In February 2026, the Fortgale Incident Response team was engaged to investigate a suspected security breach at a European organization operating within the logistics and transportation sector.
The investigation uncovered a sophisticated, multi-stage intrusion attributed to Mora_001 (internally dubbed “FortiSync Quasar”), a threat actor of assessed Russian origin previously documented in connection with the exploitation of Fortinet vulnerabilities and ransomware deployment.
However, the patterns observed during Incident Response operations bear striking resemblance to a series of intelligence reports independently published by multiple security organizations, including Amazon, SentinelOne, Arctic Wolf, eSentire, and Huntress. The common thread connecting all of these analyses is unmistakable: Russian-speaking criminal groups, deployment of the Matanbuchus malware (sharing the same C2 infrastructure), compromise of perimeter Fortinet firewalls, and TTPs consistent with a ransomware operation, yet with no concrete evidence of the final payload ever being executed.
This convergence of evidence leads Fortgale to assess these operations as components of a single coordinated campaign named “Storming Tide”, executed by multiple criminal groups operating in concert. The primary objective appears to be intelligence collection and data exfiltration, with financial gain remaining a probable but unconfirmed secondary motive.
Cyber Attack Analysis
Fortgale assesses with moderate confidence that this campaign was primarily driven by intelligence collection objectives. The presence of ransomware tooling does not contradict this assessment: dual-purpose operations are an emerging pattern among Russian-nexus threat actors, combining espionage with the potential for financially motivated disruption.
In mid-February 2026, the Fortgale Incident Response team identified suspicious internal network scanning activity. This early access detection triggered a comprehensive investigation that revealed a deeply embedded intrusion persisting for several months, with the initial compromise of a perimeter firewall traced to late 2025.
Attack Timeline
Following the initial access phase, the threat actor entered a period of inactivity, a characteristic tactic observed in operations prioritizing stealth over speed. After this quiescent interval, Mora_001 pivoted into the internal network, leveraging unmanaged assets to establish an operational foothold outside the visibility of the organization’s endpoint detection capabilities.
Rapid containment actions by the Fortgale IR team prevented any data exfiltration and the execution of the ransomware payload staged within the environment.
VPN Tunnel Persistence
During the initial compromise of the perimeter firewall, Mora_001 configured a remote VPN tunnel on the compromised Fortinet appliance, establishing a persistent and encrypted communication channel directly into the victim’s network perimeter. This VPN peer provided the actor with a reliable re-entry mechanism that bypassed traditional network monitoring, effectively granting on-demand access to the internal environment.
The campaign’s next phase was marked by the deployment of multiple tools, each serving a distinct role in the attack chain:
| Malware | Category | Role in Campaign |
|---|---|---|
| Matanbuchus 3.0 | Loader (MaaS) | Primary delivery mechanism for secondary payloads. Used to stage and deploy Astarion RAT and SystemBC. |
| Astarion RAT | Remote Access Trojan | Comprehensive remote access, command execution, and data collection capabilities. |
| SystemBC | Proxy / Backdoor | Encrypted proxy tunneling for covert C2 communications and traffic obfuscation. |
| RClone | Exfiltration Utility | High-volume data exfiltration to external S3-compatible storage infrastructure. |
Observed Malware Arsenal
Matanbuchus 3.0 (The Loader)
Matanbuchus 3.0 is a sophisticated malware loader distributed through a Malware-as-a-Service (MaaS) model that marked its return to the cyberthreat landscape in May 2025, following a brief period of inactivity.
The malware is actively marketed on high-profile Russian underground forums by threat actors such as “BelialDemon,” with a premium subscription model that reflects its technical sophistication: the HTTPS protocol-based variant is priced at $10,000 / month, while the version leveraging DNS protocol for C2 communications reaches $15,000 / month.
Technical capabilities include the execution of multiple payload types (EXE, DLL, MSI, and Shellcode) both through disk-based deployment and directly in-memory to minimize forensic artifacts, support for reverse shells via CMD or PowerShell, and execution of WQL (WMI Query Language) queries for comprehensive reconnaissance of compromised systems. A distinctive feature of this release is the implementation of Protocol Buffers (Protobuf) serialization coupled with ChaCha20 encryption to protect the integrity and confidentiality of C2 server communications. The loader serves as a gateway for more severe second-stage threats, including ransomware and remote access trojans such as Astarion RAT.
Astarion RAT (MimicRAT)
Astarion RAT is a next-generation Remote Access Trojan featuring a modular architecture that allows it to be used both as an espionage tool and as a distribution vector for additional malicious payloads. Primary attribution links it to financially motivated actors.
It was notably observed between late 2025 and early 2026. The malware excels at maintaining persistence and achieving total remote control of the compromised host, leveraging RSA-encrypted C2 communications to prevent traffic interception.
Its ability to execute PowerShell scripts directly in memory drastically reduces on-disk artifacts, making incident response and forensic analysis activities particularly complex.
SystemBC
SystemBC, also tracked as Coroxy or DroxiDat, is a malware family specialized in creating persistent network tunnels, acting as a covert SOCKS5 proxy. Technical attribution closely links it to actors such as “Vanilla Tempest” and numerous high-profile ransomware affiliates, including groups tied to LockBit and Black Basta infrastructures.
Its primary use lies in masking Command and Control (C2) traffic, allowing attackers to channel commands to other malware on the network without triggering perimeter firewall alarms. Campaigns detected throughout 2025 highlighted the deployment of SystemBC against the public sector in Central Asia and critical infrastructure in Latin America, confirming its effectiveness in bypassing traditional network defenses through communication protocol obfuscation.
Notably, the deployment of SystemBC via Matanbuchus represents the first publicly documented case of this particular infection chain.
RClone
RClone represents a critical example of Living-off-the-Land tool abuse: it is open-source software originally designed for managing files on cloud storage that is systematically employed by threat actors for rapid data exfiltration. Although it carries no malicious signature of its own, it appears in the forensic record of nearly all incidents involving ransomware groups like Akira, Cl0p, and LockBit.
Attackers use RClone to transfer massive volumes of sensitive data to remote servers or commercial cloud services such as Mega, Dropbox, or Amazon S3, an operation that usually precedes the final system encryption phase. The tool’s effectiveness lies in its stability and speed, as well as its ability to operate through encrypted channels that mimic normal corporate traffic, making the distinction between legitimate and illicit use extremely dependent on behavioral analysis.
Threat Actor Profile: Mora_001
A sophisticated threat actor whose TTPs align with groups of assessed Russian origin. Initially categorized as a ransomware operator deploying SuperBlack, a custom strain built upon the leaked LockBit builder. Linked to the exploitation of Fortinet vulnerability chains CVE-2024-55591 and CVE-2025-24472. In early campaigns, exhibited a rapid operational tempo, deploying ransomware within 48 hours of initial access when conditions were favorable.
Although attribution to Mora_001 is assessed with high confidence, based on the use of the forticloud-sync service account during the initial firewall compromise and on overlaps in infrastructure and TTPs, the operational profile observed in this campaign represents a significant evolution from Mora_001’s previously documented behavior, suggesting a change in the actor’s mandate or operational tasking.
At the time of writing, comparison and attribution rest solely on similarities with the TTPs described by Forescout; no other public documentation mentions these TTPs or the use of forticloud-sync. Fortgale welcomes contact from anyone who has further information or has observed similar techniques.
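The two firewall-side persistence signals described in this report, a rogue IPsec peer added to the compromised appliance and a service account such as forticloud-sync appearing in the admin table, are both visible in a FortiOS configuration backup. The following is an added example, not Fortgale's tooling or Fortinet's: it parses a constructed config excerpt and flags admin accounts and phase1 peers missing from an owner-approved baseline (the baseline sets and all addresses are assumed values).

```python
# Added example: audit a FortiOS config backup for admin accounts and IPsec
# phase1 peers absent from a known-good baseline. The excerpt is constructed.

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
    next
end
config vpn ipsec phase1-interface
    edit "to-branch-office"
        set interface "wan1"
        set remote-gw 198.51.100.20
    next
    edit "cloud-sync-tunnel"
        set interface "wan1"
        set remote-gw 203.0.113.77
    next
end
"""

# Baseline approved by the firewall owners (assumed values for this example).
BASELINE_ADMINS = {"admin"}
BASELINE_PEERS = {"198.51.100.20"}


def parse_fortios(text):
    """Return {section: {entry_name: {key: value}}}; nested config blocks are skipped."""
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
            sections.setdefault(stack[0], {})
        elif line.startswith("edit ") and len(stack) == 1:
            entry = line[5:].strip('"')
            sections[stack[0]][entry] = {}
        elif line.startswith("set ") and entry is not None and len(stack) == 1:
            key, _, value = line[4:].partition(" ")
            sections[stack[0]][entry][key] = value.strip('"')
        elif line == "next" and len(stack) == 1:
            entry = None
        elif line == "end" and stack:
            stack.pop()
    return sections


def audit(sections, baseline_admins, baseline_peers):
    """List admin accounts and IPsec peers that the baseline does not know about."""
    findings = []
    for name, attrs in sections.get("system admin", {}).items():
        if name not in baseline_admins:
            findings.append(("admin", name, attrs.get("accprofile", "?")))
    for name, attrs in sections.get("vpn ipsec phase1-interface", {}).items():
        if attrs.get("remote-gw") not in baseline_peers:
            findings.append(("ipsec-peer", name, attrs.get("remote-gw")))
    return findings
```

Diffing every backup against the last reviewed baseline, rather than eyeballing the running config, is what surfaces a peer or account that was added months before any lateral movement began.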
Operational Evolution: From Ransomware to Espionage
The findings from this engagement reveal a significant evolution from the operational profile previously attributed to Mora_001. The following table summarizes the key behavioral similarities and differences between the documented 2025 campaigns and the current intrusion:
| Indicator | 2025 Profile (Forescout) | 2026 Campaign (Fortgale) |
|---|---|---|
| Infrastructure | Malicious infrastructure based in Russia | Malicious infrastructure based in Russia |
| Dwell Time | Rapid: ransomware deployed within 48 hours of initial access | Extended: months of dormancy between initial access and lateral movement |
| Primary Objective | Financial extortion via SuperBlack ransomware deployment | Strategic data exfiltration, followed by potential ransomware deployment |
| Malware Tooling | SuperBlack (LockBit-based), custom exfiltration tools | Matanbuchus 3.0, Astarion RAT, SystemBC, RClone |
| Operational Tempo | Aggressive, opportunistic exploitation of exposed Fortinet devices | Deliberate, patient; extended reconnaissance and careful target selection |
| Initial Access | Fortinet firewall exploitation (forticloud-sync, forticloud-tech account) | Fortinet firewall exploitation (forticloud-sync, forticloud-tech account) |
| Initial Access | Brute forcing of OWA using “VPN Brute Force” | Brute forcing of OWA using “VPN Brute Force” |
Fortgale assesses that this behavioral shift is indicative of an evolution in Mora_001’s operational mandate. Several non-mutually exclusive hypotheses may explain this transition:
- Tasking Shift: The substantial change in the second half of the attack chain could be explained by a change in the business model adopted by Mora_001, now acting as an Initial Access Broker and selling access to the infrastructure to a third party.
- Dual-Purpose Operations: The actor may operate under a hybrid model, conducting ransomware operations for revenue generation while selectively executing espionage missions against high-value targets.
- Capability Maturation: The significant upgrade in malware arsenal suggests increased funding and access to higher-tier procurement channels.
Unlike cybercriminal groups that prioritize rapid monetization, Mora_001 as observed in this campaign demonstrates a high degree of operational discipline, often remaining inactive for weeks or months between the initial breach and the start of lateral movement. This patience is indicative of an actor with strategic objectives that extend beyond immediate financial gain.
The actor’s ability to procure and deploy premium malware builds, such as Matanbuchus 3.0, which commands a significant price ($15,000 / month) on underground marketplaces, is indicative of a well-funded operation with access to established procurement channels within the Russian-language cybercriminal ecosystem.
The operational methodology, characterized by the use of legitimate administrative tools, compromised service accounts, and extended dwell times, is consistent with a long-term “sleeper” strategy designed to maintain persistent access while evading detection.
Campaign Storming Tide: Shared Technical Characteristics
From Fortgale’s analytical perspective, the intrusion documented in this report does not represent an isolated incident. Cross-referencing our findings with intelligence independently published by SentinelOne, Amazon, Arctic Wolf, eSentire, Huntress, and Forescout reveals a consistent pattern of overlapping indicators, shared infrastructure, and synchronized operational timelines that point toward a single, coordinated campaign rather than a collection of unrelated intrusions.
The convergence is striking. Between late 2025 and early 2026, multiple security organizations documented threat activity targeting Fortinet perimeter appliances at scale. Arctic Wolf was among the first to observe malicious SSO logins on FortiGate devices following the disclosure of CVE-2025-59718 and CVE-2025-59719, identifying automated creation of rogue administrator accounts and exfiltration of firewall configurations. This activity intensified when CVE-2026-24858, a critical authentication bypass zero-day (CVSS 9.8) in the FortiCloud SSO mechanism, was confirmed under active exploitation, as documented by eSentire and CISA. Notably, even fully patched devices were found to be compromised through this separate vulnerability, extending the window of exposure well beyond initial remediation efforts.
SentinelOne’s DFIR investigations into FortiGate edge intrusions confirmed a parallel pattern: stolen service accounts leading to rogue workstations, Active Directory compromise, and DLL side-loading chains employing java.exe with a malicious jli.dll, the identical technique observed in the Fortgale incident.
Amazon’s threat intelligence team documented a Russian-speaking actor who compromised over 600 FortiGate devices across 55 countries between January and February 2026, augmenting their capabilities through commercial generative AI services. While this actor exhibited lower baseline technical sophistication, the operational pattern, targeting Fortinet management interfaces, harvesting credentials, exfiltrating Active Directory databases, and staging for potential ransomware deployment, mirrors the Storming Tide operational profile with notable precision.
The malware dimension provides the strongest connective thread. Huntress documented an intrusion chain in which Matanbuchus 3.0 delivered Astarion RAT (also tracked as MIMICRAT by Elastic Security Labs), the exact same loader-to-RAT delivery chain observed in the Fortgale incident. The operators moved from initial access to domain controllers in under 40 minutes, leveraging PsExec, rogue account creation, and Defender exclusions, tactics fully consistent with pre-ransomware staging.
A recurring pattern across multiple engagements is the absence of final-stage ransomware execution. However, this observation must be interpreted with caution. In the Fortgale case, rapid containment by the IR team explicitly prevented both data exfiltration and ransomware deployment; similarly, in other reports early detection disrupted the operation before the threat actor could achieve their final objectives. It is therefore plausible that the lack of ransomware execution in several of these incidents reflects successful defensive intervention rather than deliberate restraint by the operators.
No ransomware tooling was observed or staged within the compromised environments. However, this is consistent with standard ransomware operational tradecraft, where payloads are typically deployed only in the final stage of an attack, often immediately before execution to minimize detection risk. The absence of ransomware artifacts in earlier phases is therefore not anomalous in itself. What remains diagnostic is the operational emphasis: extended dwell times, patient reconnaissance, and prioritized data exfiltration over rapid encryption. While ransomware deployment cannot be definitively ruled out as a contingent or follow-on objective, the observed TTPs align more closely with intelligence-collection priorities than with financially motivated extortion.
- Perimeter Targeting: Systematic exploitation of Fortinet firewall vulnerabilities (CVE-2024-55591, CVE-2024-21762, CVE-2022-42475, CVE-2023-27997, CVE-2022-40684) as the primary initial access vector, frequently accompanied by credential brute-force attacks against firewall management interfaces.
- Shared Malware Arsenal: Deployment of Matanbuchus 3.0 as the primary loader delivering Astarion RAT and SystemBC, with overlapping C2 infrastructure.
- Operational Profile: TTPs consistently include ransomware pre-staging (credential harvesting, AD compromise, data exfiltration via RClone).
- Attribution Indicators: Russian-speaking operators, infrastructure geolocated to Russian hosting providers, activity on Russian-language underground forums (BelialDemon / Matanbuchus MaaS).
Fortgale assesses with moderate-to-high confidence that these operations constitute components of a single coordinated campaign, Storming Tide, executed by multiple criminal groups operating in concert under a shared operational framework. The primary objective is assessed to be intelligence collection and strategic data exfiltration, with ransomware representing a credible secondary objective whose non-execution cannot be definitively attributed to operator intent alone, given the documented role of IR disruption in multiple engagements. The involvement of multiple actors at different skill levels, from AI-augmented operators documented by Amazon to the more sophisticated Mora_001 tradecraft observed by Fortgale and Forescout, suggests a tiered operational structure in which initial access acquisition, network exploitation, and data exfiltration may be distributed across distinct groups within a coordinated ecosystem.
While not directly attributable to the Storming Tide operations, during reverse engineering activities on the Matanbuchus malware, Fortgale identified a possible connection with Charon Ransomware. This cross-attribution warrants further investigation and may suggest broader malware supply-chain overlaps between distinct threat ecosystems. More information can be found in the Matanbuchus malware analysis.
Indicators of Compromise
Network IoCs
| Type | Value | Context |
|---|---|---|
| IPv4 | 213.226.113[.]74 | Initial Access Attempt (Late 2025) |
| Domain | www[.]ndibstersoft[.]com | Matanbuchus C2 |
| SHA-256 | 6d0c02e79858a70aa354a0a4088b671710c7003a62c56d5c6fca7ad376845707 | SystemBC PowerShell script |
| IPv4 | 86.106.143[.]137 | SystemBC C2 |
Host IoCs
- File Path: C:\ProgramData\USOShared\
- Malicious DLL: jli.dll
- Scheduled Task: JavaUpdate or JavaMainUpdate
- Software Abused: netscan.exe, rclone.exe
MITRE ATT&CK Mapping
| Tactic | ID | Technique | Application |
|---|---|---|---|
| Initial Access | T1133 | External Remote Services | Exploitation of Firewall VPN/Sync accounts. |
| Persistence | T1053.005 | Scheduled Task/Job | Use of “JavaUpdate” for malware execution. |
| Persistence | T1133 | External Remote Services | Remote VPN tunnel created on compromised Fortinet firewall. |
| Command & Control | T1090.003 | Proxy: Multi-hop Proxy | SystemBC SOCKS5 proxy tunneling for covert C2 communications. |
| Command & Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Astarion RAT RSA-encrypted C2 traffic; Matanbuchus ChaCha20 + Protobuf C2. |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Use of RClone to exfiltrate data to an external S3 bucket. |