EvilBit Threat Digest: The Walls Have AI Ears

Knownsec leak exposes Chinese cyber-espionage tools, npm supply-chain attacks use blockchain C2, malicious Chrome extensions steal AI chats, and WhatsApp becomes a worm vector.

KryptoKat: It was a week for questioning who (or what) you can trust. The lines between a helpful browser extension and a corporate spy, a legitimate software update and a backdoor, or even a friendly investment group and an AI-driven simulation blurred considerably. We saw threat actors poison everything from search results to npm packages, while others turned trusted communication platforms like WhatsApp into self-propagating malware networks.

But the biggest story is one that pulls back the curtain on the machinery of state-sponsored operations, reminding us that sometimes the call is coming from inside a government contractor’s house. It’s a good time to double-check your trust boundaries. They’re probably not where you left them.

Here's a quick recap of what went down this week, plus a few things we haven't chatted about yet.

The Knownsec Leak: Another Look Behind the Curtain

KryptoKat: It seems 2026 is the year of the cyberespionage contractor breach. Following in the footsteps of the i-Soon leak, another major Chinese security firm, Knownsec, has had its internal files laid bare. A bunch of detailed analyses from different sources show that a leak of over 12,000 internal documents reveals the company's role as a major contractor for China's Ministry of Public Security and military intelligence operations.

The leaked data provides a rare glimpse into the tooling and targeting of state-aligned threat actors. This includes offensive tools like the GhostX RAT, an email eavesdropping platform called Un-Mail that exploits XSS and stolen cookies, and the well-known ZoomEye internet-wide scanner. The documents also had a ton of targeting info on government, telecom, financial, and critical infrastructure entities in over 20 countries, especially Taiwan, India, and South Korea. Just like the i-Soon files, this leak shows how a state-sponsored system relies on private contractors to create and run tools for global intelligence gathering. For defenders, these leaks are a goldmine of intel on TTPs and strategic priorities.

When Your Tools Turn on You

UncleSp1d3r: I've been saying it for years: every dependency can be a ticking time bomb. This week, the JavaScript world really drove that home. Researchers at Aikido Security broke down a sneaky npm supply-chain attack they call NeoShadow. The attackers dropped a bunch of malicious packages, including typosquats of popular libraries like viem-js and supabase-js. The infection chain is a three-stage mess that kicks off with obfuscated JavaScript, then moves to an MSBuild XML file to run PowerShell, and finally injects shellcode into RuntimeBroker.exe.

But here’s the part that really got my attention: the C2 infrastructure is resolved using the Ethereum blockchain. The malware checks a specific smart contract to grab its C2 address. It’s a smart, decentralized method for creating tough C2 infrastructure that's a real pain to shut down. You can't just sinkhole a domain when the address is stored in a public ledger.

KryptoKat: And it wasn't just the package managers. The browser, our window to the world, continues to be a prime target for data theft, especially with the rise of AI assistants. Researchers from OX Security and others uncovered two malicious Chrome extensions, masquerading as AI sidebar tools, that were installed by over 900,000 users. One even managed to get Google’s coveted "Featured" badge. These extensions grabbed whole chats from ChatGPT and DeepSeek, plus browsing history, and sent the data to servers controlled by attackers every 30 minutes.

This “prompt poaching” is more than just a privacy violation; it’s industrialized corporate espionage. Developers pasting proprietary code, marketing teams drafting strategy, executives discussing financials--it all gets vacuumed up. It’s a stark reminder that browser extensions with broad permissions, especially those interacting with sensitive SaaS platforms, are a critical control point for enterprise security. Trusting a "Featured" badge is no substitute for a proper vetting and allowlisting policy.

The Phisherman's Net Gets Wider

KryptoKat: Phishing tradecraft operates as a continuous cycle of innovation. Just as users become aware of one tactic, a new one emerges. A fascinating report from the SANS Internet Storm Center detailed a phishing campaign that bypassed image-based detection by rendering QR codes using HTML tables. Instead of an <img> tag, the threat actor used a <table> with hundreds of tiny cells colored with bgcolor attributes to form the QR code pattern. It's a straightforward and classy way to dodge security gateways that scan for image files to process with OCR. The QR codes pointed to sites that harvest credentials, of course.

Meanwhile, Microsoft Threat Intelligence warned that attackers are increasingly exploiting misconfigured email routing and weak DMARC/SPF policies to make phishing emails appear as if they are from an internal sender. This approach proves particularly effective in intricate circumstances where MX records do not directly connect to Microsoft 365, thereby preventing the native spoof detection from springing into action. Phishing-as-a-Service platforms, such as Tycoon2FA, artfully employ this technique to circumvent MFA through adversary-in-the-middle attacks. It serves as a poignant reminder that email authentication is not merely a matter of ticking a box; a p=reject policy is in place for a compelling reason.

If that wasn't strange enough, Check Point Research detailed an elaborate, AI-powered investment scam they’ve aptly named the "Truman Show" attack. Victims find themselves drawn into WhatsApp or Telegram groups that seem to buzz with vibrant communities of savvy investors sharing tips. Yet, beneath the surface, the entire community, every member, every post, and every success story, is artificially crafted by LLMs to create an illusion of trust and social proof. The aim? To entice the target into downloading a malicious financial app from a legitimate app store and depositing their hard-earned money. These apps, nothing more than simple WebView wrappers devoid of any malicious code, slip through app store reviews with ease. It is a chilling glimpse into social engineering at scale, where reality is algorithmically spun for a single unsuspecting target.
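The table-rendered QR code from the SANS Internet Storm Center item above can be caught structurally in the HTML body instead of by image scanning. The Python below is an added example, not part of this digest or the SANS report; the names `TableGrid`, `looks_like_qr`, `find_table_qr` and `constructed_sample`, the 21-cell minimum and the finder-pattern heuristic are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

MIN_MODULES = 21  # smallest QR symbol (version 1) is 21x21 modules
FINDER = "1111111 1000001 1011101 1011101 1011101 1000001 1111111".split()  # 1 = dark

class TableGrid(HTMLParser):  # records each cell's bgcolor, row by row, per <table>
    def __init__(self):
        super().__init__()
        self.tables, self.open = [], []   # every table seen / stack of open tables
    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.open.append([])
            self.tables.append(self.open[-1])
        elif tag == "tr" and self.open:
            self.open[-1].append([])
        elif tag in ("td", "th") and self.open and self.open[-1]:
            self.open[-1][-1].append((dict(attrs).get("bgcolor") or "").strip().lower())
    def handle_endtag(self, tag):
        if tag == "table" and self.open:
            self.open.pop()               # nested layout tables keep their own grids

def looks_like_qr(rows):
    """True for a rectangular two-colour grid whose top-left corner is a finder pattern."""
    width = len(rows[0]) if rows else 0
    colours = {c for r in rows for c in r}
    if (min(len(rows), width) < MIN_MODULES or any(len(r) != width for r in rows)
            or len(colours) != 2 or "" in colours):
        return False
    for dark in colours:                  # try each colour as "dark": no colour parsing
        bits = ["".join("1" if c == dark else "0" for c in r) for r in rows]
        top = next(i for i, b in enumerate(bits) if "1" in b)   # skip quiet-zone rows
        left = min(b.index("1") for b in bits if "1" in b)      # skip quiet-zone columns
        if [b[left:left + 7] for b in bits[top:top + 7]] == FINDER:
            return True
    return False

def find_table_qr(html):  # indexes of tables in an HTML body that look like a QR code
    parser = TableGrid()
    parser.feed(html)
    return [i for i, rows in enumerate(parser.tables) if looks_like_qr(rows)]

def constructed_sample(quiet=2, dark="#000000", light="#ffffff"):
    """Constructed input: 21x21 checkerboard, finder pattern top-left, light quiet zone."""
    g = [[int(FINDER[y][x]) if y < 7 and x < 7 else (x + y) % 2 for x in range(21)] for y in range(21)]
    n = 21 + 2 * quiet
    g = [[0] * n] * quiet + [[0] * quiet + r + [0] * quiet for r in g] + [[0] * n] * quiet
    cell = '<td bgcolor="%s" width="4" height="4"></td>'
    rows = ("".join(cell % (dark if m else light) for m in r) for r in g)
    return "<table>" + "".join("<tr>%s</tr>" % r for r in rows) + "</table>"
```

Cells coloured through CSS (`style="background-color: ..."`) instead of the `bgcolor` attribute are not covered by this check and would need the style value parsed as well.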

Exploits, Malware, and the Usual Mayhem

UncleSp1d3r: Well, it finally happened. In what has become the natural corruption of all sophisticated exploits, that critical RCE in React Server Components, CVE-2025-55182 (aka React2Shell), has officially made its debut in the ransomware world. According to researchers at S-RM, threat actors are now using the vulnerability to deploy Weaxor ransomware. The attack chain is super efficient. It kicks off with initial access via React2Shell, then deploys Cobalt Strike and runs full ransomware in under a minute. If you haven't patched your Next.js instances yet, your grace period is officially over. In my view of the hacking world, I rank ransomware pretty low on the honor scale, so it was only a matter of time before all good tech eventually floats down there.

On the malware front, the Brazilian banking trojan Astaroth has found a clever new propagation method: WhatsApp. In a campaign dubbed "Boto Cor-de-Rosa," the malware uses a Python-based component to hijack a victim's WhatsApp Web session, harvest their contacts, and then automatically send a malicious ZIP archive to everyone on the list. It’s a worm that exploits social trust instead of software vulnerabilities. The payload is a multi-stage banking trojan designed to steal credentials.

And lest we forget our IoT devices, researchers have been tracking the Kimwolf botnet, which has quietly infected over 2 million Android TV devices worldwide. The main way this infection spreads seems to be through exposed Android Debug Bridge (ADB) services and weak residential proxy SDKs that come pre-installed on cheap devices. This botnet is all about launching huge DDoS attacks and, of course, selling proxy bandwidth. Just a reminder: every smart device could end up being a future node in someone else's botnet until we see otherwise.

A Win for the Home Team

KryptoKat: It's not all doom and gloom. It’s always nice to see a plan come together, especially when it involves turning the tables on the attackers. Cybersecurity firm Resecurity published a fantastic write-up on how they used a high-interaction honeypot to trap and observe a threat actor with ties to the ShinyHunters/Scattered Lapsus$ cluster. I talked about this a bit more already on Wednesday, but it makes the list as my favorite news item of the week.

After detecting initial scanning, they planted a decoy employee credential in a third-party data source. The attackers took the bait, using the synthetic credential to log into emulated services, including a decommissioned Mattermost server populated with fake data. Over a 12-day period, Resecurity observed over 188,000 requests as the attacker scraped the decoy environment. The best part? The attacker’s proxies failed at one point, revealing their real IP address. All the collected intelligence was packaged and handed over to law enforcement. It’s a masterclass in active defense and a beautiful example of how deception can yield high-fidelity threat intelligence without risking a single byte of production data. Bravo.


KryptoKat: This week was a lesson in the fragility of implicit trust. Whether it’s a helpful-looking browser extension, a friendly face in a chat room, or a trusted software package, the underlying assumption of safety can be weaponized. Verification has to be the default.

UncleSp1d3r: Assume there's a breach and check everything. And maybe skip the smart toaster. Just saying. But from what I've seen in the news from this year's CES show, there are plenty of bad ideas to expect in future newsletters.

That's a wrap for us! So, we’ll sign off with this: "May your fridge door always swing open when you need it, and may your coffee maker's data exfiling never slow down your YouTube streams."