Malware Activity
Emerging Threats and Vulnerabilities in Modern Technology
Recent security findings highlight critical vulnerabilities and advanced hacking techniques targeting both AI platforms and isolated systems. Researchers uncovered “ClawJacked,” a flaw in the popular self-hosted AI platform OpenClaw, which allowed malicious websites to silently connect and guess management passwords through its WebSocket interface, risking complete control over the AI system. This vulnerability was caused by insufficient protection against brute-force attacks on local connections and was promptly patched in February 2026. Meanwhile, North Korean hackers linked to APT37 have developed sophisticated methods to secretly transfer data from air-gapped systems (computers disconnected from the internet) using infected USB drives and malicious scripts. Their campaign, dubbed Ruby Jumper, employs fake shortcut files and specialized malware to turn removable drives into covert communication channels, enabling the theft of sensitive information and surveillance activities. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: "ClawJacked Attack Let Malicious Websites Hijack OpenClaw to Steal Data"
- BleepingComputer: "APT37 Hackers Use New Malware to Breach Air-Gapped Networks"
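The ClawJacked root cause described above, brute-force protection that does not cover local connections, can be shown with a small model. This is an added example, not OpenClaw code: the AuthThrottle class, its exemptLoopback option, the wordlist and the timings are all hypothetical and constructed for illustration.

```javascript
// Added illustration with hypothetical names; not taken from OpenClaw.
function isLoopback(addr) {
  return addr === '::1' || addr.startsWith('127.') || addr.startsWith('::ffff:127.');
}

class AuthThrottle {
  constructor({ maxFailures = 5, lockoutMs = 60000, exemptLoopback = false } = {}) {
    this.maxFailures = maxFailures;
    this.lockoutMs = lockoutMs;
    this.exemptLoopback = exemptLoopback; // weak setting: trusts local peers
    this.state = new Map(); // remote address -> { failures, lockedUntil }
  }

  // Returns 'ok', 'denied' or 'locked' for one password attempt.
  attempt(remoteAddress, passwordOk, now) {
    const exempt = this.exemptLoopback && isLoopback(remoteAddress);
    const s = this.state.get(remoteAddress) || { failures: 0, lockedUntil: 0 };
    if (!exempt && now < s.lockedUntil) return 'locked';
    if (passwordOk) { this.state.delete(remoteAddress); return 'ok'; }
    s.failures += 1;
    if (!exempt && s.failures >= this.maxFailures) {
      s.lockedUntil = now + this.lockoutMs;
      s.failures = 0;
    }
    this.state.set(remoteAddress, s);
    return 'denied';
  }
}

// A web page open in the user's browser connects from the same host, so the
// service sees the peer as 127.0.0.1 even though the page is untrusted.
function simulateGuessing(throttle, guesses, secret) {
  let now = 0, tried = 0;
  for (const g of guesses) {
    const r = throttle.attempt('127.0.0.1', g === secret, now);
    now += 10; // constructed timing: 10 ms per attempt
    if (r === 'locked') return { found: false, tried };
    tried += 1;
    if (r === 'ok') return { found: true, tried };
  }
  return { found: false, tried };
}

const GUESSES = Array.from({ length: 1000 }, (_, i) => 'pw' + i); // constructed list
const SECRET = 'pw400'; // constructed management password
const weak = simulateGuessing(new AuthThrottle({ exemptLoopback: true }), GUESSES, SECRET);
const hardened = simulateGuessing(new AuthThrottle({ exemptLoopback: false }), GUESSES, SECRET);
console.log({ weak, hardened });
```

With the loopback exemption the guessing run is never throttled; without it, the same run is locked out after five failures.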
Threat Actor Activity
Look into Cyber Operations Amid US-Israel-Iran Conflict
The escalating conflict between the United States and Israel on one side and Iran on the other has been accompanied by extensive cyber operations, resulting in significant internet disruptions and cyberattacks. The conflict began on February 28, when the US and Israel launched coordinated airstrikes targeting Iranian military sites, leading to the death of Supreme Leader Ali Khamenei. In retaliation, Iran launched missile and drone attacks on US and Israeli targets in the region, causing limited casualties. US-Israeli cyberattacks have targeted Iranian infrastructure, including news websites, IRGC communications, and government services, using DDoS and deep intrusions into energy and aviation systems. These operations are described as the largest cyberattacks in history. Pro-West hackers also hijacked a popular Iranian prayer app. Iranian hackers have retaliated with increased operations, targeting Israeli air defense systems, Jordanian fuel infrastructure, and Israeli industrial control systems. Activities include DDoS attacks and data-wiping operations aimed at US and Israeli military logistics. Experts caution that while both sides possess advanced cyber capabilities, reports of cyberattack impacts may be exaggerated. Nonetheless, the threat of sophisticated cyber intrusions remains genuine. SentinelOne notes that while significant cyber activity directly linked to the conflict hasn’t been observed, potential targeting of critical sectors in the US and Israel is likely.
Vulnerabilities
CISA Details RESURGE Implant Used in Ivanti Zero-Day Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released updated technical details on RESURGE, a stealthy malicious implant deployed in zero-day attacks exploiting CVE-2025-0282 in Ivanti Connect Secure devices, which Mandiant attributes to a China-linked threat actor tracked as UNC5221 since mid-December 2024. The primary component, a 32-bit Linux shared object file (libdsupgrade.so), functions as a passive command-and-control (C2) implant with rootkit, bootkit, backdoor, proxying, and tunneling capabilities, designed to evade detection by waiting indefinitely for specially crafted inbound TLS connections rather than beaconing outward. It hooks the web server’s accept() function to inspect TLS traffic using CRC32-based fingerprinting, forwarding legitimate traffic to the Ivanti server while intercepting attacker connections authenticated via a forged Ivanti certificate. Although the fake certificate is not used for encryption, it enables authentication and impersonation, and because it is transmitted unencrypted, it may serve as a detectable network signature. Once validated, attackers establish encrypted mutual TLS sessions using elliptic curve cryptography, with the implant verifying keys against a hard-coded EC certificate authority. Additional components include a SpawnSloth variant (liblogblock.so) for log tampering and a kernel extraction script (dsmain) enabling firmware decryption and modification for boot-level persistence. CTIX analysts warn that RESURGE can remain dormant and undetected until activated by a remote operator, posing an ongoing risk, and urge administrators to use updated indicators of compromise to identify and remediate infections.

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
