🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit - Rapid7 Labs 🔍 Show Kagi Synopsis
  The cybersecurity article details the discovery and analysis of a sophisticated backdoor named **Chrysalis**, attributed to the threat actor **Lotus Blossom** (also known as Billbug) 【1】.
  
  **What Happened:**
  The intrusion likely began with the exploitation of the **Notepad++ distribution infrastructure** to gain initial access 【1】. Following this, a suspicious process named `update.exe`, downloaded from a malicious IP address, was executed. This `update.exe` is identified as an NSIS installer, commonly used by Chinese APT groups to deliver initial payloads 【1】. The ultimate payload is the Chrysalis backdoor, a feature-rich and sophisticated tool designed for persistent access and control 【1】.
  
  **Who is Affected:**
  The article does not specify particular industries or organizations that have been directly targeted. However, the initial access vector involving the Notepad++ distribution infrastructure suggests that any user who downloads or updates Notepad++ from compromised sources could be at risk 【1】.
  
  **Security Implications:**
  Chrysalis is a highly capable backdoor that poses significant security risks. Its design incorporates advanced techniques to evade detection and maintain persistence. Key implications include:
  - **Stealthy Execution:** It uses legitimate binaries to load malicious DLLs with generic names, making signature-based detection unreliable 【1】.
  - **Evasion Techniques:** The malware employs custom API hashing, layered obfuscation, and dynamic DLL loading with custom string obfuscation routines to hinder static analysis 【1】.
  - **Persistent Access:** The backdoor is designed to be a permanent tool, not a temporary utility 【1】.
  - **Remote Control:** It provides attackers with extensive remote control capabilities, including executing commands, running arbitrary processes, and transferring files 【1】.
  - **Self-Removal:** The backdoor includes a self-removal mechanism to clean up its artifacts and erase its presence 【1】.
  
  **Technical Details:**
  - **Initial Access:** Exploitation of Notepad++ distribution infrastructure, leading to the execution of `update.exe` 【1】.
  - **Loader:** `update.exe` is an NSIS installer 【1】. Other loaders, like "Warbird," have been observed, with Loader 3 using an undocumented system call (`NtQuerySystemInformation`) for execution 【1】.
  - **Backdoor (Chrysalis):**
  - Uses legitimate binaries to sideload a crafted DLL 【1】.
  - Employs custom API hashing and layered obfuscation 【1】.
  - Decrypts its main module using XOR, addition, and subtraction with a hardcoded key `gQ2JR&9;` 【1】.
  - Dynamically loads DLLs such as `oleaut32.dll`, `advapi32.dll`, `shlwapi.dll`, `user32.dll`, `wininet.dll`, `ole32.dll`, and `shell32.dll` 【1】.
  - Obfuscates DLL names using position-dependent character transformations 【1】.
  - Decrypts its configuration using RC4 with the key `qwhvb^435h&*7` 【1】.
  - **C2 Communication:** Uses a C2 URL `https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821` which resolves to `61.4.102.97` in Malaysia 【1】. Communication is RC4 encrypted with the key `vAuig34%^325hGV` 【1】.
  - **Information Gathering:** Collects system information like time, installed AVs, OS version, user, and computer name 【1】.
  - **Command Execution:** Supports various commands via C2 tags, including spawning an interactive shell (`4T`), creating processes (`4V`), writing files (`4W`), reading/sending data (`4Y`), and self-uninstalling (`4\\`) 【1】.
  - **Mutex:** Uses `Global\\Jdhfv_1.0.1` to ensure single instance execution 【1】.
  - **Other Artifacts:** Renamed `svchost.exe` to Tiny-C-Compiler (`tcc.exe`) to load shellcode from `conf.c` 【1】.
  - **Loader Variants:** Multiple loader variants have been identified, some embedding Metasploit shellcode that downloads a Cobalt Strike beacon 【1】.
  
