Malicious actors have developed a new way to steal data stored by Chrome for Windows. Researchers discovered the technique while analyzing a fresh build of an infostealer known as VoidStealer. The new method allows the malware to bypass Chrome’s Application-Bound (App-Bound) Encryption (ABE), a mechanism intended to protect session cookies and other valuable information stored in the browser.
Google hoped this mechanism would secure the master key Chrome uses to encrypt all sensitive data. Unfortunately, this isn’t the first time malware authors have found a workaround for this defense — leaving secrets stored in Chrome vulnerable once again.
How App-Bound Encryption works in Chrome
Google introduced App-Bound Encryption in July 2024 with the release of Chrome version 127. The company’s announcement mentioned infostealers snatching cookies from Chrome users on Windows as the primary problem ABE was intended to solve. We’ve already covered in detail what these files are and the consequences of their theft, so we’ll only briefly recap the main facts here.
Cookies are small files that the browser saves to the user’s device at a website’s request to remember various site settings. Of particular value to attackers are session cookies, which are used for automatic authentication on websites. It’s thanks to these files that we don’t have to enter a username and password every time we revisit a site.
But this convenience carries a risk: stealing these files allows an attacker to use an already-authenticated session without entering a username or password. This allows them to impersonate the user, which can lead to account hijacking, theft of personal or financial data, and other adverse consequences.
Infostealer Trojans are particularly dangerous for Chrome users on Windows. This is because, on this OS, Chrome previously relied solely on the standard built-in Data Protection API (DPAPI). With this system encryption mechanism, applications don’t need to create and store encryption keys to protect data.
The limitation of DPAPI is that it doesn’t protect data from malware that’s already successfully compromised the system and is capable of executing code on behalf of the logged-in user. This is exactly what stealers exploit: since they typically run with the user’s privileges, they can simply request DPAPI to decrypt the browser’s protected data.
The ABE mechanism was designed to solve that specific problem. The core idea is right in the name: App-Bound Encryption means the encryption is tied to a specific application. To achieve this, a separate service running with system privileges is responsible for protecting the key used to encrypt Chrome’s data. It verifies which application is requesting access to the key, and denies the request if it doesn’t originate from Chrome.
Chrome’s App-Bound Encryption (ABE) was designed so that only Chrome itself could retrieve the master key needed to decrypt the browser’s stored data. Source
As a result, the architects of this feature assumed that to access ABE-protected browser data, an infostealer would either need to escalate its privileges to system-level, or inject malicious code directly into Chrome. In theory, this should have made attacking Chrome significantly harder and reduced the effectiveness of mass-market infostealers. As you might have guessed, things didn’t go quite that smoothly in practice.
Previous successful bypasses of Chrome’s ABE
Just a couple of months after Google announced the implementation of App-Bound Encryption in Chrome, many infostealer developers claimed they’d already bypassed the protection. Among them were the creators of Meduza Stealer, Whitesnake, Lumma Stealer, and Lumar (also known as PovertyStealer).
Lumma stealer developers announce a bypass for Chrome’s App-Bound Encryption in a new version of the malware
Of course, you shouldn’t take malware developers at their word, but legitimate security researchers were able to confirm at least some of the claims. Bypasses for Google Chrome’s new data protection feature did become available almost immediately after its release.
A month later, in October 2024, tech enthusiast Alex Hagenah published a tool on GitHub called Chrome-App-Bound-Encryption-Decryption to bypass Google’s new security mechanism. Analysis of the tool’s code revealed that its author used roughly the same methods that attackers were already heavily exploiting.
What followed was a game of cat and mouse: security researchers and stealer developers came up with new tricks to circumvent App-Bound Encryption, while Google patched the newly discovered loopholes with varying degrees of success.
VoidStealer — a new data-nabbing menace
This brings us to recent events: in March 2026, news broke about a stealer named VoidStealer, which utilizes a brand-new and, by all accounts, highly effective method for bypassing ABE.
VoidStealer developers advertising a new method for bypassing ABE. Source
The malware authors developed an attack technique that targets the brief moment when the master key sits in the browser’s memory in plaintext. This occurs because, at a certain point, the browser inevitably has to decrypt its data to actually use it — for instance, to automatically sign in to a website with the relevant session cookie or to access saved credentials.
To exploit this window of opportunity, the malware attaches itself to the Chrome process as a debugger — a tool that allows one to control a program’s execution, pause it, and inspect its memory. In legitimate scenarios, these tools are used by developers to find and fix bugs, analyze application behavior, and test performance.
The malware identifies the specific section of code where data decryption takes place. It then sets a breakpoint at that location; when the program’s execution reaches that point, the browser effectively freezes. This is how the malware catches the exact moment the master key is sitting in RAM in plaintext; it then reads the key directly from memory.
It’s worth noting that everything mentioned above also applies to other Chromium-based browsers that use ABE, including Microsoft Edge, Brave, Opera, Vivaldi, and others.
How to avoid falling victim to infostealers
The scale of VoidStealer’s reach could be significant, as its developers operate under the malware-as-a-service (MaaS) model. This means they rent out the ready-made tool to other attackers, so they don’t need to develop custom malware from scratch.
This situation demonstrates that relying solely on built-in security mechanisms isn’t enough. Unfortunately, stealer developers are coming up with new workarounds faster than browser and operating system developers can roll out patches.
Here’s what users can do about it:
Avoid installing programs from suspicious sources. This will minimize the chances of malware infiltrating your system.
Learn how ClickFix attacks Lately, stealers have frequently been distributed using this specific malicious tactic.
Keep your OS and software updated on all devices. Timely updates help patch many of the vulnerabilities that malware exploits.
Install a robust security solution on all your devices. It’ll block suspicious activity in real time and alert you to potential threats.
As an added precaution, avoid storing passwords and bank card info in Google Chrome or your Notes app, as these are the first places any self-respecting stealer looks. Instead, use a secure password manager.
Stealers are hunting for your data, finding ways to infiltrate both computers and smartphones alike. To protect yourself from theft, check out our other related posts:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-06 13:06:382026-05-06 13:06:38How VoidStealer bypasses Chrome’s protections to hijack sessions and steal data | Kaspersky official blog
Nowadays CISOs face escalating threats that outpace traditional defenses. The strategy is evolving from compliance-driven checklists to a threat-informed approach. MITRE ATT&CK provides a globally accessible knowledge base of real-world adversary tactics, techniques, and procedures (TTPs), enabling organizations to understand, prioritize, and counter actual attacker behaviors rather than abstract controls.
This shift helps align security efforts with business realities: minimizing downtime, protecting revenue streams, safeguarding customer trust, and potentially lowering cyber insurance premiums through demonstrated proactive risk management.
Executive Summary
Compliance-driven security measures control maturity, not adversary readiness. Threat-informed defense anchors risk management in real attack behaviors, which is where actual risk lives.
MITRE ATT&CK provides the taxonomy, not the intelligence. The framework names and structures adversary techniques; organizations need curated, real-world threat data to make those techniques actionable.
SOC workflow integration is non-negotiable. MITRE ATT&CK delivers risk reduction only when embedded into monitoring rules, triage processes, IR playbooks, and hunt methodologies.
Speed of context determines security outcomes. Whether in triage or incident response, the time it takes to understand what a threat is doing directly determines how much damage it can cause. ANY.RUN’s Threat Intelligence Lookup and Sandbox compress that context-gathering from hours to seconds.
Threat hunting requires real attack patterns, not just technique categories. Generic ATT&CK-based hunt queries produce noise; high-fidelity feeds of current attacker behavior produce findings.
Risk reduction is measurable. MTTD, MTTR, MTTC, hunt yield rate, and false positive ratios are the business-level metrics that translate MITRE ATT&CK investment into language boards and insurers understand.
Two Lenses, One Risk: Compliance vs. Adversary-Centered Approach
Traditional risk management often relies on vulnerability scanning, compliance audits (e.g., NIST, ISO), and static controls. It focuses on known weaknesses and regulatory requirements but frequently misses how attackers chain behaviors in live environments.
MITRE ATT&CK is adversary-centric and behavior-focused. It maps real-world TTPs across tactics like Initial Access, Execution, Persistence, and Impact. This enables gap analysis, threat modeling, and measurable improvements in detection and response.
Dimension
Traditional Risk Management
MITRE ATT&CK Approach
Risk Basis
Regulatory requirements & audit findings
Real-world adversary techniques & behaviors
Threat Model
Generic, category-level threats
Specific ATT&CK tactics, techniques, sub-techniques
Detection Focus
Signature-based, perimeter controls
Behavioral analytics across the kill chain
Measurement
Control maturity, audit pass/fail
Detection coverage mapped to ATT&CK matrix
Response Approach
Incident → remediation → compliance update
Continuous detection, hunt, iterate
Business Language
Risk scores, audit gaps
Mapped MITRE techniques tied to business impact
Tooling
GRC platforms, scanners
SIEM + EDR + Sandbox + TI Feeds
The most important takeaway from this comparison is not that compliance is worthless. It isn’t. Regulatory requirements create accountability, force documentation, and establish minimum hygiene floors that matter for smaller organizations with limited resources. The problem arises when compliance becomes the ceiling rather than the floor.
Where Strategy Meets Reality: Making MITRE ATT&CK Operational
MITRE ATT&CK is not a product. It does not detect threats. It does not alert your analysts, contain attackers, or generate threat intelligence. The organizations that extract real risk reduction from MITRE ATT&CK are those that connect the framework’s taxonomy directly to how their SOC actually operates: the tools analysts use, the data they see, the workflows they follow under pressure.
