ZeroDay Field Notes - New Year, Same Threat Actors: Supply-Chain Mayhem and APT Innovation

UncleSp1d3r here, bringing you into 2026 with a reminder that threat actors don't take vacations. While most of us were nursing hangovers and pretending to care about resolutions, attackers were busy compromising browser extensions, poisoning DNS queries, and turning 59,000 Next.js servers into credential farms. This week's stories share a common thread: the infrastructure you trust--your package manager, your browser extensions, your software update mechanism--is the infrastructure they're targeting.

Let's dig in.

The React/Next.js Nightmare Continues

We've been tracking the React Server Components RCE (CVE-2025-55182) since it dropped in early December, and the fallout keeps getting worse. If you haven't patched yet, congratulations--you're now hosting cryptocurrency miners, botnets, and APT-grade implants.

BI.ZONE's latest analysis documents active exploitation against Russian companies using a toolkit they're calling React2Shell. The attack chain is straightforward: unauthenticated attackers send crafted requests to exposed Server Function endpoints, trigger RCE, and deploy post-exploitation payloads. The interesting part is what they're dropping.

The researchers observed a full menu of post-exploitation tooling:

• XMRig cryptominers for passive revenue generation
• Kaiji and RustoBot botnets for DDoS and proxy infrastructure
• Sliver and CrossC2 Cobalt Strike beacons for long-term C2
• VShell and EtherRAT for command execution and data exfiltration

The sophistication varies--some campaigns are automated spray-and-pray operations, while others show clear operational planning and persistence mechanisms. BI.ZONE provides extensive IOCs (IPs, URLs, file hashes) and detection strategies in their write-up. If you're running React Server Components in production, hunt for the listed indicators immediately, patch to 19.0.1+, 19.1.2+, or 19.2.1+, and assume any unpatched instance is compromised until proven otherwise.

Operation PCPcat: 59,000 Servers and Counting

While React2Shell was grabbing headlines, a separate campaign called Operation PCPcat was quietly harvesting credentials from 59,000+ Next.js servers by exploiting two related vulnerabilities: CVE-2025-29927 (which we covered in the Dec 26 edition) and the newly disclosed CVE-2025-66478.

The attack is elegant in its simplicity. Researchers documented a Python-based scanner (react.py) that sweeps IP ranges for vulnerable Next.js instances, extracts environment variables (database credentials, API keys, session secrets, cloud provider tokens) via crafted HTTP requests, and installs persistence through a shell script (proxy.sh) that sets up GOST SOCKS5 proxies and FRP tunnels for long-term access.

The campaign's C2 infrastructure is exposed and actively reachable. Multiple independent researchers confirmed access to the attacker's control panel at 67.217.57.240:5656, which accepts JSON payloads containing exfiltrated credentials via a /result endpoint. The panel also exposes /domains and /stats endpoints that leak campaign metrics--59,128 confirmed compromises out of 91,505 scanned targets as of late December.

For operators, the tradecraft is worth studying:

• Exploitation: Automated scanning for x-middleware-subrequest header handling and .env file exposure
• Credential harvesting: Exfiltration of database connection strings, OAuth secrets, Stripe API keys, Docker credentials
• Persistence: Systemd service units (pcpcat-*), cron jobs, and proxy services (GOST on port 5656, FRP on 666/888)
• C2 resilience: Use of Telegram channels for coordination and Ethereum Name Service (ENS) domains for infrastructure

AlienVault OTX documented the full pulse with IOCs, and multiple security outlets corroborated the campaign details.

Mitigations: Patch Next.js to 12.3.5+, 13.5.9+, 14.2.25+, or 15.2.3+. Block inbound requests with x-middleware-subrequest headers at the edge. Hunt for pcpcat-* systemd services, suspicious proxy processes, and outbound connections on ports 5656, 666, and 888. Rotate all secrets stored in .env files and treat any exposed instance as fully compromised.

For red teams, this is a case study in automated exploitation at scale and effective persistence via legitimate system services. The use of ENS for C2 and Telegram for exfiltration demonstrates mature operational security.

