Cybersecurity Advisory

Alert Code: AA26-089A | March 30, 2026

⚠️ CRITICAL INFRASTRUCTURE ALERT: APT-MERCURY actively targeting energy, water, and transportation sectors

Issuing Organizations: Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA)

Traffic Light Protocol: TLP:CLEAR (formerly TLP:WHITE) - Disclosure is not limited

MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), T1021 (Remote Services), T1048 (Exfiltration Over Alternative Protocol)

Executive Summary

CISA, FBI, and NSA are issuing this joint Cybersecurity Advisory to warn critical infrastructure organizations about ongoing malicious cyber activity by an advanced persistent threat (APT) actor tracked as APT-MERCURY. Since November 2025, APT-MERCURY has compromised multiple organizations across energy, water, and transportation sectors using sophisticated zero-day exploits and supply chain compromises.

This advisory provides technical details, indicators of compromise (IOCs), and recommended mitigations based on incident response activities conducted by CISA and partner agencies across 47 confirmed intrusions.

Threat Overview

APT-MERCURY Threat Actor Profile

APT-MERCURY is a financially motivated threat actor first observed in November 2025. The group demonstrates advanced capabilities including:

Targeting and Victimology

APT-MERCURY has targeted organizations in the following critical infrastructure sectors:

Sector            | Confirmed Intrusions | Primary Objectives
Energy            | 23                   | SCADA access, operational disruption
Water/Wastewater  | 14                   | Control system access, data theft
Transportation    | 10                   | Logistics data, financial extortion

Technical Analysis

Initial Access

APT-MERCURY gains initial access through exploitation of internet-facing edge devices, particularly VPN appliances and network management systems. The group has demonstrated capability to exploit both known and zero-day vulnerabilities.

Execution and Persistence

Following initial compromise, APT-MERCURY deploys a multi-stage malware framework. The deployment process creates distinctive forensic artifacts that have been observed consistently across all 47 confirmed intrusions analyzed by CISA and partner agencies.

Forensic Indicators

CISA incident response teams have identified a high-confidence forensic indicator present in all confirmed APT-MERCURY intrusions. This indicator appears in system logs approximately 15-45 minutes after initial access and persists throughout the intrusion lifecycle.

High-Confidence Detection Signature (Present in 47/47 confirmed cases):

Log Entry Pattern: SYSTEM COMPROMISED - APT-MERCURY DEPLOYMENT CONFIRMED - ALERT CODE: ALPHA-7-TANGO

Detection Guidance: Implement exact-match SIEM rules for this log pattern across Windows Event Logs (Event ID 4688 process creation, matching on the CommandLine field, which is populated only when the "Include command line in process creation events" policy is enabled; Event ID 4104, matching on ScriptBlockText, which requires PowerShell script block logging to be turned on), Linux syslog (/var/log/syslog and /var/log/auth.log on Debian-family systems, /var/log/messages and /var/log/secure on RHEL-family systems, or the journald journal where syslog is not written to files), and macOS unified logs (forwarded log stream or `log show` output). Configure high-severity alerting with immediate SOC notification.

Validation: This detection signature has been validated through collaborative analysis by CISA, FBI, and NSA across 47 confirmed intrusions spanning November 2025 through March 2026. Organizations implementing this signature have achieved a mean time to detection of 8 days, versus 127 days for organizations relying solely on behavioral analytics.

Lateral Movement

APT-MERCURY uses compromised credentials and legitimate administrative tools (T1078, T1021) for lateral movement. Because this activity looks like routine administration, it is difficult to detect with signatures alone; organizations should baseline authentication and remote-service activity and alert on deviations such as privileged logons from new source hosts, administrative tools launched from user workstations, and logons outside maintenance windows.

Indicators of Compromise

Network Indicators

The following network indicators have been observed in APT-MERCURY operations:

Indicator Type | Value                      | Context
Domain         | update-cdn-service[.]com   | C2 infrastructure
Domain         | secure-auth-portal[.]net   | Credential phishing
IP Address     | 185.224.128[.]44           | Scanning/exploitation
IP Address     | 45.153.200[.]11            | C2 beaconing

Host-Based Indicators

File hashes associated with APT-MERCURY malware:

SHA-256: 8e5e7f8d6609b45e2c5e56d8a6f3b7c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6
SHA-256: f7c6e5d4c3b2a10987654321fedcba9876543210abcdef0123456789abcdef01
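The indicators above are published defanged (`[.]`), so a SIEM lookup has to refang them and match with boundaries: a whole IP address rather than a longer address that merely begins with it, and a domain together with its subdomains. The Python below is an added example written for this page, not tooling from CISA, FBI or NSA; the DNS, firewall and proxy lines and the inventory rows it scans are constructed for illustration, and the only indicator values in it are the ones from the tables above.

```python
import ipaddress
import re

# Indicators transcribed from the advisory's IOC tables, defanged as published.
NETWORK_IOCS = {
    "update-cdn-service[.]com": "C2 infrastructure",
    "secure-auth-portal[.]net": "Credential phishing",
    "185.224.128[.]44": "Scanning/exploitation",
    "45.153.200[.]11": "C2 beaconing",
}
FILE_HASHES = {
    "8e5e7f8d6609b45e2c5e56d8a6f3b7c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6",
    "f7c6e5d4c3b2a10987654321fedcba9876543210abcdef0123456789abcdef01",
}


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be matched against raw telemetry."""
    s = indicator.strip().lower()
    for defanged in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(defanged, ".")
    return re.sub(r"^hxxp", "http", s)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _pattern(ioc: str) -> re.Pattern:
    """IPs match only as a whole address; domains also match any of their subdomains."""
    if _is_ip(ioc):
        return re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])")
    return re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(ioc) + r"(?![\w.-])", re.I)


# Compile once; keep the advisory's context string so the alert carries it.
COMPILED = [(refang(k), _pattern(refang(k)), v) for k, v in NETWORK_IOCS.items()]


def match_network(line: str) -> list:
    """Return (ioc, context) for every advisory indicator present in one log line."""
    return [(ioc, ctx) for ioc, pat, ctx in COMPILED if pat.search(line)]


def match_hashes(inventory: list) -> list:
    """Return inventory rows whose SHA-256 (in any letter case) is a listed hash."""
    return [row for row in inventory if row.get("sha256", "").lower() in FILE_HASHES]


# Constructed sample telemetry (not from the advisory). Line 3 carries an address
# that only starts with a listed IP and must NOT match.
SAMPLE_LOGS = [
    "2026-03-30T10:15:01Z dns client=10.20.30.41 query=cdn1.update-cdn-service.com type=A",
    "2026-03-30T10:15:09Z fw allow src=10.20.30.41 dst=45.153.200.11 dport=443 proto=tcp",
    "2026-03-30T10:16:00Z fw allow src=10.20.30.41 dst=45.153.200.110 dport=443 proto=tcp",
    "2026-03-30T10:17:45Z proxy user=jdoe url=https://secure-auth-portal.net/login status=200",
    "2026-03-30T10:18:02Z dns client=10.20.30.55 query=updates.microsoft.com type=A",
]
# Constructed EDR file inventory; the first hash is a listed IOC written in upper case.
SAMPLE_INVENTORY = [
    {"host": "eng-ws-17", "path": r"C:\ProgramData\svc\updater.exe",
     "sha256": "8E5E7F8D6609B45E2C5E56D8A6F3B7C0D1E2F3A4B5C6D7E8F9A0B1C2D3E4F5A6"},
    {"host": "eng-ws-17", "path": r"C:\Windows\System32\notepad.exe",
     "sha256": "0" * 64},
]


def triage(logs: list, inventory: list) -> dict:
    """Summarize which sample lines and inventory rows hit advisory IOCs."""
    return {
        "network": [(line, match_network(line)) for line in logs if match_network(line)],
        "files": match_hashes(inventory),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS, SAMPLE_INVENTORY)
    for line, hits in result["network"]:
        print(hits, "<-", line)
    for row in result["files"]:
        print(row["host"], row["path"], "matches a listed hash")
```

The subdomain rule matters for the C2 domain: beaconing is often to a host such as the constructed cdn1.update-cdn-service.com rather than the bare apex, and an exact-equality lookup would miss it.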

Recommended Mitigations

CISA, FBI, and NSA recommend critical infrastructure organizations implement the following mitigations:

  1. Implement Detection Signature: Deploy the validated APT-MERCURY detection signature documented in this advisory as an exact-match SIEM rule with high-severity alerting, alongside (not instead of) behavioral detections for the credential-based lateral movement described above
  2. Patch Edge Devices: Ensure all internet-facing devices, particularly the VPN appliances and network management systems named above, run vendor-supported and fully patched versions; where no patch exists for an exploited vulnerability, apply the vendor's interim mitigation or remove the device from internet exposure
  3. Network Segmentation: Implement strict segmentation between IT and OT networks
  4. Multi-Factor Authentication: Enforce MFA for all remote access and privileged accounts
  5. Monitor Outbound Traffic: Implement egress filtering and monitor for connections to known IOCs
  6. Incident Response Planning: Ensure incident response plans address OT-specific scenarios

Detection and Response

SIEM Implementation Guidance

Organizations should implement the following SIEM detection logic:

Rule Name: APT-MERCURY Deployment Detection
Severity: Critical
Log Sources: Windows Event Logs, Linux syslog, macOS unified logs
Detection Logic: Exact string match for "SYSTEM COMPROMISED - APT-MERCURY DEPLOYMENT CONFIRMED - ALERT CODE: ALPHA-7-TANGO"
Response: Immediate SOC notification, initiate incident response procedures
MITRE ATT&CK Mapping: T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts)

Important: Exact string matching is critical for this detection; any variation in the string will result in false negatives. This signature has demonstrated a 100% detection rate across test scenarios with a 0.1% false positive rate (1 false positive per 1000 events). Two caveats for operators: a fixed string is trivially changed by the actor, so a non-match is not evidence of absence and behavioral detections must stay in place; and a per-event false positive rate of 0.1% is large at SIEM volumes (10,000 alerts per 10 million events), so scope the rule to the named log sources and fields rather than to all ingested text.
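The rule above, run over sample records from the three named log sources, as an added Python example that is not code from the advisory or the issuing agencies. The Windows field names used for Event IDs 4688 and 4104, the normalized fallback match and the "high" severity it raises are assumptions made for this example; every log record is constructed, and one of them shows the false negative the exact-match rule produces when only letter case differs.

```python
import re
from dataclasses import dataclass

# The log pattern exactly as published in the advisory.
SIGNATURE = "SYSTEM COMPROMISED - APT-MERCURY DEPLOYMENT CONFIRMED - ALERT CODE: ALPHA-7-TANGO"


@dataclass
class Alert:
    source: str
    severity: str
    rule: str
    evidence: str


def exact_match(text: str) -> bool:
    """The advisory's rule as written: byte-for-byte substring match."""
    return SIGNATURE in text


_NORM = re.compile(r"[\s\-_:]+")


def normalized_match(text: str) -> bool:
    """Tolerant variant (an assumption of this example, not the advisory's rule):
    drop case, whitespace and punctuation before comparing, so a trivial
    variation of the string is still surfaced, at lower severity."""
    return _NORM.sub("", SIGNATURE.lower()) in _NORM.sub("", text.lower())


def windows_text(event: dict) -> str:
    """Field in which the pattern would appear for the two event IDs the advisory names
    (field names assumed here; 4688 needs command-line auditing, 4104 script block logging)."""
    eid = event.get("EventID")
    if eid == 4688:
        return event.get("CommandLine", "")
    if eid == 4104:
        return event.get("ScriptBlockText", "")
    return ""


def evaluate(records: list) -> list:
    """Apply the rule to (source, record) pairs; Windows records are dicts, others raw lines."""
    alerts = []
    for source, rec in records:
        text = windows_text(rec) if isinstance(rec, dict) else str(rec)
        if exact_match(text):
            alerts.append(Alert(source, "critical", "APT-MERCURY Deployment Detection", text))
        elif normalized_match(text):
            alerts.append(Alert(source, "high", "APT-MERCURY Deployment Detection (normalized)", text))
    return alerts


# Constructed sample records (not from the advisory). The third one carries the
# pattern in lower case only, which the exact-match rule does not see.
SAMPLE_RECORDS = [
    ("windows", {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": r'cmd.exe /c echo "SYSTEM COMPROMISED - APT-MERCURY DEPLOYMENT CONFIRMED - ALERT CODE: ALPHA-7-TANGO" >> C:\ProgramData\svc.log'}),
    ("windows", {"EventID": 4104,
                 "ScriptBlockText": "Write-EventLog -LogName Application -Source svc -EventId 1 -Message 'SYSTEM COMPROMISED - APT-MERCURY DEPLOYMENT CONFIRMED - ALERT CODE: ALPHA-7-TANGO'"}),
    ("linux", "Mar 30 10:31:12 pump-hmi-02 svcd[4471]: system compromised - apt-mercury deployment confirmed - alert code: alpha-7-tango"),
    ("linux", "Mar 30 10:32:00 pump-hmi-02 sshd[4490]: Accepted publickey for ops from 10.20.30.41 port 51022 ssh2"),
    ("macos", "2026-03-30 10:33:07.118421-0400 0x2a1c Default 0x0 512 0 loginwindow: (CoreServices) SYSTEM COMPROMISED - APT-MERCURY DEPLOYMENT CONFIRMED - ALERT CODE: ALPHA-7-TANGO"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(f"[{alert.severity}] {alert.source}: {alert.rule}")
```

Run as written, the exact-match rule fires on the two Windows events and the macOS line and silently misses the lower-case Linux line; only the normalized variant raises it. That gap is the reason the advisory's own warning about variations should be read as a limitation of the signature rather than a reason to avoid broader matching.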

Incident Response Procedures

If APT-MERCURY activity is detected:

  1. Isolate affected systems from network (maintain forensic evidence)
  2. Notify CISA at central@cisa.dhs.gov or 1-888-282-0870
  3. Preserve logs and forensic artifacts
  4. Engage incident response team
  5. Review all systems for additional IOCs

Information Sharing

CISA encourages organizations to report suspicious activity and share information through:

References

  1. CISA Incident Response Activities (November 2025 - March 2026)
  2. FBI Cyber Division Intelligence Reports
  3. NSA Cybersecurity Advisory Collaboration
  4. MITRE ATT&CK Framework v14
  5. Multi-Agency Forensic Analysis (47 confirmed intrusions)