Cybersecurity Threat Research ‘Weekly’ Recap. This week’s coverage spans supply-chain and DevOps attacks, credential-harvesting phishing, and exploitation of widely used software to steal tokens, deploy backdoors, or monetize access. It also highlights nation-state and fraud ecosystems, alongside Windows and macOS tradecraft that focus on evasion, persistence, and stealthy command-and-control.
#MiasmaMiniShaiHulud #GuardDog3 #Klue #Salesforce #Gong #OpenClaw #OperationDragonReturn #DcRAT #STOCKSTAY #Turla #Gamaredon #CLSTA1062 #TinyRCT #AWSConsoleAiTM #EvilTokens #DCloudUniApp #GhostStadium #BackdoorMistic #Edgecution #StrikeShark #SharkLoader #OXLOADER #CASTLESTEALER #QuimaRAT #COMAbuse #Qakbot #Attor #macOSGaslight #AsynRAT #OperationEndgame #StealC #Amadey #MicrosoftEntra #NestedAppAuthentication
Supply Chain, Package Poisoning, and DevOps Theft
- Miasma Mini Shai-Hulud compromised npm and Go packages to steal developer and CI/CD secrets via GitHub Actions abuse and hidden payloads.
- GuardDog 3.0 revamped package malware detection with YARA, sandboxing, and broader support for npm, PyPI, and Go scanning.
- Klue supply chain compromise exposed Salesforce and Gong tokens, enabling CRM data theft and extortion.
- OpenClaw AI marketplace abuse showed malicious skills can become a new supply chain vector for infostealers and financial fraud.
Espionage, APTs, and Nation-State Operations
- Operation DragonReturn used a fake Indian tax utility and DcRAT to spy on finance and tax targets in India.
- STOCKSTAY expanded Turla's espionage toolkit with a .NET backdoor aimed at Ukraine and Europe.
- Gamaredon remained aggressive against Ukrainian government and military targets, increasingly using legitimate services and cloud storage for C2 and exfiltration.
- CL-STA-1062 targeted Southeast Asian governments and critical infrastructure with web shells, open-source tools, and the TinyRCT backdoor.
- Nation-state activity against water and wastewater systems highlighted OT exposure, weak credentials, and IT/OT segmentation gaps as persistent strategic risks.
Phishing, Credential Theft, and Account Takeover
- AWS console AiTM phishing harvested credentials and MFA codes in real time, with SendGrid-themed lures and gated targeting logic.
- EvilTokens hid Microsoft 365 takeover flows with browser-side AES-GCM decryption to evade static analysis.
- Fake domain renewal emails used countdown pressure and redirect chains to trick site owners into paying scammers.
- Income tax themed phishing pushed staged malware through fake government portals and archive-based payloads.
- WhatsApp VBScript lures silently installed ManageEngine Endpoint Central for remote access across multiple countries.
Exploitation, Backdoors, and Ransomware Access
- Langflow CVE-2026-55255 was actively exploited for IDOR-based token theft, while CVE-2026-33017 drove the main monetization path.
- Langflow CVE-2026-33017 was also used to deploy a cryptomining toolchain that disabled defenses and spread via reused SSH keys.
- Cisco Catalyst SD-WAN Manager CVE-2026-20245 was exploited for root access after rogue peering and password manipulation, followed by heavy cleanup.
- Backdoor.Mistic emerged as a stealthy backdoor tied to broader access-broker activity and opportunistic multi-sector intrusions.
- Payouts King-linked actors used the Edgecution browser extension to deliver a Python backdoor via Microsoft Edge native messaging.
- StrikeShark used SharkLoader to deliver Cobalt Strike Beacon through public-facing app exploitation and DLL sideloading.
- OXLOADER distributed CASTLESTEALER via malicious Google Ads and staged files with strong anti-analysis features.
- QuimaRAT surfaced as a cross-platform Java-based MaaS RAT for Windows, macOS, and Linux.
Scams, Fraud, and Fake Ecosystems
- DCloud Uni-App powered a massive scam ecosystem with fake exchanges, wallet drainers, and phishing domains tied to multiple shell companies.
- GHOST STADIUM built a FIFA 2026 ticket-fraud phishing network using more than 300 domains and a pixel-perfect fake site.
Windows Tradecraft and Analyst Evasion
- COM abuse remains a core Windows technique for execution, persistence, WMI access, and BITS transfers, with malware families like Qakbot and Attor using it heavily.
- macOS.Gaslight used a Rust backdoor, Telegram C2, and a prompt-injection payload to mislead LLM-assisted analysis.
- AsynRAT was deployed in an AI-hype lure campaign using staged scripts, scheduled tasks, and disguised system artifacts.
Operations, Disruption, and Defense Research
- Operation Endgame disruptions hit the StealC ecosystem, seizing millions of credentials and impacting infrastructure tied to StealC and Amadey.
- Microsoft Entra Conditional Access bypass research showed Nested App Authentication could mint Graph tokens, later patched by Microsoft.