🚨 𝗡𝗲𝘄 𝗠𝗼𝗱𝘂𝗹𝗮𝗿 𝗥𝗔𝗧 𝗪𝗶𝘁𝗵 𝗩𝗶𝗰𝘁𝗶𝗺 𝗣𝗿𝗼𝗳𝗶𝗹𝗶𝗻𝗴: 𝗗𝗲𝘁𝗲𝗰𝘁 𝗜𝘁 𝗘𝗮𝗿𝗹𝘆
We identified #KarstoRAT, a new malware that had zero detections on VirusTotal at the time of analysis. 𝗜𝘁 𝗱𝗶𝘀𝗴𝘂𝗶𝘀𝗲𝘀 𝗶𝘁𝘀 𝗖𝟮 𝘁𝗿𝗮𝗳𝗳𝗶𝗰 𝗮𝘀 𝗹𝗲𝗴𝗶𝘁𝗶𝗺𝗮𝘁𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘀𝗼𝗳𝘁𝘄𝗮𝗿𝗲 by using the User-Agent SecurityNotifier, increasing the risk of prolonged dwell time and opearional disruption.

⚠️ 𝗧𝗵𝗶𝘀 𝗶𝘀 𝗻𝗼𝘁 𝗯𝗹𝗶𝗻𝗱 𝗺𝗮𝘀𝘀 𝗱𝗲𝗽𝗹𝗼𝘆𝗺𝗲𝗻𝘁. KarstoRAT checks the victim’s external IP via api[.]ipify[.]org and maintains heartbeat and logging endpoints with its C2. This behavior suggests selective activation of certain modules based on country, network, or public IP.

❗️𝗦𝗲𝗽𝗮𝗿𝗮𝘁𝗲 𝘀𝗲𝗿𝘃𝗲𝗿 𝗽𝗮𝘁𝗵𝘀 𝗳𝗼𝗿 𝗱𝗮𝘁𝗮 𝗮𝗻𝗱 𝗰𝗼𝗺𝗺𝗮𝗻𝗱𝘀 𝗯𝗮𝗰𝗸 𝘁𝗵𝗶𝘀 𝘂𝗽. The C2 is modular, with functions managed independently. This enables controlled deployment and selective capability use, making campaigns harder to detect and contain at an early stage.

⚙️ Functionally, KarstoRAT combines surveillance and remote control: it steals credentials and tokens, logs keystrokes and clipboard data, executes remote commands, uploads payloads, and exfiltrates files, while also capturing screenshots, webcam, and audio activity on the infected host.

Persistence is set via Run keys, the Startup folder, and a scheduled SystemCheck task. For privilege escalation, it abuses fodhelper.exe and hijacks the ms-settings\Shell\Open\command registry path.

To avoid detection, KarstoRAT checks for debuggers and security analysis software. #ANYRUN Sandbox bypasses these checks, exposing full behavior within seconds.
Before threats turn into longer investigations and business impact, security teams use #ANYRUN to move from unclear signals to evidence-based action faster ✅

👾 See sample execution in a live analysis session: https://app.any.run/tasks/7f289c04-c532-4879-836f-a3931822ed24/?utm_source=mastodon&utm_medium=post&utm_campaign=karstorat&utm_term=250226&utm_content=linktoservice

🔍 Pivot from #IOCs and subscribe to Query Updates in TI Lookup to proactively track evolving attacks: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=karstorat&utm_content=250226&utm_term=linktotilookup#%7B%2522query%2522:%2522url:%255C%2522*/notify?event=heartbeat&user=*&public_ip=%255C%2522%2522,%2522dateRange%2522:30%7D%20

Equip your SOC with faster decisions and lower workload. See how #ANYRUN fits your workflows: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=karstorat&utm_term=250226&utm_content=linktoenterpriselanding

IOCs:
Domain:
hallucinative-shabbily-olga[.]ngrok-free[.]dev

IP:
212[.]227[.]65[.]132

HeartBeat URL:
"*/notify?event=heartbeat&user=*&public_ip="

Sha256:
839e882551258bf34e5c5105147f7198af2daf7e579d7d4a8c5f1f105966fd7e
07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb
ee5b0c1f0015b9f59e34ef8017ead6e83259b32c4b0e07dc1f894b0d407094a3
aca3f2902307c5ebdb43811b74000783d61b6ad29d7796bb8107d8b1b38d76a3

Command-and-control IPv4 map, 2026-02-10 to 2026-02-23 #IOCs
https://abjuri5t.github.io/SarlackLab/

148.178.64[.]0/19
148.178.32[.]0/19
178.16.52[.]0/22
207.56.192[.]0/19
91.92.240[.]0/22
158.94.208[.]0/22
102.117.128[.]0/18
45.114.106[.]0/24
156.234.94[.]0/24
106.52.0[.]0/14

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Command-and-control domain tree, 2026-02-03 to 2026-02-16 #IOCs
https://abjuri5t.github.io/SarlackLab/

*.bj[.]baidubce[.]com
*.tcp[.]cpolar[.]top
*.dianqi1[.]jiayongdianqi[.]xyz
*.dianqi2[.]jiayongdianqi[.]xyz
*.getupi[.]in[.]net

