EvilBit Threat Digest - Wipes, Wormholes, and Weaponized Admin Panels
A summary of this week's threats: identity and cloud admin tools turned against their own fleets, plus supply-chain and phishing trends.
Some weeks, the attackers bring zero-days. Other weeks, they bring patience, social engineering, and a perfectly legitimate admin console.
This week leaned heavily toward the latter. Multiple incidents showed a pattern we keep seeing: attackers don't need exotic exploits when identity, management tools, or supply chains give them the same power with less noise.
Cloud admin portals, software packages, browser extensions, and remote-management tools all featured prominently in the week's highlights. A few law-enforcement takedowns also landed, but, as usual, infrastructure removals tend to sprout new heads.
Coffee brewed, news queued.
When the Admin Console Becomes the Weapon
Stryker Incident: Intune Used as a Global Wiper
A suspected Iran-linked operation hit medical device giant Stryker, allegedly abusing compromised Microsoft Intune administrative credentials to remotely wipe more than 200,000 corporate devices across 79 countries. The attack is attributed to the pro-Iranian Handala group and reportedly disrupted global operations and closed the company headquarters temporarily. Medtech Firm Stryker Disrupted by Pro-Iran Hackers
The technique is as brutal as it is simple.
Instead of deploying custom malware, the attackers reportedly:
- Obtained Intune/Entra administrative access
- Issued legitimate remote device wipe commands
- Triggered factory resets across the managed fleet
If accurate, the move effectively weaponizes enterprise mobile-device management. No exploit chain required, just valid cloud admin access and a destructive command.
From a defender's perspective, this sits in the uncomfortable overlap of identity compromise and operational tooling. MDM platforms are supposed to do exactly this. Detecting malicious use becomes a matter of behavioral context, not tool identification.
In other words, if someone with admin rights presses the "destroy everything" button, the logs will show exactly that. The problem is deciding when not to press that button.
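The behavioral check described above, as an added example (not from the article or any vendor): a per-actor sliding window over simplified MDM audit records. The record layout, field names and the ten-minute/five-device threshold are assumptions for illustration, not the real Intune audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote actions that destroy or detach a device. Grouping "Wipe" and "Retire"
# as one destructive class is an editorial assumption for this example.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire"}


def _rec(time, actor, action, device):
    return {"time": time, "actor": actor, "action": action, "device": device}


# Constructed, simplified audit records. Field names are illustrative
# assumptions, not the real Intune/Entra audit schema.
SAMPLE_AUDIT = (
    # six wipes in ten seconds from one admin account
    [_rec(f"2026-03-10T02:00:{s:02d}Z", "breakglass-admin@corp.example", "Wipe", f"LAP-{s:04d}")
     for s in range(0, 12, 2)]
    # routine helpdesk work: two wipes hours apart, plus a non-destructive sync
    + [_rec("2026-03-10T09:15:00Z", "helpdesk@corp.example", "Wipe", "LAP-7781"),
       _rec("2026-03-10T11:02:00Z", "helpdesk@corp.example", "SyncDevice", "LAP-7782"),
       _rec("2026-03-10T14:40:00Z", "helpdesk@corp.example", "Wipe", "LAP-7790")]
)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def wipe_bursts(records, window_minutes=10, threshold=5):
    """Return {actor: peak destructive-action count inside any window} for every
    actor whose peak reaches `threshold`. A single Wipe is legitimate; only the
    rate per actor separates a lost-laptop ticket from a fleet-wide wipe."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for r in records:
        if r["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[r["actor"]].append(_parse(r["time"]))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    print(wipe_bursts(SAMPLE_AUDIT))  # {'breakglass-admin@corp.example': 6}
```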
Cloud Credentials Are Still the Crown Jewels
AiTM Phishing Targeting AWS Console Logins
Another campaign making the rounds is targeting AWS console credentials using adversary-in-the-middle phishing infrastructure. The phishing sites proxy authentication to the legitimate AWS login page and capture session tokens during the process. Behind the console: Active phishing campaign targeting AWS console credentials
The infrastructure behaves like a man-in-the-middle relay:
- The victim enters credentials into a fake AWS login page.
- The phishing server forwards them to AWS in real time.
- When MFA completes, the attacker steals the authenticated session cookie.
Result: immediate console access without needing the password or MFA code again.
This style of attack keeps gaining traction because it bypasses the most common defensive advice: "enable MFA." MFA still matters; however, token theft has become the new pivot. The real countermeasure is phishing-resistant authentication: FIDO2 hardware keys or passkeys. Session tokens can't be proxied if credentials never leave the authenticator.
A blue-team tell here is often impossible travel or rapid console activity immediately after authentication. By the time alerts fire, though, attackers may already be launching instances, dumping S3 buckets, or creating new IAM keys.
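The post-authentication tell described above, as an added example (not from the article or the campaign write-up): a successful ConsoleLogin from an address the principal has never used, followed within minutes by the actions the paragraph names. The events are constructed and CloudTrail-shaped (eventName, eventTime, sourceIPAddress, userIdentity.arn, responseElements.ConsoleLogin are real field names); the known-IP baseline and 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Post-login actions the article lists: launching instances, dumping S3, minting IAM keys.
SENSITIVE_CALLS = {"RunInstances", "ListBuckets", "GetObject", "CreateAccessKey", "CreateUser"}


def _ev(time, name, arn, ip, success=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    e = {"eventTime": time, "eventName": name, "sourceIPAddress": ip, "userIdentity": {"arn": arn}}
    if success is not None:  # ConsoleLogin carries its outcome in responseElements
        e["responseElements"] = {"ConsoleLogin": "Success" if success else "Failure"}
    return e


ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"

# Constructed events: alice's normal office login, then a login from a never-seen
# address followed within minutes by key creation and an instance launch.
SAMPLE_EVENTS = [
    _ev("2026-03-11T09:00:00Z", "ConsoleLogin", ALICE, "203.0.113.10", success=True),
    _ev("2026-03-11T09:02:10Z", "ListBuckets", ALICE, "203.0.113.10"),
    _ev("2026-03-11T09:30:00Z", "ConsoleLogin", ALICE, "198.51.100.77", success=True),
    _ev("2026-03-11T09:31:05Z", "CreateAccessKey", ALICE, "198.51.100.77"),
    _ev("2026-03-11T09:33:40Z", "RunInstances", ALICE, "198.51.100.77"),
    _ev("2026-03-11T09:40:00Z", "ConsoleLogin", BOB, "198.51.100.5", success=True),
    _ev("2026-03-11T09:41:00Z", "DescribeInstances", BOB, "198.51.100.5"),
]
KNOWN_IPS = {ALICE: {"203.0.113.10"}, BOB: {"203.0.113.11"}}  # assumed per-principal baseline


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_sessions(events, known_ips, window_minutes=15):
    """Flag a successful ConsoleLogin from an IP the principal has not used before
    when sensitive API calls from that same IP follow inside the window."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e["eventTime"])
    findings = []
    for login in events:
        if login["eventName"] != "ConsoleLogin" or \
                login.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        arn, ip, t0 = login["userIdentity"]["arn"], login["sourceIPAddress"], _ts(login["eventTime"])
        if ip in known_ips.get(arn, set()):
            continue  # familiar address: not the stolen-session pattern
        actions = [e["eventName"] for e in events
                   if e["userIdentity"]["arn"] == arn and e["sourceIPAddress"] == ip
                   and e["eventName"] in SENSITIVE_CALLS and t0 <= _ts(e["eventTime"]) <= t0 + window]
        if actions:
            findings.append({"principal": arn, "source_ip": ip, "login": login["eventTime"], "actions": actions})
    return findings
```

Bob's login from an unknown address is deliberately not flagged: read-only enumeration alone does not meet the rule, which is the trade-off any such detection makes between noise and coverage.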
Supply Chains Continue to Surprise Us
Trojanized CMS Themes Shipping Malicious jQuery
Socket uncovered a supply-chain attack hiding malware in six Packagist packages posing as OphimCMS themes, collectively downloaded about 2,750 times. 6 Malicious Packagist Themes Ship Trojanized jQuery
The malicious packages bundle a modified jQuery file that:
- Sends visitor URLs to a remote analytics domain (userstat[.]net)
- Injects ads and hijacks clicks
- Redirects mobile users to gambling or adult sites
- Uses anti-debugging logic to evade analysis
The infrastructure ties back to FUNNULL Technology Inc., a Philippines-based CDN sanctioned by OFAC in May 2025 for facilitating over $200 million in cryptocurrency investment scams.
The clever part here is hiding the payload where developers rarely look: vendor JavaScript assets inside a theme package. Developers scanning PHP templates might miss a modified JS dependency entirely.
Moral of the story here: modern supply chains are fractal. The malicious component may be buried several layers down from the code anyone intended to install.
Remote Management Tools: The New Initial Access Brokers
"Daisy-Chaining" Rogue RMM Software
Threat actors are increasingly abusing legitimate Remote Monitoring and Management (RMM) tools as an initial access mechanism. Huntress documented cases where attackers deploy multiple RMM products sequentially, a practice they call "daisy-chaining." How Threat Actors Abuse Remote Management Software for Initial Access
The workflow typically looks like this:
- The victim installs an RMM agent via social engineering
- Attacker gains remote control
- Attacker installs additional RMM tools
- Persistence survives if one tool gets removed
Think of it as layered remote access.
Instead of deploying custom implants, attackers piggyback on legitimate software such as:
- ScreenConnect
- AnyDesk
- Atera
- RustDesk
- Chrome Remote Desktop
- Tactical RMM
Or, as UncleSp1d3r likes to put it: attackers have realized enterprise environments already allow remote-admin software, so bring your own helpdesk.
Blocking this tradecraft isn't easy. These tools are legitimate and widely used. The real signal tends to be unexpected RMM products appearing in environments that already have a sanctioned one.
Two helpdesks in the same environment are usually a red flag.
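The "two helpdesks" signal as an added example (not Huntress's tooling or the article's code): a software-inventory check that flags any RMM product outside the sanctioned one and any host carrying more than one agent. The inventory and the choice of Atera as the sanctioned tool are constructed assumptions; the product list is the one given above.

```python
# RMM products the article lists as abused for initial access.
RMM_PRODUCTS = {"ScreenConnect", "AnyDesk", "Atera", "RustDesk", "Chrome Remote Desktop", "Tactical RMM"}

# Constructed software inventory (host -> installed product names). In practice
# this comes from an asset-management or EDR export; the hosts here are made up.
SAMPLE_INVENTORY = {
    "ws-finance-01": ["Microsoft Office", "Atera", "Zoom"],
    "ws-finance-02": ["Microsoft Office", "Atera", "AnyDesk", "ScreenConnect"],  # daisy-chained
    "ws-hr-03": ["Microsoft Office", "RustDesk"],  # unsanctioned helpdesk
    "srv-files-01": ["Windows Server Backup"],
}
SANCTIONED = {"Atera"}  # assumption: the one remote-admin tool IT actually deployed


def rmm_findings(inventory, sanctioned, rmm_products=RMM_PRODUCTS):
    """Return {host: {"rmm": [...], "reasons": [...]}} for hosts whose RMM footprint
    is unexpected: any product outside `sanctioned`, or more than one RMM at all.
    Hosts running only the sanctioned tool, or no RMM, produce no finding."""
    findings = {}
    for host, software in inventory.items():
        present = sorted(set(software) & rmm_products)
        reasons = []
        unsanctioned = [p for p in present if p not in sanctioned]
        if unsanctioned:
            reasons.append("unsanctioned RMM: " + ", ".join(unsanctioned))
        if len(present) > 1:
            reasons.append("multiple RMM agents (daisy-chain pattern)")
        if reasons:
            findings[host] = {"rmm": present, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for host, f in rmm_findings(SAMPLE_INVENTORY, SANCTIONED).items():
        print(host, f["rmm"], "; ".join(f["reasons"]))
```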
Router OS Bugs With Root on the Line
Cisco IOS XR Privilege Escalation
Cisco disclosed two high-severity vulnerabilities affecting IOS XR, its carrier-grade router operating system.
- CVE-2026-20040: local privilege escalation to root (affects IOS XR releases through 25.x)
- CVE-2026-20046: authenticated command injection leading to full device control (specific to IOS XRv 9000 Routers)
Both vulnerabilities carry CVSS 8.8 scores. Fixed versions are available: 25.2.21, 25.4.2, or 26.1+ for CVE-2026-20040, and 25.2.2+ for CVE-2026-20046. Cisco IOS XR Software CLI Privilege Escalation Vulnerabilities
Successful exploitation allows attackers with low-privileged access to execute arbitrary OS commands on the router.
For internet backbone infrastructure, that means:
- route manipulation
- traffic interception
- persistent network footholds
If you run TACACS+ AAA command authorization, Cisco notes that restricting unauthorized command access can serve as a compensating control for CVE-2026-20046. For everyone else, the patch is the path. No active exploitation reported at time of disclosure, but carrier-grade routers with root-level bugs have a short shelf life once advisories go public.
The bad news: network gear tends to patch slowly, especially in telecom environments where maintenance windows resemble planetary alignments.
Phishing Tricks Get Weird (Again)
IPv6 Address Obfuscation in Scam Emails
Phishers are disguising malicious URLs using IPv6-mapped IPv4 addresses, which look strange enough to slip past casual inspection and sometimes evade simplistic URL filters. Phishers hide scam links with IPv6 trick in "free toothbrush" emails
Example format:
http://[::ffff:192.0.2.123]/
Many tools normalize this correctly. Some email filters and browser previews do not.
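How a filter gets this right, as an added example (not from the article or any product): canonicalise the URL host with the standard library before comparing it against a blocklist, so the dotted form above and its hex equivalent both resolve to the plain IPv4 address. The blocklist entries are constructed; 192.0.2.123 is the article's own example address.

```python
import ipaddress
from urllib.parse import urlsplit


def canonical_host(url):
    """Return the host of `url` with IPv4-mapped IPv6 literals unwrapped to plain IPv4.

    Handles the dotted form from the article (http://[::ffff:192.0.2.123]/) and its
    equivalent hex form (http://[::ffff:c000:27b]/). Other IPv6 literals come back in
    compressed form; domain names come back lowercased and otherwise unchanged."""
    host = urlsplit(url).hostname  # lowercases and strips the [] around an IPv6 literal
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # a hostname, not an IP literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)  # ::ffff:a.b.c.d -> a.b.c.d
    return str(addr)


def naive_blocked(url, blocked_ipv4):
    """What a substring-based filter does: it catches the dotted form only because the
    digits happen to appear in the URL, and misses the hex-mapped form entirely."""
    return any(ip in url for ip in blocked_ipv4)


def blocked(url, blocked_ipv4):
    """Filter that compares the canonicalised host against a plain-IPv4 blocklist."""
    return canonical_host(url) in blocked_ipv4


if __name__ == "__main__":
    block = {"192.0.2.123"}  # constructed blocklist entry
    for u in ("http://[::ffff:192.0.2.123]/", "http://[::ffff:c000:27b]/offer"):
        print(u, "->", canonical_host(u), "naive:", naive_blocked(u, block), "canonical:", blocked(u, block))
```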
The campaign itself is classic phishing (fake healthcare offers promising free products), but the URL trick shows how small protocol quirks still get mileage decades later.
IPv6: solving address exhaustion and enabling phishing creativity since 1998.
Law Enforcement Takes a Few Swings
Operation Synergia III: 45,000 Malicious IPs Taken Down
INTERPOL announced the results of Operation Synergia III, a coordinated international effort targeting cybercrime infrastructure, conducted between July 2025 and January 2026 in partnership with Group-IB, Trend Micro, and S2W. 45,000 malicious IP addresses taken down in international cyber operation
Key stats:
- 45,000 malicious IPs and servers dismantled
- 94 suspects arrested
- 212 devices seized
- 72 countries involved
The operation focused on infrastructure supporting phishing, ransomware, fraud, and malware campaigns.
Infrastructure takedowns rarely end operations outright, but they do force criminals to rebuild hosting, domains, and botnets. In attacker economics, that friction matters.
SocksEscort Proxy Network Shut Down
Another infrastructure hit landed against SocksEscort, a residential proxy network powered by compromised routers and IoT devices. Operation Lightning takes down SocksEscort proxy network
Authorities seized:
- 34 domains
- 23 servers across 7 countries
- about $3.5 million in cryptocurrency
The service reportedly used roughly 369,000 compromised devices across 163 countries to sell residential proxy access to criminals.
Those proxies enabled:
- ransomware delivery
- credential stuffing
- account takeovers
- ad fraud
Home routers have quietly become one of the largest botnet reservoirs on the internet. They run for years without updates, and nobody checks their logs (assuming they even have logs).
Infostealers and Installer Abuse Keep Growing
A broader malware trend report from AhnLab ASEC highlights continued growth in infostealer distribution via legitimate installer frameworks, particularly Inno Setup packages, which nearly tripled month-over-month from 5,323 samples in January to 13,211 in February. February 2026 Infostealer Trend Report
Families like LummaC2, Vidar, and ACRStealer increasingly arrive bundled with seemingly normal installers downloaded from SEO-poisoned pages.
This technique works because users expect installers to unpack multiple components. Dropping a payload during setup barely registers.
The macOS side isn't immune either. Samples are evolving rapidly, often mutating enough that static signatures struggle to keep pace.
Which means the old rule still holds: if your detection pipeline relies entirely on hashes, the attackers are already two commits ahead.
Closing Thoughts
This week's stories share a theme: control planes are becoming the attack surface.
- Cloud management consoles
- MDM platforms
- Remote-admin software
- Package repositories
- Router operating systems
Attackers increasingly target the systems designed to manage everything else. Once they have those keys, the rest of the infrastructure follows.
Or, as UncleSp1d3r put it while reviewing the Stryker wipe story: "If you can't deploy malware everywhere... just log in and press the 'wipe' button."
Stay patched, keep your admin accounts boring, and maybe check how many remote-management tools are quietly running in your environment.
Eyes on the network. Claws sharp.
- KryptoKat