The findings highlight a growing supply chain risk in agent ecosystems, where skills serve as reusable components that can execute code and influence model behavior.

The Trail of Bits research shows that attackers can evade detection mechanisms using simple obfuscation and packaging tricks rather than advanced exploitation techniques.

In one case targeting ClawHub, researchers inserted over 100,000 newline characters to push malicious code beyond the scanner’s inspection window.

This caused truncation in the analysis pipeline, allowing harmful logic to pass undetected while also confusing integrated scanning engines such as VirusTotal’s Code Insight.

ClawHub, Cisco, Vercel Skill Checks Bypassed

Further testing against Cisco’s open-source skill-scanner and Vercel’s skills.SH integrations revealed additional weaknesses. These platforms rely on a mix of static analysis, pattern matching, and LLM-based inspection.

However, Trail of Bits researchers found these defenses can be bypassed when malicious content is hidden in less obvious formats, such as compiled Python bytecode (.pyc) or archive-based files like..docx.

One demonstrated attack involved a seemingly benign text-formatting skill that included precompiled Python bytecode.

While the visible source code appeared harmless, the bytecode secretly extracted environment variables, enabling potential data exfiltration.

Because scanners focused primarily on readable source files, the malicious payload remained undetected and was classified as safe.

Another effective technique used indirect execution paths. A skill instructed the AI agent to retrieve operational logic from a document containing a hidden script.

This method bypassed both signature-based detection and LLM reasoning, as the malicious behavior was not directly exposed in the primary skill definition.

Trail of Bits Researchers also successfully used prompt injection to manipulate LLM-based scanners. In one example, a skill disguised a malicious package registry configuration as a standard enterprise setup.

By framing the behavior as a legitimate corporate requirement, the scanner downgraded the risk to low severity. It approved the skill, despite its potential to redirect dependency installations to attacker-controlled infrastructure.

These bypasses underscore fundamental limitations in current scanning approaches. Static analysis struggles with complex or hidden file formats. At the same time, LLM-based systems can be misled by persuasive or contextually framed instructions.

Additionally, constraints such as limited context windows and selective file inspection create blind spots that attackers can exploit repeatedly.

The issue is compounded by the rapid growth of public skill marketplaces, where users can install third-party skills with minimal verification.

Unlike curated environments, these platforms often prioritize usability and speed over rigorous security controls, increasing exposure to malicious uploads.

Trail of Bits researchers conclude that automated scanning alone is insufficient to secure AI skill ecosystems.

They recommend adopting traditional supply chain security practices, including curated repositories, strict access controls, and version pinning.

Until stronger safeguards are developed, organizations are advised to treat all public AI skills as untrusted code and avoid deploying them in sensitive environments.

The post ClawHub, Cisco, Vercel’s Malicious Skill Detector Bypassed to upload Malicious Skills appeared first on Cyber Security News.

The platform enables Claude, GPT, VS Code Copilot, Cursor, and any MCP-compatible AI agent to autonomously orchestrate penetration testing workflows, vulnerability discovery, and enterprise evasion payloads, replacing days of manual tooling with minutes of AI-driven analysis.

HexStrike AI operates as a FastMCP server that bridges large language models (LLMs) with a curated arsenal of offensive security tools.

The architecture positions an Intelligent Decision Engine as the orchestration brain, analyzing targets, selecting optimal tooling, and executing multi-phase assessments without requiring constant human direction.

The platform supports six AI client integrations out of the box: Claude Desktop, Cursor, VS Code Copilot, Roo Code, 5ire (partial), and any standards-compliant MCP agent.

BOAZ Red Team Integration

The most operationally significant addition in this fork from Muhammad Osama, Yenn503, and Aoxley is the full integration of BOAZ (Bypass, Obfuscate, Adapt, Zero-Trust) developed by Thomasxm, an open-source multilayered AV/EDR evasion framework.

BOAZ is wired into HexStrike through five dedicated MCP tools and transforms the platform from a scanning engine into a complete red team payload pipeline.

The BOAZ workflow within HexStrike follows a defined payload pipeline: MSFVenom generation → entropy analysis → BOAZ evasion layer → enterprise-grade stealth binary.

127- Security Tools Arsenal

HexStrike ships with 127 classified security tools, of which 53 are auto-installed via install/install_all.sh and the remaining 74 require manual installation due to licensing constraints, specialized dependencies, or platform-specific requirements.

