ZeroDay Field Notes - Payloads in the Browser, Rootkits in the ATM

EDR evasion with RONINGLOADER, Windows admin bypass, browser push C2, router AitM updates, Lazarus tweaks, and an ATM heist with a Pi.

Alright operators, UncleSp1d3r here. It’s been a weird week. While the blue team was busy watching progress bars on firewall patches, the rest of the world was getting creative. We’re seeing attackers move beyond basic EDR evasion and into some truly inspired territory, from fileless C2 that lives entirely in your browser’s notification drawer to APTs planting rogue routers on the wire. And for a real throwback, we even have a heist crew plugging Raspberry Pis directly into bank networks. It’s a good reminder that the attack surface is bigger, and stranger, than your average vulnerability scan will ever show you.
Let’s get into the code and tradecraft.

EDR Evasions & Windows Dirty Tricks

First up, the crew at DragonBreath is back with a slick new multi-stage loader called RONINGLOADER, and it’s a masterclass in dismantling endpoint defenses. The deep-dive from Elastic Security Labs shows a chain that’s pure operator gold. It kicks off with a Nullsoft Scriptable Install System (NSIS) dropper that executes a signed, malicious driver (ollama.sys). This driver doesn't bother with subtle hooks; it goes straight for the jugular, terminating popular Chinese EDR and AV products at the kernel level.
With security tools out of the picture, the loader moves on to disabling Windows Defender. It abuses Protected Process Light (PPL) and Windows Defender Application Control (WDAC) by loading a policy (CiPoliciesActive{31351756-3F24-4963-8380-4E7602335AAE}.cip) that effectively neuters Defender’s scanning capabilities. Only then does it inject a gh0st RAT variant into memory, which proceeds to do what RATs do: keylogging, clipboard hijacking, and beaconing to its C2 at qaqkongtiao[.]com. For operators, this is a beautiful demonstration of subverting trust controls (T1553.006) and impairing defenses (T1562.001). The full list of IOCs is also available on OTX.
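As an added triage script (not code from Elastic's write-up or from the DragonBreath tooling), the following PowerShell check is one a responder could run on a suspect Windows host to look for leftovers of this chain: the policy GUID and driver name come from the indicators above, while $KnownGoodPolicies is an assumed allowlist you fill in from a clean reference build.

```powershell
# Triage checks for the RONINGLOADER chain (added example; not from the original report).
# The policy GUID and driver name are the IOCs quoted above. $KnownGoodPolicies is an
# assumption for this example: populate it with the WDAC policy GUIDs your org actually deploys.

$KnownBadPolicyGuid = '{31351756-3F24-4963-8380-4E7602335AAE}'
$KnownBadDriver     = 'ollama.sys'
$KnownGoodPolicies  = @()   # empty allowlist means every active policy gets flagged for review

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Active multiple-policy WDAC files live under CodeIntegrity\CiPolicies\Active as {GUID}.cip.
$activeDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'
if (Test-Path $activeDir) {
    foreach ($cip in Get-ChildItem -Path $activeDir -Filter '*.cip' -ErrorAction SilentlyContinue) {
        $guid = $cip.BaseName
        if ($guid -ieq $KnownBadPolicyGuid) {
            $findings.Add("Active WDAC policy matches the RONINGLOADER IOC: $($cip.FullName)")
        } elseif ($KnownGoodPolicies -notcontains $guid) {
            $findings.Add("Active WDAC policy not on the allowlist, verify its origin: $($cip.FullName)")
        }
    }
}

# 2. Look for the EDR-terminating driver by file name among installed kernel drivers,
#    whether or not it is currently loaded, and record who signed it.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue
foreach ($d in $drivers) {
    if ($d.PathName -and ([IO.Path]::GetFileName($d.PathName) -ieq $KnownBadDriver)) {
        $sig = Get-AuthenticodeSignature -FilePath $d.PathName -ErrorAction SilentlyContinue
        $findings.Add("Driver '$($d.Name)' -> $($d.PathName) state=$($d.State) signer=$($sig.SignerCertificate.Subject)")
    }
}

# 3. Defender health: the chain's goal is to leave the service present but blind, so check
#    the engine's own view of itself rather than just whether the service exists.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings.Add('Get-MpComputerStatus failed: Defender cmdlets unavailable or service not responding')
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is disabled') }
    if (-not $mp.AMServiceEnabled)          { $findings.Add('Defender antimalware service is not enabled') }
}
if (-not (Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)) {
    $findings.Add('MsMpEng.exe (Defender engine) is not running')
}

if ($findings.Count -eq 0) { 'No indicators of the RONINGLOADER chain found.' } else { $findings }
```

Run it from an elevated prompt; a hit on the policy GUID or driver name is high-confidence, while an unlisted policy is only a lead until you confirm where it came from.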
And while we’re on the subject of Windows internals, Google’s Project Zero gifted us a lovely little Elevation of Privilege bug in Windows 11. Tracked as CVE-2025-60718, this one bypasses the new "Administrator Protection" feature, which is supposed to make UAC bypasses harder. The bug, detailed in the Project Zero issue tracker, lives in RAiLaunchAdminProcess. By crafting a malicious application name, an attacker can trigger a DLL planting/hijacking vulnerability that results in code execution in a UI Access process, effectively granting shadow admin privileges. A patch was released in the November cycle, but the PoC is out there for anyone testing on unpatched Insider Preview builds.

Novel C2 and Initial Access Vectors

The initial access game got a fresh coat of paint this week with the emergence of Matrix Push, a command-and-control framework that abuses browser push notifications. As analyzed by BlackFog and Dark Reading, this fileless technique runs entirely in the browser. After a user is tricked into accepting a notification permission prompt, operators can use the Matrix Push dashboard to send brand-impersonating alerts (think fake PayPal, Netflix, or Cloudflare messages). Clicking these notifications redirects the victim to a phishing page or triggers a malware download. It's a slick, cross-platform method for T1566.002 (Spearphishing via Service) that requires no executable on disk and gives attackers a real-time view of their victims. While no in-the-wild use has been confirmed yet, the tooling is out there.
We're also seeing clever abuse of trusted applications. A campaign targeting Brazilian financial organizations used hijacked WhatsApp sessions to deliver the Astaroth infostealer. According to a Sophos report, attackers would send a "View Once" message containing a VBS/HTA file in a ZIP. Once executed, it kicks off a PowerShell chain to deploy Astaroth. The really interesting part is the self-propagation: the malware hijacks the victim's WhatsApp web session using Selenium and a framework called WPPConnect to spam their contacts with the same lure. It's a great example of combining social engineering with session hijacking for rapid spread. AlienVault OTX has a pulse with related IOCs.
On the APT front, China-linked actors are upping their game with PlushDaemon. ESET's research details how this group infects routers with a MIPS32-based implant called EdgeStepper. This implant allows the attackers to perform adversary-in-the-middle (AitM) attacks by manipulating DNS and hijacking software update checks. In one observed case, they intercepted updates for the popular Sogou Pinyin input method editor, replacing the legitimate update with their own multi-stage backdoor, SlowStepper. The technique is a potent reminder that controlling the network gives you control of reality.
Finally, the Lazarus Group has retooled. According to a report from ENKI Whitehat, they're targeting the aerospace and defense sectors with a new variant of their Comebacker backdoor. Delivered via the usual macro-laced Word docs, this updated version encrypts its C2 traffic with ChaCha20 and AES and uses domains like hiremployee[.]com to blend in. It’s another turn of the crank in the ongoing evolution of their toolset.

Physical Access and Patch Roundup

For the "hold my beer and watch this" story of the week, Group-IB dropped an incredible report on UNC2891, a crew that went after Indonesian banks with a decidedly old-school approach. They gained physical access to ATM systems and plugged in a Raspberry Pi equipped with a 4G modem. This implant gave them a foothold on the internal network. From there, they deployed CAKETAP, a Linux rootkit that spoofs Hardware Security Module (HSM) PIN verification responses. This allowed them to use cloned cards at ATMs while making the transactions appear legitimate to the bank's backend. The full report from Group-IB is a must-read for anyone interested in physical access and specialized financial fraud tradecraft.
And for your weekly patch-and-forget list, SonicWall has pushed fixes for CVE-2025-40601, a stack buffer overflow in the SonicOS SSL-VPN service. An unauthenticated remote attacker can toss a crafted packet at the firewall and cause it to crash, resulting in a denial of service. While it’s not RCE, taking a firewall offline is a pretty effective way to get past it. The advisory (SNWLID-2025-0016) affects Gen7 and Gen8 firewalls. No active exploitation has been seen, but now that it’s public, the clock is ticking.

Closing Thoughts

This week was a good reminder to think outside the EDR console. While everyone’s focused on memory injection and fileless malware, there are crews out there plugging hardware directly into the network and others building C2 channels out of browser APIs that most SOCs probably don’t even log. Keep your skills sharp, but don't forget to look up from the terminal once in a while. You never know what you might see.
Stay curious.
-- UncleSp1d3r