RST TI Report Digest: 20 Apr 2026
ID: b3e886a8-b3ce-5692-ac29-be2ef2594f7e
STIX ID: report--b3e886a8-b3ce-5692-ac29-be2ef2594f7e
Feed Name: RST Cloud Blog
**PhantomCore active campaign and KermitRAT:** PhantomCore, active since 2022, has expanded its toolkit with a proprietary RAT called KermitRAT. It uses phishing (malicious HTA files disguised as PDFs), registry changes for persistence, MeshAgent/MeshCentral infrastructure, and integrations with tools like CyberStrikeAI and Sliver. The report documents a specific April 8, 2026 attack and provides numerous IoCs (IPs, domains, URLs, file hashes, and an email) for detection and response.
