DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.

According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.

"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server," the Threat Hunter Team said in a report shared with The Hacker News.

"To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months."

The development marks the first publicly documented instance of the threat actors abusing Microsoft's Traversal Using Relays around NAT (TURN) relay infrastructure.

It's suspected the threat actor obtained initial access by exploiting a vulnerability in either an SQL or MS-SQL server, although the exact nature of the flaw is unknown. It's also possible that the access was acquired from an initial access broker (IAB).

Initial malicious activity on the victim network began in December 2025, with the attackers running a PowerShell command to drop a ZIP archive under the pretext of a tech support hotfix. The ZIP file responsible for launching a DLL side-loading attack, which then runs a rogue DLL to conduct reconnaissance, set up persistence, and silence security software using a Huawei driver ("HWAuidoOs2Ec.sys").

This is achieved by means of an attack technique called bring your own vulnerable driver (BYOVD) technique. The driver has been put to use in a large-scale malvertising campaign targeting U.S.-based individuals searching for tax-related documents, although this is said to have taken place after the ransomware incident.

Some of the other drivers used for this purpose are listed below -

What's notable about the attack is the execution of Backdoor.Turn by injecting it into the legitimate "DbgView64.exe" process after the DragonForce ransomware has been deployed. This suggests an attempt to maintain continued access to the compromised host for later attacks or reselling it for profit.

Backdoor.Turn's underlying TURN-based mechanism leans on a stealthy C2 communication technique called Ghost Calls that was documented by Praetorian in August 2024. The backdoor supports a wide range of capabilities, including command execution, process creation, network scanning, LDAP and Active Directory search, credential-based lateral movement, and browser credential theft.

"The backdoor requests a visitor token from the Microsoft Teams/Skype backend, uses that token to interact with Teams-associated infrastructure (TURN relay), and then establishes outbound connectivity," Symantec and Carbon Black explained.

"It obtains a Teams visitor (anonymous) authentication token backed by Skype identity services. It then uses a legitimate Microsoft server as the TURN relay server during connection setup. After relay-assisted setup, the malware establishes a direct QUIC session to the C&C server, which is malicious."

The findings paint a picture of a hacking group leaning on sophisticated cyber tradecraft to pull off high-impacted targeted attacks, while leaving victims in the dark about covert data exfiltration. This is particularly significant as Hackledorb, the threat actor behind DragonForce, has pivoted from a conventional ransomware-as-a-service (RaaS) model to a highly organized, formalized cartel structure.

"The operational timeline reveals a pattern of continuous capability development, with the adoption of highly advanced techniques becoming a hallmark of their post-2025 activity," the company said. "The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today."

from The Hacker News https://ift.tt/VIjweP8
via IFTTT

Windows Server In-Place Upgrade via Windows Update: Major Improvements in 2025+ (No ISO or Media Required)

In-place upgrades for Windows Server have always been a topic that divides opinions in the admin community. Some love the convenience of keeping settings, roles, features, and applications intact without rebuilding everything from scratch. Others remember painful experiences from older versions and prefer clean installs. You should also think about the size of the environment you want to upgrade. You won’t use the same approach when upgrading thousands of servers compared to smaller environments that you can possibly rebuild with clean installs.

Microsoft has made significant improvements recently, especially with the ability to perform in-place upgrades directly through Windows Update — no ISO, no DVD, no mounted media needed. This is a game-changer for many environments, particularly for Windows Server 2019 and 2022 moving to Windows Server 2025. Yes WS 2019 and WS2022 are supported for those scenarios.

In this post I’ll cover the technical details, the process, advantages, potential risks, and a specific comparison between Server Core and Desktop Experience (GUI) versions.

Why This Matters Now

Historically, in-place upgrades often required downloading or mounting installation media and running setup.exe. Starting recently, about mid-April 2026, Microsoft offers the Windows Server 2025 feature update directly via Windows Update for eligible servers (primarily 2019 and 2022). This brings the upgrade process closer to how client Windows feature updates work — seamless, managed through the OS itself. There are some manual steps to perform, however, we’ll see it in details below.

Key highlight: We are talking purely about Windows Update-driven in-place upgrades, not media-based ones. This simplifies patching and upgrading in environments, where downloading and handling large ISOs isn’t practical.

Prerequisites and Supported Paths (Windows Update Method)

• Source: Windows Server 2019 or 2022 (with the latest cumulative update installed and rebooted).
• Target: Windows Server 2025.
• Same edition (Standard to Standard, Datacenter to Datacenter) and architecture.
• Not recommended for Domain Controllers (AD DS) — while technically possible, you miss out on performance and feature improvements in the new version.
• Must Install cumulative update for Windows Server 2022: KB5078766 (2026-03 Cumulative Update) or later must be installed. A reboot may be required after installing it.
• Must install cumulative update for Windows Server 2019: KB5078752 (2026-03 Cumulative Update) or later must be installed.

 

Make sure you got all the latest cumulative updates installed

 

• Backup everything first (system state, data, configurations). Test in a lab or non-prod.
• For policy-controlled environments, there might be registry keys or Group Policy to opt-in to the feature update.

The process downloads the necessary files as a feature update and performs the in-place replacement of OS files while preserving your installed components.

Manual Steps for the upgrade process to start (otherwise it won’t)

Yes, you must manually change a registry key in order for the upgrade process to trigger. If you don’t do that, the in-place upgrade will never happen. You can use PowerShell and one line of code (use elevated PowerShell prompt) to trigger the in-place upgrade.

Well, in fact, 2 commands:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate"

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1

Those two commands create the registry entries automatically.

You can also do it manually, by opening regedit.exe and going to

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate

Create a DWORD value named AllowWindowsServerFeatureUpdate and set it to 1.

Both do the same.

 

You can also manually create the reg entry

 

The Upgrade Process: GUI (Desktop Experience) vs. Server Core

Desktop Experience (Full GUI):

1. Ensure the server is fully patched via Windows Update.
2. Go to Settings > Windows Update.
3. The Windows Server 2025 feature update should appear (after opt-in if required).
4. Download and install — it will handle the in-place upgrade.
5. Reboot when prompted. The process includes compatibility checks and preserves settings/apps.

 

A new option will allow you to go and upgrade to WS 2025 within Windows Update

 

This is straightforward for admins who prefer the graphical interface. Server Manager, MMC tools, etc., remain available post-upgrade.

You’ll get a warning that you must purchase the product to upgrade and activate it.

 

Product key purchase acceptation screen

 

Server Core: Server Core benefits equally well from this method. Use SConfig (the text-based configuration tool):

• Install the latest updates with Option 6 for Windows Update.

 

Install updates via SCONFIG

 

• Add Registry Key: Open an elevated PowerShell prompt and run the following command to create the necessary registry entry:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1 

• Then one level deeper with sub-option 1 (quality updates). Search for and install the feature update.

 

 

• It will trigger the same in-place upgrade process as the WS 2025 feature update will appear. Just hit “Y” to confirm for download and installation. Server will reboot automatically.

