DAILY WORKFLOW ARCHIVE

2026-07-03 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-07-03 AI创业新闻

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

Google has significantly degraded NetNut , one of the biggest networks that turns home devices into rented relays for other people’s traffic. Working with the FBI, Lumen, and others, Google’s Threat Intelligence Group (GTIG) said this week it had reduced the network’s pool of usable devices by millions. Google identifies NetNut, also tracked as Popa , as a network spread across home devices worldwide, including smart TVs and streaming boxes , and GTIG estimates the network holds at least 2 million devices. If one of those devices is in your home, strangers can route their own traffic through your internet connection, and your address gets the blame for whatever they do with it.

How It Works A residential proxy network sells access to real home internet addresses. Attackers pay to route their traffic through your connection so it looks like ordinary home browsing, not the datacenter traffic that security tools tend to block. To build that pool, operators need their code running on home devices. Some devices ship with it pre-installed on cheap off-brand hardware; others pick it up when someone installs a free app that hides it.

Once it is running, the device becomes an “exit node,” a doorway that other people’s traffic flows through. Google says an exit node brings outside traffic inside the home network, giving attackers a foothold to reach other devices on it. Some of these home gadgets have also been pulled into large attack botnets such as Mirai and Badbox 2.0 . In a single week in June, GTIG counted 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups, to hide their real location and run password-guessing attacks .

The Company Behind It Unlike most proxy botnets , NetNut traces back to a public company. In June, researchers at Qurium, Synthient, Nokia Deepfield, and Spur tied Popa to NetNut. NetNut is a proxy provider owned by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). In a controlled test, Synthient said traffic it sent into NetNut’s commercial gateway came out through a device it had enrolled in Popa.

Synthient framed that as evidence of the traffic path, not proof of what NetNut knew or intended. Google’s own intelligence aligns: it treats NetNut and Popa as the same network, and says the public reporting matches its view of how NetNut builds its botnet. The Hacker News covered the researchers’ findings when they were published. Alarum rejects the “botnet” label.

It calls the research “demonstrably inaccurate assertions and flawed deductions rather than verified facts,” and says its software is for consented bandwidth-sharing that does not compromise the devices it runs on. The researchers’ testing complicates that defense: Synthient reported that none of the more than 20 apps it examined actually showed users a consent prompt. Why One Takedown Isn’t Enough Cutting off NetNut is messy by design. NetNut runs a reseller program that lets other companies sell its network under their own brand names.

Google says it has high confidence that many popular, seemingly separate proxy brands are really reselling the same NetNut pool. So a single takedown ripples across a lot of brands that look independent but are not. That is also why Google calls this degradation, not a kill. It says its earlier action against a similar IPIDEA network showed these networks can look resilient: operators start buying capacity from rivals, in effect becoming resellers themselves.

Real, lasting damage, Google says, means going after several connected providers at once. In January, Google and partners disrupted IPIDEA , a China-based network that at its peak was one of the largest of its kind. In July 2025, Google took the operators of Badbox 2.0 to court , the botnet of hijacked Android TV devices whose components overlap with Popa. Each time, the networks proved stubborn.

What Consumers Should Do The single clearest warning sign is an app that offers to pay you for your “unused bandwidth” or for “sharing your internet.” That is one of the main ways these networks grow. Beyond that: Stick to official app stores, and check what permissions a VPN or proxy app is asking for. Keep built-in protections like Google Play Protect switched on. Buy streaming boxes and smart TV hardware from known manufacturers, not no-name brands.

The demand for these home addresses does not disappear when a network goes down; it just moves. For defenders and platforms, the next signal to watch is whether NetNut-linked traffic resurfaces under reseller brands. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. “Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Monitoring (RMM) tooling, credential access, and hands-on-keyboard procedures used for lateral movement,” Arctic Wolf said in a report published this week. “Anubis affiliates repeatedly abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity while maintaining control of victim systems.” Anubis is a ransomware-as-a-service (RaaS) group that first emerged in late 2024 as a rebrand of Sphinx ransomware. The ransomware operation was formally announced on the Ransomware and Advanced Malware Protection (RAMP) underground forum in February 2025.

According to data from Ransomware.Live, the cybercrime crew has claimed 91 victims on its data leak site, with 11 victims reported in June 2026 alone. Some of the prominent sectors targeted include healthcare, business services, manufacturing, technology, and financial services. More than 50% of the victims are located in the U.S., followed by the U.K., Australia, France, and Canada. In a report published in July 2025, Rubrik Zero Labs said Anubis advertises attractive profit splits, offering affiliates 80% of the ransom amounts paid, and pairs it with an irreversible data-wiping feature that ups the pressure on victims to pay up.

“When Anubis’s /WIPEMODE module is activated, files remain in directories but are reduced to a 0 KB size regardless of ransom payment,” Rubrik noted at the time. “Knowing threat actors can revert victims’ environments to this scorched-earth state with a single command significantly increases pressure on victims to pay before the wiper is fully activated.” The ransomware intrusions, observed this year, involve both valid VPN credential use and the exploitation of CVE-2025-5777 (CVSS score: 9.3), a critical flaw impacting Citrix NetScaler ADC and Gateway that could be abused by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server. The exact source of VPN credentials used in these intrusions is unknown. However, it’s possible they were procured following prior compromise, or through initial access brokers (IABs), credential stuffing, or information stealer activity.

“In addition to CitrixBleed 2 exploitation, valid Cisco AnyConnect VPN logins were observed from several hosting ASNs, including AS20473 — The Constant Company and AS55286 — ServerMania,” Arctic Wolf explained. “Malicious VPN authentication was then followed by login activity involving RDP and SMB, leading to credential access, PsExec service creation, RMM deployment, and ultimately invoking cloud-transfer tooling for exfiltration.” Lateral movement is facilitated via RDP and PsExec, which then leads to the deployment of various legitimate RMM tools for persistent access, granting the attackers the ability to transfer files and remotely execute code, while staying under the radar. Select intrusions also configure a Cloudflare Tunnel (aka cloudflared) to establish tunnels to victim environments. The next phase of the attacks involves gathering credentials to facilitate deeper access to the compromised environment, after which tools like S3 Browser, rclone, s5cmd, WinSCP, and PuTTY are installed for data transfer or exfiltration prior to ransomware deployment.

In parallel, steps are taken to impair system defenses and complicate post-incident analysis. “These techniques included Windows Defender real-time protection disablement, SophosUninstall activity, PCHunter-related artifacts, and log clearing or manipulation across multiple systems,” the cybersecurity company explained. “In at least one intrusion, an Anubis encryptor was deleted after execution, reducing the availability of on-disk payload artifacts for later analysis.” The Gentlemen’s Go Backdoor and BYOVD 0-Day Exploit The disclosure comes as Kaspersky detailed The Gentlemen RaaS group’s exploitation of known vulnerabilities and stolen or weak login credentials to breach targets and its use of a Go-based backdoor to enable remote command execution after reconnaissance, lateral movement through Group Policy or PsExec, and defense evasion using the bring your own vulnerable driver (BYOVD) technique. The implant is designed to collect system information, exfiltrate it to an external server (“81.177.215[.]15:9443”) over a bidirectional TCP connection, and await operator responses that are then executed on the host using “cmd.exe” if the response byte is “c.” If the byte is “s,” a SOCKS proxy connection is established.

“This functionality likely enables The Gentlemen’s red team to pivot within the target network and expand their scan coverage,” Kaspersky said . “Given the backdoor implant’s capabilities, such as establishing two-way communication, executing commands, setting up a SOCKS proxy, and gathering information, it’s clear that it can also be used to expand the attack chain as needed.” According to Expel, the RaaS group has also weaponized a zero-day vulnerability in a little-known third-party vendor driver as part of its BYOVD arsenal to obtain kernel-level access, bypass Windows security protections, and kill protected security processes associated with Microsoft, ESET, Palo Alto Networks, and SentinelOne. The driver in question is ktapi.sys , which is part of an API developed by Kontron. “It’s still unclear how the threat actors came into possession of the file or gained knowledge of its vulnerability,” Marcus Hutchins, principal threat researcher at Expel, said .

“BYOVD continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds. Even using the latest Windows version, with all exploit mitigations enabled, does not provide complete protection.” VECT and TeamPCP’s Ransomware Partnership The findings also follow an investigation from Sophos Counter Threat Unit into the partnership between VECT and TeamPCP that was announced in March 2026 to combine supply chain attack-driven credential theft with ransomware deployment. “The formal partnership between TeamPCP and VECT allows VECT to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply chain attacks,” Sophos said in a report shared with The Hacker News. “Prior to the VECT partnership, TeamPCP was running another ransomware operation under the CipherForce brand.

