live screen streaming.

This multi-port setup keeps communication running reliably and harder to block. The malware uses Android’s MediaProjection API to stream the victim’s screen in near real time using JPEG compression, giving the attacker a live view of everything on the device.

The remote command set covers a wide range of actions. The attacker can simulate taps, swipes, and long presses, lock the screen, manipulate clipboard contents, display fake notifications, and launch overlay windows to capture PIN codes or passwords.

These controls let the threat actor perform unauthorized transactions without the victim ever knowing.

Overlay Attacks Targeting Banking and Cryptocurrency Apps

OverlayPhantom keeps a hardcoded list of target applications embedded in its code. When the victim opens a banking or financial app, the malware silently checks whether that app is on its list.

If there is a match, it pulls up a counterfeit HTML phishing page, renders it in a WebView layer, and places it over the legitimate application. The fake screen looks identical to the real one.

The victim enters credentials believing they are logging into their actual bank or crypto wallet. That data is instantly harvested and sent to the C&C server without leaving any visible sign of compromise.

This overlay technique is exactly what makes OverlayPhantom so effective and difficult for victims to detect.

To stay protected, users should only download apps from official platforms like the Google Play Store and avoid clicking links received through SMS, email, or social media.

Granting Accessibility Service permissions to any unfamiliar app should be avoided at all costs. Enabling multi-factor authentication on banking and financial apps adds a critical extra layer of defense, even when credentials are stolen.

Keeping Android OS and installed apps regularly updated is equally important, as security patches often close the exact vulnerabilities that malware like OverlayPhantom exploits.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices appeared first on Cyber Security News.

The incident, tracked internally under MO1329446 in the Microsoft 365 Admin Center, began with widespread user reports of file-access failures across web-based Office experiences.

Users attempting to open documents, spreadsheets, or presentations via the browser-based Office suite or Teams encountered errors, disrupting collaboration workflows for potentially millions of enterprise users globally.

Microsoft’s engineering team initially acknowledged the issue, stating they were “investigating reports that some users are unable to open files in Office for the Web or Microsoft Teams.” Shortly after, the team confirmed detection of elevated error rates spanning multiple Office for the Web services.

Engineers conducted service telemetry analysis to identify the failure scope, correlating error patterns across service dependencies to determine the root cause and remediation path.

The cross-dependency investigation suggests the disruption may have stemmed from a shared backend component or infrastructure layer serving multiple Microsoft 365 services simultaneously, a pattern consistent with prior Azure-backed service incidents.

Microsoft has not yet publicly disclosed whether the incident originated from a code deployment, configuration change, or underlying infrastructure fault.

Microsoft confirmed that the impact is no longer occurring and has published final incident details under MO1329446 in the Microsoft 365 Admin Center. Affected organizations with active Microsoft 365 subscriptions can review the post-incident report through their admin portals for detailed timelines and remediation steps.

Enterprises relying on Microsoft 365 for critical workflows are advised to monitor the Microsoft 365 Service Health Dashboard for real-time status updates and configure admin center alerts to receive proactive notifications during future service disruptions.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Microsoft Office for the Web and Teams Hit by File Access Outage appeared first on Cyber Security News.

What was once a niche concern has grown into a serious and escalating threat, with attackers running multi-stage operations that extend well beyond a single compromised container.

Modern container platforms are designed to isolate applications from one another and from the host. But that isolation is only as strong as the configuration behind it.

When settings are applied carelessly or left at insecure defaults, the wall between a container and its host becomes dangerously thin, giving attackers a direct path to escalate privileges.

Researchers at Securelist said in a report shared with Cyber Security News (CSN) that these attacks have evolved into multi-stage scenarios involving supply chain compromises, Kubernetes secrets theft, orchestration API abuse, and container escape attempts.

In one notable case, the APT group TeamPCP compromised Checkmarx KICS across multiple attack chains, poisoning a Docker Hub repository to steal Kubernetes secrets.

The threat is not limited to exotic zero-day exploits. Misconfigurations are far more common as the root cause of successful breaches than complex kernel vulnerabilities. Attackers look for the low-hanging fruit first, and insecure container configurations remain plentiful across enterprise environments.

