← Back to Threat Briefs

Cyber Threat Brief — February 28, 2026

⚠️ This report is AI-generated. Always validate findings.

Cyber Threat Brief — February 28, 2026

Three threats with fresh, actionable artifacts landed in the last 24 hours: APT37’s “Ruby Jumper” toolkit for bridging air-gapped systems via removable media, a new YARA rule + hashes for Prosperous Werewolf (Trinper/LeetAgent), and a GitHub PoC demonstrating MCP tool-poisoning / indirect prompt injection leading to unauthorized filesystem access.

1. APT37 “Ruby Jumper” — Air-Gap Bridging via Removable Media

What’s New (Last 24 Hours)

Zscaler ThreatLabz (via BleepingComputer, Feb 27) detailed APT37’s new five-tool toolkit — RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE — designed to bridge air-gapped systems via removable drives. RESTLEAF uses Zoho WorkDrive as C2, SNAKEDROPPER installs a disguised Ruby 3.3.0 runtime (usbspeed.exe) and corrupts RubyGems via a scheduled task (rubyupdatecheck) to auto-load malicious code. THUMBSBD creates hidden directories on USB drives and turns them into a bidirectional C2 relay. VIRUSTASK spreads via LNK replacement. FOOTWINE is a full spyware backdoor (keylog, screenshot, audio/video, remote shell).

Actionable Intel (Mapped to MITRE ATT&CK)

ArtifactTypeATT&CK TechniqueHow to Use
usbspeed.exeIOCT1036.005Alert on any host executing usbspeed.exe; cross-correlate with PowerShell parent and subsequent Ruby file drops.
rubyupdatecheckIOCT1053.005Detect creation/execution of scheduled task named rubyupdatecheck; correlate with RubyGems file modifications.
operating_system.rb (RubyGems default replaced)IOCT1565.001Monitor RubyGems library files for unexpected modifications; alert on operating_system.rb writes outside gem install paths.
ascii.rb (THUMBSBD)IOCT1092Hunt for ascii.rb creation in user-writable paths and on removable media alongside hidden directory creation on USB drives.
bundler_index_client.rb (VIRUSTASK)IOCT1092Detect bundler_index_client.rb on endpoints and USB drives; correlate with LNK replacement of legitimate user files.
LNK → PowerShell payload extraction chainTTPT1204.002Hunt process trees where explorer.exe/LNK launches PowerShell that decodes embedded payload and spawns usbspeed.exe.
PowerShell extracts and executes payload from LNKTTPT1059.001Alert on PowerShell launched by LNK with no parent CLI args that immediately writes Ruby binaries to disk.

Hunt Queries (Pseudo)

FROM endpoint_telemetry
WHERE timestamp >= now()-24h
  AND process_name IN ('usbspeed.exe')
  OR scheduled_task_name LIKE '%rubyupdatecheck%'
  OR file_path CONTAINS ANY ('ascii.rb', 'bundler_index_client.rb', 'operating_system.rb')
  OR (process_name = 'powershell.exe' AND parent_process LIKE '%.lnk%')
SELECT host, user, process_name, cmdline, file_path, parent_process
ORDER BY timestamp DESC

Detect Queries (Pseudo)

RULE apt37_ruby_jumper_detection
WHEN
  event.type IN (process_start, file_create, scheduled_task_create, dns_query)
  AND any(event.observable IN [
    'usbspeed.exe', 'rubyupdatecheck', 'ascii.rb',
    'bundler_index_client.rb', 'operating_system.rb'
  ])
  AND mitre.technique_id IN ['T1036.005', 'T1053.005', 'T1565.001', 'T1092', 'T1204.002', 'T1059.001']
THEN
  alert.severity = 'critical'
  alert.title = 'APT37 Ruby Jumper — air-gap bridging toolkit detected'
  group_by = [host, user, process_name]
  window = 30m

Detection Coverage (Existing Rules)

SourceExisting Detections
SplunkAttacker Tools On Endpoint
Malicious PowerShell Process - Execution Policy Bypass
Detect Certify With PowerShell Script Block Logging
ElasticA scheduled task was created
Command and Scripting Interpreter via Windows Scripts
Disabling Windows Defender Security Settings via PowerShell
SigmaAlternate PowerShell Hosts - PowerShell Module
Base64 Encoded PowerShell Command Detected
Cmd.EXE Missing Space Characters Execution Anomaly

Sources

2. Prosperous Werewolf (Trinper/LeetAgent) — New YARA Rule + Hashes Published

What’s New (Last 24 Hours)

Researcher @t3ft3lb published a new YARA rule (day_59.yara, committed 2026-02-28T20:58Z) for the Prosperous Werewolf / Team46 / TaxOff / ForumTroll group’s Trinper (LeetAgent) backdoor. The rule includes three SHA-256 hashes, characteristic wide-string patterns (CBC mode encryption, cmd.exe /u /c invocation, keylogger key tokens), and API imports (BCryptEncrypt, PeekNamedPipe, WriteProcessMemory, HttpOpenRequestW, GetDriveType) for high-fidelity detection.

