Tag: CISA

INTELLIGENCE REPORT : MERCURY (MuddyWater)

TLP:CLEAR | CTI Team | Updated: March 2026

1. IDENTIFICATION & ATTRIBUTION

Designations (vendor aliases)

The group is tracked under the following designations by vendors: MERCURY (Microsoft, historical designation), MuddyWater (ClearSky, common usage designation), Mango Sandstorm (Microsoft, current designation), Seedworm (Symantec/Broadcom), Static Kitten (CrowdStrike), Earth Vetala (Trend Micro), TEMP.Zagros (Mandiant/FireEye pre-attribution), TA450 (Proofpoint), Boggy Serpens…

Russian Intelligence Services Espionage Campaign Targeting Signal Accounts and Encrypted Messaging Applications

Technical and Strategic Analysis

FBI/CISA PSA I-032026-PSA — March 20, 2026 | TLP:CLEAR

1. Executive Summary — Board Level / Strategic View

On March 20, 2026, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published a public service announcement (PSA I-032026-PSA) alerting the public to an active campaign by…

INTELLIGENCE REPORT — APT35

TLP:CLEAR | CTI Team | Updated: March 2026

1. IDENTIFICATION & ATTRIBUTION

Designations (known aliases by vendor)

The group is tracked under the following designations: APT35 (Mandiant/Google TI, reference designation), Phosphorus / Mint Sandstorm (Microsoft), TA453 (Proofpoint), Charming Kitten (ClearSky), Ballistic Bobcat (ESET), ITG18 (IBM X-Force), Yellow Garuda (PwC), NewsBeef (Kaspersky). Additional documented aliases: Ajax…

RESURGE: In-Depth Analysis of a Persistent Implant on Ivanti Connect Secure

Exploitation of CVE-2025-0282 | CVSS 9.0 | SPAWN/SPAWNCHIMERA Malware Family

Dominant ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1071.001 (Web Protocols), T1556 (Modify Authentication Process)

Affected Technology: Ivanti Connect Secure (Pulse Secure) VPN Appliance

Classification: TLP:CLEAR-PAP:CLEAR

1. Executive Summary (Board-Level Strategic Abstract)

The RESURGE implant represents a first-order structural threat to any organization operating Ivanti Connect…

Fortinet Releases Patches Following Active Exploitation of CVE-2026-24858

Context

CISA published an alert on January 28, 2026, regarding active exploitation of vulnerability CVE-2026-24858 affecting multiple Fortinet products. This flaw was added to CISA’s KEV (Known Exploited Vulnerabilities) catalog on January 27, 2026. Fortinet has released patches and recommendations to remediate this critical authentication bypass vulnerability.

Technical Description of the Vulnerability

CVE-2026-24858 is an…

Top 25 CWE 2025 – Technical Analysis

Executive Summary

The 2025 CWE Top 25 by MITRE highlights the most prevalent and dangerous software weaknesses, derived from an analysis of 39,080 CVE records published between mid-2024 and mid-2025. These weaknesses – often easy to find and exploit – account for a large share of critical vulnerabilities that enable adversaries to fully compromise systems,…

Pro-Russia Hacktivists: Opportunistic Attacks Against US and Global Critical Infrastructure

On December 9, 2025, CISA, FBI, NSA and 23 international partner organizations published a joint advisory detailing the activities of pro-Russia hacktivist groups targeting industrial control systems and critical infrastructure in the United States and globally. This publication follows Operation Eastwood, conducted by the European Cybercrime Centre, and the joint fact sheet of May 6,…

Mitigating Risks from Bulletproof Hosting Providers

Executive Summary

In a coordinated international initiative, the ASD, CISA, FBI, and their partners released the “Bulletproof Defense” guide. This document goes beyond simple warnings; it provides a technical methodology to dismantle the tactical advantage of Bulletproof Hosting (BPH) providers. These actors are not merely lax hosts; they are architects of cybercrime, providing infrastructure resilient…

Microsoft Exchange Server On-Premises: Security Best Practices

In this article, I present a summary of the security best practices for Microsoft Exchange Server, directly inspired by the recommendations published by the NSA and CISA. These guidelines aim to strengthen the resilience of Exchange environments hosted in data centers — whether on-premises or hybrid — against current threats, including email account compromises and…