SANS ISC documented fresh AutoIt3-compiled droppers that embed payloads with FileInstall, write obfuscated bytes to %TEMP%, allocate RWX memory with VirtualAlloc, then execute shellcode via CallWindowProc. The samples include commodity payloads (e.g., Quasar RAT, Phantom stealer). DFIR teams should assume more of these will show up in email/download chains and prepare hunts and triage checklists now (SANS ISC diary). (isc.sans.edu)

Intrusion Flow

• Delivery: compiled AutoIt3 PE executable. AutoIt’s compiler bundles the tokenized script and any files added via FileInstall into the binary, enabling single-file distribution (AutoIt compiler docs). (autoitscript.com)
• Drop/Stage: the script calls FileInstall to extract embedded files at runtime; in the analyzed sample, it wrote artifacts like “inhumation” and “buncal” into %TEMP% (FileInstall reference; SANS ISC diary). (autoitscript.com)
• Decode: simple string arithmetic deobfuscates API names and payload bytes (e.g., shift by −1 per character), yielding resolved imports such as kernel32/user32 and shellcode buffers (SANS ISC diary). (isc.sans.edu)
• Load: the script allocates memory with VirtualAlloc using MEM_COMMIT | MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40), then copies the shellcode into the buffer (VirtualAlloc documentation). (learn.microsoft.com)
• Execute: CallWindowProc is invoked with a pointer into the shellcode, executing on the current GUI thread without creating a new thread-behavior that can blend in with benign GUI activity (CallWindowProc documentation; prior SANS note on this technique). (learn.microsoft.com)

Key Artifacts to Pull

• Disk
  • %TEMP% artifacts named by the script (e.g., embedded files like “inhumation”, “buncal”) and the original AutoIt3-compiled loader executable. Parse MFT/USN timestamps and look for same-second write/execute patterns (SANS ISC diary). (isc.sans.edu)
  • Prefetch for the loader EXE to confirm first/last run, run count, and child DLLs. PECmd supports all modern Prefetch formats (PECmd). (github.com)
  • Program execution artifacts: Amcache.hve commonly records executed PE metadata including path and SHA-1; use it to corroborate execution of the loader (Amcache background and path). (cybertriage.com)
• Memory
  • Dump live memory if possible. Look for RWX regions and injected code; Volatility’s malfind helps surface suspicious VADs with PAGE_EXECUTE permissions (Volatility malfind). (github.com)
• Logs/Telem
  • Sysmon Event ID 1 (process creation) for the loader and its child processes; Event ID 11 (FileCreate) for new files in %TEMP%. Enable network (ID 3) if applicable. Confirm Sysmon schema and event semantics in Microsoft’s reference (Sysmon docs). (learn.microsoft.com)

Detection Notes

• Static triage
  • AutoIt compiled loaders can often be identified by tooling and YARA. Community YARA rules flag AutoIt-compiled PEs; the ecosystem reports broad sightings of such rules in the wild (MalwareBazaar YARA: AutoIT_Compiled). (bazaar.abuse.ch)
  • Indicators in extracted content: look for tokens/FileInstall references, kernel32/user32 API usage via DllCall, and strings like VirtualAlloc/CallWindowProc after deobfuscation. Extraction/decompilation helpers exist, e.g., AutoIt-Ripper and myAut2Exe (use in a lab VM) (AutoIt-Ripper; myAut2Exe). (github.com)
• Behavior hunts (host)
  • Group signals: short-lived loader that (a) creates extensionless temp files, (b) immediately reads them, (c) spawns no obvious child interpreters, and (d) exhibits GUI-thread API usage. Correlate Sysmon ID 1 + 11 with the loader image path and %TEMP% targets (Sysmon docs). (learn.microsoft.com)
• Behavioral rationale
  • CallWindowProc is a legitimate GUI API that can invoke an arbitrary function pointer; adversaries use it to execute payloads without CreateThread, which can sidestep common thread-creation detections (CallWindowProc; SANS technique overview). (learn.microsoft.com)

