Technical advisories produced by our European Cyber Threat Intelligence team: newly disclosed vulnerabilities, attack campaigns observed against European organisations, breaches with supply-chain impact. Every Report contains an executive summary, indicators of compromise (IoCs) and operational runbooks for IT & Security — no aggregations of public sources, intelligence built on direct observation.
Compromise involving malicious VS Code extensions. GitHub has not yet released IoCs nor publicly identified the affected extensions. We recommend a complete inventory of all VS Code extensions on corporate devices and adopting the native enterprise control extensions.allowed (VS Code 1.96+) to authorise only approved publishers and extensions. Fortgale telemetry under analysis.
Attack dubbed Mini Shai-Hulud targeting the @antv npm package ecosystem and related libraries (e.g. echarts-for-react). A maintainer account was compromised and malicious versions published with a credential-theft payload: GitHub tokens, AWS credentials, SSH keys, kubeconfig files and SaaS tokens, exfiltrated to t.m-kosche[.]com. 639 versions across 323 packages involved. IoCs added to the Fortgale Intelligence Feed.
SEO Poisoning campaign abusing AI-built websites that advertise alleged AI-based utility tools. The downloaded executables compromise the device with malware. Example malicious domain: kitchen-canvas[.]com. Recommended caution on downloads from unverified sources and blocking of the flagged domains.
Zero-day (CVE-2026-0300) under active exploitation in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. It lets an unauthenticated attacker execute code (RCE) with root privileges by sending specially crafted network packets. Only PA-Series and VM-Series firewalls with the Captive Portal configured and exposed to the Internet/untrusted networks are affected; Prisma Access, Cloud NGFW and Panorama are not impacted. Apply patched versions immediately and restrict ACLs on management interfaces. IoCs in the Fortgale feeds.
Active campaign across European organisations exploiting forced authentication via legacy protocols. Emails relay the Net-NTLMv2 hash to threat actor infrastructure with no user interaction required — automatic email client preview is enough.
PackageKit (versions 1.0.2-1.3.4) contains a vulnerability that lets an unprivileged local user install or remove packages without authorisation, gaining full root access. Update to 1.3.5 or apply distro patches.
Open-source vulnerability scanning tool for cloud, containers and CI/CD compromised via GitHub Actions. Guidance on SHA pinning, credential rotation, outbound connection monitoring. IoCs included.
Failed access attempts identified against Fortinet management interfaces directly exposed on the internet. No unauthorised access detected, but the attack surface is high. Recommended isolation via VPN/private network.
Chinese threat actors exploited Notepad++ infrastructure for targeted attacks between May-Dec 2025. Update to 8.9.1+, monitor %AppData%\Bluetooth, review WinGUp.exe logs. Fortgale telemetry: no customers compromised.
CVSS 7.8, already in active exploitation. Insufficient input validation in security decisions lets an unauthenticated attacker bypass local features. Office 2016/2019/LTSC 2021/2024 and 365 Apps for Enterprise.
Malicious package via typosquatting (~85M downloads/month for the legitimate one). 4 versions published Jan 2026 contain code inside polynomial routines that drops in-memory XMRig payload via memfd_create. >1000 downloads in 1 day.
Tables published that drastically lower the bar for attacking the protocol. Credential recovery from hash with consumer hardware around 600 USD. Disable everywhere, set 'NTLMv2 only' via Group Policy, monitor Event ID 4624.
Resource Owner Password Credential flow lets username+password be exchanged directly for an access token, bypassing MFA and Conditional Access. Dangerous for Microsoft Graph/EWS/SharePoint API. Disable via CA policy.
Authentication coercion techniques exploited in enterprise environments where legacy protocols remain active. Active Directory hardening recommendations and authentication telemetry.
Operational Cyber Security and IT guide for disabling Net-NTLMv1 in Active Directory. Lower technical barrier following Mandiant rainbow tables release. Enforcement measures + Event ID 4624 monitoring.
Several campaigns exploit Chrome/Edge/Firefox/Opera extensions to access victim systems and data. Audit installed extensions, centralised allow-lists via GPO/MDM, separate business and personal browsers.
Active reconnaissance campaigns against European M365 tenants using password spraying techniques. Tenant hardening, legacy authentication blocking, Conditional Access bypass monitoring.
CVE-2025-55182, CVSS 10.0, named 'React2Shell'. Allows arbitrary remote code execution on the server. Affects React apps with RSC/Next.js Server Functions ('use server' directive). Immediate patching required.
