#backdoor — Public Fediverse posts

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault

Mal etwas neues von Cisco: neues Sicherheitsloch mit 10 von 10

Ach nein, das ist ja gar nicht neu! Im Gegenteil: Cisco hat die Welt doch gerade erst mit eine perfekten 10 beglückt. Sicherheitslücken mit höchster Risikostufe prasseln auf uns nieder, als erhielte Cisco dafür Geld*. Das nächste gefährliche Sicherheitsloch mit der Nummer CVE-2026-20223 klafft diesmal in Cisco Secure Workload (CSW). Dieses Produkt soll eigentlich die IT sicherer machen, indem es Anwendungen voneinander isoliert. Jetzt wird es selber zur Schwachstelle, die relativ einfach angegriffen werden kann. Ein entfernter, nicht angemeldeter Angreifer braucht nur eine speziell gedrechselte*

https://www.pc-fluesterer.info/wordpress/2026/05/28/mal-etwas-neues-von-cisco-neues-sicherheitsloch-mit-10-von-10/

#Allgemein #Empfehlung #Hintergrund #Warnung #hersteller #hintertür #UnplugTrump #usa #wissen #backdoor

Mal etwas neues von Cisco: neues Sicherheitsloch mit 10 von 10

Ach nein, das ist ja gar nicht neu! Im Gegenteil: Cisco hat die Welt doch gerade erst mit eine perfekten 10 beglückt. Sicherheitslücken mit höchster Risikostufe prasseln auf uns nieder, als erhielte Cisco dafür Geld*. Das nächste gefährliche Sicherheitsloch mit der Nummer CVE-2026-20223 klafft diesmal in Cisco Secure Workload (CSW). Dieses Produkt soll eigentlich die IT sicherer machen, indem es Anwendungen voneinander isoliert. Jetzt wird es selber zur Schwachstelle, die relativ einfach angegriffen werden kann. Ein entfernter, nicht angemeldeter Angreifer braucht nur eine speziell gedrechselte*

https://www.pc-fluesterer.info/wordpress/2026/05/28/mal-etwas-neues-von-cisco-neues-sicherheitsloch-mit-10-von-10/

#Allgemein #Empfehlung #Hintergrund #Warnung #hersteller #hintertür #UnplugTrump #usa #wissen #backdoor

Suspeita de #backdoor no #bitlocker #microsoft

Pare de usar esse sistema maluco. Use #gnu #linux .

https://www.tomshardware.com/tech-industry/cyber-security/microsoft-bitlocker-protected-drives-can-now-be-opened-with-just-some-files-on-a-usb-stick-yellowkey-zero-day-exploit-demonstrates-an-apparent-backdoor

#freesoftware #softwarelivre

Nimbus Manticore e il backdoor MiniFast: l’Iran usa l’IA per colpire aviazione e oil&gas durante la guerra

https://insicurezzadigitale.com/nimbus-manticore-e-il-backdoor-minifast-liran-usa-lia-per-colpire-aviazione-e-oilgas-durante-la-guerra/

Nimbus Manticore e il backdoor MiniFast: l’Iran usa l’IA per colpire aviazione e oil&gas durante la guerra

https://insicurezzadigitale.com/nimbus-manticore-e-il-backdoor-minifast-liran-usa-lia-per-colpire-aviazione-e-oilgas-durante-la-guerra/

Nimbus Manticore e il backdoor MiniFast: l’Iran usa l’IA per colpire aviazione e oil&gas durante la guerra

https://insicurezzadigitale.com/nimbus-manticore-e-il-backdoor-minifast-liran-usa-lia-per-colpire-aviazione-e-oilgas-durante-la-guerra/

Nimbus Manticore e il backdoor MiniFast: l’Iran usa l’IA per colpire aviazione e oil&gas durante la guerra

https://insicurezzadigitale.com/nimbus-manticore-e-il-backdoor-minifast-liran-usa-lia-per-colpire-aviazione-e-oilgas-durante-la-guerra/

