Week 12, March 14, 2026

SoK Mirror Review, C2PA 2.1 Migration, and Threat Landscape Velocity

C2PA 2.1 migration work for ProvStamp, ThreatWatch dedup overhaul with MinHash LSH, and a busy threat week: ClearFake domain cycling under 4 hours, StrelaStealer, and two new ransomware victim postings.

PhishRig, ProvStamp, ThreatWatch, Threat Intelligence

What I was reading

“SoK: History is a Mirror to the Future” (IEEE S&P 2025) — finally got through the full version this week. The section on credential-harvesting attack evolution is directly relevant to PhishRig work. The authors trace AiTM (Adversary-in-the-Middle) proxy phishing from early Evilginx iterations through modern session-token theft and make a compelling case that MFA bypass rates have plateaued not because defenses improved but because attackers shifted target selection upstream. Worth revisiting when I update PhishRig’s scenario templates.

C2PA 2.1 spec draft (Content Authenticity Initiative) — working through the changes to the c2pa.actions assertion schema, specifically the new digitalSourceType vocabulary additions. The draft formalizes distinctions between trainedAlgorithmicMedia and compositeWithTrainedAlgorithmicMedia that matter directly for ProvStamp’s classification pipeline. Previous spec was ambiguous enough that our label resolution logic was doing guesswork in ~12% of cases. The new vocabulary should collapse that.

Kang et al., “vTrain: Efficient GPU Memory Management for LLM Training” — skimming this for Moxel context. Their approach to page-granular VRAM migration is different from what we’re doing (we pool across physical GPUs rather than manage pages within one), but the pressure metrics they use to decide migration timing are interesting. Our current heuristic is naive utilization threshold; their gradient-aware predictor might translate.


What I was building

ThreatWatch — feed deduplication overhaul. The 03:00 UTC run on March 14 was a stark illustration of the problem: 1,653 articles fetched, 252 post-dedup, 496 scrape failures. The failure spike was a Cloudflare challenge wall on a cluster of news aggregator feeds that rotate their JS challenge fingerprint. I’ve been patching the scraper to use a rotating headless session pool, but the real issue is that our hash-based dedup cannot match near-duplicate content arriving through different syndication chains, so those copies get through. Switching to a MinHash LSH approach (128 bands of 2 rows, Jaccard threshold ~0.85) in the enrichment layer. Early tests on a sample of 5,000 articles from last week bring the duplicate escape rate from ~4% down to under 1%.
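As an added illustration of the MinHash LSH pass sketched above (example code, not ThreatWatch's own): articles are word-shingled, turned into 256-slot signatures, banded 128 x 2 to propose candidate pairs, and each candidate is confirmed against the ~0.85 Jaccard estimate, since 2-row bands are permissive on their own. The sample articles, the affine hash family and the seed are constructed for the example.

```python
import hashlib
import random
from itertools import combinations

# Parameters from the notes: 128 bands x 2 rows = 256 hash functions, Jaccard >= 0.85.
BANDS, ROWS = 128, 2
NUM_PERMS = BANDS * ROWS
JACCARD_THRESHOLD = 0.85
PRIME = (1 << 61) - 1  # modulus for the affine hash family (a*x + b) mod PRIME
_rng = random.Random(20260314)  # fixed seed: signatures must be stable across runs
PERMS = [(_rng.randrange(1, PRIME), _rng.randrange(0, PRIME)) for _ in range(NUM_PERMS)]

def shingles(text, k=3):
    """Word k-shingles of a lightly normalized article body."""
    words = text.lower().split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def minhash(shingle_set):
    """One slot per permutation: the minimum permuted hash over the set (sha1 is only a stable 64-bit hash)."""
    xs = [int.from_bytes(hashlib.sha1(s.encode()).digest()[:8], "big") for s in shingle_set]
    return [min((a * x + b) % PRIME for x in xs) for a, b in PERMS]

def estimated_jaccard(sig_a, sig_b):
    """Fraction of agreeing slots estimates the Jaccard similarity of the shingle sets."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / NUM_PERMS

def find_near_duplicates(docs):
    """Banding proposes candidates; with r=2 it is permissive, so the estimate check does the real work."""
    sigs = {doc_id: minhash(shingles(text)) for doc_id, text in docs.items()}
    buckets = {}
    for doc_id, sig in sigs.items():
        for band in range(BANDS):
            key = (band, tuple(sig[band * ROWS:(band + 1) * ROWS]))
            buckets.setdefault(key, set()).add(doc_id)
    candidates = set()
    for members in buckets.values():
        if len(members) > 1:
            candidates.update(combinations(sorted(members), 2))
    return sorted(p for p in candidates if estimated_jaccard(sigs[p[0]], sigs[p[1]]) >= JACCARD_THRESHOLD)

# Constructed sample: an article, a syndicated copy with a trailing credit, a verbatim copy, an unrelated story.
_ARTICLE = ("Researchers reported a new wave of fake browser update pages this week, with "
            "landing domains rotating every few hours. The pages push a downloaded installer "
            "that drops a credential stealer. Defenders are advised to block the listed domains "
            "and to monitor for unexpected script execution launched from browser downloads.")
SAMPLE_DOCS = {
    "orig": _ARTICLE,
    "syndicated": _ARTICLE + " Wire report.",
    "verbatim": _ARTICLE,
    "unrelated": "Quarterly earnings for the regional grocery chain rose after it expanded delivery to three new counties.",
}
```

Calling `find_near_duplicates(SAMPLE_DOCS)` returns the three pairs among the original, syndicated and verbatim copies and leaves the unrelated story unpaired.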

ProvStamp — C2PA 2.1 migration prep. Started scaffolding the updated digitalSourceType enum mapping in the manifest builder. The tricky part is backward compatibility: existing credentials issued under 2.0 use string literals that don’t map cleanly to the new vocabulary. I’m building a migration shim that normalizes on ingest. For Museka specifically, HeartMuLa 3B outputs need to be stamped as trainedAlgorithmicMedia with a c2pa.created action; the shim needs to correctly downconvert these for validators still running 2.0. Should have a working draft by end of next week.

PhishRig — Evilginx3 lure template refresh. Updated the Microsoft 365 and DocuSign lure pages against current production UI. The DocuSign template was 8 months stale — button placement and font rendering changes were immediately detectable to anyone paying attention. Also added a Mailhog webhook integration so captured credentials stream to a local dashboard in real time during engagements instead of requiring manual log polling.


Threat landscape notes

ClearFake surge. ThreatWatch is showing unusually high IOC velocity for ClearFake this week — multiple ThreatFox updates across the day on March 14, each batch at 10 new IOCs. ClearFake’s fake browser-update delivery mechanism has historically been static, but recent samples are cycling landing page domains on sub-4-hour intervals, which is burning through blocklist TTL windows. Worth adding a short-TTL feed path in ThreatWatch for this family specifically.

StrelaStealer renewed activity. Two separate IOC batches from ThreatFox today. StrelaStealer historically targets Outlook and Thunderbird credential stores via .zip/.one phishing lures. The renewed IOC submissions suggest an active campaign, likely correlated with the end-of-quarter period when invoice-themed lures perform better. Relevant for PhishRig scenario design — this TTP maps well to a template we could add.

Nightspire and BEAST ransomware — active victim posting. Ransomware.live picked up nightspire claiming CFTC Metallurgie (FR, discovered 2026-03-10) and BEAST posting two new victims today: Trinity Catholic High School (US) and Communicate UK (GB). BEAST’s breadth is notable — education and SME telecoms in the same posting window suggests opportunistic targeting rather than sector-specific campaigns. The Telus / ShinyHunters incident also surfaced this week; ShinyHunters’ data exposure operations continue to overlap with ransomware precursor activity patterns.


What I’m thinking about

The ClearFake domain cycling pattern is pointing at a broader operational tempo shift I’ve been tracking: threat actors are increasingly treating IOC validity windows as a design constraint rather than an operational risk. If your infrastructure turnover is faster than the median blocklist update cycle (~6 hours for most commercial feeds), you’re effectively running clean indefinitely. ThreatWatch’s 10-minute polling is better than most, but even that has gaps. I want to explore whether behavioral signals — traffic shape, TLS fingerprint clustering — can substitute for domain-level blocking in the short-TTL regime.

On the ProvStamp side, I’m increasingly skeptical that C2PA alone is sufficient for EU AI Act Article 50 compliance in the generated-music context. The act’s transparency obligation is about end-user disclosure, not just manifest presence. Museka needs a visible UI disclosure layer, not just a credential in the file’s metadata that 99% of listeners will never inspect.

Next week: MinHash LSH dedup goes into ThreatWatch staging; first pass at ProvStamp 2.1 shim with Museka test fixtures; and a closer look at ValleyRAT IOC clusters that have been quietly accumulating in the feed.