🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• NCSC - Casus: kwetsbaarheden Ivanti EPMM systemen - Case: Vulnerabilities in Ivanti EPMM systems - On January 29th, the NCSC discovered the exploitation of two Ivanti EPMM vulnerabilities. - NCSC (National Cyber Security Centre) 🔍 Show Kagi Synopsis
  The cybersecurity article details the exploitation of two critical vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340**, in **Ivanti Endpoint Manager Mobile (EPMM)** systems 【1】.
  
  **What Happened:**
  Unauthenticated attackers exploited these vulnerabilities to execute arbitrary code. The exploitation was detected by the NCSC on January 29, 2026, with evidence suggesting exploitation may have begun as early as January 28, 2026, and potentially as far back as August 2025, indicating a possible zero-day attack 【1】.
  
  **Who is Affected:**
  **Multiple Dutch organizations** have been confirmed as targets. The full scope of the abuse within the Netherlands is still under investigation 【1】.
  
  **Security Implications:**
  Successful exploitation grants attackers access to the **MobileIron File Service (MIFS) database**. This database contains sensitive information, including account details, encrypted passwords, personal data, IMEI numbers, and access tokens. This compromised data can be used for **further network movement and data exfiltration** 【1】.
  
  **Technical Details:**
  The vulnerabilities allow for **Remote Code Execution (RCE)** and provide unauthorized access to sensitive data stored within the MIFS database 【1】.
  
  **What Defenders Should Know:**
  Defenders should **assume a breach scenario**, meaning they must operate under the assumption that their systems may have already been compromised, even after applying patches. This is because attackers might retain access even after vulnerabilities are remediated 【1】. The NCSC, in collaboration with Ivanti, has released a scanscript (Exploitation Detection RPM Package) to aid in detecting compromises. Organizations are strongly advised to use the latest version of this script (released February 12, 2026) and to conduct thorough investigations, extending forensic analysis back to August 2025. If new findings emerge, organizations should contact the NCSC for assistance 【1】.
• Delegation Part Two: (In)sensitive accounts - Silverfort 🔍 Show Kagi Synopsis
  The cybersecurity article discusses a Kerberos delegation vulnerability, **CVE-2025-60704**, which allows adversaries to escalate privileges from a less privileged user to a domain administrator 【1】.
  
  **What Happened:**
  The vulnerability exploits a common misconception that Kerberos delegation risks are limited to user accounts. In reality, **computer accounts can also be delegated on behalf of**, creating a significant security gap 【1】.
  
  **Who is Affected:**
  This vulnerability affects organizations that utilize **Active Directory** and have not properly secured their sensitive machine accounts. Specifically, adversaries can target **sensitive machine identities**, such as those belonging to domain controllers, Public Key Infrastructure (PKI) servers, or other identity management systems 【1】.
  
  **Security Implications:**
  The primary security implication is the potential for adversaries to gain **domain-wide control** by exploiting delegation on these sensitive machine accounts 【1】. This can lead to a complete compromise of the network.
  
  **Technical Details:**
  The Active Directory Users and Computers (ADUC) interface does not offer a straightforward way to mark computer accounts as sensitive and non-delegable, unlike user accounts. However, the underlying protection mechanism, the `ADS_UF_NOT_DELEGATED` bit within the `userAccountControl` attribute, can be set on computer accounts using PowerShell 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that many environments likely have sensitive machine accounts that are **unprotected from delegation**. To mitigate this risk, organizations should:
  - **Identify sensitive machine accounts**: This includes Tier 0 infrastructure, PKI servers, and identity management systems 【1】.
  - **Configure these accounts as not delegable**: This can be achieved using the PowerShell command `Set-ADAccountControl -Identity “<MachineName>$” -AccountNotDelegated $true` 【1】.
  - **Audit existing delegation configurations**: It is crucial to review current settings before implementing the non-delegable configuration to prevent disruption of legitimate services 【1】.
• Notepad++ v8.9.2 release - Double‑Lock Update Security | Notepad++ - Notepad++ 🔍 Show Kagi Synopsis
  Notepad++ has released version **8.9.2**, which introduces a "Double-Lock Update Security" to address a vulnerability where the update process was previously hijacked by state-sponsored hackers 【1】.
  
  **What Happened:**
  The update mechanism for Notepad++ was compromised, allowing malicious actors to potentially distribute harmful updates. This new release implements a "double lock" system to secure the update process 【1】.
  
