
Cyware Weekly Threat Intelligence, March 02–06, 2026


The Good

A powerful shift toward structural resilience is occurring as global coalitions and law enforcement strike at the core of digital infrastructure and illicit finance. The Global Coalition on Telecoms launched landmark 6G security guidelines, championing "resilience by design" and Open RAN frameworks to protect the next generation of mobile connectivity. Simultaneously, the DOJ’s $61 million seizure of Tether marks a major victory against "pig butchering" syndicates, targeting the industrial-scale fraud networks that have already forced the freezing of over $4.2 billion in assets.

  • A coalition of seven countries (Australia, Canada, Japan, the UK, the US, Finland, and Sweden) has launched voluntary cybersecurity and resilience guidelines for 6G networks at the Mobile World Congress 2026. Known as the Global Coalition on Telecoms (GCOT), the group aims to enhance the security and resilience of future mobile networks through principles focusing on containment of malicious activity, data confidentiality, integrity, and regulatory compliance. The guidelines emphasize the importance of robust failover mechanisms and the integration of alternative positioning and navigation solutions to reduce vulnerabilities. GCOT also advocates for Open RAN frameworks to promote flexibility and innovation within the telecommunications ecosystem, ensuring that 6G infrastructure is prepared to meet emerging challenges.

  • The DOJ recently seized $61 million in Tether connected to fraudulent cryptocurrency schemes known as pig butchering. In these scams, criminals build fake romantic relationships with victims through social media and dating apps, with the day-to-day fraud frequently carried out by trafficked individuals coerced into the work. Victims are lured into investing through deceptive platforms that display fictitious high returns, only to face demands for additional fees when they attempt to withdraw their funds. Once the money is transferred to wallets controlled by the scammers, it is quickly laundered through multiple accounts to obscure its origin. In response to these illicit activities, Tether has frozen approximately $4.2 billion in assets linked to scams, including $250 million since mid-2025.

  • A joint operation by the FBI, Europol, and various international law enforcement agencies has successfully dismantled LeakBase, one of the largest online forums for cybercriminals. With over 142,000 members, LeakBase facilitated the trade of stolen credentials, hacked databases, and cybercrime tools. The operation, named "Operation Leak," took place on March 3 and 4, 2026, resulting in multiple arrests and the seizure of evidence, including user accounts and private messages. The forum, which had been active since June 2021, specialized in selling sensitive information, such as credit card details and account credentials, often harvested through malware. Authorities targeted 37 of the platform's most active users, marking a significant blow to cybercrime operations globally.

The Bad

In South America, the China-nexus actor UAT-9244 has been observed targeting telecommunications providers using a sophisticated trio of implants. In a recent discovery on Packagist, malicious PHP packages masquerading as Laravel utilities were found embedding a cross-platform RAT. The threat actor known as SloppyLemming has intensified its focus on South Asia, launching a year-long offensive against government and nuclear sectors in Pakistan and Bangladesh.

  • UAT-9244 is a China-nexus APT actor that has been targeting South American telecommunications infrastructure since 2024. This group employs three primary malware implants: TernDoor, PeerTime, and BruteEntry. TernDoor, a variant of the CrowDoor backdoor, uses DLL side-loading for infection and incorporates an encrypted Windows driver for process management. PeerTime is an ELF-based backdoor utilizing the BitTorrent protocol, enabling it to infect various architectures and execute commands through a peer-to-peer network. BruteEntry functions as a brute-force scanner, converting compromised devices into operational relay boxes to attack SSH, Postgres, and Tomcat servers. Each implant showcases sophisticated techniques for evasion and persistence, indicating a well-coordinated effort to compromise critical telecommunications systems.

  • SloppyLemming, a threat actor known for targeting government and critical infrastructure entities, has launched a series of attacks against Pakistan and Bangladesh. Utilizing dual malware chains, the group deployed BurrowShell, a sophisticated backdoor, alongside a Rust-based keylogger. These attacks, occurring between January 2025 and January 2026, involved spear-phishing emails containing PDF lures and macro-enabled Excel documents to initiate infections. BurrowShell enables file manipulation, remote shell execution, and network tunneling while disguising its command-and-control traffic as legitimate Windows Update communications. The keylogger is designed for information theft and network enumeration. Notably, SloppyLemming has significantly increased its use of Cloudflare Workers domains, employing advanced techniques such as DLL side-loading and ClickOnce execution, targeting sectors like nuclear regulation and telecommunications to gather intelligence in the region.

  • Cybersecurity researchers have identified malicious PHP packages on Packagist that masquerade as Laravel utilities and deliver a cross-platform RAT affecting Windows, macOS, and Linux systems. Notably, the package "nhattuanbl/lara-swagger" contains no malicious code itself but depends on "nhattuanbl/lara-helper," which embeds the RAT. The RAT connects to a C2 server, sends system reconnaissance data, and executes commands such as running shell commands and capturing screenshots. It employs various obfuscation techniques to evade detection and is designed to maintain a persistent connection to the C2 server, attempting to reconnect every 15 seconds. The threat actor has also published additional libraries that appear legitimate, likely to build trust and lure users into installing the malicious packages.

