EvilBit Threat Digest - Your AI Assistant Just Ran `base64 -d | bash`

Some weeks feel like a sober reminder that "attack surface" isn't just ports and services anymore. It's marketplaces, meeting invites, and that one "helpful" automation you turned on at 2 AM and forgot about.

This edition: malicious AI-agent "skills" dropping macOS stealers, DPRK crews moonlighting with ransomware franchises, a vintage Office bug still paying dividends, and mobile banking malware doing what mobile banking malware does: making your life worse.

UPDATE: AMOS gets an "agentic" delivery path (OpenClaw/ClawHub supply-chain)

UncleSp1d3r: We've talked about Atomic macOS Stealer (AMOS) before, but this week it's wearing a new costume: malicious "skills" for AI agents.

Trend Micro details a supply-chain campaign in which attackers seeded ClawHub, the OpenClaw skill marketplace, with malicious skills that trick users or the agent itself into executing encoded shell commands. The core move is depressingly simple and therefore effective: a "setup" step that turns into base64 -d | bash (or -D depending on the platform), fetching payloads from the attacker's infrastructure and landing AMOS on the host. Trend Micro identified 39 malicious skills on ClawHub and over 2,200 malicious skills across GitHub. Separately, Koi Security's audit of ClawHub found 341 malicious skills out of 2,857 total, with 335 tied to the ClawHavoc campaign deploying AMOS. That's not a needle; that's a needle factory. Sources: Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer - Trend Micro, From Automation to Infection: How OpenClaw AI Agent Skills Are Being Abused - VirusTotal Blog, Hundreds of Malicious Skills Found in OpenClaw's ClawHub - eSecurity Planet

Why this is nastier than "regular" macOS stealer delivery:

• The skill marketplace becomes your package registry. If your agent workflow treats marketplace content as "semi-trusted," you've reinvented npm dependency risk, but with shell access.
• The human review gap is a feature, not a bug. You can validate a GUI prompt. You cannot validate an eager agent that's been instructed to "fix install issues" by running whatever it's told to run.
• AMOS is still the same monster. Keychain creds, cookies/session tokens, browser data across 19 browsers, crypto wallet extensions, KeePass keychains, chat apps. The point is credential and session theft at scale. Source: Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer - Trend Micro

KryptoKat: Operational takeaways for defenders aren't exotic, they're disciplined:

• Run agent tooling in containers/sandboxes that don't have access to Keychain, browser profiles, or developer secrets by default.
• Treat "skills" like third-party code: pin versions, vet in isolation, and require a promotion path from test to prod.
• Monitor for agent-driven execution patterns that appear to be installer abuse (encoded commands, curl/wget into shell). Trend Micro explicitly calls out looking for base64 decode piped to bash. Source: Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer - Trend Micro

The meta-problem: we keep building systems whose job is "do actions," and then we act surprised when the adversary says, "Cool, do my actions."

AI-powered social engineering goes after crypto: UNC1069's new playbook

KryptoKat: North Korea-linked UNC1069 is leaning hard into modern persuasion: AI-assisted social engineering, deepfakes, and compromised comms channels to pressure targets into handing over credentials and artifacts from macOS/Windows/Chromium ecosystems. Reporting highlights theft of Keychain, browser data, and messaging artifacts (including Telegram), with multiple new malware families identified across sources. This is the polished con artist's version of phishing: less "click this invoice," more "join this urgent call with the CFO (who looks and sounds correct)." Sources: UNC1069 Targets Cryptocurrency Sector with New Tooling and AI - Google Cloud, UNC1069 Uses New Tools to Target Crypto Entities - PolySwarm, North Korea's UNC1069 Hammers Crypto Firms With AI - Dark Reading

UncleSp1d3r: The uncomfortable red-team truth: deepfake-enabled pretexting scales the part defenders historically couldn't instrument anyway. Your email gateway can't parse "urgency in a voice" or "familiar face on a Zoom call." So the control points shift:

