S2

1.8K posts


@sisoma2

Threat Intelligence Researcher at @symantec | Former @Trellix | Malware Analyst | Threat Intel | APT Hunter | CTF Player @Ripp3rsCTF | Opinions are my own

Joined August 2008
2.5K Following, 1.9K Followers
Pinned Tweet
S2 @sisoma2
My latest research is now live! We analyze an espionage campaign targeting high-ranking government officials leveraging CVE-2021-40444 and possibly linked to APT28. trellix.com/en-us/about/ne… #apt28 #cve_2021_40444
S2 retweeted
Kim Zetter @KimZetter
In my Fast16 story I mention Israeli intelligence stole a tranche of documents from Iran about its nuclear program. In 2018, Israeli PM Bibi Netanyahu gave a presentation using the docs, including an Iranian video showing a simulated implosion of a nuclear weapon m.youtube.com/watch?v=pkihrV…
S2 retweeted
Inst for Science @TheGoodISIS
AVAILABLE NOW - Our analysis of the Fast 16 Malware: Fast 16 Malware Aimed at Undermining Proliferant State Nuclear Weapons Programs, Iran was a Credible Target

We performed this analysis in collaboration with Symantec’s Threat Hunter Team and Kim Zetter, with whom we had collaborated years ago on the Stuxnet malware. Our collaboration with @symantec and @KimZetter developed after Sentinel One publicly revealed the Fast16 malware, which is dated to about 2005 and was a multi-year sustained operation.

The malware looks to be targeting a nuclear weapon program’s hydrodynamic calculation group working on implosion systems using weapon-grade uranium as the nuclear explosive material. Fast 16 targets the LS DYNA and AUTODYN software and specifically manipulates the values during simulations of explosively driven compressions of very dense materials. These software packages are very useful and capable of modeling the whole hydrodynamic process, starting with the detonation of the high explosives, the development of a shock wave accelerating a high-density metal flyer plate that strikes the core with tremendous force, causing compression of a central dense core to very high pressures and temperatures, exactly the hydrodynamic process in an implosion-type, solid core, levitated design common to many early nuclear weapons programs. The software packages enable the solution and characterization of a very difficult problem involving the full transient physics of matter under extreme compression. They turn an extremely fast and opaque physical process into a fully resolved, designable system, with an exact geometry, driver, and timing that produces the pressure, density, and uniformity desired. Although the malware looks first for specific high explosive equation of state (EOS) packages in either LS DYNA or AUTODYN, that seems just to be a first step in locating a worthwhile target, or a way to narrow its search.

The ultimate target is a material being compressed that is far denser than the high explosive materials and far denser than the metals commonly studied in commercial applications of LS DYNA and AUTODYN. The target metal appears to be uranium. The software lists a value of 19, where 19 g/cc is the density of solid uranium at atmospheric pressure. The manipulation of the simulation output was to start when the density of the compressed material would reach 30, which again indicates uranium. The density of 30 g/cc is the point at which the lattice structure of solid uranium is soon to collapse, and the material starts to liquify under shock. A density of 30 g/cc is further assessed to be a compression within reach of an early nuclear implosion weapons program. This indicates that a core of uranium is the target and shows the malware starting to act in a particularly important region where the uranium is starting to undergo a phase change from solid to liquid. This region is particularly important to a nuclear weapons team that wants to understand how to increase the uranium’s density, and ultimately help achieve a higher explosive yield, but it is also a region that is very difficult to study experimentally. The accuracy of predicted pressures, densities, and phase states becomes increasingly uncertain at high compression because of limitations in available uranium equation-of-state data and the complexity of its phase behavior, leaving the designer more dependent on the model than on experimental data.

Target Iran?

While we cannot exclude other target countries working on nuclear weapons in the early 2000s, such as North Korea or possibly Syria, the timing, the access required for creating the faulty driver memory, and the focus on uranium point to Iran’s nuclear weapons efforts being the target. It is also known from a variety of academic publications that both LS DYNA and AUTODYN were being used in Iran in this time period.