CipherForce listed six victims on its leak site in February 2026 and rebranded as a TeamPCP leak site in May.” Recent analyses from Check Point and JUMPSEC have found VECT to contain implementation flaws that cause any file larger than 128 KB to be permanently destroyed rather than encrypted, prompting TeamPCP to issue a statement stating they had never used VECT’s encryptor in attacks. “We own CipherForce, our own private locker,” the group claimed . “The VECT/TeamPCP alliance represents a meaningful shift in the ransomware threat landscape, even accounting for the technical shortcomings that undermine its operational effectiveness,” Sophos said . “The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes an unprecedented model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories

This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This is not one big break.

It is small permissions, weak checks, open systems, and normal tools doing things they were allowed to do. That same pattern runs through the stories below. Ransomware phishing lure Fake INTERPOL Investigation Emails Lures Lead to Ransomware A phishing campaign is targeting small businesses across Europe, Asia, the Middle East, and the U.S. with fake investigation emails impersonating law enforcement officials.

“The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive,” Bitdefender said . “Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware. The ransomware appears to be a custom-built payload rather than a known ransomware family.” Sandbox root escape Exploiting Root Execution in Claude Cowork Sandbox New research from Armadin has discovered an attack chain affecting Claude Cowork on Windows. The attack allows an attacker with local code execution to plant a malicious file in Claude Desktop’s application directory, hijacking a trusted process to communicate with Cowork’s underlying VM service.

“An attacker with local code execution could run arbitrary commands as root in Claude Cowork’s sandbox without network egress restrictions,” the company said . The exploit takes advantage of two unvalidated parameters in the service’s interface that allow the attacker to run commands as root and bypass network filtering entirely, thereby allowing sensitive data to be exfiltrated to attacker-controlled infrastructure. Following responsible disclosure on May 29, 2026, Anthropic said it does not consider it to be a security issue because exploitation requires pre-existing local code execution on the host. Email privacy flaw Flaw in Apple’s Hide My Email A vulnerability has been disclosed in Apple’s Hide My Email service that allows users’ real email addresses to be unmasked.

Tyler Murphy, the researcher who found the bug, said that he reported the issue to Apple over a year ago and that it continues to remain unpatched. “We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” Murphy told 404 Media. Exact details surrounding the vulnerability have been withheld to avoid potential exploitation concerns. China-linked RAT activity New BeepRAT Remote Access Trojan Discovered A customized version of the open-source DCRat framework dubbed BeepRAT has been identified as distributed via a Chinese phone number management utility packaged within a ZIP archive, per Rubrik Zero Labs.

“The archive contained a .NET application named HFY.exe alongside several third-party libraries commonly associated with database-driven applications,” Rubrik said . “Although the application appeared to function as a telephone number management tool, further analysis revealed a sophisticated multi-stage infection chain that ultimately deployed the customized BeepRAT payload.” The malware establishes persistence on the host via scheduled tasks, and resolves the command-and-control infrastructure using DNS-over-HTTPS (DoH) requests. It then beacons a packet containing information about the compromised host, after which a persistent communication channel is opened to receive incoming commands that allow the malware to transfer files between the host and the server, launch interactive command prompt sessions, issue commands to it, launch PowerShell sessions, enumerate running processes and available storage drives, terminate a specified process, perform file system operations, record through webcam, log keystrokes, take screenshots, list active network connections, download and run .NET assemblies in memory, and launch a proxy. It’s assessed that BeepRAT operates within the China-nexus espionage ecosystem.

AI cyber benchmark Evaluation of OpenAI GPT-5.6 Sol An evaluation of OpenAI’s GPT-5.6 Sol on real-world offensive security benchmarks by AI security lab Irregular has found the model to perform slightly better than GPT-5.5, while continuing to struggle with well-defended targets and complete end-to-end attacks. “GPT-5.6 Sol demonstrated capabilities relevant to offensive cyber misuse, including finding and exploiting high-impact zero-day vulnerabilities across multiple real systems,” it said . “These capabilities were demonstrated on sensitive, widely used classes of systems, including mobile operating systems and database systems. Despite these capabilities, GPT-5.6 Sol continued to show clear limitations against hardened targets and in orchestration, operationalization, and operational security.

Performance also degrades when tasks require sustained logical coherence over long horizons or quick, time-sensitive decision-making.” Platform-aware phishing Phishing Campaigns Tailored to Targets’ Devices Cofense said it’s observing a “clear shift in phishing operations” where threat actors are moving beyond broad, one-size-fits-all campaigns to adopt platform-aware delivery that adapts to the victim’s device, browser, and environment. Phishing campaigns have been found to deliver Itarian RAT or the ConnectWise tool via Ninite Loader on Windows, while serving credential harvesting phishing pages when URLs are visited from macOS or Android. The operating system-specific payloads are delivered by fingerprinting victims through User-Agent data. “What began as simple Windows-focused malware distribution campaigns has evolved into more sophisticated campaigns that can selectively deliver credential phishing, remote access tools, or malware across Windows, MacOS, and Android,” it said .

“This trend reflects a broader strategic change in the threat landscape, one that is designed to increase the likelihood of compromise, expand target coverage, and improve threat actor return on investment.” Russian hacker reward U.S. Offers $10M for Info on UNC5792 The U.S. State Department is offering a reward of up to $10 million for information leading to the identification or location of threat actors associated with UNC5792 , a malicious cyber group associated with the Russian Federal Security Service (FSB) Border Guards and UNC4221, a malicious group of cyber actors working on behalf of the Russian military services. UNC5792 has been linked to widespread phishing campaigns targeting Signal and WhatsApp accounts of U.S.

government officials, military leadership, and allied personnel with an aim to gain unauthorized access. “Although these malicious cyber activities did not exploit any security vulnerability in the platforms’ encryption protections, they have compromised thousands of individual commercial messaging application accounts,” the State Department said . LLM role confusion Prompt Injection as Role Confusion New research from a group of academics has revealed that machine learning models cannot reliably distinguish between authorized and unauthorized input, leaving them susceptible to a persistent problem called prompt injection. “LLMs see the world as a single stream of text, partitioned into roles like or ," the researchers said.

“We trace prompt injection to role confusion: models perceive the source of text from how it sounds, not its labeled role. A command hidden in a web page hijacks an agent simply because it sounds like text, despite its label." The attack, dubbed CoT Forgery, involves injecting fabricated reasoning into user prompts and tool outputs, causing the models to mistake the forgery for their own thoughts and act on them, yielding 60% attack success against frontier models. The attack essentially exploits the trust a model places in its own thinking. Covert tracking rollback Anthropic Says it's Removing Covert Code Tracking Feature Anthropic said it plans to remove the hidden code it added to Claude Code several months ago to detect unauthorized distillation efforts.

The relevant code checks Claude Code’s base URL environment variable that’s used to route API requests to a proxy or gateway. If the base URL has been overridden, the code snippet checks the system time zone and whether the hostname matches any entry in a list of known Chinese companies, account resellers, and gateway domains. “This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation,” Anthropic’s Thariq Shihipar said . “The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while.” Clipboard attack defense Opera Takes on ClickFix with Paste Protect Opera has introduced Paste Protect, a new security feature designed to block ClickFix -style attacks that deceive users into executing malicious commands through social engineering techniques.

“Paste Protect helps identify situations where malicious websites attempt to either replace something you copied with a malicious version or place potentially harmful commands on your clipboard and later trick you into pasting them onto a terminal,” the browser maker said . “When any kind of suspicious clipboard activity is detected, Opera’s Paste Protect warns users before dangerous content can be executed.” The development comes as ClickFix continues to be a popular initial access vector for threat actors. According to Huntress, ClickFix was responsible for over 53% of all malware loader activity in 2025. Data from ReliaQuest for the period between March 1 and May 31, 2026, ClickFix remained the dominant delivery method during this period and targeted both Windows and macOS systems.

One notable trend observed during the period was that ClickFix activity appeared to shift from delivery via compromised websites to emailed links. “ClickFix demonstrates that the human element remains one of the most effective attack vectors, especially when combined with legitimate system functionality and trusted binaries,” security researcher Bert-Jan Pals said . Gmail phishing operation UNC1151 Phishing Campaign Analyzed A spear-phishing attack orchestrated by UNC1151 (aka Ghostwriter) targeting Belarusian pro-democracy politician Yury Hubarevich has been assessed to be part of a much broader credential phishing operation. The activity involved sending emails from Gmail accounts claiming to have detected suspicious activity on targets’ Google accounts, urging them to click on a link to verify their account.

The catch here was that entering the credentials on the phishing page harvested the victim’s login information and exfiltrated it to the attacker-controlled infrastructure. Attack surface management platform Censys has since uncovered additional domains impersonating the I.UA email portal, suggesting the activity also likely targeted Ukrainians. FTC enforcement action FTC Fines Amazon $2.25N for Failing to Help Identity Theft Victims The U.S. Federal Trade Commission has fined Amazon $2.25 million to settle claims that the company failed to help customers who fell victim to identity theft.

