Update: DPRK “Fake Font” Contagious Interview Campaign Abuses VS Code Tasks to Deploy InvisibleFerret
North Korean Lazarus Group operators have launched a new evolution of the long-running “Contagious Interview” campaign that abuses Microsoft VS Code’s task automation feature to execute malware disguised as web font files. Tracked as the “Fake Font” campaign, the activity targets software engineers via fake LinkedIn recruiters who distribute malicious GitHub repositories as coding assessments. When a victim opens the project in VS Code and trusts the workspace, a hidden .vscode/tasks.json file automatically runs a Node.js command on folder open, executing a .woff2 file that is actually heavily obfuscated JavaScript. This technique requires no vulnerability exploitation and instead weaponizes trusted developer workflows, enabling near-instant execution with minimal user interaction. The initial JavaScript loader, BeaverTail, establishes persistence and contacts the attacker's infrastructure, masquerading as a typosquatted Ethereum API service, which delivers a large second-stage payload known as InvisibleFerret. InvisibleFerret performs extensive environmental reconnaissance before deploying a Python backdoor capable of stealing cryptocurrency wallet credentials, browser credentials, cookies, clipboard contents, and keystrokes, while maintaining persistent access across Windows, macOS, and Linux. Analysis to date has identified at least 17 malicious repositories and 11 distinct payload variants, indicating rapid iteration and decentralized development within the Lazarus ecosystem. Organizations should restrict or disable automatic execution of VS Code tasks on folder open, enforce strict policies around trusting workspaces and opening third-party repositories, and educate developers to treat unsolicited “coding assessments” and recruiter-supplied GitHub projects as high-risk, especially when they contain preconfigured editor automation or non-code artifacts masquerading as benign resources such as fonts or build tools.
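As an added illustration (not code from the report or from any analyzed repository), a Python check a defender can run over a cloned repository's .vscode/tasks.json before trusting the workspace: it flags tasks configured to run on folder open and tasks that hand a non-code artifact such as a font file to an interpreter. The sample tasks.json is constructed and the parser assumes plain JSON without comments.

```python
import json
import re

# Constructed sample in the style the campaign is described as using: a task
# that auto-runs on folder open and passes a "font" file to Node.js.
# Illustrative only, not taken from a real repository.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install",
      "type": "shell",
      "command": "node ./assets/fonts/roboto.woff2",
      "runOptions": { "runOn": "folderOpen" }
    },
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build"
    }
  ]
}'''

# File types that have no legitimate reason to be handed to an interpreter.
NON_CODE_EXT = re.compile(r"\.(woff2?|ttf|otf|eot|png|jpe?g|gif|svg|ico|css|md)\b", re.I)
INTERPRETERS = re.compile(r"\b(node|python3?|powershell|pwsh|bash|sh|cmd|wscript|cscript)\b", re.I)

def task_command_text(task):
    """Join a task's command and args into one string for inspection."""
    parts = [str(task.get("command", ""))]
    args = task.get("args", [])
    if isinstance(args, list):
        parts.extend(str(a) for a in args)
    return " ".join(parts)

def audit_tasks(raw_json):
    """Return (label, reason) findings for a tasks.json document (plain JSON, no comments)."""
    findings = []
    doc = json.loads(raw_json)
    for task in doc.get("tasks", []):
        label = task.get("label", "<unlabelled>")
        cmd = task_command_text(task)
        # runOn: folderOpen is what makes the task fire as soon as the workspace is trusted.
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((label, "auto-runs on folder open"))
        if INTERPRETERS.search(cmd) and NON_CODE_EXT.search(cmd):
            findings.append((label, "interpreter invoked on non-code artifact"))
    return findings
```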
Stanley MaaS: Guaranteed Chrome Web Store Phishing Extensions
Stanley is a newly identified malware-as-a-service (MaaS) toolkit advertised on Russian-language cybercrime forums that enables large-scale browser-based phishing through malicious Chrome extensions. Marketed for between $2,000 and $6,000, the service’s defining feature is a claimed guarantee that attacker-controlled extensions will pass Google’s Chrome Web Store review process and remain published. Disguised as a note-taking or bookmarking extension, Stanley leverages broad permissions, including <all_urls>, scripting, and webNavigation, to gain full control over a victim’s browsing activity while maintaining plausible, benign functionality to accumulate trust and positive reviews. Technically, Stanley performs full-page website spoofing by overlaying a full-screen iframe containing attacker-controlled phishing content while the browser address bar continues to display the legitimate domain, enabling high-fidelity credential theft against targets like cryptocurrency exchanges. The toolkit includes a web-based C2 panel that tracks victims by IP address, supports per-victim hijacking rules, pushes Chrome-native notifications to lure users into targeted workflows, and polls C2 infrastructure every 10 seconds with fallback domain rotation for resilience. While the underlying code relies on well-known techniques rather than novel exploits, the operational risk comes from distribution: the toolkit abuses the trust model of browser extension marketplaces to reach victims through an official channel. Organizations should enforce strict browser extension allowlisting through enterprise browser management, continuously audit installed extensions for excessive permissions such as <all_urls> and scripting access, and monitor for anomalous behaviors like full-page iframe overlays, high-frequency C2 polling, or browser notifications originating from extensions rather than websites, as these are strong indicators of malicious extension abuse.
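An added example, not part of the original item or of the Stanley toolkit: a Python audit of a Chrome extension manifest that flags the permission combination described above (<all_urls> host access together with scripting, webNavigation and notifications) and turns it into an allowlist verdict. The manifest is constructed for illustration and the risk lists are the author's own choices.

```python
import json

# Constructed manifest modelled on the described "note-taking" lure: benign
# description, but a permission set that allows running code on every page.
SAMPLE_MANIFEST = r'''{
  "manifest_version": 3,
  "name": "Quick Notes",
  "description": "Save notes and bookmarks while you browse.",
  "version": "1.4.2",
  "permissions": ["storage", "scripting", "webNavigation", "notifications"],
  "host_permissions": ["<all_urls>"],
  "background": { "service_worker": "bg.js" }
}'''

# API permissions that give an extension control over pages, traffic or sessions.
HIGH_RISK = {"scripting", "webNavigation", "webRequest", "declarativeNetRequest",
             "tabs", "cookies", "debugger", "nativeMessaging"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(raw):
    """Return a list of human-readable findings for one manifest.json."""
    m = json.loads(raw)
    perms = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))
    # Manifest V2 puts host patterns in "permissions"; treat them the same way.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    broad = bool(hosts & BROAD_HOSTS)
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    risky = sorted(perms & HIGH_RISK)
    if risky:
        findings.append("high-risk API permissions: " + ", ".join(risky))
    # Broad hosts plus scripting is what lets an extension inject a full-page
    # iframe on any site while the address bar still shows the real domain.
    if broad and "scripting" in perms:
        findings.append("can inject content into every page (overlay/spoofing capable)")
    if broad and "notifications" in perms:
        findings.append("can push browser notifications while controlling any page")
    return findings

def verdict(findings):
    """Allowlist decision: block overlay-capable extensions, review anything else flagged."""
    if any("every page" in f for f in findings):
        return "block"
    return "review" if findings else "allow"
```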
Malicious VS Code AI Extensions Expose Source Code of 1.5 Million Developers
A newly uncovered campaign, dubbed MaliciousCorgi, has revealed that two popular AI-powered Visual Studio Code extensions were quietly siphoning source code and developer activity data at a massive scale while remaining fully functional and approved in the official marketplace. The extensions account for more than 1.5 million installations and market themselves as productivity-enhancing coding assistants. While they delivered legitimate features such as code explanations, autocomplete, and debugging help, investigators found they also monitored every file developers opened or edited and transmitted that data to servers located in China, without disclosure or user consent. Analysis shows the extensions operated as long-term surveillance tools rather than one-time data grabbers. Beyond real-time file monitoring, the operators retained the ability to remotely trigger bulk exfiltration of workspace files on demand, enabling selective theft of sensitive source code, configuration files, credentials, and proprietary logic. A hidden profiling layer further enriched this access by fingerprinting developers and tracking usage patterns through multiple commercial analytics frameworks, allowing attackers to identify high-value targets and prioritize exfiltration. The incident underscores a growing risk in the software supply chain, where functional, highly rated extensions can remain embedded in development environments for months or years before abuse is detected. Developers and organizations are advised to immediately remove the affected extensions, review IDE plugin inventories, restrict extension installation through allow-listing where possible, and monitor outbound traffic from development systems to identify unauthorized data flows.
New Fake CAPTCHA Chain Delivers Amatera Stealer via App-V LOLBIN Abuse
A newly observed Fake CAPTCHA campaign delivers Amatera Stealer through a deliberately gated, multi-stage execution chain that prioritizes reliability and evasion over exploit-based access. The infection begins with user-assisted execution via the Windows Run dialog, abusing the signed Microsoft App-V script SyncAppvPublishingServer.vbs as a LOLBIN to proxy PowerShell execution through wscript.exe. Early stages enforce strict execution-order and user-behavior checks using environment variables and clipboard state, causing the chain to silently stall if conditions are not met. This design selectively filters targets toward enterprise-managed systems with App-V components enabled while frustrating sandbox analysis and automated detonation. As the chain progresses, the loader retrieves live configuration from a public Google Calendar (.ics) file, then pivots to PNG-based steganography to extract an encrypted payload hidden within images fetched from public CDNs, all processed entirely in memory. Execution ultimately transitions from PowerShell into native shellcode, which maps and executes Amatera Stealer, a modular information-stealing malware known for layered encryption and evasive networking. The campaign’s significance lies less in its payload and more in its delivery strategy: chaining trusted Microsoft components, third-party infrastructure, behavioral execution gates, and fully in-memory stages to quietly bypass defenses and surface only after credential theft and data loss have already occurred. Defenders should block user-assisted execution patterns associated with ClickFix-style lures by restricting access to the Windows Run dialog and script hosts, disabling unnecessary LOLBINs, monitoring clipboard-gated and user-interaction-gated execution chains, and training users to treat fake CAPTCHA prompts or instructions that ask them to paste commands manually as strong indicators of malware delivery.
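An added detection example, not from the original report: Python triage logic over constructed Sysmon-style process-creation events that flags SyncAppvPublishingServer.vbs launched through a script host from an interactive parent (the Run dialog pattern described above) and PowerShell spawned by Windows Script Host. The events, field names and the placeholder script argument are constructed, not campaign telemetry.

```python
import re

# Constructed process-creation events (Sysmon-style fields). Not real telemetry;
# the script argument is a placeholder, not the campaign's actual stage.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "<placeholder-argument>"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'powershell.exe -NonInteractive -WindowStyle Hidden -Command "<placeholder-argument>"'},
    {"Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"cscript.exe //B C:\Windows\System32\SyncAppvPublishingServer.vbs"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
APPV_SCRIPT = re.compile(r"syncappvpublishingserver\.vbs", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return (severity, reason) for one event, or None when no rule matches."""
    image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_HOSTS and APPV_SCRIPT.search(cmd):
        # App-V itself runs this script from a service or scheduled task, so only an
        # interactive parent (explorer.exe, i.e. the Run dialog) is rated high.
        if parent == "explorer.exe":
            return ("high", "App-V publishing script launched from explorer.exe (Run dialog pattern)")
        return ("info", "App-V publishing script launched by script host")
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        # The proxied PowerShell stage shows up as a child of the script host.
        return ("high", "PowerShell spawned by Windows Script Host")
    return None

def triage(events):
    """Map event index -> (severity, reason) for every event that matched a rule."""
    results = {}
    for i, ev in enumerate(events):
        hit = classify(ev)
        if hit is not None:
            results[i] = hit
    return results
```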
Update: Microsoft Issues Out-of-Band Patch for Microsoft Office Zero-Day CVE-2026-21509
Microsoft has released an out-of-band security update to address CVE-2026-21509, a high-severity security feature bypass vulnerability affecting multiple Microsoft Office products, including Office 2016, Office 2019, Office LTSC 2021/2024, and Microsoft 365 Apps for Enterprise. The flaw stems from improper reliance on untrusted inputs in security decisions, allowing attackers to bypass OLE mitigations that normally block vulnerable COM/OLE controls. Successful exploitation requires user interaction, typically by convincing a victim to open a specially crafted Office document, and can result in significant impact to confidentiality, integrity, and availability despite being classified as a local attack vector. Microsoft has stated that exploitation has been detected internally; however, detailed public reporting on specific campaigns or threat actors remains limited, and some reporting characterizes in-the-wild exploitation as unconfirmed but suspected based on telemetry and emergency patch timing. The vulnerability has prompted heightened response actions, including inclusion in CISA’s Known Exploited Vulnerabilities catalog with a mandated remediation timeline for U.S. federal agencies. While Microsoft 365 and newer Office versions receive protections via service-side changes that take effect when applications are restarted, Office 2016 and 2019 environments require explicit patching or interim registry-based mitigations to block the vulnerable COM control. Organizations should immediately apply the latest Office security updates where available, implement Microsoft’s recommended registry workaround on unpatched versions, enforce Protected View and strict email attachment controls, and monitor for anomalous Office behavior such as unusual COM/OLE activity or unexpected child processes, particularly in environments where exploitation is suspected but not yet fully confirmed.