ZeroDay Field Notes - Tradecraft, Takeovers, and the Tools That Keep Giving
Explores firmware and extension-era attack chains - from UEFI boot-service hooks to Android/Windows RATs, NFC data exfil, and supply-chain risks.
Remember that time you thought your firmware was just sitting pretty in non-volatile memory? Yeah, about that. This week's findings hit like punching Open Firmware commands into my trusty Power Mac 8500 to see what breaks. Same boot-level attack surface, same "nobody's watching this layer" complacency; just swap the Forth prompt for UEFI hooks, and the stakes get real.
And while I might enjoy geeking out over firmware forensics, the real action's in the RAT race: Android trojans tapping cards over NFC, Windows access sold by the sinkhole, and AI agents turning into credential vacuums.
Let's cut through the noise.
Offensive Gems: From UEFI Hooks to RAT Reversing
Start with a classic getting a fresh coat of analysis. An independent researcher dropped opcode-level notes on MoonBounce, the 2022 UEFI implant that's still teaching lessons in persistence. It inline-hooks EFI boot services like AllocatePool and ExitBootServices to stage shellcode, then hands off to kernel hooks in ntoskrnl.exe. Kaspersky's original Securelist post corroborates the CORE_DXE MD5, and Binarly's take adds depth to the vendor-agnostic impact. Malware Analysis Space: Revisiting MoonBounce, Kaspersky Securelist.
For red teamers, this is gold. Surviving disk swaps via SPI flash? That's the kind of stealth that turns a compromise into tenancy. Defenders, enable Secure Boot and Boot Guard, and get firmware scanners rolling. Hunt kernel hooks and monitor for unusual ExAllocatePool calls.
Switch gears to RAT tradecraft. KazakRAT, linked to APT36 (Transparent Tribe), targets Windows and Android with unencrypted HTTP C2 that's ripe for emulation or sinkholing. Ctrl-Alt-Int3l sinkholed a domain and watched victims beacon in, then PoC'd a full C2 emulator in Python. IOCs are solid: domains like server.fsocmicrsoft[.]com, IPs including 181.174.164.193, and a YARA rule for the DLL variants. Ctrl-Alt-Int3l: Attack on *stan, YARA Rule.
Operational win: emulate to intercept. Block those C2s, hunt rundll32 persistence in Run keys, and deploy the YARA for endpoint sweeps.
UAT-8099 (BadIIS operators) increased persistence by using hidden local accounts and region-specific binaries for SEO fraud. Talos dissected Windows and ELF variants, providing Snort SIDs and hashes. Cisco Talos: Dissecting UAT-8099, IOCs.
Red-blue relevant: hunt hidden accounts (e.g., admin$, mysql$), scan for BadIIS DLLs like fasthttp.dll. Egress filter those C2 domains.
MoonPeak
MoonPeak deserves attention. UAT-5394 (DPRK-linked) took XenoRAT and did what nation-states do best: made it theirs. Custom C2 infrastructure, LNK/PowerShell delivery chains, and enough refinement to separate it from stock XenoRAT detections. Talos provides IPs and hashes.
Defenders: constrain PowerShell to ConstrainedLanguage mode, enable script block logging, and alert on outbound connections to high ports. Stock XenoRAT signatures won't catch this; look for the behavioral overlap. Cybersec Sentinel: MoonPeak, Cisco Talos.
Mobile Mayhem: NFC Taps and Hugging Face Hugs
NFCShare trojan reads payment cards via ISO-DEP on Android, prompts for PINs, and exfils over WebSocket to 38.47.213.197:7068. It masquerades as Nexi/Deutsche Bank support. D3Lab and AlienVault supply hashes and the package name (com.modol.nap). D3Lab: NFCShare Trojan, OTX Pulse.
Block that WebSocket endpoint and hunt NFC exfil. Fraud teams should monitor for unusual card-not-present spikes.
Update on Hugging Face RATs: Attackers are abusing Hugging Face datasets to host Android RAT payloads with server-side polymorphism — new APKs are rebuilt and committed roughly every 15 minutes. Bitdefender counted over 6,000 commits in 29 days. Same malicious functionality every time, just enough variation to burn your hash-based IOCs before your SIEM indexes them. When Hugging Face took the repo down, the operation just moved to a new one under a different app name with the same code. C2 at 154.198.48.57:5000. Bitdefender Labs.
As my dear KryptoKat has pointed out in the past, the word in CND is behavioral detections over hashes: alert on Accessibility/overlay grants. This campaign is a textbook example of why.
Extension Ecosystem Exploits: When Your IDE Phones Home
Three separate campaigns are hitting IDE and AI extensions this week, and the pattern matters more than any single incident.
GlassWorm is back, worming through Open VSX, stealing credentials, and using the Solana blockchain for C2. It self-propagates by stealing tokens: one compromised developer seeds the next wave. Koi Security: GlassWorm Returns, BleepingComputer.
Audit extensions, rotate tokens, block Solana RPC patterns.
ClawdBot/Moltbot skills turned malicious: 14 reported, most dropping infostealers. Cross-platform, targets crypto. Snyk: Clawdbot AI Assistant.
The AI might be using those skills, but a human wrote them. The same tactics apply whether it's a sophisticated autocomplete doing the bidding or a dude on a keyboard. At least, for now.
Secure Annex found yet more VS Code extensions with AES-encrypted loaders and Solana C2. Secure Annex.
The throughline: your development environment is target-rich. Audit extensions against a known-good list. Rotate tokens aggressively and block Solana RPC patterns at the proxy, if you can. And treat extension installs like you'd treat any other third-party code execution, because that's precisely what they are.
Breaches and Backdoors: EmEditor and Beyond
EmEditor supply-chain compromise: Repackaged MSIs with PowerShell stagers, re-signed by third parties. ReversingLabs clustered artifacts; Emurasoft confirmed redirects Dec 19-22, 2025. ReversingLabs, EmEditor Notice.
Verify signatures, block C2, hunt MSI diffs. Just the same old villainy: bad installers giving you a little more software than you wanted. Find it, kill it, clean it.
NGC3181: PostgreSQL persistence via triggers and stored functions for arbitrary SQL execution. If you're running Postgres and you're not auditing trigger definitions, this is your wake-up call. Attackers don't need shell access when your database will execute code for them. RT-Solar.
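A trigger audit of the kind this item calls for, as an added example and not anything from RT-Solar's report: the catalog query is standard PostgreSQL, while the pattern list and the sample rows are my own constructed illustration.

```python
# Added example, not from RT-Solar's report: pull non-internal trigger
# definitions from the PostgreSQL catalog and flag bodies that carry
# code-execution primitives. The sample rows below are constructed.
import re

# Standard catalog query; run it with any driver and pass the rows to
# audit_trigger_rows(). Column order matters.
AUDIT_QUERY = """
SELECT n.nspname, c.relname, t.tgname, p.proname, p.prosecdef, p.prosrc
FROM pg_trigger t
JOIN pg_class c     ON c.oid = t.tgrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_proc p      ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal;
"""

# Constructs that let a trigger body run arbitrary SQL, touch server files
# or reach out over the network.
SUSPICIOUS = [
    (re.compile(r"\bEXECUTE\b", re.I), "dynamic SQL (EXECUTE)"),
    (re.compile(r"\bCOPY\b.*\bPROGRAM\b", re.I | re.S), "COPY ... PROGRAM"),
    (re.compile(r"\bpg_read_(binary_)?file\b|\bpg_ls_dir\b", re.I), "server file read"),
    (re.compile(r"\blo_(import|export)\b", re.I), "large-object file I/O"),
    (re.compile(r"\bdblink\b", re.I), "dblink outbound connection"),
]

def audit_trigger_rows(rows):
    """Return (schema.table, trigger, function, reasons) for risky triggers."""
    findings = []
    for nspname, relname, tgname, proname, prosecdef, prosrc in rows:
        reasons = [why for pat, why in SUSPICIOUS if pat.search(prosrc)]
        if prosecdef:
            reasons.append("SECURITY DEFINER function")
        if nspname in ("pg_catalog", "information_schema"):
            reasons.append("trigger on a system schema")
        if reasons:
            findings.append((f"{nspname}.{relname}", tgname, proname, reasons))
    return findings

# Constructed rows: a benign audit-log trigger, and a trigger whose function
# executes SQL read from a table at runtime under SECURITY DEFINER.
SAMPLE_ROWS = [
    ("public", "orders", "orders_audit", "log_change", False,
     "BEGIN INSERT INTO audit(tbl, ts) VALUES (TG_TABLE_NAME, now()); RETURN NEW; END;"),
    ("public", "users", "users_sync", "sync_fn", True,
     "BEGIN EXECUTE (SELECT cmd FROM tasks ORDER BY id DESC LIMIT 1); RETURN NEW; END;"),
]

if __name__ == "__main__":
    for tbl, trg, fn, why in audit_trigger_rows(SAMPLE_ROWS):
        print(f"{tbl}: trigger {trg} -> {fn}: {', '.join(why)}")
```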
Stan Ghouls (Bloody Wolf): NetSupport RAT via spearphishing PDFs, possible IoT ties. Kaspersky.
Malware Roundup: Screens, Wallets, and Exfil
Update: macOS infostealers abuse Python and Terminal lures for creds and crypto. Microsoft details TTPs. Microsoft Security.
njRAT runs MassLogger: RAT combo for credential theft, exfil via SMTP. NetRESEC.
Indian Gov APT: Golang malware (GOGITTER, GITSHELLPAD, GOSHELL) via GitHub C2. Zscaler.
ShinyHunters SaaS theft: Vishing for SaaS access and data exfiltration. Google Threat Intelligence.
IClickFix: WordPress watering-hole for PowerShell stagers to NetSupport RAT. SEKOIA TDR.
ClearFake: Blockchain (EtherHiding) for payload retrieval. Darktrace.
One more thing worth flagging: GreyNoise is tracking Citrix recon using residential proxies and version-specific targeting. I know anything Internet-facing gets scanned, but watch for the difference between spray-and-pray and deliberate reconnaissance: one box, one port, hunting for specific versions. That's pre-operational targeting, not script kiddie noise. GreyNoise Labs.
Defenders: Watch for unusually high-volume scanning; alert on blackbox_exporter UA and /logon/LogonPoint/ probes.
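One way to turn those two indicators into a detection, as an added example and not GreyNoise's code: it parses a constructed access-log format (assumed fields: source, host:port, request, status, user agent), flags the blackbox_exporter UA and /logon/LogonPoint/ paths, and separates one-host/one-port probing from broad scanning by source.

```python
# Added example, not from GreyNoise's post: flag Citrix-style probes in
# access logs and separate single-target recon from broad scanning.
# The log format and every sample line below are constructed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Indicators named in the GreyNoise write-up.
PROBE_UA = "blackbox_exporter"
PROBE_PATH_PREFIX = "/logon/LogonPoint/"

def is_probe(rec):
    return PROBE_UA in rec["ua"] or rec["path"].startswith(PROBE_PATH_PREFIX)

def classify_sources(lines, spray_hosts=3):
    """Map source IP -> 'targeted' (repeated probes at one host, one port),
    'spray' (probes across >= spray_hosts hosts) or None (too few to say)."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_probe(m.groupdict()):
            hits[m["src"]].append((m["host"], m["port"], m["path"]))
    verdict = {}
    for src, recs in hits.items():
        hosts = {h for h, _, _ in recs}
        ports = {p for _, p, _ in recs}
        if len(hosts) >= spray_hosts:
            verdict[src] = "spray"
        elif len(hosts) == 1 and len(ports) == 1 and len(recs) >= 2:
            verdict[src] = "targeted"
        else:
            verdict[src] = None
    return verdict

# Constructed log: one source walking a single gateway's LogonPoint paths,
# one sweeping several hosts with the exporter UA, one unrelated request.
SAMPLE_LOG = """\
198.51.100.7 gw.example.test:443 "GET /logon/LogonPoint/index.html HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.7 gw.example.test:443 "GET /logon/LogonPoint/receiver/js/ctxs.core.min.js HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.9 a.example.test:443 "GET / HTTP/1.1" 200 "blackbox_exporter/0.0"
203.0.113.9 b.example.test:443 "GET / HTTP/1.1" 200 "blackbox_exporter/0.0"
203.0.113.9 c.example.test:8443 "GET / HTTP/1.1" 302 "blackbox_exporter/0.0"
192.0.2.4 gw.example.test:443 "GET /vpn/index.html HTTP/1.1" 200 "curl/8.0"
"""

if __name__ == "__main__":
    for src, v in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(src, v)
```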
Vuln Watch: Nessus and DomainTools
Nessus plugins updated to address CVE-2018-25149 (Microhard IPn4G) and CVE-2026-1788 (MediaWiki). Tenable Plugins.
DomainTools Feed API in Splunk: Ingest for DGA/typosquatting detection. DomainTools Blog.
Reflection: From Boot to Botnet
MoonBounce lives in SPI flash. GlassWorm lives in your extensions. ClawdBot lives in your AI skills. The persistence layer keeps moving up the stack, and each layer gets less scrutiny than the last. That's the pattern this week — not just new malware, but new trust boundaries being crossed.
Till next time, question everything, especially your boot process.