EvilBit Threat Digest - Rusty Backdoors, Phishing Kit Takedowns, and the Infrastructure Arms Race
Threat digest on Rust-based backdoors, phishing-kit takedowns, SSL graph-based threat hunting, AI prompt-injection exploits, and Cisco advisories.
Some weeks, the industry feels like a tidy list of CVEs and patch reminders. This past week was not one of them.
Instead, we got a little bit of everything: Iranian APTs upgrading their tooling stack, Europol dismantling a large phishing-as-a-service operation, infrastructure analysts turning SSL certificates into adversary maps, and attackers experimenting with prompt-injection tricks against AI pipelines. Meanwhile, Cisco dropped a cluster of firewall and Snort advisories that will keep patch queues busy well into the next sprint.
In short, attackers are evolving their tooling and infrastructure faster than most defenders can get around to telling engineers, "Your creds for (fill in the blank) failed in the latest scan."
Happy Sunday! Let's strike while the coffee's hot.
MuddyWater Trades PowerShell for Rust and Deno
Iran-linked operators had a busy research cycle this week. Two separate reports outline how MuddyWater (aka Seedworm) is evolving both tooling and infrastructure.
First, analysts documented the group shifting away from their historically noisy PowerShell-heavy implants toward Rust-based malware and domain impersonation infrastructure designed to blend in with common enterprise services. Fake domains mimicking Microsoft-style services, such as login portals and update endpoints, help camouflage command-and-control traffic among legitimate enterprise noise. Source: MuddyWater in the Iran-Israel Cyber War: From PowerShell Scripts to Rust Implants
At the same time, a separate investigation tied MuddyWater to two previously undocumented backdoors: Dindoor and Fakeset. Dindoor leans on Deno, the modern JavaScript/TypeScript runtime created by Node.js founder Ryan Dahl, while Fakeset is Python-based and abuses legitimate cloud storage for staging.
The Deno choice matters for defenders:
- Deno can run scripts remotely without heavy dependency chains
- The runtime can fetch and execute code directly over HTTPS
- Enterprise security tools rarely monitor Deno processes
Once inside a network, operators reportedly used Rclone to move stolen data to cloud storage providers, including Wasabi buckets. Sources: Seedworm targets US critical sectors with new backdoors; Seedworm activity following U.S. and Israeli military strikes
Hunting note: The MITRE mappings worth watching here are T1059.007 (Command and Scripting Interpreter: JavaScript) for the Deno-based execution, and T1567.002 (Exfiltration to Cloud Storage) for the Rclone activity. If your EDR or SIEM isn't alerting on deno.exe or deno process creation in production environments, add that rule now. Rclone connecting outbound to Wasabi or other non-corporate cloud storage endpoints is another detection surface worth tuning.
The takeaway is less about Rust versus PowerShell and more about runtime abuse. If attackers can hide inside developer tooling (Node, Deno, Python, or Go), they inherit the same trust those runtimes already enjoy inside enterprise networks. Application allowlisting policies that haven't been updated to account for developer runtimes in non-development segments are the gap here.
Long-Term Intrusions via vCenter and Old Bugs
Another campaign highlights a recurring theme: old vulnerabilities never really die.
Unit 42 detailed a multi-year intrusion cluster tracked as CL-UNK-1068, attributed with high confidence to a Chinese threat actor, targeting critical infrastructure and other high-value sectors. The operators chained together known vulnerabilities and custom malware to maintain persistence across victim networks. Source: An Investigation Into Years of Undetected Operations Targeting High-Value Sectors
Key components of the playbook include:
- CVE-2023-34048: VMware vCenter Server out-of-bounds write (CVSS 9.8), enabling remote code execution on the management interface
- CVE-2021-4034 (PwnKit) privilege escalation inside compromised Linux systems
- Custom implants, including Xnote and ScanPortPlus
Persistence techniques leaned heavily on DLL side-loading and multi-hop proxy chains, giving operators stealthy lateral movement across segmented networks.
Patch management note: Both CVEs are on CISA's Known Exploited Vulnerabilities catalog. CVE-2023-34048 has been there since January 2024, with a remediation deadline of February 12, 2024. Tenable shipped plugins for it in October 2023. If your vCenter scan policy doesn't cover the management interface, or if you've been accepting risk on legacy vCenter instances, this report is your cue to revisit that decision. CVE-2021-4034 patches have been available from every major Linux distribution since January 2022. Any unpatched Polkit instance at this point is a conscious risk acceptance, and one worth documenting formally.
The uncomfortable lesson here is simple: patch latency still beats zero-days as an attacker's favorite tool.
Tycoon2FA Phishing Platform Dismantled
One of the largest adversary-in-the-middle (AiTM) phishing platforms just took a significant hit.
A coordinated law enforcement operation led by Europol seized infrastructure belonging to Tycoon2FA, a phishing-as-a-service platform built to bypass multi-factor authentication by stealing live session cookies. The scale is worth pausing on: by mid-2025, Tycoon2FA accounted for roughly 62 percent of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. Over its lifetime, the platform facilitated over 64,000 attacks against nearly 100,000 organizations globally, including schools, hospitals, and public institutions. Sources: Europol coordinated action disrupts Tycoon2FA phishing platform; Europol announcement; Inside Tycoon2FA
Authorities seized 330 domains forming the backbone of the platform. The service functioned much like ransomware-as-a-service ecosystems:
- Operators rented phishing kits
- Victims were proxied through attacker-controlled login pages
- Authentication cookies were captured and reused
That last piece is what breaks traditional MFA protections. If the attacker steals the session token after authentication, the second factor is effectively irrelevant.
Defense note: AiTM attacks defeat OTP codes, push notifications, and SMS-based MFA because they capture the authenticated session, not the second factor itself. The defense that actually resists this is phishing-resistant MFA: FIDO2 security keys or passkeys. Because FIDO2 credentials are cryptographically bound to the legitimate login domain, a proxy site cannot trick the authenticator into generating a valid assertion. If your organization is still relying exclusively on push-based MFA, the Tycoon2FA takedown is a good catalyst for accelerating your passkey rollout. Microsoft Authenticator has supported passkeys since March 2025.
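The relying-party side of the origin binding described above, as an added example (not code from Europol, Microsoft or the Tycoon2FA write-ups). It simulates what a browser and authenticator emit on a given page and then runs the WebAuthn checks on origin, challenge and rpIdHash; the relying-party id, origins and challenge are constructed, and signature verification is left out.

```python
"""Why a proxied login page cannot mint a valid FIDO2 assertion: the RP checks
that clientDataJSON.origin and the rpIdHash in authenticatorData match the
domain it registered. Names and challenge below are constructed."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # constructed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"
CHALLENGE = bytes(range(32))                   # constructed; real RPs use fresh random bytes

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin: str, challenge: bytes) -> dict:
    """Simulate a browser + authenticator on a page served from `origin`.
    The authenticator hashes the page's own effective domain, not the RP's,
    so a lookalike phishing origin yields a different rpIdHash."""
    effective_domain = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = rpIdHash(32) | flags(1: UP|UV) | signCount(4)
    auth_data = hashlib.sha256(effective_domain.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on ceremony type, challenge, origin and rpIdHash."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

if __name__ == "__main__":
    print(verify_assertion(make_assertion(EXPECTED_ORIGIN, CHALLENGE), CHALLENGE))
    print(verify_assertion(make_assertion("https://login.example-com.test", CHALLENGE), CHALLENGE))
```

A session cookie stolen after this check passes is still a valid cookie, which is why the page pairs phishing-resistant MFA with short session lifetimes and token binding where available.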
Expect the ecosystem to regenerate quickly; phishing kits have the lifecycle resilience of arcade villains in an '80s action movie. The takedown buys time, not permanence.
Infrastructure Hunting With Graph Theory
A clever research piece from Infoblox shows how defenders are turning SSL certificate transparency logs into a threat-hunting goldmine.
The idea: use graph analysis to map relationships between domains, certificates, and infrastructure. When multiple malicious domains reuse the same certificate properties (issuer fields, SAN entries, or automation patterns), they become nodes in the same operational cluster. Source: Using SSL Certificates and Graph Theory to Uncover Threat Actors
Graph models let analysts pivot across infrastructure faster than traditional IOC lists:
- certificate reuse links attacker-controlled domains
- SAN entries expose additional infrastructure
- certificate issuance timing reveals campaign staging
Infoblox found that without this certificate-based approach, they would have missed approximately 57% of malicious certificate-related domains. That's a significant detection gap for teams relying solely on traditional IOC feeds.
In other words, CT logs become more like a threat actor social network graph. For SOC teams with access to certificate transparency data, this research offers a practical framework for building those pivots into your hunting playbooks.
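A minimal version of the pivot described in this section, as an added example (not Infoblox's code or data): domains are nodes, and two domains are joined whenever they appear together in one certificate's SAN list, so seeding with a known-bad domain returns the rest of its cluster and the issuance dates of the certificates involved. All certificate records and domains are constructed; the example links only on SAN co-occurrence, since linking on a shared issuer alone would merge unrelated sites under popular CAs.

```python
"""Certificate-graph pivoting over constructed CT-log-style records:
(fingerprint, issuer, SAN list, not_before). Union-find joins every domain in a
SAN list; pivot() expands seed domains to their whole cluster."""
from collections import defaultdict

# Constructed records; the .test names are illustrative, not real indicators.
CERTS = [
    ("f1", "R3", ["login-m1crosoft.test", "update-m1crosoft.test"], "2026-01-03"),
    ("f2", "R3", ["update-m1crosoft.test", "cdn-ms-edge.test"], "2026-01-04"),
    ("f3", "R3", ["portal-okta-sso.test"], "2026-01-04"),
    ("f4", "E1", ["blog.legit.test", "www.legit.test"], "2025-11-20"),
    ("f5", "E1", ["cdn-ms-edge.test", "files-ms-edge.test"], "2026-01-05"),
]

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def build_clusters(certs):
    """Return {root_domain: sorted domains} after linking each SAN set."""
    uf = UnionFind()
    for _fp, _issuer, sans, _nb in certs:
        for d in sans:
            uf.union(sans[0], d)
    groups = defaultdict(set)
    for _fp, _issuer, sans, _nb in certs:
        for d in sans:
            groups[uf.find(d)].add(d)
    return {root: sorted(ds) for root, ds in groups.items()}

def pivot(certs, seeds):
    """Expand known-bad seed domains to their full cluster, plus the sorted
    not_before dates of the certs touching it (a rough staging timeline)."""
    clusters = build_clusters(certs)
    root_of = {d: root for root, ds in clusters.items() for d in ds}
    hit_roots = {root_of[s] for s in seeds if s in root_of}
    domains = sorted({d for r in hit_roots for d in clusters[r]})
    dates = sorted({nb for _fp, _i, sans, nb in certs if set(sans) & set(domains)})
    return domains, dates
```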
AI Prompt Injection Moves From Theory to Practice
Prompt injection has spent the last year bouncing around conference talks and social media threads. Now it's showing up in the wild.
Unit 42 documented indirect prompt injection (IDPI) attacks targeting AI-enabled workflows embedded in web services. These attacks hide malicious prompts inside web content (HTML, ads, or SEO spam) that AI agents ingest during automated tasks. Source: Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild
Examples include:
- bypassing automated ad-review systems
- triggering data exfiltration through AI-assisted workflows
- manipulating AI-driven content moderation pipelines
The researchers documented 22 distinct techniques for constructing these payloads, from visual concealment to obfuscation and dynamic execution. The research also includes the first observed case of AI-based ad review evasion in the wild.
What to watch for: If your organization uses AI agents with web browsing capabilities, automated content processing, or AI-assisted review workflows, the attack surface is the content those agents consume. Input validation and output filtering for LLM-integrated pipelines should be on your security architecture radar, even if the tooling for it is still maturing.
This is an early glimpse of a security problem that will only get messier as AI agents gain greater autonomy.
Malware Roundup: Keyloggers, Infostealers, and Zero-Detection RATs
Several malware reports this week underline how commodity tooling keeps evolving.
VIP_Keylogger MaaS Campaign
Researchers detailed a malware-as-a-service keylogger platform called VIP_Keylogger, distributed through spear-phishing campaigns. Source: MAAS VIP_Keylogger Campaign
Key capabilities include:
- process hollowing and in-memory execution
- credential and cookie theft across browsers and messaging apps
- multiple exfiltration channels
The modular design suggests operators can bolt on new payloads depending on the target.
AuraStealer
Another report profiles AuraStealer, an emerging infostealer ecosystem harvesting browser data and credentials. Source: Analysis of AuraStealer
The campaign infrastructure includes multiple payload-delivery servers and credential-exfiltration endpoints, suggesting active development rather than a one-off build.
New RATs and Ransomware Families
ANY.RUN's monthly review highlighted several new families, including Moonrise, Karsto, and the GREENBLOOD / BQTLock ransomware variants. These samples arrived with near-zero antivirus detection at release. Sources: February 2026 cyber attacks overview; Emerging ransomware BQTLock & GREENBLOOD
Also worth noting: phishing campaigns are increasingly thread-hijacking legitimate email conversations, then redirecting victims to cloud-hosted phishing pages on Azure, Firebase, and AWS.
Attackers don't need to break trust if they can simply borrow it.
Cisco Patch Cluster: ASA, Snort, and ClamAV
Cisco dropped a bundle of security advisories affecting multiple security products. None show confirmed exploitation yet, but these systems sit on the security perimeter, which makes timely patching non-negotiable.
CVE-2026-20009: Cisco ASA SSH Authentication Bypass [TODO: verify CVE number against advisory]
A flaw in Cisco ASA allows an attacker to authenticate over SSH without the private key, provided they know a valid username and public key configuration. Source: Cisco advisory
Compensating control: If you can't patch immediately, restrict SSH access to the ASA management interface via ACLs to trusted management subnets only. If your management plane is reachable from untrusted segments, that's the more urgent problem.
CVE-2026-20070: ASA / FTD VPN Web Services XSS
Cross-site scripting in VPN web services could allow attackers to inject malicious HTML or scripts into a user's browser session. Source: Cisco advisory
CVE-2026-20008: Lua Code Injection
Authenticated administrators could inject Lua code that executes with root privileges on Cisco firewall systems. Source: Cisco advisory
CVE-2026-20053 / 20054 / 20057 / 20058: Snort 3 DoS [TODO: verify CVE numbers against advisory]
A set of vulnerabilities in the Snort 3 VBA decompression engine can crash the detection engine remotely. A crashed Snort engine means traffic either gets dropped or, worse, passes uninspected, depending on your fail-open configuration. Source: Cisco advisory
CVE-2026-20031: ClamAV Parsing DoS
A crafted HTML file can crash the ClamAV scanning process via a CSS image parsing bug. Source: Cisco advisory
Closing Thoughts
Two patterns stood out this week.
First, attackers are experimenting aggressively with runtime environments and infrastructure abstraction: Rust implants, JavaScript runtimes, cloud storage exfiltration, and AI prompt injection. The common thread is that none of these techniques require novel exploits. They require novel trust assumptions.
Second, defenders are responding with better infrastructure analysis: graph modeling, certificate telemetry, and cross-vendor takedowns of phishing platforms. The Infoblox research and the Tycoon2FA operation both suggest that the most productive defensive investments right now are in visibility and correlation, not just signatures.
In other words, the battlefield is moving away from individual malware samples and toward ecosystems of tooling and infrastructure. Which feels appropriate. Modern cyber operations look less like lone hackers and more like entire operating systems for crime.
Eyes on the network. Claws at the ready.
- KryptoKat