EvilBit Threat Digest - Proxies, Poisoned Installers, and the Taxman's PDF
Your midweek security digest covers deceptive traffic origins, malicious installers, and trusted delivery channels that threaten credentials and endpoints.
There's a special kind of modern dread that kicks off with "Why's our employee login coming from Myanmar?" and wraps up with "Oh. Because we took an IP address at face value."
Then there's the other dread: "Why does this totally normal installer have thoughts about PowerShell?" Spoiler: it's not really an installer. It's a delivery vehicle dressed up in a tie.
This week: traffic origin lies (and they're convincing), phishing gets patient (and registry-shaped), and the "trusted platform" bingo card keeps getting filled.
Traffic Origin is a Story (Not a Coordinate)
Silent Push shared a handy combo: traffic origin analysis and residential proxy intel to expose a sketchy Chinese VPN service ("LVCHA VPN") and its proxy setup (especially Asocks). The kicker? If your fraud controls still think geolocation equals truth, you're basically playing chess with a Magic 8-Ball.
Silent Push Traffic Origin Data Combined with Residential Proxy Data Uncovers Suspicious Chinese VPN
The main point isn't just to "block China" (nice job, you've cut off half the internet's supply chain). It's about building ways to tell real residential users apart from rented residential exit nodes. That takes layered signals: ASN and hosting patterns, proxy reputation feeds, login velocity, impossible travel, device posture, and per-user behavior baselines. Why? Because threat actors aren't just showing up from obviously hostile ranges anymore; they're renting the residential address space your controls were built to trust.
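A worked illustration of that layering, added here and not part of the Silent Push report or its tooling: a small Python scorer that combines a residential-proxy feed, ASN category, impossible travel, login velocity, device posture and a per-user country baseline into one risk score, so that no single signal (least of all geolocation) decides on its own. The feed entries, ASN table, weights, thresholds and sign-in events are constructed sample data, and the suspicious login deliberately arrives from a residential ASN to show why ASN-only logic misses it.

```python
"""Risk-score logins by combining origin signals instead of trusting geolocation.

Added example, not part of the original post or of Silent Push's tooling.
The proxy feed, ASN table, weights and login events below are constructed;
a real deployment would pull them from a threat-intel feed, an ASN database
and the identity provider's sign-in log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

# Constructed intel: IPs a residential-proxy feed has tagged as rented exits (TEST-NET ranges).
RESIDENTIAL_PROXY_EXITS = {"203.0.113.77"}

# Constructed ASN metadata: asn -> (owner, category).
ASN_INFO = {
    64500: ("ExampleTel Broadband", "residential"),
    64501: ("ExampleCloud Hosting", "hosting"),
    64502: ("ExampleMobile Carrier", "mobile"),
}

MAX_PLAUSIBLE_SPEED_KMH = 900.0     # faster than an airliner => impossible travel
VELOCITY_WINDOW = timedelta(hours=1)
BLOCK_THRESHOLD = 60                # illustrative cut-off, not a tuned value


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    asn: int
    lat: float
    lon: float
    country: str
    device_known: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def score_login(current: Login, history: List[Login]) -> Dict[str, object]:
    """Return a risk score, a block decision and the signals that fired.

    `history` holds the same user's earlier logins, oldest first. Each signal
    adds an illustrative weight; the weights are assumptions, not tuned values.
    """
    reasons: Dict[str, int] = {}
    # 1. Proxy reputation: the IP is known to a feed as a rented residential exit.
    if current.ip in RESIDENTIAL_PROXY_EXITS:
        reasons["residential_proxy_exit"] = 40
    # 2. ASN category: hosting/VPS or unknown ranges rarely carry real employee logins.
    _, category = ASN_INFO.get(current.asn, ("unknown", "unknown"))
    if category in ("hosting", "unknown"):
        reasons["non_residential_asn"] = 25
    # 3. Device posture: an unenrolled device is a weak signal alone, strong combined.
    if not current.device_known:
        reasons["unknown_device"] = 15
    if history:
        prev = history[-1]
        # 4. Impossible travel: distance from the previous login divided by elapsed time.
        hours = (current.ts - prev.ts).total_seconds() / 3600
        if hours > 0:
            speed = haversine_km(prev.lat, prev.lon, current.lat, current.lon) / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                reasons["impossible_travel"] = 30
        # 5. Velocity: three or more countries inside the window is not a commute.
        recent = [l for l in history if current.ts - l.ts <= VELOCITY_WINDOW] + [current]
        if len({l.country for l in recent}) >= 3:
            reasons["country_velocity"] = 20
        # 6. Behaviour baseline: first time this user has ever appeared from this country.
        if current.country not in {l.country for l in history}:
            reasons["new_country"] = 10
    score = min(100, sum(reasons.values()))
    return {"score": score, "block": score >= BLOCK_THRESHOLD, "reasons": reasons}


# Constructed sign-in events for one user; coordinates are approximate city centres.
BERLIN = (52.52, 13.41)
YANGON = (16.87, 96.20)
HISTORY = [Login("alice", datetime(2025, 3, 10, 9, 0), "198.51.100.10", 64500, *BERLIN, "DE", True)]
# Twenty minutes later, from a residential ASN (so ASN-only logic passes it), a rented exit in Myanmar.
SUSPICIOUS = Login("alice", datetime(2025, 3, 10, 9, 20), "203.0.113.77", 64500, *YANGON, "MM", False)
BENIGN = Login("alice", datetime(2025, 3, 10, 17, 30), "198.51.100.10", 64500, *BERLIN, "DE", True)


def demo() -> Dict[str, Dict[str, object]]:
    """Score the rented-exit login and a normal one against the same history."""
    return {"suspicious": score_login(SUSPICIOUS, HISTORY), "benign": score_login(BENIGN, HISTORY)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The suspicious login scores on four independent signals (proxy feed, impossible travel, unknown device, new country) even though its ASN is residential, which is the point: geolocation and ASN are hints you weigh, not a verdict you trust.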
Silver Fox's Tax Season: Slow Beacons, Sticky Persistence
CloudSEK's report on Silver Fox targeting India really makes you rethink blaming users for clicking on things. Instead, we should look at ourselves for creating systems that still make clicking a solid business model. The lures are all about taxes, the execution is staged, and the payload (Valley RAT) focuses on staying power instead of flashy tricks.
Silver Fox Targeting India Using Tax-Themed Phishing Lures
What's really concerning here is the tempo. CloudSEK points out delayed C2 communication with retry and fallback behavior: your IR team handles the obvious artifacts, and the RAT just… hangs around until its next check-in. Mix that with multi-tier infrastructure, and you've got a campaign that's less "smash and grab" and more "move in, change the locks, pay the utilities."
Pay attention to the persistence notes: registry abuse (suspicious executable blobs stored in values, and value types that don't belong where they're found), plus tradecraft that prefers to live in memory. When you spot patterns like memory being allocated with execute permissions followed by thread creation in common processes (explorer.exe gets mentioned), you're not dealing with a script kiddie; you're facing someone who plans to stick around after your first sweep.
Defender framing: remember to hunt for mechanics, not just brand names. The brand is "Valley RAT." The mechanics include unusual registry persistence, staged loaders, signed-binary proxy execution patterns, and patient outbound behavior that only seems odd if you're tracking time. If your detections assume malware is in a hurry, this campaign will definitely teach them some manners.
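To make "hunt for mechanics, not brand names" concrete, here is an added example (not CloudSEK's code and not a vendor rule set) with three small detectors over constructed endpoint telemetry: executable blobs or out-of-place value types in registry autorun keys, an executable memory allocation in another process followed by a remote thread there, and outbound connections that recur at long but suspiciously regular intervals. The event schema, the API names matched, the thresholds and the sample events are all assumptions made for the illustration; map them onto whatever your EDR or Sysmon pipeline actually emits.

```python
"""Hunt for mechanics rather than brand names: three detectors over constructed
endpoint telemetry (registry values, API-call events, outbound connections).

Added example; the event format, API names, thresholds and sample data are
assumptions, not CloudSEK's or any vendor's schema.
"""
import base64
import binascii
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
STRING_TYPES = ("REG_SZ", "REG_EXPAND_SZ")
ALLOC_APIS = ("VirtualAllocEx", "NtAllocateVirtualMemory")
THREAD_APIS = ("CreateRemoteThread", "NtCreateThreadEx")


def looks_like_pe(data) -> bool:
    """True if a registry value holds a PE image, raw bytes or base64-encoded text."""
    if isinstance(data, bytes):
        return data[:2] == b"MZ"
    if isinstance(data, str) and len(data) >= 8:
        try:  # decode only the first 8 chars: enough to see the MZ header
            return base64.b64decode(data[:8], validate=True)[:2] == b"MZ"
        except (binascii.Error, ValueError):
            return False
    return False


def hunt_registry(events):
    """Flag executable blobs anywhere, and non-string values under autorun keys."""
    hits = []
    for e in (x for x in events if x["kind"] == "registry"):
        under_run = any(k in e["key"] for k in RUN_KEYS)
        if looks_like_pe(e["data"]):
            hits.append(("pe_blob_in_registry", e["key"], e["name"]))
        elif under_run and e["type"] not in STRING_TYPES:
            hits.append(("odd_value_type_in_run_key", e["key"], e["name"]))
    return hits


def hunt_inject_sequence(events, window=timedelta(seconds=30)):
    """Flag (source, target) pairs where an executable allocation in a remote
    process is followed, within `window`, by a thread created in that process."""
    allocs = {}  # (source pid, target pid) -> timestamp of the executable allocation
    hits = []
    for e in sorted((x for x in events if x["kind"] == "api"), key=lambda x: x["ts"]):
        key = (e["pid"], e["target_pid"])
        if e["api"] in ALLOC_APIS and "EXECUTE" in e.get("protect", ""):
            allocs[key] = e["ts"]
        elif e["api"] in THREAD_APIS and key in allocs and e["ts"] - allocs.pop(key) <= window:
            hits.append((e["image"], e["target_image"]))
    return hits


def hunt_slow_beacons(events, min_samples=4, min_period=timedelta(minutes=10), max_cv=0.15):
    """Flag destinations contacted at long, regular intervals: a low coefficient
    of variation on the gaps is the tell, regardless of how long the gaps are."""
    by_dst = defaultdict(list)
    for e in (x for x in events if x["kind"] == "netconn"):
        by_dst[(e["host"], e["dst"])].append(e["ts"])
    hits = []
    for (host, dst), times in by_dst.items():
        times.sort()
        if len(times) < min_samples:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if mean >= min_period.total_seconds() and cv <= max_cv:
            hits.append((host, dst, round(mean / 60), round(cv, 3)))
    return hits


def run_hunt(events):
    return {"registry": hunt_registry(events), "injection": hunt_inject_sequence(events),
            "beacons": hunt_slow_beacons(events)}


# Constructed sample telemetry (TEST-NET addresses, fictional hosts and paths).
T0 = datetime(2025, 3, 10, 9, 0, 0)
RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
PE_B64 = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24).decode()
SAMPLE_EVENTS = [
    {"kind": "registry", "key": RUN, "name": "OneDrive", "type": "REG_SZ",
     "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"kind": "registry", "key": RUN, "name": "Updater", "type": "REG_BINARY", "data": b"\x00\x01\x02" * 16},
    {"kind": "registry", "key": "HKCU\\Software\\ExampleApp", "name": "cfg", "type": "REG_SZ", "data": PE_B64},
    {"kind": "api", "ts": T0, "pid": 4120, "image": "rundll32.exe", "api": "VirtualAllocEx",
     "target_pid": 1880, "target_image": "explorer.exe", "protect": "PAGE_EXECUTE_READWRITE"},
    {"kind": "api", "ts": T0 + timedelta(seconds=3), "pid": 4120, "image": "rundll32.exe",
     "api": "CreateRemoteThread", "target_pid": 1880, "target_image": "explorer.exe"},
]
# Patient beacon: roughly every 47 minutes with a few seconds of jitter.
SAMPLE_EVENTS += [{"kind": "netconn", "ts": T0 + timedelta(minutes=47 * i, seconds=(i * 7) % 20),
                   "host": "WS01", "dst": "203.0.113.50:443"} for i in range(6)]
# Chatty, irregular traffic from a normal web app: should not be flagged.
SAMPLE_EVENTS += [{"kind": "netconn", "ts": T0 + timedelta(seconds=s), "host": "WS01",
                   "dst": "198.51.100.5:443"} for s in (0, 4, 9, 40, 41, 300, 305, 900)]

if __name__ == "__main__":
    for name, hits in run_hunt(SAMPLE_EVENTS).items():
        print(name, hits)
```

None of the three detectors knows the name "Valley RAT"; they key on a blob that starts with an MZ header, a binary value sitting where a path string belongs, an execute-permission allocation paired with a remote thread, and a check-in cadence that is too regular to be a human. The beacon detector is the one that only works if you keep time: a single 47-minute gap is nothing, five of them in a row within a few seconds of each other is a schedule.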
Updates: "Trusted" Delivery Channels Keep Shipping Trouble
EmEditor supply chain: more breadcrumbs, same genre
Since we last chatted about the EmEditor installer issue, Stormshield has shared more details from their investigation and updated indicators. They're highlighting that the bad guys are still active. Supply chain incidents don't just end when the first blog post goes up; they wrap up when the last compromised redirect, mirror, or lookalike domain gets shut down.
Investigation into the EmEditor Supply Chain attack
If you own software integrity: (1) verify where an installer actually came from, meaning the download host and any redirects in the chain, plus its publisher signature and hash against the vendor's published values, not just the filename; and (2) treat "we cleaned it" as a hypothesis until the telemetry agrees.
Bing Ads → Azure-hosted tech support scams: the cloud as camouflage (again)
Since our last issue, Netskope has highlighted more shady Bing ads that send users to Microsoft-style tech support scams hosted on Azure Blob Storage. It's not a complex scheme; it's super smooth. Ads spread the word, Azure gives it a trustworthy vibe, and victims end up handing over cash and access because the page looks like Microsoft and loads fast.
Malicious Bing Ads Lead to Widespread Azure Tech Support Scams
This isn't just "consumer nonsense." For the enterprise, it's a reminder that browser trust signals and "big cloud hostname" reputation can be turned into a believable pretext, especially once the scam moves the user into a phone-call workflow where your web filters no longer see anything.
Encrypted Chats Don't Survive a Compromised Endpoint
Hudson Rock's piece is pretty grim, but it drives home a clear security lesson: encryption keeps your data safe while it's moving and when it's stored, but it won't save you from "the attacker sitting at your keyboard wearing your socks." They explain how an infostealer infection on one machine revealed an ISIS cell's XMPP chats and operational info, highlighting how compromising endpoints can wreck OPSEC, even if the messaging protocol claims to have strong encryption.
Killings, Torturing, and Smuggling: How an Infostealer Exposed an ISIS Cell's XMPP Network
For defenders, let's get real: infostealers aren't just after passwords anymore; they're after everything. They grab session tokens, chat logs, autofill data, saved credentials, clipboard history, and screenshots. It's like a vacuum cleaner on a mission. If you want one solid tip: handle infostealer containment like it's a full-blown identity crisis, not just a malware cleanup. Credentials, tokens, and authenticated sessions are where the real damage happens.
Retail Fraud at Industrial Scale: 2,000+ Fake Stores
CloudSEK found over 2,000 fake holiday-themed e-commerce sites impersonating major brands. These sites pop up during peak shopping times like Black Friday and festive sales, and they're designed to steal payment info and identities. Sure, it's about consumers, but it also ties into brand protection, phishing defense, and the fact that employees shop on work devices more than policy makers like to admit.
CloudSEK Detects Over 2,000 Holiday-Themed Fake Stores Exploiting Black Friday and Festive Sales
Just a heads-up: this was originally dated late 2025, but the technique is still relevant; domain impersonation kits and "urgency UX" (like countdown timers and fake purchase popups) are pretty much timeless. If you're running user awareness, consider this your early seasonal reminder that "too good to be true" is a go-to trick for threat actors.
Closing: Verify the "Where," the "What," and the "Who"
This week's theme is all about authentication, but not the kind your SSO vendor pushes. Traffic origin can be faked. Installers can fib. Encrypted chats can reveal everything if the endpoint's compromised. The usual mistake is treating one signal as proof.
So, pick three things to stick to: verify software origin, think of identity as something alive (including tokens and sessions), and treat "location" as a hint, not a final answer.
Until Sunday, keep your logs handy and your assumptions in check!
~ KryptoKat