Response Guidance

• Triage and containment
  • If the loader executed, isolate the endpoint, capture memory, and acquire a full disk image or triage package including %TEMP%, user profile AppData, Prefetch, Amcache.hve, and relevant Event Logs/Sysmon. Prioritize memory due to ephemeral RWX buffers (Volatility malfind). (github.com)
• Analysis workflow
  1. Identify the loader: check signature and entropy; run Detect-It-Easy or similar to fingerprint the packer/interpreter; scan with AutoIt-specific YARA (Detect-It-Easy project page; YARA AutoIT_Compiled). (github.com)
  2. Extract embedded resources: attempt AutoIt-Ripper/myAut2Exe; search for AU3 headers and exported resources; validate any decoded shellcode buffers before execution in a sandbox (AutoIt-Ripper; myAut2Exe). (github.com)
  3. Confirm behavior/lateral artifacts: correlate FileCreate in %TEMP% and subsequent memory execution; if payload families are indicated (e.g., Quasar/Phantom), pivot to family-specific hunts (SANS ISC diary discussion of payloads). (isc.sans.edu)
• Hardening and prevention
  • Application control: allow-list legitimate AutoIt use; block unsigned AutoIt-compiled executables from user-writeable paths. Preferably, distribute approved .a3x/.exe only via trusted software channels (AutoIt compiler behavior and formats). (autoitscript.com)
  • Telemetry: ensure Sysmon/EDR capture of process, file, and network activity; many detections for shellcode allocation hinge on correlating VirtualAlloc + immediate RWX execution with unusual temp-file stages (Sysmon overview; VirtualAlloc documentation). (learn.microsoft.com)

Takeaways

• Treat AutoIt3-compiled PEs that write to %TEMP% and then allocate RWX memory as high-priority investigations. Hunt for FileInstall use, temp-file stages, VirtualAlloc with RWX, and CallWindowProc execution. Instrument Sysmon, build YARA for AutoIt loaders, and keep an extraction/deobfuscation toolchain ready (SANS ISC diary; VirtualAlloc; CallWindowProc; AutoIt FileInstall). (isc.sans.edu)

Koi and Malwarebytes disclosed a long-running extension operation (“ShadyPanda”) where multiple Chrome/Edge add-ons accumulated trust for years and then flipped to spyware/RCE via hourly command tasks. The operators reached ~4.3M installs across phases; one cluster polls api.extensionplay[.]com hourly to fetch and execute arbitrary JavaScript, and another (e.g., WeTab) streams browsing data in real time. Google removed affected Chrome Web Store items; at disclosure time some Microsoft Edge Add-ons remained available. Treat this as a browser-level backdoor that bypasses traditional endpoint controls and exposes SaaS sessions and cookies. (Koi, Malwarebytes, BleepingComputer, SecurityWeek, The Register).

Google published the Android Security Bulletin for December 2025 with patch levels 2025-12-01 and 2025-12-05. The most severe issue is a critical Framework vulnerability that enables remote denial of service; Google also notes two CVEs under limited, targeted exploitation. Source code patches land in AOSP within 48 hours of publication, then vendors integrate and ship updates. Verify exposure by checking each device’s reported patch level. (Android bulletin, Dec 1, 2025; Google Support: check patch level)

CISA has added CVE-2021-26829-a stored cross-site scripting flaw in OpenPLC ScadaBR’s system_settings.shtm-to the Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of December 19, 2025 (date added November 28, 2025) (NVD record with KEV metadata). The bug affects ScadaBR through 1.12.4 on Windows and through 0.9.1 on Linux (NVD). Forescout’s honeypot reporting shows hacktivists moving from initial access to disruptive actions in roughly a day, including use of default credentials and UI defacement via this XSS vector (Forescout Vedere Labs; The Hacker News summary, Nov 30, 2025). ScadaBR deployments often run on Apache Tomcat; Tomcat access logs default under $CATALINA_BASE/logs and can be configured with the AccessLogValve (Tomcat 8.5 docs).

Help Net Security’s November 28 roundup highlighted two releases we should operationalize in IR: Action1’s Intune-integrated third-party patching with risk-based prioritization, and Synack’s agentic AI “Sara Pentest.” Used together, they tighten mean time to remediate across Windows/macOS/Linux and turn pentest output into triage signals you can act on during containment and eradication (Help Net Security, Nov 28, 2025).