Nimbus Manticore e il backdoor MiniFast: l’Iran usa l’IA per colpire aviazione e oil&gas durante la guerra

https://insicurezzadigitale.com/nimbus-manticore-e-il-backdoor-minifast-liran-usa-lia-per-colpire-aviazione-e-oilgas-durante-la-guerra/

CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

https://insicurezzadigitale.com/cve-2026-5426-zero-day-in-knowledgedeliver-lms-sfruttato-per-distribuire-bluebeam-e-cobalt-strike-beacon/

CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

https://insicurezzadigitale.com/cve-2026-5426-zero-day-in-knowledgedeliver-lms-sfruttato-per-distribuire-bluebeam-e-cobalt-strike-beacon/

CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

https://insicurezzadigitale.com/cve-2026-5426-zero-day-in-knowledgedeliver-lms-sfruttato-per-distribuire-bluebeam-e-cobalt-strike-beacon/

CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

https://insicurezzadigitale.com/cve-2026-5426-zero-day-in-knowledgedeliver-lms-sfruttato-per-distribuire-bluebeam-e-cobalt-strike-beacon/

CVE-2026-5426: zero-day in KnowledgeDeliver LMS sfruttato per distribuire BLUEBEAM e Cobalt Strike BEACON

https://insicurezzadigitale.com/cve-2026-5426-zero-day-in-knowledgedeliver-lms-sfruttato-per-distribuire-bluebeam-e-cobalt-strike-beacon/

Void Dokkaebi evolve InvisibleFerret: il malware nordcoreano ora usa Cython per sfuggire agli antivirus

https://insicurezzadigitale.com/void-dokkaebi-evolve-invisibleferret-il-malware-nordcoreano-ora-usa-cython-per-sfuggire-agli-antivirus/

Void Dokkaebi evolve InvisibleFerret: il malware nordcoreano ora usa Cython per sfuggire agli antivirus

https://insicurezzadigitale.com/void-dokkaebi-evolve-invisibleferret-il-malware-nordcoreano-ora-usa-cython-per-sfuggire-agli-antivirus/

Void Dokkaebi evolve InvisibleFerret: il malware nordcoreano ora usa Cython per sfuggire agli antivirus

https://insicurezzadigitale.com/void-dokkaebi-evolve-invisibleferret-il-malware-nordcoreano-ora-usa-cython-per-sfuggire-agli-antivirus/

Void Dokkaebi evolve InvisibleFerret: il malware nordcoreano ora usa Cython per sfuggire agli antivirus

https://insicurezzadigitale.com/void-dokkaebi-evolve-invisibleferret-il-malware-nordcoreano-ora-usa-cython-per-sfuggire-agli-antivirus/

Void Dokkaebi evolve InvisibleFerret: il malware nordcoreano ora usa Cython per sfuggire agli antivirus

https://insicurezzadigitale.com/void-dokkaebi-evolve-invisibleferret-il-malware-nordcoreano-ora-usa-cython-per-sfuggire-agli-antivirus/

From Check Point Research: Nimbus Manticore Targets the US

#CheckPoint Research has revealed new campaigns of #Nimbus #Manticore, an IRGC-linked group that resurfaced during Operation #EpicFury with upgraded techniques. The campaigns use SEO poisoning and career-themed phishing across the United States, Europe, and the Middle East, and then delivered a new #MiniFast #backdoor.

https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/

From Check Point Research: Nimbus Manticore Targets the US

#CheckPoint Research has revealed new campaigns of #Nimbus #Manticore, an IRGC-linked group that resurfaced during Operation #EpicFury with upgraded techniques. The campaigns use SEO poisoning and career-themed phishing across the United States, Europe, and the Middle East, and then delivered a new #MiniFast #backdoor.

https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/

From Check Point Research: Nimbus Manticore Targets the US

#CheckPoint Research has revealed new campaigns of #Nimbus #Manticore, an IRGC-linked group that resurfaced during Operation #EpicFury with upgraded techniques. The campaigns use SEO poisoning and career-themed phishing across the United States, Europe, and the Middle East, and then delivered a new #MiniFast #backdoor.