Consumers who contacted Amazon to report fraud were told by its customer service agents that they could not provide the application and business transaction records about fraudulent transactions made in their names for “security” or “privacy” reasons. “Amazon often puts identity theft victims through a Kafkaesque ordeal by demanding they identify the thief who stole their information before Amazon would release the records the law entitles them to – records that could help victims protect themselves and recover from the fraudulent conduct,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. Telegram RAT surge Telegram-Based Millenium RAT Infects 60,000 Devices A remote access trojan (RAT) named Millennium RAT has undergone an architectural shift from .NET to native C++, while still relying on the Telegram Bot API for command-and-control (C2). The malware is attributed to a developer named ShinyEnigma, who is also behind DotStealer and was first seen in September 2023.

It is offered as malware-as-a-service (MaaS) for $50 for the first month, $10 for subsequent months, or a one-time $90 lifetime purchase. “As a full-featured remote access trojan, Millenium RAT 4.* is designed to compromise Windows machines,” Group-IB said . “It enables threat actors to exfiltrate sensitive browser and system data, capture screenshots and audio, perform keylogging, and download and run arbitrary executables.” Exploitation campaigns involving the malware are carried out by a threat actor cluster codenamed Y2K Operators. The threat actor has been active since May 2025, using social engineering as a way to trick users into executing malicious payloads by masquerading them as legitimate software or cracked applications.

As of writing, 62,289 devices have been infected with the Millenium RAT 4.* versions, with more than 16,000 infections reported in the month of March 2026 alone. In an interesting twist, the attackers even target other cybercriminals. “They take popular RATs, builders, and exploit kits, add a backdoor, and redistribute them — so the would-be attacker downloads a working tool and gets infected at the same time,” Group-IB said. Search hijack extension Chromium Extension Uses AI Branding to Redirect Browser Search Microsoft said it discovered a malicious Chromium-based extension that impersonates the AI-powered answer engine Perplexity AI to trick unsuspecting users into installing it.

The extension, named “Search for Perplexity ai” (ID: flkebkiofojicogddingbdmcmkpbplcd), has since been taken down by Google, but not before it attracted 10,000 installs. “We assess its primary objective to be search traffic interception and data collection, which might enable downstream use cases such as profiling, targeted advertising, or other forms of misuse depending on operator intent,” the tech giant said . “However, unlike traditional search hijackers that rely primarily on aggressive monetization or visible redirection, this extension combines Manifest Version 3 (MV3) capabilities with intermediary infrastructure and declarativeNetRequest (DNR) rules to transparently intercept Omnibox queries while preserving the appearance of legitimate search results.” The attacks illustrate how threat actors continue to capitalize on the popularity of AI tools to abuse them as a social engineering vector. Meeting bot controls Bot Protection in Microsoft Teams Microsoft said it’s introducing “smarter bot protection” features to tackle scenarios where bots connected to a third-party service attend meetings as AI tools become more common in enterprise setups.

“Unexpected participants in a meeting can create security and privacy risks, particularly when sensitive information is being discussed,” it said . “That’s why we’re introducing a new Teams admin policy designed to give organizations more visibility and control over external bots in their meetings. This new experience helps organizers identify bots, and adds safeguards before they’re admitted, giving organizations greater confidence that only the intended participants and tools will be present.” As part of this effort, Microsoft intends to clearly distinguish between bots and human participants, give organizers more visibility when bots join a meeting, and issue warnings when organizers choose Admit all and bots are included. With these new safeguards rolling out, Microsoft plans to retire the existing CAPTCHA verification experience.

Defender zero-day abuse BlueHammer Exploited in Ransomware Attacks The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that the now-patched Microsoft Defender vulnerability known as BlueHammer (aka CVE-2026-33825) was exploited in ransomware attacks. BlueHammer was first disclosed as a zero-day by an anonymous researcher named Chaotic Eclipse (aka Nightmare-Eclipse) in April 2026. It’s unclear which ransomware group has exploited the flaw.

Stolen AI compute abuse Using Stolen AI Compute to Build Offensive Agentic Tools Threat actors have been observed using a misconfigured Ollama model server as the reasoning engine for an automated, multi-stage offensive security tool called the VAPT framework, according to findings from Sysdig. The development marks a new evolution of LLMjacking , which refers to a form of resource hijacking attack in which malicious actors steal API keys, cloud credentials, or non-human identities to hijack an organization’s Large Language Model (LLM) resources. The unauthorized access is then abused to run heavy AI workloads or sell access to third-parties, leaving the legitimate account holder to pay the usage bills. “The actor was not chatting with the model or reselling access,” Sysdig’s Michael Clark said .

“Instead, they wired access to the AI tool into a software pipeline that scans a target, matches it to known vulnerabilities, writes proof-of-concept exploits, and attempts to break into a victim’s environment — with the model making the decisions at every step.” The lesson this week is simple: attackers do not need the front door when the side door is already open. A copied command, an exposed server, a trusted bot, a weak check. Small things become entry points when nobody treats them like one. So read the list with that in mind.

The loud part is the breach. The useful part is the quiet mistake that made it possible. Until next ThreatsDay. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that’s designed to gain surreptitious access to a victim’s email correspondence via the Google API. “In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs,” Kaspersky said in a detailed report published this week. “Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources.” The adversary is said to have developed Umbrij to acquire this token and use it to connect to the browser’s management console in headless mode via a remote debugging port. Subsequently, a series of requests was issued to obtain an OAuth authorization code, which was then exchanged for an access token to reach the target resources via the API.

The technique has been codenamed Shadow Token via Remote Debug (STRD) by the Russian cybersecurity vendor. What’s notable about the attack is that it’s viable on Chromium-based browsers and exploits an active Gmail session. In other words, the idea is to launch the browser in headless mode , connect via the remote debugging port to seize control, and leverage an already logged-in Gmail session to obtain access to the Google account resources. Three different versions of Umbrij have been uncovered, including versions that feature helper functions for debugging and for searching and selecting user accounts within the browser.

ToddyCat is the name assigned to an advanced persistent threat (APT) that has a history of targeting various organizations in Europe and Asia since at least 2020. In November 2025, Kaspersky detailed the hacking group’s use of a custom tool dubbed TCSectorCopy to lay their hands on Microsoft Outlook email data belonging to targeted companies. The cybersecurity company said it discovered Umbrij during what it described as a “threat hunting operation,” as part of which a scheduled task impersonating its software (“KasperskyEndpointSecurityEDRAvp”) was used to launch a digitally signed file. The signed file then employed DLL side-loading to launch Umbrij.

To accomplish this task, one of the three legitimate binaries susceptible to DLL side-loading were abused - BDSubWiz.exe , a component of the Submission Wizard in Bitdefender ConnectAgent VSTestVideoRecorder.exe , a component of the video-recording tool used for testing with Microsoft Visual Studio GoogleDesktop.exe , a discontinued Google Desktop Search application used for indexing files and performing quick searches on a local Windows computer Regardless of the executable used, the end result is the same: launching the rogue Umbrij DLL written in .NET and obfuscated with ConfuserEx, an open-source obfuscator. The tool can also be invoked along with command-line parameters that specify which browsers to target (Google Chrome or Microsoft Edge), instruct it to save a screenshot of the user profile as a PDF file, and provide the system username under which the tool will run. Umbrij workflow diagram Umbrij, once launched, performs a series of preparatory actions on a compromised Windows host to breach the Gmail account - Verify the availability of the port that will be designated for browser debugging. Retrieve the user context by searching for the “explorer.exe” process and duplicating the token of the first such process it encounters in order to retain all of that logged-in user’s privileges.

Alternatively, the -user switch can be used alongside the tool to specify the target user whose token needs to be duplicated. Construct the path to the web browser application folder within the user's local application data repository and then parse the Local State file corresponding to Chrome or Edge to gather information about stored browser user profiles. Enumerate all profiles and scan them for a field named "user_name" that includes an email address. It's worth noting that the presence of an email address signals that the user is authenticated to a Google service.

Create a directory called “BackupFiles” within “%LOCALAPPDATA%\Google\Chrome" and “%LOCALAPPDATA%\Microsoft\Edge.” Copy the following files and folders of each target user profile into them: IndexedDB, Local Storage, Network, Login Data, Login Data For Account, Preferences, Secure Preferences, and Web Data. Should these files be locked by other processes, the tool includes a force-copy mechanism. Search the “Program Files” and “Program Files (x86)” folders for the browser installation folder for Chrome and Edge. Launch the browsers in headless mode by using the user profile copied to the “BackupFiles” folder, causing the browser to apply all active user cookies, including the signed-in Google account, and skip authentication.

