Five Eyes Warns of Imminent AI-Powered Attacks; Major Supply Chain Breaches Hit NPM Ecosystem

The update provides more specific hunting hints, including monitoring MsMpEng.exe for crashes, Windows System Event Log for Event ID 1001, and 'whoami /priv' command line patterns. It also details monitoring for cmd.exe or powershell.exe spawned as child processes of MsMpEng.exe with SYSTEM integrity. The article reiterates the PoC's variable success rate but notes the researcher's claim of 100% success on some systems, emphasizing the assumed imminent exploitation despite no observed in-the-wild activity.

Further analysis of the WhatsApp malware campaign by Kaspersky researchers has identified the specific remote monitoring and management (RMM) tool being deployed by attackers. The malicious VBScript files, sent via compromised WhatsApp accounts, now stealthily install ManageEngine Endpoint Central. This legitimate RMM tool is then used to establish persistent remote access to victim systems, allowing attackers to blend their activities with normal administrative traffic. This 'living off the land' technique complicates detection and provides attackers with extensive control for data theft, surveillance, or further malware deployment across at least 11 countries, with Malaysia heavily impacted.

New analysis by ESET researchers reveals the specific EDR-killing framework used by The Gentlemen ransomware is named 'GentleKiller.' This custom toolkit is highly sophisticated, designed to neutralize over 400 processes from 48 different security vendors, including major players like Microsoft Defender, CrowdStrike, and Sophos. Crucially, GentleKiller operates by terminating security processes at the kernel level, a significantly more robust and effective method than user-space process killers. This kernel-level operation, likely involving a maliciously loaded driver (BYOVD), allows it to bypass the self-protection mechanisms of modern EDR solutions, making it much harder to detect and prevent the subsequent ransomware deployment. This development highlights a significant escalation in the technical capabilities of RaaS operations.

Further analysis of the Mastra AI framework supply chain attack by Sapphire Sleet indicates the malicious 'easy-day-js' package contained a second-stage payload designed to steal sensitive data from over 160 cryptocurrency-related browser extensions across Windows, macOS, and Linux. The attack was executed with precision in a 45-minute window on June 17, following a pre-positioning phase on June 16. This clarifies the financial motivation, highlighting the direct targeting of crypto assets from affected developer systems.

The updated analysis provides a deeper dive into the mechanics of anticipated AI-powered cyberattacks, detailing how AI will accelerate various stages of the attack lifecycle. It outlines specific MITRE ATT&CK techniques (e.g., T1592, T1598, T1027) and D3FEND defensive strategies (e.g., D3-UBA, D3-NTA) that will be impacted. Crucially, the report includes actionable 'Cyber Observables' such as unusual API calls to public AI services, randomized Base64 payloads in command lines, high-frequency password spraying, and AI-generated phishing URLs, offering concrete hunting hints for security teams. It also notes geopolitical tensions regarding AI model access.