The IT Nerd

CloudSEK, a cybersecurity intelligence company, today published a threat intelligence report showing how Iranian state-sponsored hacking group APT35 (also known as Charming Kitten) had already broken into the digital infrastructure of every country Iran attacked with ballistic missiles and drones starting February 28, 2026, during Operation Epic Fury.

The report, titled “The Kitten Had the Map All Along,” is based on the KittenBusters intelligence leak and documents a pattern of cyber infiltration that APT35 carried out across Jordan, the UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Israel in the years before the strikes began.

According to CloudSEK’s analysis, every Gulf country subsequently struck by Iran had previously appeared in documented APT35 targeting, reconnaissance, or compromise activity.

CloudSEK assesses that the alignment between cyber reconnaissance and later kinetic targeting is too consistent to dismiss as a coincidence. 

While the company stops short of claiming conclusive proof of a formal intelligence-to-strike handoff, the report argues that the most likely explanation is that cyber operations helped prepare the battlefield by mapping targets, collecting internal data, and maintaining pre-positioned access across multiple countries before the conflict escalated.

The report identifies APT35, also known as Charming Kitten, Phosphorus, Magic Hound, and Mint Sandstorm, as the central actor in this activity. CloudSEK links the group to the IRGC Intelligence Organisation, Unit 1500, Department 40, and says newly examined leaked material indicates the group maintained visibility into government, aviation, energy, legal, financial, and civilian infrastructure across the region in the years leading up to the current crisis.

Key Findings from the Report

CloudSEK’s research says that Jordan, the UAE, Saudi Arabia, Kuwait, Bahrain, Qatar, and Israel all appeared in prior APT35 cyber activity before becoming part of the regional strike pattern.

Among the report’s most significant findings:

• Jordan was one of the most extensively documented targets, with evidence pointing to prior compromise of the Ministry of Justice and targeting of civil aviation-related infrastructure
• UAE-linked infrastructure, including aviation-related systems and government assets, appears in the leaked data reviewed by CloudSEK
• Saudi government and energy-related entities were previously profiled, with the report pointing to compromised policy-related documents and access tied to sectors of strategic importance
• Kuwait, Bahrain, and Qatar were identified as targets of reconnaissance and operational interest before being drawn into the current conflict environment
• Israel remained a primary focus, with the report citing prior targeting of industrial systems, modems, civilian digital infrastructure, and influence operations.
   

The report also says the leaked material provides unusually rare insight into the malware, infrastructure, financial records, and operating patterns of APT35. According to CloudSEK, that includes exposed source code for malware families such as BellaCiao and Sagheb RAT, as well as blockchain-verifiable payment trails and infrastructure records that help unify multiple previously distinct personas under one broader operational umbrella.

CloudSEK further assesses that personas historically tracked separately, including Moses-Staff and Al-Qassam Cyber Fighters, may in fact be financially and operationally linked to the same broader APT35 ecosystem.

Cyber Operations Running in Parallel

Beyond historic targeting, CloudSEK warns that the cyber dimension of the conflict is already active.

The report highlights ongoing or likely cyber operations by multiple Iran-linked or Iran-aligned actors, including:

• Handala Hack, linked in the report to attacks and threats involving Israeli and Jordanian targets
• Cyber Islamic Resistance, associated with destructive and disruptive operations against military and logistics-related entities
• APT35 / Department 40, which CloudSEK says may already be positioned for follow-on disruptive or destructive activity
• APT33 / Elfin, historically associated with attacks on the Saudi energy sector
• CyberAv3ngers, known for prior targeting of internet-exposed industrial control systems
   

CloudSEK says the immediate risk is not limited to military assets. The company warns that aviation systems, airport operations, ports, financial networks, logistics platforms, telecom, government communications, and industrial control environments may all face heightened exposure as the conflict continues.

Why This Matters

CloudSEK’s central warning is that cyber activity in this conflict should not be viewed as reactive noise or opportunistic hacktivism alone. Instead, the report suggests that pre-conflict cyber collection may have played a strategic role in identifying, understanding, and preparing regional targets well before missiles were launched.

