InfoSec Briefing - April 02, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. Today's security briefing covers developments from Wednesday, April 01, 2026, with 7 articles analyzed. All attribution is by the article authors. All article analysis is automated.

0x3oBAD reports on a sophisticated attack campaign by the China-linked APT group Mustang Panda using a PlugX malware variant. The attack chain utilized malicious link files, PowerShell scripts, and DLL side-loading via legitimate executable ErsChk.exe, followed by multi-stage decryption to deploy a reflective PlugX loader that establishes command and control communication with advanced obfuscation, in-memory execution, and evasion techniques including dynamic API resolution through hashing.

A hosting provider detected a malicious Notepad++ update distributed through a compromised software distribution channel. Attackers accessed shared hosting accounts from Taiwan, Vietnam, Singapore, Hong Kong, Japan, and China using ProtonVPN, deploying PHP tunnels on the hosting infrastructure, with the provider identifying malicious PHP files through specific SHA-256 hashes and attacker IP addresses.

BleepingComputer reports that Cisco suffered a breach resulting in theft of source code from over 300 GitHub repositories after threat actors exploited stolen credentials from a supply chain attack involving Trivy. The attack chain involved a malicious GitHub Action plugin that distributed the TeamPCP Cloud Stealer infostealer, compromising Trivy's CI/CD pipeline and subsequently providing access to Cisco's development environment and AWS keys.

According to Google Threat Intelligence Group and Mandiant, North Korea-nexus threat actor UNC1069 compromised the widely used axios NPM package on March 31, 2026, by introducing a malicious dependency called plain-crypto-js into axios releases 1.14.1 and 0.30.4. The attack deployed WAVESHAPER.V2 RAT across Windows, macOS, and Linux systems, affecting hundreds of millions of users and enabling reconnaissance, command execution, and secret theft through supply chain compromise.

Patrick Wardle and the Objective-See Foundation published a reverse engineering analysis of Apple's native protections against ClickFix attacks in macOS 26.4. The analysis reveals Apple implemented protections using new reserved Endpoint Security events, types 148 and 149, within the xprotectd component that detect when users attempt to paste terminal commands from applications like Safari, though these protections are not accessible to third-party security tools.

A developer has released WinDbg MCP, a newly developed tool that exposes all pybag Windows debugger functions as a Model Context Protocol server. This enables AI coding assistants and custom agents to programmatically control user-mode processes, kernel sessions, and crash dump analysis, providing 55 distinct debugger functions accessible through typed tool calls with structured JSON responses.

GReAT analyzes CrystalX RAT, a Malware-as-a-Service platform active since March 2026 that combines traditional RAT capabilities including stealer, keylogger, clipper, and spyware functions with unique prankware features. Dozens of victims have been identified primarily in Russia, though the platform poses a global threat with no regional limitations, and the MaaS model indicates an evolving threat requiring monitoring of command and control infrastructure and implant hashes.

That concludes today's briefing.

📰 Articles Covered

No Paste for You! - Reverse Engineering Apple's ClickFix Protections - The content is controlled by **Patrick Wardle** and the **Objective-See Foundation**.

The **ClickFix attack technique** involves tricking users into copying and pasting malicious commands into their terminal, which can bypass operating system protections like macOS's Gatekeeper and Notarization 【1】. This technique is being adopted by various threat actors, from opportunistic cybercriminals to more sophisticated groups 【1】.

**Who is Affected:**
**macOS and Windows users** are affected by the ClickFix attack technique 【1】.

**Security Implications:**
The primary security implication is the **bypass of OS-level protections**, allowing attackers to execute malicious code even when security features are in place 【1】. This makes it a significant threat for users who might be tricked into executing commands without fully understanding the consequences.

**Technical Details:**
Apple has introduced native protection against ClickFix in **macOS 26.4**. This protection is integrated into the operating system and warns users when they attempt to paste terminal commands from certain applications, such as Safari 【1】.

