Technische Advisories, produziert von unserem europäischen Cyber-Threat-Intelligence-Team: neu offengelegte Schwachstellen, gegen europäische Organisationen beobachtete Angriffskampagnen, Breaches mit Supply-Chain-Auswirkung. Jeder Report enthält eine Executive Summary, Indicators of Compromise (IoCs) und operative Runbooks für IT & Security – keine Aggregationen öffentlicher Quellen, Intelligence aus direkter Beobachtung.
Kompromittierung mit bösartigen VS-Code-Erweiterungen. GitHub hat bisher weder IoCs veröffentlicht noch die betroffenen Erweiterungen öffentlich identifiziert. Empfohlen: vollständiges Inventar aller VS-Code-Erweiterungen auf Unternehmensgeräten und Einsatz der nativen Enterprise-Kontrolle extensions.allowed (VS Code 1.96+), um nur freigegebene Publisher und Erweiterungen zuzulassen. Fortgale-Telemetrie wird analysiert.
Als Mini Shai-Hulud bezeichneter Angriff auf das @antv-npm-Ökosystem und verwandte Bibliotheken (z. B. echarts-for-react). Ein Maintainer-Konto wurde kompromittiert und bösartige Versionen mit Credential-Theft-Payload veröffentlicht: GitHub-Token, AWS-Zugangsdaten, SSH-Schlüssel, kubeconfig-Dateien und SaaS-Token, exfiltriert nach t.m-kosche[.]com. 639 Versionen über 323 Pakete betroffen. IoCs im Fortgale Intelligence Feed hinterlegt.
SEO-Poisoning-Kampagne, die mit KI erstellte Websites missbraucht, auf denen angebliche KI-basierte Utility-Tools beworben werden. Die heruntergeladenen Programme infizieren das Gerät mit Malware. Beispiel für eine bösartige Domain: kitchen-canvas[.]com. Empfohlen: Vorsicht bei Downloads aus nicht verifizierten Quellen und Sperrung der gemeldeten Domains.
Zero-Day (CVE-2026-0300), aktiv ausgenutzt im Dienst User-ID Authentication Portal (Captive Portal) von PAN-OS. Ermöglicht einem nicht authentifizierten Angreifer die Codeausführung (RCE) mit Root-Rechten durch speziell gestaltete Netzwerkpakete. Betroffen sind ausschließlich PA-Series- und VM-Series-Firewalls mit konfiguriertem und zum Internet/nicht vertrauenswürdigen Netzen exponiertem Captive Portal; Prisma Access, Cloud NGFW und Panorama sind nicht betroffen. Sofortiges Einspielen der gepatchten Versionen und ACL-Beschränkung der Management-Schnittstellen. IoCs in den Fortgale-Feeds.
Active campaign across europäische Organisationen exploiting forced authentication via legacy protocols. Emails relay the Net-NTLMv2 hash to threat actor infrastructure with no user interaction required — automatic email client preview is enough.
PackageKit (versions 1.0.2-1.3.4) contains a vulnerability that lets an unprivileged local user install or remove packages without authorisation, gaining full root access. Update to 1.3.5 or apply distro patches.
Open-source vulnerability scanning tool for cloud, containers and CI/CD compromised via GitHub Actions. Guidance on SHA pinning, credential rotation, outbound connection monitoring. IoCs included.
Failed access attempts identified against Fortinet management interfaces directly exposed on the internet. No unauthorised access detected, but the attack surface is high. Recommended isolation via VPN/private network.
Chinese threat actors exploited Notepad++ infrastructure for targeted attacks between May-Dec 2025. Update to 8.9.1+, monitor %AppData%\Bluetooth, review WinGUp.exe logs. Fortgale telemetry: no customers compromised.
CVSS 7.8, already in active exploitation. Insufficient input validation in security decisions lets an unauthenticated attacker bypass local features. Office 2016/2019/LTSC 2021/2024 and 365 Apps for Enterprise.