Threat actors mine data inadvertently shared on jsonformatter.org, codebeautify.org, etc. — credentials, AWS keys, source code. Compromises observed within hours of publication. Recommend corporate proxy block.
F5 Networks announced (15 Oct 2025) unauthorised access by a nation-state actor with exfiltration of portions of BIG-IP source code, documentation on vulnerabilities under remediation, and customer configuration data.
CVE-2025-55241 allowed access to any M365 enterprise tenant by impersonating any user, including Global Admin. Migrate from Azure AD Graph (deprecated) to Microsoft Graph, review service principals/OAuth, deploy PIM/JIT.
Active campaigns against Salesforce tenants targeting strategic data. Measures: vishing/social engineering training, phishing-resistant MFA, least-privilege principle, monitoring of API and third-party connected apps.
18 popular NPM packages compromised (chalk, debug, ansi-styles, color-convert, supports-color, etc.). Verify internal dependencies, build/deployment logs, block suspicious releases. Update to safe versions.
Fraud attempt against a European retail bank branch over a weekend in August 2025: physical component (sealed doors to delay staff entry) + KVM-over-IP installation for remote control of a branch workstation. All fraudulent transfers blocked.
Malicious campaign distributing a backdoor via fake PDF editor download sites. C2 domains (5b7crp[.]com, 9mdp5f[.]com) added to the Fortgale Intelligence Feed. Verifications on monitored systems in progress.
Active ClickFix campaigns trick users into running malicious PowerShell commands disguised as anti-bot verification. IoCs: 45.221.64[.]224, pub-dce4815fde8f4b84a55fe31ab7cf28c3[.]r2[.]dev. Already in the Fortgale Intelligence Feed.
After the partial dismantling of the group, other threat actors are adopting similar TTPs. Hardening: separate hypervisor admin (vCenter/ESXi) from AD, multi-channel MFA for password reset, monitor AnyDesk/Teleport, centralise vSphere logs to SIEM.
Emails simulating Microsoft communications themed 'salary amendment' or 'pending payments' targeting top-level executives. Redirect to fake Microsoft login pages built with the RaccoonO365 kit — steals credentials and session cookies, bypasses MFA.
Spear phishing aimed at CFOs and finance executives at European companies (banking/insurance/energy). Threat actors use advanced social engineering, impersonating prestigious consulting firms with exclusive executive job offers.
Campaign distributing Lumma Stealer through fraudulent domains that mimic legitimate software download pages. Variations in names (e.g. 'v2-' prefixes). Block list of SEO Poisoning domains + C2 in the Fortgale report.
Increased mass scanning activity against PAN-OS GlobalProtect. Restrict access via external VPN/IP whitelisting, consider ZTNA so as not to expose critical portals to the internet, periodic audit of the exposed surface.
Sophisticated campaign attributed to the Chinese 'Weaver Ant' group using the China Chopper web shell. Restrict service-account privileges, ACL web→internal traffic, deploy EDR/XDR for web shell detection, harden WAF rules for anomalous HTTP requests.
Vulnerability in Apache Tomcat actively exploited during March 2025. Immediate patching required on all internet-facing Tomcat installations, monitor anomalous requests via WAF.
RaaS active since 2021, over 300 organisations hit (healthcare, education, legal, manufacturing). Double extortion, phishing + vulnerability exploitation, lateral movement with legitimate tools. European cases observed: maritime, manufacturing, consulting.
Brute-force-style password spraying campaign against European Office 365 tenants. Conditional Access hardening, legacy authentication blocking, account lockout pattern monitoring.
Sophisticated attacks by Russian groups (Storm-2372, CozyLarch/APT29) against governments, NGOs and enterprises. The 'Device Code Authentication phishing' technique deceives victims by abusing legitimate authentication flows — hard to detect.
Geopolitical landscape and overlapping tensions have significantly shaped cyberspace. Threat actors leverage cyber operations for strategic objectives thanks to territorial neutrality, attribution ambiguity and concealment capabilities.
Data on more than 15,000 FortiGate devices (configurations, IPs, VPN credentials, private keys, firewall rules) from October 2022 published on the dark web — exploiting CVE-2022-40684. Many European infrastructures affected. Attribution: 'Belsen' group.
Phishing against Chrome Web Store developers compromised at least 35 extensions (~2.6M users). Malicious OAuth chain via fake 'Privacy Policy Extension', MFA bypass. Malicious code (worker.js, content.js) for theft of Facebook Business accounts.