Intrusion Flow

Unpatched third-party applications remain one of the most common footholds; CISA’s KEV catalog is the authoritative list of CVEs actively exploited in the wild and should drive emergency patching during an incident (CISA KEV overview). Typical flow we see:

Holiday IR Playbook: Web Skimming and Credential-Stuffing at Retail Scale

Retailers see elevated risk during Black Friday and Cyber Monday, with advisories emphasizing exposure management (fix misconfigurations, enforce MFA, patch web apps and infrastructure) and pre-staging detections for web skimming and credential-stuffing to shorten time-to-containment. (cybersecasia.net)

Intrusion Flow

• Client-side web skimming (Magecart-style)

  • Initial access: exploit public-facing apps/CMS, stolen admin creds, or supply-chain injection to place malicious JavaScript. (trustwave.com)
  • Data capture: injected script hooks payment/checkout DOM, validates card data (e.g., Luhn), and encodes exfil (often Base64). (trustwave.com)
  • Exfiltration: outbound beacons via XHR/WebSocket/IMG requests, sometimes disguised as analytics or image loads. (akamai.com)
  • Server-side variants: malware persists in templates/filesystems or databases; data is staged and periodically exfiltrated to reduce noise. (sansec.io)

• Credential-stuffing → ATO (account takeover)

CERT-FR issued a bulletin on November 27, 2025 describing an active supply-chain campaign against npm packages that began on November 23, 2025, has affected 700+ packages, executes via a preinstall script to harvest secrets, self-propagate, and in some cases destroy user data; they advise hunting for bun_environment.js, auditing installed versions, temporarily freezing updates, and rotating exposed secrets. (cert.ssi.gouv.fr)

Intrusion Flow

• Initial execution (developer laptop or CI): Compromised npm package versions add a package.json preinstall that runs setup_bun.js, which installs or locates the Bun runtime and launches a large payload bun_environment.js. (wiz.io)
• Credential theft and exfiltration: The payload enumerates environment variables and config files and invokes TruffleHog to capture credentials, then exfiltrates to attacker-created GitHub repositories often labeled with Shai-Hulud-themed descriptions; cross-victim exfiltration has been observed. (cert.ssi.gouv.fr)
• Persistence and remote control: The malware registers a self-hosted runner named “SHA1HULUD” and drops a .github/workflows/discussion.yaml workflow so that creating a GitHub Discussion executes arbitrary commands on the victim’s self-hosted runner; a formatter_*.yml workflow is used to collect GitHub Actions secrets into actionsSecrets.json. (wiz.io)
• Self-replication: Stolen npm tokens and GitHub access allow the actor to publish trojanized versions of additional packages under compromised maintainers, driving rapid worm-like spread across ecosystems. (wiz.io)
• Destructive fallback: Analyses report a “dead man’s switch” that may delete user data (e.g., the home directory) when the malware cannot exfiltrate or persist; CERT-FR also warns about possible user-data deletion. (about.gitlab.com)

Key Artifacts to Pull

• Project and dependency state:
  • package.json, package-lock.json, yarn.lock, pnpm-lock.yaml (to diff against clean versions announced by vendors such as Postman and PostHog). (blog.postman.com)
• On-disk indicators:
  • setup_bun.js and bun_environment.js in package tarballs or node_modules; auxiliary files cloud.json, contents.json, environment.json, truffleSecrets.json. (wiz.io)
  • Suspicious GitHub workflows: .github/workflows/discussion.yaml and formatter_*.yml. (wiz.io)
• GitHub infrastructure state:
  • Presence of self-hosted runners named “SHA1HULUD.” Use the GitHub REST API to list runners at org/repo scope during triage. (wiz.io)
• Package manager caches and global install context:
  • npm cache directory (default on POSIX: ~/.npm with _cacache) for corroborating when/what versions were fetched. (docs.npmjs.com)

Example triage commands (read-only where possible):

Wireshark 4.6.1 and 4.4.11 shipped on November 19, 2025 with fixes for two dissector crash issues; installers for Windows and macOS plus source are available now (Wireshark news). The patched issues are BPv7 (Bundle Protocol v7) and Kafka dissectors that could crash when parsing crafted traffic or trace files (wnpa-sec-2025-05, wnpa-sec-2025-06). Wireshark notes discovery during internal testing and no known in-the-wild exploitation, but a crash during triage still means lost analyst time and potentially missed signal (BPv7 advisory, Kafka advisory). The 4.6.1 release is also the first maintenance for the 4.6 branch (4.6.1 release notes).