  **Who is Affected:**
  Users of Notepad++ are potentially affected by the previous vulnerability. The new release aims to protect all users by securing the update mechanism 【1】.
  
  **Security Implications:**
  The previous hijacking of the update process posed a significant security risk, as it could have led to the distribution of malware or unauthorized code through seemingly legitimate updates. The "double lock" system is designed to make this type of attack unexploitable 【1】.
  
  **Technical Details:**
  The security enhancements in version 8.9.2 involve two independent verification steps:
  - **Verification of the signed XML:** The XML data returned by the update server (_notepad-plus-plus.org_) is now signed using XMLDSig, and this signature and certificate verification will be enforced 【1】.
  - **Verification of the signed installer:** The installer downloaded from _github.com_ is already signed, a feature implemented in version 8.8.9 【1】.
  
  Additionally, the WinGUp auto-updater has been reinforced by:
  - Removing the `libcurl.dll` dependency to prevent DLL side-loading risks 【1】.
  - Removing two unsecured cURL SSL options: `CURLSSLOPT_ALLOW_BEAST` and `CURLSSLOPT_NO_REVOKE` 【1】.
  - Restricting plugin management execution to only allow programs signed with the same certificate as WinGUp (i.e., signed Notepad++ plugins) 【1】.
  
  **What Defenders Should Know:**
  Defenders should ensure that users update to Notepad++ version 8.9.2 or later to benefit from the enhanced security measures 【1】. It is also possible to exclude the auto-updater during installation or deploy the MSI package with the `NOUPDATER=1` command-line argument if desired 【1】.
• UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day - Google Cloud 🔍 Show Kagi Synopsis
  A sophisticated threat actor, identified as **UNC6201**, has been actively exploiting a critical **zero-day vulnerability (CVE-2026-22769)** in **Dell RecoverPoint for Virtual Machines** since at least mid-2024 【1】. This vulnerability carries a **CVSSv3.1 score of 10.0**, indicating the highest level of severity 【1】.
  
  **What Happened:**
  UNC6201 has leveraged this zero-day to gain unauthorized access and execute malicious activities. Their operations involve achieving lateral movement within compromised networks, establishing persistent access, and deploying various malware, including SLAYSTYLE, BRICKSTORM, and a newly discovered backdoor named GRIMBOLT 【1】.
  
  **Who is Affected:**
  The primary targets are organizations utilizing **Dell RecoverPoint for Virtual Machines** 【1】. UNC6201 has been observed initially compromising **edge appliances** and then pivoting into **VMware virtual infrastructure** 【1】.
  
  **Security Implications:**
  The exploitation of this zero-day has severe security implications, enabling UNC6201 to:
  - **Achieve lateral movement** within victim networks 【1】.
  - **Maintain persistent access**, making it difficult to eradicate 【1】.
  - **Deploy a range of malware**, including custom backdoors like GRIMBOLT 【1】.
  - Utilize novel tactics such as "Ghost NICs" and iptables for Single Packet Authorization (SPA) to further their operations within VMware environments 【1】.
  
  **Technical Details:**
  The exploitation process involves:
  - **Initial Access:** Exploiting the Apache Tomcat Manager interface, often using default administrative credentials 【1】.
  - **Malware Deployment:** Uploading malicious WAR files through the compromised Tomcat Manager 【1】.
  - **Persistence:** Modifying the `convert_hosts.sh` script to ensure continued access 【1】.
  - **GRIMBOLT Backdoor:** This backdoor is written in C# and compiled using native ahead-of-time (AOT) compilation, which is designed to hinder static analysis and boost performance 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the following:
  - **Vulnerability:** The critical zero-day vulnerability CVE-2026-22769 in Dell RecoverPoint for Virtual Machines 【1】.
  - **Threat Actor:** UNC6201, a suspected PRC-nexus threat cluster 【1】.
  - **Indicators of Compromise (IOCs):** Specific file hashes and network indicators detailed in the article are crucial for detection 【1】.
  - **Mitigation:** Dell has released security advisories and patches for CVE-2026-22769; applying these is essential 【1】.
  - **Hardening and Detection:** The article provides actionable guidance for hardening systems and opportunities for detection 【1】.
  - **Novel Tactics:** Be vigilant for advanced techniques like "Ghost NICs" and iptables-based SPA within VMware environments 【1】.
• Announcing the "AI Agent Standards Initiative" for Interoperable and Secure Innovation - NIST 🔍 Show Kagi Synopsis
  The National Institute of Standards and Technology (NIST), through its Center for AI Standards and Innovation (CAISI), has launched the **"AI Agent Standards Initiative"** 【1】.
  
