The Cyber Byte - 1 April 2026
Recent reporting highlights a significant escalation in the scope and sophistication of cyber threats, from a major supply chain compromise of the widely used Axios npm package attributed to North Korean actors to the emergence of novel attack platforms like the EvilTokens Phishing-as-a-Service [1, 2]. Threat actors are increasingly leveraging advanced techniques, including AI-generated obfuscation in the new DeepLoad malware and the use of Microsoft device code phishing for Business Email Compromise (BEC) attacks [1, 6]. Concurrently, AI's dual-use nature was demonstrated as researchers used it to uncover critical remote code execution vulnerabilities in ubiquitous developer tools, while a ransomware affiliate's complete operational toolkit was exposed on a Russian server, revealing mature tactics for defense evasion and persistence [3, 7, 8].
Significant Cyber Incidents and Articles of Interest
Axios npm Package Compromise: A major software supply chain attack targeted the Axios npm package, a JavaScript HTTP client with over 100 million weekly downloads, impacting Linux, Windows, and macOS systems [2]. Threat actors compromised a maintainer's npm account and published two malicious versions, axios@1.14.1 and axios@0.30.4, which included a malicious dependency (plain-crypto-js) to drop cross-platform remote access trojans (RATs) [2]. The attack is attributed to the North Korean group UNC1069 (also known as BlueNoroff), known for financially motivated attacks against software developers and financial institutions [2].
EvilTokens Phishing-as-a-Service Emerges: Security researchers uncovered "EvilTokens," a new and rapidly adopted Phishing-as-a-Service (PhaaS) platform specializing in Microsoft device code phishing, a technique distinct from common Adversary-in-the-Middle (AitM) attacks [1]. Since mid-February 2026, the service has been providing turnkey phishing kits via Telegram bots, enabling affiliates to conduct Business Email Compromise (BEC) campaigns by tricking victims into authorizing the attacker's device on their Microsoft 365 account [1]. The kit includes advanced features for reconnaissance, email harvesting, and post-compromise token weaponization to access services like Exchange Online, SharePoint, and Teams [1].
DeepLoad Malware Campaign Leverages AI-Evasion: A new malware strain dubbed "DeepLoad" is being delivered in enterprise environments using a social engineering technique called "ClickFix," where users are tricked into running malicious commands to resolve a fake issue [6]. The malware features a fileless attack chain, using an AI-generated PowerShell loader with thousands of lines of meaningless code to overwhelm static scanners [6]. The payload is injected into the memory of legitimate Windows processes, such as the lock screen manager LockAppHost.exe, to evade detection. DeepLoad immediately begins stealing credentials from browsers, spreads via connected USB drives, and establishes persistence through Windows Management Instrumentation (WMI) event subscriptions, allowing it to reinfect systems even after standard remediation efforts [6].
TheGentlemen Ransomware Affiliate Toolkit Exposed: A complete ransomware operator's toolkit attributed to an affiliate of "TheGentlemen" Ransomware-as-a-Service (RaaS) was discovered in an exposed open directory on a Russian bulletproof hosting provider, Proton66 [3]. The 140 MB toolkit contained 126 files, including legitimate dual-use utilities like SoftPerfect Network Scanner and offensive tools like Mimikatz, PowerRun, and ngrok [3]. Logs found in the directory contained harvested NTLM hashes and usernames from real victims, confirming active use. The toolkit featured a comprehensive 35 KB batch script (z1.bat) designed to automate pre-encryption activities, including disabling over a dozen security products, deleting volume shadow copies, clearing event logs, and establishing persistence via accessibility backdoors [3].
OpenAI Codex Vulnerability Led to GitHub Token Theft: A critical command injection vulnerability was discovered and remediated in OpenAI's Codex, a cloud-based AI coding agent [4]. The flaw allowed an attacker to inject arbitrary commands through the GitHub branch name parameter when creating a task, leading to the theft of a user's GitHub OAuth token [4]. Researchers demonstrated an automated version of the attack where a maliciously crafted branch name in a GitHub repository could exfiltrate the tokens of any Codex user interacting with it. The vulnerability, which affected the ChatGPT website, Codex CLI, SDK, and IDE extensions, highlights the expanding attack surface created by integrating AI agents with developer workflows and sensitive credential stores [4].
Alleged Lockheed Martin Data For Sale: A dark web marketplace known as Threat Market is advertising an alleged 375 terabytes of data stolen from American aerospace and defense contractor Lockheed Martin for a buyout price of nearly $600 million [5]. The data was allegedly supplied by a group calling itself "APT IRAN." The authenticity of the massive data dump remains unconfirmed, as such claims are often exaggerated to attract buyers [5]. Coincidentally, a separate Iran-linked group, Handala Hack Team, began targeting individual Lockheed Martin employees with threats, though there is no clear link between the two incidents [5].
AI Discovers RCE Flaws in Vim and Emacs: Researchers used simple prompts with the Claude AI assistant to discover critical remote code execution (RCE) vulnerabilities in the widely used Vim and GNU Emacs text editors [7, 8]. The flaws allow an attacker to achieve arbitrary command execution simply by tricking a victim into opening a specially crafted file [7]. In Vim, the bug was related to insecure modeline handling that allowed for a sandbox escape, an issue that has since been patched in version 9.2.0272 [7, 8]. The Emacs vulnerability, which remains unpatched, stems from its integration with Git, allowing a malicious repository configuration file to execute arbitrary commands when a file is opened; the maintainers consider it a Git issue rather than an Emacs flaw [7].
Threat Actor Activity
EvilTokens PhaaS Affiliates: These actors are focused on Business Email Compromise (BEC) by leveraging a new Phishing-as-a-Service platform. Their primary TTP is Microsoft device code phishing, which tricks users into entering a code on a legitimate Microsoft login page to authorize the attacker's device. This method is distinct from traditional Adversary-in-the-Middle (AitM) phishing. Campaigns deliver lures via PDF, HTML, or DOCX attachments impersonating financial documents, meeting invites, or HR notices. The actors target employees in finance, HR, transportation, and sales globally, with campaigns observed across the Americas, Europe, Asia, and Oceania [1].
TheGentlemen Ransomware Affiliate: This operator utilizes a comprehensive toolkit of publicly available and dual-use tools to conduct ransomware intrusions. Key TTPs include reconnaissance with netscan.exe, privilege escalation with PowerRun to gain TrustedInstaller-level access, and extensive defense evasion by disabling over a dozen security vendors via batch scripts. They perform credential dumping from LSASS memory using Mimikatz, establish persistence through ngrok tunnels and accessibility feature backdoors (IFEO), and prepare for encryption by deleting Volume Shadow Copies. The affiliate was observed using infrastructure hosted by Proton66, a Russian bulletproof provider [3].
DeepLoad Malware Operators: This campaign begins with "ClickFix" social engineering to gain initial execution. The malware employs advanced evasion techniques, including a fileless payload, AI-generated obfuscation to defeat static scanning, and Asynchronous Procedure Call (APC) injection to hide within legitimate Windows processes like LockAppHost.exe. For persistence, the malware uses WMI event subscriptions, which can survive standard remediation. Its primary objectives are credential theft via a standalone stealer and a malicious browser extension, and lateral spread via compromised USB drives [6].
North Korean Actors (UNC1069 / BlueNoroff): This state-sponsored group, focused on financial gain, is assessed to be behind the Axios npm package compromise. Their TTP involves sophisticated software supply chain attacks, where they compromise the accounts of legitimate software maintainers to inject malicious code into widely used packages. They deploy cross-platform Remote Access Trojans (RATs) tailored for Windows, macOS, and Linux to maintain access, execute commands, and exfiltrate sensitive data like credentials and tokens. Their targets include software developers, financial institutions, cryptocurrency exchanges, and high-tech companies [2].
Indicators to Watch
New Malware and Phishing Kits:
EvilTokens: A new Phishing-as-a-Service specializing in Microsoft device code phishing. Monitor for phishing pages that use a unique X-Antibot-Token HTTP header in requests to backend infrastructure [1].
DeepLoad: A new fileless malware using AI-generated obfuscation. Monitor for "ClickFix" delivery, anomalous outbound connections from mshta.exe and LockAppHost.exe, and unexpected WMI event subscription creations [6].
Supply Chain Threats:
Be vigilant for malicious npm package versions axios@1.14.1, axios@0.30.4, and any version of plain-crypto-js. Systems with these packages should be considered compromised [2].
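To turn the supply chain indicator above into a check that can be run across repositories, the following script scans an npm lockfile for the two malicious axios versions and for plain-crypto-js at any version. It is an added example, not code from the newsletter or from the Axios project; the sample lockfile embedded in it is constructed for the demo, and the version numbers for the clean packages in that sample are made up.

```python
"""Scan an npm lockfile for the Axios supply chain indicators listed above.

Added example; it is not code from the newsletter or the Axios project. It
reads package-lock.json in the lockfileVersion 2/3 layout ("packages" keyed
by install path) with a fallback for the v1 nested "dependencies" tree.
"""
import json

# Indicators named in the newsletter: two exact axios versions, and
# plain-crypto-js at any version.
MALICIOUS_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
MALICIOUS_PACKAGES = {"plain-crypto-js"}


def _package_name(install_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    _head, sep, tail = install_path.rpartition("node_modules/")
    return tail if sep else install_path


def _walk_v1(deps, out):
    """lockfileVersion 1 nests transitive deps under each entry's 'dependencies'."""
    for name, meta in (deps or {}).items():
        out.append((name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies"), out)


def installed_packages(lock):
    """Return (name, version) pairs for every package recorded in the lockfile."""
    found = []
    if "packages" in lock:                      # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if path == "":                      # the root project entry
                continue
            found.append((_package_name(path), meta.get("version", "")))
    else:                                       # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), found)
    return found


def find_indicators(lock):
    """Return sorted 'name@version' strings matching a known-bad indicator."""
    hits = set()
    for name, version in installed_packages(lock):
        if name in MALICIOUS_PACKAGES or version in MALICIOUS_VERSIONS.get(name, ()):
            hits.add(f"{name}@{version}")
    return sorted(hits)


def scan_lockfile(path):
    """Convenience wrapper: scan a lockfile on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_indicators(json.load(fh))


# Constructed sample lockfile (v3 layout), not a real project: one clean
# dependency, the bad axios pin, and the malicious package it pulled in.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "1.14.1"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.0"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
}

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOCK):
        print("MATCH:", hit)   # a hit means the host, not just the project, needs review
```

Because the newsletter treats any system that installed these versions as compromised, a match should trigger host-level incident handling rather than just a dependency bump; the lockfile scan only tells you where to start.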
Emerging TTPs:
Device Code Phishing: A technique used by EvilTokens to compromise Microsoft 365 accounts by tricking users into entering a code on a legitimate Microsoft login page [1].
AI for Offense and Defense: AI is being used to generate evasive malware (DeepLoad) and discover critical zero-day vulnerabilities in common software (Vim, Emacs) [6, 7, 8].
WMI Persistence: DeepLoad uses WMI event subscriptions to create fileless persistence that can survive standard system cleanup procedures [6].
Command Injection via Branch Names: A novel vector demonstrated against OpenAI Codex where malicious commands were embedded in a GitHub branch name to exfiltrate credentials [4].
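Device code phishing leaves a distinctive trace in Microsoft 365 sign-in telemetry, because the logon completes through the device code flow rather than an interactive browser session. The script below, an added example that is not from the newsletter, surfaces those sign-ins from an exported sign-in log. It assumes records shaped like the Microsoft Graph signIn resource, with authenticationProtocol equal to "deviceCode" for device code logons; that field mapping is an assumption about your export, and the sample records are constructed.

```python
"""Surface device code sign-ins in Microsoft Entra sign-in log exports.

Added example, not from the newsletter. It assumes records shaped like the
Microsoft Graph signIn resource (userPrincipalName, ipAddress,
authenticationProtocol, appDisplayName), with authenticationProtocol equal to
"deviceCode" for device code flow logons; that field mapping is an assumption
about your export, and the records below are constructed.
"""
import json
from collections import defaultdict


def load_jsonl(path):
    """Read one sign-in record per line (a common export shape)."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def device_code_signins(records):
    """All sign-ins that completed via the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def suspicious_device_code_signins(records):
    """Device code sign-ins from an IP with no other sign-in history for that account.

    Device code flow is normal for CLI tools and headless devices, so alerting
    on every deviceCode record is noisy. The case worth review is a device
    code logon from an address that never appears in that user's other
    sign-ins. A user whose only sign-ins are device code ones has no baseline,
    so all of theirs are returned.
    """
    baseline = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline[r["userPrincipalName"]].add(r["ipAddress"])
    return [r for r in device_code_signins(records)
            if r["ipAddress"] not in baseline[r["userPrincipalName"]]]


def summarise(records):
    """Per user: how many device code sign-ins, and how many were flagged."""
    summary = defaultdict(lambda: {"device_code": 0, "suspicious": 0})
    for r in device_code_signins(records):
        summary[r["userPrincipalName"]]["device_code"] += 1
    for r in suspicious_device_code_signins(records):
        summary[r["userPrincipalName"]]["suspicious"] += 1
    return dict(summary)


# Constructed sample records (not real data). Alice has a normal browser
# sign-in and an expected CLI device code logon from the same office address,
# then a device code logon from an address she has never used.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
     "authenticationProtocol": "none", "appDisplayName": "Microsoft Teams"},
]

if __name__ == "__main__":
    for r in suspicious_device_code_signins(SAMPLE_SIGNINS):
        print("REVIEW:", r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
```

The baseline comparison is the useful part: organisations that legitimately use device code flow for command-line tooling cannot alert on the protocol alone, but a device code logon from an address the account has never otherwise used is a small, reviewable set.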
Key IOCs and Suspicious Patterns:
Network: Monitor for traffic to sfrclak.com (Axios C2), 176.120.22[.]127 (TheGentlemen toolkit server), and EvilTokens-related domains hosted on Cloudflare Workers (e.g., *-s-account.workers.dev) [1, 2, 3].
Endpoint: Alert on the execution of PowerRun.exe with TrustedInstaller privileges, batch clearing of event logs (wevtutil.exe cl), and mass network share creation (net share ... /GRANT:Everyone,FULL) [3]. Monitor for the creation of IFEO debugger
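The DeepLoad indicators in the "New Malware and Phishing Kits" item and the network and endpoint patterns in the two items above can be expressed as one small rule set over Sysmon-style telemetry. The script below is an added example, not code from the newsletter or any vendor report. It assumes events exported as dicts keyed with Sysmon field names (EventID, Image, CommandLine, DestinationIp, DestinationHostname, TargetObject); the IOC values are the ones the page lists, every sample event is constructed, and the IFEO rule is included because the page names IFEO debugger creation as a persistence pattern.

```python
"""Match the endpoint and network indicators above against Sysmon-style events.

Added example; not from the newsletter or any vendor report. It assumes events
exported as dicts keyed with Sysmon field names (EventID, Image, CommandLine,
DestinationIp, DestinationHostname, TargetObject); every event below is
constructed for the demo, and the IOC values are the ones the page lists.
"""
import fnmatch
import ntpath
import re

# Network indicators from the page, stored defanged and re-fanged on use.
NETWORK_IOCS = ["sfrclak.com", "176.120.22[.]127", "*-s-account.workers.dev"]

# Processes the page ties to DeepLoad's fileless chain; a network connection
# (Sysmon EID 3) from either is worth a look.
DEEPLOAD_NETWORK_IMAGES = {"mshta.exe", "lockapphost.exe"}

# Sysmon EIDs for WMI subscription parts: 19 filter, 20 consumer, 21 binding.
WMI_EVENT_IDS = {19, 20, 21}

# Command-line patterns from TheGentlemen pre-encryption script.
CMDLINE_RULES = [
    ("event log clearing (wevtutil cl)",
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("network share opened to Everyone",
     re.compile(r"\bnet1?(\.exe)?\s+share\b.*?/GRANT:Everyone,FULL", re.I)),
]

# Registry value set (Sysmon EID 13) under Image File Execution Options\<exe>\Debugger
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)


def refang(indicator):
    """'176.120.22[.]127' -> '176.120.22.127' (lower-cased for matching)."""
    return indicator.replace("[.]", ".").lower()


def matches_ioc(value, iocs=NETWORK_IOCS):
    """Exact or wildcard (fnmatch) comparison against the IOC list."""
    value = (value or "").lower()
    return any(fnmatch.fnmatchcase(value, refang(i)) for i in iocs)


def basename(image):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(image or "").lower()


def evaluate(event):
    """Return the rule names an event triggers (empty list means nothing notable)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:                                   # process creation
        if basename(event.get("Image")) == "powerrun.exe":
            hits.append("PowerRun execution (check for TrustedInstaller context)")
        for name, pattern in CMDLINE_RULES:
            if pattern.search(event.get("CommandLine", "")):
                hits.append(name)
    elif eid == 3:                                 # network connection
        image = basename(event.get("Image"))
        if image in DEEPLOAD_NETWORK_IMAGES:
            hits.append(f"outbound connection from {image}")
        if matches_ioc(event.get("DestinationIp")) or matches_ioc(event.get("DestinationHostname")):
            hits.append("destination matches known-bad infrastructure")
    elif eid == 13 and IFEO_DEBUGGER.search(event.get("TargetObject", "")):
        hits.append("IFEO Debugger value set (accessibility backdoor pattern)")
    elif eid in WMI_EVENT_IDS:
        hits.append(f"WMI event subscription activity (Sysmon EID {eid})")
    return hits


def triage(events):
    """Map RecordId -> triggered rules for every event that fires at least one."""
    report = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            report[event["RecordId"]] = hits
    return report


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net share Public=C:\Users\Public /GRANT:Everyone,FULL"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Users\Public\PowerRun.exe",
     "CommandLine": "PowerRun.exe"},
    {"RecordId": 4, "EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "198.51.100.25", "DestinationHostname": ""},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockAppHost.exe",
     "DestinationIp": "198.51.100.26", "DestinationHostname": ""},
    {"RecordId": 6, "EventID": 3, "Image": r"C:\Program Files\nodejs\node.exe",
     "DestinationIp": "203.0.113.5", "DestinationHostname": "sfrclak.com"},
    {"RecordId": 7, "EventID": 20, "Name": "Updater", "Type": "Command Line"},
    {"RecordId": 8, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"RecordId": 9, "EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "93.184.216.34", "DestinationHostname": "example.com"},
]

if __name__ == "__main__":
    for record_id, hits in triage(SAMPLE_EVENTS).items():
        print(record_id, "->", "; ".join(hits))
```

The WMI rule is deliberately broad: because DeepLoad's subscription-based persistence survives ordinary cleanup, every new filter, consumer or binding on a workstation is worth enumerating and reviewing rather than filtering down to a known name. The PowerRun rule only flags execution; whether it actually ran in a TrustedInstaller context has to be confirmed from the process token or parent chain, which a process-creation event alone does not prove.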