ARTICLE
27 March 2026

Ankura CTIX FLASH Update – March 24, 2026

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers services and end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura has more than 2,000 professionals serving 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results, and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value™. For more information, please visit ankura.com.

Malware Activity

Tax-Season Phishing Meets Dev Supply‑Chain Worms

Cyber defenders are seeing two (2) connected surges: tax‑season email scams aimed at everyday users and finance teams, and software supply‑chain attacks aimed at developers and CI/CD pipelines. On the tax side, attackers imitate IRS and other tax communications (refunds, W‑2s, filing reminders, “tax professional” requests) to push victims into clicking links, scanning QR codes, or opening files that steal Microsoft 365 credentials and even MFA codes. Microsoft also observed a large IRS‑impersonation wave hitting 29,000+ users across 10,000 organizations, in which a fake “IRS Transcript Viewer” led to remote‑access tooling being installed. Instead of custom malware, which is easier to spot, many campaigns abuse legitimate remote management tools (e.g., ScreenConnect, Datto, SimpleHelp) to blend into normal IT activity while giving attackers persistent access.

In parallel, the Trivy incident shows how one compromised credential can ripple outward. Attackers published trojanized Trivy artifacts via trusted channels (including Docker Hub tags), turning routine security scanning into secret theft inside build environments. Those stolen secrets then fueled CanisterWorm, which infected npm packages using post‑install scripts to drop a Python backdoor and persist via a disguised system service; the impact was especially severe in CI/CD environments and on Linux build hosts. What makes CanisterWorm unusually resilient is its use of a decentralized Internet Computer (ICP) canister as a “dead drop” to fetch the next payload URL, letting the attacker swap instructions centrally while making takedown harder. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
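One defensive check suggested by the CanisterWorm mechanism described above, as an added example that is not Ankura's code or any project's tooling: it walks a node_modules tree and flags npm lifecycle hooks (preinstall/install/postinstall/prepare) whose commands spawn an interpreter, a downloader or a service manager. The package names, scripts and regex heuristics are constructed for illustration; any real hit still needs a human review.

```python
"""Audit npm lifecycle hooks under node_modules for install-time code execution.

Added example, not Ankura's or any project's code. CanisterWorm (above) spread via npm
post-install scripts that dropped a Python backdoor and a disguised service; this flags
hooks that spawn interpreters, downloaders or service managers. Sample data is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands worth a human look: an interpreter, a downloader, or a service install.
SUSPICIOUS = re.compile(r"\b(python3?|curl|wget|(?:ba)?sh\s+-c|systemctl|base64\s+-d)\b")

def audit_package_json(path: Path) -> list[dict]:
    """Return one finding per lifecycle hook whose command matches SUSPICIOUS."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []  # unreadable or malformed manifest: nothing to report
    scripts = data.get("scripts") or {}
    name = data.get("name", path.parent.name)
    return [{"package": name, "hook": hook, "command": scripts[hook]}
            for hook in LIFECYCLE_HOOKS
            if isinstance(scripts.get(hook), str) and SUSPICIOUS.search(scripts[hook])]

def audit_tree(root: Path) -> list[dict]:
    """Audit every package.json below root, nested dependencies included."""
    return [f for pj in sorted(root.rglob("package.json")) for f in audit_package_json(pj)]

def run_demo() -> list[dict]:
    """Build a constructed node_modules tree (one benign, one suspicious package) and audit it."""
    packages = {
        "good-lib": {"postinstall": "node scripts/build.js"},  # ordinary build step
        "bad-lib": {"postinstall": "python3 helper.py && systemctl --user enable helper.service"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        for name, scripts in packages.items():
            (root / name).mkdir(parents=True)
            (root / name / "package.json").write_text(json.dumps({"name": name, "scripts": scripts}))
        return audit_tree(root)

if __name__ == "__main__":
    for f in run_demo():
        print(f"REVIEW {f['package']} [{f['hook']}]: {f['command']}")
```

Pointing `audit_tree` at a real project's node_modules directory works the same way; the constructed demo only exists so the script runs offline.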

Threat Actor Activity

Iranian APT, MuddyWater, Targeting US Networks Using Dindoor and Fakeset Backdoors in New Campaign

The Iranian cyber espionage group MuddyWater, also known as Seedworm and MANGO SANDSTORM, has been conducting a coordinated campaign since early February 2026, targeting organizations in the U.S., Israel, and Canada. This campaign, aligned with Iran’s Ministry of Intelligence and Security (MOIS), uses advanced techniques to maintain stealth and persistence, leveraging malware families like Dindoor and Fakeset. Dindoor utilizes the Deno runtime, while Fakeset is a Python-based backdoor; both aid in data exfiltration and minimize detection. The campaign focuses on strategically significant entities, including a U.S. bank, a U.S. airport, a Canadian non-profit, and an Israeli subsidiary of a U.S. defense software company. These targets provide intelligence value and potential leverage amidst heightened geopolitical tensions following U.S. and Israeli military actions against Iran. MuddyWater’s operations blend malicious traffic with legitimate cloud services, complicating attribution and detection. Broadcom’s Symantec and Carbon Black have linked MuddyWater to recent network infiltrations, identifying attempts to exfiltrate data using Rclone to Wasabi cloud storage. The group employs sophisticated social engineering tactics, such as spear-phishing and “honeytrap” operations, to access sensitive information. Their activities are part of a broader Iranian strategy to conduct cyber operations as retaliatory measures against perceived adversaries. The ongoing geopolitical conflict in the Middle East has intensified cyber activities, with Iranian actors targeting vulnerable infrastructure in Israel and Gulf countries. The UK’s National Cyber Security Centre warns of potential threats from Iran-linked hacktivists.
MuddyWater’s advanced tactics, including the use of legitimate cloud infrastructure and minimal static indicators, highlight a shift towards behavioral stealth and post-signature operational models, posing significant challenges for detection and defense. CTIX analysts will continue monitoring relevant threat actor activities. A list of Indicators of Compromise (IOCs) and network indicators can be found in the Krypt3ia report linked below.

Vulnerabilities

DarkSword iOS Exploit Chain Drives Espionage and Data Theft Campaigns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. Federal Civilian Executive Branch (FCEB) entities to urgently patch actively exploited iOS vulnerabilities tied to the DarkSword exploit kit, a sophisticated spyware framework used in cryptocurrency theft and cyberespionage campaigns since late 2025 and publicly disclosed in March 2026. The attack chains six (6) vulnerabilities to achieve sandbox escape, privilege escalation, and remote code execution (RCE) on iPhones running iOS 18.4 through 18.7. The exploit chain enables attackers to gain deep access for full device surveillance and sensitive data theft, including messages, credentials, and files. Attributed to multiple threat actors, including UNC6748 (linked to Turkish surveillance vendor PARS Defense) and UNC6353 (a suspected Russian espionage group), DarkSword has been deployed alongside the Coruna exploit kit in watering-hole attacks targeting Ukrainian websites, using malware families such as GhostBlade (JavaScript infostealer), GhostKnife (data-exfiltrating backdoor), and GhostSaber (code execution and data theft). The framework is designed for stealth, wiping artifacts after execution to evade detection, which makes it particularly difficult to identify and reinforces its utility in short-term espionage operations aligned with intelligence and financial objectives. CISA has added three (3) of the vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) to its Known Exploited Vulnerabilities (KEV) catalog and mandated remediation within two (2) weeks, while warning that these flaws represent high-risk, frequently exploited attack vectors. Given the web-based, drive-by nature of initial access and the difficulty of detection, mitigation depends heavily on immediate patching, enabling protections such as Lockdown Mode for high-risk users, avoiding suspicious content, and maintaining continuous monitoring.
This highlights the increasing sophistication of mobile threat activity and the critical need for proactive defense across both government and private sector environments. CTIX analysts urge all FCEB agencies to ensure they follow CISA’s guidance to prevent exploitation.
