EvilBit Threat Digest: Trust Falls, But Make It Internet-Scale
Attackers leaned on other people's infrastructure this week: OAST callback services, SaaS notifications, AI/extension marketplaces, fake installers, and a very convincing lookalike 7-Zip site all did their part to make defenders question reality and make incident responders question coffee.
Security this week had a unifying theme: attackers stopped "breaking in" and started "being invited." AI skill marketplaces, code extension repos, Jira Cloud notifications, a lookalike 7-Zip domain, even OAST callback infrastructure; everything is a signed visitor badge with a knife taped to the back.
UncleSp1d3r and KryptoKat here. One of us is thinking about exploit paths; the other, about the pager rotation. Both of us are thinking about how much of the modern internet runs on vibes.
The Internet's Background Radiation Got Louder (and More Targeted)
GreyNoise's latest weekly OAST report is a good reminder that the internet isn't "scanned"; it's continuously pinged like a submarine hull, and anything that responds gets cataloged. They tracked 6,197 OAST sessions from 79 unique IPs across 73 campaigns in a single week, with widespread Nuclei-style probing and clustering via TLS/JA fingerprints (GreyNoise Labs Weekly OAST Report).
Gentle reminder: OAST (Out-of-band Application Security Testing) is the technique of embedding callback domains in payloads so the attacker's infrastructure gets a ping when a target executes the payload, confirming "yes, this box ran my code" without requiring a direct connection back.
The headline, though, is confirmed exploitation of Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1281, with 83% of observed exploitation sessions traced to a single IP on AS200593 (PROSPERO OOO), bulletproof hosting infrastructure based in Saint Petersburg. This isn't theoretical "scan noise." GreyNoise documented 417 exploitation sessions from 8 unique IPs between February 1 and 9, with a sharp spike to 269 sessions on 8 February alone. They also call out specific endpoint pathing, including /mifs/c/appstore/fob/ with payloads consistent with dig command injection behavior (NVD: CVE-2026-1281, Ivanti advisory, Horizon3.ai writeup, CrowdSec tracking).
KryptoKat: The operational lesson here isn't "block some domains." It's that OAST is now a routine part of exploitation pipelines: attackers validate egress, confirm command execution, then decide whether you're worth the next stage. If your environment treats outbound DNS/HTTP as a moral right instead of a privilege, OAST turns your perimeter into a confession booth.
UncleSp1d3r: Also: bulletproof hosting keeps showing up like the same villain in a season of The X-Files: different monster-of-the-week, same sewer entrance.
What to do Monday morning (not "someday"):
- Apply Ivanti EPMM RPM hotfixes immediately (12.x.0.x or 12.x.1.x depending on your version). The full fix ships in EPMM 12.8.0.0 (expected Q1 2026), but the hotfixes require no downtime and take seconds to apply. Verify you didn't just "patch forward" while leaving orphaned instances exposed (Ivanti advisory).
- Consider blocking known OAST callback zones at DNS/WAF, where it won't break business flows: *.oast.pro, *.oast.live, *.oast.fun, *.oast.me, *.oast.site (GreyNoise Labs Weekly OAST Report).
- Treat any public-facing enterprise admin surface in their target list (Commvault, Grafana, SysAid, Oracle EBS, Confluence, OFBiz, etc.) as "being actively auditioned for compromise," even if exploitation isn't confirmed for each one this week (GreyNoise Labs Weekly OAST Report).
- Hunt for requests hitting /mifs/c/appstore/fob/ on EPMM instances. That's your tripwire URL (GreyNoise Labs Weekly OAST Report).
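Turning those two hunts into something you can run over exported logs, as an added example written for this digest rather than code from GreyNoise or Ivanti: the tripwire path and the zone list come straight from the report above; the access-log and resolver-log lines are constructed stand-ins, and the resolver log format is an assumption you would adapt to whatever your DNS server actually writes.

```python
import re
from collections import Counter

# Constructed sample input: web-server access log lines from a hypothetical
# EPMM host and DNS query log lines from a resolver. Addresses are
# documentation ranges; nothing here is a real observation.
ACCESS_LOG = """\
203.0.113.7 - - [08/Feb/2026:11:02:13 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [08/Feb/2026:11:03:44 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Feb/2026:11:05:01 +0000] "POST /mifs/c/appstore/fob/ HTTP/1.1" 500 0 "-" "curl/8.0"
"""

DNS_LOG = """\
2026-02-08T11:02:14Z client 10.0.0.5 query abc123.oast.pro A
2026-02-08T11:02:20Z client 10.0.0.9 query updates.example.com A
2026-02-08T11:05:02Z client 10.0.0.5 query x9y8.oast.fun TXT
"""

# Tripwire path and callback zones as listed in the GreyNoise report.
EPMM_TRIPWIRE = "/mifs/c/appstore/fob/"
OAST_ZONES = ("oast.pro", "oast.live", "oast.fun", "oast.me", "oast.site")

# Combined-log-format fields we need: source, method, path, status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Hypothetical resolver log format: "<ts> client <ip> query <name> <qtype>".
DNS_RE = re.compile(r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<name>\S+) (?P<qtype>\S+)$")


def find_epmm_tripwire(log_text):
    """Return (src, method, status) for every request under the EPMM tripwire path."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group("path").startswith(EPMM_TRIPWIRE):
            hits.append((m.group("src"), m.group("method"), int(m.group("status"))))
    return hits


def oast_zone(name):
    """Return the OAST zone a queried name falls under, or None.

    Matches on whole labels so 'notoast.pro' is not a false positive, while the
    random per-session label ('abc123.oast.pro') is caught.
    """
    labels = name.lower().rstrip(".").split(".")
    for zone in OAST_ZONES:
        zl = zone.split(".")
        if len(labels) >= len(zl) and labels[-len(zl):] == zl:
            return zone
    return None


def find_oast_lookups(log_text):
    """Return (src, name, zone) for every DNS query that lands in an OAST zone."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        zone = oast_zone(m.group("name"))
        if zone:
            hits.append((m.group("src"), m.group("name"), zone))
    return hits


def triage_summary(access_hits, dns_hits):
    """Per-source counts so the loudest sources float to the top of the queue."""
    counts = Counter()
    for src, _method, _status in access_hits:
        counts[("web", src)] += 1
    for src, _name, _zone in dns_hits:
        counts[("dns", src)] += 1
    return counts


if __name__ == "__main__":
    web = find_epmm_tripwire(ACCESS_LOG)
    dns = find_oast_lookups(DNS_LOG)
    for key, n in triage_summary(web, dns).most_common():
        print(key, n)
```

The zone match is on whole labels on purpose: a substring check would light up on any domain that happens to contain "oast", and the whole point of a tripwire is that it only trips when something real steps on it. A web hit on the tripwire plus an OAST lookup from an internal host in the same minute is the pairing worth paging on.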
"Legit" Platforms as Payload Delivery: Your Brand Is Their Stealth
Trojanized installer turns PCs into proxy nodes (because of course)
A lookalike domain (7zip.com, not the real 7-zip.org) served a trojanized 7-Zip installer that drops upStage Proxy, turning victim Windows machines into residential proxy nodes. Victims don't just get infected; they get monetized as infrastructure, useful for fraud, credential stuffing, ad abuse, and general skulduggery routed through "legit-looking" home IPs (Luke Acha analysis, Malwarebytes coverage, BleepingComputer).
What makes this worth your time: persistence as a Windows service, plus firewall rule modification to keep the proxy reachable, and XOR-encoded C2/protocol behavior documented in the deep dive. The "proxyware" angle changes incident severity: your host becomes a launchpad, your IP shows up in someone else's attack, and your abuse desk becomes a crime scene.
UncleSp1d3r: I love a good installer trojan. It's the floppy-disk virus era, but now with TLS and a subscription model.
KryptoKat: If you run corporate Windows fleets, treat this like more than adware. Proxyware is an incident-class problem because it launders someone else's activity through your IP space. Treat any endpoint that executed an installer from the wrong domain as compromised, not "maybe risky."
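A cheap way to find "installer from the wrong domain" in proxy logs, added here as an example and not taken from any of the linked analyses: the vendor domain (7-zip.org) and the lookalike (7zip.com) are the ones named above, the log lines, users and filenames are constructed, and the registrable-domain split is deliberately naive (last two labels, no public suffix list), which is an assumption you would replace with a real PSL library in production.

```python
import re

# Constructed proxy log: "<ts> <user> <host> <path>". The hosts mirror the case
# above (7-zip.org is the vendor, 7zip.com the lookalike); users, filenames and
# the third host are made up for this example.
PROXY_LOG = """\
2026-02-12T09:14:02Z alice www.7-zip.org /a/7z-x64.exe
2026-02-12T09:20:11Z bob 7zip.com /download/7z-setup.exe
2026-02-12T09:31:45Z carol cdn.example.net /tools/editor.msi
2026-02-12T09:40:00Z dave 7-zip.org /faq.html
2026-02-12T09:52:19Z erin 7-zlp.net /get/7z.exe
"""

INSTALLER_EXT = (".exe", ".msi", ".msix")


def registrable(host):
    """Naive registrable domain: the last two labels.

    Assumption: no public suffix list, so names like 'foo.co.uk' need a real
    PSL library before this goes anywhere near production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def core(domain):
    """Second-level label with separators stripped: the part a human actually reads."""
    return registrable(domain).split(".")[0].replace("-", "").replace("_", "")


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, official_domains, max_distance=1):
    """Return (verdict, official) with verdict 'official', 'lookalike' or 'unknown'.

    'lookalike' means the readable core of the name is the vendor's (or one
    edit away from it) but the registrable domain is not the vendor's.
    """
    reg = registrable(host)
    for official in official_domains:
        if reg == registrable(official):
            return "official", official
    for official in official_domains:
        if edit_distance(core(host), core(official)) <= max_distance:
            return "lookalike", official
    return "unknown", None


def classify_downloads(log_text, official_domains):
    """Classify every installer download in the log; non-installer fetches are skipped."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, host, path = parts
        if not path.lower().endswith(INSTALLER_EXT):
            continue
        verdict, official = classify_host(host, official_domains)
        results.append((user, registrable(host), verdict, official))
    return results


if __name__ == "__main__":
    for row in classify_downloads(PROXY_LOG, ["7-zip.org"]):
        print(row)
```

"lookalike" rows are the ones KryptoKat is talking about: the host that pulled that installer goes into the compromised bucket, not the "maybe risky" one. "unknown" rows are a separate, lower-priority question about why installers are arriving from domains nobody vetted.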
Jira Cloud: phishing with a corporate letterhead
Trend Micro documents a campaign abusing Atlassian Jira Cloud to send spam/phishing to government and corporate targets, leveraging Jira's "normal notification" look and the baseline trust many orgs grant to SaaS platform email flows. The payloads skew toward scams (investment/casino), but the real lesson is reusable: SaaS notifications are now an attack surface (Trend Micro).
KryptoKat: Your secure email gateway can't "detonate" a link's social context. It sees Jira. Your users see Jira. Your attackers see Jira and your users. Audit who can create Jira instances/projects, and don't let SaaS tooling become an unmonitored mail cannon.
AI marketplace supply chain: "skills" that walk you to malware
OpenSourceMalware details malicious ClawHub skills that avoid in-market scanning by using external websites as the real delivery mechanism. The skills become the lure, the documentation becomes the "run this command," and the payload lives elsewhere. It's supply chain by social geometry: the marketplace is just the trust anchor (OpenSourceMalware).
The scale is notable. A Koi Security audit of 2,857 ClawHub skills found 341 malicious entries, 335 of which are tied to a single coordinated campaign (dubbed ClawHavoc) that deploys Atomic Stealer (AMOS) on macOS.
UncleSp1d3r: This is the oldest trick on the internet wearing a new hoodie. The "package manager install" meme never died; it just learned the phrase "AI workflow." This is why we can't have nice things.
Code extension worms: the repo is the beachhead
Annex reports a worm-like malware campaign targeting Open VSX / VS Code extensions, aimed at finance and e-commerce environments, with obfuscation and C2/exfil over seemingly normal web traffic. Supply chain risk here isn't hypothetical; extensions execute where developers and operators live (Annex).
KryptoKat: If your org allows arbitrary extensions/skills/plugins, you're not managing software; you're running a community theater where anyone can walk on stage.
Defender move: Don't treat extensions as "preferences." Treat them like software deployment: provenance, publisher controls, and periodic review.
Targeted Ops: When the Payload Has a Passport Stamp
CRESCENTHARVEST: protest lures, DLL sideloading, and real-world danger
Acronis TRU details CRESCENTHARVEST, a cyberespionage campaign targeting Farsi-speaking Iranian protest supporters and diaspora with lures (RARs containing LNK files) leading to a dual-module RAT/stealer. The theft targets are chillingly practical: browser creds/cookies/history from Chrome, Edge, and Firefox, Telegram Desktop sessions, and keystrokes; the kind of collection that can enable real-world harassment and intimidation, or much worse (Acronis TRU, BankInfoSecurity, SecurityOnline).
Tradecraft notes that matter to defenders:
- Initial access via RAR archives containing LNKs (because it's 2026 and we still can't have nice things).
- DLL sideloading using software_reporter_tool.exe (a signed Google binary) as the loader anchor.
- Event-based persistence via a scheduled task triggered on Windows NetworkProfile events (EventID 10000), ensuring the payload runs when the machine gains network connectivity rather than only at boot.
- C2 infrastructure at 185.242.105.230 (Riga, Latvia, AS42532).
- Hunt for keylog artifacts at paths like C:\Windows\System32\spool\Drivers\color\daT.txt
Sources: Acronis TRU report
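The scheduled-task trigger is the most huntable item on that list, because Task Scheduler stores it as XML you can export and grep with structure instead of luck. Below is an added example written for this digest, not Acronis TRU's tooling: it parses task definitions in the Task Scheduler XML schema (what `schtasks /query /tn <name> /xml` exports), flags any EventTrigger subscribed to a NetworkProfile channel for EventID 10000, and matches the keylog artifact path from the report against a host file listing. The two task definitions, their names and executable paths are constructed; the subscription shape is the real Windows format.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed task definitions in the Task Scheduler XML schema. Task names and
# executable paths are made up; the NetworkProfile/10000 subscription is the
# persistence pattern described in the write-up.
SAMPLE_TASKS = {
    "\\Vendor\\Updater": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><TimeTrigger><StartBoundary>2026-01-01T09:00:00</StartBoundary>"
        "</TimeTrigger></Triggers>"
        "<Actions><Exec><Command>C:\\Program Files\\Vendor\\update.exe</Command></Exec></Actions>"
        "</Task>"
    ),
    "\\ColorSync": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><EventTrigger><Enabled>true</Enabled><Subscription>"
        "&lt;QueryList&gt;"
        '&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;'
        '&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;'
        "*[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000]]"
        "&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;"
        "</Subscription></EventTrigger></Triggers>"
        "<Actions><Exec><Command>C:\\Users\\Public\\software_reporter_tool.exe</Command></Exec></Actions>"
        "</Task>"
    ),
}

# Artifact path quoted in the report; compared case-insensitively, as NTFS would.
KEYLOG_ARTIFACT = r"C:\Windows\System32\spool\Drivers\color\daT.txt"

EVENT_ID_RE = re.compile(r"EventID\s*=\s*(\d+)")


def event_triggers(task_xml):
    """Yield (channel, {event ids}) for each Select clause of each EventTrigger.

    The Subscription body is an XML-escaped QueryList; ElementTree unescapes it
    when reading the text, so it can be parsed a second time as XML.
    """
    root = ET.fromstring(task_xml)
    for trig in root.iter(TASK_NS + "EventTrigger"):
        sub = trig.find(TASK_NS + "Subscription")
        if sub is None or not sub.text:
            continue
        for sel in ET.fromstring(sub.text).iter("Select"):
            ids = {int(n) for n in EVENT_ID_RE.findall(sel.text or "")}
            yield sel.get("Path", ""), ids


def exec_commands(task_xml):
    """Executables the task launches, for analyst context in the finding."""
    root = ET.fromstring(task_xml)
    return [c.text for c in root.iter(TASK_NS + "Command") if c.text]


def find_network_profile_tasks(tasks, event_id=10000):
    """Flag tasks whose trigger fires on a NetworkProfile event with the given id."""
    hits = []
    for name, task_xml in tasks.items():
        for channel, ids in event_triggers(task_xml):
            if "NetworkProfile" in channel and event_id in ids:
                hits.append({"task": name, "channel": channel,
                             "commands": exec_commands(task_xml)})
    return hits


def artifact_hits(file_listing):
    """Paths in a host file listing that match the keylog artifact (case-insensitive)."""
    want = KEYLOG_ARTIFACT.lower()
    return [p for p in file_listing if p.lower() == want]


if __name__ == "__main__":
    for hit in find_network_profile_tasks(SAMPLE_TASKS):
        print(hit)
    print(artifact_hits([r"c:\windows\system32\spool\drivers\color\dat.txt"]))
```

A NetworkProfile trigger is not malicious by itself (some VPN and sync tools use it), so the finding pairs the channel with the executable the task launches; a signed Google binary living somewhere Google never installed it is what turns "interesting" into "pull the disk."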
KryptoKat: Campaigns like this show why "just use Signal" isn't a solid security strategy (though it's still good advice for chatting). Session theft turns secure messaging into a show, and the victims are real people. For at-risk communities, a breach can lead to real-world coercion. Treat it with the same urgency you'd give to physical safety.
APT28 "MacroMaze": low-rent tooling, high-rent outcomes
LAB52 tracks Operation MacroMaze, attributed to APT28, leaning into "basic" tooling (batch, VBScript, HTML) and legitimate infrastructure, including browser-based exfil to services like webhook.site. The campaign was active from at least late September 2025 through January 2026, targeting entities in Western and Central Europe. The sophistication isn't in the malware's mystique; it's in the operational discipline: evasion tricks, living inside expected traffic, and leaving forensic breadcrumbs that all lead to legitimate services (LAB52).
UncleSp1d3r: If your detection strategy is to "alert on weird binaries," APT28 has once again demonstrated that it is difficult to identify traffic when it resembles that of every user on your network. Good luck sifting through those SIEM logs.
LuciDoor + MarsSnake: telecom targeting in Central Asia
Positive Technologies' ESC team details UnsolicitedBooker activity targeting telecoms in Kyrgyzstan (fall 2025) and Tajikistan (January 2026), using the LuciDoor and MarsSnake backdoors for persistence and data movement. The group swapped tools across campaigns: LuciDoor first, then MarsSnake in November, then back to LuciDoor with a new configuration in January. In at least one case, infrastructure mimicked Russian services, and the team notes shared tooling with Mustang Panda and overlap with the Space Pirates cluster previously tracked by ESET (Positive Technologies ESC).
KryptoKat: Telecom intrusions are never merely about telecommunications. They involve identity, interception potential, and the vulnerabilities in everyone else's multi-factor authentication and reset processes.
macOS Isn't "Safe," It's Just "Different": DigitStealer's Infrastructure Tells on It
DigitStealer is back in the conversation, not because the malware is brand new, but because infrastructure pattern analysis makes it easier to hunt. The operator's C2 posture is unusually uniform (same ASN patterns, consistent Njalla nameservers, Tucows registrations), and the malware itself leans on JXA/osascript behavior that's huntable when you stop pretending macOS endpoints don't need telemetry. Targets include 18 crypto wallets, Ledger Live, and browser and Keychain data. The operator polls the C2 every ~10 seconds for new payloads, and a cryptographic challenge/response mechanism gates session tokens to block automated scanners (Cyber and Ramen infrastructure tracking, Jamf Threat Labs background).
UncleSp1d3r: The operator polling every 10 seconds resembles a thief rattling your doorknob all night. It's annoying, loud, and somewhat useful if you're logging. It's a surprisingly rookie move for an attacker who appears to be mixing sophisticated techniques with obvious mistakes.
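That doorknob-rattling is exactly what a periodicity check over connection logs catches. The example below is added for this digest and is not from the Cyber and Ramen or Jamf write-ups: it groups connections by source and destination, takes the median inter-arrival gap as the candidate period and the median absolute deviation as jitter, and flags flows that are both frequent and regular. The log lines are constructed (one flow polls every ~10 seconds the way the DigitStealer note describes, the other is ordinary bursty traffic) and the log format is an assumption; the thresholds are starting points, not gospel.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed connection log: "<ts> <src> <dst>:<port>". Flow A is a 10-second
# poll with a second or so of jitter; flow B is ordinary bursty browsing.
# Addresses are documentation ranges, not real infrastructure.
CONN_LOG = """\
2026-02-12T12:00:00Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:00:03Z 10.0.0.22 203.0.113.80:443
2026-02-12T12:00:05Z 10.0.0.22 203.0.113.80:443
2026-02-12T12:00:10Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:00:21Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:00:30Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:00:41Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:00:47Z 10.0.0.22 203.0.113.80:443
2026-02-12T12:00:50Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:01:00Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:01:11Z 10.0.0.21 198.51.100.40:443
2026-02-12T12:02:10Z 10.0.0.22 203.0.113.80:443
2026-02-12T12:05:30Z 10.0.0.22 203.0.113.80:443
2026-02-12T12:05:31Z 10.0.0.22 203.0.113.80:443
"""


def parse_connections(log_text):
    """Group connection timestamps (epoch seconds, UTC) by (src, dst:port)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append(when.timestamp())
    return flows


def periodicity(timestamps):
    """Median inter-arrival gap and its median absolute deviation, normalised.

    Returns (period, jitter) with jitter = MAD / period. A tight poller sits
    near 0; human-driven traffic sits near or above 1. Median statistics are
    used so a single long gap (laptop lid closed) does not hide the rhythm.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    period = median(gaps)
    mad = median(abs(g - period) for g in gaps)
    return period, (mad / period if period else float("inf"))


def find_beacons(log_text, min_connections=6, max_jitter=0.2):
    """Flows with enough connections and a regular enough rhythm to look like polling."""
    findings = []
    for (src, dst), ts in parse_connections(log_text).items():
        if len(ts) < min_connections:
            continue
        period, jitter = periodicity(ts)
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(ts),
                             "period": period, "jitter": jitter})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(CONN_LOG):
        print(finding)
```

Run this over a day of flow or proxy data and the 10-second pollers stand out immediately; a sample of six connections is enough to score a rhythm, which at that cadence is one minute of host uptime. Legitimate software polls too, so the output is a triage list keyed by destination, not a verdict, and the destination's ASN and nameserver pattern (the part the infrastructure analysis above makes hunt-friendly) is the next pivot.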
Crimeware Business Updates: RaaS and the Art of the Bluff
Cyderes covers 0APT, a group that started with loud claims and thin proof, and appears to be maturing into an actual RaaS platform with functional encryption (hybrid RSA/AES) and a Rust-based stack. The operational warning here is simple: some crews do level up after a shaky debut (Cyderes).
UncleSp1d3r: Nothing says "we're serious now" like shipping actual crypto code instead of a PowerPoint presentation. However, this still resembles the "tech bros" of the malicious actor world. First, you create your pitch deck, and then you worry about actually writing something.
KryptoKat: Treat "immature actor" as a time-bound statement, not a comfort blanket.
Scam Season: Sports Fans and Hospitality Staff in the Crosshairs
- Winter Olympics 2026 fake merchandise shops: Malwarebytes flags a cluster of scam domains impersonating Olympic shopping sites, aimed at payment card theft and PII capture (Malwarebytes).
- Booking.com phishing: Bridewell documents an impersonation campaign targeting hotels and customers. Worth circulating internally if you support hospitality workflows, even if you're not "in travel" (Bridewell).
UncleSp1d3r: Every major event comes with commemorative merch and commemorative fraud.
Patch Gravity (Linux/OT Edition): Nessus Updates Worth Your Attention
Tenable's plugin updates this week read like a reminder that Linux patching isn't one thing; it's a swarm of kernel issues, core libraries, and distro-specific packaging timelines, plus an OT cameo via Siemens.
- Broad Linux kernel CVE coverage and Siemens SIMATIC S7-1500 ecosystem mentions: Nessus plugin updates (Feb 16)
- Additional Feb 17-18 plugin drops spanning RHEL/SUSE/Debian/Oracle/Fedora/Photon OS and more, including CVE-2026-2474 among the referenced set: NVD: CVE-2026-2474
KryptoKat: If you're managing a mixed enterprise and operational technology (OT), keep this process tip in mind: validate patches quickly, but ensure that your PLCs remain stable.
Closing: The Permission Economy Is the Real Perimeter
We keep building higher walls, then handing out more badges. Marketplaces, SaaS notifications, "just download it here," webhook services, extension ecosystems: none of these are bugs. They're features. And features are what attackers ride when they want to look ordinary.
If your controls assume "malicious equals unusual," you'll keep losing to threats that are boringly normal.
UncleSp1d3r: If you need me, I'll be in the corner muttering "download from the vendor" like it's an ancient spell.