DAILY WORKFLOW ARCHIVE

2026-05-03 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-03 AI创业新闻

Trellix Confirms Source Code Breach With Unauthorized Repository Access

Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a “portion” of its source code. It said it “recently identified” the compromise of its source code repository and that it began working with “leading forensic experts” to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the exact nature of the data that may have been accessed by the attackers.

However, it pointed out that there are no indications that its source code has been affected or exploited. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited,” the company added. The company did not share any details about who may be behind the incident, and for how long the attackers had access to its systems. Trellix noted that additional information will be shared as appropriate once its investigation is complete.

Owned by Symphony Technology Group, Trellix was founded in January 2022 following the merger of McAfee Enterprise and FireEye. Around the same time, Mandiant, which was owned by FireEye, was acquired by Google in a deal worth $5.4 billion. When reached for comment, a spokesperson for Trellix acknowledged the breach and shared the same official statement posted on its website. (This is a developing story.

Please check back for more details.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign

A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a “phishing relay” to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of the campaign. “What we found wasn’t a single phishing kit,” security researcher Shaked Chen wrote in a report shared with The Hacker News.

“It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.” The findings are just the latest example of how Vietnamese threat actors continue to embrace various tactics to gain unauthorized access to victims’ Facebook accounts, which are then sold on underground ecosystems for monetary gain. The starting point of the latest attacks is a phishing email targeting Facebook Business account owners, claiming to be from Meta Support and urging them to submit an appeal, or risk getting their account permanently deleted. The emails are sent from a Google AppSheet address (“noreply@appsheet.com”), allowing them to bypass spam filters. This false sense of urgency is used to direct users to a fake web page designed to harvest their credentials.

It’s worth noting that a similar campaign was reported by KnowBe4 in May 2025. Over the past few weeks, these campaigns have adopted various kinds of lures designed to induce a “Meta-related panic.” These range from account disablement and copyright complaints to verification review, executive recruitment, and Facebook login alerts. The four main clusters identified by Guardio are listed below - Netlify-hosted Facebook help center pages that enable account takeover attacks, in addition to collecting dates of birth, phone numbers, and government-issued ID photos. The data is ultimately forwarded to an attacker-controlled Telegram channel.

Blue badge evaluation lures that guide victims to Vercel-hosted “Security Check” or “Meta Privacy Center” pages that are gated by a bogus CAPTCHA check before directing users to the phishing landing page to collect contact details, business information, credentials (after a forced retry), and two-factor authentication (2FA) codes and exfiltrate them to a Telegram channel. Google Drive-hosted PDFs masquerading as instructions to complete account verification to direct users to collect passwords, 2FA codes, government ID photos, and browser screenshots through html2canvas. The PDF documents are generated using a free Canva account. Fake job offers that impersonate companies like WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport with the recipients and ask them to join a call or continue the discussion on attacker-controlled sites.

Cumulatively, the Telegram channels associated with the first three clusters have been found to hold about 30,000 victim records, most of whom are located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico, and have been locked out of their own accounts. As for who is behind the operation, the smoking gun evidence has come from the PDFs generated as part of the third cluster using the free Canva account, with metadata listing a Vietnamese name “PHẠM TÀI TÂN” as the files’ author. Further open-source intelligence has led to the discovery of a website (“phamtaitan[.]vn”), where they offer digital marketing services. In a post shared on X in February 2023, the website’s handle said it “specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies.” “Taken together, they form a consistent picture of a large, Vietnamese-based, mega operation,” Chen said.

“This campaign is bigger than a single AppSheet abuse. It’s a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks

Cybersecurity researchers are warning of two cybercrime groups that are carrying out “rapid, high-impact attacks” operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities. Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com . “In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,” CrowdStrike’s Counter Adversary Operations said in a report.

“By operating almost exclusively within trusted SaaS environments, they minimize their footprint while accelerating time to impact. The combination of speed, precision, and SaaS-only activity creates significant detection and visibility challenges for defenders.” In a report published back in January 2026, Google-owned Mandiant revealed that the two clusters represent an expansion in threat activity that employs tactics consistent with extortion-themed attacks carried out by the ShinyHunters group. This involves impersonating IT staff in calls to deceive victims and obtain their credentials and multi-factor authentication (MFA) codes by directing them to phishing pages. Snarky Spider begins exfiltration in under an hour As recently as last week, Palo Alto Networks Unit 42 and Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) assessed with moderate confidence that the attackers behind CL-CRI-1116 are also most likely associated with The Com, adding that the intrusions primarily rely on living-off-the-land (LotL) techniques, as well as utilize residential proxies to conceal their geographic location and bypass basic IP-based reputation filters.

“CL-CRI-1116 activity has been actively targeting the retail and hospitality space since February 2026, specifically leveraging vishing attacks impersonating IT help desk personnel in combination with phishing login sites to steal credentials,” researchers Lee Clark, Matt Brady, and Cuong Dinh said. Attacks mounted by the two groups are known to register a new device in order to bypass MFA and maintain access to compromised access – but not before removing existing devices – following which the threat actors move to suppress automated email notifications related to unauthorized device registration by configuring inbox rules that automatically delete such messages. The next stage entails pivoting to targeting high-privileged accounts via further social engineering by scraping internal employee directories. Upon again elevated access, the adversaries break into target SaaS environments to look for high-value files and business-critical reports in Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce, and then exfiltrate data of interest to infrastructure under its control.

“In most observed cases, these credentials grant access to the organization’s identity provider (IdP), providing a single point of entry into multiple SaaS applications,” CrowdStrike said. “By abusing the trust relationship between the IdP and connected services, the adversaries bypass the need to compromise individual SaaS apps and instead move laterally across the victim’s entire SaaS ecosystem with a single authenticated session.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists

Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053 . The adversarial collective is assessed to be active since at least December 2024, while sharing some level of network overlap with CL-STA-0049, Earth Alux, and REF7707 . “The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells ( Godzilla ) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables,” security researchers Daniel Lunghi and Lucas Silva said in an analysis.

Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country that features in the threat actor’s victimology footprint is Poland. The cybersecurity vendor said it observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed. The starting point of the attacks is the exploitation of known security flaws to breach unpatched systems and drop web shells like Godzilla to facilitate persistent remote access.

The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL side-loading. In at least one case, the weaponization of the React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT). It’s worth mentioning here that the Google Threat Intelligence Group (GTIG) linked this attack chain to a group known as UNC6595.

Also put to use are open-source tunneling tools like the IOX, GO Simple Tunnel (GOST), and Wstunnel, as well as RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 has been found to use Mimikatz, while lateral movement is accomplished using a custom remote desktop protocol (RDP) launcher and C# implementation of SMBExec known as Sharp-SMBExec . “The primary entry vector used in this campaign were vulnerabilities in internet-facing IIS applications,” Trend Micro said. “Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS.” “In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching).” GLITTER CARP and SEQUIN CARP Go After Activists and Journalists The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists.

The wide-ranging campaigns were first detected in April and June 2025, respectively. The clusters have been codenamed GLITTER CARP , which has singled out the International Consortium of Investigative Journalists (ICIJ), and SEQUIN CARP , whose main target was ICIJ journalist Scilla Alecci and other international journalists writing about topics of critical interest to the Chinese government. “The actor employs well-thought-out digital impersonation schemes in phishing emails, including impersonation of known individuals and tech company security alerts,” the Citizen Lab said . “Although the targeted groups vary, this activity employs the same infrastructure and tactics across all cases, frequently reusing the same domains and same impersonated individuals across multiple targets.” GLITTER CARP, besides conducting broad-scale phishing attacks, has been tied to phishing campaigns targeting the Taiwanese semiconductor industry.

Some aspects of these efforts were previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP (aka UNK_DualTone), on the other hand, shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH . The end goal of the campaigns is to obtain initial access to email-based accounts via credential harvesting, phishing pages, or by socially engineering the target into granting access to a third-party OAuth token. GLITTER CARP’s phishing emails also involve the use of 1x1 tracking pixels that point to a URL on the attacker’s domain to gather device information and confirm if they were opened by the recipients.

The Citizen Lab said it “observed concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch).” This indicates some level of overlap between these groups, it added, although the precise nature of the relationship remains unknown. “Our analysis of the GLITTER CARP and SEQUIN CARP attacks shows that digital transnational repression increasingly operates through a distributed network of actors,” the research unit said. “The targets we identified in both GLITTER CARP and SEQUIN CARP align with the intelligence priorities of the Chinese government.” “The breadth of targeting documented in this report and by others, combined with the available information on China’s past and current use of contractors which mirrors the activity we have observed, suggests with a medium level of confidence that commercial entities hired by the Chinese state may have been behind both clusters of activity described here.” When reached for comment, Mark Kelly, staff threat researcher at Proofpoint, told The Hacker News via email that both UNK_SparkyCarp and UNK_DualTone have carried identity-focused phishing activity against a range of targets, characterizing the targeting of civil society members as likely a “longstanding feature of these groups’ targeting” rather than a recent shift. “We have observed UNK_SparkyCarp (GLITTER CARP) conducting credential phishing activity against academic, political, semiconductor, and legal sector targets in the United States, Europe, and Taiwan,” Kelly added.

