{"id":9517,"date":"2026-03-13T17:58:48","date_gmt":"2026-03-13T17:58:48","guid":{"rendered":"https:\/\/fortgale.com\/blog\/?p=9517"},"modified":"2026-03-30T11:03:57","modified_gmt":"2026-03-30T11:03:57","slug":"operation-storming-tide","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/defence\/operation-storming-tide\/","title":{"rendered":"Operation Storming Tide: A massive multi-stage intrusion campaign"},"content":{"rendered":"\n<style>\n  \/* \u2500\u2500 Base \u2500\u2500 *\/\n  .fg-article { font-family: 'Segoe UI', system-ui, -apple-system, sans-serif; color: #2b2b2b; line-height: 1.8; max-width: 820px; margin: 0 auto; text-align: justify; }\n  .fg-article h2 { color: #1b2a4a; font-size: 1.55em; margin-top: 2.4em; margin-bottom: 0.6em; padding-bottom: 10px; border-bottom: 2px solid #1b2a4a; letter-spacing: 0.02em; text-transform: uppercase; font-weight: 700; }\n  .fg-article h3 { color: #1b2a4a; font-size: 1.15em; margin-top: 1.8em; margin-bottom: 0.5em; text-transform: uppercase; letter-spacing: 0.06em; font-weight: 600; }\n  .fg-article h4 { color: #1b2a4a; font-size: 1.05em; margin-top: 1.5em; margin-bottom: 0.4em; font-weight: 700; }\n  .fg-article p { margin-bottom: 1.15em; font-size: 1.02em; color: #3a3a3a; }\n  .fg-article strong { color: #1b2a4a; }\n  .fg-article a { color: #b22234; text-decoration: none; border-bottom: 1px solid rgba(178,34,52,0.3); transition: border-color 0.2s; }\n  .fg-article a:hover { border-bottom-color: #b22234; }\n  .fg-article em { font-style: italic; color: #555; }\n\n  \/* \u2500\u2500 Divider \u2500\u2500 *\/\n  .fg-divider { border: none; border-top: 1px solid #d8d8d8; margin: 2.2em 0; }\n\n  \/* \u2500\u2500 Info box \u2500\u2500 *\/\n  .fg-infobox { background: #f7f8fa; border: 1px solid #dde0e6; padding: 26px 30px; margin: 28px 0; position: relative; }\n  .fg-infobox::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 4px; background: #1b2a4a; }\n  .fg-infobox-title { 
font-weight: 700; color: #1b2a4a; font-size: 0.92em; margin-bottom: 14px; text-transform: uppercase; letter-spacing: 0.08em; display: flex; align-items: center; gap: 10px; }\n  .fg-infobox ul { margin: 0; padding-left: 18px; }\n  .fg-infobox li { margin-bottom: 10px; font-size: 0.98em; color: #3a3a3a; line-height: 1.7; }\n  .fg-infobox li strong { color: #1b2a4a; }\n\n  \/* \u2500\u2500 Callout: Operation \u2500\u2500 *\/\n  .fg-operation { background: #fafafa; border: 1px solid #e0e0e0; padding: 24px 28px; margin: 30px 0; position: relative; }\n  .fg-operation::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 4px; background: #b22234; }\n  .fg-operation-title { font-weight: 700; color: #b22234; font-size: 0.92em; margin-bottom: 10px; text-transform: uppercase; letter-spacing: 0.08em; display: flex; align-items: center; gap: 10px; }\n  .fg-operation p { margin: 0; color: #444; }\n\n  \/* \u2500\u2500 Containment \/ success callout \u2500\u2500 *\/\n  .fg-containment { background: #f7f8fa; border: 1px solid #dde0e6; padding: 24px 28px; margin: 36px 0; position: relative; }\n  .fg-containment::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 4px; background: #2e7d32; }\n  .fg-containment-title { font-weight: 700; color: #2e7d32; font-size: 0.92em; margin-bottom: 8px; text-transform: uppercase; letter-spacing: 0.08em; display: flex; align-items: center; gap: 10px; }\n  .fg-containment p { margin: 0; }\n\n  \/* \u2500\u2500 Assessment callout \u2500\u2500 *\/\n  .fg-assessment { background: #fafafa; border: 1px solid #e0e0e0; padding: 26px 30px; margin: 30px 0; position: relative; }\n  .fg-assessment::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 4px; background: #1b2a4a; }\n  .fg-assessment-title { font-weight: 700; color: #1b2a4a; font-size: 0.92em; margin-bottom: 10px; text-transform: uppercase; letter-spacing: 0.08em; }\n  .fg-assessment p { margin: 0 0 10px; color: #3a3a3a; }\n  
.fg-assessment p:last-child { margin-bottom: 0; }\n\n  \/* \u2500\u2500 Assessment callout: red variant \u2500\u2500 *\/\n  .fg-assessment-red { background: #fdf2f2; border-color: #f0d0d0; }\n  .fg-assessment-red::before { background: #b22234; }\n  .fg-assessment-red .fg-assessment-title { color: #b22234; }\n\n  \/* \u2500\u2500 Attack flow diagram \u2500\u2500 *\/\n  .fg-flow { margin: 36px 0; overflow-x: auto; }\n  .fg-flow svg { display: block; margin: 0 auto; max-width: 100%; height: auto; }\n\n  \/* \u2500\u2500 Malware stack cards \u2500\u2500 *\/\n  .fg-stack { display: flex; flex-wrap: wrap; gap: 14px; justify-content: center; margin: 32px 0; }\n  .fg-stack-item { background: #fff; border: 1px solid #d0d0d0; padding: 20px 18px 16px; text-align: center; min-width: 155px; flex: 1; max-width: 200px; position: relative; transition: box-shadow 0.25s; }\n  .fg-stack-item::before { content: ''; position: absolute; top: 0; left: 0; right: 0; height: 3px; background: #1b2a4a; }\n  .fg-stack-item:hover { box-shadow: 0 4px 16px rgba(0,0,0,0.08); }\n  .fg-stack-item .fg-stack-icon { font-size: 1.6em; margin-bottom: 8px; color: #1b2a4a; }\n  .fg-stack-item .fg-stack-name { font-weight: 700; color: #1b2a4a; font-size: 0.95em; letter-spacing: 0.01em; }\n  .fg-stack-item .fg-stack-role { font-size: 0.82em; color: #888; margin-top: 4px; font-style: italic; }\n\n  \/* \u2500\u2500 Timeline \u2500\u2500 *\/\n  .fg-timeline { position: relative; margin: 32px 0 32px 16px; padding-left: 30px; border-left: 2px solid #d0d0d0; }\n  .fg-timeline-item { position: relative; margin-bottom: 26px; }\n  .fg-timeline-item::before { content: ''; position: absolute; left: -37px; top: 5px; width: 12px; height: 12px; background: #1b2a4a; border-radius: 50%; border: 3px solid #fff; box-shadow: 0 0 0 2px #1b2a4a; }\n  .fg-timeline-item:last-child::before { background: #b22234; box-shadow: 0 0 0 2px #b22234; }\n  .fg-timeline-item .fg-tl-date { font-weight: 700; color: #888; font-size: 0.82em; 
margin-bottom: 2px; text-transform: uppercase; letter-spacing: 0.06em; }\n  .fg-timeline-item .fg-tl-title { font-weight: 700; color: #1b2a4a; font-size: 1.02em; }\n  .fg-timeline-item .fg-tl-desc { color: #555; font-size: 0.95em; margin-top: 4px; line-height: 1.6; }\n\n  \/* \u2500\u2500 Tables \u2500\u2500 *\/\n  .fg-table-wrap { overflow-x: auto; margin: 28px 0; }\n  .fg-table { width: 100%; border-collapse: collapse; font-size: 0.93em; }\n  .fg-table thead th { background: #1b2a4a; color: #fff; padding: 12px 16px; text-align: left; font-weight: 600; text-transform: uppercase; letter-spacing: 0.05em; font-size: 0.88em; }\n  .fg-table tbody td { padding: 11px 16px; border-bottom: 1px solid #e8e8e8; color: #3a3a3a; vertical-align: top; line-height: 1.6; }\n  .fg-table tbody tr:nth-child(even) { background: #f9f9fb; }\n  .fg-table tbody tr:hover { background: #f0f1f5; }\n  .fg-table .fg-highlight-cell { color: #b22234; font-weight: 600; }\n  .fg-table .fg-match-cell { background: rgba(46,125,50,0.06); }\n  .fg-table code { background: #f0f1f5; padding: 2px 6px; border-radius: 3px; font-size: 0.92em; font-family: 'Consolas', 'Courier New', monospace; color: #1b2a4a; word-break: break-all; }\n\n  \/* \u2500\u2500 Profile card \u2500\u2500 *\/\n  .fg-profile { display: flex; gap: 28px; align-items: flex-start; background: #f7f8fa; border: 1px solid #dde0e6; padding: 28px 30px; margin: 30px 0; position: relative; }\n  .fg-profile::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 4px; background: #b22234; }\n  .fg-profile-badge { flex-shrink: 0; width: 80px; height: 80px; display: flex; align-items: center; justify-content: center; }\n  .fg-profile-info { flex: 1; }\n  .fg-profile-name { font-weight: 700; color: #1b2a4a; font-size: 1.2em; margin-bottom: 4px; }\n  .fg-profile-origin { font-size: 0.88em; color: #888; text-transform: uppercase; letter-spacing: 0.06em; margin-bottom: 10px; }\n  .fg-profile-desc { font-size: 0.97em; color: 
#3a3a3a; line-height: 1.7; margin: 0; }\n\n  \/* \u2500\u2500 Hypothesis list \u2500\u2500 *\/\n  .fg-hypotheses { margin: 28px 0; padding: 0; list-style: none; counter-reset: hyp; }\n  .fg-hypotheses li { position: relative; padding: 18px 22px 18px 70px; margin-bottom: 14px; background: #f7f8fa; border: 1px solid #dde0e6; counter-increment: hyp; }\n  .fg-hypotheses li::before { content: counter(hyp, decimal-leading-zero); position: absolute; left: 18px; top: 18px; font-weight: 700; color: #b22234; font-size: 1.4em; line-height: 1; }\n  .fg-hypotheses li strong { color: #1b2a4a; display: block; margin-bottom: 4px; }\n\n  \/* \u2500\u2500 Malware detail card \u2500\u2500 *\/\n  .fg-malware-detail { background: #fff; border: 1px solid #dde0e6; margin: 24px 0; position: relative; }\n  .fg-malware-detail-header { background: #1b2a4a; color: #fff; padding: 14px 22px; display: flex; align-items: center; gap: 12px; }\n  .fg-malware-detail-header .fg-md-icon { font-size: 1.3em; }\n  .fg-malware-detail-header .fg-md-title { font-weight: 700; font-size: 1.05em; letter-spacing: 0.02em; }\n  .fg-malware-detail-header .fg-md-tag { background: rgba(255,255,255,0.15); padding: 2px 10px; border-radius: 2px; font-size: 0.78em; text-transform: uppercase; letter-spacing: 0.06em; margin-left: auto; }\n  .fg-malware-detail-body { padding: 22px 24px; }\n  .fg-malware-detail-body p { margin-bottom: 12px; font-size: 0.97em; }\n  .fg-malware-detail-body p:last-child { margin-bottom: 0; }\n\n  \/* \u2500\u2500 IoC section \u2500\u2500 *\/\n  .fg-ioc-title { font-size: 0.88em; font-weight: 700; color: #1b2a4a; text-transform: uppercase; letter-spacing: 0.08em; margin-top: 20px; margin-bottom: 10px; }\n  .fg-ioc-list { margin: 0 0 16px; padding-left: 18px; font-size: 0.95em; }\n  .fg-ioc-list li { margin-bottom: 6px; line-height: 1.6; }\n  .fg-ioc-list code { background: #f0f1f5; padding: 2px 6px; border-radius: 3px; font-size: 0.92em; font-family: 'Consolas', 'Courier New', monospace; color: 
#1b2a4a; }\n\n  \/* \u2500\u2500 Contact bar \u2500\u2500 *\/\n  .fg-contact { background: #1b2a4a; color: #fff; padding: 20px 28px; margin: 36px 0; text-align: center; }\n  .fg-contact a { color: #fff; border-bottom: 1px solid rgba(255,255,255,0.4); }\n  .fg-contact a:hover { border-bottom-color: #fff; }\n\n  \/* \u2500\u2500 Price tag \u2500\u2500 *\/\n  .fg-price { display: inline-block; background: #b22234; color: #fff; padding: 2px 10px; border-radius: 2px; font-weight: 700; font-size: 0.9em; }\n\n  \/* \u2500\u2500 Evolution diagram \u2500\u2500 *\/\n  .fg-evo-diagram { margin: 32px 0; overflow-x: auto; }\n  .fg-evo-diagram svg { display: block; margin: 0 auto; max-width: 100%; height: auto; }\n\n  \/* \u2500\u2500 Table of Contents \u2500\u2500 *\/\n  .fg-toc { background: #f7f8fa; border: 1px solid #dde0e6; padding: 24px 30px; margin: 0 0 36px; position: relative; }\n  .fg-toc::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 4px; background: #1b2a4a; }\n  .fg-toc-title { font-weight: 700; color: #1b2a4a; font-size: 0.82em; text-transform: uppercase; letter-spacing: 0.1em; margin-bottom: 14px; }\n  .fg-toc ol { margin: 0; padding-left: 18px; counter-reset: toc; list-style: none; }\n  .fg-toc li { counter-increment: toc; margin-bottom: 7px; font-size: 0.93em; line-height: 1.5; }\n  .fg-toc li::before { content: counter(toc, decimal-leading-zero); color: #b22234; font-weight: 700; margin-right: 10px; font-size: 0.88em; }\n  .fg-toc a { color: #1b2a4a; text-decoration: none; border-bottom: 1px solid transparent; transition: border-color 0.2s, color 0.2s; }\n  .fg-toc a:hover { color: #b22234; border-bottom-color: #b22234; }\n\n  \/* \u2500\u2500 Executive Summary \u2500\u2500 *\/\n  .fg-exec { background: #1b2a4a; color: #fff; padding: 28px 32px; margin: 0 0 36px; position: relative; }\n  .fg-exec::after { content: ''; position: absolute; bottom: 0; left: 0; width: 60px; height: 3px; background: #b22234; }\n  .fg-exec-title { 
font-weight: 700; font-size: 0.82em; text-transform: uppercase; letter-spacing: 0.1em; color: rgba(255,255,255,0.5); margin-bottom: 14px; }\n  .fg-exec ul { margin: 0; padding-left: 0; list-style: none; }\n  .fg-exec li { position: relative; padding-left: 18px; margin-bottom: 10px; font-size: 0.95em; line-height: 1.6; color: rgba(255,255,255,0.85); }\n  .fg-exec li::before { content: ''; position: absolute; left: 0; top: 8px; width: 6px; height: 6px; background: #b22234; }\n  .fg-exec li strong { color: #fff; }\n\n  \/* \u2500\u2500 IoC type badge \u2500\u2500 *\/\n  .fg-ioc-badge { display: inline-flex; align-items: center; justify-content: center; width: 28px; height: 28px; border-radius: 2px; margin-right: 6px; vertical-align: middle; }\n  .fg-ioc-badge-ip { background: #1b2a4a; }\n  .fg-ioc-badge-domain { background: #555; }\n  .fg-ioc-badge-hash { background: #b22234; }\n  .fg-ioc-badge svg { display: block; }\n\n  \/* \u2500\u2500 Final CTA banner \u2500\u2500 *\/\n  .fg-cta { background: #1b2a4a; color: #fff; padding: 36px 32px; margin: 40px 0 0; text-align: center; position: relative; overflow: hidden; }\n  .fg-cta::before { content: ''; position: absolute; top: 0; left: 0; right: 0; height: 4px; background: #b22234; }\n  .fg-cta-title { font-weight: 700; font-size: 1.15em; margin-bottom: 8px; }\n  .fg-cta-sub { font-size: 0.95em; color: rgba(255,255,255,0.6); margin-bottom: 18px; }\n  .fg-cta-links { display: flex; gap: 16px; justify-content: center; flex-wrap: wrap; }\n  .fg-cta-link { display: inline-block; padding: 10px 24px; font-weight: 700; font-size: 0.88em; text-transform: uppercase; letter-spacing: 0.06em; text-decoration: none; border: none; transition: background 0.2s, color 0.2s; }\n  .fg-cta-link-primary { background: #b22234; color: #fff; }\n  .fg-cta-link-primary:hover { background: #8b1a28; }\n  .fg-cta-link-secondary { background: transparent; color: #fff; border: 1px solid rgba(255,255,255,0.3) !important; }\n  
.fg-cta-link-secondary:hover { border-color: #fff !important; }\n\n  @media (max-width: 600px) {\n    .fg-hero { padding: 28px 22px 24px; }\n    .fg-hero h1 { font-size: 1.4em; }\n    .fg-profile { flex-direction: column; align-items: center; text-align: center; }\n    .fg-hypotheses li { padding-left: 60px; }\n    .fg-stack-item { min-width: 130px; }\n    .fg-cta-links { flex-direction: column; align-items: center; }\n  }\n<\/style>\n\n<div class=\"fg-article\">\n\n\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  INTRODUCTION                                        -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <p>In February 2026, the Fortgale Incident Response team was engaged to investigate a suspected security breach at a European organization operating within the logistics and transportation sector.<\/p>\n\n  <p>The investigation uncovered a sophisticated, multi-stage intrusion attributed to <strong>Mora_001<\/strong> (internally dubbed <em>&ldquo;FortiSync Quasar&rdquo;<\/em>), a threat actor of assessed Russian origin previously documented in connection with the exploitation of Fortinet vulnerabilities and ransomware deployment.<\/p>\n\n  <p>However, the patterns observed during Incident Response operations bear striking resemblance to a series of intelligence reports independently published by multiple security organizations, including <a 
href=\"https:\/\/aws.amazon.com\/it\/blogs\/security\/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale\/\" target=\"_blank\" rel=\"noopener\"><strong>Amazon<\/strong><\/a>, <a href=\"https:\/\/www.sentinelone.com\/blog\/fortigate-edge-intrusions\/\" target=\"_blank\" rel=\"noopener\"><strong>SentinelOne<\/strong><\/a>, <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts\/\" target=\"_blank\" rel=\"noopener\"><strong>Arctic Wolf<\/strong><\/a>, <a href=\"https:\/\/www.esentire.com\/security-advisories\/confirmed-zero-day-vulnerability-in-fortinet-products-cve-2026-24858\" target=\"_blank\" rel=\"noopener\"><strong>eSentire<\/strong><\/a>, and <a href=\"https:\/\/www.huntress.com\/blog\/clickfix-matanbuchus-astarionrat-analysis\" target=\"_blank\" rel=\"noopener\"><strong>Huntress<\/strong><\/a>. The common thread connecting all of these analyses is unmistakable: Russian-speaking criminal groups, deployment of the <strong>Matanbuchus<\/strong> malware (sharing the same C2 infrastructure), compromise of perimeter Fortinet firewalls, and TTPs consistent with a ransomware operation, yet with no concrete evidence of the final payload ever being executed.<\/p>\n\n\n  <!-- Operation Storming Tide -->\n  <div class=\"fg-operation\">\n    <div class=\"fg-operation-title\">\n      <svg width=\"18\" height=\"18\" viewBox=\"0 0 18 18\" fill=\"none\"><circle cx=\"9\" cy=\"9\" r=\"7.5\" stroke=\"#b22234\" stroke-width=\"1.8\"\/><line x1=\"9\" y1=\"4.5\" x2=\"9\" y2=\"9.5\" stroke=\"#b22234\" stroke-width=\"1.8\" stroke-linecap=\"round\"\/><circle cx=\"9\" cy=\"12.5\" r=\"1\" fill=\"#b22234\"\/><\/svg>\n      Operation Storming Tide\n    <\/div>\n    <p>This convergence of evidence leads Fortgale to assess these operations as components of a <strong>single coordinated campaign named &ldquo;Storming Tide&rdquo;<\/strong>, executed by multiple criminal groups operating in 
concert. The primary objective appears to be <strong>intelligence collection and data exfiltration<\/strong>, with financial gain remaining a probable but unconfirmed secondary motive.<\/p>\n  <\/div>\n\n\n  <!-- \u2500\u2500 Interactive Intelligence Sources Explorer \u2500\u2500 -->\n  <h3 style=\"margin-top:2.4em;\">Intelligence Sources Explorer<\/h3>\n  <p style=\"font-size:0.93em;color:#888;margin-bottom:6px;\">Select a report to view key findings and their relevance to the Storming Tide campaign.<\/p>\n\n  <style>\n    .fg-explorer { margin: 24px 0 36px; position: relative; }\n\n    \/* \u2500\u2500 Horizontal scrollable timeline bar \u2500\u2500 *\/\n    .fg-explorer-bar { display: flex; gap: 0; overflow-x: auto; padding: 0 0 14px; position: relative; scrollbar-width: thin; scrollbar-color: #c8c8c8 transparent; }\n    .fg-explorer-bar::-webkit-scrollbar { height: 5px; }\n    .fg-explorer-bar::-webkit-scrollbar-thumb { background: #c8c8c8; border-radius: 3px; }\n\n    .fg-explorer-node { flex: 0 0 auto; display: flex; flex-direction: column; align-items: center; cursor: pointer; padding: 0 18px; position: relative; transition: transform 0.15s; user-select: none; }\n    .fg-explorer-node:hover { transform: translateY(-2px); }\n\n    \/* connector line between nodes *\/\n    .fg-explorer-node:not(:last-child)::after {\n      content: ''; position: absolute; top: 18px; left: calc(50% + 16px); width: calc(100% - 32px);\n      height: 2px; background: #d0d0d0; z-index: 0;\n    }\n\n    .fg-explorer-dot {\n      width: 36px; height: 36px; border-radius: 50%; display: flex; align-items: center; justify-content: center;\n      font-size: 15px; font-weight: 700; color: #fff; position: relative; z-index: 1;\n      transition: box-shadow 0.2s, transform 0.2s; border: 3px solid #fff; box-shadow: 0 1px 6px rgba(0,0,0,0.1);\n    }\n    .fg-explorer-node[data-active=\"true\"] .fg-explorer-dot { transform: scale(1.2); box-shadow: 0 2px 14px rgba(27,42,74,0.35); }\n\n    
.fg-explorer-date { font-size: 0.72em; color: #999; margin-top: 6px; letter-spacing: 0.04em; font-weight: 600; text-transform: uppercase; white-space: nowrap; }\n    .fg-explorer-label { font-size: 0.78em; color: #1b2a4a; font-weight: 700; margin-top: 2px; white-space: nowrap; max-width: 110px; overflow: hidden; text-overflow: ellipsis; text-align: center; }\n\n    \/* \u2500\u2500 Detail panel \u2500\u2500 *\/\n    .fg-explorer-panel {\n      background: #f7f8fa; border: 1px solid #dde0e6; position: relative; overflow: hidden;\n      max-height: 0; opacity: 0; transition: max-height 0.4s ease, opacity 0.3s ease, margin 0.3s ease, padding 0.3s ease;\n      margin: 0; padding: 0 28px;\n    }\n    .fg-explorer-panel.fg-panel-open {\n      max-height: 600px; opacity: 1; margin: 18px 0 0; padding: 24px 28px 22px;\n    }\n    .fg-explorer-panel::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 4px; }\n\n    .fg-explorer-panel-head { display: flex; align-items: center; gap: 12px; margin-bottom: 14px; }\n    .fg-explorer-panel-org { font-weight: 700; color: #1b2a4a; font-size: 1.08em; }\n    .fg-explorer-panel-date { font-size: 0.78em; color: #888; text-transform: uppercase; letter-spacing: 0.06em; }\n    .fg-explorer-panel-badge { font-size: 0.72em; padding: 2px 10px; border-radius: 2px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.06em; color: #fff; margin-left: auto; }\n\n    .fg-explorer-panel p { font-size: 0.95em; color: #3a3a3a; margin-bottom: 10px; line-height: 1.7; }\n    .fg-explorer-panel p:last-of-type { margin-bottom: 0; }\n\n    .fg-explorer-tags { display: flex; flex-wrap: wrap; gap: 6px; margin-top: 14px; }\n    .fg-explorer-tag { font-size: 0.73em; padding: 3px 10px; background: #e8eaf0; color: #1b2a4a; font-weight: 600; letter-spacing: 0.03em; }\n\n    .fg-explorer-link {\n      display: inline-block; margin-top: 16px; font-size: 0.85em; font-weight: 700; color: #b22234;\n      text-transform: uppercase; 
letter-spacing: 0.06em; text-decoration: none; border-bottom: 1px solid rgba(178,34,52,0.3);\n      transition: border-color 0.2s;\n    }\n    .fg-explorer-link:hover { border-bottom-color: #b22234; }\n\n    @media (max-width: 600px) {\n      .fg-explorer-node { padding: 0 10px; }\n      .fg-explorer-label { max-width: 80px; font-size: 0.7em; }\n    }\n  <\/style>\n\n  <div class=\"fg-explorer\" id=\"fgExplorer\">\n\n    <!-- Timeline bar -->\n    <div class=\"fg-explorer-bar\" id=\"fgExplorerBar\">\n\n      <div class=\"fg-explorer-node\" data-idx=\"1\" data-active=\"false\" onclick=\"fgSelectReport(0)\">\n        <div class=\"fg-explorer-dot\" style=\"background:#3a6b8c;\">1<\/div>\n        <div class=\"fg-explorer-date\">Mar 2025<\/div>\n        <div class=\"fg-explorer-label\">Forescout<\/div>\n      <\/div>\n\n      <div class=\"fg-explorer-node\" data-idx=\"2\" data-active=\"false\" onclick=\"fgSelectReport(1)\">\n        <div class=\"fg-explorer-dot\" style=\"background:#1b2a4a;\">2<\/div>\n        <div class=\"fg-explorer-date\">Jan 2026<\/div>\n        <div class=\"fg-explorer-label\">Arctic Wolf<\/div>\n      <\/div>\n\n      <div class=\"fg-explorer-node\" data-idx=\"3\" data-active=\"false\" onclick=\"fgSelectReport(2)\">\n        <div class=\"fg-explorer-dot\" style=\"background:#c67b00;\">3<\/div>\n        <div class=\"fg-explorer-date\">Jan 2026<\/div>\n        <div class=\"fg-explorer-label\">eSentire<\/div>\n      <\/div>\n\n      <div class=\"fg-explorer-node\" data-idx=\"4\" data-active=\"false\" onclick=\"fgSelectReport(3)\">\n        <div class=\"fg-explorer-dot\" style=\"background:#2e7d32;\">4<\/div>\n        <div class=\"fg-explorer-date\">Feb 2026<\/div>\n        <div class=\"fg-explorer-label\">Huntress<\/div>\n      <\/div>\n\n      <div class=\"fg-explorer-node\" data-idx=\"5\" data-active=\"false\" onclick=\"fgSelectReport(4)\">\n        <div class=\"fg-explorer-dot\" style=\"background:#5a3e7a;\">5<\/div>\n        <div 
class=\"fg-explorer-date\">Feb 2026<\/div>\n        <div class=\"fg-explorer-label\">Amazon<\/div>\n      <\/div>\n\n      <div class=\"fg-explorer-node\" data-idx=\"6\" data-active=\"false\" onclick=\"fgSelectReport(5)\">\n        <div class=\"fg-explorer-dot\" style=\"background:#b22234;\">6<\/div>\n        <div class=\"fg-explorer-date\">Mar 2026<\/div>\n        <div class=\"fg-explorer-label\">SentinelOne<\/div>\n      <\/div>\n\n      <div class=\"fg-explorer-node\" data-idx=\"6\" data-active=\"false\" onclick=\"fgSelectReport(6)\">\n        <div class=\"fg-explorer-dot\" style=\"background:#1b2a4a; border-color:#b22234;\">\n          <svg width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" fill=\"none\"><path d=\"M8 1.5l1.8 4.2h4.5l-3.6 2.8 1.3 4.3L8 10.3l-3.9 2.5 1.3-4.3L1.7 5.7h4.5z\" fill=\"#fff\"\/><\/svg>\n        <\/div>\n        <div class=\"fg-explorer-date\">Mar 2026<\/div>\n        <div class=\"fg-explorer-label\">Fortgale<\/div>\n      <\/div>\n\n    <\/div>\n\n    <!-- Detail panel (populated by JS) -->\n    <div class=\"fg-explorer-panel\" id=\"fgExplorerPanel\"><\/div>\n\n  <\/div>\n\n  <script>\n  (function(){\n    var reports = [\n      {\n        org: \"Forescout\",\n        date: \"March 2025\",\n        color: \"#3a6b8c\",\n        badge: \"First Attribution\",\n        badgeColor: \"#3a6b8c\",\n        url: \"https:\/\/www.forescout.com\/blog\/new-ransomware-operator-exploits-fortinet-vulnerability-duo\/\",\n        summary: \"Forescout provided the first public attribution of the Mora_001 threat actor, documenting its exploitation of CVE-2024-55591 and CVE-2025-24472 to deploy SuperBlack ransomware. 
Their analysis established the baseline behavioral profile against which subsequent campaigns\\u2014including the Fortgale engagement\\u2014are compared.\",\n        overlap: \"Forescout\\u2019s documentation of the forticloud-sync service account and VPN tunnel persistence mechanism is the primary attribution anchor linking Mora_001\\u2019s 2025 ransomware operations to the evolved 2026 espionage campaign observed by Fortgale.\",\n        tags: [\"Mora_001\", \"SuperBlack\", \"CVE-2024-55591\", \"CVE-2025-24472\"]\n      },\n      {\n        org: \"Arctic Wolf\",\n        date: \"January 2026\",\n        color: \"#1b2a4a\",\n        badge: \"First Responder\",\n        badgeColor: \"#1b2a4a\",\n        url: \"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts\/\",\n        summary: \"Arctic Wolf was among the first organizations to publicly report on malicious configuration changes targeting FortiGate devices. 
Their observations revealed automated SSO-based logins creating rogue administrator accounts and exfiltrating firewall configurations at scale, providing early warning of a broader campaign targeting Fortinet perimeter infrastructure.\",\n        overlap: \"The rogue SSO account creation pattern documented by Arctic Wolf matches the exact initial access technique observed in the Fortgale incident, confirming a shared playbook across geographically dispersed targets.\",\n        tags: [\"FortiGate SSO\", \"Rogue Accounts\", \"Config Exfiltration\", \"CVE-2025-59718\"]\n      },\n      {\n        org: \"eSentire\",\n        date: \"March 2026\",\n        color: \"#c67b00\",\n        badge: \"Zero-Day\",\n        badgeColor: \"#c67b00\",\n        url: \"https:\/\/www.esentire.com\/security-advisories\/confirmed-zero-day-vulnerability-in-fortinet-products-cve-2026-24858\",\n        summary: \"eSentire confirmed active exploitation of CVE-2026-24858, a critical authentication bypass zero-day (CVSS 9.8) in the FortiCloud SSO mechanism. Even fully patched FortiGate devices were found compromised through this separate vulnerability, significantly extending the window of exposure beyond initial remediation efforts.\",\n        overlap: \"The rogue SSO account creation pattern documented by eSentire matches the exact initial access technique described by Arctic Wolf and observed in the Fortgale incident.\",\n        tags: [\"CVE-2026-24858\", \"CVSS 9.8\", \"Zero-Day\", \"FortiCloud SSO Bypass\"]\n      },\n      {\n        org: \"Huntress\",\n        date: \"February 2026\",\n        color: \"#2e7d32\",\n        badge: \"Malware Chain\",\n        badgeColor: \"#2e7d32\",\n        url: \"https:\/\/www.huntress.com\/blog\/clickfix-matanbuchus-astarionrat-analysis\",\n        summary: \"Huntress documented a hands-on-keyboard intrusion where ClickFix social engineering delivered Matanbuchus 3.0, which in turn deployed Astarion RAT (also tracked as MIMICRAT by Elastic). 
Operators moved from initial access to domain controllers in under 40 minutes using PsExec, rogue accounts, and Defender exclusions\\u2014classic pre-ransomware staging. The Huntress team disrupted the operation before the final objective could be achieved.\",\n        overlap: \"The Matanbuchus 3.0 \\u2192 Astarion RAT delivery chain is identical to the one observed in the Fortgale incident. The DLL side-loading technique (java.exe + malicious jli.dll) and the shared pre-ransomware staging TTPs reinforce the assessment that these are components of the same coordinated campaign. As with the Fortgale case, IR intervention prevented the final payload\\u2014making it unclear whether ransomware was the intended endgame.\",\n        tags: [\"Matanbuchus 3.0\", \"Astarion RAT\", \"ClickFix\", \"DLL Side-Loading\", \"jli.dll\"]\n      },\n      {\n        org: \"Amazon (AWS Security)\",\n        date: \"February 2026\",\n        color: \"#5a3e7a\",\n        badge: \"Scale Assessment\",\n        badgeColor: \"#5a3e7a\",\n        url: \"https:\/\/aws.amazon.com\/it\/blogs\/security\/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale\/\",\n        summary: \"Amazon\\u2019s threat intelligence team documented a Russian-speaking actor who compromised over 600 FortiGate devices across 55 countries, augmenting their capabilities with commercial generative AI services. The actor harvested credentials, exfiltrated Active Directory databases, and staged for potential ransomware deployment\\u2014without executing the final payload.\",\n        overlap: \"The operational pattern\\u2014Fortinet targeting, credential harvesting, AD exfiltration, and ransomware staging\\u2014mirrors the Storming Tide profile. 
The scale (600+ devices) suggests industrialized access acquisition consistent with the tiered operational model assessed by Fortgale.\",\n        tags: [\"600+ Devices\", \"AI-Augmented\", \"AD Exfiltration\", \"Ransomware Staged\"]\n      },\n\n      {\n        org: \"SentinelOne\",\n        date: \"February 2026\",\n        color: \"#b22234\",\n        badge: \"DFIR Correlation\",\n        badgeColor: \"#b22234\",\n        url: \"https:\/\/www.sentinelone.com\/blog\/fortigate-edge-intrusions\/\",\n        summary: \"SentinelOne\\u2019s DFIR investigations into FortiGate edge intrusions confirmed a parallel pattern of stolen service accounts leading to rogue workstations, Active Directory compromise, and DLL side-loading chains employing java.exe with a malicious jli.dll. In at least one case, post-exploitation behavior was consistent with an Initial Access Broker establishing a foothold for a secondary operator.\",\n        overlap: \"The DLL side-loading chain (java.exe \/ jli.dll) and the IAB operational pattern directly corroborate Fortgale\\u2019s hypothesis regarding Mora_001\\u2019s potential shift toward access brokering. The shared forensic artifacts confirm infrastructure and tooling overlap across independent investigations.\",\n        tags: [\"FortiGate DFIR\", \"java.exe \/ jli.dll\", \"IAB Pattern\", \"AD Compromise\"]\n      },\n      {\n        org: \"Fortgale\",\n        date: \"February 2026\",\n        color: \"#1b2a4a\",\n        badge: \"This Report\",\n        badgeColor: \"#b22234\",\n        url: \"#characteristics\",\n        summary: \"Fortgale\\u2019s Incident Response engagement uncovered a multi-stage intrusion attributed to Mora_001 targeting a European logistics organization. 
The investigation revealed the deployment of Matanbuchus 3.0, Astarion RAT, SystemBC, and RClone, with an extended dwell time of several months and data exfiltration staged to S3-compatible storage\\u2014culminating in the assessment that links these operations as the coordinated Storming Tide campaign.\",\n        overlap: \"By correlating findings with all five external intelligence sources, Fortgale established the Storming Tide campaign hypothesis\\u2014assessing with moderate-to-high confidence that multiple criminal groups are operating in concert under a shared operational framework targeting Fortinet infrastructure for intelligence collection.\",\n        tags: [\"Mora_001\", \"Matanbuchus 3.0\", \"Astarion RAT\", \"SystemBC\", \"RClone\", \"Storming Tide\"]\n      }\n    ];\n\n    window.fgSelectReport = function(idx) {\n      var nodes = document.querySelectorAll('.fg-explorer-node');\n      var panel = document.getElementById('fgExplorerPanel');\n      var r = reports[idx];\n\n      \/* toggle off if same node clicked *\/\n      if (nodes[idx].getAttribute('data-active') === 'true') {\n        nodes[idx].setAttribute('data-active', 'false');\n        panel.classList.remove('fg-panel-open');\n        return;\n      }\n\n      \/* reset all nodes *\/\n      nodes.forEach(function(n){ n.setAttribute('data-active','false'); });\n      nodes[idx].setAttribute('data-active','true');\n\n      \/* build panel content *\/\n      var linkTarget = r.url.startsWith('#') ? '' : ' target=\"_blank\" rel=\"noopener\"';\n      var linkLabel = r.url.startsWith('#') ? 
'Jump to section \\u2192' : 'Read full report \\u2192';\n\n      var html = '<div style=\"position:absolute;left:0;top:0;bottom:0;width:4px;background:' + r.color + ';\"><\/div>';\n      html += '<div class=\"fg-explorer-panel-head\">';\n      html += '<span class=\"fg-explorer-panel-org\">' + r.org + '<\/span>';\n      html += '<span class=\"fg-explorer-panel-date\">' + r.date + '<\/span>';\n      html += '<span class=\"fg-explorer-panel-badge\" style=\"background:' + r.badgeColor + ';\">' + r.badge + '<\/span>';\n      html += '<\/div>';\n      html += '<p><strong style=\"color:#1b2a4a;\">Summary:<\/strong> ' + r.summary + '<\/p>';\n      html += '<p><strong style=\"color:#b22234;\">Storming Tide Overlap:<\/strong> ' + r.overlap + '<\/p>';\n      html += '<div class=\"fg-explorer-tags\">';\n      r.tags.forEach(function(t){ html += '<span class=\"fg-explorer-tag\">' + t + '<\/span>'; });\n      html += '<\/div>';\n      html += '<a class=\"fg-explorer-link\" href=\"' + r.url + '\"' + linkTarget + '>' + linkLabel + '<\/a>';\n\n      panel.innerHTML = html;\n\n      \/* animate open *\/\n      panel.classList.remove('fg-panel-open');\n      void panel.offsetHeight; \/* force reflow *\/\n      panel.classList.add('fg-panel-open');\n    };\n  })();\n  <\/script>\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  TABLE OF CONTENTS                                   -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n 
 <div class=\"fg-toc\">\n    <div class=\"fg-toc-title\">Table of Contents<\/div>\n    <ol>\n      <li><a href=\"#background\">Cyber Attack Analysis<\/a><\/li>\n      <li><a href=\"#arsenal\">Observed Malware Arsenal<\/a><\/li>\n      <li><a href=\"#actor-profile\">Threat Actor Profile: Mora_001<\/a><\/li>\n      <li><a href=\"#evolution\">Operational Evolution: From Ransomware to Espionage<\/a><\/li>\n      <li><a href=\"#characteristics\">Campaign Storming Tide: Shared Technical Characteristics<\/a><\/li>\n      <li><a href=\"#ioc\">Indicators of Compromise<\/a><\/li>\n      <li><a href=\"#mitre\">MITRE ATT&amp;CK Mapping<\/a><\/li>\n    <\/ol>\n  <\/div>\n\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  Cyber Attack Analysis-->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <h2 id=\"background\">Cyber Attack Analysis<\/h2>\n\n  <!-- Intelligence Assessment -->\n  <div class=\"fg-assessment\">\n    <div class=\"fg-assessment-title\">\n      <svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\" style=\"vertical-align: middle; margin-right: 6px;\"><rect x=\"1\" y=\"1\" width=\"12\" height=\"12\" rx=\"2\" stroke=\"#1b2a4a\" stroke-width=\"1.5\"\/><path d=\"M4 7l2 2 4-4\" stroke=\"#1b2a4a\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg>\n      Intelligence Assessment\n    <\/div>\n    <p>Fortgale assesses with <strong>moderate confidence<\/strong> that this 
campaign was primarily driven by <strong>intelligence collection objectives<\/strong>. The presence of ransomware tooling does not contradict this assessment: dual-purpose operations are an emerging pattern among Russian-nexus threat actors, combining espionage with the option of financially motivated disruption.<\/p>\n  <\/div>\n\n\n  <p>In mid-February 2026, the Fortgale Incident Response team identified suspicious internal network scanning activity. This early detection triggered a comprehensive investigation that revealed a deeply embedded intrusion persisting for several months, with the initial compromise of a perimeter firewall traced to <strong>late 2025<\/strong>.<\/p>\n\n  <!-- \u2500\u2500 Attack Timeline \u2500\u2500 -->\n  <h3>Attack Timeline<\/h3>\n  <div class=\"fg-timeline\">\n    <div class=\"fg-timeline-item\">\n      <div class=\"fg-tl-date\">Late 2025<\/div>\n      <div class=\"fg-tl-title\">Initial Compromise<\/div>\n      <div class=\"fg-tl-desc\">Perimeter Fortinet firewall exploited. VPN tunnel configured for persistent encrypted re-entry.<\/div>\n    <\/div>\n    <div class=\"fg-timeline-item\">\n      <div class=\"fg-tl-date\">Late 2025 &ndash; Early 2026<\/div>\n      <div class=\"fg-tl-title\">Dormancy Period<\/div>\n      <div class=\"fg-tl-desc\">Threat actor remains inactive, prioritizing stealth over speed. No detectable lateral movement.<\/div>\n    <\/div>\n    <div class=\"fg-timeline-item\">\n      <div class=\"fg-tl-date\">Early 2026<\/div>\n      <div class=\"fg-tl-title\">Internal Pivoting<\/div>\n      <div class=\"fg-tl-desc\">Mora_001 pivots into the internal network via unmanaged assets, evading endpoint detection coverage.<\/div>\n    <\/div>\n    <div class=\"fg-timeline-item\">\n      <div class=\"fg-tl-date\">February 2026<\/div>\n      <div class=\"fg-tl-title\">Payload Deployment<\/div>\n      <div class=\"fg-tl-desc\">Matanbuchus 3.0 loader delivers Astarion RAT and SystemBC. 
Data exfiltration staged via RClone to S3-compatible storage.<\/div>\n    <\/div>\n    <div class=\"fg-timeline-item\">\n      <div class=\"fg-tl-date\">February 2026<\/div>\n      <div class=\"fg-tl-title\">Detection &amp; Containment<\/div>\n      <div class=\"fg-tl-desc\">Fortgale IR team detects anomalous scanning, initiates investigation, and successfully contains the threat.<\/div>\n    <\/div>\n  <\/div>\n\n  <p>Following the initial access phase, the threat actor entered a period of inactivity,  a characteristic tactic observed in operations prioritizing stealth over speed. After this quiescent interval, Mora_001 pivoted into the internal network, leveraging <strong>unmanaged assets<\/strong> to establish an operational foothold outside the visibility of the organization&rsquo;s endpoint detection capabilities.<\/p>\n\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  CONTAINMENT NOTE                                    -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <div class=\"fg-containment\">\n    <div class=\"fg-containment-title\">\n      <svg width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" fill=\"none\"><path d=\"M8 1.5l1.8 4.2h4.5l-3.6 2.8 1.3 4.3L8 10.3l-3.9 2.5 1.3-4.3L1.7 5.7h4.5z\" fill=\"#2e7d32\"\/><\/svg>\n      Containment Note\n    <\/div>\n    <p style=\"margin:0;font-size:1.02em;\">Rapid containment actions by the Fortgale IR team <strong style=\"color:#2e7d32;\">prevented any 
data exfiltration<\/strong> and the execution of the ransomware payload staged within the environment.<\/p>\n  <\/div>\n\n  <hr class=\"fg-divider\">\n\n\n  <!-- \u2500\u2500 VPN Persistence \u2500\u2500 -->\n  <h3>VPN Tunnel Persistence<\/h3>\n  <p>During the initial compromise of the perimeter firewall, Mora_001 configured a <strong>remote VPN tunnel<\/strong> on the compromised Fortinet appliance, establishing a persistent and encrypted communication channel directly into the victim&rsquo;s network perimeter. This VPN peer provided the actor with a reliable re-entry mechanism that bypassed traditional network monitoring, effectively granting on-demand access to the internal environment.<\/p>\n\n  <!-- \u2500\u2500 Attack Flow Diagram (SVG) \u2500\u2500 -->\n  <div class=\"fg-flow\">\n    <svg viewBox=\"0 0 780 200\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"font-family:'Segoe UI',system-ui,sans-serif;\">\n      <defs>\n        <marker id=\"fgArrowNavy\" markerWidth=\"8\" markerHeight=\"6\" refX=\"8\" refY=\"3\" orient=\"auto\"><path d=\"M0,0 L8,3 L0,6Z\" fill=\"#1b2a4a\"\/><\/marker>\n        <marker id=\"fgArrowRed\" markerWidth=\"8\" markerHeight=\"6\" refX=\"8\" refY=\"3\" orient=\"auto\"><path d=\"M0,0 L8,3 L0,6Z\" fill=\"#b22234\"\/><\/marker>\n        <marker id=\"fgArrowGray\" markerWidth=\"8\" markerHeight=\"6\" refX=\"8\" refY=\"3\" orient=\"auto\"><path d=\"M0,0 L8,3 L0,6Z\" fill=\"#999\"\/><\/marker>\n      <\/defs>\n      <rect x=\"12\" y=\"60\" width=\"138\" height=\"80\" rx=\"2\" fill=\"#1b2a4a\"\/>\n      <rect x=\"12\" y=\"60\" width=\"138\" height=\"4\" fill=\"#b22234\"\/>\n      <text x=\"81\" y=\"98\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"13\" font-weight=\"700\">Mora_001<\/text>\n      <text x=\"81\" y=\"118\" text-anchor=\"middle\" fill=\"#999\" font-size=\"10\" font-style=\"italic\">Threat Actor<\/text>\n      <line x1=\"150\" y1=\"100\" x2=\"228\" y2=\"100\" stroke=\"#b22234\" stroke-width=\"2\" 
marker-end=\"url(#fgArrowRed)\"\/>\n      <text x=\"189\" y=\"90\" text-anchor=\"middle\" fill=\"#b22234\" font-size=\"9.5\" font-weight=\"600\" letter-spacing=\"0.5\">VPN TUNNEL<\/text>\n      <rect x=\"230\" y=\"50\" width=\"150\" height=\"100\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#d0d0d0\" stroke-width=\"1.5\"\/>\n      <rect x=\"230\" y=\"50\" width=\"150\" height=\"4\" fill=\"#1b2a4a\"\/>\n      <text x=\"305\" y=\"90\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"13\" font-weight=\"700\">Fortinet<\/text>\n      <text x=\"305\" y=\"108\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"13\" font-weight=\"700\">Firewall<\/text>\n      <text x=\"305\" y=\"128\" text-anchor=\"middle\" fill=\"#999\" font-size=\"9.5\" font-style=\"italic\">(Compromised)<\/text>\n      <line x1=\"380\" y1=\"100\" x2=\"458\" y2=\"100\" stroke=\"#1b2a4a\" stroke-width=\"2\" marker-end=\"url(#fgArrowNavy)\"\/>\n      <text x=\"419\" y=\"90\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"9.5\" font-weight=\"600\" letter-spacing=\"0.5\">PIVOT<\/text>\n      <rect x=\"460\" y=\"50\" width=\"150\" height=\"100\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#d0d0d0\" stroke-width=\"1.5\"\/>\n      <rect x=\"460\" y=\"50\" width=\"150\" height=\"4\" fill=\"#1b2a4a\"\/>\n      <text x=\"535\" y=\"90\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"13\" font-weight=\"700\">Internal<\/text>\n      <text x=\"535\" y=\"108\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"13\" font-weight=\"700\">Network<\/text>\n      <text x=\"535\" y=\"128\" text-anchor=\"middle\" fill=\"#999\" font-size=\"9.5\" font-style=\"italic\">(Unmanaged Assets)<\/text>\n      <line x1=\"610\" y1=\"100\" x2=\"668\" y2=\"100\" stroke=\"#999\" stroke-width=\"2\" stroke-dasharray=\"5,3\" marker-end=\"url(#fgArrowGray)\"\/>\n      <text x=\"639\" y=\"90\" text-anchor=\"middle\" fill=\"#999\" font-size=\"9.5\" font-weight=\"600\" letter-spacing=\"0.5\">EXFIL<\/text>\n      <rect x=\"670\" y=\"60\" width=\"100\" 
height=\"80\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#d0d0d0\" stroke-width=\"1.5\"\/>\n      <rect x=\"670\" y=\"60\" width=\"100\" height=\"4\" fill=\"#b22234\"\/>\n      <text x=\"720\" y=\"98\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"12\" font-weight=\"700\">S3 Bucket<\/text>\n      <text x=\"720\" y=\"118\" text-anchor=\"middle\" fill=\"#999\" font-size=\"9.5\" font-style=\"italic\">(Staging)<\/text>\n      <text x=\"81\" y=\"30\" text-anchor=\"middle\" fill=\"#999\" font-size=\"8.5\" letter-spacing=\"1\">01<\/text>\n      <text x=\"305\" y=\"30\" text-anchor=\"middle\" fill=\"#999\" font-size=\"8.5\" letter-spacing=\"1\">02<\/text>\n      <text x=\"535\" y=\"30\" text-anchor=\"middle\" fill=\"#999\" font-size=\"8.5\" letter-spacing=\"1\">03<\/text>\n      <text x=\"720\" y=\"30\" text-anchor=\"middle\" fill=\"#999\" font-size=\"8.5\" letter-spacing=\"1\">04<\/text>\n      <text x=\"81\" y=\"42\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"9\" font-weight=\"600\" letter-spacing=\"0.5\">ORIGIN<\/text>\n      <text x=\"305\" y=\"42\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"9\" font-weight=\"600\" letter-spacing=\"0.5\">PERIMETER<\/text>\n      <text x=\"535\" y=\"42\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"9\" font-weight=\"600\" letter-spacing=\"0.5\">LATERAL<\/text>\n      <text x=\"720\" y=\"42\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"9\" font-weight=\"600\" letter-spacing=\"0.5\">EXFILTRATION<\/text>\n      <line x1=\"12\" y1=\"170\" x2=\"770\" y2=\"170\" stroke=\"#e8e8e8\" stroke-width=\"1\"\/>\n      <text x=\"391\" y=\"188\" text-anchor=\"middle\" fill=\"#bbb\" font-size=\"8.5\" letter-spacing=\"1\" font-style=\"italic\">ATTACK FLOW ,  FORTISYNC QUASAR<\/text>\n    <\/svg>\n  <\/div>\n\n  <p>The campaign&rsquo;s next phase was marked by the deployment of multiple tools, each serving a distinct role in the attack chain:<\/p>\n\n\n  <!-- Arsenal Summary Table -->\n  <div class=\"fg-table-wrap\">\n    
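<p>Before turning to the arsenal, one check that follows directly from the VPN-persistence finding above. The following script is an added example written for this page, not code from the original Fortgale report: it parses a FortiOS CLI configuration backup (the <code>config<\/code> \/ <code>edit<\/code> \/ <code>set<\/code> \/ <code>next<\/code> \/ <code>end<\/code> block syntax is the real format) and flags every <code>system admin<\/code> account and every <code>vpn ipsec phase1-interface<\/code> peer that is not on a defender-maintained allow-list, plus admins that have no <code>trusthost<\/code> restriction. The sample configuration, the allow-lists and the assumption that the rogue tunnel was an IPsec phase1 peer are all constructed for illustration; the <code>forticloud-sync<\/code> name is the service account this report associates with the firewall compromise, and treating it here as a local admin entry is an assumption of the example.<\/p>

```python
"""Audit a FortiOS CLI configuration backup for rogue admins and VPN peers.

Added example for this page; the FortiOS block syntax is real, while the
sample backup and the allow-lists below are constructed for illustration.
"""

# Constructed sample backup: two admins and two IPsec phase1 peers. The
# "forticloud-sync" admin and the "sync-tunnel" peer are the planted findings.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.0 255.255.255.0
            next
        end
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set remote-gw 198.51.100.20
    next
    edit "sync-tunnel"
        set interface "wan1"
        set remote-gw 203.0.113.77
    next
end
"""

# Allow-lists a defender would maintain out of band (constructed for the example).
KNOWN_ADMINS = {'admin'}
KNOWN_VPN_PEERS = {'198.51.100.20'}


def parse_fortios(text):
    """Parse FortiOS CLI text into {table path: {entry name: {key: value}}}.

    A stack of (kind, name) frames tracks nesting: 'next' closes an edit,
    'end' closes a config block. Nested tables such as an admin's trusthost
    list get a path that includes the parent entry, e.g.
    'system admin/admin/trusthost'.
    """
    tables = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('config '):
            stack.append(('config', line[len('config '):].strip()))
        elif line.startswith('edit '):
            stack.append(('edit', line[len('edit '):].strip().strip('"')))
        elif line.startswith(('set ', 'unset ')):
            if stack and stack[-1][0] == 'edit':
                frames, entry = stack[:-1], stack[-1][1]
            else:
                frames, entry = stack, '_global'   # 'set' directly under a config block
            path = '/'.join(name for _, name in frames)
            attrs = tables.setdefault(path, {}).setdefault(entry, {})
            if line.startswith('set '):
                key, _, value = line[len('set '):].partition(' ')
                attrs[key] = value.strip().strip('"')
            else:
                attrs[line[len('unset '):].strip()] = None
        elif line in ('next', 'end') and stack:
            stack.pop()
    return tables


def audit_fortigate(tables, known_admins=KNOWN_ADMINS, known_vpn_peers=KNOWN_VPN_PEERS):
    """Return (finding, entry, detail) tuples for admins and IPsec peers outside the allow-lists."""
    findings = []
    for name, attrs in sorted(tables.get('system admin', {}).items()):
        if name == '_global':
            continue
        profile = attrs.get('accprofile', '')
        if name not in known_admins:
            findings.append(('unexpected-admin', name, profile))
        # Without a trusthost table the account may log in from any source address.
        if not tables.get('system admin/%s/trusthost' % name):
            findings.append(('admin-without-trusthost', name, profile))
    for name, attrs in sorted(tables.get('vpn ipsec phase1-interface', {}).items()):
        gateway = attrs.get('remote-gw', '')
        if gateway not in known_vpn_peers:
            findings.append(('unexpected-vpn-peer', name, gateway or 'dynamic/none'))
    return findings


if __name__ == '__main__':
    for finding in audit_fortigate(parse_fortios(SAMPLE_CONFIG)):
        print('%-24s %-18s %s' % finding)
```

<p>Run it against backups taken before and after the suspected compromise window and diff the parsed tables rather than the raw text: a new phase1 peer pointing at an unknown gateway and a new super_admin account with no trusthost restriction are exactly the two artifacts the VPN-persistence section describes, and both survive a reboot of the appliance.<\/p>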
<table class=\"fg-table\">\n      <thead>\n        <tr>\n          <th>Malware<\/th>\n          <th>Category<\/th>\n          <th>Role in Campaign<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr>\n          <td><strong>Matanbuchus 3.0<\/strong><\/td>\n          <td>Loader (MaaS)<\/td>\n          <td>Primary delivery mechanism for secondary payloads. Used to stage and deploy Astarion RAT and SystemBC.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Astarion RAT<\/strong><\/td>\n          <td>Remote Access Trojan<\/td>\n          <td>Comprehensive remote access, command execution, and data collection capabilities.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>SystemBC<\/strong><\/td>\n          <td>Proxy \/ Backdoor<\/td>\n          <td>Encrypted proxy tunneling for covert C2 communications and traffic obfuscation.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>RClone<\/strong><\/td>\n          <td>Exfiltration Utility<\/td>\n          <td>High-volume data exfiltration to external S3-compatible storage infrastructure.<\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n \n <!-- \u2500\u2500 Malware infection chain diagram \u2500\u2500 -->\n  <div class=\"fg-flow\" style=\"margin-top: 10px;\">\n    <svg viewBox=\"0 0 780 160\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"font-family:'Segoe UI',system-ui,sans-serif;\">\n      <defs>\n        <marker id=\"fgChainArrow\" markerWidth=\"8\" markerHeight=\"6\" refX=\"8\" refY=\"3\" orient=\"auto\"><path d=\"M0,0 L8,3 L0,6Z\" fill=\"#1b2a4a\"\/><\/marker>\n        <marker id=\"fgChainArrowR\" markerWidth=\"8\" markerHeight=\"6\" refX=\"8\" refY=\"3\" orient=\"auto\"><path d=\"M0,0 L8,3 L0,6Z\" fill=\"#b22234\"\/><\/marker>\n      <\/defs>\n      <text x=\"390\" y=\"16\" text-anchor=\"middle\" fill=\"#999\" font-size=\"8.5\" letter-spacing=\"1.5\" text-transform=\"uppercase\">INFECTION CHAIN<\/text>\n      <!-- Matanbuchus -->\n      <rect x=\"30\" 
y=\"40\" width=\"155\" height=\"70\" rx=\"2\" fill=\"#1b2a4a\"\/>\n      <rect x=\"30\" y=\"40\" width=\"155\" height=\"3\" fill=\"#b22234\"\/>\n      <text x=\"107\" y=\"72\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"12\" font-weight=\"700\">Matanbuchus 3.0<\/text>\n      <text x=\"107\" y=\"92\" text-anchor=\"middle\" fill=\"#999\" font-size=\"9\" font-style=\"italic\">Loader \/ MaaS<\/text>\n      <!-- Arrow to Astarion -->\n      <line x1=\"185\" y1=\"62\" x2=\"248\" y2=\"42\" stroke=\"#1b2a4a\" stroke-width=\"1.5\" marker-end=\"url(#fgChainArrow)\"\/>\n      <!-- Arrow to SystemBC -->\n      <line x1=\"185\" y1=\"88\" x2=\"248\" y2=\"105\" stroke=\"#1b2a4a\" stroke-width=\"1.5\" marker-end=\"url(#fgChainArrow)\"\/>\n      <!-- Astarion -->\n      <rect x=\"250\" y=\"26\" width=\"155\" height=\"50\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#d0d0d0\" stroke-width=\"1\"\/>\n      <rect x=\"250\" y=\"26\" width=\"155\" height=\"3\" fill=\"#1b2a4a\"\/>\n      <text x=\"327\" y=\"50\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"11\" font-weight=\"700\">Astarion RAT<\/text>\n      <text x=\"327\" y=\"66\" text-anchor=\"middle\" fill=\"#888\" font-size=\"9\" font-style=\"italic\">Remote Access<\/text>\n      <!-- SystemBC -->\n      <rect x=\"250\" y=\"90\" width=\"155\" height=\"50\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#d0d0d0\" stroke-width=\"1\"\/>\n      <rect x=\"250\" y=\"90\" width=\"155\" height=\"3\" fill=\"#1b2a4a\"\/>\n      <text x=\"327\" y=\"114\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"11\" font-weight=\"700\">SystemBC<\/text>\n      <text x=\"327\" y=\"130\" text-anchor=\"middle\" fill=\"#888\" font-size=\"9\" font-style=\"italic\">C2 Proxy Tunnel<\/text>\n      <!-- Arrows to targets -->\n      <line x1=\"405\" y1=\"51\" x2=\"480\" y2=\"75\" stroke=\"#999\" stroke-width=\"1.5\" stroke-dasharray=\"4,3\" marker-end=\"url(#fgChainArrow)\"\/>\n      <line x1=\"405\" y1=\"115\" x2=\"480\" y2=\"85\" stroke=\"#999\" stroke-width=\"1.5\" 
stroke-dasharray=\"4,3\" marker-end=\"url(#fgChainArrow)\"\/>\n      <!-- Target \/ C2 -->\n      <rect x=\"482\" y=\"55\" width=\"120\" height=\"50\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#d0d0d0\" stroke-width=\"1\"\/>\n      <rect x=\"482\" y=\"55\" width=\"120\" height=\"3\" fill=\"#1b2a4a\"\/>\n      <text x=\"542\" y=\"79\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"11\" font-weight=\"700\">Target Host<\/text>\n      <text x=\"542\" y=\"95\" text-anchor=\"middle\" fill=\"#888\" font-size=\"9\" font-style=\"italic\">Full Control<\/text>\n      <!-- Arrow to exfil -->\n      <line x1=\"602\" y1=\"80\" x2=\"660\" y2=\"80\" stroke=\"#b22234\" stroke-width=\"1.5\" stroke-dasharray=\"4,3\" marker-end=\"url(#fgChainArrowR)\"\/>\n      <!-- RClone -->\n      <rect x=\"662\" y=\"55\" width=\"100\" height=\"50\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#b22234\" stroke-width=\"1.5\"\/>\n      <rect x=\"662\" y=\"55\" width=\"100\" height=\"3\" fill=\"#b22234\"\/>\n      <text x=\"712\" y=\"79\" text-anchor=\"middle\" fill=\"#b22234\" font-size=\"11\" font-weight=\"700\">RClone<\/text>\n      <text x=\"712\" y=\"95\" text-anchor=\"middle\" fill=\"#888\" font-size=\"9\" font-style=\"italic\">Exfil &rarr; S3<\/text>\n    <\/svg>\n  <\/div> \n\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  DETAILED MALWARE DESCRIPTIONS                       -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <h2 
id=\"arsenal\">Observed Malware Arsenal<\/h2>\n\n  <h3>Matanbuchus 3.0 (The Loader)<\/h3>\n\n  <div class=\"fg-malware-detail\">\n    <div class=\"fg-malware-detail-header\">\n      <span class=\"fg-md-icon\">&#x25A0;<\/span>\n      <span class=\"fg-md-title\">Matanbuchus 3.0<\/span>\n      <span class=\"fg-md-tag\">Loader &middot; MaaS<\/span>\n    <\/div>\n    <div class=\"fg-malware-detail-body\">\n      <p>Matanbuchus 3.0 is a sophisticated malware loader distributed through a Malware-as-a-Service (MaaS) model that <a href=\"https:\/\/www.huntress.com\/blog\/clickfix-matanbuchus-astarionrat-analysis\" target=\"_blank\" rel=\"noopener\">marked its return<\/a> to the cyberthreat landscape in May 2025, following a brief period of inactivity.<\/p>\n      <p>The malware is actively marketed on high-profile Russian underground forums by threat actors such as &ldquo;BelialDemon,&rdquo; with a premium subscription model that reflects its technical sophistication: the HTTPS protocol-based variant is priced at <span class=\"fg-price\">$10,000 \/ month<\/span>, while the version leveraging DNS protocol for C2 communications reaches <span class=\"fg-price\">$15,000 \/ month<\/span>.<\/p>\n      <p>Technical capabilities include the execution of multiple payload types (EXE, DLL, MSI, and Shellcode) both through disk-based deployment and directly in-memory to minimize forensic artifacts, support for reverse shells via CMD or PowerShell, and execution of WQL (WMI Query Language) queries for comprehensive reconnaissance of compromised systems. A distinctive feature of this release is the implementation of <strong>Protocol Buffers (Protobuf)<\/strong> serialization coupled with <strong>ChaCha20 encryption<\/strong> to protect the integrity and confidentiality of C2 server communications. 
The loader serves as a gateway for more severe second-stage threats, including ransomware and remote access trojans such as Astarion RAT.<\/p>\n    <\/div>\n  <\/div>\n\n  <h3>Astarion RAT (MimicRAT)<\/h3>\n\n  <div class=\"fg-malware-detail\">\n    <div class=\"fg-malware-detail-header\">\n      <span class=\"fg-md-icon\">&#x25C6;<\/span>\n      <span class=\"fg-md-title\">Astarion RAT<\/span>\n      <span class=\"fg-md-tag\">RAT &middot; Espionage<\/span>\n    <\/div>\n    <div class=\"fg-malware-detail-body\">\n      <p>Astarion RAT is a next-generation Remote Access Trojan with a modular architecture that allows it to serve both as an espionage tool and as a distribution vector for additional malicious payloads. Primary attribution links it to financially motivated actors.<\/p>\n      <p>It was notably observed between late 2025 and early 2026. The malware excels at maintaining persistence and achieving full remote control of the compromised host, leveraging <strong>RSA-encrypted C2 communications<\/strong> so that intercepted traffic cannot be read.<\/p>\n      <p>Its ability to execute PowerShell scripts directly in memory drastically reduces on-disk artifacts, making incident response and forensic analysis particularly complex.<\/p>\n    <\/div>\n  <\/div>\n\n  <h3>SystemBC<\/h3>\n\n  <div class=\"fg-malware-detail\">\n    <div class=\"fg-malware-detail-header\">\n      <span class=\"fg-md-icon\">&#x25CF;<\/span>\n      <span class=\"fg-md-title\">SystemBC<\/span>\n      <span class=\"fg-md-tag\">Proxy &middot; Backdoor<\/span>\n    <\/div>\n    <div class=\"fg-malware-detail-body\">\n      <p>SystemBC, also tracked as Coroxy or DroxiDat, is malware specialized in creating persistent network tunnels, acting as a covert SOCKS5 proxy. It is closely associated with threat actors such as &ldquo;Vanilla Tempest&rdquo; and numerous high-profile ransomware affiliates, including groups tied to LockBit and Black Basta infrastructures.<\/p>\n      <p>Its primary use lies in masking Command and Control (C2) traffic, allowing attackers to relay commands to other malware on the network without triggering perimeter firewall alarms. Campaigns detected throughout 2025 highlighted the deployment of SystemBC against the public sector in Central Asia and critical infrastructure in Latin America, confirming its effectiveness in bypassing traditional network defenses through communication protocol obfuscation.<\/p>\n      <p>Notably, the deployment of SystemBC via Matanbuchus represents the <strong>first publicly documented case<\/strong> of this particular infection chain.<\/p>\n    <\/div>\n  <\/div>\n\n  <h3>RClone<\/h3>\n\n  <div class=\"fg-malware-detail\">\n    <div class=\"fg-malware-detail-header\">\n      <span class=\"fg-md-icon\">&#x25B2;<\/span>\n      <span class=\"fg-md-title\">RClone<\/span>\n      <span class=\"fg-md-tag\">LoTL &middot; Exfiltration<\/span>\n    <\/div>\n    <div class=\"fg-malware-detail-body\">\n      <p>RClone is a critical example of Living-off-the-Land tool abuse: it is open-source software originally designed for managing files on cloud storage that threat actors systematically employ for rapid data exfiltration. Although the binary itself is legitimate and carries no malicious signature, it appears in the forensic record of nearly every incident involving ransomware groups such as Akira, Cl0p, and LockBit.<\/p>\n      <p>Attackers use RClone to transfer massive volumes of sensitive data to remote servers or commercial cloud services such as Mega, Dropbox, or Amazon S3, an operation that usually precedes the final system encryption phase. 
The tool&rsquo;s effectiveness lies in its stability and speed, as well as its ability to operate through encrypted channels that mimic normal corporate traffic, making the distinction between legitimate and illicit use extremely dependent on behavioral analysis.<\/p>\n    <\/div>\n  <\/div>\n\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  THREAT ACTOR PROFILE                                -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <h2 id=\"actor-profile\">Threat Actor Profile: Mora_001<\/h2>\n\n  <!-- Profile card -->\n  <div class=\"fg-profile\">\n    <div class=\"fg-profile-badge\">\n      <svg width=\"72\" height=\"72\" viewBox=\"0 0 72 72\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n        <rect x=\"1\" y=\"1\" width=\"70\" height=\"70\" rx=\"4\" fill=\"#1b2a4a\" stroke=\"#b22234\" stroke-width=\"2\"\/>\n        <text x=\"36\" y=\"30\" text-anchor=\"middle\" fill=\"#fff\" font-family=\"'Segoe UI',system-ui,sans-serif\" font-size=\"10\" font-weight=\"700\" letter-spacing=\"1\">THREAT<\/text>\n        <text x=\"36\" y=\"44\" text-anchor=\"middle\" fill=\"#b22234\" font-family=\"'Segoe UI',system-ui,sans-serif\" font-size=\"14\" font-weight=\"700\">M_001<\/text>\n        <line x1=\"18\" y1=\"52\" x2=\"54\" y2=\"52\" stroke=\"#444\" stroke-width=\"0.5\"\/>\n        <text x=\"36\" y=\"63\" text-anchor=\"middle\" fill=\"#888\" font-family=\"'Segoe UI',system-ui,sans-serif\" font-size=\"8\" 
letter-spacing=\"0.5\">ACTOR<\/text>\n      <\/svg>\n    <\/div>\n    <div class=\"fg-profile-info\">\n      <div class=\"fg-profile-name\">Mora_001<\/div>\n      <div class=\"fg-profile-origin\">Assessed origin: Russia &nbsp;&middot;&nbsp; First documented: Early 2025 (<a href=\"https:\/\/www.forescout.com\/blog\/new-ransomware-operator-exploits-fortinet-vulnerability-duo\/\" target=\"_blank\" rel=\"noopener\" style=\"color:#888;border-bottom-color:rgba(136,136,136,0.3);\">Forescout<\/a>)<\/div>\n      <p class=\"fg-profile-desc\">A sophisticated threat actor whose TTPs align with groups of assessed Russian origin. Initially categorized as a ransomware operator deploying <strong>SuperBlack<\/strong>, a custom strain built upon the leaked LockBit builder. Linked to the exploitation of the Fortinet vulnerability chain <strong>CVE-2024-55591<\/strong> and <strong>CVE-2025-24472<\/strong>. In early campaigns, exhibited a rapid operational tempo, deploying ransomware within 48 hours of initial access when conditions were favorable.<\/p>\n    <\/div>\n  <\/div>\n\n  <!-- Intelligence Assessment -->\n  <div class=\"fg-assessment\">\n    <div class=\"fg-assessment-title\">\n      <svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\" style=\"vertical-align: middle; margin-right: 6px;\"><rect x=\"1\" y=\"1\" width=\"12\" height=\"12\" rx=\"2\" stroke=\"#1b2a4a\" stroke-width=\"1.5\"\/><path d=\"M4 7l2 2 4-4\" stroke=\"#1b2a4a\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg>\n      Intelligence Assessment\n    <\/div>\n    <p>Although attribution to Mora_001 is assessed with high confidence, based on the use of the <code>forticloud-sync<\/code> service account during the initial firewall compromise and on overlaps in infrastructure and TTPs, the operational profile observed in this campaign represents a <strong>significant evolution<\/strong> from Mora_001&rsquo;s previously documented behavior, suggesting a change in the actor&rsquo;s mandate or operational tasking.<\/p>\n    <p>As of today, comparison and attribution rest solely on similarities with the TTPs described by <a href=\"https:\/\/www.forescout.com\/blog\/new-ransomware-operator-exploits-fortinet-vulnerability-duo\/\" target=\"_blank\" rel=\"noopener\">Forescout<\/a>. No other public documentation mentions these TTPs or the use of <code>forticloud-sync<\/code>. Fortgale welcomes contact from anyone who has further information or has observed similar techniques.<\/p>\n  <\/div>\n\n\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  OPERATIONAL EVOLUTION                               -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <h2 id=\"evolution\">Operational Evolution: From Ransomware to Espionage<\/h2>\n\n  <p>The findings from this engagement reveal a significant evolution from the operational profile previously attributed to Mora_001. 
The following table summarizes the key behavioral similarities and differences between the documented 2025 campaigns and the current intrusion:<\/p>\n\n  <!-- Evolution visual diagram -->\n  <div class=\"fg-evo-diagram\">\n    <svg viewBox=\"0 0 780 130\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"font-family:'Segoe UI',system-ui,sans-serif;\">\n      <defs>\n        <marker id=\"fgEvoArrow\" markerWidth=\"10\" markerHeight=\"7\" refX=\"10\" refY=\"3.5\" orient=\"auto\"><path d=\"M0,0 L10,3.5 L0,7Z\" fill=\"#b22234\"\/><\/marker>\n      <\/defs>\n      <!-- 2025 box -->\n      <rect x=\"20\" y=\"20\" width=\"260\" height=\"90\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#d0d0d0\" stroke-width=\"1.5\"\/>\n      <rect x=\"20\" y=\"20\" width=\"260\" height=\"4\" fill=\"#1b2a4a\"\/>\n      <text x=\"150\" y=\"48\" text-anchor=\"middle\" fill=\"#888\" font-size=\"9\" text-transform=\"uppercase\" letter-spacing=\"1\">2025 PROFILE<\/text>\n      <text x=\"150\" y=\"68\" text-anchor=\"middle\" fill=\"#1b2a4a\" font-size=\"14\" font-weight=\"700\">Ransomware Operator<\/text>\n      <text x=\"150\" y=\"88\" text-anchor=\"middle\" fill=\"#888\" font-size=\"10\">SuperBlack &middot; 48h deployment &middot; Aggressive<\/text>\n      <!-- Arrow -->\n      <line x1=\"290\" y1=\"65\" x2=\"490\" y2=\"65\" stroke=\"#b22234\" stroke-width=\"2.5\" marker-end=\"url(#fgEvoArrow)\"\/>\n      <text x=\"390\" y=\"55\" text-anchor=\"middle\" fill=\"#b22234\" font-size=\"10\" font-weight=\"700\" letter-spacing=\"1\">EVOLUTION<\/text>\n      <!-- 2026 box -->\n      <rect x=\"500\" y=\"20\" width=\"260\" height=\"90\" rx=\"2\" fill=\"#f5f5f5\" stroke=\"#b22234\" stroke-width=\"1.5\"\/>\n      <rect x=\"500\" y=\"20\" width=\"260\" height=\"4\" fill=\"#b22234\"\/>\n      <text x=\"630\" y=\"48\" text-anchor=\"middle\" fill=\"#888\" font-size=\"9\" text-transform=\"uppercase\" letter-spacing=\"1\">2026 CAMPAIGN<\/text>\n      <text x=\"630\" y=\"68\" text-anchor=\"middle\" fill=\"#1b2a4a\" 
font-size=\"14\" font-weight=\"700\">Espionage + Ransomware<\/text>\n      <text x=\"630\" y=\"88\" text-anchor=\"middle\" fill=\"#888\" font-size=\"10\">Matanbuchus 3.0 &middot; Months dwell &middot; Patient<\/text>\n    <\/svg>\n  <\/div>\n\n  <!-- Comparison Table -->\n  <div class=\"fg-table-wrap\">\n    <table class=\"fg-table\">\n      <thead>\n        <tr>\n          <th style=\"width:22%;\">Indicator<\/th>\n          <th style=\"width:39%;\">2025 Profile (<a href=\"https:\/\/www.forescout.com\/blog\/new-ransomware-operator-exploits-fortinet-vulnerability-duo\/\" target=\"_blank\" rel=\"noopener\" style=\"color:#fff;\">Forescout<\/a>)<\/th>\n          <th style=\"width:39%;\">2026 Campaign (Fortgale)<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr class=\"fg-match-cell\">\n          <td><strong>Infrastructure<\/strong><\/td>\n          <td>Malicious infrastructure based in Russia<\/td>\n          <td>Malicious infrastructure based in Russia<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Dwell Time<\/strong><\/td>\n          <td>Rapid: ransomware deployed within 48 hours of initial access<\/td>\n          <td class=\"fg-highlight-cell\">Extended: months of dormancy between initial access and lateral movement<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Primary Objective<\/strong><\/td>\n          <td>Financial extortion via SuperBlack ransomware deployment<\/td>\n          <td class=\"fg-highlight-cell\">Strategic data exfiltration, followed by potential ransomware deployment<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Malware Tooling<\/strong><\/td>\n          <td>SuperBlack (LockBit-based), custom exfiltration tools<\/td>\n          <td class=\"fg-highlight-cell\">Matanbuchus 3.0, Astarion RAT, SystemBC, RClone<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Operational Tempo<\/strong><\/td>\n          <td>Aggressive, opportunistic exploitation of exposed Fortinet devices<\/td>\n         
<td class=\"fg-highlight-cell\">Deliberate, patient; extended reconnaissance and careful target selection<\/td>\n        <\/tr>\n        <tr class=\"fg-match-cell\">\n          <td><strong>Initial Access<\/strong><\/td>\n          <td>Fortinet firewall exploitation (<code>forticloud-sync<\/code>, <code>forticloud-tech<\/code> account)<\/td>\n          <td>Fortinet firewall exploitation (<code>forticloud-sync<\/code>, <code>forticloud-tech<\/code> account)<\/td>\n        <\/tr>\n        <tr class=\"fg-match-cell\">\n          <td><strong>Initial Access<\/strong><\/td>\n          <td>Brute forcing of OWA using &ldquo;VPN Brute Force&rdquo;<\/td>\n          <td>Brute forcing of OWA using &ldquo;VPN Brute Force&rdquo;<\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n  <p>Fortgale assesses that this behavioral shift is indicative of an evolution in Mora_001&rsquo;s operational mandate. Several hypotheses, which are not mutually exclusive, may explain this transition:<\/p>\n\n  <!-- Hypotheses -->\n  <ol class=\"fg-hypotheses\">\n    <li>\n      <strong>Tasking Shift<\/strong>\n      The substantial change in the second part of the attack chain could be explained by a change in Mora_001&rsquo;s business model: the actor may now operate as an Initial Access Broker, selling access to the compromised infrastructure to a third party.\n    <\/li>\n    <li>\n      <strong>Dual-Purpose Operations<\/strong>\n      The actor may operate under a hybrid model, conducting ransomware operations for revenue generation while selectively executing espionage missions against high-value targets.\n    <\/li>\n    <li>\n      <strong>Capability Maturation<\/strong>\n      The significant upgrade in the malware arsenal suggests increased funding and access to higher-tier procurement channels.\n    <\/li>\n  <\/ol>\n\n  <p>Unlike cybercriminal groups that prioritize rapid monetization, Mora_001, as observed in this campaign, demonstrates a high degree of operational discipline, often remaining inactive for weeks or months between the initial breach and the commencement of lateral movement. This patience is indicative of an actor with strategic objectives that extend beyond immediate financial gain.<\/p>\n\n  <p>The actor&rsquo;s ability to procure and deploy premium malware builds such as Matanbuchus 3.0, which commands a significant price (<span class=\"fg-price\">$15,000 \/ month<\/span>) on underground marketplaces, indicates a well-funded operation with access to established procurement channels within the Russian-language cybercriminal ecosystem.<\/p>\n\n  <p>The operational methodology, characterized by the use of legitimate administrative tools, compromised service accounts, and extended dwell times, is consistent with a long-term &ldquo;sleeper&rdquo; strategy designed to maintain persistent access while evading detection.<\/p>\n\n  <hr class=\"fg-divider\">\n\n\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  Campaign Storming Tide: Shared Technical Characteristics                 -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <h2 id=\"characteristics\">Campaign Storming Tide: Shared Technical Characteristics<\/h2>\n\n  <p>From Fortgale&rsquo;s analytical perspective, the intrusion documented in this report does not represent an isolated incident.<\/p>\n\n  <p>
Cross-referencing our findings with intelligence independently published by <a href=\"https:\/\/www.sentinelone.com\/blog\/fortigate-edge-intrusions\/\" target=\"_blank\" rel=\"noopener\">SentinelOne<\/a>, <a href=\"https:\/\/aws.amazon.com\/it\/blogs\/security\/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale\/\" target=\"_blank\" rel=\"noopener\">Amazon<\/a>, <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts\/\" target=\"_blank\" rel=\"noopener\">Arctic Wolf<\/a>, <a href=\"https:\/\/www.esentire.com\/security-advisories\/confirmed-zero-day-vulnerability-in-fortinet-products-cve-2026-24858\" target=\"_blank\" rel=\"noopener\">eSentire<\/a>, <a href=\"https:\/\/www.huntress.com\/blog\/clickfix-matanbuchus-astarionrat-analysis\" target=\"_blank\" rel=\"noopener\">Huntress<\/a>, and <a href=\"https:\/\/www.forescout.com\/blog\/new-ransomware-operator-exploits-fortinet-vulnerability-duo\/\" target=\"_blank\" rel=\"noopener\">Forescout<\/a> reveals a consistent pattern of overlapping indicators, shared infrastructure, and synchronized operational timelines that point toward a single, coordinated campaign rather than a collection of unrelated intrusions.<\/p>\n\n  <p>The convergence is striking. Between late 2025 and early 2026, multiple security organizations documented threat activity targeting Fortinet perimeter appliances at scale. Arctic Wolf was among the first to observe malicious SSO logins on FortiGate devices following the disclosure of <strong>CVE-2025-59718<\/strong> and <strong>CVE-2025-59719<\/strong>, identifying automated creation of rogue administrator accounts and exfiltration of firewall configurations. This activity intensified when <strong>CVE-2026-24858<\/strong>, a critical authentication bypass zero-day (CVSS 9.8) in the FortiCloud SSO mechanism, was confirmed under active exploitation, as documented by eSentire and CISA. 
Notably, even fully patched devices were found to be compromised through this separate vulnerability, extending the window of exposure well beyond initial remediation efforts.<\/p>\n\n  <p>SentinelOne&rsquo;s DFIR investigations into FortiGate edge intrusions confirmed a parallel pattern: stolen service accounts leading to rogue workstations, Active Directory compromise, and DLL side-loading chains employing <strong>java.exe<\/strong> with a malicious <strong>jli.dll<\/strong>, the identical technique observed in the Fortgale incident. <\/p>\n\n  <p>Amazon&rsquo;s threat intelligence team documented a Russian-speaking actor who compromised over <strong>600 FortiGate devices across 55 countries<\/strong> between January and February 2026, augmenting their capabilities through commercial generative AI services. While this actor exhibited lower baseline technical sophistication, the operational pattern, targeting Fortinet management interfaces, harvesting credentials, exfiltrating Active Directory databases, and staging for potential ransomware deployment, mirrors the Storming Tide operational profile with notable precision.<\/p>\n\n  <p>The malware dimension provides the strongest connective thread. Huntress documented an intrusion chain in which <strong>Matanbuchus 3.0<\/strong> delivered <strong>Astarion RAT<\/strong> (also tracked as MIMICRAT by Elastic Security Labs), the exact same loader-to-RAT delivery chain observed in the Fortgale incident. The operators moved from initial access to domain controllers in under 40 minutes, leveraging PsExec, rogue account creation, and Defender exclusions, tactics fully consistent with pre-ransomware staging.<\/p>\n\n <p>A recurring pattern across multiple engagements is the <strong>absence of final-stage ransomware execution<\/strong>. However, this observation must be interpreted with caution. 
In the Fortgale case, rapid containment by the IR team explicitly prevented both data exfiltration and ransomware deployment; similarly, in other reports <strong>early detection<\/strong> disrupted the operation before the threat actor could achieve their final objectives. It is therefore plausible that the lack of ransomware execution in several of these incidents reflects <strong>successful defensive intervention rather than deliberate restraint<\/strong> by the operators.<\/p>\n\n<p><strong>No ransomware tooling was observed or staged within the compromised environments<\/strong>. However, this is consistent with standard ransomware operational tradecraft, where payloads are typically deployed only in the final stage of an attack, often immediately before execution to minimize detection risk. The absence of ransomware artifacts in earlier phases is therefore <strong>not anomalous in itself<\/strong>. What remains diagnostic is the <strong>operational emphasis<\/strong>: extended dwell times, patient reconnaissance, and prioritized data exfiltration over rapid encryption. 
While ransomware deployment cannot be definitively ruled out as a contingent or follow-on objective, the observed TTPs align more closely with <strong>intelligence-collection priorities than with financially motivated extortion<\/strong>.<\/p>\n\n  <div class=\"fg-infobox\">\n    <div class=\"fg-infobox-title\">\n      <svg width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" fill=\"none\"><rect x=\"1\" y=\"1\" width=\"14\" height=\"14\" rx=\"2\" stroke=\"#1b2a4a\" stroke-width=\"1.5\"\/><path d=\"M4.5 8h7M4.5 5.5h7M4.5 10.5h4.5\" stroke=\"#1b2a4a\" stroke-width=\"1.2\" stroke-linecap=\"round\"\/><\/svg>\n      Cross-Campaign Convergence Indicators\n    <\/div>\n    <ul>\n<li><strong>Perimeter Targeting:<\/strong> Systematic exploitation of Fortinet firewall vulnerabilities (CVE-2024-55591, CVE-2024-21762, CVE-2022-42475, CVE-2023-27997, CVE-2022-40684) as the primary initial access vector, <strong>frequently accompanied by credential brute-force attacks against firewall management interfaces<\/strong>.<\/li>\n      <li><strong>Shared Malware Arsenal:<\/strong> Deployment of <strong>Matanbuchus 3.0<\/strong> as the primary loader delivering <strong>Astarion RAT<\/strong> and <strong>SystemBC<\/strong>, with overlapping C2 infrastructure.<\/li>\n      <li><strong>Operational Profile:<\/strong> TTPs consistently include ransomware pre-staging (credential harvesting, AD compromise, data exfiltration via RClone).<\/li>\n      <li><strong>Attribution Indicators:<\/strong> Russian-speaking operators, infrastructure geolocated to Russian hosting providers, activity on Russian-language underground forums (BelialDemon \/ Matanbuchus MaaS).<\/li>\n    <\/ul>\n  <\/div>\n\n  <p>Fortgale assesses with <strong>moderate-to-high confidence<\/strong> that these operations constitute components of a single coordinated campaign, <strong>Storming Tide<\/strong>, executed by multiple criminal groups operating in concert under a shared operational framework. 
The primary objective is assessed to be <strong>intelligence collection and strategic data exfiltration<\/strong>, with ransomware representing a credible secondary objective whose non-execution cannot be definitively attributed to operator intent alone, given the documented role of IR disruption in multiple engagements. The involvement of multiple actors at different skill levels, from AI-augmented operators documented by Amazon to the more sophisticated Mora_001 tradecraft observed by Fortgale and Forescout, suggests a tiered operational structure in which initial access acquisition, network exploitation, and data exfiltration may be distributed across distinct groups within a coordinated ecosystem.<\/p>\n\n\n\n  <!-- Charon \/ Earth Baxia note -->\n  <div class=\"fg-assessment fg-assessment-red\">\n    <div class=\"fg-assessment-title\">\n      <svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\" style=\"vertical-align: middle; margin-right: 6px;\"><circle cx=\"7\" cy=\"7\" r=\"5.5\" stroke=\"#b22234\" stroke-width=\"1.5\"\/><path d=\"M7 4.5v3\" stroke=\"#b22234\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><circle cx=\"7\" cy=\"10\" r=\"0.8\" fill=\"#b22234\"\/><\/svg>\n      Analyst Note: Matanbuchus &ndash; Charon Connection\n    <\/div>\n    <p>While not directly attributable to the Storming Tide operations, during reverse engineering activities on the Matanbuchus malware, Fortgale identified a <strong>possible connection with Charon Ransomware<\/strong>. This cross-attribution warrants further investigation and may suggest broader malware supply-chain overlaps between distinct threat ecosystems. 
More information can be found in the <a href=\"https:\/\/fortgale.com\/blog\/malware-analysis\/matanbuchus-malware-analysis\/\" target=\"_blank\" rel=\"noopener\">Matanbuchus malware analysis<\/a>.<\/p>\n  <\/div>\n\n  <hr class=\"fg-divider\">\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  INDICATORS OF COMPROMISE                            -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <h2 id=\"ioc\">Indicators of Compromise<\/h2>\n\n  <h3>Network IoCs<\/h3>\n  <div class=\"fg-table-wrap\">\n    <table class=\"fg-table\">\n      <thead>\n        <tr>\n          <th style=\"width:14%;\">Type<\/th>\n          <th style=\"width:52%;\">Value<\/th>\n          <th style=\"width:34%;\">Context<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr>\n          <td><span class=\"fg-ioc-badge fg-ioc-badge-ip\"><svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\"><circle cx=\"7\" cy=\"7\" r=\"5\" stroke=\"#fff\" stroke-width=\"1.3\"\/><text x=\"7\" y=\"10\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"7\" font-weight=\"700\">IP<\/text><\/svg><\/span> <strong>IPv4<\/strong><\/td>\n          <td><code>213.226.113[.]74<\/code><\/td>\n          <td>Initial Access Attempt (Late 2025)<\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"fg-ioc-badge fg-ioc-badge-domain\"><svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\"><circle cx=\"7\" cy=\"7\" r=\"5\" 
stroke=\"#fff\" stroke-width=\"1.3\"\/><path d=\"M2.5 7h9M7 2.5c-1.5 1.5-2 3-2 4.5s.5 3 2 4.5c1.5-1.5 2-3 2-4.5s-.5-3-2-4.5\" stroke=\"#fff\" stroke-width=\"1\" stroke-linecap=\"round\"\/><\/svg><\/span> <strong>Domain<\/strong><\/td>\n          <td><code>www[.]ndibstersoft[.]com<\/code><\/td>\n          <td>Matanbuchus C2<\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"fg-ioc-badge fg-ioc-badge-hash\"><svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\"><text x=\"7\" y=\"10.5\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"9\" font-weight=\"700\">#<\/text><\/svg><\/span> <strong>SHA-256<\/strong><\/td>\n          <td><code>6d0c02e79858a70aa354a0a4088b671710c7003a62c56d5c6fca7ad376845707<\/code><\/td>\n          <td>SystemBC PowerShell script<\/td>\n        <\/tr>\n        <tr>\n          <td><span class=\"fg-ioc-badge fg-ioc-badge-ip\"><svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\"><circle cx=\"7\" cy=\"7\" r=\"5\" stroke=\"#fff\" stroke-width=\"1.3\"\/><text x=\"7\" y=\"10\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"7\" font-weight=\"700\">IP<\/text><\/svg><\/span> <strong>IPv4<\/strong><\/td>\n          <td><code>86.106.143[.]137<\/code><\/td>\n          <td>SystemBC C2<\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n  <h3>Host IoCs<\/h3>\n  <div class=\"fg-infobox\" style=\"margin-top: 12px;\">\n    <div class=\"fg-infobox-title\">\n      <svg width=\"14\" height=\"14\" viewBox=\"0 0 14 14\" fill=\"none\"><rect x=\"1\" y=\"1\" width=\"12\" height=\"12\" rx=\"2\" stroke=\"#1b2a4a\" stroke-width=\"1.5\"\/><path d=\"M5 7h4\" stroke=\"#1b2a4a\" stroke-width=\"1.2\" stroke-linecap=\"round\"\/><\/svg>\n      Host-Based Indicators\n    <\/div>\n    <ul>\n      <li><strong>File Path:<\/strong> <code>C:\\ProgramData\\USOShared\\<\/code><\/li>\n      <li><strong>Malicious DLL:<\/strong> <code>jli.dll<\/code><\/li>\n      <li><strong>Scheduled Task:<\/strong> <code>JavaUpdate<\/code> or 
<code>JavaMainUpdate<\/code><\/li> \n      <li><strong>Software Abused:<\/strong> <code>netscan.exe<\/code>, <code>rclone.exe<\/code><\/li>\n    <\/ul>\n  <\/div>\n\n  <hr class=\"fg-divider\">\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  MITRE ATT&CK MAPPING                                -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <h2 id=\"mitre\">MITRE ATT&amp;CK Mapping<\/h2>\n\n  <!-- MITRE visual strip -->\n  <div class=\"fg-flow\" style=\"margin-bottom: 10px;\">\n    <svg viewBox=\"0 0 780 70\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"font-family:'Segoe UI',system-ui,sans-serif;\">\n      <!-- Tactic boxes -->\n      <rect x=\"20\" y=\"10\" width=\"175\" height=\"50\" rx=\"2\" fill=\"#1b2a4a\"\/>\n      <text x=\"107\" y=\"32\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"8.5\" letter-spacing=\"1\">TACTIC<\/text>\n      <text x=\"107\" y=\"47\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"11\" font-weight=\"700\">Initial Access<\/text>\n      <rect x=\"210\" y=\"10\" width=\"175\" height=\"50\" rx=\"2\" fill=\"#1b2a4a\"\/>\n      <text x=\"297\" y=\"32\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"8.5\" letter-spacing=\"1\">TACTIC<\/text>\n      <text x=\"297\" y=\"47\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"11\" font-weight=\"700\">Persistence<\/text>\n      <rect x=\"400\" y=\"10\" width=\"175\" height=\"50\" rx=\"2\" fill=\"#1b2a4a\"\/>\n      <text 
x=\"487\" y=\"32\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"8.5\" letter-spacing=\"1\">TACTIC<\/text>\n      <text x=\"487\" y=\"47\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"11\" font-weight=\"700\">Command &amp; Control<\/text>\n      <rect x=\"590\" y=\"10\" width=\"175\" height=\"50\" rx=\"2\" fill=\"#b22234\"\/>\n      <text x=\"677\" y=\"32\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"8.5\" letter-spacing=\"1\">TACTIC<\/text>\n      <text x=\"677\" y=\"47\" text-anchor=\"middle\" fill=\"#fff\" font-size=\"11\" font-weight=\"700\">Exfiltration<\/text>\n    <\/svg>\n  <\/div>\n\n  <div class=\"fg-table-wrap\">\n    <table class=\"fg-table\">\n      <thead>\n        <tr>\n          <th style=\"width:18%;\">Tactic<\/th>\n          <th style=\"width:14%;\">ID<\/th>\n          <th style=\"width:28%;\">Technique<\/th>\n          <th style=\"width:40%;\">Application<\/th>\n        <\/tr>\n      <\/thead>\n      <tbody>\n        <tr>\n          <td><strong>Initial Access<\/strong><\/td>\n          <td><code>T1133<\/code><\/td>\n          <td>External Remote Services<\/td>\n          <td>Exploitation of Firewall VPN\/Sync accounts.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Persistence<\/strong><\/td>\n          <td><code>T1053.005<\/code><\/td>\n          <td>Scheduled Task\/Job<\/td>\n          <td>Use of &ldquo;JavaUpdate&rdquo; for malware execution.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Persistence<\/strong><\/td>\n          <td><code>T1133<\/code><\/td>\n          <td>External Remote Services<\/td>\n          <td>Remote VPN tunnel created on compromised Fortinet firewall.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Command &amp; Control<\/strong><\/td>\n          <td><code>T1090.003<\/code><\/td>\n          <td>Proxy: Multi-hop Proxy<\/td>\n          <td>SystemBC SOCKS5 proxy tunneling for covert C2 communications.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Command &amp; 
Control<\/strong><\/td>\n          <td><code>T1573.002<\/code><\/td>\n          <td>Encrypted Channel: Asymmetric Cryptography<\/td>\n          <td>Astarion RAT RSA-encrypted C2 traffic; Matanbuchus ChaCha20 + Protobuf C2.<\/td>\n        <\/tr>\n        <tr>\n          <td><strong>Exfiltration<\/strong><\/td>\n          <td><code>T1567.002<\/code><\/td>\n          <td>Exfiltration to Cloud Storage<\/td>\n          <td>Use of RClone to exfiltrate data to an external S3 bucket.<\/td>\n        <\/tr>\n      <\/tbody>\n    <\/table>\n  <\/div>\n\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <!--  FINAL CTA BANNER                                    -->\n  <!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n  <div class=\"fg-cta\">\n    <div class=\"fg-cta-title\">Fortgale Threat Intelligence<\/div>\n    <div class=\"fg-cta-sub\">For inquiries, collaboration, or to share related observations<\/div>\n    <div class=\"fg-cta-links\">\n      <a href=\"mailto:intel@fortgale.com\" class=\"fg-cta-link fg-cta-link-secondary\">Contact intel@fortgale.com<\/a>\n      <a href=\"#matanbuchus-analysis\" class=\"fg-cta-link fg-cta-link-secondary\">Read Matanbuchus Analysis<\/a>\n    <\/div>\n  <\/div>\n\n<\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In February 2026, the Fortgale Incident Response team investigated a multi-stage intrusion attributed to Mora_001, a Russian-origin threat actor exploiting Fortinet 
vulnerabilities. The campaign, internally dubbed &#8220;FortiSync Quasar,&#8221; revealed an evolution from ransomware operations to strategic espionage, deploying Matanbuchus 3.0, Astarion RAT, and SystemBC. Rapid containment prevented any data exfiltration.<\/p>\n","protected":false},"author":1,"featured_media":9722,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1497,2515],"tags":[3065,3082,3084,1653,3078,3079,283,3083,3081,3085],"class_list":["post-9517","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-defence","category-featured","tag-espionage","tag-forescout","tag-fortgale","tag-fortinet-it","tag-matanbuchus","tag-mora_001","tag-ransomware","tag-report","tag-sentinelone","tag-storming-tide"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=9517"}],"version-history":[{"count":68,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9517\/revisions"}],"predecessor-version":[{"id":9725,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9517\/revisions\/9725"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/9722"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=9517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=9517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=9517
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}