Manual installation targets tools with broader enterprise impact: wireless (aircrack-ng, kismet), cloud auditing (kube-hunter, scout-suite, checkov, terrascan, falco), web proxy (Burp Suite, ZAProxy), and OSINT platforms (Maltego, Censys-CLI).

Full installation requires approximately 24 GB of disk space and 60–90 minutes of compile time the bulk attributable to building the LLVM-based Akira and Pluto obfuscators from source (~30 minutes each). The fork is available to clone from GitHub.

HexStrike AI explicitly scopes legitimate use to: authorized penetration testing engagements with written permission, bug bounty program participation within defined scope, CTF competitions, and red team exercises with organizational approval.

Unauthorized testing, data exfiltration, and malicious activities are explicitly prohibited in the project documentation.

Check Point Research previously highlighted the dual-use risk of LLM orchestration frameworks like HexStrike, noting that the same abstraction layer that makes the tool powerful for defenders can direct offensive capabilities at scale with minimal human oversight a risk vector that security teams must account for in their defensive posture.

The post HexStrike AI RED-TEAM With 127 Security Tools and BOAZ Red Team Integration appeared first on Cyber Security News.

Instead of obvious phishing pages, these sites look almost identical to real project portals, complete with professional designs and links pointing to actual GitHub repositories.

The moment a user clicks the download button, something very different happens behind the scenes.

Rather than getting the software they came for, victims are silently routed through a hidden traffic-filtering layer known as a Traffic Distribution System, or TDS.

This system acts as a gatekeeper, deciding which users get redirected to malware and which receive a harmless file. It screens for location, browser type, VPN usage, and whether a security researcher might be watching, making it extremely difficult to detect or catch in the act.

Analysts at Check Point Research investigated this large-scale campaign and found that the fake sites load a JavaScript script hosted on Amazon’s CloudFront network.

This script intercepts the very first download click and quietly hands the user off to the TDS, with no visible sign that anything unusual has occurred.

Check Point said in a report shared with Cyber Security News (CSN) that the operation specifically targets tools trusted by security professionals, including Ghidra, dnSpy, and SpiderFoot.

The campaign has been active since at least December 2025, with recorded malware delivery confirmed from early January 2026. VirusTotal telemetry shows more than 5,000 submissions tied to related samples, and researchers note the real exposure is likely much higher.

The fact that the impersonated tools are used daily by security researchers makes this campaign particularly alarming, since it targets the very people trained to spot these threats.

Three distinct malware families serve as the final payloads. RemusStealer is a newly emerged infostealer targeting data from more than 20 browsers, including cryptocurrency wallets, password managers, and two-factor authentication tools.

AnimateClipper silently monitors the clipboard and swaps copied wallet addresses with attacker-controlled ones, potentially redirecting real funds without the victim ever realizing it.

A third payload named SessionGate is a multi-stage loader with heavy obfuscation and one-time-key delivery that makes it extraordinarily difficult for analysts to examine.

Hackers Impersonate Ghidra, dnSpy, and SpiderFoot

More than 100 active fake websites have been identified in this cluster, all sharing the same CloudFront-hosted scripts and campaign identifiers.

Sites like ghidralite[.]com and dnspy[.]org appear near the top of Google results for relevant queries, lending them a false sense of authority.

When a user hovers over the download button, the browser status bar even shows a real GitHub URL, so cautious users may not notice anything is wrong.

The JavaScript loaded by these pages listens for the user’s first interaction and intercepts it before normal navigation can proceed. On Chrome it captures a mousedown event; on Firefox it uses a click event.

It then generates a TDS runtime URL, redirects the user silently, and cancels the original navigation entirely. The victim ends up somewhere completely different from where they intended, and the whole process is invisible.

SessionGate: Built to Resist Every Analyst

Among all payloads found, SessionGate stood out for how aggressively it resists analysis.

The initial downloaded file is a 7-Zip archive around 20 MB, but the actual executable inside is only 15 MB, with the remaining 5 MB being obfuscated loader code designed to break tools like IDA’s decompiler.

Functions can exceed 500 KB in size, and encrypted strings are placed inside code regions to confuse disassemblers further.

The decryption key for the final payload stage is generated server-side and released only once per victim session. If a researcher tries to replay the chain from a different IP address, the server returns a valid-looking but useless key, making the payload completely unreadable.