Malicious package via typosquatting (~85M downloads/month for the legitimate one). 4 versions published Jan 2026 contain code inside polynomial routines that drops in-memory XMRig payload via memfd_create. >1000 downloads in 1 day.
Tables published that drastically lower the bar for attacking the protocol. Credential recovery from hash with consumer hardware around 600 USD. Disable everywhere, set 'NTLMv2 only' via Group Policy, monitor Event ID 4624.
Resource Owner Password Credential flow lets username+password be exchanged directly for an access token, bypassing MFA and Conditional Access. Dangerous for Microsoft Graph/EWS/SharePoint API. Disable via CA policy.
Authentication coercion techniques exploited in enterprise environments where legacy protocols remain active. Active Directory hardening recommendations and authentication telemetry.
Operational Cyber Security and IT guide for disabling Net-NTLMv1 in Active Directory. Lower technical barrier following Mandiant rainbow tables release. Enforcement measures + Event ID 4624 monitoring.
Several campaigns exploit Chrome/Edge/Firefox/Opera extensions to access victim systems and data. Audit installed extensions, centralised allow-lists via GPO/MDM, separate business and personal browsers.
Active reconnaissance campaigns against European M365 tenants using password spraying techniques. Tenant hardening, legacy authentication blocking, Conditional Access bypass monitoring.
CVE-2025-55182, CVSS 10.0, named 'React2Shell'. Allows arbitrary remote code execution on the server. Affects React apps with RSC/Next.js Server Functions ('use server' directive). Immediate patching required.
Threat actors mine data inadvertently shared on jsonformatter.org, codebeautify.org, etc. — credentials, AWS keys, source code. Compromises observed within hours of publication. Recommend corporate proxy block.
F5 Networks announced (15 Oct 2025) unauthorised access by a nation-state actor with exfiltration of portions of BIG-IP source code, documentation on vulnerabilities under remediation, and customer configuration data.
CVE-2025-55241 allowed access to any M365 enterprise tenant by impersonating any user, including Global Admin. Migrate from Azure AD Graph (deprecated) to Microsoft Graph, review service principals/OAuth, deploy PIM/JIT.
Aktive Kampagnen against Salesforce tenants targeting strategic data. Measures: vishing/social engineering training, phishing-resistant MFA, least-privilege principle, monitoring of API and third-party connected apps.
18 popular NPM packages compromised (chalk, debug, ansi-styles, color-convert, supports-color, etc.). Verify internal dependencies, build/deployment logs, block suspicious releases. Update to safe versions.
Fraud attempt against a europäischer Einzelhandel bank branch over a weekend in August 2025: physical component (sealed doors to delay staff entry) + KVM-over-IP installation for remote control of a branch workstation. All fraudulent transfers blocked.
Malicious campaign distributing a backdoor via fake PDF editor download sites. C2 domains (5b7crp[.]com, 9mdp5f[.]com) added to the Fortgale Intelligence Feed. Verifications on monitored systems in progress.
Active ClickFix campaigns trick users into running malicious PowerShell commands disguised as anti-bot verification. IoCs: 45.221.64[.]224, pub-dce4815fde8f4b84a55fe31ab7cf28c3[.]r2[.]dev. Already in the Fortgale Intelligence Feed.
After the partial dismantling of the group, other threat actors are adopting similar TTPs. Hardening: separate hypervisor admin (vCenter/ESXi) from AD, multi-channel MFA for password reset, monitor AnyDesk/Teleport, centralise vSphere logs to SIEM.
Emails simulating Microsoft communications themed 'salary amendment' or 'pending payments' targeting top-level executives. Redirect to fake Microsoft login pages built with the RaccoonO365 kit — steals credentials and session cookies, bypasses MFA.
Spear phishing aimed at CFOs and finance executives at europäische Unternehmen (banking/insurance/energy). Threat actors use advanced social engineering, impersonating prestigious consulting firms with exclusive executive job offers.
Campaign distributing Lumma Stealer through fraudulent domains that mimic legitimate software download pages. Variations in names (e.g. 'v2-' prefixes). Block list of SEO Poisoning domains + C2 in the Fortgale report.
