ZeroDay Field Notes - When Pixels Hide Payloads and Trust Gets Weaponized

UncleSp1d3r here. This week's been a reminder that creative obfuscation never goes out of style--we've got malware hiding in PNG pixel values, supply chains compromised through developer tooling you trust every day, and enough sandbox escapes to stock a breakout simulator. The offensive landscape is maturing in interesting ways: attackers are moving beyond simple packers into custom steganographic extraction, abusing legitimate platforms from VS Code to npm, and chaining hardware vulnerabilities that most defenders don't even know exist. Let's dig into the tradecraft that matters.

ClickFix Gets an Upgrade: Steganography Edition

The ClickFix social engineering technique--tricking users into pasting malicious commands via fake CAPTCHA prompts--just got significantly more evasive. Huntress documented a campaign embedding entire payload chains inside PNG images using custom steganography. Here's how it works:

The initial lure is a fake Windows Update screen served over ClickFix infrastructure. When the victim executes the mshta.exe command, it fetches a .NET loader that downloads a benign-looking PNG. But the image's red channel pixels contain XOR-encrypted Donut shellcode. The loader extracts bytes from specific pixel offsets, applies a custom XOR key, and reconstructs the payload in memory--either LummaC2 or Rhadamanthys stealer, depending on the variant.

From an operator's perspective, this is beautiful work. The PNG passes basic image validation, uploads to CDNs without issue, and survives automated malware scans. The extraction algorithm is simple enough for rapid deployment:

# Simplified extraction logic (actual implementation uses more sophisticated offset patterns)
from PIL import Image

def extract_payload(png_path, xor_key):
    img = Image.open(png_path)
    pixels = img.load()
    width, height = img.size

    payload = bytearray()
    for y in range(height):
        for x in range(width):
            r, g, b = pixels[x, y][:3]
            payload.append(r ^ xor_key)  # Red channel XOR

    return bytes(payload)

For red teams, fork this technique with your own extraction patterns--blue channels, alpha transparency, or even steganalysis-resistant LSB encoding. The Huntress report includes IOCs and YARA rules for defenders, but the core lesson is about trust: if it looks like an image and passes as an image, most security tools wave it through.

Acronis documented another variant called JackFix that combines fullscreen fake Windows Updates with hex-obfuscated PowerShell and UAC bypasses. The hex encoding (0x63,0x6d,0x64...) slips past basic string detection, and the campaign adds Windows Defender exclusions before dropping multiple stealers (Rhadamanthys, Vidar 2.0, RedLine, Amadey).

Supply Chain Attacks: When Your Dev Tools Turn on You

GlassWorm Infects VS Code Extensions

The GlassWorm campaign is a supply-chain nightmare hiding in plain sight. Attackers published malicious Visual Studio Code extensions to the Open VSX Registry using invisible Unicode characters to obfuscate malicious code. The extensions--targeting developers--steal credentials from GitHub, npm, and OpenVSX APIs, drain cryptocurrency wallets (supporting 49+ extensions), and use Solana blockchain transactions as C2 channels.

The clever bit? The malware self-propagates by stealing developer tokens and publishing new infected extensions under compromised accounts. For red teams simulating insider threats or supply-chain compromise, this is the playbook: compromise one trusted publisher, inherit their reputation, and spread laterally through the ecosystem.

Microsoft and Open VSX pulled the extensions, but the technique is portable. Any marketplace relying on publisher trust without deep code analysis is vulnerable to similar attacks. Defenders should implement Unicode analysis in CI/CD pipelines and monitor API token usage patterns--bulk package publishes from normally-quiet accounts are a strong signal.

NPM Malware: Typosquatting Meets Cloaking

Socket Security documented seven npm packages using Adspect cloaking to fingerprint victims and serve selective payloads. The packages--signals-embed, dsidospsodlks, applicationooks21, and others--use Adspect's commercial fingerprinting service to detect researchers, sandboxes, and automated scanners, showing them benign behavior while redirecting real victims to crypto scams.

The technical implementation is straightforward: on postinstall, the package phones home to an Adspect proxy with browser fingerprints. If the victim passes the check, they're redirected through association-google.xyz and similar domains to phishing pages. For offense, this demonstrates selective targeting at scale--your payload only activates for high-value victims. For defense, monitor npm scripts for external HTTP calls and sandbox installations in throwaway VMs before deploying to production.