SOC Workflow
What MITRE Provides
What SOC Actually Needs
How ANY.RUN Bridges the Gap
Monitoring
Identify techniques to watch
Alerts linked to ATT&CK IDs
TI Feeds: live IOC & technique feeds; Sandbox: real-time detonation signals
Triage
Explain technique & impact
Fast analyst context on behavior
TI Lookup: instant technique context + related samples; Sandbox: behavioral report
Incident Response
Provide structural framework
Full execution context to contain
Sandbox: full process tree, network, registry; TI Lookup: lateral movement history
Threat Hunting
Suggest what to search for
Real attack patterns as hypotheses
TI Feeds: emerging technique clusters; TI Lookup: hunt pivot on IOCs & TTPs
1. Eyes Wide Open: Enhancing Monitoring for Early Threat Detection
MITRE ATT&CK is a powerful compass for monitoring strategy. It tells defenders which techniques adversaries use during specific phases of an attack. T1566 (Phishing) for initial access, T1055 (Process Injection) for defense evasion, T1021 (Remote Services) for lateral movement, etc. Security teams can use the framework to build detection hypotheses, design SIEM rules, and prioritize which telemetry sources to collect.
What the SOC Actually Needs
The value of monitoring emerges from early visibility to enable swift action, reducing dwell time and limiting blast radius. Analysts need alerts with sufficient fidelity and timeliness to intervene while the attack is still in progress. That requires not just knowing which techniques exist, but understanding the current threat landscape: which groups are active, which malware families are being deployed this week, and which detection signatures are already stale.
Solution: Stay Current with Live Threat Feeds to Cut Detection Lag
Threat Intelligence Feeds provide continuously updated, machine-readable threat intelligence stream of IOCs (indicators of compromise) with malware family tags derived from real detonations in ANY.RUN’s Interactive Sandbox. Security teams can pipe these feeds directly into their SIEM or EDR, ensuring that MITRE-mapped detection rules stay current with actual adversary activity.
Business objective: Cut MTTD for novel threats. Increase the ratio of high-fidelity alerts to total alerts, lowering analyst alert fatigue and improving coverage of emerging attack vectors.
Reduce breach impact, not just detect threats.
Fuel MITRE ATT&CK with real-time intelligence and full attack visibility.
2. Speed Matters: Accelerating Triage with Behavioral Context
MITRE maps alerts to techniques, but analysts need rapid understanding of intent, impact, and validity to avoid alert fatigue. An alert tagged T1059.001 (PowerShell) tells an analyst that the technique involves command and scripting interpreter abuse. T1112 (Modify Registry) points to potential persistence or defense evasion. This context is valuable. But it is the starting point, not the destination.
What the SOC Actually Needs
Analysts dealing with hundreds of alerts per shift cannot afford multi-minute pivot chains to understand whether a flagged PowerShell execution is a legitimate IT automation script or the first stage of a ransomware deployment. They need behavior and impact context fast: What did this process actually do? Has this file hash or domain been seen in confirmed malicious activity?
Solution: Reduce MTTD with Full Attack Visibility inside a Sandbox
Threat Intelligence Lookup is a searchable threat data repository built on ANY.RUN’s analysis history. Analysts can query file hashes, IPs, domains, URLs, and process names and instantly surface related sandbox reports with MITRE ATT&CK mappings, malware family attributions, and associated threat actor context.
During triage, analysts can answer the key questions before escalating: Is this a known threat? What does it do? Which ATT&CK techniques are involved? What is the likely impact?
ANY.RUN Intelligence linking ATT&CK techniques to malware samples and behaviors
Interactive Sandbox complements TI Lookup for unknown samples. If an URL yields no TI Lookup match, analysts can submit it to the sandbox and receive a full behavioral report (process tree, network activity, file system changes, and ATT&CK technique tags) in minutes.
Unlike automated sandboxes that process samples silently, ANY.RUN lets analysts interact with the execution — clicking through prompts, observing network connections, and watching process trees unfold — while the sandbox maps every observed behavior to MITRE ATT&CK techniques in real time.
Attack techniques detected in ANY.RUN sandbox detonation
Business objective: Reduce mean triage time per alert. Decrease false positive escalations. Increase analyst capacity without headcount growth, enabling the SOC to handle greater alert volume at the same staffing level.
3. Incident Response: From Labels to Action
MITRE ATT&CK gives incident responders a structured model for understanding what an adversary may have done across the kill chain. It offers a common language and playbooks for containment, full visibility into attacker actions for precise, minimal-disruption response. This is genuinely valuable for architecting investigations and communicating findings to stakeholders.
What the SOC Actually Needs
During an active incident, responders need execution context. Which processes ran? In which order? What registry keys were modified? Which files were dropped and where? Which internal hosts did the malware beacon to? Without this granular execution responders end up remediating visible symptoms while the attacker maintains persistence through overlooked footholds.
Turn MITRE ATT&CK into measurable risk reduction.
Use ANY.RUN to detect threats earlier and respond faster.
Solution: Compress Containment Time with Complete Execution Context
Interactive Sandbox generates a complete execution timeline for any submitted sample: full process trees (parent/child relationships, command-line arguments), all network connections (DNS queries, HTTP/S requests, C2 communication patterns), file system changes (created, modified, deleted files), and registry modifications.
Every action is timestamped and tagged with the corresponding MITRE ATT&CK technique. Responders don’t need to reconstruct what malware did from endpoint telemetry alone. They have a ground-truth behavioral record from a controlled detonation.
Processes mapped to MITRE ATT&CK techniques in a sandbox detonation
TI Lookup accelerates the lateral movement investigation. If an incident involves a suspicious IP or domain used for C2, TI Lookup surfaces all previous ANY.RUN analyses involving that indicator. It helps reveal which malware families have used it, when, and in what context.
Business objective: Reduce mean time to contain (MTTC) by giving responders complete execution context at the start of an investigation. Decrease re-infection rates by ensuring all persistence mechanisms are documented and remediated. Reduce incident response costs by compressing investigation timelines.
4. Proactive Defense: Supercharging Threat Hunting with Real Patterns
Threat hunting (proactively searching for adversary presence that evaded automated defenses) is where MITRE ATT&CK suggests hypotheses: if you are in a financial services organization, groups like FIN7 or Carbanak are relevant threats; their documented techniques (T1059, T1027, T1547) suggest where to look in your telemetry. This starting point is invaluable.
What the SOC Actually Needs
A successful hunt requires more than “look for PowerShell abuse”. It requires the specific parent-child process relationships, the exact command-line patterns, the particular registry keys, the network destinations that real-world attackers targeting your industry have actually used recently. Generic ATT&CK-based hunt queries produce excessive noise and burn hunter time on false leads. Real attack patterns are the fuel that makes hunts productive.
Solution: Turn Hunt Hypotheses into High-Yield Findings with Real Attacker Patterns
Threat Intelligence Lookup enables hunt pivoting at scale. A hunter who identifies a suspicious process name can query TI Lookup to find all samples that share that process, discover related IOCs, identify the malware family, and extract the precise command-line patterns that family uses. This turns a single hunt lead into a comprehensive behavioral profile needed to write high-confidence hunt queries.
MITRE ATT&CK matrix in ANY.RUN’s TI Lookup
The combination of TI Feeds and TI Lookup transforms threat hunting from a creative exercise into an evidence-based discipline grounded in real adversary behavior.
Business objective: Increase the yield rate of threat hunts (confirmed findings per hunt hour). Identify attacker dwell time earlier, reducing the average time an adversary operates undetected inside the network. Demonstrate proactive risk reduction to board and audit stakeholders.
Conclusion: From Framework to Force Multiplier
MITRE ATT&CK has fundamentally changed how the security industry thinks about risk: from abstract control gaps to concrete adversary behaviors. For CISOs, this shift represents an opportunity to speak a language that resonates equally in the boardroom and the SOC: the language of what attackers actually do, and how prepared your organization is to detect, contain, and recover.
Make every SOC workflow count toward business protection.
Connect MITRE ATT&CK with live actionable threat data.
But the framework’s potential is only realized when it is connected to operational reality. MITRE ATT&CK without actionable threat intelligence is a map without territory. The SOC workflows that matter (monitoring, triage, incident response, and threat hunting) all require real-world adversary data to function at the speed and fidelity modern threats demand.
ANY.RUN’s threat analysis and intelligence products are purpose-built to close this gap. Together, they transform MITRE ATT&CK from a conceptual framework into an operational engine that drives measurable risk reduction across every phase of the security operations cycle.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect, investigate, and respond to threats faster.
ANY.RUN solutions include Interactive Sandbox, Threat Intelligence Lookup, Threat Intelligence Feeds, and integrations for SOC workflows across SIEM, SOAR, EDR, and other security tools. Together, they help teams safely analyze suspicious links, files, and scripts, uncover phishing behavior, trace credential theft and remote access activity, and enrich investigations with real-world threat context.
Built for security-conscious organizations, ANY.RUN is SOC 2 Type II attested and supports enterprise-ready controls such as SSO, MFA, granular privacy settings, and AES-256-CBC encryption.
Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN gives SOC teams the visibility they need to move from uncertain alerts to evidence-based decisions.
