Weekly Threat Landscape: From Developer Workflows to AI Exploitation
This week's threat intelligence reveals a crucial pattern: attackers are industrializing their operations. Rather than dramatic, headline-grabbing attacks, threat actors now execute precise intrusions through ordinary entry points—developer tools, remote access software, cloud workflows, and AI platforms. Each vector alone seems manageable. Together, they form a coordinated ecosystem.
Key Threat Developments
Codespaces RCE Vectors
Multiple attack vectors have been disclosed in GitHub Codespaces allowing remote code execution simply by opening a malicious repository or pull request. Identified vectors include:
- .vscode/settings.json with PROMPT_COMMAND injection
- .devcontainer/devcontainer.json with postCreateCommand injection
- .vscode/tasks.json with folderOpen auto-run tasks
Researchers demonstrated that adversaries can execute arbitrary commands, exfiltrate GitHub tokens and secrets, and abuse hidden APIs to access premium Copilot models. Microsoft has deemed this behavior by design.
BYOVD Driver Abuse Escalation
Threat actors are weaponizing legitimate but revoked Guidance Software (EnCase) kernel drivers as part of bring-your-own-vulnerable-driver (BYOVD) attacks. Compromised SonicWall SSL-VPN credentials enable initial access, followed by deployment of EDR solutions that abuse revoked drivers to terminate security processes from kernel mode and disable 59+ security tools.
AsyncRAT C2 Infrastructure
Analysis reveals 57 active AsyncRAT-associated hosts exposed on the public internet. These assets are concentrated on low-cost, abuse-tolerant VPS providers (APIVERSA, Contabo) rather than major cloud providers, enabling operators to maintain infrastructure at minimal cost.
AI Cloud Escalation
Offensive cloud operations targeting AWS environments achieved administrative privileges in just eight minutes. The speed and precision indicate large language model (LLM) use to automate reconnaissance, generate malicious code, and make real-time decisions. Threat actors gained initial access through exposed AWS credentials in public S3 buckets, then rapidly escalated privileges through Lambda injection, moved laterally across 19 AWS principals, and abused Amazon Bedrock for LLMjacking.
Emerging Threat Patterns
Shared Cybercrime Infrastructure: ShadowSyndicate has been linked to dozens of servers used by multiple threat clusters (Cl0p, BlackCat, Ryuk). Servers are transferred between SSH clusters, sometimes rotating SSH keys, creating attribution challenges.
Ransomware KEV Expansion: CISA updated 59 actively exploited vulnerability notices in 2025 to reflect ransomware group usage, including 16 Microsoft vulnerabilities, six for Ivanti, and five for Fortinet.
Volunteer DDoS Force: NoName057(16) operates DDoSia Project through Telegram channels with 20,000+ followers, framing attacks as "self-defense." This model combines ideological motivation with gamification and cryptocurrency rewards.
Affiliate Crypto Drainers: Rublevka Team has generated $10+ million through affiliate-driven cryptocurrency theft since 2023, deploying custom JavaScript via spoofed landing pages and supporting 90+ wallet types.
Critical Defense Gaps
Multiple case studies demonstrate attackers exploiting trusted services and legitimate tools:
- Fake voicemail campaigns deploying Remotely RMM
- Screensaver (.SCR) files installing SimpleHelp for remote control
- Cloud phishing chains using Vercel Blob storage and Dropbox impersonation
- Global SystemBC proxy botnet (10,000+ infected IPs) in early intrusion chains
TL;DR
- GitHub Codespaces RCE vectors allow code execution via malicious repos without detection- BYOVD attacks escalate privileges using revoked legitimate drivers to disable EDR
- AsyncRAT infrastructure spans 57 C2 nodes on abuse-tolerant VPS providers
- LLM-powered AWS intrusions achieve admin access in 8 minutes via S3 credential exposure
- Threat actors industrialize operations: affiliate ecosystems, shared infrastructure, reusable playbooks
- Supply chain attacks use trusted services (Vercel, Dropbox) to bypass security controls
- 59 ransomware-linked CVEs updated in 2025 CISA KEV list
Sources
Orca Security: GitHub Codespaces RCEHuntress: EnCase BYOVD EDR Killer
Sysdig: AI-Assisted Cloud Intrusion in 8 Minutes