Supply-Chain Strikes: When Your Browser Extension Is the Backdoor

Trust Wallet: $7M Stolen via Malicious Chrome Extension Update

Christmas Eve delivered a brutal reminder that browser extensions are high-value supply-chain targets. Trust Wallet's Chrome extension v2.68.0 was compromised via a malicious update that exfiltrated seed phrases every time users unlocked their wallets. The result: approximately $7 million stolen in under 48 hours.

The technical details are straightforward but effective. The malicious update hijacked PostHog analytics endpoints and injected code that captured wallet seed phrases on every unlock event. The exfiltration was silent--no user interaction, no visible network anomalies (because the traffic looked like legitimate analytics), and no on-device artifacts beyond the compromised extension itself.

Koi Security's analysis includes a detailed code breakdown and specific IOCs. Trust Wallet patched the issue in v2.69.1 within hours of discovery, but anyone who unlocked the extension between Dec 24 and Dec 26 should assume their seed phrase was compromised. Binance issued a public advisory recommending users migrate funds to fresh wallets immediately.

For defenders, the lessons are clear:

• Implement 48-72 hour cooldowns for browser extension updates in enterprise environments
• Monitor extension manifest changes, especially removal of security-sensitive permission declarations
• Block or scrutinize third-party analytics endpoints in extension traffic (especially those using WebSocket or long-polling)
• For high-value cryptocurrency operations, mandate hardware wallets and air-gapped signing

For red teams, this is a textbook supply-chain attack: compromise the update mechanism, inject credential-harvesting code disguised as benign telemetry, and exfiltrate via trusted infrastructure. The speed of compromise (48 hours from update to $7M stolen) underscores the value of targeting cryptocurrency wallets specifically.

Zoom Stealer: 2.2 Million Browsers, One Persistent Threat

While Trust Wallet made headlines, a much larger campaign was quietly harvesting corporate meeting intelligence. Koi Security documented a cluster of 18 malicious browser extensions--collectively dubbed Zoom Stealer--that have infected over 2.2 million users (and potentially up to 8.8 million when combined with related ShadyPanda/GhostPoster clusters) across Chrome, Firefox, Edge, and Opera.

The extensions masquerade as productivity tools, VPNs, and utilities but silently collect:

• Meeting URLs and IDs (including embedded passwords) for Zoom, Teams, Google Meet, and Cisco Webex
• Registration data and attendee lists
• Speaker and host profiles
• Corporate calendar data
• Credentials from targeted high-value domains

The exfiltration mechanism uses WebSocket connections to attacker-controlled infrastructure hosted on Alibaba Cloud. BleepingComputer confirmed the campaign and identified the threat actor as DarkSpectre, who has been running this operation for years with little disruption.

The tradecraft is particularly interesting for corporate espionage scenarios:

• Collection: Passive harvesting of meeting metadata without triggering user-visible prompts
• Exfiltration: WebSocket-based streaming to cloud infrastructure (harder to detect than bulk HTTP uploads)
• Persistence: Extensions remain installed and active even after app store removals (users must manually uninstall)
• Scale: 2.2M installs provide massive coverage for broad targeting or selective pivoting to high-value organizations

Koi Security's report includes extension IDs, malicious domains, and Firebase/Cloud Functions endpoints used for C2. For defenders, the immediate actions are:

• Audit and remove listed malicious extensions across all browser fleets
• Enforce enterprise extension allowlists (Chrome/Edge group policies, Firefox enterprise policies)
• Block identified malicious domains and monitor for unusual WebSocket/persistent outbound connections from browsers
• Treat meeting links as sensitive--especially those with embedded passwords--and rotate/regenerate exposed meeting IDs

For offensive operators, the DarkSpectre campaign demonstrates the viability of browser extensions as long-term collection platforms. The extensions' longevity (years of operation before disclosure) and scale (millions of installs) show that this attack vector remains under-defended.