Use Puppeteer , a JavaScript library used for controlling Chromium-based browsers via the Chrome DevTools Protocol, to connect to the remote debugging port and send an authorization code request to direct the browser to a “accounts.google[.]com/o/oauth2/v2/auth/identifier” URL containing a “client_id” that corresponds to a migration tool used for importing local PST files and data from Microsoft Exchange accounts into a Google Workspace account. The HTTP GET request also specifies the set of permissions required by the application. Use JavaScript to emulate mouse click events to select the appropriate Google account after navigating to the URL and grant it the necessary permissions, including full access to Gmail, Drive, Contacts, Calendar, and Tasks. Redirect the browser session to a local address specified in the initial request and extract the OAuth authorization code from it.

“Umbrij, like most other tools in ToddyCat’s arsenal, logs its actions in detail and saves them to a file,” Kaspersky said. “It also saves the retrieved authorization code to this log file, which the operator subsequently exfiltrates from the compromised host.” “The acquired authorization code is then exchanged for an OAuth access token. The threat actors use that token to connect to the Gmail account through the API, thus compromising corporate email communications.” To counter the threat, it’s advised to review the authorization codes granted to applications by navigating to “myaccount.google[.]com/connections” and then looking for applications named “Google Workspace Migration for Microsoft Outlook” or “Google Workspace Sync for Microsoft Outlook.” If either of those applications is present and is not actually used within the organization, it’s essential to revoke their access to invalidate the OAuth tokens. “The ToddyCat APT group continues to search for ways of compromising corporate email communications,” Andrey Gunkin, senior malware analyst at Kaspersky, said.

“Their new tool, Umbrij, automates the attackers’ attempts to gain access to organizational email accounts. This automation not only helps increase the scale and frequency of their attacks but also demonstrates ToddyCat’s strong motivation and advanced technical skills.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Identity Lifecycle Management Wasn’t Built for AI Agents

Identity lifecycle management was architected around a person with an employment record, a manager, and a departure date. AI agents have none of those. As autonomous principals proliferate across enterprise environments, the governance model built for humans develops structural blind spots that traditional IGA tools weren’t designed to detect. This guide covers where that model breaks, what it fails to govern, and what extending it to agents actually requires.

What Identity Lifecycle Management Was Designed to Handle To understand why identity lifecycle management breaks down around AI agents, you need to understand what it was built to do well and who it was built for. The entire architecture rests on a single foundational assumption: every identity maps to a human being whose organizational status changes through documented, HR-driven events. The identity lifecycle management process governs access from an identity’s first provisioning event through every modification it accumulates to its eventual deactivation. At its core, it’s an event-driven control system built around three canonical transitions: joiner, mover, and leaver.

HR as the Authoritative Engine The HR platform, whether Workday, SAP SuccessFactors, or ServiceNow HR, functions as the system of record that drives the entire identity and access management lifecycle. A new hire record triggers automated provisioning into Active Directory or Azure AD, which propagates entitlements to downstream applications through IGA connectors. A department transfer updates role attributes and recalculates the appropriate entitlement set. A termination event triggers deprovisioning workflows across all connected systems.

The strength of the model is its determinism. Access rights reflect a verifiable organizational fact: a person holds a specific role in a specific team under a specific manager. Role-based access control maps those attributes to defined entitlement sets, delivering the right permissions at onboarding without manual negotiation per account. Identity governance lifecycle management builds accountability on top of that structure.

Access certification campaigns route to the identity manager or application owner for attestation. Separation-of-duties controls detect conflicting permissions. Audit logs tie every provisioning action back to the originating HR event and the approver who authorized it, providing the compliance evidence that frameworks such as SOX, HIPAA, and PCI DSS require. What the Identity Lifecycle Management Phases Enforce in Practice When an employee changes roles, attribute updates automatically recalculate entitlements, revoking what the new role doesn’t require and granting what it does.

When an employee leaves, the HR termination event triggers deprovisioning across all connected applications. Certification campaigns run on a defined cadence to fill the gaps between events, requiring managers to attest to current access against current role requirements. Every control in the standard identity lifecycle management phases assumes a human principal with an employment record, a manager relationship, and a predictable transition pattern. Access review workflows route to humans.

Provisioning triggers are triggered by humans entering or changing their status in the HR system. Offboarding fires when a human’s organizational status changes. The model is coherent, auditable, and well-supported by decades of IGA tooling. It reliably governs the human identity population.

The problem begins precisely at its edges, where the principals accumulating access inside enterprise environments no longer have employment records, managers, or departure dates. Where AI Agents Fall Outside That Model AI agents don’t arrive through HR. They don’t have employment records, reporting structures, or defined role profiles that map to entitlement sets. They are created by engineers, orchestration frameworks, or automated deployment pipelines, and they land in production with whatever permissions the developer scoped at creation time or whatever the platform granted by default.

That origin story breaks every assumption the identity lifecycle management model depends on. No Authoritative Source, No Governed Entry Point Standard identity and access management lifecycle controls require an authoritative source to initiate provisioning. For humans, that source is the HR system. For AI agents, provisioning typically happens through a developer committing a configuration file, a platform API call that instantiates a new agent runtime, or an orchestration layer like LangChain, AutoGen, or AWS Bedrock Agents spinning up a new execution context.

None of those events touches an IGA platform. None generates a provisioning record tied to a defined identity owner. The agent arrives with credentials already attached: a manually created service account, an API key generated and stored in an environment variable, or an OAuth grant issued through a developer consent flow. The IGA platform, if it sees the credential at all, treats it as a static machine identity with a fixed purpose.

What it’s actually dealing with is an autonomous principal that will make access decisions, traverse API boundaries, and accumulate behavioral scope in ways no static service account ever does. Dynamic Scope in a System Built for Fixed Roles Role-based access control works because human job functions are, within limits, predictable. A database administrator needs specific permissions. A finance analyst needs access to a defined set of systems.

Entitlement sets get designed around those functions and updated when roles change through documented HR events. AI agents don’t operate within fixed functional boundaries. An agent built to summarize internal documents may, through tool-calling or RAG retrieval patterns, end up querying APIs it wasn’t explicitly provisioned for, writing outputs to storage systems outside its original scope, or chaining actions across multiple enterprise systems to complete a task. The access surface expands at runtime, driven by the agent’s objective-seeking behavior rather than by any policy decision made in advance by a governance team.

Identity lifecycle management phases weren’t designed to govern runtime-expanding scope. They were designed to govern access defined at provisioning and adjusted at known transition points. Simultaneous Multi-Environment Instantiation A human identity exists in one place at a time. An AI agent can run as dozens of parallel instances across cloud environments, containerized workloads, and SaaS API surfaces simultaneously.

Each instance may carry its own credential set, its own tool permissions, and its own session context, none of which is correlated in any IGA system. In multi-agent architectures, the complexity compounds further. Orchestrator agents spawn sub-agents, delegate tasks, and pass credentials between execution contexts. The identity and access management lifecycle has no native model for a principal that forks, delegates, and recombines access rights dynamically across a distributed execution graph.

What IGA Tools Actually See When an IGA platform encounters an agent identity, it sees a service account with an API key or an OAuth client credential. Identity governance lifecycle management tooling applies the same governance logic it applies to any machine identity: it checks for an owner, verifies the credential age, and notes whether the account appeared in the last access review. What it doesn’t see is that the account is actively making authorization decisions, traversing application boundaries, and operating with a degree of autonomy that no traditional service account possesses. The governance record looks static.

The actual access behavior is anything but. The Lifecycle Events Agents Never Trigger The joiner-mover-leaver model works because human employment generates a continuous stream of structured events that governance systems can act on. AI agents generate none of them. Every control point in the standard identity lifecycle management phases depends on a signal that agent deployments never produce by design.

No Joiner Event, No Governed Entry When a new employee joins, the creation of an HR record triggers provisioning. Access gets scoped to a role definition, routed through an approval chain, and recorded in the IGA platform with an owner attached. The identity enters the governance boundary on day one. An AI agent enters production through a deployment pipeline, a Terraform apply, or a direct API call to an agent orchestration platform.

No IGA workflow fires. No access request gets submitted. No manager approves the entitlement set. The agent’s credentials, whether a service account, an OAuth client, or an API key, are created inline with the deployment, often by the same automated process that provisions the compute environment.

The identity and access management lifecycle never receives a joiner signal, so the governance record for that agent starts as a blank. No Mover Event, No Entitlement Recalculation When a human employee changes roles, HR attribute updates flow into the IGA platform, triggering entitlement recalculation. Access appropriate to the old role gets revoked. Access required by the new role gets provisioned.

The governance record reflects the current organizational reality. AI agents change scope constantly, and none of those changes generate a mover event. An agent retooled to access a new data source, extended to call additional APIs, or redeployed against a different environment doesn’t update any HR system. No IGA connector receives an attribute change.

