Universal Local Privilege Escalation in the Linux Kernel Executive summary On May 7, 2026, researcher Hyunwoo Kim (alias @v4bel) publicly disclosed a new class of Linux kernel vulnerabilities named Dirty Frag (1) (2). This disclosure, brought forward as a result of an embargo break by an unrelated third party, exposes an exploitation chain combining two…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK). Origin Iran. Presumed sponsor…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT42 (Mandiant/Google TI, reference designation : first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force).…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: MERCURY (Microsoft, historical designation), MuddyWater (ClearSky, common usage designation), Mango Sandstorm (Microsoft, current designation), Seedworm (Symantec/Broadcom), Static Kitten (CrowdStrike), Earth Vetala (Trend Micro), TEMP.Zagros (Mandiant/FireEye pre-attribution), TA450 (Proofpoint), Boggy Serpens…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT39 (Mandiant/Google TI, reference designation), Chafer (Symantec, CrowdStrike), REMIX KITTEN (CrowdStrike), Burgundy Sandstorm (Microsoft), Radio Serpens (ESET), COBALT HICKMAN (SecureWorks), ITG07 (IBM X-Force), TA454 (Proofpoint), Cadelspy (Symantec), Remexi (Kaspersky). Additional…