On November 5, 2025, GitHub disabled creation of classic npm tokens and tightened controls on granular tokens; write-capable granular tokens now enforce 2FA by default and are limited to a maximum 90-day lifetime, with a seven-day default for new write tokens. GitHub also indicated that local publishing sessions would shift to two-hour tokens, and initially targeted November 19 for revoking all remaining classic tokens. Validate the current cutoff in your environment-GitHub’s community channel noted a possible shift to December 9 to coincide with CLI improvements-then proceed as if long-lived classic credentials are dead and rotation is mandatory. (GitHub Changelog, Nov 5, GitHub Changelog, Sep 29, GitHub Community discussion, Nov 13). (github.blog)

Trend Micro’s latest research reconstructs an end-to-end “scam assembly line” where threat actors chain large language model (LLM) lure generation, synthetic voice/video, and low-code automation (n8n) to spin up convincing phishing and merchandise scams at scale with minimal effort. The demo highlights modular pipelines that can swap prompts, assets, and delivery channels while hiding behind disposable infrastructure and cloud services (Trend Micro, Nov 18, 2025).

Intrusion Flow

• Lure generation and refinement
  • Actors use LLMs to draft spear-phishing or promo copy and iteratively “jailbreak” guardrails through multi-turn prompt patterns, improving persuasion and filter evasion (Microsoft Security on Crescendo jailbreaks; OpenAI/Microsoft disruption of state-linked misuse).
• Synthetic assets
  • Deepfake voice and avatar video are used to front fake product ads, support calls, or romance/investment pitches, with measurable rise in AI-voice fraud calls reported in 2024-2025 (Hiya Q4 2024 call threat report release; FTC consumer alert and challenge outcomes on voice-clone detection/watermarking).
• Automation pipeline (orchestrator)
  • Low-code platforms like n8n can chain text, image, TTS, and video services into agentic workflows that batch-produce lures and publish them across email, web, and social channels (Trend Micro lab pipeline).
• Delivery and infrastructure
  • Distribution leans on clusters of newly registered or short-lived domains and lookalikes; domain age and deceptive links remain top phishing indicators in enterprise telemetry (Cloudflare phishing report). Short-lived domains are common-Spamhaus observed ~89% of studied phishing domains active for <48 hours, reflecting a churn model that evades daily snapshots and takedown latency (Spamhaus passive DNS research; DarkDNS paper on visibility gaps for transient domains). Some campaigns also rent fast-flux and bulletproof hosting to rotate IPs and extend uptime (Bitsight fast-flux investigation).
• Monetization and follow-through
  • Voice-cloned robocalls and impersonation continue despite new U.S. prohibitions on AI-voice robocalls under the TCPA, raising both criminal and regulatory exposure for operators and facilitators (AP coverage of FCC ruling).

Key Artifacts to Pull

• Email and messaging
  • Full RFC822 source with Received chain, DKIM/DMARC/SPF results, display-name vs. header anomalies, and any URL shorteners or tracking parameters aligned to the same infrastructure cluster (Cloudflare phishing indicators include domain age and deceptive links).
• Web infrastructure
  • Server and CDN logs for landing pages; TLS cert details; hosting ASNs; shared analytics IDs; favicon/screenshot hashes for kit clustering; newly registered domain (NRD) metadata and WHOIS; passive DNS pivoting across A/AAAA/CNAME/NS records to reveal rotating IP sets and lookalikes (Spamhaus: short duty cycle on phishing domains; DarkDNS transient-domain visibility; Bitsight fast-flux characteristics).
• Synthetic media
  • Original audio/video files when available; obtain transcoding logs from comms platforms; evaluate for liveness/clone indicators per emerging techniques (e.g., real-time clone detection and watermarked provenance described in FTC challenge winners) (FTC consumer alert).
• Automation backends (self-hosted n8n or similar)
  • If your environment runs n8n, collect workflow JSON, execution logs, credentials vault exports, environment variables, and API audit logs. The public REST API exposes workflow administration; disable if unused and scope API keys tightly (n8n API docs; disable public API guidance).
  • Validate patch levels against recent n8n CVEs that could aid takeover or phishing distribution, such as open-redirect in login (<1.98.0), DoS via binary-data endpoint (<1.99.0), stored XSS in LangChain Chat Trigger (<1.107.0), symlink traversal in file node (<1.106.0), and RCE via Git node pre-commit (<1.113.0) (NVD CVE-2025-49592; CVE-2025-49595; CVE-2025-58177; CVE-2025-57749; CVE-2025-62726).

