Yet they do. In 2026 we expect a new lot of unwanted - sometimes avoidable - developments in cyberspace. After a full review of last year's predictions, our HarfangLab 2026 Threatscape report anticipates 9 trends and threats 🔦. https://t.co/KiT5fyHcSa
2026 starts with abduction🥷, massive protests✊ and intentions to dispose🧊, on top of tensions + wars🪖 we got out of 2025 with - cyber ppl are humbly reminded of the quite minor role cyber threats💾 play in global risks and changes.
Mails can contain an invitation to an online meeting (i.e. MS Teams), but the link is replaced to trick the user into signing in (using the MS device code flow, which requires a manually entered and TA-generated code). Similar campaigns and TTPs were previously documented by Volexity and Elastic.
Likely state-sponsored TA still targeting orgs with WhatsApp🤳 + mail 📩 phishing in 🇪🇺 in December. Goal is to get access to the MS account of high value targets. TA is particularly interested in people or organisations that run activities in 🇺🇦
Up to now we identified tgts in NGOs and think-tanks. In December, the threat actor notably leveraged an online profile using the "Janis Cerny" name, who pretends to be a diplomat working with the EU. Mail is janiscerny[@]seznam[.]cz, and WhatsApp profile/number is [+42]0 735 596 5[65]
@bluish_red_ @_CPResearch_ @harfanglab Finding hints of access dev wave A in several cases of org B exploitation is then likely. 4th parties can always join, but for me it's more likely A+B somehow cooperate, or in a large ecosystem, just that 2 streams going the same direction ended up in the same place.
@bluish_red_ @_CPResearch_ @harfanglab Looking in a single ecosystem: accesses can be opportunistically developed. Those can then be used separately based on ops need: turned into infra, sold, used for exploitation, or a combination of such. By the same or a cooperating party. Several streams of such can flow simultaneously.
Anyway, we wanted to tell a bit later, but we had to rush it now, as fellows did publish about the same toolset today (as "TOLLBOOTH"). We're fewer guys but we may still have found a bit more. IOCs & Yaras: https://t.co/GiISsedSxy
All tools speak CN, operators leveraged a CN RMM service, domains are registered in CN and some infra is at Alibaba Cloud - it's likely way more CN-language and specifics than an actual CN operator would need...
Because of the simplicity of the associated exploitation and tools, several third parties could have hijacked and/or mimicked past or recent BellaCiao/CYCLOPS-related activity and infrastructure... but it starts to quack quite like a duck 🦆 to me.
https://t.co/tnPDgAO1sg
Documents 📃 about alleged IRGC 🇮🇷 cyber ops have been disclosed since last week (#KittenBusters). The 2nd batch of data includes a reference to our work @HarfangLab: "see reports on publicly available tools (such as BellaCiao and CYCLOPS) – these are malware tools used"
"ea3e059ca58eec16a98691bcae372170d83b97c0_Shell failed[.]txt" contains WebShell filenames which match those dropped by some BellaCiao samples. Several IPs and domains that are listed as "targets" in Episodes 1 and 2 indeed match targets of BellaCiao malware that I know of.
We @aridjourney @ArielJT at HarfangLab had a look at archives containing weaponized XLS spreadsheets dropping C# and C++ downloaders, likely intended for targets in Ukraine and Poland