LATEST THREAT INTELLIGENCE.
Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions
Description: A threat actor known as TeamPCP expanded its supply chain attack from Aqua Security's Trivy to Checkmarx's AST GitHub Action. The attack, which began on March 19, 2026, involved injecting a credential-stealing payload into CI/CD pipelines across thousands of repositories. The malicious code harvested secrets from runner memory, queried cloud metadata, and exfiltrated encrypted data to typosquat domains. The Checkmarx compromise occurred approximately four days after the initial Trivy incident, using identical techniques but targeting a different action. This cascading effect demonstrates how compromised actions can be used to harvest credentials and compromise additional dependencies. Runtime detection proved effective in identifying the attack pattern across both waves, as the underlying behavior remained consistent despite changes in the delivery mechanism.
Created at: 2026-03-24T08:49:58.740000
Updated at: 2026-03-24T11:28:43.598000
Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
Description: A multi-stage malware delivery campaign was uncovered, initially detected through a suspicious VBS file. The investigation revealed a complex attack infrastructure using Unicode obfuscation, PNG-based payload staging, and reflectively loaded .NET execution. The attacker utilized open directories to host multiple obfuscated VBS files, each mapping to different malware payloads including XWorm and Remcos RAT. A secondary infection vector involving a weaponized 'PDF' and batch script was also discovered. The campaign demonstrated a modular approach, allowing for payload rotation and multiple attack vectors from the same domain. This sophisticated infrastructure design enables rapid modification and expansion of available payloads without altering the initial delivery mechanism.
Created at: 2026-03-24T08:49:51.419000
Updated at: 2026-03-24T11:16:30.013000
KICS GitHub Action Compromised: TeamPCP Supply Chain Attack
Description: The KICS GitHub Action, an open-source infrastructure as code security scanner by Checkmarx, was compromised by TeamPCP, the group behind the recent Trivy attack. Between 12:58 and 16:50 UTC on March 23, 35 tags were hijacked, exposing users to credential-stealing malware. The attack involved staging imposter commits and updating tags using a compromised identity. The malware uses a new C2 domain, creates a fallback repository, and adds Kubernetes-focused persistence code. Additionally, two OpenVSX extensions were compromised. The payload targets cloud provider credentials and installs persistence on non-CI systems. Security teams are advised to audit workflows, search for exfiltration artifacts, and implement long-term hardening measures.
Created at: 2026-03-24T08:49:53.168000
Updated at: 2026-03-24T11:13:36.523000
CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
Description: A new payload in the TeamPCP arsenal has been discovered, capable of wiping entire Kubernetes clusters. The script uses the same ICP canister as the CanisterWorm campaign, with consistent lateral movement via DaemonSets. However, this variant introduces a geopolitically targeted destructive payload aimed specifically at Iranian systems. The malware checks timezone and locale to identify Iranian systems, deploying privileged DaemonSets across every node in Kubernetes environments. Iranian nodes are wiped and force-rebooted, while non-Iranian nodes receive the CanisterWorm backdoor. The latest variant adds network-based lateral movement, exploiting exposed Docker APIs and using SSH for spread. This development shows TeamPCP's ability to operate at supply chain scale and their willingness to engage in destructive actions.
Created at: 2026-03-24T10:50:58.319000
Updated at: 2026-03-24T11:05:58.343000
Massive Winos 4.0 Campaigns Target Taiwan
Description: A series of targeted phishing campaigns in Taiwan have been observed disseminating Winos 4.0 (ValleyRat) malware and associated plugins. The attacks exploit local business processes using themes like tax audits and e-invoices. The campaigns employ various techniques including malicious LNK files, DLL sideloading, and Bring Your Own Vulnerable Driver (BYOVD) attacks. The malware utilizes UAC bypassing, driver loading, and process termination to evade detection and disable security software. The attacks are attributed to a subgroup of the Silver Fox APT, showing sophisticated localization and evolving evasion techniques. The campaigns have been active since at least January 2026, using consistent infrastructure and development identifiers.
Created at: 2026-02-22T02:50:09.203000
Updated at: 2026-03-24T02:42:54.494000
Pro-Iranian Nasir Security is Targeting The Energy Sector in the Middle East
Description: A new cybercriminal group, Nasir Security, believed to be associated with Iran, is targeting energy organizations in the Middle East. They focus on attacking supply chain vendors involved in engineering, safety, and construction. The group emerged in October 2025 and has claimed attacks on various energy sector companies, including Dubai Petroleum, CC Energy Development, and Al-Safi Oil Company. However, their claims are likely exaggerated, and the actual breaches appear to be of third-party contractors. The group's tactics include business email compromise, spear phishing, and exploiting public-facing applications. Their activities are seen as part of a broader Iranian strategy to conduct cyberattacks and spread misinformation during ongoing geopolitical conflicts.
Created at: 2026-03-23T18:36:23.531000
Updated at: 2026-03-23T21:11:59.116000
Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign
Description: A series of attacks targeting Libyan organizations, including an oil refinery, a telecoms organization, and a state institution, occurred between November 2025 and February 2026. The campaign utilized the AsyncRAT backdoor, delivered through spear-phishing emails with Libya-themed lure documents. The attackers exploited current events, such as the assassination of Saif al-Gaddafi, to gain access to networks. The modular nature of AsyncRAT and the targeted organizations suggest possible state sponsorship. The campaign's focus on Libya and its oil industry is notable, given the country's increased oil production and global energy supply concerns amidst Middle East conflicts.
Created at: 2026-03-20T21:15:16.361000
Updated at: 2026-03-23T09:36:29.975000
GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer
Description: The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools.
Created at: 2026-03-23T09:27:46.476000
Updated at: 2026-03-23T09:31:05.731000
MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
Description: A sophisticated ClickFix campaign has been uncovered, compromising legitimate websites to deliver a multi-stage malware chain. The attack culminates in MIMICRAT, a custom remote access trojan with advanced capabilities. The campaign uses compromised sites across industries and geographies for delivery, employing a five-stage PowerShell chain that bypasses security measures before deploying a Lua-scripted shellcode loader. MIMICRAT, the final payload, is a native C++ RAT featuring malleable C2 profiles, Windows token theft, and SOCKS5 proxy functionality. The attack chain involves multiple compromised websites, obfuscated scripts, and sophisticated evasion techniques, demonstrating a high level of operational sophistication.
Created at: 2026-02-20T14:51:41.673000
Updated at: 2026-03-22T14:24:30.577000
VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
Description: A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.
Created at: 2026-02-20T00:28:19.348000
Updated at: 2026-03-22T00:04:28.839000
