CyberWire Daily - Caught in the funnel. [Research Saturday]
Episode Date: January 24, 2026. Today we have Andrew Northern, Principal Security Researcher at Censys, discussing "From Evasion to Evidence: Exploiting the Funneling Behavior of Injects". This research explains how modern web malware campaigns use multi-stage JavaScript injections, redirects, and fake CAPTCHAs to selectively deliver payloads and evade detection. It shows that these attack chains rely on stable redirect and traffic-distribution chokepoints that can be monitored at scale. Using the SmartApe campaign as a case study, the report demonstrates how defenders can turn those chokepoints into high-confidence detection and tracking opportunities. The research can be found here: From Evasion to Evidence: Exploiting the Funneling Behavior of Injects
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Security works best in layers, and when those layers actually work together, that's when things get interesting.
NordLayer is a network security platform designed for modern teams.
It secures connections, controls access, and helps stop threats all without hardware or long deployment cycles.
Now, NordLayer has partnered with CrowdStrike to bring Falcon endpoint protection into the mix,
giving small and mid-sized businesses a multi-layered security approach that's practical to deploy and easy to manage.
NordLayer handles secure access and zero-trust networking.
CrowdStrike Falcon adds endpoint visibility and protection.
Together, they cover more ground than either could alone without requiring a large IT staff.
For business leaders, that means clearer control and easier compliance.
For IT teams, it means granular access policies, faster onboarding, and protection that scales.
If you're looking for enterprise-grade security without enterprise-grade complexity, take a look at NordLayer.
Get up to 22% off yearly plans, plus an additional 10% with code Cyberwire 10. There's even a 14-day money-back guarantee.
Check out NordLayer.com/CyberwireDaily to learn more.

Hello everyone, and welcome to the Cyberwire's Research Saturday.
I'm Dave Bittner, and this is our weekend conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I think that in general, what we're seeing is a broader shift in the greater threat landscape, where we're seeing adoption of web technologies as the way that threat actors are choosing to deliver both lures and payloads, as opposed to traditional means of perhaps delivering static payloads through traditional avenues such as email.

That's Andrew Northern, Principal Security Researcher at Censys.
The research we're discussing today is titled "From Evasion to Evidence: Exploiting the Funneling Behavior of Injects."

