Triaging the Week 122
AI on the Offensive // The AI Layer as an Attack Surface // Poisoning the Supply Chain & Hunting Developers // Deception-Led Delivery & Trusted Infrastructure // Guarding the Access Layer
Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top News Stories
🤖 AI on the Offensive: Attackers Put LLMs in the Driver’s Seat
Stories
🗞️ First Captured Live Intrusion Driven by an LLM Orchestrator (Sysdig) — The first real-time, AI-agent-driven cyberattack: an automated LLM orchestrator exploited a web vulnerability and dumped a database in under an hour, dynamically generating commands and using Cloudflare Workers for parallel exfiltration to dodge source-IP detection. The takeaway is that attackers are swapping static, prebuilt scripts for adaptive LLM agents that select post-compromise actions based on real-time feedback — undermining signature-based TTP defenses. 🔎 Threat Hunting Package
🗞️ The Rise of the AI Software Factory: Attackers Automate EDR Evasion (Sophos) — A threat actor used Cursor and Claude Opus to automate malware testing against EDRs, bypassing guardrails to build a modular “factory” for stealthy ransomware operations. Rather than writing novel malware, the actor uses AI agents to ingest public research, map bypasses to the MITRE ATT&CK framework, spin up Ludus test labs, and iteratively refine loaders until they evade detection.
🗞️ High-Velocity Cybercrime Group TA4922 Escalates Across Europe and Africa (Proofpoint) — A major expansion by Chinese-speaking actor TA4922, pairing localized social engineering with an AI-accelerated pipeline to commit fraud, steal data, and sell access globally. It evades email security by shifting victims to WhatsApp and Teams and uses AI to rapidly develop malware such as Atlas RAT and RomulusLoader. 🔎 Threat Hunting Package
Recommendations
☑️ Shift detection away from rigid command/file signatures toward behavioral, intent-based runtime monitoring — credential access, metadata harvesting, anomalous DB interactions, process hollowing, DLL sideloading — since AI pipelines mutate payloads faster than signatures can keep up.
☑️ Patch fast and shrink the blast radius: update internet-facing dev workloads (e.g., marimo to 0.23.0+ or restrict the /terminal/ws endpoint), rotate exposed AWS/SSH keys and .env secrets, and enforce least privilege, MFA, and identity isolation.
☑️ Enforce strict outbound filtering on containers and endpoints to catch distributed API requests fanning out across proxy pools or unapproved CDNs, and flag unexpected test setups or unapproved virtualization in user directories (e.g., C:\Users\User\Documents\test).
☑️ Train HR, payroll, and finance against regionalized lures and the pivot to external messaging apps, and pair automated tooling with human-led MDR to intercept AI-accelerated sequences.
🎯 The AI Layer as an Attack Surface: Prompt Injection & Trust Transfer
Stories
🗞️ How Attackers Turn ChatGPT Summaries Into Phishing and Tracking Overlays (Permiso) — ChatGPT’s response renderer trusts Markdown links and image URLs from summarized pages, enabling indirect prompt injection that displays fake security alerts, tracking pixels, and malicious QR codes inside the AI interface. It’s a “trust transfer” — the assistant auto-fetches remote images and formats text as legitimate system alerts, laundering attacker payloads through a trusted UI and bypassing browser protections.
🗞️ Attackers Weaponize ChatGPT and Claude Shared Links to Deploy Malware (Push Security) — Search-engine malvertising hides malicious content inside legitimate AI chatbot sharing URLs; by abusing ChatGPT/Claude code-rendering, campaigns slip past filters to deliver infostealers. It’s “trusted platform abuse” — malicious content on verified domains (chatgpt.com / claude.ai) bypasses filters, and code-rendering builds fake error overlays that trick users into running payloads. 🔎 Threat Hunting Package
🗞️ Hijacking Google Gemini Voice Assistant via Messaging Notifications (SafeBreach) — An indirect prompt injection compromises Gemini’s voice assistant through incoming notifications (WhatsApp, Slack, SMS), silently triggering smart-home actions, video streams, or long-term memory poisoning. A “Muted Fake Context Alignment” flaw hides a malicious instruction in on-screen text while the assistant reads a normal question aloud; the user’s “Yes” gets aligned with the hidden script.
Recommendations
☑️ Treat AI-generated output as untrusted: never click links, scan QR codes, or act on account/security alerts that appear inside AI summaries — verify directly in the official provider portal.
☑️ Download AI desktop tools only from verified vendor pages (e.g., chatgpt.com/download), ban executing CLI/curl scripts copied from shared chat interfaces, and add indirect prompt-injection scenarios to phishing simulations.
☑️ Deploy browser/endpoint controls and web gateways that inspect sessions dynamically and block conditional redirects to malicious delivery infrastructure and untrusted image-hosting / URL-shortener domains used for tracking or exfiltration.
☑️ Apply least privilege to AI ecosystems: audit and limit assistant tool access (no unilateral control of smart locks/windows or high-sensitivity apps), be cautious replying vocally right after the assistant reads an external notification, and keep apps/firmware updated for new content classifiers.
📦 Poisoning the Supply Chain & Hunting Developers
Stories
🗞️ Aggressive “Shai-Hulud” Variant Compromises Red Hat Cloud Services on npm (OX Security) — A supply-chain attack hit the @redhat-cloud-services npm ecosystem with a heavily obfuscated infostealer; 31+ contaminated packages exfiltrated cloud configs, dev tokens, and environment details across 210+ repos. The “Miasma” variant uses api.anthropic.com as a decoy C2 to mislead researchers and includes destructive logic to “nuke” the host if stolen tokens are revoked.
🗞️ 1-Click GitHub Token Theft Disclosed via VSCode Webview Flaw (Ammar Askar) — A VSCode webview design flaw lets attackers exfiltrate full-access GitHub OAuth tokens with a single click by forging keystrokes from an untrusted repo to bypass trust checks and install a malicious extension. The root cause is a UX optimization where webviews bubble up keypresses, letting untrusted scripts spoof input, run commands, and bypass publisher trust validation — especially via github.dev and embedded .ipynb files.
🗞️ Fraudulent Open-Source Portals Weaponize TDS Gating to Deploy Infostealers (Check Point) — Lookalike sites impersonate open-source projects and use a Traffic Distribution System to serve RemusStealer to first-time visitors while staying invisible to scanners. A “reproducibility trap” keyed to browser localStorage delivers multi-stage payloads only on the first eligible click, then falls back to benign apps (like Opera) on refresh to defeat analysis. 🔎 Threat Hunting Package
🗞️ Stealthy Crypto-Miner Discovered in Hola Browser Pipeline (Sophos) — During certification testing, an uncertified me.exe was found bundled with the Hola Browser installer — a stealthy crypto-miner from a compromised distribution pipeline affecting ~0.1% of users. The unsigned, obfuscated binary ran mining (via the hola_monitor_svc service) only when the host was idle to avoid notice.
🗞️ Chrome Extension Developers Targeted in Google Login Phishing Scam (Malwarebytes) — Fake copyright-infringement notices push convincing fake Google sign-in pages at extension publishers to steal credentials and hijack extensions with malicious updates. The phishing page pulls the target’s real extension name and icon, then uses a fake sign-in overlay with a 48-hour countdown timer to induce panic.
Recommendations
☑️ Fetch software only from authentic sources: bypass organic search links, verify and pull binaries directly from official repos/GitHub pages, and avoid opening untrusted repos (especially embedded .ipynb) in web-based IDEs.
☑️ Lock down the pipeline: enforce SCA / dependency pinning to block unverified auto-updates, downgrade affected @redhat-cloud-services packages to safe historical versions, and isolate contaminated systems.
☑️ Tighten developer identity: enforce minimum-privilege, short-lived OAuth scopes, rotate high-privilege GitHub integrations and exposed cloud/repo credentials, clear github.dev cookies/local data to force re-auth, and audit unauthorized extension installs.
☑️ Verify before you trust an alert: never click links in unexpected copyright/policy warnings — go straight to your Chrome Web Store developer dashboard — and secure dev accounts with hardware keys or passkeys.
☑️ For vendors: enforce code-signing verification, zero-trust access, and continuous monitoring across distribution infrastructure, plus independent certification and behavioral validation (e.g., AppEsteem) so apps match their declared footprint.
🎭 Deception-Led Delivery & Trusted Infrastructure
Stories
🗞️ DriveSurge Exploits “ClickFix” Tactics to Deliver macOS Malware (Silent Push) — Initial-access broker “DriveSurge” runs ClickFix and FakeUpdates campaigns; payloads use environment profiling and clipboard hijacking to run malicious scripts on macOS. It profiles visitors to deliver cross-platform lures; for macOS it triggers fake error prompts that trick users into pasting and running commands in Terminal. 🔎 Threat Hunting Package
🗞️ macOS Malvertising Campaign Deploys Stealthy FlutterShell Backdoor (Palo Alto Unit 42) — “Operation FlutterBridge” used hundreds of Google-verified ads and valid Apple Developer IDs to push the FlutterShell backdoor disguised as utility apps (PodcastsLounge, PDF-Brain, PDF-Ninja). FlutterShell hosts its logic externally via a WebView architecture, bypassing Apple notarization and enabling real-time payload updates without changing the app binary. 🔎 Threat Hunting Package
🗞️ Weedhack Malware-as-a-Service Campaign Hijacks Minecraft Mods (McAfee) — A MaaS disguised as Minecraft mods, spread via SEO poisoning and YouTube, deploys infostealers and RATs to steal credentials and drain crypto wallets. It uses “EtherHiding” on the Ethereum blockchain to fetch C2 domains — resilient to takedowns — while offering premium RAT/keylogging for $5/month on the clear net. 🔎 Threat Hunting Package
🗞️ Weaponized Legitimate Traffic: How DesckVB RAT Evades Gateways and Blinds Telemetry (Huntress) — A five-stage in-memory chain delivers DesckVB RAT, abusing trusted Google infrastructure for redirection and pulling victim company branding live to build custom lures that slip past email gateways. It reuses generic malspam infrastructure, pulls company logos live from the URL, reboots if it detects a sandbox, and patches AMSI/ETW to blind endpoint telemetry. 🔎 Threat Hunting Package
🗞️ Malware Abuses Steam Community Profiles to Control Infected WordPress Sites (GoDaddy) — Nearly 2,000 WordPress sites run malware that uses Steam profiles for C2, injecting tracking JS into front-end pages and planting a server-side backdoor for remote code execution. It hides its C2 payload in public Steam profile comments using a steganographic array of invisible Unicode characters (zero-width joiners) that text-based scanners can’t see.
Recommendations
☑️ Train users never to copy-paste “repair scripts,” code, or commands from browser pop-ups, fake error prompts, or shared interfaces into Terminal/PowerShell — and to avoid mods, cheats, or tools from unofficial sites, untrusted Discords, or YouTube description links.
☑️ Control the download path: deploy ad-blocking and web-browsing rules to block sponsored/malvertising links, mandate downloads from verified developer domains or official app stores, and move to application allowlisting / MDM that blocks non-approved utility apps (including macOS).
☑️ Harden email gateways and endpoints against evasive delivery: flag/quarantine minimal HTML attachments with zero-second meta-refresh redirects, monitor code injection into signed system tools (InstallUtil.exe, MSBuild.exe), and enable PowerShell Script Block Logging and AMSI auditing to catch fileless .NET reflection and API-hook tampering.
☑️ Deploy EDR across all fleets (including macOS), tuned to alert on unusual process parenting and unauthorized terminal/RAT execution, and run behavior-based scans after risky installs.
☑️ Hunt for trusted-platform C2 abuse: scan WordPress for references to steamcommunity.com and invisible Unicode arrays (U+200C, U+200D, U+2061–U+2064), rotate WordPress admin/DB/FTP credentials with MFA, deploy File Integrity Monitoring plus a WAF to block anomalous server-side changes and unauthorized POSTs, and restrict newly registered/high-risk domains (e.g., .icu) and unverified third-party scripts.
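Two of the hunting checks in the recommendations above, the minimal HTML attachment with a zero-second meta-refresh redirect and the invisible Unicode array sitting next to a steamcommunity.com reference, as an added Python example that is not from the original post or any of the cited vendors. The sample PHP and HTML inputs are constructed, and the minimum run length used to ignore stray zero-width joiners in emoji sequences is an assumption.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Code points named in the recommendation: zero-width non-joiner (U+200C),
# zero-width joiner (U+200D) and the invisible operators U+2061..U+2064.
INVISIBLE = frozenset({"\u200c", "\u200d"} | {chr(c) for c in range(0x2061, 0x2065)})
STEAM_RE = re.compile(r"steamcommunity\.com", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "invisible_run", "steam_ref" or "zero_second_refresh"
    offset: int    # character offset in the scanned text
    detail: str    # run length, matched host, or redirect target


def find_invisible_runs(text: str, min_run: int = 8) -> list[Finding]:
    """Runs of invisible code points. A lone ZWJ is legitimate inside emoji
    sequences, so only runs of at least min_run characters (assumed) are reported."""
    out, i = [], 0
    while i < len(text):
        if text[i] not in INVISIBLE:
            i += 1
            continue
        j = i
        while j < len(text) and text[j] in INVISIBLE:
            j += 1
        if j - i >= min_run:
            out.append(Finding("invisible_run", i, f"{j - i} chars"))
        i = j
    return out


def scan_wordpress_file(text: str) -> list[Finding]:
    """steamcommunity.com references plus invisible Unicode arrays, in offset order."""
    out = [Finding("steam_ref", m.start(), m.group(0)) for m in STEAM_RE.finditer(text)]
    out += find_invisible_runs(text)
    return sorted(out, key=lambda f: f.offset)


def zero_second_refresh(html: str) -> str | None:
    """Return the redirect target if any <meta http-equiv=refresh> fires after 0 seconds."""
    for tag in re.finditer(r"<meta\b[^>]*>", html, re.IGNORECASE):
        t = tag.group(0)
        if not re.search(r'http-equiv\s*=\s*["\']?refresh', t, re.IGNORECASE):
            continue
        m = re.search(r'content\s*=\s*["\']?\s*0\s*;\s*url\s*=\s*([^"\'>\s]+)', t, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


# Constructed samples (not real artifacts): a PHP file with a hidden 16-character
# array after a comment, and a minimal HTML attachment that redirects immediately.
SAMPLE_PHP = "<?php // sync\n" + "\u200d\u200c\u2061\u200d" * 4 + "\n$u='https://steamcommunity.com/id/x';\n"
SAMPLE_HTML = '<html><meta http-equiv="refresh" content="0;url=https://example.invalid/x"></html>'
```

Run `scan_wordpress_file` over theme and plugin PHP/JS files and `zero_second_refresh` over quarantined HTML attachments; a hit from the first combined with a steamcommunity.com reference is the pattern described in the GoDaddy story.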
🔐 Guarding the Access Layer: Credentials, Tokens, Devices & People
Stories
🗞️ Dutch Police and NCSC Dismantle Massive 17-Million Device Botnet (NCSC) — Dutch authorities disrupted a 17-million-device botnet by seizing 200 servers, dismantling a network of compromised consumer and IoT devices used as an illicit residential proxy network for cyberattacks and fraud. That 17 million infected devices were controlled by just 200 servers shows how aggressively actors are turning everyday household electronics into traffic-laundering infrastructure to bypass geographical defenses.
🗞️ Automated Brute-Force Attack Targets Dashlane 2FA Protections (Dashlane) — A highly automated brute-force attack targeted 2FA mechanisms and device registration; while the infrastructure stayed uncompromised, fewer than 20 personal-plan users had encrypted vaults exfiltrated. Rather than exploiting a software bug, attackers ran rapid automated scripts to guess short-lived 2FA codes — a trend of targeting authentication flows directly to force new device registrations.
🗞️ “FlagLeft” Exposes Microsoft 365 Android Users to Silent Account Takeovers (Enclave) — A critical flaw in several M365 Android apps lets unverified third-party apps silently hijack accounts via a forgotten debug flag, stealing persistent tokens and accessing email, calendars, and documents with no alerts. A simple setIsDebugMode(true) left active in a shared SDK disabled the authorization checks that block untrusted apps from acquiring long-lasting “FOCI” tokens.
🗞️ Five Eyes Alliance Warns of Chinese Spies Using Fake Job Ads to Recruit Insiders (Five Eyes) — Chinese intelligence is using fake companies and professional networking platforms to recruit Western government and defense personnel and extract sensitive information. Actors reverse the recruitment pipeline — flooding job boards with “defense analyst” ads, screening applicants by their clearance/access, then extracting non-public intelligence through mandatory “trial reports” before moving to encrypted apps.
Recommendations
☑️ Audit and harden the access edge: replace factory-default credentials on routers/IoT with unique complex passwords, secure Wi-Fi with WPA2/WPA3, and review and revoke unrecognized or legacy registered devices on password-manager and M365 accounts.
☑️ Strengthen authentication: use long, unique master passwords; enforce MFA everywhere supported, preferring phishing-resistant passkeys or hardware keys; and patch promptly (router firmware, operating systems, and affected M365 Android apps).
☑️ Hunt for abuse signals: review M365 audit logs for anomalous token-refresh activity or unexpected third-party app authorizations, and enforce MDM to keep mobile app versions compliant.
☑️ Counter human-targeted recruitment: verify unknown foreign recruiters on LinkedIn/Indeed, report any requests about unit activities or government contacts to your security officer, and enforce secondary-employment policies, pre-clearance review of external reports, and ongoing “Applicant Beware” training for cleared staff.
Feature Video
60% of breached small businesses go out of business within six months. The cause usually isn’t a missing firewall. It’s a missing decision.
Most SMBs that “invest” in threat intelligence buy the wrong thing. They buy a feed (a stream of raw IPs, hashes, and domains) and call it a program.
That’s not threat intelligence. That’s a subscription.
CTI isn’t the data. It’s the decision you make because of the data. Three tiers:
🔹 Tactical — IOCs (IPs, hashes, URLs). Short shelf life, machine-consumable.
🔹 Operational — the TTPs an actor uses to break in, move laterally, and exfiltrate. An IP changes in seconds; tradecraft takes months.
🔹 Strategic — trends and impact: who’s targeting your sector, ransomware economics, geopolitical pressure.
The mistake? SMBs buy tactical feeds and never produce operational or strategic intelligence — the only tiers a business can actually act on.
So here’s the uncomfortable truth: most SMBs don’t need a threat intelligence platform. They need a threat intelligence decision driven by a threat model and priority intelligence requirements.
The barrier was never the tool. It’s whether anyone’s turning data into a decision. Find out how in this video!
Feature Course
What Will You Learn?
The basics of cyber threat intelligence (CTI).
Key concepts used within the cyber threat intelligence industry.
How CTI is applied in the real world.
Common challenges and how to overcome them.
Learning Resources
Cyber Training
Zero-Point Security: Advanced training in red team operations, adversary simulation, and offensive development.
TCM Academy: A comprehensive suite of courses with a hands-on, practical approach to training that equips students with the real-world skills needed to succeed in cyber.
Blue Cape Security: A specialist in Digital Forensics and Incident Response (DFIR) training, offering courses to take you from complete beginner to expert.
Tools
Octoparse: A no-code solution that will save you time, energy, and money. Let me show you how to use it to build your own custom cyber threat intelligence web-scraping tool!