FAQ
Can MITRE ATT&CK help me reduce cyber insurance premiums?
Yes. Demonstrating ATT&CK-mapped controls, gap closures, and proactive testing provides evidence of mature risk management, which insurers often reward with lower premiums.
What is the difference between MITRE ATT&CK detection coverage and risk reduction?
Detection coverage measures visibility into techniques; risk reduction quantifies business impact mitigation (e.g., prevented data loss or downtime) through layered defenses, response speed, and proactive measures.
How often should I reassess risk using MITRE ATT&CK?
Quarterly at minimum, or after major incidents, new threat actor campaigns, or significant environment changes. Continuous integration via feeds and hunting yields ongoing insights.
How does MITRE ATT&CK integrate with existing frameworks like NIST?
It complements them by adding adversary behavior details to NIST’s risk management processes, enabling more targeted control implementation and effectiveness measurement.
What role do ANY.RUN’s solutions play in operationalizing ATT&CK?
They provide real-world context, fresh IOCs/IOAs, and behavioral examples that make abstract TTPs immediately actionable in monitoring, triage, and hunting.
How can small teams start using MITRE ATT&CK effectively?
Begin with high-priority tactics relevant to your industry, map existing tools, use free ATT&CK Navigator, and incorporate accessible behavioral intelligence sources for quick wins in triage and response.
Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.
According to Talos’ observations, the ease of API-driven provisioning makes a few VoIP providers the preferred tool for attackers, allowing for high-volume, cost-effective scam operations that are difficult to trace.
Attackers maintain operational continuity by rotating through sequential blocks of phone numbers and utilizing strategic cool-down periods, with a median phone number lifespan of 14 days, to effectively evade reputation-based security filters.
Threat actors try to maximize their reach by recycling the same phone numbers across diverse, seemingly unrelated lures – including varied subject lines and different attachment formats like HEIC and PDF – to impersonate multiple brands simultaneously.
Security researchers can expose the hidden infrastructure of organized scam call centers by shifting focus from ephemeral email addresses to phone numbers, using clustering techniques to connect disparate campaigns and strengthen overall defensive postures.
Telephone-oriented attack delivery (TOAD) continues to be a prevalent tactic in modern email threats. By shifting the communication channel from email to a real-time conversation, attackers manipulate victims into disclosing sensitive information or installing malicious software.
Cisco Talos has expanded its threat intelligence capabilities to include phone numbers as a critical IOC. Our analysis covers a wide spectrum of line types, including wireless (cellular), landline, and Voice over Internet Protocol (VoIP). While scammers leverage all three, VoIP numbers are particularly prevalent due to their ease of acquisition and the difficulty of tracing them back to their origin. In fact, six of the ten largest campaigns we detected between February 26 and March 31, 2026 relied on VoIP infrastructure.
To better understand how these numbers are weaponized, this blog first explains the technical structure of VoIP numbers and the role of service providers in this ecosystem. We then broaden the scope to analyze reuse patterns, lifespan, and campaign characteristics across all line types. By sharing these insights, Talos aimsto strengthen our collective defensive posture against these evolving threats.
The structure of VoIP phone numbers
Most VoIP numbers follow the E.164 international public telecommunication numbering plan. This format ensures that every number is globally unique and can be routed correctly across the Public Switched Telephone Network (PSTN).
An E.164 number is limited to 15 digits and consists of:
International Prefix (+): Indicates the number is in international format
Country Code (CC): 1 to 3 digits (e.g., 1 for the US/Canada, 44 for the UK)
Area Code/National Destination Code (NDC): Often referred to as the area code
Subscriber Number (SN): The specific number assigned to the user or device
The above components are shown in the example phone number below:
Figure 1. The structure of an example VoIP phone number.
The VoIP ecosystem
Voice over Internet Protocol (VoIP) has become the primary medium for scam campaigns due to its cost effectiveness, ease of deployment, and API-driven automation. Within this ecosystem, we identify two primary operational models: wholesalers and retailers. VoIP wholesalers (e.g., Virtue, Twilio, and Bandwidth) operate in a business-to-business (B2B) capacity, sitting between Tier 1 carriers (e.g., AT&T, Verizon) and smaller service providers, selling high volumes of numbers in bulk. Conversely, VoIP retailers (e.g., RingCentral) sell finished business calling and collaboration solutions directly to organizations and end users.
VoIP providers are further categorized into communications platform as a service (CPaaS) and unified communications as a service (UCaaS). CPaaS providers offer programmable APIs that allow developers to integrate voice and messaging directly into applications. Because these platforms are designed for automation and high-volume traffic, they are frequently exploited by threat actors for rapid, API-driven number provisioning. In contrast, UCaaS providers offer comprehensive, end-user-facing communication suites. UCaaS platforms are typically designed for legitimate enterprise collaboration, and that makes them less attractive for scamemail campaigns. Talos has found Sinch (primarily a leader in CPaaS) as the most commonly abused VoIP provider, and Verizon and NUSO as the least abused providers in the studied time window.
Figure 2. The distribution of phone line types in scam emails.
While VoIP line types dominate the scam landscape (see Figure 2), Talos has observed that threat actors utilize wireless (cellular) and landline numbers as well. Cellular numbers are harder to provision at scale, as they typically require physical SIM cards and stricter customer verification, making them more expensive and less disposable than VoIP numbers. Nevertheless, they are still widely adopted by scammers. Figure 3 shows the distribution of wireless carriers that are used byscammers in the studied time window. Landline numbers, on the other hand, are used to project a sense of local presence or established business legitimacy. By using a landline with a specific local area code, scammers can effectively impersonate local businesses (e.g., banks, utility companies, or government offices).
Figure 3. The distribution of carrier names in wireless phone numbers found in scam emails.
Phone number reuse and lifespan in scam campaigns
In this section, we provide insights into the lifecycle of phone numbers used in scam emails, examining how often they are reused, their typical lifespan, and how they appear across seemingly unrelated lures. Our analysis focuses on scam campaigns impersonating popular brands, including PayPal, Geek Squad (Best Buy), McAfee, and Norton LifeLock.
Phone number reuse patterns
Talos identified 1,652 unique phone numbers across these campaigns during the studied time window (February 26 to March 31). Of these, 57 numbers (approximately 3.4%) were reused across multiple consecutive days. The longest period of reuse observed for a single phone number was four consecutive days.
As discussed in a previousblog post, phone numbers are reused for several strategic reasons. First, intelligence regarding phone numbers is often distributed more slowly than that of URLs or file hashes; many numbers remain under the radar of third-party reputation services for several days. Second, reuse offers logistical advantages for scam call centers, allowing them to maintain a consistent brand presence for multi-stage social engineering, callback scheduling, and persistent victim engagement. Finally, reuse minimizes operational costs, particularly for paid VoIP services. While we observed some phone numbers reused for up to four consecutive days, the most common reuse period was two consecutive days.
Lifespan analysis and cool-down periods
Scammers do not always reuse phone numbers on consecutive days. Often, they implement a cool-down period — pausing the use of a number for a few days to evade detection — before reintroducing it into a campaign.
Our investigation into the lifespan of these numbers revealed that 108 phone numbers (~6.5%) remained active for more than one day. As shown in Figure 4, most phone numbers have a lifespan of two to six days, though a handful remained active for nearly a month. During the study window, the median lifespan was approximately 14 days. Notably, infrastructure longevity often correlates with the impersonated brand; as illustrated in Figure 5, PayPal-themed scam campaigns utilized significantly more persistent phone numbers than those impersonating Norton LifeLock.
Figure 4. The distribution of phone number lifespans (in days) in scam emails impersonating the above four brands.Figure 5. The lifespan of phone numbers in scam emails for the top two impersonated brands.
Phone numbers across unrelated lures
A scam or phishing lure is typically a combination of a business context, a psychological trigger, a call-to-action, and an impersonated brand (see Table 1 for a few examples). These lures appear across various email layers, including subject lines, body content, and attachments.
Claimed business context
Psychological trigger
Call-to-action
Impersonated brand
Subscription renewal
Invoice or billing statement
Account security alert
Order confirmation/shipping issue
Technical support case
Refund or overpayment notice
Service cancelation confirmation
Financial transaction verification
Urgency
Fear/Loss aversion
Confusion
Relief opportunity
Curiosity
Call a phone number
Click a link
Reply with personal details
Download/open attachment
Provide payment/banking information
PayPal
Geek Squad (Best Buy)
McAfee
Norton LifeLock
Table 1. Examples of lures that most commonly appear in scam or phishing emails.
We observed phone numbers being recycled across diverse, seemingly unrelated lures:
Using the same phone number across multiple lures in the subject line: In one campaign, a single phone number appeared across multiple business contexts, such as “order confirmation” and “financial transaction verification.” Figure 6 demonstrates how these subject lines differ, despite the emails containing the same phone number and impersonating the same brand.
Figure 6. Four scam emails with completely different subject lines that contain the same phone number.
Using the same phone number across multipledocument-basedlures: In a second campaign, a single phone number was embedded in PDF attachments used for both “subscription renewal” and “financial transaction verification.”Interestingly, this campaign utilized two different brands — PayPal and Norton LifeLock — to redirect recipients to the same call center, leveraging urgency as a psychological trigger.
Figure 7. Two scam emails with different body contents that contain the same phone number while impersonating different brands.
