Normal view

Received — 23 April 2026 Proofpoint Threat Insight

Beyond the breach: inside a cargo theft actor’s post-compromise playbook

17 April 2026 at 01:38
Key findings Proofpoint monitored a cargo theft actor’s post‑compromise activity for more than a month in a decoy environment operated by Deception.pro.  The attacker abused multiple remote access tools to establish persistence, including the use of a previously unknown third‑party signing‑as‑a‑service capability.  Proofpoint also observed extensive reconnaissance to identify financial access, payment platforms, and cryptocurrency assets to enable freight fraud and broader financial theft.  Reconnaissance specifically targeting fuel card services, fleet payment platforms, and load board operators was likely intended to enable transportation‑related crimes, including cargo theft.  Overview  In late February 2026, Proofpoint researchers executed a malicious payload from a threat actor targeting transportation organizations inside a controlled decoy environment operated by our partners at Deception.pro. While the environment did not represent a transportation carrier, it remained compromised for more than a month—offering rare, extended visibility into post‑compromise operations, tooling, and decision‑making.  Proofpoint previously documented this actor’s campaigns against trucking and logistics companies to facilitate cargo theft and freight fraud. In this case, the extended interaction revealed persistence through multiple remote management tools, the use of a previously unknown signing‑as‑a‑service capability designed to evade detection and suppress security warnings, and extensive post-compromise reconnaissance activity.   This reconnaissance focused on identifying financial access—such as banking, accounting, tax software, and money transfer services—as well as transportation‑related entities, including fuel card services, fleet payment platforms, and load board operators. The latter activity was likely designed to support crimes against the transportation industry, including cargo theft and related financial fraud.  A familiar actor, a new view  In November 2025, Proofpoint published research describing a threat actor leveraging compromised load boards to gain access to trucking companies, enabling freight diversion and cargo theft. While that research focused on initial access and target impact, opportunities to observe the actor’s post-compromise operations were limited.   This engagement changed that.  Following payload execution inside the Deception.pro environment in late February, the actor maintained access for more than a month. Their ensuing activity provided Proofpoint researchers with an unusually detailed view of post‑compromise tooling, scripting, reconnaissance behavior, and operator‑driven decision‑making.  Initial access and payload delivery  On February 27, 2026, after compromising a load board platform, the actor delivered a malicious payload via email to transportation carriers inquiring about fraudulent advertised loads. Load board platforms are online marketplaces that connect shippers and freight brokers with motor carriers by advertising available loads.  The payload consisted of a Visual Basic Script (VBS) file that, when executed:  Downloaded and executed a PowerShell script  Installed the ScreenConnect remote access tool  Displayed a decoy broker‑carrier agreement to mask malicious activity  Figure 1. Email content sent after responding to a fraudulent load posted on a load board.  Figure 2. Actor-controlled web page hosting a malicious VBS payload.  Establishing persistence with multiple RMM tools  Once access was established, the actor focused heavily on remote administration and redundancy.  Over the following month, the actor leveraged existing access to install:  Four separate ScreenConnect instances  Pulseway Remote Monitoring and Management (RMM)  SimpleHelp RMM  The use of multiple concurrent RMM platforms suggests deliberate redundancy designed to preserve access even if one tool is detected or disabled.  A previously unknown signing‑as‑a‑service capability  The fourth ScreenConnect instance, downloaded in late March, stood apart from earlier installations.  This installation chain began when the attacker used an existing ScreenConnect session to launch an initial PowerShell script. That script bypassed normal PowerShell controls, downloaded and executed a second‑stage PowerShell payload with parameters specific to the ScreenConnect installer, and then deleted itself to reduce forensic artifacts. The second‑stage script performed the core deployment using a third‑party signing‑as‑a‑service provider, which re‑signed ScreenConnect installers and components with a valid—but fraudulent—code‑signing certificate.  Specifically, the second‑stage script:   Built a ScreenConnect MSI download URL from the attacker’s ScreenConnect infrastructure hosted at amtechcomputers[.]net.  Submitted that MSI URL to an external signing service hosted at signer[.]bulbcentral[.]com  Polled the service until signing was completed  Downloaded the newly signed MSI from a separate, signer‑controlled URL hosted at services-sc-files.s3.us-east-2.amazonaws[.]com  Verified that the MSI’s Authenticode signature was valid  Silently installed the signed MSI on the system  After installation, the script optionally downloaded a ZIP archive from the same S3 infrastructure. This ZIP contained ScreenConnect component binaries (e.g., ScreenConnect.Client.exe) re‑signed with the same certificate used for the MSI. The script extracted these files and replaced the originally installed components—backing up existing files, stopping and restarting the ScreenConnect service as needed. This step eliminated ScreenConnect binaries signed with now‑revoked ConnectWise certificates and ensured that all installed components were uniformly signed with a certificate that Windows still treated as trusted.  In combination, these actions allowed the attacker to establish and maintain persistent remote access while actively circumventing certificate revocations, security warnings, and trust‑based endpoint controls. By laundering trust through an external signing service and replacing revoked vendor‑signed binaries, the attacker preserved long‑term, stealthy access and reduced the likelihood of user awareness or control‑based detection.  Proofpoint researchers collaborated with security researcher @Squiblydoo to analyze the signing service and successfully revoke the associated certificate:  SignerName: STEPHEN WHANG, CPA, INC.  ValidFrom 5:00 PM 12/23/2025  ValidTo 4:59 PM 12/24/2026  SerialNumber 38 4B 49 3A B7 6F AE 54 F8 3A E6 BF A8 7E 5C 10  Thumbprint D45D60B20006BC3A39AE1761CB5F5F5B067B4EE5  CertIssuer Sectigo Public Code Signing CA EV R36  Interactive hands-on-keyboard (HOK) post-compromise activity  With persistent access in place, the actor conducted hands‑on-keyboard activity and tooling execution:  Approximately three days after intrusion, the actor manually accessed the PayPal website through the user’s browser.  Eight days into the intrusion, the actor used ScreenConnect to execute a PyInstaller‑packed binary designed to scan for browser extension and desktop cryptocurrency wallets and exfiltrate positive findings to attacker‑controlled Telegram bots.  These actions indicate discretionary, operator‑driven targeting rather than purely automated malware execution.  Reconnaissance through PowerShell automation  During the intrusion, Proofpoint observed at least 13 PowerShell scripts executed by the threat actor which, collectively, focused on determining whether the compromised host belonged to a financially valuable user.  Script Capabilities:  Enumerate all local user accounts and browser profiles  Extract browsing history from Chrome, Edge, Firefox, and Chromium‑based variants  Copy locked browser databases to temporary locations  Identify hard‑coded URLs associated with banking, payments, logistics, fleet services, and accounting platforms  Exfiltrate metadata—such as hostname, browser type, profile counts, and match frequency—to attacker‑controlled Telegram bots  This telemetry provides the actor with rapid insight into a victim’s financial authority, payment access, and business role.  Consistent behaviors across scripts  Across multiple scripts, Proofpoint identified consistent behaviors:  Scanning browser history across all user profiles  Querying SQLite databases and performing binary pattern matching  Searching for access to specific logistics, payment, and financial services  Storing artifacts in hidden directories (e.g., C:\H)  Executing successfully under SYSTEM context  Sending summary results to Telegram for operator review  In one instance, creating delayed SYSTEM scheduled tasks to evade proxy controls  The scripts searched for indicators of access to the following platforms, among others:  U.S. financial institutions and banks  Money transfer services  Online accounting platforms  Interbank payment systems  Fleet fuel card and payment providers  Freight brokerage and load management platforms  The breadth of these targets strongly aligns with financially motivated theft, fraud, and cargo diversion operations tied to transportation workflows. In particular, targeting of fuel card services, fleet payment platforms, and freight brokerage systems indicates intent to enable crimes against the transportation industry, including freight diversion and cargo theft.  A final PowerShell script  In late March, the attacker ran an additional PowerShell script through ScreenConnect’s custom property feature to quietly collect endpoint intelligence and report it back to the attacker through the existing remote‑access channel. It enumerated installed antivirus software and checked for the presence of high‑value financial, tax, accounting, and cryptocurrency applications. The results were automatically returned to the attacker’s ScreenConnect console without generating separate network traffic or alerts.  Conclusion  This extended intrusion highlights how financially motivated threat actors targeting transportation organizations operate well beyond initial access, prioritizing persistence, reconnaissance, and credential harvesting to identify opportunities for financial exploitation across transportation and related financial platforms. Portions of this activity are also consistent with preparatory behavior observed in freight theft and cargo diversion operations.  Notably, the use of a signing‑as‑a‑service capability underscores a growing trend toward attacker use of legitimate trust mechanisms to evade detection.  For transportation, logistics, and freight organizations, these findings reinforce the importance of monitoring for unauthorized remote management tools, suspicious PowerShell activity, and abnormal browser telemetry associated with financial platform access.  Emerging Threats signatures  2049863 - SimpleHelp Remote Access Software Activity  2049805 - Simplehelp Remote Administration Suite HTTP Server Value in Response  2066799 - Kaseya Pulseway Domain in DNS Lookup (pulseway .s3-accelerate .amazonaws .com)  2066797 - Kaseya Pulseway RMM Domain in DNS Lookup (pulseway .com)  2066798 - Observed Kaseya Pulseway Domain (pulseway .com) in TLS SNI  2066800 - Observed Kaseya Pulseway Domain (pulseway .s3-accelerate .amazonaws .com) in TLS SNI  Indicators of compromise*  *First Uploaded to VirusTotal by Proofpoint  Indicator  Description  First Seen  1f89a432471ec2efe58df788c576007d6782bbdf5b572a5fbf5da40df536c9f5  SHA256  VBS Payload  2026-02-27  hxxps://carrier-packets-docs[.]com/FREEDOM_FREIGHT_SERVICES_CARRIERS_ONBOARDING.vbs  URL  VBS Staging  2026-02-27  hxxps://qto12q[.]top/pdf.ps1  URL  PowerShell Staging  2026-02-27  f4977bfeae2a957add1aaf01804d2de2a5a5f9f1338f719db661ac4f53528747  SHA256  ScreenConnect  2026-02-27  nq251os[.]top  Domain  ScreenConnect C2  2026-02-27  d9832d9208b2c4a34cf5220b1ebaf11f0425cf638ac67bf4669b11c80e460f58  SHA256  Pulseway RMM  2026-02-27  7f54cf5e2beb3f1f5d2b3ba1c6a16ce1927ffecd20a9d635329b1e16cb74fb14*  SHA256  ScreenConnect  2026-02-27  officcee404[.]com  Domain  ScreenConnect C2  2026-02-27  de30bb1e367d8c9b8b7d5e04e5178f2758157302638f81480ba018331a6f853e*  SHA256  ScreenConnect  2026-02-28  af124i1agga.anondns[.]net  Hostname  ScreenConnect C2  2026-02-28  b861e3682ca3326d6b29561e4b11f930f4a9f10e9588a3d48b09aa6c36a8ea80  SHA256  SimpleHelp  2026-02-28  147.45.218[.]0  Domain  SimpleHelp C2  2026-02-28  82d603c0b387116b7effdee6f361ca982c188de0c208e681e942300a0139c03f  SHA256  Cryptocurrency Wallet Stealer  2026-03-07  8a3d6a6870b64767ad2cc9ad4db728abf08bae84726b06be6cb97faac6c14ae4*  SHA256  ScreenConnect  2026-03-24  screlay[.]amtechcomputers[.]net  Hostname  ScreenConnect C2  2026-03-24  3dcb89430bae8d89b9879da192351506f4fdb7c67e253a27f58b3bf52101cd4c*  PowerShell Script  Signing Service  2026-03-24  signer.bulbcentral[.]com  Hostname  Signing Service  2026-03-24  services-sc-files.s3.us-east-2.amazonaws[.]com  Hostname  Signing Service  2026-03-24   

Mailbox rules in O365—a post-exploitation tactic in cloud ATO

13 April 2026 at 16:48
