For named recipients only. No further disclosure permitted. This report may not be shared outside of the individuals explicitly listed in the distribution. Unauthorized disclosure may compromise ongoing investigations and operational security.
Executive Summary
Nerd@Heart has identified active exploitation of a previously unknown vulnerability (CVE pending) in a widely deployed interbank transaction processing platform. The vulnerability allows remote code execution with SYSTEM-level privileges on affected hosts. At least three financial institutions have confirmed compromise as of 02 March 2026.
Given the severity and active exploitation status, this report is issued under TLP:RED with restricted distribution to named recipients involved in incident response coordination.
Key Findings
- The vulnerability resides in the authentication module of the transaction gateway, exploitable via crafted SWIFT-format messages.
- Exploitation grants full control of the transaction processing server, enabling message injection and transaction manipulation.
- The threat actor has deployed a custom implant (designated DARKLEDGER) that intercepts and modifies transaction data in real time.
- Infrastructure analysis links the operation to a financially motivated APT group with suspected state nexus.
- Estimated financial exposure across confirmed victims exceeds $200M in potentially manipulated transactions.
Technical Analysis
Vulnerability Details
The flaw exists in the XML parsing component of the authentication handshake. A specially crafted authentication request triggers a heap overflow, allowing arbitrary code execution in the context of the transaction processing service.
DARKLEDGER Implant
The implant operates as an in-memory module injected into the transaction processing pipeline. It selectively intercepts outbound transactions matching specific routing criteria and modifies beneficiary account details. The modifications are designed to be below automated fraud detection thresholds.
IF transaction.amount > THRESHOLD_MIN
   AND transaction.amount < THRESHOLD_MAX
   AND transaction.routing IN TARGET_ROUTES:
    transaction.beneficiary = SUBSTITUTE_ACCOUNT
    transaction.checksum = RECALCULATE(transaction)
    LOG_SUPPRESS(transaction.id)
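The modification logic above means the gateway's own checksum and log cannot be trusted; detection has to compare independent records. The following reconciliation routine is an added example, not part of the original report or the platform, and its record layout, field names and sample transfers are constructed assumptions: it matches outbound messages against the originating instructions and flags beneficiary substitutions as well as transactions missing from the gateway log (the LOG_SUPPRESS behaviour).

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed record type; field names are assumptions, not the platform's schema.
@dataclass(frozen=True)
class Transfer:
    tx_id: str
    amount: int          # minor currency units
    routing: str
    beneficiary: str

# Source of truth: instructions as entered in the originating system (constructed sample).
ORIGINATED: List[Transfer] = [
    Transfer("T1001",  4_900_000, "RT-NYC-01", "ACCT-111"),
    Transfer("T1002",    250_000, "RT-NYC-01", "ACCT-222"),
    Transfer("T1003",  7_200_000, "RT-LDN-02", "ACCT-333"),
    Transfer("T1004", 60_000_000, "RT-NYC-01", "ACCT-444"),
]

# What actually left the gateway (constructed): T1003 carries a substituted beneficiary,
# the others are unchanged.
OUTBOUND: List[Transfer] = [
    Transfer("T1001",  4_900_000, "RT-NYC-01", "ACCT-111"),
    Transfer("T1002",    250_000, "RT-NYC-01", "ACCT-222"),
    Transfer("T1003",  7_200_000, "RT-LDN-02", "ACCT-999"),
    Transfer("T1004", 60_000_000, "RT-NYC-01", "ACCT-444"),
]

# The gateway's own transaction log (constructed): T1003 is absent, i.e. suppressed.
GATEWAY_LOG_IDS: Set[str] = {"T1001", "T1002", "T1004"}

def reconcile(originated: List[Transfer], outbound: List[Transfer],
              log_ids: Set[str]) -> Dict[str, List[str]]:
    """Return findings keyed by tx_id. Compares two independent records instead of
    trusting the gateway checksum, which the implant recalculates after tampering."""
    by_id = {t.tx_id: t for t in originated}
    findings: Dict[str, List[str]] = {}
    for sent in outbound:
        issues: List[str] = []
        src = by_id.get(sent.tx_id)
        if src is None:
            issues.append("no originating instruction")
        else:
            if sent.beneficiary != src.beneficiary:
                issues.append(f"beneficiary changed {src.beneficiary}->{sent.beneficiary}")
            if sent.amount != src.amount or sent.routing != src.routing:
                issues.append("amount/routing mismatch")
        if sent.tx_id not in log_ids:
            issues.append("missing from gateway log")
        if issues:
            findings[sent.tx_id] = issues
    return findings
```

Run over the full outbound history for the reconciliation window; a cluster of findings within one amount band is consistent with the threshold-tuned selection described above.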
Indicators of Compromise
Due to TLP:RED restrictions, IOCs are provided in a separate encrypted attachment distributed to named recipients via secure channel. Contact your designated Nerd@Heart liaison for access.
Immediate Actions Required
- Isolate all instances of the affected transaction platform from external network connectivity immediately.
- Conduct memory forensics on transaction processing servers — DARKLEDGER operates entirely in-memory and will not appear on disk scans.
- Initiate transaction reconciliation for all outbound transfers processed in the last 45 days through affected systems.
- Engage national financial sector CERT under existing confidential reporting protocols.
- Do NOT disclose the existence of this vulnerability or investigation to parties outside the named distribution list.
For named recipients only. No further disclosure permitted. Unauthorized sharing of this report or its contents may compromise active incident response operations and ongoing law enforcement investigations.