The underlying mechanism for this protection appears to be related to new **Endpoint Security (ES) events**. Specifically, in macOS 26.3, a new ES event string, `es_event_paste_t`, was discovered within the `xprotectd` component 【1】. Further analysis in macOS 26.4 revealed that `xprotectd` subscribes to two new, undocumented ES events: `ES_EVENT_TYPE_RESERVED_0` (type 148) and `ES_EVENT_TYPE_RESERVED_1` (type 149) 【1】. These events are not directly subscribable by third-party tools, suggesting they are reserved for Apple's internal use 【1】.

Debugging these system binaries requires disabling **System Integrity Protection (SIP)** and **Apple Mobile File Integrity (AMFI)** 【1】. By examining the `es_new_client` function, which establishes event handlers, researchers were able to identify the memory address of the callback function (`0x000000010001ec94`) responsible for handling these reserved paste events 【1】. The callback receives an `es_message_t` which contains event-specific data 【1】.

**What Defenders Should Know:**
Defenders should be aware of the **ClickFix attack technique** and its ability to circumvent traditional security measures 【1】. While Apple has implemented native protections in recent macOS versions, these protections rely on new Endpoint Security events that are not accessible to third-party security solutions 【1】. This means that while macOS users may receive warnings, the underlying detection and prevention capabilities might be limited for security tools that cannot monitor these specific reserved ES events. Understanding the mechanics of how these paste events are handled by `xprotectd` can provide insights into potential detection strategies, although direct subscription to these events is not possible 【1】.
windbg-mcp: An MCP (Model Context Protocol) server that turns all pybag Windows debugger functions into native MCP tools. control user-mode processes, kernel sessions, and crash dump an - The content at the provided URL is controlled by an individual user account, as indicated by the repository's owner.

The cybersecurity article details **WinDbg MCP**, a tool that exposes every pybag Windows debugger function as a native Model Context Protocol (MCP) server. This allows MCP-compatible clients, such as AI coding assistants and custom agents, to gain full control over user-mode processes, kernel sessions, and crash dump analysis through typed tool calls with structured JSON responses. 【1】

### What Happened

The article describes the development and functionality of WinDbg MCP, a system that bridges the gap between the powerful WinDbg debugger and modern AI development environments. It enables AI agents to interact with and control Windows debugging processes programmatically. 【1】

### Who is Affected

* **Developers and Security Researchers:** Those who use AI-powered coding assistants (like Claude Desktop, Claude Code, Cursor, Continue.dev) or custom agents for debugging, exploit development, and system analysis on Windows. 【1】
* **System Administrators and Incident Responders:** Individuals who might leverage AI tools for analyzing system crashes or investigating security incidents on Windows. 【1】

### Security Implications

The primary security implication is the **enhanced capability for both offensive and defensive security operations**.

* **Offensive:** Malicious actors could potentially use this tool to automate the analysis of vulnerabilities, develop exploits, or gain deeper control over compromised systems by integrating WinDbg functionalities into their attack frameworks. 【1】
* **Defensive:** Security professionals can use WinDbg MCP to accelerate malware analysis, reverse-engineer malicious software, and automate the investigation of system compromises. The ability to programmatically control a debugger allows for more sophisticated and efficient analysis of complex threats. 【1】

### Technical Details

WinDbg MCP acts as a server that translates debugger commands into MCP tool calls. It requires:

* **Windows Operating System:** As it relies on Microsoft Debugging Tools for Windows. 【1】
* **Python 3.10+:** The server is implemented in Python. 【1】
* **Microsoft Debugging Tools for Windows:** Installed as part of the Windows SDK. 【1】

The tool exposes **55 distinct debugger tools** categorized into:

* **Session Management:** Creating, attaching to, and loading dumps of processes. 【1】
* **Execution Control:** Resuming, stepping, tracing, and setting execution to specific points. 【1】
* **Breakpoints:** Setting software and hardware breakpoints with various conditions and actions. 【1】
* **State Captures:** Saving and retrieving register states, stack information, and memory dumps at breakpoint hits. 【1】
* **Memory Operations:** Reading, writing, and inspecting process memory. 【1】
* **Register Access:** Getting, setting, and inspecting CPU registers. 【1】
* **Symbols & Disassembly:** Resolving symbol names, finding symbols, and disassembling code. 【1】
* **Modules:** Listing and inspecting loaded modules, their exports, and imports. 【1】
* **Threads & Stack:** Managing threads, inspecting call stacks, and accessing TEB/PEB. 【1】
* **Process & Utility:** Getting process handles, bitness, and executing raw WinDbg commands. 【1】