https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/

From Check Point Research: Nimbus Manticore Targets the US

#CheckPoint Research has revealed new campaigns of #Nimbus #Manticore, an IRGC-linked group that resurfaced during Operation #EpicFury with upgraded techniques. The campaigns use SEO poisoning and career-themed phishing across the United States, Europe, and the Middle East, and then delivered a new #MiniFast #backdoor.

https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/

From Check Point Research: Nimbus Manticore Targets the US

#CheckPoint Research has revealed new campaigns of #Nimbus #Manticore, an IRGC-linked group that resurfaced during Operation #EpicFury with upgraded techniques. The campaigns use SEO poisoning and career-themed phishing across the United States, Europe, and the Middle East, and then delivered a new #MiniFast #backdoor.

https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/

Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

In late 2025, an unknown threat actor exploited a critical zero-day vulnerability in KnowledgeDeliver, a Learning Management System widely used in Japan. The vulnerability, tracked as CVE-2026-5426, allowed unauthenticated remote code execution through ViewState deserialization attacks. The issue stemmed from identical hardcoded ASP.NET machine keys distributed across multiple customer deployments in the vendor's configuration files. Attackers obtained these keys from one deployment and used them to compromise other internet-facing instances. Following initial access, threat actors deployed the BLUEBEAM in-memory web shell, modified JavaScript files to display fake security alerts, and tricked users into installing malicious software that delivered Cobalt Strike BEACON backdoors. The attack demonstrates the severe risks of shared secrets in deployment templates and highlights the importance of unique cryptographic keys per installation.

Pulse ID: 6a140384686e44f07358066d
Pulse Link: https://otx.alienvault.com/pulse/6a140384686e44f07358066d
Pulse Author: AlienVault
Created: 2026-05-25 08:08:36

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CobaltStrike #CyberSecurity #Edge #InfoSec #Japan #Java #JavaScript #Mac #NET #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #Vulnerability #ZeroDay #bot #AlienVault

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Community-maintained Laravel Lang packages were compromised with remote code execution backdoors affecting over 700 versions across multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The attack involved coordinated rapid tag publishing on May 22-23, 2026, suggesting organization-level credential compromise. A malicious helpers.php file was automatically executed via Composer's autoloader, deploying a sophisticated cross-platform information stealer. The second-stage payload systematically harvested credentials from cloud infrastructure, Kubernetes, CI/CD systems, browsers, password managers, cryptocurrency wallets, VPN clients, and local configurations. Stolen data was encrypted and exfiltrated to a command-and-control server. The backdoor employed advanced evasion techniques including TLS verification bypass, per-host execution markers, and embedded Windows executables to bypass Chrome encryption protections.

Pulse ID: 6a1187d92cdbfd79095008cd
Pulse Link: https://otx.alienvault.com/pulse/6a1187d92cdbfd79095008cd
Pulse Author: AlienVault
Created: 2026-05-23 10:56:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #Cloud #CyberSecurity #Encryption #HTTP #InfoSec #OTX #OpenThreatExchange #PHP #Password #RAT #RCE #RemoteCodeExecution #TLS #VPN #Windows #Word #bot #cryptocurrency #AlienVault

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Community-maintained Laravel Lang packages were compromised with remote code execution backdoors affecting over 700 versions across multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The attack involved coordinated rapid tag publishing on May 22-23, 2026, suggesting organization-level credential compromise. A malicious helpers.php file was automatically executed via Composer's autoloader, deploying a sophisticated cross-platform information stealer. The second-stage payload systematically harvested credentials from cloud infrastructure, Kubernetes, CI/CD systems, browsers, password managers, cryptocurrency wallets, VPN clients, and local configurations. Stolen data was encrypted and exfiltrated to a command-and-control server. The backdoor employed advanced evasion techniques including TLS verification bypass, per-host execution markers, and embedded Windows executables to bypass Chrome encryption protections.

