TRENDING TOPICS NOV 03, 2025

Agent Session Smuggling: How Malicious AI Hijacks Victim Agents

The newly uncovered agent session smuggling attack exposes a critical flaw in multi-agent AI ecosystems, allowing a malicious AI agent to hijack active communication sessions through the Agent2Agent (A2A) protocol. Unlike traditional one-shot prompt injections, this technique exploits A2A’s stateful design—its ability to remember context across multiple interactions—to inject hidden instructions that evolve over time. The malicious agent uses adaptive, multi-turn dialogue to build trust, exfiltrate sensitive information, and even trigger unauthorized actions such as financial transactions, all while remaining invisible to end users. In Palo Alto Networks’ proof-of-concept, a “research assistant” agent tricked a connected “financial assistant” into revealing confidential configurations and executing stock trades without user consent. This threat underscores how implicit trust between autonomous agents can become a systemic weakness in distributed AI environments. Mitigation requires enforcing human-in-the-loop approvals for critical actions, implementing context grounding to detect deviations from user intent, and requiring cryptographically signed AgentCards to verify agent identity and permissions. Organizations should also expose real-time agent activity logs and tool invocations to improve visibility into hidden interactions. As AI systems increasingly collaborate across vendors and trust boundaries, security architectures must evolve to treat all inter-agent communication as untrusted by default, integrating layered defenses such as Prisma AIRS, AI Access Security, and Cortex Cloud AI-SPM to detect, block, and contain adaptive, AI-driven adversarial behaviors.
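The human-in-the-loop, context-grounding and activity-logging mitigations can be combined in one gate placed in front of the victim agent's tools. The sketch below is an added example, not code from this page or from Palo Alto Networks' proof-of-concept; the tool names and the hand-supplied task scope (`task_tools`) are assumptions, and a real deployment would derive that scope from the user's request.

```python
from dataclasses import dataclass, field

# Hypothetical tool names for a constructed "financial assistant" agent.
CRITICAL_TOOLS = {"buy_stock", "sell_stock"}

@dataclass
class SessionGuard:
    user_request: str
    task_tools: frozenset                 # tools the user's request actually needs
    audit_log: list = field(default_factory=list)

    def decide(self, tool, origin, user_approved=False):
        """origin is 'user' or 'remote_agent': whose message led to the call."""
        in_scope = tool in self.task_tools
        if origin == "remote_agent" and not in_scope:
            decision = "block"            # remote agent steering outside the task
        elif (tool in CRITICAL_TOOLS or not in_scope) and not user_approved:
            decision = "needs_approval"   # human-in-the-loop before acting
        else:
            decision = "allow"
        # Every proposal is recorded so hidden inter-agent turns become visible.
        self.audit_log.append((origin, tool, decision))
        return decision

def replay(guard, proposed_calls):
    """Run a list of (origin, tool) proposals through the guard."""
    return [guard.decide(tool, origin) for origin, tool in proposed_calls]

# Constructed session: the user asked for news; later remote-agent turns
# try to pull configuration and place a trade.
CONSTRUCTED_CALLS = [
    ("user", "search_news"),
    ("remote_agent", "search_news"),
    ("remote_agent", "get_system_config"),
    ("remote_agent", "buy_stock"),
    ("user", "buy_stock"),
]

if __name__ == "__main__":
    g = SessionGuard("Summarise today's market news", frozenset({"search_news"}))
    for call, verdict in zip(CONSTRUCTED_CALLS, replay(g, CONSTRUCTED_CALLS)):
        print(call, "->", verdict)
```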

New Teams-Cookies-BOF Exploit Lets Attackers Extract Encrypted Microsoft Teams Tokens for Chat Access

Researchers have revealed a new Beacon Object File (BOF) developed by Tier Zero Security that enables attackers to extract authentication cookies directly from Microsoft Teams without terminating the application. The tool builds on previous RandoriSec research showing that Teams stores sensitive access tokens in SQLite databases through its embedded msedgewebview2[.]exe browser process. Unlike modern Chromium browsers that safeguard cookie encryption keys via a SYSTEM-level IElevator service, Teams relies on the user’s Data Protection API (DPAPI)—making decryption far easier once local access is achieved. The new BOF bypasses Teams’ file-locking behavior by injecting into active ms-teams[.]exe or its child webview processes, duplicating file handles to read the locked database, and decrypting stored tokens in memory. This stealthy method allows attackers to impersonate users, access private chats, and interact with Teams, Skype, and Microsoft Graph APIs without alerting the victim. The attack demonstrates how Teams’ reliance on user-scoped encryption leaves enterprise environments vulnerable to post-compromise credential theft, even without elevated privileges. Once decrypted, these cookies can be used to exfiltrate messages or issue malicious API calls on behalf of compromised users—posing serious risks for lateral movement and social engineering. The tool is publicly available on GitHub and compatible with major Cobalt Strike frameworks, making it accessible to red teamers and adversaries alike. To mitigate the threat, organizations should implement process injection monitoring, restrict access to DPAPI keys, enforce least-privilege execution, and develop endpoint detection rules to flag anomalous handle duplication in Teams’ webview processes. Enterprises should also prioritize token lifecycle management and consider additional encryption layers for embedded browser components used in productivity applications.

BankBot-YNRK and DeliveryRAT Android Trojans Target Users with Sophisticated Financial Data Theft

Security researchers have uncovered two new Android malware strains, BankBot-YNRK and DeliveryRAT. They are designed to steal financial data and maintain persistent access on infected devices. According to CYFIRMA, BankBot-YNRK employs advanced evasion tactics, first verifying that it is running on a physical device by checking for manufacturers including Google, Samsung, or Oppo before activating its malicious functions. Distributed under names mimicking legitimate Indonesian government apps, the trojan disables system audio to prevent alerts and abuses accessibility services to gain elevated privileges and intercept sensitive information. Once installed, it leverages Android’s JobScheduler service for persistence and captures device data, contacts, SMS messages, banking credentials, and cryptocurrency wallet information from a predefined list of 62 financial apps. Its capabilities include overlay attacks, call redirection, and manipulating user interfaces to execute unauthorized transactions—all while impersonating trusted brands such as Google News to remain undetected. Meanwhile, F6 researchers detailed that DeliveryRAT is actively spreading in Russia under fake food delivery, banking, and marketplace apps promoted through a Telegram-based malware-as-a-service (MaaS) network called Bonvi Team. Victims are lured into installing malicious APKs via phishing links or job-related chats, after which the trojan requests notification and background permissions to exfiltrate SMS, call logs, and personal data while hiding its icon for stealth. Newer variants can also conduct DDoS attacks and abuse QR code functionality for phishing. Both trojans highlight the growing trend of commercializing mobile malware, where MaaS models make sophisticated financial theft tools widely accessible. 
To mitigate these threats, users should avoid sideloading apps from unofficial sources, disable accessibility permissions for untrusted apps, and keep Android devices updated—particularly since Android 14 now blocks the automatic abuse of accessibility features that both of these trojans depend on.

Operation SkyCloak Establishes Hidden SSH Backdoors via Tor

A newly identified espionage campaign dubbed Operation SkyCloak has been observed targeting Russian Airborne Forces and Belarusian Special Forces, using phishing archives that disguise PowerShell-based malware as official military correspondence. The campaign begins with shortcut (.LNK) files posing as nomination letters and training orders, which launch multi-stage droppers extracting payloads into concealed directories under %APPDATA% and %USERPROFILE%. These payloads deploy legitimate OpenSSH for Windows binaries, rename them as benign applications, and configure them to run as hidden SSH daemons on non-standard ports. The malware further exposes SSH, SMB, and RDP services via Tor using obfs4 bridges, enabling covert command-and-control channels and long-term persistence. Seqrite researchers link the campaign’s techniques to past operations like HollowQuill and CargoTalon, both of which targeted Russian defense sectors through similarly obfuscated PowerShell frameworks. The PowerShell scripts embedded in SkyCloak employ anti-analysis checks to evade sandbox detection before creating mutexes and hidden scheduled tasks. These tasks persistently trigger daily SSH sessions via Tor hidden services, configured for public-key authentication only, disabling passwords entirely. Connections are routed through obfs4 proxies using renamed binaries to blend in with legitimate traffic and evade network inspection. The use of legitimate open-source components and modular PowerShell scripting reflects a stealth-oriented intrusion design intended for covert espionage rather than disruptive activity. While attribution remains uncertain, analysts assess possible ties to Eastern European or pro-Ukrainian APT activity, given the campaign’s focus on Russian and Belarusian military infrastructure. 
Organizations should mitigate by restricting PowerShell execution policies, monitoring for abnormal SSH traffic on non-standard ports, and blocking Tor/obfs4 connections at the network perimeter to prevent similar covert access operations.
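The renamed OpenSSH daemons described above can be hunted in process-creation telemetry. The following is an added example, not taken from this page or from Seqrite's report: it assumes Sysmon-style process-creation records (`Image`, `OriginalFileName`, `CommandLine`) and that the renamed binary's version resource still reports `sshd.exe` or `ssh.exe`. All paths and file names in the sample events are constructed.

```python
import ntpath
import re

OPENSSH_ORIGINAL_NAMES = {"sshd.exe", "ssh.exe"}
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\", re.I)      # covers %APPDATA% too
PORT_FLAG = re.compile(r"(?:^|\s)-p\s*(\d{1,5})\b")        # sshd listen port

def score_event(ev):
    """Return the reasons a process-creation event looks like a hidden SSH daemon."""
    image = ev.get("Image", "")
    original = ev.get("OriginalFileName", "").lower()
    if original not in OPENSSH_ORIGINAL_NAMES:
        return []
    reasons = []
    if ntpath.basename(image).lower() != original:
        reasons.append("renamed")                 # OpenSSH under another file name
    if USER_PROFILE.search(image):
        reasons.append("user_writable_path")      # not the system OpenSSH install
    if original == "sshd.exe":
        m = PORT_FLAG.search(ev.get("CommandLine", ""))
        if m and int(m.group(1)) != 22:
            reasons.append("nonstandard_port")
    return reasons

def hunt(events):
    """Return (image, reasons) for every event with at least one reason."""
    return [(ev["Image"], r) for ev in events if (r := score_event(ev))]

# Constructed sample events (not real indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\sshd.exe",
     "OriginalFileName": "sshd.exe",
     "CommandLine": r"C:\Windows\System32\OpenSSH\sshd.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\example\viewer.exe",
     "OriginalFileName": "sshd.exe",
     "CommandLine": r"viewer.exe -f C:\Users\alice\AppData\Roaming\example\cfg -p 20321"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, reasons)
```

A listen port set only in the daemon's configuration file will not appear on the command line, so the `renamed` and `user_writable_path` signals carry the detection and the port check is supporting context.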

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.