• Lock down high-risk actions behind out-of-band verification
• Make meeting invite provenance a thing you actually care about
• Assume "trusted channel" (Telegram/Zoom/etc) is a variable, not a constant

Lazarus + Medusa: the nation-state/ransomware franchise crossover episode

UncleSp1d3r: Symantec says the Lazarus Group is now working as an affiliate with Medusa ransomware, with targeting confirmed in the Middle East and an unsuccessful attempt against U.S. healthcare. This isn't "Lazarus discovered ransomware." This is a state-backed operator plugging into the gig-economy of extortion: custom backdoors (Comebacker, Blindingcan) and tradecraft on one side, a mature ransomware brand and operational machinery on the other. Medusa has claimed 366+ attacks since its 2023 launch; the average ransom demand in the recent cluster is around $260,000. Symantec notes that the activity hasn't been tied to a specific Lazarus sub-group, though the TTPs mirror those of prior Andariel/Stonefly operations. Source: North Korean Lazarus Group Now Working With Medusa Ransomware - Symantec/Security.com

Plain-English takeaway: if you're defending healthcare, you're not just fighting "ransomware groups." You're fighting partnerships.

The undead vulnerability: Cloud Atlas still cashing CVE-2018-0802 checks

UncleSp1d3r: Cloud Atlas is reportedly using CVE-2018-0802 (the infamous Microsoft Office Equation Editor bug) in spearphishing to drop VBShower and related payloads, targeting government entities in the Russian Federation. If that CVE number feels like a museum label, that's the point: attackers love vulnerabilities that linger in long-lived environments and legacy document workflows. Sources: Cloud Atlas: Analysis of Phishing Campaign and VBShower Backdoor, NVD - CVE-2018-0802, CISA Known Exploited Vulnerabilities Catalog - CVE-2018-0802

• CVE: CVE-2018-0802
• Impact: Remote code execution via crafted Office documents (Equation Editor component)
• Affected: Multiple Office/Word versions across the 2007-2016 era (see NVD for full matrix)
• So what: If you still have legacy Office in the wild (contractors, jump boxes, "that one finance VM"), this is a live wire, and it's in CISA KEV. Sources: NVD - CVE-2018-0802, CISA Known Exploited Vulnerabilities Catalog - CVE-2018-0802

Mobile theft with a twist: Massiv targets banks and digital identity

KryptoKat: ThreatFabric's write-up on Massiv is the kind of mobile malware reporting that makes you sit up straight. Distribution is through sideloaded IPTV apps (because of course it is), and capability centers on device takeover: overlay credential theft, keylogging/interaction capture, interception of SMS/push notifications to bypass 2FA, and remote interaction to commit fraud from inside the victim context. Sources: Massiv: When your IPTV app terminates your savings - ThreatFabric, Massiv Android Banking Trojan - PolySwarm Blog

The standout detail: targeting of Portugal's gov.pt digital identity wallet to help bypass KYC and open accounts in victims' names. That's not "just" banking fraud; it's an attempt to subvert the state's identity rails. Source: Massiv: When your IPTV app terminates your savings - ThreatFabric

Practical takeaway: for enterprises with managed Android fleets, watch hard for risky permission combos (Accessibility + screen capture/MediaProjection behaviors are common in takeover kits) and clamp down on sideloading. For banks, server-side detection for device-takeover patterns matters more than arguing with the overlay window.

macOS stealer economy: Odyssey Stealer goes franchise-mode

UncleSp1d3r: Censys mapped Odyssey Stealer as a macOS MaaS operation with affiliate-run infrastructure, including LaunchDaemon persistence and a Go-based SOCKS5 proxy component. The interesting part isn't "another stealer," it's the operational maturity: API-style C2 endpoints, reusable infra patterns, and an ecosystem that looks a lot like the Windows commodity world, just ported to macOS, where many orgs still have thinner visibility. Source: Odyssey Stealer: Inside a macOS Crypto-Stealing Operation

KryptoKat: If you're defending macOS fleets and still treating them like artisanal Linux desktops, this is your reminder: you need consistent telemetry around persistence locations (LaunchDaemons/Agents), scripting engines, and outbound C2 patterns. Not as special cases, but as first-class detection engineering.

