Progress ShareFile Pre-Auth RCE Chain, Stryker Recovers from 200K-Device Wiper Attack, CERT-UA Impersonation Spreads AGEWHEEZE to 1M Emails, Casbaneiro PDF Lures Hit LatAm & Europe
Progress ShareFile harbors a dangerous vulnerability chain enabling pre-authentication remote code execution against unpatched instances. Medtech giant Stryker declares full operational recovery after a wiper attack destroyed 200,000 devices. A large-scale phishing campaign impersonating CERT-UA has blasted AGEWHEEZE malware to over one million inboxes. Casbaneiro banking trojan returns with dynamic PDF lures across Latin America and Europe. WhatsApp-delivered VBS malware exploits UAC bypass to hijack Windows systems. Residential proxies now evade IP reputation controls at a 78% rate across four billion observed sessions.
1. Progress ShareFile Pre-Auth RCE — Vulnerability Chain Enables Unauthenticated Takeover
⚠ CRITICAL — Pre-Authentication Remote Code Execution
Multiple flaws in Progress ShareFile can be chained by an unauthenticated attacker to achieve remote code execution without any valid credentials. Organizations running on-premises ShareFile deployments should treat this as an emergency and apply available patches immediately.
Progress ShareFile — a widely deployed enterprise file-sharing and collaboration platform — has been found to contain a chain of vulnerabilities that, when combined, allow a remote, unauthenticated attacker to achieve full remote code execution (RCE) on vulnerable server instances.
The Vulnerability Chain
The exploit chain links two distinct weaknesses. The first is an authentication bypass flaw in the ShareFile web application that allows unauthenticated requests to reach endpoints intended only for logged-in users. The second is a server-side deserialization vulnerability reachable via those protected endpoints. By combining the two, an attacker can supply a crafted serialized payload through the authentication bypass, triggering arbitrary code execution under the context of the web server process — with no credentials required at any stage.
Affected Versions
- ShareFile StorageZones Controller 5.12.x and earlier
- ShareFile on-premises deployments on Windows Server 2016/2019/2022
- Cloud-hosted ShareFile tenants managed by Progress are already patched
- Self-hosted and hybrid StorageZones configurations remain at risk until updated
Exploitation Risk
Progress ShareFile is heavily used in regulated industries including financial services, legal, and healthcare — sectors that store highly sensitive documents on the platform. A successful pre-auth RCE gives attackers direct access to the underlying file server, all stored documents, and credentials cached within the application environment. Given that similar Progress vulnerabilities (e.g., MOVEit Transfer in 2023) were mass-exploited by ransomware groups within days of disclosure, active exploitation attempts should be expected imminently.
Patching and Mitigation
- Apply the latest Progress ShareFile StorageZones Controller patch immediately
- If patching is delayed, isolate StorageZones Controller from internet-facing access
- Review web server and application logs for unexpected POST requests to admin endpoints
- Rotate all ShareFile service account credentials after patching
- Cloud-hosted ShareFile tenants: verify with Progress that your tenant is on the patched build
2. Stryker Fully Operational After Devastating Data-Wiping Attack on 200K Devices
🔶 HIGH — Medtech Giant Completes Recovery; Attack Scale Revealed
Stryker Corporation has declared full operational restoration following a destructive wiper attack that permanently erased data from approximately 200,000 devices across its global manufacturing and logistics network.
Stryker Corporation, one of the world's largest medical technology companies with operations spanning surgical equipment, orthopedic implants, and hospital logistics, has confirmed it is now fully operational after a wiper malware attack that wiped data from an estimated 200,000 devices across its infrastructure.
Attack Timeline
- Mid-February 2026 — Initial intrusion; attackers establish persistence across Stryker's internal network
- March 3, 2026 — Wiper payload deployed simultaneously across global manufacturing and logistics segments; ~200,000 devices rendered inoperable
- March 3–March 14 — Crisis response; manufacturing lines disrupted, shipping delays reported for surgical and orthopedic product lines
- March 14–March 28 — Staged recovery using clean imaging, backups, and replacement hardware for devices beyond recovery
- April 1, 2026 — Stryker declares full operational restoration
Impact and Recovery
The attack's use of wiper malware — rather than ransomware — indicates the primary objective was disruption rather than financial extortion. The destruction of 200,000 devices represented a significant blow to Stryker's manufacturing capacity, with delays cascading to hospital supply chains for joint replacement components and surgical instruments. Recovery required a combination of full OS reimaging from hardened golden images, hardware replacement for devices where storage was physically overwritten beyond recovery, and manual reconfiguration of thousands of production systems.
Stryker has not publicly attributed the attack to a specific threat actor. Analysis of the wiper's behavior shares characteristics with destructive tooling previously associated with state-sponsored actors operating in support of geopolitical objectives, though this attribution remains unconfirmed.
