EvilBit Threat Digest - AI Honeypots, Fileless Rats, and a Very Busy January Recap

Weekly security recap on AI-driven deception, BYOVD, steganography, and crypto-enabled infostealers shaping last month's threats.

It's Sunday. The coffee's strong. The inbox is stronger.

This week felt less like "new zero-days" and more like adversaries refining their craft: cleaner loaders, better crypto, deeper social engineering, and (because irony is undefeated) AI fighting AI.


When the Bots Start Reconning Each Other

Cisco Talos dropped a thoughtful piece on using AI defensively, not for triage or ticket summaries, but as deception infrastructure in its own right: synthetic personas, AI-powered honeypots, and controlled disinformation loops aimed at adversary AI tooling (Using AI to defeat AI).

The premise is simple and slightly delicious. If attackers are using LLM-driven reconnaissance to scrape org charts, draft phishing emails, or engage in pretext social engineering, defenders can seed the terrain with AI-generated employees and believable-but-fake digital exhaust.

Think:

  • Convincing LinkedIn profiles
  • Synthetic GitHub activity
  • Email aliases with behavioral depth
  • AI chat agents posing as employees

Why This Is Different

We've had honeytokens forever. Fake AWS keys. Canary documents. Trap mailboxes.

What Talos is proposing is behavioral deception at scale.

Instead of a static tripwire, you get:

  • An AI "employee" that replies to recruiter outreach.
  • A decoy engineer who engages in technical back-and-forth.
  • A persona that subtly feeds misleading stack details to adversarial recon.

If an attacker's workflow includes automated scraping + AI enrichment, you can poison the training signal.

Blue Team Implications

This works best when:

  • You track interaction telemetry (IP ranges, timing, behavioral patterns).
  • You correlate AI persona engagement with other recon indicators.
  • You deliberately vary signal quality to identify clustering in attacker tooling.

Blocking IPs is table stakes. The higher-value play is attribution-by-interaction-pattern.

You're not just catching the bot. You're fingerprinting the operator behind the bot.
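A sketch of attribution-by-interaction-pattern, added here as an illustration and not taken from the Talos piece: each decoy persona carries a distinct false stack detail, and sources are grouped by which details they echo back and by their messaging cadence. The persona names, canary strings, events and the 30-second bucket are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Hypothetical false stack details, one seeded per decoy persona profile.
CANARIES = {"decoy-ana": "QuartzLane CI", "decoy-raj": "HeliosDB 7"}

# Constructed telemetry: (source IP, persona contacted, epoch seconds, message text).
EVENTS = [
    ("198.51.100.7", "decoy-ana", 1000, "Saw you run QuartzLane CI, open to a chat?"),
    ("198.51.100.7", "decoy-raj", 1060, "Your HeliosDB 7 work caught my eye."),
    ("198.51.100.7", "decoy-ana", 1120, "Following up on QuartzLane CI."),
    ("203.0.113.40", "decoy-raj", 5000, "Interested in your HeliosDB 7 and QuartzLane CI setup."),
    ("203.0.113.40", "decoy-ana", 5061, "Quick question on QuartzLane CI."),
    ("203.0.113.40", "decoy-raj", 5119, "HeliosDB 7 migration role."),
    ("192.0.2.15", "decoy-ana", 9000, "Hi, are you attending the meetup?"),
    ("192.0.2.15", "decoy-ana", 12400, "No worries, thanks anyway."),
]

def fingerprint(events):
    """Reduce one source's events to (canaries echoed, cadence bucket)."""
    echoed = frozenset(
        persona
        for _, _, _, text in events
        for persona, token in CANARIES.items()
        if token.lower() in text.lower()
    )
    times = sorted(t for _, _, t, _ in events)
    gaps = [b - a for a, b in zip(times, times[1:])]
    # Bucket the median gap to the nearest 30 s so small jitter still matches.
    cadence = round(median(gaps) / 30) * 30 if gaps else None
    return echoed, cadence

def cluster_sources(events):
    """Group source IPs that share a fingerprint, i.e. likely the same tooling."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[0]].append(ev)
    clusters = defaultdict(set)
    for src, evs in by_src.items():
        clusters[fingerprint(evs)].add(src)
    # Keep fingerprints that echo at least one canary and span several sources.
    return {fp: ips for fp, ips in clusters.items() if fp[0] and len(ips) > 1}

if __name__ == "__main__":
    for (echoed, cadence), ips in cluster_sources(EVENTS).items():
        print(sorted(echoed), cadence, sorted(ips))
```

Two unrelated IPs that echo the same seeded details at the same cadence point to one pipeline behind both, which is the signal a plain IP block throws away.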

Red Team Reality Check

If you're automating recon with LLM pipelines and not validating sources, you are one poisoned profile away from building a phish on a fictional tech stack.

Garbage in, socially-engineered garbage out.

It's the old "trust but verify," except now the intern is a transformer model.

January's Infostealers: Crypto Gets an Upgrade

ASEC's January 2026 Infostealer Trend Report reads like a maturation curve (January 2026 Infostealer Trend Report).

Two primary distribution lanes:

  1. Crack-themed SEO poisoning targeting Windows users.
  2. macOS GitHub impersonation pages prompting terminal execution.

The interesting bit isn't the lure. It's the crypto.

ECDH + ChaCha20-Poly1305 in the Wild

Some families are now using:

  • ECDH for key exchange
  • ChaCha20-Poly1305 for symmetric encryption

Mapped neatly to ATT&CK T1573 (Encrypted Channel).

This isn't nation-state exotic. It's commodity infostealer builders adopting modern primitives because:

  • They're fast.
  • They blend into legitimate encrypted traffic.
  • They reduce static C2 signature viability.

C2 indicators from this wave include:

  • sestraining[.]com
  • 146.103.102.11
  • 94.103.95.97

But the real shift is architectural: encrypted C2 is no longer a differentiator. It's default.

macOS Is No Longer "Low ROI"

The macOS chain mimics GitHub repositories and nudges victims into running terminal commands. This bypasses many traditional "malicious attachment" heuristics because the user becomes the installer.

User execution (T1204.002) meets the developer trust culture.

The cultural attack surface is doing more work than the exploit chain.

Winos 4.0: BYOVD Is the New Normal

Fortinet detailed ongoing Winos 4.0 (ValleyRat) campaigns targeting Taiwan, attributed to activity overlapping with Silver Fox APT (Massive Winos 4.0 Campaigns Target Taiwan).

The playbook is layered:

  • Spear phishing
  • DLL side loading (T1574.002)
  • UAC bypass via binary planting (T1548.002)
  • BYOVD using wsftprm.sys
  • Memory-resident components
  • Dynamic C2

Let's Talk BYOVD

Bring Your Own Vulnerable Driver isn't new.

What's changed is frequency.

Loading a legitimately signed but vulnerable driver grants kernel-level capabilities without requiring a fresh exploit. If driver enforcement is loose, or if WDAC isn't tightly scoped, you've effectively handed them the keys.

This campaign reinforces a pattern:

If you're not restricting third-party kernel drivers, you are betting your EDR on hope.

And hope, historically, has terrible detection coverage.

XWorm v5.6: Steganography, LOLBINs, and a CasPol Cameo

This one's a layered onion.

A campaign targeting Brazil delivers XWorm v5.6 via fake Bradesco bank receipts using double extensions (e.g., .pdf.js) (XWorm Malware Delivered via Fake Financial Receipts).

Let's walk the chain.

Stage 1: WSH Dropper

  • User executes a disguised script.
  • Payload inflates to ~1.2 MB.
  • Uses WMI to spawn a hidden PowerShell.
  • Unicode junk padding to irritate static analysis.

Classic user execution (T1204.002) with scripting abuse (T1059.001).
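A triage check for the two Stage 1 traits described above, the decoy-plus-script double extension and the Unicode junk padding, written as an added example rather than anything from the original report. The extension lists, the 0.5 threshold and the sample file are assumptions constructed for illustration.

```python
import os

# Assumed lists: document extensions used as decoys, and script extensions
# that Windows hands to a script host when double-clicked.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Constructed sample: a short script body followed by non-ASCII filler.
SAMPLE_NAME = "comprovante.pdf.js"
SAMPLE_TEXT = "var x = 1;\n" + "\u0416\u4e2d" * 300

def double_extension(filename):
    """Return (decoy, real) if a decoy document extension precedes a script one."""
    # Windows drops trailing dots and spaces, so normalise them away first.
    name = filename.strip().rstrip(". ").lower()
    stem, real = os.path.splitext(name)
    _, decoy = os.path.splitext(stem.rstrip(". "))
    if real in SCRIPT_EXT and decoy in DECOY_EXT:
        return decoy, real
    return None

def padding_ratio(text):
    """Fraction of characters outside printable ASCII and common whitespace."""
    if not text:
        return 0.0
    junk = sum(1 for ch in text if not (ch in "\t\r\n" or " " <= ch <= "~"))
    return junk / len(text)

def triage(filename, text, ratio_threshold=0.5):
    """List the Stage 1 traits a script attachment exhibits."""
    findings = []
    ext = double_extension(filename)
    if ext:
        findings.append("double_extension:%s%s" % ext)
    if padding_ratio(text) >= ratio_threshold:
        findings.append("unicode_padding")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_NAME, SAMPLE_TEXT))
    print(triage("jquery.min.js", "function f(){return 1;}"))
```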

Stage 2: Image-Hosted Loader

The loader is retrieved from a Cloudinary-hosted image URL.

Yes, an image.

The Stage 3 payload is embedded, extracted, and then loaded directly into memory.

CDN abuse + steganography + ingress tool transfer (T1105).

You're not blocking "malware domains." You're blocking an image CDN.

Good luck explaining that to marketing.

Stage 3: Fileless .NET Payload

The final RAT:

  • Executes in memory.
  • Injects into CasPol.exe.
  • Harvests browser sessions and credentials.
  • Pivots toward email/SaaS/financial accounts.

Notable infrastructure:

  • 152.249.17.145
  • voulerlivros[.]com[.]br/arquivo_20260116064120.txt

Why CasPol?

CasPol.exe is a .NET Code Access Security tool. It's obscure enough to avoid constant scrutiny but legitimate enough to blend in.

That's the sweet spot for LOLBIN abuse:

  • Not common.
  • Not suspicious by default.
  • Signed.

If your telemetry doesn't baseline the execution frequency of rarely-used .NET utilities, you'll miss it.
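One way to baseline rarely used .NET utilities, shown as an added example and not a detection from the original report. It assumes the CasPol.exe instance shows up in process-creation telemetry; the watchlist beyond CasPol.exe, the host names, the records and the threshold are constructed.

```python
from collections import Counter

# Assumed watchlist of rarely used .NET Framework utilities; CasPol.exe is the one named above.
WATCHLIST = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
NET = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"
SYS = "C:\\Windows\\System32\\"

# Constructed process-creation records: (host, image path, parent image path).
HISTORY = [
    ("BUILD-01", NET + "InstallUtil.exe", SYS + "msiexec.exe"),
    ("BUILD-01", NET + "InstallUtil.exe", SYS + "msiexec.exe"),
    ("BUILD-02", NET + "InstallUtil.exe", SYS + "msiexec.exe"),
    ("WS-031", SYS + "notepad.exe", "C:\\Windows\\explorer.exe"),
]
TODAY = [
    ("WS-114", NET + "CasPol.exe", SYS + "WindowsPowerShell\\v1.0\\powershell.exe"),
    ("BUILD-01", NET + "InstallUtil.exe", SYS + "msiexec.exe"),
    ("WS-220", NET + "InstallUtil.exe", SYS + "wscript.exe"),
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def build_baseline(records):
    """Count historical runs and remember the parents seen for each watched utility."""
    runs, parents = Counter(), {}
    for _, image, parent in records:
        name = basename(image)
        if name in WATCHLIST:
            runs[name] += 1
            parents.setdefault(name, set()).add(basename(parent))
    return runs, parents

def flag_rare(records, runs, parents, max_baseline_runs=2):
    """Alert on watched utilities that are rare in the baseline or have a new parent."""
    alerts = []
    for host, image, parent in records:
        name, par = basename(image), basename(parent)
        if name not in WATCHLIST:
            continue
        reasons = []
        if runs[name] <= max_baseline_runs:
            reasons.append("rare_in_baseline")
        if par not in parents.get(name, set()):
            reasons.append("new_parent")
        if reasons:
            alerts.append((host, name, par, tuple(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in flag_rare(TODAY, *build_baseline(HISTORY)):
        print(alert)
```

The routine InstallUtil.exe run on the build host stays quiet, while the never-before-seen CasPol.exe and the script-host-spawned InstallUtil.exe both surface.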

GitLab and North Korea's "Contagious Interview"

GitLab's Threat Intelligence Team published details on North Korean IT workers and "Contagious Interview" operations, including 600+ IOCs and case studies (GitLab Threat Intelligence Team reveals North Korean tradecraft).

The interesting angle isn't just malware delivery.

It's platform abuse as operational infrastructure.

Patterns include:

  • Synthetic developer identities.
  • Private repo staging.
  • Remote content loading.
  • Automation embedded in seemingly legitimate projects.

Hiring scams, supply chain risk, and malware staging merge into one operational continuum.

The repo is the phishing page. The resume is the loader. The interview is the execution vector. If your org treats recruiting and code hosting as separate security domains, adversaries are happily stitching them back together.

Pattern Recognition (The Useful Kind)

Across these stories:

  • Encryption is the default.
  • Fileless execution is standard.
  • LOLBIN abuse is strategic, not opportunistic.
  • Deception is becoming bilateral.

Attackers are automating recon and encrypting everything.
Defenders are considering AI personas and behavioral honeypots.

We're entering the phase where both sides are feeding models.

It's less WarGames and more Blade Runner: figuring out whether the entity across the wire is real, synthetic, or deliberately misleading.


Validate your sources and baseline your weird binaries.

Lastly, if an "employee" you've never met starts having very engaging technical conversations with strangers at 3 AM, perhaps you should let it happen. They might be working for you.

  • KryptoKat