ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
TL;DR: This week’s bulletin highlights critical pre-auth RCE chains in Progress ShareFile, a massive Android rootkit campaign ("NoVoice") infecting 2.3 million devices, and sophisticated methods for bypassing AWS CloudTrail logging. Researchers also warn of a 14x spike in open-source malware and a persistent surge in GhostSocks proxy activity.
The digital landscape is shifting from loud, singular exploits to quiet, sophisticated "chains." The latest security intelligence shows researchers and threat actors alike are combining minor bugs to create massive backdoors, while new techniques allow attackers to bypass security logs entirely without leaving a trace. From supply chain poisoning to mobile rootkits, here is the breakdown of the most pressing threats currently facing the industry.
1. Remote Code Execution: The Progress ShareFile Chain
Researchers at watchTowr Labs have disclosed two vulnerabilities in Progress ShareFile (CVE-2026-2699 and CVE-2026-2701) that, when chained, allow pre-authenticated remote code execution (RCE).
The chain works by using an authentication bypass on the /ConfigService/Admin.aspx endpoint to gain the access necessary to upload malicious web shells. With approximately 30,000 internet-facing instances, patching to Storage Zone Controller 5.12.4 (released March 10, 2026) is considered critical.
2. Operation "NoVoice": Android Rootkit Targets 2.3M Users
A new malware campaign dubbed NoVoice has infiltrated over 50 apps on the Google Play Store, accumulating at least 2.3 million downloads. Masquerading as games and system utilities, the malware exploits 22 older Android vulnerabilities (patched between 2016 and 2021) to gain root access.
Once root is achieved, the malware:
- Disables SELinux.
- Injects code into every app the user opens.
- Exfiltrates data from sensitive apps like WhatsApp.
- Avoids detection by checking for VPNs, debuggers, and specific geographic regions (e.g., Beijing and Shenzhen).
3. Cloud Security: Bypassing AWS CloudTrail
Attackers are moving beyond obvious "StopLogging" commands to more subtle API calls that create "invisible activity zones." By chaining APIs like PutEventSelectors and StopEventDataStoreIngestion, adversaries can halt forensic visibility without triggering traditional alarms. These maneuvers look like routine maintenance but effectively blind security teams during an active breach.
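The evasion pattern described above is detectable because the tampering calls themselves are logged before visibility is lost. The following triage script is an added example, not part of the bulletin or any vendor tool: it scans CloudTrail records for the stop/delete calls and for PutEventSelectors calls whose new selectors narrow coverage. The sample records are constructed to mirror the CloudTrail record schema (eventSource, eventName, camelCase requestParameters), and the set of watched API names is this example's own choice.

```python
"""Flag CloudTrail-tampering API calls in a batch of CloudTrail records.

Added example (not from the bulletin). Record shape follows the CloudTrail
log schema as assumed here: eventSource, eventName, requestParameters.
"""

# API calls that stop or remove logging outright (example's own watch list).
STOP_EVENTS = {
    "StopLogging", "DeleteTrail",
    "StopEventDataStoreIngestion", "DeleteEventDataStore",
}


def selector_weakens_logging(selectors):
    """True if any event selector drops management events or write events."""
    for sel in selectors or []:
        if not sel.get("includeManagementEvents", True):
            return True          # management-plane calls no longer recorded
        if sel.get("readWriteType", "All") != "All":
            return True          # e.g. ReadOnly: write (mutating) calls hidden
    return False


def triage_cloudtrail_records(records):
    """Return (eventName, reason) for each record that blinds or narrows CloudTrail."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        if name in STOP_EVENTS:
            findings.append((name, "logging stopped or deleted"))
        elif name == "PutEventSelectors" and selector_weakens_logging(
                params.get("eventSelectors")):
            findings.append((name, "event selectors narrowed"))
    return findings


# Constructed sample records: one benign read, one selector downgrade,
# one Lake ingestion stop, one unrelated EC2 call.
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "requestParameters": {}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "requestParameters": {"trailName": "org-trail", "eventSelectors": [
         {"readWriteType": "ReadOnly", "includeManagementEvents": True}]}},
    {"eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopEventDataStoreIngestion",
     "requestParameters": {"eventDataStore": "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
     "requestParameters": {}},
]

if __name__ == "__main__":
    for event, reason in triage_cloudtrail_records(SAMPLE_RECORDS):
        print(f"ALERT {event}: {reason}")
```

A benign PutEventSelectors that keeps readWriteType All and management events enabled produces no finding, so the rule alerts on the downgrade rather than on every selector change.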
4. The Open-Source Supply Chain Crisis
The "mess" in the open-source supply chain is accelerating. Malware advisories in open-source ecosystems have increased 13.6x since early 2024, and npm account takeovers (ATOs) specifically saw a 12x year-over-year increase in 2025. Threat actors are targeting packages with high download counts, some exceeding 100,000 monthly, to maximize the "blast radius" within automated CI/CD pipelines.
5. Mobile Phishing and Malware Evolution
- Targeting Enterprise Users: New phishing campaigns are using Firebase App Distribution to deliver malicious "beta" versions of ChatGPT and Meta advertising tools to steal Facebook credentials.
- XLoader 8.7: The persistent information stealer has evolved with improved code obfuscation and multiple encryption layers to evade automated analysis.
- LofyGang: This threat actor has returned with a fake npm package (undicy-http) that delivers a dual-payload RAT capable of live screen streaming and credential stealing from over 90 crypto wallet extensions.
6. Emerging Threats and Global Updates
- GhostSocks Activity: Darktrace reports a surge in GhostSocks proxy activity, often partnered with Lumma Stealer, turning compromised devices into residential proxies.
- FBI Warning: The FBI has issued a warning regarding foreign-developed apps (specifically those from China) due to risks of data harvesting under national security laws.
- ImageMagick Zero-Days: Multiple unpatched zero-days in ImageMagick can be chained to achieve RCE via a simple image or PDF upload. Mitigation requires isolating PDF processing in a sandbox.
- Government Action: The U.S. State Department has launched the Bureau of Emerging Threats to counter cyber attacks and AI misuse from nation-state actors.
7. Operational Updates: Google Workspace
Google has officially rolled out two major features:
- Gmail Username Changes: Users in the U.S. can now change their email addresses, with the old address becoming an alias.
- Drive Ransomware Defense: Generally available ransomware detection now pauses syncing and allows for bulk file restoration, utilizing AI models that claim to detect 14x more infections than previous versions.
Conclusion
As the bulletin notes, these threats shouldn't be viewed as a list of isolated incidents, but as a pattern. Attackers are increasingly finding the "gap" between intended system behavior and malicious misuse. Staying safe in 2026 requires moving beyond looking for "the big hit" and instead monitoring the subtle, chained actions that signal a modern compromise.