Detection Notes

• Cluster the infrastructure, not the copy
  • Prioritize hunts for NRDs and lookalikes seen in email and web logs within their first 72 hours; many phishing domains die in under two days, so velocity detection matters (Spamhaus 48-hour activity finding).
• Example Splunk: clicks to NRDs (domain age < 7 days) from mail links

  index=proxy OR index=web (http_status=200 OR http_status=302)
  | eval host=coalesce(cs_host, dest_host, uri_host)
  | lookup whois_domains domain as host OUTPUT domain_age_days
  | where domain_age_days <= 7
  | stats count dc(src_ip) dc(user) values(referer) by host
  | sort - count
  

• Example pDNS pivot: fast-flux / low-TTL clusters

  -- Pseudo-SQL over PDNS
  SELECT qname, count(DISTINCT rrdata) AS ips, min(ttl) AS min_ttl,
         count(DISTINCT resolver) AS resolvers
  FROM pdns WHERE first_seen > now() - interval '48 hours'
  GROUP BY qname HAVING ips >= 10 OR min_ttl <= 120 ORDER BY ips DESC;
  

  Use ASN and nameserver co-occurrence to fingerprint rotating hosting and kit reuse (Bitsight fast-flux traits).
• Voice/phone fraud signals
  • Blend call intelligence with IT telemetry (voice events + subsequent login attempts or payment flows); vendors observed rising deepfake call losses in late 2024 (Hiya report summary). U.S. enforcement has made AI-voice robocalls illegal, aiding attribution and disruption (AP on FCC action).
• Model/agent risk in your stack
  • Treat AI assistants as part of the attack surface; indirect prompt injection remains a practical vector against summarizers and mail triage tools (Mozilla 0Din finding on Gemini Workspace summarizer manipulation; CISA multi-nation guidance for using AI securely).

Response Guidance

• Triage fast, contain faster
  • Quarantine endpoints that interacted with suspected NRDs/lookalikes; block and sinkhole the domain cluster and any shared IPs/NS immediately to beat the 48-hour churn (Spamhaus short-lived domain analysis).
• Eradicate pipeline footholds
  • If n8n (or similar) is present internally, rotate API keys, disable the public API where unused, and patch to remediate recent CVEs; export workflow JSON for IR timelines and disable active lures (n8n API; disable public API; NVD/GitLab advisories).
• Takedown and legal levers
  • Submit abuse to registrars/hosts with evidence of brand impersonation, fast-flux indicators, and victim impact. For AI-voice robocalls, cite the FCC prohibition when engaging telecom partners and state AGs to expedite blocks and civil actions (AP on FCC ban).
• Harden controls for the next wave
  • Enforce NRD/“confusable” domain blocks or holds at the gateway; several providers support lookalike and scam categories to preempt clicks (Cloudflare brand impersonation defenses; Cloudflare Gateway “Scam” category).
  • Sandbox or disable AI auto-summarization on untrusted content; adopt allow-lists and content provenance where available (CISA secure AI use).
  • Train helpdesk/finance to challenge-response on voice instructions; FTC guidance highlights real-time liveness/clone detection and watermarking concepts that can be integrated into call flows (FTC consumer alert).

Takeaways

• Hunt infrastructure clusters: NRDs, lookalikes, and fast-flux indicators are your highest-leverage pivots in the first 48 hours (Spamhaus; Bitsight).
• Treat low-code orchestrators as Tier-1 assets: lock down n8n APIs, rotate credentials, and patch recent CVEs before they become distribution points (n8n docs; NVD/GitLab).
• Don’t trust “smart” summarizers by default: indirect prompt injection against AI assistants is practical; sandbox or disable on untrusted mail/web (Gemini finding via 0Din; CISA).
• Use telecom and legal levers early for voice-clone fraud; the policy environment now supports faster blocking of AI-voice robocalls (AP on FCC rule).