No access review fires to reconcile what the agent now reaches against what it was originally provisioned for. Identity governance lifecycle management has no visibility into scope expansion that happens entirely within the deployment layer. No Access Review Signal Periodic access certification depends on a manager or application owner receiving a review task tied to a specific identity. That routing logic requires an identity with a human owner on record and an organizational relationship that the IGA platform can traverse.

Agent identities accumulate permissions across deployment iterations without generating any of the signals that recertification workflows depend on. Each new tool integration, each additional API scope, and each expanded OAuth grant layer is added to the agent’s access profile without triggering a review. The what is identity lifecycle management question, answered honestly for agents, is a model that produces no certification record, no attestation history, and no evidence of ongoing governance. No Leaver Event, No Deprovisioning Offboarding fires when an HR termination record closes the employment relationship.

The agent equivalent, a deployment being retired, a workflow being deprecated, or a project being shut down, produces no equivalent signal. Retired agent credentials persist in secrets managers, environment variable stores, and OAuth authorization servers long after the workload they served stopped running. An identity lifecycle management solution built around HR-triggered deprovisioning has no mechanism to detect that an agent is gone. The credentials remain valid.

The access paths remain open. The governance record shows an active identity because, from the IGA platform’s perspective, nothing has changed. What This Means for Provisioning, Reviews, and Offboarding The governance gaps described above aren’t theoretical edge cases. They produce concrete risks, compounding them at every operational stage of an agent’s existence.

When provisioning has no defined scope, when reviews produce no actionable signal, and when offboarding has no trigger, the access surface expands in only one direction. Provisioning: Over-Permission as the Default Starting Point Human provisioning starts from a role definition. The IGA platform maps job functions to an entitlement set, and the new identity receives access calibrated to what that function requires. Scope is defined before the identity exists.

Agent provisioning works in reverse. A developer needs the agent to complete a task and grants access broad enough to ensure success. The path of least resistance across major cloud and SaaS platforms is permissive: AWS IAM policies default toward broad resource access when scoped to wildcards, OAuth consent flows issue all requested scopes without challenging individual permissions, and service account creation in Azure AD or Google Workspace carries no built-in entitlement governance check. The agent arrives in production over-permissioned from its first moment of operation, with no minimum-necessary baseline, no approval chain, and no IGA record linking the granted access to a defined business requirement.

Access Reviews: Routing Logic That Finds No Owner Certification campaigns in standard identity governance lifecycle management platforms route review tasks based on identity attributes, specifically manager relationships and application ownership records. A reviewer receives a list of identities and their entitlements, confirms each access grant remains appropriate, and submits an attestation. Agent identities break the routing logic at its foundation. Most carry no manager attribute.

Many have no defined human owner in the IGA platform. Where application ownership records exist, they typically point to a team rather than an individual, and that team’s familiarity with what the agent currently accesses rarely matches what was originally provisioned. When certification campaigns do reach agent identities, reviewers attest to the access record in the IGA system, which reflects what was provisioned at creation rather than what the agent has accumulated through iterative deployment changes. The attestation is formally complete and operationally meaningless.

Offboarding: Credentials That Outlive Their Workload HR-triggered deprovisioning is deterministic. A termination record closes, the IGA platform sends deprovisioning instructions to every connected application, and the access path closes at a defined moment. Agent deprecation generates no equivalent signal. A development team retires a workflow, archives the repository, and decommissions the compute environment.

The service account persists in Active Directory or Entra ID. The API key remains valid in the secrets manager. The OAuth authorization grant remains valid on the authorization server. None of the systems that issued those credentials received a revocation instruction because no system monitored the agent’s operational status in the first place.

Stale agent credentials aren’t a minor hygiene issue. A long-lived API key with production database access, attached to a workload that no longer runs, is an ungoverned access path with no owner, no review history, and no expiration. In environments running large numbers of agents across iterative deployment cycles, those credentials accumulate faster than any manual audit process can keep up with. The identity and access management lifecycle, as currently implemented across most enterprise environments, has no mechanism to detect agent inactivity, flag credential age against operational status, or trigger revocation when a workload goes dark.

How to Extend Identity Lifecycle Management to Cover Agents Extending identity lifecycle management to cover AI agents doesn’t mean retrofitting HR-driven workflows onto a principal type for which they were never designed. It means rebuilding the governance logic around the agent’s actual operational characteristics: how it gets created, how its scope evolves, and how its operational life ends. Automated Discovery Across Every Deployment Surface Agent identities get created across cloud provider IAM systems, SaaS OAuth authorization servers, Kubernetes service accounts, secrets managers, and CI/CD pipeline credential stores. No single system maintains a complete inventory, and agents deployed through automated pipelines frequently appear in none of the places a traditional IGA platform looks for them.

A genuine identity lifecycle management solution for agents requires continuous, automated discovery that instruments the environments where agents actually live: reading IAM policy attachments in AWS and Azure, extracting OAuth client registrations from authorization servers, surfacing service account configurations from Kubernetes namespaces, and identifying API keys embedded in runtime configurations. Discovery has to be ongoing because agent deployments change faster than any quarterly audit cycle can capture. Attribute Modeling Built Around Agent Behavior Human identity attributes map to organizational structure: department, job title, manager. Those attributes anchor entitlement decisions and review routing.

Agent identity requires an entirely different attribute model. Each agent identity needs a documented owning team, a defined operational purpose, a bounded list of the systems and APIs it’s authorized to reach, a deployment timestamp, and an expected operational lifetime tied to the workload it serves. Behavioral attributes matter equally: which APIs the agent calls, how often, and across which data surfaces. An identity governance lifecycle management approach built for agents treats observed access patterns as governance inputs, using behavioral baselines to surface permission grants the agent holds but never exercises.

Policy-Driven Provisioning Scoped to Agent Function Rather than granting access at deployment time and reviewing it later, provisioning for agent identities should follow the same least-privilege logic that mature IAM program frameworks apply to privileged human accounts: define the minimum access the agent requires to perform its documented function, enforce that scope through policy at credential issuance, and attach the credential to a defined owner who carries accountability for any scope changes. In practice, this means integrating agent provisioning into IGA intake workflows rather than leaving it entirely within the deployment pipeline. When an agent requires access to a production API or a sensitive data store, that request routes through an access governance control, not around it. Continuous Behavioral Monitoring as the Review Substitute Periodic access certification produces no actionable signal for agent identities.

The operational substitute is continuous behavioral monitoring: tracking what each agent actually calls, comparing observed access against the provisioned entitlement set, and flagging divergence in real time. When an agent starts calling APIs outside its provisioned scope, that divergence is a governance event requiring immediate response, not a finding to surface at the next quarterly review. Behavioral monitoring closes the gap left by recertification campaigns across the identity and access management lifecycle for agent principals. Deprecation Workflows Triggered by Operational Status Offboarding for agents requires a trigger mechanism that reflects operational reality.

Inactivity monitoring tied to credential usage logs provides the signal: an API key that hasn’t generated an authenticated request within a defined window is a candidate for revocation review. Scope change detection flags when a deployment modifies the permissions attached to an agent credential, generating a governance event that routes to the owning team for reauthorization. Connecting those signals to automated revocation workflows, integrated with AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault, closes the offboarding gap without requiring a manual discovery step. The identity lifecycle management phases for agents end when operational status ends.

Where Orchid Security Fits In Most enterprise IAM stacks govern the identity population they can see through their existing connectors. Agent identities, ungoverned credentials, and authentication paths that bypass the corporate IdP fall into the space that those connectors don’t reach. That’s the gap Orchid Security was built to close. Continuous Discovery Across the Full Identity Surface Orchid deploys lightweight orchestrators that instrument applications directly, extracting authentication flows, authorization logic, account configurations, and credential storage patterns from both managed and unmanaged environments.

The result is a continuously updated identity inventory that reflects what the environment actually contains, including every agent identity, service account, and API credential that never passed through an IGA intake workflow. For organizations asking what identity lifecycle management is in practice, Orchid’s answer starts with visibility: you govern what you’ve found, and most programs haven’t found everything. An Identity Graph That Reflects Agent Reality Orchid’s identity graph maps every principal, human and non-human, to the authentication flows, entitlements, and application access paths it actually uses. For agent identities specifically, the graph surfaces the owning team, the provisioned permission set, observed behavioral patterns, and credential age, producing the attribute model that identity governance lifecycle management for agents requires, but traditional IGA platforms don’t generate.

Guardrails for Autonomous Identity Orchid’s guardrails for the autonomous identity apply policy-driven controls directly to agent identity populations: scoped provisioning tied to documented agent function, continuous monitoring of behavioral divergence from provisioned entitlements, and deprecation workflows triggered by inactivity signals rather than HR events. The platform integrates with existing IAM, PAM, and IGA infrastructure, routing remediation through the tools organizations already operate rather than replacing them. Governance scope expands to match the actual identity surface, including agent identities, and the identity and access management lifecycle extends to cover the principals that every traditional identity lifecycle management solution leaves outside its boundary. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company’s production database. Ransomware has always needed a skilled person somewhere in the loop, either at the keyboard or writing the script the malware follows. If a model can chain those steps on its own, the skill needed to run an attack drops to whatever it costs to rent an AI agent.