Increased mass scanning activity against PAN-OS GlobalProtect. Restrict access via external VPN/IP whitelisting, consider ZTNA so as not to expose critical portals to the internet, periodic audit of the exposed surface.
Sophisticated campaign attributed to the Chinese 'Weaver Ant' group using the China Chopper web shell. Restrict service-account privileges, ACL web→internal traffic, deploy EDR/XDR for web shell detection, harden WAF rules for anomalous HTTP requests.
Vulnerability in Apache Tomcat actively exploited during March 2025. Immediate patching required on all internet-facing Tomcat installations, monitor anomalous requests via WAF.
RaaS active since 2021, over 300 organisations hit (healthcare, education, legal, manufacturing). Double extortion, phishing + vulnerability exploitation, lateral movement with legitimate tools. European cases observed: maritime, manufacturing, consulting.
Brute-force-style password spraying campaign against European Office 365 tenants. Conditional Access hardening, legacy authentication blocking, account lockout pattern monitoring.
Sophisticated attacks by Russian groups (Storm-2372, CozyLarch/APT29) against governments, NGOs and enterprises. The 'Device Code Authentication phishing' technique deceives victims by abusing legitimate authentication flows — hard to detect.
Geopolitical landscape and overlapping tensions have significantly shaped cyberspace. Threat actors leverage cyber operations for strategic objectives thanks to territorial neutrality, attribution ambiguity and concealment capabilities.
Data on more than 15,000 FortiGate devices (configurations, IPs, VPN credentials, private keys, firewall rules) from October 2022 published on the dark web — exploiting CVE-2022-40684. Many European infrastructures affected. Attribution: 'Belsen' group.
Phishing against Chrome Web Store developers compromised at least 35 extensions (~2.6M users). Malicious OAuth chain via fake 'Privacy Policy Extension', MFA bypass. Malicious code (worker.js, content.js) for theft of Facebook Business accounts.
Sophisticated PhaaS platform designed to bypass 2FA. Customisable Outlook templates, automation, modular infrastructure with redirect/obfuscation. Dynamic subdomains, AES + Base64 to hide payload. Fortgale published a threat hunting signature.
LummApp variant abusing OBS Studio for infostealing activity. Masking techniques to evade detection. IoCs in the Fortgale feeds.
Massive malvertising campaign via fake CAPTCHA pages: 1M ad impressions/day from 3,000+ publisher sites. Abuses Monetag (PropellerAds) and BeMob for cloaking. Tricks users into running PowerShell under the pretext of anti-bot verification.
Chinese cyberespionage against europäische Unternehmen (June-July 2024) exploiting SQL injection for initial access, PHPsert webshell for persistence, abuse of Visual Studio Code Remote Tunnel + Microsoft-signed binaries + Azure for C2.
Windows logic flaw: native applications run before full OS initialisation, allowing removal of any EDR/Antivirus and bypassing anti-tampering (T1562.001). Fortgale published specific Threat Hunting rules.
WARMCOOKIE backdoor expanding, IoCs monitored via Shodan (specific header hash, html hash). Active Fortgale tracking, indicators added to feeds.
FortiGate compromise campaign reported by European national CERTs. COATHANGER malware establishes persistence via BusyBox reverse shell, surviving reboot and firmware update. Exploits CVE-2022-42475. Attribution: Chinese threat actors.
Resurgence of AgentTesla with functional loader, advanced AES encryption and memory-only execution. Email subject pattern: 'Vietnam Da Nang Buy Order &C248SH12'. IoCs in the Fortgale Intelligence Feed.
Lumma Stealer expands its infrastructure with new domains (.shop TLD) for exfiltration. Domain pattern: 'lum' prefix + random string. All sharing the same Russian title (Esenin poem). Fortgale tracks dozens of these domains.
On 28 Nov 2024 the 'Argonauts' ransomware group announced the compromise of ZACROS (formerly Fujimori Kogyo, JP). 140GB+ of sensitive data exfiltrated (users, passwords, business records, production data, financial). Active sale of the data.
