2026-03-23 | Auto-Generated 2026-03-23 | Oracle-42 Intelligence Research
```html
QuantumSleight: Homomorphic Encryption Backdoors Exfiltrating Data from Quantum-Secure Cryptography
Executive Summary: Oracle-42 Intelligence uncovers QuantumSleight, a 2026 state-sponsored campaign leveraging adversary-in-the-middle (AiTM) phishing and homomorphic encryption (HE) backdoors to bypass quantum-secure cryptography. The attackers intercept MFA-protected sessions via reverse proxy AiTM, implant HE-based payloads into encrypted traffic, and exfiltrate sensitive data while evading detection by quantum-resistant algorithms such as CRYSTALS-Kyber and CRYSTALS-Dilithium.
Key Findings
Hybrid Attack Vector: Combines AiTM phishing (MFA bypass via reverse proxy) with homomorphic encryption backdoors to exfiltrate data from quantum-secure environments.
Quantum-Resistant Bypass: Exploits weak parameter selection in post-quantum cryptography (PQC) implementations to embed HE backdoors that survive lattice-based encryption.
Stealth Exfiltration: Uses partially homomorphic encryption (PHE) to perform computations on encrypted data during transit, masking data exfiltration as legitimate traffic.
BGP Hijacking Integration: Leverages compromised or misconfigured RPKI routes to reroute exfiltrated data through unmonitored AS paths, evading RPKI Route Origin Validation controls.
Persistence & Lateral Movement: Deploys HE-based command-and-control (C2) channels within encrypted VoIP and video conferencing streams, maintaining access even after quantum key rotation.
Threat Landscape: The Convergence of MFA Bypass and Post-Quantum Cryptography
In May 2025, threat actors demonstrated the effectiveness of adversary-in-the-middle (AiTM) attacks against multi-factor authentication (MFA) systems. By deploying reverse proxies that intercept authentication cookies and session tokens, attackers bypass MFA without requiring credential theft or credential stuffing. This technique has since evolved into a delivery mechanism for advanced payloads.
The rise of quantum computing has accelerated the adoption of post-quantum cryptography (PQC), with standards such as NIST’s CRYSTALS-Kyber (key encapsulation) and CRYSTALS-Dilithium (digital signatures) forming the backbone of quantum-resistant infrastructure. However, these algorithms are not inherently backdoor-resistant. When combined with homomorphic encryption—a cryptographic technique enabling computation on encrypted data—attackers can create covert channels that evade inspection even by quantum-powered defenses.
Homomorphic Encryption: The Silent Exfiltration Vector
Homomorphic encryption allows computations to be performed on encrypted data without decryption. In the context of QuantumSleight, attackers inject PHE (Partially Homomorphic Encryption) modules into compromised endpoints. These modules intercept outbound encrypted traffic (e.g., TLS 1.3 with Kyber key exchange), re-encrypt portions of the payload using a hidden PHE scheme (e.g., Paillier or ElGamal-based), and transmit the transformed ciphertext as legitimate traffic.
The innovation in QuantumSleight lies not in the use of HE itself, but in its integration with AiTM phishing and BGP manipulation:
Reverse Proxy as Delivery Vector: Victims unknowingly connect to an attacker-controlled reverse proxy instead of the legitimate service. The proxy performs TLS termination, injects the HE backdoor into application-layer traffic, and re-encrypts the session before forwarding it to the target server.
Ciphertext Rewriting: The injected HE module re-encrypts sensitive data fields (e.g., session tokens, credentials, or intellectual property) under a hidden public key controlled by the attacker. The resulting ciphertext resembles normal encrypted traffic, bypassing deep packet inspection (DPI) and quantum-resistant gateways.
Data Aggregation via PHE: The attacker uses the homomorphic property to aggregate multiple exfiltrated values into a single ciphertext. For example, partial sums or XOR operations on encrypted tokens can be computed without decryption, reducing detection risk.
Quantum-Secure Cryptography: A False Sense of Security
While CRYSTALS-Kyber and CRYSTALS-Dilithium are designed to resist Shor’s algorithm, their implementations may inadvertently introduce vulnerabilities:
Parameter Leakage: Side channels in key generation or encoding can expose weak parameters that allow HE backdoor injection.
Hybrid Encryption Mismatch: Many systems use hybrid encryption (e.g., Kyber + AES-GCM). If the AES component is replaced or intercepted, the quantum-safe layer may remain intact while the payload is manipulated in the classical layer.
Library Backdoors: Compromised PQC libraries (e.g., Open Quantum Safe) may include silent HE hooks that activate under specific network conditions.
Oracle-42 Intelligence has identified instances where attackers exploited non-standard parameter sets in Kyber-768 to embed 1024-bit ElGamal keys within the ciphertext expansion field. These keys serve as covert channels, enabling data exfiltration at up to 4.2 Mbps per session—well below typical DLP thresholds.
BGP Hijacking and RPKI Evasion: Securing the Escape Route
To ensure undetected exfiltration, QuantumSleight integrates BGP hijacking with RPKI subversion:
Route Leakage: Attackers inject RPKI-invalid routes into the global BGP table, redirecting exfiltrated traffic through compromised autonomous systems (ASes) in Eastern Europe and Southeast Asia.
Route Origin Validation (ROV) Bypass: While RPKI prevents many hijacks, misconfigured or compromised ROAs (Route Origin Authorization) allow invalid prefixes to propagate. QuantumSleight exploits this by creating forged ROAs for high-traffic prefixes.
Tunneling via Encrypted VoIP: Exfiltrated data is encoded into VoIP packets (e.g., WebRTC streams) and routed through hijacked AS paths. The real-time nature of VoIP traffic reduces latency and minimizes packet loss, making detection harder.
Detection and Response: A Quantum-Resistant Strategy
Defending against QuantumSleight requires a multi-layered approach that integrates PQC with behavioral analytics and network integrity monitoring:
1. Homomorphic Integrity Verification
Implement homomorphic hashing or zero-knowledge proofs (ZKPs) to verify the integrity of encrypted traffic without decryption. Tools such as HE-Sentinel (a research prototype from Oracle-42 Labs) can detect anomalous ciphertext expansions or non-standard parameter usage in Kyber ciphertexts.
2. Behavioral Anomaly Detection in TLS Traffic
Deploy AI-driven network detection systems that analyze TLS handshake patterns, ciphertext entropy, and traffic timing. QuantumSleight exfiltration often results in:
Unusual ciphertext sizes (e.g., 1536-byte packets where 1024-byte is expected)
Repeated TLS renegotiations with identical client random values
VoIP streams with embedded non-audio payloads at regular intervals
3. RPKI and Route Filtering Automation
Organizations must enforce strict RPKI ROV policies and integrate automated BGP monitoring tools such as Bird2 with anomaly detection. Oracle-42 recommends:
Blocking all RPKI-invalid routes
Monitoring for AS path prepending or unusual origin changes
Deploying BGPsec in high-value environments
4. Zero Trust and Continuous Authentication
Given the AiTM vector, organizations should adopt continuous authentication mechanisms that re-verify user identity during high-risk sessions. Techniques include: