Advisories techniques produits par notre équipe européenne Cyber Threat Intelligence : vulnérabilités nouvellement divulguées, campagnes d'attaque observées contre les organisations européennes, brèches avec impact supply-chain. Chaque Report contient un executive summary, indicators of compromise (IoC) et runbooks opérationnels pour IT & Sécurité — pas d'agrégations de sources publiques, intelligence construite sur observation directe.
Campagne active contre les organisations européennes exploitant authentification forcée via les protocoles legacy. Emails relay the Net-NTLMv2 hash to infrastructure threat actor sans interaction utilisateur requise — le simple aperçu automatique du client e-mail suffit.
PackageKit (versions 1.0.2-1.3.4) contient une vulnérabilité qui permet à un utilisateur local non privilégié d'installer ou retirer des paquets sans autorisation, obtenant un accès root complet. Mise à jour vers 1.3.5 ou application des patches de la distro.
Outil open-source de scan de vulnérabilités pour cloud, conteneurs et CI/CD compromis via GitHub Actions. Recommandations sur SHA pinning, rotation des identifiants, monitoring des connexions sortantes. IoC inclus.
Tentatives d'accès en échec identified against Fortinet management interfaces directement exposées sur Internet. Aucun accès non autorisé détecté, but la surface d'attaque est élevée. Isolation recommandée via VPN/réseau privé.
Threat actors chinois ont exploité Notepad++ infrastructure pour des attaques ciblées entre mai et déc. 2025. Mise à jour vers 8.9.1+, surveiller %AppData%\Bluetooth, revoir les logs de &. Télémétrie Fortgale : aucun client compromis.
CVSS 7.8, already in active exploitation. Insufficient input validation in security decisions lets an unauthenticated attacker bypass local features. Office 2016/2019/LTSC 2021/2024 and 365 Apps for Enterprise.
Malicious package via typosquatting (~85M downloads/month for the legitimate one). 4 versions published Jan 2026 contain code inside polynomial routines that drops in-memory XMRig payload via memfd_create. >1000 downloads in 1 day.
Tables published that drastically lower the bar for attacking the protocol. Credential recovery from hash with consumer hardware around 600 USD. Disable everywhere, set 'NTLMv2 only' via Group Policy, monitor Event ID 4624.
Resource Owner Password Credential flow lets username+password be exchanged directly for an access token, bypassing MFA and Conditional Access. Dangerous for Microsoft Graph/EWS/SharePoint API. Disable via CA policy.
Authentication coercion techniques exploited in enterprise environments where legacy protocols remain active. Active Directory hardening recommendations and authentication telemetry.
Operational Cyber Security and IT guide for disabling Net-NTLMv1 in Active Directory. Lower technical barrier following Mandiant rainbow tables release. Enforcement measures + Event ID 4624 monitoring.
Several campaigns exploit Chrome/Edge/Firefox/Opera extensions to access victim systems and data. Audit installed extensions, centralised allow-lists via GPO/MDM, separate business and personal browsers.
Active reconnaissance campaigns against European M365 tenants using password spraying techniques. Tenant hardening, legacy authentication blocking, Conditional Access bypass monitoring.
CVE-2025-55182, CVSS 10.0, named 'React2Shell'. Allows arbitrary remote code execution on the server. Affects React apps with RSC/Next.js Server Functions ('use server' directive). Immediate patching required.
Threat actors mine data inadvertently shared on jsonformatter.org, codebeautify.org, etc. — credentials, AWS keys, source code. Compromises observed within hours of publication. Recommend corporate proxy block.
F5 Networks announced (15 Oct 2025) unauthorised access by a nation-state actor with exfiltration of portions of BIG-IP source code, documentation on vulnerabilities under remediation, and customer configuration data.
CVE-2025-55241 allowed access to any M365 enterprise tenant by impersonating any user, including Global Admin. Migrate from Azure AD Graph (deprecated) to Microsoft Graph, review service principals/OAuth, deploy PIM/JIT.
Campagnes actives against Salesforce tenants targeting strategic data. Measures: vishing/social engineering training, phishing-resistant MFA, least-privilege principle, monitoring of API and third-party connected apps.
18 popular NPM packages compromised (chalk, debug, ansi-styles, color-convert, supports-color, etc.). Verify internal dependencies, build/deployment logs, block suspicious releases. Mise à jour vers safe versions.
