Threat Research | Weekly Recap [05 Jul 2026]

Threat Research | Weekly Recap [05 Jul 2026]
Cybersecurity Threat Research ‘Weekly’ Recap. This week’s coverage highlights ongoing supply-chain and browser-extension abuse, including trojanized Proof-of-Concept repos and PyPI packages, “free VPN” clipboard-stealing extensions, and phishing efforts enabled by LLM-generated phantom domains and messaging lures. Researchers also tracked new and evolving infostealers/RATs (BusySnake, MarkiRAT, Glitch SPY, EKZ Stealer, Umbrij), BYOVD-driven defense-killing intrusion chains, and AI-driven attack techniques such as indirect prompt injection, JADEPUFFER agentic ransomware, and browser-only ransomware methods. #ChocoPoC #ChocoPoCs #ChocoPoC #BusySnakeStealer #ArmoredLikho #MarkiRAT #AsyncRAT #Remcos #TA416 #EKZStealer #CVE-2026-35616 #ToddyCat #Umbrij #JADEPUFFER #Langflow #MySQL #Nacos #Gentlemen #RaaS #BYOVD #StratusRedTeam #MustangPanda

Supply Chain, Repositories & Browser Extensions

  • Trojanized PoC repos and PyPI packages delivered ChocoPoC RAT to target researchers and pentesters via GitHub, PyPI, and Mapbox infrastructure — Don’t Eat The ChocoPoCs
  • Malicious browser extensions posing as free VPNs used staged updates to steal clipboard data and secrets — VPN extensions add clipboard stealers
  • Supply-chain worm activity in npm/PyPI led from CI/CD compromise to AWS Redshift breach and S3/SES abuse — Shai Hulud to Redshift breach
  • LLM-hallucinated “phantom” domains are being registered for phishing and traffic interception in software supply chains — Phantom Squatting

Phishing, Social Engineering & Messaging Abuse

Infostealers, RATs & Backdoors

  • Armored Likho used BusySnake Stealer in phishing campaigns against government and power-sector targets — Armored Likho and BusySnake Stealer
  • MarkiRAT surveillance was pushed through fake Android apps and staged websites targeting Farsi-speaking users — TAG-182 and MarkiRAT
  • Glitch SPY Android RAT was distributed through a fake Polish rental app — Glitch SPY RAT
  • Linux backdoor masquerading as a library targeted iKuai routers with encrypted C2 and task execution — iKuai router backdoor
  • EKZ Stealer followed exploitation of Fortinet EMS, harvesting browser credentials and exfiltrating via PowerShell — CVE-2026-35616 and EKZ Stealer
  • ToddyCat’s Umbrij tool abused Google APIs and browser profiles to steal Gmail OAuth codes and evade detection — ToddyCat hidden email assistant

AI Abuse, Prompt Injection & Agentic Attacks

  • Indirect prompt injection in web content manipulated AI agents via hidden instructions, SEO poisoning, and HTML/CSS tricks — Web content targets AI agents
  • Agentic ransomware used an LLM-driven operator to exploit Langflow, persist in MySQL/Nacos, and encrypt/destroy data — JADEPUFFER
  • Browser-only ransomware leveraged the File System Access API to read, exfiltrate, and encrypt files without a native payload — Browser-only ransomware
  • LLM compaction for malware analysis cut token usage sharply while preserving task quality in long-running workflows — Context Engineering compaction

Ransomware, BYOVD & Defense Evasion

  • BYOVD abuse of signed Windows drivers is increasingly used to kill AV/EDR and support ransomware intrusion chains — BYOVD epidemic
  • The Gentlemen ransomware group expanded with custom backdoors, defense evasion, and Go/C-based ransomware variants — The Gentlemen RaaS
  • Compromise assessments showed long-lived intrusions often missed for months or years, with web shells and LoLBins recurring — Missed incidents and response gaps

Espionage, Surveillance & Influence

  • ADINT ecosystem shows ad-tech mechanisms evolving into geolocation tracking and zero-click intrusion tools — ADINT escalation
  • Pro-Russia influence operations increasingly blend media, hacktivism, and cyber-enabled influence with generative AI — Pro-Russia influence ecosystem
  • Mustang Panda campaigns targeted India’s government and energy sectors with new implants and Zoho WorkDrive abuse — Mustang Panda in India
  • Russia-linked APT activity continued to leverage espionage tooling and long-running tradecraft against strategic targets — Armored Likho / Eagle Werewolf

Cloud & Security Operations

Threat Research | Weekly Recap – hendryadrian.com