Network infrastructure has become the primary battlefield for state-sponsored cyber operations. Over the past eighteen months, at least six distinct campaigns have deployed purpose-built malware against telecommunications providers, virtualization platforms, authentication systems, and Linux servers worldwide. The trend is clear: adversaries are moving past endpoint compromises and focusing on the connective tissue of enterprise and government networks.
This report synthesizes recent advisories and research from CISA, Google, Cisco Talos, and Palo Alto's Unit 42 to map the current state of infrastructure-targeted operations.
The Latest Salvo: Seedworm Hits U.S. Banks, Airports, and Software Firms
The most recent campaign comes from Iranian APT Seedworm, which Cisco Talos observed targeting U.S. companies beginning in early February 2026 and continuing into recent days [5]. The group deployed a previously unknown custom backdoor called Dindoor, built on the Deno JavaScript runtime, alongside a Python-based backdoor named Fakeset [5]. Additional tooling included Darkcomp, a backdoor component, and Stagecop, a loader for Darkcomp [5]. Targets included banks, airports, and software companies [5].
Dindoor is notable for its choice of runtime. Using Deno gives the operators a cross-platform JavaScript execution environment that endpoint detection tools scrutinize less closely than Node.js or native binaries. Fakeset's use of Python fits a well-established pattern: attackers lean on scripting interpreters already present in enterprise environments to blend in.
PRC Actors Entrench with BRICKSTORM
CISA and NSA published a joint analysis report on the BRICKSTORM backdoor, attributed to PRC state-sponsored actors [3]. BRICKSTORM targets VMware vSphere and Windows environments and was used for long-term persistence from April 2024 through at least September 2025 [3]. The malware modifies VMware init scripts including files in /etc/sysconfig/ [3]. A related backdoor, SLAPSTICK, was also identified with similar functionality [3].
VMware vCenter is the control plane for thousands of enterprise virtualization deployments. Compromising it gives an attacker visibility into and control over every virtual machine in the environment. PRC operators clearly understand this, and BRICKSTORM's eighteen-month operational window suggests many victims never detected the intrusion.
Google Disrupts GRIDTIDE: Eight Years of Tracking Lead to Disruption
Google's Threat Intelligence team disclosed a campaign by UNC2814 that compromised 53 victims across 42 countries [2]. The group deployed the GRIDTIDE backdoor, which abused Google Sheets API calls for command-and-control communications [2]. The campaign targeted telecommunications and government organizations, and Google has been tracking the threat actor UNC2814 since 2017 [2].
GRIDTIDE's C2 mechanism is worth examining closely. By tunneling commands through legitimate SaaS API calls, the operators ensured that network monitoring tools would see traffic to Google's infrastructure, not to a suspicious domain [2]. The backdoor established persistence through a systemd service file at /etc/systemd/system/xapt.service, executing the malware binary stored at /usr/sbin/xapt [2].
The breadth of this campaign (42 countries) points to a well-resourced intelligence operation. Google's disruption is significant, but the operational model of hiding C2 inside legitimate cloud services will persist. Every major SaaS API is a potential C2 channel.
Liminal Panda and Telecom Infiltration
Unit 42 documented activity cluster CL-STA-0969 targeting telecommunications providers from February through November 2024 [4]. The operators deployed AuthDoor, a backdoor that hooks into the pam_sm_authenticate function to harvest credentials from the authentication process itself [4]. A custom network scanning utility called Cordscan was also deployed, specifically designed for telecom system reconnaissance [4]. The activity overlaps with the nation-state adversary tracked as Liminal Panda [4].
AuthDoor's technique is precise and dangerous. By inserting itself into PAM (Pluggable Authentication Modules), it captures every credential that passes through the authentication stack. In a telecom environment, that means network engineer credentials, system administrator passwords, and potentially customer-facing service accounts. Cordscan's telecom-specific scanning capabilities suggest the operators had deep familiarity with their target environment before deploying tools.
LummaC2: Commodity Malware Against Critical Infrastructure
Not every threat to network infrastructure comes from bespoke nation-state tooling. CISA and the FBI issued a joint advisory on LummaC2, an information stealer that has been targeting U.S. critical infrastructure with activity observed from November 2023 through May 2025 [1]. LummaC2 is embedded within spoofed software to evade detection and exfiltrates sensitive information from victim networks [1].
LummaC2 operates as malware-as-a-service, meaning its use against critical infrastructure isn't necessarily the work of a single sophisticated actor. The advisory signals that commodity infostealers are being deliberately aimed at high-value infrastructure targets, either by their operators or by customers who purchase access to the platform.
VoidLink: A New Modular Framework for Linux
Cisco Talos identified VoidLink, a new modular implant management framework targeting Linux-based systems [6]. The framework's modular architecture allows operators to load and execute different capabilities on demand [6]. While the threat actor's activity dates back to 2019, the adoption of VoidLink is recent [6].
Linux dominates server infrastructure, container orchestration, cloud workloads, and networking equipment. A mature, modular framework purpose-built for Linux represents a direct threat to the operating system that runs most of the internet's backbone.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| malware | LummaC2 | Information stealer targeting critical infrastructure | [1] |
| filename | LummaC2.exe | Main executable | [1] |
| malware | GRIDTIDE | Backdoor using Google Sheets API for C2 | [2] |
| filename | /etc/systemd/system/xapt.service | Persistence via systemd service | [2] |
| filename | /usr/sbin/xapt | Malware executable location | [2] |
| malware | BRICKSTORM | Backdoor for VMware vCenter and Windows | [3] |
| malware | SLAPSTICK | Related backdoor | [3] |
| malware | AuthDoor | Authentication-hooking backdoor | [4] |
| malware | Cordscan | Telecom-specific scanning tool | [4] |
| malware | Dindoor | Deno-based custom backdoor | [5] |
| malware | Fakeset | Python-based backdoor | [5] |
| malware | Darkcomp | Backdoor component | [5] |
| malware | Stagecop | Loader for Darkcomp | [5] |
| malware | VoidLink | Modular Linux implant framework | [6] |
MITRE ATT&CK Techniques
| ID | Technique | Relevant Campaign(s) |
|---|---|---|
| T1036 | Masquerading | LummaC2 spoofed software [1] |
| T1071.001 | Application Layer Protocol: Web Protocols | GRIDTIDE Google Sheets API C2 [2] |
| T1543.002 | Create or Modify System Process: Systemd Service | GRIDTIDE persistence [2] |
| T1556 | Modify Authentication Process | AuthDoor PAM hooking [4] |
| T1040 | Network Sniffing | Cordscan telecom reconnaissance [4] |
| T1190 | Exploit Public-Facing Application | BRICKSTORM VMware targeting [3] |
| T1105 | Ingress Tool Transfer | Multiple campaigns |
| T1059.006 | Command and Scripting Interpreter: Python | Fakeset [5] |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Dindoor Deno runtime [5] |
| T1083 | File and Directory Discovery | Multiple campaigns |
| T1119 | Automated Collection | LummaC2 credential exfiltration [1] |
| T1566.001 | Phishing: Spearphishing Attachment | Seedworm initial access [5] |
Analysis: Infrastructure Is the Target, Not the Path
A pattern runs through all six campaigns. Attackers aren't just traversing network infrastructure to reach endpoints. They're targeting the infrastructure itself: the authentication systems, the virtualization control planes, the telecom switching fabric, the Linux servers that run cloud services.
This represents a maturation of adversary tradecraft. Compromising a vCenter server (BRICKSTORM) or a PAM module (AuthDoor) gives persistent, high-privilege access that most endpoint detection and response tools won't see. These components sit below the visibility layer of standard security stacks.
The diversity of actors is also telling. PRC state actors (BRICKSTORM, GRIDTIDE/UNC2814), Iranian APTs (Seedworm/Dindoor), and other threat actors (VoidLink/UAT-9921) are all converging on the same target set. This convergence likely reflects shared intelligence requirements (telecom intercept, financial system access) and a shared tactical conclusion that infrastructure compromise pays higher dividends than endpoint compromise.
The SaaS-as-C2 pattern seen in GRIDTIDE will spread. Legitimate API traffic is extremely difficult to distinguish from malicious API traffic without deep application-layer inspection. Defenders who rely on domain reputation or IP blocklists won't catch C2 traffic routed through Google, Microsoft, or AWS APIs.
Red Sheep Assessment
Confidence: High
We assess that the six campaigns documented here share one operational principle: attack the layer that defenders monitor least. VMware vCenter, PAM authentication modules, systemd services, and SaaS API channels all occupy blind spots in most security architectures. EDR tools focus on user endpoints. Network monitoring focuses on known-bad indicators. These campaigns exploit the gap between those two approaches.
The most concerning development is likely the normalization of infrastructure targeting across multiple threat actor tiers. BRICKSTORM and AuthDoor represent sophisticated, purpose-built tools from well-resourced state programs. LummaC2 represents commodity malware pointed at infrastructure targets. When both the elite and the commodity tiers converge on the same strategy, we assess the strategy has matured past the experimental phase.
A contrarian reading would argue these campaigns simply reflect better detection and reporting, not a genuine shift in adversary behavior. There's some truth to that: Google, Palo Alto, and Cisco Talos have all invested heavily in infrastructure threat hunting over the past two years. But the tooling itself (AuthDoor's PAM hooks, GRIDTIDE's Sheets API C2, VoidLink's Linux modularity) is purpose-built for infrastructure targets. This isn't accidental spillover from endpoint campaigns. It's deliberate engineering.
Defenders should expect this trend to accelerate. Every organization running VMware, managing Linux server fleets, or operating telecom infrastructure needs to treat those assets as primary attack surfaces, not supporting infrastructure that sits behind the "real" security perimeter.
Defender's Checklist
- [ ] Audit PAM configurations on all Linux systems, especially telecom infrastructure. Check for unauthorized modifications to PAM modules and unexpected shared libraries loaded by `pam_sm_authenticate`. Compare against known-good baselines.
- [ ] Hunt for rogue systemd services by diffing current service files against a gold image. Prioritize `/etc/systemd/system/` and look specifically for services with unfamiliar names or binaries in `/usr/sbin/` that don't match package manager records.
- [ ] Monitor SaaS API traffic patterns for anomalous behavior. Flag hosts making regular, periodic API calls to Google Sheets, Google Docs, or similar services from servers that have no business reason to do so. Query example: `index=proxy dest_host="sheets.googleapis.com" src_category=server`
- [ ] Review VMware vCenter access logs and file integrity on vSphere deployments. Check `/etc/sysconfig/` for unexpected modifications. Ensure vCenter admin accounts use MFA and that API access is logged and reviewed.
- [ ] Search for credential staging files across Linux fleets. Hunt for hidden files in system directories with `find /usr/bin/ -name ".*" -type f` and check for unexpected files that may indicate active credential harvesting.
References
- CISA/FBI Advisory: LummaC2 Malware Targeting Critical Infrastructure
- Google Disrupts GRIDTIDE Global Cyber Espionage Campaign
- CISA/NSA Analysis: BRICKSTORM Backdoor
- Unit 42: Infiltration of Global Telecom Networks
- Cisco Talos: Middle East Developing Situation Update
- Cisco Talos: New VoidLink Framework Threat
Visual Intelligence
Entity Graph (14 entities, 51 relationships)
Diamond Model
---
Hunt Guide: Hunt Report: Infrastructure-Targeted Malware Campaign
Hypothesis: If infrastructure-targeting adversaries (PRC/Iranian APTs) are active in our environment, we expect to observe rogue systemd services, PAM authentication hooks, VMware vCenter modifications, and anomalous SaaS API communications in Linux system logs, authentication logs, and proxy data.
Intelligence Summary: Multiple state-sponsored campaigns are systematically targeting network infrastructure using purpose-built malware including BRICKSTORM (VMware vCenter), GRIDTIDE (Google Sheets C2), AuthDoor (PAM hooks), and Dindoor (Deno runtime). Adversaries from PRC and Iran are moving beyond endpoints to compromise authentication systems, virtualization platforms, and Linux servers for long-term persistence.
Confidence: High | Priority: Critical
Scope
- Networks: Focus on DMZ systems, authentication servers, virtualization infrastructure, and Linux servers in datacenter VLANs
- Timeframe: Initial sweep: 90 days retrospective. Ongoing: Real-time alerting with weekly hunt validation
- Priority Systems: VMware vCenter servers, telecom infrastructure, PAM-enabled systems, jump servers, API gateways
MITRE ATT&CK Techniques
T1543.002 — Create or Modify System Process: Systemd Service (Persistence) [P1]
GRIDTIDE establishes persistence via systemd service at /etc/systemd/system/xapt.service executing /usr/sbin/xapt
Splunk SPL:
index=linux sourcetype=linux_audit ((type=SYSCALL AND (comm=systemctl OR exe=/usr/bin/systemctl)) OR (type=PATH AND (name="/etc/systemd/system/*" OR name="/usr/lib/systemd/system/*"))) | stats count by host, name, exe, comm | where count < 5
Elastic KQL:
event.module:auditd AND (process.executable:/usr/bin/systemctl OR file.path:/etc/systemd/system/* OR file.path:/usr/lib/systemd/system/*) AND event.action:("opened-file" OR "created-file")
Sigma Rule:
```yaml
title: Suspicious Systemd Service Creation
id: 8e7c2649-de3f-4a8b-8a39-99c7c320c7e0
status: experimental
description: Detects creation of systemd services in suspicious locations
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: 'PATH'
    name|contains:
      - '/etc/systemd/system/'
      - '/usr/lib/systemd/system/'
  filter:
    exe|contains:
      - '/usr/bin/apt'
      - '/usr/bin/yum'
      - '/usr/bin/dnf'
  condition: selection and not filter
falsepositives:
  - Legitimate software installation
level: high
```
Focus on services with generic names (xapt, systemd-, init-). Cross-reference with package manager logs to identify services not installed via apt/yum/dnf.
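The check described here and in the Defender's Checklist (diff unit files against a gold image, flag binaries in `/usr/sbin/` that no package owns, watch for generic names) can be scripted. The following is an added example, not code from the report or from Google; the unit files and the package-owned path set are constructed so it runs offline. On a live host `load_units()` reads `/etc/systemd/system/` and the owned set would come from `dpkg -S` or `rpm -qf`. The `xapt` unit reuses only the ExecStart path the report gives for GRIDTIDE; its other contents are assumed.

```python
"""Hunt for rogue systemd units by checking each unit's ExecStart binary against
package-manager ownership and its name against a generic-name heuristic."""
import re
from pathlib import Path

# Constructed sample units (unit name -> file contents).
SAMPLE_UNITS = {
    "sshd.service": (
        "[Unit]\nDescription=OpenBSD Secure Shell server\n"
        "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "xapt.service": (  # mirrors the report's GRIDTIDE ExecStart path; rest assumed
        "[Service]\nType=simple\nExecStart=/usr/sbin/xapt\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "backup-sync.service": (
        "[Unit]\nDescription=Nightly offsite sync\n"
        "[Service]\nExecStart=/opt/backup/sync.sh\n"
    ),
}

# Constructed: paths a `dpkg -S` / `rpm -qf` query would confirm as package-owned.
PACKAGE_OWNED = {"/usr/sbin/sshd"}

SYSTEM_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/")
# Unit-name prefixes the report calls out as generic / system-looking.
GENERIC_NAME = re.compile(r"^(xapt|systemd-|init-)", re.I)
# ExecStart may carry prefix characters (-, @, +, !, :) before the binary path.
EXEC_RE = re.compile(r"^ExecStart=\s*[-@+!:]*(\S+)", re.M)


def exec_binary(unit_text):
    """Return the first ExecStart binary path, or None if the unit has none."""
    m = EXEC_RE.search(unit_text)
    return m.group(1) if m else None


def audit_units(units, package_owned):
    """Return {unit: {"binary", "reasons", "priority"}} for units worth a look.
    Units whose ExecStart is package-owned and whose name is unremarkable are dropped."""
    findings = {}
    for name, text in units.items():
        binary = exec_binary(text)
        reasons = []
        if binary is None:
            reasons.append("no ExecStart line")
        elif binary not in package_owned:
            reasons.append("ExecStart binary not in package manager records")
            if binary.startswith(SYSTEM_DIRS):
                reasons.append("unowned binary placed in a system directory")
        if GENERIC_NAME.match(name):
            reasons.append("generic system-looking unit name")
        if not reasons:
            continue
        # Unowned binary masquerading in a system dir, or a generic name, is high priority.
        high = any("system directory" in r or "generic" in r for r in reasons)
        findings[name] = {"binary": binary, "reasons": reasons,
                          "priority": "high" if high else "low"}
    return findings


def load_units(directory="/etc/systemd/system"):
    """Read *.service files from a real host (not used by the offline sample)."""
    return {p.name: p.read_text(errors="replace") for p in Path(directory).glob("*.service")}


if __name__ == "__main__":
    for unit, f in sorted(audit_units(SAMPLE_UNITS, PACKAGE_OWNED).items()):
        print(f"[{f['priority']}] {unit} -> {f['binary']}: {'; '.join(f['reasons'])}")
```

Third-party units in `/opt` come out as low priority because an unowned binary there is normal; the signal the report describes is an unowned binary sitting next to package-managed ones in `/usr/sbin/`, so that combination is what gets escalated.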
T1556 — Modify Authentication Process (Credential Access) [P1]
AuthDoor hooks pam_sm_authenticate function to harvest credentials from PAM authentication stack
Splunk SPL:
index=linux sourcetype=linux_audit type=SYSCALL syscall=open (name="/etc/pam.d/*" OR name="/lib*/security/*") | join host [| inputlookup pam_baseline.csv] | where isnull(baseline_hash) OR hash!=baseline_hash | table host, name, exe, hash
Elastic KQL:
event.module:auditd AND event.action:"opened-file" AND (file.path:"/etc/pam.d/*" OR file.path:"/lib*/security/*" OR file.path:"/usr/lib*/security/*")
Sigma Rule:
```yaml
title: PAM Configuration Modification
id: 7a4b2e51-9d0f-4bb5-8c56-1107e9a943a2
status: experimental
description: Detects modifications to PAM configuration files or modules
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: 'PATH'
    name|contains:
      - '/etc/pam.d/'
      - '/lib/x86_64-linux-gnu/security/'
      - '/lib64/security/'
      - '/usr/lib/security/'
  filter:
    exe|contains:
      - '/usr/bin/dpkg'
      - '/usr/bin/rpm'
  condition: selection and not filter
falsepositives:
  - System updates
level: critical
```
Monitor for new .so files in PAM directories. Use `ldd /lib/security/*.so` to check for unexpected dependencies.
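The baseline comparison the SPL above performs with `pam_baseline.csv`, plus the pam.d review the checklist asks for, written out as a script. This is an added example, not code from the report or from Unit 42; the baseline hashes, module contents and the module name `pam_helper.so` are constructed so it runs offline. On a real host `load_modules()` reads the PAM module directory (`/lib/x86_64-linux-gnu/security/`, `/lib64/security/` or `/usr/lib/security/`) and the baseline is recorded from a gold image.

```python
"""Compare a host's PAM modules and pam.d configuration against a known-good
baseline: new or modified .so files, missing modules, and config lines that
load a module the gold image never had."""
import hashlib
import re
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: module filename -> SHA-256 recorded on a gold image.
BASELINE = {
    "pam_unix.so": sha256(b"gold pam_unix"),
    "pam_deny.so": sha256(b"gold pam_deny"),
    "pam_permit.so": sha256(b"gold pam_permit"),
    "pam_env.so": sha256(b"gold pam_env"),
    "pam_nologin.so": sha256(b"gold pam_nologin"),
}

# Constructed contents of the module directory on the host under review.
CURRENT_MODULES = {
    "pam_unix.so": b"gold pam_unix",               # unchanged
    "pam_deny.so": b"gold pam_deny + extra code",  # modified in place
    "pam_env.so": b"gold pam_env",
    "pam_nologin.so": b"gold pam_nologin",
    "pam_helper.so": b"module nobody baselined",   # new, not in baseline (constructed name)
    # pam_permit.so is absent on the host -> reported as missing
}

# Constructed /etc/pam.d/sshd that references the unbaselined module.
SSHD_PAM = """\
# PAM configuration for the Secure Shell service
@include common-auth
auth     required                    pam_env.so
auth     [success=1 default=ignore]  pam_unix.so nullok
auth     optional                    pam_helper.so
account  required                    pam_nologin.so
"""

# <type> <control: word or [bracketed]> <module.so> [args]; a leading '-' is allowed.
PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+\.so)")


def referenced_modules(config_text):
    """Module filenames a pam.d file loads (comments and @include lines are ignored)."""
    mods = set()
    for line in config_text.splitlines():
        m = PAM_LINE.match(line)
        if m:
            mods.add(m.group(3).rsplit("/", 1)[-1])  # strip an absolute path if present
    return mods


def diff_modules(current, baseline):
    """Sorted (module, status) pairs with status in {new, modified, missing}."""
    findings = []
    for name, data in current.items():
        if name not in baseline:
            findings.append((name, "new"))
        elif sha256(data) != baseline[name]:
            findings.append((name, "modified"))
    findings += [(name, "missing") for name in baseline if name not in current]
    return sorted(findings)


def unbaselined_references(config_text, baseline):
    """Modules a pam.d file loads that the gold image never had."""
    return sorted(referenced_modules(config_text) - set(baseline))


def load_modules(directory):
    """Read every .so in a real PAM module directory (not used by the offline sample)."""
    return {p.name: p.read_bytes() for p in Path(directory).glob("*.so")}


if __name__ == "__main__":
    for name, status in diff_modules(CURRENT_MODULES, BASELINE):
        print(f"{status:8s} {name}")
    print("unbaselined references in pam.d/sshd:", unbaselined_references(SSHD_PAM, BASELINE))
```

A "modified" result on a module such as pam_unix.so or pam_deny.so is the AuthDoor pattern the report describes (code inserted into the module that handles `pam_sm_authenticate`); a "new" module that pam.d also references is the same technique done as a separate file. Run the config check against every file in `/etc/pam.d/`, not only `sshd`.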
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P2]
GRIDTIDE uses Google Sheets API for C2 communications, making detection difficult as traffic appears legitimate
Splunk SPL:
index=proxy dest_host="sheets.googleapis.com" OR dest_host="www.googleapis.com" | bucket _time span=5m | stats count by _time, src_ip, user_agent | where count > 10 | join src_ip [search index=assets asset_type=server] | table _time, src_ip, hostname, count, user_agent
Elastic KQL:
destination.domain:("sheets.googleapis.com" OR "www.googleapis.com") AND source.ip:10.0.0.0/8 AND NOT user_agent.original:*Chrome* AND NOT user_agent.original:*Firefox*
Sigma Rule:
```yaml
title: Suspicious Google Sheets API Access from Servers
id: 3b5e1f7a-4c3d-4a89-8f23-731e8d5a4b12
status: experimental
description: Detects unusual Google Sheets API access from server networks
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - 'sheets.googleapis.com'
      - 'www.googleapis.com/upload/sheets'
  filter_browsers:
    c-useragent|contains:
      - 'Chrome'
      - 'Firefox'
      - 'Safari'
  filter_apps:
    c-useragent|contains:
      - 'Google-Apps-Script'
      - 'Google-HTTP-Java-Client'
  condition: selection and not filter_browsers and not filter_apps
fields:
  - src_ip
  - c-uri
  - cs-host
falsepositives:
  - Legitimate automation scripts
level: medium
```
Baseline normal Google API usage first. Focus on servers with no business need for Sheets access.
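The queries above count requests per time window. The checklist's wording ("regular, periodic API calls") suggests a stronger test: measure how regular the gaps between a host's requests are, which separates a beacon on a fixed timer from a burst of legitimate automation. The script below is an added example, not code from the report or from Google, and it generalizes the report's queries to that periodicity check; the proxy log format and every line in `SAMPLE_LOG` are constructed, and the spreadsheet id in the URIs is a placeholder.

```python
"""Flag periodic, non-browser requests to Google Sheets API hosts in proxy logs.
Low coefficient of variation (stdev / mean) of inter-request gaps means a timer."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: <ISO timestamp> <src_ip> <dest_host> <method> <uri> "<user-agent>"
# 10.0.5.20: 8 POSTs at ~300 s intervals from a non-browser client (beacon-like)
# 10.0.8.11: a workstation browsing a sheet at irregular times
# 10.0.5.21: a server hitting the API 6 times at irregular intervals (real automation)
SAMPLE_LOG = """\
2026-02-10T09:00:00 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:00:00 10.0.5.21 www.googleapis.com GET /drive/v3/about "Go-http-client/1.1"
2026-02-10T09:00:05 10.0.5.21 www.googleapis.com GET /drive/v3/about "Go-http-client/1.1"
2026-02-10T09:01:10 10.0.8.11 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/Sheet1 "Mozilla/5.0 Chrome/120.0"
2026-02-10T09:02:35 10.0.8.11 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/Sheet1 "Mozilla/5.0 Chrome/120.0"
2026-02-10T09:03:00 10.0.5.21 www.googleapis.com GET /drive/v3/about "Go-http-client/1.1"
2026-02-10T09:05:01 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:10:00 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:14:59 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:17:40 10.0.8.11 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/Sheet1 "Mozilla/5.0 Chrome/120.0"
2026-02-10T09:18:02 10.0.8.11 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/Sheet1 "Mozilla/5.0 Chrome/120.0"
2026-02-10T09:20:02 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:25:00 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:29:58 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:30:00 10.0.5.21 www.googleapis.com GET /drive/v3/about "Go-http-client/1.1"
2026-02-10T09:31:00 10.0.5.21 www.googleapis.com GET /drive/v3/about "Go-http-client/1.1"
2026-02-10T09:35:01 10.0.5.20 sheets.googleapis.com POST /v4/spreadsheets/EXAMPLE_ID/values/Sheet1:append "Go-http-client/1.1"
2026-02-10T09:45:00 10.0.8.11 sheets.googleapis.com GET /v4/spreadsheets/EXAMPLE_ID/values/Sheet1 "Mozilla/5.0 Chrome/120.0"
2026-02-10T09:59:00 10.0.5.21 www.googleapis.com GET /drive/v3/about "Go-http-client/1.1"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
BROWSER_UA = re.compile(r"Chrome|Firefox|Safari|Edg/")
WATCH_HOSTS = ("sheets.googleapis.com", "www.googleapis.com")


def parse_log(text):
    """Return (timestamp, src_ip, dest_host, user_agent) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, host, _method, _uri, ua = m.groups()
            events.append((datetime.fromisoformat(ts), src, host, ua))
    return events


def beacon_candidates(events, watch_hosts=WATCH_HOSTS, min_events=6, max_cv=0.1):
    """Group by (src_ip, dest_host, user_agent); report groups with enough events,
    near-constant inter-request gaps, and a non-browser User-Agent."""
    by_key = defaultdict(list)
    for ts, src, host, ua in events:
        if host in watch_hosts:
            by_key[(src, host, ua)].append(ts)
    results = []
    for (src, host, ua), stamps in by_key.items():
        if len(stamps) < min_events or BROWSER_UA.search(ua):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            results.append({"src_ip": src, "dest_host": host, "user_agent": ua,
                            "events": len(stamps), "period_s": round(mean), "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    for c in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{c['src_ip']} -> {c['dest_host']} every ~{c['period_s']}s "
              f"(n={c['events']}, cv={c['cv']}, ua={c['user_agent']!r})")
```

Tune `max_cv` upward if the traffic you hunt adds jitter, and feed the source-IP list through the same server-asset join the SPL above uses so workstations with legitimate sync clients are excluded before the periodicity test rather than after.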
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
BRICKSTORM targets VMware vSphere environments, modifying init scripts for persistence
Splunk SPL:
index=vmware (sourcetype=vcenter* OR sourcetype=esxi*) ("/etc/sysconfig/*" OR "/etc/rc.local" OR "/etc/init.d/*") | regex file_path="^/etc/(sysconfig|init\.d)/[^/]+$|^/etc/rc\.local$" | stats count by host, file_path, action | where action="modified" OR action="created"
Elastic KQL:
event.module:vmware AND (file.path:"/etc/sysconfig/*" OR file.path:"/etc/init.d/*" OR file.path:"/etc/rc.local") AND event.action:("creation" OR "modification")
Enable ESXi shell logging. Monitor vCenter file operations via vpxd logs. Check for modifications during non-maintenance windows.
T1059.006 — Command and Scripting Interpreter: Python (Execution) [P2]
Fakeset backdoor uses Python runtime, blending with legitimate Python processes in enterprise environments
Splunk SPL:
index=endpoint sourcetype=sysmon EventID=1 Image="*python*" | rex field=CommandLine "python[0-9.]*\s+(?<script_path>\S+)" | eval script_dir=replace(script_path, "/[^/]+$", "") | stats count by Computer, script_dir | where in(script_dir, "/tmp", "/var/tmp", "/dev/shm")
Elastic KQL:
process.name:("python" OR "python3" OR "python2.7") AND (process.command_line:*/tmp/* OR process.command_line:*/var/tmp/* OR process.command_line:*/dev/shm/*)
Focus on Python processes running from temporary directories or with base64-encoded arguments.
T1059.007 — Command and Scripting Interpreter: JavaScript (Execution) [P1]
Dindoor uses Deno JavaScript runtime, an unusual choice that evades detection focused on Node.js
Splunk SPL:
index=endpoint (process_name=deno OR Image="*deno*") | join type=left host [search index=endpoint sourcetype=netstat state=ESTABLISHED | stats values(dest_ip) as connections by host] | table _time, host, CommandLine, connections
Elastic KQL:
(process.name:"deno" OR process.executable:*deno*) AND network.direction:"outbound"
Deno is rare in production. Any Deno process should be investigated. Check for deno binaries in unusual locations.
T1040 — Network Sniffing (Credential Access) [P2]
Cordscan is purpose-built for telecom reconnaissance, likely capturing authentication and routing data
Splunk SPL:
index=linux sourcetype=ps_aux command IN ("*tcpdump*", "*tshark*", "*dumpcap*", "*pcap*") NOT user=root | rex field=command "(?<pcap_filter>port\s+\d+|host\s+[\d\.]+)" | stats count by host, user, pcap_filter
Elastic KQL:
process.name:("tcpdump" OR "tshark" OR "dumpcap") AND NOT user.name:"root" AND NOT user.name:"_wireshark"
Monitor for processes opening /dev/ppp or /dev/tun devices. Check for libpcap library loads by non-standard processes.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | /etc/systemd/system/xapt.service | GRIDTIDE persistence mechanism - systemd service file |
| filename | /usr/sbin/xapt | GRIDTIDE malware executable location |
| filename | LummaC2.exe | LummaC2 information stealer main executable |
| domain | sheets.googleapis.com | GRIDTIDE C2 infrastructure - legitimate Google API abused for command and control |
IOC Sweep Queries (Splunk):
index=* "/etc/systemd/system/xapt.service" | stats count by host, source, sourcetype
index=* "/usr/sbin/xapt" | stats count by host, source, sourcetype | append [| inputlookup dnslookup | search query="xapt*" | stats count by src_ip]
index=endpoint (filename="LummaC2.exe" OR Image="*LummaC2.exe" OR TargetFilename="*LummaC2.exe") | stats earliest(_time) as first_seen latest(_time) as last_seen by host, filename, hash
index=proxy dest="sheets.googleapis.com" src_category=server | bucket _time span=1h | stats count by _time, src_ip | where count > 20
YARA Rules
GRIDTIDE_Systemd_Persistence — Detects GRIDTIDE systemd service persistence files
```yara
rule GRIDTIDE_Systemd_Persistence {
    meta:
        description = "Detects GRIDTIDE backdoor systemd persistence"
        author = "Threat Hunt Team"
        date = "2024-01-15"
        reference = "Google Threat Intelligence GRIDTIDE report"
    strings:
        $service1 = "[Service]" ascii
        $service2 = "Type=simple" ascii
        $service3 = "ExecStart=/usr/sbin/xapt" ascii
        $path1 = "/usr/sbin/xapt" ascii
        $path2 = "xapt.service" ascii
    condition:
        filesize < 1KB and
        (all of ($service*) or all of ($path*))
}
```
AuthDoor_PAM_Hook — Detects AuthDoor PAM authentication hooking patterns
```yara
rule AuthDoor_PAM_Hook {
    meta:
        description = "Detects AuthDoor PAM module hooks"
        author = "Threat Hunt Team"
        date = "2024-01-15"
    strings:
        $pam1 = "pam_sm_authenticate" ascii
        $pam2 = "pam_get_user" ascii
        $pam3 = "pam_get_authtok" ascii
        $hook1 = { 48 89 E5 48 83 EC ?? 48 89 7D ?? 48 89 75 } // function prologue
        $exfil1 = "/tmp/." ascii
        $exfil2 = "/var/tmp/." ascii
    condition:
        uint32(0) == 0x464c457f and // ELF header
        2 of ($pam*) and
        ($hook1 or any of ($exfil*))
}
```
Dindoor_Deno_Backdoor — Detects Dindoor backdoor using Deno JavaScript runtime
```yara
rule Dindoor_Deno_Backdoor {
    meta:
        description = "Detects Dindoor Deno-based backdoor"
        author = "Threat Hunt Team"
        date = "2024-01-15"
    strings:
        $deno1 = "deno" ascii wide
        $deno2 = "Deno.serve" ascii
        $deno3 = "Deno.Command" ascii
        $net1 = "fetch(" ascii
        $net2 = "WebSocket" ascii
        $enc1 = "atob" ascii
        $enc2 = "btoa" ascii
    condition:
        filesize < 50KB and
        any of ($deno*) and
        any of ($net*) and
        any of ($enc*)
}
```
Suricata Rules
SID 1000001 — GRIDTIDE Google Sheets API C2 Beacon
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GRIDTIDE Google Sheets API C2 Beacon"; flow:established,to_server; content:"POST"; http_method; content:"sheets.googleapis.com"; http_host; content:"/v4/spreadsheets/"; http_uri; pcre:"/\/v4\/spreadsheets\/[a-zA-Z0-9_-]{44}\/values/"; content:"Authorization|3a 20|Bearer"; http_header; threshold:type both,track by_src,count 5,seconds 300; classtype:trojan-activity; sid:1000001; rev:1;)
SID 1000002 — Potential Deno Runtime Backdoor Outbound
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Deno Runtime Backdoor Outbound Connection"; flow:established,to_server; content:"User-Agent|3a 20|Deno/"; http_header; threshold:type limit,track by_src,count 1,seconds 3600; classtype:trojan-activity; sid:1000002; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Linux auditd | T1543.002, T1556, T1040 | Required for systemd service creation, PAM modifications, and process execution monitoring |
| Sysmon for Linux | T1543.002, T1059.006, T1059.007 | Provides process creation with full command lines, file creation events |
| Web proxy logs | T1071.001 | Essential for detecting Google Sheets API abuse and other SaaS C2 channels |
| VMware vCenter logs | T1190 | vpxd.log and shell.log needed for BRICKSTORM detection |
| PAM authentication logs | T1556 | /var/log/auth.log or journald with pam_* entries |
| DNS query logs | T1071.001 | For correlation with proxy logs and detecting direct DNS queries to C2 infrastructure |