The way in was an old, already-patched bug. JADEPUFFER exploited CVE-2025-3248 , a missing-authentication flaw in Langflow , an open-source tool for building AI apps and agent workflows. The flaw lets anyone who can reach the server run their own Python code on it, no login needed. Langflow boxes are a tempting target because they often sit exposed on the internet and hold API keys and cloud credentials for the services they connect to.

The flaw was fixed in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated. It is not even the only Langflow bug being hit this way . Once inside, the agent worked fast and cleaned up after itself. It mapped the machine, then swept it for secrets: API keys for AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (Chinese providers like Alibaba and Tencent alongside AWS, Google, and Azure), crypto wallet keys, and database logins.

It raided a MinIO storage server using its factory-default login (minioadmin:minioadmin), which had never been changed. It also set up a way back in, adding a scheduled task that pinged the attacker’s server every 30 minutes. Then it pivoted to its real target: a separate, internet-facing server running a MySQL database and Alibaba’s Nacos, a settings and service directory common in microservice setups. The agent logged into the database as root.

Sysdig says it never saw where those root credentials came from, so their origin is unknown. From there, it took over Nacos using a 2021 authentication bypass ( CVE-2021-29441 ) and a default signing key that Nacos has shipped unchanged since 2020, then planted its own admin account. The Ransom Note With No Key The agent encrypted all 1,342 Nacos settings, dropped the original tables, and left a ransom note demanding Bitcoin with a Proton Mail contact. It generated a random encryption key, printed it to the screen once, and never saved or sent it anywhere.

There is no key to hand over. The victim cannot get the data back even if they pay. (The note claims AES-256; Sysdig notes the tool it used defaults to weaker AES-128, though the result is the same.) It then went further, deleting whole databases and leaving a comment in its own code claiming it had already copied the data somewhere else. Sysdig says that is the agent talking, not something the team could confirm, and found no evidence that any data was actually left.

How Experts Know an AI Was Driving The clearest sign was the code itself. The attack payloads were full of plain-English notes explaining why each step was being taken, the running commentary a human hacker never bothers to write, but a model produces by default. The agent also fixed its own mistakes at machine speed. In one case, it went from a failed login to a correct, multi-step fix in 31 seconds, diagnosing the exact cause instead of blindly retrying.

Sysdig counted more than 600 separate, purposeful payloads across the operation. One detail is still a puzzle. The Bitcoin address in the ransom note is the exact sample address that appears throughout Bitcoin’s own developer documentation, which means it shows up all over the text these models are trained on. It is also a real, active wallet with a long history of payments.

Sysdig cannot tell whether the model simply pasted a familiar-looking address from memory, or whether the operator deliberately used a real wallet that happens to match the famous example. Part of a Bigger Shift JADEPUFFER is the latest step in a fast-moving year for AI-driven attacks. In August 2025, researchers at ESET flagged PromptLock , billed as the first AI-powered ransomware; it later turned out to be a lab prototype from NYU called Ransomware 3.0, not a real attack. Around the same time, Anthropic reported a real extortion campaign that used its Claude Code tool to hit at least 17 organizations , with demands topping $500,000, though a human still steered that one.

In November 2025, Anthropic disclosed what it called the first largely autonomous cyberattack , a Chinese state-linked spying effort that had Claude write exploits and steal data with little human help. That operation also had the AI inventing credentials that did not exist, possibly the same kind of hallucination behind JADEPUFFER’s odd Bitcoin address. The pieces of a serious attack are getting automated, and old, unpatched software is the easy first target. Agents make spraying the entire back catalogue of known bugs nearly free, so neglected servers get more exposed, not less.

What Defenders Should Do The fixes are familiar. Patch Langflow and never expose its code-running endpoints to the internet. Do not run AI tools with cloud keys and provider credentials sitting in their environment; keep secrets in a proper manager, away from anything the web can reach. Harden Nacos: change the default signing key, keep it off the public internet, and never let it connect to its database as root.

Never expose a database’s admin account to the internet, and lock down outbound traffic so a hacked server cannot phone home. Because attackers can now weaponize a fresh advisory in hours, Sysdig argues that watching for bad behavior at runtime matters more than racing to patch. Sysdig’s published indicators for this operation include: Entry point: CVE-2025-3248 (Langflow unauthenticated remote code execution) Command-and-control: 45.131.66[.]106, with a beacon to hxxp://45.131.66[.]106:4444/beacon every 30 minutes Claimed staging server: 64.20.53[.]230 Ransom Bitcoin address: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy; contact e78393397[@]proton[.]me; ransom table named README_RANSOM Sysdig calls JADEPUFFER a warning sign rather than a crisis. None of the individual moves was clever or new.

What is new is that a model stitched them into a complete attack against a neglected server, on its own. Expect more of the same as agent tools mature, and treat any exposed server, config store, or database admin login as something a machine will probe, not just a person. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. “An operator tied to FortiBleed’s infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time,” SOCRadar said in a new report published Wednesday. The company said it tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. In all, at least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations.

The large-scale credential-harvesting operation, which came to light last month, involved the threat actors systematically scanning the internet for exposed Fortinet devices, attempting to break into them using known credential combinations, and then deploying custom packet sniffers to passively gather credentials and other authentication data from network traffic. The campaign is assessed to have targeted 430,000 FortiGate firewalls globally, gathering over 110 million credentials in the process. The activity was exposed after an operational security error on the part of the attackers left a server containing credentials stolen from thousands of Fortinet appliances exposed on the internet. The Golang sniffer is estimated to have been installed on about 12,000 Fortinet devices, making it a subset of the total number of networking gear targeted.

The latest findings from SOCRadar show that an operator with access to FortiBleed infrastructure was found logged in to both INC Ransom and Lynx negotiation panels, with victims listed by INC Ransom overlapping with data from the campaign. The links are based on one of the 200 newly discovered servers associated with the FortiBleed infrastructure that granted visibility into internal files, logs, and operational documentation. Ensar Seker, chief information security officer at SOCRadar, told The Hacker News via email that the exposed server functioned as a staging staging and operational coordination server, and was not used for phishing or active credential collection. “It contained target inventories, harvested data, automation scripts, configuration files, and operational artifacts that indicate it was used to coordinate large-scale credential harvesting against internet-facing network appliances,” Seker said.

“In other words, it served as part of the attackers’ backend infrastructure rather than the infrastructure victims directly interacted with.” Tooling, logs, and working hours indicate that the activity is the work of a Russian-speaking threat actor who likely operates as an initial access broker. Much of the targeting has singled out manufacturing, technology, and logistics sectors in Latin America and the Asia Pacific regions. SOCRadar also said it discovered an internal document that indicates it’s an organized operation comprising about 20 people with a clear division of labor. “A small core of lead operators drives most high-impact intrusions, backed by specialists and support staff,” it added.

In addition, the threat actors are believed to be in possession of at least one zero-day vulnerability in Nextcloud. The threat intelligence firm said it’s actively coordinating with the affected vendor. The Delaware-based company said it also identified Citrix-related artifacts that indicate the activity is likely targeting beyond Fortinet devices. The identified infrastructure included a dedicated target list containing about 29,000 IP addresses and 37 domains associated with Citrix environments.

This suggests the automated workflow may be repurposed for other remote access technologies. “At this stage, the presence of these target lists does not conclusively prove that credential harvesting against Citrix devices has already occurred at scale,” Seker explained. “Rather, it demonstrates clear reconnaissance and targeting preparations.” “However, given the sophistication of the infrastructure and the operators proven ability to automate credential collection against Fortinet devices, organizations using internet-facing Citrix infrastructure should treat this as an early warning and verify authentication logs, rotate exposed credentials where appropriate, enforce MFA, and monitor for anomalous login activity.” The disclosure comes as eSentire said it observed threat actors exploiting a flaw in Fortinet FortiClient EMS ( CVE-2026-35616 , CVSS score: 9.1) to deploy an information stealer called EKZ Stealer against a customer in the energy, utilities, and waste sector with the end goal of harvesting credentials from Chromium-based browsers and Firefox and exfiltrating them via PowerShell. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC , travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and Sekoia published their joint findings on July 1 and warned that, as of that report, the malware and its servers were still live, so do not run any of these PoCs.

The trick is where the code sits. The visible PoC looks clean. The malware hides in a Python package that the PoC pulls in as a dependency, so it slips past a quick code review. How the trap works The bait is time pressure.