And because of that, it affords a lot of great opportunities to really get in and explore what it is that threat actors are doing differently and how things are changing.
Well, help us understand in simple terms what exactly injects are.
Certainly.
So what we have is we have a series of websites, and by series, I mean a great volume of websites.
These are going to be anything from commercial websites to mom-and-pop brand personal blogs
or any type of website at all.
And those particular web properties or websites are going to have vulnerable pieces of software on them that allow threat actors to take control of them or, at a bare minimum, modify them.
And in other cases, what we're seeing is that, from password-stealing attacks from stealers and previous incidents, large numbers of usernames and passwords, otherwise known as credentials, are used in what is known as a password stuffing attack against some of the portals that are used for managing these sites, at which time the threat actors are able to insert, or inject, hence the name, a piece of malicious code onto those sites.
So when I'm speaking of injects, I'm speaking of injected malicious code that was not intended to be there by the rightful owner of the website.
And so the website itself is functioning normally to the owner of the website and to the users of the website, presumably?
Yes, that's correct.
The exception to that is when the injects are meeting their desired purpose,
and that's when you'll start to see some anomalies pop up, which are the beginning of the attack chain.
Well, you talk about this funneling behavior of inject-based attacks.
Can you explain that for us?
Yeah, for sure. When I speak about funneling, what I mean is the way that large numbers of these compromised or low-value sites are wired to steer victims into a much smaller set of shared infrastructure.
And the same patterns tend to emerge. So those are going to be many different injected pages, domains, and templates that we can consider to be the edge; then, moving down the attack chain, we see a relatively smaller number of intermediary redirectors and JavaScript loaders in the middle; and ultimately, funneling and getting tighter once again, we see an even smaller set of final payload delivery or decision points at the end.
The research describes what you call choke points
in that second stage there.
Why are these choke points important?
Yeah, so those choke points are important because of the sheer magnitude of this issue: the number of infected or injected sites, compromised sites, whichever you prefer to call them, is astronomical.
There are, at any given time, I would say with a moderate level of confidence, tens of thousands of these compromised sites.
And as a defender, that is particularly difficult to try to get your arms around and to proactively block those sites, or at a bare minimum monitor them.
So instead, by focusing on these choke points, being at the small end of the funnel, as I described earlier, defenders are better able and better positioned to use the tools at their disposal to protect themselves, their users, and their domains.
And how do you go about identifying and tracing these attack chains, especially at the scale that you're describing?
Sure.
So the way that I go about it is what I would consider to be a five-step process.
The first thing I'm looking for is a seed or seed patterns. And that's by looking at anomalies that I've either discovered on my own or that I am ingesting from incident reports, meaning small pieces of things that I can go off of and hunt on. These would be things like fake CAPTCHA templates, common script names and paths, or characteristic HTML fragments, like JavaScript that is performing unusual redirects. So the seed patterns are the first step.
Secondly, then, I'm using Censys-indexed HTML bodies and various other resources to search for those patterns at scale. So that's going to include doing things like exact matching for known patterns or fuzzy matching on script paths, query strings, or observed HTML snippets. So, looking at that content similarity, I'm then able to narrow the field down into what I presume to be suspect or potentially malicious sites.
After I do that, then I begin to essentially build out a graph of the properties of these hits. And so what I'll look at is where the injected code lives, and then I'll look at what the next jump is in that attack chain, meaning where does that malicious injected JavaScript redirect people to? And then I'll also look to see if I'm missing any shared resources. And what I mean by that would be the same pathing, such as suspect names, so reusable names like Captcha.js, or maybe something as basic as a letter, like an a.js or d.js, which I've seen recently. So the third piece, again, is going to be trying to assemble a picture of that to fully understand exactly what this looks like.
And then fourth, I'm going to identify what those choke points are. So once that graph or that picture that I just described is built, what I'm going to be doing is looking at what are the things that this large number of injected or infected sites have in common, and where do they lead to? And that's where I'm able to identify that choke point. Once I identify that choke point, then I'm able to validate my hypothesis or assumptions, and many times challenge them, to make sure that I'm getting true positives there.
And once I'm able to do that, then I'll move on to the fifth step, which would be to validate manually and reconstruct those attack chains. And so what I'll do is I'll go ahead and hunt based upon those choke points, pull out a number of random samples, and then I will make sure that while I'm walking those chains manually, as if I were the intended victim, that I am ultimately reaching those payloads, so that way I understand how we lead from those initial lures to what can be presumed to be the intended final payload of the threat actor.
Do you find any consistency among the signals or the patterns
that you find across these campaigns?
Yes.
So what I find is that, despite being what I would assess with a moderate level of confidence to be unique threat clusters, maybe even operated by distinct threat actors, there's a lot of sharing or copying of these techniques.
And once you see what is essentially in vogue for this week or this month, then you start to see those types of things show up in various different clusters.
One of those things, from a few years ago, as I've been tracking these types of things for a few years: I saw threat actors stop injecting the JavaScript directly onto the main landing page. Generally, it was the header, where it was easy to find and identify, but then they moved on to putting it into other resources.
These are going to be resources that are loaded by the page at the time of visiting.
For example, if you want to have something like a slideshow or a particular form on your web page,
you'll have a JavaScript library that's located on the same server
that will be used in order to enable that functionality.
What I saw was threat actors were very predictably moving to the same
JavaScript library over and over again and putting the code in there.
That will rotate over time, but those are some of the similarities
that I'm able to track across these various different clusters.
We'll be right back.
Most security conferences talk about Zero Trust.
Zero Trust World puts you inside.
This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory.
You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents.
But Zero Trust World is more than labs.
You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ZTW.com and take your zero-trust strategy from theory to execution.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years.
Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

Well, from a defender's standpoint, what does the research suggest about where they should be focusing their monitoring and their detection efforts?

Yeah, that's a very good point. As far as the monitoring and detection goes, I think that it comes back to understanding the baseline of your environment, meaning that if there are things that are out of the norm that are happening on your endpoints, that don't align with what is established behavior, that's certainly worth raising the alarm on.
But more specifically, defenders can implement certain policies on their networks. If we're talking about Windows networks, an administrator would be able to implement a Group Policy Object, or GPO, which is a rule set that applies to the computers that are joined to the domain, to associate something like a .js or JavaScript file not to open with the default WScript utility built into Windows, which would evaluate and execute that JavaScript payload, but rather to have it associate with something that would make it benign, like Notepad or a text editor.
So if someone is lured into clicking on one of these things or visiting one of these malicious sites and is lured into downloading a payload, when they go to open it, it would not infect the system but rather just show them the script, which would effectively break the chain.
Now, you mentioned that you've been looking at these things for a number of years. What's the trend that you're tracking? Are these becoming more or less common? Where do we stand?

