Posts by Sekoia.io

Part 2 of our #EvilTokens analysis is live. TDR analysts uncovered the AI-augmented features that automate and scale #BEC workflows, marking a breakthrough in the #PhaaS ecosystem.
blog.sekoia.io/eviltokens-a...
The EvilTokens PhaaS runs via fully featured Telegram bots and continuously enhances its phishing kit with new capabilities.
TDR analysts gained access to the #EvilTokens backend JavaScript, which implements device code phishing functions and token weaponisation.
This script also includes #LLM #prompts to analyse large volumes of emails, construct BEC attack scenarios, and draft targeted #BEC emails.
We assess that EvilTokens is the first PhaaS to offer #AI-augmented post-compromise tooling, representing a significant shift in the BEC ecosystem by making advanced, victim-tailored fraud capabilities accessible to a broad audience of financially motivated threat actors.
Part 1 of our technical deep dive into EvilTokens: blog.sekoia.io/new-widespre...

#TDR analysts uncovered an emerging Phishing-as-a-Service (#PhaaS) platform called #EvilTokens, which offers device code phishing pages and AI-augmented features to automate and scale #BEC workflows.
⬇️
blog.sekoia.io/new-widespre...
EvilTokens device code phishing pages allow attackers to capture Microsoft refresh and access tokens, weaponise them, harvest victims' mailboxes, and automatically craft BEC emails using AI.
EvilTokens has been active since late February 2026 and was rapidly adopted by cybercriminals; TDR analysts believe it will become a serious competitor in the phishing and BEC landscape.
Our report offers a technical analysis of the EvilTokens kit, its delivery campaigns, and the adversary's infrastructure.
As usual, IoCs are available in our Community GitHub repository:
github.com/SEKOIA-IO/Co...

#SilverFox is a China-based intrusion set operating on a unique "dual-track" model. While often tracked for their APT-style espionage, our telemetry shows they continuously run broad, opportunistic cybercrime campaigns targeting entities across South Asia. blog.sekoia.io/silver-fox-t...
In this deep-dive analysis, our Threat Detection & Research (#TDR) team unmasks their massive 2025-2026 campaign and rapidly evolving infection chains.
Key findings:
🎣 Deceptive Lures: Consistently impersonates national taxation authorities or uses fake payroll documents to trick victims into executing payloads.
🌊 3-Wave Arsenal Evolution: Between 2025 and 2026, their attack chains shifted significantly to evade detection.
🛠️ RMM Abuse: Transitioned from deploying #ValleyRAT via malicious PDFs to abusing Chinese #RMM tools.
🐍 Custom Payloads: Recently observed dropping a custom Python-based stealer embedded in a Python installer.
Agile and persistent, Silver Fox successfully blends into the noise of traditional cybercrime while maintaining the capacity for advanced intelligence collection.

#OysterLoader (aka #Broomstick or #Cleanup) is not just another downloader. Often serving as a precursor to #Rhysida #ransomware campaigns or distributing commodity malware such as #Vidar, this threat has evolved significantly as we enter 2026.
blog.sekoia.io/oysterloader...
#Reverse
In this deep-dive analysis, our Threat Detection & Research (TDR) team uncovers a sophisticated, multi-stage infection designed to bypass security controls. Key findings:
📦 Deceptive Distribution: Spreads via fake sites impersonating IT tools like PuTTY or WinSCP.
🔐 Custom Obfuscation: Leverages non-standard Base64 encoding with randomized shifts to evade automated detection.
🖼️ Steganography: Hides payloads within innocuous-looking icon images retrieved from the C2.
🎭 Advanced Evasion: Packed with TextShell for enhanced obfuscation (custom LZMA); utilizes API "hammering" and anti-debug traps to bypass detection and delay manual analysis.

#TDR analysts deep-dived into a widespread malicious JavaScript framework injected into 3,800+ WordPress sites to distribute #NetSupport RAT via the #ClickFix social engineering tactic.
blog.sekoia.io/meet-iclickf...
In November 2025, we unveiled IClickFix via an internal tool detecting watering hole attacks and YARA rules tuned to identify ClickFix pages.
We named the framework "IClickFix" after its characteristic HTML tag "ic-tracker-js".
To our knowledge, this is the first time cybercriminals have used YOURLS as a TDS.
The attacker is abusing the open-source URL shortener YOURLS as a Traffic Distribution System (TDS), filtering visitors by device type and protecting their infrastructure.
As usual, IoCs are available in our Community GitHub repository:
github.com/SEKOIA-IO/Co...

🐧 Leveraging #Landlock Telemetry for #Linux Detection Engineering
Sekoia #TDR explores how Linux Landlock telemetry can be leveraged to build high-fidelity, low-noise detections by observing sandbox policy violations.
blog.sekoia.io/leveraging-l...
The blog post dives into how #Landlock, originally designed as a security hardening mechanism, can also become a powerful source of telemetry for detection engineering on #Linux systems.
This research highlights how defensive kernel mechanisms can be repurposed to strengthen behavioural detection on Linux endpoints.

The first part of our series "Advent of Configuration Extraction" introduces #Assemblyline, the analysis pipeline used by #TDR and, more specifically, the configextractor service.
buff.ly/mpEzALh
In the second part, we unwrap #QuasarRAT, a popular .NET remote access trojan, and show how to extract its encrypted configuration out of the binary.
buff.ly/agWWCnp
In the third part of our series "Advent of Configuration Extraction", we dissect #SNOWLIGHT, a lightweight ELF downloader designed to retrieve and execute a remote payload on #Linux systems.
buff.ly/Crz8rDh