That has serious implications for defenders.

If the report’s assessment is correct, organizations across the Gulf and adjacent geographies may be facing adversaries that already understand their networks, their supply chains, their exposed infrastructure, and in some cases their internal communications or operational dependencies.

Immediate Recommendations

CloudSEK is urging organizations, especially those operating in the GCC, Israel, Jordan, and adjacent sectors supporting regional infrastructure, to take immediate defensive steps, including:

• Patching exposed internet-facing systems linked to known exploited vulnerabilities
• Auditing Exchange, VPN, and web-facing infrastructure for compromise
• Hunting for webshells, suspicious tunneling tools, and malware indicators tied to APT35 activity
• Rotating privileged credentials and auditing administrative access
• Reviewing aviation, energy, telecom, logistics, and industrial environments for abnormal activity
• Blocking known indicators of compromise and validating detection coverage against the malware families referenced in the report
   

Caveat and Analytical Position

CloudSEK notes that while several parts of the dataset reviewed in the report are assessed with high confidence, some elements remain only partially independently verified. The company has therefore framed its conclusions carefully: the evidence strongly supports a pattern of pre-positioning and reconnaissance aligned with later regional strikes, but not every operational detail can yet be confirmed with complete certainty.

Even with that caution, CloudSEK says the risk environment is already severe.

The report concludes that the current period should be treated as critical and active, with the likelihood of further Iranian cyber retaliation remaining elevated in the days and weeks ahead.

 For More Details, Read The Full Report Here

CloudSEK has published research showing that 22 popular Android applications, collectively installed on more than 500 million devices, contain hardcoded Google API keys that now provide full, unauthorized access to Google’s Gemini artificial intelligence platform.

The report, released today by CloudSEK’s BeVigil security search engine, reveals a structural flaw at the crossroads of decade-old developer practices and Google’s rapidly expanding AI infrastructure. It is available at: 

Background: A Decade-Old Assumption, Quietly Broken

For more than a decade, Google told developers that API keys in the AIza… format were safe to embed in public-facing applications. They were treated as public identifiers, not secrets.

That changed with Gemini. When a developer enables the Gemini API on a Google Cloud project, every existing API key on that project silently inherits access to Gemini endpoints, with no warning, no notification, and no opt-in prompt. 

Developers who embedded Maps or Firebase keys years ago, following Google’s own documentation, now unknowingly hold live credentials to one of the world’s most powerful AI systems.

BeVigil scanned the top 10,000 Android apps by install count and confirmed 32 such live keys across 22 applications.

The Affected Apps: Household Names, Global Reach

The 22 vulnerable applications span e-commerce, travel, finance, education, news, and productivity. They include:

• OYO Hotel Booking App (100M+ installs)
• Google Pay for Business (50M+ installs)
• Taobao (50M+ installs)
• apna Job Search App (50M+ installs)
• ELSA Speak: AI English Learning (10M+ installs) – confirmed data exposure
• The Hindu: India and World News (10M+ installs)
• Shutterfly: Prints, Cards and Gifts (10M+ installs)
• JioSphere Web Browser (10M+ installs)
• Muslim: Ramadan 2026, Athan (10M+ installs)
• 30 Day Fitness Challenge, Krishify, ISS Live Now, and 10 others
   

CONFIRMED DATA EXPOSURE: Using the key found in ELSA Speak’s publicly downloadable app, CloudSEK researchers queried Google’s Gemini Files API and received a live response listing uploaded audio files. The files were likely speech recordings submitted by users for AI-powered pronunciation coaching.

