
Maltrail IOC for 2026-03-24

Severity: Medium
Published: Tue Mar 24 2026 (03/24/2026, 00:00:00 UTC)
Source: CIRCL OSINT Feed
Vendor/Project: tlp
Product: clear

Description

Maltrail IOC for 2026-03-24

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 08:16:40 UTC

Technical Analysis

This Maltrail IOC report, dated 2026-03-24, compiles indicators tied to several malware and APT campaigns, drawn from network activity and OSINT-derived threat intelligence. It lists URLs and domains associated with multiple threat actors and malware families, including APT Sidewinder, APT Kimsuky, UNC2465, Android Joker malware, and fake Android applications. These indicators represent command and control (C2) servers, phishing domains, and compromised infrastructure used to distribute or control malware. Notably, the report references compromised open-source tools such as Trivy, which threat actors have targeted to insert malicious code, pointing to a supply chain attack vector. The absence of CVEs or patches indicates that these are not newly discovered software vulnerabilities but active malicious infrastructure and malware campaigns. The intelligence comes from manual OSINT collection and external analysis, so its primary use is network-level detection and blocking. No active exploits or ransomware campaigns are currently known, but the number of APT-linked domains and URLs indicates persistent targeting of organizations, especially those with Android device fleets or a reliance on open-source security tools. The medium severity rating reflects the moderate risk these indicators pose; they require proactive monitoring and mitigation to prevent infection or data exfiltration.

Potential Impact

The potential impact is significant for organizations worldwide, particularly those with Android device ecosystems, software supply chains that depend on open-source tools, or exposure to targeted APT campaigns. Successful infection could lead to unauthorized access, data theft, espionage, or disruption of operations. Fake Android apps and Joker malware variants can result in financial fraud, credential theft, and persistent device compromise. Supply chain attacks through compromised tools such as Trivy undermine trust in software development and deployment pipelines and can affect a wide range of enterprises and developers. The multiple APT-linked domains point to targeted espionage campaigns that could affect government, defense, technology, and critical infrastructure sectors. Although no ransomware or widespread exploits are currently reported, these threats evolve, and organizations that do not act on the indicators face increased risk. A network-level compromise could also enable lateral movement and further infiltration within corporate environments.

Mitigation Recommendations

Organizations should deploy targeted network defenses to block and monitor traffic to the listed malicious domains and URLs associated with the identified threat actors and malware families, and keep intrusion detection/prevention systems (IDS/IPS) updated with these IOCs to detect suspicious network activity. Run thorough endpoint security scans on Android devices to identify and remove fake apps and Joker malware variants. Review and harden software supply chain security by verifying the integrity of open-source tools such as Trivy and monitoring for unusual commits or updates. Use threat intelligence sharing to stay current on evolving indicators linked to these APT groups. Enforce strict application whitelisting and mobile device management (MDM) policies to control app installations on corporate devices. Strengthen user awareness training on the phishing and social engineering tactics used to distribute fake apps. Regularly audit DNS logs and network traffic for connections to suspicious domains, and isolate affected systems promptly. Finally, maintain incident response plans tailored to APT and supply chain attack scenarios to minimize damage and recovery time.


Technical Details

UUID: d1412427-b81f-4ad5-be0f-bb404d448aeb
Original Timestamp: 1774339205

Indicators of Compromise


Threat ID: 69c2482ff4197a8e3b034543

Added to database: 3/24/2026, 8:15:43 AM

Last enriched: 3/24/2026, 8:16:40 AM

Last updated: 3/24/2026, 9:34:49 AM

