Cyber Security Weekly Briefing, 6 March
Internal tools for cloning and manipulating malicious packages in NuGet exposed
An investigation by ReversingLabs explains how threat actors industrialise the creation, publication and artificial popularisation of malicious packages in NuGet after discovering two packages (8y234rtv8yvf and 3rugfbe8rivferiuv) that contained the internal tools used in previous campaigns.
These packages, accidentally published by the threat actors, included a complete chain of three components: a cloner capable of automatically replicating metadata from legitimate packages; a poster that generated and published cloned packages (including "future" versions to appear to be actively maintained); and a botter, a multi-threaded script designed to artificially inflate download counters by rotating IPs, proxies, and user agents. This finding definitively confirms practices that until now had only been suspected: systematic typosquatting campaigns, reputation manipulation, and mass preparation of seemingly legitimate packages as a prelude to introducing malicious payloads.
Furthermore, the methods coincide with recent campaigns that mimic popular packages, including financial targets such as Nethereum and Stripe.net, demonstrating that this is a scalable, automated operating model aimed at abusing the trust of developers in the NuGet ecosystem.
CyberStrikeAI: offensive platform with links to China's MSS used against FortiGate
Team Cymru has analysed the use of CyberStrikeAI, an AI-based offensive security tool developed in Go, in reconnaissance and exploitation activities against Fortinet FortiGate devices. The IP address 212.11.64[.]250 was used in the infrastructure associated with the attack, where an active CyberStrikeAI banner and communications targeting Fortinet FortiGate devices were observed.
The adoption of CyberStrikeAI has increased since 8 November, with 21 unique IP addresses running it between 20 January and 26 February 2026, mainly in China, Singapore and Hong Kong. The developer of CyberStrikeAI, Ed1s0nZ, maintains other projects aimed at exploitation and privilege escalation, such as PrivHunterAI and InfiltrateX, and has shown interactions with entities linked to China's Ministry of State Security, including Knownsec and the CNNVD programme managed by CNITSEC. The subsequent removal of references to CNNVD from his profile suggests an attempt to hide these connections.
Aeternum: botnet that uses the Polygon blockchain as C2 infrastructure
Researchers at Qrator Labs have identified Aeternum, a C2 infrastructure that uses the Polygon blockchain to host commands in a decentralised manner. The campaign uses a C++ loader to deploy various malicious payloads (such as information stealers, miners and RATs) and allows individual bots to be controlled via their Hardware ID. Its persistent design makes it difficult to disrupt and reinforces the need to improve endpoint detection and monitoring of traffic to blockchain networks.
To evade detection, Aeternum incorporates anti-analysis mechanisms that prevent its execution in virtualised or sandboxed environments, and also integrates a real-time antivirus scanner via the Kleenscan API to verify the status of systems. No quantitative impact on specific victims or sectors has been detailed.
Abuse of legitimate OAuth flows in campaigns to deploy malware
Microsoft has issued an alert about phishing campaigns that exploit the native redirection functionality of OAuth flows to evade perimeter defences. The attack vector uses malicious applications in environments controlled by the attacker, configured with manipulated parameters, such as the state parameter for data persistence, which redirect victims to command and control infrastructures after an induced authentication error.
This technique facilitates the distribution of ZIP files with LNK files that initiate PowerShell execution and DLL side-loading techniques using legitimate binaries such as steam_monitor.exe. The final payload, which is memory-resident, enables host reconnaissance and post-exploitation activities aimed at deploying ransomware. In addition to malware deployment, the use of AitM frameworks such as EvilProxy has been detected for session cookie interception and MFA bypass.
It is recommended to restrict application consent and periodically audit third-party application permissions to mitigate this identity risk.
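As an added defender-side example (not part of the original briefing or of Microsoft's alert), the following Microsoft Graph PowerShell script implements the recommended audit: it lists delegated OAuth2 permission grants in a Microsoft Entra tenant and reports third-party applications holding sensitive scopes as well as any tenant-wide (admin) consent. The list of sensitive scopes is an assumption to be adjusted to local policy.

```powershell
# Added example (not from the briefing): audit delegated OAuth2 permission grants in
# Microsoft Entra ID with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph
# module is installed and the signed-in account may read applications and the directory.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$tenantId = (Get-MgContext).TenantId

# Scopes that expose mail or files, or keep a refresh token alive after a password change.
# Illustrative list (an assumption): extend it to match the organisation's policy.
$sensitiveScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All',
                     'Files.ReadWrite.All', 'Directory.ReadWrite.All', 'offline_access')

# Cache service principal lookups so each client app is fetched only once.
$spCache = @{}
function Get-CachedServicePrincipal([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
    }
    return $spCache[$Id]
}

$findings = foreach ($grant in (Get-MgOauth2PermissionGrant -All)) {
    $sp = Get-CachedServicePrincipal $grant.ClientId
    if (-not $sp) { continue }

    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $sensitiveScopes -contains $_ }
    # An app owned by another tenant (including Microsoft's own) is treated as third-party.
    $isThirdParty = $sp.AppOwnerOrganizationId -and ($sp.AppOwnerOrganizationId -ne $tenantId)
    $isTenantWide = $grant.ConsentType -eq 'AllPrincipals'   # admin consent for all users

    # Report third-party apps that hold sensitive scopes, and every tenant-wide grant.
    if (($isThirdParty -and $hits) -or $isTenantWide) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            Publisher   = $sp.VerifiedPublisher.DisplayName
            ThirdParty  = [bool]$isThirdParty
            ConsentType = $grant.ConsentType
            Principal   = if ($isTenantWide) { '(all users)' } else { $grant.PrincipalId }
            Sensitive   = ($hits -join ', ')
        }
    }
}

$findings | Sort-Object -Property ThirdParty, ConsentType -Descending | Format-Table -AutoSize
```

Review the output against the tenant's consent policy and revoke grants (and active sessions) for applications that cannot be justified.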
Europol dismantles Tycoon2FA, PhaaS responsible for compromising more than 500,000 organisations
An international operation coordinated by Europol has dismantled Tycoon2FA, a phishing-as-a-service platform active since August 2023 and responsible for tens of millions of phishing emails per month. A total of 330 domains linked to control panels and phishing pages were seized in an operation carried out by authorities in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom. Tycoon2FA enabled adversary-in-the-middle attacks using reverse proxies, intercepting credentials and session cookies in real time to bypass MFA on Microsoft and Google services.
By mid-2025, it was generating tens of millions of emails per month, reaching more than 500,000 organisations, and accounted for 60% of phishing attempts blocked by Microsoft. The platform facilitated the spoofing of Microsoft 365, OneDrive, Outlook, SharePoint and Gmail home pages, allowing persistence even after password changes if active sessions were not revoked.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.