What an Attacker Can Do With a Single Exposed Key

Any person who decompiles a vulnerable app and extracts its hardcoded key can:

• Access and download private user files, including documents, audio, and images, stored in the Gemini Files API
• Make unlimited Gemini API calls, potentially generating thousands of dollars in charges on the developer’s Google Cloud account
• Exhaust the organization’s API quotas, knocking out AI-powered features for real users
• Read cached AI context windows, which may contain sensitive prompts and internal data
• Continue exploiting the key across multiple app update cycles, as hardcoded keys often survive app versioning
   

Real Losses: Three Cases of Gemini API Key Abuse

The following highlights three publicly reported cases where stolen or exposed Google API keys led to severe financial harm:

Case 1: $15,400 overnight. A solo developer’s startup nearly collapsed after an attacker used his exposed key to flood Gemini with inference requests. The developer revoked the key within 10 minutes of a $40 billing alert. Due to a 30-hour reporting lag in Google Cloud’s billing system, the damage had already reached $15,400 by the time the dashboard updated.

Case 2: $128,000 and a company facing bankruptcy. A Japanese company using the Gemini API for internal tools saw approximately 20.36 million yen (around $128,000) in unauthorized charges accumulate after its key was compromised, even though firewall-level IP restrictions were in place. Google initially denied an adjustment request.

Case 3: $82,314 in 48 hours, a 455-times spike. A three-person development team in Mexico with a typical monthly cloud spend of $180 had their key stolen between February 11 and 12, 2025. Within 48 hours, attackers generated $82,314 in Gemini charges. Google’s representative initially held the company liable under the platform’s Shared Responsibility Model, citing an amount that exceeded the company’s total bank balance.

Full Report:  https://www.cloudsek.com/blog/hardcoded-google-api-keys-in-top-android-apps-now-expose-gemini-ai 

CloudSEK has analysed the rise and takedown of RAMP, a ransomware-friendly forum seized by the FBI in January 2026, offering a rare inside look at how modern cybercrime ecosystems operate.

Unlike typical reports, this research draws from internal conversations, operational data, and user interactions, revealing how ransomware groups, access brokers, and affiliates coordinated on a single platform. It shows how access to government networks, enterprise systems, and critical infrastructure was traded, and how these operations functioned more like organised businesses than isolated attacks.

The report also captures what followed the takedown. Instead of slowing down ransomware activity, the ecosystem has fragmented into smaller, harder-to-track communities, creating new challenges for law enforcement and organisations alike.

Key insights include:

• How ransomware marketplaces operate as structured supply chains
• Internal chats revealing recruitment, negotiations, and disputes
• The role of access brokers in enabling large-scale breaches
• Why the FBI takedown has led to fragmentation, not decline

You can read the full report here:
https://www.cloudsek.com/blog/the-rise-and-fall-of-ramp-inside-the-forum-where-ransomware-was-always-welcome

Cybersecurity firm CloudSEK has published research showing that the infrastructure organisations use to train and deploy AI systems is dangerously exposed. The report focuses on MLOps platforms, the operational backbone of modern AI, and finds that leaked credentials and misconfigured deployments are handing adversaries quiet, persistent access to systems that were never designed with security in mind.

The timing matters. After US and Israeli forces struck Iranian nuclear and military sites on February 28, 2026, Iranian APT groups, including MuddyWater, APT34, APT33, and APT35 showed clear signs of heightened activity. But CloudSEK’s analysts note that the footholds these groups hold inside Western defence, financial, and aviation networks were not built in response to that escalation. They were built before it.

What CloudSEK Found

In a 72-hour scan of public GitHub repositories and internet-facing infrastructure, the research team identified:

• Over 100 exposed credential instances tied to platforms including ClearML, MLflow, Kubeflow, Metaflow, ZenML, and Weights & Biases. Keys were hardcoded directly into source files, configuration scripts, and environment files that were left public.
• More than 80 MLOps deployments are sitting open on the public internet with weak or no authentication. Basic scanning tools like Shodan and FOFA were enough to find them.
• Multiple platforms where anyone could create an account, walk into the dashboard, browse active projects, pull model artifacts, and access connected cloud storage credentials with no barriers at all.
   

None of this required exploiting a software vulnerability. It used the same interfaces that engineers use every day.