It communicates using **JSON-RPC 2.0** over standard input/output (stdio), making it language-agnostic for custom integrations. 【1】

### What Defenders Should Know

Defenders should be aware that WinDbg MCP significantly lowers the barrier to programmatic debugging on Windows. This means:

* **Automated Analysis:** Complex debugging tasks, such as exploit verification, crash dump analysis, heap spray verification, ASLR checks, and thread inspection, can be automated and integrated into AI-driven workflows. 【1】
* **Enhanced Threat Hunting:** Incident responders can use these tools to quickly analyze malware behavior, understand exploit chains, and investigate system anomalies by leveraging AI to guide the debugging process. 【1】
* **Symbol Path Configuration:** For effective symbol resolution, defenders may need to configure the Microsoft symbol server using raw WinDbg commands like `.sympath srv*C:\\symbols*https://msdl.microsoft.com/download/symbols` and `.reload`. 【1】
* **Timeout Tuning:** When debugging long-running processes or complex scenarios, adjusting the `timeout` parameter for the `go()` command is crucial to prevent premature termination of the debugging session. 【1】
* **Raw Command Escape Hatch:** The `raw` tool provides access to any WinDbg command not directly exposed by the MCP interface, offering flexibility for advanced or specialized debugging needs. 【1】
An analysis of CrystalX commercial RAT with prankware features - GReAT

The cybersecurity article discusses the **CrystalX RAT**, a sophisticated Malware-as-a-Service (MaaS) platform that became active in March 2026.

- **What Happened**: CrystalX RAT, initially known as Webcrystal RAT, was rebranded and aggressively marketed on platforms like Telegram and YouTube. It operates as a MaaS, offering a combination of Remote Access Trojan (RAT) functionalities, including stealer, keylogger, clipper, and spyware capabilities. A distinctive feature is its inclusion of "prankware" functions intended to annoy and troll users. The exact initial infection vector is not specified.

- **Who is Affected**: Dozens of victims have been identified, primarily located in **Russia**. However, the MaaS platform has no regional limitations and is considered a **global threat**.

- **Security Implications**: The CrystalX RAT poses significant security risks. It can **steal credentials**, **monitor user activities**, **disrupt systems**, and cause distress through its prank features. The active development of new implant versions indicates a growing and evolving threat.

- **Technical Details**: The CrystalX RAT is a MaaS platform with extensive RAT capabilities. It uniquely incorporates a suite of "prankware" features alongside traditional malicious functions like stealing information, logging keystrokes, and spying on users.

- **What Defenders Should Know**: Defenders need to be aware of CrystalX RAT's **MaaS model**, which implies a service-oriented approach to malware distribution. They should also be cognizant of its **broad feature set**, including the unusual prank commands. Monitoring provided **Indicators of Compromise (IoCs)**, such as Command and Control (C2) infrastructure domains and specific implant hashes, is crucial for detection and defense 【1】.
PlugX : Mustang Panda APT - 0x3oBAD

This cybersecurity article details a sophisticated attack campaign by the China-linked APT group **Mustang Panda**, utilizing a **PlugX malware variant** 【1】.

**What Happened:**
The attack begins with a malicious `.lnk` file that triggers a PowerShell script. This script then extracts a hidden payload from a decoy archive, employing obfuscated methods to write it to disk. The unpacked payload is executed, leading to a DLL side-loading technique where a legitimate executable, `ErsChk.exe`, is tricked into loading a malicious DLL, `Eraser.dll`. Within this DLL, a function named `eraserInit` acts as a stealthy loader. It decrypts another payload, `Eraser.dat`, in memory and executes it using the `RtlRegisterWait` function within a thread pool worker thread. This shellcode loader then decrypts and transfers control to the final PlugX DLL payload. This final payload functions as a reflective loader, reconstructing the Portable Executable (PE) image in memory, dynamically resolving APIs through hashing (a DJB2 variant and ROL-13), and establishing communication with Command and Control (C2) servers. Persistence is maintained by creating or modifying a registry key in `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` 【1】.

