
Signal Phishing Campaign Targets German Officials in Suspected Russian Operation

28 April 2026, 10:56

Suspected Russian phishing via Signal targeted German officials, exploiting trust to access accounts and sensitive political communications.

A new wave of cyber operations targeting European political leadership is once again highlighting how modern espionage increasingly relies on deception rather than technical exploits. Recent investigations by German authorities point to a large-scale phishing campaign conducted via the Signal messaging platform, with strong suspicions of Russian involvement.

According to multiple reports [1, 2, 3], the campaign targeted high-profile individuals, including German politicians, ministers, military personnel, diplomats, and journalists. German prosecutors have launched an investigation into what they believe may be a coordinated espionage effort, with early evidence suggesting a state-sponsored actor.

The attack did not rely on malware or vulnerabilities in Signal itself. Instead, it exploited human trust—arguably the weakest link in cybersecurity. Victims were approached through messages impersonating official Signal support or trusted contacts, prompting them to share authentication codes, scan malicious QR codes, or click on crafted links. Once compromised, attackers gained access to private chats, contact lists, and potentially sensitive political discussions.

One of the most notable targets was Julia Klöckner, whose account was reportedly compromised through a phishing attempt embedded in what appeared to be a legitimate group chat linked to her political party. The operation also attempted to target German Chancellor Friedrich Merz, although no compromise was confirmed in that case.

Authorities estimate that hundreds of accounts may have been affected. While Berlin has not formally attributed the campaign, intelligence sources increasingly point toward Russian involvement, consistent with a broader pattern of cyber activities aimed at European democracies.

“The German government suspects Russia is behind a series of phishing attacks on Signal targeting high-ranking politicians, including two government ministers, military personnel and journalists, a government spokesperson said.

“Federal prosecutors have been conducting a preliminary investigation since mid-February 2026 into alleged cyberattacks on Signal accounts, a spokesperson for the federal prosecutors confirmed on Saturday. Among other things, the investigation involves an initial suspicion of espionage, she added, without specifying which country might be involved.” reads the report published by the Associated Press.

“The German government has still not officially attributed the attacks to Russia.”

This incident is not isolated. Over the past decade, Western intelligence agencies have repeatedly linked Russian state-backed groups to cyber espionage and influence operations targeting political institutions. These activities are part of a broader strategy often described as “hybrid warfare,” where cyber operations, disinformation, and psychological tactics are combined to achieve geopolitical objectives without direct military confrontation.

Security experts stress that what makes this campaign particularly concerning is its simplicity and effectiveness. Instead of exploiting software flaws, attackers leveraged legitimate platform features and social engineering techniques. This approach allows them to bypass many traditional security controls and remain largely undetected.

“We are witnessing a new phase of hybrid warfare, where attackers don’t need to break encryption—they just trick the user. The human factor has become the primary attack surface.”

“Targeting secure messaging platforms like Signal demonstrates how threat actors adapt quickly to changing communication habits. When politicians and officials move to more secure platforms, adversaries follow them. The battlefield is no longer the infrastructure, but the user.”

Another critical aspect is the potential impact. Access to private conversations between political leaders, policymakers, and diplomats can provide strategic intelligence, enable blackmail, or support disinformation campaigns. Even limited breaches can undermine trust in secure communication tools and institutions.

German authorities, including the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI), have already issued warnings about similar tactics earlier this year. They highlighted that such campaigns are likely ongoing and could expand to other platforms like WhatsApp or Telegram.

The broader implication is clear: cybersecurity is no longer just a technical issue but a geopolitical one. As digital communication becomes central to governance, diplomacy, and decision-making, it also becomes a primary target for intelligence operations.

This campaign serves as a reminder that even the most secure technologies cannot protect against deception if users are not adequately trained and aware. In today’s threat landscape, resilience depends not only on encryption and infrastructure but also on human vigilance.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – German officials, Bundestag)


From clinics to government: UAC-0247 expands cyber campaign across Ukraine

16 April 2026, 06:36

CERT-UA reports UAC-0247 targeting Ukrainian clinics and government bodies with malware stealing data from Chromium browsers and WhatsApp.

CERT-UA has revealed a cyber campaign by the threat actor UAC-0247 targeting Ukrainian government entities and municipal healthcare facilities, including clinics and emergency hospitals. The operation, conducted between March and April 2026, used malware designed to steal sensitive data from Chromium-based browsers and WhatsApp. The origin of the threat actor remains unclear, raising concerns about ongoing espionage risks.

The attack begins with a phishing email posing as a humanitarian aid proposal, prompting the victim to click a link. To appear credible, attackers may use AI-generated fake websites or exploit legitimate sites vulnerable to XSS attacks.

Clicking the link downloads an archive containing a shortcut file that triggers an HTA execution chain. This retrieves a remote HTA file showing a decoy form while silently launching an EXE via a scheduled task.

The malware injects shellcode into legitimate processes like RuntimeBroker.exe. Recent variants use a two-stage loader with a custom executable format, delivering a compressed and encrypted payload. A reverse shell, often similar to RAVENSHELL, establishes a TCP connection with the command server, encrypts traffic via XOR, and executes commands.

“A typical TCP reverse shell or an analogue classified as RAVENSHELL can be used as stagers, which provides for establishing a TCP connection with the management server, encrypting traffic using 9-byte XOR (key: “01 01 02 03 74 15 04 FF EE”; during the first connection, an XOR-encrypted message “Connected!” is transmitted), as well as executing commands using CMD.” reads the report published by CERT-UA.
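As an added illustration (not code from CERT-UA's report or from this article), the following detector is built only from the two facts the quote states: a repeating 9-byte XOR key and a first message of "Connected!" after the TCP connection is made. Because a capture may start anywhere in the stream, it enumerates all nine key phases into fixed byte signatures (usable in an IDS content rule) and decodes any flow that carries the beacon; the function names and sample flows are constructed for this example.

```python
"""Detect the XOR-encrypted "Connected!" beacon of the RAVENSHELL-style stager.

Added example; not code from CERT-UA or Security Affairs. Only the key and the
marker string come from the report; everything else is constructed here.
"""
from typing import Optional

# The 9-byte key quoted in the CERT-UA report: 01 01 02 03 74 15 04 FF EE.
XOR_KEY = bytes.fromhex("01010203741504ffee")
# First message the stager sends after connecting, per the report.
BEACON = b"Connected!"


def xor_with_key(data: bytes, key: bytes = XOR_KEY, phase: int = 0) -> bytes:
    """XOR `data` against a repeating `key`, starting at key[phase].

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    klen = len(key)
    return bytes(b ^ key[(i + phase) % klen] for i, b in enumerate(data))


def beacon_signatures(key: bytes = XOR_KEY, marker: bytes = BEACON) -> dict:
    """All on-the-wire encodings of the marker, one per key phase.

    The key position under the first byte of the marker is unknown in a
    capture, but with a 9-byte key there are only 9 possibilities.
    """
    return {phase: xor_with_key(marker, key, phase) for phase in range(len(key))}


def find_beacon(payload: bytes, key: bytes = XOR_KEY, marker: bytes = BEACON):
    """Locate the encoded marker in a TCP payload.

    Returns (offset, start_phase): `offset` is where the marker begins and
    `start_phase` is the key index that lines up with payload[0], which is
    what is needed to decrypt the whole payload. Returns None if absent.
    """
    klen = len(key)
    for phase, sig in beacon_signatures(key, marker).items():
        offset = payload.find(sig)
        if offset != -1:
            # Byte `offset` was encrypted with key[phase]; walk back to byte 0.
            return offset, (phase - offset) % klen
    return None


def decode_payload(payload: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Decrypt a payload if it carries the beacon, else None."""
    hit = find_beacon(payload, key)
    if hit is None:
        return None
    _, start_phase = hit
    return xor_with_key(payload, key, start_phase)


def scan_flows(flows: dict) -> dict:
    """Map flow name -> decoded plaintext for every flow carrying the beacon."""
    hits = {}
    for name, payload in flows.items():
        plain = decode_payload(payload)
        if plain is not None:
            hits[name] = plain
    return hits


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = {
    # Full session seen from its first byte: beacon, then a CMD command.
    "flow_full": xor_with_key(b"Connected!whoami\r\n"),
    # Capture that began 3 bytes into an in-progress stream, so the key
    # phase under the first captured byte is 3, not 0.
    "flow_midstream": xor_with_key(b"xyzConnected!")[3:],
    # Ordinary cleartext HTTP; must not match.
    "flow_http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


if __name__ == "__main__":
    for phase, sig in beacon_signatures().items():
        print(f"phase {phase}: {sig.hex()}")
    for name, plain in scan_flows(SAMPLE_FLOWS).items():
        print(f"{name}: {plain!r}")
```

Phase 0 of the marker encodes to 42 6e 6c 6d 11 76 70 9a 8a 20; the high bytes produced by the FF and EE key bytes make each signature a poor match for ASCII protocols, which keeps false positives low.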

For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.

AGINGFLY is a C# malware used to remotely control infected computers. It can run commands, download files, take screenshots, log keystrokes, and execute code. It communicates with its control server via encrypted web sockets using AES-CBC. Unlike typical malware, it doesn’t store command functions locally; instead, it downloads them from the server and compiles them on the fly, making it more flexible and harder to detect.

CERT-UA experts analyzed multiple incidents, discovering that attackers stole credentials from browsers using CHROMELEVATOR and from WhatsApp via ZAPIXDESK, while also conducting reconnaissance and lateral movement within networks. They employ subnet scanners and tools like RUSTSCAN, and create covert tunnels using LIGOLO-NG and CHISEL. In one case, an XMRIG miner was deployed via a modified WIREGUARD executable. Targets include Ukrainian Defense personnel, with malware spread through a fake “BACHU” tool shared on Signal, leveraging DLL side-loading to deploy AGINGFLY.

“To reduce the likelihood of a cyberthreat, it is enough to limit the launch of LNK, HTA, and JS files, as well as legitimate utilities mshta.exe, powershell.exe, and wscript.exe, the necessity of which has been repeatedly emphasized in the context of reducing the attack surface by using standard operating system protection mechanisms.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, CERT-UA)

Russia-linked APT28 uses PRISMEX to infiltrate Ukraine and allied infrastructure with advanced tactics

8 April 2026, 17:23

APT28 targets Ukraine and allies with PRISMEX malware, using stealthy techniques for espionage and command-and-control.

Russia-linked group APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) is running a spear-phishing campaign against Ukraine and its allies, deploying a new malware suite called PRISMEX. Active since September 2025, the campaign uses advanced stealth techniques like steganography and COM hijacking, and targets defense systems and aid infrastructure to support long-running espionage operations.

The Russian cyber espionage group remains highly aggressive, quickly weaponizing newly disclosed flaws like CVE-2026-21509 to target government, military, and critical infrastructure in Central and Eastern Europe. Its latest campaign uses the PRISMEX malware suite, combining a dropper, loader, and implant based on the Covenant framework to enable stealthy, fileless attacks and encrypted command-and-control.

The operation shows advanced preparation and links to past activity, focusing on Ukraine’s defense supply chain, including allies, transport, and aid networks. Researchers believe this marks an evolution of the NotDoor ecosystem, expanding capabilities for rapid exploitation and long-term espionage.

The attack chain starts with spear-phishing emails themed around military training, weather alerts, or weapon smuggling. Victims who open the attached RTF file trigger exploitation of CVE-2026-21509, which bypasses security controls and forces the system to connect to an attacker-controlled WebDAV server. This automatically retrieves and executes a malicious LNK file without further user interaction.

The LNK file may then exploit CVE-2026-21513 to bypass browser protections and execute code silently, downloading additional payloads. This suggests a possible two-stage attack chain designed for stealth and reliability.

“TrendAI™ Research has tracked Pawn Storm’s activities across three distinct but interconnected campaigns, each building upon its previous infrastructure and tooling.” reads the report published by Trend Micro. “The timeline of this campaign indicates advanced knowledge of multiple vulnerabilities: 

  • CVE-2026-21509: Domain registration for WebDAV servers began on January 12, 2026, exactly two weeks prior to the public disclosure on January 26. 
  • CVE-2026-21513: The LNK exploit sample appeared on VirusTotal on January 30, 2026, while Microsoft’s patch was not released until February 10, 2026. This 11-day gap confirms zero-day exploitation in the wild.

This pattern suggests Pawn Storm had access to vulnerability details ahead of public disclosure.” 

From there, the infection can follow different paths, including deployment of the PRISMEX malware suite. PRISMEX components, such as PrismexSheet, PrismexDrop, PrismexLoader, and PrismexStager, use techniques like steganography, COM hijacking, and abuse of cloud services for command-and-control. These methods enable fileless execution, persistence, and evasion of modern security tools, allowing attackers to maintain long-term access and conduct espionage operations.

The researchers detailed decoy documents and targeting, such as malicious Excel files that show realistic decoy content once macros are enabled, including Ukrainian drone inventories, supplier price lists, and military logistics forms.

These themes clearly target Ukrainian drone units and logistics staff. The upload data suggests victims across key regions like Kyiv and Kharkiv, indicating a focus on both frontline and command structures.

PrismexDrop is a native dropper that prepares the system by decrypting payloads, dropping files, and ensuring persistence via COM hijacking and a scheduled task that restarts explorer.exe. This allows the malware to run within a trusted process, improving stealth and reliability.

PrismexLoader is a loader that acts as a proxy DLL, executing malicious code while mimicking legitimate system behavior. It uses a custom “Bit Plane Round Robin” steganography method to extract hidden payloads from images, spreading data across the file to evade detection. The payload is then executed entirely in memory using .NET runtime loading, leaving minimal traces on disk.

The final component, PrismexStager, connects to command-and-control servers via Filen.io cloud services. This helps attackers blend malicious traffic with normal encrypted communications, making detection harder while enabling data exfiltration and remote control.

“The payload extracted from the image is the Covenant Grunt Stager, which we have internally tracked as PrismexStager. This is a .NET assembly responsible for C&C and executing further tasks from the Covenant framework. It is heavily obfuscated with randomized function names to hinder static analysis.” states the report. “The malware abuses the legitimate end-to-end encrypted cloud storage service Filen.io for C&C communications. By leveraging this trusted service, the malicious traffic blends in with normal encrypted web traffic, effectively bypassing reputation-based filtering and firewall rules.”

The campaign shows a clear strategy: disrupt Ukraine’s supply chain and operational planning, while extending access to NATO-linked logistics. Targets include the Ukrainian government, defense, emergency services, and hydrometeorology, critical for drone and artillery operations, as well as hubs in Poland, Romania, Slovakia, and others supporting military aid flows.

TrendAI attributes the activity to the APT28 group with high confidence, based on consistent tools, infrastructure, and behavior. Unique elements like the custom steganography method, MiniDoor/NotDoor malware lineage, use of Covenant, and COM hijacking reinforce this link, along with reused infrastructure and rapid exploitation of vulnerabilities.

The operation reflects a shift toward tactical disruption rather than pure espionage. By targeting weather data, transport networks, and aid organizations, attackers aim to map and potentially sabotage support to Ukraine. The presence of destructive capabilities alongside espionage tools highlights the dual-use nature of the campaign, enabling both intelligence gathering and potential disruptive attacks aligned with military objectives.

“The technical links between the PRISMEX components and previous campaigns demonstrate the threat actor’s continuous development cycle and modular approach to capability building. Organizations in the targeted geographic and industry sectors should consider themselves at elevated risk and implement the countermeasures detailed above immediately.” concludes the report. “The use of newly disclosed vulnerabilities and legitimate cloud services makes detection challenging. Defenders must adopt an ‘assume breach’ mentality and focus on behavioral anomalies rather than just static indicators.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT28)

‘Snoopy’, ‘Adolf’ and ‘Password’: The Hungarian Government Passwords Exposed Online

9 April 2026, 09:25

Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work.

A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad. 

Among those affected were a senior military officer responsible for information security, a counter terrorism coordinator in the foreign affairs department, and an employee whose role was to identify hybrid threats against the country.

The revelations come as Hungarians head to the polls this Sunday to decide if Viktor Orbán, leader of the right-wing populist party Fidesz and the country’s longest-serving prime minister, will be elected to a fifth consecutive term.

This is not the first time that deficiencies in the Hungarian government’s IT security have been revealed. In 2022, ahead of Hungary’s last election, Direkt36 reported that Russia’s intelligence services had gained access to the computer network of the Hungarian foreign ministry, including its internal communications channels.

It said Russian cyber attacks against the Hungarian government had been occurring for at least a decade and extended to the foreign ministry’s encrypted network for transmitting classified data and confidential diplomatic documents.

At the time, the foreign ministry denied it had been hacked. But in 2024, news outlet 444 published a letter that had been sent from Hungary’s National Security Service to the foreign ministry six months before the cyberattack was first reported. The letter linked the attacks to Russia and described more than 4,000 workstations and 930 servers as “unreliable”.

As part of this new analysis, Bellingcat identified a total of 795 unique email and password combinations among thousands of search results for Hungarian government domains in breach databases. Key departments that handle the country’s governance, defence, foreign affairs and finances were the worst affected.

The analysis does not include central government agencies that operate under the government’s official ministries and use separate domains, such as the tax and customs administration or the police – meaning breaches affecting government employees could be even more widespread.

The findings are not evidence of high-tech infiltration of Hungarian government systems. Instead, our analysis indicates that the breaches are more likely the result of poor digital hygiene. In many cases, staff used simple passwords along with their government email addresses for what appear to be non-work-related matters, such as signing up to dating, music, sport and food websites.

Some government workers used easy-to-guess passwords such as variations of the word “Password” or the number sequence “1234567”. One employee whose credentials were exposed in the 2012 LinkedIn hack used the password “linkedinlinkedin”. Another, in the defence ministry, used their surname. One leaked password from an employee in the foreign affairs ministry was “embassy13hungary”. 

Multiple breaches also contained phone numbers, addresses, dates of birth, usernames and IP addresses – data that, when exposed, could pose security risks.  

Additionally, a search of breach databases showed instances where computers have been infected with malware designed to steal login credentials. These records show that 97 machines across Hungarian government departments had been compromised, with stealer logs from as recently as last month found in the data.

Bellingcat contacted the Hungarian government’s spokesperson and the Prime Minister’s office, but did not receive a response.

The Weakest Link: Searching Breach Data

Breach databases are large collections of credentials harvested from previous cyber incidents. These databases can be searched by domain to identify email addresses belonging to a specific organisation, company or government. 

Darkside allows users to search a repository of breach data from the clear and dark web.

Bellingcat used Darkside, a paid service by District 4 Labs, to search the main email domains assigned to each of the Hungarian government’s 13 ministries. 

In total, 795 breaches containing government emails and associated passwords were identified. But most – 641 breaches – were linked to just four central institutions. 

In the examples detailed below, staff have been anonymised. However, Bellingcat has confirmed these accounts are genuine by cross-checking the employees named in the breaches against media reports and online profiles, such as LinkedIn.  

Ministry of Interior – this “super-ministry” oversees everything from health and education to the police, immigration, disaster management and local government 

Bellingcat identified 170 sets of emails and passwords linked to the domain used by the ministry in charge of domestic affairs. Passwords used by staff in this department included “Arsenal” and “Paprika”. Some used passwords that contained only three or four letters. We traced these accounts to professional profiles and government web pages listing both junior and senior staff.

One senior official in the prison service used the password “adolf”. After it appeared in breach databases the password was changed twice – first to a five-digit number and then to what appeared to be the name for a pet dog. The passwords were subsequently breached again. Bellingcat identified this employee through several instances of their name and email address being listed on public-facing documentation, including a press release celebrating an award for outstanding professional work.  

Ministry of Defence – responsible for national defence policy and directing the country’s defence forces

The credentials of staff working for the Ministry of Defence were found in 120 compromised records. This includes a 2023 breach of NATO’s eLearning services which resulted in 42 records containing emails, passwords and phone numbers becoming public.

The breaches peaked in 2021 but continued up to 2026. Included in the data were stealer logs, indicating that machines within the department may have been infected. 

Military personnel from junior ranks to command positions were identified. A Brigadier General used a common six letter nickname, based on his own, to sign up to a film festival. A Colonel specialising in “information security” took inspiration from an English football manager for his password: “FrankLampard”. A district director used the password “123456aA”, while a high-ranking member of Hungary’s delegation to NATO used a password that translates in English to “cute”. 

Ministry of Foreign Affairs and Trade – responsible for international relations; Hungarian embassies and consulates operate under the direction of the department

The credentials of current and former foreign affairs personnel have been exposed in dozens of data breaches from 2011 to February 2026. In total, there were 107 email and password combinations linked to this government ministry. 

Among the staff affected was a deputy head of mission, consuls, diplomats and communications personnel posted in Europe, the Americas and the Middle East. These include a counter terrorism coordinator, an EU spokesperson, and an individual whose role was to identify hybrid threats to Hungary.

Although the breaches peaked in 2020, with emails being found in 42 separate breaches indexed by Darkside, MFA emails have been circulated, often with passwords, in 36 separate breaches since the beginning of 2024. The most recent breaches were in 2026.  

Simple passwords appear to have left Hungary’s foreign affairs ministry vulnerable. In some cases, employees used a password that consisted of their own name and a two digit number. Others appeared to take inspiration from pop culture: “porsche911”, “frogger” and “Batman2013” are examples of real passwords used by staff.

Ministry of National Economy – oversees economic policy and financial strategy, including budget preparation and reducing national debt

Bellingcat’s analysis shows that staff in the Ministry for National Economy suffered 99 breaches. The Ministry of Finance, which was merged into this department in 2025, had suffered 145 breaches.

Among the breached data were the credentials of a deputy state secretary, who used the password “snoopy”. Other staff members used their date of birth or the word “Jelszo” – the Hungarian word for password.

A senior advisor who currently works in the ministry had their credentials breached four times using four different passwords, including “Kurvaanyad1” (roughly translated to “your mother is a wh**e”).

Cybersecurity Not Taken Seriously

Szabolcs Dull, a political analyst and the former editor-in-chief of the independent Hungarian news websites Index and Telex, said the government had failed to prioritise data security. 

“It’s clear from the data breaches that have come to light that government agencies did not take data security seriously,” he said. 

“This suspicion arose even when Russian hackers breached the foreign ministry’s IT system. That is why I believe Hungarian politicians and the public will interpret this new information as a continuation and confirmation of the Russian hacking story.”

Dull added that he was not aware of any investigation having been launched following the 2022 revelations of the Russian hack.

Kata Kincső Bárdos, a cybersecurity expert in Hungary, said it was difficult to understand why stricter controls would not be consistently enforced in government environments handling sensitive data.

She said governments should not only apply baseline rules for passwords – such as that staff use long, unique passwords and multi-factor authentication (MFA) – but also continuously monitor for compromised credentials and suspicious access patterns.

“Without MFA, systems become significantly more vulnerable to common attack methods such as phishing and credential stuffing,” she said. “A single compromised password can provide immediate access to internal systems.” 

Bárdos added that unauthorised access to government systems should automatically trigger incident response procedures, investigation and containment measures.

“It is also important to note that targeting lower-level employees is a well-documented and common tactic,” she said. “Attackers frequently gain initial access through phishing or weak credentials and then move laterally within systems.”


Bellingcat’s Ross Higgins and investigative journalist Eva Vajda contributed to this article.




Major outage cripples Russian banking apps and metro payments nationwide

7 April 2026, 10:57

A major outage hit Russian banking apps and payments, blocking card use, cash withdrawals, and mobile access for hours.

A widespread outage disrupted banking apps and payment systems across Russia, leaving customers unable to pay by card, withdraw cash, or access mobile banking for hours. According to The Record Media, the incident affected major banks, including Sberbank, VTB, Alfa-Bank, T-Bank, and Gazprombank, and impacted multiple regions, including Moscow.

“The combined client base of VTB, Sberbank, T-Bank, and Alfa-Bank amounts to tens of millions of people across the country. Apparently, the scale of the outage is colossal and affects most regions of Russia. Complaints number in the thousands.” reported the Russian website CNews. “For example, in just one hour, more than 3,300 complaints were filed about a Sberbank outage. Over the past 12 hours, 35% of complaints came from Moscow, 8% each from St. Petersburg and the Sverdlovsk region, and 7% and 5% from the Novosibirsk and Chelyabinsk regions.”

Russian banking apps outage (source: CNews)

Media say the outage comes as Russia tightens internet control, restricting apps and cracking down on VPN use.

“Russia’s major banks faced large-scale disruptions to their electronic services on April 3, according to online tracking data and customer reports.” reports Kyiv Independent. “The outage comes as the Russian government has increasingly tightened control over internet access in the country, imposing restrictions on popular apps and seeking to clamp down on the use of virtual private networks (VPNs).”

A temporary outage on April 3 affected Sberbank and spread to other major banks, including VTB Bank and T-Bank. Starting around 10 a.m. Moscow time, customers faced issues with mobile apps, transfers, and ATM withdrawals, forcing many businesses to accept only cash and causing long lines across cities.

Russia’s National Payment Card System said the disruption was due to a technical failure at one bank and did not affect funds. Reports from Kommersant linked it to a Sberbank glitch, possibly worsened by VPN use, shortly after plans to curb VPNs.

“The mass outage comes less than a week after Russia’s Digital Development Minister Maksut Shadayev said on March 30 that the government will work to “reduce the use of VPNs” — one of the few remaining ways for Russian citizens to bypass online censorship.” continues the Kyiv Independent. “Shadayev reportedly asked telecom operators and digital platforms to introduce fees and block users for using VPN services following an order by Russian President Vladimir Putin.”

Local security experts speculate that blocking VPNs likely contributed to the April 3 banking outage, describing it as possible “friendly fire” in comments to Kommersant. Russian authorities have steadily tightened online censorship since the war in Ukraine began, with restrictions accelerating in recent months. In early March, the Kremlin introduced a whitelist system allowing access only to selected, mostly pro-government sites during mobile internet outages. Internet shutdowns have become more frequent, officially justified as security measures against Ukrainian drone attacks.

The Record Media also reported that the outage impacted public transport, with Moscow metro and suburban train turnstiles unable to accept cards, forcing staff to let passengers pass for free to avoid crowding.

By Monday, reports had largely vanished from many sites. Independent media said the Russian Internet watchdog Roskomnadzor ordered outlets to remove content linking the banking outage to its VPN-blocking efforts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russian banking apps)

  • ✇Cybersecurity News
  • Apple Severs All Payment Processing in Russia Following Government Mandates Ddos
  • ✇Security Affairs
  • Threat actor UAC-0255 impersonates CERT-UA to spread AGEWHEEZE malware via phishing Pierluigi Paganini

Threat actor UAC-0255 impersonates CERT-UA to spread AGEWHEEZE malware via phishing

April 2, 2026, 11:02

Threat actors impersonated CERT-UA to send phishing emails with AGEWHEEZE malware, tricking victims into installing a fake “security tool.”

A threat actor, tracked as UAC-0255, impersonated CERT-UA in a phishing campaign, sending emails to about 1 million users. The messages urged victims to download a password-protected archive from Files.fm and install a fake “specialized software,” which actually deployed the AGEWHEEZE remote access tool, giving attackers control over infected systems.

“The National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA recorded cases of distribution of emails allegedly on behalf of CERT-UA on March 26-27, 2026, urging people to download a password-protected archive (“CERT_UA_protection_tool.zip”, “protection_tool.zip”) from the Files.fm service and install “specialized software.”” reads the advisory published by CERT-UA. “It was found that the executable file that was offered to be installed (internal package name: “/example.com/tvisor/agent”) is a multifunctional software tool for remote computer control, classified by CERT-UA as AGEWHEEZE.”

AGEWHEEZE supports command execution, file management, screen capture, input control, and process/service management. It ensures persistence via registry, startup, or scheduled tasks, installing itself in AppData paths. The malware communicates with its server via WebSockets and can also steal clipboard data, run commands, and control system actions.
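A defender-side triage check for the persistence locations just listed, added here as an example (it is not code from CERT-UA or from the article): it walks the Run/RunOnce keys, the Startup folders and the scheduled tasks of a Windows host and flags any entry whose command resolves under an AppData path. The "\AppData\" match pattern and the output fields are this example's own assumptions.

```powershell
# Added hunting example (not CERT-UA's code): enumerate the three persistence
# locations named in the advisory and flag entries that execute from AppData.
# Assumption: matching on "\AppData\" in the expanded command is a coarse
# triage filter; every hit still needs a manual look before acting on it.

function Test-AppDataPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Expand %APPDATA%, %LOCALAPPDATA% etc. so env-var-based paths are caught too
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    return ($expanded -like '*\AppData\*')
}

function Get-AppDataPersistence {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Run / RunOnce registry keys, per-user and machine-wide
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell adds to the object
            if ($prop.Name -like 'PS*') { continue }
            if (Test-AppDataPath $prop.Value) {
                $findings.Add([pscustomobject]@{
                    Source  = "Registry $key"
                    Name    = $prop.Name
                    Command = $prop.Value
                })
            }
        }
    }

    # 2. Startup folders (current user and all users); resolve .lnk targets
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($item in Get-ChildItem -Path $dir -File) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $link = $shell.CreateShortcut($item.FullName)
                $target = "$($link.TargetPath) $($link.Arguments)"
            }
            if (Test-AppDataPath $target) {
                $findings.Add([pscustomobject]@{
                    Source  = "Startup $dir"
                    Name    = $item.Name
                    Command = $target
                })
            }
        }
    }

    # 3. Scheduled tasks whose action executes from AppData
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Non-exec actions have no Execute property; they expand to an empty string
            $cmd = "$($action.Execute) $($action.Arguments)"
            if (Test-AppDataPath $cmd) {
                $findings.Add([pscustomobject]@{
                    Source  = "Task $($task.TaskPath)"
                    Name    = $task.TaskName
                    Command = $cmd
                })
            }
        }
    }

    return $findings
}

Get-AppDataPersistence | Format-Table -AutoSize
```

Legitimate software (updaters, chat clients) also lives under AppData, so the list is a starting point for review, not a verdict.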

The campaign targeted government organizations, medical centers, security companies, educational institutions, financial institutions, software development companies, and others.

The attackers created a fake website (cert-ua[.]tech) mimicking the real CERT-UA site to spread the fake “security tool” that is actually AGEWHEEZE malware. The tool allows remote control of infected systems. CERT-UA experts state that the command server is hosted on OVH infrastructure and includes a login page (“The Cult”) with Russian-language elements, suggesting the attackers’ origin or links.

The fake site cert-ua[.]tech includes links to a Telegram channel claiming responsibility for the attack, confirming attribution to UAC-0255.

The fake site was likely AI-generated and included references to “CYBER SERP,” a group active since late 2025, claiming responsibility. The group says it sent phishing emails to 1 million users and infected over 200,000 devices, though this is unverified.

The campaign had a limited impact, infecting only a few devices in educational institutions. CERT-UA experts helped contain it. The case shows how AI can make cyberattacks easier, and highlights the need to reduce attack surfaces and use security tools like AppLocker and system protections.

Authorities thanked Ukrainian telecom providers for supporting cyber defense efforts and sharing threat information. They also warned that AI is making attacks easier, urging organizations to reduce attack surfaces and strengthen security using system protections and dedicated tools.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

  • ✇Schneier on Security
  • Possible US Government iPhone Hacking Tool Leaked Bruce Schneier

Possible US Government iPhone Hacking Tool Leaked

April 2, 2026, 07:05

Wired writes (alternate source):

Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it visits a website containing the exploitation code. In total, Coruna takes advantage of 23 distinct vulnerabilities in iOS, a rare collection of hacking components that suggests it was created by a well-resourced, likely state-sponsored group of hackers.

[…]

Coruna’s code also appears to have been originally written by English-speaking coders, notes iVerify’s cofounder Rocky Cole. “It’s highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government,” Cole tells WIRED. “This is the first example we’ve seen of very likely US government tools, based on what the code is telling us, spinning out of control and being used by both our adversaries and cybercriminal groups.”

TechCrunch reports that Coruna is definitely of US origin:

Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company’s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company’s iPhone hacking tools. Both spoke on condition of anonymity because they weren’t authorized to talk about their work for the company.

It’s always super interesting to see what malware looks like when it’s created through a professional software development process. And the TechCrunch article has some speculation as to how the US lost control of it. It seems that an employee of L3Harris’s surveillance tech division, Trenchant, sold it to the Russian government.

  • ✇Firewall Daily – The Cyber Express
  • Latvia Warns of Disinformation Campaign Targeting Baltic States Samiksha Jain

Latvia Warns of Disinformation Campaign Targeting Baltic States

March 30, 2026, 05:08

[Image: Russian information operation]

Latvia’s Ministry of Defence has warned that a Russian information operation is currently targeting the Baltic States, with false claims that Latvia, Lithuania, and Estonia are supporting Ukrainian attacks against Russia. In a statement, the Ministry said the allegations are incorrect and that the Baltic States are not involved in planning or carrying out Ukraine’s counterattacks. Officials reiterated that their support to Ukraine is limited to military equipment, humanitarian aid, and financial assistance, in line with international commitments. The Ministry said the Russian information operation is part of a broader effort to discredit NATO, weaken public trust in state institutions, and reduce support for Ukraine across the region.

Russian Information Operation Targets Baltic Societies

According to Latvian authorities, the campaign involves coordinated disinformation efforts, including the use of social media bots and targeted messaging. The operation is said to focus on Russian-speaking communities and younger audiences. Officials stated that such narratives are being amplified to create confusion and division within Baltic societies. The warning comes amid heightened concerns over hybrid threats in the region, including cyberattacks and influence operations linked to Russia.

[Image: Russian Information Operation Targets Baltic Societies. Image source: Ministry of Defence of Latvia]

Ukrainian Drone Incidents Used to Amplify Claims

The Russian information operation follows recent reports of Ukrainian drones entering Baltic airspace during large-scale attacks on Russian infrastructure. Authorities in Latvia and Estonia confirmed that two drones entered their airspace earlier this week via Russia. One drone reportedly struck a chimney at a power station near the Estonian border, while another crash-landed. Lithuania also reported a separate incident where a drone fell into a frozen lake. Officials said there were no casualties or significant damage from these incidents. The drones are believed to have been part of a broader Ukrainian operation targeting Russian oil facilities, including ports along the Baltic Sea.

No Direct Involvement by Baltic States

Latvian authorities stressed that the Russian information operation is attempting to link these drone incidents to alleged Baltic involvement, which they deny. The Ministry noted that Ukraine has the right to defend itself against Russia’s invasion and that Baltic support does not extend to operational involvement in military actions. Officials also suggested that such claims are intended to divert attention from Russia’s own challenges in countering Ukrainian strikes.

[Image: Russian Information Operation Targets Baltics. Image source: Ministry of Defence of Latvia]

Growing Focus on Hybrid Threats

The latest warning adds to ongoing concerns about hybrid activities in the Baltic region. Earlier this year, Latvian security services reported that cyberattacks and sabotage operations linked to Russia remain a significant threat. Officials have also indicated that Russia’s perception of Latvia is becoming more confrontational, drawing comparisons to its stance toward Ukraine prior to the 2022 invasion. While no immediate military threat has been identified, authorities say information operations remain a key tool being used to influence public opinion and destabilize the region.

Monitoring and Response Ongoing

Latvia’s Ministry of Defence said it continues to monitor the Russian information operation and assess its impact across the Baltic States. The government has urged vigilance against disinformation and reiterated its commitment to supporting Ukraine within the framework of international law. The situation remains under observation as authorities track both the spread of false narratives and related security developments in the region.
  • ✇Security Affairs
  • Russia-linked actors target WhatsApp and Signal in phishing campaign Pierluigi Paganini

Russia-linked actors target WhatsApp and Signal in phishing campaign

March 22, 2026, 16:21

Russia-linked actors target WhatsApp and Signal accounts of officials and journalists via phishing, gaining access to messages and contacts.

Threat actors linked to Russian Intelligence Services are running phishing campaigns to hijack high-value accounts on messaging apps like WhatsApp and Signal, the FBI warns.

“The FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal.” FBI Director Kash Patel wrote on X. “The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists.”

The @FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal.

The campaign targets individuals of high intelligence value, including current and former U.S. government officials,…

— FBI Director Kash Patel (@FBIDirectorKash) March 20, 2026

Targets include government officials, military personnel, politicians, and journalists. The attackers do not break app encryption but instead use phishing to gain account access. The attacks have already compromised thousands of accounts worldwide. Once inside, attackers can read messages, access contacts, impersonate victims, and launch further phishing using trusted identities.

Attackers especially target Signal but use similar tactics across other platforms. Users who strengthen their security and stay alert to social engineering attempts can reduce the risk and limit the impact of these attacks.

Russia-linked actors pose as messaging app support accounts and send phishing messages tailored to trick targets. They push users to click links or share verification codes or PINs. When victims comply, attackers gain access by linking their own device or taking over the account entirely. As the campaign evolves, they may also deploy malware to further compromise victims.

“If the user performs any of the requested actions, they unwittingly provide the actors with unauthorized access to their account either by adding the attacker’s device as a linked device or through a full account takeover.” reads a joint Public Service Announcement (PSA) published by CISA and the Federal Bureau of Investigation. “As the campaign evolves, actors may use additional techniques, such as malware to infect the victim.”

[Image: Russia Signal WhatsApp]

Phishing remains a simple but highly effective way to compromise accounts, bypassing protections like end-to-end encryption by targeting users directly. Attackers trick victims into sharing codes or clicking malicious links, gaining full account access.

Users should stay alert: pause if something feels off, never share PINs or 2FA codes, and treat unexpected messages with suspicion, even from known contacts. Always check links before clicking, verify group members, and use built-in security features.

Report suspicious activity quickly to security teams or authorities. Remember that legitimate app support will never ask for codes or send links to “verify” accounts; always use official channels.

Recently, Dutch intelligence agencies (MIVD and AIVD) also warned of a global campaign by Russia-linked threat actors aiming to compromise Signal and WhatsApp accounts. The operation targets government officials, civil servants, and military personnel, highlighting growing cyber risks to sensitive communications among national security actors.

Russian cyber spies are tricking users into revealing verification codes to hijack Signal and WhatsApp accounts. They impersonate Signal Support or exploit the “linked devices” feature, gaining access to messages and chat groups, potentially exposing sensitive information from government and military targets.

Dutch intelligence warned that Russia targets Signal for its strong end-to-end encryption, aiming to access sensitive government communications. Officials stressed that apps like Signal and WhatsApp should not be used for classified or confidential information.

The government experts pointed out that attackers don’t exploit app vulnerabilities but abuse legitimate features of Signal and WhatsApp. Only individual accounts are targeted, not the platforms themselves, officials say.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WhatsApp, Signal)

  • ✇Security Affairs
  • Russia establishes Vienna as key western spy hub targeting NATO Pierluigi Paganini

Russia establishes Vienna as key western spy hub targeting NATO

March 19, 2026, 05:38

Russia uses Vienna as its largest Western spy hub, monitoring NATO and other sensitive communications via diplomatic sites and satellite dishes.

Western intelligence reports that Russia has transformed Vienna into its largest Western spy hub, steadily expanding surveillance over the past two years. Using diplomatic compounds and rooftop satellite clusters, Russia monitors sensitive communications across NATO, the Middle East, and Africa, reviving a major Cold War-era signals intelligence operation, according to the Financial Times.

“This is one of our main concerns,” a senior European diplomat in Vienna told the Financial Times. “They are targeting NATO government and military communications… Vienna is their hub in Europe.”

Western intelligence reports Russia steadily expanding surveillance in Vienna, with moving antennas and rooftop dishes actively tracking satellites, even adjusting them around major events like the Munich Security Conference.

At Vienna’s “Russencity,” a nine-acre Russian compound, satellite dishes track Europe-Africa communications via geostationary satellites, with movable lenses enhancing signal capture. The complex includes residences, a school, and Russia’s UN mission, revealing advanced espionage capabilities.

The most expensive piece of the Cold War that never ended is a building in central Vienna, and it's still on the clock. Russia's "Russencity" compound in Vienna, a nine-acre complex on the Danube, has SIGINT satellite dishes on its rooftops that face West. They reposition… pic.twitter.com/EITk29aaHm

— Lukasz Olejnik (@lukOlejnik) March 17, 2026

“Russencity” houses residences, a school, and the UN mission, topped with satellite dishes mainly pointing west to 18 geostationary satellites. Researchers identified four in use (Eutelsat 3B, 10B, SES-5, and Rascom QAF1) for Europe-Africa communications, with movable lenses allowing wider satellite coverage. Russencity is just one site; others include the embassy, cultural center, a former sanatorium, and upgraded apartments with rooftop equipment. Dating to 1983 under KGB chief Yuri Andropov, the complex was likely built for intelligence work, and Vienna has become a hub for Russian espionage in Europe.

Russia has around 500 diplomats in Vienna, with up to a third likely covert spies; Austria warns that Russian SIGINT stations present a serious security risk.

Austria’s intelligence warns Russian surveillance poses a major risk, but the law limits action to espionage targeting Austria, so authorities avoid expulsions to prevent Moscow retaliation.

“Austria’s intelligence agency (DSN) has warned that Russia’s surveillance capabilities in Vienna pose a ‘significant security risk.’” concludes Kyiv Post. “But Austrian law limits action – espionage is only prosecutable if it targets Austria directly. Authorities have identified individuals running the operations but have avoided expulsions, fearing retaliation from Moscow.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NATO)

  • ✇ASEC BLOG
  • Ransom & Dark Web Issues Week 3, March 2026 ATCP

Ransom & Dark Web Issues Week 3, March 2026

By: ATCP
March 18, 2026, 12:00

ASEC Blog publishes Ransom & Dark Web Issues Week 3, March 2026:
  • New Threat Actor CipherForce Claims Cyberattack on South Korean Job Portal
  • New Threat Actor Loki Emerges, Leaks US Citizens’ Personal Data
  • Cybercrime Forum LeakBase Shut Down Again by Russian Authorities
  • ✇Firewall Daily – The Cyber Express
  • China Sits at the Top of America’s Cyber Threat List Mihir Bagwe

China Sits at the Top of America’s Cyber Threat List

March 19, 2026, 06:59


Just a week after the Stryker wiper attack claimed by the Iranian hacker group Handala made global headlines, the U.S. Intelligence Community says it's China that we should be worried about instead.

The 2026 Annual Threat Assessment, published by the Office of the Director of National Intelligence, named China, Russia, Iran, and North Korea as the four nation-state cyber actors most actively targeting U.S. government, private-sector, and critical infrastructure networks. It does not rank them by severity — it ranks them by role. And the roles are distinct.

China: Pre-Positioned, Patient and Already Inside

The IC's assessment reserves its sharpest language for China. Beijing is the most active and persistent cyber threat to U.S. government, private-sector, and critical infrastructure networks — a designation the report pairs with a specific warning that Chinese cyber actors have already demonstrated the capability to compromise U.S. infrastructure, and they potentially maintain that access not for immediate disruption but for strategic advantage in the event of a conflict.

The distinction matters enormously for defenders. China does not primarily operate as a smash-and-grab actor. It pre-positions — meaning it establishes persistent footholds inside networks months or years before any potential military confrontation, ensuring that if tensions over Taiwan or the South China Sea escalate into open conflict, Beijing can trigger disruptions to U.S. transportation, logistics, and communications systems at a moment of its choosing. The ATA explicitly warns that a conflict over Taiwan would expose the U.S. to significant cyber attacks against its transportation sector.

"If the U.S. were to intervene (in China-Taiwan conflict), it probably would face significant but recoverable disruptions to its transportation sector from Chinese cyber attacks."

China's cyber ambitions also extend far beyond espionage. The report notes that Beijing continues to work to maintain U.S. dependence on sectors where it holds supply chain leverage — critical minerals, energy storage, pharmaceuticals, and unmanned aerial systems — while simultaneously accelerating its own decoupling from U.S. technology in semiconductors and artificial intelligence. The cyber program supports both objectives: stealing what it needs and protecting what it builds.

Russia: Gray Zone Sabotage as Standard Operating Procedure

Russia's cyber posture in the ATA reflects a different strategic logic. Unlike China's long-horizon pre-positioning, it focuses on continuous, deniable harassment of adversaries operating in what the report calls the "gray zone" of geopolitical competition. Russia's toolkit, the IC assesses, includes cyber attacks, disinformation and influence operations, energy market manipulation, military intimidation, and physical sabotage — all deployed beneath the threshold of declared conflict.

Russia has targeted European critical infrastructure with the explicit aim of disrupting the military supply chains that sustain Kyiv. The IC notes that Russia also has advanced counterspace capabilities, hypersonic missiles, and undersea assets designed to negate U.S. military advantages — a portfolio that its cyber operations support through intelligence collection and pre-conflict reconnaissance.

Russia's gray zone doctrine deliberately makes attribution complicated. Moscow hides and denies its role in cyber operations, making it difficult for the U.S. and its allies to justify public responses or trigger alliance commitments. The IC warns this approach will continue, particularly as Russia leverages its partnerships with China, Iran, and North Korea to share capabilities and evade sanctions.

North Korea: A Billion-Dollar Cyber Economy Funding a Weapons Program

North Korea's cyber program occupies a unique category. It functions simultaneously as an intelligence collection tool, a sanctions evasion mechanism, and a weapons financing engine. The IC assesses that Pyongyang's cryptocurrency heists and other financial cybercrimes net at least $1 billion each year, with those proceeds flowing directly into the regime's nuclear and missile programs.

Read: North Korea’s $3 Billion Mystery: UN Probes Cyberattacks Funding Nuclear Program

The report introduces a dimension that defenders increasingly face but rarely discuss publicly: North Korea's growing use of IT workers with falsified credentials to gain employment with unwitting companies. This human insider access approach allows Pyongyang to circumvent the technical defenses that would otherwise block external intrusions, placing a trusted insider inside the network perimeter before any exploit is needed. The IC warns this tactic specifically threatens organizations with stronger defensive measures, because it bypasses the very controls those organizations invested in building.

North Korean cyber actors are also expanding ransomware attacks against U.S. critical infrastructure and businesses — a shift from targeted espionage toward higher-volume, disruptive operations.

Iran: Degraded but Still Dangerous, and Escalating

Iran's cyber posture, the ATA notes, faces significant constraints following the 12-Day War in 2025. The IC characterizes Iran as a threat to U.S. networks primarily through cyber espionage and attacks against poorly defended targets — but couples that assessment with an explicit warning that Iranian proxies and hacktivists outside Iran will pursue cyber-enabled operations against U.S. targets, even if less technically advanced than state-directed campaigns.

The IC noted that a hacking group linked to Iran claimed responsibility on March 11 for wiping 200,000 systems and extracting 50 terabytes of data from a U.S. medical technology company. That company was Stryker, and the attack represented, in the IC's own words, a direct cyber retaliation for U.S. operations against Iran.

Read: Who Is Handala — The Iran-Linked Ghost Group That Just Wiped 200K Stryker Devices

Ransomware: The Non-State Accelerant

Beyond nation-states, the ATA identifies financially and ideologically motivated non-state actors, such as ransomware groups, cybercriminals, and hacktivists, as taking more aggressive cyber attack postures. Ransomware in particular harms U.S. critical infrastructure and business operations, generating operational disruptions, revenue loss, and sensitive data theft at scale. The IC specifically flags a tactical shift: ransomware groups now operate faster and at high volume, which compresses the window security teams have to detect and respond. The implication is that the dwell-time advantage defenders once relied on has narrowed significantly.

AI and Space: Emerging Force Multipliers for Adversaries

The ATA's cyber threat picture cannot be read in isolation from two accelerants the report addresses separately. On artificial intelligence, the IC warns that AI already influences targeting and decision-making in active conflicts, and that China — aiming to displace the U.S. as the global AI leader by 2030 — is driving AI adoption at scale using its talent pool, extensive datasets, government funding, and global partnerships. AI's application to offensive cyber operations, the report notes, holds significant potential to increase the autonomy, speed, and effectiveness of attacks that human operators alone could never sustain at scale.

Also read: European Space Agency Confirms Cybersecurity Breach on External Servers

On space, the IC identifies a growing convergence between cyber risk and satellite infrastructure. Adversaries are using jammers against U.S. satellites, and cyber attacks against satellite communications represent a rising threat as global reliance on digital systems expands the exploitable attack surface. Disruptive attacks against space services have become more common and, the report warns, will likely be normalized during crises or periods of strained relations between nations — a trajectory that places satellite ground systems, communication links, and the commercial constellation operators that power military logistics squarely in the crosshairs of China and Russia's counterspace programs.

  • ✇Security Boulevard
  • Cyberattacks Spike 245% in the Two Weeks After the Start of War With Iran Jeffrey Burt
    Akamai researchers saw a 245% spike in cyberattacks in the first two weeks after the start of the U.S. and Israeli war against Iran as Iranian nation-state groups and independent hacktivists launch increasingly decentralized and destructive cyberattacks, which are expected to increase as long as the kinetic battle continues.