How Ransomware Cartels Weaponize Microsoft Teams Relays For C2 Evasion
DragonForce deployed Backdoor.Turn, a specialized Go binary that routes QUIC command channels through trusted Microsoft Teams TURN relays, establishing a two-month network dwell time supported by a multi-driver kernel blinding chain. Concurrently, public web networks and wide-area architecture planes face active exploitation via critical KEV vulnerabilities in LiteSpeed cPanel tools (CVE-2026-54420) and Cisco Catalyst SD-WAN consoles (CVE-2026-20262). Operational impacts escalated as Anubis ransomware locked down IT systems at the Adriatic Port Authority, causing widespread shipping reroutes across Italy despite leaving core OT networks untouched. Additionally, up to 1.2 million WordPress sites sustained supply-chain impacts from tampered CDN scripts, while ShinyHunters targeted Kodak in a major data extortion campaign. Urgent defensive actions require process-aware network filtering, immediate infrastructure patch cycles, and rigorous validation of endpoint kernel driver loads.
CVSS Score: 10 | IOC Count: 35 | Source Count: 17 | Confidence Score: 85
Referenced CVEs: CVE-2026-54420, CVE-2026-20262, CVE-2023-52271, CVE-2025-61155, CVE-2025-1055
Threat actors: ShinyHunters, DragonForce, Anubis, The Gentlemen, Qilin, Gunra, Other Under Attribution
Targeted sectors: Shared Hosting Providers, Web Hosting Resellers, E-commerce Sites, WordPress Site Operators, Network Service Providers, Technology Vendors, Printing and Imaging Services, Services, Enterprise Teams Users, Web Hosting, MSPs, Transportation, Maritime Logistics, Critical Infrastructure, Healthcare
Regions: United States, Italy, Adriatic maritime region, Global
Chapter 01 - Executive Overview
Core Threat Analysis and Operational Assessment
A severe escalation in infrastructure exploitation and advanced command and control evasion has emerged over the current intelligence window. Operations are led by a sophisticated DragonForce ransomware campaign that introduces a novel defense evasion technique, leveraging legitimate corporate communication infrastructure to bypass standard network detection. Concurrently, public web infrastructure and edge management planes face immediate risk from two flaws newly added to the CISA Known Exploited Vulnerabilities catalog. Finally, critical transportation logistics have experienced deep physical and economic fallout from targeted ransomware chains, highlighting that threat actors are successfully executing operational disruptions without requiring direct operational technology environment access.
Consolidated Strategic Incident Summary
DragonForce Ransomware and Backdoor.Turn C2 Evasion: Threat actors compromised a major United States services firm, establishing a dwell time of up to two months. The operation deployed Backdoor.Turn, a custom Go-based remote access tool that routes command and control communications through legitimate Microsoft Teams TURN relay servers using QUIC sessions. This technique makes malicious outbound traffic visually and behaviorally indistinguishable from routine corporate Teams usage, exploiting enterprise firewall trust. The group paired this network bypass with an extensive multi-driver Bring Your Own Vulnerable Driver defense evasion chain, utilizing a novel kernel terminator technique via a Huawei driver alongside a custom-built driver designed to spoof Palo Alto Networks endpoint security tools.
LiteSpeed cPanel Root Escalation: CISA has added CVE-2026-54420 to the Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation. The flaw resides in the LiteSpeed cPanel plugin and mishandles user-supplied symlinks on shared hosting servers running CloudLinux or CageFS. Any threat actor possessing low-privilege FTP or webshell access on a tenant account can exploit this vulnerability to break containment and escalate directly to root privileges, creating an immediate supply-side risk across high-density multi-tenant web hosting environments.
Anubis Ransomware Critical Infrastructure Impact: Targeted cyber operations by the Anubis ransomware cartel against the Adriatic Port Authority in Italy have resulted in widespread regional maritime logistics disruptions. Initial access was achieved via spear-phishing attachments, followed by lateral movement exploiting unpatched vulnerabilities and misconfigured corporate cloud accounts. While the attackers did not breach internal operational technology networks, the encryption of IT-dependent cargo tracking, customs processing, and shipping schedule systems forced the rerouting of commercial vessels across the Adriatic Sea, demanding a ten million dollar ransom and leaking sensitive safety, employee, and contract data.
Cisco Catalyst SD-WAN Manager File Write: Active exploitation has been confirmed for CVE-2026-20262, a path-traversal arbitrary file write vulnerability affecting the web UI of Cisco Catalyst SD-WAN Manager. Authenticated threat actors with lower-privileged write access can submit crafted HTTP POST requests to upload malicious web application archive files into underlying directory paths. The application server automatically deploys these archives, allowing the adversary to execute code with root privileges across all deployment modes and alter enterprise wide-area network policies.
OptinMonster CDN Supply Chain Compromise: A widespread supply chain attack impacted up to 1.2 million sites utilizing OptinMonster, TrustPulse, and PushEngage WordPress marketing plugins. Attackers compromised core vendor infrastructure to inject malicious JavaScript into legitimate vendor-hosted content delivery network files. When site administrators logged into their environments, the tampered scripts executed in their browser context to silently mint rogue administrative accounts and plant persistent, hidden file-system backdoors.
Senior Leadership Risk and Action Priorities
Chapter 02 - Threat & Exposure Analysis
Strategic Risk Analysis and Actor Landscape
The global threat landscape is currently dominated by highly organized ransomware cartels executing operations that blur the line between traditional financial extortion and state-like tactical sophistication. Groups like DragonForce and Anubis are intentionally shifting away from indiscriminate, high-volume ransomware-as-a-service distributions toward meticulous, long-dwell network intrusions targeting critical services and physical infrastructure. This evolution is defined by an increased capacity to discover and weaponize novel evasion vectors, such as the manipulation of trusted cloud relay systems and multi-driver kernel tampering chains. Concurrently, unattributed actors are actively exploiting high-density edge software and hosting utilities, creating an environment where a single unpatched appliance or shared plugin can compromise hundreds of downstream enterprise operations simultaneously.
Analysis of Primary Threat Exposures
Exploitation of Microsoft Teams Infrastructure by DragonForce: The deployment of Backdoor.Turn represents a significant architectural shift in command and control design. By leveraging anonymous guest visitor tokens from Microsoft Skype-backed identity services to spin up authenticated TURN relay paths, the malware forces all command traffic through legitimate Microsoft infrastructure using encrypted QUIC sessions. This creates a critical blind spot for enterprise security teams; standard network perimeter defenses, firewalls, and cloud access security brokers are typically configured to implicitly trust or whitelist traffic directed at major Microsoft IP ranges. Because the outbound sessions match the exact protocols, destinations, and formatting of legitimate corporate video calls, the backdoor easily maintains a multi-month network dwell time, completely invisible to purely behavioral or network-layer anomalies that lack process-level telemetry correlation.
Bring Your Own Vulnerable Driver (BYOVD) Escalation: The tactical execution of DragonForce's endpoint defense evasion demonstrates a deep understanding of modern operating system security models. The cartel deployed a concurrent chain of four distinct vulnerable kernel drivers—including Topaz Antifraud, Tower of Fantasy, K7 Security, and a novel, unconfirmed Huawei audio component—to systematically blind endpoint detection and response software. Rather than relying solely on publicly disclosed exploit toolkits, the actors developed a highly custom malicious driver, designated ABYSSWORKER, which specifically masquerades as a legitimate Palo Alto Networks security driver. By utilizing these drivers to terminate security processes from the kernel space, the actors ensured that follow-on activities, such as Active Directory reconnaissance via ADExplore and credential-based Remote Desktop Protocol lateral movement, could proceed across the target's services network without triggering localized endpoint alerts.
Multi-Tenant Exposure via LiteSpeed cPanel Vulnerability: The active exploitation of CVE-2026-54420 poses an acute supply-side risk to shared web hosting environments. The vulnerability allows any threat actor who has established low-privileged FTP or web-shell access within a single isolated tenant directory on a CloudLinux or CageFS server to abuse symlink tracking routines inside the LiteSpeed plugin. Because the plugin processes these links with elevated privileges, it can be manipulated into reading or modifying arbitrary system files outside the user's containerized jail. In high-density environments where thousands of corporate websites, marketing landing pages, and e-commerce portals share the same underlying hardware infrastructure, a single weak or compromised account can be utilized as an exploitation spring-board to claim root administrative authority over the entire physical node, exposing all co-located tenants to data theft, code injection, and credential harvesting.
Cyber-Physical Cascading Impacts of Anubis Ransomware: The targeted intrusion against the Adriatic Port Authority highlights the severe real-world operational vulnerabilities inherent in modern maritime logistics and supply chains. The attack chain, initiated via spear-phishing attachments and accelerated by unpatched software flaws and insecure cloud access accounts, focused entirely on the port's enterprise IT environment. Crucially, the threat actors never successfully breached or modified actual operational technology or vessel control systems. However, by encrypting the core IT applications responsible for tracking commercial cargo manifests, executing customs verifications, and managing shipping schedules, the cartel effectively brought physical operations to a halt. This forced the immediate rerouting of maritime vessels across the Adriatic Sea, proving that modern transport infrastructure is completely dependent on its data plane, and that IT-level compromises can cause multi-million dollar physical logistics failures.
Edge Management Risks via Cisco Catalyst SD-WAN Manager: The active weaponization of CVE-2026-20262 presents a severe risk to wide-area network architectures. Because Cisco Catalyst SD-WAN Manager serves as the centralized orchestration plane for corporate branch routing, security policies, and data tunnels, its integrity is vital to network segmentation. The path-traversal flaw allows an authenticated attacker possessing basic, low-level write privileges to bypass upload restrictions and deposit malicious Java web archive files directly into directories managed by the WildFly application server. The automated deployment of these archives grants the actor root code execution on the management appliance itself. From this vantage point, an adversary can push compromised configuration templates, alter firewall rules, manipulate traffic paths, or pivot directly into distributed, isolated branch networks across on-premises, cloud, and FedRAMP environments.
Technical Intel Summary
Exploit Context / Group Profile | Rationale and Visible Data Gaps |
DragonForce & Backdoor.Turn | Driven by direct, primary forensic analysis from major commercial research groups, complete with extensive file and network IOCs. Limited only by unconfirmed initial SQL access CVE details. |
Anubis Port Authority Intrusion | Supported by explicit public data dumps and post-incident threat analyses. Gaps remain regarding the exact unpatched lateral CVEs. |
LiteSpeed cPanel Root Escalation | Confirmed via official CISA KEV listing and vendor warnings. Only limited by a lack of public threat actor attribution details. |
Chapter 03 - Operational Response
Remediation Strategies and Isolation Actions
Organizations must immediately execute host-layer and network-layer segmentation to isolate core management systems and exposed public stacks. Security operations teams should establish rigorous observation controls to identify anomalous process-to-network binding behaviors, particularly involving non-browser utilities attempting to negotiate direct communication with standard cloud collaboration relays. Immediate intervention requires the tactical enforcement of kernel driver signing rules to block untrusted third-party binaries from impacting running operating system security architectures.
Sector Specific Operational Directives
Strategic Infrastructure and Network Operations: Network management planes running Cisco Catalyst SD-WAN Manager must be immediate targets for isolation. Operations teams must completely remove any direct public web accessibility to the vManage management console, restricting web console access to administrative jump boxes or authenticated administrative virtual private network tunnels. Security managers must immediately verify deployment levels against the specified vendor patches across all production branches. For the DragonForce campaign, security architectures must immediately implement process-level connection filtering, restricting any outbound User Datagram Protocol destination traffic on port 443 targeting Microsoft Teams infrastructure unless it stems from verified, signed native collaboration executables like msteams.exe.
Web Hosting, Services, and Multi-Tenant Providers: Web hosting infrastructure running cPanel or WHM stacks requires immediate technical verification of active plugin deployment versions. System administrators must force an immediate update to the LiteSpeed WHM plugin version 5.3.2.1 to neutralize the symlink privilege elevation vector across all CloudLinux or CageFS deployment nodes. Direct local access channels, including interactive secure shell sessions, raw file transfer protocols, and web-shell execution boundaries, must be restricted to minimal absolute baselines, enforcing stringent IP range logging and multi-factor authorization checkpoints across all tenant spaces.
E-Commerce Platforms and Enterprise Application Managers: Digital commerce teams running OptinMonster, TrustPulse, or PushEngage WordPress utilities must execute deep scanning of file systems to uncover hidden file footprints. Teams must directly scrutinize the internal application plugin directory for unauthorized folders, explicitly matching items like Content Delivery Helper or Database Optimizer. Organizations must immediately force a global rotation of all administrative access passwords, database connection strings, application API keys, and internal cryptographic salting tokens across any instance active during the identified June compromise window.
Critical Logistics and Maritime Transportation Hubs: Transportation operators must immediately perform third-party data tracking audits to evaluate dependencies on external business partners like Kodak. Incident handlers must monitor internal phishing channels for incoming communications referencing compromised services, corporate logos, or vendor account configurations. Port authority operators must establish strict identity isolation baselines for administrative Azure and Office 365 services, deploying comprehensive conditional access boundaries to eliminate unauthorized external session access.
Immediate Tactical Milestones
Historical Progression of Operations
The timeline across the current intelligence cycle reveals long-running infiltration campaigns running parallel to sudden, highly coordinated edge exploitations. Threat actors have demonstrated an ability to maintain silent access configurations inside complex business services providers for several weeks before triggering disruptive or extortionate events. Meanwhile, zero-day vulnerabilities and high-impact supply chain configurations show rapid operational escalation immediately following initial asset compromise.
Milestones of Adversary and Defensive Actions
December 2025: Threat actors associated with the DragonForce ransomware cartel successfully execute initial network exploitation against a major United States services company, likely leveraging unconfirmed SQL or MSSQL database application flaws. The adversaries drop a malicious compressed archive containing specialized dynamic link library sideloading configurations. Concurrently, the Anubis ransomware organization initiates its spear-phishing and cloud-account compromise campaign against the internal corporate IT environment of the Adriatic Port Authority in Italy.
December 2025 through January 2026: DragonForce maintains a silent persistent posture inside the victim network, deploying Backdoor.Turn to tunnel command sessions through legitimate Microsoft Teams TURN relay nodes using encrypted QUIC traffic. The actors systematically drop multiple vulnerable drivers to dismantle local endpoint detection tools while performing extensive internal Active Directory structure mapping using ADExplore. Simultaneously, Anubis completes network discovery across Italian port infrastructure, gaining access to critical cargo tracking databases, customs files, and shipping schedules.
January 14, 2026: Following a breakdown in commercial extortion communications and a refusal to meet a ten million dollar ransom demand, the Anubis group publicly announces the breach of the Adriatic Port Authority. The threat actors launch file encryption routines across core shipping management systems and begin publishing stolen corporate logs, employee records, and sensitive safety documents directly onto their dark web disclosure portal.
February 2026: The DragonForce threat actors finalize their multi-month data exfiltration phase over the hijacked Microsoft Teams communication path and deploy their primary ransomware encryption payload across the compromised services firm infrastructure, generating significant operational lockouts.
March 2026: Independent research teams at Huntress publicly disclose a severe security vulnerability inside the Huawei audio driver file HWAudioOs2Ec.sys. Forensic analysis later confirms that DragonForce had already discovered and successfully weaponized this specific driver as an endpoint tool terminator during their active December network intrusion, confirming independent development capabilities.
May 31, 2026: External security practitioners at Namecheap identify active local root privilege escalation anomalies stemming from the LiteSpeed plugin on managed cPanel hosting systems and submit a comprehensive technical reporting package directly to the product engineering vendor.
June 10, 2026: Microsoft issues its scheduled corporate security update package, addressing two hundred and six distinct system flaws, including multiple critical remote code execution parameters within HTTP.sys, Windows Kernel, and network DHCP clients.
June 12 through June 13, 2026: Attackers breach core internal operations infrastructure belonging to web software provider Awesome Motive. The adversaries hijack internal content delivery network access credentials to overwrite legitimate external JavaScript code libraries serving the OptinMonster, TrustPulse, and PushEngage plugin ecosystems, beginning the active delivery of malicious scripts to downstream client browsers.
June 14, 2026: Global security reporting agencies publish coordinated coverage of the active WordPress content delivery network supply chain compromise, detailing rogue administrative account naming schemas and outbound data leaks routing to the look-alike destination domain tidio.cc.
June 15, 2026: Cisco publishes a formal security advisory warning of active, in-the-wild exploitation targeting its Catalyst SD-WAN Manager software suite under identifier CVE-2026-20262. The same morning, the ShinyHunters extortion group adds Kodak to its public disclosure site, claiming the unauthorized exfiltration of over two million customer profiles and corporate data entries, setting an immediate extortion compliance timeline.
June 16, 2026: The United States Cybersecurity and Infrastructure Security Agency adds both the LiteSpeed cPanel privilege escalation flaw (CVE-2026-54420) and the Cisco SD-WAN Manager arbitrary file write flaw (CVE-2026-20262) to the Known Exploited Vulnerabilities catalog, establishing strict emergency federal mitigation remediation tracking timelines.
June 17, 2026: Specialized industrial defense groups publish post-incident forensics covering the Anubis port authority operation, clarifying the exact mechanism of IT-to-cyber-physical transport failure. Simultaneously, global telemetry trackers report that over the preceding ninety days, the healthcare sector sustained two hundred and sixteen separate ransomware events, driven by threat brands including Qilin and The Gentlemen.
June 18, 2026: The active CISA KEV emergency remediation patch timeline for the LiteSpeed cPanel vulnerability expires for all federal civilian agencies, marking the final mandatory implementation date for hosting infrastructure protection.
Chapter 04 - Detection Intelligence
Deep-Dive Software Flaw Analysis
The technical commonality across today's incident clusters is the manipulation of input handling and logical trust assumptions within core infrastructure applications. Adversaries are heavily prioritizing vulnerabilities that allow them to transition from initial lower-privileged footholds to total kernel or root administrative authority. By targeting input ingestion routines inside network edge management consoles, web control panels, and client-side web application scripts, threat groups are effectively neutralizing perimeter investments and standard sandboxing controls.
Detailed Incident Technical Deconstructions
Backdoor.Turn Architectural Execution Mechanics: The custom remote access tool developed by DragonForce relies on a highly sophisticated abuse of the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) network protocols. The Go-based binary interacts with Microsoft's Skype-backed authentication services to request and obtain legitimate anonymous visitor tokens. Once authenticated, the malware establishes a stable connection to official Microsoft Teams TURN relay servers and opens an outbound User Datagram Protocol session over port 443. Inside this trusted tunnel, the backdoor wraps command and control traffic within standard QUIC transport layers directed at its actual external server located at 62.164.177.25. Because enterprise firewalls view the connection as a standard, authorized outbound Microsoft Teams multimedia stream, the session bypasses layer-seven packet inspection protocols.
Kernel Blinding via Multi-Driver BYOVD Chain: To guarantee unhindered execution, the DragonForce payload drops a suite of four distinct signed kernel drivers known to contain security flaws. These include wsftprm.sys (associated with Topaz Antifraud), Gamedriverx64.sys (from Tower of Fantasy), and K7RKScan.sys (from K7 Security). The actors abuse these drivers' raw memory read and write capabilities to disable local endpoint security agents from the kernel layer. This is reinforced by the weaponization of a Huawei audio driver file, HWAudioOs2Ec.sys, to execute an advanced process termination routine that systematically crashes security agent threads. Additionally, the actors leverage a custom-compiled kernel agent named ABYSSWORKER, explicitly configured with internal metadata to impersonate an official Palo Alto Networks driver, preventing automated behavioral engine blocks.
Symlink Traversal in LiteSpeed cPanel Plugin: The vulnerability classified under CVE-2026-54420 represents a structural flaw in how the LiteSpeed Web Server management extension handles file operations within multi-user operating systems. When a web administrator or hosting tenant triggers operations like automated security certificate generation or file size processing via the cPanel interface, the underlying plugin runs with root administrative execution rights. A malicious tenant can deliberately construct standard filesystem symbolic links inside their containerized CloudLinux or CageFS directory pointing to critical files outside their jail, such as /etc/shadow or /root core files. When the plugin processes these links without performing appropriate verification checks, it follows the symlink outside the user's isolated container, allowing the low-privilege account user to read, execute, or overwrite files across the master host operating system.
Cisco Catalyst SD-WAN Manager Arbitrary File Write: The flaw tracked as CVE-2026-20262 stems from inadequate parameter verification and a lack of path sanitization in the file upload API of the centralized management web console. An authenticated user possessing basic administrative permissions can issue a maliciously formatted HTTP POST request containing directory traversal sequences. Because the application fails to strip these relative directory markers, the file payload escapes the designated temporary upload directory. Threat actors exploit this behavior to write malicious Java web application archive files directly into the autodeployment paths managed by the underlying WildFly application server engine. Once written, the server immediately unpacks and runs the archive, granting the attacker interactive root command shell access over the orchestration console.
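Both of the flaws above come down to a privileged component acting on a user-controlled path without confining it to the directory it is meant to serve. The following added example (not code from the report, LiteSpeed, or Cisco) shows that vulnerable pattern next to a hardened helper that closes both the symlink escape and the `../` traversal; the jail layout, the stand-in secret file, and the helper names are constructed for illustration.

```python
import os
import tempfile


def resolve_inside(base: str, requested: str) -> str:
    """Return the real path of `requested` only if it stays under `base`.

    Resolving every symlink and `..` component before the containment check
    catches both escape routes described above: a tenant-planted symlink that
    points out of the jail and a `../` sequence inside an upload file name.
    """
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise PermissionError(f"{requested!r} resolves to {target_real}, outside {base_real}")
    return target_real


def naive_read(base: str, requested: str) -> str:
    """Vulnerable pattern: a privileged helper opens whatever name the tenant supplied.
    open() follows symlinks and honours `..`, so the jail boundary is never checked."""
    with open(os.path.join(base, requested), encoding="utf-8") as fh:
        return fh.read()


def hardened_read(base: str, requested: str) -> str:
    """Same operation with the containment check and a no-follow open.
    O_NOFOLLOW (POSIX; absent on Windows, hence the getattr) makes the open fail
    if the final component was swapped for a symlink after the realpath check."""
    path = resolve_inside(base, requested)
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario in a temp dir: a tenant jail, a host secret outside it,
    and a symlink plus a traversal name aimed at that secret. Returns what each helper did."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        jail = os.path.join(root, "home", "tenant")
        os.makedirs(jail)
        secret = os.path.join(root, "shadow")  # stand-in for /etc/shadow, constructed
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("root:HASH:...\n")
        with open(os.path.join(jail, "legit.txt"), "w", encoding="utf-8") as fh:
            fh.write("tenant data\n")
        os.symlink(secret, os.path.join(jail, "cert.pem"))  # tenant-planted escape link
        traversal = os.path.join("..", "..", "shadow")      # jail sits two levels below root

        out["naive_symlink_leaked"] = naive_read(jail, "cert.pem").startswith("root:")
        out["naive_traversal_leaked"] = naive_read(jail, traversal).startswith("root:")
        out["hardened_legit"] = hardened_read(jail, "legit.txt")
        for key, name in (("hardened_symlink_blocked", "cert.pem"),
                          ("hardened_traversal_blocked", traversal)):
            try:
                hardened_read(jail, name)
                out[key] = False
            except PermissionError:
                out[key] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```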
Awesome Motive CDN Script Hijacking: In the WordPress supply chain campaign, threat actors compromised a staging system inside the vendor's enterprise architecture, reportedly leveraging an old vulnerability within the UpdraftPlus utility. The adversaries exfiltrated stored API tokens belonging to the vendor's production content delivery network provider. With these access privileges, the actors directly modified the vendor-hosted JavaScript libraries that support OptinMonster, TrustPulse, and PushEngage. The modified scripts were delivered to downstream customer sites under valid cryptographic trust parameters. When an authentic web administrator loaded their local WordPress dashboard panel, the code intercepted the active cookie session tokens to issue background requests that secretly created a new administrative user account and downloaded a stealth backdoor utility that completely masked its presence from standard dashboard plugin overviews.
Structured Indicator Repository
Indicator Type | Technical Value | Operational Context and Placement | Enrichment Verdict |
CVE ID | CVE-2026-54420 | LiteSpeed cPanel plugin local root privilege escalation flaw. | Active Exploitation |
CVE ID | CVE-2026-20262 | Cisco Catalyst SD-WAN Manager web path traversal arbitrary file write vuln. | Active Exploitation |
Domain | tidio.cc | Malicious command destination mimicking authentic live chat networks. | Verified Malicious |
IP Address | 84.201.6.54 | Network infrastructure hosting malicious script distribution payloads. | Verified Malicious |
IP Address | 62.164.177.25 | Direct QUIC session target for Backdoor.Turn communications. | Verified Malicious |
Domain | turnkeyaiagents.com | Staging site utilized for DragonForce tooling distribution. | Verified Malicious |
Domain | projetosmecanicos.com.br | Domain infrastructure used for tool staging by ransomware cartels. | Verified Malicious |
SHA-256 Hash | 821da79d727351dd67ce5df7950e9a3de6647a3cf474bb3a093f67507fed92a6 | Main binary file hash for Go-compiled Backdoor.Turn access tool. | Verified Malicious |
SHA-256 Hash | e45b18c93d187aac5c4486f57483bc87580e15def82a312bfb377ff16eb96b22 | Cryptographic hash for DragonForce core ransomware locker payload. | Verified Malicious |
SHA-256 Hash | 8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2 | Malicious ABYSSWORKER kernel driver spoofing security software. | Verified Malicious |
SHA-256 Hash | 8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531 | Malicious kernel module executing Havoc Process Terminator routines. | Verified Malicious |
Infrastructure Structural Observations
Analysis of the infrastructure patterns highlights distinct operational approaches between campaigns. The WordPress plugin attackers rely heavily on supply chain subversion, manipulating trusted content delivery endpoints to distribute web scripts while leveraging typosquatted command domains like tidio.cc to mask outbound exfiltration as harmless user analytics data. Conversely, the DragonForce infrastructure footprint mixes high-reputation network assets with obscure direct hosting. By blending raw internet protocol nodes like 62.164.177.25 with automated cloud routing paths pointing into Microsoft's corporate video conferencing ranges, the cartel forces defensive sensors into a position where blocking command infrastructure requires disabling domestic business collaboration tools. No structural overlap exists between the covered groups.
Technical Detection Strategy and Indicators
Detection of these highly evasive campaigns requires a shift toward correlation of process-level actions with network endpoints and kernel-layer state auditing. Network boundary defenses are ineffective against command channels that tunnel through trusted cloud relay infrastructure or legitimate content delivery networks. Security orchestration suites must rely on direct tracking of file execution paths, anomalous API calls within administrative log registries, and the identification of unverified third-party driver attachments in system runtime memories.
Procedural Attack Sequences and Detection Vectors
DragonForce Backdoor.Turn Network Evasion Sequence: The threat actor begins by executing an exploit against a public-facing SQL application to drop a compressed loader payload. Next, the host executes a legitimate VirtualBox or DbgView utility to side-load a malicious vboxrt.dll binary. The side-loaded binary injects code into native operating system processes, which then invoke Microsoft Skype-backed identity endpoints to pull anonymous visitor tokens. The process uses these tokens to open an outbound User Datagram Protocol session over port 443 targeting Microsoft Teams TURN relay servers, initiating an encrypted QUIC session directed at external command nodes. Defenders can identify this by auditing network traffic for outbound QUIC or UDP 443 connections originating from processes other than authorized communication binaries like msteams.exe or web browsers.
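The process-aware filtering called for in the response directives, the detection vector just described, and the driver-load auditing that the BYOVD chain demands, as one added example over constructed Sysmon-style events (not code from the report or any vendor). The browser entries in the allowlist and the Teams relay ranges are assumptions to be verified against the current Microsoft 365 endpoint feed.

```python
import ipaddress

# Processes expected to open QUIC/UDP 443 sessions to collaboration relays.
# msteams.exe is named in the report; ms-teams.exe and the browsers are assumed additions.
COLLAB_PROCESSES = {"msteams.exe", "ms-teams.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Teams media/relay ranges as listed in Microsoft's 365 endpoint feed at the time of
# writing; treat them as an assumption and refresh them from the feed in production.
TEAMS_RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14"), ipaddress.ip_network("52.122.0.0/15")]

# Driver file names the report ties to the DragonForce BYOVD chain (compared lower-case).
BYOVD_DRIVERS = {"wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys", "hwaudioos2ec.sys"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_network(ev: dict):
    """Sysmon Event ID 3 (NetworkConnect). Flag outbound UDP/443 from anything that is
    not a collaboration process; raise severity when the destination is a Teams relay."""
    if ev.get("Protocol", "").lower() != "udp" or int(ev.get("DestinationPort", 0)) != 443:
        return None
    image = _basename(ev["Image"])
    if image in COLLAB_PROCESSES:
        return None
    dst = ipaddress.ip_address(ev["DestinationIp"])
    to_teams = any(dst in net for net in TEAMS_RELAY_NETS)
    return {
        "severity": "high" if to_teams else "medium",
        "rule": "udp443-from-non-collab-process" + ("-to-teams-relay" if to_teams else ""),
        "image": image,
        "dst": str(dst),
    }


def check_driver(ev: dict):
    """Sysmon Event ID 6 (DriverLoad). Flag any load of a driver on the BYOVD list,
    regardless of where it was loaded from or whether its signature is valid."""
    name = _basename(ev["ImageLoaded"])
    if name not in BYOVD_DRIVERS:
        return None
    return {"severity": "high", "rule": "byovd-driver-load", "image": name, "dst": None}


def evaluate(events):
    """Run both checks over a stream of Sysmon-style event dicts; return the alerts in order."""
    alerts = []
    for ev in events:
        alert = None
        if ev.get("EventID") == 3:
            alert = check_network(ev)
        elif ev.get("EventID") == 6:
            alert = check_driver(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real captures); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\WindowsApps\MSTeams\msteams.exe",
     "Protocol": "udp", "DestinationIp": "52.112.5.7", "DestinationPort": 443},      # normal call
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "udp", "DestinationIp": "52.113.10.20", "DestinationPort": 443},    # relay abuse
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "udp", "DestinationIp": "142.250.72.14", "DestinationPort": 443},   # browser QUIC
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "DestinationIp": "52.113.10.20", "DestinationPort": 443},    # TCP, out of scope
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\HWAudioOs2Ec.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```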
Cisco Catalyst SD-WAN Manager Compromise Sequence: The adversary accesses the centralized web management plane using stolen or compromised credentials possessing write privileges. The attacker structures an HTTP POST request to the file upload API containing relative directory traversal markers. The application server processes the input and deposits a malicious Java web application archive file into the automated deployment directories of the WildFly engine. The application server automatically expands the archive, granting the attacker root-level command execution capability on the controller appliance. Security analysts can spot this attack pattern by monitoring vmanage-server.log, vmanage-appserver.log, and serviceproxy-access.log files for unexpected .war file actions or unusual POST operations targeting index.jsp.
LiteSpeed cPanel Root Escalation Sequence: A low-privilege actor obtains an interactive shell or FTP session inside an isolated tenant directory on a CloudLinux or CageFS host. The actor creates symbolic links that point at sensitive master configuration files outside the jail. The actor then invokes LiteSpeed management API functions such as generateEcCert or packageUserSize, which cause the high-privilege master plugin to follow the links and read or overwrite the target files as root. In cPanel logs this shows up as a rapid burst of calls to these JSON API functions from a single tenant account; alerting on that per-tenant burst is the practical detection while patches roll out.
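The log-based checks for both edge-platform sequences above (the Cisco traversal upload and .war deployment, and the LiteSpeed per-tenant API burst), as an added example that is not code from the original report, Cisco or LiteSpeed. The log lines are constructed and deliberately simplified: the access-log shape, the /api/upload endpoint and the "user=... api=..." field names are placeholders, so the regular expressions are the part a practitioner replaces with the real vmanage and cPanel formats; the sliding-window threshold is likewise an assumption.

```python
"""Log-based checks for the two edge-platform sequences above.

Added example, not from the original report, Cisco or LiteSpeed. The log lines
are constructed and their layout is deliberately simplified: the access-log
shape, the /api/upload endpoint and the "user=... api=..." field names are
placeholders, so the regular expressions are the part a practitioner replaces
with the real vmanage and cPanel formats. The detection logic is the point.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# --- Cisco Catalyst SD-WAN Manager: traversal upload and .war deployment ----
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e(%2f|%5c)", re.IGNORECASE)
WAR_RE = re.compile(r"\S+\.war\b", re.IGNORECASE)


def check_sdwan_logs(lines):
    """Flag traversal uploads, .war activity and POSTs to index.jsp.

    Access-log lines are parsed for method and path; any other line (app
    server log) is only scanned for a .war reference.
    """
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            if WAR_RE.search(line):
                findings.append({"line": line, "reasons": [".war activity in server log"]})
            continue
        method, path = m["method"], m["path"]
        reasons = []
        if TRAVERSAL_RE.search(path):
            reasons.append("traversal marker in request path")
        if WAR_RE.search(path):
            reasons.append(".war referenced in request")
        if method == "POST" and path.lower().endswith("index.jsp"):
            reasons.append("POST to index.jsp")
        if reasons:
            findings.append({"line": line, "src": m["src"], "reasons": reasons})
    return findings


# --- LiteSpeed cPanel plugin: burst of privileged API calls by one tenant ---
SENSITIVE_FUNCS = {"generateEcCert", "packageUserSize"}
API_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) api=(?P<func>\S+)")


def check_lsws_bursts(lines, window_s=10, threshold=5):
    """Return {user: peak_count} for tenants with >= threshold sensitive calls
    inside any window_s-second sliding window. Calls to other functions and
    users who stay below the threshold produce nothing."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = API_RE.match(line)
        if not m or m["func"] not in SENSITIVE_FUNCS:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop calls outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["user"]] = max(flagged.get(m["user"], 0), len(q))
    return flagged


# Constructed sample lines (placeholders, not vendor log formats).
SDWAN_LINES = [
    '2026-06-01T09:58:11 198.51.100.7 "POST /api/upload?name=../../standalone/deployments/x.war HTTP/1.1" 200',
    '2026-06-01T09:58:12 appserver: deploying /opt/app/standalone/deployments/x.war',
    '2026-06-01T09:58:20 198.51.100.7 "POST /index.jsp HTTP/1.1" 200',
    '2026-06-01T09:58:25 203.0.113.4 "GET /index.jsp HTTP/1.1" 200',
    '2026-06-01T09:58:30 203.0.113.4 "POST /api/upload?name=report.pdf HTTP/1.1" 200',
]
LSWS_LINES = [
    "2026-06-01T10:00:00 user=acme api=generateEcCert",
    "2026-06-01T10:00:01 user=acme api=generateEcCert",
    "2026-06-01T10:00:01 user=acme api=packageUserSize",
    "2026-06-01T10:00:02 user=acme api=generateEcCert",
    "2026-06-01T10:00:02 user=acme api=packageUserSize",
    "2026-06-01T10:00:03 user=acme api=generateEcCert",
    "2026-06-01T10:00:05 user=bob api=packageUserSize",
    "2026-06-01T10:00:40 user=bob api=listAccounts",
    "2026-06-01T10:01:30 user=bob api=packageUserSize",
]

if __name__ == "__main__":
    for f in check_sdwan_logs(SDWAN_LINES):
        print("SD-WAN:", ", ".join(f["reasons"]), "|", f["line"])
    for user, peak in check_lsws_bursts(LSWS_LINES).items():
        print(f"LiteSpeed: {user} made {peak} sensitive API calls within 10s")
```

On the constructed input the SD-WAN check yields three findings (the traversal upload that also names a .war, the server-side deployment line, and the POST to index.jsp) and ignores the GET and the ordinary PDF upload; the burst check flags tenant acme, who made six sensitive calls in three seconds, and stays silent on bob, whose two calls are a minute and a half apart. The window and threshold are the knobs: a legitimate certificate rollout for many domains will also look bursty, so tune them against a week of normal cPanel traffic before alerting.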
Enterprise SIEM and Detection Rules
Framework Technique Mapping and Evidence
Initial Access via Exploit Public-Facing Application (T1190): Executed during the DragonForce intrusion to exploit vulnerabilities on target SQL/MSSQL servers, establishing the primary foothold inside the services network. Also observed in the active weaponization of the Cisco Catalyst SD-WAN Manager (CVE-2026-20262) web upload API.
Defense Evasion via Hijack Execution Flow: DLL Side-Loading (T1574.002): Used by DragonForce to bypass execution controls by having legitimate VirtualBox and DbgView binaries side-load the malicious vboxrt.dll component.
Privilege Escalation via Exploitation for Privilege Escalation (T1068): A core mechanism across all major clusters, manifested in the DragonForce multi-driver Bring Your Own Vulnerable Driver (BYOVD) chain spanning three distinct CVEs, in the escalation that preceded Anubis lateral movement across port authority networks, and in the LiteSpeed cPanel symlink flaw (CVE-2026-54420) used to obtain local root.
Defense Evasion via Impair Defenses: Disable or Modify Tools (T1562.001): Core to the DragonForce campaign, which deployed custom kernel-mode process terminators alongside the ABYSSWORKER driver to systematically crash endpoint detection and response agents from kernel space.
Defense Evasion via Masquerading: Match Legitimate Name or Location (T1036.005): Observed in the DragonForce campaign, where the custom-built ABYSSWORKER driver carried version metadata spoofing a legitimate Palo Alto Networks security component to evade automated analysis.
Discovery via Account Discovery: Domain Account (T1087.002): Executed during the DragonForce post-exploitation phase, leveraging the ADExplore utility to map internal Active Directory structures.
Discovery via Network Service Discovery (T1046): Used during the Anubis intrusion, where the Netscan tool captured TLS certificates and page titles across the internal maritime logistics network.
Lateral Movement via Remote Services: Remote Desktop Protocol (T1021.001): Applied by DragonForce operators using compromised internal credentials to move laterally across target services networks via standard administrative channels.
Command and Control via Non Application Layer Protocol (T1095): The primary command mechanism for Backdoor.Turn, which encapsulates malicious traffic within User Datagram Protocol sessions over port 443 to run QUIC communications.
Command and Control via Application Layer Protocol: Web Protocols (T1071.001): Inferred from the Backdoor.Turn mechanism, which uses anonymous visitor tokens to masquerade as ordinary Microsoft Teams media traffic, leaving firewalls that classify by destination with nothing to act on.
Exfiltration over C2 Channel (T1041): Executed across the DragonForce, Anubis and OptinMonster campaigns to exfiltrate sensitive files, user credentials and corporate data repositories over the existing command channel before any visible disruption.
Impact via Data Encrypted for Impact (T1486): The final operational phase for both the DragonForce and Anubis campaigns, resulting in large-scale system lockouts across target services and critical maritime transport hubs.
Chapter 05 - Governance, Risk & Compliance
Compliance and Corporate Governance Metrics
The convergence of advanced network evasion tools with critical edge infrastructure compromise imposes steep regulatory and governance liabilities on modern enterprises. Corporate officers must evaluate the security posture of their operational networks not merely on numeric severity matrices, but on the potential for lateral cascading failures across disparate business units. Failure to implement process-aware egress filters or robust driver allowlists creates systematic exposure to global data protection regimes, insurance validation mandates, and critical infrastructure notification guidelines.
Regulatory and Governance Impact Dimensions
Critical Infrastructure Notification and CIRCIA Compliance: For entities operating within United States critical infrastructure sectors, the long dwell time and confirmed data exfiltration observed in the DragonForce and Anubis ransomware campaigns activate mandatory notification rules. Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), covered organizations must report substantial cyber incidents to CISA within seventy-two hours and ransom payments within twenty-four hours. A two-month network dwell time means forensic investigators must establish as early as possible when data was first accessed, because the reporting clock starts when the organization reasonably believes a covered incident has occurred, not when containment is complete.
Cross-Border Privacy Regimes and GDPR Exposure: The multi-tenant exploitation profile of the LiteSpeed cPanel flaw introduces compound liabilities under the European Union General Data Protection Regulation (GDPR). When a shared hosting infrastructure provider is subverted, the provider acts as a data processor, while individual tenant corporations remain the data controllers. If an attacker leverages a local symlink vulnerability to extract user records or payment databases across co-located customer environments, both parties face severe exposure. Regulators look unfavorably on data controllers that keep production client applications on multi-tenant hardware lacking strict kernel-level segmentation or prompt vendor patch verification, creating potential liability for structural non-compliance.
Maritime Logistics Risk and NIS2 Enforcement: The cascading regional disruptions caused by the Anubis ransomware attack on the Adriatic Port Authority underscore the rigorous enforcement environment of the European Union's NIS2 Directive. Operating as an essential transport entity, a port authority must maintain high operational resiliency across its entire digital supply chain. The fact that the threat group successfully forced the physical rerouting of maritime vessels without ever touching operational technology assets proves that IT application availability is a core dependency for physical safety. Under NIS2, corporate boards face personal liability for systemic failures to manage digital risks, highlighting that generic password configurations or unpatched enterprise software on administrative networks can be penalized as governance oversights.
Digital Commerce Script Security and PCI DSS 4.0 Mandates: The wide reach of the OptinMonster, TrustPulse, and PushEngage content delivery network supply chain attack intersects directly with the strict mandates of the Payment Card Industry Data Security Standard (PCI DSS) version 4.0. The standard requires organizations to maintain complete visibility and automated inventory tracking of all client-side JavaScript components running on e-commerce checkout portals. Because the injected scripts secretly created administrative profiles and established hidden file backdoors, any business accepting card payments that loaded these scripts during the June compromise window faces mandatory forensic audits, potential non-compliance fines, and the immediate requirement to rotate all merchant environment API tokens and database keys.
Senior Management Strategic Determinations
| Strategic Operational Priority | Corporate Governance Mandate | Risk Abatement Goal |
|---|---|---|
| Core Architecture Migration | Evaluate moving customer-facing web assets off high-density shared hosting networks into dedicated cloud instances. | Eliminate multi-tenant co-location vulnerabilities and unauthorized local symlink traversal. |
| Operational Egress Hardening | Enforce mandatory process-level tracking on all outbound encrypted User Datagram Protocol sessions over port 443. | Neutralize TURN relay and QUIC-based command tunnel blind spots inside corporate firewalls. |
| Supply Chain Procurement Controls | Require formal security validation and code-integrity reviews for all third-party marketing plugins and client-side web scripts. | Prevent vendor-side content delivery network compromises from introducing persistent backend file backdoors. |
Chapter 06 - Adversary Emulation
Adversary Simulation and Framework Validation
Validating enterprise defensive postures against these specific threat profiles requires systematic emulation of their core evasion and escalation behaviors. Because these operations excel at blinding local security layers and blending into trusted network streams, purple team exercises must focus on verifying that log visibility remains intact when these specific techniques are attempted.
Adversary Emulation Steps (Purple Team)
Emulate DLL Side-Loading (T1574.002): Defenders should place a benign test dynamic link library named vboxrt.dll directly into a directory containing a valid VirtualBox or DbgView executable. Launch the application and verify in endpoint telemetry that the image load is recorded (Sysmon Event ID 7) and that an image-load alert for the unexpected vboxrt.dll fires.
Emulate Bring Your Own Vulnerable Driver (BYOVD) Escalation (T1068): In an isolated testing sandbox, attempt to load one of the vulnerable drivers from the published indicator list. Verify that the Sysmon Event ID 6 driver-load record reaches the SIEM and that endpoint policy (for example the Microsoft vulnerable driver blocklist) blocks or flags the driver by hash or signer; note that these drivers typically carry valid signatures, so a signature check alone will not catch them.
Emulate Anomalous QUIC Command Beaconing (T1095): Construct an outbound User Datagram Protocol session over port 443 targeting an external test node from a generic, non-collaboration process such as a command shell or administrative script utility. Review network firewall and cloud broker alerts to ensure the connection triggers an anomaly warning rather than getting passed as trusted background web traffic.
Emulate Local Symlink Traversal (T1068): On a non-production Linux instance running a standard web hosting configuration, create a test symbolic link inside a low-privilege home folder that references a system configuration path located outside the user directory jail. Execute local directory discovery indexing functions across that link to verify that security logging tools capture the traversal boundary jump.
Emulate Registry Configuration Tampering (T1112): Programmatically set the LimitBlankPasswordUse value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa to zero on a test endpoint, which permits network logons with blank passwords. Confirm that centralized configuration auditing baselines immediately flag the modification as an unauthorized security posture change (Sysmon Event ID 13 records the value set).
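The symlink traversal emulation above, carried through as an added example (not code from LiteSpeed, cPanel or the original report): it builds a throw-away tenant directory under a temp dir, plants a symlink to a file outside it (a constructed stand-in for a master configuration file) and contrasts a privileged reader that trusts the tenant-supplied path with one that resolves the path, checks containment and opens the leaf with O_NOFOLLOW. The directory layout, file names and contents are all assumptions; it needs Linux or macOS.

```python
"""Symlink jail-escape emulation: naive versus contained privileged read.

Added example, not from LiteSpeed, cPanel or the original report. It builds a
throw-away tenant directory under a temp dir, plants a symlink that points at
a file outside it (a constructed stand-in for a master configuration file),
and contrasts a reader that trusts the tenant-supplied path with one that
resolves it, checks containment and opens the leaf with O_NOFOLLOW. Linux or
macOS only (O_NOFOLLOW and unprivileged symlinks).
"""
import os
import shutil
import tempfile
from pathlib import Path


class JailEscape(Exception):
    """Raised when a tenant path resolves outside the tenant root."""


def naive_read(tenant_root: str, rel_path: str) -> bytes:
    """What a high-privilege plugin must not do: follow whatever the path says."""
    with open(os.path.join(tenant_root, rel_path), "rb") as f:
        return f.read()


def contained_read(tenant_root: str, rel_path: str) -> bytes:
    """Read rel_path only if it stays inside tenant_root after resolution.

    resolve() follows symlinks in every component, so a symlinked directory
    or an absolute link to /etc is caught by the containment test. The leaf
    is then opened with O_NOFOLLOW so a link swapped in between the check
    and the open (TOCTOU) is refused rather than followed.
    """
    root = Path(tenant_root).resolve(strict=True)
    target = (root / rel_path).resolve(strict=False)
    if target != root and root not in target.parents:
        raise JailEscape(f"{rel_path!r} resolves to {target}, outside {root}")
    fd = os.open(os.path.join(tenant_root, rel_path), os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def build_fixture() -> str:
    """Lay out <tmp>/secret.conf and <tmp>/tenants/acme/{public/index.html, evil}."""
    base = Path(tempfile.mkdtemp(prefix="jail-"))
    secret = base / "secret.conf"
    secret.write_bytes(b"db_password=hunter2\n")   # constructed, not a real secret
    tenant = base / "tenants" / "acme"
    (tenant / "public").mkdir(parents=True)
    (tenant / "public" / "index.html").write_bytes(b"<h1>ok</h1>\n")
    os.symlink(secret, tenant / "evil")             # the tenant's escape hatch
    return str(tenant)


def demo() -> dict:
    """Run both readers against the fixture and report what each did."""
    tenant = build_fixture()
    results = {}
    try:
        results["naive_follows_symlink"] = naive_read(tenant, "evil") == b"db_password=hunter2\n"
        for key, path in (("hardened_blocks_symlink", "evil"),
                          ("hardened_blocks_traversal", "../../secret.conf")):
            try:
                contained_read(tenant, path)
                results[key] = False
            except JailEscape:
                results[key] = True
        results["hardened_allows_legit"] = contained_read(tenant, "public/index.html") == b"<h1>ok</h1>\n"
    finally:
        shutil.rmtree(Path(tenant).parent.parent)   # remove the whole fixture
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'PASS' if ok else 'FAIL'}")
```

The naive reader hands back the outside file, exactly the behaviour the escalation relies on; the contained reader rejects both the symlink and the plain ../ traversal while still serving the tenant's own file. Two design points: a symlink on the leaf is refused outright even when it points inside the jail (O_NOFOLLOW raises ELOOP), which is the right default for a root-privileged plugin, and on Linux 5.6 or later openat2 with RESOLVE_BENEATH closes the remaining race on intermediate directory components that this portable version cannot.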
| Input Component Metric | Assigned Value | Evaluative Contribution Notes |
|---|---|---|
| Corroborating Primary Sources | 45 / 50 | High confidence driven by explicit Known Exploited Vulnerabilities entries from CISA, vendor advisory documentation from Cisco and LiteSpeed, and deep technical analyses from Symantec and Resecurity. |
| Technical Artifact Detail | 25 / 30 | Strong technical reporting complete with a thirty-one indicator forensic package for Backdoor.Turn and log-based validation logic for edge platforms, offset by a lack of indicators for the maritime and corporate breach events. |
| Contextual Completeness | 15 / 20 | Complete historical timelines and operational impact metrics are available for the primary campaigns, though gaps remain regarding the precise CVE identifiers for the initial access paths and lateral network movements. |
