EvilBit Threat Digest: When Infrastructure Becomes a Weapon and Trust Turns Toxic

Threat actors weaponize infrastructure at scale, from wipers targeting power grids to supply-chain malware and browser extensions that act as C2.

KryptoKat: The past few days have demonstrated what happens when threat actors shift from opportunistic scanning to deliberate, infrastructure-aware campaigns. Russia's Sandworm APT wiped data from Poland's power grid, nation-state groups ran coordinated phishing operations against government targets, supply-chain attacks evolved to abuse machine learning model formats, and browser extensions were transformed into full-featured C2 platforms with clipboard hijacking and cookie exfiltration.

The common thread in all of these occurrences is sophistication. Attackers are no longer just exploiting vulnerabilities; they're building ecosystems that weaponize the infrastructure we depend on: npm registries, AI model repositories, browser extension stores, and the NVD itself.

All aboard the Midweek Threat Digest Express!


Sandworm Strikes Poland's Power Grid with DynoWiper

ESET Research attributed a late-2025 data-wiping attack against Polish energy infrastructure to Sandworm, the Russia-aligned APT responsible for NotPetya, Industroyer, and a decade of disruptive attacks against critical infrastructure in Eastern Europe.

The malware, named DynoWiper (detected as Win32/KillFiles.NMO), is a destructive wiper designed to erase data from compromised systems. ESET reports no confirmed service disruption, but the timing and targeting align with Sandworm's operational playbook: strategic strikes during periods of geopolitical tension to degrade adversary capability and morale.

The attack underscores a persistent reality: critical infrastructure remains a primary target for nation-state actors, and wipers remain a tool of choice when the goal is disruption rather than espionage. ESET provides a SHA1 hash for detection ([hash from report]), and organizations in the energy sector should assume this is reconnaissance for future operations.

For defenders, the mitigations are layered. Apply Microsoft security updates for CVE-2025-50165 (referenced in the ESET report). Deploy vendor signatures that detect Win32/KillFiles.NMO and block the SHA1 sample. Isolate suspected infected hosts immediately and preserve forensic evidence. Ensure offline, tested backups exist before remediation. Harden network segmentation and restrict administrative access to OT/ICS components with multi-factor authentication and least privilege.

Sandworm isn't slowing down, and Poland's power grid won't be the last target. If you're defending critical infrastructure, treat every endpoint as a potential beachhead and every backup as a recovery lifeline.


Nation-State Phishing: Vortex Werewolf, Erudite Mogwai, and the APT Playbook

Three separate campaigns documented this week show how nation-state actors are refining their initial access tradecraft with Telegram-themed lures, custom loaders, and Tor-based persistence.

Vortex Werewolf: Telegram Phishing Meets Tor Hidden Services

BI.ZONE documented a new espionage cluster, Vortex Werewolf, targeting Russian government and defense-industrial organizations. The campaign uses fake Telegram download pages to harvest credentials and deliver ZIP archives containing LNK files that deploy Tor and OpenSSH for persistent covert access.

The operational model is elegant: phishing pages at domains like trustedfiles[.]org, guardedcloud[.]net, and documtransfer[.]net mimic Telegram's download interface. Victims who enter credentials have their accounts compromised immediately. Those who download the "update" receive a malicious LNK that launches PowerShell to install Tor and configure an SSH backdoor accessible only via a hidden .onion address.

The use of Tor Hidden Services for C2 provides resilience against takedown and makes network monitoring nearly useless unless you're detecting Tor traffic at the client. The persistence mechanism (scheduled tasks that launch OpenSSH via Tor) ensures the attacker can regain access even after remediation attempts that miss the scheduled task.

For defenders, block the identified domains (trustedfiles[.]org, guardedcloud[.]net, documtransfer[.]net, biavid[.]info, safedatabox[.]net, documshare[.]org) at DNS and web gateways. Monitor for Tor traffic or obfs4 bridge connections from endpoints. Alert on scheduled task creation with unusual executable paths in %APPDATA%. Hunt for PowerShell spawning from LNK files with encoded commands. Verify Telegram login alerts and check for unauthorized active sessions. The BI.ZONE report includes extensive IOCs and detection guidance corroborated by CISOCLUB and Anti-Malware.ru.

Erudite Mogwai and NGC6061: Phishing the Russian Government with TripleDES Loaders

Two campaigns targeting Russian government agencies demonstrate the continued evolution of LNK-based delivery chains.

Solar 4RAYS documented Erudite Mogwai, a targeted phishing campaign (August 2024–May 2025) that used single-use links hosted on compromised victim infrastructure. The LNK shortcuts launch indirect command chains via conhost.exe, executing VBS/.NET loaders (TADS), an in-memory .NET plugin (Scythe) for scheduled-task persistence, and a Golang backdoor (Pinocchio, a modified OrcaC2 Puppet implant).

The campaign's use of compromised infrastructure for staging and single-use delivery links complicates attribution and takedown. The Golang payload communicates via WebSocket to C2 at ftp.media-storage.myftp.info and 192.124.176.43, and includes sandbox checks and delayed execution to evade automated analysis.

Similarly, Solar 4RAYS reported NGC6061, a series of phishing attacks against Russian government organs (September 2024–mid-September 2025) using password-protected archives with self-extracting LNK shortcuts. The LNKs run PowerShell to split, decode (base64), and TripleDES-decrypt embedded payloads, ultimately delivering C++ reverse shells and Metasploit TCP reverse agents via DLL side-loading (KeyScrambler/KeyScramblerIE pairing).

For defenders, the mitigations span detection and hardening. Block and monitor connections to identified C2 IPs and domains. Treat password-protected archives from external senders as high risk; block or detonate in a sandbox before delivery. Detect and block execution of LNK files from user mail/profile directories. Enable PowerShell logging (module/ScriptBlockLogging/transcript) and alert on powershell.exe -exec bypass or large TripleDES/base64 decode activity. Apply application allowlisting to signed installers and detect DLL side-loading by validating loaded DLLs against known-good versions.


Supply Chain Attacks: npm Worms, Pickle Payloads, and Repo Squatting

This week's supply-chain stories show attackers moving beyond simple typosquatting to self-propagating registry worms, malicious AI model files, and repo squatting with GPU-based anti-analysis.

Shai-Hulud: The npm Registry Worm

Abstract Security documented a Shai-Hulud npm worm variant that executes during pre-install, drops a Bun-based loader (setup_bun.js), installs a Bun runtime, steals credentials, and self-propagates via compromised npm packages.

The worm runs before the package is even installed, making traditional post-install defenses useless. The Bun runtime provides a legitimate execution environment that bypasses many security tools. And the self-propagation mechanism means a single compromised developer workstation can seed infections across an entire organization's internal registry.

For defenders, generate SBOMs without executing package code (use package-lock-only approaches and tools that avoid running package install scripts). Immediately rotate/revoke exposed credentials and tokens (npm tokens, GitHub PATs, cloud keys) from a clean, isolated machine. Pause or gate npm installs in CI/CD until packages are verified; use lockfiles (package-lock.json) to pin exact versions. Quarantine new packages behind an internal registry/mirror until validated. Abstract Security released a non-executing SBOM script for safe triage.
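A sketch of the package-lock-only approach described above, as an added example (not Abstract Security's script): it builds a component inventory from the lockfile text alone, so no package code runs, and queues entries that declare install-time scripts via the lockfile's `hasInstallScript` flag. The approved registry URL and the sample lockfile contents are assumptions constructed for illustration.

```python
import json

REGISTRY = "https://registry.npmjs.org/"  # assumed approved source

def inventory(lock_text: str) -> list:
    """Build a component list from package-lock.json (v2/v3) text alone."""
    lock = json.loads(lock_text)
    rows = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # skip the root project and workspace symlinks
        rows.append({
            "name": meta.get("name") or path.rsplit("node_modules/", 1)[-1],
            "version": meta.get("version", ""),
            "resolved": meta.get("resolved", ""),
            "integrity": meta.get("integrity", ""),
            "install_script": bool(meta.get("hasInstallScript")),
        })
    return sorted(rows, key=lambda r: (r["name"], r["version"]))

def review_queue(rows: list) -> dict:
    """Map 'name@version' to the reasons it should be held for review."""
    queue = {}
    for r in rows:
        reasons = []
        if r["install_script"]:
            reasons.append("runs lifecycle script at install")
        if not r["integrity"]:
            reasons.append("no integrity hash pinned")
        if not r["resolved"].startswith(REGISTRY):
            reasons.append("resolved outside approved registry")
        if reasons:
            queue[f'{r["name"]}@{r["version"]}'] = reasons
    return queue

# Constructed lockfile; package names, URLs and hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-util": {
            "version": "2.1.0",
            "resolved": REGISTRY + "example-util/-/example-util-2.1.0.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/@example/native-helper": {
            "version": "0.3.1", "hasInstallScript": True,
            "resolved": "https://mirror.example.invalid/native-helper-0.3.1.tgz"},
    },
})
```

Packages that land in the review queue are the ones to hold behind the internal mirror until validated.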

ReversingLabs: Malicious ML Models via Pickle Deserialization

ReversingLabs' 2026 Supply Chain Security report documented a surge in supply-chain threats, including nullifAI, a campaign that abused Pickle/PyTorch model serialization to deliver malware via Hugging Face.

The attack exploits how Python's pickle module deserializes arbitrary code during model loading. Attackers uploaded malicious model files to Hugging Face that, when loaded by data scientists or ML engineers, executed embedded payloads. The models appeared legitimate — correct file structure, plausible metadata — but contained executable code in the serialized data stream.

ReversingLabs also documented the Shai-Hulud npm worm (confirming Abstract Security's findings) and a massive increase in malicious npm package detections. The report notes that 2025 saw supply-chain threats scale and diversify, with attackers targeting npm, PyPI, VS Code Marketplace, NuGet, and Hugging Face.

For defenders, block or avoid loading Pickle/PyTorch model files from untrusted sources; require signed/verified models and provenance. Treat developer marketplaces (extensions, plugins) as untrusted inputs; enforce a CI gate that validates extension content. Harden CI/CD and registry accounts with MFA, limit token scopes, rotate secrets, and monitor for account takeover. Scan artifacts with policies that detect executable code in serialized model files. Implement continuous SBOMs and binary inspection.
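One way to implement the "detect executable code in serialized model files" policy, as an added example (not ReversingLabs' tooling): it walks the pickle opcode stream with the standard library's `pickletools` and reports imports of denylisted modules without ever unpickling the data, for both raw pickles and PyTorch-style zip archives. The denylist, the function names and the harmless constructed samples are assumptions for illustration.

```python
import io
import os
import pickle
import pickletools
import zipfile

# Assumed starter denylist; an allowlist of the modules a model legitimately
# needs (torch, numpy, collections) is the stricter policy.
DENYLIST = {"os", "posix", "nt", "subprocess", "builtins", "sys", "socket",
            "shutil", "runpy", "importlib", "pty", "ctypes"}

def imported_globals(data: bytes) -> list:
    """List 'module.name' references in a pickle stream without unpickling it."""
    found, strings = set(), []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            found.add(arg.replace(" ", ".", 1))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            # Heuristic: module and name are usually the two latest strings.
            found.add(f"{strings[-2]}.{strings[-1]}")
        elif isinstance(arg, str):
            strings.append(arg)
    return sorted(found)

def scan_model(blob: bytes) -> list:
    """Return denylisted imports in a raw pickle or a PyTorch-style zip."""
    streams = [blob]
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    hits = set()
    for stream in streams:
        for ref in imported_globals(stream):
            if ref.split(".")[0] in DENYLIST:
                hits.add(ref)
    return sorted(hits)

class _Constructed:
    """Constructed sample: its pickle imports a harmless os-level callable."""
    def __reduce__(self):
        return (os.getcwd, ())

def make_samples():
    clean = pickle.dumps({"layer1.weight": [0.1, 0.2, 0.3]})
    tainted = pickle.dumps(_Constructed())
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("model/data.pkl", tainted)
    return clean, tainted, archive.getvalue()
```

The `STACK_GLOBAL` handling is a heuristic that can miss names fetched from the pickle memo, so treat a clean result as one signal alongside provenance and signature checks.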

GitHub Desktop Repo Squatting with GPUGate Anti-Analysis

GMO Cybersecurity documented a repo-squatting and malvertising campaign using fake GitHub Desktop installers as multi-stage .NET loaders. The campaign used GPUGate anti-analysis techniques (GPU/OpenCL computation to impede sandbox detection) to deliver HijackLoader.

Attackers registered repo names and domains that mimicked official GitHub Desktop releases, then purchased search ads to direct users to malicious installers. The installers were code-signed (stolen or purchased certificates), passed initial reputation checks, and deployed payloads only after GPU/OpenCL verification confirmed the environment was a real endpoint, not a sandbox.

For defenders, only download installers from official vendor release pages and verify checksums/signatures. Block or closely monitor downloads from the listed malicious domains/IPs. Detect and alert on creation of persistence artifacts (scheduled task names like WinSvcUpd, marker files such as adm_marker.tmp, new Defender exclusions). Hunt for listed file hashes and filenames on endpoints. Use physical hardware or sandboxing that includes GPU/OpenCL support for deeper dynamic analysis. Train developers to inspect README links and prefer official release artifacts.


Symantec documented multiple Chrome extensions with undocumented capabilities: remote clipboard read/write to HTTP endpoints, cookie harvesting and exfiltration, a built-in C2 framework with DGA fallback, remote JavaScript execution in browser tabs, and ad/search hijacking.

The extensions, including Good Tab, Children Protection, DPS Websafe, and Stock Informer, had a combined user count of over 100,000. The capabilities included:

  • Clipboard exfiltration: Reading clipboard data and POSTing it to api.office123456.com and other attacker-controlled endpoints, exposing passwords, crypto wallet addresses, and sensitive copied data
  • Cookie harvesting: Exfiltrating browser cookies to enable session hijacking
  • C2 framework: A domain generation algorithm (DGA) provided fallback C2 domains if the primary infrastructure was taken down
  • Remote JS execution: Injecting and executing JavaScript in open tabs for credential theft and transaction manipulation

The research builds on earlier work around EchoLeak in Microsoft 365 Copilot, and references CVE-2020-28707 (a Stockdio WordPress plugin XSS) as an enabling component for one extension.

For defenders, immediately remove/uninstall the listed malicious extensions (Good Tab, Children Protection, DPS Websafe, Stock Informer) from affected browsers. Block or monitor outbound requests to api.office123456.com, codon.vn/ext/xmshield.json, trk.entiretrack.com, www.dpswebsafe.com, searchingpart.com, and *.live/*.json patterns at the network boundary. Harden browser configuration by restricting extension installation, reviewing extension permissions for clipboard/cookies/tab access, and enforcing enterprise extension policies (GPO/Chrome Enterprise). Update vulnerable components (Stockdio Historical Chart plugin to >= 2.8.1). Monitor for signs of session hijacking and unexpected JS execution in browser tabs.


Offensive Tooling: PeckBirdy and the LOLBins Exploitation Framework

Trend Micro documented PeckBirdy, a JScript-based framework that abuses LOLBins (mshta.exe, WScript) and multiple execution contexts (browser, MSHTA, WScript, ASP, .NET, Node) to deliver modular backdoors (HOLODONUT, MKDOOR) and loaders (NEXLOAD).

The framework is a powerhouse of evasion. It supports execution across at least six different runtime contexts, uses GPU/OpenCL (GPUGate-style techniques) to impede sandbox analysis, features backup C2 channels (HTTP, ICMP, DNS tunneling, P2P mesh), and includes over 30 plugins for credential harvesting, container escapes, and ransomware deployment.

Campaigns attributed to China-aligned threat groups (including UNC3569, Earth Baxia, TheWizard, Earth Minotaur, and Earth Lusca) targeted gambling and regional government/education sectors in Asia. Attackers used social-engineered fake Chrome update pages and exploited CVE-2020-16040 to drop payloads.

For defenders, patch Chrome to version >= 87.0.4280.88 (CVE-2020-16040 remediated). Block/monitor mshta.exe, wscript.exe, and other LOLBins where possible; apply application control (allow-listing). Hunt for and block identified C2 domains and IPs at perimeter (DNS/HTTP/Proxy) and in EDR/XDR telemetry. Add file-hash and YARA/behavior detections for listed SHA256s (PeckBirdy scripts, NEXLOAD, GRAYRABBIT) and monitor for Donut/reflective .NET execution patterns. Monitor for processes that disable AMSI/ETW or add Defender exclusions.

Trend Micro provides an embedded IOC file with domains, IPs, and SHA256s. This is red-team-level tradecraft deployed at scale, and defenders need to move beyond signature-based detection to behavioral analysis.


NIST Rethinks the NVD: What It Means for Vulnerability Management

NIST announced it is reassessing how it performs vulnerability enrichment for the National Vulnerability Database. Facing a surge in CVE submissions and resource constraints, NIST plans to prioritize enrichment work (e.g., CVEs in CISA KEV, federal software, NIST-critical software) and shift operational enrichment responsibilities to CVE Numbering Authorities (CNAs) after publishing guidance.

For defenders, this is an operational change, not a software vulnerability. Review and update internal vulnerability-intake pipelines to ingest multiple enrichment sources (NVD, CISA KEV, vendor advisories, CNA feeds). Prioritize internal asset-to-software mapping using NIST's "critical software" definitions and CISA KEV to triage detected CVEs until CNA enrichment is available. Add or maintain local enrichment (store vendor advisories, exploitability notes, mitigations) for high-risk assets where NVD enrichment may be delayed. Engage the CNAs and vendors in your environment to understand their enrichment plans and SLAs.

The shift reflects a broader reality: the CVE ecosystem is under stress, and defenders can't rely on a single source of truth. Treat vulnerability management as a multi-source data problem, and build your pipelines accordingly.


Closing Thoughts: Infrastructure as Weapon

Attackers don't simply exploit vulnerabilities. They weaponize the infrastructure we depend on. npm registries become distribution networks for self-propagating worms. AI model repositories deliver malware via serialized payloads. Browser extension stores turn into C2 platforms. And the NVD itself is being restructured under the strain of an accelerating pace of vulnerability disclosures.

The defensive playbook remains the same: verify everything, trust nothing, and assume compromise at every layer. Patch your systems, audit your supply chains, monitor your browser extensions, and prepare for the NVD to stop being a single source of truth.

And maybe take a moment to verify that your AI model isn't executing arbitrary code when you load it.

Thank you for taking this ride with me. Stay aware, stay safe.

— KryptoKat