ir-23-053-001 (1)

10971520474?profile=RESIZE_400x

  • A new threat cluster we track as WIP26 has been targeting telecommunication providers in the Middle East.
  • Sentinel assess it is likely that WIP26 is espionage-related.
  • WIP26 relies heavily on public Cloud infrastructure to evade detection by making malicious traffic look legitimate.
  • WIP26 involves the use of backdoors, titled CMD365 and CMDEmber, which abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.
  • WIP26 also involves the use of Microsoft Azure and Dropbox instances as