  **What Defenders Should Know:**
  - **Detection:** Defenders should be aware of the indicators of compromise (IoCs) provided, including network indicators like IP addresses and domain names, and file hashes 【1】.
  - **Evasion Tactics:** Be vigilant against techniques such as DLL sideloading, masquerading, dynamic API resolution, and the use of undocumented system calls 【1】.
  - **Persistence Mechanisms:** Monitor for persistence artifacts in Registry Run keys and Windows Services 【1】.
  - **Threat Actor:** The threat actor, Lotus Blossom, is known for evolving its tradecraft, incorporating multi-layered shellcode loaders and advanced evasion techniques 【1】.
  - **Rapid7 Intelligence Hub:** Customers using Rapid7’s Intelligence Hub have access to IOCs for Chrysalis and related loaders 【1】.
• How the KGB Discovered Computer Viruses - Oleg Shakirov 🔍 Show Kagi Synopsis
  In 1989, a secret KGB directive acknowledged the growing threat of **computer viruses**, which were spreading throughout the Soviet Union and even within the KGB's own systems. This directive, issued on July 28, 1989, warned of "alien programming implants" embedded in software, particularly those with "subversive purposes" 【1】. The KGB recognized that the increasing use of foreign software and computers, despite domestic production, introduced significant security risks, including the potential for hardware and software backdoors 【1】.
  
  **Who is affected:**
  Computer viruses began appearing in the Soviet Union around 1987, affecting numerous government organizations. This included the **KGB**, the Ministry of Radio Technology, the Ministry of Medium Machine-Building (responsible for nuclear industry), the Academy of Sciences, and approximately 20 other computing centers 【1】. Infections typically occurred due to the uncontrolled acquisition or copying of software through personal contacts, a situation exacerbated by the virtual absence of an official software market in the USSR 【1】.
  
  **Security Implications:**
  The KGB viewed computer viruses as a serious threat, believing that **U.S. intelligence** was actively developing them as a means to damage computing systems 【1】. The agency drew parallels between software viruses and hardware backdoors, considering them "software backdoors" with subversive intent 【1】. The uncontrolled nature of software sharing was seen as a major factor that could lead to a "massive and severe computer plague" 【1】. The KGB's reliance on imported foreign computers also presented risks, as these devices could be sabotaged through hidden backdoors 【1】.
  
  **Technical Details:**
  As of mid-1989, the KGB was aware of three primary viruses active in the Soviet Union:
  - **Vienna**: A 648-byte virus that infects .COM files and resets the operating system 【1】.
  - **Cascade**: A 1,701-byte virus 【1】.
  - **Jerusalem**: A 710-byte virus, noted for its similarity in effect to the known Jerusalem virus (a time bomb corrupting files on Friday the 13th), though differing in size 【1】.
  
  The memo acknowledged that these viruses originated abroad, but also warned of the potential for Soviet programmers to create similar malicious programs for domestic computers, a prediction that soon materialized 【1】. By the summer of 1989, at least three more viruses (Vacsina/TP-4, Marijuana/Stoned, Ping-Pong/Italian/Bouncing Ball) had been discovered in the USSR 【1】. The KGB's Operational Technical Directorate had developed programs to detect and delete the Vienna and Cascade viruses 【1】.
  
  The memo identified three main channels for virus infection:
  - User violations of software installation and usage rules 【1】.
  - Installation of unauthorized domestic or foreign software 【1】.
  - Connection of KGB computers to public or internal networks that allow third-party access 【1】.
  
  **What Defenders Should Know:**
  The KGB memo outlined several recommendations for defense:
  - **Internal Software Security:**
  - Screen staff with access to software and data 【1】.
  - Differentiate between approved operational software and software under development 【1】.
  - Control access to storage devices containing operational software 【1】.
  - Track changes to operational software to prevent unauthorized modifications 【1】.
  - Investigate any suspicious situations that might indicate a virus 【1】.
  - **External Software Security:**
  - Test new programs on designated "sandbox" computers 【1】.
  - Prioritize the use of software from the KGB's official Bank of Algorithms and Programs 【1】.
  - Inspect non-officially acquired software for known viruses using specific methods 【1】.
  - **Response to Infection:**
  - Immediately suspend work on the suspected infected PC and any connected computers 【1】.
  - Identify infected programs by comparing them with reference copies or using detection programs 【1】.
  - Restore infected programs by copying from verified references 【1】.
  - Avoid using programs from which a virus has been detected and removed 【1】.
  