  - **What Happened:** NIST has initiated a program to develop industry-led standards and protocols for AI agents. These agents are designed to perform autonomous actions on behalf of users. The goal is to ensure these agents are secure, interoperable, and widely adopted with public trust 【1】.
  
  - **Who is Affected:** This initiative affects **developers, users, and stakeholders within the AI industry**. The broader public will also benefit from more reliable and secure AI agents 【1】.
  
  - **Security Implications:** The primary security implication is to **ensure AI agents function securely and reliably**. This initiative aims to build public trust and prevent a fragmented AI ecosystem that could arise from a lack of confidence in agent interoperability and reliability 【1】.
  
  - **Technical Details:** The initiative will focus on developing **standards and open-source protocols for AI agents**. It will also advance research in **AI agent security and identity** to promote trusted adoption 【1】.
  
  - **What Defenders Should Know:** Defenders and stakeholders should stay informed about NIST's upcoming deliverables, guidelines, and opportunities for public input. This includes responding to Requests for Information (RFIs) concerning AI agent security and identity, and participating in listening sessions. The initiative also emphasizes U.S. leadership in international standards bodies and community-led open-source protocol development 【1】.
• BYOVD: Use 360 ​​WFP driver to block EDR/XDR network connection. - infosec.pub 🔍 Show Kagi Synopsis
  A Proof of Concept (PoC) exploit has been developed that demonstrates the misuse of **360 Security's WFP driver IOCTL interfaces**【1】. This vulnerability allows a process with administrator privileges to **block or throttle network access for arbitrary target processes**【1】.
  
  **What Happened:**
  The exploit targets two device objects, `\.360TdiFilter` and `\.360TdiSpeed`, within the 360 Security WFP driver【1】. The driver's `IrpMjDeviceControl` function does not authenticate the caller or validate the source of the request. This allows any process with administrator privileges to interact with these devices and issue specific IOCTL commands (0x220804 and 0x220444) to manipulate WFP filtering rules, effectively blocking or throttling network traffic for other processes【1】.
  
  **Who is Affected:**
  **Any administrator-privileged process** on a system with 360 Security installed can be used to exploit this vulnerability【1】. The PoC specifically targets a process path (e.g., `notepad.exe`), but the exploit can be directed at any process on the system【1】.
  
  **Security Implications:**
  The primary security implication is the **elevation or misuse of administrative privileges** to arbitrarily block network access for other processes【1】. This bypasses authentication mechanisms for IOCTL commands and can lead to denial-of-service conditions at the network level【1】. Attackers could dynamically modify WFP filters without proper controls, causing persistent or widespread network outages for targeted applications【1】.
  
  **Technical Details:**
  The exploit involves opening the device objects and constructing an input data structure named `PACK`. This structure contains fields such as `szNtPath`, `szPath`, `bCancelFlag`, `qwBlockCnnt`, `nLimitSend`, and `nLimitRecv`【1】. When the `qwBlockCnnt` field is set to `LLONG_MAX`, the WFP callout returns `FWP_ACTION_BLOCK`, which blocks all connections for the targeted process【1】. The specific IOCTLs used are `0x220804` for setting block/throttle actions and `0x220444` for modifying WFP filtering rules【1】. The demonstration involves opening `\.360TdiFilter`, preparing the input, and issuing IOCTL `0x220804` to block a target process【1】.
  
  **What Defenders Should Know:**
  Defenders should implement robust security practices, including:
  - **Validating device object and caller identity** within IOCTL handlers【1】.
  - Implementing **least privilege checks** to restrict access to sensitive functions【1】.
  - **Restricting access to sensitive IOCTLs** and employing authentication, logging, and integrity checks【1】.
  - **Monitoring for anomalous device usage**【1】.
  - Considering the use of **robust WFP policy management** and applying defense-in-depth strategies around network filtering components【1】.
• adwsdomaindump: Active Directory information dumper via ADWS for evasion purposes - mverschu (GitHub) 🔍 Show Kagi Synopsis
  The cybersecurity article describes **ADWSDomainDump**, a tool that dumps information from Active Directory using Active Directory Web Services (ADWS) 【1】. It is a fork of the `ldapdomaindump` tool, adapted to use ADWS instead of LDAP 【1】.
  
