TRENDING TOPICS DEC 29, 2025

Tracing the Mycelial Mage Credential Theft Operation and Its Evolving Exfiltration Infrastructure

Researchers found a credential theft operation, tracked here as Mycelial Mage, through sustained observation of phishing kit deployments beginning in early 2025. The activity centers on phishing pages designed to impersonate Microsoft Outlook login workflows and is distinguished by a recurring mushroom-emoji marker embedded in client-side JavaScript and in the formatting of exfiltrated data. This consistent signature enabled analysts to pivot across multiple deployments and identify a shared operational framework over time. Collected artifacts and telemetry show deliberate linguistic and contextual targeting of Spanish-speaking users, indicating intentional victim selection rather than generic mass phishing. The operation captures email credentials and systematically enriches them with IP addresses and geolocation data obtained from public services, demonstrating a structured, repeatable data theft pipeline. Further analysis shows that the operation has evolved its command-and-control mechanisms while preserving a stable core architecture. Early variants relied on Telegram bots with modular configuration files to support rapid credential rotation, while later iterations introduced layered anti-analysis controls to obstruct static inspection and live debugging. More recent deployments replaced Telegram with Discord webhooks, reducing post-compromise visibility by shifting exfiltration to effectively write-only channels. Despite these tactical changes, the underlying logic for input validation, victim enrichment, and payload construction remains consistent across samples, supporting assessment of a single code lineage distributed as a service. Infrastructure analysis reveals disposable phishing domains paired with selectively reused exfiltration endpoints, a pattern consistent with phishing-as-a-service ecosystems that emphasize operational resilience and scalability over long-lived infrastructure.
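The write-up gives defenders two stable hooks: the mushroom-emoji marker in the kit's client-side JavaScript and the exfiltration endpoints (Telegram bot API calls in early variants, Discord webhooks later). The following triage script is an added example written for this newsletter, not code from the researchers or from the kit; it scans captured page source for those hooks plus a password field and returns a crude score. The sample pages, the webhook ID and the token are constructed placeholders, and the regular expressions and the score thresholds are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# The mushroom emoji (U+1F344) that the write-up reports as a recurring
# marker in the kit's client-side JavaScript.
MUSHROOM_MARKER = "\U0001F344"

# Exfiltration endpoint shapes the write-up describes: Telegram bot API
# calls in early variants, Discord webhooks in later ones.  Only the
# numeric bot/webhook ID is kept; the secret part is never stored.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)")
DISCORD_WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
# Any credential-capture page needs a password input.
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type=[\"']?password", re.IGNORECASE)


@dataclass(frozen=True)
class Findings:
    mushroom_marker: bool
    telegram_bots: tuple      # Telegram bot IDs found (token omitted)
    discord_webhooks: tuple   # Discord webhook IDs found (token omitted)
    password_field: bool

    @property
    def score(self) -> int:
        """Triage score (assumed weights): marker + an exfil channel is the kit signature."""
        s = 0
        if self.mushroom_marker:
            s += 2
        if self.telegram_bots or self.discord_webhooks:
            s += 2
        if self.password_field:
            s += 1
        return s


def scan_page(source: str) -> Findings:
    """Extract the kit indicators from raw page source (HTML plus inline JS)."""
    return Findings(
        mushroom_marker=MUSHROOM_MARKER in source,
        telegram_bots=tuple(m.group(1) for m in TELEGRAM_BOT_RE.finditer(source)),
        discord_webhooks=tuple(m.group(1) for m in DISCORD_WEBHOOK_RE.finditer(source)),
        password_field=bool(PASSWORD_FIELD_RE.search(source)),
    )


def is_kit_like(source: str, threshold: int = 4) -> bool:
    """True when the page carries the marker together with an exfil channel (assumed threshold)."""
    return scan_page(source).score >= threshold


# Constructed samples (not real kit code): a lookalike page carrying the
# marker and a Discord webhook reference, and a benign page with an
# ordinary login form.
KIT_LIKE_PAGE = """<form><input type="password" name="passwd"></form>
<script>
// 🍄 Outlook
var hook = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_PLACEHOLDER_TOKEN";
var prefix = "🍄 ";
</script>"""

BENIGN_PAGE = """<form action="/login"><input type="password" name="pw"></form>
<script>document.title = "Sign in";</script>"""


if __name__ == "__main__":
    for name, page in (("kit-like", KIT_LIKE_PAGE), ("benign", BENIGN_PAGE)):
        f = scan_page(page)
        print(f"{name}: score={f.score} marker={f.mushroom_marker} "
              f"discord={f.discord_webhooks} telegram={f.telegram_bots}")
```

Feed it page source captured by a URL sandbox or a mail-gateway link crawler; a hit on the marker alone is weak, but marker plus a bot or webhook reference is the combination the write-up describes, and the extracted webhook or bot IDs are what you would pass to the platform's abuse contact.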

Evasive Panda Poisons DNS Infrastructure to Stealthily Deliver MgBot

Kaspersky researchers found that the China-linked Evasive Panda advanced persistent threat has conducted a long-running, highly targeted campaign abusing adversary-in-the-middle techniques and DNS poisoning to deliver its long-standing MgBot implant. The operation relies on trojanized software updates for trusted applications, including SohuVA, iQIYI Video, Tencent QQ, and IObit Smart Defrag to establish an initial foothold. In several cases, telemetry suggests attackers manipulated DNS resolution for legitimate domains, redirecting update requests to attacker-controlled infrastructure that served encrypted payloads disguised as benign resources. This approach allows the campaign to blend malicious traffic into normal application behavior while selectively targeting victims in Türkiye, China, and India, with some compromises persisting undetected for more than a year. Once execution was achieved, the intrusion chain unfolded through multiple carefully engineered stages designed to evade detection and frustrate analysis. Custom loaders decrypted and executed shellcode entirely in memory, resolved Windows APIs via hashing, and fetched victim-specific payloads using poisoned DNS responses that varied by geography and ISP. A secondary loader abused DLL sideloading with a signed, legacy Python executable to inject MgBot into legitimate processes such as svchost[.]exe, while a hybrid encryption scheme combining DPAPI and RC5 ensured that key components could be decrypted only on the original victim system. Configuration data revealed multiple hardcoded command-and-control servers, indicating a resilience strategy designed to maintain long-term access. Researchers assess with high confidence that these techniques align with Evasive Panda’s established tradecraft, underscoring the group’s continued investment in stealthy delivery mechanisms, adaptive payloads, and durable persistence across targeted environments. 
Organizations should enforce DNS integrity controls and resolver logging, validate all software updates through strict code-signing and allowlisting, monitor DLL sideloading and in-memory execution tied to trusted binaries, and proactively hunt for legacy implants such as MgBot that may be reintroduced through newly developed loaders.
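The resolver-logging recommendation above only pays off if someone reads the logs, and the report's two observations point at what to read for: update hostnames resolving to addresses outside the vendor's known ranges, and the same hostname resolving differently for different client networks (the geography- and ISP-dependent poisoning Kaspersky describes). The script below is an added example for this newsletter, not Kaspersky's tooling; the hostnames, the baseline prefixes and the log lines are constructed (TEST-NET ranges, not any real vendor's CDN), and the single-line log format is an assumption you would replace with your resolver's own.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: the address ranges we expect for each monitored
# update hostname.  Hypothetical names and documentation prefixes only.
BASELINE = {
    "update.example-vendor.test": ["203.0.113.0/24"],
    "dl.example-vendor.test": ["198.51.100.0/24", "203.0.113.0/24"],
}

# Constructed resolver log, assumed format: "<ts> <client_ip> <qname> <rtype> <answer>".
SAMPLE_LOG = [
    "2025-12-29T10:00:01Z 10.10.0.15 update.example-vendor.test A 203.0.113.5",
    "2025-12-29T10:00:02Z 10.10.0.22 dl.example-vendor.test A 198.51.100.9",
    "2025-12-29T10:00:03Z 10.20.0.8 update.example-vendor.test A 192.0.2.77",
    "2025-12-29T10:00:04Z 10.20.0.9 update.example-vendor.test A 192.0.2.77",
    "2025-12-29T10:00:05Z 10.10.0.30 www.unrelated.test A 192.0.2.10",
]


def parse_log_line(line):
    """Return a record dict for an A-record answer line, or None for anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "A":
        return None
    ts, client, qname, _, answer = parts
    return {"ts": ts, "client": client, "qname": qname.lower(), "answer": answer}


def check_resolver_log(lines, baseline=BASELINE, client_prefix=24):
    """Flag off-baseline answers and per-subnet divergence for monitored hostnames."""
    nets = {name: [ipaddress.ip_network(n) for n in ranges] for name, ranges in baseline.items()}
    # qname -> client subnet -> set of answers seen from that subnet
    seen = defaultdict(lambda: defaultdict(set))
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["qname"] not in nets:
            continue
        answer = ipaddress.ip_address(rec["answer"])
        subnet = ipaddress.ip_network(f"{rec['client']}/{client_prefix}", strict=False)
        seen[rec["qname"]][subnet].add(rec["answer"])
        # Check 1: answer outside every documented range for this hostname.
        if not any(answer in n for n in nets[rec["qname"]]):
            findings.append({"kind": "off_baseline", "qname": rec["qname"],
                             "client": rec["client"], "answer": rec["answer"], "ts": rec["ts"]})
    # Check 2: the same hostname answered differently to different client subnets.
    for qname, by_subnet in seen.items():
        if len({frozenset(a) for a in by_subnet.values()}) > 1:
            findings.append({"kind": "divergent_by_subnet", "qname": qname,
                             "subnets": sorted(str(s) for s in by_subnet)})
    return findings


if __name__ == "__main__":
    for f in check_resolver_log(SAMPLE_LOG):
        print(f)
```

Build the baseline from your own resolver's history over a quiet period rather than from guesswork, because CDN-fronted update hosts legitimately return different addresses in different regions; the point of the divergence check is to surface a split between client networks that your own baseline does not explain, so that the update request path can be examined before the next binary is trusted.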

Update: Exploited MongoBleed Vulnerability Enables Unauthenticated Memory Disclosure at Scale

Researchers at Ox report active exploitation of a critical MongoDB vulnerability, known as MongoBleed CVE-2025-14847, that allows unauthenticated attackers to remotely extract sensitive data directly from server memory. The flaw exists in how affected MongoDB versions handle zlib-compressed network messages, causing the server to return portions of allocated memory rather than the actual decompressed payload length. By sending specially crafted packets before authentication occurs, attackers can leak credentials, cloud and API keys, session tokens, configuration data, and other in-memory secrets without valid access. Public proof-of-concept exploit code is available, significantly lowering the barrier to exploitation and accelerating its adoption by attackers. Because the leakage occurs at the transport layer, exploitation can be difficult to detect and may leave few traditional forensic artifacts. Internet-wide scanning indicates substantial exposure: more than 87,000 potentially vulnerable MongoDB instances are accessible online, with a large concentration in the United States, China, and Europe. Security vendors have confirmed exploitation in the wild, and cloud telemetry suggests that a significant portion of environments run at least one vulnerable MongoDB version. MongoDB has released patches across supported versions and classified the issue as a critical fix, warning that no workaround exists beyond upgrading or disabling zlib compression. Given the unauthenticated nature of the flaw and the risk of silent credential leakage, organizations should assume potential compromise where exposure existed, prioritize patching and network isolation, rotate secrets, and review logs for anomalous high-volume connections consistent with memory-leak exploitation. Even environments that were not publicly exposed may be at risk if attackers can reach MongoDB through lateral movement or misconfigured internal networks.
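Two of the actions above can be scripted across a fleet: confirming whether a mongod instance still negotiates zlib (the only configuration-level mitigation the vendor names, and no substitute for the patch) and how widely it is bound, and reviewing its log for the high-volume connection pattern the report describes. The script below is an added example for this newsletter, not MongoDB's or Ox's tooling. The configuration keys it reads (net.compression.compressors, net.bindIp) are real; the two configuration fragments, the log lines (shaped after mongod's JSON "Connection accepted" event, with made-up values) and the connection threshold are constructed, and treating an absent compressors key as "zlib enabled" is a deliberately conservative assumption rather than a statement about any version's default.

```python
import json
import re
from collections import Counter

# Real mongod config keys this check reads:
#   net.compression.compressors  comma-separated list, e.g. "snappy,zstd,zlib"
#   net.bindIp                   comma-separated listening addresses
COMPRESSORS_RE = re.compile(r"^\s*compressors:\s*(\S+)", re.MULTILINE)
BIND_IP_RE = re.compile(r"^\s*bindIp:\s*(\S+)", re.MULTILINE)
LOCAL_ONLY = {"127.0.0.1", "localhost", "::1"}


def assess_config(config_text: str) -> dict:
    """Report whether zlib is negotiable and whether the listener is reachable beyond localhost."""
    m = COMPRESSORS_RE.search(config_text)
    # Conservative assumption: if the key is absent we cannot prove zlib is off,
    # so treat it as enabled until the running build's default is confirmed.
    compressors = [c.strip().lower() for c in m.group(1).split(",")] if m else None
    zlib_enabled = True if compressors is None else "zlib" in compressors
    b = BIND_IP_RE.search(config_text)
    bind = [x.strip() for x in b.group(1).split(",")] if b else ["127.0.0.1"]  # assumed default
    exposed = any(addr not in LOCAL_ONLY for addr in bind)
    return {"compressors": compressors, "zlib_enabled": zlib_enabled,
            "bind_ip": bind, "exposed_beyond_localhost": exposed}


def count_connections(log_lines) -> Counter:
    """Count accepted connections per remote IP from mongod JSON log lines."""
    counts = Counter()
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("c") == "NETWORK" and rec.get("msg") == "Connection accepted":
            remote = rec.get("attr", {}).get("remote", "")
            ip = remote.rsplit(":", 1)[0]
            if ip:
                counts[ip] += 1
    return counts


def noisy_sources(log_lines, threshold: int = 50) -> dict:
    """Remote IPs whose accepted-connection count meets the (assumed) threshold."""
    return {ip: n for ip, n in count_connections(log_lines).items() if n >= threshold}


# Constructed config fragments: the weak setting beside the corrected one.
WEAK_CONFIG = """net:
  port: 27017
  bindIp: 0.0.0.0
  compression:
    compressors: snappy,zstd,zlib
"""
HARDENED_CONFIG = """net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd
"""


def _constructed_conn_line(ts: str, remote: str, conn_id: int) -> str:
    # Shaped after mongod's JSON "Connection accepted" event; all values are made up.
    return json.dumps({"t": {"$date": ts}, "s": "I", "c": "NETWORK", "ctx": "listener",
                       "msg": "Connection accepted",
                       "attr": {"remote": remote, "connectionId": conn_id}})


# Constructed log: one source opening 60 connections in a minute, one opening 3.
SAMPLE_LOG = (
    [_constructed_conn_line(f"2025-12-29T10:00:{i % 60:02d}.000Z", f"198.51.100.20:{40000 + i}", i)
     for i in range(60)]
    + [_constructed_conn_line("2025-12-29T10:01:00.000Z", f"10.0.0.5:{50000 + i}", 100 + i)
       for i in range(3)]
)


if __name__ == "__main__":
    print("weak:", assess_config(WEAK_CONFIG))
    print("hardened:", assess_config(HARDENED_CONFIG))
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Pick the connection threshold from your own baseline per client; a driver with a connection pool will reconnect far less often than a scanner that opens a fresh socket per probe, and an unfamiliar source reaching the listener at all is the finding when the instance was supposed to be internal-only.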

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.