Category Archive
Malware
103 reports · All intelligence
Malware family breakdowns and reversing notes, mapped to the behavior defenders can actually detect and block.
Fake Payment SDKs Show Why Dependency Risk Is Credential Risk
Socket uncovered malicious npm and PyPI packages impersonating Paysafe, Skrill, and Neteller SDKs. Here is what SMBs and government contractors should do now to protect CI secrets, developer machines, and payment integrations.
Vidar Stealer Campaign Shows Why File Size and Fake Signatures Still Beat Weak Controls
Unit 42 reported a Vidar stealer and XMRig campaign using malvertising, fake cracked-software lures, misleading certificate metadata, oversized binaries, and commodity loader infrastructure. Here is what SMBs and government contractors should take away.
UAT-7810 Shows Edge Devices Are Becoming China-Nexus Relay Infrastructure
Cisco Talos reports UAT-7810 is expanding ORB relay infrastructure using compromised edge and embedded devices. Here is what SMBs and government contractors should do now.
FortiBleed Shows Firewall Credentials Are Ransomware Fuel
SOCRadar linked the FortiBleed FortiGate credential-harvesting campaign to INC and Lynx ransomware operations. Here is what SMBs and government contractors should do next.
NetNut and Popa Takedown Shows Residential Proxies Are Now Attack Infrastructure
The FBI and industry partners disrupted NetNut and the Popa botnet. Here is why residential proxy abuse matters for SMBs, government contractors, and defenders.
Vect and TeamPCP Show Supply-Chain Credentials Are Ransomware Fuel
Sophos CTU reports that Vect and TeamPCP have linked ransomware deployment with supply-chain credential theft. Here is what SMBs and government contractors should harden now.
Ousaban Shows Banking Trojans Are Learning to Hide From Sandboxes
Ousaban’s Spain and Portugal campaign shows how banking trojans use geofencing, phishing PDFs, steganography, and daily-changing C2 to evade sandbox-heavy defenses.
SimpleHelp Exploitation Shows RMM Is a Credential Control Plane
Active exploitation of SimpleHelp CVE-2026-48558 shows why RMM platforms must be treated as privileged credential control planes, not routine support tools.
Bing SEO Poisoning Shows IT Admin Downloads Are Ransomware Initial Access
A DFIR Report case study shows how a fake ManageEngine OpManager download led from BumbleBee and AdaptixC2 to Akira ransomware. The defensive lesson: admin software downloads need control, verification, and monitoring.
Shai Hulud Shows CI/CD Identity Is Production Cloud Identity
Fortinet’s Shai Hulud case study shows how poisoned CI/CD dependencies can become cloud identity compromise, IAM escalation, and Redshift data theft. Here is what SMBs and government contractors should harden now.
Hospitality Photo-ZIP Campaign Shows Front Desk Workflows Are Initial Access Paths
Microsoft’s hospitality photo-ZIP campaign shows why front desk, booking, and customer intake workflows need executable-content controls, redirect-chain inspection, and endpoint hunting for unusual Node.js persistence.
StrikeShark Shows Loader Malware Is an Edge-Exposure Problem
Kaspersky’s StrikeShark research shows how opportunistic exploitation of exposed servers can become a multi-stage SharkLoader and Cobalt Strike intrusion. Here is what SMBs and government contractors should review now.
MuddyWater’s Chaos Masquerade Shows Ransomware Response Needs Attribution Discipline
Iran-linked MuddyWater activity shows why ransomware response needs to examine identity compromise, remote access, and adversary objectives instead of trusting the ransom note at face value.
SocGholish Takedown Shows Website Trust Is Malware Infrastructure
Operation Endgame disrupted SocGholish infrastructure, but the defensive lesson is bigger: compromised trusted websites are malware delivery infrastructure.
Mastra npm Compromise Shows AI Frameworks Are Supply-Chain Targets
Microsoft linked the Mastra AI npm package compromise to North Korean actor Sapphire Sleet. Here is what SMBs and government contractors should do about AI framework supply-chain risk.
Showboat Malware Shows Telecom Linux Servers Need Rootkit-Level Monitoring
Showboat is a China-linked Linux post-exploitation framework aimed at telecom providers. The lesson for defenders: treat Linux server persistence, dynamic linker abuse, and low-noise C2 as first-class monitoring priorities.
