Advisory ID: NCC-CSIRT-2026-004

Summary: 

Cybersecurity firm Mandiant, part of Google Cloud threat intelligence, has identified an active and escalating vishing (voice phishing) campaign attributed to threat actors associated with the ShinyHunters criminal syndicate and related clusters (tracked as UNC6661, UNC6671, UNC6240). These actors impersonate internal IT staff via telephone calls and direct employees to victim-branded credential harvesting sites, convincing them to enter single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Attackers then register their own devices, bypass MFA protections, and gain unauthorized access to corporate SaaS platforms, where they harvest sensitive data for extortion and financial gain. This campaign does not exploit software vulnerabilities in SaaS products but relies on advanced social engineering and real-time credential relaying.

Damage/Probability: Critical/High

Product(s): 

• Identity Providers and Single Sign-On (SSO) Systems (e.g., Okta, Microsoft Entra/Azure AD, Google Workspace SSO).
• Cloud-based Software-as-a-Service (SaaS) Platforms (email, file storage, CRM, collaboration suites).
• Multi-Factor Authentication (MFA) mechanisms in enterprise environments.

Version(s): 

Not product/version-specific, impacts any enterprise using SSO and MFA protections that rely on user-supplied codes, push approvals, SMS, or help-desk resets without phishing-resistant second factors.

Platform(s): 

• Corporate identity systems
• Workforce SSO dashboards
• Cloud applications (Microsoft 365, Okta, Google Workspace, SharePoint, OneDrive, Salesforce, Slack, etc.).

Description: 

Mandiant and related threat intelligence sources report that since early January 2026, sophisticated vishing operations have been targeting enterprise employees across sectors. Adversaries call targets impersonating legitimate IT support or security personnel, claiming an urgent need to update MFA or verify credentials. Victims are guided to company-branded phishing domains that imitate real SSO login portals. While still on the call, attackers capture single sign-on credentials and MFA codes, then immediately use them to authenticate on the legitimate SSO portal, effectively bypassing MFA protections and enrolling attacker-controlled devices for persistent access.

Once access is achieved, threat actors can traverse the SaaS environment, including email, file shares, collaboration tools and CRM systems, to exfiltrate sensitive data and internal communications. In many cases, attackers export data and later contact organizations with extortion demands or harass personnel to pressure compliance.

This activity is tracked under multiple clusters (UNC6661, UNC6671, UNC6240) and appears to be an evolution of ShinyHunters-brand extortion operations, expanding across SaaS ecosystems and leveraging social engineering tradecraft rather than technical exploits.

Threat Types: 

• Vishing: Calls posing as IT/help desk to steal credentials and MFA codes.
• Credential phishing + MFA bypass: Real-time phishing sites capture logins and MFA tokens.
• SSO compromise & Cloud pivoting: Stolen identities used to access SaaS and linked services.
• Data theft & Extortion: Exfiltrated data used for ransom and follow-on phishing.

Impacts: 

• Unauthorized access to identity/SSO systems, bypassing MFA.
• Sensitive data stolen from connected cloud apps (email, files, CRM, chat).
• Hijacked accounts used for internal phishing or lateral movement.
• Ransom extortion, staff harassment, and operational disruption.
• Data breaches cause fines, reputational damage, and loss of trust.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

• Use phishing-resistant MFA (FIDO2 keys/passkeys), not SMS, push, or email codes.
• Run targeted vishing and social-engineering simulation training.
• Enforce strict MFA request verification, including supervisor call-backs.
• Review MFA enrollments, remove suspicious devices, and apply conditional access.
• Use SIEM and UEBA to detect suspicious cross-platform access.
• Apply least-privilege access and segment cloud environments.
• Enable detailed identity audit logs and retain them for forensics. 
• If compromised, revoke sessions/devices and reissue credentials with strong MFA.
• Investigate lateral movement and data exfiltration (API/OAuth activity) after compromise.