Key Takeaways  Mailbox rules are a high-risk post-exploitation tactic. Attackers abuse native mailbox rules for exfiltration, persistence, and communication manipulation. Combined with third-party services and domain spoofing, attackers can hijack threads, impersonate victims, and manipulate vendor communications, all without network-level interception.  It's more common than you think. Approximately 10% of compromised accounts in Q4 2025 had malicious mailbox rules created shortly after initial access.  Attackers use recognizable patterns. Malicious rules overwhelmingly use minimal, nonsensical names (., ..., ;) and favor actions like deleting messages, or moving them to rarely checked folders like Archive or RSS Subscriptions. Attackers are being lazy, confident they won't be detected, they put little thought into rule names, opting for quick, throwaway characters instead.  Persistence survives password resets. Forwarding and suppression rules remain active after credential changes, allowing continued data leakage as long as the rule exists.  Introduction  When was the last time you checked your mailbox rules?  In Microsoft 365 environments, attackers typically gain initial access through credential phishing, password spraying, brute-force, or OAuth consent abuse.  Once inside, adversaries focus on persistence and stealth rather than immediate disruption. Instead of deploying malware or C2 infrastructure, they abuse native platform features to operate undetected under the compromised identity.  One especially effective technique for maintaining persistence is creating malicious mailbox rules. While mailbox rules are designed to help users organize email, attackers leverage them to delete, hide, forward, or mark messages as read, silently controlling email flow without alerting the victim.  Why Attackers Abuse Mailbox Rules  Mailbox rules provide stealth, automation, and persistence using built-in M365 functionality, enabling several attacker objectives:  Covert Data Exfiltration:  Attackers create forwarding or redirection rules to automatically send copies of emails to external, attacker-controlled mailboxes, often using specific keywords ("invoice", "wire", "contract") or senders to collect high-value data while minimizing noise. Alternatively, emails are moved to obscure folders (Archive, RSS Feeds, or hidden folders) for periodic review without triggering forwarding indicators.  Victim Deception and Email Suppression:  Rules that delete, mark as read, or relocate messages hide security alerts, password reset emails, MFA notifications, suspicious replies, and third-party service registrations that could expose attacker activity. This manipulates the victim's perception of their own mailbox, buying attackers time to deepen their foothold or complete fraudulent operations.  Persistence Without Malware:  Auto-forwarding rules maintain visibility into a mailbox even after password changes. As long as the rule persists, information continues to leak, and creating a cloud-native persistence mechanism.  Man-in-the-Middle-Like Behavior:  By routing specific correspondence to hidden folders, attackers position themselves within communication channels to:  Intercept messages from vendors, partners, or clients before the victim sees them.  Impersonate the mailbox owner or inject themselves into existing message threads.  Suppress replies and notifications revealing fraudulent activity.  Control the narrative by selectively showing or hiding messages to both parties.  Unlike traditional MITM attacks requiring network positioning, this achieves similar outcomes using legitimate platform features. The victim communicates normally, unaware that high-value conversations are being silently intercepted and manipulated, giving attackers significant tactical advantage with a low detection profile.  Malicious Rule Creation Statistics  Analysis of compromised accounts consistently shows that mailbox rule abuse is not an edge case, but a frequent post-exploitation activity. During Q4 2025 approximately 10% of compromised user accounts had at least one malicious mailbox rule created shortly after initial access. The minimal time of mail rules creation after an ATO is around 5 seconds.  Most Common Rule Names Observed:  Attackers rarely use descriptive or human-readable names for malicious rules. Instead, they favor short, generic, or visually inconspicuous strings. This happens because attackers are often overconfident they won't be detected, allowing themselves to be lazy.  The most frequently observed rule names were:   ‘.’ (16%)   ‘...’ (8.5%)   ‘..’ (8%)   ‘;’ (6%)   ‘;;;’ (4%)  Figure 1: Rule creation example in Microsoft Outlook.  Most Common Rule Actions:  The most commonly observed actions in mailbox rule creation include:  Delete messages from certain senders or containing certain words.  Move messages to ‘Conversation History’ folder  Move messages to ‘Archive’ folder  Why Attackers Use Minimal or Nonsensical Rule Names:  Low Effort, Low Risk:  Attackers are often rushed or overconfident, investing minimal effort into naming convention given mailbox rules have historically low detection rates and are rarely reviewed.  Several factors may explain shared rule naming across different attackers. Public post-exploitation tools, phishing kits, and PhaaS platforms often use hardcoded default names or identical templates when programmatically creating rules across victims and operators. Additionally, BEC guides and code snippets circulated on forums and dark web marketplaces get copied and reused, including rule names. Even without shared tooling, attackers can independently arrive at similar names driven by the same minimal-effort logic.  Example Scenarios  Payroll Fraud  The following scenario illustrates how attackers combine mailbox rule abuse with internal phishing to execute a targeted payroll fraud attempt, while remaining largely invisible to the affected users.   Initial Compromise and Rule Creation  In this incident, the first compromised account belonged to a user with the title ‘Accounting Specialist’. Shortly after access was obtained, the attacker created a mailbox rule named ‘...’. Its logic was simple: Any email with the subject containing “FW: Payment Receipt” was automatically moved to the Archive folder. This subject line would later be used in the attacker's internal phishing campaign, with the rule designed specifically to suppress any warning replies or suspicious activity reports about that phishing email.  Internal Phishing:  With control over the first mailbox, the attacker launched an internal phishing campaign targeting 45 additional users within the same organization using the subject "FW: Payment Receipt". The phishing email was deliberately minimal:  The email body was empty  An attachment was included  The sender’s email signature had been subtly modified  Because the email originated from a legitimate internal account and used a familiar signature, it bypassed many user suspicion checks and traditional email security controls.  Secondary Compromise:  Among the recipients was the Assistant to the CEO, a role with visibility into sensitive business and payroll-related communications.  After opening the phishing attachment, this second account was also compromised. As with the first account, the attacker immediately established post-exploitation control by creating a mailbox rule again named ‘...’. This rule moved any email with the subject containing “Payroll enrollment” to the Archive folder, effectively suppressing payroll-related visibility for the victim.  An email with the subject “Payroll enrollment” was sent from the compromised Assistant to the CEO account to the company’s payroll specialist. The message attempted to initiate a fraudulent payroll-related action. At this stage, mailbox rules played a critical role in the attack’s success. They ensured that:  Replies or clarification requests were hidden  Security alerts were suppressed  Victims remained unaware of ongoing misuse of their accounts  The entire attack chain operated within Microsoft 365 using legitimate functionality, demonstrating why mailbox rules must be treated as a high-risk post-exploitation signal rather than a benign productivity feature.  Email Hijacking and Thread Manipulation  The following scenario demonstrates how attackers use mailbox rules in combination with third-party email services to create a man-in-the-middle-like environment entirely within email communications, enabling sophisticated business email compromise (BEC) without requiring persistent account access.  Initial Compromise and Suppression Rule  After the initial user account was compromised, the attacker created a malicious mailbox rule named '....'. The rule's logic targeted a specific email service: any email with a 'From' address containing the word 'zoho' was automatically moved to the 'RSS Subscriptions' folder. This folder, typically used for automated feed updates, is rarely checked by users, making it an ideal location for hiding attacker-controlled correspondence.  Abusing Third-Party Email Services for Infrastructure  Zoho offers a service that allows businesses to register custom email domains and create professional email addresses. The attacker leveraged the compromised user's business email to register for this service, creating a custom email account under the attacker's control. Because the mailbox rule was already in place, all verification emails and correspondence from Zoho were automatically hidden in the 'RSS Subscriptions' folder. The attacker retrieved verification codes and completed account setup without the victim's awareness.  Figure 2: Zoho Verification Code.  Domain Spoofing via Homoglyph Registration  Using the Zoho platform, the attacker registered a domain employing a homoglyph attack to closely mimic the legitimate tenant name. They then created the email account '[user_name]@[tenant_name]0.com' (note the number zero instead of the letter 'O'). They also configured an alias email address using the same spoofed domain structure. These nearly identical addresses were designed to appear legitimate in email threads, especially when viewed quickly or on mobile devices.  Figure 3: New spoofed email address add to the account.  Thread Hijacking and Fraudulent Communication  The attacker identified an existing payment request thread between the compromised tenant and third-party vendor. Rather than initiating a new conversation, which might raise suspicion, they hijacked the legitimate thread. Using the fake email addresses created via Zoho, the attacker added these spoofed addresses to the CC field, lending false authenticity to the correspondence.  The attacker sent a message inquiring about the status of a transaction. The vendor replied stating that the transaction had already been completed approximately one week prior. At this point, the attacker lost access to the compromised tenant account a few days later, after it was suspended and the password was changed following our alert to the customer.  Presumed Attack Continuation and Persistent Risk  Based on the established infrastructure and communication pattern, the primary assumption is that the attacker's plan was to claim that funds were never received and request a duplicate payment to the attacker-controlled account. Although access to the original mailbox was lost, the fake Zoho-based email address likely remains active. This creates a persistent risk: the attacker may continue the scam independently from the external spoofed account, leveraging the hijacked email thread's perceived legitimacy and the vendor's prior engagement.  This scenario illustrates a form of email-based man-in-the-middle activity conducted entirely within the application layer, where mailbox rules suppress detection, third-party platforms provide infrastructure, and thread hijacking establishes social proof, all without requiring continuous access to the compromised environment.  University Account Takeover and Mass Spam Operations  The following scenario illustrates a distinctly different attacker motivation and operational pattern. Unlike targeted business email compromise, where stealth and precision are paramount, university account compromises often involve complete mailbox takeover with little regard for detection, prioritizing volume and speed over sophistication.  Unconditional Mailbox Isolation  In university environments, compromised accounts frequently exhibit mailbox rules with a defining characteristic: they are unconditional. Rather than targeting specific senders, keywords, or subject lines, these rules apply blanket actions to all incoming email. The most common configurations observed include:  Delete all incoming messages   Move all incoming messages to obscure folders (e.g., Archive, RSS Subscriptions, Deleted Items)   Mark all incoming messages as read and move them out of the Inbox  The purpose is not selective suppression of security alerts or vendor communications. Instead, the goal is total mailbox isolation, completely severing the legitimate user's ability to receive any email whatsoever.  Operational Objectives: Mass Spam Distribution  Unlike BEC attackers, who craft narrowly scoped rules to intercept only emails from impersonated vendors or replies to specific phishing threads, university account attackers prioritize mass email distribution. Once the mailbox is isolated:  The attacker gains unrestricted control over outbound communications.  