In the period of 2003 to 2005, Western intelligence agencies believed that Iran had an active nuclear weapons program concentrated on building warheads for ballistic missile delivery, with active calculation and simulation teams modeling the nuclear explosion. Although Western intelligence was unaware in 2005 that Iran had ended the program, codenamed the Amad Plan, dedicated to building five nuclear weapons as fast as possible, Iran instituted a new nuclear weapons program on a reduced scale which was likely more dependent on computer calculations and simulations. In either case, malware targeting the results of these complex calculations characterizing a region of high pressure and density posed a serious threat to the program. Despite missing Amad’s shutdown, Western intelligence in 2005 had penetrated Iran’s nuclear weapons program in multiple ways, and within a few years afterwards learned that the Amad Plan had shut down. The penetration could have been sufficient that someone could have inserted the malware into the internal computer networks used by the nuclear weapons teams, a requirement since the malware does not transit via the internet.

Iran’s nuclear weapons program in 2003, at the end of Amad, was suffering problems in its nuclear weapons design. The 2018 seizure by Israel of the Nuclear Archive, a detailed library of the Amad Plan, contains discussions about the state of the nuclear weapons effort as of late 2003. In summing up the challenges that remained when the Amad Plan was ending, the leaders of the program met and noted difficulties in the design section, defined as calculations and analysis, production, and test. They cited the lack of scientific knowledge of design, where the main problem is the reduction in the scientific studies of the project. The head of the program concluded that the design team had to specify a set of questions so that these questions become the instructions for other teams such as production and test.

These problems likely persisted into the time when the malware was active, and the reorganized nuclear weapons team was running computer codes. One further indication of Iran’s on-going multi-year efforts to conduct satisfactory hydrodynamic simulations is that the IAEA reported that Iran in 2008 and 2009 was modeling spherical geometries consisting of a weapon-grade uranium core subject to shock compression. If Iran was the target, Iran’s nuclear weapons program would have had a hard time doubling the core density in 2005, and likely also today. Achieving such high densities in uranium poses several challenges in a single HE-flyer plate-solid core system. Moreover, in 2003, Iran was looking to achieve only an explosive yield of 10 kilotons, further suggesting that the nuclear weapons team was not working to achieve such high densities. This would suggest that the actual densities being achieved were less than double and closer to 31 or 33 grams per cc, close to the activation density of the malware and after the solid would undergo a phase change to a liquid.

Action of the Malware

The Symantec threat hunter team identified multiple mechanisms, which they call A, B, and C, in the malware sample that was detected and analyzed. Mechanism A was judged as naive and not further assessed. B appears to target LS DYNA, and C targets AUTODYN. Beyond the malware authors’ apparent confidence in the worthiness of the effort, thus far it is not possible to fully establish the malware’s impact on a nuclear weapons program. Simply put, both mechanisms B and C manipulated Equation of State results for the compressed weapon-grade uranium, or its stand-in natural uranium, metal, and specifically lowered the calculated pressure experienced by the uranium by a factor determined by the actual pressure being calculated by the EOS program. If this value or these values are lowered too much, the inconsistencies in the resulting physics should be noticeable or discoverable by the user.

But if the change is less, lowering the results artificially, it may not be noticed by the user of the software. If pressure is the output value lowered, the manipulated results would indicate to the user that the uranium is “softer” and more easily compressed than it is in reality. However, it would also indicate that the shock wave propagating through the material, intended to sustain supercriticality throughout the core as well as initiating the neutron source at the center, is weaker than expected, and the phase change to melting may appear to onset earlier or later, or the dense-fluid region may look broader or narrower. The accuracy of predicted pressures, densities, and phase states becomes increasingly uncertain at high compression because of limitations in available uranium equation-of-state data and the complexity of its phase behavior. Thus, a misperceived result in this region may be more readily believed because of these uncertainties, particularly because of the difficulty of testing experimentally in this density region.

The impact of a malware’s change in the pressure in the region above 30 grams per cc can complicate efforts to improve the design and even send programs down wrong paths. The calculational team may recommend more force on the core or more efficient transfer of force to increase the compression. This may put pressure on manufacturing teams to make and test new components to enable these changes. This could complicate miniaturization efforts, a critical concern to ensure the warhead fits into a ballistic missile re-entry vehicle. The effect could be to waste time and resources, and lower the overall morale of the program. If “fixes” are made and the program runs again, unsatisfactory values will be generated anew.

