APT28 wellnesscaremed[.]com multistage LNK campaign
Campaign
Summary
An APT28-linked LNK/HTML delivery chain is being used to deliver multistage payloads, indicating an ongoing phishing-style operation that widens the attacker's available exploitation paths. The infrastructure centers on wellnesscaremed[.]com and was associated with a malicious artifact uploaded on January 30, 2026. The technique can bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), raising the risk of code execution outside the browser sandbox.
Related Happenings
Hugging Face shared-loader supply chain campaign
Campaign
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....
GlassWorm open-source supply-chain campaign targeting developers
Campaign
First: 14.03.2026 14:55
Last: 14.03.2026 14:55
Sources 1
About this happening:
The **GlassWorm** campaign has added a new **Open VSX** wave of **73 cloned VS Code extensions** that impersonate legitimate packages to build trust before delivering malware. **S...
Latest development: 17.03.2026 23:42
GlassWorm renewed its supply-chain campaign against GitHub, npm, and VSCode/OpenVSX, with researchers identifying 433 compromised components this month across 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. The operators compromised GitHub accounts to force-push malicious commits, published obfuscated code using invisible Unicode characters, and used Solana blockchain transactions as C2 to deliver a Node.js runtime and a JavaScript-based information stealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Stryker hit by cyberattack
Incident
First: 12.03.2026 11:30
Last: 12.03.2026 11:30
Sources 1
About this happening:
Stryker confirmed a **cyberattack** that caused **global disruption** to its **Microsoft environment**, interrupting access to business systems and applications. The company said...
SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
Campaign
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...
APT28 Operation MacroMaze campaign targeting Western and Central Europe
Campaign
First: 23.02.2026 21:41
Last: 23.02.2026 21:41
Sources 1
About this happening:
**APT28** was attributed to **Operation MacroMaze**, a **spear-phishing** campaign against entities in **Western and Central Europe** that used **basic tooling** and **webhook[.]s...
Timeline
- 02.03.2026 12:36 · 1 article · 2mo ago
APT28-linked malicious artifact reaches VirusTotal
Campaign Scope Update: A malicious artifact associated with APT28-linked infrastructure was uploaded to VirusTotal on January 30, 2026, providing an early dated marker for the campaign's LNK/HTML delivery activity.
Sources:
- APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday — thehackernews.com — 02.03.2026 12:36
- 02.03.2026 12:36 · 2 articles · 2mo ago
Akamai ties CVE-2026-21513 exploitation to APT28
Initial Disclosure: Akamai linked possible exploitation of CVE-2026-21513 against victims opening malicious HTML or LNK files to APT28, while Microsoft said the MSHTML Framework security feature bypass had already been used as a zero-day and fixed it in the February 2026 Patch Tuesday release; the analysis described a crafted Windows Shortcut that can invoke ShellExecuteExW, bypass Mark-of-the-Web (MotW) and Internet Explorer Enhanced Security Configuration (IE ESC), and use wellnesscaremed[.]com for multistage payload delivery.
Sources:
- APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday — thehackernews.com — 02.03.2026 12:36