Security teams are strongly advised to download software exclusively from official project pages or verified repositories, verify file hashes after downloading, and actively monitor outbound connections to the C2 domains and infrastructure identified in this campaign.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites appeared first on Cyber Security News.

The campaign hit dozens of packages across multiple maintainer accounts in a rolling wave that lasted less than two hours, making it a fast and highly efficient supply chain strike.

The attack compromised 57 npm packages across more than 286 malicious versions on June 3, 2026. The largest target was @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with over 408,000 monthly downloads, struck first at 23:30 UTC on that day.

Within an hour, more than 50 additional packages belonging to the maintainer jagreehal were also poisoned, including ai-sdk-ollama, which counts more than 120,000 monthly downloads.

Researchers at StepSecurity identified and analyzed the full attack chain, naming the technique “Phantom Gyp.”

StepSecurity report, shared with Cyber Security News (CSN), explains how the attacker exploited a 157-byte binding.gyp file to trigger code execution during installation, completely sidestepping the preinstall and postinstall lifecycle checks that most security scanners are built to catch.

The payload is a new variant of the Miasma worm, a self-spreading supply chain malware family that had already hit 32 packages under the @redhat-cloud-services npm namespace just two days earlier.

The attacker left a taunt in 195 GitHub repository descriptions, a reversed string that decodes to “Shai-Hulud: Here We Go Again,” a direct reference to StepSecurity’s prior Red Hat analysis. This attack is not random; it is calculated and persistent.

binding.gyp Supply Chain Attack

The binding.gyp method works because npm automatically runs node-gyp rebuild when it spots that file, treating it as a signal the package contains native C or C++ code.

The attacker embedded a shell command using gyp’s own command substitution syntax, silently launching a malicious payload while returning a fake source filename so the build shows no errors. Tools that only scan package.json for install scripts see nothing suspicious at all.

The malicious root index.js weighs 4.5 MB while the legitimate package entry point is only 27 KB, a size gap that should raise immediate suspicion.

The payload is buried under four layers of obfuscation including a ROT cipher, AES-128-GCM encryption, and a runtime-switching trick that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js.

This clever move specifically evades security tooling that only monitors Node.js process activity.

Credential Theft, Worm Propagation, and AI Backdoors

Once active, the malware operates as a comprehensive credential harvester purpose-built for CI/CD environments, targeting AWS keys, GCP credentials, Azure tokens, HashiCorp Vault tokens, GitHub Actions secrets, and 1Password vaults.

It scrapes GitHub Actions runner memory directly to pull masked secrets out in unmasked form, the same technique observed in the TanStack compromise from May 2026. Stolen credentials are encrypted and uploaded to programmatically created repositories under the attacker-controlled GitHub account liuende501.

The worm does not stop at stealing credentials. It uses stolen npm tokens to enumerate every package a compromised maintainer owns, inject the binding.gyp payload into each one, and republish with forged SLSA provenance and Sigstore signing.

This makes reinfected packages appear fully legitimate even to tools specifically designed to verify supply chain integrity.

The malware also injects backdoor configuration files into AI coding assistants like Claude Code, Cursor, and Gemini, so every AI-assisted suggestion inside a poisoned project could be quietly influenced by the attacker.

StepSecurity advises teams to immediately audit repositories and CI pipelines for any affected packages, treating all credentials from compromised environments as stolen and rotating them right away.

Teams should also look for injected AI assistant files such as .claude/setup.mjs, .cursor/rules/setup.mdc, and .vscode/setup.mjs in their project repositories.

Blocking outbound network access to github.com/liuende501 and the Bun download endpoint is strongly recommended as an immediate containment measure.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts appeared first on Cyber Security News.

The campaign, dubbed Operation FlutterBridge, marks a sharp escalation in tactics from financially motivated attackers who have been active since at least 2023.

The malware at the center of this campaign is called FlutterShell, a backdoor built using Google’s Flutter framework. It is designed to look and feel like a real application while quietly running malicious code in the background.

What makes FlutterShell particularly dangerous is that it goes beyond basic spying. It gives attackers full remote control over the infected system, including the ability to execute commands, read and write files, and steal sensitive data.

Researchers from Unit 42, the threat intelligence division of Palo Alto Networks, identified and tracked this campaign under the activity cluster CL-CRI-1089.

Unit 42 said in a report shared with Cyber Security News (CSN) that the attackers have been spreading malware via malvertising since at least 2023, targeting both Windows and macOS users through separate, ongoing operations.