When a big flaw drops, researchers race to test it and grab community PoCs to move fast. This campaign turns that habit into an infection route. The chain, in plain terms: You clone the repo and run pip install to fetch the PoC’s requirements. That pulls in a package named frint, which in turn drags in a second package, skytext.

skytext ships a small compiled file (gradient.so on Linux, gradient.pyd on Windows) that runs the moment you launch the PoC. It only wakes up when it sees the real PoC loaded, checking for a file named EXPLOIT_POC.py or similar, then unpacks its payload and downloads the trojan. That last check is why a plain sandbox sees nothing. Detonate the package on its own, without the full PoC around it, and the malware stays asleep.

What it steals and does Once running, ChocoPoC is a full remote access trojan. It pulls saved passwords, cookies, autofill, and history from Chrome, Brave, Edge, and Firefox. It grabs text files, notes, and local databases, along with shell history, network settings, and the list of running processes. The attacker can also run any shell command, run arbitrary Python, pull whole folders, and slow the malware down to stay quiet.

Several command names are in Spanish, and the code carries small bugs, which the researchers read as hand-written rather than AI-generated. For control, the malware hides in plain sight. It reads its orders from a dataset on Mapbox, a normal mapping service, using it as a dead drop. It resolves that address over DNS-over-HTTPS and uses a domain-fronting trick, so the traffic looks like ordinary Mapbox API calls.

Larger uploads go to a separate server at 91.132.163.78. How far has it spread YesWeHack and Sekoia found at least seven fake PoC repos, each tied to a high-profile flaw: FortiWeb path traversal (CVE-2025-64446) React2Shell (CVE-2025-55182) MongoBleed (CVE-2025-14847) PAN-OS auth bypass (CVE-2026-0257) Ivanti Sentry command injection (CVE-2026-10520) Check Point VPN auth bypass (CVE-2026-50751) Joomla SP Page Builder RCE (CVE-2026-48908) The skytext package alone was downloaded about 2,400 times, mostly on Linux. Downloads do not prove anyone was infected, but they spiked right after major CVEs went public, which fits the lure. An earlier run of the same campaign, going back to late 2025, used two other packages, slogsec and logcrypt.cryptography, with near-identical code.

Sekoia assesses with high confidence that one actor is behind both, based on reused control markers. It says the operator rotated through GitHub, PyPI, and Mapbox accounts, several built from leaked or stolen logins. No known group has been named. Security researchers make a rich target.

They run untrusted code by design, often with high privileges, and their machines hold client credentials, private reports, and details of live engagements. Compromise one, and you can reach far past a single laptop. The MUT-1244 campaign showed the payoff, using fake PoC repositories to steal SSH keys and cloud credentials from red teamers and researchers. This is not a new idea, only a new wrapper.

North Korea’s Lazarus group has courted researchers for years, posing as fellow bug hunters and shipping malicious Visual Studio projects in 2021 , then burning a zero-day on them in 2023 , with fresh waves since. On the commodity-crime side, Trend Micro found a fake PoC for a Windows LDAP flaw (CVE-2024-49113) that stole researcher data in early 2025, and a separate campaign pushed fake CVE PoCs carrying a trojan called WebRAT in late 2025, mostly hitting students and junior testers. What ChocoPoC adds is the hiding spot. The malware lives in a dependency, so the PoC you actually read stays clean.

As the researchers put it, the malware itself is old news, but “what is changing is the delivery mechanism.” What to do now Treat any PoC as hostile until proven otherwise, and steer clear of code from brand-new or unknown accounts. Read the full dependency chain, not just the PoC file. Watch for freshly published packages, unfamiliar maintainers, and accounts with hidden history. Test only in a throwaway VM, but remember isolation alone will not trip this one.

The real fix is not installing the packages at all. Check your systems for frint, skytext, slogsec, and logcrypt.cryptography, plus the file hashes in the report. If you ran any of them, rotate credentials and rebuild the host. The bigger risk is downstream.

These lures target the researchers who supply detections and PoCs to frameworks like Nuclei and MDUT. Sekoia flags the danger of a double supply chain hit: poison one researcher, and the bad code can ride into a framework thousands of others trust. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-45659 (CVSS score: 8.8), is a case of remote code execution arising from the deserialization of untrusted data. The issue was addressed by Microsoft in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

Microsoft noted that any authenticated attacker could trigger the vulnerability, and that it does not require admin or other elevated privileges. In a network-based attack, an authenticated attacker with a minimum of Site Member permissions (PR:L) could leverage it to execute code remotely on the SharePoint Server. “Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network,” CISA said . According to the Windows maker’s advisory, the flaw has been tagged with an “Exploitation Less Likely” assessment.

It’s currently not known how the vulnerability is being exploited, who is behind the activity, and what the end goals of these efforts are. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by July 4, 2026. Microsoft Uncovers Parallel Threat Activity from 2 Clusters Late last month, Microsoft revealed that a routine ransomware investigation uncovered two unrelated attackers operating simultaneously within the same network, while adopting deliberate techniques to establish persistent access and complicate incident response efforts. One set of attacks has been attributed to Storm-2603 , a threat actor known for deploying Warlock ransomware often by exploiting known vulnerabilities in on-premises SharePoint servers since mid-2025 .

“In this case, initial access was likely attempted through a separate vulnerability, with requests for files like win.ini and web.config, indicating probing for local file inclusion,” Microsoft said. Evidence points to it being CVE-2025-11371 (CVSS score: 9.1), a critical flaw impacting Gladinet Triofox. Upon gaining initial access, the threat actor is said to have deployed tools like Velociraptor to blend malicious activity with trusted administrative behavior, as well as established multiple remote access channels through Cloudflare tunneling, Zoho Assist, and Secure Shell (SSH) connections configured through Visual Studio Code. The attack also escalated privileges by creating new local and domain administrator accounts, while a vulnerable driver (“NSecKrnl.sys”) acted as a conduit for tampering with endpoint security protections to help reduce their visibility.

In tandem, Microsoft said it uncovered signs of a second, unrelated threat actor co-existing in the same environment using DLL side-loading and custom backdoors, thereby making attribution more challenging. Further investigation uncovered that the attackers had moved laterally beyond the first network and into a second organization, which confirmed they had been compromised by the same ransomware activity attributed to Storm-2603. “Together, these overlapping activity streams enabled sustained access while masking the full scope of the intrusion,” the Microsoft Incident Response team said. “The blend of known ransomware tactics and hidden techniques allowed the threat actors to establish deep and lasting access.” “What may appear to be a single ransomware incident can quickly expand into something more complex-spanning organizations, blending tactics, and even involving multiple threat actors operating in parallel.

For security teams, the implication is clear: isolated signals rarely tell the full story.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters

Argo CD , a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component’s internal network port. Synacktiv , which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it reported the flaw to Argo CD’s maintainers in January 2025; roughly eighteen months later, it remains unpatched, so it published the details to warn users.

The bug sits in repo-server, the Argo CD component that reads Git repositories and builds Kubernetes manifests, the files that define what the cluster deploys. Its internal gRPC service has no authentication; anyone who can reach it can send a crafted request to run a command. Synacktiv demonstrated the attack against Argo CD v2.13.3 and reports no patched release; it did not publish a full list of affected versions. The technique abuses kustomize , a standard tool Argo CD runs to turn repository files into manifests.

Kustomize has a –helm-command option that points to the helm binary it should call. Synacktiv found that an unauthenticated request to the repo-server’s GenerateManifest service can set that option to a script instead, pulled from an attacker-controlled Git repository. When kustomize runs, it executes the script rather than helm. But “internal” does not mean isolated by default.

Argo CD ships Kubernetes network policies that wall the repo-server off from everything except its own components. Synacktiv found the Helm chart, a common way to install Argo CD, leaves those policies off by default , with networkPolicy.create set to false. In that setup, an attacker who compromises a single pod in the cluster can reach the repo-server and trigger the bug. Running code on the repo-server is not the end of it.

Synacktiv used that access to read the cluster’s Redis password from an environment variable, connect to Argo CD’s Redis cache, and poison the stored deployment data. On the next automatic sync, Argo CD deployed an attacker-supplied workload. That step revives CVE-2024-31989 , a 2024 flaw Cycode found where Argo CD’s Redis had no password, letting any pod in the cluster poison the deployment cache. Argo CD fixed that by adding a Redis password, but the cache itself is still not signed, so stealing the password back reopens the same attack.

What to do There is no patched version, so the defense is network isolation. Turn on Kubernetes network policies so only Argo CD’s own components can reach the repo-server and Redis ports. Argo CD provides the policy files; Helm users have to enable them because the chart leaves them off. Check what is active with: kubectl get networkpolicy -A.

A healthy install shows one network policy per component, including the repo-server and Redis. If those policies are missing, the repo-server and Redis ports are reachable from the rest of the cluster. Synacktiv built a tool, argo-cdown, that automates the full attack. It is holding the tool back for now to give defenders time to lock down their network policies, and says it will publish it on GitHub later so administrators can test their own deployments.

