{
	"id": "c6fce160-5ee4-48db-bffa-063d5ba69fa1",
	"created_at": "2026-04-06T00:20:51.835922Z",
	"updated_at": "2026-04-10T03:37:58.917805Z",
	"deleted_at": null,
	"sha1_hash": "d6be926cd99f60becd3a32b88726289d84cafffd",
	"title": "Research, News, and Perspectives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6329380,
	"plain_text": "Research, News, and Perspectives\r\nArchived: 2026-04-02 12:29:14 UTC\r\nArtificial Intelligence (AI)\r\nThe Real Risk of Vibecoding\r\nThis blog looks at how AI‑driven vibecoding speeds up software development while increasing security risk by outpacing traditional review and ownership. It explains why security needs to move earlier and be built into modern development workflows.\r\nExpert Perspective Mar 31, 2026\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/\r\nPage 1 of 10\n\nArtificial Intelligence (AI)\r\nTrendAI™ Research at RSAC 2026: Advancing Defense Across AI‑Driven and Cyber‑Physical Threats\r\nTrendAI™ Research explored agentic AI cybercrime and EV infrastructure security through two research sessions at RSAC 2026.\n\nMalware\r\nTeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM\r\nMoving beyond their LiteLLM campaign, TeamPCP weaponizes the Telnyx Python SDK with stealthy WAV‑based payloads to steal credentials across Linux, macOS, and Windows.\n\nArtificial Intelligence (AI)\r\nYour AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise\r\nTeamPCP orchestrated one of the most sophisticated multi-ecosystem supply chain campaigns publicly documented to date. It cascaded through developer tooling and compromised LiteLLM and exposed how AI proxy services that concentrate API keys and cloud credentials become high-value collateral when supply chain attacks compromise upstream dependencies.\n\nAPT \u0026 Targeted Attacks\r\nPawn Storm Campaign Deploys PRISMEX, Targets Government and Critical Infrastructure Entities\r\nThis blog discusses the steganography, cloud abuse, and email-based backdoors used against the Ukrainian defense supply chain in the latest Pawn Storm campaign that TrendAI™ Research observed and analyzed.\n\nArtificial Intelligence (AI)\r\nYour AI Stack Just Handed Over Your Root Keys: Inside the litellm PyPI Breach\r\nLitellm PyPI breach explained: malicious versions steal cloud credentials, SSH keys, and Kubernetes secrets. Learn impact and urgent mitigation steps.\r\nExpert Perspective Mar 25, 2026\n\nMalware\r\nCopyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries\r\nWe look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques.\n\nCompliance \u0026 Risks\r\nWhy East-West Visibility Matters for Grid Security\r\nLearn how east-west traffic visibility helps detect and stop lateral movement attacks inside electric grid infrastructure and critical OT networks.\r\nConsumer Focus Mar 18, 2026\n\nCyber Threats\r\nFrom Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA\r\nNot every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials (ROPC) flow to authenticate without MFA.\r\nInvestigations Mar 18, 2026\n\nCyber Crime\r\nTrendAI™ Supports Global Law Enforcement Efforts\r\nLearn how TrendAI™ and our researchers contributed threat intelligence and analysis to support INTERPOL against cybercrime.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
	],
	"report_names": [
		"chinese-language-ransomware-makes-appearance"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63883709-27b5-4b65-9aac-c782780fbb28",
			"created_at": "2026-04-10T02:00:03.996704Z",
			"updated_at": "2026-04-10T02:00:03.996704Z",
			"deleted_at": null,
			"main_name": "TeamPCP",
			"aliases": [],
			"source_name": "MISPGALAXY:TeamPCP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434851,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6be926cd99f60becd3a32b88726289d84cafffd.pdf",
		"text": "https://archive.orkl.eu/d6be926cd99f60becd3a32b88726289d84cafffd.txt",
		"img": "https://archive.orkl.eu/d6be926cd99f60becd3a32b88726289d84cafffd.jpg"
	}
}