ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories

The internet did not break this week. It got used exactly as designed, which is worse. Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS attacks ran in memory and left almost nothing behind. Cloud agents looked like helpers until attackers treated them like open shells. Add exposed edge gear, poisoned packages, cash courier scams, stealers, loaders, and phishing that barely bothers pretending anymore. Here’s the full mess. - DoH lands in Windows Server 2025 Microsoft has announced that DNS-over-HTTPS (DoH) for Windows DNS Server is generally available on Windows Server 2025 for client-to-server DNS traffic. "With general availability, organizations can now deploy encrypted and authenticated client-to-resolver DNS traffic directly within their existing on-premises DNS infrastructure," the company said. "The goal is to help improve privacy, reduce spoofing risk, and advance Zero Trust DNS without requiring a new resolver architecture. Enabling DoH on Windows DNS Server introduces encrypted communication for supported clients over HTTPS while preserving compatibility with most existing DNS deployments. Organizations can expect DoH traffic between DoH clients and Windows DNS Server to be encrypted via TLS, DNS queries to be transported as HTTPS requests, existing DNS functionality to continue operating as expected, and mixed environments, encrypted and traditional DNS, to be supported." - Search hijacks hide monetization layer A cluster of 23 deceptive Chrome browser extensions has been found stealthily overriding users' default search engines and routing queries through monetization middleware before delivering results. "Each extension presents a different advertised purpose - satellite imagery, productivity tools, news readers, maps – while the actual business is search affiliate revenue," security researcher Jean-Marie R. said. "The campaign spans at least 8 distinct monetization brokers and ~758,000 affected users. While this might look like simple adware, it is a real security risk. First, it is a massive privacy violation: every search a user makes is sent to anonymous third-party brokers. Second, because the operators control the web traffic, they can easily switch from showing regular search results to injecting phishing links or malicious downloads at any time – all without ever updating the extension code itself." - Fileless macOS ClickFix attack chain A Russian-speaking attacker has been observed targeting victims mainly in Asia, North America, and Oceania across technology, media, and business services sectors using ClickFix lures to deliver an AppleScript-based infostealer to macOS users. The ClickFix pages masquerade as downloads for a malware scanning utility. "To evade detection, the entire infection chain, starting from the initial clipboard paste to payload execution, is completely fileless, leaving no static artifacts on disk until persistence is established," Netskope Threat Labs said. "Victims are socially engineered into executing a curl command that fetches a gzip-compressed stager, which pipes the second-stage AppleScript directly into osascript memory." The second-stage, codenamed "Meow (DEBUG)," uses a fake system dialog to harvest credentials, browser data, session cookies, and keychain contents. It's also equipped with capabilities to trojanize legitimate desktop cryptocurrency wallet applications and maintain persistent command-and-control (C2) access, allowing the operator to run arbitrary payloads. - Claude chat abuse fuels malware delivery In another ClickFix campaign, threat actors have been spotted weaponizing Anthropic Claude's shared chat feature, abusing the trust associated with a legitimate domain to deliver the MacSync credential-stealing malware. "Cybercriminals hijacked Google Ads searches for popular AI developer tools to funnel over 2,000 victims toward malicious download pages before quietly moving their operation onto claude.ai's own platform, turning the trusted domain into a delivery mechanism for credential-stealing malware," Trend Micro said. "The Asia-Pacific region bore the brunt of the campaign, accounting for 67.2% of all confirmed victims, with Taiwan alone representing 30.5% of total traffic, a concentration that points to deliberate geographic ad targeting rather than opportunistic spread." As many as 106 unique malicious hostnames have been identified over a span of seven weeks across six distinct attack waves.Anthropic has since banned the accounts responsible, disabled the malicious shared conversations, and is implementing additional abuse mitigations for its shared chat feature. - WhatsApp booking fraud spreads globally Bitdefender haș warned of an ongoing phishing campaign impersonating hotels, resorts, and accommodation providers across more than 10 countries. "Unlike traditional travel scams that rely on generic phishing emails, this operation uses real