acint

APT28 Deploys Operation MacroMaze: Webhook-Based Macro Malware Targets European Entities

Russia-linked APT28 (also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has launched a sophisticated espionage campaign targeting entities across Western and Central Europe. The operation, codenamed Operation MacroMaze by S2 Grupo’s LAB52 threat intelligence team, was active between September 2025 and January 2026. Campaign Overview Operation MacroMaze demonstrates that simplicity…

Chinese APT UnsolicitedBooker Deploys LuciDoor and MarsSnake Backdoors Against Central Asian Telecoms

A China-aligned threat actor known as UnsolicitedBooker has expanded its targeting to telecommunications companies in Kyrgyzstan and Tajikistan, deploying two sophisticated backdoors—LuciDoor and MarsSnake—in a series of espionage campaigns documented by Positive Technologies researchers. Campaign Overview UnsolicitedBooker, first documented by ESET in May 2025 after targeting Saudi Arabian organizations, has been active since at least…

AI-Augmented Attack: Russian-Speaking Cybercriminals Compromise 600+ FortiGate Firewalls

A Russian-speaking cybercrime group has compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, leveraging off-the-shelf generative AI tools to automate and scale their operations, according to a new incident report from AWS. Attack Campaign Overview The campaign, which ran from mid-January to mid-February 2026, didn’t rely on sophisticated…

APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign

Russia’s notorious state-sponsored threat actor APT28 (also known as Fancy Bear) has been attributed to a sophisticated new campaign targeting organizations across Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the campaign—codenamed Operation MacroMaze—was active between September 2025 and January 2026. What makes this campaign notable is its reliance on basic…

Unit 42 Exposes Active Exploitation of BeyondTrust CVE-2026-1731 with VShell and SparkRAT Backdoors

Palo Alto Networks’ Unit 42 has uncovered an active exploitation campaign targeting BeyondTrust Remote Support and Privileged Remote Access appliances through CVE-2026-1731, a critical pre-authentication remote code execution vulnerability with a CVSS score of 9.9. The attacks have deployed sophisticated backdoors including VShell and SparkRAT across organizations in the financial services, healthcare, legal, and high-tech sectors…

Chinese APT Exploited Dell RecoverPoint Zero-Day for 18 Months Before Discovery

A suspected China-linked cyberespionage group has been covertly exploiting a critical zero-day vulnerability in Dell’s RecoverPoint for Virtual Machines (CVE-2026-22769) since at least mid-2024, according to new research from Google’s Threat Intelligence Group (GTIG) and Mandiant. The attackers deployed sophisticated backdoors and maintained persistent access inside targeted networks for over 18 months before discovery…

Remcos RAT Evolves with Real-Time Webcam Streaming and Live Keylogging Capabilities

A newly observed variant of Remcos RAT has introduced significant upgrades to its surveillance arsenal, marking a dangerous evolution in how this remote access trojan operates on compromised Windows systems. From Storage to Streaming According to Infosecurity Magazine, the updated strain represents a fundamental shift in operational methodology. Rather than relying primarily on storing stolen…

CVE-2026-20841: Windows Notepad RCE Vulnerability Weaponized with Public PoC Exploit

A high-severity remote code execution (RCE) vulnerability in Microsoft’s modern Windows Notepad application has been patched as part of the February 2026 Patch Tuesday release—but security researchers have already published a working proof-of-concept exploit on GitHub, raising concerns about active exploitation in the wild. The Vulnerability: Command Injection via Markdown Rendering Tracked as CVE-2026-20841, the…

SANDWORMMODE: Self-Replicating npm Worm Steals Dev Secrets and Targets AI Coding Tools

A sophisticated supply chain worm dubbed SANDWORMMODE is actively targeting the npm ecosystem, compromising at least 19 malicious packages designed to steal developer credentials and CI/CD secrets while automatically spreading across repositories and workflows. Researchers at Socket identified the campaign, which uses typosquatted npm packages and poisoned GitHub Actions to infect developer machines and CI…

Starkiller: New Commercial-Grade Phishing Kit Bypasses MFA with Live Site Proxying

A newly uncovered phishing kit allows cybercriminals to steal credentials with a sophisticated toolkit that spoofs live login pages and bypasses multi-factor authentication (MFA) protections, cybersecurity analysts at Abnormal Security have warned. Dubbed Starkiller, the phishing platform has been described as “a commercial-grade cybercrime platform” and “a comprehensive toolkit for stealing identities at scale.” The…