Key Lessons
- Offline, air-gapped backups proved critical — devices without disconnected backups required full hardware replacement
- Clean OS golden images dramatically accelerated reimaging at scale
- Network segmentation limited lateral spread of the wiper payload
- OT/manufacturing network monitoring gaps allowed the attacker's dwell time to extend for weeks undetected
3. CERT-UA Impersonation Campaign Delivers AGEWHEEZE Malware to 1 Million Inboxes
⚠ CRITICAL — State-Aligned Phishing at Nation-Scale
A sophisticated threat actor has impersonated Ukraine's Computer Emergency Response Team (CERT-UA) in a phishing campaign that distributed AGEWHEEZE malware to over one million email addresses spanning Ukrainian government, military, and allied partner organizations.
Ukraine's cybersecurity community is responding to one of the largest phishing operations targeting the country in 2026: a campaign that convincingly impersonated CERT-UA — the Ukrainian government's own computer emergency response body — to deliver a previously undocumented malware family dubbed AGEWHEEZE to over one million recipients.
Phishing Technique
The campaign used spoofed sender addresses closely mimicking official CERT-UA email domains, combined with email content that replicated the formatting, branding, and tone of legitimate CERT-UA security advisories. Recipients were instructed to download and execute an "urgent security patch" or "mandatory scanning tool" for a fabricated critical vulnerability — a social engineering technique that exploits the trust relationship between CERT-UA and the organizations it normally protects.
The emails were distributed in at least three waves, with subject lines referencing current geopolitical tensions and active conflict-adjacent themes to maximize urgency and open rates. Researchers noted that the campaign's targeting list included Ukrainian government ministries, military support organizations, critical infrastructure operators, and allied partner nations in Eastern Europe.
AGEWHEEZE Malware Capabilities
AGEWHEEZE is a modular implant with a staged architecture designed to minimize initial footprint while enabling expansive post-exploitation capabilities:
- Stage 1: Lightweight dropper that validates the operating environment and beacons to C2 for go/no-go instruction before executing further
- Stage 2: Persistent backdoor establishing encrypted communication over HTTPS to attacker-controlled infrastructure disguised as legitimate cloud service traffic
- Credential harvesting: Extracts saved credentials from browsers, email clients, and Windows Credential Manager
- Keylogging and screenshot capture: Continuous surveillance capability once fully deployed
- Lateral movement: Leverages harvested credentials for SMB-based propagation within corporate networks
- Self-deletion: Removes initial dropper artifacts after successful implant installation
Indicators of Compromise (IoCs)
- Sender domains spoofing cert-ua[.]gov[.]ua — look for subtle typosquats (cert-uaa, cert-u4, certua)
- Attachment names:
CERT-UA_Advisory_March2026.exe,security_scanner_v2.zip - C2 infrastructure leveraging bulletproof hosting in unallocated Eastern European IP ranges
- HTTPS beaconing to domains mimicking major cloud providers (azure-cdn-updates[.]net pattern)
- Registry persistence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinSecService
4. Casbaneiro Banking Trojan Returns with Dynamic PDF Lures Targeting LatAm and Europe
🔶 HIGH — Banking Trojan Evolves with PDF-Based Delivery
The Casbaneiro banking trojan has resurfaced with a novel delivery mechanism using dynamic, personalized PDF lures to target banking customers across Latin America and select European markets.
Casbaneiro (also tracked as Metamorfo/Ponteiro), a Latin American banking trojan with a history stretching back to 2018, has returned in a significantly evolved form. Security researchers have identified an active campaign using dynamically generated PDF lures as the initial infection vector, replacing the group's earlier reliance on malicious Office macro documents.
The Dynamic PDF Technique
The campaign's most notable innovation is its use of server-side PDF generation to create personalized lure documents at the moment of delivery. Unlike static malicious PDFs that trigger security products through signature matching, these documents are generated on-demand and incorporate:
- Victim-specific details (name, bank, partial account numbers) harvested from prior data breaches, lending legitimacy
- Legitimate embedded fonts and branding from real financial institutions to defeat visual inspection
- Embedded JavaScript that exploits PDF reader vulnerabilities or triggers a download prompt for a "required security plugin"
- QR codes redirecting to attacker-controlled infrastructure, bypassing URL reputation filters that scan email links
Targeted Regions and Institutions
- Brazil — Primary target; major retail banks, digital payment platforms, and investment brokers impersonated
- Mexico, Colombia, Argentina — Regional banking customers across all major financial institutions
- Spain and Portugal — European expansion leveraging shared language and banking brand recognition with LatAm targets
- Italy — Italian banking sector targeted via separate lure theme referencing INPS (social security) notifications
Detection Guidance
- Flag inbound PDFs with embedded JavaScript or launch actions in email security gateways
- Alert on PDF viewer processes spawning child processes (cmd.exe, powershell.exe, mshta.exe)
- Block QR code links in corporate mail environments; require users to report suspicious QR codes
- Monitor for Casbaneiro's characteristic DLL side-loading patterns and AutoHotkey-based persistence
- Casbaneiro typically targets full-screen window overlay attacks — detect unexpected full-screen application launches
5. WhatsApp-Delivered VBS Malware Hijacks Windows via UAC Bypass
🔶 HIGH — Consumer Messaging App Weaponized for Enterprise Compromise
Attackers are distributing malicious VBScript files via WhatsApp, exploiting user trust in the messaging platform to deliver malware that bypasses Windows UAC and establishes persistent elevated access.
