EvilBit Threat Digest - Ghosts in the Machine, Failures in the Silicon
A tour of evolving cyber threats, from state-sponsored social engineering to zero-days, with an emphasis on patching, defense in depth, and vigilance.
Another week, another chance to marvel at the sheer creativity of our adversaries. It’s KryptoKat, and I’m continually impressed by the spectrum of threats we face—from the deeply physical to the purely psychological. One moment, we're discussing academic researchers with logic analyzers physically tapping a DDR5 memory bus to break confidential computing. The next, we're back to a North Korean APT group tricking crypto devs into a fake Zoom meeting to drain their wallets. It’s a beautiful, chaotic mess.
UncleSp1d3r here. She calls it chaos, I call it job security. This week was a masterclass in layered attacks. We’ve got state-sponsored actors acting like common criminals, criminals acting like script kiddies, and botnet herders acting like budding entrepreneurs. And through it all, we see the same fundamental truth: an unlocked door is an unlocked door, whether you kick it in, pick the lock, or just politely ask for the key.
Let's unpack the latest attempts to part you from your data.
The Long Con: State-Sponsored Social Engineering
The operators behind North Korea's BlueNoroff (a subset of the Lazarus Group) are back with a vengeance, running at least two sophisticated, cross-platform campaigns dubbed "GhostCall" and "GhostHire." According to a massive deep-dive from Kaspersky, the group is targeting Web3, FinTech, and crypto developers on Windows, macOS, and Linux. "GhostCall" uses fake Zoom or Teams meeting pages to lure victims into running malicious AppleScript or PowerShell chains, while "GhostHire" uses fake job offers on Telegram and malicious Go/TypeScript dependencies on GitHub. The end goal is the same: deploy a dizzying array of backdoors (DownTroy, CosmicDoor, RooTroy) and a stealer suite called SilentSiphon that vacuums up everything from SSH keys and cloud credentials to Telegram sessions and crypto wallets. The persistence game is strong, with LaunchAgents on macOS and COM hijacking on Windows. The tell for developers: a meeting page that asks you to run a script before you can join, or a "coding test" that arrives as a repository with third-party dependencies, is not the prelude to the attack; it is the attack.
Meanwhile, the SideWinder APT is also evolving its tactics. Trellix reports the group is targeting South Asian diplomatic entities with a fresh attack chain. Instead of their usual weaponized Word documents, they're now using PDFs with links that coax the user to "update Adobe Reader." This kicks off a ClickOnce application install for a legitimate, signed MagTek configuration utility, which is then abused to sideload a malicious DEVOBJ.dll. This, in turn, launches a .NET loader and the "StealerBot" payload. It's a clever use of trusted binaries to bypass simple allow-listing, all to gain a foothold inside foreign embassies. Publisher-based allow-listing waves the utility through because it really is signed by its vendor; what catches this chain is image-load telemetry showing a System32 DLL name being loaded from a user-writable directory, which is something a signed binary has no business doing.
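The sideloading step above is worth a detection rule of its own, because it generalizes well beyond MagTek: any known System32 DLL name loaded from the host process's own directory, outside the system directories, is a search-order hijack until proven otherwise. The following is an added example written for this digest, not Trellix's detection logic or anything from the SideWinder chain. It assumes Sysmon-style ImageLoaded events (Event ID 7) flattened to `key=value` fields; the sample events are constructed, and `magtek_util.exe` is a placeholder rather than the real utility's file name.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Added example for this digest; it is not Trellix's detection logic or anything
from the SideWinder chain. It assumes Sysmon-style ImageLoaded events (Event ID 7)
flattened to 'key=value' fields separated by '|'. The events below are
constructed, and the process name magtek_util.exe is a placeholder, not the real
utility's file name.
"""
import ntpath

# DLLs that Windows ships in System32. A file with one of these names loaded from
# anywhere else is the signature of search-order sideloading. devobj.dll is the
# name abused in the SideWinder chain; the rest are a starter set (assumption:
# build the real list from your own System32 inventory).
SYSTEM_DLLS = {"devobj.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Directories an unprivileged user can write to, including the ClickOnce cache
# (AppData\Local\Apps\2.0) where ClickOnce-installed applications land.
USER_WRITABLE = ("\\appdata\\local\\apps\\2.0\\", "\\appdata\\local\\temp\\",
                 "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Users\alice\AppData\Local\Apps\2.0\abcd\magtek_util.exe"
    r"|ImageLoaded=C:\Users\alice\AppData\Local\Apps\2.0\abcd\DEVOBJ.dll|Signed=false",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe"
    r"|ImageLoaded=C:\Windows\System32\devobj.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Vendor\tool.exe"
    r"|ImageLoaded=C:\Program Files\Vendor\version.dll|Signed=true",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
]


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may contain spaces but not '|'."""
    fields = {}
    for token in line.strip().split("|"):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_sideload_candidate(event):
    """True when a known System32 DLL name is loaded from outside the system
    directories and from the same directory as the host process (the classic
    side-by-side search-order hit)."""
    if event.get("EventID") != "7":
        return False
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in SYSTEM_DLLS:
        return False
    dll_dir = ntpath.dirname(loaded).lower()
    if (dll_dir + "\\").startswith(SYSTEM_DIRS):
        return False
    return dll_dir == ntpath.dirname(event.get("Image", "")).lower()


def triage(lines):
    """Return one finding per candidate, ranked: a user-writable directory or an
    unsigned DLL is 'high', anything else 'medium' (still worth a look)."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if not is_sideload_candidate(event):
            continue
        dll = event["ImageLoaded"]
        user_writable = any(m in dll.lower() for m in USER_WRITABLE)
        dll_signed = event.get("Signed", "").lower() == "true"
        findings.append({
            "process": event["Image"],
            "dll": dll,
            "user_writable": user_writable,
            "dll_signed": dll_signed,
            "severity": "high" if (user_writable or not dll_signed) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["process"], "->", finding["dll"])
```

Run against the constructed events, the ClickOnce-cached `DEVOBJ.dll` comes out as a high-severity hit, the legitimate `svchost.exe` load from System32 is ignored, and the vendor tool loading its own `version.dll` from Program Files is flagged at medium, which is the right call: plenty of legitimate software does exactly that, and the rule's job is to surface the unusual copies, not to convict them.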
Exploits in the Wild, Patches on the Way
It wouldn’t be a week in security without a few zero-days and a scramble to patch. Kaspersky has now published the back story on CVE-2025-2783, the Chrome zero-day that was exploited in the wild before Google patched it back in March (the fix shipped in 134.0.6998.177/.178 for Windows). The bug, a sandbox escape, was used in a campaign Kaspersky calls "Operation ForumTroll" to deploy the LeetAgent spyware from Memento Labs. Attackers used spear-phishing links to trigger the exploit, escape the browser, and set up persistence via COM hijacking to steal credentials and files. If your Chrome auto-update is somehow broken, you are long past due for a manual check, and remember that Chrome only swaps in a downloaded update when the browser is relaunched: a window that has been open since February is still running the vulnerable build.
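COM hijacking shows up twice this week (BlueNoroff on Windows and Operation ForumTroll), and the BlueNoroff macOS side leans on LaunchAgents. Both are user-level persistence, which means they can be triaged from artefacts a non-admin can export. The following is an added example written for this digest, not code from Kaspersky or from either campaign. It assumes a `.reg` export of `HKCU\Software\Classes\CLSID` and a LaunchAgent plist as inputs; the GUIDs, labels and paths in its samples are constructed placeholders.

```python
"""Triage the two user-level persistence spots this digest keeps mentioning:
COM hijacking through HKCU CLSID overrides on Windows and LaunchAgents on macOS.

Added example, not code from Kaspersky or from any of the campaigns. It works on
exported artefacts so it runs anywhere: a .reg export of HKCU\\Software\\Classes\\CLSID
and a LaunchAgent plist. Both samples below are constructed; the GUIDs, paths
and labels are placeholders.
"""
import plistlib
import re

# Roots an unprivileged user can write to. A COM server or login agent that
# lives here is not proof of compromise, but it is where these campaigns put
# their payloads, so it is where triage starts.
WIN_USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
MAC_USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/users/shared/")
MAC_HOME_LIBRARY = re.compile(r"^/users/[^/]+/library/")

REG_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
REG_DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')


def suspicious_com_overrides(reg_export):
    """Return (key, server_path) for each per-user CLSID server under a
    user-writable path. HKCU\\Software\\Classes is searched before HKLM, so an
    InprocServer32/LocalServer32 value here silently replaces a machine-wide
    COM server for this user, no admin rights required."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = REG_DEFAULT_RE.match(line)
        if not (value_match and current_key):
            continue
        key_l = current_key.lower()
        if not key_l.startswith("hkey_current_user\\software\\classes\\clsid\\"):
            continue
        if not key_l.endswith(("\\inprocserver32", "\\localserver32")):
            continue
        path = value_match.group(1).replace("\\\\", "\\").lower()  # .reg doubles backslashes
        if any(marker in path for marker in WIN_USER_WRITABLE):
            hits.append((current_key, path))
    return hits


def suspicious_launch_agent(plist_bytes):
    """Return the executable path if this LaunchAgent starts a binary from a
    user-writable location at login (RunAtLoad) or keeps it alive, else None.
    ~/Library hosts some legitimate updaters, so a hit is a lead, not a verdict."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    exe = args[0] if args else ""
    exe_l = exe.lower()
    if not exe or not (agent.get("RunAtLoad") or agent.get("KeepAlive")):
        return None
    if exe_l.startswith(MAC_USER_WRITABLE) or MAC_HOME_LIBRARY.match(exe_l):
        return exe
    return None


# Constructed .reg export (placeholder GUIDs), in the format `reg export` writes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Placeholder COM class"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\agent.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

# Constructed LaunchAgent plist (placeholder label and path).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.helper/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for key, path in suspicious_com_overrides(SAMPLE_REG):
        print("COM override:", key, "->", path)
    print("LaunchAgent:", suspicious_launch_agent(SAMPLE_PLIST))
```

On a real host the inputs come from `reg export HKCU\Software\Classes\CLSID clsid.reg` and from the files in `~/Library/LaunchAgents`; the point of keying on HKCU rather than HKLM is that the per-user hive wins the lookup and needs no elevation to write, which is exactly why both campaigns use it.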
And for a blast from the past, the WinRAR path traversal vulnerability CVE-2025-8088 is still getting plenty of mileage. An OTX pulse this week attributes new campaigns exploiting the bug to the "Earth Estries" group, while ESET has previously documented similar activity from the RomCom group. The attribution is murky, but the TTPs are clear: a malicious RAR archive writes its payload outside the folder the user chose, into a less-monitored location such as the Startup folder, and persistence comes for free at the next logon. WinRAR has no auto-update mechanism, so if you haven't yet, update to version 7.13 or later by hand, and inventory any software on your network that bundles the vulnerable UnRAR.dll, since those copies won't be fixed by updating the desktop app.
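The bug class here is old and the fix is the same for every archive format: normalize the entry name, then refuse to write anything that resolves outside the destination. The following is an added example for this digest, not RARLAB's code, and it parses no RAR files; it takes a constructed list of entry names and contrasts where a naive extractor would write them with what a hardened one accepts. Paths are Windows-style because that is where the Startup-folder trick pays off, and `ntpath` lets the check run on any OS.

```python
"""Archive extraction path guard: the bug class behind the WinRAR traversal
issue, as an added example. This is not RARLAB's code and it parses no RAR
files; it takes a constructed list of entry names and shows where a naive
extractor would write them versus what a hardened one accepts.
"""
import ntpath

# Constructed entries for a destination of C:\Users\alice\Downloads\extract.
DEST = "C:\\Users\\alice\\Downloads\\extract"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\payload.lnk",
    "C:\\Windows\\Temp\\drop.exe",
    "notes.txt:hidden",
]


def naive_target(dest_dir, entry_name):
    """What a careless extractor ends up writing: join, let the filesystem
    resolve the '..' components, and the file lands wherever the archive
    author pointed it."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def safe_target(dest_dir, entry_name):
    """Resolve entry_name under dest_dir and refuse anything that escapes it.
    Returns the normalized target path, or raises ValueError with the reason."""
    name = entry_name.replace("/", "\\")
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError(f"absolute entry rejected: {entry_name!r}")
    # ':' is not valid in a Win32 file name; allowing it means the write can
    # land in an NTFS alternate data stream of an existing file instead.
    if ":" in name:
        raise ValueError(f"stream syntax rejected: {entry_name!r}")
    base = ntpath.normpath(dest_dir).lower().rstrip("\\")
    target = ntpath.normpath(ntpath.join(dest_dir, name))
    # Prefix test on the *normalized* path: after normpath the '..' segments are
    # gone, so a target that left dest_dir no longer shares its prefix.
    if not target.lower().startswith(base + "\\"):
        raise ValueError(f"traversal rejected: {entry_name!r} -> {target}")
    return target


def plan_extraction(dest_dir, entries):
    """Split entries into {name: target} accepted and {name: reason} rejected."""
    accepted, rejected = {}, {}
    for entry in entries:
        try:
            accepted[entry] = safe_target(dest_dir, entry)
        except ValueError as err:
            rejected[entry] = str(err)
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = plan_extraction(DEST, SAMPLE_ENTRIES)
    for target in accepted.values():
        print("write ", target)
    for entry, reason in rejected.items():
        print("REJECT", reason, "| naive extractor would write:", naive_target(DEST, entry))
```

The comparison is done on the normalized path on purpose: checking the raw entry name for `..` is the classic half-fix, because `foo\..\..\bar` and forward-slash variants slip past simple string matching, while a prefix test after `normpath` catches every spelling of the same escape.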
Finally, for our friends in industrial control systems, the Zero Day Initiative has disclosed two nearly identical out-of-bounds write vulnerabilities in Delta Electronics' DIAScreen HMI software. CVE-2025-59297 and CVE-2025-59298 can both lead to remote code execution when an operator opens a malicious DPA project file. Patching OT environments is never simple, but Delta has released a fix (version 1.6.1), so it's time to start planning those maintenance windows and, until they arrive, treating any DPA project file that comes from outside the plant as untrusted input.
Research Roundup: Attacking a Machine's Trust
This week brought some fascinating, and frankly terrifying, research from the academic world. Researchers from several universities have demonstrated "TEE.Fail," a side-channel attack that breaks the confidentiality of Intel SGX/TDX and AMD SEV-SNP secure enclaves. Using a custom interposer costing roughly $1,000 to physically sniff the DDR5 memory bus, they can extract encryption keys, including the private keys used for remote attestation. With those keys they can forge attestation quotes, so a compromised machine looks trustworthy to any relying party that accepts them. In their responses, both Intel and AMD have essentially classified this as a physical access threat that is outside their threat models. For those of us relying on confidential computing, this is a sobering reminder that physical security is still layer zero: an attestation policy is only as strong as the least trustworthy host that can produce a valid quote, so it pays to know where your enclaves physically run and who can get at the hardware.
On the mobile front, a new Android banking trojan named "Herodotus" is making waves. According to research from ThreatFabric, this malware's standout feature is its ability to mimic human typing. By introducing randomized delays between characters when filling in fields on a compromised device, it bypasses many anti-fraud systems that rely on behavioral biometrics to distinguish human users from bots. It still relies on the classic Android malware playbook—abusing Accessibility Services for overlay attacks and to steal credentials and 2FA codes—but the human-like typing is a clever evolution in evasion.
And just to prove no good idea goes un-abused, the botnet known as "Aisuru" has pivoted its business model. As detailed by KrebsOnSecurity and NETSCOUT, this massive botnet of compromised IoT devices, previously known for launching near-record-breaking DDoS attacks, is now being rented out as a residential proxy service. With over 700,000 infected nodes, it offers a huge pool of clean IPs for scraping, credential stuffing, and other nefarious activities, all while retaining its potent DDoS capabilities. It's a two-for-one special of internet misery.
So, what have we learned? That your DDR5 memory bus might be leaking secrets, your router might be part of a massive proxy farm, and your favorite crypto developer might be getting fleeced through a fake Zoom meeting. It’s a full-stack problem, from the silicon to the cerebral cortex. Stay vigilant, trust nothing, and for heaven's sake, keep your software patched.
— UncleSp1d3r & KryptoKat