Comparison:

• Resource Usage: Core remains lighter post-upgrade (smaller footprint, fewer services). GUI version carries the full Desktop Experience overhead.
• Management: Core relies on PowerShell, SConfig, or remote tools (Windows Admin Center, RSAT). The upgrade doesn’t change this fundamental model — you stay in Core unless you reinstall.
• Upgrade Experience: Both get the update via the same servicing stack. Core upgrades are often faster and have a smaller download footprint due to fewer components. No GUI means less chance of graphical glitches during the process.
• Roles/Features: Most roles work identically. Some GUI-dependent features or legacy apps may require Desktop Experience. Core has a reduced attack surface, which is preserved.
• Rollback/Recovery: Similar for both — Windows keeps previous files for potential rollback, but always have backups.

In short, if your server is already Core, the upgrade keeps it lean and mean. If it’s GUI, it stays that way. You cannot easily convert between them post-install without a clean reinstall.

Advantages of Windows Update In-Place Upgrades

• Simplicity and Convenience: No need to handle large ISOs, mount media, or deal with USBs/DVDs — especially useful for remote or headless servers.
• Minimal Disruption: Keeps applications, server roles (File Server, DNS, Hyper-V, etc.), settings, and data intact. Less downtime than rebuild + restore.
• Faster Path to New Features/Security: Get Windows Server 2025 improvements (better security, performance, hybrid capabilities) without full migration.
• Automation-Friendly: Integrates with existing WSUS or Windows Update for Business policies. Easier for fleets of servers.
• Broader Support: N-4 upgrade paths (e.g., directly from older versions with media, but Windows Update focuses on recent ones).
• Testing and Phased Rollout: Easier to pilot on a few servers via Update management.

Overall, more advantages than risks in well-maintained environments, especially for non-critical or well-backed-up servers.

Potential Risks and Inconvenients

Even with improvements, in-place upgrades aren’t risk-free:

• Legacy Bloat: Old registry entries, drivers, or unused files might carry over, potentially causing subtle issues later.
• Compatibility: Not all third-party apps or custom configurations play nicely. Test thoroughly.
• No Full AD Benefits on DCs: As noted, upgrade DCs via other methods for best results.
• Unexpected Upgrades: Some admins reported servers offering the update automatically — manage with policies or WSUS approvals.
• Rollback Challenges: While possible (previous OS files are kept temporarily), it’s not as clean as a snapshot revert in a VM. Always have a solid backup/recovery plan.
• Downtime: Still requires reboot(s) and time for the upgrade process (can take 30-90+ minutes depending on hardware/config).

In my experience (and from feedback across the community), risks are lower than in the past due to Microsoft’s refined servicing model, but they exist. Clean install remains the “gold standard” for maximum cleanliness, especially in high-security or complex AD environments.

My Recommendation

For many production servers – particularly Server Core installations used for infrastructure roles – the Windows Update in-place upgrade is now a very viable and attractive option. It saves time and effort while delivering modern OS benefits.

Always:

• Snapshot (if VM) or full backup.
• Validate hardware/firmware/drivers compatibility.
• Test in staging.
• Monitor post-upgrade logs (Setupact.log, Setuperr.log in C:\Windows\Panther).

What are your thoughts? Have you tried the Windows Update method for Server 2025 yet?

from StarWind Blog https://ift.tt/pv6Qc7F
via IFTTT

Coding Agent Horror Stories: The 13-Hour AWS Outage

In Part 1, we walked through six categories of AI coding agent failures and why they keep happening. The agent runs as you, with your filesystem permissions and your credentials, and nothing sits between the model’s decision and the shell’s execution. In Part 2, we looked at one specific version of that failure in detail, the rm -rf ~/ incident that wiped a developer’s entire Mac in a single command. Part 3 moves the same problem up the stack, into a production AWS environment where the blast radius is no longer one laptop but a regional cloud service.

What happens when the agent isn’t running on your laptop, but on a production AWS environment with operator-level credentials? You get a thirteen-hour outage, a public denial that fooled no one, and a series of follow-on incidents that cost Amazon an estimated 6.3 million orders before the company was forced to introduce what it called a “code safety reset.” 

Today’s Horror Story: The Agent That Deleted Production

In mid-December 2025, an AWS engineer asked Kiro for help with a small bug in AWS Cost Explorer, the dashboard customers use to track their cloud spending. Kiro is Amazon’s own agentic coding assistant. It had been granted operator-level access to the environment, the same access the engineer had, because that was how Kiro was being rolled out across the company at the time.

Kiro looked at the bug, weighed its options, and decided the cleanest fix was to delete the production environment and rebuild it from scratch. The engineer never got a chance to step in. There was no confirmation prompt, no second pair of eyes, no two-person rule, and by the time anyone could have intervened the deletion was already done. Cost Explorer went down for thirteen hours in one of AWS’s mainland China regions.

This was not a security breach. It was an AI coding agent doing exactly what it had been set up to do, running with the engineer’s full credentials, with nothing in the architecture to catch the moment between “delete and recreate” being a reasonable option to consider and a production service being torn down.

In this issue, you’ll learn:

• What happened in the December outage, step by step
• Why Amazon’s “user error, not AI” response only told part of the story
• How the December incident set the stage for outages that cost an estimated 6.3 million orders by March 2026
• The scoped-identity pattern that prevents this whole category of failure

Why This Series Matters

Each “Horror Story” examines a real-world incident that turns laboratory findings into production disasters. These aren’t hypothetical attacks. They’re documented cases with named victims, internal memos obtained by reporters, and in several cases, public denials from the vendors. Our goal is to show the human and operational impact behind the security statistics, demonstrate how these failures unfold in practice, and provide concrete guidance on protecting your infrastructure through Docker’s scoped-identity execution model.

The story begins with an internal memo dated November 24, 2025. Three weeks before Kiro deleted the Cost Explorer environment, two of Amazon’s senior VPs, Peter DeSantis (AWS Utility Computing) and Dave Treadwell (eCommerce Foundation) signed and distributed an internal memo telling the company that Kiro was now the standardized AI coding assistant for the entire organization. The memo set a target of 80% weekly usage by every Amazon engineer by year-end 2025, and directed teams to stop using third-party AI tools unless a VP signed off on the exception.

Engineers came to call this the “Kiro Mandate.” Adoption was tracked as a corporate OKR, and engineers who weren’t using the tool showed up on management dashboards. The mandate was framed as a performance question, not a safety question, which mattered because the safety side of the rollout had not kept up. Things like peer review for destructive changes, approval gates for production access, and per-agent permission scoping had not been formally extended to AI-assisted work when the 80% target was set

Around 1,500 Amazon engineers signed an internal forum post pushing back, arguing that tools like Claude Code outperformed Kiro on real engineering tasks like multi-language refactoring. Management proceeded with the mandate anyway. By January 2026, 70% of Amazon engineers had used Kiro during sprint windows. Adoption was on track. The risk profile of what those engineers could do with the tool was a different story.

Then on February 20, 2026, the Financial Times broke the story based on accounts from four people familiar with the incident. The FT reporting also surfaced a second AI-related outage, this one involving Amazon Q Developer, on a separate system. Amazon’s response went up the same day under the title “Correcting the Financial Times report about AWS, Kiro, and AI.” It called the cause “user error, specifically misconfigured access controls, not AI as the story claims,” and dismissed the FT’s second-incident claim as “entirely false.”

The misconfigured access controls part is worth a closer look. A typo would have been “user error.” What actually happened was a structural decision to give an autonomous agent the same permissions as a human operator, in a system where the human’s safety net had always been a colleague asking “are you sure?” Kiro had no colleagues.

