top of page

CYBER & INFOSEC

"blogger, InfoSec specialist, super hero ... and all round good guy" 

DISCUSSIONS, CONCEPTS & TECHNOLOGIES FOR THE WORLD OF

JOIN THE DISCUSSION

Novel Cyber TTPs: Attacker Playbook Updates – July 7, 2026

  • 49 minutes ago
  • 5 min read

Novel Cyber TTPs: Attacker Playbook Updates – July 7, 2026


Patching known CVEs is table stakes. What separates mature security programs from reactive ones is their ability to track and defend against attacker technique evolution — the 'how' behind the attacks, not just the 'what.' This week delivered an unusually rich set of novel TTP disclosures. We've got electromagnetic data exfiltration from air-gapped systems, Blogspot being weaponized as a fileless payload staging server, a brand-new Iranian C2 framework, ClickFix phishing that impersonates Google and Cloudflare's own UI patterns, and a cross-platform Java RAT sold as a service. Welcome to 2026.


TTP Breakdown


Veil#Drop: Blogspot as a Fileless Payload Staging Platform


Securonix researchers have documented Veil#Drop — a sophisticated attack framework that uses a chain of compromised legitimate websites and Google Blogspot blogs as payload staging infrastructure, combined with PowerShell and fileless execution techniques to deliver the PureLog information stealer while evading detection. The architecture is clever: by hosting payloads on Blogspot (a Google-owned, highly-trusted domain), attackers bypass domain reputation filters, web proxies, and many network-layer detection controls that would catch traffic to unknown malicious infrastructure.


From where I sit: this is a recurring theme in advanced attacker tradecraft — abuse of legitimate, trusted cloud services as delivery infrastructure. We've seen this with Dropbox, GitHub, Discord CDN, and now Blogspot. The problem is structural: defenders cannot simply block these domains without business impact. Effective defense requires behavioral analysis of the content being fetched, not just the domain being accessed.


Your SIEM and EDR need to be looking at what PowerShell is actually executing, not just where it's connecting. The fileless component means traditional file-scanning approaches are largely irrelevant here — this is a memory and behavior detection problem.


Defense priority: Review PowerShell execution logs for encoded commands and suspicious network calls to Blogspot/Google-owned infrastructure. Ensure your EDR has AMSI (Anti-Malware Scan Interface) integration enabled to catch fileless payloads at the PowerShell engine level.


Source: SecurityWeek — https://www.securityweek.com/blogspot-hosted-payloads-delivered-in-veildrop-attacks/


Cavern C2: Iran's MOIS Deploys New Modular Command-and-Control Framework


Researchers have documented a previously undisclosed modular command-and-control framework called Cavern, attributed to an Iranian hacking group affiliated with Iran's Ministry of Intelligence (MOIS), targeting Israeli organizations. The Cavern framework is modular — meaning its capabilities can be extended or swapped out through plugin-style components — and has not previously appeared in threat intelligence databases, suggesting it was developed specifically for this campaign or kept off the radar deliberately.


New C2 infrastructure from nation-state actors is significant for several reasons. First, it means existing detection signatures are irrelevant — defenders are starting from zero on this one. Second, modular C2 architectures are operationally flexible: the same core framework can be retasked quickly, and operators can swap in new modules to evade evolving detections. Third, MOIS-affiliated groups have historically expanded targeting beyond their initial focus once a tool set is mature. Organizations in critical infrastructure, defense, and technology sectors globally should be hunting for Cavern C2 IOCs regardless of whether they consider themselves a current Iranian targeting priority.


Defense priority: Pull Cavern IOCs from the research publication and load them into your threat intelligence platform. Look for modular C2 traffic patterns: beaconing with variable intervals, encrypted channels to unusual destinations, staged payload downloads.


Source: The Hacker News — https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html


TrojPix: Air-Gap Exfiltration via Video Cable Electromagnetic Emissions


Researchers at Shandong University have demonstrated TrojPix — a technique that modulates on-screen pixel patterns in ways invisible to human observers to control electromagnetic emissions from video cables, enabling covert data exfiltration from air-gapped systems. The attack requires malware to be running on the air-gapped host (the classic air-gap crossing challenge), but once installed, data can be exfiltrated by a nearby receiver capturing the EM emissions from the video cable — with no network connection required.