  **What Happened:**
  The tool was developed to extract information from Active Directory by leveraging ADWS 【1】.
  
  **Who is Affected:**
  Organizations that use **Active Directory** are potentially affected, as this tool is designed to interact with and extract data from it 【1】.
  
  **Security Implications:**
  The primary security implication is the potential for **unauthorized information disclosure** from Active Directory environments. The tool's ability to bypass security measures like Microsoft Defender for Endpoint and CrowdStrike Falcon suggests it could be used by attackers to gather intelligence without immediate detection 【1】. This information could then be used for further, more targeted attacks.
  
  **Technical Details:**
  - **Functionality:** ADWSDomainDump connects to an ADWS host (typically on port 9389) and performs a domain dump 【1】.
  - **Installation:** It can be installed using `pipx` 【1】.
  - **Usage:** The tool requires credentials (username and password) and the IP address or hostname of a domain controller 【1】.
  - **Evasion Capabilities:** It has demonstrated the ability to bypass **Microsoft Defender for Endpoint** and **CrowdStrike Falcon** 【1】.
  - **Underlying Technology:** It is an adaptation of `ldapdomaindump`, switching the protocol from LDAP to ADWS 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that tools like ADWSDomainDump exist and can potentially evade common Endpoint Detection and Response (EDR) solutions 【1】. This highlights the need for:
  - **Robust monitoring:** Implementing comprehensive logging and monitoring that goes beyond signature-based EDR detection.
  - **Network traffic analysis:** Scrutinizing network traffic for unusual ADWS activity.
  - **Credential security:** Enforcing strong password policies and multi-factor authentication to prevent credential compromise.
  - **Regular security assessments:** Conducting penetration tests and vulnerability assessments that specifically look for weaknesses in Active Directory security and the effectiveness of deployed security tools.
  - **Understanding ADWS:** Familiarizing security teams with the ADWS protocol and its potential misuse.
• Process Preluding: Child Process Injection Before The Story Begins - Origin Technology and Prelude 🔍 Show Kagi Synopsis
  The cybersecurity article discusses a technique known as **Process Preluding**, which allows adversaries to inject code into a child process before security software is alerted to its existence 【1】.
  
  **What Happened:**
  Process Preluding exploits a timing vulnerability in the Windows process creation process, specifically when using legacy APIs like `NtCreateUserProcess` 【1】. This technique allows attackers to insert malicious code into a newly created process before endpoint security products can monitor its activities 【1】.
  
  **Who is Affected:**
  This vulnerability affects **Windows 10 and Windows 11 systems** 【1】. Additionally, any **endpoint security solutions** that do not adequately address the timing discrepancies in legacy process creation callbacks are susceptible 【1】.
  
  **Security Implications:**
  The primary security implication is the ability for attackers to **execute arbitrary code undetected** 【1】. This can be used for various malicious purposes, such as deploying malware or stealing sensitive data, without triggering standard security alerts like `VirtualProtectEx` or `WriteProcessMemory` events 【1】.
  
  **Technical Details:**
  The exploit capitalizes on a narrow window that exists between the creation of a process object and the initiation of its first thread and associated callbacks 【1】. Attackers can leverage legacy `NtCreateProcess` to create a process with a section object, write their shellcode into it, and even establish a malicious entry point (e.g., by overwriting `PostProcessInitRoutine`) before the security software becomes aware of the process 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that **traditional process creation notifications can be bypassed** using this method 【1】. Potential mitigation strategies include:
  - Enabling Threat-Intelligence logging earlier in the process 【1】.
  - **Flagging or blocking processes created via legacy APIs**, which can be identified by the absence of `GUID_ECP_CREATE_USER_PROCESS` 【1】.
  - Ensuring that security products are designed to **correctly handle the process handle creation callback** to detect processes in their pre-creation phase 【1】.
• Your car is spying on you – and Israeli firms are leading the surveillance race - Haaretz 🔍 Show Kagi Synopsis
  The article discusses how **Israeli companies are at the forefront of developing and selling advanced cyber tools that can exploit car technology for surveillance purposes** 【1】. This practice, termed CARINT, transforms vehicles into potent intelligence-gathering devices 【1】.
  
  **What Happened:**
  Israeli firms have created sophisticated cyber tools capable of hacking into a car's systems. These tools leverage data transmitted from the car's SIM card to the cloud, including information from hands-free systems and tire-pressure sensors, to collect intelligence on individuals 【1】.
  