**Who is Affected:**
The primary targets of this campaign are **government entities, diplomatic organizations, and non-governmental organizations (NGOs)** 【1】.

**Security Implications:**
The security implications are severe, including the potential for **significant data theft, complete system compromise, and prolonged surveillance** 【1】.

**Technical Details:**
- **Initial Access:** Malicious `.lnk` file executing a PowerShell script.
- **Payload Delivery:** Decoy archive containing a concealed payload, unpacked using obfuscated methods.
- **DLL Side-Loading:** `ErsChk.exe` loads `Eraser.dll`.
- **Stealthy Loader:** `eraserInit` function decrypts `Eraser.dat` in memory.
- **Execution Method:** Abuse of `RtlRegisterWait` within a thread pool worker thread.
- **Final Payload:** Reflective loader that reconstructs PE in memory.
- **API Resolution:** Dynamic resolution using hashing (DJB2 variant and ROL-13).
- **Command and Control (C2):** Communication established with C2 servers.
- **Persistence:** Modification of the `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` registry key 【1】.

**What Defenders Should Know:**
Defenders need to be aware of the **multi-stage nature of this attack** and its heavy reliance on **obfuscation techniques**. These include API hashing, string encoding, and control-flow flattening. The malware uses **dynamic API resolution** (via PEB traversal) and **stealthy execution methods** such as thread pool abuse and reflective loading. Static analysis is challenging due to these obfuscation and anti-analysis techniques, making **dynamic analysis and behavioral monitoring crucial for effective threat hunting**. Detection strategies should focus on identifying the initial PowerShell script, the DLL side-loading activity, unusual memory operations, and network indicators related to C2 communication 【1】.
Notepad++ compromise IoCs - Unknown hosting provider

A cybersecurity incident occurred involving a **malicious Notepad++ update** 【1】. The hosting provider detected attacker activity within their infrastructure, but the malicious update was not hosted on their servers, which limited their visibility into the complete attack chain and the full impact on end-users 【1】.

**Who is affected:**
The direct impact on end-users is not fully detailed, as the malicious update was not hosted on the provider's infrastructure 【1】. However, the hosting provider observed attacker-controlled shared hosting accounts being accessed from various geographic regions, including **Taiwan, Vietnam, Singapore, Hong Kong, Japan, and China**, often using **ProtonVPN** 【1】.

**Security implications:**
The incident highlights the potential for malicious actors to compromise software distribution channels, leading to widespread compromise if not detected. The use of VPNs and dynamic IP addresses by attackers makes attribution and tracking more challenging 【1】.

**Technical details:**
The incident involved malicious actors using specific **IP addresses** and **User-Agent strings** to communicate with a **PHP tunnel** 【1】. Malicious **PHP files** with identified **SHA-256 hashes** were discovered on shared hosting environments 【1】. The attacker-controlled shared hosting accounts were accessed from multiple countries using ProtonVPN, with varying source IPs across different sessions 【1】.

**What defenders should know:**
Defenders should be aware of the observed **malicious actor infrastructure IPs**, the **User-Agent strings** associated with the PHP tunnel, and the **SHA-256 hashes of malicious PHP files** 【1】. It is important to note that the observed IP addresses are indicators of the attacker's access to the hosting environment and may not definitively indicate end-user compromise, as these IPs can change frequently 【1】. The information is provided on an as-is basis, reflecting the data available at the time of the investigation 【1】.
Cisco source code stolen in Trivy-linked dev environment breach - BleepingComputer

A cybersecurity incident has affected **Cisco**, resulting in the **theft of source code** from its internal development environment 【1】. The breach was facilitated by threat actors who exploited stolen credentials obtained from a previous supply chain attack involving **Trivy** 【1】.