Using the same phone number across multiple attachment file formats: In a third campaign, a single phone number was embedded in two different attachment formats: HEIC and JPEG. The use of HEIC (High Efficiency Image Container) — a format often used for iPhone/iPad photos — demonstrates the attackers’ efforts to bypass traditional file-based detection while maintaining high image quality. Talos has observed campaigns utilizing even more attachment types, confirming that threat actors frequently distribute a single phone number across multiple attack vectors to maximize their reach.
Figure 8. Two scam emails with different attachment file types that contain the same phone number while impersonating the same brand.
Phone block-level clustering
In the context of scam emails and related smishing or callback scams, attackers utilize specific VoIP grouping and clustering techniques to bypass security filters, appear legitimate, and maintain high-volume operations. One of the most common tactics is sequential number grouping. Scammers often obtain large ranges of sequential phone numbers by purchasing Direct Inward Dialing (DID) blocks. Consequently, if a specific number is flagged as spam and blocked by a carrier, the attackers simply rotate to the next number in the block.
The figure below shows how a block of numbers — differing only in the last four digits — is used in various scam emails impersonating PayPal between March 3 and March 6, 2026. It is also clear that certain numbers are used in larger campaigns than others; for instance, “+1 804[-]713[-]4598” was used in 117 scam emails in a single day.
Figure 9. Example of sequential phone numbers used in scam emails impersonating one specific brand.
In large-scale scam campaigns, phone numbers within a single sequential block are reused across multiple brand lures. The figure below shows how a range of numbers in a sequential block is deployed across three different brand lures. As with the previous case, some phone numbers are utilized in significantly larger campaign volumes than others.
Figure 10. Example of sequential phone numbers used in scam emails impersonating multiple brands.
Conclusion and protection
When tracking scam campaigns, it is essential to look beyond individual sender email addresses, which are often ephemeral. Instead, it is more strategic to focus on phone numbers, which serve as the true anchors of the operation. By clustering scam lures based on shared phone numbers, security researchers can effectively map connections between seemingly unrelated campaigns, ultimately exposing the infrastructure of organized criminal call centers.
Service providers and security teams should prioritize the implementation of real-time reputation monitoring for different communication channels to proactively mitigate these threats. For example, establishing centralized databases that track and flag high-risk phone numbers across multiple platforms allows for rapid cross-campaign correlation. Collaboration between telecommunications and VoIP providers is also vital, as sharing threat intelligence regarding malicious telephony infrastructure enables an industry-wide defense against the persistent threat of social engineering and fraud.
Cisco Secure Email Threat Defense
Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI-powered detections. Cisco Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats.
Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack. You can sign up for a free trial of Email Threat Defense today.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-06 11:06:402026-05-06 11:06:40Insights into the clustering and reuse of phone numbers in scam emails
ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games
A new large-scale phishing campaign is targeting U.S. organizations with fake event invitations that lead to credential theft, OTP interception, or RMM tool installation.
ANY.RUN researchers found that the campaign uses a repeatable phishing framework to create event-themed lure pages at scale. Some pages steal email credentials and OTP codes, while others deliver legitimate remote management tools such as ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue.
For CISOs, the risk is not just another phishing wave. It is the combination of credential theft, trusted remote access tools, and infrastructure designed to look legitimate. That mix can delay detection, stretch SOC triage, weaken response confidence, and create a path to remote access before the business fully understands what happened.
Key Takeaways
A large-scale fake invitation phishing campaign is targeting U.S. organizations: ANY.RUN researchers found nearly 160 suspicious links related to the campaign and around 80 phishing domains.
The campaign creates more than one access risk: Some lure pages steal email credentials and OTP codes, while others deliver legitimate RMM tools for remote management.
The early attack flow can look routine: Victims see a CAPTCHA check and an event invitation page before the campaign moves toward credential theft or RMM delivery.
Repeatable infrastructure gives SOC teams huntable signals: Shared URL patterns, fixed resource paths such as /Image/*.png, and requests to /favicon.ico and /blocked.html help connect related activity.
For CISOs, the risk is delayed detection and response: One fake invitation can lead to mailbox compromise, OTP interception, or remote access before the business has clear evidence of impact.
ANY.RUN helps CISOs strengthen phishing response readiness: SOC teams get the visibility to validate threats faster, reduce gray-zone investigations, and contain risk before it becomes account compromise or remote access.
The Phishing Blind Spot CISOs Need to Close
Most enterprise security programs are built to catch obvious signs of compromise: known malicious domains, suspicious payloads, credential abuse, or unauthorized remote access. This campaign creates a harder problem because the early stages can look like normal user behavior.
The attack starts with a CAPTCHA check and a fake event invitation. From there, it can lead to credential theft, OTP interception, or the installation of a legitimate RMM tool. Each step may look harmless inisolation, but together they create a path to account compromise or remote access.
For CISOs, the risk is clear: if the SOC only reacts after credentials are stolen or remote access is established, the organization is already behind the attack.
The outcome can be serious:
Slower detection because early phishing signals look routine
Greater chance of unauthorized access through legitimate RMM tools
Higher risk of credential and OTP compromise
More pressure on SOC teams to connect fragmented signals quickly
Delayed containment when domains and lure pages keep changing
Weaker confidence that phishing activity is being caught before business impact
Stop fake lures from turning into real incidents.
Give your SOC the visibility to detect and contain threats earlier.
ANY.RUN’s Threat Intelligence shows that most analysis tasks related to this campaign came from the United States, suggesting that U.S. organizations may be the primary target.
As of April 27, nearly 160 suspicious links related to this campaign had been analyzed in ANY.RUN’s sandbox, with around 80 phishing domains identified. Most of these domains were registered underthe .de top-level domain, starting from December 2025.
TI Lookup showing relevant industries and submission countries for broader context
The most affected industries include Education, Banking, Government, Technology, and Healthcare — sectors where email access, identity, and remote administration are part of everyday operations.
For CISOs in these sectors, the concern is practical: one fake invitation can lead to stolen mailbox access, intercepted OTP codes, or a remote access tool running inside the environment.
The campaign also shows signs of scale. Threat actors appear to use a single framework to mass-deploy event-themed lure sites, while some page elements suggest possible AI-assisted generation. For security teams, this means the attack surface can change quickly, but the repeatable structure creates detection opportunities. When SOC teams can catch these patterns early, they can reduce investigation uncertainty, validate threats faster, and contain phishing activity before it turns into account compromise or remote access.
How the Campaign Moves From Lure to Access
On April 22, 2026, ANY.RUN researchers identified a phishing campaign targeting email service credentials and, in some cases, delivering remote management software.
Fake Invitation Pages as the Entry Point
The campaign uses fake event invitation pages as the main lure. Victims are first taken through a CAPTCHA check, most often from Cloudflare, although other providers also appear in some cases. After that, they land on a phishing page telling them they have received an invitation.
From there, the campaign can move in two directions. Some pages are built to steal credentials. Others are designed to deliver remote management tools.
In the RMM delivery flow, the page may show a single download button or skip the button entirely and start the download automatically. In one ANY.RUN analysis session, the lure page starts the download without requiring further action from the user:
ANY.RUN researchers also found signs that some pages were created using a shared phishing site toolkit, or phish kit. The code in several sessions contained instructions for the campaign operator on how to edit the page, suggesting a reusable setup for building and launching new lure sites quickly:
Instructions on how to edit the page, written for campaign operators
The examples above represent a sample of the activity observed by ANY.RUN researchers and illustrate the common structure used in phishing pages that deliver RMM tools.
The remote management tools most often installed in these campaigns include ScreenConnect, ITarian, Datto RMM, ConnectWise, and LogMeIn Rescue.
When the goal is credential theft, the page changes, but the entry point stays the same. In this analysis session, the chain also begins with a CAPTCHA check:
After the check, the user is shown an event invitation message and prompted to sign in with one of the available services. An example of this message is shown below:
Example message to sign in an event
Reusable phishing infrastructure
The credential theft pages follow a consistent structure across the phishing domains. In most cases, only the logo at the top of the page changes.
The phishing URLs also follow a repeatable format: https://<phish-site>/<url-pattern>/<endpoint>
Domain names often include words related to events, invitations, greetings, parties, and similar themes. Examples include festiveparty.us, getceptionparty[.]de, and celebratieinvitiee[.]de, all of whichwere observed in related ANY.RUN analysis sessions:
The campaign uses two credential interception flows: one for Google accounts and another for non-Google services. The following ANY.RUN analysis session shows both flows in action:
When the user selects any service other than Google, the phishing page opens a login window asking for an email address and password, as shown below.
After the first password entry, the page always displays an “Incorrect Password” message. This prompts the user to enter the password again, helping the attackers capture a second attempt in case the first one contained a typo.
Google login window, asking for an email address and password
When the user enters their credentials and clicks Login, the page sends a POST request to the same server at the /processmail.php endpoint, submitting the email address and password.
POST resuest to the server at the /processmail.php endpoint
Then, an OTP code entry form appears. This form is also the same across all phishing sites used in this campaign.
Fake entry form used in all phishing sites
When the user enters the code and clicks Submit, the page sends a POST request to the same server at the /process.php endpoint, submitting the OTP code.
POST request to the server
After the OTP is entered, the page displays a placeholder message, as shown in the image below. At this stage, the credentials needed to access the service are already in the attacker’s hands.
A placeholder message displayed inside ANY.RUN sandbox
Google credential interception
When the user selects Gmail as the login method, a different chain is observed. First, the user is redirected to a page disguised as a Google authorization form.
