THREATSDAY Bulletin this week continues to show threat actors leaning on familiar, trusted tools rather than chasing flashy new exploits, with a pattern of quiet, persistent intrusions designed to stay embedded and extract value. The issue highlights a 0-click risk in Claude Desktop Extensions, where a calendar prompt could trigger arbitrary local code execution, and notes that Anthropic’s product group has opted not to fix the issue at this time.
The briefing also covers RenEngine Loader and Foxveil loaders used to deliver next-stage payloads, and notes campaigns using pirated game installers to deploy the RenEngine Loader, with more than 400,000 global victims estimated. Additional items include 25+ stories across topics such as AI prompt injection, data theft campaigns, and ransomware developments, underscoring a trend of attackers exploiting legitimate workflows and space in plain sight rather than relying solely on new CVEs.
The bulletin draws on multiple sources, with coverage ranging from cloud loaders to desktop extensions and beyond, to sketch a broader operating picture where speed meets stealth. according to LayerX Security, the Claude issue demonstrates how unsandboxed extensions can chain low-risk connectors to high-risk executors, facilitating silent compromises.