Once inside a compromised container, an attacker rarely needs to do much to find something valuable. Containers routinely hold API keys, SSH keys, access tokens, service credentials, and Kubernetes ServiceAccount tokens.

These assets alone can be enough to pivot into cloud infrastructure or establish long-term persistence without ever escaping the container.

Attackers Abuse Docker and Kubernetes Misconfigurations

The most dangerous configuration a container operator can enable is the privileged flag. When a container runs with this setting, it receives all Linux capabilities and direct access to host devices, making it functionally equivalent to root access on the host machine.

Using a utility like nsenter, an attacker can spawn a shell outside the container and move freely on the underlying system.

Specific Linux capabilities also open the door to escapes when improperly assigned. The CAP_SYS_ADMIN capability allows a container to mount file systems and interact with kernel parameters.

Combined with access to host directories through the hostPath parameter, an attacker can mount the host disk inside the container and overwrite critical system files. CAP_SYS_MODULE lets an attacker load a malicious kernel module that triggers a reverse shell from kernel space.

CAP_SYS_PTRACE becomes dangerous when the host PID namespace is shared via hostPID: true.

An attacker can then attach to host processes, inject code, and extract sensitive data from memory. CAP_NET_ADMIN enables network stack manipulation and, when combined with hostNetwork: true, opens the door to traffic interception across the environment.

Orchestration APIs present an equally serious risk. An exposed Docker API accessible over TCP without authentication gives an attacker remote administrative access to the host.

A compromised Kubernetes token with weak RBAC policies can allow deployment of privileged pods and a full cluster takeover with just a few API calls.

Supply Chain Attacks Targeting Container Infrastructure

Beyond runtime misconfigurations, attackers are going after containers before they are even deployed. Supply chain attacks target the image build and delivery process, injecting malicious code at stages where organizations are least likely to look.

Developers who pull public images from Docker Hub without checking their origin are especially vulnerable, since threat actors regularly publish tainted images that mimic legitimate tools.

CI/CD pipelines are another high-value target. These systems hold elevated privileges and broad infrastructure access.

By compromising a single pipeline stage, an attacker can modify Docker image builds, quietly adding hidden scripts or remote management tools, while the container appears legitimate on the outside.

To defend against these threats, teams should audit container configurations regularly and avoid running containers with the privileged flag.

All images should be verified before use, RBAC policies should be tightened, and CI/CD pipelines treated as critical infrastructure with strict access controls. Runtime monitoring and supply chain validation are essential parts of any secure container deployment.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Attackers Abuse Docker and Kubernetes Misconfigurations to Compromise Host Systems appeared first on Cyber Security News.

The campaign lures victims through fake verification pages that trick them into running a malicious script without realizing the full damage it causes.

What makes this wave especially concerning is that the attack does not stop at one piece of malware. It delivers a second, more powerful tool once it gains a foothold inside the system.

The infection chain starts when a user visits a compromised or malicious website displaying a fake “verification” page. This page instructs the visitor to copy and run a PowerShell or similar script, which is the ClickFix technique.

Once the script runs, it silently reaches out to attacker-controlled servers and pulls down the first stage of the infection. The victim sees nothing unusual on their screen, while the attacker gains quiet and persistent access to the machine.

Internet Storm Center said in a report shared with Cyber Security News (CSN) that they identified the campaign after observing a suspicious infection on May 27, 2026.

Researcher Brad Duncan noted that an unidentified RAT had been generating encoded traffic to a command and control server since at least April 2026.

The discovery confirmed that this campaign had been quietly running for several weeks before it was formally documented and published.

What sets this attack apart is its deliberate two-stage design. The first stage drops an unidentified RAT that sends encoded traffic to its C2 server over TCP port 443, making it blend in with regular web traffic.

Once the initial RAT is in place, it pulls in a second payload: a malicious package of NetSupport Manager RAT, a legitimate remote access tool that attackers have repurposed to take unauthorized control of infected machines.

The entire process is built to stay quiet and survive reboots. After the NetSupport RAT is installed and made persistent on the host, the scripts used to set it up are deleted automatically, removing traces of the initial compromise.

This cleanup step makes forensic investigation harder and reveals the careful level of planning behind the campaign.

SmartApeSG Campaign Uses ClickFix Scripts

The SmartApeSG campaign uses a fake browser verification page as its entry point, a tactic that has grown increasingly popular among threat actors.

