Saturday, February 28, 2026 · @SignalOverNoizX


Top Story of the Week

APT37 (also tracked as ScarCruft) is actively hunting air-gapped networks using a combination of new malware variants and creative USB-based infection vectors. Multiple reports this week confirm that this North Korean-linked threat actor has shifted focus toward isolated environments that defenders traditionally considered safer. The approach is methodical: compromise an internet-connected system, establish persistence through dormant malware (like RESURGE on Ivanti devices), then use USB devices as the bridge to jump the air gap. This represents a meaningful escalation in operational sophistication — air-gapped networks are typically where critical infrastructure, financial systems, and government agencies live.

The targeting pattern suggests these actors are playing the long game. CISA's warning about RESURGE remaining dormant on Ivanti devices is particularly sharp because it means compromises from months ago may be sitting undetected, waiting for the operator to activate them post-air-gap breach. Organizations running Ivanti in critical environments need to assume compromise and hunt aggressively. The USB malware angle is a reminder that physical security and endpoint hardening aren't optional anymore — they're table stakes.
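One way to hunt the USB bridge pattern described above (and the "hunt USB-based intrusion paths" advice in the bottom line), as an added example that is not from the newsletter or any vendor: it correlates USB-storage device serials across internet-connected and air-gapped hosts. The log format, host names and serials are constructed assumptions standing in for whatever a collector emits after normalizing Windows Event ID 6416 / USBSTOR data or Linux udev logs from both segments.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real incident). Assumed normalized format,
# one USB-storage connect event per line, as a collector might emit after
# flattening Windows Event ID 6416 / USBSTOR data or Linux udev logs:
#   <ISO timestamp> <host> <segment: internet|airgap> <USB device serial>
SAMPLE_LOG = """\
2026-02-20T09:12:00 ws-corp-17 internet 4C530001230607119423
2026-02-20T09:40:00 ws-corp-17 internet 0781558A1D2E3F40
2026-02-23T14:05:00 eng-iso-03 airgap   4C530001230607119423
2026-02-24T08:30:00 eng-iso-07 airgap   AA55DEADBEEF0001
2026-02-26T11:15:00 ws-corp-22 internet AA55DEADBEEF0001
"""

def parse_events(log_text):
    """Parse the normalized log into dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, segment, serial = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "segment": segment, "serial": serial})
    return events

def airgap_hosts_with_usb(events):
    """Removable storage touching an air-gapped host is a finding on its own."""
    return sorted({e["host"] for e in events if e["segment"] == "airgap"})

def find_bridging_devices(events, window=timedelta(days=14)):
    """Serials seen on both segments within `window`. internet->airgap is the
    inbound bridge from the story; airgap->internet is the return (exfil) leg."""
    by_serial = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_serial[e["serial"]].append(e)
    findings = []
    for serial, evs in by_serial.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:  # chronological, so b is never earlier than a
                if a["segment"] != b["segment"] and b["ts"] - a["ts"] <= window:
                    findings.append({"serial": serial, "from_host": a["host"],
                                     "to_host": b["host"], "gap": b["ts"] - a["ts"],
                                     "direction": f"{a['segment']}->{b['segment']}"})
    return findings

if __name__ == "__main__":
    for f in find_bridging_devices(parse_events(SAMPLE_LOG)):
        print(f"{f['serial']} {f['direction']} {f['from_host']}->{f['to_host']} after {f['gap']}")
```

The serial that appears first on a corporate workstation and days later on an isolated engineering host is the pattern worth pulling disk images for; a serial moving the other way deserves the same attention.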

Critical Vulnerabilities

Threat Actor Activity

North Korean threat actors (APT37/ScarCruft) continue demonstrating operational persistence and innovation. The shift toward air-gapped network targeting indicates they're moving beyond commodity targets and focusing on high-value, high-security environments. The USB malware component suggests supply chain manipulation or physical access opportunities — either through trusted vendors or insider cooperation. This is the kind of campaign that takes months to set up but pays dividends in access to classified or sensitive systems.

Meanwhile, Europol's coordinated takedown of The Com ransomware-as-a-service operation resulted in 30 arrests and significant infrastructure disruption. While law enforcement wins are psychologically satisfying, ransomware crews rebrand faster than they can be arrested. The real intelligence here is that The Com was operating a significant extortion network with distributed infrastructure — suggesting their victims numbered in the hundreds. Defenders should assume that any organization hit by The Com in the past 18 months has data in circulation, regardless of whether they paid.

By the Numbers

38 million — ManoMano data breach exposed user records; retail e-commerce companies remain soft targets due to legacy authentication and insufficient segmentation between customer-facing and internal systems.

$61 million — DoJ seized Tether cryptocurrency linked to pig butchering scams, highlighting the continued use of crypto for money laundering despite increased regulatory scrutiny. Ransomware actors and extortion crews are active investors in these schemes.

900+ — FreePBX instances compromised in ongoing web shell attacks. VoIP systems are systematically under-monitored and under-patched across enterprises.

30 arrests — Europol crackdown on The Com; a tactical win that will temporarily disrupt operations but is unlikely to eliminate the threat actor ecosystem permanently.

The Bottom Line

This week's theme is persistence: APT37 is patient, RESURGE is waiting to activate, and ransomware crews are rebuilding faster than law enforcement can dismantle them. If you're managing critical infrastructure or air-gapped networks, assume compromise and hunt USB-based intrusion paths immediately. Patch Ivanti. Monitor your VoIP systems like they're routers — because functionally, they are. And if you've been hit by ransomware in the past 18 months, your data is compromised; operate under that assumption in your incident response planning.


Follow @SignalOverNoizX for daily threat intelligence. Live feed: signal-noise.tech

Need AI tools for your security work? Signal Over Noise Tools — prompt packs for red teams, SOC analysts, OSINT investigators and IR professionals.