A newly identified malware campaign is exploiting WhatsApp as a delivery channel for Visual Basic Script (VBS) malware targeting Windows systems. The attack leverages the inherent trust users place in files received via personal messaging — particularly when appearing to originate from known contacts whose accounts have been compromised — to bypass security skepticism that would normally flag unsolicited email attachments.
Delivery Mechanism
Victims receive a WhatsApp message from a compromised contact or an unknown number, delivering a compressed archive (ZIP/RAR) containing a VBS file disguised as a document, invoice, or media file. Common lure themes include:
- Fake shipping notifications ("Your package could not be delivered — see details")
- Bogus financial documents ("Invoice_March2026.pdf.vbs" with PDF icon)
- Impersonated government communications (tax notices, fine notifications)
Exploitation Chain
Once executed, the VBS payload performs a multi-stage attack:
- Environment check: Validates it is running in a real user environment, not a sandbox or analysis VM
- UAC bypass: Exploits a known Windows User Account Control bypass technique via the
fodhelper.exeauto-elevation mechanism, achieving elevated privileges without displaying a UAC prompt - Persistence: Installs a PowerShell-based backdoor in the Windows startup folder and creates a scheduled task for resilience
- C2 beaconing: Establishes outbound HTTPS connection to attacker infrastructure for command and payload delivery
- Data exfiltration: Harvests browser credentials, system information, and locally stored documents
Defensive Actions
- Train users that VBS, JS, and WSF files received via ANY channel (including messaging apps) are dangerous
- Configure Windows to block VBScript execution via Group Policy or WDAC rules
- Monitor for
fodhelper.exespawning unexpected child processes — a reliable UAC bypass indicator - Alert on scheduled tasks created by scripting engines (wscript.exe, cscript.exe)
- Consider deploying Attack Surface Reduction rules targeting script execution
6. Residential Proxies Achieve 78% IP Reputation Evasion Across 4 Billion Sessions
🔶 HIGH — Threat Actor Evasion Infrastructure at Industrial Scale
New research reveals that residential proxy networks now successfully evade IP reputation and geoblocking controls in 78% of malicious sessions analyzed, rendering traditional IP-based defense mechanisms largely ineffective at scale.
A comprehensive analysis of over four billion proxy sessions conducted by threat intelligence researchers has quantified the scale at which residential proxy networks undermine IP-based security controls. The findings represent a significant challenge for organizations relying on IP reputation feeds, geofencing, and blocklists as primary defensive mechanisms.
Scale of the Problem
Residential proxy networks — which route attacker traffic through the internet connections of unwitting consumers whose devices have been enrolled (often via shady free VPN apps or malware) — are now used in an estimated 78% of credential stuffing, account takeover, and web scraping attacks observed in the dataset. The residential IP addresses used are indistinguishable from legitimate home broadband connections, meaning:
- IP reputation feeds that flag datacenter and hosting IPs are largely blind to residential proxy traffic
- Geoblocking is trivially bypassed by selecting exit nodes in the target country
- Rate limiting based on IP address is defeated by rotating across thousands of residential IPs per campaign
- The median residential proxy session lasts only 8 minutes before rotating to a fresh IP, preventing time-based blocking
Defense Recommendations
The research underscores that IP-centric defenses must be supplemented with behavioral and device-level signals:
- Device fingerprinting: Canvas, WebGL, and audio fingerprinting detect automated clients reusing the same device profile across multiple IPs
- Behavioral biometrics: Mouse movement patterns, typing cadence, and scroll behavior identify bots regardless of IP origin
- TLS fingerprinting (JA3/JA4): Automated tooling produces distinctive TLS handshake profiles not matching real browser distributions
- Challenge-based verification: Deploy invisible CAPTCHA or proof-of-work challenges for high-value endpoints
- Velocity anomalies on business logic: Flag unusual patterns in account actions (login attempts from many different states/cities within minutes)
7. ISO Image Lures Spreading RATs and Crypto Miners in Active Campaign
🔶 HIGH — ISO-Disguised Malware Bypasses Email Attachment Filters
Threat actors are distributing malicious ISO image files disguised as software installers and media content to deliver remote access trojans and cryptocurrency mining malware while evading standard email attachment controls.