Why MLOps Platforms Are Worth Targeting

MLOps platforms coordinate everything in an AI operation: training pipelines, model storage, cloud integrations, and execution agents that run around the clock. Getting inside one of these platforms gives an attacker far more than a data breach. It gives them four things:Dataset exfiltration: training data typically contains surveillance feeds, telemetry, and behavioural analytics. Studying it tells an adversary exactly what signals a model trusts and where its blind spots are.

Model theft: downloaded model files can be analysed offline to reverse-engineer the decision logic behind AI systems used in targeting, surveillance, or autonomous operations. Training data poisoning: with write access to a pipeline, adversaries can subtly corrupt retraining inputs. The model degrades over time, with no forensic trace and no security alert. Execution environment abuse: MLOps workers trust instructions from the control plane. Attackers can use that trust to run arbitrary code inside the compute infrastructure connected to sensitive internal networks.

A Multi-Actor Threat Landscape

The MLOps threat does not sit with Iran alone. North Korea’s Lazarus Group and TraderTraitor have spent years hiding malicious packages inside npm and PyPI ecosystems, quietly compromising developer infrastructure at scale. Chinese APT groups have a direct strategic interest in understanding how Western militaries use AI-assisted decision-making. Russia, too, has been watching.

Proxy groups add further complexity. Hamas-affiliated MOLERATS, Hezbollah-linked operators, and Houthi-aligned actors have all been documented running cyber operations in parallel with kinetic activity, often targeting the same organisations their backers have in their sights.

The report’s sharpest point is about intent. These actors do not need to destroy an AI system. They need to make it unreliable. A targeting model whose thresholds shift through poisoned retraining data, an anomaly detector tuned to ignore a specific pattern: that is battlefield sabotage. It leaves no forensic trace, triggers no security alert, and has no obvious point of attribution.

The Security Gap No One Is Talking About

The core problem is not a software bug. It is a maturity gap. CI/CD systems and cloud IAM services have been hardened through more than a decade of real-world attack exposure. Most MLOps platforms have not. They were built to speed up model development, and security was rarely part of the original brief.

One finding stands out. Cloud storage credentials for AWS S3, Google Cloud Storage, and Azure Blob are routinely stored inside MLOps platform interfaces in a form that can simply be retrieved. Anyone who gets into the platform gets the keys to the cloud storage too. One breach becomes two.

What Organisations Should Do Now

CloudSEK lays out four immediate steps:

• Stop hardcoding credentials. API keys, access tokens, and cloud credentials have no place in source code or config files. Use a dedicated secrets manager and rotate regularly.
• Take MLOps platforms off the public internet. Enforce authentication, segment networks, and switch off open self-registration on any externally accessible instance.
• Drop static cloud storage keys in favour of short-lived, role-based credentials. It limits how far a compromise can spread.
• Treat MLOps like the critical infrastructure it is. Monitor access to datasets, models, and pipelines with the same rigour applied to CI/CD systems and cloud control planes.
   

Note on Responsible Disclosure

This research was conducted using publicly accessible information. All validation was performed passively, with no modifications made to any systems, pipelines, datasets, or models. All sensitive details, including credential values and organizational identifiers, have been redacted.

For More Details, Read The Full Report

CloudSEK has posted a pair of research reports that are highly relevant to the cyber dimension of the Iran-US conflict, especially in light of developments since the February 28 strikes.

Following the February 28 US-Israel strikes on Iran, CloudSEK has documented an immediate and significant surge in Iranian-aligned cyber activity targeting US critical infrastructure, with AI now acting as a direct force multiplier for threat actors.

The key findings:

• Over 60 Iranian-aligned hacktivist groups activated on Telegram within hours of the February 28 strikes, the largest single-event mobilization of this ecosystem ever recorded.
• An Electronic Operations Room was formed on Telegram to coordinate attacks, operating on ideological initiative rather than central state direction, which makes activity harder to predict and constrain.
• More than 40,000 US industrial control systems are currently reachable on the public internet, many with default or no credentials, representing an immediately exploitable attack surface.
• CloudSEK researchers demonstrated that an actor with no prior ICS knowledge can move from intent to a working list of accessible US industrial targets in under five minutes using AI tools and passive reconnaissance. No scanning, no exploitation, no specialist knowledge required.
• The same AI platforms now embedded in US defense operations are accessible to threat actors for offensive reconnaissance, creating a dual-use dynamic that significantly widens the threat.

