This month focuses on Quantum Route Redirect, a new phishing tool targeting Microsoft 365 users; the SesameOp backdoor, which uses OpenAI services for covert C2 communications; and Sturnus, a new Android banking trojan.
Quantum Route Redirect
A new phishing tool called Quantum Route Redirect is being used to target Microsoft 365 users, making advanced phishing campaigns accessible to even low-skilled cybercriminals.
Summary
- Security researchers first detected the tool in the wild in August, linked to a large-scale credential-theft campaign.
- About 1,000 domains currently host the tool, supporting automated phishing functions such as traffic rerouting and victim tracking.
- The campaign leveraging the tool has compromised victims in 90 countries, with 76% of targets located in the United States.
- The tool dramatically simplifies the creation of complex phishing campaigns, lowering technical barriers for inexperienced attackers.
- Quantum Route Redirect enables one-click setup for phishing themes such as DocuSign impersonation, payroll scams, payment notifications, voicemail scams, and QR-code phishing (quishing).
- Phishing URLs follow a consistent /quantum.php/ pattern and are hosted on compromised or parked domains, aiding brand impersonation.
- Its key strength is an evasive redirect system capable of bypassing Microsoft’s Exchange Online Protection, secure email gateways (SEGs), and cloud email security tools.
- The tool distinguishes between security scanners and human victims—redirecting scanners to legitimate sites while sending users to phishing pages.
- Researchers observed it successfully bypassing web application firewalls, allowing multilayered security defenses to be evaded.
- To defend against such tools, organizations should adopt integrated cloud email security solutions with natural language processing (NLP) for advanced content analysis.
- Additional recommended defenses include URL filtering, strong impersonation detection, and sandboxing technologies to inspect suspicious emails.
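Because the tool serves a legitimate site to scanners and the phishing page to humans, a sandbox verdict alone is unreliable; the consistent /quantum.php/ path segment reported above is visible in proxy logs regardless of which page was served. The following added example (not part of the original report) flags that path in constructed proxy log lines and groups the hits so the hosting domains can be reviewed; the log format and all addresses and hostnames are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "client_ip method url status". Not real traffic.
SAMPLE_PROXY_LOG = """\
10.0.0.21 GET https://login.microsoftonline.com/common/oauth2/authorize 200
10.0.0.34 GET https://parked-example.test/quantum.php/docusign/view 302
10.0.0.34 GET https://parked-example.test/quantum.php/docusign/view?id=abc 200
10.0.0.55 GET https://intranet.example.test/payroll/quantum.php/index 200
10.0.0.12 GET https://cdn.example.test/static/quantumphp/app.js 200
"""

# The report states that Quantum Route Redirect URLs follow a consistent "/quantum.php/"
# path pattern. Anchoring on the slash-delimited segment avoids matching unrelated paths
# such as "/quantumphp/".
QUANTUM_PATH = re.compile(r"/quantum\.php/", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    client: str
    host: str
    url: str


def find_quantum_hits(log_text):
    """Return one Hit per log line whose URL path contains the /quantum.php/ segment."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        client, _method, url, _status = parts
        if QUANTUM_PATH.search(urlsplit(url).path):
            hits.append(Hit(client=client, host=urlsplit(url).hostname or "", url=url))
    return hits


def suspect_hosts(hits):
    """Hosting domains to review for blocking; the report notes they are often compromised or parked."""
    return {h.host for h in hits}


def hits_by_client(hits):
    """Clients that reached a flagged URL, for credential-reset and follow-up triage."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h.client].append(h.url)
    return dict(grouped)
```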
SesameOp Backdoor
Microsoft’s Detection and Response Team (DART) discovered a new backdoor called SesameOp, used by attackers to maintain long-term, espionage-focused persistence in victim environments.
Summary
- SesameOp uniquely uses the OpenAI Assistants API as a covert command-and-control (C2) channel, abusing a legitimate AI service instead of using attacker-controlled infrastructure.
- The backdoor fetches commands from the API, executes them on compromised systems, and returns results—making C2 traffic blend in as normal AI service usage.
- Threat actors used compression, layered symmetric and asymmetric encryption, and other techniques to secure and obfuscate C2 communications.
- Investigators also found a complex network of internal web shells and malicious Visual Studio utilities injected with rogue libraries using .NET AppDomainManager injection.
- The SesameOp infection chain includes a loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64) that relies on OpenAI for communications.
- The DLL was heavily obfuscated with Eazfuscator.NET to enhance stealth, persistence, and encrypted communication.
- Microsoft informed OpenAI, which disabled the attacker’s API key and account, confirming no unusual model usage beyond limited API calls.
- The abuse did not stem from a vulnerability in the OpenAI API but from intentional misuse of its legitimate capabilities.
- Microsoft and OpenAI will continue collaborating to understand and disrupt emerging AI-powered attacker techniques.
- Recommended mitigations include reviewing firewall and web server logs, limiting internet-exposed systems, enabling network and endpoint firewalls, blocking unauthorized C2 communications, and tightening proxy and perimeter firewall policies.
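The log-review and C2-blocking mitigations above work here because SesameOp's traffic goes to a legitimate AI service: what stands out is not the destination but which internal hosts are talking to it. The following added example (not from Microsoft's report) checks constructed egress log lines against an allowlist of hosts approved to use the API and counts connections from everything else; the log format, the addresses, and the assumption that the Assistants API is reached via api.openai.com are all assumptions to adapt to your own environment.

```python
from collections import defaultdict

# Constructed: internal hosts that are approved to use OpenAI services.
APPROVED_AI_CLIENTS = {"10.0.1.15", "10.0.1.16"}

# Assumed API destination; adjust to what your egress policy actually permits.
AI_API_HOSTS = {"api.openai.com"}

# Constructed egress log lines: "client_ip dest_host dest_port bytes_out". Not real traffic.
SAMPLE_EGRESS_LOG = """\
10.0.1.15 api.openai.com 443 5120
10.0.1.16 api.openai.com 443 8192
10.0.2.40 api.openai.com 443 412
10.0.2.40 api.openai.com 443 388
10.0.2.40 api.openai.com 443 401
10.0.3.7 login.microsoftonline.com 443 2048
"""


def parse_egress(log_text):
    """Parse log lines into (client, host, port, bytes_out) tuples, skipping malformed ones."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, host, port, nbytes = parts
        try:
            rows.append((client, host.lower(), int(port), int(nbytes)))
        except ValueError:
            continue  # non-numeric port or byte count: treat as malformed
    return rows


def unapproved_ai_egress(log_text, approved=APPROVED_AI_CLIENTS, api_hosts=AI_API_HOSTS):
    """Return {client: connection_count} for clients reaching an AI API host
    that are not on the approved list. Repeated small connections from a host
    that has no business reason to use the service warrant a closer look."""
    counts = defaultdict(int)
    for client, host, _port, _nbytes in parse_egress(log_text):
        if host in api_hosts and client not in approved:
            counts[client] += 1
    return dict(counts)
```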
Sturnus
Researchers uncovered Sturnus, a new Android banking trojan designed for credential theft and full device takeover to facilitate financial fraud.
Summary
- Sturnus can bypass encrypted messaging apps (WhatsApp, Telegram, Signal) by capturing content directly from the device screen after decryption.
- It conducts overlay attacks, displaying fake banking login screens to steal credentials, with region-specific overlays.
- The malware is in a private, early evaluation stage and is distributed via malicious apps such as a fake Google Chrome app and Preemix Box.
- Sturnus uses a mix of plaintext, AES, and RSA communications; this “mixed pattern”, likened to the European starling’s mottled plumage, inspired its name (Sturnus is the starling genus).
- Once launched, the trojan connects to a remote C2 server via WebSocket and HTTP to register the device and receive payloads.
- It abuses Android accessibility services to capture keystrokes, monitor UI interactions, gather chat contents, and control the device remotely.
- The trojan can display a fake system update full-screen overlay to hide malicious activity running in the background.
- It resists removal by monitoring attempts to revoke its device administrator rights and automatically navigating away from settings screens that could uninstall or stop it.
- Sturnus continuously collects extensive device environment data, enabling attackers to adapt tactics and refine the malware for future, broader operations.