
Major Cyber Attacks in March 2026: OAuth Phishing, SVG Smuggling, Magecart, and More

March 2026 saw a surge in sophisticated, multi-stage cyber attacks designed to evade early detection. Key threats included OAuth device code phishing (EvilTokens) for M365 account takeover, registry-hidden RAT staging (RUTSSTAGER), macOS backdoors delivered via ClickFix lures, and resilient botnets utilizing Dead Drop Resolvers.

Sens: Immediate | Conf: high | Analyzed: 2026-04-01

Authors: ANY.RUN

Actors: EvilTokens, ClickFix, AMOS Stealer, RUTSSTAGER, OrcusRAT, Vjw0rm, Magecart, Kamasers, MicroStealer

Source:ANY.RUN


Key Takeaways

  • EvilTokens campaign abuses Microsoft OAuth Device Code flow for credential-less account takeover, bypassing traditional phishing defenses.
  • macOS ClickFix campaigns are delivering an upgraded AMOS Stealer equipped with an interactive reverse shell backdoor.
  • RUTSSTAGER malware hides its DLL payload as a hexadecimal string in the Windows registry to deploy OrcusRAT.
  • Magecart campaigns are utilizing WebSocket-based exfiltration to steal payment data from hijacked e-commerce checkout flows.
  • Kamasers DDoS botnet utilizes Dead Drop Resolvers (GitHub, Telegram, Dropbox) for resilient command-and-control infrastructure.

Affected Systems

  • Microsoft 365
  • macOS
  • Windows 10/11
  • e-commerce websites (Spain focused)
  • Organizations in Colombia (Government, Finance, Healthcare)

Attack Chain

Attackers employ various initial access vectors, including OAuth device code phishing (EvilTokens), ClickFix lures targeting developers, and SVG smuggling via email attachments. Once executed, payloads like AMOS Stealer, OrcusRAT, or MicroStealer are deployed using multi-stage loaders, registry-hidden DLLs, or nested archives. Persistence is established via backdoors or watchdog processes, followed by data exfiltration via WebSockets, Telegram bots, or direct C2 communication.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: ANY.RUN TI Lookup

The article provides ANY.RUN Threat Intelligence Lookup queries to find related infrastructure and sandbox sessions for the discussed campaigns.

Detection Engineering Assessment

  • EDR Visibility: Medium. Techniques like registry-hidden DLLs (RUTSSTAGER) and fileless execution (SVG smuggling) evade basic file scanning, but EDRs can catch the behavioral chain, such as PowerShell spawning from unusual parents or registry modifications.
  • Network Visibility: High. Many campaigns rely on distinct network indicators, such as WebSocket exfiltration, Telegram API calls, or specific HTTP headers (X-Antibot-Token).
  • Detection Difficulty: Moderate. While initial payloads are heavily obfuscated or use legitimate services (OAuth, Telegram, GitHub), the subsequent behaviors (registry staging, reverse shells, specific API calls) provide solid detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Registry Events (Sysmon 12, 13, 14)
  • Network Connections (Sysmon 3)
  • HTTP/Proxy Logs

Hunting Hypotheses

Each hypothesis is listed with its telemetry source, ATT&CK stage and false-positive risk:

  • Look for HTTP requests containing the 'X-Antibot-Token' header communicating with non-standard or newly registered domains, indicating potential EvilTokens phishing infrastructure. | Telemetry: HTTP/Proxy Logs | ATT&CK Stage: Initial Access | FP Risk: Low
  • Monitor for large hexadecimal blobs being written to the Windows Registry, particularly under HKLM\SOFTWARE\WOW6432Node\Microsoft, which may indicate RUTSSTAGER activity. | Telemetry: Registry Events | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Identify outbound network connections to api.telegram.org/bot* originating from web browsers or document readers, suggesting credential exfiltration. | Telemetry: Network Connections, Proxy Logs | ATT&CK Stage: Exfiltration | FP Risk: Medium
  • Detect PowerShell execution querying Get-MpComputerStatus for RealTimeProtectionEnabled or IsTamperProtected, often used by malware to check AV status. | Telemetry: Process Creation, PowerShell Script Block Logging | ATT&CK Stage: Discovery | FP Risk: Low
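The four hypotheses above expressed as hunting logic over constructed sample telemetry. This is an added example, not detection content from the ANY.RUN report; the record layout, the browser/reader process list and the 1024-character hex threshold are assumptions, and every host, token and path in the sample data is a placeholder.

```python
import re

# Assumed threshold for a "large" hex blob; the report gives no figure.
HEX_BLOB_MIN = 1024

def check_antibot_header(rec):
    # HTTP/proxy record: X-Antibot-Token sent to a host that is not Microsoft's sign-in service.
    if "x-antibot-token" in {k.lower() for k in rec["headers"]} and not rec["host"].endswith("microsoftonline.com"):
        return ("EvilTokens infrastructure", "Initial Access", "Low")

def check_registry_hex_blob(rec):
    # Sysmon 13 record: long hex-only value written under HKLM\SOFTWARE\WOW6432Node\Microsoft.
    under_ms = rec["target_object"].upper().startswith(r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT")
    if under_ms and len(rec["details"]) >= HEX_BLOB_MIN and re.fullmatch(r"[0-9A-Fa-f]+", rec["details"]):
        return ("RUTSSTAGER registry staging", "Defense Evasion", "Low")

def check_telegram_bot(rec):
    # Sysmon 3 / proxy record: Telegram Bot API reached from a browser or document reader (assumed list).
    readers = {"chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe", "winword.exe"}
    proc = rec["image"].rsplit("\\", 1)[-1].lower()
    if proc in readers and re.match(r"https?://api\.telegram\.org/bot", rec["url"], re.I):
        return ("Telegram bot exfiltration", "Exfiltration", "Medium")

def check_defender_probe(rec):
    # Process creation / script block record: PowerShell probing Defender protection state.
    if re.search(r"Get-MpComputerStatus.*(RealTimeProtectionEnabled|IsTamperProtected)", rec["command_line"], re.I):
        return ("Defender status check", "Discovery", "Low")

CHECKS = {"http": check_antibot_header, "registry": check_registry_hex_blob,
          "network": check_telegram_bot, "process": check_defender_probe}

def hunt(records):
    # Returns (record id, detection, ATT&CK stage, FP risk) for each matching record.
    results = ((rec["id"], CHECKS[rec["type"]](rec)) for rec in records)
    return [(rid,) + hit for rid, hit in results if hit]

# Constructed sample telemetry; hostnames, token and paths are placeholders, not real IOCs.
SAMPLE = [
    {"id": 1, "type": "http", "host": "example-lure.workers.dev", "headers": {"X-Antibot-Token": "abc"}},
    {"id": 2, "type": "http", "host": "login.microsoftonline.com", "headers": {"User-Agent": "x"}},
    {"id": 3, "type": "registry", "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\rutsdll32", "details": "4d5a9000" * 300},
    {"id": 4, "type": "registry", "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\x", "details": r"C:\x.exe"},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "url": "https://api.telegram.org/bot000:PLACEHOLDER/sendDocument"},
    {"id": 6, "type": "process", "command_line": "powershell.exe -c Get-MpComputerStatus | select RealTimeProtectionEnabled"},
    {"id": 7, "type": "process", "command_line": "powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE))
```

Records 2, 4 and 7 are benign controls and produce no hit, which is the false-positive boundary each rule is meant to respect.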

Control Gaps

  • Traditional email filtering (bypassed by SVG smuggling and legitimate OAuth links)
  • File-based AV (bypassed by registry-stored DLLs)

Key Behavioral Indicators

  • X-Antibot-Token header
  • Hexadecimal DLLs in Registry
  • WebSocket connections from checkout pages
  • PowerShell checking MpComputerStatus

False Positive Assessment

  • Medium (Some network indicators like connections to GitHub, Dropbox, or Telegram are common in enterprise environments and require correlation with suspicious parent processes or specific URI patterns to reduce noise.)

Recommendations

Immediate Mitigation

  • Block known malicious domains and IPs associated with EvilTokens, Kamasers, and MicroStealer.
  • Search endpoint telemetry for RUTSSTAGER registry keys and AMOS Stealer file paths.

Infrastructure Hardening

  • Enforce strict Conditional Access policies for Microsoft 365 to mitigate OAuth token abuse.
  • Implement network segmentation to limit the impact of compromised macOS developer machines.

User Protection

  • Deploy EDR solutions capable of monitoring registry modifications and in-memory execution.
  • Restrict the execution of HTA and JS files from downloaded archives.

Security Awareness

  • Train users to recognize OAuth device code phishing and verify the source of verification codes.
  • Educate developers on the risks of running terminal commands from unverified documentation pages (ClickFix).

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1566.001 - Phishing: Spearphishing Attachment
  • T1528 - Steal Application Access Token
  • T1112 - Modify Registry
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1027.006 - Obfuscated Files or Information: HTML Smuggling
  • T1056.003 - Input Capture: Web Portal Capture
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • T1102.001 - Web Service: Dead Drop Resolver
  • T1498 - Network Denial of Service

Additional IOCs

  • IPs:
    • 45[.]94[.]47[.]204 - AMOS Stealer C2
    • 178[.]16[.]54[.]87 - Kamasers C2
  • Domains:
    • dibafef289[.]workers[.]dev - EvilTokens phishing infrastructure
    • ab-monvoisinproduction-com-s-account[.]workers[.]dev - EvilTokens phishing infrastructure
    • subzero908[.]workers[.]dev - EvilTokens phishing infrastructure
    • sandra-solorzano-duncanfamilyfarms-net-s-account[.]workers[.]dev - EvilTokens phishing infrastructure
    • tyler2miler-proton-me-s-account[.]workers[.]dev - EvilTokens phishing infrastructure
    • shark-app-5wkz2[.]ondigitalocean[.]app - EvilTokens related infrastructure
    • authsoftverifyappsoftcodeauths[.]powerappsportals[.]com - EvilTokens related infrastructure
    • dynamic-entry[.]powerappsportals[.]com - EvilTokens related infrastructure
    • email-internals[.]powerappsportals[.]com - EvilTokens related infrastructure
    • docusign[.]powerappsportals[.]com - EvilTokens related infrastructure
    • claude-download[.]squarespace[.]com - macOS ClickFix fake documentation lure
    • download-version[.]1-4-9[.]com - macOS ClickFix payload delivery
    • tokio11[.]dynuddns[.]net - Vjw0rm C2 domain from SVG Smuggling campaign
    • vapoclope[.]fr - Compromised e-commerce site targeted by Magecart
    • ryxuz[.]com - Kamasers related domain
    • silencestress[.]st - Kamasers related domain
    • vrcpluginhub[.]com - MicroStealer lure domain
    • swordfull[.]com - MicroStealer related domain
    • limewire[.]com - MicroStealer related domain (abused legitimate service)
    • yuboapp[.]com - MicroStealer related domain
    • nightslump[.]com - MicroStealer related domain
    • kitsucraft[.]com - MicroStealer related domain
  • URLs:
    • /api/device/start - API endpoint used in EvilTokens phishing flow
    • /api/device/status/* - API endpoint used in EvilTokens phishing flow
  • Registry Keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\rutsdll32 - RUTSSTAGER hidden DLL payload location
  • File Paths:
    • ~/.mainhelper - AMOS Stealer backdoor module for interactive reverse shell
    • /private/tmp/20276/FileGrabber/Cookies.binarycookies - AMOS Stealer staging directory for stolen cookies
    • pdf.htm - Fake PDF HTML phishing attachment name
    • FAC0025487.PDF.html - Fake PDF HTML phishing attachment name
    • RADMISEDR_Revision_Caso_JUZGADO_1.pdf_F2ABEB.svg - SVG Smuggling attachment name
    • Notificacion Fiscal.js - Payload dropped via SVG Smuggling
    • radicado.hta - Payload dropped via SVG Smuggling
    • J0Ogv7Hf.ps1 - PowerShell script executed in SVG Smuggling chain
    • rutsStager.exe - RUTSSTAGER initial executable
    • rutsOrcus.exe - RUTSSTAGER deployed OrcusRAT executable
    • rutsWatchdog.exe - RUTSSTAGER persistence watchdog executable
  • Command Lines:
    • Purpose: Check Windows Defender Real-Time Protection status | Tools: powershell.exe | Stage: Discovery
    • Purpose: Check Windows Defender Tamper Protection status | Tools: powershell.exe | Stage: Discovery
  • Other:
    • X-Antibot-Token - HTTP header used in EvilTokens phishing infrastructure
    • 7802226280 - Telegram Chat ID used for credential exfiltration