Sophisticated PhaaS platform designed to bypass 2FA. Customisable Outlook templates, automation, modular infrastructure with redirect/obfuscation. Dynamic subdomains, AES + Base64 to hide payload. Fortgale published a threat hunting signature.
LummApp variant abusing OBS Studio for infostealing activity. Masking techniques to evade detection. IoCs in the Fortgale feeds.
Massive malvertising campaign via fake CAPTCHA pages: 1M ad impressions/day from 3,000+ publisher sites. Abuses Monetag (PropellerAds) and BeMob for cloaking. Tricks users into running PowerShell under the pretext of anti-bot verification.
Chinese cyberespionage against European companies (June-July 2024) exploiting SQL injection for initial access, PHPsert webshell for persistence, abuse of Visual Studio Code Remote Tunnel + Microsoft-signed binaries + Azure for C2.
Windows logic flaw: native applications run before full OS initialisation, allowing removal of any EDR/Antivirus and bypassing anti-tampering (T1562.001). Fortgale published specific Threat Hunting rules.
WARMCOOKIE backdoor expanding, IoCs monitored via Shodan (specific header hash, html hash). Active Fortgale tracking, indicators added to feeds.
FortiGate compromise campaign reported by European national CERTs. COATHANGER malware establishes persistence via BusyBox reverse shell, surviving reboot and firmware update. Exploits CVE-2022-42475. Attribution: Chinese threat actors.
Resurgence of AgentTesla with functional loader, advanced AES encryption and memory-only execution. Email subject pattern: 'Vietnam Da Nang Buy Order &C248SH12'. IoCs in the Fortgale Intelligence Feed.
Lumma Stealer expands its infrastructure with new domains (.shop TLD) for exfiltration. Domain pattern: 'lum' prefix + random string. All sharing the same Russian title (Esenin poem). Fortgale tracks dozens of these domains.
On 28 Nov 2024 the 'Argonauts' ransomware group announced the compromise of ZACROS (formerly Fujimori Kogyo, JP). 140GB+ of sensitive data exfiltrated (users, passwords, business records, production data, financial). Active sale of the data.
Campaign identified late October 2024 against telco and finance. Google Docs for phishing-link delivery → fake login pages on Weebly. Sentry.io and Datadog for metrics. AT&T-themed lures, US/CA banking. Fake MFA prompt.
Mysterious Elephant (APT-K-47) uses CHM files to run Asyncshell payload (v4). Base64 variant for string hiding, disguised C2, reduced logging. Targeting: Pakistan, Bangladesh, Turkey with gov/religious decoys.
JinxLoader (Go-based, distributed via phishing) evolved into Astolfo Loader (C++, improved performance, smaller file size). MaaS, anti-analysis and geolocation check before C2. Distributed on Hack Forums.
Russian threat actor TAG-110 extends its cyber activity against European targets. Active Fortgale tracking.
On 20 Nov 2024 IncRansom announced the compromise of PBS Aerospace (Atlanta, USA — UAV/drone turbines, EASA-certified). 2TB exfiltration declared, including CAD files and internal documents. The INC Ransom group has been active since Aug 2023, ~200 victims.
Campaign identified by European CERTs leveraging GitHub Pages to host fake login pages (WeTransfer, cPanel). Stolen credentials sent via Telegram API to attacker-controlled bot. Visual spoofing + abuse of legitimate domain.
Chinese threat actor BrazenBamboo exploits a zero-day in FortiClient Windows VPN via DEEPDATA to extract VPN credentials from process memory. Multi-platform: WeChat/Skype/Telegram/Signal, browser data, Outlook contacts.
.NET infostealer that bypasses Chrome App-Bound Encryption via IElevator. Targets: browsers, crypto wallets, 2FA authenticators, password managers, email clients. Distribution: phishing with HTML 'ClickFix'. C2: master.hdsjfkgsadoghdsiougds[.]space, master.volt-texs[.]online.
Threat actors use fake Google Meet pages in the ClickFix campaign. Win → StealC + Rhadamanthys. Mac → Atomic stealer. Expansion to impersonate Facebook, Chrome, reCAPTCHA. Groups: Slavic Nation Empire, Scamquerteo. Thousands of domains tracked by Fortgale.
PAN-SA-2024-0015: unauthenticated RCE vulnerability in management interfaces of Palo Alto NGFWs exposed to the internet (CVSS 4.0: 9.3). Already exploited in real-world attacks. Does not affect Prisma Access/Cloud NGFW. Isolate the interface from the internet.