The campaign uses hundreds of verified Google Ads accounts tied to shell companies to distribute the malware at scale.

Ads were crafted to appear legitimate and reached a broad global audience, with a focus on English-speaking countries and Western European markets including France and Germany. Google confirmed it suspended the advertiser accounts after being notified by Unit 42.

What sets FlutterBridge apart from earlier operations is how aggressively the attackers adapted.

When one shell company, AdsParkPro LTD, was removed from Google Ads in January 2026, the actors resurfaced just two weeks later under a new verified account and released a fresh malware variant.

Hackers Use Malicious Ads

FlutterShell uses a clever architecture that keeps its malicious code off the device entirely. Instead of embedding harmful instructions in the app binary, the malware loads a remote webpage through a built-in browser component called a WebView.

That webpage contains the actual attack logic, sent as commands over a channel named flutterInvoke. This design lets attackers change what the malware does at any moment, without updating the app itself.

Three distinct versions of FlutterShell were identified during the investigation. The first posed as a podcast player called PodcastsLounge, while the two later versions appeared as PDF viewers named PDF-Brain and PDF-Ninja.

All three were fully functional applications, making it extremely hard for users to notice anything suspicious. At the time of analysis, all three had zero detections on VirusTotal and had passed Apple’s notarization process with valid developer IDs.

Once installed, the malware fingerprints the machine and then targets Google Chrome. It modifies Chrome’s settings file to redirect every new tab and search query to an attacker-controlled site loaded with ads.

The process is completely silent and users see no warning. The PDF-Brain and PDF-Ninja versions also weaponized an AI summarization feature, secretly routing document content through attacker servers before delivering results to the user.

The Evolving Infrastructure Behind CL-CRI-1089

The shell companies powering this ad campaign showed clear signs of fraud infrastructure. All had minimal online presence, templated websites, and were led by Ukrainian nationals with no verifiable professional history.

Investigators found the companies were registered roughly a year before their first ad spend, a tactic to age the accounts and slip past early fraud detection filters.

The connection to earlier campaigns ran deep. FlutterShell shares its core command structure with a previously documented macOS malware called JSCoreRunner, including functions for executing commands, reading files, and listing directories.

The key difference is that JSCoreRunner embedded its logic statically in the binary, while FlutterShell retrieves it dynamically, making detection far more difficult.

Security teams are advised to block the known C2 domains and monitor for suspicious changes to Chrome’s Secure Preferences file.

Watching for the IOPlatformUUID fingerprinting command and unexpected Chrome process restarts with custom launch arguments can help identify infected systems before further damage is done.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems appeared first on Cyber Security News.

The attackers use SEO poisoning to push a spoofed Anthropic install page to the top of search results. Once a user lands there, the trap is set.

The campaign is designed for a very specific audience. Rather than targeting IT professionals, it goes after first-time developers and non-technical users excited about a new tool.

These users have no baseline for what a real installation process looks like, making them more likely to follow instructions without question. The delivery chain is six stages deep and almost entirely fileless after the first step.

Analysts from Cyderes, through their threat research unit Howler Cell, identified this active SEO poisoning campaign targeting users searching for Claude Code installation guides.

According to Cyderes report shared with Cyber Security News (CSN), attackers placed a spoofed Anthropic install page at the top of search results and used a ClickFix lure to execute a malicious MSHTA command via the Windows Run dialog.

The final payload is a reflective .NET infostealer that beacons to Russian infrastructure for credential exfiltration.

The consequences of a successful infection are serious. Stolen credentials, drained accounts, and compromised identities are among the real-world outcomes Howler Cell flagged in their analysis.

Many victims have no enterprise security controls between them and a spoofed download page. Anthropic is not compromised and its brand is simply being impersonated.

What makes this campaign stand out is the deliberate targeting logic. Operators tracked Claude Code’s rapid adoption and turned it into an attack surface.

The delivery chain was engineered to defeat file inspection, AMSI scanning, EDR telemetry, sandbox analysis, and IOC matching at every layer.

Hackers Use Fake Claude Code Install Page

The attack starts when a user searches for “Claude Code install” and clicks what looks like a legitimate Anthropic setup page.

The page instructs the visitor to open the Windows Run dialog and paste a pre-staged mshta.exe command, framed as a required step.

This is the ClickFix method, a social engineering technique that disguises attacker-controlled MSHTA commands as routine setup steps.