Another campaign used ten typosquatted packages to deploy cross-platform credential harvesters. The malware, written in Python and packaged with PyInstaller, steals browser credentials, keyring data, SSH keys, AWS/Docker configs, and exfiltrates over HTTP to 195.133.79.43. The C2 infrastructure is simple but effective--JSON over HTTPS with Base64-encoded payloads.

PyPI Bootstrap Domain Takeover Risk

ReversingLabs uncovered a supply-chain time bomb: legacy bootstrap.py scripts in multiple PyPI packages (pypiserver, slapos.core, roman, xlutils) still fetch code from the abandoned python-distribute.org domain. If an attacker registers that domain and serves malicious code, any build process running these old scripts would execute arbitrary Python at install time.

The vulnerability affects packages with bootstrap.py SHA1 hashes listed in the ReversingLabs report. While no active exploitation has been observed, this is a perfect candidate for red-team simulations: register similar abandoned domains, serve benign probes, and measure how many legacy build systems blindly trust them. Defenders should grep repos for python-distribute.org references and replace them with pinned, vetted alternatives.

Malware Loaders and Packers: Evasion Gets Exotic

TangleCrypt: Buggy but Beautiful

WithSecure analyzed TangleCrypt, a new packer targeting ransomware delivery (specifically STONESTOP/ABYSSWORKER EDR killers for Qilin). The packer uses a multi-layer approach:

1. Outer VMProtect layer for anti-RE
2. Custom resource-based b64/LZ78/XOR encryption
3. Process or child injection for payload execution
4. Deliberate CRT hooking (though buggy in current samples)

The interesting tradecraft is the resource-based storage: payloads live in PE resources, extracted and decrypted at runtime using custom algorithms that avoid common packer signatures. WithSecure's YARA rule targets loader patterns, but the modular design means operators can swap compression and encryption primitives easily.

For offense, the lesson is layering: even buggy implementations evade detection when they combine non-standard compression, resource-based storage, and injection techniques that don't match common signatures. The bugs in TangleCrypt (broken CRT hooks) suggest this is early-stage development--expect more polished versions soon.

Vidar 2.0: Credential Theft Gets an Azure Upgrade

Ontinue's deep-dive on Vidar Stealer 2.0 shows a complete rewrite in C with Azure/AWS credential targeting. The stealer now:

• Decrypts Chrome v20 AES-GCM encrypted cookies/passwords
• Targets Azure MSAL tokens in %LOCALAPPDATA%\.IdentityService
• Steals AWS CLI credentials from ~/.aws
• Supports 50+ cryptocurrency wallet extensions
• Exfiltrates via HTTP POST multipart/form-data over WinINet

The technical jump from Vidar 1.x is the AES-GCM decryption for Chrome v20+, which uses DPAPI-protected keys. Vidar 2.0 chains DPAPI decryption with AES-GCM to extract credentials that older stealers couldn't touch. For red teams, this is the new baseline--if your credential dumping doesn't handle modern browser encryption, you're leaving data on the table.

Ontinue published 159 SHA256 hashes and YARA rules for hunting. Defenders should monitor %LOCALAPPDATA%\.IdentityService access and WinINet HTTP POST activity with suspicious multipart boundaries.

Offensive Research: Hardware and Sandbox Escapes

Cypherock Hardware Wallet: Supply-Chain Attack Chain

DARKNAVY's full disclosure on compromising the Cypherock X1 Vault is a masterclass in firmware exploitation. The attack chain:

1. Out-of-bounds write in firmware update verification (bypassed signature checks)
2. Hijacked bootloader execution flow
3. Firmware firewall bypass via crafted packets
4. Tamper detection disabled through debug interface abuse

The researchers demonstrated complete compromise via supply-chain tampering--flash malicious firmware, deliver the device to the victim, and silently exfiltrate mnemonics during normal use. While Cypherock's docs claim tamper resistance, the researchers showed that firmware authenticity checks can be bypassed with the right primitives.