Google authorization form used for the phishing attack
When the user enters their login and password, the page sends POST requests to the /pass.php and /mlog.php endpoints.
POST requests sent to the /pass.php
The request to /pass.php sends the login and the request to /mlog.php sends the password:
Request to /pass.php sends the login
Then, the page sends a request to the `/check_telegram_updates.php` endpoint, with the user ID included in the request body.
Visitor ID exposed inside ANY.RUN sandbox
At the end of the chain, the victim is redirected to the legitimate google.com page.
How CISOs Can Reduce the Risk Behind Fake Invitation Campaigns
Campaigns like this are difficult because they do not create one obvious security event. The same lure can lead to credential theft, OTP interception, or remote access tool installation. For SOC teams, that means the risk is spread across several small signals that need to be connected quickly.
To reduce exposure, security leaders need visibility earlier in the chain, before stolen credentials are used, before OTP codes are intercepted, and before a remote access tool becomes a foothold inside the environment.
ANY.RUN brings that visibility into the full SOC investigation process. During triage, analysts can open suspicious links safely inside a cloud-based, interactive sandbox and quickly confirm whether the page leads to a fake invitation, credential form, OTP prompt, or RMM download. During behavioral analysis, they can observe network requests, credential submission endpoints, file downloads, execution behavior, and remote access activity as it happens.
Phishing attack analyzed inside ANY.RUN sandbox
That visibility gives teams a stronger basis for response. Teams will understand what was exposed, whether access was attempted, and which containment steps are needed. With ANY.RUN Threat Intelligence, they can extend the investigation into threat hunting by finding related domains, repeated URL patterns, shared phishing infrastructure, and similar analyses across industries.
Relevant analysis sessions displayed inside TI Lookup for broader context and full behavior visibility
For CISOs, this supports the outcomes that matter most:
Fewer gray-zone investigations where teams struggle to prove whether activity is malicious
Faster threat confirmation before credentials, OTP codes, or remote access are abused
Clearer containment decisions based on visible attack behavior, not assumptions
Stronger phishing coverage across both credential theft and RMM delivery paths
Better confidence in SOC readiness when phishing campaigns scale across domains and industries
Turn phishing uncertainty into response-ready evidence.
Make every phishing investigation faster and easier to act on.
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams detect, investigate, and respond to threats faster.
ANY.RUN solutions include Interactive Sandbox, Threat Intelligence Lookup, Threat Intelligence Feeds, and integrations for SOC workflows across SIEM, SOAR, EDR, and other security tools. Together, they help teams safely analyze suspicious links, files, and scripts, uncover phishing behavior, trace credential theft and remote access activity, and enrich investigations with real-world threat context.
Built for security-conscious organizations, ANY.RUN is SOC 2 Type II attested and supports enterprise-ready controls such as SSO, MFA, granular privacy settings, and AES-256-CBC encryption.
Trusted by more than 15,000 organizations and 600,000 security professionals worldwide, ANY.RUN gives SOC teams the visibility they need to move from uncertain alerts to evidence-based decisions.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-05 13:06:372026-05-05 13:06:37New Phishing Campaign Targets US with Credential Theft: What CISOs Need to Know
Our experts have discovered a large-scale supply chain attack via DAEMON Tools – software for emulating optical drives. The attackers managed to inject malicious code into the software installers, and all trojanized executable files are signed with a valid digital signature of AVB Disc Soft – the developer of DAEMON Tools. The malicious version of the program has been circulating since April 8, 2026. At the time of writing, the attack is still ongoing. Researchers at Kaspersky believe this is a targeted attack.
What are the risks of installing the malicious version of DAEMON Tools?
After the Trojanized software is installed on the victim’s computer, a malicious file is launched every time the system starts up – sending a request to a command-and-control server. In response, the server may send a command to download and execute additional malicious payloads.
First, the attackers deploy an information gatherer that collects the MAC address, hostname, DNS domain name, lists of running processes and installed software, and language settings. The malware then sends this information to the command-and-control server.
In some cases, in response to the collected information, the command server sends a minimalistic backdoor to the victim’s machine. It’s capable of downloading additional malicious payloads, executing shell commands, and running shellcode modules in memory.
The backdoor can be used to deploy a more sophisticated implant dubbed as QUIC RAT. It supports multiple communication protocols with the command-and-control server, and is capable of injecting malicious payloads into the notepad.exe and conhost.exe processes.
Since early April, several thousand attempts to install additional malicious payloads via infected DAEMON Tools software have been detected. Most of the infected devices belonged to home users, but approximately 10% of installation attempts were detected on systems running in organizations. Geographically, the victims were spread across around a hundred different countries and territories. Most victims were located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
Most often, the attack was limited to installing an information collector. The backdoor infected only a dozen machines in government, scientific, and manufacturing organizations, as well as in retail businesses in Russia, Belarus, and Thailand.
What exactly was infected
The malicious code was detected in DAEMON Tools versions ranging from 12.5.0.2421 to 12.5.0.2434. The attackers compromised the files DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, which are installed in the main DAEMON Tools directory.
How to stay safe?
If DAEMON Tools software is used on your computer (or elsewhere in your organization), our experts recommend thoroughly checking the computers on which it is installed for any unusual activity starting from April 8.
In addition, we recommend using reliable security solutions on all home and corporate computers used to access the internet. Our solutions successfully protect users from all malware used in the supply chain attack via DAEMON Tools.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-05 13:06:372026-05-05 13:06:37Supply chain attack via DAEMON Tools | Kaspersky official blog
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
After successful compromises, UAT-8302 deploys multiple custom-made malware families that have previously been used by other known China-nexus threat actors.
Talos discovered a .NET-based backdoor we track as “NetDraft” that is a C#-based variant of the FinalDraft/SquidDoor malware family developed and operated by Jewelbug/REF7707/CL-STA-0049/LongNosedGoblin, a cluster of China-nexus APT actors.
Furthermore, UAT-8302 also uses an updated version of the CloudSorcerer backdoor, a malware family used in attacks against Russian government entities in 2024.
UAT-8302 also used VSHELL and its SNOWLIGHT stager in their operations, along with a new Rust-based stager that we track as SNOWRUST.
Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world.
Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware.
Malware deployed by UAT-8302 connects it to several previously publicly disclosed threat clusters, indicating a close operating relationship between them at the very least. Overall, the various malicious artifacts deployed by UAT-8302 indicate that the group has access to tools used by other sophisticated APT actors, all of which have been assessed as China-nexus or Chinese-speaking by various third-party industry reports.
For instance, NetDraft, a .NET-based malware family deployed by UAT-8302 in South America, was also disclosed by ESET as NosyDoor, attributed to a China-nexus APT they track as LongNosedGoblin. ESET assesses that LongNosedGoblin used NosyDoor/NetDraft and other custom-made malware to target government organizations in Southeast Asia and Japan. Furthermore, as per Solar’s reporting, NetDraft was also deployed against Russian IT organizations in 2024 by Erudite Mogwai (LuckyStrike Agent).
NetDraft is likely a .NET-ported variant of the FinalDraft/SquidDoor malware family developed and operated exclusively by Jewelbug/REF7707/CL-STA-0049 — also another cluster of China-nexus APT actors.
Another malware family deployed by UAT-8302 is CloudSorcerer (version 3). Kaspersky disclosed that CloudSorcerer was used in attacks directed against Russian government entities in 2024.
Furthermore, two other malware families, SNAPPYBEE/DeedRAT and ZingDoor, were deployed by UAT-8302 in conjunction with each other, a tactic also highlighted by Trend Micro in 2024.
Talos’ analysis also connects more custom-made tooling that UAT-8302 used to other China-nexus or Chinese-speaking APTs:
Draculoader: A generic shellcode loader deployed by UAT-8302, also used by the Earth Estries and Earth Naga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere.
SNOWLIGHT: A generic stager for the VSHELL malware family, used by UAT-8302. Also used by UAT-6382, who exploited a Cityworks zero-day (CVE-2025-0994) to deploy VSHELL. SNOWLIGHT has also been seen in intrusions attributed to other China-nexus APT clusters, such as UNC5174 and UNC6586.
The various connections between UAT-8302 and other China-nexus or Chinese-speaking threat actors can be visualized as:
Figure 1. UAT-8302’s interconnections.
Initial compromise and reconnaissance
UAT-8302’s tooling overlaps with various APT groups that have been known to exploit both zero-day and n-day exploits to obtain initial access. We assess that UAT-8302 follows the same paradigm of obtaining initial access to its victims.
