EvilBit Threat Digest - When Your Browser and Build Pipeline Become the Backdoor
Supply-chain attacks target Maven Central with Cobalt Strike, Firefox extensions hide malware in PNG pixels, and APT groups weaponize DNS to hijack software updates.
KryptoKat here. It's the week between Christmas and New Year's, which means the usual lull in corporate security operations--but not, apparently, in malware distribution. While most of us were attempting to disconnect, threat actors doubled down on supply-chain attacks and browser-based persistence. This edition covers a particularly nasty typosquatting campaign on Maven Central that delivered Cobalt Strike to Java developers, a seven-year Firefox extension operation hiding payloads in PNG pixels, and an APT group that's weaponizing software update mechanisms via DNS poisoning.
The connective tissue? Attackers are exploiting the trust developers and users place in official repositories, browser marketplaces, and legitimate update channels. Let's break down what actually demands your attention before the holiday is over.
Maven Central Under Fire: Jackson Typosquatting Delivers Cobalt Strike
The Java ecosystem just got a wake-up call courtesy of a sophisticated supply-chain attack. Aikido Security documented the first known case of malicious packages on Maven Central that auto-execute in Spring Boot applications, delivering Cobalt Strike beacons to developer machines and production environments.
The attack abuses a reverse-domain namespace swap: legitimate Jackson packages live under com.fasterxml.jackson.core, but the malicious package used org.fasterxml.jackson.core. For developers who mistype or autocomplete the wrong groupId, the payload executes automatically via Spring Boot's ApplicationRunner interface--no user interaction required beyond adding the dependency.
Once the package is included in a build, it:
- Auto-executes via Spring Boot lifecycle hooks
- Fetches an AES-encrypted configuration from attacker-controlled domains (m.fasterxml.org, fasterxml.org)
- Downloads platform-specific binaries from 103.127.243.82
- Executes Cobalt Strike beacons (confirmed via VirusTotal analysis of SHA256 hashes 702161756dfd150ad3c214fbf97ce98fdc960ea7b3970b5300702ed8c953cafd for Linux/macOS and 8bce95ebfb895537fec243e069d7193980361de9d916339906b11a14ffded94f for Windows)
The package was removed from Maven Central approximately 1.5 hours after Aikido's report, but AlienVault OTX documented the full artifact set and IOCs. No confirmed downstream victims have been publicly identified, but the technique demonstrates a concerning evolution in supply-chain targeting.
For defenders:
- Audit your SBOMs and Maven dependencies for org.fasterxml namespace packages (the legitimate namespace is com.fasterxml)
- Block m.fasterxml.org, fasterxml.org, and IP 103.127.243.82 at the perimeter and DNS
- Enforce package signature verification and provenance checks in CI/CD pipelines
- Hunt for Spring Boot applications with unexpected ApplicationRunner beans from third-party libraries
- Monitor for HTTP callbacks on non-standard ports (the campaign used port 51211 for beacon traffic)
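One way to run the namespace audit from the first bullet, as an added Python example that is not code from Aikido's report or this digest: it walks a POM and flags any groupId that matches an allowlisted prefix except for the leading com/org segment. The allowlist, the sample POM and the lookalike rule are assumptions; the same candidate check applies to groupIds pulled from a CycloneDX SBOM.

```python
"""Audit a Maven POM for reverse-domain namespace swaps such as org.fasterxml vs com.fasterxml."""
import xml.etree.ElementTree as ET

# Constructed allowlist: groupId prefixes this organisation knowingly depends on.
TRUSTED_GROUP_PREFIXES = {"com.fasterxml.jackson", "org.springframework", "org.apache.commons"}


def is_trusted(group_id):
    """True if group_id is, or lives under, an allowlisted prefix."""
    return any(group_id == t or group_id.startswith(t + ".") for t in TRUSTED_GROUP_PREFIXES)


def namespace_swap_candidates(group_id):
    """Yield trusted prefixes that equal group_id except for the leading segment (com/org/io...)."""
    parts = group_id.split(".")
    for trusted in TRUSTED_GROUP_PREFIXES:
        tparts = trusted.split(".")
        if len(parts) >= len(tparts) and parts[0] != tparts[0] and parts[1:len(tparts)] == tparts[1:]:
            yield trusted


def audit_pom(pom_xml):
    """Return (groupId, artifactId, lookalike_trusted_prefix) for each suspicious dependency."""
    root = ET.fromstring(pom_xml)
    findings = []
    # {*} matches <dependency> with or without the POM namespace; .// also reaches
    # <dependencyManagement> and <plugin> blocks.
    for dep in root.iterfind(".//{*}dependency"):
        gid = (dep.findtext("{*}groupId") or "").strip()
        aid = (dep.findtext("{*}artifactId") or "").strip()
        if not gid or is_trusted(gid):
            continue
        for trusted in namespace_swap_candidates(gid):
            findings.append((gid, aid, trusted))
    return findings


# Constructed POM: one legitimate Jackson dependency, one with the swapped namespace, one benign.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
    <dependency><groupId>org.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId></dependency>
    <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for gid, aid, lookalike in audit_pom(SAMPLE_POM):
        print(f"SUSPICIOUS {gid}:{aid} (lookalike of trusted {lookalike})")
```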
The Socket.dev analysis provides additional context on similar supply-chain techniques. This is a practitioner-level threat that should immediately trigger dependency audits for any organization running Java/Spring Boot applications.
GhostPoster: Hiding Malware in Firefox Extension Icons
Browser extensions remain a high-value target, and this week brought a campaign with a novel twist. Koi Security's research and corroborating reports document GhostPoster, a malware campaign that embedded malicious JavaScript inside the PNG icon files of 17 Firefox extensions, infecting over 50,000 users.
The technique is steganography with a practical twist. The extensions--masquerading as productivity tools, VPNs, and utilities--contained PNG files with pixel data encoding obfuscated JavaScript loaders. At runtime, the extension would:
- Extract pixel values from the embedded icon
- Reconstruct the obfuscated JavaScript payload
- Execute the code to inject tracking scripts, affiliate hijacking, and credential theft into browsing sessions
The campaign targeted high-value domains (GitHub, cloud providers, banking sites) and exfiltrated credentials via man-in-the-middle proxies. What makes this particularly effective is that the PNG files passed basic image validation and automated malware scans--they're legitimate image files that also happen to contain executable code.
Mozilla has since removed the malicious extensions, but the technique demonstrates that browser extension marketplaces remain vulnerable to creative obfuscation. SecureBlink's analysis notes similar patterns emerging in Chrome extensions as well.
For defenders:
- Audit installed Firefox extensions across your fleet and remove any from the GhostPoster IOC list (extension names available in the Koi report)
- Deploy browser extension policies that restrict installations to verified publishers
- Monitor for extensions making network requests to non-CDN domains
- Hunt for anomalous PNG files in extension directories (look for files with high entropy or suspicious metadata)
- Block the C2 infrastructure and proxy domains documented in the research
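A triage script for the PNG-hunting bullet, added here as an example rather than code from Koi's research: it walks the chunk structure (so a file that merely passes as an image is still checked), reports bytes after IEND, and scores the entropy of the decoded pixel data. The 7.5 bits/byte cutoff and the generated grayscale test images are assumptions; icons with photographic content also score high, so treat a hit as a lead, not a verdict.

```python
"""Triage PNG icons: verify chunk structure, flag trailing data, and measure pixel entropy."""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png(data):
    """Return (chunks, trailing_bytes); chunks is [(type, body)]. Bad signature or CRC raises."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]:
            raise ValueError("bad CRC in chunk %s" % ctype.decode("ascii", "replace"))
        chunks.append((ctype.decode("ascii"), body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def shannon_entropy(buf):
    """Bits per byte: near 0 for flat content, 8.0 for uniformly random bytes."""
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c) if buf else 0.0


def triage_png(data, entropy_threshold=7.5):
    """Findings for one PNG blob; the threshold is an assumed triage cutoff, not a standard."""
    chunks, trailing = parse_png(data)
    findings = []
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    pixels = zlib.decompress(b"".join(body for ctype, body in chunks if ctype == "IDAT"))
    entropy = shannon_entropy(pixels)
    if entropy > entropy_threshold:
        findings.append("high pixel entropy %.2f bits/byte" % entropy)
    return findings


def make_png(width, height, gray_pixels, extra=b""):
    """Constructed test input: minimal 8-bit grayscale PNG, optionally with bytes after IEND."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    rows = b"".join(b"\x00" + gray_pixels[y * width:(y + 1) * width] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"") + extra
```

Run `triage_png(open(path, "rb").read())` over each icon in an unpacked extension directory and review anything that returns a non-empty list.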
This is another reminder that browser attack surface extends beyond the JavaScript sandbox. Steganographic encoding in trusted file formats is an evasion technique worth tracking--both as a defensive priority and as a research area for understanding how attackers bypass content security policies.
Phantom Shuttle Redux: Chrome Extensions as Credential Proxies
We flagged Phantom Shuttle in our December 24 edition, but this week brought additional technical details worth highlighting. Socket.dev's deeper analysis confirms the extensions route traffic for over 170 high-value domains through attacker-controlled proxy servers at phantomshuttle.space (resolving to 47.244.125.55).
The mechanism is simple but effective: the extensions inject hardcoded proxy credentials into the browser's authentication flow, set a proxy auto-config (PAC) script that routes specific domains through the attacker's infrastructure, and maintain a heartbeat to the C2 to exfiltrate credentials every five minutes. The extensions also monetize via subscription fees, so victims are paying for the privilege of being compromised.
The campaign's eight-year longevity underscores detection failures in browser extension vetting. For defenders, the updated guidance is:
- Block phantomshuttle.space and IP 47.244.125.55 via DNS/firewall
- Hunt for proxy authentication events in browser logs (look for Basic auth headers matching the hardcoded credentials documented in Socket's report)
- Search HTTP logs for Authorization headers containing the observed proxy username
- Enforce Chrome Enterprise policies that restrict the webRequestAuthProvider and proxy permissions
- Rotate all credentials potentially accessed while the extension was installed, prioritizing cloud console access, repository credentials, and identity provider sessions
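A log-hunting routine for the two proxy-authentication bullets, added as an example and not taken from Socket's analysis: it decodes Basic proxy credentials out of log lines and flags any that reach phantomshuttle.space, an unapproved proxy, or carry a watched username. The log format, the corporate-proxy allowlist and the OBSERVED_USERNAME_PLACEHOLDER stand-in for the username in Socket's report are assumptions.

```python
"""Hunt HTTP/proxy logs for Basic proxy credentials sent to an unapproved or known-bad proxy."""
import base64
import re

APPROVED_PROXIES = {"proxy.corp.example:3128"}  # constructed corporate proxy allowlist
KNOWN_BAD_PROXIES = {"phantomshuttle.space", "47.244.125.55"}  # Phantom Shuttle infrastructure from the digest
WATCHED_USERNAMES = {"OBSERVED_USERNAME_PLACEHOLDER"}  # placeholder for the username in Socket's report

# Constructed log format: ts client proxy=host:port host=dest proxy_auth="Basic <b64>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) proxy=(?P<proxy>\S+) host=(?P<host>\S+)'
                     r' proxy_auth="Basic (?P<b64>[A-Za-z0-9+/=]+)"')


def decode_basic(b64):
    """Return (username, password) from a Basic credential, or (None, None) if malformed."""
    try:
        user, _, pw = base64.b64decode(b64, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None, None
    return user, pw


def hunt(log_lines):
    """Return (ts, client, proxy, dest_host, username, reason) for each suspicious line."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a proxy-auth event in the constructed format
        user, _ = decode_basic(m["b64"])
        if m["proxy"].rsplit(":", 1)[0] in KNOWN_BAD_PROXIES:
            reason = "known Phantom Shuttle proxy"
        elif m["proxy"] not in APPROVED_PROXIES:
            reason = "credentials sent to unapproved proxy"
        elif user in WATCHED_USERNAMES:
            reason = "watched proxy username"
        else:
            continue
        hits.append((m["ts"], m["client"], m["proxy"], m["host"], user, reason))
    return hits


def _basic(user, pw):
    return base64.b64encode(f"{user}:{pw}".encode()).decode()


# Constructed sample: a benign corporate-proxy line, one via the Phantom Shuttle host, one watched user.
SAMPLE_LOG = [
    f'2025-12-26T10:01:02Z 10.0.0.5 proxy=proxy.corp.example:3128 host=github.com proxy_auth="Basic {_basic("alice", "s3cr3t")}"',
    f'2025-12-26T10:01:09Z 10.0.0.7 proxy=phantomshuttle.space:443 host=github.com proxy_auth="Basic {_basic("OBSERVED_USERNAME_PLACEHOLDER", "pw")}"',
    f'2025-12-26T10:02:15Z 10.0.0.9 proxy=proxy.corp.example:3128 host=login.example.com proxy_auth="Basic {_basic("OBSERVED_USERNAME_PLACEHOLDER", "pw")}"',
]
```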
The overlap between GhostPoster (Firefox) and Phantom Shuttle (Chrome) suggests browser extensions across all platforms are under sustained, sophisticated attack. Treat extension installation as a privileged operation and enforce allowlisting wherever feasible.
Evasive Panda Weaponizes Software Updates via DNS Poisoning
Securelist's analysis of the Evasive Panda APT reveals a campaign leveraging DNS poisoning and adversary-in-the-middle (AitM) attacks to compromise trusted software update channels. The group, active in China, India, and Turkey, has been observed replacing legitimate updates for SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ with trojanized installers delivering MgBot malware.
The attack chain is straightforward but devastatingly effective:
- Compromise network infrastructure (ISP DNS, router configurations, or DHCP servers)
- Poison DNS responses for software update domains
- Redirect victims to attacker-controlled servers hosting malicious installers
- Victim downloads and executes what appears to be a legitimate software update
- MgBot is deployed for long-term espionage (keylogging, file exfiltration, credential theft)
The campaign demonstrates that controlling network infrastructure grants an adversary the ability to weaponize any trust relationship that relies on DNS or unencrypted update channels. For software vendors that don't enforce code signing validation or use HTTPS with certificate pinning, this technique bypasses all endpoint defenses.
For defenders:
- Implement DNSSEC where feasible and monitor for anomalous DNS query patterns
- Enforce code signing validation for all software installations and updates
- Deploy application allowlisting to restrict execution of unsigned binaries
- Monitor for network connections to unexpected IPs for known software update domains
- Segment network infrastructure and restrict administrative access to DNS/DHCP servers
- If possible, use enterprise software distribution mechanisms (WSUS, SCCM, etc.) rather than relying on public update servers
The Cyberpress report provides additional IOCs and MITRE ATT&CK mappings (T1557.001 for ARP cache poisoning, T1557.002 for DNS spoofing). This is APT-level tradecraft that's particularly dangerous in regions with weak network security practices or state-controlled ISPs.
Nessus Plugin Updates: Routine Coverage Expansion
Tenable released updated Nessus plugins this week covering vulnerabilities in Rocky Linux, SUSE, Unity Linux, Fedora, and various open-source libraries (PHP, libtar, expat, MariaDB). The update includes detection for CVEs dating back to 2021-2022, suggesting these are older vulnerabilities now receiving vendor patches in long-term support distributions.
Highlights include:
- Rocky Linux 9: PHP 8.1 security updates
- Rocky Linux 8: PHP 7.4, libtar, mingw-expat, and MariaDB 10.3 fixes
- Multiple CVEs with confirmed exploit artifacts or elevated EPSS scores (prioritize these for patching)
The full list is on Tenable's plugin page. For vulnerability management teams, the immediate actions are to run discovery scans with the updated plugins, prioritize internet-facing Rocky/SUSE/Fedora systems, and cross-reference findings against your patch deployment schedules.
While these updates are routine, they provide actionable detection coverage for organizations running affected distributions. The inclusion of older CVEs with known exploits means some unpatched systems may have been vulnerable for years--a good reminder to audit long-term support systems for patch compliance.
Closing Thoughts: Trust-but-Verify, Especially the Package Managers
This week's stories share a common pattern: attackers are weaponizing the infrastructure we trust implicitly. Maven Central packages auto-execute in Spring Boot apps. Firefox extensions hide payloads in image files. Chrome extensions route your credentials through their own proxies. And APT groups poison DNS to hijack software updates.
The traditional defensive perimeter has collapsed. Your users can't distinguish a malicious package from a legitimate one when the attack vector is a single-character namespace typo. Your browser can't protect credentials when the extension you installed has proxy permissions. And your software update mechanism can't validate authenticity when the network itself has been compromised.
The defensive playbook remains consistent: enforce code signing, validate package provenance, restrict browser extension permissions, implement DNSSEC, and educate developers on supply-chain hygiene. But the execution has to be sharper. You can't just trust a package because it's on Maven Central or an extension because it's in the Firefox Add-ons store.
Audit your dependencies. Allowlist your extensions. Validate your updates. And maybe take a hard look at who controls your DNS before the new year.
Stay vigilant. The threat actors didn't take the week off, and neither should your detection.
-- KryptoKat
Recent Nessus Plugin Updates (2025-12-24 through 2025-12-27)
For vulnerability management teams tracking scanner coverage, Tenable released updated Nessus plugins for:
- Rocky Linux 9/8 (PHP, libtar, expat, MariaDB)
- SUSE SLES15/openSUSE/SLES11 (kernel, libsoup)
- Fedora (mod_md, kernel, Thunderbird)
- Academy Software Foundation OpenEXR
- GIMP and FluidSynth vulnerabilities
CVEs covered include CVE-2025-12840, CVE-2025-68374, CVE-2025-68732, CVE-2025-68696, CVE-2025-68360, CVE-2025-12839, CVE-2025-68617, CVE-2025-12495, CVE-2025-14425, CVE-2025-14423, CVE-2025-14424, CVE-2025-67436, and others. Full details at Tenable's update page.