Originally reported by The Hacker News, SANS ISC
TL;DR
Russian APT28 exploited CVE-2026-21513, an MSHTML zero-day vulnerability, before Microsoft's February patch. North Korean threat actors published 26 malicious npm packages using Pastebin for C2 infrastructure in their ongoing Contagious Interview campaign.
APT28's exploitation of CVE-2026-21513 before a patch was available is confirmed in-the-wild zero-day use by a state-sponsored threat actor, which meets the threshold for critical severity.
Akamai researchers have attributed the exploitation of CVE-2026-21513 to APT28, the Russia-linked state-sponsored threat actor. The vulnerability represents a high-severity security feature bypass in Microsoft's MSHTML Framework with a CVSS score of 8.8.
The critical aspect of this discovery is the timeline: APT28 exploited the vulnerability before Microsoft addressed it in the February 2026 Patch Tuesday release. The bypassed protection mechanism in the MSHTML Framework permits unauthorized access; the full attack chain is still under analysis.
This incident underscores the sophisticated capabilities of state-sponsored actors to identify and weaponize previously unknown vulnerabilities in widely deployed Microsoft components.
Security researchers have documented a new iteration of the Contagious Interview campaign, with North Korean threat actors publishing 26 malicious packages to the npm registry. The packages masquerade as legitimate developer tools while containing sophisticated command-and-control mechanisms.
The attack's innovation lies in its use of Pastebin content as a dead drop resolver. The malicious packages extract actual C2 server information from seemingly benign Pastebin posts, allowing the operators to dynamically update their infrastructure without modifying the deployed packages.
This technique represents an evolution in supply chain attacks, demonstrating how threat actors adapt their tradecraft to evade detection while maintaining operational flexibility across compromised environments.
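The dead-drop pattern described above leaves static traces in a package even though the real C2 address never appears in it: a paste-site URL, a code-execution API to run whatever is resolved, and an install hook that launches the file automatically. The following scanner, added here as an illustration and not code from the researchers or from any npm project, scores an unpacked package on those three indicators. The package contents, the host list and the scoring weights are all constructed assumptions for the example; only pastebin.com comes from the reporting.

```python
import json
import re

# Hosts used as dead-drop resolvers. Pastebin is the case from the campaign
# described above; extend this set with any paste or gist host you do not
# expect a legitimate dependency to contact at install time.
DEAD_DROP_HOSTS = {"pastebin.com"}

# npm lifecycle scripts that run automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

URL_RE = re.compile(r"https?://([\w.-]+)")
EXEC_RE = re.compile(r"\b(eval|Function|child_process|execSync|spawn|runInThisContext)\b")


def _is_dead_drop(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_HOSTS)


def scan_package(files):
    """Score an unpacked npm package given as {relative path: text}.

    A JavaScript file earns a finding when it references a dead-drop host;
    the score rises if the same file also reaches for a code-execution API
    or is launched by an install hook. Weights are constructed for the demo.
    """
    pkg = json.loads(files.get("package.json", "{}"))
    hooks = {k: v for k, v in pkg.get("scripts", {}).items() if k in INSTALL_HOOKS}
    findings = []
    for path, text in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        hosts = {m.group(1) for m in URL_RE.finditer(text)}
        hits = sorted(h for h in hosts if _is_dead_drop(h))
        if not hits:
            continue
        score, reasons = 3, ["references dead-drop host(s): " + ", ".join(hits)]
        if EXEC_RE.search(text):
            score += 2
            reasons.append("dynamic code execution API present")
        launchers = [k for k, cmd in hooks.items() if path in cmd]
        if launchers:
            score += 2
            reasons.append("run by install hook(s): " + ", ".join(launchers))
        findings.append({"file": path, "score": score, "reasons": reasons})
    if any(f["score"] >= 5 for f in findings):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample packages (not real npm packages). The "suspicious" one
# carries the indicators only as strings and comments; it does nothing.
SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-dev-tool",          # constructed name
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "setup.js": (
        "// constructed stub: indicators only, no behaviour\n"
        'const resolver = "https://pastebin.com/raw/PLACEHOLDER";\n'
        "// a real sample would fetch(resolver), decode the C2 address\n"
        "// from the paste body and hand the next stage to eval()\n"
    ),
    "index.js": "module.exports = () => 'hello';\n",
}

CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "example-lib", "version": "2.0.0"}),
    "index.js": "// see https://docs.npmjs.com/ for packaging notes\n"
                "module.exports = () => 'hello';\n",
}

if __name__ == "__main__":
    for name, pkg in (("suspicious", SUSPICIOUS_PACKAGE), ("clean", CLEAN_PACKAGE)):
        print(name, json.dumps(scan_package(pkg), indent=2))
```

Run it against an extracted tarball by reading each file into the dictionary. The host check is deliberately the first gate: a paste-site reference on its own only earns a "review" verdict, because documentation and test fixtures legitimately link to such sites, whereas the same reference next to an install hook and an execution primitive is the shape of the campaign and is flagged outright.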
Wireshark version 4.6.4 has been released, addressing three security vulnerabilities alongside 15 bug fixes. While specific vulnerability details were not disclosed in the announcement, the update follows the project's regular security maintenance cycle.
Security teams relying on Wireshark for network analysis should prioritize this update, particularly given the tool's privileged access to network traffic and its common deployment in security operations centers.
SANS Internet Storm Center has published guidance on extracting ZIP files embedded within RTF documents, expanding its previous work on URL extraction from RTF files. This technique proves valuable for malware analysts examining sophisticated document-based attacks.
The methodology addresses the increasing complexity of document-based malware delivery mechanisms, where attackers embed multiple layers of obfuscation within seemingly legitimate file formats.
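The extraction itself comes down to three steps that the SANS ISC write-up describes in general terms: locate the RTF object groups, turn their hex-encoded bodies back into bytes, and find the archive inside by its signature rather than by trusting the object wrapper. The following script is an added example and not the ISC authors' tool; it builds a constructed RTF with a harmless ZIP inside an objdata group, and the eight leading bytes in that sample merely stand in for the OLE object header a real document would carry.

```python
import io
import re
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP local file header
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record (22 bytes + comment)

OBJDATA_RE = re.compile(rb"\\\*\\objdata", re.IGNORECASE)
CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\[^a-zA-Z]")


def objdata_groups(rtf):
    """Return the body of every {\\*\\objdata ...} group, using brace matching."""
    bodies = []
    for m in OBJDATA_RE.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            c = rtf[i:i + 1]
            if c == b"\\":          # skip escaped characters such as \{ and \}
                i += 2
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        bodies.append(rtf[m.end():i - 1])
    return bodies


def decode_hex_body(body):
    """Turn an objdata body into bytes: drop control words and whitespace,
    keep the hex digits. (\\bin raw-binary runs are not handled here.)"""
    cleaned = CONTROL_RE.sub(b"", body)
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", cleaned)
    if len(digits) % 2:
        digits = digits[:-1]
    return bytes.fromhex(digits.decode("ascii"))


def carve_zips(blob):
    """Carve every ZIP archive from a byte blob by signature, so the OLE
    wrapper around the embedded object does not need to be parsed."""
    archives, pos = [], 0
    while True:
        start = blob.find(ZIP_LOCAL_HEADER, pos)
        if start < 0:
            break
        eocd = blob.find(ZIP_EOCD, start)
        if eocd < 0 or eocd + 22 > len(blob):
            break
        comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
        end = eocd + 22 + comment_len
        archives.append(blob[start:end])
        pos = end
    return archives


def extract_embedded_zips(rtf):
    """List the ZIP archives embedded in an RTF document with their entries."""
    results = []
    for body in objdata_groups(rtf):
        for data in carve_zips(decode_hex_body(body)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                results.append({"size": len(data), "names": zf.namelist()})
    return results


def build_sample_rtf():
    """Constructed RTF with a harmless ZIP inside an objdata group, hex-encoded
    and line-wrapped the way RTF writers emit it. The 8 leading bytes stand in
    for the OLE object header that real documents carry before the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload/update.js", "// constructed stub, not malware\n")
        zf.writestr("README.txt", "constructed sample\n")
    wrapped = b"\x01\x05\x00\x00\x02\x00\x00\x00" + buf.getvalue()
    hexdata = wrapped.hex().encode("ascii")
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0 Quarterly report\\par\n"
            b"{\\object\\objemb{\\*\\objdata\n" + lines + b"\n}}\\par}")


if __name__ == "__main__":
    for hit in extract_embedded_zips(build_sample_rtf()):
        print(hit)
```

Signature carving is what makes the approach robust against the obfuscation the section mentions: the objdata body may be split across hundreds of lines, interleaved with control words, or padded with junk before the OLE header, and none of that matters once the hex is normalised and the archive is located by its own local-header and end-of-central-directory records. Two limitations worth knowing before using this on real samples: `\bin` runs of raw binary are not decoded, and a document that nests one object inside another will need the carving step applied again to the extracted content.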