SmartApeSG Okendo Compromise Shows Third-Party Widgets Are Supply-Chain Risk
Zscaler ThreatLabz reported that SmartApeSG injected malicious JavaScript into the Okendo Reviews widget, creating downstream exposure across e-commerce sites. Here is what SMBs and government contractors should do about third-party browser code risk.
Tor-Based Crypto Clipper Shows Clipboard Theft Is Now Backdoor Activity
Microsoft research on a Tor-routed crypto clipper shows why defenders should connect USB shortcut execution, script interpreters, localhost proxy activity, and clipboard theft into one investigation path.
Shai-Hulud Shows AI Package Scanners Need Prompt-Injection Boundaries
Zscaler ThreatLabz says the Shai-Hulud campaign has expanded across package ecosystems and introduced prompt-injection tactics aimed at automated AI security triage. The defense lesson is simple: treat package content as hostile input, even when an LLM is doing the review.
IMA Diligence Breach Shows Legacy Servers Are Still Third-Party Risk
A reported IMA Diligence breach affecting more than 525,000 people shows why legacy third-party servers need ownership, monitoring, decommissioning, and data-risk review.
C0XMO Shows IoT Botnets Are Still an Edge Exposure Problem
Fortinet researchers detailed C0XMO, a Gafgyt variant spreading through DD-WRT and other exposed devices. Here is what SMBs and government contractors should lock down before compromised routers become DDoS infrastructure.
TA4922’s Global Expansion Shows HR and Tax Lures Are Initial Access Infrastructure
Proofpoint’s TA4922 reporting shows how localized HR, payroll, tax, and invoice lures can become full initial-access infrastructure through DLL sideloading, loaders, RATs, RMM tools, and browser credential theft.
Red Hat’s Miasma npm Compromise Shows Trusted Publishing Is Not a Control Boundary
A Red Hat Cloud Services npm compromise shows why signed releases and trusted publishing must be paired with install-time controls, CI/CD isolation, and fast credential rotation.
AI-Assisted Ransomware Tooling Shows EDR Evasion Is Now an Iteration Problem
Sophos observed ransomware-linked operators using AI-assisted development workflows to accelerate EDR evasion testing and Active Directory discovery. The defensive lesson: validate controls, harden identity, and monitor behavior before attackers iterate around your tooling.
FlutterBridge Shows Why macOS Malvertising Is Backdoor Delivery, Not Just Adware
Unit 42’s FlutterBridge research shows macOS malvertising evolving from adware into FlutterShell backdoor delivery. Here is what SMBs and government contractors should tighten first.
Mustang Panda’s Fake Browser Updater Shows Why LNK Files Still Matter
Mustang Panda’s fake browser updater chain shows why defenders still need to hunt LNK-to-PowerShell execution, DLL sideloading, user-context persistence, and suspicious HTTPS beaconing.
FortiClient EMS Exploitation Turns Endpoint Management Into an Infostealer Delivery System
Attackers are abusing CVE-2026-35616 in FortiClient EMS to push a credential stealer through trusted endpoint management workflows. Here is what defenders should check first.
SolyxImmortal Shows Why Python Infostealers Are a Business Risk, Not Just Malware Noise
SolyxImmortal combines persistence, browser credential theft, document collection, screenshots, keylogging, and webhook exfiltration. Here is what SMB and government-contractor defenders should do about it.
Showboat and JFMBackdoor Show Telecom Intrusions Are Built for Pivoting
Lumen and PwC reporting on Showboat, Red Lamassu, and JFMBackdoor shows how China-linked telecom intrusions combine Linux footholds, proxying, and Windows backdoors. Here is what SMBs and government contractors should harden now.
SideCopy’s XenoRAT Campaign Shows Why Localized Lures Beat Generic Phishing Defenses
SideCopy/APT36 targeted Afghanistan finance officials with Pashto-language lures and XenoRAT. Here is what SMBs and government contractors should take from the campaign.
Dependency Confusion Campaign Shows Reconnaissance Is the First Supply-Chain Payload
Microsoft found 33 malicious npm packages abusing dependency confusion to profile developer and build environments. The defender lesson: treat package installation as code execution and lock down internal namespace hygiene before attackers do reconnaissance at scale.
Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access
Microsoft reported a cryptojacking campaign that uses poisoned search results, AI-surfaced software recommendations, fake utility downloads, and abused ScreenConnect access. Here is what SMBs and government contractors should defend first.
Megalodon GitHub Actions Backdoor Shows CI/CD Is Now a Credential Battlefield
The Megalodon GitHub campaign shows why CI/CD pipelines must be treated like production infrastructure: malicious workflow commits can harvest cloud credentials, OIDC tokens, SSH keys, and package secrets at scale.
Laravel-Lang Compromise Shows Dependency Tags Can Be Weaponized
A Laravel-Lang package compromise shows why trusted dependency tags, Composer autoload behavior, and runtime secrets need security monitoring—not just engineering review.
Cl0p’s South Staffs Water Case Shows SOC Coverage Must Be Proven
The South Staffordshire Water breach shows why outsourced SOC coverage, legacy server risk, and vulnerability management must be proven—not assumed—for SMBs, utilities, and government contractors.
Void Dokkaebi’s InvisibleFerret Shift Shows Developer Endpoints Are Production Risk
Trend Micro reports North Korea-aligned Void Dokkaebi has moved InvisibleFerret into Cython-compiled Python extension modules. For SMBs and government contractors, the real risk is developer endpoint access to CI/CD, cloud, and production secrets.
Nimbus Manticore Shows Iranian APTs Are Moving Faster With AI-Assisted Tooling
Check Point Research reports that IRGC-affiliated Nimbus Manticore resurfaced with fake Zoom and SQL Developer lures, SEO poisoning, AppDomain hijacking, and a new MiniFast backdoor. Here is what SMBs and government contractors should tighten first.
Kimwolf Arrest Shows DDoS Risk Starts on Forgotten IoT
The alleged Kimwolf botmaster arrest is a useful reminder for SMBs and government contractors: DDoS resilience starts with asset visibility, upstream protection, and hardening forgotten IoT and edge devices.
TamperedChef Shows Signed Productivity Apps Cannot Be Trusted by Default
TamperedChef-style malware hides inside convincing signed productivity apps. Here is what SMBs and government contractors should do about it.
Mini Shai-Hulud Shows CI/CD Secrets Are the Real npm Supply-Chain Prize
Mini Shai-Hulud’s @antv npm compromise shows why dependency malware should be treated as a CI/CD credential-theft threat, not just a package hygiene problem.
P2Pinfect Shows Exposed Redis in Kubernetes Can Become Dormant Botnet Infrastructure
Fortinet observed P2Pinfect infections inside GKE clusters where exposed Redis instances became long-lived botnet footholds. For SMBs and government contractors, the lesson is clear: cloud misconfiguration, runtime visibility, and egress monitoring matter as much as patching.
Fox Tempest Shows Code Signing Trust Can Be Weaponized
Microsoft disrupted Fox Tempest, a malware-signing-as-a-service operation that helped ransomware crews make malicious binaries look trusted. Here is what SMBs and government contractors should review now.
node-ipc Backdoor Shows Why CI Secrets Need Supply Chain Controls
Malicious node-ipc npm releases turned a package update into a credential-exposure event. Here is what SMBs and government contractors should check first.
PawsRunner Steganography Shows Infostealers Are Hiding in Plain Sight
FortiGuard Labs reports PureLogs is being delivered through PawsRunner steganography. Here is what SMBs and government contractors should watch for defensively.
Gremlin Stealer Shows Why Browser Sessions Are Now High-Value Targets
Unit 42 reports Gremlin Stealer has evolved with resource-file obfuscation, session hijacking, Discord token theft, and crypto clipboard fraud. Here is what SMBs and government contractors should do defensively.
Kazuar Shows Russian Espionage Malware Is Engineering for Resilience
Microsoft reports that Kazuar, attributed to Russian state actor Secret Blizzard, has evolved into a modular P2P botnet. Here is what SMBs and government contractors should take from it defensively.
The Gentlemen RaaS Leak Shows Ransomware Is Still an Edge-Device Problem
Check Point’s look inside The Gentlemen ransomware operation is a useful reminder for SMBs and government contractors: exposed edge appliances, weak identity controls, and unmanaged remote access paths still drive real ransomware risk.