Pulse ID: 6a1187d92cdbfd79095008cd
Pulse Link: https://otx.alienvault.com/pulse/6a1187d92cdbfd79095008cd
Pulse Author: AlienVault
Created: 2026-05-23 10:56:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #Cloud #CyberSecurity #Encryption #HTTP #InfoSec #OTX #OpenThreatExchange #PHP #Password #RAT #RCE #RemoteCodeExecution #TLS #VPN #Windows #Word #bot #cryptocurrency #AlienVault

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Community-maintained Laravel Lang packages were compromised with remote code execution backdoors affecting over 700 versions across multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The attack involved coordinated rapid tag publishing on May 22-23, 2026, suggesting organization-level credential compromise. A malicious helpers.php file was automatically executed via Composer's autoloader, deploying a sophisticated cross-platform information stealer. The second-stage payload systematically harvested credentials from cloud infrastructure, Kubernetes, CI/CD systems, browsers, password managers, cryptocurrency wallets, VPN clients, and local configurations. Stolen data was encrypted and exfiltrated to a command-and-control server. The backdoor employed advanced evasion techniques including TLS verification bypass, per-host execution markers, and embedded Windows executables to bypass Chrome encryption protections.

Pulse ID: 6a1187d92cdbfd79095008cd
Pulse Link: https://otx.alienvault.com/pulse/6a1187d92cdbfd79095008cd
Pulse Author: AlienVault
Created: 2026-05-23 10:56:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #Cloud #CyberSecurity #Encryption #HTTP #InfoSec #OTX #OpenThreatExchange #PHP #Password #RAT #RCE #RemoteCodeExecution #TLS #VPN #Windows #Word #bot #cryptocurrency #AlienVault

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Community-maintained Laravel Lang packages were compromised with remote code execution backdoors affecting over 700 versions across multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The attack involved coordinated rapid tag publishing on May 22-23, 2026, suggesting organization-level credential compromise. A malicious helpers.php file was automatically executed via Composer's autoloader, deploying a sophisticated cross-platform information stealer. The second-stage payload systematically harvested credentials from cloud infrastructure, Kubernetes, CI/CD systems, browsers, password managers, cryptocurrency wallets, VPN clients, and local configurations. Stolen data was encrypted and exfiltrated to a command-and-control server. The backdoor employed advanced evasion techniques including TLS verification bypass, per-host execution markers, and embedded Windows executables to bypass Chrome encryption protections.

Pulse ID: 6a1187d92cdbfd79095008cd
Pulse Link: https://otx.alienvault.com/pulse/6a1187d92cdbfd79095008cd
Pulse Author: AlienVault
Created: 2026-05-23 10:56:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #Cloud #CyberSecurity #Encryption #HTTP #InfoSec #OTX #OpenThreatExchange #PHP #Password #RAT #RCE #RemoteCodeExecution #TLS #VPN #Windows #Word #bot #cryptocurrency #AlienVault

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Community-maintained Laravel Lang packages were compromised with remote code execution backdoors affecting over 700 versions across multiple repositories including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The attack involved coordinated rapid tag publishing on May 22-23, 2026, suggesting organization-level credential compromise. A malicious helpers.php file was automatically executed via Composer's autoloader, deploying a sophisticated cross-platform information stealer. The second-stage payload systematically harvested credentials from cloud infrastructure, Kubernetes, CI/CD systems, browsers, password managers, cryptocurrency wallets, VPN clients, and local configurations. Stolen data was encrypted and exfiltrated to a command-and-control server. The backdoor employed advanced evasion techniques including TLS verification bypass, per-host execution markers, and embedded Windows executables to bypass Chrome encryption protections.

Pulse ID: 6a1187d92cdbfd79095008cd
Pulse Link: https://otx.alienvault.com/pulse/6a1187d92cdbfd79095008cd
Pulse Author: AlienVault
Created: 2026-05-23 10:56:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #Cloud #CyberSecurity #Encryption #HTTP #InfoSec #OTX #OpenThreatExchange #PHP #Password #RAT #RCE #RemoteCodeExecution #TLS #VPN #Windows #Word #bot #cryptocurrency #AlienVault

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.