UPDATE: ValleyRAT changes masks, now via fake security software (+ BYOVD angle)

KryptoKat: ValleyRAT (a.k.a. Winos/related families) showed up in prior reporting via tax-themed lures. This time, the lure is more insidious: a fake Huorong security site delivering ValleyRAT through a multi-stage chain that includes DLL sideloading and scheduled task persistence. It's the same old trust exploit, just swapped from "government notice" to "security download." Source: Fake Huorong security site infects users with ValleyRAT

UncleSp1d3r: Worth noting the BYOVD connection here: the Silver Fox group behind ValleyRAT has been documented abusing CVE-2025-68947, a missing-authorization flaw in the NSecsoft NSecKrnl Windows driver that lets authenticated attackers terminate arbitrary processes, including EDR and Protected Processes via crafted IOCTL requests. Reynolds ransomware and Black Basta have also been spotted bundling this same driver. The pattern is clear: BYOVD keeps showing up as the "make EDR look the other way" lever across multiple unrelated campaigns. Sources: CVE-2025-68947 Detail - NVD, CVE-2025-68947: NSecKrnl Driver Privilege Escalation Flaw - SentinelOne

Also: malware pretending to be security software is the kind of joke that writes itself, but it works because users are trained to override warnings when they believe they're doing something "responsible."

Brand abuse at airline scale: 11,600 suspicious domains

KryptoKat: BforeAI reports sustained pressure from scams and impersonations targeting airlines, with 11,600+ suspicious domains targeting 35+ global brands over a few months. The campaigns range from fake booking/promotions to malware and investment fraud. There's no single CVE to patch here; it's a domain/infrastructure fight and a customer-protection problem. Source: Commercial Airline Industry Sees Sustained Scam and Impersonation Activity in 2026

The security team takeaway is mundane and therefore hard: domain monitoring, takedown process maturity, and internal coordination so your support staff can spot fraud patterns early, before Reddit does.

The macro trend (IBM): public-facing apps remain the favorite door

UncleSp1d3r: IBM's 2026 X-Force Threat Index is waving the same flag many IR teams have been screaming into the void: exploitation is concentrating on public-facing applications, often through basic gaps, and accelerated by tooling that reduces the cost of scanning and exploitation. It's not poetic. It's plumbing. Source: IBM 2026 X-Force Threat Index: AI-Driven Attacks are Escalating as Basic Security Gaps Leave Enterprises Exposed

KryptoKat: If you want a single sentence to staple to a change-management ticket: internet-facing assets must be patchable like they're disposable, because attackers treat them that way.

Moonrise RAT: Go malware, low-noise posture

KryptoKat: ANY.RUN profiles Moonrise RAT, a Go-based remote access trojan described as low-detection with credential theft and persistence behavior. The big operational issue with "quiet" RATs is dwell time: the quieter the implant, the longer it has to become an access broker's favorite gift basket. Source: Moonrise RAT: A New Low-Detection Threat with High-Cost Consequences - ANY.RUN

UncleSp1d3r: Go isn't magic stealth dust, but it does make it easy for criminals to ship single-binary tooling across environments without crying about dependencies. Expect more of this.

Trust is the new perimeter (and it's full of holes)

This week's common thread isn't "AI," "ransomware," or "stealers." It's outsourcing trust: to marketplaces, to meeting platforms, to installers, to legacy Office, to public web apps that never got the love they needed.

You don't have to distrust everything. But you do have to assume everything can be borrowed by an adversary, briefly, quietly, and just long enough to ruin your quarter.

~ KryptoKat & UncleSp1d3r