Malware Activity
When Trust Becomes the Attack Surface
Two (2) recent campaigns highlight a growing shift in cybercrime where attackers exploit trusted platforms and everyday user actions, rather than software flaws, to cause harm. In the first campaign, threat actors exploited the popular note‑taking app Obsidian by posing as venture capital investors and convincing finance and cryptocurrency professionals to enable a normally disabled plugin feature. That single action allowed malicious configurations to run silently inside a legitimate, signed application, bypassing traditional antivirus tools and installing hidden remote‑access malware. In a separate campaign dubbed Pushpaganda, attackers used AI‑generated news content and search optimization to push fake stories into Google’s Discover feed. Victims who clicked were pressured into enabling browser notifications, which then delivered fake legal threats, scareware, and financial scams directly to their devices. Both campaigns relied on legitimate features, trusted brands, and user consent, allowing malicious activity to blend into normal behavior. Together, they show how cyber risk is increasingly driven by social engineering and manipulated trust, making user awareness and visibility into real behavior just as important as patching vulnerabilities. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks article
- TheHackerNews: AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud article
Threat Actor Activity
Cargo-Theft Hackers are Using Remote Access Tools to Target Trucking and Logistics
Proofpoint researchers recently shared visibility into a financially motivated threat actor targeting the trucking and logistics sector. Proofpoint researchers detonated the crime group’s payload in a specialized decoy environment. After compromising a load board platform and sending a malicious VBS file masquerading as broker and carrier paperwork, the attackers deployed several remote management tools, including four (4) ScreenConnect instances as well as Pulseway and SimpleHelp, to maintain redundant, long-term access. A key discovery was a “signing-as-a-service” scheme: via PowerShell, the actor fetched a ScreenConnect installer from their own infrastructure, sent it to an external signing service, then downloaded a re-signed MSI and binaries bearing a valid (but fraudulent) Sectigo code-signing certificate. This allowed them to replace revoked vendor-signed components and maintain trusted, stealthy remote access despite ScreenConnect’s certificate revocations. With persistence in place, the next step in the campaign was for the threat actor to conduct hands-on-keyboard activity: accessing PayPal in the browser, running a PyInstaller tool to locate browser and desktop crypto wallets, and executing at least thirteen (13) PowerShell scripts to mine browser histories and SQLite databases for banking, money transfer, accounting, fleet fuel card, load board, and freight brokerage access. Results were funneled to Telegram for operator review. The operation shows deep knowledge of transportation workflows and intent to enable both cargo theft and broader financial fraud. It also highlights a growing criminal trend of abusing legitimate trust mechanisms (code signing, RMM tools). CTIX Analysts recommend that transport and logistics firms monitor for unauthorized RMM, suspicious PowerShell use, and abnormal access to financial and freight platforms. Please find relevant IOCs in the Proofpoint report linked below. 
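The monitoring recommendation above can be turned into a simple host-telemetry check. The following is an added example written for this briefing, not code from Proofpoint or any vendor: it scans constructed process-creation events for the two patterns the report describes, redundant RMM agents (ScreenConnect, Pulseway, SimpleHelp) on one host and an installer chain that starts from a script host and PowerShell. Host names, paths and executable names are assumptions for illustration.

```python
from collections import defaultdict

# Keywords matched against the lowercased image path. The product names come
# from the Proofpoint report; the executable naming is an assumption.
RMM_KEYWORDS = {"ScreenConnect": "screenconnect",
                "Pulseway": "pulseway",
                "SimpleHelp": "simplehelp"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # VBS lure runs under these

def rmm_product(image):
    """Return the RMM product name a process image belongs to, or None."""
    name = image.lower()
    for product, keyword in RMM_KEYWORDS.items():
        if keyword in name:
            return product
    return None

def analyze(events):
    """Return a list of (host, finding) tuples worth an analyst's attention."""
    agents_per_host = defaultdict(set)
    findings = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent"].lower()
        product = rmm_product(image)
        if product:
            agents_per_host[ev["host"]].add(product)
        # PowerShell launched by a script host: the report's VBS-to-PowerShell chain.
        if image.endswith("powershell.exe") and parent.endswith(SCRIPT_HOSTS):
            findings.append((ev["host"], "PowerShell spawned by script host"))
        # An MSI install driven from PowerShell, as with the re-signed installer.
        if image.endswith("msiexec.exe") and parent.endswith("powershell.exe"):
            findings.append((ev["host"], "msiexec launched by PowerShell"))
    # Two or more distinct RMM products on one host: redundant access, as in the campaign.
    for host, products in agents_per_host.items():
        if len(products) >= 2:
            findings.append((host, "multiple RMM agents: " + ", ".join(sorted(products))))
    return findings

# Constructed sample telemetry (not real data): WS01 shows the full chain, WS02 is a
# normal workstation with the company's single sanctioned RMM agent.
SAMPLE_EVENTS = [
    {"host": "TRK-WS01", "parent": "wscript.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "TRK-WS01", "parent": "powershell.exe", "image": "C:\\Windows\\System32\\msiexec.exe"},
    {"host": "TRK-WS01", "parent": "services.exe", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"host": "TRK-WS01", "parent": "services.exe", "image": "C:\\Program Files\\Pulseway\\PCMonitorSrv.exe"},
    {"host": "TRK-WS02", "parent": "services.exe", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

A single sanctioned RMM agent on its own is not flagged; the signal is the combination of several agents and a scripted installer chain on the same host.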
CTIX will continue to provide timely reporting of relevant and ongoing threat actor activities.
Vulnerabilities
Critical Nginx-UI MCP Vulnerability Enables Unauthenticated Server Takeover
A critical authentication bypass vulnerability in nginx-ui, dubbed “MCPwn,” is being actively exploited to fully compromise exposed Nginx servers. The flaw, tracked as CVE-2026-33032, affects the platform’s Model Context Protocol (MCP) integration, where the /mcp_message endpoint is left insufficiently protected and, by default, allows requests from any IP address without requiring authentication. This enables remote attackers to invoke privileged MCP functions such as restarting Nginx, modifying or deleting configuration files, injecting malicious server blocks, forcing configuration reloads, intercepting traffic, and harvesting administrator credentials. Researchers found that exploitation can occur in seconds using just two (2) requests. The first establishes a session and obtains a session ID, and the second issues unauthorized MCP commands through /mcp_message. Attackers can further enhance exploitation by chaining the flaw with CVE-2026-27944, a separate nginx-ui vulnerability that exposes backup encryption keys and sensitive data such as user credentials, SSL private keys, Nginx configurations, and the “node_secret” value used to authenticate MCP sessions. Security researchers warn that the issue reflects a broader risk with MCP integrations, where newly added AI- or automation-related capabilities inherit application functionality without inheriting the same security protections. The flaw was patched in nginx-ui version 2.3.4 in March 2026, but public proof-of-concept exploit code and technical details quickly became available, accelerating attacks in the wild. Current Shodan data indicates there are roughly 2,600 to 2,700 internet-exposed nginx-ui instances, primarily located in China, the United States, Indonesia, Germany, and Hong Kong, leaving a large attack surface for threat actors.
CTIX analysts strongly advise administrators to upgrade immediately to the latest secure release, currently version 2.3.6, disable MCP functionality where possible, restrict network exposure, and enforce authentication on MCP endpoints, as well as adopt deny-by-default IP allowlisting.
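Until an instance is upgraded, the deny-by-default allowlisting recommended above can be verified from the web server's own access log. The following is an added example for this briefing, not code from the nginx-ui project: it parses constructed log lines in the standard nginx "combined" format and reports every request to the /mcp_message endpoint named in the advisory that originates outside a management allowlist. The allowlist network, IP addresses and query string are assumptions for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Standard nginx "combined" log format (field order is the nginx default).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

MCP_PATH = "/mcp_message"  # endpoint named in the advisory

# Deny-by-default: only these networks may reach the MCP endpoint at all.
# Constructed example allowlist; replace with your own management network.
MCP_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_allowed(ip):
    """True when the source address falls inside the MCP allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MCP_ALLOWLIST)

def find_mcp_abuse(lines):
    """Return {source_ip: request_count} for /mcp_message hits from non-allowlisted IPs."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == MCP_PATH and not is_allowed(rec["ip"]):
            hits[rec["ip"]] += 1
    return dict(hits)

# Constructed sample log (not real traffic): an external address reaching the MCP
# endpoint twice, one allowlisted management host, and an unrelated login request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2026:10:00:01 +0000] "POST /mcp_message?session=example HTTP/1.1" 200 15 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Apr/2026:10:00:02 +0000] "POST /mcp_message?session=example HTTP/1.1" 200 15 "-" "python-requests/2.31"',
    '10.20.0.5 - - [12/Apr/2026:10:00:03 +0000] "POST /mcp_message HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Apr/2026:10:00:04 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in find_mcp_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {count} request(s) to {MCP_PATH} outside the allowlist")
```

Any non-zero result on an instance that has not been upgraded should be treated as a potential compromise rather than a configuration warning, since a successful pair of requests is all the advisory says exploitation needs.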
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
