#living-off-the-land
5 articles
Government and energy sectors bore the brunt of five living-off-the-land attacks between April 12 and May 14, 2026, with one critical and four high-severity incidents. Threat actors GopherWhisper, KongTuke, and Operation PhantomCLR were observed exploiting CVE-2023-36036, primarily targeting organizations in Asia, Central America, and South America. The campaign leveraged legitimate system tools to evade detection, posing significant risks to enterprise networks across the affected regions.
CRITICAL: ModeloRAT Campaign Abuses Microsoft Teams for Enterprise Intrusion
Rapid7 dissects an April 2026 intrusion where a fake IT Support Teams message delivered ModeloRAT via Dropbox, leading to privilege escalation, credential theft, and lateral...
HIGH: Unit 42 Tracks TGR-STA-1030 Activity in Central and South America
Palo Alto Unit 42 reports TGR-STA-1030 remains active in Central and South America, targeting government and energy sectors with custom malware and living-off-the-land techniques.
HIGH: GopherWhisper APT Uses Go Tools, Legit Services in Gov Attacks
GopherWhisper, a new state-backed APT, targets government entities with a Go-based toolkit abusing Outlook, Slack, and Discord for C2.
HIGH: Operation PhantomCLR Hijacks Intel Driver to Deploy Stealthy Malware
Operation PhantomCLR exploits a legitimate Intel driver to hijack the .NET CLR and deploy malware, bypassing security tools by using a trusted, signed binary without modifying its code.
HIGH: Credential-Based Attacks Blur Line Between Breach and Normal Activity
Modern attackers are exploiting valid credentials and living-off-the-land techniques to make breaches indistinguishable from legitimate user activity, rendering traditional perimeter and anomaly detection ineffective.