ctipilot.ch

SVG phishing wave using application/ecmascript MIME to evade WAF/email pattern-matching (SANS ISC)

campaign · campaign:svg-ecmascript-phishing-2026

  • Coverage timeline: 1 (first 2026-06-03 → last 2026-06-03)
  • Briefs: 1 (1 distinct)
  • Sources cited: 10 (4 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-03 · CTI Daily Brief — 2026-06-03
     research · First coverage — non-standard MIME evasion, single-source SANS ISC

Where this entity is cited

  • research: 1

Source distribution

  • isc.sans.edu: 6 (60%)
  • thehackernews.com: 2 (20%)
  • checkmarx.com: 1 (10%)
  • ox.security: 1 (10%)

Related entities

Items in briefs about SVG phishing wave using application/ecmascript MIME to evade WAF/email pattern-matching (SANS ISC) (6)

SANS ISC: SVG phishing wave abuses a non-standard MIME type to slip past WAF/email pattern-matching [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

SANS ISC handler Xavier Mertens documented a fresh wave of phishing emails carrying SVG attachments whose embedded JavaScript is obfuscated with combined Base64 + XOR encoding and, on decode, redirects the victim via window.location.href to a credential-harvesting page (SANS ISC, 2026-06-02). The notable evasion is the use of <script type="application/ecmascript"> instead of the standard text/javascript — browsers execute both identically, but email-security and WAF products that pattern-match specifically on text/javascript can miss the non-standard declaration. Because SVGs open natively in Windows browsers, the redirect fires on file open with no extra click. [SINGLE-SOURCE] (SANS Internet Storm Center). Detection: flag email attachments of Content-Type: image/svg+xml that contain embedded <script> elements; treat the application/ecmascript/application/javascript MIME variants as equivalent to text/javascript in inspection rules; sandbox SVG attachments before delivery and watch newly-registered low-cost TLDs (the campaign used a .cfd domain) at the proxy.
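The detection rule stated at the end of that item (flag SVG attachments carrying a script element, and treat every MIME type a browser will execute as equivalent to text/javascript) can be checked at the mail gateway before delivery. The Python scanner below is an added example, not code from SANS ISC or from this brief: it walks a raw email, parses each image/svg+xml attachment, records every script element with its declared type, and quarantines the message when any declared type is one a browser executes. The sample message and its SVG are constructed here, and the Base64 literal inside the script encodes a harmless string standing in for the obfuscated payload the diary describes.

```python
import base64
import email
import email.policy
import re
import xml.etree.ElementTree as ET  # production: prefer defusedxml, stdlib ET is exposed to entity-expansion DoS
from email.message import EmailMessage

# Types a browser executes as script (a subset of the HTML spec's JavaScript MIME type list,
# plus "module" and an absent/empty attribute). Rules matching only text/javascript miss the rest.
JS_MIME_TYPES = {
    "", "module", "text/javascript", "text/ecmascript", "text/jscript",
    "text/x-javascript", "text/x-ecmascript", "application/javascript",
    "application/ecmascript", "application/x-javascript", "application/x-ecmascript",
}
STANDARD_TYPES = {"", "text/javascript"}            # what a naive email/WAF rule tends to look for
_NS_PREFIX = re.compile(r"^\{[^}]*\}")               # ElementTree names tags as {namespace}local
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # a long Base64-looking literal in the script body


def _finding(declared, body, parse_ok):
    declared = declared.strip().lower()
    return {
        "type": declared,
        "executable": declared in JS_MIME_TYPES,
        "non_standard_type": declared in JS_MIME_TYPES and declared not in STANDARD_TYPES,
        "has_base64_blob": bool(_B64_RUN.search(body)),
        "parse_ok": parse_ok,
    }


def scan_svg(svg_bytes):
    """One finding per <script> element in an SVG document, in document order."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        # Malformed XML: fall back to a text scan so a broken wrapper cannot hide the script element.
        out = []
        for m in re.finditer(rb"<script\b([^>]*)>(.*?)</script\s*>", svg_bytes, re.I | re.S):
            t = re.search(rb'type\s*=\s*["\']([^"\']*)', m.group(1), re.I)
            out.append(_finding(t.group(1).decode("ascii", "replace") if t else "",
                                m.group(2).decode("utf-8", "replace"), parse_ok=False))
        return out
    return [
        _finding(el.get("type") or "", el.text or "", parse_ok=True)
        for el in root.iter()
        if isinstance(el.tag, str) and _NS_PREFIX.sub("", el.tag).lower() == "script"
    ]


def scan_message(raw_message):
    """Scan every SVG attachment of a raw RFC 5322 message. Returns [(filename, findings)]."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            results.append((name, scan_svg(part.get_payload(decode=True))))
    return results


def verdict(results):
    """Quarantine when any SVG attachment carries an executable script, whatever type it declares."""
    return "QUARANTINE" if any(f["executable"] for _, fs in results for f in fs) else "DELIVER"


# Constructed sample: a decoy image plus a script element declared with the non-standard type.
# The Base64 literal encodes a harmless string; it stands in for the diary's obfuscated payload.
_BLOB = base64.b64encode(b"constructed sample, not a real payload, " * 3).decode("ascii")
SAMPLE_SVG = f"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#ccc"/>
  <script type="application/ecmascript">var d="{_BLOB}";</script>
</svg>"""


def build_sample_message():
    """A constructed email with invoice.svg attached as Content-Type: image/svg+xml."""
    m = EmailMessage()
    m["From"] = "billing@sender.example"
    m["To"] = "user@recipient.example"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(SAMPLE_SVG.encode("utf-8"), maintype="image",
                     subtype="svg+xml", filename="invoice.svg")
    return m.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for filename, findings in results:
        for f in findings:
            print(filename, f)
    print(verdict(results))
```

The text fallback matters in practice: an attachment that the XML parser rejects is still opened by some viewers, so a parse failure must not silently turn into a clean verdict. Any script element is recorded, including ones with non-executable types, so the same findings can feed a lower-severity review queue.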

SmartApeSG ClickFix stages an unnamed RAT that pivots to a weaponised NetSupport Manager [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-01 · published 2026-06-01

SANS ISC handler Brad Duncan published a same-day forensic diary (2026-06-01) reconstructing an infection observed on 2026-05-27 that began with the SmartApeSG ClickFix campaign — fake browser-verification / "press Win+R" lures served from compromised pages — and ended in a full NetSupport Manager RAT deployment (SANS ISC, 2026-06-01). The ClickFix execution (T1204.001) drops a ZIP carrying an unnamed staging RAT that, per Duncan, has been beaconing to its C2 over a custom encoded (non-TLS) protocol on TCP/443 since at least April 2026; that staging RAT then fetched the NetSupport payload as a ~17 MB Microsoft Cabinet (setup.cab). The install chain is processor.vbs (a 109-byte VBScript launcher in C:\ProgramData\, T1059.005) → token.bat (extracts the CAB into C:\ProgramData\UpdateInstaller\, sets persistence, then self-deletes all three dropper components, T1070.004) → NetSupport RAT C2 over port 443 (T1219 Remote Access Tools). Because NetSupport is legitimate commercial software, its presence and traffic blend with benign remote-support telemetry.

This is a single-source handler diary (HIGH-reliability source, single-day observation) and carries no independent corroboration of the identical chain in-window — treat the specifics as one analyst's forensic account. Detection concepts a SOC can apply without IOCs: browser process (chrome.exe/msedge.exe/firefox.exe) spawning wscript.exe/mshta.exe/cmd.exe (Sysmon EID 1 with browser parent-image); short-lived .vbs/.bat file-creates in C:\ProgramData\ (Sysmon EID 11); CAB expansion via expand.exe/wusa.exe from ProgramData; and registry Run-key persistence pointing at a non-standard NetSupport path (C:\ProgramData\UpdateInstaller\ rather than the legitimate C:\Program Files\NetSupport\). Where TLS inspection is in place, unencrypted payload on port 443 from a NetSupport process is anomalous.

SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

SANS ISC handler Manuel Humberto Santander Pelaez published a forensic walkthrough on 2026-05-27 reconstructing an Akira ransomware intrusion using only two log sources — SSLVPN syslog and Windows EVTX exports — joined by source IP and normalised time (SANS Internet Storm Center, 2026-05-27). [SINGLE-SOURCE] — high-reliability technical primary, but no independent corroboration of the specific kill chain. Initial access (T1078.001 / T1133): non-distributed brute force from a single hosting-provider IP against a single local SSLVPN account that had been deprovisioned in Active Directory but remained provisioned as a local firewall user with no MFA. Discovery: EID 4688 captures nltest.exe /dclist:, net.exe group "Domain Admins" /domain, net.exe group "Enterprise Admins" /domain, whoami.exe /all, and a renamed AdFind.exe variant, all parented explorer.exe → cmd.exe. Credential access (T1558.003 Kerberoasting): a cluster of EID 4769 RC4-encrypted TGS requests for multiple SPNs from a single workstation within a 90-second window. Lateral movement (T1021.001): EID 4624 Logon Type 10 chain from jump host to file server, domain controllers, backup server; EID 4672 special-logon privileges on DC. Defense evasion + impact: EID 1102 security-log clear; sc.exe / net stop of endpoint-protection services (System EID 7036); vssadmin delete shadows /all /quiet.

Why it matters to us: the diary is a forensic primer for any SOC operating without full EDR coverage — the standard scenario in smaller public-sector entities and DACH commune networks. Concrete takeaways the SANS ISC author makes directly: reconcile local SSLVPN account directories against the AD source of truth (deprovisioned-in-AD-but-retained-in-firewall is the recurring initial-access pathway in this class); alert on > 50 failed SSLVPN auths from a single source per hour; enable EID 4688 process auditing on every Windows host and set the Security log size ≥ 1 GB; alert on RC4 TGS-REP (EID 4769 EncryptionType=0x17) for multiple SPNs from one workstation in a short window; EID 1102 security-log clear is incident-grade in every case; time-sync every host including the firewall to the same NTP source so perimeter-to-endpoint joins remain reliable.
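The three rules the author states with concrete numbers (RC4 TGS requests for multiple SPNs from one client within 90 seconds, more than 50 failed SSLVPN logins from one source per hour, and any EID 1102) can be run over normalised events directly, which is the whole point of a no-EDR reconstruction. The Python below is an added example and not the diary's code: the 4769 field names are snake_case renderings of the Windows event fields (ClientAddress, ServiceName, TicketEncryptionType), the SSLVPN syslog line format is constructed (every firewall vendor has its own), the sample events are constructed, and the "multiple SPNs" threshold of three is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                              # EID 4769 TicketEncryptionType for RC4-HMAC
KERBEROAST_WINDOW = timedelta(seconds=90)    # the diary's cluster width
KERBEROAST_MIN_SPNS = 3                      # "multiple SPNs": this threshold is an assumption
VPN_FAIL_THRESHOLD = 50                      # diary: alert on > 50 failed auths per source per hour

# Constructed SSLVPN syslog shape; adapt the pattern to the firewall's real format.
SSLVPN_FAIL = re.compile(r"^(?P<time>\S+) sslvpn: login failed user=\S+ src=(?P<src>\S+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_kerberoasting(events):
    """EID 4769 sliding window: one client address requesting RC4 service tickets for
    KERBEROAST_MIN_SPNS or more distinct SPNs within KERBEROAST_WINDOW."""
    by_client = defaultdict(list)
    for e in events:
        if e["event_id"] == 4769 and int(str(e["ticket_encryption_type"]), 16) == RC4_HMAC:
            by_client[e["client_address"]].append((_ts(e["time"]), e["service_name"]))
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= KERBEROAST_WINDOW}
            if len(spns) >= KERBEROAST_MIN_SPNS:
                alerts.append({"rule": "kerberoasting", "client": client,
                               "spns": sorted(spns), "start": t0.isoformat()})
                break  # one alert per client is enough to open the hunt
    return alerts


def detect_vpn_bruteforce(lines):
    """SSLVPN syslog: failed logins per source address per clock hour."""
    counts = defaultdict(int)
    for line in lines:
        m = SSLVPN_FAIL.search(line)
        if m:
            hour = _ts(m.group("time")).replace(minute=0, second=0)
            counts[(m.group("src"), hour)] += 1
    return [{"rule": "vpn-bruteforce", "source": src, "hour": h.isoformat(), "failures": n}
            for (src, h), n in counts.items() if n > VPN_FAIL_THRESHOLD]


def detect_log_clear(events):
    """EID 1102 (Security log cleared) is incident-grade on its own."""
    return [{"rule": "security-log-cleared", "host": e["host"], "time": e["time"]}
            for e in events if e["event_id"] == 1102]


def _evt(time, client, spn, enc="0x17"):
    return {"event_id": 4769, "time": time, "client_address": client,
            "service_name": spn, "ticket_encryption_type": enc}


# Constructed samples: one workstation burst-requests RC4 tickets for four SPNs in 60 s, a second
# host requests a single AES ticket (normal), then the Security log is cleared on the file server.
SAMPLE_EVENTS = [
    _evt("2026-05-20T03:10:00", "10.0.0.25", "MSSQLSvc/sql01.corp.example:1433"),
    _evt("2026-05-20T03:10:20", "10.0.0.25", "HTTP/intranet.corp.example"),
    _evt("2026-05-20T03:10:40", "10.0.0.25", "CIFS/backup01.corp.example"),
    _evt("2026-05-20T03:11:00", "10.0.0.25", "MSSQLSvc/sql02.corp.example:1433"),
    _evt("2026-05-20T03:15:00", "10.0.0.77", "HTTP/intranet.corp.example", enc="0x12"),
    {"event_id": 1102, "time": "2026-05-20T04:02:11", "host": "FS01"},
]


def sample_vpn_lines():
    """Constructed: 51 failures from one address inside one hour, 3 from another."""
    lines = [f"2026-05-20T02:{i // 60:02d}:{i % 60:02d} sslvpn: login failed user=jsmith src=203.0.113.7"
             for i in range(51)]
    lines += [f"2026-05-20T02:3{i}:00 sslvpn: login failed user=alee src=198.51.100.9" for i in range(3)]
    return lines


if __name__ == "__main__":
    for alert in (detect_kerberoasting(SAMPLE_EVENTS) + detect_vpn_bruteforce(sample_vpn_lines())
                  + detect_log_clear(SAMPLE_EVENTS)):
        print(alert)
```

All three detectors key on the same normalised timestamp, which is why the diary's last recommendation (one NTP source for firewall and hosts alike) is a precondition for the join, not a nicety: a skewed firewall clock moves the VPN burst into the wrong hour bucket and breaks the correlation to the first 4624 on the jump host.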

ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

SANS ISC handler Brad Duncan documented a delivery chain that impersonates Anthropic's Claude desktop app via counterfeit "Download for Windows" pages, promoted through malicious search ads hosted on sites.google.com, ultimately dropping ACR Stealer (SANS Internet Storm Center, 2026-05-26). Clicking the download button delivers a corrupted ZIP archive containing obfuscated PowerShell; the infection chain also involves a JPEG image whose precise role the SANS ISC analyst could not characterise (no embedded data was identified in it), and ends in execution of the commodity infostealer ACR Stealer, which harvests credentials and browser data (T1566.002, T1059.001). [SINGLE-SOURCE] — reported by SANS ISC only at time of writing.

Why it matters to us: this is the demand-side mirror of the TrapDoor item above — attackers monetising trust in AI tooling, here against ordinary employees searching for an AI client rather than developers. Add Anthropic/Claude and other AI-brand impersonation to brand-abuse and malvertising monitoring; hunt for powershell.exe spawned from browser-download or archive-extraction paths (Sysmon EID 1 / Windows 4688, especially with -nop/-w hidden/-enc), PowerShell reading image files as code, and outbound connections from powershell.exe to newly-registered domains.
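The endpoint concepts from the SmartApeSG / NetSupport item above (browser parent spawning a script host, .vbs/.bat creates in the ProgramData root, CAB expansion from ProgramData, a Run key pointing into ProgramData) and the powershell.exe hunt from this ACR Stealer item fit one rule set over Sysmon events. The Python below is an added example, not code from SANS ISC or the brief: the event dicts use Sysmon field names (Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details), the sample events are constructed, the NetSupport binary name in the Run-key sample is a labelled placeholder because the diary does not give it, and the "download or extraction path" test for powershell.exe (a Downloads or Temp directory in the command line) is an assumption about how that hunt would be operationalised.

```python
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
CAB_EXPANDERS = {"expand.exe", "wusa.exe"}
# -nop, -w hidden / -windowstyle hidden, -e / -enc / -encodedcommand
PS_SUSPECT_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:nop\b|w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\b)")
USER_DROP_DIRS = re.compile(r"(?i)\\(?:downloads|temp|tmp)\\")   # assumption: download/extraction paths
PROGRAMDATA_SCRIPT = re.compile(r"(?i)c:\\programdata\\[^\\]+\.(?:vbs|bat)")


def _base(path):
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Apply the detection concepts to one Sysmon-style event dict; returns the rule names that fire."""
    hits = []
    eid = event["event_id"]
    if eid == 1:  # process create
        img = _base(event.get("Image"))
        parent = _base(event.get("ParentImage"))
        cmd = event.get("CommandLine", "")
        if parent in BROWSERS and img in SCRIPT_HOSTS:
            hits.append("browser-spawns-script-host")           # ClickFix / Win+R lure execution
        if (img == "powershell.exe" and PS_SUSPECT_FLAGS.search(cmd)
                and (parent in BROWSERS or USER_DROP_DIRS.search(cmd))):
            hits.append("hidden-encoded-powershell-from-download")  # ACR Stealer delivery chain
        if img in CAB_EXPANDERS and "\\programdata\\" in cmd.lower():
            hits.append("cab-expansion-in-programdata")
    elif eid == 11:  # file create
        if PROGRAMDATA_SCRIPT.fullmatch(event.get("TargetFilename", "")):
            hits.append("script-dropped-in-programdata-root")
    elif eid == 13:  # registry value set
        key = event.get("TargetObject", "").lower()
        value = event.get("Details", "").lower()
        if "\\currentversion\\run\\" in key and "c:\\programdata\\" in value:
            hits.append("run-key-into-programdata")    # legitimate NetSupport installs under Program Files
    return hits


def run(events):
    """Evaluate a batch; returns [(event index, rule name)] so hits can be joined back to evidence."""
    return [(i, rule) for i, e in enumerate(events) for rule in evaluate(e)]


# Constructed events reproducing the two chains, followed by two benign controls.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'wscript.exe "C:\ProgramData\processor.vbs"'},
    {"event_id": 11, "TargetFilename": r"C:\ProgramData\token.bat"},
    {"event_id": 1, "Image": r"C:\Windows\System32\expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"expand.exe -F:* C:\ProgramData\setup.cab C:\ProgramData\UpdateInstaller"},
    {"event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-CONSTRUCTED\Software\Microsoft\Windows\CurrentVersion\Run\UpdateInstaller",
     "Details": r"C:\ProgramData\UpdateInstaller\netsupport-client-PLACEHOLDER.exe"},  # binary name not in the diary
    {"event_id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUJDRA=="},   # constructed, encodes "ABCD"
    {"event_id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"event_id": 13, "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for index, rule in run(SAMPLE_EVENTS):
        print(index, rule)
```

The rules are deliberately path- and parent-based rather than hash-based, which is what both diaries recommend: the dropper components self-delete and the NetSupport binary is legitimate, so the durable signal is where things run from and what launched them.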

UPDATE: TeamPCP / Mini Shai-Hulud — framework open-sourced, Microsoft PyPI SDK trojanised with a wiper stage, forged Sigstore badges

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

UPDATE (originally covered 2026-05-21, consolidated weekly update): SANS ISC handler Kenneth Hartman documents three material escalations in the TeamPCP / Mini Shai-Hulud supply-chain campaign through 2026-05-24 (SANS Internet Storm Center, 2026-05-25). First, the complete TeamPCP framework was published to a public GitHub repository on/around 2026-05-22 — Datadog Security Labs' static analysis (reported by ISC) describes a modular TypeScript/Bun toolkit for credential harvesting, supply-chain poisoning and encrypted exfiltration whose README carries the strings "Love - TeamPCP" and "Change keys and C2 as needed" — and operational copycat forks appeared within hours, commoditising the kit and injecting attribution noise.

Second, an @antv npm wave pushed 639 malicious versions across 323 packages, including high-traffic libraries such as echarts-for-react (~1.1M weekly downloads) and size-sensor (~4.2M weekly downloads); 42 of the packages displayed forged Sigstore verification badges in the npm UI (The Hacker News, 2026-05-19). Read against the campaign's earlier abuse of genuine SLSA Build Level 3 attestations produced by hijacked pipelines, package provenance is now under attack from both directions at once — real attestations from compromised CI and fake badges rendered by the registry UI. Third, three versions of durabletask (1.4.1–1.4.3) on PyPI — Microsoft's official Azure Durable Functions SDK — were trojanised, and ISC reports the second-stage payload includes a Linux disk wiper (T1485), expanding the campaign's capability from credential theft to data destruction.

Defender takeaway: treat any echarts-for-react / size-sensor build pulled in the affected window as compromised; stop treating an npm Sigstore badge or a displayed SLSA attestation as an install-time safety signal — verify provenance out-of-band against a known-good pipeline. durabletask consumers should audit build-runner logs for unexpected outbound connections and destructive disk operations (Sysmon EID 11 for anomalous file-deletion patterns, EID 3 for unexpected node/python egress from CI workers). Pin exact versions and verify lockfile hashes. The open-sourcing means PBKDF2-salt and dead-drop-string lineage will now also fire on unrelated copycats — behavioural detection on the install-time execution chain is more durable than any static artefact.

UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by the account deadcode09284814: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojanised.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with the Checkmarx plugin installed should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).
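Two of the takeaways above can be done from package-lock.json alone: verifying lockfile hashes against the artefact actually fetched rather than trusting a registry badge or displayed attestation (TeamPCP update of 2026-05-26), and having SBOM or npm audit scans flag the deadcode09284814 scope and the packages named in this item. The Python auditor below is an added example, not code from SANS ISC, OX Security or any of the named projects: the deny and review lists are taken from the briefs' text, the lockfile and tarball bytes are constructed, and the version numbers in the sample are made up, since the briefs do not list which versions of echarts-for-react and size-sensor were affected.

```python
import base64
import hashlib
import json

# From the briefs: packages stated to be malicious (deny outright) and high-traffic libraries
# stated to have had malicious versions in an unspecified window (hold for review).
DENY_NAMES = {"chalk-tempalte", "axois-utils", "color-style-utils"}
DENY_SCOPES = {"@deadcode09284814"}
REVIEW_NAMES = {"echarts-for-react", "size-sensor"}


def sri_sha512(data):
    """The Subresource Integrity string npm records in package-lock.json for a tarball."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def audit_lockfile(lock_json, fetched_tarballs):
    """Audit a lockfileVersion 2/3 'packages' map.
    fetched_tarballs maps a node_modules path to the bytes of the tarball actually downloaded for
    it, so the lock's integrity value is checked against the artefact instead of being trusted.
    Returns [(path, reason)]; an empty list means the lockfile passed."""
    findings = []
    for path, entry in json.loads(lock_json).get("packages", {}).items():
        if path == "":                      # the root project entry
            continue
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        version = entry.get("version", "?")
        if name in DENY_NAMES or scope in DENY_SCOPES:
            findings.append((path, f"denied: {name}@{version} is a known-malicious package or scope"))
        elif name in REVIEW_NAMES:
            findings.append((path, f"review: {name}@{version} is named in a compromise window"))
        integrity = entry.get("integrity")
        if not integrity:
            findings.append((path, "no integrity field; tarball cannot be verified"))
        elif not integrity.startswith("sha512-"):
            findings.append((path, f"weak integrity algorithm {integrity.split('-', 1)[0]}"))
        elif path in fetched_tarballs:
            if sri_sha512(fetched_tarballs[path]) != integrity:
                findings.append((path, "integrity mismatch between lockfile and fetched tarball"))
    return findings


# Constructed stand-ins for .tgz contents; the second is a tampered copy of the first.
GOOD_TARBALL = b"constructed tarball bytes for left-pad"
TAMPERED_TARBALL = b"constructed tarball bytes for left-pad, modified"

# Constructed lockfile; every version number here is made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": sri_sha512(GOOD_TARBALL)},
        "node_modules/@deadcode09284814/axios-util": {"version": "1.0.0", "integrity": sri_sha512(b"x")},
        "node_modules/echarts-for-react": {"version": "0.0.0", "integrity": sri_sha512(b"y")},
        "node_modules/legacy-lib": {"version": "0.1.0",
                                    "integrity": "sha1-" + base64.b64encode(hashlib.sha1(b"z").digest()).decode()},
        "node_modules/no-hash": {"version": "0.0.1"},
    },
})

if __name__ == "__main__":
    for path, reason in audit_lockfile(SAMPLE_LOCK, {"node_modules/left-pad": TAMPERED_TARBALL}):
        print(f"{path}: {reason}")
```

Run this in CI against the tarballs the install step actually downloaded (npm keeps them in its cache), not against the registry's metadata: the point of the takeaway is that the registry UI, its badges and its attestations are exactly the layer under attack, so the hash comparison has to be done locally against bytes that are about to be executed.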