CyberWire Daily - The skills pay the bills. [Research Saturday]
Episode Date: May 30, 2026. Today we are joined by Marco Giuliani, Vice President & Head of Research at ThreatDown, discussing their work on "GachiLoader adopts AI skill lure." Threat actors are now using fake AI agent "skills" as highly convincing social engineering lures, with a new campaign disguising the GachiLoader malware as a legitimate OpenClaw tool for automated Polymarket betting. Victims are tricked through fake installation guides and polished Electron apps into downloading malware that deploys the Rhadamanthys infostealer using fileless injection and blockchain-based command-and-control infrastructure. Researchers say the campaign marks an evolution in cybercrime, turning AI skill ecosystems into a new phishing-style attack surface. The research and executive brief can be found here: GachiLoader adopts AI skill lure.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
It's a program which is dropping additional malware into the systems. So it's a kind of entrance point to the infected system and allows malware authors to drop additional malware. In this specific case that we detected, it's the Rhadamanthys infostealer, to collect sensitive data, by hiding it inside what looks like an AI agent skill coming from a legitimate developer tool, OpenClaw.
That's Marco Giuliani, Vice President and Head of Research at ThreatDown. The research we're discussing today is titled "GachiLoader adopts AI skill lure."
Well, the research describes AI agent skills as a new lure. What makes that such an effective delivery mechanism?
Oh, that's actually, you know, the key point. It's a very clever multi-step social engineering campaign. So the key point here is the trust.
Traditional, I keep saying this multiple times, the traditional endpoint security, you know, has gotten very, very good lately, in the last 10, 15 years. So the attackers also needed to look for blind spots. Right now, the biggest blind spot that we have is the AI agent ecosystem. So what we are doing right now is monitoring. My team, the research team, is monitoring all the EDR detections and triggers which come from the AI world. What does that mean? If we find something which is connected somehow to AI tools, it can be agentic systems, can be OpenClaw, can be Gemini, the command line interface, Claude Desktop, or whatever. If we detect some suspicious activity happening through or coming from those specific tools, then this is definitely ringing a bell to the research team, and that automatically gets upgraded to the highest security level investigation from the research team. In this specific case, that's how it happened. We are constantly monitoring suspicious activities strictly connected to those tools, and in this specific case, we detected this specific attack.
Well, let's go through the user experience here. What does the victim see, and what convinces them to go down this path?
Cool. You know, once it was the email, the fake email, the phishing email. Now, let's try and imagine a developer today looking to, let's say, add a new capability to the AI agent. They come across what looks like a legitimate skill package. And inside there is a file called readme before install HTML. This isn't just a simple text file. When the developer opens it, it looks like a Telegraph blog post, a convincing, legitimate-looking piece of documentation. And this document instructs the user, the developer, to download the dependencies from a GitHub release page. Legitimate, you know, GitHub. Everything comes from GitHub, you know, it should be safe. That's what developers assume today. But that GitHub page is entirely fake. It's completely dressed up using the OpenClaw brand. But it's not that. It's just a fake OpenClaw page. The funny thing here is that it's the victim which is doing every single step: reading the manual, going to GitHub, clicking download. They are letting their guard down. That's not something that the attacker is doing. That's funny, but that's the usual social engineering trick, just changing the tools, just changing the ways, but it's always the same problem, the same security problem that we have been trying to fix for a long time, since IT security started kicking in: the user willingly invites the malware in. They are thinking that they are just installing a standard skill dependency.
Well, the lure talks about real services, things like weather forecasts and prediction markets.
I guess that realism helps make the attack believable.
Exactly. That's the whole plan. The whole plan is making it trustable. It's, you know, building a real, trustable style. Sometimes they also invite you to do that, and they promise you that you're going to make a lot of money, just sitting in front of your PC. I mean, everybody, once in a while, hopes to do that. I did sometimes as well: you sit in front of your PC and you hope that what you're doing is going to make you money, a lot of money, without doing anything. Who has not hoped for that at least once in their life?
Right, right.
Well, let's break down the two tracks here.
The research talks about two different ways for this to be delivered.
Can you take us through that element?
So, yes, absolutely. So what happens is, once the execution begins, what the threat actors do, they immediately deploy, or actually I would say the victim itself deploys, the GachiLoader. And the very interesting thing here is that actually, you know, it's not new, but that's the most used way to drop malware as of today. GachiLoader is being dropped using fileless injection techniques. What that means is that they are not dropping a traditional, easily scannable executable onto the disk. They are actually injecting the payload directly into the memory of legitimate processes, using the kind of attack that's called living off the land. What does that mean? Attackers are not using standalone malicious executables anymore. Why are they not doing that anymore? Because it's easy now to detect malicious executables. That's what AV has been doing for the last two decades, if not three decades. How do they skip this kind of detection from traditional anti-malware solutions? By using legitimate tools. I mean legitimate tools, let's say Python scripts, let's say any interpreter, PowerShell or whatever. What they do is they trick the user into running a script, into running whatever looks legitimate, because it's coming from a legitimate tool. So even an anti-malware, a classic, traditional security product, cannot easily detect what's happening, because it's happening from a legitimate tool. And this makes an incredibly stealthy attack, and hard for the classic AV tool to catch. And that's the first part, how it gets installed into the system.