⚠️ Enterprise #phishing is now abusing Microsoft & Google Cloud. Trusted domains don’t get flagged by common detection tools, leaving companies exposed.
❗ #Sneaky2FA specifically targets corporate emails. See the analysis session and gather #IOCs: https://app.any.run/tasks/96dbe668-1be7-4001-be2c-edec54df09f7/?utm_source=mastodon&utm_medium=post&utm_campaign=enterprise_phishing_analysis_case&utm_term=120226&utm_content=linktoservice

Learn how these attacks work and what it takes for SOC teams to detect them: https://any.run/cybersecurity-blog/enterprise-phishing-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=enterprise_phishing_analysis_case&utm_term=120226&utm_content=linktoblog

#cybersecurity #infosec

🚨 𝗔 𝗻𝗲𝘄 𝗚𝗼-𝗯𝗮𝘀𝗲𝗱 #𝗿𝗮𝗻𝘀𝗼𝗺𝘄𝗮𝗿𝗲 𝗶𝘀 𝗮𝗰𝘁𝗶𝘃𝗲. GREENBLOOD encrypts files fast using ChaCha8 and tries to delete its executable to reduce visibility. Attackers threaten victims with leaking stolen data on their TOR-based website, creating business and compliance risks.

#ANYRUN Sandbox exposed ransomware behavior and cleanup attempts in real time, so SOC teams can act before the damage spreads.

👾 See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/6f5d3098-14c0-45ed-916e-863ef4ba354d/?utm_source=mastodon&utm_medium=post&utm_campaign=greenblood_case&utm_term=040226&utm_content=linktoservice

🔍 Pivot from IOCs and subscribe to Query Updates to proactively track evolving attacks: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=greenblood_case&utm_content=linktotilookup&utm_term=040226#%7B%2522query%2522:%2522commandLine:%255C%2522greenblood%255C%2522%2522,%2522dateRange%2522:180%7D%20

👨‍💻 Learn how #ANYRUN Sandbox helps SOC teams detect complex threats early: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=greenblood_case&utm_term=040226&utm_content=linktosandboxlanding

IOCs:
12bba7161d07efcb1b14d30054901ac9ffe5202972437b0c47c88d71e45c7176
5d234c382e0d8916bccbc5f50c8759e0fa62ac6740ae00f4923d4f2c03967d7a

#cybersecurity #infosec

⚠️ #BQTLock ransomware uses #Remcos injected into explorer.exe to hide inside normal system activity. In the #ANYRUN Sandbox, behavioral analysis and file system monitoring exposed a UAC bypass via fodhelper.exe, followed by persistence through autorun mechanisms with elevated privileges.

👾 Once elevated, the malware moves into data theft and screen capture. See the full execution chain and collect #IOCs to speed up detection and cut response time: https://app.any.run/tasks/90be5f16-fdde-4aca-9482-86e2aa43fba0/?utm_source=mastoodon&utm_medium=post&utm_campaign=bqtlock_case&utm_term=300126&utm_content=linktoservice

👨‍💻 Learn how #ANYRUN Sandbox helps SOC teams detect complex threats early: https://any.run/features/?utm_source=mastodon&utm_medium=post&utm_campaign=bqtlock_case&utm_term=300126&utm_content=linktosandboxlanding

#cybersecurity #infosec

🚨 #RustyWater: How Word Macros Still Enable Initial Access
Macros execution blends into normal document use and often runs before security tools raise alerts. In this case, the attack chain starts with a malicious Word document whose macros drops and executes the RustyWater implant.

The activity is linked to a #MuddyWater spearphishing campaign aimed at high-risk sectors.

⚠️ The implant launches from ProgramData via cmd[.]exe, bypassing static detection pushing defenders straight into incident response phase.

Execution pattern breakdown:
1️⃣ Document_Open
The macros trigger WriteHexToFile and love_me__ once the document is opened.

2️⃣ WriteHexToFile
Hex data from UserForm1.TextBox1 is cleaned, converted to bytes, and written to C:\ProgramData\CertificationKit[.]ini. This function acts as a dropper for the implant.

3️⃣ love_me__
The macros dynamically constructs WScript[.]Shell using Chr() and creates the object. It then builds and runs the command: cmd.exe /c C:\ProgramData\CertificationKit[.]ini. The implant runs without a visible window.

4️⃣ Strings, object names, and commands are obfuscated to complicate static inspection and signature-based detection.

👨‍💻 See live execution and download actionable report: https://app.any.run/tasks/6f60427a-522c-4972-b05f-ab12490bd690/?utm_source=mastodon&utm_medium=post&utm_campaign=rustywater&utm_term=210126&utm_content=linktoservice

❗️ Why macros-based initial access still works?
Macros execute payloads before actionable alerts appear. The delayed visibility forces teams to investigate after execution has already occurred. Earlier behavioral visibility helps contain threats before escalation, reducing investigation time and business impact.

🔍 Find similar Word macros-on-open cases and pivot from #IOCs in TI Lookup: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=rustywater&utm_content=linktotilookup&utm_term=210126#%7B%2522query%2522:%2522threatName:%255C%2522macros-on-open%255C%2522%2520AND%2520fileExtension:%255C%2522doc%255C%2522%2522,%2522dateRange%2522:180%7D

IOCs:
f38a56b8dc0e8a581999621eef65ef497f0ac0d35e953bd94335926f00e9464f
7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58
nomercys[.]it[.]com

🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=rustywater&utm_term=210126&utm_content=register#register

#cybersecurity #infosec