ReliaQuest Threat Research

Between February and March 2026, we identified what we assess to be the first in-the-wild exploitation of CVE-2024-12802, an auth bypass in SonicWall SSL VPN that reduces security to single-factor even when MFA appears enabled. On Gen6 devices, patching the firmware isn't enough. Six manual LDAP reconfiguration steps are required, and standard patch workflows can't verify them. Devices showed as "patched" while remaining fully exploitable. Attackers brute-forced VPN credentials using automated tools and bypassed MFA silently with no failed login alert and no anomalous flag. In some cases it took as few as 13 attempts to land a valid credential. In one environment, the attacker went from VPN auth to file server to Cobalt Strike beacon and a BYOVD driver load in under 40 minutes. EDR stopped the payload, but the attacker adapted and started manually hunting for credentials through Notepad, a technique that blends right into normal file server activity. The pattern is consistent with initial access broker activity feeding into the ransomware ecosystem. The tools match TTPs seen in previous Akira-linked intrusions. Read our full analysis here 🔗 https://t.co/RK2MSkrrku

Help desk impersonation is evolving past credential theft into hands-on-keyboard intrusion. In a recent campaign, attackers spoofed IT support via Microsoft Teams, walked victims through a ClickFix lure, and dropped an evolved variant of "ModeloRAT" tracked as "Kongtuke." The payload established persistence, dumped credentials, and pivoted toward domain controllers, all under the cover of a routine support session. The lure looks like helpdesk noise, but the chain ends in pre-ransomware staging. If affiliates standardize this pattern, the line between social engineering delivery and full hands-on-keyboard intrusion becomes harder to draw. Read our full analysis here: https://t.co/apgPvnw91t

🚨 ClickFix is starting to look less like a delivery mechanism and more like a launchpad for modular post-exploitation.  In a recent intrusion, one pasted command triggered persistence, domain enumeration, a PowerShell C2 loop, and the deployment of PySoxy as an encrypted proxy, all without dropping traditional malware. Both C2 channels were blocked, but a scheduled task kept relaunching the chain for hours, reinforcing that a blocked callback is not containment. The chain bears operational resemblance to SocGholish pre-ransomware staging, and if affiliates begin treating ClickFix as an equivalent initial-access source, the implication is that social engineering delivery paired with bring-your-own-interpreter post-exploitation could become a more common path to ransomware deployment. IOCs and full analysis: https://t.co/kDKzdgiPk3

RansomHouse's claim against Trellix is interesting, but the more important takeaway is the realistic possibility the group used MrAgent, a custom management tool designed to automate and track ransomware deployments across ESXi hypervisor environments. If true, the implication for defenders is significant: once operators gain access to hypervisor management, they may be able to move from initial foothold to widespread encryption far faster than traditional intrusion timelines would suggest. In ESXi environments, automation at the management layer can compress the time between access and impact, leaving defenders with much less time to detect, investigate, and contain the intrusion.

The group claims its attack on Ubuntu servers is ongoing and escalating, with indications of increased DDoS intensity. They have also issued an extortion demand, stating that their "communication channels remain open for Ubuntu to contact us so that we may agree on a ceasefire." X has since suspended the group's account.

🚨 Iran-aligned hacktivist group Team 313 (Islamic Cyber Resistance in Iraq) claims an ongoing attack against Ubuntu's core infrastructure, alleging that standard updates, security patches, and CI/CD pipelines have been disrupted. The group is also urging hackers to exploit CVE-2026-31431 ("Copy Fail"), claiming most Ubuntu systems are now vulnerable, and has published exploit material to lower the barrier. Ubuntu has released mitigations via kmod updates, but the kernel-level fix remains unavailable. Team 313 has been increasingly active since the Iran-US-Israel conflict escalated in early 2026 and has deployed wiper malware against at least one major US enterprise.

