EvilBit Threat Digest - Turning the Tables: When Deception Becomes Defense
Newsletter on Resecurity's honeypot win, FortiWeb 0-day exploitation, and Chinese Office Assistant supply chain browser plugin attack.
KryptoKat here. Sometimes the best defense is a well-laid trap. This week brought a textbook example of active cyber deception that security vendors should study carefully. While most honeypots sit passively, waiting for opportunistic scans, Resecurity engineered a synthetic-data trap specifically designed to bait the ShinyHunters/Scattered LAPSUS$ Hunters threat group, and it worked beautifully.
Between December 12 and 24, 2025, the threat actors made over 188,000 automated requests to exfiltrate what they believed were consumer records and payment transaction data. But every byte was fabricated: AI-generated synthetic records mixed with previously breached dark web datasets to build credibility. No real customer data. No production assets exposed. Just attacker infrastructure and operational security failures, captured in detail.
The operation yielded actionable intelligence: real IP addresses (Egyptian infrastructure at 156.193.212.244 and 102.41.112.148), proxy breakdowns, and behavioral patterns that defenders can use to identify and track the group. More importantly, it demonstrates a practical framework for deception-in-depth--using synthetic data to investigate threats without risking genuine exposure.
For defenders, the mitigations are straightforward but powerful: deploy isolated honeypot environments populated with realistic synthetic data, combine AI-generated records with dark web datasets for authenticity (check first that re-hosting already-breached data is defensible for your organization), keep the trap cut off from production identity and networks so a lured attacker has nowhere to pivot, monitor for proxy failures that expose real attacker IPs, and share captured IOCs with law enforcement. The technique scales across sectors--finance, retail, healthcare--anywhere you can build believable decoy data.
For threat intelligence teams, this is a case study in attribution through controlled engagement. Resecurity's December 24 blog post and January 3 follow-up provide the full technical details, and ShinyHunters inadvertently confirming the operation's success in their own Telegram posts is the icing on the cake.
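What the data side of such a trap can look like, as an added example (my code, not Resecurity's): synthetic records that carry an HMAC canary, so a record that later surfaces in a dump can be traced back to the trap without a lookup table, plus a pass over the access log that flags the moment a scraping session steps outside its proxy pool. The canary scheme, the example.com addresses, the log format and the proxy range are assumptions made for the example, and the log lines are constructed.

```python
"""Synthetic-data honeypot helpers.

Added example, not Resecurity's code. It covers two things the write-up
describes: handing an attacker fabricated records that look real, and
watching the scraping session for the moment a proxy fails and a real
source IP shows up. The canary tag, the log format and the proxy ranges
are assumptions made for this example.
"""
import hashlib
import hmac
import ipaddress
import random
from collections import Counter, defaultdict

CANARY_KEY = b"rotate-me-per-deployment"   # assumption: one secret per honeypot


def make_record(seed_id: int, key: bytes = CANARY_KEY) -> dict:
    """Build one deterministic, fully synthetic customer record.

    The e-mail local part ends in a short HMAC tag over the record id, so a
    record that later surfaces in a dump can be attributed to this trap
    with is_canary() and no database of everything we served.
    """
    rng = random.Random(seed_id)
    first = rng.choice(["Ana", "Omar", "Li", "Grace", "Tomas", "Noor"])
    last = rng.choice(["Rivera", "Haddad", "Wang", "Okafor", "Novak", "Sato"])
    tag = hmac.new(key, str(seed_id).encode(), hashlib.sha256).hexdigest()[:6]
    return {
        "id": seed_id,
        "name": f"{first} {last}",
        "email": f"{first.lower()}.{last.lower()}.{tag}@example.com",
        "last_txn_usd": round(rng.uniform(5, 900), 2),
    }


def is_canary(record: dict, key: bytes = CANARY_KEY) -> bool:
    """True if the record's e-mail carries the HMAC tag for its id."""
    expected = hmac.new(key, str(record["id"]).encode(), hashlib.sha256).hexdigest()[:6]
    local = record["email"].split("@", 1)[0]
    return hmac.compare_digest(local[-6:], expected)


def records_page(page: int, per_page: int = 100) -> list:
    """What the fake /customers endpoint would hand back for one page."""
    return [make_record(i) for i in range(page * per_page, (page + 1) * per_page)]


# Assumption: the proxy/VPN ranges the attacker is seen coming through.
PROXY_POOL = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access-log sample: "<client ip> <session token> <path> <status>".
SAMPLE_LOG = """\
203.0.113.10 tok-A /api/v1/customers?page=1 200
203.0.113.11 tok-A /api/v1/customers?page=2 200
203.0.113.12 tok-A /api/v1/customers?page=3 200
198.51.100.7 tok-A /api/v1/customers?page=4 200
203.0.113.10 tok-A /api/v1/customers?page=5 200
203.0.113.13 tok-B /api/v1/transactions?page=1 200
"""


def analyze(log_text: str, proxy_pool=PROXY_POOL) -> dict:
    """Per session: request volume, IP churn, and IPs outside the proxy pool.

    A session that is otherwise fully proxied but makes even one request
    from a non-proxy address has probably leaked the operator's real
    egress (a proxy failure, as in the Resecurity case).
    """
    per_session = defaultdict(Counter)
    for line in log_text.splitlines():
        ip, token, _path, _status = line.split()
        per_session[token][ip] += 1
    findings = {}
    for token, ips in per_session.items():
        leaked = [ip for ip in ips
                  if not any(ipaddress.ip_address(ip) in net for net in proxy_pool)]
        findings[token] = {
            "requests": sum(ips.values()),
            "distinct_ips": len(ips),
            "leaked_ips": sorted(leaked),
        }
    return findings


if __name__ == "__main__":
    print(records_page(0, 2))
    for token, info in analyze(SAMPLE_LOG).items():
        print(token, info)
```

The canary is an addition beyond what the write-up describes: it costs nothing at serving time and turns every leaked record into evidence of where it came from. The proxy-failure check is the simple version of what exposed the operators' Egyptian IPs: a session that is proxied for hundreds of requests and then makes one from a hosting or residential address has almost certainly leaked its real egress.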
The lesson here isn't just about honeypots--it's about proactive defense. Waiting for breach notifications is reactive. Building traps that expose attacker methods, infrastructure, and mistakes? That's getting ahead of the threat.
FortiWeb Under Fire: When Patching in Silence Becomes Exploits in Public
Fortinet's having a rough month. CVE-2025-64446 is a critical path traversal vulnerability in the FortiWeb WAF management interface (Fortinet's advisory lists affected releases on the 7.0 through 8.0 branches; 8.0.2 is the first fixed 8.0 release, with corresponding patch releases for the 7.x branches) that has been exploited in the wild since at least October 2025. Fortinet fixed it silently in late October, without an advisory, and active campaigns deploying Sliver C2 and Fast Reverse Proxy (FRP) for persistent network access have since been documented by multiple sources.
The attack chain is clean: unauthenticated HTTP requests abuse the path traversal to create unauthorized administrator accounts; the attackers then establish persistence with Sliver beacons dropped into a hidden /bin/.root/ directory, deploy FRP for tunneling, and dress the implants up as legitimate systemd services. The campaign uses decoy domains mimicking Ubuntu package infrastructure (ns1.ubunutpackages.store--note the typo) and the Bangladesh Air Force (ns1.bafairforce.army) to evade casual inspection.
Google Threat Intelligence, Bitsight, the Canadian Cyber Centre, and VulnCheck all corroborate the same technical details and exploitation timeline. CISA added this to the Known Exploited Vulnerabilities catalog, which means federal agencies have hard remediation deadlines.
For defenders:
- Update FortiWeb to 8.0.2 or later (or the fixed release for your 7.x branch) immediately
- Disable HTTP/HTTPS management access on internet-facing interfaces
- Audit configurations for unauthorized administrator accounts, and check the event log for admin-account creation you did not perform
- Block the decoy domains ns1.ubunutpackages.store and ns1.bafairforce.army (block the parent domains too, so any other host under them is caught)
- Monitor for FRP tool deployment and outbound connections to port 8003
- Hunt for Sliver beacon binaries in the /bin/.root/ directory
- Review systemd services for suspicious entries masquerading as legitimate processes
The fact that over 30 victims have been identified across South Asia, South Africa, and the US suggests this is a mature campaign with clear operational goals. If your FortiWeb appliance is internet-facing and you haven't patched, assume compromise and begin a forensic investigation. Patching alone does not evict an attacker who has already added an admin account or planted a beacon, so treat the upgrade as step one, not the fix.
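A small offline triage pass over the artifacts you would pull off the appliance and your network, as an added example (not Fortinet's tooling and not any of the cited vendors' detection content). The input formats are assumptions made for the example: a common-log-style HTTP access log, a `config system admin` dump, a flat file listing, `src:port -> dst:port` flow lines, and DNS query lines with the name as the last field. The sample data is constructed, not captured; adapt the parsers to whatever your exports actually look like.

```python
"""Offline triage for a possibly compromised FortiWeb appliance.

Added example: not Fortinet tooling and not any cited vendor's detection
content. It runs over text you have already exported (HTTP access log,
'config system admin' dump, a file listing, connection and DNS logs) and
reports the indicators this write-up names. Every input format here is an
assumption made for the example and the sample data is constructed.
"""
import re
from urllib.parse import unquote

# Parent domains of the two ns1 decoy hosts named in the reporting, so that
# any other host under them is caught as well.
DECOY_DOMAINS = {"ubunutpackages.store", "bafairforce.army"}
FRP_PORT = 8003
SLIVER_DIR = "/bin/.root/"
# '..' followed by a separator, in raw, URL-encoded and double-encoded spellings.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c|%252f|%255c)", re.I)
# Assumed common-log-style line: ip ident user [time] "METHOD path HTTP/x" status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')


def find_traversal(access_log: str) -> list:
    """(ip, method, path, status) for requests carrying a traversal sequence."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        # Check the raw path and one round of decoding: one layer of encoding
        # is enough to slip past a naive grep for "../".
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append((ip, method, path, int(status)))
    return hits


def unexpected_admins(config_dump: str, baseline) -> list:
    """Names under 'config system admin ... end' that are not in your baseline."""
    block = re.search(r"config system admin\n(.*?)\nend", config_dump, re.S)
    if not block:
        return []
    names = re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M)
    return sorted(set(names) - set(baseline))


def sliver_drops(file_listing: str) -> list:
    """Any path in a whitespace-separated listing that lives under /bin/.root/."""
    return [p for p in file_listing.split() if p.startswith(SLIVER_DIR)]


def frp_connections(conn_log: str) -> list:
    """Destination IPs of flows to the FRP port; assumed format 'src:port -> dst:port'."""
    hits = []
    for line in conn_log.splitlines():
        m = re.match(r"(\S+):(\d+) -> (\S+):(\d+)$", line.strip())
        if m and int(m.group(4)) == FRP_PORT:
            hits.append(m.group(3))
    return hits


def decoy_lookups(dns_log: str) -> list:
    """Queried names (last field of each line) that fall under a decoy domain."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if not parts:
            continue
        qname = parts[-1].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in DECOY_DOMAINS):
            hits.append(qname)
    return hits


# Constructed inputs for a dry run; none of this is captured data.
SAMPLE = {
    "access_log": (
        '198.51.100.23 - - [02/Nov/2025:03:14:07 +0000] '
        '"POST /api/v2.0/status%3F/../../../cgi-bin/ HTTP/1.1" 200\n'
        '192.0.2.9 - - [02/Nov/2025:03:15:00 +0000] "GET /login HTTP/1.1" 200\n'
    ),
    "admins": 'config system admin\n    edit "admin"\n    next\n    edit "svc_backup"\n    next\nend\n',
    "files": "/bin/.root/update /usr/bin/python3 /bin/.root/.cache",
    "conns": "10.0.0.5:51022 -> 203.0.113.40:8003\n10.0.0.5:51023 -> 203.0.113.41:443\n",
    "dns": "Q ns1.ubunutpackages.store.\nQ archive.ubuntu.com.\n",
}


def triage(artifacts: dict, admin_baseline=("admin",)) -> dict:
    """Run every check; an empty list means that indicator was not seen."""
    return {
        "traversal": find_traversal(artifacts["access_log"]),
        "new_admins": unexpected_admins(artifacts["admins"], admin_baseline),
        "sliver": sliver_drops(artifacts["files"]),
        "frp_dst": frp_connections(artifacts["conns"]),
        "decoy_dns": decoy_lookups(artifacts["dns"]),
    }


if __name__ == "__main__":
    for name, found in triage(SAMPLE).items():
        print(f"{name:10s} {found}")
```

If any list comes back non-empty, stop treating the box as a patch target and move to full forensic collection before you change anything on it. The admin baseline is the one check that needs your input: it is only as good as your record of which accounts are supposed to exist.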
Chinese Supply Chain Strike: Office Assistant Delivers Mltab Browser Plugin to 1M+ Endpoints
This one's a doozy for defenders tracking Chinese software ecosystems. QiAnXin RedDrip Team documented a supply chain compromise affecting Office Assistant v3.1.10.1 (released May 28, 2024) that delivered the Mltab/MadaoL Newtab browser plugin via signed malicious DLLs. The campaign has affected nearly 1 million Chinese terminals and over 210,000 Edge browser installs, and the plugin was still listed in the Edge store when the report came out (see the update below).
The infection chain is multi-stage: Office Assistant installs signed malicious DLLs that inject browser-hooking code, install the Mltab extension persistently, and establish command-and-control via domains like fh67k.com, g6ht.com, cjtab.com, and giw36.com. The extension hijacks new tab pages, injects ads and tracking, steals browsing data, and exfiltrates credentials.
The technical details are well-documented in QiAnXin's English-language analysis, with MD5 hashes for malicious components, C2 infrastructure, and the Edge extension ID (ohlnkhlhjgcfgggejkkjokalhjgopfie for MadaoL Newtab). GBHackers corroborated the findings, and the extension was still live on Microsoft Edge Add-ons at the time of writing. UPDATE: the extension was gone as of 2026-01-07 20:05 EST. Removal from the store does not uninstall it from endpoints that already have it, so the remediation steps still apply.
For defenders in Chinese/enterprise environments:
- Remove Mltab/MadaoL Newtab extensions from all browsers immediately
- Block the C2 domains fh67k.com, g6ht.com, cjtab.com, and giw36.com
- Scan for the malicious DLLs using the MD5 hashes QiAnXin published
- Disable auto-install of browser extensions via enterprise policy (in Edge, set ExtensionInstallBlocklist to * with an ExtensionInstallAllowlist of approved IDs, and review anything in ExtensionInstallForcelist, one of the ways a local installer can keep an extension pinned)
- Deploy endpoint detection (Tianqing detects Mltab components, per QiAnXin)
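A host-side hunt for the extension and the DLLs, as an added example (not QiAnXin's or Microsoft's tooling). It assumes the Chromium layout Edge uses: per-profile extension folders under `User Data\<Profile>\Extensions\<id>`, an `extensions.settings` map in the profile's Preferences / Secure Preferences JSON, and the ExtensionInstallForcelist policy key in the registry. The MD5 set is a placeholder to fill from QiAnXin's IOC list, and the demo profile the script builds for its dry run is constructed.

```python
"""Endpoint hunt for the MadaoL Newtab / Mltab extension and known-bad DLLs.

Added example, not QiAnXin's or Microsoft's tooling. Assumed layout: Edge
keeps per-profile extensions under <User Data>\\<Profile>\\Extensions\\<id>\\,
lists installed extensions under extensions.settings in the profile's
Preferences / Secure Preferences JSON, and force-installed extensions live
in the ExtensionInstallForcelist policy key. KNOWN_BAD_MD5 is a placeholder
to fill from QiAnXin's IOC list; the demo data is constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

MALICIOUS_EXT_IDS = {"ohlnkhlhjgcfgggejkkjokalhjgopfie"}  # MadaoL Newtab, per the report
KNOWN_BAD_MD5 = set()  # lowercase hex digests from the QiAnXin IOC list


def find_extension_dirs(user_data: Path, ext_ids=MALICIOUS_EXT_IDS) -> list:
    """Profile extension folders whose name is a flagged extension ID."""
    return [d for d in user_data.glob("*/Extensions/*") if d.is_dir() and d.name in ext_ids]


def find_extension_prefs(user_data: Path, ext_ids=MALICIOUS_EXT_IDS) -> list:
    """(prefs file, ext id) for flagged IDs registered in a profile's prefs JSON."""
    hits = []
    for prefs in list(user_data.glob("*/Preferences")) + list(user_data.glob("*/Secure Preferences")):
        try:
            settings = json.loads(prefs.read_text(encoding="utf-8"))["extensions"]["settings"]
        except (OSError, ValueError, KeyError, TypeError):
            continue
        hits.extend((prefs, ext_id) for ext_id in sorted(set(ext_ids) & set(settings)))
    return hits


def md5_of(path: Path) -> str:
    h = hashlib.md5(usedforsecurity=False)  # IOC matching, not integrity protection
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dlls(root: Path, bad_md5=None) -> list:
    """(path, md5) for every .dll under root whose hash is in the IOC set."""
    bad = {h.lower() for h in (KNOWN_BAD_MD5 if bad_md5 is None else bad_md5)}
    if not bad or not root.is_dir():
        return []
    hits = []
    for dll in root.rglob("*.dll"):
        try:
            digest = md5_of(dll)
        except OSError:
            continue
        if digest in bad:
            hits.append((dll, digest))
    return hits


def forcelist_entries() -> list:
    """Extension IDs force-installed by Edge policy (Windows only; [] elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    key_path = r"SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, key_path) as key:
                i = 0
                while True:
                    try:
                        _name, value, _type = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    entries.append(str(value).split(";", 1)[0])  # "<id>;<update url>"
                    i += 1
        except OSError:
            continue
    return entries


def demo_findings() -> dict:
    """Build a constructed Edge profile plus one 'bad' DLL in a temp dir and hunt it."""
    ext_id = "ohlnkhlhjgcfgggejkkjokalhjgopfie"
    with tempfile.TemporaryDirectory() as tmp:
        user_data = Path(tmp) / "User Data"
        (user_data / "Default" / "Extensions" / ext_id / "1.0.0_0").mkdir(parents=True)
        (user_data / "Default" / "Secure Preferences").write_text(
            json.dumps({"extensions": {"settings": {ext_id: {"state": 1}}}}), encoding="utf-8")
        dll = Path(tmp) / "Program Files" / "OfficeAssistant" / "update.dll"
        dll.parent.mkdir(parents=True)
        dll.write_bytes(b"constructed bytes standing in for a signed malicious DLL")
        bad = {md5_of(dll)}  # stands in for a hash taken from the IOC list
        return {
            "ext_dirs": [d.name for d in find_extension_dirs(user_data)],
            "prefs": [eid for _, eid in find_extension_prefs(user_data)],
            "dlls": [d.name for d, _ in scan_dlls(Path(tmp) / "Program Files", bad)],
        }


if __name__ == "__main__":
    user_data = Path(os.environ.get("LOCALAPPDATA", "")) / "Microsoft" / "Edge" / "User Data"
    for d in find_extension_dirs(user_data):
        print("extension folder present:", d)
    for prefs, eid in find_extension_prefs(user_data):
        print(eid, "registered in", prefs)
    for eid in forcelist_entries():
        print("force-installed by policy:", eid, "FLAGGED" if eid in MALICIOUS_EXT_IDS else "review")
    for dll, digest in scan_dlls(Path(os.environ.get("ProgramFiles", r"C:\Program Files"))):
        print("known-bad DLL:", dll, digest)
```

Edge profiles are per-user, so run this in each user's context or point `find_extension_dirs` at every user's `User Data` folder. Hash matching only catches the exact samples QiAnXin listed; a recompiled DLL walks past it, which is why the extension-ID and forcelist checks are the ones to trust.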
The campaign highlights the risk of trusting popular Chinese productivity software and demonstrates how supply chain attacks can persist for extended periods when browser extension marketplaces don't vet updates aggressively. For organizations operating in or with Chinese partners, this is a high-priority threat requiring immediate remediation.
The broader lesson is that supply chain compromises extend beyond npm and PyPI; every productivity tool, browser extension, and auto-update mechanism can serve as a potential vector. Vet your software, monitor for unexpected DLL loads and extension installs, and treat third-party code as guilty until proven innocent.
Closing Thoughts: Defense Evolves, Offense Adapts
This week's stories show two sides of the same coin. Resecurity's honeypot operation proves that defenders can flip the script when they think offensively. They set traps that catch attacker behavior without risking real assets. But the FortiWeb and Office Assistant campaigns remind us that attackers never quit, taking advantage of every gap, from quietly patched vulnerabilities to trusted Chinese software update channels.
The basics stay the same: patch known vulnerabilities, watch for weird behavior, limit privileges, and question trust relationships. But putting this into action takes creativity. Think honeypots with synthetic data, supply chain audits for Chinese software, and behavioral detection for browser extension abuse.
So, patch your FortiWeb appliances, audit your Chinese productivity software, and maybe think about building your own deception environments. The threat actors are innovative—so we should be too.
Stay sharp; the new year calls for new tradecraft.
-- KryptoKat