Sudeep_Singh (@singhsoodeep)'s Twitter Profile
Sudeep_Singh

@singhsoodeep

Cyber security expert | Blockchain researcher | Fitness Enthusiast

Opinions expressed are my own and not of my employer.

ID: 1560350306227179522

Link: https://linktr.ee/sudeep_singh | Joined: 18-08-2022 19:38:04

92 Tweets

97 Followers

43 Following

Sudeep_Singh (@singhsoodeep)'s Twitter Profile Photo

New Linux desktop entry file used by #APT36
MD5 hash: 1ded71930d997de43a68e098d232e2e5
SHA1 hash: 8cbd09508dd727ba27fe6ba56be1b81fae03ec4b
SHA256 hash: 10b54abba525686869c9da223250f70270a742b1a056424c943cfc438c40cc50
Filename: Meeting_Notice_dtd_20_Aug.desktop
Go-based Linux


We published our research on the latest activity of Russia-linked APT group, COLDRIVER (also known as Star Blizzard). In this blog, we introduce the following 1⃣ New lightweight downloader DLL that we named BAITSWITCH 2⃣ New PowerShell-based backdoor that we named SIMPLEFIX 3⃣


New instance of Golang-based RAT related to #APT36 targeting the Linux platform
MD5 hash: 3563518ef8389c7c7ac2a80984a2c4cd
SHA1 hash: 6dda9056917355b487bc591a828cf85a7e7d577c
SHA256 hash: 567dfbe825e155691329d74d015db339e1e6db73b704b3246b3f015ffd9f0b33
Websockets-based C2


Yesterday we published our detailed analysis on an #APT28 campaign exploiting a very recently patched vulnerability in MS Office, CVE-2026-21509. We discovered two infection chains. Both infection chains start with a specially crafted RTF file that weaponizes CVE-2026-21509. 1⃣


Interesting active campaign that abuses ETH smart contracts to store the C2 address and GitHub for hosting the payloads. GitHub repositories are live. github.com/dhclnt/BIG-IP-… github.com/nlasvc/BIG-IP-… Mikhail Kasimov


Based on the first C2 domain set by interacting with this smart contract, jariosos[.]com, this should be related to #EtherRAT enki.co.kr/en/media-cente… MalwareHunterTeam