Recent OTX Pulse data indicates a surge in sophisticated threat activity targeting European and global infrastructure, characterized by a blend of state-sponsored espionage and mass-exploitation campaigns.
Webworm (China-aligned) has evolved its "burrowing" techniques, shifting focus from Asia to European government and education sectors. The group is deploying advanced backdoors, EchoCreep and GraphWorm, which abuse legitimate services like Discord and the Microsoft Graph API for Command and Control (C2) to evade network defenses.
Simultaneously, FrostyNeighbor (Belarus-aligned) is actively conducting cyberespionage against Ukraine, Poland, and Lithuania. Their campaign relies on spearphishing and on exploits for WinRAR (CVE-2023-38831) and Roundcube webmail (CVE-2024-42009) to deliver PicassoLoader and Cobalt Strike.
On the criminal front, a mass-compromise campaign targeting Ghost CMS (via CVE-2026-26980) is fueling ClickFix attacks. Over 700 domains have been poisoned to deliver fake software updates (Notepad++ and other installers), resulting in information stealer infections across the Technology, Finance, and Media sectors. This convergence of APT tradecraft and mass-exploitation tooling presents a high risk to enterprise networks.
Threat Actor / Malware Profile
Webworm
- Malware: EchoCreep, GraphWorm, ChainWorm, SmuxProxy.
- Distribution: Spearphishing and exploitation of vulnerabilities (e.g., CVE-2017-7692).
- Behavior:
  - EchoCreep: Uses Discord Webhooks or API for C2, blending in with legitimate traffic.
  - GraphWorm: Leverages Microsoft Graph API for C2 communications, making detection difficult in cloud-heavy environments.
  - Persistence: Utilizes proxy tools (WormSocket, WormFrp) to maintain long-term access.
FrostyNeighbor
- Malware: PicassoLoader, Cobalt Strike.
- Distribution: Spearphishing emails whose attachments exploit WinRAR (CVE-2023-38831) or whose bodies target the Roundcube webmail XSS (CVE-2024-42009).
- Behavior:
  - PicassoLoader: A custom loader used to stage Cobalt Strike beacons.
  - C2: Standard Cobalt Strike traffic, likely over HTTP/HTTPS.
- Targets: Government, Defense, Healthcare in Eastern Europe.
Ghost CMS / ClickFix Actors
- Malware: Information stealers delivered via UtilifySetup.exe, installer.dll, NotepadPlusPlus.dll.
- Distribution: SQL injection (CVE-2026-26980) on Ghost CMS platforms to inject malicious JavaScript loaders (SEO poisoning/cloaking).
- Behavior: Fake browser update prompts (ClickFix) leading to malware execution.
IOC Analysis
The provided IOCs span multiple vectors requiring layered defense:
- File Hashes (SHA1/MD5):
  - Pulse 1 (Webworm): 7 SHA1 hashes associated with various worms (e.g., 1df40a4a31b30b62ec33dc6fecc2c4408302adc7).
  - Pulse 3 (Ghost CMS): MD5 hashes for malicious payloads (e.g., 18a7251ddde77ed24bc54700d84d9be1).
  - Action: Load into EDR alerting and conduct retrospective hunts.
- Hostnames/Domains:
  - Pulse 2 (FrostyNeighbor): Typosquatting and random hostnames (e.g., mickeymousegamesdealer.alexavegas.icu).
  - Pulse 3 (Ghost CMS): Malicious domains serving payloads (e.g., clo4shara.xyz, jalwat.com).
  - Action: Block at DNS/Proxy level. Note the use of cheap .icu and .xyz TLDs, which are heavily abused; alerting on first-seen resolutions to these TLDs complements the exact-match block.
- CVEs:
  - CVE-2017-7692: SquirrelMail command injection (2017), an older vulnerability exploited by Webworm.
  - CVE-2023-38831 (WinRAR) / CVE-2024-42009 (Roundcube webmail XSS): Exploited by FrostyNeighbor.
  - CVE-2026-26980: Critical SQL Injection in Ghost CMS.
  - Action: Prioritize patching for Ghost CMS, WinRAR and Roundcube immediately.
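The hostnames above cluster on a handful of attacker-registered zones (three of the FrostyNeighbor hosts sit under needbinding.icu), so blocking only the exact strings leaves the next subdomain on the same zone unblocked, and hashes arrive from EDR consoles in mixed case with or without an algorithm label. The following Python is an added example by the editor, not part of the OTX pulse or of Security Arsenal's tooling: it builds exact and zone-level blocklists from the hostnames quoted on this page, classifies observed query names against them, and normalises digests before comparison. The query names and the extra digests passed in at the bottom are constructed test input.

```python
"""Added example (the editor's, not part of the OTX pulse or of Security Arsenal's
tooling): normalise the hostname and hash IOCs quoted on this page so they can be
matched robustly. Hostnames are matched exactly, as subdomains of a listed host,
and at the registrable-parent ("zone") level; hashes are matched regardless of
case or of a leading algorithm label."""
import re
from typing import Optional

# IOCs quoted on this page; the full pulse lists are longer.
HOST_IOCS = [
    "mickeymousegamesdealer.alexavegas.icu",
    "book-happy.needbinding.icu",
    "attachment-storage-asset-static.needbinding.icu",
    "easiestnewsfromourpointofview.algsat.icu",
    "jalwat.com",
    "cloud-verification.com",
    "script-dev.buzz",
    "clo4shara.xyz",
    "cdnupdatenews.top",
]
HASH_IOCS = [
    "1df40a4a31b30b62ec33dc6fecc2c4408302adc7",  # SHA1, Pulse 1 (Webworm)
    "18a7251ddde77ed24bc54700d84d9be1",          # MD5, Pulse 3 (Ghost CMS)
]
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def registrable_domain(host: str) -> str:
    """Last two labels of the name. Correct for the single-label TLDs on this page
    (.icu, .xyz, .top, .buzz, .com); multi-label suffixes such as co.uk need a
    public suffix list, which is deliberately not pulled in here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_blocklist(hosts) -> tuple[set, set]:
    """Exact hostnames for the proxy plus parent zones for the DNS sinkhole."""
    exact = {h.lower().rstrip(".") for h in hosts}
    zones = {registrable_domain(h) for h in exact}
    return exact, zones


def match_host(observed: str, exact: set, zones: set) -> Optional[str]:
    """'exact', 'subdomain' (of a listed host), 'zone' (same registrable parent
    as a listed host) or None."""
    name = observed.lower().rstrip(".")
    if name in exact:
        return "exact"
    if any(name.endswith("." + h) for h in exact):
        return "subdomain"
    if registrable_domain(name) in zones:
        return "zone"
    return None


def normalise_hash(value: str) -> tuple[str, str]:
    """Return (algorithm, lowercase hex). Accepts 'SHA1: ...', 'md5=...' or bare hex;
    the algorithm is inferred from the digest length."""
    hexpart = re.sub(r"^(md5|sha1|sha256)\s*[:=]\s*", "", value.strip(), flags=re.I).lower()
    if len(hexpart) not in HASH_ALGOS or not re.fullmatch(r"[0-9a-f]+", hexpart):
        raise ValueError(f"not a recognised digest: {value!r}")
    return HASH_ALGOS[len(hexpart)], hexpart


def match_hashes(observed) -> list[tuple[str, str]]:
    """Observed digests (any case/label) that equal a listed IOC."""
    known = {normalise_hash(h)[1] for h in HASH_IOCS}
    hits = []
    for value in observed:
        algo, digest = normalise_hash(value)
        if digest in known:
            hits.append((algo, digest))
    return hits


EXACT, ZONES = build_blocklist(HOST_IOCS)

if __name__ == "__main__":
    print("zones to sinkhole:", sorted(ZONES))
    # Constructed query names: one listed host, one child of it, one sibling on the
    # same attacker zone, one unrelated name.
    for q in ("book-happy.needbinding.icu", "cdn.book-happy.needbinding.icu",
              "newhost.needbinding.icu", "updates.microsoft.com"):
        print(f"{q:40} -> {match_host(q, EXACT, ZONES)}")
    print(match_hashes(["SHA1: 1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7", "md5=deadbeef" + "0" * 24]))
```

Zone-level blocking is the right granularity for throwaway attacker-registered domains like the .icu hosts here; for IOCs that live on shared or compromised infrastructure, stay at the exact hostname so a whole legitimate zone is not sinkholed.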
Detection Engineering
```yaml
title: Potential Webworm EchoCreep Discord C2 Activity
id: 8a7b9c1d-0e3f-4a5b-8c6d-7e8f9a0b1c2d
description: Detects processes other than the Discord client (or a web browser) communicating with Discord API endpoints, potentially indicating C2 activity like EchoCreep.
status: experimental
date: 2026-05-22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665c0f4c8f8e9e9e9e9e9e9e
tags:
    - attack.command_and_control
    - attack.t1102.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'discord.com'
            - 'discordapp.com'   # legacy webhook host, still resolves
    filter_main_discord_client:
        Image|endswith:
            - '\Discord.exe'
            - '\DiscordCanary.exe'
            - '\DiscordPTB.exe'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\brave.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate third-party tools integrating with Discord (game launchers, chat bots, CI notifiers); tune the filters to the approved set rather than widening the hostname match
level: high
```

```yaml
title: Suspicious Microsoft Graph API Usage (GraphWorm)
id: 9b8c0d2e-1f4a-5b6c-9d7e-0f1a2b3c4d5e
description: Detects script hosts launched with Microsoft Graph or Outlook API endpoints on the command line, indicative of GraphWorm or similar tools abusing Microsoft 365 for C2.
status: experimental
date: 2026-05-22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665c0f4c8f8e9e9e9e9e9e9e
tags:
    - attack.command_and_control
    - attack.t1102.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_graph:
        CommandLine|contains:
            - 'graph.microsoft.com'
            - 'outlook.office.com'
    selection_script:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate Microsoft 365 management scripts
    - Note that an implant which keeps its URLs out of the command line (compiled binary, downloaded script body) is not visible to this rule and needs network or Graph activity telemetry
level: medium
```

```yaml
title: Ghost CMS ClickFix Payload Execution
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects filenames observed in the Ghost CMS ClickFix campaign, either as the executing image or as a command-line argument (e.g. a DLL handed to rundll32/regsvr32).
status: experimental
date: 2026-05-22
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/665c0f4c8f8e9e9e9e9e9e9e
tags:
    - attack.initial_access
    - attack.t1189
    - attack.execution
    - attack.t1204.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith: '\UtilifySetup.exe'
    selection_cmdline:
        CommandLine|contains:
            - 'UtilifySetup.exe'
            - 'NotepadPlusPlus.dll'
            - 'installer.dll'
    # Generic names such as chrome_installer.exe or firefox_installer.exe are spoofed by
    # this campaign but are also the real installers' names; do not add them without a
    # path or signer condition, or the rule will fire on every legitimate browser update.
    condition: 1 of selection_*
falsepositives:
    - Legitimate software updates (rare for UtilifySetup.exe and NotepadPlusPlus.dll); 'installer.dll' is a generic name and may need a path condition
level: critical
```
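The three rules above are simple enough to check by hand, but the selection/filter combinations (`and not 1 of filter_main_*`, `all of selection_*`, `1 of selection_*`) are where Sigma rules usually go wrong. The following Python is an added example by the editor, not part of the pulse or of Security Arsenal's rule set: it re-implements each rule as a predicate over Sysmon-style event dictionaries and runs them against constructed events (hostnames and payload filenames from the pulse, the paths and command lines invented) so the expected hits and the expected non-hits can be asserted.

```python
"""Sigma rule logic from the Detection Engineering section, re-implemented as Python
predicates and run over constructed Sysmon-style events (added example, not part of
the pulse or of the Security Arsenal rule set). String matching is case-insensitive,
as Sigma's default modifiers are."""
from typing import Iterable

DISCORD_HOSTS = ("discord.com", "discordapp.com")
DISCORD_CLIENTS = ("\\discord.exe", "\\discordcanary.exe", "\\discordptb.exe")
BROWSERS = ("\\chrome.exe", "\\msedge.exe", "\\firefox.exe", "\\brave.exe")
GRAPH_HOSTS = ("graph.microsoft.com", "outlook.office.com")
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe")
CLICKFIX_IMAGES = ("\\utilifysetup.exe",)
CLICKFIX_ARGS = ("utilifysetup.exe", "notepadplusplus.dll", "installer.dll")


def _field(event: dict, name: str) -> str:
    return str(event.get(name, "")).lower()


def discord_c2(event: dict) -> bool:
    """Sigma: selection and not 1 of filter_main_* (network_connection)."""
    if event.get("category") != "network_connection":
        return False
    host, image = _field(event, "DestinationHostname"), _field(event, "Image")
    if not any(h in host for h in DISCORD_HOSTS):
        return False
    return not image.endswith(DISCORD_CLIENTS + BROWSERS)


def graph_c2(event: dict) -> bool:
    """Sigma: all of selection_* (process_creation)."""
    if event.get("category") != "process_creation":
        return False
    cmd, image = _field(event, "CommandLine"), _field(event, "Image")
    return any(h in cmd for h in GRAPH_HOSTS) and image.endswith(SCRIPT_HOSTS)


def clickfix_payload(event: dict) -> bool:
    """Sigma: 1 of selection_* (process_creation)."""
    if event.get("category") != "process_creation":
        return False
    cmd, image = _field(event, "CommandLine"), _field(event, "Image")
    return image.endswith(CLICKFIX_IMAGES) or any(a in cmd for a in CLICKFIX_ARGS)


RULES = {
    "Potential Webworm EchoCreep Discord C2 Activity": discord_c2,
    "Suspicious Microsoft Graph API Usage (GraphWorm)": graph_c2,
    "Ghost CMS ClickFix Payload Execution": clickfix_payload,
}


def evaluate(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule title, event id) for every event/rule pair that matches."""
    return [(title, e["id"]) for e in events for title, rule in RULES.items() if rule(e)]


# Constructed sample events: paths and command lines are invented, the hostnames and
# payload filenames are the ones quoted in the pulse summary above.
SAMPLE_EVENTS = [
    {"id": "n1", "category": "network_connection",                       # genuine client: filtered
     "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "DestinationHostname": "discord.com"},
    {"id": "n2", "category": "network_connection",                       # script host -> Discord: alert
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "discord.com"},
    {"id": "n3", "category": "network_connection",                       # browser: filtered
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com"},
    {"id": "p1", "category": "process_creation",                         # Graph URL on script host: alert
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Invoke-RestMethod https://graph.microsoft.com/v1.0/me/messages"'},
    {"id": "p2", "category": "process_creation",                         # Outlook itself: no match
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "OUTLOOK.EXE"},
    {"id": "p3", "category": "process_creation",                         # ClickFix installer: alert
     "Image": r"C:\Users\alice\Downloads\UtilifySetup.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\UtilifySetup.exe" /S'},
    {"id": "p4", "category": "process_creation",                         # DLL via rundll32: alert
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\NotepadPlusPlus.dll,Start"},
]

if __name__ == "__main__":
    for title, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {title}")
```

Keeping the predicates this close to the Sigma structure makes it easy to spot a regression when a rule is edited: add the new benign or malicious event to the sample list and the expected outcome to the assertions.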
```kql
// Hunt for FrostyNeighbor domains and Ghost CMS payloads
// Union of network events and process-creation events.
// Written for Microsoft Sentinel (TimeGenerated); in Defender XDR Advanced Hunting use Timestamp instead.
let IOCDomains = dynamic(['mickeymousegamesdealer.alexavegas.icu', 'book-happy.needbinding.icu', 'attachment-storage-asset-static.needbinding.icu', 'easiestnewsfromourpointofview.algsat.icu', 'jalwat.com', 'cloud-verification.com', 'script-dev.buzz', 'clo4shara.xyz', 'cdnupdatenews.top']);
let IOCFiles = dynamic(['UtilifySetup.exe', 'installer.dll', 'NotepadPlusPlus.dll']);
DeviceNetworkEvents
| where RemoteUrl has_any (IOCDomains)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteUrl, ActionType
| union (
    DeviceProcessEvents
    | where FileName in~ (IOCFiles) or ProcessCommandLine has_any (IOCFiles)
    | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName
)
| order by TimeGenerated desc
```
```powershell
<#
.SYNOPSIS
  IOC scanner for the Webworm, FrostyNeighbor and Ghost CMS campaigns.
.DESCRIPTION
  Walks a file tree, compares SHA1 and MD5 digests against the pulse IOCs, then checks
  the local DNS client cache for the listed domains. Run elevated so that other users'
  profiles and protected folders are readable; the DNS cache only reflects names
  resolved recently (within TTL), so a clean cache is not proof of no contact.
#>
param(
    [string]$ScanRoot = 'C:\'   # narrow to user profiles / Temp for a faster first pass
)

# Hashes quoted on this page; extend from the full pulse.
$MaliciousSHA1 = @(
    "1df40a4a31b30b62ec33dc6fecc2c4408302adc7",
    "77f1970d620216c5fff4e14a6ccc13fccc267217",
    "7dcfe9ee25841dfd58d3d6871bf867fe32141dfb",
    "948159a7fc2e688386864bea59fd40dffc4b24d6",
    "a3c077bdf8898e612ccd65bc82e7960834adb2a9",
    "cb4e50433336707381429707f59c3cbe8d497d98"
)
$MaliciousMD5 = @(
    "18a7251ddde77ed24bc54700d84d9be1",
    "5659292833ec421da11ebde005d9c9a8"
)
$MaliciousDomains = @(
    "mickeymousegamesdealer.alexavegas.icu",
    "book-happy.needbinding.icu",
    "clo4shara.xyz",
    "jalwat.com"
)

Write-Host "[+] Starting IOC Hunt..." -ForegroundColor Cyan

# File hash scan. Get-FileHash returns upper-case hex and -contains compares
# case-insensitively, so no normalisation is needed. -File skips directories,
# -Force includes hidden/system files, -LiteralPath avoids wildcard expansion.
Write-Host "[!] Scanning $ScanRoot for malicious file hashes (SHA1/MD5)..." -ForegroundColor Yellow
Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $sha1 = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue
    if ($sha1 -and $MaliciousSHA1 -contains $sha1.Hash) {
        Write-Host "[ALERT] Malicious SHA1 found: $($_.FullName)" -ForegroundColor Red
    }
    $md5 = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
    if ($md5 -and $MaliciousMD5 -contains $md5.Hash) {
        Write-Host "[ALERT] Malicious MD5 found: $($_.FullName)" -ForegroundColor Red
    }
}

# DNS cache check: match the cached name exactly or as a subdomain of a listed domain.
Write-Host "[!] Checking DNS cache for malicious domains..." -ForegroundColor Yellow
Get-DnsClientCache |
Where-Object {
    $entry = $_.Entry.TrimEnd('.')
    $MaliciousDomains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") }
} |
ForEach-Object {
    Write-Host "[ALERT] Malicious domain found in DNS cache: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan
```
Response Priorities
* **Immediate:**
* Block all listed domains and hostnames at the DNS/Proxy level.
* Scan endpoints for the listed SHA1 and MD5 hashes.
* Identify and isolate any systems running unpatched Ghost CMS instances; patch CVE-2026-26980 immediately.
* **24h:**
* Initiate credential resets, and revoke active sessions and refresh tokens, for users who may have interacted with ClickFix prompts (the delivered stealers harvest saved browser credentials and session cookies) or with FrostyNeighbor spearphishing emails.
* Review Microsoft 365 audit logs for suspicious Graph API usage patterns.
* **1 Week:**
* Update WinRAR across the enterprise to mitigate FrostyNeighbor spearphishing vectors.
* Restrict outbound access to Discord and the Microsoft Graph API at the egress proxy to approved users and processes. Graph cannot be blocked outright in a Microsoft 365 tenant, so the realistic control is allowlisting which applications and service principals may call it and alerting on everything else.
* Conduct security awareness training focusing on "Fake Browser Updates" and APT spearphishing techniques.