Visitors are told to run a script to “verify” their identity, which instead executes the ClickFix payload. The script then contacts attacker infrastructure to fetch a ZIP archive containing the initial RAT package from a remote server.

Once extracted and executed, the initial RAT begins sending encoded traffic to its C2 server at a fixed IP address over port 443.

The use of encoded, non-SSL traffic on that port is unusual and helps the malware avoid detection tools that expect standard HTTPS on that port. The RAT then pulls down follow-up files through the same C2 channel to prepare the system for the next stage of the attack.

NetSupport RAT Deployed as Persistent Follow-Up Payload

The second stage delivers a malicious NetSupport Manager RAT package via a CAB file that is fetched and extracted to the system.

A batch script called token.bat handles the extraction and installation, while a VBScript file called processor.vbs triggers the batch script. Together, these components install the NetSupport RAT and configure it to run automatically whenever the system restarts.

Defenders are advised to monitor for unusual PowerShell execution tied to browser events, as this is a clear sign of the ClickFix technique being abused. Blocking access to suspicious or newly registered domains can also reduce the overall risk.

Security teams should watch for encoded traffic over port 443 that does not follow normal SSL/TLS patterns, as this is a known behavior of the initial RAT in this chain. Since the domains and file hashes used in this campaign rotate daily, checking the @monitorsg feed on Mastodon is recommended for the latest indicators.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SmartApeSG Campaign Uses ClickFix Scripts to Infect Windows Hosts With RAT Malware appeared first on Cyber Security News.

The campaign, dubbed “Miasma: The Spreading Blight,” is a new variant of the Mini Shai-Hulud malware family a sophisticated credential-stealing worm previously linked to threat actor group TeamPCP.

This is not a typosquatting campaign. The attackers hijacked a legitimate, trusted npm namespace and published backdoored versions of widely-used frontend components, API clients, and developer tooling.

According to Aikido and JFrog detections, the malicious packages were published via GitHub Actions OIDC tokens, indicating the CI/CD pipeline itself was compromised, not individual developer accounts.

Each poisoned package embeds a preinstall lifecycle hook in its package.json:

json"scripts": { "preinstall": "node index.js" }

This executes a 4.2 MB obfuscated payload automatically during every npm install, before any application code runs. The loader uses a multi-stage decryption chain — numeric character arrays, a ROT-style transform, and AES-128-GCM blobs — to evade static detection, before dropping a transient Bun-based payload to /tmp/p*.js for execution.

Once active, the malware performs a sweeping credential collection targeting:

• GitHub tokens — classic, fine-grained, and GitHub Actions OIDC tokens
• Cloud credentials — AWS access keys, GCP service account files, Azure service principal and managed identity tokens
• Infrastructure secrets — Kubernetes service account tokens and kubeconfig files, HashiCorp Vault tokens
• Developer tooling — npm and PyPI publish tokens, SSH private keys, Docker registry credentials, GPG keys, .env files across the filesystem

In cloud environments, the malware goes beyond static files. It actively queries AWS Secrets Manager, SSM Parameter Store, Azure Key Vault, and GCP Secret Manager when permissions allow. GitHub Actions runners are a prime target: the payload reads secrets directly from runtime process memory, bypassing workflow log masking entirely.

A notable evasion technique in this wave involves disguising exfiltration traffic to api.anthropic.com/v1/api — a legitimate-looking domain that blends into network logs at organizations using Anthropic services.

The /v1/api path is not a valid Anthropic route, suggesting attackers chose it purely for camouflage. Defenders should hunt for node or Bun processes contacting this host from CI runners or developer machines.

The malware also uses a GitHub dead-drop model, creating public repositories under victim accounts with the description Miasma: The Spreading Blight and committing stolen credentials as JSON result files.

The malware installs persistent monitoring services — kitty-monitor.service on Linux and com.user.kitty-monitor.plist on macOS — that poll for remote instructions. It also injects hooks into AI developer tools including Claude, Codex, Gemini, Copilot, Kiro, and opencode, and adds VS Code folder-open tasks that re-execute the payload.

Most critically, a destructive token monitor (gh-token-monitor) watches stolen GitHub tokens. If a token is revoked before persistence is removed, it can execute destructive commands such as wiping the user’s home directory.

