EvilBit Threat Digest - New Year Breaches and Phishing at Scale

KryptoKat analyzes Coupang's 33.7M-record insider breach, GlassWorm's macOS pivot with Solana C2, Silver Fox tax-themed phishing in India, and Intellexa sanctions reversal.

KryptoKat here. The start of 2026 brings the usual mix of festive malaise and operational reality. While most of us were setting resolutions we won't keep, threat actors were busy with four distinct stories that underscore why security is a 365-day discipline: a massive insider-driven e-commerce breach, GlassWorm pivoting to macOS with novel blockchain C2, a sophisticated Indian tax-themed phishing campaign targeting finance professionals, and a rare policy update removing sanctions from Intellexa spyware vendors.

Let's dig into what actually matters.

The Coupang Breach: When 33.7 Million Records Walk Out the Door

South Korea's largest e-commerce platform just announced what may be the defining insider threat case study of the year. Coupang confirmed a breach affecting 33.7 million customers--nearly two-thirds of South Korea's population--with the company attributing the incident to a former employee who exfiltrated names, phone numbers, emails, and delivery addresses.

The scale is staggering. TechRadar reports that Coupang is offering $1.17 billion in voucher compensation to affected users, including former customers. The company claims to have recovered the stolen data and identified the culprit, but South Korean lawmakers have criticized the response as inadequate given the severity and scope.

For defenders, this is a textbook insider threat scenario. The breach underscores controls that most organizations still haven't put in place:

  • Data loss prevention (DLP) configured to detect mass exfiltration of customer databases
  • Access controls with least-privilege enforcement and separation of duties for database administrators
  • Behavioral analytics to flag anomalous bulk exports or downloads by privileged users
  • Audit logging with retention and monitoring for database access patterns
  • Offboarding procedures that immediately revoke access for departing employees
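The "behavioral analytics" and "audit logging" bullets above are easy to list and harder to operationalize, so here is an added example (mine, not from the digest or from Coupang) of the simplest useful version: a detector run over constructed database audit lines that flags oversized reads, high volume inside a trailing window, and off-hours reads of a sensitive table. The log format, thresholds and quiet hours are assumptions.

```python
"""Flag bulk exports of customer data by privileged users in DB audit logs.
Added example, not from the digest: the log format and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (assumed format: ISO timestamp|user|role|table|rows returned)
SAMPLE_AUDIT_LOG = """\
2026-01-02T09:00:00|jlee|app|orders|120
2026-01-02T09:05:00|dba_kim|dba|customers|500
2026-01-02T09:07:00|dba_kim|dba|customers|800000
2026-01-02T09:20:00|dba_kim|dba|customers|900000
2026-01-02T23:40:00|dba_park|dba|customers|300
2026-01-03T02:10:00|jlee|app|customers|2000000
"""

SENSITIVE_TABLES = {"customers"}
ROW_THRESHOLD = 100_000       # a single read this large is a bulk export
WINDOW = timedelta(hours=1)   # per-user aggregation window
WINDOW_THRESHOLD = 1_000_000  # rows from sensitive tables inside WINDOW
OFF_HOURS = range(0, 6)       # assumed quiet hours, 00:00-05:59

def parse(log_text):
    for line in log_text.splitlines():
        ts, user, role, table, rows = line.split("|")
        yield datetime.fromisoformat(ts), user, role, table, int(rows)

def detect_bulk_exports(log_text):
    """Return (user, role, reason) alerts. Three signals are combined: one
    oversized read, a large volume inside the trailing window, off-hours reads."""
    alerts = []
    history = defaultdict(list)  # user -> [(ts, rows)] for sensitive tables
    for ts, user, role, table, rows in parse(log_text):
        if table not in SENSITIVE_TABLES:
            continue
        history[user].append((ts, rows))
        if rows >= ROW_THRESHOLD:
            alerts.append((user, role, f"single read of {rows} rows from {table}"))
        if ts.hour in OFF_HOURS:
            alerts.append((user, role, f"off-hours read of {table} at {ts:%H:%M}"))
        recent = sum(r for t, r in history[user] if ts - t <= WINDOW)
        if recent >= WINDOW_THRESHOLD:
            alerts.append((user, role, f"{recent} rows from sensitive tables within {WINDOW}"))
    return alerts

def flagged_users(log_text):
    """Distinct users with at least one alert, for a review queue."""
    return sorted({user for user, _, _ in detect_bulk_exports(log_text)})
```

Tune the thresholds against your own baseline; the point is that the DBA pulling 1.7 million customer rows in fifteen minutes trips the window rule even though each individual query could be argued away.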

The insider threat model is totally different from outside attacks. There’s no perimeter to guard, no firewall to fix. The bad guys already have legit credentials and know where the data is. Spotting them relies on noticing weird behavior, enforcing policies, and being ready to see privileged users as possible threats. Honestly, I don’t think you can really “recover stolen data,” unless we’re talking about physical drives that fell off a truck. Once the data’s out of a controlled space, it’s pretty much out there in the wild. All we can do is our best to figure out the damage.

For organizations handling sensitive customer data, the Coupang breach is yet another wake-up call: insider risk isn't theoretical, and the consequences--financial, reputational, regulatory--are massive.

GlassWorm's Fourth Wave: macOS, Solana C2, and Hardware Wallet Trojanization

We've tracked GlassWorm's VS Code extension campaign in previous editions, but Koi Security's latest research documents a significant evolution: the fourth wave now targets macOS developers with three compromised Open VSX extensions (pro-svelte-extension, vsce-prettier-pro, full-access-catppuccin-pro-extension) delivering encrypted JavaScript payloads via Solana blockchain C2.

The technical sophistication is notable. The malware uses:

  • 900-second sandbox evasion delay: Extensions wait 15 minutes after installation before executing malicious code, bypassing automated analysis
  • AES-256 encrypted payloads: JavaScript delivered from Solana blockchain transaction memos, retrieved via on-chain queries
  • LaunchAgent persistence: macOS-specific persistence via ~/Library/LaunchAgents/
  • Keychain credential theft: Targeting macOS Keychain for stored passwords and API tokens
  • Hardware wallet trojanization: Injecting malicious code into Ledger/Trezor browser extensions to steal seed phrases during transactions

The campaign has achieved over 50,000 downloads across the malicious extensions, with C2 infrastructure using fixed IPs (45.32.151.157, 45.32.150.251) for command-and-control alongside the blockchain dead-drop mechanism.

For defenders managing macOS developer fleets:

  • Audit and remove the listed extensions (pro-svelte-extension, vsce-prettier-pro, full-access-catppuccin-pro-extension)
  • Block outbound connections to 45.32.151.157 and 45.32.150.251
  • Monitor for LaunchAgent creation in user directories
  • Detect anomalous 900-second delays followed by network activity from VS Code processes
  • Hunt for modifications to cryptocurrency wallet browser extensions
  • Monitor Solana blockchain queries (on-chain transaction memo reads)
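To make the first and third bullets concrete, here is an added example (mine, not Koi Security's tooling) that audits a macOS developer workstation for the three named extension folders and for LaunchAgents whose program or arguments point into temp or shared directories. The extension folder layout (publisher.name-version under ~/.vscode/extensions), the SUSPICIOUS_PREFIXES heuristic and the constructed SAMPLE_AGENT are assumptions, not indicators from the report.

```python
"""Audit a macOS dev workstation for the GlassWorm indicators listed above.
Added example, not from Koi Security's report; the extension folder layout
(publisher.name-version) and the LaunchAgent path heuristic are assumptions."""
import os
import plistlib
import re

GLASSWORM_EXTENSIONS = {"pro-svelte-extension", "vsce-prettier-pro",
                        "full-access-catppuccin-pro-extension"}  # from the digest
# LaunchAgents rarely point at these locations legitimately (heuristic).
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

def extension_name(folder):
    """'pub.vsce-prettier-pro-1.2.3' -> 'vsce-prettier-pro'."""
    stem = re.sub(r"-\d+(?:\.\d+)*$", "", folder)  # drop the -<version> suffix
    publisher, sep, name = stem.partition(".")
    return (name if sep else publisher).lower()

def find_suspect_extensions(folder_names):
    return [f for f in folder_names if extension_name(f) in GLASSWORM_EXTENSIONS]

def flag_launch_agent(plist_bytes):
    """Return the first program or argument in a suspicious location, else None."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    return next((a for a in args if str(a).startswith(SUSPICIOUS_PREFIXES)), None)

def scan_workstation(ext_dir=os.path.expanduser("~/.vscode/extensions"),
                     agents_dir=os.path.expanduser("~/Library/LaunchAgents")):
    """Run both checks against the live filesystem and return the findings."""
    findings = {"extensions": [], "launch_agents": {}}
    if os.path.isdir(ext_dir):
        findings["extensions"] = find_suspect_extensions(os.listdir(ext_dir))
    if os.path.isdir(agents_dir):
        for name in os.listdir(agents_dir):
            if name.endswith(".plist"):
                with open(os.path.join(agents_dir, name), "rb") as fh:
                    hit = flag_launch_agent(fh.read())
                if hit:
                    findings["launch_agents"][name] = hit
    return findings

# Constructed LaunchAgent running a dropped script via node (sample, not a real IOC).
SAMPLE_AGENT = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/node</string>
    <string>/var/folders/zz/example/T/update.js</string>
  </array>
</dict></plist>"""
```

Point the two directory arguments at VSCodium or Cursor profiles as well if your fleet uses them; the Open VSX extensions land in the same folder layout.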

For red teams, the tradecraft is worth emulating:

  • Delayed execution to evade sandbox analysis
  • Blockchain C2 for resilience against domain takedowns (remember it's forever, though)
  • Keychain targeting for high-value credential theft
  • Platform-specific persistence (LaunchAgents for macOS, systemd for Linux)

The shift to macOS targeting demonstrates GlassWorm's operators adapting to defensive measures and expanding their attack surface. The use of Solana blockchain for C2 is particularly interesting--transaction memos provide a decentralized, censorship-resistant dead-drop mechanism that's immune to traditional takedowns.

Fake Tax Notices Deliver ValleyRAT to Indian Enterprises

CloudSEK documented a sophisticated spearphishing campaign by the Silver Fox APT (also tracked as Void Arachne) targeting Indian enterprises with fake Income Tax Department notices. The campaign delivers ValleyRAT (also known as Winos 4.0), a modular backdoor with extensive surveillance and data exfiltration capabilities.

The attack chain is classic but well-executed:

  1. Initial lure: Phishing emails impersonating India's Income Tax Department with attached PDFs
  2. Payload delivery: PDF contains a link that downloads a ZIP archive hosting an NSIS (Nullsoft Scriptable Install System) installer
  3. DLL hijacking: Installer exploits DLL search order issues to load malicious libexpat.dll
  4. Shellcode injection: Malicious DLL injects shellcode into explorer.exe for in-memory execution
  5. Persistence: Registry Run keys and Windows Update service modification
  6. Evasion: Disables Windows Defender and adds exclusions for malware directories

ValleyRAT's capabilities are comprehensive:

  • Command execution via cmd.exe
  • File system operations (upload/download/enumerate)
  • Keylogging and clipboard monitoring
  • Screenshot capture
  • Browser credential theft (Chrome, Edge, Firefox)
  • Cryptocurrency wallet targeting
  • Multi-tiered C2 infrastructure for resilience

The campaign's use of tax-themed lures is particularly effective in India as the filing season begins. The technical execution--DLL hijacking, shellcode injection, and Defender tampering--demonstrates mature offensive tradecraft. With the UK and US also entering their filing season, this will continue to be an effective lure for many businesses and individuals.

For defenders in India (and beyond, as the techniques are portable):

  • Block execution of NSIS installers from phishing downloads (AppLocker/WDAC policies)
  • Monitor for DLL hijacking attempts (unexpected DLL loads from writable directories)
  • Detect shellcode injection into explorer.exe (look for suspicious threads or memory allocations) - a bit harder for individual defenders, so mostly advice for EDR admins and forensics
  • Alert on Windows Update service tampering and Defender exclusion modifications
  • Hunt for ValleyRAT registry persistence (documented in CloudSEK's report)
  • Block C2 infrastructure (domains and IPs available in the analysis)
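The second, fourth and fifth bullets map onto registry and image-load telemetry most EDRs already collect, so here is an added example (mine, not CloudSEK's detection content) of those rules run over constructed Sysmon-style events, plus a per-process score that only fires when one image trips several stages of the chain. The event format is a simplified stand-in for Sysmon EID 7 and EID 13, and the sample paths are made up; the specific ValleyRAT registry names are in CloudSEK's report, not here.

```python
"""Detection rules for the Silver Fox/ValleyRAT chain described above, run over
constructed Sysmon-style events (a simplified stand-in for EID 7 ImageLoad and
EID 13 RegistryValueSet). Added example, not from CloudSEK's report."""
import re

WRITABLE_DIRS = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)
RULES = [  # (rule name, event type, pattern applied to the event target)
    ("defender_exclusion_added", "RegistryValueSet",
     re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)),
    ("defender_disabled", "RegistryValueSet",
     re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I)),
    ("run_key_persistence", "RegistryValueSet",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("wuauserv_tampering", "RegistryValueSet",
     re.compile(r"\\Services\\wuauserv\\(Start|ImagePath)$", re.I)),
    ("dll_from_writable_dir", "ImageLoad", WRITABLE_DIRS),
]

# Constructed events: type|process image|target (registry value or loaded DLL)
SAMPLE_EVENTS = r"""
ImageLoad|C:\Windows\explorer.exe|C:\Windows\System32\shell32.dll
ImageLoad|C:\Users\ravi\Downloads\ITNotice\setup.exe|C:\Users\ravi\Downloads\ITNotice\libexpat.dll
RegistryValueSet|C:\Users\ravi\Downloads\ITNotice\setup.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
RegistryValueSet|C:\Windows\explorer.exe|HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\svc
RegistryValueSet|C:\Windows\explorer.exe|HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
RegistryValueSet|C:\Program Files\Vendor\app.exe|HKCU\Software\Vendor\Settings\Theme
"""

def parse_events(text):
    for line in text.splitlines():
        if line.strip():
            yield line.split("|", 2)  # etype, image, target

def match_rules(text):
    """Return (rule, process image, target) for every event a rule fires on."""
    return [(name, image, target)
            for etype, image, target in parse_events(text)
            for name, rule_type, pattern in RULES
            if etype == rule_type and pattern.search(target)]

def score_processes(text, threshold=2):
    """Processes tripping >= threshold distinct rules. One exclusion or Run key
    is noisy on its own; several stages of the chain from one image are not."""
    by_image = {}
    for name, image, _ in match_rules(text):
        by_image.setdefault(image, set()).add(name)
    return {img: sorted(r) for img, r in by_image.items() if len(r) >= threshold}
```

Note that explorer.exe is the image on the Defender and wuauserv events, which is exactly what injected shellcode looks like in telemetry and why the per-process score is keyed on the image rather than the user.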

For red teams:

The Silver Fox campaign is a blueprint for targeted regional operations: leverage culturally relevant lures (tax notices, government communications), chain multiple evasion techniques (DLL hijacking → shellcode injection → Defender tampering), and deploy modular payloads with tiered C2 for operational resilience.

U.S. Treasury Lifts Intellexa Sanctions: Policy Shift for Predator Spyware Vendors

In a rare policy reversal, The Hacker News reports that the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) removed sanctions from three individuals previously designated for their roles in the Intellexa consortium and its Predator commercial spyware operations: Merom Harpaz, Andrea Gambazzi, and Sara Hamou.

The delisting follows administrative petitions demonstrating the individuals' separation from Intellexa and its sanctioned entities (Thalestris Limited, Intellexa S.A.). OFAC's action reduces formal economic pressure but does not affect the underlying technical threat posed by Predator spyware, which remains actively deployed in surveillance operations globally.

The broader context: Intellexa/Predator has been linked to zero-click exploits targeting iOS and Android devices, with campaigns documented by Amnesty International, Recorded Future, and others. The spyware's capabilities include:

  • SMS/messaging app interception
  • Location tracking and geofencing
  • Microphone/camera activation
  • Credential harvesting from device storage
  • Privilege escalation and persistence

For defenders:

The sanctions change is a legal/vendor risk issue, not a technical mitigation. Continue treating Predator as an active threat:

  • Deploy mobile threat defense (MTD) solutions capable of detecting spyware behaviors
  • Harden messaging clients (disable preview features, enforce app sandboxing)
  • Monitor for anomalous SMS/WhatsApp activity and credential exfiltration
  • Review vendor risk assessments and procurement policies for spyware-linked entities
  • Brief legal/compliance teams on the sanctions change for contract reviews

The delisting may complicate procurement restrictions and vendor due diligence but doesn't reduce the operational risk from Predator-equipped adversaries. Amnesty International and others have published extensive technical IOCs for Predator; use them.

Closing Thoughts: From Insiders to Extensions, Trust Remains the Vulnerability

We often try to have a common theme for the stories we select for inclusion, and this week's stories are no different: attackers exploit the trust we place in people, platforms, and processes. Coupang's breach demonstrates that insiders with legitimate access are existential threats to data security. GlassWorm shows that developer tools and browser extensions remain high-value supply-chain targets. The Silver Fox campaign proves that culturally relevant phishing still works. And the Intellexa sanctions removal reminds us that policy and law are separate from technical threat.

The defensive fundamentals remain constant: least privilege, behavioral monitoring, supply-chain hygiene, and user education. But the execution has to be sharper. You can't just trust an employee because they passed a background check or allow a browser extension because it's in the official marketplace.

So audit your privileged access, vet your extensions, educate your users on phishing, and maybe spend some time reviewing your DLP policies before the quarter ends. The new year is here, but the threats never left.

Stay sharp. The threat actors are already planning Q1.

-- KryptoKat