Originally reported by The Hacker News, SANS ISC
TL;DR
APT28 launched Operation MacroMaze against European targets using webhook-based macro malware, while UnsolicitedBooker deployed dual backdoors against Central Asian telecoms. Meanwhile, Anthropic exposed Chinese AI companies conducting industrial-scale model theft through 16 million fraudulent queries.
APT28's active campaigns against European entities, combined with sophisticated backdoor deployments in critical telecom infrastructure, represent significant threat activity that requires immediate attention.
Multiple threat campaigns emerged this week spanning state-sponsored attacks, critical infrastructure targeting, and AI model theft operations.
The Russia-linked APT28 group conducted a sustained campaign codenamed Operation MacroMaze targeting Western and Central European entities between September 2025 and January 2026. S2 Grupo's LAB52 threat intelligence team attributed the attacks to the state-sponsored actor.
The campaign leverages basic tooling combined with exploitation of legitimate services, demonstrating APT28's continued adaptation of low-complexity techniques to evade detection. The webhook-based macro delivery mechanism represents an evolution in the group's tactical approach to initial access operations.
The threat cluster known as UnsolicitedBooker expanded operations to target telecommunications companies in Kyrgyzstan and Tajikistan, marking a geographic shift from previous campaigns against Saudi Arabian entities. Positive Technologies researchers documented the deployment of two distinct backdoors: LuciDoor and MarsSnake.
The targeting of telecom infrastructure in Central Asia suggests potential intelligence collection objectives, with critical communications networks serving as high-value targets for state-aligned threat actors. The dual-backdoor approach provides redundant access mechanisms and increased operational persistence.
Anthropic disclosed that three Chinese artificial intelligence companies, DeepSeek, Moonshot AI, and MiniMax, conducted "industrial-scale campaigns" to illegally extract Claude's capabilities through distillation attacks. The operations generated over 16 million exchanges with Anthropic's large language model through approximately 24,000 fraudulent accounts.
The model theft campaigns violate Anthropic's terms of service and represent a sophisticated form of intellectual property theft targeting AI capabilities. The scale of the operation, 16 million queries across thousands of accounts, demonstrates a coordinated effort to systematically extract model behavior patterns.
Security practitioners continue to struggle with identity program prioritization, often applying traditional IT ticket management approaches to complex identity risk scenarios. The traditional volume-based or compliance-driven prioritization breaks down in modern environments containing diverse identity types beyond human users.
Effective identity risk management requires consideration of control posture, hygiene metrics, business context, and threat intent as compound factors rather than isolated variables.
The SANS Internet Storm Center released its regular Stormcast update for February 24th, providing ongoing threat intelligence and security community updates.