Episode #11

Operation Ghost Mail, Starlink Evasion, and the Stoat Waffle Threat

This week on Dragon News Bytes, Eli Woodward and Will Thomas dive into a packed week of vulnerability disclosures, APT campaigns, and geopolitical cyber fallout. From Iranian threat actors utilizing Starlink to bypass national internet blocks, to North Korean campaigns targeting developers with "Stoat Waffle" malware, the team unpacks the strategies adversaries are using to breach global enterprises. Plus, a look at Team Cymru's latest intel on tracking Beast ransomware infrastructure and an update on our upcoming global events.

Topics & References
Part 1: The Vulnerability Landscape

  • Cisco Secure Firewall RCE (CVE-2026-20131): An insecure deserialization flaw was added to the CISA KEV catalog on March 19th, with active exploitation tracked back to late January. The Interlock ransomware gang has been identified as a threat actor exploiting this vulnerability.
  • SharePoint On-Prem Pre-Auth RCE: Warlock Ransomware has targeted unpatched Microsoft SharePoint servers (2016 and 2019) in a major exfiltration and extortion campaign.

Part 2: APT Operations & Geopolitics

  • Handala (Void Manticore) & Starlink: Following the disruptive attack on medical technology company Stryker via Intune, Check Point released research showing Handala operators using Starlink terminals to bypass Iran's national internet blackouts.
  • Operation Ghost Mail: Russia's APT28 (Fancy Bear) is aggressively targeting Zimbra webmail servers to compromise Ukrainian government operations.
  • Waterplum's "Stoat Waffle": A North Korean group is targeting Web3 and cryptocurrency developers with malicious Python, npm, and JavaScript packages under the guise of "Contagious Interview" job offers.

Part 3: Supply Chain Threats & Intel Insights

  • Invisible Supply Chain Attacks: Aikido Security demonstrated how threat actors use Unicode characters to hide disappearing text and malicious scripts in repositories, so that code which looks harmless in review carries content a human never sees.
  • Beast Ransomware Operations: Team Cymru's latest research highlights how open-directory data combined with NetFlow can unmask ransomware actor infrastructure and target lists.
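The Unicode-hiding technique behind the Aikido item above, as an added defensive example that is not from the episode or from Aikido's research: a scanner that flags zero-width, bidirectional-control and Unicode "tag" characters in a constructed source snippet, and recovers the ASCII text smuggled inside tag characters so a reviewer can see what was hidden.

```python
import unicodedata

# Code points that render as nothing (or silently reorder displayed text) yet
# survive in the file, so a reviewer sees one thing and the interpreter another.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}            # ZWSP, ZWNJ, ZWJ, WJ, BOM
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,          # LRE, RLE, PDF, LRO, RLO
                 0x2066, 0x2067, 0x2068, 0x2069}                  # LRI, RLI, FSI, PDI
TAG_BLOCK = range(0xE0000, 0xE007F + 1)                           # Unicode tag characters
VARIATION_SELECTORS = set(range(0xFE00, 0xFE0F + 1)) | set(range(0xE0100, 0xE01EF + 1))


def classify(cp):
    """Return a label for an invisible/reordering code point, or None if it is ordinary."""
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if cp in TAG_BLOCK:
        return "tag"
    if cp in VARIATION_SELECTORS:
        return "variation-selector"
    if unicodedata.category(chr(cp)) == "Cf":       # any other format character
        return "format"
    return None


def scan_source(text):
    """Yield (line, column, code point, kind) for every suspicious character in a file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            kind = classify(ord(ch))
            if kind:
                findings.append((lineno, col, f"U+{ord(ch):04X}", kind))
    return findings


def decode_tag_payload(text):
    """Recover ASCII hidden as tag characters: U+E0020..U+E007E map back to 0x20..0x7E."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text
                   if 0xE0020 <= ord(ch) <= 0xE007E)


# Constructed sample (hypothetical, not a real repository): a ZWSP after a string,
# a RLO/PDF pair that reverses a comment on screen, and "echo hidden" encoded as tags.
SAMPLE = (
    "def check_token(token):\n"
    "    if token == 'abc':\u200b\n"
    "        return True\n"
    "    # fallback\u202e reviewed OK \u202c\n"
    "    " + "".join(chr(0xE0000 + ord(c)) for c in "echo hidden") + "\n"
)

if __name__ == "__main__":
    for lineno, col, cp, kind in scan_source(SAMPLE):
        print(f"line {lineno} col {col}: {cp} ({kind})")
    print("hidden tag payload:", repr(decode_tag_payload(SAMPLE)))
```

Run it against a pull request's changed files in CI; a clean diff produces no findings, and anything it does flag deserves a look in a hex editor rather than the rendered view.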