  **Who is Affected:**
  The primary individuals affected are **car owners**, whose vehicles are being turned into surveillance tools without their explicit knowledge or consent 【1】.
  
  **Security Implications:**
  The security implications are substantial, primarily revolving around **significant privacy concerns and the potential for misuse of the collected data** 【1】. The ability to remotely access and exploit vehicle data raises questions about data security and individual liberties.
  
  **Technical Details:**
  The article mentions that the technology exploits **data transmitted from SIM cards in cars to the cloud** 【1】. This data can include information gathered from hands-free systems and tire-pressure sensors 【1】. However, the provided text does not offer more in-depth technical specifications.
  
  **What Defenders Should Know:**
  The provided text **does not contain specific information regarding what defenders should know** about mitigating these threats or protecting against such surveillance 【1】.
• ClickFix: Stopped at ⌘+V - **Patrick Wardle** is the author of the content, and **The Objective-See Foundation** controls the content posted at the URL . 🔍 Show Kagi Synopsis
  The cybersecurity article details a social engineering tactic known as **"ClickFix" attacks**, where victims are manipulated into copying and pasting malicious commands into their terminal applications 【1】.
  
  **What Happened:**
  Attackers use deceptive methods, such as AI-generated instructions, fake support articles, or impersonations, to convince users to execute commands in their terminal 【1】.
  
  **Who is Affected:**
  These attacks affect **both macOS and Windows users**, including individuals who may not be considered advanced computer users 【1】.
  
  **Security Implications:**
  A significant security implication is that ClickFix attacks can **bypass macOS's Gatekeeper and Notarization protections** 【1】. This allows attackers to execute arbitrary commands, download and install malware, and ultimately compromise the user's system 【1】.
  
  **Technical Details:**
  The ClickFix technique exploits user trust and normal system operations rather than exploiting software vulnerabilities 【1】. A potential defense involves **intercepting paste operations** (`Command+V`) into terminal applications. This can be achieved by using global event monitors to detect the paste shortcut, identify if the target is a terminal application, and then temporarily pause the terminal to allow the user to confirm the action 【1】. It's noted that Apple's Endpoint Security framework is not sufficient for this type of detection, and analyzing clipboard content for suspicious patterns could further enhance protection 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that this attack vector relies on **social engineering and user trust** 【1】. Proposed defenses focus on monitoring and controlling paste operations into terminal applications, though these methods may have limitations such as not detecting right-click pastes and potentially generating false positives 【1】. Enhancements like clipboard content analysis are also suggested 【1】.
• STOP THE CAP: Making Entra ID Conditional Access Make Sense Offline - SpecterOps - SpecterOps 🔍 Show Kagi Synopsis
  The article discusses **CAPSlock**, a new tool designed to analyze **Microsoft Entra ID Conditional Access policies (CAPs)** offline 【1】.
  
  **What Happened:**
  The SpecterOps team developed CAPSlock to address the challenge of understanding and analyzing complex Entra ID Conditional Access policies. These policies can be difficult to interpret, especially when multiple policies overlap, potentially leading to security vulnerabilities or misconfigurations 【1】.
  
  **Who is Affected:**
  - **Red teamers and penetration testers:** The tool helps them identify potential bypasses and weaknesses in Conditional Access policies 【1】.
  - **Blue teamers and administrators:** They can use CAPSlock to audit the design and enforcement of their CAPs, ensuring they are configured correctly and effectively 【1】.
  
  **Security Implications:**
  The primary security implication highlighted is that the inherent complexity of Entra ID Conditional Access policies can obscure their actual enforcement logic. This complexity can inadvertently create security gaps or allow unintended access, which CAPSlock aims to expose 【1】.
  
  **Technical Details:**
  CAPSlock functions by processing exported CAP data, typically gathered using tools like ROADrecon. It simulates various sign-in scenarios by evaluating user, resource, device, and client application attributes. The tool differentiates between policies that are definitively applied and those that rely on runtime signals. It also handles data normalization and identifies potential enforcement gaps by analyzing a wide range of sign-in conditions 【1】.
  
