Valid signatures now guarantee nothing

Signed Binaries Weaponized: DAEMON Tools Supply Chain, DigiCert EV Cert Theft

• DAEMON Tools versions 12.5.0.2421–12.5.0.2434 have been trojanized since April 8 — all compromised binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) carry a valid AVB Disc Soft developer certificate, bypassing signature-based allow-list controls. The campaign remains active across 100+ countries; attribution points to a Chinese-speaking threat actor.
• The three-stage payload chain delivers an info collector (exfiltrating MAC address, hostname, processes, and locale to 38.180.107.76), a targeted backdoor deployed to ~12 machines in government, scientific, and manufacturing sectors across Russia, Belarus, and Thailand, and QUIC RAT — a C++ implant injecting into notepad.exe/conhost.exe, statically linked with WolfSSL. Audit all machines with DAEMON Tools installed for anomalous connections to 38.180.107.76 or env-check.daemontools.cc since April 8.
• On April 2, an attacker socially engineered DigiCert support via Salesforce chat — four attempts blocked before the fifth succeeded; a second endpoint was compromised April 4 and went undetected for 10 days until April 14. The exploit path: support analysts could view certificate initialization codes for approved, undelivered EV code signing orders in customer account context — sufficient to activate and obtain valid certs without additional authentication.
• DigiCert revoked 60 EV code signing certificates (April 14–17): 27 directly tied to the attacker, 16 from investigation scope, 33 precautionary; stolen certs were used to sign Zhong Stealer payloads attributed to GoldenEyeDog (APT Q-27), a crypto-theft group. DigiCert has blocked support proxies from viewing signing initialization codes and disabled Okta FastPass on the support portal. Validate any signed binary with an unfamiliar vendor cert from April 2–17 against CRL/OCSP immediately.

---

QLNX: Undocumented Linux RAT Hardwired for CI/CD Credential Theft

• Quasar Linux (QLNX) is a previously undocumented Linux RAT with zero or near-zero VirusTotal detections at discovery, documented in Trend Micro's full analysis: fileless execution via memfd_create + execveat, LD_PRELOAD + eBPF kernel rootkit, PAM backdoor with hardcoded master password (O$$f$QtYJK), and P2P mesh C2 network.
• Credential harvest targets cover the entire CI/CD secret surface: npm tokens (.npmrc), PyPI credentials (.pypirc), .aws/credentials, .kube/config, .docker/config.json, git credentials, SSH keys, browser databases, /etc/shadow, shell history, and clipboard — the RAT is explicitly designed to pivot through CI/CD pipelines and cloud infrastructure after gaining initial access.
• QLNX dynamically compiles its own rootkit on the victim host — embedding C source for the PAM backdoor and LD_PRELOAD rootkit, compiling with gcc, deploying via /etc/ld.so.preload. Hunt for ~/.X<hash>-lock mutex files, unexpected LD_PRELOAD entries, and anomalous PAM log writes to /var/log/.ICE-unix; Trend Micro network detection signatures are 47135: HTTP: Backdoor.Linux.QLNX.A and 47136: TCP: Backdoor.Linux.QLNX.A.

---

pnpm 11 Enforces Release Age by Default; AI-Generated Auth Gaps Cut Both Ways

• pnpm 11 ships a 24-hour minimum release age as a default — the first major package manager to enforce release age without explicit configuration, per the pnpm 11 announcement; directly counters the Mini Shai-Hulud and Shai-Hulud attacks where malicious packages were pulled within minutes of publication. Complements Renovate minimumReleaseAge: "3 days" and Dependabot min-release-age: 3d as an enforced-by-default layer.
• pnpm 11 also enables blockExoticSubdeps by default (blocking Git repo and direct tarball sources as subdependencies), requires explicit allowBuilds whitelisting per package for install-time script execution, and ships built-in CycloneDX and SPDX SBOM generation without additional tooling. Requires Node.js 22+, pure ESM.
• Threat actors building a dark-web carding validation service used Cursor — the AI generated an unauthenticated open web directory, exposing 145K valid card records (number, CVV, expiry, cardholder address) and ~200K flagged records; chat history confirms Cursor had sufficient context to identify a card-checking tool was being built but generated unauthenticated infrastructure regardless. The same missing-auth pattern applies to any vibe-coded internal tool absent explicit security review.
• The ACM Technology Policy Council published its first formal policy brief specifically addressing AI coding tool security risks, drawing on 20+ academic publications: AI tools trained on vulnerable codebases replicate those vulnerabilities and generate over-engineered code with subtle errors; agentic systems operating with minimal human oversight are explicitly flagged as a risk amplifier. ACM recommends applying formal methods, specialized audit tooling, and mandatory human review on code execution and deployment paths.

---

Apache HTTP Server 2.4.67 and MINA 2.2.7: RCE Patches — Upgrading MINA Is Not Enough

• Apache HTTP Server 2.4.67 patches 11 CVEs including CVE-2026-23918 (HTTP/2 early-reset double-free, potential RCE) and CVE-2026-28780 (heap buffer overflow in AJP message handling, potential RCE); also patches a Digest auth timing side-channel (CVE-2026-33006) and CRLF injection (CVE-2026-33523), per the full advisory. Update production servers immediately.
• Apache MINA 2.2.7 and 2.1.12 patch CVE-2026-42778 and CVE-2026-42779 — both are incomplete fixes for a recurring deserialization chain (CVE-2024-52046 → CVE-2026-41409 → CVE-2026-42778); upgrading alone does not close the attack surface. After upgrading, explicitly configure ObjectSerializationDecoder with an allowlist of permitted classes — any MINA service without this config remains exploitable. MINA is widely embedded in enterprise Java middleware and messaging systems.

---

ScarCruft APT37 Trojanizes Korean Gaming Platform; Malicious Android APKs Still Live

• ScarCruft (APT37, North Korea) trojanized sqgame.net — a gaming platform for ethnic Koreans near the North Korean border — with malicious update packages since late 2024; Windows installs deliver trojanized mono.dll → downloader → RokRAT → BirdCall C++ implant, with a clean mono.dll fetched post-execution to erase the artifact. ESET notified sqgame in December 2025 and received no response.
• Two of three offered Android APKs are repackaged with zhuagou — a new Android port of BirdCall — targeting .hwp, .p12, and document files with scheduled microphone recording between 7pm–10pm local time; C2 runs through 12 observed Zoho WorkDrive accounts, defeating domain-reputation blocking entirely. Malicious APKs remain available for download today.
• The attacker modified AndroidManifest.xml without source code access, indicating a distribution-site compromise rather than a developer environment intrusion — the same threat model as the DAEMON Tools attack above applied to mobile app distribution. Any third-party app distributed via a site that has no vendor response process should be treated as untrusted regardless of code signing status.