EvilBit Threat Digest - The Human Factor and the Hidden Hand

Explores how social engineering and human psychology drive modern cyber intrusions, from fake prompts to credential phishing and APT toolsets.

It’s KryptoKat again. In a week filled with incredibly sophisticated threat actor techniques—from LD_PRELOAD hooks to DNS tunneling—it’s humbling to be reminded that the most reliable exploit in the world remains the one targeting the human brain. While my counterpart here lives for the deep technical weeds of a good rootkit, I’m always fascinated by the simple, brutal effectiveness of a well-crafted lure. And this week, we saw proof that tricking a user into running code is still the path of least resistance.

UncleSp1d3r here. She's not wrong. Why burn a zero-day when you can just ask the user to pwn themselves? It’s efficient. It’s scalable. And frankly, it’s a little hilarious. Some of the most effective campaigns we saw this week were less about elegant code and more about a deep understanding of human psychology, laziness, and the eternal hope for a better job.

Let's dive into the artistry of the con.

Click-to-Pwn: The User Remains the Feature

If you needed any more proof that social engineering is undefeated, Microsoft just handed it to you on a silver platter. According to their security blog, the so-called "ClickFix" technique was responsible for a staggering 47% of all initial access incidents they tracked in the past year. As reported by multiple outlets, this technique involves tricking users with a fake CAPTCHA or error message that instructs them to resolve the issue by copying a Base64 blob and pasting it into the Windows Run dialog or a PowerShell prompt. An OTX pulse from this week highlights attackers using this very method to deliver NetSupport RAT. It’s the digital equivalent of a scammer telling you to read your own credit card number back to them to "verify your identity." You’re literally telling your computer to infect itself. Genius.
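The tell for ClickFix on the endpoint is exactly what the paragraph describes: a shell spawned straight from the desktop (explorer.exe is the parent of anything launched via the Run dialog) and handed an encoded command. This is an added detection sketch, not code from Microsoft's post or the OTX pulse; it runs over constructed Sysmon-style process-creation lines, and the Base64 sample is a harmless placeholder string, not a real payload.

```python
import base64
import re

# Constructed sample of a pasted ClickFix command: a harmless placeholder,
# encoded the way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64).
PASTED_COMMAND = "Write-Host 'placeholder for the pasted stage'"
SAMPLE_B64 = base64.b64encode(PASTED_COMMAND.encode("utf-16-le")).decode()

# Constructed process-creation events in a Sysmon-style key=value layout.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f"CommandLine=powershell -w hidden -enc {SAMPLE_B64}",
    "ParentImage=C:\\Program Files\\Build\\ci.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -File C:\\build\\deploy.ps1",
    "ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# -e, -ec, -enc and -encodedcommand are all accepted spellings of the switch.
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")  # assumed watch-list

def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def decode_encoded_command(cmdline: str):
    """Return the plaintext behind an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_clickfix_like(event: dict):
    """Shell launched directly by explorer.exe with a hidden window or an
    encoded command: the Run-dialog paste pattern. Returns reasons or None."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if parent != "explorer.exe" or image not in SHELLS:
        return None
    cmd = event.get("CommandLine", "")
    reasons = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command: " + decoded)
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
        reasons.append("hidden window")
    return reasons or None

def find_clickfix_candidates(lines):
    return [(i, is_clickfix_like(parse_event(l))) for i, l in enumerate(lines)
            if is_clickfix_like(parse_event(l))]
```

Decoding the blob before alerting matters: the decoded text is what an analyst needs to triage, and the same rule would not fire on the CI-driven PowerShell in the second sample line.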

In a similar vein, Google’s Threat Intelligence Group is tracking a Vietnam-based actor (UNC6229) running a slick fake job campaign. They post realistic job openings for marketing and advertising roles on LinkedIn and custom sites like staffvirtual[.]website. Once a target applies, the actors engage them through legitimate CRM platforms like Salesforce, building trust before sending a malicious LNK file (Triskcam) or a credential phishing kit. The goal? Hijack corporate advertising and social media accounts for resale. It's a full-service operation, from HR to asset liquidation.

And because no phishing roundup is complete without impersonating a collaboration tool, security researcher Aaron Samala has a great write-up on a campaign using fake Microsoft Teams transcript pages to deliver GoTo RMM. The attackers use URL shorteners and compromised websites to host the lure, which leads to a download of the legitimate remote access tool. Once installed, it gives the attackers persistent access. The research even uncovered an infrastructure pattern, with multiple .top domains registered through NameSilo sharing the same nameserver hash. It's a good reminder to treat all unexpected file downloads with suspicion, even if they look like they’re from a trusted app.

The Shadow War: APTs Evolve and Expand

It’s KryptoKat. While UncleSp1d3r is admiring the audacity of asking users to self-destruct, there's plenty of sophisticated state-aligned activity to go around. FortiGuard Labs is tracking a campaign delivering the HoldingHands backdoor across Taiwan, Japan, and Malaysia. The actors are evolving, shifting from simple cloud storage links to custom domains and adopting new tricks for persistence and execution, including DLL sideloading via TimeBrokerClient.dll and Task Scheduler jobs. Most interestingly, they rotate C2 infrastructure by storing the next address in a registry key (HKCU\SOFTWARE\HHClient), a simple but effective way to stay agile.

UncleSp1d3r again. Now for the really fun stuff. Researchers in Russia published a phenomenal analysis on an APT cluster they’ve dubbed "Cloaked Shadow." Active since at least 2023, this is an alliance of at least three subgroups (including GOFFEE and the Belarusian Cyberpartisans) sharing tools and access to target Russian organizations. The tradecraft here is top-tier. We're talking custom reverse-SOCKS5 proxies, hardened Dropbear SSH implants with XOR-encoded keys, and a Go-based backdoor that spoofs systemd processes by bind-mounting over /proc/<pid>. To stay hidden, they use LD_PRELOAD to hook core libraries and masquerade as common daemons like zabbix and irqbalance. Their C2 is just as sneaky, using DNS tunneling via afraid.org and strangled.net domains. This is deep, patient, and highly skilled work.
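The /proc bind-mount trick leaves a footprint the kernel cannot hide: the mount itself appears in the mount table. Below is an added check (not code from the researchers' report or the backdoor) that parses a constructed /proc/self/mountinfo excerpt and flags any mount sitting on top of /proc/<pid>; the PIDs 614 and 4242 are made up for the sample.

```python
import re
from dataclasses import dataclass

# Constructed /proc/self/mountinfo excerpt. The last line models the technique
# from the write-up: the procfs entry for PID 614 (a real daemon) bind-mounted
# over /proc/4242, so anything reading /proc/4242 sees the daemon's details.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
31 22 0:29 / /proc/sys/fs/binfmt_misc rw,relatime shared:18 - autofs systemd-1 rw,fd=31
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
120 22 0:21 /614 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
"""

# Only a per-process directory counts; /proc/sys/... sub-mounts are benign.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str         # path inside the source filesystem that was mounted
    mount_point: str  # where it is visible in this mount namespace
    fstype: str
    source: str

def parse_mountinfo(text: str) -> list:
    """Parse mountinfo lines. A lone '-' token separates the optional fields
    from the filesystem type, source and super options."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        mounts.append(Mount(int(lf[0]), int(lf[1]), lf[3], lf[4], rf[0], rf[1]))
    return mounts

def find_proc_pid_overlays(mounts) -> list:
    """Return (masked_pid, source_root, mount) for every mount on /proc/<pid>.
    For a proc-on-proc bind mount the root field names the borrowed PID."""
    hits = []
    for m in mounts:
        match = PROC_PID_RE.match(m.mount_point)
        if match:
            hits.append((int(match.group(1)), m.root, m))
    return hits

def report(text: str) -> list:
    return [f"/proc/{pid} is masked by {m.fstype} root {root}"
            for pid, root, m in find_proc_pid_overlays(parse_mountinfo(text))]
```

On a live host, feed `report()` the contents of /proc/self/mountinfo from a process outside any container, since a container's own mount namespace would not show the host's overlay.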

And on a final note from the APT diary, an OTX pulse reports that the group known as Librarian Likho has updated its toolkit. They're now using an "AI-assisted" file-grabber designed for rapid, automated discovery and exfiltration of sensitive files from compromised hosts. The campaign uses domains like identification.site to host its malicious archives. Defenders should be tuning DLP and EDR to detect mass file-access events and large outbound transfers.

On the Horizon

Just a quick heads-up from the folks at Trend Micro's Zero Day Initiative. They've logged a pre-disclosure advisory for Microsoft, ZDI-CAN-28066, that carries a CVSS score of 8.8. The vector points to a local privilege escalation that requires low privileges and no user interaction. The patch deadline is set for February 2026, so we have some time. While details are scant, it’s a good reminder to continue hardening local systems, limiting administrative accounts, and ensuring your EDR is tuned to spot privilege escalation attempts.


And that's a wrap. We can spend all day building taller walls, but it doesn't matter much if someone just convinces the person inside to open the front door and hand over the keys. Maybe the next big security innovation should be a browser extension that just says, "Are you sure you want to do that?" in a very judgmental tone. Seems like it would have a pretty good success rate.

Stay safe out there.

— UncleSp1d3r & KryptoKat