  • Cisco recently revealed a critical vulnerability in its Secure Firewall Management Center (FMC) Software that allows unauthenticated remote attackers to gain complete root access to affected devices. With a maximum CVSS severity score of 10.0, this flaw poses a significant risk to enterprise network infrastructure. Discovered during internal security testing, the vulnerability arises from an improperly initialized system process during the device’s boot sequence. Attackers can exploit this weakness by sending specially crafted HTTP requests to the FMC web interface, bypassing authentication entirely. Once successful, they can execute malicious scripts and take full control of the operating system. This represents a worst-case scenario, as it enables attackers to alter security policies and monitor network traffic, compromising the entire organizational security posture.

  • A Chrome extension named "QuickLens - Search Screen with Google Lens" was removed from the Chrome Web Store after being compromised to distribute malware and steal cryptocurrency from users. Initially popular, the extension was sold to a new owner who released a malicious update that stripped essential browser security headers, facilitating ClickFix attacks. This update enabled the extension to connect to a command-and-control server, allowing it to execute harmful scripts that targeted various cryptocurrency wallets, capturing sensitive data like seed phrases and login credentials. The malware also scraped personal information from Gmail, Facebook, and YouTube accounts. Following the discovery of these malicious activities, Google disabled the extension and flagged it as malware, affecting around 7,000 users.

  • North Korean hackers have released 26 malicious npm packages as part of the ongoing Contagious Interview campaign, disguising them as legitimate developer tools. These packages extract C2 server URLs hidden within innocuous-looking Pastebin content, using steganography to encode the addresses. The malware executes upon installation, running a payload that decodes the C2 URLs and connects to infrastructure hosted on Vercel. This approach allows the malware to target multiple operating systems, including Windows, macOS, and Linux, while extracting sensitive information such as credentials, browser data, and SSH keys.

New Threats

Deceptive social engineering has evolved to weaponize trusted system utilities, as seen in a new ClickFix campaign that specifically exploits the Windows Terminal app. A targeted Russian campaign against Ukraine has been identified deploying two new malware strains through phishing lures disguised as official border-crossing appeals. The cybercrime underworld has a fast-rising contender in AuraStealer, a modular infostealer that has rapidly emerged as a formidable rival to the notorious LummaC2.

  • Microsoft has disclosed a new ClickFix campaign that utilizes the Windows Terminal app to deploy Lumma Stealer. This campaign instructs users to launch Windows Terminal directly, creating a more trustworthy environment for executing malicious commands. By bypassing traditional detection methods aimed at the Run dialog, attackers exploit Windows Terminal to guide victims into executing hex-encoded commands that trigger a multi-stage attack. This process includes downloading a ZIP payload, extracting files, and establishing persistence through scheduled tasks. Lumma Stealer targets high-value browser artifacts, harvesting stored credentials and exfiltrating them to attacker-controlled servers. Additionally, a secondary attack pathway involves downloading batch scripts to execute further malicious actions.

  • Researchers have identified a targeted Russian cyber campaign against Ukraine that utilizes two new malware strains, BadPaw and MeowMeow. The attack begins with a phishing email that contains a ZIP archive, which, when extracted, launches an HTA file displaying a lure document in Ukrainian about border crossing appeals. This initial infection triggers the download of BadPaw, a .NET-based loader, which establishes command-and-control communication and deploys MeowMeow, a sophisticated backdoor. Both malware strains are heavily obfuscated to evade detection and incorporate advanced defense mechanisms, such as parameter validation and environmental awareness, allowing them to remain dormant unless executed under specific conditions. ClearSky attributes this campaign with high confidence to a Russian state-aligned threat actor, likely APT28, based on the targeting of Ukrainian entities and the use of established Russian cyber tactics.

  • AuraStealer is a newly emerged infostealer actively targeting users through 48 C2 domains, primarily using platforms like TikTok and cracked-software sites for distribution. Launched in mid-2025 on Russian cybercrime forums, it positions itself as a competitor to LummaC2 and is rapidly gaining traction among cybercriminals. The malware is sold under a subscription model, with frequent updates enhancing its capabilities. AuraStealer employs various delivery methods, including social engineering tactics and deceptive tools, to infect systems. It uses inexpensive top-level domains and sophisticated anti-analysis techniques to evade detection. Once installed, it harvests sensitive data from over 100 browsers and applications, exfiltrating this information via encrypted channels to its rotating C2 infrastructure.

  • North Korean hacking group APT37, also known as ScarCruft, has launched a new malware campaign named "Ruby Jumper," targeting air-gapped networks. This campaign employs removable drives to facilitate data transfer between isolated systems. Researchers from Zscaler identified five malicious tools used in this operation: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. The infection begins when a victim opens a malicious Windows shortcut, which deploys a PowerShell script to extract embedded payloads while simultaneously launching a decoy document. RESTLEAF establishes communication with APT37's command-and-control infrastructure, leading to the download of further malware components. THUMBSBD collects system information and prepares data for exfiltration, while VIRUSTASK spreads the infection to new air-gapped machines. This sophisticated approach allows APT37 to bridge air gaps and maintain covert control over compromised systems.