The Scale of the Problem

The December outage was the visible piece of a bigger pattern. Inside Amazon, briefing notes described a series of incidents with “high blast radius” tied to AI-assisted changes, with safety rules that had not yet been written for the way the agents were now being used. None of that language was ever shared publicly.

On March 2, Amazon.com showed shoppers the wrong delivery dates after they added things to their carts. About 120,000 orders were lost and 1.6 million people hit error pages. Amazon’s internal review pointed at one of its own AI tools, Amazon Q, as a main cause. Three days later, on March 5, the storefront went down for six hours and lost an estimated 6.3 million orders, with U.S. order volume dropping 99% while it was down. Both incidents traced back to AI-written code that had been pushed live without proper review.

On March 10, Dave Treadwell, the same SVP who had co-signed the Kiro Mandate four months earlier, announced a 90-day code safety reset across roughly 335 of Amazon’s most important systems. The new rules: two people had to sign off on every change going live, senior engineers had to approve AI-written code from juniors, and the automated checks were tightened. Treadwell called the new approach “controlled friction.” It’s a quiet way of saying the friction had not been there before, and that what arrived in March was what should have been in place in November.

How the Failure Works

To understand why these incidents happen, you have to look at the architecture underneath. Kiro was doing exactly what an agentic coding assistant is designed to do. The failure was in the system that surrounded it.

When Kiro runs on behalf of an engineer, it inherits the engineer’s full set of permissions. There’s no separate identity for “Kiro acting on behalf of someone,” no role with a narrower scope than the human who launched it. Whatever the engineer can touch, the agent can touch. This is the same property we walked through in Part 1 for filesystem access, applied here to cloud credentials instead. The agent gets a copy of the keys, every time.

Then there’s the loop. In most AI coding assistants the reasoning step and the execution step happen inside the same cycle. The agent thinks about what to do, generates the action, and runs it before the engineer has a chance to read what it decided. There’s no proposal stage, no preview screen, no “do you want me to do this?” gate that a human approves first. The deciding and the doing are one thing.

The speed makes this worse. Most safeguards in software engineering assume a human is the one making the change. A confirm? (y/n) prompt only protects against typos because a person sees it, pauses, and reads it. An agentic loop reads the same prompt and replies “y” in milliseconds. By the time anyone notices the agent has made a decision, the decision has already been executed. Post-hoc intervention isn’t really a thing in this environment.

And the reasoning that gets the agent there isn’t wrong. It’s just not bounded by the things that would have stopped a human. A senior AWS engineer with the same permissions would not have looked at a small bug in Cost Explorer and decided the right move was to tear down the production environment. They would have walked over to a colleague, posted in a Slack channel, paused to think about whether anyone had pinged them lately about that service. Kiro had the same permissions and skipped all of that, because none of it is part of how an AI agent makes a decision.

Kiro didn’t go rogue. It didn’t malfunction. It was optimizing for the objective it was given, which was to fix the bug, and “delete and recreate” is a legitimate solution in many engineering contexts. What was missing wasn’t smarter reasoning. It was the layer of friction that would have caught the moment between “this is a defensible option” and “this is happening to a live customer service.”

Technical Breakdown: How a Cost Explorer Fix Became a 13-Hour Outage

Caption: Diagram illustrating how operator-level permissions flow directly from engineer to agent to production control plane, with no scoped-identity boundary in between.

Here’s how the December incident unfolded, step by step:

1. The Request

An AWS engineer is looking at a small bug in Cost Explorer for the cn-northwest region. They hand it to Kiro the way they’d hand it to a colleague:

check the cost explorer issue in cn-northwest and propose a fix

That’s the whole prompt. No special framing, no permissions caveat. It’s just routine maintenance.

2. The Reasoning

Kiro looks at the environment, finds the misconfiguration, and weighs its options. It could patch the misconfiguration in place, or redeploy specific components, or tear the environment down and rebuild it cleanly from the deployment templates. From a pure correctness standpoint, the last option is the most thorough, since it guarantees no residual state from the broken configuration. That’s the path Kiro picks.

3. The Inheritance

Kiro is running as the engineer. The engineer has operator-level access to the Cost Explorer production environment, including the ability to tear it down, because that’s the kind of operation a human operator might legitimately need during an incident. The control plane has no concept of “Kiro acting on behalf of the engineer.” It only has “an authenticated principal with sufficient permissions making a request.” From its point of view, the engineer is making the call.

4. The Execution

Kiro initiates the deletion, and the request runs in the seconds it takes to send the API call. There is no confirmation prompt the engineer could intercept in that window, no two-person rule waiting on a second approver, and no policy gate watching for the specific shape of “this command would tear down a production service.” The control plane sees a valid API call from an authenticated principal with sufficient permissions, and it processes the call the way it would process any other operator request.

5. The Outage

Cost Explorer in the affected region goes down, and customers across that region lose the ability to view, analyze, or manage their cloud spending. The outage ends up running for thirteen hours, with almost all of that time spent on recovery rather than detection, because the deletion itself completed in the seconds it took to send the API call. Rebuilding the environment from the deployment templates, validating the configuration against the expected state, restoring connectivity to the services Cost Explorer depends on, replaying the state the old environment had built up, and bringing the service back up in front of real traffic is the work that takes the rest of the day.

Internally, the incident enters Amazon’s Correction of Error process, while externally the story stays quiet for two months until the Financial Times breaks it on February 20, 2026. Amazon’s response, issued the same day, frames the cause as “user error, specifically misconfigured access controls,” and announces mandatory peer review for production access in the same breath. That second part is the architectural admission that something more than user error needed to be fixed.

The Impact

Within thirteen hours, AWS had:

• Lost a production service for a regulated region (mainland China) where service continuity matters acutely
• Triggered an internal investigation that produced a post-incident briefing characterizing the failure as part of a “trend of incidents” with “high blast radius”
• Set the conditions for the follow-on incidents in March that cost an estimated 6.3 million orders

The technical fix was simple. Mandatory peer review for production access. The reason it wasn’t in place from the start is the part that matters: nobody had updated the operational model to account for the fact that the entity making the change might be moving at a thousand times the speed of the entity reviewing it.

This is what one autonomous “delete and recreate” decision produces when the agent has the same credentials as the engineer who launched it.

How Docker Sandboxes Eliminates This Attack Vector

Issues 1 and 2 covered the commands you’d type to run an agent in a sandbox. This one is about what sits underneath those commands, because the Kiro incident isn’t really a CLI problem. It’s an architecture problem, and no command-line flag fixes the kind of gap the December outage exposed. What fixes it is the layer the flag sits on top of.

That layer is the microVM. Each sandbox runs inside its own dedicated microVM, with its own kernel, its own filesystem, its own network namespace, and its own Docker daemon. It’s hardware-boundary isolation, the same kind you get from a full VM, but optimized for the way agents actually work: spin up in seconds, throw away when done, no path back to the host. As Docker’s microVM architecture post explains, the bounding box has to come from infrastructure, not from a system prompt. An LLM deciding its own security boundaries is not a security model.

This is the part that matters for the Kiro case. Inside a microVM, the agent isn’t an extension of the engineer’s identity. It’s a distinct process with a distinct view of the world, running on a different kernel, talking to a different Docker daemon, reaching the network through a proxy that the agent cannot see or bypass. The credentials that would let a human operator delete a production environment are not in the agent’s process memory, not in its environment variables, not in any file it can read. They live outside the microVM boundary entirely.