“We have not observed the group targeting civil society specifically.” “However, this is very likely a result of our visibility, and we concur with the attribution within Citizen Lab’s reporting. We understand the group has been heavily active in targeting civil society groups of interest to the Chinese government for some time, which is further supported by domains spoofing perceived opposition groups, such as Falun Gong, that date back several years.” Proofpoint also noted that it has detected UNK_DualTone targeting multiple U.S.-based journalists in May 2025, and that the activity closely aligns with a campaign using lures related to protests planned on the occasion of the U.S. Army 250th Anniversary Parade. (The story was updated after publication on May 2, 2026, with additional insights from Proofpoint.) Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Top Five Sales Challenges Costing MSPs Cybersecurity Revenue

The managed security services market is projected to grow from $38.31 billion in 2025 to $69.16 billion by 2030 [1] , with cybersecurity being the fastest-growing sector [2] . Despite this opportunity, many MSPs leave revenue on the table because their go-to-market strategy fails to connect technical expertise with business needs. This execution gap is where most deals stall. MSPs often focus on frameworks and vulnerabilities, but their clients make decisions based on business outcomes: risk reduction, successful compliance audits, and business continuity.

When sales messaging fails to bridge this divide, prospects tend to view cybersecurity as a cost center instead of a strategic investment. To win, MSPs must align security value with business priorities and translate complex offerings into compelling reasons for clients and prospects to act. Cynomi developed the GTM Academy Sales Kit to address this challenge and provide a structured, outcome-driven approach to help MSP sales teams convert rising demand into consistent, profitable revenue. Through our work empowering partner growth, we have identified five core go-to-market challenges holding MSPs back and the strategies required to overcome them.

  1. Overcoming a Lack of Client Urgency Data shows that 77% of MSPs cite a lack of client urgency as a major sales challenge [3] . Technical teams understand a prospect’s security weaknesses, but they struggle to translate that risk into the business terms that drive investment. When that translation fails, cybersecurity becomes a line item to defer rather than a strategic priority.

Sellers must learn to frame security program management in terms of operational continuity, regulatory consequences, and reputational liability to create immediate urgency. 2. Navigating Expanded Buying Committees Buying decisions don’t happen in a vacuum. Buying committees for cybersecurity have expanded to an average of over eight stakeholders, with projections exceeding nine stakeholders by 2026 [4] .

You are dealing with executives, finance, IT, and operations. These individuals have different concerns, motivations, and definitions of value. The discovery questions that move a CEO are not the same ones that move a CTO. MSPs must develop tailored discovery frameworks for different business stakeholders to keep complex deals moving forward.

  1. Defeating the Cost Objection Cost sensitivity remains a stubborn barrier, with 66% of SMBs identifying cost as their top obstacle to adopting stronger security [5] . Prospects often view security as a sunk cost rather than a business enabler. Overcoming this requires an objective scoring framework and clear objection handling that addresses the underlying beliefs driving the hesitation, rather than simply restating the technical pitch.

  2. Leveraging Compliance as a Catalyst Over 56% of new managed security agreements are initiated to meet compliance requirements [6] . Deadlines surrounding cyber insurance renewals, industry mandates, and state-level privacy laws create a hard timeline that organic sales conversations rarely generate. Providers must position compliance readiness as a potential entry point, but only one outcome of a broader security program management.

  3. Expanding Revenue in Existing Accounts For established MSPs, existing clients represent the fastest path to partner growth and revenue enablement. However, focusing only on new client acquisition leaves substantial revenue untapped within your current base. Expanding accounts needs a deliberate, data-driven strategy.

To expand revenue from existing clients, MSPs should use visual, CISO Intelligence dashboards to proactively review security postures and identify gaps. This analysis drives tailored upsell campaigns and justifies new investments during strategic business reviews. Benchmarking clients against industry peers creates urgency, while consistent education on the business impact of security reinforces its value. By turning account management into an ongoing advisory relationship and consistently surfacing new value, MSPs can deepen trust, drive margin improvement, and unlock recurring revenue opportunities year over year.

Turning GTM Challenges into Opportunities: Practical Strategies Overcoming these sales barriers requires a disciplined, systematic approach anchored in actionable processes and strategic alignment. Align sales and technical messaging: Work collaboratively with technical experts to translate security findings into business outcomes. Use client-friendly language to communicate risk, operational impact, and business value rather than technical jargon. Map the stakeholder landscape early: Identify all decision-makers and influencers at the outset, including executive, finance, IT, and operational leads.

Develop messaging and presentations targeted to each persona’s priorities, and build consensus through regular, transparent communication. Quantify outcomes and ROI: Present security investments in terms of measurable impact, such as reduction in incident response time, decreased compliance risk, or improved operational uptime. Providing decision-makers with concrete data driven by business impact assessments supports faster, higher-confidence purchasing decisions. Automate for consistency and scale: Leverage sales kits, playbooks, and CRM technology to standardize outreach, discovery, and proposal development.

Consistent processes and a central repository for discovery answers ensure smooth handoffs from prospect to client, even with multiple stakeholders involved. Measure, optimize, and adapt: Track sales performance against leading indicators such as conversion rates, deal cycle length, and upsell frequency. Analyze your pipeline consistently to identify bottlenecks and refine your sales strategy. Operator-Led Resources for Security Program Management To support service providers in achieving predictable growth, Cynomi established the GTM Academy.

Designed as a practical enablement program for MSPs and MSSPs, the GTM Academy features resources developed by practitioners who are actively running and scaling security practices. The first release is the Complete Sales Kit , which includes dozens of resources covering every stage of the sales lifecycle, from initial prospecting through close and expansion. The kit provides actionable tools to solve the toughest sales challenges, including: Actionable videos from MSP operators and GTM practitioners Ideal client profile (ICP) strategic frameworks to target buyers effectively Positioning scripts and email templates to drive engagement Discovery frameworks tailored for technical and business stakeholders Cheat sheets and scoring worksheets for building a predictable pipeline Upselling and cross-selling playbooks to expand existing accounts As a Security Growth Platform, that unifies security program management, risk management, and GRC capabilities to help partners scale, Cynomi understands that the sales motion and service delivery must reinforce each other to protect every client, at every maturity level. The Complete Sales Kit provides the foundation for building that motion, empowering your team to deliver expert guidance with confidence and consistency.

Building a Sustainable Sales Advantage To move from reactive selling to predictable success, MSPs need a scalable system that evolves with the market. Invest in continuous education by hosting internal workshops, reviewing wins and losses, and connecting sales metrics to business goals like margin improvement and client retention. A culture of continuous learning, built on insights from top performers and peer mentoring, prepares your team to address new threats and regulations with authority. By embedding these best practices, MSPs can become trusted security advisors, reduce friction, accelerate revenue, and maximize client value.

Download the GTM Academy Complete Sales Kit today and transform your sales motion . Sources Fortune Business Insights, 2024, “Cyber Security Managed Services Market Size, Share & Industry Analysis.” Channel Futures, 2024, “Cybersecurity Dominates the 2024 MSP 501.” Infrascale, 2025, “MSPs Selling More Cybersecurity: Statistics and Trends in the U.S.” Gartner, 2024, “Market Trends: Security Buying Committees and Stakeholder Expansion.” CrowdStrike, 2025, “SMB Cybersecurity Study.” Cynomi internal data, 2024, “Managed Security Agreements and Compliance Initiation Trends.” Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

99% of Mythos Findings Remain Unpatched. Defenders Are Building the Response

Two Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks

The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023. Ryan Goldberg , 40, of Georgia, and Kevin Martin , 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023.

The two defendants, who pleaded guilty to their crimes in December 2025, conspired with Angelo Martino, 41, of Florida, to conduct the attacks. “The three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransoms received in exchange for access to the ransomware and ALPHV/BlackCat’s extortion platform,” the DoJ said . “All three men worked in the cybersecurity industry – meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case.” In one case, the defendants are said to have successfully extorted a victim for approximately $1.2 million in Bitcoin, splitting their 80% share three ways and subsequently laundering the funds to cover up the tracks. Although the BlackCat ransomware-as-a-service (RaaS) scheme no longer exists, the group is estimated to have targeted the computer networks of more than 1,000 victims around the world.

The development comes a week after Martino pleaded guilty to the same crime, and is scheduled to be sentenced in July 2026. In addition, Martino is said to have abused his role as a negotiator to extract higher payouts from victims by sharing confidential information about their insurance policy limits with the BlackCat operators. Martino and Martin worked for DigitalMint, while Goldberg was employed as an incident response manager for cybersecurity company Sygnia. “These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them,” said U.S.