What's the really fascinating part, I would say, is the command and control infrastructure that GachiLoader has set up. Usually, the command and control is basically the server, the centralized server that the malware is connecting to, to receive commands, the next steps that it needs to execute. How usually that gets blocked by anti-malware or security companies, security products, or also law enforcement: they go to the server, they go to the ISP, they block the connection to that specific IP, blacklist the IP, they get the server down, and that's how usually a command and control infrastructure is disabled, is switched off, turned off. That's not the case for GachiLoader, because they are now utilizing a blockchain-based command and control mechanism. That's really fascinating, from my point of view, because right now they are hosting their communication pathways on a decentralized blockchain network. And by doing so, the infrastructure becomes highly resilient. For defenders, for AV companies, security companies, it's incredibly difficult to simply take down a server as it was easy before. And the combination of fileless execution locally on the system, on the infected system, and the decentralized command and control, which is basically distributed globally across the whole world, it's a tremendous and dangerous mix that, in this specific case, ultimately drops the Rhadamanthys infostealer to steal credentials and sensitive data, but in the end makes this combination extremely resilient against security products and also for law enforcement to take that down. We'll be right back.
You mentioned the Rhadamanthys infostealer. From a defender's perspective, what makes this combination of GachiLoader and Rhadamanthys particularly dangerous?
As I said, security products, AV, the classic security products, are not able to see this attack. They cannot find anything running on the system, because everything is running in memory. They cannot detect the eventual command and control connection, because they are not connecting through classic IPs. So the security product is completely blind to this attack. And this allows attackers to do whatever they want. This is incredibly powerful for the attackers. And if you look from a defender's perspective, that's a very strong hint and sign that we as defenders, we as a security company, but also every company, need to switch their attention to not just detecting malicious activities, but more to detecting what is not normal for your system. So it's a completely different approach. That's what an EDR product is, basically: not detecting what is malicious, but detecting what is anomalous enough for that system to be reported and to be carefully taken into consideration. It's a completely different shift, a different paradigm. That makes security way more complicated. Does it make sense, what I'm saying? It's more like not saying anymore, hey, this is bad, but it's more like, hey, this is anomalous for my system. Technically, it shouldn't do that. Doing that means that we need to know for a fact what is normal on the system. That's what an EDR product is, basically. Understanding what's normal on the system, and reporting what is suspicious enough to not be included in the normal activities of that system.
As I was reading through the research, there was a statement here that caught my eye. You describe skills as the new phishing attachment. What does that shift mean for how organizations should be thinking about user risk?
That's actually a great question. Thanks for asking that. The attack surface right now is shifting. It's quickly shifting, as the whole world is shifting to AI. It usually happens, it happened also in the past. I'm actually in the security industry for almost 20 years now, so I'm lucky enough to have seen multiple things, you know, worms, phishing, rootkits, etc. And I have always seen that every time we shift to a new technology, everybody runs to catch this new technology, but the risks, the threats, the risks of the new technology are not immediately taken into consideration. And that's the blind spot for every new technology. What that means is that, you know, new technology, new AI, everybody is shifting into agentic AI so that you can instruct your computer, your endpoint, to do stuff for you. How do you make it, you know, for the agentic AI, you already have something that makes your work easier and faster. How can you make it even faster? You go to a repository and download your skills. What are AI skills? Basically, they are just instructions, pre-built instructions to your agentic AI, very basic text files that contain instructions that your agentic AI can execute for you. So you go to a repository and you find a new skill that monitors for you the weather forecast for the next three hours, up to 24 hours, every hour, and then alerts you in case there is some sign of bad weather coming in, kicking in or whatever. I'm just giving you an example, a very basic example. You could do that yourself, but you can also easily instruct agentic AI to do the stuff for you. And why not download an AI skill that already contains all the structure to do that for you? So companies are looking into this digital new world more and more. And the problem is that there's no way right now to vouch for the skills that you are downloading. That's probably the biggest risk that companies are missing; the people using AI, the companies, are risking more. So they think that, you know, you can monitor downloads from specific websites. You have a firewall, you have whatever, you're monitoring phishing websites. But you're still not considering that AI skill repositories can be a vector to introduce malware. So AI skills are just text files that can be used in your AI desktop software. Companies are still not considering that as a vector. So we urgently need companies to pay attention to this and start vouching for also the AI skills that are being downloaded from repositories, because that's not a free and safe, secure world anymore.
Just to give you a basic example, one of the malicious AI skills that we detected, and that's outside of the research that we are discussing right now, I'm just telling you this story. One of the malicious AI skills that we detected was very funny, because you downloaded it and you started looking at the text file inside the skill, and it was a perfectly legitimate skill. So we started looking into this because our automated systems reported this skill as potentially malicious. So we started to manually look at the AI skill, my team, and looked at that, and in the beginning the text was completely safe, just very, very safe instructions. They were doing what the AI skill was supposed to do. And so, even for the basic user that wants to check what the AI skill is doing, that would have bypassed every kind of simple check. At some point, at the very, very end of the text of the skill, there was one command telling the AI to completely forget what was being said since the beginning of the text file and execute what was written after that. And everything was written in a non-English language. I don't remember if it was Chinese or Russian or Japanese. I don't remember exactly what language that was. And that was going to bypass every simple check from every customer, every average user looking at that. So, sorry, that was a very long description to tell you that this is an incredibly risky world right now that we need to immediately take action on.
Our thanks to Marco Giuliani from ThreatDown for joining us. The research is titled "GachiLoader adopts AI skill lure." We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
This episode is produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