JDownloader Site Compromise Shows Why Trusted Downloads Still Need Verification
Attackers swapped selected JDownloader website download links with malicious installers. Here is what SMB and government-contractor defenders should do about trusted-download risk.
Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here
A fake OpenAI Privacy Filter repository on Hugging Face delivered Windows infostealer malware. Here is what SMB and gov-contractor defenders should take from it.
PCPJack Shows Cloud Malware Is Moving From Cryptomining to Credential Theft
SentinelLabs reported PCPJack, a cloud-focused worm that evicts TeamPCP artifacts, steals credentials from exposed infrastructure, and spreads across cloud systems.
CrystalX RAT: New Malware-as-a-Service Combines Spyware, Stealer, and Prankware Capabilities
Kaspersky researchers have uncovered CrystalX RAT, a sophisticated new malware-as-a-service (MaaS) platform that combines remote access trojan capabilities with data theft, keylogging, and uniquely disturbing prankware features designed to psychologically torment victims. From We
LiteLLM Supply Chain Attack: TeamPCP Deploys Multi-Stage Credential Stealer to 95M Monthly Downloads
A sophisticated supply chain attack has compromised LiteLLM, the widely-used Python library for interfacing with large language models, delivering multi-stage credential-stealing malware to systems downloading over 95 million packages per month. The attack, attributed to TeamPCP—
Axios npm Supply Chain Attack Deploys Cross-Platform RAT to 83 Million Weekly Users
On March 31, 2026, the cybersecurity landscape was shaken by a significant supply chain attack targeting Axios, one of the most widely used HTTP client libraries in the JavaScript ecosystem with over 83 million weekly downloads. Attackers compromised a maintainer account to injec
DeepLoad Malware: AI-Generated Evasion Meets ClickFix Delivery in Enterprise Credential Theft Campaign
A sophisticated new malware campaign dubbed “DeepLoad” has emerged targeting enterprise environments, combining ClickFix social engineering delivery with AI-generated obfuscation techniques that defeat traditional security controls. ReliaQuest researchers discovered the threat af
Infinity Stealer: New macOS Infostealer Combines ClickFix Social Engineering with Nuitka Compilation
A sophisticated new info-stealing malware named Infinity Stealer is targeting macOS systems using an innovative attack chain that combines ClickFix social engineering with Python payloads compiled using the open-source Nuitka compiler. Attack Overview According to Malwarebytes re
Infinity Stealer: New macOS Infostealer Uses ClickFix and Nuitka Compilation to Evade Detection
A sophisticated new information-stealing malware named Infinity Stealer has emerged targeting macOS systems, combining the increasingly popular ClickFix social engineering technique with advanced evasion capabilities through Nuitka compilation. According to Malwarebytes research,
FBI Alert: Iranian MOIS Hackers Weaponize Telegram for Global Espionage Against Dissidents
The FBI has issued a public alert warning that Iranian government hackers affiliated with the Ministry of Intelligence and Security (MOIS) are actively weaponizing Telegram as a command-and-control (C2) platform to conduct espionage operations against dissidents, opposition group
Interlock Ransomware Exploited Cisco Firewall Zero-Day Weeks Before Public Disclosure
Amazon’s security team has revealed that the Interlock ransomware gang exploited a critical Cisco firewall vulnerability as a zero-day for five weeks before it was publicly disclosed, giving attackers a significant head start against defenders. Zero-Day Exploitation Timeline Acco
DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover
Google Threat Intelligence Group (GTIG), iVerify, and Lookout have jointly uncovered DarkSword, a sophisticated iOS exploit kit that enables complete device compromise with minimal user interaction. The kit, operational since at least November 2025, has been deployed by suspected
LeakNet Ransomware Scales Operations with ClickFix Lures and Stealthy Deno-Based Fileless Loader
The LeakNet ransomware group is rapidly scaling its operations with two dangerous innovations: a social engineering technique called ClickFix and a previously unreported fileless loader built on the legitimate Deno JavaScript runtime. According to ReliaQuest research, LeakNet has
GlassWorm Supply Chain Campaign Hijacks 72 Open VSX Extensions to Target Developers
Threat actors are abusing Visual Studio Code extension dependencies in the Open VSX registry to distribute the GlassWorm malware loader through 72 malicious extensions targeting developers.