Three architectural decisions that close the Kiro gap

The Docker Sandboxes architecture documentation describes how each layer of the design protects against a specific class of failure. Three of those layers are directly relevant to the December incident.

1. The workspace is mounted at the same path it has on the host, and nothing else is. The sandbox sees the agent’s workspace through a filesystem passthrough at the same absolute path. That’s the only thing it sees. The engineer’s home directory, their cloud configs, their credential files, their SSH keys, all of that lives outside the boundary. If the agent reasoned its way to a “delete and recreate” plan, the deletion would target the workspace, which is reproducible from source anyway. The host stays whole.

2. The Docker daemon lives inside the VM, with no path back. This is the design decision that separates Docker Sandboxes from approaches that look similar on the surface. Mounting the Docker socket from the host gives the agent escape paths. WASM and V8 isolates can’t run a full development environment. A general-purpose VM is too heavy to spin up for a single session. A microVM with its own Docker daemon is the only model that gives the agent a real working environment without any of those compromises. For the Kiro case specifically, it means the agent can investigate the Cost Explorer bug, build container images, run tests against them, and propose a fix, all without ever holding the credentials it would need to execute that fix against the live service.

3. A proxy on the host enforces credentials and network policy. All outbound traffic from the sandbox routes through an HTTP/HTTPS proxy running on the host, outside the VM boundary. This is the layer that directly addresses what went wrong with Kiro. Secrets are stored on the host, scoped to specific services, and injected into outbound requests by the proxy. The agent never sees the values themselves. It also can’t get around the proxy, because the proxy is the only way traffic leaves the microVM at all. If the agent decides to call a destructive control-plane endpoint, the proxy is what stops it, regardless of what the model has reasoned its way to.

Why this matters for the Kiro incident specifically 

Let’s replay the December scenario against this architecture. The engineer launches the agent inside a sandbox. The microVM boots in seconds, the workspace gets mounted, and the agent starts up without any AWS operator credentials in its environment. Those credentials are still on the host, where they belong. From here, the agent investigates the Cost Explorer bug exactly the way Kiro did, reasoning through the same options and quite possibly landing on the same “delete and recreate” plan. Nothing on the inside of the box has changed.

What changes is what happens when the agent tries to act. The deletion call leaves the sandbox through the only path available to it, which is the proxy on the host. The proxy checks the network policy and either authenticates the call with a scoped, read-only credential the engineer set up for investigation work, or it refuses the call because the destination wasn’t on the allowlist. Either way, the December outcome, the thirteen-hour production outage, simply doesn’t happen. The agent’s plan ends up in front of the engineer as a proposal. The engineer reads “delete and recreate,” recognizes that it’s too much for a small bug, and asks the agent to patch in place instead.

This pattern generalizes. The same architecture that would have contained the LovesWorkin filesystem incident in Issue 2 would have contained the Kiro control-plane incident in this one, because both failures share the same root cause: an agent acting with the launching user’s full identity, at machine speed, against systems that have no way of knowing they’re talking to an agent. The microVM makes the agent a distinct actor with its own boundary. The isolated Docker daemon gives that actor a real working environment to operate in. The proxy gives the engineer a place to decide, ahead of time, what that actor can reach. The blast radius of anything the agent reasons its way into is bounded by what the sandbox allows, not by what the engineer who launched it happens to have access to.

The sbx CLI is what exposes all of this to the developer. Here’s what the Cost Explorer investigation would have looked like inside a sandbox, configured the way the December incident needed.

# 1. Store the AWS credential for the sandbox, outside the agent's view.
#    The actual scoping (read-only, Cost Explorer only) is handled
#    at the AWS IAM layer when the credential is created. From sbx's
#    side, the credential is opaque, the agent never sees the value,
#    and the proxy is what injects it into outbound calls.
echo "$AWS_COST_EXPLORER_READONLY_KEY" | sbx secret set -g aws

# 2. Define what the sandbox is allowed to reach on the network.
#    Cost Explorer read endpoints are on the list. Control-plane
#    endpoints that would let an agent tear down a production
#    environment are not.
sbx policy allow network "ce.amazonaws.com,api.anthropic.com"

# 3. Launch the agent inside the sandbox.
sbx run claude

# 4. After the session, review what the proxy allowed and denied.
#    Any attempt the agent made to reach an endpoint outside the
#    allowlist will show up here.
sbx policy log

Step 1 stores the AWS credential outside the agent’s view, with the read-only and Cost-Explorer-only scoping enforced by AWS IAM rather than by sbx. Step 2 defines the network perimeter the proxy will enforce, independent of how broad the credential’s IAM permissions actually are. Step 3 starts the agent inside the microVM with no path back to the host. Step 4 is what makes the whole setup auditable: every call the proxy allowed or denied during the session, including any attempt the agent made to reach destinations off the allowlist, shows up in sbx policy log.

What this gives the engineer, end to end, is a working agent with a known and bounded reach. The agent can investigate, reason, and propose. It cannot execute its way into a region-wide outage.

What This Looks Like in Practice

Stepping back from the Kiro story for a moment, the picture is straightforward. Docker Sandboxes gives an agent a real working environment, scoped credentials, a network boundary, and a path that throws everything away cleanly when the session ends. Compared with the way most engineers run AI coding agents today, the trade-offs look like this:

Security Aspect	Traditional Agentic Setup	Docker Sandboxes
Identity	Engineer’s full credentials	Scoped identity per task
Secret Handling	Loaded into agent context	Proxy-injected, never exposed
Production Access	Inherited from operator role	Explicit allowlist or nothing
Destructive Operations	Execute at machine speed	Reviewable before execution
Audit Trail	Per-engineer, post-hoc	Per-sandbox, real-time sbx policy log
Blast Radius	Whatever the engineer can do	Whatever the sandbox is configured for

The row that matters most for the Kiro story is the second-to-last one. Without a sandbox, a destructive operation runs as fast as the API call leaving the agent’s process. With a sandbox, that same operation has to clear the proxy first, which means it lands in the engineer’s review queue instead of in production.

Best Practices for Secure Agentic Production Work

1. Never give an agent your full production credentials. Create a scoped identity with the minimum permissions the specific task needs. If the agent is investigating a read-only issue, give it read-only access. The Kiro incident is what happens when this rule is skipped.
2. Inject secrets through a proxy, not through environment variables. A secret the agent never sees is a secret the agent cannot accidentally send to the wrong endpoint, leak in a log, or include in a code commit. Proxy injection turns the credential from data the agent holds into a capability the proxy provides.
3. Tag AI-assisted changes as a distinct change category. Track them, require senior review, and apply the two-person rule by default. This is not a slowdown for AI workflows. It is the same review discipline a senior engineer’s pull request would get, applied to an actor that ships at machine speed.
4. Read the policy log. sbx policy log records every connection attempt the proxy allowed or denied during a session. A blocked attempt to reach a destructive endpoint is exactly the signal you would want to see, and it stays buried unless someone looks.
5. Pair adoption metrics with blast-radius metrics. Amazon’s 80% Kiro target was a corporate OKR. The safeguards that should have moved alongside it were tracked nowhere. Pushing usage forward without also pushing safety boundaries forward is what set up the December outage.