Campaign identified late October 2024 against telco and finance. Google Docs for phishing-link delivery → fake login pages on Weebly. Sentry.io and Datadog for metrics. AT&T-themed lures, US/CA banking. Fake MFA prompt.
Mysterious Elephant (APT-K-47) uses CHM files to run Asyncshell payload (v4). Base64 variant for string hiding, disguised C2, reduced logging. Targeting: Pakistan, Bangladesh, Turkey with gov/religious decoys.
JinxLoader (Go-based, distributed via phishing) evolved into Astolfo Loader (C++, improved performance, smaller file size). MaaS, anti-analysis and geolocation check before C2. Distributed on Hack Forums.
Russian threat actor TAG-110 extends its cyber activity against European targets. Active Fortgale tracking.
On 20 Nov 2024 IncRansom announced the compromise of PBS Aerospace (Atlanta, USA — UAV/drone turbines, EASA-certified). 2TB exfiltration declared, including CAD files and internal documents. The INC Ransom group has been active since Aug 2023, ~200 victims.
Campaign identified by European CERTs leveraging GitHub Pages to host fake login pages (WeTransfer, cPanel). Stolen credentials sent via Telegram API to attacker-controlled bot. Visual spoofing + abuse of legitimate domain.
Chinese threat actor BrazenBamboo exploits a zero-day in FortiClient Windows VPN via DEEPDATA to extract VPN credentials from process memory. Multi-platform: WeChat/Skype/Telegram/Signal, browser data, Outlook contacts.
.NET infostealer that bypasses Chrome App-Bound Encryption via IElevator. Targets: browsers, crypto wallets, 2FA authenticators, password managers, email clients. Distribution: phishing with HTML 'ClickFix'. C2: master.hdsjfkgsadoghdsiougds[.]space, master.volt-texs[.]online.
Threat actors use fake Google Meet pages in the ClickFix campaign. Win → StealC + Rhadamanthys. Mac → Atomic stealer. Expansion to impersonate Facebook, Chrome, reCAPTCHA. Groups: Slavic Nation Empire, Scamquerteo. Thousands of domains tracked by Fortgale.
PAN-SA-2024-0015: unauthenticated RCE vulnerability in management interfaces of Palo Alto NGFWs exposed to the internet (CVSS 4.0: 9.3). Already exploited in real-world attacks. Does not affect Prisma Access/Cloud NGFW. Isolate the interface from the internet.
Chinese SilkSpecter phishing against Black Friday 2024 e-commerce shoppers (US/EU). Stripe API abuse for real transactions with CHD/SAD exfiltration. Dynamic localisation via Google Translate. 4,000+ domains, 89 IPs. Chinese oemapps SaaS.
Russian threat actor UAC-0194 exploits an NTLM zero-day (CVSS 6.5) for Net-NTLMv2 hash theft with minimal interaction (right-click, drag). Phishing emails from compromised Ukrainian gov → ZIP with malicious .url → Spark RAT (open source, persistence). Microsoft patch available.
TA455/Charming Kitten (APT35) launches 'Dream Job' against aerospace and defence sectors with SnailResin malware via LinkedIn message + spear-phishing email. Lure: fake job offers to gain access, exfiltrate data and remote control.
Phishing against European DocuSign users: emails with HTML attachment that opens a fake login page. JavaScript intercepts credentials and forwards them via Telegram bot API. Pattern is simple but effective and bypasses many email filters.
Operation (Russian origin, Aug 2024+) using Teams, SharePoint, Quick Assist and OneDrive as C2. Non-obfuscated Java .jar bypasses EDR and VirusTotal. Microsoft Graph API to manage ODC2 via files on OneDrive named after device UUIDs. US kritische Infrastruktur.
New Android banking trojan (Oct 2024) targeting Southern Europe heavily (>50% Italy, plus Portugal, Spain) and LATAM. RAT abusing Android Accessibility for ODF, intercepts OTPs, bypasses PSD2 2FA. C2: dksu.top, mixcom.one, freebasic.cn. Chinese threat actors.
