EvilBit Threat Digest - Supply Chains, Session Tokens, and a Page Cache That Doesn't Care About Containers
Copy Fail kernel LPE traverses containers, Microsoft AiTM hits 35,000 users, cPanel auth bypass on KEV, and three federal sentencings.
The dominant story this issue is CVE-2026-31431 ("Copy Fail"). It is an eight-year-old Linux kernel regression that turns any unprivileged shell into root, crosses container boundaries because the page cache is a host-global resource, and has shipped in every mainline distro since 2017. CISA gave federal agencies until Thursday. Everything else on this week's stream, the AiTM phishing at scale, the cloud-worm credential theft, the laptop-farm sentencings, is real and worth your time. None of it is going to ruin your week the way an unpatched node will.
Trusted Infrastructure That Still Bites
Microsoft Defender researchers unpacked a large-scale adversary-in-the-middle campaign that hit over 35,000 users across 13,000 organizations between April 14 and April 16, concentrated in U.S. healthcare and finance (92% of targets U.S.-based, healthcare/life sciences 19%, financial services 18%). The lure: emails posing as corporate "code of conduct" updates, carrying PDF attachments that chain through Cloudflare CAPTCHA-gated pages (which keep automated scanners out of the flow) to an AiTM proxy that relays the real login and steals the resulting session token. Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
The report lists three IOC domains. Mitigations are familiar but worth repeating: enable Zero-Hour Auto Purge, turn on SmartScreen, push passwordless where you can, and tighten Exchange Online Protection plus Defender for Office 365 policies. If your org still leans on legacy MFA (SMS, OTP, push), this is another reminder that an AiTM proxy sits through the whole login: the token it steals is already post-MFA, so the second factor buys you nothing once the user completes it on the attacker's page.
CYFIRMA published a related line of research, Beyond MFA: Identity Abuse Through Token Interception and Consent Manipulation, covering the same trusted-infrastructure pattern. Attackers stitch together legitimate Azure Blob Storage, SharePoint, OneDrive, and Entra ID components for the entire kill chain, from delivery through token theft and persistence. Concrete controls: disable OAuth 2.0 Device Code Flow unless you have a documented business need, revoke rogue OAuth apps, restrict anonymous Blob access, and enable Continuous Access Evaluation.
Both reports point at the same trend: phishers have largely given up on convincing users, and are letting trusted Microsoft infrastructure do the heavy lifting instead.
Cloud Worms and Modular RATs
SentinelOne documented PCPJack, a credential-stealing worm that spreads through exposed Docker, Kubernetes, Redis, MongoDB, and RayML instances. It evicts competing malware (specifically TeamPCP samples), then quietly harvests creds from developer tools, productivity suites, and financial apps before exfiltrating via Telegram, with payloads encrypted under ChaCha20-Poly1305 using X25519-negotiated keys. The operators appear comfortable turning stolen data into fraud, spam, or extortion fodder. Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
Hunting note: PCPJack and Copy Fail are a nasty pairing. PCPJack lands the unprivileged shell on a containerized workload through an exposed Redis or Kubernetes API; Copy Fail turns that shell into host root before your runtime detection finishes loading rules. If your container image inventory is unpatched on the kernel side, treat any cloud-service exposure finding as a critical, not a high.
Seqrite's separate Operation GriefLure report describes a China-nexus spearphishing campaign aimed at senior executives at Viettel (Vietnam's MoND-linked military-telecom carrier) and St. Luke's Medical Center Quezon City in the Philippines. The delivery vehicle is nested RAR archives containing LNK files that abuse ftp.exe (see its LOLBAS entry) for living-off-the-land execution. The modular RAT that follows steals credentials from Chrome, FileZilla, Sunlogin, and WeChat while taking opportunistic screenshots. Block the C2 domain whatsappcenter[.]com (KAOPU-HK bulletproof hosting) and hunt for the specific LNK SHA256 hashes if you operate in APAC.
Cisco Talos also published fresh details on China-nexus actor UAT-8302 (also tracked as LongNosedGoblin, Jewelbug, REF7707, and CL-STA-0049; ESET tracks the .NET variant of FinalDraft as NosyDoor). The group uses a mix of custom malware (NetDraft, CloudSorcerer v3, VSHELL) and open-source tools for government espionage in South America (since late 2024) and southeastern Europe (2025). DLL side-loading, PowerShell, LSASS dumping, and DNS-based C2 feature heavily. UAT-8302 and its box full of malware
Legal and Law-Enforcement Outcomes
Two Americans, Matthew Isaac Knoot and Erick Ntekereze Prince, each received 18-month prison sentences for running "laptop farms" that let North Korean IT workers fraudulently land remote jobs at nearly 70 U.S. companies. The scheme generated over $1.2 million for the DPRK while opening corporate networks to further compromise. The DOJ press release is blunt: verify identities and locations of remote hires, watch for unauthorized RDP and remote-management tools on contractor endpoints, and audit network access tied to payroll. Two U.S. Nationals Sentenced for Facilitating Fraudulent Remote Information Technology Worker Schemes for the DPRK
On the ransomware front, Deniss Zolotarjovs (a Latvian national living in Moscow at the time of his arrest) was sentenced to 102 months for acting as a negotiator in a prolific Russian ransomware group tied to former Conti leadership. The cluster operates under multiple brands (Conti, Karakurt, Royal, TommyLeaks, SchoolBoys, Akira) and is linked to data theft from at least 54 companies and hundreds of millions of dollars in losses. Member of Prolific Russian Ransomware Group Sentenced to Prison
A former government contractor, Sohaib Akhter, was convicted of destroying roughly 96 federal databases in retaliation immediately after being fired in February 2025; sentencing is scheduled for September 9, 2026. His twin brother Muneeb (already a convicted felon from a 2016 State Department case) is named as a co-defendant. Three defender lessons in one indictment: JIT privileged access, immediate revocation on termination, immutable backups. Federal Jury Convicts Virginia Man on Charges Relating to the Deletion of U.S. Government Databases
Copy Fail: Eight Years of algif_aead, Two Weeks to Patch
CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities catalog on May 1, with a federal remediation deadline of May 15 under BOD 22-01. If you're reading this on Sunday, civilian agencies have four working days. Everyone else should treat that same window as the deadline you have to explain in writing if you miss. Microsoft's writeup has the deepest technical detail; Tenable's FAQ has the patched-kernel matrix; Xint's "732 Bytes to Root" is where the PoC lives; BleepingComputer's KEV story tracks the exploitation timeline.
The bug lives in algif_aead, the AEAD socket frontend of the AF_ALG userspace crypto API. A 2017 in-place AEAD optimization (commit 72548b093ee3) made decryption operate on an identical source/destination scatterlist, with sg_chain() splicing user-supplied tag pages directly into a writable destination scatterlist instead of copying them out. Combine that with splice() from a file descriptor into the request socket, and the page-cache pages of any user-readable file land as live entries in a writable SG list. The authencesn template then performs an unconditional 4-byte scratch write at offset assoclen + cryptlen (the Extended Sequence Number rearrangement it does for IPsec HMAC) and never restores it. The fix, mainline commit a664bf3d603d, reverts to out-of-place operation.
The exploit primitive is what makes this nasty: a deterministic, attacker-controlled 4-byte write into the page cache of any file the calling user can read, including /usr/bin/su. It doesn't need a race window, a spray primitive, a namespace trick, or any capability bits. AF_ALG sockets are exposed to unprivileged users by default. The public PoC fits in 732 bytes of Python; Go and Rust ports are already in the wild. CVSS is 7.8 (AV:L/AC:L/PR:L/UI:N), which understates the impact in any multi-tenant environment.
Why containers don't save you: the page cache is host-global. A tenant pod with shell access can corrupt the host's cached copy of a setuid binary, and the next time anyone on the node runs su, the corrupted page is what executes, as root. Microsoft explicitly calls out Kubernetes node compromise. gVisor and Kata should be architecturally insulated (they interpose their own kernel or syscall layer, so the workload's page cache is not the host's), but no vendor has published a confirming advisory yet; treat both as untested. For everyone else: a container RCE on an unpatched kernel is a host compromise, not a container compromise.
Patched stable kernels per Tenable: 5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.22, 6.19.12, and 7.0. Distro coverage is broad: Ubuntu (24.04 LTS and back), RHEL 8/9/10.1 (RHSA-2026:13565, 13577, 13681), Oracle Linux (ELSA-2026-13565), SUSE 16, Amazon Linux 2023, AlmaLinux, CloudLinux, Debian, Fedora, and Arch all shipped within hours.
For scan coverage, Tenable's generic plugin is 309203, with distro-specific coverage at 312100 (RHEL 9), 312110 and 312180 (RHEL 8), and 312679 (Oracle Linux 9). The full plugin list is at tenable.com/cve/CVE-2026-31431/plugins.
If you can't patch immediately, the interim mitigations actually work, because the bug is in a single named module:
- Module loaded dynamically: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf && rmmod algif_aead (as root). The install line stops future loads, including the kernel-initiated autoload that a bind() on an AF_ALG socket of type "aead" can trigger; rmmod unloads the copy that is already resident and fails if a process still holds an AEAD socket, so confirm with lsmod afterwards.
- Compiled in: add initcall_blacklist=algif_aead_init to the kernel command line and reboot; there is no runtime switch for a built-in.
- Container/pod profiles: block socket(AF_ALG, ...) (domain 38) in seccomp. AF_ALG is rare in legitimate workloads outside cryptsetup-style use cases, so the rule is cheap to deploy broadly.
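To verify a node against the matrix and the three mitigations above in one pass, here is a pre-flight check written for this digest (an added example, not code from Microsoft, Tenable, Xint or the kernel project). The patched-version table is Tenable's as quoted above; /proc/modules, /proc/cmdline, modules.builtin and `modprobe -c` are standard interfaces; the function names and verdict strings are our own, and the kernels named in the docstring are illustrations, not findings.

```python
"""copyfail_check.py: pre-flight check for CVE-2026-31431 exposure on one host.

Added example for this digest, not code from Microsoft, Tenable or the kernel
project. PATCHED is the stable-kernel matrix quoted from Tenable; the files
read here and `modprobe -c` are standard Linux interfaces; the function names
and verdict strings are our own. Run as root for a complete picture.
"""
import os
import re
import shutil
import socket
import subprocess
from pathlib import Path

# First release of each stable series carrying the fix (commit a664bf3d603d),
# per Tenable. Mainline 7.0 and later carry it as well.
PATCHED = {
    (5, 10): 254, (5, 15): 204, (6, 1): 170, (6, 6): 137,
    (6, 12): 85, (6, 18): 22, (6, 19): 12,
}


def parse_kernel_version(release: str) -> tuple:
    """'6.6.120-generic' -> (6, 6, 120); a bare '6.6' counts as patch level 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"not a kernel version: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_status(release: str) -> str:
    """'patched', 'vulnerable' or 'unknown-series'.

    unknown-series covers what a version string cannot settle: an EOL stable
    series with no fix release, and distro kernels (e.g. a hypothetical RHEL
    5.14.0-x.el9 or Ubuntu 6.8.0-x) that backport fixes without bumping the
    upstream version. Judge those by package version / RHSA instead.
    """
    major, minor, patch = parse_kernel_version(release)
    if major >= 7:
        return "patched"
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "unknown-series"
    return "patched" if patch >= fixed else "vulnerable"


def _read(path: str) -> str:
    try:
        return Path(path).read_text()
    except OSError:
        return ""


def module_status(release: str) -> dict:
    """Facts about algif_aead on this host that the mitigations above change."""
    modprobe_conf = ""
    if shutil.which("modprobe"):
        modprobe_conf = subprocess.run(
            ["modprobe", "-c"], capture_output=True, text=True).stdout
    return {
        # currently resident as a loadable module
        "loaded": re.search(r"^algif_aead\s", _read("/proc/modules"), re.M) is not None,
        # compiled into the kernel image (modules.builtin lists it)
        "builtin": "algif_aead.ko" in _read(f"/lib/modules/{release}/modules.builtin"),
        # 'install algif_aead /bin/false' is active, so modprobe/autoload is a no-op
        "install_blocked": re.search(r"^install\s+algif_aead\s+/bin/(false|true)\b",
                                     modprobe_conf, re.M) is not None,
        # initcall_blacklist on the command line, the only option for a built-in
        "initcall_blacklisted": "initcall_blacklist=algif_aead_init" in _read("/proc/cmdline"),
    }


def assess(release: str, status: dict) -> str:
    """Combine version and module facts into one verdict for the node."""
    if version_status(release) == "patched":
        return "patched"
    if status["builtin"]:
        reachable = not status["initcall_blacklisted"]
    else:
        # Not loaded is not enough: a bind() on an AF_ALG socket asks the
        # kernel to autoload the module unless the install rule blocks it.
        reachable = status["loaded"] or not status["install_blocked"]
    if not reachable:
        return "mitigated"
    return version_status(release)   # 'vulnerable' or 'unknown-series'


def af_alg_socket_allowed() -> bool:
    """True if this process may create an AF_ALG socket at all (a seccomp or
    kernel-config check for the container-profile mitigation). Creating the
    socket does not touch algif_aead; only a bind() to type 'aead' would."""
    try:
        socket.socket(getattr(socket, "AF_ALG", 38), socket.SOCK_SEQPACKET, 0).close()
        return True
    except OSError:
        return False


if __name__ == "__main__":
    rel = os.uname().release
    st = module_status(rel)
    print(f"kernel {rel}: {version_status(rel)}; algif_aead: {st}")
    print(f"verdict: {assess(rel, st)}; AF_ALG socket creatable: {af_alg_socket_allowed()}")
```

Run it inside a pod as well as on the node: a "mitigated" verdict on the host plus "AF_ALG socket creatable: False" in the pod means both layers are in place. An "unknown-series" verdict is a prompt to check the distro package, not a pass.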
For detection, auditd or eBPF on socket() with domain=AF_ALG followed by splice() from a setuid file descriptor into the request socket accept()ed from it is a near-zero false positive signal in production workloads. Microsoft Defender ships signatures Exploit:Linux/CopyFailExpDl.A, Exploit:Python/CopyFail.A, and behavior Behavior:Linux/CVE-2026-31431, with MDE alert "Possible CVE-2026-31431 exploitation" and MDC alert "Potential exploitation detected."
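The correlation that signal needs, worked through on audit records, as an added example for this digest (not Microsoft's detection logic and not a published rule set). It assumes auditd rules of our own naming that log AF_ALG socket creation, the accept()/splice()/close() calls that follow, and read-opens of the setuid binaries you care about; the log lines it runs over are constructed for the example, with field formats matching real audit output (hex a0..a3, decimal exit, octal mode in PATH records).

```python
"""copyfail_hunt.py: correlate audit records into the Copy Fail exploit pattern.

Added example for this digest, not Microsoft's detection logic. It assumes a
rule set like this (keys are our own):

  -a always,exit -F arch=b64 -S socket -F a0=38 -k copyfail_afalg
  -a always,exit -F arch=b64 -S accept,accept4,splice,close -k copyfail_flow
  -w /usr/bin/su -p r -k setuid_read

AUDIT_SAMPLE below is constructed for the example: one process that runs the
exploit sequence, a cryptsetup-style process that uses AF_ALG legitimately,
and a process that splices a non-setuid file, which must not alert.
"""
import re
import sys
from collections import defaultdict

# x86_64 numbers (arch=c000003e). Other arches renumber; see `ausyscall --dump`.
SYS = {"close": 3, "socket": 41, "accept": 43, "openat": 257, "splice": 275, "accept4": 288}
AF_ALG = 38
S_ISUID = 0o4000

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line: str) -> dict:
    """One audit line -> dict of fields plus 'event', the serial that ties a
    SYSCALL record to its PATH records."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    m = EVENT.search(line)
    rec["event"] = m.group(1) if m else ""
    return rec


def detect(lines) -> list:
    """One alert per splice() whose input fd is an open setuid file and whose
    output fd is an AF_ALG socket, or a request socket accept()ed from one, in
    the same process. State is per pid; close() drops fds again."""
    setuid_fds = defaultdict(dict)   # pid -> {fd: path}
    alg_fds = defaultdict(set)       # pid -> {fd}
    pending_open = {}                # event -> (pid, fd) awaiting its PATH record
    alerts = []
    for line in lines:
        r = parse_record(line)
        if r.get("type") == "PATH":
            # openat emits a PARENT record for the directory and a NORMAL one
            # for the file itself; only the latter carries the file's mode.
            if r["event"] in pending_open and r.get("nametype") == "NORMAL":
                pid, fd = pending_open.pop(r["event"])
                if int(r["mode"], 8) & S_ISUID:
                    setuid_fds[pid][fd] = r["name"]
            continue
        if r.get("type") != "SYSCALL" or r.get("success") != "yes" or r.get("arch") != "c000003e":
            continue
        nr, pid, ret = int(r["syscall"]), int(r["pid"]), int(r["exit"])
        a0, a2 = int(r.get("a0", "0"), 16), int(r.get("a2", "0"), 16)
        if nr == SYS["openat"]:
            pending_open[r["event"]] = (pid, ret)
        elif nr == SYS["socket"] and a0 == AF_ALG:
            alg_fds[pid].add(ret)
        elif nr in (SYS["accept"], SYS["accept4"]) and a0 in alg_fds[pid]:
            alg_fds[pid].add(ret)    # request socket for the AEAD operation
        elif nr == SYS["splice"] and a0 in setuid_fds[pid] and a2 in alg_fds[pid]:
            alerts.append({"pid": pid, "uid": r.get("uid"), "comm": r.get("comm"),
                           "exe": r.get("exe"), "path": setuid_fds[pid][a0], "event": r["event"]})
        elif nr == SYS["close"]:
            setuid_fds[pid].pop(a0, None)
            alg_fds[pid].discard(a0)
    return alerts


AUDIT_SAMPLE = """\
type=SYSCALL msg=audit(1746300000.101:9001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2a4f10 a2=0 a3=0 items=2 ppid=900 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="setuid_read"
type=PATH msg=audit(1746300000.101:9001): item=0 name="/usr/bin/" inode=262145 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1746300000.101:9001): item=1 name="/usr/bin/su" inode=262177 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1746300000.102:9002): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=900 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copyfail_afalg"
type=SYSCALL msg=audit(1746300000.103:9003): arch=c000003e syscall=43 success=yes exit=5 a0=4 a1=0 a2=0 a3=0 items=0 ppid=900 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copyfail_flow"
type=SYSCALL msg=audit(1746300000.104:9004): arch=c000003e syscall=275 success=yes exit=4096 a0=3 a1=0 a2=5 a3=0 items=0 ppid=900 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copyfail_flow"
type=SYSCALL msg=audit(1746300000.201:9005): arch=c000003e syscall=41 success=yes exit=7 a0=26 a1=5 a2=0 a3=0 items=0 ppid=1 pid=5151 auid=0 uid=0 gid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="copyfail_afalg"
type=SYSCALL msg=audit(1746300000.202:9006): arch=c000003e syscall=43 success=yes exit=8 a0=7 a1=0 a2=0 a3=0 items=0 ppid=1 pid=5151 auid=0 uid=0 gid=0 euid=0 comm="cryptsetup" exe="/usr/sbin/cryptsetup" key="copyfail_flow"
type=SYSCALL msg=audit(1746300000.301:9007): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2a5a00 a2=0 a3=0 items=2 ppid=900 pid=6060 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="setuid_read"
type=PATH msg=audit(1746300000.301:9007): item=1 name="/etc/hostname" inode=131093 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1746300000.302:9008): arch=c000003e syscall=41 success=yes exit=4 a0=26 a1=5 a2=0 a3=0 items=0 ppid=900 pid=6060 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copyfail_afalg"
type=SYSCALL msg=audit(1746300000.303:9009): arch=c000003e syscall=275 success=yes exit=64 a0=3 a1=0 a2=4 a3=0 items=0 ppid=900 pid=6060 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.12" key="copyfail_flow"
"""

if __name__ == "__main__":
    # Feed real data with: ausearch --raw -k copyfail_afalg -k copyfail_flow -k setuid_read | python3 copyfail_hunt.py
    source = sys.stdin if not sys.stdin.isatty() else AUDIT_SAMPLE.splitlines()
    for a in detect(source):
        print(f"ALERT pid={a['pid']} uid={a['uid']} comm={a['comm']} spliced {a['path']} into AF_ALG (event {a['event']})")
```

On the sample only pid 4242 fires; the cryptsetup-style process never splices a setuid file and pid 6060 splices a non-setuid one. The known blind spots of the audit approach are fds duplicated with dup2()/fcntl() or inherited across fork(), files opened before the rules loaded, and non-x86_64 syscall numbers; an eBPF probe on the splice path that resolves the input fd to its file and checks the setuid bit directly closes those gaps.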
Post-compromise: assume any container RCE on an unpatched node is a full host compromise. Recycle the node rather than restart the pod. The closest comparables are Dirty Cow and Dirty Pipe, both of which lived on KEV for years.
Other Critical Patches Worth Triaging
CISA also added CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel & WHM (CRLF injection in the login flow), to the KEV catalog. The flaw affects versions after 11.40, and cPanel released patched builds across all supported branches (136, 134, 132, 130, 126, 124, 118, 110, 102, 94, and 86) on April 28. In-the-wild exploitation began around February 23, two months ahead of the patch. Roughly 1.5 million instances are exposed per Shodan. FCEB deadline is May 21; public PoCs exist. cPanel & WHM Security Update 04-28-2026
Cisco pushed advisories for three authenticated flaws in IoT Field Network Director (CVE-2026-20167 DoS, CVE-2026-20168 path traversal, CVE-2026-20169 command injection) plus an authenticated file-upload XSS in Enterprise Chat and Email Lite Agent. All require valid credentials, so the operational risk is lower than the cPanel or Copy Fail items, but standard patching cadence applies and the FND command injection in particular is a clean privilege-escalation vector inside utility and industrial environments where IoT FND is operationally trusted.
Quick Hits Worth Triaging
- Kaspersky dissected the DAEMON Tools supply-chain compromise that trojanized installers from April 8 onward (versions 12.5.0.2421 through 12.5.0.2434), delivering a three-stage chain ending in a QUIC-capable RAT that injects into notepad.exe and conhost.exe. Update to 12.6.0.2445 and block the known C2.
- ESET identified 28 fraudulent Android apps (the CallPhantom family) that promised fake call logs and racked up 7.3 million downloads, mostly in India and APAC, before Google removed them. Cancel any suspicious subscriptions and avoid apps that claim impossible surveillance features.
- Trend Micro tracked a malvertising campaign using fake Claude AI installer pages that ultimately drops a RedLine-linked fileless stealer via mshta.exe (see LOLBAS), patching AMSI for evasion. Block the listed domains and IPs.
Same playbook as ever: trusted-infrastructure abuse, living-off-the-land delivery, supply-chain compromise. Adversaries keep investing because the vectors keep working. The enforcement actions against laptop-farm operators and ransomware negotiators are welcome punctuation, but they don't change the TTPs. The thing that should change your week is Copy Fail. Patch it, recycle anything that ran unpatched in a multi-tenant context, and move on.
Mind the threads. The web remembers.
~ UncleSp1d3r