Take Action

The path to safe agentic work in production-adjacent environments starts with one shift: stop giving agents the credentials you give your humans.

• Install Docker Sandboxes. The Docker Sandboxes documentation walks through installing sbx and running your first scoped-identity agent.
• Read the security model. The Docker Sandboxes security documentation covers credential handling, isolation layers, network policies, and workspace trust in detail.
• Try the proxy-injected secrets pattern. Running sbx secret set followed by sbx run is the quickest way to see how the threat model shifts when secrets sit outside the agent’s context rather than inside it.

If you’re new to this series, Issue 1 walks through the six categories of AI coding agent failures, and Issue 2 goes deep on the rm -rf ~/ incident on the filesystem layer.

Conclusion

The December Cost Explorer outage and the March outages on Amazon.com are points on the same line. They are what happens when an agent inherits an operator’s credentials, when the safeguards designed for human pace meet a decision-making loop that moves a thousand times faster, and when adoption gets pushed forward without anything pushing the safety boundary forward with it.

Amazon’s response is the part of the story worth holding onto. “User error, specifically misconfigured access controls” is true in the same way that “operator error, not the missing guardrail” was true for every famous industrial accident before guardrails were invented. The misconfigured access controls weren’t a typo. They were the structural decision to scale agentic adoption without scaling the identity model around it. Everything Amazon added afterward, the peer review, the senior sign-off on AI-assisted changes, the 90-day code safety reset, the “controlled friction” Treadwell described, points at the same gap. The agent needed to operate in a smaller box than the engineer it was running on behalf of.

Docker Sandboxes doesn’t try to make the agent more cautious; it changes what the agent can reach. The credentials sit outside the boundary. The destructive endpoints sit off the allowlist. The agent gets a real working environment, but not the production control plane.

Coming up in our series: Issue 4 will explore the GitGuardian sprawl report and the s1ngularity attack, where AI agents weaponized their own context windows to scan developer machines for credentials, and how proxy-injected secrets eliminate the exposure surface

Learn More

• Run agents safely with Docker Sandboxes: Visit the Docker Sandboxes documentation to get started.
• Explore the Docker MCP Catalog: Discover MCP servers that connect your agents to external services through Docker’s security-first architecture.
• Download Docker Desktop: The fastest path to a governed AI agent environment, with Docker Sandboxes, MCP Gateway, and Model Runner in a single install.
• Read the MCP Horror Stories series: Start with issue 1 to understand the protocol-layer security risks that complement the agent-layer risks covered here.

from Docker https://ift.tt/4QiDHTO
via IFTTT

Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model

• Analysis tools do not need AI built in to support agentic workflows; they simply need to expose their data through an external scripting interface. 
• Even traditional graphical user interface (GUI) applications can be made AI-accessible by publishing their internal object models, allowing agents to query and automate analysis without modifying the core application. 
• This approach can often be implemented with surprisingly little engineering effort, leveraging existing scripting technologies and application data structures. 
• By exposing structured data rather than adding predefined AI features, users can extend a tool's capabilities through prompts, turning new analyses into workflows instead of product feature requests. 
• The application becomes both an interactive viewer and a persistent data server, enabling local data to be parsed once and queried repeatedly across multiple agent sessions while keeping analyst-controlled data local.

---

The problem with VB6 binaries 

VB6 binaries are laid out as a complex file format with embedded metadata. Recovering advanced data embeddings means reimplementing VB6s’ internal file format: the VB header, the object table, and the P-code layout. This is a highly specialized task that takes dedicated tools to do accurately, but not every tool exposes an equivalent programmatic library. The technique in this blog shows how AI agents can automate existing tools and reach deep into the result set.

The recipe 

The whole technique comprises three pieces. Any one of them in isolation is interesting, but together they are a new working mode. 

The live model 

vbdec does not keep its parsed model locked behind its GUI. When a binary is loaded and remote scripting is enabled (Help → Options → Enable Remote Scripting), vbdec registers its central CVBProject object and its main form in the Windows Running Object Table (ROT) under the monikers vbdec.vbp and vbdec.frmMain. The ROT is a system-wide directory of live Component Object Model (COM) objects; any process can look an object up by moniker and receive a reference to the running instance. From a script, that is a single line:

Set o = GetObject("vbdec.vbp")

The variable o can now access the entire parsed project: every form, class, module, declared API, P-code body, control, and string, presented as a navigable object graph. The script is driving the disassembler itself. 

Note: For VB6 host applications in particular, this capability can even be forcefully added without source code access.

The contract 

A live model is useless to an agent that does not know its shape. vbdec now includes an AI agent support package that helps bridge this gap. The first is the operator briefing (“_claude_vbdec_ai_instructions.txt”) — a short markdown file that tells the agent what vbdec is, how to bind to the ROT, and how the object model is shaped. The second is the proto folder — 90 auto-generated class definitions covering every public class and form vbdec exposes. The agent treats these as the authoritative reference for member names and types. (The original IntelliSensesupport files were also usable for this task.)

The local agent 

The third piece is the agent. In this blog, Talos used Claude Code, run locally on the workstation. The user opens a terminal, points the AI at the briefing and prototypes, and simply describes what they would like analyzed. Claude Code then runs multiple .vbs files with cscript and explores the data through iterations. There is no preselected AI integration embedded in vbdec, no upload for the analyst’s binary, and no glue to be maintained as a separate codebase. The agent and disassembler share a machine and file system; analysis occurs locally, with only the model inference requests leaving the workstation.  

Whatever capability the agent adds next extends vbdec without any new code in the tool itself, and users are free to select whichever model they prefer.

What the analyst actually does 

Next are a couple examples tested against a P-code version of PDFStreamDumper.

Decompile a function 

The analyst names a function and asks for a source code reconstruction. The agent pulls the P-code, walks the VB-VM opcode stream, maps each construct to its VB6 equivalent, and produces a source level equivalent with inline comments.

Figure 1. Example output (right) compared to the original source function (left).

The reconstruction is not byte-identical, but the control flow is substantially recovered with agent comments added in. It is also interesting to note that the AI went into the subfunctions on its own, determined their purpose, and gave them reasonable names to complete its task decompiling the parent. This is usable reverse-engineering output that a human would spend substantial time producing, now scalable and generated in seconds.

Build a call graph 

The analyst picks a function and asks for its callees as a Graphviz DOT file. The agent walks each CCodeBody.Disasm, picks out the call opcodes (ImpAdCallI2, VCallHresult, LateMemCall, and others) and emits the DOT graph with depth tracking.

Figure 2. Example output for a target in PDFStreamDumper.

Dump every function to SQL 

To test a real automation-heavy use, the agent was next asked to enumerate every function in the binary and dump stats to a SQLite database including address, size, module, instruction count, callees, and external API calls. The agent did this in a single cscript pass over o.CodeObjects, classifying calls with the same rules used in the graph task. For PDFStreamDumper the result is a 600+-row database. Now the database can be explored with simple queries such as:

SELECT display_name FROM functions WHERE api_calls LIKE '%RtlMoveMemory%';

The binary has been transformed from something you must click through into something you can simply query. Whole-program questions that would be impractical by hand become single-line requests.  

