Malware Activity
New Russian Malware Campaigns and Advanced Phishing Tools
Cybersecurity experts have identified a new Russian-led cyber campaign targeting Ukrainian organizations, involving two previously unknown malware families, BadPaw and MeowMeow. The attack starts with a phishing email containing a link to a ZIP file, which delivers a fake Ukrainian border crossing document to deceive victims. Behind the scenes, the malware checks the system’s age to avoid detection, then silently downloads additional malicious components, including a backdoor that allows attackers to remotely control infected devices. Evidence suggests Russian involvement, as the malware often includes Russian language clues. In addition, a new phishing tool called Starkiller has emerged, capable of creating highly convincing fake login pages that bypass multi-factor authentication. Starkiller uses advanced techniques like real-time proxying and headless browsers to steal login information and session tokens, making it easier for cybercriminals to hijack accounts and launch large-scale attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine
- TheHackerNews: Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
Threat Actor Activity
FBI and International Partners Dismantle LeakBase Cybercrime Forum
A coordinated international law enforcement operation known as Operation Leak has dismantled LeakBase, a major cybercrime forum used by threat actors to buy and sell stolen data, hacking tools, and illicit cyber services. Active since 2021 and accessible on the clearnet, the platform had grown to more than 142,000 members and over 215,000 posts by late 2025, becoming a significant marketplace for leaked databases, exploits, and infostealer logs containing credentials harvested from compromised systems. The forum enabled cybercriminal activity such as account takeovers, financial fraud, and network intrusions by providing access to large collections of stolen account credentials, banking and payment card information, and other sensitive data. Law enforcement agencies across fourteen (14) countries, including the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom, conducted coordinated actions on March 3 – 4, 2026, which included arrests, search warrants, interviews, and “knock-and-talk” interventions targeting thirty-seven (37) of the platform’s most active users. Authorities seized LeakBase’s domains and replaced them with an FBI seizure notice, while also securing the forum’s database, including user accounts, posts, credit details, private messages, and IP logs for evidentiary purposes. The site was reportedly operated by a threat actor known as Chucky (also using the aliases Chuckies and Sqlrip), alongside moderators including BloodyMery, OrderCheck, and TSR, and notably prohibited the sale of Russian data to avoid scrutiny. Europol reported roughly 100 enforcement actions worldwide, and officials say the operation will now move into a prevention phase aimed at deterring cybercriminal activity and raising awareness of the consequences of participating in online cybercrime marketplaces. 
The takedown continues a broader trend of international law enforcement disruptions of major cybercrime communities, following earlier operations against RaidForums in 2022 and BreachForums in 2023, as well as the conviction and sentencing of the BreachForums founder in 2025.
Vulnerabilities
Zero-Click RCE Vulnerability Discovered in FreeScout Helpdesk Platform
A critical vulnerability in the FreeScout open-source helpdesk platform allows attackers to achieve unauthenticated remote code execution (RCE) by sending a specially crafted email attachment to a FreeScout mailbox. The flaw, tracked as CVE-2026-28289, bypasses a recent fix for another RCE vulnerability (CVE-2026-27636) by inserting a zero-width space (Unicode U+200B) before a malicious filename, evading validation checks designed to block dangerous file uploads. Because the validation runs before the invisible character is stripped during processing, the check never sees the leading dot; the file is then stored as a dotfile, enabling execution through the web interface. Because FreeScout automatically processes inbound email attachments and stores them in a web-accessible directory, exploitation requires no user interaction, effectively making it a zero-click attack that could lead to full server compromise, data theft, lateral movement, or service disruption. The issue affects FreeScout versions up to 1.8.206 and has been patched in version 1.8.207. Security researchers identified over 1,100 publicly exposed instances of the platform, highlighting the potential impact. Although no active exploitation has been observed yet, CTIX analysts strongly advise any affected readers to patch immediately and consider additional mitigations such as disabling AllowOverride All in Apache configurations.
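The validate-then-normalize ordering behind this bypass, shown as an added Python example written for this briefing (it is not FreeScout's code; the dotfile blocklist policy, the filenames and the `has_invisible_chars` detection helper are constructed for illustration):

```python
import unicodedata
from typing import Optional

# Unicode "format" characters (general category Cf) include the zero-width
# space U+200B, zero-width joiner/non-joiner and the BOM; none of them
# belong in an attachment filename.
def strip_invisible(name: str) -> str:
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")

def is_blocked(name: str) -> bool:
    # Constructed policy: reject empty names, dotfiles and path separators.
    return name == "" or name.startswith(".") or "/" in name or "\\" in name

def store_name_vulnerable(name: str) -> Optional[str]:
    """Validate first, then normalize (the ordering described above).
    A leading U+200B hides the dot from is_blocked() and is only stripped
    afterwards, so the stored name becomes a dotfile."""
    if is_blocked(name):
        return None
    return strip_invisible(name)

def store_name_hardened(name: str) -> Optional[str]:
    """Normalize first, then validate the exact string that will be stored.
    Names that needed cleaning are rejected outright rather than repaired."""
    cleaned = strip_invisible(name)
    if cleaned != name or is_blocked(cleaned):
        return None
    return cleaned

def has_invisible_chars(name: str) -> bool:
    """Detection helper: flag attachment names carrying format characters,
    e.g. when reviewing mail gateway or helpdesk attachment logs."""
    return any(unicodedata.category(ch) == "Cf" for ch in name)
```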

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
