← Back to Security Blog
Beveiligingsbriefing 8 maart 2026 9 min leestijd

Beveiligingsbriefing: OpenAI Codex Security, MuddyWater Dindoor & ClickFix CastleRAT — 8 maart 2026

Dagelijkse cyberbeveiligingsbriefing: OpenAI Codex Security scant 1,2M commits en vindt 10.561 kwetsbaarheden, Irans MuddyWater richt zich op VS met Dindoor-backdoor, Termite-ransomware zet CastleRAT in via ClickFix, Microsoft waarschuwt voor AI-aanvallen in elke fase, en meer.


🤖 OpenAI Codex Security Scans 1.2M Commits, Finds 10,561 High-Severity Vulnerabilities

⚠️ AI-Powered Security Agent Goes Live

OpenAI has launched Codex Security, an AI-powered security agent that autonomously reviews code commits for vulnerabilities. In its first week of general availability, it scanned 1.2 million commits and identified 10,561 high-severity vulnerabilities — including SQL injection, authenticatie-omzeilinges, and hardcoded secrets.

Key Capabilities

Evolution & Availability

Milestone Date Details
Aardvark private beta October 2025 Internal testing with select enterprise partners
Codex Security launch March 2026 General availability for ChatGPT Pro/Enterprise/Business users
First week results 8 maart 2026 1.2M commits scanned, 10,561 high-severity findings

💡 Industry Impact

Codex Security represents a significant shift in application security — moving from periodic scanning to continuous AI-powered code review. The 10,561 high-severity findings in just one week suggest many vulnerabilities slip through traditional SAST/DAST tooling. Available to ChatGPT Pro, Enterprise, and Business subscribers at no additional cost.


🦟 Termite Ransomware Deploys CastleRAT via ClickFix Social Engineering

⚠️ New Ransomware Delivery Technique

The Velvet Tempest threat actor group is deploying Termite ransomware using a ClickFix social engineering technique combined with legitimate Windows utilities to deliver DonutLoader malware and the CastleRAT backdoor.

Attack Chain

  1. ClickFix lure — Victims encounter fake error messages prompting them to "fix" an issue by running a command
  2. PowerShell execution — The "fix" executes an obfuscated PowerShell script
  3. DonutLoader deployment — Uses legitimate Windows utilities (mshta.exe, certutil) to load DonutLoader
  4. CastleRAT installation — DonutLoader deploys the CastleRAT backdoor for persistent access
  5. Termite ransomware — Once the network is mapped and data exfiltrated, Termite ransomware is deployed

CastleRAT Capabilities

🛡️ Defense Recommendations

Block ClickFix-style attacks by training users to never execute commands from pop-up error messages. Implement application whitelisting to prevent unauthorized use of mshta.exe and certutil. Monitor for DonutLoader indicators and unusual PowerShell execution patterns.


🧠 Microsoft: Threat Actors Abusing AI at Every Stage of Attacks

⚠️ AI-Accelerated Threat Landscape

Microsoft's latest threat intelligence report confirms that dreigingsactoren are increasingly using AI across all stages of de aanval lifecycle — from reconnaissance and social engineering to malware development and evasion.

AI Abuse Across the Kill Chain

Attack Stage AI Application Impact
Reconnaissance AI-powered OSINT gathering, target profiling Faster, more thorough target analysis
Social Engineering Deepfake voice/video, AI-written phishing Higher success rates, multilingual campaigns
Malware Development AI-generated code, polymorphic malware Faster development cycles, evasion of signatures
Credential Attacks AI-optimized password spraying, CAPTCHA solving Higher throughput, bypass of protections
Evasion AI-modified payloads to bypass EDR/AV Lower detection rates

🎯 Key Takeaway

Microsoft emphasizes that AI is lowering the barrier to entry for cybercrime — less skilled actors can now execute sophisticated attacks. Organizations must adopt AI-powered defenses to keep pace with AI-powered offense. Traditional signature-based detection is increasingly inadequate.


🇮🇷 Iran's MuddyWater Targets US with New Dindoor Backdoor

⚠️ State-Sponsored Espionage in US Kritieke infrastructuur

MuddyWater (also tracked as Seedworm), affiliated with Iran's Ministry of Intelligence and Security (MOIS), is actively embedding in US company networks including banks, airports, and nonprofits using a new backdoor called Dindoor.

Campaign Tijdlijn

Date Event
February 2026 Initial campaign activity detected targeting US organizations
Late February 2026 Campaign intensifies following US/Israeli strikes on Iranian nuclear facilities
March 2026 Dindoor backdoor identified in multiple US financial and transportation networks

Dindoor Backdoor Technische details

🏛️ Geopolitical Context

The intensification of this campaign directly correlates with escalating US-Iran tensions following military strikes. MuddyWater's targeting of banks and airports suggests both intelligence collection and potential pre-positioning for disruptive attacks. US CISA has issued an advisory urging kritieke infrastructuur operators to hunt for Dindoor indicators.


🍎 CISA Orders Patch for Apple iOS Flaws Exploited by Coruna Exploit Kit

⚠️ Federal Agencies Must Patch Immediately

CISA has ordered all federal agencies to patch three Apple iOS security flaws actief misbruikt by the Coruna exploit kit in cyberespionage and cryptocurrency theft campaigns.

