ZeroDay Field Notes - Chains, RATs, and the Art of Staying Invisible
A red-team roundup of chaining zero-days, browser rats, air-gap hops, and evasive phishing techniques for stealthy ops.
UncleSp1d3r checking in. Remember that old cyberpunk flick where the netrunner jacks into a corporate tower via a backdoor in the HVAC system? This week's haul feels like that: exploit kits chaining zero-days like they're building a digital ladder, RATs tunneling through browsers and air gaps, and phishing that treats core internet plumbing as its playground. No fluff, just the red-team gold: fresh primitives, evasion tricks, and tooling that'll make your next op smoother. KryptoKat joins for the blue angles that inform your next bypass.
We sifted the noise for confirmed exploits and tradecraft. Here's what sticks.
Mobile Mayhem: iOS Exploits and Web3 Wallet Heists
Google's Threat Intelligence Group just dropped a gem on Coruna, an iOS exploit kit that's basically a zero-day flea market. Spanning iOS 13.0 to 17.2.1, it packs 23 exploits across five chains, including WebKit RCE and a PAC bypass for kernel shenanigans. Tied to UNC6353 and UNC6691, Coruna's got non-public techniques, second-hand zero-days (like CVE-2023-32409 and CVE-2024-23222), and a PlasmaLoader implant for exfil and C2. For red teams: study the PAC bypass. It's a blueprint for kernel-level persistence on locked-down devices. Enable Lockdown Mode to test evasions, but patches exist for all cited CVEs. Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit.
KryptoKat: On the wallet front, SeaFlower is backdooring iOS and Android Web3 apps to snatch seed phrases. No CVEs, but it mashes process injection (T1055), masquerading (T1036), and input capture (T1056) for stealthy exfil. Novel bit: malicious domains and files mimicking legit wallet updates. If you're pentesting crypto setups, emulate this. Seed theft is low-hanging fruit for high-impact demos. Block suspicious domains and verify app sources; it's social engineering with a tech twist. How SeaFlower installs backdoors in iOS/Android web3 wallets to steal your seed phrase.
RAT Tradecraft: Browsers as Backdoors and Air-Gap Jumps
Fake Google security checks are delivering a browser RAT via Progressive Web Apps (PWAs), turning Chrome/Edge into surveillance hubs. No malware install needed, just service workers for persistence, WebSockets for C2, and APIs for keylogging, clipboard grabs, GPS, and even network proxying. The Android APK side adds device admin and notification interception. Red angle: weaponize PWAs for post-exploit. It's sandboxed but persistent, with internal scanning via WebRTC. Hunt for google-prism[.]com and revoke suspicious service workers. Inside a fake Google security check that becomes a browser RAT.
UncleSp1d3r: APT37's Ruby Jumper is crossing air gaps like it's no big deal. LNK-based chain hits RESTLEAF/SNAKEDROPPER for initial foothold, then THUMBSBD/VIRUSTASK bridges via removable media to deploy FOOTWINE/BLUELIGHT for exfil over Zoho WorkDrive. Full kit: keylogging, screen/audio/video capture, all obfuscated and injected. For offense, replicate the air-gap hop. USB dead-drops are underrated. Blue teams, disable autorun and monitor for unusual scheduled tasks. APT37 Adds New Capabilities for Air-Gapped Networks.
Shifting to regional espionage, SloppyLemming (aka Outrider Tiger) is hitting Pakistan and Bangladesh with BurrowShell loaders and Rust-based keyloggers. The tooling uses Cloudflare Workers for C2, DLL search-order hijacking, and Visual Basic scripts in PDFs. The Rust RAT packs info discovery, screen caps, and encrypted exfil. Emulate the ClickOnce sideloading for Windows pivots; the Workers-based C2 blends into legit traffic nicely. Block Workers subdomains and monitor registry run keys. SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh.
Supply Chain Sneaks: Packagist RATs and Stego Payloads
KryptoKat: Malicious Packagist packages like nhattuanbl/lara-helper are dropping encrypted RATs disguised as Laravel utils. They use dev-master deps to pull in backdoored code, enabling RCE, file ops, and screen caps over non-standard ports. Supply-chain gold for red: poison transitive deps for hands-off delivery. Audit Composer files and restrict disable_functions. Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT.
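Added example, not code from the original post or from any of the projects it names: a Python audit of a Composer manifest that flags the two things the paragraph above points at, dependencies resolved from a moving branch ("dev-master" and similar constraints) and a watchlisted package name. The manifest and the second package name are constructed; only nhattuanbl/lara-helper comes from the text.

```python
"""Audit composer.json for unpinned branch dependencies and watchlisted packages."""
import json
import re

# Package name taken from the report above; extend from your own intel.
WATCHLIST = {"nhattuanbl/lara-helper"}

# Constraints that resolve to a branch head rather than a tagged release:
# "dev-master", "dev-feature-x", "1.0.x-dev", "^1.0@dev".
BRANCH_CONSTRAINT = re.compile(r"^dev-|-dev$|@dev$")


def audit_composer(manifest: dict) -> list[dict]:
    """Return one finding per suspicious entry in require / require-dev."""
    findings = []
    for section in ("require", "require-dev"):
        for name, constraint in manifest.get(section, {}).items():
            if name in WATCHLIST:
                reason = "watchlisted package"
            elif BRANCH_CONSTRAINT.search(constraint):
                # A branch constraint lets the upstream repo swap the code
                # under you on the next "composer update"; pin to a tag.
                reason = f"unpinned branch constraint {constraint}"
            else:
                continue
            findings.append({"package": name, "section": section, "reason": reason})
    return findings


# Constructed manifest: a Laravel app with one watchlisted and one
# branch-pinned dependency mixed in among ordinary tagged ones.
SAMPLE_COMPOSER_JSON = json.loads("""
{
  "require": {
    "php": "^8.1",
    "laravel/framework": "^10.0",
    "nhattuanbl/lara-helper": "dev-master"
  },
  "require-dev": {
    "phpunit/phpunit": "^10.0",
    "acme/dev-helper": "1.2.x-dev"
  }
}
""")

if __name__ == "__main__":
    for f in audit_composer(SAMPLE_COMPOSER_JSON):
        print(f"[{f['section']}] {f['package']}: {f['reason']}")
```

Run it against the composer.json of each deployable; a clean manifest returns an empty list.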
DPRK stagers are getting creative. One uses Pastebin stego in npm packages (tracked as "StegaBin," 26 packages total) to hide Vercel C2 domains, resolving to PowerShell/Unix shells for cross-platform exfil. Another tests Google Drive for payload staging in express-core-validator. For offense, layer stego over legit services. It's resilient. Hunt for Node.js DNS lookups to Drive/Pastebin. Novel DPRK stager using Pastebin and text steganography.
UncleSp1d3r: Archive.org stego is delivering Remcos/AsyncRAT via 4K JPEGs and Gmail-linked accounts. Multi-stage: loaders use MSBuild LOLBins and process injection, with daily payload rotation across four accounts for redundancy. Red playbook: stego on public archives evades AV. Primary C2 at 181.206.158.190 (Colombia Movil/Tigo). Archive.org Stego Delivers Remcos and AsyncRAT.
Evasion Gems: Phishing .arpa and WebDAV Tricks
Phishing crews are weaponizing the .arpa TLD and IPv6 tunnels for evasion. They acquire IPv6 tunnel address ranges to gain control of .arpa subdomains, then create standard A records and route traffic through TDS redirects. This bypasses filters, since .arpa is treated as trusted infrastructure. Test this in ops. It's a novel pivot. Monitor for .arpa in email content and TDS patterns. Abusing .arpa: The TLD That Isn't Supposed to Host Anything.
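Added example for the blue side of the paragraph above, not code from the original post: a Python scanner that pulls URLs out of email text and flags any whose host sits under .arpa, tagging the ip6.arpa zone the tunnel-delegation trick lands in. The email body and hostnames are constructed.

```python
"""Flag URLs in email text whose hostname is under the .arpa TLD."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def arpa_hosts(text: str) -> list[dict]:
    """Return one finding per URL whose host ends in .arpa.

    Defanged dots ("[.]") are normalised first so analyst notes and IoC
    pastes are scanned the same way as live mail bodies.
    """
    findings = []
    for url in URL_RE.findall(text.replace("[.]", ".")):
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
        if host != "arpa" and not host.endswith(".arpa"):
            continue
        # ip6.arpa is the zone delegated along with IPv6 tunnel ranges,
        # which is what lets an attacker publish A records under it.
        if host.endswith(".ip6.arpa"):
            zone = "ip6.arpa"
        elif host.endswith(".in-addr.arpa"):
            zone = "in-addr.arpa"
        else:
            zone = "other"
        findings.append({"url": url, "host": host, "zone": zone})
    return findings


# Constructed phishing mail: one legit support link, two .arpa lures
# (the second written defanged, as it might appear in a ticket).
SAMPLE_EMAIL = """\
Subject: Action required on your account
Please review at https://secure-login.2.0.0.1.0.0.0.0.ip6.arpa/verify?id=123 within 24h.
Need help? https://support.example.com/help
Related infra seen by the SOC: https://cdn-redirect[.]8.b.d.0.1.0.0.2.ip6.arpa/go
"""

if __name__ == "__main__":
    for f in arpa_hosts(SAMPLE_EMAIL):
        print(f"{f['zone']:12} {f['host']}  <- {f['url']}")
```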
Windows File Explorer WebDAV is being abused for XWorm delivery, tunneling via Cloudflare for stealthy drops. Cofense reports 87% of campaigns using this tactic deliver multiple RATs. Red value: proxy malware through native tools. Detect suspicious WebDAV mounts and clipboard hooks. Abusing Windows File Explorer and WebDAV for Malware Delivery.
Closing Hack: When AI Goes Offensive
Wrapping with CyberStrikeAI, an AI-native toolkit built in Go by a China-based dev (Ed1s0nZ) with documented MSS ties through Knownsec 404 and the CNNVD. It's got automated vuln scanning, exploit gen, and C2. Team Cymru tracked 21 IPs hitting 600+ FortiGate devices across 55 countries. If you're not already building AI-assisted recon into your chains, this is your wake-up call. Hunt the IPs and correlate with GitHub activity. Tracking CyberStrikeAI Usage.
That's your op fuel. Test those chains, layer the evasions, and remember: the best exploits are the ones they never see coming. Stay frosty out there.
~ UncleSp1d3r