  **What Defenders Should Know:**
  Defenders need to understand that Conditional Access policies are cumulative, meaning their combined effect can be intricate. The complexity can make it difficult to grasp the full enforcement logic. Tools like CAPSlock offer a proactive method for auditing and understanding these policies, enabling defenders to strengthen their security posture by identifying and rectifying potential issues before they can be exploited 【1】.
• ksentinel: Linux kernel integrity monitor for detecting syscall hooking - MatheuZSecurity 🔍 Show Kagi Synopsis
  ksentinel is a Linux kernel module designed to **detect rootkit activities** by monitoring critical kernel functions and the syscall table for unauthorized modifications 【1】.
  
  **What Happened:**
  ksentinel was developed to provide a means of detecting sophisticated rootkits that attempt to compromise system integrity and confidentiality. It focuses on identifying common rootkit techniques such as ftrace hooks, kprobes, and syscall table hijacking 【1】.
  
  **Who is Affected:**
  The tool is intended for **system administrators and security researchers** managing and analyzing Linux systems 【1】.
  
  **Security Implications:**
  The primary security implication is the **early detection of advanced rootkits** that aim to subvert system security. This allows defenders to identify potential compromises before they can cause significant damage 【1】.
  
  **Technical Details:**
  ksentinel operates by:
  - **Checking the integrity of function prologues** using FNV-1a hashing 【1】.
  - **Monitoring the 512-entry syscall table** for unauthorized changes 【1】.
  - **Verifying the LSTAR MSR** on x86_64 architectures 【1】.
  - Implementing an **anti-unload protection mechanism** 【1】.
  - Monitoring various kernel layers including the VFS, network stack, credentials, module system, tracing infrastructure, and over 500 syscall wrappers 【1】.
  It supports x86_64 and ARM64 Linux systems with kernel versions from 5.4 up to 6.12+ 【1】.
  
  **What Defenders Should Know:**
  - **ksentinel provides detection capabilities only; it does not prevent or remove rootkits** 【1】.
  - The module **assumes the kernel is clean when it is loaded**. Rootkits loaded prior to ksentinel may not be detected 【1】.
  - For optimal effectiveness, **ksentinel should be loaded as early as possible during the boot process** 【1】.
  - The unlock key for its anti-unload protection needs to be **stored securely offline** 【1】.
• Keenadu the tablet conqueror and the links between major Android botnets - AO Kaspersky Lab 🔍 Show Kagi Synopsis
  The cybersecurity article details the discovery of **Keenadu**, a sophisticated Android backdoor that infects devices by embedding itself within the device's firmware.
  
  **What Happened:**
  Keenadu compromises the `libandroid_runtime.so` library, a critical component of the Android runtime. By hooking into the `Zygote` process, it gains the ability to infect every application on the device. This allows attackers to achieve extensive remote control over the infected device. The malware is designed for various malicious activities, including data exfiltration, hijacking search engine results, monetizing app installations, and potentially stealing user credentials 【1】.
  
  **Who is Affected:**
  Keenadu has been found in devices from **multiple manufacturers**. The report indicates that over **13,715 users worldwide** have been affected. The most impacted regions include **Russia, Japan, Germany, Brazil, and the Netherlands** 【1】.
  
  **Security Implications:**
  The security implications of Keenadu are severe. It effectively **bypasses Android's app sandboxing** mechanisms, a fundamental security feature. Furthermore, it provides attackers with interfaces to **manipulate app permissions**, granting them unrestricted access to the device's resources and data 【1】.
  
  **Technical Details:**
  Keenadu operates using a **client-server architecture**, referred to as `AKClient` and `AKServer`. It employs a multi-stage loading process for its operations. The distribution methods are varied and concerning, including:
  - **Firmware compromises**: This suggests supply chain attacks where the malware is introduced during the manufacturing process 【1】.
  - **System apps**: It can be disguised as or bundled with legitimate system applications 【1】.
  - **Modified popular apps**: Attackers may distribute tampered versions of well-known applications 【1】.
  - **Other botnets**: Keenadu has also been found to be distributed by other Android botnets, such as BADBOX 【1】.
  
  **What Defenders Should Know:**
  Defenders face a significant challenge because Keenadu, when embedded in the firmware, is **extremely difficult to remove**. Attempting to remove it without proper expertise can **"brick" the device**, rendering it unusable 【1】. Recommendations for defense include:
  - **Checking for clean firmware updates** from manufacturers 【1】.
  - **Manually flashing devices** with clean firmware, though this should be done with caution 【1】.
  - **Disabling infected system apps** if possible 【1】.
  - For apps installed from third-party sources or Google Play, **uninstallation is a viable option** 【1】.
  The article also highlights the **interconnectedness of major Android botnets**, including Triada, BADBOX, Vo1d, and Keenadu, indicating a complex and competitive malware ecosystem 【1】.
• A New RAT and a Hands-on-Keyboard Intrusion - Huntress 🔍 Show Kagi Synopsis
  The cybersecurity article details a sophisticated hands-on intrusion that began with a **ClickFix social engineering prompt**, leading to the deployment of the **Matanbuchus 3.0 MaaS loader** and a newly identified **RAT named AstarionRAT** 【1】.
  