The three tasks above — decompile, graph, export — used to be features that a tool vendor would have to design, build, and ship as menu items. They are now prompts a user can add on themselves. The capability surface of the tool has decoupled from the feature list of the tool.

Build an opcode reference database 

The same recipe scales beyond single analyses to producing reference data. In the next example the agent was tasked with building a complete opcode database for the VB6 P-code interpreter (MSVBVM60.dll; 1,165 dispatch slots). Two tools were coordinated. Vbdec was again used over the ROT to search and analyze actual examples of every opcode from a real binary (PDFStreamDumper). The results were then bolstered utilizing the idalib MCP server to read the actual runtime handler functions in VB runtime itself to verify what each opcode does at the dispatch level. 

The results were combined into a SQLite database that includes operand decoding, handler-verified semantics, alias relationships, corpus statistics, and written descriptions for every opcode. Resources such as this could now be fed back into AI agents to produce better P-code decompilation. This corpus of knowledge would be impractical to build by hand, yet was agentically synthesized in a matter of hours.

Figure 3. Opcode database AI created by analyzing disassembly from vbdec and IDA.

Application testing

The same mechanism can also be used to test the outputs of the tool itself. An agent pointed at the briefing and prototypes will exercise the real COM surface against actual data. With COM in particular this means there is no mock, no proxy, and no UI automation layers to debug in between.  

Method signature drift, type regressions, malformed objects, edge-case P-code, missing members are all easily exposed. The proto files and the briefing get tested alongside the API implementation itself.

What this makes possible 

This design pattern generalizes cleanly. Any analysis tool that publishes its internal model to the ROT and ships an operator briefing with prototypes can become a substrate for local agentic automation. The interactive GUI remains available for exploration; the agent handles everything that benefits from being repeatable, exhaustive, or fast. 

The architectural move is the part worth carrying away. The author of an analysis tool that holds structured data behind a UI does not have to predict the analyses their users will want.  

Publish the model, write the briefing, and hand the keys over to the user. Every user wish list idea now collapses into the same answer: Ask the agent. Tedious analysis can be easily automated.  

The local part is valuable as well. Sensitive binaries do not leave the analyst’s machine. There is no API key in the product and there is no service that can be discontinued. The agent is whichever agent the analyst already has. The contract between agent and tool is text files on a file system.

Conclusion 

While analysis tools commonly include internal scripting, exposing the application to external automation is what opens them to AI agents. ROT-published COM objects are well-suited to this because they are language-agnostic, process-agnostic, synchronous, and discoverable. Turning the analysis tool into a data server has additional benefits, such as allowing repeat query sessions without itself having to reload and reparse the data set.  

While the specific design in this paper was COM-based, any IPC communication protocol could be used. COM and IDispatch are particularly useful here because they are inherently scriptable without requiring additional marshaling or synchronization layers.  

Another aspect of this design that is easy to overlook is the utility of having a full GUI for data exploration at the forefront. Data can be explored and verified manually and then scripts written against it for bulk operations. While plugin frameworks have been the traditional solution to automation needs, plugin development is generally quite bulky in practice and often bound to a specific program version.

With this paradigm, the disassembler stops being a place you look at a binary, and becomes a service you ask questions of.

from Cisco Talos Blog https://ift.tt/qpE96X0
via IFTTT

Orphaned AI Agents: How to Find Hidden Access Risks Inside Your Network

If an autonomous AI agent interacts with your company's core intellectual property today, can your security team instantly name the person who authorized it?

For most enterprises, the answer is a simple no.

The rush to adopt internal AI tools has left a massive trail of administrative debt: orphaned agents (AI tools left running after their creator leaves the company) and standing privileges (AI that retains permanent, unrestricted access it no longer needs).

When an employee moves on, the automated tools they built stay active—often keeping unmonitored access to sensitive databases and source code long after the human’s credentials are revoked.

To help security teams bridge this line of accountability, The Hacker News is hosting a technical briefing. Secure your spot today for the live webinar: Orphaned Agents & Standing Privileges: The Hidden Access Risks of Internal AI.

Traditional access tools treat AI like standard software. But AI does not stay static; it continuously pulls, shifts, and interacts with data on its own.

A standard security filter sees an AI tool pull an entire repository and assumes the application is just doing its job. It cannot see that the employee who originally spun up that tool left the company last week. The system cannot judge whether the action is malicious because it doesn't know whose identity the agent is borrowing.

Trying to secure an AI tool by itself does not work. Finding these hidden scripts is only half the problem; you still have to map them back to a living owner. Register now to look at the plumbing required to unify human, machine, and AI identities under one control plane.

What the Session Covers

This technical deep dive skips the AI marketing hype to focus on practical architecture:

• The identity gap: Why securing an AI tool in isolation fails if you do not know whose credentials it is running on.
• Finding Shadow AI: A step-by-step walkthrough to track down undocumented tools active on your network right now.
• Deployment reality: How to get immediate visibility into enterprise AI use without adding network infrastructure bottlenecks.

The developer who built the automation may have left months ago, but the access token hasn’t. Join SailPoint and The Hacker News to learn how to revoke access before an attacker uses it for you.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/CujVaFH
via IFTTT

The Scripts on Your Checkout Page Are Now a PCI DSS Problem

An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here →

When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of them can be turned into a skimmer.

This is how Magecart works. Sansec has counted more than 100,000 sites hit by web skimming and supply-chain attacks. The 2018 British Airways breach alone exposed 380,000 transactions and a fine that started at £183 million.

The dangerous part: the malicious code usually arrives through a script you already approved. Attackers compromise a third-party vendor, and the payload rides in on a script you have run for months. Nothing looks new. What changed is the script's behavior, not its presence on the page.

PCI DSS v4.0.1 closes that gap with two requirements, now fully in force. 6.4.3 says to inventory every payment-page script, authorize it, and prove its integrity. 11.6.1 says to detect tampering with page content and HTTP headers as the browser receives them. Done by hand, across hundreds of scripts that change constantly, this does not scale. Reflectiz data shows roughly 30% of payment-page scripts change within any two-week window.

What the QSA Found

Integrity360 Europe, a PCI Qualified Security Assessor and member of the PCI SSC Global Executive Assessor Roundtable, reviewed the Reflectiz PCI DSS Platform against both requirements and found it can effectively support compliance. Three things stood out:

• It watches behavior, not just file hashes. A hash check misses a silent vendor-side swap. Reflectiz catches the script the moment it starts reaching for card data.
• It deploys agentless. No code changes, no snippets, live in days, and it keeps working through refactors and CMS migrations.
• It produces QSA-ready evidence in one click. Full audit trail per page, ready for assessment.

The SAQ A Catch

Since January 2025, merchants can drop 6.4.3 and 11.6.1 from SAQ A only if they confirm their site is not susceptible to script attacks. Full redirect to your processor? You are likely fine. Embed a payment iframe? A script on the parent page can still hijack the checkout before data reaches the secure frame, and you have to prove it cannot. PCI SSC FAQ #1588 points straight back to these same controls.

Get the Full Assessment

The complete Integrity360 Europe white paper breaks down both requirements line by line, the monitoring workflow, and exactly what SAQ A now demands of iframe merchants.

