DFIR Radar

Interlock ransomware group pivots from user-driven attacks to zero-day exploitation, deploying AI-generated Slopoly backdoor to bypass security controls. Active campaign exploited Cisco FMC vulnerability for 36 days before patching. Key technical details: • CVE-2026-20131: Zero-day in Cisco Secure FMC enabling root RCE via crafted HTTP requests with serialized Java • Slopoly backdoor: AI-generated PowerShell C2 framework with WebSocket persistence and real-time communication • Hotta Killer: Custom utility exploiting CVE-2025-61155 in GameDriverX64.sys for kernel-level EDR disabling (T1685) • Memory-resident Java webshells intercept HTTP requests, decrypt commands, execute in-memory to evade AV • LOLBAS abuse: BITSAdmin, PowerShell, AZCopy for staging, lateral movement, and Azure Blob exfiltration (T1567.002) Attack chain methodology: • Phase 1: Shifted from drive-by downloads to direct infrastructure targeting via network edge vulnerabilities • Phase 2-3: Volatility for credential extraction, Certipy for AD CS privilege escalation, NetSupport RAT deployment • Phase 4-5: Advanced Port Scanner reconnaissance, RDP pivoting to DCs/Exchange, HAProxy nodes for exfiltration masking • Phase 6: PsExec domain-wide ransomware deployment with .interlock extension and !__README__!.txt notes Hunt for AZCopy activity to unfamiliar Azure destinations, NetSupport/AnyDesk from servers, and recurring /api/commands HTTP beaconing patterns. #DFIR_Radar

FileFix evolution: Attackers moved ClickFix social engineering from Win+R dialogs to File Explorer address bars, bypassing Mark of the Web protections. Campaign leverages trusted interfaces to execute malicious PowerShell without triggering SmartScreen warnings. Technical breakdown: • KongTuke/LandUpdate808 cluster injects JavaScript into compromised sites creating fake CAPTCHAs • HTML <input type="file"> opens explorer.exe file dialog while JS writes obfuscated PowerShell to clipboard • Users paste "verification code" into File Explorer address bar, executing commands directly (T1059.001) • Bypasses MotW since no file download occurs - payload executes from clipboard in trusted interface • Process lineage: browser spawns cmd.exe/powershell.exe/wscript.exe indicating exploitation Hunt for browsers (chrome.exe, msedge.exe) spawning scripting interpreters as child processes. Check HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths registry key for PowerShell commands or HTTP URLs - strong forensic indicator of successful FileFix execution. #DFIR_Radar

Attackers exploit five routes to access commercial LLMs for malware operations: underground offensive models, crypto payment services, free APIs, leaked keys, and exposed self-hosted servers. Five malware families now integrate live LLM calls for runtime code generation. Technical breakdown: • Malware families (MalTerminal, PROMPTSTEAL, PROMPTLOCK, PROMPTFLUX, QUIETVAULT) embed LLM APIs for dynamic payload generation, reconnaissance, and polymorphic capabilities • Free-tier abuse: HuggingFace (1M tokens/day), Groq (14.4K requests/day), Cerebras (30 RPM) require only disposable emails for access • Exposed servers: 175K+ Ollama instances, 55% of LocalAI hosts open, ~4.3TB GPU VRAM accessible via ComfyUI without authentication • API key leakage: 647 keys found in VirusTotal corpus (62% Google Gemini, 11% HuggingFace), 99.5% revocation rate indicates automated scanning by providers Attack vectors include crypto middlemen (PayWithMoon, AIMLAPI) bypassing identity verification, CVE-2026-33017 (Langflow RCE), CVE-2026-21858 "Ni8mare" (n8n CVSS 10.0), and nuclei-based automated exploitation campaigns targeting LocalAI instances. Hunt for outbound connections to inference APIs from unexpected processes, monitor for dynamic script generation patterns, and audit self-hosted LLM deployments for authentication bypass. #DFIR_Radar

