TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK). Origin Iran. Presumed sponsor…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT42 (Mandiant/Google TI, reference designation : first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force).…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: MERCURY (Microsoft, historical designation), MuddyWater (ClearSky, common usage designation), Mango Sandstorm (Microsoft, current designation), Seedworm (Symantec/Broadcom), Static Kitten (CrowdStrike), Earth Vetala (Trend Micro), TEMP.Zagros (Mandiant/FireEye pre-attribution), TA450 (Proofpoint), Boggy Serpens…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT39 (Mandiant/Google TI, reference designation), Chafer (Symantec, CrowdStrike), REMIX KITTEN (CrowdStrike), Burgundy Sandstorm (Microsoft), Radio Serpens (ESET), COBALT HICKMAN (SecureWorks), ITG07 (IBM X-Force), TA454 (Proofpoint), Cadelspy (Symantec), Remexi (Kaspersky). Additional…
Technical and Strategic AnalysisFBI/CISA PSA I-032026-PSA — March 20, 2026 | TLP:CLEAR 1. Executive Summary — Board Level / Strategic View On March 20, 2026, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published a public service announcement (PSA I-032026-PSA) alerting the public to an active campaign by…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Denominations (known aliases by vendor) The group is tracked under the following denominations: APT35 (Mandiant/Google TI, reference designation), Phosphorus / Mint Sandstorm (Microsoft), TA453 (Proofpoint), Charming Kitten (ClearSky), Ballistic Bobcat (ESET), ITG18 (IBM X-Force), Yellow Garuda (PwC), NewsBeef (Kaspersky). Additional documented aliases: Ajax…
TLP:CLEAR | CTI Analysts | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Naming (known aliases by vendor) The group is tracked under the following names across vendors: APT33 (Mandiant/FireEye, reference designation), Elfin / Elfin Team (Broadcom/Symantec), Refined Kitten (CrowdStrike), Peach Sandstorm (Microsoft, formerly HOLMIUM), MAGNALLIUM (Dragos), COBALT TRINITY (SecureWorks), ATK35, TA451, G0064 (MITRE ATT&CK) (1)(2)(3)(4).…
TLP:CLEAR | General Public | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Naming (known aliases by vendor) The group is tracked under the following names across vendors: Handala, Handala Hack, Handala Hack Team, Void Manticore (Check Point Research), Storm-0842 / Storm-842 (Microsoft), BANISHED KITTEN (CrowdStrike), Dune (other vendors) (1)(2). Associated operational personas include Karma (alias…
TLP:CLEAR | Mixed audience | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations: OilRig (CrowdStrike), Helix Kitten (CrowdStrike), APT34 (Mandiant/Google), IRN2 (SecureWorks), COBALT GYPSY (SecureWorks), Crambus (Symantec), Earth Simnavaz (Trend Micro), EUROPIUM (Microsoft) Origin: Iran Suspected sponsor: Iranian Ministry of Intelligence (MOIS — Vezarat-e Ettela’at va Amniat-e Keshvar) Sophistication level: High (confirmed APT, persistent operations…
On March 13, 2026, Microsoft released out-of-band update KB5084597 to remediate three remote code execution (RCE) vulnerabilities in the RRAS (Routing and Remote Access Service) MMC snap-in: CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111. Attack surface and exploitation vector The vulnerability resides in the RRAS MMC snap-in used for remote server management. The attack vector is client-side: the…