Stage 1 begins when mshta.exe retrieves a 6.7 MB MP3/HTA polyglot payload from download.version-516[.]com/claude.

This file passes as playable audio during security scans while hiding an executable HTA script block inside.

When mshta.exe processes the file, it skips the audio and runs the hidden script. Security tools inspecting the file header see a legitimate MP3, not a threat.

Stage 2 uses the HTA to register a scheduled task via a COM object, spawning a 32-bit PowerShell process. Targeting the 32-bit binary is intentional because EDR coverage is often weighted toward 64-bit activity.

The script performs an AMSI bypass, RC4 decryption, and victim fingerprinting via an MD5 hash of the machine and username. Stage 3 fetches a 17 MB obfuscated script in memory from a unique subdomain on oakenfjrod[.]ru, leaving nothing on disk.

Reflective .NET Infostealer: Fileless and Hard to Catch

The final stage is a reflective .NET infostealer that runs entirely within the existing PowerShell process address space. It leaves no file artifact, spawns no new process, and creates no image-load event for defenders to anchor on.

The loading method mirrors techniques used by advanced tools like Cobalt Strike, but executed fully from PowerShell.

The infostealer beacons over HTTPS to 185[.]177[.]239[.]255:443 for command and control and credential theft. SensitiveFileRead telemetry confirmed browser credential store access during execution.

EDR platforms with .NET assembly load visibility can detect this where file-based controls cannot. Defenders should treat any Claude Code install page prompting a Run dialog paste as a likely infection event.

Blocking mshta.exe outbound HTTPS connections covers Stage 1 regardless of obfuscation. DNS queries to any subdomain of oakenfjrod[.]ru are a strong compromise indicator, and wildcard domain blocking is far more effective than per-subdomain IOC matching.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer appeared first on Cyber Security News.

The attack is built to spread itself through trusted developer workflows, making it one of the more sophisticated supply-chain threats seen in recent years.

The malware travels inside packages that look completely legitimate at first glance. Attackers republished several npm packages from a compromised account, slipping a hidden Linux binary into each one.

The moment a developer runs npm install, the binary executes automatically, with no extra steps required. There is nothing to click and nothing to approve.

Security analysts at JFrog said in a report shared with Cyber Security News (CSN) that IronWorm is a custom-built, Rust-based infostealer that scrapes every secret it can find on a developer’s machine, hides behind a kernel-level rootkit, and communicates with its operator through the Tor network.

The campaign was caught in the wild and appeared to target software developers, with a particular focus on crypto and web3 builders.

What makes this threat stand out is how aggressively it spreads. After stealing credentials, IronWorm uses them to push backdated commits into the victim’s GitHub repositories, planting malware into other packages.

Those infected packages then get published to npm, where they can infect the next developer who installs them. The attack essentially uses the victim’s own identity to continue spreading further.

The scale of the campaign is notable too. Researchers found 57 backdated malicious commits spread across nine GitHub organizations.

Some of those commits were made to look years old by copying the timestamp of the repository’s last real commit, a trick designed to avoid raising suspicion during routine code reviews.

IronWorm Supply Chain Attack Uses Malicious npm Packages

IronWorm hides its malicious binary inside a folder path that most developers would never think to check. The binary is packed using a modified UPX tool, with the standard signature removed to prevent automated unpacking.

Once running, the malware decrypts its internal strings one at a time, using a different key at each location, which makes reverse engineering unusually slow and difficult.

The credential theft is broad and deliberate. The malware scans for 86 different environment variables covering cloud platforms, databases, CI/CD systems, source control tokens, and AI service API keys.

It also reads more than 20 credential file paths from disk, including wallet configs and authentication files from tools that became popular only recently.

One dedicated module targets the Exodus desktop wallet specifically, injecting code that captures the wallet password and recovery phrase at the moment the user unlocks it.

A separate module targets Kubernetes pods, reading service account tokens and dumping every secret it can reach.

The Rootkit and Self-Replication Mechanism

IronWorm carries an eBPF-based rootkit that hides its processes and network connections from standard system monitoring tools. This rootkit operates at the kernel level, rewriting process lists before any monitoring software can see them.

Commands like ps and top return clean results, while the malware continues running in the background. The rootkit also blocks attempts to attach a debugger to the malware process, and trying to do so can crash the shell running the command.

The self-replication through npm is equally well thought out. When the malware runs inside a CI environment, it uses npm’s own Trusted Publishing flow to get short-lived publish credentials.

