Cybersecurity Threat Research ‘Weekly’ Recap. The weekly roundup highlights supply-chain compromises (Mar 2026), Yurei operator toolkit exposure, multi‑stage TeamPCP attacks, RAT ecosystems such as CrystalX/NetSupport/Resoker/Xloader, DPRK modular malware with TA416 and Kimsuky campaigns, BRICKSTORM in virtualization, EvilTokens phishing, Tycoon 2FA infrastructure, and AI‑platform leaks (Claude Code, ChatGPT/Codex), along with detection and defense updates from Elastic, Microsoft and Validin. #TeamPCP #Yurei #CrystalX #NetSupport #Resoker #Xloader #TA416 #Kimsuky #DPRK #BRICKSTORM #EvilTokens #CocaCola #Ferrari #Tycoon #ClaudeCode #ChatGPT #Codex #BPFDoor #MythicLikho
Supply‑chain & developer‑tool compromises
- Wave of high‑profile software supply‑chain attacks in March 2026 abused maintainer accounts and package‑registry publishing to deliver cross‑platform RATs and credential stealers via npm/PyPI — Supply‑chain surge (Mar 2026)
- Compromised axios releases injected a typosquatted dependency (plain‑crypto‑js) with a postinstall dropper that fetched platform‑specific RATs; broad mitigations include pinning/downgrading, rotating tokens, and blocking C2s — Axios npm compromise (Unit42)
- Multi‑stage operation by TeamPCP trojanized Trivy, LiteLLM, Telnyx and other tooling to exfiltrate cloud secrets at scale and deploy decentralized C2/wipers — TeamPCP multi‑stage supply‑chain attacks
Ransomware, RATs & operator toolkits
- Open directories revealed a full operator toolkit for the double‑extortion Yurei ransomware (PowerShell scripts, credential ZIPs, RDP/remote tools and the StrangerThings.exe binary) — Yurei operator toolkit exposed
- Proliferation of RATs and MaaS: active campaigns and builders include CrystalX MaaS, abuse of legitimate NetSupport as a RAT, Telegram‑controlled Resoker, and heavily obfuscated Xloader network protocols — RAT ecosystem: CrystalX / NetSupport / Resoker / Xloader
- DeepLoad fileless ClickFix campaign uses AI‑evasion, in‑memory injection and WMI/USB persistence to survive cleanup; defenders should enable script logging, audit WMI and rotate exposed credentials — DeepLoad ClickFix fileless campaign
Nation‑state activity & targeted espionage
- North Korea’s cyber program favors a modular, mission‑aligned malware ecosystem where disposable toolchains enable parallel espionage, revenue and disruptive ops, complicating attribution — DPRK malware modularity
- TA416 resumed systematic targeting of European (and Middle Eastern) government/diplomatic entities using web‑bug recon, OAuth tricks, LNK/ZIP chains and a custom PlugX backdoor via DLL sideloading — TA416 resumes European espionage
- Kimsuky updated an LNK→XML→VBS→PS1 chain to deliver a Python backdoor/downloader (Dropbox staging, custom C2) to exfiltrate system info — Kimsuky LNK chain → Python backdoor
ICS / OT and virtualization threats
- Thousands of internet‑exposed ICS/OT devices (Hitachi RTU560, Moxa NPort, Rockwell 1756) are being scanned and targeted using default credentials, firmware corruption and protocol exploits; exposed OT assets should be hardened and monitored — Internet‑exposed ICS risks (Team Cymru)
- BRICKSTORM operations target VMware vSphere control plane and Photon OS; recommended defenses include Photon‑level firewalling/logging, strict segmentation, VM encryption and remote forensic logging — vSphere & BRICKSTORM defender guide
Phishing, OAuth/device‑code fraud & 2FA interception
- New Phishing‑as‑a‑Service EvilTokens offers turnkey device‑code/OAuth phishing pages and backends (PRT conversion, cookie generation), deployed across 1,000+ domains — EvilTokens device‑code phishing
- Coordinated job‑lure campaigns impersonating Coca‑Cola and Ferrari use polished career/booking pages and real‑time phishing (fake Chrome windows, social‑login interception) to harvest creds and MFA tokens — Job‑lure credential traps (Coca‑Cola / Ferrari)
- After a global takedown, Tycoon 2FA infrastructure operators pivoted to new proxies/ASNs but maintained real‑time WebSocket capture and persistent kit fingerprints; detection/IOCs available — Tycoon 2FA infrastructure update
AI platform security & product leaks
- Anthropic accidentally leaked the full Claude Code client source via a public source map (~513k lines); mirrors and forks appeared and actors used the leak as a lure to deliver droppers — Anthropic Claude Code leak
- Check Point found a hidden DNS‑based outbound channel in ChatGPT’s isolated code execution runtime that could exfiltrate messages/files or enable a remote shell from a malicious prompt or backdoored GPT — ChatGPT runtime DNS exfiltration
- OpenAI Codex app‑server can be started without authentication and exposes a JSON‑RPC exec method; restrict the bind address and require WebSocket authentication to avoid unauthenticated RCE — Codex app‑server exposure (RCE)
Stealthy implants, kernel/BPF techniques & persistence
- BPFDoor‑derived implants (icmpShell/httpShell and Rapid7 variants) use custom BPF filters, protocol sniffing and tunneled C2 to achieve stealthy shells; notable artifacts include RC4 key “icmp” and ICMP seq 1234 — BPFDoor variants whitepaper
- ReflectPulse (Mythic Likho) loaders extract/encrypt configs, XOR‑repack parameters and can wait for encrypted agent modules from C2 to hinder memory forensics — ReflectPulse / Mythic Likho loader analysis
Vulnerabilities, 0‑days & active exploitation
- Check Point discovered a TrueConf 0‑day (CVE‑2026‑3502) abused in “Operation TrueChaos” to push Havoc to Southeast Asian government targets via the product update mechanism — TrueConf 0‑day (TrueChaos)
- Weekly vulnerability highlights include critical RCEs across AI frameworks, VMware, Kubernetes, EV charging and ICS (notable: Wazuh, Cisco FMC, Langflow deserialization); broadened attack surface increases exploitation risk — Week in vulnerabilities
Detection, analytics & platform updates
- Elastic’s Higher‑Order Detection Rules correlate alerts across entities and telemetry (endpoint, network, observability) to reduce triage noise and surface higher‑confidence incidents — Higher‑order detection rules (Elastic)
- Microsoft Security Copilot / Defender coverage now includes hunting/detections for cookie‑controlled PHP webshells, cron persistence and hosting‑panel abuse to accelerate webshell triage — PHP webshell tradecraft & Copilot coverage
- Validin beta Webhooks enable real‑time, HMAC‑signed YARA event delivery to Slack or custom endpoints for automated workflows and threat alerts — Validin Webhooks (beta)
Abuse of legitimate platforms & tracking infrastructure
- Keitaro tracking platform is widely abused for spam/malvertising and traffic distribution (cloaking, conditional redirects, stolen licenses); researchers published domains, IPs and cookie signatures for detection — Keitaro abuse & TDS findings
- Using nulled/cracked WordPress plugins remains a high‑risk vector: pirated plugins often include backdoors/malware and break update paths; remove them and replace with legitimate alternatives — Risks of nulled WordPress plugins