Microsoft 365 Copilot Attack Enables Data Exfiltration via Malicious Mermaid Diagrams
A newly discovered attack in Microsoft 365 Copilot enabled attackers to exploit the AI assistant’s integration with Mermaid diagrams to exfiltrate sensitive tenant data. The flaw leveraged an indirect prompt injection hidden inside a crafted Microsoft Office document that instructed Copilot to use its internal tools to fetch corporate emails, hex-encode the output, and embed it in a fake “Login” button rendered as a Mermaid diagram. The attacker’s CSS-styled diagram linked to an external server, with the encoded data appended to the URL. When users clicked the fake login button, the data was transmitted directly to the adversary’s server logs, where it could be decoded to reveal confidential information. This attack combined subtle prompt manipulation, tool exploitation, and social engineering to achieve silent data exfiltration through trusted Microsoft infrastructure. The proof of concept was built upon prior work by Johann Rehberger, who demonstrated similar diagram-based exfiltration in Cursor IDE. Logue’s approach refined the concept by adding nested instructions and task drift techniques within an Excel file—making Copilot appear to act normally while performing hidden operations. Microsoft confirmed that the vulnerability stemmed from Copilot’s ability to render interactive Mermaid diagrams with clickable hyperlinks, which allowed encoded data to leave the environment through legitimate-looking requests. Following coordinated disclosure, Microsoft patched the issue by removing dynamic hyperlink support from Mermaid renderings and tightening content sanitization for AI-generated outputs. Security teams are urged to update Copilot integrations, restrict document summarization for untrusted sources, and apply network-level monitoring for unexpected outbound traffic from AI-powered workflows to mitigate similar prompt-driven exfiltration attacks in the future.
ChaosBot: Rust-Based Malware Hides Command-and-Control Inside Discord
A new strain of Rust-based malware dubbed ChaosBot is leveraging the Discord platform for command-and-control (C2) communication, blending malicious traffic with legitimate activity to evade detection. The malware connects directly to the Discord API, creating private channels named after compromised devices to execute commands and exfiltrate data. Attackers can issue instructions, including shell, download, or screenshot, directly through Discord messages, receiving the results as file attachments. ChaosBot employs multiple evasion techniques, including patching Windows Event Tracing (ETW) functions and checking for virtual machine indicators to avoid analysis. These stealth measures make ChaosBot particularly dangerous, allowing it to operate invisibly within trusted network traffic while maintaining persistent control over infected hosts. Initial access stems from compromised CiscoVPN credentials and over-privileged Active Directory accounts, enabling remote execution via Windows Management Instrumentation (WMI). The malware is typically deployed through DLL side-loading under the name msedge_elf.dll or distributed via phishing lures disguised as correspondence from the State Bank of Vietnam, containing malicious Windows shortcut files. Once executed, ChaosBot establishes persistence, downloads secondary payloads, and uses legitimate tools, including reverse proxy (frp) and Visual Studio Code Tunnel for additional backdoor channels. Organizations are urged to implement multi-factor authentication for privileged accounts, monitor outbound connections to Discord API endpoints, and restrict execution of payloads from public directories. Comprehensive phishing awareness and EDR solutions capable of detecting ETW patching are critical to countering this evolving threat that weaponizes legitimate communication platforms for covert operations.
Vidar Stealer 2.0 Emerges With Faster Data Theft and Advanced Evasion Techniques
The threat landscape has intensified with the release of Vidar Stealer 2.0, a complete overhaul of the notorious infostealer that has plagued organizations and individuals since 2018. Rewritten in C for improved performance and efficiency, the new version introduces multi-threaded data theft, allowing simultaneous collection of credentials, cookies, and financial information from multiple sources. It also features advanced evasion techniques, including debugger and virtual machine detection, uptime checks, and hardware profiling to bypass sandboxes and endpoint security tools. Most notably, Vidar 2.0 can now defeat Chrome’s App-Bound encryption by extracting encryption keys directly from browser memory using reflective DLL injection. These updates reduce dwell time and increase stealth, making the malware significantly more resilient to analysis and remediation. The timing of its release follows a decline in Lumma Stealer operations, suggesting Vidar’s developers are positioning it as the new market leader in the infostealer ecosystem. Trend Micro’s analysis highlights how Vidar 2.0’s new builder supports polymorphism and control-flow flattening, making static detection by antivirus engines far more difficult. The malware exfiltrates stolen data through Telegram bots and even hidden Steam profile URLs. By adopting this decentralized communication infrastructure, the threat actors ensure redundancy and persistence against takedowns. Once the data is sent, the malware performs clean-up routines to minimize forensic evidence, further complicating incident response. Researchers warn that these capabilities mark a shift toward professionalized cybercrime operations that blend efficiency, speed, and stealth. With its expanded compatibility, active development, and proven reliability, Vidar 2.0 is expected to dominate infostealer campaigns through the end of 2025.
PassiveNeuron APT Targets Global Servers with Neursite and NeuralExecutor Malware
Researchers have uncovered a cyber-espionage campaign dubbed PassiveNeuron, targeting government, financial, and industrial sectors across Asia, Africa, and Latin America. First identified by Kaspersky in mid-2024, the operation employs two bespoke malware families—Neursite and NeuralExecutor—designed for stealth, persistence, and modular adaptability. PassiveNeuron distinguishes itself by exploiting already compromised internal servers as intermediary command-and-control nodes, enabling attackers to evade detection and maintain control over isolated environments. The implants communicate via multiple protocols, including TCP, SSL, and HTTPS, and can proxy traffic between infected hosts to facilitate lateral movement within victim networks. Neursite’s plugin-based architecture enables dynamic functionality, including file system manipulation and process management. At the same time, NeuralExecutor specializes in retrieving and executing .NET payloads from varied channels, including HTTP, named pipes, and WebSockets. These technical hallmarks suggest a well-resourced and disciplined threat actor, though attribution remains inconclusive, with linguistic and operational indicators hinting toward Chinese-speaking origins. Recent incidents observed indicate the campaign is ongoing and evolving. In one intrusion, attackers gained remote command execution on a Windows Server host via an exposed Microsoft SQL service, potentially through brute-forced credentials or SQL injection vulnerabilities. The adversaries initially attempted to deploy a web shell for basic access but later shifted to more sophisticated DLL-based loaders residing in the System32 directory. These loaders deployed Neursite, NeuralExecutor, and Cobalt Strike, enabling full control over targeted infrastructure. A newer NeuralExecutor variant even leveraged GitHub repositories to dynamically fetch C2 addresses, transforming a legitimate platform into a covert communication channel. Kaspersky’s analysis underscores that PassiveNeuron’s focus on internet-facing servers allows attackers to establish persistent footholds for espionage operations, exfiltrating sensitive data while remaining nearly invisible to conventional security monitoring. Organizations are advised to audit exposed servers, patch SQL-based applications, and monitor for unusual outbound connections to mitigate risk from this active campaign.