  The KGB also emphasized **information sharing**, tasking a research institute with collecting virus data and instructing departments to report all infection incidents promptly 【1】. The spread of viruses highlighted the limitations of top-down control and the effectiveness of a more networked, community-driven approach to cybersecurity, which eventually contributed to the development of Russia's cybersecurity industry 【1】.
• From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized - VirusTotal 🔍 Show Kagi Synopsis
  The **OpenClaw AI agent ecosystem** is being exploited as a new **delivery channel for malware** 【1】. Hundreds of malicious "skills" (extensions for the AI agent) have been detected on VirusTotal, transforming the ecosystem into a supply-chain attack surface.
  
  **Who is Affected:**
  **OpenClaw users** are directly affected, as they may unknowingly download and execute malicious skills. The malware distributed through these skills can lead to data exfiltration, remote control of their systems, and installation of further malware.
  
  **Security Implications:**
  The primary security implication is the **weaponization of AI agent ecosystems**. OpenClaw skills, designed to extend AI agent capabilities, are being disguised as legitimate tools. Attackers leverage social engineering tactics, instructing users to paste commands or run downloaded binaries, which bypasses traditional detection methods because the malicious payload is often an external workflow rather than code within the skill itself 【1】. This creates a significant new attack vector for distributing malware.
  
  **Technical Details:**
  OpenClaw is a self-hosted AI agent that can execute actions like shell commands, file operations, and network requests on a user's machine 【1】. Skills are packages that extend these capabilities, often installed from a public marketplace called ClawHub 【1】.
  
  VirusTotal has observed two main categories of malicious skills:
  * **Poor Security Practices:** Skills with insecure API usage, unsafe command execution, hardcoded secrets, or sloppy input handling 【1】.
  * **Intentionally Malicious Skills:** These are designed for data exfiltration, remote control via backdoors, or direct malware installation 【1】.
  
  A case study involving the user "hightower6eu" revealed 314 malicious skills disguised as legitimate tools. For example, a "Yahoo Finance" skill instructed Windows users to download and run an executable detected as a packed trojan. On macOS, a similar skill led to an obfuscated shell script that downloaded and executed a Mach-O executable identified as a variant of **Atomic Stealer (AMOS)**. AMOS is known for stealthily harvesting sensitive user data, including passwords, browser credentials, and cryptocurrency wallet information 【1】.
  
  To combat this, VirusTotal has integrated support for OpenClaw skills into **VirusTotal Code Insight**, using Gemini 3 Flash to analyze skills for actual behavior such as code execution and data access, rather than just claimed functionality 【1】.
  
  **What Defenders Should Know:**
  * **Treat skill folders as trusted-code boundaries** and control modifications 【1】.
  * **Prefer sandboxed executions** for AI agents and keep them away from sensitive data 【1】.
  * **Be highly skeptical** of any skill that requires pasting commands into a shell or downloading and running binaries 【1】.
  * **Scan community skills** before installation 【1】.
  * Marketplaces and registries should implement **publish-time scanning** to flag skills with remote execution, obfuscated scripts, or instructions designed to bypass user oversight 【1】.
• Threat-Hunting: Threat Hunting queries of multiple platforms - CrowdStrike/KQL - The content posted at the URL `https://github.com/a2awais/Threat-Hunting/` is controlled by **a2awais**. 🔍 Show Kagi Synopsis
  The provided GitHub repository, "Threat-Hunting," appears to be a collection of threat hunting queries for various platforms. However, there is no specific cybersecurity article or detailed precis available within the repository that outlines a particular incident, affected parties, security implications, technical details, or defender recommendations.
  
  The repository's primary purpose seems to be contributing to the development of threat hunting queries 【2】. A comparison within the repository indicates that the main branch is up-to-date and does not show any specific new commits related to a particular attack 【1】. Therefore, without a specific article or document detailing an incident, it is not possible to provide the requested precis.
• reko: Reko is a binary decompiler. - uxmal 🔍 Show Kagi Synopsis
  Reko is a general-purpose decompiler for machine code binaries, designed to support various processor architectures and executable file formats with minimal user intervention. It is freely available under the GNU General Public License.
  
