Weekly Threat Intel
May 30–June 5, 2026
- Add the Check Point TDS reverse-engineering-tool lookalike domains to your blocklists now and warn your security and dev teams — attackers are SEO-poisoning searches for Ghidra, dnSpy, ILSpy, and SpiderFoot to serve RemusStealer and the new SessionGate loader. The spoofed domains observed in our data include ghidralite[.]com, dnspy[.]org, ilspy[.]org, grpcurl[.]com, mqttexplorer[.]com, and mfcmapi[.]com, with the TDS front-ending downloads through CloudFront distributions (e.g. d33f51dyacx7bd.cloudfront[.]net). The cruel irony is that the victims are exactly the people best positioned to analyze malware. Enforce that security tooling is installed only from vendor-canonical domains or signed package repositories, and treat any reverse-engineering or networking utility downloaded from a search-result link as suspect until hash-verified.
- Treat blockchain-resolved C2 as a detection blind spot you must close — Elastic's PHANTOMPULSE (REF6598) resolves its command-and-control server by reading transaction inputs from wallet addresses on Ethereum, Base, and Optimism, so there is no static C2 domain to block. The technique class is now DPRK-tagged (it matches the dead-drop-resolver pattern Mandiant attributes to UNC5342/Contagious Interview), and the lures arrive via fake VC-firm outreach on LinkedIn and Telegram. You cannot sinkhole a transaction. Shift detection left to the host: schuac-style UAC bypass, hardware-breakpoint evasion, and process injection are the durable signals. Alert on workstation processes making outbound calls to public Blockscout/Etherscan-style RPC endpoints where no blockchain development is expected.
- If you use device-code authentication anywhere, audit your conditional access policy this week — the Kali365 PhaaS platform has pivoted from Microsoft to abusing Okta, Xerox DocuShare, and MAX Messenger device-code flows for MFA bypass. The device authorization grant remains the soft underbelly of modern identity: the victim authenticates on a legitimate provider URL, and the attacker silently collects the resulting access and refresh tokens. Restrict the OAuth 2.0 device authorization grant to managed devices (or disable it outright where unused) across every IdP you operate, not just Entra. Okta administrators should review which apps permit device-code grants and constrain them by network and device posture.
- Brief your help desk and fraud teams that the "Error 524" smishing operation will not phish them — that is by design. Group-IB's operation impersonates 260+ brands across 72 countries (4,389 phishing domains, with telecom and financial services the top sectors) and serves a convincing fake Cloudflare "Error 524" timeout page to any visitor who fails its access-control checks — wrong country geolocation, non-mobile user-agent, or missing session parameters. This means your analysts and automated scanners see a benign error while mobile victims in-region see the live credit-card phishing kit, which exfiltrates entered card data in real time over encrypted WebSocket channels. Hunt from a mobile, in-region vantage point with the expected session parameters, or you will conclude infrastructure is dead when it is fully operational.
- Reinforce that "trusted source" now means cryptographically verified, not familiar-looking — this week's campaigns weaponized a developer's note-taking app (Obsidian plugin), adult game torrents (Argamal RAT via COM hijacking), a fake BlueWallet site (macOS AppleScript stealer), and Chrome extension copyright-removal phishing. None of these required a vulnerability; all required a moment of misplaced trust. The fake BlueWallet chain pulls a payload via curl from projects2026box[.]com to /tmp/.sysupd.sh, and the Argamal RAT persists by hijacking the InprocServer32 entry of the Windows Color System Calibration Loader. Endpoint behavioral detection — unexpected COM registry writes, shell utilities spawned from installers, scripts writing to /tmp dotfiles — is the controlling defense when the delivery channel is trust itself.
- Add the malspam-to-RAT loader chains (DesckVB RAT, JS.MonoGlyphRAT) to your email and EDR hunt lists — both arrive through ordinary business-themed lures and stage through scripting interpreters before dropping a backdoor. DesckVB delivers via a ZIP containing a .js file that chains JScript → PowerShell → .NET, dropping artifacts such as C:\Users\Public\ktncm.js; JS.MonoGlyphRAT uses sales-themed phishing to establish persistence and pull additional payloads. The common denominator is the script interpreter as the execution bridge. Constrain wscript/cscript execution of files from archives and downloads, log PowerShell with script-block logging, and alert on Office or browser processes spawning js/vbs/powershell children.
- The Deception Economy: A 100+ Site Malware Distribution Ecosystem
- Industrialized Smishing: The Error 524 Decoy and 260+ Impersonated Brands
- The RAT Wave: PHANTOMPULSE, Argamal, DesckVB, and JS.MonoGlyphRAT
- Identity & Credential Theft: Kali365 Pivots to Okta, Fake Apps, Dev-Account Phishing
- Also Worth Tracking: Chinese Delivery Domains, ClickFix NetSupport, Talos Telemetry
The Deception Economy: A 100+ Site Malware Distribution Ecosystem Spoofing Developer Tools
Check Point Research published the week's most significant report: a deep look inside a coordinated malware distribution ecosystem that combines brand impersonation, click hijacking, and a sophisticated Traffic Distribution System (TDS) to funnel victims toward new malware families. The operation's defining choice of bait is what makes it notable — it impersonates open-source and freeware developer and security tools, placing more than 100 lookalike sites high in search results for utilities like Ghidra, dnSpy, ILSpy, and SpiderFoot. The submission to iocget surfaced 86 indicators from this single campaign, the largest of the week.
100+ Spoofed Tool Sites Funnel Through a Gated TDS to Deliver New Stealer and Loader Families
The ecosystem repurposed existing infrastructure for malware distribution starting in January 2026, building 100+ websites that spoof developer and reverse-engineering tools. Spoofed domains observed in our data include ghidralite[.]com, dnspy[.]org, ilspy[.]org, grpcurl[.]com, mqttexplorer[.]com, and mfcmapi[.]com. Downloads are front-ended through CloudFront distributions such as d33f51dyacx7bd.cloudfront[.]net and dcbbwymp1bhlf.cloudfront[.]net with query-string gating (e.g. ?aydfd=1237183). The TDS enforces first-visit state, a mandatory click confirmation, anti-bot and anti-analysis logic, VPN/datacenter filtering, and frequency capping — an access-control architecture purpose-built to show analysts and crawlers nothing while serving real victims a payload. The malware set is new: SessionGate, a previously unknown multi-stage loader with heavy obfuscation; RemusStealer, an infostealer targeting 20+ browsers and hundreds of extensions including wallets, 2FA tools, and password managers; and AnimateClipper, a cryptocurrency clipper covering 20+ blockchains. Observed activity skewed toward Turkey, Poland, Brazil, Germany, France, Russia, and the UK.
A Second Cluster of Chinese Delivery Domains: Spoofed Sites, Fake Login Dashboards, Selective Delivery
DomainTools published the second installment of its analysis of Chinese-language malware delivery domains, this cluster focused on user data collection and selective malware delivery via spoofed websites and fake login dashboards. The 72 IOCs extracted from this submission included a notable volume of operator email addresses across outlook[.]com, gmail[.]com, proton[.]me, 163[.]com, and mozmail[.]com — useful pivot points for clustering related infrastructure. The selective-delivery model (deciding per-visitor whether to serve malware or a benign page) mirrors the TDS gating logic seen in the Check Point ecosystem above, reinforcing that conditional, victim-aware delivery is now the norm rather than the exception in commodity distribution.
The decision to impersonate developer and security tools is not incidental — it is a targeting strategy with outsized payoff. A developer or analyst workstation typically holds cloud credentials, signing keys, source-code access, CI/CD tokens, and the very tooling needed to move laterally. By poisoning searches for Ghidra, dnSpy, and similar utilities, the operators select for victims whose compromise is worth far more than an average endpoint. The defensive implication is concrete: organizations should treat the acquisition of security and reverse-engineering tooling as a controlled supply-chain decision, not an ad-hoc download. Maintain an internal mirror or an approved-source list for these utilities, hash-verify against project-published checksums, and block known TDS front-ends. The same gating that hides these sites from your crawlers should make you assume any single negative scan result is unreliable — presence in a curated blocklist matters more than a one-time "looks clean" verdict.
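One way to turn the "controlled supply-chain decision" above into an enforceable gate, as an added example that is not part of the Check Point report or the newsletter: the check refangs the reported lookalike domains into a blocklist, requires the download host to be on a per-tool approved-source list (the mirror hostname and the approved-source table are placeholders), flags hosts that merely embed a tool's name, and verifies the archive's SHA-256 against the checksum the project publishes.

```python
"""Acquisition gate for security / reverse-engineering tooling.
Added example for the newsletter: blocklist from the reported lookalike domains,
approved-source allowlist (placeholder hosts), lookalike heuristic, and SHA-256
verification against a project-published checksum."""
import hashlib
from urllib.parse import urlparse

# Defanged indicators quoted in the newsletter from the Check Point report.
REPORTED_LOOKALIKES = [
    "ghidralite[.]com", "dnspy[.]org", "ilspy[.]org", "grpcurl[.]com",
    "mqttexplorer[.]com", "mfcmapi[.]com", "d33f51dyacx7bd.cloudfront[.]net",
]

# Assumed internal policy table: tool -> hosts allowed to serve it.
# 'mirror.corp.example' is a placeholder for your own curated mirror.
APPROVED_SOURCES = {
    "ghidra": {"mirror.corp.example"},
    "dnspy": {"mirror.corp.example"},
    "ilspy": {"mirror.corp.example"},
    "spiderfoot": {"mirror.corp.example"},
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


BLOCKLIST = {refang(d) for d in REPORTED_LOOKALIKES}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def host_blocklisted(host: str) -> bool:
    """Exact match or subdomain of a blocklisted name."""
    return host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST)


def evaluate_download(tool: str, url: str, data: bytes, expected_sha256: str) -> dict:
    """Return an allow/deny verdict with every reason that contributed to a denial."""
    host = (urlparse(url).hostname or "").lower()
    tool_key = tool.lower()
    reasons = []

    if host_blocklisted(host):
        reasons.append(f"host {host} is on the reported-lookalike blocklist")

    if host not in APPROVED_SOURCES.get(tool_key, set()):
        reasons.append(f"host {host} is not an approved source for {tool}")
        # Lookalike heuristic: an unapproved host that embeds the tool's name
        # is exactly the SEO-poisoning pattern the report describes.
        if tool_key in host.replace("-", "").replace("_", ""):
            reasons.append(f"host {host} embeds the tool name '{tool}' (lookalike heuristic)")

    actual = sha256_hex(data)
    if actual != expected_sha256.lower():
        reasons.append("SHA-256 does not match the published checksum")

    return {"allow": not reasons, "host": host, "sha256": actual, "reasons": reasons}


if __name__ == "__main__":
    archive = b"constructed archive bytes"          # stands in for the downloaded file
    published = sha256_hex(archive)                 # stands in for the project's checksum
    for url in ("https://mirror.corp.example/ghidra_11.zip",
                "https://ghidralite.com/ghidra.zip",
                "https://ghidra-downloads.example/ghidra.zip"):
        print(evaluate_download("ghidra", url, archive, published))
```

The verdict carries all reasons rather than the first one so that a blocklisted host with a bad hash is logged as both, which is the signal worth escalating. The blocklist check also matches subdomains, so a front-end that serves from a child of a listed CloudFront distribution is still caught.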
Industrialized Smishing: The Error 524 Decoy and 260+ Impersonated Brands
Group-IB unmasked a global smishing and phishing operation that demonstrates how far brand-impersonation phishing has industrialized. The campaign's signature evasion technique — serving a fake Cloudflare "Error 524" timeout page to any visitor who fails its access-control criteria — is a textbook example of why threat-intelligence teams must replicate victim conditions to validate infrastructure.
4,389 Phishing Domains, 260+ Brands, 72 Countries — WebSocket Exfiltration Behind Fake Error Pages
Active since the second half of 2025, the operation impersonates more than 260 unique brands across 72 countries spanning LATAM, Europe, APAC, North America, and the META region. Group-IB identified 4,389 phishing domain instances; Mexico alone accounts for 1,851, with Chile and Colombia also heavily targeted. Telecommunications is the most targeted sector (1,754 domains), followed by financial services and consumer rewards programs. The defining technique is the decoy: when a request fails the campaign's access-control checks — IP geolocation from a non-targeted country, a non-mobile user-agent, or missing session parameters — the server returns a page visually identical to a Cloudflare Error 524 gateway timeout. Victims who pass the checks receive a live phishing kit that exfiltrates entered credit-card data in real time over encrypted WebSocket channels with heartbeat pings. Roughly 30% of the infrastructure is hosted on Tencent Cloud and Alibaba (US) origins, fronted by Cloudflare (AS13335) to mask true hosting IPs.
Fake Invoice Campaign Caught Mid-Build: PayPal, Amazon, Geek Squad Callback-Number Fraud
Malwarebytes documented a fake-invoice scam campaign — caught while the operators were still building it — that impersonates PayPal, Amazon, and Geek Squad to push victims toward calling fraudulent support numbers (a callback-phishing / "phone-oriented attack delivery" pattern). The IOCs are a tidy cluster of low-cost .xyz domains: invoicepdfin[.]xyz, invoicepdfus[.]xyz, invoicepdfusa[.]xyz, invoicerep[.]xyz, invoicestatement[.]xyz, and invoicestm[.]xyz. The naming convention is itself a detection opportunity: bulk-registered, theme-consistent domains on cheap TLDs are well-suited to proactive blocking via registration-pattern monitoring before the campaign goes live.
.xyz domains · Brands: PayPal, Amazon, Geek Squad · TTP: callback-number fraud · Caught pre-launch
The Error 524 decoy is the operational lesson of the week for threat-intel teams: infrastructure that appears dead to you may be fully live to its victims. Conditional-access cloaking — geofencing, user-agent gating, session-parameter requirements — means that scanning from a datacenter IP with a desktop user-agent and no campaign cookie will reliably return a benign error page. Any verdict of "this domain is down" or "this is a false positive" reached from that vantage point is methodologically unsound. Validation requires reproducing victim conditions: mobile user-agent, in-region (or residential proxy) source IP, and the expected session parameters from the lure URL. Build this into your enrichment pipelines now, because the technique is becoming standard across both phishing kits (this report) and malware TDS gating (Section 01) — the same evasion logic, applied to different payloads.
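The validation methodology described above, as an added example that is neither Group-IB's tooling nor part of the newsletter: the same URL is requested under a datacenter-scanner profile and a victim-like profile (mobile user-agent, in-region egress, the session parameter from the lure), and the responses are compared. The fetcher is injected so the logic runs offline against a constructed simulator; the decoy signature (the Cloudflare 524 text arriving under a status other than 524) is a heuristic assumption, and the user-agent strings and session value are constructed.

```python
"""Differential validation of suspected phishing infrastructure.
Added example: probe one URL under several vantage-point profiles and compare.
Pass a real HTTP wrapper as `fetch` in production; `simulated_fetch` below is a
constructed stand-in so the example runs offline."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Probe:
    name: str
    headers: dict
    params: dict = field(default_factory=dict)
    egress: str = "datacenter"   # assumed label: "datacenter" or "in-region"


@dataclass
class Response:
    status: int
    body: str


# Heuristic (assumption): a genuine Cloudflare 524 arrives with HTTP status 524.
# The same text delivered under a normal status is a decoy page, not a timeout.
DECOY_MARKERS = ("error 524", "a timeout occurred")


def looks_like_524_decoy(resp: Response) -> bool:
    text = resp.body.lower()
    return resp.status != 524 and all(m in text for m in DECOY_MARKERS)


def validate(url: str, fetch, probes: list) -> dict:
    """Fetch `url` once per probe and classify the infrastructure."""
    results = {}
    for probe in probes:
        resp = fetch(url, probe)
        results[probe.name] = {
            "status": resp.status,
            "digest": hashlib.sha256(resp.body.encode()).hexdigest()[:16],
            "decoy": looks_like_524_decoy(resp),
        }
    digests = {r["digest"] for r in results.values()}
    decoys = [r["decoy"] for r in results.values()]
    if len(digests) > 1 and any(decoys):
        verdict = "live-cloaked"          # decoy for some profiles, real content for others
    elif len(digests) > 1:
        verdict = "conditional-delivery"  # differs by profile, no decoy signature seen
    elif all(decoys):
        verdict = "decoy-only"            # every probe saw the decoy: inconclusive, not "dead"
    else:
        verdict = "consistent"
    return {"verdict": verdict, "probes": results}


# Profile a typical enrichment pipeline uses (constructed desktop UA, datacenter egress).
DATACENTER_SCANNER = Probe(
    "datacenter-scanner",
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                   "Chrome/125.0 Safari/537.36"},
)
# Victim-like profile: mobile UA, in-region egress, session parameter copied from the lure URL.
VICTIM_LIKE = Probe(
    "victim-like",
    {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1"},
    {"sid": "constructed-session-id"},
    egress="in-region",
)


def simulated_fetch(url: str, probe: Probe) -> Response:
    """Constructed stand-in for the network (not a real kit): returns the decoy unless
    the request looks like an in-region mobile visitor carrying a session id."""
    mobile = "Mobile" in probe.headers.get("User-Agent", "")
    if probe.egress == "in-region" and mobile and "sid" in probe.params:
        return Response(200, "<html><body><form>Card number <input name='cc'></form></body></html>")
    return Response(200, "<html><body><h1>Error 524</h1><p>A timeout occurred</p></body></html>")


if __name__ == "__main__":
    print(validate("https://phish.invalid/lure", simulated_fetch, [DATACENTER_SCANNER, VICTIM_LIKE]))
```

The important verdict is "decoy-only": when every probe, including the victim-like one, returns the decoy, the result is inconclusive rather than evidence that the site is down, which is the methodological point the report makes.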
The RAT Wave: PHANTOMPULSE, Argamal, DesckVB, and JS.MonoGlyphRAT
Four distinct remote-access trojans appeared in this week's submissions, each delivered through a different trust channel and each illustrating a different evasion technique — from blockchain-based C2 resolution to trojanized adult games to multi-stage script loaders.
| Malware | Delivery Vector | Notable Technique | Source |
|---|---|---|---|
| PHANTOMPULSE | Fake VC outreach on LinkedIn/Telegram; Obsidian plugin abuse (REF6598) | C2 resolved via Ethereum/Base/Optimism transaction inputs; schuac UAC bypass; HWBP evasion. DPRK-tagged technique class. | Elastic Security Labs |
| Argamal RAT | Trojanized hentai games via dedicated sites, PixelDrain, and torrent trackers (AniRena) | COM hijacking of the Windows Color System Calibration Loader InprocServer32 for logon persistence; full device control. | Kaspersky / Securelist |
| DesckVB RAT | Malspam with ZIP-delivered .js file | Multi-stage loader: JScript → PowerShell → .NET. Drops artifacts such as C:\Users\Public\ktncm.js. | Huntress |
| JS.MonoGlyphRAT | Sales-themed phishing lures targeting US enterprises | JavaScript backdoor; establishes persistence, C2 beacon, downloads additional payloads. | ANY.RUN |
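The script-interpreter execution bridge in the DesckVB and JS.MonoGlyphRAT rows (JScript → PowerShell → .NET) is the kind of chain a process-tree rule catches regardless of the lure. The following is an added example, not Huntress or ANY.RUN detection content: it runs three rules over constructed process-creation events in a generic Sysmon-like shape (pid, ppid, image, cmdline), flagging wscript/cscript launched on a script from a user-writable path, any interpreter with an Office or browser ancestor, and PowerShell spawned directly by a script host.

```python
"""Process-tree rules for script-interpreter loader chains.
Added example for the newsletter; the event shape is a generic dict, not a vendor
schema, and SAMPLE_EVENTS is constructed telemetry."""
import re

INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict, depth: int = 4) -> list:
    """Walk up the parent chain (bounded) so a reparented grandchild is still attributed."""
    chain, current = [], by_pid.get(pid)
    while current and len(chain) < depth:
        parent = by_pid.get(current["ppid"])
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return chain


def analyze(events: list) -> list:
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = image_name(e["image"])
        if img not in INTERPRETERS:
            continue
        cmd = e["cmdline"].lower()
        # Rule 1: script host executing a script file from an archive/download location.
        if img in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and any(p in cmd for p in USER_WRITABLE):
            alerts.append({"rule": "SCRIPT_FROM_DOWNLOAD", "pid": e["pid"], "detail": e["cmdline"]})
        # Rule 2: interpreter with an Office or browser process anywhere in its ancestry.
        user_app = [image_name(p["image"]) for p in ancestors(e["pid"], by_pid)
                    if image_name(p["image"]) in USER_APPS]
        if user_app:
            alerts.append({"rule": "INTERPRETER_SPAWNED_BY_USER_APP", "pid": e["pid"],
                           "detail": f"ancestor {user_app[0]}"})
        # Rule 3: the JScript -> PowerShell bridge itself.
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent["image"]) in SCRIPT_HOSTS and img in POWERSHELL:
            alerts.append({"rule": "SCRIPT_TO_POWERSHELL_BRIDGE", "pid": e["pid"],
                           "detail": f"{image_name(parent['image'])} -> {img}"})
    return alerts


# Constructed telemetry: a mail client opens a ZIP-delivered .js, which bridges to
# PowerShell; pid 600 is a benign admin script launched from the desktop shell.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe \"C:\\Users\\jdoe\\Downloads\\Invoice_4412\\invoice.js\""},
    {"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"<constructed stage-2 command>\""},
    {"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File \"C:\\Program Files\\IT\\inventory.ps1\""},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 walks up to four generations so the PowerShell stage is still tied back to the mail client even though its direct parent is wscript.exe; the benign admin script at pid 600 trips none of the rules because its only ancestor is the shell and its script lives under Program Files.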
PHANTOMPULSE: A RAT With No C2 Domain to Block — It Reads Ethereum Transactions Instead
Elastic Security Labs published a reverse-engineering analysis of PHANTOMPULSE, a long-lived .NET RAT delivered through the REF6598 intrusion set targeting financial and cryptocurrency-sector individuals. Operators pose as venture-capital representatives, approaching targets on LinkedIn and Telegram with investment pretexts and, in observed cases, abusing an Obsidian note-taking plugin to deliver the implant. PHANTOMPULSE's defining feature is its decentralized C2 resolution: it reads transaction input fields from specific wallet addresses on Ethereum, Base, and Optimism, using public blockchain infrastructure as a dead-drop resolver to identify its current C2 server. The implant ships three process-injection techniques, bypasses UAC via the public schuac technique, and includes hardware-breakpoint evasion. Elastic notes AI-assisted development fingerprints in the code. The blockchain-resolved C2 matches the dead-drop-resolver pattern Mandiant attributes to UNC5342 (Contagious Interview), placing the technique class in DPRK-tagged territory, though Elastic's specifics are not a 1:1 fingerprint.
Argamal RAT Ships in Hentai Games, Persists via COM Hijacking of a Windows System DLL
Kaspersky discovered Argamal, a previously unknown RAT distributed inside trojanized hentai games delivered through dedicated download sites (links redirecting to PixelDrain) and torrent trackers including AniRena. On launch, the infected game installs the implant and establishes persistence through COM hijacking — replacing the InprocServer32 entry for the Windows Color System Calibration Loader DLL, which is triggered at user logon. The RAT provides full device control: command execution, screenshots, file management, and input-device control, with data and credential theft the assessed goal. Hundreds of victims were observed, concentrated in Russia, Brazil, Germany, and Vietnam. The 38 IOCs from this report give defenders concrete hunt material for the COM-hijack persistence and the distribution domains.
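A hunt for the COM-hijack persistence described above, as an added example that is not Kaspersky's detection content: it parses exported registry data in the .reg format and flags InprocServer32 default values that either live in the user hive (where a per-user CLSID shadows the machine-wide registration) or point at a DLL outside the system and program directories. The export is constructed, and the CLSIDs in it are placeholders, not the Color System Calibration Loader's real identifier.

```python
"""COM-hijack hunt over exported registry data (.reg format).
Added example for the newsletter; SAMPLE_REG is a constructed export with
placeholder CLSIDs."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
USER_HIVES = ("HKEY_CURRENT_USER\\", "HKEY_USERS\\")
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\svc\\loader.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCCCCCCC-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\ProgramData\\Updater\\upd.dll"
'''


def parse_inproc_servers(text: str) -> list:
    """Collect (key, dll) pairs for every InprocServer32 default value in a .reg export."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = DEFAULT_VALUE_RE.match(line)
        if value_match and current_key and current_key.lower().endswith("\\inprocserver32"):
            # .reg escapes each backslash as "\\"; collapse back to a real path.
            entries.append({"key": current_key, "dll": value_match.group(1).replace("\\\\", "\\")})
    return entries


def assess(entries: list) -> list:
    """Return only the entries with hijack indicators, each with its reasons."""
    findings = []
    for entry in entries:
        reasons = []
        if entry["key"].upper().startswith(USER_HIVES):
            reasons.append("user-hive CLSID shadows machine-wide registration")
        dll = entry["dll"].lower().replace("%systemroot%", "c:\\windows")
        if not dll.startswith(TRUSTED_PREFIXES):
            reasons.append("server DLL outside system/program directories")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def hunt(text: str) -> list:
    return assess(parse_inproc_servers(text))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_REG):
        print(finding["key"], "->", finding["dll"], finding["reasons"])
```

Running this against exports of HKLM\SOFTWARE\Classes\CLSID and each loaded user hive's Software\Classes\CLSID gives a baseline to diff over time; a new user-hive InprocServer32 appearing for a CLSID that the system already registers is the highest-value hit.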
PHANTOMPULSE's blockchain C2 is the standout technical development of the week, and it breaks a foundational assumption of network-based detection. Traditional C2 disruption relies on identifying and blocking (or sinkholing) a domain or IP. A dead-drop resolver that reads its next-hop from an immutable public blockchain transaction has no takedown surface — the resolver infrastructure is Ethereum itself, and the actual C2 can be rotated by publishing a single cheap transaction. There is no DNS to poison, no domain to seize, no certificate to revoke. The defensive response must move entirely to the host and to anomalous-egress analysis: detect the schuac UAC bypass and process-injection behaviors at execution time, and flag the network anomaly of an enterprise endpoint querying public blockchain RPC/explorer endpoints when no legitimate blockchain workload exists on that host. Expect this technique to proliferate now that a polished, AI-assisted implementation has been publicly dissected.
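The anomalous-egress signal described above, as an added example that is not part of Elastic's analysis or the newsletter: a small detector that reads proxy log lines, matches destination hosts against a watchlist of public blockchain explorer/RPC domains, and alerts only when the source address falls outside the subnets where blockchain development is expected. The log format, the dev-subnet allowlist and the log lines are constructed; the two-entry watchlist is a starting assumption to extend with the RPC providers your environment actually sees.

```python
"""Egress detector for public blockchain RPC/explorer queries from non-blockchain hosts.
Added example for the newsletter; log format, allowlist and sample lines are constructed,
and the host watchlist is an assumed starter set to tune locally."""
import ipaddress
import re
from collections import defaultdict

# Assumed starter watchlist of public explorer/RPC domains (suffix match).
BLOCKCHAIN_HOST_SUFFIXES = ("etherscan.io", "blockscout.com")
# Constructed allowlist: the subnet where blockchain development legitimately happens.
BLOCKCHAIN_DEV_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Constructed proxy log: a finance workstation polls explorer APIs, a dev box does the
# same legitimately, and a third workstation browses an unrelated site.
SAMPLE_LOG = """\
2026-06-02T10:15:02Z src=10.1.4.22 user=jdoe host=api.etherscan.io path=/api?module=proxy&action=eth_getTransactionByHash status=200
2026-06-02T10:15:09Z src=10.1.4.22 user=jdoe host=eth.blockscout.com path=/api/v2/addresses/0xabc/transactions status=200
2026-06-02T10:16:40Z src=10.20.0.7 user=devops host=api.etherscan.io path=/api?module=account&action=txlist status=200
2026-06-02T10:17:01Z src=10.1.4.31 user=asmith host=www.example.com path=/ status=200
"""


def is_blockchain_host(host: str) -> bool:
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in BLOCKCHAIN_HOST_SUFFIXES)


def is_expected_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKCHAIN_DEV_SUBNETS)


def find_anomalous_egress(log_text: str) -> list:
    """Group watchlist hits by (source, user), dropping sources on the dev allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if is_blockchain_host(rec["host"]) and not is_expected_source(rec["src"]):
            hits[(rec["src"], rec["user"])].append(rec["host"])
    return [
        {"src": src, "user": user, "hosts": sorted(set(hosts)), "requests": len(hosts)}
        for (src, user), hosts in hits.items()
    ]


if __name__ == "__main__":
    for alert in find_anomalous_egress(SAMPLE_LOG):
        print(alert)
```

Aggregating per source and user keeps a single curious visit from paging anyone while repeated polling of explorer APIs from a finance or HR workstation surfaces clearly; pair the alert with the host-side signals (UAC bypass, process injection) before treating it as confirmed.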
Identity Under Pressure: Kali365 Pivots to Okta, Fake Apps, and Developer-Account Phishing
The credential-theft theme that ran through prior weeks continued, with a notable expansion of the Kali365 phishing-as-a-service platform beyond Microsoft, alongside fake-application stealers and a phishing campaign aimed squarely at the accounts of software developers.
Kali365 Expands MFA-Bypass Operation From Microsoft to Okta, Xerox DocuShare, and MAX Messenger
The Kali365 phishing-as-a-service platform — previously documented (via an FBI PSA in late May) abusing Microsoft's OAuth 2.0 device authorization grant for MFA bypass — has expanded its target set to Okta, Xerox DocuShare, and MAX Messenger. The core technique is unchanged: the platform abuses device-code authentication so that the victim authenticates on a legitimate provider URL while the attacker silently captures the resulting access and refresh tokens, never touching the password and never needing real-time MFA interception. The pivot to Okta is the significant development — it confirms the device-code weakness is a cross-IdP problem, not a Microsoft-specific one, and that PhaaS operators are productizing each provider's flow in turn.
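A defender-side complement to the conditional-access fix, as an added example that is not part of the CyberPress report or the newsletter: the first function scans sign-in log records for device-code authentications from unmanaged devices (record field names follow the Microsoft Graph signIn resource as I understand it and should be checked against your tenant; the records are constructed), and the second builds the Conditional Access policy body that blocks the flow or limits it to managed devices (the authenticationFlows/transferMethods condition shape is an assumption to verify against current Graph documentation before use). Okta sign-in events carry different field names, so the scan would need a small adapter there.

```python
"""Device-code sign-in review and Conditional Access policy builder.
Added example for the newsletter; SAMPLE_SIGNINS are constructed records shaped
like Microsoft Graph signIn objects (field names are an assumption to verify),
and the policy body shape is likewise an assumption to check against Graph docs."""

SAMPLE_SIGNINS = [
    {"userPrincipalName": "jdoe@corp.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "deviceDetail": {"isManaged": False, "isCompliant": False}},
    {"userPrincipalName": "ops@corp.example", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.5",
     "location": {"countryOrRegion": "US"}, "deviceDetail": {"isManaged": True, "isCompliant": True}},
    {"userPrincipalName": "asmith@corp.example", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "US"}, "deviceDetail": {"isManaged": False, "isCompliant": False}},
]


def device_code_signins(records: list, home_countries=("US",)) -> list:
    """Device-code grants completed from unmanaged devices; out-of-region ones rank higher."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        device = rec.get("deviceDetail", {})
        if device.get("isManaged") or device.get("isCompliant"):
            continue  # permitted under a restrict-to-managed policy
        country = rec.get("location", {}).get("countryOrRegion")
        findings.append({
            "user": rec["userPrincipalName"],
            "app": rec.get("appDisplayName"),
            "ip": rec.get("ipAddress"),
            "country": country,
            "severity": "high" if country not in home_countries else "medium",
        })
    return findings


def device_code_policy(mode: str = "block") -> dict:
    """Conditional Access policy body for the device authorization grant.
    mode="block" disables the flow; mode="managed-only" requires a compliant or
    hybrid-joined device. Created in report-only state so impact can be reviewed first."""
    if mode == "block":
        controls = ["block"]
    elif mode == "managed-only":
        controls = ["compliantDevice", "domainJoinedDevice"]
    else:
        raise ValueError("mode must be 'block' or 'managed-only'")
    return {
        "displayName": f"Device code flow: {mode}",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            # Assumed shape of the authentication-flows condition; verify before deploying.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


if __name__ == "__main__":
    for finding in device_code_signins(SAMPLE_SIGNINS):
        print(finding)
    print(device_code_policy("managed-only"))
```

Review the report-only policy's sign-in impact for a week (the findings list is the same data viewed from the log side), add exclusions for the few service workflows that genuinely need device code on managed hosts, then switch the state to enabled.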
Fake BlueWallet Site Drops macOS AppleScript Stealer for Passwords, Wallets, and Clipboard
A fake BlueWallet website (update-bluewallet[.]com, impersonating the legitimate bluewallet.io) targets Mac users with a malicious AppleScript "BlueWallet Installer" that downloads a payload to steal passwords, cryptocurrency wallets, and clipboard data. The chain pulls the second stage via curl from projects2026box[.]com/serve_site/ to /tmp/.sysupd.sh. The hidden-dotfile staging path in /tmp and a shell utility invoked from an AppleScript installer are both strong host-based detection signals on macOS endpoints, where users frequently assume the platform's relative malware scarcity confers safety.
update-bluewallet[.]com → projects2026box[.]com · Stage 2: /tmp/.sysupd.sh via curl · Targets: macOS passwords, wallets, clipboard
Fake Copyright-Removal Notices Target Chrome Extension Developers to Steal Google Logins
A phishing campaign targets Chrome extension developers with convincing fake copyright-removal requests, designed to steal Google login credentials and potentially compromise developer accounts. The targeting is strategic: a compromised extension-developer Google account can be used to push a malicious update to an extension's entire installed base — a supply-chain pivot from a single credential theft. This mirrors the broader week's theme of attackers selecting victims (developers, analysts) whose accounts unlock downstream blast radius, and it underscores why phishing-resistant MFA on developer and publisher accounts is disproportionately valuable.
Also Worth Tracking
SmartApeSG ClickFix Campaign Pushes a Malicious NetSupport Manager RAT Package
The SANS Internet Storm Center documented a RAT infection originating from the SmartApeSG ClickFix campaign, which pushes a malicious NetSupport Manager RAT package. ClickFix — socially engineering users into pasting a malicious command into the Run dialog or terminal under the guise of "fixing" a fake error — remains one of the most effective initial-access patterns precisely because the victim executes the payload by hand, bypassing many download and attachment controls. The 25 IOCs from this submission support hunting for the NetSupport client configuration and C2 endpoints. Defensive priority: user education on the "paste this to fix it" pattern, and detection of NetSupport binaries running outside sanctioned IT-support deployments.
Talos: Threat Hunting for KongTuke C2 and the Most Prevalent Malware in Telemetry
The Cisco Talos Threat Source newsletter (reporting from Cisco Live) covered threat hunting for KongTuke C2 activity, AI in security operations, and the most prevalent malware files in Talos telemetry. The 15 IOCs extracted provide current high-volume commodity-malware indicators worth cross-referencing against your environment. Talos telemetry rankings are a useful sanity check on which families are actually hitting endpoints at scale versus which are merely generating headlines — a distinction worth keeping in front of leadership when prioritizing detection engineering effort.
Taken together, this week's reports describe a single coherent shift: the initial-access market has decoupled from the vulnerability market. A TDS spoofing developer tools, a 72-country smishing operation, ClickFix command-paste social engineering, fake VC outreach delivering a blockchain-C2 RAT, trojanized games, and device-code MFA bypass — not one of these depends on an unpatched CVE. They depend on a search result, a text message, a familiar app icon, or a moment of social trust. Patch management and exposure reduction remain necessary, but they are increasingly aimed at a different part of the kill chain than the one most actively monetized this week. The controls that map to this threat model are user-facing and host-facing: phishing-resistant MFA (especially for developers and admins), behavioral EDR tuned for script-interpreter chains and anomalous persistence, curated software-acquisition sources, and threat-intel validation methodology that reproduces victim conditions rather than trusting a datacenter-vantage scan.
Analyst Assessment: May 30–June 5 in Context
The week's signal is the industrialization of deception as a delivery layer that operates independently of software vulnerabilities. Check Point's 100+ site TDS, Group-IB's 4,389-domain smishing operation, and the cluster of fake-app and trojanized-software campaigns all share an architecture: conditional, victim-aware delivery that shows analysts a benign surface while serving real targets a payload. The same gating logic appears in commodity malware distribution and in phishing kits, which means it is no longer a sophistication marker — it is table stakes. For defenders, the most important downstream consequence is methodological: a negative scan result from your normal vantage point carries far less evidentiary weight than it did two years ago. Validation now requires reproducing victim conditions, and blocklist hygiene from curated intelligence matters more than one-shot verdicts.
PHANTOMPULSE's blockchain-resolved C2 is the technical milestone of the week and deserves to be tracked as a trend, not a curiosity. A dead-drop resolver reading from Ethereum, Base, and Optimism transactions removes the takedown surface that underpins most network-layer C2 disruption — there is no domain to seize and the next C2 hop can be rotated with one cheap transaction. The technique class is now associated with DPRK operations (UNC5342 / Contagious Interview), and Elastic's public dissection of a polished, AI-assisted implementation will accelerate adoption. The durable detections are at the host (schuac UAC bypass, process injection, hardware-breakpoint evasion) and in egress analysis (enterprise endpoints querying public blockchain RPC/explorer endpoints with no legitimate blockchain workload). Teams that still equate "C2 detection" with "block the domain" should treat this as the moment to add host-behavioral and blockchain-egress signals to their coverage.
The Kali365 pivot from Microsoft to Okta confirms that OAuth device-code abuse is a cross-IdP structural weakness, not a single-vendor bug. Because the victim authenticates on a legitimate provider URL and the attacker only collects the resulting tokens, push-based MFA and phishing-page training do not stop it. The fix is a conditional-access decision — restrict the device authorization grant to managed devices, or disable it where it serves no business purpose — and it must be applied at every identity provider an organization runs. Organizations that hardened Entra against this in late May but left Okta's device-code flow open have closed one door and left an adjacent one ajar.
What to do this week: (1) Block the Check Point TDS dev-tool lookalike domains (ghidralite[.]com, dnspy[.]org, ilspy[.]org, and the CloudFront front-ends) and establish a curated, hash-verified source list for security and reverse-engineering tooling. (2) Restrict or disable the OAuth 2.0 device authorization grant at every IdP — Entra, Okta, and any others — following the Kali365 expansion. (3) Add host-behavioral detections for the week's persistence and C2 techniques: COM InprocServer32 hijacking (Argamal), script-interpreter loader chains (DesckVB, JS.MonoGlyphRAT), shell utilities writing to /tmp dotfiles (fake BlueWallet on macOS), and outbound public-blockchain RPC/explorer queries from non-blockchain hosts (PHANTOMPULSE). (4) Update threat-intel validation playbooks to reproduce victim conditions (mobile UA, in-region IP, expected session parameters) before judging infrastructure inactive — the Error 524 decoy and TDS gating make datacenter-vantage scans unreliable. (5) Enforce phishing-resistant MFA on developer, extension-publisher, and admin accounts, which this week's campaigns specifically targeted for downstream blast radius. (6) Brief users on ClickFix "paste this to fix it" social engineering and the prevalence of trojanized software, fake installers, and callback-number invoice scams.
Sources
- Check Point Research — Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem
- DomainTools — Chinese Malware Delivery Domains Part II: Data Collection
- Group-IB — Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
- Elastic Security Labs — PHANTOMPULSE: Anatomy of a Hijackable Blockchain-C2 RAT
- Kaspersky / Securelist — New Argamal RAT Targets Hentai Gamers
- Huntress — Malspam to DesckVB RAT: Delivery Chain Analysis
- ANY.RUN — JS.MonoGlyphRAT Attacks on US Enterprises
- CyberPress — Kali365 PhaaS Targets Okta, Xerox DocuShare, and MAX Messenger
- Malwarebytes — Fake BlueWallet Steals Passwords, Accounts, and Crypto From Macs
- Malwarebytes — Convincing Copyright Notices Designed to Steal Google Logins
- Malwarebytes — We Found This Fake Invoice Campaign While Scammers Were Still Building It
- SANS Internet Storm Center — SmartApeSG ClickFix Pushes NetSupport Manager RAT
- Cisco Talos — Talos Threat Source Newsletter: Reporting From Vegas — Networking, AI, and Good Boys
This post was generated with Claude by Anthropic, based on source reporting from the publications listed above and analysis of 13 IOC submissions to iocget.com between May 30–June 5, 2026.