It never needs a stored token. With those credentials, it publishes a trojanized version of the package to the npm registry just like any normal release would look.

Researchers recommend auditing every repository that a compromised account had write access to, checking for backdated commits, unexpected build hooks, and changes attributed to automation names like dependabot or github-actions outside their usual context.

All API keys and secrets tied to the affected account should be rotated immediately, and malicious package versions should be unpublished with a clear security advisory issued to warn downstream users.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets appeared first on Cyber Security News.

The intrusion ran from October 2025 through at least March 2026, designed entirely around one single goal: stealing the complete contents of one person’s mailbox without raising an alarm.

It is a stark reminder of just how much sensitive intelligence sits inside a single high-ranking inbox. The attackers chose their target with clear intent. A stock exchange executive’s email holds far more than routine correspondence.

It can contain details of upcoming listings, enforcement actions, internal deliberations, calendar schedules, and market-moving events not yet made public.

Months of quiet, uninterrupted access to that kind of data gives an attacker a remarkable window into an organization’s near-term direction without ever touching any other system on the network.

Analysts from Symantec’s Threat Hunter Team, working alongside Carbon Black, identified the campaign and noted that the use of legitimate cloud infrastructure and publicly available tools made attribution to any known threat group impossible. 

Symantec said in a report shared with Cyber Security News (CSN) that the commands and objectives observed throughout the campaign are consistent with espionage as the primary motivation.

The operational discipline on display was considered notable enough to warrant a public disclosure, despite the team’s standard practice of not publishing on single-victim incidents.

What made this campaign especially difficult to catch was how the attackers blended seamlessly into normal traffic. They relied exclusively on cloud services that any legitimate user might interact with daily, hiding their activity inside the kind of network noise that rarely triggers security alerts.

Over five months, they rebuilt persistence on the victim machine multiple times, continuously adapting their techniques to keep access alive.

Stock Exchange Executive’s Outlook Account Targeted

The initial access method was never confirmed, but by October 2025 attackers had already installed two masquerading binaries on the victim’s machine, both running with SYSTEM-level privileges.

The first posed as an Adobe update service (armsvc.exe), while the second impersonated a Microsoft OneDrive component (oneservice.exe). Both ran automatically via scheduled tasks, giving attackers a reliable foothold before the main theft operation ever began.

The core tool was built around Aspose, a legitimate .NET library for reading Outlook data files. Attackers used it to convert the executive’s offline Outlook storage file into a portable format, then quietly moved the output off the machine.

The tool was deployed under three different temporary filenames (ts_9ea0.tmp, ts_e0d5.tmp, ts_e2d5.tmp), all sharing the same file hash.

Starting with emails dating back to August 2025, each extraction run picked up precisely where the last one left off, building a near-complete copy of the entire mailbox over time. (See Figure 1: Attack Chain)

Exfiltration via Legitimate Cloud Infrastructure

The stolen data was funneled out through Dropbox and OneDrive using standard command-line tools that would look entirely normal on most enterprise systems.

For Dropbox, the attackers reused the same application credentials across every session, rotating only the short-lived authorization tokens.

For OneDrive, they bypassed DNS-based filtering entirely by making requests directly to hard-coded Microsoft IP addresses, ensuring no suspicious domain lookups appeared in perimeter logs.

In late November 2025, the attackers briefly tested a third channel by uploading files to a public temporary file-hosting service called temp.sh, but abandoned it after just a few attempts.

The campaign continued evolving through March 2026, when a fresh DLL (te.host.dll) and a new masquerading binary (armdriver.exe) were deployed, confirming the attackers were still active and refining their methods until the very end.

Organizations should monitor carefully for unusual scheduled task creations that use legitimate vendor names as cover, and flag bulk file transfers originating from mail data directories.

Restricting outbound connections to cloud storage APIs and enabling behavioral alerts tied to Outlook storage file access can help surface these long-dwell espionage campaigns before significant damage is done.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials appeared first on Cyber Security News.

The flaw, stemming from insecure deserialization of untrusted data, is now being actively exploited in real-world attacks, raising concerns across eCommerce environments that rely on Magento platforms.

According to CISA, the vulnerability exists in how the extension processes serialized PHP objects received through the CacheWarmer cookie.

An unauthenticated attacker can craft a malicious serialized payload and send it via this cookie, triggering unsafe deserialization on the server.

This behavior allows arbitrary code execution without requiring valid credentials, making it particularly dangerous for internet-facing Magento stores.

