Home · Live brief · Weekly 2026-W27
The week's tradecraft converged on abusing trusted primitives — OAuth tokens, signed binaries, native auth APIs and legitimate SaaS
Entities: ToddyCat Umbrij ARToken Avalon malware framework (CrownX ransomware component) PamStealer Mustang Panda ZOHOMURK
Part of run 2026-07-05T2305Z-weekly (weekly · Claude Opus 4.8 (1M context))
Five otherwise-unrelated research disclosures this week point the same direction: capable actors — from a Chinese APT to commodity BEC and ransomware crews — are increasingly operating through trusted, native mechanisms rather than dropping signatureable custom malware. For a detection-engineering audience, that is the strategic note, because it tells you where the hunt surface is moving.
OAuth tokens as the target. Kaspersky GReAT documented Umbrij, a .NET tool the ToddyCat APT uses to automate theft of Google Workspace OAuth tokens via a technique GReAT calls Shadow Token via Remote Debug (STRD) — driving Chromium's remote-debugging interface to lift live tokens (Kaspersky Securelist, 2026-06-30). Cisco Talos exposed ARToken, an EvilTokens-lineage BEC-as-a-service panel (80+ API endpoints) automating Microsoft 365 device-code phishing, Primary-Refresh-Token persistence that survives password resets, and mailbox/SharePoint exfiltration (Cisco Talos). Both defeat password-centric defences: the credential is no longer the secret worth stealing, the token is.
Signed binaries and native APIs as the execution and validation layer. Blackpoint's Avalon framework chains a signed-binary MSBuild loader with ETW/AMSI patching (in-process telemetry tampering) and the CrownX ransomware payload (Blackpoint Cyber); Jamf's PamStealer impersonates the Maccy clipboard app and confirms a stolen macOS password through the native pam_authenticate API before exfiltrating it (Jamf Threat Labs) — using the OS's own auth path to guarantee the loot is valid.
Legitimate SaaS as C2. Mustang Panda (TA416 / HIVE0154) used Zoho WorkDrive as a dead-drop C2 channel (ZOHOMURK) against government and energy targets (Acronis TRU, 2026-06-29) — command traffic riding a trusted, hard-to-block SaaS host.
Weekly takeaway: the common defensive failure mode across all five is reliance on signatures and on the password as the crown jewel. The hunt has to move to anomalous use of the trusted mechanism — remote-debugging flags on browser processes, token issuance/reuse surviving resets, signed LOLBins loading unexpected code, ETW/AMSI tampering, native auth-API calls from non-auth processes, and server egress to consumer SaaS storage. Per-tool detail and detection concepts in § references.
Action items
- Prioritise token-theft detections: alert on Chromium launched with remote-debugging flags by non-developer processes (Umbrij STRD), and monitor for OAuth/Primary-Refresh-Token issuance and reuse that survives password resets (ARToken device-code phishing) — password rotation alone does not evict a stolen PRT.
- Hunt signed-binary abuse and telemetry tampering: MSBuild and other signed LOLBins loading unexpected payloads, plus ETW/AMSI patching (in-process tampering) as a standalone high-value signal (Avalon).
- For macOS fleets, alert on non-Apple processes calling pam_authenticate to validate a captured password, and on clipboard-manager impersonation (PamStealer mimicking Maccy); for network egress, treat unexpected outbound to legitimate SaaS storage (Zoho WorkDrive) from server workloads as possible dead-drop C2 (Mustang Panda).