Targeted Vulnerabilities

Coruna Exploit Kit

The Coruna exploit kit chains these three vulnerabilities together for a zero-click exploit capable of fully compromising iOS devices. It has been observed in two distinct campaigns:

📱 Action Required

Update all iOS devices to the latest version immediately. Federal agencies have a mandatory deadline to comply. Organizations should verify all corporate-managed iOS devices are patched and monitor for indicators of compromise associated with the Coruna exploit kit.


🔍 FBI Investigates Breach of Surveillance and Wiretap Systems

⚠️ Law Enforcement Systems Compromised

The FBI heeft bevestigd it is investigating a breach of systems used for surveillance and wiretap warrant management — potentially exposing details of ongoing investigations and surveillance targets.

While details remain limited due to the sensitivity of the investigation, key concerns include:

🏛️ Broader Implications

This breach follows a pattern of attacks targeting law enforcement and intelligence community systems. The compromise of wiretap management systems is particularly sensitive — it could undermine active criminal and national security investigations and erode public trust in the government's ability to secure its most sensitive operations.


⚠️ Fake Claude Code Install Guides Push InstallFix Malware

⚠️ Developer Tooling Impersonation Attack

A new ClickFix variant called InstallFix is targeting developers by creating fake installation guides for popular CLI tools — including Claude Code by Anthropic — that trick users into running malicious commands.

How InstallFix Works

  1. SEO poisoning — Fake "how to install Claude Code" guides rank high in search results
  2. Legitimate appearance — Pages mimic official documentation with accurate branding
  3. Malicious command — Installation instructions include a curl | bash one-liner that fetches malware
  4. Payload delivery — The script installs the legitimate tool AND a backdoor simultaneously
  5. Persistence — Backdoor survives tool updates and system reboots

Targeted Tools

🛡️ Protection Advice

Always install developer tools only from official sources. For Claude Code, use Anthropic's official documentation at docs.anthropic.com. Never run curl | bash commands from unofficial websites. Verify package checksums and use package managers (npm, pip) rather than raw shell scripts.


🦠 Transparent Tribe Industrializes Malware with AI — "Vibeware" Emerges

⚠️ AI-Powered Malware Mass Production

Transparent Tribe (APT36), a Pakistan-aligned APT group, is using AI coding tools to mass-produce malware in uncommon languages like Nim, Zig, and Crystal — creating what researchers are calling "Vibeware": vibe-coded malware produced at industrial scale.

The Vibeware Threat

Aspect Traditional Malware Vibeware
Development time Weeks to months Hours to days
Languages C/C++, Python, C# Nim, Zig, Crystal, V, Odin
Signature evasion Manual obfuscation Inherent — uncommon language binaries evade most AV
Scale Dozens of variants Hundreds of unique binaries per day
Disposability Reused across campaigns Single-use, discarded after detection

Waarom het belangrijk is

🎯 Strategic Impact

Vibeware represents a fundamental shift in the malware economy. Transparent Tribe's use of AI to industrialize malware production means defenders must move beyond signature-based detection toward behavioral analysis, memory forensics, and AI-powered threat detection. The concept of "known malware" becomes less relevant when attackers can generate unique variants on demand.


🛡️ Today's Mitigation Priorities

For Development Teams

  1. Evaluate AI security tools — Consider Codex Security or similar for continuous code review
  2. Verify installation sources — Only use official documentation for developer tool installations
  3. Implement package verification — Enforce checksum validation and signed packages in CI/CD pipelines

For Kritieke infrastructuur

  1. Hunt for Dindoor indicators — Check for DNS-over-HTTPS anomalies, suspicious Windows services, and LOLBin abuse
  2. Patch iOS devices — Apply latest iOS updates to defend against Coruna exploit kit
  3. Review wiretap system access — Law enforcement agencies should audit access controls on sensitive systems

For All Organizations

  1. Train against ClickFix — Users must understand that legitimate software never asks them to run commands from error pop-ups
  2. Deploy behavioral detection — Signature-based AV alone cannot handle Vibeware; invest in behavioral and AI-powered EDR
  3. Monitor for AI-powered attacks — Update threat models to account for AI-enhanced reconnaissance and social engineering
  4. Block LOLBin abuse — Restrict mshta.exe, certutil, and other commonly abused Windows utilities

📊 Threat Landscape Samenvatting

Threat Actor Severity Action Required
OpenAI Codex Security launch N/A (Defensive) 🟢 Info Evaluate for CI/CD integration
Termite ransomware + CastleRAT Velvet Tempest 🔴 Critical Block ClickFix, monitor DonutLoader IOCs
AI abuse across attack stages Multiple 🔴 Critical Deploy AI-powered defenses, update threat models
MuddyWater Dindoor backdoor Iran (MOIS) 🔴 Critical Hunt for DoH anomalies, audit kritieke infrastructuur
Coruna iOS exploit kit Unknown (espionage) 🔴 Critical Patch all iOS devices immediately
FBI wiretap system breach Unknown 🔴 Critical Audit law enforcement system access controls
InstallFix fake install guides Cybercriminals 🟠 High Verify all tool installations from official sources
Transparent Tribe Vibeware Pakistan-aligned APT 🟠 High Deploy behavioral detection, move beyond signatures

Continuous Threat Detection for Your Infrastructure

KENSAI's automated security scanning detects vulnerabilities, misconfigurations, and indicators of compromise across your entire aanvalsoppervlak — before attackers exploit them.

Start Free Security Scan

Stay vigilant. Stay protected.

🗡️ KENSAI Dreigingsinformatie Team