F5 Threat Report - January 7th, 2026

Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

Transparent Tribe (APT36) has initiated new cyber espionage campaigns against Indian governmental, academic, and strategic entities. One campaign utilizes spear-phishing emails containing ZIP archives with weaponized Windows shortcut (LNK) files, disguised as PDFs, which execute a remote HTML Application (HTA) script via `mshta.exe`. This HTA loads a RAT payload (`iinneldc.dll`) directly into memory, adapting its persistence method based on the victim's installed antivirus software (Kaspersky, Quick Heal, Avast, AVG, or Avira), and provides comprehensive remote control, file management, and data exfiltration capabilities.

A second APT36 campaign employs a malicious shortcut (`NCERT-Whatsapp-Advisory.pdf.lnk`) to deliver a .NET-based loader through an MSI installer retrieved from `aeroclubofindia.co[.]in`, establishing registry persistence and communicating with `dns.wmiprovider[.]com` via HTTP GET endpoints that use reversed characters for evasion.

Concurrently, the Patchwork group (Maha Grass) has targeted Pakistan's defense sector with a Python-based backdoor, distributed via phishing emails containing MSBuild project files. This backdoor leverages `msbuild.exe` for execution, downloads a Python interpreter, and maintains persistence through scheduled tasks, communicating with command-and-control (C2) servers such as `nexnxky[.]info`. Patchwork is also associated with the newly identified StreamSpy trojan, distributed via ZIP archives from `firebasescloudemail[.]com`, which employs WebSocket and HTTP for C2 communication (`www.mydropboxbackup[.]com`, `www.virtualworldsapinner[.]com`), establishes persistence through various Windows mechanisms, and supports extensive remote control and data collection, with its digital signature correlating with the DoNot Team's ShadowAgent, indicating potential resource sharing.

Severity: Critical

Threat Details and IOCs

Malware: CapraRAT, Crimson, Crimson RAT, CrimsonRAT, DeskRAT, ElizaRAT, MSIL/Crimson, ObliqueRAT, RemCom, RemoteCommandExecution, SEACRIT, SEASTAR, ShadowAgent, Spyder, Spyder Patchwork, StreamSpy, WarHawk
CVEs: CVE-2025-9491
Technologies: Avast, AVG, Avira, Kaspersky, Microsoft MSBuild, Microsoft PowerShell, Microsoft Windows, Quick Heal
Threat Actors: APT36, DoNotTeam, DroppingElephant, Mahagra, Patchwork, QuiltedTiger, RazorTiger, Sidewinder, TransparentTribe, ViceroyTiger
Attacker Countries: India, Pakistan
Attacker IPs: 2.56.10.86
Attacker Domains: aeroclubofindia.co.in, brityservice.info, dns.wmiprovider.com, drjagrutichavan.com, firebasescloudemail.com, innlive.in, nexnxky.info, soptr.info, upxvion.info, wmiprovider.com, www.mydropboxbackup.com, www.virtualworldsapinner.com
Attacker URLs: https://aeroclubofindia.co.in/css/NCERT-Whatsapp-Advisory/winc, https://drjagrutichavan.com/assetl/hp/pk5//ico/wd.ico, https://innlive.in/assets/public/01/jlp/jip.hta, hxxps://brityservice.info/ZxStpliGBsfdutMawer/sIOklbgrTYULKcsdGBZxsfetmw
Attacker Hashes: 06fb22c743fcc949998e280bd5deaf8f80d616b371576b5e11fd5b1d3b23a5f2, 1c335be51fc637b50d41533f3bef2251, 30fda797535a0f367ea2809426760020, 4dd9e2085297515825416415413eae1c9632392cb159ac70e459d0ebeb2dd49d, 580d6401775cd9dbd029893a97d0523315b7ccf70feaa9383bd1a67bf2016ab6, 6baf7121594b84177eec4420875908cf, aa5fe3b75d16022198f4c89d1cc6dff07bd654a3c34933a0764a9d100b4e6ca2, bbcbce9a08d971a4bbcd9a0af3576f1e0aa0dad1b3cf281c139b7a8dd8147605, c1f3dea00caec58c9e0f990366ff40ae59e93f666f92e1c218c03478bf3abe17, ceb715db684199958aa5e6c05dc5c7f0, e23ad0cc6633674103b725288fcc1fcb5995ba348bd760096d6d8ac0d019723c, f78fd7e4d92743ef6026de98291e8dee, fc43f4c618bce57461df5752a8d3bedf243eacfdd3e648ea8b1310083764fd92
Victim Industries: Aerospace, Civil Society, Defense, Education, Government, Military
Victim Countries: India, Pakistan

Mitigation Advice

  • Add the following domains to your network blocklist via firewall, DNS sinkhole, or web proxy: aeroclubofindia.co[.]in, dns.wmiprovider[.]com, firebasescloudemail[.]com, www.mydropboxbackup[.]com, www.virtualworldsapinner[.]com.
  • Block all inbound and outbound traffic to and from the IP address 2.56.10[.]86 at the network firewall.
  • Configure your email security gateway to block or quarantine all incoming emails with .lnk file attachments, including those within ZIP archives.
  • Configure your email gateway and web proxy to block the download and execution of HTML Application (.hta) files.
  • Using your EDR or endpoint management tool, scan all Windows systems for the existence of the directories 'C:\Users\Public\core\' and 'C:\ProgramData\PcDirvs\'.
  • Using your EDR or endpoint management tool, hunt for the following file names across all systems: 'iinneldc.dll', 'nikmights.msi', 'PcDirvs.exe', 'PcDirvs.hta', 'Annexure.exe'.
  • Audit the Windows Startup folders for all users on all endpoints for any recently created or suspicious .LNK files.
  • Review scheduled tasks on all endpoints for entries with suspicious names or actions, particularly those executing scripts or binaries from unusual locations.
  • Scan endpoint registry hives, specifically common autorun locations (e.g., Run, RunOnce), for entries configured to launch 'PcDirvs.exe'.
  • In your network traffic logs or SIEM, search for outbound HTTP GET requests where the URI path ends with '/retsiger', '/taebtraeh', '/dnammoc_teg', or '/dnammocmvitna'. These are the strings 'register', 'heartbeat', 'get_command' and 'antivmcommand' written backwards, matching the reversed-character endpoints the loader uses for evasion.
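The hunt in the last bullet, as an added example that is not code from the F5 report or its sources: it decodes the reversed path segments rather than matching fixed strings, so a new verb the operators add would still be caught if it decodes to a word on the watch list, and it also flags any request to the C2 hosts from the IOC list. The log lines are constructed sample data in a simplified "timestamp client method url status" layout; replace parse_line() with a parser for your proxy's real format.

```python
"""Hunt web-proxy logs for the reversed-string C2 endpoints used by the APT36
loader described above ("/retsiger" is "register" written backwards, and so on).

Added example, not code from the F5 report or its sources. The log lines are
constructed for the demo in a simplified "<ts> <client> <method> <url> <status>"
layout; swap parse_line() for your proxy's real format.
"""
from urllib.parse import urlsplit

# The report's endpoint list, decoded by reversing each path segment.
C2_VERBS = {"register", "heartbeat", "get_command", "antivmcommand"}
# C2/staging domains from the report's IOC list (defanging brackets removed).
C2_DOMAINS = {"dns.wmiprovider.com", "wmiprovider.com", "aeroclubofindia.co.in"}

SAMPLE_LOG = [  # constructed sample data, not real traffic
    "2026-01-06T10:00:01Z 10.1.2.3 GET http://dns.wmiprovider.com/retsiger 200",
    "2026-01-06T10:00:31Z 10.1.2.3 GET http://dns.wmiprovider.com/taebtraeh 200",
    "2026-01-06T10:01:00Z 10.1.2.4 GET https://accounts.example.com/register 200",
    "2026-01-06T10:01:05Z 10.1.2.5 GET https://cdn.example.net/assets/app.js?v=3 304",
    "2026-01-06T10:02:00Z 10.1.2.6 GET http://203.0.113.7/dnammoc_teg/ 200",
    "this line is malformed",
]


def parse_line(line):
    """Split one log line into fields; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def reversed_verb(url):
    """Return the decoded verb if the last path segment is a reversed C2 verb, else None.
    The query string is ignored and a trailing slash is tolerated."""
    path = urlsplit(url).path.rstrip("/")
    last = path.rsplit("/", 1)[-1]
    decoded = last[::-1].lower()
    return decoded if decoded in C2_VERBS else None


def hunt(lines):
    """Return one hit per log line that matches a decoded verb or a known C2 host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = (urlsplit(rec["url"]).hostname or "").lower()
        verb = reversed_verb(rec["url"])
        reasons = []
        if verb:
            reasons.append(f"reversed verb '{verb}'")
        if host in C2_DOMAINS:
            reasons.append(f"known C2 host {host}")
        if reasons:
            hits.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                         "verb": verb, "reason": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["ts"], h["client"], h["url"], "->", h["reason"])
```

The legitimate `/register` request in the sample is deliberately not a hit: only a segment that reads as a verb after reversal matches, which keeps the rule from firing on ordinary web traffic.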

Compliance Best Practices

  • Implement an application control policy, such as Windows Defender Application Control (WDAC) or AppLocker, to block or restrict the execution of mshta.exe.
  • Implement an application control policy, such as Windows Defender Application Control (WDAC) or AppLocker, to block or restrict the execution of msbuild.exe, especially when initiated by non-developer users or from non-standard directories.
  • Use Group Policy (GPO) to enforce a corporate-wide setting that requires Windows Explorer to always show file extensions for known file types.
  • Enable PowerShell Script Block Logging and Module Logging via Group Policy and forward these logs to your SIEM for monitoring and analysis.
  • Develop and deploy a detection rule in your EDR or SIEM to alert on suspicious process chains, such as an email client or browser spawning cmd.exe or mshta.exe to download or execute a remote script.
  • Develop and deploy a detection rule in your SIEM or network monitoring tool to alert on new or unusual WebSocket connections to external IP addresses, especially to non-categorized or newly registered domains.
  • Implement a continuous security awareness training program that includes phishing simulations focused on lures with attachments, especially those disguised as documents or contained within archives.
  • Configure your email security gateway to perform deep content inspection on archive files (e.g., .zip, .rar) and block any archives that contain executable or script files such as .exe, .lnk, .hta, or .vbs.
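The archive inspection in the last bullet, as an added example (not code from F5 or from any gateway product): it walks a ZIP attachment, including nested archives up to a fixed depth, and reports script or executable entries and the double-extension trick from the APT36 lure (`NCERT-Whatsapp-Advisory.pdf.lnk`). The archive is built in memory as constructed sample data, and the extension lists are assumptions to be aligned with your gateway policy.

```python
"""Gateway-style inspection of a ZIP attachment for the lure pattern in the
report: a Windows shortcut (.lnk) disguised as a PDF, or any script/executable,
including inside nested archives.

Added example; not code from F5 or the report's sources. The extension lists
are assumptions for the demo and should match your own gateway policy.
"""
import io
import zipfile

EXEC_EXT = {".exe", ".lnk", ".hta", ".vbs", ".js", ".msi", ".scr", ".bat", ".cmd", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MAX_DEPTH = 3  # refuse to descend further into nested zips (recursion / zip-bomb guard)


def classify(name):
    """Return finding strings for one archive entry name (empty list if benign)."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    findings = []
    if len(parts) < 2:
        return findings
    ext = "." + parts[-1]
    if ext in EXEC_EXT:
        findings.append(f"executable/script entry: {name}")
        # "advisory.pdf.lnk": the real extension is .lnk, the .pdf is the disguise
        if len(parts) >= 3 and "." + parts[-2] in DOC_EXT:
            findings.append(f"double extension disguised as document: {name}")
    return findings


def inspect_zip(data, depth=0, prefix=""):
    """Inspect zip bytes recursively; entries inside nested zips are reported as outer.zip!/inner."""
    if depth > MAX_DEPTH:
        return [f"nesting deeper than {MAX_DEPTH} at {prefix}: refusing to descend"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"not a valid zip: {prefix or '<attachment>'}"]
    findings = []
    with zf:
        for info in zf.infolist():
            full = prefix + info.filename
            findings.extend(classify(full))
            if info.filename.lower().endswith(".zip"):
                findings.extend(inspect_zip(zf.read(info), depth + 1, full + "!/"))
    return findings


def build_sample():
    """Construct a lure-shaped archive (sample data only; the .lnk bodies are not real shortcuts)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Advisory.pdf.lnk", b"not a real shortcut")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"benign text")
        z.writestr("docs/NCERT-Whatsapp-Advisory.pdf.lnk", b"not a real shortcut")
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample()):
        print(finding)
```

Matching on the entry name is the cheap first pass a gateway can always do; a production rule should also check the entry's magic bytes, since an attacker can name a shortcut `report.pdf` only if the client renames it, but can trivially name an executable `.txt` and rely on a second stage to rename it.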

NoName057(16) DDoS Attack Disrupts La Poste and La Banque Postale Online Services

French postal and banking services, La Poste and La Banque Postale, experienced significant disruptions on January 1, 2026, when a cyberattack rendered their websites and mobile applications largely inaccessible. This incident followed a previous distributed denial-of-service (DDoS) attack from December 22-26, 2025, which had also affected parcel tracking services. The pro-Russian hacker group NoName057(16), known for targeting countries supporting Ukraine, claimed responsibility for both disruptions. While the attacks caused downtime and limited digital access, no customer data was compromised, consistent with a DDoS attack, which overwhelms servers rather than breaching them. Despite the digital outages, essential postal services and banking transactions remained available at physical locations, and online payments with SMS authentication, card payments, and ATM withdrawals continued to function. The Paris prosecutor's office has launched an investigation, delegating the case to the General Directorate for Internal Security (DGSI) and the national cyber unit, while both organizations' teams are actively working to restore full digital access. This event is part of a broader trend of recent cyber incidents affecting French public institutions, including a breach of the Interior Ministry on December 17, 2025, and the French Football Federation in November 2025.

Severity: High

Threat Details and IOCs

Malware: DDoSia, Dosia, Go-Stresser
Threat Actors: APT44, CARR, Center16, CyberArmyOfRussiaReborn, NoName057(16), NoName05716, PeoplesCyberArmy, Sandworm, ZPentest
Attacker Countries: Russia
Attacker Domains: xss.is
Victim Industries: Agriculture, Critical Manufacturing, Defense, Defense Industrial Base, Energy, Financial Services, Government, Postal and Courier Services, Telecommunications, Transportation, Utilities, Water & Wastewater
Victim Countries: Czech Republic, Denmark, France, Germany, Lithuania, Poland, Spain, Sweden, Ukraine, United States

Mitigation Advice

  • Implement or tighten rate-limiting rules on web servers, load balancers, and API gateways to cap the number of requests from individual IP addresses.
  • Configure your Web Application Firewall (WAF) to block or challenge traffic originating from geographic regions associated with the NoName057(16) group and other high-risk areas. Treat this as a supplementary control: DDoSia traffic is generated by volunteer nodes spread across many countries, so geo-filtering on its own will not stop a campaign.
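The per-client request cap from the first bullet, as an added example (not F5 or La Poste code) of the one detail that most often goes wrong when it is deployed behind a load balancer: the limiter must only honour X-Forwarded-For from your own proxies, otherwise every request can spoof a fresh client address and the cap never triggers. The limits, the trusted proxy range and the request sequences are assumptions constructed for the demo.

```python
"""Per-client sliding-window request cap with a trust boundary on X-Forwarded-For.

Added example, not from the F5 report or from La Poste. Limit, window and the
trusted proxy range are assumptions chosen for the demo.
"""
from collections import deque
import ipaddress


class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds, trusted_proxies=()):
        self.limit = limit
        self.window = window_seconds
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.hits = {}  # client key -> deque of request timestamps

    def _is_trusted(self, addr):
        return any(addr in net for net in self.trusted)

    def client_key(self, peer_ip, xff=None):
        """Key to count against. XFF is only consulted when the TCP peer is one of our
        own proxies; then the right-most hop that is not ours is taken as the client.
        Assumption: the proxy chain appends, never rewrites, the header."""
        peer = ipaddress.ip_address(peer_ip)
        if xff and self._is_trusted(peer):
            hops = [h.strip() for h in xff.split(",") if h.strip()]
            for hop in reversed(hops):
                try:
                    addr = ipaddress.ip_address(hop)
                except ValueError:
                    continue  # garbage hop: skip it rather than trust it
                if not self._is_trusted(addr):
                    return str(addr)
        return str(peer)

    def allow(self, now, peer_ip, xff=None):
        """True if the request fits under `limit` requests per `window` seconds."""
        key = self.client_key(peer_ip, xff)
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate():
    """Constructed request sequences: 5 requests per 10 s, proxies in 10.0.0.0/8."""
    lim = SlidingWindowLimiter(limit=5, window_seconds=10, trusted_proxies=["10.0.0.0/8"])
    results = {}
    # A direct client bursting 8 requests in 2 s: first 5 pass, 3 refused.
    results["direct"] = [lim.allow(t * 0.25, "198.51.100.7") for t in range(8)]
    # The same client 12 s later: the window has slid, so it is allowed again.
    results["recovered"] = lim.allow(12.0, "198.51.100.7")
    # An attacker connecting directly but spoofing a new XFF per request:
    # the header is ignored, so all 8 count against one bucket.
    results["spoof"] = [lim.allow(5 + i, "203.0.113.9", xff=f"192.0.2.{i}") for i in range(8)]
    # Traffic via our own load balancer: XFF is honoured, two real clients
    # get separate buckets and 4 requests each pass.
    results["via_lb"] = [lim.allow(20 + i * 0.1, "10.1.1.1", xff=f"192.0.2.{i % 2}")
                         for i in range(8)]
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

In production the same logic normally lives in the load balancer or WAF rather than in application code; the point the example makes is which address the rule keys on, which has to be set correctly wherever the rule lives.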

Compliance Best Practices

  • Procure and implement a cloud-based, always-on DDoS mitigation service to protect all internet-facing services and infrastructure.
  • Develop and formalize a Denial-of-Service Incident Response Plan that includes technical containment procedures, internal and external communication templates, and defined roles for the response team.
  • Design and deploy public-facing applications using auto-scaling groups and load balancers across multiple geographic regions or availability zones to build resilience and distribute traffic loads effectively.
  • Establish a threat intelligence program to monitor hacktivist groups like NoName057(16), track their TTPs, and proactively adjust security controls based on their evolving campaigns and targets.

Critical GNU Wget2 Vulnerability Allows Remote Attackers to Overwrite Sensitive Files

A high-severity security flaw, tracked as CVE-2025-69194, has been identified in GNU Wget2, a widely used command-line tool for web file downloads. This vulnerability, rated "Important" with a CVSS score of 8.8 out of 10, is an Arbitrary File Write (Path Traversal) issue stemming from Wget2's improper handling of Metalink documents. Specifically, the application fails to correctly verify file paths listed in these documents, enabling remote attackers to craft malicious Metalink files using path traversal sequences (like `../`) to overwrite sensitive files anywhere on a victim's system. The consequences are severe, potentially leading to data loss, system crashes, execution of malicious code, or security bypasses by modifying critical system files, user documents, or configuration settings. Although exploitation requires user interaction with a malicious Metalink file, the significant potential for damage necessitates immediate action. Users are strongly advised to update GNU Wget2 to the latest version and to avoid processing Metalink files from untrusted or unknown sources until the software is patched.

Severity: Critical

Threat Details and IOCs

Malware: Careto, GlassWorm, Shai-Hulud, Shai-Hulud 2.0, Shai-Hulud 3.0, The Golden Path, The Mask
CVEs: CVE-2025-69194, CVE-2025-69195
Technologies: GNU Wget2, Linux, Microsoft Windows

Mitigation Advice

  • Scan all Linux, UNIX, and Windows endpoints and servers to identify all installed instances of GNU Wget2 and their current versions.
  • Patch all identified installations of GNU Wget2 to the latest stable version that addresses CVE-2025-69194.
  • Implement a detection rule in your SIEM or EDR to alert on Wget2 process executions where command-line arguments contain path traversal sequences such as "../". Note that for this vulnerability the traversal sequence is carried inside the downloaded Metalink document, not on the command line, so pair this rule with alerts on wget2 creating or modifying files outside its working directory (for example under /etc or in a user's home directory dotfiles).
  • Issue an immediate advisory to all employees, especially developers and system administrators, instructing them not to use Wget2 to process Metalink files from untrusted sources.

Compliance Best Practices

  • Establish or enhance a software asset management (SAM) program to maintain a continuously updated inventory of all software and libraries on all company assets.
  • Review and enforce the principle of least privilege for user and service accounts, ensuring that automated tools and scripts do not run with administrative rights unless absolutely necessary.
  • Deploy and tune a File Integrity Monitoring (FIM) solution on critical servers to detect and alert on unauthorized changes to sensitive system files, configurations, and startup scripts.
  • Update the security awareness training program to include modules on the risks of processing untrusted data and configuration files, using this Wget2 vulnerability as a practical example.

Careto Hacker Group Resurfaces After a Decade, Unleashing New Attack Techniques

Careto, also known as "The Mask," has re-emerged after a decade-long disappearance, employing sophisticated new attack methods that demonstrate the group’s continued evolution and technical prowess. This resurgence was unveiled by Kaspersky researchers during the 34th Virus Bulletin International Conference in October, marking the first significant discovery of Careto activity since early 2014.

Severity: High

Threat Details and IOCs

Malware: Careto, The Mask, Ugly Face
Technologies: Apple macOS, Linux, MDaemon Technologies MDaemon Email Server, Microsoft 365, Microsoft Windows, Sophos Intercept X
Threat Actors: Careto, TheMask
Victim Industries: Energy, Financial Services, Government, Research & Development

Mitigation Advice

  • Ingest the Indicators of Compromise (IOCs) for the Careto threat actor from the Kaspersky research paper into your SIEM, EDR, and firewall blocklists.
  • Create and enable detection rules in your SIEM to alert on anomalous or high-volume data uploads to public cloud storage services like OneDrive and Google Drive, particularly from servers or endpoints that do not typically perform such actions.
  • Use a vulnerability scanner to identify all Microsoft Office installations vulnerable to CVE-2010-3333 and deploy the patches associated with Microsoft Security Bulletin MS10-087.
  • Scan your network to identify all Windows systems vulnerable to the RDP vulnerability CVE-2012-0002 and deploy the patches from Microsoft Security Bulletin MS12-020.
  • Configure your perimeter firewall to block all inbound traffic on TCP port 3389 (RDP) from the internet.
  • Audit systems running MDaemon email server software for unauthorized configuration changes or suspicious scheduled tasks.

Compliance Best Practices

  • Implement a continuous security awareness training program that includes regular phishing simulations to train users to identify and report suspicious emails.
  • Develop and implement a Data Loss Prevention (DLP) policy and deploy a Cloud Access Security Broker (CASB) to control and monitor data transfers to all cloud services, blocking unsanctioned platforms.
  • Implement application control using a tool like AppLocker or a third-party solution to enforce a policy that only allows approved applications and scripts to execute on endpoints and servers.
  • Enforce the use of Network Level Authentication (NLA) for all internal and external RDP connections via Group Policy.
  • Ensure an Endpoint Detection and Response (EDR) solution with behavioral analysis capabilities is deployed and properly configured on all company endpoints, including Windows, macOS, and Linux systems.
  • Configure Microsoft Office File Block settings via Group Policy to prevent users from opening RTF files that originate from the internet.

New GlassWorm Malware Wave Targets Macs with Trojanized Crypto Wallets

A fourth wave of the "GlassWorm" campaign is actively targeting macOS developers through malicious VSCode/OpenVSX extensions, delivering trojanized versions of crypto wallet applications. This latest iteration, identified by Koi Security, exclusively targets macOS systems, utilizing AppleScript for execution and LaunchAgents for persistence, a shift from previous Windows-focused attacks. The malware, embedded as an AES-256-CBC-encrypted payload within compiled JavaScript in extensions like `studio-velte-distributor.pro-svelte-extension`, `cudra-production.vsce-prettier-pro`, and `Puccin-development.full-access-catppuccin-pro-extension`, executes after a 15-minute delay. Its capabilities include stealing GitHub, npm, and OpenVSX account credentials, Keychain passwords, and data from over 50 browser crypto extensions and various desktop wallets. Notably, it attempts to replace legitimate hardware wallet applications such as Ledger Live and Trezor Suite with trojanized versions, though this functionality is currently failing due to empty payloads. The campaign maintains its Solana blockchain-based command-and-control (C2) mechanism. Developers who have installed these extensions are advised to remove them immediately, reset GitHub account passwords, revoke NPM tokens, and check their systems for signs of infection or consider a full reinstallation.

Severity: Critical

Threat Details and IOCs

Malware: GlassWorm, js.glassworm, Trojan:JS/GlassWorm.A!MTB, ZOMBI
CVEs: CVE-2025-6705
Technologies: Apple macOS, Eclipse Foundation Open VSX Registry, GitHub, Ledger Live, Microsoft Visual Studio, Microsoft Visual Studio Code Marketplace, npm, Open VSX Registry, Trezor Suite
Threat Actors: GlassWorm
Attacker Countries: Russia
Attacker IPs: 140.82.52.31, 217.69.11.60, 217.69.3.218, 45.32.150.251, 45.32.151.157
Attacker Emails: uhjdclolkdn@gmail.com
Attacker URLs: 140.82.52.31:80/wall, 45.32.150.251/p2p, http://217.69.3.218/get_arhive_npm/, http://217.69.3.218/qQD%2FJoi3WCWSk8ggGHiTdg%3D%3D, https://calendar.app.google/M2ZCvM8ULL56PD1d6
Victim Industries: Financial Services, Government, Manufacturing, Software, Technology Hardware
Victim Countries: Finland, France, Germany, Netherlands, Sweden, United Kingdom, United States

Mitigation Advice

  • Scan all developer macOS systems for the presence of the malicious VSCode/OpenVSX extensions 'studio-velte-distributor.pro-svelte-extension', 'cudra-production.vsce-prettier-pro', and 'Puccin-development.full-access-catppuccin-pro-extension' and remove them immediately if found.
  • Inspect the `~/Library/LaunchAgents` and `/Library/LaunchAgents` directories on all developer macOS endpoints for any recently created or suspicious files to detect the GlassWorm malware's persistence mechanism.
  • Require all developers, particularly those using macOS, to immediately reset their GitHub passwords and revoke all active NPM access tokens.
  • Instruct developers who use Ledger Live or Trezor Suite on macOS to verify the integrity of the application files or reinstall them directly from the official vendor websites to ensure they have not been replaced by a malicious version.
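The first two hunts in the list above, as an added example that is not Koi Security's or F5's code: it matches installed VS Code extension folders against the three malicious IDs (folder names follow VS Code's `publisher.name-version` convention) and flags LaunchAgent plists that invoke `osascript`, reference scratch locations, or were written recently. The demo builds its own temporary extension and LaunchAgent directories as constructed sample data; point the two functions at `~/.vscode/extensions` and `~/Library/LaunchAgents` on a real host. The LaunchAgent heuristics are assumptions and will need tuning for your fleet.

```python
"""Hunt a macOS developer box for the two GlassWorm artefacts named in the report:
the malicious extension IDs, and LaunchAgents that run AppleScript (osascript)
or point at scratch paths.

Added example, not Koi Security's or F5's code. The suspicious-argument markers
and the 30-day "recent" threshold are assumptions for the demo.
"""
import os
import plistlib
import re
import tempfile
import time

BAD_EXTENSIONS = {  # IDs from the report, lower-cased
    "studio-velte-distributor.pro-svelte-extension",
    "cudra-production.vsce-prettier-pro",
    "puccin-development.full-access-catppuccin-pro-extension",
}
VERSION_SUFFIX = re.compile(r"-\d+\.\d+\.\d+.*$")  # strips "-1.2.3" or "-1.2.3-beta"
SUSPICIOUS_ARG_MARKERS = ("osascript", "/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def find_bad_extensions(ext_dir, bad_ids=BAD_EXTENSIONS):
    """Return installed extension folder names whose publisher.name is on the bad list."""
    if not os.path.isdir(ext_dir):
        return []
    hits = []
    for entry in sorted(os.listdir(ext_dir)):
        ident = VERSION_SUFFIX.sub("", entry.lower())
        if ident in bad_ids:
            hits.append(entry)
    return hits


def suspicious_launch_agents(agent_dir, newer_than_days=30, now=None):
    """Return (plist name, reasons) for agents that look like GlassWorm-style persistence."""
    now = time.time() if now is None else now
    if not os.path.isdir(agent_dir):
        return []
    findings = []
    for fname in sorted(os.listdir(agent_dir)):
        if not fname.endswith(".plist"):
            continue
        path = os.path.join(agent_dir, fname)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError, OSError):
            findings.append((fname, "unparseable plist"))
            continue
        args = list(plist.get("ProgramArguments", []))
        if isinstance(plist.get("Program"), str):
            args.insert(0, plist["Program"])
        joined = " ".join(str(a) for a in args)
        reasons = [m for m in SUSPICIOUS_ARG_MARKERS if m in joined]
        age_days = (now - os.path.getmtime(path)) / 86400
        if age_days < newer_than_days:
            reasons.append(f"created/modified {age_days:.0f} days ago")
        if reasons:
            findings.append((fname, "; ".join(reasons)))
    return findings


def run_demo():
    """Build constructed sample directories in a temp folder and hunt them."""
    root = tempfile.mkdtemp()
    now = time.time()
    ext = os.path.join(root, "extensions")
    for d in ("ms-python.python-2025.1.0", "cudra-production.vsce-prettier-pro-2.1.0"):
        os.makedirs(os.path.join(ext, d))
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    benign = os.path.join(agents, "com.example.sync.plist")
    with open(benign, "wb") as fh:
        plistlib.dump({"Label": "com.example.sync",
                       "ProgramArguments": ["/usr/local/bin/sync-tool"]}, fh)
    old = now - 400 * 86400
    os.utime(benign, (old, old))  # a year-old, ordinary agent: should not be flagged
    evil = os.path.join(agents, "com.update.helper.plist")
    with open(evil, "wb") as fh:
        plistlib.dump({"Label": "com.update.helper", "RunAtLoad": True,
                       "ProgramArguments": ["/usr/bin/osascript", "-e",
                                            'do shell script "/tmp/.x/run"']}, fh)
    return {"extensions": find_bad_extensions(ext),
            "agents": suspicious_launch_agents(agents, now=now)}


if __name__ == "__main__":
    print(run_demo())
```

A hit on the extension list is high confidence; a LaunchAgent hit is a lead, since legitimate software also installs agents, so compare any flagged plist against the package that claims to own it before removing it.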

Compliance Best Practices

  • Develop and implement a corporate policy for Visual Studio Code that restricts extension installation to a pre-approved allow-list of vetted and trusted extensions from verified publishers.
  • Configure Endpoint Detection and Response (EDR) solutions to monitor and alert on suspicious or anomalous AppleScript execution on macOS developer endpoints.
  • Implement a recurring security awareness training program for developers focused on the risks of software supply chain attacks, including how to vet third-party IDE extensions and identify suspicious packages.
  • Enhance SIEM and EDR monitoring to baseline normal LaunchAgent activity on macOS systems and create high-fidelity alerts for the creation of new or modified LaunchAgents by non-standard processes.
  • Review and strengthen network egress filtering policies to restrict or monitor outbound traffic from developer workstations to unusual ports and destinations, including those associated with cryptocurrency blockchains.

Published Jan 05, 2026
Version 1.0