Incident responders must isolate machines and remove persistence before revoking any tokens.

Indicators of Compromise

Any project that installed the following package versions on or after June 1, 2026 should be treated as compromised: Here is the complete IOC table for all 31 compromised @redhat-cloud-services npm packages:

Mitigation Steps

• Run npm uninstall on all affected packages and regenerate lockfiles from trusted metadata
• Use npm ci --ignore-scripts in CI pipelines as a temporary safeguard
• Remove kitty-monitor and gh-token-monitor persistence files from all affected machines before revoking tokens
• Inspect .claude/settings.json, .vscode/tasks.json, and ~/.config/index.js for injected hooks
• Audit npm and GitHub accounts for unexpected patch-version publishes or newly created repositories matching the Miasma: The Spreading Blight description
• Rotate all exposed credentials — GitHub tokens, npm tokens, cloud keys, SSH keys, Vault tokens, and Kubernetes service account tokens — only after persistence is confirmed removed
• Rebuild affected CI runners and developer workstations from clean images

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware appeared first on Cyber Security News.

The campaign intensified following a regional conflict that began on February 28, 2026, attributed to an Iran-linked advanced persistent threat group operating under several known aliases.

Security researchers have been tracking a rapid surge in activity that shows no signs of stopping. The threat group, known as Screening Serpens and also identified as UNC1549, Smoke Sandstorm, and Iranian Dream Job, has been active since at least 2022.

Historically focused on Middle Eastern targets, the group expanded into Western Europe in late 2025. Their preferred targets sit inside high-value sectors including aerospace, defense manufacturing, and telecommunications.

They reach victims through personalized social engineering, using fake job listings and spoofed meeting invitations to lure professionals into downloading malicious files.

Unit 42 researchers identified six new remote access Trojan (RAT) variants deployed between February and April 2026, grouped into two distinct malware families named MiniUpdate and MiniJunk V2.

Unit 42 said in a report shared with Cyber Security News (CSN) that the campaigns align closely with the conflict timeline, with coordinated attacks hitting entities in the U.S. and Israel in late March, followed by targets in the UAE and another Middle Eastern country in mid-April 2026.

Both malware families begin their infection chains through spear phishing. Victims receive what appears to be a recruitment portal or a video conferencing app installer.

Once they interact with the file, a silent multi-stage infection chain kicks off in the background, and the attacker quietly gains full control over the compromised machine.

AppDomainManager Hijacking

The most significant technical leap in this campaign is the use of a technique called AppDomainManager hijacking.

This method targets the initialization phase of .NET applications by modifying a legitimate configuration file, allowing malicious code to run before the host application even finishes loading. Since this happens so early, most security tools do not get a chance to detect it.

By adding a few targeted XML lines to the application’s config file, attackers instruct the .NET runtime to disable its own security features.

They turn off Event Tracing for Windows (ETW), the primary data source that modern endpoint detection and response (EDR) platforms rely on to monitor .NET activity.

They also bypass strong-name signature validation, ensuring that unsigned DLL files load without triggering security exceptions.

This approach is described as a mature living-off-the-land technique because it requires no complex shellcode or memory patching.

The attacker simply asks the system to turn off its own defenses using a file that looks entirely legitimate. The result is a payload running in a completely unmonitored, highly privileged environment with no alerts raised.

Infection Chain and Social Engineering Tactics

The MiniUpdate family was delivered through archives impersonating a global airline and a popular video conferencing platform.

One archive contained six fake job description PDFs with believable job IDs and titles such as Senior Software Engineer, targeting IT and engineering professionals.

A nested payload inside a file named Hiring Portal.zip launched a fake error window while the malware quietly installed itself.

For persistence, the malware used Windows Task Scheduler, creating a daily trigger at 09:30 local time. The MiniJunk V2 family used an older configuration method but added heavy code obfuscation and file size inflation to bypass automated scanning limits.

Command-and-control traffic was routed through Azure-hosted domains that mimicked legitimate Windows service names, making network-level detection significantly harder.

Researchers recommend that defenders tune EDR platforms specifically to flag DLL sideloading and AppDomainManager hijacking behaviors, rather than relying solely on signature-based detection.

