Geopolitical Cyber Escalation, OAuth Phishing Bypasses, and AI-Automated Exploitation

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Geopolitical Conflict and State-Sponsored Automation

Global tensions are manifesting in both cyberspace and physical infrastructure, while state-aligned actors scale their operations using artificial intelligence.

  • CRITICAL Advisory: Iran–Israel–US Escalation — Cybersecurity risk levels are significantly elevated, particularly for the BFSI sector. Iranian-linked actors (APT35, MuddyWater, APT42) and hacktivists are expected to launch disruptive operations, including DDoS, credential abuse, and wiper malware, in retaliation for ongoing geopolitical events.

  • AWS Middle East Multi-AZ Outage — Blurring the line between physical and cyber risk, drone strikes damaged AWS data centers in the UAE and Bahrain. The strikes caused structural and power damage, resulting in significant service disruptions and highlighting the need for multi-region disaster recovery in conflict zones.

  • APT36 (Transparent Tribe) AI “Vibeware” — Pakistan-aligned APT36 is targeting Indian government entities using AI to mass-produce disposable malware in uncommon languages (Nim, Zig, Crystal). Rather than relying on technical sophistication, they use a “Distributed Denial of Detection” strategy, overwhelming defenders with sheer volume and using cloud services (Slack, Firebase) for C2.

2. Social Engineering and Identity Evasion

Attackers are manipulating trusted workflows and legitimate features to trick users and bypass email gateways.

  • Malicious OAuth Applications Bypass Protections — Attackers are exploiting OAuth 2.0 redirection mechanisms in Microsoft Entra ID. By triggering silent authentication errors using invalid scopes, they force legitimate Microsoft endpoints to redirect victims to attacker-controlled phishing pages or malware delivery sites, completely bypassing standard URL filters.

  • Velvet Tempest Ransomware Uses ClickFix — This ransomware affiliate is using the ClickFix method (fake CAPTCHA prompts) to trick victims into pasting obfuscated commands into the Run dialog. The attack leverages LOLBins like finger.exe and csc.exe to deploy DonutLoader and CastleRAT, paving the way for data theft and double-extortion.

  • Fake IT Support Deploys Havoc C2 — Attackers flood victim inboxes with spam, then call them posing as IT support. They guide victims to a fake Outlook update page to harvest credentials and deploy a modified Havoc C2 agent via DLL sideloading (abusing binaries like WerFault.exe), enabling rapid lateral movement.

3. Supply Chain Poisoning and Fileless Execution

Threat actors are hiding malicious payloads in memory, Python runtimes, and steganographic texts to evade disk-based detection.

  • Contagious Interview npm Supply Chain Attack — A new wave of this campaign targets developers with 26 typosquatted npm packages. The malware cleverly hides its C2 infrastructure using text-based steganography inside public Pastebin files, delivering remote access trojans and credential stealers via Vercel.

  • VOID#GEIST Fileless Malware Operation — This campaign uses phishing to deliver obfuscated batch scripts that download an embedded Python runtime. The Python loader decrypts payloads (XWorm, AsyncRAT, Xeno RAT) and executes them entirely in memory via Early Bird APC injection into explorer.exe, minimizing forensic artifacts.

4. Critical Vulnerabilities and AI-Orchestrated Exploitation

Unpatched edge devices and helpdesk platforms are facing both automated AI scanning and zero-click exploitation.

  • Cisco Catalyst SD-WAN Active Exploitation (CVE-2026-20122, CVE-2026-20128) — Cisco disclosed active exploitation of arbitrary file overwrite and information disclosure vulnerabilities in vManage. Authenticated attackers are leveraging these flaws to overwrite system files and steal Data Collection Agent (DCA) passwords, escalating privileges across the SD-WAN fabric.

  • FreeScout Zero-Click RCE (CVE-2026-28289) — A critical patch bypass in the FreeScout helpdesk platform allows unauthenticated remote code execution. Attackers can send a single crafted email containing an attachment with an invisible zero-width space in the filename, bypassing validation to drop a malicious .htaccess file onto the server.

  • CyberStrikeAI FortiGate Targeting — Threat actors are using an open-source, AI-native offensive security platform called CyberStrikeAI to automate the reconnaissance and exploitation of vulnerable Fortinet FortiGate appliances. Integrating models like Claude and DeepSeek, the campaign has successfully compromised over 600 devices globally.

Proactive Steps for the Week

  • Elevate Geopolitical Defenses: For organizations in the BFSI sector, review incident response plans, enforce strict MFA on all externally facing services, and monitor for Iranian-linked TTPs (e.g., unexpected RDP/VPN authentications from anomalous IPs).

  • Audit OAuth Applications: Review enterprise OAuth app registrations in Microsoft Entra ID. Restrict user consent for new applications and monitor for suspicious authentication requests utilizing prompt=none or invalid scopes.

  • Patch Critical Infrastructure: Immediately update Cisco Catalyst SD-WAN (e.g., to 20.12.6.1), Fortinet FortiGate edge devices, and FreeScout instances (to v1.8.207+) to prevent automated and zero-click exploitation.

  • Block ClickFix and LOLBins: Educate employees that CAPTCHAs and updates will never require pasting commands into the Run dialog. Use EDR or AppLocker to monitor and restrict the execution of finger.exe, csc.exe, and PowerShell spawned from browser processes.

  • Review Cloud Disaster Recovery: Validate backups and ensure multi-region failover capabilities are active for critical workloads, treating physical infrastructure risks (like the AWS Middle East outage) with the same urgency as cyber threats.
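The OAuth audit step above asks for monitoring of authentication requests that combine prompt=none with invalid scopes. The following script is an added example for this advisory, not SISA's tooling and not a Microsoft API: it reads authorize-request URLs as a web proxy would log them, flags prompt=none, scopes the tenant does not use, and redirect_uri hosts that no sanctioned app has registered, and raises an alert only when the silent-auth flag is combined with one of the other two, since prompt=none alone is routine token renewal. The allowlists, the sample URLs and the client_id values are constructed assumptions; a tenant would load its own registered redirect URIs and expected scopes.

```python
"""Triage OAuth 2.0 authorize requests from proxy logs for the redirect abuse above.

Added example for this advisory; not SISA's tooling and not a Microsoft API.
The allowlists are assumptions: a tenant would load its own registered
redirect URIs and the scopes its sanctioned apps actually request.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts serving Entra ID authorization endpoints (the legitimate endpoints the
# advisory says attackers redirect victims through).
AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Assumption: scopes the tenant's sanctioned apps are known to request.
KNOWN_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}

# Assumption: redirect_uri hosts registered by sanctioned apps.
TRUSTED_REDIRECT_HOSTS = {"portal.office.com", "outlook.office.com", "localhost"}


def triage_authorize_url(url):
    """Return None if url is not an authorize request, else a verdict dict."""
    parts = urlsplit(url)
    if parts.hostname not in AUTHORIZE_HOSTS or not parts.path.endswith("/authorize"):
        return None
    query = parse_qs(parts.query)

    def first(name):
        return query.get(name, [""])[0]

    reasons = []

    # prompt=none asks for silent authentication: any error is returned as a
    # redirect to redirect_uri without showing the user a login page.
    if first("prompt") == "none":
        reasons.append("prompt=none")

    # A scope the tenant never uses; an invalid scope guarantees that error redirect.
    # Resource-style scopes (https://.../.default, api://...) are left alone.
    scopes = first("scope").split()
    unknown = [s for s in scopes if s.lower() not in KNOWN_SCOPES and "://" not in s]
    if unknown:
        reasons.append("unknown scope(s): " + ", ".join(unknown))

    # Where the victim's browser ends up after the error redirect.
    redirect_host = urlsplit(first("redirect_uri")).hostname
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        reasons.append("unregistered redirect_uri host: " + redirect_host)

    # prompt=none on its own is routine token renewal; it is the combination with
    # an unknown scope or an unregistered redirect host that matches the pattern.
    suspicious = "prompt=none" in reasons and len(reasons) > 1
    return {"client_id": first("client_id"), "redirect_host": redirect_host,
            "reasons": reasons, "suspicious": suspicious}


def triage_proxy_log(urls):
    """Return (url, verdict) pairs for the requests that match the pattern."""
    hits = []
    for url in urls:
        verdict = triage_authorize_url(url)
        if verdict and verdict["suspicious"]:
            hits.append((url, verdict))
    return hits


# Constructed sample proxy-log URLs (not real traffic; client_ids are placeholders).
SAMPLE_PROXY_URLS = [
    "https://www.example.com/news",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.office.com%2Flanding"
    "&scope=openid%20profile%20User.Read&prompt=select_account",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Foutlook.office.com%2Fowa"
    "&scope=openid%20profile%20offline_access&prompt=none",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-0000000000aa&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupdate-portal.example.net%2Fcb"
    "&scope=openid%20not_a_real_scope&prompt=none",
]

if __name__ == "__main__":
    for url, verdict in triage_proxy_log(SAMPLE_PROXY_URLS):
        print(verdict["client_id"], "->", verdict["redirect_host"], verdict["reasons"])
```

Run it against the constructed sample and only the last URL is reported: the first is not an authorize request, the second is an ordinary interactive sign-in, and the third is a legitimate silent renewal that carries prompt=none but known scopes and a registered redirect host. The client_id in a hit is the value to check against the tenant's enterprise app registrations and consent grants.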
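The ClickFix step above recommends monitoring finger.exe, csc.exe and PowerShell spawned from browser processes. The following script is an added example for this advisory, not SISA's or any EDR vendor's detection content: it scores process-creation events in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), treating a browser parent as the strongest signal, explorer.exe as the parent for anything typed into the Run dialog, and encoded-command or hidden-window flags on PowerShell as the command-line indicators. The field names, the browser list and the sample events are constructed assumptions; the base64 blob in the sample is a placeholder, not a real payload.

```python
"""Hunt for LOLBin launches consistent with ClickFix in process-creation events.

Added example for this advisory; not SISA's or any EDR vendor's detection content.
Events below are constructed in the shape of Sysmon Event ID 1 fields
(Image, ParentImage, CommandLine); treat those field names as an assumption
about how your SIEM normalizes process-creation telemetry.
"""
import ntpath

# Binaries named in the advisory, plus both PowerShell hosts.
LOLBINS = {"finger.exe", "csc.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Anything typed into the Run dialog (Win+R) is started by explorer.exe.
SHELL = "explorer.exe"


def basename(path):
    return ntpath.basename(path).lower()


def score_event(event):
    """Return None for non-LOLBin children, else a verdict with severity and reasons."""
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if child not in LOLBINS:
        return None
    reasons = []

    # Command-line flags typical of pasted one-liners: an encoded command and a
    # hidden window. PowerShell accepts -e, -ec, -enc or any longer prefix of
    # -EncodedCommand, and -w or any prefix of -WindowStyle.
    tokens = event.get("CommandLine", "").lower().split()
    for i, token in enumerate(tokens):
        opt = token.lstrip("-/")
        if not opt:
            continue
        if opt in {"e", "ec"} or (opt[0] == "e" and "encodedcommand".startswith(opt)):
            reasons.append("base64-encoded command")
        if (opt[0] == "w" and "windowstyle".startswith(opt)
                and i + 1 < len(tokens) and tokens[i + 1] == "hidden"):
            reasons.append("hidden window")

    # Parent-process context is the stronger signal.
    parent_hit = False
    if parent in BROWSERS:
        reasons.append(f"{child} spawned by browser {parent}")
        parent_hit = True
    elif parent == SHELL:
        if child in {"finger.exe", "csc.exe"}:
            reasons.append(f"{child} launched from {SHELL} (Run dialog path)")
            parent_hit = True
        elif reasons:
            # PowerShell from the shell is everyday use; with the flags above it is not.
            reasons.append(f"{child} with those flags launched from {SHELL} (Run dialog path)")
            parent_hit = True

    severity = "high" if parent_hit else ("medium" if reasons else "none")
    return {"child": child, "parent": parent, "severity": severity, "reasons": reasons}


def hunt(events):
    """Return (event, verdict) pairs for every event scored medium or high."""
    hits = []
    for event in events:
        verdict = score_event(event)
        if verdict and verdict["severity"] != "none":
            hits.append((event, verdict))
    return hits


# Constructed sample events (not real telemetry; the base64 blob is a placeholder).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": "csc.exe /noconfig /out:app.dll app.cs"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQQ=="},
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "finger.exe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "pwsh.exe -NoProfile -Command Get-Date"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for _, verdict in hunt(SAMPLE_EVENTS):
        print(verdict["severity"].upper(), verdict["child"], "<-", verdict["parent"], verdict["reasons"])
```

On the sample, the csc.exe build step under MSBuild scores none, the notepad launch is ignored, and three events score high: the hidden, encoded PowerShell from explorer.exe (the Run dialog pattern), finger.exe from explorer.exe, and pwsh.exe under msedge.exe. PowerShell with an encoded command from any other parent scores medium, so an analyst still sees it without the page being flooded by ordinary PowerShell use from the shell. The same three parent/child pairs are the ones to express as AppLocker or EDR block rules once the hunt confirms there is no legitimate use on a given host class.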

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
