Cyware Daily Threat Intelligence, March 27, 2026

The world of financial espionage is seeing a surge in localized yet effective toolsets, as a South Asian institution recently fell victim to a campaign involving the custom BRUSHWORM and BRUSHLOGGER malware. Despite its "amateur" construction, the toolkit’s ability to exfiltrate sensitive data via deceptive filenames on removable drives highlights that even unsophisticated malware can achieve deep penetration when tailored for regional targets.
BPFDoor has resurfaced as the centerpiece of a long-term espionage campaign by the China-linked Red Menshen group, which is burrowing deep into telecommunications networks across the Middle East and Asia. Acting as a digital sleeper cell, the implant remains dormant until it receives a specially crafted magic packet, allowing the actors to maintain persistent, invisible access to critical VPN appliances and firewalls.
The rapid weaponization of AI development tools has reached a new high with the active exploitation of CVE-2026-33017, a high-severity flaw in the Langflow framework. Discovered just last week, the vulnerability allows unauthenticated attackers to execute arbitrary Python code by abusing unsandboxed flow execution within the popular AI orchestration tool.
Top Malware Reported in the Last 24 Hours
BRUSHWORM and BRUSHLOGGER spotted in attacks
A South Asian financial institution has fallen victim to a sophisticated cyberattack involving a custom malware toolkit known as BRUSHWORM and BRUSHLOGGER. BRUSHWORM, a modular backdoor, facilitates installation, persistence, and C2 operations while enabling USB worm propagation and bulk file theft across critical file formats. Complementing this, BRUSHLOGGER functions as a DLL side-loaded keylogger, capturing keystrokes and user activity with detailed context. The malware employs basic anti-analysis techniques, such as checking for sandbox environments and monitoring user activity before executing its payloads. It also infects removable drives with deceptive filenames to exfiltrate sensitive data. Despite displaying signs of an inexperienced developer, including coding errors and unsophisticated implementation, the toolset demonstrates a significant capability for financial espionage.
Bearlyfy targets Russian firms with ransomware
A pro-Ukrainian hacking group named Bearlyfy has conducted over 70 cyberattacks on Russian companies since January 2025, utilizing a custom ransomware strain called GenieLocker. Initially, the group employed ransomware families like LockBit 3 and Babuk, but by May 2025 they had transitioned to PolyVice ransomware, demanding ransoms that escalated to around €80,000. Bearlyfy's tactics include exploiting vulnerabilities in external services and applications, followed by deploying tools like MeshAgent for remote access. Their attacks are characterized by rapid execution and personalized ransom notes written by the attackers rather than generated by the ransomware itself.
China-linked Red Menshen leverages BPFDoor implants
China-linked threat actor Red Menshen has been conducting a sophisticated cyber-espionage campaign against telecom networks in the Middle East and Asia since 2021. This group employs advanced techniques, including kernel-level implants and passive backdoors, to maintain stealthy access to critical environments. Central to their operations is BPFDoor, a Linux backdoor that utilizes Berkeley Packet Filter functionality to monitor network traffic without detection. Unlike conventional malware, BPFDoor activates only upon receiving specially crafted trigger packets, allowing it to remain hidden. The campaign targets internet-facing infrastructure, such as VPN appliances and firewalls, enabling the attackers to gain initial access and deploy additional malicious tools.
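A hunting check that follows from the passive-listener behaviour described above, as an added example rather than anything from the Cyware digest or the researchers' report: it assumes the implant receives frames through a Linux AF_PACKET socket (which the kernel lists in /proc/net/packet) and that mapping socket inodes back to PIDs via /proc/<pid>/fd is available to the analyst; the packet table below is constructed.

```python
import os
import re
# /proc/net/packet columns: sk RefCnt Type Proto Iface R Rmem User Inode
SOCK_RAW = "3"       # raw frames with link-layer headers
ETH_P_ALL = "0003"   # proto 0x0003: receive every ethertype, sniffer behaviour
_SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed sample table: row 1 is the raw all-ethertype socket a passive
# sniffing backdoor needs; row 2 is a datagram socket bound to IPv4 only.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1e0c0d8000 3      3    0003   0     1 0      0      48213
ffff9a1e0c0d9800 3      2    0800   2     1 0      0      48377
"""

def parse_proc_net_packet(text):
    """Return (type, proto, uid, inode) for each AF_PACKET socket listed."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 9:
            rows.append((fields[2], fields[3].lower(), int(fields[7]), int(fields[8])))
    return rows

def map_socket_inodes(proc_root="/proc"):
    """Map socket inode -> PID via /proc/<pid>/fd symlinks (root sees all)."""
    owners = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = _SOCKET_LINK.match(os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:  # process exited, or not ours to inspect
            continue
    return owners

def find_raw_sniffer_sockets(rows, inode_to_pid):
    """Flag raw sockets bound to every ethertype as (inode, pid or None, uid).
    A hit is a lead, not a verdict: tcpdump and monitoring agents legitimately
    hold such sockets, so inspect the owning process before acting."""
    return [(inode, inode_to_pid.get(inode), uid)
            for stype, proto, uid, inode in rows
            if stype == SOCK_RAW and proto == ETH_P_ALL]

if __name__ == "__main__":
    table = open("/proc/net/packet").read() if os.path.exists("/proc/net/packet") else SAMPLE_PACKET_TABLE
    owners = map_socket_inodes() if os.path.isdir("/proc") else {}
    for hit in find_raw_sniffer_sockets(parse_proc_net_packet(table), owners):
        print("raw all-ethertype packet socket: inode=%d pid=%s uid=%d" % hit)
```

Run as root on a live host to see every process; without privileges, sockets owned by other users' processes show a PID of None.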
Top Vulnerabilities Reported in the Last 24 Hours
CISA warns of critical Langflow vulnerability
CISA has issued a warning about the active exploitation of a critical vulnerability, CVE-2026-33017, in the Langflow framework, which is widely used for building AI workflows. This vulnerability, rated 9.3 out of 10, allows attackers to execute arbitrary Python code through unsandboxed flow execution, impacting versions 1.8.1 and earlier. Exploitation began shortly after the vulnerability was disclosed, with attackers quickly developing exploits from the advisory information. Automated scanning and data harvesting activity was observed within 24 hours. Langflow, a popular open-source tool with a significant following on GitHub, is particularly appealing to cybercriminals due to its widespread adoption in the AI development community.
Attackers exploit Oracle WebLogic bug rapidly
A critical vulnerability in Oracle WebLogic, identified as CVE-2026-21962, was exploited by attackers immediately after the public release of exploit code, as observed in a recent honeypot study. The vulnerability carries a CVSS score of 10.0, indicating its severity. The research documented that the first exploitation attempt occurred on the same day the exploit was published, with subsequent automated scanning and exploitation attempts observed over the following days. Attackers utilized rented virtual private servers and automated tools like libredtail-http and the Nmap Scripting Engine to carry out their attacks. Additionally, the study noted ongoing attempts to exploit older, widely abused WebLogic vulnerabilities.