EvilBit Threat Digest - Phishing, AI-agent Risks & Malware
Roundup: LastPass phishing, ErrTraffic ClickFix, BlueNoroff macOS/supply-chain attacks, MCP AI-agent risks, and WordPress/mJobtime exploits.
The past few days provided a masterclass in how attackers exploit familiarity and trust. A CryptoChameleon phishing campaign targeted LastPass users, North Korea's BlueNoroff unit conducted multi-month social engineering operations against crypto executives, and attackers transformed AI agent tools into a vast new attack surface. Meanwhile, defenders received valuable resources: research on hunting threats using TLS fingerprints, new IOCs for a commoditized ClickFix platform, and critical patches for vulnerabilities in construction software and WordPress plugins.
Let's break it down.
LastPass Phishing: CryptoChameleon Strikes Again
LastPass users are being targeted by a phishing campaign that impersonates the company's security team, urging victims to "back up" their vaults within 24 hours or risk data loss. The campaign, which kicked off around 19 January 2026, uses emails with subject lines like "LastPass Vault Backup Required" and redirects users through Amazon S3 staging URLs to a fake LastPass portal at mail-lastpass[.]com.
This isn't LastPass's first rodeo with CryptoChameleon, a phishing kit that has been targeting their customers since at least April 2024. Previous campaigns documented by LastPass's Threat Intelligence and Monitoring Engineering (TIME) team used domains like tickets-lastpass.com and customer-lastpass.ru to harvest master passwords. The current wave follows the same playbook: create urgency, mimic official branding, and rely on users not verifying the sender or URL before pasting their master password into a fake form.
For defenders, the mitigations are straightforward but critical. Block the identified domains (mail-lastpass[.]com, S3 staging URLs) at your DNS resolver and web proxy. Add sender patterns and subject-line keywords to email filtering rules. Hunt your logs for any authentication attempts or password changes that coincide with the time users received these messages. Most importantly, enforce multi-factor authentication for all LastPass accounts and educate users that LastPass will never ask for a master password via email.
LastPass users should verify any urgent account notifications via the official status page or support channels, and report suspicious messages to abuse@lastpass.com. The Register and Infosecurity Magazine both covered the campaign with corroborating IOCs.
Detection Engineering: Bringing JA3 Back from the Dead
JA3 TLS client fingerprinting has had a rough few years. Once heralded as a reliable way to identify malware by its TLS handshake, it fell out of favor as adversaries learned to mimic legitimate clients and defenders struggled with false positives. But ANY.RUN's latest research makes a compelling case that JA3 still has value--when combined with context.
The research links specific JA3 hashes to malware families such as Remcos and Skuld, as well as to observable exfiltration channels including Discord, Telegram, and GoFile. The key insight is that JA3 shouldn't be used as a standalone indicator. Instead, collect it alongside Server Name Indication (SNI), JA3S (server-side fingerprints), HTTP URIs, and host-level telemetry. Use frequency analysis to detect spikes in previously rare JA3 hashes, and cluster JA3 samples to pivot from network traffic to sandbox artifacts.
For SOC teams, the practical takeaway is to integrate JA3/JA3S collection into your network sensors and store them as searchable fields in your SIEM. Enrich JA3 hits with additional metadata before treating them as high-confidence IOCs. Use them as hunt pivots, not as blocking rules — false positives remain a risk, especially since the same JA3 may appear in legitimate software. The Netresec blog and abuse.ch's SSLBL provide independent corroboration of high-value JA3 fingerprints.
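The frequency-analysis idea above, sketched as an added example (not code from ANY.RUN or any vendor named here). The record layout, thresholds, SNI watch list and placeholder hashes are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Assumed SNI names for the exfiltration channels the research mentions.
EXFIL_DOMAINS = ("discord.com", "api.telegram.org", "gofile.io")

def is_exfil(sni):
    return any(sni == d or sni.endswith("." + d) for d in EXFIL_DOMAINS)

def rare_ja3_spikes(baseline, current, rare_max=2, spike_min=5):
    """Flag JA3 hashes that were rare in the baseline window but frequent now,
    and attach the SNI and host context needed to triage them."""
    base = Counter(r["ja3"] for r in baseline)
    now = Counter(r["ja3"] for r in current)
    snis, hosts = defaultdict(set), defaultdict(set)
    for r in current:
        snis[r["ja3"]].add(r["sni"])
        hosts[r["ja3"]].add(r["host"])
    findings = []
    for ja3, count in now.items():
        if base[ja3] > rare_max or count < spike_min:
            continue  # common fingerprint, or too few hits to call a spike
        exfil = sorted(s for s in snis[ja3] if is_exfil(s))
        findings.append({
            "ja3": ja3, "count": count, "baseline": base[ja3],
            "hosts": sorted(hosts[ja3]), "exfil_sni": exfil,
            # A hunt pivot, not a verdict: context only raises the priority.
            "priority": "high" if exfil else "review",
        })
    return sorted(findings, key=lambda f: (f["priority"] != "high", -f["count"]))

# Constructed sample data; the hashes are placeholders, not real fingerprints.
BROWSER, RARE, ROLLOUT = "a" * 32, "b" * 32, "c" * 32

def rec(ja3, sni, host):
    return {"ja3": ja3, "sni": sni, "host": host}

BASELINE = [rec(BROWSER, "discord.com", f"ws-{i % 20}") for i in range(200)]
BASELINE.append(rec(RARE, "example.org", "ws-17"))
CURRENT = [rec(BROWSER, "discord.com", f"ws-{i % 20}") for i in range(100)]
CURRENT += [rec(RARE, "cdn.discord.com", "ws-17")] * 4
CURRENT += [rec(RARE, "api.telegram.org", "ws-17")] * 2
CURRENT += [rec(ROLLOUT, "updates.example.com", f"ws-{i}") for i in range(5)]

if __name__ == "__main__":
    for f in rare_ja3_spikes(BASELINE, CURRENT):
        print(f["priority"], f["ja3"], f["count"], f["hosts"], f["exfil_sni"])
```

The browser fingerprint also talks to discord.com but is never flagged, which is the point: neither the SNI nor the JA3 alone separates the two clients.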
ErrTraffic: The ClickFix-as-a-Service Platform You Need to Block
ClickFix attacks--where victims are tricked into pasting malicious commands into their terminal or PowerShell prompt--have been around for a while. What's new is the industrialization. ErrTraffic is a Traffic Distribution System (TDS) that automates the entire ClickFix workflow, from creating fake page glitches to delivering platform-specific payloads with one-time tokens.
The system injects JavaScript into compromised websites to create visual chaos — garbled text, overlapping elements, fake error dialogs — that trick users into following "fix" instructions. Those instructions lead to clipboard-based PowerShell commands or OS-specific RMM binary downloads. The operators claim conversion rates of up to 60%, and the platform supports targeting across Windows, macOS, and Linux.
Censys and Hudson Rock documented live ErrTraffic panels across multiple hosts, with consistent infrastructure IOCs. Defenders should block network paths like /api/css.js.php, /api/css.js, and /api/index.php?action= at web proxies and WAFs. Alert on the errtraffic_session cookie and monitor for requests to known panel IPs. On the endpoint, watch for unexpected RMM installs (FleetDeck, ConnectWise, ITarian) from anomalous sources, and restrict PowerShell execution for standard users via Constrained Language Mode or AppLocker.
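A retro-hunt over proxy logs for the network indicators listed above, as an added example rather than tooling from Censys or Hudson Rock. The log line format, hostnames and cookie values are constructed, and matching `action` anywhere in the query string is a small generalization of the published path.

```python
import shlex
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PANEL_PATHS = {"/api/css.js.php", "/api/css.js"}   # from the published IOCs
SESSION_COOKIE = "errtraffic_session"

def indicators(url, cookie_header):
    """Return the ErrTraffic indicators present in one request."""
    hits = []
    parts = urlsplit(url)
    if parts.path in PANEL_PATHS:      # exact match, so /api/css.json is ignored
        hits.append(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == "/api/index.php" and "action" in query:
        hits.append("/api/index.php?action=")
    cookies = {c.split("=", 1)[0].strip() for c in cookie_header.split(";")}
    if SESSION_COOKIE in cookies:
        hits.append("cookie:" + SESSION_COOKIE)
    return hits

def hunt(log_lines):
    """Group indicator hits by client, then by the site that served them."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        _ts, client, _method, url, cookie = shlex.split(line)
        for hit in indicators(url, cookie):
            report[client][urlsplit(url).hostname].add(hit)
    return {c: {h: sorted(v) for h, v in sites.items()} for c, sites in report.items()}

# Constructed proxy log lines: timestamp client method url "cookie header"
SAMPLE = [
    '2026-01-20T10:02:11Z 10.0.4.23 GET https://shop.example.com/api/css.js.php ""',
    '2026-01-20T10:02:12Z 10.0.4.23 POST https://shop.example.com/api/index.php?action=placeholder '
    '"errtraffic_session=placeholder; theme=dark"',
    '2026-01-20T10:03:40Z 10.0.4.57 GET https://docs.example.net/api/css.json ""',
    '2026-01-20T10:03:41Z 10.0.4.57 GET https://docs.example.net/api/index.php?page=2 '
    '"session=placeholder"',
]

if __name__ == "__main__":
    for client, sites in hunt(SAMPLE).items():
        print(client, sites)
```

Grouping by site as well as client identifies which compromised website served the injected script, so it can be blocked or reported.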
User training remains critical: fake update prompts, font installation dialogs, and "paste this command to fix it" instructions should all be treated as hostile until verified through a separate, trusted channel.
BlueNoroff: When Fake Recruiters Meet Modular macOS Malware
BlueNoroff, the financially motivated subgroup of North Korea's Lazarus Group, has been running sophisticated crypto theft campaigns since the 2016 Bangladesh Central Bank SWIFT heist. Their latest operations, documented by Kaspersky and Picus Security, show the group has evolved from bank heists to multi-platform campaigns targeting cryptocurrency and Web3 executives.
The GhostCall and GhostHire campaigns use two parallel attack vectors. GhostCall lures victims with fake investment opportunities or partnership meetings, delivering malware through lookalike domains like swissborg.blog and support.video-meeting.online. GhostHire impersonates recruiters on LinkedIn and other platforms, offering technical interviews that require downloading a "test project" or "collaboration tool" from GitHub. Both vectors deliver modular malware written in Go, Rust, Nim, and AppleScript, with platform-specific persistence mechanisms and exfiltration via an encrypted WebSocket or an HTTP POST.
The macOS-specific tactics are particularly notable. BlueNoroff uses AppleScript to manipulate the Transparency, Consent, and Control (TCC) framework, granting itself permissions for the microphone, camera, and accessibility features without user consent. LaunchAgents and LaunchDaemons provide persistence, and the malware monitors clipboard activity for cryptocurrency wallet addresses, swapping them mid-paste to redirect transactions.
The group also poisons development supply chains. KPMG's analysis documented malicious Go packages uploaded to public repositories that trigger on build or import. For developers in the blockchain and Web3 space, this is a critical threat: simply opening a malicious project in your IDE can execute attacker-controlled code.
Defenders should block the documented lookalike domains and monitor for unsigned AppleScript, VBScript, and PowerShell execution. Harden macOS by restricting LaunchAgent/LaunchDaemon creation and alerting on unexpected osascript execution. For development environments, enforce dependency pinning, maintain a software bill of materials (SBOM), and scan third-party packages before builds. Most importantly, educate recruitment and hiring teams about social engineering tactics mimicking technical interviews.
Construction Software Under Fire: mJobtime SQLi Leads to RCE
Huntress documented real-world exploitation of mJobtime v15.7.2, a time-tracking application used by construction firms. The vulnerability, assigned CVE-2025-51683, is a blind SQL injection in the /Default.aspx/update_profile_Server endpoint that allows unauthenticated attackers to execute SQL commands on the backend MSSQL database. From there, attackers can enable xp_cmdshell and achieve operating system command execution.
This follows a pattern. In September 2024, Huntress documented similar attacks against FOUNDATION accounting software, another construction-industry platform. The common thread is exposed IIS/MSSQL instances with default or weak credentials, and attackers who know how to abuse xp_cmdshell for lateral movement and persistence.
The operational risk is acute: construction firms often run these applications with elevated privileges and minimal segmentation. Compromised accounting or project management software can expose payroll data, vendor contracts, and project timelines.
Defenders should immediately isolate affected servers from the internet. If xp_cmdshell is enabled, disable it and treat its presence as an indicator of compromise. Apply vendor patches if available; if not, remove or block the mJobtime web application until a fix is deployed. Harden MSSQL by restricting service account privileges--never run SQL Server under LocalSystem. Rotate all database credentials, especially default accounts like dba and sa. Hunt IIS logs for repeated POST requests to /Default.aspx/update_profile_Server and correlate with xp_cmdshell enablement events.
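One way to run the hunt described above, as an added example that is not taken from the Huntress or InfoGuard write-ups. The IIS field selection, thresholds and sample log lines are constructed, and it assumes xp_cmdshell enablement is read from the SQL Server error log, which records sp_configure changes as "Configuration option ... changed from 0 to 1".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/default.aspx/update_profile_server"   # compared case-insensitively
# SQL Server error-log line written when sp_configure turns xp_cmdshell on.
XP_ON = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \S+\s+"
                   r"Configuration option 'xp_cmdshell' changed from 0 to 1")
FMT = "%Y-%m-%d %H:%M:%S"

def parse_iis(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], FMT)
            yield row

def hunt(iis_lines, sql_lines, min_posts=5, window=timedelta(minutes=30)):
    """Report clients with repeated POSTs to the endpoint, and whether
    xp_cmdshell was switched on during or shortly after their requests."""
    posts = defaultdict(list)
    for r in parse_iis(iis_lines):
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == ENDPOINT:
            posts[r["c-ip"]].append(r["ts"])
    enabled = [datetime.strptime(m.group(1), FMT)
               for m in map(XP_ON.match, sql_lines) if m]
    report = []
    for ip, times in sorted(posts.items()):
        if len(times) >= min_posts:
            first, last = min(times), max(times)
            report.append({
                "client": ip, "posts": len(times), "first": first, "last": last,
                "xp_cmdshell_enabled": any(first <= e <= last + window for e in enabled),
            })
    return report

# Constructed sample logs (both assumed to use the same time zone).
IIS = ["#Software: Microsoft Internet Information Services 10.0",
       "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
IIS += [f"2026-01-20 10:0{i}:00 203.0.113.7 POST /Default.aspx/update_profile_Server 200"
        for i in range(6)]
IIS += ["2026-01-20 10:01:30 198.51.100.9 POST /Default.aspx/update_profile_Server 200",
        "2026-01-20 10:02:10 198.51.100.9 GET /Default.aspx 200"]
SQL = ["2026-01-20 10:04:30.12 spid61      Configuration option 'xp_cmdshell' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install."]

if __name__ == "__main__":
    for row in hunt(IIS, SQL):
        print(row)
```

IIS writes its logs in UTC by default while the SQL Server error log uses local server time, so normalize both before correlating on real data.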
InfoGuard Labs published a detailed advisory with step-by-step exploitation details, and SecurityWeek corroborated the FOUNDATION campaign.
Multi-Stage Windows Malware: Defendnot, Amnesia RAT, and Ransomware
FortiGuard Labs detailed a multi-stage Windows campaign primarily targeting users in Russia. The attack chain uses business-themed documents as decoys, delivering payloads via GitHub-hosted PowerShell scripts and Dropbox-hosted binaries. The malware disables Microsoft Defender using Defendnot, a research tool designed initially to demonstrate weaknesses in the Windows Security Center trust model. From there, it deploys Amnesia RAT for credential theft and surveillance, then delivers Hakuna Matata ransomware and WinLocker to encrypt files and lock the user out of the system.
The attack modularizes hosting: GitHub serves scripts, Dropbox hosts binaries. This separation allows attackers to rotate components independently, making takedown efforts more difficult. Both platforms are trusted in enterprise environments, so malicious traffic often blends with legitimate activity.
Defenders should restrict PowerShell execution (ConstrainedLanguage, AppLocker, WDAC) and block iex (Invoke-Expression) patterns from raw.githubusercontent.com in web proxies. Monitor for Defender policy changes, registry modifications under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and unexpected Defender exclusions. Detect Defendnot-like behavior by watching for DLL injections into signed system processes like Taskmgr.exe and for Security Center registration events. Network controls should include monitoring for anomalous Telegram Bot API traffic from endpoints, as Amnesia RAT uses Telegram for exfiltration.
Hunt for LNK-to-PowerShell execution chains, hidden WSH/VBScript executions, newly created binaries in %ProgramData%, and mass invocations of VSSADMIN or WBADMIN (shadow copy deletion, a ransomware hallmark). If you find infected hosts, isolate immediately, preserve memory, disable compromised accounts, and restore from offline backups. Never pay ransomware operators or negotiate via their contact channels.
WordPress Under Siege Again: ACF Extended Privilege Escalation
A critical privilege escalation vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin allows unauthenticated attackers to gain administrator access on vulnerable sites. The flaw, CVE-2025-14533, scored a maximum CVSS 9.8 and affects all versions up to 0.9.2.1. It exploits missing role restrictions in the plugin's insert_user function when the role field is mapped to a custom field in Create/Update User forms.
Wordfence documented the vulnerability and noted that approximately 100,000 sites are affected. The attack requires no authentication, and exploitation is straightforward: an attacker submits a form with a manipulated role parameter, creating a new administrator account.
GreyNoise has already observed active scanning for vulnerable ACF Extended instances. While no confirmed exploitation has been reported publicly, the combination of ease of exploitation and large install base makes this a high-priority patch.
Defenders should update to ACF Extended version 0.9.2.2 or later immediately. If patching isn't possible, disable any public-facing Create/Update User forms that include role field mappings. Monitor WordPress user logs for suspicious new admin accounts and role changes, and review your sites for any unauthorized administrator accounts created since the disclosure.
BleepingComputer and Search Engine Journal provided additional coverage and IOCs.
The AI Agent Attack Surface: Model Context Protocol Security Risks
The Model Context Protocol (MCP), developed by Anthropic and rapidly adopted by OpenAI, Microsoft, Google DeepMind, and others, has become the de facto standard for connecting AI agents to external tools. It's also become a critical attack surface.
Research from Invariant Labs and multiple academic papers on arXiv documented a series of vulnerabilities and attack patterns. The most concerning:
- Command injection vulnerabilities: 43% of publicly available MCP servers contain exploitable injection flaws.
- Six disclosed CVEs: With CVSS scores up to 9.6, affecting 558,000+ installations.
- Tool Poisoning Attacks (TPAs): Malicious instructions hidden in tool descriptions can exfiltrate data and hijack agent behavior without user awareness.
- Over 16,000 untrusted servers: Distributed across unofficial registries, many with no security vetting.
The core issue is that MCP treats tool descriptions and server responses as trusted input. An attacker who controls a tool's metadata can inject prompts that override user instructions, exfiltrate sensitive data via encoded image URLs in markdown responses, or trigger unintended tool executions.
For organizations deploying AI agents with tool access, the mitigations are layered. Implement a zero-trust architecture for MCP servers — treat all servers as untrusted until verified. Apply least privilege to tool scopes with short-lived tokens and strong authentication (OIDC, mutual TLS). Validate and sign tool manifests, maintaining allowlists of trusted tool identifiers and versions. Use strict schema parsing for tool-call payloads and implement risk-based execution controls with confirmation workflows for medium-risk actions.
Execute untrusted tools in containerized isolation with strict network egress controls. Deploy comprehensive logging and SIEM alerting for anomalous tool usage patterns. Before deploying any MCP server, vet third-party sources and monitor for upstream changes. Tools like MCP-Scan can audit servers for common vulnerabilities.
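The manifest allowlisting and strict schema parsing described above, as an added example that is not part of the MCP specification or any vendor's tooling. The manifest layout (a per-tool version field), the tool name and the key are hypothetical, and HMAC-SHA256 stands in here for the asymmetric signature a production deployment would use.

```python
import hashlib
import hmac
import json

def sign(manifest, key):
    """HMAC-SHA256 over canonical JSON; stands in for an asymmetric signature."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_tool(manifest, signature, key, allowlist):
    """Accept a tool only if its name and version are allowlisted and its
    full manifest, description included, matches what was reviewed."""
    if (manifest.get("name"), manifest.get("version")) not in allowlist:
        return False, "tool or version not on allowlist"
    if not hmac.compare_digest(sign(manifest, key), signature):
        return False, "manifest differs from the reviewed copy"
    return True, "ok"

JSON_TYPES = {"string": str, "integer": int, "boolean": bool}

def validate_call(manifest, args):
    """Strict parsing: unknown keys, missing keys and wrong types are all errors."""
    schema = manifest["inputSchema"]
    props = schema["properties"]
    errors = [f"unknown argument: {k}" for k in args if k not in props]
    errors += [f"missing argument: {k}"
               for k in schema.get("required", []) if k not in args]
    for k, v in args.items():
        # type() rather than isinstance(): True must not pass as an integer.
        if k in props and type(v) is not JSON_TYPES[props[k]["type"]]:
            errors.append(f"wrong type for {k}: expected {props[k]['type']}")
    return errors

# Constructed example data.
KEY = b"constructed-review-key"
REVIEWED = {
    "name": "read_ticket", "version": "1.2.0",
    "description": "Fetch a support ticket by id.",
    "inputSchema": {"type": "object", "required": ["ticket_id"],
                    "properties": {"ticket_id": {"type": "integer"},
                                   "include_comments": {"type": "boolean"}}},
}
ALLOWLIST = {("read_ticket", "1.2.0")}
SIGNATURE = sign(REVIEWED, KEY)
# Same name and version, but the description changed after review.
CHANGED = dict(REVIEWED, description=REVIEWED["description"] + " [text added after review]")

if __name__ == "__main__":
    print(verify_tool(REVIEWED, SIGNATURE, KEY, ALLOWLIST))
    print(verify_tool(CHANGED, SIGNATURE, KEY, ALLOWLIST))
    print(validate_call(REVIEWED, {"ticket_id": "7", "path": "/etc"}))
```

Covering the description in the signed blob matters because tool poisoning changes the text the model reads while the tool's name and version stay the same.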
The MCP Security Bench provides a framework for benchmarking attacks, and the enterprise security research offers detailed mitigation strategies. For security teams evaluating or deploying AI agent systems, this is required reading.
MacSync Returns: Hardware Wallet Trojanization
CloudSEK documented a macOS infostealer campaign that uses ClickFix-style social engineering to deliver a Zsh stager, which executes an in-memory AppleScript to steal browser profiles, Keychain data, SSH/AWS/Kubernetes credentials, desktop wallet directories, and browser extension storage. The malware then conditionally trojanizes Electron-based Ledger and Trezor applications by replacing app.asar or Info.plist files, turning trusted wallet apps into persistent credential harvesters.
The trojanized wallet apps present convincing PIN and recovery phrase phishing UIs. When users enter their credentials or seed phrases, the data is exfiltrated to the attacker's infrastructure and can be used to drain cryptocurrency wallets completely.
Jamf Threat Labs confirmed multiple MacSync variants, including signed and notarized samples delivered via SEO poisoning and fake GitHub repositories. The malware has evolved from script-based delivery to code-signed Swift binaries, demonstrating the actor's operational maturity.
Defenders should enforce policies that forbid execution of pasted shell commands in Terminal. Block known campaign infrastructure (jmpbowl.*, macclouddrive.com) at network perimeters. Deploy EDR with macOS telemetry to detect in-memory osascript execution, Zsh daemons writing to /tmp/runner, and creation of /tmp/osalogging.zip. Monitor for modifications to the Electron app bundles under /Applications--changes to app.asar or Info.plist--and alert on ad-hoc code-signing activity.
Ensure macOS Gatekeeper, XProtect, and system updates are up to date. Use managed enforcement (Jamf Protect, Jamf Pro) to block known droppers and enforce application allowlists. Harden developer credentials and monitor for developer certificate misuse. Detect and block exfiltration endpoints and multipart POSTs with unusual headers (e.g., api-key, build tokens) and files named /tmp/osalogging.zip.
Infosecurity Magazine and OffSeq Threat Radar provided corroborating coverage and additional IOCs.
Closing Thoughts
The past few days underscored a familiar reality: attackers are patient, creative, and opportunistic. They'll spend months building rapport with a crypto executive, automate entire phishing infrastructures to scale social engineering, and meticulously trojanize trusted wallet applications to harvest seed phrases. Meanwhile, defenders are stuck patching the same classes of vulnerabilities — SQL injection in web apps, privilege escalation in WordPress plugins, command injection in AI tooling — that we've been fighting for decades.
The difference now is scale and sophistication. Phishing kits are productized. APT groups use modular, cross-platform malware written in memory-safe languages. AI agents expand the attack surface faster than we can secure it. The defensive playbook hasn't changed — patch quickly, enforce least privilege, monitor for anomalies, educate users — but the execution bar keeps rising.
So patch your WordPress plugins, block those LastPass phishing domains, audit your MCP servers, and maybe take a moment to verify that your hardware wallet app hasn't been quietly swapped out for a trojanized version. And remember: trust, but verify, especially when the trust relationship is automated.
On a personal note, for those in the path of the cavernous 2,300-mile-wide snow/freezing rain/ice machine — stay indoors, stay warm, stay safe, and check on your neighbors and friends.
Till next time,
KryptoKat