The legitimate user is unaware of incoming warnings, bounce-backs, or abuse reports.  The compromised account is used to send high-volume spam or phishing campaigns, often targeting other students, faculty, or external contacts.  This approach sacrifices stealth for operational efficiency. Attackers are aware that the account will likely be detected and disabled, but the short window of access is sufficient to distribute thousands of malicious emails before institutional security teams respond.  Common Fraud Schemes Targeting University Communities  University environments are particularly vulnerable to specific fraud schemes that exploit the academic community's characteristics. Attackers commonly distribute fake job postings targeting students seeking internships or part-time work, scholarship scams requesting upfront fees or personal information, and fraudulent marketplace listings advertising electronics, textbooks, or other items at suspiciously low prices. These schemes are effective because they align with legitimate student needs and often circulate during high-activity periods like semester start dates or graduation season. The compromised institutional email address lends false credibility to these scams, as recipients are conditioned to trust communications originating from .edu domains.  Figure 4: University fake job scam example.  Targeting Dormant and Abandoned Accounts  While active student and faculty accounts are frequently compromised, attackers also target dormant accounts, those belonging to former students, retired faculty, or staff who have left the institution, but whose accounts were never properly deactivated. These accounts present an attractive target for several reasons:  Weaker security posture: Dormant accounts often predate current security policies, lacking MFA enforcement, modern password requirements, or conditional access protections that have since been implemented for active users.  Absence of monitoring: Security teams typically focus monitoring efforts on active accounts where user behavior can be baselined. Dormant accounts generate no legitimate activity, meaning any authentication or mailbox rule creation may go entirely unnoticed.  Delayed detection: Because no legitimate user is actively checking these mailboxes, there is no one to notice suspicious emails, password reset notifications, or warning messages. Attackers can operate from these accounts for weeks or months before discovery.  Why Universities Are Targeted for This Tactic  Several factors make university environments attractive for mass spam operations:  Large contact lists with trusted relationships across academic and administrative networks.  Institutional email addresses carry inherent legitimacy, improving phishing success rates.  Historically lower security posture compared to enterprise environments, including weaker MFA adoption and limited mailbox rule monitoring.  High user turnover and decentralized IT management can delay detection and response.  Organizations should recognize that mailbox rule abuse is not a monolithic technique. Detection and response strategies must account for both sophisticated, low-and-slow BEC operations and aggressive, high-volume spam campaigns, each exhibiting distinct behavioral patterns in rule creation and usage.  Attacker Automation and Tools  Mailbox rules do require manual but not time-intensive effort from attackers. In practice, the creation of malicious mailbox rules across multiple compromised accounts can be fully automated, allowing attackers to scale their operations from individual targets to enterprise-wide campaigns with minimal effort.  The Reality of Bulk Rule Deployment  Attackers used to manually create each rule for each compromised account. Modern attack frameworks leverage Microsoft Graph API, Exchange Online PowerShell, and direct API calls to programmatically create, modify, or delete mailbox rules across dozens or hundreds of accounts simultaneously. Once an attacker has obtained valid session tokens or credentials, the technical barrier to mass rule deployment is extremely low.  This automation capability transforms mailbox rule abuse from a targeted, precision technique into a scalable, repeatable attack pattern. A single attacker with basic scripting knowledge can compromise multiple accounts through phishing and immediately establish persistence mechanisms across all of them within minutes.  ATOLS: Demonstrating the Ease of Automation  To demonstrate the potential risks and ease of how accessible and dangerous this automation capability has become, Proofpoint researchers created ATOLS (Account Take Over Live Simulation) a fully functional tool that demonstrates the simplicity with which attackers can execute these operations at scale.  ATOLS operates through the following workflow:  Phishing Infrastructure Setup: Via VPN for anonymity, ATOLS generates a phishing URL (with the help of an external phishing kit) that mimics legitimate Microsoft 365 login pages.  Session Token Theft: The phishing link is delivered to target users via email or through compromised third-party applications (3PA). Rather than simply capturing username and password combinations, the reverse proxy captures the session cookie/token generated after successful authentication. ATOLS uses the captured session cookie. This cookie provides immediate, authenticated access to the user's Microsoft 365 environment without triggering additional MFA challenges.  Automated Malicious Actions: Once the session token is obtained, ATOLS automatically creates a malicious mailbox rule with a name and logic specified by the operator.  Post-Exploitation: ATOLS can optionally perform additional post-exploitation actions such as enumerating contacts, accessing SharePoint, or pivoting to other connected services.  Mitigation  Preventive Controls  Strong preventive measures significantly reduce both the likelihood and impact of mailbox rule abuse:  Disable External Auto-Forwarding: Block automatic forwarding to external addresses in Exchange Online by default, disrupting one of the most common exfiltration and persistence mechanisms.  Enforce Conditional Access Policies: Require MFA, restrict access by device compliance and location, limit legacy authentication, and apply risk-based controls to reduce phishing, password spraying, and token replay success.  Monitor OAuth Grants and Consent Changes: Track new OAuth app registrations, consent grants, and permission changes, especially involving Mail.Read, Mail.ReadWrite, or offline_access scopes, to detect persistent passwordless access.  Incident Response Steps  When malicious mailbox rules are identified, focus on containment, eradication, and access revocation:  Remove Malicious Rules: Delete all unauthorized inbox rules and verify no additional hidden or conditional rules remain.  Revoke Sessions and Reset Tokens: Invalidate active sessions and refresh tokens to eliminate persistent access that survives password changes.  Review Sign-In Activity: Analyze Entra ID logs for suspicious IPs, unfamiliar user agents, anomalous locations, or risky authentication events preceding rule creation.  Audit OAuth Applications: Remove unrecognized or overly permissive apps with mailbox access and revalidate consent for legitimate ones.  These steps should be treated as mandatory, even if mailbox rules appear to be the only visible indicator of compromise.  [Disclaimer]  Third‑party product names, logos, and brands are the property of their respective owners. References to third‑party services (e.g., Microsoft 365/Outlook, Zoho Mail) are for identification only and do not imply endorsement or affiliation.     

I’d come running back to EU again: TA416 resumes European government espionage campaigns

1 April 2026 at 21:52
Key findings From mid-2025 onwards, the China-aligned threat actor TA416 resumed observed targeting of European government and diplomatic organizations following a period of reduced EU-focused activity in our telemetry. This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries. In March 2026, Proofpoint also observed TA416 expand targeting to include diplomatic and government entities in the Middle East in the weeks following the outbreak of conflict in Iran. Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload. TA416 most directly overlaps with public reporting on RedDelta, Red Lich, Vertigo Panda, SmugX, and DarkPeony. Overview In 2022, Proofpoint reported on high-volume TA416 activity targeting European governments, which increased sharply as Russian troops began amassing on the border of Ukraine. This high operational tempo of TA416 campaigns against European government targets continued until mid-2023, when the group shifted targeting away from Europe. From mid-2023 until mid-2025, Proofpoint observed minimal TA416 targeting within Europe, with the group mostly active across Southeast Asia, Taiwan, and Mongolia during this period. Since mid-2025, TA416 resumed regular targeting of European government and diplomatic entities. This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU. TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit. In March 2026, following the outbreak of the Iran war, TA416 conducted multiple campaigns targeting a wide range of diplomatic and government entities in the Middle East, a region not traditionally regularly targeted by this threat actor. This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war. This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict. From mid-2025 to early 2026, TA416 conducted both broad web bug and malware delivery campaigns. The TA416 web bug campaigns used freemail sender accounts and a range of thematic lures, such as Europe sending troops to Greenland, to perform delivery and engagement reconnaissance. A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target. Malware delivery campaigns used both attacker-controlled freemail accounts and compromised government and diplomatic mailboxes to send links to malicious archives hosted on Microsoft Azure Blob Storage, actor-controlled domains, Google Drive, and compromised SharePoint instances. During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group's customized PlugX backdoor via DLL sideloading triads. Initial access techniques evolved from using fake Cloudflare Turnstile challenge pages that gated access to ZIP archives, to abuse of Microsoft Entra ID third‑party applications that redirected users to attacker-controlled malware delivery domains, and finally to archives containing a renamed Microsoft MSBuild executable and malicious C# project files. In each case, TA416 relied on either ZIP smuggling using Microsoft shortcut (LNK) files or CSPROJ-based downloaders to deliver a signed executable, malicious DLL, and encrypted payload triad that ultimately loaded PlugX into memory. Delivery: widespread web bug campaigns targeting EU diplomatic entities Figure 1: TA416 “humanitarian concerns” web bug phishing email from July 2025. TA416’s renewed targeting of European government entities commenced one day after the 25th EU–China summit with a series of web bug campaigns targeting diplomatic missions to the EU across many European countries. In late July and early August 2025, TA416 sent over 100 phishing emails containing web bugs from the following Gmail email addresses: emmeline.voss@gmail[.]com kordula.wehrli@gmail[.]com kayden.beaufort@gmail[.]com The group used multiple lure topics such as urgent humanitarian concerns, requests for interviews, and proposals for collaboration. These web bug campaigns were likely conducted for reconnaissance purposes to track delivery and engagement to inform follow-on malware delivery attempts. Proofpoint observed the following URL formats used in these campaigns, with each email including a unique image filename: hxxps://welnetsanda[.]org/images/upload/logo.png/{UniqueID}.png hxxps://phpthemes[.]net/images/upload/eu.png/{UniqueID}.png hxxps://phpthemes[.]net/images/upload/{UniqueID}.png In January 2026, Proofpoint observed TA416 send another widespread wave of web bug phishing emails to European government entities, this time using an article taken from the London School of Economics website titled ‘It is time for Europe to send “tripwire” troops to Greenland.’ These emails also contained unique URLs that redirected to this news article if clicked. This was likely included as an additional method of reconnaissance, given many modern email clients and applications disable external image download by default, diminishing the efficacy of web bugs. Both the web bug and link included in the email used the infrastructure associated with TA416 domain speedifynews[.]com. Figure 2: TA416 Greenland-themed web bug phishing email campaign from January 2026. Delivery: malware campaigns targeting EU diplomatic entities In late September 2025, Proofpoint observed TA416 conduct multiple malware delivery campaigns targeting European ministries of defense and ministries of foreign affairs. This targeting predominantly focused on individuals assigned to NATO missions and delegations. In one instance, TA416 used a likely compromised account belonging to a European armed forces organization to send the phishing emails. In another, the group used a compromised email address from a Southeast Asian diplomatic entity. Proofpoint has observed TA416 abusing compromised accounts from this same Southeast Asian entity to conduct phishing campaigns on multiple occasions throughout 2025 and 2026. The infection chains observed in these campaigns have been covered extensively in public reporting by StrikeReady and Arctic Wolf. Figure 3: TA416 February 2026 spearphishing email spoofing Icelandic Ministry of Foreign Affairs. In January and February 2026, TA416 again conducted a series of malware delivery campaigns targeting numerous European government organizations, with later campaigns focusing on targeting individuals or mailboxes associated with diplomatic missions to the EU and Taiwan. Most of these phishing emails were sent via the Gmail accounts office2000005@gmail[.]com and hsuhalingaye26@gmail[.]com and spoofed various diplomatic entities. A smaller subset was sent via likely compromised accounts associated with the interior ministry of a European country and a Southeast Asian ministry of foreign affairs. Delivery: post-conflict expansion to Middle East targeting In mid-March 2026, Proofpoint observed TA416 conduct multiple campaigns targeting government and diplomatic entities within the Middle East. Historically, this region has not been regularly targeted by TA416, and this expansion in targeting was very likely driven by the outbreak of the war in Iran. One campaign conducted on 16 March 2026 used a compromised Syrian Ministry of Foreign Affairs and Expatriates account to send a phishing email concerning energy infrastructure in Iran, which was sent to a wide range of embassies located across multiple Middle Eastern countries. Figure 4: TA416 March 2026 spearphishing email using Iranian energy infrastructure lure. Shifting infection chains: all roads lead to PlugX The following section examines how TA416's infection chains have evolved over recent months while maintaining core elements of the group's longstanding tradecraft. Figure 5: Evolving TA416 infection chain from September 2025 to March 2026. Some components of TA416’s Tactics, Techniques, and Procedures (TTPs) remain consistent after many years. This includes the continued use of compromised diplomatic email accounts, web bug reconnaissance campaigns, and DLL sideloading triads to deploy a custom PlugX variant, all of which align with previous Proofpoint reporting on this threat actor in 2022. Despite this, TA416 continues to regularly evolve and innovate. The group regularly adapts the early stages of its infection chains and integrates new defense evasion and anti-analysis features into a custom PlugX variant. Between September 2025 and March 2026, Proofpoint observed TA416 employing multiple different initial infection chains that all ultimately lead to this customized PlugX variant. September 2025 – January 2026: Fake Cloudflare Turnstile challenge pages Beginning in September 2025, TA416 began employing fake Cloudflare Turnstile challenge pages impersonating login.microsoftonline[.]com hosted on Microsoft Azure Blob Storage sites. Early variations used a real Turnstile widget, which is used to redirect the target to a ZIP archive hosted on the same Microsoft Azure Blob Storage site when the checkbox is clicked and a Turnstile token is returned, though this token is not validated at any point. The user is redirected to a payload URL that is obfuscated within the page source code using character code arrays, as noted in StrikeReady reporting. Figure 6: Fake Cloudflare Turnstile challenge landing page used by TA416. Later variations instead redirected the user from the fake Cloudflare Turnstile challenge page to an attacker-controlled domain, with the returned Turnstile token appended as a URL parameter. This allows the threat actor to validate the Turnstile token server-side to impede automated analysis, before redirecting to a direct download of a ZIP archive, again hosted using Microsoft Azure Blob Storage. Figure 7: Redirection logic employed in later variations of fake Cloudflare Turnstile challenge landing page used by TA416. The downloaded archives in these infection chains all use a ZIP smuggling technique to hide the next stage file within the ZIP structure. The ZIP files contain a single Microsoft shortcut (LNK) file that runs an embedded PowerShell command to search for the parent ZIP, then carve an MSI or TAR file from the ZIP using either a byte marker or hardcoded offset, and execute either the MSI or a DLL sideloading executable contained within the TAR. In all cases, this leads to a DLL sideloading triad loading PlugX. While Proofpoint has not observed the use of these fake Cloudflare Turnstile pages in our telemetry since November 2025, submissions to third-party malware repositories in January 2026 suggest the group is continuing to use this technique selectively. December 2025 – January 2026: Microsoft OAuth redirect abuse In December 2025, TA416 began abusing third-party Microsoft Entra ID cloud applications to trigger redirects leading to direct downloads of malicious archives. In this infection chain, the group registers a third-party application in Entra ID and configures its redirect URI to point to an attacker-controlled domain hosting the malicious payload. TA416 phishing emails using this technique contain a link to Microsoft's legitimate OAuth authorization endpoint, crafted with parameters that suppress user interaction and force an authorization failure. When clicked, the user is redirected to the application's registered redirect URI, resulting in a direct download of the malicious archive with no user interaction. Proofpoint has previously reported on similar techniques used to perform redirection, which allow threat actors to bypass URL reputation checks and email security filters by ensuring the initial link points to a trusted Microsoft domain. The inclusion of a trusted Microsoft URL is also more likely to appear legitimate to targeted users. Figure 8: Example of Microsoft OAuth redirect technique employed by TA416. An example of a URL observed in a TA416 phishing email is shown above. In this case, the client_id refers to the attacker-controlled third-party application, the scope is set to a nonexistent value (scope=invalid) to deliberately trigger an authorization failure, and prompt=none is set to suppress user interaction. As the URL does not include a redirect_uri value, it defaults to the redirect URI configured on the application registration. This deliberately triggers an interaction_required error, and the user is redirected to a predetermined URL where TA416 has staged a direct download of a malicious ZIP archive. Proofpoint observed TA416 using a different state value for each target, likely to allow the use of unique URLs within each email and to easily correlate payload downloads with targets. The downloaded ZIP archives delivered through these infection chains use the same previously described ZIP smuggling technique to load PlugX. Microsoft published a report in March 2026 on the use of this redirection technique by TA416 and other threat actors. February 2026: use of MSBuild and C# project files Beginning in February 2026, Proofpoint observed TA416 adapt its initial infection chain once again in campaigns linking to archives hosted on Google Drive or a compromised SharePoint instance. In this case, the downloaded archives contained a legitimate Microsoft MSBuild executable renamed as a lure filename, alongside a malicious C# project (CSPROJ) file. Figure 9: Archive containing renamed MSBuild executable and malicious C# project file. When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it. In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL sideloading triad from a TA416-controlled domain, saving them to the user's temp directory, and executing a legitimate executable to load PlugX via the group's typical DLL sideloading chain. The CSPROJ samples observed by Proofpoint were highly similar, with only the Base64-encoded URLs swapped out. The presence of slightly modified comments before these encoded URL variables within each sample, such as Base64-encoded URLs with separate endpoints and Base64-encoded URLs with new endpoints, suggests that these CSPROJ files may have been created or altered with the assistance of an LLM. Figure 10: Excerpt of C# project file showing example of comments preceding Base64-encoded URL variables. TA416 tweaks PlugX sideloading chain While the overall DLL sideloading triad delivery mechanism has remained consistent for several years, TA416 regularly changes the PlugX payload loading chain, in particular the DLL loader, payload obfuscation, and sideloading executable used. Between September 2025 and March 2026, Proofpoint observed the following signed executables being abused by TA416 to load PlugX. Filename SHA256 cnmpaui.exe 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 steam_monitor.exe 8c0051a83b3611ff2b669b670aa005633f3d9e844454a112b31d2a4bc944a234 ABRemove.exe 6b363e0f16fc5a612bd98631e7cdc4f68a95329e92c21ef0495c9117b8b8f360 Avk.exe 8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99 ErsChk.exe bc8b022c10bcab39da302446b0a50988de94607c7e724f2051578e8ed2f8bbe7 CNMNSST2.exe 53086e3b557a1d21cf7f4ffc73d92c39b08872334a8cdb09dda0a06bd060cfe9 Figure 11: Signed executables vulnerable to DLL sideloading abused by TA416 between September 2025 – March 2026. In the latest observed variants in March 2026, TA416 used a signed Canon executable CNMNSST.exe to sideload a malicious loader DLL named CNCLID.dll. The loader DLL uses DJB2 API hashing to dynamically resolve Windows API functions and execute a payload file Canon.dat as shellcode, which decodes the PlugX payload. The loader and payload code and data are obfuscated using techniques such as API hashing, junk code, and control-flow flattening. For persistence, the DLL sideloading triad is copied to the directory C:\Users\Public\Canon and a Run registry key Canon is created to run CNMNSST.exe upon startup. Overview and updates in C&C protocol The PlugX payload establishes C&C communications over HTTP using an RC4-encrypted binary protocol. Prior to initiating network activity, the malware performs several initialization steps to generate host identifiers and applies anti-analysis checks. The client initiates communication to the C&C server by sending an HTTP GET request. The server responds with application/octet-stream data that serves as the RC4 encryption key for the subsequent exchange. The client creates a SYSINFO structure containing information on the infected host; RC4 encrypts it using the key received in the previous step; and sends it to the server inside an HTTP POST request body. The SYSINFO structure is as follows: Field Description is64bit Whether the host runs a 64-bit OS dwMajorVersion OS major version dwMinorVersion OS minor version dwBuildNumber OS build number wServicePackMajor Service pack major version wServicePackMinor Service pack minor version wSuiteMask OS suite mask user_name Current username computer_name Computer name id Campaign/victim identifier ip_address Host IP address Figure 12: PlugX SYSINFO system reconnaissance structure. The server then replies with RC4 encrypted data that contains the command and its parameters. Currently, the following list of commands are available: Command Description 0x00000002 Outgoing system information beacon (SYSINFO structure) 0x00001005 Uninstall — deletes autorun registry keys and drops a self-delete batch file 0x00001007 Adjusts reconnect_interval and connection_timeout parameters 0x00003004 Downloads a new payload set (EXE, DLL, DAT) and executes the sideloading binary 0x00007002 Opens a reverse command shell Figure 13: List of available PlugX commands. In older variations seen prior to December 2025, the C&C HTTP requests include four custom headers that mimic the Fetch metadata specification: Sec-Fetch-Dest: <random_string> If-None-Match: <system_token> Sec-Fetch-Site: none Sec-Fetch-Mode: cors The If-None-Match header carries a host-generated hex token, while the Sec-Fetch-Dest value is randomized per request. In this older C&C protocol, the HTTP URI used the following predictable pattern: A base endpoint selected randomly from a fixed set: /upload /download /developer /help/? /api/v1/resource /user/profile /settings /i/bookmark A timestamp parameter appended: ?t=<unix_timestamp> A variable number of randomly generated key-value pairs This led to URI values such as /api/v1/resource?t=1760970011&1Tr=askZVyeahfE00bt4&d9=e8cAQ4T&vE8=uUlMYYuJ&S=zMLY3z. Figure 14: Older PlugX variant HTTP C&C traffic. In the updated variants first seen in December 2025, the group updated this C&C protocol, likely to evade network-based detections. In the new variation, the Sec-Fetch-Dest, If-None-Match, Sec-Fetch-Site, and Sec-Fetch-Mode custom headers are no longer sent. Instead, a 16-character host token is embedded within a Cookie header, surrounded by randomly generated cookie key-value pairs. Additionally, the use of hardcoded base URI endpoints is removed, with the full URI path now randomly generated. Figure 15: Newer PlugX variant HTTP C&C traffic. Updates in config encryption The PlugX payload C&C parameters (C&C domains or IP addresses, campaign identifiers, mutex names, install paths, and decoy document metadata) are stored in