References:

• https://cybernews.com/cybercrime/shinyhunters-link-sso-vishing-attacks-okta-paywall/

• https://www.computerweekly.com/news/366637762/Wave-of-ShinyHunters-vishing-attacks-spreading-fast

• https://www.redsecuretech.co.uk/blog/post/shinyhunters-ramp-up-vishing-attacks-on-saas-platforms/853

• https://kbi.media/press-release/mandiant-warns-of-active-shinyhunters-vishing-campaign-targeting-enterprise-identity-systems/

• https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html
  

Advisory ID: NCC-CSIRT-2026-003

Summary: 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical heap-overflow vulnerability in VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalogue following confirmed evidence of active exploitation in the wild. This vulnerability allows a remote attacker with network access to send specially crafted packets that trigger a remote code execution (RCE) condition on vulnerable vCenter systems.

VMware originally released a patch for this flaw in June 2024, but recent security advisory updates by Broadcom confirm that exploitation has been observed in operational environments in early 2026. This context elevates the urgency for organizations relying on VMware virtual infrastructure to remediate without delay.

Damage/Probability: Critical/High

Product(s): 

• Broadcom VMware vCenter Server
• Centralized management platform for VMware ESXi hosts
• Virtual machines

Version(s): 

VMware vCenter Server versions before patched releases (patched in June 2024), CVE-2024-37079 remains a risk where updates have not been fully applied.

Platform(s): 

Virtualization management infrastructures across enterprise, cloud, government, and telecommunication data centers.

Description: 

CVE-2024-37079 is a heap-overflow vulnerability in VMware vCenter Server’s DCE/RPC protocol implementation. When a specially crafted network packet is sent to a vulnerable vCenter instance, the flaw may allow execution of arbitrary code in the context of the vCenter Server process, essentially enabling an attacker to gain unauthenticated remote code execution without the need for valid credentials.

Broadcom’s updated advisory now confirms that CVE-2024-37079 is being exploited in real-world environments, prompting CISA to add it to the KEV catalogue and to require immediate action by relevant agencies and enterprises. Previously, the vulnerability was patched in June 2024, along with related heap-overflow issues affecting the same service.

There are no known effective workarounds that fully mitigate this RCE outside patching and network access restrictions; therefore, patch application and protective segmentation are paramount.

Threat Types: 

• Critical Remote Code Execution (RCE) via heap overflow in the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol implementation.
• Unauthorized virtual environment compromise, vCenter Server typically runs with elevated privileges and controls ESXi hosts, making this attack vector especially high-impact.
• Potential lateral movement, virtual machine manipulation, and denial-of-service following successful exploit.

Impacts: 

• Exploitation grants attackers high-privilege code execution on vCenter, enabling control over hosts, clusters, virtual machines, and permissions.
• With control over vCenter, adversaries can pivot within virtualized environments and deploy additional malicious payloads.
• vCenter Server is central to operations; compromise may lead to service outages, data loss, and administrative lockout.
• Attackers could access sensitive configuration and credential data stored within the virtual management plane.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

• Update all VMware vCenter Server instances to the patched builds specified by Broadcom, consult the latest VMware advisory (VMSA-2024-0012.1 or later) to confirm exact target versions.
• Restrict network access to vCenter management interfaces — only trusted management hosts should have connectivity.
• Limit exposure of critical vCenter ports and services to internal networks; isolate management plane from general production traffic.
• Enable deep logging and review access logs for anomalous DCERPC traffic or exploit indicators; correlate events with external threat intelligence.
• Prepare playbooks for virtualization layer compromise; maintain backups of vCenter configurations and ensure out-of-band recovery options.
• Treat VMware vCenter Server as a top-priority asset for patching in the next maintenance window.
• Validate that all instances, including test, staging, and disaster-recovery nodes, are updated.
• Enforce MFA for administrative access to vCenter and related infrastructure.
• Deploy network IDS/IPS signatures tuned to identify crafted DCERPC exploit attempts.
• Inform virtualization service providers and cloud tenants if vCenter infrastructure is shared or outsourced.

References:

• https://thehackernews.com/2026/01/cisa-adds-actively-exploited-vmware.htmlw

• https://cloudnews.tech/vmware-vcenter-in-the-spotlight-broadcom-confirms-in-the-wild-exploitation-of-a-critical-flaw-vmsa-2024-0012-1/

• https://www.thaicert.or.th/en/2026/01/26/cisa-adds-vmware-vcenter-vulnerability-cve-2024-37079-to-kev-catalog-after-active-exploitation/

• https://cybersecuritynews.com/vmware-vcenter-rce-vulnerability/

• https://ilja-schlak.de/en/cisa-adds-vmware-vcenter-flaw-cve-2024-37079-to-the-kev-catalog/

• https://nvd.nist.gov/vuln/detail/CVE-2024-37079

Advisory ID: NCC-CSIRT-2026-002

Summary: 

Arctic Wolf Labs has reported an ongoing cluster of automated attacks targeting Fortinet FortiGate devices that leverage the FortiCloud Single Sign-On (SSO) feature to gain unauthorized administrative access and perform malicious configuration changes. The observed activity, which began around 15 January 2026, includes the creation of generic administrative accounts, modifications to VPN configurations that grant access to these accounts, and the exfiltration of complete firewall configurations to external systems.

The attacks exploit critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, through manipulated SAML messages in the FortiCloud SSO chain, allowing attackers to bypass authentication controls without valid credentials.

Damage/Probability: Critical/High

Product(s): 

• Fortinet FortiGate Network Security Appliances
• FortiOS, FortiWeb, FortiProxy, FortiSwitchManager with FortiCloud Single Sign-On (SSO) feature enabled

Version(s): 

• Versions impacted include those vulnerable to CVE-2025-59718 and CVE-2025-59719, even where patches were applied, due to persistence of bypass conditions in some builds.
• FortiOS versions 7.4.9+/7.4.10 and other train releases have been reported as still vulnerable in certain configurations

Platform(s): 

• Internet-facing perimeter firewalls
• Related Fortinet security platforms actively managed via FortiCloud SSO

Description: 

Exploitation of FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) allows attackers to gain unauthorised administrative access to FortiGate devices without credentials.

Once access is obtained, automated scripts rapidly create generic admin accounts, modify VPN and firewall configurations for persistence, and exfiltrate full device configurations for offline credential analysis and further compromise.

Exfiltration activity has been linked to the following IP addresses:
104.28.244[.]115, 104.28.212[.]114, 217.119.139[.]50, 37.1.209[.]19.

The speed and consistency of the activity indicate the use of automated threat actor tooling, enabling rapid and scalable compromise.

Threat Types: 

• Unauthenticated SSO bypass via crafted SAML messages for initial access.
• Automated admin session takeover through malicious login activity.
• Firewall and VPN configuration changes to maintain persistence.
• Exfiltration of firewall configurations enabling credential compromise and lateral access.

Impacts: 

• Exploitation enables attackers to authenticate as administrative users without credentials, granting full control over affected FortiGate devices.
• Malicious changes to firewall rules, VPN policies, and administrative accounts undermine perimeter security and elevate attacker reach for further network intrusion.
• Exfiltrated configuration files contain hashed credentials that may be subject to offline cracking, potentially escalating compromise across other systems or administrative sessions.
• Newly created generic accounts and expanded VPN access provide persistent footholds and can facilitate lateral movement into enterprise networks.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

• Disable FortiCloud SSO admin access until systems are fully patched and validated.
• Restrict admin interfaces (web/SSH/CLI) to trusted internal networks only.
• Apply all Fortinet PSIRT patches and confirm CVE fixes in release notes.
• Monitor admin and SSO logs for anomalous sessions, new accounts, and configuration changes; enable alerts.
• Correlate configuration changes with authenticated sessions to detect unauthorised activity.
• Immediately rotate all admin credentials and revoke active sessions.
• Treat exported configuration files as potentially compromised and sanitise before reuse.
• Enforce least privilege, MFA, and continuous configuration monitoring for firewall administrators.

References:

• https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html

• https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/

• https://www.helpnetsecurity.com/2026/01/21/patched-fortigate-compromised-via-cve-2025-59718/

• https://cyberpress.org/fortigate-sso-vulnerability/  

Advisory ID: NCC-CSIRT-2026-001

Summary: 

Cybersecurity researchers have uncovered a significant phishing campaign that exploits private messages on LinkedIn to deliver a Remote Access Trojan (RAT) via Dynamic Link Library (DLL) sideloading. Attackers establish trust with targets, often “high-value” individuals such as executives and IT professionals, through LinkedIn direct messages and persuade them to download and execute a malicious self-extracting WinRAR archive. Once executed, the adversary uses DLL sideloading to execute malicious code in the context of a legitimate PDF reader application, leading to a persistent RAT implant that provides remote control and data exfiltration capabilities.

