BYOVD to Blockchain C2: How Attackers Hijack Teams, Telegram & React
- SISA Weekly Threat Watch -
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Fake-App Lures + Kernel Tricks Go Mainstream
Attackers are packaging remote-access trojans inside “popular” apps while crippling defenses with bring-your-own-vulnerable-driver (BYOVD) tricks. The result: one-click installs that quietly gain persistence, elevate privileges, and phone home.
- Silver Fox → ValleyRAT via fake Teams/Telegram
SEO-poisoned “Microsoft Teams” and a trojanized Telegram installer deploy ValleyRAT (Winos 4.0). The chain disables AV (Defender exclusions), sideloads DLLs via rundll32.exe, and in the Telegram variant abuses a vulnerable driver (NSecKrnl64.sys) to tamper with protections and persist with scheduled tasks.
2. Dev Environments Under Siege
Compromised IDE extensions and update flows are turning developer workstations into initial-access beachheads: they exfiltrate credentials, cookies, and wallets, then spread to source code and repositories.
- Malicious VS Code extensions (Bitcoin Black, Codo AI)
Extensions published by “BigBlack” abuse activation hooks to fetch a DLL and sideload it via a bundled Lightshot binary. The payload steals browser sessions and crypto wallets, drops an “Evelyn” data cache, and calls an unusual C2 domain (e.g., syn1112223334445556667778889990[.]org).
3. Framework RCE + Web3 C2: Fast, Hands-On Exploitation
Zero-auth RCE in modern JavaScript stacks is being paired with blockchain-resilient C2 and multi-persistence loaders—yielding rapid, durable compromises.
- React2Shell → EtherRAT (DPRK)
CVE-2025-55182 in React Server Components is exploited to run a Node-based RAT that resolves C2 via Ethereum smart contracts (majority vote across public RPCs), polls every 500ms for JS tasking, and survives reboots with five separate persistence mechanisms.
4. Identity & Admin Plane Under Direct Fire
Vendors shipped high-severity bugs in SSO, admin dashboards, and remote modules. These are high-impact because they intersect daily admin workflows.
- Fortinet / Ivanti / SAP criticals
Fortinet SSO signature-verification flaws enable FortiCloud SSO bypass on multiple products; Ivanti EPM stored-XSS poisons admin dashboards and chains to RCE; SAP issues span Solution Manager code injection and Tomcat deserialization in Commerce Cloud. All are prime candidates for quick weaponization.
Proactive Steps for the Week
Patch & mitigate, in this order: React/Next.js RSC (CVE-2025-55182), Fortinet SSO issues, Ivanti EPM (all December advisories), SAP notes (Solution Manager/Commerce Cloud), remove/ban the flagged VS Code extensions.
Block BYOVD paths: enforce Microsoft vulnerable driver blocklist; add explicit blocks for NSecKrnl64.sys. Alert on unsigned driver loads and sudden kernel-mode installs.
Clamp software distribution: only allow Teams/Telegram installers from vendor-pinned URLs; deny execution from Downloads/Temp for installer names; monitor Defender exclusion changes and new Scheduled Tasks.
Harden dev endpoints: restrict extension installs to approved publishers; watch VS Code extensions that register the wildcard (*) activation event and then make network calls; detect DLL sideloading from %TEMP%\Lightshot\. Rotate developer tokens/secrets.
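To turn the BYOVD, installer-source, Defender-exclusion and scheduled-task controls above into something a SOC can actually run, here is an added Python example; it is not SISA's code and is not taken from any of the reports summarised here. It reads Sysmon-style process-create (ID 1) and driver-load (ID 6) events plus Security 4698 task-creation events as JSON lines and applies one rule per control. The field names follow Sysmon's, but the sample events are constructed, and the user-writable path pattern, the installer-name pattern and the use of the Signed field are assumptions to adapt to your own telemetry.

```python
import json
import re
from typing import Callable, Iterable, Optional

# NSecKrnl64.sys is the driver named in the advisory. The path and installer
# patterns are assumptions about what "user-writable" and "installer" mean here.
BLOCKED_DRIVERS = {"nseckrnl64.sys"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\temp\\", re.I)
INSTALLER_NAME = re.compile(r"(teams|telegram).*(setup|install)", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_driver_load(ev: dict) -> Optional[str]:
    """Sysmon event 6 (DriverLoad): blocklisted vulnerable driver or unsigned driver."""
    if ev.get("EventID") != 6:
        return None
    if _base(ev.get("ImageLoaded", "")) in BLOCKED_DRIVERS:
        return "blocklisted vulnerable driver loaded (BYOVD)"
    if str(ev.get("Signed", "")).lower() != "true":
        return "unsigned driver loaded"
    return None


def rule_rundll32_sideload(ev: dict) -> Optional[str]:
    """Sysmon event 1 (ProcessCreate): rundll32 handed a DLL from a user-writable path."""
    if ev.get("EventID") == 1 and _base(ev.get("Image", "")) == "rundll32.exe" \
            and USER_WRITABLE.search(ev.get("CommandLine", "")):
        return "rundll32.exe loading a DLL from a user-writable path"
    return None


def rule_defender_exclusion(ev: dict) -> Optional[str]:
    """PowerShell adding a Defender exclusion (Add-MpPreference -Exclusion*)."""
    if ev.get("EventID") == 1 and re.search(r"add-mppreference\s.*-exclusion",
                                            ev.get("CommandLine", ""), re.I):
        return "Defender exclusion added via Add-MpPreference"
    return None


def rule_scheduled_task(ev: dict) -> Optional[str]:
    """Security event 4698 (task created) or schtasks.exe /create."""
    if ev.get("EventID") == 4698:
        return f"scheduled task created: {ev.get('TaskName', '?')}"
    if ev.get("EventID") == 1 and _base(ev.get("Image", "")) == "schtasks.exe" \
            and re.search(r"/create\b", ev.get("CommandLine", ""), re.I):
        return "schtasks.exe /create executed"
    return None


def rule_installer_from_user_path(ev: dict) -> Optional[str]:
    """Teams/Telegram-style installer launched from Downloads, AppData or Temp."""
    image = ev.get("Image", "")
    if ev.get("EventID") == 1 and INSTALLER_NAME.search(_base(image)) and USER_WRITABLE.search(image):
        return "messaging-app installer executed from a user-writable path"
    return None


RULES: list[Callable[[dict], Optional[str]]] = [
    rule_driver_load, rule_rundll32_sideload, rule_defender_exclusion,
    rule_scheduled_task, rule_installer_from_user_path,
]


def triage(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Run every rule over JSON-lines events; return (UtcTime, Computer, finding) per hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.get("UtcTime", "?"), ev.get("Computer", "?"), hit))
    return findings


# Constructed sample telemetry (Sysmon-style JSON lines); not real logs.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2025-12-10 09:01:02", "Computer": "WS01", "Image": "C:\\Users\\bob\\Downloads\\Teams_setup.exe", "CommandLine": "C:\\Users\\bob\\Downloads\\Teams_setup.exe /silent"}
{"EventID": 1, "UtcTime": "2025-12-10 09:01:05", "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"}
{"EventID": 1, "UtcTime": "2025-12-10 09:01:09", "Computer": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\core.dll,Start"}
{"EventID": 6, "UtcTime": "2025-12-10 09:01:12", "Computer": "WS01", "ImageLoaded": "C:\\ProgramData\\svc\\NSecKrnl64.sys", "Signed": "true"}
{"EventID": 4698, "UtcTime": "2025-12-10 09:01:15", "Computer": "WS01", "TaskName": "\\Microsoft\\Windows\\svcUpdate"}
{"EventID": 1, "UtcTime": "2025-12-10 09:30:00", "Computer": "WS02", "Image": "C:\\Program Files\\Microsoft\\Teams\\current\\Teams.exe", "CommandLine": "Teams.exe"}
{"EventID": 6, "UtcTime": "2025-12-10 09:31:00", "Computer": "WS02", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signed": "true"}
"""

if __name__ == "__main__":
    for ts, host, finding in triage(SAMPLE_EVENTS.splitlines()):
        print(f"{ts} {host}: {finding}")
```

Run against the constructed sample, the five WS01 events fire one rule each (the whole installer-to-driver-to-task chain) while the legitimate Teams.exe launch and the Microsoft-signed ndis.sys load on WS02 stay silent. Note that the blocklist check fires even though NSecKrnl64.sys carries a valid signature, which is exactly why a name-based block on top of the Microsoft vulnerable driver blocklist is needed: a BYOVD driver is by definition a signed one.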
Threat-hunt quickly:
- Web stacks: look for whoami/id post-exploitation commands, files like /tmp/pwned.txt, unexpected Node runtimes under app users.
- Persistence: user-level systemd services, XDG autostart, cron, .bashrc injections; suspicious rundll32.exe loading from user paths.
- C2: Ethereum RPC bursts from servers, odd JA3/SNI to previously unseen endpoints, the listed VS Code C2 domains/ports.
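The three hunt bullets above (web-stack post-exploitation, Linux persistence, and Ethereum-RPC C2 traffic) can be run as one script over collected telemetry. The following is an added Python example, not SISA's code and not taken from the EtherRAT or VS Code reports. It takes process-creation records, persistence artifacts (user systemd units, XDG autostart entries, .bashrc, crontab -l output) and connection records as constructed JSON or dicts. The known C2 domain and /tmp/pwned.txt come from the advisory; the public-RPC hostname list, the set of web-server parent process names, and the burst threshold (20 connections in 60 seconds, chosen with the 500 ms polling interval in mind) are assumptions to tune locally.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the advisory (the C2 domain is defanged there; re-fanged for matching).
KNOWN_C2_HOSTS = {"syn1112223334445556667778889990.org"}
KNOWN_ARTIFACTS = {"/tmp/pwned.txt"}
# Assumptions: placeholder public-RPC hostnames an org would maintain, and the
# process names that serve the React/Node app (recon spawned by them is abnormal).
ETH_RPC_HOSTS = {"rpc1.eth-provider.example"}
WEB_PARENTS = {"node", "next-server", "npm"}
RECON = {"whoami", "id", "uname", "hostname"}
RUNTIME = re.compile(r"\b(node|nohup|setsid)\b")
# Script paths under /tmp, /dev/shm, /var/tmp or inside a dot-directory.
SUSPECT_PATH = re.compile(r"(^|\s)(/tmp/|/dev/shm/|/var/tmp/|\S*/\.\S+)")


def hunt_processes(lines):
    """Process-creation records as JSON lines with user, parent, exe, cmd."""
    out = []
    for ev in (json.loads(l) for l in lines if l.strip()):
        base = ev["exe"].rsplit("/", 1)[-1]
        if base in RECON and ev.get("parent") in WEB_PARENTS:
            out.append(f"{ev['user']}: {base} spawned by web process {ev['parent']}")
        if base == "node" and SUSPECT_PATH.search(ev["cmd"]):
            out.append(f"{ev['user']}: node started from suspect path: {ev['cmd']}")
        if any(a in ev["cmd"] for a in KNOWN_ARTIFACTS):
            out.append(f"{ev['user']}: known artifact referenced: {ev['cmd']}")
    return out


def _launch_lines(path, text):
    """Return the command lines a persistence artifact would execute."""
    if path.endswith(".service"):
        return re.findall(r"^ExecStart=(.*)$", text, re.M)
    if path.endswith(".desktop"):
        return re.findall(r"^Exec=(.*)$", text, re.M)
    return [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def hunt_persistence(artifacts):
    """artifacts: dicts {path, content} from systemd user units, XDG autostart,
    .bashrc and 'crontab -l'. Flags launchers that run a runtime from a suspect path."""
    out = []
    for art in artifacts:
        for line in _launch_lines(art["path"], art["content"]):
            if RUNTIME.search(line) and SUSPECT_PATH.search(line):
                out.append(f"{art['path']}: {line.strip()}")
    return out


def hunt_connections(lines, threshold=20, window_s=60):
    """Connection records as JSON lines with ts, src, dst_host. Flags known C2 hosts
    and any source making >= threshold Ethereum RPC connections within window_s seconds."""
    out, per_src = [], defaultdict(list)
    for ev in (json.loads(l) for l in lines if l.strip()):
        host = ev["dst_host"].lower()
        if host in KNOWN_C2_HOSTS:
            out.append(f"{ev['src']}: contacted known C2 {host}")
        if host in ETH_RPC_HOSTS:
            per_src[ev["src"]].append(datetime.fromisoformat(ev["ts"]))
    for src, times in per_src.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                out.append(f"{src}: {i - j + 1} Ethereum RPC connections within {window_s}s")
                break
    return out


# Constructed sample data; not real telemetry.
SAMPLE_PROCS = [json.dumps(e) for e in [
    {"user": "app", "parent": "next-server", "exe": "/usr/bin/whoami", "cmd": "whoami"},
    {"user": "app", "parent": "next-server", "exe": "/bin/sh", "cmd": "sh -c 'echo x > /tmp/pwned.txt'"},
    {"user": "app", "parent": "sh", "exe": "/usr/bin/node", "cmd": "node /tmp/.cache/agent.js"},
    {"user": "app", "parent": "systemd", "exe": "/usr/bin/node", "cmd": "node /srv/app/server.js"},
    {"user": "alice", "parent": "bash", "exe": "/usr/bin/id", "cmd": "id"},
]]
SAMPLE_ARTIFACTS = [
    {"path": "/home/app/.config/systemd/user/cache.service",
     "content": "[Service]\nExecStart=/usr/bin/node /home/app/.cache/agent.js\n"},
    {"path": "/home/app/.config/autostart/cache.desktop",
     "content": "[Desktop Entry]\nExec=node /tmp/.cache/agent.js\n"},
    {"path": "/home/app/.bashrc",
     "content": "# ~/.bashrc\nexport PATH=$PATH:~/bin\nnohup node /dev/shm/.a.js >/dev/null 2>&1 &\n"},
    {"path": "/home/app/crontab",
     "content": "@reboot node /home/app/.cache/agent.js\n0 3 * * * find /srv/app/logs -mtime +7 -delete\n"},
    {"path": "/home/alice/.bashrc", "content": "alias ll='ls -la'\n"},
]
_T0 = datetime(2025, 12, 10, 9, 0, 0)
SAMPLE_CONNS = [json.dumps({"ts": (_T0 + timedelta(milliseconds=500 * i)).isoformat(),
                            "src": "10.0.0.5", "dst_host": "rpc1.eth-provider.example"})
                for i in range(30)] + [
    json.dumps({"ts": _T0.isoformat(), "src": "10.0.0.7", "dst_host": "rpc1.eth-provider.example"}),
    json.dumps({"ts": _T0.isoformat(), "src": "10.0.0.9", "dst_host": "syn1112223334445556667778889990.org"}),
]

if __name__ == "__main__":
    for f in hunt_processes(SAMPLE_PROCS) + hunt_persistence(SAMPLE_ARTIFACTS) + hunt_connections(SAMPLE_CONNS):
        print(f)
```

On the constructed data the script reports the recon command and artifact write under the web server, the Node runtime started from /tmp, all four persistence launchers for the app user (and none of alice's), the host talking to the listed C2 domain, and the server that opened 30 RPC connections in 15 seconds. A single RPC call from 10.0.0.7 is not flagged, which is the point of using a burst rather than any contact: a web server legitimately touching a blockchain endpoint once is plausible, a half-second poll loop is not.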
Identity controls: temporarily disable FortiCloud SSO where feasible; enforce MFA on all admin planes; review SAML logs for anomalies and Ivanti dashboards for injected content.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.