Both reports are primary-sourced, technically detailed, and directly tied to the current conflict escalation. The full write-ups are here:

Report 1: AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure
https://www.cloudsek.com/blog/ai-the-iran-us-conflict-and-the-threat-to-us-critical-infrastructure

Report 2: Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran-US Conflict
https://www.cloudsek.com/blog/a-threat-actor-landscape-assessment-of-ics-ot-targeting-in-the-2026-iran-us-conflict-and-the-scale-of-the-risk

CloudSEK researchers have documented how artificial intelligence has fundamentally collapsed the barrier to targeting industrial control systems, compressing what once required weeks of specialist knowledge into a five-minute reconnaissance workflow. 

The findings come as the 28 February 2026 US-Israel strikes against Iran triggered the largest single-event activation of Iranian-aligned cyber actors ever documented, with over 60 hacktivist groups mobilising within hours – many without deep ICS expertise, but now equipped with AI tools that make that expertise unnecessary.

Key Findings

• CloudSEK identified 40,000+ internet-exposed US industrial control systems immediately discoverable using AI-assisted reconnaissance – and confirmed that a passive five-minute workflow using free tools can identify live devices, retrieve default credentials, map accessible interfaces, and enumerate CVEs without authenticating to or probing a single system.
• OpenAI confirmed in October 2024 that Iranian-affiliated actors (CyberAv3ngers) used ChatGPT to conduct ICS reconnaissance, querying default credentials for industrial devices, generating Shodan search strings, and requesting automation scripts – one of the first documented use of a commercial LLM by a state-affiliated actor against critical infrastructure.
• More than 60 Iranian-aligned hacktivist groups mobilised within hours of the 28 February 2026 strikes. The death of Supreme Leader Khamenei disrupted IRGC command structures, removing the political constraints that historically governed Iranian cyber targeting. Proxy and hacktivist groups now operate without accountability for civilian harm.
• US government reporting confirms 75+ US ICS devices were compromised in campaigns linked to the same threat ecosystem, including 34+ in the Water and Wastewater sector. The 2023 Aliquippa water plant compromise – forced onto manual operations by a default password – is the documented template these groups are replicating.
• Internet exposure across OT and ICS environments is worsening: 35% year-on-year growth in exposed systems and a 160% surge in Unitronics port 20256 exposure, despite two years of CISA advisories following the Aliquippa attack (ReliaQuest, H1 2025).

Why This Matters

The real shift is not in malware sophistication. It is in speed, scale, and accessibility. AI is enabling less technically mature actors to perform ICS reconnaissance that once required years of specialist knowledge.

 In a conflict environment where over 60 groups are simultaneously activated and seeking accessible targets, AI compresses the cycle from intent to impact.

CloudSEK researchers reproduced the AI-assisted reconnaissance chain as a passive research exercise, mirroring the confirmed methodology. Following the same process, researchers identified multiple live instances of unauthenticated, internet-exposed ICS systems with direct operational impact potential. 

CloudSEK notes that the passive nature of this research, standard HTTP requests against publicly indexed systems, is indistinguishable from what a threat actor would perform.

The cyber fallout from the Iran-US conflict is not limited to advanced state-linked operators. Loosely aligned hacktivists and proxy actors can now use AI-assisted workflows to identify and prioritise exposed industrial assets in real time, increasing the risk of opportunistic disruption to water treatment, energy distribution, fuel management, and manufacturing operations.

The same 28 February window also saw OpenAI confirm a partnership with the US Department of Defense, triggering a 295% spike in ChatGPT app uninstalls (Sensor Tower via TechCrunch). As commercial AI platforms face governance pressure around military use, threat actors migrate to unconstrained alternatives. The safety guardrails that limited CyberAv3ngers on ChatGPT in 2024 are a floor, not a ceiling.