APT Tradecraft: DNS Poisoning and Kernel Rootkits

Evasive Panda: DNS Poisoning Update

We covered Evasive Panda's DNS poisoning campaign in our Dec 28 edition, but Kaspersky's full technical analysis dropped this week with additional operational details worth highlighting.

The campaign (active from November 2022 through November 2024) targeted organizations in Türkiye, China, and India by poisoning DNS responses for software updaters--SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. The adversary-in-the-middle (AitM) attacks redirected update requests to attacker-controlled servers hosting trojanized installers that delivered MgBot malware via DLL sideloading.

The new technical details reveal sophisticated persistence and obfuscation:

• Per-victim encryption: Hybrid DPAPI+RC5 encryption for system-tied payloads that resist forensic extraction
• XOR obfuscation: Multi-stage shellcode with XOR-encrypted DAT files stored in C:\ProgramData\Microsoft\MF and C:\ProgramData\Microsoft\eHome
• DLL sideloading: Abuse of a signed Python wrapper (evteng.exe) to load malicious libpython2.4.dll
• In-memory injection: Process injection into legitimate signed binaries to avoid on-disk artifacts
• Persistence: Some infections maintained access for over one year via modified startup scripts and systemd/scheduled tasks

Kaspersky provides detailed IOCs (MD5 hashes, C2 IPs, file paths) and hunting guidance. The DNS poisoning mechanism is particularly interesting for offensive operators--by compromising ISP infrastructure or local network gateways (routers, DHCP servers), the attackers were able to weaponize any DNS-reliant software update mechanism.

For red teams, the tradecraft highlights:

• DNS poisoning as initial access: Control of network infrastructure grants the ability to hijack any update channel
• DPAPI for per-victim payloads: System-tied encryption ensures payloads can't be reused across victims (complicates analysis)
• DLL sideloading + signed binaries: Abuse of legitimate signed executables minimizes AV/EDR alerts

For defenders, the mitigations remain the same: enforce DNSSEC where feasible, monitor for DNS anomalies (authoritative NS vs resolved IP mismatches), detect DLL sideloading and DPAPI-backed DAT file creation, and harden software update mechanisms (HTTPS with certificate pinning, signature validation).

HoneyMyte: When Your Malware Gets a Kernel-Mode Bodyguard

Kaspersky's analysis of HoneyMyte APT (also tracked as Mustang Panda/Bronze President) reveals a new evolution in the group's toolkit: a kernel-mode rootkit designed to protect and hide the ToneShell backdoor.

The campaign targets government organizations in Myanmar, Thailand, and broader Southeast/East Asia with a multi-stage infection chain:

1. Initial access: Spearphishing emails with weaponized documents or drive-by downloads
2. Dropper execution: User-mode loader installs the kernel driver and ToneShell backdoor
3. Rootkit installation: Custom kernel driver intercepts I/O stack operations to hide files, processes, and network connections
4. Persistence: Registry Run keys, Winlogon DLL injection, and scheduled tasks
5. Backdoor deployment: ToneShell provides remote shell, file exfiltration, and C2 via HTTP with custom encryption

The rootkit itself is technically sophisticated. It uses I/O request packet (IRP) hooking to intercept file system and registry operations, hiding ToneShell-related files, registry keys, and network activity from user-mode tools (including most EDR agents that don't operate at kernel level). The backdoor communicates with C2 domains using AES-encrypted HTTP traffic and supports:

• Remote shell execution
• File upload/download
• Process injection (NtQueueApcThread)
• Credential harvesting

Kaspersky provides file hashes, C2 domains, and registry keys used for persistence. The rootkit's use of kernel-mode hiding is a notable escalation--most APT groups rely on user-mode evasion or living-off-the-land techniques. Deploying a custom kernel driver increases operational risk (driver signing is required on modern Windows, and kernel crashes are highly visible) but dramatically improves stealth against user-mode detection.