Security researchers have identified an active campaign exploiting ISO disk image files as a delivery mechanism for a dual-payload operation: a remote access trojan (RAT) for persistent access and credential theft, combined with a cryptocurrency miner that monetizes compromised compute resources.
Distribution Method
The campaign distributes ISO files through multiple channels simultaneously:
- Phishing emails with ISO attachments disguised as software license installers, game cracks, or enterprise application setups — email gateways that inspect common executable types (EXE, DLL, SCR) often pass ISO files without deep inspection
- Malvertising on software piracy and torrent sites, presenting ISOs as cracked versions of popular commercial software
- Discord and Telegram software sharing communities, where ISOs are posted as legitimate tool collections
- SEO-poisoned search results leading to fake software download landing pages
When mounted (Windows auto-mounts ISO files on double-click in Windows 10+), the ISO presents a convincing installer UI while silently dropping and executing both the RAT and the miner. The miner is configured to throttle CPU usage during active user sessions to avoid detection, running at full capacity only during idle periods.
Defensive Actions
- Block ISO file downloads at the web gateway level for non-administrative users
- Disable ISO auto-mount via Group Policy: Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
- Alert on unusual CPU spikes during expected idle periods — a strong crypto miner indicator
- Monitor for processes spawned from virtual drive mount points (D:\, E:\ assigned dynamically)
8. Mercor AI Platform Hit by LiteLLM Supply Chain Compromise
⚠ CRITICAL — AI Infrastructure Supply Chain Attack
Mercor, an AI-powered recruiting platform, has been compromised via a supply chain attack targeting its LiteLLM dependency — an open-source LLM API proxy library — exposing candidate data and API credentials across the platform.
Mercor, an AI-native recruiting platform that uses large language models to match candidates with job opportunities, has disclosed a security incident traced to a supply chain compromise of its LiteLLM dependency. LiteLLM is a popular open-source library used to proxy requests across multiple LLM provider APIs (OpenAI, Anthropic, Azure OpenAI, etc.) from a unified interface.
Nature of the Attack
Attackers introduced malicious code into a LiteLLM release that was subsequently pulled as a dependency by Mercor's production infrastructure. The malicious package version contained a backdoor that:
- Exfiltrated LLM API keys (OpenAI, Anthropic, Azure) stored in the application environment — keys with significant billing and data access implications
- Logged LLM prompts and responses, potentially capturing sensitive candidate information submitted through the platform's AI-powered features
- Attempted lateral movement within the hosting environment by leveraging cloud provider metadata services to obtain instance credentials
Broader AI Supply Chain Risk
This incident highlights an emerging and underappreciated attack surface: the AI application dependency chain. LiteLLM alone is used by hundreds of startups and enterprises building LLM-powered applications. A single compromised release could simultaneously impact dozens of downstream platforms, each handling sensitive user data processed through AI pipelines.
Immediate Actions for LiteLLM Users
- Audit current LiteLLM version in all production environments against the confirmed clean version list
- Rotate all LLM API keys immediately if running a potentially affected version
- Review cloud instance metadata access controls to prevent credential theft via SSRF/metadata endpoints
- Implement package integrity verification (hash pinning) for all AI/ML dependencies
- Consider sandboxing LLM proxy services to limit their access to sensitive environment variables
Threat Landscape Summary
| Threat | Severity | Action Required |
|---|---|---|
| Progress ShareFile Pre-Auth RCE | CRITICAL | Patch StorageZones Controller immediately; isolate if delayed |
| CERT-UA Impersonation / AGEWHEEZE | CRITICAL | Block IoC domains; alert on suspicious CERT-UA-themed emails |
| Mercor / LiteLLM Supply Chain | CRITICAL | Audit LiteLLM versions; rotate all LLM API keys now |
| Stryker Wiper Attack (Recovery) | HIGH | Review OT/manufacturing network detection gaps |
| Casbaneiro PDF Lures | HIGH | Block PDF JavaScript execution; alert on PDF-spawned processes |
| WhatsApp VBS Malware / UAC Bypass | HIGH | Block VBScript execution; monitor fodhelper.exe activity |
| Residential Proxy Evasion (78%) | HIGH | Supplement IP controls with behavioral and device fingerprinting |
| ISO Lure RAT + Crypto Miner | HIGH | Block ISO downloads; disable auto-mount via Group Policy |
Stay Ahead of the Threat Curve
Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.
Explore KENSAIValidate Your Defenses Against Today's Threats
KENSAI continuously tests your security controls against the latest attack techniques — from supply chain compromises to pre-auth RCE chains — before adversaries exploit them.
See the Platform— KENSAI Security Intelligence · Published April 1, 2026