Fraud attempt against a European retail bank branch over a weekend in August 2025: physical component (sealed doors to delay staff entry) + KVM-over-IP installation for remote control of a branch workstation. All fraudulent transfers blocked.
Malicious campaign distributing a backdoor via fake PDF editor download sites. C2 domains (5b7crp[.]com, 9mdp5f[.]com) added to the Fortgale Intelligence Feed. Verifications on monitored systems in progress.
Active ClickFix campaigns trick users into running malicious PowerShell commands disguised as anti-bot verification. IoCs: 45.221.64[.]224, pub-dce4815fde8f4b84a55fe31ab7cf28c3[.]r2[.]dev. Already in the Fortgale Intelligence Feed.
After the partial dismantling of the group, other threat actors are adopting similar TTPs. Hardening: separate hypervisor admin (vCenter/ESXi) from AD, multi-channel MFA for password reset, monitor AnyDesk/Teleport, centralise vSphere logs to SIEM.
Emails simulating Microsoft communications themed 'salary amendment' or 'pending payments' targeting top-level executives. Redirect to fake Microsoft login pages built with the RaccoonO365 kit — steals credentials and session cookies, bypasses MFA.
Spear phishing aimed at CFOs and finance executives at European companies (banking/insurance/energy). Threat actors use advanced social engineering, impersonating prestigious consulting firms with exclusive executive job offers.
Campaign distributing Lumma Stealer through fraudulent domains that mimic legitimate software download pages. Variations in names (e.g. 'v2-' prefixes). Block list of SEO Poisoning domains + C2 in the Fortgale report.
Increased mass scanning activity against PAN-OS GlobalProtect. Restrict access via external VPN/IP whitelisting, consider ZTNA so as not to expose critical portals to the internet, periodic audit of the exposed surface.
Sophisticated campaign attributed to the Chinese 'Weaver Ant' group using the China Chopper web shell. Restrict service-account privileges, ACL web→internal traffic, deploy EDR/XDR for web shell detection, harden WAF rules for anomalous HTTP requests.
Vulnérabilité dans Apache Tomcat actively exploited during March 2025. Immediate patching required on all internet-facing Tomcat installations, monitor anomalous requests via WAF.
RaaS active since 2021, over 300 organisations hit (healthcare, education, legal, manufacturing). Double extortion, phishing + vulnerability exploitation, lateral movement with legitimate tools. European cases observed: maritime, manufacturing, consulting.
Brute-force-style password spraying campaign against European Office 365 tenants. Conditional Access hardening, legacy authentication blocking, account lockout pattern monitoring.
Sophisticated attacks by Russian groups (Storm-2372, CozyLarch/APT29) against governments, NGOs and enterprises. The 'Device Code Authentication phishing' technique deceives victims by abusing legitimate authentication flows — hard to detect.
Geopolitical landscape and overlapping tensions have significantly shaped cyberspace. Threat actors leverage cyber operations for strategic objectives thanks to territorial neutrality, attribution ambiguity and concealment capabilities.
Data on more than 15,000 FortiGate devices (configurations, IPs, VPN credentials, private keys, firewall rules) from October 2022 published on the dark web — exploitant CVE-2022-40684. Many European infrastructures affected. Attribution: 'Belsen' group.
Phishing against Chrome Web Store developers compromised at least 35 extensions (~2.6M users). Malicious OAuth chain via fake 'Privacy Policy Extension', MFA bypass. Malicious code (worker.js, content.js) for theft of Facebook Business accounts.
Sophisticated PhaaS platform designed to bypass 2FA. Customisable Outlook templates, automation, modular infrastructure with redirect/obfuscation. Dynamic subdomains, AES + Base64 to hide payload. Fortgale published a threat hunting signature.
LummApp variant abusing OBS Studio for infostealing activity. Masking techniques to evade detection. IoCs in the Fortgale feeds.
Massive malvertising campaign via fake CAPTCHA pages: 1M ad impressions/day from 3,000+ publisher sites. Abuses Monetag (PropellerAds) and BeMob for cloaking. Tricks users into running PowerShell under the pretext of anti-bot verification.
Chinese cyberespionage against European companies (June-July 2024) exploitant SQL injection for initial access, PHPsert webshell for persistence, abuse of Visual Studio Code Remote Tunnel + Microsoft-signed binaries + Azure for C2.
Windows logic flaw: native applications run before full OS initialisation, allowing removal of any EDR/Antivirus and bypassing anti-tampering (T1562.001). Fortgale published specific Threat Hunting rules.
