ZeroDay Field Notes - Shells in the Shadows: When Proxies Meet Zero-Days

Proxy malware is getting trickier, supply chains are still a dumpster fire, zero-days keep landing, loaders are mutating, and now we've got AI poisoning to worry about. Here's what's actually worth your time this week.

Alright, operators, this week was all about quiet upgrades. No headline-grabbing breaches, but a bunch of sneaky moves that could make your next op a lot more interesting. Loaders are getting smarter, supply chains are buckling under nation-state pressure, and people are getting creative with poisoning AI data. Let's break down the tools and tricks you actually need to care about.

Proxy Plays and Malware Mates

Let's start with the underworld's new favorite duo: GhostSocks, a SOCKS5 proxy malware that teams up with LummaC2 infostealers. It first popped up on Russian forums in late 2023, then hit English-speaking markets by mid-2024. The real story is how it plugs into Lumma: infected machines become backconnect proxies, so operators can breeze past geo-blocks and IP checks. That means easier credential abuse, like banking logins with no friction. It's sold as a service for $150 in Bitcoin, comes with anti-analysis tricks like cursor checks to dodge sandboxes, and uses encrypted C2 on weird ports.

If you're on offense, this is red-team gold; drop it next to your favorite stealer for easy pivots. On defense, start hunting for C2 IPs (185.246.112.40 from MISP, plus 91.142.74.28 and 195.200.28.33 from Infrawatch) and mutexes. The C2 setup uses relay nodes and expects X-Api-Key headers carrying 8-character alphanumeric strings; if you mess up the key, you get a "Forbidden: Invalid API Key" response on port 30001, which is a handy signature. EDR rules can catch the execution patterns early. Infrawatch has the full TTPs and MITRE mappings, and SpyCloud dropped extra YARA rules and persistence analysis last September. Lumma's not new, but this proxy twist makes it a lot harder to block at the network layer.
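To turn that signature into something you can actually run, here is an added example (not code from the newsletter, Infrawatch or SpyCloud) that triages egress-proxy logs for the GhostSocks indicators above: the three published C2 IPs, destination port 30001, the 8-character alphanumeric X-Api-Key header, and the "Forbidden: Invalid API Key" banner. The log format, hostnames and the non-IoC addresses are constructed for the example; the scoring rule (a known IP alone is enough, the short header is only interesting alongside the odd port) is my choice, not anything the vendors published.

```python
import re
from dataclasses import dataclass

# GhostSocks C2 indicators quoted in this issue (MISP and Infrawatch).
GHOSTSOCKS_C2_IPS = {"185.246.112.40", "91.142.74.28", "195.200.28.33"}
GHOSTSOCKS_C2_PORT = 30001
# The relay expects an 8-character alphanumeric X-Api-Key header.
API_KEY_RE = re.compile(r"X-Api-Key:\s*([A-Za-z0-9]{8})(?![A-Za-z0-9])", re.IGNORECASE)
FORBIDDEN_MSG = "Forbidden: Invalid API Key"

# Hypothetical egress-proxy log format used only for this example:
# <host> <dst_ip>:<dst_port> REQ "<request line and headers>" RESP "<status or body>"
LINE_RE = re.compile(r'^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) REQ "([^"]*)" RESP "([^"]*)"$')


@dataclass
class Alert:
    host: str
    dst: str
    reasons: tuple


def classify(dst_ip, dst_port, request, response):
    """Return the tuple of GhostSocks indicators matched by one connection."""
    reasons = []
    if dst_ip in GHOSTSOCKS_C2_IPS:
        reasons.append("known_c2_ip")
    if dst_port == GHOSTSOCKS_C2_PORT:
        reasons.append("c2_port")
    if API_KEY_RE.search(request):
        reasons.append("api_key_header")
    if FORBIDDEN_MSG in response:
        reasons.append("forbidden_response")
    return tuple(reasons)


def is_suspicious(reasons):
    # A published C2 IP is enough on its own. The 8-char header alone is weak
    # (plenty of legitimate APIs use short keys), so it, or the "Forbidden"
    # banner, must co-occur with the unusual port before we raise an alert.
    return "known_c2_ip" in reasons or ("c2_port" in reasons and len(reasons) >= 2)


def hunt_ghostsocks(log_text):
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ip, port, req, resp = m.groups()
        reasons = classify(ip, int(port), req, resp)
        if is_suspicious(reasons):
            alerts.append(Alert(host, f"{ip}:{port}", reasons))
    return alerts


# Constructed sample: ws-17 hits a published IP, ws-05 only shows the port
# plus the rejection banner, ws-09 has an 8-char key on a normal port.
SAMPLE_LOG = """\
ws-17 185.246.112.40:30001 REQ "POST /init HTTP/1.1 X-Api-Key: a8Zk3Qp1" RESP "200 OK"
ws-22 203.0.113.9:443 REQ "GET / HTTP/1.1" RESP "200 OK"
ws-05 198.51.100.77:30001 REQ "POST /init HTTP/1.1 X-Api-Key: zz" RESP "Forbidden: Invalid API Key"
ws-09 198.51.100.88:8080 REQ "GET /api HTTP/1.1 X-Api-Key: Ab12Cd34" RESP "200 OK"
"""

if __name__ == "__main__":
    for a in hunt_ghostsocks(SAMPLE_LOG):
        print(a.host, a.dst, ",".join(a.reasons))
```

The ws-05 case is the interesting one: no published IP, but a relay on 30001 rejecting a bad key is exactly the banner the newsletter calls a signature, so it surfaces even before the IP list is updated.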

Blue team update: self-spreading SSH worms are back. DShield sensors spotted one hammering IoT boxes like Raspberry Pis with credential stuffing, then using ZMap and sshpass to move sideways. It sets up encrypted IRC C2 and proxies, and signs its payloads to slip past basic scans. We've talked SSH risks before, but this one is fast: four seconds from infection to botnet. MITRE hits include T1110 (brute force) and T1570 (lateral tool transfer). Bottom line: lock down your SSH keys or you're just free infrastructure. CyberPress and SANS have hunt queries if you want to dig deeper.
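Four seconds from first guess to enrolled bot means daily log review won't catch this; you need something watching sshd in near real time. Here is an added example (my code, not the DShield or SANS hunt queries) of a sliding-window detector for the T1110 half of the chain: it raises a finding when one source piles up failed logins inside a short window, and a second, louder finding if that same source then authenticates successfully, which is the "the stuffing worked" moment. The log lines are constructed samples in the RFC 3339 style rsyslog can emit; threshold and window are assumptions you should tune to your sensor's noise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd auth lines with RFC 3339 timestamps (constructed samples below).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_ssh_bursts(log_text, threshold=5, window_s=10):
    """Sliding-window credential-stuffing detector keyed on source IP.

    Emits a 'burst' finding the first time a source reaches `threshold`
    failures inside `window_s` seconds, and a 'success_after_burst' finding
    if that source then authenticates within the window (the worm got in).
    """
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)   # src -> recent failure timestamps
    burst_at = {}                   # src -> time the burst was first seen
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src = m["src"]
        q = failures[src]
        while q and ts - q[0] > window:     # forget failures older than the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in burst_at:
                burst_at[src] = ts
                findings[src].append(f"burst:{len(q)}_failures_in_{window_s}s")
        elif src in burst_at and ts - burst_at[src] <= window:
            findings[src].append(f"success_after_burst:{m['user']}")
    return dict(findings)


# Constructed sample: one stuffing run on a Pi that succeeds on the sixth try,
# one slow fat-fingered user, and one clean key-based login.
SAMPLE_LOG = """\
2026-02-10T03:10:00Z pi sshd[790]: Failed password for pi from 203.0.113.5 port 40001 ssh2
2026-02-10T03:14:01Z pi sshd[812]: Failed password for pi from 198.51.100.23 port 51234 ssh2
2026-02-10T03:14:02Z pi sshd[813]: Failed password for invalid user admin from 198.51.100.23 port 51235 ssh2
2026-02-10T03:14:02Z pi sshd[814]: Failed password for root from 198.51.100.23 port 51236 ssh2
2026-02-10T03:14:03Z pi sshd[815]: Failed password for pi from 198.51.100.23 port 51237 ssh2
2026-02-10T03:14:03Z pi sshd[816]: Failed password for pi from 198.51.100.23 port 51238 ssh2
2026-02-10T03:14:04Z pi sshd[817]: Accepted password for pi from 198.51.100.23 port 51239 ssh2
2026-02-10T03:20:00Z pi sshd[830]: Failed password for pi from 203.0.113.5 port 40002 ssh2
2026-02-10T03:21:00Z pi sshd[831]: Accepted publickey for admin from 203.0.113.8 port 40100 ssh2
"""

if __name__ == "__main__":
    for src, hits in detect_ssh_bursts(SAMPLE_LOG).items():
        print(src, hits)
```

Note that the detector keys on the source, not the username: the worm rotates accounts (pi, root, admin) across one connection burst, so per-user counters would never reach the threshold. Key-only authentication makes the whole class of finding moot, which is the newsletter's actual advice.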

Supply Chain Sabotage and Zero-Day Shenanigans

Nothing says "high-value target access" like hijacking a dev tool's update infrastructure. Lotus Blossom (PRC-linked APT, also tracked as Billbug, Raspberry Typhoon, Spring Dragon) compromised the shared hosting provider behind Notepad++ from June to December 2025, selectively dropping Chrysalis backdoors and Cobalt Strike beacons via the WinGUp updater. They didn't intercept traffic in transit; they owned the hosting environment itself, giving them server-side control to redirect update requests for specific targets. The victims were primarily sysadmins and engineers in gov, telecom, and critical infra, initially focused on Southeast Asia, but Unit 42 confirmed broader targeting across the US and Europe. Rapid7 published the first Chrysalis analysis and Lotus Blossom attribution; Kaspersky provided independent target telemetry. CVE-2025-15556 (WinGUp verification bypass, CVSS 7.7) and CVE-2026-25926 (Unsafe Search Path, CVSS 7.3) are the tracked flaws. Hunt the Global\Jdhfv_1.0.1 mutex.

Patch to v8.9.1 or later, now. The bug's fixed, but the way they pulled this off, compromising hosting to hijack updates and sideloading DLLs with real Bitdefender files, is a playbook purple teams should study. Rapid7's Chrysalis writeup is the go-to for technical details, and Unit 42's report has more on who got hit and XQL queries for Cortex users. We've seen supply chain hits before, but this kind of precision targeting is next-level.

Dell RecoverPoint for VMs just took a direct hit with a CVSS 10.0 zero-day (CVE-2026-22769). Hardcoded creds in Tomcat Manager mean root access for anyone who knows where to look, and UNC6201 (PRC-linked, overlaps with UNC5221/Silk Typhoon) has been exploiting this since mid-2024. They drop SLAYSTYLE web shells through the /manager/text/deploy endpoint, then set up BRICKSTORM and GRIMBOLT for persistence. The move into VMware vCenter/ESXi uses 'Ghost NICs', temporary virtual interfaces that get wiped to hide tracks, and iptables SPA. GRIMBOLT is a C# backdoor compiled AOT and packed with UPX, so there's no CIL metadata and static analysis gets messy. Mandiant saw BRICKSTORM getting swapped for GRIMBOLT starting September 2025. Patch to 6.0.3.1 HF1, and use the YARA rules from Google Cloud's blog to hunt. CISA put this in KEV. This is the next step up from old VMware exploits: custom malware built to slip past EDR on appliances.

Loaders, Stealers, and AI Poison

Shifting to loaders: OysterLoader (aka Broomstick/CleanUp) powers Rhysida ransomware operations via API flooding for evasion, custom hashing, and steganographic payloads hidden in images, encrypted with RC4 and a hardcoded key. Sekoia's unpack shows a four-stage chain: the TextShell packer loads obfuscated shellcode into memory, a custom LZMA decompressor extracts the next stage, an intermediate downloader handles environment checks and C2 comms, and the core DLL payload drops to AppData and persists via scheduled tasks that fire every 13 minutes. Perfect for red teams dodging EDR. Rhysida ties (and possible WIZARD SPIDER ecosystem overlap) make it relevant; hunt C2 like grandideapay[.]com and the /api/v2/init endpoint pattern. Sekoia's report has the full breakdown, and it's heavy on MITRE T1027 (obfuscation).

DigitStealer's macOS infostealer just got a backend upgrade. Operator habits exposed a cluster of 8 IPs and over 20 domains, all sitting in a Swedish ASN with Njalla nameservers and Tucows registrations. It goes after 18 crypto wallets, Ledger Live, browser data, and Keychain on M2 Macs, using JXA/osascript for execution, 10-second C2 polling, and crypto challenge/response for sessions. We've called out DigitStealer before, but now you can block the whole cluster and get ahead of their campaigns. Cyber and Ramen are tracking this new setup.
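Both of the last two families give you a timing tell: OysterLoader's scheduled task fires every 13 minutes, DigitStealer polls C2 every 10 seconds. Domains and IPs rotate, but a clockwork inter-arrival pattern survives infrastructure changes, so here is an added example (mine, not Sekoia's or Cyber and Ramen's tooling) of a beaconing detector that groups outbound connections by (host, destination), computes the gaps between them, and flags pairs whose gaps have a low coefficient of variation. The records are constructed; the 13-minute series reuses the grandideapay[.]com C2 named above as its label, the 10-second series uses a placeholder TEST-NET address, and the `min_connections` and `max_cv` cut-offs are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def find_periodic_beacons(records, min_connections=6, max_cv=0.1):
    """Flag (host, dst) pairs whose connection gaps are suspiciously regular.

    records: iterable of (iso_timestamp, host, dst). A pair is reported when it
    has at least `min_connections` connections and the population standard
    deviation of its inter-arrival gaps, divided by the median gap, is <= max_cv.
    """
    by_pair = defaultdict(list)
    for ts, host, dst in records:
        by_pair[(host, dst)].append(datetime.fromisoformat(ts))
    results = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if med <= 0:                       # duplicate timestamps, nothing to measure
            continue
        cv = statistics.pstdev(gaps) / med  # jitter relative to the period
        if cv <= max_cv:
            results[pair] = {"median_interval_s": med, "cv": round(cv, 3), "n": len(times)}
    return results


def _series(host, dst, start, gaps):
    """Build constructed connection records from a start time and a list of gaps."""
    t = datetime.fromisoformat(start)
    out = [(t.isoformat(), host, dst)]
    for g in gaps:
        t += timedelta(seconds=g)
        out.append((t.isoformat(), host, dst))
    return out


# Constructed sample traffic: a 13-minute task with a few seconds of jitter,
# a 10-second poller, and a user browsing a news site at irregular intervals.
SAMPLE_RECORDS = (
    _series("ws-17", "grandideapay[.]com", "2026-02-10T03:00:00",
            [782, 778, 781, 776, 780, 783, 779])
    + _series("mbp-04", "198.51.100.50", "2026-02-10T03:00:00",
              [10, 10, 10, 11, 10, 9, 10])
    + _series("ws-22", "203.0.113.9", "2026-02-10T03:00:00",
              [3, 400, 12, 1800, 60, 5])
)

if __name__ == "__main__":
    for (host, dst), info in find_periodic_beacons(SAMPLE_RECORDS).items():
        print(host, dst, info)
```

Two practical caveats: a 13-minute period needs well over an hour of flow data before six connections exist, so run this over a day of proxy or DNS logs rather than a live window; and legitimate software updaters beacon too, so treat the output as a ranked list for an analyst, with known-good destinations allow-listed.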

Poison Fountain's anti-AI push is ramping up, now feeding 2GB a day of poisoned data to web crawlers through reverse proxies on real domains. You can join in with plug-and-play Apache or Nginx configs, and the goal is to hit 1TB a day by December. No CVE, but T1195 (supply chain) fits. It dodges filters and could force LLMs to retrain. Forbes and Microsoft both covered the evasion tricks.

Exploit Chains and Tooling Tidbits

Ivanti EPMM is getting hit with 'sleeper shells' via CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8). Persistent backdoors are being dropped from a bulletproof IP (193.24.123.42, AS200593 PROSPERO OOO, Saint Petersburg) that's also going after Oracle and GLPI. GreyNoise tracked the attacks using OAST and dig command injection on the /mifs/c/appstore/fob/ path. To fix, apply the correct RPM hotfix for your version (12.x.0.x or 12.x.1.x), but remember that these patches don't stick after upgrades, so you'll need to reapply them every time. The real fix is coming with EPMM 12.8.0.0, but it's not out yet. If you think you're compromised, spin up a new instance and migrate; don't bother cleaning. GreyNoise also flagged mismatched public IOCs. We've seen Ivanti get hit before, but this time it's all about single IPs running multi-vuln exploits.
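The Dell RecoverPoint and Ivanti EPMM stories above share one defensive move: both leave their first footprint in the appliance's HTTP access log, at a path the newsletter names. Here is one added example (my code, not Mandiant's or GreyNoise's) that hunts both in a single pass over combined-format access logs: PUT/POST requests to the Tomcat Manager text interface at /manager/text/deploy, which is where the SLAYSTYLE shells are deployed, and requests under /mifs/c/appstore/fob/ whose URL-decoded target carries shell metacharacters or a dig invocation, which is the OAST command-injection pattern GreyNoise described. It also tags the published bulletproof source 193.24.123.42. The log lines, the other addresses and the probe hostname are constructed for the example.

```python
import re
from urllib.parse import unquote

# Source named in this issue as the bulletproof host behind the Ivanti sleeper shells.
KNOWN_ATTACKER_IPS = {"193.24.123.42"}
TOMCAT_DEPLOY = "/manager/text/deploy"
EPMM_FOB_PATH = "/mifs/c/appstore/fob/"
SHELL_METACHARS = (";", "|", "`", "$(", "&&")

# Combined-log-style request extraction (constructed sample lines below).
REQ_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify_request(ip, method, target):
    """Return the tuple of findings for one access-log request."""
    reasons = []
    path = target.split("?", 1)[0].lower()
    decoded = unquote(target)          # look through %XX encoding before matching
    if ip in KNOWN_ATTACKER_IPS:
        reasons.append("known_attacker_ip")
    # Tomcat Manager text interface: deploying an archive here is how a web
    # shell lands, so every PUT/POST to it deserves a human look.
    if path.startswith(TOMCAT_DEPLOY) and method in ("PUT", "POST"):
        reasons.append("tomcat_manager_deploy")
    # Ivanti EPMM: metacharacters or a dig call under the fob path match the
    # OAST-style command injection seen in the wild.
    if path.startswith(EPMM_FOB_PATH) and (
        any(c in decoded for c in SHELL_METACHARS) or "dig " in decoded
    ):
        reasons.append("epmm_command_injection")
    return tuple(reasons)


def hunt_web_access(log_text):
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["ip"], m["method"], m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


# Constructed sample: a deploy through the Manager text API, a harmless GET to
# the Manager HTML UI, an encoded injection probe from the published IP, a
# normal fob request, and unrelated traffic.
SAMPLE_ACCESS_LOG = """\
198.51.100.12 - - [10/Feb/2026:03:00:01 +0000] "PUT /manager/text/deploy?path=/x&update=true HTTP/1.1" 200 1234
10.0.0.5 - - [10/Feb/2026:03:00:05 +0000] "GET /manager/html HTTP/1.1" 401 0
193.24.123.42 - - [10/Feb/2026:03:01:10 +0000] "GET /mifs/c/appstore/fob/%3Bdig%20probe.oast.example HTTP/1.1" 200 88
203.0.113.7 - - [10/Feb/2026:03:02:00 +0000] "GET /mifs/c/appstore/fob/app.html HTTP/1.1" 200 512
192.0.2.9 - - [10/Feb/2026:03:02:30 +0000] "POST /api/login HTTP/1.1" 200 77
"""

if __name__ == "__main__":
    for ip, target, reasons in hunt_web_access(SAMPLE_ACCESS_LOG):
        print(ip, target, ",".join(reasons))
```

Decoding before matching matters: the metacharacters in the EPMM probe only appear after `%3B` is turned back into `;`. On the Dell side, remember the hardcoded Tomcat credentials mean a 200 on the deploy endpoint is not proof of a legitimate admin, so don't filter on status.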

Monero miners are abusing WinRing0.sys (CVE-2020-14979) for BYOVD escalation, dropping fake binaries to stick around. Trellix found 22 MITRE techniques in play; look for high CPU and Kryptex pool traffic. Trellix's write-up goes deep on the whole chain.

Threat Loom is a new open-source AI tool that pulls in threat feeds, LLM summaries, and MITRE mappings. It's Docker-ready, so you can drop it into your intel dashboard. Still early days, but purple teams should check it out. Code's up on GitHub.

Wrapping Up: The Slow Burn

This week feels like the calm before the storm: proxies making ops stealthier, zero-days hitting core infrastructure, and AI sabotage that could mess with model reliability for a long time. As always, whoever adapts fastest wins. Stay sharp.

~ UncleSp1d3r