For red teams working on hardware/IoT assessments, this is your template: firmware analysis, bootloader chains, and update mechanism abuse. The techniques are portable to other embedded systems. For defenders, the lesson is defense-in-depth: secure boot, integrity monitoring, and independent verification layers, because single points of failure in firmware validation are existential risks.

Blu-ray BD-J Sandbox Escape

HackerOne disclosed a beautiful Blu-ray Disc Java sandbox escape via two chained vulnerabilities in the BD-J Ixc (Inter-Xlet Communication) implementation:

1. Security Manager bypass through subclassing of whitelisted Ixc classes
2. Privileged proxy binding allowing arbitrary method invocation in the system context

The escape grants full Java sandbox breakout on BD-J players (PlayStation, consumer Blu-ray hardware). While the impact is limited to Blu-ray playback scenarios, the techniques--subclassing whitelisted components and abusing privileged proxies--apply to other Java sandbox environments.

For offense, this demonstrates that even mature, niche platforms have exploitable trust boundaries. If you're testing embedded Java or smart TV platforms, Ixc-style IPC mechanisms are worth auditing. The full exploit chain is documented on HackerOne. If you're like me and had no idea what an Xlet was before this week, there are a few quick reads on TV Without Borders.

Android Bluetooth RCE: Paint It Blue

Synacktiv's full-chain exploit for CVE-2023-40129 targets the Android Bluetooth Fluoride stack. The exploit:

• Triggers a heap overflow in Bluetooth pairing via crafted packets
• Grooms the heap to control adjacent allocations
• Hijacks callback pointers for RCE in the privileged com.android.bluetooth process

No user interaction required--just proximity. The researcher demonstrated mic access and address book exfiltration on Xiaomi 12T and Samsung A54 devices. While patches shipped in Android's September 2023 bulletin, millions of devices remain unpatched.

For red teams, this is a proximity attack primitive for physical assessments. The exploitation techniques--heap grooming, callback hijacking--are standard but executed flawlessly. The Synacktiv writeup includes technical diagrams and primitives suitable for adapting to similar Bluetooth vulnerabilities.

Offensive Tooling Updates

Brida 0.6: Frida 17 Compatibility Restored

Brida 0.6 fixes compatibility with Frida 17+, which introduced breaking changes to the RPC API. For operators using Burp Suite + Frida for mobile app testing, this update is critical--previous versions crashed on Frida 17.x. The updated release supports:

• Frida 17.3.2+ for current mobile assessments
• Legacy mode (Frida <17) via frida-compile@10.2.5 for older devices
• Full Burp integration for hooking, inspection, and tampering workflows

For mobile pentesting workflows relying on dynamic instrumentation, update immediately. The GitHub release includes installers for all platforms.

Hunt.io: Cobalt Strike Beacon Hunting Recipes

Hunt.io published HuntSQL recipes for detecting and clustering Cobalt Strike beacons via internet-wide scanner data. The queries target:

• Beacon watermark and public_key clustering (grouping campaigns by shared infrastructure)
• Low sleep/jitter combinations indicating interactive sessions
• Suspicious User-Agent strings and URI patterns (/wp-, /login/)
• Process spawn targets (dllhost abuse) and non-standard ports (443/80 on unexpected services)

The post includes working queries and example IOCs, including 93.113.25.195 linked to Lazarus operations. For purple teams, these recipes are gold for validating C2 infrastructure detection and building defender playbooks around attacker patterns.

Closing Thoughts: Obfuscation Scales, Trust Doesn't

This week's toolkit--from pixel-level steganography to supply-chain domain takeovers--reinforces that trust is the weakest link in modern security. Developers trust their toolchains, users trust legitimate-looking update prompts, and firmware trust chains collapse when you can flash unsigned payloads.

The offensive primitives are maturing: steganography isn't just for exfil anymore; it's for payload delivery. Supply chains aren't abstract risks; they're concrete attack vectors with public tooling. And sandbox escapes in legacy platforms like Blu-ray Java remind us that the attack surface is larger and stranger than we usually account for.

For red teams, the week's research offers fresh techniques to test defender assumptions. For blue teams, the message is simple: audit your trust boundaries, instrument your build pipelines, and remember that if it looks benign, it probably passed right through your controls.

Until next time, keep your loaders polymorphic and your trust models paranoid.

-- UncleSp1d3r