剣 KENSAI
← All posts · security · 2026-04-04 · 8 min

Device-Code-Phishing steigt 37x, TA416 greift Europa an, LinkedIn BrowserGate, Qilin trifft Die Linke

OAuth-Device-Code-Phishing explodiert mit 11 Kits. TA416 nimmt EU-Spionage mit PlugX wieder auf. LinkedIn scannt 6.000+ Erweiterungen. Qilin trifft Die Linke. SparkCat kehrt zurück.


1. Device Code Phishing Attacks Surge 37x — 11 PhaaS Kits Now Available

⚠ CRITICAL — OAuth Device Flow Widely Weaponized

Device code phishing attacks abusing the OAuth 2.0 Device Authorization Grant flow have surged 37.5x in 2026. At least 11 phishing kits now offer this capability as a service, making the technique accessible to low-skilled attackers.

Security researchers at Push Security have documented an explosive increase in device code phishing, a technique that abuses the OAuth 2.0 Device Authorization Grant flow designed for input-constrained devices like smart TVs and IoT hardware. The attack tricks victims into entering an attacker-generated device code on a legitimate Microsoft login page, unknowingly granting the attacker persistent access via valid tokens.

How the Attack Works

The threat actor sends a device authorization request to the identity provider and receives a code. This code is delivered to the victim via phishing lures — typically SaaS-themed pages mimicking DocuSign, SharePoint, Microsoft Teams, or Adobe. When the victim enters the code on the legitimate login page, the attacker's device receives valid access and refresh tokens, bypassing MFA entirely.

11 Competing Phishing Kits

The EvilTokens phishing-as-a-service platform, documented by Sekoia earlier this week, has been the primary driver of mainstream adoption. However, Push Security identified 10 additional competing kits:

Defensive Recommendations


2. China-Linked TA416 Resumes European Government Espionage With PlugX

🔶 HIGH — State-Sponsored Espionage Campaign Against EU & NATO

The TA416 APT group (overlapping with RedDelta, Vertigo Panda) has resumed aggressive targeting of European government and diplomatic organizations after a two-year pause, deploying updated PlugX backdoors via OAuth redirect abuse.

Proofpoint researchers have documented TA416's renewed espionage campaign against European government and diplomatic organizations since mid-2025. The China-aligned group — which overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda — targeted diplomatic missions to the EU and NATO across multiple European countries.

Evolving Attack Chain

TA416 has continuously evolved its infection techniques throughout the campaign:

Middle East Expansion

Beyond Europe, TA416 has also launched campaigns targeting diplomatic and government entities in the Middle East following the U.S.-Israel-Iran conflict in late February 2026, likely seeking regional intelligence.

Technical Details

The February 2026 attack chain downloads archives from Google Drive or compromised SharePoint instances containing a legitimate MSBuild executable and a malicious C# project file. The CSPROJ file decodes three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, executing PlugX via the group's characteristic DLL side-loading technique.

Indicators & Mitigations


3. LinkedIn "BrowserGate" — Microsoft Platform Scans 6,000+ Chrome Extensions

🔶 HIGH — Privacy Concerns Over Covert Browser Fingerprinting

LinkedIn has been caught injecting JavaScript that scans visitors' browsers for over 6,000 Chrome extensions and collecting detailed device fingerprinting data, linking results to identifiable user profiles.

A report dubbed "BrowserGate" by Fairlinked e.V. reveals that Microsoft's LinkedIn is using hidden JavaScript to scan visitors' browsers for installed extensions and collect device data. BleepingComputer independently confirmed the claims, observing a JavaScript file with a randomized filename loaded by LinkedIn's website that checked for 6,236 browser extensions.

What LinkedIn Collects

Growing Scope

The extension scanning has been escalating: from approximately 2,000 extensions in 2025, to 3,000 two months ago, to the current 6,236. Beyond LinkedIn-related extensions, the script also detects language tools, grammar extensions, tax professional tools, and seemingly unrelated features.

Competitive Intelligence Concerns

The report alleges that LinkedIn uses this data to map which companies use competing products, effectively extracting competitor customer lists from users' browsers. LinkedIn reportedly sent enforcement threats to users of third-party tools based on data obtained through covert scanning.

LinkedIn's Response

LinkedIn does not dispute detecting extensions but claims the practice is for platform protection. The company states the report author's account was banned for scraping and violating terms of service. LinkedIn says extension detection helps identify tools that scrape data without member consent.


4. Qilin Ransomware Steals Data From German Political Party Die Linke

⚠ CRITICAL — Political Party Data Breach With Geopolitical Implications

The Qilin ransomware group has compromised Germany's Die Linke political party, stealing sensitive internal data and employee personal information. The party suggests the attack may be politically motivated.

The Qilin ransomware group has claimed responsibility for an attack against Die Linke (The Left), a German democratic socialist political party currently represented in the Bundestag with 64 members and 123,000 registered members. The attack on March 27 forced an IT systems outage at party headquarters.

What Was Stolen

Political Dimensions

Die Linke described the attackers as Russian-speaking cybercriminals with both financial and political motivations, stating the attack "does not appear to be coincidental." The party characterized ransomware attacks against political organizations as "part of hybrid warfare" and "an attack on critical infrastructure." Russia-linked groups have previously targeted German political parties — in 2024, APT29 targeted CDU with the WineLoader backdoor.

Response Actions


5. SparkCat Crypto-Stealing Malware Returns to iOS and Android App Stores

🔶 HIGH — Official App Stores Compromised Again

A new, more sophisticated variant of SparkCat has been discovered in the Apple App Store and Google Play Store, using OCR to steal cryptocurrency wallet recovery phrases from victims' photo galleries.

Kaspersky researchers have discovered a new version of SparkCat malware on both the Apple App Store and Google Play Store, more than a year after the trojan was first documented. The malware hides within seemingly benign apps — enterprise messengers and food delivery services — while silently scanning victims' photo galleries for cryptocurrency wallet recovery phrases.

Technical Evolution

Scope & Attribution

Kaspersky found two infected apps on the App Store and one on Google Play, primarily targeting cryptocurrency users in Asia. The operation is attributed to a Chinese-speaking operator. The iOS variant's English-language scanning makes it potentially broader in reach, affecting users globally regardless of region.

User Protections


Zusammenfassung der Bedrohungslage

BedrohungSchweregradMaßnahme
Device code phishing (11 kits)CRITICALDisable device auth grant, monitor auth logs
TA416 PlugX against EU/NATOHIGHReview OAuth apps, block known C2 infrastructure
LinkedIn BrowserGateHIGHReview extension exposure, consider browser profiles
Qilin ransomware vs Die LinkeCRITICALPolitical orgs: review ransomware readiness
SparkCat crypto stealerHIGHNever photograph seed phrases, review app permissions