If the results are accepted as valid and no further work is done, then the nuclear weapons program ends with a mistaken view of the performance of the imploding core, leading to potential distortions when the code is combined with neutronic codes. The sum total may result in a system that will not work, or will underperform, when detonated. Thus, the results would undermine confidence in the overall workability of a simulated design, and if the scaling in the pressure went unnoticed, could potentially lead to structural design changes in the components of the weapon to rectify the perceived problems. In any case, the malware appears intended to disrupt the development and construction of a nuclear weapon.

Links to the analysis on our website, Symantec, and Kim Zetter's report here: isis-online.org/isis-reports/f…; security.com/blog-post/fast…; zetter-zeroday.com/experts-confir…
S2 retweeted
Kim Zetter @KimZetter
Exclusive: Fast16 malware has raised questions about what it was designed to do. Researchers at @symantec finally confirm that it was subverting software used to simulate nuclear weapons explosions. Nuclear experts tell me Iran was the likely target zetter-zeroday.com/experts-confir…
S2 retweeted
Austin Larsen @AustinLarsen_
⚠️ Our team at Google is releasing more details on the recent NPM #axios supply chain attack. Notably, we now attribute this activity to #UNC1069, a financially motivated North Korean 🇰🇵 nexus threat actor active since at least 2018.
S2 retweeted
Feross @feross
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
S2 @sisoma2
We are actively tracking this. If you have extra information on the attack, have seen Speagle in your telemetry, or want to discuss attribution, my DMs are open. Let's connect and share insights. 🤝 #ThreatIntel #InfoSec #CTI
S2 @sisoma2
🎯 New Research: We just published a breakdown of a highly targeted supply chain attack aimed at a Chinese missile research institute. The payload? A custom .NET infostealer we're calling Speagle 🦅. Read the full report: security.com/threat-intelli… 🧵👇
S2 retweeted
The Hacker News @TheHackersNews
🛑 Iran-linked hackers quietly embedded inside multiple U.S. organizations, Broadcom researchers report. The campaign is tied to MuddyWater, an #Iranian state group. Attackers deployed a Deno-based backdoor and tried exfiltrating data using Rclone to cloud storage. 🔗 Read → thehackernews.com/2026/03/iran-l…
S2 retweeted
Sans Limite @SansLimit3
Several Shodan API keys exposed in open directories revealed usernames associated with #MuddyWater members, Edu plan accounts: icemint, Blackmoz0, nopac. Another C2: 141[.]11.187.165 (moz folder - similar targets, tools, Persian comments, etc.) x.com/polygonben/sta…
Quoted tweet from Ben @polygonben:
🚨Recent MuddyWater APT campaign, linked to Iranian intelligence, exposed by Ctrl-Alt-Intel 😬 - 10+ CVEs used - Custom-developed C2s - EtherHiding malware - Sensitive data stolen ctrlaltintel.com/threat%20resea… Super fun collab-ing with @ice_wzl_cyber to get this published 🔥
S2 retweeted
Ben @polygonben
🚨Recent MuddyWater APT campaign, linked to Iranian intelligence, exposed by Ctrl-Alt-Intel 😬 - 10+ CVEs used - Custom-developed C2s - EtherHiding malware - Sensitive data stolen ctrlaltintel.com/threat%20resea… Super fun collab-ing with @ice_wzl_cyber to get this published 🔥
S2 retweeted
Andy Greenberg (@agreenberg at the other places)
A full iOS exploit toolkit, "Coruna," has been found in the wild, hacking iPhones that visited infected websites, used by Russian spies targeting Ukrainians and thieves targeting Chinese crypto holders. And it may have been created for the US government. wired.com/story/coruna-i…
S2 retweeted
The Hacker News @TheHackersNews
🛡️💻 Lazarus used Medusa ransomware in a Middle East attack, Symantec reports. The group also targeted a U.S. healthcare org. Medusa claims 366+ victims, with recent U.S. ransoms averaging $260K. Analysts see a shift to off-the-shelf RaaS over custom code. 🔗 Details → thehackernews.com/2026/02/lazaru…