The Headline That Actually Matters: AI Is Now Testing Your Defenses

An unknown threat actor was caught using Cursor and Anthropic Claude Opus to automate Active Directory discovery and systematically test EDR evasion techniques. The result? A Python framework that generates Go and Rust payloads across nearly 80 modules covering 70+ techniques — all engineered to slip past sandboxes, antivirus, and endpoint detection.
Sophos, who analyzed the activity, noted something important: AI wasn’t writing the malware. It was coordinating the workflow and running structured engineering test cycles with human review in the loop. Think of it less as “AI hacker” and more as “AI QA engineer for ransomware.”
The C2 mechanism? A Telegram bot. Naturally.
“The use of AI agents to accelerate tool development and test evasion techniques lowers the barrier to entry for sophisticated red team-style attacks.” — Sophos
The framework is linked to known ransomware deployment and data theft operations. This isn’t a proof-of-concept. It’s production.
Fake Image Tools Are the New Phishing Bait

A new ClickFix variant called BackgroundFix is dressing up as free background-removal tools. The sites look completely legitimate — upload buttons, progress bars, download prompts. All fake. What you actually get is CastleLoader, which drops both NetSupport RAT and a custom .NET stealer called CastleStealer.
Huntress attributed the activity to a threat cluster called GrayBravo. The campaign is a clean example of how social engineering has evolved: instead of suspicious email attachments, attackers now build convincing SaaS-looking frontends that do nothing except deliver malware.
If a free tool asks you to run something to “complete your download,” close the tab.
JavaScript Backdoors Hitting Energy and Finance
Intrinsec flagged multiple malspam campaigns distributing a JavaScript-coded backdoor targeting energy and finance ministries, including organizations in the CIS region. The campaigns, observed in March 2026, are assessed to be financially motivated — aimed at email account compromise (EAC) and business email compromise (BEC).
JS-based backdoors are particularly slippery. They blend into environments where JavaScript execution is expected, making detection harder without behavioral analysis. The targeting of ministries suggests this isn’t opportunistic noise — it’s deliberate.
The Supply Chain Keeps Leaking
This week’s supply chain roundup is exhausting in the best possible way.
OpenAI Codex authentication tokens were stolen via a malicious npm package called codexui-android. A separate npm package stole files directly from the Claude AI user directory via GitHub. The Red Ha actor compromised Red Hat npm packages with a credential-stealing worm. And the GlassWorm malware infrastructure was taken down, disrupting that developer supply chain attack.
RubyGems responded with something actually useful: a cooldown filter in Bundler 4.0.13 that refuses to resolve package versions until they’ve been public for a minimum number of days. Opt-in, non-breaking, and genuinely clever. It won’t stop everything, but it adds friction where friction is needed.
Steam Profiles Are Now Malware Infrastructure
GoDaddy researchers identified malware using Steam Community profile comments to host encoded payloads targeting WordPress sites. The technique uses invisible Unicode characters to hide malicious URLs inside comments — steganography in plain sight on a platform with a trusted reputation and high uptime.
The malware does two things: injects client-side JavaScript into WordPress pages by fetching decoded URLs from Steam profiles, and installs a cookie-authenticated server-side backdoor for remote PHP file modification.
Approximately 1,980 WordPress sites have been detected with this infection. Initial access vectors likely include stolen credentials, vulnerable plugins, or supply chain compromise. The campaign has been active since July 2025.
Valve’s platform as dead-drop infrastructure is a genuinely novel abuse vector. Expect imitation.
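A defender-side check for the hiding technique described above, as an added example that is not from the GoDaddy research or this post: it flags long runs of invisible Unicode code points in text such as comments, database fields or PHP/JS files. The character set, the `min_run` threshold and both sample strings are assumptions constructed for illustration; the campaign's actual encoding is not reproduced.

```python
import unicodedata

# Code points that render as nothing but are not in category Cf (format).
# Assumption: this extra set is a defender's choice, not taken from the report.
EXTRA_INVISIBLE = {0x034F, 0x115F, 0x1160, 0x3164, 0xFFA0}


def is_invisible(ch):
    """True for format characters, blank fillers and variation selectors."""
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or cp in EXTRA_INVISIBLE
            or 0xFE00 <= cp <= 0xFE0F
            or 0xE0100 <= cp <= 0xE01EF)


def find_invisible_runs(text, min_run=8):
    """Report each run of at least min_run consecutive invisible characters.

    Single joiners are normal in emoji sequences and in Persian or Arabic
    text, so only long runs are reported.
    """
    runs, start = [], None
    for i, ch in enumerate(text + "\n"):  # newline sentinel closes a final run
        if is_invisible(ch):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                alphabet = sorted({f"U+{ord(c):04X}" for c in text[start:i]})
                runs.append({"offset": start, "length": i - start,
                             "alphabet": alphabet})
            start = None
    return runs


# Constructed samples: the hidden run below is a meaningless repeating pattern.
SUSPECT_COMMENT = "+rep fast trade" + "\u200b\u200c" * 20 + " thanks"
BENIGN_COMMENT = "\ufeffمی\u200cخواهم 👨\u200d👩\u200d👧 ok"

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_COMMENT), ("benign", BENIGN_COMMENT)):
        print(label, find_invisible_runs(sample))
```

A small `alphabet` (two to four distinct code points) over a long run is the pattern worth triaging, since it is consistent with data encoded in invisible characters rather than normal text shaping.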
Nation-State Groups Are Blending Into Your Cloud Traffic
APT29, APT33, and UTA0355 have been caught using ROADtools — a legitimate Python-based red-team framework — to conduct cloud intrusions while mimicking normal Microsoft API traffic. Palo Alto Networks Unit 42 noted that attackers can configure user-agent strings to further blend in, making detection without behavioral baselines nearly impossible.
The lesson isn’t “ROADtools is dangerous.” The lesson is that nation-state actors are increasingly choosing legitimacy as a camouflage strategy. If your detection relies on known-bad signatures, you’re already behind.
Cisco, Linux, and the Patch Queue That Never Ends
Cisco patched a high-severity SSRF flaw in Unified Communications Manager (CVE-2026-20230, CVSS 8.6). Proof-of-concept code is already public. No active exploitation confirmed yet — but that window closes fast.
CISA added a Linux Kernel privilege escalation flaw (CVE-2022-0492, CVSS 7.8) to its Known Exploited Vulnerabilities catalog, with a remediation deadline of June 5, 2026. Kaspersky observed it being exploited alongside two other container escape CVEs. If you’re running containerized workloads and haven’t patched this, you’re overdue.
Data Extortion Without Ransomware Is Accelerating
Unit 42 flagged a rising trend: pure data exfiltration attacks that skip ransomware entirely. No encryption, no ransom note — just quiet theft and leverage. In 2025, targeting of construction firms rose 44% year over year, driven by valuable bidding data and financial blueprints.
Healthcare and professional services remain primary targets. The shift makes sense from an attacker’s perspective: ransomware triggers incident response and law enforcement attention. Data theft is quieter, harder to detect, and still highly monetizable.
Quick Hits Worth Knowing
- Russia’s FSB disclosed a large-scale mobile spyware operation targeting high-ranking officials, allegedly leveraging capabilities of major international IT corporations. No attribution made public. Investigation ongoing.
- U.S. Treasury sanctioned Nobitex, Iran’s largest crypto exchange, along with three others — Wallex, Bitpin, and Ramzinex — for facilitating IRGC-linked ransomware payments and sanctions evasion. The four exchanges collectively processed ~$7.7 billion, or 78% of Iran’s 2025 attributed crypto volume.
- DriveSurge, a pay-per-install malware distribution cluster, has compromised thousands of websites using ClickFix and FakeUpdates lures routed through a traffic distribution system called ZTDS — active since at least 2015, still very much operational.
- FalkonC2, a commercial hacking framework, rotates its C2 every 72 hours, runs in memory, and specifically hunts for QuickBooks and Sage50 accounting data. Active infections detected across the U.S., Australia, Netherlands, and Poland.
- Google made Device Bound Session Credentials (DBSC) generally available for Workspace users, binding session cookies to authenticated devices. A meaningful step against session hijacking malware.
- Adobe infrastructure is being abused in LinkedIn phishing campaigns that capture credentials and redirect victims to the real LinkedIn site — using Adobe Target as a redirect layer to avoid detection.
- ESET identified three Iran-aligned threat clusters — Rusty Boots, MoKhargosh, and MOON Badr — targeting Israeli organizations between October 2025 and March 2026, deploying bootkits, wipers, and espionage backdoors.
- CISA warned about attacks on internet-exposed automatic tank gauge systems at fuel facilities, exploiting hard-coded credentials and SQL injection to gain full administrator access.
The Bigger Picture
Anthropic’s Project Glasswing expansion — now covering 150 organizations across 15 countries — signals something the industry is quietly grappling with: AI is surfacing vulnerabilities faster than teams can patch them. The Cloud Security Alliance, SANS, and OWASP put it plainly: organizations are “likely to be overwhelmed” as the time between disclosure and weaponization compresses toward zero.
The XSS forum takedown from July 2025 didn’t kill the cybercrime underground. It fragmented it into smaller, harder-to-track communities — some potentially law enforcement honeypots, others run by former moderators with grudges and better operational security.
Same mess. New wrapper. The tape is holding — barely.
Stay sharp. Patch fast. And maybe don’t use that free background-removal tool.