Attorney Jason A. Reding Quiñones for the Southern District of Florida. “They used ransomware to lock down critical systems, steal sensitive data, and pressure American businesses into paying to regain access to their own information.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft

A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account “ BufferZoneCorp ,” which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of writing, the packages have been yanked from RubyGems, and the Go modules have been blocked. The names of the libraries are listed below - Ruby: knot-activesupport-logger knot-devise-jwt-helper knot-rack-session-store knot-rails-assets-pipeline knot-rspec-formatter-json knot-date-utils-rb (Sleeper gem) knot-simple-formatter (Sleeper gem) Go: github[.]com/BufferZoneCorp/go-metrics-sdk github[.]com/BufferZoneCorp/go-weather-sdk github[.]com/BufferZoneCorp/go-retryablehttp github[.]com/BufferZoneCorp/go-stdlib-ext github[.]com/BufferZoneCorp/grpc-client github[.]com/BufferZoneCorp/net-helper github[.]com/BufferZoneCorp/config-loader github[.]com/BufferZoneCorp/log-core (Sleeper module) github[.]com/BufferZoneCorp/go-envconfig (Sleeper module) The identified packages masquerade as recognizable and well-known modules like activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader so as to evade detection and trick users into downloading them.

“The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems,” Socket security researcher Kirill Boychenko said in an analysis published today. The Ruby gems are designed to automate credential theft during install time, harvesting environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is then exfiltrated to an attacker-controlled Webhook[.]site endpoint. On the other hand, the Go modules harbor broader capabilities to tamper with GitHub Actions workflows, plant fake Go wrappers, steal developer data, and add a hard-coded SSH public key to “~/.ssh/authorized_keys” for remote access to the compromised host.

The modules do not all have the same payload; instead, they are spread across the cluster. “The module executes through init(), detects GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into a cache directory, and appends that directory to the workflow path so the wrapper is selected before the real binary,” Boychenko explained. “That wrapper can then intercept or influence later go executions while still passing control to the legitimate binary to avoid breaking the job.” Users who have installed the packages are advised to remove them from their systems, review for signs of access to sensitive files or unauthorized changes to “~/.ssh/authorized_keys,” rotate exposed credentials, and inspect network logs for outbound HTTPS traffic to the exfiltration point. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials

In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security , OX Security , Socket , and StepSecurity , the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the Mini Shai-Hulud supply chain incident that targeted SAP-related npm packages on Wednesday. As of writing, the project has been quarantined by the administrators of the Python Package Index (PyPI) repository.

PyTorch Lightning is an open-source Python framework that provides a high-level interface for PyTorch. The open-source project has more than 31,100 stars on GitHub. “The malicious package includes a hidden _runtime directory containing a downloader and an obfuscated JavaScript payload,” Socket said. “The execution chain runs automatically when the lightning module is imported, requiring no additional user action after installation and import.” The attack chain paves the way for a Python script (“start.py”), which downloads and executes the Bun JavaScript runtime, and then uses it to run an 11MB obfuscated malicious payload (“router_runtime.js”) with an aimto conduct comprehensive credential theft.

From among the harvested credentials, the GitHub tokens are validated against the “api.github[.]com/user” endpoint before being used to inject a worm-like payload to up to 50 branches retrieved from every repository the token can write to. “The operation is an upsert: it creates files that do not yet exist and silently overwrites files that do,” Socket added. “No pre-check for existing content is performed. Every poisoned commit is authored using a hardcoded identity designed to impersonate Anthropic’s Claude Code.” Separately, the malware implements an npm-based propagation vector that modifies the developer’s local npm packages with a postinstall hook in the “package.json” file to invoke the malicious payload, increases the patch version number, and repacks the .tgz tarballs.

Should the unsuspecting developer publish the tampered packages from their local environment, they are made available on npm, from where the malware ends up on downstream user systems. The maintainers of the project have acknowledged that “we are aware of the issue and are actively investigating.” It’s currently not clear how the incident occurred, but indications are that the project’s GitHub account has been compromised. In a separate advisory , Lightning revealed an investigation is still underway to determine the exact root cause of the compromise and that the “affected versions have introduced functionality consistent with a credential harvesting mechanism.” In the interim, it’s advised to block Lightning versions 2.6.2 and 2.6.3 and remove them from developer systems, if already installed. It’s also essential to downgrade to the last known clean version, 2.6.1, and rotate credentials exposed in affected environments.

The supply chain attack is the latest addition to a long list of compromises carried out by a threat actor known as TeamPCP, which has now launched an onion website on the dark web after its account was suspended from X for violating the platform’s rules. It also called LAPSUS$ , a “good partner of ours and has been involved heavily throughout this entire operation.” The group also made it a point to emphasize that it has “never used VECT encryption tools and we own CipherForce, our own private locker,” following a report from Check Point Research about vulnerabilities discovered in the ransomware’s encryption process. Intercom npm and Packagist Packages Compromised as Part of Mini Shai-Hulud In a related development, it has emerged that version 7.0.4 of intercom-client has been compromised as part of the Mini Shai-Hulud campaign, following a similar modus operandi as that of the SAP packages to trigger the execution of a credential-stealing malware using a preinstall hook. “The overlap is significant because the SAP CAP campaign was linked to TeamPCP activity based on shared technical details, including distinctive payload implementation patterns, GitHub-based exfiltration, credential harvesting across developer and CI/CD environments, and similarities to prior attacks affecting Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy,” Socket said .

It has since been confirmed that the GitHub user “nhur” was hacked and that the malicious intercom-client@7.0.4 package was published through a now-deleted branch that triggered an automated CI publish workflow.In tandem, the campaign has also spread to Packagist with the compromise of “intercom/intercom-php” (version 5.0.2), which adapts the same credential-stealing mechanism for the PHP ecosystem. Specifically, the package uses Composer plugin execution to download Bun by means of a shell script (“setup-intercom.sh”) that’s triggered during install or update events (via the “post-install-cmd” and “post-update-cmd” hooks) and launches an obfuscated “router_runtime.js” credential-stealing payload. The malware component, as before, targets GitHub, npm, SSH keys, cloud credentials, Kubernetes, Vault, Docker credentials, .env files, and other developer/CI secrets. The stolen data is then encrypted and exfiltrated to a remote server (“zero.masscan[.]cloud:443/v1/telemetry”).

If this primary method fails, it falls back to the GitHub-based exfiltration method using the pilfered GitHub tokens by creating a public repository with the description “A Mini Shai-Hulud has Appeared.” It also comes fitted with propagation capabilities, abusing the discovered npm tokens to modify and republish packages containing the malware, in addition to writing the payload files to paths like “.claude/settings.json” and “.vscode/tasks.json.” “The PHP payload mirrors the broader Mini Shai-Hulud tradecraft observed across recent npm and PyPI compromises: install-time execution, Bun-based payload launch, heavily obfuscated JavaScript, credential harvesting from developer and CI/CD environments, and encrypted exfiltration,” Socket said. Intercom, for its part, has traced the root cause of the compromise to a local install of “pyannote-audio,” which introduced the compromised Lightning PyPI package as a transitive dependency, offering clear evidence that the newer infections are downstream effects from prior TeamPCP waves rather than entirely independent initial access events. “That makes this especially concerning because one compromised dependency can become a bridge into additional package ecosystems,” Socket told The Hacker News via email. “After two solid weeks of virtually nonstop attacks, the tempo looks deliberate and sustained rather than opportunistic.

The repeated use of install-time execution, Bun-based payload delivery, obfuscated ‘router_runtime.js,’ credential harvesting, GitHub abuse, and package/repository propagation shows a campaign built to turn one compromised developer environment into the next package compromise.” Lightning PyPI Quarantine Removed The PyPI quarantine on the Lightning package has been lifted and the malicious versions 2.6.2 and 2.6.3 have been deleted. The latest safe version is 2.6.1. In a follow-up update, the package maintainers said the malicious versions were live in PyPI for 42 minutes before they were quarantined. There is no evidence that the GitHub source code repository was ever compromised.

“The threat compromised our PyPI publishing channel,” they added . “An attacker with access to our PyPI credentials cloned our open source code, injected a malicious payload, and pushed those tampered builds directly to PyPI as malicious versions 2.6.2 and 2.6.3, bypassing our source control entirely. Any user who pip installed or updated to either of those versions received the attacker’s build, not ours.” (The story was updated after publication to reflect the latest developments and include additional insights from Socket.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target.

Millions of servers are currently sitting online without any passwords, and old software bugs are showing up in the most unexpected places. Even with the right fixes available, staying one step ahead is a full-time job for all of us. Data is shifting in strange ways, too. Some browser tools are now legally selling user history for profit, and new kits are making it simpler for almost anyone to launch a campaign.

You have to see these latest updates to believe them. Let’s look at the full list… SMS blaster phishing crackdown Canadian Authorities Arrest 3 Men for Alleged Use of SMS Blaster Canadian authorities have arrested three men for operating an SMS blaster device that masquerades as a cellular tower to send phishing texts to nearby phones. These tools trick devices into connecting to them by emitting signals that mimic a legitimate tower.

“An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations,” authorities said . “These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords.” The three men are facing 44 charges in connection with the crime. About tens of thousands of devices were connected to the blaster over several months, the official said.

This is the first time that an SMS blaster has been spotted in the country. npm brandsquat data theft npm Package Brand-Squats TanStack to Exfiltrate Environment Variables A new supply chain attack has leveraged an npm package impersonating TanStack to ship malicious versions that exfiltrate environment variables from developers’ machines during install. The package, named tanstack, is designed to “silently steal environment variable files, including .env, .env.local, and .env.production, from developers’ machines at install time, exfiltrating them to an attacker-controlled endpoint,” Socket said . The malicious package is maintained by a user named “sh20raj.” Versions 2.0.4 through 2.0.7 are confirmed malicious.