an embedded configuration blob that is RC4-encrypted. The encryption scheme and internal structure of this configuration have evolved in more recent variations such as those seen in February 2026, with the newer variant introducing additional hardening to the configuration encryption and now employing two layers of obfuscation. After RC4 decryption of the outer blob, individual string fields such as C&C domains, mutex names, and campaign identifiers are then independently decoded using a rolling XOR. Variable Value RC4 key anMgFtsFCvA Decoy Size 41671 Decoy Filename Meeting invitation.pdf Mutex Name dGcEuQhKT Campaign ID msbuild Install Directory %public%\GData Decoy Directory %temp% C&C ombut[.]com:443, ombut[.]com:443, ombut[.]com:443 Figure 16: Example of decrypted PlugX configuration from February 2026 campaign. Infrastructure analysis In recent years, TA416 has shifted its infrastructure procurement TTPs and now almost exclusively uses a steady supply of re-registered, formerly legitimate domains for C&C, malware delivery, and web bugs, often first using domains within days after re-registering them. This tactic of purchasing previously legitimately used domains is likely an effort to evade domain reputation-based heuristics. The group typically also uses the Cloudflare Content Delivery Network (CDN) to obscure backend hosting IP addresses used for malware delivery and C&C. Figure 17: Timeline of TA416 C&C domain first sightings (July 2025-March 2026). TA416 has heavily favored use of the virtual private server (VPS) providers Evoxt Enterprise (AS149440), XNNET LLC (AS6134), and Kaopu Cloud HK Limited (AS138915) throughout 2025 and 2026. The group also typically deploys minimal fake websites on its C&C domains, likely to hinder signaturing and tracking efforts and to make these domains appear legitimate. Figure 18: Example of fake websites hosted on TA416 C&C domains (example shown is ombut[.]com). Attribution – what even is Mustang Panda anyway? In recent years, the Mustang Panda moniker within public threat intelligence reporting has become increasingly opaque and difficult to disentangle. Generally, Proofpoint tracks what is commonly publicly referred to as Mustang Panda under two primary clusters: TA416 (covered within this report) and a second group tracked under the temporary designator UNK_SteadySplit. Within Proofpoint’s visibility, UNK_SteadySplit has been active since at least 2022, with related open-source activity dating back to at least 2019. UNK_SteadySplit is a user of the custom TONESHELL and PUBLOAD malware families, alongside multiple other first-stage malware families delivered in phishing campaigns. Since the beginning of 2025, Proofpoint has predominantly observed UNK_SteadySplit targeting government, hospitality, and technology organizations in South and Southeast Asia, with a particular focus on Myanmar and Thailand. Within Proofpoint's telemetry, the group exclusively uses freemail senders and typically employs much more simplistic infection chains than TA416, most often delivering an archive containing a DLL sideloading pair downloaded from a cloud storage service. The table below highlights some of the key similarities and differences between the two clusters, as observed within Proofpoint’s visibility.   TA416 UNK_SteadySplit Targeting European government and diplomatic entities Southeast Asian and Mongolian government and healthcare organizations Five Poisons targeting Government, insurance, hospitality, technology, and energy organizations in South and Southeast Asia Capabilities Customized PlugX variant Heavy obfuscation and use of control flow flattening PUBLOAD TONESHELL Various custom first stage loaders Minimal obfuscation Regular inclusion of Easter egg strings and recurring PDB path patterns Recurring use of FakeTLS C&C protocols Infection Chain Use of both freemail and compromised government sender email addresses Varied infection chains, including use of: MSC files HTA files LNK files with Zip Smuggling Fake Cloudflare Turnstile challenge pages CSPROJ files Microsoft OAuth redirection abuse DLL sideloading triads Updates DLL sideloading executable every 1-2 months Exclusive use of freemail sender email addresses Archive download from cloud hosting site (e.g. Google Drive) Archive typically contains a DLL sideloading pair with lure filename More frequent rotation of DLL sideloading executable than TA416, with minimal overlap in sideloading executables Infrastructure Mostly uses domains for C&C Heavy usage of Cloudflare CDN Re-registers former legitimate domains Favors Evoxt Enterprise (AS149440), XNNET LLC (AS6134), and Kaopu Cloud HK Limited (AS138915) Mostly uses raw IP addresses for C&C Varied hosting providers, no overlaps in providers favored by TA416 Lure themes Geopolitical events and diplomatic communications Meeting invitations Conference invitations Geopolitical events and diplomatic communications Fake job promotions Hotel room bookings Hotel association and lifestyle benefits offers Meeting minutes and notes Figure 19: Similarities and differences between TA416 and UNK_SteadySplit clusters. As noted in previous reporting by Trend Micro in 2022, there are historical technical overlaps between TA416 and UNK_SteadySplit activity, most directly via the presence of a UNK_SteadySplit TONESHELL C&C IP address within a filepath seen in two LNK files used in TA416 campaigns. It is therefore likely that some form of organizational, personnel, or hierarchical link exists or existed between TA416 and UNK_SteadySplit. However, currently Proofpoint is unable to assess the nature of this relationship, and we have not observed similar overlaps in recent years. From Proofpoint’s perspective, both clusters appear operationally distinct and use different tooling, TTPs, and infrastructure to conduct different targeting. Based on an analysis of public research and discussions with industry partners, Proofpoint believes the following most accurately reflects the clustering overlaps between TA416, UNK_SteadySplit, and related groups tracked by other vendors: TA416 UNK_SteadySplit TA416 and UNK_SteadySplit combined Vertigo Panda RedDelta Red Lich UNC6384 SmugX DarkPeony Mustang Panda (CrowdStrike) CerenaKeeper Red Ishtar Twill Typhoon Temp.HEX Earth Preta Stately Taurus HoneyMyte Hive0154 Figure 20: Overlaps between TA416, UNK_SteadySplit, and related groups tracked by other vendors. Conclusion TA416's shift back to European government targeting in mid-2025, following two years of focus on Southeast Asia and Mongolia, is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomacy entities. In addition, TA416's expansion to Middle Eastern government targeting in March 2026 further highlights how the group’s tasking prioritization is likely influenced by geopolitical flashpoints and escalations. Throughout this period, the group has shown a willingness to iterate on infection chains, cycling through using fake Cloudflare Turnstile pages, OAuth redirect abuse, and MSBuild-based delivery, while continuing to update its customized PlugX backdoor. These TA416 operations suggest the group will likely continue to prioritize targeting European diplomatic networks and, as the conflict continues, Middle Eastern diplomatic entities, while maintaining parallel activity across Southeast Asia. Organizations in scope for this targeting should expect continued experimentation with initial access vectors delivered via spearphishing campaigns alongside continually updated PlugX payloads.   ET rules 2068412 - ET MALWARE TA416 PlugX CnC Activity (GET) 2068413 - ET MALWARE TA416 PlugX CnC Activity (GET) 2068414 - ET MALWARE TA416 PlugX CnC Activity (POST) Indicators 2026/05/13 update: The domain devredin[.]com that originally appeared in this blog was a false positive that has now been removed. Note: Indicators encompass a range of TA416 activity observed since July 2025, not just campaigns targeting European government.  Indicator   Type   Description   First Seen  cnrelojes[.]com  Domain  C&C domain  Jun-25  hnk-capljina[.]com  Domain  C&C domain  Jun-25  harrietmwelch[.]com  Domain  C&C domain  Jun-25  theprmummy[.]com  Domain  C&C domain  Jun-25  ecolnomy[.]com  Domain  C&C domain  Jun-25  mettayoga[.]org  Domain  C&C domain  Jun-25  it-evenement[.]nl  Domain  C&C domain  Jun-25  welnetsanda[.]org  Domain  Web bug domain  Jun-25  thecamco[.]net  Domain  C&C domain  Jun-25  paquimetro[.]net  Domain  C&C domain  Jun-25  fuyuju[.]com  Domain  C&C domain  Jul-25  nvofficespace[.]com  Domain  C&C domain  Jul-25  premegalithic[.]com  Domain  C&C domain  Jul-25  phpthemes[.]net  Domain  Web bug domain  Jul-25  supplementsoftheyear[.]com  Domain  C&C domain  Jul-25  colorflee[.]org  Domain  C&C domain  Aug-25  atravelingwitch[.]com  Domain  C&C domain  Sept-25  napasbdc[.]org  Domain  C&C domain  Sept-25  buzzurro[.]net  Domain  C&C domain  Sept-25  racineupci[.]org  Domain  C&C domain  Sept-25  cubukluescort[.]com  Domain  C&C domain  Sept-25  cseconline[.]org  Domain  C&C domain  Sept-25  ecomputers[.]org  Domain  C&C domain  Oct-25  designehair[.]com  Domain  C&C domain  Oct-25  loumuenz[.]com  Domain  C&C domain  Oct-25  ronnybush[.]net  Domain  C&C domain  Oct-25  hayabusamt[.]com  Domain  C&C domain  Oct-25  rondabusco[.]com  Domain  C&C domain  Nov-25  doorforum[.]com  Domain  C&C domain  Nov-25  portabalbufe[.]com  Domain  C&C domain  Nov-25  papermoonweddings[.]com  Domain  C&C domain  Nov-25  hoplitellc[.]com  Domain  C&C domain  Nov-25  mongolianews[.]info  Domain  C&C domain  Nov-25  famisu[.]com  Domain  C&C domain  Dec-25  espacebus[.]com  Domain  C&C domain  Dec-25  dnzapping[.]com  Domain  C&C domain  Dec-25  buddhismnewsdaily[.]org  Domain  C&C domain  Dec-25  buywownow[.]com  Domain  C&C domain  Dec-25  goodmedsx[.]com  Domain  C&C domain  Dec-25  anbusivam[.]com  Domain  C&C domain  Dec-25  phbusiness[.]net  Domain  C&C domain  Dec-25  bobbush[.]org  Domain  C&C domain  Dec-25  majicbus[.]org  Domain  C&C domain  Dec-25  busopps[.]org  Domain  C&C domain  Dec-25  turileco[.]net  Domain  C&C domain  Dec-25  basecampbox[.]com  Domain  C&C domain  Jan-26  adimagemarketing[.]com  Domain  C&C domain  Jan-26  ecoafrique[.]net  Domain  C&C domain  Jan-26  speedifynews[.]com  Domain  Web bug domain  Jan-26  creatday[.]com  Domain  C&C domain  Jan-26  fruitbrat[.]com  Domain  C&C domain  Jan-26  dalerocks[.]com  Domain  C&C domain  Jan-26  aaitile[.]com  Domain  C&C domain  Jan-26  ombut[.]com  Domain  C&C domain  Jan-26  gestationsdiabetes[.]com  Domain  C&C domain  Jan-26  gynecocuk[.]net  Domain  C&C domain  Feb-26  decoraat[.]net  Domain  C&C domain  Feb-26  embwishes[.]com  Domain  C&C domain  Feb-26  carhirechicago[.]com  Domain  C&C domain  Feb-26  ytsonline[.]net  Domain  C&C domain  Mar-26  coastallasercompany[.]com  Domain  C&C domain  Mar-26  shalomrav[.]org  Domain  C&C domain  Mar-26  rhonline[.]net  Domain  C&C domain  Mar-26  winesnmore[.]net  Domain  C&C domain  Mar-26  alpinemfg[.]net  Domain  C&C domain  Mar-26  amblecote[.]net  Domain  C&C domain  Mar-26  stuypa[.]org  Domain  C&C domain  Mar-26  buscacnpj[.]org  Domain  Delivery domain  Feb-26  subusiness[.]org  Domain  Delivery domain  Dec-25  florarevival[.]com  Domain  Delivery domain  Jan-26  bushidomma[.]net  Domain  Delivery domain  Jan-26  devlyrics[.]com  Domain  Delivery domain  Feb-26  softhunts[.]com  Domain  Delivery domain  Feb-26  gesecole[.]net  Domain  Delivery domain  Feb-26  meritsoftwebportals[.]com  Domain  Delivery domain  Feb-26  foxmediagency[.]com  Domain  Delivery domain  Mar-26  ghonline[.]net  Domain  Delivery domain  Mar-26  hxxps://mydownload.z29.web.core.windows[.]net/nv2199_update_on_situation_of_cambodia-thailand_border.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownload.z29.web.core.windows[.]net/nv2230_update_of_situation_on_cambodia-thailand_border.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownload.z29.web.core.windows[.]net/naju_plan_obuka_oktobar_2025.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownload.z29.web.core.windows[.]net/epc_invitation_letter_copenhagen_1-2_october_2025.html  URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownloadfile.z7.web.core.windows[.]net/jatec_workshop_on_wartime_defence_procurement_(9-11_september).html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://mydownfile.z11.web.core.windows[.]net/agenda_meeting_26_sep_brussels.html   URL  Fake Cloudflare Turnstile challenge page  Sept-25  hxxps://filesdownld.z13.web.core.windows[.]net/a9t3zb7l1qx5.html   URL  Fake Cloudflare Turnstile challenge page  Oct-25  hxxps://filestoretome.z23.web.core.windows[.]net/filelocate.html  URL  Fake Cloudflare Turnstile challenge page  Nov-25  hxxps://attd.z23.web.core.windows[.]net/attd.html   URL  Fake Cloudflare Turnstile challenge page  Nov-25  hxxps://gooledives.z48.web.core.windows[.]net/election_2026.html   URL  Fake Cloudflare Turnstile challenge page  Jan-26  hxxps://gooledives.z48.web.core.windows[.]net/%e0%a6%a8%e0%a6%bf%e0%a6%b0%e0%a7%8d%e0%a6%ac%e0%a6%be%e0%a6%9a%e0%a6%a8_%e0%a7%a8%e0%a7%a6%e0%a7%a8%e0%a7%ac.html   URL  Fake Cloudflare Turnstile challenge page  Jan-26  mydownload.z29.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Sept-25  mydownloadfile.z7.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Sept-25  mydownfile.z11.