Immediate Defensive Priorities

CloudSEK recommends that organisations urgently:

• Remove ICS management interfaces from the public internet immediately and place them behind VPN. This single action eliminates the AI-assisted passive reconnaissance attack path entirely.
• Change default credentials on all deployed ICS devices. The Unitronics default password 1111 is in a vendor manual, in CISA Advisory AA23-335A, and in active use on internet-exposed devices today.
• Block industrial protocol ports at the perimeter: TCP 20256, 102, 502, 44818, 1911 and UDP 47808 have no legitimate reason to be directly internet-accessible.
• Audit all third-party remote access to OT environments. IT managed service providers with tools on OT networks are confirmed entry points for supply chain attacks.
   

CloudSEK’s findings are based on passive reconnaissance of publicly indexed information and exposed web interfaces, without logging into or actively probing any system.

You can read the research here: AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure | CloudSEK

CloudSEK today released a threat landscape assessment warning that more than 60 hacker groups mobilised within hours of the February 28, 2026 Iran–US military escalation — and that tens of thousands of US industrial control systems remain directly reachable from the internet, many with no authentication beyond a factory-default password.

The report, “A Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran–US Conflict,” identifies a two-tier threat ecosystem: nation-state APTs pre-positioned inside US networks for years, and a fast-expanding pool of state-backed hacktivist proxies that need nothing more than an exposed device and a motivation to cause national-headline disruption. 

CloudSEK’s report finds that the industrial attack surface remains exposed at scale. In the United States alone, researchers identified approximately 182.2K internet-exposed industrial and automation-related assets (including both live and historically observed systems). Many of these were found to be actively reachable and exposed without authentication.

The exposure is not limited to the U.S.: Israel recorded around 104.9K such assets, while the United Kingdom showed roughly 88.8K exposed assets. CloudSEK notes that these listings represent industrial or automation-related devices observed on the public internet, underscoring the scale of potential targeting during periods of geopolitical escalation. 

Key highlights from the report

• Rapid mobilization after escalation: CloudSEK observed a sharp rise in hacktivist and proxy activation following February 28, increasing the volume of actors scanning for high-visibility infrastructure targets.
• Exposure at scale across industrial protocols: The report identifies large volumes of internet-reachable industrial services in the US, across widely used ICS/OT and automation protocols and platforms — indicating that many operational environments remain discoverable from the public internet.
• Three primary routes from discovery to impact:
  1. Direct access to exposed industrial interfaces (often enabled by weak/default credentials)
  2. Phishing and compromise of OT-adjacent users and vendors (engineering workstations, operators, third-party access)
  3. Enterprise IT compromise followed by lateral movement into OT, allowing adversaries to pre-position access and activate during crisis windows
• Basic weaknesses continue to enable real-world compromise: The report underscores that industrial incidents often stem from long-standing issues — internet exposure, unsecured remote access, and default credentials — rather than rare, highly advanced exploits.
• Operational risk is physical by design: Unlike purely digital attacks, ICS/OT compromise can affect physical processes, making disruption potentially immediate and safety-relevant.

Why default access and exposed interfaces remain a critical risk

CloudSEK’s assessment notes that many industrial environments remain vulnerable because exposed devices and interfaces can be identified quickly through standard internet scanning. In such cases, attackers may not need to exploit software vulnerabilities — they only need to find an exposed system and gain access using weak or default authentication.

This dynamic becomes more dangerous during periods of escalation, when some actors prioritise visibility and disruption over stealth.