Update: In a post shared on X, Shaswat Raj (@SH20RAJ), the developer behind the package, apologized for his actions and claimed he demanded $10,000 from Tanner Linsley, creator of TanStack, as he “thought it was acceptable to ask for a bounty” for returning the name. The developer also stated the malicious code was part of “random testing” for jailbreaking Google Antigravity. Extensions legally sell user data Extension Developers Sell Data of At Least 6.5M Users In a new analysis, LayerX found that multiple networks of browser extensions collect user data and resell it for profit. Unlike malicious extensions that conceal their behavior by offering some harmless functionality, the identified 80 extensions explicitly inform users in their privacy policy that they collect and sell data of users who install their extensions.

“A network of 24 media extensions that are installed on 800,000 users and collect viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others,” LayerX said . “12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data. Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users’ browsing data.” Komari tool weaponized in attacks First Recorded Abuse of Komari Agent Huntress has revealed that unknown threat actors used stolen VPN credentials to pivot into a Windows workstation belonging to an unspecified organization via Impacket’s smbexec.py, and dropped a SYSTEM-level backdoor using the Komari agent, a Go-based remote-control, monitoring, and management tool. The development marks the first publicly documented case of the tool being abused in a real-world intrusion.

It also illustrates how bad actors are increasingly switching to publicly available and legitimate tools to conduct attacks. “Komari is not a telemetry tool that happens to be abusable - it is a bidirectional control channel by design. The agent opens a persistent WebSocket to its server and accepts three server-to-agent event types out of the box: exec (arbitrary command execution via PowerShell / sh), terminal (interactive PTY reverse shell in the operator’s browser), and ping (ICMP / TCP / HTTP probing),” Huntress said . “All three are enabled by default.” Whereas other tools like Velociraptor and SimpleHelp that have been abused by threat actors typically act as means to an end, Komari gives an operator arbitrary command execution, an interactive PTY reverse shell, and network probing by default, over a TLS-fronted WebSocket.

Next-gen phishing kits escalate New Saiga 2FA and Phoenix System Phishing Kits Spotted Threat actors have detailed two new phishing kits named Saiga 2FA and Phoenix System that have been linked to emails and SMS phishing attacks. According to Barracuda, Saiga 2FA goes beyond traditional adversary-in-the-middle ( AitM ) features by integrating tools like FM Scanner for extracting and analyzing mailbox content. “Saiga 2FA is an example of how phishing kits are evolving into application-level platforms,” the company said . “Unlike traditional phishing kits, Saiga integrates infrastructure, automation, and post-compromise capabilities into a unified system, supporting advanced and highly targeted campaigns.” Phoenix System, on the other hand, has been tied to over 2,500 phishing domains since January 2025, while relying on IP-based filtering and geofencing for precision targeting.

It’s assessed to be the successor to the now-defunct Mouse System. “The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Stations (BTS) to bypass carrier-level filtering and allow threat actors to send messages that appear under the brand names of trusted organizations directly to victims,” Group-IB said . “The campaign has so far targeted more than 70 organizations across the financial services, telecommunications, and logistics sectors globally.” Mass exposure of remote access servers Exposed RDP and VNC Servers Found A new analysis from Forescout has found 1.8 million RDP and 1.6 million VNC servers are exposed on the internet. “China accounts for 22% of exposed RDP and 70% of exposed VNC servers; the U.S.

accounts for 20% and 7%; Germany accounts for 8% and 2%,” the company said . “Of 91,000 RDP and 29,000 VNC servers mapped to specific industries, retail, services, and education lead RDP exposure; education, services, and healthcare lead VNC.” What’s more, 18% of exposed RDP servers run end-of-life Windows versions, more than 19,000 RDP servers remain vulnerable to BlueKeep (CVE-2019-0708), and nearly 60,000 VNC servers have authentication disabled. To make matters worse, more than 670 exposed VNC servers have authentication disabled and provide direct access to OT/ICS control panels. China-linked influence op falters Spamouflage Attempts to Influence Tibetan Parliament-in-Exile Elections A China-linked online influence campaign attempted to undermine April 26 elections for the Tibetan parliament-in-exile with little impact.

The operation, part of Spamouflage , a long-running influence network linked to Beijing, has used a cluster of 90 Facebook profiles and 13 Instagram profiles to push criticism of the Tibetan government-in-exile and its leadership. “The network tries to drive wedges within the community,” DFRLab said . “The goal is to erode trust in the exile government, weaken its international voice, and raise doubts about whether it can credibly represent Tibetans without the Dalai Lama. However, virtually none of these posts seem to have attracted any organic engagement, possibly because all the identified assets are regular Facebook profiles with limited reach and not established pages.” Unpatched RPC privilege escalation Windows PhantomRPC Privilege Escalation Remains Unpatched An unpatched vulnerability can allow for local privilege escalation in Windows systems through the abuse of the Remote Procedure Call (RPC) architecture in the operating system.

Called PhantomRPC , the flaw stems from an architectural weakness in how RPC handles connections to unavailable services. To exploit the flaw , an attacker with limited local access needs to first compromise a privileged service that runs under the Network Service identity, deploy a fake RPC server with the same RPC interface UUID and exposed endpoint name (i.e., TermService), listen to specific requests, and then impersonate the targeted service to escalate their privileges to SYSTEM. Kaspersky, which identified the weakness, said it discovered four PhantomRPC exploitation paths that could lead to privilege escalation. Following responsible disclosure in September 2025, Microsoft opted to not address the issue as it requires an attacker to first compromise the machine through some other means.

Vidar dominates infostealer market Vidar Stealer Races to the Top The information stealer known as Vidar (now in its second iteration called Vidar Stealer 2.0 ) has vaulted to the top of the infostealer market since November 2025 in the aftermath of law enforcement takedowns of Lumma and Rhadamanthys. “Vidar profited from the generated chaos to rise to the top of the stealer ecosystem,” Intrinsec said . “We assess that this rise was made available due to the release of version 2.0 of the malware, and to the collaboration with ‘Cloud’ Telegram channels.” It’s advertised by a user named “Loadbaks” on underground forums. Recent campaigns have been observed distributing malware that has used bogus links shared via YouTube videos promoting fake software to direct users to Mediafire pages, which are used to deliver executables responsible for downloading and running the broad-spectrum credential harvester.

The stolen credentials are then quickly monetized on underground marketplaces like Russian Market. Critical flaws hit healthcare platform 38 Flaws Discovered in OpenEMR Thirty-eight critical security vulnerabilities have been disclosed in OpenEMR, the world’s most widely used open-source electronic medical records platform. The vulnerabilities, now patched, range in severity from medium to critical and include missing or incorrect authorization checks, cross-site scripting (XSS), SQL injection, path traversal, and insufficient session expiration. These issues, which include two designated critical (CVE-2026-24908 and CVE-2026-23627), could have been exploited to access and tamper with patient and provider data, posing a serious health and regulatory risk to individuals and institutions.

“In the most severe cases, SQL injection vulnerabilities combined with modest database privileges could have led to full database compromise, PHI exfiltration at scale, and remote code execution on the server,” AISLE said . OpenEMR is used by more than 100,000 medical providers, serving more than 200 million patients in 34 languages. Swiss crackdown on Black Axe Black Axe Members Arrested in New Swiss Operation A coordinated police operation in Switzerland has led to the arrest of 10 suspected members of the Black Axe criminal network, including the Black Axe “Regional Head” for the Southern European region. Most of those arrested are reported to be of Nigerian origin.

The suspects are accused of numerous crimes, including romance scams, cyber fraud offences causing millions of Swiss francs in damages, and money laundering. “The criminal network is known for its involvement in a wide range of criminal activities, including cyber-enabled fraud, drug trafficking, human trafficking and prostitution, kidnapping, armed robbery, and fraudulent spiritual practices,” Europol said . PyPI package hijacked via CI exploit New Supply Chain Attack Hits elementary-data In yet another software supply chain attack, unknown threat actors pushed a malicious version of the popular “elementary-data” package on the Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. According to StepSecurity, elementary-data version 0.23.3 was uploaded to PyPI on April 24, 2026, at 10:20 p.m.

UTC. The attacker opened a pull request with malicious code and exploited a script-injection vulnerability in one of its GitHub Actions workflows to publish it as release 0.23.3. Specifically, it came embedded with a “elementary.pth” file that enabled the theft of developer credentials and secrets. “The attacker exploited a script injection vulnerability in one of the project’s own GitHub Actions workflows, then used the workflow’s GITHUB_TOKEN to forge a signed release commit and dispatch the legitimate publishing pipeline against it – without ever touching the master branch or opening a pull request,” the company said .

The developers urged users who installed 0.23.3, or pulled and ran its Docker image, to assume compromise and rotate any credentials . $230M crypto laundering sentence California Man Gets 70 Months in Prison for $230M Crypto Heist 22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist as part of an elaborate social engineering scheme. “This criminal enterprise was built on greed so brazen it borders on the cartoonish. They stole millions, spent it on half-million-dollar nightclub tabs, Lamborghinis, and Rolexes,” said U.S.

