EvilBit Threat Digest: Free-Trial C2, Copy/Paste Compromise, and iPhones on the Menu

Weekly threat digest on how free trials, copy/paste install guides, and trusted tech boundaries are weaponized, with actionable defenses.

KryptoKat is away this week. UncleSp1d3r has the keys to the Digest. Same intel, different lens.

The theme this week is not "new malware." It is new trust boundaries getting weaponized: free trials becoming exfil platforms, browser extensions becoming corporate eavesdroppers, and "helpful install commands" becoming a one-line surrender.

Let's get into the parts you will actually have to defend, or will absolutely get asked about in the next tabletop.


Someone Else's SIEM: Elastic Cloud trials as adversary infrastructure (deep dive)

Huntress dropped a weirdly elegant abuse case: an actor spun up Elastic Cloud SIEM free trials and used them as a low-friction, hard-to-block outbound destination while they worked through a pile of vulnerable edge apps. In their dataset, the adversary reportedly triaged and exfiltrated from roughly 216 victim hosts across sectors, treating Elastic's APIs like a rented mule. (Someone Else's SIEM: A Threat Actor Abuses Another Free Trial)

This is "living off the land," but the land is your procurement process. A free trial means: clean domain reputation, TLS, legit certs, and defenders who hesitate because blocking it might break something "security-related."

C2 intel for emulation: The attacker staged victim data in an Elasticsearch index named systeminfo. If you want to hunt for this pattern, look for outbound HTTPS from non-SIEM hosts to *.elastic-cloud.com or *.found.io endpoints. Legitimate Elastic Cloud traffic from your environment should be easy to baseline; anything else is worth a closer look.
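To turn that hunt into something repeatable, here is an added example (not code from Huntress or Elastic) that baselines Elastic Cloud egress per host from proxy-style logs. The log lines, host names and the allowed-host set are constructed for illustration; the two domain suffixes are the ones named above. The point it makes beyond the paragraph: match destinations by suffix, not substring, or a lookalike like elastic-cloud.com.evil.example will pass as "legit cloud".

```python
import re
from collections import defaultdict

# Domains named in the Huntress write-up; matched by suffix, never by substring.
ELASTIC_CLOUD_SUFFIXES = (".elastic-cloud.com", ".found.io")

# Constructed proxy/egress log lines for illustration (not real telemetry).
SAMPLE_EGRESS_LOG = """\
2026-03-04T10:02:11Z host=siem-fwd-01 src=10.0.9.5 dst=c1d2e3.us-east-1.aws.elastic-cloud.com:443 bytes_out=1204311
2026-03-04T10:02:14Z host=ws-eng-17 src=10.1.4.22 dst=www.example.com:443 bytes_out=8812
2026-03-04T10:03:40Z host=ws-eng-17 src=10.1.4.22 dst=9f8e7d.us-central1.gcp.elastic-cloud.com:443 bytes_out=48211
2026-03-04T10:05:02Z host=ws-eng-17 src=10.1.4.22 dst=9f8e7d.us-central1.gcp.elastic-cloud.com:443 bytes_out=912004
2026-03-04T10:06:19Z host=web-dmz-02 src=172.16.3.8 dst=a1b2c3.eu-west-1.aws.found.io:9243 bytes_out=66120
2026-03-04T10:07:00Z host=ws-fin-03 src=10.1.8.9 dst=elastic-cloud.com.evil.example:443 bytes_out=500
"""

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>[^:\s]+)(?::(?P<port>\d+))?\s+bytes_out=(?P<bytes>\d+)"
)


def is_elastic_cloud(fqdn):
    """True if fqdn is the apex or a subdomain of an Elastic Cloud domain.

    Suffix matching with the leading dot rejects lookalikes such as
    elastic-cloud.com.evil.example, which a naive substring check would accept.
    """
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == s[1:] or fqdn.endswith(s) for s in ELASTIC_CLOUD_SUFFIXES)


def hunt_elastic_egress(log_text, allowed_hosts):
    """Aggregate Elastic Cloud egress per host, excluding hosts that are supposed to talk to it.

    allowed_hosts is your baseline: log shippers, the SIEM itself, analysts' jump hosts.
    Returns dicts sorted by bytes_out descending, so the loudest unexpected talker is first.
    """
    totals = defaultdict(lambda: {"bytes_out": 0, "connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not is_elastic_cloud(m["dst"]) or m["host"] in allowed_hosts:
            continue
        rec = totals[m["host"]]
        rec["bytes_out"] += int(m["bytes"])
        rec["connections"] += 1
        rec["destinations"].add(m["dst"])
    return sorted(
        ({"host": h, **v, "destinations": sorted(v["destinations"])} for h, v in totals.items()),
        key=lambda r: r["bytes_out"],
        reverse=True,
    )


if __name__ == "__main__":
    for hit in hunt_elastic_egress(SAMPLE_EGRESS_LOG, allowed_hosts={"siem-fwd-01"}):
        print(f"{hit['host']}: {hit['bytes_out']} bytes over {hit['connections']} connection(s) to {hit['destinations']}")
```

Run against real proxy or firewall logs, the allowed-host set is the whole control: if it is empty because "everything might need Elastic", you are back to the data diode problem.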

The campaign threads through opportunistic exploitation of public-facing software; the products Huntress names include SolarWinds Web Help Desk and SharePoint.

What is operationally interesting is not just "they exploited bugs." It is the workflow:

  1. Get in via exposed app vulns.
  2. Stage/triage (figure out what the org is worth, fast).
  3. Exfil/telemetry laundering via Elastic Cloud endpoints, blending into normal-looking HTTPS traffic.

The defensive punchline: if your environment allows any host to talk to any "legit cloud," you have built a data diode for the attacker and called it "business enablement." Red teams, take note; this is a beautiful proxy for your next engagement's exfil channel.

Practical moves:

  • Patch the entry points and validate exposure, especially the SolarWinds Web Help Desk and SharePoint builds named in the Huntress report. (Active Exploitation of SolarWinds Web Help Desk)
  • Treat outbound to SIEM APIs as privileged egress, not general web browsing. If your endpoints never need to call Elastic Cloud directly, that is a policy opportunity.
  • Put friction on "free trial" creation (disposable email domains, payment method rules, SSO enforcement) in your org, and ask vendors what they do to stop it.

UPDATE: Tycoon 2FA disruption, now with Cloudflare's perspective

We talked about the Tycoon2FA takedown in the last issue; Cloudflare has now published its side of the operation with more infrastructure-level detail. Net effect: a major AiTM phishing platform that specialized in stealing session cookies to bypass MFA got dismantled in a Europol-coordinated operation. Microsoft seized 330 domains. (Tycoon 2FA Takedown | Cloudflare)

Why this matters for your engagements: Tycoon 2FA accounted for roughly 62% of all phishing attempts Microsoft blocked, including over 30 million emails in a single month hitting 500,000+ orgs. The infrastructure is down, but the technique survives because it preys on a structural truth: most MFA is still phishable.

The update angle is less "yay, takedown" and more: AiTM is durable. Kits get disrupted, operators pivot, and the pattern lives on.

If you want a future where these disruptions stick:

  • Phishing-resistant MFA (FIDO2/WebAuthn or equivalent), not just "MFA somewhere." (Tycoon 2FA Takedown | Cloudflare)
  • Shorter sessions and stronger session integrity controls where your identity platform supports it.

AiTM goes after cloud admins: AWS console phishing with fast follow-through

Datadog mapped an active adversary-in-the-middle campaign targeting AWS Management Console credentials and MFA tokens, with attackers logging in within 20 minutes of credential submission, often from commercial VPN infrastructure (Mullvad spotted in the telemetry). (Behind the console: Active phishing campaign targeting AWS console credentials)

Cloud compromise speedrunning is back. If they can steal a session and land a console login that fast, your "we will investigate tomorrow" playbook becomes "we will find the ashes tomorrow."

Defender takeaways:

  • Watch for anomalous ConsoleLogin patterns and "impossible travel"-style logins; this campaign leaned on VPN egress. (Behind the console | Datadog)
  • If you cannot move to phishing-resistant MFA quickly, at least tighten conditional access and reduce standing privilege.
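Two of those signals, login from commercial VPN egress and impossible travel between consecutive console logins, are cheap to implement over CloudTrail. The following is an added example, not Datadog's detection logic or an AWS-provided tool. The ConsoleLogin records are constructed and trimmed to the fields the check uses (eventTime, userIdentity.userName, sourceIPAddress, responseElements.ConsoleLogin, additionalEventData.MFAUsed), and the IP-to-location table and VPN egress set are stand-ins for your own geo/ASN and VPN feeds. Note that the second alice login has MFAUsed=Yes: an AiTM kit relays the OTP, so a passed MFA check clears nothing.

```python
import math
from datetime import datetime, timezone

# Constructed CloudTrail ConsoleLogin records, trimmed to the fields used (not real data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-03-03T08:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-03-03T08:15:30Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.77",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-03-03T08:17:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.77",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},  # relayed OTP: MFAUsed=Yes is not exculpatory
    {"eventName": "ConsoleLogin", "eventTime": "2026-03-03T09:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

# Constructed enrichment: IP -> (lat, lon, label). Feed this from your geo/ASN data in production.
GEO = {
    "203.0.113.10": (30.27, -97.74, "corp-office"),
    "198.51.100.77": (59.33, 18.07, "commercial-vpn-egress"),
}
# Constructed set of commercial VPN egress addresses; populate from a VPN/proxy IP feed.
VPN_EGRESS = {"198.51.100.77"}

EARTH_RADIUS_KM = 6371.0


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_console_login_anomalies(events, geo, vpn_egress, max_kmh=900.0):
    """Flag successful ConsoleLogin events from VPN egress or implying impossible travel.

    max_kmh is the fastest plausible legitimate speed between two consecutive logins
    (roughly airliner speed). Failures are skipped: a failed login has not hurt you yet.
    """
    alerts = []
    last_seen = {}  # user -> (time, ip) of the previous successful login
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        user = ev["userIdentity"].get("userName", "<unknown>")
        ip, when = ev["sourceIPAddress"], parse_time(ev["eventTime"])
        if ip in vpn_egress:
            alerts.append({"user": user, "time": ev["eventTime"], "ip": ip, "rule": "vpn_egress",
                           "detail": geo.get(ip, (None, None, "unlabelled"))[2]})
        prev = last_seen.get(user)
        if prev and prev[1] != ip and prev[1] in geo and ip in geo:
            km = haversine_km(*geo[prev[1]][:2], *geo[ip][:2])
            hours = max((when - prev[0]).total_seconds() / 3600, 1 / 3600)  # floor at 1 s, no div-by-zero
            if km / hours > max_kmh:
                alerts.append({"user": user, "time": ev["eventTime"], "ip": ip, "rule": "impossible_travel",
                               "detail": f"{km:.0f} km in {hours * 60:.0f} min from {prev[1]}"})
        last_seen[user] = (when, ip)
    return alerts


if __name__ == "__main__":
    for a in detect_console_login_anomalies(SAMPLE_EVENTS, GEO, VPN_EGRESS):
        print(f"{a['time']} {a['user']} {a['ip']} {a['rule']}: {a['detail']}")
```

Wire the output to an automated response (revoke the session, disable the console password, page someone) rather than a ticket queue; at 20 minutes from phish to login, a ticket is a post-mortem.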

iOS exploitation gets packaged: Coruna's exploit-kit economy (and why it matters)

Google's Threat Intelligence Group profiled Coruna, an iOS exploit kit seen being used across multiple actors, delivered via compromised websites (drive-by), and aimed at financial theft, including wallet-related targeting. It chains multiple vulnerabilities across iOS 13 through 17.2.1 (CVE-2024-23222, CVE-2022-48503, CVE-2023-43000). (Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit)

Exploit kits are the mall food court of compromise: not always "nation-state pristine," but scalable, repeatable, and tuned for cash. The notable part is the multi-actor journey: tooling moves, gets resold or repurposed, and suddenly your threat model expands from "one adversary" to "a market."

Heads up for fed teams: CISA added CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 to the KEV catalog on March 5, 2026, following Coruna exploitation. Federal remediation deadline is March 26, 2026. (CISA Adds Five Known Exploited Vulnerabilities to Catalog)

Plain-English risk:

  • If you have unpatched iPhones/iPads in the wild, a web visit can be enough: no "install this app," no "enable developer mode," just "you opened the wrong page." (Coruna | Google Cloud Blog)

What to do:

  • Update iOS/iPadOS promptly. Coruna's story is basically a love letter to patch lag. (Coruna | Google Cloud Blog)
  • If you are in a higher-risk role and updates are not immediate, Lockdown Mode is a real lever, not a gimmick.

The copy/paste compromise family grows up: ClickFix, InstallFix, and macOS wallet backdoors

Three separate reports, one shared muscle memory: "paste this in your terminal/run box to fix it."

Fake CleanMyMac site drops SHub Stealer and backdoors crypto wallets (macOS)

Malwarebytes detailed a fake CleanMyMac distribution that uses ClickFix-style social engineering to get users to run terminal commands, then deploys SHub Stealer. The nasty twist: it does not just steal creds. It can modify Electron-based crypto wallets by backdooring core files (think app.asar-style tampering). (Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets)

Why this is hard to catch: SHub is part of an AppleScript-based stealer family (alongside MacSync and Odyssey). The ClickFix delivery means no disk image, no app bundle, no Gatekeeper prompt. The user pastes a curl command and presses Return. If you are red-teaming macOS environments, this delivery chain is worth studying.

"We are a Mac shop" is not a control. It is a line. Download from official sources, treat wallet seed exposure as catastrophic, and assume clipboard/terminal history are sensitive artifacts now. (Fake CleanMyMac | Malwarebytes)
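On a signed macOS app, the first check for app.asar tampering is `codesign --verify --deep --strict /Applications/<App>.app`, since Resources are covered by the code signature seal. The added example below (not Malwarebytes' tooling or anything from the SHub report) is the platform-neutral version: record a SHA-256 manifest of an Electron bundle right after a clean install, then diff it later. The bundle it builds is constructed in a temp directory with stand-in bytes; the "tampering" is a simulated append to app.asar plus a dropped script under app.asar.unpacked, which is the shape of attack the paragraph describes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256. Record this after a clean install."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Diff the bundle on disk against the recorded manifest.

    'modified' is the app.asar-tampering case; 'added' catches dropped loaders or
    app.asar.unpacked payloads; 'missing' catches deleted integrity helpers.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Build a constructed Electron-style bundle, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Wallet.app"  # constructed stand-in, not a real wallet
        _write(app, "Contents/Info.plist", b"<plist/>")
        _write(app, "Contents/Resources/app.asar", b"ASAR\x00constructed archive bytes")
        baseline = build_manifest(app)

        # Simulated SHub-style tampering: a loader appended to app.asar plus a dropped script.
        with open(app / "Contents/Resources/app.asar", "ab") as f:
            f.write(b"\nrequire('./inject.js'); // constructed")
        _write(app, "Contents/Resources/app.asar.unpacked/inject.js", b"// constructed stealer stub")

        return verify_manifest(app, baseline)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status}: {paths}")
```

Store the manifest somewhere the stealer cannot edit (not next to the app, and not in the same user's home directory it is already rummaging through), or the check verifies the attacker's baseline.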

InstallFix: malvertised "install guides" for developer tools

Push Security described InstallFix, where attackers clone installation docs and buy search placement, leading to command execution and infostealers like Amatera Stealer. (InstallFix: How attackers are weaponizing malvertized install guides)

Weaponized documentation is the most cursed timeline. We trained devs to trust copy/paste because it is efficient. Attackers noticed. This one is also a reminder: "malvertising" is not just fake antivirus popups anymore. It is search results for your tools.


Payload-less is not harmless: Windows MDM enrollment hijack via ms-device-enrollment:

Malwarebytes documented a slick con: fake Google Meet update pages push victims into clicking an ms-device-enrollment: link, enrolling the machine into an attacker-controlled MDM (hosted on the Esper platform), granting remote admin-style control without the usual malware execution chain. (One click on this fake Google Meet update can give attackers control of your PC)

This is the kind of abuse that makes incident reports awkward: "No, we did not find a trojan... because Windows did it politely." Using administrative techniques to provide unsolicited systems administration is a solid adversary technique, and my favorite red team play. For defenders, the trick is locking down endpoints so they know when to call "stranger danger" on unknown management servers.

C2 intel for emulation: The enrollment dialog is a real Windows system prompt, not a spoofed web page, so it sails past browser security warnings and email scanners that look for credential-harvesting pages. Red teams, the ms-device-enrollment: URI handler is a legitimate OS feature that doubles as a control and persistence channel; it is worth testing.

If you run Windows endpoints at scale, the control is policy rather than detection: disable user-initiated MDM enrollment on devices that are already managed (the "Disable MDM Enrollment" Group Policy under Windows Components > MDM), let devices enroll only through your own tenant's automatic enrollment, and alert on any enrollment to a management server that is not yours.


Supply chain lesson of the week: kubernetes-el and the GitHub Actions foot-gun

A compromise of the Emacs package kubernetes-el turned into repo defacement, destructive code risks for users, and CI/CD secret exposure, tied to GitHub Actions workflow misconfiguration (notably the pull_request_target hazard when untrusted code gets checked out). StepSecurity published the full breakdown. (kubernetes-el Compromised: How a Pwn Request Exploited a Popular Emacs Package)

"It is just an Emacs package" is how you end up rotating cloud creds at 2 AM. Your build pipeline is an identity system now; treat it like one.

Why this is hard to catch: The attacker account (quicktrinny) was created one day before the PR. The PR title was "ci: add test" with the description "important test :)". The pull_request_target trigger runs in the context of the base repository, so the workflow had a write-capable GITHUB_TOKEN and access to repository secrets while it checked out and ran the attacker's PR code. If your CI runs untrusted code with privileged tokens, you are one PR away from the same story.
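The pattern is mechanical enough to grep for. Below is an added example (not StepSecurity's scanner and not the kubernetes-el repository's real CI) that audits a workflow file for the pwn-request shape: a privileged trigger (pull_request_target, workflow_run, issue_comment) combined with a checkout of the untrusted PR head, secrets exposed to those steps, and no read-only top-level permissions block. Both workflow texts are constructed; the vulnerable one mirrors the shape described above, the safe one is the fix. It splits the YAML by top-level indentation so it runs with the standard library alone.

```python
import re

# Constructed workflows for illustration, not the kubernetes-el repository's actual CI.
PWN_REQUEST_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Triggers that run in the base repository's privileged context even for fork PRs.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run", "issue_comment")
# Expressions that resolve to attacker-controlled code when a fork PR is involved.
UNTRUSTED_REF = re.compile(r"github\.event\.(pull_request\.head|workflow_run\.head_(sha|branch))")


def top_level_blocks(text):
    """Split workflow YAML into {top-level key: text of its block}. Indentation-based, no YAML library."""
    blocks, key = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, rest = line.partition(":")
            key = key.strip()
            blocks[key] = [rest.strip()] if rest.strip() else []
        elif key is not None:
            blocks[key].append(line)
    return {k: "\n".join(v) for k, v in blocks.items()}


def audit_workflow(text):
    """Return findings for the pwn-request pattern and over-broad token permissions."""
    blocks = top_level_blocks(text)
    findings = []
    privileged = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", blocks.get("on", ""))]
    jobs = blocks.get("jobs", "")
    checks_out_untrusted = privileged and UNTRUSTED_REF.search(jobs)
    if checks_out_untrusted:
        findings.append(
            f"pwn request: {', '.join(privileged)} runs with the base-repo token "
            "but checks out the untrusted PR head"
        )
        if "secrets." in jobs:
            findings.append("repository secrets are passed to steps that run PR-controlled code")
    permissions = blocks.get("permissions")
    if permissions is None:
        findings.append("no top-level permissions block: GITHUB_TOKEN falls back to the repository default")
    elif re.search(r"write-all|:\s*write\b", permissions):
        findings.append("permissions grant write access; prefer contents: read and escalate per job")
    return findings


if __name__ == "__main__":
    for name, wf in (("pwn-request", PWN_REQUEST_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, "->", audit_workflow(wf) or ["clean"])
```

Point it at every file under .github/workflows/ in your org and sort by finding count; the repos that need pull_request_target (label bots, comment responders) should be doing so without a checkout of the PR head, or with the untrusted code confined to a job that has no secrets and read-only permissions.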

Minimum sanity: do not check out or execute pull-request code under pull_request_target (use pull_request, which gives fork PRs a read-only token and no secrets), and set top-level permissions to read-only, granting write per job only where it is needed.

As a longtime Vim user, I'll spare you my Emacs vs. Vim partisan rhetoric since supply chain nonsense is no joke, but just know that I'll go back to friendly trashtalking after we get this cleaned up.


UPDATE: LastPass phishing evolves, fake email chains, and a new lure domain

LastPass is warning about an active campaign using fake email chains and display-name spoofing to push victims toward a credential-harvesting site (verify-lastpass.com). No breach of LastPass systems; this is straight-up social engineering aimed at vault takeover. (LastPass Alerts Customers of Fake Email Chains Used in New Phishing Campaign)

Fresh angle from the January wave: the "email chain" trick is designed to bypass human skepticism, not technical controls. It reads like continuity, like someone already talked to you, like you are late to the conversation.

The evergreen reminder: LastPass will not ask for your master password. (LastPass Phishing Alert)


Browser extensions keep eating the enterprise: fake AI sidebars at scale (update, bigger blast radius)

Two malicious Chrome extensions impersonating AI tools reportedly hit 900,000 users, with enterprise exposure estimated in the tens of thousands, exfiltrating AI prompts/responses and browsing data. This is the same genre we have been yelling about ("your browser is a data plane"), but with sharper operational details like extension IDs and domains. (Chrome Extensions Steal ChatGPT and DeepSeek Conversations, Fake AI Browser Extensions | OX Security)

Extensions are third-party code running inside the browser with host permissions broad enough to read what you see and type, which these days means your work brain. At some point, "allow any extension" becomes "allow any intern to install a keylogger."

Defensive posture:

  • Enterprise extension allowlisting (ExtensionInstallBlocklist set to * plus an explicit ExtensionInstallAllowlist; yes, the tedious way).
  • Assume sensitive data has been pasted into AI chats; rotate anything that might have been disclosed. (Chrome Extensions | Truesec)

Geopolitics as phishing bait: Middle East conflict lures go industrial

Zscaler notes threat actors leaning hard into Middle East conflict-themed lures to distribute malware (including LOTUSLITE and StealC), push scams, and run phishing at scale. Over 8,000 newly registered conflict-themed domains. The "news cycle as exploit kit" pattern continues. (Middle East Conflict Fuels Cyber Attacks)

These campaigns thrive on emotion and urgency. For your red team exercises, conflict-themed pretexts are hitting above their weight right now. For your blue team, training that explicitly covers "current event" bait is the human-layer control, because it works.


Quick hits worth your leftover attention


Closing

We keep inventing systems that assume good faith: free trials, extension stores, device enrollment, copy/paste install docs. Attackers do not need better exploits when they can just borrow our convenience.

The 90s promised us cyberspace. Turns out we got "cyber-clipboard." Guard your egress, lock down your identity flows, and maybe stop pasting spells from strangers into your terminal like it is 1996 and someone on IRC just told you to splat :(){:|:&};: in your shell.

Stay frosty out there. Also, don't splat that. Or do, it's your shell.

~ UncleSp1d3r