Secure Chicken 🐣

80 posts

@securechicken

Rural cybersecurity practitioner and seasoned brewer. Opinions are my own, I work @HarfangLab (former GREAT, CISO and FR Gov).

France · Joined February 2020
85 Following · 474 Followers

Secure Chicken 🐣 @securechicken
Yet they do. In 2026 we expect a new lot of unwanted - sometimes avoidable - developments in cyberspace. After a full review of last year's predictions, our HarfangLab 2026 Threatscape report anticipates 9 trends and threats 🔦. harfanglab.io/insidethelab/2…

Secure Chicken 🐣 @securechicken
2026 starts with abduction🥷, massive protests✊ and intentions to dispose🧊, on top of tensions + wars🪖 we got out of 2025 with - cyber ppl are humbly reminded of the quite minor role cyber threats💾 play in global risks and changes.

Secure Chicken 🐣 @securechicken
Mails can contain an invitation to an online meeting (i.e. MS Teams), but the link is replaced to trick the user into signing in (using the MS device code flow, which requires a manually entered and TA-generated code). Similar campaigns and TTPs previously documented by Volexity and Elastic.

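The post above describes phishing that abuses the Microsoft device code flow. The following is an added detection example, not code from the original posts or from HarfangLab: it runs a simple rule over sign-in records shaped like Microsoft Graph `signIn` objects (the `authenticationProtocol`, `userPrincipalName`, `location.countryOrRegion` and `status.errorCode` fields are real Graph properties; the records themselves are constructed for the example). Successful device code sign-ins are reported, and those from a country not seen in the user's ordinary (non-device-code) successful sign-ins are rated high, since a victim who was tricked into entering an attacker-generated code typically completes the flow from the attacker's location.

```python
"""Flag Microsoft device code flow sign-ins that deserve analyst review.

Added example; assumes sign-in records shaped like Microsoft Graph signIn
objects. The sample records below are constructed, not real telemetry.
"""
from collections import defaultdict

# Constructed sample sign-in records (not real users or events).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-12-03T08:00:00Z", "userPrincipalName": "alice@ngo.example",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-03T09:12:00Z", "userPrincipalName": "alice@ngo.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-04T14:30:00Z", "userPrincipalName": "bob@thinktank.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-04T14:35:00Z", "userPrincipalName": "bob@thinktank.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50199}},
    {"createdDateTime": "2025-12-05T07:45:00Z", "userPrincipalName": "carol@ngo.example",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams",
     "location": {"countryOrRegion": "PL"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-05T11:20:00Z", "userPrincipalName": "carol@ngo.example",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]


def build_baseline(records):
    """Countries per user seen in successful sign-ins that did NOT use device code.

    These are the locations the user normally signs in from; a device code
    completion elsewhere is the interesting case.
    """
    baseline = defaultdict(set)
    for rec in records:
        if rec["authenticationProtocol"] == "deviceCode":
            continue
        if rec["status"]["errorCode"] != 0:
            continue
        baseline[rec["userPrincipalName"]].add(rec["location"]["countryOrRegion"])
    return baseline


def flag_device_code_signins(records, baseline=None):
    """Return review items for successful device code sign-ins.

    Severity is "high" when the sign-in country is outside the user's baseline
    (or the user has no baseline at all), otherwise "low" (the flow is still
    rarely needed by interactive users and worth a glance).
    """
    if baseline is None:
        baseline = build_baseline(records)
    flagged = []
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode":
            continue
        # Failed or pending attempts (non-zero errorCode) are not completed
        # phishing; only successful completions grant the attacker a token.
        if rec["status"]["errorCode"] != 0:
            continue
        user = rec["userPrincipalName"]
        country = rec["location"]["countryOrRegion"]
        known = baseline.get(user, set())
        severity = "high" if country not in known else "low"
        flagged.append({
            "time": rec["createdDateTime"],
            "user": user,
            "app": rec.get("appDisplayName", ""),
            "country": country,
            "baseline_countries": sorted(known),
            "severity": severity,
        })
    return flagged


def summarize(flagged):
    """Count review items per severity, e.g. {"high": 2, "low": 1}."""
    counts = defaultdict(int)
    for item in flagged:
        counts[item["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    items = flag_device_code_signins(SAMPLE_SIGNINS)
    for item in items:
        print(f"[{item['severity']:4}] {item['time']} {item['user']} "
              f"via {item['app']} from {item['country']} "
              f"(baseline: {item['baseline_countries'] or 'none'})")
    print("summary:", summarize(items))
```

In a real tenant the baseline would be built from a longer history than the batch being inspected, and the rule pairs naturally with conditional access policies that restrict which applications may use the device code flow at all.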
Secure Chicken 🐣 @securechicken
Up to now we identified tgts in NGOs and think-tanks. In December, the threat actor notably leveraged an online profile using the "Janis Cerny" name, who pretends to be a diplomat working with the EU. Mail is janiscerny[@]seznam[.]cz, and the WhatsApp profile/number is [+42]0 735 596 5[65]

Secure Chicken 🐣 @securechicken
Likely state-sponsored TA still targeting orgs with WhatsApp🤳 + mail 📩 phishing in 🇪🇺 in December. Goal is to get access to the MS account of high value targets. TA is particularly interested in people or organisations that run activities in 🇺🇦

Secure Chicken 🐣 @securechicken
@bluish_red_ @_CPResearch_ @harfanglab Finding hints of access dev wave A in several cases of org B exploitation is then likely. 4th parties can always join, but for me it's more likely A+B somehow cooperate, or in a large ecosystem, just that 2 streams going the same direction ended up in the same place.

Secure Chicken 🐣 @securechicken
@bluish_red_ @_CPResearch_ @harfanglab Looking in a single ecosystem: accesses can be opportunistically developed. Those can then be used separately based on ops need: turned into infra, sold, used for exploitation, or a combination of such. By the same or a cooperating party. Several streams of such can flow simultaneously.

Seth @bluish_red_
Cool write-up! REF7707 (another new alias #InkDragon) is again expanding operations. With this report we are now up to Southeast Asia, Africa, Europe, Russia, South America. I believe this is the first time I've seen the ShadowPad link as well.

> Check Point Research @_CPResearch_
> China-linked #InkDragon expands into Europe, building a distributed relay network by weaponizing compromised servers with a custom #ShadowPad IIS listener alongside new TTPs and an evolved FinalDraft. research.checkpoint.com/2025/ink-drago…

Secure Chicken 🐣 @securechicken
Anyway, we wanted to tell a bit later, but we had to rush it now, as fellows did publish about the same toolset today (as "TOLLBOOTH"). We're fewer guys but we may still have found a bit more. IOCs & Yaras: harfanglab.io/insidethelab/r…

Secure Chicken 🐣 @securechicken
All tools speak CN, operators leveraged a CN RMM service, domains are registered in CN and some infra is at Alibaba Cloud - it's likely way more CN-language and specifics than an actual CN operator would need...

Secure Chicken 🐣 @securechicken
Late summer our stuff stopped an infection chain involving a driver, a previously undocumented malicious IIS module, and ASP .NET viewstate abuse.

Secure Chicken 🐣 @securechicken
Because of the simplicity of the associated exploitation and tools, several third parties could have hijacked and/or mimicked past or recent BellaCiao/CYCLOPS-related activity and infrastructure... but it starts to quack quite like a duck 🦆 to me. harfanglab.io/insidethelab/c…

Secure Chicken 🐣 @securechicken
"ea3e059ca58eec16a98691bcae372170d83b97c0_Shell failed[.]txt" contains WebShell filenames which match those dropped by some BellaCiao samples. Several IPs and domains that are listed as "targets" in Episodes 1 and 2 indeed match targets of BellaCiao malware that I know of.

Secure Chicken 🐣 @securechicken
Documents 📃 about alleged IRGC 🇮🇷 cyber ops are being disclosed since last week (#KittenBusters). 2nd batch of data includes a reference to our work @HarfangLab: "see reports on publicly available tools (such as BellaCiao and CYCLOPS) – these are malware tools used"

Secure Chicken 🐣 @securechicken
We found striking similarities with previously reported activity from UNC1151, sometimes referred to as UAC-0057, FrostyNeighbor or Ghostwriter.

Secure Chicken 🐣 @securechicken
We @aridjourney @ArielJT at HarfangLab had a look at archives containing weaponized XLS spreadsheets dropping C# and C++ downloaders, likely intended for targets in Ukraine and Poland.