Attorney Jeanine Ferris Pirro. “But Evan Tangeman didn’t just launder the money that fueled that lifestyle. When his co-conspirators were arrested, he moved to destroy the evidence. That is consciousness of guilt, and this office and the court have treated that accordingly.” Tangeman pleaded guilty in December 2025.

The criminal enterprise began no later than October 2023 and continued through at least May 2025. Legacy TLS finally deprecated Microsoft to Block Legacy TLS Connections for POP and IMAP in Exchange Online Microsoft has announced plans to start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026. “We’re planning to fully deprecate support for legacy TLS versions (TLS 1.0 and TLS 1.1) for POP3 and IMAP4 connections to Exchange Online. These older TLS versions have been industry-deprecated for some time and are no longer considered secure,” the company said .

“Several years ago, we started the move to block these older versions, but we did allow you to use them by opting in; we’re now removing support for them entirely. Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation.” Phishing via account flow abuse Phishing Campaign Abuses Robinhood’s Account Creation Flow Threat actors are abusing online trading platform Robinhood’s account creation process to send phishing emails that bypass spam filters. The emails, which originate from “noreply@robinhood[.]com,” warn of suspicious activity tied to their accounts and urge them to click to complete a security check by clicking on a link that directs to a phishing site. “This phishing attempt was made possible by an abuse of the account creation flow,” Robinhood said in an X post.

“It was not a breach of our systems or customer accounts, and personal information and funds were not impacted. If you received this email, please delete it and do not click any suspicious links. If you have clicked a suspicious link or have any questions about your account, please contact us directly within the Robinhood app or website.” Reports on Reddit indicate that the attackers created new Robinhood accounts using modified versions of existing Gmail addresses via the so-called “dot trick.” The technique takes advantage of the fact that Gmail ignores periods inserted into or removed from a username, whereas Robinhood treats each variation as a distinct user, allowing the attackers to create a new account that points to an existing account. Social media scams surge FTC Warns of Surge in Losses from Social Media Scams The U.S.

Federal Trade Commission (FTC) warned of a massive increase in losses from social media scams since 2020, exceeding $2.1 billion in 2025, including $794 million to scams that started on Facebook, more than on any other platform. “In 2025, nearly 30% of people who reported losing money to a scam said that it started on social media, with reported losses reaching a staggering $2.1 billion. Social media scams produced far more in losses – an eightfold increase since 2020 – than any other contact method used by scammers to reach consumers,” the FTC said . “Social media creates easy access to billions of people from anywhere in the world, making a scammer’s job easier at very little cost.

Scammers may hack a user’s account, exploit what a user posts to figure out how to target them, or buy ads and use the same tools used by real businesses to target people by age, interests, or shopping habits.” Billions of credentials exposed Nearly 2.9B Compromised Credentials Tracked in 2025 KELA said it tracked 2.86 billion compromised credentials in 2025 globally. These included usernames, passwords, session tokens, cookies found in URL, login and password (ULP) lists, breached email repositories, and cybercrime marketplaces. At least 347 million were originally obtained by infostealers found on around 3.9 million infected machines. arXiv papers leak sensitive data What Do arXiv Preprints Contain?

An analysis of 2.7 million submissions to the arXiv preprint service – which also makes available the LaTeX sources and other files used to create them – has found that they include unnecessary files, expose metadata embedded in files (usernames, email addresses, hardware details, GPS information, software versions), and leak irrelevant content in files such as source code comments. This includes backups, hidden .nfs files, Git repositories (including editing histories), andconfiguration files containing API keys. “Apart from unused template files that put unnecessary storage burden on arXiv, we further discovered scripts, research data, and even entire Git repositories. Additionally, comments in LaTeX sources reveal, e.g., author conversations or todo items – for some of those comments, we are certain that the authors did not intend to disclose them publicly.

Alarmingly, our findings also include URLs without any access restrictions to other resources (e.g., Google Docs), security tokens, and private keys,” the study said . While arXiv recommends Google’s arxiv_latex_cleaner to clean the LaTeX code, the researchers have released a tool called ALC-NG to comprehensively remove files, metadata, and comments that are not needed to compile a LaTeX paper. Roblox account hacking ring busted Ukrainian Authorities Arrest 3 for Hacking Over 600K Roblox Accounts The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000 on Russian websites. The suspects face up to 15 years in prison if convicted and have been placed in pretrial detention while the investigation is in progress.

The scheme was allegedly masterminded by a 19-year-old resident of Drohobych, Lviv Oblast, who met his accomplices, aged 21 and 22, on gaming forums last year. From October 2025 to January 2026, the suspects are believed to have accessed more than 600,000 Roblox user accounts. Iran-linked group targets troops Handala Group Targets U.S. Troops in Bahrain The Iran-linked threat actor Handala Hack has targeted U.S.

troops in Bahrain in an influence campaign carried out via WhatsApp, according to Stars and Stripes . The messages, signed Handala and containing a link to the group’s website, claimed the service members were under surveillance and soon to be targeted with drones and missiles. “Your identities are fully known to our missile units, and every move you make is under our surveillance. Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles,” the message sent on April 28, 2026, read.

Record surge in privacy fines U.S. States Issued $3.45B in Privacy Fines in 2025 U.S. states issued $3.45 billion in privacy-related fines to companies in 2025, a total larger than the last five years combined, per Gartner. “Regulators are also shifting their efforts away from spreading awareness to full-scale enforcement,” the company said .

“This is increasingly becoming the standard in 2026 and beyond.” WordPress plugin backdoor uncovered WordPress Plugin Hijacked in 2020 to Plant Dormant Backdoor Anchor Hosting has revealed that a WordPress plugin named Quick Page/Post Redirect plugin, which has over 70,000 installs, was compromised with a backdoor that enables injecting arbitrary code into users’ sites. Plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, have been found to include a covert self-update mechanism that reaches out to a third-party domain, anadnet[.]com, to facilitate the execution of arbitrary code. It’s worth noting that the passive backdoor triggers only for logged-out users to hide its activity from site administrators. As of April 16, the plugin has been closed temporarily pending a full review.

Qinglong flaws abused for mining Threat Actors Exploit Qinglong Flaws for Crypto Mining Hackers are exploiting two authentication bypass vulnerabilities in Qinglong , an open-source timed task management platform with over 19,500 GitHub stars, to deploy cryptocurrency miners. The two flaws – CVE-2026-3965 and CVE-2026-4047 – enable authentication bypass that results in remote code execution. “While these vulnerabilities were formally reported on February 27, exploitation had already been underway for weeks,” Snyk said . “Starting around February 7-8, 2026, Qinglong users began opening issues about a hidden process called .fullgc consuming 85-100% of their CPU.

The .fullgc filename may have been chosen to blend in with legitimate processes. In Java/JVM environments, ‘Full GC’ (Full Garbage Collection) is a known source of CPU spikes, which could delay an administrator’s investigation.” The issues have since been addressed in #PR 2941 . Trivy hack enabled repo breach Checkmarx Says Trivy Scanner Hack Led to its Compromise In a new update shared this week, Checkmarx said its investigation into the cybersecurity incident has revealed the TeamPCP attack affecting the Trivy scanner is the “likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories.” This, in turn, allowed the attackers to interact with Checkmarx’s GitHub environment and publish malicious code to certain artifacts. The development comes as the company acknowledged that data stolen from the GitHub repository was published on the dark web by a cybercrime group known as LAPSUS$.

npm stealer tied to DPRK group Famous Chollima Linked to js-logger-pack npm Package The North Korean threat actor known as Famous Chollima has been attributed to the npm package named js-logger-pack that comes embedded with a WebSocket stealer that’s triggered via a postinstall hook. “The payload is a long-running WebSocket agent that: installs the attacker’s RSA key into ~/.ssh/authorized_keys on Linux; exfiltrates Telegram Desktop tdata sessions; drains credentials from 27 crypto wallets and Chromium-family browsers; steals .npmrc, cloud provider tokens, and shell history; and runs a native keylogger on Windows, macOS, and Linux with autostart persistence on all three,” SafeDep said . Security is a team sport. We keep seeing the same gaps because we focus on the new shiny toys while the basics, like simple passwords and old software versions, fall through the cracks.

It is clear that just having a patch isn’t enough if nobody actually installs it. The best lesson here is to stay curious and cautious. Whether it is a weird text from a “trusted” source or a new tool that seems too good to be true, taking a second to verify can save a lot of trouble later. Let’s keep learning and stay sharp until the next update!

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials

Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. “The intrusion chain begins with execution of a batch script (‘install_obf.bat’) that disables Windows security controls, dynamically extracts an embedded Python payload (‘svc.py’), and establishes persistence through multiple mechanisms including Startup folder scripts, registry Run keys, scheduled tasks, and optional WMI subscriptions,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News. It’s assessed that the batch script is distributed via traditional approaches like phishing. It’s currently not known how widespread attacks distributing the malware are, and if any of those infections have been successful.