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Sept-25  filesdownld.z13.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Oct-25    attd.z23.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Nov-25  filestoretome.z23.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Nov-25  gooledives.z48.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Jan-26  reloadsite.z13.web.core.windows[.]net  Hostname  Microsoft Azure Blob Storage site used for delivering malware  Mar-26  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=607bb911-0f5a-4186-9d48-ecff8e094280&response_type=code&scope=invalid&prompt=none&state=2  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=5e6b7cf5-69b7-4f85-87d1-8b4cb6df8aa2&response_type=code&scope=invalid&prompt=none&state=3  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=8d015a9c-f912-445d-8b3c-4f3b3201ded1&response_type=code&scope=invalid&prompt=none&state=47  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=684d7892-c993-41d7-b6c1-07613c43cd61&response_type=code&scope=invalid&prompt=none&state=17  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=a9785a2d-445e-4ffa-a770-bec734911841&response_type=code&scope=invalid&prompt=none&state=1  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Dec-25  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?state=149&x_client_ver=1.0.0&response_type=code&client_id=b004ab26-f57b-439d-ae54-c39b958e5743&nonce=ab93f2c1&prompt=none&scope=invalid&ui_locales=en-us  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Jan-26  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?state=6&x_client_ver=1.0.0&response_type=code&client_id=3c7bf1a4-927f-40a1-97b0-7a7aa08f4bb2&nonce=ab93f2c1&prompt=none&scope=invalid&ui_locales=en-us  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Jan-26  hxxps://login.windows[.]net/common/oauth2/v2.0/authorize?client_id=7d980c52-31e5-4554-9e20-b89c4617102f&response_type=code&scope=invalid&prompt=none&state=1  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Mar-26  hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?utm_source=portal&utm_medium=web&client_id=c47683e4-16a3-4b8a-a3d3-c1fe4c86f073&response_type=code&scope=invalid&prompt=none&utm_campaign=login&state=o1&ref=dashboard  URL  Microsoft Entra ID OAuth 2.0 third-party application authorization URL used to trigger a silent redirect  Mar-26  hxxps://web.florarevival[.]com:443/download/a6d6u9ff13?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=6  URL  Example redirect URL delivering malicious archive  Jan-26  hxxps://www.bushidomma[.]net/download/l7o9afe?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=2  URL  Example redirect URL delivering malicious archive  Dec-25  hxxps://www.buscacnpj[.]org/download/we7823bn?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=3  URL  Example redirect URL delivering malicious archive  Dec-25  hxxps://www.subusiness[.]org/download/aetce17ge?error=interaction_required&error_description=session+information+is+not+sufficient+for+single-sign-on.&state=47  URL  Example redirect URL delivering malicious archive  Dec-25  hxxps://www.foxmediagency[.]com/download/qqa36sa0d6fq066?error=interaction_required&error_description=Session+information+is+not+sufficient+for+single-sign-on.&state=o1  URL  Example redirect URL, redirects again to direct download of malicious archive  Mar-26  hxxps://dash.ghonline[.]net:443/download/jyebbtg?error=interaction_required&error_description=Session+information+is+not+sufficient+for+single-sign-on.&state=o1  URL  Example redirect URL, redirects again to direct download of malicious archive  Mar-26  607bb911-0f5a-4186-9d48-ecff8e094280  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  5e6b7cf5-69b7-4f85-87d1-8b4cb6df8aa2  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  8d015a9c-f912-445d-8b3c-4f3b3201ded1  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  684d7892-c993-41d7-b6c1-07613c43cd61  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  a9785a2d-445e-4ffa-a770-bec734911841  GUID  Microsoft Entra Third Party Application Client ID  Dec-25  3c7bf1a4-927f-40a1-97b0-7a7aa08f4bb2  GUID  Microsoft Entra Third Party Application Client ID  Jan-26  b004ab26-f57b-439d-ae54-c39b958e5743  GUID  Microsoft Entra Third Party Application Client ID  Jan-26  7d980c52-31e5-4554-9e20-b89c4617102f  GUID  Microsoft Entra Third Party Application Client ID  Mar-26  c47683e4-16a3-4b8a-a3d3-c1fe4c86f073  GUID  Microsoft Entra Third Party Application Client ID  Mar-26  262a1003a2cd04993b29e687686eba573d6202fea8611c437ecbd6312802677a  SHA256  JATEC workshop on wartime defence procurement (9-11 September).zip  Sept-25  7c96d08f5ce46d1a857184490a7e68ca2b02e9cbe9d188742f184f21bc9c62d9  SHA256  JATEC workshop on wartime defence procurement (9-11 September).lnk  Sept-25  ae8d2cef8eac099f892e37cc50825d329459baa9625b71fb6f4b7e8f33c6ccce  SHA256  cnmpaui.dll  Sept-25  36e516182b4c8aa48ea3e50b7dc353f32d3412f59fb0cb1c7b3590aa4d821c57  SHA256  cnmplog.dat  Sept-25  30475ff5b32776e554433ff00e7c18590253521024662c267abaefd24f1b9bbe  SHA256  EPC invitation letter Copenhagen 1-2 October 2025.zip  Sept-25  28a8bdaee803d9cf9186ff4756e15b0fb491fd3b65bde002361615f27e5ca92d  SHA256  EPC invitation letter Copenhagen 1-2 October 2025.lnk  Sept-25  c96338533d0ab4de8201ce1f793e9ea18d30c6179daf1e312e0f01aff8f50415  SHA256  cnmpaui.dll  Sept-25  56f0247049be8b9dc1da7c55957d2fb4f7177965ba62789c512f3e2b4c0c5c26  SHA256  cnmplog.dat  Sept-25  e036e2ba402d808adbb7982ec8d7a207849ff40456633b2b372bc7916d9dc22f  SHA256  ATTD-ASIA-2025.zip  Nov-25  e1e597852d684bd6d0395d5094e58831f13635f668e7cf66ba71b8b66be0ce6c  SHA256  ATTD-ASIA-2025.lnk  Nov-25  795ad4789a185c3abc35b3ad82117db6b60a7b8ab857e41080873f070d4a06f0  SHA256  crashhandler.dll  Nov-25  79e0ab17e761a00ad12b9848f1f07b507f57db532fa2df8c722693e14feb17c3  SHA256  crashlog.dat  Nov-25  784a914bd1878ad68a6cf3f693da5ddcc2f04b794204333098ad749b7e372fd4  SHA256  Concept_Note_2nd_Global_Buddhist_Summit_2026.zip  Dec-25  e31eafb49dbcad079ff177703b5a033f3e0365991cf28492339eccfe0fdf812c  SHA256  Concept_Note_2nd_Global_Buddhist_Summit_2026.lnk  Dec-25  2c3708a103b257fa75fcb34948c817fd564d4479f1e267b33c5b08f0d4c7634f  SHA256  crashhandler.dll  Dec-25  e9d8f28fd0aef3bc3f5b28a41b3f342165b371db9aefd7d03f2aba4292009d3e  SHA256  crashlog.dat  Dec-25  50746ddd81a5dbc5cec793209ab552125fff9c7184aa5bcfe22d6c3b267f67f1  SHA256  Meeting_Outcome_Briefing_10_January_2026.zip  Jan-26  d0576b39bb6c05ea0a24d3a3d5d7cb234454fefc65860f21a97757582adc7650  SHA256  Meeting_Outcome_Briefing_10_January_2026.lnk  Jan-26  84d6a8b47edadf5725d9937d8928a90d190e0c98b5b4d1a4c58e97cddcd36768  SHA256  comn.dll  Jan-26  f988d58e4a32b908ff7a557d740c6860c59807832c7626774330dcaed65ead14  SHA256  backupper.dat  Jan-26  31f3606433e95bfbb047d31c885e56a70111e130f3d2da0580644c01323b46d1  SHA256  Meeting invitation-2026.rar  Feb-26  29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad  SHA256  Invitation_Letter_No.02_2026.zip  Feb-26  7d2b6c48cbd6cef05ea2bdae7dfc001504cccda99dd89eb7fe6646e96c1d5515  SHA256  Meeting invitation 2026.rar  Feb-26  3e7478d3854eaeed487230ba9299c87d5a5d70e4fbeac841555327c76b7b405e  SHA256  Meeting invitation 2026.csproj  Feb-26  c8a6302adf92353556c600a0afa9146fbc04663fffe8be90808df2bf04ec5703  SHA256  Meeting invitation 2026.csproj  Feb-26  de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1  SHA256  Invitation_Letter_No.02_2026.csproj  Feb-26  f333bc5238e39790fb7560de067a852e9a99df2bb783cf08738d8a0d424b9658  SHA256  Avk.dll  Feb-26  06a70c54c580ec4c362bfbc94147a0f1ac9020c421933ccf494a8d553b114260  SHA256  Avk.dll  Feb-26  46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc  SHA256  Avk.dll  Feb-26  e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17  SHA256  AVKTray.dat  Feb-26  a3f9e20315663e4e8feb13e77563e3cb0f2f4844734987e51e14bd172b9a04fd  SHA256  AVKTray.dat  Feb-26  5c3208c5217933e16c5119e7baf78f85fd409e8822d1cd7a8ef2d52a5bd511c1  SHA256  AVKTray.dat  Feb-26  42c3b9cad6c8383699eba4f82d51908c0d61e9ea454bc40447cf20475ce20ff0  SHA256  Information_Note_Elections_Republic_of_Kosovo_28_December_2025.zip  Dec-25  64bae6a215ad9e956d1028603438228003d832bdd5e586ad4988f5c7ad1c54f0  SHA256  Information_Note_Elections_Republic_of_Kosovo_28_December_2025.lnk  Dec-25  843b22df66f87a587be77145da163f9615fe8164a5ea17f9e33562ff43894fbf  SHA256  crashhandler.dll  Dec-25  eb10443a2f0b9a25d01a84426a6a8532b0e7c9157abda55b94c98a1fd2d45562  SHA256  crashlog.dat  Dec-25   b1606ca49aa15eadb039f33d438697973b203693d0003e467e1f33b36d10a530  SHA256  Post-Meeting_Report_US-Adriatic_Charter_Partnership_Commission.zip  Dec-25  87929c8f53341a5e413950d33c7946c64e1d4b2eba6d1a8b2d08ef56f7065052  SHA256  Post-Meeting_Report_US-Adriatic_Charter_Partnership_Commission.lnk  Dec-25  6788365386ccd34d1db681c61ef07ef4d2faea5672571b77a76dc48f327afaa9  SHA256  crashlog.dat  Dec-25  2712f4ac5ad422bcf749699389cb1a0111a1b11e298efb0cffebc2e2f0becb5f  SHA256  election_2026.zip  Jan-26  4d528842c7fe73681dfe569d38a39f8d38ca5548dbc8b6ac02df096713a92efd  SHA256  election_2026.lnk  Jan-26  45d8d4f04eb44dc5d10290038825194b0ffc38048a786b4a8b81bb796afc58a3  SHA256  Avk.dll  Jan-26  a82c8845587a87010eab52ef8c35d45eaea8eb8102aae77ec96e222197b7db66  SHA256  AVKTray.dat  Jan-26  16e258b7b712b747a6037d56ee8d2cc99f8f8139da4a3a59c24af0887531ace0  SHA256  নির্বাচন_২০২৬.zip  Jan-26  29a70241660ff3234f1c5e8c01878ee01adb4a289262bd37403e1a323129ea86  SHA256  নির্বাচন_২০২৬.lnk  Jan-26  c73050860c8aaa0f79c03781519cdcee133832805e2e3e778fef3cb0e917efb1  SHA256  Avk.dll  Jan-26  9d61c4e21bbbddde5bb780ea0c5238a3538a84b9afe98d62d08845b47fb5caa9  SHA256  AVKTray.dat  Jan-26  b394e7a3b350b2104b73e29a04e48e5ede5078b9a811abae58d842ce3442c6b3  SHA256  Browser Updater.zip  Feb-26  0b916d2b4a02d01b42c2b04e281d786a05cc7974d2c4a272b01e8060fa713403  SHA256  Browser Updater.csproj  Feb-26  965894996e2cb9be1e0ccc509e079e7eca072cbc4e68945beb00ff5979dda19c  SHA256  Avk.dll  Feb-26  69b685fadce4f34bc4964b3d78d43694a428ae1ee4d2fe0ce4ed26fad07847fa  SHA256  AVKTray.dat  Feb-26  30c71d644bc72e0d55d46bed753ab3f72dc77b7f1be0e34693c957939a779507  SHA256  BRICS Report.zip  Feb-26  e79d19d68d307c12413f8549aafa4a56776002dd04601e36e0125b2e6d56ff94  SHA256  BRICS Report.lnk  Feb-26  44cfba85aa27265779b01f6eb8b69718462b1ca8078b21066061e8d1622dff7a  SHA256  crashhandler.dll  Feb-26  774841a2bfb07b61a8be3de8ae31e9847f987de652eef179761dc3d1b34c42ff  SHA256  crashlog.dat  Feb-26  3c065947461df428b0d29e401e2a28a0d2560943e96d3ac8b9ed71858fbcec38  SHA256  EID_AL-FITR_MESSAGES_2026(Kuwait).zip  Mar-26  7be77e6166aae9a89b16b64b593f35afc7424926047635f2230a4e364c6a46d8  SHA256  EID_AL-FITR_MESSAGES_2026(Kuwait).lnk  Mar-26  b6d866054dedf7a882dd1fa405a066de1278e35acf639b3a0e850a637d27c4bc  SHA256  CNCLID.dll  Mar-26  9e67f72bfbc8772ce10633430e1277fd8374e99877ddedb598b4f6717c799eeb  SHA256  Canon.dat  Mar-26  de13e4b4368fbe8030622f747aed107d5f6c5fec6e11c31060821a12ed2d6ccd  SHA256    Energy_Infrastructure_Situation_Note _Tehran_Province_2026.zip  Mar-26  a95e3857e2f32c2a9c23accadebc1ad6aabf73fed9d63c792d69122d9ec6726d  SHA256  Energy_Infrastructure_Situation_Note _Tehran_Province_2026.lnk  Mar-26  3021f4d365a641722748c5e60d983a080db17bef8f0a1dbe624ffe63cd544cc1  SHA256  Eraser.dll  Mar-26  c5267fefaac1764eba5f42681eb216f146b7d18fcbf546275d33e70cb36fdfba  SHA256  Eraser.dat  Mar-26  bcd30f2116f5ba6731c628483d597b2ba3620ed464c63875855906306beb102a  SHA256  OECD_Update_on_implications_for_energy_markets_of_events_in_the_Middle_East.zip  Mar-26  1df74ce45aa9320c48858eddce3f46f5687fbfdcfd497d92a1e17476e7a2951e  SHA256  OECD_Update_on_implications_for_energy_markets_of_events_in_the_Middle_East.lnk  Mar-26  93e9402af72b355554f9ba93c64871b1bae5be498e3b8a10e61ebdd10ab0d050  SHA256  Eraser.dll  Mar-26  2261c7640fe2f3c2385de61c546b5020ec8a486ad5bad64c31bc9268f6b36a2c  SHA256  Eraser.dat  Mar-26  kordula.wehrli@gmail[.]com  Email Address  TA416-controlled email address  Jul-25  kayden.beaufort@gmail[.]com  Email Address  TA416-controlled email address  Jul-25  emmeline.voss@gmail[.]com  Email Address  TA416-controlled email address  Aug-25  epc.copenhagen2025.dm@gmail[.]com  Email Address  TA416-controlled email address  Sept-25  galinaburl76@gmail[.]com  Email Address  TA416-controlled email address  Nov-25  office2000005@gmail[.]com  Email Address  TA416-controlled email address  Feb-26  hsuhalingaye26@gmail[.]com  Email Address  TA416-controlled email address  Feb-26 

Security brief: tax scams aim to steal funds from taxpayers

30 March 2026 at 15:20
