Category: CTI & OSINT

INTELLIGENCE REPORT – APT33

TLP:CLEAR | CTI Analysts | Updated: March 2026
1. IDENTIFICATION & ATTRIBUTION. Naming (known aliases by vendor): the group is tracked under the following names across vendors: APT33 (Mandiant/FireEye, reference designation), Elfin / Elfin Team (Broadcom/Symantec), Refined Kitten (CrowdStrike), Peach Sandstorm (Microsoft, formerly HOLMIUM), MAGNALLIUM (Dragos), COBALT TRINITY (SecureWorks), ATK35, TA451, G0064 (MITRE ATT&CK) (1)(2)(3)(4).…

INTELLIGENCE REPORT — HANDALA / HANDALA HACK TEAM

TLP:CLEAR | General Public | Updated: March 2026
1. IDENTIFICATION & ATTRIBUTION. Naming (known aliases by vendor): the group is tracked under the following names across vendors: Handala, Handala Hack, Handala Hack Team, Void Manticore (Check Point Research), Storm-0842 / Storm-842 (Microsoft), BANISHED KITTEN (CrowdStrike), Dune (other vendors) (1)(2). Associated operational personas include Karma (alias…

INTELLIGENCE REPORT — APT34

TLP:CLEAR | Mixed audience | Updated: March 2026
1. IDENTIFICATION & ATTRIBUTION. Designations: OilRig (CrowdStrike), Helix Kitten (CrowdStrike), APT34 (Mandiant/Google), IRN2 (SecureWorks), COBALT GYPSY (SecureWorks), Crambus (Symantec), Earth Simnavaz (Trend Micro), EUROPIUM (Microsoft). Origin: Iran. Suspected sponsor: Iranian Ministry of Intelligence (MOIS — Vezarat-e Ettela’at va Amniat-e Keshvar). Sophistication level: High (confirmed APT, persistent operations…

Full CTI analysis of the ANSSI 2025 Cyber Threat Panorama (CERTFR-2026-CTI-002)

Classification: TLP:CLEAR (unrestricted public distribution) | Primary source: ANSSI CERTFR-2026-CTI-002, March 2026 | Frameworks: MITRE ATT&CK v16 · Diamond Model · Cyber Kill Chain · CVSS v3.1 | Regulatory context: NIS2 Directive · Cyber Resilience Act · GDPR | Sectors covered: Education · Healthcare · Telecom · Local Government · Defense · Cloud · OT/ICS
This article is CTI analysis based on the…

RESURGE: In-Depth Analysis of a Persistent Implant on Ivanti Connect Secure

Exploitation of CVE-2025-0282 | CVSS 9.0 | SPAWN/SPAWNCHIMERA Malware Family | Dominant ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1071.001 (Web Protocols), T1556 (Modify Authentication Process) | Affected Technology: Ivanti Connect Secure (Pulse Secure) VPN Appliance | Classification: TLP:CLEAR-PAP:CLEAR
1. Executive Summary (Board-Level Strategic Abstract). The RESURGE implant represents a first-order structural threat to any organization operating Ivanti Connect…

Generative Artificial Intelligence and Cyber Attacks

Threat Analysis and Exposure Surfaces According to ANSSI
1. Scope and Context of the Analysis. In its report CERTFR-2026-CTI-001 published on February 4, 2026, ANSSI provides a structured threat assessment focused on the role of generative artificial intelligence in cyber attacks. The document specifically addresses generative AI systems, defined as systems capable of producing text,…

Pro-Russia Hacktivists: Opportunistic Attacks Against US and Global Critical Infrastructure

CISA, FBI, NSA and 23 international partner organizations published on December 9, 2025 a joint advisory detailing the activities of pro-Russia hacktivist groups targeting industrial control systems and critical infrastructure in the United States and globally. This publication follows Operation Eastwood conducted by the European Cybercrime Centre and the joint fact sheet of May 6,…

Spyware Targeting Secure Mobile Messaging Applications

Executive Summary: A recent CISA alert warns that multiple threat actors are leveraging commercial spyware to compromise users of end-to-end encrypted mobile messaging apps. These attackers employ sophisticated tactics – including malicious QR codes, zero-click exploits, and trojanized messaging apps – to gain unauthorized access to victims’ messaging accounts and intercept private communications. Once a…

F5 Breach: BIG-IP Source Code and Vulnerabilities Stolen by Sophisticated Nation-State Actor

Executive Summary: On October 15, 2025, F5 Networks disclosed a major security breach involving a long-term compromise of its corporate systems by a highly sophisticated state-sponsored threat actor. The attackers maintained persistent access for over a year, notably into F5’s BIG-IP development environment, and exfiltrated sensitive data including portions of BIG-IP source code and details…

U.S. Secret Service Dismantles an Imminent Telecommunications Threat in the New York Tristate Area

Executive Summary: The U.S. Secret Service dismantled a network of electronic devices across the New York tristate area used to conduct telecommunications-related threats targeting senior U.S. government officials, which posed an imminent risk to protective operations. The investigation uncovered more than 300 co-located SIM servers and 100,000 SIM cards at multiple sites. The devices were…