← Back to Security Blog
보안 브리핑 2026년 3월 8일 9분 읽기

보안 브리핑: OpenAI Codex Security, MuddyWater Dindoor & ClickFix CastleRAT — 2026년 3월 8일

OpenAI launches Codex Security, an AI agent that scanned 1.2M commits and flagged 10,561 high-severity 취약점. Iran's MuddyWater embeds in US banks and airports with a new Dindoor 백도어. Termite 랜섬웨어 deploys CastleRAT via ClickFix 소셜 엔지니어링. Microsoft warns hackers are abusing AI at every stage of the attack lifecycle. Here's everything you need to know today.


🤖 OpenAI Codex Security, 120만 커밋 스캔으로 10,561개 고위험 취약점 발견

⚠️ AI-Powered Security Agent Goes Live

OpenAI has launched Codex Security, an AI-powered security agent that autonomously reviews code commits for 취약점. In its first week of general availability, it scanned 1.2 million commits and identified 10,561 high-severity 취약점 — including SQL 인젝션, authentication bypasses, and hardcoded secrets.

Key Capabilities

Evolution & Availability

Milestone 날짜 Details
Aardvark private beta October 2025 Internal testing with select enterprise partners
Codex Security launch March 2026 General availability for ChatGPT Pro/Enterprise/Business users
First week results March 8, 2026 1.2M commits scanned, 10,561 high-severity findings

💡 Industry 영향

Codex Security represents a significant shift in application security — moving from periodic scanning to continuous AI-powered code review. The 10,561 high-severity findings in just one week suggest many 취약점 slip through traditional SAST/DAST tooling. Available to ChatGPT Pro, Enterprise, and Business subscribers at no additional cost.


🦟 Termite 랜섬웨어, ClickFix 소셜 엔지니어링으로 CastleRAT 배포

⚠️ New Ransomware Delivery Technique

The Velvet Tempest 위협 행위자 group is deploying Termite 랜섬웨어 using a ClickFix 소셜 엔지니어링 technique combined with legitimate Windows utilities to deliver DonutLoader 악성코드 and the CastleRAT 백도어.

Attack Chain

  1. ClickFix lure — Victims encounter fake error messages prompting them to "fix" an issue by running a command
  2. PowerShell execution — The "fix" executes an obfuscated PowerShell script
  3. DonutLoader deployment — Uses legitimate Windows utilities (mshta.exe, certutil) to load DonutLoader
  4. CastleRAT installation — DonutLoader deploys the CastleRAT 백도어 for persistent access
  5. Termite 랜섬웨어 — Once the network is mapped and data exfiltrated, Termite 랜섬웨어 is deployed

CastleRAT Capabilities

🛡️ Defense Recommendations

Block ClickFix-style attacks by training users to never execute commands from pop-up error messages. Implement application whitelisting to prevent unauthorized use of mshta.exe and certutil. 모니터링 for DonutLoader indicators and unusual PowerShell execution patterns.


🧠 Microsoft: 위협 행위자가 공격 모든 단계에서 AI 남용

⚠️ AI-Accelerated Threat Landscape

Microsoft's latest threat intelligence report confirms that 위협 행위자s are increasingly using AI across all stages of the attack lifecycle — from reconnaissance and 소셜 엔지니어링 to 악성코드 development and evasion.

AI Abuse Across the Kill Chain

Attack Stage AI Application 영향
Reconnaissance AI-powered OSINT gathering, target profiling Faster, more thorough target analysis
소셜 엔지니어링 Deepfake voice/video, AI-written 피싱 높음er success rates, multilingual campaigns
Malware Development AI-generated code, polymorphic 악성코드 Faster development cycles, evasion of signatures
Credential Attacks AI-optimized password spraying, CAPTCHA solving 높음er throughput, bypass of protections
Evasion AI-modified 페이로드s to bypass EDR/AV 낮음er detection rates

🎯 Key Takeaway

Microsoft emphasizes that AI is lowering the barrier to entry for cybercrime — less skilled actors can now execute sophisticated attacks. Organizations must adopt AI-powered defenses to keep pace with AI-powered offense. Traditional signature-based detection is increasingly inadequate.


🇮🇷 이란 MuddyWater, 신형 Dindoor 백도어로 미국 타겟팅

⚠️ 국가 지원 Espionage in US 치명적 Infrastructure

MuddyWater (also tracked as Seedworm), affiliated with Iran's Ministry of Intelligence and Security (MOIS), is actively embedding in US company networks including banks, airports, and nonprofits using a new 백도어 called Dindoor.

Campaign Timeline

날짜 Event
February 2026 Initial campaign activity detected targeting US organizations
Late February 2026 Campaign intensifies following US/Israeli strikes on Iranian nuclear facilities
March 2026 Dindoor 백도어 identified in multiple US financial and transportation networks

Dindoor Backdoor Technical Details

🏛️ Geopolitical Context

The intensification of 이 캠페인은 directly correlates with escalating US-Iran tensions following military strikes. MuddyWater's targeting of banks and airports suggests both intelligence collection and potential pre-positioning for disruptive attacks. US CISA has issued an advisory urging 핵심 인프라 운영자 to hunt for Dindoor indicators.


🍎 CISA, Coruna 익스플로잇 키트가 악용하는 Apple iOS 취약점 패치 명령

⚠️ Federal Agencies Must Patch Immediately

CISA has ordered all federal agencies to patch three Apple iOS security flaws actively 익스플로잇ed by the Coruna 익스플로잇 kit in cyberespionage and cryptocurrency theft campaigns.