What happened  Threat actors love to take advantage of tax season. It’s peak social engineering time: combine monetary concerns with often stressful responsibilities, sprinkle in the expectation of emails about taxes from multiple organizations and you’ve got a recipe for cybercrime.   So far in 2026 we’ve seen over a hundred campaigns leverage tax themes leading to  malware, remote monitoring and management (RMM) payloads, fraud, and credential phishing. Tax-themed campaigns are expected annually, but this year we’re seeing more RMM payloads, activity from newly identified threat actors, and a broader variety of social engineering lures.   Figure1. Breakdown of threat type delivered in tax-themed email campaigns. (Analyst note: Proofpoint manually contextualizes fewer BEC/Imposter threats overall, so they appear less in campaign data.) Threat actors are using tax themes in many ways, including posing as tax agencies or government entities like the Internal Revenue Service (IRS); claiming the recipient has expired tax documents; impersonating company human resources; requesting for tax filing support; claiming tax violations; and more.   Email volumes vary from a handful of messages to tens of thousands, depending on the campaign and the actors’ objectives. While most campaigns target the United States, Proofpoint has also seen recent tax-themed campaigns target other countries including Canada, Australia, Switzerland, and Japan, among others.   The following is an example of some notable tax-themed campaigns observed in 2026 so far.   Campaign examples  RMM  The most common payloads delivered via tax themes are RMMs. These tools are legitimate software commonly used within the enterprise but abused by cybercriminals. RMMs are used by many threat actors, and the cybercrime ecosystem leveraging legitimate software in malicious campaigns is thriving. Threat actors like using RMMs because they often fly under the radar in enterprise environments since they’re legitimate, often authoritatively signed, pieces of software. If organizations do not implement allow-listing for trusted RMMs, malicious ones may not get flagged by security tools.   Proofpoint has observed tax-themed campaigns deliver RMMs including Datto, N-Able, RemotePC, Zoho Assist, and ScreenConnect, among others. In some cases, threat actors will use one RMM for initial access and then drop another as a follow-on payload once the host is infected.   As an example, on 05 February 2026, Proofpoint observed a campaign impersonating the U.S. IRS. The lure purported to relate to the target’s recent IRS filing.   Figure 2. Phishing lure impersonating the IRS delivering N-able RMM.   Messages contained a hyperlinked button purporting to be a “Transcript Viewer” that was actually a Bitbucket URL leading to an executable file which, if executed, installed N-able RMM. Notably, the actor included a real phone number belonging to the IRS to further the social engineering and believability of the email.  IRS is a common lure theme used by multiple threat actors, as impersonating government agencies can be a compelling social engineering technique. Since January 2026, Proofpoint observed over a dozen RMM campaigns that have impersonated the IRS.   TA4922   TA4922 is a newly designated financially motivated threat actor regularly tracked by Proofpoint since spring 2025. The actor’s primary objective is to obtain remote access likely for monetization, like fraud, data theft, access brokering, or persistence. This actor delivers malware from the Winos4.0 ecosystem, which is also referred to in some reporting as ValleyRAT, and uses a variety of loaders and stealers. TA4922 also conducts fraud campaigns. The actor is likely based in East Asia and probably is Chinese speaking. TA4922 demonstrates overlaps with the Silver Fox and Void Arachne ecosystem as reported by third-party researchers.   This actor typically targets Japan with some additional East Asian targeting and commonly uses tax themes in its campaigns. One notable technique from TA4922 is its frequent use of impostor emails pretending to be someone in a position of authority. The attacker sends an initial email that requests the recipient’s phone number to establish communications outside of email.   For example, in early February 2026, Proofpoint observed a TA4922 campaign targeting organizations in Japan. Emails impersonated national tax authorities and claimed the recipient had unresolved tax obligations. The actor requested the recipient’s mobile phone number to establish out-of-band communications.   Figure 3. Japanese language National Tax Authority impersonation email.   Once engagement is established, the actor will likely escalate social engineering by impersonating the target organization’s finance leadership and may deliver malicious links or files via out-of-band channels.  In another campaign in early March, emails targeted Japan and purported to be from the "Inland Revenue Department." Messages included a URL which downloaded an executable, which, if executed, installed an information stealer still under investigation by Proofpoint researchers.   Figure 4. Inland Revenue Department impersonation.   Proofpoint has also observed this actor impersonate revenue agencies of other countries and target users in those regions, including India, Taiwan, Indonesia, Malaysia, and, unusually, Italy.   TA2730   Proofpoint has tracked TA2730, a prominent credential phishing threat actor, since June 2025. The actor focuses on obtaining credentials for various financial institutions, typically those focused on investments.  TA2730 campaigns appear opportunistic rather than targeted. The messages are sent from malicious domains most likely registered by the actor. The threat actor uses multiple phishing kits, including one they likely developed and use most frequently. The actor targets many countries, with its most frequent geographies of interest being Canada, Australia, Singapore, Switzerland and Japan.  Figure 5. TA2730 geographic targets of all campaigns.  One of the most popular lure themes this actor uses relates to a "W-8BEN" form, a U.S. tax form for non-U.S. taxpayers. This lure has been used in dozens of campaigns since we began tracking the actor.   Typically, the actor will pose as an investment company, telling the recipient they need to update or provide information for their W-8BEN form. Emails contain URLs leading to counterfeit investment account authentication pages designed to harvest user credentials. The following are two examples of recent campaigns observed in Proofpoint telemetry. Both these campaigns occurred in February, targeting Switzerland and Canada. In some cases, the actor includes the legitimate phone number for the impersonated entity to further the believability of the lure.  Figure 6. TA2730 email impersonating Swissquote (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Switzerland.  Figure 7. TA2730 email impersonating Questrade (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Canada.  The objective of these campaigns is to take over investment accounts for financial gain.   W-2 fraud  Business email compromise (BEC) threat actors also regularly use tax form lures including W-2 Form (Wage and Tax Statement) and W-9 (Request for Taxpayer Identification Number and Certification) themes. Typically, these campaigns will impersonate company executives, human resources, or vendor/supplier contacts in attempts to steal financial and personal data, likely with a goal of leveraging it for follow-on fraud.   For example, in one campaign observed in March, email sender names were spoofed to appear as if they came from an executive at the targeted organization, requesting all employee W-2 forms for 2025.   Figure 8. BEC W-2 fraud email example.   Such forms contain sensitive information like names, addresses, and Social Security numbers. This data can be used for identity theft and banking fraud.   Why it matters  The examples represented in this blog are just a small portion of the overall landscape, and while tax season is a popular time for these types of lures, taxes and financial information can be an effective lure, no matter the time of year.   Tax lures are commonly used by threat actors, especially around filing seasons, as people leverage various applications and services to collate and file important business and personal finance information. Such lures can be convincing to recipients who are either expecting communications from organizations related to financial or government institutions or would be concerned and worried by receiving an email suggesting they will have fines or fees for incorrectly submitting information.   In general, enterprises should educate users about the techniques and lures commonly abused by threat actors and be aware that cybercriminals routinely gravitate towards timely and topical lure themes, with taxes being among their annual favorites.   Indicator  Description   First Seen  Aubrey162243her@hotmail[.]com  TA4922 Sender Email  06 March 2026  Baerg536714qrr@hotmail[.]com  TA4922 Sender Email  06 March 2026  Belinda319932ywa@hotmail[.]com  TA4922 Sender Email  06 March 2026  Brenda26111993bbs@hotmail[.]com  TA4922 Sender Email  06 March 2026  Brett77124cnd@hotmail[.]com  TA4922 Sender Email  06 March 2026  Clint15032004ye@hotmail[.]com  TA4922 Sender Email  06 March 2026  Dan0600ups@hotmail[.]com  TA4922 Sender Email  06 March 2026  Darryl658773qfs@hotmail[.]com  TA4922 Sender Email  06 March 2026  Elmer445637xqd@hotmail[.]com  TA4922 Sender Email  06 March 2026  Genet868615mfd@hotmail[.]com  TA4922 Sender Email  06 March 2026  Gilana406avh@hotmail[.]com  TA4922 Sender Email  06 March 2026  Gilbert6704ysw@hotmail[.]com  TA4922 Sender Email  06 March 2026  Glenn0045bnk@hotmail[.]com  TA4922 Sender Email  06 March 2026  Greg2505880dbq@hotmail[.]com  TA4922 Sender Email  06 March 2026  Hilda2441790ajg@hotmail[.]com  TA4922 Sender Email  06 March 2026  Kaitlyn135452qyw@hotmail[.]com  TA4922 Sender Email  06 March 2026  Kayla383537cau@hotmail[.]com  TA4922 Sender Email  06 March 2026  Kelly5906byn@hotmail[.]com  TA4922 Sender Email  06 March 2026  Mattie9227fdx@hotmail[.]com  TA4922 Sender Email  06 March 2026  Quirita42462vpp@hotmail[.]com  TA4922 Sender Email  06 March 2026  Rafael0746881jxk@hotmail[.]com  TA4922 Sender Email  06 March 2026  Sabah30035vrj@hotmail[.]com  TA4922 Sender Email  06 March 2026  Tanisha535486nyg@hotmail[.]com  TA4922 Sender Email  06 March 2026  Violet82113vbv@hotmail[.]com  TA4922 Sender Email  06 March 2026  Violet900048ege@hotmail[.]com  TA4922 Sender Email  06 March 2026  Yvette20071993pgc@hotmail[.]com  TA4922 Sender Email  06 March 2026  Yvonne8544809axa@hotmail[.]com  TA4922 Sender Email  06 March 2026  YObutler.jonasd8nC29@yahoo[.]com  TA4922 Reply-to Email  09 February 2026  hxxps://www[.]upsystems[.]one/Alex[.]exe  TA4922 Payload URL  06 March 2026  d338a7f85737cac1a7b4b5a1cca94e33d0aa8260548667c6733225d4c20cb848  TA4922 Information Stealer SHA256  06 March 2026  121[.]127[.]232[.]253:8443  TA4922 Information Stealer C2  06 March 2026  Bella1987Jenny8927@outlook[.]com  TA4922 Sender Email  02 February 2026  Cedric1985Mattie70601@outlook[.]com  TA4922 Sender Email  02 February 2026  Chappel1994Sunkel79549@outlook[.]com  TA4922 Sender Email  02 February 2026  Chris1987Juanita79531@hotmail[.]com  TA4922 Sender Email  02 February 2026  Elisa1966Tamara82159@hotmail[.]com  TA4922 Sender Email  02 February 2026  Ellis1986Akihito92@hotmail[.]com  TA4922 Sender Email  02 February 2026  Garrett2003Jaime3246@outlook[.]com  TA4922 Sender Email  02 February 2026  GhaemmaghamiBorg2909@outlook[.]com  TA4922 Sender Email  02 February 2026  Iris2003Francis43001@hotmail[.]com  TA4922 Sender Email  02 February 2026  Jo1990Nelson506@hotmail[.]com  TA4922 Sender Email  02 February 2026  Kamiisa1962Eunice52@outlook[.]com  TA4922 Sender Email  02 February 2026  KatsaounisSetlak6267@outlook[.]com  TA4922 Sender Email  02 February 2026  Lathrop1966Alice63@hotmail[.]com  TA4922 Sender Email  02 February 2026  Lucia1968Sheryl4254@outlook[.]com  TA4922 Sender Email  02 February 2026  LucinaMcnear6104@outlook[.]com  TA4922 Sender Email  02 February 2026  Morris1965Cruz7189@hotmail[.]com  TA4922 Sender Email  02 February 2026  Nabila2004Eunice770@hotmail[.]com  TA4922 Sender Email  02 February 2026  NicholWollan4783@outlook[.]com  TA4922 Sender Email  02 February 2026  Peony1982Jamila936@outlook[.]com  TA4922 Sender Email  02 February 2026  Quirita1980Laraine303@hotmail[.]com  TA4922 Sender Email  02 February 2026  SablanLoretz4374@outlook[.]com  TA4922 Sender Email  02 February 2026  Sheryl1993Sabah3812@outlook[.]com  TA4922 Sender Email  02 February 2026  SteadfastSeefried8443@outlook[.]com  TA4922 Sender Email  02 February 2026  Terrell1980Dawn020@hotmail[.]com  TA4922 Sender Email  02 February 2026  Vanessa1991Gretel73372@outlook[.]com  TA4922 Sender Email  02 February 2026  WaffleMehta9842@outlook[.]com  TA4922 Sender Email  02 February 2026  Wendell1988Lovice46@hotmail[.]com  TA4922 Sender Email  02 February 2026  844202972ff19afa760447fc87963de0fbbc0ebc69d50164f03ecf5d4e67952f  N-Able RMM Payload, Fake IRS Campaign  05 February 2026  hxxps[:]//bitbucket[.]org/pmlasobjekightailsians/rgww/downloads/amzn-s3-EfinTranscriptViewer.cm10_14_4_.EXE  Payload URL Fake IRS Campaign  05 February 2026  bksgcefzqyb[.]com  TA2730 Phishing Landing Domain  25 February 2026  whghfpytehu[.]com  TA2730 Phishing Landing Domain  25 February 2026  akcjdrya[.]com  TA2730 Phishing Landing Domain  27 January 2026  buwxkiy[.]com  TA2730 Phishing Landing Domain  27 January 2026  eodrggi[.]com  TA2730 Phishing Landing Domain  27 January 2026  gyglowcq[.]com  TA2730 Phishing Landing Domain  27 January 2026  iuzndfqr[.]com  TA2730 Phishing Landing Domain  27 January 2026  nirbsff[.]com  TA2730 Phishing Landing Domain  27 January 2026  rmwztbrr[.]com  TA2730 Phishing Landing Domain  27 January 2026  wijgzsfh[.]com  TA2730 Phishing Landing Domain  27 January 2026     

CursorJack: weaponizing Deeplinks to exploit Cursor IDE

17 March 2026 at 22:00
