TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations: Agrius (SentinelLabs), Agonizing Serpens (Palo Alto Networks Unit 42), Pink Sandstorm (Microsoft, formerly Americium), Marshtreader (Security.com), BlackShadow (public hack-and-leak persona), DEV-0022 (Microsoft pre-attribution). Additional alias: G1030 (MITRE ATT&CK). Origin Iran. Presumed sponsor…
TLP:CLEAR | CTI Team | Updated: March 2026 1. IDENTIFICATION & ATTRIBUTION Designations (vendor aliases) The group is tracked under the following designations by vendors: APT42 (Mandiant/Google TI, reference designation : first public documentation September 2022), Damselfly (Mandiant internal), UNC788 (Mandiant pre-attribution), CALANQUE (Google Threat Analysis Group), OwlSandstorm (Microsoft), Yellow Garuda (PwC), ITG18 (IBM X-Force).…
Technical and Strategic AnalysisFBI/CISA PSA I-032026-PSA — March 20, 2026 | TLP:CLEAR 1. Executive Summary — Board Level / Strategic View On March 20, 2026, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published a public service announcement (PSA I-032026-PSA) alerting the public to an active campaign by…
Exploitation of CVE-2025-0282 | CVSS 9.0 | SPAWN/SPAWNCHIMERA Malware Family Dominant ATT&CK Techniques: T1190 (Exploit Public-Facing Application), T1071.001 (Web Protocols), T1556 (Modify Authentication Process) Affected Technology: Ivanti Connect Secure (Pulse Secure) VPN Appliance Classification: TLP:CLEAR-PAP:CLEAR 1. Executive Summary (Board-Level Strategic Abstract) The RESURGE implant represents a first-order structural threat to any organization operating Ivanti Connect…
Threat Analysis and Exposure Surfaces According to ANSSI 1. Scope and Context of the Analysis In its report CERTFR-2026-CTI-001 published on February 4, 2026, ANSSI provides a structured threat assessment focused on the role of generative artificial intelligence in cyber attacks. The document specifically addresses generative AI systems, defined as systems capable of producing text,…
Executive Summary In late January 2026, CERT-UA issued a critical alert regarding the active exploitation of CVE-2026-21509, a vulnerability affecting Microsoft Office. The vulnerability is being leveraged by the threat actor UAC-0001, attributed to the Russian state-sponsored group APT28 (Fancy Bear). Observed attacks primarily target Ukrainian governmental institutions, but multiple European Union organizations have also…
Context CISA published an alert on January 28, 2026, regarding active exploitation of vulnerability CVE-2026-24858 affecting multiple Fortinet products. This flaw was added to CISA’s KEV (Known Exploited Vulnerabilities) catalog on January 27, 2026. Fortinet has released patches and recommendations to remediate this critical authentication bypass vulnerability. Technical Description of the Vulnerability CVE-2026-24858 is an…
Executive Summary The 2025 CWE Top 25 by MITRE highlights the most prevalent and dangerous software weaknesses, derived from an analysis of 39,080 CVE records published between mid-2024 and mid-2025. These weaknesses – often easy to find and exploit – account for a large share of critical vulnerabilities that enable adversaries to fully compromise systems,…
Total vulnerabilities fixed: Microsoft’s December 2025 Patch Tuesday addresses 57 security flaws. Among these, 3 vulnerabilities are rated Critical (all remote code execution issues), with the remainder classified as Important (none are labeled as Moderate or Low this month). Note that Microsoft Edge updates (15 vulnerabilities) are not included here, as Edge was updated earlier…
Executive Summary Between May and November 2025, threat actor UAC-0241 conducted a campaign against educational institutions and government bodies in eastern Ukraine. The attack involved a compromised Gmail account distributing a ZIP archive containing a malicious LNK that triggered an HTA → JS → PowerShell execution chain. This led to the deployment of LAZAGNE, several…