Actionable Intel (Mapped to MITRE ATT&CK)

ArtifactTypeATT&CK TechniqueHow to Use
2a0c6a66774cc535f51e1a12d81ba6aa346934aa542291cee0c57f3bc9373a8eIOCT1055Block/quarantine; retrohunt file events and EDR telemetry for this SHA-256 across all endpoints.
7e82b3f1be69d34684a4aa4823ef0d5ae864db3501fae5a0c3697bcd28df5cefIOCT1055Pivot from this hash to related file paths, parent processes, and outbound connections.
e93c1a0696b59a58e2444eb69ddf165eed71ad159624674a7fe6c91e9852443aIOCT1055Use as a high-confidence IOC for retro-hunts and hash-based detection enrichment.
cmd.exe /u /c “%s” (unicode cmd execution pattern)TTPT1059.003Hunt for cmd.exe with /u flag launched by unusual parent processes (document viewers, staged droppers).
WriteProcessMemory (API import in Trinper)TTPT1055Detect process injection sequences where WriteProcessMemory is called followed by remote thread creation.

Hunt Queries (Pseudo)

FROM endpoint_telemetry
WHERE timestamp >= now()-24h
  AND file_hash IN (
    '2a0c6a66774cc535f51e1a12d81ba6aa346934aa542291cee0c57f3bc9373a8e',
    '7e82b3f1be69d34684a4aa4823ef0d5ae864db3501fae5a0c3697bcd28df5cef',
    'e93c1a0696b59a58e2444eb69ddf165eed71ad159624674a7fe6c91e9852443a'
  )
  OR (process_name = 'cmd.exe' AND cmdline LIKE '%/u /c%')
SELECT host, user, process_name, cmdline, file_hash, parent_process
ORDER BY timestamp DESC

Detect Queries (Pseudo)

RULE trinper_backdoor_detection
WHEN
  event.type IN (process_start, file_create, network_connection)
  AND any(event.observable IN [
    '2a0c6a66774cc535f51e1a12d81ba6aa346934aa542291cee0c57f3bc9373a8e',
    '7e82b3f1be69d34684a4aa4823ef0d5ae864db3501fae5a0c3697bcd28df5cef',
    'e93c1a0696b59a58e2444eb69ddf165eed71ad159624674a7fe6c91e9852443a'
  ])
  AND mitre.technique_id IN ['T1055', 'T1059.003']
THEN
  alert.severity = 'high'
  alert.title = 'Prosperous Werewolf Trinper backdoor hash match'
  group_by = [host, user, file_hash]
  window = 15m

Detection Coverage (Existing Rules)

SourceExisting Detections
SplunkCreate Remote Thread In Shell Application
CMD Carry Out String Command Parameter
Detect Prohibited Applications Spawning cmd exe
ElasticMemory Threat - Detected - Elastic Defend
Potential Process Injection via PowerShell
Conhost Spawned By Suspicious Parent Process
SigmaCobaltStrike Named Pipe
HackTool - CACTUSTORCH Remote Thread Creation
Dllhost.EXE Execution Anomaly

Sources

3. MCP Tool-Poisoning / Indirect Prompt Injection PoC — Unauthorized Filesystem Access

What’s New (Last 24 Hours)

A new GitHub PoC (piyerx/MCP-Weather-Exploit-Research, updated 2026-02-28T18:05Z) demonstrates indirect prompt injection via Model Context Protocol (MCP) tool metadata. By embedding hidden instructions in tool description fields, a malicious MCP server can cause agentic LLM clients (Claude Desktop, Gemini CLI tested) to perform unauthorized filesystem reads — including reading secrets and config files — without user awareness. Validated against real agentic clients, not just protocol inspectors.

Actionable Intel (Mapped to MITRE ATT&CK)

ArtifactTypeATT&CK TechniqueHow to Use
malicious_server.py (rogue MCP server)IOCT1566.002Hunt for execution of python malicious_server.py or unfamiliar MCP server processes on developer workstations.
config.json MCP endpoint modificationTTPT1588.002Audit MCP client config files for new/changed tool endpoints not in an approved allowlist; alert on unexpected additions.
Hidden instructions in tool description fieldTTPT1059Defensively parse and sanitize MCP tool descriptions; hunt for agent clients executing file-read commands after tool-list responses.
Unauthorized filesystem reads by agent clientTTPT1005Detect abnormal file access by LLM client processes (e.g., reading ~/.ssh/, secrets/, memory/, *.json configs) following MCP tool ingestion.

Hunt Queries (Pseudo)

FROM endpoint_telemetry
WHERE timestamp >= now()-24h
  AND (
    process_name IN ('claude', 'gemini', 'cursor', 'copilot')
    AND file_path CONTAINS ANY ('.ssh', 'secrets', 'memory', 'config.json', '.env')
    AND event.type = 'file_read'
  )
  OR (process_name = 'python' AND cmdline LIKE '%malicious_server%')
SELECT host, user, process_name, cmdline, file_path, parent_process
ORDER BY timestamp DESC

Detect Queries (Pseudo)

RULE mcp_tool_poisoning_detection
WHEN
  event.type IN (file_read, process_start, network_connection)
  AND any(event.observable IN [
    'malicious_server.py',
    'config.json (mcp endpoint)',
    'unauthorized filesystem reads by agent client'
  ])
  AND mitre.technique_id IN ['T1566.002', 'T1588.002', 'T1059', 'T1005']
THEN
  alert.severity = 'high'
  alert.title = 'MCP tool-poisoning / indirect prompt injection attempt'
  group_by = [host, user, process_name]
  window = 15m

Detection Coverage (Existing Rules)

SourceExisting Detections
SplunkCisco NVM - Installation of Typosquatted Python Package
Cisco NVM - Suspicious File Download via Headless Browser
CHCP Command Execution
ElasticApple Script Execution followed by Network Connection
Command Prompt Network Connection
Base64 Decoded Payload Piped to Interpreter
SigmaAdd Insecure Download Source To Winget
Alternate PowerShell Hosts - PowerShell Module
AppLocker Prevented Application or Script from Running

Sources