“Based on our current analysis, there is no clear evidence to suggest that this malware framework was widely used in large-scale or highly active campaigns,” Gaikwad, senior security research engineer at Securonix, told The Hacker News via email. “Its observed usage appears to be limited and somewhat targeted rather than broadly distributed.” “At this stage, we have not identified consistent indicators pointing to specific geographies or industry sectors being systematically targeted. However, given the modular nature of the framework, it is possible that different threat actors could adapt it for varied use cases over time.” What makes the attack chain noteworthy is that the core Python implant is embedded directly inside the dropper script, from where it’s extracted, reconstructed, and executed. This reduces the need for repeatedly having to reach out to external infrastructure and minimizes the forensic footprint.

Once launched, the malware establishes communication with “bore[.]pub,” a Rust-based tunneling service , allowing the operator to issue commands that facilitate remote command execution and extensive surveillance. This includes - Reverse shell System reconnaissance Keylogging Clipboard monitoring Screenshot capture Webcam access Ambient audio recording Web browser credential harvesting SSH key extraction Credentials stored in Google Chrome, Mozilla Firefox, and Windows Credential Manager Cloud credential theft (Amazon Web Services, Google Cloud, and Microsoft Azure) The use of public TCP tunneling service for command-and-control (C2) offers several advantages in that it eliminates the need for setting up dedicated infrastructure, blends malicious traffic, and avoids embedding details of the server within the payload. In parallel, DEEP#DOOR incorporates a bevy of anti-analysis and defense evasion mechanisms, such as sandbox, debugger, and virtual machine (VM) detection, AMSI and Event Tracing for Windows ( ETW ) patching, NTDLL unhooking, Microsoft Defender tampering, SmartScreen bypass, PowerShell logging suppression, command-line wiping, timestamp stomping, and log clearing, to fly under the radar and complicate incident response efforts. It also employs multiple persistence mechanisms that involve creating Windows Startup folder scripts, Registry Run keys, and scheduled tasks, while also relying on a watchdog mechanism to make sure the persistence artifacts have not been removed, and if so, automatically recreate them, making remediation challenging.

“The resulting implant operates as a fully featured Remote Access Trojan (RAT) capable of long-term persistence, espionage, lateral movement, and post-exploitation operations within compromised environments,” Securonix said. “The implant prioritizes evading detection and forensic visibility by directly tampering with Windows security and telemetry mechanisms.” “DEEP#DOOR highlights the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages like Python. By embedding the payload directly within the dropper and extracting it at runtime, the malware significantly reduces external dependencies and limits traditional detection opportunities.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades

Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating Search Engine Order (SEO) poisoning , a dual-stage GitHub distribution architecture , and decentralized blockchain-based command-and-control (C2) resolving, Threat Actors have established a highly resilient delivery and persistence mechanism. Creative Distribution via GitHub Facades The campaign utilizes a multi-layered delivery chain designed to evade platform-level takedowns and maintain a high search engine ranking.

The attack begins with SEO poisoning on various search engines, including Bing, Yahoo, DuckDuckGo, and Yandex. That ensures that malicious results for niche IT terms rank at the top of search results. Users are initially directed to a primary “facade” GitHub repository . These repositories are optimized for SEO but contain no malicious code - just a professional-looking README file.

To maintain operational flexibility, the README contains a link directing a victim to a second, hidden GitHub repository . It serves as the true distribution point for the malware. By separating the SEO-optimized “storefront” from the payload delivery account, the threat actors can rapidly rotate their distribution repositories if flagged, while the primary search-indexed facade remains active and untouched. Strategic Tool Impersonation and Victim Profiling The campaign is characterized by its focus on the administrative stack .

By distributing malicious MSI installers disguised as tools like PsExec , AzCopy , Sysmon , LAPS , and Kusto Explorer , the adversary performs automated victim profiling. These utilities are almost exclusively used by personnel with elevated network and system permissions. A successful infection on an administrator’s workstation may provide the “keys to the kingdom, “ which can facilitate lateral movement inside the enterprise environment. Decentralized Command and Control via Ethereum The most technically significant aspect of the campaign is its implementation of Blockchain-based Dead Drop Resolving (DDR) .

Once the malicious MSI is executed, the malware does not reach out to a hardcoded domain or IP address, which could be easily blocklisted. Instead, the malware repetitively initiates a query to a public Ethereum (ETH) RPC endpoint . The malware is hardcoded with a specific Smart Contract address on the Ethereum blockchain. By querying this contract, malware dynamically retrieves the live C2 server address.

This technique provides the adversary with extreme resilience: Infrastructure agility: The attacker can rotate C2 servers globally simply by updating the value stored in the blockchain contract. Robustness: As long as public Ethereum gateways are accessible, the malware can always find its “home,” making traditional domain takedown or blockage efforts ineffective. Research analysis This research provides a comprehensive technical analysis of the current campaign, based on long-term observation and active detonation within a controlled environment. Our research moves beyond initial delivery vectors to examine the sophisticated infrastructure and post-exploitation behaviors.

The following data points represent the core operational mechanics of the campaign, including: Malware Distribution: breakdown of the dual-stage GitHub repository architecture and the SEO-poisoning usage to manipulate search engine results. Administrative Tools Impersonation: adetailed look at the specific administrative utilities being impersonated to ensure the compromise of high-privilege IT personnel. Malware Logic: malware analysis of the malicious MSI payloads, including their initial staging and persistent components. Decentralized C2 Infrastructure: investigation into the malware’s use of Ethereum Smart Contracts and public RPC gateways to dynamically resolve live Command and Control (C2) addresses.

NOTE: During the finalization of the research, we identified a preliminary alert from KISA&KrCERT/CC regarding this threat actor’s campaign - LINK . While their initial report provided early visibility, our longitudinal investigation confirms the campaign remains highly active and has undergone significant technical maturation. Our investigation further confirms that the malware is evolving, with several distinct variants and additional C2 infrastructure identified since the campaign’s inception. Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield Blogs.

Malware Distribution Visualisation below demonstrates the dual-stage distribution chain, where SEO-optimized facade repository redirects unsuspecting users to a secondary GitHub account hosting the malicious MSI. This modular architecture allows the threat actors to preserve their search engine rankings even if the individual payload delivery accounts are taken down. The intrusion lifecycle begins with a search query via Bing (also Yahoo, DuckDuckGo, Yandex) for specialized IT administrative utilities. Through aggressive SEO poisoning, the threat actors ensure that the facade GitHub repository appears prominently among the top search results.

In this instance, a user seeking Kusto Explorer – acritical tool for engineers and analysts querying Azure Data Explorer via KQL – is led toward a non-malicious storefront designed to build initial trust. Bing search for “kusto explorer” Bing search for “kusto explorer download” The first repository the user opens is a storefront that impersonates the targeted administrative tool. This facade repo is intentionally clean of malware, acting only as a gateway to the second, malicious stage of the delivery process. Thanks to such a design, it maintains a high search engine ranking.

First GitHub repo - used only as a facade First GitHub repo - used only as a facade As we can see it’s the one that survives quite long time By embedding a link in the README of a clean facade repository, Threat Actors effectively separate their search visibility from their malware distribution. This second repository hosts the actual malware, while the first remains untainted. This strategy allows for rapid recovery after a takedown, as the adversary only needs to update a single URL to restore their infection chain. This separation is key to the campaign’s longevity, as the initial landing page appears benign to both users and security tools.

Link to second GitHub repo that serves malware to the user Historical Commits in facade GitHub: we can see changes of links to second GitHub repo The redirection leads the user to a second GitHub repository where the malicious software is hosted. This secondary site acts as the final stage in the distribution chain, providing the direct download for the malware impersonating administrative tools. Second GitHub used to host malware Malware downloaded by user The threat actor has successfully hijacked the search results for larger set of Windows administrative stack, placing malicious storefronts at the very top of Bing. This dominant search presence effectively masks the threat, as the facade repositories appear as the primary, verified download locations for essential IT tools.

Such high visibility on the front page is the critical factor that could help campaign’s broader reach into corporate environments. “ProcDump” Bing SEO poisoning and Threat Actors GitHub repo “LAPS” Bing SEO poisoning and Threat Actors GitHub repo “BgInfo” Bing SEO poisoning and Threat Actors GitHub repo DuckDuckGo SEO poisoning and Threat Actors GitHub repo Yandex SEO poisoning and Threat Actors GitHub repo Yahoo SEO poisoning and Threat Actors GitHub repo Between early December 2025 and April 1, 2026, the threat actor deployed 44 separate GitHub facades, each spoofing a different administrative or developer tool. This high-volume approach indicates a sustained effort to maximize search engine visibility and capture a diverse range of high-privilege victims. Total 44 malicious GitHub repositories identified Administrative Tools Impersonation Category Impersonated tools Sysinternals / Diagnostics Autoruns, ProcDump, RAMMap, TCPView, Process Monitor, Process Explorer, Disk2vhd, Sysmon, DebugView, WinDbg, BgInfo AD / Credential / Admin Windows ADK, Windows LAPS, RSAT, IIS Crypto, Profwiz, PCmover, Transwiz, Delprof2 Remote Access Dameware, SecureCRT, SuperPuTTY, ScreenConnect Client, Bitvise SSH Client, TeraTerm Data Transfer / Cloud AzCopy, FSLogix, PCmover, Transwiz Security / Auth AppLocker, SafeNet Authentication Client, NSSM Network / Debugging PRTG Network Monitor, HTTP Debugger Utility / Business Apps KDiff3, Beyond Compare, BarTender, PaperPort Misc Sysadmin Tools Autologon, Kusto Explorer, LEAP Desktop, VMware Tools Identified Threat Actors campaign specifically targets the professional toolsets of enterprise administrators, systems engineers, and security practitioners.

