PUBLISHED ON

Apr 5, 2026
EDITION 001

The Week The Threat Landscape Showed Up

Nation-states attended your conferences, your inbox, and your water supply. Busy week

WEEKLY OPENING

Welcome back to NightWatch — where we take everything the threat landscape threw at defenders this week, dress it in a blazer, and try to make sense of it before Sunday bleeds into Monday. This week's show has everything: Iranian actors disrupting water infrastructure without a single zero-day, North Korean operatives who attended multiple international conferences before deploying their malware, and a phishing-as-a-service platform so polished it sent five fake prior emails to make the CEO feel personally remembered. Grab your coffee. It was that kind of week.

EXECUTIVE TAKE

This week reinforced a structural reality defenders have heard before but rarely act on: sophistication is increasingly optional. Iran-affiliated actors disrupted US critical infrastructure PLCs — water, wastewater, energy, and government facilities — not through novel exploits but by accessing internet-exposed control systems that had no business being reachable from the public internet. Six federal agencies (FBI, CISA, NSA, EPA, DoE, CNMF) confirmed disruption and financial loss in a joint advisory.

In parallel, North Korea's Golden Chollima group concluded a six-month social engineering operation against Solana-based exchange Drift, stealing $285 million on April 1. The operation involved real conference attendance, fabricated professional identities, a deposited $1M good-faith stake, and ultimately a malicious VS Code workspace. The patch for the technique used existed since December 2025. The gap was human, not technical.

On the brighter side, Anthropic's Project Glasswing used Claude Mythos Preview to autonomously discover thousands of previously unknown vulnerabilities in critical open-source software — including a 27-year-old OpenBSD remote crash bug and a 16-year-old FFmpeg flaw. The attack surface is both older and broader than most defenders assume.

KEY FINDINGS

  • Iranian APT / ICS: Iran-affiliated actors disrupted Rockwell Automation / Allen-Bradley PLCs at US water, energy, and government facilities since March 2026 — confirmed by six-agency advisory (FBI, CISA, NSA, EPA, DoE, CNMF).

  • DPRK / Drift: Golden Chollima (UNC4736) stole $285M from Solana exchange Drift via a six-month social engineering operation culminating in a malicious VS Code tasks.json on April 1.

  • Venom PhaaS: New closed-access phishing platform targeting C-suite executives across 20+ verticals using QR codes, AiTM relay, and device-code flow abuse — rendering MFA ineffective end-to-end.

  • Storm Infostealer: New Chrome credential stealer using server-side decryption to bypass Google's App-Bound Encryption, documented by Varonis research.

  • Project Glasswing: Anthropic's Claude Mythos Preview autonomously discovered thousands of zero-days — including a 27-year OpenBSD RCE and 16-year FFmpeg flaw. All responsibly disclosed and patched.

  • FrostArmada Disrupted: APT28-linked router DNS hijacking campaign (18,000 devices, 120 countries) taken down — campaign stole Microsoft 365 credentials and OAuth tokens at peak in Dec 2025.

  • Apple DarkSword: iOS 18.7.7 / macOS 26.4 patch expanded to cover spyware-grade zero-days confirmed exploited in the wild prior to release.

  • FBI IC3: $17 billion in cyber fraud losses documented over the past year — ransomware and BEC as primary contributors.

WEEKLY THREAT NARRATIVE

01 The ICS Problem Is a Policy Problem

The most significant development this week wasn't a novel exploit — it was a six-agency advisory confirming Iran-affiliated actors have been successfully disrupting US industrial control systems. The attack vector was basic: internet-exposed PLCs with no meaningful access controls. "If an OT environment is reachable from the internet, that is an inherent design flaw and not a nation-state problem," said Gabrielle Hempel of Exabeam. The advisory's recommendation to place physical mode switches in run position to block remote modification is a 2026 document recommending a 1980s mitigation. That gap is the whole story.

The advisory linked this campaign to a pattern going back to CyberAv3ngers, affiliated with Iran's IRGC Cyber Electronic Command. The current group is assessed as distinct but related — conducting activity to "cause disruptive effects within the United States," tied to ongoing US-Iran-Israel hostilities.

02 DPRK's Long Game at the Conference Bar

Golden Chollima didn't send a phishing email — they built real personas, attended international crypto conferences in person using third-party intermediaries, deposited over $1M to establish operational credibility, and ran six months of substantive technical conversations before executing. The VS Code tasks.json trick weaponizes the runOn: folderOpen option to execute arbitrary code silently upon opening a workspace. Microsoft had documented and patched this in December 2025. Nation-state patience now routinely exceeds enterprise patch cycles.
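The workspace audit this item calls for, as an added example (not code from the original report, from Drift or from Microsoft): parse a .vscode/tasks.json the way VS Code does (comments and trailing commas allowed) and report any task whose runOptions.runOn is folderOpen, i.e. a task that runs as soon as the folder is opened. The sample tasks.json is constructed for illustration.

```python
import json
import re


def strip_jsonc(text: str) -> str:
    """Strict JSON from VS Code's JSON-with-comments: drop // and /* */ comments
    outside strings (a URL inside "command" must survive) and trailing commas."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str or c == '"':                    # inside (or entering) a string literal
            out.append(c)
            if c == "\\" and i + 1 < len(text):   # copy the escaped character verbatim
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = not in_str
        elif text.startswith("//", i):            # line comment: skip to end of line
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        elif text.startswith("/*", i):            # block comment: skip past */
            end = text.find("*/", i + 2)
            i = len(text) if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def auto_run_tasks(tasks_json: str) -> list[dict]:
    """Return tasks with runOptions.runOn == 'folderOpen', i.e. the ones VS Code
    launches automatically when the folder is opened, with what they would run."""
    doc = json.loads(strip_jsonc(tasks_json))
    return [
        {"label": t.get("label"), "command": t.get("command"), "args": t.get("args", [])}
        for t in doc.get("tasks", [])
        if (t.get("runOptions") or {}).get("runOn") == "folderOpen"
    ]


# Constructed sample .vscode/tasks.json: one manual task and one auto-run task.
SAMPLE_TASKS_JSON = """{
  // VS Code allows comments and trailing commas, so plain json.loads fails on this
  "version": "2.0.0",
  "tasks": [
    {"label": "test", "type": "shell", "command": "npm test",},
    {"label": "setup", "type": "shell", "command": "node", "args": ["./scripts/setup.js"],
     "runOptions": {"runOn": "folderOpen"}}, /* runs as soon as the folder is opened */
  ]
}"""
```

Run auto_run_tasks over the contents of every .vscode/tasks.json in a checkout tree and review each hit's command and args; only the "setup" task in the sample is flagged.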

03 Phishing Got a Product Manager

Venom PhaaS is worth a close read. No single technique is new, but the assembly is exceptional: randomized throwaway HTML elements per send to break signature detection, fabricated five-message prior email threads for false context, QR codes to bypass URL scanners, AiTM relay to capture live MFA tokens, and device-code flow abuse to harvest refresh tokens that survive password resets. The platform has a licensing model, campaign management UI, and structured token storage. It was not listed in any public threat intel database at time of reporting.

NOTABLE TECHNICAL SIGNALS

Top CVEs This Week
  • CVE-2026-2699: Citrix ShareFile — Auth bypass enabling RCE when chained with file upload abuse. Can redirect storage to attacker-controlled infrastructure without authentication.

  • CVE-2026-34078: Flatpak 1.16.4 — Complete sandbox escape leading to host file access and code execution. Critical for Linux environments relying on Flatpak isolation.

  • DarkSword: Apple iOS / macOS — Spyware-grade zero-days patched in iOS 18.7.7 and macOS 26.4. Exploitation confirmed in the wild prior to patch release.

Attack Vectors This Week
  • Phishing: 90%

  • Exploit: 75%

  • Credential Theft: 60%

  • Botnet: 30%

  • Misconfiguration: 25%

MITRE ATT&CK Themes
  • T1566 Phishing — Venom PhaaS campaign using QR codes, fabricated email threads, and SharePoint lures against C-suite executives.

  • T1190 Exploit Public-Facing Application — Iranian actors exploiting internet-exposed PLCs; ShareFile CVE-2026-2699 chain.

  • T1078 Valid Accounts — Device code flow abuse by Venom PhaaS harvesting refresh tokens that survive password resets.

  • T1059 Command & Scripting — DPRK VS Code tasks.json runOn: folderOpen execution.

  • T1036 Masquerading — Golden Chollima persona construction: employment histories, conference attendance, deposited funds.

Threat Detection

SIGMA: Suspicious VS Code Task Execution via tasks.json

title: Suspicious VS Code Task Execution via tasks.json
status: experimental
description: Process spawned by VS Code whose command line references tasks.json; candidate for an auto-run (runOn folderOpen) task firing on workspace open.
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\code.exe'
    CommandLine|contains: 'tasks.json'
  filter_known_dev_tools:
    # placeholder: list the tool binaries your engineering teams legitimately launch from VS Code
    Image|endswith:
      - '\known_dev_tool.exe'
  condition: selection and not filter_known_dev_tools
falsepositives:
  - Legitimate build or test tasks launched from VS Code
level: medium

SIEM: Device Code Flow Abuse Detection

-- TITLE: Detect suspicious OAuth device code authentication
-- Placeholders: auth_events holds sign-in logs; known_trusted_clients lists allow-listed
-- user agents; corporate_ip_ranges lists corporate egress IPs (exact match only, since
-- NOT IN cannot test CIDR containment; use your engine's range operator for that).
SELECT user_principal, source_ip, user_agent, timestamp
FROM   auth_events
WHERE  auth_method = 'device_code'
  AND  user_agent NOT IN (SELECT user_agent FROM known_trusted_clients)
  AND  source_ip  NOT IN (SELECT source_ip  FROM corporate_ip_ranges)
  AND  timestamp  > NOW() - INTERVAL '24 hours'   -- PostgreSQL syntax; MySQL: INTERVAL 24 HOUR
-- ALERT on every returned row

DEFENDER PRIORITIES

  1. ICS / OT — Immediate. Audit internet-facing PLC exposure. Query firewall and OT logs for traffic on ICS-associated ports from overseas hosting providers. For Rockwell / Allen-Bradley devices with a physical mode switch: place in Run position to block remote modification.

  2. Identity — MFA Reassessment. Evaluate your MFA posture against AiTM relay and device-code flow abuse. Enforce Conditional Access policies blocking device registration from unmanaged devices. Ensure admin token revocation is in your IR playbook.

  3. Patch — Three items this week. ShareFile (CVE-2026-2699), Flatpak 1.16.4 (CVE-2026-34078), and Apple iOS 18.7.7 / macOS 26.4. ShareFile and Flatpak are chainable — treat as urgent.

  4. Dev Security — VS Code Workspace Audit. Review VS Code configs across engineering teams for runOn: folderOpen patterns in tasks.json. Audit npm package provenance. This technique is not unique to crypto.

  5. Crypto / Fintech — Social Engineering Posture. Six-month relationship-building is now a documented attacker TTP. Red-team your vendor onboarding, conference contact, and third-party integration workflows.

RECOMMENDED ACTIONS

  • Audit internet-facing OT/ICS exposure — query for PLC ports reachable from external IPs

  • Patch ShareFile CVE-2026-2699, Flatpak CVE-2026-34078, Apple iOS 18.7.7 / macOS 26.4

  • Block unmanaged device registration via Conditional Access policies

  • Audit VS Code workspaces for runOn: folderOpen task configurations

  • Revoke all active sessions for any suspected AiTM or device-code compromises

  • Review npm package provenance across dev pipelines

  • Red-team vendor onboarding and conference contact workflows for social engineering resilience

CONFIDENCE & LIMITATIONS

ICS/Iran attribution is high confidence — six-agency joint advisory. Drift/DPRK attribution is medium confidence per Drift's own disclosure. Venom PhaaS documented by Abnormal Research but not yet in public threat intel databases at time of writing. Storm infostealer is based on single-vendor research (Varonis). This was an active reporting week — overall coverage is strong.