The Indicator — Weekly Threat Intelligence

Weekly Threat Intel
April 11–18, 2026

Published April 18, 2026 | Based on 23 IOC reports | TLP: CLEAR
23 reports analyzed · 980+ IOCs extracted · 4 active zero-days · 4 Iran-nexus reports · 2 APT28 campaigns
Key Takeaways for Security Professionals
  • Iran’s cyber apparatus is consolidating. DomainTools’ MOIS ecosystem report ties Handala, Homeland Justice, and Karma to a single Ministry of Intelligence hub — the same week Handala claimed destruction of 6 PB of GCC data and Iran-nexus actors password-sprayed Israeli and UAE M365 tenants.
  • Patch FortiGate, Adobe Acrobat, TrueConf, and Office immediately. Four zero-days were confirmed under active exploitation this week, three by state-aligned actors.
  • APT28 is hitting the network edge and the endpoint simultaneously. A 189-IOC SOHO router DNS-hijacking campaign (CVE-2023-50224) runs in parallel with a 174-IOC PRISMEX zero-day chain targeting Ukraine and NATO.
  • ClickFix has a new cousin — BlobPhish. Attackers now generate fake login pages entirely client-side using browser blob objects, bypassing URL-based phishing detection.
  • Workflow automation is the new C2. Threat actors are weaponizing n8n webhooks, Heroku dyno URLs, and Solana RPC endpoints as living-off-the-SaaS command infrastructure.
  • GlassWorm isn’t done. A second wave hit Open VSX and VS Code extensions with runtime-rebuilt loaders pulling staged payloads from Solana blockchain RPCs — review your IDE extension inventory.
  • OT/ICS remains exposed. CyberAv3ngers continued exploiting CVE-2021-22681 on U.S. Rockwell PLCs — a five-year-old bug still yielding initial access against critical infrastructure.
This week’s intelligence was defined by convergence. DomainTools published a long-awaited mapping of Iran’s MOIS-linked cyber influence ecosystem just as one of its persona fronts — Handala — claimed responsibility for destroying 6 petabytes of Gulf infrastructure data. APT28 opened two new fronts with a router-hijacking campaign and a dual zero-day exploit chain. Four actively exploited zero-days surfaced across edge appliances, PDF readers, and video conferencing clients. And a second wave of GlassWorm infections hit developer IDEs while threat actors found a new favorite C2 platform: n8n workflow automation.
01 — TOP STORY

The Iran Convergence: MOIS Ecosystem, Handala Wipers, and Password Spray

Four separate reports this week illuminated different facets of a single picture: Iran’s Ministry of Intelligence and Security is running a coordinated cyber influence and sabotage operation that blurs the lines between hacktivism, espionage, and destructive attack.

Iran — MOIS Mapping

DomainTools Ties Handala, Homeland Justice, Karma to MOIS

DomainTools Investigations published an extensive analysis of the Iran-linked “Moist Grasshopper” (also tracked as Banished Kitten) ecosystem, tying three high-profile “hacktivist” personas — Homeland Justice, Karma (Karmabelow80), and Handala — to coordinated MOIS-directed operations. DTI describes the personas as “interchangeable operational veneers applied to a consistent underlying capability” — a framing echoed by FBI and DOJ actions last month that seized Handala infrastructure after the Stryker Corporation breach. Shared tooling spans destructive wipers (Handala.exe, BiBi-Windows Wiper, Ptable.exe, NACL.exe), a purpose-built encryptor (GoXML.exe), backdoors (RuntimeSSH.exe, NetBird), and data-theft implants (MsCache.exe, MicDriver.dll). Exploitation relies on CVE-2026-35616 (FortiClient EMS) and CVE-2026-2699/2701 (Progress ShareFile).

95 IOCs · Wipers, webshells, CVEs, Telegram C2
Iran — Handala

Handala Claims 6 PB Destroyed in GCC Infrastructure Attack

HivePro documented a significant destructive operation in which the Handala Hack Team — one of the personas in the MOIS ecosystem — claimed destruction of 6 petabytes of data and exfiltration of 149 TB of documents from Gulf Cooperation Council critical infrastructure. C2 operated from 107.189.19.52 with supporting infrastructure across .to, .ps, .tw, and .org domains. The group continues to coordinate announcements via Telegram channels and dedicated “news” domains, consistent with the influence-operation wrapper identified by DomainTools.

23 IOCs · C2 IPs, Telegram accounts, wiper hashes
Iran — ICS

CyberAv3ngers Still Exploiting 2021 Rockwell PLC Bug

HivePro reported continued exploitation by the Iran-affiliated CyberAv3ngers group against U.S. critical infrastructure via CVE-2021-22681 — an authentication bypass in Rockwell Automation PLCs. Post-exploitation involves deploying Dropbear SSH for persistent remote access and a reset.ps1 PowerShell utility, with C2 consolidated in the 185.82.73.0/24 range. The campaign illustrates how OT environments continue to surface five-year-old bugs as viable initial-access vectors.

10 IOCs · C2 IPs, Rockwell CVE, PowerShell utility
Iran — Identity

Password Spray Targets Israeli & UAE M365 Tenants

A separate HivePro report documented an Iran-aligned threat actor conducting a large-scale password spraying operation against Microsoft 365 tenants, focused on Israeli municipalities and UAE organizations. The campaign leverages commercial VPN infrastructure (ASN AS35758) with five rotating source IPs in the 185.191.204.0/24 and 169.150.227.0/24 ranges. Defenders with M365 exposure in these regions should review conditional access policies, enable MFA across all privileged accounts, and alert on failed-authentication patterns matching the published ASN.

6 IOCs · VPN IP ranges, attacker ASN
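As an added illustration (not from HivePro's report), the following Python flags the failed-authentication pattern described above in Entra ID sign-in records: sources inside the published ranges, or any source that fails against several distinct accounts in a short window. The sign-in lines and account names are constructed; the published ranges stand in for AS35758, since sign-in logs carry the IP rather than the ASN.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Source ranges published for this campaign (from the report above); they stand
# in for AS35758, since sign-in logs carry the IP, not the ASN.
SPRAY_RANGES = [ipaddress.ip_network("185.191.204.0/24"),
                ipaddress.ip_network("169.150.227.0/24")]

# Constructed sign-in records: timestamp, account, source IP, result code
# (0 = success; 50126 is Entra ID's invalid-credential code). Not real data.
SAMPLE_SIGNINS = """\
2026-04-14T08:00:01Z alice@example.gov.il 185.191.204.17 50126
2026-04-14T08:00:04Z bob@example.gov.il 185.191.204.17 50126
2026-04-14T08:00:09Z carol@example.gov.il 185.191.204.17 50126
2026-04-14T08:00:15Z dave@example.gov.il 185.191.204.17 50126
2026-04-14T08:00:20Z erin@example.gov.il 185.191.204.17 0
2026-04-14T08:10:00Z frank@example.gov.il 203.0.113.9 50126
2026-04-14T08:10:30Z frank@example.gov.il 203.0.113.9 50126
2026-04-14T08:11:00Z frank@example.gov.il 203.0.113.9 0
2026-04-14T09:00:00Z grace@example.ae 169.150.227.44 50126
"""

def parse_signins(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, code = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, ipaddress.ip_address(ip), int(code)))
    return events

def in_spray_ranges(ip):
    return any(ip in net for net in SPRAY_RANGES)

def max_distinct_failures(failed, window):
    """Largest number of distinct accounts that failed from one source inside
    any `window`-long span (sliding window over time-sorted failures)."""
    best = 0
    for i, (t0, _) in enumerate(failed):
        users = {u for ts, u in failed[i:] if ts - t0 <= window}
        best = max(best, len(users))
    return best

def detect_spray(text, window=timedelta(minutes=10), min_users=3):
    """Return {source_ip: finding}. A source is reported if it sits in the
    published ranges or fails against >= min_users distinct accounts within
    `window`. One user retrying their own password (frank) is not a spray."""
    by_ip = defaultdict(list)
    for ts, user, ip, code in parse_signins(text):
        by_ip[ip].append((ts, user, code))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failed = [(ts, u) for ts, u, c in events if c != 0]
        distinct = max_distinct_failures(failed, window)
        reasons = []
        if in_spray_ranges(ip):
            reasons.append("source inside published spray ranges")
        if distinct >= min_users:
            reasons.append(f"{distinct} distinct accounts failed within {window}")
        if reasons:
            findings[str(ip)] = {
                "reasons": reasons,
                "distinct_failed": distinct,
                # a success after the failures marks the account to reset first
                "success_seen": any(c == 0 for _, _, c in events),
            }
    return findings
```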

Why it matters: For years, Iran’s hacktivist personas were analyzed in isolation. This week’s MOIS mapping changes the game: the same ministerial apparatus runs the destructive ops (Handala wipers), the OT exploitation (CyberAv3ngers), the identity attacks (M365 password spray), and the influence-operation fronts. Defenders tracking any one of these under a narrow “hacktivist” label should widen the aperture — the infrastructure overlap is significant enough that an IOC from one campaign often applies to the others.

02 — NATION-STATE ACTIVITY

APT28 on Two Fronts: Router DNS Hijacking and Office Zero-Day Chain

Two large APT28 (Pawn Storm / Fancy Bear) reports this week accounted for 363 IOCs between them — among the week’s largest single-campaign datasets — and revealed parallel operations against both the network edge and the Microsoft endpoint.

Russia — APT28

TP-Link Router DNS Hijacking at Scale (CVE-2023-50224)

APT28 — GRU Military Unit 26165 — exploited CVE-2023-50224, an authentication bypass in TP-Link WR841N SOHO routers, via crafted HTTP GET requests that first extract stored credentials, then rewrite DHCP DNS settings to point at actor-controlled resolvers. The campaign, jointly disclosed this week by the UK NCSC and FBI, has been running since at least 2024; at its December 2025 peak, 18,000+ unique IPs across 120 countries were communicating with the infrastructure, with an estimated 200+ organizations and 5,000 consumer devices impacted. The operation enables adversary-in-the-middle interception of Outlook, Office 365, and Live authentication flows for OAuth token theft.

189 IOCs · Malicious resolvers, compromised routers, CVE
Russia — APT28

PRISMEX Dual Zero-Day Chain Against Ukraine & NATO

HivePro expanded on last week’s PRISMEX coverage with detailed analysis of the dual zero-day chain: CVE-2026-21509 (Microsoft Office) establishes initial access, then CVE-2026-21513 (MSHTML) delivers the PRISMEX payload alongside the Covenant C2 framework. Infrastructure abuses filen.io and dnshook.site for staging, with WebDAV URLs used during exploitation and registry modifications for persistence. Targeting continues to center on Ukrainian and NATO entities.

174 IOCs · PRISMEX, Covenant C2, phishing infrastructure
China-Nexus — Red Menshen

BPFdoor “Sleeper Cells” in Telecom Kubernetes 5G Core

Rapid7 Labs published a months-long investigation into Red Menshen, a China-nexus actor planting BPFdoor sleeper cells inside carrier networks across South Korea, Hong Kong, Myanmar, Malaysia, Egypt, and the Middle East. The backdoor uses eBPF inside the Linux kernel to filter network traffic, exposing no listening ports and activating only on specifically crafted trigger packets. Crucially, current samples spoof dockerd and containerd command lines — targeting Kubernetes-hosted 5G core functions (AMF, SMF, UDM). The spoofing is convincing enough to hide in a standard ps listing on carrier-grade hosts.

6 IOCs · CVEs, container paths, backdoor artifacts
China-Nexus — UAT-10362

LucidRook Expands: New LucidPawn & LucidKnight Variants

HivePro published additional analysis of the UAT-10362 campaign against Taiwanese NGOs and universities. The operation now includes three related payloads — LucidRook, LucidPawn, and LucidKnight — delivered via password-protected ZIP archives. DLL sideloading via DismCore.dll, PowerShell abuse through the Pester module, and exfiltration via OAST services (dnslog.ink, digimg.store) round out the tradecraft. Phishing lures originate from [email protected] and [email protected].

29 IOCs · Lua payloads, OAST exfil, DLL sideloading

Trend to watch: APT28’s router-level DNS hijacking is the sort of campaign that doesn’t show up in endpoint telemetry — the victim’s laptop sees entirely normal-looking DNS responses, just resolved to attacker infrastructure. Selective resolution (only target-matching domains hit the malicious resolver; everything else resolves cleanly) makes casual detection even harder. Organizations should audit that outbound DNS only traverses corporate resolvers, enforce DNS-over-HTTPS where practical, and cross-reference the 180+ published resolver IPs against passive DNS and NetFlow. Work-from-home users on consumer TP-Link hardware should verify firmware is current and the admin password has been rotated — stored credentials are the initial access.
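An added example, not part of the NCSC/FBI advisory or of this newsletter's sources, of the two audits recommended above: checking flow records for DNS that bypasses corporate resolvers, and cross-referencing destinations against the published resolver list. The corporate resolver addresses, the "published" malicious resolvers and the flow records are all constructed placeholders; the advisory's real resolver IPs would replace the placeholder set.

```python
import ipaddress
from collections import defaultdict

# Resolvers this (fictional) organisation operates; assumed values.
CORPORATE_RESOLVERS = {ipaddress.ip_address("10.0.0.53"),
                       ipaddress.ip_address("10.0.1.53")}

# Stand-in for the NCSC/FBI resolver list. The real addresses are in the
# advisory, not in this newsletter, so these are constructed placeholders.
PUBLISHED_MALICIOUS_RESOLVERS = {ipaddress.ip_address("198.51.100.77"),
                                 ipaddress.ip_address("203.0.113.200")}

# Plain DNS and DNS-over-TLS. DoH rides on 443 and is indistinguishable from
# other HTTPS in flow data, so it is out of scope for this check.
DNS_PORTS = {53, 853}

# Constructed NetFlow-style records: src dst proto dport packets.
# 10.0.5.21 models the selective-resolution pattern: nearly all DNS goes to
# the corporate resolver, with only a trickle to the actor's resolver.
SAMPLE_FLOWS = """\
10.0.5.21 10.0.0.53 udp 53 120
10.0.5.21 203.0.113.200 udp 53 4
10.0.5.33 10.0.1.53 udp 53 80
192.168.1.50 198.51.100.77 udp 53 37
192.168.1.50 198.51.100.77 tcp 853 2
192.168.1.50 10.0.0.53 udp 53 15
10.0.7.8 8.8.8.8 udp 53 9
10.0.7.8 1.1.1.1 tcp 443 300
"""

def parse_flows(text):
    for line in text.strip().splitlines():
        src, dst, proto, dport, pkts = line.split()
        yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
               proto, int(dport), int(pkts))

def audit_dns(text):
    """Per source host, DNS packet counts to resolvers that are not ours:
    'known_malicious' if the destination is on the published list,
    'unexpected' otherwise. Hosts that only used corporate resolvers are
    omitted; 'corporate_pkts' is kept so a small malicious share beside a
    large clean share (the selective-resolution case) stays visible."""
    per_src = defaultdict(lambda: {"known_malicious": defaultdict(int),
                                   "unexpected": defaultdict(int),
                                   "corporate_pkts": 0})
    for src, dst, _proto, dport, pkts in parse_flows(text):
        if dport not in DNS_PORTS:
            continue
        entry = per_src[src]
        if dst in CORPORATE_RESOLVERS:
            entry["corporate_pkts"] += pkts
        elif dst in PUBLISHED_MALICIOUS_RESOLVERS:
            entry["known_malicious"][str(dst)] += pkts
        else:
            entry["unexpected"][str(dst)] += pkts
    return {
        str(src): {"known_malicious": dict(e["known_malicious"]),
                   "unexpected": dict(e["unexpected"]),
                   "corporate_pkts": e["corporate_pkts"]}
        for src, e in per_src.items()
        if e["known_malicious"] or e["unexpected"]
    }

if __name__ == "__main__":
    for host, finding in audit_dns(SAMPLE_FLOWS).items():
        print(host, finding)
```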

03 — VULNERABILITIES & ACTIVE EXPLOITATION

Zero-Day Week: FortiGate, Adobe Acrobat, TrueConf, and MSHTML

Four distinct zero-days were confirmed under active exploitation this week, spanning edge appliances, PDF readers, collaboration clients, and browser engines.

CVE | Product | Impact | Status
CVE-2025-59718 | FortiOS, FortiProxy, FortiSwitchManager, FortiWeb | Improper SAML signature verification (CWE-347) enabling FortiCloud SSO login bypass. Rapid7 IR observed ~2-week dwell time: attackers authenticate as admin, immediately pull the config file (with hashed creds), then pivot via Mimikatz and Advanced IP Scanner. Attacker domain openmail[.]pro | Active exploitation
CVE-2026-34621 | Adobe Acrobat / Reader | Prototype pollution enabling data exfiltration via malicious PDFs. Two weaponized samples observed; C2 at 169.40.2.68:45191 and 188.214.34.20:34123 | Active exploitation
CVE-2026-3502 | TrueConf Client (v8.1.0–8.5.2) | Check Point’s “Operation TrueChaos”: China-nexus actor abuses a trusted on-prem TrueConf server’s updater to push Havoc C2 to all connected endpoints at once. UAC bypass via iscsicpl.exe. Fixed in v8.5.3; CISA KEV deadline was April 16 | Active exploitation
CVE-2026-21509 / CVE-2026-21513 | Microsoft Office / MSHTML | Chained by APT28 to deliver PRISMEX malware; WebDAV-based exploitation without user warning prompts | Active exploitation
CVE-2021-22681 | Rockwell Automation PLCs | Five-year-old authentication bypass still actively exploited by CyberAv3ngers for U.S. OT network access | Active exploitation
CVE-2018-10561 / CVE-2018-10562 / CVE-2024-12847 | GPON & Netgear routers | Exploited by the Masjesu IoT botnet for DDoS-for-hire device recruitment across multiple CPU architectures | Mass exploitation

Operational note: The Operation TrueChaos campaign (CVE-2026-3502) is particularly instructive — attackers compromised the TrueConf Client update channel itself, meaning endpoints that religiously apply vendor updates became the delivery vector. C2 from 43.134.90.60, 43.134.52.221, and 47.237.15.197 should be blocklisted immediately in any environment running TrueConf.

04 — DEVELOPER & SAAS SUPPLY CHAIN

GlassWorm Redux and Workflow Automation Weaponized

Last week’s GlassWorm infection of Open VSX was not a one-off. And in a new trend, threat actors are treating SaaS workflow automation platforms as purpose-built malware delivery infrastructure.

IDE Supply Chain

GlassWorm: 433 Packages, Solana Dead-Drops, Runtime-Rebuilt Loaders

Checkmarx documented a renewed GlassWorm campaign using runtime-rebuilt loaders to hide staged payloads — part of a broader wave that Aikido, Socket, and Step Security collectively tied to 433 compromised components across npm, GitHub, VS Code, and Open VSX. The C2 mechanism is the novel part: the malware polls a hardcoded Solana wallet address every ~5 seconds, reading payload URLs embedded in the memo field of recent transactions. Step Security documented 50+ such payload-update transactions between Nov 2025 and Mar 2026. The stealer harvests browser cookies, SSH keys, AWS config, keychain databases, and crypto wallets across Windows and macOS; DHT bootstrap nodes provide resilience.

62 IOCs · Extensions, Solana RPCs, DHT nodes
SaaS Abuse

n8n Webhooks: 686% Spike in Weaponized Automation Emails

Cisco Talos uncovered threat actors abusing n8n — the AI workflow automation platform — as malware delivery infrastructure, with email volume weaponizing n8n webhooks up ~686% in March 2026 vs. January 2025. Attackers register free developer accounts that auto-provision trusted-looking *.app.n8n.cloud subdomains, then use webhooks for both malware staging and invisible-pixel device fingerprinting that captures victim IPs on email open. The delivered payload — DownloadedOneDriveDocument.exe and an MSI variant — installs a modified Datto RMM (centrastage.net) and runs PowerShell chains, with Softr.io phishing pages layered on top. The stack inherits each SaaS platform’s sender reputation.

12 IOCs · n8n webhooks, MSI installers, SHA256 hashes
SaaS Abuse

PowMix Botnet Runs C2 on Heroku Dynos

Cisco Talos also identified PowMix, a previously undocumented PowerShell-based botnet delivering compliance-themed lures to Czech organizations. The malware uses four .herokuapp.com subdomains for C2 (erpapp-901-53f1ea72f036, crmassets-4a69a8e2b3ee, crmassets-351-0ac3da22f804, erpsync-120-f41cdcf813e4), leveraging legitimate SaaS hosting for HTTPS beaconing. Delivery is via LNK files inside ZIP archives; persistence via scheduled tasks; parent-process verification (svchost/powershell) provides basic anti-analysis.

50 IOCs · Heroku C2, LNK files, PowerShell loaders
Browser Abuse

BlobPhish: Phishing Pages Born in the Browser

Any.run analyzed BlobPhish, a credential-harvesting technique that generates fake login pages directly inside the victim’s browser using blob objects — binary data stored in memory with a local blob: URI. Because the phishing content never hits a public URL, traditional URL reputation engines, proxies, and link scanners are blind to it. The chain starts with DocSend-style redirects, then loader URLs (blob.html, blom.html variants), with exfiltration to PHP endpoints (res.php, panel.php, tele.php) across 9 rotating attacker domains.

29 IOCs · Loader URLs, exfil endpoints, attacker domains

Pattern recognition: GlassWorm (Solana RPC), n8n (workflow webhooks), PowMix (Heroku dynos), and BlobPhish (in-browser blob URIs) share a design philosophy: move C2 and payload staging onto infrastructure that defenders implicitly trust, because the platform itself is legitimate. Blocklist-based defenses fail here. Behavioral detection — unusual outbound connections to .herokuapp.com from finance endpoints, Solana RPC calls from developer workstations, n8n webhook traffic from users who don’t run n8n — is now table stakes.
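The role-aware behavioral detection described above, as an added example rather than anything from the cited vendors: proxy records are scored on whether the destination family fits the user's role, and on beacon-like regularity of the requests. The role baseline, user names and log lines are constructed; the Heroku subdomain is the one named in the PowMix report, and the Solana pattern is an assumption about where public RPC hosts live.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatch

# Assumed baseline for a fictional organisation: which roles have a business
# reason to reach each platform family. Any other role matching is flagged.
SAAS_BASELINE = {
    "*.herokuapp.com": {"engineering"},        # Heroku-hosted apps
    "*.app.n8n.cloud": {"automation"},         # the team that runs n8n
    "*.solana.com": {"blockchain-dev"},        # public Solana RPC hosts (assumed)
}

# Constructed proxy records: timestamp user role destination bytes_out.
# The Heroku subdomain is the one named in the PowMix report above.
SAMPLE_PROXY = """\
2026-04-15T09:00:00Z pat finance erpapp-901-53f1ea72f036.herokuapp.com 512
2026-04-15T09:05:00Z pat finance erpapp-901-53f1ea72f036.herokuapp.com 512
2026-04-15T09:10:00Z pat finance erpapp-901-53f1ea72f036.herokuapp.com 520
2026-04-15T09:15:00Z pat finance erpapp-901-53f1ea72f036.herokuapp.com 511
2026-04-15T09:01:00Z dev1 engineering dashboard.herokuapp.com 2048
2026-04-15T09:02:00Z dev1 engineering api.mainnet-beta.solana.com 300
2026-04-15T09:03:00Z ops automation hooks.app.n8n.cloud 900
2026-04-15T09:04:00Z sam sales abc123.app.n8n.cloud 64
2026-04-15T09:04:30Z sam sales mail.example.com 64
"""

def parse_proxy(text):
    for line in text.strip().splitlines():
        ts, user, role, host, _bytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, role, host.lower()

def matching_rule(host):
    for pattern, roles in SAAS_BASELINE.items():
        if fnmatch(host, pattern):
            return pattern, roles
    return None, None

def is_regular_beacon(times, min_hits, max_jitter):
    """True when there are enough requests and the gaps between them are
    nearly constant (coefficient of variation <= max_jitter)."""
    if len(times) < min_hits:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter

def detect_saas_c2(text, min_hits=4, max_jitter=0.1):
    """Return {(user, host): finding} for traffic to a trusted SaaS family that
    does not fit the user's role, or that beacons on a fixed interval."""
    groups = defaultdict(list)
    for ts, user, role, host in parse_proxy(text):
        groups[(user, role, host)].append(ts)
    findings = {}
    for (user, role, host), times in groups.items():
        pattern, roles = matching_rule(host)
        if pattern is None:
            continue                     # not a platform we baseline
        times.sort()
        reasons = []
        if role not in roles:
            reasons.append(f"role '{role}' has no baseline for {pattern}")
        if is_regular_beacon(times, min_hits, max_jitter):
            gap = (times[-1] - times[0]).total_seconds() / (len(times) - 1)
            reasons.append(f"{len(times)} requests at a fixed ~{gap:.0f}s interval")
        if reasons:
            findings[(user, host)] = {"count": len(times), "reasons": reasons}
    return findings
```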

05 — STEALERS & RANSOMWARE

Lumma, NWHStealer, Fake Slack HVNC, and Payouts King

Infostealer

Cracked Premiere Pro Drops Lumma & Sectop RAT

The SANS Internet Storm Center documented a fake Adobe Premiere Pro installer (7z archive) that deploys both Lumma Stealer and Sectop RAT (ArechClient2) via rundll32 with a LoadForm export. Lumma communicates across 9 C2 domains spanning .cyou, .vu, .best, .click, and .shop TLDs; Sectop beacons on ports 9000 (HTTP) and 443 (HTTPS) with agent-specific callbacks targeting Chrome and Edge credential stores.

57 IOCs
Infostealer

NWHStealer Masquerades as Proton VPN & Game Mods

Malwarebytes tracked NWHStealer distributed via fake Proton VPN websites, hardware utilities (OhmGraphite, Sidebar Diagnostics, HardwareVisualizer), and gaming mods. The malware leverages DLL hijacking through WindowsCodecs.dll, TextShaping.dll, iviewers.dll, and CrashRpt1403.dll, with runpeNew.dll as second-stage self-injection. It is hosted on legitimate platforms (SourceForge, GitHub, OnWorks) to bypass reputation controls and exfiltrates to Telegram dead drops.

19 IOCs
HVNC

Trojanized Slack Installer Drops Hidden Desktop

Malwarebytes identified a typosquatted Slack distribution (slacks.proslack-4-49-81.exe) that bundles the genuine Slack application alongside a multi-stage loader (svc.tmp, WinSvcUpd.exe) which decrypts and injects an HVNC (Hidden Virtual Network Computing) payload into explorer.exe. HVNC gives attackers a second, invisible desktop session they can control silently while the user works normally. C2 at 94.232.46.16:8081; persistence via the standard Run registry key.

17 IOCs
Ransomware

Payouts King: BlackBasta Alumni, Quick Assist Vishing, QEMU Evasion

Zscaler ThreatLabz attributed Payouts King with high confidence to former BlackBasta affiliates, reusing the brand’s signature social-engineering playbook: spam-bomb the inbox, call as IT support, walk the victim into Microsoft Teams and Quick Assist for remote access. Technically the binary is serious — 4096-bit RSA with AES-256-CTR encryption, stack-based string encryption, API hashing, and a custom CRC (polynomial 0xBDC65592) to defeat precomputed rainbow tables. BleepingComputer separately reported some variants run the encryptor inside QEMU virtual machines to bypass endpoint agents entirely. Persistence masquerades as Mozilla update scheduled tasks; files encrypt with .ZWIAAW (.esVnyj backups, readme_locker.txt ransom note); TOX and a Tor leak site handle negotiations.

13 IOCs
Banking Trojan

JanelaRAT Targets Latin American Banks

Kaspersky analyzed JanelaRAT, a modified BX RAT variant targeting financial institutions across Latin America. It uses DLL sideloading with a legitimate nevasca.exe loading a malicious PixelPaint.dll, with C2 at ciderurginsx[.]com. Banking-themed decoy overlays are displayed while credential theft occurs in the background.

15 IOCs
Phishing

Fake YouTube Copyright Strikes Hunt Creators

Malwarebytes documented a targeted credential-theft operation impersonating YouTube’s DMCA takedown system. Creators receive urgent “copyright strike” notifications linking to dmca-notification.info and blacklivesmattergood4.com, which harvest Google credentials for channel hijacking. Supporting infrastructure at dopozj.net, ec40pr.net, and xddlov.net. Standard advice applies: check claims from the official YouTube Studio dashboard, never from a notification link.

5 IOCs
06 — ALSO THIS WEEK

Additional Threats Worth Tracking

IoT Botnet

Masjesu: DDoS-for-Hire with Process Spoofing

HivePro expanded on prior Masjesu coverage with deeper technical detail. The botnet exploits GPON routers (CVE-2018-10561/10562) and Netgear (CVE-2024-12847), establishes cron persistence via ld-unix.so.2, and disguises its processes as systemd-journald. C2 runs on conn.masjesu.zip, Gpbtpz.rodeo, and starlight.fans over port 443.

29 IOCs

Analyst Assessment: April 11–18 in Context

Three threads dominated this week’s reporting. First, the Iran picture sharpened dramatically: what had been fragmented coverage of “hacktivist” groups is now explicitly mapped to a coordinated MOIS operation with destructive, espionage, and identity-attack arms. If you track any one Iran-nexus actor, you should now be correlating across all four.

Second, zero-day velocity remains high. FortiGate, Adobe Acrobat, TrueConf, and the Office/MSHTML chain are all being exploited this week, with three of the four tied to state-aligned operators. The TrueConf supply-chain path — where applying vendor updates was itself the compromise — is a reminder that “keep software current” is necessary but not sufficient; update mechanisms themselves need monitoring.

Third, SaaS continues to become C2. GlassWorm’s Solana RPC staging, PowMix’s Heroku dynos, n8n’s webhooks, and BlobPhish’s in-browser page generation all point to the same insight: threat actors have realized that the most trusted infrastructure is infrastructure the defender actually uses. The defensive answer is not more blocklists — it’s context-aware behavioral detection that asks whether this connection from this user makes sense for this role.

Sources

  1. DomainTools: “MOIS-Linked Moist Grasshopper: Homeland Justice, Karmabelow80, Handala Campaigns and Evolution”
  2. HivePro: “Handala Destructive Wiper Attack on GCC Infrastructure”
  3. HivePro: “CyberAv3ngers Exploits U.S. PLCs”
  4. HivePro: “Iran-Aligned Password Spray Campaign”
  5. HivePro: “APT28 SOHO Router DNS Hijacking”
  6. UK NCSC & FBI (joint advisory): “APT28 Exploit Routers to Enable DNS Hijacking Operations”
  7. Check Point Research: “Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets”
  8. HivePro: “Pawn Storm Dual Zero-Day Exploit (PRISMEX)”
  9. Rapid7 Labs: “BPFdoor in Telecom Networks: Sleeper Cells”
  10. HivePro: “UAT-10362 Deploys LucidRook, LucidPawn & LucidKnight”
  11. Rapid7: “FortiGate CVE-2025-59718 Exploitation — IR Findings”
  12. HivePro: “Adobe Acrobat Prototype Pollution Zero-Day (CVE-2026-34621)”
  13. HivePro: “Operation TrueChaos: TrueConf Zero-Day (CVE-2026-3502)”
  14. Checkmarx: “GlassWorm Targets Developer IDEs Again — Runtime-Rebuilt Loaders”
  15. Cisco Talos: “The n8n-n8mare: Workflow Automation as Malware Delivery”
  16. Cisco Talos: “PowMix Botnet Targets Czech Workforce”
  17. Any.run: “Evasive BlobPhish Detection”
  18. SANS Internet Storm Center: “Lumma Stealer and Sectop RAT via Cracked Premiere Pro”
  19. Malwarebytes: “NWHStealer: From Fake Proton VPN to Gaming Mods”
  20. Malwarebytes: “Fake Slack Download: Hidden Desktop HVNC”
  21. Zscaler ThreatLabz: “Payouts King Takes Aim at the Ransomware Throne”
  22. Kaspersky / Securelist: “JanelaRAT Financial Threat in Latin America”
  23. Malwarebytes: “Fake YouTube Copyright Notices Steal Google Logins”
  24. HivePro: “Masjesu IoT Botnet Threat”

This post was generated with Claude by Anthropic, based on source reporting from the publications listed above and analysis of 23 IOC submissions to iocget.com between April 11–18, 2026.