Let me give you the honest threat assessment: TrojPix is currently a sophisticated research technique, not something you'll see in commodity threat actor playbooks tomorrow. But the history of air-gap attack research shows a consistent pattern: academic demonstration today, nation-state weaponization in 2-4 years, advanced threat actor adoption shortly after. The most sophisticated adversaries — the ones targeting critical infrastructure, defense contractors, and classified networks — absolutely track this research and develop operational implementations. If you manage truly air-gapped systems protecting crown-jewel assets, your threat model should include electromagnetic side-channel attacks and you should be thinking about physical shielding, signal monitoring, and RF-quiet zones around sensitive terminals.



ClickFix Evolution: Abusing Google and Cloudflare Verification UI Patterns


The ClickFix social engineering framework — which tricks users into running malicious commands by presenting fake verification pages — has evolved to specifically impersonate Google and Cloudflare's legitimate bot-check and CAPTCHA interfaces. The latest campaign delivers seven distinct malware families including StealC (credential stealer), NetSupport (remote access tool), and others through what appears to users to be a routine security verification step. The legitimacy borrowed from Google and Cloudflare branding is significant — these are among the most trusted visual interfaces on the web.


This is not a technical exploit — it's a social engineering TTP that specifically targets user conditioning. We've spent years training users to trust Cloudflare and Google security checks. ClickFix weaponizes exactly that conditioning. The fact that it's delivering seven different malware families suggests either a MaaS platform distributing through multiple operators, or a single sophisticated actor with diverse post-compromise objectives. User awareness training needs to explicitly cover this pattern: legitimate verification pages do not ask you to open a Run dialog, copy-paste commands into a terminal, or execute scripts. If a webpage is asking you to do that, it is an attack.


Source: Hackread — https://hackread.com/clickfix-scam-google-cloudflare-7-malware-families/


QuimaRAT: Cross-Platform Java MaaS Targeting Windows, Linux, and macOS


Cybersecurity researchers have flagged QuimaRAT — a novel Java-based remote access trojan sold as Malware-as-a-Service (MaaS) targeting Windows, Linux, and macOS environments simultaneously. The Java runtime cross-platform capability means a single payload can infect endpoints regardless of operating system, lowering the barrier for less sophisticated threat actors to maintain multi-platform footholds.


The MaaS model is the key threat intelligence signal here. MaaS platforms lower the technical bar for deployment, which means the volume of operators using QuimaRAT will grow rapidly. macOS in particular has historically enjoyed a threat landscape that was less populated with RAT capabilities compared to Windows — that gap is closing. Security teams that have taken a more relaxed posture toward macOS endpoint security need to revisit that assumption. Cross-platform Java RATs also present interesting detection challenges: Java processes are common in enterprise environments, and distinguishing malicious Java execution from legitimate business applications requires behavioral analysis and process tree visibility.



The Week's TTP Themes


Looking across these TTPs, a few patterns emerge that enterprise defenders should internalize. First: trusted infrastructure abuse is now standard practice. Blogspot, legitimate cloud services, and branded UI patterns are all being weaponized because they're harder to block and more effective at defeating user skepticism. Second: cross-platform capability is the new baseline expectation for MaaS tooling — assuming your non-Windows endpoints are safer is no longer a reasonable posture. Third: air-gap research continues to advance. The timeframe between research demonstration and nation-state weaponization is shortening. And fourth: new nation-state C2 frameworks mean signature-based detection is always playing catch-up — behavioral analytics and anomaly detection need to be your primary controls, not your fallback.



 
 
 

Recent Posts

See All
Active Exploits & Emerging Threats – July 7, 2026

Active exploitation confirmed on Adobe ColdFusion. PoC released for Linux root escalation. ShinyHunters tearing through healthcare and education sectors. Here's the threat board and what to do about i

 
 
 

Comments


doctorchaos.com and drchaos.com is a blog dedicated to Cyber Counter Intelligence and Cybersecurity technologies. The posts will be a discussion of concepts and technologies that make up emerging threats and techniques related to Cyber Defense. Sometimes we get a little off-topic. Articles are gathered or written by cyber security professionals, leading OEMs, and enthusiasts from all over the world to bring an in-depth, real-world, look at Cyber Security. About this blog doctorchaos.com and drchaos.com and any affiliate website does not represent or endorse the accuracy or reliability of any information’s, content or advertisements contained on, distributed through, or linked, downloaded or accessed from any of the services contained on this website, nor the quality of any products, information’s or any other material displayed, purchased, or obtained by you as a result of an advertisement or any other information’s or offer in or in connection with the services herein. Everything on this blog is based on personal opinion and should be interoperated as such. Contact Info If you would like to contact this blog, you may do so by emailing ALAKHANI(AT)YMAIL(DOT)COM  

SOCIALS 

SUBSCRIBE 

Keeping you informed | Latest News

© 2018 Dr. Chaos 

bottom of page