GlassWorm ForceMemo Campaign: Stolen GitHub Tokens Used to Inject Malware Into Hundreds of Python Repositories
A sophisticated supply chain attack dubbed ForceMemo is leveraging stolen GitHub tokens to inject malware into hundreds of Python repositories, marking a dangerous escalation in the ongoing GlassWorm campaign targeting software developers. The Attack Chain According to StepSecuri
KadNap Botnet Hijacks 14,000+ ASUS Routers Using Novel Kademlia DHT Protocol for Stealth C2
A newly discovered botnet called KadNap is turning ASUS routers and edge networking devices into covert proxies for cybercriminal operations. Since August 2025, the malware has infected over 14,000 devices across the globe, with researchers from Black Lotus Labs (Lumen Technologi
BoryptGrab Stealer Spreads Through 100+ Fake GitHub Repositories in Massive Malware Campaign
Trend Micro researchers have uncovered a large-scale malware distribution campaign using over 100 GitHub repositories to spread BoryptGrab, an information stealer that targets browser credentials, cryptocurrency wallets, and sensitive files while deploying reverse SSH backdoors f
BoryptGrab Stealer Spreads Through 100+ Malicious GitHub Repositories
A massive malware distribution campaign has been discovered leveraging more than 100 GitHub repositories to spread the BoryptGrab information stealer. According to Trend Micro research, the campaign targets Windows users through deceptive downloads masquerading as legitimate soft
APT36 Vibeware Campaign: Pakistan’s Transparent Tribe Weaponizes AI to Mass-Produce Malware Targeting India
Pakistan-aligned threat actor Transparent Tribe (APT36) has embraced AI-assisted malware development to flood Indian government networks with disposable, polyglot implants—a technique security researchers are calling “vibeware” or Distributed Denial of Detection (DDoD). AI-Powere
VOID#GEIST: Multi-Stage Malware Campaign Uses Python Loaders and APC Injection to Deploy XWorm, AsyncRAT, and Xeno RAT
Security researchers at Securonix have uncovered a sophisticated multi-stage malware campaign dubbed VOID#GEIST that delivers three separate remote access trojans (RATs) through an elaborate infection chain designed to evade detection. A Modular Attack Framework Unlike traditiona
Zerobot Malware Targets n8n Automation Platform: First Active Exploitation of CVE-2025-68613
Akamai SIRT discovers Zerobot botnet actively exploiting CVE-2025-68613 in n8n workflow automation platform, marking a shift from traditional IoT targeting to enterprise infrastructure.
Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor
A sophisticated supply chain attack has been uncovered targeting Go developers through a malicious module that impersonates the legitimate golang.org/x/crypto library. The attack demonstrates how threat actors are increasingly exploiting namespace confusion to compromise develope
Fake Google Security Check Transforms Browser Into Surveillance Toolkit via PWA Installation
A sophisticated phishing campaign has been discovered that transforms web browsers into comprehensive surveillance platforms by masquerading as a Google Account security page. According to Malwarebytes researchers, this attack represents one of the most fully-featured browser-bas
DarkCloud Infostealer Emerges as Major Enterprise Threat: $30 Malware Delivers Scalable Credential Theft
The cybersecurity threat landscape is facing a growing challenge as infostealers continue to dominate the initial access ecosystem in 2026. Among the latest threats drawing serious attention is DarkCloud, a commercially available credential-harvesting malware that proves even low
APT28 Targets European Entities with Operation MacroMaze Webhook Malware Campaign
Russia’s notorious state-sponsored threat actor APT28 (also known as Fancy Bear) has been attributed to a sophisticated new campaign targeting organizations across Western and Central Europe. According to S2 Grupo’s LAB52 threat intelligence team, the campaign—codenamed Operation