I can tell you that the adoption is higher than it's ever been. I've seen, in what I track, threat actor groups that were using traditional means of delivering malware, meaning pre-built binaries or payloads that have hard-coded command and control configurations baked into them. Those threat actors have pivoted to using these web-based attacks.
I can give you a few examples of some of the lures that have become popular, as well as some of the new techniques and technologies that I've seen, if that's all right with you.
Yeah, please.
So I'll start with some of the lures. The biggest one that I've been seeing over the past year or so is a fake CAPTCHA.
And what that is, is essentially when you are visiting a website, there are a number of anti-bot technologies that we've been accustomed to running into as a legitimate user. For example, if we go to visit a site and the site says, hey, maybe there's been some anonymous traffic coming from this IP, or maybe there's just a whole lot of traffic right now where you need to make sure that people aren't bots, you may be served a big CAPTCHA.
And because of this technology that is used to protect websites, we as humans and end users have been conditioned to click on these CAPTCHAs. So the threat actors are preying upon our conditioning to interact with these CAPTCHAs, and once we've interacted with them, the threat actors are using JavaScript to place a set of malicious commands right on our clipboard, and then some follow-on instructions are displayed, such as: to prove that you're a human, please do this keystroke. It depends on if you're on Windows or Mac, but ultimately it culminates in opening some type of command prompt or terminal and pasting in the command, which will download the payload and execute it. Those are called ClickFix, and the lure type is fake CAPTCHA.
Traditionally, what we've seen in the past is a fake update, and that is going to be something that is telling you that a critical piece of software on your computer is out of date. And this is particularly frustrating as a defender, because we've worked so hard to get our end users to be, let's say, judicious and to want to accept updates on their endpoints to keep them safe from vulnerabilities. So when you're presented with a page that says your Chrome or Firefox or whatever web browser you're using is out of date and needs to be updated in order to continue, the same type of security awareness training that has been provided is the same type of thing that conditions end users into following those directions that are provided by the threat actors.
So where do you suppose we're headed with this then?
I mean, it seems as though this threat is here to stay.
Is this destined to be an ongoing nuisance and problem in your estimation?
I fear it is, because even as we speak, I'm seeing additional changes to these attack chains that are leveraging new pieces of technology. For example, I've written what can be considered a follow-up article to this funneling report that we're discussing, about a technique called EtherHiding. And EtherHiding is an attack chain that uses the same type of injections and technology and techniques that we've been talking about already, but they are now using part of the blockchain as well, the blockchain being the external, transparent ledger that's generally associated with cryptocurrency and various things of that nature. That ledger has objects on it called smart contracts, which are binary objects that can be called from the HTML and JavaScript to read the contents of these smart contracts, which cannot be updated without transparency, meaning that it's really hard to take these types of things down, as opposed to traditional websites, where one could file a complaint when they discover what the C2 or the payload delivery infrastructure looks like. So the JavaScript is then pulling the payload, and in some cases the next steps in a redirect chain to yet another resource.
So to fully answer your question, I don't think that they're going to be going anywhere, and it is becoming more difficult for defenders to track and reproduce these steps, and that lends itself to continued adoption and sustained use by threat actors.
How do you rate the sophistication of these threat actors?
I have two thoughts on that. First, we tend to see what I would call the visionaries in the space, which are highly capable, what I would consider to be the apex predators of the threat actor landscape, specifically the e-crime or criminal landscape, whose motivations are stealing money and getting that initial access and then perhaps executing a locking of a domain, such as the ransomware that we've seen in the news, or maybe even just getting that foothold and selling it to another group that would like to conduct that activity. Those folks, I would say, are some of the most capable developers that I've seen. And the way that these threats continue to evolve rapidly, it will make your head spin, just the efficacy and the quickness with which they're able to deploy new tricks to evade researchers and defenders.
The other side of that is that with the advent of AI, especially tools like ChatGPT and Claude and various other LLMs, the barrier to entry in order to make these types of tools and attacks has been greatly lowered. So now we're seeing a lot of copycats. And so this does a couple of things. Number one, it increases the amount of attacks like this that are on the internet, but it also muddies the water for researchers who are trying to track and do attribution of threat actors. Because when you see folks that are adopting similar techniques, and many who I would consider to be unskilled are able to get working tools generated by these AI programs, then it really is a duality of folks who really know what they're doing and those who don't know much but are able to get a working attack chain going.
Our thanks to Andrew Northern from Censys for joining us. The research is titled "From Evasion to Evidence: Exploiting the Funneling Behavior of Injects." We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
This episode is produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at RSAconference.com/cyberwire26. I'll see you in San Francisco.
Attackers don't go through your tools, they go around them. In our interview with Jared Atkinson, CTO at SpecterOps, he reveals how attackers look to exploit our identities, steal tokens, and quietly snowball their access across Active Directory, cloud apps, and GitHub. We talk through attack paths, why least privilege keeps failing, and how one misconfiguration can hand over the keys to your organization.
Want to see risk as attackers do? Then check out the full interview now on thecyberwire.com/specterops.
