Executive Summary
The 24-hour window ending 2026-05-04 reflects a threat environment under significant pressure across multiple attack surfaces. Seven discrete, active threat clusters were observed with fresh intelligence, spanning ransomware-as-a-service, nation-state espionage, ICS/OT disruption, AI-assisted credential theft, and software supply chain compromise.
Top priorities for security teams today:
- Storm-1175 / Medusa remains the highest-velocity ransomware operator globally; healthcare, finance, and education are in the crosshairs. Patch BeyondTrust and SmarterMail immediately.
- CVE-2026-32202 (Windows Shell NTLM coercion) is being actively exploited by APT28 for NTLM hash capture. Apply the April 14 patch (KB5056575) and block outbound TCP/445 at the perimeter.
- Lightning PyPI supply chain (Mini Shai-Hulud worm) is actively poisoning AI/ML developer environments via versions 2.6.2 and 2.6.3 of the `lightning` package. Audit pip installs across dev pipelines immediately.
- FIRESTARTER remains a persistent threat to Cisco Firepower/ASA devices; confirmed active C2 communications observed through early May 2026. Patches alone do not remove it: a hard power cycle and clean image reinstall are required.
- Iranian-affiliated APT actors are conducting sustained OT/ICS campaigns against U.S. critical infrastructure PLCs; internet-facing Rockwell Allen-Bradley devices are primary targets.
Threat Level: CRITICAL
Threat Landscape Overview
| # | Threat Cluster | Severity | Target Sectors | Attribution | Status |
|---|---|---|---|---|---|
| 1 | Storm-1175 / Medusa Ransomware | CRITICAL | Healthcare, Finance, Education, Professional Services | China-linked | Active |
| 2 | CVE-2026-32202 Windows Shell NTLM Coercion | HIGH | All Windows Environments | APT28 (Fancy Bear / GRU) | Active — Exploited in Wild |
| 3 | HexagonalRodent / DPRK Crypto Theft | HIGH | Web3/Crypto, Software Developers | DPRK (Famous Chollima subgroup) | Active |
| 4 | FIRESTARTER Backdoor / UAT-4356 | CRITICAL | Federal/Government, Telecoms | China-linked (UAT-4356) | Persistent — C2 Active |
| 5 | Lightning PyPI Mini Shai-Hulud Supply Chain | HIGH | AI/ML Developers, DevOps | Unknown (cross-platform campaign) | Active |
| 6 | Iranian APT — ICS/OT PLC Exploitation | HIGH | Water, Energy, Gov Facilities | Iran-IRGC (CyberAv3ngers / Shahid Kaveh) | Ongoing since March 2026 |
| 7 | CVE-2026-41940 cPanel RCE / "Sorry" Ransomware | HIGH | Web Hosting, SMBs | Unknown | Active — Mass Exploitation |
Campaign Deep-Dives
1. Storm-1175 / Medusa Ransomware
Actor: Storm-1175 (China-linked cybercriminal organisation)
Malware Family: Medusa Ransomware
First Observed: Early 2026 (escalated from April 2026 per Microsoft disclosure)
Storm-1175 is operating at extremely high tempo, often compressing the full attack chain — initial access through data exfiltration to ransomware detonation — into under 24 hours. The group exploits internet-facing vulnerabilities in enterprise perimeter products. Primary target sectors are healthcare (AU/UK/US), education, professional services, and finance.
Vulnerabilities exploited:
- CVE-2026-1731 — Critical RCE in BeyondTrust Remote Support / Privileged Remote Access (PRA)
- CVE-2026-23760 — Critical authentication bypass in SmarterMail (zero-day)
- CVE-2025-10035 — Max-severity flaw in GoAnywhere MFT License Servlet
- CVE-2023-21529 — Microsoft Exchange (continuing n-day exploitation)
TTPs (MITRE ATT&CK): T1190 (Exploit Public-Facing Application), T1486 (Data Encrypted for Impact), T1041 (Exfiltration Over C2 Channel), T1489 (Service Stop), T1490 (Inhibit System Recovery), T1078 (Valid Accounts).
Post-exploitation includes rapid reconnaissance with ADRecon or SharpHound, lateral movement via PsExec or WMI, and credential dumping via a custom Mimikatz variant. Ransomware detonation is preceded by exfiltration to actor-controlled SFTP infrastructure.
2. CVE-2026-32202 — Windows Shell NTLM Coercion (APT28)
Actor: APT28 (Fancy Bear / Forest Blizzard / GRU Unit 26165)
CVE: CVE-2026-32202 | CVSS: 4.3 (exploitability is high despite moderate base score)
Patch Available: Yes — Microsoft April 14 2026 Patch Tuesday (KB5056575)
CISA KEV: Yes — Deadline May 12 2026 for federal agencies
This Windows Shell spoofing vulnerability triggers automatic NTLM authentication from any Windows user whose file manager renders a folder containing a malicious LNK shortcut file. No user click is required — only folder viewing. The NTLMv2 hash is sent to an attacker-controlled SMB server and can be captured for offline cracking or used in real-time NTLM relay attacks.
The vulnerability is an incomplete patch bypass of CVE-2026-21510 (fixed February 2026). The root cause is that Windows Explorer fetches shortcut icons before any security checks, establishing an SMB connection and transmitting credentials to attacker-controlled infrastructure. APT28 has weaponised this to collect credentials targeting NATO member organisations, government agencies, and defence contractors.
Technical mechanism:
- Attacker delivers a malicious `.lnk` file (via phishing email, cloud share link, or compromised file share)
- Victim opens the containing folder in Windows Explorer
- Explorer automatically resolves the LNK icon via the UNC path `\\attacker-ip\share\icon.ico`
- NTLMv2 hash transmitted to attacker SMB listener (Responder, ntlmrelayx)
- Hash relayed or cracked: full credential compromise
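The mechanism above means the lure lives in the shortcut's icon path, not in its target, so triage of inbound `.lnk` files should inspect the icon fields. The script below is an added example written for this brief; it is not code from the original page, from Microsoft, or from any vendor tool. It parses the two places a shortcut can name its icon (the ICON_LOCATION string and the IconEnvironmentDataBlock, field layouts taken from the MS-SHLLINK specification) and flags UNC icon paths whose host lies outside the same internal ranges the KQL hunts in this brief treat as RFC 1918. The sample shortcuts are constructed inside the script; 203.0.113.10 is a documentation (TEST-NET-3) address, not an indicator. The `INTERNAL` range list and the choice to flag any non-IP hostname are assumptions.

```python
"""Added example: extract and classify icon paths from a Windows shortcut (.lnk).
Constructed sample shortcuts only; not a real lure, not the advisory's own tooling."""
import ipaddress
import re
import struct

# MS-SHLLINK values (from the specification, not assumptions)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ICON_ENV_SIG, ICON_ENV_SIZE = 0xA0000007, 0x314  # IconEnvironmentDataBlock: 260-byte ANSI + 520-byte Unicode

# Assumption: same address space the brief's KQL treats as internal
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10")]
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\...


def _string_data(buf: bytes, off: int, unicode: bool):
    """One StringData item: CountCharacters (u16) followed by the characters, no terminator."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def icon_locations(lnk: bytes) -> list:
    """Every icon path the shortcut carries. Explorer resolves these when the folder is rendered."""
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk, 0)[0] != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                        # LinkTargetIDList: u16 size + item list
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & HAS_LINKINFO:                      # LinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", lnk, off)[0]
    icons = []
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):  # spec order
        if flags & bit:
            text, off = _string_data(lnk, off, bool(flags & IS_UNICODE))
            if bit == HAS_ICON:
                icons.append(text)
    while off + 8 <= len(lnk):                    # ExtraData blocks; a size < 4 is the terminal block
        size, sig = struct.unpack_from("<II", lnk, off)
        if size < 4:
            break
        if sig == ICON_ENV_SIG and size >= ICON_ENV_SIZE:
            ansi = lnk[off + 8:off + 268].split(b"\0", 1)[0].decode("latin-1")
            uni = lnk[off + 268:off + 788].decode("utf-16-le").split("\0", 1)[0]
            icons.append(uni or ansi)
        off += size
    return icons


def is_coercion_icon(path: str) -> bool:
    """UNC icon path whose host is not in INTERNAL. A non-IP hostname is flagged too:
    the file alone cannot prove where it resolves."""
    m = UNC_HOST.match(path)
    if not m:
        return False
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL)


def suspicious_icons(lnk: bytes) -> list:
    return [p for p in icon_locations(lnk) if is_coercion_icon(p)]


def build_lnk(icon: str, via_env_block: bool = False) -> bytes:
    """Constructed sample shortcut for the demo: bare header plus either an
    ICON_LOCATION string or an IconEnvironmentDataBlock, then the terminal block."""
    flags = IS_UNICODE | (0 if via_env_block else HAS_ICON)
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                      0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if via_env_block:
        block = struct.pack("<II", ICON_ENV_SIZE, ICON_ENV_SIG)
        block += icon.encode("latin-1").ljust(260, b"\0") + icon.encode("utf-16-le").ljust(520, b"\0")
    else:
        block = struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    return hdr + block + b"\0\0\0\0"


if __name__ == "__main__":
    lure = build_lnk(r"\\203.0.113.10\share\icon.ico")   # TEST-NET-3 address, documentation only
    print(suspicious_icons(lure))                         # ['\\\\203.0.113.10\\share\\icon.ico']
    benign = build_lnk(r"%SystemRoot%\System32\shell32.dll", via_env_block=True)
    print(suspicious_icons(benign))                       # []
```

Run it over user download directories and inbound file shares. An external UNC icon in a shortcut is the lure this brief describes whether or not KB5056575 is applied, because the icon fetch is the only user interaction required; shortcuts pointing at internal file servers are common and are deliberately not flagged.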
3. HexagonalRodent — DPRK AI-Powered Crypto Theft
Actor: HexagonalRodent (DPRK Famous Chollima subgroup)
Malware: BeaverTail (loader/stealer), OtterCookie (in-memory implant), InvisibleFerret (Python RAT)
Financial Impact: ~$12M confirmed from 2,726 infected developer systems; broader DPRK crypto operations estimated at $290M+ in April 2026
HexagonalRodent contacts software developers via LinkedIn, posing as legitimate recruiters from fabricated Web3 companies with convincing online presence. Developers are asked to complete a "technical interview" by cloning and running a repository. The repository contains obfuscated malware embedded in package dependencies. The group makes extensive use of AI tools — specifically Cursor and ChatGPT — to generate convincing recruiter personas, company websites, and code that appears legitimate.
Malware toolkit:
- BeaverTail — JavaScript/Node.js first-stage loader and stealer. Exfiltrates browser-stored credentials, API keys, and crypto wallet seed phrases
- OtterCookie — In-memory implant for persistent access. Communicates via encrypted WebSocket
- InvisibleFerret — Python-based RAT with keylogging, screenshot capture, and crypto wallet draining capabilities
Campaign statistics: 26,584 cryptocurrency wallets exfiltrated; 2,726 infected developer systems identified.
4. FIRESTARTER Backdoor — UAT-4356 / Cisco Firepower
Actor: UAT-4356 (China-linked, overlaps with ArcaneDoor)
Malware: FIRESTARTER (Linux ELF), LINE VIPER (second-stage)
Devices Targeted: Cisco Firepower / Adaptive Security Appliance (ASA)
CISA Advisory: AR26-113A (April 2026)
FIRESTARTER is a sophisticated Linux-based backdoor designed exclusively for Cisco Firepower and Secure Firewall platforms. It provides persistent C2 access that survives firmware updates, security patches, and device reboots — it is only fully removed by hard power cycling the device and performing a clean image reinstall.
Initial access was via exploitation of CVE-2025-20333 and/or CVE-2025-20362 in internet-facing Cisco ASA devices. The backdoor was deployed to at least one confirmed U.S. federal civilian agency network in September 2025; in March 2026 the actors deployed a second-stage implant (LINE VIPER) leveraging the persistent FIRESTARTER access. FIRESTARTER detects process termination signals and relaunches itself, maintaining persistent operation even after security patch cycles.
5. Lightning PyPI Supply Chain — Mini Shai-Hulud Worm
Package: lightning (PyTorch Lightning) versions 2.6.2 and 2.6.3
Published: April 30, 2026
Detected: 18 minutes post-publication (Socket Research Team)
Current Status: Package quarantined by PyPI administrators
Threat actor(s) compromised the lightning PyTorch training library by injecting a hidden _runtime directory containing obfuscated JavaScript (router_runtime.js) that executes automatically upon module import. This attack is part of a broader cross-ecosystem campaign (Mini Shai-Hulud) that previously compromised Bitwarden CLI (npm) and SAP npm packages. The worm propagates by abusing discovered npm tokens to modify and republish additional packages with embedded malware.
Payload capabilities: credential theft (browser-stored passwords, tokens), environment variable exfiltration (cloud secrets, API keys, AWS/GCP tokens), GitHub repository poisoning via discovered Git credentials, and payload file writes to .claude/settings.json and .vscode/tasks.json.
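Because the payload runs on import, a version check must never be done by importing the package in the suspect environment. The script below is an added example for this brief, not code from the page, from PyPI, or from the lightning project: it audits a site-packages tree offline using only the facts the text supplies, namely the malicious version numbers, the hidden `_runtime/router_runtime.js` and `start.py` location, and the two SHA256 hashes from the IOC pack. The sample environment it builds is constructed in a temporary directory with placeholder file contents, so only the version and path checks fire on it; the hash check matches only the real files.

```python
"""Added example: offline audit of a Python environment for the compromised lightning releases.
Constructed sample environment; placeholder payload files are not the real malware."""
import hashlib
import re
import tempfile
from pathlib import Path

MALICIOUS_VERSIONS = {"2.6.2", "2.6.3"}           # from the brief
PAYLOAD_NAMES = {"router_runtime.js", "start.py"}  # files dropped in the hidden _runtime directory
IOC_SHA256 = {                                     # from the brief's IOC pack
    "5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1": "router_runtime.js",
    "8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2": "start.py",
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def installed_version(site_packages: Path, dist: str = "lightning"):
    """Version: field of <dist>-<ver>.dist-info/METADATA, read as text so nothing is imported."""
    for info in site_packages.glob(f"{dist}-*.dist-info"):
        meta = info / "METADATA"
        if meta.is_file():
            m = re.search(r"^Version:\s*(\S+)", meta.read_text(errors="replace"), re.M)
            if m:
                return m.group(1)
    return None


def audit(site_packages: Path) -> list:
    """Findings for one site-packages tree: known-bad version, payload files in a
    _runtime directory, and exact IOC hash matches under lightning*/ or any _runtime/."""
    findings = []
    ver = installed_version(site_packages)
    if ver in MALICIOUS_VERSIONS:
        findings.append(f"version: lightning=={ver} is a known-malicious release")
    for p in site_packages.rglob("*"):
        if not p.is_file():
            continue
        relp = p.relative_to(site_packages)
        rel = relp.as_posix()
        if p.parent.name == "_runtime" and p.name in PAYLOAD_NAMES:
            findings.append(f"path: {rel} (hidden _runtime payload location)")
        if "_runtime" in relp.parts or relp.parts[0].startswith("lightning"):
            digest = sha256_of(p)
            if digest in IOC_SHA256:
                findings.append(f"hash: {rel} matches IOC {IOC_SHA256[digest]}")
    return findings


def build_sample_env(version: str, with_payload: bool) -> Path:
    """Constructed sample site-packages in a temp dir. The _runtime files written here
    are placeholder comments, not the real payload, so the hash check cannot fire on them."""
    root = Path(tempfile.mkdtemp(prefix="site-packages-"))
    info = root / f"lightning-{version}.dist-info"
    info.mkdir()
    (info / "METADATA").write_text(f"Metadata-Version: 2.1\nName: lightning\nVersion: {version}\n")
    pkg = root / "lightning"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("# stub package for the demo\n")
    if with_payload:
        rt = pkg / "_runtime"
        rt.mkdir()
        (rt / "router_runtime.js").write_text("// placeholder, not the real payload\n")
        (rt / "start.py").write_text("# placeholder launcher\n")
    return root


if __name__ == "__main__":
    for line in audit(build_sample_env("2.6.2", with_payload=True)):
        print(line)
    print(audit(build_sample_env("2.6.1", with_payload=False)))   # []
```

Point `audit()` at each interpreter's site-packages (virtualenvs, conda envs, CI runner caches, container layers); a version or path finding is enough to start the credential rotation listed under Mitigation Priorities, since the hash check only confirms the exact published files.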
6. Iranian APT — ICS/OT PLC Exploitation (CISA AA26-097A)
Actor: Iranian-affiliated APT (CyberAv3ngers / Shahid Kaveh Group — IRGC-CEC)
Targets: Rockwell Automation/Allen-Bradley PLCs; Water/Wastewater, Energy, Government sectors
CISA Advisory: AA26-097A (April 7, 2026)
Campaign Active: March 2026 — present
Iranian-affiliated threat actors are systematically targeting internet-facing Rockwell Automation/Allen-Bradley PLCs across U.S. critical infrastructure. Attacks involve direct manipulation of PLC project files and HMI/SCADA display data, resulting in operational disruption and financial loss. Access is gained directly through internet-exposed OT interfaces — no IT pivot required. This mirrors past activity from CyberAv3ngers (Shahid Kaveh Group), affiliated with Iran's IRGC Cyber Electronic Command.
7. CVE-2026-41940 — cPanel RCE / "Sorry" Ransomware
CVE: CVE-2026-41940
Affected: cPanel web hosting control panel (unpatched instances)
Attack Type: Mass exploitation, webshell deployment, "Sorry" ransomware encryption
Sectors: Web hosting providers, SMBs running self-hosted cPanel infrastructure
CVE-2026-41940 is a critical remote code execution vulnerability in cPanel being mass-exploited to achieve unauthenticated code execution, deploy webshells, and deliver "Sorry" ransomware. The low barrier to exploitation and wide deployment of cPanel across SMB hosting environments makes this a broad-surface attack. Patch or isolate cPanel instances immediately.
IOC Pack
IOCs sourced from public reporting within the past 24 hours. Validate against your environment before blocking. TTL recommended: 7–14 days.
File Hashes (SHA256) — Confirmed Malicious
| Hash | Malware Family | Description |
|---|---|---|
| 5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1 | Mini Shai-Hulud | router_runtime.js — obfuscated JS payload in lightning 2.6.2/2.6.3 |
| 8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2 | Mini Shai-Hulud | start.py — launch script in compromised lightning package |
PyPI Package Versions — Malicious (Remove/Block)
| Package | Malicious Versions | Safe Version |
|---|---|---|
| lightning | 2.6.2, 2.6.3 | 2.6.1 or earlier |
CVEs — Actively Exploited in the Wild
| CVE | CVSS | Product | Exploited By | CISA KEV | Patch Deadline |
|---|---|---|---|---|---|
| CVE-2026-32202 | 4.3 | Windows Shell (all supported Windows) | APT28 | Yes | May 12, 2026 (federal) |
| CVE-2026-1731 | Critical | BeyondTrust Remote Support / PRA | Storm-1175 | Pending | ASAP |
| CVE-2026-23760 | Critical | SmarterMail | Storm-1175 (zero-day) | Pending | ASAP |
| CVE-2025-10035 | Critical | GoAnywhere MFT | Storm-1175 | Yes | Passed |
| CVE-2025-20333 | High | Cisco ASA/Firepower | UAT-4356 | Yes | Passed |
| CVE-2025-20362 | High | Cisco ASA/Firepower | UAT-4356 | Yes | Passed |
| CVE-2026-41940 | Critical | cPanel | Mass exploitation | Pending | ASAP |
| CVE-2026-42369 | 10.0 | GV-VMS V20 (GeoVision) | Multiple actors | No | ASAP |
| CVE-2023-21529 | High | Microsoft Exchange | Storm-1175, others | Yes | Passed |
Behavioural IOCs / Suspicious Artefacts
| Type | Value | Campaign | Notes |
|---|---|---|---|
| Outbound port | TCP/445 from endpoint | CVE-2026-32202 / APT28 | Explorer.exe initiating SMB to external IP — block at perimeter |
| Inbound port | TCP/44818, 102, 502, 20000, 47808, 4840 | Iranian APT ICS | OT/ICS protocol exposure to internet |
| File path | */_runtime/router_runtime.js in Python site-packages | Mini Shai-Hulud | Malicious payload in compromised lightning package |
| File path | .claude/settings.json modified by non-Claude process | Mini Shai-Hulud | Propagation payload drop |
| File path | .vscode/tasks.json modified by Python/Node | Mini Shai-Hulud | Propagation payload drop |
| File extension | .medusa, !!!READ_ME_MEDUSA!!!.txt | Medusa Ransomware | Post-encryption artefacts |
| UNC pattern | \\<external-IP>\share\*.ico resolved by Explorer.exe | CVE-2026-32202 | LNK icon fetch triggering NTLM auth |
| Process | SharpHound.exe, ADRecon.ps1 | Storm-1175 | Post-exploitation reconnaissance |
KQL Hunting Queries
Proactive threat hunting queries for Microsoft Defender for Endpoint / Microsoft Sentinel. Broader in scope and intended for analyst-driven investigation.
HUNT-01: SMB Outbound from Explorer — CVE-2026-32202 NTLM Coercion
// HUNT-01: CVE-2026-32202 NTLM Coercion via LNK File
// Hunt: Windows Explorer initiating outbound SMB to non-RFC1918 addresses
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where InitiatingProcessFileName =~ "explorer.exe"
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1)")
| project
Timestamp,
DeviceName,
LocalIP,
RemoteIP,
RemotePort,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by Timestamp desc
HUNT-02: Storm-1175 Initial Access — Target Product Exploitation
// HUNT-02: Storm-1175 Initial Access — BeyondTrust, SmarterMail, GoAnywhere
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (
"bomgar-helper.exe", "bomgar-scc.exe",
"MailService.exe",
"GoAnywhere.exe", "goanywhere.exe"
)
| where ProcessCommandLine has_any (
"cmd.exe", "powershell", "wscript", "cscript",
"certutil", "bitsadmin", "regsvr32", "mshta",
"whoami", "ipconfig", "net user", "net group",
"ADRecon", "SharpHound"
)
| project
Timestamp,
DeviceName,
InitiatingProcessFileName,
ProcessCommandLine,
AccountName,
FolderPath
| order by Timestamp desc
HUNT-03: Medusa Pre-Detonation — Shadow Copy Deletion + Recon
// HUNT-03: Medusa Ransomware Pre-Encryption Activity (VSS + recon)
let ShadowCopyDeletion = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
"vssadmin delete shadows",
"wmic shadowcopy delete",
"bcdedit /set",
"wbadmin delete catalog",
"diskshadow /s")
| extend Activity = "ShadowCopyDeletion";
let BackupServiceKill = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (
"net stop vss", "net stop backup",
"net stop \"Volume Shadow Copy\"",
"sc stop vss")
| extend Activity = "BackupServiceKill";
let ReconTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
FileName =~ "SharpHound.exe"
or FileName =~ "ADRecon.ps1"
or ProcessCommandLine has "Invoke-ADRecon"
or ProcessCommandLine has "SharpHound"
)
| extend Activity = "DomainRecon";
union ShadowCopyDeletion, BackupServiceKill, ReconTools
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, Activity
| order by Timestamp desc
HUNT-04: BeaverTail/InvisibleFerret — Crypto Wallet Access
// HUNT-04: HexagonalRodent — DPRK Crypto Wallet Theft
DeviceFileEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("python.exe", "python3", "pythonw.exe", "node.exe", "node")
| where (
FolderPath has_any (
"\\AppData\\Roaming\\Exodus",
"\\AppData\\Roaming\\Electrum",
"\\AppData\\Local\\MetaMask",
"\\AppData\\Roaming\\atomic",
"\\AppData\\Roaming\\Ethereum",
"\\Library\\Application Support\\Exodus",
"/.config/Exodus",
"keystore",
"wallet.dat"
)
or FileName in~ (
"wallet.dat", "keystore", "seed.txt",
"mnemonic.txt", "secret_recovery_phrase.txt", "private_key.txt"
)
)
| project
Timestamp,
DeviceName,
AccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
FolderPath,
SHA256
| order by Timestamp desc
HUNT-05: Mini Shai-Hulud — Compromised lightning Package Presence
// HUNT-05: Mini Shai-Hulud PyPI Supply Chain — Lightning Package IOCs
DeviceFileEvents
| where Timestamp > ago(7d)
| where (
FileName == "router_runtime.js"
or (FileName == "start.py" and FolderPath has "_runtime")
or SHA256 in (
"5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1",
"8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2"
)
)
| project
Timestamp,
DeviceName,
AccountName,
FileName,
FolderPath,
SHA256,
InitiatingProcessFileName
| order by Timestamp desc
HUNT-06: FIRESTARTER — Unexpected Shell-Initiated Outbound C2 (MDE-onboarded Linux hosts)
// HUNT-06: FIRESTARTER C2 — Shell-initiated outbound from Linux hosts
// Caveat: Defender for Endpoint does not run on Cisco ASA/Firepower, so this query only covers
// MDE-onboarded Linux hosts. For the appliances themselves, hunt for unexpected egress in
// perimeter firewall and NetFlow logs and run the CISA AR26-113A YARA rules against device images.
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (22, 443, 4443, 8443, 8080, 9090)
| where InitiatingProcessFileName in~ ("sh", "bash", "dash", "python3", "python", "perl")
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fe80:)")
| project
Timestamp,
DeviceName,
LocalIP,
RemoteIP,
RemotePort,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp desc
HUNT-07: Iranian APT — Internet-Exposed OT Protocol Traffic
// HUNT-07: Iranian APT — OT/ICS Protocol Exposure
// Ports: EtherNet/IP (44818), S7 (102), Modbus (502), DNP3 (20000), BACnet (47808), OPC-UA (4840)
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (44818, 102, 502, 20000, 47808, 4840, 1911, 9600, 2404)
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1)")
| project
Timestamp,
DeviceName,
LocalIP,
RemoteIP,
RemotePort,
ActionType,
InitiatingProcessFileName
| order by Timestamp desc
KQL Detection Rules (High Fidelity)
Tuned for direct alerting with low false-positive rates. Suitable for deployment to a SIEM analytic rule set.
DET-01: CVE-2026-32202 — NTLM Hash Coercion via LNK
Rationale: In managed enterprise environments, explorer.exe has no legitimate reason to initiate SMB connections to external IP addresses. Any such connection strongly indicates exploitation of CVE-2026-32202 or a related NTLM coercion technique.
// DET-01: CVE-2026-32202 NTLM Coercion — HIGH FIDELITY
// MITRE: T1187 - Forced Authentication | Severity: HIGH
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort == 445
| where InitiatingProcessFileName =~ "explorer.exe"
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fe80:)")
| extend AlertTitle = "NTLM Coercion via Windows Explorer — CVE-2026-32202 Exploitation Suspected"
| extend Severity = "High"
| extend MITRETactic = "Credential Access"
| extend MITRETechnique = "T1187 - Forced Authentication"
| extend RecommendedAction = "Isolate device; check for .lnk files in user download dirs and recently opened shares; verify KB5056575 patch applied; review NTLM logon events (4624 logon type 3 with authentication package NTLM) for relay of the affected account; add privileged accounts to the Protected Users group"
| project
Timestamp, AlertTitle, Severity, DeviceName, LocalIP, RemoteIP,
InitiatingProcessAccountName, MITRETactic, MITRETechnique, RecommendedAction
DET-02: Medusa Ransomware — Mass File Encryption
Rationale: No legitimate application creates dozens of files with the Medusa-specific .medusa extension within minutes, and the !!!READ_ME_MEDUSA!!!.txt note has no other use. The rule is deliberately limited to Medusa artefacts: generic extensions such as .enc, .locked or .encrypted are produced by legitimate software (encrypted archives, backup tools) and belong in a separate, lower-severity rule, not in one presented as high fidelity. Volume threshold (>50 in 5 min) plus extension matching keeps false positives near zero.
// DET-02: Medusa Ransomware — File Encryption Activity
// MITRE: T1486 - Data Encrypted for Impact | Severity: CRITICAL
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileCreated", "FileRenamed")
| where (
    FileName endswith ".medusa"              // endswith is case-insensitive, so .MEDUSA is covered
    or FileName =~ "!!!READ_ME_MEDUSA!!!.txt"
)
| summarize
FileCount = count(),
SampleFiles = make_set(FileName, 5),
AffectedPaths = make_set(FolderPath, 10),
Processes = make_set(InitiatingProcessFileName, 5)
by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where FileCount > 50
| extend AlertTitle = "Medusa Ransomware — Mass File Encryption Detected"
| extend Severity = "Critical"
| extend MITRETactic = "Impact"
| extend MITRETechnique = "T1486 - Data Encrypted for Impact"
| extend RecommendedAction = "CRITICAL: Immediately isolate device at network switch level; do not power off; initiate ransomware IR playbook; check lateral movement via active SMB sessions"
| project
Timestamp, AlertTitle, Severity, DeviceName,
FileCount, SampleFiles, AffectedPaths, Processes,
MITRETactic, MITRETechnique, RecommendedAction
DET-03: Shadow Copy Deletion — Pre-Ransomware Indicator
Rationale: Shadow copy deletion combined with backup service termination is universally executed by ransomware groups immediately prior to encryption. Excludes known backup agent process names to reduce false positives.
// DET-03: Shadow Copy Deletion — Pre-Ransomware Stage
// MITRE: T1490 - Inhibit System Recovery | Severity: HIGH
DeviceProcessEvents
| where Timestamp > ago(1h)
| where (
(ProcessCommandLine has "vssadmin" and ProcessCommandLine has_any ("delete shadows", "resize shadowstorage"))
or (ProcessCommandLine has "wmic" and ProcessCommandLine has_any ("shadowcopy delete", "Shadow"))
or (ProcessCommandLine has "bcdedit" and ProcessCommandLine has_any ("recoveryenabled No", "bootstatuspolicy ignoreallfailures"))
or (ProcessCommandLine has "wbadmin" and ProcessCommandLine has "delete catalog")
or (ProcessCommandLine has "diskshadow" and ProcessCommandLine has "/s")
)
| where InitiatingProcessFileName !in~ (
"BackupExec.exe", "veeam.backup.service.exe",
"CommvaultService.exe", "arcserve.exe", "backup.exe"
)
| extend AlertTitle = "Shadow Copy Deletion — Pre-Ransomware Activity Detected"
| extend Severity = "High"
| extend MITRETactic = "Impact"
| extend MITRETechnique = "T1490 - Inhibit System Recovery"
| extend RecommendedAction = "Immediately investigate host; correlate with DET-02 for concurrent encryption; verify account legitimacy; treat as active ransomware incident if unscheduled"
| project
Timestamp, AlertTitle, Severity, DeviceName, AccountName,
ProcessCommandLine, InitiatingProcessFileName,
MITRETactic, MITRETechnique, RecommendedAction
DET-04: Mini Shai-Hulud — Malicious PyPI Hash Match
Rationale: Hash-based detection is deterministic. Zero false positives — these exact files do not exist in any legitimate lightning package version.
// DET-04: Mini Shai-Hulud — Malicious lightning Package Hash Match
// MITRE: T1195.001 - Compromise Software Dependencies | Severity: HIGH
let MaliciousHashes = datatable(SHA256: string, MalwareComponent: string)
[
"5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1",
"router_runtime.js (lightning 2.6.2/2.6.3 — credential stealer)",
"8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2",
"start.py (lightning 2.6.2/2.6.3 — malicious launcher)"
];
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (MaliciousHashes | project SHA256)
| join kind=inner MaliciousHashes on SHA256
| extend AlertTitle = "Supply Chain Compromise — Malicious lightning PyPI Package on Device"
| extend Severity = "High"
| extend MITRETactic = "Initial Access"
| extend MITRETechnique = "T1195.001 - Compromise Software Dependencies and Development Tools"
| extend RecommendedAction = "Quarantine device; revoke all cloud credentials, API tokens, npm/PyPI tokens, browser-stored passwords; audit git repos for injected payloads; downgrade lightning to v2.6.1; rotate AWS/GCP/Azure credentials"
| project
Timestamp, AlertTitle, Severity, DeviceName, AccountName,
FileName, FolderPath, SHA256, MalwareComponent,
MITRETactic, MITRETechnique, RecommendedAction
DET-05: BeaverTail/InvisibleFerret — Crypto Wallet Access by Scripting Runtime
Rationale: Python or Node.js processes directly accessing cryptocurrency wallet storage directories is anomalous in enterprise environments. Tuned to exclude known security tooling paths.
// DET-05: HexagonalRodent — Crypto Wallet Access by Scripting Runtime
// MITRE: T1005 - Data from Local System, T1552.001 - Credentials in Files | Severity: HIGH
DeviceFileEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (
"python.exe", "python3", "pythonw.exe", "node.exe", "node"
)
| where (
FolderPath has_any (
"Exodus", "Electrum", "MetaMask", "atomic wallet",
"Ethereum", "Bitcoin", "Monero", "keystore",
"\\AppData\\Roaming\\com.exodus", "/.config/Exodus"
)
or FileName in~ (
"wallet.dat", "keystore", "seed.txt", "mnemonic.txt",
"secret_recovery_phrase.txt", "private_key.txt"
)
)
| where InitiatingProcessFolderPath !has_any (
"\\antivirus\\", "\\security\\", "\\defender\\", "\\edr\\"
)
| extend AlertTitle = "Crypto Wallet Access by Scripting Engine — HexagonalRodent/BeaverTail Suspected"
| extend Severity = "High"
| extend MITRETactic = "Collection"
| extend MITRETechnique = "T1005 - Data from Local System"
| extend RecommendedAction = "Isolate device; identify Python/Node script origin (interview task repo?); check LinkedIn for recent suspicious job offers; revoke crypto private keys; move funds to clean wallet immediately"
| project
Timestamp, AlertTitle, Severity, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, FolderPath, MITRETactic, MITRETechnique, RecommendedAction
DET-06: Iranian APT — Inbound OT Protocol from Internet
Rationale: In any properly segmented OT environment, inbound connections from external IP space on OT protocol ports should not occur. This is a near-certain indicator of misconfiguration under active exploitation.
// DET-06: Iranian APT ICS — Internet-Exposed OT Protocol Inbound
// MITRE: T1133 - External Remote Services | Severity: CRITICAL
// Caveat: PLCs do not run Defender; this fires on MDE-onboarded Windows/Linux hosts (HMI, engineering
// workstations, OPC servers) that accept these ports from external IPs. Cover the PLCs themselves with
// perimeter firewall logs and an external exposure scan of the OT address ranges.
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (44818, 102, 502, 20000, 47808, 4840, 1911, 9600, 2404, 34980)
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fe80:)")
| extend AlertTitle = "Internet-Facing OT/ICS Protocol Inbound — Iranian APT Exploitation Risk"
| extend Severity = "Critical"
| extend MITRETactic = "Initial Access"
| extend MITRETechnique = "T1133 - External Remote Services"
| extend RecommendedAction = "Block source IP at perimeter immediately; verify if PLC/SCADA device should have internet exposure (it should not); review firewall ACLs; consult CISA Advisory AA26-097A; if Allen-Bradley PLC — initiate OT IR procedure"
| project
Timestamp, AlertTitle, Severity, DeviceName,
LocalIP, LocalPort, RemoteIP,
MITRETactic, MITRETechnique, RecommendedAction
DET-07: Ransomware Note Creation — Generic
Rationale: Ransom note filenames follow consistent patterns (READ_ME, DECRYPT_ME, HOW_TO_DECRYPT, YOUR_FILES_ARE_ENCRYPTED and similar) that have no legitimate use. The pattern requires a separator after READ so that ordinary README.txt and README.md files, which developer repositories create constantly, do not match, and it allows trailing text before the extension so that notes such as !!!READ_ME_MEDUSA!!!.txt from the IOC pack are caught. With that exclusion in place, even a single note file creation is a strong indicator of active or completed encryption.
// DET-07: Ransom Note Creation — KRYBIT / Everest / Generic Ransomware
// MITRE: T1486 - Data Encrypted for Impact | Severity: CRITICAL
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
// Anchored at the start; a separator is mandatory after READ (excludes README.*); [^.]* permits suffixes like _MEDUSA!!!
| where FileName matches regex @"(?i)^!*(READ[_\s-]ME|DECRYPT[_\s-]?ME|HOW[_\s-]?TO[_\s-]?(DECRYPT|RECOVER|RESTORE)|RECOVERY[_\s-]?FILE|RESTORE[_\s-]?FILE|YOUR[_\s-]?FILES[_\s-]?ARE[_\s-]?ENCRYPTED|!!!IMPORTANT!!!|KRYBIT|everest)[^.]*\.(txt|html|hta|rtf|md)$"
| summarize
NoteCount = count(),
AffectedPaths = make_set(FolderPath, 20),
FileNames = make_set(FileName, 10)
by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| extend AlertTitle = "Ransomware Note Created — Active or Completed Encryption Detected"
| extend Severity = "Critical"
| extend MITRETactic = "Impact"
| extend MITRETechnique = "T1486 - Data Encrypted for Impact"
| extend RecommendedAction = "CRITICAL: Isolate host at network switch level; do not power off; initiate IR; check active SMB connections for lateral spread; preserve forensic artefacts for analysis"
| project
Timestamp, AlertTitle, Severity, DeviceName,
InitiatingProcessFileName, NoteCount, AffectedPaths, FileNames,
MITRETactic, MITRETechnique, RecommendedAction
Mitigation Priorities
Patch (actively exploited — act now):
- KB5056575 — CVE-2026-32202 Windows Shell (all Windows endpoints + servers)
- BeyondTrust Remote Support / PRA — CVE-2026-1731
- SmarterMail — CVE-2026-23760 (upgrade to latest release)
- cPanel — CVE-2026-41940 (patch or take offline)
- GV-VMS V20 — CVE-2026-42369 (CVSS 10 — patch or network-isolate immediately)
Network hardening:
- Block outbound TCP/445 at all network perimeters (removes the SMB path for CVE-2026-32202 NTLM coercion); also stop and disable the WebClient service on endpoints that do not need it, because Windows falls back to WebDAV over TCP/80 and 443 for a UNC path when SMB is unreachable
- Remove internet exposure from all OT/ICS protocol ports — 44818, 102, 502, 20000, 47808, 4840
- Add privileged accounts to the Protected Users security group (members cannot authenticate with NTLM, so a captured or relayed hash for those accounts is unusable)
- Enable Credential Guard on all Windows 10/11 and Server 2016+ systems
Cisco Firepower (FIRESTARTER):
- Run CISA YARA rules (AR26-113A) against all Cisco Firepower/ASA device images
- If compromise detected: hard power cycle and perform clean image reinstall — patches alone do not remove FIRESTARTER
- Consult CISA ED 25-03 for identification and mitigation guidance
Developer environments (Mini Shai-Hulud):
- Audit all Python environments for `lightning` 2.6.2 or 2.6.3 and uninstall immediately
- Rotate all cloud credentials, API tokens, and npm/PyPI tokens on affected developer systems
- Review git commit history on repos accessible from affected machines for injected payloads
- Warn developers about HexagonalRodent LinkedIn lures — do not clone and run code from "interview tasks" without security review
Sources
- Storm-1175 / Medusa — Microsoft Security Blog
- Storm-1175 Active IOC Advisory — Rewterz
- Storm-1175 24-Hour Attack Cycle — CybelAngel
- Storm-1175 High Velocity — Dark Reading
- CVE-2026-32202 Windows Shell — Help Net Security
- CVE-2026-32202 Incomplete Patch Analysis — Akamai
- CVE-2026-32202 APT28 Exploitation — CiphersSecurity
- HexagonalRodent DPRK — Help Net Security
- North Korean Crypto Theft $12M — The Record
- DPRK Crypto Theft 2026 Overview — TechCrunch
- FIRESTARTER Backdoor — CISA Advisory AR26-113A
- FIRESTARTER — Help Net Security
- FIRESTARTER — SecurityWeek
- Lightning PyPI Compromise — Semgrep Research
- Lightning PyPI Compromise — Socket.dev
- Lightning PyPI — Aikido Security
- Mini Shai-Hulud Worm — TheCyberThrone
- Iranian APT PLC Attacks — CISA Advisory AA26-097A
- Iranian APT Critical Infrastructure — Dark Reading
- Iranian APT ICS — Industrial Cyber
- CVE-2026-42369 GV-VMS CVSS 10 — TheHackerWire
- CISA Known Exploited Vulnerabilities Catalog
- China-Linked Hackers Target Asian Governments — The Hacker News
- CISA Adds 8 Exploited Flaws — The Hacker News