ShinyHunters exploited critical Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) against 100 organizations from May 27-June 9, before Oracle issued patches. 68% of victims were US 🇺🇸 universities.

Key technical details:
• CVE-2026-35273: RCE in Environment Management component, no auth/interaction required
• Affects PeopleTools 8.61/8.62, likely earlier versions too
• Attack chain: exploit PSEMHUB endpoints → deploy MeshCentral agents disguised as Azure services
• C2 infrastructure: wss://azurenetfiles[.]net:443/agent.ashx with valid Let's Encrypt certs
• Lateral movement via SSH credential spraying using [victim]_fanout.sh scripts

DFIR artifacts:
• WebLogic access logs showing external POST to /PSEMHUB/* and /PSIGW/HttpListeningConnector
• Unexpected JSP files under PSEMHUB.war directory
• Directories named "logs", "persistantstorage", "scratchpad" under PSEMHUB paths
• README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in WebLogic/Process Scheduler dirs
• Outbound SMB traffic (port 445) to external IPs, zstd compressed exfiltration

Impact: University of Nottingham confirmed victim with 455k email addresses leaked including student PII, passport numbers, ethnicity/disability records.

Hunt for MeshCentral agents named meshagent*-azure-ops.exe and monitor outbound connections to azurenetfiles[.]net. Oracle advises disabling EMHub service or blocking /PSEMHUB/* at perimeter. #DFIR_Radar
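A triage helper for the first DFIR artifact in the post above: it scans WebLogic access-log lines for POST requests to /PSEMHUB/* or /PSIGW/HttpListeningConnector that come from outside the organisation's address space. This is an added example, not code from the post or from Oracle; the log lines, the internal ranges and the log format (common log format) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample WebLogic access-log lines (common log format); not real data.
SAMPLE_LOG = """\
10.20.30.40 - - [03/Jun/2026:09:14:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120
203.0.113.45 - - [03/Jun/2026:09:15:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 312
198.51.100.7 - - [03/Jun/2026:09:16:40 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 87
10.20.30.41 - - [03/Jun/2026:09:17:05 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 410
203.0.113.45 - - [03/Jun/2026:09:18:22 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0
"""

# Assumption: the site's internal ranges. Internal EM agents legitimately POST to the hub,
# so only requests from outside these ranges are flagged.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Endpoints named in the post: anything under /PSEMHUB/ and the Integration Gateway listener.
SUSPECT_PATH_RE = re.compile(r"^/PSEMHUB/|^/PSIGW/HttpListeningConnector(?:[/?]|$)")


def is_internal(client):
    """True if the client field is an IP inside INTERNAL_NETS; hostnames count as external."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_external_posts(log_text):
    """Return (client, timestamp, path, status) for each external POST to a suspect endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently classify it as benign
        client, ts, method, path, status, _size = m.groups()
        if method == "POST" and SUSPECT_PATH_RE.match(path) and not is_internal(client):
            hits.append((client, ts, path, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_external_posts(SAMPLE_LOG):
        print("external POST to PeopleSoft hub/listener:", hit)
```

On the sample above it flags the two external POSTs and ignores the internal agent traffic and the external GET.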
The crown jewel of their toolkit? Classroom Spy (they recently replaced their older MeshAgent tool). Installed via simple PowerShell scripts and renamed to look like vmtoolsd.exe or systemsvc.exe. This gives them full remote takeover:
- Live screen viewing and control
- Keylogging, audio recording, and camera access
- File upload and download
- App monitoring and blocking
Bearlyfy is a pro-Ukrainian group that has attacked more than 70 Russian companies and has recently begun using its own ransomware, GenieLocker. The key point is that, beyond financially motivated extortion, destruction and disruption of Russian companies is an explicit objective. The group has been active since around January 2025; early on it used LockBit 3 and Babuk-derived encryptors, and later a modified version of Vice Society's PolyVice. Since March 2026 it has moved to its own GenieLocker for Windows endpoints, gaining entry by exploiting externally exposed services and vulnerable applications, installing remote-access tools such as MeshAgent, and proceeding to encryption or data destruction. According to F6, Bearlyfy also shows overlaps with PhantomCore and Head Mare and sits in the context of continued targeting of Russian and Belarusian companies. Its hallmarks are fast intrusions with short preparation time and an operating model in which ransom notes are not auto-generated; instead the attackers pressure victims directly, with demands rising to the hundreds of thousands of dollars. APT: Bearlyfy, Labubu, PhantomCore-related Malware: GenieLocker, PolyVice, LockBit 3, Babuk, MeshAgent CVE: none listed IoC: GenieLocker, MeshAgent, PolyVice, Windows endpoints, Russian company targeting #CyberSecurity #ThreatIntel #Ransomware #Bearlyfy #GenieLocker thehackernews.com/2026/03/be…
FortiGate compromises have occurred one after another, with attackers using the perimeter defence as a stepping stone deep into internal networks. Their aim was not to take the device down but to extract credentials from configuration files and move laterally into AD. Both intrusions were detected at the internal-spread stage, and takeover of the corporate environment was stopped just short. According to SentinelOne, the attacks are consistent with the group of Fortinet flaws disclosed between December 2025 and February 2026. CVE-2025-59718 and CVE-2025-59719 allow administrator privileges to be seized with a crafted SAML token, and CVE-2026-24858 was a zero-day that allowed login by abusing FortiCloud accounts. After intrusion, the attackers dumped the configuration with show full-configuration, decrypted the reversibly protected LDAP and AD credentials, and moved internally. In the first case, a rogue administrator "support" was added and two rogue endpoints were joined to the domain with the stolen credentials. In the second, ssl-admin was created, Pulseway and MeshAgent were deployed, and NTDS.dit and SYSTEM were exfiltrated. Applying updates, rotating the associated credentials, eliminating weak credentials, and long-term retention of FortiGate logs are urgent. cybersecuritynews.com/fortig…
Mar 11
Threat actors are actively targeting FortiGate firewalls as entry points to breach victim networks, using known vulnerabilities and weak credentials to extract configuration files containing service account credentials.

The Attack Chain:

Case 1 – Initial Access Broker (Nov 2025 – Feb 2026)
Attacker breached FortiGate, created "support" admin account, added unrestricted firewall policies. Periodically checked access, consistent with IAB establishing foothold for sale. Months later, another actor extracted config, decrypted LDAP credentials. Used fortidcagent service account to authenticate to AD and enroll rogue workstations. Network scanning triggered detection; lateral movement halted.

Case 2 – Rapid Deployment (Jan 2026)
Attacker moved from firewall access to deploying Pulseway and MeshAgent. Downloaded Java malware from AWS via PowerShell. Used DLL side-loading to launch malware and exfiltrate NTDS.dit and SYSTEM hive to external server.

Why FortiGate Devices Are Targeted:
They integrate with AD/LDAP for role mapping and security responses. Configuration files store service account credentials and network topology. Compromise grants attackers direct pathways into authentication infrastructure.

Exploited Vulnerabilities: CVE-2025-59718, CVE-2025-59719, CVE-2026-24858; weak credentials and misconfigurations

Targeted Sectors: Healthcare, Government, Managed Service Providers

FortiGate devices are high-value targets for espionage and ransomware groups. A compromised firewall is a gateway to the entire network.
Mar 11
🚨 FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Threat actors are actively targeting FortiGate Next-Generation Firewall appliances as entry points to breach victim networks, with recent campaigns singling out healthcare, government, and managed service providers. By exploiting known vulnerabilities or weak credentials, attackers extract configuration files containing service account credentials and network topology information. These compromised devices then become launchpads for deeper network infiltration, including Active Directory compromise and data exfiltration.

The campaign leverages known FortiGate flaws:
🔴 CVE-2025-59718
🔴 CVE-2025-59719
🔴 CVE-2026-24858
🔴 Attackers also exploit weak credentials and misconfigurations where devices are left exposed with default or easily guessable passwords.

Why FortiGate Devices?
FortiGate appliances have considerable access to the environments they protect. In many configurations, they connect to authentication infrastructure such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP). This setup allows the firewall to map roles to specific users and accelerate security responses, but it also creates a dangerous opportunity for attackers. When threat actors break into FortiGate devices through vulnerabilities or misconfigurations, they gain access to:
→ Service account credentials stored in configuration files.
→ Network topology information.
→ Direct pathways into AD and LDAP environments.

🎯 The Attack Chain

🔴 Case 1: Initial Access Broker Establishes a Foothold
→ In November 2025, attackers breached a FortiGate appliance
→ Created a new local administrator account named "support"
→ Set up four new firewall policies allowing the account to traverse all zones without restrictions
→ Periodically checked device accessibility, consistent with an initial access broker (IAB) establishing a foothold for sale to other criminals

In February 2026, a new attacker likely:
→ Extracted the configuration file containing encrypted service account LDAP credentials
→ Decrypted the credentials and authenticated to AD using the fortidcagent service account in clear text
→ Enrolled rogue workstations in AD, gaining deeper access
→ Initiated network scanning, at which point the breach was detected and halted

🔴 Case 2: Rapid Deployment of Remote Access Tools
→ In late January 2026, attackers moved swiftly from firewall access to deploying remote access tools: Pulseway and MeshAgent
→ Downloading malware from an AWS cloud storage bucket via PowerShell
→ Launching Java malware through DLL side-loading
→ Exfiltrating the NTDS.dit file and SYSTEM registry hive to external server 172.67.196[.]232 over port 443

⚠️ Targeted Sectors: Healthcare organizations, Government agencies, Managed service providers (MSPs).

Next-Generation Firewalls have become ubiquitous because they integrate security controls with management features like AD integration. But this same integration makes them high-value targets for:
→ State-aligned actors conducting espionage.
→ Financially motivated attackers pursuing ransomware.
→ Initial access brokers selling compromised footholds.

A compromised firewall is a gateway to the entire network, complete with service account credentials that unlock AD, LDAP, and beyond.
Attacks have been observed in which FortiGate next-generation firewalls are abused as the point of entry. The technique is to break in by exploiting vulnerabilities or weak authentication and then obtain service account information and network configuration from the configuration file; environments such as healthcare organisations, government agencies and MSPs are being targeted. According to SentinelOne's investigation, FortiGate is often configured to integrate with Active Directory or LDAP and uses service accounts for authentication and permission management. Consequently, when a device is compromised, important credentials for accessing the directory infrastructure may be leaked. Attackers broke in by exploiting vulnerabilities such as CVE-2025-59718, CVE-2025-59719 and CVE-2026-24858, or misconfigurations; in a November 2025 case they created an administrator account named "support" and added a firewall policy allowing traversal of all network zones. They then retrieved the configuration file, decoded the LDAP service account credentials, authenticated to AD, registered rogue workstations and reconnoitred the internal network. In another case, remote management tools such as Pulseway and MeshAgent were deployed and malware was fetched with PowerShell from storage on AWS. The Java malware, executed via DLL side-loading, was sending NTDS.dit and the SYSTEM registry hive to an external server. thehackernews.com/2026/03/fo…
🚨 Stolen EV Certificates Fuel New Phishing Campaign Delivering Remote Access Tools

A phishing campaign is disguising fake Zoom, Teams, and Adobe updates as trusted software by using stolen Extended Validation certificates, then deploying tools like ScreenConnect and MeshAgent for persistent access. This matters because signed malware is being used to bypass trust controls and gain privileged footholds in corporate environments.

🕷️ Malware: ScreenConnect, MeshAgent
🎯 Target: Global/Enterprise Office Workers
#️⃣ Category: #CyberCrime #Malware #TargetedAttacks
🔗 URL: scworld.com/brief/new-phishi…
Microsoft Defender Experts found phishing campaigns delivering digitally signed malware impersonating workplace apps, deploying RMM backdoors (ScreenConnect, Tactical RMM, MeshAgent) for persistence and lateral movement in enterprise networks. microsoft.com/en-us/security…
#opendir http://141.11.107[.]134:8000/ with Ligolo (tunneling), MeshAgent (RMM) and something else 🤔 bazaar.abuse.ch/browse/tag/1…
🏡 Room Tour, Day 2: The Storage API

Human agent teams need shared context. In a MeshAgent Room, shared storage is built in. Files are a core part of the workspace. Documents, images, and generated outputs live alongside the team's conversation. Agents can create and update files. Humans can open and refine them. Everyone works from the same source of truth so teams stay on the same page. With MeshAgent, infrastructure for agents lives in the Room, not on your to-do list.
I’ve been preaching this for over a year now. Stateful runtime environments are the future. That’s why we built MeshAgent. Guess Amazon and OpenAI will be partnering to build something similar.
openai.com/index/amazon-part… "Amazon Web Services (AWS) and OpenAI will co-create a Stateful Runtime Environment powered by OpenAI models, available on Amazon Bedrock for AWS customers to build generative AI applications and agents at production scale. AWS will be the exclusive third-party cloud distribution provider for OpenAI Frontier, which enables organizations to build, deploy, and manage teams of AI agents. OpenAI to consume 2 gigawatts of Trainium capacity through AWS infrastructure to support demand for Stateful Runtime Environment, Frontier, and other advanced workloads. OpenAI and Amazon will develop customized models available to power Amazon’s customer-facing applications. Amazon will invest $50 billion in OpenAI. OpenAI and Amazon (NASDAQ: AMZN) today announced a multi-year strategic partnership to accelerate AI innovation for enterprises, startups, and end consumers around the world. Amazon will also invest $50 billion in OpenAI, starting with an initial $15 billion investment and followed by another $35 billion in the coming months when certain conditions are met."
You shouldn't need to build an entire app just to share an AI agent with your team. Powerboards is an AI native collaboration platform built on MeshAgent where teams of humans and AI agents work together in real time. Create rooms. Install AI agents. Invite your team. Share files. Video conference. Customize agent behavior. All in one place. Try it today: app.powerboards.com/
We're building MeshAgent. Agent-first infrastructure for multiplayer human-AI collaboration. Our core primitive is a Room: a secure workspace where humans, agents, and tools share context and work together in real time.
#100DaysofYARA – Day 41 YARA rule for detecting MeshAgent configuration MSH files 👇 github.com/t3ft3lb/2026-100D…
Signed using the same cert: "Oppo USB Driver Setup V4.0.1.7.exe" / "HTTPDebuggerPro.exe" sample, seen from Bangladesh & Nepal: 96d5e8d2dfc2aa17f531746a614e4d1a46181aba64c2549b29c1a2ddb3d08779. The PDB path is again this one: "C:\Users\RoshanRoniyaar\Pictures\MeshAgent\Release\MeshService64.pdb" 🤷‍♂️
"svchost.exe": b1e0def9b37b981232c44abcd108a951fe206aa3cde54fc6ed098c9e2fe97400 "C:\Users\RoshanRoniyaar\Pictures\MeshAgent\Release\MeshService64.pdb" 🤷‍♂️
7 Dec 2025
damn i got got 💀 luckily nothing important tho. here is the incident report for this "meshagent" malware I found on my personal server which exploited CVE-2025-55182 in a multi-stage attack asleepace.com/blog/malware-c…
13 Oct 2025
🚩 Microsoft Ties Storm-1175 to GoAnywhere Zero-Day & Medusa Ransomware thehackernews.com/2025/10/mi… Microsoft says threat actor Storm-1175 has been exploiting CVE-2025-10035, a critical deserialization flaw in GoAnywhere MFT, to deploy Medusa ransomware. The exploit chain bypasses authentication, drops .jsp web shells, deploys RMM tools (SimpleHelp, MeshAgent), and uses Rclone & Cloudflare tunnels for exfiltration. Detect and mitigate this attack vector now with Hunt's threat hunting capabilities. #CyberSecurity #Ransomware #ZeroDay #ThreatHunting
The cybercrime group Storm-1175 has, over roughly the past month, exploited a critical GoAnywhere vulnerability for Medusa ransomware attacks. The security flaw, tracked as CVE-2025-10035, affects Fortra's GoAnywhere secure file transfer tool and stems from a weakness in the deserialisation of untrusted data in the License Servlet. The vulnerability can be exploited remotely, with low complexity and without user interaction. Microsoft confirmed that the Storm-1175 group, affiliated with Medusa ransomware, has been using this zero-day vulnerability since 11 September 2025. Microsoft researchers stated: "Exploitation activity was identified across multiple organizations, consistent with the tactics, techniques and procedures attributed to Storm-1175." After initial access, the attackers used the remote management tools SimpleHelp and MeshAgent to maintain access, Netscan for network reconnaissance, and Rclone for data theft.