Vidar has taken center stage. The infostealer has climbed to the top of the market following law enforcement takedowns of Lumma and Rhadamanthys in 2025. According to security researchers, Vidar has been the most used stealer on Russian Market since November 2025. It secured that position by releasing a major upgrade and expanding its distribution network while its rivals were being disrupted. Its C2 evasion technique stands out. Rather than hardcoding a server address, Vidar uses "dead drop resolvers." The malware points to legitimate public platforms like Telegram, where operators embed the real C2 address inside profile bios or post descriptions. It retrieves that address dynamically at runtime, sidestepping static detection and domain blocking. The takedown of two top tier infostealers did not shrink the threat landscape. It reshuffled it. Vidar stepped in, upgraded, and expanded while its rivals were down. Stolen credentials are hitting underground markets and being used for account takeovers, lateral movement, and ransomware staging. #CyberSecurity #Vidar #Infostealer

Attackers are moving faster and starting higher up the org chart. In 2025, average breakout time (initial compromise to lateral movement) dropped 29%, from 48 minutes to just 34. One tactic fueling that speed is a shift away from privilege escalation toward arriving with elevated credentials from the start, reflected in a 15% decline in privilege escalation activity in 2025, as threat actors lean harder on credential theft and social engineering. This trend is continuing into 2026: from March 1 to April 1, 2026, 77% of observed Microsoft Teams phishing attempts targeted senior-level employees, up from 59% in the first two months of the year. For security teams: tighten identity controls around privileged accounts, shrink detection and response windows, and assume initial access already includes the keys to the kingdom. Join us for ShadowTalk this Wednesday as we break it all down. https://t.co/6Q3fu87XGW #Cybersecurity #ThreatIntel #BlackBasta

TeamPCP is making moves. A threat actor hijacked the official Bitwarden CLI on npm. The attack has been linked to the Checkmarx supply-chain compromise previously claimed by TeamPCP. When users installed the malicious version, it downloaded a JavaScript runtime in the background, launched a hidden payload, and attempted to collect sensitive data from the host — including GitHub tokens, npm tokens, SSH keys, AWS credentials, cloud secrets, and AI tool configurations. The exfiltration method stands out. If the primary server was blocked, the malware fell back to GitHub, created a repository in the victim's own account, and uploaded the stolen data there. That approach is effective because most environments do not flag outbound traffic to GitHub as suspicious. The infrastructure and delivery pattern are consistent with the broader campaign observed across recent investigations. If you installed @bitwarden/[email protected], rotate all potentially exposed credentials immediately. #CyberSecurity #TeamPCP

Multiple actors are now claiming access to Claude Mythos. A Discord group says they guessed the model URL based on Anthropic's naming conventions. One member claims insider access through a third-party contractor. Separately, an unverified actor using the ShinyHunters name is advertising roughly 3,000 internal documents and an "active zero-day" for sale. Anthropic's own investigation tells a different story. Unauthorized access involved someone playing around with the model. No offensive prompts. No damage. No zero-day. Both claims are low confidence and look opportunistic. This is what riding a hype cycle looks like. #CyberSecurity #AI #Mythos

One compromised OAuth integration. Potentially dozens of downstream victims. That's ShinyHunters' playbook — and it's working. A Lumma infostealer on a https://t.co/OMxOi2ieW3 employee's machine harvested Google Workspace credentials, which were likely used to pivot directly into Vercel — a PaaS platform powering thousands of web applications — via an OAuth integration. A threat actor on BreachForums subsequently claimed to sell stolen credentials, API keys, and source code alongside a $2 million ransom demand. This mirrors the Anodot compromise, where the same extortion pattern enabled downstream data theft from over a dozen organizations, including Rockstar. For security teams, two gaps are enabling attacks like this: incomplete logging visibility and unenforced conditional access policies on unmanaged devices. Join us for ShadowTalk this Wednesday as we break down these gaps and how to defend. https://t.co/6Q3fu88vwu #Cybersecurity #SaaS #ShinyHunters

🚨 Former Black Basta affiliates are likely automating the targeting of senior employees. In the first four months of 2026, ReliaQuest observed a sharp rise in Black Basta-style Teams phishing. 56% of all such activity seen since the group’s decline occurred this year alone. In March, 77% of targeted users were executives, directors, or managers. In some cases, attackers went from initial Teams contact to malicious script execution in as little as 12 minutes. The playbook is familiar: mass email bombing followed by Microsoft Teams-based help desk impersonation to pressure users into granting remote access. ReliaQuest also observed signs that parts of the workflow are becoming increasingly automated, including outreach attempts launched within seconds of one another. For security teams, email bombing should be treated as an early warning sign. Any help desk request involving remote access should be verified out of band, and suspicious Teams, Quick Assist, or Supremo activity involving senior users should be treated as high priority. Read our latest blog for more on this campaign: https://t.co/InQ6Pet1Zp