  - **What Happened:** The article describes the Reko decompiler, its purpose, and how it functions. It is not about a specific security incident but rather a tool used in cybersecurity for reverse engineering.
  - **Who is Affected:** The tool is intended for users who need to analyze machine code binaries. This could include security researchers, developers, or anyone legally permitted to reverse engineer software. The article explicitly warns that many software licenses prohibit decompilation, and users should only use Reko if they have the legal right to do so.
  - **Security Implications:** Reko itself is a tool, not a vulnerability. However, its existence has security implications as it enables reverse engineering of software. This can be used for:
  - **Vulnerability research:** Identifying security flaws in software.
  - **Malware analysis:** Understanding the behavior of malicious software.
  - **Intellectual property concerns:** Potentially used to circumvent software protections or analyze proprietary code, which may be illegal depending on the software's license.
  - **Technical Details:**
  - Reko consists of front ends (command-line, Windows GUI, ASP.NET), a core decompiler engine, and back ends.
  - It analyzes input binary files or decompiler project files, which can contain additional information to aid decompilation.
  - It aims for broad support of different processor architectures and executable file formats.
  - The project is built using .NET 6.0 SDK and can be compiled with Visual Studio 2022 or via the command line using `dotnet msbuild`.
  - It has front-end drivers located in the `Drivers` folder, including `WindowsDecompiler` (Windows Forms GUI) and `AvaloniaShell` (cross-platform GUI).
  - **What Defenders Should Know:**
  - **Legality:** Be aware that decompiling software may be illegal depending on the license.
  - **Tooling:** Reko is a powerful tool for understanding binary code, which can be used by both attackers and defenders.
  - **Reverse Engineering:** Defenders may need to understand how decompilers like Reko work to analyze malware or investigate security incidents involving reverse-engineered code.
  - **Development:** The project is open-source and actively developed, with support available through its issue tracker and Gitter.im chatroom. Prerequisites for building include .NET 6.0 and potentially WiX toolset and CMake for specific build scenarios.
• gVisor is an open-source Linux-compatible sandbox that runs anywhere existing container tooling does. It enables cloud-native container security and portability - gVisor - an open-source project with strong connections to Google, leveraging years of experience isolating production workloads at Google 🔍 Show Kagi Synopsis
  The provided article from gvisor.dev describes **gVisor as a container security platform**, rather than detailing a specific cybersecurity incident. Therefore, it does not cover "what happened" in terms of a breach or attack, nor does it specify who was affected by a particular event.
  
  However, the article does outline the **security implications** and **technical details** of container security and how gVisor addresses them. It also provides information that **defenders should know** about securing containerized environments.
  
  Here's a breakdown based on the article's content:
  
  * **What Happened:** The article does not describe a specific cybersecurity incident. Instead, it focuses on the general security challenges and risks associated with containerization.
  * **Who is Affected:** The article implies that **organizations using containers** are potentially affected by the security risks inherent in containerization. This includes developers, operations teams, and security professionals managing containerized applications.
  * **Security Implications:**
  * Containers share the host operating system's kernel, creating a potential attack surface. If the kernel is compromised, all containers running on it could be at risk.
  * Traditional security measures may not be sufficient for containerized environments due to their dynamic and ephemeral nature.
  * The article highlights the need for a robust security platform to isolate containers and protect the host system.
  * **Technical Details:**
  * gVisor acts as an **application kernel** that intercepts and filters system calls made by applications.
  * It intercepts approximately 300 system calls, providing a **sandbox** that limits the kernel's exposure.
  * gVisor is implemented in Go and includes a user-space kernel (Sentry) and a platform-specific component (Gofer) that handles file system access.
  * It supports various container runtimes, including Docker and containerd, and can be integrated with Kubernetes.
  * **What Defenders Should Know:**
  * Defenders need to understand the **shared kernel vulnerability** in traditional container deployments.
  * gVisor offers a way to **reduce the attack surface** by providing a stronger isolation boundary between containers and the host kernel.
  * It can be used to **enforce security policies** and prevent malicious container activity from impacting the host or other containers.
  * The platform is designed to be **performant** while providing enhanced security, making it a viable option for production environments.
• macOS Hardening: a new series - Gabriel Biondo 🔍 Show Kagi Synopsis
  The article "macOS Hardening: a new series" by The Byte Architect outlines a comprehensive strategy for securing macOS systems by adopting a "defense in depth" approach rather than relying solely on perimeter security. The author shares their personal process of setting up a new MacBook, emphasizing that absolute security is unattainable and that the goal is to make systems more resilient and harder to compromise than others.
  
