EvilBit Threat Digest - When the Update Server is Lying to You

Threat digest on attackers abusing trusted services - from update servers to cloud mail - turning trust into a weapon and evading detection.

KryptoKat: This week felt personal. Attackers breached an antivirus vendor's update server to push malware, used AI model-hosting platforms to distribute RATs, and leveraged legitimate cloud mail services for phishing at scale. It's a masterclass in abusing trust, turning the very infrastructure designed to protect users into a weapon against them.

UncleSp1d3r, my better half, put it more bluntly: "The call is coming from inside the house. And it's using your AWS account to do it."

When your security software delivers malware, and your cloud provider sends phishing emails on your behalf, it's a stark reminder that trust is a liability until proven otherwise. From nation-state actors retooling their espionage ops to the Feds seizing another cybercrime forum, it was a busy few days.

The Breachtown train is leaving the station! All aboard…


The Ultimate Betrayal: eScan Supply Chain Compromise

There's a short list of things you're supposed to be able to trust. Your antivirus update mechanism is near the top. On 20 January 2026, the trust of some eScan Antivirus users was broken. According to a threat bulletin from Morphisec, confirmed by eScan's parent company MicroWorld, attackers breached a regional update server and pushed a trojanized update to customers.

The malicious, signed update deployed a multi-stage downloader (CONSCTLX.exe) that immediately went to work disabling the victim's ability to fix the problem. The malware tampered with eScan's registry settings, modified the local HOSTS file to block access to legitimate update servers, and established its own persistence via scheduled tasks. With automatic updates neutered, affected systems require a manual remediation package from the vendor.

This is a classic supply chain attack with severe consequences. The initial payload established a foothold and called out to C2 infrastructure (504e1a42.host.njalla.net, blackice.sol-domain.org) for further instructions. Kaspersky's analysis and an OTX pulse corroborate the IOCs and timeline. If you're running eScan, check your update logs for activity around 20 January, hunt for the file hashes and scheduled tasks, and contact the vendor for the fix. Don't assume you're protected just because your AV console says "up to date."
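One concrete hunt for the HOSTS-file tampering described above, as an added example (not from Morphisec, MicroWorld, or eScan): parse a hosts file and flag any hostname pinned to a loopback or null address, plus any hostname under a domain suffix you expect the product to reach. The sample hosts content and the `example-av.invalid` domains are constructed placeholders, not eScan's real update servers.

```python
import ipaddress
import sys

# Constructed sample of a tampered hosts file: update hostnames pinned to
# loopback/null so the product can no longer reach its update servers.
# The hostnames are placeholders, not the vendor's real infrastructure.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.invalid
0.0.0.0         download.example-av.invalid
203.0.113.10    intranet.corp.invalid
"""

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                        "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore the line
        for name in parts[1:]:
            yield parts[0], name.lower()


def find_suspicious_entries(text, watch_domains):
    """Return (hostname, address) pairs that are either sinkholed to a
    loopback/null address (excluding the usual localhost names) or that
    override a watched domain suffix, whatever address they point at."""
    hits = []
    for addr, name in parse_hosts(text):
        sinkholed = addr in SINKHOLE_ADDRS and name not in LEGIT_LOOPBACK_NAMES
        watched = any(name == d or name.endswith("." + d) for d in watch_domains)
        if sinkholed or watched:
            hits.append((name, addr))
    return hits


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts] [watched-domain ...]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for host, addr in find_suspicious_entries(text, sys.argv[2:] or ["example-av.invalid"]):
        print(f"suspicious hosts entry: {host} -> {addr}")
```

Any hit on a vendor update hostname is a reason to pull the update logs and scheduled tasks for that machine rather than trust its "up to date" status.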


When Legitimate Services Go Rogue

The eScan incident wasn't the only example of attackers weaponizing trusted platforms this week. Multiple campaigns abused legitimate cloud and AI infrastructure to evade detection.

Hugging Face Hosts Android RATs

In a move that feels inevitable, attackers are now using the AI model repository Hugging Face to host malware. Bitdefender Labs uncovered a campaign distributing an Android RAT through the platform. The malware, disguised as a security app, uses overlay attacks to steal credentials for financial apps such as Alipay and WeChat. The novel part is the delivery: the attackers hosted polymorphic payloads on Hugging Face, automatically regenerating the malware every 15 minutes to evade signature-based detection. While Hugging Face has since removed the repositories, they serve as a proof-of-concept for a new generation of malware-delivery networks.

Arsink RAT Abuses Firebase and Google Drive

Adding to the "living off the cloud" trend, Zimperium detailed the Arsink RAT. This modular Android trojan uses a constellation of legitimate services for C2 and exfiltration. Distributed via sideloaded APKs from Telegram and Discord, Arsink uses Google's Firebase Realtime Database as its primary C2, with Google Apps Script and Google Drive as exfiltration channels. This allows its traffic to blend seamlessly with legitimate app activity, making network-based detection difficult. Zimperium observed over 1,200 unique APKs and nearly 45,000 victim IPs, with a full list of IOCs on their GitHub.

AWS WorkMail Becomes a Phishing Platform

On the enterprise side, Rapid7 reported on threat actors who used a set of compromised long-term AWS credentials to build their own high-reputation phishing platform. After discovering the keys, the attackers provisioned a new AWS WorkMail organization, used SES to verify their own domains, and created mailboxes to send phishing emails at scale. This technique cleverly bypasses SES sandbox limits and, critically, generates minimal CloudTrail logs, especially for SMTP-sent messages. The lesson is clear: a single leaked AWS key can quickly become a distributed, trusted phishing operation billed to your account. Lock down WorkMail provisioning with SCPs and remove long-term access keys.
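A service control policy that implements the "lock down WorkMail provisioning" advice above, as an added example (not from Rapid7's report): it denies creating WorkMail organizations and verifying new SES sending identities across the organization, with a small local check that the document denies what you intend before you attach it. The policy is assumed to be attached at the Organizations root or an OU; if one account legitimately provisions mail, scope it with a Condition rather than leaving the gap open.

```python
import json
from fnmatch import fnmatch

# Assumed SCP for AWS Organizations: a leaked key in any member account
# can no longer stand up a WorkMail organization or register new SES
# domains/addresses to send from. Actions are real IAM action names.
DENY_MAIL_PROVISIONING_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWorkMailOrgCreation",
            "Effect": "Deny",
            "Action": ["workmail:CreateOrganization"],
            "Resource": "*",
        },
        {
            "Sid": "DenyNewSesSendingIdentities",
            "Effect": "Deny",
            "Action": [
                "ses:VerifyDomainIdentity",
                "ses:VerifyEmailIdentity",
                "ses:CreateEmailIdentity",
            ],
            "Resource": "*",
        },
    ],
}


def scp_denies(policy, action):
    """Local sanity check, not IAM's evaluator: True if any Deny statement
    matches the action. IAM action matching is case-insensitive and uses
    '*' wildcards, which fnmatch covers for patterns like 'ses:Verify*'."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch(action.lower(), pat.lower()) for pat in actions):
            return True
    return False


def scp_document():
    """Serialized policy for `aws organizations create-policy --content`."""
    return json.dumps(DENY_MAIL_PROVISIONING_SCP, indent=2)
```

Pair this with an inventory of long-term IAM access keys; the SCP limits what a leaked key can build, it does not find the key.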

Google Disrupts IPIDEA Proxy Network

In a bit of good news, Google's Threat Intelligence Group announced it had disrupted IPIDEA, one of the world's largest residential proxy networks. These networks "enroll" consumer devices, often without explicit consent, by bundling SDKs into free apps and software. The aggregated IP space is then sold to anyone who wants to hide the origin of their traffic, including hundreds of threat groups. Google's takedown, which involved domain seizures and Play Protect enforcement, provides a valuable set of vetted IOCs on VirusTotal for defenders to hunt for compromised devices being used as proxy exit nodes.


The DPRK Dossier: Chollima Evolves, MoonPeak Refined

North Korea-linked threat actors had a busy week of rebranding and retooling.

First, CrowdStrike Intelligence published a significant reclassification of the actor they track as LABYRINTH CHOLLIMA. Citing distinct missions and tooling, they've split the group into three specialized adversaries:

  • GOLDEN CHOLLIMA: Focused on cryptocurrency theft via social engineering and malicious software installers.
  • PRESSURE CHOLLIMA: Targets high-value cryptocurrency organizations with sophisticated supply-chain attacks and browser zero-days.
  • LABYRINTH CHOLLIMA (core): Continues traditional espionage operations against defense, manufacturing, and logistics sectors.

The research connects these groups to shared advanced tooling, like the FudModule rootkit, and active exploitation of browser vulnerabilities like CVE-2024-7971. This new framework helps defenders understand the specific threat posed by different DPRK-nexus campaigns.

Second, Cisco Talos provided new details on MoonPeak, a XenoRAT-derived backdoor used by the Kimsuky-adjacent cluster UAT-5394. The campaign uses weaponized LNK files that execute obfuscated PowerShell to download the final payload. Talos notes that operators have evolved the RAT to tie specific client builds to matching C2 variants, using changes in namespace, encryption, and compression to hinder analysis and reuse by other groups. The report includes a list of hardcoded C2 IPs and file hashes for hunting.


Vulnerability Spotlight: WinRAR, Fortinet, and a Telnetd Throwback

It was a rough week for unpatched appliances and utilities.

UncleSp1d3r: You can say that again. First up, another WinRAR vulnerability, because of course. Google's Threat Intelligence Group and ESET both reported active, widespread exploitation of CVE-2025-8088. It's a path-traversal flaw that allows a specially crafted RAR archive to write files to arbitrary locations, such as the Windows Startup folder. Attackers are abusing NTFS Alternate Data Streams (ADS) to sneak payloads past naive scanners, dropping LNK and DLL files that execute on the next login. Multiple state-aligned and criminal groups are already using it. The fix is in WinRAR version 7.13. Go patch. Now.

Next, Fortinet disclosed another critical authentication bypass, CVE-2026-24858, in its FortiCloud SSO feature. The flaw allows an attacker with any FortiCloud account to authenticate to other customers' devices if SSO is enabled. This lets them create new admin accounts and download configurations. Fortinet has disabled the vulnerable SSO feature globally and is pushing updates, but you should still audit your devices for any unexpected local admin accounts.

Finally, for a trip back to the 90s, a critical authentication bypass was found in the GNU Inetutils telnet daemon. CVE-2026-24061 allows a remote attacker to log in as root by sending a crafted USER environment variable. I know what you're thinking: "Who still runs telnetd?" More people than you'd hope. It's on the CISA KEV list. If you find this running on any system, the fix isn't to patch it. The fix is to rm -f /usr/sbin/telnetd and use SSH, as it's been the standard for the last 25 years.


Law & Order: Cybercrime Unit

The week wrapped up with two significant law enforcement actions disrupting the cybercrime ecosystem.

First, US authorities seized the RAMP (Russian Anonymous Marketplace) forum. The forum's clearnet and Tor domains now redirect to an FBI seizure banner. RAMP was a significant hub for ransomware-as-a-service affiliates, initial access brokers, and malware developers. While takedowns are often a game of whack-a-mole, seizing the forum's backend database could provide law enforcement with invaluable intelligence on its users.

In a related story, Raheim Hamilton, a co-creator of the defunct Empire Market, pleaded guilty to federal drug conspiracy charges. The dark-web marketplace, which operated from 2018 to 2020, facilitated over $430 million in illicit transactions. The plea agreement confirms the scale of these operations and ends a long-running investigation into one of the largest dark-web markets of its time.


Closing Thoughts

The common thread this week wasn't a specific tool or actor, but a technique: the co-opting of trust. Attackers know that if they can poison an update server, embed a payload in a "safe" AI model file, or send phishing from a legitimate AWS service, their chances of success skyrocket. It complicates our defensive models, which are often built on the principle of allowing known-good services and blocking known-bad ones. When the known-good starts serving malware, it's time to double down on zero-trust principles and behavioral detection.

Trust is earned, not given. This week, some services lost it.

-- KryptoKat & UncleSp1d3r