Unlike traditional malware campaigns that cast a wide net across general consumers, this activity is surgically focused on the “crown jewel” accounts of the enterprise . By leveraging Search Engine Optimization (SEO) poisoning, theadversary is distributing malicious MSI installers that mimic essential infrastructure management and diagnostic tools. The primary objective is the compromise of high-privilege credentials and the establishment of persistent backdoors within corporate environments, which can lead to large-scale breaches . The current threat landscape is defined by the strategic impersonation of utilities foundational to modern IT operations, such as PsExec, AzCopy, Sysmon, and LAPS.

The rationale for selecting these specific targets is rooted in an advanced victim profiling model. Because a standard user very rarely interacts with a debugger like WinDbg or a deployment kit like Windows ADK, the adversary ensures that every successful infection lands on a machine belonging to a user with elevated system or network permissions. The psychological component of this campaign is also particularly aggressive. Many of these utilities are the tools defenders use to investigate malicious activity.

This creates an “irony lure” where a security professional, attempting to diagnose a perceived issue using a tool like Process Explorer or TCPView, inadvertently introduces a threat. By delivering these via legitimate-looking MSI packages, the attackers bypass the initial suspicion often associated with raw scripts or standalone executables. The consequences of an infection might be devastating. Given the administrative nature of the victims, this often transitions into a “keys to the kingdom” scenario.

Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield Blogs. Malware Logic Atos TRC has analyzed a number of .msi installers from identified malicious repositories. Since the malware evolved over time this analysis focuses on its latest variant. All paths, file names, extensions, and keys shown are specific to one single sample as they are randomly generated for each.

This malware is a multi-stage, fileless-style Remote Access Trojan (RAT) written in  JavaScript, delivered as a malicious MSI installer impersonating various IT administration and enterprise sysadmin tools. It uses layered AES-256-CBC encryption to conceal its payload, a blockchain-based dead-drop resolver for resilient C2 communication, and an AsyncFunction constructor engine for arbitrary remote code execution. Node.js is downloaded at runtime from nodejs.org rather than bundled, keeping the package small (~4.7 MB) at the cost of requiring internet access during infection. Ultimately, Atos Researchers identified it to be an EtherRat malware, a recently emerging threat using Ethereum to store C2 URL addresses, preventing takedown of the infrastructure.

Latest versions of installers consist of four files. When the MSI is executed, these files are extracted, and a CMD batch script is run via a Custom Action, initiating the chain that leads to RAT deployment: MSI content screenshot It is important to note that file extensions differed among the analyzed samples, but “.cmd” was always the initiating file. The table contains a few examples: Stage # Extensions Sample #1 Sample #2 Sample #3 Sample #4 0 - Dropper .cmd .cmd .cmd .cmd 1 – In-memory loader .bak .cfg .xml .tmp 2 – Loader/Persistence .xml .bak .bak .dat 3 - RAT .cfg .bin .xml .log File names, decryption keys, secrets, directory names, and extensions presented below are extracted from the latest installer version. STAGE 0 - DROPPER File: VW80IqXy.cmd (2,377 bytes) Stage 0 code screenshot The malware’s entry point is a heavily obfuscated Windows batch script (VW80IqXy.cmd), launched at SYSTEM privilege by the MSI CustomAction immediately after file extraction.

Its primary obfuscation mechanism splits all sensitive command names - including curl, tar, copy, start, and cmd - across multiple SET variable assignments that are silently concatenated at runtime, ensuring no recognizable keywords appear in the raw file and defeating simple string-based static analysis. To ensure execution in a hidden window regardless of how the MSI launched it, the script immediately re-launches itself as a minimized background process and exits, with the re-launched copy performing all actual work. That copy proceeds to create a build-specific staging directory under %LOCALAPPDATA%\, download the Node.js runtime from its official distribution endpoint to a temporary archive via curl, extract it into a build-specific runtime subdirectory within the staging directory, and delete the zip archive to minimize forensic artifacts on disk. With the environment prepared, the script hands off execution to Stage 1 by invoking the bundled node.exe against the first-stage payload file and terminates, carrying no persistence mechanism of its own and playing no further role in the infection chain.

Stage 0 simplified graph ( link to detailed) STAGE 1 – In-memory loader File: ZOVTSc3WW9wotbj.bak (472 bytes) Stage 1 code screenshot A minimal Node.js script. Unobfuscated and fully readable. It is never saved onto the disk. Its main goal is to read the file containing the second-stage payload (in this example, “tQqoxkAJFhqWtg5.xml”), decrypt it using a hardcoded key and initialization vector (IV), and execute it in memory via “module._compile()” AES-256-CBC credentials from example: Key : F4J/454U+W0+8y7L+L9MxSY15rB0KoSeQkPauifCTiQ= IV  : RXvUsgFBwDx9HuOhpkoiqQ== Simplified Stage 1 graph ( link to detailed) STAGE 2 – Loader/Persistence File: tQqoxkAJFhqWtg5.xml (2,096 bytes encrypted) Stage 2 code screenshot Stage 2 decrypted code screenshot Decrypted and executed in-memory by Stage 1.

It is an intermediary stage that decrypts the content of obfuscated stage 3 payload (0cZeeDPZMsxWtaK.cfg), writes this content into a new file (4S3HKjraAP.cfg) and then executes it via node.exe wrapped by “conhost.exe –headless”, which disguises the process in Task Manager as a standard console host. Additionally, it creates persistence via the registry Run key. AES-256-CBC credentials from example: Key : m+wOc81aCEKfGEOpZsEr8WAN4O8mJnEoalp3LwZau0A= IV  : cOoXZ1ImLZ/V90MLhCpVJw== Registry persistence from example: Key  : HKCU\Software\Microsoft\Windows\CurrentVersion\Run Name : <6-byte random hex, regenerated on every fresh install> Data : conhost.exe –headless 1FgUre\node.exe 4S3HKjraAP.cfg Simplified Stage 2 graph ( link to detailed) STAGE 3 - RAT File: 0cZeeDPZMsxWtaK.cfg (encrypted) / 4S3HKjraAP.cfg (plaintext, ~9.8 KB) Stage 3 code screenshot Stage 3 decrypted code screenshot Stage 3 is the malware’s main payload - a JavaScript file that runs silently in the background on every system boot. It is written to disk under a randomly generated filename with a non-descriptive extension, making pattern-based file detection unreliable across different malware distributions.

It runs inside conhost.exe, a legitimate Windows process, so it does not stand out in Task Manager. All strings inside the file - including server addresses and API names - are encrypted, making static analysis difficult. When executed, the RAT first assigns to the infected machine a persistent identity. It reads a unique bot ID from a hidden file on disk or generates a fresh one if the file does not yet exist and stores it for use in all future communication.

It also computes a working directory path derived from the machine’s username and computer name, making that path unique on every victim system. RAT’s next task is to find out where its command-and-control server is. Rather than hardcoding a server address directly, which could be blocked by defenders, the attacker stores the address inside an Ethereum smart contract on the blockchain. RAT queries nine public Ethereum API services in parallel and picks the answer that the majority return - this makes the lookup reliable even if some services are temporarily down.

Because the address lives on the blockchain, it cannot be taken down by blocking a domain or an IP address; the attacker can update it at any time by sending a single transaction. Independent of everything else, a background timer re-runs this blockchain lookup every five minutes, so if the attacker publishes a new server address, the RAT switches to it automatically on its next contact attempt without needing to restart. Once the C2 address is known, the RAT enters a continuous polling loop, repeatedly beaconing to the server to check for new commands. Each request is constructed to resemble an ordinary browser fetch for a static web asset — the URL path contains random hex segments, a randomly chosen common file extension (.png, .jpg, .gif, .css, .ico, or .webp), and a randomly selected query parameter name.

While every beacon looks different to a network observer, each one also silently carries the bot’s unique ID and a campaign identifier baked into the build, allowing the attacker’s server to recognize and track each victim individually. RAT also sends its own source code to the server and receives back a freshly obfuscated replacement, which it writes over itself on disk, effectively re-encrypting itself once every execution, whether it was from “.msi” or a persistent Run registry key. Commands from the attacker arrive as JavaScript code and are executed directly inside the running Node.js process, giving the attacker full access to the file system, the ability to run any OS command, and the ability to exfiltrate data - all without ever dropping a traditional executable to disk.” Every action that the malware makes, like startup, blockchain resolution, re-obfuscation, every poll request, task receipt, task execution, errors, URL updates are being written to %APPDATA%\svchost.log, keeping a complete operational trace of everything the RAT does. For all samples analyzed, the same 9 endpoints were queried to obtain the C2 address from the contract.