  **What Happened:**
  The author initiated a new series on macOS hardening, detailing their personal methodology for securing a new MacBook. This involves a shift from traditional security models to a layered defense strategy.
  
  **Who is Affected:**
  This information is relevant to **macOS users**, particularly **software developers**, **server administrators**, and individuals concerned with **personal data protection** and overall cybersecurity.
  
  **Security Implications:**
  The core implication is that **attackers often target the path of least resistance**. By implementing layered security, systems become less attractive targets. The article stresses that security should enable productivity rather than hinder it, advocating for a pragmatic balance. It also touches upon the evolution of security concepts from older models to current complex, cloud-based architectures.
  
  **Technical Details:**
  The author advocates for **threat modeling** to identify assets (Intellectual Property, VPS, private data, public image), threat agents (cybercriminals, competitors, trackers), and assess risks and costs. The defense strategy involves:
  - **Layered security**: Multiple controls working in conjunction to protect against threats like malware.
  - **Network layer hardening**: Specific techniques to be detailed in future posts.
  - **Application layer hardening**: Including practices like **backups** and **compartmentalization**.
  - **Secrets management**: Employing strategies like plausible deniability and strong cryptography.
  - **Operational practices**: General security hygiene.
  Examples of tools and concepts mentioned include antivirus software, VirusTotal, dedicated virtual machines, and the importance of multi-factor authentication.
  
  **What Defenders Should Know:**
  Defenders should understand that:
  - **Perfect security is a myth**; the aim is to create robust, layered defenses.
  - **Threat modeling is crucial** for identifying vulnerabilities and prioritizing defenses.
  - **Layered security** is more effective than single-point defenses.
  - Security measures should be **pragmatic** and not overly impede usability.
  - Future posts will delve into specific hardening techniques for the network layer, browser, and multi-factor authentication 【1】.
• GhostKatz: Dump LSASS via physical memory read primitives in vulnerable kernel drivers - RainbowDynamix is the organization that controls the content posted at the URL https://github.com/RainbowDynamix/GhostKatz. This is indicated by the repository name itself and the GitHub profile associated with it. 🔍 Show Kagi Synopsis
  GhostKatz is a cybersecurity tool developed by Julian Peña and Eric Esquivel that **extracts credentials directly from the LSASS (Local Security Authority Subsystem Service) process by reading physical memory** 【1】. This method bypasses traditional user-mode detection capabilities by abusing signed, vulnerable drivers that provide physical memory read primitives via `MmMapIoSpace` 【1】.
  
  **What Happened:**
  GhostKatz enables attackers to dump credentials from LSASS. It achieves this by leveraging signed kernel drivers that have known vulnerabilities allowing for physical memory reads 【1】.
  
  **Who is Affected:**
  The tool is designed to work on various **Windows operating systems**, including:
  - Windows Server 2012 R2 (Version 6.3) 【1】
  - Windows Server 2016 (Version 1607) 【1】
  - Windows Server 2019 (Version 1809) 【1】
  - Windows 10 (Versions 21H2 and 22H2) 【1】
  - Windows Server 2022 (Version 21H2) 【1】
  
  **Security Implications:**
  The primary security implication is the **unauthorized access to sensitive credentials**, such as usernames and passwords, stored within LSASS. This can lead to further compromise of systems and networks. The use of vulnerable kernel drivers also introduces a risk of system instability, potentially causing a Blue Screen of Death (BSOD) 【1】.
  
