EvilBit Threat Digest - Ghosts in the Pipeline

Sometimes, you get a zero-day with a clean CVE and a vendor advisory by lunch; and other times, you face the fact that the more difficult problem is trust itself.

There was quite a bit of noise this week, but the signal was clearer than usual: attackers kept landing inside the assumptions defenders still treat as routine. Mutable tags. Package registries. Legitimate remote admin tools. Blockchain infrastructure that looks like ordinary API traffic. None of that should feel surprising in 2026, and yet plenty of teams still defend as if trust, once given, will politely stay where it was put. Jane Austen would have had notes.

Supply Chain: Trust Is Still the Soft Spot

The clearest lesson this week came from software delivery, not from a memory corruption bug.

StepSecurity reported that xygeni/xygeni-action was compromised on 3 March 2026, after an attacker used stolen maintainer credentials and a compromised GitHub App token to move the mutable v5 tag to a backdoored commit. Any repository calling @v5 could execute attacker-controlled code without a visible workflow-file change. That is the part defenders should linger on: the workflow can look untouched while the tag underneath it quietly changes shape. If your review process stops at "the YAML did not change," the attacker is already a step ahead. (StepSecurity)

The package ecosystem, meanwhile, was in one of its less charming moods.

• StepSecurity documented a compromised bittensor-wallet 4.0.2 release on PyPI that was live for about 48 hours before it was yanked. The malicious version had direct access to wallet private keys and used multiple exfiltration paths, including HTTPS, DGA domains, and DNS tunneling. (StepSecurity)
• Endor Labs tracked 11 compromised npm package versions tied to a GlassWorm-linked campaign. The affected packages reached roughly 134,000 developers, and the attack used preinstall hooks, staged dependency chains, and a Solana-based C2 pattern that made detection and containment harder for defenders. (Endor Labs)

For defenders, the fix is not a patch. It is policy, inventory discipline, and rather less optimism than most build systems currently enjoy.

Blue team note: Find every GitHub Action still pinned to a mutable tag instead of a commit SHA, then treat that list like an exposure register. For package managers, flag install hooks and unexpected outbound DNS from build runners. If your CI egress policy still trusts "developer tooling" by default, it is overdue for a harder conversation.

C2 Has Moved into Stranger Terrain

Network defenders still like clear categories. This traffic is "web." That traffic is "DNS." This artifact is "host only." Malware has been ignoring those filing cabinets for years, just as everyone in Sneakers treated a voiceprint as a permanent truth.

Derp's 3 March analysis of OCRFix showed a three-stage botnet storing C2 URLs in BNB Smart Chain testnet smart contracts. Each stage resolves its current destination through standard JSON-RPC eth_call requests, which means the traffic can resemble ordinary blockchain-node activity unless defenders are inspecting response content and monitoring for known contract lookups. (Derp)

Nextron's 20 March write-up on RegPhantom pushed the same theme in the opposite direction. The rootkit uses the Windows registry as a covert trigger path, blocks the write so the value never persists, and then loads its payload in a way that reduces the usual forensic trail. Nextron also documented CFG obfuscation with opaque predicates and duplicated basic blocks, which is a useful reminder that stealth is now as much about starving your tooling as it is about hiding from an analyst. (Nextron Systems)

That boundary between host and network keeps getting thinner. One campaign hides its coordinates in blockchain responses. Another turns registry operations into an execution channel. If your detections still assume C2 must announce itself as a domain, a socket, or a file on disk, you are defending the last war's architecture diagram, and the attackers have already moved on to the sequel.

Phishing Still Works, It Just Looks More Professional

Trend Micro's 19 March research on PureLog is worth attention because the mechanics are disciplined rather than flashy. The campaign delivers PureLog Stealer entirely in memory, uses copyright-themed lures tailored to the victim's language, tampers with AMSI before payload execution, and chains loaders to keep the final malware off disk. For defenders, the takeaway is straightforward: if your visibility leans too heavily on on-disk artifacts or default AMSI coverage, this campaign was built to slip past the front desk. (Trend Micro)

Microsoft's 19 March tax-season write-up showed the same principle applied at scale with more pedestrian tooling. Across several February and March campaigns, threat actors used tax-themed lures to deliver ScreenConnect, SimpleHelp, and Datto. RMM abuse is not new, but it remains one of the easiest ways to turn inbox access into persistent control, especially when the lure lands during a filing deadline and the software is signed, familiar, and therefore trusted a little longer than it should be. (Microsoft)

Group-IB's research on shipment-tracking scams in the Middle East and Africa adds a useful detail: some kits now keep a persistent WebSocket open and stream keystrokes, card data, and one-time passcodes in real time instead of waiting for the victim to click "submit." That shrinks the defender's reaction window and makes session-based fraud much harder to interrupt once the victim starts typing. (Group-IB)

The lure still matters, of course. It always will. But the bigger shift is operational tempo. Defenders are no longer dealing with a simple handoff at the end of the interaction. In many of these campaigns, the theft is happening while the victim is still in the middle of the session, which is a thoroughly modern way to make an old fraud problem nastier.

Browsers, Phones, and the Patch Queue

Two patch stories deserve immediate triage.

First, Google pushed an emergency Chrome update on 12 March 2026, with stable desktop versions 146.0.7680.75 and 146.0.7680.76. Google updated the advisory on 13 March to clarify that CVE-2026-3909 would instead be fixed in a future release; the in-the-wild issue addressed in this build was CVE-2026-3910. That still moves this update out of the "next reboot is fine" bucket and into the "today" bucket for managed desktop fleets. (Google Chrome Releases)

Second, Apple released fixes on 11 February 2026 for CVE-2026-20700 and related issues after reporting that the flaw may have been used in highly targeted attacks against specific individuals on versions of iOS before iOS 26. Lookout notes that CVE-2026-20700 is in CISA's Known Exploited Vulnerabilities catalog and points administrators to iOS 26.3, or iOS 18.7.5 for legacy hardware, as the relevant compliance floor. For federal teams, the 5 March 2026 KEV deadline has already passed. For everyone else, that is still a useful line in the sand for exception handling. (Apple, Lookout)

This is where the weekly patch-management sermon writes itself: a vendor saying "fixed" is not the same thing as your environment being safe. Make sure the update reaches the actual devices, not just the dashboard slide and the meeting where everyone agrees to feel better. To borrow from Dickens, that is the sort of distinction between appearance and reality that tends to arrive with a bill attached.

Closing Thoughts

This week did not really belong to one malware family or one bug class. It belonged to an abused trust relationship.

Tags that move. Packages that inherit confidence from the registry around them. RMM tools that borrow legitimacy from their intended use. Blockchain traffic passes for ordinary infrastructure until you read the response closely enough. Registry writes that never land, but still does the job.

Security teams tend to build controls around obvious malice. The better lesson this week is to build stronger controls around mutable trust, because attackers have become very good at hiding within the things your environment still labels as normal. That may not be new, exactly, but this week's cast gave it all the subtlety of a flickering CRT and still managed to get by on familiarity.

Eyes on the network. Claws ready.

- KryptoKat