The #APT36 cluster can't stop, won't stop

216.73.216.226

The #APT36 cluster can't stop, won't stop

· Published 23/06/2026 21:23

Essential information

Published: 23/06/2026 21:23
Modified: —
Source / Author: AlienVault
Confidence: 100/100
Report type(s): threat-report
Labels / Tags: apt36 crystalshell firepower lnk rtf turkey
Related entities: 5 indicators, 1 intrusion sets (apt), 2 malware

Description

They just added #CVE-2026-21509 and #CVE-2026-21513 (borrowed from APT28) onto their delivery chain, pushing updated FIREPOWER via weaponized RTF and LNKs against 🇮🇳 targets. Separately, fresh SheetCreep + a shiny new CrystalShell-Slack variant co-dropped on a Kashmir target, because one implant is never enough. The vibeware factory is running three shifts: Crystal, .NET and PowerShell.

External references

AlienVault (6a3add255a93c4e851962479)
AlienVault

The #APT36 cluster can't stop, won't stop

Essential information

Description

Related entities

Indicators (5)

Intrusion sets (APT) (1)

Malware (2)

External references