Remcos RAT Evolves with Real-Time Webcam Streaming and Live Keylogging Capabilities
A newly observed variant of Remcos RAT has introduced significant upgrades to its surveillance arsenal, marking a dangerous evolution in how this remote access trojan operates on compromised Windows systems. From Storage to Streaming According to Infosecurity Magazine, the update
SANDWORMMODE: Self-Replicating npm Worm Steals Dev Secrets and Targets AI Coding Tools
A sophisticated supply chain worm dubbed SANDWORMMODE is actively targeting the npm ecosystem, compromising at least 19 malicious packages designed to steal developer credentials and CI/CD secrets while automatically spreading across repositories and workflows. Researchers at Soc
Facebook Malvertising Campaign Uses Fake Windows 11 Pages to Deploy Credential-Stealing Malware
Attackers are running a sophisticated malvertising campaign that leverages paid Facebook ads to distribute credential-stealing malware disguised as official Windows 11 updates. The campaign uses convincing fake Microsoft download pages and includes multiple technical countermeasu
Kimwolf Botnet Swamps I2P Anonymity Network in Massive Sybil Attack
The massive Kimwolf IoT botnet has caused significant disruptions to The Invisible Internet Project (I2P), a decentralized privacy network, after botnet operators accidentally overwhelmed the system while attempting to use it for command-and-control evasion. The Attack According
Russian Threat Actor Deploys CANFAIL Malware Against Ukrainian Organizations
Google Threat Intelligence Group (GTIG) has uncovered a new threat actor possibly affiliated with Russian intelligence services that has been systematically targeting Ukrainian organizations with a sophisticated malware strain known as CANFAIL. Target Profile The threat group has
ClawHavoc Supply Chain Attack Poisons OpenClaw ClawHub With 1,184 Malicious AI Agent Skills
A massive supply chain attack dubbed ClawHavoc has compromised ClawHub, the official skill marketplace for OpenClaw, an open-source AI agent platform formerly known as ClawdBot and Moltbot. Researchers have uncovered at least 1,184 malicious “Skills”—plugin-style packages that ex
NexShield Fake Ad Blocker Uses CrashFix Attack to Deliver ModeloRAT Malware
Security researchers at Huntress have uncovered a sophisticated new malware campaign that weaponizes browser stability against users. The attack, dubbed CrashFix, represents an evolution of the notorious ClickFix social engineering technique—but with a dangerous twist: instead of
OysterLoader: Sophisticated Multi-Stage Malware Loader Linked to Rhysida Ransomware Campaigns
A highly sophisticated malware loader known as OysterLoader has emerged as a significant cybersecurity threat, employing advanced multi-layer obfuscation techniques to evade detection while delivering dangerous payloads including Rhysida ransomware and the widespread Vidar infost
AiFrame Campaign: 30 Fake AI Chrome Extensions with 300K Users Steal Credentials, Gmail Content
Researchers at browser security platform LayerX have uncovered a coordinated malware campaign dubbed “AiFrame” involving 30 malicious Chrome extensions installed by more than 300,000 users. The extensions masquerade as AI assistants while secretly stealing credentials, email cont
Phorpiex Botnet Resurfaces: Phishing Campaign Delivers Offline-Capable Global Group Ransomware
A new phishing campaign leveraging the infamous Phorpiex botnet has been observed distributing Global Group ransomware through weaponized Windows shortcut (.LNK) files, according to a new advisory from Forcepoint X-Labs. The Attack Chain The campaign uses phishing emails with the
Cybercriminals Weaponize ChatGPT and Grok to Distribute AMOS Stealer on macOS
A sophisticated attack campaign is exploiting user trust in artificial intelligence platforms to distribute the Atomic macOS Stealer (AMOS), representing a dangerous evolution in social engineering tactics that combines legitimate AI chatbot services with paid Google advertising.