Magento Cache Warmer RCE flaw Exploited

The issue has been classified under CWE-502, which covers deserialization of untrusted data, a well-known class of vulnerabilities frequently abused in web applications.

When exploited, attackers can execute system commands, deploy backdoors, or pivot deeper into the hosting environment. Given Magento’s widespread use in enterprise and mid-sized eCommerce deployments, the attack surface is significant.

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, confirming active exploitation.

Federal agencies and organizations are required to remediate the issue by June 6, 2026, under Binding Operational Directive (BOD) 22-01.

While there is currently no public confirmation linking this flaw to ransomware campaigns, the nature of the vulnerability makes it highly attractive for initial access brokers and financially motivated threat actors.

Security researchers note that exploitation attempts may include suspicious HTTP requests containing a manipulated “CacheWarmer” cookie with encoded PHP object payloads.

Indicators of compromise may involve unexpected web server processes, unauthorized file creation within Magento directories, or outbound connections to unknown IP addresses following exploitation.

Logs may reveal abnormal cookie values or repeated requests targeting cache warming endpoints. Organizations using the Mirasvit Full Page Cache Warmer extension are strongly advised to apply vendor-provided patches or mitigations immediately.

If no fix is available, CISA recommends disabling or removing the affected component entirely to eliminate exposure.

Additional defensive measures include implementing web application firewall rules to inspect and block malicious serialized input, monitoring application logs for anomalies, and restricting access to sensitive endpoints.

This incident highlights the continued risk posed by insecure deserialization flaws in modern web applications. As attackers increasingly automate the exploitation of newly disclosed vulnerabilities, timely patching and proactive monitoring remain critical to defending production environments.

Magento administrators, in particular, should review third-party extensions regularly to ensure they meet secure coding standards and do not introduce hidden attack vectors into otherwise hardened systems.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks appeared first on Cyber Security News.

References to claude-oceanus-v1-p began circulating among researchers on June 3, 2026, after the model identifier appeared inside Anthropic’s Claude Console and surfaced through unauthorized API proxy services.

The sightings immediately triggered speculation that Anthropic was advancing toward a broader rollout of a successor to the Claude Mythos line, with red team evaluators reporting access to the new model beginning that same day.

The controlled evaluation was short-lived. Within hours of the model reaching validated red teamers, reports emerged that an unidentified actor had allegedly resold API access to claude-oceanus-v1-p through a Chinese-based proxy service at a premium rate of $16 per million input tokens, a figure significantly above Anthropic’s standard enterprise pricing tiers.

Anthropic’s history with unauthorized proxy abuse is well-documented; earlier in 2026, the company accused Chinese AI labs including DeepSeek, Moonshot AI, and MiniMax of using approximately 24,000 fake accounts to run over 16 million interactions with Claude models through proxy channels.

In response to the Oceanus resale incident, Anthropic reportedly paused model access for the broader red team cohort pending an internal investigation.

Claude Oceanus-v1-p is understood to build directly upon the Claude Mythos Preview foundation, which launched in April 2026 and demonstrated an alarming capability profile for the cybersecurity community.

Mythos Preview, operating under Anthropic’s restricted research track, was assessed by the company’s Frontier Red Team as capable of identifying and exploiting zero-day vulnerabilities across every major operating system and web browser, with Glasswing partners collectively uncovering over 10,000 high or critical-severity vulnerabilities since the program’s inception.

The Turing Institute further noted that Mythos’ red team found vulnerabilities with a recovery rate exceeding 99% across disclosed test cases.

The Oceanus red team evaluation comes on the heels of Anthropic’s June 2 expansion of Project Glasswing its restricted AI cyberdefense initiative to approximately 150 new organizations spanning more than 15 countries, including India, France, Germany, South Korea, and Australia.

The expanded group now includes important infrastructure sectors like power, water, healthcare, and communications. These sectors were not part of the program when it first launched with a focus on Big Tech.

Anthropic stated that a successful cyberattack on most new partner organizations could affect in excess of 100 million people.

Anthropic has stated candidly that Mythos-level capabilities and, by extension, Oceanus-v1-p, will not be cleared for general public release until the company develops “highly robust safeguards to prevent misuse,” acknowledging that such safeguards do not yet exist in the industry.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Anthropic’s Claude Oceanus-v1-p Opens to Red Team Testing, but Distribution is Compromised appeared first on Cyber Security News.