Once initial access is obtained, UAT-8302 conducts preliminary reconnaissance using red-teaming tools such as Impacket:
Other reconnaissance commands may be:
ipconfig /all
certutil -user -store My
certutil -user -store CA
certutil -user -store Root
whoami
nslookup www[.]google[.]com
net use
cmd.exe /c net view /domain
cmd.exe /c systeminfo
cmd.exe /c net time /domain
cmd.exe /c nslookup -type=SRV _ldap._tcp
net group <name> /domain
One of UAT-8302’s primary goals is to proliferate within the compromised network, and therefore, the actor conducts extensive reconnaissance on every endpoint that they can access. This extended recon is scripted usually using a custom-made PowerShell script such as “whatpc.ps1”:
The script may be persisted to collect system information via a scheduled task:
cmd.exe /c schtasks /create /tn 'ReconLiteDebug' /tr 'powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File c:windowstempwhatpc.ps1' /sc ONCE /st 08:25 /ru SYSTEM /f
cmd.exe /c schtasks /create /tn 'RunWhatPC' /tr 'c:windowstemprun.bat' /sc ONCE /st 23:28 /ru SYSTEM /f
This script executes the following commands on the systems to identify them:
whoami
whoami.exe /groups
whoami.exe /priv
net.exe user
net.exe localgroup
net.exe localgroup administrators
ipconfig.exe /all
ARP.EXE -a
ROUTE.EXE print
NETSTAT.EXE -ano
cmd.exe /c net share
cmd.exe /c wmic startup get caption,command 2>&1
nltest.exe /dclist:<domain>
net.exe user /domain
net.exe group /domain
net.exe group Domain Admins /domain
nltest.exe /domain_trusts
UAT-8302 also performs ping sweeps of the network to discover more endpoints to proliferate into:
C:/Windows/Temp/ping_scan.bat
C:/Windows/Temp/run_scan.bat
C:/Windows/Temp/nbtscan.exe
cmd.exe /Q /c (for /l %i in (1,1,254) do @ping -n 1 -w 300 192.168.1.%i | find TTL= && echo 192.168.1.%i is alive) > C:WindowsTempalive_hosts.txt
UAT-8302 also discovers SMB shares in the network to find reachable remote shares:
cmd.exe /Q /c (for /l %i in (1,1,254) do @net use \192.168.1.%iIPC$ >nul 2>&1 && echo 192.168.1.%i - Port 445 is open || echo 192.168.1.%i - Port 445 is closed) > C:WindowsTempportscan.txt
Scanning tools
UAT-8302 may also download and run “gogo,” a GoLang based, open-sourced automated network scanning engine written in Simplified Chinese:
UAT-8302 collects a variety of information about the environment that they are operating within including Active Directory (AD) information and credentials using open-sourced tooling such as:
adconnectdump.py
A Python-based tool for Azure AD Connect/Entra ID connect credential extraction:
python.exe adconnectdump.py
Manual extraction
UAT-8302 may also directly query the AD user and computer objects to obtain information from them via PowerShell:
Specific AD users of interest may also be queried using system tools such as dsmod and dsquery.
Log collection
UAT-8302 also collects event log information and the logs themselves on multiple endpoints. Logs are an excellent source of obtaining information and understanding security configurations and policies applied within a target’s environment:
UAT-8302 also uses a tool written in Simplified Chinese called “SharpGetUserLoginIPRP” — derived from another Chinese-language repository — which is used to extract login information from a domain controller:
C:ProgramDataS.exe user:pass@IP -day
Proliferation through the network
UAT-8302 proliferates across various endpoints by using a combination of either Impacket- or WMI-based remote process creation:
cmd.exe /C wmic /node:IP process call create cmd.exe /c c:programdatae1.bat
cmd.exe /C schtasks /S IP /U username /P passwd /create /tn 'Runbat' /tr 'c:windowstemprun.bat' /sc ONCE /st 5:12 /ru SYSTEM /f
These BAT files are meant to execute the accompanying malware on the target systems.
Furthermore, UAT-8302 may also extract login credentials from MobaxXterm, a multi-functional and tabbed SSH client, using tools such as MobaXtermDecryptor to pivot to other endpoints.
Custom-made malware deployment
UAT-8302 deploys a variety of malware families in their intrusions including NetDraft, CloudSorcerer version 3, and VSHELL.
NetDraft
NetDraft, also known as NosyDoor, is a .NET variant of the FINALDRAFT malware. FINALDRAFT or Squidoor is a malware family developed and operated exclusively by Jewelbug/REF7707/CL-STA-0049, a cluster of China-nexus APT actors. FINALDRAFT uses legitimate services such as MS Graph to act as command-and-control servers (C2s) to execute commands and payloads on the compromised system. Similarly, NetDraft relies on the MS Graph API to communicate with its OneDrive based C2. NetDraft is deployed using the following mechanism:
A benign executable is used to side load a malicious dynamic-link library (DLL) based loader.
The loader DLL decodes NetDraft from an accompanying data file and invokes it in the context of the existing process.
NetDraft also contains an embedded, .NET-based helper library. The library is compressed and embedded using the Fody/Costura framework. During runtime, the library is decompressed and instrumented to carry out operations on the endpoint on behalf of NetDraft. We track this library as “FringePorch.”
Figure 2. NetDraft and FringePorch infection chain.
NetDraft and FringePorch support the following functionalities:
Execute arbitrary commands on the endpoint
Execute a .NET based assembly sent by the C2 within NetDraft’s process context
Exit and stop execution
Upload files to C2
Download files from specified remote locations to local disks
File management: Change current working directory, rename files, enumerate files, and set write times
Sleep
Execute a .NET plugin: This functionality is similar to its ability to run arbitrary .NET based assemblies. Here, the implant runs a provided plugin’s “Plugin.Run” function.
Since NetDraft is missing the capability to persist across reboots and relogins, one of the first commands the C2 issues to it is the creation of a malicious scheduled task:
Another malware UAT-8302 deploys is the latest version of the CloudSorcerer backdoor (version 3). The malware consists of the side-loading triad of files: a benign executable, a malicious DLL-based loader, and the actual implant in a data file:
The executables will sideload a DLL named “mspdb60[.]dll”, which will load and decrypt the “.ini” file specified in the command line — such as “test.ini” or “vm.ini”. The decrypted shellcode is then injected into a combination of specified benign processes.
CloudSorcerer v3 – The decrypted shellcode
The decrypted INI file is a newer version of CloudSorcerer (v3) disclosed by Kaspersky in 2024. Depending on process name (where it may have been initiated or injected), CloudSorcerer v3 will perform one of the following actions:
If the process is named “dpapimig.exe”, then it will gather system information, inject itself into explorer.exe, and receive command codes from the C2 via a named pipe, gather disk information, enumerate files, execute arbitrary commands, perform file operations (delete, rename, read, write, etc.) and execute shellcode received via the named pipe.
If the process is named “spoolsv.exe”, then it will contact GitHub to obtain C2 information and receive commands from the C2.
If the process is named “mspaint.exe”, “browser”, or anything else, it will proceed to inject itself into dpapimg.exe, spoolsv.exe, etc. to kick off its malicious operations.
The system information CloudSorcerer v3 collects includes computer name, username and local system time.
Obtaining C2 information
Like CloudSorcerer v2, version 3 contacts a legitimate service to obtain the C2 information. The malware will either contact a specific GitHub repository to read a data blob, or read a GameSpot profile the threat actors set up.
The data blob is decoded to obtain the C2 information, which can exist in the one of the following formats depending on the variant of the CloudSorcerer backdoor:
A C2 URL for a domain or IP, controlled by UAT-8302, that the malware uses to begin communication with the C2 to carry out malicious operations
An access token to a legitimate service (such as OneDrive or Dropbox) that UAT-8302 uses to act as its C2 infrastructure to obtain next-stage payloads and commands
VSHELL, SNOWLIGHT and SNOWRUST
In other instances, UAT-8302 deploys the VSHELL malware via a slightly different triad of artifacts for side-loading malware. The benign executable side-loads a malicious DLL named “wininet[.]dll” that reads a BIN file and injects it into “explorer[.]exe”.
The payload is position-independent shellcode that is injected into explorer[.]exe. The payload is a stager for the VSHELL malware that downloads and single-byte XORs the obtained payload with the key 0x99. The decoded payload is a garbled version of VSHELL.
It is worth noting that Talos observed the same single byte key and stager being used by UAT-6382 to deliver VSHELL malware in early 2025. Further investigation revealed that this stager is in fact SNOWLIGHT, a lightweight downloader that can download and deploy a next stage payload. UNC5174 has been observed using SNOWLIGHT to download Sliver and VSHELL. UNC5174 is a suspected China-nexus threat actor that typically exploits zero-day and n-day vulnerabilities to gain access to critical infrastructure organizations in the Americas.
Talos discovered that UAT-8302 also used a Rust based variant of SNOWLIGHT that we track as “SNOWRUST.” SNOWRUST is based on the LexiCrypt Rust-based shellcode obfuscator. SNOWRUST simply decodes the embedded SNOWLIGHT shellcode and executes it to download the XOR encoded final payload, VSHELL, received from the C2.
In one intrusion, UAT-8302 used VSHELL to deploy a native driver from the Hades HIDS/HIPS software — an open-source Windows host monitoring kernel framework written in Simplified Chinese. The driver was specifically the System Monitoring filter driver that lets Hades register callbacks for process, thread, registry, and file events. This allows the driver to monitor the system and potentially allow, block, or hide events and artifacts.
In parallel, UAT-8302 also deployed Draculoader, a generic shellcode loader, also used by the Earth Estries and Earth Naga APT groups who have histories of targeting government agencies in Southeast Asia and elsewhere:
C:Documents and SettingsAll UsersMicrosoftCryptoRSAd3d8.dll
Setting up additional means of backdoor access
Once UAT-8302 deploys their custom-made malware, they begin establishing other means of backdoor access. One of the techniques used is setting up proxy servers on infected systems to tunnel traffic outside the enterprise to the infected hosts using tools such as Stowaway (another tool written in Simplified Chinese):
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-05 11:06:382026-05-05 11:06:38UAT-8302 and its box full of malware
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”
According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims’ credentials and potentially one-time passwords (OTPs).
