Living-off-the-land (LoTL) attacks abuse legitimate tools like PowerShell, WMI, and RMM software to blend in with normal IT activity. Five key warning signs distinguish malicious use from routine admin work: the tool appearing in unexpected hands, activity originating from unusual machines, abnormal process chains, subtly off command-line syntax, and follow-on behaviors like reconnaissance or lateral movement. Defenders should pressure-test suspicious activity by examining who used the tool, where it ran, how it launched, and what happened next. Preventive measures include better process chain visibility, stronger admin activity logging, tighter control over high-risk tools, and eliminating dormant accounts and legacy systems.
Nguồn: https://www.huntress.com/blog/lotl-abuse-warning-signs. 8sync News chỉ tóm tắt và dẫn link; bản quyền nội dung thuộc tác giả và nguồn gốc.
A writer who covers automation spent a week using Claude Code to clean up their chaotic Windows 11 PC. The experiment covered organizing a Downloads folder by file content (not just extension), auditing startup entries and scheduled tasks, performing disk forensics to find stale VMs and LLM model files, and batch-renaming screenshots using vision capabilities. The key insight is that AI agents handle ambiguous, judgment-heavy tasks that traditional scripts cannot — like reading a PDF to determine where it belongs. The author shares the actual prompts used throughout, emphasizes a dry-run-first, human-approval workflow to avoid accidental data loss, and notes the prompts can be reused with local LLMs.
Threat actors are now using AI (vibe coding) to generate bespoke PowerShell scripts for Active Directory reconnaissance, bypassing traditional signature-based detection. Huntress analysts recovered and dissected a real AI-generated AD enumeration script (Untitled1.ps1) used in a June 2026 incident. The script exhibits clear LLM hallmarks: a 'FULLY FIXED' title from iterative prompting, an unedited placeholder server name, over-engineered five-method DC discovery, repetitive try/catch blocks, and excessive colorful console output. The script systematically dumps AD users, computers, groups, OUs, subnets, and trusts into CSVs, generates an HTML summary report, and zips everything for exfiltration. The key detection implication: since vibe-coded scripts are unique per generation, hash and static signature detection fails. Defenders must pivot to behavioral analytics targeting the underlying AD interaction patterns that AI cannot obscure.
Elastic Security Labs has uncovered a banking malware campaign (REF6045) targeting Mexican financial sector customers using ClickFix social engineering. Victims are lured to fake CAPTCHA pages and tricked into pasting malicious PowerShell commands into the Windows Run dialog. The installed SCMBANKER toolkit establishes persistence, captures keystrokes, monitors banking sessions, manipulates clipboard contents, and can deploy remote access software. Researchers also found evidence of LLM-assisted malware development. Recommended defenses include user training on fake CAPTCHA recognition, restricting PowerShell and Windows Run dialog usage, and deploying EDR solutions.
Elastic Security Labs details REF6045, a Mexican banking fraud operation deploying SCMBANKER — a PowerShell toolkit delivered via ClickFix fake-CAPTCHA pages. Once installed, the operator-assisted toolkit enables banking session monitoring, vishing overlays, browser redirects to phishing pages, clipboard hijacking of CLABE account numbers and card numbers, screenshot capture, keylogging, and silent installation of Remote Utilities for full remote access. The toolkit shows strong signs of AI-assisted development: LLM-generated code artifacts including heavy banner comments, self-documenting obfuscation, and profanity-laced comments in sensitive modules suggest the operator prompted a Spanish-language LLM for most functional scripts. Significant OPSEC failures — open directories, an exposed full web-root archive, and an unauthenticated file editor — allowed full recovery of the operation's tooling. The post includes MITRE ATT&CK mappings, IOCs, and Elastic detection rules.
Socket researchers uncovered Operation 'Muck and Load', a malware campaign that began with a malicious Go module impersonating a DNS/subdomain scanner. The module embedded hidden PowerShell execution that downloaded encrypted payloads from public dead-drop services (Pastebin, YouTube, Instagram, Telegram), ultimately deploying AsyncRAT, Quasar, Remcos RATs, Vidar infostealer, and Monero cryptominers via password-protected archives. Pivoting from the initial module revealed a GitHub lure network of 222 confirmed repositories across 190 accounts, all using automated commit-farming GitHub Actions workflows to appear active and legitimate. The repositories targeted users seeking crypto tools, wallet utilities, game cheats, and offensive tooling. At least 14 confirmed malware files were found across the network. The malicious Go module has been blocked from the Go module proxy, and GitHub has been notified. The campaign overlaps with previously reported ischhfd83-linked repository-backdoor activity.
Windows Event Viewer generates thousands of log entries but buries actionable errors in noise, making it nearly useless for most users. By exporting logs via PowerShell — including WHEA hardware errors, disk/NTFS warnings, Task Scheduler, and System/Application logs — and feeding them to Claude with a targeted prompt, it's possible to surface real problems. In one session, Claude identified a faulty USB drive causing data loss, escalating UPS overload alarms, and MSI Center exhausting UDP ports and causing intermittent network issues — all issues that had been silently logged but never noticed.
A developer with 300+ pixel art assets in Krita needed to remap colors across all files to a new palette without manually redoing each one. Using Krita's built-in Python Scripter, they wrote a script that parses two GIMP Palette (.gpl) files and replaces old colors with new ones by matching color names. The post also covers batch-exporting all .kra files to PNG via the Krita command line and a PowerShell script for recursive export.

A new wave of ClickFix attacks uses fake Google reCAPTCHA and Cloudflare verification pages to trick users into running malicious PowerShell commands. The campaigns share common infrastructure — Cloudflare R2 buckets, a C:\ProgramData\Zooms staging folder, and IPs hosted by Dedik Services Limited — while delivering multiple malware families including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer. A newly documented loader called ResiLoader is distributed via a trojanized Franz messaging app; it uses a BYOD driver technique to terminate 140+ AV/EDR processes, performs UAC bypass, and ultimately deploys StealC via process hollowing. The post includes full IOCs: hashes, C2 domains, payload distribution domains, and IP addresses.