ZeroDay Field Notes - Preloaded Hardware, Fileless RMM Drops, and Supply-Chain Backdoors
Preloaded LunaSpy phones, in-memory ScreenConnect drops, npm typosquats stealing SSH keys, two Cisco ISE 9.9s. Disk is for chumps this week.
Disk is for chumps. This week's haul: phones that came compromised out of the box, in-memory loaders dressed up as Adobe Reader, an RMM tool the security team already allowlisted, and an npm package that drops your SSH key while you blink. Skip the download dance, ride somebody else's signed binary, let the supply chain do the rest. Stuff worth stealing for your next engagement, in order.
LunaSpy ships preinstalled
F6's research traces an unusual delivery method for LunaSpy: the operators just hand the victim a phone with the implant already baked in. The pitch is a "secure device for sensitive comms," and it reportedly landed on Russian banking customers about 300 times across February and March. Four background services hoover up mic, camera, screen, SMS, contacts, SIM, battery, and network details. Pick a sensor, it's gone. C2 rotates. Self-defense, anti-removal, and heavy Accessibility Service abuse let it bypass UI restrictions like a teenager bypassing parental controls.
For red-team mobile work, "factory reset" is theater. Chain a social-engineering handoff with a preloaded device and you've shortcut the entire install phase. Blue will burn those C2 domains; rotate yours faster than they can block.
Fileless loader drops ScreenConnect with PEB and COM tricks
Zscaler ThreatLabz caught a multi-stage in-memory loader hiding behind a fake Adobe Acrobat Reader page on eshareflies[.]im/ad/. PEB manipulation for EDR evasion, auto-elevated COM objects to skip the UAC prompt, then a renamed installer pulled from x0[.]at/qOfN.msi lands ConnectWise ScreenConnect for persistence. PowerShell with -ExecutionPolicy Bypass is the predictable glue. They even split method names across string concats like "Lo"+"ad" to dodge static analysis, which is petty in the best way.
Operator angle: ScreenConnect already lives in most enterprises. Drop the loader without tripping process-creation telemetry and you inherit a signed binary that's pre-blessed on half the ACLs. Test PEB spoofing against your current EDR before the next gig, and swap the redirectors for your own.
RondoDox botnet keeps evolving its IoT mining/DDoS combo
Bitsight walks through RondoDox's "exploit shotgun" across 174 known CVEs. It hammers Netgear, Linksys, and Edimax edge junk and lands wherever it can, healthcare, education and cloud included. Multi-stage infection, aggressive anti-analysis, and competitor-removal logic that boots other malware off the box like an annoyed roommate. Persistence in crontab, init.d, and a couple of filesystem corners nobody audits. Double duty: DDoS plus Monero mining via XMRig dropped as softirq, because of course.
For red-team infrastructure, this is a live case study in resilient IoT C2. Hardcoded port 8443 raw TCP and the literal string rondo in the binary are gift-wrapped detection; don't copy those. The competitor-removal routine is worth lifting, though. It keeps the box tidy. Don't borrow the careless shotgun approach, though; indiscriminate deployment is the difference between fun and felony. Spin narrow. A web that catches everything also gets noticed by everything.
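The blue-side view of the persistence and masquerade details above, as an added example that is not from Bitsight's write-up: it flags crontab entries that launch from world-writable or hidden directories, and processes wearing a kernel-thread name while backed by an on-disk executable (real kernel threads have no exe link). The process records, crontab lines and the writable-directory list are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    """One process as read from /proc: comm plus the readlink of exe ("" for kernel threads)."""
    pid: int
    ppid: int
    comm: str
    exe: str

# Names genuine kernel threads use; a user-space binary wearing one is masquerading.
KERNEL_THREAD_NAMES = re.compile(r"^\[?(?:k?softirq|kworker|kthreadd|migration|rcu_|kswapd)")
# Locations a persistence payload tends to launch from (assumption: extend for your images).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/data/", "/mnt/")
HIDDEN_DIR = re.compile(r"/\.[^/]")
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")

def suspicious_procs(procs):
    """Return (pid, rule) pairs; genuine kernel threads carry an empty exe path."""
    hits = []
    for p in procs:
        if KERNEL_THREAD_NAMES.match(p.comm) and p.exe:
            hits.append((p.pid, "kernel_thread_name_with_userspace_exe"))
        if p.exe.startswith(WRITABLE_DIRS) or HIDDEN_DIR.search(p.exe):
            hits.append((p.pid, "exe_in_writable_or_hidden_dir"))
    return hits

def suspicious_cron(lines):
    """Return 1-based line numbers of crontab entries whose command touches a risky path."""
    flagged = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        cmd = m.group("cmd") if m else line
        if any(t.startswith(WRITABLE_DIRS) or HIDDEN_DIR.search(t) for t in cmd.split()):
            flagged.append(n)
    return flagged

# Constructed samples: a box with a masquerading miner process and two rogue cron lines.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", ""),
    Proc(15, 2, "ksoftirqd/0", ""),
    Proc(812, 1, "nginx", "/usr/sbin/nginx"),
    Proc(4021, 1, "softirq", "/tmp/.x/softirq"),
]
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "@reboot /tmp/.x/softirq",
    "*/5 * * * * /bin/sh /dev/shm/.s/run.sh",
]
```

On a live host, feed it the output of walking /proc and the user and system crontabs; init.d and rc.local scripts can be fed through suspicious_cron line by line with the schedule fields absent, since unmatched lines fall back to the whole line.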
MSBuild still wearing the LOLBin crown
AhnLab's teardown catches attackers running arbitrary C# in-memory through MSBuild.exe (it has its own LOLBAS entry). Inline tasks, DLL side-loading, just enough obfuscation to slide past Windows Defender on Win11. The giveaway is process trees where MSBuild spawns cmd or PowerShell from a path that has nothing to do with Visual Studio.
Steal it for your next .NET payload. The technique has been around forever and keeps working because most shops still treat MSBuild as a dev-only binary. If it's not in your living-off-the-land matrix, fix that.
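A detection-side counterpart to the two Windows items above (the ScreenConnect loader's PowerShell glue with -ExecutionPolicy Bypass and "Lo"+"ad" string splitting, and MSBuild spawning shells), added here and not taken from Zscaler's or AhnLab's reports: three rules run over constructed Sysmon-style process-creation records. The trusted MSBuild directories and the rule names are assumptions to tune per fleet.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in Sysmon event-1 shape; every sample below is constructed."""
    image: str
    parent_image: str
    command_line: str

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Where MSBuild.exe legitimately runs from on a build host (assumption: tune to your fleet).
TRUSTED_MSBUILD_DIRS = (
    "c:\\program files\\microsoft visual studio\\",
    "c:\\program files (x86)\\microsoft visual studio\\",
    "c:\\program files\\dotnet\\",
)
EP_BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
# "Lo"+"ad" style splitting: two short string literals glued together with '+'.
SPLIT_STRING = re.compile(r'"[^"]{1,8}"\s*\+\s*"[^"]{1,8}"')

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (event_index, rule_name) for every rule an event trips, in rule order."""
    hits = []
    for i, ev in enumerate(events):
        child, parent = basename(ev.image), basename(ev.parent_image)
        if parent == "msbuild.exe" and child in SHELLS:
            trusted = ev.parent_image.lower().startswith(TRUSTED_MSBUILD_DIRS)
            hits.append((i, "msbuild_spawns_shell" if trusted else "msbuild_untrusted_path_spawns_shell"))
        if child in SHELLS and EP_BYPASS.search(ev.command_line):
            hits.append((i, "powershell_executionpolicy_bypass"))
        if SPLIT_STRING.search(ev.command_line):
            hits.append((i, "split_string_concat"))
    return hits

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              "cmd.exe /c echo post-build step"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              'powershell.exe -nop -w hidden -ExecutionPolicy Bypass -c $t=("Lo"+"ad")'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -ep bypass -File C:\Users\bob\Downloads\setup.ps1"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe notes.txt"),
]
```

The first rule still fires for MSBuild under a Visual Studio path, just under a lower-priority name, so a build agent that legitimately shells out shows up as a tunable baseline rather than vanishing.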
WinRAR path-traversal meets UAC-0226 GIFTEDCROOK
April's Ukraine campaign from UAC-0226 chains CVE-2025-6218 and CVE-2025-8088 for archive-based execution. Synaptic Systems walked through the latest GIFTEDCROOK sample: military-themed lures, obfuscated PowerShell loaders, RC4 C2, runtime-reconstructed infrastructure, chunked exfil over Telegram. Espionage packaging, but the tradecraft is clean.
Patch your WinRAR (7.13+), obviously. For operators, archive path-traversal plus an LNK is a tidy initial-access primitive when you control the file. The RC4 keying and chunking logic are worth lifting for your own lightweight stealers.
npm typosquat drops SSH backdoor
SafeDep caught sjs-biginteger (typosquat of big.js) plus a handful of siblings, published 7 April by a throwaway account. On install it appends an attacker SSH key, commented @polymarket.support for a little extra cover, to ~/.ssh/authorized_keys, opens port 22, and ships SSH creds, .env files, and Solana wallet bits home. C2 hides behind Vercel domains dressed up as Cloudflare analytics. Linux, macOS, BSD all covered. Same crew that ran the Polymarket bot wave through a hijacked dev-protocol GitHub org back in February; the vector burned, the payload didn't.
Supply-chain ops just got another easy template. If your kit includes malicious packages, test the authorized_keys move. It's stupidly effective and leaves almost no process noise. Bonus trick: the payload runs at import time, not just postinstall, so any downstream require("sjs-biginteger") fires it again. Persistence without the loud hook. I love the authorized_keys technique because it adds nothing to the system that isn't natural, and so few people ever check their SSH keys to make sure they recognize every one of them. It's tight and surgical, with few side effects. Pull one thread at a time. Patient beats loud, and quiet beats indicted.
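Since the authorized_keys append is exactly the part nobody checks, here is an added audit routine (not from SafeDep's report or from the package) that parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and reports every key missing from an approved inventory. The key blobs below are constructed bytes rather than real keys, and the approved set is an assumption standing in for your key inventory.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-", "ssh-dss")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Parse each entry into options, key type, fingerprint and comment; keep unparseable lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps command="..." options together as one token
            idx = next(i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES))
            entries.append({
                "line": n,
                "options": tokens[:idx],
                "type": tokens[idx],
                "fingerprint": fingerprint(tokens[idx + 1]),
                "comment": " ".join(tokens[idx + 2:]),
            })
        except (ValueError, StopIteration, IndexError):  # bad quoting, no key type, bad base64
            entries.append({"line": n, "error": "unparseable", "raw": line})
    return entries

def audit(text, approved):
    """Return entries that are unparseable or whose fingerprint is not in the approved set."""
    return [e for e in parse_authorized_keys(text) if e.get("fingerprint") not in approved]

# Constructed blobs: arbitrary bytes, not real keys, so fingerprints are stable but meaningless.
ALICE_BLOB = base64.b64encode(b"constructed-key-alice").decode()
BACKUP_BLOB = base64.b64encode(b"constructed-key-backup").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-key-rogue").decode()
APPROVED = {fingerprint(ALICE_BLOB), fingerprint(BACKUP_BLOB)}
SAMPLE_FILE = f"""# constructed authorized_keys, not from a real host
ssh-ed25519 {ALICE_BLOB} alice@workstation
command="/usr/local/bin/backup" ssh-rsa {BACKUP_BLOB} backup@bastion
ssh-ed25519 {ROGUE_BLOB} @polymarket.support
"""
```

Run it against every ~/.ssh/authorized_keys and the root one on a schedule; a comment that looks plausible is no substitute for a fingerprint that matches your inventory.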
Cisco ISE RCE is authenticated but nasty
Two fresh bugs from Cisco PSIRT: CVE-2026-20147 (CVSS 9.9) is root command execution through a crafted HTTP request to the ISE web management interface, and CVE-2026-20148 (CVSS 9.9) is a path traversal in the same surface that an admin can flip into RCE. Both need authenticated admin creds; that's the catch. Single-node deployments can be knocked offline, which kills new endpoint auth in a hurry. Patches dropped April 15; no workarounds.
If you've already got network access or a compromised admin account, this is instant domain dominance on any ISE box. Lab it before the next engagement that touches NAC.
JanelaRAT keeps hitting LATAM fintech
Zscaler ThreatLabz first wrote this BX RAT fork up in 2023; KPMG's CTIP team refreshed the picture in mid-2025 and the operators are still working it. DLL side-loading via VMware and Microsoft signed binaries, daily C2 rotation, window-title sensing for banking apps, full keystroke/mouse/screen capture. Multi-stage VBS to BAT to payload. Mexico, Peru, Colombia, and neighbors.
The daily rotation and signed-loader pattern are worth copying for regional banking sims. If you're on the blue side of those engagements, watch for the exact window-title strings; that's the cheapest detection on the table. Neil McCauley's rule applies: nothing in your kit you can't drop in thirty seconds when the heat lands. Sticky indicators turn an op into an indictment.
Pattern of the week: supply chain and legit admin tools as the lowest-effort path in. Preloaded phones, RMM-as-C2, npm backdoors, signed LOLBins, all of it shrinks the noise floor. Steal the clean parts, tune your own tooling to match, and leave the loud IoCs for the next crew.
Pick your thread and place it deliberately. Wide nets snag more than prey, and most of what they snag bites back.
~ UncleSp1d3r