WARMCOOKIE backdoor expanding, IoCs monitored via Shodan (specific header hash, html hash). Active Fortgale tracking, indicators added to feeds.
FortiGate compromise campaign reported by European national CERTs. COATHANGER malware establishes persistence via BusyBox reverse shell, surviving reboot and firmware update. Exploits CVE-2022-42475. Attribution: Chinese threat actors.
Resurgence of AgentTesla with functional loader, advanced AES encryption and memory-only execution. Email subject pattern: 'Vietnam Da Nang Buy Order &C248SH12'. IoCs in the Fortgale Intelligence Feed.
Lumma Stealer expands its infrastructure with new domains (.shop TLD) for exfiltration. Domain pattern: 'lum' prefix + random string. All sharing the same Russian title (Esenin poem). Fortgale tracks dozens of these domains.
On 28 Nov 2024 the 'Argonauts' ransomware group announced the compromise of ZACROS (formerly Fujimori Kogyo, JP). 140GB+ of sensitive data exfiltrated (users, passwords, business records, production data, financial). Active sale of the data.
Campaign identified late October 2024 against telco and finance. Google Docs for phishing-link delivery → fake login pages on Weebly. Sentry.io and Datadog for metrics. AT&T-themed lures, US/CA banking. Fake MFA prompt.
Mysterious Elephant (APT-K-47) uses CHM files to run Asyncshell payload (v4). Base64 variant for string hiding, disguised C2, reduced logging. Targeting: Pakistan, Bangladesh, Turkey with gov/religious decoys.
JinxLoader (Go-based, distributed via phishing) evolved into Astolfo Loader (C++, improved performance, smaller file size). MaaS, anti-analysis and geolocation check before C2. Distributed on Hack Forums.
Russian threat actor TAG-110 extends its cyber activity against European targets. Active Fortgale tracking.
On 20 Nov 2024 IncRansom announced the compromise of PBS Aerospace (Atlanta, USA — UAV/drone turbines, EASA-certified). 2TB exfiltration declared, including CAD files and internal documents. The INC Ransom group has been active since Aug 2023, ~200 victims.
Campaign identified by European CERTs leveraging GitHub Pages to host fake login pages (WeTransfer, cPanel). Stolen credentials sent via Telegram API to attacker-controlled bot. Visual spoofing + abuse of legitimate domain.
Chinese threat actor BrazenBamboo exploits a zero-day in FortiClient Windows VPN via DEEPDATA to extract VPN credentials from process memory. Multi-platform: WeChat/Skype/Telegram/Signal, browser data, Outlook contacts.
.NET infostealer that bypasses Chrome App-Bound Encryption via IElevator. Targets: browsers, crypto wallets, 2FA authenticators, password managers, email clients. Distribution: phishing with HTML 'ClickFix'. C2: master.hdsjfkgsadoghdsiougds[.]space, master.volt-texs[.]online.
Threat actors use fake Google Meet pages in the ClickFix campaign. Win → StealC + Rhadamanthys. Mac → Atomic stealer. Expansion to impersonate Facebook, Chrome, reCAPTCHA. Groups: Slavic Nation Empire, Scamquerteo. Thousands of domains tracked by Fortgale.
PAN-SA-2024-0015: unauthenticated RCE vulnerability in management interfaces of Palo Alto NGFWs exposed to the internet (CVSS 4.0: 9.3). Already exploited in real-world attacks. Does not affect Prisma Access/Cloud NGFW. Isolate the interface from the internet.
Chinese SilkSpecter phishing against Black Friday 2024 e-commerce shoppers (US/EU). Stripe API abuse for real transactions with CHD/SAD exfiltration. Dynamic localisation via Google Translate. 4,000+ domains, 89 IPs. Chinese oemapps SaaS.
Russian threat actor UAC-0194 exploits an NTLM zero-day (CVSS 6.5) for Net-NTLMv2 hash theft with minimal interaction (right-click, drag). Phishing emails from compromised Ukrainian gov → ZIP with malicious .url → Spark RAT (open source, persistence). Microsoft patch available.
TA455/Charming Kitten (APT35) launches 'Dream Job' against aerospace and defence sectors with SnailResin malware via LinkedIn message + spear-phishing email. Lure: fake job offers to gain access, exfiltrate data and remote control.
