Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Iran-Linked Botnet Exposed After Open Directory Leak Reveals 15-Node Relay Network
(TLP: CLEAR) An open directory left exposed on a staging server gave researchers direct visibility into an active botnet operation linked to Iranian infrastructure. The exposed server, discovered on February 24, 2026, was hosted on an Iranian ISP and contained nearly 450 files including tunnel configuration files, Python deployment scripts, compiled DDoS binaries, and credential lists. The leak revealed a 15-node relay network, a mass SSH deployment framework, DDoS tooling, and a bot client with a hardcoded C2 address still under development. By pivoting on a shared TLS certificate, researchers identified 14 additional related IP addresses across servers in Finland and Iran, with DNS routed through an Iranian CDN provider. The operator infected machines with a Python script that opens 500 concurrent SSH sessions against targets. Once access was established, bot client source code was transferred to the victim machine and compiled locally using gcc, a method that avoids triggering hash-based detection tools. Code comments in Farsi and Arabic-script keyboard errors indicated the operator is likely Iran-based.
(TLP: CLEAR) Comments: The on-host compilation technique, compiling malware directly on victim machines rather than transferring a pre-built binary, is a notable evasion method that limits the effectiveness of standard hash-based detection. The infrastructure appeared to serve two functions simultaneously: hosting offensive attack tooling alongside what researchers identified as a commercial VPN relay service. Defenders should block identified IPs, enforce key-based SSH authentication, disable root login, and flag unexpected gcc compilation activity on servers.
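A concrete way to check the SSH hardening points in the comment above is to audit the effective sshd_config. The script below is an added example, not code from the article or from any vendor: it resolves the settings the way sshd does (first occurrence of a keyword wins), applies OpenSSH's defaults for anything unset, and flags root login, password authentication, and a MaxStartups cap large enough to let hundreds of parallel unauthenticated sessions queue up. The two sample configs and the expected values are constructed assumptions about a hardened server, not values the article gives; MaxStartups is the author's addition, not a control the article mentions.

```python
"""Audit an sshd_config against the hardening points above: key-only
authentication, no root login, and a cap on concurrent unauthenticated
connections. Added example, not code from the article or from any vendor;
the two sample configs are constructed here and the thresholds are the
author's assumptions about a hardened server, not values the article gives."""
import re

# OpenSSH defaults that apply when a keyword is absent (current releases).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxstartups": "10:30:100",
    "maxauthtries": "6",
}

# Values a hardened server is expected to carry (assumed policy).
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

KEYWORD = re.compile(r"([A-Za-z]+)\s*[= ]\s*(.+)$")


def effective_settings(text):
    """Resolve {keyword: value} the way sshd does: the FIRST occurrence of a
    keyword wins, so a hardening line appended after a weak one is ignored.
    Everything after the first 'Match' line belongs to conditional blocks and
    is skipped here; review those by hand."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = effective_settings(text)
    findings = []
    for key, allowed in EXPECTED.items():
        if s[key].lower() not in allowed:
            findings.append(f"{key}={s[key]} (expected {'/'.join(sorted(allowed))})")
    # MaxStartups is start:rate:full; sshd refuses new unauthenticated
    # connections once 'full' are pending, which is what blunts a flood of
    # hundreds of parallel sessions. A bare number means start == full.
    full = int(s["maxstartups"].split(":")[-1])
    if full > 100:
        findings.append(f"maxstartups={s['maxstartups']} (cap above 100)")
    if int(s["maxauthtries"]) > 3:
        findings.append(f"maxauthtries={s['maxauthtries']} (expected <= 3)")
    return findings


# Constructed sample: a permissive config with a late, ineffective fix.
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxStartups 10:30:500
PermitRootLogin no   # never applied: the first PermitRootLogin line wins
"""

# Constructed sample: what the checks above expect.
HARDENED = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxStartups 10:30:60
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` on a fleet and the first-match rule is the finding that surprises people most: a "PermitRootLogin no" added at the bottom of a file that already says "yes" changes nothing. Pair it with `sshd -T`, which prints the daemon's own resolved view, to confirm the audit agrees with what is actually running.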
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service is high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets whether they reside in the cloud, multi-cloud, data center, or hybrid. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.
Source: https://cybersecuritynews.com/iran-linked-botnet-exposed-after-open-directory-leak/
New Malware Campaigns Turn Network Devices into DDoS Nodes and Crypto-Mining Bots
(TLP: CLEAR) Two previously undocumented malware strains were identified on March 6, 2026, both targeting routers, IoT devices, and enterprise network equipment. The first, named CondiBot, is a DDoS botnet built on the Mirai framework that infects Linux-based network devices and enrolls them into a remotely controlled attack network. The second, named Monaco, is written in Go 1.24.0 and functions as both an SSH scanner and a cryptocurrency miner, gaining access through weak or default SSH credentials before deploying Monero mining software. At the time of discovery, neither strain had been flagged on major threat intelligence platforms including VirusTotal, ThreatFox, or Hybrid Analysis. Once CondiBot infects a device, it disables reboot utilities to prevent the infection from being cleared by a simple restart, registers 32 attack handlers for use against targets, and terminates competing botnet processes on the same device. This variant registers notably more attack modules than earlier documented versions. Network devices present a particular detection challenge because most cannot run standard endpoint security agents, meaning infections may go unnoticed for extended periods.
(TLP: CLEAR) Comments: Both strains were undetected by major threat intelligence platforms at the time of discovery, highlighting the gap between emerging malware and existing detection coverage. Network devices are a consistent blind spot in many security environments due to their inability to run traditional endpoint agents, making proactive hardening and monitoring especially important.
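Both the Monaco scanner described here and the mass SSH deployment in the first item above show up on a target as many SSH authentication attempts from one source in a very short window, often followed by an accepted login. The detection below is an added example, not code from the article or from any vendor: it parses standard syslog sshd lines, flags any source that makes a threshold number of attempts inside a sliding window, estimates concurrency from distinct source ports in the same second, and escalates when that source is later accepted. The log lines are constructed for the example, and the window and threshold values are assumptions, not figures the article gives.

```python
"""Flag SSH sources that open many sessions in a short window, then check
whether any of them also got an accepted login. Added example, not from the
article or any vendor; the log lines are constructed in standard syslog
sshd format, and the thresholds are assumptions, not values the article gives."""
import re
from collections import defaultdict
from datetime import datetime

SSHD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password for(?: invalid user)?|Invalid user|Accepted \w+ for) "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse(line):
    """Return one auth event as a dict, or None for lines that are not attempts."""
    m = SSHD.match(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; 1900 is fine for relative ordering
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "event": "accepted" if m.group("event").startswith("Accepted") else "failed",
        "user": m.group("user"),
        "ip": m.group("ip"),
        "port": int(m.group("port")),
    }


def detect(lines, window_s=60, threshold=20):
    """Return {ip: {"verdict": ..., "peak_per_second": n}} for every source
    that made at least `threshold` attempts inside `window_s` seconds.
    verdict is 'burst', or 'burst+accepted' if a login from that IP was
    accepted at or after the start of the burst."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        times = [e["ts"] for e in evs]
        burst_start = None
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                burst_start = times[i]
                break
        if burst_start is None:
            continue
        # Parallel sessions show up as many distinct source ports in the same
        # second; the peak is a rough concurrency measure.
        per_second = defaultdict(set)
        for e in evs:
            per_second[e["ts"]].add(e["port"])
        accepted = any(e["event"] == "accepted" and e["ts"] >= burst_start for e in evs)
        verdicts[ip] = {
            "verdict": "burst+accepted" if accepted else "burst",
            "peak_per_second": max(len(p) for p in per_second.values()),
        }
    return verdicts


def constructed_log():
    """Constructed sample: 30 parallel password failures from one source in
    three seconds followed by a successful root login, plus benign traffic."""
    lines = [
        f"Mar  6 02:14:0{n // 10} host sshd[{1200 + n}]: Failed password for root "
        f"from 203.0.113.7 port {51000 + n} ssh2"
        for n in range(30)
    ]
    lines.append("Mar  6 02:14:05 host sshd[1290]: Accepted password for root from 203.0.113.7 port 51100 ssh2")
    lines.append("Mar  6 02:14:02 host sshd[1300]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2")
    lines.append("Mar  6 02:20:00 host sshd[1400]: Failed password for invalid user admin from 192.0.2.9 port 33000 ssh2")
    return lines


if __name__ == "__main__":
    for ip, info in detect(constructed_log()).items():
        print(ip, info)
```

The "burst+accepted" verdict is the one worth paging on: a burst alone is background internet noise on any exposed SSH port, but a burst from a source that then authenticates is the sequence both campaigns above produce. Network devices that cannot run an agent usually can still forward syslog, so the same logic applies to their SSH daemons if their log format is mapped to the fields used here.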
(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time such as DigiCert’s UltraDDoS Protect.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
DigiCert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets whether they reside in the cloud, multi-cloud, data center, or hybrid. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.
Source: https://cybersecuritynews.com/new-malware-campaigns-turn-network-devices/
FancyBear Server Exposure Reveals Stolen Credentials, 2FA Secrets and NATO-Linked Targets
(TLP: CLEAR) Researchers documented a campaign tracked as Operation Roundish, based on an exposed open directory first scanned on January 13, 2026. The infrastructure is attributed to APT28, also known as FancyBear, Forest Blizzard, and Sednit, which the UK’s NCSC assesses to be associated with Russia’s GRU Military Intelligence Unit 26165. The exposed server had previously been publicly attributed to this group by Ukraine’s CERT-UA in September 2024 and appears to have remained in active use for over 500 days following that attribution. Researchers recovered 2,800 exfiltrated government and military emails, 240 sets of stolen credentials including TOTP 2FA secrets, 140 email-forwarding rules, and over 11,500 contact addresses from victims spanning Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. Email addresses tied to NATO headquarters infrastructure were also identified in the recovered data. A JavaScript module found within the operation, deployed inside victims’ already-authenticated Roundcube webmail sessions, extracted TOTP secrets and recovery codes from the 2FA plugin settings page without requiring any additional action from the victim. The data was then encoded and transmitted to a remote C2 server, potentially allowing future access without needing the victim’s device.
(TLP: CLEAR) Comments: The continued use of a publicly attributed server for over 500 days is a notable detail for threat intelligence tracking purposes, though the reasons for this are not confirmed. The JavaScript-based credential harvesting technique is significant because it functions entirely within an existing authenticated session, leaving no obvious indicators for the victim. The targets identified — including defense ministries, air forces, and NATO-linked organizations — are consistent with intelligence-gathering objectives rather than opportunistic intrusion.
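The 140 recovered forwarding rules are the persistence an operator keeps after the session-based harvesting above is over, and they are also the artifact a mail administrator can audit. The script below is an added example, not code from the article or from any vendor. It assumes the rules are Sieve scripts of the form Roundcube's managesieve plugin writes (the article does not say how the rules were implemented); it walks each named rule, finds every `redirect` action, and reports targets outside the organization's own domains, noting when `:copy` is used so the victim's mailbox still looks untouched. The sample script and the domains in it are constructed.

```python
"""Audit mailbox forwarding rules for redirects to external addresses, the
kind of persistence the recovered forwarding rules represent. Added example,
not code from the article or any vendor. It assumes the rules are Sieve
scripts as written by Roundcube's managesieve plugin (the article does not
say how the rules were implemented); the sample script and domains are
constructed."""
import re

# managesieve labels each rule with a comment of this form
RULE_NAME = re.compile(r"^#\s*rule:\[(?P<name>[^\]]*)\]")
# redirect [:copy] "address"   (':copy' keeps the original in the mailbox,
# so the victim sees nothing missing)
REDIRECT = re.compile(r'\bredirect\b(?P<flags>(?:\s+:\w+)*)\s+"(?P<addr>[^"]+)"')


def audit_sieve(script, internal_domains):
    """Return one finding per redirect whose target domain is not internal."""
    findings = []
    current = "(unnamed)"
    for line in script.splitlines():
        stripped = line.strip()
        m = RULE_NAME.match(stripped)
        if m:
            current = m.group("name")
            continue
        if stripped.startswith("#"):
            continue
        for r in REDIRECT.finditer(stripped):
            addr = r.group("addr")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in internal_domains:
                continue
            findings.append({
                "rule": current,
                "target": addr,
                "silent_copy": ":copy" in r.group("flags"),
            })
    return findings


# Constructed sample: two legitimate rules and one attacker-added silent copy.
SAMPLE = '''require ["fileinto", "copy"];
# rule:[Invoices]
if header :contains "subject" "invoice" {
    fileinto "Finance";
}
# rule:[Helpdesk]
if address :is "to" "support@example.org" {
    redirect "helpdesk@example.org";
}
# rule:[Backup]
if true {
    redirect :copy "archive.collector@example.net";
}
'''

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE, {"example.org"}):
        print(f)
```

Run this over every user's active script on the managesieve server, not just the ones who reported problems: a rule with an innocuous name, an unconditional `if true`, and a `:copy` redirect to an outside domain is the pattern to hunt for, and the user who owns it will usually not have noticed anything.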
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://cybersecuritynews.com/fancybear-server-exposure-reveals-stolen-credentials/
Malicious Telegram Download Site Pushes Multi-Stage Loader with In-Memory Execution
(TLP: CLEAR) A typo-squatted domain, telegrgam[.]com, was found hosting a fraudulent Telegram download page during routine web monitoring. The site presents itself as an official Telegram portal and prompts visitors to download a Windows installer named tsetup-x64.6.exe. Upon execution, the installer runs an obfuscated PowerShell command that configures Windows Defender to exclude all drive partitions from scanning, reducing the likelihood of detection during subsequent stages. The installer then drops several files into a directory path designed to resemble a legitimate software folder and writes a registry entry to identify already-compromised machines. A real Telegram executable is also deployed alongside the malicious components to present the appearance of a functioning installation. The core payload is executed through rundll32.exe, a legitimate Windows process, using a technique known as reflective loading. This reconstructs a full executable directly in memory from encoded data without writing it to disk, which limits the effectiveness of file-based detection tools. Once active, the payload establishes a connection to a remote C2 server, enabling the operator to issue commands or deliver updated payloads. Two additional typo-squatted domains, telefgram[.]com and tejlegram[.]com, were also identified as part of the same campaign infrastructure.
(TLP: CLEAR) Comments: The campaign does not rely on software vulnerabilities to initiate infection; access is gained entirely through user interaction with a convincingly presented fraudulent website. The use of reflective loading means the final payload never exists as a file on disk, which reduces the detection coverage of traditional antivirus and endpoint tools. The registration of multiple typo-squatted domains points to deliberate infrastructure planning, providing the operators with redundant delivery points if one domain is blocked or taken down.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Source: https://cybersecuritynews.com/malicious-telegram-download-site/
Aura Confirms Data Breach Exposing 900,000 Customer Records
(TLP: CLEAR) Digital security provider Aura confirmed a data breach affecting approximately 900,000 user records following a targeted social engineering attack. The breach originated from a targeted phone phishing attack directed at a single Aura employee, through which an unauthorized threat actor successfully obtained access to the employee’s account. The attacker maintained unauthorized access for approximately one hour before security teams detected the anomaly and terminated the compromised session. Despite the large number of records involved, Aura’s data segmentation practices successfully limited the severity of the exposure. The threat actor primarily accessed a legacy marketing database from a company Aura acquired in 2021. Approximately 865,000 records from that legacy database contained only names and email addresses. Fewer than 20,000 active Aura customers and under 15,000 former customers had names, emails, home addresses, and phone numbers exposed. Highly sensitive data such as Social Security numbers, payment details, and passwords remained secure due to encryption and strict access controls. The incident serves as a practical illustration of a defense-in-depth strategy performing as intended: while the initial perimeter was breached through human manipulation, secondary technical controls limited the incident significantly. Aura engaged external cybersecurity forensic experts and legal counsel following containment, notified relevant law enforcement, and is in the process of notifying affected individuals. The case underscores that even organizations with strong technical defenses remain vulnerable to attacks that target employees directly through social engineering.
(TLP: CLEAR) Comments: The breach was initiated through a phone-based social engineering attack targeting a single employee, which resulted in approximately one hour of unauthorized access before detection. Data segmentation and encryption of data at rest appear to have limited the scope of exposed information, with most affected records coming from a legacy marketing database containing only names and email addresses. The incident illustrates both the effectiveness of layered technical controls and the persistent risk posed by attacks that target human factors rather than system vulnerabilities.
(TLP: CLEAR) Recommended best practices/regulations: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in realtime and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices, inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.