HackForLab Weekly Threat Advisory · June 22-28 2026 · editorial bulletin cover · The State of the Threat · 54,820 observations · 87 clusters · 632 high-severity · 7 named APTs · 5 story cards: APT Week (Gamaredon Turla MustangPanda CL-STA-1062 Silent Lynx), DragonForce Full Kill Chain, Messaging Weaponised (WhatsApp VBScript Campaign), Supply Chain Surge (GhostShell Malicious npm Browser ad-blocker), New RAT on the Block (ModeloRAT)

Weekly Threat Advisory: APT Surge, Ransomware Full-Pivot, Messaging Weaponised — June 22-28, 2026

WEEKLY THREAT ADVISORY · EDITION №026·26 · JUNE 22 – 28, 2026

This was an APT week. Four named state-aligned threat actors ran in parallel against the global telemetry plane. A ransomware operator rotated a full multi-pivot kill chain in seven days. A direct-messaging platform became this week’s novel initial-access surface. Stop scrolling. Read this. Your perimeter probably saw none of it.

Sectioned for the working analyst: cluster catalogue, deep-dives on the high-tempo names, MITRE ATT&CK technique mapping per adversary, subnet anchors for cheap perimeter blocking, top 15 IOCs per indicator type, four production-ready Sigma rules. Vendor-neutral. Operator-grade.


01 · This week in numbers

The catalogue produced 54,820 indicator observations this cycle across 87 adversary clusters. Topline volume is flat versus last week; the character of the catalogue shifted hard. Last week was supply-chain dominated; this week is an APT week with four named state-aligned threat actors running in parallel, a ransomware operator rotating a full multi-pivot kill chain in seven days, and a direct-messaging platform becoming the catalogue’s novel initial-access surface. If your detection programme only consumes the technical layer, you will see the topline number and assume the week was normal. It was not.

// AT A GLANCE · June 22 – 28, 2026
54,820 observations · 53,596 unique IOCs · 87 clusters · 632 high-severity · 7 named APTs · 5 supply-chain campaigns

Catalogued, ML-scored, MITRE-tagged. Refreshed continuously across open-source intelligence, sandbox, TLS, DNS, and honeynet plane sources. Every record carries adversary attribution, technique tag, severity, and confidence.

02 · Five headlines — what defined this week

If you read nothing else, read these five.

Headline 01 · APT week — four named state-aligned threat actors active in parallel

Four distinct named threat-actor clusters surfaced operationally active in this cycle: Gamaredon (68 IOCs across DOMAIN+HASH+IP; a Russian-aligned cluster historically active in regional operations), Turla APT (26 IOCs across DOMAIN+IP+URL), MustangPanda (18 IOCs across all four IOC types; a Chinese-aligned cluster), and CL-STA-1062 (17 IOCs across HASH+IP+URL; an emerging tracked cluster with a distinctive multi-file second-stage delivery pattern). Two more APTs, Silent Lynx and APT-C-35, surfaced only as bare IPs (the catalogue also records those IPs as URLs), and a single APT38 hash sits in the hash layer, which is how the at-a-glance count reaches seven named APTs. Four concurrent named APT clusters with multi-type footprints in a single week is the widest APT footprint observed in the year-to-date window. If you operate in research, government-adjacent, critical-infrastructure, or strategic-vertical environments, these are the catalogue entries that warrant immediate ingestion and a focused retrospective hunt.

Headline 02 · A ransomware operator rotated a full multi-pivot kill chain in 7 days

The DragonForce ransomware cluster contributed 32 unique indicators across all four primary IOC types (domains, hashes, IPs, URLs) in seven days. Multi-pivot rotation at this breadth, in this short a window, is a load-bearing intelligence signal: the operator is not iterating a single tactic, they are running a coordinated kill-chain refresh — new initial-access landing pages, new payload binaries, new C2 listener IPs, and new staging URLs concurrently. Single-type blocklists (only domains, only hashes) will catch a fraction of the activity. The full kill chain — T1078 initial access via valid accounts, T1021.001 lateral movement via remote desktop, T1219 remote-access tooling, T1567 double-extortion exfiltration to operator-controlled web service, T1486 data encryption for impact, T1490 recovery inhibition — is the structural signature you should be hunting.

Headline 03 · Direct-messaging platform weaponised — novel initial-access vector

The WhatsApp VBScript Campaign contributed 61 IOCs across DOMAIN+HASH+IP — the catalogue’s first observation at scale of a direct-messaging platform serving as a primary phishing-and-delivery channel for a Visual Basic script payload. The campaign exhibited a tight subnet anchor at 202.61.160.0/24 (five IPs concentrated in a single /24 block). The operational implication: defenders without direct-messaging telemetry will not see the initial vector. The implant lands, the second-stage pulls, the C2 establishes — and the first endpoint-side observable is the executed VBScript, not the inbound message. Treat your enterprise messaging platforms as initial-access surfaces, not just collaboration tools.

Headline 04 · Five concurrent supply-chain campaigns hit the developer ecosystem

Five supply-chain campaigns ran concurrently against the developer ecosystem: GhostShell (26 IOCs, full kill chain), Miasma (18 hashes, dependency compromise), Malicious npm Package (10 IOCs, package-registry attack), Operation FlutterBridge (14 IOCs, mobile-framework supply chain; catalogued as a malware campaign) and the Chrome ad-blocker extension cluster (14 IOCs: eight domains in a deliberate adblock-for-* / abu-* / abfc-* naming pattern that defenders can catch with a single regex). The Supply Chain category itself carries 51 records this week. Five concurrent supply-chain attacks against developer-flow surfaces is not coincidence; it is a structural shift in operator targeting. The defensive answer is package allow-listing, publisher-identity verification, and outbound-domain monitoring from build agents.

Headline 05 · A new RAT family arrived — ModeloRAT, full footprint

ModeloRAT contributed 39 IOCs across all four IOC types (DOMAIN, HASH, IP, URL) and matches the canonical RAT TTP profile: T1059 command interpreter, T1105 ingress tool transfer, T1071 web-protocol C2, T1056.001 keylogging, T1113 screen capture, T1041 exfiltration over C2, T1547.001 registry-run-key persistence. The breadth of indicator coverage from week one suggests either a mature build pipeline or a fork from an existing RAT family. Either way, the cluster is operational now — not future-threat material.


03 · Indicator type, severity, and category mix

An intelligence catalogue is only useful if you know where the high-value records concentrate. As in prior weeks, the IP-address layer dominates the topline volume (98 percent) because the largest contributing feed is a C2-infrastructure flood that produces dense IP-only output. The story sits in the narrow indicator types — domains, hashes, URLs — where new tradecraft surfaces. The story also sits in the APT and Supply Chain categories, which collectively carry 218 IOCs (about a third of the high-severity layer).

Counts in the three tables below are unique IOCs (the severity table sums exactly to the 53,596 unique-IOC figure above), not raw observations, which is why the IP share reads 98.65 percent rather than the 96 percent you would get against 54,820. The category table sums slightly higher, which suggests a handful of records carry more than one category tag.

By indicator type

Type · Unique IOCs · Share %
IPs · 52,873 · 98.65%
File hashes · 319 · 0.60%
Domains · 273 · 0.51%
URLs · 125 · 0.23%
Other artefacts · 6 · 0.01%
Emails · 1 · 0.00%

By severity

Severity · Unique IOCs · Share %
High · 632 · 1.18%
Medium · 52,810 · 98.53%
Low · 154 · 0.29%

By category

Category · Unique IOCs · Share %
C&C · 52,646 · 98.21%
Malware-Activity · 188 · 0.35%
Phishing · 170 · 0.32%
APT · 167 · 0.31%
C&C Server · 149 · 0.28%
RAT · 55 · 0.10%
Ransomware-as-a-service · 54 · 0.10%
Supply Chain · 51 · 0.10%
Malicious Infrastructure · 26 · 0.05%
Vulnerability · 20 · 0.04%
Hacktivist Group · 18 · 0.03%
Spyware · 17 · 0.03%
Botnet · 14 · 0.03%
Backdoor · 12 · 0.02%
Trojan · 8 · 0.01%
Framework · 6 · 0.01%
Loader · 3 · 0.01%

The APT signal. The 167 APT-category records this week are spread across 16 distinct named adversary entries. That is the most APT-diverse catalogue week observed in the year-to-date window. The detection-engineering takeaway: spend a disproportionate share of this week’s content-deployment hours on APT TTPs, not on the C2-listener IP flood.

04 · Top 30 adversary clusters by indicator footprint

The table ranks every named adversary cluster by unique indicator count this week. The dominant first entry, an open-source C2 framework family with 52,648 observations, reflects infrastructure-monitoring feed output and is listed for completeness only; the remaining 30 entries carry the operationally interesting signal: named threat actors, ransomware operators, supply-chain campaigns, RAT families.

# · Adversary cluster · Type · IOC types · Unique IOCs · Severity
01 · CobaltStrike (open framework infrastructure) · C2 · IP, URL · 52,648 · MEDIUM
02 · Photo ZIP · Phishing Campaign · DOMAIN, HASH, IP · 98 · LOW
03 · Gamaredon · Threat Actor (APT) · DOMAIN, HASH, IP · 68 · HIGH
04 · WhatsApp VBScript Campaign · Malware Campaign · DOMAIN, HASH, IP · 61 · HIGH
05 · meshagent · C2 · IP · 44 · MEDIUM
06 · ModeloRAT · Malware (RAT) · DOMAIN, HASH, IP, URL · 39 · HIGH
07 · DragonForce · Ransomware · DOMAIN, HASH, IP, URL · 32 · HIGH
08 · metasploit · C2 · IP · 31 · MEDIUM
09 · Turla APT · Threat Actor (APT) · DOMAIN, IP, URL · 26 · HIGH
10 · GhostShell · Supply Chain · DOMAIN, HASH, IP, URL · 26 · HIGH
11 · CodeStorm · Phishing Kit · DOMAIN, HASH, IP · 24 · MEDIUM
12 · MustangPanda · Threat Actor (APT) · DOMAIN, HASH, IP, URL · 18 · HIGH
13 · Miasma · Supply Chain · HASH · 18 · HIGH
14 · CL-STA-1062 · Threat Actor (APT) · HASH, IP, URL · 17 · HIGH
15 · UnregStealer · Malware (Stealer) · HASH, URL · 16 · HIGH
16 · Clickfix · Malware Campaign · DOMAIN, URL · 16 · HIGH
17 · OpenClaw ClawHub marketplace · Malicious Infra · DOMAIN, HASH, IP, URL · 16 · HIGH
18 · Magecart · Threat Actor · DOMAIN, HASH, URL · 15 · HIGH
19 · Chrome ad-blocker extension cluster · Supply Chain · DOMAIN, OTHERS · 14 · HIGH
20 · Operation FlutterBridge · Malware Campaign · DOMAIN, HASH · 14 · HIGH
21 · STOCKSTAY · Malware · DOMAIN, HASH · 14 · HIGH
22 · mythic · C2 · IP · 14 · MEDIUM
23 · havoc · C2 · IP · 12 · MEDIUM
24 · Mirai · Botnet · DOMAIN, HASH, IP, URL · 11 · HIGH
25 · CVE-2026-33017 (exploitation) · Vulnerability · DOMAIN, HASH, IP, URL · 11 · LOW
26 · Remcos · Malware (RAT) · DOMAIN, HASH, IP, URL · 11 · HIGH
27 · RMMProject · Malware · DOMAIN, HASH, IP · 11 · HIGH
28 · StrikeShark Campaign · Malware Campaign · DOMAIN, HASH · 11 · HIGH
29 · fake CAPTCHA · Phishing Campaign · DOMAIN, HASH, IP, URL · 10 · LOW
30 · Browser-in-the-Browser (BitB) campaign · Malware Campaign · DOMAIN · 10 · HIGH
31 · Malicious npm Package · Supply Chain · DOMAIN, HASH, IP, URL · 10 · HIGH

How to read this. Pay disproportionate attention to clusters that span three or more IOC types — that breadth is a campaign-fingerprint signal indicating active operator tempo rather than retrospective indicator publication. Clusters with only IP indicators (meshagent, metasploit, mythic, havoc) are open-source C2 framework infrastructure; useful for perimeter blocking but limited as attribution anchors. Clusters with all four IOC types (ModeloRAT, DragonForce, GhostShell, MustangPanda, OpenClaw, Mirai, Remcos, fake CAPTCHA, Malicious npm Package, CVE-2026-33017) are the full-kill-chain rotations — treat them as priority.


05 · Cluster deep-dives — the names you need to act on

05.1 · Gamaredon — 68 IOCs, heavy tunnel-service abuse

The largest APT-category cluster this week. The 68 indicators span domains, hashes, and IPs — and a structural pattern emerges in the domains: heavy use of legitimate tunnel-service relay infrastructure (developer-tunnel hostnames in devtunnels[.]ms, throwaway hostnames on tunnelling subdomains, loophole-site relays). This is operationally significant. The operator is renting trust from legitimate developer-infrastructure providers as cover for second-stage delivery. Defenders running domain reputation alone will give these a pass; defenders running content inspection on tunnel-service hostnames will catch the activity.

Defensive actions: Alert on outbound connections to *.devtunnels[.]ms and *.loophole[.]site from non-engineering endpoints (most users have no legitimate use case; engineering subnets do, so allowlist them explicitly rather than blocking the apex zones of a legitimate service). Hash-block the 41 binary indicators. Push the 21 IP indicators to the perimeter blocklist with high confidence.

05.2 · DragonForce ransomware — full multi-pivot kill chain

32 IOCs across all four IOC types in seven days — the broadest single-week ransomware rotation observed since the prior week’s Rhysida-Interlock cluster. The TTP signature: T1078 valid-account initial access, T1021.001 remote-desktop lateral movement, T1219 remote-access tooling, T1567 data-leak-site exfiltration, T1486 encryption-for-impact, T1490 recovery inhibition, T1003 credential dumping. Tor-onion domains in the indicator set serve as the double-extortion leak-site infrastructure.

Defensive actions: Hunt for the kill-chain sequence valid-account login from unusual source → remote-management tool execution → large outbound transfer to operator-controlled web service. Block the Tor egress at the perimeter if your environment has no legitimate Tor use case. Push all 32 indicators to the watchlist; the IP and hash layers should be hard-blocks.
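The hunt sequence above, written out as a temporal-ordered correlation over events grouped by host. This is an added example, not HackForLab tooling: the trusted address range, the remote-management image list, the leak-site placeholder host and the 500 MB threshold are assumptions to replace with your own values, and the events are constructed samples, not catalogue records.

```python
"""DragonForce kill-chain shape as a temporal-ordered correlation: unusual
remote-interactive logon, then remote-management tool execution, then a large
outbound transfer, on one host inside one hour. Added example; lists and
thresholds are assumptions, events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: where admins normally RDP from
RMM_IMAGES = {"anydesk.exe", "splashtop.exe", "teamviewer.exe", "rustdesk.exe"}
LEAK_SITE_HOSTS = {"leak-site.example"}               # placeholder, not a catalogued IOC
BYTES_OUT_THRESHOLD = 500_000_000                     # 500 MB; tune to your egress baseline

def is_unusual_logon(ev):
    """Stage 1: 4624 / LogonType 10 (RemoteInteractive) from outside trusted ranges (T1078, T1021.001)."""
    if ev["kind"] != "logon" or ev["event_id"] != 4624 or ev["logon_type"] != 10:
        return False
    src = ipaddress.ip_address(ev["src_ip"])
    return not any(src in net for net in TRUSTED_NETS)

def is_rmm_exec(ev):
    """Stage 2: a remote-management tool image starts (T1219)."""
    return ev["kind"] == "process" and ev["image"].rsplit("\\", 1)[-1].lower() in RMM_IMAGES

def is_large_exfil(ev):
    """Stage 3: more than the threshold out to Tor or a known leak-site host (T1567)."""
    if ev["kind"] != "netflow" or ev["bytes_out"] <= BYTES_OUT_THRESHOLD:
        return False
    host = ev["dst_host"].lower()
    return host.endswith(".onion") or host in LEAK_SITE_HOSTS

STAGES = (is_unusual_logon, is_rmm_exec, is_large_exfil)

def correlate(events, window_seconds=3600):
    """Return one hit per host where the three stages fire in order, all within
    `window_seconds` of the stage-1 event. Host is the group-by key."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        stage, chain = 0, []
        for ev in evs:
            if chain and ev["ts"] - chain[0]["ts"] > window:
                stage, chain = 0, []          # window expired: start the sequence over
            if STAGES[stage](ev):
                chain.append(ev)
                stage += 1
                if stage == len(STAGES):
                    hits.append({"host": host, "start": chain[0]["ts"], "chain": chain})
                    stage, chain = 0, []
    return hits

# Constructed sample events (not catalogue data): one true chain, one benign
# admin session from a trusted range, one chain whose third stage is too late.
T0 = datetime(2026, 6, 24, 2, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "FS01", "kind": "logon", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(minutes=12), "host": "FS01", "kind": "process", "image": r"C:\Users\Public\AnyDesk.exe"},
    {"ts": T0 + timedelta(minutes=40), "host": "FS01", "kind": "netflow", "bytes_out": 2_400_000_000, "dst_host": "abcdef.onion"},
    {"ts": T0, "host": "WS22", "kind": "logon", "event_id": 4624, "logon_type": 10, "src_ip": "10.20.30.40"},
    {"ts": T0 + timedelta(minutes=5), "host": "WS22", "kind": "process", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"ts": T0, "host": "DB03", "kind": "logon", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.9"},
    {"ts": T0 + timedelta(minutes=50), "host": "DB03", "kind": "process", "image": r"C:\Temp\rustdesk.exe"},
    {"ts": T0 + timedelta(hours=3), "host": "DB03", "kind": "netflow", "bytes_out": 900_000_000, "dst_host": "xyz.onion"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit["host"], hit["start"], [e["kind"] for e in hit["chain"]])
```

Only FS01 fires at the one-hour window; DB03 has all three stages but the transfer lands two hours after the window closes, and WS22 is an admin RDP session from a trusted range followed by a support tool with no exfil. Widening the window to four hours pulls DB03 in, which is the trade-off to tune against your own remote-support baseline.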

05.3 · WhatsApp VBScript Campaign — 61 IOCs, novel social-vector

The catalogue’s first observation at scale of a direct-messaging platform as primary delivery vector for a Visual Basic script payload. The campaign’s IP infrastructure clusters tightly in 202.61.160.0/24 (5 IPs concentrated in a single /24 block; treat the whole /24 as suspect). The technique chain: T1566.003 spearphishing via service, T1204.002 user execution of a malicious file, T1059.005 Visual Basic script interpreter, T1105 second-stage payload pull, T1547.001 registry-run-key persistence.

Defensive actions: Block the 202.61.160.0/24 subnet at the perimeter. The control is cheap, but check the block against your own egress baseline first; a /24 on shared hosting can carry a legitimate service you depend on. Hunt for wscript.exe and cscript.exe with a messaging-platform client as parent process. Audit messaging platforms for file-attachment policy enforcement.

05.4 · ModeloRAT — new RAT family, full footprint

39 IOCs across all four primary IOC types in seven days, matching the canonical RAT TTP profile (command interpreter + ingress tool transfer + web-protocol C2 + keylogging + screen capture + exfil over C2 + registry persistence). The breadth of indicator coverage from week one suggests either a mature build pipeline or a fork from an existing RAT family.

Defensive actions: Treat ModeloRAT as a network- and host-artefact detection priority. Hash-block known binaries, watchlist known C2 IPs, and build behavioural detection on the keylogging plus screen-capture combination (T1056.001 with T1113), which survives binary and infrastructure rotation.

05.5 · The supply-chain trio (GhostShell, Miasma, Malicious npm Package) + Browser ad-blocker cluster

Five concurrent supply-chain attacks this week — the largest concurrent supply-chain attack surface observed in this catalogue. The four primary contributors:

  • GhostShell (26 IOCs across all four types) — build-dependency compromise with full network footprint.
  • Miasma (18 hashes) — dependency compromise; hash-heavy distribution suggests multiple delivered binary variants.
  • Malicious npm Package (10 IOCs across all four types) — package-registry attack with post-install command execution.
  • Chrome ad-blocker extension cluster (14 IOCs, 8 domains) — deliberate naming pattern (adblock-for-chrome[.]com, adblock-for-y[.]com, abu-xt[.]com, abfc-extension[.]com) makes regex detection trivial.

Defensive actions: Package allow-listing in CI build agents. Outbound-domain monitoring from build runners and production web pages. Regex-block on the ad-blocker naming pattern at the resolver. Publisher-identity verification at the extension store.

05.6 · CL-STA-1062 — multi-file second-stage delivery anchor

17 IOCs with a distinctive structural pattern: a single IP infrastructure anchor (139.180.134.221) serving six named payload files from one path (/sdksdk608/1.zip, /sdksdk608/anydesk_0117.zip, /sdksdk608/hamcore.se2, /sdksdk608/httpdf, /sdksdk608/vpn_bridge.config, /sdksdk608/win-vpn.rar, plus a separate /PerfWatson2.exe path). The filenames point at repurposed legitimate tooling: anydesk_0117.zip is an AnyDesk remote-access bundle, and hamcore.se2 together with vpn_bridge.config are SoftEther VPN Bridge artefacts, consistent with the T1219 remote-access-tooling tag in section 06. The multi-file second-stage delivery from a single host with a stable path structure is itself a fingerprint.

Defensive actions: Block the anchor IP. Hunt for any second-stage pull where the destination URL matches /sdksdk608/* or any of the named filenames (the filenames are themselves IOCs). Audit your environment for legitimate use of the named tools the operator is abusing.
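One proxy-log hunt that covers three of the patterns above: tunnel-service hostnames from non-engineering clients (05.1), the ad-blocker extension naming pattern (05.5) and the CL-STA-1062 staging host and path (05.6). This is an added example, not catalogue code. The log layout, the engineering subnet and the regex derived from the four catalogued ad-blocker domains are assumptions; the sample lines are constructed; and the indicators are written fanged because the code matches live logs.

```python
"""Proxy-log hunt for three of this week's patterns in one pass: tunnel-service
relay hostnames (Gamaredon), the ad-blocker extension domain pattern, and the
CL-STA-1062 staging host/path. Added example; layout, subnet and regex are
assumptions, sample records are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: your engineering/DevOps client range, which has a legitimate tunnel use case.
ENGINEERING_NETS = [ipaddress.ip_network("10.50.0.0/16")]
TUNNEL_SUFFIXES = (".devtunnels.ms", ".loophole.site")
# Derived from the four catalogued domains (adblock-for-chrome, adblock-for-y,
# abu-xt, abfc-extension, all .com); assumes other members share the shape.
ADBLOCK_RE = re.compile(r"^(?:adblock-for|abu|abfc)-[a-z0-9-]+\.com$")
CL_STA_1062_IP = "139.180.134.221"
CL_STA_1062_PATH = "/sdksdk608/"
# Filenames distinctive enough to match on their own; 1.zip is omitted as too generic.
CL_STA_1062_FILES = {"anydesk_0117.zip", "hamcore.se2", "httpdf",
                     "vpn_bridge.config", "win-vpn.rar", "PerfWatson2.exe"}

# Assumed layout: "<timestamp> <c-ip> <cs-host> <c-uri>", one record per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<c_ip>\S+)\s+(?P<host>\S+)\s+(?P<url>\S+)$")

def is_engineering(c_ip):
    try:
        addr = ipaddress.ip_address(c_ip)
    except ValueError:
        return False  # unparseable client address: never silently allowlist it
    return any(addr in net for net in ENGINEERING_NETS)

def classify(c_ip, host, url):
    """Return the cluster label a proxy record matches, or None."""
    host = host.lower().rstrip(".")
    path = urlsplit(url).path
    if host.endswith(TUNNEL_SUFFIXES):
        return None if is_engineering(c_ip) else "Gamaredon tunnel-service relay"
    if ADBLOCK_RE.match(host):
        return "Chrome ad-blocker extension cluster"
    if (host == CL_STA_1062_IP or path.startswith(CL_STA_1062_PATH)
            or path.rsplit("/", 1)[-1] in CL_STA_1062_FILES):
        return "CL-STA-1062 staging"
    return None

def hunt(lines):
    """Return a list of (timestamp, client, host, label) for every matching record."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        label = classify(m["c_ip"], m["host"], m["url"])
        if label:
            hits.append((m["ts"], m["c_ip"], m["host"], label))
    return hits

# Constructed sample records (not catalogue data). Line 2 is an engineering
# client, line 7 is a generic 1.zip download; neither should fire.
SAMPLE_LOG = """\
2026-06-24T09:01:11Z 10.12.4.8 4273twd6-80.euw.devtunnels.ms https://4273twd6-80.euw.devtunnels.ms/stage2
2026-06-24T09:02:30Z 10.50.7.21 xyz-3000.euw.devtunnels.ms https://xyz-3000.euw.devtunnels.ms/
2026-06-24T09:05:02Z 10.12.4.9 adblock-for-chrome.com https://adblock-for-chrome.com/api/cfg
2026-06-24T09:06:40Z 10.12.4.9 abu-xt.com https://abu-xt.com/u
2026-06-24T09:07:15Z 10.12.4.10 139.180.134.221 http://139.180.134.221/sdksdk608/win-vpn.rar
2026-06-24T09:08:00Z 10.12.4.11 cdn.example.org https://cdn.example.org/sdksdk608/hamcore.se2
2026-06-24T09:09:33Z 10.12.4.12 www.example.com https://www.example.com/downloads/1.zip
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(*hit)
```

The CL-STA-1062 matcher fires on the path prefix even when the host has moved (line 6), which is the point of treating the path structure as the fingerprint; the tunnel matcher suppresses engineering clients rather than the hostnames, so the same record from a user workstation still fires.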

05.7 · Browser-in-the-Browser (BitB) campaign — phishing innovation

10 domains supporting a phishing technique that renders a fake authentication-flow window inside the legitimate browser, indistinguishable from a real provider sign-in popup unless the user attempts to drag the window outside the parent tab. The technique defeats most user-awareness training because the visual is convincing.

Defensive actions: Hunt for traffic to the 10 catalogued domains. Move sign-in to phishing-resistant, origin-bound credentials (FIDO2/WebAuthn passkeys or hardware keys) behind single sign-on: the authenticator signs the real origin, so a password and one-time code captured by a BitB window cannot be replayed against your services.

05.8 · Turla APT — resurfacing with web-protocol C2

26 IOCs across DOMAIN+IP+URL after a quiet stretch. TTP signature: T1071 web-protocol C2, T1105 ingress tool transfer, T1059 command interpreter, T1041 exfil over C2, T1027 obfuscation, T1095 non-application-layer C2 backup, T1568 dynamic resolution. The cluster’s reappearance after dormancy is a high-confidence signal of new operational tempo.

05.9 · MustangPanda — full four-type footprint

18 IOCs across all four IOC types. Chinese-aligned cluster with a long operational history; the four-type footprint indicates active campaign infrastructure rather than retrospective indicator publication. TTP signature focuses on user-execution-driven loader chains with registry persistence.

06 · MITRE ATT&CK mapping per named cluster

The table below maps each named cluster to the MITRE ATT&CK techniques observed in its catalogued indicators, with an operational narrative on how the technique chain plays out in practice. Use this table to drive your detection-engineering priority list this week — rules that fire on the listed techniques will catch the cluster even after IP/domain/hash rotation.

Cluster ATT&CK techniques observed Operational narrative
Gamaredon T1566 · T1059 · T1105 · T1071 · T1547.001 · T1027 · T1573.002 Spearphishing initial access, command-interpreter execution, second-stage pull over HTTPS, registry persistence, obfuscation, asymmetric C2 channel. Heavy use of throwaway tunnel-service domains as relay infrastructure.
Turla APT T1071 · T1105 · T1059 · T1041 · T1027 · T1095 · T1568 Web-protocol C2, second-stage pull, command-interpreter execution, exfiltration over the C2 channel, obfuscated payload, non-application-layer C2 backup, dynamic resolution.
MustangPanda T1059 · T1204 · T1105 · T1547.001 · T1027 · T1218 Command-interpreter via user execution, second-stage payload pull, registry-run-key persistence, obfuscation, signed-binary proxy execution.
CL-STA-1062 T1071 · T1105 · T1219 · T1567 · T1027 · T1543 Multi-file second-stage delivery (PerfWatson2 / win-vpn payloads), remote-access tooling abuse, configuration-file exfiltration, web-service C2 channel.
DragonForce (Ransomware) T1486 · T1490 · T1078 · T1021.001 · T1219 · T1567 · T1003 Full ransomware kill chain — valid-account access, lateral movement via remote services, remote-access tooling, double-extortion exfiltration to operator-controlled web service, credential dumping, encryption-for-impact, recovery inhibition.
WhatsApp VBScript Campaign T1566.003 · T1204.002 · T1059.005 · T1105 · T1547.001 Spearphishing via direct messaging platform (not email), malicious file user-execution, Visual Basic script interpreter, second-stage payload pull, registry persistence. Defenders without messaging-platform telemetry will not see the initial vector.
ModeloRAT T1059 · T1105 · T1071 · T1056.001 · T1113 · T1041 · T1547.001 Command-interpreter execution, ingress tool transfer, web-protocol C2, keylogging, screen capture, exfiltration over C2, registry persistence. Full RAT footprint across all four IOC types.
GhostShell (Supply Chain) T1195.002 · T1059 · T1027 · T1105 · T1071 Software supply-chain compromise targeting build dependencies, command-interpreter execution post-installation, obfuscated payload, second-stage pull, web-protocol C2.
Magecart T1056 · T1185 · T1041 · T1583.001 · T1102 Browser-side input capture (skimmer pattern), browser session hijacking, exfiltration over C2 channel, adversary-acquired domains, web-service abuse.
Browser-in-the-Browser (BitB) T1566.003 · T1583.001 · T1036.005 · T1102 Spearphishing via service, acquired domain, masquerading (fake authentication-flow window), web service abuse to deliver lure UI.
Malicious npm Package cluster T1195.001 · T1059 · T1027 · T1132 · T1219 Software dependency compromise, command-interpreter execution at install-time, obfuscated post-install script, data encoding for exfil, remote-access tooling.
Chrome ad-blocker extension cluster T1176 · T1539 · T1217 · T1102 Browser extension persistence, session cookie theft, browser bookmark discovery, web-service C2. Operator-controlled domains in canonical ad-block naming pattern (adblock-for-*, abu-*, abfc-*).
Mirai (botnet family) T1110 · T1071 · T1105 · T1498 Credential brute-force on IoT login surfaces, web-protocol C2, second-stage binary pull, network denial-of-service operations.
Remcos (RAT) T1566 · T1059 · T1056 · T1113 · T1105 · T1071 · T1041 Phishing delivery, command-interpreter, keylogging, screen capture, second-stage pull, web-protocol C2, exfil over C2.
Clickfix T1566 · T1204 · T1059 · T1105 Phishing-page user-execution loop — deceptive “fix” instruction tricks the visitor into pasting attacker-controlled command into command interpreter.

Detection-engineering takeaway. The technique catalogue above is dominated by T1059 (command-interpreter), T1105 (ingress tool transfer), T1071 (web-protocol C2), and T1041 (exfil over C2). If your environment lacks coverage on those four techniques specifically, you are blind to roughly 70 percent of this week’s adversary tradecraft. Prioritise the four-technique coverage above any single-IOC blocklist work.

07 · MITRE tactic-pressure roll-up

The catalogue aggregates technique tags from every IOC where the source feed published an ATT&CK mapping, then rolls them up to the parent tactic. The table below shows the adversary tactic-pressure profile this week — which phases of the kill chain were most heavily represented in the indicator stream.

Tactic · Top techniques observed · What the pressure means in practice · IOC count
Initial Access · T1566 / T1566.003 / T1195.001 / T1195.002 / T1078 / T1190 · Phishing (generic + via service), supply-chain via dependencies and packages, valid-account abuse, public-app exploit · 187
Execution · T1059 / T1059.005 / T1204 / T1204.002 / T1218 · Command/script interpreter, Visual Basic, user execution, system-binary proxy execution · 165
Command and Control · T1071 / T1095 / T1573.002 / T1568 / T1102 / T1090 · Web-protocol C2, non-app-layer C2 fallback, asymmetric crypto channel, dynamic resolution, web-service abuse, proxy · 154
Ingress Tool Transfer · T1105 · Second-stage payload pull observed in every multi-stage cluster this week · 132
Persistence · T1547.001 / T1176 / T1543 · Registry Run keys, malicious browser extensions, system service abuse · 89
Defense Evasion · T1027 / T1218 / T1036.005 / T1132 · Obfuscated payload, system-binary proxy execution, masquerading, data encoding · 75
Exfiltration · T1041 / T1567 · Exfiltration over C2 channel; exfil to operator-controlled web service (RaaS data-leak pattern) · 64
Collection · T1056 / T1056.001 / T1113 / T1185 · Input capture, keylogging, screen capture, browser session hijacking · 51
Credential Access · T1539 / T1003 / T1110 · Session cookie theft, OS-credential dumping, brute force · 38
Resource Development · T1583.001 / T1219 · Adversary-acquired domains, deployment of legitimate remote-access tooling for adversary use · 27
Lateral Movement · T1021.001 · Remote desktop within the ransomware kill chain · 18
Impact · T1486 / T1490 / T1498 · Data encryption for impact, recovery inhibition, network DoS · 14

Roll-up caveats. Four placements above follow the feed's tagging rather than the ATT&CK matrix: Ingress Tool Transfer (T1105) is a Command and Control technique that the feed reports as its own row; T1219 (Remote Access Software) is Command and Control, not Resource Development; T1218 is Defense Evasion only, not Execution; and T1132 (Data Encoding) belongs to Command and Control. Read the C2 pressure as the sum of those rows before deciding it is under-represented.

08 · Subnet clustering — shared-infrastructure anchors

The /24 subnet group-by surfaces two operator anchors this week. Both are candidates for subnet-level perimeter blocking: the operational gain is amortised across every future rotation inside the block, and the false-positive cost is bounded at the 256 addresses of the /24. Check each block against your own egress baseline before deploying it, so a legitimate service sharing the range does not go dark.

Subnet (/24) IP count Adversary cluster Operator observation
202.61.160.0/24 5 WhatsApp VBScript Campaign Tight infrastructure anchor — full /24 block-candidate
77.92.95.0/24 3 metasploit Open-framework listener farm

The asymmetric block. The 202.61.160.0/24 anchor is the highest-leverage perimeter control this week. Five concentrated WhatsApp VBScript Campaign IPs in one /24 means the operator has tenant concentration there — future rotation will likely land in the same block. Subnet-block today and you defeat the rotations tomorrow.
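The group-by behind this section, as an added example rather than catalogue tooling. The advisory gives the two blocks but not the host addresses inside them, so the 202.61.160.x and 77.92.95.x hosts below are constructed stand-ins, and the 203.0.113.0/24 records are a constructed mixed-owner block included to show the case where a subnet should be reviewed rather than blocked; the remaining IPs are taken from the IP table in section 09.

```python
"""/24 group-by over catalogued IPs: surface subnets with enough members to be
an operator anchor, and separate single-owner anchors (block candidates) from
mixed-owner ones (review). Added example; sample hosts are constructed."""
from collections import defaultdict
import ipaddress

def cluster_by_subnet(records, prefix=24, min_members=3):
    """records: iterable of (ip, cluster_name). Returns [(subnet, member_count,
    sorted cluster names)] for every subnet with >= min_members, largest first.
    `prefix` generalises the /24 view: pass 16 to look for /16 concentration."""
    groups = defaultdict(list)
    for ip, cluster in records:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed feed entry: skip it, do not abort the roll-up
        if addr.version != 4:
            continue  # /24 semantics are IPv4; v6 needs its own prefix length
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups[net].append(cluster)
    anchors = [(str(net), len(members), sorted(set(members)))
               for net, members in groups.items() if len(members) >= min_members]
    return sorted(anchors, key=lambda a: (-a[1], a[0]))

# Constructed sample: five WhatsApp VBScript hosts and three metasploit hosts
# are stand-ins for the advisory's two anchors; 203.0.113.x is a constructed
# mixed-owner block; the rest are from the section 09 IP table.
SAMPLE_RECORDS = [
    ("202.61.160.10", "WhatsApp VBScript Campaign"), ("202.61.160.23", "WhatsApp VBScript Campaign"),
    ("202.61.160.77", "WhatsApp VBScript Campaign"), ("202.61.160.141", "WhatsApp VBScript Campaign"),
    ("202.61.160.202", "WhatsApp VBScript Campaign"),
    ("77.92.95.11", "metasploit"), ("77.92.95.12", "metasploit"), ("77.92.95.200", "metasploit"),
    ("203.0.113.5", "Photo ZIP"), ("203.0.113.6", "CodeStorm"), ("203.0.113.7", "Photo ZIP"),
    ("103.30.76.194", "Turla APT"), ("139.180.134.221", "CL-STA-1062"),
    ("142.93.242.144", "ModeloRAT"), ("144.31.53.78", "ModeloRAT"),
    ("172.245.106.54", "Xworm"), ("172.245.209.253", "Xworm"),
    ("not-an-ip", "junk"),
]

def block_candidates(records=SAMPLE_RECORDS):
    """Split anchors into single-owner subnets (the 'asymmetric block' case) and
    mixed-owner subnets, which are shared hosting until proven otherwise."""
    single, mixed = [], []
    for anchor in cluster_by_subnet(records):
        (single if len(anchor[2]) == 1 else mixed).append(anchor)
    return single, mixed

if __name__ == "__main__":
    single, mixed = block_candidates()
    print("block candidates:", single)
    print("review first:", mixed)
```

A single cluster owning every address in the block is what makes the block asymmetric; three addresses from two unrelated clusters in one /24 is the signature of a hosting provider, and blocking it trades a few IOCs for whatever else lives there.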

09 · Top 15 IOCs per indicator type

Operator-grade extractions from this week’s catalogue: 15 indicators per IOC type. All indicators are defanged per publish-safe convention (re-fang on import: replace [.] with ., [://] with :// and hxxp with http). Use the IP and domain tables as immediate blocklist input; use the hash table for endpoint binary scan; use the URL table for proxy/DNS sinkholing. Two caveats: the tables are sorted by indicator value, not by severity, and the apex zones of shared services (devtunnels[.]ms, loophole[.]site, duckdns[.]org, pages[.]dev) belong on a watchlist, not a blocklist; block the specific hostnames and alert on the zone.
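Helpers for importing the tables below, as an added example that is not catalogue tooling: a refang/defang pair that covers this page's [.] and hxxp[://] conventions plus the common (.), [:]// and hxxps variants, a type classifier, and a router that drops each indicator into the control that consumes it. The sample values are from this advisory's tables or constructed.

```python
"""Defang/refang and IOC-type routing for the indicator tables. Added example;
conventions beyond [.] and hxxp[://] are assumed from common practice."""
import ipaddress
import re

# Refang substitutions, applied in order.
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)"), "."),
    (re.compile(r"\[://\]|\[:\]//"), "://"),
    (re.compile(r"^hxxp(s?)", re.IGNORECASE), lambda m: "http" + m.group(1).lower()),
    (re.compile(r"\[at\]", re.IGNORECASE), "@"),
]
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$",
    re.IGNORECASE)
_HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def refang(ioc: str) -> str:
    s = ioc.strip()
    for pattern, repl in _REFANG:
        s = pattern.sub(repl, s)
    return s

def defang(ioc: str) -> str:
    """Inverse of refang. For URLs the scheme and host are defanged and the path
    is left readable; bare domains and IPs get every dot bracketed."""
    s = ioc.strip()
    m = re.match(r"^(https?)://([^/?#]+)(.*)$", s, re.IGNORECASE)
    if m:
        scheme, host, rest = m.groups()
        return f"{scheme.lower().replace('tt', 'xx')}[://]{host.replace('.', '[.]')}{rest}"
    return s.replace(".", "[.]").replace("@", "[at]")

def ioc_type(value: str) -> str:
    """Classify a (possibly defanged) indicator: md5 / sha1 / sha256 / url / ip / domain / unknown."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-f]+", v, re.IGNORECASE) and len(v) in _HASH_BY_LEN:
        return _HASH_BY_LEN[len(v)]
    if re.match(r"^https?://", v, re.IGNORECASE):
        return "url"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    return "domain" if _DOMAIN.match(v) else "unknown"

def bucket_for_controls(values):
    """Refang published indicators and route them: ip/domain to the blocklist,
    hashes to endpoint scan, URLs to the sinkhole; anything else goes to review
    (e.g. a table row with an annotation glued to the indicator)."""
    buckets = {"blocklist": [], "hash_scan": [], "sinkhole": [], "review": []}
    for raw in values:
        kind = ioc_type(raw)
        if kind in ("ip", "domain"):
            buckets["blocklist"].append(refang(raw))
        elif kind in _HASH_BY_LEN.values():
            buckets["hash_scan"].append(refang(raw))
        elif kind == "url":
            buckets["sinkhole"].append(refang(raw))
        else:
            buckets["review"].append(raw)
    return buckets

if __name__ == "__main__":
    rows = ["hxxp[://]103.30.76.194", "abfc-extension[.]com",
            "09A22856890AB6AEF6311CA2BD27BE54E86DA75C", "devtunnels[.]ms (operator-anchor pattern)"]
    for name, items in bucket_for_controls(rows).items():
        print(name, items)
```

The review bucket is deliberate: the domain table's last row carries a parenthetical note, and a naive import would push the literal string into a blocklist or, worse, strip it to the apex zone of a legitimate service.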

Top 15 · IP addresses (High severity)

# · Indicator · Adversary · Category · Severity
01 · 103.30.76.194 · Turla APT · APT · HIGH
02 · 107.172.235.213 · Remcos · RAT · HIGH
03 · 107.175.85.215 · Silent Lynx · APT · HIGH
04 · 139.180.134.221 · CL-STA-1062 · APT · HIGH
05 · 142.93.242.144 · ModeloRAT · Malware · HIGH
06 · 143.92.37.168 · ValleyRAT · RAT · HIGH
07 · 144.31.53.78 · ModeloRAT · Malware · HIGH
08 · 146.70.244.90 · Remcos · RAT · HIGH
09 · 149.28.128.239 · APT-C-35 · APT · HIGH
10 · 154.31.217.203 · Silent Lynx · APT · HIGH
11 · 154.58.204.149 · GhostShell · Supply Chain · HIGH
12 · 167.88.164.202 · Gamaredon · APT · HIGH
13 · 172.235.166.243 · Gamaredon · APT · HIGH
14 · 172.245.106.54 · Xworm · RAT · HIGH
15 · 172.245.209.253 · Xworm · RAT · HIGH

Top 15 · Domains

# · Indicator · Adversary · Category · Severity
01 · 4273twd6-80.euw.devtunnels[.]ms · Gamaredon · APT · HIGH
02 · 4dwiv37h7hhuhjpvtn72hme4ylcv3qoe65arfc6mbweal7als6ma7pyd[.]onion · Wallstreet Ransomware · Ransomware · HIGH
03 · 786rty00jk[.]918ahoaurduaod[.]com · CodeStorm · Phishing · MEDIUM
04 · 7t3zi3e7ki6iseun77ofqtr6wmbpgnpc2ada6gstcxp54lw6q2zb7jad[.]onion · Booba Team Ransomware · Ransomware · HIGH
05 · 7tnzsgp4-80.use.devtunnels[.]ms · Gamaredon · APT · HIGH
06 · 8b82933574e0112129f7062a41689f7a.loophole[.]site · Gamaredon · APT · HIGH
07 · 918ahoaurduaod[.]com · CodeStorm · Phishing · MEDIUM
08 · 9932.duckdns[.]org · Mirai · Botnet · HIGH
09 · 99a23d4d4f0c9ca8e8bac7d30a02442d.loophole[.]site · Gamaredon · APT · HIGH
10 · abfc-extension[.]com · Chrome ad-blocker cluster · Supply Chain · HIGH
11 · abu-xt[.]com · Chrome ad-blocker cluster · Supply Chain · HIGH
12 · adblock-for-chrome[.]com · Chrome ad-blocker cluster · Supply Chain · HIGH
13 · adblock-for-y[.]com · Chrome ad-blocker cluster · Supply Chain · HIGH
14 · adbpdf.pages[.]dev · Browser-in-the-Browser (BitB) · Phishing · HIGH
15 · devtunnels[.]ms (operator-anchor pattern; watchlist the zone, block the hostnames above) · Gamaredon · APT · HIGH

Top 15 · File hashes

# · Indicator (MD5, SHA-1 or SHA-256 as published) · Adversary · Category · Severity
01 · 00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c · CL-STA-1062 · APT · HIGH
02 · 026588d39b7c650b5c0dfbba6c6fcc0e7ec8e3b72ba8639012e7f71c708f2c3b · Miasma · Supply Chain · HIGH
03 · 02bb20455cc592a69c080abac770ce90 · WhatsApp VBScript Campaign · Malware · HIGH
04 · 048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c · DragonForce · Ransomware · HIGH
05 · 04ec44f2618460f5c77c5e56014a512cc03a123c9c5b6b6b1273e2a1681ac2e1 · Photo ZIP · Phishing · LOW
06 · 05d188f071d097f5b6bd8138749b4b14 · WhatsApp VBScript Campaign · Malware · HIGH
07 · 067ad6221b2224d5cdb64e51c5516132d820cf4d7edf9ec170643943e79c04b7 · fake CAPTCHA · Phishing · LOW
08 · 068d0e4464823e90d9534c983acec21d2bf52b9134dd40304b2beb9b20c5a0ce · APT38 · APT · HIGH
09 · 06a2888c1f07119873ccb051221bd8717281494b33585f4242556e6e5e227969 · Photo ZIP · Phishing · LOW
10 · 0859085d3ab968de9ccfb9a829ea19af · Mirai · Botnet · HIGH
11 · 087f002df0a02c8c74f3ba5cd99cf29fb9efff38bf57b3d808e34a5dd4200dd2 · DragonForce · Ransomware · HIGH
12 · 095cce55438d772b24838f68e02805d0 · Joker · Trojan · HIGH
13 · 09A22856890AB6AEF6311CA2BD27BE54E86DA75C · Gamaredon · APT · HIGH
14 · 0F952E6162BCC881F7F844F3E2C7CDA9A5C74D72 · Gamaredon · APT · HIGH
15 · 0a9bc91e7ea2c3931f662eea37c00c7c26c8996b65f6f7afe6cce8f6114f94b6 · Gamaredon · APT · HIGH

Top 15 · URLs

# · Indicator · Adversary · Category · Severity
01 · hxxp[://]103.30.76.194 · Turla APT · APT · HIGH
02 · hxxp[://]107.172.235.213/95/ · Remcos · RAT · HIGH
03 · hxxp[://]107.175.85.215 · Silent Lynx · APT · HIGH
04 · hxxp[://]139.180.134.221/PerfWatson2.exe · CL-STA-1062 · APT · HIGH
05 · hxxp[://]139.180.134.221/sdksdk608/1.zip · CL-STA-1062 · APT · HIGH
06 · hxxp[://]139.180.134.221/sdksdk608/anydesk_0117.zip · CL-STA-1062 · APT · HIGH
07 · hxxp[://]139.180.134.221/sdksdk608/hamcore.se2 · CL-STA-1062 · APT · HIGH
08 · hxxp[://]139.180.134.221/sdksdk608/httpdf · CL-STA-1062 · APT · HIGH
09 · hxxp[://]139.180.134.221/sdksdk608/vpn_bridge.config · CL-STA-1062 · APT · HIGH
10 · hxxp[://]139.180.134.221/sdksdk608/win-vpn.rar · CL-STA-1062 · APT · HIGH
11 · hxxp[://]149.28.128.239 · APT-C-35 · APT · HIGH
12 · hxxp[://]154.31.217.203 · Silent Lynx · APT · HIGH
13 · hxxp[://]159.223.34.28 · CobaltStrike · Framework · MEDIUM
14 · hxxp[://]162.252.173.37:85/api · fake document reader · Malware · LOW
15 · hxxp[://]172.193.180.150 · Havoc · C&C Server · MEDIUM

10 · Sigma detection rules — four for this week’s standout patterns

Each rule below addresses a distinct technique cluster from this week. Drop them into your detection-content pipeline, normalise field names to your SIEM’s schema, tune the false-positive filters against your organisation’s allowlist, ship.

Sigma 01 · Tunnel-service relay (Gamaredon-style)

title: Outbound to Tunnel-Service Relay Used by Gamaredon-Style Operators
id: 4f8b2c1a-9d3e-4567-8901-2b4c6d8e0f12
status: experimental
description: Detects outbound HTTP/HTTPS connections from non-engineering endpoints
  to developer-tunnel and throwaway-hosting hostnames. Adversaries (notably
  Gamaredon-aligned activity this cycle) rent trust from legitimate tunnelling
  services as second-stage relay infrastructure. Engineering subnets with a
  legitimate tunnel use case are excluded by client IP.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-22-28-2026/
author: HackForLab Threat Intelligence
date: 2026/06/29
tags:
  - attack.command_and_control
  - attack.t1071.001
  - attack.t1568
  - attack.t1102
logsource:
  category: proxy
detection:
  selection:
    cs-host|endswith:
      - '.devtunnels.ms'
      - '.loophole.site'
      - '.duckdns.org'
      - '.pages.dev'
  filter_engineering:
    c-ip|cidr:
      - '10.50.0.0/16'   # placeholder: replace with your engineering/DevOps client subnet(s)
  condition: selection and not filter_engineering
falsepositives:
  - Engineering / DevOps endpoints with legitimate tunnel use (allowlist explicitly)
  - pages.dev and duckdns.org also host legitimate content; drop those suffixes if they are noisy in your estate
level: high

Sigma 02 · WhatsApp VBScript Campaign subnet anchor + VBScript-from-messaging

title: WhatsApp VBScript Campaign Subnet Anchor
id: a6c9d1f2-3b85-4720-9e12-4f8a7c2d5e91
status: experimental
description: Detects outbound connections to the WhatsApp VBScript Campaign subnet
  anchor (202.61.160.0/24). Pairs with the process-creation rule that follows;
  they are separate Sigma documents because each needs its own log source.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-22-28-2026/
author: HackForLab Threat Intelligence
date: 2026/06/29
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  subnet_anchor:
    DestinationIp|cidr: '202.61.160.0/24'
    Initiated: 'true'
  condition: subnet_anchor
falsepositives:
  - Legitimate services hosted in the same /24 (verify against your egress baseline before blocking)
level: critical
---
title: VBScript Interpreter Spawned by Messaging Client
id: c4b0e2a7-58d1-4f6e-9b23-7a1d5e8c2f40
status: experimental
description: Detects wscript.exe or cscript.exe started with a messaging-platform
  client as parent process, the first endpoint-side observable of the WhatsApp
  VBScript Campaign delivery chain.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-22-28-2026/
author: HackForLab Threat Intelligence
date: 2026/06/29
tags:
  - attack.initial_access
  - attack.t1566.003
  - attack.execution
  - attack.t1059.005
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  messaging_parent:
    ParentImage|contains:
      - '\WhatsApp'
      - '\Telegram'
      - '\Signal'
      - '\Slack'
  script_host:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
  condition: messaging_parent and script_host
falsepositives:
  - Internal automation that launches VBScript from a collaboration tool (audit and allowlist)
level: critical

Sigma 03 · DragonForce ransomware kill-chain correlation

title: DragonForce Unusual Remote Interactive Logon
name: dragonforce_unusual_login
description: Stage 1 of the DragonForce chain: type-10 (remote interactive) logon from a source in the suspicious-geo list.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 10
    IpAddress|expand: '%suspicious_geo%'   # placeholder list, supplied at conversion time
  condition: selection
---
title: DragonForce Remote-Management Tool Execution
name: dragonforce_rmm_execution
description: Stage 2 of the DragonForce chain: a remote-management tool image starts.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\anydesk.exe'
      - '\splashtop.exe'
      - '\teamviewer.exe'
      - '\rustdesk.exe'
  condition: selection
---
title: DragonForce Large Outbound Transfer to Operator Web Service
name: dragonforce_large_outbound
description: Stage 3 of the DragonForce chain: more than 500 MB sent to a host whose name carries a leak-site shape.
logsource:
  category: proxy
detection:
  selection:
    cs-bytes|gt: 500000000
    cs-host|contains:
      - '.onion'
      - 'leak'
      - 'site'
  condition: selection
---
title: DragonForce Ransomware Kill-Chain Sequence
id: 5e2a8d4f-7c91-4b6d-a3f8-1d9c5e2a4b8f
status: experimental
description: Detects the DragonForce kill-chain shape — valid-account login from
  unusual source, a remote-management tool execution and a large outbound transfer
  to operator-controlled web service, all on one host within 1 hour. Written as a
  Sigma v2 temporal correlation over the three stage rules above (same YAML stream).
references:
  - https://hackforlab.com/weekly-threat-advisory-june-22-28-2026/
author: HackForLab Threat Intelligence
date: 2026/06/29
tags:
  - attack.initial_access
  - attack.t1078
  - attack.lateral_movement
  - attack.t1021.001
  - attack.impact
  - attack.t1486
  - attack.t1490
correlation:
  type: temporal
  rules:
    - dragonforce_unusual_login
    - dragonforce_rmm_execution
    - dragonforce_large_outbound
  aliases:
    host:
      dragonforce_unusual_login: Computer
      dragonforce_rmm_execution: Computer
      dragonforce_large_outbound: src_ip   # resolve to hostname in your pipeline so the join holds
  group-by:
    - host
  timespan: 1h
falsepositives:
  - Legitimate remote support sessions transferring large diagnostic captures (rare)
level: critical
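The temporal join behind Sigma 03, written out in plain Python so the window logic can be checked against sample data before the rule goes into a SIEM. This is an added example, not HackForLab's code; the stage names, hosts and timestamps are constructed.

```python
"""Sigma 03's temporal correlation in plain Python: report each host on which all
three stage matches land inside one 3600 s window (sliding, any order).
Added example, not HackForLab's code; the events below are constructed."""
from collections import Counter
from datetime import datetime, timezone

STAGES = ("unusual_login", "rmm_execution", "large_outbound")

def _epoch(iso: str) -> float:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()

def correlate(events, timespan=3600):
    """events: dicts with host, stage, time. Returns {host: (start, end)} for the
    first window of <= timespan seconds that holds every stage on that host."""
    per_host = {}
    for e in events:
        if e["stage"] in STAGES:
            per_host.setdefault(e["host"], []).append((_epoch(e["time"]), e["stage"]))
    hits = {}
    for host, evs in per_host.items():
        evs.sort()
        in_window = Counter()  # stage -> number of events currently inside the window
        left = 0
        for t_right, stage in evs:
            in_window[stage] += 1
            while t_right - evs[left][0] > timespan:  # drop events too old for the window
                in_window[evs[left][1]] -= 1
                left += 1
            if all(in_window[s] for s in STAGES):
                hits[host] = (evs[left][0], t_right)
                break
    return hits

# Constructed sample: WS-ACCT-07 completes the chain in 42 min; WS-ENG-02 never
# exfiltrates; WS-FIN-11 shows all three stages but spread over five hours.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "stage": "unusual_login",  "time": "2026-06-24T02:10:00"},
    {"host": "WS-ACCT-07", "stage": "rmm_execution",  "time": "2026-06-24T02:31:00"},
    {"host": "WS-ACCT-07", "stage": "large_outbound", "time": "2026-06-24T02:52:00"},
    {"host": "WS-ENG-02",  "stage": "unusual_login",  "time": "2026-06-24T09:00:00"},
    {"host": "WS-ENG-02",  "stage": "rmm_execution",  "time": "2026-06-24T09:05:00"},
    {"host": "WS-FIN-11",  "stage": "unusual_login",  "time": "2026-06-25T01:00:00"},
    {"host": "WS-FIN-11",  "stage": "rmm_execution",  "time": "2026-06-25T03:30:00"},
    {"host": "WS-FIN-11",  "stage": "large_outbound", "time": "2026-06-25T06:00:00"},
]

if __name__ == "__main__":
    for host, (start, end) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: kill chain complete in {(end - start) / 60:.0f} min")
```

Widening `timespan` pulls in WS-FIN-11, which is the tuning trade-off the one-hour window makes.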

Sigma 04 · Malicious browser ad-blocker extension domain pattern

title: Malicious Browser Ad-Block Extension Domain Pattern
id: 9b4c7e1d-5a82-4f30-bc91-3e6a8c4f5d12
status: experimental
description: Detects DNS queries for domains matching the Chrome ad-blocker
  extension cluster naming pattern observed this week. The patterns are anchored
  tightly enough to avoid false positives against legitimate ad-block vendors.
references:
  - https://hackforlab.com/weekly-threat-advisory-june-22-28-2026/
author: HackForLab Threat Intelligence
date: 2026/06/29
tags:
  - attack.persistence
  - attack.t1176
  - attack.credential_access
  - attack.t1539
  - attack.command_and_control
  - attack.t1102
logsource:
  category: dns_query
detection:
  selection:
    QueryName|re:
      - '^adblock-for-[a-z]{1,8}\.com$'
      - '^ab[a-z]{1,4}-[a-z]{1,12}\.com$'
      - '^abfc-[a-z]+\.com$'
  condition: selection
falsepositives:
  - Legitimate ad-blocker analytics endpoints (verify against known-good list)
level: high

11 · Hunt queries — SIEM-agnostic pseudo-syntax

Hunt 01 · First-seen contact with this week’s APT anchors

// Pseudo-query
FROM network_flows
WHERE dest_ip IN (
  '103.30.76.194',     -- Turla APT
  '139.180.134.221',   -- CL-STA-1062
  '149.28.128.239',    -- APT-C-35
  '154.31.217.203',    -- Silent Lynx APT
  '167.88.164.202',    -- Gamaredon
  '172.235.166.243'    -- Gamaredon
)
  AND first_seen_pair(src_ip, dest_ip) WITHIN 30d
| AGGREGATE BY src_ip, dest_ip
| SORT BY flow_count DESC

First-seen pairings are the highest-fidelity signal. Recurring connections may already be in your alert lane; new ones are an in-progress incident.
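Hunt 01 rendered as plain Python over a flow table, for analysts whose SIEM lacks a first-seen primitive. This is an added example, not HackForLab's query; the anchor IPs are the ones listed in Hunt 01 and the flow records are constructed.

```python
"""Hunt 01 as plain Python over a flow table: keep (src, dest) pairs whose dest is
one of this week's APT anchors and whose first observation falls inside the
look-back window. Added example, not HackForLab's query; flows are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

APT_ANCHORS = {  # anchor IPs and attributions as listed in Hunt 01
    "103.30.76.194": "Turla APT",
    "139.180.134.221": "CL-STA-1062",
    "149.28.128.239": "APT-C-35",
    "154.31.217.203": "Silent Lynx APT",
    "167.88.164.202": "Gamaredon",
    "172.235.166.243": "Gamaredon",
}

def first_seen_anchor_pairs(flows, now, lookback_days=30):
    """flows: (iso_ts, src_ip, dest_ip) over full history. Returns (src, dest, attribution,
    first_seen, flow_count) rows, busiest first, for pairs first seen inside the window."""
    first_seen, counts = {}, defaultdict(int)
    for ts, src, dst in flows:
        if dst not in APT_ANCHORS:
            continue
        seen_at = datetime.fromisoformat(ts)
        pair = (src, dst)
        counts[pair] += 1
        if pair not in first_seen or seen_at < first_seen[pair]:
            first_seen[pair] = seen_at  # keep the earliest sighting per pair
    cutoff = now - timedelta(days=lookback_days)
    rows = [
        (src, dst, APT_ANCHORS[dst], first_seen[(src, dst)].isoformat(), counts[(src, dst)])
        for (src, dst) in first_seen
        if first_seen[(src, dst)] >= cutoff  # older pairs are recurring, not new
    ]
    return sorted(rows, key=lambda r: r[4], reverse=True)

# Constructed flows: 10.20.1.50 has contacted the CL-STA-1062 anchor since May
# (recurring, excluded); the other two anchor contacts are first seen this week.
NOW = datetime(2026, 6, 29)
SAMPLE_FLOWS = [
    ("2026-05-01T10:00:00", "10.20.1.50", "139.180.134.221"),
    ("2026-06-25T10:00:00", "10.20.1.50", "139.180.134.221"),
    ("2026-06-26T11:02:00", "10.20.4.17", "167.88.164.202"),
    ("2026-06-27T08:00:00", "10.20.4.17", "167.88.164.202"),
    ("2026-06-24T22:15:00", "10.20.9.3", "103.30.76.194"),
    ("2026-06-27T12:00:00", "10.20.7.8", "192.0.2.10"),  # not an anchor, ignored
]

if __name__ == "__main__":
    for row in first_seen_anchor_pairs(SAMPLE_FLOWS, NOW):
        print(row)
```

The function needs the full flow history, not just the last 30 days, or every pair looks new.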

Hunt 02 · VBScript / WScript execution from messaging clients

// Pseudo-query
FROM process_creates
WHERE process_name IN ('wscript.exe', 'cscript.exe')
  AND parent_process_name MATCHES regex '(?i)(whatsapp|telegram|signal|slack|teams)'
| PROJECT host_name, user, parent_process_name, process_name, command_line, create_time
| SORT BY create_time DESC

Catches the WhatsApp VBScript Campaign technique end-to-end — messaging-client parent process spawning a script interpreter is the operational signature.

Hunt 03 · Multi-file second-stage pull from a single host (CL-STA-1062 shape)

// Pseudo-query
FROM proxy_logs
WHERE dest_host = '139.180.134.221'
  OR cs_uri_query MATCHES regex '/sdksdk[0-9]+/'
  OR cs_uri_query CONTAINS 'PerfWatson2'
| AGGREGATE BY src_host, dest_host, COUNT(DISTINCT cs_uri_stem) AS unique_paths
| WHERE unique_paths >= 3
| PROJECT src_host, dest_host, unique_paths

Any endpoint that pulled three or more distinct paths from the CL-STA-1062 anchor in any time window is a candidate compromise.

Hunt 04 · Tor-onion C2 traffic (DragonForce data-leak-site shape)

// Pseudo-query
FROM dns_queries
WHERE query_name LIKE '%.onion'
  AND src_host NOT IN (allowlisted_tor_users)
| AGGREGATE BY src_host
| WHERE COUNT > 5
| SORT BY COUNT DESC

Most enterprises have zero legitimate Tor use case. Onion-domain queries from anything other than an explicitly allowlisted host should produce an alert.

12 · Operationalise this advisory in 60 minutes

This advisory is only useful if Monday morning produces concrete defensive actions. Here is the one-hour routine.

Minute 00 – 15 · Block + sinkhole

  • Block 202.61.160.0/24 at the perimeter (WhatsApp VBScript Campaign anchor). Cost: zero. Risk: none.
  • Block 77.92.95.0/24 at the perimeter (open-framework listener farm).
  • DNS-deny the 14 Chrome ad-blocker extension domains using the regex pattern in Sigma 04.
  • Push the top 15 IPs and the top 15 hashes to perimeter/endpoint blocking.

Minute 15 – 30 · Detection content

  • Deploy the four Sigma rules from Section 10.
  • Tune the false-positive filters against your engineering allowlist and your CI build agent inventory.

Minute 30 – 45 · Retrospective hunt

  • Run Hunt 01 (APT anchor first-seen) across the last 30 days. Any historical match is an in-progress incident.
  • Run Hunt 03 (CL-STA-1062 multi-file pull) across the last 7 days.
  • Run Hunt 04 (Tor onion-domain queries) as a baseline scan across the last 30 days.

Minute 45 – 60 · Awareness + policy

  • Brief endpoint users on the WhatsApp VBScript Campaign — treat unsolicited script attachments from any messaging platform as suspicious.
  • Brief developers on the supply-chain campaigns — package allow-listing and publisher-identity verification are not optional this week.
  • Audit your enterprise’s tunnel-service usage policy. If your engineering team uses developer-tunnel services, document the use cases; everything outside the documented set is suspicious.

This advisory ships 15 indicators per type. The catalogue carries the full 53,596 unique IOCs, each with adversary attribution, MITRE technique, confidence score, and source provenance.


13 · Frequently asked questions

Four APT clusters in one week. Is that unusual?

For this catalogue, yes — this is the widest concurrent APT footprint observed in the year-to-date window. The typical week sees one or two named state-aligned clusters; this week showed Gamaredon, Turla, MustangPanda, and CL-STA-1062 in parallel, plus Silent Lynx and APT-C-35 in IP-only form. The implication is operator tempo, not catalogue noise.

How do I prioritise the 632 high-severity records?

Three-tier triage. First: subnet-block the two /24 anchors in Section 08. Second: push the top 15 IPs and top 15 hashes from Section 09 to your blocking lane. Third: deploy the four Sigma rules from Section 10. After that, work down the cluster deep-dives in Section 05 by category relevance to your industry vertical.

The catalogue lists CobaltStrike with 52,648 indicators. Are most of these real C2 listeners?

The cluster represents observable infrastructure tied to a specific commodity C2 framework family. The 52,648 figure reflects feed-level observation of listener IPs that match the framework’s protocol signatures over the week — not all are actively in use for adversary operations. Treat them as perimeter-block candidates, not as in-progress incident indicators. Many large hosting providers periodically have listeners flagged — expect some false-positive overlap with managed-test infrastructure.

Why are tunnel-service domains a problem for Gamaredon detection?

Tunnelling services issue trusted subdomains under high-reputation parent domains. The operator inherits the parent’s reputation for free. Domain-reputation tools rate the tunnel-service subdomain as benign (because the parent is); content inspection sees malicious second-stage payloads behind the tunnel. The asymmetry is in the operator’s favour unless the SOC is specifically watching tunnel-service hostnames as a category.

How do I detect Browser-in-the-Browser if the visual is convincing?

You don’t detect it in the user-experience layer; you detect it in the infrastructure layer. The 10 catalogued domains for this week’s BitB campaign are in the top-15 domain table. Block at the resolver. For long-term defence, promote hardware-bound credentials (FIDO2 / passkeys) so that even successful credential capture cannot be replayed against your services.

What confidence threshold should the SOC use for automated blocking?

For automatic blocklist promotion: high confidence only. For watchlist enrichment: medium and above. For retrospective hunting: include low. The catalogue exposes the confidence threshold as a runtime filter — pick the threshold that matches the action.

How does the WhatsApp VBScript Campaign differ from regular email phishing?

Email gateways inspect inbound messages; most enterprises do not inspect direct-messaging traffic. The campaign exploits that asymmetry. The lure arrives in a channel without the same content-scanning depth, the user trusts the source more (often a contact they know), and the script executes before any endpoint or network control inspects what happened. The defence is endpoint detection on script-interpreter spawning from messaging-client parent processes (see Sigma 02).

The supply-chain category produced 51 IOCs across 5 campaigns. Is this a new trend?

The trend is sustained, not new. Each of the last six weekly catalogues has carried at least three concurrent supply-chain campaigns. This week’s five-campaign count is the high-water mark so far but not a discontinuity from the recent baseline. The structural implication: software supply chain is now a routine attack surface, not an exotic one. Treat it accordingly in your detection programme.

How current is each catalogued indicator?

Every record carries first_seen, last_seen, and confidence fields. This advisory’s window is the seven-day last_updated span — every indicator was either added or reaffirmed in that window. The operator console exposes all three fields so you can filter to the freshness profile that matches your action.

Where can I see this advisory’s intelligence in operational form?

The HuntIntel console exposes every IOC behind this advisory with adversary attribution, MITRE technique, severity, confidence, and source provenance pre-joined. Open the operator console at huntintel.hackforlab.com/login.html. For the practitioner reference on the underlying frameworks, see Indicators of Compromise and Threat Intelligence: A Practitioner Reference.

Core Working Areas: Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security
Technical Certifications: Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber crime investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Redhat certified Engineer | Cisco Certified Network Associates | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions