Monthly summary of interesting articles, reports and tools for tech experts, covering both offensive and defensive topics.

🔴 Red Team

📝 Beyond the bomb: When adversaries bring their own virtual machine for persistence

Red Canary’s report "Beyond the Bomb: When Adversaries Bring Their Own Virtual Machine for Persistence" describes a novel, multi-stage attack chain in which threat actors first flood victims with spam/email bombs to distract and overwhelm defenses, then social-engineer their way into the environment under the guise of technical support. Once inside, they deploy their own QEMU-based virtual machine (VM), hidden from traditional endpoint controls, to establish stealthy, long-term persistence. This VM acts as an isolated operational base, allowing attackers to bypass EDR/XDR monitoring, execute arbitrary commands, and maintain access even if the host is remediated or credentials are rotated.

For blue teams, this tactic underscores the urgent need for layered defenses: beyond robust email filtering and EDR, organizations must monitor for unauthorized VM creation (e.g., via process trees, hypervisor logs, or network anomalies), restrict VM-related permissions, and train users to scrutinize unsolicited "support" calls, especially after unusual activity like spam bombing. The case also highlights how adversaries abuse legitimate tools (QEMU, Hyper-V) and blend social engineering with technical evasion, making it a critical reminder to audit virtualization platforms, enforce least-privilege access, and hunt for hidden VM artifacts (e.g., unexpected .vmx files, rogue network interfaces). This evolution in persistence tactics demands proactive threat hunting and defense-in-depth to detect and disrupt such covert operational environments.
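A process-tree hunt for unauthorized QEMU launches, as an added example that is not taken from Red Canary's report. The events are constructed, and the indicator set (QEMU binary name, user-writable path, headless display options, `hostfwd=` port forwarding) is an assumption about what such a launch looks like.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not from the report.
EVENTS = [
    {"host": "WS-014",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\vm\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 1G -hda disk.qcow2 -nographic "
                "-netdev user,id=n0,hostfwd=tcp::2222-:22"},
    {"host": "DEV-003",  # developer running an installer with a visible window
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 4G -cdrom installer.iso"},
    {"host": "WS-020",  # renamed binary: only the arguments give it away
     "image": r"C:\ProgramData\svc\update.exe",
     "cmdline": "update.exe -m 512 -drive file=a.img,format=raw -display none"},
]

QEMU_NAME = re.compile(r"(^|\\)qemu-system-[\w.-]+$", re.I)
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
CMDLINE_CHECKS = {
    "headless": re.compile(r"-nographic\b|-display\s+none\b", re.I),
    "port_forward": re.compile(r"hostfwd=", re.I),
    "disk_image": re.compile(r"-hd[a-d]\s|-drive\s+\S*file=", re.I),
}

def indicators(event):
    """Return the set of indicator names that fire for one event."""
    found = {n for n, rx in CMDLINE_CHECKS.items() if rx.search(event["cmdline"])}
    if QEMU_NAME.search(event["image"]):
        found.add("qemu_binary")
    if USER_WRITABLE.search(event["image"]):
        found.add("user_writable_path")
    return found

def is_suspicious(event):
    hits = indicators(event)
    # "VM-like": named like QEMU, or a headless process that is handed a disk image.
    vm_like = "qemu_binary" in hits or {"headless", "disk_image"} <= hits
    # Alert only when the VM is also hidden, forwarded, or outside an install path.
    return vm_like and bool(hits & {"user_writable_path", "headless", "port_forward"})

def hunt(events):
    return [(e["host"], sorted(indicators(e))) for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for host, hits in hunt(EVENTS):
        print(host, ", ".join(hits))
```

Matching on arguments as well as the binary name is what catches the renamed copy on WS-020, while the windowed QEMU under Program Files is left alone.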

📌 Source: https://redcanary.com/blog/threat-intelligence/email-bombing-virtual-machine


📝 Behind the Walls: Techniques and Tactics in Castle RAT Client Malware

Splunk’s analysis of CastleRAT malware reveals a sophisticated, multi-stage Remote Access Trojan (RAT) that leverages stealthy data exfiltration techniques, including clipboard hijacking (via SendInput() and Ctrl+V simulation) to blend malicious activity with normal user behavior, and RC4-encrypted C2 traffic to evade detection. The malware employs living-off-the-land binaries (LOLBins) like rundll32 and ComputerDefaults.exe for UAC bypass, scheduled tasks for persistence, and system/device enumeration to profile targets. Notably, CastleRAT targets cryptocurrency wallets, credentials, and sensitive files, using dead-drop resolvers and IP geolocation APIs (e.g., ip-api.com) to dynamically adapt its C2 infrastructure.

For blue teams, this research is a goldmine for detection engineering: Splunk provides actionable SPL queries, MITRE ATT&CK mappings (T1059, T1055, T1082, T1083, T1562), and behavioral indicators, such as unusual outbound connections to unfamiliar domains, one-line PowerShell downloads, and processes launched with muted-audio browser flags. Defenders are advised to monitor for RC4 traffic patterns, suspicious rundll32 executions, and unexpected binaries in user folders (e.g., %APPDATA%), while leveraging Splunk’s Security Essentials to benchmark coverage against the Top 20 MITRE ATT&CK techniques. This approach enables proactive threat hunting and gap analysis to harden environments against CastleRAT’s evasive, multi-vector attack chains.

📌 Source: https://www.splunk.com/en_us/blog/security/castlerat-malware-detection-splunk-mitre-attck.html


📝 From cheats to exploits: Webrat spreading via GitHub

Kaspersky’s analysis of WebRAT reveals a targeted campaign where attackers distribute the malware via fake GitHub repositories, masquerading as proof-of-concept (PoC) exploits for high-profile CVEs (e.g., CVE-2025-59295, CVE-2025-10294). The attack chain begins with AI-generated, professional-looking repositories offering detailed vulnerability descriptions, install guides, and mitigation advice, luring victims (especially inexperienced security researchers) into downloading a password-protected ZIP. Inside, a multi-stage dropper (rasmanesc.exe) escalates privileges, disables Windows Defender, and fetches the WebRAT payload from a hardcoded C2 URL. Once deployed, WebRAT acts as a full-featured backdoor and infostealer, capable of keylogging, screen recording, webcam/microphone surveillance, and stealing credentials from Discord, Telegram, Steam, and cryptocurrency wallets.

For blue teams, this campaign highlights critical detection and mitigation opportunities: monitor for suspicious GitHub downloads (especially password-protected archives with decoy files), audit outbound connections to unfamiliar domains, and block executions of rasmanesc.exe or similar droppers. Kaspersky’s IOCs (e.g., HEUR:Trojan.PSW.Win64.Agent.gen) and behavioral red flags, such as privilege escalation via T1134.002, Defender tampering (T1562.001), and C2 traffic (T1071), provide actionable hunting rules. The case also underscores the need for isolated analysis environments and strict vetting of open-source PoCs, as attackers increasingly exploit trust in public repositories and AI-generated documentation to bypass scrutiny.

📌 Source: https://securelist.com/webrat-distributed-via-github/118555

🔵 Blue Team

🛠️ Introducing Pathfinding.cloud

Datadog Security Labs’ pathfinding.cloud is a groundbreaking, open-source knowledge base that documents 65+ AWS IAM privilege escalation paths, including 27 previously undetected techniques (42%) missed by existing open-source tools. The project exposes critical gaps in IAM security by detailing how seemingly innocuous permission combinations, such as iam:PassRole + cloudformation:CreateStackSet + cloudformation:CreateStackInstances, can be chained to escalate privileges, bypassing traditional detection and mitigation strategies. For blue teams, this resource is invaluable for hardening AWS environments: it provides machine-readable YAML/JSON data for integration into security tools, visual attack path mappings, and actionable insights to close blind spots in IAM policies, CI/CD pipelines, and cloud infrastructure.

The library empowers defenders to proactively audit IAM configurations, identify over-permissive roles, and prioritize remediation before attackers exploit these paths. By leveraging pathfinding.cloud, security teams can bridge the detection gap, enhance threat modeling, and validate the effectiveness of their existing security tools, all while benefiting from a community-driven, continuously updated resource that evolves with emerging AWS attack techniques.
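An audit check for the permission combination named above, as an added example that is not code or data from pathfinding.cloud. The path name, the sample policies and the helper functions are constructed for illustration; the check looks across all policies attached to one principal, because the three permissions rarely sit in a single document.

```python
from fnmatch import fnmatchcase

# Hypothetical path table holding the one combination quoted in the text (lower-cased).
ESCALATION_PATHS = {
    "passrole-cfn-stackset": {
        "iam:passrole",
        "cloudformation:createstackset",
        "cloudformation:createstackinstances",
    },
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def allowed_patterns(policy):
    """Lower-cased Action patterns from every Allow statement of one policy document."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
    return [a.lower() for s in stmts if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action"))]

def grants(patterns, action):
    # IAM action names are case-insensitive and accept the * and ? wildcards.
    return any(fnmatchcase(action, p) for p in patterns)

def find_paths(policies):
    """Names of escalation paths fully granted by a principal's combined policies.

    Ignores Deny, NotAction, Resource and Condition, so it over-reports:
    treat a hit as a prompt for manual review, not as proof of exploitability.
    """
    patterns = [p for doc in policies for p in allowed_patterns(doc)]
    return sorted(name for name, needed in ESCALATION_PATHS.items()
                  if all(grants(patterns, a) for a in needed))

# Constructed sample: two policies attached to the same deployment role.
DEPLOYER = [
    {"Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]},
    {"Statement": {"Effect": "Allow", "Resource": "*",
                   "Action": ["cloudformation:Create*", "cloudformation:Describe*"]}},
]
READER = [
    {"Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:CreateStackSet", "cloudformation:List*"]},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
]
```

Neither DEPLOYER policy grants the path alone; the wildcard `cloudformation:Create*` in the second one completes it once `iam:PassRole` from the first is taken into account.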

📌 Source: https://securitylabs.datadoghq.com/articles/introducing-pathfinding.cloud


📝 2025 CWE Top 25 Key Insights

The 2025 CWE Top 25 Most Dangerous Software Weaknesses report analyzes 39,080 CVE records, highlighting the most severe and prevalent vulnerabilities that organizations must prioritize for mitigation. Memory safety issues (buffer overflows, use-after-free) and authentication/authorization flaws dominate the list, with CWE-862 (Missing Authorization) and CWE-306 (Missing Authentication) rising sharply, while CWE-120, CWE-121, and CWE-122 (Classic, Stack, and Heap-based Buffer Overflows) entered the Top 25 for the first time, reflecting a resurgence of memory corruption vulnerabilities. Notably, 42% of the Top 25 weaknesses are now mapped with greater precision, reducing reliance on abstract or discouraged CWEs, a sign of improved vulnerability reporting practices.

For blue teams, this report is a strategic guide to focus security investments: it reveals that 79% of mappings are to actionable, "Allowed" CWEs, enabling targeted remediation in the SDLC and architectural planning. The data also underscores the urgency of addressing improper access control (CWE-284, CWE-639) and resource exhaustion (CWE-770), which are increasingly exploited in real-world attacks. By leveraging these insights, defenders can prioritize patching, harden authentication mechanisms, and enforce secure coding standards, ultimately reducing exposure to the most dangerous and exploitable weaknesses.

📌 Source: https://cwe.mitre.org/top25/archive/2025/2025_key_insights.html


📝 How I discovered a hidden microphone on a Chinese NanoKVM

The NanoKVM, a low-cost, open-source hardware KVM switch from Sipeed, was found to contain multiple critical security flaws, most alarmingly a hidden, undocumented SMD microphone (2x1mm) capable of high-quality audio recording. The device, designed for remote server management via HDMI/USB, also shipped with default SSH credentials, hardcoded encryption keys for password protection, no CSRF protection, and preinstalled hacking tools (tcpdump, aircrack). Even more concerning, the NanoKVM communicates with Chinese servers for updates and closed-source components, lacks update integrity verification, and uses plaintext storage for identification keys. These vulnerabilities enable attackers to eavesdrop via the microphone, decrypt passwords, or exploit the device as a pivot point for lateral movement.

For blue teams, this case underscores the risks of supply-chain hardware and the importance of physical/audio security audits, even for "open-source" devices. The article provides actionable mitigation steps: physically removing the microphone, flashing custom firmware (e.g., Debian/Ubuntu ports), and disabling default services. It also serves as a wake-up call to scrutinize all remote management tools for hidden components, backdoors, and insecure defaults, especially those with overseas dependencies. The broader lesson? Trust but verify: even budget-friendly, open-source hardware can harbor critical, undocumented surveillance capabilities.

📌 Source: https://telefoncek.si/2025/02/2025-02-10-hidden-microphone-on-nanokvm

Never trust, always check