Tag: Alert

INTELLIGENCE REPORT : AGRIUS (Agonizing Serpens)

TLP:CLEAR | CTI Team | Updated: March 2026
1. IDENTIFICATION & ATTRIBUTION
Designations (vendor aliases): the group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK).
Origin: Iran. Presumed sponsor…

Russian Intelligence Services Espionage Campaign Targeting Signal Accounts and Encrypted Messaging Applications

Technical and Strategic Analysis | FBI/CISA PSA I-032026-PSA — March 20, 2026 | TLP:CLEAR
1. Executive Summary — Board Level / Strategic View
On March 20, 2026, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published a public service announcement (PSA I-032026-PSA) alerting the public to an active campaign by…

INTELLIGENCE REPORT — HANDALA / HANDALA HACK TEAM

TLP:CLEAR | General Public | Updated: March 2026
1. IDENTIFICATION & ATTRIBUTION
Naming (known aliases by vendor): the group is tracked under the following names across vendors: Handala, Handala Hack, Handala Hack Team, Void Manticore (Check Point Research), Storm-0842 / Storm-842 (Microsoft), BANISHED KITTEN (CrowdStrike), Dune (other vendors) (1)(2). Associated operational personas include Karma (alias…

INTELLIGENCE REPORT — APT34

TLP:CLEAR | Mixed audience | Updated: March 2026
1. IDENTIFICATION & ATTRIBUTION
Designations: OilRig (CrowdStrike), Helix Kitten (CrowdStrike), APT34 (Mandiant/Google), IRN2 (SecureWorks), COBALT GYPSY (SecureWorks), Crambus (Symantec), Earth Simnavaz (Trend Micro), EUROPIUM (Microsoft)
Origin: Iran
Suspected sponsor: Iranian Ministry of Intelligence (MOIS — Vezarat-e Ettela’at va Amniat-e Keshvar)
Sophistication level: High (confirmed APT, persistent operations…

Microsoft OOB hotpatch KB5084597 addresses three RCE vulnerabilities in RRAS MMC snap-in

On March 13, 2026, Microsoft released out-of-band update KB5084597 to remediate three remote code execution (RCE) vulnerabilities in the RRAS (Routing and Remote Access Service) MMC snap-in: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111.
Attack surface and exploitation vector
The vulnerabilities reside in the RRAS MMC snap-in used for remote server management, so the exposed systems are the administrative hosts that run the snap-in rather than the RRAS servers themselves. The attack vector is client-side: the…
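Because the exposure is client-side, the hosts to inventory are the administrative workstations and servers that have the RRAS management tools installed but not the out-of-band update. The PowerShell below is an added example for that triage and is not code from the advisory or from Microsoft; only the KB number comes from the page. The RSAT capability name pattern (`Rsat.RemoteAccess*`) and the server feature name (`RSAT-RemoteAccess`) are assumptions, and remote execution assumes WinRM is enabled and the session is elevated (Get-WindowsCapability requires it).

```powershell
# Added example (not from the advisory). Reports, per host, whether the RRAS
# management tools (the RSAT package that carries the RRAS MMC snap-in) are
# present and whether the out-of-band update KB5084597 is installed.
# Assumptions: the capability name pattern 'Rsat.RemoteAccess*' (client SKUs)
# and the feature name 'RSAT-RemoteAccess' (server SKUs) are assumed, not
# taken from the page. Requires WinRM for remote hosts and an elevated session.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$KbId = 'KB5084597'   # the only value taken from the advisory text

$check = {
    param($KbId)

    # Installed updates as exposed by Win32_QuickFixEngineering.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # RSAT tools are Windows capabilities on client SKUs ...
    $rsatClient = Get-WindowsCapability -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'Rsat.RemoteAccess*' -and $_.State -eq 'Installed' }

    # ... and Windows features on server SKUs (Get-WindowsFeature only exists there).
    $rsatServer = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $rsatServer = Get-WindowsFeature -Name 'RSAT-RemoteAccess' -ErrorAction SilentlyContinue |
            Where-Object Installed
    }

    $toolsPresent = [bool]($rsatClient -or $rsatServer)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        RrasToolsPresent = $toolsPresent
        KbInstalled      = [bool]$hotfix
        InstalledOn      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        # A host that runs the snap-in and lacks the update is the one to patch first.
        Exposed          = [bool]($toolsPresent -and -not $hotfix)
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $KbId |
    Select-Object Computer, RrasToolsPresent, KbInstalled, InstalledOn, Exposed |
    Sort-Object Exposed -Descending |
    Format-Table -AutoSize
```

Run it with a list of admin hosts (`.\Check-Kb5084597.ps1 -ComputerName admin01,admin02`); the `Exposed` column is the prioritisation signal. Hosts without the RRAS tools still receive the update through normal channels, but they are not where a malicious RRAS server can reach a client-side bug in the snap-in.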

Full CTI analysis of the ANSSI 2025 Cyber Threat Panorama (CERTFR-2026-CTI-002)

Classification: TLP:CLEAR (unrestricted public distribution)
Primary source: ANSSI CERTFR-2026-CTI-002, March 2026
Frameworks: MITRE ATT&CK v16 · Diamond Model · Cyber Kill Chain · CVSS v3.1
Regulatory context: NIS2 Directive · Cyber Resilience Act · GDPR
Sectors covered: Education · Healthcare · Telecom · Local Government · Defense · Cloud · OT/ICS
This article is CTI analysis based on the…

RESURGE: In-Depth Analysis of a Persistent Implant on Ivanti Connect Secure

Exploitation of CVE-2025-0282 | CVSS 9.0 | SPAWN/SPAWNCHIMERA Malware Family
Dominant ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1071.001 (Web Protocols), T1556 (Modify Authentication Process)
Affected Technology: Ivanti Connect Secure (Pulse Secure) VPN Appliance
Classification: TLP:CLEAR-PAP:CLEAR
1. Executive Summary (Board-Level Strategic Abstract)
The RESURGE implant represents a first-order structural threat to any organization operating Ivanti Connect…

UAC-0001 (APT28) Actively Exploits CVE-2026-21509 via Microsoft Office to Target Ukraine and EU Countries

Executive Summary
In late January 2026, CERT-UA issued a critical alert regarding the active exploitation of CVE-2026-21509, a vulnerability affecting Microsoft Office. The vulnerability is being leveraged by the threat actor UAC-0001, attributed to the Russian state-sponsored group APT28 (Fancy Bear). Observed attacks primarily target Ukrainian governmental institutions, but multiple European Union organizations have also…

Fortinet Releases Patches Following Active Exploitation of CVE-2026-24858

Context
CISA published an alert on January 28, 2026, regarding active exploitation of vulnerability CVE-2026-24858 affecting multiple Fortinet products. This flaw was added to CISA’s KEV (Known Exploited Vulnerabilities) catalog on January 27, 2026. Fortinet has released patches and recommendations to remediate this critical authentication bypass vulnerability.
Technical Description of the Vulnerability
CVE-2026-24858 is an…

January 2026 Patch Tuesday

Executive Summary
In January 2026, Microsoft’s Patch Tuesday addressed 114 vulnerabilities, including 8 Critical flaws primarily in Windows and Office. The release fixed multiple remote code execution (RCE) and elevation of privilege (EoP) bugs. Microsoft confirmed one actively exploited zero-day (CVE-2026-20805) and two publicly disclosed issues patched this month (CVE-2023-31096 and CVE-2026-21265). One publicly known…