Damage/Probability: High/High

Product(s): 

• Microsoft Windows endpoints and servers
• WinRAR self-extracting archive tools used in delivery
• Legitimate PDF reader application used in the sideloading technique

Version(s): 

Affects systems where users execute malicious archives delivered via LinkedIn messages and where Windows DLL sideloading is possible (generic Windows; not version-specific).

Platform(s): 

• Windows corporate workstations
• Laptops
• Remote devices and unmanaged systems in enterprise environments across sectors, including technology, finance, and professional services.

Description: 

In the observed campaign, attackers contact victims via LinkedIn direct messages (DMs) under professional pretexts and entice them to download a WinRAR self-extracting archive (SFX). When executed, this archive unpacks multiple components, including:

• A legitimate open-source PDF reader,
• A malicious DLL placed for sideloading,
• A portable Python interpreter executable, and
• A decoy RAR file to distract or reassure the user. (TechBooky)

The attack exploits DLL sideloading, a Windows behavior where an application loads a DLL from its own directory before the system path, enabling a rogue DLL to execute code under the guise of a trusted application. When the PDF reader launches, it loads the malicious DLL, which then installs the bundled Python interpreter and creates a Windows Registry Run key to ensure the interpreter starts automatically at each user login. (TechBooky)

Once running, the Python interpreter decodes and executes Base64-encoded shellcode directly in memory, a technique that avoids writing additional malicious executables to disk and helps evade forensic detection. The final payload establishes a remote connection to attacker-controlled infrastructure, providing persistent remote access and control. (LinkedIn)

Security researchers have noted that multiple malware families (e.g., LOTUSLITE, PDFSIDER) have been delivered using similar DLL sideloading techniques in concurrent campaigns.

Threat Types: 

• Social media-based phishing for initial access (LinkedIn direct messages).
• DLL sideloading (defence evasion leveraging legitimate application).
• Remote Access Trojan (RAT) deployment for persistent remote control and data theft.
• Persistence via registry autorun key creation.

Impacts: 

• Attackers gain persistent interactive access to compromised hosts, enabling credential theft, system manipulation, and lateral movement across networks.
• RAT malware may steal sensitive information, including intellectual property and personal data.
• Use of DLL sideloading hides malicious execution under the context of a trusted process, complicating detection by traditional endpoint security tools.
• Social media private messaging becomes a significant vector outside traditional email security controls.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

• Block access to known malicious domains and links distributed via LinkedIn DMs.
• Quarantine affected systems and perform full malware scans using up-to-date signatures.
• Remove unauthorized Registry Run keys and Python interpreter instances established by the attack.
• Update endpoint protection to include heuristics for DLL sideloading behavior and unusual interpreter executions.
• Enforce application allow-listing to restrict execution of unknown or unapproved software.
• Conduct phishing simulations, including social media scenarios, to increase employee awareness of non-email phishing vectors.
• Recognize LinkedIn and other social platforms as potential attack vectors, not just email, and expand monitoring accordingly.
• Educate staff on social engineering risks inherent in professional networking platforms.
• Integrate DLL sideloading and interpreter execution detection into SOC and SIEM rules.
• Implement multi-layered endpoint controls, including application allow-listing, script blocking, and EDR with behavioral analysis.
• Block delivery domains and suspicious WinRAR SFX files; isolate hosts showing unusual DLL loads.
• Deploy endpoint rules to detect sideloaded DLLs and unauthorized interpreter execution.
• Expand phishing training beyond email to include social media threats; adopt zero-trust policies for endpoint execution.

References:

• https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.html

• https://cybernews.com/security/linkedin-phishing-campaign-targets-execs-weaponized-files/

• https://www.scworld.com/news/phishing-campaign-exploits-linkedin-messages-via-dll-sideloading

• https://www.linkedin.com/posts/david-sehyeon-baek-5a96a9109_cybersecurity-phishing-linkedin-activity-7419526336001568768-3dX3/

• https://www.techbooky.com/how-hackers-spread-rat-malware-via-dll-sideloading-in-linkedin-messages/

• https://www.secnews.gr/684397/hackers-linkedin-rat-dll-sideloading/