Critical RCE in Everest Forms Pro WordPress plugin under mass exploitation since April. Unauthenticated attackers inject PHP code via form fields to create admin accounts and achieve full site compromise. Key technical details: • CVE-2026-3300, CVSS 9.8 - affects versions ≤1.9.12, patched in 1.9.13 • Flaw in process_filter() function concatenates unsanitized user input into eval() statement • Exploits target "Complex Calculation" feature by breaking string quotes with malicious PHP • Over 29,300 blocked attempts since disclosure, peak exploitation on May 16th with 17,900 attempts Attack methodology: • Single quote injection in text/email/select/radio fields: `';[malicious_php];//` • Most common payload creates "diksimarina" admin account via wp_insert_user() • No authentication required, immediate server-side code execution • Leads to webshell deployment and persistent backdoors DFIR artifacts: • Check WordPress user tables for suspicious admin accounts, especially "diksimarina" • Review web logs for POST requests to /wp-admin/admin-ajax.php with everest_forms parameters • Monitor top attacking IPs: 202[.]56[.]2[.]126, 209[.]146[.]60[.]26, 15[.]235[.]166[.]18 Hunt for recently created WordPress admin accounts and correlate with form submission logs containing single quotes followed by PHP function calls. #DFIR_Radar

Check Point Research exposes large-scale TDS campaign impersonating security tools like Ghidra and dnSpy, distributing SessionGate framework, RemusStealer, and AnimateClipper through sophisticated click hijacking. Key technical details: • CloudFront-hosted JavaScript converts legitimate download clicks into TDS redirects using event interception (preventDefault/stopImmediatePropagation) • SessionGate uses per-client payload generation with one-time server-side key release, making analysis extremely difficult • RemusStealer targets 332+ browser extensions (wallets, password managers, 2FA) with C2 at buccstanor[.]pics:28313 and baxe[.]pics:48261 • AnimateClipper resolves C2 via BNB Smart Chain contract queries to kr.hugo-lapp[.]co Attack methodology: • High-ranking impersonation sites (ghidralite[.]com, dnspy[.]org, ilspy[.]org) capture search traffic for legitimate tools • Click events trigger gated TDS routing with anti-bot logic, VPN filtering, and frequency capping • Multi-stage delivery chains use 7-Zip SFX containers with decoy content to evade detection • SessionGate employs AES-CBC encryption with server-derived keys, heavy obfuscation breaking disassemblers DFIR artifacts: • TDS scripts follow pattern: https://d33f51dyacx7bd.cloudfront[.]net/?aydfd=<ID> • SessionGate PDB path: D:\code\cpp-downloader-scb-reg-other\Plugins\7ZipDownloader\Output\SFXWin.pdb • User-Agent: "NSIS_InetLoad (Mozilla)" for C2 communications #DFIR_Radar

New Gafgyt variant C0XMO exploits DD-WRT routers via CVE-2021-27137, features modular Python-based lateral movement and targets multiple Linux architectures. Advanced botnet shows operational evolution. Technical breakdown: • Exploits stack buffer overflow in DD-WRT UPnP service via malformed SSDP M-SEARCH requests on UDP 1900 • Multi-stage persistence: copies to /tmp/.sys, /var/tmp/.sys, /dev/shm/.sys with cron jobs every 15 minutes • Separates scanning into standalone Python script using paramiko, requests, beautifulsoup4 packages • C2 handshake uses magic string 669787761736865726500 + shared secret to 85[.]215[.]131[.]70 • Supports 19 DDoS attack methods including UDP bypass, TCP floods, NTP amplification, Cloudflare bypass Attack chain: • Initial access via CVE-2021-27137 buffer overflow targeting Japanese 🇯🇵 tech firm from Germany 🇩🇪 • Downloads architecture-specific binaries (ARM, MIPS, x86_64, PowerPC) to /tmp/.cache • Python scanner targets Telnet/SSH weak credentials + HTTP exploits (GLPI, AVTECH, Zyxel) • Terminates competing botnets and removes rival persistence mechanisms Hunt for hidden executables in /tmp/.sys, /var/tmp/.sys with 755 permissions and outbound connections to 85[.]215[.]131[.]70 or 217[.]160[.]125[.]125:15527. #DFIR_Radar