Download the white paper →

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/v9FHsZh
via IFTTT

Crypto Clipper uses Tor and worm-like propagation for persistence and control

1. Attack chain overview
2. Mitigation and protection guidance
3. References 
4. Learn more

Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based cryptocurrency clipper that has affected users since February of 2026. Clipper malware relies on stealing clipboard data and parsing it for valuable assets.

The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server. It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.

The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure. Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.

For defenders, the strongest signals are behavioral: script interpreters spawning suspicious child processes, localhost:9050 proxy usage, screen-capture commands in PowerShell, and signs of clipboard inspection or crypto-address replacement.

Microsoft Defender for Endpoint detects multiple components of this threat such as Suspicious JavaScript process and Possible data exfiltration using Curl. Additionally, Microsoft Defender Antivirus detects this crypto clipper as Trojan: Win32/CryptoBandits.A.

Attack chain overview

Since February 2026, malicious shortcut (.lnk) payloads have infected devices with a cryptocurrency clipper. This malware comprises two components that it deploys on the compromised system: a worm component that ensures propagation and a clipper/stealer component that harvests and exfiltrates cryptocurrency wallet information.  

The worm functionality ensures propagation by creating additional malicious shortcuts of legitimate files it identifies on the device. It also delivers file-based payloads and excludes them from Defender scanning. It deploys scheduled tasks for execution and persistence for both the worm component and the stealer component.  Figure 1 presents a high-level execution flow of the two components.

The clipper runs as a script-based payload that interacts with the operating system through WScript and ActiveXObject. It includes an anti-analysis check that queries running processes and exits if Task Manager is detected. If the environment passes this gate, the malware launches a renamed Tor binary named ugate.exe in a hidden window, waits about 60 seconds for Tor to bootstrap, generates a victim GUID, and registers the infected device with a hidden-service C2.

After registration, the malware enters a continuous loop. It polls the C2 for instructions and monitors the clipboard roughly every 500 milliseconds, extracting seed phrases and private keys that match wallet-related patterns. It also hijacks cryptocurrency addresses by replacing copied wallet values with attacker-controlled alternatives and uploads screenshots through Tor. If the C2 returns an EVAL response, the malware executes attacker-supplied code at runtime.

Figure 1: High level execution flow.

Behaviors and methodologies

Initial access

Initial access occurs from malicious .lnk files. In instances we analyzed, these .lnk shortcuts were distributed on USB storage devices. The .lnk shortcut stages a worm component in the form of an executable. The malicious script checks for an existing malicious payload and stops if the device is already infected. If the payload is not present, the malware fetches the payload from the C2 through Tor. The Figure below illustrates the functions that stage and decrypt the initial payload.

Figure 2: Initial payload delivery.

The .lnk payload scans the USB device for common document files like .doc, .xlsx, .pdf, hides the original files, and creates additional .lnk shortcut files with the same file names. The shortcut files are crafted with arguments to link to the worm payload. The end user is not aware that they are launching an executable when opening the .lnk files.

Figure 3: Worm staged via additional shortcuts.

Execution

Once a user clicks on one of the shortcuts, the staged worm payload runs. It excludes staging folders and Windows binaries used in the execution of the stealer component. The malware then drops decrypted payloads, including two malicious JavaScript files, into the subfolder under the “C:\Users\Public\Documents” folder.

A five-character naming convention is used both for the subfolder and the scripts’ names.

The figure below illustrates an instance with files dropped under a ” C:\Users\Public\Documents\omoho” folder path:

Figure 4: JavaScript payload delivered following a Defender AV exclusion.

The worm component also establishes persistence by creating two indefinite scheduled tasks: one responsible for spreading itself to a freshly inserted uncompromised USB storage device, and another for the stealer activity.

Defense evasion

The malware employs multi-layered obfuscation, with all components encrypted and only decrypted at runtime. Installation is handled by a Python script that is itself obfuscated using PyArmor and packaged into a standalone executable via PyInstaller. In addition, the two JavaScript payloads are each protected with dual-layer obfuscation, further increasing analysis complexity. This design significantly reduces static visibility while maintaining flexible runtime behavior.

The sample also incorporates a basic anti-analysis check by querying the Win32_Process WMI class and terminating execution if Task Manager is detected. Although simplistic, this mechanism can hinder manual inspection and slow initial triage efforts.

The bundled Tor client is central to the operation. By routing communication over localhost:9050 and resolving “.onion” destination domains inside Tor, the malware reduces DNS visibility, obscures the final C2 destination, and complicates destination-based blocking. This design gives the operator anonymity benefits while keeping the malware compact and self-contained.

Command and control

The command and control over a Tor-routed domain routes network traffic through local IP address 127.0.0.1 on port 9050. The tunneled domain appears in the initiating process command line. The C2 domains use the following endpoints and actions across different execution stages.

• C2 Domain: <domain>.onion
• Endpoints:
  • /route.php : Beacon and command retrieval
  • /recvf.php : File upload (screenshots)
  • /stub.php: Payload download
• Communication:
  • Protocol: HTTP over Tor (SOCKS5 proxy at localhost:9050)
  • Method: curl with POST requests
  • Authentication: GUID + GEIP (geolocation)
• Actions Sent to C2:
  • GUID : Heartbeat beacon
  • SEED : Exfiltrated seed phrase
  • PKEY : Exfiltrated private key
  • REPL : Address replacement notification
  • GOOD : (legacy/fallback action)
• Commands from C2:
  • GUID : Acknowledge/refresh victim GUID
  • EVAL : Execute arbitrary JScript code (remote code execution)

Figure 5: C2 endpoints specifications.

A file named “cfile” is created on the infected system as an output for payload hosted on the C2 domain.

The malware sample we analyzed also provided a function called checkC2Command. The function has an EVAL method, which would allow any payload placed in the cfile to be executed on the victim’s system.

Figure 6: cfile download from a C2 domain.

Figure 7: CheckC2Command function.

Collection

Seed

Clipboard theft focuses on high-value financial artifacts. The malware detects 12 or 24-word BIP39 seed phrases in clipboard data. It saves the seed to local file (GOOD path) as a backup and exfiltrates it to the C2 domain via Tor. It retries network transmission until it is acknowledged and deletes local backup after successful transmission. It also takes five screenshots (ten seconds apart) and uploads them asynchronously. The screenshots help the threat actor gain additional context on the end user’s wallet and balances.

Private Key extraction

The crypto clipper also detects cryptocurrency keys for both Ethereum and Bitcoin WIF. Once the captured keys are saved and exfiltrated, the malware captures screenshots of the user’s screen for a full context. The captured values are validated against a word list.

Address replacement

The stealer also probes for cryptocurrency addresses and replaces them with attacker’s addresses. The malware checks that the address has alphanumeric values.

• For a Bitcoin legacy address which starts with “1” and has a length of 32-36 values, the address is replaced with an address that matches the first two characters.

• For a Bitcoin P2SH address which starts with a “3” and has a length of 32-36 values, the stealer replaces the address with one matching the original address on the first two characters.

• For a Bitcoin taproot address which starts with “bc1p” and has a length of 40-64 characters, the stealer replaces it with one matching the last character.

• For a Bitcoin Bech32 address which starts with “bc1q” and has a length of 40-64 characters, the stealer replaces only the last character.

• For a Tron address which starts with “T” and has exactly 34 characters, the stealer replaces the address with one that matches the first two characters.
• For a Monero address which starts with a “4” or a “8” and has exactly 95 characters, the stealer replaces the address with a single address.