booking information, localized messaging, and convincing hotel branding to trick travelers into handing over payment card details," the Romanian cybersecurity company said. "Victims receive personalized messages containing names, stay dates, reservation details, and cancellation warnings. The campaign relies exclusively on WhatsApp, with no matching email or SMS infrastructure observed." Observed languages include English, German, French, Spanish, Romanian, and Polish. Similar campaigns have been reported by Sekoia and Netcraft in the past. - AI agent targets vulnerability chaos Amazon Web Services (AWS) has announced a new artificial intelligence (AI)-powered security agent called AWS Continuum for code vulnerabilities, as models like Claude Mythos by attackers and defenders accelerate the ability to find and exploit vulnerabilities. AWS Continuum "addresses the full lifecycle of managing code vulnerabilities at machine speed. It continuously discovers vulnerabilities, validates which are genuinely exploitable, prioritizes them by business context, and helps you remediate them across the full stack within guardrails you define," AWS said. The tech giant said the agent is model agnostic, and that it uses multiple frontier models where they perform best. - SD-WAN zero-day scope expands Cisco has updated its February 2026 advisory for CVE-2026-20127, a critical privilege escalation flaw in Catalyst SD-WAN Controller and Catalyst SD-WAN Manager, to note that the vulnerability also affects Catalyst SD-WAN Validator. The security flaw has been exploited as a zero-day since 2023 by a sophisticated threat actor known as UAT-8616. It allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system by sending a crafted request. - AI coding agent trust bypass exposed Manifold Security has flagged two high-severity local code-execution paths on a developer's machine via a malicious repository in Cline, an AI coding agent VS Code extension with more than 4.3 million installs. The repository's content, in turn, tricks the agent into executing attacker-supplied shell commands under the developer's account, enabling access to credentials, source code, and other sensitive data. "Cline ships an Approve/Deny dialog and a "Safe Commands" auto-approve filter that are supposed to stop exactly this. Both fail," Ax Sharma, head of research at Manifold Security, said. "Clicking the URL preview tile to verify where the agent is fetching from runs an OS-level command instead. The Approve/Deny dialog never gates the click. 'Safe Commands' doesn't inspect commands. It asks the AI agent whether its own command is safe, and trusts the answer, even after the same agent has been manipulated by attacker content." While the findings have been classified as "out of scope," Cline plans to release fixes in an upcoming release. - HTTP/2 abuse shifts to live reconnaissance Earlier this month, Calif used OpenAI's Codex to discover an exploit called the HTTP/2 Bomb. Formally tracked as CVE-2026-49975, the vulnerability ironically chains together two features that were expressly designed to save internet bandwidth to help attackers amplify junk traffic by orders of magnitude. Imperva has since reported that attackers in the wild were "running specialized tools designed to map out" vulnerable servers. A working proof-of-concept (PoC) is publicly available. "Exposure in this set is led by communication services at 24.9% of observed assets, with information technology contributing 18.0% and healthcare close behind at 17.0%," CyCognito said. - Exposed email server becomes phishing hub Cybersecurity researchers have discovered an "interesting attack" where an unknown actor leveraged a victim's internet-facing terminal server as a phishing stager. Huntress said it recovered the full staging directory, including a legitimate bulk email software application (Gammadyne Mailer), a project file named dracii.mmp , and six target lists holding 8,894,920 email addresses. "The campaign impersonated the U.K. pharmacy chain Boots, using a 'free gift' survey as a lure," the company said. "The payload it pointed victims at was hosted on a compromised Bolivian government website, ipelc.gob[.]bo." The payload is a Boots phishing web page hosted within the /boots_store/ subdirectory that urges users to complete a survey and redeem a free gift by entering their personal and financial information. - Bank phishing delivers in-memory stealer An active phishing campaign is targeting banks to deliver Phantom Stealer, an infostealer that's sold under a subscription model for between $70 to $240 by a threat actor operating under the alias Oldphantomoftheopera. "The attack begins with phishing emails containing malicious attachments disguised as business documents," Fortra said. "Once executed, the malware runs entirely in memory, helping it evade traditional defenses. "The combination of targeted phishing delivery, advanced evasion techniques, broad cr