This is not Argo CD’s first exposure of its own internals. In September 2025, it patched CVE-2025-55190 , where an API token with only basic read access could pull back a project’s Git repository credentials, a flaw that The Hacker News flagged at the time . In May 2026, another bug, CVE-2026-42880 , allowed read-only users to read plaintext Kubernetes secrets. The pattern is hard to miss: Argo CD concentrates cluster access and repository secrets, and its internal surfaces keep handing them out, to an unauthenticated request in one bug and a low-privilege token in the next.

Until a patch ships, treating the cluster network as hostile is the only real defense. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges

A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice announced on July 1. Peter Stokes , 19, a dual U.S.

and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish police arrested him in April on an Interpol Red Notice, an international arrest request, before his extradition in late June. His case is the latest in a run of arrests targeting a crew tied to breaches at casinos, retailers, and airlines. Court records identify Stokes by the online handle “Bouquet” and describe at least four intrusions, the first when he was 16.

In one case, in May 2025, prosecutors say he and others broke into a luxury jewelry retailer, copied its data, and demanded about $8 million in cryptocurrency. The retailer refused to pay, evicted the intruders, and spent at least $2 million cleaning up. According to those records, Finnish officers seized two 2-terabyte hard drives when they stopped Stokes at Helsinki airport as he tried to board a flight to Japan. Who is Scattered Spider Scattered Spider is not a traditional gang.

It is a loose, mostly English-speaking group of young people, many of them teenagers, spread across the U.S., U.K., and Europe. Security companies also track it under the names Octo Tempest, UNC3944, and 0ktapus. Its main trick is simple and hard to stop. Instead of breaking software, it fools people.

Members phone a company’s IT help desk , pretend to be a worker who is locked out, and talk the staff into resetting a password or approving a login. Once inside, they steal files and threaten to leak them unless they are paid. The group is best known for the 2023 attacks on MGM Resorts and Caesars Entertainment, which shut down MGM’s casino and hotel systems. Through 2025, it was linked to attacks on U.K.

retailers including Marks & Spencer, Harrods, and Co-op, then U.S. insurers and, later, airlines, a pattern security researchers describe as moving through one sector at a time. Assistant Attorney General A. Tysen Duva said the group has been involved in “over 100 network intrusions, resulting in more than $100 million in ransom payments.” Part of a wider crackdown Stokes is part of a broader shift in the Scattered Spider story: police are putting names, countries, and court dates to a crew that long operated as handles in chat rooms.

Recent cases include: Tyler Buchanan, a 24-year-old from Scotland, who was once described as a ringleader, pleaded guilty in a U.S. court in April 2026 to fraud and identity theft. He admitted stealing at least $8 million in cryptocurrency through phishing campaigns that hit companies including Twilio and LastPass, and faces a statutory maximum of 22 years in prison. Noah Urban, a member from Florida, was sentenced in August 2025 to 10 years and ordered to repay about $13 million.

Thalha Jubair and Owen Flowers, two young men in the U.K., pleaded guilty in June 2026 to a 2024 attack on Transport for London , the capital’s transit agency. Flowers also admitted conspiring to hack two U.S. health systems, SSM Health and Sutter Health. How companies can defend The playbook has outlived the arrests.

Mandiant reported a lull in attacks tied to the group after the 2025 arrests, then warned that other crews are already copying it. The weak point is the help desk, not the firewall, so the fixes that hold are stricter identity checks before a reset and sign-in keys that phishing cannot steal. A joint U.S. and international advisory adds that once inside, the intruders often lurk in a company’s chat tools and join the calls it holds to respond to the breach, watching who is hunting them.

For investigators, the drives seized in Helsinki may matter as much as the charges: devices taken from one member often lead to others. Stokes is presumed innocent, and his case must still go to trial, but the past year has made one thing plain: being young, scattered across borders, and good at talking past a help desk is no longer keeping this crew out of court. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT

Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT . Kaspersky said the activity is part of a “massive, multi-domain, multi-language” campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others. The Russian cybersecurity company said it identified more than 90 domain names localized across 10 languages, including English, Russian, Chinese, German, French, Spanish, Portuguese, and Arabic.

Some of these domains were set up between August 2025 and March 2026. “The malicious archives bundle a legitimate, signed Microsoft install.exe binary alongside a rogue install.res.1033.dll library,” security researcher Denis Kulik said . “It is loaded onto the device via DLL side-loading and deploys the ScreenConnect service, which awaits further instructions from the threat actors.” “This allowed the attackers to maintain control over compromised endpoints, with victims ranging from individual users to organizations.” Once ScreenConnect is up and running, the service creates and executes a PowerShell script (“Fj5NmEsp9EuKrun.ps1”), which configures Microsoft Defender exclusions, disables User Account Control (UAC) prompts, and then creates a Visual Basic Script (VBScript) file called “installer_method3_stream.vbs.” The script, for its part, creates a set of five files in the “C:\Users\Public directory” - msgbox.txt secret_bytes.txt 1.vb cap.ps1 script.vbs In the next stage, it triggers the execution of “script.vbs,” a script that’s responsible for terminating all active PowerShell processes and running “cap.ps1” in a hidden window. The primary goal of the PowerShell script is to read the contents of the “secret_bytes.txt” file, extract from it the AsyncRAT module, and run it using process hollowing .

The malware then establishes a connection to a remote server (“mora1987.work[.]gd”), allowing the threat actor to covertly control infected Windows systems, steal sensitive data, and monitor user activity by recording screen content. Persistence is established by means of a scheduled task (“MasterPackager.Updater”) that’s activated every two minutes to execute “script.vbs,” ensuring that the entire attack is run after a system reboot. “The threat actor disguises ScreenConnect as popular utilities and distributes it through fraudulent websites that mimic official product pages,” Kaspersky said. “The attackers leverage search engine optimization techniques to push these sites to the top of search results in engines like Google and Bing.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer

Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs . The activity has been codenamed VEIL#DROP by Securonix. It’s suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise , which occurs when an unsuspecting user lands on a website (legitimate or otherwise) under the attacker’s control. “The infection chain begins with a deceptively named JavaScript file masquerading as a document (e.g., transcript.pdf.js), which executes through Windows Script Host and launches PowerShell with execution policy bypasses enabled,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a report shared with The Hacker News.

At a high level, the PowerShell script is responsible for retrieving a next-stage payload hosted on Blogger (“htlwub00klocate.blogspot[.]com”), allowing the attackers to bypass reputation-based defenses by abusing Google’s trusted infrastructure as a stager and to blend in with legitimate web activity. The downloaded PowerShell payload acts as a conduit for loading a benign web page like Google, creating the impression that a PDF document is opened, while the infection sequence proceeds silently in the background, ultimately leading to the deployment of PureLogs Stealer , a .NET-based infostealer known for harvesting a wide array of sensitive data from compromised hosts. The PowerShell loader also attempts to ensure unrestricted execution of follow-up PowerShell commands, terminate selected processes such as “wscript.exe” to minimize forensic trail, delete “transcript.pdf.js” to eliminate evidence of execution, and decrypt an embedded payload. “Following successful XOR decryption, the loader transitions into one of the most evasive components of the VEIL#DROP framework: dynamic stage generation combined with runtime mutation,” Securonix explained.

“Rather than using static indicators such as hard-coded URLs or predictable execution patterns, the malware constructs the next-stage payload location dynamically during execution.” This involves building a unique blogspot[.]com URL for each execution by inserting a random number of forward slashes (“/”) to the URL string so as to bypass static URL signatures, indicator-based blocking, and URL-based filtering mechanisms. In addition, the decoded script introduces runtime mutation and polymorphism by replacing placeholder values within the script with randomly generated strings and values during execution. This variability is designed to defeat script signatures and file hashes, thereby preventing reliable detection. The reconstructed script is finally executed entirely in memory without leaving any artifacts on disk.

This component functions as a loader responsible for decoding and running the core malware component, which is nothing but a .NET assembly that’s launched using a technique known as reflective code loading . In the event security controls and other environmental restrictions prevent it from executing the recovered .NET assemblies directly from memory, the loader incorporates a fallback execution method that relies on Microsoft-signed binaries, such as “regsvcs.exe,” “installutil.exe,” “msbuild.exe,” and “aspnet_compiler.exe,” to accomplish the same goals without attracting any attention. Because these binaries are trusted, signed by Microsoft, and are already present on the system, the living-off-the-land (LotL) approach enables the attackers to make their activity appear legitimate and fly under the radar. “One of the most notable aspects of the loader is that it does not depend on any single LOLBin ,” the researchers pointed out.

“Instead, execution follows a cascading model, attempting each method until one succeeds.” The impact of a stealer infection typically goes beyond the initially compromised endpoint, as the harvested data can act as a stepping stone to burrow deeper into the target environment, establish persistence, perform lateral movement, and even breach its cloud infrastructure. “The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.