Malware Activity
The Rapid Evolution of AI‑Driven Phishing and SaaS‑Focused Attacks
Recent reporting highlights a sharp escalation in how cybercriminals are combining automation, artificial intelligence, and social engineering to carry out faster and harder‑to‑detect attacks. A new phishing‑as‑a‑service platform called Bluekit exemplifies this shift by bundling the entire phishing lifecycle into one streamlined toolkit, complete with over forty (40) realistic templates that imitate trusted brands like Gmail, Outlook, iCloud, and GitHub. Its built‑in AI assistant helps attackers quickly draft phishing campaigns, lowering the skill and time needed to launch convincing attacks. Bluekit also automates domain setup, phishing page behavior, session tracking, and data exfiltration, giving attackers real‑time visibility into victim activity and stolen credentials. At the same time, groups such as Cordial Spider and Snarky Spider are abusing voice phishing and single sign‑on (SSO) systems to bypass traditional defenses entirely. By impersonating IT staff over the phone and directing victims to fake SSO pages, they capture credentials and MFA codes and rapidly spread across cloud applications. Together, these trends show how attackers are exploiting trust in cloud services and human interactions, making phishing and extortion attacks faster, stealthier, and more difficult to stop with traditional security controls. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: New Bluekit Phishing Service Includes an AI Assistant, 40 Templates
- SecurityWeek: New Bluekit Phishing Kit Features AI Assistant
- TheHackerNews: Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
Threat Actor Activity
SHADOW-EARTH-053 Campaign Targets Asian Governments, NATO, and Others
Trend Micro has identified a new China-aligned espionage cluster, SHADOW-EARTH-053, targeting government and defense entities across South, East, and Southeast Asia, plus Poland. Active since at least December 2024, the group exploits N-day flaws in internet-facing Microsoft Exchange and IIS servers (including ProxyLogon-style chains) to drop Godzilla web shells, then uses them to run commands, conduct reconnaissance, and deploy the ShadowPad backdoor via AnyDesk and DLL sideloading. Tooling includes open-source tunnels (IOX, GOST, Wstunnel), RingQ packing, Mimikatz for privilege escalation, and custom RDP/Sharp SMBExec tools for lateral movement. In at least one (1) case, React2Shell (CVE-2025-55182) was used to distribute a Linux Noodle RAT variant. Many victims overlap with a related cluster, SHADOW-EARTH-054. Separately, Citizen Lab reports two (2) China-linked phishing clusters, GLITTER CARP and SEQUIN CARP, targeting journalists and civil society (including Uyghur, Tibetan, Taiwanese, and Hong Kong activists) and organizations such as the International Consortium of Investigative Journalists (ICIJ). Using impersonation, adversary-in-the-middle (AiTM) phishing kits, tracking pixels, and OAuth abuse, they harvest credentials and access email accounts.
Vulnerabilities
“Copy Fail” Linux Vulnerability Actively Exploited, Enabling Cross-Platform Root Compromise
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding active exploitation of the Linux kernel vulnerability CVE-2026-31431, dubbed “Copy Fail,” which enables unprivileged or low-privileged users to escalate privileges to root across a wide range of Linux systems. Disclosed by Theori alongside a proof-of-concept exploit, the flaw exists in the kernel’s AEAD cryptographic interface and allows attackers to write controlled data to the page cache of readable or setuid-root binaries, effectively granting full system control. The vulnerability impacts nearly all major Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, and SUSE Linux Enterprise 16, and affects kernels built since 2017, dramatically expanding its attack surface. While Microsoft reports that current in-the-wild activity is limited and largely tied to proof-of-concept testing, it highlights the vulnerability’s high risk due to its reliability, stealthy in-memory execution, and applicability in cloud, containerized, and multi-tenant environments, where it can facilitate container escape, lateral movement, and broader compromise. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog, mandating remediation within two (2) weeks. CTIX analysts urge impacted organizations to prioritize patching, identify vulnerable assets, restrict access, and monitor for exploitation attempts, particularly as attackers can chain the flaw with SSH access, malicious CI/CD jobs, or container footholds to achieve root shell access.
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