Chinese SilkSpecter phishing against Black Friday 2024 e-commerce shoppers (US/EU). Stripe API abuse for real transactions with CHD/SAD exfiltration. Dynamic localisation via Google Translate. 4,000+ domains, 89 IPs. Chinese oemapps SaaS.
Russian threat actor UAC-0194 exploits an NTLM zero-day (CVSS 6.5) for Net-NTLMv2 hash theft with minimal interaction (right-click, drag). Phishing emails from compromised Ukrainian gov → ZIP with malicious .url → Spark RAT (open source, persistence). Microsoft patch available.
TA455/Charming Kitten (APT35) launches 'Dream Job' against aerospace and defence sectors with SnailResin malware via LinkedIn message + spear-phishing email. Lure: fake job offers to gain access, exfiltrate data and remote control.
Phishing against European DocuSign users: emails with HTML attachment that opens a fake login page. JavaScript intercepts credentials and forwards them via Telegram bot API. Pattern is simple but effective and bypasses many email filters.
Operation (Russian origin, Aug 2024+) using Teams, SharePoint, Quick Assist and OneDrive as C2. Non-obfuscated Java .jar bypasses EDR and VirusTotal. Microsoft Graph API to manage ODC2 via files on OneDrive named after device UUIDs. US critical infrastructure.
New Android banking trojan (Oct 2024) targeting Southern Europe heavily (>50% Italy, plus Portugal, Spain) and LATAM. RAT abusing Android Accessibility for ODF, intercepts OTPs, bypasses PSD2 2FA. C2: dksu.top, mixcom.one, freebasic.cn. Chinese threat actors.
Fortgale analysis on 12,000 tracked Cobalt Strike configurations, 52,000+ indicators. 126 unique IPs associated with BlackBasta. Resurgence late September/early October. European organisations affected (manufacturing, finance). Eastern European nexus.
Alexander 'Connor' Moucka arrested in Canada (30 Oct 2024) for the Snowflake breach. UNC5537 hit 165+ orgs via credential reuse from infostealers (credentials dating back to 2020). Victims: AT&T, Santander, Ticketmaster. Extortion + sale on forums.
Critical vulnerability in Fortinet's FortiManager product actively exploited. Immediate patching required on all FortiManager installations.
On 23 Oct 2024 BlackSuit announced the compromise of Aerotecnic (Seville, ES — aerospace, supplier to Airbus/Boeing/Aciturri/Aernnova/Embraer). 800GB+ exfiltration declared (users, business records, employees, production data, financial).
Critical unauthenticated RCE in Veeam VBR (build ≤12.1.2.172). Exploited via /trigger on port 8000 to create a rogue admin and deploy Fog/Akira ransomware. Allows full access to the backup environment. Patched September 2024.
CISA adds it to KEV. Vulnerability in Fortinet (FortiOS, FortiPAM, FortiProxy, FortiWeb) allows unauthenticated RCE via specially crafted requests. Immediate patching required.
On 10 Oct 2024 a threat actor put on sale on a darkweb forum a database with 450,000 records of clients of an unnamed European bank: names, emails, phone numbers, addresses, investment amounts. Risk of targeted phishing, fraud, identity theft.
September 2024: targeted campaign against shipping/maritime logistics. Threat actors use compromised email accounts of legitimate shipping companies to inject malicious content into ongoing email threads. Hard to detect.
Iranian cyberespionage campaign (Charming Kitten) against the European aerospace sector via WhatsApp + targeted emails with fake job offers (Dream Job pattern).
New phishing infrastructure targeting European finance and insurance organisations via the Supercar Phishing Kit for Microsoft 365. Original Fortgale report: blog.fortgale.com.
Intelligence advisory for European aerospace and satellite companies on the mitigation of new targeted cyber threats.
Following the CrowdStrike BSOD incident, a significant rise in newly registered domains containing the term 'CrowdStrike'. Phishing/impersonation risks. Recommended block list to prevent brand abuse.
New zero-click RCE vulnerability in Microsoft Outlook. Exploitable without user interaction. Severe risk: data breach, unauthorised access — particularly critical for emails from trusted senders.
No Reports in this category.
Reports contain operational IoCs, exploitation details and — when applicable — references to affected customers or threat hunting in progress. We share them with IT & Security professionals under mutual NDA, with a response within 1 business day. No funnel, no paywall.
To receive every Report in real time (within 30-60 minutes of internal publication) delivered straight into your SIEM/SOAR, talk to us about the Intelligence Feed.
Reports, IoCs and threat hunting queries delivered to your SOC the moment a new adversary is observed. Setup in 14 days · mutual NDA.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.
