ZCyberNews
中文

#living-off-the-land

6 articles

Government and education sectors across APAC, Asia, Central America, CIS, and META were the primary targets in six articles from April to July 2026 tagged living-off-the-land. The coverage included one critical and four high-severity incidents, with threat actors GopherWhisper, KongTuke, and Operation PhantomCLR observed leveraging legitimate tools. The vulnerability CVE-2023-36036 was specifically cited, while affected industries also encompassed energy, enterprise, and financial services.

Bar chart showing percentage of incidents missed by automated security tools from Kaspersky 2025 compromise assessment report
Industry News

Kaspersky: 60% of Incidents Missed by Automated Security Tools

Kaspersky Compromise Assessment 2025 findings: 60% of incidents lacked high-confidence alerts; 30.8% of threats persisted over 3 months; 40% of web shells hid in backups.

3 min read
ModeloRAT Campaign Abuses Microsoft Teams for Enterprise IntrusionCRITICAL
Threat Intel

ModeloRAT Campaign Abuses Microsoft Teams for Enterprise Intrusion

Rapid7 dissects an April 2026 intrusion where a fake IT Support Teams message delivered ModeloRAT via Dropbox, leading to privilege escalation, credential theft, and lateral...

CVE-2023-36036
4 min readKongTuke
Unit 42 Tracks TGR-STA-1030 Activity in Central and South AmericaHIGH
Threat Intel

Unit 42 Tracks TGR-STA-1030 Activity in Central and South America

Palo Alto Unit 42 reports TGR-STA-1030 remains active in Central and South America, targeting government and energy sectors with custom malware and living-off-the-land techniques.

2 min readTGR-STA-1030
GopherWhisper APT Uses Go Tools, Legit Services in Gov AttacksHIGH
Threat Intel

GopherWhisper APT Uses Go Tools, Legit Services in Gov Attacks

GopherWhisper, a new state-backed APT, targets government entities with a Go-based toolkit abusing Outlook, Slack, and Discord for C2.

2 min readGopherWhisper
Operation PhantomCLR Hijacks Intel Driver to Deploy Stealthy MalwareHIGH
Threat Intel

Operation PhantomCLR Hijacks Intel Driver to Deploy Stealthy Malware

Operation PhantomCLR exploits a legitimate Intel driver to hijack the .NET CLR and deploy malware, bypassing security tools by using a trusted, signed binary without modifying its code.

3 min readOperation PhantomCLR
Credential-Based Attacks Blur Line Between Breach and Normal ActivityHIGH
Threat Intel

Credential-Based Attacks Blur Line Between Breach and Normal Activity

Modern attackers are exploiting valid credentials and living-off-the-land techniques to make breaches indistinguishable from legitimate user activity, rendering traditional perimeter and anomaly detection ineffective.

4 min read

Stay Updated

Get the latest cybersecurity news delivered to your inbox.