Phishing against European DocuSign users: emails with HTML attachment that opens a fake login page. JavaScript intercepts credentials and forwards them via Telegram bot API. Pattern is simple but effective and bypasses many email filters.
Operation (Russian origin, Aug 2024+) using Teams, SharePoint, Quick Assist and OneDrive as C2. Non-obfuscated Java .jar bypasses EDR and VirusTotal. Microsoft Graph API to manage ODC2 via files on OneDrive named after device UUIDs. US critical infrastructure.
New Android banking trojan (Oct 2024) targeting Southern Europe heavily (>50% Italy, plus Portugal, Spain) and LATAM. RAT abusing Android Accessibility for ODF, intercepts OTPs, bypasses PSD2 2FA. C2: dksu.top, mixcom.one, freebasic.cn. Chinese threat actors.
Fortgale analysis on 12,000 tracked Cobalt Strike configurations, 52,000+ indicators. 126 unique IPs associated with BlackBasta. Resurgence late September/early October. European organisations affected (manufacturing, finance). Eastern European nexus.
Alexander 'Connor' Moucka arrested in Canada (30 Oct 2024) for the Snowflake breach. UNC5537 hit 165+ orgs via credential reuse from infostealers (credentials dating back to 2020). Victims: AT&T, Santander, Ticketmaster. Extortion + sale on forums.
Vulnérabilité critique in Fortinet's FortiManager product actively exploited. Immediate patching required on all FortiManager installations.
On 23 Oct 2024 BlackSuit announced the compromise of Aerotecnic (Seville, ES — aerospace, supplier to Airbus/Boeing/Aciturri/Aernnova/Embraer). 800GB+ exfiltration declared (users, business records, employees, production data, financial).
Critical unauthenticated RCE in Veeam VBR (build ≤12.1.2.172). Exploited via /trigger on port 8000 to create a rogue admin and deploy Fog/Akira ransomware. Allows full access to the backup environment. Patched September 2024.
CISA adds it to KEV. Vulnérabilité dans Fortinet (FortiOS, FortiPAM, FortiProxy, FortiWeb) allows unauthenticated RCE via specially crafted requests. Immediate patching required.
On 10 Oct 2024 a threat actor put on sale on a darkweb forum a database with 450,000 records of clients of an unnamed European bank: names, emails, phone numbers, addresses, investment amounts. Risk of targeted phishing, fraud, identity theft.
September 2024: targeted campaign against shipping/maritime logistics. Threat actors use compromised email accounts of legitimate shipping companies to inject malicious content into ongoing email threads. Hard to detect.
Iranian cyberespionage campaign (Charming Kitten) against the European aerospace sector via WhatsApp + targeted emails with fake job offers (Dream Job pattern).
New phishing infrastructure ciblant les européens finance and insurance organisations via the Supercar Phishing Kit for Microsoft 365. Original Fortgale report: blog.fortgale.com.
Intelligence advisory for European aerospace and satellite companies on the mitigation of new targeted cyber threats.
Following the CrowdStrike BSOD incident, a significant rise in newly registered domains containing the term 'CrowdStrike'. Phishing/impersonation risks. Recommended block list to prevent brand abuse.
New zero-click RCE vulnerability in Microsoft Outlook. Exploitable without user interaction. Severe risk: data breach, unauthorised access — particularly critical for emails from trusted senders.
Aucun Report dans cette catégorie.
Les Reports contiennent des IoC opérationnels, des détails d'exploitation et — le cas échéant — des références aux clients impactés ou au threat hunting en cours. Nous les partageons avec les professionnels IT & Sécurité sous NDA mutuel, avec une réponse sous 1 jour ouvré. Pas de funnel, pas de paywall.
Pour recevoir chaque Report en temps réel (dans les 30-60 minutes de la publication interne) livré directement dans votre SIEM/SOAR, échangez avec nous sur le Flux Intelligence.
Reports, IoC et requêtes de threat hunting livrés à votre SOC dès qu'un nouvel adversaire est observé. Setup en 14 jours · NDA mutuel.
Aucune séquence de nurturing, aucune réponse automatique. Un de nos analystes vous rappelle sous un jour ouvré.
Le Report complet (executive summary · IoC opérationnels · runbook technique) est confidentiel. Envoyez-nous deux informations et un de nos analystes vous recontacte avec l'accès et un bref briefing technique.
Réponse en 30 minutes, confinement en 1 à 4 heures. Même si vous n'êtes pas client Fortgale.