Author’s Note: This post reflects Proofpoint Threat Research observations in a controlled test environment as of January 19, 2026. Proofpoint has no commercial, customer, partner, or vendor relationship with Cursor (published by Anysphere, Inc.). Cursor did not review or endorse this report. We notified Cursor through its vulnerability‑reporting channel; the report was closed as out‑of‑scope / Not Applicable under their policy. Findings are presented as a risk pattern involving deeplink‑driven installation flows and social engineering and may evolve as vendors update features. Configurations and results may vary based on OS, user permissions, enterprise controls, and product versions; readers should apply multi‑layered controls and follow vendor guidance.  Overview  Cursor implements deeplinks for Model Context Protocol (MCP) to provide a mechanism for installation of MCP servers in Cursor IDE. This blog describes CursorJack, a method of potentially abusing Cursor MCP deeplinks that, under certain conditions, could enable code execution or allow installation of a malicious remote MCP server. The behavior described below is specific to the test environments noted and does not imply silent or zero‑click exploitation by default. It does, however, highlight the urgent need to secure agentic AI environments.  Key takeaways  The cursor:// protocol handler could be abused through social engineering in specific configurations.  In our tests, a single click followed by user acceptance of an install prompt could result in arbitrary command execution.  The technique could be leveraged both for local code execution via the command parameter or to install a malicious remote MCP server via the URL parameter.  There is currently no visual distinction between a malicious MCP install deeplink and a legitimate one in the default UI flows we observed.  Developers are potentially high-value targets as their workstations may have privileged accounts or contain credentials, API keys, source code and other sensitive data.  Our POC code is available on GitHub.  Cursor MCP Deeplinks  Deeplinks are custom URL schemes to direct users to specific pages within an app. Cursor IDE implements MCP deeplink for quick installation of MCP servers with the following structure:  cursor://anysphere.cursor-deeplink/mcp/install?name=<name>&config=<base64> Figure 1. Deeplink schema (source: https://cursor.com/docs/context/mcp/install-links ).    The MCP server configuration is base64-encoded within the deeplink URL.  When Cursor is installed, the application registers the cursor:// protocol handler with the operating system. Once registered, any cursor:// link clicked launches Cursor and passes the full URL to the executable. In our tests, we did not alter OS URL‑handler protections or bypass interactive prompts.  Figure 2. Cursor protocol handler.  MCP.json   The mcp.json configuration format has emerged as a standard for clients to declare how MCP servers should be launched or connected to. Within the ‘mcpServers’ object, each server entry defines its setup, including fields such as command, arguments, environment variables, or a url.  Figure 3. mcp.json configuration format.  MCP servers commonly specify a command and arguments in their configuration. Examples include npx, uvx, and docker, though this key can be used to pass any valid command.  Figure 4. Example command-based MCP.  Alternatively, MCP servers may define a URL in their configuration which could point to either a remote or local MCP server, functioning similarly to an API.  Figure 5. Example of URL-based MCP.  Abuse preconditions observed (high‑level): (1) The user clicks a deeplink from an untrusted/spoofed source; (2) The user accepts an installation prompt; (3) Local conditions permit child‑process execution or remote server addition (e.g., default policies, EDR/allow‑listing, user permissions). We did not observe a silent “zero‑click” path in default configurations.   Cursor MCP install process   Cursor hosts an online MCP Directory that makes MCP servers available for installation.  Figure 6. Cursor MCP Directory (source:https://cursor.com/docs/context/mcp/directory).  Installation process  User clicks a Cursor deeplink from a source (ideally trusted).  Browser prompts to open Cursor IDE.  Cursor displays an installation dialogue showing the MCP server name and parameters.  User clicks "Install" to approve.  Cursor adds the MCP configuration to ~/.cursor/mcp.json.  Cursor executes the configured command (subject to OS/user permissions and local security controls).  During the installation process, the user is shown a preview of the configuration within an installation dialogue and is prompted that the MCP server will execute commands with the same privileges as the user.  Figure 7. Installation dialogue for installing example MCP server.  However, this warning is identical for all deeplinks, whether they are legitimate links from MCP directory or a malicious crafted deeplink. It is this mechanism that could be exploited to gain arbitrary local code execution or to socially engineer users into installing a malicious remote MCP server via deeplinks. Outcomes depend on environment, user privileges, and enterprise controls.  Security considerations  MCP servers create a new attack vector in AI development tools. Users are being encouraged to adopt AI, and many are writing and executing code for the first time without fully understanding security implications. The proliferation of AI coding assistants has normalized approval prompts, with even experienced developers becoming conditioned to approve in AI development environments.  Cursor executes user-privileged commands when users accept the install prompt. The command field in the MCP configuration is executed directly by the IDE as designed. IDE’s that support MCP servers are commonly deployed on developers workstations which may have privileged access including SSH keys, API tokens, cloud credentials, source code, and access to production systems.  Controls such as EDR, allow‑listing, and OS policies may limit or block abuse depending on configuration.  Deeplinks can use any name which can be used to masquerade as legitimate MCP servers (e.g., "Azure DevOps”) and there is no verification that the deeplink originates from the claimed vendor. Users should verify origin and review parameters prior to approval.    CursorJack: proof of concept  CursorJack is a proof-of-concept demonstrating that MCP deeplinks can be abused for local command execution or to install a malicious remote MCP server. The attack abuses the intended MCP installation flow combined with social engineering.  For this proof of concept, where testing was conducted exclusively in Outlook, it is shown that a custom protocol handler like cursor:// can be used to phish users, even when Outlook does not render such links as clickable. Results may vary with other email services. Attackers may also deliver deeplinks via browsers, chats, or documents (such as PDFs).  The phishing page redirects to the malicious deeplink, which encodes a malicious MCP configuration in base64. Once the user installs the MCP, the malicious installation command is executed.   Command execution: Meterpreter Reverse Shell  A phishing email directs the victim to a malicious landing page that triggers an MCP deeplink. The deeplink populates the mcp.json configuration with a malicious command that downloads and executes a batch script. This batch script functions as a stager and retrieves a Metasploit payload from attacker‑controlled infrastructure. The payload executes, establishing a full Meterpreter session that enables file system access, credential harvesting, and possible lateral movement.  1. Phishing Link Delivered.     The attacker sends a crafted HTTP link that email clients can render.    Figure 8. Phishing email.  2. When clicked, the phishing link redirects to a MCP install deeplink. This triggers the Cursor protocol handler, prompting the user to install the MCP within the Cursor IDE.  Figure 9. Landing page with automatic JavaScript direct to Cursor deeplink.  3. Malicious MCP config is accepted, triggering bat script download.    Figure 10. Cursor install command.  4. On install, Cursor executes the curl command to fetch run.bat from the attacker's server.    Figure 11. CursorJack PoC hosting phishing page and attacker resources. 5. run.bat is a staging script that uses curl to download and execute the Metasploit payload (p.exe) to the temp folder.   Figure 12. Contents of run.bat script which retrieves remote payload.  6. Payload executes and launches Metasploit payload independent of Cursor process.  Figure 13. Curl executing as a child process of Cursor.  7.  Figure 14. p.exe executing independently of Cursor.  8. Reverse shell connects and Meterpreter establishes connection to attacker's listener.  Figure 15. Successful Meterpreter session.  Command vs URL exploitation  Cursor's MCP can be configured via command or URL, and both paths are exploitable through deeplinks. While the POC used the command key to stage a payload, attackers could alternatively embed payloads directly in the deeplink or install a remote MCP via social engineering using the URL parameter.  Command  Command-based MCP grants immediate code execution with Cursor's privileges and persists across IDE restarts,  consistent with prior community reporting (CVE-2025-54136), with the install command executing each time Cursor is launched. Attackers can establish sessions, deploy software, or harvest credentials like SSH keys and API tokens including those stored in the mcp.json config itself.  URL  The URL key enables a different attack vector, socially engineering users into installing a malicious remote MCP server. While less powerful than local execution, this provides a foothold for MCP-based attacks like tool poisoning and cross-server manipulation, with lower visibility to security controls.  Delivery methods and obfuscation tactics  Mimic legitimate package installations   Adversaries may disguise their payload delivery by using familiar developer binaries like npx or uvx to pull malicious code from seemingly legitimate locations. This approach blends in with standard package installation patterns, making the malicious activity appear routine and reducing opportunities for detection.  Staging vs. embedded payloads   Malicious MCP deeplinks could potentially deliver payloads via remote staging or direct embedding. Staged payloads leave fewer local artifacts but require C2 availability and may trigger detection through suspicious outbound connections. Embedded payloads could avoid external retrieval and can be swapped server-side without modifying the deeplink, but the payload is static once distributed and fully recoverable from the deeplink, potentially increasing likelihood of detection. Both approaches can be mitigated by strict allow‑listing and content inspection.  Obfuscation techniques   Command obfuscation can conceal malicious MCP configurations, exploiting the user-dependent approval flow. A resolved vulnerability (CVE-2025-54133), as reported by its discoverers, previously allowed hiding command arguments from the installation dialog. Attackers may use encoding techniques or excessively long command strings to push harmful arguments outside the preview window, reducing user scrutiny.  Mitigations  The MCP ecosystem requires fundamental security improvements embedded directly into the framework architecture, rather than relying on additional security tools or user vigilance as the primary defense.  Regarding deeplink abuse, the installation process should address arbitrary command execution through the command parameter, such as through a more granular permissions model or containerization approach to isolate from the host OS.  A trusted MCP ecosystem with signing and verified publishers for MCP servers, analogous to browser extension or app installation stores, would establish server authenticity. A robust code signing mechanism would ensure users can verify the source and integrity of servers before installation, creating a marketplace-like environment for trusted MCP integrations.  Deeplinks from untrusted sources should be treated with the same caution as untrusted executables. Approval flows should incorporate granular security warnings and source verification to help users distinguish deeplinks from trusted and untrusted locations. Macros provide a strong security analogy: attackers historically manipulated users into enabling macros, resulting in arbitrary code execution. To mitigate this, internet‑sourced documents are tagged with Mark‑of‑the‑Web and subjected to stricter execution policies.  Disclosure and relationship notes  Proofpoint has no commercial, customer, partner, or vendor relationship with Cursor / Anysphere, Inc.  Proofpoint does not compete in Cursor’s market segment (AI developer IDE/tools). Product names are used for identification only; nothing herein is an endorsement or warranty.  We notified Cursor prior to publication; the report was closed as out‑of‑scope / Not Applicable under their policy. This post may be updated if Cursor issues guidance or product changes.  To facilitate additional research and experimentation, we’ve made the CursorJack POC code available on GitHub. 
❌