Pulse ID: 6a141fcbde28865faa897cb4
Pulse Link: https://otx.alienvault.com/pulse/6a141fcbde28865faa897cb4
Pulse Author: AlienVault
Created: 2026-05-25 10:09:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Europe #IRGC #InfoSec #Iran #Malware #MiddleEast #Military #Nim #OTX #OpenThreatExchange #Phishing #RAT #SEOPoisoning #UnitedStates #Zoom #bot #AlienVault

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.

Pulse ID: 6a141fcbde28865faa897cb4
Pulse Link: https://otx.alienvault.com/pulse/6a141fcbde28865faa897cb4
Pulse Author: AlienVault
Created: 2026-05-25 10:09:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Europe #IRGC #InfoSec #Iran #Malware #MiddleEast #Military #Nim #OTX #OpenThreatExchange #Phishing #RAT #SEOPoisoning #UnitedStates #Zoom #bot #AlienVault

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.

Pulse ID: 6a141fcbde28865faa897cb4
Pulse Link: https://otx.alienvault.com/pulse/6a141fcbde28865faa897cb4
Pulse Author: AlienVault
Created: 2026-05-25 10:09:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Europe #IRGC #InfoSec #Iran #Malware #MiddleEast #Military #Nim #OTX #OpenThreatExchange #Phishing #RAT #SEOPoisoning #UnitedStates #Zoom #bot #AlienVault

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.

Pulse ID: 6a141fcbde28865faa897cb4
Pulse Link: https://otx.alienvault.com/pulse/6a141fcbde28865faa897cb4
Pulse Author: AlienVault
Created: 2026-05-25 10:09:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Europe #IRGC #InfoSec #Iran #Malware #MiddleEast #Military #Nim #OTX #OpenThreatExchange #Phishing #RAT #SEOPoisoning #UnitedStates #Zoom #bot #AlienVault

Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict

The Iranian IRGC-affiliated threat actor Nimbus Manticore launched sophisticated cyber operations during Operation Epic Fury, the US military campaign against Iran beginning February 28, 2026. The campaigns targeted organizations in aviation and software sectors across the United States, Europe, and Middle East using career-themed phishing lures. For the first time, the actor employed SEO poisoning techniques and introduced MiniFast, a previously undocumented backdoor showing signs of AI-assisted development. The operations leveraged AppDomain hijacking and abused legitimate Zoom installer execution flows for malware deployment. The actor demonstrated rapid adaptation capabilities during wartime conditions, maintaining high operational availability while expanding targeting to US-based aviation companies. Multiple campaign waves were observed from February through April 2026, with persistent infrastructure and evolving techniques.

Pulse ID: 6a141fcbde28865faa897cb4
Pulse Link: https://otx.alienvault.com/pulse/6a141fcbde28865faa897cb4
Pulse Author: AlienVault
Created: 2026-05-25 10:09:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Europe #IRGC #InfoSec #Iran #Malware #MiddleEast #Military #Nim #OTX #OpenThreatExchange #Phishing #RAT #SEOPoisoning #UnitedStates #Zoom #bot #AlienVault

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.

Pulse ID: 6a105530af26afbd3752ab81
Pulse Link: https://otx.alienvault.com/pulse/6a105530af26afbd3752ab81
Pulse Author: AlienVault
Created: 2026-05-22 13:08:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Belarus #Browser #Cloud #CloudAtlas #CyberSecurity #Google #Government #InfoSec #LNK #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #PowerShell #RAT #RDP #Russia #SSH #ZIP #bot #AlienVault

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.

