Research Saturday

The link knows all.

Muhammad Danish, University of New Mexico lead author and cybersecurity researcher, discussing his team's work on "Private Links, Public Leaks: Consequences of Frictionless User Experience on the Security and Privacy Posture of SMS-Delivered URLs". This paper examines how the push for frictionless user experiences has led many services to rely on SMS-delivered, single-click URLs—an inherently insecure channel that can be intercepted or leaked. Analyzing more than 322,000 unique URLs from 33 million messages, the researchers found widespread security failures, including exposed PII across 701 endpoints at 177 services due to weak, token-based authentication that treats possession of a link as sufficient authorization. The study also identified low-entropy tokens enabling mass URL enumeration and data overfetching issues, though disclosures prompted 18 services to fix flaws, improving privacy protections for at least 120 million users.

Caught in the funnel.

Today we have ⁠Andrew Northern⁠, Principal Security Researcher at ⁠Censys⁠, discussing "From Evasion to Evidence: Exploiting the Funneling Behavior of Injects". This research explains how modern web malware campaigns use multi-stage JavaScript injections, redirects, and fake CAPTCHAs to selectively deliver payloads and evade detection. It shows that these attack chains rely on stable redirect and traffic-distribution chokepoints that can be monitored at scale. Using the SmartApe campaign as a case study, the report demonstrates how defenders can turn those chokepoints into high-confidence detection and tracking opportunities.

Picture perfect deception.

Today we are joined by ⁠Ben Folland⁠, Security Operations Analyst from ⁠Huntress⁠, discussing their work on "ClickFix Gets Creative: Malware Buried in Images." This analysis covers a ClickFix campaign that uses fake human verification checks and a realistic Windows Update screen to trick users into manually running malicious commands. The multi-stage attack chain leverages mshta.exe, PowerShell, and .NET loaders, ultimately delivering infostealers like LummaC2 and Rhadamanthys, with payloads hidden inside PNG images using steganography. While technically sophisticated, the campaign hinges on simple user interaction, underscoring the importance of user awareness and controls around command execution.

Walking on EggStremes.

This week, we are joined by ⁠Martin Zugec⁠, Technical Solutions Director from ⁠Bitdefender⁠, sharing their work and findings on "EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company." Built for long-term espionage, the campaign uses DLL sideloading, in-memory execution, and abused Windows services to stay stealthy and persistent. We walk through how the multi-stage framework delivers a powerful backdoor with reconnaissance, lateral movement, data theft, and keylogging capabilities—and what this operation reveals about the evolving tactics defenders need to watch for.

The lies that let AI run amok.

⁠Darren Meyer⁠, Security Research Advocate at ⁠Checkmarx⁠, is sharing their work on "Bypassing AI Agent Defenses with Lies-in-the-Loop." Checkmarx Zero researchers introduce “lies-in-the-loop,” a new attack technique that bypasses human‑in‑the‑loop AI safety controls by deceiving users into approving dangerous actions that appear benign. Using examples with AI code assistants like Claude Code, the research shows how prompt injection and manipulated context can trick both the agent and the human reviewer into enabling remote code execution. The findings highlight a growing risk as AI agents become more common in developer workflows, underscoring the limits of human oversight as a standalone security control.