  **Technical Details:**
  GhostKatz operates by using signed kernel drivers that expose read-memory primitive vulnerabilities 【1】. The tool is modular, allowing users to research and integrate their own drivers by extending the read-memory primitive functions in `utils.c` 【1】. The public release does not include exploits for undisclosed drivers, but the developers mention having automated discovery and exploitation processes internally with several signed kernel drivers 【1】.
  
  Two specific drivers have been identified as exploitable by GhostKatz:
  - **Toshiba TPwSav** (ID 1) 【1】
  - **TechPowerUp ThrottleStop** (ID 2) 【1】
  
  To use GhostKatz, users compile the BOFs (Beacon Object Files) using `make`, load the `ghostkatz.cna` Aggressor Script into Cobalt Strike's Script Manager, and then execute commands like `ghostkatz logonpasswords -prv 1` or `ghostkatz wdigest` 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that GhostKatz bypasses user-mode detection by operating at the kernel level 【1】. The tool relies on signed drivers, which can make detection more challenging. Key defensive strategies include:
  - **Monitoring for the use of known vulnerable drivers:** Identifying the presence or execution of drivers like Toshiba TPwSav or TechPowerUp ThrottleStop 【1】.
  - **Endpoint Detection and Response (EDR) solutions:** Implementing EDR capabilities that can detect suspicious memory access patterns or kernel-level activity.
  - **Driver integrity checks:** Ensuring that only trusted and verified drivers are loaded onto systems.
  - **Understanding the risks of kernel driver exploitation:** Recognizing that attackers can leverage signed drivers to gain privileged access and bypass security controls 【1】.
  - **System stability:** Being aware of the potential for BSODs when vulnerable kernel drivers are exploited 【1】.
• Quest Desktop Authority RCE | CVE-2025-67813 - NetSPI 🔍 Show Kagi Synopsis
  A critical Remote Code Execution (RCE) vulnerability, **CVE-2025-67813**, has been discovered in **Quest Desktop Authority**, an enterprise management solution. This vulnerability allows any authenticated domain user to execute arbitrary code with local administrator privileges on affected endpoints.
  
  **What Happened:**
  The vulnerability stems from an insecurely exposed named pipe, `ScriptLogic_Server_NamedPipe_9300`, which runs with SYSTEM privileges. This pipe uses a custom IPC protocol that is susceptible to exploitation.
  
  **Who is Affected:**
  **Endpoints running the Quest Desktop Authority agent** are vulnerable. This means any authenticated user on the network can potentially exploit this flaw.
  
  **Security Implications:**
  The exploitation of this named pipe can lead to severe security breaches, including:
  * **Arbitrary Command Execution:** Attackers can run any command on the target system with local administrator rights using the `AdminExec` operation.
  * **DLL Injection:** The ability to inject arbitrary DLLs into processes allows for further compromise and persistence.
  * **Credential Exposure:** The `Credentials` operation can reveal plaintext service account usernames and passwords, leading to credential reuse and domain account compromise.
  * **COM Object Invocation:** The `InvokeCOM` operation allows attackers to interact with COM objects, granting access to various system management functions.
  
  **Technical Details:**
  * The vulnerability is identified as **CVE-2025-67813**.
  * The affected named pipe is `\\.\pipe\ScriptLogic_Server_NamedPipe_9300`.
  * The protocol used is a custom IPC based on MFC `CArchive` serialization.
  * Key exploitable operations include `AdminExec`, `DllInjection`, `Credentials`, `ImpersonateAdmin`, and `InvokeCOM`.
  * The ultimate impact is **Remote Code Execution as a local administrator**.
  
  **What Defenders Should Know:**
  * **Remediation:** Organizations should **apply the vendor patches** (Desktop Authority 11.3.2 or later) or implement **firewall rules to restrict network access** to the named pipe.
  * **Mitigation Strategies:**
  * Implement firewall rules to block inbound SMB (TCP 445) to Desktop Authority agent hosts from untrusted network segments.
  * Utilize network segmentation to isolate management infrastructure from general user networks.
  * Disable the agent service on endpoints where Quest Desktop Authority is not required.
  * Implement detection mechanisms for unusual connections to the `ScriptLogic` named pipes.
  * Quest has provided a knowledge base article (4381743) detailing the vulnerability and its remediation. 【1】