Targeted Vulnerabilities

Coruna Exploit Kit

The Coruna 익스플로잇 kit chains these three 취약점 together for a zero-click 익스플로잇 capable of fully compromising iOS devices. It has been observed in two distinct campaigns:

📱 Action Required

Update all iOS devices to the latest version immediately. Federal agencies have a mandatory deadline to comply. 조직은 해야 합니다 verify all corporate-managed iOS devices are patched and monitor for 침해 지표(IoC) associated with the Coruna 익스플로잇 kit.


🔍 FBI, 감시 및 도청 시스템 침해 조사

⚠️ Law Enforcement Systems Compromised

The FBI has confirmed it is investigating a breach of systems used for surveillance and wiretap warrant management — potentially exposing details of ongoing investigations and surveillance targets.

While details remain limited due to the sensitivity of the investigation, key concerns include:

🏛️ Broader Implications

This breach follows a pattern of attacks targeting law enforcement and intelligence community systems. The compromise of wiretap management systems is particularly sensitive — it could undermine active criminal and national security investigations and erode public trust in the government's ability to secure its most sensitive operations.


⚠️ 가짜 Claude Code 설치 가이드로 InstallFix 악성코드 유포

⚠️ Developer Tooling Impersonation Attack

A new ClickFix variant called InstallFix is targeting developers by creating fake installation guides for popular CLI tools — including Claude Code by Anthropic — that trick users into running malicious commands.

How InstallFix Works

  1. SEO poisoning — Fake "how to install Claude Code" guides rank high in search results
  2. Legitimate appearance — Pages mimic official documentation with accurate branding
  3. Malicious command — Installation instructions include a curl | bash one-liner that fetches 악성코드
  4. Payload delivery — The script installs the legitimate tool AND a 백도어 simultaneously
  5. Persistence — Backdoor survives tool updates and system reboots

Targeted Tools

🛡️ Protection Advice

Always install developer tools only from official sources. For Claude Code, use Anthropic's official documentation at docs.anthropic.com. Never run curl | bash commands from unofficial websites. Verify package checksums and use package managers (npm, pip) rather than raw shell scripts.


🦠 Transparent Tribe, AI로 악성코드 산업화 — "Vibeware" 등장

⚠️ AI-Powered Malware Mass 제품ion

Transparent Tribe (APT36), a Pakistan-aligned APT group, is using AI coding tools to mass-produce 악성코드 in uncommon languages like Nim, Zig, and Crystal — creating what researchers are calling "Vibeware": vibe-coded 악성코드 produced at industrial scale.

The Vibeware Threat

Aspect Traditional Malware Vibeware
Development time Weeks to months Hours to days
Languages C/C++, Python, C# Nim, Zig, Crystal, V, Odin
Signature evasion Manual obfuscation Inherent — uncommon language binaries evade most AV
Scale Dozens of variants Hundreds of unique binaries per day
Disposability Reused across campaigns Single-use, discarded after detection

Why It Matters

🎯 Strategic 영향

Vibeware represents a fundamental shift in the 악성코드 economy. Transparent Tribe's use of AI to industrialize malware production means defenders must move beyond signature-based detection toward behavioral analysis, memory forensics, and AI-powered threat detection. The concept of "known 악성코드" becomes less relevant when 공격자가 할 수 있습니다 generate unique variants on demand.


🛡️ 오늘의 완화 우선순위

For Development Teams

  1. Evaluate AI security tools — Consider Codex Security or similar for continuous code review
  2. Verify installation sources — Only use official documentation for developer tool installations
  3. Implement package verification — Enforce checksum validation and signed packages in CI/CD pipelines

For 치명적 Infrastructure

  1. Hunt for Dindoor indicators — Check for DNS-over-HTTPS anomalies, suspicious Windows services, and LOLBin abuse
  2. Patch iOS devices — Apply latest iOS updates to defend against Coruna 익스플로잇 kit
  3. Review wiretap system access — Law enforcement agencies should audit access controls on sensitive systems

For All Organizations

  1. Train against ClickFix — Users must understand that legitimate software never asks them to run commands from error pop-ups
  2. Deploy behavioral detection — Signature-based AV alone cannot handle Vibeware; invest in behavioral and AI-powered EDR
  3. 모니터링 for AI-powered attacks — Update threat models to account for AI-enhanced reconnaissance and 소셜 엔지니어링
  4. Block LOLBin abuse — Restrict mshta.exe, certutil, and other commonly abused Windows utilities

📊 위협 환경 요약

Threat Actor Severity Action Required
OpenAI Codex Security launch N/A (Defensive) 🟢 Info Evaluate for CI/CD integration
Termite 랜섬웨어 + CastleRAT Velvet Tempest 🔴 치명적 Block ClickFix, monitor DonutLoader IOCs
AI abuse across attack stages Multiple 🔴 치명적 Deploy AI-powered defenses, update threat models
MuddyWater Dindoor 백도어 Iran (MOIS) 🔴 치명적 Hunt for DoH anomalies, audit critical infrastructure
Coruna iOS 익스플로잇 kit Unknown (espionage) 🔴 치명적 Patch all iOS devices immediately
FBI wiretap system breach Unknown 🔴 치명적 Audit law enforcement system access controls
InstallFix fake install guides Cybercriminals 🟠 높음 Verify all tool installations from official sources
Transparent Tribe Vibeware Pakistan-aligned APT 🟠 높음 Deploy behavioral detection, move beyond signatures

Continuous Threat Detection for Your Infrastructure

KENSAI's automated security scanning detects 취약점, misconfigurations, and 침해 지표(IoC) across your entire attack surface — before attackers 익스플로잇 them.

Start Free Security Scan

Stay vigilant. Stay protected.

🗡️ KENSAI Threat Intelligence Team