Treating trusted, signed binaries that load unsigned modules as high-risk will help security teams catch these attacks much earlier. Organizations in aerospace, defense, and technology should stay alert to fake job offers or meeting invitations arriving through unofficial channels.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Iranian Hackers Abuse AppDomainManager Hijacking to Evade EDR Detection appeared first on Cyber Security News.

The campaign, dubbed Operation XENOFISCAL, targeted provincial finance officials across all 34 Afghan Mustoufiats — regional revenue and finance directorates that form the fiscal backbone of the country.

The attack began with a spear phishing email carrying a ZIP archive. Inside was a malicious shortcut file disguised with a PDF icon and a filename written in Pashto — the dominant language used by Afghan government workers.

The lure posed as a list of employees invited to a seminar on psychological and intellectual warfare, showing that the attackers had precise knowledge of their targets’ working environment.

Analysts from Seqrite, in a report shared with Cyber Security News, identified this campaign and attributed it to the SideCopy APT cluster with medium-to-high confidence.

SideCopy operates under the broader Transparent Tribe, also known as APT36, umbrella — a group with a documented history of targeting South Asian government institutions.

Seqrite Labs has been tracking this threat cluster for years as part of its global spear phishing monitoring program.

Once the victim opened the shortcut file, the malware silently used mshta.exe — a legitimate Windows utility — to reach out to a compromised Afghan education domain and pull a remote payload.

This technique is called Living-off-the-Land, where attackers abuse built-in system tools to avoid triggering security alerts. The malware then decoded obfuscated JavaScript in memory and embedded itself in the Windows Registry, disguising its persistence entry as a Microsoft Edge process.

The final stage deployed XenoRAT 1.8.7, an open-source Remote Access Trojan available on GitHub, which established an encrypted connection to a bulletproof server in Frankfurt, Germany.

This command-and-control infrastructure was entirely separate from the delivery domain — a deliberate design to ensure long-term access even if the delivery layer was discovered and shut down.

SideCopy Hackers Deploy Persistent XenoRAT Malware

The malware chain ran across five stages, each built to pass control to the next without triggering detection. After the shortcut file launched mshta.exe, it pulled an HTML Application payload from abimj.edu.af, a compromised Afghan education website.

That payload contained obfuscated JavaScript which decoded itself in memory and dropped a .NET-based loader DLL to continue the infection.

That loader DLL downloaded an encoded, GZIP-compressed blob from attacker-controlled URLs and unpacked it entirely in memory.

The shellcode that followed used reflective loading — allocating executable memory and injecting itself without writing the main payload to disk. This fileless approach makes the malware far harder to catch with conventional antivirus scanning.

XenoRAT is a capable surveillance tool once active. It connects to a hard-coded IP address using encrypted TCP traffic and registers itself through both a Windows Scheduled Task named “XenoUpdateManager” and a Registry Run key.

The malware runs a mutex called “clouda” to prevent duplicate instances, and it queries installed antivirus products before reporting back to its operators.

Persistence Mechanisms and Infrastructure Exposure

The decoy document dropped during execution was a real Afghan Ministry of Finance internal staff directory, listing Finance Directors, Revenue Chiefs, and Secretaries from all 34 provinces — complete with mobile numbers.

This level of detail indicates the attackers conducted prior intelligence gathering, likely through earlier compromises of Afghan government networks.

The delivery domain abimj.edu.af resolved to IPs 103.132.98.224 and 103.132.98.226, both on a subnet belonging to Afghanistan’s own Ministry of Communication.

Staging malicious payloads on local Afghan infrastructure allowed traffic to blend with legitimate government communications, bypassing network monitoring tools.

The RAT’s C2 server at 185.235.137.106 was hosted on AS59711, a Bulgaria-registered provider with Frankfurt data center presence previously linked to SideCopy activity.

Security teams should monitor for unusual mshta.exe executions, unexpected Registry Run keys mimicking Windows processes, and outbound traffic to unrecognized European hosting providers.

Enforcing application allow-listing, auditing scheduled tasks regularly, and restricting HTA execution from public directories are effective mitigations. Seqrite released detections under signatures including Link.Downloader.50744.GC and Script.Netloader.50745.GC to help identify compromised systems.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry appeared first on Cyber Security News.