Executive Summary
The past 24 hours have seen continued activity from nation-state threat actors and ransomware groups, with several high-severity vulnerabilities actively exploited in the wild. CISA added CVE-2026-31431 (Linux Kernel privilege escalation) to the KEV catalog on 2026-05-01, and CVE-2026-41940 (cPanel authentication bypass) remains under active exploitation. APT28 (Fancy Bear/Pawn Storm) is conducting ongoing PRISMEX-based espionage targeting Ukraine and NATO allies, leveraging CVE-2026-21509 and abusing Filen.io as a C2 channel. A newly updated PRISMEX component — SLIMAGENT — is now confirmed deployed via Signal messaging abuse. Mustang Panda has deployed an updated LOTUSLITE backdoor variant targeting India's banking sector, South Korean policy circles, and US government entities. A newly identified APT group (TGR-STA-1030 / UNC6619) has compromised government and critical infrastructure organisations in 37 countries over the past 12 months. Ransomware groups including Arkana Security, Akira, and RansomHub remain highly active, with approximately 70% of intrusions beginning with compromised VPN credentials.
Threat Level: HIGH
Vulnerability Spotlight
| CVE | Product | CVSS | Status | Required Action |
|---|---|---|---|---|
| CVE-2026-41940 | cPanel & WHM | 9.8 | KEV; exploited since ~2026-02-23 | Patch immediately; audit cPanel logs on ports 2082-2087 |
| CVE-2026-31431 | Linux Kernel | 7.8 | KEV added 2026-05-01 | Apply kernel patches; monitor kernel module loading |
| CVE-2026-32202 | Microsoft Windows | 7.5 | Actively exploited; confirmed in updated advisory | Apply Patch Tuesday fixes; monitor anomalous SMB activity |
| CVE-2026-21509 | TBD | TBD | Actively exploited by APT28 | Patch immediately; check for PRISMEX artefacts |
| CVE-2026-1731 | Bomgar RMM | TBD | Actively exploited for ransomware deployment | Patch or isolate Bomgar instances; audit remote sessions |
| CVE-2024-57726 | SimpleHelp | 9.9 | KEV | Patch; review active sessions |
| CVE-2024-1708 | ConnectWise ScreenConnect | 8.4 | KEV | Patch immediately |
| CVE-2026-5281 | Google Chrome | High | KEV | Update to 146.0.7680.178+ |
APT Campaign Activity
APT28 / Fancy Bear / Pawn Storm (Russia — GRU)
Confidence: HIGH | Targeting: Ukraine, NATO allies (Czech Republic, Poland, Romania, Slovakia, Slovenia, Turkey)
APT28 is conducting an active espionage campaign using a new modular malware suite called PRISMEX. The campaign uses spear-phishing with malicious Excel documents (VBA macro droppers) and weaponises recently patched vulnerabilities (CVE-2026-21509, CVE-2026-21513). A new component, SLIMAGENT (SlimAgent), is now confirmed: a C++ implant delivered via weaponised Signal group messages that captures screenshots and encrypts them with AES/RSA, observed in activity tracked by CERT-UA.
Malware Components:
- PrismexSheet — Malicious Excel dropper using VBA macros and steganography; establishes persistence via COM hijacking
- PrismexDrop — Native dropper; uses scheduled tasks and COM DLL hijacking for persistence
- PrismexStager — Covenant Grunt implant; abuses Filen.io cloud storage HTTPS API for C2
- SLIMAGENT (SlimAgent) — C++ implant; captures screenshots with AES/RSA encryption; delivered via Signal messaging
Key TTPs: T1546.015 COM Object Hijacking, T1102.002 Cloud Storage C2 (Filen.io), T1566.002 Signal messaging abuse, rapid CVE weaponisation (2-week window)
Mustang Panda / TA416 / Earth Preta (China — PLA/MSS linked)
Confidence: HIGH | Targeting: India (banking sector), South Korea (policy/government), US (government/policy)
An updated LOTUSLITE backdoor variant (C++ custom backdoor) is being delivered via spear-phishing emails containing ZIP archives with a legitimate executable and a sideloaded malicious DLL. The staging infrastructure used Google Drive for payload hosting.
Technical Details:
- Delivery via CHM files and ZIP archives containing sideloaded DLLs
- Malicious DLL: dnx.onecore.dll (sideloaded via a legitimate binary)
- C2 domain: editor.gleeze[.]com
- Mutex value: 1ac5e7ee1a107499
- Staging observed via a Google Drive folder named "March 30"
- Persistence: Registry run keys + kernel-mode rootkits
TGR-STA-1030 / UNC6619 (Attribution Pending — Asia-based)
Confidence: MEDIUM | Targeting: 70 government and critical infrastructure organisations across 37 countries
A newly identified advanced cyberespionage group has compromised a broad range of targets over the past 12 months using a sophisticated, multi-stage toolset. Initial access is gained via phishing and exploitation kits; after compromise the group relies on custom malware, Linux rootkits, web shells, and tunneling/proxy tools for long-term persistence and exfiltration.
BRICKSTORM Operators (China — PRC State-Sponsored)
Confidence: HIGH | Targeting: Technology and legal sectors; VMware vSphere environments
BRICKSTORM is a sophisticated backdoor targeting VMware vCenter, ESXi, and Aria Automation Orchestrator. C2 traffic is tunnelled via DNS-over-HTTPS (DoH) to evade traditional DNS monitoring. CISA, NSA, and the Canadian Cyber Centre released updated IOCs and detection signatures on 2026-02-11 (updated Malware Analysis Report including Rust-based samples). Note: IOC reuse is not observed; signature-based detection is ineffective — TTP-based hunting is required.
Ransomware Activity
| Group | Targeting | Notable TTP | Status |
|---|---|---|---|
| RansomHub | Healthcare, critical infra | Ex-ALPHV affiliates; double extortion | Highly Active |
| Arkana Security | US ISPs | Doxxing + encryption; data exposure | Active |
| Akira | Cross-sector (Windows/Linux) | ESXi targeting; data exfil | Highly Active |
| Dire Wolf | Manufacturing | Live negotiations; destructive | Active |
| Qilin | Cross-sector | Possible state links; 101+ incidents | Active |
| Gentlemen | Cross-sector | SystemBC + Mimikatz + RPC lateral movement | Active |
Primary Initial Access Vector (2026): Compromised VPN credentials (~70% of intrusions)
Secondary Vectors: Phishing, vulnerability exploitation (Bomgar CVE-2026-1731, ConnectWise CVE-2024-1708)
Post-Compromise Tooling: SystemBC (proxy/bot), Mimikatz (credential theft), Cobalt Strike, Covenant
IOC Pack
| Domain | Threat Actor | Malware | Confidence |
|---|---|---|---|
| editor.gleeze[.]com | Mustang Panda | LOTUSLITE C2 | HIGH |
| wellnessmedcare[.]org | APT28 | PRISMEX dropper | HIGH |
| wellnesscaremed[.]com | APT28 | PRISMEX dropper | HIGH |
| freefoodaid[.]com | APT28 | PRISMEX dropper | HIGH |
| longsauce[.]com | APT28 | PRISMEX dropper | HIGH |
| filen.io (C2 API) | APT28 | PrismexStager (Covenant) | MEDIUM |

| Indicator | Type | Threat Actor | Notes |
|---|---|---|---|
| dnx.onecore.dll | Filename | Mustang Panda | LOTUSLITE malicious sideloaded DLL |
| 1ac5e7ee1a107499 | Mutex | Mustang Panda | LOTUSLITE South Korea variant |
| 323.txt | Filename | Mustang Panda | Decoy document (South Korea variant) |
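
The domain indicators above are published defanged (`[.]`), and the hunting queries that follow match them as parent domains, so any automated consumer of this pack needs to refang the indicators and match at label boundaries. The script below is an added example written for this brief, not code from the brief's sources: it refangs the IOC Pack domains, matches hostnames from telemetry against them (exact host or any subdomain, never a partial label such as `notgleeze.com`), and suppresses the MEDIUM-confidence dual-use entry (`filen.io`) when a browser is the initiating process, mirroring the non-browser logic of HQ-06. The event records and process names (`constructed-host.exe`, `constructed-updater.exe`) are constructed sample data; the `host`/`process` field names are this example's own schema.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainIoc:
    domain: str       # refanged, lower-case hostname
    actor: str
    malware: str
    confidence: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as editor.gleeze[.]com or
    hxxps://host[.]tld/path into a plain, lower-case hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", "", s)
    s = s.split("/")[0]          # drop any path component
    return s.rstrip(".")


# Domains from the IOC Pack of this brief (the "(C2 API)" annotation dropped).
IOC_LIST = [
    DomainIoc(refang("editor.gleeze[.]com"), "Mustang Panda", "LOTUSLITE C2", "HIGH"),
    DomainIoc(refang("wellnessmedcare[.]org"), "APT28", "PRISMEX dropper", "HIGH"),
    DomainIoc(refang("wellnesscaremed[.]com"), "APT28", "PRISMEX dropper", "HIGH"),
    DomainIoc(refang("freefoodaid[.]com"), "APT28", "PRISMEX dropper", "HIGH"),
    DomainIoc(refang("longsauce[.]com"), "APT28", "PRISMEX dropper", "HIGH"),
    DomainIoc(refang("filen.io"), "APT28", "PrismexStager (Covenant)", "MEDIUM"),
]

# Same browser allow-list used by HQ-06 for the dual-use filen.io service.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe",
            "opera.exe", "iexplore.exe", "safari.exe"}


def match_host(host: str, iocs=IOC_LIST):
    """Return the IOC whose domain equals the host or is a parent domain of it.
    The '.' + domain suffix test enforces a label boundary, so notgleeze.com
    does not match a gleeze.com indicator."""
    h = host.strip().lower().rstrip(".")
    for ioc in iocs:
        if h == ioc.domain or h.endswith("." + ioc.domain):
            return ioc
    return None


def scan_events(events, iocs=IOC_LIST):
    """events: iterable of dicts with 'host' and 'process' keys (constructed
    schema). Returns (host, process, ioc) for every event worth an alert."""
    hits = []
    for ev in events:
        ioc = match_host(ev["host"], iocs)
        if ioc is None:
            continue
        # A MEDIUM-confidence, legitimately used service is only interesting
        # when a non-browser process talks to it (same reasoning as HQ-06).
        if ioc.confidence == "MEDIUM" and ev["process"].lower() in BROWSERS:
            continue
        hits.append((ev["host"], ev["process"], ioc))
    return hits


# Constructed sample telemetry; none of these records are real observations.
SAMPLE_EVENTS = [
    {"host": "editor.gleeze.com", "process": "constructed-host.exe"},     # LOTUSLITE C2
    {"host": "cdn.wellnessmedcare.org", "process": "excel.exe"},          # PRISMEX subdomain
    {"host": "notgleeze.com", "process": "msedge.exe"},                   # label-boundary miss
    {"host": "api.filen.io", "process": "chrome.exe"},                    # browser, suppressed
    {"host": "api.filen.io", "process": "constructed-updater.exe"},       # non-browser, flagged
    {"host": "example.com", "process": "msedge.exe"},                     # benign
]

if __name__ == "__main__":
    for host, process, ioc in scan_events(SAMPLE_EVENTS):
        print(f"{host:28} {process:26} {ioc.actor} / {ioc.malware} [{ioc.confidence}]")
```

Note that this matcher is stricter than HQ-02 and DR-01, which deliberately cast a wider net on the parent domain `gleeze.com`; widen `IOC_LIST` if that behaviour is wanted in an automated pipeline.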
KQL Hunting Queries
HQ-01: LOTUSLITE DLL Sideloading — Filename Hunt
// Hunt for Mustang Panda LOTUSLITE sideloaded DLL
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "dnx.onecore.dll"
| project TimeGenerated, DeviceName, FolderPath, SHA256, MD5,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by TimeGenerated desc
HQ-02: LOTUSLITE C2 Communication — DNS/Network
// Hunt for LOTUSLITE C2 domain gleeze[.]com
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has "gleeze.com"
or RemoteUrl has "editor.gleeze"
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by TimeGenerated desc
HQ-03: LOTUSLITE Mutex Artefact Hunt
// Hunt for LOTUSLITE mutex value in process artefacts
DeviceEvents
| where TimeGenerated > ago(24h)
| where ActionType == "CreateRemoteThreadApiCall" or ActionType == "ProcessCreated"
| where AdditionalFields has "1ac5e7ee1a107499"
| project TimeGenerated, DeviceName, ActionType, FileName, ProcessCommandLine, AdditionalFields
HQ-04: APT28 PRISMEX — Known Malicious Infrastructure
// Hunt for connections to APT28 PRISMEX delivery domains
let prismex_domains = dynamic(["wellnessmedcare.org", "wellnesscaremed.com", "freefoodaid.com", "longsauce.com"]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any (prismex_domains)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by TimeGenerated desc
HQ-05: APT28 PRISMEX — COM DLL Hijacking via Scheduled Tasks
// Hunt for COM DLL hijacking via schtasks - PRISMEX persistence mechanism
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has_any ("regsvr32", "rundll32", "/sc", "COM")
| where ProcessCommandLine has ".dll"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
HQ-06: APT28 — Filen.io C2 Abuse (Non-Browser Processes)
// Hunt for non-browser processes communicating with filen.io (PRISMEX Stager C2)
let legitimate_browsers = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "brave.exe",
"opera.exe", "iexplore.exe", "safari.exe"]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has "filen.io"
| where InitiatingProcessFileName !in~ (legitimate_browsers)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by TimeGenerated desc
HQ-07: BRICKSTORM — DNS-over-HTTPS C2 from Non-Browser Processes
// Hunt for BRICKSTORM-style DoH C2 evasion - non-browser DoH connections
let doh_providers = dynamic(["dns.google", "cloudflare-dns.com", "doh.opendns.com",
"dns.quad9.net", "8.8.8.8", "1.1.1.1", "9.9.9.9"]);
let legitimate_browsers = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "brave.exe",
"opera.exe", "iexplore.exe", "svchost.exe"]);
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort == 443
| where RemoteUrl has_any (doh_providers) or RemoteIP in ("8.8.8.8", "1.1.1.1", "9.9.9.9", "8.8.4.4")
| where InitiatingProcessFileName !in~ (legitimate_browsers)
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by TimeGenerated desc
HQ-08: Ransomware — SystemBC C2 Beaconing (Gentlemen Group)
// Hunt for SystemBC proxy C2 beaconing behaviour (Gentlemen ransomware group)
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort in (4443, 8080, 8443, 5544)
| where ActionType == "ConnectionSuccess"
| join kind=inner (
DeviceProcessEvents
| where FileName in~ ("systembc.exe")
or ProcessCommandLine has "systembc"
or ProcessCommandLine has "socks5"
) on DeviceId
| project TimeGenerated, DeviceName, RemoteIP, RemotePort,
FileName, ProcessCommandLine, AccountName
HQ-09: Credential Theft — Mimikatz TTPs
// Hunt for Mimikatz command-line artefacts (Gentlemen + RansomHub groups)
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where ProcessCommandLine has_any (
"sekurlsa::", "lsadump::", "privilege::debug",
"kerberos::", "vault::", "dpapi::", "lsass",
"token::elevate", "pass-the-hash", "pth"
)
| project TimeGenerated, DeviceName, AccountName,
FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessAccountName
| order by TimeGenerated desc
HQ-10: cPanel CVE-2026-41940 Exploitation Attempts
// Hunt for suspicious burst access to cPanel management ports
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemotePort in (2082, 2083, 2086, 2087)
| where ActionType == "ConnectionSuccess"
| summarize ConnectionCount = count(),
UniqueDestinations = dcount(RemoteIP)
by DeviceName, InitiatingProcessFileName, bin(TimeGenerated, 1h)
| where ConnectionCount > 5
| order by ConnectionCount desc
HQ-11: VPN Credential Abuse — Geographically Impossible Login
// Hunt for multi-country VPN logins (credential stuffing / initial access)
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| where AppDisplayName has_any ("VPN", "GlobalProtect", "FortiClient",
"Cisco AnyConnect", "Pulse Secure", "Zscaler")
| summarize LoginCount = count(),
Countries = make_set(Location),
IPs = make_set(IPAddress)
by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Countries) > 1
| project TimeGenerated, UserPrincipalName, Countries, IPs, LoginCount
| order by LoginCount desc
HQ-12: CHM File Execution (Mustang Panda Delivery Vector)
// Hunt for CHM file execution - Mustang Panda delivery mechanism
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "hh.exe"
| where ProcessCommandLine has ".chm"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine,
InitiatingProcessFileName, FolderPath
| order by TimeGenerated desc
KQL Detection Rules (High-Fidelity)
DR-01: LOTUSLITE Backdoor — Confirmed C2 Domain Contact
Severity: CRITICAL | MITRE: T1071.001, T1105 | Actor: Mustang Panda
// RULE: Mustang Panda LOTUSLITE confirmed C2 domain - HIGH FIDELITY
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where RemoteUrl has "gleeze.com"
| extend AlertName = "LOTUSLITE C2 Communication Detected"
| extend ThreatActor = "Mustang Panda (TA416)"
| extend MalwareFamily = "LOTUSLITE"
| extend Severity = "Critical"
| extend MITRE_Tactic = "Command and Control"
| extend MITRE_Technique = "T1071.001 - Web Protocols"
| project TimeGenerated, AlertName, ThreatActor, MalwareFamily, Severity,
DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, MITRE_Tactic, MITRE_Technique
DR-02: LOTUSLITE DLL — Exact Filename Match
Severity: HIGH | MITRE: T1574.002 | Actor: Mustang Panda
// RULE: Confirmed LOTUSLITE malicious DLL creation or load
DeviceFileEvents
| where TimeGenerated > ago(1h)
| where FileName =~ "dnx.onecore.dll"
| extend AlertName = "Mustang Panda LOTUSLITE DLL Detected"
| extend ThreatActor = "Mustang Panda (TA416)"
| extend MalwareFamily = "LOTUSLITE"
| extend Severity = "High"
| extend MITRE_Tactic = "Persistence / Defense Evasion"
| extend MITRE_Technique = "T1574.002 - DLL Side-Loading"
| project TimeGenerated, AlertName, ThreatActor, MalwareFamily, Severity,
DeviceName, FolderPath, SHA256, MD5,
InitiatingProcessFileName, InitiatingProcessAccountName,
MITRE_Tactic, MITRE_Technique
DR-03: APT28 PRISMEX — Confirmed Malicious Domain Access
Severity: CRITICAL | MITRE: T1566.001, T1105 | Actor: APT28
// RULE: APT28 PRISMEX confirmed delivery infrastructure contact
let prismex_iocs = datatable(domain:string, note:string) [
"wellnessmedcare.org", "APT28 PRISMEX Office exploit delivery",
"wellnesscaremed.com", "APT28 PRISMEX Office exploit delivery",
"freefoodaid.com", "APT28 PRISMEX Office exploit delivery",
"longsauce.com", "APT28 PRISMEX Office exploit delivery"
];
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
// KQL join accepts only equality conditions, so the IOC table is cross-joined on a constant key and the substring match is applied afterwards
| extend JoinKey = 1
| join kind=inner (prismex_iocs | extend JoinKey = 1) on JoinKey
| where RemoteUrl contains domain
| extend AlertName = "APT28 PRISMEX Infrastructure Contact"
| extend ThreatActor = "APT28 / Fancy Bear / Pawn Storm"
| extend MalwareFamily = "PRISMEX"
| extend Severity = "Critical"
| extend MITRE_Tactic = "Initial Access / Command and Control"
| extend MITRE_Technique = "T1566.001 / T1105"
| project TimeGenerated, AlertName, ThreatActor, MalwareFamily, Severity,
DeviceName, RemoteUrl, RemoteIP, note,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, MITRE_Tactic, MITRE_Technique
DR-04: APT28 PRISMEX — Steganographic Excel Dropper Chain
Severity: HIGH | MITRE: T1059.005, T1546.015 | Actor: APT28
// RULE: PRISMEX Excel dropper execution chain - VBA macro spawning COM hijack
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName =~ "excel.exe"
| where FileName in~ ("regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe")
| join kind=inner (
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName in~ ("regsvr32.exe", "rundll32.exe")
| where ProcessCommandLine has "schtasks" or FileName =~ "schtasks.exe"
) on DeviceId
| extend AlertName = "APT28 PRISMEX Excel Dropper + COM Hijack Chain"
| extend ThreatActor = "APT28 / Fancy Bear"
| extend MalwareFamily = "PrismexSheet / PrismexDrop"
| extend Severity = "High"
| extend MITRE_Tactic = "Execution / Persistence"
| extend MITRE_Technique = "T1059.005 + T1546.015"
| project TimeGenerated, AlertName, ThreatActor, MalwareFamily, Severity,
DeviceName, AccountName, ProcessCommandLine,
MITRE_Tactic, MITRE_Technique
DR-05: APT28 SlimAgent — Screenshot Exfiltration Pattern
Severity: HIGH | MITRE: T1113, T1022 | Actor: APT28
// RULE: SLIMAGENT screenshot exfiltration - timestamped encrypted screenshot files
DeviceFileEvents
| where TimeGenerated > ago(1h)
| where FileName matches regex @"^\d{14,}.*\.(dat|enc|tmp|bin)$"
| where InitiatingProcessFileName !in~ ("explorer.exe", "OneDrive.exe", "Teams.exe", "chrome.exe")
| where FolderPath has_any ("AppData", "Temp", "ProgramData")
| summarize FileCount = count(), Paths = make_set(FolderPath)
by DeviceName, InitiatingProcessFileName, bin(TimeGenerated, 5m)
| where FileCount > 3
| extend AlertName = "Potential SLIMAGENT Screenshot Exfiltration Activity"
| extend ThreatActor = "APT28 (Suspected)"
| extend MalwareFamily = "SLIMAGENT"
| extend Severity = "High"
| extend MITRE_Tactic = "Collection / Exfiltration"
| extend MITRE_Technique = "T1113 - Screen Capture"
DR-06: BRICKSTORM — Non-Browser DoH C2 Evasion
Severity: HIGH | MITRE: T1071.004, T1572 | Actor: PRC State Actors
// RULE: BRICKSTORM DNS-over-HTTPS C2 - non-browser processes using DoH
let legitimate_processes = dynamic([
"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe",
"iexplore.exe", "safari.exe", "MicrosoftEdgeCP.exe", "msedgewebview2.exe"
]);
let doh_indicators = dynamic([
"dns.google", "cloudflare-dns.com", "doh.opendns.com",
"dns.quad9.net", "8.8.8.8", "1.1.1.1", "9.9.9.9"
]);
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where RemotePort == 443
| where RemoteUrl has_any (doh_indicators) or RemoteIP in ("8.8.8.8", "1.1.1.1", "9.9.9.9", "8.8.4.4")
| where InitiatingProcessFileName !in~ (legitimate_processes)
| where InitiatingProcessFolderPath !startswith @"C:\Program Files\Google"
| extend AlertName = "Suspicious DoH Usage - Possible BRICKSTORM C2 Evasion"
| extend ThreatActor = "PRC State Actors (BRICKSTORM)"
| extend MalwareFamily = "BRICKSTORM"
| extend Severity = "High"
| extend MITRE_Tactic = "Command and Control"
| extend MITRE_Technique = "T1071.004 - DNS over HTTPS"
| project TimeGenerated, AlertName, ThreatActor, MalwareFamily, Severity,
DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessFolderPath,
InitiatingProcessAccountName, MITRE_Tactic, MITRE_Technique
DR-07: cPanel CVE-2026-41940 — Exploitation Burst Access Pattern
Severity: HIGH | MITRE: T1190 | Actor: Multiple (Initial Access Brokers)
// RULE: CVE-2026-41940 cPanel exploitation - burst of connections to cPanel management ports
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where RemotePort in (2082, 2083, 2086, 2087)
| where ActionType == "ConnectionSuccess"
| summarize
ConnectionCount = count(),
UniqueTargetIPs = dcount(RemoteIP),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(TimeGenerated, 15m)
| where ConnectionCount > 10 or UniqueTargetIPs > 3
| extend AlertName = "cPanel CVE-2026-41940 Exploitation Pattern Detected"
| extend CVE = "CVE-2026-41940"
| extend Severity = "High"
| extend MITRE_Tactic = "Initial Access"
| extend MITRE_Technique = "T1190 - Exploit Public-Facing Application"
| project TimeGenerated, AlertName, CVE, Severity, DeviceName,
InitiatingProcessFileName, InitiatingProcessAccountName,
ConnectionCount, UniqueTargetIPs, FirstSeen, LastSeen,
MITRE_Tactic, MITRE_Technique
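
DR-07 and HQ-11 share the same shape: `summarize` over a `bin()` of `TimeGenerated` plus a group key, then a threshold on the aggregate. Tuning those thresholds is easier when the logic can be run offline against known-good and known-bad records, so the following is an added Python re-implementation of both rules written for this brief (it is not code from the brief's sources or from Microsoft). `bin_time` reproduces `bin(TimeGenerated, Nm)`, `cpanel_burst` reproduces DR-07's count and distinct-IP thresholds, and `multi_country_signins` reproduces HQ-11's multi-country check. All telemetry below is constructed sample data whose column names mirror the KQL tables; the process name `constructed-scanner.exe` and the user principal names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CPANEL_PORTS = {2082, 2083, 2086, 2087}
VPN_TERMS = ("VPN", "GlobalProtect", "FortiClient", "Cisco AnyConnect", "Pulse Secure", "Zscaler")


def bin_time(ts: datetime, minutes: int) -> datetime:
    """KQL bin(TimeGenerated, Nm): floor a timestamp to the start of its window.
    Works for any window length that divides a day (15m, 1h, ...)."""
    floored = (ts.hour * 60 + ts.minute) // minutes * minutes
    return ts.replace(hour=floored // 60, minute=floored % 60, second=0, microsecond=0)


def cpanel_burst(events, window_min=15, count_threshold=10, ip_threshold=3):
    """DR-07 logic: successful connections to cPanel management ports grouped by
    device, process, account and time bin; a bin is flagged when it holds more
    than count_threshold connections or more than ip_threshold distinct IPs."""
    groups = defaultdict(list)
    for ev in events:
        if ev["RemotePort"] not in CPANEL_PORTS or ev["ActionType"] != "ConnectionSuccess":
            continue
        key = (ev["DeviceName"], ev["InitiatingProcessFileName"],
               ev["InitiatingProcessAccountName"], bin_time(ev["TimeGenerated"], window_min))
        groups[key].append(ev)
    alerts = []
    for (device, process, account, window), rows in groups.items():
        count, unique_ips = len(rows), len({r["RemoteIP"] for r in rows})
        if count > count_threshold or unique_ips > ip_threshold:
            alerts.append({"DeviceName": device, "Process": process, "Account": account,
                           "Bin": window, "ConnectionCount": count, "UniqueTargetIPs": unique_ips,
                           "FirstSeen": min(r["TimeGenerated"] for r in rows),
                           "LastSeen": max(r["TimeGenerated"] for r in rows)})
    return sorted(alerts, key=lambda a: a["ConnectionCount"], reverse=True)


def multi_country_signins(signins, window_min=60):
    """HQ-11 logic: successful VPN sign-ins per user per time bin; flag a bin
    whose sign-ins originate from more than one country."""
    groups = defaultdict(list)
    for s in signins:
        if s["ResultType"] != 0:            # only successful sign-ins count
            continue
        app = s["AppDisplayName"].lower()
        if not any(term.lower() in app for term in VPN_TERMS):
            continue
        groups[(s["UserPrincipalName"], bin_time(s["TimeGenerated"], window_min))].append(s)
    alerts = []
    for (upn, window), rows in groups.items():
        countries = sorted({r["Location"] for r in rows})
        if len(countries) > 1:
            alerts.append({"UserPrincipalName": upn, "Bin": window, "Countries": countries,
                           "IPs": sorted({r["IPAddress"] for r in rows}), "LoginCount": len(rows)})
    return sorted(alerts, key=lambda a: a["LoginCount"], reverse=True)


# --- Constructed sample telemetry (not real observations) ---
T0 = datetime(2026, 5, 1, 9, 0)

NETWORK_EVENTS = [  # one process touching four cPanel hosts 12 times inside a single 15-minute bin
    {"TimeGenerated": T0 + timedelta(seconds=20 * i), "DeviceName": "ws-042",
     "InitiatingProcessFileName": "constructed-scanner.exe",
     "InitiatingProcessAccountName": "svc_build", "RemotePort": 2083,
     "RemoteIP": f"198.51.100.{10 + i % 4}", "ActionType": "ConnectionSuccess"}
    for i in range(12)
] + [  # a single admin session, which must not alert
    {"TimeGenerated": T0 + timedelta(minutes=5), "DeviceName": "admin-01",
     "InitiatingProcessFileName": "msedge.exe", "InitiatingProcessAccountName": "jdoe",
     "RemotePort": 2087, "RemoteIP": "198.51.100.10", "ActionType": "ConnectionSuccess"},
]

SIGNINS = [
    # alice: two successful VPN sign-ins from two countries within one hour -> flagged
    {"TimeGenerated": T0, "UserPrincipalName": "alice@example.test", "ResultType": 0,
     "AppDisplayName": "GlobalProtect VPN", "Location": "GB", "IPAddress": "203.0.113.5"},
    {"TimeGenerated": T0 + timedelta(minutes=25), "UserPrincipalName": "alice@example.test",
     "ResultType": 0, "AppDisplayName": "GlobalProtect VPN", "Location": "BR",
     "IPAddress": "203.0.113.77"},
    # bob: the second-country attempt failed (non-zero ResultType), so it is ignored
    {"TimeGenerated": T0 + timedelta(minutes=10), "UserPrincipalName": "bob@example.test",
     "ResultType": 0, "AppDisplayName": "GlobalProtect VPN", "Location": "GB",
     "IPAddress": "203.0.113.9"},
    {"TimeGenerated": T0 + timedelta(minutes=12), "UserPrincipalName": "bob@example.test",
     "ResultType": 50126, "AppDisplayName": "GlobalProtect VPN", "Location": "US",
     "IPAddress": "203.0.113.44"},
    # carol: not a VPN application, so outside the rule's scope
    {"TimeGenerated": T0 + timedelta(minutes=30), "UserPrincipalName": "carol@example.test",
     "ResultType": 0, "AppDisplayName": "Outlook", "Location": "FR", "IPAddress": "203.0.113.60"},
]

if __name__ == "__main__":
    for a in cpanel_burst(NETWORK_EVENTS):
        print("DR-07", a)
    for a in multi_country_signins(SIGNINS):
        print("HQ-11", a)
```

Raising `count_threshold` to 20 and `ip_threshold` to 10 silences the constructed scanner, which is the kind of check worth running against a week of real exported telemetry before DR-07 goes live with alerting enabled.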
DR-08: Ransomware Precursor — Mimikatz LSASS Credential Dump
Severity: CRITICAL | MITRE: T1003.001 | Actor: RansomHub, Akira, Gentlemen
// RULE: Mimikatz LSASS credential dumping - specific command artefacts
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where ProcessCommandLine has_any (
"sekurlsa::logonpasswords",
"sekurlsa::wdigest",
"lsadump::sam",
"lsadump::dcsync",
"privilege::debug",
"token::elevate",
"kerberos::ptt",
"kerberos::golden"
)
| extend AlertName = "Mimikatz Credential Dump - Ransomware Precursor"
| extend ThreatActors = "RansomHub / Akira / Gentlemen / Multiple"
| extend Severity = "Critical"
| extend MITRE_Tactic = "Credential Access"
| extend MITRE_Technique = "T1003.001 - LSASS Memory"
| project TimeGenerated, AlertName, ThreatActors, Severity,
DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessAccountName,
MITRE_Tactic, MITRE_Technique
DR-09: Ransomware Precursor — SystemBC Proxy Deployment
Severity: HIGH | MITRE: T1090.001, T1071.001 | Actor: Gentlemen Ransomware
// RULE: SystemBC proxy tool deployment - Gentlemen ransomware group TTP
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where FileName =~ "systembc.exe"
or ProcessCommandLine has "systembc"
or ProcessCommandLine has_all ("socks5", "-host")
| extend AlertName = "SystemBC Proxy Detected - Gentlemen Ransomware Precursor"
| extend ThreatActor = "Gentlemen Ransomware Group"
| extend ToolName = "SystemBC"
| extend Severity = "High"
| extend MITRE_Tactic = "Command and Control"
| extend MITRE_Technique = "T1090.001 - Internal Proxy"
| project TimeGenerated, AlertName, ThreatActor, ToolName, Severity,
DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, MITRE_Tactic, MITRE_Technique
DR-10: CVE-2026-1731 Bomgar RMM Post-Exploitation
Severity: HIGH | MITRE: T1219, T1190 | Actor: Multiple Ransomware Groups
// RULE: Anomalous Bomgar RMM session spawning credential theft or recon tools
DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where InitiatingProcessFileName has_any ("bomgar-scc", "bomgar-rep", "bomgar")
| where FileName in~ (
"mimikatz.exe", "psexec.exe", "wce.exe", "pwdump.exe",
"net.exe", "cmd.exe", "powershell.exe", "wscript.exe"
)
| where ProcessCommandLine has_any (
"sekurlsa", "lsadump", "whoami /all",
"net user /domain", "nltest", "ldapdomaindump",
"-enc", "-encodedcommand", "bypass", "IEX",
"net localgroup administrators"
)
| extend AlertName = "Bomgar CVE-2026-1731 Post-Exploitation Activity"
| extend CVE = "CVE-2026-1731"
| extend Severity = "High"
| extend MITRE_Tactic = "Execution / Credential Access"
| extend MITRE_Technique = "T1219 - Remote Access Software"
| project TimeGenerated, AlertName, CVE, Severity,
DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, MITRE_Tactic, MITRE_Technique
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Threat Actor / Group | Detection Rule |
|---|---|---|---|
| T1566.001 | Spearphishing Attachment | APT28, Mustang Panda, TGR-STA-1030 | DR-04 |
| T1059.005 | Visual Basic (VBA Macros) | APT28 (PrismexSheet) | DR-04 |
| T1574.002 | DLL Side-Loading | Mustang Panda (LOTUSLITE) | DR-02 |
| T1546.015 | Component Object Model Hijacking | APT28 (PrismexDrop) | DR-04 |
| T1053.005 | Scheduled Task/Job | APT28, Mustang Panda | DR-04 |
| T1071.001 | Web Protocols (HTTP/S C2) | APT28, Mustang Panda | DR-01, DR-03 |
| T1071.004 | DNS over HTTPS | BRICKSTORM operators | DR-06 |
| T1102.002 | Cloud Storage C2 (Filen.io) | APT28 | HQ-06 |
| T1027 | Obfuscated Files/Information (Steganography) | APT28 (PrismexSheet) | DR-04 |
| T1113 | Screen Capture | APT28 (SLIMAGENT) | DR-05 |
| T1003.001 | LSASS Memory | RansomHub, Akira, Gentlemen | DR-08 |
| T1090.001 | Internal Proxy | Gentlemen (SystemBC) | DR-09 |
| T1219 | Remote Access Software | Ransomware via Bomgar | DR-10 |
| T1190 | Exploit Public-Facing Application | Multiple (cPanel, Bomgar) | DR-07, DR-10 |
| T1068 | Exploitation for Privilege Escalation | Multiple (CVE-2026-31431) | HQ-10 |
| T1078 | Valid Accounts (VPN credential abuse) | Ransomware initial access | HQ-11 |
Recommended Actions
Immediate (Within 24 Hours):
- Patch cPanel — Apply fix for CVE-2026-41940 immediately; audit cPanel logs for auth anomalies on ports 2082/2083/2086/2087 since 2026-02-23.
- Block LOTUSLITE C2 — Add editor.gleeze[.]com to DNS/proxy blocklists.
- Block PRISMEX domains — Add wellnessmedcare[.]org, wellnesscaremed[.]com, freefoodaid[.]com, longsauce[.]com to threat intel blocking.
- Chrome patching — Ensure Chrome/Chromium is on the latest version (CVE-2026-5281, CVE-2026-2441).
- VPN credential audit — Review VPN auth logs for multi-geography logins and impossible travel.
Short-Term (Within 1 Week):
- Patch Linux Kernel — Apply patches for CVE-2026-31431 on all Linux systems.
- Patch Windows — Address CVE-2026-32202 Windows Shell spoofing.
- Bomgar/SimpleHelp audit — Patch CVE-2026-1731 and CVE-2024-57726; review all active remote sessions.
- Deploy KQL detection rules — Onboard DR-01 through DR-10 to Sentinel / Defender XDR with alerting enabled.
- BRICKSTORM TTP hunt — Run HQ-07 across VMware vSphere environments; review non-browser DoH connections.
Strategic:
- CHM file blocking — Consider blocking .chm file execution via AppLocker/Defender ASR for non-IT users (Mustang Panda delivery vector).
- VPN MFA enforcement — Enforce phishing-resistant MFA on all VPN gateways; review stolen credential exposure.
- COM hijacking monitoring — Enable detection of COM object registration by non-administrative processes.
- Excel macro hardening — Enforce macro blocking for documents from the internet via Group Policy.
Sources: CISA KEV — May 1, 2026 | The Hacker News — APT28 PRISMEX | Trellix — APT28 CVE-2026-21509 | Trend Micro — Pawn Storm | The Hacker News — LOTUSLITE | Acronis TRU — LOTUSLITE | Picus Security — Mustang Panda | CISA — BRICKSTORM MAR | Google Cloud Blog — BRICKSTORM | CSO Online — TGR-STA-1030 | PurpleOps Ransomware Tracker | Recorded Future — Ransomware 2026 | Security Affairs — CISA Windows KEV