For defenders, the mitigations are kernel-focused:

• Monitor for unusual kernel driver loading and unsigned/test-signed drivers (unless you're in a dev/test environment where that's expected)
• Detect I/O stack interception and IRP hooking via kernel-mode EDR or hypervisor-based inspection
• Hunt for the specific file hashes and registry keys documented in Kaspersky's report
• Implement driver signature enforcement policies and restrict test-signing mode

For offensive operators, this is a case study in kernel-level persistence and evasion. The trade-offs are clear: kernel-mode operations are harder to detect but also harder to deploy stealthily, especially on modern Windows with driver signature enforcement and kernel patch protection (PatchGuard). The fact that HoneyMyte is willing to burn a kernel driver against government targets suggests high operational value and confidence in their ability to maintain access despite the increased visibility risk.

Cobalt Strike Infrastructure Surge

Censys documented a sudden spike of over 400 unique Cobalt Strike listeners in early December 2025, concentrated in two ASNs: AS138415 (YANCY) and AS133199 (SonderCloud LTD). The surge represents a significant scaling of adversary infrastructure, with dozens of unique public keys, varied HTTP C2 profiles mimicking legitimate traffic (redirects to www.yaim.com, fake service names), and beacon configurations using 30-90 second sleep intervals with 0-20% jitter.

The infrastructure details are worth noting:

• ASN concentration: Most new listeners appeared in AS138415 (YANCY) and AS133199 (SonderCloud LTD), with some in newly transferred IP blocks from RedLuff, LLC
• Public key variety: Dozens of unique Cobalt Strike public keys, suggesting multiple operators or teams
• HTTP profiles: C2 profiles designed to mimic legitimate web traffic and redirect to external domains
• Beacon jitter: Sleep intervals of 30-90 seconds with 0-20% jitter (common operational configurations)

The Hacker News corroborated the surge, noting broad industry awareness. Censys provides specific IOCs (IPs, CIDRs, domains, ASNs) for blocking and hunting.

For defenders, the mitigations are straightforward:

• Block listed IOCs (IPs, CIDRs, domains) at network perimeter
• Monitor for beacon sleep intervals of 30-90s with 0-20% jitter
• Analyze HTTP C2 profiles that redirect to external domains or mimic legitimate services
• Focus monitoring on newly allocated IP blocks (e.g., RedLuff, LLC transfers)

For offensive operators, the surge demonstrates the commoditization and scaling of Cobalt Strike infrastructure. The use of varied public keys and HTTP profiles shows operators diversifying their signatures to evade detection, and the concentration in specific ASNs suggests deliberate infrastructure acquisition (possibly via bulletproof hosting or compromised VPS providers).

The tradecraft takeaway: infrastructure diversification is becoming table stakes. If everyone's using the same ASNs, IP ranges, and HTTP profiles, defenders build rules for those patterns. The shift toward varied public keys and custom HTTP profiles forces defenders to write more generalized detections, which increases false positives and analyst fatigue.

Closing Thoughts

This week's stories remind us that the threat landscape doesn't reset with the calendar. Attackers are scaling infrastructure, innovating tradecraft, and targeting the systems we trust most--browser extensions, DNS resolvers, software update channels, and kernel-mode operations. The React/Next.js exploitation wave is still accelerating, supply-chain attacks are hitting high-value targets with precision, and APT groups are deploying kernel rootkits to protect their access.

The defensive playbook hasn't changed--patch aggressively, monitor for anomalous behavior, enforce least privilege, and audit third-party code--but the execution demands sharper focus. You can't just trust a browser extension because it's in the official store or allow a DNS response because it came from your configured resolver. Context matters. Baselines matter. Behavioral detection matters more than signatures.

For operators, the lesson is equally clear: the best tradecraft blends with legitimate operations. Abuse signed binaries, use trusted infrastructure for C2, and diversify your signatures. The defenders who catch you are the ones who actually understand what "normal" looks like in their environment.

So, patch your Next.js servers, audit your browser extensions, validate your DNS responses, and maybe spend some time hunting for kernel drivers that weren't there last week. The new year is here, but the threat actors never left.

-- UncleSp1d3r