Front Page

Nation-State Infrastructure

Operation Masquerade Dismantled: DOJ and Allies Seize APT28's 18,000-Router DNS Hijacking Network

The DOJ, FBI, UK NCSC, and allied agencies revealed on April 8 the court-authorized disruption of Operation Masquerade — a Russian GRU (APT28 / Fancy Bear) botnet of 18,000 compromised SOHO routers across 120+ countries. The GRU hijacked router DNS resolvers to redirect traffic to fraudulent servers impersonating Microsoft Outlook Web Access, silently harvesting passwords, authentication tokens, and email content.

The FBI deployed court-authorized commands directly to compromised US routers — collecting forensic evidence, resetting malicious DNS resolvers, and blocking the original access vector. DNS hijacking leaves no malware on victim endpoints; investigators must work entirely from router configuration snapshots, DNS query histories, and cloud-service authentication logs.

Cloud Forensics

CERT-EU's Kill Chain: How TruffleHog Became the Attacker's Pivot Tool Inside the Commission's AWS Environment

CERT-EU's April 12 reconstruction confirmed the Trivy breach reached 71 EU entities — 42 Commission bodies plus 29 other EU organizations. After obtaining the initial AWS API key, the attacker immediately used TruffleHog to harvest additional cloud credentials, then created a new IAM key attached to an existing user to blend into normal account activity.

The 340 GB of uncompressed data appeared on ShinyHunters nine days after initial access — compressing the remediation window to hours. Security tooling in CI/CD pipelines must itself be subject to integrity verification, and DFIR teams must add secrets-scanning tools like TruffleHog to their threat models as attacker pivot instruments.

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-34621

Adobe Acrobat & Reader — JavaScript prototype pollution enables RCE when a victim opens a crafted PDF; CVSS 8.6. Exploited since late 2025; emergency patch April 12; CISA KEV April 13 with April 27 federal deadline. Forensic Note: Review email gateway logs for PDF delivery and endpoint telemetry for Reader spawning unexpected child processes.

ACTIVE EXPLOIT
CVE-2012-1854

Microsoft Office VBA — Insecure library loading (DLL hijacking) originally disclosed 2012; re-added to CISA KEV April 13 due to active re-exploitation combined with modern initial-access chains. Forensic Note: Hunt for DLL side-loading artifacts in VBA macro process trees and unexpected DLL loads from user-writable directories.
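The two Forensic Notes above describe hunts over endpoint telemetry. The following is an added example, not code from the bulletin or any vendor: it runs both checks over constructed process-creation and image-load events in a simplified Sysmon-like record shape. The image names, the allowlist of expected Reader child processes and the user-writable path prefixes are assumptions to be tuned per environment.

```python
# Added example, not from the bulletin: event shape, image names, allowlists
# and path prefixes below are assumptions to tune per environment.
from pathlib import PureWindowsPath

READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
EXPECTED_READER_CHILDREN = {"acrocef.exe", "armsvc.exe"}  # assumed benign children
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def image_name(path):
    # Lower-cased file name of a Windows path; works on any host OS
    return PureWindowsPath(path).name.lower()

def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def hunt(events):
    """Return (rule, host, detail) tuples for events matching either hunt."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            # CVE-2026-34621 note: Reader spawning an unexpected child process
            parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
            if parent in READER_IMAGES and child not in EXPECTED_READER_CHILDREN:
                findings.append(("reader_child", ev["host"], f"{parent} -> {child}"))
        elif ev["type"] == "image_load":
            # CVE-2012-1854 note: Office macro host (or its child) loading a DLL
            # from a user-writable directory rather than its install path/System32
            tree = {image_name(ev["image"]), image_name(ev["parent_image"])}
            dll = ev["loaded"]
            if tree & OFFICE_IMAGES and dll.lower().endswith(".dll") and is_user_writable(dll):
                findings.append(("office_dll_user_dir", ev["host"], dll))
    return findings

# Constructed sample telemetry: one benign and one suspicious event per hunt
READER = r"C:\Program Files\Adobe\Reader\AcroRd32.exe"
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "parent_image": READER,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "host": "ws01", "parent_image": READER,
     "image": r"C:\Program Files\Adobe\Reader\AcroCEF\AcroCEF.exe"},
    {"type": "image_load", "host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": WORD, "loaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"type": "image_load", "host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": WORD, "loaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Run against the constructed events it reports the cmd.exe child of AcroRd32.exe on ws01 and the version.dll load from a user Temp directory on ws02, and stays silent on the two benign records.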

Malware Spotlight

Omnistealer (North Korea)

North Korea-linked infostealer using TRON blockchain as C2 — payloads embedded in BSC transaction input fields, making sinkholing useless. Targets 10+ password managers, 60+ crypto wallets, and cloud credentials; ~300,000 credentials stolen. Forensic Note: Hunt outbound connections to TRON and Aptos RPC endpoints; on-chain transaction analysis is now a required DFIR capability for this class of malware.