Recommended actions for operators and defenders

CloudSEK urges critical infrastructure owners and operators to prioritise immediate, practical defensive measures:

• Remove ICS/OT management interfaces from the public internet wherever possible; enforce VPN-only access for remote operations
• Eliminate default credentials and strengthen authentication on industrial devices and management consoles
• Restrict industrial protocol exposure at the perimeter and shut down unnecessary remote-access services
• Audit and limit third-party remote access into OT environments (MSPs/RMM tools, vendor pathways)
• Improve monitoring and logging in OT-adjacent environments to detect unauthorised access and lateral movement early

CloudSEK has uncovered a malicious mobile campaign spreading a fake version of Israel’s “Red Alert” emergency warning app, the legitimate alert platform operated by Israel’s Home Front Command, through spoofed SMS messages.

According to CloudSEK’s latest threat intelligence report, the trojanized Android application is designed to appear trustworthy while enabling the theft of SMS data, contact lists, and precise location information from infected devices.

The campaign emerges against the backdrop of the ongoing Israel-Iran conflict, where demand for real-time public safety information has sharply increased. CloudSEK’s researchers found that threat actors are exploiting this urgency by luring users to sideload a malicious APK outside the Google Play Store, while presenting it as an emergency update or warning application. )

According to the report, the malware mimics the user interface of the legitimate Red Alert application closely enough to reduce suspicion and can even continue delivering alert-style functionality to maintain its disguise. 

The key difference appears during installation and onboarding: while the authentic app operates with basic notification access, the fake version aggressively requests high-risk permissions, including access to contacts, SMS, and location. 

CloudSEK’s technical analysis found that the malicious app uses signature spoofing, installer spoofing, reflection, and multi-stage payload loading to conceal its true behaviour and bypass basic integrity checks. Once active, the malware begins harvesting data in the background and exfiltrating it to attacker-controlled infrastructure. The report identifies api[.]ra-backup[.]com/analytics/submit.php as an exfiltration endpoint and lists several associated IP addresses tied to the campaign’s infrastructure.

CloudSEK warns that this campaign carries implications beyond conventional mobile malware. In an active conflict environment, real-time location tracking and SMS interception can create serious physical security, surveillance, and intelligence-gathering risks. The report notes that location data could potentially be misused to map shelter activity, movement patterns, or concentrations of individuals during periods of heightened military escalation.

The report also underscores a larger pattern: threat actors are increasingly weaponising real-world crises and trusted institutions to distribute malware at scale. By impersonating a life-saving emergency app during a volatile geopolitical situation, the attackers behind this campaign have demonstrated how cyber operations can feed directly off civilian anxiety and information dependency.

CloudSEK has advised immediate caution around app downloads delivered through links in SMS messages, particularly in conflict-related or emergency contexts. The company recommends that users install critical public-safety applications only through official app stores and that organisations block the listed indicators of compromise and monitor for suspicious sideloaded Android packages.

For More Information, Read The Full Report Here

CloudSEK’s threat intelligence team has just published an in-depth investigation into Gunra, a rapidly emerging Ransomware-as-a-Service (RaaS) operation that has formalized its affiliate recruitment on the dark web.

What makes this report significant is that their researchers successfully infiltrated the affiliate program, gaining access to:

• The live RaaS management panel
• Affiliate documentation (operator guide)
• A functional ransomware locker sample for full reverse engineering
   

Key findings include:

• Gunra operates a professionalized RaaS business model, lowering the barrier for cybercriminals through structured affiliate onboarding.
• The locker uses a ChaCha20 + RSA-4096 hybrid encryption model, making decryption cryptographically infeasible without attacker-controlled private keys.
• The malware executes fully offline, bypassing network-based detection during encryption.
• It implements multi-threaded parallel encryption, enabling rapid filesystem-wide impact within minutes.
• The ransomware performs surgical targeting, excluding system directories (C:\Windows, Program Files) to maintain operability and ensure ransom payment.
• Embedded Tor payment infrastructure and hardcoded credentials streamline victim-to-operator communication.
• Complete MITRE ATT&CK mapping and actionable IOCs are included for defenders.
   

This report provides rare insight into both the business infrastructure and technical core of a growing RaaS operation.

Full report: https://www.cloudsek.com/blog/inside-gunra-raas-from-affiliate-recruitment-on-the-dark-web-to-full-technical-dissection-of-their-locker