<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[CodeAIntel: Threat Intelligence ]]></title><description><![CDATA[The latest Threat Intelligence news! ]]></description><link>https://www.codeaintel.com/s/threat-intelligence</link><image><url>https://substackcdn.com/image/fetch/$s_!kBBb!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd94d629d-2720-4f24-a8bf-c3f5d1a4200f_500x500.png</url><title>CodeAIntel: Threat Intelligence </title><link>https://www.codeaintel.com/s/threat-intelligence</link></image><generator>Substack</generator><lastBuildDate>Sun, 05 Jul 2026 00:25:04 GMT</lastBuildDate><atom:link href="https://www.codeaintel.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Tom]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[CodeAIntel@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[CodeAIntel@substack.com]]></itunes:email><itunes:name><![CDATA[Tom]]></itunes:name></itunes:owner><itunes:author><![CDATA[Tom]]></itunes:author><googleplay:owner><![CDATA[CodeAIntel@substack.com]]></googleplay:owner><googleplay:email><![CDATA[CodeAIntel@substack.com]]></googleplay:email><googleplay:author><![CDATA[Tom]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Avalon Turns Ransomware Into A Framework Problem]]></title><description><![CDATA[The new Avalon reporting is not just about CrownX encryption. 
It shows how credential theft, remote access, recovery pressure, and ransomware can be bundled into one modular intrusion system.]]></description><link>https://www.codeaintel.com/p/avalon-turns-ransomware-into-a-framework</link><guid isPermaLink="false">https://www.codeaintel.com/p/avalon-turns-ransomware-into-a-framework</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Sat, 04 Jul 2026 08:14:24 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!_R4U!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbeec4b01-dbba-4473-b782-abd31d38925f_1693x929.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>The new Avalon reporting is not just about CrownX encryption. It shows how credential theft, remote access, recovery pressure, and ransomware can be bundled into one modular intrusion system.</em></p><p>Avalon is a useful ransomware story because the ransomware is only the last visible stage.</p><p>The sharper signal is the shape of the framework around it: phishing delivery, credential collection, remote access, lateral movement, recovery disruption, anti-forensic cleanup, and then CrownX encryption.</p><p>That turns the incident from an endpoint malware problem into an operating model problem.</p><p>The Hacker News, citing Blackpoint Cyber researchers Nevan Beal and Sam Decker, reports that Avalon is a previously undocumented modular malware framework distributed through a multi-stage phishing chain. 
Its ransomware component is internally named CrownX, but the reporting makes clear that the damage can begin well before the ransom note appears.</p><figure><img src="https://substackcdn.com/image/fetch/$s_!_R4U!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbeec4b01-dbba-4473-b782-abd31d38925f_1693x929.png" alt=""></figure><h2>The Ransom Note Is Late</h2><p>CrownX is the part that makes the intrusion obvious.</p><p>It encrypts files tied to business operations, software development, engineering, data storage, and virtual infrastructure. It also delivers a ransom note with payment pressure and deadline timers, according to the reporting.</p><p>But the important sequence starts earlier.</p><p>Blackpoint's researchers described a spoofed legal document email that directed recipients to a password-protected archive on Proton Drive. The malicious content was placed inside an ISO image rather than attached directly, reducing the chance of detection at the email layer.
A document-themed Windows shortcut inside the mounted image then triggered a staged sequence that eventually deployed Avalon.</p><p>That delivery path matters because it keeps the first move looking like document handling.</p><p><strong>By the time CrownX appears, Avalon has already had the opportunity to collect identity material, establish control, weaken recovery, and reduce visibility.</strong></p><h2>Avalon Wants The Whole Intrusion Surface</h2><p>The Hacker News summary describes Avalon as a framework with credential collection, lateral movement, remote access, recovery disruption, and ransomware execution under one umbrella.</p><p>That is the part worth taking seriously.</p><p>Single-purpose malware asks one defensive question: did the payload run? Avalon asks several at once: what credentials were exposed, what remote access was established, what systems were prioritized, what telemetry was reduced, and whether backup or recovery paths were touched before encryption.</p><p>The reported credential collection is broad. Avalon can harvest browser credentials, cookies, history, and bookmarks from Chromium-based browsers and Firefox. It also targets cryptocurrency wallet applications, collaboration tools, VPN clients, Windows Credential Manager material, SSH known hosts, saved RDP connections, Wi-Fi profiles, and Group Policy Preferences cpassword artifacts.</p><p>That list should not be read as trivia.</p><p>It means response cannot assume the blast radius stops at encrypted files. 
If those data classes were accessible on the affected host, they may become the next access path.</p><figure><img src="https://substackcdn.com/image/fetch/$s_!GaNJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e77611a-4deb-4fcf-be6c-e8ef476ab2c0_1692x930.png" alt=""></figure><h2>The Evasion Layer Is A Visibility Problem</h2><p>The reporting says Avalon includes a defense-evasion subsystem intended to reduce detection and adapt around controls present on the host.</p><p>That does not mean every environment will see the same behavior. It does mean defenders should treat missing telemetry as a signal to investigate, not as comfort.</p><p>Avalon's staged chain reportedly loads an embedded .NET assembly and interferes with Event Tracing for Windows to reduce forensic visibility before downloading the next-stage payload over HTTPS. The framework also includes methods meant to conceal execution from several security tools.</p><p>The practical lesson is simple: do not wait for a clean malware alert to define the incident.</p><p>Look for the pattern around it.
An unusual protected archive, mounted disk-image activity, suspicious shortcut execution, unexpected build tooling behavior, browser credential access, new remote access, recovery interference, and cleanup attempts are more useful together than any single event by itself.</p><p><strong>The sequence is the detection object.</strong></p><p>That is where detection has to be more sequence-aware.</p><h2>Recovery Is Part Of The Attack Path</h2><p>Avalon is not framed only as a theft tool or only as a locker.</p><p>The reporting says the framework can terminate the Volume Shadow Copy Service, delete shadow copies, remove traces of artifacts, and interact with disk structures in ways that could damage partition information, boot records, or other critical areas of the drive.</p><p>Those are recovery-pressure behaviors.</p><p>They are designed to narrow the defender's options before and during the extortion phase. If restoration paths are weakened, the ransom note has more leverage.</p><figure><img src="https://substackcdn.com/image/fetch/$s_!Zz4l!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F255345b7-7b1f-4129-bd37-8aa895d3f54f_1642x958.png" alt=""></figure><p>This is why backup validation cannot be an annual audit item.</p><p>For an Avalon-style intrusion, defenders need to know which backup repositories are reachable from compromised identities, whether shadow-copy deletion or backup-service disruption alerts are working, and whether restore procedures are tested from clean, isolated copies.</p><p>The goal is not to admire the ransomware. The goal is to make the final stage less decisive.</p><h2>The AI Detail Is About Scale, Not Magic</h2><p>The Hacker News article also notes Blackpoint's assessment that Avalon shows signs of AI-assisted development.</p><p>That point is easy to overstate.</p><p>The reporting does not need Avalon to be elegant or novel in every component. The concern is that AI assistance may lower the cost of assembling many useful functions into one workable framework, even when tradecraft and operational security are uneven.</p><p>That is a scale problem.</p><p>If less skilled actors can stitch together credential theft, evasion, remote access, reconnaissance, recovery disruption, and encryption more quickly, defenders should expect more "good enough" intrusion frameworks. They may be messy. They may still be dangerous.</p><p>The control response should stay grounded: harden email and archive handling, restrict execution from mounted disk images and untrusted shortcuts, watch for credential-store access, review remote-access creation, preserve telemetry early, and isolate recovery infrastructure from ordinary domain compromise.</p><h2>The Control Move Is To Connect The Chain</h2><p>Avalon should push teams away from payload-only thinking.</p><p>The question is not just whether CrownX encryption ran. It is whether the environment can see the chain that leads there.</p><p>Start with delivery.
Treat unexpected protected archives and disk-image attachments as high risk, especially when they arrive through legal, invoice, or document review lures.</p><p>Move to identity. Assume exposed browser credentials, cookies, VPN material, saved RDP connections, and collaboration tokens may matter after compromise. Rotate and revoke based on host exposure, not just on confirmed use.</p><p>Then validate visibility. If ETW, endpoint telemetry, logs, or security tooling appear impaired, preserve evidence quickly and widen the timeline.</p><p>Finally, test recovery as an adversary-facing control. Backup repositories, restore accounts, shadow-copy monitoring, recovery environments, and rebuild procedures should be treated as part of the attack surface, not as a separate disaster-recovery worksheet.</p><figure><img src="https://substackcdn.com/image/fetch/$s_!PTa6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0ac0b06-0726-4ae7-a10a-a76daf048908_1691x930.png" alt=""></figure><p>Avalon is not important because every function is new.</p><p>It is important because the functions are packaged together in the
order an extortion intrusion needs them.</p><p>That is the defender's clearest read: stop treating ransomware as the first event. In this case, ransomware is the receipt.</p><h2>Sources</h2><ul><li><p><a href="https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html">The Hacker News: New Avalon Malware Framework Packs CrownX Ransomware Capabilities</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Anubis Shows Why Ransomware Detection Has To Follow Legitimate Access]]></title><description><![CDATA[The latest Citrix Bleed 2 reporting is less about one edge flaw than a familiar chain: valid sessions, RMM tools, credential access, cloud transfer, and pressure before encryption.]]></description><link>https://www.codeaintel.com/p/anubis-shows-why-ransomware-detection</link><guid isPermaLink="false">https://www.codeaintel.com/p/anubis-shows-why-ransomware-detection</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Fri, 03 Jul 2026 08:13:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!nAjd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F705ec9e5-974e-4ecb-b48a-2cc8237ddc4a_1672x941.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>The latest Citrix Bleed 2 reporting is less about one edge flaw than a familiar chain: valid sessions, RMM tools, credential access, cloud transfer, and pressure before encryption.</em></p><p>Anubis is a useful ransomware story because the scary part is not exotic malware.</p><p>The sharper signal is that the intrusion path looks like normal administration until enough pieces line up: an exposed edge appliance, a valid VPN login, remote desktop movement, PsExec service creation, remote management tools, credential access, cloud-transfer utilities, and then ransomware pressure.</p><p><strong>The attack does not need to look strange at the tool level. 
It needs to look coherent at the chain level.</strong></p><p>The Hacker News, citing Arctic Wolf research, reports that Anubis affiliates have exploited Citrix Bleed 2, tracked as CVE-2025-5777, while also using valid VPN credentials in observed intrusions. From there, the activity moved through RDP, SMB, PsExec, legitimate remote monitoring and management tooling, and cloud-transfer utilities before ransomware deployment.</p><p>That is the part defenders should sit with.</p><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!nAjd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F705ec9e5-974e-4ecb-b48a-2cc8237ddc4a_1672x941.png"><img src="https://substackcdn.com/image/fetch/$s_!nAjd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F705ec9e5-974e-4ecb-b48a-2cc8237ddc4a_1672x941.png" width="1456" height="819" alt=""></a></figure></div><h2>The Edge Flaw Is Only The Opening</h2><p>Citrix Bleed 2 matters because it sits at the edge of the environment.</p><p>The flaw affects Citrix NetScaler ADC and Gateway when configured as a Gateway or AAA virtual server, and The Hacker News describes it as a critical issue that can be abused to bypass authentication in affected configurations. 
Arctic Wolf has separately published mitigation guidance for Citrix Bleed 2, including upgrade guidance and session-termination considerations.</p><p>But the Anubis reporting should not be read as a single-vulnerability story.</p><p>Arctic Wolf observed two broad access patterns in the intrusions summarized by The Hacker News: exploitation of Citrix Bleed 2 and valid Cisco AnyConnect VPN logins from hosting networks. The source of those VPN credentials was not confirmed in the reporting. The possibilities named include prior compromise, initial access brokers, credential stuffing, or information-stealer activity.</p><p>That uncertainty is important. <strong>Response cannot stop at "was the appliance patched?"</strong></p><p>If a session token, credential, or VPN account was already useful to the attacker, patching the edge is necessary but incomplete. The live question becomes which sessions, identities, and remote access paths are still trusted because nobody has forced them to prove themselves again.</p><h2>RMM Abuse Is The Camouflage</h2><p>Once inside, Anubis affiliates did not need every step to be custom.</p><p>The Hacker News reports that affiliates abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment. Those tools can be normal in an enterprise. That is exactly why they are useful.</p><p>RDP and SMB activity led into credential access, PsExec service creation, RMM deployment, and cloud-transfer tooling. In selected intrusions, attackers also configured Cloudflare Tunnel, or cloudflared, to establish tunnels into victim environments.</p><p>The defensive problem is not "block all remote administration." 
Most organizations cannot do that.</p><p>The defensive problem is knowing which remote administration is expected, who introduced it, where it is allowed to run, and what else happened around the same time.</p><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cPCN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83b4357f-9a50-499d-a594-b9d3a8b32514_1672x941.png"><img src="https://substackcdn.com/image/fetch/$s_!cPCN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F83b4357f-9a50-499d-a594-b9d3a8b32514_1672x941.png" width="1456" height="819" alt="" loading="lazy"></a></figure></div><p>An RMM install on its own may be explainable. RMM appearing after unusual VPN authentication, followed by credential access, PsExec activity, data staging, and cloud-transfer utilities, is a different signal.</p><p>That is where ransomware detection has to move: away from single-tool suspicion and toward sequence-aware control.</p><h2>Credentials Become The Blast Radius</h2><p>The Anubis reporting keeps returning to credentials because credentials are what turn access into scope.</p><p>After initial access and lateral movement, attackers gathered credentials to deepen the compromise. The Hacker News lists tools such as S3 Browser, rclone, s5cmd, WinSCP, and PuTTY as data-transfer or exfiltration tooling observed before ransomware deployment.</p><p>Those names are not automatically malicious. 
In many environments, they are routine enough to hide in noise.</p><p>The practical question is whether they appeared on the wrong host, under the wrong identity, at the wrong time, moving toward the wrong destination, after an access pattern that already looked abnormal.</p><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HcFw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F059e4c92-a939-440e-aa6d-dfe9c60c73f3_1672x941.png"><img src="https://substackcdn.com/image/fetch/$s_!HcFw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F059e4c92-a939-440e-aa6d-dfe9c60c73f3_1672x941.png" width="1456" height="819" alt="" loading="lazy"></a></figure></div><p>The report also notes steps taken to impair defenses and complicate analysis, including Windows Defender real-time protection disablement, SophosUninstall activity, PCHunter-related artifacts, and log clearing or manipulation across systems. 
In at least one intrusion, an Anubis encryptor was deleted after execution, reducing on-disk evidence for later analysis.</p><p>That makes log preservation part of containment, not paperwork after the incident.</p><p>If the attacker is clearing the trail while staging data and preparing encryption, delayed evidence handling narrows the investigation window.</p><h2>The Wiper Changes The Negotiation Pressure</h2><p>Anubis is not only another affiliate ransomware name.</p><p>The Hacker News describes Anubis as a ransomware-as-a-service operation that emerged in late 2024 as a rebrand of Sphinx and was formally announced on the RAMP underground forum in February 2025. It also cites Ransomware.Live data showing 91 claimed victims, with 11 reported in June 2026, and notes that more than half were in the United States.</p><p>The operational pressure is sharpened by the wiper feature previously described by Rubrik Zero Labs and summarized in The Hacker News. When the Anubis <code>/WIPEMODE</code> module is activated, files remain in directories but are reduced to zero-byte files, according to that reporting.</p><p>The point is not to dramatize the payload. The point is that recovery assumptions change when an operator can combine data theft, encryption, and destructive pressure.</p><p>Backups, identity resets, evidence preservation, and communications readiness all have to be ready before the ransom note. If the organization discovers the chain only at encryption time, it is already negotiating from a worse position.</p><h2>The Control Move Is Boring And Hard</h2><p>The useful response to this report is not a new panic project. It is disciplined control over the access paths ransomware affiliates are already using.</p><p>Patch and verify NetScaler exposure. Terminate and re-establish relevant sessions where guidance calls for it. Review VPN authentication from hosting networks and unfamiliar geography. Rotate credentials tied to suspicious remote access. 
Restrict RDP, SMB, and PsExec use to known administrative paths. Inventory RMM tools and remove anything unauthorized. Preserve logs early. Review cloud-transfer activity on servers that should not be staging data. Rebuild affected hosts from trusted baselines when compromise is confirmed.</p><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lFxz!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ff15096-0ba6-4d13-9a07-51b1a1cd7397_1672x941.png"><img src="https://substackcdn.com/image/fetch/$s_!lFxz!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ff15096-0ba6-4d13-9a07-51b1a1cd7397_1672x941.png" width="1456" height="819" alt="" loading="lazy"></a></figure></div><p>None of that is glamorous. It is also where this class of ransomware becomes visible.</p><p>Citrix Bleed 2 is the headline because edge flaws create urgency. 
Anubis is the more durable lesson because the chain after entry is familiar, legitimate-looking, and repeatable.</p><p>That is the uncomfortable shape of modern ransomware: less cinematic malware, more borrowed administration.</p><h2>Sources</h2><ul><li><p><a href="https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html">The Hacker News: Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials</a></p></li><li><p><a href="https://arcticwolf.com/resources/blog/citrixbleed-2-to-cloudflared-the-tools-and-techniques-behind-anubis-ransomware-attacks/">Arctic Wolf: From CitrixBleed 2 to Cloudflared: The Tools and Techniques Behind Anubis Ransomware Attacks</a></p></li><li><p><a href="https://arcticwolf.com/resources/blog-uk/follow-up-updates-on-actively-exploited-information-disclosure-vulnerability-citrix-bleed-2-in-citrix-netscaler-adc-and-gateway/">Arctic Wolf: Updates on Citrix Bleed 2</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[PolinRider Makes The Package Registry A Developer Compromise Surface]]></title><description><![CDATA[Socket's latest findings show a North Korea-linked campaign spreading hidden loaders across open source ecosystems, with Git history and developer tooling turned into trust gaps.]]></description><link>https://www.codeaintel.com/p/polinrider-makes-the-package-registry</link><guid isPermaLink="false">https://www.codeaintel.com/p/polinrider-makes-the-package-registry</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Thu, 02 Jul 2026 08:13:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!xOsO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0329c83-17bc-4606-8553-a60bcab7f94c_1672x941.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Socket's latest findings show a North Korea-linked campaign spreading hidden loaders across open source ecosystems, with Git history and 
developer tooling turned into trust gaps.</em></p><p>PolinRider is a useful warning because it does not depend on one strange package in one registry.</p><p>According to Socket Threat Research, the North Korea-linked campaign has expanded across npm, Packagist, Go modules, and Chrome extensions, with 162 malicious release artifacts across 108 unique packages and extensions. Socket links the activity to the broader Contagious Interview / Famous Chollima developer-targeting cluster.</p><p>That scale matters. But the sharper point is the tradecraft.</p><p>The campaign is built around a simple operational bet: if attackers can make a compromised repository look normal, the package ecosystem will keep carrying trust downstream.</p><div class="captioned-image-container"><figure><a class="image-link" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xOsO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0329c83-17bc-4606-8553-a60bcab7f94c_1672x941.png"><img src="https://substackcdn.com/image/fetch/$s_!xOsO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0329c83-17bc-4606-8553-a60bcab7f94c_1672x941.png" width="1456" height="819" alt=""></a></figure></div><h2>The Compromise Is Upstream Of The Install</h2><p>Socket says PolinRider activity commonly starts with legitimate GitHub 
repositories. Threat actors modify repositories, hide obfuscated JavaScript loaders, and where they have registry access, publish infected package versions into downstream ecosystems.</p><p>That turns the usual package-risk question inside out.</p><p>Security teams are used to asking whether a dependency is new, abandoned, typo-squatted, or suspiciously named. PolinRider keeps the more uncomfortable case in frame: <em>what if the dependency looks legitimate because it was legitimate before the account or repository was modified?</em></p><p>Socket points to synchronized modification activity across repositories tied to the Xpos587 GitHub account on June 23 at 10:00 UTC. The report frames that pattern as consistent with account-level compromise followed by bulk repository modification, rather than ordinary per-project maintenance.</p><p>From there, the risk can move into package releases. Socket reports malicious Go module releases tied to the Xpos587 case, while also noting that it did not observe corresponding malicious PyPI releases from that maintainer account.</p><p>That distinction is important. Repository compromise is not the same as universal registry compromise. Access boundaries still matter.</p><h2>Rewritten History Breaks The Comfort Signal</h2><p>The most operationally painful part of PolinRider is not only the loader. It is the way the campaign can manipulate the evidence defenders normally trust.</p><p>Socket describes Git history rewriting, including force pushes and anti-dated commits, that can make malicious changes appear older or less suspicious. In affected repositories, the normal file view may show routine-looking commit messages and dates, while the Activity tab exposes more recent force-push activity.</p><p><strong>A clean-looking repository landing page is not a clean bill of health.</strong></p><p>For defenders, that means the review path has to widen. 
Visible commit history, package metadata, and maintainer reputation are not enough when the campaign specifically tries to make recent malicious changes look stale.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!jeIB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!jeIB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!jeIB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!jeIB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!jeIB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!jeIB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1270276,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204588261?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!jeIB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!jeIB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!jeIB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!jeIB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae27758c-eb49-4d00-a333-3ebf12e78ee2_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The practical inspection set is more specific: repository activity logs, release timestamps, registry publication history, unusual synchronized updates across projects, and changes to files that can create execution paths inside developer tooling.</p><h2>The Loader Hides Where Developers Do Not Look First</h2><p>Socket reports two primary hiding patterns across observed PolinRider variants.</p><p>Earlier activity hid obfuscated JavaScript in configuration files, including `*config.js` files. More recent variants hid loaders inside fake `.woff2` font files and triggered execution through VS Code task files.</p><p>The point is not that fonts are magically dangerous. The point is that developer environments are full of files that reviewers mentally classify as static, routine, or boring. A fake font file can sit in that blind spot. 
A task configuration can turn that blind spot into an execution path.</p><p>Socket says the `.vscode/tasks.json` pattern can define a hidden task that runs when a folder opens and invokes a fake `.woff2` file with Node.js. After deobfuscation, Socket describes the payload as a JavaScript malware loader that can retrieve encrypted second-stage material from blockchain and public RPC infrastructure, decrypt it with embedded XOR keys, and execute the result.</p><p>That is enough detail for a defender to know where to hunt. It is not a reason to publish a playbook for misuse.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Asvk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Asvk!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Asvk!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Asvk!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Asvk!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Asvk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/55675a49-972d-444c-898d-b96afb8997bd_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1000233,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204588261?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Asvk!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Asvk!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Asvk!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Asvk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F55675a49-972d-444c-898d-b96afb8997bd_1672x941.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Socket says observed follow-on payloads include DEV#POPPER and OmniStealer. Because the design is loader-based, the safer assumption is not that the campaign is limited to a fixed payload set. 
The safer assumption is that the initial loader gives the operator room to change delivery.</p><h2>Packagist Shows Why Cleanup Can Miss The Second Path</h2><p>Socket also describes recent PolinRider activity in Packagist under the sevenspan namespace, maintained by the 7span organization.</p><p>In that case, maintainers identified part of the compromise and removed fake `.woff2` font files from affected repositories and packages. Socket says the cleanup did not remove all variants: obfuscated JavaScript hidden in configuration files remained present in some affected repositories.</p><p>That is the control lesson.</p><p>If response teams clean only the visible payload family, they may leave the alternate execution path intact. PolinRider uses more than one hiding method, and cleanup has to be based on repository and release behavior, not only one file extension.</p><p>Socket also notes it did not observe corresponding malicious npm releases from the same organization in that case, suggesting the actors may not have had npm publishing access. Again, the boundary matters: compromised repository access, package-manager publishing access, and downstream install impact are related but not identical.</p><h2>Treat Developer Machines As The Blast Radius</h2><p>PolinRider targets the place where source control, package management, local tools, cloud access, and CI/CD credentials overlap: the developer environment.</p><p>That makes response more serious than removing a dependency from a manifest.</p><p>Socket recommends treating environments that installed affected package or extension versions as potentially compromised until reviewed. 
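</p><p>That review needs something concrete to look for. The scanner below is an added example for this article, not Socket's tooling. It walks a checkout or a developer's projects directory, node_modules included, for the two hiding patterns described above: `.vscode/tasks.json` tasks that start on folder open and hand Node.js a file that is not a script, and `.woff2` or `.woff` files whose first bytes are not a font signature. It also flags `*config.js` files that carry obfuscation markers, since the Packagist cleanup missed exactly that second path. The sample tree it builds, the marker thresholds, and the file names are constructed for the example.</p>
<pre>
```python
"""Sweep a checkout or a developer's projects directory for the PolinRider
hiding spots described above. Added example for this article, not Socket's
tooling. Three checks, each a lead for a reviewer rather than a verdict:
  1. .vscode/tasks.json tasks that start on folderOpen and hand node a file
     that is not a script (the fake-.woff2 loader pattern);
  2. .woff2/.woff files whose first bytes are not the W3C font signature
     ("wOF2" / "wOFF"): a script wearing a font extension;
  3. *config.js files with obfuscation markers (runs of \\x or \\u escapes
     plus eval / new Function). Marker thresholds are assumptions.
build_demo_tree() plants constructed samples, not real campaign artifacts.
"""
import json
import os
import re
import shlex
import tempfile
from pathlib import Path
from typing import Dict, List

FONT_MAGIC = {".woff2": b"wOF2", ".woff": b"wOFF"}
SCRIPT_EXT = {".js", ".cjs", ".mjs", ".ts"}
CONFIG_NAME = re.compile(r"config\.[cm]?js$")
OBFUSCATION_MARKERS = (
    re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    re.compile(r"(\\u[0-9a-fA-F]{4}){8,}"),
    re.compile(r"\beval\s*\(|new\s+Function\s*\("),
)


def load_jsonc(text: str) -> dict:
    """tasks.json may carry comments and trailing commas; strip them first."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(re.sub(r",\s*([}\]])", r"\1", text))


def suspicious_tasks(tasks_json: dict) -> List[str]:
    """Flag folderOpen tasks whose node invocation targets a non-script file."""
    hits: List[str] = []
    for task in tasks_json.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd, args = task.get("command", ""), task.get("args", [])
        if not isinstance(cmd, str):
            continue  # per-platform command objects are out of scope here
        words = shlex.split(cmd) + [a for a in args if isinstance(a, str)]
        if not words or Path(words[0]).name not in {"node", "node.exe"}:
            continue
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        for w in words[1:]:
            if "." in Path(w).name and Path(w).suffix.lower() not in SCRIPT_EXT:
                hits.append(f"{task.get('label', '?')}: node runs {w}"
                            + (" (terminal hidden)" if hidden else ""))
    return hits


def is_fake_font(path: Path) -> bool:
    """True when the extension claims a font but the signature bytes disagree."""
    with path.open("rb") as fh:
        return fh.read(4) != FONT_MAGIC[path.suffix.lower()]


def looks_obfuscated(text: str) -> bool:
    """Two or more markers: escape-heavy strings plus dynamic code execution."""
    return sum(1 for rx in OBFUSCATION_MARKERS if rx.search(text)) >= 2


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root, node_modules included: an installed package's .vscode/ is
    exactly where a planted tasks.json lands. Only .git is skipped."""
    found: Dict[str, List[str]] = {"tasks": [], "fake_fonts": [], "obfuscated_config": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name == "tasks.json" and p.parent.name == ".vscode":
                try:
                    hits = suspicious_tasks(load_jsonc(p.read_text("utf-8", errors="replace")))
                except ValueError:  # bad JSON, or unbalanced quoting in a command
                    hits = ["unparseable tasks.json"]
                found["tasks"] += [f"{rel}: {h}" for h in hits]
            elif p.suffix.lower() in FONT_MAGIC and is_fake_font(p):
                found["fake_fonts"].append(rel)
            elif CONFIG_NAME.search(name) and looks_obfuscated(p.read_text("utf-8", errors="replace")):
                found["obfuscated_config"].append(rel)
    return found


def build_demo_tree() -> Path:
    """Constructed sample tree: one hit per check, plus clean decoys."""
    root = Path(tempfile.mkdtemp(prefix="polinrider-hunt-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(
        '{\n  // looks like lint plumbing\n  "version": "2.0.0",\n  "tasks": [\n'
        '    {"label": "lint-check", "type": "shell", "command": "node ./assets/fonts/icons.woff2",\n'
        '     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"}},\n'
        '    {"label": "build", "type": "shell", "command": "node ./scripts/build.js",\n'
        '     "runOptions": {"runOn": "folderOpen"}},\n  ],\n}\n')
    fonts = root / "assets" / "fonts"
    fonts.mkdir(parents=True)
    (fonts / "icons.woff2").write_bytes(b"(function(){var s='';eval(s)})();")  # script, font name
    (fonts / "real.woff2").write_bytes(b"wOF2" + bytes(40))
    (root / "vite.config.js").write_text(
        "export default {};\nvar _0x4e2a=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x61'];"
        "eval(atob(_0x4e2a[0]));\n")
    (root / "eslint.config.js").write_text("export default [{ rules: {} }];\n")
    return root


if __name__ == "__main__":
    for kind, hits in scan_tree(build_demo_tree()).items():
        print(kind, hits)
```
</pre>
<p>Point `scan_tree` at a developer's whole projects directory rather than at one repository: the task file that matters may sit under an installed package, not under the project the developer believes they opened. Treat every hit as a lead. A bundler's minified config can trip the obfuscation check, but a `.woff2` file that does not start with `wOF2` rarely has an innocent explanation.</p><p>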
The response sequence is deliberately operational: preserve forensic artifacts where possible, identify developer machines that installed affected versions, remove affected versions, rebuild from known-good lockfiles, rotate exposed secrets from a clean machine, and audit developer workstations and repositories for hidden execution paths.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3fWw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3fWw!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!3fWw!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!3fWw!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!3fWw!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3fWw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1311870,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204588261?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3fWw!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!3fWw!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!3fWw!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!3fWw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0427c34-d9da-4711-be9b-fe0adc72eccc_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>The secret-rotation point deserves emphasis. Rotating from the same potentially infected workstation can preserve the attacker's advantage: a stealer that is still resident can capture the replacement credentials as they are created. The clean host is not a formality. It is the boundary between remediation and re-exposure.</p><p>Security teams should also audit for VS Code tasks configured to run on folder open, commands that invoke unusual file extensions with Node.js, suspicious changes to `.vscode/tasks.json`, `config.js`, `vite.config.js`, `eslint.config.js`, and unexpected activity under font or static asset directories.</p><h2>The Trust Model Needs More Telemetry</h2><p>PolinRider is not only a malicious-package story. It is a trust-model story.</p><p>The visible repository may look normal. The commit date may look old. The package name may have a history. The maintainer account may be real. 
The release may still be malicious.</p><p>That does not make open source unusable. It means dependency security has to become more evidence-led.</p><p>Organizations need dependency review that can connect repository activity, registry release metadata, maintainer-account signals, local developer execution paths, and post-install endpoint telemetry. The most useful signal may not be "this package is bad" in isolation. It may be "this trusted package changed in a way that does not match its normal maintenance pattern, and developer tooling now has a new execution path."</p><p>PolinRider's lesson is blunt: <strong>the package registry is no longer just a software intake point. It is part of the developer compromise surface.</strong></p><h2>Sources</h2><ul><li><p><a href="https://socket.dev/blog/polinrider-north-korea-linked-supply-chain-campaign-expands">Socket: PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems</a></p></li><li><p><a href="https://socket.dev/supply-chain-attacks/polinrider">Socket PolinRider live tracking page</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[The npm Stealer Hid Where Developers Rarely Look]]></title><description><![CDATA[Hijacked packages abused VS Code tasks instead of the usual install hooks. 
That shift matters because it targets developer trust, not only package managers.]]></description><link>https://www.codeaintel.com/p/the-npm-stealer-hid-where-developers</link><guid isPermaLink="false">https://www.codeaintel.com/p/the-npm-stealer-hid-where-developers</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Mon, 29 Jun 2026 13:18:49 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!k8pD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Most malicious package stories start in the same place: install scripts.</p><p>This one does not.</p><p>Security researchers reported that two hijacked npm packages and a related cluster of Go packages were used to deploy a Python-based infostealer across Windows, Linux, and macOS systems. The important part is not only that developers were targeted. That has been true for years.</p><p>The important part is where the execution moved.</p><p>The packages did not lean on the most obvious npm lifecycle hooks. According to JFrog's analysis, the malicious logic hid behind a Visual Studio Code task configured to run when a project folder was opened as a trusted workspace. The payload path was disguised as a font file. The later stages used blockchain transaction data as a dead-drop mechanism before reaching attacker-controlled infrastructure.</p><p><strong>The package manager was not the whole battleground. 
The developer workspace was.</strong></p><p>That is the part security teams should sit with.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!k8pD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!k8pD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!k8pD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!k8pD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!k8pD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!k8pD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1893681,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204111381?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!k8pD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!k8pD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!k8pD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!k8pD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F337f9d5c-259b-4ea0-9fc7-77e6af33c252_1672x941.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h2>The Trick Was Not New Malware. It Was New Placement.</h2><p>The Hacker News reported on June 29, 2026 that researchers had identified two hijacked npm packages, `html-to-gutenberg` and `fetch-page-assets`, along with Go packages carrying the same malware family. JFrog's primary analysis says the affected npm versions were uploaded to npm on May 25, 2026 and later removed from the registry.</p><p>The reporting describes a multi-stage chain. At a high level, the malicious package used a hidden VS Code task named `eslint-check`, a fake font asset, blockchain-based retrieval, a Socket.io backdoor, and a Python infostealer.</p><p>That sounds complicated, but the strategic idea is simple.</p><p>Attackers looked for a path that would feel less suspicious than a package install hook. 
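</p><p>Whether that path actually executes is decided by the editor, not by npm. The function below is an added example for this article, not JFrog's code: it models the gates VS Code puts in front of an automatic task, as this editor reads them, and returns which tasks would fire for a given set of opened folders, trust state, and user settings. The gating rules it encodes (only an opened workspace folder's own `.vscode/tasks.json` is consulted, so a copy nested under node_modules is inert until that package directory is itself opened; nothing runs in an untrusted workspace; and `task.allowAutomaticTasks` must not be `off`, with `on` assumed as the default) and the sample task files are assumptions constructed for the example.</p>
<pre>
```python
"""Model the gates VS Code puts in front of a folderOpen task, so a defender
can ask: would this task file actually have fired on this machine?

Added example for this article, not JFrog's code. The gating rules below are
the editor's reading of VS Code behaviour and are assumptions for the example:
  * VS Code reads .vscode/tasks.json only from an opened workspace folder, so a
    copy nested under node_modules/PKG/ is inert until that package directory
    itself is opened as the workspace;
  * automatic tasks do not run in an untrusted (Restricted Mode) workspace;
  * the user setting task.allowAutomaticTasks ("on" assumed as the default)
    must not be "off".
The task files and settings below are constructed sample data.
"""
import json
import re
from pathlib import PurePosixPath
from typing import Dict, List


def load_jsonc(text: str) -> dict:
    """tasks.json and settings.json may carry comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return json.loads(re.sub(r",\s*([}\]])", r"\1", text))


def folder_open_tasks(tasks_json: dict) -> List[str]:
    """Labels of tasks declared to start automatically when the folder opens."""
    return [
        str(t.get("label", "?"))
        for t in tasks_json.get("tasks", [])
        if (t.get("runOptions") or {}).get("runOn") == "folderOpen"
    ]


def tasks_that_would_run(task_files: Dict[str, str], opened_folders: List[str],
                         trusted: bool, user_settings: str = "{}") -> List[str]:
    """Return 'folder: label' for every automatic task that fires when
    `opened_folders` (posix paths relative to the tree root, "." for the root)
    are opened as the workspace. `task_files` maps tasks.json paths to text."""
    if not trusted:
        return []  # Restricted Mode: tasks are disabled whatever the settings say
    if load_jsonc(user_settings).get("task.allowAutomaticTasks", "on") == "off":
        return []
    fired: List[str] = []
    for folder in opened_folders:
        path = (PurePosixPath(folder) / ".vscode" / "tasks.json").as_posix()
        text = task_files.get(path)
        if text is None:
            continue  # task files elsewhere in the tree are never consulted
        fired += [f"{folder}: {label}" for label in folder_open_tasks(load_jsonc(text))]
    return fired


# Constructed tree: a project with an innocuous tasks.json at its root, and a
# dependency that ships its own tasks.json carrying a folderOpen task.
SAMPLE_TASK_FILES = {
    ".vscode/tasks.json":
        '{"version": "2.0.0", "tasks": [{"label": "test", "type": "shell", "command": "npm test"}]}',
    "node_modules/html-to-gutenberg/.vscode/tasks.json": """{
      "version": "2.0.0",
      "tasks": [{
        // named to look like lint plumbing
        "label": "eslint-check",
        "type": "shell",
        "command": "node ./fonts/main.woff2",
        "runOptions": {"runOn": "folderOpen"},
        "presentation": {"reveal": "never"},
      }],
    }""",
}
# Managed user settings that close the automatic-task path outright.
HARDENED_SETTINGS = '{\n  "security.workspace.trust.enabled": true,\n  "task.allowAutomaticTasks": "off",\n}'

if __name__ == "__main__":
    pkg = "node_modules/html-to-gutenberg"
    print("root opened, trusted:      ", tasks_that_would_run(SAMPLE_TASK_FILES, ["."], True))
    print("package dir, trusted:      ", tasks_that_would_run(SAMPLE_TASK_FILES, [pkg], True))
    print("package dir, untrusted:    ", tasks_that_would_run(SAMPLE_TASK_FILES, [pkg], False))
    print("package dir, tasks off:    ", tasks_that_would_run(SAMPLE_TASK_FILES, [pkg], True, HARDENED_SETTINGS))
```
</pre>
<p>The same function answers the fleet question. With `task.allowAutomaticTasks` set to `off` in managed user settings, the hijacked package's task does not run even when a developer opens the package directory and trusts it; Workspace Trust on its own is the weaker control, because trusting a folder is a one-click habit.</p><p>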
Many defenders know to watch `postinstall` behavior. Many developers have learned to be wary of packages that execute code during install. VS Code tasks live in a different mental bucket. They feel like project plumbing.</p><p>That is why this technique matters.</p><p>It moves execution into the developer's daily environment, where convenience features and trust prompts often decide whether code runs.</p><h2>Trusting The Workspace Became The Decision Point.</h2><p>JFrog notes an important constraint: this is not a magic trigger that recursively runs every nested task file. The task fires when the malicious package directory itself is opened as the workspace and marked as trusted, or when automatic tasks are explicitly allowed.</p><p>That caveat makes the story less sensational and more useful.</p><p>This is not "open any repo and instantly lose the machine." It is a reminder that trust decisions inside development tools have become security controls. Workspace trust, automatic tasks, editor extensions, terminal integrations, and AI coding assistants all sit near sensitive material.</p><p>That material includes Git credentials, cloud tokens, package registry sessions, local environment variables, browser data, password manager artifacts, and source code.</p><p>An ordinary developer workstation can now be a high-value identity system.</p><p>If attackers can reach that workstation through a dependency, an editor task, or a "helpful" project setup path, they are not just stealing a laptop. 
They may be stealing the keys to build pipelines, private repositories, release tokens, and downstream customers.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Kb8W!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Kb8W!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Kb8W!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Kb8W!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Kb8W!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Kb8W!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1313896,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204111381?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Kb8W!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!Kb8W!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!Kb8W!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!Kb8W!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F126bc095-ca56-4d1b-8ee9-66092825329f_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h2>The Infostealer Angle Is The Business Angle.</h2><p>The reported malware targeted browser data, cryptocurrency wallets, password managers, GitHub-related artifacts, VS Code data, OS credential stores, and cloud-storage metadata. Those details should not be read as a shopping list. They should be read as intent.</p><p>This was not a noisy commodity nuisance bolted onto a random package.</p><p>It was pointed at developer identity.</p><p>That is the recurring shape of modern software supply-chain intrusions. The first compromise is often boring: a package, a token, a maintainer account, a build script, a repo setting, a developer endpoint. The second-order effect is not boring at all. 
It can become source-code access, package publishing access, CI/CD abuse, or credential replay into cloud infrastructure.</p><p>The technical novelty here is the VS Code task placement. The operational pattern is older: get close to builders, then use their trust to move.</p><p><em>Developer convenience is becoming attacker infrastructure.</em></p><h2>Why Blockchain Dead Drops Keep Showing Up.</h2><p>The JFrog analysis says the bogus font file used blockchain infrastructure as a dead-drop resolver, including TronGrid with Aptos as a fallback. The point is not that blockchain makes the malware advanced by default. The point is resilience.</p><p>Dead drops let attackers publish small pieces of configuration or routing data in places that are harder to erase quickly than a single domain. The malware can look up where to go next without hard-coding every answer into the package itself.</p><p>For defenders, this changes what "removed from npm" means.</p><p>Package removal is necessary. It is not a full incident boundary.</p><p>If a compromised developer machine already executed a loader, the registry cleanup does not prove the machine is clean. 
If the later-stage infrastructure is still reachable, or if stolen credentials already left the endpoint, the response has to move beyond package inventory.</p><p>That means endpoint review, token rotation, GitHub and package-registry audit logs, CI/CD secret review, and checking whether the developer's local environment had access that should never have lived on a workstation in the first place.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!G1va!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!G1va!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!G1va!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!G1va!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!G1va!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!G1va!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png" width="1456" 
height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1469218,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204111381?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!G1va!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!G1va!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!G1va!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!G1va!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86a4e87d-3e17-47e3-b077-3584df134e77_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p></p><h2>The North Korea Echo Should Be Handled Carefully.</h2><p>The Hacker News notes that abuse of VS Code auto-run tasks combined with fake font files has previously been attributed to North Korea-linked activity, and references OpenSourceMalware's tracking of a "Fake Font" variant associated with the long-running Contagious Interview campaign.</p><p>That does not automatically prove attribution for every package in this case.</p><p>It does tell defenders something practical: developer-targeting campaigns keep reusing the same social and technical pressure points. Fake projects. Trusted tooling. Hidden setup behavior. Credentials and wallets. Backdoors that give the operator time to sort through the machine.</p><p>Attribution is useful when it changes the response. 
Here, the immediate response is already clear without overclaiming who is behind it.</p><p>Treat developer endpoints and build identities as production infrastructure.</p><h2>What I Would Change Before The Next One.</h2><p>The obvious move is to check whether the named packages or related Go packages were present in your environment. That is table stakes.</p><p>The better move is to ask why opening a project folder could ever become a credential-risk event.</p><p>Security teams should review where editor tasks are allowed to run automatically, whether developers understand workspace trust prompts, and whether endpoint controls can flag unusual editor-launched interpreters. Package security controls should look beyond install scripts. Repository intake should include hidden editor configuration, not only application code.</p><p>For build and platform teams, the goal is sharper:</p><ul><li><p>keep publish tokens short-lived and scoped</p></li><li><p>separate human development credentials from release automation</p></li><li><p>monitor package-registry and GitHub activity for impossible or unusual behavior</p></li><li><p>make local secrets harder to steal and less useful when stolen</p></li><li><p>treat a developer infostealer as a potential supply-chain incident, not only an endpoint incident</p></li></ul><p><strong>This is the lesson: malicious packages are no longer only packages.</strong></p><p>They are delivery vehicles into the entire development environment.</p><p>The next defensive boundary is not just npm. 
It is the editor, the workspace, the identity stack, and the build path behind it.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0WVM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0WVM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!0WVM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!0WVM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!0WVM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0WVM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cc88240c-b022-42e5-947c-7024505b8044_1672x941.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1389863,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/204111381?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0WVM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 424w, https://substackcdn.com/image/fetch/$s_!0WVM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 848w, https://substackcdn.com/image/fetch/$s_!0WVM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 1272w, https://substackcdn.com/image/fetch/$s_!0WVM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc88240c-b022-42e5-947c-7024505b8044_1672x941.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p></p><h2>Sources</h2><ul><li><p><a href="https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html">The Hacker News: Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer</a></p></li><li><p><a href="https://research.jfrog.com/post/hijacked-npm-vscode-tasks-blockchain/">JFrog Security Research: Hijacked npm Packages Use Novel VSCode Autorun and Blockchain Dead Drops to Deploy a Credential/Crypto Stealer</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[The Install Command Was the Attack: How “InstallFix” Is Weaponizing Claude Code’s Popularity]]></title><description><![CDATA[Attackers built pixel-perfect clones of Claude Code&#8217;s installation page and bought their way to the top of Google Search. 
The install command you copied wasn&#8217;t from Anthropic &#8212; it was from them.]]></description><link>https://www.codeaintel.com/p/the-install-command-was-the-attack</link><guid isPermaLink="false">https://www.codeaintel.com/p/the-install-command-was-the-attack</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Wed, 11 Mar 2026 16:10:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!MifU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><h3>What Happened</h3><p>Researchers at Push Security have uncovered a new social engineering campaign that exploits one of the most normalized behaviors in modern software development: copying an install command from a webpage and running it in your terminal without reading it.</p><p>The technique is called <strong>InstallFix</strong> &#8212; a deliberate evolution of ClickFix &#8212; and in its current form, it&#8217;s targeting developers searching for <strong>Claude Code</strong>, Anthropic&#8217;s fast-growing agentic CLI tool. Attackers built near-identical clones of the official Claude Code installation page &#8212; same layout, same branding, same documentation sidebar &#8212; and promoted them through <strong>Google-sponsored search results</strong> for queries like &#8220;Claude Code,&#8221; &#8220;Claude Code install,&#8221; and &#8220;Claude Code CLI.&#8221;</p><p>The only difference between the real page and the fake: the install command points to an attacker-controlled server, not Anthropic&#8217;s. One copy, one paste, one Enter key. That&#8217;s the entire attack surface.</p><p>The payload is <strong>Amatera</strong>, a subscription-based infostealer that first appeared in 2025 and is considered the successor to ACR Stealer. 
It&#8217;s sold as a service to criminal operators and targets both Windows and macOS.</p><p></p><h3>Why Claude Code? Why Now?</h3><p>This campaign isn&#8217;t random. Claude Code is, by several measures, the fastest-growing AI developer tool in enterprise environments right now. Push Security co-founder Jacques Louw put it directly: &#8220;I suspect this campaign is targeting Claude Code specifically, because it&#8217;s one of the tools &#8212; if not the tool &#8212; being adopted the fastest across the board.&#8221;</p><p>Attackers follow adoption curves. When a tool reaches the threshold where both experienced engineers and first-time &#8220;vibe-coders&#8221; are Googling how to install it, it becomes a high-value impersonation target. Claude Code crossed that threshold.</p><p>The attack also exploits a specific behavioral vulnerability that has quietly normalized over the last decade: the <strong>curl-to-bash install command</strong>. There was a time when pasting a command from a website into your terminal was considered reckless. That norm has eroded. Legitimate tools &#8212; Homebrew, Claude Code, dozens of others &#8212; ship with one-liner install commands designed to be copied and run. 
Attackers have simply recognized that developers now do this instinctively, without reading what they&#8217;re executing.</p><p></p><h3>The Attack Chain</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!MifU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!MifU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!MifU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!MifU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!MifU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!MifU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png" width="1200" height="800" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:82841,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/190619800?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!MifU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!MifU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!MifU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!MifU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7d8f1e9c-0266-4604-ad71-f18236172e4b_1200x800.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><strong>Stage 1 &#8212; Malvertising</strong></p><p>The fake pages are distributed exclusively through Google Ads. Sponsored search results for Claude Code-related queries surface the cloned installation pages at the top of results &#8212; above the legitimate Anthropic documentation. 
The domains are hosted on infrastructure from <strong>Cloudflare Pages, Squarespace, and Tencent EdgeOne</strong>, all legitimate providers, making the hosting itself look credible.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!IdJY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!IdJY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!IdJY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!IdJY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!IdJY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!IdJY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png" width="1200" height="800" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:64962,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/190619800?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!IdJY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!IdJY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!IdJY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!IdJY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feb08305d-1a0d-4569-b44a-a7bde90c5ca0_1200x800.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p></p><p><strong>Stage 2 &#8212; The Clone</strong></p><p>The fake installation page is a pixel-perfect replica of the real thing. Layout, branding, documentation sidebar &#8212; all present. The only modification is the install command itself, which replaces the legitimate Anthropic endpoint with an attacker-controlled domain. 
Push Security confirmed the C2 domain <strong>claude[.]update-version[.]com</strong> was used to deliver the Amatera payload.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wb2e!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wb2e!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!wb2e!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!wb2e!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!wb2e!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wb2e!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png" width="1200" height="800" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:69414,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/190619800?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wb2e!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!wb2e!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!wb2e!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!wb2e!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32b0387c-a7eb-4f83-a428-b26b21c493a3_1200x800.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p></p><p><strong>Stage 3 &#8212; Platform-Specific Execution</strong></p><p>On <strong>macOS</strong>, the malicious one-liner pulls a second-stage script from an attacker-controlled domain using a base64-encoded payload &#8212; designed to look like noise rather than a readable command string.</p><p>On <strong>Windows</strong>, the command abuses <code>mshta.exe</code> &#8212; a legitimate Microsoft utility for executing HTML applications &#8212; to retrieve the malware and triggers <code>conhost.exe</code> to support execution of the final Amatera payload.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!cNV4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cNV4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!cNV4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!cNV4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!cNV4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cNV4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png" width="1200" height="800" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:89008,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/190619800?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!cNV4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 424w, https://substackcdn.com/image/fetch/$s_!cNV4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 848w, https://substackcdn.com/image/fetch/$s_!cNV4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 1272w, https://substackcdn.com/image/fetch/$s_!cNV4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F30477edd-eaa1-4435-b7b8-df6689b41179_1200x800.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p><strong>Stage 4 &#8212; Amatera: Full Credential Harvest</strong></p><p>Amatera is not a blunt instrument. It targets specifically:</p><ul><li><p>Browser saved passwords, cookies, and session tokens</p></li><li><p>Autofill data</p></li><li><p>Cryptocurrency wallet contents and keys</p></li><li><p>General system profiling data</p></li></ul><p>The session token theft is the critical capability. With active session cookies, attackers can authenticate directly to cloud dashboards, AWS consoles, internal admin panels, CI/CD platforms, and SaaS tools &#8212; without ever needing a password. No phishing required. No MFA prompt triggered. 
The session is already authenticated.</p>
<p>Amatera communicates with its C2 using hardcoded IP addresses belonging to legitimate CDNs, making the traffic nearly impossible to block without also disrupting legitimate services. Its evasion techniques include direct NTSockets for C2 communication, dynamic API resolution with WoW64 Syscalls, and multi-stage infection chains with dynamic payload delivery.</p>
<p><strong>Stage 5 &#8212; The Cover-Up</strong></p>
<p>After infection, the fake page redirects the victim to the legitimate Claude Code site. A developer who followed the instructions and then sees the real Anthropic documentation load normally has no reason to believe anything went wrong. The infection is silent. The redirect is seamless. The attacker moves on.</p>
<h3>This Is Bigger Than One Page</h3>
<p>Push Security identified this as a campaign architecture, not a single incident. Beyond the Claude Code clone, researchers found:</p>
<ul><li><p><strong>Fake Homebrew installation pages</strong> delivering the Cuckoo infostealer using the same copy-paste install command mechanic</p></li><li><p><strong>Malicious npm packages</strong> impersonating Claude Code&#8217;s official package name, targeting developers who trust or mistype a package name</p></li><li><p><strong>Fake Claude artifacts</strong> posted directly to claude.ai&#8217;s own domain &#8212; user-generated content that inherits the domain&#8217;s trust &#8212; containing malicious terminal commands disguised as macOS utilities, promoted via Google Ads and viewed over <strong>15,000 times</strong> before takedown</p></li></ul>
<p>The pattern is structural. Four out of five ClickFix-style lures are now distributed via search engines, according to Push. Any popular tool with a copy-paste install command and a clonable documentation page is a target.</p>
<h3>The Underlying Problem</h3>
<p>The current web security model, as Push frames it, &#8220;boils down to &#8216;trust the domain.&#8217;&#8221; Developers have been trained to validate the URL and trust the content. InstallFix operates entirely within that trust boundary &#8212; the malicious page lives on a clean domain, uses legitimate CDN hosting, and serves content that is visually indistinguishable from the real thing.</p>
<p>The threat is compounded by the democratization of developer tooling. Claude Code, like many CLI tools, is now being installed by non-developers &#8212; product managers, analysts, operators &#8212; who have even less context for evaluating whether an install command looks suspicious. The attack surface is expanding as the tools expand their audience.</p>
<h3>What To Do Now</h3>
<p><strong>For developers and engineers:</strong></p>
<ul><li><p><strong>Never trust Google sponsored results</strong> for CLI tool installation. 
Navigate directly to the official documentation domain &#8212; for Claude Code, that&#8217;s <code>docs.anthropic.com</code>. Treat any sponsored link for a developer tool as potentially malicious.</p></li><li><p><strong>Read the install command before running it.</strong> If the domain in the command isn&#8217;t the official one, stop. The legitimate Claude Code install command points to Anthropic infrastructure &#8212; not to <code>update-version[.]com</code> or any other third-party host.</p></li><li><p><strong>Audit your active sessions.</strong> If you&#8217;ve recently installed Claude Code or any CLI tool via a command copied from a search result, rotate your credentials, invalidate active sessions, and treat your browser credential store as potentially compromised.</p></li></ul>
<p><strong>For security teams:</strong></p>
<ul><li><p>Hunt for <code>mshta.exe</code> spawning unexpected child processes &#8212; a reliable indicator of InstallFix execution on Windows endpoints.</p></li><li><p>Monitor for outbound connections to <code>claude[.]update-version[.]com</code> and flag base64-encoded payloads being piped through curl on macOS endpoints.</p></li><li><p>Treat npm package installs and curl-to-bash commands as execution events worth logging, especially in developer environments with cloud credential access.</p></li></ul>]]></content:encoded></item><item><title><![CDATA[APT37's "Ruby Jumper" Uses USB Drives to Breach Networks That Were Never Online ]]></title><description><![CDATA[North Korea's elite hacking group built a five-tool malware framework specifically engineered to cross the one boundary the internet can't reach &#8212; the physical air gap. A USB drive is now a weapon.]]></description><link>https://www.codeaintel.com/p/apt37s-ruby-jumper-uses-usb-drives</link><guid isPermaLink="false">https://www.codeaintel.com/p/apt37s-ruby-jumper-uses-usb-drives</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Fri, 27 Feb 2026 22:47:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!J6vK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb42bf72f-a75d-49b0-b16b-8ed91b914da3_1600x900.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>What Happened</h3>
<p>In December 2025, Zscaler ThreatLabz uncovered a new campaign by <strong>APT37</strong> &#8212; the DPRK-backed espionage group also known as ScarCruft, Ruby Sleet, and Velvet Chollima. The campaign, named <strong>Ruby Jumper</strong>, introduces five previously undocumented malware tools designed to do one thing: move data and commands between internet-connected machines and systems that have never touched a network.</p>
<p>Air-gapped computers &#8212; the kind used in military installations, nuclear facilities, classified R&amp;D labs, and critical infrastructure &#8212; are isolated at the hardware level. No Wi-Fi. No Ethernet. No Bluetooth. The only way in has always been physical. 
APT37 built an entire automated toolkit around that fact.</p>
<p>The result is a fully operational framework that turns any shared USB drive into a covert two-way command channel &#8212; invisible to network monitoring tools, invisible to cloud security stacks, and nearly invisible to the users carrying the drive between machines.</p>
<h3>The Attack Chain</h3>
<p><strong>Stage 1 &#8212; Initial Access: The LNK File</strong></p>
<p>The infection begins with a malicious Windows shortcut (<code>.LNK</code>) file, APT37&#8217;s signature entry vector. When opened, it silently launches PowerShell and a two-stage shellcode loader. Each stage decrypts the next using a single 1-byte XOR key, injecting code into a legitimate Windows system process to evade detection.</p>
<p><strong>Stage 2 &#8212; RESTLEAF: The First Implant</strong></p>
<p>RESTLEAF establishes the first foothold. It connects to <strong>Zoho WorkDrive</strong> &#8212; a legitimate cloud storage service &#8212; using hardcoded OAuth tokens to authenticate and pull further shellcode. This is the first documented instance of APT37 abusing Zoho&#8217;s platform. 
Because the traffic looks like routine SaaS usage, it blends seamlessly into enterprise environments. RESTLEAF creates timestamped &#8220;lion&#8221;-prefixed beacon files in a WorkDrive folder named &#8220;Second&#8221; to signal operator availability.</p><p><strong>Stage 3 &#8212; SNAKEDROPPER: The Ruby Trojan</strong></p><p>RESTLEAF loads SNAKEDROPPER, which silently installs a fully self-contained <strong>Ruby 3.3.0 runtime</strong> into <code>%PROGRAMDATA%\usbspeed</code>. The legitimate <code>rubyw.exe</code> binary is renamed to <code>usbspeed.exe</code> to masquerade as a USB utility. SNAKEDROPPER then:</p><ul><li><p>Hijacks Ruby&#8217;s auto-loaded <code>operating_system.rb</code> so malicious logic runs every time the interpreter starts</p></li><li><p>Establishes a scheduled task named <code>rubyupdatecheck</code> that fires every <strong>five minutes</strong> for persistence</p></li><li><p>Drops additional Ruby-named binaries that actually contain shellcode payloads</p></li></ul><p><strong>Stage 4 &#8212; THUMBSBD: The Air Gap Bridge</strong></p><p>This is the operational centerpiece of Ruby Jumper. THUMBSBD acts as a covert relay, using removable media as a bi-directional command channel between the infected internet-connected machine and any air-gapped system.</p><p>When a USB drive is inserted into the infected internet-facing machine, THUMBSBD copies staged command files into a <strong>hidden </strong><code>$RECYCLE.BIN</code><strong> directory</strong> on the drive &#8212; a location invisible under default Windows Explorer settings. 
When that same drive is plugged into an air-gapped machine (also running THUMBSBD), the implant:</p><ol><li><p>Reads files from the hidden <code>$RECYCLE.BIN</code></p></li><li><p>Decrypts them using XOR key <code>0x83</code></p></li><li><p>Executes the operator&#8217;s commands: file exfiltration, system reconnaissance, arbitrary execution</p></li><li><p>Stages results back into <code>$RECYCLE.BIN</code> on the drive</p></li></ol><p>When the USB is returned to the internet-connected machine, THUMBSBD exfiltrates the results to the cloud C2. The USB drive has become a fully automated command-and-control relay that the person carrying it never notices.</p><p><strong>Stage 5 &#8212; VIRUSTASK: The Spreader</strong></p><p>VIRUSTASK ensures the infection doesn&#8217;t stop at one air-gapped machine. When removable media is inserted, it:</p><ul><li><p>Checks for at least <strong>2GB of free space</strong> before proceeding</p></li><li><p>Creates a hidden folder named <code>$RECYCLE.BIN.USER</code> at the drive root, mimicking the Windows Recycle Bin, which is hidden by default</p></li><li><p><strong>Hides all legitimate user files</strong> and replaces them with identically named LNK shortcuts</p></li><li><p>When an unsuspecting user on a new machine opens what they believe is their own file, they launch the Ruby runtime &#8212; infecting the new host</p></li></ul><p><strong>Stage 6 &#8212; FOOTWINE + BLUELIGHT: Full Surveillance</strong></p><p>Once access is established, THUMBSBD delivers <strong>FOOTWINE</strong> &#8212; a Windows backdoor disguised as an Android APK (<code>foot.apk</code>). 
FOOTWINE provides full surveillance capability:</p><ul><li><p>Keylogging</p></li><li><p>Screenshot capture</p></li><li><p>Audio and video recording (microphone + camera)</p></li><li><p>File and registry manipulation</p></li><li><p>Remote shell access</p></li><li><p>Encrypted C2 over a custom XOR-based TCP protocol</p></li></ul><p>The older <strong>BLUELIGHT</strong> backdoor &#8212; a long-standing APT37 tool &#8212; also deploys here, using <strong>Google Drive, OneDrive, pCloud, and Backblaze</strong> as C2 channels. Its use confirmed Zscaler&#8217;s attribution to APT37.</p><h3>Why This Is Different</h3><p>Air gap attacks are not new. Stuxnet did it in 2010. What makes Ruby Jumper operationally significant is the <strong>automation and scale</strong>.</p><p>Most air gap attacks require a human insider to physically carry a compromised device. Ruby Jumper removes the human element from the relay. 
Any shared USB drive &#8212; carried by a well-intentioned IT staffer, a contractor, or an engineer transferring files for patching &#8212; becomes an automated C2 relay without the carrier ever knowing. The malware self-propagates to new air-gapped hosts through VIRUSTASK, meaning a single infected drive can compromise an entire secure enclave over time.</p><p>The choice of cloud services as C2 &#8212; Zoho, Google Drive, OneDrive &#8212; is equally deliberate. These are services that organizations actively whitelist. Blocking them would break business operations. APT37 is exploiting the operational dependency organizations have on legitimate SaaS platforms.</p><p></p><h3>Who Is APT37?</h3><p>APT37 (ScarCruft / Ruby Sleet / Velvet Chollima) is a DPRK state-sponsored cyber espionage group active since at least 2012. Historically focused on South Korean government entities, defense organizations, and individuals of interest to Pyongyang, the group has expanded its targeting to include critical infrastructure operators, research institutions, and international policy organizations.</p><p>Ruby Jumper represents a significant capability investment &#8212; the development of five entirely new malware tools, each engineered for a specific role in a complex multi-stage chain. This is not opportunistic crime. 
This is a deliberate, patient, state-funded operation targeting organizations that believed their air gap made them unreachable.</p><h3>Indicators of Compromise</h3><h3>Host Indicators</h3><ul><li><p><strong>Indicator:</strong> <code>709d70239f1e9441e8e21fcacfdc5d08</code></p><ul><li><p><strong>Filename:</strong> (None)</p></li><li><p><strong>Description:</strong> Windows shortcut</p></li></ul></li><li><p><strong>Indicator:</strong> <code>ad556f4eb48e7dba6da14444dcce3170</code></p><ul><li><p><strong>Filename:</strong> viewer.dat</p></li><li><p><strong>Description:</strong> Binary (Shellcode+RESTLEAF)</p></li></ul></li><li><p><strong>Indicator:</strong> <code>098d697f29b94c11b52c51bfe8f9c47d</code></p><ul><li><p><strong>Filename:</strong> (None)</p></li><li><p><strong>Description:</strong> Binary (Shellcode+SNAKEDROPPER)</p></li></ul></li><li><p><strong>Indicator:</strong> <code>4214818d7cde26ebeb4f35bc2fc29ada</code></p><ul><li><p><strong>Filename:</strong> ascii.rb</p></li><li><p><strong>Description:</strong> Binary (Shellcode+THUMBSBD)</p></li></ul></li><li><p><strong>Indicator:</strong> <code>5c6ff601ccc75e76c2fc998o8d8cc9a9</code></p><ul><li><p><strong>Filename:</strong> bundler_index_client.rb</p></li><li><p><strong>Description:</strong> Binary (Shellcode+VIRUSTASK)</p></li></ul></li><li><p><strong>Indicator:</strong> <code>476bce9b9a387c5f39461d781e7e22b9</code></p><ul><li><p><strong>Filename:</strong> foot.apk</p></li><li><p><strong>Description:</strong> Binary (Shellcode+FOOTWINE)</p></li></ul></li><li><p><strong>Indicator:</strong> <code>585322a931a49f4e1d78fb0b3f3c6212</code></p><ul><li><p><strong>Filename:</strong> footaaa.apk</p></li><li><p><strong>Description:</strong> Binary (Shellcode+BLUELIGHT)</p></li></ul></li></ul><div><hr></div><h3>What To Do Now</h3><p><strong>For air-gapped / high-security environments:</strong></p><ul><li><p>Implement hardware-level USB port controls &#8212; restrict which devices can connect and to which systems</p></li><li><p>Enforce a clean USB policy: 
drives that touch internet-connected systems must never enter air-gapped environments without a sanitization workflow</p></li><li><p>Monitor for the <code>rubyupdatecheck</code> scheduled task and audit all newly created scheduled tasks</p></li><li><p>Hunt for <code>%PROGRAMDATA%\usbspeed</code> and hidden <code>$RECYCLE.BIN.USER</code> directories on endpoints and removable media</p></li></ul><p><strong>For all enterprise environments:</strong></p><ul><li><p>Audit cloud storage access from endpoints &#8212; Zoho WorkDrive, Google Drive, OneDrive, pCloud, Backblaze are all being abused as C2</p></li><li><p>Inspect LNK files in email attachments and downloaded content &#8212; APT37 consistently uses malicious shortcut files as the first entry point</p></li><li><p>Monitor for <code>usbspeed.exe</code>, unusual Ruby runtime processes, and <code>operating_system.rb</code> modifications</p></li><li><p>Block or alert on <code>HKCU\SOFTWARE\Microsoft\TnGtp</code> registry key creation</p></li></ul><p><em>Source: <a href="https://threatlabz.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks">Zscaler ThreatLabz</a></em></p>]]></content:encoded></item><item><title><![CDATA[$4 Million, 8 Zero-Days, One Traitor: How a Defense Contractor Sold America's Cyber Weapons to Russia]]></title><description><![CDATA[Peter Williams didn't hack anything. He didn't need to. 
He already had the keys &#8212; and he auctioned them off to the highest bidder wearing a Russian flag.]]></description><link>https://www.codeaintel.com/p/4-million-8-zero-days-one-traitor</link><guid isPermaLink="false">https://www.codeaintel.com/p/4-million-8-zero-days-one-traitor</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Thu, 26 Feb 2026 15:51:33 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!DyFo!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbf3356ec-2fdf-4d6a-92c3-e55bf6b2942c_1600x900.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>There is a category of threat that keeps national security officials awake at night &#8212; not the nation-state hacker probing systems from a Moscow apartment, but the cleared insider who walks through the front door every morning, past the badge reader, into the vault. 
<strong>Peter Williams was that threat.</strong></p><p>A 39-year-old Australian national and former senior employee at <strong>L3Harris</strong> &#8212; one of the United States&#8217; premier defense technology contractors &#8212; Williams has been sentenced to <strong>87 months in federal prison</strong> for selling <strong>eight zero-day exploits</strong> to <strong>Operation Zero</strong>, a Russian exploit broker, over a three-year period between 2022 and 2025. The price: <strong>up to $4 million in cryptocurrency</strong>, spent on properties, luxury watches, clothing, and jewelry.</p><p>The tools he sold were not his to sell. They were developed exclusively for the U.S. government and select allies. And according to the DOJ sentencing memorandum, they were capable of being &#8220;used against any manner of victim, civilian or military around the world&#8221; &#8212; enabling everything from ransomware to &#8220;state directed spying and offensive cyber operations against military targets.&#8221;</p><p>He didn&#8217;t steal a spreadsheet. 
He sold the cyber equivalent of a loaded gun pointed at millions of devices &#8212; and handed it to Russia.</p><h3><strong>Who Is Operation Zero?</strong></h3><p>Operation Zero &#8212; now officially sanctioned by both the U.S. State Department and Treasury&#8217;s OFAC &#8212; is not a shadowy dark-web forum. 
It is a structured, commercially operating exploit brokerage based in Russia, run by <strong>Sergey Sergeyevich Zelenyuk</strong>, who also created a parallel entity called <strong>Special Technology Services LLC (STS)</strong> registered in the UAE &#8212; almost certainly to circumvent sanctions on Russian banking.</p><p>The numbers on Operation Zero&#8217;s published bounty board tell you everything about who their customers are:</p><ul><li><p><strong>$4 million</strong> for Telegram exploits</p></li><li><p><strong>$20 million</strong> for full-chain Android or iPhone remote code execution</p></li></ul><p>These are not bug bounty prices. These are nation-state prices. Zelenyuk has openly stated Operation Zero sells <strong>exclusively to non-NATO countries</strong> &#8212; a business model that is, in plain terms, the commercialization of offensive cyber capability for foreign intelligence services.</p><p>The Treasury has now sanctioned Zelenyuk, Operation Zero, STS, and four associated individuals and entities &#8212; including <strong>Oleg Kucherov</strong>, suspected of TrickBot gang membership, and <strong>Azizjon Mamashoyev</strong>, who ran a parallel exploit brokerage called Advance Security Solutions offering bounties for U.S.-built software vulnerabilities.</p><p>At least one of the tools Williams sold has already been transferred to an unauthorized user.</p><h3><strong>The Scale of What Was Lost</strong></h3><p>L3Harris has quantified its losses at <strong>$35 million</strong>. That is the financial damage &#8212; the cost of rebuilding, revoking, and replacing eight compromised exploit tools that were supposed to be among the U.S. government&#8217;s most closely held offensive capabilities.</p><p>The true cost cannot be measured in dollars. Zero-day exploits developed for national defense represent years of research, sophisticated vulnerability discovery, and controlled operational security. Once sold, they cannot be unsold. Once in Russian hands, they can be:</p><ul><li><p><strong>Repurposed</strong> for espionage operations against U.S. allies</p></li><li><p><strong>Analyzed</strong> to understand how U.S. 
offensive capabilities work and how to defend against them</p></li><li><p><strong>Resold</strong> to additional state actors &#8212; Operation Zero&#8217;s business model is brokerage, not exclusivity</p></li></ul><p>Williams didn&#8217;t just betray his employer. He inverted his entire professional purpose. These tools existed to protect &#8212; and he converted them into weapons for sale.</p><h3><strong>The Sanctions Web</strong></h3><p>The U.S. State Department&#8217;s designation of Operation Zero under the <strong>Protecting American Intellectual Property Act (PAIPA)</strong> and Treasury&#8217;s OFAC sanctions represent a coordinated whole-of-government response that goes beyond the criminal prosecution. The message is structural: not just &#8220;we jailed the seller,&#8221; but &#8220;we are dismantling the buyer.&#8221;</p><p>The sanctions freeze assets, block transactions, and expose anyone doing business with Operation Zero to secondary sanctions risk. The inclusion of the UAE-based STS entity in the designation signals that the U.S. 
is willing to pursue the sanctions evasion infrastructure, not just the primary actors.</p><p><em>Source: U.S. Department of Justice - https://www.courtlistener.com/docket/71644575/united-states-v-williams/ </em></p>]]></content:encoded></item><item><title><![CDATA[Blockchain Fortress, Human Gatekeeper: How Figure Tech Lost 1 Million IDs to a Phone Call]]></title><description><![CDATA[The promise of blockchain is immutable security. The reality of fintech is that a single employee login is worth more than all the cryptography in the world.]]></description><link>https://www.codeaintel.com/p/blockchain-fortress-human-gatekeeper</link><guid isPermaLink="false">https://www.codeaintel.com/p/blockchain-fortress-human-gatekeeper</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Wed, 18 Feb 2026 18:24:51 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!F_k3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd317d80e-4f7b-4ad2-b980-b94c02157342_1024x559.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Figure Technology Solutions</strong>, a fintech giant leveraging the Provenance blockchain for lending and securities, has just become the latest trophy for the notorious <strong>ShinyHunters</strong> extortion group. While the company boasts about &#8220;unlocking $22 billion in home equity&#8221; with cutting-edge tech, its perimeter was breached by the oldest trick in the book: <strong>Social Engineering.</strong></p><p>The result? <strong>967,200 accounts exposed.</strong></p><h3><strong>The &#8220;Low-Tech&#8221; Hack</strong></h3><p>According to reports confirmed by BleepingComputer and <em>Have I Been Pwned</em>, the breach wasn&#8217;t a result of a cracked private key or a smart contract failure. It was a <strong>human failure</strong>.</p><p>An employee was tricked&#8212;likely through a targeted voice phishing (vishing) or spear-phishing campaign&#8212;into handing over the keys to the kingdom. 
This mirrors ShinyHunters&#8217; recent <em>modus operandi</em>, where they impersonate IT support to trick staff into entering credentials and MFA codes on fake portals.</p><p>Once inside, the attackers didn&#8217;t need to break encryption; they just needed &#8220;authorized&#8221; access to download the files.</p><h3><strong>The Loot: A Phisher&#8217;s Goldmine</strong></h3><p>The data, which dates back to January 2026, is a complete starter kit for identity theft. The 2.5 GB leak includes:</p><ul><li><p><strong>Full Names</strong></p></li><li><p><strong>Physical Addresses</strong></p></li><li><p><strong>Phone Numbers</strong></p></li><li><p><strong>Dates of Birth</strong></p></li><li><p><strong>900,000+ Unique Email Addresses</strong></p></li></ul><p>While Figure claims only a &#8220;limited number of files&#8221; were taken, the nature of this data means the victims are now prime targets for secondary attacks. 
If you were a customer, expect your phone to start ringing with very convincing scammers who know <em>exactly</em> who you are.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tGP8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tGP8!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 424w, https://substackcdn.com/image/fetch/$s_!tGP8!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 848w, https://substackcdn.com/image/fetch/$s_!tGP8!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!tGP8!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!tGP8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg" width="1024" height="559" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:559,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!tGP8!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 424w, https://substackcdn.com/image/fetch/$s_!tGP8!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 848w, https://substackcdn.com/image/fetch/$s_!tGP8!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!tGP8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66b8b9f6-4dc0-4cac-bbe0-99e36e9946e5_1024x559.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>The SSO Weakness</strong></h3><p>This breach is part of a larger, disturbing trend targeting Single Sign-On (SSO) infrastructure. 
Attackers like ShinyHunters have realized that getting an employee to let them into an <strong>Okta</strong> or <strong>Microsoft 365</strong> account is significantly easier than finding a zero-day vulnerability in the software stack.</p><p><strong>The Lesson:</strong> You can build your castle on the blockchain, but if the gatekeeper opens the door for a stranger in a nice suit, you are still getting robbed.</p><ul><li><p><strong>Verify the Caller:</strong> IT support will never ask for your MFA code, and it will never ask you to approve a push prompt or enrol a new device on its behalf.</p></li><li><p><strong>Hardware Keys:</strong> It is time to move beyond SMS and app-based MFA to FIDO2/WebAuthn hardware keys (YubiKeys). They are phishing-resistant because the key signs the site&#8217;s origin into every login; there is no code to read out over the phone, and an assertion relayed through a lookalike domain fails verification at the real site.</p></li><li><p><strong>Assume Breach:</strong> If you are a Figure user, lock your credit reports <em>now</em>.</p></li></ul><blockquote><p><strong>CodeAintel Insight:</strong> <em>The Figure breach proves that in 2026, the most dangerous vulnerability in the fintech ecosystem isn&#8217;t in the code&#8212;it&#8217;s in the cubicle. We are seeing a shift where &#8220;hacking&#8221; is becoming synonymous with &#8220;asking nicely.&#8221; </em></p></blockquote><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! 
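Why the hardware-key advice above holds up against the kind of phone call that gets a helpdesk to hand over an account, shown in runnable form. This is an added example, not code from the CodeAIntel post or from any vendor: it models the origin binding that WebAuthn writes into every assertion, with an HMAC standing in for the security key's private-key signature (real keys sign with an asymmetric key; the relying party's checks are the same). The hostnames figure.example and figure-login.example are made up.

```python
"""Why a FIDO2/WebAuthn login survives the phone call that defeats an MFA code.

Added example, not code from the CodeAIntel post or any vendor. It models the origin
binding WebAuthn puts into every assertion; an HMAC stands in for the security key's
private-key signature (real keys sign with an asymmetric key, the binding logic is
the same). Hostnames are made up.
"""
import hashlib
import hmac
import json
import os
import secrets

RP_ID = "figure.example"                        # assumed relying-party ID
RP_ORIGIN = "https://figure.example"            # origin the RP expects in clientDataJSON
PHISH_ORIGIN = "https://figure-login.example"   # attacker's lookalike login page


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Stand-in authenticator holding one registered credential."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, challenge: bytes, page_origin: str) -> dict:
        # The browser, not the user, records the origin of the page that asked and
        # derives rpIdHash from that origin's domain. A real browser would refuse
        # to use this credential for a foreign domain at all; here it answers so
        # the relying-party check below is visible.
        client_data = json.dumps({"type": "webauthn.get",
                                  "challenge": challenge.hex(),
                                  "origin": page_origin}).encode()
        domain = page_origin.split("://", 1)[1]
        auth_data = sha256(domain.encode())           # rpIdHash (real authData has more fields)
        to_sign = auth_data + sha256(client_data)
        signature = hmac.new(self.secret, to_sign, hashlib.sha256).digest()
        return {"clientDataJSON": client_data,
                "authenticatorData": auth_data,
                "signature": signature}


def verify_assertion(cred_secret: bytes, challenge: bytes, assertion: dict) -> tuple[bool, str]:
    """Relying-party side, in the order the WebAuthn spec lists the checks."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge.hex():
        return False, "challenge mismatch (stale or replayed login)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: assertion was made for {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch: key answered for a different domain"
    to_sign = assertion["authenticatorData"] + sha256(assertion["clientDataJSON"])
    expected = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def login_attempt(page_origin: str) -> tuple[bool, str]:
    """One login: the RP issues a challenge, the user's key answers from `page_origin`.
    With a phishing page in the middle, the attacker forwards the real challenge to the
    victim, the victim taps the key, and the attacker relays the assertion to the RP."""
    key = SecurityKey()
    challenge = os.urandom(32)
    assertion = key.get_assertion(challenge, page_origin)
    return verify_assertion(key.secret, challenge, assertion)


def code_relay(code_read_out_on_the_phone: str, code_server_expects: str) -> bool:
    """Contrast: a six-digit TOTP/SMS code carries no origin, so a relayed code is accepted."""
    return hmac.compare_digest(code_read_out_on_the_phone, code_server_expects)


if __name__ == "__main__":
    print("genuine page :", login_attempt(RP_ORIGIN))
    print("phishing page:", login_attempt(PHISH_ORIGIN))
    print("relayed code :", code_relay("492817", "492817"))
```

Run it and the genuine origin verifies, while the same tap of the same key made on the lookalike page is rejected on the origin check before the signature is even examined. The code_relay function is the contrast: a TOTP or SMS code has no origin in it, so whatever a caller talks an employee into reading out works verbatim.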
Subscribe for free to receive new posts and support my work.</p></div></div></div>]]></content:encoded></item><item><title><![CDATA[How a Trojanized Oura Server Infiltrated AI Ecosystems]]></title><description><![CDATA[Your biometric data isn't the only thing the Oura ring can connect to anymore&#8212;now, it might be the gateway for an infostealer.]]></description><link>https://www.codeaintel.com/p/how-a-trojanized-oura-server-infiltrated</link><guid isPermaLink="false">https://www.codeaintel.com/p/how-a-trojanized-oura-server-infiltrated</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Tue, 17 Feb 2026 15:34:44 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!aJlp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aJlp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aJlp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!aJlp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!aJlp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!aJlp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aJlp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aJlp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!aJlp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!aJlp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!aJlp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7624fa31-88c3-4389-a3df-d3b7146c46cb_1024x1024.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Your biometric data isn&#8217;t the only thing the Oura ring can connect to anymore&#8212;now, it might be the gateway for an infostealer.</p><p>A sophisticated new <strong>SmartLoader</strong> campaign has been uncovered, targeting the emerging world of AI agents. By seeding a trojanized <strong>Model Context Protocol (MCP)</strong> server into the GitHub-and-registry trust chain developers rely on, threat actors have found a way to turn a developer-focused health-tech tool into a delivery vehicle for the <strong>StealC</strong> infostealer.</p><p>This isn&#8217;t just a malware drop; it&#8217;s a long con in supply-chain poisoning.</p><h3><strong>Manufactured Credibility: The Four-Stage Heist</strong></h3><p>Unlike low-effort phishing, the SmartLoader operators invested months into building a &#8220;reputation&#8221; on GitHub. According to <strong>Straiker&#8217;s STAR Labs</strong>, the attack exploited the trust heuristics developers use when evaluating new AI tools.</p><p><strong>The Blueprint of Deception:</strong></p><ol><li><p><strong>Identity Farming:</strong> The attackers created at least five fake GitHub personas (including <em>YuzeHao2023</em> and <em>punkpeye</em>) to fork the legitimate Oura MCP server repository.</p></li><li><p><strong>The Payload Shell:</strong> A new account, <em>SiddhiBagul</em>, was established to host the &#8220;poisoned&#8221; version of the server containing the malicious SmartLoader code.</p></li><li><p><strong>Contributor Laundering:</strong> The fake personas were added as &#8220;contributors&#8221; to the rogue repository, creating a false sense of community activity and legitimacy.</p></li><li><p><strong>Marketplace Poisoning:</strong> The trojanized server was then submitted to <strong>MCP Market</strong>, a legitimate registry. 
Users searching for ways to connect their AI assistants to their Oura Health data found the rogue server listed alongside benign options.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TbfL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TbfL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 424w, https://substackcdn.com/image/fetch/$s_!TbfL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 848w, https://substackcdn.com/image/fetch/$s_!TbfL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 1272w, https://substackcdn.com/image/fetch/$s_!TbfL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TbfL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png" width="1122" height="602" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:602,&quot;width&quot;:1122,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TbfL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 424w, https://substackcdn.com/image/fetch/$s_!TbfL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 848w, https://substackcdn.com/image/fetch/$s_!TbfL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 1272w, https://substackcdn.com/image/fetch/$s_!TbfL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3036ca04-47ed-410a-b5c5-5448068cd23e_1122x602.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div></li></ol><h3><strong>The Payload: StealC Infostealer</strong></h3><p>Once a developer or high-value target downloads the ZIP archive and launches the server, an obfuscated Lua script executes. 
This drops the <strong>SmartLoader</strong> malware, which in turn deploys <strong>StealC</strong>.</p><p>StealC is a highly efficient infostealer designed to vacuum up:</p><ul><li><p><strong>Browser Credentials:</strong> Saved passwords and cookies.</p></li><li><p><strong>Crypto Wallets:</strong> Direct targeting of browser-based and desktop wallet files.</p></li><li><p><strong>Developer Assets:</strong> The true &#8220;prize&#8221; in this campaign&#8212;API keys, cloud credentials, and access to production environments.</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0iw3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0iw3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!0iw3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!0iw3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!0iw3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!0iw3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0iw3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!0iw3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!0iw3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!0iw3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6844e6eb-06c3-47c4-830c-d9f0227fd992_1024x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>The AI Attack Surface</strong></h3><p>The SmartLoader campaign marks a pivotal shift in threat actor strategy. The operators are moving away from users looking for pirated software and toward <strong>developers</strong> and <strong>AI enthusiasts</strong>.</p><ul><li><p><strong>The Trust Gap:</strong> Legitimate registries like MCP Market often lack the rigorous automated vetting found in more mature ecosystems (like the App Store), allowing &#8220;patient&#8221; threat actors to slip through.</p></li><li><p><strong>Targeting the Architect:</strong> Developers hold the keys to the kingdom. 
By infecting a developer&#8217;s machine, an attacker gains a foothold into entire corporate infrastructures and production pipelines.</p></li><li><p><strong>AI Tooling as a Blind Spot:</strong> Organizations are rushing to integrate AI agents (like Claude or GPT-4) with local data via MCP. This rush creates a &#8220;security vacuum&#8221; where tools are installed without formal review.</p></li></ul><blockquote><p><strong>CodeAintel Insight:</strong> <em>The Oura MCP attack proves that &#8220;credibility&#8221; can be manufactured with a few fake accounts and enough time. In the age of AI agents, your security is only as strong as the most obscure server in your registry. Verify the origin, inventory your MCPs, and never trust a contributor list at face value. </em></p></blockquote><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! 
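The insight above ends with three verbs: verify the origin, inventory your MCPs, never trust a contributor list. The first two can be a script. What follows is an added example, not code from the CodeAIntel post or from Straiker: it reads the mcpServers map that Claude Desktop style config files use and flags entries that look the way the trojanized Oura server was delivered, a ZIP unpacked into a download folder and started by a script interpreter, handed a live API token, with no reference to a package or image on an allowlist your team maintains. The sample config, the paths, the allowlist names and the token values are constructed for the example.

```python
"""Inventory and vet the MCP servers an AI client is configured to launch.

Added example, not code from the CodeAIntel post or from Straiker. It reads the
`mcpServers` map used by Claude Desktop style config files and flags entries that
look the way the trojanized Oura server was delivered: a ZIP unpacked into a download
folder and started by a script interpreter, handed a live API token, with no reference
to a package or image on an allowlist your team maintains. The sample config, paths,
package names and token values below are constructed for the example.
"""
import json
import re

# Constructed sample; a real file lives at e.g.
# ~/Library/Application Support/Claude/claude_desktop_config.json (macOS).
SAMPLE_CONFIG = r'''
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/projects"]
    },
    "oura": {
      "command": "lua",
      "args": ["/home/dev/Downloads/oura-mcp-server-main/server.lua"],
      "env": {"OURA_PERSONAL_ACCESS_TOKEN": "ZKJ7Q3-REDACTED"}
    },
    "github": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "GITHUB_PERSONAL_ACCESS_TOKEN",
               "ghcr.io/github/github-mcp-server"],
      "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_REDACTED"}
    }
  }
}
'''

# Packages and images that went through review (assumed names for the example).
APPROVED_SOURCES = {
    "@modelcontextprotocol/server-filesystem",
    "ghcr.io/github/github-mcp-server",
}
# Interpreters that should not be launching loose, unreviewed server code.
SCRIPT_INTERPRETERS = {"lua", "luajit", "python", "python3", "node", "sh", "bash", "pwsh", "powershell"}
# Where a ZIP from a marketplace listing or a GitHub release usually lands.
UNTRUSTED_DIR = re.compile(r"(^|[\\/])(Downloads|Desktop|tmp|Temp)([\\/]|$)", re.IGNORECASE)
SECRET_NAME = re.compile(r"TOKEN|SECRET|KEY|PASSWORD", re.IGNORECASE)


def audit_server(spec: dict) -> list[str]:
    """Findings for one server entry; an empty list means nothing to flag."""
    command = str(spec.get("command", ""))
    args = [str(a) for a in spec.get("args", [])]
    env = spec.get("env") or {}
    approved = command in APPROVED_SOURCES or any(a in APPROVED_SOURCES for a in args)
    findings = []
    if not approved:
        findings.append("no reference to an approved package or image")
    if command.lower() in SCRIPT_INTERPRETERS:
        findings.append(f"started by a script interpreter ({command}) instead of a pinned package")
    for a in args:
        if UNTRUSTED_DIR.search(a):
            findings.append(f"runs code from an untrusted directory: {a}")
    if not approved:
        # A reviewed server legitimately needs its token; an unreviewed one holding a
        # token is exactly the developer-asset theft the post describes.
        for name in env:
            if SECRET_NAME.search(name):
                findings.append(f"unreviewed server is handed a live secret ({name})")
    return findings


def audit_config(text: str) -> dict[str, list[str]]:
    """Audit every server in one config document, keyed by server name."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_server(spec) for name, spec in servers.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"[{'FLAG' if findings else 'OK  '}] {name}")
        for f in findings:
            print(f"        - {f}")
```

Point audit_config at the real config file's contents and the two reviewed servers come back clean while the oura entry collects four findings. The allowlist is the part that does the work: a contributor list can be manufactured, but a package name or image digest your team pinned after review cannot be faked by adding accounts to a repository.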
Subscribe for free to receive new posts and support my work.</p></div></div></div>]]></content:encoded></item><item><title><![CDATA[ZeroDayRAT: The Nation-State Toolkit Now Available to the Highest (Telegram) Bidder]]></title><description><![CDATA[The barrier to entry for total mobile domination just hit zero.]]></description><link>https://www.codeaintel.com/p/zerodayrat-the-nation-state-toolkit</link><guid isPermaLink="false">https://www.codeaintel.com/p/zerodayrat-the-nation-state-toolkit</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Mon, 16 Feb 2026 16:47:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!CV78!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CV78!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CV78!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!CV78!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!CV78!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!CV78!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CV78!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CV78!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!CV78!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!CV78!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!CV78!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79e860a9-977b-4f76-9f02-1d9d58a6a23a_1024x1024.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>A new mobile spyware platform, dubbed <strong>ZeroDayRAT</strong>, has emerged on Telegram, offering a suite of surveillance tools that were once the exclusive domain of elite nation-state signals intelligence (SIGINT) units. For a fee, any buyer can now gain full, real-time access to a target&#8217;s digital and physical life through a self-hosted browser panel.</p><p>It&#8217;s not just a data stealer. It&#8217;s a total takeover of the person behind the screen.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!4ICj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!4ICj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!4ICj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!4ICj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!4ICj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!4ICj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!4ICj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!4ICj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!4ICj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!4ICj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8c24266e-dd0c-443d-9d1d-84ea86be5e1b_1600x900.jpeg 1456w" sizes="100vw"></picture></div></a></figure></div><h3><strong>The &#8220;Everywhere&#8221; Exploit: Android 5 to iOS 26</strong></h3><p>The technical reach of ZeroDayRAT is staggeringly broad. While many RATs (Remote Access Trojans) break when the OS updates, ZeroDayRAT is built for longevity:</p><ul><li><p><strong>Android:</strong> Supports version 5 all the way through <strong>Android 16</strong>.</p></li><li><p><strong>iOS:</strong> Supports versions up to <strong>iOS 26</strong>, leveraging enterprise (in-house) provisioning profiles to install outside the App Store and its review, bypassing the &#8220;walled garden.&#8221;</p></li></ul><p>Distributed via social engineering and malicious &#8220;updates&#8221; on Telegram and fake marketplaces, the malware generates a custom binary for each target. 
Once installed, the attacker doesn&#8217;t just see files&#8212;they see a live dashboard of the victim&#8217;s existence.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RVYw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RVYw!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!RVYw!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!RVYw!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!RVYw!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RVYw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RVYw!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!RVYw!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!RVYw!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!RVYw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe6f66a4f-e6fa-456a-a481-62cf4f73622b_1600x900.png 1456w" sizes="100vw"></picture></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RuYP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RuYP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!RuYP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 848w, 
https://substackcdn.com/image/fetch/$s_!RuYP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!RuYP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RuYP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RuYP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!RuYP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 848w, 
https://substackcdn.com/image/fetch/$s_!RuYP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!RuYP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c6c0d38-7f74-4d54-a504-38f9fa2625b9_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>The Real-Time Panopticon</strong></h3><p>ZeroDayRAT transforms a smartphone into a 24/7 surveillance beacon. 
The command-and-control (C2) panel provides:</p><ul><li><p><strong>Live Eyes and Ears:</strong> Remote activation of camera streaming and microphone feeds.</p></li><li><p><strong>GPS Stalking:</strong> Real-time location plotting on Google Maps with a full historical breadcrumb trail.</p></li><li><p><strong>Keystroke Logging:</strong> Every password, message, and search query is recorded before it&#8217;s even sent.</p></li><li><p><strong>Identity Mapping:</strong> The &#8220;Accounts Tab&#8221; enumerates every registered service&#8212;WhatsApp, Google, Facebook, Amazon, and banking apps&#8212;linking the device to the victim&#8217;s entire digital footprint.</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!E_GB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!E_GB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!E_GB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!E_GB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!E_GB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!E_GB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!E_GB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 424w, https://substackcdn.com/image/fetch/$s_!E_GB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 848w, https://substackcdn.com/image/fetch/$s_!E_GB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!E_GB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1acc360-26bd-4b1a-97d8-f55b5927b803_1600x900.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>Financial Warfare: Bypassing 2FA and Draining Wallets</strong></h3><p>ZeroDayRAT isn&#8217;t content with just watching; it&#8217;s designed to loot. 
The toolkit includes a sophisticated <strong>Bank Stealer</strong> and <strong>Crypto-Wallet Hijacker</strong>.</p><ol><li><p><strong>OTP Interception:</strong> By monitoring SMS in real-time, the malware intercepts One-Time Passwords (OTPs), effectively neutralizing Two-Factor Authentication (2FA).</p></li><li><p><strong>Clipboard Substitution:</strong> The malware scans for wallet apps like MetaMask and Binance. When a user copies a crypto address, the RAT replaces it with the attacker&#8217;s address in the clipboard.</p></li><li><p><strong>Payment App Takeover:</strong> It targets mobile payment ecosystems like Apple Pay, Google Pay, PayPal, and regional giants like India&#8217;s PhonePe (UPI).</p></li></ol><p>The emergence of ZeroDayRAT represents a dangerous shift in the threat landscape.</p><p><strong>Why this matters:</strong></p><ul><li><p><strong>The Zero-Trust Necessity:</strong> If you are not verifying the origin of every &#8220;update&#8221; or &#8220;enterprise profile,&#8221; you are inviting an adversary into your pocket.</p></li><li><p><strong>Biometrics vs. Keystrokes:</strong> While biometrics (FaceID/TouchID) are secure, the RAT logs the <em>interaction</em> after the vault is open.</p></li><li><p><strong>The Telegram Shadow Market:</strong> The transition of these tools from private &#8220;zero-day&#8221; exploits to Telegram-accessible subscription models means the number of potential attackers has increased by an order of magnitude.</p></li></ul><p>Source: https://iverify.io/blog/breaking-down-zerodayrat---new-spyware-targeting-android-and-ios</p>]]></content:encoded></item><item><title><![CDATA[How 2,420 Russian Starlink Terminals Just Became Digital Targets]]></title><description><![CDATA[It wasn't a missile that blinded the Russian drone teams in Zaporizhzhia this week. It was a QR code and a Telegram bot.]]></description><link>https://www.codeaintel.com/p/how-2420-russian-starlink-terminals</link><guid isPermaLink="false">https://www.codeaintel.com/p/how-2420-russian-starlink-terminals</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Sat, 14 Feb 2026 18:34:02 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!RNBh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!GHhL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!GHhL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!GHhL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!GHhL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!GHhL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!GHhL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1855267,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/187970220?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!GHhL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!GHhL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!GHhL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!GHhL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd713e9d3-ccc1-488d-b4b7-07705cb1056b_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>When SpaceX and the Ukrainian government finally pulled the plug on unauthorized Starlink terminals used by Russian forces, the frontline went dark. Communications collapsed, drone feeds flickered out, and Russian units&#8212;desperate to restore the one Western technology they can&#8217;t live without&#8212;started looking for a workaround.</p><p>They found one. Or so they thought.</p><h3>The &#8220;Activation&#8221; Trap</h3><p>Ukrainian hacktivists from the <strong>256th Cyber Assault Division</strong>, working alongside <strong>InformNapalm</strong>, didn&#8217;t just wait for the Russians to scramble; they built the net.</p><p>They launched a network of fake Telegram channels and &#8220;activation bots&#8221; promising a way to bypass the new Ukrainian &#8220;whitelist&#8221; registration system. For a modest fee, the bots promised to register illicit terminals under &#8220;safe&#8221; Ukrainian identities, keeping the dishes online.</p><p>The Russians took the bait. 
In less than seven days:</p><ul><li><p><strong>2,420 data packages</strong> were harvested, containing serial numbers and precise GPS coordinates of Russian Starlink terminals.</p></li><li><p><strong>$5,870 in &#8220;fees&#8221;</strong> was siphoned directly from Russian soldiers&#8217; pockets into funds for the Ukrainian Defense Forces.</p></li><li><p><strong>31 local collaborators</strong> (potential &#8220;drops&#8221;) were identified and handed over to law enforcement.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cUVF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cUVF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!cUVF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!cUVF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!cUVF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!cUVF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2027473,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/187970220?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!cUVF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!cUVF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!cUVF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!cUVF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff0d00a7d-226f-47dc-b449-ca1ae26dbd12_1024x1024.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div></li></ul><h3>From &#8220;Online&#8221; to &#8220;Brick Mode&#8221;</h3><p>The operation didn&#8217;t just harvest data&#8212;it weaponized it. The 256th Division confirmed they passed the technical identifiers to Ukrainian drone logistics advisor <strong>Serhiy Sternenko</strong>.</p><p>The goal? <strong>&#8220;Brick Mode.&#8221;</strong> By identifying the exact digital signatures of the terminals being used by the enemy, Ukraine and SpaceX can remotely disable the hardware permanently. 
But before the &#8220;kill switch&#8221; is flipped, those GPS coordinates are being used for something much more immediate: kinetic strikes. In the world of electronic warfare, if you can see the terminal, you can see the command post.</p><h3>The Fatal Breach: Why OPSEC Is a Must</h3><p>In the intelligence community, there is a saying: <strong>&#8220;The easiest way to get into a locked building is to have the owner open the door.&#8221;</strong> This operation succeeded because Russian frontline units prioritized immediate tactical convenience over long-term <strong>Operational Security (OPSEC)</strong>.</p><p>By engaging with unverified third-party bots to register military hardware, Russian forces violated the most fundamental rules of digital warfare:</p><ol><li><p><strong>Trusting the &#8220;Grey Market&#8221;:</strong> In a conflict zone, there is no such thing as a &#8220;friendly&#8221; unauthorized service. By seeking a workaround for SpaceX&#8217;s restrictions, the users handed their hardware&#8217;s unique identifiers directly to the adversary.</p></li><li><p><strong>GPS as a Weapon:</strong> A Starlink terminal is a beacon. By attempting to &#8220;spoof&#8221; location data through an insecure bot, the operators inadvertently confirmed their exact positions. In the age of precision artillery, <strong>Location Data = Targeting Data.</strong></p></li><li><p><strong>The &#8220;Convenience Trap&#8221;:</strong> The desire to maintain a high-bandwidth connection for drone feeds created a psychological blind spot. The 256th Division exploited the &#8220;user experience&#8221; of a soldier&#8212;making the fake bot look and feel like a standard service&#8212;to bypass their survival instincts.</p></li></ol><blockquote><p><strong>CodeAIntel Warning:</strong> OPSEC isn&#8217;t just about hiding secrets; it&#8217;s about managing the digital footprint of your hardware. 
When a soldier treats a military comms device like a personal smartphone, they aren&#8217;t just compromised&#8212;they are categorized and neutralized.</p></blockquote><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RNBh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RNBh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!RNBh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!RNBh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!RNBh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RNBh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1598017,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/187970220?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RNBh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!RNBh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!RNBh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!RNBh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7619c987-c7a0-4277-8c2f-0445f2508ee4_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3>Technical Brief: The Link Between Identity and Location</h3><p>For a Starlink terminal to function, it must maintain a constant handshake with the satellite constellation. 
This process creates a &#8220;Digital ID&#8221; that is nearly impossible to fake once it is flagged:</p><ul><li><p><strong>Terminal ID (Hardware SN):</strong> Each dish has a unique serial number burnt into its hardware.</p></li><li><p><strong>GNSS Integration:</strong> Every terminal contains a GPS/GNSS module to orient its phased-array antenna.</p></li><li><p><strong>The Handshake:</strong> SpaceX sees which <strong>Serial Number</strong> is requesting data from which <strong>GPS Coordinate</strong>.</p></li></ul><p>By submitting their SN to the fake Ukrainian bot, the Russian operators essentially signed their own death warrants, allowing the SBU to cross-reference that ID with active satellite pings.</p>]]></content:encoded></item><item><title><![CDATA[Phantom Office: How APT28 Weaponized a Just-Patched Microsoft Bug in Days]]></title><description><![CDATA[Zero-days used to be rare. 
Now they&#8217;re strategic accelerants, weaponized before defenders can blink.]]></description><link>https://www.codeaintel.com/p/phantom-office-how-apt28-weaponized</link><guid isPermaLink="false">https://www.codeaintel.com/p/phantom-office-how-apt28-weaponized</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Wed, 04 Feb 2026 18:21:58 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!LFYu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0tHK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0tHK!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 424w, https://substackcdn.com/image/fetch/$s_!0tHK!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 848w, https://substackcdn.com/image/fetch/$s_!0tHK!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 1272w, https://substackcdn.com/image/fetch/$s_!0tHK!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!0tHK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png" width="348" height="217.07491856677524" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:383,&quot;width&quot;:614,&quot;resizeWidth&quot;:348,&quot;bytes&quot;:50558,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/186888019?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0tHK!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 424w, https://substackcdn.com/image/fetch/$s_!0tHK!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 848w, https://substackcdn.com/image/fetch/$s_!0tHK!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 1272w, https://substackcdn.com/image/fetch/$s_!0tHK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0aeb079-61ca-4a5a-836c-d5d46b3c0494_614x383.png 1456w" 
sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><h3><strong>The Vulnerability That Refused to Stay Dead</strong></h3><p>On <strong>January 26, 2026</strong>, Microsoft issued an urgent out-of-band update to address a high-severity security bypass (CVE-2026-21509) in multiple Office releases. This wasn&#8217;t a garden-variety bug: it undermined the way Office makes trust decisions when handling untrusted input, creating an opening for attackers to slip malicious content past built-in mitigations.</p><p>The patch was pushed rapidly, and in some modern Office builds the fix was applied server-side, meaning users often <em>only needed to restart the app</em> to be protected.</p><p>But the flaw&#8217;s &#8220;death&#8221; was greatly exaggerated.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!43IQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!43IQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 424w, https://substackcdn.com/image/fetch/$s_!43IQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 848w, https://substackcdn.com/image/fetch/$s_!43IQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 1272w, https://substackcdn.com/image/fetch/$s_!43IQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!43IQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png" width="768" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/baa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:768,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:688247,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/186888019?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!43IQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 424w, https://substackcdn.com/image/fetch/$s_!43IQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 848w, https://substackcdn.com/image/fetch/$s_!43IQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 1272w, https://substackcdn.com/image/fetch/$s_!43IQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaa43e23-81b0-4477-961e-8d84c41ab6c5_768x512.png 1456w" sizes="100vw"></picture></div></a></figure></div><h3><strong>Weaponizing the Patch Window</strong></h3><p>Within <strong>just three days</strong>, seasoned operators linked to Russia&#8217;s GRU-associated <strong>APT28</strong> (a.k.a. Fancy Bear) had already weaponized the bug in a multi-stage espionage campaign observed in the wild.</p><p>CERT-UA, Ukraine&#8217;s Computer Emergency Response Team, first reported emails carrying malicious DOC attachments that exploited the flaw arriving in government networks mere days after Microsoft&#8217;s alert. Some lures spoofed EU COREPER consultations while others masqueraded as messages from official meteorological services.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!96mS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!96mS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 424w, https://substackcdn.com/image/fetch/$s_!96mS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 848w, 
https://substackcdn.com/image/fetch/$s_!96mS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 1272w, https://substackcdn.com/image/fetch/$s_!96mS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!96mS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png" width="768" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:768,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:653040,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/186888019?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!96mS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 424w, 
https://substackcdn.com/image/fetch/$s_!96mS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 848w, https://substackcdn.com/image/fetch/$s_!96mS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 1272w, https://substackcdn.com/image/fetch/$s_!96mS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F236adfb4-f7ac-4317-8cb8-5fe746aa193e_768x512.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>This wasn&#8217;t opportunistic spam; it was <strong>timed precision targeting</strong>:</p><ul><li><p>The exploit chain begins with carefully crafted Office documents.</p></li><li><p>A WebDAV-based fetch mechanism triggers a malicious DLL via classic COM/OLE hijacking.</p></li><li><p>Shellcode, hidden inside innocuous images, unpacks and runs a <strong>COVENANT-based loader</strong>.</p></li><li><p>From there, persistent backdoors and additional espionage tools can be deployed.</p></li></ul><p>In campaign forensics, this constellation of techniques (WebDAV delivery, COM hijack, image-embedded shellcode, and a COVENANT framework) mirrors methods APT28 has used before.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_ZIX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_ZIX!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 424w, https://substackcdn.com/image/fetch/$s_!_ZIX!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 848w, https://substackcdn.com/image/fetch/$s_!_ZIX!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!_ZIX!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_ZIX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg" width="1456" height="887" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:887,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Malicious document triggering exploitation of CVE-2026-21509&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Malicious document triggering exploitation of CVE-2026-21509" title="Malicious document triggering exploitation of CVE-2026-21509" srcset="https://substackcdn.com/image/fetch/$s_!_ZIX!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 424w, https://substackcdn.com/image/fetch/$s_!_ZIX!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!_ZIX!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!_ZIX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54ee8006-5713-462a-bc2e-1a624d23f641_1600x975.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>More Than &#8220;Just Another Exploit&#8221;</strong></h3><p>What makes this episode notable isn&#8217;t simply <em>that 
attackers exploited a patched bug</em>, it&#8217;s <em>how fast and how seamlessly</em>. In past eras, patch deployment alone might have bought defenders weeks of head start. Here, defenders were already playing catch-up before the ink on Microsoft&#8217;s advisory dried.</p><p>This dynamic underscores a broader shift in nation-state cyber operations:</p><ul><li><p><strong>Speed over stealth:</strong> Exploiting a just-patched bug before fixes are widely deployed expands attacker reach while keeping operational risk low.</p></li><li><p><strong>Infrastructure recycling:</strong> The loader components evidently reused from prior campaigns show how adversaries optimize toolchains rather than reinvent them.</p></li><li><p><strong>Hybrid lure engineering:</strong> Phishing documents themed to real geopolitical events aren&#8217;t random; they <em>increase credibility and click rates</em>.</p></li></ul><p>This is state espionage at its most refined: <em>agile, opportunistic, and procedurally normalized.</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!LFYu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!LFYu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 424w, https://substackcdn.com/image/fetch/$s_!LFYu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 848w, 
https://substackcdn.com/image/fetch/$s_!LFYu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 1272w, https://substackcdn.com/image/fetch/$s_!LFYu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!LFYu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png" width="768" height="512" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:512,&quot;width&quot;:768,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:691652,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/186888019?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!LFYu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 424w, https://substackcdn.com/image/fetch/$s_!LFYu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 848w, 
https://substackcdn.com/image/fetch/$s_!LFYu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 1272w, https://substackcdn.com/image/fetch/$s_!LFYu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c8bbe34-1400-49a6-b84e-1e2e09f81ac1_768x512.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>APT28: Back in the Cyberespionage Fast Lane</strong></h3><p>APT28 has been a fixture in Russia&#8217;s cyber arsenal for 
nearly two decades, with documented operations spanning from DNC breaches to European defense,sector intrusions. Their consistent ability to pivot between sophisticated intrusion sets and rapid exploit adoption makes them a bellwether for adversary behavior.</p><p>Now, with a newly minted exploit chain under their belt , retooled within days of disclosure , APT28 is demonstrating that <strong>&#8220;patched&#8221; is no longer reliable shorthand for &#8220;safe.&#8221;</strong></p><h3><strong>What Defenders Must Do Now</strong></h3><p><strong>Patch quickly, but verify thoroughly.</strong> Applying Microsoft&#8217;s updates is necessary but not sufficient. Many environments still lag behind or fail to restart affected applications, leaving gaps in protection.</p><p><strong>Harden Office workflows:</strong></p><ul><li><p>Disable legacy protocols where possible.</p></li><li><p>Alert on abnormal WebDAV fetch behavior.</p></li><li><p>Restrict Office document macros and isolated content execution.</p></li></ul><p><strong>Monitor for C2 and beaconing traffic.</strong> The use of cloud services tied to COVENANT infrastructure, if present, should be flagged and evaluated.</p><p><strong>Assume exploitation windows are shrinking.</strong> This incident is more than a patch story, it&#8217;s a warning: <em>the time between disclosure and exploitation is now measured in days, not weeks or months.</em></p><p></p><h3><strong>The Last Word</strong></h3><p>This wasn&#8217;t just another Office bug, it was a tactical foothold seized by one of the world&#8217;s most persistent espionage groups. 
In the evolving threat landscape, the real vulnerability isn&#8217;t just in the code, it&#8217;s in the assumption that patching buys safety.</p><p>In the age of rapid exploit chaining and agile nation-state actors, defenders must treat <em>every vulnerability as already weaponized and every patch as the starting signal for the next attack.</em></p>]]></content:encoded></item><item><title><![CDATA[SIM Safehouses Around the UN: How the Secret Service Just Dismantled a Phantom Network]]></title><description><![CDATA[300 servers. 100,000 SIM cards. Empty safehouses across New York, New Jersey, and Connecticut. 
This wasn&#8217;t just telecom fraud, it was a battlefield staged in plain sight.]]></description><link>https://www.codeaintel.com/p/sim-safehouses-around-the-un-how</link><guid isPermaLink="false">https://www.codeaintel.com/p/sim-safehouses-around-the-un-how</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Tue, 23 Sep 2025 17:38:51 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!HcFB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57428022-d4bd-45ad-a97d-fbd969b2aa13_1200x1600.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3>The Operation</h3><p>In the days leading up to the UN General Assembly, the Secret Service&#8217;s <strong>Advanced Threat Interdiction Unit</strong> executed a coordinated takedown:</p><ul><li><p><strong>300+ SIM servers</strong> seized</p></li><li><p><strong>100,000 SIM cards</strong> pulled from circulation</p></li><li><p>Safehouses raided across <strong>New York, New Jersey, Connecticut</strong></p></li></ul><p>The network wasn&#8217;t tucked away in dark-web forums. It was staged inside apartments, offices, and storage units within a 35-mile radius of Manhattan. 
Right where heads of state were converging:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HcFB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57428022-d4bd-45ad-a97d-fbd969b2aa13_1200x1600.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!HcFB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57428022-d4bd-45ad-a97d-fbd969b2aa13_1200x1600.jpeg" width="621" height="828" class="sizing-normal" alt=""></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gRE0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60da0668-2811-4bfa-8e17-994189de1bc6_480x640.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!gRE0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F60da0668-2811-4bfa-8e17-994189de1bc6_480x640.jpeg" width="516" height="688" class="sizing-normal" alt=""></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TuDV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F99d81750-b9cc-43b6-9661-d7ca5e5e31e4_1200x1600.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!TuDV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F99d81750-b9cc-43b6-9661-d7ca5e5e31e4_1200x1600.jpeg" width="557" height="743" class="sizing-normal" alt=""></div></a></figure></div><h3>What the Network Was For</h3><p>At minimum, it was already used to push <strong>anonymous threats</strong> against U.S. officials. But the architecture suggests more than harassment:</p><ul><li><p><strong>Telecom disruption.</strong> SIM farms at this scale can <strong>flood towers</strong>, overload signaling channels, or degrade service across a region.</p></li><li><p><strong>Anonymized C2.</strong> Rotating SIM cards in hundreds of servers is perfect cover for command-and-control, blending into the noise of carrier traffic.</p></li><li><p><strong>Spoofed identities.</strong> From SMS phishing to fake caller IDs, the infrastructure could impersonate anyone, anywhere.</p></li></ul><p>This was less about &#8220;SIM fraud&#8221; and more about <strong>bending the backbone of communications</strong>.</p><h3>Nation-State Shadows</h3><p>The Hacker News cites investigators linking the traffic to <strong>known state operators</strong> and <strong>persons of interest to law enforcement</strong>. 
The Secret Service avoided naming a country, but the inference is clear: hostile intelligence services were active in the loop.</p><p>Think about it:</p><ul><li><p>Renting dozens of properties across the tri-state area costs money.</p></li><li><p>Procuring, shipping, and syncing 300 SIM servers costs even more.</p></li><li><p>Stashing 100,000 SIMs requires logistics networks, shell companies, laundering.</p></li></ul><p>This wasn&#8217;t a hobbyist farm. It was a funded project, staged near one of the highest-value diplomatic events on the planet.</p><h3>The Bigger Play</h3><p>Ask the harder questions:</p><ul><li><p>Were these SIM safehouses meant to <strong>blind or jam networks</strong> during a UN crisis?</p></li><li><p>Were they serving as <strong>covert comms nodes</strong> for agents in-country?</p></li><li><p>Or were they a <strong>masking layer</strong>, allowing hostile actors to deliver threats and misinformation while hiding behind U.S. phone numbers?</p></li></ul><p>Whatever the intent, the optics are the same: pre-positioning telecom weapons inside the host city of the UN is escalation.</p><h3>Why It Matters</h3><ul><li><p><strong>Telecom is the soft underbelly.</strong> We secure endpoints, patch servers, scan emails, but the <strong>SIM layer</strong> remains an afterthought. This case shows it&#8217;s an exploitable battlefield.</p></li><li><p><strong>Hybrid ops, cheap tools.</strong> A SIM farm is deniable, disposable, and globally scalable. Pair it with state sponsorship and it turns into infrastructure terrorism.</p></li><li><p><strong>Signal to adversaries.</strong> The takedown isn&#8217;t just enforcement, it&#8217;s deterrence. The U.S. just drew a line: deploy infrastructure near critical diplomatic events, expect it to be burned.</p></li></ul><h3>The Last Word</h3><p>300 servers, 100,000 SIMs, empty safehouses &#8212; all hidden in plain sight. 
The Secret Service dismantled this one, but it won&#8217;t be the last.</p><p>The blueprint is simple: <strong>weaponize telecom, cloak operations in fraud infrastructure, and wait for the right moment to flip the switch.</strong></p><p>We&#8217;ve entered a new phase where the real threat isn&#8217;t malware in your inbox, it&#8217;s the phantom network humming quietly in a storage unit down the block.</p><div id="youtube2-xdVmp1gwyZo" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;xdVmp1gwyZo&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/xdVmp1gwyZo?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div>]]></content:encoded></item><item><title><![CDATA[Scattered Spider, Teenagers, and the New Normal of Cyber Violence]]></title><description><![CDATA[Not a foreign ghost with a VPN, not a shadowy APT. 
This time the culprits are young, local, and alarmingly capable.]]></description><link>https://www.codeaintel.com/p/scattered-spider-teenagers-and-the</link><guid isPermaLink="false">https://www.codeaintel.com/p/scattered-spider-teenagers-and-the</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Mon, 22 Sep 2025 03:34:49 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!NUC5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d0fad85-93bf-4a87-9ab1-de22ab1b591b_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NUC5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d0fad85-93bf-4a87-9ab1-de22ab1b591b_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!NUC5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d0fad85-93bf-4a87-9ab1-de22ab1b591b_1024x1024.png" width="1024" height="1024" class="sizing-normal" alt=""></div></a></figure></div><p>Two arrests in the UK, teenagers accused in the Transport for London hack, should change how we describe modern cybercrime. This isn&#8217;t a story about glorified script kiddies, it&#8217;s about a business model: fast, modular, global, and run by people who learned to scale damage before they turned 20.</p><h3>What happened, at a glance</h3><ul><li><p>UK law enforcement arrested two young men linked to the August 2024 attack on <strong>Transport for London (TfL)</strong>. 
One suspect, already on the radar, now faces fresh allegations tying him to dozens of other intrusions.</p></li><li><p>U.S. prosecutors have also filed charges alleging involvement in wide-ranging intrusions across hundreds of victims and <strong>$100M+</strong> in criminal proceeds.</p></li><li><p>TfL initially downplayed the impact; later disclosures admitted that names, contact info and addresses were accessed, a public-service breach that hits trust more than ticketing.</p></li></ul><p>This is not noise, it&#8217;s a pattern.</p><h3>Why the arrests matter</h3><p>We&#8217;ve been telling a familiar story for a decade: criminals are organized, attacks are professional, and nation-state tradecraft is being repurposed for profit. These arrests flip the script in two ways:</p><ol><li><p><strong>Youth as capability vector.</strong> Teenagers aren&#8217;t just being radicalized by forums, they&#8217;re building, operating, and monetizing criminal infrastructure. Tools, access, and money move fast; age no longer limits impact.</p></li><li><p><strong>Transnational markets are maturing.</strong> The alleged scope, cross-border breaches, laundering, and payoffs, reads like a corporate operation. Wallets, comms, clean-up teams. 
This is not ad hoc vandalism, it&#8217;s a service economy.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2-Dt!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7e1ec-be81-4d63-8f9a-879024a27aa6_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><img src="https://substackcdn.com/image/fetch/$s_!2-Dt!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7e1ec-be81-4d63-8f9a-879024a27aa6_1024x1024.png" width="1024" height="1024" class="sizing-normal" alt=""></div></a></figure></div></li></ol><h3>Read the signals, not the headlines</h3><p>A few cautious points that matter for defenders:</p><ul><li><p><strong>Scope vs. role.</strong> Arrests of individuals don&#8217;t always equal disruption of the whole network. Were these actors operators, facilitators, or hired muscle? Expect more indictments; the infrastructure trails money.</p></li><li><p><strong>Data vs. disruption.</strong> Public transit hacks are reputational poison. Even if core systems weren&#8217;t destroyed, access to passenger PII and operational telemetry is enough to sow chaos and blackmail.</p></li><li><p><strong>Legal complexity.</strong> Cross-border prosecutions, evidence chains, and extraditions are messy. The DOJ&#8217;s involvement signals seriousness, and that investigators found forensic breadcrumbs tying activity to U.S. 
victims.</p></li></ul><h3>The tactical picture (what they likely did)</h3><p>We don&#8217;t have a full playbook from the indictments yet, but patterns repeat:</p><ul><li><p>Phishing and credential stuffing are default first steps, low cost, high yield.</p></li><li><p>Ransomware and double extortion are now services: encrypt, and threaten to leak PII.</p></li><li><p>Money funnels: crypto mixers, layered transfers, and cashouts through complicit vendors.</p></li><li><p>Specialized roles: initial access brokers, extortion managers, money laundering facilitators. Teens can play any of these roles, and often do several at once.</p></li></ul><h3>Systemic consequences (not just for TfL)</h3><ul><li><p><strong>Public infrastructure is soft prey.</strong> Transit systems, hospitals, utilities, high social impact, weak incentives to fully modernize security. Attackers know this balance.</p></li><li><p><strong>The youth problem won&#8217;t be solved by arrests alone.</strong> The on ramp is information: marketplaces, leak forums, and permissive comms channels. Arrests remove actors, not the platform economy that trains them.</p></li><li><p><strong>Insurance and regulation will harden.</strong> Expect supply side shock: insurers tighten policies, governments demand stricter baseline controls for critical services. 
That&#8217;s necessary, and insufficient without enforcement.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!J1RJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!J1RJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!J1RJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!J1RJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!J1RJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!J1RJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1735246,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.codeaintel.com/i/174216419?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!J1RJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!J1RJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!J1RJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!J1RJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F50a7c958-3705-40cb-b4f8-60128faef946_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><br></p></li></ul><h3>The last word</h3><p>This isn&#8217;t a morality tale about kids who made bad choices, it&#8217;s a systems failure: marketplaces that teach, profit structures that reward scale, and public services that still treat cybersecurity as a checkbox.</p><p>Arrests are necessary, but they are not a cure. 
If we want fewer headlines like this one, we must treat cybercrime as a full spectrum societal problem, technical, legal, financial, and social, and act like it.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/p/scattered-spider-teenagers-and-the?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading CodeAIntel! 
This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.codeaintel.com/p/scattered-spider-teenagers-and-the?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.codeaintel.com/p/scattered-spider-teenagers-and-the?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p>]]></content:encoded></item><item><title><![CDATA[$140M Gone Quietly: The Brazilian Insider’s Bank Job]]></title><description><![CDATA[You don&#8217;t need a mask when you&#8217;ve got root access,A Brazilian bank learned that the hard way. One dev. One bribe.$140 million walks out the front door like it owns the place. No alarms. No explosions.]]></description><link>https://www.codeaintel.com/p/140m-gone-quietly-the-brazilian-insiders</link><guid isPermaLink="false">https://www.codeaintel.com/p/140m-gone-quietly-the-brazilian-insiders</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Sat, 05 Jul 2025 23:39:02 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!wOjS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wOjS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!wOjS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!wOjS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!wOjS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!wOjS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wOjS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!wOjS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!wOjS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!wOjS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!wOjS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0b512919-65c3-45ba-8b09-056ecccfa0bc_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h2>It Was Never About Firewalls</h2><p>You can bolt a vault door to your server room,<br>hire a million-dollar SOC to watch the blinking lights,<br>write policies that look good on paper.<br>But the weakest link isn&#8217;t in your stack,<br>it&#8217;s wearing your lanyard.</p><p>One underpaid, overlooked IT guy,<br>one signal on Telegram,<br>one number that makes his rent go away.</p><p>That&#8217;s how $140 million walks, not hacks,<br>straight out the front door.</p><div><hr></div><h2>The Setup</h2><p>No custom malware, no sophisticated exploit,<br>just a soft spot nobody locked down.</p><p>C&amp;M Software, boring middleware shop,<br>the bridge wiring six banks into Brazil&#8217;s instant payment rails, PIX.<br>One guy on their payroll, <a href="https://www.ainvest.com/news/software-employee-bribed-140-million-brazil-bank-heist-2507/">Jo&#227;o Roque</a>, had the keys,<br>the only exploit they needed.</p><p>They slid him R$15,000, barely a few months&#8217; pay,<br>he handed over root,<br>they waited for the 4 AM lull,<br>pumped fake wires,<br>by sunrise R$800M &#8212; $140M USD &#8212; gone across six banks.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!R3D4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!R3D4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!R3D4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 848w, https://substackcdn.com/image/fetch/$s_!R3D4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!R3D4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!R3D4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png" width="600" height="900" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1536,&quot;width&quot;:1024,&quot;resizeWidth&quot;:600,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!R3D4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!R3D4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 848w, https://substackcdn.com/image/fetch/$s_!R3D4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!R3D4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F106af14d-c388-4df0-890c-004e4b22e5f6_1024x1536.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2>The Escape Route</h2><p>Money didn&#8217;t sit in a checking account,<br>it moved fast.<br>Crypto is the getaway car,<br>USDT, Bitcoin, mixers, Latin American OTC desks.<br>The Central Bank slammed the door, froze some wallets,<br>but $40 million is still floating in dark pockets.<br>Jo&#227;o confessed, now he&#8217;s in handcuffs,<br>but the money won&#8217;t walk back.</p><div><hr></div><h2>Why It Hurts</h2><p>Everyone talks big about APTs, ransomware, zero-days.<br>But the real APT is a pissed-off human who knows your system better than you do.<br>The dev who built it knows where the logs don&#8217;t reach,<br>which switches no one ever looks at,<br>how to bury the bomb under your nose.</p><p>They just need the right number on a burner phone.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!nNh0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!nNh0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!nNh0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!nNh0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!nNh0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!nNh0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png" width="641" height="641" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5a977278-e969-408c-934f-960d7d885220_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:641,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!nNh0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!nNh0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!nNh0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!nNh0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5a977278-e969-408c-934f-960d7d885220_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" 
y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2>Burn This In</h2><p>This isn&#8217;t fear porn,<br>it&#8217;s reality for anyone touching money at scale.</p><p> Root is gold,<br>your auditors check configs and firewalls,<br>but who checks who really has root?<br>And why?<br>Prune it, rotate it, kill it when they walk out the door.</p><p>Vendors equal blast radius,<br>C&amp;M wasn&#8217;t malicious, just convenient.<br>One vendor wired six banks straight to the treasury,<br>good for uptime, great for a heist.<br>Segment trust, add kill switches,<br>your outsourced bridge should never hold your entire lifeline.</p><p>4 AM should scream,<br>$140 million bled out when nobody was looking.<br>Big, weird flows in the dead zone should never clear on autopilot,<br>wake up a human, make them sign off.</p><p>Crypto forensics is survival,<br>&#8220;crypto is untraceable&#8221; is a bedtime story.<br>If you don&#8217;t have a chain sleuth ready to go,<br>you&#8217;re too late.</p><div><hr></div><h2></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qbwW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qbwW!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!qbwW!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 848w, 
https://substackcdn.com/image/fetch/$s_!qbwW!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!qbwW!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qbwW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png" width="452" height="678" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1536,&quot;width&quot;:1024,&quot;resizeWidth&quot;:452,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!qbwW!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!qbwW!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 848w, 
https://substackcdn.com/image/fetch/$s_!qbwW!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!qbwW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F067abf1c-f285-4132-a982-a50316f048a2_1024x1536.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h2>The CodeAIntel Take</h2><p>$140 million didn&#8217;t get hacked,<br>it got invited out by someone trusted, bored, and broke.<br>Your next breach won&#8217;t come from the dark web,<br>it&#8217;ll come from the guy you gave root and forgot to watch.</p><p>Stay paranoid,<br>trust slow,<br>audit deep,<br>and remember, nobody needs a mask when they have the keys.</p>]]></content:encoded></item><item><title><![CDATA[Iranian Hack-and-Leak: When Ceasefires Mean Nothing in Cyber.]]></title><description><![CDATA[Even with the headlines screaming &#8220;ceasefire,&#8221; Iranian crews kept hunting for soft targets: your OT networks, your data, your reputation.]]></description><link>https://www.codeaintel.com/p/iranian-hack-and-leak-when-ceasefires</link><guid isPermaLink="false">https://www.codeaintel.com/p/iranian-hack-and-leak-when-ceasefires</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Mon, 30 Jun 2025 13:57:17 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!JXoe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JXoe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JXoe!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!JXoe!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!JXoe!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!JXoe!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JXoe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!JXoe!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!JXoe!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!JXoe!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!JXoe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3885d28c-4e3e-4697-bf0b-96b7a8de72a4_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p><a href="https://www.ic3.gov/CSA/2025/250630.pdf">This new FBI/NSA/CISA/DoD alert</a> doesn&#8217;t break new ground &#8212; it confirms what everyone paying attention already knew:<br><strong>Hack-and-leak ops are still the game.</strong> And they&#8217;re not stopping just because the front page did.</p><h2>How It Went Down</h2><p>No fancy zero-days, no nation-state black magic.<br>Same old playbook:</p><ol><li><p>Find internet-facing OT boxes: water plants, energy, food supply, hospitals.</p></li><li><p>Poke at them with Shodan, default creds, dusty CVEs from 2017.</p></li><li><p>Pull the data, deface the site, dump the leaks on Telegram.</p></li></ol><p>Instant headlines.</p><p>You don&#8217;t need an APT toolkit when your target is running factory passwords in 2025.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RznI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RznI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!RznI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!RznI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!RznI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RznI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Generated image&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Generated image" title="Generated image" srcset="https://substackcdn.com/image/fetch/$s_!RznI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!RznI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!RznI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!RznI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F73108e79-0b32-4e71-8c99-a98f32d73fc4_1024x1024.png 1456w" sizes="100vw"></picture></div></a></figure></div><h2>Why It Hits Harder Than You Think</h2><p>These &#8220;hacktivists&#8221; aren&#8217;t random kids with a Telegram channel,<br>they&#8217;re IRGC-affiliated crews working from a playbook:</p><ul><li><p>Shake public trust</p></li><li><p>Embarrass anyone tied to Israel or U.S. 
critical infrastructure</p></li><li><p>Use leaks and defacements as cheap PR to look bigger than they are</p></li></ul><p>It&#8217;s propaganda, but it works. People see a water utility or a hospital pop up in a dump and suddenly every local news outlet picks up the &#8220;cyber attack&#8221; angle.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xY6b!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xY6b!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!xY6b!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!xY6b!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!xY6b!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xY6b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:&quot;&quot;,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!xY6b!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!xY6b!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!xY6b!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!xY6b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff20d951b-5a33-419c-b65d-c0d714efde88_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h2>The Part No One Wants to Admit</h2><p>The pivot&#8217;s the killer,<br>they don&#8217;t just grab what&#8217;s easy, they move sideways:</p><ul><li><p>From one vendor to an entire supply chain</p></li><li><p>From old IT boxes into ICS gear no one&#8217;s watching</p></li><li><p>From one breach to the next, reusing your stolen creds until you notice</p></li></ul><p>They know half the market&#8217;s not watching OT telemetry. 
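</p><p>The sideways move above is exactly what OT telemetry is for. As an added example (not code from the post or from the joint advisory), here is a small detector that walks flow records joined with auth events and flags the three things the list warns about: a session into the OT zone that did not come through a sanctioned jump host, an ICS or remote-access port reached from IT or a vendor segment, and one account seen in IT or vendor space and then in OT within a day. The zone ranges, jump host, account names and sample sessions are all constructed for the example; the port-to-protocol map uses the standard well-known ports.</p>

```python
"""Added example for the IT-to-OT pivot described above; not code from the
post or the joint advisory.  Zones, hosts, accounts and sessions below are
constructed for illustration."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed zone layout (assumption: one /24 per zone).
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/24"),
    "vendor": ipaddress.ip_network("10.20.0.0/24"),   # third-party remote access
    "ot-dmz": ipaddress.ip_network("10.30.0.0/24"),   # jump hosts only
    "ot": ipaddress.ip_network("10.40.0.0/24"),       # PLCs, HMIs, historians
}
JUMP_HOSTS = {"10.30.0.5"}  # the only sources allowed to open sessions into OT

# Standard well-known ICS and remote-access ports (not site-specific).
ICS_PORTS = {
    102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA", 20000: "DNP3",
    44818: "EtherNet/IP", 47808: "BACnet", 23: "Telnet", 3389: "RDP", 5900: "VNC",
}


@dataclass(frozen=True)
class Session:
    ts: datetime
    src: str
    dst: str
    dport: int
    user: str | None  # from an auth event joined to the flow, when there is one


def zone_of(ip: str) -> str:
    """Map an address to its constructed zone name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def find_pivots(sessions, reuse_window=timedelta(hours=24)):
    """Return (rule, session) findings, oldest first.

    direct-ot-crossing    destination in OT, source is not a sanctioned jump host
    ics-port-from-<zone>  ICS/remote-access port reached from outside OT or the OT DMZ
    cred-reuse-it-to-ot   same account seen in IT or vendor space, then in OT,
                          within reuse_window (stolen-credential reuse)
    """
    findings = []
    seen = defaultdict(list)  # user -> [(ts, destination zone)]
    for s in sorted(sessions, key=lambda s: s.ts):
        src_zone, dst_zone = zone_of(s.src), zone_of(s.dst)
        if dst_zone == "ot" and s.src not in JUMP_HOSTS:
            findings.append(("direct-ot-crossing", s))
        if s.dport in ICS_PORTS and src_zone not in ("ot", "ot-dmz"):
            findings.append((f"ics-port-from-{src_zone}", s))
        if s.user:
            if dst_zone == "ot" and any(
                z in ("it", "vendor") and s.ts - ts <= reuse_window
                for ts, z in seen[s.user]
            ):
                findings.append(("cred-reuse-it-to-ot", s))
            seen[s.user].append((s.ts, dst_zone))
    return findings


def sample_sessions():
    """Constructed telemetry: one sanctioned jump-host session, then an intrusion."""
    t0 = datetime(2025, 6, 28, 2, 10)
    return [
        Session(t0, "10.30.0.5", "10.40.0.10", 102, "eng.alice"),                          # allowed
        Session(t0 + timedelta(minutes=5), "10.20.0.7", "10.40.0.20", 502, None),          # vendor box straight to a PLC
        Session(t0 + timedelta(hours=1), "10.10.0.50", "10.10.0.60", 445, "svc-backup"),   # IT file server
        Session(t0 + timedelta(hours=3), "10.10.0.50", "10.40.0.30", 3389, "svc-backup"),  # same account, OT HMI
    ]


if __name__ == "__main__":
    for rule, s in find_pivots(sample_sessions()):
        proto = ICS_PORTS.get(s.dport, "other")
        print(f"{s.ts:%H:%M} {rule:<22} {s.src} -> {s.dst}:{s.dport} ({proto}) user={s.user}")
```

<p>Run it and the vendor box talking Modbus to a PLC and the svc-backup hop onto an OT HMI light up, while the engineer&#8217;s jump-host session stays quiet. In real telemetry the auth side comes from the jump host, the domain controller or the VPN concentrator joined to flow records by source, destination and time; the point is that the crossing itself is the signal, long before anything gets leaked.</p><p>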
They know you&#8217;ll probably chase the ransomware noise instead of the real persistence.</p><h2>Don&#8217;t Celebrate Too Soon</h2><p>The ceasefire banners don&#8217;t mean your logs are clean,<br>if you&#8217;re in critical infra (water, food, energy, hospitals), this is your sign to get loud, not quiet.</p><p>Next up:</p><ul><li><p>More &#8220;patriotic leak groups&#8221; fronting for the IRGC</p></li><li><p>More vendor chains popping like dominoes</p></li><li><p>More hack-and-leak distractions for actual hands-on persistence</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!z__v!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!z__v!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!z__v!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!z__v!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!z__v!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!z__v!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Generated image&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Generated image" title="Generated image" srcset="https://substackcdn.com/image/fetch/$s_!z__v!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!z__v!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!z__v!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!z__v!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F523797c5-4531-436d-ad3e-26a3e6ca2ed5_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h2>The CodeAIntel Take</h2><p>This is the cheapest version of hybrid warfare, and it works because we keep giving them the same old gaps: forgotten edge gear, default creds, zero segmentation.</p><p>So patch the edge gear,<br>pull a Shodan on yourself before they do,<br>hunt for your name in places you wish you didn&#8217;t have to,<br>and stop pretending OT doesn&#8217;t touch your brand, because when the water stops flowing, you&#8217;re on the front page, not them.</p><p>Silence helps them, don&#8217;t give it to them.</p>]]></content:encoded></item><item><title><![CDATA[China’s New Weapon: SMS Phishing at Scale AKA U.S. 
toll road smishing scams.]]></title><description><![CDATA[Smishing-as-a-Service is the new startup no one asked for&#8212;scaling faster than your favorite SaaS.]]></description><link>https://www.codeaintel.com/p/chinas-new-weapon-sms-phishing-at</link><guid isPermaLink="false">https://www.codeaintel.com/p/chinas-new-weapon-sms-phishing-at</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Sun, 20 Apr 2025 13:07:13 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!CLBR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CLBR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CLBR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!CLBR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!CLBR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!CLBR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CLBR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CLBR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!CLBR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!CLBR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!CLBR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F92199fb9-3ff6-46ff-a5bd-8ff343c6d062_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h2>China&#8217;s New Weapon: SMS Phishing at Scale</h2><p>While the world obsesses over advanced malware, zero-day exploits, and AI-driven reconnaissance tools, a new report reminds us that sometimes <strong>low-tech attacks, executed at scale, can be just as devastating</strong>. Cybersecurity researchers have uncovered a <strong><a href="https://blog.talosintelligence.com/unraveling-the-us-toll-road-smishing-scams/">China-linked smishing-as-a-service kit</a></strong> that&#8217;s being used in widespread campaigns targeting mobile users across telecom networks in Europe, Asia, and North America.</p><p>This isn&#8217;t the usual poorly written scam. What we&#8217;re dealing with is <strong>professionally developed infrastructure</strong>, designed to harvest <strong>credentials, session cookies, and OTP codes</strong> and forward them in real time to attacker-controlled <strong>Telegram bots</strong>.</p><p>This kit transforms phishing from a manual effort into a fully automated business model. It&#8217;s fast. It&#8217;s scalable. And it&#8217;s frighteningly effective.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Wkhc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Wkhc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 424w, https://substackcdn.com/image/fetch/$s_!Wkhc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 848w, 
https://substackcdn.com/image/fetch/$s_!Wkhc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 1272w, https://substackcdn.com/image/fetch/$s_!Wkhc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Wkhc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png" width="1094" height="761" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:761,&quot;width&quot;:1094,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Wkhc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 424w, https://substackcdn.com/image/fetch/$s_!Wkhc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 848w, 
https://substackcdn.com/image/fetch/$s_!Wkhc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 1272w, https://substackcdn.com/image/fetch/$s_!Wkhc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e1f7e12-c322-4224-aa6f-7ac1643bd321_1094x761.png 1456w" sizes="100vw"></picture></div></a><figcaption class="image-caption">You probably got one of these recently.
</figcaption></figure></div><div><hr></div><h2>How It Works: Simplicity with Speed</h2><p>The attack begins with a single SMS message&#8212;<strong>clean, localized, and believable</strong>. It might impersonate your telecom provider, a delivery service, or your bank. The link inside redirects to a phishing page that&#8217;s been tailored to mimic the mobile site of the spoofed brand with near-pixel perfection.</p><p>As soon as the victim enters their information&#8212;be it login credentials, PINs, or verification codes&#8212;the data is forwarded immediately to the attacker's bot. No delays. <strong>No time to second-guess.</strong></p><p>The result? In many cases, <strong>attackers are able to bypass MFA protections</strong> before the user even realizes they&#8217;ve been compromised. Real-time relay means the attack window is small, but lethal.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lLYM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lLYM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!lLYM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!lLYM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!lLYM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lLYM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!lLYM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!lLYM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!lLYM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!lLYM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F703ebbf2-5973-42cc-969c-e3af96af8b6c_1536x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h2>Infrastructure: Mass-Produced Deception</h2><p>The kit includes:</p><ul><li><p>Dozens of pre-built phishing templates for common targets (banks, telcos, couriers)</p></li><li><p>Real-time <strong>Telegram bot</strong> integration for automated credential forwarding</p></li><li><p>Dynamic URL generation to evade filters and domain 
blacklists</p></li><li><p>Hosting rotation scripts to keep infrastructure one step ahead of takedowns</p></li></ul><p>In essence, it offers <strong>turnkey cybercrime</strong>. Even low-skilled threat actors can now run sophisticated smishing campaigns that rival state-level operations in speed and efficacy.</p><p>The kit&#8217;s infrastructure is being repurposed in campaigns that impersonate legitimate U.S. entities like toll road services, drawing unsuspecting victims into fake payment portals. The messages are <strong>short, urgent, and geographically personalized</strong>, which makes them especially convincing.</p><p>Researchers also noted the use of <strong>link shortening services</strong>, redirection layers, and geographic IP filtering to further obfuscate detection and maximize victim engagement.</p><p>Researchers discovered monetization features embedded into the kit&#8212;meaning its creators have a secondary revenue stream by <strong>selling stolen credentials on the dark web</strong>, in addition to providing "smishing kits for hire."<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9U8b!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9U8b!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 424w, https://substackcdn.com/image/fetch/$s_!9U8b!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 848w, 
https://substackcdn.com/image/fetch/$s_!9U8b!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 1272w, https://substackcdn.com/image/fetch/$s_!9U8b!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9U8b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png" width="826" height="806" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:806,&quot;width&quot;:826,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!9U8b!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 424w, https://substackcdn.com/image/fetch/$s_!9U8b!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 848w, 
https://substackcdn.com/image/fetch/$s_!9U8b!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 1272w, https://substackcdn.com/image/fetch/$s_!9U8b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6c5252af-ba7d-4125-a127-48179c44ad71_826x806.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h2>Attribution: A Familiar Shadow</h2><p>The smishing kit contains language artifacts, Telegram handles, and behavioral 
patterns that strongly suggest a <strong>Chinese-speaking developer or group</strong>. This actor has been previously tied to:</p><ul><li><p><strong>SIM-swapping crews</strong></p></li><li><p><strong>Credential stuffing operations</strong></p></li><li><p>Dark web marketplaces selling telecom logins and OTP bypass methods</p></li></ul><p>Although the motive here appears financial, <strong>the implications are geopolitical</strong>. Stolen telecom credentials can be a gateway to espionage-grade intelligence. Imagine the value of gaining access to accounts tied to government employees, executives, or infrastructure engineers.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!jAKY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!jAKY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 424w, https://substackcdn.com/image/fetch/$s_!jAKY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 848w, https://substackcdn.com/image/fetch/$s_!jAKY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 1272w, https://substackcdn.com/image/fetch/$s_!jAKY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!jAKY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png" width="1456" height="869" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:869,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!jAKY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 424w, https://substackcdn.com/image/fetch/$s_!jAKY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 848w, https://substackcdn.com/image/fetch/$s_!jAKY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 1272w, https://substackcdn.com/image/fetch/$s_!jAKY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20d5e52f-f107-473d-adba-55213fa39d62_1545x922.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h2>Global Targeting, Local Deception</h2><p>The key to this campaign&#8217;s success is <strong>localization</strong>. 
Each phishing template is tailored to:</p><ul><li><p>Match the <strong>language and branding</strong> of regional telecom operators</p></li><li><p>Use regional <strong>SMS sender IDs</strong> to appear legitimate</p></li><li><p>Evade detection by anti-spam filters that rely on global indicators</p></li></ul><p>This regional customization leads to exponentially higher click-through and credential submission rates.</p><p>Researchers also observed that the actors use domain names closely resembling the original entities (e.g., misspelled toll road names, slight alterations to domain suffixes) which <strong>add credibility at a glance</strong> and evade common filter logic.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KNAd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KNAd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!KNAd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!KNAd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!KNAd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!KNAd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KNAd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!KNAd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!KNAd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!KNAd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb3a37ba2-183e-461a-b354-26800f1463f2_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h2>What You Can Do</h2><p><strong>For Security Teams:</strong></p><ul><li><p><strong>Implement anomaly detection</strong> for real-time token use and rapid credential changes</p></li><li><p>Use <strong>threat intelligence feeds</strong> to block known Telegram bot endpoints and phishing domains</p></li><li><p><strong>Deploy SMS firewalls</strong> 
to inspect and block malicious message patterns</p></li><li><p>Monitor for domain spoofing or look-alike domains registered in bulk</p></li></ul><p><strong>For Users:</strong></p><ul><li><p>Never click links from unknown senders&#8212;<strong>even if the message appears urgent or legitimate</strong></p></li><li><p>Use <strong>official apps</strong> instead of browser-based logins</p></li><li><p>Report suspicious SMS messages to your mobile provider or national CERT</p></li><li><p>Be especially cautious with messages involving toll payments, banking updates, or delivery confirmations<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7q_n!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7q_n!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!7q_n!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 848w, https://substackcdn.com/image/fetch/$s_!7q_n!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!7q_n!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!7q_n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png" width="1024" height="1536" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1536,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7q_n!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 424w, https://substackcdn.com/image/fetch/$s_!7q_n!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 848w, https://substackcdn.com/image/fetch/$s_!7q_n!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 1272w, https://substackcdn.com/image/fetch/$s_!7q_n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F899946d6-4f94-42e9-9a2a-709d152d3904_1024x1536.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div></li></ul><div><hr></div><p>This isn&#8217;t just another phishing campaign&#8212;it&#8217;s a <strong>mass production engine for mobile compromise</strong>. The combination of <strong>real-time exfiltration, bot automation, and localized deception</strong> makes this threat one of the most operationally advanced smishing campaigns we&#8217;ve seen to date.</p><p>The tech is simple. 
The execution is not.</p>]]></content:encoded></item><item><title><![CDATA[When the Spies Spy on Each Other]]></title><description><![CDATA[While it's not uncommon to see Western entities targeted by Chinese cyber units, this campaign reflects something far more complex: a game of espionage among alleged allies.]]></description><link>https://www.codeaintel.com/p/when-the-spies-spy-on-each-other</link><guid isPermaLink="false">https://www.codeaintel.com/p/when-the-spies-spy-on-each-other</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Fri, 18 Apr 2025 19:05:57 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!cazh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cazh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png" 
data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cazh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!cazh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!cazh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!cazh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!cazh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!cazh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!cazh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!cazh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!cazh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F90c9c817-57c9-4c1e-85b8-5b20ba260163_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>In a turn of events that feels ripped from a Cold War reboot, new intelligence reveals that a <strong>China-linked APT group</strong> is actively targeting <strong>Russian government entities</strong> using an upgraded strain of <strong>Remote Access Trojan (RAT)</strong> malware known as <strong>PhantomCore</strong>.</p><h2>The Malware: PhantomCore, Reinvented</h2><p>PhantomCore isn&#8217;t a new name in the APT arsenal, but this version is anything but ordinary. <a href="https://securelist.com/mysterysnail-new-version/116226/">Security researchers observed its use in recent spear-phishing campaigns</a> directed at Russian government institutions, hidden inside ZIP file lures.</p><p>Once executed, the malware leverages <strong>DLL side-loading</strong> to blend into legitimate software environments. 
The payload is encrypted, obfuscated, and stealthy&#8212;making it exceptionally hard to detect by traditional endpoint defenses.</p><p><strong>Key capabilities of PhantomCore include:</strong></p><ul><li><p>File exfiltration</p></li><li><p>Keylogging</p></li><li><p>Screen capture</p></li><li><p>Remote command execution</p></li><li><p>Persistence via scheduled tasks and registry edits</p></li></ul><p>In essence: full-spectrum digital surveillance.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ekIL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ekIL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!ekIL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!ekIL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!ekIL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!ekIL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ekIL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!ekIL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!ekIL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!ekIL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F75cba23b-fc5b-46d5-ba04-eb11afbb98dc_1024x1024.png 1456w" sizes="100vw"></picture></div></a></figure></div><div><hr></div><h2>Delivery: Classic Yet Evolving</h2><p>The attack vector starts simple: spear-phishing emails. Victims receive emails containing malicious ZIP attachments, which house the malware payload. Once extracted and executed, the real work begins.</p><p>PhantomCore establishes contact with <strong>command-and-control (C2) servers</strong> masquerading as domestic Russian services&#8212;a clever camouflage tactic. 
This not only helps the RAT avoid detection, but also minimizes suspicion during exfiltration and beaconing activity.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8KA0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8KA0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8KA0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8KA0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!8KA0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!8KA0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!8KA0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8KA0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8KA0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!8KA0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa368ebd8-4f7a-4e87-b7b9-720a62d569ab_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h2>Implications: When Friends Play Enemies</h2><p>What makes this story particularly intriguing is the geopolitical context. Despite public alignment between Beijing and Moscow, this attack signals distrust and a need for intelligence superiority&#8212;even among strategic partners.</p><p>This raises a key question: <strong>What else is going on behind the digital curtains of these alliances?</strong></p><p>Whether it&#8217;s economic agendas, military coordination, or simply state-level paranoia, one thing is clear&#8212;<strong>cyberespionage knows no borders</strong>. 
Even friends are fair game when the stakes are this high.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Fb-y!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Fb-y!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Fb-y!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Fb-y!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Fb-y!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Fb-y!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Fb-y!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Fb-y!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Fb-y!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Fb-y!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8cc2657c-798e-455e-bd57-08e92c56ab7b_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div><hr></div><h2>What&#8217;s Next?</h2><p>This campaign serves as a wake-up call to governments and organizations alike: relying on presumed diplomatic safety is a cyber death wish. Defenders need to:</p><ul><li><p>Harden endpoint detection against DLL side-loading</p></li><li><p>Monitor unusual C2 infrastructure connections</p></li><li><p>Educate users on phishing awareness</p></li><li><p>Perform regular threat hunting focused on RAT behaviors</p></li></ul><p>As the global chessboard shifts, one rule remains: <strong>Trust no one. Monitor everyone.</strong></p><p>Stay paranoid. 
Stay secure.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NMSi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NMSi!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!NMSi!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!NMSi!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!NMSi!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!NMSi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/da3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!NMSi!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!NMSi!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!NMSi!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!NMSi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda3ba90b-3fc1-4fc9-b37b-941284104ec0_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>]]></content:encoded></item><item><title><![CDATA[The Fall of 8Base: A Major Blow to Ransomware Operations]]></title><description><![CDATA[Law enforcement just took a massive swing at 8Base, one of the most aggressive ransomware groups in recent years. A coordinated operation between Thailand, Switzerland, and the U.S.]]></description><link>https://www.codeaintel.com/p/the-fall-of-8base-a-major-blow-to</link><guid isPermaLink="false">https://www.codeaintel.com/p/the-fall-of-8base-a-major-blow-to</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Mon, 10 Feb 2025 16:05:19 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!4237!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!4237!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!4237!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 424w, 
https://substackcdn.com/image/fetch/$s_!4237!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!4237!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!4237!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!4237!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A high-impact, cinematic-style digital illustration of a cybercriminal wearing a hood, surrounded by digital code and ransomware-related symbols, symbolizing the 8Base ransomware group. 
The background features a dark futuristic hacking environment with glowing red and blue elements, conveying the intensity of a cyber attack.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A high-impact, cinematic-style digital illustration of a cybercriminal wearing a hood, surrounded by digital code and ransomware-related symbols, symbolizing the 8Base ransomware group. The background features a dark futuristic hacking environment with glowing red and blue elements, conveying the intensity of a cyber attack." title="A high-impact, cinematic-style digital illustration of a cybercriminal wearing a hood, surrounded by digital code and ransomware-related symbols, symbolizing the 8Base ransomware group. The background features a dark futuristic hacking environment with glowing red and blue elements, conveying the intensity of a cyber attack." 
srcset="https://substackcdn.com/image/fetch/$s_!4237!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!4237!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!4237!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!4237!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbb38dcf1-7546-4588-939c-c6b80be44532_1024x1024.webp 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h3><strong>Who Is 8Base?</strong></h3><p>If you haven&#8217;t been paying attention, <strong>8Base operated like a ghost in the machine</strong>&#8212;a ransomware group known for its ruthless tactics, high-profile breaches, and sheer unpredictability. Emerging in <strong>mid-2022</strong>, they made waves by <strong>targeting businesses of all sizes</strong> with <strong>double extortion tactics</strong>&#8212;encrypting data and threatening public leaks if ransoms weren&#8217;t paid.</p><p>The group deployed Phobos ransomware against 17 Swiss companies between April 30, 2023, and October 26, 2024.</p><p>Their operation involved unauthorized access to victims&#8217; networks, data theft, and encryption of files. The hackers demanded cryptocurrency payments for decryption keys and threatened to publish stolen data if ransoms weren&#8217;t paid. They also used cryptocurrency mixing services to obscure transaction trails.</p><p>The operation has affected over 1,000 victims worldwide, causing damages estimated at $16 million (approximately 560 million baht).
While the suspects are in custody and evidence has been collected, their identities remain undisclosed as investigations continue.</p><ul><li><p><strong>Their MO?</strong> They operated fast and loud and were highly opportunistic, targeting the <strong>finance, legal, manufacturing, and tech sectors</strong> with precision.</p></li><li><p><strong>Their ransomware?</strong> Built off <strong>RansomHouse</strong> and <strong>Phobos</strong>, borrowing the best of both to maximize damage.</p></li><li><p><strong>Their victims?</strong> Thousands worldwide, including <strong>governments, enterprises, and critical infrastructure</strong>&#8212;no one was safe.</p></li></ul><h3><strong>How Did Law Enforcement Take Them Down?</strong></h3><p>It wasn&#8217;t easy. <strong>8Base thrived in the chaos</strong>, blending tactics from established ransomware groups while masking their origins. But law enforcement <strong>tracked their network, mapped their attack infrastructure, and moved in at the right time</strong>.</p><p>Thailand and Switzerland played a key role in <strong>coordinating arrests</strong> and <strong>seizing infrastructure</strong>, while U.S.
cyber teams <strong>helped trace financial transactions</strong> linked to ransomware payments.</p><h3><strong>Why This Takedown Matters</strong></h3><p>8Base wasn&#8217;t just another gang&#8212;they represented <strong>a new breed of ransomware operators</strong>:</p><ul><li><p><strong>Brutal efficiency.</strong> They <strong>didn&#8217;t waste time with negotiations</strong>&#8212;either pay, or your data goes public.</p></li><li><p><strong>Rapid deployment.</strong> They used <strong>pre-encrypted payloads</strong>, skipping the usual infection delay.</p></li><li><p><strong>Anonymity.</strong> Even in the ransomware world, <strong>no one truly knew who was running 8Base</strong>&#8212;until now.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!30Ev!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!30Ev!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!30Ev!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!30Ev!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 1272w, 
https://substackcdn.com/image/fetch/$s_!30Ev!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!30Ev!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A high-definition depiction of a digital battlefield, symbolizing the cyber war led by the 8Base ransomware group. The image features a massive cyber network under attack, with data streams being hijacked, encryption locks appearing on breached servers, and a hacker in the shadows orchestrating the attack.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A high-definition depiction of a digital battlefield, symbolizing the cyber war led by the 8Base ransomware group. The image features a massive cyber network under attack, with data streams being hijacked, encryption locks appearing on breached servers, and a hacker in the shadows orchestrating the attack." title="A high-definition depiction of a digital battlefield, symbolizing the cyber war led by the 8Base ransomware group. 
The image features a massive cyber network under attack, with data streams being hijacked, encryption locks appearing on breached servers, and a hacker in the shadows orchestrating the attack." srcset="https://substackcdn.com/image/fetch/$s_!30Ev!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!30Ev!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!30Ev!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!30Ev!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F52dbb1ce-0237-4ac0-83b2-bd71c2f69b30_1024x1024.webp 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div></li></ul><h3><strong>What Happens Next?</strong></h3><p>Ransomware doesn&#8217;t die&#8212;it evolves. With <strong>8Base out of the picture</strong>, others will <strong>scramble to take their place</strong>.</p><ul><li><p><strong>Will more arrests follow?</strong></p></li><li><p><strong>Did the takedown compromise other ransomware groups?</strong></p></li><li><p><strong>And most importantly&#8212;who's next?</strong></p></li></ul><p>For now, <strong>8Base is down</strong>&#8212;but the <strong>ransomware war is far from over</strong>.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XZn7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XZn7!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!XZn7!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 848w,
https://substackcdn.com/image/fetch/$s_!XZn7!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!XZn7!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XZn7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A dramatic digital painting of a hacker's silhouette surrounded by cascading binary code and glowing warning signs, representing a ransomware attack by the 8Base ransomware group. The image features a dark cyberpunk aesthetic with a futuristic digital environment.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A dramatic digital painting of a hacker's silhouette surrounded by cascading binary code and glowing warning signs, representing a ransomware attack by the 8Base ransomware group. The image features a dark cyberpunk aesthetic with a futuristic digital environment." 
title="A dramatic digital painting of a hacker's silhouette surrounded by cascading binary code and glowing warning signs, representing a ransomware attack by the 8Base ransomware group. The image features a dark cyberpunk aesthetic with a futuristic digital environment." srcset="https://substackcdn.com/image/fetch/$s_!XZn7!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!XZn7!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!XZn7!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!XZn7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1c43206c-615f-4470-867a-82d7c0a64f1b_1024x1024.webp 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div>]]></content:encoded></item><item><title><![CDATA[Crypto Wallet Drainers: A New Breed of Digital Pickpockets]]></title><description><![CDATA[Remember the good old days when "fake news" was just about Photoshopped images and clickbait headlines? Well, those days are gone.
Now, we have cryptocurrency wallet drainers to worry about.]]></description><link>https://www.codeaintel.com/p/crypto-wallet-drainers-a-new-breed</link><guid isPermaLink="false">https://www.codeaintel.com/p/crypto-wallet-drainers-a-new-breed</guid><dc:creator><![CDATA[Tom]]></dc:creator><pubDate>Sun, 05 Jan 2025 23:53:42 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!xpmf!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xpmf!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xpmf!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!xpmf!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!xpmf!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!xpmf!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!xpmf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A futuristic, cyberpunk-style scene depicting digital theft. The scene features a neon-lit cityscape with holographic projections of cryptocurrency coins like Bitcoin and Ethereum being drained by shadowy, ominous figures in the background. In the foreground, a user&#8217;s digital wallet dissolves into glowing code, symbolizing theft. The colors are vibrant and dynamic, with shades of blue, pink, and green to emphasize the sci-fi atmosphere.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A futuristic, cyberpunk-style scene depicting digital theft. The scene features a neon-lit cityscape with holographic projections of cryptocurrency coins like Bitcoin and Ethereum being drained by shadowy, ominous figures in the background. In the foreground, a user&#8217;s digital wallet dissolves into glowing code, symbolizing theft. The colors are vibrant and dynamic, with shades of blue, pink, and green to emphasize the sci-fi atmosphere." title="A futuristic, cyberpunk-style scene depicting digital theft. 
The scene features a neon-lit cityscape with holographic projections of cryptocurrency coins like Bitcoin and Ethereum being drained by shadowy, ominous figures in the background. In the foreground, a user&#8217;s digital wallet dissolves into glowing code, symbolizing theft. The colors are vibrant and dynamic, with shades of blue, pink, and green to emphasize the sci-fi atmosphere." srcset="https://substackcdn.com/image/fetch/$s_!xpmf!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!xpmf!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!xpmf!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!xpmf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa6c3b158-3f3f-4803-b4ed-5415a4ad1534_1024x1024.webp 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Spotify Podcast Link: <a href="https://creators.spotify.com/pod/show/codeaintel/episodes/Crypto-Wallet-Drainers-A-2024-Report-e2t4h83">Here</a></p><h1><strong>What Happened?</strong></h1><p>Scam Sniffer, a web3 anti-scam platform, has been tracking wallet drainer activity and recently reported that these sneaky digital pickpockets made off with a whopping $494 million in 2024. That's a 67% increase from 2023, and since the number of victims rose by only 3.7%, each victim lost far more on average.</p><h1><strong>Why This Matters</strong></h1><p>This isn't college kids messing around in a dorm room. We're talking about sophisticated scammers siphoning millions from unsuspecting crypto holders.
It's like we're living in a sci-fi movie where your digital assets can vanish into thin air.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!d5Q3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!d5Q3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!d5Q3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!d5Q3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!d5Q3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!d5Q3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A digital illustration depicting a 'crypto wallet drainer' in action. The image shows a glowing, pixelated digital hand or claw reaching into a wallet-shaped icon filled with cryptocurrency logos like Bitcoin and Ethereum. The hand appears ominous and tech-like, representing its digital nature, with a glowing effect that suggests energy or power. The background is a dark, tech-themed gradient with subtle binary code patterns, emphasizing the cyber context.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A digital illustration depicting a 'crypto wallet drainer' in action. The image shows a glowing, pixelated digital hand or claw reaching into a wallet-shaped icon filled with cryptocurrency logos like Bitcoin and Ethereum. The hand appears ominous and tech-like, representing its digital nature, with a glowing effect that suggests energy or power. The background is a dark, tech-themed gradient with subtle binary code patterns, emphasizing the cyber context." title="A digital illustration depicting a 'crypto wallet drainer' in action. The image shows a glowing, pixelated digital hand or claw reaching into a wallet-shaped icon filled with cryptocurrency logos like Bitcoin and Ethereum. The hand appears ominous and tech-like, representing its digital nature, with a glowing effect that suggests energy or power. 
The background is a dark, tech-themed gradient with subtle binary code patterns, emphasizing the cyber context." srcset="https://substackcdn.com/image/fetch/$s_!d5Q3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!d5Q3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!d5Q3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!d5Q3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa959820a-6da3-40ce-8805-3c36c618692c_1024x1024.webp 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg 
xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h1><strong>The Bigger Picture</strong></h1><p>These wallet drainers are like digital traps, often lurking on fake or hacked websites. They're designed to swipe your precious crypto and other digital valuables. Think of it as a virtual minefield where one wrong click can cost you a fortune.</p><h2><strong>Lessons Learned</strong></h2><ul><li><p><strong>Don't Trust Your Eyes:</strong> With scammers becoming more sophisticated, we can't just blindly trust any website, especially when dealing with crypto. We need to be skeptical, question everything, and double-check URLs with official project websites. Think of it as a crash course in online self-defense.</p></li><li><p><strong>Protect Yourself:</strong> It's time to brush up on your digital literacy skills. Learn about the latest scams and phishing tactics so you can spot the fakes and protect yourself from manipulation. Many wallets offer built-in warnings for phishing or malicious transactions, so make sure to enable those.</p></li></ul><h1><strong>Call to Action</strong></h1><p>We're in a fight for the future of our digital assets, and the battlefield is online. The lines between safe and scam are blurring, and the bad guys are using increasingly clever tricks. But we can fight back. Stay vigilant, question everything, and don't let them win. 
Your crypto's safety is out there, but we need to be smart enough to protect it.</p>]]></content:encoded></item></channel></rss>