Cyware Daily Threat Intelligence, March 05, 2026

The software supply chain remains a high-priority target as attackers leverage trusted development ecosystems to bypass traditional perimeter defenses. In a recent discovery on Packagist, malicious PHP packages masquerading as Laravel utilities were found embedding a cross-platform RAT.
State-aligned cyber operations continue to refine their delivery and obfuscation tactics to maintain a tactical edge in geopolitical conflicts. A targeted Russian campaign against Ukraine has been identified deploying two new malware strains through phishing lures disguised as official border-crossing appeals.
The commodification of high-end mobile surveillance has reached a new peak with the emergence of the Coruna exploit kit, which targets iOS versions 13.0 through 17.2.1. Utilizing a staggering 23 different exploits, this kit has transitioned from commercial use to being a staple in the arsenals of Russian and Chinese espionage groups.
Top Malware Reported in the Last 24 Hours
Malicious Laravel packages deploy cross-platform RAT
Cybersecurity researchers have identified malicious PHP packages on Packagist that masquerade as Laravel utilities and deploy a cross-platform RAT targeting Windows, macOS, and Linux systems. Notably, the package "nhattuanbl/lara-swagger" does not contain malicious code itself; it instead declares a dependency on "nhattuanbl/lara-helper," which embeds the RAT. The RAT connects to a C2 server, sends system reconnaissance data, and executes operator commands such as running shell commands and capturing screenshots. It employs various obfuscation techniques to evade detection and is designed to maintain a persistent connection to the C2 server, attempting reconnection every 15 seconds. The threat actor has also published additional libraries that appear legitimate, likely to build trust and lure users into installing the malicious packages.
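The point of the lara-swagger/lara-helper pairing is that the package a developer asks for looks clean while the payload arrives as a transitive dependency, so a check that only looks at composer.json misses it. The script below is an added example, not code from the report or from any of the packages named; it walks a constructed composer.lock fragment (not a real project's lock file) and reports the require chain that introduces each denylisted package. The direct-requirement list is passed in (normally read from composer.json), and the denylist is a placeholder holding only the two names from the report.

```python
"""Flag denylisted Composer packages in a lock file, including those pulled
in transitively, and report the dependency path that introduced them."""
import json

# Constructed composer.lock fragment: the application requires only the
# innocuous-looking lara-swagger, which in turn requires lara-helper.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "nhattuanbl/lara-swagger", "version": "1.0.0",
         "require": {"nhattuanbl/lara-helper": "^1.0", "php": ">=8.1"}},
        {"name": "nhattuanbl/lara-helper", "version": "1.2.0",
         "require": {"php": ">=8.1"}},
        {"name": "laravel/framework", "version": "11.0.0", "require": {}},
    ]
})

# Names taken from the report; in practice this would be fed from an
# advisory source rather than hard-coded (placeholder, not a full IoC set).
MALICIOUS = {"nhattuanbl/lara-helper", "nhattuanbl/lara-swagger"}


def build_graph(lock_json):
    """Map each locked package name to the set of packages it requires."""
    graph = {}
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            # "php" and "ext-*" are platform requirements, not packages
            deps = {d for d in pkg.get("require", {}) if "/" in d}
            graph[pkg["name"]] = deps
    return graph


def find_malicious(lock_json, direct_requires, denylist=MALICIOUS):
    """Return {flagged_package: require path from a direct requirement}."""
    graph = build_graph(lock_json)
    findings, seen = {}, set()
    stack = [(root, [root]) for root in direct_requires]
    while stack:  # depth-first walk over the resolved dependency graph
        name, path = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in denylist and name not in findings:
            findings[name] = path
        for dep in sorted(graph.get(name, ())):
            stack.append((dep, path + [dep]))
    return findings


if __name__ == "__main__":
    roots = ["nhattuanbl/lara-swagger", "laravel/framework"]
    for pkg, path in find_malicious(SAMPLE_LOCK, roots).items():
        print(f"{pkg} introduced via: {' -> '.join(path)}")
```

Run against a real lock file by loading its contents in place of SAMPLE_LOCK; the "introduced via" chain is what tells you which top-level requirement to remove.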
Russian cyber campaign targets Ukraine with malware
Researchers have identified a targeted Russian cyber campaign against Ukraine that utilizes two new malware strains, BadPaw and MeowMeow. The attack begins with a phishing email that contains a ZIP archive, which, when extracted, launches an HTA file displaying a lure document in Ukrainian about border crossing appeals. This initial infection triggers the download of BadPaw, a .NET-based loader, which establishes command-and-control communication and deploys MeowMeow, a sophisticated backdoor. Both malware strains are heavily obfuscated to evade detection and incorporate advanced defense mechanisms, such as parameter validation and environmental awareness, allowing them to remain dormant unless executed under specific conditions. ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor, likely APT28, based on the targeting of Ukrainian entities and the use of established Russian cyber tactics.
Top Vulnerabilities Reported in the Last 24 Hours
Critical Cisco firewall vulnerability exposed
Cisco recently revealed a critical vulnerability in its Secure Firewall Management Center (FMC) Software that allows unauthenticated remote attackers to gain complete root access to affected devices. With a maximum CVSS severity score of 10.0, this flaw poses a significant risk to enterprise network infrastructure. Discovered during internal security testing, the vulnerability arises from an improperly initialized system process during the device’s boot sequence. Attackers can exploit this weakness by sending specially crafted HTTP requests to the FMC web interface, bypassing authentication protocols entirely. Once successful, they can execute malicious scripts and take full control of the operating system. This situation represents a worst-case scenario, as it enables attackers to alter security policies and monitor network traffic, thereby compromising the entire organizational security landscape.
Coruna exploit kit targets iOS vulnerabilities
Google has identified a new exploit kit named Coruna, also known as CryptoWaters, which targets iOS versions 13.0 to 17.2.1 through five exploit chains and 23 exploits. This sophisticated kit employs advanced, non-public exploitation techniques and has circulated among various threat actors since February 2025, transitioning from commercial surveillance operations to government-backed and financially motivated groups. The exploit kit utilizes a JavaScript framework to fingerprint devices and deploy specific WebKit exploits, including CVE-2024-23222, which Apple patched in January 2024. Recent activities linked to Coruna involve Russian espionage group UNC6353 and Chinese threat cluster UNC6691, which have used compromised websites to deliver the exploit kit. The kit includes a stager binary, PlasmaLoader, designed to exfiltrate sensitive information and cryptocurrency wallets.