**Who is Affected:**
The compromised source code belongs to **Cisco** and its **customers**, which include **banks, BPOs, and US government agencies** 【1】. Over **300 GitHub repositories** were cloned, encompassing code for both released and unreleased products, including AI-powered offerings 【1】.

**Security Implications:**
This incident underscores the significant risks associated with **supply chain attacks** and the compromise of **CI/CD (Continuous Integration/Continuous Deployment) environments** 【1】. The theft of source code can lead to the exposure of intellectual property, potential for further exploitation, and a loss of trust. The compromise also involved the theft of **multiple AWS keys**, which were subsequently used for unauthorized activities 【1】.

**Technical Details:**
The attack chain involved the exploitation of a **malicious GitHub Action plugin** and the compromise of Trivy's GitHub pipeline, which distributed **credential-stealing malware** 【1】. The threat actors leveraged these stolen credentials to gain access to Cisco's development environment and clone the repositories 【1】. The malware used is identified as an infostealer known as "TeamPCP Cloud Stealer" 【1】.

**What Defenders Should Know:**
Defenders need to be aware of the sophisticated tactics employed in this attack, including the exploitation of **GitHub Actions** and the use of **infostealers** 【1】. It is crucial to understand the interconnectedness of various supply chain vulnerabilities, as demonstrated by the links between Trivy, LiteLLM, and Checkmarx in this incident 【1】. Organizations should strengthen their security posture around development environments, credential management, and supply chain risk assessment to mitigate similar threats 【1】.
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack - Google Cloud Blog, attributed to Google Threat Intelligence Group and Mandiant

A **North Korea-nexus threat actor**, identified as **UNC1069**, has compromised the widely used **axios NPM package**, a JavaScript library for making HTTP requests. This attack, which occurred on **March 31, 2026**, involved introducing a malicious dependency named `plain-crypto-js` (versions 4.2.0/4.2.1) into the axios releases 1.14.1 and 0.30.4 【1】.

**Who is affected:**
The compromise affects **hundreds of millions of users** who have downloaded the axios package 【1】. This includes developers and organizations relying on axios for their applications, potentially exposing them to the deployed malware.

**Security implications:**
The primary security implication is the **theft of secrets** and the potential for **unauthorized access and control** over compromised systems. The deployed malware, **WAVESHAPER.V2**, functions as a Remote Access Trojan (RAT), capable of reconnaissance, command execution, and file system enumeration 【1】. The attack leverages **supply-chain trust**, meaning that even systems that have not directly downloaded the malicious dependency are at risk if they use a compromised version of axios 【1】.

**Technical details:**
The malicious `plain-crypto-js` dependency utilized a `postinstall` hook to execute an obfuscated dropper script (`setup.js`). This script then loaded platform-specific payloads to deploy the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux systems 【1】. The backdoor communicates with command and control (C2) servers over port 8000 using JSON beacons, disguised by a hard-coded User-Agent 【1】. The dropper also includes a self-deletion mechanism and establishes persistence on Windows systems through registry Run keys 【1】. The payloads for different operating systems include PowerShell-based scripts for Windows, Mach-O binaries for macOS, and Python scripts for Linux 【1】.

**What defenders should know:**
Defenders should be aware of the Indicators of Compromise (IOCs) associated with this attack, including network indicators like the IP address **142.11.206.73** and the domain **sfrclak.com**, as well as file names related to WAVESHAPER.V2 variants 【1】. It is crucial to **audit dependencies** for `plain-crypto-js` versions 4.2.0/4.2.1 and to **pin known-good versions of axios**, specifically avoiding versions 1.14.1 and 0.30.4 【1】. Other recommended actions include:
- **Pausing deployments** until the situation is assessed 【1】.
- **Rotating credentials** that may have been exposed 【1】.
- **Monitoring for Node.js-spawned processes** that could indicate malicious activity 【1】.
- Implementing **secret vaulting and sandboxing** for developers 【1】.
- Hardening CI/CD pipelines by **pinning dependency versions** and clearing caches 【1】.
- **Blocking C2 domains** and isolating compromised hosts 【1】.
- Employing **Endpoint Detection and Response (EDR)** solutions 【1】.