The earlier versions of this malware had a lower number of stages used from the moment of execution until the C2 communications and followed the same file extension pattern: .msi -> .cmd -> .js -> obfuscated file with no clear extension. Additionally, the oldest sample Atos Researcher was able to find had fallback C2 IP hardcoded inside the RAT logic to use when the smart contract was unresponsive. This C2 IP was the same as the first value set for the smart contract from this oldest sample (hxxp[://]135[.]125[.]255[.]55). Simplified Stage 3 graph ( link to detailed) Decentralized C2 Infrastructure The campaign implements a decentralized C2 model that does not rely on fixed domains or attacker-controlled servers.

Instead, the malware retrieves its C2 address from the Ethereum blockchain. Each sample contains the address of a specific Ethereum smart contract , which is queried periodically via multiple public Ethereum RPC services. In this context, a smart contract is a small piece of program logic stored on the blockchain that can hold data and return it on request in a consistent and verifiable way. This design enables centralized C2 changes without modifying or redeploying the malware, increasing resilience against takedown and blocklisting efforts.

For the purpose of this explanation, we used one of the contracts used by attackers ( 0xc12c8d8f9706244eca0acf04e880f10ff4e52522) and the wallet that funded it ( 0x37ef6e88425613564b2cf8adc496acff4b6481a9). The smart contract used for C2 resolution is implemented as an on‑chain coordination mechanism and shows clear signs of operational use during its lifetime. Its blockchain record exposes a defined contract address, a fixed creation timestamp, and a sequence of transactions submitted over time. The observed activity indicates that the contract instance is actively used as part of a broader and persistent C2 resolution architecture, even though individual smart contracts may be replaced or rotated as the campaign evolves.

Etherscan contract overview page The contract can be directly associated with the Ethereum wallet that deployed it. Review of the wallet’s activity shows repeated interactions with the same contract during its operational period, demonstrating that control over C2 resolution is exercised through blockchain transactions. This confirms that changes to C2 distribution are performed independently of the malware already deployed on compromised systems. Etherscan wallet page Analysis of the contract’s transaction history reveals multiple state-changing calls used to update values stored on-chain.

Each of these updates corresponds to a change in the C2 address retrieved by the malware during its regular resolution cycle. As a result, infected systems automatically redirect to the new backend infrastructure without requiring any additional payload delivery or local configuration changes. Etherscan contract transaction list highlighting repeated state‑changing calls (Set String) At the transaction level, a single state-changing operation is sufficient to redirect all active infections. Detailed inspection shows that one blockchain write operation, submitted from the operator’s wallet, modifies the contract state and is immediately reflected in subsequent C2 resolution attempts by the malware.

This replaces traditional infrastructure management steps -such as domain registration, DNS updates, or server redeployment -with a single on-chain transaction. Detailed Etherscan view of a single state‑changing transaction, including timestamp, sender, and input data By anchoring C2 resolution to blockchain state and resolving it through widely available public Ethereum services, the campaign moves a critical dependency of its control infrastructure onto a decentralized network designed for high availability. This substantially limits the effectiveness of conventional disruption techniques based on domain seizure, IP blocking, or server takedown, and contributes to the operation’s overall resilience and longevity. Full list of found malicious domains as well as wallets and contracts to distribute them is available for download and review at the TRC GitHub repository .

Conclusions As of the day of writing this article, the Administrative Utility Spoofing campaign remains a highly active and technically resilient threat to enterprise environments. Our research confirms that this is not merely an opportunistic malware cluster, but a more sophisticated operation designed for specific victim profiling. By impersonating the specialized utilities required for infrastructure management, the adversary has “automated” the discovery of high-privilege IT personnel, increasing the probability that successful infections provide immediate pathways for lateral movement into the corporate environment. The campaign’s operational longevity is rooted in two strategic factors: the dual-stage GitHub distribution architecture and the integration of decentralized blockchain-based C2 resolution .

The use of SEO-optimized “facade” repositories allows the threat actors to maintain front-page visibility on search engines while isolating their malicious payloads on secondary accounts that can be rapidly rotated. Furthermore, the EtherHiding module’s reliance on Ethereum smart contracts creates an infrastructure that is particularly difficult to dismantle. Malware analysis of the MSI payload distributed across this campaign identifies it as an EtherRAT , a modular Node.js backdoor distinguished by its high-resilience “ EtherHiding “ C2 module. The Sysdig Threat Research Team has previously linked this malware to the North Korean state-sponsored actor - Lazarus Group .

They noticed significant overlaps in the tooling utilized during operations conducted with the usage of EtherRAT and the “ Contagious Interview ” campaign. Furthermore, in March 2026, eSentire’s Threat Response Unit (TRU) investigated an open-directory web server attributed to Iranian state-sponsored group MuddyWater (APT34). During the engagement, TRU found on that server a malicious file with functionality to establish persistence and deploy the Tsundere botnet malware, which also integrates the “EtherHiding” C2 resolution logic. Their analysis documented extensive code commonalities between EtherRAT and the Tsundere malware .

Active Atos TRC monitoring confirms that this operation is not yet another high-velocity stealer campaign. While commodity malware often prioritizes immediate data exfiltration, these actors demonstrate a focus on operational patience and stealth . Following the initial breach, we have documented a transition to methodical hands-on-keyboard activities characterized by a deliberate approach to environmental discovery. The adversary avoids aggressive, high-volume scanning that might trigger behavioural alerts, opting instead for quiet discovery to map the network’s high-privilege architecture .

This measured pace indicates that the primary objective is sustained persistence and strategic access rather than a simple opportunistic extraction. By carefully profiling the environment before escalating their activity , the threat actors significantly increase their chances of remaining undetected within enterprise networks. In alignment with our commitment to proactive defense, the Atos Threat Research Center has initiated formal takedown actions against the identified malicious scheme in order to neutralize distribution channels and disrupt the campaign’s operational resilience. Recommendation To mitigate the risks associated with the Administrative Utility Spoofing campaign, organizations should implement the following defensive measures: Restrict Decentralized Infrastructure Access: block access to the public Ethereum (ETH) RPC endpoints used by EtherRAT, attached in the Appendixes’ section.

These gateways are the primary heartbeat for the decentralized C2 resolution mechanism. Retrospective Communication Review: review of historical logs to identify any outbound communications with the listed RPC ETH endpoints and identified historical C2 domains identified in this research. Tool Provenance & Administrative Awareness: increase awareness among IT personnel regarding using verified internal software centers or direct, authenticated vendor portals for all administrative tools. It is important to educate administrators on the potential risks of sourcing critical utilities from search engine results.

Behavioural Threat Hunting
following behavioural patterns should be reviewed in the given for organization telemetry: repeated, high-frequency beacons (every 500ms) to suspicious external domains periodic outbound requests (every 30000ms or 5 minutes) to public ETH RPC endpoints suspicious process tree: node.exe processes executing shell commands, which may indicate the secondary stages of the EtherRAT payload usage of conhost.exe with the –headless argument, a common artifact of the malware’s attempts to maintain a silent background presence. Appendixes A complete list of Indicators of Compromise (IoCs), mapped TTPs, and detailed malware relationship graphs for this campaign are available for download and review at the TRC GitHub repository . Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield Blogs. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Linux ‘Copy Fail’ Vulnerability Enables Root Access on Major Distributions

Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori. “An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root,” the vulnerability research team at Xint.io and Theori said . At its core, the vulnerability stems from a logic flaw in the Linux kernel’s cryptographic subsystem, specifically within the algif_aead module.

The issue was introduced in a source code commit made in August 2017. Successful exploitation of the shortcoming could allow a simple 732-byte Python script to edit a setuid binary and obtain root on essentially all Linux distributions shipped since 2017, including Amazon Linux, RHEL, SUSE, and Ubuntu. The Python exploit involves four steps - Open an AF_ALG socket and bind to authencesn(hmac(sha256),cbc(aes)) Construct the shellcode payload Trigger the write operation to the kernel’s cached copy of “/usr/bin/su” Call execve(“/usr/bin/su”) to load the injected shellcode and run it as root While the vulnerability is not remotely exploitable in isolation, a local unprivileged user can get root simply by corrupting the page cache of a setuid binary. The same primitive also has cross-container impacts as the page cache is shared across all processes on a system.

In response to the disclosure, Linux distributions have released their own advisories - Amazon Linux Arch Linux CloudLinux Debian Gentoo Red Hat Enterprise Linux SUSE Ubuntu Copy Fail has its echoes in Dirty Pipe (CVE-2022-0847), another Linux kernel LPE vulnerability that could permit unprivileged users to splice data into the page cache of read-only files and ultimately overwrite sensitive files on the system to achieve code execution. “Copy Fail is the same class of primitive, in a different subsystem,” Bugcrowd’s David Brumley said . “The 2017 in-place optimization in algif_aead allows a page-cache page to end up in the kernel’s writable destination scatterlist for an AEAD operation submitted over an AF_ALG socket. An unprivileged process can then drive splice() into that socket and complete a small, targeted write into the page cache of a file it doesn’t own.” What makes the vulnerability dangerous is that it can be reliably triggered and does not require any race condition or kernel offset.

On top of that, the same exploit works across distributions. “This vulnerability is unique because it has four properties that almost never appear together: it’s portable, tiny, stealthy, and cross-container,” a Xint.io spokesperson told The Hacker News in a statement. “It allows any user account, no matter how low-level, to increase their privilege to full admin access. It also allows them to bypass sandboxing and works across all Linux versions and distributions.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.