Fortgale analysis on 12,000 tracked Cobalt Strike configurations, 52,000+ indicators. 126 unique IPs associated with BlackBasta. Resurgence late September/early October. europäische Organisationen affected (manufacturing, finance). Eastern European nexus.
Alexander 'Connor' Moucka arrested in Canada (30 Oct 2024) for the Snowflake breach. UNC5537 hit 165+ orgs via credential reuse from infostealers (credentials dating back to 2020). Victims: AT&T, Santander, Ticketmaster. Extortion + sale on forums.
Critical vulnerability in Fortinet's FortiManager product actively exploited. Immediate patching required on all FortiManager installations.
On 23 Oct 2024 BlackSuit announced the compromise of Aerotecnic (Seville, ES — aerospace, supplier to Airbus/Boeing/Aciturri/Aernnova/Embraer). 800GB+ exfiltration declared (users, business records, employees, production data, financial).
Critical unauthenticated RCE in Veeam VBR (build ≤12.1.2.172). Exploited via /trigger on port 8000 to create a rogue admin and deploy Fog/Akira ransomware. Allows full access to the backup environment. Patched September 2024.
CISA adds it to KEV. Vulnerability in Fortinet (FortiOS, FortiPAM, FortiProxy, FortiWeb) allows unauthenticated RCE via specially crafted requests. Immediate patching required.
On 10 Oct 2024 a threat actor put on sale on a darkweb forum a database with 450,000 records of clients of an unnamed European bank: names, emails, phone numbers, addresses, investment amounts. Risk of targeted phishing, fraud, identity theft.
September 2024: targeted campaign against shipping/maritime logistics. Threat actors use compromised email accounts of legitimate shipping companies to inject malicious content into ongoing email threads. Hard to detect.
Iranian cyberespionage campaign (Charming Kitten) against the European aerospace sector via WhatsApp + targeted emails with fake job offers (Dream Job pattern).
New phishing infrastructure targeting europäischer Finanzsektor and insurance organisations via the Supercar Phishing Kit for Microsoft 365. Original Fortgale report: blog.fortgale.com.
Intelligence advisory for European aerospace and satellite companies on the mitigation of new targeted cyber threats.
Following the CrowdStrike BSOD incident, a significant rise in newly registered domains containing the term 'CrowdStrike'. Phishing/impersonation risks. Recommended block list to prevent brand abuse.
New zero-click RCE vulnerability in Microsoft Outlook. Exploitable without user interaction. Severe risk: data breach, unauthorised access — particularly critical for emails from trusted senders.
Keine Reports in dieser Kategorie.
Reports enthalten operative IoCs, Exploitation-Details und – sofern relevant – Verweise auf betroffene Kunden oder laufendes Threat Hunting. Wir teilen sie mit IT- & Security-Profis unter gegenseitigem NDA, mit Antwort innerhalb von 1 Werktag. Kein Funnel, keine Paywall.
Um jeden Report in Echtzeit (innerhalb von 30-60 Minuten nach interner Veröffentlichung) direkt in Ihr SIEM/SOAR zu erhalten, sprechen Sie mit uns über den Intelligence Feed.
Reports, IoCs und Threat-Hunting-Queries werden in Ihr SOC geliefert, sobald ein neuer Gegner beobachtet wird. Setup in 14 Tagen · gegenseitiges NDA.
Keine Nurturing-Sequenzen, keine Auto-Replies. Einer unserer Analysten ruft Sie innerhalb eines Werktags zurück.
Der vollständige Report (Executive Summary · operative IoCs · technisches Runbook) ist vertraulich. Senden Sie uns zwei Angaben und einer unserer Analysten kontaktiert Sie mit Zugang und einem kurzen technischen Briefing.
Reaktion in 30 Minuten, Eindämmung in 1–4 Stunden. Auch wenn Sie kein Fortgale-Kunde sind.