CloudZ utilizes the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, allowing the plugin to continuously scan for active Phone Link processes and potentially intercept sensitive mobile data like SMS and OTPs without deploying malware on the phone.
CloudZ evades detection by executing critical malicious functions dynamically in system memory and performing checks to avoid debuggers and sandbox environments.
Attacker abuses the Windows Phone Link application
Windows Phone Link (formerly “Your Phone”) is a synchronization tool developed by Microsoft and built directly into Windows 10 and 11 that bridges a PC and a smartphone (Android or iPhone). By establishing a secure connection via Wi-Fi and Bluetooth, the application mirrors essential phone activities (such as application notifications and SMS messages) onto the computer screen, reducing the user’s need to physically interact with the mobile device while working on the computer. The Phone Link application writes synchronized phone data such as SMS messages, call logs, and the application notification history to the Windows PC in the application’s SQLite database file.
Talos observed that during an intrusion, an attacker attempted to abuse the Windows Phone Link application using the CloudZ RAT and its Pheno plugin. The Pheno plugin is designed to monitor an active PC-to-phone bridge established by the Phone Link application on the victim machine. With a confirmed Phone Link activity on the victim’s machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file (e.g., “PhoneExperiences-*.db”) on the victim machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages.
Intrusion summary of CloudZ infection
Talos discovered from telemetry data that the intrusion had begun with an unknown initial access vector to the victim’s environment, which led to the execution of a fake ScreenConnect application update executable. This malicious executable drop and executes an intermediate .NET loader executable, which subsequently deploys the modular CloudZ on the victim’s machine. Upon execution, the RAT decrypts its configuration data, establishes an encrypted socket connection to the command-and-control (C2) server, and enters its command dispatcher mode.
CloudZ facilitates the C2 commands to exfiltrate credentials from the victim machine browser data, and it downloads and implants a plugin. The plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder. CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server.
Rust-compiled executable used as a dropper
Talos discovered a Rust-compiled 64-bit executable, disguised with file names such as “systemupdates.exe” or “Windows-interactive-update.exe”, functioning as a loader. The malicious loader was compiled on Jan. 1, 2026, and has the developer string of rustextractor.pdb.
When the loader is run on the victim machine, it decrypts and drops an embedded .NET loader binary disguised as a text file with the file names “update.txt” or “msupdate.txt” in the folder “C:ProgramDataMicrosoftwindosDoc”.
Figure 1. Excerpt of rusty dropper code.
In another instance, Talos observed that the .NET loader was implanted in the victim machine by downloading it from an attacker-controlled staging server using the command shown below:
The dropper executes an embedded PowerShell script to establish persistence on the victim machine through a Windows task which executes the dropped malicious .NET loader. The PowerShell script achieves it by initially performing a runtime check to determine whether the dropped .NET loader is already active on the system. It queries all running processes using the Get-CimInstance Win32_Process command and filters for any instance of regasm.exe with the command line parameters that include the string update.txt. If such an instance is found, the script silently exits without taking any action.
If the check indicates that the .NET loader is not running, the script proceeds to establish persistence by creating a scheduled task named SystemWindowsApis in the scheduled task folder MicrosoftWindows. It configures the task to trigger at system startup /sc onstart, execute under the SYSTEM account /ru SYSTEM with the highest privilege level /rl HIGHEST, and the /f flag ensures it will silently overwrite any existing task with the same name, allowing the malware to update its persistence mechanism. The script configures the task scheduler action to run the .NET loader by utilizing the living-off-the-land binary (LOLBin) regasm.exe, which is the .NET Framework Assembly Registration Utility located at “C:WINDOWSMicrosoft.NETFramework64v4.0.30319”. It provides the path of the dropped .NET loader as the argument to regasm.exe with the /nologo flag. After creating the task, the script immediately triggers it with schtasks /run, ensuring it executes immediately and survives future reboots.
Figure 2. Excerpt of the PowerShell script to establish persistence on victim machines.
.NET loader implants the CloudZ RAT
Talos found that the attacker embedded CloudZ, an encrypted .NET-compiled RAT, in the .NET loader executable.
When the .NET loader is triggered through the Windows task scheduler, it performs the detection evasion checks beginning with a timing-based evasion check, where it calculates the actual elapsed time of a sleep command to detect if it is executed in the analysis environment. It then performs enumeration of running processes in the victim machine against a list of security tools, including network sniffers like Wireshark and Fiddler, as well as system monitors like Procmon and Sysmon. The .NET loader exits the execution if these are detected in the victim environment.
Figure 3. Excerpt of the .NET loader binary with detection evasion instructions.
The loader then conducts hardware and environment checks to identify virtual machine (VM) or sandbox characteristics. It verifies that the system has at least two processor cores and searches for strings like “VIRTUAL” or “SANDBOX” within the system directory path, computer name, user domain, and the current victim username.
Figure 4. Excerpt of the .NET loader binary with detection evasion instructions.
The loader executable is embedded with multiple chunks of the hexadecimal strings in the binary, which are concatenated sequentially during the execution, reassembling a massive hexadecimal data blob. The loader converts the hexadecimal strings to bytes and performs bytewise XOR decryption using the key hexadecimal (0xCA). If the decrypted payload is a .NET assembly, the loader will reflectively run. Otherwise, it writes the decrypted payload to the folder “%TEMP%{GUID}” and runs it as a process.
Figure 5. Excerpt of the .NET loader to execute the .NET payload module. Figure 6. Excerpt of the .NET loader to execute the non .NET payload executables.
Modular CloudZ RAT delivered as payload
Talos discovered that a CloudZ, a modular RAT, is delivered as the payload in the current intrusion. CloudZ is a .NET executable compiled on Jan. 13, 2026, and is obfuscated with ConfuserEx obfuscation.
Figure 7. The RAT binary shows the malware name, CloudZ.
CloudZ employs layers of defense against the analysis environments and reverse engineering. It queries the _ENABLE_PROFILING environment variable via GetEnvironmentVariable Windows API to detect whether a .NET profiler or debugger is attached to the RAT process on the victim machine. It uses the .NET method “System.Reflection.Emit.DynamicMethod” combined with “ILGenerator” method to create the executable functions dynamically during the RAT execution.
The operation of CloudZ utilizes its configuration data, which is embedded in the binary, as a resource that it decrypts and loads into memory during execution. The decrypted configuration data includes various C2 commands, PowerShell scripts for data archive extraction, multiple file download methods, paths and names of staging folders, multiple HTTP headers, and the URLs of the staging servers.
Figure 7. CloudZ primary configuration data decrypted in memory.
After the decryption of the configuration data, CloudZ decodes the Base64-encoded strings to get the URL of the staging server where the secondary configuration is stored.
Figure 8. CloudZ function that downloads the secondary configuration data from the staging server.
Talos found that the RAT downloads and processes secondary configuration data through the URLs “hxxps[://]round-cherry-4418[.]hellohiall[.]workers[.]dev/?t=1773406370” or “https[://]pastebin[.]com/raw/8pYAgF0Z?t=1771833517” and extracts the C2 server IP address “185[.]196[.]10[.]136” and port number 8089, establishing connections through TCP sockets.
Pivoting on the Pastebin URL indicator, we found that the attacker used the Pastebin handler name “HELLOHIALL” and hosted the secondary configuration data at several Pastebin URLs.
The RAT rotates between three hardcoded user-agent strings to blend its HTTP traffic with the legitimate browser requests of the victim machine. Every HTTP request includes anti-caching headers consisting of “Cache-Control: no-cache, no-store, must-revalidate”, “Pragma: no-cache”, and “Expires: 0”, which prevents intermediate proxies and CDN infrastructure from caching C2 or the staging server details.
User-agent headers used by the CloudZ are:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
After the RAT establishes the C2 connection, it enters the command dispatcher module that relies on a decrypted configuration data loaded into memory. The configuration data contains Base64-encoded command identifiers which the RAT matches against the commands received from the C2 server to perform the several functionalities. The commands facilitated by CloudZ are shown in the table below:
Base64-encoded command
Decoded command
Purpose
cG9uZw==
pong
Heartbeat response
UElORyE=
PING!
Heartbeat request
Q0xPU0U=
CLOSE
TerminateRAT process
SU5GTw==
INFO
collects OS edition, architecture, and hardware details from the victim machine
UnVuU2hlbGw=
RunShell
Execute shell command
QnJvd3NlclNlYXJjaA==
BrowserSearch
Browser dataexfiltration
R2V0V2lkZ2V0TG9n
GetWidgetLog
Phone Link recon logs and dataexfiltration
cGx1Z2lu
plugin
Loadplugin
c2F2ZVBsdWdpbg==
savePlugin
Saveplugin to disk at the staging directory C:ProgramDataMicrosoftwhealth
c2VuZFBsdWdpbg==
sendPlugin
Upload Pluginto C2
UmVtb3ZlUGx1Z2lucw==
RemovePlugins
Removeall deployedpluginmodules
UmVjb3Zlcnk=
Recovery
Recoveryor reconnect routine
RFc=
DW
Download and write file operations
Rk0=
FM
File managementoperations–deletefile
TE4=
LN
Unknown
TXNn
Msg
Send message to C2
RXJyb3I=
Error
Error reporting back to C2
cmVj
rec
Screen recording
The RAT employs various methods to download and execute the plugins. The plugin download feature of RAT uses a three-method fallback approach. It first checks for the presence of the curl utility. If found, it attempts to download the file from a specified URL to a target path while following redirects. If curl is missing or the command fails, it falls back to PowerShell, where it first tries to download the file using the Invoke-WebRequest command. If that method also fails, it executes a final method that uses the LOLBin“bitsadmin” tool to download and save the plugin payloads to the victim machine.