  **What Happened:**
  The attack commenced with a social engineering tactic using a ClickFix prompt, which then delivered the Matanbuchus loader. This loader deployed AstarionRAT, a Remote Access Trojan with advanced capabilities. The attackers rapidly moved laterally within the network, achieving domain controller compromise in approximately 40 minutes. They created rogue local administrator accounts, utilized RDP and PsExec for further propagation, and attempted to evade detection by creating Defender exclusions. While some of their actions were halted by Microsoft Defender quarantines, the attackers demonstrated significant technical proficiency in their methods 【1】.
  
  **Who is Affected:**
  The primary targets appear to be **organizations using Windows domains**, with the observed intrusion affecting specific companies. The attackers leveraged compromised service accounts and created rogue administrator accounts to facilitate their spread 【1】.
  
  **Security Implications:**
  This incident highlights several critical security implications:
  - **Advanced Malware Delivery:** The use of a MaaS (Malware-as-a-Service) loader like Matanbuchus 3.0 indicates a trend towards sophisticated, multi-stage attack payloads.
  - **Layered Evasion Techniques:** AstarionRAT employs a wide array of techniques to bypass defenses, including DLL sideloading, KnownDlls unhooking to evade EDR, obfuscated strings, encryption (ChaCha20 with RSA-encrypted beacons), in-memory execution, and reflective PE loading 【1】.
  - **Rapid Lateral Movement:** The speed at which attackers gained control of domain controllers underscores the importance of swift detection and response capabilities.
  - **Sophisticated C2 Communication:** The RAT uses encrypted C2 communications with RSA-encrypted beacons and a 24-command dispatcher, making it harder to detect and analyze 【1】.
  
  **Technical Details:**
  - **Initial Access:** ClickFix social engineering prompt.
  - **Loader:** Matanbuchus 3.0, using staged MSI droppers with legitimate binaries and Windows path obfuscation.
  - **RAT:** AstarionRAT, featuring 24 commands, RSA-encrypted C2, SOCKS5 proxy, credential theft capabilities, and a reflective loader.
  - **Execution:** Stage 1 and Stage 2 payloads reconstruct the final Beacon.exe in memory. It also utilizes an embedded Lua interpreter and KnownDlls unhooking for EDR evasion 【1】.
  - **Lateral Movement:** Achieved through RDP and PsExec, with the creation of rogue local administrator accounts.
  - **C2 Communication:** Employs ChaCha20 encryption for C2 communications, with RSA-encrypted beacons and metadata beacons. The malware also includes anti-sandbox checks 【1】.
  - **Indicators of Compromise (IOCs):** Specific C2 hostnames (e.g., binclloudapp.com, marle.io), file paths in AppData, and hashes for SysUpd.
  
  **What Defenders Should Know:**
  Defenders need to be aware of and implement measures against these advanced threats:
  - **User Education:** Train users to be wary of social engineering tactics, especially those involving copy-paste prompts or multi-line commands in the Run dialog 【1】.
  - **Endpoint Hardening:** Disable the Run dialog and implement robust endpoint detection and response (EDR) solutions.
  - **Monitoring:**
  - Monitor for the creation of rogue local administrator accounts and suspicious account privilege escalations.
  - Closely observe the usage of PsExec and other legitimate administrative tools for malicious purposes.
  - Watch for suspicious MSI installations originating from non-corporate sources.
  - Monitor for attempts to manipulate KnownDlls and the deployment of reflective loaders 【1】.
  - **Network Segmentation:** Implement network segmentation to limit the blast radius of a compromise.
  - **Detection Rules:** Utilize YARA rules for AstarionRAT and the Matanbuchus loader, and map IOCs for proactive threat hunting 【1】.
  - **Incident Response:** Prioritize timeline-based containment, establish clear authority on the use of tools like PsExec, and be prepared for sophisticated EDR bypass techniques 【1】.