Pulse ID: 6a105530af26afbd3752ab81
Pulse Link: https://otx.alienvault.com/pulse/6a105530af26afbd3752ab81
Pulse Author: AlienVault
Created: 2026-05-22 13:08:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Belarus #Browser #Cloud #CloudAtlas #CyberSecurity #Google #Government #InfoSec #LNK #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #PowerShell #RAT #RDP #Russia #SSH #ZIP #bot #AlienVault

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.

Pulse ID: 6a105530af26afbd3752ab81
Pulse Link: https://otx.alienvault.com/pulse/6a105530af26afbd3752ab81
Pulse Author: AlienVault
Created: 2026-05-22 13:08:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Belarus #Browser #Cloud #CloudAtlas #CyberSecurity #Google #Government #InfoSec #LNK #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #PowerShell #RAT #RDP #Russia #SSH #ZIP #bot #AlienVault

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.

Pulse ID: 6a105530af26afbd3752ab81
Pulse Link: https://otx.alienvault.com/pulse/6a105530af26afbd3752ab81
Pulse Author: AlienVault
Created: 2026-05-22 13:08:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Belarus #Browser #Cloud #CloudAtlas #CyberSecurity #Google #Government #InfoSec #LNK #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #PowerShell #RAT #RDP #Russia #SSH #ZIP #bot #AlienVault

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Cloud Atlas APT group targeted government organizations and commercial companies in Russia and Belarus during late 2025 and early 2026, employing phishing campaigns with malicious ZIP archives containing LNK shortcuts. The attackers deployed multiple backdoors including VBCloud for file theft and PowerShower for network reconnaissance. New tools identified include PowerCloud, which exfiltrates data to Google Sheets, and browser checker utilities. The group established persistence through reverse SSH tunnels, patched OpenSSH binaries, ReverseSocks, and Tor networking. Initial infection vectors included malicious shortcuts executing PowerShell scripts and exploiting CVE-2018-0802 in Microsoft Office. The attackers performed credential theft, RDP manipulation via termsrv.dll patching, and lateral movement across networks while maintaining multiple backup control channels.

Pulse ID: 6a105530af26afbd3752ab81
Pulse Link: https://otx.alienvault.com/pulse/6a105530af26afbd3752ab81
Pulse Author: AlienVault
Created: 2026-05-22 13:08:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Belarus #Browser #Cloud #CloudAtlas #CyberSecurity #Google #Government #InfoSec #LNK #Microsoft #MicrosoftOffice #OTX #Office #OpenThreatExchange #Phishing #PowerShell #RAT #RDP #Russia #SSH #ZIP #bot #AlienVault

Megalodon: 5.561 repository GitHub compromessi in sei ore con workflow CI/CD malevoli

https://insicurezzadigitale.com/megalodon-5-561-repository-github-compromessi-in-sei-ore-con-workflow-ci-cd-malevoli/

Megalodon: 5.561 repository GitHub compromessi in sei ore con workflow CI/CD malevoli

https://insicurezzadigitale.com/megalodon-5-561-repository-github-compromessi-in-sei-ore-con-workflow-ci-cd-malevoli/

Megalodon: 5.561 repository GitHub compromessi in sei ore con workflow CI/CD malevoli

https://insicurezzadigitale.com/megalodon-5-561-repository-github-compromessi-in-sei-ore-con-workflow-ci-cd-malevoli/

Megalodon: 5.561 repository GitHub compromessi in sei ore con workflow CI/CD malevoli

https://insicurezzadigitale.com/megalodon-5-561-repository-github-compromessi-in-sei-ore-con-workflow-ci-cd-malevoli/

Megalodon: 5.561 repository GitHub compromessi in sei ore con workflow CI/CD malevoli

https://insicurezzadigitale.com/megalodon-5-561-repository-github-compromessi-in-sei-ore-con-workflow-ci-cd-malevoli/

Webworm evolve: i backdoor EchoCreep e GraphWorm trasformano Discord e Microsoft Graph in canali C2

https://insicurezzadigitale.com/webworm-evolve-i-backdoor-echocreep-e-graphworm-trasformano-discord-e-microsoft-graph-in-canali-c2/