Cybersecurity Daily Briefing: May 05, 2026

Coverage: Last 24 hours

Today’s Highlights

Ransomware actors face rare legal consequences, while enterprise SaaS platforms, AI services, and exposed business apps remain prime attacker targets. This cycle shows surges in hands-on remote code execution exploits, supply-chain compromises, and increasingly creative abuses of legitimate cloud infrastructure. Key themes include active exploitation of critical business applications, surveillance malware delivered through supply-chain compromise, risks from misconfigured AI and SaaS, and operational uncertainty introduced by both law enforcement actions and complex threat actor tactics.

Table of Contents

  1. Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison
  2. CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs
  3. ScarCruft hackers push BirdCall Android malware via game platform
  4. Amazon SES increasingly abused in phishing to evade detection
  5. Karakurt Ransomware Negotiator Sentenced to Prison
  6. ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows
  7. Weaver E-cology critical bug exploited in attacks since March

Top Stories


Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison

Source: BleepingComputer | Risk: Medium | Impacted: Incident response teams, Ransomware negotiators, Critical infrastructure operators

Summary: Deniss Zolotarjovs, a 35‑year‑old Latvian national and “cold case” negotiator for the Karakurt ransomware gang, was extradited to the U.S., pleaded guilty to wire fraud and money laundering, and has been sentenced to 8.5 years in prison for facilitating extortion efforts and leveraging sensitive data to pressure victims. He coordinated extortion of dozens of companies and a U.S. government 911 system.

Why it matters: The prosecution of ransomware facilitators disrupts payment negotiation workflows and may force other actors to accelerate or alter their extortion methods. Organizations could see less experienced intermediaries and riskier demands, increasing operational unpredictability during future extortion events.

Practitioner Perspective

This case signals that Western law enforcement can successfully extradite, arrest, and prosecute non-technical but operationally critical contributors in ransomware groups, even after conventional attribution challenges. The Karakurt gang had professionalized ransom negotiations, sometimes leveraging sensitive business or government data for leverage. With their negotiation ecosystem disrupted, future extortion may exhibit more chaotic or overt pressure tactics, and inexperienced actors may mishandle communications. Security teams should expect less predictable negotiation outcomes and prepare crisis communications and legal teams with these shifts in mind.

Recommended Actions

  • Review and update extortion and ransom communication playbooks to account for changing threat actor negotiation tactics
  • Coordinate with legal and executive leadership for rapid decisions and contingency planning in the wake of organizational data theft

CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs

Source: BleepingComputer | Risk: High | Impacted: Microsoft Phone Link users, 2FA-protected accounts, Endpoints with remote tooling exposure

Summary: A newly updated CloudZ remote access tool now includes a malicious plugin named Pheno, which exploits Microsoft Phone Link to intercept SMS messages and one-time passwords by reading its local SQLite database. The attack bypasses the mobile device entirely, allowing attackers to steal sensitive codes while the RAT also enables various other system manipulations.

Why it matters: Malware that exploits desktop-side access to Microsoft Phone Link SMS and OTP data can bypass typical mobile security controls and directly undermine multi-factor authentication, putting sensitive accounts at risk even when no mobile device is compromised.

Practitioner Perspective

The CloudZ RAT’s new Pheno plugin demonstrates adversary adaptation to desktop-mobile converged workflows, specifically targeting the Microsoft Phone Link app’s SQLite database for SMS and OTP theft. Any workstation allowing Phone Link with privileged accounts becomes a viable vector for account takeovers and bypassing SMS-based 2FA, irrespective of mobile endpoint hygiene. Organizations permitting Phone Link in regulated or high-risk environments may have a fundamental exposure. Security teams should rigorously reassess their threat models around desktop-mobile app integration and OTP flows.

Recommended Actions

  • Disable Microsoft Phone Link where not strictly required, especially on endpoints with privileged access or sensitive accounts
  • Hunt for unauthorized access to the com.microsoft.yoursphone.sqlite database on user workstations
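One way to run the hunt above as detection logic over endpoint file-access telemetry, added here as an illustration (not code from the briefing, BleepingComputer or Microsoft): it flags any process other than the Phone Link host that touches the database file named in the story. The pipe-delimited log format, the field names, the sample events and the allowlisted process name `PhoneExperienceHost.exe` are assumptions.

```python
"""Flag file-access events where a process other than the Phone Link host touches
the Phone Link SMS database. Log format, field names and the allowlisted process
are assumptions for this example; the sample events below are constructed."""
import csv, io
from dataclasses import dataclass

# Database file named in the briefing. Match on the basename only: the full
# on-disk path differs per user profile.
PHONE_LINK_DB = "com.microsoft.yoursphone.sqlite"

# Assumption: the legitimate Phone Link desktop process. Tune to what your EDR
# records for normal use; anything else reading the database is suspect.
ALLOWED_PROCESSES = {"phoneexperiencehost.exe"}

@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    process: str
    reason: str

def _basename(path: str) -> str:
    """Lower-cased final path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def scan_file_access_log(log_text: str) -> list[Alert]:
    """Parse a pipe-delimited file-access log; return one Alert per suspect access."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text), delimiter="|"):
        if _basename(row["target_path"]) != PHONE_LINK_DB:
            continue  # not the Phone Link database
        proc = row["process_image"].strip()
        if _basename(proc) in ALLOWED_PROCESSES:
            continue  # expected accessor
        reason = f"{_basename(proc)} performed {row['access'].strip()} on the Phone Link database"
        alerts.append(Alert(row["timestamp"], row["host"], row["user"], proc, reason))
    return alerts

# Constructed sample telemetry (not real events); paths are illustrative.
SAMPLE_LOG = r"""timestamp|host|user|process_image|access|target_path
2026-05-04T09:12:01Z|WS-0142|corp\jdoe|C:\Program Files\WindowsApps\PhoneLink\PhoneExperienceHost.exe|READ|C:\Users\jdoe\AppData\Local\PhoneLink\com.microsoft.yoursphone.sqlite
2026-05-04T09:12:05Z|WS-0142|corp\jdoe|C:\Users\jdoe\AppData\Roaming\updater\svc.exe|READ|C:\Users\jdoe\AppData\Local\PhoneLink\com.microsoft.yoursphone.sqlite
2026-05-04T09:13:10Z|WS-0142|corp\jdoe|C:\Windows\System32\notepad.exe|READ|C:\Users\jdoe\Documents\notes.txt
2026-05-04T09:14:22Z|WS-0177|corp\asmith|C:\Windows\System32\cmd.exe|COPY|C:\Users\asmith\AppData\Local\PhoneLink\COM.MICROSOFT.YOURSPHONE.SQLITE
"""

if __name__ == "__main__":
    for a in scan_file_access_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user}: {a.reason}")
```

The match is case-insensitive on the file name, so the uppercased copy in the last sample row is still caught.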

ScarCruft hackers push BirdCall Android malware via game platform

Source: BleepingComputer | Risk: High | Impacted: Multinational Android fleets, Users of regional gaming platforms, Organizations with supply-chain dependency in China

Summary: The North Korean group APT37 (ScarCruft) has compromised a video game platform hosting Yanbian‑targeted apps, trojanizing Android APKs to deliver a novel version of the BirdCall backdoor, which harvests contacts, SMS, files, screenshots, and records ambient audio. The attack dates back to late 2024. Researchers at ESET uncovered the campaign.

Why it matters: Supply-chain compromise of regional app distribution platforms severely increases stealth and reach for state-linked threat actors, enabling deep surveillance across user bases not well protected by conventional mobile app vetting or MDM controls.

Practitioner Perspective

APT37 (ScarCruft) leveraged a compromised game platform to distribute a trojanized Android BirdCall backdoor targeted at Yanbian users, blending surveillance malware into popular apps. This highlights the growing risk of state actors subverting local or gray-market app ecosystems where code reviews and supply-chain protections are weak. Large multinationals with presence in regions like Yanbian should treat local app sourcing as a key risk vector, especially with the demonstrated capability for audio, file, and credential exfiltration. The main lesson: standard MDM and Play Store protections do not cover these supply-chain attacks.

Recommended Actions

  • Hunt for BirdCall malware artifacts on Android endpoints distributed via Yanbian gaming apps since 2024
  • Require code-signing and supply-chain validation for all internally or externally sourced regional APK deployments

Amazon SES increasingly abused in phishing to evade detection

Source: BleepingComputer | Risk: High | Impacted: Companies using AWS SES, Engineering teams managing AWS secrets, Recipients of business email lures

Summary: Attackers are increasingly abusing Amazon Simple Email Service (SES) to send phishing emails that bypass authentication and reputation filters, driven by exposed AWS access keys. These keys are often leaked via public repositories and are exploited using automated tools to mass-distribute realistic phishing campaigns, including fake DocuSign notifications and business email compromise attempts.

Why it matters: Attackers using Amazon SES and leaked AWS keys to send phishing emails defeat many anti-spam and DMARC controls, enabling sophisticated credential theft, business email compromise, and document lures to land directly in employee inboxes.

Practitioner Perspective

Adversaries are exploiting publicly exposed AWS access keys to generate convincing phishing campaigns using Amazon SES, undermining email filtering that relies on sender reputation or authentication records. Many organizations underestimate the risk from developer leaks in public or poorly monitored repositories. Those failing to audit and rotate AWS secrets or lacking detection for SES abuse are likely to see an increase in successful phishing, especially with convincing themes like DocuSign. Defense now requires tighter cloud secret hygiene and live abuse monitoring far beyond traditional secure email gateway settings.

Recommended Actions

  • Continuously scan public code repositories and internal artifact stores for exposed AWS access keys linked to SES
  • Restrict SES send permissions via IAM least privilege and mandate MFA for all AWS admin users
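An added example (not from the briefing or from AWS) of the least-privilege check behind the second action: a small linter that flags IAM statements granting SES send rights on `Resource: "*"` with no `ses:FromAddress` condition, shown next to a constructed scoped policy that passes. The account ID, region and domain in the sample policies are placeholders.

```python
"""Lint IAM policy documents for over-broad Amazon SES send permissions.
The two sample policies are constructed; account ID, region and domain are
placeholders, not values from the briefing."""
import fnmatch
import json

# SES actions that let a principal send mail; wildcards such as ses:* or
# ses:Send* in a policy are expanded against this set.
SEND_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail",
                "ses:SendBulkTemplatedEmail", "ses:SendBulkEmail"}

def _as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _grants_send(actions):
    """True if any action pattern (IAM-style wildcards) matches a send action."""
    return any(fnmatch.fnmatchcase(a, pat) for pat in actions for a in SEND_ACTIONS)

def find_broad_ses_send(policy: dict) -> list[str]:
    """Return one finding per Allow statement that can send from any identity."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "NotAction" in st:
            continue  # NotAction statements need manual review; out of scope here
        if not _grants_send(_as_list(st.get("Action", []))):
            continue
        resources = _as_list(st.get("Resource", "*"))
        conds = st.get("Condition", {})
        pins_sender = any("ses:FromAddress" in keys for keys in conds.values())
        if "*" in resources and not pins_sender:
            findings.append(f"statement {st.get('Sid', i)}: SES send allowed on "
                            "Resource '*' with no ses:FromAddress condition")
    return findings

# Weak: a leaked key holding this policy can send as any verified identity.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MailerBroad", "Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}

# Scoped: one verified identity, one permitted From address (placeholders).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "MailerScoped", "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
    "Condition": {"StringEquals": {"ses:FromAddress": "notifications@example.com"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_ses_send(pol) or "OK")
    print(json.dumps(SCOPED_POLICY, indent=2))
```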

Karakurt Ransomware Negotiator Sentenced to Prison

Source: SecurityWeek | Risk: Medium | Impacted: Healthcare and government IR teams, Organizations historically contacted by Karakurt, Cyber insurance carriers

Summary: Deniss Zolotarjovs, a 35‑year‑old Latvian negotiator for the Karakurt ransomware gang, was sentenced in the United States to 102 months (8.5 years) in prison for orchestrating extortion negotiations, including advising on data release strategies and exploiting sensitive patient data, contributing to losses of at least $56 million across 53 victims. He pleaded guilty in July 2025 after being extradited in August 2024. Criminal charges covered his role in negotiating ransoms rather than executing intrusions. Zolotarjovs received 10% of each ransom, paid in cryptocurrency.

Why it matters: Disabling a major ransomware negotiator weakens the coordination structures threat actors rely on when asserting leverage over victims, potentially driving more unpredictable ransom demands and increasing the cost of incident recovery.

Practitioner Perspective

This sentencing removes a pivotal human infrastructure element from Karakurt’s ransomware operation, sending a deterrent message to other intermediaries. Without expert negotiators, some groups may escalate their leverage more aggressively or fumble extortion, leading to chaotic recovery scenarios and unpredictable payment timelines. Security leaders should account for changes to the criminal “customer service” approach and revise board-level risk and communications strategies. Effective incident planning now requires anticipating far less professionalism by threat actors.

Recommended Actions

  • Refresh Karakurt-related threat intelligence and pre-populate investigation playbooks for extortion contacts
  • Educate senior leadership about the possible procedural shifts and increased volatility in ransom events

Emerging Signals


ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

Source: The Hacker News | Risk: High | Impacted: Users of regional gaming platforms, Organizations with desktop/mobile software dependencies in China, Hybrid fleet security teams

Summary: North Korea–aligned ScarCruft compromised a video game platform used by ethnic Koreans in China, inserting its BirdCall backdoor into both Windows and Android components via a supply‑chain attack. The Windows and Android versions facilitate surveillance such as keystroke logging, screenshots, file access, and voice recording.

Why it matters: Adversaries controlling upstream software distribution channels can stealthily deliver persistent malware to both endpoint and mobile fleets, increasing the chance of undetected cross-OS compromise and deep surveillance.

Practitioner Perspective

ScarCruft’s supply-chain attack on a gaming platform serving ethnic Koreans in China injected the BirdCall backdoor into both Android and Windows builds, with functionality for file access, audio capture, and keystroke monitoring. This case exemplifies the danger of relying on unaudited third-party distribution channels and highlights weak spots in cross-platform security governance. Standard endpoint protection rarely inspects app provenance or matches threat intelligence on local distribution platforms. Defenders must now operate from the expectation that their mobile and desktop fleets could be simultaneously targeted without direct exposure to known C2 infrastructure.

Recommended Actions

  • Search for known BirdCall malware indicators on both Windows and Android devices deployed via the compromised gaming platform
  • Establish controls around software origin verification before approving application deployment in hybrid environments

Exploits & CVEs


Weaver E-cology critical bug exploited in attacks since March

Source: BleepingComputer | Risk: Critical | Impacted: Weaver E-cology users, Regional business app operators, IT outsourcing partners

Summary: Hackers have been exploiting a critical unauthenticated remote‑code‑execution vulnerability (CVE‑2026‑22679, CVSS 9.8) in Weaver E‑cology 10.0 since mid‑March, shortly after a patch was released but before public disclosure, using it to run discovery commands without establishing persistence. Users are urged to apply the March 12, 2026 update immediately.

Why it matters: Internet-exposed business platforms with weak asset visibility can remain vulnerable long after emergency fixes ship. Security teams should identify unmanaged regional or subsidiary deployments and hunt for post-exploitation command activity immediately.

Practitioner Perspective

Weaver E-cology 10.0 prior to the 20260312 release is under active remote exploitation due to the CVE-2026-22679 debug API flaw. The attack pattern includes rapid ‘opportunistic’ command execution, file delivery, and possible use of deceptive installers, primarily targeting exposed instances. This increases risk for organizations lacking unified asset management across subsidiaries or global branches where visibility is limited. Attackers do not require prior access and can target any unpatched internet-facing deployment. Every defender should treat this as a likely foothold vector and prioritize both emergency patching and post-event artifact review.

Recommended Actions

  • Inventory and locate all internet-facing Weaver E-cology 10.0 instances, including shadow IT and third-party managed systems
  • Apply the 20260312 patch for CVE-2026-22679 to every deployment; do not leave regional or subsidiary instances unaddressed

Defensive Actions

  • Inventory and locate all internet-facing Weaver E-cology 10.0 instances, including shadow IT and third-party managed systems
  • Apply the 20260312 patch for CVE-2026-22679 to every deployment, ensuring no unaddressed regional or subsidiary instances
  • Review logs for exploitation attempts to sensitive debug API endpoints and hunt for command execution, MSI drops, or lateral movement
  • Use vendor-provided detection scripts to analyze for evidence of compromise in Weaver E-cology deployments
  • Scan public code repositories and internal assets for exposed AWS SES access keys
  • Restrict Amazon SES send permissions, mandate IAM least privilege and multi-factor authentication for all AWS admin users
  • Hunt for BirdCall malware artifacts on Android endpoints distributed via regional gaming apps since 2024
  • Require code-signing and conduct supply-chain validation for regional APK deployments
  • Search for BirdCall malware indicators on both Windows and Android devices supplied by compromised gaming platforms
  • Audit for unauthorized access to com.microsoft.yoursphone.sqlite databases on workstations and monitor EDR for CloudZ or Pheno plugin traces

What We’re Watching

  • Trends in active exploitation of enterprise SaaS platforms and increasing overlap in attack surfaces across unrelated vendors
  • The rapid evolution of supply-chain attacks targeting both desktop and mobile software, especially in regional app stores
  • Law enforcement actions shaping the operational landscape and negotiation tactics of ransomware/extortion groups
  • The abuse of cloud provider infrastructure and credentials to bypass traditional email and authentication defenses
  • Accelerating risks posed by misconfigured and unauthenticated AI and LLM endpoints accessible on the public internet


Categories: Cybersecurity Blog, Cybersecurity News