Figure 11. CloudZ’s embedded PowerShell command with three different approaches to download operation.
Talos observed from the telemetry data that the attacker has downloaded and implanted the Pheno plugin through the curl command from the staging server.
Pheno plugin to perform the Phone Link application recon
In this intrusion, Talos observed that the attacker used a plugin called Pheno to perform reconnaissance of the Windows Phone Link application in the victim machine.
Pheno is designed to detect if a user is currently syncing their mobile device to a Windows machine through the Phone Link application. It scans all running processes for specific keywords such as “YourPhone,” “PhoneExperienceHost,” or “Link to Windows,” and if matches are found, it logs their Process IDs and file paths to the files with the filename “phonelink-<COMPUTERNAME>.txt”, created in two staging folders such as :
C:programdataMicrosoftfeedbackcm
%TEMP%Microsoftfeedbackcm
Figure 11. Pheno recon plugin that monitors an active PC-to-phone bridge through Phone Link application.
After checking Phone Link processes and writing its results, Pheno executes a secondary check that reads back the contents of previously written files and searches the keyword “proxy” in a case-insensitive manner. The plugin conducts this check because the Microsoft Phone Link application creates a local proxy connection to relay traffic between the PC and the paired mobile device. The presence of “proxy” in the output files, whether generated by a previous execution of the pheno plugin, indicates that the Phone Link session is actively routing traffic through its relay channel.
When the keyword is detected, the pheno plugin writes “Maybe connected” to its output file in the staging folders, which eventually allows the attacker, with the help of CloudZ RAT, to potentially monitor SMS or OTP requests that appear on the Phone Link application.
Figure 12. Pheno checking for a previous instance of PC-to-phone bridge through Phone Link application.
Coverage
The following ClamAV signature detects and blocks this threat:
Win.Packed.Msilheracles-10030690-0
Win.Trojan.CloudZRAT-10059935-0
Win.Trojan.CloudZRAT-10059959-0
The following Snort Rules (SIDs) detect and block this threat:
Snort 2: 66409, 66410, 66408
Snort 3: 301492, 66408
Indicators of compromise (IOCs)
The IOCs for this threat are available at our GitHub repository here.
Droids appear in practically every movie or TV series set in the “Star Wars” universe. They usually behave strangely. On the one hand, they give the impression of being independent-thinking beings with their own personalities; on the other, they’re objects: they belong to someone, remain loyal to their owners, and carry out their orders. Most of the time we’re never given any explanation for the droids’ motivations. Why are some of them willing to break the law at their master’s command? What determines who exactly they consider their master? How do they decide whom to remain loyal to and whose orders to follow?
Someone might say, “What’s the difference?” And from the perspective of the average viewer, they’d be absolutely right. But from our perspective, the question of a droid’s loyalty is first and foremost a question of cybersecurity. A droid is a complex cyber-physical system; by influencing its motivation, an attacker can gain access to confidential data, or even cause harm to the actual owner. In 2025, two TV series were released whose creators dealt with the issue of droid ownership. We were presented with two concepts for managing droid motivation. We’ll attempt to examine both of these concepts and their shortcomings in this post. As usual, please be warned that the text may contain spoilers.
“Star Wars: Skeleton Crew”
In “Skeleton Crew”, we’re introduced for the first time to the concept changing droids’ behavior using voice commands. In several instances, a person who’s not the droid’s formal owner attempts to influence its actions by trying to mislead the droid. Overall, it appears this concept was influenced by modern chatbots based on large language models (LLMs) — it bears a striking resemblance to “jailbreak” attempts, i.e., attacks on the model aimed at bypassing security restrictions or built-in filters.
An unnamed droid working as a servant
Fern, a ten-year-old girl, wants her mother to think that she came home early and was studying in her room. But there’s a problem: the home droid knows that’s not true. So Fern uses the “Run memory override” command, and feeds the droid false information in the rather absurd phrasing, “I was home, you just didn’t see me”.
The fact that this method works points to two problems. First, the droid accepts the memory override command from Fern, which means it either lacks account control or has improperly configured permissions. The formal owner of the droid is the mother (otherwise, manipulating the memory would make no sense), but nevertheless, it accepts a potentially dangerous command from Fern. Second, a home droid tasked with watching over a child obviously lacks a built in parental control feature.
Pirate droid SM-33: motivation
The SM-33 droid considers the captain of the ship “Onyx Cinder” to be its owner. That is, it remains loyal not to a specific person, but to a role. A pirate code is used to determine the legitimacy of the right to hold this role. Unfortunately, the entire code isn’t explained to us, but several of its tenets are cited. First, according to the SM-33’s programming, there can be no ship without a captain (if there is no captain, someone must take their place). Second, the person who defeats the captain legally becomes the new captain. Third, if a challenge is invoked, the droid cannot assist the active captain, but must wait for the outcome of a duel. And fourth, a person can be the captain of only one ship — if a person takes command of another vessel, they automatically lose their status as captain of the first.
The SM-33 changes hands three times, strictly following this code. First, Fern lies to him, claiming she killed the previous captain and took his place. Then Jod Na Nawood throws down a challenge and becomes captain when Fern surrenders. Then Jod takes command of a pirate frigate and loses the captain’s seat of the Onyx Ash, but manages to reclaim his rights.
And here’s where an interesting twist occurs. Fern introduces a concept from children’s games —unclaimsies (essentially a reset of claims) — and asserts her own claim to the captain’s seat. She then immediately orders SM-33 to throw the pirates overboard. To many viewers, this moment seemed extremely unrealistic — why would a droid, whose motivation is defined by the pirate code, consider such a transfer of rights to be legitimate? However, if we assume that the droids are controlled by LLMs, then this plot twist is quite explainable.
The Pirate Code is the original system of ethical values embedded in the droid. The chatbot typically assesses the interlocutor’s intent at the very beginning of the dialogue, using a complex (resource-intensive) model for this purpose. Subsequently, to conserve resources and ensure safety during the conversation, simpler models are employed. However, the more context (dialogue history) there is, the more complex and resource-intensive it becomes to assess intent. This is precisely the basis of the popular jailbreak technique, which works on at least some modern LLMs. That is, as a result of prolonged communication with Fern, SM-33 lost the ability to correctly assess new requests for compliance with its original ethical guidelines, and therefore it deemed the statement about nullifying rights to be justified.
SM-33: Access to Memory
In fact, there is another issue with SM-33’s security that’s not directly dependent on whom it considers its owner, but is nonetheless related. The old captain gave the order to forget everything related to the planet At Attin, and to dismantle anyone who begins to take an interest in this matter. Fern, with the admin captain’s privileges, runs her favorite memory override, and forces the droid to retrieve its memories of At Attin, after which SM-33 recalls both the planet and the order to attack the questioner.
And as a result, we realize that, in fact, it did not carry out the old captain’s order; the information about At Attin remained in the droid’s memory; it simply couldn’t find it — that is, if it did delete it, it was only from the index of accessible memories. Perhaps this is some physical property of the droid’s memory, or maybe this can be explained by the fact that SM-33 was programmed not by a professional, but by a pirate. After all, its design includes other suboptimal solutions, such as a power switch accessible to anyone standing nearby, exactly like C-3PO’s. But what makes sense for a protocol droid isn’t exactly suitable for a combat droid designed, among other things, for hand-to-hand combat…
Season 2 of the series “Andor”
In the series “Andor”, the prequel to the film “Rogue One,” we finally see how the main character, Cassian Andor, acquired the reprogrammed Imperial security droid K-2SO to become his partner. And most importantly, the process of how the rebels changed his motivation is shown.
As it turns out, in order for a combat droid loyal to the Empire to stop obeying its original programming, its “cortex” must be replaced — though the replacement cortex can trigger rejection. The specialist says, verbatim: “You’ll hear a lot of nonsense about reprogramming, which makes it sound as though it’s a problem that can be solved from a console, but frankly, that’s nonsense. It’s really all about impulse suppression, which is entirely an engineering and wiring issue.”
In other words, the rebels replace a certain component, after which the droid becomes a being with new moral principles. At the same time, it retains its memory (K-2SO later recalls how it once participated in a parade on Coruscant).
So, what conclusions can we draw from all this? Well, first, it becomes clear that a droid controlled by an LLM is a clear security threat. It can easily be misled and made to act against its rightful owner. And second, the hardware and software platform used to create droids in “Star Wars” is far from ideal. If our colleagues had been responsible for creating the droids, they’d have strived to develop a cyber-immune solution in which functionality would be impossible after a key component was replaced, as would malicious memory manipulation. In other words, it’s a real shame that a long time ago, in a galaxy far, far away, there was no KasperskyOS.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-04 12:06:332026-05-04 12:06:33The motivation of droids from the “Star Wars” universe | Kaspersky official blog
Warnings about helpdesk impersonation scams and Iran-linked hackers targeting critical sectors in the US, plus the most damaging scams of 2025 – here’s some of what made the headlines this month
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-05-01 03:06:352026-05-01 03:06:35This month in security with Tony Anscombe – April 2026 edition