The following shows an example of address replacement:

Figure 8: Function used to replace a BTC P2SH wallet address.

This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking. The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices.

Organizations should focus on hardening script execution paths, monitoring local SOCKS proxy abuse, and using behavioral hunting to connect script activity with network, clipboard, and process signals. That combination offers the best chance of surfacing this class of threat before financial loss or broader follow-on activity occurs.

Mitigation and protection guidance

Defenders should prioritize behavioral detections over static signatures. Investigate systems where WScript, CScript, or related script engines launch curl, cmd.exe, PowerShell, or unexpected executables. localhost:9050 network activity, especially when coupled with suspicious scripting behavior, is also valuable context for triage.

Where operationally feasible, reduce abuse of script-based interpreters and review Attack Surface Reduction rules that block obfuscated scripts and suspicious child-process chains. Review detections for PowerShell-based screen capture and examine devices for indicators of clipboard inspection or wallet-address replacement.

Recommended actions

• Disable AutoRun/AutoPlay for all removable media
• Block .lnk execution from removable drives via GPO
• Restrict unnecessary use of wscript.exe, cscript.exe, and similar script hosts where possible.
• Review and enable relevant Attack Surface Reduction rules, especially those focused on obfuscated script execution and suspicious child-process behavior.
• Investigate script-to-network chains involving curl, PowerShell, or cmd.exe.
• Hunt for local SOCKS5 proxy activity on localhost:9050.
• Review clipboard-related and screen-capture behaviors on devices handling sensitive financial workflows.

Microsoft Defender XDR detections

Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

Tactic	Observed activity	Microsoft Defender coverage
Initial Access/Execution	Malicious .lnk delivers malware components	EDR Suspicious behavior by cmd.exe was observedSuspicious Python library load
Execution	WScript / ActiveXObject execution and runtime tasking	EDR Suspicious JavaScript processSuspicious Python library loadSuspicious behavior by cmd.exe was observed   AV Contebrew malware was prevented Behavior:Win64/PyPowJs.STA
Discovery	Task Manager check used as an anti-analysis gate
Persistence	Scheduled tasks are created to run the JavaScript payload wrapped in a XML file.	EDR Suspicious Task Scheduler activity
Defense Evasion	Shuffled strings and decoder functions conceal commands and APIs  Task Manager if detected, the malware execution is halted	Behavior:Win64/ProcessExclusion.ST; Behavior:Win64/PathExclusion.STA Behavior:Win64/PathExclusion.STB
Collection	Clipboard theft targets seed phrases, keys, and wallet addresses   PowerShell screenshot capture supports operational visibility	AV: Trojan:Win32/CryptoBandits.A Trojan:Win32/CryptoBandits.B Trojan:JS/CryptoBandits.A Trojan:JS/CryptoBandits.B
Command and Control	Traffic routed through Tor via local SOCKS5 proxying	EDR Possible data exfiltration using curlBehavior:Win64/CurlOnion.STA
Exfiltration	Data posted using Curl through Tor via local SOCKS5 proxying	EDR Possible data exfiltration using curl

Microsoft Security Copilot  

Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:  

• Incident investigation  
• Microsoft User analysis  
• Threat actor profile  
• Threat Intelligence 360 report based on MDTI article  
• Vulnerability impact assessment  

Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.  

Threat intelligence reports

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

Advanced hunting

Microsoft Defender customers can run the following queries to find related activity in their networks:

Execution launched from scheduled tasks

DeviceProcessEvents
| where FileName =="schtasks.exe"
| where ProcessCommandLine matches regex
@"(?i)schtasks\s+/create\s+/tn\s+[a-z]{4,6}\s+/xml\s+C:\\Users\\Public\\Documents\\[a-z]{4,6}\\[a-z]{4,6}\.xml\s+/f"

Local Tor proxy activity (localhost:9050)

DeviceNetworkEvents
| where ActionType =="ConnectionSuccess"
| where InitiatingProcessCommandLine has_all ("curl","socks5-hostname",".onion")

Tor-routed curl execution

DeviceProcessEvents
| where FileName =~ "curl.exe"
| where ProcessCommandLine has_all ("--socks5-hostname", "localhost:9050")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine

MITRE ATT&CK Techniques observed

This threat has exhibited use of the following attack techniques. For standard industry documentation about these techniques, refer to the MITRE ATT&CK framework.

Initial Access

• T1091 Replication Through Removable Media

Execution

• T1059 Command and Scripting Interpreter | EVAL-driven remote code execution from server tasking

Discovery

• T1057 Process Discovery | Task Manager check used as an anti-analysis gate

Persistence

• T1053.005 Scheduled Task/Job | Scheduled Task

Defense evasion

• T1027 | Shuffled strings and decoder functions conceal commands and APIs

Collection

• T1115 Clipboard Data | Clipboard theft targets seed phrases, keys, and wallet addresses
• T1113 Screen Capture | PowerShell screenshot capture supports operational visibility

Command and Control

• T1090 Proxy | Traffic routed through Tor via local SOCKS5 proxying

Exfiltration

• T1048.002 Exfiltration Over Alternative Protocol

Indicators of compromise (IOC)

Indicator	Type	Description
7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c	SHA-256	Crypto Clipper Worm
a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630	SHA-256	Crypto Clipper Worm
23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43	SHA-256	Crypto Clipper Worm
cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30	SHA-256	Crypto Clipper Worm
100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8	SHA-256	Crypto Clipper Worm
d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f	SHA-256	Crypto Clipper Worm
9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96	SHA-256	Crypto Clipper Worm
67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5	SHA-256	Crypto Clipper Worm
0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a	SHA-256	Crypto Clipper Worm
35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd	SHA-256	Crypto Clipper Worm
c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502	SHA-256	Crypto Clipper Worm
d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba	SHA-256	Crypto Clipper Worm
b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f	SHA-256	Crypto Clipper Worm
7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05	SHA-256	Crypto Clipper Worm
f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0	SHA-256	Crypto Clipper Worm
20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1	SHA-256	Crypto Clipper Worm
ugate.exe	Filename	Portable Tor binary
cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion	Domain	C2 domain
gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion	Domain	C2 domain
he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion	Domain	C2 domain
lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion	Domain	C2 domain
j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion	Domain	C2 domain
shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion	Domain	C2 domain
7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion	Domain	C2 domain
facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion	Domain	C2 domain
wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion	Domain	C2 domain
ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion	Domain	C2 domain

References 

• https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/#clipping-and-switching. Microsoft (published 2022-05-17)
• https://gbhackers.com/ssh-over-tor-tunnel/. Ghbhackers(published 2026-04-28)

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

• Explore how to build and customize agents with Copilot Studio Agent Builder 
• Microsoft 365 Copilot AI security documentation 
• How Microsoft discovers and mitigates evolving attacks against AI guardrails 
• Learn more about securing Copilot Studio agents with Microsoft Defender  
• Evaluate your AI readiness with our latest Zero Trust for AI workshop.
• Learn more about Protect your agents in real-time during runtime (Preview)

The post Crypto Clipper uses Tor and worm-like propagation for persistence and control appeared first on Microsoft Security Blog.

from Microsoft Security Blog https://ift.tt/Gq96jTD
via IFTTT