Malware Activity
Modern Supply-Chain Attacks Using Signed Artifacts and Living-off-the-Land Techniques
Recent incidents show attackers increasingly exploiting trust in legitimate software rather than relying on obvious intrusions. In the Mini Shai-Hulud campaign, threat actors compromised popular open-source developer tools by hijacking trusted automated release pipelines, allowing malicious updates to be published with valid signatures. Once installed, the hidden malware quietly stole cloud credentials, developer tokens, and CI/CD secrets, enabling the attack to spread further across software ecosystems while remaining extremely difficult to detect. In parallel, attackers abused the trusted Windows utility HWMonitor by bundling a hidden malicious component with a legitimate installer, so that the legitimate software unknowingly loaded the malware through a common Windows behavior known as DLL sideloading. This gave attackers full remote access to infected systems while the legitimate software continued to function normally. Together, these incidents highlight a growing risk: software can be authentic, signed, and widely trusted, yet still deliver serious compromises. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
- CyberSecurityNews: Hackers Abuse Legitimate HWMonitor Binary to Load Malicious DLL Payload
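The HWMonitor case above relies on a payload DLL sitting beside a legitimate executable. As an added defender check (not code from the page, from HWMonitor's vendor, or from the cited articles), the following PowerShell enumerates DLLs co-located with validly signed executables and flags any that are unsigned or signed by a different publisher; the install path is an assumption and should be changed to the folder under review.

```powershell
# Added example: triage helper for DLL sideloading candidates.
# $AppDir is an assumed install path, not one taken from the page.
param(
    [string]$AppDir = 'C:\Program Files\CPUID\HWMonitor'  # assumed path
)

function Get-SideloadCandidates {
    param([Parameter(Mandatory)][string]$Directory)

    $exes = Get-ChildItem -Path $Directory -Filter *.exe -File -Recurse
    foreach ($exe in $exes) {
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
        # Only a validly signed host is an attractive sideloading target
        if ($exeSig.Status -ne 'Valid') { continue }
        $publisher = $exeSig.SignerCertificate.Subject

        # Every DLL in the host's own folder is a load candidate for it
        Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -File | ForEach-Object {
            $dllSig = Get-AuthenticodeSignature -FilePath $_.FullName
            $reason = $null
            if ($dllSig.Status -ne 'Valid') {
                $reason = "DLL signature status: $($dllSig.Status)"
            } elseif ($dllSig.SignerCertificate.Subject -ne $publisher) {
                $reason = 'DLL signer differs from host EXE signer'
            }
            if ($reason) {
                [pscustomobject]@{
                    Host      = $exe.FullName
                    Dll       = $_.FullName
                    DllSigner = $dllSig.SignerCertificate.Subject
                    Reason    = $reason
                }
            }
        }
    }
}

Get-SideloadCandidates -Directory $AppDir | Format-Table -AutoSize
```

A hit is a lead, not a verdict: legitimate runtimes from other publishers will also appear, so compare flagged files against a known-good install of the same version before acting.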
Threat Actor Activity
AI Used by Hackers to Develop First Known Zero-Day Exploit Used in the Wild
Google’s Threat Intelligence Group (GTIG) reports the first observed case of a zero-day exploit likely developed with an AI system for real-world vulnerability discovery and exploit generation. An unknown cybercrime actor used a Python-based exploit to bypass two-factor authentication (2FA) on a popular open-source web-based system administration tool, as part of a “mass vulnerability exploitation operation.” The script showed strong hallmarks of LLM-generated code, including verbose educational docstrings, a fabricated CVSS score, and highly structured “textbook” Python formatting. The 2FA bypass required valid credentials and exploited a high-level logic flaw based on a hard-coded trust assumption, exactly the kind of semantic bug LLMs are good at spotting. Google worked with the vendor to patch the zero-day and disrupt the campaign. This is an example of how AI is being integrated across the full exploit lifecycle, ultimately compressing timelines for attackers. Beyond this incident, Google notes AI is also being used to build polymorphic and autonomous malware, underscoring that defenders must assume faster, AI-assisted attacks and cannot “opt out” of this new reality. Ankura CTIX Analysts will continue to monitor how AI is being leveraged by Threat Actors and being integrated into their campaigns.
Vulnerabilities
Chaotic Eclipse Leaks New Windows Zero-Days Targeting BitLocker and SYSTEM Privileges
Anonymous researcher Chaotic Eclipse, also known as Nightmare-Eclipse, has released proof-of-concept exploits and technical details for two (2) new Windows zero-days dubbed YellowKey and GreenPlasma, continuing a public disclosure campaign that previously exposed the BlueHammer, RedSun, and UnDefend Microsoft Defender flaws. YellowKey is a BitLocker bypass affecting Windows 11 and Windows Server 2022/2025 that abuses NTFS transactional logging and the Windows Recovery Environment (WinRE) to launch a command shell with access to an unlocked BitLocker-protected drive. The exploit uses specially crafted FsTx files placed on a USB device or EFI partition to manipulate recovery behavior and replace the normal WinRE interface with cmd.exe. Independent researchers Kevin Beaumont and Will Dormann confirmed key aspects of the attack, with Dormann noting that NTFS transaction replay from one volume appears capable of modifying files on another volume. While the currently released exploit mainly impacts TPM-only BitLocker deployments and requires physical access to the original device, Chaotic Eclipse claimed the underlying flaw could also affect TPM+PIN configurations. The second vulnerability, GreenPlasma, targets the Windows Collaborative Translation Framework (CTFMON) and allows arbitrary memory section creation within SYSTEM-writable directory objects, potentially enabling privilege escalation to SYSTEM by manipulating trusted services or drivers. Although the PoC is incomplete, the researcher suggested it could be adapted into a full privilege escalation exploit. The disclosures have renewed concerns around BitLocker protections, particularly after researchers from Intrinsec demonstrated a downgrade-based BitLocker bypass using
- Bleeping Computer: Windows YellowKey/GreenPlasma Vulnerabilities
- The Hacker News: Windows YellowKey/GreenPlasma Vulnerabilities
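Because the released YellowKey exploit is reported above to mainly affect TPM-only BitLocker deployments, the natural first check is which volumes rely on the TPM alone. The following PowerShell is an added example (not from the page, the researchers, or Microsoft) that uses the built-in BitLocker module to report each volume's protector types and whether unlock depends solely on the TPM; it must be run from an elevated shell.

```powershell
# Added example: inventory BitLocker volumes that unlock on TPM measurement alone.
# Assumes the BitLocker PowerShell module (Windows 10/11, Windows Server).

function Get-TpmOnlyBitLockerVolumes {
    # Protector types that require something beyond the TPM before boot
    $preBootAuth = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    Get-BitLockerVolume | ForEach-Object {
        # Collect the protector type names attached to this volume
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasTpm     = $types -contains 'Tpm'
        $hasPreBoot = ($types | Where-Object { $preBootAuth -contains $_ }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = ($hasTpm -and -not $hasPreBoot)
        }
    }
}

Get-TpmOnlyBitLockerVolumes | Format-Table -AutoSize
```

Volumes reporting TpmOnly as True are the ones to review for a pre-boot PIN (Add-BitLockerKeyProtector -TpmAndPinProtector), which also requires the "Require additional authentication at startup" policy to permit it.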

© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