XWorm RAT Campaign Exploits CVE-2018-0802 in Multi-Language Phishing Attacks Using Fileless Injection
FortiGuard Labs has uncovered a sophisticated phishing campaign delivering XWorm version 7.2, a multi-functional Remote Access Trojan (RAT) that provides attackers with full remote control of compromised Windows systems. Campaign Overview The campaign utilizes multiple phishing e
Fake 7-Zip Downloads Convert Home PCs Into Residential Proxy Nodes for Cybercriminals
A sophisticated brand impersonation campaign is weaponizing the popular 7-Zip file archiver to silently transform infected Windows computers into residential proxy nodes—monetizing victims’ IP addresses for fraud, scraping, and anonymity laundering operations. The Lookalike Domai
Silver Fox APT Unleashes ValleyRAT with Rare PoolParty Process Injection Technique
A sophisticated malware campaign targeting Chinese-speaking users has revealed a significant evolution in the Silver Fox APT group’s capabilities. According to new research from Cybereason Security Services, the threat actors are deploying fake software installers to deliver Vall
SystemBC Botnet Survives Law Enforcement Takedown, Infects Over 10,000 Devices Worldwide
The SystemBC malware loader has demonstrated remarkable resilience, continuing to operate despite targeted efforts during Europol’s Operation Endgame in May 2024. Cybersecurity firm Silent Push has identified more than 10,000 unique infected IP addresses across a massive botnet i
PDFSider: The Stealthy Backdoor Targeting Fortune 100 Financial Institutions
A newly identified Windows malware strain called PDFSider has emerged as a dangerous tool in the arsenals of multiple ransomware operators, with at least one confirmed attack targeting a Fortune 100 finance company. Security researchers at Resecurity uncovered the malware during
ShadowHS: Fileless Linux Post-Exploitation Framework Runs Entirely in Memory
Cyble Research & Intelligence Labs (CRIL) has uncovered a sophisticated Linux intrusion framework dubbed ShadowHS — a stealthy, fileless post-exploitation tool that executes entirely from memory, leaving virtually no traces on disk. This discovery highlights the growing sophistic
Android Malware Campaign Abuses Hugging Face AI Platform to Distribute RAT
Threat actors are abusing the Hugging Face AI platform to host Android malware, using server-side polymorphism to generate thousands of RAT variants every 15 minutes.
Fake Clawdbot VS Code Extension Deploys ScreenConnect RAT
A malicious VS Code extension impersonating the popular Clawdbot AI assistant has been caught deploying ScreenConnect RAT on Windows machines. The trojanized extension worked as a functional AI coding tool while silently installing remote access software.
Poland Thwarts Russian Wiper Malware Attack on Power Plants
Source: Hackread | Author: Deeba Ahmed Poland has narrowly avoided a massive energy crisis following what officials are calling the largest cyberattack on the country in years. Between 29 and 30 December 2025, hackers attempted to break into the nation’s energy infrastructure, sp
New Go loader pushes Rhadamanthys stealer
READ ARTICLE Posted: March 22, 2024 by Jérôme Segura Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads. A good
DreamBus Unleashes Metabase Mayhem With New Exploit Module
Read Article Key Takeaways
Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns
Read Article On January 3, 2024, Mandiant’s X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. Working with X, we were able to regain control of the account and, based on our investigation over the following
Custom GPTs: A Case of Malware Analysis and IoC Analyzing
Read Article On November 6, 2023, CustomGPTs, a new feature that OpenAI stated on its blog, became available. We can already say that the emergence of Custom Generative Pre-trained Transformers (GPTs) could mark a significant shift in the dynamics of both digital defense and offe
Deceptive Cracked Software Spreads Lumma Variant on YouTube
Read Article Initial Infection Vector The hacker initially breaches a YouTuber’s account and uploads videos masquerading as sharing cracked software. Figure 3 shows the video descriptions in which a malicious URL is embedded, enticing users to download a ZIP file that harbors mal
Alert: Carbanak Malware Strikes Again With Updated Tactics
AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
Read Article Executive summary AT&T Alien Labs has identified a campaign to deliver AsyncRAT onto unsuspecting victim systems. During at least 11 months, this threat actor has been working on delivering the RAT through an initial JavaScript file, embedded in a phishing page. Afte
Chapter 84: In-depth analysis and technical analysis of LockBit, the top encryption ransomware organization (Part 1)
Read Article Excerpt LockBit operators and affiliates will find ways to obtain the victim’s initial access rights and use them to deliver encrypted ransomware. The attack methods can be roughly divided into the following methods: 1. Extensive vulnerability scanning . Using Nday v
JavaScript Malware: 50,000+ Bank Users at Risk Worldwide
IOC: jscdnpack[.]com
Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer
https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/
Hackers target Apache RocketMQ servers vulnerable to RCE attacks
https://www.bleepingcomputer.com/news/security/hackers-target-apache-rocketmq-servers-vulnerable-to-rce-attacks/